From 564631637bcd238b4c9aad5496aa9e049f948dd9 Mon Sep 17 00:00:00 2001
From: Laurent Bercot <ska-skaware@skarnet.org>
Date: Mon, 23 Nov 2020 14:25:24 +0000
Subject:  Fix more bugs; disable renegociation in bearssl client

---
 src/sbearssl/sbearssl_client_init_and_run.c |  1 +
 src/sbearssl/sbearssl_ta_readdir.c          | 28 ++++++++++++----------
 src/stls/stls_client_init_and_handshake.c   | 36 ++++++++++++++---------------
 src/stls/stls_server_init_and_handshake.c   | 23 ++++++++----------
 4 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/src/sbearssl/sbearssl_client_init_and_run.c b/src/sbearssl/sbearssl_client_init_and_run.c
index a6e7aca..73fac70 100644
--- a/src/sbearssl/sbearssl_client_init_and_run.c
+++ b/src/sbearssl/sbearssl_client_init_and_run.c
@@ -59,6 +59,7 @@ void sbearssl_client_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
       sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ;
     genalloc_free(sbearssl_ta, &tas) ;
     br_ssl_client_init_full(&cc, &xc, btas, talen) ;
+    br_ssl_engine_add_flags(&cc.eng, BR_OPT_NO_RENEGOTIATION) ;
     random_string((char *)buf, 32) ;
     random_finish() ;
     br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ;
diff --git a/src/sbearssl/sbearssl_ta_readdir.c b/src/sbearssl/sbearssl_ta_readdir.c
index 4093bcf..f340503 100644
--- a/src/sbearssl/sbearssl_ta_readdir.c
+++ b/src/sbearssl/sbearssl_ta_readdir.c
@@ -1,11 +1,15 @@
 /* ISC license. */
 
+#include <stdint.h>
 #include <string.h>
 #include <errno.h>
+
+#include <skalibs/uint32.h>
 #include <skalibs/stralloc.h>
 #include <skalibs/genalloc.h>
 #include <skalibs/direntry.h>
 #include <skalibs/djbunix.h>
+
 #include <s6-networking/sbearssl.h>
 
 int sbearssl_ta_readdir (char const *dirfn, genalloc *taga, stralloc *tasa)
@@ -18,26 +22,26 @@ int sbearssl_ta_readdir (char const *dirfn, genalloc *taga, stralloc *tasa)
   stralloc certsa = STRALLOC_ZERO ;
   genalloc certga = GENALLOC_ZERO ;
   DIR *dir = opendir(dirfn) ;
+  char fn[dirfnlen + 12] ;
   if (!dir) return -1 ;
+  memcpy(fn, dirfn, dirfnlen) ;
+  fn[dirfnlen] = '/' ;
 
   for (;;)
   {
     direntry *d ;
+    uint32_t dummy ;
     errno = 0 ;
     d = readdir(dir) ;
     if (!d) break ;
-    if (d->d_name[0] == '.') continue ;
-    {
-      size_t dlen = strlen(d->d_name) ;
-      char fn[dirfnlen + dlen + 2] ;
-      memcpy(fn, dirfn, dirfnlen) ;
-      fn[dirfnlen] = '/' ;
-      memcpy(fn + dirfnlen + 1, d->d_name, dlen) ;
-      fn[dirfnlen + 1 + dlen] = 0 ;
-      genalloc_setlen(sbearssl_cert, &certga, 0) ;
-      certsa.len = 0 ;
-      if (sbearssl_cert_readfile(fn, &certga, &certsa)) continue ;
-    }
+
+   /* only process files with valid hash names */
+    if (uint32_xscan(d->d_name, &dummy) != 8 || d->d_name[8] != '.' || d->d_name[9] != '0' || d->d_name[10]) continue ;
+
+    memcpy(fn + dirfnlen + 1, d->d_name, 11) ;
+    genalloc_setlen(sbearssl_cert, &certga, 0) ;
+    certsa.len = 0 ;
+    if (sbearssl_cert_readfile(fn, &certga, &certsa)) continue ;
     sbearssl_ta_certs(taga, tasa, genalloc_s(sbearssl_cert, &certga), genalloc_len(sbearssl_cert, &certga), certsa.s) ;
   }
   if (errno) goto fail ;
diff --git a/src/stls/stls_client_init_and_handshake.c b/src/stls/stls_client_init_and_handshake.c
index 173942f..f0cc5be 100644
--- a/src/stls/stls_client_init_and_handshake.c
+++ b/src/stls/stls_client_init_and_handshake.c
@@ -22,6 +22,21 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions,
   cfg = tls_config_new() ;
   if (!cfg) strerr_diefu1sys(111, "tls_config_new") ;
 
+  if (preoptions & 1)
+  {
+    x = getenv("CERTFILE") ;
+    if (!x) strerr_dienotset(100, "CERTFILE") ;
+    if (tls_config_set_cert_file(cfg, x) < 0)
+      diecfg(cfg, "tls_config_set_cert_file") ;
+
+    x = getenv("KEYFILE") ;
+    if (!x) strerr_dienotset(100, "KEYFILE") ;
+    if (tls_config_set_key_file(cfg, x) < 0)
+      diecfg(cfg, "tls_config_set_key_file") ;
+  }
+
+  stls_drop() ;
+
   x = getenv("CADIR") ;
   if (x)
   {
@@ -36,24 +51,9 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions,
       if (tls_config_set_ca_file(cfg, x) < 0)
         diecfg(cfg, "tls_config_set_ca_file") ;
     }
-    else strerr_dief1x(100, "no trust anchor found - please set CADIR or CAFILE") ;
+    else strerr_diefu1x(100, "get trust anchor list: neither CADIR nor CAFILE is set") ;
   }
 
-  if (preoptions & 1)
-  {
-    x = getenv("CERTFILE") ;
-    if (!x) strerr_dienotset(100, "CERTFILE") ;
-    if (tls_config_set_cert_file(cfg, x) < 0)
-      diecfg(cfg, "tls_config_set_cert_file") ;
-
-    x = getenv("KEYFILE") ;
-    if (!x) strerr_dienotset(100, "KEYFILE") ;
-    if (tls_config_set_key_file(cfg, x) < 0)
-      diecfg(cfg, "tls_config_set_key_file") ;
-  }
-
-  stls_drop() ;
-
   if (tls_config_set_ciphers(cfg, "secure") < 0)
     diecfg(cfg, "tls_config_set_ciphers") ;
 
@@ -75,8 +75,6 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions,
   if (tls_connect_fds(ctx, fds[0], fds[1], servername) < 0)
     diectx(97, ctx, "tls_connect_fds") ;
   tls_config_free(cfg) ;
-  strerr_warn1x("before handshake") ;
-  if (tls_handshake(ctx) < 0) diectx(97, ctx, "perform SSL handshake") ;
-  strerr_warn1x("after handshake") ;
+  if (tls_handshake(ctx) < 0) diectx(97, ctx, "tls_handshake") ;
   return ctx ;
 }
diff --git a/src/stls/stls_server_init_and_handshake.c b/src/stls/stls_server_init_and_handshake.c
index 5dd5284..e6869be 100644
--- a/src/stls/stls_server_init_and_handshake.c
+++ b/src/stls/stls_server_init_and_handshake.c
@@ -14,8 +14,8 @@
 
 struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions)
 {
-  struct tls *cctx ;
-  struct tls *ctx ;
+  struct tls *ctx = 0 ;
+  struct tls *sctx ;
   struct tls_config *cfg ;
   char const *x ;
 
@@ -70,16 +70,13 @@ struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions)
   tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ;
   tls_config_prefer_ciphers_server(cfg) ;
 
-  ctx = tls_server() ;
-  if (!ctx) strerr_diefu1sys(111, "tls_server") ;
-  if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
+  sctx = tls_server() ;
+  if (!sctx) strerr_diefu1sys(111, "tls_server") ;
+  if (tls_configure(sctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
   tls_config_free(cfg) ;
-  if (tls_accept_fds(ctx, &cctx, fds[0], fds[1]) < 0)
-    diectx(97, ctx, "tls_accept_fds") ;
-  tls_free(ctx) ;
-  strerr_warni1x("before handshake") ;
-  if (tls_handshake(cctx) < 0)
-    diectx(97, cctx, "perform SSL handshake") ;
-  strerr_warni1x("after handshake") ;
-  return cctx ;
+  if (tls_accept_fds(sctx, &ctx, fds[0], fds[1]) < 0)
+    diectx(97, sctx, "tls_accept_fds") ;
+  tls_free(sctx) ;
+  if (tls_handshake(ctx) < 0) diectx(97, ctx, "tls_handshake") ;
+  return ctx ;
 }
-- 
cgit v1.2.3