tlsclient: add -o option to establish connection over a file, free the AuthInfo structure to avoid leaking secrets
This commit is contained in:
cinap_lenrek
parent
9ec9a47789
commit
a9b1e990b8
2 changed files with 33 additions and 7 deletions
|
|
@ -59,7 +59,16 @@ logfile
|
|||
.B -n
|
||||
.I servername
|
||||
]
|
||||
[
|
||||
.B -o
|
||||
]
|
||||
.I address
|
||||
[
|
||||
.I cmd
|
||||
[
|
||||
.I args ...
|
||||
]
|
||||
]
|
||||
.PP
|
||||
.B tlssrvtunnel
|
||||
.I plain-addr
|
||||
|
|
@ -103,12 +112,14 @@ flag was specified.
|
|||
.I Tlsclient
|
||||
is the reverse of
|
||||
.IR tlssrv :
|
||||
it dials
|
||||
it connects to
|
||||
.IR address ,
|
||||
starts TLS,
|
||||
and then relays
|
||||
between the network connection
|
||||
and standard input and output.
|
||||
and standard input and output or executes
|
||||
.I cmd args
|
||||
with standard input and output redirected to the connection.
|
||||
The
|
||||
.B -D
|
||||
flag enables some debug output.
|
||||
|
|
@ -137,6 +148,12 @@ option passes the string
|
|||
.I servername
|
||||
in the TLS hello message (Server Name Idenfitication)
|
||||
which is usefull when talking to webservers.
|
||||
When the
|
||||
.B -o
|
||||
option was specified,
|
||||
.I address
|
||||
is interpreted as a filename to be opend read-write instead of
|
||||
a dial string.
|
||||
.PP
|
||||
.I Tlssrvtunnel
|
||||
and
|
||||
|
|
|
|||
|
|
@ -4,14 +4,14 @@
|
|||
#include <libsec.h>
|
||||
#include <auth.h>
|
||||
|
||||
int debug, auth;
|
||||
int debug, auth, dialfile;
|
||||
char *keyspec = "";
|
||||
char *servername, *file, *filex, *ccert;
|
||||
|
||||
void
|
||||
usage(void)
|
||||
{
|
||||
fprint(2, "usage: tlsclient [-D] [-a [-k keyspec] ] [-c lib/tls/clientcert] [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] [-n servername] dialstring [cmd [args...]]\n");
|
||||
fprint(2, "usage: tlsclient [-D] [-a [-k keyspec] ] [-c lib/tls/clientcert] [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] [-n servername] [-o] dialstring [cmd [args...]]\n");
|
||||
exits("usage");
|
||||
}
|
||||
|
||||
|
|
@ -47,6 +47,7 @@ main(int argc, char **argv)
|
|||
char *addr;
|
||||
TLSconn *conn;
|
||||
Thumbprint *thumb;
|
||||
AuthInfo *ai = nil;
|
||||
|
||||
fmtinstall('H', encodefmt);
|
||||
|
||||
|
|
@ -72,6 +73,9 @@ main(int argc, char **argv)
|
|||
case 'n':
|
||||
servername = EARGF(usage());
|
||||
break;
|
||||
case 'o':
|
||||
dialfile = 1;
|
||||
break;
|
||||
default:
|
||||
usage();
|
||||
}ARGEND
|
||||
|
|
@ -90,7 +94,7 @@ main(int argc, char **argv)
|
|||
thumb = nil;
|
||||
|
||||
addr = *argv++;
|
||||
if((fd = dial(addr, 0, 0, 0)) < 0)
|
||||
if((fd = dialfile? open(addr, ORDWR): dial(addr, 0, 0, 0)) < 0)
|
||||
sysfatal("dial %s: %r", addr);
|
||||
|
||||
conn = (TLSconn*)mallocz(sizeof *conn, 1);
|
||||
|
|
@ -102,8 +106,6 @@ main(int argc, char **argv)
|
|||
}
|
||||
|
||||
if(auth){
|
||||
AuthInfo *ai;
|
||||
|
||||
ai = auth_proxy(fd, auth_getkey, "proto=p9any role=client %s", keyspec);
|
||||
if(ai == nil)
|
||||
sysfatal("auth_proxy: %r");
|
||||
|
|
@ -128,8 +130,15 @@ main(int argc, char **argv)
|
|||
sha1(conn->cert, conn->certlen, digest, nil);
|
||||
if(!okThumbprint(digest, thumb))
|
||||
sysfatal("server certificate %.*H not recognized", SHA1dlen, digest);
|
||||
freeThumbprints(thumb);
|
||||
}
|
||||
|
||||
free(conn->cert);
|
||||
free(conn->sessionID);
|
||||
free(conn);
|
||||
if(ai != nil)
|
||||
auth_freeAI(ai);
|
||||
|
||||
if(*argv){
|
||||
dup(fd, 0);
|
||||
dup(fd, 1);
|
||||
|
|
|
|||
Loading…
Reference in a new issue