ref: 0218ed493dde5836d5d78d973f6fa1e24ed4b9c1
parent: f384883d5a02d80c4cd26087e9194a18243ce668
author: Jacob Moody <moody@posixcafe.org>
date: Tue Jul 5 19:53:06 EDT 2022
tidy tlsclient: -R defaults to rc -i; delete 9cpu (users can make their own script); add manpage
--- a/9cpu
+++ /dev/null
@@ -1,33 +1,0 @@
-#!/bin/sh
-
-auth=$AUTH
-user=$USER
-cpu=$CPU
-
-while :; do
- case $1 in
- -a)
- auth=$2
- shift
- ;;
- -u)
- user=$2
- shift
- ;;
- -h)
- cpu=$2
- shift
- ;;
- *)
- break;
- esac
- shift
-done
-
-cmd="rc -i"
-
-if [ "$#" -ne 0 ]; then
- cmd=$*
-fi
-
-USER=$user AUTH=$auth CPU=$cpu tlsclient -R $cmd
--- a/Makefile
+++ b/Makefile
@@ -52,10 +52,10 @@
libsec/libsec.a:
(cd libsec; $(MAKE))
-linuxdist: tlsclient pam_p9.so 9cpu
- tar cf tlsclient.tar tlsclient pam_p9.so 9cpu
+linuxdist: tlsclient pam_p9.so
+ tar cf tlsclient.tar tlsclient pam_p9.so
gzip tlsclient.tar
-obsddist: tlsclient login_-dp9ik 9cpu
- tar cf tlsclient-obsd.tar tlsclient 9cpu login_-dp9ik
+obsddist: tlsclient login_-dp9ik
+ tar cf tlsclient-obsd.tar tlsclient login_-dp9ik
gzip tlsclient-obsd.tar
--- a/cpu.c
+++ b/cpu.c
@@ -1,6 +1,3 @@
-/*
- * cpu.c - Make a connection to a cpu server
- */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
@@ -23,6 +20,8 @@
char *authserver;
static char *user, *pass;
+char *shell[] = {"rc", "-i"};
+
SSL_CTX *ssl_ctx;
SSL *ssl_conn;
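Review bot: `shell` is only referenced from this file (it is assigned to argv in the -R branch further down), so it should carry internal linkage like the neighbouring `static char *user, *pass;`: `static char *shell[] = {"rc", "-i"};`. Leaving it external exports a very generic symbol from a binary that is also linked against libsec, which invites an accidental collision.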
@@ -42,9 +41,6 @@
return nsecret;
}
-/*
- * p9any authentication followed by tls-psk encryption
- */
static int
p9authtls(int fd)
{
@@ -51,6 +47,7 @@
ai = p9any(user, pass, fd);
if(ai == nil)
sysfatal("can't authenticate");
+ memset(pass, 0, strlen(pass));
SSL_set_fd(ssl_conn, fd);
if(SSL_connect(ssl_conn) < 0)
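Review bot: The `memset(pass, 0, strlen(pass))` added after p9any is a store to memory that is never read again in this function, which is exactly the pattern a compiler may delete; both distribution targets in the Makefile (glibc Linux and OpenBSD) provide explicit_bzero, so `explicit_bzero(pass, strlen(pass));` (declared in string.h, whose inclusion is not visible in this hunk) is the portable way to make the wipe stick. Whether pass can be nil here is not visible either (it is declared `static char *pass` above and set elsewhere); if it can, strlen(pass) is undefined and the call needs a guard. Note also that this only clears the caller's copy, so any copy p9any retained inside ai is untouched. p9authtls's body continues outside the hunk.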
@@ -59,6 +56,9 @@
return fd;
}
+//clean exit signal handler
+void suicide(int num) { exit(0); }
+
typedef size_t (*iofunc)(int, void*, size_t);
size_t tls_send(int f, void *b, size_t n) { return SSL_write(ssl_conn, b, n); }
size_t tls_recv(int f, void *b, size_t n) { return SSL_read(ssl_conn, b, n); }
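Review bot: `suicide` is installed as the SIGUSR1 handler in a later hunk and calls exit(0), which is not async-signal-safe: it runs atexit handlers and flushes stdio from inside the handler while the interrupted transfer loop may be mid-call. The handler should use `_exit(0)`, which unistd.h (already included) provides, and since nothing outside this file needs it, `static void suicide(int num) { _exit(0); }`. The one-line comment that moved with it could say who sends the signal, e.g. `/* SIGUSR1: the parent tells the transfer child to stop */`, since that relationship is only visible in the hunks below.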
@@ -71,20 +71,11 @@
char buf[12*1024];
size_t n;
- while((n = recvf(from, buf, sizeof buf)) > 0){
- if(sendf(to, buf, n) < 0)
- break;
- }
-
+ while((n = recvf(from, buf, sizeof buf)) > 0 && sendf(to, buf, n) == n)
+ ;
}
void
-suicide(int num)
-{
- exit(0);
-}
-
-void
usage(void)
{
fprint(2, "Usage: %s [ -R ] [ -u user ] [ -h host ] [ -a authserver ] -p port cmd...\n", argv0);
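Review bot: The iofunc type still returns size_t, so a failed SSL_read (-1) in tls_recv wraps to SIZE_MAX, passes the `> 0` test in the rewritten loop, and is handed to sendf as a length; and because a failed send likewise comes back as (size_t)-1 == n, the new `== n` test cannot see it, so the loop most likely spins on a dead connection instead of stopping. The `== n` comparison is the right idea but needs a signed return type so that errors are distinguishable from byte counts; ssize_t is available through the already-included unistd.h. Any other iofunc implementations (the plain-fd read/write wrappers are not in this hunk) must change to match, and the enclosing transfer function's signature is outside the hunk.
```c
typedef ssize_t (*iofunc)(int, void*, size_t);
ssize_t tls_send(int f, void *b, size_t n) { return SSL_write(ssl_conn, b, n); }
ssize_t tls_recv(int f, void *b, size_t n) { return SSL_read(ssl_conn, b, n); }
/* … unchanged: transfer function signature and buf declaration … */
	ssize_t n;

	while((n = recvf(from, buf, sizeof buf)) > 0 && sendf(to, buf, n) == n)
		;
```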
@@ -105,9 +96,9 @@
int pout[2];
int infd, outfd;
int i;
- pid_t execc, xferc;
+ pid_t xferc;
- execc = xferc = 0;
+ xferc = 0;
Rflag = 0;
infd = 0;
outfd = 1;
@@ -146,7 +137,7 @@
if(*argv && !Rflag){
pipe(pin);
pipe(pout);
- switch((execc = fork())){
+ switch(fork()){
case -1:
sysfatal("fork");
case 0:
@@ -164,13 +155,15 @@
}
fd = unix_dial(host, port);
- if(fd < 0){
- sysfatal("Failed to connect to the client");
- }
-
+ if(fd < 0)
+ sysfatal("failed to connect to the client");
p9authtls(fd);
- if(*argv && Rflag) {
+ if(Rflag){
+ if(*argv == nil){
+ argv = shell;
+ argc = nelem(shell);
+ }
for(i=0,n=0; i<argc; i++)
n += snprint(buf+n, sizeof buf - n - 1, "%s ", argv[i]);
if(n <= 0)
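Review bot: When -R is given, the loop at the end of the hunk joins argv into buf with `snprint(buf+n, sizeof buf - n - 1, "%s ", argv[i])`; if the joined command does not fit, snprint truncates and n settles just below sizeof buf, so a silently clipped command line is sent to the remote and executed there. Fail closed after the loop rather than send a clipped command: `if(n >= sizeof buf - 2) sysfatal("command too long");` (this assumes snprint truncates at size-1 like snprintf; buf's declaration and the rest of main are outside the hunk). Separately, because the argv words are re-joined with spaces and handed to the remote shell, an argument containing whitespace or rc metacharacters is re-split remotely; that deserves a sentence in the new manpage's -R paragraph.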
@@ -183,9 +176,7 @@
tls_send(-1, buf, i);
}
- //clean exit
signal(SIGUSR1, suicide);
-
switch((xferc = fork())){
case -1:
sysfatal("fork");
@@ -198,8 +189,5 @@
break;
}
kill(xferc, SIGUSR1);
-
- if(execc)
- kill(execc, SIGTERM);
}
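Review bot: Removing `kill(execc, SIGTERM)` together with the execc pid means that in the non-R mode, where a local command was forked with its stdin/stdout on the pipes, the parent now exits after stopping the transfer child without signalling that command; it ends only when it reacts to EOF or SIGPIPE on the pipes, which depends on the command. If dropping the kill was intentional, a comment on this exit path saying so would stop the next reader from re-adding it; otherwise keep the pid from the `switch(fork())` in the earlier hunk and restore the SIGTERM. main begins outside this hunk.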
--- /dev/null
+++ b/tlsclient.1
@@ -1,0 +1,55 @@
+.TH TLSCLIENT 1
+.SH NAME
+tlsclient \- 9front tls client
+.SH SYNOPSIS
+.B tlsclient
+[
+.B -R
+]
+[
+.B -u
+.I user
+]
+[
+.B -h
+.I host
+]
+[
+.B -a
+.I auth
+]
+.B -p
+.I port
+command...
+.SH DESCRIPTION
+.B Tlsclient
+may be used to establish encrypted tls tunnels with 9front
+.B tlssrv
+servers using p9any to derive pre-shared keys. The
+.BR -u ,
+.BR -h ,
+and
+.B -a
+flags configure the paramaters for authentication.
+These paramaters may also be configured through the
+.IR USER ,
+.IR CPU ,
+and
+.IR AUTH ,
+environment variables respectively.
+.PP
+The
+.I command
+given is executed on the client, with its
+standard input and output pointing to the output and input
+of the remote connection. The
+.B -R
+flag changes this behavior, causing the
+.I command
+to be executed on the remote system in a
+similar fashion to 9front's rcpu. In this
+mode, if
+.I command
+is not specified a rc login shell is used.
+.SH BUGS
+Well, if you want 'em.