author | cinap_lenrek <cinap_lenrek@felloff.net> | 2016-02-14 02:06:08 +0100 |
---|---|---|
committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2016-02-14 02:06:08 +0100 |
commit | a9b1e990b8339d413aecaa00c5db743358caa42c (patch) | |
tree | abf51ac23644eb3ce9af9fa1d5e9aac63edb444b /sys | |
parent | 9ec9a47789c5c71c8e135d7ce0a92d44317c1fa0 (diff) |
tlsclient: add -o option to establish connection over a file, free the AuthInfo structure to avoid leaking secrets
Diffstat (limited to 'sys')
-rw-r--r-- | sys/man/8/tlssrv | 21 | ||||
-rw-r--r-- | sys/src/cmd/tlsclient.c | 19 |
2 files changed, 33 insertions, 7 deletions
diff --git a/sys/man/8/tlssrv b/sys/man/8/tlssrv
index 5cb594174..462be928b 100644
--- a/sys/man/8/tlssrv
+++ b/sys/man/8/tlssrv
@@ -59,7 +59,16 @@ logfile
 .B -n
 .I servername
 ]
+[
+.B -o
+]
 .I address
+[
+.I cmd
+[
+.I args ...
+]
+]
 .PP
 .B tlssrvtunnel
 .I plain-addr
@@ -103,12 +112,14 @@ flag was specified.
 .I Tlsclient
 is the reverse of
 .IR tlssrv :
-it dials
+it connects to
 .IR address ,
 starts TLS, and then relays between the network connection
-and standard input and output.
+and standard input and output or executes .I cmd args
+with standard input and output redirected to the connection.
 The
 .B -D
 flag enables some debug output.
@@ -137,6 +148,12 @@ option passes the string
 .I servername
 in the TLS hello message (Server Name Idenfitication)
 which is usefull when talking to webservers.
+When the
+.B -o
+option was specified,
+.I address
+is interpreted as a filename to be opend read-write instead of
+a dial string.
 .PP
 .I Tlssrvtunnel
 and
diff --git a/sys/src/cmd/tlsclient.c b/sys/src/cmd/tlsclient.c
index bc4b6d678..a90eabf96 100644
--- a/sys/src/cmd/tlsclient.c
+++ b/sys/src/cmd/tlsclient.c
@@ -4,14 +4,14 @@
 #include <libsec.h>
 #include <auth.h>
-int debug, auth;
+int debug, auth, dialfile;
 char *keyspec = "";
 char *servername, *file, *filex, *ccert;
 void usage(void) {
- fprint(2, "usage: tlsclient [-D] [-a [-k keyspec] ] [-c lib/tls/clientcert] [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] [-n servername] dialstring [cmd [args...]]\n");
+ fprint(2, "usage: tlsclient [-D] [-a [-k keyspec] ] [-c lib/tls/clientcert] [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] [-n servername] [-o] dialstring [cmd [args...]]\n");
 exits("usage");
 }
@@ -47,6 +47,7 @@ main(int argc, char **argv)
 char *addr;
 TLSconn *conn;
 Thumbprint *thumb;
+ AuthInfo *ai = nil;
 fmtinstall('H', encodefmt);
@@ -72,6 +73,9 @@ main(int argc, char **argv)
 case 'n':
 servername = EARGF(usage());
 break;
+ case 'o':
+ dialfile = 1;
+ break;
 default:
 usage();
 }ARGEND
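Review bot: The usage string on the changed fprint line still names the operand `dialstring` even though with the new `-o` flag it is a file path, so the help text contradicts the option it now advertises. Consider `[-n servername] [-o] dialstring|file [cmd [args...]]` in the usage string, and a short comment on the new global so the flag's meaning is visible where it is declared, e.g. `int debug, auth, dialfile;	/* -o: addr names a file to open, not a dial string */`. usage() is complete within this hunk.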
@@ -90,7 +94,7 @@ main(int argc, char **argv)
 thumb = nil;
 addr = *argv++;
- if((fd = dial(addr, 0, 0, 0)) < 0)
+ if((fd = dialfile? open(addr, ORDWR): dial(addr, 0, 0, 0)) < 0)
 sysfatal("dial %s: %r", addr);
 conn = (TLSconn*)mallocz(sizeof *conn, 1);
@@ -102,8 +106,6 @@ main(int argc, char **argv)
 }
 if(auth){
- AuthInfo *ai;
-
 ai = auth_proxy(fd, auth_getkey, "proto=p9any role=client %s", keyspec);
 if(ai == nil)
 sysfatal("auth_proxy: %r");
@@ -128,8 +130,15 @@ main(int argc, char **argv)
 sha1(conn->cert, conn->certlen, digest, nil);
 if(!okThumbprint(digest, thumb))
 sysfatal("server certificate %.*H not recognized", SHA1dlen, digest);
+ freeThumbprints(thumb);
 }
+ free(conn->cert);
+ free(conn->sessionID);
+ free(conn);
+ if(ai != nil)
+ auth_freeAI(ai);
+
 if(*argv){
 dup(fd, 0);
 dup(fd, 1); |
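Review bot: When `-o` is given and open() fails, the sysfatal on the line after the changed `if` still reports `dial %s: %r`, which tells the user a dial was attempted on what is really a file path. A one-line change makes the diagnostic match the action taken: `sysfatal("%s %s: %r", dialfile ? "open" : "dial", addr);`. A brief comment on the new condition would also help the next reader, e.g. `/* -o: addr names a file to talk TLS over instead of a dial string */`. main() begins and ends outside this hunk.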
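Review bot: The new cleanup frees conn->cert, conn->sessionID, conn and the AuthInfo, but nothing in the hunk overwrites the p9any secret before it is released, so in the relay case (no cmd, the process keeps running) the bytes behind `ai->secret` stay in freed heap memory unless auth_freeAI itself scrubs them, which is not visible on this page. If it does not, add `memset(ai->secret, 0, ai->nsecret);` immediately before `auth_freeAI(ai);`; in the exec path the address space is replaced anyway, so the relay path is the one that matters. The `if(ai != nil)` guard is only needed if auth_freeAI does not tolerate nil, which I cannot confirm from here. A short comment would make the intent of the block explicit: `/* drop handshake state and the auth secret before relaying or exec'ing cmd */`. main() continues past the end of this hunk.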