summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLaurent Bercot <ska-skaware@skarnet.org>2020-11-22 15:46:34 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2020-11-22 15:46:34 +0000
commit4fb917263ac30373cb3e5dfe3e207369eb238def (patch)
tree992265c03c46e9fe38084336e9a87733b9e8748c
parent47cbbb1619ace4013856843ef8f7d68279c74faa (diff)
downloads6-networking-4fb917263ac30373cb3e5dfe3e207369eb238def.tar.xz
Add SSL_PROTOCOL and SSL_CIPHER support, fix some bugs
-rw-r--r--AUTHORS1
-rw-r--r--doc/libsbearssl/index.html12
-rw-r--r--doc/libstls/index.html18
-rw-r--r--package/deps.mak19
-rw-r--r--src/include/s6-networking/sbearssl.h7
-rw-r--r--src/include/s6-networking/stls.h1
-rw-r--r--src/sbearssl/deps-lib/sbearssl8
-rw-r--r--src/sbearssl/sbearssl-internal.h51
-rw-r--r--src/sbearssl/sbearssl_send_environment.c31
-rw-r--r--src/sbearssl/sbearssl_suite_bits.c16
-rw-r--r--src/sbearssl/sbearssl_suite_list.c201
-rw-r--r--src/sbearssl/sbearssl_suite_name.c14
-rw-r--r--src/stls/deps-lib/stls1
-rw-r--r--src/stls/stls_send_environment.c24
-rw-r--r--src/tls/deps-lib/s6tls1
-rw-r--r--src/tls/s6-tlsc-io.c33
-rw-r--r--src/tls/s6-tlsd-io.c33
17 files changed, 415 insertions, 56 deletions
diff --git a/AUTHORS b/AUTHORS
index 96ff745..8341bff 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -3,6 +3,7 @@ Main author:
Contributors:
John Regan <john@jrjrtech.com>
+ Michael Forney <???@mforney.org>
Thanks to:
Jean Marot <jean.marot@skarnet.org>
diff --git a/doc/libsbearssl/index.html b/doc/libsbearssl/index.html
index 656c724..0c53c14 100644
--- a/doc/libsbearssl/index.html
+++ b/doc/libsbearssl/index.html
@@ -482,6 +482,18 @@ contain something else than numerical uid/gids, the process exits 111 with
an error message.
</p>
+<h4> <code> int sbearssl_send_environment (br_ssl_engine_context *ctx, int fd) </code> </h4>
+
+<p>
+ Writes a series of null-terminated strings of the form <tt>key=value</tt>
+to file descriptor <em>fd</em>; the series is terminated with an additional
+null character. The strings represent information about the TLS connection
+represented by context <em>ctx</em>; it is only valid to call this function
+after the handshake has completed. The exact keys used will change over time,
+but at least <tt>SSL_PROTOCOL=value</tt> and <tt>SSL_CIPHER=value</tt> are
+transmitted. The function returns 1 if it succeeds and 0 if it fails.
+</p>
+
<h3> Running the TLS/SSL engine (internal function for both clients and servers) </h3>
<h4> <code> void sbearssl_run (br_ssl_engine_context *ctx, int *fds, tain_t const *tto, uint32_t options, unsigned int verbosity, sbearssl_handshake_cb_t_ref cb, sbearssl_handshake_cb_context_t *cbarg) </code> </h4>
diff --git a/doc/libstls/index.html b/doc/libstls/index.html
index f81396c..0983fef 100644
--- a/doc/libstls/index.html
+++ b/doc/libstls/index.html
@@ -66,6 +66,18 @@ contain something else than numerical uid/gids, the process exits 111 with
an error message.
</p>
+<h4> <code> int stls_send_environment (struct tls *ctx, int fd) </code> </h4>
+
+<p>
+ Writes a series of null-terminated strings of the form <tt>key=value</tt>
+to file descriptor <em>fd</em>; the series is terminated with an additional
+null character. The strings represent information about the TLS connection
+represented by context <em>ctx</em>; it is only valid to call this function
+after the handshake has completed. The exact keys used will change over time,
+but at least <tt>SSL_PROTOCOL=value</tt> and <tt>SSL_CIPHER=value</tt> are
+transmitted. The function returns 1 if it succeeds and 0 if it fails.
+</p>
+
<h3> Initializing the TLS engine </h3>
<h4> <code> struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions, char const *servername) </code> </h4>
@@ -95,10 +107,8 @@ exits 100 with an error message.
</p>
<ul>
- <li> <tt>fds</tt>&nbsp;: an array of 4 file descriptors, that are in this
-order: the fd reading from the application (cleartext), the fd writing to the
-application (cleartext), the fd reading from the network, the fd writing to
-the network. </li>
+ <li> <tt>fds</tt>&nbsp;: an array of 2 file descriptors, that are in this
+order: the fd reading from the network, the fd writing to the network. </li>
<li> <tt>preoptions&nbsp;: a bitfield.
<ul>
<li> Bit 0: if clear, no client authentication is performed. If set,
diff --git a/package/deps.mak b/package/deps.mak
index adfe397..784e1eb 100644
--- a/package/deps.mak
+++ b/package/deps.mak
@@ -51,10 +51,14 @@ src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_to.lo: src/sb
src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_from.lo: src/sbearssl/sbearssl_rsa_skey_from.c src/include/s6-networking/sbearssl.h
src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_rsa_skey_to.lo: src/sbearssl/sbearssl_rsa_skey_to.c src/include/s6-networking/sbearssl.h
src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_run.lo: src/sbearssl/sbearssl_run.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h
+src/sbearssl/sbearssl_send_environment.o src/sbearssl/sbearssl_send_environment.lo: src/sbearssl/sbearssl_send_environment.c src/include/s6-networking/sbearssl.h
src/sbearssl/sbearssl_server_init_and_run.o src/sbearssl/sbearssl_server_init_and_run.lo: src/sbearssl/sbearssl_server_init_and_run.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h
src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_from.lo: src/sbearssl/sbearssl_skey_from.c src/include/s6-networking/sbearssl.h
src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_readfile.lo: src/sbearssl/sbearssl_skey_readfile.c src/include/s6-networking/sbearssl.h
src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_skey_to.lo: src/sbearssl/sbearssl_skey_to.c src/include/s6-networking/sbearssl.h
+src/sbearssl/sbearssl_suite_bits.o src/sbearssl/sbearssl_suite_bits.lo: src/sbearssl/sbearssl_suite_bits.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h
+src/sbearssl/sbearssl_suite_list.o src/sbearssl/sbearssl_suite_list.lo: src/sbearssl/sbearssl_suite_list.c src/sbearssl/sbearssl-internal.h
+src/sbearssl/sbearssl_suite_name.o src/sbearssl/sbearssl_suite_name.lo: src/sbearssl/sbearssl_suite_name.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h
src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_cert.lo: src/sbearssl/sbearssl_ta_cert.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h
src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_certs.lo: src/sbearssl/sbearssl_ta_certs.c src/include/s6-networking/sbearssl.h
src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_from.lo: src/sbearssl/sbearssl_ta_from.c src/include/s6-networking/sbearssl.h
@@ -67,6 +71,7 @@ src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_x509_minimal_
src/stls/stls_client_init_and_handshake.o src/stls/stls_client_init_and_handshake.lo: src/stls/stls_client_init_and_handshake.c src/include/s6-networking/stls.h src/stls/stls-internal.h
src/stls/stls_drop.o src/stls/stls_drop.lo: src/stls/stls_drop.c src/stls/stls-internal.h
src/stls/stls_run.o src/stls/stls_run.lo: src/stls/stls_run.c src/include/s6-networking/stls.h
+src/stls/stls_send_environment.o src/stls/stls_send_environment.lo: src/stls/stls_send_environment.c src/include/s6-networking/stls.h
src/stls/stls_server_init_and_handshake.o src/stls/stls_server_init_and_handshake.lo: src/stls/stls_server_init_and_handshake.c src/include/s6-networking/stls.h src/stls/stls-internal.h
src/tls/s6-tlsc-io.o src/tls/s6-tlsc-io.lo: src/tls/s6-tlsc-io.c src/include/s6-networking/config.h src/include/s6-networking/sbearssl.h src/include/s6-networking/stls.h
src/tls/s6-tlsc.o src/tls/s6-tlsc.lo: src/tls/s6-tlsc.c src/tls/s6tls-internal.h
@@ -123,25 +128,25 @@ libs6net.so.xyzzy: src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_r
minidentd: EXTRA_LIBS := -lskarnet ${MAYBEPTHREAD_LIB} ${SOCKET_LIB} ${SYSCLOCK_LIB}
minidentd: src/minidentd/minidentd.o src/minidentd/mgetuid.o ${LIBNSSS}
ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),)
-libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_drop.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_server_init_and_run.o
+libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_drop.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_send_environment.o src/sbearssl/sbearssl_server_init_and_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_suite_bits.o src/sbearssl/sbearssl_suite_list.o src/sbearssl/sbearssl_suite_name.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x509_minimal_set_tai.o
else
-libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_server_init_and_run.lo
+libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo
endif
libsbearssl.so.xyzzy: EXTRA_LIBS := -lbearssl -lskarnet
-libsbearssl.so.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_server_init_and_run.lo
+libsbearssl.so.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo
ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),)
-libstls.a.xyzzy: src/stls/stls_drop.o src/stls/stls_run.o src/stls/stls_client_init_and_handshake.o src/stls/stls_server_init_and_handshake.o
+libstls.a.xyzzy: src/stls/stls_drop.o src/stls/stls_run.o src/stls/stls_client_init_and_handshake.o src/stls/stls_server_init_and_handshake.o src/stls/stls_send_environment.o
else
-libstls.a.xyzzy: src/stls/stls_drop.lo src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo
+libstls.a.xyzzy: src/stls/stls_drop.lo src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo src/stls/stls_send_environment.lo
endif
libstls.so.xyzzy: EXTRA_LIBS := ${CRYPTO_LIB} -lskarnet
-libstls.so.xyzzy: src/stls/stls_drop.lo src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo
+libstls.so.xyzzy: src/stls/stls_drop.lo src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo src/stls/stls_send_environment.lo
ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),)
libs6tls.a.xyzzy: src/tls/s6tls_exec_tlscio.o src/tls/s6tls_exec_tlsdio.o src/tls/s6tls_sync_and_exec_app.o src/tls/s6tls_ucspi_exec_app.o
else
libs6tls.a.xyzzy: src/tls/s6tls_exec_tlscio.lo src/tls/s6tls_exec_tlsdio.lo src/tls/s6tls_sync_and_exec_app.lo src/tls/s6tls_ucspi_exec_app.lo
endif
-libs6tls.so.xyzzy: EXTRA_LIBS :=
+libs6tls.so.xyzzy: EXTRA_LIBS := -lskarnet
libs6tls.so.xyzzy: src/tls/s6tls_exec_tlscio.lo src/tls/s6tls_exec_tlsdio.lo src/tls/s6tls_sync_and_exec_app.lo src/tls/s6tls_ucspi_exec_app.lo
s6-tlsc: EXTRA_LIBS := -lskarnet
s6-tlsc: src/tls/s6-tlsc.o libs6tls.a.xyzzy
diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h
index 9fb8792..5527696 100644
--- a/src/include/s6-networking/sbearssl.h
+++ b/src/include/s6-networking/sbearssl.h
@@ -34,6 +34,12 @@ extern int sbearssl_x509_minimal_set_tai (br_x509_minimal_context *, tai_t const
#define sbearssl_x509_minimal_set_tain(ctx, a) sbearssl_x509_minimal_set_tai(ctx, tain_secp(a))
+ /* Cipher suites */
+
+extern char const *sbearssl_suite_name (br_ssl_session_parameters const *) ;
+extern uint16_t bearssl_suite_bits (br_ssl_session_parameters const *) ;
+
+
/* Certificates (x509-encoded) */
typedef struct sbearssl_cert_s sbearssl_cert, *sbearssl_cert_ref ;
@@ -214,6 +220,7 @@ struct sbearssl_handshake_cb_context_s
typedef int sbearssl_handshake_cb_t (br_ssl_engine_context *, sbearssl_handshake_cb_context_t *) ;
typedef sbearssl_handshake_cb_t *sbearssl_handshake_cb_t_ref ;
+extern int sbearssl_send_environment (br_ssl_engine_context *, int) ;
extern void sbearssl_run (br_ssl_engine_context *, int *, tain_t const *, uint32_t, unsigned int, sbearssl_handshake_cb_t_ref, sbearssl_handshake_cb_context_t *) gccattr_noreturn ;
diff --git a/src/include/s6-networking/stls.h b/src/include/s6-networking/stls.h
index 76acdd8..e4ef28a 100644
--- a/src/include/s6-networking/stls.h
+++ b/src/include/s6-networking/stls.h
@@ -15,6 +15,7 @@
/* Engine */
+extern int stls_send_environment (struct tls *, int) ;
extern void stls_run (struct tls *, int *, tain_t const *, uint32_t, unsigned int) gccattr_noreturn ;
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index 13df389..dfa4f29 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -3,6 +3,7 @@ sbearssl_cert_from.o
sbearssl_cert_readbigpem.o
sbearssl_cert_readfile.o
sbearssl_cert_to.o
+sbearssl_client_init_and_run.o
sbearssl_drop.o
sbearssl_ec_issuer_keytype.o
sbearssl_ec_pkey_from.o
@@ -21,9 +22,14 @@ sbearssl_rsa_pkey_to.o
sbearssl_rsa_skey_from.o
sbearssl_rsa_skey_to.o
sbearssl_run.o
+sbearssl_send_environment.o
+sbearssl_server_init_and_run.o
sbearssl_skey_from.o
sbearssl_skey_readfile.o
sbearssl_skey_to.o
+sbearssl_suite_bits.o
+sbearssl_suite_list.o
+sbearssl_suite_name.o
sbearssl_ta_cert.o
sbearssl_ta_certs.o
sbearssl_ta_from.o
@@ -33,7 +39,5 @@ sbearssl_ta_to.o
sbearssl_x500_name_len.o
sbearssl_x500_from_ta.o
sbearssl_x509_minimal_set_tai.o
-sbearssl_client_init_and_run.o
-sbearssl_server_init_and_run.o
-lbearssl
-lskarnet
diff --git a/src/sbearssl/sbearssl-internal.h b/src/sbearssl/sbearssl-internal.h
index 2d98680..bfaad73 100644
--- a/src/sbearssl/sbearssl-internal.h
+++ b/src/sbearssl/sbearssl-internal.h
@@ -5,9 +5,12 @@
#include <sys/types.h>
#include <stdint.h>
+
#include <bearssl.h>
+
#include <skalibs/stralloc.h>
#include <skalibs/genalloc.h>
+
#include <s6-networking/sbearssl.h>
typedef struct sbearssl_strallocerr_s sbearssl_strallocerr, *sbearssl_strallocerr_ref ;
@@ -17,8 +20,56 @@ struct sbearssl_strallocerr_s
int err ;
} ;
+typedef enum sbearssl_suite_prop_e sbearssl_suite_prop ;
+enum sbearssl_suite_prop_e
+{
+ /* key exchange */
+ kRSA = 1<<0,
+ ECDHE = 1<<1,
+
+ /* authentication */
+ aRSA = 1<<2,
+ ECDSA = 1<<3,
+
+ /* encryption */
+ TRIPLEDES = 1<<4,
+ AES128 = 1<<5,
+ AES256 = 1<<6,
+ AESGCM = 1<<7,
+ AESCCM = 1<<8,
+ AESCCM8 = 1<<9,
+ CHACHA20 = 1<<10,
+
+ /* MAC */
+ AEAD = 1<<11,
+ SHA1 = 1<<12,
+ SHA256 = 1<<13,
+ SHA384 = 1<<14,
+
+ /* minimum TLS version */
+ TLS10 = 1<<15,
+ TLS12 = 1<<16,
+
+ /* strength */
+ HIGH = 1<<17,
+ MEDIUM = 1<<18,
+ LOW = 1<<19,
+} ;
+
+typedef struct sbearssl_suiteinfo_s sbearssl_suiteinfo, *sbearssl_suiteinfo_ref ;
+struct sbearssl_suiteinfo_s
+{
+ char name[32] ;
+ uint16_t id ;
+ sbearssl_suite_prop prop ;
+ uint16_t bits ;
+} ;
+
extern void sbearssl_drop (void) ;
extern void sbearssl_append (void *, void const *, size_t) ;
extern int sbearssl_pem_push (br_pem_decoder_context *, char const *, size_t, sbearssl_pemobject *, genalloc *, sbearssl_strallocerr *, int *) ;
+extern sbearssl_suiteinfo const *const sbearssl_suite_list ;
+extern size_t const sbearssl_suite_list_len ;
+
#endif
diff --git a/src/sbearssl/sbearssl_send_environment.c b/src/sbearssl/sbearssl_send_environment.c
new file mode 100644
index 0000000..3e1f1e1
--- /dev/null
+++ b/src/sbearssl/sbearssl_send_environment.c
@@ -0,0 +1,31 @@
+/* ISC license. */
+
+#include <skalibs/bytestr.h>
+#include <skalibs/buffer.h>
+
+#include <bearssl.h>
+
+#include <s6-networking/sbearssl.h>
+
+int sbearssl_send_environment (br_ssl_engine_context *ctx, int fd)
+{
+ char buf[4096] ;
+ buffer b = BUFFER_INIT(&buffer_write, fd, buf, 4096) ;
+ unsigned int v = br_ssl_engine_get_version(ctx) ;
+ char const *suite ;
+ br_ssl_session_parameters params ;
+
+ br_ssl_engine_get_session_parameters(ctx, &params) ;
+ suite = sbearssl_suite_name(&params) ;
+ byte_zzero((char *)params.master_secret, 48) ;
+ if (!suite) suite = "" ;
+
+ if (buffer_puts(&b, "SSL_PROTOCOL=") < 0
+ || buffer_puts(&b, v == BR_TLS12 ? "TLSv1.2" : v == BR_TLS11 ? "TLSv1.1" : v == BR_TLS10 ? "TLSv1" : "unknown") < 0
+ || buffer_put(&b, "", 1) < 0
+ || buffer_puts(&b, "SSL_CIPHER=") < 0
+ || buffer_puts(&b, suite) < 0
+ || buffer_putflush(&b, "\0", 2) < 0)
+ return 0 ;
+ return 1 ;
+}
diff --git a/src/sbearssl/sbearssl_suite_bits.c b/src/sbearssl/sbearssl_suite_bits.c
new file mode 100644
index 0000000..8e2584e
--- /dev/null
+++ b/src/sbearssl/sbearssl_suite_bits.c
@@ -0,0 +1,16 @@
+/* ISC license. */
+
+#include <stdint.h>
+
+#include <bearssl.h>
+
+#include <s6-networking/sbearssl.h>
+#include "sbearssl-internal.h"
+
+uint16_t sbearssl_suite_bits (br_ssl_session_parameters const *params)
+{
+ for (size_t i = 0 ; i < sbearssl_suite_list_len ; i++)
+ if (sbearssl_suite_list[i].id == params->cipher_suite)
+ return sbearssl_suite_list[i].bits ;
+ return 0 ;
+}
diff --git a/src/sbearssl/sbearssl_suite_list.c b/src/sbearssl/sbearssl_suite_list.c
new file mode 100644
index 0000000..b51c480
--- /dev/null
+++ b/src/sbearssl/sbearssl_suite_list.c
@@ -0,0 +1,201 @@
+/* ISC license. */
+
+/* Copied from Michael Forney's libtls-bearssl */
+
+#include "sbearssl-internal.h"
+
+static sbearssl_suiteinfo const sbearssl_suite_list_[] =
+{
+ {
+ "ECDHE-ECDSA-CHACHA20-POLY1305",
+ BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ ECDHE|ECDSA|CHACHA20|AEAD|TLS12|HIGH,
+ 256,
+ },
+ {
+ "ECDHE-RSA-CHACHA20-POLY1305",
+ BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ ECDHE|aRSA|CHACHA20|AEAD|TLS12|HIGH,
+ 256,
+ },
+ {
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ ECDHE|ECDSA|AES128|AESGCM|AEAD|TLS12|HIGH,
+ 128,
+ },
+ {
+ "ECDHE-RSA-AES128-GCM-SHA256",
+ BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ ECDHE|aRSA|AES128|AESGCM|AEAD|TLS12|HIGH,
+ 128,
+ },
+ {
+ "ECDHE-ECDSA-AES256-GCM-SHA384",
+ BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ ECDHE|ECDSA|AES256|AESGCM|AEAD|TLS12|HIGH,
+ 256,
+ },
+ {
+ "ECDHE-RSA-AES256-GCM-SHA384",
+ BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ ECDHE|aRSA|AES256|AESGCM|AEAD|TLS12|HIGH,
+ 256,
+ },
+ {
+ "ECDHE-ECDSA-AES128-CCM",
+ BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+ ECDHE|ECDSA|AES128|AESCCM|AEAD|TLS12|HIGH,
+ 128,
+ },
+ {
+ "ECDHE-ECDSA-AES256-CCM",
+ BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+ ECDHE|ECDSA|AES256|AESCCM|AEAD|TLS12|HIGH,
+ 256,
+ },
+ {
+ "ECDHE-ECDSA-AES128-CCM8",
+ BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+ ECDHE|ECDSA|AES128|AESCCM8|AEAD|TLS12|HIGH,
+ 128,
+ },
+ {
+ "ECDHE-ECDSA-AES256-CCM8",
+ BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+ ECDHE|ECDSA|AES256|AESCCM8|AEAD|TLS12|HIGH,
+ 256,
+ },
+ {
+ "ECDHE-ECDSA-AES128-SHA256",
+ BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ ECDHE|ECDSA|AES128|SHA256|TLS12|HIGH,
+ 128,
+ },
+ {
+ "ECDHE-RSA-AES128-SHA256",
+ BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ ECDHE|aRSA|AES128|SHA256|TLS12|HIGH,
+ 128,
+ },
+ {
+ "ECDHE-ECDSA-AES256-SHA384",
+ BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ ECDHE|ECDSA|AES256|SHA384|TLS12|HIGH,
+ 256,
+ },
+ {
+ "ECDHE-RSA-AES256-SHA384",
+ BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ ECDHE|aRSA|AES256|SHA384|TLS12|HIGH,
+ 256,
+ },
+ {
+ "ECDHE-ECDSA-AES128-SHA",
+ BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ ECDHE|ECDSA|AES128|SHA1|TLS10|HIGH,
+ 128,
+ },
+ {
+ "ECDHE-RSA-AES128-SHA",
+ BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ ECDHE|aRSA|AES128|SHA1|TLS10|HIGH,
+ 128,
+ },
+ {
+ "ECDHE-ECDSA-AES256-SHA",
+ BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ ECDHE|ECDSA|AES256|SHA1|TLS10|HIGH,
+ 256,
+ },
+ {
+ "ECDHE-RSA-AES256-SHA",
+ BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ ECDHE|aRSA|AES256|SHA1|TLS10|HIGH,
+ 256,
+ },
+ /* ECDH suites, used in BearSSL "full" profile do
+ * not have corresponding OpenSSL
+ */
+ {
+ "AES128-GCM-SHA256",
+ BR_TLS_RSA_WITH_AES_128_GCM_SHA256,
+ kRSA|aRSA|AES128|AESGCM|SHA256|TLS12|HIGH,
+ 128,
+ },
+ {
+ "AES256-GCM-SHA384",
+ BR_TLS_RSA_WITH_AES_256_GCM_SHA384,
+ kRSA|aRSA|AES256|AESGCM|SHA384|TLS12|HIGH,
+ 256,
+ },
+ {
+ "AES128-CCM",
+ BR_TLS_RSA_WITH_AES_128_CCM,
+ kRSA|aRSA|AES128|AESCCM|TLS12|HIGH,
+ 128,
+ },
+ {
+ "AES256-CCM",
+ BR_TLS_RSA_WITH_AES_256_CCM,
+ kRSA|aRSA|AES256|AESCCM|TLS12|HIGH,
+ 256,
+ },
+ {
+ "AES128-CCM8",
+ BR_TLS_RSA_WITH_AES_128_CCM_8,
+ kRSA|aRSA|AES128|AESCCM8|TLS12|HIGH,
+ 128,
+ },
+ {
+ "AES256-CCM8",
+ BR_TLS_RSA_WITH_AES_256_CCM_8,
+ kRSA|aRSA|AES256|AESCCM8|TLS12|HIGH,
+ 256,
+ },
+ {
+ "AES128-SHA256",
+ BR_TLS_RSA_WITH_AES_128_CBC_SHA256,
+ kRSA|aRSA|AES128|SHA256|TLS12|HIGH,
+ 128,
+ },
+ {
+ "AES256-SHA256",
+ BR_TLS_RSA_WITH_AES_256_CBC_SHA256,
+ kRSA|aRSA|AES256|SHA256|TLS12|HIGH,
+ 256,
+ },
+ {
+ "AES128-SHA",
+ BR_TLS_RSA_WITH_AES_128_CBC_SHA,
+ kRSA|aRSA|AES128|SHA1|TLS10|HIGH,
+ 128,
+ },
+ {
+ "AES256-SHA",
+ BR_TLS_RSA_WITH_AES_256_CBC_SHA,
+ kRSA|aRSA|AES256|SHA1|TLS10|HIGH,
+ 256,
+ },
+ {
+ "ECDHE-ECDSA-DES-CBC3-SHA",
+ BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ ECDHE|ECDSA|TRIPLEDES|SHA1|TLS10|MEDIUM,
+ 112,
+ },
+ {
+ "ECDHE-RSA-DES-CBC3-SHA",
+ BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ ECDHE|aRSA|TRIPLEDES|SHA1|TLS10|MEDIUM,
+ 112,
+ },
+ {
+ "DES-CBC3-SHA",
+ BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ kRSA|aRSA|TRIPLEDES|SHA1|TLS10|MEDIUM,
+ 112,
+ },
+};
+
+sbearssl_suiteinfo const *const sbearssl_suite_list = sbearssl_suite_list_ ;
+size_t const sbearssl_suite_list_len = sizeof(sbearssl_suite_list_) / sizeof(sbearssl_suiteinfo) ;
diff --git a/src/sbearssl/sbearssl_suite_name.c b/src/sbearssl/sbearssl_suite_name.c
new file mode 100644
index 0000000..97cc593
--- /dev/null
+++ b/src/sbearssl/sbearssl_suite_name.c
@@ -0,0 +1,14 @@
+/* ISC license. */
+
+#include <bearssl.h>
+
+#include <s6-networking/sbearssl.h>
+#include "sbearssl-internal.h"
+
+char const *sbearssl_suite_name (br_ssl_session_parameters const *params)
+{
+ for (size_t i = 0 ; i < sbearssl_suite_list_len ; i++)
+ if (sbearssl_suite_list[i].id == params->cipher_suite)
+ return sbearssl_suite_list[i].name ;
+ return 0 ;
+}
diff --git a/src/stls/deps-lib/stls b/src/stls/deps-lib/stls
index 9416332..615ce3b 100644
--- a/src/stls/deps-lib/stls
+++ b/src/stls/deps-lib/stls
@@ -2,5 +2,6 @@ stls_drop.o
stls_run.o
stls_client_init_and_handshake.o
stls_server_init_and_handshake.o
+stls_send_environment.o
${CRYPTO_LIB}
-lskarnet
diff --git a/src/stls/stls_send_environment.c b/src/stls/stls_send_environment.c
new file mode 100644
index 0000000..1c13602
--- /dev/null
+++ b/src/stls/stls_send_environment.c
@@ -0,0 +1,24 @@
+/* ISC license. */
+
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <tls.h>
+
+#include <skalibs/buffer.h>
+
+#include <s6-networking/stls.h>
+
+int stls_send_environment (struct tls *ctx, int fd)
+{
+ char buf[4096] ;
+ buffer b = BUFFER_INIT(&buffer_write, fd, buf, 4096) ;
+ if (buffer_puts(&b, "SSL_PROTOCOL=") < 0
+ || buffer_puts(&b, tls_conn_version(ctx)) < 0
+ || buffer_put(&b, "", 1) < 0
+ || buffer_puts(&b, "SSL_CIPHER=") < 0
+ || buffer_puts(&b, tls_conn_cipher(ctx)) < 0
+ || buffer_putflush(&b, "\0", 2) < 0)
+ return 0 ;
+ return 1 ;
+}
diff --git a/src/tls/deps-lib/s6tls b/src/tls/deps-lib/s6tls
index f392de5..caa9872 100644
--- a/src/tls/deps-lib/s6tls
+++ b/src/tls/deps-lib/s6tls
@@ -2,3 +2,4 @@ s6tls_exec_tlscio.o
s6tls_exec_tlsdio.o
s6tls_sync_and_exec_app.o
s6tls_ucspi_exec_app.o
+-lskarnet
diff --git a/src/tls/s6-tlsc-io.c b/src/tls/s6-tlsc-io.c
index 79dd25d..48965cc 100644
--- a/src/tls/s6-tlsc-io.c
+++ b/src/tls/s6-tlsc-io.c
@@ -1,22 +1,20 @@
/* ISC license. */
#include <stdint.h>
-#include <unistd.h>
#include <signal.h>
#include <skalibs/gccattributes.h>
#include <skalibs/types.h>
#include <skalibs/sgetopt.h>
#include <skalibs/strerr2.h>
-#include <skalibs/allreadwrite.h>
#include <skalibs/tai.h>
-#include <skalibs/env.h>
#include <skalibs/sig.h>
#include <skalibs/djbunix.h>
#include <s6-networking/config.h>
-#define HANDSHAKE_BANNER "SSL_PROTOCOL=TLSv1\0"
+#define USAGE "s6-tlsc-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -k servername ] fdr fdw"
+#define dieusage() strerr_dieusage(100, USAGE)
static inline void doit (int *, tain_t const *tto, uint32_t, uint32_t, unsigned int, char const *, unsigned int) gccattr_noreturn ;
@@ -29,7 +27,7 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3
struct tls *ctx = stls_client_init_and_handshake(fds + 2, preoptions, servername) ;
if (notif)
{
- if (allwrite(notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER))
+ if (!stls_send_environment(ctx, notif))
strerr_diefu1sys(111, "write post-handshake data") ;
fd_close(notif) ;
}
@@ -39,22 +37,19 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3
#else
#ifdef S6_NETWORKING_USE_BEARSSL
+#include <bearssl.h>
+
#include <skalibs/random.h>
#include <s6-networking/sbearssl.h>
-static int handshake_cb_nop (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg)
-{
- (void)ctx ;
- (void)cbarg ;
- return 1 ;
-}
-
-static int handshake_cb_sendvars (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg)
+static int handshake_cb (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg)
{
- if (allwrite(cbarg->notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER))
- return 0 ;
- fd_close(cbarg->notif) ;
+ if (cbarg->notif)
+ {
+ if (!sbearssl_send_environment(ctx, cbarg->notif)) return 0 ;
+ fd_close(cbarg->notif) ;
+ }
return 1 ;
}
@@ -63,7 +58,7 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3
if (ndelay_on(fds[0]) < 0 || ndelay_on(fds[1]) < 0)
strerr_diefu1sys(111, "set local fds non-blocking") ;
if (!random_init()) strerr_diefu1sys(111, "initialize random device") ;
- sbearssl_client_init_and_run(fds, tto, preoptions, options, verbosity, servername, notif ? &handshake_cb_sendvars : &handshake_cb_nop, notif) ;
+ sbearssl_client_init_and_run(fds, tto, preoptions, options, verbosity, servername, &handshake_cb, notif) ;
}
#else
@@ -73,10 +68,6 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3
#endif
#endif
-
-#define USAGE "s6-tlsc-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -k servername ] fdr fdw"
-#define dieusage() strerr_dieusage(100, USAGE)
-
int main (int argc, char const *const *argv, char const *const *envp)
{
char const *servername = 0 ;
diff --git a/src/tls/s6-tlsd-io.c b/src/tls/s6-tlsd-io.c
index 0b42b3b..14003a2 100644
--- a/src/tls/s6-tlsd-io.c
+++ b/src/tls/s6-tlsd-io.c
@@ -1,22 +1,20 @@
/* ISC license. */
#include <stdint.h>
-#include <unistd.h>
#include <signal.h>
#include <skalibs/gccattributes.h>
#include <skalibs/types.h>
#include <skalibs/sgetopt.h>
#include <skalibs/strerr2.h>
-#include <skalibs/allreadwrite.h>
-#include <skalibs/sig.h>
#include <skalibs/tai.h>
-#include <skalibs/env.h>
+#include <skalibs/sig.h>
#include <skalibs/djbunix.h>
#include <s6-networking/config.h>
-#define HANDSHAKE_BANNER "SSL_PROTOCOL=TLSv1\0"
+#define USAGE "s6-tlsd-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] fdr fdw"
+#define dieusage() strerr_dieusage(100, USAGE)
static inline void doit (int *, tain_t const *tto, uint32_t, uint32_t, unsigned int, unsigned int) gccattr_noreturn ;
@@ -29,7 +27,7 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3
struct tls *ctx = stls_server_init_and_handshake(fds + 2, preoptions) ;
if (notif)
{
- if (allwrite(notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER))
+ if (!stls_send_environment(ctx, notif))
strerr_diefu1sys(111, "write post-handshake data") ;
fd_close(notif) ;
}
@@ -43,18 +41,13 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3
#include <s6-networking/sbearssl.h>
-static int handshake_cb_nop (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg)
-{
- (void)ctx ;
- (void)cbarg ;
- return 1 ;
-}
-
-static int handshake_cb_sendvars (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg)
+static int handshake_cb (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg)
{
- if (allwrite(cbarg->notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER))
- return 0 ;
- fd_close(cbarg->notif) ;
+ if (cbarg->notif)
+ {
+ if (!sbearssl_send_environment(ctx, cbarg->notif)) return 0 ;
+ fd_close(cbarg->notif) ;
+ }
return 1 ;
}
@@ -63,7 +56,7 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3
if (ndelay_on(fds[0]) < 0 || ndelay_on(fds[1]) < 0)
strerr_diefu1sys(111, "set local fds non-blocking") ;
if (!random_init()) strerr_diefu1sys(111, "initialize random device") ;
- sbearssl_server_init_and_run(fds, tto, preoptions, options, verbosity, notif ? &handshake_cb_sendvars : &handshake_cb_nop, notif) ;
+ sbearssl_server_init_and_run(fds, tto, preoptions, options, verbosity, &handshake_cb, notif) ;
}
#else
@@ -73,10 +66,6 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3
#endif
#endif
-
-#define USAGE "s6-tlsd-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] fdr fdw"
-#define dieusage() strerr_dieusage(100, USAGE)
-
int main (int argc, char const *const *argv, char const *const *envp)
{
tain_t tto ;