diff options
| author | Laurent Bercot <ska-skaware@skarnet.org> | 2017-01-10 02:17:16 +0000 |
|---|---|---|
| committer | Laurent Bercot <ska-skaware@skarnet.org> | 2017-01-10 02:17:16 +0000 |
| commit | 334d807b924427434b42d4fbae745d3d1b38a218 (patch) | |
| tree | 6daf12c1e2fa07d2ac6255ef4439e2fb95a57f57 /src/sbearssl/sbearssl_s6tlsd.c | |
| parent | 43cb3ee4227de70e0225e9ac142b4d397f93cc41 (diff) | |
| download | s6-networking-334d807b924427434b42d4fbae745d3d1b38a218.tar.xz | |
Types fix, first pass
XXX marks what must change when skalibs changes.
Also started writing functions for client certificate support
in sbearssl, but it's not working yet (need more high-level
support from BearSSL before it can work)
Diffstat (limited to 'src/sbearssl/sbearssl_s6tlsd.c')
| -rw-r--r-- | src/sbearssl/sbearssl_s6tlsd.c | 45 |
1 files changed, 42 insertions, 3 deletions
diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c index 6cb3f51..66d0542 100644 --- a/src/sbearssl/sbearssl_s6tlsd.c +++ b/src/sbearssl/sbearssl_s6tlsd.c @@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <unistd.h> #include <errno.h> #include <bearssl.h> @@ -20,9 +21,10 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co sbearssl_skey skey ; genalloc certs = GENALLOC_ZERO ; size_t chainlen ; - - if (preoptions & 1) - strerr_dief1x(100, "client certificates are not supported by BearSSL yet") ; + size_t x500n = 1 ; + size_t x500len = 1 ; + stralloc tastorage = STRALLOC_ZERO ; + genalloc tas = GENALLOC_ZERO ; { char const *x = env_get2(envp, "KEYFILE") ; @@ -44,17 +46,45 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co chainlen = genalloc_len(sbearssl_cert, &certs) ; if (!chainlen) strerr_diefu2x(96, "find a certificate in ", x) ; + + if (preoptions & 1) + { + x = env_get2(envp, "CADIR") ; + if (x) r = sbearssl_ta_readdir(x, &tas, &tastorage) ; + else + { + x = env_get2(envp, "CAFILE") ; + if (!x) strerr_dienotset(100, "CADIR or CAFILE") ; + r = sbearssl_ta_readfile(x, &tas, &tastorage) ; + } + + if (r < 0) + strerr_diefu2sys(111, "read trust anchors in ", x) ; + else if (r) + strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ; + x500n = genalloc_len(sbearssl_ta, &tas) ; + if (!x500n) strerr_dief2x(96, "no trust anchor found in ", x) ; + x500len = sbearssl_x500_name_len(genalloc_s(sbearssl_ta, &tas), x500n) ; + } } { int fds[4] = { 0, 1, 0, 1 } ; unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; + char x500storage[x500len] ; br_ssl_server_context sc ; union br_skey_u key ; br_x509_certificate chain[chainlen] ; + br_x500_name x500names[x500n] ; size_t i = chainlen ; pid_t pid ; + if (preoptions & 1) + { + sbearssl_x500_from_ta(x500names, genalloc_s(sbearssl_ta, &tas), x500n, x500storage, tastorage.s) ; + genalloc_free(sbearssl_ta, &tas) ; + stralloc_free(&tastorage) ; + } stralloc_shrink(&storage) ; while (i--) sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ; @@ -96,6 +126,15 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; + { + uint32_t flags = BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION ; + if (preoptions & 1) + { + br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ; + if (!(preoptions & 4)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ; + } + br_ssl_engine_add_flags(&sc.eng, flags) ; + } br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ; br_ssl_server_reset(&sc) ; tain_now_g() ; |