author | jsing <> | 2016-07-07 14:09:44 +0000 |
---|---|---|
committer | jsing <> | 2016-07-07 14:09:44 +0000 |
commit | 793bbb74db9be5898f5b404a5091e6ef33f70a51 (patch) | |
tree | 75299acad4a63e35a7b861f9f2ee3bf9e73e68f2 | |
parent | 025e7d6501957fe925241c7e73c233c203a19711 (diff) | |
Revert previous since the libtls change has been reverted.
-rw-r--r-- | src/usr.bin/nc/netcat.c | 40 |
1 files changed, 24 insertions, 16 deletions
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c index 5673dd5b18..e3f6074ab4 100644 --- a/src/usr.bin/nc/netcat.c +++ b/src/usr.bin/nc/netcat.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: netcat.c,v 1.158 2016/07/06 16:31:18 jsing Exp $ */ | 1 | /* $OpenBSD: netcat.c,v 1.159 2016/07/07 14:09:44 jsing Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001 Eric Jackson <ericj@monkey.org> | 3 | * Copyright (c) 2001 Eric Jackson <ericj@monkey.org> |
4 | * Copyright (c) 2015 Bob Beck. All rights reserved. | 4 | * Copyright (c) 2015 Bob Beck. All rights reserved. |
@@ -65,6 +65,7 @@ | |||
65 | #define POLL_NETIN 2 | 65 | #define POLL_NETIN 2 |
66 | #define POLL_STDOUT 3 | 66 | #define POLL_STDOUT 3 |
67 | #define BUFSIZE 16384 | 67 | #define BUFSIZE 16384 |
68 | #define DEFAULT_CA_FILE "/etc/ssl/cert.pem" | ||
68 | 69 | ||
69 | #define TLS_LEGACY (1 << 1) | 70 | #define TLS_LEGACY (1 << 1) |
70 | #define TLS_NOVERIFY (1 << 2) | 71 | #define TLS_NOVERIFY (1 << 2) |
@@ -98,11 +99,17 @@ int rtableid = -1; | |||
98 | int usetls; /* use TLS */ | 99 | int usetls; /* use TLS */ |
99 | char *Cflag; /* Public cert file */ | 100 | char *Cflag; /* Public cert file */ |
100 | char *Kflag; /* Private key file */ | 101 | char *Kflag; /* Private key file */ |
101 | char *Rflag; /* Root CA file */ | 102 | char *Rflag = DEFAULT_CA_FILE; /* Root CA file */ |
102 | int tls_cachanged; /* Using non-default CA file */ | 103 | int tls_cachanged; /* Using non-default CA file */ |
103 | int TLSopt; /* TLS options */ | 104 | int TLSopt; /* TLS options */ |
104 | char *tls_expectname; /* required name in peer cert */ | 105 | char *tls_expectname; /* required name in peer cert */ |
105 | char *tls_expecthash; /* required hash of peer cert */ | 106 | char *tls_expecthash; /* required hash of peer cert */ |
107 | uint8_t *cacert; | ||
108 | size_t cacertlen; | ||
109 | uint8_t *privkey; | ||
110 | size_t privkeylen; | ||
111 | uint8_t *pubcert; | ||
112 | size_t pubcertlen; | ||
106 | 113 | ||
107 | int timeout = -1; | 114 | int timeout = -1; |
108 | int family = AF_UNSPEC; | 115 | int family = AF_UNSPEC; |
@@ -437,22 +444,29 @@ main(int argc, char *argv[]) | |||
437 | } | 444 | } |
438 | 445 | ||
439 | if (usetls) { | 446 | if (usetls) { |
447 | if (Rflag && (cacert = tls_load_file(Rflag, &cacertlen, NULL)) == NULL) | ||
448 | errx(1, "unable to load root CA file %s", Rflag); | ||
449 | if (Cflag && (pubcert = tls_load_file(Cflag, &pubcertlen, NULL)) == NULL) | ||
450 | errx(1, "unable to load TLS certificate file %s", Cflag); | ||
451 | if (Kflag && (privkey = tls_load_file(Kflag, &privkeylen, NULL)) == NULL) | ||
452 | errx(1, "unable to load TLS key file %s", Kflag); | ||
453 | |||
440 | if (Pflag) { | 454 | if (Pflag) { |
441 | if (pledge("stdio inet dns rpath tty", NULL) == -1) | 455 | if (pledge("stdio inet dns tty", NULL) == -1) |
442 | err(1, "pledge"); | 456 | err(1, "pledge"); |
443 | } else if (pledge("stdio inet dns rpath", NULL) == -1) | 457 | } else if (pledge("stdio inet dns", NULL) == -1) |
444 | err(1, "pledge"); | 458 | err(1, "pledge"); |
445 | 459 | ||
446 | if (tls_init() == -1) | 460 | if (tls_init() == -1) |
447 | errx(1, "unable to initialize TLS"); | 461 | errx(1, "unable to initialize TLS"); |
448 | if ((tls_cfg = tls_config_new()) == NULL) | 462 | if ((tls_cfg = tls_config_new()) == NULL) |
449 | errx(1, "unable to allocate TLS config"); | 463 | errx(1, "unable to allocate TLS config"); |
450 | if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1) | 464 | if (Rflag && tls_config_set_ca_mem(tls_cfg, cacert, cacertlen) == -1) |
451 | errx(1, "%s", tls_config_error(tls_cfg)); | 465 | errx(1, "unable to set root CA file %s", Rflag); |
452 | if (Cflag && tls_config_set_cert_file(tls_cfg, Cflag) == -1) | 466 | if (Cflag && tls_config_set_cert_mem(tls_cfg, pubcert, pubcertlen) == -1) |
453 | errx(1, "%s", tls_config_error(tls_cfg)); | 467 | errx(1, "unable to set TLS certificate file %s", Cflag); |
454 | if (Kflag && tls_config_set_key_file(tls_cfg, Kflag) == -1) | 468 | if (Kflag && tls_config_set_key_mem(tls_cfg, privkey, privkeylen) == -1) |
455 | errx(1, "%s", tls_config_error(tls_cfg)); | 469 | errx(1, "unable to set TLS key file %s", Kflag); |
456 | if (TLSopt & TLS_LEGACY) { | 470 | if (TLSopt & TLS_LEGACY) { |
457 | tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL); | 471 | tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL); |
458 | tls_config_set_ciphers(tls_cfg, "legacy"); | 472 | tls_config_set_ciphers(tls_cfg, "legacy"); |
@@ -467,12 +481,6 @@ main(int argc, char *argv[]) | |||
467 | "together"); | 481 | "together"); |
468 | tls_config_insecure_noverifycert(tls_cfg); | 482 | tls_config_insecure_noverifycert(tls_cfg); |
469 | } | 483 | } |
470 | |||
471 | if (Pflag) { | ||
472 | if (pledge("stdio inet dns tty", NULL) == -1) | ||
473 | err(1, "pledge"); | ||
474 | } else if (pledge("stdio inet dns", NULL) == -1) | ||
475 | err(1, "pledge"); | ||
476 | } | 484 | } |
477 | if (lflag) { | 485 | if (lflag) { |
478 | struct tls *tls_cctx = NULL; | 486 | struct tls *tls_cctx = NULL; |
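Review bot: The `errx` calls after `tls_config_set_ca_mem`, `tls_config_set_cert_mem` and `tls_config_set_key_mem` (new lines 465, 467 and 469) drop the libtls reason that the old `errx(1, "%s", tls_config_error(tls_cfg))` messages reported, so a malformed PEM file or a key that does not match the certificate now surfaces only as "unable to set ... file". Keeping the file name and appending the library error costs one argument per call, e.g. `errx(1, "unable to set root CA file %s: %s", Rflag, tls_config_error(tls_cfg));` and the same shape for the certificate and key lines. The `tls_load_file` failures on new lines 447–452 take no config handle, so there appears to be no comparable error string to add there. The buffer loaded into `privkey` stays in the process for the rest of the run; if libtls copies it in `tls_config_set_key_mem` (as I believe it does, please confirm), the caller's copy could be cleared with `explicit_bzero` and freed once the config is built. main() starts and continues outside this hunk.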