tlsclient: add -o option to establish connection over a file, free the AuthInfo structure to avoid leaking secrets

cinap_lenrek 2016-02-14 02:06:08 +01:00
parent 9ec9a47789
commit a9b1e990b8
2 changed files with 33 additions and 7 deletions


@ -59,7 +59,16 @@ logfile
.B -n .B -n
.I servername .I servername
] ]
[
.B -o
]
.I address .I address
[
.I cmd
[
.I args ...
]
]
.PP .PP
.B tlssrvtunnel .B tlssrvtunnel
.I plain-addr .I plain-addr
@ -103,12 +112,14 @@ flag was specified.
.I Tlsclient .I Tlsclient
is the reverse of is the reverse of
.IR tlssrv : .IR tlssrv :
it dials it connects to
.IR address , .IR address ,
starts TLS, starts TLS,
and then relays and then relays
between the network connection between the network connection
and standard input and output. and standard input and output or executes
.I cmd args
with standard input and output redirected to the connection.
The The
.B -D .B -D
flag enables some debug output. flag enables some debug output.
@ -137,6 +148,12 @@ option passes the string
.I servername .I servername
in the TLS hello message (Server Name Idenfitication) in the TLS hello message (Server Name Idenfitication)
which is usefull when talking to webservers. which is usefull when talking to webservers.
When the
.B -o
option was specified,
.I address
is interpreted as a filename to be opend read-write instead of
a dial string.
.PP .PP
.I Tlssrvtunnel .I Tlssrvtunnel
and and


@ -4,14 +4,14 @@
#include <libsec.h> #include <libsec.h>
#include <auth.h> #include <auth.h>
int debug, auth; int debug, auth, dialfile;
char *keyspec = ""; char *keyspec = "";
char *servername, *file, *filex, *ccert; char *servername, *file, *filex, *ccert;
void void
usage(void) usage(void)
{ {
fprint(2, "usage: tlsclient [-D] [-a [-k keyspec] ] [-c lib/tls/clientcert] [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] [-n servername] dialstring [cmd [args...]]\n"); fprint(2, "usage: tlsclient [-D] [-a [-k keyspec] ] [-c lib/tls/clientcert] [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] [-n servername] [-o] dialstring [cmd [args...]]\n");
exits("usage"); exits("usage");
} }
@ -47,6 +47,7 @@ main(int argc, char **argv)
char *addr; char *addr;
TLSconn *conn; TLSconn *conn;
Thumbprint *thumb; Thumbprint *thumb;
AuthInfo *ai = nil;
fmtinstall('H', encodefmt); fmtinstall('H', encodefmt);
@ -72,6 +73,9 @@ main(int argc, char **argv)
case 'n': case 'n':
servername = EARGF(usage()); servername = EARGF(usage());
break; break;
case 'o':
dialfile = 1;
break;
default: default:
usage(); usage();
}ARGEND }ARGEND
@ -90,7 +94,7 @@ main(int argc, char **argv)
thumb = nil; thumb = nil;
addr = *argv++; addr = *argv++;
if((fd = dial(addr, 0, 0, 0)) < 0) if((fd = dialfile? open(addr, ORDWR): dial(addr, 0, 0, 0)) < 0)
sysfatal("dial %s: %r", addr); sysfatal("dial %s: %r", addr);
conn = (TLSconn*)mallocz(sizeof *conn, 1); conn = (TLSconn*)mallocz(sizeof *conn, 1);
@ -102,8 +106,6 @@ main(int argc, char **argv)
} }
if(auth){ if(auth){
AuthInfo *ai;
ai = auth_proxy(fd, auth_getkey, "proto=p9any role=client %s", keyspec); ai = auth_proxy(fd, auth_getkey, "proto=p9any role=client %s", keyspec);
if(ai == nil) if(ai == nil)
sysfatal("auth_proxy: %r"); sysfatal("auth_proxy: %r");
@ -128,8 +130,15 @@ main(int argc, char **argv)
sha1(conn->cert, conn->certlen, digest, nil); sha1(conn->cert, conn->certlen, digest, nil);
if(!okThumbprint(digest, thumb)) if(!okThumbprint(digest, thumb))
sysfatal("server certificate %.*H not recognized", SHA1dlen, digest); sysfatal("server certificate %.*H not recognized", SHA1dlen, digest);
freeThumbprints(thumb);
} }
free(conn->cert);
free(conn->sessionID);
free(conn);
if(ai != nil)
auth_freeAI(ai);
if(*argv){ if(*argv){
dup(fd, 0); dup(fd, 0);
dup(fd, 1); dup(fd, 1);
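Review bot: The failure message `sysfatal("dial %s: %r", addr)` now sits behind both the `open(addr, ORDWR)` and the `dial(addr, 0, 0, 0)` paths, so with `-o` an unopenable file is reported as a failed dial; `sysfatal("%s %s: %r", dialfile? "open" : "dial", addr);` keeps the diagnostic accurate without changing behaviour. The new cleanup frees `conn->cert`, `conn->sessionID` and `conn` before calling `auth_freeAI(ai)`; if `conn` borrows the secret from `ai` for the handshake (the lines that would show this are outside the hunk), that order is the correct one and deserves a comment such as `/* conn may reference ai->secret; release conn first */` so a later reorder does not introduce a use-after-free. Any further heap fields tlsClient may fill in on `conn` are not released here, which is harmless for a one-shot client but worth keeping in mind if this exit path is ever reused. main begins before the first hunk and the `if(*argv)` block continues past the last line shown.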