6 files changed, 319 insertions, 2 deletions

diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index 13df389..dfa4f29 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -3,6 +3,7 @@ sbearssl_cert_from.o
 sbearssl_cert_readbigpem.o
 sbearssl_cert_readfile.o
 sbearssl_cert_to.o
+sbearssl_client_init_and_run.o
 sbearssl_drop.o
 sbearssl_ec_issuer_keytype.o
 sbearssl_ec_pkey_from.o
@@ -21,9 +22,14 @@ sbearssl_rsa_pkey_to.o
 sbearssl_rsa_skey_from.o
 sbearssl_rsa_skey_to.o
 sbearssl_run.o
+sbearssl_send_environment.o
+sbearssl_server_init_and_run.o
 sbearssl_skey_from.o
 sbearssl_skey_readfile.o
 sbearssl_skey_to.o
+sbearssl_suite_bits.o
+sbearssl_suite_list.o
+sbearssl_suite_name.o
 sbearssl_ta_cert.o
 sbearssl_ta_certs.o
 sbearssl_ta_from.o
@@ -33,7 +39,5 @@ sbearssl_ta_to.o
 sbearssl_x500_name_len.o
 sbearssl_x500_from_ta.o
 sbearssl_x509_minimal_set_tai.o
-sbearssl_client_init_and_run.o
-sbearssl_server_init_and_run.o
 -lbearssl
 -lskarnet
diff --git a/src/sbearssl/sbearssl-internal.h b/src/sbearssl/sbearssl-internal.h
index 2d98680..bfaad73 100644
--- a/src/sbearssl/sbearssl-internal.h
+++ b/src/sbearssl/sbearssl-internal.h
@@ -5,9 +5,12 @@
 
 #include <sys/types.h>
 #include <stdint.h>
+
 #include <bearssl.h>
+
 #include <skalibs/stralloc.h>
 #include <skalibs/genalloc.h>
+
 #include <s6-networking/sbearssl.h>
 
 typedef struct sbearssl_strallocerr_s sbearssl_strallocerr, *sbearssl_strallocerr_ref ;
@@ -17,8 +20,56 @@ struct sbearssl_strallocerr_s
   int err ;
 } ;
 
+typedef enum sbearssl_suite_prop_e sbearssl_suite_prop ;
+enum sbearssl_suite_prop_e
+{
+ /* key exchange */
+  kRSA      = 1<<0,
+  ECDHE     = 1<<1,
+
+ /* authentication */
+  aRSA      = 1<<2,
+  ECDSA     = 1<<3,
+
+ /* encryption */
+  TRIPLEDES = 1<<4,
+  AES128    = 1<<5,
+  AES256    = 1<<6,
+  AESGCM    = 1<<7,
+  AESCCM    = 1<<8,
+  AESCCM8   = 1<<9,
+  CHACHA20  = 1<<10,
+
+ /* MAC */
+  AEAD      = 1<<11,
+  SHA1      = 1<<12,
+  SHA256    = 1<<13,
+  SHA384    = 1<<14,
+
+ /* minimum TLS version */
+  TLS10     = 1<<15,
+  TLS12     = 1<<16,
+
+ /* strength */
+  HIGH      = 1<<17,
+  MEDIUM    = 1<<18,
+  LOW       = 1<<19,
+} ;
+
+typedef struct sbearssl_suiteinfo_s sbearssl_suiteinfo, *sbearssl_suiteinfo_ref ;
+struct sbearssl_suiteinfo_s
+{
+  char name[32] ;
+  uint16_t id ;
+  sbearssl_suite_prop prop ;
+  uint16_t bits ;
+} ;
+
 extern void sbearssl_drop (void) ;
 extern void sbearssl_append (void *, void const *, size_t) ;
 extern int sbearssl_pem_push (br_pem_decoder_context *, char const *, size_t, sbearssl_pemobject *, genalloc *, sbearssl_strallocerr *, int *) ;
 
+extern sbearssl_suiteinfo const *const sbearssl_suite_list ;
+extern size_t const sbearssl_suite_list_len ;
+
 #endif
diff --git a/src/sbearssl/sbearssl_send_environment.c b/src/sbearssl/sbearssl_send_environment.c
new file mode 100644
index 0000000..3e1f1e1
--- /dev/null
+++ b/src/sbearssl/sbearssl_send_environment.c
@@ -0,0 +1,31 @@
+/* ISC license. */
+
+#include <skalibs/bytestr.h>
+#include <skalibs/buffer.h>
+
+#include <bearssl.h>
+
+#include <s6-networking/sbearssl.h>
+
+int sbearssl_send_environment (br_ssl_engine_context *ctx, int fd)
+{
+  char buf[4096] ;
+  buffer b = BUFFER_INIT(&buffer_write, fd, buf, 4096) ;
+  unsigned int v = br_ssl_engine_get_version(ctx) ;
+  char const *suite ;
+  br_ssl_session_parameters params ;
+
+  br_ssl_engine_get_session_parameters(ctx, &params) ;
+  suite = sbearssl_suite_name(&params) ;
+  byte_zzero((char *)params.master_secret, 48) ;
+  if (!suite) suite = "" ;
+
+  if (buffer_puts(&b, "SSL_PROTOCOL=") < 0
+   || buffer_puts(&b, v == BR_TLS12 ? "TLSv1.2" : v == BR_TLS11 ? "TLSv1.1" : v == BR_TLS10 ? "TLSv1" : "unknown") < 0
+   || buffer_put(&b, "", 1) < 0
+   || buffer_puts(&b, "SSL_CIPHER=") < 0
+   || buffer_puts(&b, suite) < 0
+   || buffer_putflush(&b, "\0", 2) < 0)
+    return 0 ;
+  return 1 ;
+}
diff --git a/src/sbearssl/sbearssl_suite_bits.c b/src/sbearssl/sbearssl_suite_bits.c
new file mode 100644
index 0000000..8e2584e
--- /dev/null
+++ b/src/sbearssl/sbearssl_suite_bits.c
@@ -0,0 +1,16 @@
+/* ISC license. */
+
+#include <stdint.h>
+
+#include <bearssl.h>
+
+#include <s6-networking/sbearssl.h>
+#include "sbearssl-internal.h"
+
+uint16_t sbearssl_suite_bits (br_ssl_session_parameters const *params)
+{
+  for (size_t i = 0 ; i < sbearssl_suite_list_len ; i++)
+    if (sbearssl_suite_list[i].id == params->cipher_suite)
+      return sbearssl_suite_list[i].bits ;
+  return 0 ;
+}
diff --git a/src/sbearssl/sbearssl_suite_list.c b/src/sbearssl/sbearssl_suite_list.c
new file mode 100644
index 0000000..b51c480
--- /dev/null
+++ b/src/sbearssl/sbearssl_suite_list.c
@@ -0,0 +1,201 @@
+/* ISC license. */
+
+/* Copied from Michael Forney's libtls-bearssl */
+
+#include "sbearssl-internal.h"
+
+static sbearssl_suiteinfo const sbearssl_suite_list_[] =
+{
+  {
+    "ECDHE-ECDSA-CHACHA20-POLY1305",
+    BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+    ECDHE|ECDSA|CHACHA20|AEAD|TLS12|HIGH,
+    256,
+  },
+  {
+    "ECDHE-RSA-CHACHA20-POLY1305",
+    BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+    ECDHE|aRSA|CHACHA20|AEAD|TLS12|HIGH,
+    256,
+  },
+  {
+    "ECDHE-ECDSA-AES128-GCM-SHA256",
+    BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    ECDHE|ECDSA|AES128|AESGCM|AEAD|TLS12|HIGH,
+    128,
+  },
+  {
+    "ECDHE-RSA-AES128-GCM-SHA256",
+    BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    ECDHE|aRSA|AES128|AESGCM|AEAD|TLS12|HIGH,
+    128,
+  },
+  {
+    "ECDHE-ECDSA-AES256-GCM-SHA384",
+    BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    ECDHE|ECDSA|AES256|AESGCM|AEAD|TLS12|HIGH,
+    256,
+  },
+  {
+    "ECDHE-RSA-AES256-GCM-SHA384",
+    BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    ECDHE|aRSA|AES256|AESGCM|AEAD|TLS12|HIGH,
+    256,
+  },
+  {
+    "ECDHE-ECDSA-AES128-CCM",
+    BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+    ECDHE|ECDSA|AES128|AESCCM|AEAD|TLS12|HIGH,
+    128,
+  },
+  {
+    "ECDHE-ECDSA-AES256-CCM",
+    BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+    ECDHE|ECDSA|AES256|AESCCM|AEAD|TLS12|HIGH,
+    256,
+  },
+  {
+    "ECDHE-ECDSA-AES128-CCM8",
+    BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+    ECDHE|ECDSA|AES128|AESCCM8|AEAD|TLS12|HIGH,
+    128,
+  },
+  {
+    "ECDHE-ECDSA-AES256-CCM8",
+    BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+    ECDHE|ECDSA|AES256|AESCCM8|AEAD|TLS12|HIGH,
+    256,
+  },
+  {
+    "ECDHE-ECDSA-AES128-SHA256",
+    BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    ECDHE|ECDSA|AES128|SHA256|TLS12|HIGH,
+    128,
+  },
+  {
+    "ECDHE-RSA-AES128-SHA256",
+    BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    ECDHE|aRSA|AES128|SHA256|TLS12|HIGH,
+    128,
+  },
+  {
+    "ECDHE-ECDSA-AES256-SHA384",
+    BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    ECDHE|ECDSA|AES256|SHA384|TLS12|HIGH,
+    256,
+  },
+  {
+    "ECDHE-RSA-AES256-SHA384",
+    BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    ECDHE|aRSA|AES256|SHA384|TLS12|HIGH,
+    256,
+  },
+  {
+    "ECDHE-ECDSA-AES128-SHA",
+    BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    ECDHE|ECDSA|AES128|SHA1|TLS10|HIGH,
+    128,
+  },
+  {
+    "ECDHE-RSA-AES128-SHA",
+    BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    ECDHE|aRSA|AES128|SHA1|TLS10|HIGH,
+    128,
+  },
+  {
+    "ECDHE-ECDSA-AES256-SHA",
+    BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    ECDHE|ECDSA|AES256|SHA1|TLS10|HIGH,
+    256,
+  },
+  {
+    "ECDHE-RSA-AES256-SHA",
+    BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    ECDHE|aRSA|AES256|SHA1|TLS10|HIGH,
+    256,
+  },
+ /* ECDH suites, used in BearSSL "full" profile do
+  * not have corresponding OpenSSL
+  */
+  {
+    "AES128-GCM-SHA256",
+    BR_TLS_RSA_WITH_AES_128_GCM_SHA256,
+    kRSA|aRSA|AES128|AESGCM|SHA256|TLS12|HIGH,
+    128,
+  },
+  {
+    "AES256-GCM-SHA384",
+    BR_TLS_RSA_WITH_AES_256_GCM_SHA384,
+    kRSA|aRSA|AES256|AESGCM|SHA384|TLS12|HIGH,
+    256,
+  },
+  {
+    "AES128-CCM",
+    BR_TLS_RSA_WITH_AES_128_CCM,
+    kRSA|aRSA|AES128|AESCCM|TLS12|HIGH,
+    128,
+  },
+  {
+    "AES256-CCM",
+    BR_TLS_RSA_WITH_AES_256_CCM,
+    kRSA|aRSA|AES256|AESCCM|TLS12|HIGH,
+    256,
+  },
+  {
+    "AES128-CCM8",
+    BR_TLS_RSA_WITH_AES_128_CCM_8,
+    kRSA|aRSA|AES128|AESCCM8|TLS12|HIGH,
+    128,
+  },
+  {
+    "AES256-CCM8",
+    BR_TLS_RSA_WITH_AES_256_CCM_8,
+    kRSA|aRSA|AES256|AESCCM8|TLS12|HIGH,
+    256,
+  },
+  {
+    "AES128-SHA256",
+    BR_TLS_RSA_WITH_AES_128_CBC_SHA256,
+    kRSA|aRSA|AES128|SHA256|TLS12|HIGH,
+    128,
+  },
+  {
+    "AES256-SHA256",
+    BR_TLS_RSA_WITH_AES_256_CBC_SHA256,
+    kRSA|aRSA|AES256|SHA256|TLS12|HIGH,
+    256,
+  },
+  {
+    "AES128-SHA",
+    BR_TLS_RSA_WITH_AES_128_CBC_SHA,
+    kRSA|aRSA|AES128|SHA1|TLS10|HIGH,
+    128,
+  },
+  {
+    "AES256-SHA",
+    BR_TLS_RSA_WITH_AES_256_CBC_SHA,
+    kRSA|aRSA|AES256|SHA1|TLS10|HIGH,
+    256,
+  },
+  {
+    "ECDHE-ECDSA-DES-CBC3-SHA",
+    BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    ECDHE|ECDSA|TRIPLEDES|SHA1|TLS10|MEDIUM,
+    112,
+  },
+  {
+    "ECDHE-RSA-DES-CBC3-SHA",
+    BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    ECDHE|aRSA|TRIPLEDES|SHA1|TLS10|MEDIUM,
+    112,
+  },
+  {
+    "DES-CBC3-SHA",
+    BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+    kRSA|aRSA|TRIPLEDES|SHA1|TLS10|MEDIUM,
+    112,
+  },
+};
+
+sbearssl_suiteinfo const *const sbearssl_suite_list = sbearssl_suite_list_ ;
+size_t const sbearssl_suite_list_len = sizeof(sbearssl_suite_list_) / sizeof(sbearssl_suiteinfo) ;
diff --git a/src/sbearssl/sbearssl_suite_name.c b/src/sbearssl/sbearssl_suite_name.c
new file mode 100644
index 0000000..97cc593
--- /dev/null
+++ b/src/sbearssl/sbearssl_suite_name.c
@@ -0,0 +1,14 @@
+/* ISC license. */
+
+#include <bearssl.h>
+
+#include <s6-networking/sbearssl.h>
+#include "sbearssl-internal.h"
+
+char const *sbearssl_suite_name (br_ssl_session_parameters const *params)
+{
+  for (size_t i = 0 ; i < sbearssl_suite_list_len ; i++)
+    if (sbearssl_suite_list[i].id == params->cipher_suite)
+      return sbearssl_suite_list[i].name ;
+  return 0 ;
+}