From a6c4fb25b60cbc83a4b8bdb756fcf9c69310e6ae Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Wed, 2 Jun 2021 01:15:12 +0000 Subject: Debug session. Now works. The environment given to the application still needs to be cleaned up of SNI variables. --- src/include/s6-networking/sbearssl.h | 1 + src/sbearssl/deps-lib/sbearssl | 1 + src/sbearssl/sbearssl_sctx_set_policy_sni.c | 2 +- src/sbearssl/sbearssl_server_init_and_run.c | 17 ++++++-- .../sbearssl_sni_policy_add_keypair_file.c | 19 +++++---- src/sbearssl/sbearssl_sni_policy_nkeypairs.c | 11 +++++ src/sbearssl/sbearssl_sni_policy_vtable.c | 49 +++++++--------------- 7 files changed, 54 insertions(+), 46 deletions(-) create mode 100644 src/sbearssl/sbearssl_sni_policy_nkeypairs.c (limited to 'src') diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h index 7ed4e5b..5e7c42a 100644 --- a/src/include/s6-networking/sbearssl.h +++ b/src/include/s6-networking/sbearssl.h @@ -290,6 +290,7 @@ struct sbearssl_sni_policy_context_s extern br_ssl_server_policy_class const sbearssl_sni_policy_vtable ; extern void sbearssl_sni_policy_init (sbearssl_sni_policy_context *) ; extern int sbearssl_sni_policy_add_keypair_file (sbearssl_sni_policy_context *, char const *, char const *, char const *) ; +extern size_t sbearssl_sni_policy_nkeypairs (sbearssl_sni_policy_context const *) ; extern void sbearssl_sctx_init_full_generic (br_ssl_server_context *) ; extern void sbearssl_sctx_set_policy_sni (br_ssl_server_context *, sbearssl_sni_policy_context *) ; diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl index 4b6ea70..5241e56 100644 --- a/src/sbearssl/deps-lib/sbearssl +++ b/src/sbearssl/deps-lib/sbearssl @@ -38,6 +38,7 @@ sbearssl_skey_to.o sbearssl_skey_wipe.o sbearssl_sni_policy_add_keypair_file.o sbearssl_sni_policy_init.o +sbearssl_sni_policy_nkeypairs.o sbearssl_sni_policy_vtable.o sbearssl_suite_bits.o sbearssl_suite_list.o diff --git a/src/sbearssl/sbearssl_sctx_set_policy_sni.c b/src/sbearssl/sbearssl_sctx_set_policy_sni.c index 166cd97..f5f3c8a 100644 --- a/src/sbearssl/sbearssl_sctx_set_policy_sni.c +++ b/src/sbearssl/sbearssl_sctx_set_policy_sni.c @@ -7,5 +7,5 @@ void sbearssl_sctx_set_policy_sni (br_ssl_server_context *sc, sbearssl_sni_policy_context *pol) { sc->chain_handler.vtable = pol->vtable ; - sc->policy_vtable = &sc->chain_handler.vtable ; + sc->policy_vtable = &pol->vtable ; } diff --git a/src/sbearssl/sbearssl_server_init_and_run.c b/src/sbearssl/sbearssl_server_init_and_run.c index cdd2804..f8d8b31 100644 --- a/src/sbearssl/sbearssl_server_init_and_run.c +++ b/src/sbearssl/sbearssl_server_init_and_run.c @@ -22,13 +22,17 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti if (!(preoptions & 8)) /* snilevel < 2 : add default keypair */ { + int e ; char const *keyfile ; char const *certfile = getenv("CERTFILE") ; if (!certfile) strerr_dienotset(100, "CERTFILE") ; keyfile = getenv("KEYFILE") ; if (!keyfile) strerr_dienotset(100, "KEYFILE") ; - if (!sbearssl_sni_policy_add_keypair_file(&pol, "", certfile, keyfile)) + e = sbearssl_sni_policy_add_keypair_file(&pol, "", certfile, keyfile) ; + if (e < 0) strerr_diefu1sys(96, "add default keypair to policy context") ; + else if (e) + strerr_diefu3x(96, "add default keypair to policy context", ": ", sbearssl_error_str(e)) ; } if (preoptions & 4) /* snilevel > 0 : add additional keypairs */ @@ -43,6 +47,7 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti if (kequal == len) strerr_dief1x(100, "invalid environment") ; if (kequal != 8) { + int e ; char const *x ; char certvar[len - kequal + 10] ; memcpy(certvar, "CERTFILE:", 9) ; @@ -51,8 +56,11 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti x = getenv(certvar) ; if (!x) strerr_dief3x(96, "environment variable KEYFILE:", certvar + 9, " not paired with the corresponding CERTFILE") ; - else if (!sbearssl_sni_policy_add_keypair_file(&pol, certvar + 9, x, *envp + kequal + 1)) - strerr_diefu1sys(96, "sbearssl_sni_policy_add_keypair_file") ; + e = sbearssl_sni_policy_add_keypair_file(&pol, certvar + 9, x, *envp + kequal + 1) ; + if (e < 0) + strerr_diefu3sys(96, "add keypair for servername ", certvar + 9, " to policy context") ; + else if (e) + strerr_diefu5x(96, "add default keypair for servername ", certvar + 9, " to policy context", ": ", sbearssl_error_str(e)) ; } } } @@ -60,6 +68,9 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti sbearssl_drop() ; + if (!sbearssl_sni_policy_nkeypairs(&pol)) + strerr_dief1x(96, "no suitable keypairs found in the environment") ; + { br_ssl_server_context sc ; sbearssl_x509_small_context xc ; diff --git a/src/sbearssl/sbearssl_sni_policy_add_keypair_file.c b/src/sbearssl/sbearssl_sni_policy_add_keypair_file.c index 2462645..6334f64 100644 --- a/src/sbearssl/sbearssl_sni_policy_add_keypair_file.c +++ b/src/sbearssl/sbearssl_sni_policy_add_keypair_file.c @@ -17,14 +17,19 @@ int sbearssl_sni_policy_add_keypair_file (sbearssl_sni_policy_context *pol, char size_t gabase = genalloc_len(sbearssl_cert, &pol->certga) ; size_t mbase = genalloc_len(sbearssl_sni_policy_node, &pol->mapga) ; sbearssl_sni_policy_node node = { .servername = sabase, .chainindex = gabase } ; + int e ; - if (!stralloc_catb(&pol->storage, servername, strlen(servername) + 1)) return 0 ; - if (!sbearssl_cert_readbigpem(certfile, &pol->certga, &pol->storage)) goto err0 ; + if (!stralloc_catb(&pol->storage, servername, strlen(servername) + 1)) return -1 ; + e = sbearssl_cert_readbigpem(certfile, &pol->certga, &pol->storage) ; + if (e) goto err0 ; node.chainlen = genalloc_len(sbearssl_cert, &pol->certga) - node.chainindex ; - if (!sbearssl_skey_readfile(keyfile, &node.skey, &pol->storage)) goto err1 ; - if (!genalloc_catb(sbearssl_sni_policy_node, &pol->mapga, &node, 1)) goto err2 ; - if (!avltree_insert(&pol->map, mbase)) goto err3 ; - return 1 ; + e = sbearssl_skey_readfile(keyfile, &node.skey, &pol->storage) ; + if (e) goto err1 ; + e = genalloc_catb(sbearssl_sni_policy_node, &pol->mapga, &node, 1) ? 0 : -1 ; + if (e) goto err2 ; + e = avltree_insert(&pol->map, mbase) ? 0 : -1 ; + if (e) goto err3 ; + return 0 ; err3: if (mbase) genalloc_setlen(sbearssl_sni_policy_node, &pol->mapga, mbase) ; @@ -37,5 +42,5 @@ int sbearssl_sni_policy_add_keypair_file (sbearssl_sni_policy_context *pol, char err0: if (sabase) pol->storage.len = sabase ; else stralloc_free(&pol->storage) ; - return 0 ; + return e ; } diff --git a/src/sbearssl/sbearssl_sni_policy_nkeypairs.c b/src/sbearssl/sbearssl_sni_policy_nkeypairs.c new file mode 100644 index 0000000..43a2d98 --- /dev/null +++ b/src/sbearssl/sbearssl_sni_policy_nkeypairs.c @@ -0,0 +1,11 @@ +/* ISC license. */ + +#include + +#include +#include "sbearssl-internal.h" + +size_t sbearssl_sni_policy_nkeypairs (sbearssl_sni_policy_context const *pol) +{ + return genalloc_len(sbearssl_sni_policy_node, &pol->mapga) ; +} diff --git a/src/sbearssl/sbearssl_sni_policy_vtable.c b/src/sbearssl/sbearssl_sni_policy_vtable.c index 6d6bcc3..26bc9a6 100644 --- a/src/sbearssl/sbearssl_sni_policy_vtable.c +++ b/src/sbearssl/sbearssl_sni_policy_vtable.c @@ -6,9 +6,6 @@ #include #include -#ifdef DEBUG -# include -#endif #include #include #include @@ -18,28 +15,27 @@ #define INSTANCE(c) ((sbearssl_sni_policy_context *)(c)) -#define COPY(x) do { k.data.rsa.x = m ; memcpy(s + m, t + k.data.rsa.x, k.data.rsa.x##len) ; m += k.data.rsa.x##len ; } while (0) +#define COPY(x) do { k->data.rsa.x##len = l->data.rsa.x##len ; k->data.rsa.x = (unsigned char *)s + m ; memcpy(s + m, t + l->data.rsa.x, l->data.rsa.x##len) ; m += l->data.rsa.x##len ; } while (0) -static inline size_t skey_copy (br_skey *key, sbearssl_skey const *l, char *s, char const *t) +static inline size_t skey_copy (br_skey *k, sbearssl_skey const *l, char *s, char const *t) { - sbearssl_skey k = *l ; size_t m = 0 ; - switch (k.type) + k->type = l->type ; + switch (l->type) { case BR_KEYTYPE_RSA : - { + k->data.rsa.n_bitlen = l->data.rsa.n_bitlen ; COPY(p) ; COPY(q) ; COPY(dp) ; COPY(dq) ; COPY(iq) ; break ; - } case BR_KEYTYPE_EC : - k.data.ec.x = m ; memcpy(s + m, t + k.data.ec.x, k.data.ec.xlen) ; m += k.data.ec.xlen ; + k->data.ec.curve = l->data.ec.curve ; + k->data.ec.xlen = l->data.ec.xlen ; k->data.ec.x = (unsigned char *)s + m ; memcpy(s + m, t + l->data.ec.x, l->data.ec.xlen) ; m += l->data.ec.xlen ; break ; } - sbearssl_skey_to(&k, key, s) ; return m ; } -static size_t cert_copy (br_x509_certificate *newc, sbearssl_cert const *oldc, char *s, char const *t) +static inline size_t cert_copy (br_x509_certificate *newc, sbearssl_cert const *oldc, char *s, char const *t) { memcpy(s, t + oldc->data, oldc->datalen) ; newc->data = (unsigned char *)s ; @@ -56,9 +52,11 @@ static int choose (br_ssl_server_policy_class const **pctx, br_ssl_server_contex /* Get the node corresponding to the ServerName sent by the client. "" for no SNI. */ { uint32_t n ; - if (!avltree_search(&pol->map, servername, &n) - && (!servername[0] || !avltree_search(&pol->map, "", &n))) - return 0 ; + if (!avltree_search(&pol->map, servername, &n)) + { + if (!servername[0]) return 0 ; + if (!avltree_search(&pol->map, "", &n)) return 0 ; + } avltree_free(&pol->map) ; node = genalloc_s(sbearssl_sni_policy_node, &pol->mapga) + n ; } @@ -104,26 +102,7 @@ static int choose (br_ssl_server_policy_class const **pctx, br_ssl_server_contex case BR_KEYTYPE_EC : { int kt ; - int r = sbearssl_ec_issuer_keytype(&kt, &choices->chain[0]) ; - switch (r) - { - case -2 : -#ifdef DEBUG - strerr_warnw3x("certificate issuer key type not recognized", servername[0] ? " for name " : "", servername[0] ? servername : "") ; -#endif - return 0 ; - case -1 : -#ifdef DEBUG - strerr_warnwu3sys("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "") ; -#endif - return 0 ; - case 0 : break ; - default : -#ifdef DEBUG - strerr_warnwu5x("get certificate issuer key type", servername[0] ? " for name " : "", servername[0] ? servername : "", ": ", sbearssl_error_str(r)) ; -#endif - return 0 ; - } + if (sbearssl_ec_issuer_keytype(&kt, &choices->chain[0])) return 0 ; if (!sbearssl_choose_algos_ec(sc, choices, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, kt)) return 0 ; pol->keyx.ec = sc->eng.iec ; /* the br_ssl_engine_get_ec() abstraction lacks a const */ pol->sign.ec = br_ecdsa_i31_sign_asn1 ; /* have to hardcode, no access to BR_LOMUL */ -- cgit v1.2.3