

ref: a9b1e990b8339d413aecaa00c5db743358caa42c
parent: 9ec9a47789c5c71c8e135d7ce0a92d44317c1fa0
author: cinap_lenrek <[email protected]>
date: Sat Feb 13 21:06:08 EST 2016

tlsclient: add -o option to establish connection over a file, free the AuthInfo structure to avoid leaking secrets

--- a/sys/man/8/tlssrv
+++ b/sys/man/8/tlssrv
@@ -59,7 +59,16 @@
 .B -n
 .I servername
 ]
+[
+.B -o
+]
 .I address
+[
+.I cmd
+[
+.I args ...
+]
+]
 .PP
 .B tlssrvtunnel
 .I plain-addr
@@ -103,12 +112,14 @@
 .I Tlsclient
 is the reverse of
 .IR tlssrv :
-it dials
+it connects to
 .IR address ,
 starts TLS,
 and then relays 
 between the network connection
-and standard input and output.
+and standard input and output or executes
+.I cmd args
+with standard input and output redirected to the connection.
 The
 .B -D
 flag enables some debug output.
@@ -137,6 +148,12 @@
 .I servername
 in the TLS hello message (Server Name Idenfitication)
 which is usefull when talking to webservers.
+When the
+.B -o
+option was specified,
+.I address
+is interpreted as a filename to be opend read-write instead of
+a dial string.
 .PP
 .I Tlssrvtunnel
 and
--- a/sys/src/cmd/tlsclient.c
+++ b/sys/src/cmd/tlsclient.c
@@ -4,7 +4,7 @@
 #include <libsec.h>
 #include <auth.h>
 
-int debug, auth;
+int debug, auth, dialfile;
 char *keyspec = "";
 char *servername, *file, *filex, *ccert;
 
@@ -11,7 +11,7 @@
 void
 usage(void)
 {
-	fprint(2, "usage: tlsclient [-D] [-a [-k keyspec] ] [-c lib/tls/clientcert] [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] [-n servername] dialstring [cmd [args...]]\n");
+	fprint(2, "usage: tlsclient [-D] [-a [-k keyspec] ] [-c lib/tls/clientcert] [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] [-n servername] [-o] dialstring [cmd [args...]]\n");
 	exits("usage");
 }
 
@@ -47,6 +47,7 @@
 	char *addr;
 	TLSconn *conn;
 	Thumbprint *thumb;
+	AuthInfo *ai = nil;
 
 	fmtinstall('H', encodefmt);
 
@@ -72,6 +73,9 @@
 	case 'n':
 		servername = EARGF(usage());
 		break;
+	case 'o':
+		dialfile = 1;
+		break;
 	default:
 		usage();
 	}ARGEND
@@ -90,7 +94,7 @@
 		thumb = nil;
 
 	addr = *argv++;
-	if((fd = dial(addr, 0, 0, 0)) < 0)
+	if((fd = dialfile? open(addr, ORDWR): dial(addr, 0, 0, 0)) < 0)
 		sysfatal("dial %s: %r", addr);
 
 	conn = (TLSconn*)mallocz(sizeof *conn, 1);
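Review bot: The failure message on the line after the new open()/dial() choice still reads `dial %s: %r`, so a missing or unopenable -o file is reported as a failed dial, which will mislead whoever reads the log. Pick the verb to match the branch taken, e.g. `sysfatal("%s %s: %r", dialfile ? "open" : "dial", addr);`. A one-line comment above the conditional, such as `/* -o: addr names a file used directly as the transport instead of a dial string */`, would also save the next reader a trip to the man page. main() starts and ends outside this hunk.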
@@ -102,8 +106,6 @@
 	}
 
 	if(auth){
-		AuthInfo *ai;
-
 		ai = auth_proxy(fd, auth_getkey, "proto=p9any role=client %s", keyspec);
 		if(ai == nil)
 			sysfatal("auth_proxy: %r");
@@ -128,7 +130,14 @@
 		sha1(conn->cert, conn->certlen, digest, nil);
 		if(!okThumbprint(digest, thumb))
 			sysfatal("server certificate %.*H not recognized", SHA1dlen, digest);
+		freeThumbprints(thumb);
 	}
+
+	free(conn->cert);
+	free(conn->sessionID);
+	free(conn);
+	if(ai != nil)
+		auth_freeAI(ai);
 
 	if(*argv){
 		dup(fd, 0);
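Review bot: Whether the added `auth_freeAI(ai)` actually keeps the secret from lingering depends on auth_freeAI zeroing ai->secret before it frees it; if libauth only calls free(), the key material stays in the released heap block, which is exactly what the commit title says it wants to avoid. Worth confirming in the libauth source, or scrubbing here with `memset(ai->secret, 0, ai->nsecret);` immediately before the auth_freeAI call (AuthInfo's secret and nsecret fields are what auth_proxy fills in). The free(conn->cert)/free(conn->sessionID)/free(conn) lines presume tlsClient handed ownership of those buffers to the caller, which I believe is the libsec contract but is not shown here; a short comment like `/* tlsClient allocated cert and sessionID; they are ours to free */` would record that assumption. The hunk also does not show the remainder of main(), so please check that conn is not referenced after the free(conn) placed before `if(*argv)`.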