author | Laurent Bercot <ska-skaware@skarnet.org> | 2021-05-28 01:05:56 +0000 |
---|---|---|
committer | Laurent Bercot <ska-skaware@skarnet.org> | 2021-05-28 01:05:56 +0000 |
commit | 02afa553cc33400ead38ac85f8f7f2f3fe79f49d (patch) | |
tree | d0d22ad521d9d3b8e28af128bae0ec796b35ff74 /src/stls | |
parent | d5ce828c97505e429e0cc87b5e87da4f7d291ad4 (diff) | |
download | s6-networking-02afa553cc33400ead38ac85f8f7f2f3fe79f49d.tar.xz |
Server-side SNI, libtls version
Implementation for bearssl coming soon.
Diffstat (limited to 'src/stls')
-rw-r--r-- | src/stls/stls_server_init_and_handshake.c | 48 |
1 files changed, 38 insertions, 10 deletions
diff --git a/src/stls/stls_server_init_and_handshake.c b/src/stls/stls_server_init_and_handshake.c
index 4a5b2ff..2cc9585 100644
--- a/src/stls/stls_server_init_and_handshake.c
+++ b/src/stls/stls_server_init_and_handshake.c
@@ -4,6 +4,8 @@
 #include <tls.h>
+#include <skalibs/posixplz.h>
+#include <skalibs/bytestr.h>
 #include <skalibs/strerr2.h>
 #include <s6-networking/stls.h>
@@ -23,15 +25,40 @@ struct tls *stls_server_init_and_handshake (int const *fds, tain_t const *tto, u
 cfg = tls_config_new() ;
 if (!cfg) strerr_diefu1sys(111, "tls_config_new") ;
- x = getenv("CERTFILE") ;
- if (!x) strerr_dienotset(100, "CERTFILE") ;
- if (tls_config_set_cert_file(cfg, x) < 0)
- diecfg(cfg, "tls_config_set_cert_file") ;
-
- x = getenv("KEYFILE") ;
- if (!x) strerr_dienotset(100, "KEYFILE") ;
- if (tls_config_set_key_file(cfg, x) < 0)
- diecfg(cfg, "tls_config_set_key_file") ;
+ if (!(preoptions & 8)) /* snilevel < 2 */
+ {
+ char const *y = getenv("CERTFILE") ;
+ if (!y) strerr_dienotset(100, "CERTFILE") ;
+ x = getenv("KEYFILE") ;
+ if (!x) strerr_dienotset(100, "KEYFILE") ;
+ if (tls_config_set_keypair_file(cfg, y, x) < 0)
+ diecfg(cfg, "tls_config_set_keypair_file") ;
+ }
+ if (preoptions & 4) /* snilevel > 0 */
+ {
+ char const *const *envp = (char const *const *)environ ;
+ for (; *envp ; envp++)
+ {
+ if (str_start(*envp, "KEYFILE:"))
+ {
+ size_t len = strlen(*envp) ;
+ size_t kequal = byte_chr(*envp, len, '=') ;
+ if (kequal == len) strerr_dief1x(100, "invalid environment") ;
+ if (kequal != 8)
+ {
+ char certvar[len - kequal + 10] ;
+ memcpy(certvar, "CERTFILE:", 9 ;
+ memcpy(certvar + 9, *envp + 8, kequal - 8) ;
+ certvar[kequal + 1] = 0 ;
+ x = getenv(certvar) ;
+ if (!x)
+ strerr_dief3x("environment variable KEYFILE:", certvar + 9, " not paired with the corresponding CERTFILE") ;
+ else if (tls_config_add_keypair_file(cfg, x, *envp + kequal + 1) < 0)
+ diecfg(cfg, "tls_config_add_keypair_file") ;
+ }
+ }
+ }
+ }
 stls_drop() ;
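Review bot: The VLA `certvar` in the `preoptions & 4` loop is sized from the value part of the environment entry, `len - kequal + 10`, but the writes that follow fill `kequal + 2` bytes (the 9-byte `CERTFILE:` prefix, the `kequal - 8` name bytes, and the terminator stored at index `kequal + 1`), so any `KEYFILE:<name>=<value>` entry whose name is longer than its value overruns the stack buffer; the declaration should be `char certvar[kequal + 2] ;`. Two lines further down, `memcpy(certvar, "CERTFILE:", 9 ;` is missing its closing parenthesis and will not compile, and the `strerr_dief3x(...)` call passes three strings with no exit code, unlike the `strerr_dief1x(100, ...)` call just above it — presumably it should read `strerr_dief3x(100, "environment variable KEYFILE:", certvar + 9, " not paired with the corresponding CERTFILE") ;`. The enclosing function stls_server_init_and_handshake begins and ends outside this hunk.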
@@ -76,7 +103,8 @@ struct tls *stls_server_init_and_handshake (int const *fds, tain_t const *tto, u
 tls_config_free(cfg) ;
 if (tls_accept_fds(sctx, &ctx, fds[0], fds[1]) < 0) diectx(97, sctx, "tls_accept_fds") ;
- tls_free(sctx) ;
+ /* We can't free sctx, ctx has pointers into it! Stupid API. We let sctx leak. */
+ /* tls_free(sctx) ; */
 stls_handshake(ctx, tto) ;
 return ctx ;
 }
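Review bot: The commented-out `/* tls_free(sctx) ; */` line is dead code; the explanation on the line above it is what a reader needs, so delete the call and keep the comment. The comment should also record the assumption that makes the leak acceptable — I infer from the hunk that this function is expected to run once per process, since otherwise a long-lived caller would leak one server context per call — e.g. `/* ctx keeps pointers into sctx, so sctx cannot be freed here; it is leaked deliberately on the assumption that this function runs once per process. */`. The start of stls_server_init_and_handshake is outside this hunk.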