diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2016-08-13 13:09:11 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2016-08-13 13:09:11 +0000 |
| commit | 0503c6dc4c239aca00d1037565b2b3692353680f (patch) | |
| tree | c03b90120cda2e8c688fdbe96b7dc105733eade1 /usr.bin | |
| parent | b908002fe2494be1995704916d6c886d6aeec47d (diff) | |
Let libtls load the CA, certificate and key files for nc(1), now that it
does this at the time the tls_config_set_*_file() function is called.
ok bluhm@
Diffstat (limited to 'usr.bin')
| -rw-r--r-- | usr.bin/nc/netcat.c | 37 |
1 files changed, 15 insertions, 22 deletions
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c index bb74bb60706..d30dd938f31 100644 --- a/usr.bin/nc/netcat.c +++ b/usr.bin/nc/netcat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: netcat.c,v 1.161 2016/07/30 22:04:04 halex Exp $ */ +/* $OpenBSD: netcat.c,v 1.162 2016/08/13 13:09:10 jsing Exp $ */ /* * Copyright (c) 2001 Eric Jackson <ericj@monkey.org> * Copyright (c) 2015 Bob Beck. All rights reserved. @@ -104,12 +104,6 @@ int tls_cachanged; /* Using non-default CA file */ int TLSopt; /* TLS options */ char *tls_expectname; /* required name in peer cert */ char *tls_expecthash; /* required hash of peer cert */ -uint8_t *cacert; -size_t cacertlen; -uint8_t *privkey; -size_t privkeylen; -uint8_t *pubcert; -size_t pubcertlen; int timeout = -1; int family = AF_UNSPEC; @@ -444,29 +438,22 @@ main(int argc, char *argv[]) } if (usetls) { - if (Rflag && (cacert = tls_load_file(Rflag, &cacertlen, NULL)) == NULL) - errx(1, "unable to load root CA file %s", Rflag); - if (Cflag && (pubcert = tls_load_file(Cflag, &pubcertlen, NULL)) == NULL) - errx(1, "unable to load TLS certificate file %s", Cflag); - if (Kflag && (privkey = tls_load_file(Kflag, &privkeylen, NULL)) == NULL) - errx(1, "unable to load TLS key file %s", Kflag); - if (Pflag) { - if (pledge("stdio inet dns tty", NULL) == -1) + if (pledge("stdio inet dns tty rpath", NULL) == -1) err(1, "pledge"); - } else if (pledge("stdio inet dns", NULL) == -1) + } else if (pledge("stdio inet dns rpath", NULL) == -1) err(1, "pledge"); if (tls_init() == -1) errx(1, "unable to initialize TLS"); if ((tls_cfg = tls_config_new()) == NULL) errx(1, "unable to allocate TLS config"); - if (Rflag && tls_config_set_ca_mem(tls_cfg, cacert, cacertlen) == -1) - errx(1, "unable to set root CA file %s", Rflag); - if (Cflag && tls_config_set_cert_mem(tls_cfg, pubcert, pubcertlen) == -1) - errx(1, "unable to set TLS certificate file %s", Cflag); - if (Kflag && tls_config_set_key_mem(tls_cfg, privkey, privkeylen) == -1) - errx(1, "unable to set TLS key file %s", Kflag); + if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1) + errx(1, "%s", tls_config_error(tls_cfg)); + if (Cflag && tls_config_set_cert_file(tls_cfg, Cflag) == -1) + errx(1, "%s", tls_config_error(tls_cfg)); + if (Kflag && tls_config_set_key_file(tls_cfg, Kflag) == -1) + errx(1, "%s", tls_config_error(tls_cfg)); if (TLSopt & TLS_LEGACY) { tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL); tls_config_set_ciphers(tls_cfg, "all"); @@ -481,6 +468,12 @@ main(int argc, char *argv[]) "together"); tls_config_insecure_noverifycert(tls_cfg); } + + if (Pflag) { + if (pledge("stdio inet dns tty", NULL) == -1) + err(1, "pledge"); + } else if (pledge("stdio inet dns", NULL) == -1) + err(1, "pledge"); } if (lflag) { struct tls *tls_cctx = NULL; |