From 5715c21a077ee1c2fe8957cb4adcea14fd2eda6b Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Fri, 20 Nov 2020 23:24:29 +0000 Subject: Refactor tls code to support ucspi-tls That includes: - new architecture: the tls binary is now a child of the app instead of the other way around - the sbearssl_run engine now takes a post-handshake callback. This allows s6-tlsc and s6-tlsd to only exec into the app when the handshake succeeds (which was already the case with libressl). - new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto code; they init and run the engine, connecting to 4 already open fds (stdin/stdout = network, argv[1] and argv[2] = local) - s6-tlsc is now a simple wrapper around s6-tlsc-io - s6-tlsd is now a simple wrapper around s6-tlsd-io - new binary: s6-ucspitlsd, which is also a wrapper around s6-tlsd-io, but differently: the parent execs the app which should be ucspi-tls-aware, the child waits for a command from the parent and execs into s6-tlsd-io if it receives it. --- src/sbearssl/sbearssl_s6tlsc.c | 79 ------------------------------------------ 1 file changed, 79 deletions(-) delete mode 100644 src/sbearssl/sbearssl_s6tlsc.c (limited to 'src/sbearssl/sbearssl_s6tlsc.c') diff --git a/src/sbearssl/sbearssl_s6tlsc.c b/src/sbearssl/sbearssl_s6tlsc.c deleted file mode 100644 index 267d79c..0000000 --- a/src/sbearssl/sbearssl_s6tlsc.c +++ /dev/null @@ -1,79 +0,0 @@ -/* ISC license. */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "sbearssl-internal.h" - -int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, char const *servername, int *sfd) -{ - int fds[5] = { sfd[0], sfd[1], sfd[0], sfd[1] } ; - stralloc storage = STRALLOC_ZERO ; - genalloc tas = GENALLOC_ZERO ; - size_t talen ; - pid_t pid ; - - if (preoptions & 1) - strerr_dief1x(100, "client certificates are not supported yet") ; - - { - int r ; - char const *x = env_get2(envp, "CADIR") ; - if (x) - r = sbearssl_ta_readdir(x, &tas, &storage) ; - else - { - x = env_get2(envp, "CAFILE") ; - if (!x) strerr_dienotset(100, "CADIR or CAFILE") ; - r = sbearssl_ta_readfile(x, &tas, &storage) ; - } - - if (r < 0) - strerr_diefu2sys(111, "read trust anchors in ", x) ; - else if (r) - strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ; - - talen = genalloc_len(sbearssl_ta, &tas) ; - if (!talen) - strerr_dief2x(96, "no trust anchor found in ", x) ; - } - - if (!random_init()) strerr_diefu1sys(111, "initialize random generator") ; - - pid = sbearssl_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ; - - { - unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; - br_x509_minimal_context xc ; - br_ssl_client_context cc ; - br_x509_trust_anchor btas[talen] ; - size_t i = talen ; - int wstat ; - - stralloc_shrink(&storage) ; - while (i--) - sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ; - genalloc_free(sbearssl_ta, &tas) ; - br_ssl_client_init_full(&cc, &xc, btas, talen) ; - random_string((char *)buf, 32) ; - br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ; - random_finish() ; - br_ssl_engine_set_buffer(&cc.eng, buf, sizeof(buf), 1) ; - if (!br_ssl_client_reset(&cc, servername, 0)) - strerr_diefu2x(97, "reset client context: ", sbearssl_error_str(br_ssl_engine_last_error(&cc.eng))) ; - tain_now_g() ; - if (!sbearssl_x509_minimal_set_tain(&xc, &STAMP)) - strerr_diefu1sys(111, "initialize validation time") ; - - wstat = sbearssl_run(&cc.eng, fds, pid, verbosity, options, tto) ; - if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ; - return wait_estatus(wstat) ; - } -} -- cgit v1.3.1