aboutsummaryrefslogtreecommitdiffstats
path: root/src/stls/stls_server_init_and_handshake.c
diff options
context:
space:
mode:
authorLaurent Bercot <ska-skaware@skarnet.org>2020-11-20 23:24:29 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2020-11-20 23:24:29 +0000
commit5715c21a077ee1c2fe8957cb4adcea14fd2eda6b (patch)
treecf3e992dce2d426727b535703b0b73dbafb41dbb /src/stls/stls_server_init_and_handshake.c
parent1fea1f6ed53cae7f752c9a78271c7c8367b0ad03 (diff)
downloads6-networking-5715c21a077ee1c2fe8957cb4adcea14fd2eda6b.tar.gz
Refactor tls code to support ucspi-tls
That includes: - new architecture: the tls binary is now a child of the app instead of the other way around - the sbearssl_run engine now takes a post-handshake callback. This allows s6-tlsc and s6-tlsd to only exec into the app when the handshake succeeds (which was already the case with libressl). - new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto code; they init and run the engine, connecting to 4 already open fds (stdin/stdout = network, argv[1] and argv[2] = local) - s6-tlsc is now a simple wrapper around s6-tlsc-io - s6-tlsd is now a simple wrapper around s6-tlsd-io - new binary: s6-ucspitlsd, which is also a wrapper around s6-tlsd-io, but differently: the parent execs the app which should be ucspi-tls-aware, the child waits for a command from the parent and execs into s6-tlsd-io if it receives it.
Diffstat (limited to 'src/stls/stls_server_init_and_handshake.c')
-rw-r--r--src/stls/stls_server_init_and_handshake.c81
1 files changed, 81 insertions, 0 deletions
diff --git a/src/stls/stls_server_init_and_handshake.c b/src/stls/stls_server_init_and_handshake.c
new file mode 100644
index 0000000..58d812e
--- /dev/null
+++ b/src/stls/stls_server_init_and_handshake.c
@@ -0,0 +1,81 @@
+/* ISC license. */
+
+#include <stdlib.h>
+
+#include <tls.h>
+
+#include <skalibs/strerr2.h>
+
+#include <s6-networking/stls.h>
+#include "stls-internal.h"
+
+#define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg))
+#define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx))
+
+struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions)
+{
+ struct tls *cctx ;
+ struct tls *ctx ;
+ struct tls_config *cfg ;
+ char const *x ;
+
+ if (tls_init() < 0) strerr_diefu1sys(111, "tls_init") ;
+ cfg = tls_config_new() ;
+ if (!cfg) strerr_diefu1sys(111, "tls_config_new") ;
+
+ x = getenv("CERTFILE") ;
+ if (!x) strerr_dienotset(100, "CERTFILE") ;
+ if (tls_config_set_cert_file(cfg, x) < 0)
+ diecfg(cfg, "tls_config_set_cert_file") ;
+
+ x = getenv("KEYFILE") ;
+ if (!x) strerr_dienotset(100, "KEYFILE") ;
+ if (tls_config_set_key_file(cfg, x) < 0)
+ diecfg(cfg, "tls_config_set_key_file") ;
+
+ if (tls_config_set_ciphers(cfg, "secure") < 0)
+ diecfg(cfg, "tls_config_set_ciphers") ;
+
+ if (tls_config_set_dheparams(cfg, "auto") < 0)
+ diecfg(cfg, "tls_config_set_dheparams") ;
+
+ if (tls_config_set_ecdhecurve(cfg, "auto") < 0)
+ diecfg(cfg, "tls_config_set_ecdhecurve") ;
+
+ if (preoptions & 1)
+ {
+ x = getenv("CADIR") ;
+ if (x)
+ {
+ if (tls_config_set_ca_path(cfg, x) < 0)
+ diecfg(cfg, "tls_config_set_ca_path") ;
+ }
+ else
+ {
+ x = getenv("CAFILE") ;
+ if (x)
+ {
+ if (tls_config_set_ca_file(cfg, x) < 0)
+ diecfg(cfg, "tls_config_set_ca_file") ;
+ }
+ else strerr_dienotset(100, "CADIR or CAFILE") ;
+ }
+ if (preoptions & 2) tls_config_verify_client(cfg) ;
+ else tls_config_verify_client_optional(cfg) ;
+ }
+ else tls_config_insecure_noverifycert(cfg) ;
+
+ tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ;
+ tls_config_prefer_ciphers_server(cfg) ;
+
+ ctx = tls_server() ;
+ if (!ctx) strerr_diefu1sys(111, "tls_server") ;
+ if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
+ tls_config_free(cfg) ;
+ if (tls_accept_fds(ctx, &cctx, fds[0], fds[1]) < 0)
+ diectx(97, ctx, "tls_accept_fds") ;
+ tls_free(ctx) ;
+ if (tls_handshake(cctx) < 0)
+ diectx(97, cctx, "perform SSL handshake") ;
+ return cctx ;
+}