authorbeck <>2015-12-08 15:33:33 +0000
committerbeck <>2015-12-08 15:33:33 +0000
commit83d9cc3cde2fc32d582b308940d1ea7f4814503b (patch)
tree1e8a9e148691a7d2da355fae8342908f498042cc /src
parent631a37ba820508f0f35623f6a9aa2ff84942dbdd (diff)
pledge nc better - Load the certificate into memory and then do the pledge,
this allows us to drop the rpath from the nc pledge. ok deraadt@, tedu@
Diffstat (limited to 'src')
-rw-r--r--src/usr.bin/nc/netcat.c26
1 files changed, 21 insertions, 5 deletions
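diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index cfc5a2363b..a224717c72 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.145 2015/12/07 02:38:54 tb Exp $ */
+/* $OpenBSD: netcat.c,v 1.146 2015/12/08 15:33:33 beck Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -104,6 +104,12 @@ int tls_cachanged; /* Using non-default CA file */
 int TLSopt; /* TLS options */
 char *tls_expectname; /* required name in peer cert */
 char *tls_expecthash; /* required hash of peer cert */
+uint8_t *cacert;
+size_t cacertlen;
+uint8_t *privkey;
+size_t privkeylen;
+uint8_t *pubcert;
+size_t pubcertlen;
 
 int timeout = -1;
 int family = AF_UNSPEC;
@@ -421,16 +427,26 @@ main(int argc, char *argv[])
 }
 
 if (usetls) {
+if (Rflag && (cacert=tls_load_file(Rflag, &cacertlen, NULL)) == NULL)
+errx(1, "unable to load root CA file %s", Rflag);
+if (Cflag && (pubcert=tls_load_file(Rflag, &pubcertlen, NULL)) == NULL)
+errx(1, "unable to load TLS certificate file %s", Cflag);
+if (Kflag && (privkey=tls_load_file(Rflag, &privkeylen, NULL)) == NULL)
+errx(1, "unable to load TLS key file %s", Kflag);
+
+if (pledge("stdio inet dns", NULL) == -1)
+err(1, "pledge");
+
 if (tls_init() == -1)
 errx(1, "unable to initialize TLS");
 if ((tls_cfg = tls_config_new()) == NULL)
 errx(1, "unable to allocate TLS config");
-if (Cflag && (tls_config_set_cert_file(tls_cfg, Cflag) == -1))
+if (Rflag && tls_config_set_ca_mem(tls_cfg, cacert, cacertlen) == -1)
+errx(1, "unable to set root CA file %s", Rflag);
+if (Cflag && tls_config_set_cert_mem(tls_cfg, cacert, cacertlen) == -1)
 errx(1, "unable to set TLS certificate file %s", Cflag);
-if (Kflag && (tls_config_set_key_file(tls_cfg, Kflag) == -1))
+if (Kflag && tls_config_set_key_mem(tls_cfg, privkey, privkeylen) == -1)
 errx(1, "unable to set TLS key file %s", Kflag);
-if (Rflag && (tls_config_set_ca_file(tls_cfg, Rflag) == -1))
-errx(1, "unable to set root CA file %s", Rflag);
 if (TLSopt & TLS_LEGACY) {
 tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL);
 tls_config_set_ciphers(tls_cfg, "legacy");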
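Review bot: All three tls_load_file() calls on the new side pass Rflag as the path, so with -C or -K the certificate and key are read from the CA file instead of from Cflag/Kflag, and the later tls_config_set_cert_mem() call is then given cacert/cacertlen rather than pubcert/pubcertlen, leaving the loaded pubcert buffer unused. The lines presumably intended are `if (Cflag && (pubcert=tls_load_file(Cflag, &pubcertlen, NULL)) == NULL)`, `if (Kflag && (privkey=tls_load_file(Kflag, &privkeylen, NULL)) == NULL)` and `if (Cflag && tls_config_set_cert_mem(tls_cfg, pubcert, pubcertlen) == -1)`. As written, -C or -K given without -R hands a NULL path to tls_load_file() and presumably fails the load, while -C together with -R presents the CA certificate as the local certificate rather than the one the user named. main() begins and ends outside the hunk.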