Refactor tls code to support ucspi-tls

 That includes:
 - new architecture: the tls binary is now a child of the app
instead of the other way around
 - the sbearssl_run engine now takes a post-handshake callback.
This allows s6-tlsc and s6-tlsd to only exec into the app when
the handshake succeeds (which was already the case with libressl).
 - new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto
code; they init and run the engine, connecting to 4 already open
fds (stdin/stdout = network, argv[1] and argv[2] = local)
 - s6-tlsc is now a simple wrapper around s6-tlsc-io
 - s6-tlsd is now a simple wrapper around s6-tlsd-io
 - new binary: s6-ucspitlsd, which is also a wrapper around
s6-tlsd-io, but differently: the parent execs the app which should
be ucspi-tls-aware, the child waits for a command from the parent
and execs into s6-tlsd-io if it receives it.

1 files changed, 0 insertions, 79 deletions

diff --git a/src/sbearssl/sbearssl_s6tlsc.c b/src/sbearssl/sbearssl_s6tlsc.c
deleted file mode 100644
index 267d79c..0000000
--- a/src/sbearssl/sbearssl_s6tlsc.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/* ISC license. */
-
-#include <unistd.h>
-#include <errno.h>
-#include <bearssl.h>
-#include <skalibs/strerr2.h>
-#include <skalibs/env.h>
-#include <skalibs/stralloc.h>
-#include <skalibs/genalloc.h>
-#include <skalibs/djbunix.h>
-#include <skalibs/random.h>
-#include <s6-networking/sbearssl.h>
-#include "sbearssl-internal.h"
-
-int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, char const *servername, int *sfd)
-{
-  int fds[5] = { sfd[0], sfd[1], sfd[0], sfd[1] } ;
-  stralloc storage = STRALLOC_ZERO ;
-  genalloc tas = GENALLOC_ZERO ;
-  size_t talen ;
-  pid_t pid ;
-
-  if (preoptions & 1)
-    strerr_dief1x(100, "client certificates are not supported yet") ;
-
-  {
-    int r ;
-    char const *x = env_get2(envp, "CADIR") ;
-    if (x)
-      r = sbearssl_ta_readdir(x, &tas, &storage) ;
-    else
-    {
-      x = env_get2(envp, "CAFILE") ;
-      if (!x) strerr_dienotset(100, "CADIR or CAFILE") ;
-      r = sbearssl_ta_readfile(x, &tas, &storage) ;
-    }
-
-    if (r < 0)
-      strerr_diefu2sys(111, "read trust anchors in ", x) ;
-    else if (r)
-      strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ;
-
-    talen = genalloc_len(sbearssl_ta, &tas) ;
-    if (!talen)
-      strerr_dief2x(96, "no trust anchor found in ", x) ;
-  }
-
-  if (!random_init()) strerr_diefu1sys(111, "initialize random generator") ;
-
-  pid = sbearssl_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ;
-
-  {
-    unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
-    br_x509_minimal_context xc ;
-    br_ssl_client_context cc ;
-    br_x509_trust_anchor btas[talen] ;
-    size_t i = talen ;
-    int wstat ;
-
-    stralloc_shrink(&storage) ;
-    while (i--)
-      sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ;
-    genalloc_free(sbearssl_ta, &tas) ;
-    br_ssl_client_init_full(&cc, &xc, btas, talen) ;
-    random_string((char *)buf, 32) ;
-    br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ;
-    random_finish() ;
-    br_ssl_engine_set_buffer(&cc.eng, buf, sizeof(buf), 1) ;
-    if (!br_ssl_client_reset(&cc, servername, 0))
-      strerr_diefu2x(97, "reset client context: ", sbearssl_error_str(br_ssl_engine_last_error(&cc.eng))) ;
-    tain_now_g() ;
-    if (!sbearssl_x509_minimal_set_tain(&xc, &STAMP))
-      strerr_diefu1sys(111, "initialize validation time") ;
-
-    wstat = sbearssl_run(&cc.eng, fds, pid, verbosity, options, tto) ;
-    if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
-    return wait_estatus(wstat) ;
-  }
-}