ref: a9b1e990b8339d413aecaa00c5db743358caa42c
parent: 9ec9a47789c5c71c8e135d7ce0a92d44317c1fa0
author: cinap_lenrek <[email protected]>
date: Sat Feb 13 21:06:08 EST 2016
tlsclient: add -o option to establish connection over a file, free the AuthInfo structure to avoid leaking secrets
--- a/sys/man/8/tlssrv
+++ b/sys/man/8/tlssrv
@@ -59,7 +59,16 @@
.B -n
.I servername
]
+[
+.B -o
+]
.I address
+[
+.I cmd
+[
+.I args ...
+]
+]
.PP
.B tlssrvtunnel
.I plain-addr
@@ -103,12 +112,14 @@
.I Tlsclient
is the reverse of
.IR tlssrv :
-it dials
+it connects to
.IR address ,
starts TLS,
and then relays
between the network connection
-and standard input and output.
+and standard input and output or executes
+.I cmd args
+with standard input and output redirected to the connection.
The
.B -D
flag enables some debug output.
@@ -137,6 +148,12 @@
.I servername
in the TLS hello message (Server Name Idenfitication)
which is usefull when talking to webservers.
+When the
+.B -o
+option was specified,
+.I address
+is interpreted as a filename to be opend read-write instead of
+a dial string.
.PP
.I Tlssrvtunnel
and
--- a/sys/src/cmd/tlsclient.c
+++ b/sys/src/cmd/tlsclient.c
@@ -4,7 +4,7 @@
#include <libsec.h>
#include <auth.h>
-int debug, auth;
+int debug, auth, dialfile;
char *keyspec = "";
char *servername, *file, *filex, *ccert;
@@ -11,7 +11,7 @@
void
usage(void)
{
- fprint(2, "usage: tlsclient [-D] [-a [-k keyspec] ] [-c lib/tls/clientcert] [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] [-n servername] dialstring [cmd [args...]]\n");
+ fprint(2, "usage: tlsclient [-D] [-a [-k keyspec] ] [-c lib/tls/clientcert] [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] [-n servername] [-o] dialstring [cmd [args...]]\n");
exits("usage");
}
@@ -47,6 +47,7 @@
char *addr;
TLSconn *conn;
Thumbprint *thumb;
+ AuthInfo *ai = nil;
fmtinstall('H', encodefmt);
@@ -72,6 +73,9 @@
case 'n':
servername = EARGF(usage());
break;
+ case 'o':
+ dialfile = 1;
+ break;
default:
usage();
}ARGEND
@@ -90,7 +94,7 @@
thumb = nil;
addr = *argv++;
- if((fd = dial(addr, 0, 0, 0)) < 0)
+ if((fd = dialfile? open(addr, ORDWR): dial(addr, 0, 0, 0)) < 0)
sysfatal("dial %s: %r", addr);
conn = (TLSconn*)mallocz(sizeof *conn, 1);
@@ -102,8 +106,6 @@
}
if(auth){
- AuthInfo *ai;
-
ai = auth_proxy(fd, auth_getkey, "proto=p9any role=client %s", keyspec);
if(ai == nil)
sysfatal("auth_proxy: %r");
@@ -128,7 +130,14 @@
sha1(conn->cert, conn->certlen, digest, nil);
if(!okThumbprint(digest, thumb))
sysfatal("server certificate %.*H not recognized", SHA1dlen, digest);
+ freeThumbprints(thumb);
}
+
+ free(conn->cert);
+ free(conn->sessionID);
+ free(conn);
+ if(ai != nil)
+ auth_freeAI(ai);
if(*argv){
dup(fd, 0);