version 1.145, 2015/12/07 02:38:54 |
version 1.146, 2015/12/08 15:33:33 |
|
|
int TLSopt; /* TLS options */ |
int TLSopt; /* TLS options */ |
char *tls_expectname; /* required name in peer cert */ |
char *tls_expectname; /* required name in peer cert */ |
char *tls_expecthash; /* required hash of peer cert */ |
char *tls_expecthash; /* required hash of peer cert */ |
|
uint8_t *cacert; |
|
size_t cacertlen; |
|
uint8_t *privkey; |
|
size_t privkeylen; |
|
uint8_t *pubcert; |
|
size_t pubcertlen; |
|
|
int timeout = -1; |
int timeout = -1; |
int family = AF_UNSPEC; |
int family = AF_UNSPEC; |
|
|
} |
} |
|
|
if (usetls) { |
if (usetls) { |
|
if (Rflag && (cacert=tls_load_file(Rflag, &cacertlen, NULL)) == NULL) |
|
errx(1, "unable to load root CA file %s", Rflag); |
|
if (Cflag && (pubcert=tls_load_file(Rflag, &pubcertlen, NULL)) == NULL) |
|
errx(1, "unable to load TLS certificate file %s", Cflag); |
|
if (Kflag && (privkey=tls_load_file(Rflag, &privkeylen, NULL)) == NULL) |
|
errx(1, "unable to load TLS key file %s", Kflag); |
|
|
|
if (pledge("stdio inet dns", NULL) == -1) |
|
err(1, "pledge"); |
|
|
if (tls_init() == -1) |
if (tls_init() == -1) |
errx(1, "unable to initialize TLS"); |
errx(1, "unable to initialize TLS"); |
if ((tls_cfg = tls_config_new()) == NULL) |
if ((tls_cfg = tls_config_new()) == NULL) |
errx(1, "unable to allocate TLS config"); |
errx(1, "unable to allocate TLS config"); |
if (Cflag && (tls_config_set_cert_file(tls_cfg, Cflag) == -1)) |
if (Rflag && tls_config_set_ca_mem(tls_cfg, cacert, cacertlen) == -1) |
|
errx(1, "unable to set root CA file %s", Rflag); |
|
if (Cflag && tls_config_set_cert_mem(tls_cfg, cacert, cacertlen) == -1) |
errx(1, "unable to set TLS certificate file %s", Cflag); |
errx(1, "unable to set TLS certificate file %s", Cflag); |
if (Kflag && (tls_config_set_key_file(tls_cfg, Kflag) == -1)) |
if (Kflag && tls_config_set_key_mem(tls_cfg, privkey, privkeylen) == -1) |
errx(1, "unable to set TLS key file %s", Kflag); |
errx(1, "unable to set TLS key file %s", Kflag); |
if (Rflag && (tls_config_set_ca_file(tls_cfg, Rflag) == -1)) |
|
errx(1, "unable to set root CA file %s", Rflag); |
|
if (TLSopt & TLS_LEGACY) { |
if (TLSopt & TLS_LEGACY) { |
tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL); |
tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL); |
tls_config_set_ciphers(tls_cfg, "legacy"); |
tls_config_set_ciphers(tls_cfg, "legacy"); |