diff options
| author | Laurent Bercot <ska-skaware@skarnet.org> | 2020-11-22 15:46:34 +0000 |
|---|---|---|
| committer | Laurent Bercot <ska-skaware@skarnet.org> | 2020-11-22 15:46:34 +0000 |
| commit | 4fb917263ac30373cb3e5dfe3e207369eb238def (patch) | |
| tree | 992265c03c46e9fe38084336e9a87733b9e8748c | |
| parent | 47cbbb1619ace4013856843ef8f7d68279c74faa (diff) | |
| download | s6-networking-4fb917263ac30373cb3e5dfe3e207369eb238def.tar.xz | |
Add SSL_PROTOCOL and SSL_CIPHER support, fix some bugs
| -rw-r--r-- | AUTHORS | 1 | ||||
| -rw-r--r-- | doc/libsbearssl/index.html | 12 | ||||
| -rw-r--r-- | doc/libstls/index.html | 18 | ||||
| -rw-r--r-- | package/deps.mak | 19 | ||||
| -rw-r--r-- | src/include/s6-networking/sbearssl.h | 7 | ||||
| -rw-r--r-- | src/include/s6-networking/stls.h | 1 | ||||
| -rw-r--r-- | src/sbearssl/deps-lib/sbearssl | 8 | ||||
| -rw-r--r-- | src/sbearssl/sbearssl-internal.h | 51 | ||||
| -rw-r--r-- | src/sbearssl/sbearssl_send_environment.c | 31 | ||||
| -rw-r--r-- | src/sbearssl/sbearssl_suite_bits.c | 16 | ||||
| -rw-r--r-- | src/sbearssl/sbearssl_suite_list.c | 201 | ||||
| -rw-r--r-- | src/sbearssl/sbearssl_suite_name.c | 14 | ||||
| -rw-r--r-- | src/stls/deps-lib/stls | 1 | ||||
| -rw-r--r-- | src/stls/stls_send_environment.c | 24 | ||||
| -rw-r--r-- | src/tls/deps-lib/s6tls | 1 | ||||
| -rw-r--r-- | src/tls/s6-tlsc-io.c | 33 | ||||
| -rw-r--r-- | src/tls/s6-tlsd-io.c | 33 |
17 files changed, 415 insertions, 56 deletions
@@ -3,6 +3,7 @@ Main author: Contributors: John Regan <john@jrjrtech.com> + Michael Forney <???@mforney.org> Thanks to: Jean Marot <jean.marot@skarnet.org> diff --git a/doc/libsbearssl/index.html b/doc/libsbearssl/index.html index 656c724..0c53c14 100644 --- a/doc/libsbearssl/index.html +++ b/doc/libsbearssl/index.html @@ -482,6 +482,18 @@ contain something else than numerical uid/gids, the process exits 111 with an error message. </p> +<h4> <code> int sbearssl_send_environment (br_ssl_engine_context *ctx, int fd) </code> </h4> + +<p> + Writes a series of null-terminated strings of the form <tt>key=value</tt> +to file descriptor <em>fd</em>; the series is terminated with an additional +null character. The strings represent information about the TLS connection +represented by context <em>ctx</em>; it is only valid to call this function +after the handshake has completed. The exact keys used will change over time, +but at least <tt>SSL_PROTOCOL=value</tt> and <tt>SSL_CIPHER=value</tt> are +transmitted. The function returns 1 if it succeeds and 0 if it fails. +</p> + <h3> Running the TLS/SSL engine (internal function for both clients and servers) </h3> <h4> <code> void sbearssl_run (br_ssl_engine_context *ctx, int *fds, tain_t const *tto, uint32_t options, unsigned int verbosity, sbearssl_handshake_cb_t_ref cb, sbearssl_handshake_cb_context_t *cbarg) </code> </h4> diff --git a/doc/libstls/index.html b/doc/libstls/index.html index f81396c..0983fef 100644 --- a/doc/libstls/index.html +++ b/doc/libstls/index.html @@ -66,6 +66,18 @@ contain something else than numerical uid/gids, the process exits 111 with an error message. </p> +<h4> <code> int stls_send_environment (struct tls *ctx, int fd) </code> </h4> + +<p> + Writes a series of null-terminated strings of the form <tt>key=value</tt> +to file descriptor <em>fd</em>; the series is terminated with an additional +null character. The strings represent information about the TLS connection +represented by context <em>ctx</em>; it is only valid to call this function +after the handshake has completed. The exact keys used will change over time, +but at least <tt>SSL_PROTOCOL=value</tt> and <tt>SSL_CIPHER=value</tt> are +transmitted. The function returns 1 if it succeeds and 0 if it fails. +</p> + <h3> Initializing the TLS engine </h3> <h4> <code> struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions, char const *servername) </code> </h4> @@ -95,10 +107,8 @@ exits 100 with an error message. </p> <ul> - <li> <tt>fds</tt> : an array of 4 file descriptors, that are in this -order: the fd reading from the application (cleartext), the fd writing to the -application (cleartext), the fd reading from the network, the fd writing to -the network. </li> + <li> <tt>fds</tt> : an array of 2 file descriptors, that are in this +order: the fd reading from the network, the fd writing to the network. </li> <li> <tt>preoptions : a bitfield. <ul> <li> Bit 0: if clear, no client authentication is performed. If set, diff --git a/package/deps.mak b/package/deps.mak index adfe397..784e1eb 100644 --- a/package/deps.mak +++ b/package/deps.mak @@ -51,10 +51,14 @@ src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_to.lo: src/sb src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_from.lo: src/sbearssl/sbearssl_rsa_skey_from.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_rsa_skey_to.lo: src/sbearssl/sbearssl_rsa_skey_to.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_run.lo: src/sbearssl/sbearssl_run.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h +src/sbearssl/sbearssl_send_environment.o src/sbearssl/sbearssl_send_environment.lo: src/sbearssl/sbearssl_send_environment.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_server_init_and_run.o src/sbearssl/sbearssl_server_init_and_run.lo: src/sbearssl/sbearssl_server_init_and_run.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_from.lo: src/sbearssl/sbearssl_skey_from.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_readfile.lo: src/sbearssl/sbearssl_skey_readfile.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_skey_to.lo: src/sbearssl/sbearssl_skey_to.c src/include/s6-networking/sbearssl.h +src/sbearssl/sbearssl_suite_bits.o src/sbearssl/sbearssl_suite_bits.lo: src/sbearssl/sbearssl_suite_bits.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h +src/sbearssl/sbearssl_suite_list.o src/sbearssl/sbearssl_suite_list.lo: src/sbearssl/sbearssl_suite_list.c src/sbearssl/sbearssl-internal.h +src/sbearssl/sbearssl_suite_name.o src/sbearssl/sbearssl_suite_name.lo: src/sbearssl/sbearssl_suite_name.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_cert.lo: src/sbearssl/sbearssl_ta_cert.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_certs.lo: src/sbearssl/sbearssl_ta_certs.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_from.lo: src/sbearssl/sbearssl_ta_from.c src/include/s6-networking/sbearssl.h @@ -67,6 +71,7 @@ src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_x509_minimal_ src/stls/stls_client_init_and_handshake.o src/stls/stls_client_init_and_handshake.lo: src/stls/stls_client_init_and_handshake.c src/include/s6-networking/stls.h src/stls/stls-internal.h src/stls/stls_drop.o src/stls/stls_drop.lo: src/stls/stls_drop.c src/stls/stls-internal.h src/stls/stls_run.o src/stls/stls_run.lo: src/stls/stls_run.c src/include/s6-networking/stls.h +src/stls/stls_send_environment.o src/stls/stls_send_environment.lo: src/stls/stls_send_environment.c src/include/s6-networking/stls.h src/stls/stls_server_init_and_handshake.o src/stls/stls_server_init_and_handshake.lo: src/stls/stls_server_init_and_handshake.c src/include/s6-networking/stls.h src/stls/stls-internal.h src/tls/s6-tlsc-io.o src/tls/s6-tlsc-io.lo: src/tls/s6-tlsc-io.c src/include/s6-networking/config.h src/include/s6-networking/sbearssl.h src/include/s6-networking/stls.h src/tls/s6-tlsc.o src/tls/s6-tlsc.lo: src/tls/s6-tlsc.c src/tls/s6tls-internal.h @@ -123,25 +128,25 @@ libs6net.so.xyzzy: src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_r minidentd: EXTRA_LIBS := -lskarnet ${MAYBEPTHREAD_LIB} ${SOCKET_LIB} ${SYSCLOCK_LIB} minidentd: src/minidentd/minidentd.o src/minidentd/mgetuid.o ${LIBNSSS} ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),) -libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_drop.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_server_init_and_run.o +libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_drop.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_send_environment.o src/sbearssl/sbearssl_server_init_and_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_suite_bits.o src/sbearssl/sbearssl_suite_list.o src/sbearssl/sbearssl_suite_name.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x509_minimal_set_tai.o else -libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_server_init_and_run.lo +libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo endif libsbearssl.so.xyzzy: EXTRA_LIBS := -lbearssl -lskarnet -libsbearssl.so.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_server_init_and_run.lo +libsbearssl.so.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),) -libstls.a.xyzzy: src/stls/stls_drop.o src/stls/stls_run.o src/stls/stls_client_init_and_handshake.o src/stls/stls_server_init_and_handshake.o +libstls.a.xyzzy: src/stls/stls_drop.o src/stls/stls_run.o src/stls/stls_client_init_and_handshake.o src/stls/stls_server_init_and_handshake.o src/stls/stls_send_environment.o else -libstls.a.xyzzy: src/stls/stls_drop.lo src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo +libstls.a.xyzzy: src/stls/stls_drop.lo src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo src/stls/stls_send_environment.lo endif libstls.so.xyzzy: EXTRA_LIBS := ${CRYPTO_LIB} -lskarnet -libstls.so.xyzzy: src/stls/stls_drop.lo src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo +libstls.so.xyzzy: src/stls/stls_drop.lo src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo src/stls/stls_send_environment.lo ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),) libs6tls.a.xyzzy: src/tls/s6tls_exec_tlscio.o src/tls/s6tls_exec_tlsdio.o src/tls/s6tls_sync_and_exec_app.o src/tls/s6tls_ucspi_exec_app.o else libs6tls.a.xyzzy: src/tls/s6tls_exec_tlscio.lo src/tls/s6tls_exec_tlsdio.lo src/tls/s6tls_sync_and_exec_app.lo src/tls/s6tls_ucspi_exec_app.lo endif -libs6tls.so.xyzzy: EXTRA_LIBS := +libs6tls.so.xyzzy: EXTRA_LIBS := -lskarnet libs6tls.so.xyzzy: src/tls/s6tls_exec_tlscio.lo src/tls/s6tls_exec_tlsdio.lo src/tls/s6tls_sync_and_exec_app.lo src/tls/s6tls_ucspi_exec_app.lo s6-tlsc: EXTRA_LIBS := -lskarnet s6-tlsc: src/tls/s6-tlsc.o libs6tls.a.xyzzy diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h index 9fb8792..5527696 100644 --- a/src/include/s6-networking/sbearssl.h +++ b/src/include/s6-networking/sbearssl.h @@ -34,6 +34,12 @@ extern int sbearssl_x509_minimal_set_tai (br_x509_minimal_context *, tai_t const #define sbearssl_x509_minimal_set_tain(ctx, a) sbearssl_x509_minimal_set_tai(ctx, tain_secp(a)) + /* Cipher suites */ + +extern char const *sbearssl_suite_name (br_ssl_session_parameters const *) ; +extern uint16_t bearssl_suite_bits (br_ssl_session_parameters const *) ; + + /* Certificates (x509-encoded) */ typedef struct sbearssl_cert_s sbearssl_cert, *sbearssl_cert_ref ; @@ -214,6 +220,7 @@ struct sbearssl_handshake_cb_context_s typedef int sbearssl_handshake_cb_t (br_ssl_engine_context *, sbearssl_handshake_cb_context_t *) ; typedef sbearssl_handshake_cb_t *sbearssl_handshake_cb_t_ref ; +extern int sbearssl_send_environment (br_ssl_engine_context *, int) ; extern void sbearssl_run (br_ssl_engine_context *, int *, tain_t const *, uint32_t, unsigned int, sbearssl_handshake_cb_t_ref, sbearssl_handshake_cb_context_t *) gccattr_noreturn ; diff --git a/src/include/s6-networking/stls.h b/src/include/s6-networking/stls.h index 76acdd8..e4ef28a 100644 --- a/src/include/s6-networking/stls.h +++ b/src/include/s6-networking/stls.h @@ -15,6 +15,7 @@ /* Engine */ +extern int stls_send_environment (struct tls *, int) ; extern void stls_run (struct tls *, int *, tain_t const *, uint32_t, unsigned int) gccattr_noreturn ; diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl index 13df389..dfa4f29 100644 --- a/src/sbearssl/deps-lib/sbearssl +++ b/src/sbearssl/deps-lib/sbearssl @@ -3,6 +3,7 @@ sbearssl_cert_from.o sbearssl_cert_readbigpem.o sbearssl_cert_readfile.o sbearssl_cert_to.o +sbearssl_client_init_and_run.o sbearssl_drop.o sbearssl_ec_issuer_keytype.o sbearssl_ec_pkey_from.o @@ -21,9 +22,14 @@ sbearssl_rsa_pkey_to.o sbearssl_rsa_skey_from.o sbearssl_rsa_skey_to.o sbearssl_run.o +sbearssl_send_environment.o +sbearssl_server_init_and_run.o sbearssl_skey_from.o sbearssl_skey_readfile.o sbearssl_skey_to.o +sbearssl_suite_bits.o +sbearssl_suite_list.o +sbearssl_suite_name.o sbearssl_ta_cert.o sbearssl_ta_certs.o sbearssl_ta_from.o @@ -33,7 +39,5 @@ sbearssl_ta_to.o sbearssl_x500_name_len.o sbearssl_x500_from_ta.o sbearssl_x509_minimal_set_tai.o -sbearssl_client_init_and_run.o -sbearssl_server_init_and_run.o -lbearssl -lskarnet diff --git a/src/sbearssl/sbearssl-internal.h b/src/sbearssl/sbearssl-internal.h index 2d98680..bfaad73 100644 --- a/src/sbearssl/sbearssl-internal.h +++ b/src/sbearssl/sbearssl-internal.h @@ -5,9 +5,12 @@ #include <sys/types.h> #include <stdint.h> + #include <bearssl.h> + #include <skalibs/stralloc.h> #include <skalibs/genalloc.h> + #include <s6-networking/sbearssl.h> typedef struct sbearssl_strallocerr_s sbearssl_strallocerr, *sbearssl_strallocerr_ref ; @@ -17,8 +20,56 @@ struct sbearssl_strallocerr_s int err ; } ; +typedef enum sbearssl_suite_prop_e sbearssl_suite_prop ; +enum sbearssl_suite_prop_e +{ + /* key exchange */ + kRSA = 1<<0, + ECDHE = 1<<1, + + /* authentication */ + aRSA = 1<<2, + ECDSA = 1<<3, + + /* encryption */ + TRIPLEDES = 1<<4, + AES128 = 1<<5, + AES256 = 1<<6, + AESGCM = 1<<7, + AESCCM = 1<<8, + AESCCM8 = 1<<9, + CHACHA20 = 1<<10, + + /* MAC */ + AEAD = 1<<11, + SHA1 = 1<<12, + SHA256 = 1<<13, + SHA384 = 1<<14, + + /* minimum TLS version */ + TLS10 = 1<<15, + TLS12 = 1<<16, + + /* strength */ + HIGH = 1<<17, + MEDIUM = 1<<18, + LOW = 1<<19, +} ; + +typedef struct sbearssl_suiteinfo_s sbearssl_suiteinfo, *sbearssl_suiteinfo_ref ; +struct sbearssl_suiteinfo_s +{ + char name[32] ; + uint16_t id ; + sbearssl_suite_prop prop ; + uint16_t bits ; +} ; + extern void sbearssl_drop (void) ; extern void sbearssl_append (void *, void const *, size_t) ; extern int sbearssl_pem_push (br_pem_decoder_context *, char const *, size_t, sbearssl_pemobject *, genalloc *, sbearssl_strallocerr *, int *) ; +extern sbearssl_suiteinfo const *const sbearssl_suite_list ; +extern size_t const sbearssl_suite_list_len ; + #endif diff --git a/src/sbearssl/sbearssl_send_environment.c b/src/sbearssl/sbearssl_send_environment.c new file mode 100644 index 0000000..3e1f1e1 --- /dev/null +++ b/src/sbearssl/sbearssl_send_environment.c @@ -0,0 +1,31 @@ +/* ISC license. */ + +#include <skalibs/bytestr.h> +#include <skalibs/buffer.h> + +#include <bearssl.h> + +#include <s6-networking/sbearssl.h> + +int sbearssl_send_environment (br_ssl_engine_context *ctx, int fd) +{ + char buf[4096] ; + buffer b = BUFFER_INIT(&buffer_write, fd, buf, 4096) ; + unsigned int v = br_ssl_engine_get_version(ctx) ; + char const *suite ; + br_ssl_session_parameters params ; + + br_ssl_engine_get_session_parameters(ctx, ¶ms) ; + suite = sbearssl_suite_name(¶ms) ; + byte_zzero((char *)params.master_secret, 48) ; + if (!suite) suite = "" ; + + if (buffer_puts(&b, "SSL_PROTOCOL=") < 0 + || buffer_puts(&b, v == BR_TLS12 ? "TLSv1.2" : v == BR_TLS11 ? "TLSv1.1" : v == BR_TLS10 ? "TLSv1" : "unknown") < 0 + || buffer_put(&b, "", 1) < 0 + || buffer_puts(&b, "SSL_CIPHER=") < 0 + || buffer_puts(&b, suite) < 0 + || buffer_putflush(&b, "\0", 2) < 0) + return 0 ; + return 1 ; +} diff --git a/src/sbearssl/sbearssl_suite_bits.c b/src/sbearssl/sbearssl_suite_bits.c new file mode 100644 index 0000000..8e2584e --- /dev/null +++ b/src/sbearssl/sbearssl_suite_bits.c @@ -0,0 +1,16 @@ +/* ISC license. */ + +#include <stdint.h> + +#include <bearssl.h> + +#include <s6-networking/sbearssl.h> +#include "sbearssl-internal.h" + +uint16_t sbearssl_suite_bits (br_ssl_session_parameters const *params) +{ + for (size_t i = 0 ; i < sbearssl_suite_list_len ; i++) + if (sbearssl_suite_list[i].id == params->cipher_suite) + return sbearssl_suite_list[i].bits ; + return 0 ; +} diff --git a/src/sbearssl/sbearssl_suite_list.c b/src/sbearssl/sbearssl_suite_list.c new file mode 100644 index 0000000..b51c480 --- /dev/null +++ b/src/sbearssl/sbearssl_suite_list.c @@ -0,0 +1,201 @@ +/* ISC license. */ + +/* Copied from Michael Forney's libtls-bearssl */ + +#include "sbearssl-internal.h" + +static sbearssl_suiteinfo const sbearssl_suite_list_[] = +{ + { + "ECDHE-ECDSA-CHACHA20-POLY1305", + BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + ECDHE|ECDSA|CHACHA20|AEAD|TLS12|HIGH, + 256, + }, + { + "ECDHE-RSA-CHACHA20-POLY1305", + BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + ECDHE|aRSA|CHACHA20|AEAD|TLS12|HIGH, + 256, + }, + { + "ECDHE-ECDSA-AES128-GCM-SHA256", + BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + ECDHE|ECDSA|AES128|AESGCM|AEAD|TLS12|HIGH, + 128, + }, + { + "ECDHE-RSA-AES128-GCM-SHA256", + BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + ECDHE|aRSA|AES128|AESGCM|AEAD|TLS12|HIGH, + 128, + }, + { + "ECDHE-ECDSA-AES256-GCM-SHA384", + BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + ECDHE|ECDSA|AES256|AESGCM|AEAD|TLS12|HIGH, + 256, + }, + { + "ECDHE-RSA-AES256-GCM-SHA384", + BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + ECDHE|aRSA|AES256|AESGCM|AEAD|TLS12|HIGH, + 256, + }, + { + "ECDHE-ECDSA-AES128-CCM", + BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, + ECDHE|ECDSA|AES128|AESCCM|AEAD|TLS12|HIGH, + 128, + }, + { + "ECDHE-ECDSA-AES256-CCM", + BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, + ECDHE|ECDSA|AES256|AESCCM|AEAD|TLS12|HIGH, + 256, + }, + { + "ECDHE-ECDSA-AES128-CCM8", + BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, + ECDHE|ECDSA|AES128|AESCCM8|AEAD|TLS12|HIGH, + 128, + }, + { + "ECDHE-ECDSA-AES256-CCM8", + BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, + ECDHE|ECDSA|AES256|AESCCM8|AEAD|TLS12|HIGH, + 256, + }, + { + "ECDHE-ECDSA-AES128-SHA256", + BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + ECDHE|ECDSA|AES128|SHA256|TLS12|HIGH, + 128, + }, + { + "ECDHE-RSA-AES128-SHA256", + BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + ECDHE|aRSA|AES128|SHA256|TLS12|HIGH, + 128, + }, + { + "ECDHE-ECDSA-AES256-SHA384", + BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + ECDHE|ECDSA|AES256|SHA384|TLS12|HIGH, + 256, + }, + { + "ECDHE-RSA-AES256-SHA384", + BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + ECDHE|aRSA|AES256|SHA384|TLS12|HIGH, + 256, + }, + { + "ECDHE-ECDSA-AES128-SHA", + BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + ECDHE|ECDSA|AES128|SHA1|TLS10|HIGH, + 128, + }, + { + "ECDHE-RSA-AES128-SHA", + BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + ECDHE|aRSA|AES128|SHA1|TLS10|HIGH, + 128, + }, + { + "ECDHE-ECDSA-AES256-SHA", + BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + ECDHE|ECDSA|AES256|SHA1|TLS10|HIGH, + 256, + }, + { + "ECDHE-RSA-AES256-SHA", + BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + ECDHE|aRSA|AES256|SHA1|TLS10|HIGH, + 256, + }, + /* ECDH suites, used in BearSSL "full" profile do + * not have corresponding OpenSSL + */ + { + "AES128-GCM-SHA256", + BR_TLS_RSA_WITH_AES_128_GCM_SHA256, + kRSA|aRSA|AES128|AESGCM|SHA256|TLS12|HIGH, + 128, + }, + { + "AES256-GCM-SHA384", + BR_TLS_RSA_WITH_AES_256_GCM_SHA384, + kRSA|aRSA|AES256|AESGCM|SHA384|TLS12|HIGH, + 256, + }, + { + "AES128-CCM", + BR_TLS_RSA_WITH_AES_128_CCM, + kRSA|aRSA|AES128|AESCCM|TLS12|HIGH, + 128, + }, + { + "AES256-CCM", + BR_TLS_RSA_WITH_AES_256_CCM, + kRSA|aRSA|AES256|AESCCM|TLS12|HIGH, + 256, + }, + { + "AES128-CCM8", + BR_TLS_RSA_WITH_AES_128_CCM_8, + kRSA|aRSA|AES128|AESCCM8|TLS12|HIGH, + 128, + }, + { + "AES256-CCM8", + BR_TLS_RSA_WITH_AES_256_CCM_8, + kRSA|aRSA|AES256|AESCCM8|TLS12|HIGH, + 256, + }, + { + "AES128-SHA256", + BR_TLS_RSA_WITH_AES_128_CBC_SHA256, + kRSA|aRSA|AES128|SHA256|TLS12|HIGH, + 128, + }, + { + "AES256-SHA256", + BR_TLS_RSA_WITH_AES_256_CBC_SHA256, + kRSA|aRSA|AES256|SHA256|TLS12|HIGH, + 256, + }, + { + "AES128-SHA", + BR_TLS_RSA_WITH_AES_128_CBC_SHA, + kRSA|aRSA|AES128|SHA1|TLS10|HIGH, + 128, + }, + { + "AES256-SHA", + BR_TLS_RSA_WITH_AES_256_CBC_SHA, + kRSA|aRSA|AES256|SHA1|TLS10|HIGH, + 256, + }, + { + "ECDHE-ECDSA-DES-CBC3-SHA", + BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + ECDHE|ECDSA|TRIPLEDES|SHA1|TLS10|MEDIUM, + 112, + }, + { + "ECDHE-RSA-DES-CBC3-SHA", + BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + ECDHE|aRSA|TRIPLEDES|SHA1|TLS10|MEDIUM, + 112, + }, + { + "DES-CBC3-SHA", + BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA, + kRSA|aRSA|TRIPLEDES|SHA1|TLS10|MEDIUM, + 112, + }, +}; + +sbearssl_suiteinfo const *const sbearssl_suite_list = sbearssl_suite_list_ ; +size_t const sbearssl_suite_list_len = sizeof(sbearssl_suite_list_) / sizeof(sbearssl_suiteinfo) ; diff --git a/src/sbearssl/sbearssl_suite_name.c b/src/sbearssl/sbearssl_suite_name.c new file mode 100644 index 0000000..97cc593 --- /dev/null +++ b/src/sbearssl/sbearssl_suite_name.c @@ -0,0 +1,14 @@ +/* ISC license. */ + +#include <bearssl.h> + +#include <s6-networking/sbearssl.h> +#include "sbearssl-internal.h" + +char const *sbearssl_suite_name (br_ssl_session_parameters const *params) +{ + for (size_t i = 0 ; i < sbearssl_suite_list_len ; i++) + if (sbearssl_suite_list[i].id == params->cipher_suite) + return sbearssl_suite_list[i].name ; + return 0 ; +} diff --git a/src/stls/deps-lib/stls b/src/stls/deps-lib/stls index 9416332..615ce3b 100644 --- a/src/stls/deps-lib/stls +++ b/src/stls/deps-lib/stls @@ -2,5 +2,6 @@ stls_drop.o stls_run.o stls_client_init_and_handshake.o stls_server_init_and_handshake.o +stls_send_environment.o ${CRYPTO_LIB} -lskarnet diff --git a/src/stls/stls_send_environment.c b/src/stls/stls_send_environment.c new file mode 100644 index 0000000..1c13602 --- /dev/null +++ b/src/stls/stls_send_environment.c @@ -0,0 +1,24 @@ +/* ISC license. */ + +#include <unistd.h> +#include <stdlib.h> + +#include <tls.h> + +#include <skalibs/buffer.h> + +#include <s6-networking/stls.h> + +int stls_send_environment (struct tls *ctx, int fd) +{ + char buf[4096] ; + buffer b = BUFFER_INIT(&buffer_write, fd, buf, 4096) ; + if (buffer_puts(&b, "SSL_PROTOCOL=") < 0 + || buffer_puts(&b, tls_conn_version(ctx)) < 0 + || buffer_put(&b, "", 1) < 0 + || buffer_puts(&b, "SSL_CIPHER=") < 0 + || buffer_puts(&b, tls_conn_cipher(ctx)) < 0 + || buffer_putflush(&b, "\0", 2) < 0) + return 0 ; + return 1 ; +} diff --git a/src/tls/deps-lib/s6tls b/src/tls/deps-lib/s6tls index f392de5..caa9872 100644 --- a/src/tls/deps-lib/s6tls +++ b/src/tls/deps-lib/s6tls @@ -2,3 +2,4 @@ s6tls_exec_tlscio.o s6tls_exec_tlsdio.o s6tls_sync_and_exec_app.o s6tls_ucspi_exec_app.o +-lskarnet diff --git a/src/tls/s6-tlsc-io.c b/src/tls/s6-tlsc-io.c index 79dd25d..48965cc 100644 --- a/src/tls/s6-tlsc-io.c +++ b/src/tls/s6-tlsc-io.c @@ -1,22 +1,20 @@ /* ISC license. */ #include <stdint.h> -#include <unistd.h> #include <signal.h> #include <skalibs/gccattributes.h> #include <skalibs/types.h> #include <skalibs/sgetopt.h> #include <skalibs/strerr2.h> -#include <skalibs/allreadwrite.h> #include <skalibs/tai.h> -#include <skalibs/env.h> #include <skalibs/sig.h> #include <skalibs/djbunix.h> #include <s6-networking/config.h> -#define HANDSHAKE_BANNER "SSL_PROTOCOL=TLSv1\0" +#define USAGE "s6-tlsc-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -k servername ] fdr fdw" +#define dieusage() strerr_dieusage(100, USAGE) static inline void doit (int *, tain_t const *tto, uint32_t, uint32_t, unsigned int, char const *, unsigned int) gccattr_noreturn ; @@ -29,7 +27,7 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3 struct tls *ctx = stls_client_init_and_handshake(fds + 2, preoptions, servername) ; if (notif) { - if (allwrite(notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER)) + if (!stls_send_environment(ctx, notif)) strerr_diefu1sys(111, "write post-handshake data") ; fd_close(notif) ; } @@ -39,22 +37,19 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3 #else #ifdef S6_NETWORKING_USE_BEARSSL +#include <bearssl.h> + #include <skalibs/random.h> #include <s6-networking/sbearssl.h> -static int handshake_cb_nop (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg) -{ - (void)ctx ; - (void)cbarg ; - return 1 ; -} - -static int handshake_cb_sendvars (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg) +static int handshake_cb (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg) { - if (allwrite(cbarg->notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER)) - return 0 ; - fd_close(cbarg->notif) ; + if (cbarg->notif) + { + if (!sbearssl_send_environment(ctx, cbarg->notif)) return 0 ; + fd_close(cbarg->notif) ; + } return 1 ; } @@ -63,7 +58,7 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3 if (ndelay_on(fds[0]) < 0 || ndelay_on(fds[1]) < 0) strerr_diefu1sys(111, "set local fds non-blocking") ; if (!random_init()) strerr_diefu1sys(111, "initialize random device") ; - sbearssl_client_init_and_run(fds, tto, preoptions, options, verbosity, servername, notif ? &handshake_cb_sendvars : &handshake_cb_nop, notif) ; + sbearssl_client_init_and_run(fds, tto, preoptions, options, verbosity, servername, &handshake_cb, notif) ; } #else @@ -73,10 +68,6 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3 #endif #endif - -#define USAGE "s6-tlsc-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -k servername ] fdr fdw" -#define dieusage() strerr_dieusage(100, USAGE) - int main (int argc, char const *const *argv, char const *const *envp) { char const *servername = 0 ; diff --git a/src/tls/s6-tlsd-io.c b/src/tls/s6-tlsd-io.c index 0b42b3b..14003a2 100644 --- a/src/tls/s6-tlsd-io.c +++ b/src/tls/s6-tlsd-io.c @@ -1,22 +1,20 @@ /* ISC license. */ #include <stdint.h> -#include <unistd.h> #include <signal.h> #include <skalibs/gccattributes.h> #include <skalibs/types.h> #include <skalibs/sgetopt.h> #include <skalibs/strerr2.h> -#include <skalibs/allreadwrite.h> -#include <skalibs/sig.h> #include <skalibs/tai.h> -#include <skalibs/env.h> +#include <skalibs/sig.h> #include <skalibs/djbunix.h> #include <s6-networking/config.h> -#define HANDSHAKE_BANNER "SSL_PROTOCOL=TLSv1\0" +#define USAGE "s6-tlsd-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] fdr fdw" +#define dieusage() strerr_dieusage(100, USAGE) static inline void doit (int *, tain_t const *tto, uint32_t, uint32_t, unsigned int, unsigned int) gccattr_noreturn ; @@ -29,7 +27,7 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3 struct tls *ctx = stls_server_init_and_handshake(fds + 2, preoptions) ; if (notif) { - if (allwrite(notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER)) + if (!stls_send_environment(ctx, notif)) strerr_diefu1sys(111, "write post-handshake data") ; fd_close(notif) ; } @@ -43,18 +41,13 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3 #include <s6-networking/sbearssl.h> -static int handshake_cb_nop (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg) -{ - (void)ctx ; - (void)cbarg ; - return 1 ; -} - -static int handshake_cb_sendvars (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg) +static int handshake_cb (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg) { - if (allwrite(cbarg->notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER)) - return 0 ; - fd_close(cbarg->notif) ; + if (cbarg->notif) + { + if (!sbearssl_send_environment(ctx, cbarg->notif)) return 0 ; + fd_close(cbarg->notif) ; + } return 1 ; } @@ -63,7 +56,7 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3 if (ndelay_on(fds[0]) < 0 || ndelay_on(fds[1]) < 0) strerr_diefu1sys(111, "set local fds non-blocking") ; if (!random_init()) strerr_diefu1sys(111, "initialize random device") ; - sbearssl_server_init_and_run(fds, tto, preoptions, options, verbosity, notif ? &handshake_cb_sendvars : &handshake_cb_nop, notif) ; + sbearssl_server_init_and_run(fds, tto, preoptions, options, verbosity, &handshake_cb, notif) ; } #else @@ -73,10 +66,6 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3 #endif #endif - -#define USAGE "s6-tlsd-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] fdr fdw" -#define dieusage() strerr_dieusage(100, USAGE) - int main (int argc, char const *const *argv, char const *const *envp) { tain_t tto ; |