-/*
-ucspi/cmd/tlsc -- UCSPI TLS client
-Copyright (C) 2021 Sergey Matveev <stargrave@stargrave.org>
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, version 3 of the License.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
+// ucspi/cmd/tlsc -- UCSPI TCP proxy client
+// Copyright (C) 2021-2024 Sergey Matveev <stargrave@stargrave.org>
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, version 3 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
package main
prvPath := flag.String("key", "", "Path to client PKCS#8 private key")
casPath := flag.String("ca", "", "Path to CA certificates file")
hostname := flag.String("name", "example.com", "Expected server's hostname")
+ insecure := flag.Bool("insecure", false, "Insecure mode")
fpr := flag.String("fpr", "", "Expected SHA256 hash of server certificate's SPKI")
flag.Usage = func() {
fmt.Fprintf(os.Stderr, `Usage: tcpclient host port tlsc -name expected.name
}
cfg := &tls.Config{}
- if *hostname == "" || *onlyShow {
+ if *hostname == "" || *onlyShow || *insecure {
cfg.InsecureSkipVerify = true
}
if *hostname != "" {
}
if *casPath != "" {
var err error
- cfg.RootCAs, err = ucspi.CertPoolFromFile(*casPath)
+ _, cfg.RootCAs, err = ucspi.CertPoolFromFile(*casPath)
if err != nil {
log.Fatalln(err)
}
cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
spki := verifiedChains[0][0].RawSubjectPublicKeyInfo
hshTheir := sha256.Sum256(spki)
- if bytes.Compare(hshOur, hshTheir[:]) != 0 {
+ if !bytes.Equal(hshOur, hshTheir[:]) {
return errors.New("server certificate's SPKI hash mismatch")
}
return nil
}
}
- conn := &ucspi.Conn{R: os.NewFile(6, "R"), W: os.NewFile(7, "W")}
- if conn.R == nil {
- log.Fatalln("no 6 file descriptor")
- }
- if conn.W == nil {
- log.Fatalln("no 7 file descriptor")
+ conn, err := ucspi.NewConn(os.NewFile(6, "R"), os.NewFile(7, "W"))
+ if err != nil {
+ log.Fatalln(err)
}
tlsConn := tls.Client(conn, cfg)
if err := tlsConn.Handshake(); err != nil {
connState := tlsConn.ConnectionState()
if *onlyShow {
fmt.Fprintf(
- os.Stderr, "Version: %04x\nCipherSuite: %s\n",
- connState.Version, tls.CipherSuiteName(connState.CipherSuite),
+ os.Stderr,
+ "Version: %s\nCipherSuite: %s\n",
+ ucspi.TLSVersion(connState.Version),
+ tls.CipherSuiteName(connState.CipherSuite),
)
for _, cert := range connState.PeerCertificates {
os.Stderr.WriteString("\n")
if err = cmd.Start(); err != nil {
log.Fatalln(err)
}
- copiers := make(chan struct{})
+ worker := make(chan struct{})
go func() {
io.Copy(rw, tlsConn)
rw.Close()
- close(copiers)
+ close(worker)
}()
go func() {
io.Copy(tlsConn, wr)
}()
_, err = cmd.Process.Wait()
- <-copiers
+ <-worker
+ tlsConn.Close()
if err != nil {
log.Fatalln(err)
}