| author | beck <> | 2015-12-08 15:33:33 +0000 | 
|---|---|---|
| committer | beck <> | 2015-12-08 15:33:33 +0000 | 
| commit | 5638e7dd012357d2642fc03c1e21bc8cf6d99a75 (patch) | |
| tree | 1e8a9e148691a7d2da355fae8342908f498042cc | |
| parent | 9d0b6a5f2e0b42caacf7d865393b0c4c39e2ca75 (diff) | |
pledge nc better - Load the certificate into memory and then do the pledge,
this allows us to drop the rpath from the nc pledge.
ok deraadt@, tedu@
Diffstat (limited to '')
| -rw-r--r-- | src/usr.bin/nc/netcat.c | 26 | 
1 files changed, 21 insertions, 5 deletions
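--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.145 2015/12/07 02:38:54 tb Exp $ */
+/* $OpenBSD: netcat.c,v 1.146 2015/12/08 15:33:33 beck Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -104,6 +104,12 @@ int tls_cachanged; /* Using non-default CA file */
 int TLSopt; /* TLS options */
 char *tls_expectname; /* required name in peer cert */
 char *tls_expecthash; /* required hash of peer cert */
+uint8_t *cacert;
+size_t cacertlen;
+uint8_t *privkey;
+size_t privkeylen;
+uint8_t *pubcert;
+size_t pubcertlen;
 
 int timeout = -1;
 int family = AF_UNSPEC;
@@ -421,16 +427,26 @@ main(int argc, char *argv[])
 }
 
 if (usetls) {
+if (Rflag && (cacert=tls_load_file(Rflag, &cacertlen, NULL)) == NULL)
+errx(1, "unable to load root CA file %s", Rflag);
+if (Cflag && (pubcert=tls_load_file(Rflag, &pubcertlen, NULL)) == NULL)
+errx(1, "unable to load TLS certificate file %s", Cflag);
+if (Kflag && (privkey=tls_load_file(Rflag, &privkeylen, NULL)) == NULL)
+errx(1, "unable to load TLS key file %s", Kflag);
+
+if (pledge("stdio inet dns", NULL) == -1)
+err(1, "pledge");
+
 if (tls_init() == -1)
 errx(1, "unable to initialize TLS");
 if ((tls_cfg = tls_config_new()) == NULL)
 errx(1, "unable to allocate TLS config");
-if (Cflag && (tls_config_set_cert_file(tls_cfg, Cflag) == -1))
+if (Rflag && tls_config_set_ca_mem(tls_cfg, cacert, cacertlen) == -1)
+errx(1, "unable to set root CA file %s", Rflag);
+if (Cflag && tls_config_set_cert_mem(tls_cfg, cacert, cacertlen) == -1)
 errx(1, "unable to set TLS certificate file %s", Cflag);
-if (Kflag && (tls_config_set_key_file(tls_cfg, Kflag) == -1))
+if (Kflag && tls_config_set_key_mem(tls_cfg, privkey, privkeylen) == -1)
 errx(1, "unable to set TLS key file %s", Kflag);
-if (Rflag && (tls_config_set_ca_file(tls_cfg, Rflag) == -1))
-errx(1, "unable to set root CA file %s", Rflag);
 if (TLSopt & TLS_LEGACY) {
 tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL);
 tls_config_set_ciphers(tls_cfg, "legacy");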
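Review bot: The three new load calls in the `usetls` block pass the wrong path and buffer: the `Cflag` and `Kflag` branches both call `tls_load_file(Rflag, ...)` instead of reading `Cflag` and `Kflag`, and the new `tls_config_set_cert_mem` call hands over `cacert`/`cacertlen` rather than the `pubcert`/`pubcertlen` that was just loaded, so the user-supplied certificate and private key are never actually used and `-C` or `-K` given without `-R` calls `tls_load_file` with a NULL path (and later `tls_config_set_cert_mem` with a NULL `cacert`). The lines should read `if (Cflag && (pubcert=tls_load_file(Cflag, &pubcertlen, NULL)) == NULL)`, `if (Kflag && (privkey=tls_load_file(Kflag, &privkeylen, NULL)) == NULL)` and `if (Cflag && tls_config_set_cert_mem(tls_cfg, pubcert, pubcertlen) == -1)`. Since `privkey` is now a file-scope global that outlives the pledge for the whole session, it is worth clearing and freeing it right after `tls_config_set_key_mem` if that call copies the key (which I believe libtls does, but confirm), so the key material is not kept around in the process longer than needed. The enclosing `main` starts and ends outside this hunk, so I cannot see whether the non-TLS path still pledges elsewhere.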
