aboutsummaryrefslogtreecommitdiffstats
path: root/src/sbearssl/sbearssl_client_init_and_run.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/sbearssl/sbearssl_client_init_and_run.c')
-rw-r--r--src/sbearssl/sbearssl_client_init_and_run.c82
1 files changed, 48 insertions, 34 deletions
diff --git a/src/sbearssl/sbearssl_client_init_and_run.c b/src/sbearssl/sbearssl_client_init_and_run.c
index d7bedec..db68096 100644
--- a/src/sbearssl/sbearssl_client_init_and_run.c
+++ b/src/sbearssl/sbearssl_client_init_and_run.c
@@ -15,50 +15,64 @@
void sbearssl_client_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, char const *servername, sbearssl_handshake_cb_t_ref cb, unsigned int notif)
{
+ sbearssl_skey skey ;
+ genalloc certs = GENALLOC_ZERO ; /* sbearssl_cert */
+ genalloc tas = GENALLOC_ZERO ; /* sbearssl_ta */
stralloc storage = STRALLOC_ZERO ;
- genalloc tas = GENALLOC_ZERO ;
- size_t talen ;
-
- if (preoptions & 1)
- strerr_dief1x(100, "client certificates are not supported yet") ;
-
- {
- int r ;
- char const *x = getenv("CADIR") ;
- if (x)
- r = sbearssl_ta_readdir(x, &tas, &storage) ;
- else
- {
- x = getenv("CAFILE") ;
- if (!x) strerr_dienotset(100, "CADIR or CAFILE") ;
- r = sbearssl_ta_readfile(x, &tas, &storage) ;
- }
-
- if (r < 0)
- strerr_diefu2sys(111, "read trust anchors in ", x) ;
- else if (r)
- strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ;
-
- talen = genalloc_len(sbearssl_ta, &tas) ;
- if (!talen)
- strerr_dief2x(96, "no trust anchor found in ", x) ;
- }
+ size_t chainlen = preoptions & 1 ? sbearssl_get_keycert(&skey, &certs, &storage) : 0 ;
+ size_t n = sbearssl_get_tas(&tas, &storage) ;
sbearssl_drop() ;
+ stralloc_shrink(&storage) ;
{
sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ;
- unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
- br_x509_minimal_context xc ;
+ union br_skey_u key ;
br_ssl_client_context cc ;
- br_x509_trust_anchor btas[talen] ;
- size_t i = talen ;
+ br_x509_minimal_context xc ;
+ br_x509_certificate chain[chainlen ? chainlen : 1] ;
+ br_x509_trust_anchor btas[n] ;
+ unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
+
+ for (size_t i = 0 ; i < chainlen ; i++)
+ sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ;
+ genalloc_free(sbearssl_cert, &certs) ;
- stralloc_shrink(&storage) ;
- while (i--)
+ for (size_t i = 0 ; i < n ; i++)
sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ;
genalloc_free(sbearssl_ta, &tas) ;
- br_ssl_client_init_full(&cc, &xc, btas, talen) ;
+
+ br_ssl_client_init_full(&cc, &xc, btas, n) ;
+
+ if (chainlen)
+ {
+ switch (skey.type)
+ {
+ case BR_KEYTYPE_RSA :
+ sbearssl_rsa_skey_to(&skey.data.rsa, &key.rsa, storage.s) ;
+ br_ssl_client_set_single_rsa(&cc, chain, chainlen, &key.rsa, br_rsa_pkcs1_sign_get_default()) ;
+ break ;
+ case BR_KEYTYPE_EC :
+ {
+ int kt, r ;
+ sbearssl_ec_skey_to(&skey.data.ec, &key.ec, storage.s) ;
+ r = sbearssl_ec_issuer_keytype(&kt, &chain[0]) ;
+ switch (r)
+ {
+ case -2 : strerr_dief1x(96, "certificate issuer key type not recognized") ;
+ case -1 : strerr_diefu1sys(111, "get certificate issuer key type") ;
+ case 0 : break ;
+ default : strerr_diefu3x(96, "get certificate issuer key type", ": ", sbearssl_error_str(r)) ;
+ }
+
+ br_ssl_client_set_single_ec(&cc, chain, chainlen, &key.ec, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, kt, br_ec_get_default(), br_ecdsa_sign_asn1_get_default()) ;
+ break ;
+ }
+ default :
+ strerr_dief1x(96, "unsupported private key type") ;
+ }
+ }
+
br_ssl_engine_add_flags(&cc.eng, BR_OPT_NO_RENEGOTIATION) ;
random_string((char *)buf, 32) ;
random_finish() ;