s6-networking/src/stls/stls_run.c, branch mainUCSPI TCP implementation and other networking utilitieshttps://git.skarnet.org/cgit/s6-networking/atom/src/stls/stls_run.c?h=main2025-09-09T16:28:56Z Catch obscure busyloop in stls_run2025-09-09T16:28:56ZLaurent Bercotska-skaware@skarnet.org2025-09-09T16:28:56Zurn:sha1:e5c171704e79ccb361bf6bbd51ecece19ec5df2f Fix stls_run; sbearssl_run needs a rewrite2023-11-17T03:04:59ZLaurent Bercotska-skaware@skarnet.org2023-11-17T03:04:59Zurn:sha1:e38a132e37fcd3307b7a93c5c867145454f79b4e
Signed-off-by: Laurent Bercot <ska@appnovation.com>
Add -J and -j to the TLS tools to check for peer close_notify.2023-11-16T05:13:06ZLaurent Bercotska-skaware@skarnet.org2023-11-16T05:13:06Zurn:sha1:26597a785ec2dd4e9ec9fb7d9765d2ee8779ee16
Also, and more importantly, significantly rewrite stls_run()
for better full-duplex support. This implementation isn't fully
tested yet.
Signed-off-by: Laurent Bercot <ska@appnovation.com>
New and fixed version of sbearssl_run2023-11-11T23:55:28ZLaurent Bercotska-skaware@skarnet.org2023-11-11T23:55:28Zurn:sha1:24d1860868682d33f60970119b1cff1bf088a497
Signed-off-by: Laurent Bercot <ska@appnovation.com>
Prepare for 2.5.1.22022-11-29T13:19:02ZLaurent Bercotska-skaware@skarnet.org2022-11-29T13:19:02Zurn:sha1:418a9deb23eca6fed25cc9feea476646a88a5184
Signed-off-by: Laurent Bercot <ska@appnovation.com>
Change -K semantics: timeout *during handshake*, not afterwards2020-12-07T12:53:54ZLaurent Bercotska-skaware@skarnet.org2020-12-07T12:53:54Zurn:sha1:f7e676abdc799fcee5138807447b5e91ab05508f
- the TLS tunnel itself should be transparent so it has no business
shutting down the connection no matter how long the app takes
- there's still an undetectable situation on some kernels where
EOF doesn't get transmitted from the network, and the engine is in
the handshake, and it can't do anything but wait forever. A timeout
is useful here: dawg, your peer is never going to send any more data,
you should just give up.
- if the situation happens after the handshake, the *app* should
have a timeout and die. The tunnel will follow suit.
- libtls has a blocking tls_handshake() blackbox, we cannot give it
a timeout. Too bad, use bearssl.
Fix a few bugs. sbearssl appears to be working.2020-11-22T21:49:58ZLaurent Bercotska-skaware@skarnet.org2020-11-22T21:49:58Zurn:sha1:bae11b88357db72b19413cd05c62ac9242b9b597 Refactor tls code to support ucspi-tls2020-11-20T23:24:29ZLaurent Bercotska-skaware@skarnet.org2020-11-20T23:24:29Zurn:sha1:5715c21a077ee1c2fe8957cb4adcea14fd2eda6b
That includes:
- new architecture: the tls binary is now a child of the app
instead of the other way around
- the sbearssl_run engine now takes a post-handshake callback.
This allows s6-tlsc and s6-tlsd to only exec into the app when
the handshake succeeds (which was already the case with libressl).
- new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto
code; they init and run the engine, connecting to 4 already open
fds (stdin/stdout = network, argv[1] and argv[2] = local)
- s6-tlsc is now a simple wrapper around s6-tlsc-io
- s6-tlsd is now a simple wrapper around s6-tlsd-io
- new binary: s6-ucspitlsd, which is also a wrapper around
s6-tlsd-io, but differently: the parent execs the app which should
be ucspi-tls-aware, the child waits for a command from the parent
and execs into s6-tlsd-io if it receives it.
Moderately big hammer: force kill on s6-tlsd when it has nothing to write to the network2017-08-28T21:10:03ZLaurent Bercotska-skaware@skarnet.org2017-08-28T21:10:03Zurn:sha1:5691bc64df8444cfbebe7a97480f49f79497b19b Revert big hammer. Data still needs to be flushed to the network even when the local app dies.2017-08-28T20:30:00ZLaurent Bercotska-skaware@skarnet.org2017-08-28T20:30:00Zurn:sha1:d594db1b68d6a2c890d385087799dd8cdf6dc966