

ref: 4010db3078491baf3cb0d3d4e3a60c0cea114471
parent: 8bc69a872883224675a55db51ac8f60ab5ed9e5a
parent: 721c69b2b23bbc846aa0c6cfadcc135830d5d0c9
author: grobe0ba <grobe0ba@tcp80.org>
date: Sun Jul 9 05:45:04 EDT 2023

merge upstream changes

--- a/cpu.c
+++ b/cpu.c
@@ -18,7 +18,7 @@
 char *argv0;
 
 char *authserver;
-static char *user, *pass;
+static char *user, *pass, *askpass;
 
 char *shell[] = {"rc", "-i"};
 
@@ -49,7 +49,8 @@
 		sysfatal("can't authenticate");
 	memset(pass, 0, strlen(pass));
 
-	SSL_set_fd(ssl_conn, fd);
+	if(SSL_set_fd(ssl_conn, fd) == 0)
+		sysfatal("set fd failed");
 	if(SSL_connect(ssl_conn) < 0)
 		sysfatal("ssl could not connect");
 
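Review bot: The adjacent `SSL_connect` check on the line after the new SSL_set_fd guard has the same kind of gap the commit is fixing: SSL_connect() returns 1 on success, 0 when the handshake did not complete (controlled shutdown by the peer) and a negative value on error, so `< 0` lets a 0 result fall through and the caller goes on using a connection that was never established; change it to `if(SSL_connect(ssl_conn) <= 0)`. Appending ERR_reason_error_string(ERR_get_error()) to both sysfatal messages would make either failure diagnosable instead of a bare "could not connect". The enclosing function starts outside the hunk.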
@@ -56,6 +57,32 @@
 	return fd;
 }
 
+static void
+doaskpass(void)
+{
+	int p[2];
+
+	pipe(p);
+	switch(fork()){
+	case -1:
+		sysfatal("fork");
+	case 0:
+		close(p[0]);
+		dup2(p[1], 1);
+		execlp(askpass, askpass, nil);
+		sysfatal("failed to exec askpass");
+		break;
+	default:
+		close(p[1]);
+		pass = mallocz(1024, 1);
+		int n = read(p[0], pass, 1024);
+		if(n <= 1)
+			sysfatal("askpass gave empty password");
+		pass[n-1] = 0;
+		break;
+	}
+}
+
 //clean exit signal handler
 void suicide(int num) { exit(0); }
 
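Review bot: `pass[n-1] = 0` in the `default:` arm of doaskpass unconditionally discards the last byte, so an askpass program that prints the password without a trailing newline loses its final character, and the single read() may return only part of what the child wrote because nothing waits for EOF. The child is never reaped either, so a program that fails or is cancelled by the user (non-zero exit, little or nothing on stdout) is indistinguishable from a real password except by the one-byte check, and the results of pipe() and mallocz() are not checked. I would read until EOF, waitpid() the child and reject a non-zero exit status, and strip the newline only when it is actually present; waitpid() needs <sys/wait.h>, which I cannot see from here.
```c
static void
doaskpass(void)
{
	int p[2], n, tot, status;
	pid_t pid;

	if(pipe(p) < 0)
		sysfatal("pipe");
	switch(pid = fork()){
	case -1:
		sysfatal("fork");
	case 0:
		close(p[0]);
		dup2(p[1], 1);
		close(p[1]);
		execlp(askpass, askpass, nil);
		sysfatal("failed to exec askpass");
		break;
	default:
		close(p[1]);
		pass = mallocz(1024, 1);
		if(pass == nil)
			sysfatal("out of memory");
		/* a pipe read may return less than the whole password: read to EOF */
		for(tot = 0; tot < 1023; tot += n){
			n = read(p[0], pass+tot, 1023-tot);
			if(n < 0)
				sysfatal("read from askpass");
			if(n == 0)
				break;
		}
		close(p[0]);
		/* reap the child; refuse output from a program that failed or was cancelled */
		if(waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
			sysfatal("askpass failed");
		if(tot > 0 && pass[tot-1] == '\n')
			tot--;
		if(tot == 0)
			sysfatal("askpass gave empty password");
		pass[tot] = 0;
		break;
	}
}
```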
@@ -119,11 +146,15 @@
 	if(Rflag)
 		port = "17019";
 
-	if(user == nil || host == nil || authserver == nil || port == nil)
+	if(user == nil || host == nil || port == nil)
 		usage();
 
-	if(pass == nil)
-		pass = getpass("password:");
+	if(pass == nil){
+		if((askpass = getenv("TLSCLIENT_ASKPASS")) != nil)
+			doaskpass();
+		else
+			pass = getpass("password:");
+	}
 
 	SSL_library_init();
 	OpenSSL_add_all_algorithms();
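Review bot: The `authserver == nil` case is dropped from the usage() check, but nothing in the hunk supplies a default, so if the p9any step still dials authserver (p9any.c in this same patch also stops calling err() when its dial fails) a missing authserver argument now surfaces later and less clearly, or not at all; either keep the check or add a comment here stating where authserver comes from when it is not given. Separately, `askpass` is taken verbatim from `TLSCLIENT_ASKPASS` and handed to execlp(), which performs a PATH search when the value contains no slash; that is acceptable for an unprivileged client, but a one-line comment such as `/* TLSCLIENT_ASKPASS is trusted: this program must never run setuid */` would stop someone from later making the binary privileged. The enclosing function starts and ends outside the hunk.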
@@ -130,9 +161,17 @@
 	SSL_load_error_strings();
 	ssl_ctx = SSL_CTX_new(TLSv1_2_client_method());
 	SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
+
+#if OPENSSL_VERSION_MAJOR==3
+	/* 9front support for RFC 5746 is not guranteed but we never do renegotiation anyway... */
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+#endif
+
 	if(ssl_ctx == nil)
 		sysfatal("could not init openssl");
 	ssl_conn = SSL_new(ssl_ctx);
+	if(ssl_conn == nil)
+		sysfatal("could not init openssl");
 
 	if(*argv && !Rflag){
 		pipe(pin);
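Review bot: The new `SSL_CTX_set_options(ssl_ctx, ...)` runs before the `if(ssl_ctx == nil)` check, so a failed SSL_CTX_new() leads to a null dereference (the existing SSL_CTX_set_psk_client_callback call has the same ordering problem); move `if(ssl_ctx == nil) sysfatal("could not init openssl");` to directly after `ssl_ctx = SSL_CTX_new(TLSv1_2_client_method());`. The comment on the option is also misleading: SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is not about renegotiations this client initiates, it lets the initial handshake succeed with a server that does not signal RFC 5746 support, which is the client-side defence against the CVE-2009-3555 prefix-injection attack should that server ever renegotiate; the comment should state that this is accepted because the 9front peer is trusted not to renegotiate, and the typo `guranteed` should be fixed. The `OPENSSL_VERSION_MAJOR==3` gate (the macro is undefined, hence 0, on 1.1.x) will silently drop the option again on a future major version; `#if OPENSSL_VERSION_MAJOR >= 3` is the safer spelling. The enclosing function starts and ends outside the hunk.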
--- a/p9any.c
+++ b/p9any.c
@@ -64,9 +64,6 @@
 
 		break;  /* okay we got one */
 	}
-	if (s == -1) {
-		err(1, "%s", cause);
-	}
 	return s;
 }
 
--- a/tlsclient.1
+++ b/tlsclient.1
@@ -51,5 +51,18 @@
 mode, if
 .I command
 is not specified a rc login shell is used.
+.SH PASSWORDS
+By default
+.B tlsclient
+will ask for the users' password through
+.BR getpass (3).
+For non interactive use the
+.I PASS
+environment variable may be used to specify
+the password literal and
+.I TLSCLIENT_ASKPASS
+may be set to a program that will be executed
+to provide the password on stdout.
 .SH BUGS
-Well, if you want 'em.
+The lack of factotum and portable namespaces make
+this password business not fun.