diff --git a/configure b/configure
index 70a19b193d6e33b41b5cc7ef13511bb0f5b4e076..7b55a2580018cc69b2f52c9bc53832cc9faadc4f 100755
--- a/configure
+++ b/configure
@@ -4,6 +4,7 @@ eval ". $srcdir/config.sh"
gmni() {
genrules gmni \
src/certs.c \
src/client.c \
src/escape.c \
src/gmni.c \
diff --git a/doc/gmni.scd b/doc/gmni.scd
index 1f20672f1fb0c8ff6a4f3a97a3324a25d2a0a01d..866dd418a510ccd141d9c23afb4b321b84a5f9ec 100644
--- a/doc/gmni.scd
+++ b/doc/gmni.scd
@@ -38,11 +38,9 @@ If the server requests user input, path is opened and read, and a
second request is performed with the contents of _path_ as the user
input.
--E path[:password]
+-E path:key
-l
For *text/\** responses, *gmni* normally adds a line feed if stdout is a
diff --git a/include/gmni/certs.h b/include/gmni/certs.h
new file mode 100644
index 0000000000000000000000000000000000000000..22e226d6b4252dddd8526970cec0a947f12242d1
--- /dev/null
+++ b/include/gmni/certs.h
@@ -0,0 +1,27 @@
+#ifndef GEMINI_CERTS_H
+#define GEMINI_CERTS_H
+#include <bearssl.h>
+#include <stdio.h>
+struct gmni_options;
+struct gmni_client_certificate {
+};
+struct gmni_private_key {
br_rsa_private_key rsa;
br_ec_private_key ec;
+};
+// Returns nonzero on failure and sets errno
+int gmni_ccert_load(struct gmni_client_certificate *cert,
FILE *certin, FILE *skin);
+#endif
diff --git a/include/gmni/gmni.h b/include/gmni/gmni.h
index 16bef51024275bbb6ade9c90a11ae68876df387a..22295e20fb36d492a979c060de8dcdca14df5a34 100644
--- a/include/gmni/gmni.h
+++ b/include/gmni/gmni.h
@@ -1,6 +1,6 @@
#ifndef GEMINI_CLIENT_H
#define GEMINI_CLIENT_H
-#include <bearssl_ssl.h>
+#include <bearssl.h>
#include <netdb.h>
#include <stdbool.h>
#include <sys/socket.h>
@@ -61,6 +61,8 @@ br_ssl_client_context *sc;
int fd;
};
+struct gmni_client_certificate;
struct gemini_options {
// If ai_family != AF_UNSPEC (the default value on most systems), the
// client will connect to this address and skip name resolution.
@@ -69,6 +71,10 @@
// If non-NULL, these hints are provided to getaddrinfo. Useful, for
// example, to force IPv4/IPv6.
struct addrinfo *hints;
};
struct gemini_tofu;
diff --git a/include/gmni/tofu.h b/include/gmni/tofu.h
index a0981a5296421541a766846bc36c733dab1dfd1a..51d1d60a3719469a1f8cd295b9d85e21d7affb43 100644
--- a/include/gmni/tofu.h
+++ b/include/gmni/tofu.h
@@ -1,6 +1,6 @@
#ifndef GEMINI_TOFU_H
#define GEMINI_TOFU_H
-#include <bearssl_x509.h>
+#include <bearssl.h>
#include <limits.h>
enum tofu_error {
diff --git a/src/certs.c b/src/certs.c
new file mode 100644
index 0000000000000000000000000000000000000000..f40bfa7d27925baaa2fe6dbdf0d6c18ce4e10014
--- /dev/null
+++ b/src/certs.c
@@ -0,0 +1,156 @@
+#include <assert.h>
+#include <bearssl.h>
+#include <errno.h>
+#include <gmni/certs.h>
+#include <gmni/gmni.h>
+#include <stdio.h>
+#include <stdlib.h>
+static void
+crt_append(void *ctx, const void *src, size_t len)
+{
+}
+static void
+key_append(void *ctx, const void *src, size_t len)
+{
+}
+int
+gmni_ccert_load(struct gmni_client_certificate *cert, FILE *certin, FILE *skin)
+{
size_t n = fread(&buf, 1, sizeof(buf), certin);
if (ferror(certin)) {
goto error;
}
size_t q = 0;
while (q < n) {
q += br_pem_decoder_push(&pemdec, &buf[q], n - q);
switch (br_pem_decoder_event(&pemdec)) {
case BR_PEM_BEGIN_OBJ:
if (strcmp(br_pem_decoder_name(&pemdec), certname) != 0) {
break;
}
cert->chain = realloc(cert->chain,
sizeof(br_x509_certificate) * (cert->nchain + 1));
memset(&cert->chain[cert->nchain], 0, sizeof(*cert->chain));
br_pem_decoder_setdest(&pemdec, &crt_append,
&cert->chain[cert->nchain]);
++cert->nchain;
break;
case BR_PEM_END_OBJ:
break;
case BR_PEM_ERROR:
fprintf(stderr, "Error decoding PEM certificate\n");
errno = EINVAL;
goto error;
}
}
fprintf(stderr, "No certificates found in provided client certificate file\n");
errno = EINVAL;
goto error;
size_t n = fread(&buf, 1, sizeof(buf), skin);
if (ferror(skin)) {
goto error;
}
size_t q = 0;
while (q < n) {
q += br_pem_decoder_push(&pemdec, &buf[q], n - q);
switch (br_pem_decoder_event(&pemdec)) {
case BR_PEM_BEGIN_OBJ:
br_pem_decoder_setdest(&pemdec, &key_append, &skdec);
break;
case BR_PEM_END_OBJ:
// no-op
break;
case BR_PEM_ERROR:
fprintf(stderr, "Error decoding PEM private key\n");
errno = EINVAL;
goto error;
}
}
fprintf(stderr, "Error loading private key: %d\n", err);
errno = EINVAL;
goto error;
struct gmni_private_key *k;
const br_ec_private_key *ec;
const br_rsa_private_key *rsa;
rsa = br_skey_decoder_get_rsa(&skdec);
cert->key = k = malloc(sizeof(*k)
+ rsa->plen + rsa->qlen
+ rsa->dplen + rsa->dqlen
+ rsa->iqlen);
assert(k);
k->type = BR_KEYTYPE_RSA;
k->rsa = *rsa;
k->rsa.p = k->data;
k->rsa.q = k->rsa.p + k->rsa.plen;
k->rsa.dp = k->rsa.q + k->rsa.qlen;
k->rsa.dq = k->rsa.dp + k->rsa.dplen;
k->rsa.iq = k->rsa.dq + k->rsa.dqlen;
memcpy(k->rsa.p, rsa->p, rsa->plen);
memcpy(k->rsa.q, rsa->q, rsa->qlen);
memcpy(k->rsa.dp, rsa->dp, rsa->dplen);
memcpy(k->rsa.dq, rsa->dq, rsa->dqlen);
memcpy(k->rsa.iq, rsa->iq, rsa->iqlen);
break;
ec = br_skey_decoder_get_ec(&skdec);
cert->key = k = malloc(sizeof(*k) + ec->xlen);
assert(k);
k->type = BR_KEYTYPE_EC;
k->ec.curve = ec->curve;
k->ec.x = k->data;
k->ec.xlen = ec->xlen;
memcpy(k->ec.x, ec->x, ec->xlen);
break;
assert(0);
+error:
+}
diff --git a/src/client.c b/src/client.c
index e402cc97d96a904a2a8e9e2db40345b222cb85ae..127a56ca59859e645fea6f1e4ac62431d734e4fd 100644
--- a/src/client.c
+++ b/src/client.c
@@ -1,13 +1,14 @@
#include <assert.h>
#include <errno.h>
#include <netdb.h>
-#include <bearssl_ssl.h>
+#include <bearssl.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
+#include <gmni/certs.h>
#include <gmni/gmni.h>
#include <gmni/tofu.h>
#include <gmni/url.h>
@@ -169,7 +170,26 @@ }
// TODO: session reuse
resp->sc = &tofu->sc;
struct gmni_client_certificate *cert = options->client_cert;
struct gmni_private_key *key = cert->key;
switch (key->type) {
case BR_KEYTYPE_RSA:
br_ssl_client_set_single_rsa(resp->sc,
cert->chain, cert->nchain, &key->rsa,
br_rsa_pkcs1_sign_get_default());
break;
case BR_KEYTYPE_EC:
br_ssl_client_set_single_ec(resp->sc,
cert->chain, cert->nchain, &key->ec,
BR_KEYTYPE_SIGN, 0,
br_ec_get_default(),
br_ecdsa_sign_asn1_get_default());
break;
}
br_ssl_client_reset(resp->sc, host, 0);
br_sslio_init(&resp->body, &resp->sc->eng,
sock_read, &resp->fd, sock_write, &resp->fd);
diff --git a/src/gmni.c b/src/gmni.c
index a8321d06c367128706d19ac283a53e55d95d0a92..f3015ac679eba77397fb4aac5068f3a63e1cdbab 100644
--- a/src/gmni.c
+++ b/src/gmni.c
@@ -1,5 +1,5 @@
#include <assert.h>
-#include <bearssl_ssl.h>
+#include <bearssl.h>
#include <errno.h>
#include <getopt.h>
#include <netdb.h>
@@ -11,6 +11,7 @@ #include <sys/socket.h>
#include <sys/types.h>
#include <termios.h>
#include <unistd.h>
+#include <gmni/certs.h>
#include <gmni/gmni.h>
#include <gmni/tofu.h>
#include <gmni/url.h>
@@ -109,6 +110,45 @@
return action;
}
+static struct gmni_client_certificate *
+load_client_cert(char *argv_0, char *path)
+{
usage(argv_0);
exit(1);
fprintf(stderr, "Failed to open certificate: %s\n",
strerror(errno));
exit(1);
usage(argv_0);
exit(1);
fprintf(stderr, "Failed to open certificate: %s\n",
strerror(errno));
exit(1);
calloc(1, sizeof(struct gmni_client_certificate));
fprintf(stderr, "Failed to load client certificate: %s\n",
strerror(errno));
exit(1);
+}
int
main(int argc, char *argv[])
{
@@ -165,7 +205,7 @@ }
}
break;
case 'E':
assert(0); // TODO: Client certificates
opts.client_cert = load_client_cert(argv[0], optarg);
break;
case 'h':
usage(argv[0]);
@@ -226,7 +266,7 @@
bool exit = false;
struct Curl_URL *url = curl_url();
// TODO: Better error
fprintf(stderr, "Error: invalid URL\n");
return 1;
@@ -238,8 +278,8 @@ char *buf;
curl_url_get(url, CURLUPART_URL, &buf, 0);
struct gemini_response resp;
enum gemini_result r = gemini_request(
buf, &opts, &cfg.tofu, &resp);
enum gemini_result r = gemini_request(buf,
&opts, &cfg.tofu, &resp);
free(buf);
diff --git a/src/gmnlm.c b/src/gmnlm.c
index 0ea492bb85fe024bd250c304808dcb8f0a915f90..aeb0c834d49c799fcdae54acfcbd3925dcedd392 100644
--- a/src/gmnlm.c
+++ b/src/gmnlm.c
@@ -1,5 +1,5 @@
#include <assert.h>
-#include <bearssl_ssl.h>
+#include <bearssl.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
diff --git a/src/tofu.c b/src/tofu.c
index 570bd41c885cd9bb007b58bffca957ace6916bea..0acdf33a50bb4957741f4789472ffe56035a7159 100644
--- a/src/tofu.c
+++ b/src/tofu.c
@@ -1,6 +1,5 @@
#include <assert.h>
-#include <bearssl_hash.h>
-#include <bearssl_x509.h>
+#include <bearssl.h>
#include <errno.h>
#include <gmni/gmni.h>
#include <gmni/tofu.h>
diff --git a/src/util.c b/src/util.c
index 780d0e8803ab9179683bd9a92cbead05624f2681..1cb0bf42b6319e6bd1b0cf0cc94e28627e4f9c68 100644
--- a/src/util.c
+++ b/src/util.c
@@ -1,5 +1,5 @@
#include <assert.h>
-#include <bearssl_ssl.h>
+#include <bearssl.h>
#include <errno.h>
#include <gmni/gmni.h>
#include <libgen.h>
text/gemini
This content has been proxied by September (ba2dc).