summaryrefslogtreecommitdiff
path: root/src/sbearssl/sbearssl_send_environment.c
blob: 22c2dbb33153bd884bf446b45d389a1a57aeb1ac (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
/* ISC license. */

#include <stddef.h>
#include <stdint.h>

#include <skalibs/bytestr.h>
#include <skalibs/buffer.h>
#include <skalibs/fmtscan.h>

#include <bearssl.h>

#include <s6-networking/sbearssl.h>

static uint8_t class (char c)
{
  switch (c)
  {
    case '\0' : return 0 ;
    case ' ' : return 1 ;
    case ',' :
    case '=' :
    case '\n' :
    case '+' :
    case '<' :
    case '>' :
    case '#' :
    case '\\' : return 2 ;
    default : return 3 ;
  }
}

static int print_element (buffer *b, char const *s)
{
  static uint8_t const table[3][4] =
  {
    { 0x03, 0x00, 0x19, 0x09 },
    { 0x03, 0x62, 0x19, 0x09 },
    { 0x03, 0x42, 0x99, 0x89 }
  } ;
  size_t counter = 0 ;
  uint8_t state = 0 ;
  while (state < 3)
  {
    char ch = *s++ ;
    uint8_t c = table[state][class(ch)] ;
    state = c & 3 ;
    if (c & 0x10) if (buffer_put(b, "\\", 1) < 0) return 0 ;
    if (c & 0x20) counter = 0 ;
    if (c & 0x40) counter++ ;
    if (c & 0x80) while (counter--) if (buffer_put(b, " ", 1) < 0) return 0 ;
    if (c & 0x08) if (buffer_put(b, &ch, 1) < 0) return 0 ;
  }
  return 1 ;
}

struct eltinfo_s
{
  char const *keyword ;
  size_t offset ;
} ;


static int print_dn (buffer *b, sbearssl_dn const *dn, uint8_t eltstatus)
{
  static struct eltinfo_s const eltinfo[6] =
  {
    { .keyword = "C",  .offset = offsetof(sbearssl_dn, c)  },
    { .keyword = "ST", .offset = offsetof(sbearssl_dn, st) },
    { .keyword = "L",  .offset = offsetof(sbearssl_dn, l)  },
    { .keyword = "O",  .offset = offsetof(sbearssl_dn, o)  },
    { .keyword = "OU", .offset = offsetof(sbearssl_dn, ou) },
    { .keyword = "CN", .offset = offsetof(sbearssl_dn, cn) }
  } ;
  int got = 0 ;
  unsigned int mask = 1 ;
  for (unsigned int i = 0 ; i < 6 ; i++, mask <<= 1) if (eltstatus & mask)
  {
    if ((got && buffer_puts(b, ", ") < 0)
     || buffer_puts(b, eltinfo[i].keyword) < 0
     || buffer_put(b, "=", 1) < 0
     || !print_element(b, (char const *)dn + eltinfo[i].offset))
      return 0 ;
    got = 1 ;
  }
  return 1 ;
}

int sbearssl_send_environment (br_ssl_engine_context *ctx, sbearssl_handshake_cbarg *p)
{
  char buf[4096] ;
  buffer b = BUFFER_INIT(&buffer_write, p->notif, buf, 4096) ;
  unsigned int v = br_ssl_engine_get_version(ctx) ;
  char const *name = br_ssl_engine_get_server_name(ctx) ;
  char const *suite ;
  br_ssl_session_parameters params ;
  br_ssl_engine_get_session_parameters(ctx, &params) ;
  suite = sbearssl_suite_name(&params) ;
  byte_zzero((char *)params.master_secret, 48) ;
  if (!suite) suite = "" ;

  if (buffer_puts(&b, "SSL_PROTOCOL=") < 0
   || buffer_puts(&b, v == BR_TLS12 ? "TLSv1.2" : v == BR_TLS11 ? "TLSv1.1" : v == BR_TLS10 ? "TLSv1" : "unknown") < 0
   || buffer_put(&b, "", 1) < 0
   || buffer_puts(&b, "SSL_CIPHER=") < 0
   || buffer_puts(&b, suite) < 0
   || buffer_put(&b, "", 1) < 0) return 0 ;

  if (buffer_puts(&b, "SSL_TLS_SNI_SERVERNAME") < 0) return 0 ;
  if (name[0])
  {
    if (buffer_put(&b, "=", 1) < 0
     || buffer_puts(&b, name) < 0)
      return 0 ;
  }
  if (buffer_put(&b, "", 1) < 0) return 0 ;

  if (buffer_puts(&b, "SSL_PEER_CERT_HASH") < 0) return 0 ;
  if (p->exportmask & 1)
  {
    char eehash[64] ;
    ucharn_fmt(eehash, p->eehash, 32) ;
    if (buffer_puts(&b, "=SHA256:") < 0
     || buffer_put(&b, eehash, 64) < 0)
      return 0 ;
  }
  if (buffer_put(&b, "", 1) < 0) return 0 ;

  if (buffer_puts(&b, "SSL_PEER_CERT_SUBJECT") < 0) return 0 ;
  if (p->exportmask & 2 && p->eltstatus)
  {
    if (buffer_put(&b, "=", 1) < 0) return 0 ;
    if (p->eltstatus & 128)
    {
      if (buffer_puts(&b, "<invalid>") < 0) return 0 ;
    }
    else if (!print_dn(&b, &p->eedn, p->eltstatus)) return 0 ;
  }
  if (buffer_put(&b, "", 1) < 0) return 0 ;

  return buffer_putflush(&b, "", 1) >= 0 ;
}