summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLaurent Bercot <ska-skaware@skarnet.org>2020-11-23 14:25:24 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2020-11-23 14:25:24 +0000
commit564631637bcd238b4c9aad5496aa9e049f948dd9 (patch)
tree970379fee11287430432e18a8f75bb5ddc17990b
parentbae11b88357db72b19413cd05c62ac9242b9b597 (diff)
downloads6-networking-564631637bcd238b4c9aad5496aa9e049f948dd9.tar.xz
Fix more bugs; disable renegociation in bearssl client
-rw-r--r--src/sbearssl/sbearssl_client_init_and_run.c1
-rw-r--r--src/sbearssl/sbearssl_ta_readdir.c28
-rw-r--r--src/stls/stls_client_init_and_handshake.c36
-rw-r--r--src/stls/stls_server_init_and_handshake.c23
4 files changed, 44 insertions, 44 deletions
diff --git a/src/sbearssl/sbearssl_client_init_and_run.c b/src/sbearssl/sbearssl_client_init_and_run.c
index a6e7aca..73fac70 100644
--- a/src/sbearssl/sbearssl_client_init_and_run.c
+++ b/src/sbearssl/sbearssl_client_init_and_run.c
@@ -59,6 +59,7 @@ void sbearssl_client_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ;
genalloc_free(sbearssl_ta, &tas) ;
br_ssl_client_init_full(&cc, &xc, btas, talen) ;
+ br_ssl_engine_add_flags(&cc.eng, BR_OPT_NO_RENEGOTIATION) ;
random_string((char *)buf, 32) ;
random_finish() ;
br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ;
diff --git a/src/sbearssl/sbearssl_ta_readdir.c b/src/sbearssl/sbearssl_ta_readdir.c
index 4093bcf..f340503 100644
--- a/src/sbearssl/sbearssl_ta_readdir.c
+++ b/src/sbearssl/sbearssl_ta_readdir.c
@@ -1,11 +1,15 @@
/* ISC license. */
+#include <stdint.h>
#include <string.h>
#include <errno.h>
+
+#include <skalibs/uint32.h>
#include <skalibs/stralloc.h>
#include <skalibs/genalloc.h>
#include <skalibs/direntry.h>
#include <skalibs/djbunix.h>
+
#include <s6-networking/sbearssl.h>
int sbearssl_ta_readdir (char const *dirfn, genalloc *taga, stralloc *tasa)
@@ -18,26 +22,26 @@ int sbearssl_ta_readdir (char const *dirfn, genalloc *taga, stralloc *tasa)
stralloc certsa = STRALLOC_ZERO ;
genalloc certga = GENALLOC_ZERO ;
DIR *dir = opendir(dirfn) ;
+ char fn[dirfnlen + 12] ;
if (!dir) return -1 ;
+ memcpy(fn, dirfn, dirfnlen) ;
+ fn[dirfnlen] = '/' ;
for (;;)
{
direntry *d ;
+ uint32_t dummy ;
errno = 0 ;
d = readdir(dir) ;
if (!d) break ;
- if (d->d_name[0] == '.') continue ;
- {
- size_t dlen = strlen(d->d_name) ;
- char fn[dirfnlen + dlen + 2] ;
- memcpy(fn, dirfn, dirfnlen) ;
- fn[dirfnlen] = '/' ;
- memcpy(fn + dirfnlen + 1, d->d_name, dlen) ;
- fn[dirfnlen + 1 + dlen] = 0 ;
- genalloc_setlen(sbearssl_cert, &certga, 0) ;
- certsa.len = 0 ;
- if (sbearssl_cert_readfile(fn, &certga, &certsa)) continue ;
- }
+
+ /* only process files with valid hash names */
+ if (uint32_xscan(d->d_name, &dummy) != 8 || d->d_name[8] != '.' || d->d_name[9] != '0' || d->d_name[10]) continue ;
+
+ memcpy(fn + dirfnlen + 1, d->d_name, 11) ;
+ genalloc_setlen(sbearssl_cert, &certga, 0) ;
+ certsa.len = 0 ;
+ if (sbearssl_cert_readfile(fn, &certga, &certsa)) continue ;
sbearssl_ta_certs(taga, tasa, genalloc_s(sbearssl_cert, &certga), genalloc_len(sbearssl_cert, &certga), certsa.s) ;
}
if (errno) goto fail ;
diff --git a/src/stls/stls_client_init_and_handshake.c b/src/stls/stls_client_init_and_handshake.c
index 173942f..f0cc5be 100644
--- a/src/stls/stls_client_init_and_handshake.c
+++ b/src/stls/stls_client_init_and_handshake.c
@@ -22,6 +22,21 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions,
cfg = tls_config_new() ;
if (!cfg) strerr_diefu1sys(111, "tls_config_new") ;
+ if (preoptions & 1)
+ {
+ x = getenv("CERTFILE") ;
+ if (!x) strerr_dienotset(100, "CERTFILE") ;
+ if (tls_config_set_cert_file(cfg, x) < 0)
+ diecfg(cfg, "tls_config_set_cert_file") ;
+
+ x = getenv("KEYFILE") ;
+ if (!x) strerr_dienotset(100, "KEYFILE") ;
+ if (tls_config_set_key_file(cfg, x) < 0)
+ diecfg(cfg, "tls_config_set_key_file") ;
+ }
+
+ stls_drop() ;
+
x = getenv("CADIR") ;
if (x)
{
@@ -36,24 +51,9 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions,
if (tls_config_set_ca_file(cfg, x) < 0)
diecfg(cfg, "tls_config_set_ca_file") ;
}
- else strerr_dief1x(100, "no trust anchor found - please set CADIR or CAFILE") ;
+ else strerr_diefu1x(100, "get trust anchor list: neither CADIR nor CAFILE is set") ;
}
- if (preoptions & 1)
- {
- x = getenv("CERTFILE") ;
- if (!x) strerr_dienotset(100, "CERTFILE") ;
- if (tls_config_set_cert_file(cfg, x) < 0)
- diecfg(cfg, "tls_config_set_cert_file") ;
-
- x = getenv("KEYFILE") ;
- if (!x) strerr_dienotset(100, "KEYFILE") ;
- if (tls_config_set_key_file(cfg, x) < 0)
- diecfg(cfg, "tls_config_set_key_file") ;
- }
-
- stls_drop() ;
-
if (tls_config_set_ciphers(cfg, "secure") < 0)
diecfg(cfg, "tls_config_set_ciphers") ;
@@ -75,8 +75,6 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions,
if (tls_connect_fds(ctx, fds[0], fds[1], servername) < 0)
diectx(97, ctx, "tls_connect_fds") ;
tls_config_free(cfg) ;
- strerr_warn1x("before handshake") ;
- if (tls_handshake(ctx) < 0) diectx(97, ctx, "perform SSL handshake") ;
- strerr_warn1x("after handshake") ;
+ if (tls_handshake(ctx) < 0) diectx(97, ctx, "tls_handshake") ;
return ctx ;
}
diff --git a/src/stls/stls_server_init_and_handshake.c b/src/stls/stls_server_init_and_handshake.c
index 5dd5284..e6869be 100644
--- a/src/stls/stls_server_init_and_handshake.c
+++ b/src/stls/stls_server_init_and_handshake.c
@@ -14,8 +14,8 @@
struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions)
{
- struct tls *cctx ;
- struct tls *ctx ;
+ struct tls *ctx = 0 ;
+ struct tls *sctx ;
struct tls_config *cfg ;
char const *x ;
@@ -70,16 +70,13 @@ struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions)
tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ;
tls_config_prefer_ciphers_server(cfg) ;
- ctx = tls_server() ;
- if (!ctx) strerr_diefu1sys(111, "tls_server") ;
- if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
+ sctx = tls_server() ;
+ if (!sctx) strerr_diefu1sys(111, "tls_server") ;
+ if (tls_configure(sctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
tls_config_free(cfg) ;
- if (tls_accept_fds(ctx, &cctx, fds[0], fds[1]) < 0)
- diectx(97, ctx, "tls_accept_fds") ;
- tls_free(ctx) ;
- strerr_warni1x("before handshake") ;
- if (tls_handshake(cctx) < 0)
- diectx(97, cctx, "perform SSL handshake") ;
- strerr_warni1x("after handshake") ;
- return cctx ;
+ if (tls_accept_fds(sctx, &ctx, fds[0], fds[1]) < 0)
+ diectx(97, sctx, "tls_accept_fds") ;
+ tls_free(sctx) ;
+ if (tls_handshake(ctx) < 0) diectx(97, ctx, "tls_handshake") ;
+ return ctx ;
}