Let libtls load the CA, certificate and key files for nc(1), now that it

does this at the time the tls_config_set_*_file() function is called.

ok bluhm@

1 files changed, 15 insertions, 22 deletions

diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index bb74bb6070..d30dd938f3 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.161 2016/07/30 22:04:04 halex Exp $ */
+/* $OpenBSD: netcat.c,v 1.162 2016/08/13 13:09:10 jsing Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -104,12 +104,6 @@ int	tls_cachanged;				/* Using non-default CA file */
 int     TLSopt;                                 /* TLS options */
 char    *tls_expectname;                        /* required name in peer cert */
 char    *tls_expecthash;                        /* required hash of peer cert */
-uint8_t *cacert;
-size_t  cacertlen;
-uint8_t *privkey;
-size_t  privkeylen;
-uint8_t *pubcert;
-size_t  pubcertlen;
 
 int timeout = -1;
 int family = AF_UNSPEC;
@@ -444,29 +438,22 @@ main(int argc, char *argv[])
         }
 
         if (usetls) {
-                if (Rflag && (cacert = tls_load_file(Rflag, &cacertlen, NULL)) == NULL)
-                        errx(1, "unable to load root CA file %s", Rflag);
-                if (Cflag && (pubcert = tls_load_file(Cflag, &pubcertlen, NULL)) == NULL)
-                        errx(1, "unable to load TLS certificate file %s", Cflag);
-                if (Kflag && (privkey = tls_load_file(Kflag, &privkeylen, NULL)) == NULL)
-                        errx(1, "unable to load TLS key file %s", Kflag);
-
                 if (Pflag) {
-                        if (pledge("stdio inet dns tty", NULL) == -1)
+                        if (pledge("stdio inet dns tty rpath", NULL) == -1)
                                 err(1, "pledge");
-                } else if (pledge("stdio inet dns", NULL) == -1)
+                } else if (pledge("stdio inet dns rpath", NULL) == -1)
                         err(1, "pledge");
 
                 if (tls_init() == -1)
                         errx(1, "unable to initialize TLS");
                 if ((tls_cfg = tls_config_new()) == NULL)
                         errx(1, "unable to allocate TLS config");
-                if (Rflag && tls_config_set_ca_mem(tls_cfg, cacert, cacertlen) == -1)
-                        errx(1, "unable to set root CA file %s", Rflag);
-                if (Cflag && tls_config_set_cert_mem(tls_cfg, pubcert, pubcertlen) == -1)
-                        errx(1, "unable to set TLS certificate file %s", Cflag);
-                if (Kflag && tls_config_set_key_mem(tls_cfg, privkey, privkeylen) == -1)
-                        errx(1, "unable to set TLS key file %s", Kflag);
+                if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1)
+                        errx(1, "%s", tls_config_error(tls_cfg));
+                if (Cflag && tls_config_set_cert_file(tls_cfg, Cflag) == -1)
+                        errx(1, "%s", tls_config_error(tls_cfg));
+                if (Kflag && tls_config_set_key_file(tls_cfg, Kflag) == -1)
+                        errx(1, "%s", tls_config_error(tls_cfg));
                 if (TLSopt & TLS_LEGACY) {
                         tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL);
                         tls_config_set_ciphers(tls_cfg, "all");
@@ -481,6 +468,12 @@ main(int argc, char *argv[])
                                     "together");
                         tls_config_insecure_noverifycert(tls_cfg);
                 }
+
+                if (Pflag) {
+                        if (pledge("stdio inet dns tty", NULL) == -1)
+                                err(1, "pledge");
+                } else if (pledge("stdio inet dns", NULL) == -1)
+                        err(1, "pledge");
         }
         if (lflag) {
                 struct tls *tls_cctx = NULL;