Make stuff build

Still not working: we need to add servername to the storage
author: Laurent Bercot <ska-skaware@skarnet.org> 2021-06-01 20:35:49 +0000
committer: Laurent Bercot <ska-skaware@skarnet.org> 2021-06-01 20:35:49 +0000
commit: e36fd79f212a4fbcb69ef6fa6add4d06e52956b5 (patch)
tree: c42cb01748ca5b2622f14d4acbea54b7fdc84601
parent: a84b9b4e5d985a5d8a37268a76e1d35210fd31c5 (diff)
download: s6-networking-e36fd79f212a4fbcb69ef6fa6add4d06e52956b5.tar.xz
3 files changed, 76 insertions, 54 deletions
diff --git a/src/sbearssl/sbearssl_server_init_and_run.c b/src/sbearssl/sbearssl_server_init_and_run.c
index 467041a..cdd2804 100644
--- a/src/sbearssl/sbearssl_server_init_and_run.c
+++ b/src/sbearssl/sbearssl_server_init_and_run.c
@@ -5,6 +5,8 @@
 
 #include <bearssl.h>
 
+#include <skalibs/posixplz.h>
+#include <skalibs/bytestr.h>
 #include <skalibs/strerr2.h>
 #include <skalibs/stralloc.h>
 #include <skalibs/genalloc.h>
@@ -15,56 +17,64 @@
 
 void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, sbearssl_handshake_cbfunc_ref cb, sbearssl_handshake_cbarg *cbarg)
 {
-  sbearssl_skey skey ;
-  genalloc certs = GENALLOC_ZERO ;  /* sbearssl_cert */
-  genalloc tas = GENALLOC_ZERO ;  /* sbearssl_ta */
-  stralloc storage = STRALLOC_ZERO ;
-  size_t chainlen = sbearssl_get_keycert(&skey, &certs, &storage) ;
-  size_t n = preoptions & 1 ? sbearssl_get_tas(&tas, &storage) : 0 ;
-
-  sbearssl_drop() ;
-  stralloc_shrink(&storage) ;
+  sbearssl_sni_policy_context pol ;
+  sbearssl_sni_policy_init(&pol) ;
 
+  if (!(preoptions & 8))  /* snilevel < 2 : add default keypair */
   {
-    union br_skey_u key ;
-    br_ssl_server_context sc ;
-    sbearssl_x509_small_context xc ;
-    br_x509_certificate chain[chainlen] ;
-    br_x509_trust_anchor btas[n ? n : 1] ;
-    unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
-
-    for (size_t i = 0 ; i < chainlen ; i++)
-      sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ;
-    genalloc_free(sbearssl_cert, &certs) ;
-
-    for (size_t i = 0 ; i < n ; i++)
-      sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ;
-    genalloc_free(sbearssl_ta, &tas) ;
+    char const *keyfile ;
+    char const *certfile = getenv("CERTFILE") ;
+    if (!certfile) strerr_dienotset(100, "CERTFILE") ;
+    keyfile = getenv("KEYFILE") ;
+    if (!keyfile) strerr_dienotset(100, "KEYFILE") ;
+    if (!sbearssl_sni_policy_add_keypair_file(&pol, "", certfile, keyfile))
+      strerr_diefu1sys(96, "add default keypair to policy context") ;
+  }
 
-    switch (skey.type)
+  if (preoptions & 4)  /* snilevel > 0 : add additional keypairs */
+  {
+    char const *const *envp = (char const *const *)environ ;
+    for (; *envp ; envp++)
     {
-      case BR_KEYTYPE_RSA :
-        sbearssl_rsa_skey_to(&skey.data.rsa, &key.rsa, storage.s) ;
-        br_ssl_server_init_full_rsa(&sc, chain, chainlen, &key.rsa) ;
-        break ;
-      case BR_KEYTYPE_EC :
+      if (str_start(*envp, "KEYFILE:"))
       {
-        int kt, r ;
-        sbearssl_ec_skey_to(&skey.data.ec, &key.ec, storage.s) ;
-        r = sbearssl_ec_issuer_keytype(&kt, &chain[0]) ;
-        switch (r)
+        size_t len = strlen(*envp) ;
+        size_t kequal = byte_chr(*envp, len, '=') ;
+        if (kequal == len) strerr_dief1x(100, "invalid environment") ;
+        if (kequal != 8)
         {
-          case -2 : strerr_dief1x(96, "certificate issuer key type not recognized") ;
-          case -1 : strerr_diefu1sys(111, "get certificate issuer key type") ;
-          case 0 : break ;
-          default : strerr_diefu3x(96, "get certificate issuer key type", ": ", sbearssl_error_str(r)) ;
+          char const *x ;
+          char certvar[len - kequal + 10] ;
+          memcpy(certvar, "CERTFILE:", 9) ;
+          memcpy(certvar + 9, *envp + 8, kequal - 8) ;
+          certvar[kequal + 1] = 0 ;
+          x = getenv(certvar) ;
+          if (!x)
+            strerr_dief3x(96, "environment variable KEYFILE:", certvar + 9, " not paired with the corresponding CERTFILE") ;
+          else if (!sbearssl_sni_policy_add_keypair_file(&pol, certvar + 9, x, *envp + kequal + 1))
+            strerr_diefu1sys(96, "sbearssl_sni_policy_add_keypair_file") ;
         }
-        br_ssl_server_init_full_ec(&sc, chain, chainlen, kt, &key.ec) ;
-        break ;
       }
-      default :
-        strerr_dief1x(96, "unsupported private key type") ;
     }
+  }
+
+  sbearssl_drop() ;
+
+  {
+    br_ssl_server_context sc ;
+    sbearssl_x509_small_context xc ;
+    stralloc tastorage = STRALLOC_ZERO ;
+    genalloc tas = GENALLOC_ZERO ;  /* sbearssl_ta */
+    size_t n = preoptions & 1 ? sbearssl_get_tas(&tas, &tastorage) : 0 ;
+    unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
+    br_x509_trust_anchor btas[n ? n : 1] ;
+
+    sbearssl_sctx_init_full_generic(&sc) ;
+    sbearssl_sctx_set_policy_sni(&sc, &pol) ;
+    random_string((char *)buf, 32) ;
+    random_finish() ;
+    br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ;
+    br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ;
 
     {
       uint32_t flags = BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION ;
@@ -72,25 +82,23 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
       br_ssl_engine_add_flags(&sc.eng, flags) ;
     }
 
-    if (n)
+    if (n)  /* Set up client cert verification */
     {
+      for (size_t i = 0 ; i < n ; i++)
+        sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, tastorage.s) ;
+      genalloc_free(sbearssl_ta, &tas) ;
       sbearssl_x509_small_init_full(&xc, btas, n, &cbarg->eedn, &cbarg->eltstatus, cbarg->eehash) ;
       if (!sbearssl_x509_small_set_tain(&xc, &STAMP))
         strerr_diefu1sys(111, "initialize validation time") ;
-      br_ssl_engine_set_x509(&sc.eng, &xc.vtable) ;
       br_ssl_engine_set_default_rsavrfy(&sc.eng) ;
       br_ssl_engine_set_default_ecdsa(&sc.eng) ;
+      br_ssl_engine_set_x509(&sc.eng, &xc.vtable) ;
       br_ssl_server_set_trust_anchor_names_alt(&sc, btas, n) ;
       cbarg->exportmask |= 3 ;
     }
 
-    random_string((char *)buf, 32) ;
-    random_finish() ;
-    br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ;
-    br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ;
     if (!br_ssl_server_reset(&sc))
       strerr_diefu2x(97, "reset server context: ", sbearssl_error_str(br_ssl_engine_last_error(&sc.eng))) ;
-
     sbearssl_run(&sc.eng, fds, tto, options, verbosity, cb, cbarg) ;
   }
 }
diff --git a/src/sbearssl/sbearssl_sni_policy_vtable.c b/src/sbearssl/sbearssl_sni_policy_vtable.c
index eca198a..dc18805 100644
--- a/src/sbearssl/sbearssl_sni_policy_vtable.c
+++ b/src/sbearssl/sbearssl_sni_policy_vtable.c
@@ -6,7 +6,9 @@
 #include <bearssl.h>
 
 #include <skalibs/bytestr.h>
-#include <skalibs/strerr2.h>
+#ifdef DEBUG
+# include <skalibs/strerr2.h>
+#endif
 #include <skalibs/stralloc.h>
 #include <skalibs/genalloc.h>
 #include <skalibs/avltree.h>
@@ -105,10 +107,22 @@ static int choose (br_ssl_server_policy_class const **pctx, br_ssl_server_contex
       int r = sbearssl_ec_issuer_keytype(&kt, &choices->chain[0]) ;
       switch (r)
       {
-        case -2 : strerr_warnw3x("certificate issuer key type not recognized", servername[0] ? " for name " : "", servername[0] ? servername : "") ; return 0 ;
-        case -1 : strerr_warnwu3sys("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "") ; return 0 ;
+        case -2 :
+#ifdef DEBUG
+          strerr_warnw3x("certificate issuer key type not recognized", servername[0] ? " for name " : "", servername[0] ? servername : "") ;
+#endif
+          return 0 ;
+        case -1 :
+#ifdef DEBUG
+          strerr_warnwu3sys("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "") ;
+#endif
+          return 0 ;
         case 0 : break ;
-        default : strerr_warnwu5x("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "", ": ", sbearssl_error_str(r)) ; return 0 ;
+        default :
+#ifdef DEBUG
+          strerr_warnwu5x("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "", ": ", sbearssl_error_str(r)) ;
+#endif
+          return 0 ;
       }
       if (!sbearssl_choose_algos_ec(sc, choices, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, kt)) return 0 ;
       pol->keyx.ec = sc->eng.iec ;  /* the br_ssl_engine_get_ec() abstraction lacks a const */
diff --git a/src/stls/stls_server_init_and_handshake.c b/src/stls/stls_server_init_and_handshake.c
index 2cc9585..2a8c235 100644
--- a/src/stls/stls_server_init_and_handshake.c
+++ b/src/stls/stls_server_init_and_handshake.c
@@ -47,12 +47,12 @@ struct tls *stls_server_init_and_handshake (int const *fds, tain_t const *tto, u
         if (kequal != 8)
         {
           char certvar[len - kequal + 10] ;
-          memcpy(certvar, "CERTFILE:", 9 ;
+          memcpy(certvar, "CERTFILE:", 9) ;
           memcpy(certvar + 9, *envp + 8, kequal - 8) ;
           certvar[kequal + 1] = 0 ;
           x = getenv(certvar) ;
           if (!x)
-            strerr_dief3x("environment variable KEYFILE:", certvar + 9, " not paired with the corresponding CERTFILE") ;
+            strerr_dief3x(96, "environment variable KEYFILE:", certvar + 9, " not paired with the corresponding CERTFILE") ;
           else if (tls_config_add_keypair_file(cfg, x, *envp + kequal + 1) < 0)
             diecfg(cfg, "tls_config_add_keypair_file") ;
         }
author	Laurent Bercot <ska-skaware@skarnet.org>	2021-06-01 20:35:49 +0000
committer	Laurent Bercot <ska-skaware@skarnet.org>	2021-06-01 20:35:49 +0000
commit	e36fd79f212a4fbcb69ef6fa6add4d06e52956b5 (patch)
tree	c42cb01748ca5b2622f14d4acbea54b7fdc84601
parent	a84b9b4e5d985a5d8a37268a76e1d35210fd31c5 (diff)
download	s6-networking-e36fd79f212a4fbcb69ef6fa6add4d06e52956b5.tar.xz