diff options
| author | jsing <> | 2016-07-06 16:31:18 +0000 |
|---|---|---|
| committer | jsing <> | 2016-07-06 16:31:18 +0000 |
| commit | ff841a7f5640cf43d804a47ee366975efc00dffe (patch) | |
| tree | d306af08fcb2db842235ed7ed2f89befa154ae51 /src | |
| parent | c6881b696b1fa5d3e6966b53235e4c76d0574048 (diff) | |
| download | openbsd-ff841a7f5640cf43d804a47ee366975efc00dffe.tar.gz openbsd-ff841a7f5640cf43d804a47ee366975efc00dffe.tar.bz2 openbsd-ff841a7f5640cf43d804a47ee366975efc00dffe.zip | |
Remove manual file loading (now that libtls does this for us) and adjust
pledge to match. Also use tls_config_error() to provide friendlier error
messages.
Diffstat (limited to 'src')
| -rw-r--r-- | src/usr.bin/nc/netcat.c | 40 |
1 files changed, 16 insertions, 24 deletions
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c index 83cd59a738..5673dd5b18 100644 --- a/src/usr.bin/nc/netcat.c +++ b/src/usr.bin/nc/netcat.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: netcat.c,v 1.157 2016/07/01 00:29:14 bcook Exp $ */ | 1 | /* $OpenBSD: netcat.c,v 1.158 2016/07/06 16:31:18 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2001 Eric Jackson <ericj@monkey.org> | 3 | * Copyright (c) 2001 Eric Jackson <ericj@monkey.org> |
| 4 | * Copyright (c) 2015 Bob Beck. All rights reserved. | 4 | * Copyright (c) 2015 Bob Beck. All rights reserved. |
| @@ -65,7 +65,6 @@ | |||
| 65 | #define POLL_NETIN 2 | 65 | #define POLL_NETIN 2 |
| 66 | #define POLL_STDOUT 3 | 66 | #define POLL_STDOUT 3 |
| 67 | #define BUFSIZE 16384 | 67 | #define BUFSIZE 16384 |
| 68 | #define DEFAULT_CA_FILE "/etc/ssl/cert.pem" | ||
| 69 | 68 | ||
| 70 | #define TLS_LEGACY (1 << 1) | 69 | #define TLS_LEGACY (1 << 1) |
| 71 | #define TLS_NOVERIFY (1 << 2) | 70 | #define TLS_NOVERIFY (1 << 2) |
| @@ -99,17 +98,11 @@ int rtableid = -1; | |||
| 99 | int usetls; /* use TLS */ | 98 | int usetls; /* use TLS */ |
| 100 | char *Cflag; /* Public cert file */ | 99 | char *Cflag; /* Public cert file */ |
| 101 | char *Kflag; /* Private key file */ | 100 | char *Kflag; /* Private key file */ |
| 102 | char *Rflag = DEFAULT_CA_FILE; /* Root CA file */ | 101 | char *Rflag; /* Root CA file */ |
| 103 | int tls_cachanged; /* Using non-default CA file */ | 102 | int tls_cachanged; /* Using non-default CA file */ |
| 104 | int TLSopt; /* TLS options */ | 103 | int TLSopt; /* TLS options */ |
| 105 | char *tls_expectname; /* required name in peer cert */ | 104 | char *tls_expectname; /* required name in peer cert */ |
| 106 | char *tls_expecthash; /* required hash of peer cert */ | 105 | char *tls_expecthash; /* required hash of peer cert */ |
| 107 | uint8_t *cacert; | ||
| 108 | size_t cacertlen; | ||
| 109 | uint8_t *privkey; | ||
| 110 | size_t privkeylen; | ||
| 111 | uint8_t *pubcert; | ||
| 112 | size_t pubcertlen; | ||
| 113 | 106 | ||
| 114 | int timeout = -1; | 107 | int timeout = -1; |
| 115 | int family = AF_UNSPEC; | 108 | int family = AF_UNSPEC; |
| @@ -444,29 +437,22 @@ main(int argc, char *argv[]) | |||
| 444 | } | 437 | } |
| 445 | 438 | ||
| 446 | if (usetls) { | 439 | if (usetls) { |
| 447 | if (Rflag && (cacert = tls_load_file(Rflag, &cacertlen, NULL)) == NULL) | ||
| 448 | errx(1, "unable to load root CA file %s", Rflag); | ||
| 449 | if (Cflag && (pubcert = tls_load_file(Cflag, &pubcertlen, NULL)) == NULL) | ||
| 450 | errx(1, "unable to load TLS certificate file %s", Cflag); | ||
| 451 | if (Kflag && (privkey = tls_load_file(Kflag, &privkeylen, NULL)) == NULL) | ||
| 452 | errx(1, "unable to load TLS key file %s", Kflag); | ||
| 453 | |||
| 454 | if (Pflag) { | 440 | if (Pflag) { |
| 455 | if (pledge("stdio inet dns tty", NULL) == -1) | 441 | if (pledge("stdio inet dns rpath tty", NULL) == -1) |
| 456 | err(1, "pledge"); | 442 | err(1, "pledge"); |
| 457 | } else if (pledge("stdio inet dns", NULL) == -1) | 443 | } else if (pledge("stdio inet dns rpath", NULL) == -1) |
| 458 | err(1, "pledge"); | 444 | err(1, "pledge"); |
| 459 | 445 | ||
| 460 | if (tls_init() == -1) | 446 | if (tls_init() == -1) |
| 461 | errx(1, "unable to initialize TLS"); | 447 | errx(1, "unable to initialize TLS"); |
| 462 | if ((tls_cfg = tls_config_new()) == NULL) | 448 | if ((tls_cfg = tls_config_new()) == NULL) |
| 463 | errx(1, "unable to allocate TLS config"); | 449 | errx(1, "unable to allocate TLS config"); |
| 464 | if (Rflag && tls_config_set_ca_mem(tls_cfg, cacert, cacertlen) == -1) | 450 | if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1) |
| 465 | errx(1, "unable to set root CA file %s", Rflag); | 451 | errx(1, "%s", tls_config_error(tls_cfg)); |
| 466 | if (Cflag && tls_config_set_cert_mem(tls_cfg, pubcert, pubcertlen) == -1) | 452 | if (Cflag && tls_config_set_cert_file(tls_cfg, Cflag) == -1) |
| 467 | errx(1, "unable to set TLS certificate file %s", Cflag); | 453 | errx(1, "%s", tls_config_error(tls_cfg)); |
| 468 | if (Kflag && tls_config_set_key_mem(tls_cfg, privkey, privkeylen) == -1) | 454 | if (Kflag && tls_config_set_key_file(tls_cfg, Kflag) == -1) |
| 469 | errx(1, "unable to set TLS key file %s", Kflag); | 455 | errx(1, "%s", tls_config_error(tls_cfg)); |
| 470 | if (TLSopt & TLS_LEGACY) { | 456 | if (TLSopt & TLS_LEGACY) { |
| 471 | tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL); | 457 | tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL); |
| 472 | tls_config_set_ciphers(tls_cfg, "legacy"); | 458 | tls_config_set_ciphers(tls_cfg, "legacy"); |
| @@ -481,6 +467,12 @@ main(int argc, char *argv[]) | |||
| 481 | "together"); | 467 | "together"); |
| 482 | tls_config_insecure_noverifycert(tls_cfg); | 468 | tls_config_insecure_noverifycert(tls_cfg); |
| 483 | } | 469 | } |
| 470 | |||
| 471 | if (Pflag) { | ||
| 472 | if (pledge("stdio inet dns tty", NULL) == -1) | ||
| 473 | err(1, "pledge"); | ||
| 474 | } else if (pledge("stdio inet dns", NULL) == -1) | ||
| 475 | err(1, "pledge"); | ||
| 484 | } | 476 | } |
| 485 | if (lflag) { | 477 | if (lflag) { |
| 486 | struct tls *tls_cctx = NULL; | 478 | struct tls *tls_cctx = NULL; |