From 1988b8f65e4bfa2c9fb1fa13316f3c22ec59d298 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Mon, 7 Dec 2015 07:55:05 -0600
Subject: fixup cert.pem path override for libtls, add for nc(1)
this also fixes the formatting of help for nc(1)
---
apps/nc/Makefile.am | 5 +++++
patches/netcat.c.patch | 61 ++++++++++++++++++++++++++++++++++----------------
tls/Makefile.am | 4 ++--
3 files changed, 49 insertions(+), 21 deletions(-)
diff --git a/apps/nc/Makefile.am b/apps/nc/Makefile.am
index cfcdab1..564080c 100644
--- a/apps/nc/Makefile.am
+++ b/apps/nc/Makefile.am
@@ -12,6 +12,11 @@ nc_LDADD += $(top_builddir)/ssl/libssl.la
nc_LDADD += $(top_builddir)/tls/libtls.la
AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
+if OPENSSLDIR_DEFINED
+AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"@OPENSSLDIR@/cert.pem\"
+else
+AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\"
+endif
nc_SOURCES = atomicio.c
nc_SOURCES += netcat.c
diff --git a/patches/netcat.c.patch b/patches/netcat.c.patch
index d914231..86cd9ae 100644
--- a/patches/netcat.c.patch
+++ b/patches/netcat.c.patch
@@ -1,5 +1,5 @@
--- apps/nc/netcat.c.orig Sun Dec 6 22:05:45 2015
-+++ apps/nc/netcat.c Sun Dec 6 23:23:15 2015
++++ apps/nc/netcat.c Mon Dec 7 07:52:00 2015
@@ -57,6 +57,10 @@
#include
#include "atomicio.h"
@@ -11,7 +11,17 @@
#define PORT_MAX 65535
#define UNIX_DG_TMP_SOCKET_SIZE 19
-@@ -92,9 +96,13 @@
+@@ -65,7 +69,9 @@
+ #define POLL_NETIN 2
+ #define POLL_STDOUT 3
+ #define BUFSIZE 16384
++#ifndef DEFAULT_CA_FILE
+ #define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
++#endif
+
+ #define TLS_LEGACY (1 << 1)
+ #define TLS_NOVERIFY (1 << 2)
+@@ -92,9 +98,13 @@
int Dflag; /* sodebug */
int Iflag; /* TCP receive buffer size */
int Oflag; /* TCP send buffer size */
@@ -25,7 +35,7 @@
int usetls; /* use TLS */
char *Cflag; /* Public cert file */
-@@ -144,7 +152,7 @@
+@@ -144,7 +154,7 @@
struct servent *sv;
socklen_t len;
struct sockaddr_storage cliaddr;
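Review bot: The `+if OPENSSLDIR_DEFINED` / `+else` block added to apps/nc/Makefile.am re-implements the same default-CA-path choice that tls/Makefile.am makes for `_PATH_SSL_CA_FILE` in the last hunk of this patch, so the two can silently diverge again (the libtls one was already wrong before this commit, naming the directory rather than cert.pem). Computing the path once at configure time, for example as a constructed `@DEFAULT_CA_FILE@`-style substitution that both Makefiles pass with `-D`, would keep nc(1) and libtls agreeing on which bundle they trust; configure.ac is not part of this diff, so that is a suggestion rather than a verified change. The `++#ifndef DEFAULT_CA_FILE` guard added to patches/netcat.c.patch on the same line preserves the `"/etc/ssl/cert.pem"` fallback when the build passes no define, which is the right shape for a compile-time default.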
@@ -34,7 +44,7 @@
const char *errstr, *proxyhost = "", *proxyport = NULL;
struct addrinfo proxyhints;
char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -245,12 +253,14 @@
+@@ -245,12 +255,14 @@
case 'u':
uflag = 1;
break;
@@ -49,7 +59,7 @@
case 'v':
vflag = 1;
break;
-@@ -283,9 +293,11 @@
+@@ -283,9 +295,11 @@
errx(1, "TCP send window %s: %s",
errstr, optarg);
break;
@@ -61,7 +71,7 @@
case 'T':
errstr = NULL;
errno = 0;
-@@ -309,9 +321,11 @@
+@@ -309,9 +323,11 @@
argc -= optind;
argv += optind;
@@ -73,7 +83,19 @@
if (family == AF_UNIX) {
if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -791,7 +805,10 @@
+@@ -444,7 +460,10 @@
+ errx(1, "-H and -T noverify may not be used"
+ "together");
+ tls_config_insecure_noverifycert(tls_cfg);
+- }
++ } else {
++ if (Rflag && access(Rflag, R_OK) == -1)
++ errx(1, "unable to find root CA file %s", Rflag);
++ }
+ }
+ if (lflag) {
+ struct tls *tls_cctx = NULL;
+@@ -791,7 +810,10 @@
remote_connect(const char *host, const char *port, struct addrinfo hints)
{
struct addrinfo *res, *res0;
@@ -85,7 +107,7 @@
if ((error = getaddrinfo(host, port, &hints, &res)))
errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -806,8 +823,10 @@
+@@ -806,8 +828,10 @@
if (sflag || pflag) {
struct addrinfo ahints, *ares;
@@ -96,7 +118,7 @@
memset(&ahints, 0, sizeof(struct addrinfo));
ahints.ai_family = res0->ai_family;
ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -876,7 +895,10 @@
+@@ -876,7 +900,10 @@
local_listen(char *host, char *port, struct addrinfo hints)
{
struct addrinfo *res, *res0;
@@ -108,7 +130,7 @@
int error;
/* Allow nodename to be null. */
-@@ -898,9 +920,11 @@
+@@ -898,9 +925,11 @@
res0->ai_protocol)) < 0)
continue;
@@ -120,7 +142,7 @@
set_common_sockopts(s, res0->ai_family);
-@@ -1340,11 +1364,13 @@
+@@ -1340,11 +1369,13 @@
{
int x = 1;
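Review bot: The new pre-flight check at `++ if (Rflag && access(Rflag, R_OK) == -1)` reports every failure as "unable to find", but access() also fails with EACCES for a bundle that exists and is unreadable, and errx() discards that distinction; `err(1, "unable to open root CA file %s", Rflag);` would append strerror(errno) and tell the user which case they hit. access() here is only an early usability check, not the trust decision: whether the bundle actually loads and is used for verification is presumably decided later by libtls outside this hunk, so a failure at that point still needs its own clear error. Whether `Rflag` can be NULL at this point depends on its initializer, which is not visible in this hunk; if it defaults to DEFAULT_CA_FILE the `Rflag &&` guard is redundant but harmless. The surrounding context lines also show the pre-existing `"... may not be used" "together"` concatenation, which prints "usedtogether" and deserves a separate one-character fix. The enclosing function starts and ends outside the hunk.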
@@ -134,29 +156,30 @@
if (Dflag) {
if (setsockopt(s, SOL_SOCKET, SO_DEBUG, &x, sizeof(x)) == -1)
-@@ -1519,15 +1545,19 @@
+@@ -1519,14 +1550,22 @@
\t-P proxyuser\tUsername for proxy authentication\n\
\t-p port\t Specify local port for remote connects\n\
\t-R CAfile CA bundle\n\
- \t-r Randomize remote ports\n\
- \t-S Enable the TCP MD5 signature option\n\
-- \t-s source Local source address\n\
+ \t-r Randomize remote ports\n"
+#ifdef TCP_MD5SIG
-+ "\t-S Enable the TCP MD5 signature option\n"
++ "\
++ \t-S Enable the TCP MD5 signature option\n"
+#endif
-+ "\t-s source Local source address\n\
++ "\
+ \t-s source Local source address\n\
\t-T keyword TOS value or TLS options\n\
\t-t Answer TELNET negotiation\n\
\t-U Use UNIX domain socket\n\
- \t-u UDP mode\n\
- \t-V rtable Specify alternate routing table\n\
-- \t-v Verbose\n\
+ \t-u UDP mode\n"
+#ifdef SO_RTABLE
-+ "\t-V rtable Specify alternate routing table\n"
++ "\
++ \t-V rtable Specify alternate routing table\n"
+#endif
-+ "\t-v Verbose\n\
++ "\
+ \t-v Verbose\n\
\t-w timeout Timeout for connects and final net reads\n\
\t-X proto Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
- \t-x addr[:port]\tSpecify proxy address and port\n\
diff --git a/tls/Makefile.am b/tls/Makefile.am
index 2d033fd..b19c881 100644
--- a/tls/Makefile.am
+++ b/tls/Makefile.am
@@ -10,9 +10,9 @@ libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
libtls_la_CPPFLAGS = $(AM_CPPFLAGS)
if OPENSSLDIR_DEFINED
-libtls_la_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"@OPENSSLDIR@\"
+libtls_la_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"@OPENSSLDIR@/cert.pem\"
else
-libtls_la_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(sysconfdir)/ssl\"
+libtls_la_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\"
endif
libtls_la_SOURCES = tls.c
--
cgit v1.2.3-55-g6feb
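Review bot: Wrapping the `-S` and `-V` usage lines in `+#ifdef TCP_MD5SIG` and `+#ifdef SO_RTABLE` hides them from the help text, but nothing in this hunk shows the getopt string or the `case 'S'`/`case 'V'` handlers being guarded the same way; if they are not, the options stay accepted on platforms where the help no longer lists them, which is confusing rather than wrong. A short comment above the first guard, such as `/* keep in sync with the option-parsing guards in main() */`, would make that coupling explicit for the next editor. The `"\` continuation lines restart the string literal correctly after each `#endif` (adjacent literals concatenate, and the leading tab on the next line matches the rest of the string), so the formatting fix itself looks right. The usage string and the function enclosing it begin and end outside the hunk.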