diff options
Diffstat (limited to 'src/sbearssl/sbearssl_client_init_and_run.c')
| -rw-r--r-- | src/sbearssl/sbearssl_client_init_and_run.c | 82 |
1 files changed, 48 insertions, 34 deletions
diff --git a/src/sbearssl/sbearssl_client_init_and_run.c b/src/sbearssl/sbearssl_client_init_and_run.c index d7bedec..db68096 100644 --- a/src/sbearssl/sbearssl_client_init_and_run.c +++ b/src/sbearssl/sbearssl_client_init_and_run.c @@ -15,50 +15,64 @@ void sbearssl_client_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, char const *servername, sbearssl_handshake_cb_t_ref cb, unsigned int notif) { + sbearssl_skey skey ; + genalloc certs = GENALLOC_ZERO ; /* sbearssl_cert */ + genalloc tas = GENALLOC_ZERO ; /* sbearssl_ta */ stralloc storage = STRALLOC_ZERO ; - genalloc tas = GENALLOC_ZERO ; - size_t talen ; - - if (preoptions & 1) - strerr_dief1x(100, "client certificates are not supported yet") ; - - { - int r ; - char const *x = getenv("CADIR") ; - if (x) - r = sbearssl_ta_readdir(x, &tas, &storage) ; - else - { - x = getenv("CAFILE") ; - if (!x) strerr_dienotset(100, "CADIR or CAFILE") ; - r = sbearssl_ta_readfile(x, &tas, &storage) ; - } - - if (r < 0) - strerr_diefu2sys(111, "read trust anchors in ", x) ; - else if (r) - strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ; - - talen = genalloc_len(sbearssl_ta, &tas) ; - if (!talen) - strerr_dief2x(96, "no trust anchor found in ", x) ; - } + size_t chainlen = preoptions & 1 ? sbearssl_get_keycert(&skey, &certs, &storage) : 0 ; + size_t n = sbearssl_get_tas(&tas, &storage) ; sbearssl_drop() ; + stralloc_shrink(&storage) ; { sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ; - unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; - br_x509_minimal_context xc ; + union br_skey_u key ; br_ssl_client_context cc ; - br_x509_trust_anchor btas[talen] ; - size_t i = talen ; + br_x509_minimal_context xc ; + br_x509_certificate chain[chainlen ? chainlen : 1] ; + br_x509_trust_anchor btas[n] ; + unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; + + for (size_t i = 0 ; i < chainlen ; i++) + sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ; + genalloc_free(sbearssl_cert, &certs) ; - stralloc_shrink(&storage) ; - while (i--) + for (size_t i = 0 ; i < n ; i++) sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ; genalloc_free(sbearssl_ta, &tas) ; - br_ssl_client_init_full(&cc, &xc, btas, talen) ; + + br_ssl_client_init_full(&cc, &xc, btas, n) ; + + if (chainlen) + { + switch (skey.type) + { + case BR_KEYTYPE_RSA : + sbearssl_rsa_skey_to(&skey.data.rsa, &key.rsa, storage.s) ; + br_ssl_client_set_single_rsa(&cc, chain, chainlen, &key.rsa, br_rsa_pkcs1_sign_get_default()) ; + break ; + case BR_KEYTYPE_EC : + { + int kt, r ; + sbearssl_ec_skey_to(&skey.data.ec, &key.ec, storage.s) ; + r = sbearssl_ec_issuer_keytype(&kt, &chain[0]) ; + switch (r) + { + case -2 : strerr_dief1x(96, "certificate issuer key type not recognized") ; + case -1 : strerr_diefu1sys(111, "get certificate issuer key type") ; + case 0 : break ; + default : strerr_diefu3x(96, "get certificate issuer key type", ": ", sbearssl_error_str(r)) ; + } + + br_ssl_client_set_single_ec(&cc, chain, chainlen, &key.ec, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, kt, br_ec_get_default(), br_ecdsa_sign_asn1_get_default()) ; + break ; + } + default : + strerr_dief1x(96, "unsupported private key type") ; + } + } + br_ssl_engine_add_flags(&cc.eng, BR_OPT_NO_RENEGOTIATION) ; random_string((char *)buf, 32) ; random_finish() ; |
