Alpha version of the SSL work.

 Doesn't build yet, but I'm scared of losing it, so using git as
storage.
 Will fix the stupid bugs now, the tricky bugs later.

1 files changed, 99 insertions, 0 deletions

diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c
new file mode 100644
index 0000000..1bc1114
--- /dev/null
+++ b/src/sbearssl/sbearssl_s6tlsd.c
@@ -0,0 +1,99 @@
+/* ISC license. */
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <errno.h>
+#include <bearssl.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/tai.h>
+#include <skalibs/env.h>
+#include <skalibs/stralloc.h>
+#include <skalibs/genalloc.h>
+#include <skalibs/djbunix.h>
+#include <skalibs/random.h>
+#include <s6-networking/sbearssl.h>
+
+int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity)
+{
+  stralloc storage = STRALLOC_ZERO ;
+  sbearssl_skey skey ;
+  genalloc certs = GENALLOC_ZERO ;
+  size_t chainlen ;
+
+  if (preoptions & 1)
+    strerr_dief1x(100, "client certificates are not supported by BearSSL yet") ;
+
+  {
+    char const *x = env_get2(envp, "KEYFILE") ;
+    int r ;
+    if (!x) strerr_dienotset(100, "KEYFILE") ;
+    r = sbearssl_skey_readfile(x, &skey, &storage) ;
+    if (r < 0)
+      strerr_diefu2sys(111, "read private key in ", x) ;
+    else if (r)
+      strerr_diefu4x(96, "decode private key in ", x, ": ", sbearssl_error_str(r)) ;
+
+    x = env_get2(envp, "CERTFILE") ;
+    if (!x) strerr_dienotset(100, "CERTFILE") ;
+    r = sbearssl_cert_readfile(x, &certs, &storage) ;
+    if (r < 0)
+      strerr_diefu2sys(111, "read certificate chain in ", x) ;
+    else if (r)
+      strerr_diefu4sys(96, "read certificate chain in ", x, ": ", sbearssl_error_str(r)) ;
+    chainlen = genalloc_len(sbearssl_cert, &certs) ;
+    if (!chainlen)
+      strerr_diefu2x(96, "find a certificate in ", x) ;
+  }
+
+  {
+    int fds[4] = { 0, 1, 0, 1 } ;
+    unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
+    br_ssl_server_context sc ;
+    union br_skey_u key ;
+    br_x509_certificate chain[chainlen] ;
+    size_t i = chainlen ;
+    pid_t pid ;
+
+    stralloc_shrink(&storage) ;
+    while (i--)
+      sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ;
+    genalloc_free(sbearssl_cert, &certs) ;
+
+    switch (skey.type)
+    {
+      case BR_KEYTYPE_RSA :
+        sbearssl_rsa_skey_to(&skey.rsa, &key.rsa, storage.s) ;
+        br_ssl_server_init_full_rsa(&sc, chain, chainlen, &key.rsa) ;
+        break ;
+      case BR_KEYTYPE_EC :
+        sbearssl_ec_skey_to(&skey.ec, &key.ec, storage.s) ;
+        br_ssl_server_init_full_ec(&sc, chain, chainlen, &key.ec) ;
+        break ;
+      default :
+      strerr_dief1x(96, "unsupported private key type") ;
+    }
+
+    if (!random_init())
+      strerr_diefu1sys(111, "initialize random generator") ;
+    random_string(buf, 32) ;
+    br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ;
+    random_finish() ;
+
+    pid = child_spawn2(argv[0], argv, envp, fds) ;
+    if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;
+    if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
+    if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
+
+    br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ;
+    br_ssl_server_reset(&sc) ;
+
+    {
+      int wstat ;
+      int r = sbearssl_run(&sc.eng, fds, verbosity, options, tto) ;
+      if (r < 0) strerr_diefu1sys(111, "run SSL engine") ;
+      else if (r) strerr_diefu3x(98, "run SSL engine", ": ", sbearssl_error_str(r)) ;
+      if (wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
+      return wait_estatus(wstat) ;
+    }
+  }
+}