From 5715c21a077ee1c2fe8957cb4adcea14fd2eda6b Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Fri, 20 Nov 2020 23:24:29 +0000 Subject: Refactor tls code to support ucspi-tls That includes: - new architecture: the tls binary is now a child of the app instead of the other way around - the sbearssl_run engine now takes a post-handshake callback. This allows s6-tlsc and s6-tlsd to only exec into the app when the handshake succeeds (which was already the case with libressl). - new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto code; they init and run the engine, connecting to 4 already open fds (stdin/stdout = network, argv[1] and argv[2] = local) - s6-tlsc is now a simple wrapper around s6-tlsc-io - s6-tlsd is now a simple wrapper around s6-tlsd-io - new binary: s6-ucspitlsd, which is also a wrapper around s6-tlsd-io, but differently: the parent execs the app which should be ucspi-tls-aware, the child waits for a command from the parent and execs into s6-tlsd-io if it receives it. --- src/stls/stls_s6tlsd.c | 90 -------------------------------------------------- 1 file changed, 90 deletions(-) delete mode 100644 src/stls/stls_s6tlsd.c (limited to 'src/stls/stls_s6tlsd.c') diff --git a/src/stls/stls_s6tlsd.c b/src/stls/stls_s6tlsd.c deleted file mode 100644 index a791e89..0000000 --- a/src/stls/stls_s6tlsd.c +++ /dev/null @@ -1,90 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include "stls-internal.h" - -#define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg)) -#define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx)) - -int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity) -{ - int fds[5] = { 0, 1, 0, 1 } ; - struct tls *cctx ; - struct tls *ctx ; - struct tls_config *cfg ; - pid_t pid ; - char const *x ; - int wstat ; - - if (tls_init() < 0) strerr_diefu1sys(111, "tls_init") ; - cfg = tls_config_new() ; - if (!cfg) strerr_diefu1sys(111, "tls_config_new") ; - - x = env_get2(envp, "CERTFILE") ; - if (!x) strerr_dienotset(100, "CERTFILE") ; - if (tls_config_set_cert_file(cfg, x) < 0) - diecfg(cfg, "tls_config_set_cert_file") ; - - x = env_get2(envp, "KEYFILE") ; - if (!x) strerr_dienotset(100, "KEYFILE") ; - if (tls_config_set_key_file(cfg, x) < 0) - diecfg(cfg, "tls_config_set_key_file") ; - - if (tls_config_set_ciphers(cfg, "secure") < 0) - diecfg(cfg, "tls_config_set_ciphers") ; - - if (tls_config_set_dheparams(cfg, "auto") < 0) - diecfg(cfg, "tls_config_set_dheparams") ; - - if (tls_config_set_ecdhecurve(cfg, "auto") < 0) - diecfg(cfg, "tls_config_set_ecdhecurve") ; - - if (preoptions & 1) - { - x = env_get2(envp, "CADIR") ; - if (x) - { - if (tls_config_set_ca_path(cfg, x) < 0) - diecfg(cfg, "tls_config_set_ca_path") ; - } - else - { - x = env_get2(envp, "CAFILE") ; - if (x) - { - if (tls_config_set_ca_file(cfg, x) < 0) - diecfg(cfg, "tls_config_set_ca_file") ; - } - else strerr_dienotset(100, "CADIR or CAFILE") ; - } - if (preoptions & 4) tls_config_verify_client(cfg) ; - else tls_config_verify_client_optional(cfg) ; - } - else tls_config_insecure_noverifycert(cfg) ; - - tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ; - tls_config_prefer_ciphers_server(cfg) ; - - ctx = tls_server() ; - if (!ctx) strerr_diefu1sys(111, "tls_server") ; - if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ; - tls_config_free(cfg) ; - - pid = stls_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ; - - if (tls_accept_fds(ctx, &cctx, fds[2], fds[3]) < 0) - diectx(97, ctx, "tls_accept_fds") ; - tls_free(ctx) ; - if (tls_handshake(cctx) < 0) diectx(97, cctx, "perform SSL handshake") ; - - wstat = stls_run(cctx, fds, pid, verbosity, options, tto) ; - if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ; - return wait_estatus(wstat) ; -} -- cgit v1.2.3