aboutsummaryrefslogtreecommitdiffstats
path: root/src/sbearssl/sbearssl_server_init_and_run.c
diff options
context:
space:
mode:
authorLaurent Bercot <ska-skaware@skarnet.org>2021-05-18 11:19:19 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2021-05-18 11:19:19 +0000
commit6780eee3e0dbe37640f72ed1e37a95c506e23f8c (patch)
treefd89e47869fd422c6a2fb49e361c760a94b60668 /src/sbearssl/sbearssl_server_init_and_run.c
parent8f4d374c931ce12554beb9231c1af9171832e133 (diff)
downloads6-networking-6780eee3e0dbe37640f72ed1e37a95c506e23f8c.tar.gz
Prepare for 2.4.2.0; implement client certificates with bearssl
Also send a bit more environment with libtls
Diffstat (limited to 'src/sbearssl/sbearssl_server_init_and_run.c')
-rw-r--r--src/sbearssl/sbearssl_server_init_and_run.c64
1 files changed, 25 insertions, 39 deletions
diff --git a/src/sbearssl/sbearssl_server_init_and_run.c b/src/sbearssl/sbearssl_server_init_and_run.c
index a7ae22b..e6df30e 100644
--- a/src/sbearssl/sbearssl_server_init_and_run.c
+++ b/src/sbearssl/sbearssl_server_init_and_run.c
@@ -15,51 +15,33 @@
void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, sbearssl_handshake_cb_t_ref cb, unsigned int notif)
{
- stralloc storage = STRALLOC_ZERO ;
sbearssl_skey skey ;
- genalloc certs = GENALLOC_ZERO ;
- size_t chainlen ;
-
- if (preoptions & 1)
- strerr_dief1x(100, "client certificates are not supported yet") ;
-
- {
- char const *x = getenv("KEYFILE") ;
- int r ;
- if (!x) strerr_dienotset(100, "KEYFILE") ;
- r = sbearssl_skey_readfile(x, &skey, &storage) ;
- if (r < 0)
- strerr_diefu2sys(111, "read private key in ", x) ;
- else if (r)
- strerr_diefu4x(96, "decode private key in ", x, ": ", sbearssl_error_str(r)) ;
-
- x = getenv("CERTFILE") ;
- if (!x) strerr_dienotset(100, "CERTFILE") ;
- r = sbearssl_cert_readbigpem(x, &certs, &storage) ;
- if (r < 0)
- strerr_diefu2sys(111, "read certificate chain in ", x) ;
- else if (r)
- strerr_diefu4sys(96, "read certificate chain in ", x, ": ", sbearssl_error_str(r)) ;
- chainlen = genalloc_len(sbearssl_cert, &certs) ;
- if (!chainlen)
- strerr_diefu2x(96, "find a certificate in ", x) ;
- }
+ genalloc certs = GENALLOC_ZERO ; /* sbearssl_cert */
+ genalloc tas = GENALLOC_ZERO ; /* sbearssl_ta */
+ stralloc storage = STRALLOC_ZERO ;
+ size_t chainlen = sbearssl_get_keycert(&skey, &certs, &storage) ;
+ size_t n = preoptions & 1 ? sbearssl_get_tas(&tas, &storage) : 0 ;
sbearssl_drop() ;
+ stralloc_shrink(&storage) ;
{
sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ;
- unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
- br_ssl_server_context sc ;
union br_skey_u key ;
+ br_ssl_server_context sc ;
+ br_x509_minimal_context xc ;
br_x509_certificate chain[chainlen] ;
- size_t i = chainlen ;
+ br_x509_trust_anchor btas[n ? n : 1] ;
+ unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
- stralloc_shrink(&storage) ;
- while (i--)
+ for (size_t i = 0 ; i < chainlen ; i++)
sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ;
genalloc_free(sbearssl_cert, &certs) ;
+ for (size_t i = 0 ; i < n ; i++)
+ sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ;
+ genalloc_free(sbearssl_ta, &tas) ;
+
switch (skey.type)
{
case BR_KEYTYPE_RSA :
@@ -82,19 +64,23 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
break ;
}
default :
- strerr_dief1x(96, "unsupported private key type") ;
+ strerr_dief1x(96, "unsupported private key type") ;
}
{
uint32_t flags = BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION ;
- if (preoptions & 1)
- {
- /* br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ; */
- if (!(preoptions & 2)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ;
- }
+ if (!(preoptions & 2)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ;
br_ssl_engine_add_flags(&sc.eng, flags) ;
}
+ if (n)
+ {
+ sbearssl_x509_minimal_init_with_engine(&xc, &sc.eng, btas, n) ;
+ if (!sbearssl_x509_minimal_set_tain(&xc, &STAMP))
+ strerr_diefu1sys(111, "initialize validation time") ;
+ br_ssl_server_set_trust_anchor_names_alt(&sc, btas, n) ;
+ }
+
random_string((char *)buf, 32) ;
random_finish() ;
br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ;