about summary refs log tree commit diff
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2021-08-20 15:57:50 -0400
committerJune McEnroe <june@causal.agency>2021-08-20 15:58:48 -0400
commit8a798865419f4b416d8c46ae12dd73cb311b61bd (patch)
tree1595969b6df0de4be6c012a6115805560359abd3
parentHandle TLS_WANT_POLL{IN,OUT} from tls_handshake(3) with server (diff)
downloadpounce-8a798865419f4b416d8c46ae12dd73cb311b61bd.tar.gz
pounce-8a798865419f4b416d8c46ae12dd73cb311b61bd.zip
Explicitly clear TLS secrets after handshake
Ported from catgirl ae64d277b8204c156a30d2e8b6a958e5a31f2a7f.
-rw-r--r--server.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/server.c b/server.c
index c84320a..d970deb 100644
--- a/server.c
+++ b/server.c
@@ -41,12 +41,13 @@
 #include "bounce.h"
 
 static struct tls *client;
+static struct tls_config *config;
 
 void serverConfig(
 	bool insecure, const char *trust, const char *cert, const char *priv
 ) {
 	int error = 0;
-	struct tls_config *config = tls_config_new();
+	config = tls_config_new();
 	if (!config) errx(EX_SOFTWARE, "tls_config_new");
 
 	if (insecure) {
@@ -89,7 +90,6 @@ void serverConfig(
 
 	error = tls_configure(client, config);
 	if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(client));
-	tls_config_free(config);
 }
 
 int serverConnect(const char *bindHost, const char *host, const char *port) {
@@ -150,6 +150,7 @@ int serverConnect(const char *bindHost, const char *host, const char *port) {
 		error = tls_handshake(client);
 	} while (error == TLS_WANT_POLLIN || error == TLS_WANT_POLLOUT);
 	if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client));
+	tls_config_clear_keys(config);
 
 	return sock;
 }