summaryrefslogtreecommitdiff
path: root/src/stls
diff options
context:
space:
mode:
authorLaurent Bercot <ska-skaware@skarnet.org>2020-11-23 14:25:24 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2020-11-23 14:25:24 +0000
commit564631637bcd238b4c9aad5496aa9e049f948dd9 (patch)
tree970379fee11287430432e18a8f75bb5ddc17990b /src/stls
parentbae11b88357db72b19413cd05c62ac9242b9b597 (diff)
downloads6-networking-564631637bcd238b4c9aad5496aa9e049f948dd9.tar.xz
Fix more bugs; disable renegociation in bearssl client
Diffstat (limited to 'src/stls')
-rw-r--r--src/stls/stls_client_init_and_handshake.c36
-rw-r--r--src/stls/stls_server_init_and_handshake.c23
2 files changed, 27 insertions, 32 deletions
diff --git a/src/stls/stls_client_init_and_handshake.c b/src/stls/stls_client_init_and_handshake.c
index 173942f..f0cc5be 100644
--- a/src/stls/stls_client_init_and_handshake.c
+++ b/src/stls/stls_client_init_and_handshake.c
@@ -22,6 +22,21 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions,
cfg = tls_config_new() ;
if (!cfg) strerr_diefu1sys(111, "tls_config_new") ;
+ if (preoptions & 1)
+ {
+ x = getenv("CERTFILE") ;
+ if (!x) strerr_dienotset(100, "CERTFILE") ;
+ if (tls_config_set_cert_file(cfg, x) < 0)
+ diecfg(cfg, "tls_config_set_cert_file") ;
+
+ x = getenv("KEYFILE") ;
+ if (!x) strerr_dienotset(100, "KEYFILE") ;
+ if (tls_config_set_key_file(cfg, x) < 0)
+ diecfg(cfg, "tls_config_set_key_file") ;
+ }
+
+ stls_drop() ;
+
x = getenv("CADIR") ;
if (x)
{
@@ -36,24 +51,9 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions,
if (tls_config_set_ca_file(cfg, x) < 0)
diecfg(cfg, "tls_config_set_ca_file") ;
}
- else strerr_dief1x(100, "no trust anchor found - please set CADIR or CAFILE") ;
+ else strerr_diefu1x(100, "get trust anchor list: neither CADIR nor CAFILE is set") ;
}
- if (preoptions & 1)
- {
- x = getenv("CERTFILE") ;
- if (!x) strerr_dienotset(100, "CERTFILE") ;
- if (tls_config_set_cert_file(cfg, x) < 0)
- diecfg(cfg, "tls_config_set_cert_file") ;
-
- x = getenv("KEYFILE") ;
- if (!x) strerr_dienotset(100, "KEYFILE") ;
- if (tls_config_set_key_file(cfg, x) < 0)
- diecfg(cfg, "tls_config_set_key_file") ;
- }
-
- stls_drop() ;
-
if (tls_config_set_ciphers(cfg, "secure") < 0)
diecfg(cfg, "tls_config_set_ciphers") ;
@@ -75,8 +75,6 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions,
if (tls_connect_fds(ctx, fds[0], fds[1], servername) < 0)
diectx(97, ctx, "tls_connect_fds") ;
tls_config_free(cfg) ;
- strerr_warn1x("before handshake") ;
- if (tls_handshake(ctx) < 0) diectx(97, ctx, "perform SSL handshake") ;
- strerr_warn1x("after handshake") ;
+ if (tls_handshake(ctx) < 0) diectx(97, ctx, "tls_handshake") ;
return ctx ;
}
diff --git a/src/stls/stls_server_init_and_handshake.c b/src/stls/stls_server_init_and_handshake.c
index 5dd5284..e6869be 100644
--- a/src/stls/stls_server_init_and_handshake.c
+++ b/src/stls/stls_server_init_and_handshake.c
@@ -14,8 +14,8 @@
struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions)
{
- struct tls *cctx ;
- struct tls *ctx ;
+ struct tls *ctx = 0 ;
+ struct tls *sctx ;
struct tls_config *cfg ;
char const *x ;
@@ -70,16 +70,13 @@ struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions)
tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ;
tls_config_prefer_ciphers_server(cfg) ;
- ctx = tls_server() ;
- if (!ctx) strerr_diefu1sys(111, "tls_server") ;
- if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
+ sctx = tls_server() ;
+ if (!sctx) strerr_diefu1sys(111, "tls_server") ;
+ if (tls_configure(sctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
tls_config_free(cfg) ;
- if (tls_accept_fds(ctx, &cctx, fds[0], fds[1]) < 0)
- diectx(97, ctx, "tls_accept_fds") ;
- tls_free(ctx) ;
- strerr_warni1x("before handshake") ;
- if (tls_handshake(cctx) < 0)
- diectx(97, cctx, "perform SSL handshake") ;
- strerr_warni1x("after handshake") ;
- return cctx ;
+ if (tls_accept_fds(sctx, &ctx, fds[0], fds[1]) < 0)
+ diectx(97, sctx, "tls_accept_fds") ;
+ tls_free(sctx) ;
+ if (tls_handshake(ctx) < 0) diectx(97, ctx, "tls_handshake") ;
+ return ctx ;
}