Diffstat (limited to 'src/sbearssl')
-rw-r--r--src/sbearssl/sbearssl_server_init_and_run.c104
-rw-r--r--src/sbearssl/sbearssl_sni_policy_vtable.c22
2 files changed, 74 insertions, 52 deletions
diff --git a/src/sbearssl/sbearssl_server_init_and_run.c b/src/sbearssl/sbearssl_server_init_and_run.c
index 467041a..cdd2804 100644
--- a/src/sbearssl/sbearssl_server_init_and_run.c
+++ b/src/sbearssl/sbearssl_server_init_and_run.c
@@ -5,6 +5,8 @@
#include <bearssl.h>
+#include <skalibs/posixplz.h>
+#include <skalibs/bytestr.h>
#include <skalibs/strerr2.h>
#include <skalibs/stralloc.h>
#include <skalibs/genalloc.h>
@@ -15,56 +17,64 @@
void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, sbearssl_handshake_cbfunc_ref cb, sbearssl_handshake_cbarg *cbarg)
{
- sbearssl_skey skey ;
- genalloc certs = GENALLOC_ZERO ; /* sbearssl_cert */
- genalloc tas = GENALLOC_ZERO ; /* sbearssl_ta */
- stralloc storage = STRALLOC_ZERO ;
- size_t chainlen = sbearssl_get_keycert(&skey, &certs, &storage) ;
- size_t n = preoptions & 1 ? sbearssl_get_tas(&tas, &storage) : 0 ;
-
- sbearssl_drop() ;
- stralloc_shrink(&storage) ;
+ sbearssl_sni_policy_context pol ;
+ sbearssl_sni_policy_init(&pol) ;
+ if (!(preoptions & 8)) /* snilevel < 2 : add default keypair */
{
- union br_skey_u key ;
- br_ssl_server_context sc ;
- sbearssl_x509_small_context xc ;
- br_x509_certificate chain[chainlen] ;
- br_x509_trust_anchor btas[n ? n : 1] ;
- unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
-
- for (size_t i = 0 ; i < chainlen ; i++)
- sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ;
- genalloc_free(sbearssl_cert, &certs) ;
-
- for (size_t i = 0 ; i < n ; i++)
- sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ;
- genalloc_free(sbearssl_ta, &tas) ;
+ char const *keyfile ;
+ char const *certfile = getenv("CERTFILE") ;
+ if (!certfile) strerr_dienotset(100, "CERTFILE") ;
+ keyfile = getenv("KEYFILE") ;
+ if (!keyfile) strerr_dienotset(100, "KEYFILE") ;
+ if (!sbearssl_sni_policy_add_keypair_file(&pol, "", certfile, keyfile))
+ strerr_diefu1sys(96, "add default keypair to policy context") ;
+ }
- switch (skey.type)
+ if (preoptions & 4) /* snilevel > 0 : add additional keypairs */
+ {
+ char const *const *envp = (char const *const *)environ ;
+ for (; *envp ; envp++)
{
- case BR_KEYTYPE_RSA :
- sbearssl_rsa_skey_to(&skey.data.rsa, &key.rsa, storage.s) ;
- br_ssl_server_init_full_rsa(&sc, chain, chainlen, &key.rsa) ;
- break ;
- case BR_KEYTYPE_EC :
+ if (str_start(*envp, "KEYFILE:"))
{
- int kt, r ;
- sbearssl_ec_skey_to(&skey.data.ec, &key.ec, storage.s) ;
- r = sbearssl_ec_issuer_keytype(&kt, &chain[0]) ;
- switch (r)
+ size_t len = strlen(*envp) ;
+ size_t kequal = byte_chr(*envp, len, '=') ;
+ if (kequal == len) strerr_dief1x(100, "invalid environment") ;
+ if (kequal != 8)
{
- case -2 : strerr_dief1x(96, "certificate issuer key type not recognized") ;
- case -1 : strerr_diefu1sys(111, "get certificate issuer key type") ;
- case 0 : break ;
- default : strerr_diefu3x(96, "get certificate issuer key type", ": ", sbearssl_error_str(r)) ;
+ char const *x ;
+ char certvar[len - kequal + 10] ;
+ memcpy(certvar, "CERTFILE:", 9) ;
+ memcpy(certvar + 9, *envp + 8, kequal - 8) ;
+ certvar[kequal + 1] = 0 ;
+ x = getenv(certvar) ;
+ if (!x)
+ strerr_dief3x(96, "environment variable KEYFILE:", certvar + 9, " not paired with the corresponding CERTFILE") ;
+ else if (!sbearssl_sni_policy_add_keypair_file(&pol, certvar + 9, x, *envp + kequal + 1))
+ strerr_diefu1sys(96, "sbearssl_sni_policy_add_keypair_file") ;
}
- br_ssl_server_init_full_ec(&sc, chain, chainlen, kt, &key.ec) ;
- break ;
}
- default :
- strerr_dief1x(96, "unsupported private key type") ;
}
+ }
+
+ sbearssl_drop() ;
+
+ {
+ br_ssl_server_context sc ;
+ sbearssl_x509_small_context xc ;
+ stralloc tastorage = STRALLOC_ZERO ;
+ genalloc tas = GENALLOC_ZERO ; /* sbearssl_ta */
+ size_t n = preoptions & 1 ? sbearssl_get_tas(&tas, &tastorage) : 0 ;
+ unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
+ br_x509_trust_anchor btas[n ? n : 1] ;
+
+ sbearssl_sctx_init_full_generic(&sc) ;
+ sbearssl_sctx_set_policy_sni(&sc, &pol) ;
+ random_string((char *)buf, 32) ;
+ random_finish() ;
+ br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ;
+ br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ;
{
uint32_t flags = BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION ;
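Review bot: The VLA `char certvar[len - kequal + 10]` in the `if (kequal != 8)` branch is sized from the length of the value part of the environment entry (`len - kequal`), but it is then written with `kequal + 2` bytes: 9 bytes of `"CERTFILE:"`, `kequal - 8` bytes of name, and the terminator stored at `certvar[kequal + 1]`. Any `KEYFILE:<name>=<path>` entry whose name is more than one character longer than its path therefore overflows the stack buffer (e.g. a 5-character name with a 3-character path writes 15 bytes into 14). The environment is operator-supplied here, so this is a crash on a valid configuration rather than a remote issue, but it is still memory corruption on the startup path. Size the buffer from the name instead: `char certvar[kequal + 2] ;`. The function body continues past this hunk.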
@@ -72,25 +82,23 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
br_ssl_engine_add_flags(&sc.eng, flags) ;
}
- if (n)
+ if (n) /* Set up client cert verification */
{
+ for (size_t i = 0 ; i < n ; i++)
+ sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, tastorage.s) ;
+ genalloc_free(sbearssl_ta, &tas) ;
sbearssl_x509_small_init_full(&xc, btas, n, &cbarg->eedn, &cbarg->eltstatus, cbarg->eehash) ;
if (!sbearssl_x509_small_set_tain(&xc, &STAMP))
strerr_diefu1sys(111, "initialize validation time") ;
- br_ssl_engine_set_x509(&sc.eng, &xc.vtable) ;
br_ssl_engine_set_default_rsavrfy(&sc.eng) ;
br_ssl_engine_set_default_ecdsa(&sc.eng) ;
+ br_ssl_engine_set_x509(&sc.eng, &xc.vtable) ;
br_ssl_server_set_trust_anchor_names_alt(&sc, btas, n) ;
cbarg->exportmask |= 3 ;
}
- random_string((char *)buf, 32) ;
- random_finish() ;
- br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ;
- br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ;
if (!br_ssl_server_reset(&sc))
strerr_diefu2x(97, "reset server context: ", sbearssl_error_str(br_ssl_engine_last_error(&sc.eng))) ;
-
sbearssl_run(&sc.eng, fds, tto, options, verbosity, cb, cbarg) ;
}
}
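Review bot: Client certificate verification at `if (n) /* Set up client cert verification */` is installed only when at least one trust anchor was loaded, so if `preoptions & 1` was requested but `sbearssl_get_tas` returned 0 (an empty CADIR, for instance) the server starts with no X.509 engine at all and accepts any client — a fail-open on the very option meant to enforce authentication. Unless sbearssl_get_tas itself refuses an empty anchor set (not visible in this diff), add a guard before the block: `if ((preoptions & 1) && !n) strerr_dief1x(96, "no trust anchor found: cannot verify client certificates") ;`. The enclosing function begins before this hunk.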
diff --git a/src/sbearssl/sbearssl_sni_policy_vtable.c b/src/sbearssl/sbearssl_sni_policy_vtable.c
index eca198a..dc18805 100644
--- a/src/sbearssl/sbearssl_sni_policy_vtable.c
+++ b/src/sbearssl/sbearssl_sni_policy_vtable.c
@@ -6,7 +6,9 @@
#include <bearssl.h>
#include <skalibs/bytestr.h>
-#include <skalibs/strerr2.h>
+#ifdef DEBUG
+# include <skalibs/strerr2.h>
+#endif
#include <skalibs/stralloc.h>
#include <skalibs/genalloc.h>
#include <skalibs/avltree.h>
@@ -105,10 +107,22 @@ static int choose (br_ssl_server_policy_class const **pctx, br_ssl_server_contex
int r = sbearssl_ec_issuer_keytype(&kt, &choices->chain[0]) ;
switch (r)
{
- case -2 : strerr_warnw3x("certificate issuer key type not recognized", servername[0] ? " for name " : "", servername[0] ? servername : "") ; return 0 ;
- case -1 : strerr_warnwu3sys("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "") ; return 0 ;
+ case -2 :
+#ifdef DEBUG
+ strerr_warnw3x("certificate issuer key type not recognized", servername[0] ? " for name " : "", servername[0] ? servername : "") ;
+#endif
+ return 0 ;
+ case -1 :
+#ifdef DEBUG
+ strerr_warnwu3sys("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "") ;
+#endif
+ return 0 ;
case 0 : break ;
- default : strerr_warnwu5x("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "", ": ", sbearssl_error_str(r)) ; return 0 ;
+ default :
+#ifdef DEBUG
+ strerr_warnwu5x("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "", ": ", sbearssl_error_str(r)) ;
+#endif
+ return 0 ;
}
if (!sbearssl_choose_algos_ec(sc, choices, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, kt)) return 0 ;
pol->keyx.ec = sc->eng.iec ; /* the br_ssl_engine_get_ec() abstraction lacks a const */
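Review bot: Wrapping the three `strerr_warn*` calls under `#ifdef DEBUG` means a release build returns 0 from `choose` — aborting the handshake — with no server-side trace when the issuer key type of the selected chain cannot be determined, so a misconfigured `CERTFILE:<name>` chain shows up only as an unexplained alert on the client side. Since these messages fire per handshake and the SNI name is client-chosen, unconditional logging was a log-flooding risk, so the intent is understandable, but a message gated on the existing verbosity setting (if it is reachable from the policy context) would keep the diagnostic without the flood. If the silence is deliberate, say so above the `switch (r)`: `/* silent in release builds: an unrecognized issuer key type on an installed chain is a configuration error; rebuild with DEBUG to see which name fails */`. choose's body begins and ends outside this hunk.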