From a6c4fb25b60cbc83a4b8bdb756fcf9c69310e6ae Mon Sep 17 00:00:00 2001
From: Laurent Bercot <ska-skaware@skarnet.org>
Date: Wed, 2 Jun 2021 01:15:12 +0000
Subject:  Debug session. Now works.

 The environment given to the application still needs to be
cleaned up of SNI variables.
---
 src/include/s6-networking/sbearssl.h               |  1 +
 src/sbearssl/deps-lib/sbearssl                     |  1 +
 src/sbearssl/sbearssl_sctx_set_policy_sni.c        |  2 +-
 src/sbearssl/sbearssl_server_init_and_run.c        | 17 ++++++--
 .../sbearssl_sni_policy_add_keypair_file.c         | 19 +++++----
 src/sbearssl/sbearssl_sni_policy_nkeypairs.c       | 11 +++++
 src/sbearssl/sbearssl_sni_policy_vtable.c          | 49 +++++++---------------
 7 files changed, 54 insertions(+), 46 deletions(-)
 create mode 100644 src/sbearssl/sbearssl_sni_policy_nkeypairs.c

(limited to 'src')

diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h
index 7ed4e5b..5e7c42a 100644
--- a/src/include/s6-networking/sbearssl.h
+++ b/src/include/s6-networking/sbearssl.h
@@ -290,6 +290,7 @@ struct sbearssl_sni_policy_context_s
 extern br_ssl_server_policy_class const sbearssl_sni_policy_vtable ;
 extern void sbearssl_sni_policy_init (sbearssl_sni_policy_context *) ;
 extern int sbearssl_sni_policy_add_keypair_file (sbearssl_sni_policy_context *, char const *, char const *, char const *) ;
+extern size_t sbearssl_sni_policy_nkeypairs (sbearssl_sni_policy_context const *) ;
 
 extern void sbearssl_sctx_init_full_generic (br_ssl_server_context *) ;
 extern void sbearssl_sctx_set_policy_sni (br_ssl_server_context *, sbearssl_sni_policy_context *) ;
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index 4b6ea70..5241e56 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -38,6 +38,7 @@ sbearssl_skey_to.o
 sbearssl_skey_wipe.o
 sbearssl_sni_policy_add_keypair_file.o
 sbearssl_sni_policy_init.o
+sbearssl_sni_policy_nkeypairs.o
 sbearssl_sni_policy_vtable.o
 sbearssl_suite_bits.o
 sbearssl_suite_list.o
diff --git a/src/sbearssl/sbearssl_sctx_set_policy_sni.c b/src/sbearssl/sbearssl_sctx_set_policy_sni.c
index 166cd97..f5f3c8a 100644
--- a/src/sbearssl/sbearssl_sctx_set_policy_sni.c
+++ b/src/sbearssl/sbearssl_sctx_set_policy_sni.c
@@ -7,5 +7,5 @@
 void sbearssl_sctx_set_policy_sni (br_ssl_server_context *sc, sbearssl_sni_policy_context *pol)
 {
   sc->chain_handler.vtable = pol->vtable ;
-  sc->policy_vtable = &sc->chain_handler.vtable ;
+  sc->policy_vtable = &pol->vtable ;
 }
diff --git a/src/sbearssl/sbearssl_server_init_and_run.c b/src/sbearssl/sbearssl_server_init_and_run.c
index cdd2804..f8d8b31 100644
--- a/src/sbearssl/sbearssl_server_init_and_run.c
+++ b/src/sbearssl/sbearssl_server_init_and_run.c
@@ -22,13 +22,17 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
 
   if (!(preoptions & 8))  /* snilevel < 2 : add default keypair */
   {
+    int e ;
     char const *keyfile ;
     char const *certfile = getenv("CERTFILE") ;
     if (!certfile) strerr_dienotset(100, "CERTFILE") ;
     keyfile = getenv("KEYFILE") ;
     if (!keyfile) strerr_dienotset(100, "KEYFILE") ;
-    if (!sbearssl_sni_policy_add_keypair_file(&pol, "", certfile, keyfile))
+    e = sbearssl_sni_policy_add_keypair_file(&pol, "", certfile, keyfile) ;
+    if (e < 0)
       strerr_diefu1sys(96, "add default keypair to policy context") ;
+    else if (e)
+      strerr_diefu3x(96, "add default keypair to policy context", ": ", sbearssl_error_str(e)) ;
   }
 
   if (preoptions & 4)  /* snilevel > 0 : add additional keypairs */
@@ -43,6 +47,7 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
         if (kequal == len) strerr_dief1x(100, "invalid environment") ;
         if (kequal != 8)
         {
+          int e ;
           char const *x ;
           char certvar[len - kequal + 10] ;
           memcpy(certvar, "CERTFILE:", 9) ;
@@ -51,8 +56,11 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
           x = getenv(certvar) ;
           if (!x)
             strerr_dief3x(96, "environment variable KEYFILE:", certvar + 9, " not paired with the corresponding CERTFILE") ;
-          else if (!sbearssl_sni_policy_add_keypair_file(&pol, certvar + 9, x, *envp + kequal + 1))
-            strerr_diefu1sys(96, "sbearssl_sni_policy_add_keypair_file") ;
+          e = sbearssl_sni_policy_add_keypair_file(&pol, certvar + 9, x, *envp + kequal + 1) ;
+          if (e < 0)
+            strerr_diefu3sys(96, "add keypair for servername ", certvar + 9, " to policy context") ;
+          else if (e)
+            strerr_diefu5x(96, "add default keypair for servername ", certvar + 9, " to policy context", ": ", sbearssl_error_str(e)) ;
         }
       }
     }
@@ -60,6 +68,9 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
 
   sbearssl_drop() ;
 
+  if (!sbearssl_sni_policy_nkeypairs(&pol))
+    strerr_dief1x(96, "no suitable keypairs found in the environment") ;
+
   {
     br_ssl_server_context sc ;
     sbearssl_x509_small_context xc ;
diff --git a/src/sbearssl/sbearssl_sni_policy_add_keypair_file.c b/src/sbearssl/sbearssl_sni_policy_add_keypair_file.c
index 2462645..6334f64 100644
--- a/src/sbearssl/sbearssl_sni_policy_add_keypair_file.c
+++ b/src/sbearssl/sbearssl_sni_policy_add_keypair_file.c
@@ -17,14 +17,19 @@ int sbearssl_sni_policy_add_keypair_file (sbearssl_sni_policy_context *pol, char
   size_t gabase = genalloc_len(sbearssl_cert, &pol->certga) ;
   size_t mbase = genalloc_len(sbearssl_sni_policy_node, &pol->mapga) ;
   sbearssl_sni_policy_node node = { .servername = sabase, .chainindex = gabase } ;
+  int e ;
 
-  if (!stralloc_catb(&pol->storage, servername, strlen(servername) + 1)) return 0 ;
-  if (!sbearssl_cert_readbigpem(certfile, &pol->certga, &pol->storage)) goto err0 ;
+  if (!stralloc_catb(&pol->storage, servername, strlen(servername) + 1)) return -1 ;
+  e = sbearssl_cert_readbigpem(certfile, &pol->certga, &pol->storage) ;
+  if (e) goto err0 ;
   node.chainlen = genalloc_len(sbearssl_cert, &pol->certga) - node.chainindex ;
-  if (!sbearssl_skey_readfile(keyfile, &node.skey, &pol->storage)) goto err1 ;
-  if (!genalloc_catb(sbearssl_sni_policy_node, &pol->mapga, &node, 1)) goto err2 ;
-  if (!avltree_insert(&pol->map, mbase)) goto err3 ;
-  return 1 ;
+  e = sbearssl_skey_readfile(keyfile, &node.skey, &pol->storage) ;
+  if (e) goto err1 ;
+  e = genalloc_catb(sbearssl_sni_policy_node, &pol->mapga, &node, 1) ? 0 : -1 ;
+  if (e) goto err2 ;
+  e = avltree_insert(&pol->map, mbase) ? 0 : -1 ;
+  if (e) goto err3 ;
+  return 0 ;
 
  err3:
   if (mbase) genalloc_setlen(sbearssl_sni_policy_node, &pol->mapga, mbase) ;
@@ -37,5 +42,5 @@ int sbearssl_sni_policy_add_keypair_file (sbearssl_sni_policy_context *pol, char
  err0:
   if (sabase) pol->storage.len = sabase ;
   else stralloc_free(&pol->storage) ;
-  return 0 ;
+  return e ;
 }
diff --git a/src/sbearssl/sbearssl_sni_policy_nkeypairs.c b/src/sbearssl/sbearssl_sni_policy_nkeypairs.c
new file mode 100644
index 0000000..43a2d98
--- /dev/null
+++ b/src/sbearssl/sbearssl_sni_policy_nkeypairs.c
@@ -0,0 +1,11 @@
+/* ISC license. */
+
+#include <skalibs/genalloc.h>
+
+#include <s6-networking/sbearssl.h>
+#include "sbearssl-internal.h"
+
+size_t sbearssl_sni_policy_nkeypairs (sbearssl_sni_policy_context const *pol)
+{
+  return genalloc_len(sbearssl_sni_policy_node, &pol->mapga) ;
+}
diff --git a/src/sbearssl/sbearssl_sni_policy_vtable.c b/src/sbearssl/sbearssl_sni_policy_vtable.c
index 6d6bcc3..26bc9a6 100644
--- a/src/sbearssl/sbearssl_sni_policy_vtable.c
+++ b/src/sbearssl/sbearssl_sni_policy_vtable.c
@@ -6,9 +6,6 @@
 #include <bearssl.h>
 
 #include <skalibs/bytestr.h>
-#ifdef DEBUG
-# include <skalibs/strerr2.h>
-#endif
 #include <skalibs/stralloc.h>
 #include <skalibs/genalloc.h>
 #include <skalibs/avltree.h>
@@ -18,28 +15,27 @@
 
 #define INSTANCE(c) ((sbearssl_sni_policy_context *)(c))
 
-#define COPY(x) do { k.data.rsa.x = m ; memcpy(s + m, t + k.data.rsa.x, k.data.rsa.x##len) ; m += k.data.rsa.x##len ; } while (0)
+#define COPY(x) do { k->data.rsa.x##len = l->data.rsa.x##len ; k->data.rsa.x = (unsigned char *)s + m ; memcpy(s + m, t + l->data.rsa.x, l->data.rsa.x##len) ; m += l->data.rsa.x##len ; } while (0)
 
-static inline size_t skey_copy (br_skey *key, sbearssl_skey const *l, char *s, char const *t)
+static inline size_t skey_copy (br_skey *k, sbearssl_skey const *l, char *s, char const *t)
 {
-  sbearssl_skey k = *l ;
   size_t m = 0 ;
-  switch (k.type)
+  k->type = l->type ;
+  switch (l->type)
   {
     case BR_KEYTYPE_RSA :
-    {
+      k->data.rsa.n_bitlen = l->data.rsa.n_bitlen ;
       COPY(p) ; COPY(q) ; COPY(dp) ; COPY(dq) ; COPY(iq) ;
       break ;
-    }
     case BR_KEYTYPE_EC :
-      k.data.ec.x = m ; memcpy(s + m, t + k.data.ec.x, k.data.ec.xlen) ; m += k.data.ec.xlen ;
+      k->data.ec.curve = l->data.ec.curve ;
+      k->data.ec.xlen = l->data.ec.xlen ; k->data.ec.x = (unsigned char *)s + m ; memcpy(s + m, t + l->data.ec.x, l->data.ec.xlen) ; m += l->data.ec.xlen ;
       break ;
   }
-  sbearssl_skey_to(&k, key, s) ;
   return m ;
 }
 
-static size_t cert_copy (br_x509_certificate *newc, sbearssl_cert const *oldc, char *s, char const *t)
+static inline size_t cert_copy (br_x509_certificate *newc, sbearssl_cert const *oldc, char *s, char const *t)
 {
   memcpy(s, t + oldc->data, oldc->datalen) ;
   newc->data = (unsigned char *)s ;
@@ -56,9 +52,11 @@ static int choose (br_ssl_server_policy_class const **pctx, br_ssl_server_contex
  /* Get the node corresponding to the ServerName sent by the client. "" for no SNI. */
   {
     uint32_t n ;
-    if (!avltree_search(&pol->map, servername, &n)
-     && (!servername[0] || !avltree_search(&pol->map, "", &n)))
-      return 0 ;
+    if (!avltree_search(&pol->map, servername, &n))
+    {
+      if (!servername[0]) return 0 ;
+      if (!avltree_search(&pol->map, "", &n)) return 0 ;
+    }
     avltree_free(&pol->map) ;
     node = genalloc_s(sbearssl_sni_policy_node, &pol->mapga) + n ;
   }
@@ -104,26 +102,7 @@ static int choose (br_ssl_server_policy_class const **pctx, br_ssl_server_contex
     case BR_KEYTYPE_EC :
     {
       int kt ;
-      int r = sbearssl_ec_issuer_keytype(&kt, &choices->chain[0]) ;
-      switch (r)
-      {
-        case -2 :
-#ifdef DEBUG
-          strerr_warnw3x("certificate issuer key type not recognized", servername[0] ? " for name " : "", servername[0] ? servername : "") ;
-#endif
-          return 0 ;
-        case -1 :
-#ifdef DEBUG
-          strerr_warnwu3sys("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "") ;
-#endif
-          return 0 ;
-        case 0 : break ;
-        default :
-#ifdef DEBUG
-          strerr_warnwu5x("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "", ": ", sbearssl_error_str(r)) ;
-#endif
-          return 0 ;
-      }
+      if (sbearssl_ec_issuer_keytype(&kt, &choices->chain[0])) return 0 ;
       if (!sbearssl_choose_algos_ec(sc, choices, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, kt)) return 0 ;
       pol->keyx.ec = sc->eng.iec ;  /* the br_ssl_engine_get_ec() abstraction lacks a const */
       pol->sign.ec = br_ecdsa_i31_sign_asn1 ;  /* have to hardcode, no access to BR_LOMUL */
-- 
cgit v1.2.3