core: set again TLS verification functions after GnuTLS options are changed (closes #1763)

When changing the options weechat.network.gnutls_ca_system or
weechat.network.gnutls_ca_user, the GnuTLS credentials are freed then allocated
again, but the verification function used to check the certificate on
connection is not set again.

As a consequence, any TLS connection is made without checking the certificate.

This regression was introduced in version 3.2, when the options were changed to
automatically load system certificates without having to give the path, and to
let user give an extra custom path with certificates.

ChangeLog.adoc

@@ -29,6 +29,7 @@ New features::
 
 Bug fixes::
 
+  * core: set again TLS verification functions after options weechat.network.gnutls_ca_system and weechat.network.gnutls_ca_user are changed (issue #1763)
   * core: fix memory leak when removing a line on a buffer with free content
   * core: remove obsolete option weechat.plugin.debug (issue #1744)
   * core: fix search of commands with UTF-8 chars in name when option weechat.look.command_incomplete is on (issue #1739)

src/core/wee-network.c

@@ -91,6 +91,27 @@ network_init_gcrypt ()
     gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
 }
 
+/*
+ * Allocates credentials structure.
+ */
+
+void
+network_allocate_credentials ()
+{
+    gnutls_certificate_allocate_credentials (&gnutls_xcred);
+#if LIBGNUTLS_VERSION_NUMBER >= 0x02090a /* 2.9.10 */
+    gnutls_certificate_set_verify_function (gnutls_xcred,
+                                            &hook_connect_gnutls_verify_certificates);
+#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x02090a */
+#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */
+    gnutls_certificate_set_retrieve_function (gnutls_xcred,
+                                              &hook_connect_gnutls_set_certificates);
+#else
+    gnutls_certificate_client_set_retrieve_function (gnutls_xcred,
+                                                     &hook_connect_gnutls_set_certificates);
+#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */
+}
+
 /*
  * Loads system's default trusted certificate authorities.
  *
@@ -259,9 +280,7 @@ network_reload_ca_files (int force_display)
                              network_num_certs),
                          network_num_certs);
     }
-
-    gnutls_certificate_allocate_credentials (&gnutls_xcred);
-
+    network_allocate_credentials ();
     network_load_ca_files (force_display);
 }
 
@@ -275,19 +294,8 @@ network_init_gnutls ()
     if (!weechat_no_gnutls)
     {
         gnutls_global_init ();
-        gnutls_certificate_allocate_credentials (&gnutls_xcred);
+        network_allocate_credentials ();
         network_load_ca_files (0);
-#if LIBGNUTLS_VERSION_NUMBER >= 0x02090a /* 2.9.10 */
-        gnutls_certificate_set_verify_function (gnutls_xcred,
-                                                &hook_connect_gnutls_verify_certificates);
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x02090a */
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */
-        gnutls_certificate_set_retrieve_function (gnutls_xcred,
-                                                  &hook_connect_gnutls_set_certificates);
-#else
-        gnutls_certificate_client_set_retrieve_function (gnutls_xcred,
-                                                         &hook_connect_gnutls_set_certificates);
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */
     }
 
     network_init_gnutls_ok = 1;