diff options
author | Laurent Bercot <ska-skaware@skarnet.org> | 2020-11-23 14:25:24 +0000 |
---|---|---|
committer | Laurent Bercot <ska-skaware@skarnet.org> | 2020-11-23 14:25:24 +0000 |
commit | 564631637bcd238b4c9aad5496aa9e049f948dd9 (patch) | |
tree | 970379fee11287430432e18a8f75bb5ddc17990b /src/stls | |
parent | bae11b88357db72b19413cd05c62ac9242b9b597 (diff) | |
download | s6-networking-564631637bcd238b4c9aad5496aa9e049f948dd9.tar.xz |
Fix more bugs; disable renegociation in bearssl client
Diffstat (limited to 'src/stls')
-rw-r--r-- | src/stls/stls_client_init_and_handshake.c | 36 | ||||
-rw-r--r-- | src/stls/stls_server_init_and_handshake.c | 23 |
2 files changed, 27 insertions, 32 deletions
diff --git a/src/stls/stls_client_init_and_handshake.c b/src/stls/stls_client_init_and_handshake.c index 173942f..f0cc5be 100644 --- a/src/stls/stls_client_init_and_handshake.c +++ b/src/stls/stls_client_init_and_handshake.c @@ -22,6 +22,21 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions, cfg = tls_config_new() ; if (!cfg) strerr_diefu1sys(111, "tls_config_new") ; + if (preoptions & 1) + { + x = getenv("CERTFILE") ; + if (!x) strerr_dienotset(100, "CERTFILE") ; + if (tls_config_set_cert_file(cfg, x) < 0) + diecfg(cfg, "tls_config_set_cert_file") ; + + x = getenv("KEYFILE") ; + if (!x) strerr_dienotset(100, "KEYFILE") ; + if (tls_config_set_key_file(cfg, x) < 0) + diecfg(cfg, "tls_config_set_key_file") ; + } + + stls_drop() ; + x = getenv("CADIR") ; if (x) { @@ -36,24 +51,9 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions, if (tls_config_set_ca_file(cfg, x) < 0) diecfg(cfg, "tls_config_set_ca_file") ; } - else strerr_dief1x(100, "no trust anchor found - please set CADIR or CAFILE") ; + else strerr_diefu1x(100, "get trust anchor list: neither CADIR nor CAFILE is set") ; } - if (preoptions & 1) - { - x = getenv("CERTFILE") ; - if (!x) strerr_dienotset(100, "CERTFILE") ; - if (tls_config_set_cert_file(cfg, x) < 0) - diecfg(cfg, "tls_config_set_cert_file") ; - - x = getenv("KEYFILE") ; - if (!x) strerr_dienotset(100, "KEYFILE") ; - if (tls_config_set_key_file(cfg, x) < 0) - diecfg(cfg, "tls_config_set_key_file") ; - } - - stls_drop() ; - if (tls_config_set_ciphers(cfg, "secure") < 0) diecfg(cfg, "tls_config_set_ciphers") ; @@ -75,8 +75,6 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions, if (tls_connect_fds(ctx, fds[0], fds[1], servername) < 0) diectx(97, ctx, "tls_connect_fds") ; tls_config_free(cfg) ; - strerr_warn1x("before handshake") ; - if (tls_handshake(ctx) < 0) diectx(97, ctx, "perform SSL handshake") ; - strerr_warn1x("after handshake") ; + if (tls_handshake(ctx) < 0) diectx(97, ctx, "tls_handshake") ; return ctx ; } diff --git a/src/stls/stls_server_init_and_handshake.c b/src/stls/stls_server_init_and_handshake.c index 5dd5284..e6869be 100644 --- a/src/stls/stls_server_init_and_handshake.c +++ b/src/stls/stls_server_init_and_handshake.c @@ -14,8 +14,8 @@ struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions) { - struct tls *cctx ; - struct tls *ctx ; + struct tls *ctx = 0 ; + struct tls *sctx ; struct tls_config *cfg ; char const *x ; @@ -70,16 +70,13 @@ struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions) tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ; tls_config_prefer_ciphers_server(cfg) ; - ctx = tls_server() ; - if (!ctx) strerr_diefu1sys(111, "tls_server") ; - if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ; + sctx = tls_server() ; + if (!sctx) strerr_diefu1sys(111, "tls_server") ; + if (tls_configure(sctx, cfg) < 0) diectx(97, ctx, "tls_configure") ; tls_config_free(cfg) ; - if (tls_accept_fds(ctx, &cctx, fds[0], fds[1]) < 0) - diectx(97, ctx, "tls_accept_fds") ; - tls_free(ctx) ; - strerr_warni1x("before handshake") ; - if (tls_handshake(cctx) < 0) - diectx(97, cctx, "perform SSL handshake") ; - strerr_warni1x("after handshake") ; - return cctx ; + if (tls_accept_fds(sctx, &ctx, fds[0], fds[1]) < 0) + diectx(97, sctx, "tls_accept_fds") ; + tls_free(sctx) ; + if (tls_handshake(ctx) < 0) diectx(97, ctx, "tls_handshake") ; + return ctx ; } |