Diffstat (limited to 'src/sbearssl')
-rw-r--r--src/sbearssl/deps-lib/sbearssl1
-rw-r--r--src/sbearssl/sbearssl_sctx_set_policy_sni.c2
-rw-r--r--src/sbearssl/sbearssl_server_init_and_run.c17
-rw-r--r--src/sbearssl/sbearssl_sni_policy_add_keypair_file.c19
-rw-r--r--src/sbearssl/sbearssl_sni_policy_nkeypairs.c11
-rw-r--r--src/sbearssl/sbearssl_sni_policy_vtable.c49
6 files changed, 53 insertions, 46 deletions
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index 4b6ea70..5241e56 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -38,6 +38,7 @@ sbearssl_skey_to.o
sbearssl_skey_wipe.o
sbearssl_sni_policy_add_keypair_file.o
sbearssl_sni_policy_init.o
+sbearssl_sni_policy_nkeypairs.o
sbearssl_sni_policy_vtable.o
sbearssl_suite_bits.o
sbearssl_suite_list.o
diff --git a/src/sbearssl/sbearssl_sctx_set_policy_sni.c b/src/sbearssl/sbearssl_sctx_set_policy_sni.c
index 166cd97..f5f3c8a 100644
--- a/src/sbearssl/sbearssl_sctx_set_policy_sni.c
+++ b/src/sbearssl/sbearssl_sctx_set_policy_sni.c
@@ -7,5 +7,5 @@
void sbearssl_sctx_set_policy_sni (br_ssl_server_context *sc, sbearssl_sni_policy_context *pol)
{
sc->chain_handler.vtable = pol->vtable ;
- sc->policy_vtable = &sc->chain_handler.vtable ;
+ sc->policy_vtable = &pol->vtable ;
}
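Review bot: `sc->policy_vtable` now points into `pol`, so the caller must keep `pol` alive and at a fixed address for as long as `sc` is used, and the function says nothing about that. BearSSL hands `*pctx` back to the policy callbacks, which cast it to the context (the `INSTANCE` macro in sbearssl_sni_policy_vtable.c), so a `pol` that is freed or moved after this call becomes a dangling context pointer inside the handshake. Suggest `/* sc keeps a pointer into pol: pol must outlive sc and must not be moved after this call */` above the second assignment.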
diff --git a/src/sbearssl/sbearssl_server_init_and_run.c b/src/sbearssl/sbearssl_server_init_and_run.c
index cdd2804..f8d8b31 100644
--- a/src/sbearssl/sbearssl_server_init_and_run.c
+++ b/src/sbearssl/sbearssl_server_init_and_run.c
@@ -22,13 +22,17 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
if (!(preoptions & 8)) /* snilevel < 2 : add default keypair */
{
+ int e ;
char const *keyfile ;
char const *certfile = getenv("CERTFILE") ;
if (!certfile) strerr_dienotset(100, "CERTFILE") ;
keyfile = getenv("KEYFILE") ;
if (!keyfile) strerr_dienotset(100, "KEYFILE") ;
- if (!sbearssl_sni_policy_add_keypair_file(&pol, "", certfile, keyfile))
+ e = sbearssl_sni_policy_add_keypair_file(&pol, "", certfile, keyfile) ;
+ if (e < 0)
strerr_diefu1sys(96, "add default keypair to policy context") ;
+ else if (e)
+ strerr_diefu3x(96, "add default keypair to policy context", ": ", sbearssl_error_str(e)) ;
}
if (preoptions & 4) /* snilevel > 0 : add additional keypairs */
@@ -43,6 +47,7 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
if (kequal == len) strerr_dief1x(100, "invalid environment") ;
if (kequal != 8)
{
+ int e ;
char const *x ;
char certvar[len - kequal + 10] ;
memcpy(certvar, "CERTFILE:", 9) ;
@@ -51,8 +56,11 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
x = getenv(certvar) ;
if (!x)
strerr_dief3x(96, "environment variable KEYFILE:", certvar + 9, " not paired with the corresponding CERTFILE") ;
- else if (!sbearssl_sni_policy_add_keypair_file(&pol, certvar + 9, x, *envp + kequal + 1))
- strerr_diefu1sys(96, "sbearssl_sni_policy_add_keypair_file") ;
+ e = sbearssl_sni_policy_add_keypair_file(&pol, certvar + 9, x, *envp + kequal + 1) ;
+ if (e < 0)
+ strerr_diefu3sys(96, "add keypair for servername ", certvar + 9, " to policy context") ;
+ else if (e)
+ strerr_diefu5x(96, "add default keypair for servername ", certvar + 9, " to policy context", ": ", sbearssl_error_str(e)) ;
}
}
}
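Review bot: The message in the `else if (e)` branch reads `add default keypair for servername` although this path handles the additional, named keypairs; the `-sys` variant two lines above correctly says `add keypair for servername`, so this looks copied from the default-keypair branch earlier in the file. Change it to `strerr_diefu5x(96, "add keypair for servername ", certvar + 9, " to policy context", ": ", sbearssl_error_str(e)) ;`. The enclosing function continues past both ends of the hunk.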
@@ -60,6 +68,9 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
sbearssl_drop() ;
+ if (!sbearssl_sni_policy_nkeypairs(&pol))
+ strerr_dief1x(96, "no suitable keypairs found in the environment") ;
+
{
br_ssl_server_context sc ;
sbearssl_x509_small_context xc ;
diff --git a/src/sbearssl/sbearssl_sni_policy_add_keypair_file.c b/src/sbearssl/sbearssl_sni_policy_add_keypair_file.c
index 2462645..6334f64 100644
--- a/src/sbearssl/sbearssl_sni_policy_add_keypair_file.c
+++ b/src/sbearssl/sbearssl_sni_policy_add_keypair_file.c
@@ -17,14 +17,19 @@ int sbearssl_sni_policy_add_keypair_file (sbearssl_sni_policy_context *pol, char
size_t gabase = genalloc_len(sbearssl_cert, &pol->certga) ;
size_t mbase = genalloc_len(sbearssl_sni_policy_node, &pol->mapga) ;
sbearssl_sni_policy_node node = { .servername = sabase, .chainindex = gabase } ;
+ int e ;
- if (!stralloc_catb(&pol->storage, servername, strlen(servername) + 1)) return 0 ;
- if (!sbearssl_cert_readbigpem(certfile, &pol->certga, &pol->storage)) goto err0 ;
+ if (!stralloc_catb(&pol->storage, servername, strlen(servername) + 1)) return -1 ;
+ e = sbearssl_cert_readbigpem(certfile, &pol->certga, &pol->storage) ;
+ if (e) goto err0 ;
node.chainlen = genalloc_len(sbearssl_cert, &pol->certga) - node.chainindex ;
- if (!sbearssl_skey_readfile(keyfile, &node.skey, &pol->storage)) goto err1 ;
- if (!genalloc_catb(sbearssl_sni_policy_node, &pol->mapga, &node, 1)) goto err2 ;
- if (!avltree_insert(&pol->map, mbase)) goto err3 ;
- return 1 ;
+ e = sbearssl_skey_readfile(keyfile, &node.skey, &pol->storage) ;
+ if (e) goto err1 ;
+ e = genalloc_catb(sbearssl_sni_policy_node, &pol->mapga, &node, 1) ? 0 : -1 ;
+ if (e) goto err2 ;
+ e = avltree_insert(&pol->map, mbase) ? 0 : -1 ;
+ if (e) goto err3 ;
+ return 0 ;
err3:
if (mbase) genalloc_setlen(sbearssl_sni_policy_node, &pol->mapga, mbase) ;
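Review bot: The return convention changes from a boolean to 0 on success, -1 with errno set, or a positive sbearssl error code (the `? 0 : -1` lines here and `return e` at err0 in the next hunk), but nothing in the hunk documents it, and the caller in sbearssl_server_init_and_run.c now depends on the sign of the result. Suggest a comment above the function: `/* returns 0 on success, -1 with errno set on a system or allocation error, or a positive sbearssl error code (see sbearssl_error_str) on a parse error */`. The signature and the err1/err2 labels lie outside the hunk, so whether a positive error from sbearssl_cert_readbigpem can leave partial entries in pol->certga that err0 does not unwind cannot be checked from here.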
@@ -37,5 +42,5 @@ int sbearssl_sni_policy_add_keypair_file (sbearssl_sni_policy_context *pol, char
err0:
if (sabase) pol->storage.len = sabase ;
else stralloc_free(&pol->storage) ;
- return 0 ;
+ return e ;
}
diff --git a/src/sbearssl/sbearssl_sni_policy_nkeypairs.c b/src/sbearssl/sbearssl_sni_policy_nkeypairs.c
new file mode 100644
index 0000000..43a2d98
--- /dev/null
+++ b/src/sbearssl/sbearssl_sni_policy_nkeypairs.c
@@ -0,0 +1,11 @@
+/* ISC license. */
+
+#include <skalibs/genalloc.h>
+
+#include <s6-networking/sbearssl.h>
+#include "sbearssl-internal.h"
+
+size_t sbearssl_sni_policy_nkeypairs (sbearssl_sni_policy_context const *pol)
+{
+ return genalloc_len(sbearssl_sni_policy_node, &pol->mapga) ;
+}
diff --git a/src/sbearssl/sbearssl_sni_policy_vtable.c b/src/sbearssl/sbearssl_sni_policy_vtable.c
index 6d6bcc3..26bc9a6 100644
--- a/src/sbearssl/sbearssl_sni_policy_vtable.c
+++ b/src/sbearssl/sbearssl_sni_policy_vtable.c
@@ -6,9 +6,6 @@
#include <bearssl.h>
#include <skalibs/bytestr.h>
-#ifdef DEBUG
-# include <skalibs/strerr2.h>
-#endif
#include <skalibs/stralloc.h>
#include <skalibs/genalloc.h>
#include <skalibs/avltree.h>
@@ -18,28 +15,27 @@
#define INSTANCE(c) ((sbearssl_sni_policy_context *)(c))
-#define COPY(x) do { k.data.rsa.x = m ; memcpy(s + m, t + k.data.rsa.x, k.data.rsa.x##len) ; m += k.data.rsa.x##len ; } while (0)
+#define COPY(x) do { k->data.rsa.x##len = l->data.rsa.x##len ; k->data.rsa.x = (unsigned char *)s + m ; memcpy(s + m, t + l->data.rsa.x, l->data.rsa.x##len) ; m += l->data.rsa.x##len ; } while (0)
-static inline size_t skey_copy (br_skey *key, sbearssl_skey const *l, char *s, char const *t)
+static inline size_t skey_copy (br_skey *k, sbearssl_skey const *l, char *s, char const *t)
{
- sbearssl_skey k = *l ;
size_t m = 0 ;
- switch (k.type)
+ k->type = l->type ;
+ switch (l->type)
{
case BR_KEYTYPE_RSA :
- {
+ k->data.rsa.n_bitlen = l->data.rsa.n_bitlen ;
COPY(p) ; COPY(q) ; COPY(dp) ; COPY(dq) ; COPY(iq) ;
break ;
- }
case BR_KEYTYPE_EC :
- k.data.ec.x = m ; memcpy(s + m, t + k.data.ec.x, k.data.ec.xlen) ; m += k.data.ec.xlen ;
+ k->data.ec.curve = l->data.ec.curve ;
+ k->data.ec.xlen = l->data.ec.xlen ; k->data.ec.x = (unsigned char *)s + m ; memcpy(s + m, t + l->data.ec.x, l->data.ec.xlen) ; m += l->data.ec.xlen ;
break ;
}
- sbearssl_skey_to(&k, key, s) ;
return m ;
}
-static size_t cert_copy (br_x509_certificate *newc, sbearssl_cert const *oldc, char *s, char const *t)
+static inline size_t cert_copy (br_x509_certificate *newc, sbearssl_cert const *oldc, char *s, char const *t)
{
memcpy(s, t + oldc->data, oldc->datalen) ;
newc->data = (unsigned char *)s ;
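Review bot: `switch (l->type)` in skey_copy has no `default` arm, so for a type other than RSA or EC the rewritten function sets `k->type` but leaves `k->data` untouched and returns 0, where the old code at least passed the key through sbearssl_skey_to; nothing in the hunk shows the type being validated earlier. If sbearssl_skey_readfile guarantees only these two types reach the policy, state it with `default : break ; /* unreachable: key type validated when the key was loaded */`; otherwise the node should be rejected rather than copied half-filled. Separately, the rewritten COPY macro silently relies on the locals `k`, `l`, `s`, `t` and `m`, which deserves a one-line comment above the `#define`. cert_copy's body continues past the hunk.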
@@ -56,9 +52,11 @@ static int choose (br_ssl_server_policy_class const **pctx, br_ssl_server_contex
/* Get the node corresponding to the ServerName sent by the client. "" for no SNI. */
{
uint32_t n ;
- if (!avltree_search(&pol->map, servername, &n)
- && (!servername[0] || !avltree_search(&pol->map, "", &n)))
- return 0 ;
+ if (!avltree_search(&pol->map, servername, &n))
+ {
+ if (!servername[0]) return 0 ;
+ if (!avltree_search(&pol->map, "", &n)) return 0 ;
+ }
avltree_free(&pol->map) ;
node = genalloc_s(sbearssl_sni_policy_node, &pol->mapga) + n ;
}
@@ -104,26 +102,7 @@ static int choose (br_ssl_server_policy_class const **pctx, br_ssl_server_contex
case BR_KEYTYPE_EC :
{
int kt ;
- int r = sbearssl_ec_issuer_keytype(&kt, &choices->chain[0]) ;
- switch (r)
- {
- case -2 :
-#ifdef DEBUG
- strerr_warnw3x("certificate issuer key type not recognized", servername[0] ? " for name " : "", servername[0] ? servername : "") ;
-#endif
- return 0 ;
- case -1 :
-#ifdef DEBUG
- strerr_warnwu3sys("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "") ;
-#endif
- return 0 ;
- case 0 : break ;
- default :
-#ifdef DEBUG
- strerr_warnwu5x("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "", ": ", sbearssl_error_str(r)) ;
-#endif
- return 0 ;
- }
+ if (sbearssl_ec_issuer_keytype(&kt, &choices->chain[0])) return 0 ;
if (!sbearssl_choose_algos_ec(sc, choices, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, kt)) return 0 ;
pol->keyx.ec = sc->eng.iec ; /* the br_ssl_engine_get_ec() abstraction lacks a const */
pol->sign.ec = br_ecdsa_i31_sign_asn1 ; /* have to hardcode, no access to BR_LOMUL */
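Review bot: The collapsed `if (sbearssl_ec_issuer_keytype(&kt, &choices->chain[0])) return 0 ;` drops every diagnostic for this failure, so a misconfigured EC chain (unrecognized issuer key type, read error or parse error, previously distinguished as -2, -1 and positive) now aborts the handshake with nothing to trace it from the server side. That is a defensible choice inside a BearSSL callback, but it should be stated where the next reader will look, e.g. `/* any failure aborts the handshake; the peer only sees a handshake failure and nothing is logged here */`. choose's body continues past both ends of the hunk.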