diff options
| author | beck <> | 2017-04-05 03:20:19 +0000 |
|---|---|---|
| committer | beck <> | 2017-04-05 03:20:19 +0000 |
| commit | 83f309bbf0134f1cf9d001a778a3ddd8c0556bc2 (patch) | |
| tree | 299fe68381ddcde7d5e4ff06e1d3436e96654278 /src | |
| parent | 2ffca9ef617ca25d3718111a126dbb0d580dd018 (diff) | |
| download | openbsd-83f309bbf0134f1cf9d001a778a3ddd8c0556bc2.tar.gz openbsd-83f309bbf0134f1cf9d001a778a3ddd8c0556bc2.tar.bz2 openbsd-83f309bbf0134f1cf9d001a778a3ddd8c0556bc2.zip | |
Allow nc to save the peer certificate and chain in a pem file specified
with -Z
ok jsing@
Diffstat (limited to 'src')
| -rw-r--r-- | src/usr.bin/nc/nc.1 | 9 | ||||
| -rw-r--r-- | src/usr.bin/nc/netcat.c | 34 |
2 files changed, 39 insertions, 4 deletions
diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1 index b1f96488ab..0f1263da7c 100644 --- a/src/usr.bin/nc/nc.1 +++ b/src/usr.bin/nc/nc.1 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: nc.1,v 1.82 2017/02/09 20:15:59 jca Exp $ | 1 | .\" $OpenBSD: nc.1,v 1.83 2017/04/05 03:20:19 beck Exp $ |
| 2 | .\" | 2 | .\" |
| 3 | .\" Copyright (c) 1996 David Sacerdote | 3 | .\" Copyright (c) 1996 David Sacerdote |
| 4 | .\" All rights reserved. | 4 | .\" All rights reserved. |
| @@ -25,7 +25,7 @@ | |||
| 25 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 25 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 26 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 26 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 27 | .\" | 27 | .\" |
| 28 | .Dd $Mdocdate: February 9 2017 $ | 28 | .Dd $Mdocdate: April 5 2017 $ |
| 29 | .Dt NC 1 | 29 | .Dt NC 1 |
| 30 | .Os | 30 | .Os |
| 31 | .Sh NAME | 31 | .Sh NAME |
| @@ -53,6 +53,7 @@ | |||
| 53 | .Op Fl w Ar timeout | 53 | .Op Fl w Ar timeout |
| 54 | .Op Fl X Ar proxy_protocol | 54 | .Op Fl X Ar proxy_protocol |
| 55 | .Op Fl x Ar proxy_address Ns Op : Ns Ar port | 55 | .Op Fl x Ar proxy_address Ns Op : Ns Ar port |
| 56 | .Op Fl Z Ar peercertfile | ||
| 56 | .Op Ar destination | 57 | .Op Ar destination |
| 57 | .Op Ar port | 58 | .Op Ar port |
| 58 | .Sh DESCRIPTION | 59 | .Sh DESCRIPTION |
| @@ -337,6 +338,10 @@ should just scan for listening daemons, without sending any data to them. | |||
| 337 | It is an error to use this option in conjunction with the | 338 | It is an error to use this option in conjunction with the |
| 338 | .Fl l | 339 | .Fl l |
| 339 | option. | 340 | option. |
| 341 | .It Fl Z Ar peercertfile | ||
| 342 | Specifies the filename in which the peer supplied certificates will be saved | ||
| 343 | in PEM format. | ||
| 344 | May only be used with TLS. | ||
| 340 | .El | 345 | .El |
| 341 | .Pp | 346 | .Pp |
| 342 | .Ar destination | 347 | .Ar destination |
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c index e222e1e731..74074aa938 100644 --- a/src/usr.bin/nc/netcat.c +++ b/src/usr.bin/nc/netcat.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: netcat.c,v 1.178 2017/03/09 13:58:00 bluhm Exp $ */ | 1 | /* $OpenBSD: netcat.c,v 1.179 2017/04/05 03:20:19 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2001 Eric Jackson <ericj@monkey.org> | 3 | * Copyright (c) 2001 Eric Jackson <ericj@monkey.org> |
| 4 | * Copyright (c) 2015 Bob Beck. All rights reserved. | 4 | * Copyright (c) 2015 Bob Beck. All rights reserved. |
| @@ -106,6 +106,7 @@ int tls_cachanged; /* Using non-default CA file */ | |||
| 106 | int TLSopt; /* TLS options */ | 106 | int TLSopt; /* TLS options */ |
| 107 | char *tls_expectname; /* required name in peer cert */ | 107 | char *tls_expectname; /* required name in peer cert */ |
| 108 | char *tls_expecthash; /* required hash of peer cert */ | 108 | char *tls_expecthash; /* required hash of peer cert */ |
| 109 | FILE *Zflag; /* file to save peer cert */ | ||
| 109 | 110 | ||
| 110 | int timeout = -1; | 111 | int timeout = -1; |
| 111 | int family = AF_UNSPEC; | 112 | int family = AF_UNSPEC; |
| @@ -132,6 +133,7 @@ int unix_listen(char *); | |||
| 132 | void set_common_sockopts(int, int); | 133 | void set_common_sockopts(int, int); |
| 133 | int map_tos(char *, int *); | 134 | int map_tos(char *, int *); |
| 134 | int map_tls(char *, int *); | 135 | int map_tls(char *, int *); |
| 136 | void save_peer_cert(struct tls *_tls_ctx, FILE *_fp); | ||
| 135 | void report_connect(const struct sockaddr *, socklen_t, char *); | 137 | void report_connect(const struct sockaddr *, socklen_t, char *); |
| 136 | void report_tls(struct tls *tls_ctx, char * host, char *tls_expectname); | 138 | void report_tls(struct tls *tls_ctx, char * host, char *tls_expectname); |
| 137 | void usage(int); | 139 | void usage(int); |
| @@ -165,7 +167,7 @@ main(int argc, char *argv[]) | |||
| 165 | signal(SIGPIPE, SIG_IGN); | 167 | signal(SIGPIPE, SIG_IGN); |
| 166 | 168 | ||
| 167 | while ((ch = getopt(argc, argv, | 169 | while ((ch = getopt(argc, argv, |
| 168 | "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) { | 170 | "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:Z:z")) != -1) { |
| 169 | switch (ch) { | 171 | switch (ch) { |
| 170 | case '4': | 172 | case '4': |
| 171 | family = AF_INET; | 173 | family = AF_INET; |
| @@ -279,6 +281,12 @@ main(int argc, char *argv[]) | |||
| 279 | if ((proxy = strdup(optarg)) == NULL) | 281 | if ((proxy = strdup(optarg)) == NULL) |
| 280 | err(1, NULL); | 282 | err(1, NULL); |
| 281 | break; | 283 | break; |
| 284 | case 'Z': | ||
| 285 | if (strcmp(optarg, "-") == 0) | ||
| 286 | Zflag = stderr; | ||
| 287 | else if ((Zflag = fopen(optarg, "w")) == NULL) | ||
| 288 | err(1, "can't open %s", optarg); | ||
| 289 | break; | ||
| 282 | case 'z': | 290 | case 'z': |
| 283 | zflag = 1; | 291 | zflag = 1; |
| 284 | break; | 292 | break; |
| @@ -385,6 +393,8 @@ main(int argc, char *argv[]) | |||
| 385 | errx(1, "you must specify -c to use -C"); | 393 | errx(1, "you must specify -c to use -C"); |
| 386 | if (Kflag && !usetls) | 394 | if (Kflag && !usetls) |
| 387 | errx(1, "you must specify -c to use -K"); | 395 | errx(1, "you must specify -c to use -K"); |
| 396 | if (Zflag && !usetls) | ||
| 397 | errx(1, "you must specify -c to use -Z"); | ||
| 388 | if (oflag && !Cflag) | 398 | if (oflag && !Cflag) |
| 389 | errx(1, "you must specify -C to use -o"); | 399 | errx(1, "you must specify -C to use -o"); |
| 390 | if (tls_cachanged && !usetls) | 400 | if (tls_cachanged && !usetls) |
| @@ -766,6 +776,11 @@ tls_setup_client(struct tls *tls_ctx, int s, char *host) | |||
| 766 | if (tls_expecthash && tls_peer_cert_hash(tls_ctx) && | 776 | if (tls_expecthash && tls_peer_cert_hash(tls_ctx) && |
| 767 | strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0) | 777 | strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0) |
| 768 | errx(1, "peer certificate is not %s", tls_expecthash); | 778 | errx(1, "peer certificate is not %s", tls_expecthash); |
| 779 | if (Zflag) { | ||
| 780 | save_peer_cert(tls_ctx, Zflag); | ||
| 781 | if (Zflag != stderr && (fclose(Zflag) != 0)) | ||
| 782 | err(1, "fclose failed saving peer cert"); | ||
| 783 | } | ||
| 769 | } | 784 | } |
| 770 | 785 | ||
| 771 | struct tls * | 786 | struct tls * |
| @@ -1549,6 +1564,21 @@ map_tls(char *s, int *val) | |||
| 1549 | } | 1564 | } |
| 1550 | 1565 | ||
| 1551 | void | 1566 | void |
| 1567 | save_peer_cert(struct tls *tls_ctx, FILE *fp) | ||
| 1568 | { | ||
| 1569 | const char *pem; | ||
| 1570 | size_t plen; | ||
| 1571 | FILE *out; | ||
| 1572 | |||
| 1573 | if ((pem = tls_peer_cert_chain_pem(tls_ctx, &plen)) == NULL) | ||
| 1574 | errx(1, "Can't get peer certificate"); | ||
| 1575 | if (fprintf(fp, "%.*s", plen, pem) < 0) | ||
| 1576 | err(1, "unable to save peer cert"); | ||
| 1577 | if (fflush(fp) != 0) | ||
| 1578 | err(1, "unable to flush peer cert"); | ||
| 1579 | } | ||
| 1580 | |||
| 1581 | void | ||
| 1552 | report_tls(struct tls * tls_ctx, char * host, char *tls_expectname) | 1582 | report_tls(struct tls * tls_ctx, char * host, char *tls_expectname) |
| 1553 | { | 1583 | { |
| 1554 | time_t t; | 1584 | time_t t; |