From f85b8a70f3b44510a5cf3895bf7357ae90655f65 Mon Sep 17 00:00:00 2001
From: Laurent Bercot <ska-skaware@skarnet.org>
Date: Mon, 30 Jan 2017 19:03:02 +0000
Subject:  Delay client cert support, but make s6-networking build against
 bearssl-0.3

---
 src/include/s6-networking/sbearssl.h |  4 ++--
 src/sbearssl/sbearssl_s6tlsc.c       |  2 +-
 src/sbearssl/sbearssl_s6tlsd.c       | 39 +++++-------------------------------
 3 files changed, 8 insertions(+), 37 deletions(-)

diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h
index 785e647..a91eea9 100644
--- a/src/include/s6-networking/sbearssl.h
+++ b/src/include/s6-networking/sbearssl.h
@@ -192,7 +192,7 @@ extern int sbearssl_ta_readfile (char const *, genalloc *, stralloc *) ;
 extern int sbearssl_ta_readdir (char const *, genalloc *, stralloc *) ;
 
 extern size_t sbearssl_x500_name_len (sbearssl_ta const *, size_t) ;
-extern void sbearssl_x500_from_ta (br_x500_name *, sbearssl_ta const *, size_t, char *, char const *) ;
+/* extern void sbearssl_x500_from_ta (br_x500_name *, sbearssl_ta const *, size_t, char *, char const *) ; */
 
 
  /* Errors */
@@ -202,7 +202,7 @@ extern char const *sbearssl_error_str (int) ;
 
  /* Engine */
 
-extern int sbearssl_run (br_ssl_engine_context *, int *, unsigned int, uint32, tain_t const *) ;
+extern int sbearssl_run (br_ssl_engine_context *, int *, unsigned int, uint32_t, tain_t const *) ;
 
 
  /* s6-tlsc and s6-tlsd implementations */
diff --git a/src/sbearssl/sbearssl_s6tlsc.c b/src/sbearssl/sbearssl_s6tlsc.c
index 1a0b5f0..c6ca4c1 100644
--- a/src/sbearssl/sbearssl_s6tlsc.c
+++ b/src/sbearssl/sbearssl_s6tlsc.c
@@ -23,7 +23,7 @@ int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t co
   size_t talen ;
 
   if (preoptions & 1)
-    strerr_dief1x(100, "client certificates are not supported by BearSSL yet") ;
+    strerr_dief1x(100, "client certificates are not supported yet") ;
 
   {
     int r ;
diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c
index 66d0542..816d746 100644
--- a/src/sbearssl/sbearssl_s6tlsd.c
+++ b/src/sbearssl/sbearssl_s6tlsd.c
@@ -1,7 +1,6 @@
 /* ISC license. */
 
 #include <sys/types.h>
-#include <stdint.h>
 #include <unistd.h>
 #include <errno.h>
 #include <bearssl.h>
@@ -21,10 +20,9 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
   sbearssl_skey skey ;
   genalloc certs = GENALLOC_ZERO ;
   size_t chainlen ;
-  size_t x500n = 1 ;
-  size_t x500len = 1 ;
-  stralloc tastorage = STRALLOC_ZERO ;
-  genalloc tas = GENALLOC_ZERO ;
+
+  if (preoptions & 1)
+    strerr_dief1x(100, "client certificates are not supported yet") ;
 
   {
     char const *x = env_get2(envp, "KEYFILE") ;
@@ -46,45 +44,17 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
     chainlen = genalloc_len(sbearssl_cert, &certs) ;
     if (!chainlen)
       strerr_diefu2x(96, "find a certificate in ", x) ;
-
-    if (preoptions & 1)
-    {
-      x = env_get2(envp, "CADIR") ;
-      if (x) r = sbearssl_ta_readdir(x, &tas, &tastorage) ;
-      else
-      {
-        x = env_get2(envp, "CAFILE") ;
-        if (!x) strerr_dienotset(100, "CADIR or CAFILE") ;
-        r = sbearssl_ta_readfile(x, &tas, &tastorage) ;
-      }
-
-      if (r < 0)
-        strerr_diefu2sys(111, "read trust anchors in ", x) ;
-      else if (r)
-        strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ;
-      x500n = genalloc_len(sbearssl_ta, &tas) ;
-      if (!x500n) strerr_dief2x(96, "no trust anchor found in ", x) ;
-      x500len = sbearssl_x500_name_len(genalloc_s(sbearssl_ta, &tas), x500n) ;
-    }
   }
 
   {
     int fds[4] = { 0, 1, 0, 1 } ;
     unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
-    char x500storage[x500len] ;
     br_ssl_server_context sc ;
     union br_skey_u key ;
     br_x509_certificate chain[chainlen] ;
-    br_x500_name x500names[x500n] ;
     size_t i = chainlen ;
     pid_t pid ;
 
-    if (preoptions & 1)
-    {
-      sbearssl_x500_from_ta(x500names, genalloc_s(sbearssl_ta, &tas), x500n, x500storage, tastorage.s) ;
-      genalloc_free(sbearssl_ta, &tas) ;
-      stralloc_free(&tastorage) ;
-    }
     stralloc_shrink(&storage) ;
     while (i--)
       sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ;
@@ -130,11 +100,12 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
       uint32_t flags = BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION ;
       if (preoptions & 1)
       {
-        br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ;
+        /* br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ; */
         if (!(preoptions & 4)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ;
       }
       br_ssl_engine_add_flags(&sc.eng, flags) ;
     }
+
     br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ;
     br_ssl_server_reset(&sc) ;
     tain_now_g() ;
-- 
cgit v1.2.3