From 5715c21a077ee1c2fe8957cb4adcea14fd2eda6b Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Fri, 20 Nov 2020 23:24:29 +0000 Subject: Refactor tls code to support ucspi-tls That includes: - new architecture: the tls binary is now a child of the app instead of the other way around - the sbearssl_run engine now takes a post-handshake callback. This allows s6-tlsc and s6-tlsd to only exec into the app when the handshake succeeds (which was already the case with libressl). - new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto code; they init and run the engine, connecting to 4 already open fds (stdin/stdout = network, argv[1] and argv[2] = local) - s6-tlsc is now a simple wrapper around s6-tlsc-io - s6-tlsd is now a simple wrapper around s6-tlsd-io - new binary: s6-ucspitlsd, which is also a wrapper around s6-tlsd-io, but differently: the parent execs the app which should be ucspi-tls-aware, the child waits for a command from the parent and execs into s6-tlsd-io if it receives it. --- src/sbearssl/sbearssl_client_init_and_run.c | 71 +++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 src/sbearssl/sbearssl_client_init_and_run.c (limited to 'src/sbearssl/sbearssl_client_init_and_run.c') diff --git a/src/sbearssl/sbearssl_client_init_and_run.c b/src/sbearssl/sbearssl_client_init_and_run.c new file mode 100644 index 0000000..a95e9e1 --- /dev/null +++ b/src/sbearssl/sbearssl_client_init_and_run.c @@ -0,0 +1,71 @@ +/* ISC license. */ + +#include +#include + +#include + +#include +#include +#include +#include + +#include +#include "sbearssl-internal.h" + +void sbearssl_client_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, char const *servername, sbearssl_handshake_cb_t_ref cb, unsigned int notif) +{ + stralloc storage = STRALLOC_ZERO ; + genalloc tas = GENALLOC_ZERO ; + size_t talen ; + + if (preoptions & 1) + strerr_dief1x(100, "client certificates are not supported yet") ; + + { + int r ; + char const *x = getenv("CADIR") ; + if (x) + r = sbearssl_ta_readdir(x, &tas, &storage) ; + else + { + x = getenv("CAFILE") ; + if (!x) strerr_dienotset(100, "CADIR or CAFILE") ; + r = sbearssl_ta_readfile(x, &tas, &storage) ; + } + + if (r < 0) + strerr_diefu2sys(111, "read trust anchors in ", x) ; + else if (r) + strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ; + + talen = genalloc_len(sbearssl_ta, &tas) ; + if (!talen) + strerr_dief2x(96, "no trust anchor found in ", x) ; + } + + { + sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ; + unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; + br_x509_minimal_context xc ; + br_ssl_client_context cc ; + br_x509_trust_anchor btas[talen] ; + size_t i = talen ; + + stralloc_shrink(&storage) ; + while (i--) + sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ; + genalloc_free(sbearssl_ta, &tas) ; + br_ssl_client_init_full(&cc, &xc, btas, talen) ; + random_string((char *)buf, 32) ; + random_finish() ; + br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ; + br_ssl_engine_set_buffer(&cc.eng, buf, sizeof(buf), 1) ; + if (!br_ssl_client_reset(&cc, servername, 0)) + strerr_diefu2x(97, "reset client context: ", sbearssl_error_str(br_ssl_engine_last_error(&cc.eng))) ; + if (!sbearssl_x509_minimal_set_tain(&xc, &STAMP)) + strerr_diefu1sys(111, "initialize validation time") ; + + sbearssl_run(&cc.eng, fds, tto, options, verbosity, cb, &cbarg) ; + } +} -- cgit v1.3.1