From f85b8a70f3b44510a5cf3895bf7357ae90655f65 Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Mon, 30 Jan 2017 19:03:02 +0000 Subject: Delay client cert support, but make s6-networking build against bearssl-0.3 --- src/include/s6-networking/sbearssl.h | 4 ++-- src/sbearssl/sbearssl_s6tlsc.c | 2 +- src/sbearssl/sbearssl_s6tlsd.c | 39 +++++------------------------------- 3 files changed, 8 insertions(+), 37 deletions(-) (limited to 'src') diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h index 785e647..a91eea9 100644 --- a/src/include/s6-networking/sbearssl.h +++ b/src/include/s6-networking/sbearssl.h @@ -192,7 +192,7 @@ extern int sbearssl_ta_readfile (char const *, genalloc *, stralloc *) ; extern int sbearssl_ta_readdir (char const *, genalloc *, stralloc *) ; extern size_t sbearssl_x500_name_len (sbearssl_ta const *, size_t) ; -extern void sbearssl_x500_from_ta (br_x500_name *, sbearssl_ta const *, size_t, char *, char const *) ; +/* extern void sbearssl_x500_from_ta (br_x500_name *, sbearssl_ta const *, size_t, char *, char const *) ; */ /* Errors */ @@ -202,7 +202,7 @@ extern char const *sbearssl_error_str (int) ; /* Engine */ -extern int sbearssl_run (br_ssl_engine_context *, int *, unsigned int, uint32, tain_t const *) ; +extern int sbearssl_run (br_ssl_engine_context *, int *, unsigned int, uint32_t, tain_t const *) ; /* s6-tlsc and s6-tlsd implementations */ diff --git a/src/sbearssl/sbearssl_s6tlsc.c b/src/sbearssl/sbearssl_s6tlsc.c index 1a0b5f0..c6ca4c1 100644 --- a/src/sbearssl/sbearssl_s6tlsc.c +++ b/src/sbearssl/sbearssl_s6tlsc.c @@ -23,7 +23,7 @@ int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t co size_t talen ; if (preoptions & 1) - strerr_dief1x(100, "client certificates are not supported by BearSSL yet") ; + strerr_dief1x(100, "client certificates are not supported yet") ; { int r ; diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c index 66d0542..816d746 100644 --- a/src/sbearssl/sbearssl_s6tlsd.c +++ b/src/sbearssl/sbearssl_s6tlsd.c @@ -1,7 +1,6 @@ /* ISC license. */ #include -#include #include #include #include @@ -21,10 +20,9 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co sbearssl_skey skey ; genalloc certs = GENALLOC_ZERO ; size_t chainlen ; - size_t x500n = 1 ; - size_t x500len = 1 ; - stralloc tastorage = STRALLOC_ZERO ; - genalloc tas = GENALLOC_ZERO ; + + if (preoptions & 1) + strerr_dief1x(100, "client certificates are not supported yet") ; { char const *x = env_get2(envp, "KEYFILE") ; @@ -46,45 +44,17 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co chainlen = genalloc_len(sbearssl_cert, &certs) ; if (!chainlen) strerr_diefu2x(96, "find a certificate in ", x) ; - - if (preoptions & 1) - { - x = env_get2(envp, "CADIR") ; - if (x) r = sbearssl_ta_readdir(x, &tas, &tastorage) ; - else - { - x = env_get2(envp, "CAFILE") ; - if (!x) strerr_dienotset(100, "CADIR or CAFILE") ; - r = sbearssl_ta_readfile(x, &tas, &tastorage) ; - } - - if (r < 0) - strerr_diefu2sys(111, "read trust anchors in ", x) ; - else if (r) - strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ; - x500n = genalloc_len(sbearssl_ta, &tas) ; - if (!x500n) strerr_dief2x(96, "no trust anchor found in ", x) ; - x500len = sbearssl_x500_name_len(genalloc_s(sbearssl_ta, &tas), x500n) ; - } } { int fds[4] = { 0, 1, 0, 1 } ; unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; - char x500storage[x500len] ; br_ssl_server_context sc ; union br_skey_u key ; br_x509_certificate chain[chainlen] ; - br_x500_name x500names[x500n] ; size_t i = chainlen ; pid_t pid ; - if (preoptions & 1) - { - sbearssl_x500_from_ta(x500names, genalloc_s(sbearssl_ta, &tas), x500n, x500storage, tastorage.s) ; - genalloc_free(sbearssl_ta, &tas) ; - stralloc_free(&tastorage) ; - } stralloc_shrink(&storage) ; while (i--) sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ; @@ -130,11 +100,12 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co uint32_t flags = BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION ; if (preoptions & 1) { - br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ; + /* br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ; */ if (!(preoptions & 4)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ; } br_ssl_engine_add_flags(&sc.eng, flags) ; } + br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ; br_ssl_server_reset(&sc) ; tain_now_g() ; -- cgit v1.2.3