--- /n/sources/plan9/sys/src/cmd/unix/drawterm/cpu.c Tue Mar 18 09:50:03 2014 +++ /sys/src/cmd/unix/drawterm/cpu.c Tue Jun 23 00:00:00 2026 @@ -1,8 +1,7 @@ /* - * cpu.c - Make a connection to a cpu server + * cpu.c - Make an encrypted connection to a cpu server * - * Invoked by listen as 'cpu -R | -N service net netdir' - * by users as 'cpu [-h system] [-c cmd args ...]' + * Invoked by users as 'cpu [-h system] [-c cmd arg...]' */ #include @@ -14,8 +13,10 @@ #include "args.h" #include "drawterm.h" -#define Maxfdata 8192 -#define MaxStr 128 +enum { + Maxfdata = 16*1024, + MaxStr = 128, +}; static void fatal(int, char*, ...); static void usage(void); @@ -29,10 +30,11 @@ static char *system; static int cflag; extern int dbg; +static int tls; extern char* base; // fs base for devroot static char *srvname = "ncpu"; -static char *ealgs = "rc4_256 sha1"; +static char *ealgs = "rc4_256 sha1"; /* for ssl only */ /* message size for exportfs; may be larger so we can do big graphics in CPU window */ static int msgsize = Maxfdata+IOHDRSZ; @@ -236,10 +238,8 @@ char *negstr = "negotiating authentication method"; -char bug[256]; - char* -rexcall(int *fd, char *host, char *service) +rexcallsec(int *fd, char *host, char *service) { char *na; char dir[MaxStr]; @@ -247,7 +247,7 @@ char msg[MaxStr]; int n; - na = netmkaddr(host, "tcp", "17010"); + na = netmkaddr(host, "tcp", service); if((*fd = dial(na, 0, dir, 0)) < 0) return "can't dial"; @@ -272,6 +272,26 @@ return 0; } +/* always try tls first; if tls is not required, try ssl upon failure */ +char* +rexcall(int *fd, char *host, char *service) +{ + int savedtls; + char *err; + + savedtls = tls; + tls = 1; + err = rexcallsec(fd, host, "cpu-tls"); + tls = savedtls; + + if (err && !tls) { /* failed & tls not required? try ssl */ + err = rexcallsec(fd, host, service); + if (!err && *fd >= 0) + fprint(2, "using ssl with %s\n", ealgs); + } + return err; +} + void writestr(int fd, char *str, char *thing, int ignore) { @@ -362,8 +382,21 @@ f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9]); } +static int +pushtlsclient(int fd) +{ + int efd; + TLSconn conn; + + memset(&conn, 0, sizeof conn); + efd = tlsClient(fd, &conn); + free(conn.cert); + return efd; +} + /* - * plan9 authentication followed by rc4 encryption + * perform plan9 authentication on fd, followed by pushing encryption + * and returning a new fd which encrypts. */ static int p9auth(int fd) @@ -396,9 +429,12 @@ mksecret(fromserversecret, digest+10); /* set up encryption */ - i = pushssl(fd, ealgs, fromclientsecret, fromserversecret, nil); + if (tls) + i = pushtlsclient(fd); + else + i = pushssl(fd, ealgs, fromclientsecret, fromserversecret, nil); if(i < 0) - werrstr("can't establish ssl connection: %r"); + werrstr("can't establish %s connection: %r", tls? "tls": "ssl"); return i; } --- /n/sources/plan9/sys/src/cmd/unix/drawterm/kern/devip.c Tue Mar 18 09:50:03 2014 +++ /sys/src/cmd/unix/drawterm/kern/devip.c Tue Jun 23 00:00:00 2026 @@ -680,7 +680,8 @@ "exportfs", 17007, "rexexec", 17009, "ncpu", 17010, - "cpu", 17013, + "cpu", 17013, /* obsolete; pre-9p2k */ + "cpu-tls", 17014, "glenglenda1", 17020, "glenglenda2", 17021, "glenglenda3", 17022,