authorLaurent Bercot <ska-skaware@skarnet.org>2016-12-01 02:24:09 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2016-12-01 02:24:09 +0000
commit880f2a22304b393b43397c3ec8de83052a2584ce (patch)
tree23eca19438ee116cca0af840f709c4fd63bcd95b
parentcc08be523a2a647a999dcf82dcce9dee62b4162c (diff)
Fix several bugs in stls, make the engine work
-rw-r--r--src/conn-tools/deps-exe/s6-tlsc1
-rw-r--r--src/conn-tools/deps-exe/s6-tlsd1
-rw-r--r--src/sbearssl/sbearssl_run.c10
-rw-r--r--src/stls/stls_run.c47
-rw-r--r--src/stls/stls_s6tlsc.c15
-rw-r--r--src/stls/stls_s6tlsd.c4
6 files changed, 43 insertions, 35 deletions
diff --git a/src/conn-tools/deps-exe/s6-tlsc b/src/conn-tools/deps-exe/s6-tlsc
index 5ae8124..953d34f 100644
--- a/src/conn-tools/deps-exe/s6-tlsc
+++ b/src/conn-tools/deps-exe/s6-tlsc
@@ -3,4 +3,5 @@ ${LIBS6NET}
-lskarnet
${CRYPTO_LIB}
${SOCKET_LIB}
+${SPAWN_LIB}
${TAINNOW_LIB}
diff --git a/src/conn-tools/deps-exe/s6-tlsd b/src/conn-tools/deps-exe/s6-tlsd
index 5ae8124..953d34f 100644
--- a/src/conn-tools/deps-exe/s6-tlsd
+++ b/src/conn-tools/deps-exe/s6-tlsd
@@ -3,4 +3,5 @@ ${LIBS6NET}
-lskarnet
${CRYPTO_LIB}
${SOCKET_LIB}
+${SPAWN_LIB}
${TAINNOW_LIB}
diff --git a/src/sbearssl/sbearssl_run.c b/src/sbearssl/sbearssl_run.c
index 1617e98..efd711c 100644
--- a/src/sbearssl/sbearssl_run.c
+++ b/src/sbearssl/sbearssl_run.c
@@ -14,16 +14,6 @@
#include <skalibs/djbunix.h>
#include <s6-networking/sbearssl.h>
-#ifdef DEBUG
-# include <skalibs/buffer.h>
-# include <skalibs/strerr2.h>
-# include <skalibs/lolstdio.h>
-# define PLM(...) (bprintf(buffer_2, "%s: debug: ", PROG), bprintf(buffer_2, __VA_ARGS__), buffer_putflush(buffer_2, "\n", 1))
-#else
-# define PLM(...)
-#endif
-
-
int sbearssl_run (br_ssl_engine_context *ctx, int *fds, unsigned int verbosity, uint32_t options, tain_t const *tto)
{
iopause_fd x[4] ;
diff --git a/src/stls/stls_run.c b/src/stls/stls_run.c
index 5c67034..09f9bc0 100644
--- a/src/stls/stls_run.c
+++ b/src/stls/stls_run.c
@@ -22,9 +22,9 @@
typedef struct tlsbuf_s tlsbuf_t, *tlsbuf_t_ref ;
struct tlsbuf_s
{
- char buf[STLS_BUFSIZE] ;
buffer b ;
- unsigned int blockedonother : 1 ;
+ unsigned char blockedonother : 1 ;
+ char buf[STLS_BUFSIZE] ;
} ;
static inline int buffer_tls_flush (struct tls *ctx, tlsbuf_t *b)
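Review bot: `unsigned char blockedonother : 1 ;` relies on an implementation-defined bit-field type: C11 6.7.2.1 only guarantees `_Bool`, `signed int` and `unsigned int` as bit-field base types, so this is a small portability regression relative to the removed `unsigned int blockedonother : 1 ;`, even though GCC and Clang accept it. If the aim is to keep the struct header compact now that `buf` follows the flag, a plain `unsigned char blockedonother ;` achieves that portably; otherwise keep the `unsigned int` bit-field. buffer_tls_flush, whose signature closes the hunk, continues outside it.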
@@ -43,7 +43,7 @@ static inline int buffer_tls_flush (struct tls *ctx, tlsbuf_t *b)
default : break ;
}
w = r ;
- if (v[1].len)
+ if ((size_t)w == v[0].len && v[1].len)
{
r = tls_write(ctx, v[1].s, v[1].len) ;
switch (r)
@@ -81,7 +81,7 @@ static inline int buffer_tls_fill (struct tls *ctx, tlsbuf_t *b)
default : break ;
}
w = r ;
- if (v[1].len)
+ if ((size_t)w == v[0].len && v[1].len)
{
r = tls_read(ctx, v[1].s, v[1].len) ;
switch (r)
@@ -102,12 +102,15 @@ static inline int buffer_tls_fill (struct tls *ctx, tlsbuf_t *b)
return ok ;
}
-static void do_tls_close (struct tls *ctx, int fd)
+static void closeit (struct tls *ctx, int *fds, int doshd)
{
- iopause_fd x = { .fd = fd, .events = IOPAUSE_WRITE } ;
- while (tls_close(ctx) == TLS_WANT_POLLOUT)
- if (iopause_g(&x, 1, 0) < 0)
- strerr_diefu1sys(111, "iopause") ;
+ if (fds[2] >= 0)
+ {
+ ndelay_off(fds[3]) ;
+ tls_close(ctx) ;
+ }
+ if (doshd) shutdown(fds[3], SHUT_WR) ;
+ fd_close(fds[3]) ; fds[3] = -1 ;
}
int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options, tain_t const *tto)
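Review bot: The return value of the new `tls_close(ctx)` call in closeit is discarded, so a failed close_notify (tls_close returning -1) is silently dropped, whereas the other libtls failures in this file are reported through tls_error. The preceding `ndelay_off(fds[3])` makes fds[3] blocking, so the TLS_WANT_POLLOUT retry loop of the removed do_tls_close is no longer needed, but -1 remains possible; ndelay_off's own result is also unchecked. Suggest `if (tls_close(ctx) < 0) strerr_warnwu2x("close TLS connection: ", tls_error(ctx)) ;` here and for the second unchecked tls_close in the `closing` branch of the stls_run hunk at `@@ -220,11 +224,17 @@`.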
@@ -115,6 +118,7 @@ int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options,
tlsbuf_t b[2] = { { .blockedonother = 0 }, { .blockedonother = 0 } } ;
iopause_fd x[4] ;
unsigned int xindex[4] ;
+ int closing = 0 ;
register unsigned int i ;
for (i = 0 ; i < 2 ; i++)
@@ -161,7 +165,7 @@ int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options,
}
else xindex[2] = 4 ;
- if (fds[3] >= 0 && !b[0].blockedonother && buffer_iswritable(&b[0].b))
+ if (fds[3] >= 0 && (!b[0].blockedonother && buffer_iswritable(&b[0].b) || closing))
{
x[xlen].fd = fds[3] ;
x[xlen].events = IOPAUSE_WRITE ;
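Review bot: The new condition mixes `&&` and `||` without grouping, `(!b[0].blockedonother && buffer_iswritable(&b[0].b) || closing)`, which is correct by precedence but triggers -Wparentheses and is easy to misread next to the leading `fds[3] >= 0 &&`. Suggest `if (fds[3] >= 0 && ((!b[0].blockedonother && buffer_iswritable(&b[0].b)) || closing))`. The enclosing loop body of stls_run starts and ends outside the hunk.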
@@ -220,11 +224,17 @@ int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options,
strerr_warnwu2x("write to peer: ", tls_error(ctx)) ;
fd_close(fds[0]) ; fds[0] = -1 ;
}
- if (r && fds[0] < 0)
+ if (r)
{
- if (fds[2] >= 0) do_tls_close(ctx, fds[3]) ;
- if (options & 1) shutdown(fds[3], SHUT_WR) ;
- fd_close(fds[3]) ; fds[3] = -1 ;
+ if (closing && buffer_isempty(&b[0].b))
+ {
+ ndelay_off(fds[3]) ;
+ tls_close(ctx) ;
+ fd_close(fds[3]) ; fds[3] = -1 ;
+ if (fds[0] >= 0) { fd_close(fds[0]) ; fds[0] = -1 ; }
+ closing = 0 ;
+ }
+ else if (fds[0] < 0) closeit(ctx, fds, options & 1) ;
}
}
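Review bot: The new `closing && buffer_isempty(&b[0].b)` branch duplicates closeit's teardown (ndelay_off, tls_close, fd_close of fds[3]) but leaves out the `if (doshd) shutdown(fds[3], SHUT_WR)` step that closeit performs when `options & 1` is set, so the shutdown option is honoured on the application-EOF path but not on the peer-EOF path. If that asymmetry is deliberate (the peer's read side is already closed when `closing` is set), a one-line comment saying so would help; otherwise add `if (options & 1) shutdown(fds[3], SHUT_WR) ;` before the `fd_close(fds[3])` in that branch. The branch cannot simply call closeit as written, because closeit only issues tls_close while fds[2] is still open, and the hunk that sets `closing = 1` does so right after closing fds[2]. The enclosing stls_run body runs beyond both ends of the hunk.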
@@ -238,12 +248,7 @@ int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options,
{
if (errno != EPIPE) strerr_warnwu1sys("read from application") ;
fd_close(fds[0]) ; fds[0] = -1 ;
- if (buffer_isempty(&b[0].b))
- {
- if (fds[2] >= 0) do_tls_close(ctx, fds[3]) ;
- if (options & 1) shutdown(fds[3], SHUT_WR) ;
- fd_close(fds[3]) ; fds[3] = -1 ;
- }
+ if (buffer_isempty(&b[0].b)) closeit(ctx, fds, options & 1) ;
}
}
@@ -256,12 +261,12 @@ int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options,
if (r < 0)
{
if (r == -1) strerr_warnwu2x("read from peer: ", tls_error(ctx)) ;
- if (options & 1) shutdown(fds[2], SHUT_RD) ;
fd_close(fds[2]) ; fds[2] = -1 ;
if (buffer_isempty(&b[1].b))
{
fd_close(fds[1]) ; fds[1] = -1 ;
}
+ closing = 1 ;
}
}
}
diff --git a/src/stls/stls_s6tlsc.c b/src/stls/stls_s6tlsc.c
index 1313cfe..70e8f20 100644
--- a/src/stls/stls_s6tlsc.c
+++ b/src/stls/stls_s6tlsc.c
@@ -14,6 +14,15 @@
#define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg))
#define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx))
+#ifdef DEBUG
+# include <skalibs/buffer.h>
+# include <skalibs/strerr2.h>
+# include <skalibs/lolstdio.h>
+# define PLM(...) (bprintf(buffer_2, "%s: debug: ", PROG), bprintf(buffer_2, __VA_ARGS__), buffer_putflush(buffer_2, "\n", 1))
+#else
+# define PLM(...)
+#endif
+
int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, char const *servername, int *sfd)
{
int fds[4] = { sfd[0], sfd[1], sfd[0], sfd[1] } ;
@@ -68,11 +77,11 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const
tls_config_verify(cfg) ;
tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ;
tls_config_prefer_ciphers_server(cfg) ;
+ if (!servername) tls_config_insecure_noverifyname(cfg) ;
ctx = tls_client() ;
if (!ctx) strerr_diefu1sys(111, "tls_client") ;
if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
- tls_config_free(cfg) ;
pid = s6net_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ;
if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;
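Review bot: The added `if (!servername) tls_config_insecure_noverifyname(cfg) ;` disables hostname verification whenever the caller omits a server name, so such a client accepts any certificate that chains to a trusted CA regardless of which host presented it; the call's name marks this as an insecure mode in libtls. It is keyed on an absent argument rather than an explicit opt-in, so a user who simply forgets to pass servername gets the weaker check silently. If this fallback is intended, document it next to the call, e.g. `/* no server name: the chain is still verified, the hostname is not */`, and consider reporting it when verbosity permits, e.g. `if (verbosity >= 2) strerr_warnw1x("no server name given, hostname verification disabled") ;`. stls_s6tlsc begins and ends outside this hunk.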
@@ -81,12 +90,14 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const
if (tls_connect_fds(ctx, fds[2], fds[3], servername) < 0)
diectx(97, ctx, "tls_connect_fds") ;
+ tls_config_free(cfg) ;
+ if (tls_handshake(ctx) < 0) diectx(97, ctx, "perform SSL handshake") ;
{
int wstat ;
int r = stls_run(ctx, fds, verbosity, options, tto) ;
if (r < 0) strerr_diefu1sys(111, "run SSL engine") ;
- else if (r) diectx(98, ctx, "establish or maintain SSL connection to peer") ;
+ else if (r) diectx(98, ctx, "maintain SSL connection to peer") ;
tls_free(ctx) ;
if (wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
return wait_estatus(wstat) ;
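Review bot: `if (tls_handshake(ctx) < 0) diectx(97, ctx, "perform SSL handshake") ;` treats every negative return as fatal, yet libtls returns TLS_WANT_POLLIN and TLS_WANT_POLLOUT (both negative) when the handshake must be repeated once the descriptor is ready. If fds[2]/fds[3] are already non-blocking here — the `ndelay_off(fds[3])` that stls_run now performs before tls_close suggests the engine runs them that way, though where they are set is outside this diff — a handshake needing more than one round trip would abort the client with status 97 instead of completing. The identical one-line test added to stls_s6tlsd.c in this commit needs the same treatment. Suggest looping on the WANT_POLL results with an iopause on the descriptor the library asked for, as the removed do_tls_close did for tls_close; stls_s6tlsc continues outside the hunk.
```c
/* … unchanged: tls_connect_fds, tls_config_free … */
for (;;)
{
  int r = tls_handshake(ctx) ;
  if (r >= 0) break ;
  if (r == TLS_WANT_POLLIN || r == TLS_WANT_POLLOUT)
  {
    iopause_fd x = { .fd = r == TLS_WANT_POLLIN ? fds[2] : fds[3], .events = r == TLS_WANT_POLLIN ? IOPAUSE_READ : IOPAUSE_WRITE } ;
    if (iopause_g(&x, 1, 0) < 0) strerr_diefu1sys(111, "iopause") ;
  }
  else diectx(97, ctx, "perform SSL handshake") ;
}
/* … unchanged: stls_run call, tls_free, wait_pid … */
```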
diff --git a/src/stls/stls_s6tlsd.c b/src/stls/stls_s6tlsd.c
index 1506556..64cf01f 100644
--- a/src/stls/stls_s6tlsd.c
+++ b/src/stls/stls_s6tlsd.c
@@ -78,14 +78,14 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const
if (tls_accept_fds(ctx, &cctx, fds[2], fds[3]) < 0)
diectx(97, ctx, "tls_accept_fds") ;
-
tls_free(ctx) ;
+ if (tls_handshake(cctx) < 0) diectx(97, cctx, "perform SSL handshake") ;
{
int wstat ;
int r = stls_run(cctx, fds, verbosity, options, tto) ;
if (r < 0) strerr_diefu1sys(111, "run SSL engine") ;
- else if (r) diectx(98, cctx, "establish or maintain SSL connection to peer") ;
+ else if (r) diectx(98, cctx, "maintain SSL connection to peer") ;
if (wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
return wait_estatus(wstat) ;
}