diff options
Diffstat (limited to 'src/sbearssl/sbearssl_server_init_and_run.c')
| -rw-r--r-- | src/sbearssl/sbearssl_server_init_and_run.c | 64 |
1 files changed, 25 insertions, 39 deletions
diff --git a/src/sbearssl/sbearssl_server_init_and_run.c b/src/sbearssl/sbearssl_server_init_and_run.c index a7ae22b..e6df30e 100644 --- a/src/sbearssl/sbearssl_server_init_and_run.c +++ b/src/sbearssl/sbearssl_server_init_and_run.c @@ -15,51 +15,33 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, sbearssl_handshake_cb_t_ref cb, unsigned int notif) { - stralloc storage = STRALLOC_ZERO ; sbearssl_skey skey ; - genalloc certs = GENALLOC_ZERO ; - size_t chainlen ; - - if (preoptions & 1) - strerr_dief1x(100, "client certificates are not supported yet") ; - - { - char const *x = getenv("KEYFILE") ; - int r ; - if (!x) strerr_dienotset(100, "KEYFILE") ; - r = sbearssl_skey_readfile(x, &skey, &storage) ; - if (r < 0) - strerr_diefu2sys(111, "read private key in ", x) ; - else if (r) - strerr_diefu4x(96, "decode private key in ", x, ": ", sbearssl_error_str(r)) ; - - x = getenv("CERTFILE") ; - if (!x) strerr_dienotset(100, "CERTFILE") ; - r = sbearssl_cert_readbigpem(x, &certs, &storage) ; - if (r < 0) - strerr_diefu2sys(111, "read certificate chain in ", x) ; - else if (r) - strerr_diefu4sys(96, "read certificate chain in ", x, ": ", sbearssl_error_str(r)) ; - chainlen = genalloc_len(sbearssl_cert, &certs) ; - if (!chainlen) - strerr_diefu2x(96, "find a certificate in ", x) ; - } + genalloc certs = GENALLOC_ZERO ; /* sbearssl_cert */ + genalloc tas = GENALLOC_ZERO ; /* sbearssl_ta */ + stralloc storage = STRALLOC_ZERO ; + size_t chainlen = sbearssl_get_keycert(&skey, &certs, &storage) ; + size_t n = preoptions & 1 ? sbearssl_get_tas(&tas, &storage) : 0 ; sbearssl_drop() ; + stralloc_shrink(&storage) ; { sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ; - unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; - br_ssl_server_context sc ; union br_skey_u key ; + br_ssl_server_context sc ; + br_x509_minimal_context xc ; br_x509_certificate chain[chainlen] ; - size_t i = chainlen ; + br_x509_trust_anchor btas[n ? n : 1] ; + unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; - stralloc_shrink(&storage) ; - while (i--) + for (size_t i = 0 ; i < chainlen ; i++) sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ; genalloc_free(sbearssl_cert, &certs) ; + for (size_t i = 0 ; i < n ; i++) + sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ; + genalloc_free(sbearssl_ta, &tas) ; + switch (skey.type) { case BR_KEYTYPE_RSA : @@ -82,19 +64,23 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti break ; } default : - strerr_dief1x(96, "unsupported private key type") ; + strerr_dief1x(96, "unsupported private key type") ; } { uint32_t flags = BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION ; - if (preoptions & 1) - { - /* br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ; */ - if (!(preoptions & 2)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ; - } + if (!(preoptions & 2)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ; br_ssl_engine_add_flags(&sc.eng, flags) ; } + if (n) + { + sbearssl_x509_minimal_init_with_engine(&xc, &sc.eng, btas, n) ; + if (!sbearssl_x509_minimal_set_tain(&xc, &STAMP)) + strerr_diefu1sys(111, "initialize validation time") ; + br_ssl_server_set_trust_anchor_names_alt(&sc, btas, n) ; + } + random_string((char *)buf, 32) ; random_finish() ; br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ; |
