

ref: 11d45ecec19179616e11589d078c2c53d102646c
parent: 5ca0f0875e0762d2c34ce0f5450ffba585e413f0
parent: bf1166558a633c47495e14f2c8666fa05b3d2599
author: B. Atticus Grobe <[email protected]>
date: Wed Jul 13 21:20:03 EDT 2022

Merge branch 'master' of git://shithub.us/moody/tlsclient

--- a/.builds/obsd.yml
+++ b/.builds/obsd.yml
@@ -4,10 +4,8 @@
 packages:
   - "openssl-1.1.1k"
 artifacts:
-  - tlsclient/tlsclient-obsd.tar.gz
+  - tlsclient/obsd.tar.gz
 tasks:
   - build: |
       cd tlsclient
-      sed -i '/^OPENSSL/d' Make.config
-      sed -i 's/#OPENSSL/OPENSSL/g' Make.config
-      make -j $(sysctl -n hw.ncpu) obsddist
+      OPENSSL=eopenssl11 make -j $(sysctl -n hw.ncpu) obsd.tar.gz
--- a/.builds/pam.yml
+++ b/.builds/pam.yml
@@ -2,8 +2,8 @@
 sources:
   - https://git.sr.ht/~moody/tlsclient
 artifacts:
-  - tlsclient/tlsclient.tar.gz
+  - tlsclient/linux.tar.gz
 tasks:
   - build: | 
       cd tlsclient
-      make -j $(nproc) linuxdist
+      make -j $(nproc) linux.tar.gz
--- a/9cpu
+++ /dev/null
@@ -1,33 +1,0 @@
-#!/bin/sh
-
-auth=$AUTH
-user=$USER
-cpu=$CPU
-
-while :; do
-	case $1 in
-		-a)
-			auth=$2
-			shift
-			;;
-		-u)
-			user=$2
-			shift
-			;;
-		-h)
-			cpu=$2
-			shift
-			;;
-		*)
-			break;
-	esac
-	shift
-done
-
-cmd="rc -i"
-
-if [ "$#" -ne 0 ]; then
-	cmd=$*
-fi
-
-USER=$user AUTH=$auth CPU=$cpu tlsclient -R $cmd
--- a/Make.config
+++ b/Make.config
@@ -7,3 +7,5 @@
 
 
 all: default
+PREFIX ?= /usr
+OPENSSL ?= openssl
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,4 @@
 ROOT=.
-
 include ./Make.config
 
 LIBS=\
@@ -10,23 +9,24 @@
 	third_party/boringssl/libcrypto.a\
 	third_party/boringssl/libssl.a
 
+default: tlsclient
 OFILES=cpu.$O p9any.$O
 
 default: $(TARG)
 $(TARG): $(LIBS) $(OFILES)
-	$(CXX) -pthread -Lthird_party/boringssl -Wl,--start-group -lcrypto -lssl -Wl,--end-group $(LDFLAGS) -o $(TARG) $(OFILES) -Wl,--start-group $(LIBS) -Wl,--end-group $(LDADD)
+	$(CXX) -pthread -Lthird_party/boringssl $(LDFLAGS) -o $(TARG) $(OFILES) -Wl,--start-group $(LIBS) -Wl,--end-group $(LDADD)
 
-login_-dp9ik: $(LIBS) p9any.$O bsd.$O
-	$(CC) -o login_-dp9ik p9any.$O bsd.$O $(LIBS)
+login_-dp9ik: bsd.$O $(LIBS)
+	$(CC) -o $@ bsd.$O $(LIBS)
 
-pam_p9.so: $(LIBS) p9any.$O pam.$O
-	$(CC) -shared -o pam_p9.so p9any.$O pam.$O $(LIBS)
+pam_p9.so: pam.$O $(LIBS)
+	$(CC) -shared -o $@ pam.$O $(LIBS)
 
 cpu.$O: cpu.c
 	$(CC) -Ithird_party/boringssl/src/include $(CFLAGS) cpu.c -o cpu.o
 
-p9any.$O: p9any.c
-	$(CC) $(CFLAGS) p9any.c -o p9any.o
+%.$O: %.c
+	$(CC) $(CFLAGS) $< -o $@
 
 pam.$O: pam.c
 	$(CC) $(CFLAGS) pam.c -o pam.o
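Review bot: The new `default: tlsclient` line at the top of the hunk duplicates the existing `default: $(TARG)` three lines below; Make merges the two prerequisite lists, so it is harmless, but one of the two should go (presumably the new one, if `$(TARG)` expands to `tlsclient`). The new `%.$O: %.c` rule correctly writes `$@`, while the explicit `cpu.$O` and `pam.$O` rules still write literal `cpu.o` and `pam.o`; if `$O` is ever anything other than `o` those recipes produce a file that is not their target and are rerun on every invocation. Switching them to `-o $@` as well, or dropping them in favour of the pattern rule plus a target-specific `cpu.$O: CFLAGS += -Ithird_party/boringssl/src/include`, keeps all three consistent.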
@@ -43,15 +43,12 @@
 libauthsrv/libauthsrv.a:
 	(cd libauthsrv; $(MAKE))
 
-.PHONY: libmp/libmp.a
 libmp/libmp.a:
 	(cd libmp; $(MAKE))
 
-.PHONY: libc/libc.a
 libc/libc.a:
 	(cd libc; $(MAKE))
 
-.PHONY: libsec/libsec.a
 libsec/libsec.a:
 	(cd libsec; $(MAKE))
 
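Review bot: With `.PHONY` removed, `libmp/libmp.a`, `libc/libc.a` and `libsec/libsec.a` become ordinary file targets with no prerequisites, so once an archive exists the top-level make never re-enters that subdirectory and edits to the library sources are not picked up without a manual sub-make or a clean. If avoiding the relink on every run is the intent, a comment on the rules saying so would help; otherwise give them a prerequisite list, e.g. `libmp/libmp.a: $(wildcard libmp/*.c libmp/*.h)`, which keeps rebuild-on-change without being phony.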
@@ -67,6 +64,26 @@
 	tar cf tlsclient.tar tlsclient pam_p9.so 9cpu
 	gzip tlsclient.tar
 
-obsddist: tlsclient login_-dp9ik 9cpu
-	tar cf tlsclient-obsd.tar tlsclient 9cpu login_-dp9ik
-	gzip tlsclient-obsd.tar
+linux.tar.gz: tlsclient pam_p9.so tlsclient.1
+	tar cf - tlsclient pam_p9.so tlsclient.1 | gzip > $@
+
+tlsclient.obsd:
+	OPENSSL=eopenssl11 LDFLAGS="$(LDFLAGS) -Xlinker --rpath=/usr/local/lib/eopenssl11/" $(MAKE) tlsclient
+	mv tlsclient tlsclient.obsd
+
+obsd.tar.gz: tlsclient.obsd login_-dp9ik tlsclient.1
+	tar cf - tlsclient.obsd login_-dp9ik tlsclient.1 | gzip > $@
+
+.PHONY: tlsclient.install
+tlsclient.install: tlsclient tlsclient.1
+	cp tlsclient $(PREFIX)/bin
+	cp tlsclient.1 $(PREFIX)/man/man1/
+
+.PHONY: tlsclient.obsd.install
+tlsclient.obsd.install: tlsclient.obsd login_-dp9ik tlsclient.1
+	install tlsclient.obsd $(PREFIX)/bin/tlsclient
+	install tlsclient.1 $(PREFIX)/man/man1/
+	install -d $(PREFIX)/libexec/auth
+	install -g auth login_-dp9ik $(PREFIX)/libexec/auth/
+	install -d $(PREFIX)/libexec/git
+	install git-remote-hjgit $(PREFIX)/libexec/git
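Review bot: `tlsclient.obsd` has no prerequisites and its inner `$(MAKE) tlsclient` treats an already-built `tlsclient` as up to date, so `make obsd.tar.gz` after a plain `make` renames a binary linked against the default OpenSSL, without the eopenssl11 rpath, into `tlsclient.obsd`; adding `$(RM) tlsclient` as the first recipe line forces the relink with the overridden `OPENSSL`/`LDFLAGS`. `tlsclient.obsd.install` copies `git-remote-hjgit` but does not list it as a prerequisite, and `install -g auth login_-dp9ik` sets no explicit `-m`, so the mode the login(8) helpers under `/usr/libexec/auth` need should be confirmed and stated. `tlsclient.install` uses bare `cp` where the OpenBSD target uses `install`, and both write manuals to `$(PREFIX)/man/man1/`, which with the new `PREFIX ?= /usr` in Make.config resolves to `/usr/man/man1` rather than the usual `/usr/share/man/man1`; neither target honours `DESTDIR`.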
--- a/README
+++ b/README
@@ -14,41 +14,48 @@
 
 Usage:
 	tlsclient [ -R ] [ -u user] [ -h host ] [ -a auth ] -p port cmd...
-	9cpu [ -u user ] [ -h host ] [ -a auth ] cmd...
 
 Example:
-	9cpu -u moody -h shithub.us -a p9auth.shithub.us newrepo tlsclient
+	tlsclient -R -u moody -h shithub.us -a p9auth.shithub.us newrepo tlsclient
 
 	# with git-remote-hjgit in your $PATH
 	git clone hjgit://shithub.us/user/repo
 
+Building:
+	$ make tlsclient
+
 OpenBSD:
 	OpenBSD uses LibreSSL in place of OpenSSL. Unfortunately LibreSSL does
-	not have PSK cipher suites. Tweak Make.config as required. Openssl is
-	only used for tlsclient and rcpu, login_-dp9ik does not require it.
+	not have the PSK cipher suites for tlsclient. As such, the openssl11
+	package is required, and a wrapper recipe is provided:
 
+	$ make tlsclient.obsd
+
 OpenBSD Authentication:
 	Build:
-		# Modify "char *authserver" in bsd.c to specify a default auth server
 		$ make login_-dp9ik
 	Testing:
-		./login_-dp9ik -d -v authserver="my.auth.server"
+		./login_-dp9ik -d $USER
 		# you will see authenticate/reject print out on stdout
 		# for success/failure.
 	Install:
 		$ cp login_-dp9ik /usr/libexec/auth/
 	Config:
+		Each user is allowed to specify an auth
+		server within '$HOME/.p9auth'. The file must
+		have no group or other permissions set.
+
 		Modify the auth-defaults line of /etc/login.conf
 		to use the new executable. This will look something like:
 
 		auth-defaults:auth=-dp9ik,passwd,skey:
 	Notes:
-		OpenBSD requires that all users regardless of
-		authentication mechanism exist in /etc/passwd.
-		OpenBSD does not retry with other mechanisms
-		if one sends a rejection, this means all
-		users(including root) must exist within the
-		auth server.
+		Unless you have a root user in your authdom, it is likely
+		that installing this may lock you out of the root user,
+		logging in with the username 'root:passwd' will authenticate
+		against the system passwd file.
+	See Also:
+		login(1)
 
 PAM Authentication:
 	Build:
--- a/bsd.c
+++ b/bsd.c
@@ -32,6 +32,7 @@
 
 #include <sys/types.h>
 #include <sys/resource.h>
+#include <sys/stat.h>
 
 #include <errno.h>
 #include <pwd.h>
@@ -62,10 +63,14 @@
 main(int argc, char *argv[])
 {
 	FILE *back = NULL;
-	char *class = NULL, *username = NULL, *wheel = NULL;
+	char *username = NULL, *wheel = NULL;
 	char response[1024], pbuf[1024], *pass = "";
-	int ch, mode = 0, lastchance = 0, fd = -1;
+	char authconf[1024];
+	int n, afd;
+	int ch, mode = 0, fd = -1;
 	AuthInfo *ai;
+	struct stat sb;
+	char *p;
 
 	(void)signal(SIGQUIT, SIG_IGN);
 	(void)signal(SIGINT, SIG_IGN);
@@ -93,10 +98,6 @@
 		case 'v':
 			if (strncmp(optarg, "wheel=", 6) == 0)
 				wheel = optarg + 6;
-			else if (strncmp(optarg, "lastchance=", 11) == 0)
-				lastchance = (strcmp(optarg + 11, "yes") == 0);
-			else if (strncmp(optarg, "authserver=", 11) == 0)
-				authserver = optarg + 11;
 			break;
 		default:
 			syslog(LOG_ERR, "usage error");
@@ -106,8 +107,6 @@
 
 	switch (argc - optind) {
 	case 2:
-		class = argv[optind + 1];
-		/* FALLTHROUGH */
 	case 1:
 		username = argv[optind];
 		break;
@@ -120,6 +119,39 @@
 		syslog(LOG_ERR, "reopening back channel: %m");
 		exit(1);
 	}
+
+	snprint(authconf, sizeof authconf, "/home/%s/.p9auth", username);
+	afd = open(authconf, OREAD);
+	if(afd < 0){
+		fprintf(back, BI_REJECT " errormsg %s\n",
+			"user does not have an authserver configured");
+		exit(0);
+	}
+	if(fstat(afd, &sb) < 0){
+		syslog(LOG_ERR, "could not stat: %m");
+		exit(1);
+	}
+	if(sb.st_mode & 077 != 0){
+		fprintf(back, BI_REJECT " errormsg %s\n",
+			"user authserver has improper permissions");
+		exit(0);
+	}
+	n = read(afd, authconf, sizeof authconf - 1);
+	if(n < 0){
+		fprintf(back, BI_REJECT " errormsg %s\n",
+			"could not read");
+		exit(1);
+	}
+	authserver = malloc(n+1);
+	if(authserver == NULL){
+		syslog(LOG_ERR, "oom");
+		exit(1);
+	}
+	memmove(authserver, authconf, n);
+	authserver[n] = '\0';
+	if((p = strchr(authserver, '\n')) != NULL)
+		*p = '\0';
+
 	if (wheel != NULL && strcmp(wheel, "yes") != 0) {
 		fprintf(back, BI_VALUE " errormsg %s\n",
 		    "you are not in group wheel");
--- a/cpu.c
+++ b/cpu.c
@@ -1,6 +1,3 @@
-/*
- * cpu.c - Make a connection to a cpu server
- */
 #include <stdio.h>
 #include <unistd.h>
 #include <stdlib.h>
@@ -23,6 +20,8 @@
 char *authserver;
 static char *user, *pass;
 
+char *shell[] = {"rc", "-i"};
+
 SSL_CTX *ssl_ctx;
 SSL *ssl_conn;
 
@@ -42,9 +41,6 @@
 	return nsecret;
 }
 
-/*
- * p9any authentication followed by tls-psk encryption
- */
 static int
 p9authtls(int fd)
 {
@@ -51,6 +47,7 @@
 	ai = p9any(user, pass, fd);
 	if(ai == nil)
 		sysfatal("can't authenticate");
+	memset(pass, 0, strlen(pass));
 
 	SSL_set_fd(ssl_conn, fd);
 	if(SSL_connect(ssl_conn) < 0)
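Review bot: `memset(pass, 0, strlen(pass))` is the right instinct, but a plain `memset` on memory the compiler can prove is not read afterwards may be dropped by dead-store elimination; on the BSDs and glibc ≥ 2.25 `explicit_bzero(pass, strlen(pass));` is guaranteed to survive, with a `volatile` byte-store loop as the portable fallback. Where `pass` comes from is outside this hunk; if it points into `environ` or `argv`, the wipe also scrubs the process environment, which is presumably the intent and worth a one-line comment. The wipe runs only on the success path, and any copy `p9any` may keep is not covered. `p9authtls` starts outside the hunk.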
@@ -59,6 +56,9 @@
 	return fd;
 }
 
+//clean exit signal handler
+void suicide(int num) { exit(0); }
+
 typedef size_t (*iofunc)(int, void*, size_t);
 size_t tls_send(int f, void *b, size_t n) { return SSL_write(ssl_conn, b, n); }
 size_t tls_recv(int f, void *b, size_t n) { return SSL_read(ssl_conn, b, n); }
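Review bot: `suicide` calls `exit(0)` from a signal handler; `exit` runs atexit handlers and flushes stdio and is not async-signal-safe, so if SIGUSR1 arrives while the process is inside `malloc` or stdio (plausible, since it is delivered during the `xfer` loop) it can deadlock or corrupt state. `_exit(0)` is the safe form for a handler that only wants to terminate: `void suicide(int num) { _exit(0); }`. The function could also be `static`, with `(void)num;` to keep unused-parameter warnings quiet.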
@@ -71,11 +71,8 @@
 	char buf[12*1024];
 	size_t n;
 	
-	while((n = recvf(from, buf, sizeof buf)) > 0){
-		if(sendf(to, buf, n) < 0)
-			break;
-	}
-
+	while((n = recvf(from, buf, sizeof buf)) > 0 && sendf(to, buf, n) == n)
+		;
 }
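Review bot: The rewritten loop still cannot see a receive error, because `iofunc` (declared in the previous hunk) returns `size_t` while `SSL_read`/`SSL_write` return `int`: a `-1` from `recvf` becomes `SIZE_MAX`, passes the `> 0` test and is handed to `sendf` as the length, and a `-1` from `sendf` fails the `== n` compare only by accident of the unsigned conversion. Changing the typedef and the adapters (`tls_send`/`tls_recv` here, `s_send`/`s_recv` outside the hunk) to signed returns — `typedef ssize_t (*iofunc)(int, void*, size_t);` with `ssize_t n;` — makes `n > 0` mean what it says, after which `sendf(to, buf, n) == n` reads cleanly as "full write". `xfer`'s signature is outside the hunk.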
 
 void
@@ -99,9 +96,9 @@
 	int pout[2];
 	int infd, outfd;
 	int i;
-	pid_t execc, xferc;
+	pid_t xferc;
 
-	execc = xferc = 0;
+	xferc = 0;
 	Rflag = 0;
 	infd = 0;
 	outfd = 1;
@@ -140,7 +137,7 @@
 	if(*argv && !Rflag){
 		pipe(pin);
 		pipe(pout);
-		switch((execc = fork())){
+		switch(fork()){
 		case -1:
 			sysfatal("fork");
 		case 0:
@@ -158,13 +155,15 @@
 	}
 
 	fd = unix_dial(host, port);
-	if(fd < 0){
-		sysfatal("Failed to connect to the client");
-	}
-
+	if(fd < 0)
+		sysfatal("failed to connect to the client");
 	p9authtls(fd);
 
-	if(*argv && Rflag) {
+	if(Rflag){
+		if(*argv == nil){
+			argv = shell;
+			argc = nelem(shell);
+		}
 		for(i=0,n=0; i<argc; i++)
 			n += snprint(buf+n, sizeof buf - n - 1, "%s ", argv[i]);
 		if(n <= 0)
@@ -177,10 +176,12 @@
 		tls_send(-1, buf, i);
 	}
 
+	signal(SIGUSR1, suicide);
 	switch((xferc = fork())){
 	case -1:
 		sysfatal("fork");
 	case 0:
+		xferc = getppid();
 		xfer(infd, -1, s_recv, tls_send);
 		break;
 	default:
@@ -187,10 +188,6 @@
 		xfer(-1, outfd, tls_recv, s_send);
 		break;
 	}
-	
-	if(xferc)
-		kill(xferc, SIGTERM);
-	if(execc)
-		kill(execc, SIGTERM);
+	kill(xferc, SIGUSR1);
 }
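Review bot: With `execc` removed, the process forked to run the local command (the `switch(fork())` hunk above) is no longer signalled when the transfer ends; it now only learns of the end through EOF or SIGPIPE on `pin`/`pout`, so a command that is neither reading nor writing at that moment can outlive tlsclient — worth a comment stating that this is intended, or keeping the pid and signalling it. The parent returns from `main` right after `kill(xferc, SIGUSR1)` without `waitpid`, which is acceptable for an exiting process but leaves the transfer child's status unreported. In the child, the pid captured by `getppid()` right after `fork` is only used once `xfer` returns, so if the parent has already gone the signal targets a stale pid; the window is narrow, but a comment acknowledging it would help.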
 
--- a/git-remote-hjgit
+++ b/git-remote-hjgit
@@ -8,27 +8,15 @@
 
 dir="$GIT_DIR/hjgit/$alias"
 prefix="refs/hjgit/$alias"
+refspec="refs/heads/*:$prefix/heads/*"
 
-default_refspec="refs/heads/*:${prefix}/heads/*"
-
-refspec="${GIT_REMOTE_HJGIT_REFSPEC-$default_refspec}"
-
+test $GIT_REMOTE_HJGIT_REFSPEC && refspec=$GIT_REMOTE_HJGIT_REFSPEC
 test -z "$refspec" && prefix="refs"
 
-force=
-
 mkdir -p "$dir"
 
-if test -z "$GIT_REMOTE_HJGIT_NO_MARKS"
-then
-	gitmarks="$dir/git.marks"
-	hjgitmarks="$dir/hjgit.marks"
-	test -e "$gitmarks" || >"$gitmarks"
-	test -e "$hjgitmarks" || >"$hjgitmarks"
-fi
-
 packinitfmt(){
-	printf "%s %s\0host=%s" $1 $2 $3 | awk '{ printf("%04x%s\0", length($0)+1+4, $0) }'
+	printf "%s %s\0host=%s\0" $1 $2 $3 | awk '{ printf("%04x%s", length($0)+4, $0) }'
 }
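Review bot: `test $GIT_REMOTE_HJGIT_REFSPEC && refspec=$GIT_REMOTE_HJGIT_REFSPEC` is unquoted, so a refspec containing whitespace, or the `refs/heads/*` glob that is the normal case, may be word-split or expanded against the current directory before `test` sees it; the previous `${GIT_REMOTE_HJGIT_REFSPEC-$default_refspec}` form also let an explicitly empty variable select the `prefix="refs"` path, whereas now an empty value keeps the default and the `test -z "$refspec"` line below can never fire. Restoring the parameter-expansion form, `refspec="${GIT_REMOTE_HJGIT_REFSPEC-$refspec}"`, keeps both behaviours in one quoted line. In `packinitfmt` the trailing `\0` is now part of what awk's `length($0)` counts, which depends on the awk implementation accepting NUL bytes in input — worth confirming on the target platforms.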
 
 while read line
@@ -43,7 +31,7 @@
 		# lie that the connection works
 		echo
 		{
-			packinitfmt $(echo $line | awk '{ print $2 }') $path $host
+			packinitfmt `echo $line | awk '{ print $2 }'` $path $host
 			cat
 		} | CPU=$host AUTH='p9auth.'$host tlsclient -p 17021
 		exit
--- /dev/null
+++ b/tlsclient.1
@@ -1,0 +1,55 @@
+.TH TLSCLIENT 1
+.SH NAME
+tlsclient \- 9front tls client
+.SH SYNOPSIS
+.B tlsclient
+[
+.B -R
+]
+[
+.B -u
+.I user
+]
+[
+.B -h
+.I host
+]
+[
+.B -a
+.I auth
+]
+.B -p
+.I port
+command...
+.SH DESCRIPTION
+.B Tlsclient
+may be used to establish encrypted tls tunnels with 9front
+.B tlssrv
+servers using p9any to derive pre-shared keys. The
+.BR -u ,
+.BR -h ,
+and
+.B -a
+flags configure the paramaters for authentication.
+These paramaters may also be configured through the
+.IR USER ,
+.IR CPU ,
+and
+.IR AUTH ,
+environment variables respectively.
+.PP
+The
+.I command
+given is executed on the client, with its
+standard input and output pointing to the output and input
+of the remote connection. The
+.B -R
+flag changes this behavior, causing the
+.I command
+to be executed on the remote system in a
+similar fashion to 9front's rcpu. In this
+mode, if
+.I command
+is not specified a rc login shell is used.
+.SH BUGS
+Well, if you want 'em.