From 880f2a22304b393b43397c3ec8de83052a2584ce Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Thu, 1 Dec 2016 02:24:09 +0000 Subject: Fix several bugs in stls, make the engine work --- src/conn-tools/deps-exe/s6-tlsc | 1 + src/conn-tools/deps-exe/s6-tlsd | 1 + src/sbearssl/sbearssl_run.c | 10 --------- src/stls/stls_run.c | 47 +++++++++++++++++++++++------------------ src/stls/stls_s6tlsc.c | 15 +++++++++++-- src/stls/stls_s6tlsd.c | 4 ++-- 6 files changed, 43 insertions(+), 35 deletions(-) (limited to 'src') diff --git a/src/conn-tools/deps-exe/s6-tlsc b/src/conn-tools/deps-exe/s6-tlsc index 5ae8124..953d34f 100644 --- a/src/conn-tools/deps-exe/s6-tlsc +++ b/src/conn-tools/deps-exe/s6-tlsc @@ -3,4 +3,5 @@ ${LIBS6NET} -lskarnet ${CRYPTO_LIB} ${SOCKET_LIB} +${SPAWN_LIB} ${TAINNOW_LIB} diff --git a/src/conn-tools/deps-exe/s6-tlsd b/src/conn-tools/deps-exe/s6-tlsd index 5ae8124..953d34f 100644 --- a/src/conn-tools/deps-exe/s6-tlsd +++ b/src/conn-tools/deps-exe/s6-tlsd @@ -3,4 +3,5 @@ ${LIBS6NET} -lskarnet ${CRYPTO_LIB} ${SOCKET_LIB} +${SPAWN_LIB} ${TAINNOW_LIB} diff --git a/src/sbearssl/sbearssl_run.c b/src/sbearssl/sbearssl_run.c index 1617e98..efd711c 100644 --- a/src/sbearssl/sbearssl_run.c +++ b/src/sbearssl/sbearssl_run.c @@ -14,16 +14,6 @@ #include #include -#ifdef DEBUG -# include -# include -# include -# define PLM(...) (bprintf(buffer_2, "%s: debug: ", PROG), bprintf(buffer_2, __VA_ARGS__), buffer_putflush(buffer_2, "\n", 1)) -#else -# define PLM(...) -#endif - - int sbearssl_run (br_ssl_engine_context *ctx, int *fds, unsigned int verbosity, uint32_t options, tain_t const *tto) { iopause_fd x[4] ; diff --git a/src/stls/stls_run.c b/src/stls/stls_run.c index 5c67034..09f9bc0 100644 --- a/src/stls/stls_run.c +++ b/src/stls/stls_run.c @@ -22,9 +22,9 @@ typedef struct tlsbuf_s tlsbuf_t, *tlsbuf_t_ref ; struct tlsbuf_s { - char buf[STLS_BUFSIZE] ; buffer b ; - unsigned int blockedonother : 1 ; + unsigned char blockedonother : 1 ; + char buf[STLS_BUFSIZE] ; } ; static inline int buffer_tls_flush (struct tls *ctx, tlsbuf_t *b) @@ -43,7 +43,7 @@ static inline int buffer_tls_flush (struct tls *ctx, tlsbuf_t *b) default : break ; } w = r ; - if (v[1].len) + if ((size_t)w == v[0].len && v[1].len) { r = tls_write(ctx, v[1].s, v[1].len) ; switch (r) @@ -81,7 +81,7 @@ static inline int buffer_tls_fill (struct tls *ctx, tlsbuf_t *b) default : break ; } w = r ; - if (v[1].len) + if ((size_t)w == v[0].len && v[1].len) { r = tls_read(ctx, v[1].s, v[1].len) ; switch (r) @@ -102,12 +102,15 @@ static inline int buffer_tls_fill (struct tls *ctx, tlsbuf_t *b) return ok ; } -static void do_tls_close (struct tls *ctx, int fd) +static void closeit (struct tls *ctx, int *fds, int doshd) { - iopause_fd x = { .fd = fd, .events = IOPAUSE_WRITE } ; - while (tls_close(ctx) == TLS_WANT_POLLOUT) - if (iopause_g(&x, 1, 0) < 0) - strerr_diefu1sys(111, "iopause") ; + if (fds[2] >= 0) + { + ndelay_off(fds[3]) ; + tls_close(ctx) ; + } + if (doshd) shutdown(fds[3], SHUT_WR) ; + fd_close(fds[3]) ; fds[3] = -1 ; } int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options, tain_t const *tto) @@ -115,6 +118,7 @@ int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options, tlsbuf_t b[2] = { { .blockedonother = 0 }, { .blockedonother = 0 } } ; iopause_fd x[4] ; unsigned int xindex[4] ; + int closing = 0 ; register unsigned int i ; for (i = 0 ; i < 2 ; i++) @@ -161,7 +165,7 @@ int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options, } else xindex[2] = 4 ; - if (fds[3] >= 0 && !b[0].blockedonother && buffer_iswritable(&b[0].b)) + if (fds[3] >= 0 && (!b[0].blockedonother && buffer_iswritable(&b[0].b) || closing)) { x[xlen].fd = fds[3] ; x[xlen].events = IOPAUSE_WRITE ; @@ -220,11 +224,17 @@ int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options, strerr_warnwu2x("write to peer: ", tls_error(ctx)) ; fd_close(fds[0]) ; fds[0] = -1 ; } - if (r && fds[0] < 0) + if (r) { - if (fds[2] >= 0) do_tls_close(ctx, fds[3]) ; - if (options & 1) shutdown(fds[3], SHUT_WR) ; - fd_close(fds[3]) ; fds[3] = -1 ; + if (closing && buffer_isempty(&b[0].b)) + { + ndelay_off(fds[3]) ; + tls_close(ctx) ; + fd_close(fds[3]) ; fds[3] = -1 ; + if (fds[0] >= 0) { fd_close(fds[0]) ; fds[0] = -1 ; } + closing = 0 ; + } + else if (fds[0] < 0) closeit(ctx, fds, options & 1) ; } } @@ -238,12 +248,7 @@ int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options, { if (errno != EPIPE) strerr_warnwu1sys("read from application") ; fd_close(fds[0]) ; fds[0] = -1 ; - if (buffer_isempty(&b[0].b)) - { - if (fds[2] >= 0) do_tls_close(ctx, fds[3]) ; - if (options & 1) shutdown(fds[3], SHUT_WR) ; - fd_close(fds[3]) ; fds[3] = -1 ; - } + if (buffer_isempty(&b[0].b)) closeit(ctx, fds, options & 1) ; } } @@ -256,12 +261,12 @@ int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options, if (r < 0) { if (r == -1) strerr_warnwu2x("read from peer: ", tls_error(ctx)) ; - if (options & 1) shutdown(fds[2], SHUT_RD) ; fd_close(fds[2]) ; fds[2] = -1 ; if (buffer_isempty(&b[1].b)) { fd_close(fds[1]) ; fds[1] = -1 ; } + closing = 1 ; } } } diff --git a/src/stls/stls_s6tlsc.c b/src/stls/stls_s6tlsc.c index 1313cfe..70e8f20 100644 --- a/src/stls/stls_s6tlsc.c +++ b/src/stls/stls_s6tlsc.c @@ -14,6 +14,15 @@ #define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg)) #define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx)) +#ifdef DEBUG +# include +# include +# include +# define PLM(...) (bprintf(buffer_2, "%s: debug: ", PROG), bprintf(buffer_2, __VA_ARGS__), buffer_putflush(buffer_2, "\n", 1)) +#else +# define PLM(...) +#endif + int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, char const *servername, int *sfd) { int fds[4] = { sfd[0], sfd[1], sfd[0], sfd[1] } ; @@ -68,11 +77,11 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const tls_config_verify(cfg) ; tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ; tls_config_prefer_ciphers_server(cfg) ; + if (!servername) tls_config_insecure_noverifyname(cfg) ; ctx = tls_client() ; if (!ctx) strerr_diefu1sys(111, "tls_client") ; if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ; - tls_config_free(cfg) ; pid = s6net_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ; if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ; @@ -81,12 +90,14 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const if (tls_connect_fds(ctx, fds[2], fds[3], servername) < 0) diectx(97, ctx, "tls_connect_fds") ; + tls_config_free(cfg) ; + if (tls_handshake(ctx) < 0) diectx(97, ctx, "perform SSL handshake") ; { int wstat ; int r = stls_run(ctx, fds, verbosity, options, tto) ; if (r < 0) strerr_diefu1sys(111, "run SSL engine") ; - else if (r) diectx(98, ctx, "establish or maintain SSL connection to peer") ; + else if (r) diectx(98, ctx, "maintain SSL connection to peer") ; tls_free(ctx) ; if (wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ; return wait_estatus(wstat) ; diff --git a/src/stls/stls_s6tlsd.c b/src/stls/stls_s6tlsd.c index 1506556..64cf01f 100644 --- a/src/stls/stls_s6tlsd.c +++ b/src/stls/stls_s6tlsd.c @@ -78,14 +78,14 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const if (tls_accept_fds(ctx, &cctx, fds[2], fds[3]) < 0) diectx(97, ctx, "tls_accept_fds") ; - tls_free(ctx) ; + if (tls_handshake(cctx) < 0) diectx(97, cctx, "perform SSL handshake") ; { int wstat ; int r = stls_run(cctx, fds, verbosity, options, tto) ; if (r < 0) strerr_diefu1sys(111, "run SSL engine") ; - else if (r) diectx(98, cctx, "establish or maintain SSL connection to peer") ; + else if (r) diectx(98, cctx, "maintain SSL connection to peer") ; if (wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ; return wait_estatus(wstat) ; } -- cgit v1.2.3