aboutsummaryrefslogtreecommitdiffstats
path: root/src/sbearssl/sbearssl_client_init_and_run.c
diff options
context:
space:
mode:
authorLaurent Bercot <ska-skaware@skarnet.org>2020-11-20 23:24:29 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2020-11-20 23:24:29 +0000
commit5715c21a077ee1c2fe8957cb4adcea14fd2eda6b (patch)
treecf3e992dce2d426727b535703b0b73dbafb41dbb /src/sbearssl/sbearssl_client_init_and_run.c
parent1fea1f6ed53cae7f752c9a78271c7c8367b0ad03 (diff)
downloads6-networking-5715c21a077ee1c2fe8957cb4adcea14fd2eda6b.tar.gz
Refactor tls code to support ucspi-tls
That includes: - new architecture: the tls binary is now a child of the app instead of the other way around - the sbearssl_run engine now takes a post-handshake callback. This allows s6-tlsc and s6-tlsd to only exec into the app when the handshake succeeds (which was already the case with libressl). - new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto code; they init and run the engine, connecting to 4 already open fds (stdin/stdout = network, argv[1] and argv[2] = local) - s6-tlsc is now a simple wrapper around s6-tlsc-io - s6-tlsd is now a simple wrapper around s6-tlsd-io - new binary: s6-ucspitlsd, which is also a wrapper around s6-tlsd-io, but differently: the parent execs the app which should be ucspi-tls-aware, the child waits for a command from the parent and execs into s6-tlsd-io if it receives it.
Diffstat (limited to 'src/sbearssl/sbearssl_client_init_and_run.c')
-rw-r--r--src/sbearssl/sbearssl_client_init_and_run.c71
1 files changed, 71 insertions, 0 deletions
diff --git a/src/sbearssl/sbearssl_client_init_and_run.c b/src/sbearssl/sbearssl_client_init_and_run.c
new file mode 100644
index 0000000..a95e9e1
--- /dev/null
+++ b/src/sbearssl/sbearssl_client_init_and_run.c
@@ -0,0 +1,71 @@
+/* ISC license. */
+
+#include <stddef.h>
+#include <stdlib.h>
+
+#include <bearssl.h>
+
+#include <skalibs/strerr2.h>
+#include <skalibs/stralloc.h>
+#include <skalibs/genalloc.h>
+#include <skalibs/random.h>
+
+#include <s6-networking/sbearssl.h>
+#include "sbearssl-internal.h"
+
+void sbearssl_client_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, char const *servername, sbearssl_handshake_cb_t_ref cb, unsigned int notif)
+{
+ stralloc storage = STRALLOC_ZERO ;
+ genalloc tas = GENALLOC_ZERO ;
+ size_t talen ;
+
+ if (preoptions & 1)
+ strerr_dief1x(100, "client certificates are not supported yet") ;
+
+ {
+ int r ;
+ char const *x = getenv("CADIR") ;
+ if (x)
+ r = sbearssl_ta_readdir(x, &tas, &storage) ;
+ else
+ {
+ x = getenv("CAFILE") ;
+ if (!x) strerr_dienotset(100, "CADIR or CAFILE") ;
+ r = sbearssl_ta_readfile(x, &tas, &storage) ;
+ }
+
+ if (r < 0)
+ strerr_diefu2sys(111, "read trust anchors in ", x) ;
+ else if (r)
+ strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ;
+
+ talen = genalloc_len(sbearssl_ta, &tas) ;
+ if (!talen)
+ strerr_dief2x(96, "no trust anchor found in ", x) ;
+ }
+
+ {
+ sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ;
+ unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
+ br_x509_minimal_context xc ;
+ br_ssl_client_context cc ;
+ br_x509_trust_anchor btas[talen] ;
+ size_t i = talen ;
+
+ stralloc_shrink(&storage) ;
+ while (i--)
+ sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ;
+ genalloc_free(sbearssl_ta, &tas) ;
+ br_ssl_client_init_full(&cc, &xc, btas, talen) ;
+ random_string((char *)buf, 32) ;
+ random_finish() ;
+ br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ;
+ br_ssl_engine_set_buffer(&cc.eng, buf, sizeof(buf), 1) ;
+ if (!br_ssl_client_reset(&cc, servername, 0))
+ strerr_diefu2x(97, "reset client context: ", sbearssl_error_str(br_ssl_engine_last_error(&cc.eng))) ;
+ if (!sbearssl_x509_minimal_set_tain(&xc, &STAMP))
+ strerr_diefu1sys(111, "initialize validation time") ;
+
+ sbearssl_run(&cc.eng, fds, tto, options, verbosity, cb, &cbarg) ;
+ }
+}