1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
|
/* ISC license. */
#include <sys/types.h>
#include <stdint.h>
#include <unistd.h>
#include <errno.h>
#include <bearssl.h>
#include <skalibs/strerr2.h>
#include <skalibs/tai.h>
#include <skalibs/env.h>
#include <skalibs/stralloc.h>
#include <skalibs/genalloc.h>
#include <skalibs/djbunix.h>
#include <skalibs/random.h>
#include <s6-networking/sbearssl.h>
#include "sbearssl-internal.h"
int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity)
{
stralloc storage = STRALLOC_ZERO ;
sbearssl_skey skey ;
genalloc certs = GENALLOC_ZERO ;
size_t chainlen ;
size_t x500n = 1 ;
size_t x500len = 1 ;
stralloc tastorage = STRALLOC_ZERO ;
genalloc tas = GENALLOC_ZERO ;
{
char const *x = env_get2(envp, "KEYFILE") ;
int r ;
if (!x) strerr_dienotset(100, "KEYFILE") ;
r = sbearssl_skey_readfile(x, &skey, &storage) ;
if (r < 0)
strerr_diefu2sys(111, "read private key in ", x) ;
else if (r)
strerr_diefu4x(96, "decode private key in ", x, ": ", sbearssl_error_str(r)) ;
x = env_get2(envp, "CERTFILE") ;
if (!x) strerr_dienotset(100, "CERTFILE") ;
r = sbearssl_cert_readbigpem(x, &certs, &storage) ;
if (r < 0)
strerr_diefu2sys(111, "read certificate chain in ", x) ;
else if (r)
strerr_diefu4sys(96, "read certificate chain in ", x, ": ", sbearssl_error_str(r)) ;
chainlen = genalloc_len(sbearssl_cert, &certs) ;
if (!chainlen)
strerr_diefu2x(96, "find a certificate in ", x) ;
if (preoptions & 1)
{
x = env_get2(envp, "CADIR") ;
if (x) r = sbearssl_ta_readdir(x, &tas, &tastorage) ;
else
{
x = env_get2(envp, "CAFILE") ;
if (!x) strerr_dienotset(100, "CADIR or CAFILE") ;
r = sbearssl_ta_readfile(x, &tas, &tastorage) ;
}
if (r < 0)
strerr_diefu2sys(111, "read trust anchors in ", x) ;
else if (r)
strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ;
x500n = genalloc_len(sbearssl_ta, &tas) ;
if (!x500n) strerr_dief2x(96, "no trust anchor found in ", x) ;
x500len = sbearssl_x500_name_len(genalloc_s(sbearssl_ta, &tas), x500n) ;
}
}
{
int fds[4] = { 0, 1, 0, 1 } ;
unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
char x500storage[x500len] ;
br_ssl_server_context sc ;
union br_skey_u key ;
br_x509_certificate chain[chainlen] ;
br_x500_name x500names[x500n] ;
size_t i = chainlen ;
pid_t pid ;
if (preoptions & 1)
{
sbearssl_x500_from_ta(x500names, genalloc_s(sbearssl_ta, &tas), x500n, x500storage, tastorage.s) ;
genalloc_free(sbearssl_ta, &tas) ;
stralloc_free(&tastorage) ;
}
stralloc_shrink(&storage) ;
while (i--)
sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ;
genalloc_free(sbearssl_cert, &certs) ;
switch (skey.type)
{
case BR_KEYTYPE_RSA :
sbearssl_rsa_skey_to(&skey.data.rsa, &key.rsa, storage.s) ;
br_ssl_server_init_full_rsa(&sc, chain, chainlen, &key.rsa) ;
break ;
case BR_KEYTYPE_EC :
{
int kt, r ;
sbearssl_ec_skey_to(&skey.data.ec, &key.ec, storage.s) ;
r = sbearssl_ec_issuer_keytype(&kt, &chain[0]) ;
switch (r)
{
case -2 : strerr_dief1x(96, "certificate issuer key type not recognized") ;
case -1 : strerr_diefu1sys(111, "get certificate issuer key type") ;
case 0 : break ;
default : strerr_diefu3x(96, "get certificate issuer key type", ": ", sbearssl_error_str(r)) ;
}
br_ssl_server_init_full_ec(&sc, chain, chainlen, kt, &key.ec) ;
break ;
}
default :
strerr_dief1x(96, "unsupported private key type") ;
}
if (!random_init())
strerr_diefu1sys(111, "initialize random generator") ;
random_string((char *)buf, 32) ;
br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ;
random_finish() ;
pid = sbearssl_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ;
if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;
if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
{
uint32_t flags = BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION ;
if (preoptions & 1)
{
br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ;
if (!(preoptions & 4)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ;
}
br_ssl_engine_add_flags(&sc.eng, flags) ;
}
br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ;
br_ssl_server_reset(&sc) ;
tain_now_g() ;
{
int wstat ;
int r = sbearssl_run(&sc.eng, fds, verbosity, options, tto) ;
if (r < 0) strerr_diefu1sys(111, "run SSL engine") ;
else if (r) strerr_diefu2x(98, "establish or maintain SSL connection to peer: ", sbearssl_error_str(r)) ;
if (wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
return wait_estatus(wstat) ;
}
}
}
|
