summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorLaurent Bercot <ska-skaware@skarnet.org>2017-01-30 19:03:02 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2017-01-30 19:03:02 +0000
commitf85b8a70f3b44510a5cf3895bf7357ae90655f65 (patch)
treef8728e922b1c9d03eb7e2a77bc694bdb98efeae1 /src
parentea6018d600ba0ea3aba54ed41567a73f3a1cd384 (diff)
downloads6-networking-f85b8a70f3b44510a5cf3895bf7357ae90655f65.tar.xz
Delay client cert support, but make s6-networking build against bearssl-0.3
Diffstat (limited to 'src')
-rw-r--r--src/include/s6-networking/sbearssl.h4
-rw-r--r--src/sbearssl/sbearssl_s6tlsc.c2
-rw-r--r--src/sbearssl/sbearssl_s6tlsd.c39
3 files changed, 8 insertions, 37 deletions
diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h
index 785e647..a91eea9 100644
--- a/src/include/s6-networking/sbearssl.h
+++ b/src/include/s6-networking/sbearssl.h
@@ -192,7 +192,7 @@ extern int sbearssl_ta_readfile (char const *, genalloc *, stralloc *) ;
extern int sbearssl_ta_readdir (char const *, genalloc *, stralloc *) ;
extern size_t sbearssl_x500_name_len (sbearssl_ta const *, size_t) ;
-extern void sbearssl_x500_from_ta (br_x500_name *, sbearssl_ta const *, size_t, char *, char const *) ;
+/* extern void sbearssl_x500_from_ta (br_x500_name *, sbearssl_ta const *, size_t, char *, char const *) ; */
/* Errors */
@@ -202,7 +202,7 @@ extern char const *sbearssl_error_str (int) ;
/* Engine */
-extern int sbearssl_run (br_ssl_engine_context *, int *, unsigned int, uint32, tain_t const *) ;
+extern int sbearssl_run (br_ssl_engine_context *, int *, unsigned int, uint32_t, tain_t const *) ;
/* s6-tlsc and s6-tlsd implementations */
diff --git a/src/sbearssl/sbearssl_s6tlsc.c b/src/sbearssl/sbearssl_s6tlsc.c
index 1a0b5f0..c6ca4c1 100644
--- a/src/sbearssl/sbearssl_s6tlsc.c
+++ b/src/sbearssl/sbearssl_s6tlsc.c
@@ -23,7 +23,7 @@ int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t co
size_t talen ;
if (preoptions & 1)
- strerr_dief1x(100, "client certificates are not supported by BearSSL yet") ;
+ strerr_dief1x(100, "client certificates are not supported yet") ;
{
int r ;
diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c
index 66d0542..816d746 100644
--- a/src/sbearssl/sbearssl_s6tlsd.c
+++ b/src/sbearssl/sbearssl_s6tlsd.c
@@ -1,7 +1,6 @@
/* ISC license. */
#include <sys/types.h>
-#include <stdint.h>
#include <unistd.h>
#include <errno.h>
#include <bearssl.h>
@@ -21,10 +20,9 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
sbearssl_skey skey ;
genalloc certs = GENALLOC_ZERO ;
size_t chainlen ;
- size_t x500n = 1 ;
- size_t x500len = 1 ;
- stralloc tastorage = STRALLOC_ZERO ;
- genalloc tas = GENALLOC_ZERO ;
+
+ if (preoptions & 1)
+ strerr_dief1x(100, "client certificates are not supported yet") ;
{
char const *x = env_get2(envp, "KEYFILE") ;
@@ -46,45 +44,17 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
chainlen = genalloc_len(sbearssl_cert, &certs) ;
if (!chainlen)
strerr_diefu2x(96, "find a certificate in ", x) ;
-
- if (preoptions & 1)
- {
- x = env_get2(envp, "CADIR") ;
- if (x) r = sbearssl_ta_readdir(x, &tas, &tastorage) ;
- else
- {
- x = env_get2(envp, "CAFILE") ;
- if (!x) strerr_dienotset(100, "CADIR or CAFILE") ;
- r = sbearssl_ta_readfile(x, &tas, &tastorage) ;
- }
-
- if (r < 0)
- strerr_diefu2sys(111, "read trust anchors in ", x) ;
- else if (r)
- strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ;
- x500n = genalloc_len(sbearssl_ta, &tas) ;
- if (!x500n) strerr_dief2x(96, "no trust anchor found in ", x) ;
- x500len = sbearssl_x500_name_len(genalloc_s(sbearssl_ta, &tas), x500n) ;
- }
}
{
int fds[4] = { 0, 1, 0, 1 } ;
unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
- char x500storage[x500len] ;
br_ssl_server_context sc ;
union br_skey_u key ;
br_x509_certificate chain[chainlen] ;
- br_x500_name x500names[x500n] ;
size_t i = chainlen ;
pid_t pid ;
- if (preoptions & 1)
- {
- sbearssl_x500_from_ta(x500names, genalloc_s(sbearssl_ta, &tas), x500n, x500storage, tastorage.s) ;
- genalloc_free(sbearssl_ta, &tas) ;
- stralloc_free(&tastorage) ;
- }
stralloc_shrink(&storage) ;
while (i--)
sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ;
@@ -130,11 +100,12 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
uint32_t flags = BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION ;
if (preoptions & 1)
{
- br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ;
+ /* br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ; */
if (!(preoptions & 4)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ;
}
br_ssl_engine_add_flags(&sc.eng, flags) ;
}
+
br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ;
br_ssl_server_reset(&sc) ;
tain_now_g() ;