diff options
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | doc/index.html | 2 | ||||
-rw-r--r-- | doc/s6-tlsd-io.html | 6 | ||||
-rw-r--r-- | doc/upgrade.html | 9 | ||||
-rw-r--r-- | package/deps.mak | 9 | ||||
-rw-r--r-- | package/info | 2 | ||||
-rw-r--r-- | src/include/s6-networking/sbearssl.h | 5 | ||||
-rw-r--r-- | src/sbearssl/deps-lib/sbearssl | 3 | ||||
-rw-r--r-- | src/sbearssl/sbearssl-internal.h | 3 | ||||
-rw-r--r-- | src/sbearssl/sbearssl_client_init_and_run.c | 82 | ||||
-rw-r--r-- | src/sbearssl/sbearssl_get_keycert.c | 36 | ||||
-rw-r--r-- | src/sbearssl/sbearssl_get_tas.c | 33 | ||||
-rw-r--r-- | src/sbearssl/sbearssl_server_init_and_run.c | 64 | ||||
-rw-r--r-- | src/sbearssl/sbearssl_x509_minimal_init_with_engine.c | 25 | ||||
-rw-r--r-- | src/stls/stls_send_environment.c | 31 |
15 files changed, 225 insertions, 91 deletions
@@ -1,5 +1,11 @@ Changelog for s6-networking. +In 2.4.2.0 +---------- + + - Actual server-side support for client certificates with BearSSL + + In 2.4.1.1 ---------- diff --git a/doc/index.html b/doc/index.html index 727b9e9..221a65b 100644 --- a/doc/index.html +++ b/doc/index.html @@ -91,7 +91,7 @@ run-time requirement if you link against its shared version. </li> <ul> <li> The current released version of s6-networking is -<a href="s6-networking-2.4.1.1.tar.gz">2.4.1.1</a>. </li> +<a href="s6-networking-2.4.2.0.tar.gz">2.4.2.0</a>. </li> <li> Alternatively, you can checkout a copy of the <a href="//git.skarnet.org/cgi-bin/cgit.cgi/s6-networking/">s6-networking git repository</a>: diff --git a/doc/s6-tlsd-io.html b/doc/s6-tlsd-io.html index 807c982..29f75c3 100644 --- a/doc/s6-tlsd-io.html +++ b/doc/s6-tlsd-io.html @@ -188,8 +188,10 @@ no effect. </li> and break the connection when receiving a local EOF. </li> <li> <tt>-s</tt> : transmit EOF by half-closing the TCP connection without using <tt>close_notify</tt>. This is the default. </li> - <li> <tt>-Y</tt> : Do not send a client certificate. This is the default. </li> - <li> <tt>-y</tt> : Send a client certificate. </li> + <li> <tt>-Y</tt> : Require an optional client certificate. </li> + <li> <tt>-y</tt> : Require a mandatory client certificate. +The default, with neither the <tt>-Y</tt> nor the <tt>-y</tt> option, +is not to require a client certificate at all. </li> <li> <tt>-K <em>kimeout</em></tt> : if the peer fails to send data for <em>kimeout</em> milliseconds during the handshake, close the connection. The default is 0, which means infinite timeout diff --git a/doc/upgrade.html b/doc/upgrade.html index 400c014..f174e74 100644 --- a/doc/upgrade.html +++ b/doc/upgrade.html @@ -18,7 +18,14 @@ <h1> What has changed in s6-networking </h1> -<h2> in 2.4.1.0 </h2> +<h2> in 2.4.2.0 </h2> + +<ul> + <li> Client certificates are now properly supported in +<a href="s6-tlsd-io.html">s6-tlsd-io</a>. </li> +</ul> + +<h2> in 2.4.1.1 </h2> <ul> <li> <a href="//skarnet.org/software/skalibs/">skalibs</a> diff --git a/package/deps.mak b/package/deps.mak index 145adca..472b9fd 100644 --- a/package/deps.mak +++ b/package/deps.mak @@ -40,6 +40,8 @@ src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_pkey_to.lo: src/sbea src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_from.lo: src/sbearssl/sbearssl_ec_skey_from.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_ec_skey_to.lo: src/sbearssl/sbearssl_ec_skey_to.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_error_str.lo: src/sbearssl/sbearssl_error_str.c src/include/s6-networking/sbearssl.h +src/sbearssl/sbearssl_get_keycert.o src/sbearssl/sbearssl_get_keycert.lo: src/sbearssl/sbearssl_get_keycert.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h +src/sbearssl/sbearssl_get_tas.o src/sbearssl/sbearssl_get_tas.lo: src/sbearssl/sbearssl_get_tas.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_isder.lo: src/sbearssl/sbearssl_isder.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_buffer.lo: src/sbearssl/sbearssl_pem_decode_from_buffer.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_decode_from_string.lo: src/sbearssl/sbearssl_pem_decode_from_string.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h @@ -67,6 +69,7 @@ src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_readfile.lo: src/sb src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_ta_to.lo: src/sbearssl/sbearssl_ta_to.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x500_from_ta.lo: src/sbearssl/sbearssl_x500_from_ta.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x500_name_len.lo: src/sbearssl/sbearssl_x500_name_len.c src/include/s6-networking/sbearssl.h +src/sbearssl/sbearssl_x509_minimal_init_with_engine.o src/sbearssl/sbearssl_x509_minimal_init_with_engine.lo: src/sbearssl/sbearssl_x509_minimal_init_with_engine.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_x509_minimal_set_tai.lo: src/sbearssl/sbearssl_x509_minimal_set_tai.c src/include/s6-networking/sbearssl.h src/stls/stls_client_init_and_handshake.o src/stls/stls_client_init_and_handshake.lo: src/stls/stls_client_init_and_handshake.c src/include/s6-networking/stls.h src/stls/stls-internal.h src/stls/stls_drop.o src/stls/stls_drop.lo: src/stls/stls_drop.c src/stls/stls-internal.h @@ -129,12 +132,12 @@ libs6net.so.xyzzy: src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_r minidentd: EXTRA_LIBS := -lskarnet ${MAYBEPTHREAD_LIB} ${SOCKET_LIB} ${SYSCLOCK_LIB} minidentd: src/minidentd/minidentd.o src/minidentd/mgetuid.o ${LIBNSSS} ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),) -libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_drop.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_send_environment.o src/sbearssl/sbearssl_server_init_and_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_suite_bits.o src/sbearssl/sbearssl_suite_list.o src/sbearssl/sbearssl_suite_name.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x509_minimal_set_tai.o +libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_drop.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_get_keycert.o src/sbearssl/sbearssl_get_tas.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_send_environment.o src/sbearssl/sbearssl_server_init_and_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_suite_bits.o src/sbearssl/sbearssl_suite_list.o src/sbearssl/sbearssl_suite_name.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x509_minimal_init_with_engine.o src/sbearssl/sbearssl_x509_minimal_set_tai.o else -libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo +libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_init_with_engine.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo endif libsbearssl.so.xyzzy: EXTRA_LIBS := -lbearssl -lskarnet -libsbearssl.so.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo +libsbearssl.so.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_init_with_engine.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),) libstls.a.xyzzy: src/stls/stls_drop.o src/stls/stls_handshake.o src/stls/stls_run.o src/stls/stls_client_init_and_handshake.o src/stls/stls_server_init_and_handshake.o src/stls/stls_send_environment.o else diff --git a/package/info b/package/info index 9f79b32..342e4dd 100644 --- a/package/info +++ b/package/info @@ -1,4 +1,4 @@ package=s6-networking -version=2.4.1.1 +version=2.4.2.0 category=net package_macro_name=S6_NETWORKING diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h index 5527696..e473e12 100644 --- a/src/include/s6-networking/sbearssl.h +++ b/src/include/s6-networking/sbearssl.h @@ -30,8 +30,13 @@ /* Utility functions */ extern int sbearssl_isder (unsigned char const *, size_t) ; + + + /* x509 QoL functions */ + extern int sbearssl_x509_minimal_set_tai (br_x509_minimal_context *, tai_t const *) ; #define sbearssl_x509_minimal_set_tain(ctx, a) sbearssl_x509_minimal_set_tai(ctx, tain_secp(a)) +extern void sbearssl_x509_minimal_init_with_engine (br_x509_minimal_context *, br_ssl_engine_context *, br_x509_trust_anchor const *, size_t) ; /* Cipher suites */ diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl index dfa4f29..a1ccbb7 100644 --- a/src/sbearssl/deps-lib/sbearssl +++ b/src/sbearssl/deps-lib/sbearssl @@ -11,6 +11,8 @@ sbearssl_ec_pkey_to.o sbearssl_ec_skey_from.o sbearssl_ec_skey_to.o sbearssl_error_str.o +sbearssl_get_keycert.o +sbearssl_get_tas.o sbearssl_isder.o sbearssl_pem_decode_from_buffer.o sbearssl_pem_decode_from_string.o @@ -38,6 +40,7 @@ sbearssl_ta_readfile.o sbearssl_ta_to.o sbearssl_x500_name_len.o sbearssl_x500_from_ta.o +sbearssl_x509_minimal_init_with_engine.o sbearssl_x509_minimal_set_tai.o -lbearssl -lskarnet diff --git a/src/sbearssl/sbearssl-internal.h b/src/sbearssl/sbearssl-internal.h index bfaad73..21a28d7 100644 --- a/src/sbearssl/sbearssl-internal.h +++ b/src/sbearssl/sbearssl-internal.h @@ -65,6 +65,9 @@ struct sbearssl_suiteinfo_s uint16_t bits ; } ; +extern size_t sbearssl_get_tas (genalloc *, stralloc *) ; +extern size_t sbearssl_get_keycert (sbearssl_skey *, genalloc *, stralloc *) ; + extern void sbearssl_drop (void) ; extern void sbearssl_append (void *, void const *, size_t) ; extern int sbearssl_pem_push (br_pem_decoder_context *, char const *, size_t, sbearssl_pemobject *, genalloc *, sbearssl_strallocerr *, int *) ; diff --git a/src/sbearssl/sbearssl_client_init_and_run.c b/src/sbearssl/sbearssl_client_init_and_run.c index d7bedec..db68096 100644 --- a/src/sbearssl/sbearssl_client_init_and_run.c +++ b/src/sbearssl/sbearssl_client_init_and_run.c @@ -15,50 +15,64 @@ void sbearssl_client_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, char const *servername, sbearssl_handshake_cb_t_ref cb, unsigned int notif) { + sbearssl_skey skey ; + genalloc certs = GENALLOC_ZERO ; /* sbearssl_cert */ + genalloc tas = GENALLOC_ZERO ; /* sbearssl_ta */ stralloc storage = STRALLOC_ZERO ; - genalloc tas = GENALLOC_ZERO ; - size_t talen ; - - if (preoptions & 1) - strerr_dief1x(100, "client certificates are not supported yet") ; - - { - int r ; - char const *x = getenv("CADIR") ; - if (x) - r = sbearssl_ta_readdir(x, &tas, &storage) ; - else - { - x = getenv("CAFILE") ; - if (!x) strerr_dienotset(100, "CADIR or CAFILE") ; - r = sbearssl_ta_readfile(x, &tas, &storage) ; - } - - if (r < 0) - strerr_diefu2sys(111, "read trust anchors in ", x) ; - else if (r) - strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ; - - talen = genalloc_len(sbearssl_ta, &tas) ; - if (!talen) - strerr_dief2x(96, "no trust anchor found in ", x) ; - } + size_t chainlen = preoptions & 1 ? sbearssl_get_keycert(&skey, &certs, &storage) : 0 ; + size_t n = sbearssl_get_tas(&tas, &storage) ; sbearssl_drop() ; + stralloc_shrink(&storage) ; { sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ; - unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; - br_x509_minimal_context xc ; + union br_skey_u key ; br_ssl_client_context cc ; - br_x509_trust_anchor btas[talen] ; - size_t i = talen ; + br_x509_minimal_context xc ; + br_x509_certificate chain[chainlen ? chainlen : 1] ; + br_x509_trust_anchor btas[n] ; + unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; + + for (size_t i = 0 ; i < chainlen ; i++) + sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ; + genalloc_free(sbearssl_cert, &certs) ; - stralloc_shrink(&storage) ; - while (i--) + for (size_t i = 0 ; i < n ; i++) sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ; genalloc_free(sbearssl_ta, &tas) ; - br_ssl_client_init_full(&cc, &xc, btas, talen) ; + + br_ssl_client_init_full(&cc, &xc, btas, n) ; + + if (chainlen) + { + switch (skey.type) + { + case BR_KEYTYPE_RSA : + sbearssl_rsa_skey_to(&skey.data.rsa, &key.rsa, storage.s) ; + br_ssl_client_set_single_rsa(&cc, chain, chainlen, &key.rsa, br_rsa_pkcs1_sign_get_default()) ; + break ; + case BR_KEYTYPE_EC : + { + int kt, r ; + sbearssl_ec_skey_to(&skey.data.ec, &key.ec, storage.s) ; + r = sbearssl_ec_issuer_keytype(&kt, &chain[0]) ; + switch (r) + { + case -2 : strerr_dief1x(96, "certificate issuer key type not recognized") ; + case -1 : strerr_diefu1sys(111, "get certificate issuer key type") ; + case 0 : break ; + default : strerr_diefu3x(96, "get certificate issuer key type", ": ", sbearssl_error_str(r)) ; + } + + br_ssl_client_set_single_ec(&cc, chain, chainlen, &key.ec, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, kt, br_ec_get_default(), br_ecdsa_sign_asn1_get_default()) ; + break ; + } + default : + strerr_dief1x(96, "unsupported private key type") ; + } + } + br_ssl_engine_add_flags(&cc.eng, BR_OPT_NO_RENEGOTIATION) ; random_string((char *)buf, 32) ; random_finish() ; diff --git a/src/sbearssl/sbearssl_get_keycert.c b/src/sbearssl/sbearssl_get_keycert.c new file mode 100644 index 0000000..96e826c --- /dev/null +++ b/src/sbearssl/sbearssl_get_keycert.c @@ -0,0 +1,36 @@ +/* ISC license. */ + +#include <stdlib.h> + +#include <skalibs/strerr2.h> +#include <skalibs/stralloc.h> +#include <skalibs/genalloc.h> + +#include <s6-networking/sbearssl.h> +#include "sbearssl-internal.h" + +size_t sbearssl_get_keycert (sbearssl_skey *skey, genalloc *certs, stralloc *storage) +{ + size_t chainlen ; + int r ; + char const *x = getenv("CERTFILE") ; + if (!x) strerr_dienotset(100, "CERTFILE") ; + r = sbearssl_cert_readbigpem(x, certs, storage) ; + if (r < 0) + strerr_diefu2sys(111, "read certificate chain in ", x) ; + else if (r) + strerr_diefu4sys(96, "read certificate chain in ", x, ": ", sbearssl_error_str(r)) ; + chainlen = genalloc_len(sbearssl_cert, certs) ; + if (!chainlen) + strerr_diefu2x(96, "find a certificate in ", x) ; + + x = getenv("KEYFILE") ; + if (!x) strerr_dienotset(100, "KEYFILE") ; + r = sbearssl_skey_readfile(x, skey, storage) ; + if (r < 0) + strerr_diefu2sys(111, "read private key in ", x) ; + else if (r) + strerr_diefu4x(96, "decode private key in ", x, ": ", sbearssl_error_str(r)) ; + + return chainlen ; +} diff --git a/src/sbearssl/sbearssl_get_tas.c b/src/sbearssl/sbearssl_get_tas.c new file mode 100644 index 0000000..aa8f63b --- /dev/null +++ b/src/sbearssl/sbearssl_get_tas.c @@ -0,0 +1,33 @@ +/* ISC license. */ + +#include <stdlib.h> + +#include <skalibs/strerr2.h> +#include <skalibs/stralloc.h> +#include <skalibs/genalloc.h> + +#include <s6-networking/sbearssl.h> +#include "sbearssl-internal.h" + +size_t sbearssl_get_tas (genalloc *tas, stralloc *storage) +{ + size_t talen ; + int r ; + char const *x = getenv("CADIR") ; + if (x) r = sbearssl_ta_readdir(x, tas, storage) ; + else + { + x = getenv("CAFILE") ; + if (!x) strerr_dienotset(100, "CADIR or CAFILE") ; + r = sbearssl_ta_readfile(x, tas, storage) ; + } + + if (r < 0) + strerr_diefu2sys(111, "read trust anchors in ", x) ; + else if (r) + strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ; + + talen = genalloc_len(sbearssl_ta, tas) ; + if (!talen) strerr_dief2x(96, "no trust anchor found in ", x) ; + return talen ; +} diff --git a/src/sbearssl/sbearssl_server_init_and_run.c b/src/sbearssl/sbearssl_server_init_and_run.c index a7ae22b..e6df30e 100644 --- a/src/sbearssl/sbearssl_server_init_and_run.c +++ b/src/sbearssl/sbearssl_server_init_and_run.c @@ -15,51 +15,33 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, sbearssl_handshake_cb_t_ref cb, unsigned int notif) { - stralloc storage = STRALLOC_ZERO ; sbearssl_skey skey ; - genalloc certs = GENALLOC_ZERO ; - size_t chainlen ; - - if (preoptions & 1) - strerr_dief1x(100, "client certificates are not supported yet") ; - - { - char const *x = getenv("KEYFILE") ; - int r ; - if (!x) strerr_dienotset(100, "KEYFILE") ; - r = sbearssl_skey_readfile(x, &skey, &storage) ; - if (r < 0) - strerr_diefu2sys(111, "read private key in ", x) ; - else if (r) - strerr_diefu4x(96, "decode private key in ", x, ": ", sbearssl_error_str(r)) ; - - x = getenv("CERTFILE") ; - if (!x) strerr_dienotset(100, "CERTFILE") ; - r = sbearssl_cert_readbigpem(x, &certs, &storage) ; - if (r < 0) - strerr_diefu2sys(111, "read certificate chain in ", x) ; - else if (r) - strerr_diefu4sys(96, "read certificate chain in ", x, ": ", sbearssl_error_str(r)) ; - chainlen = genalloc_len(sbearssl_cert, &certs) ; - if (!chainlen) - strerr_diefu2x(96, "find a certificate in ", x) ; - } + genalloc certs = GENALLOC_ZERO ; /* sbearssl_cert */ + genalloc tas = GENALLOC_ZERO ; /* sbearssl_ta */ + stralloc storage = STRALLOC_ZERO ; + size_t chainlen = sbearssl_get_keycert(&skey, &certs, &storage) ; + size_t n = preoptions & 1 ? sbearssl_get_tas(&tas, &storage) : 0 ; sbearssl_drop() ; + stralloc_shrink(&storage) ; { sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ; - unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; - br_ssl_server_context sc ; union br_skey_u key ; + br_ssl_server_context sc ; + br_x509_minimal_context xc ; br_x509_certificate chain[chainlen] ; - size_t i = chainlen ; + br_x509_trust_anchor btas[n ? n : 1] ; + unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; - stralloc_shrink(&storage) ; - while (i--) + for (size_t i = 0 ; i < chainlen ; i++) sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ; genalloc_free(sbearssl_cert, &certs) ; + for (size_t i = 0 ; i < n ; i++) + sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ; + genalloc_free(sbearssl_ta, &tas) ; + switch (skey.type) { case BR_KEYTYPE_RSA : @@ -82,19 +64,23 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti break ; } default : - strerr_dief1x(96, "unsupported private key type") ; + strerr_dief1x(96, "unsupported private key type") ; } { uint32_t flags = BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION ; - if (preoptions & 1) - { - /* br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ; */ - if (!(preoptions & 2)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ; - } + if (!(preoptions & 2)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ; br_ssl_engine_add_flags(&sc.eng, flags) ; } + if (n) + { + sbearssl_x509_minimal_init_with_engine(&xc, &sc.eng, btas, n) ; + if (!sbearssl_x509_minimal_set_tain(&xc, &STAMP)) + strerr_diefu1sys(111, "initialize validation time") ; + br_ssl_server_set_trust_anchor_names_alt(&sc, btas, n) ; + } + random_string((char *)buf, 32) ; random_finish() ; br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ; diff --git a/src/sbearssl/sbearssl_x509_minimal_init_with_engine.c b/src/sbearssl/sbearssl_x509_minimal_init_with_engine.c new file mode 100644 index 0000000..1b5c7a5 --- /dev/null +++ b/src/sbearssl/sbearssl_x509_minimal_init_with_engine.c @@ -0,0 +1,25 @@ +/* ISC license. */ + +#include <bearssl.h> + +#include <s6-networking/sbearssl.h> + +void sbearssl_x509_minimal_init_with_engine (br_x509_minimal_context *xc, br_ssl_engine_context *eng, br_x509_trust_anchor const *btas, size_t n) +{ + static const br_hash_class *hashes[] = + { + &br_md5_vtable, + &br_sha1_vtable, + &br_sha224_vtable, + &br_sha256_vtable, + &br_sha384_vtable, + &br_sha512_vtable + } ; + + br_x509_minimal_init(xc, &br_sha256_vtable, btas, n) ; + br_x509_minimal_set_rsa(xc, br_ssl_engine_get_rsavrfy(eng)) ; + br_x509_minimal_set_ecdsa(xc, br_ssl_engine_get_ec(eng), br_ssl_engine_get_ecdsa(eng)) ; + for (unsigned int id = br_md5_ID ; id <= br_sha512_ID ; id++) + br_x509_minimal_set_hash(xc, id, hashes[id-1]) ; + br_ssl_engine_set_x509(eng, &xc->vtable) ; +} diff --git a/src/stls/stls_send_environment.c b/src/stls/stls_send_environment.c index c7cb9c7..ab7fba2 100644 --- a/src/stls/stls_send_environment.c +++ b/src/stls/stls_send_environment.c @@ -9,9 +9,22 @@ #include <s6-networking/stls.h> +static int add (buffer *b, int h, char const *key, char const *value) +{ + if (buffer_puts(b, key) < 0) return 0 ; + if (h && value && value[0]) + { + if (buffer_put(b, "=", 1) < 0 + || buffer_puts(b, value) < 0) + return 0 ; + } + if (buffer_put(b, "", 1) < 0) return 0 ; + return 1 ; +} + + int stls_send_environment (struct tls *ctx, int fd) { - char const *name = tls_conn_servername(ctx) ; char buf[4096] ; buffer b = BUFFER_INIT(&buffer_write, fd, buf, 4096) ; if (buffer_puts(&b, "SSL_PROTOCOL=") < 0 @@ -19,15 +32,13 @@ int stls_send_environment (struct tls *ctx, int fd) || buffer_put(&b, "", 1) < 0 || buffer_puts(&b, "SSL_CIPHER=") < 0 || buffer_puts(&b, tls_conn_cipher(ctx)) < 0 - || buffer_put(&b, "", 1) < 0 - || buffer_puts(&b, "SSL_TLS_SNI_SERVERNAME") < 0) + || buffer_put(&b, "", 1) < 0) return 0 ; - if (name && name[0]) - { - if (buffer_put(&b, "=", 1) < 0 - || buffer_puts(&b, name) < 0) - return 0 ; - } - if (buffer_putflush(&b, "\0", 2) < 0) return 0 ; + + if (!add(&b, 1, "SSL_TLS_SNI_SERVERNAME", tls_conn_servername(ctx))) return 0 ; + if (!add(&b, tls_peer_cert_provided(ctx), "SSL_PEER_CERT_HASH", tls_peer_cert_hash(ctx))) return 0 ; + if (!add(&b, tls_peer_cert_provided(ctx), "SSL_PEER_CERT_SUBJECT", tls_peer_cert_subject(ctx))) return 0 ; + + if (buffer_putflush(&b, "", 1) < 0) return 0 ; return 1 ; } |