mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-03-03 07:29:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Redbean SSL identification (#360)

Browse source 
* Let Fetch() be used earlier in initialization
* Have ssl log messages show cert name
* Introduce GetSslIdentity Lua API
This commit is contained in:
Paul Kulchenko 2022-03-14 17:11:05 -07:00 committed by GitHub
parent abac6f729c
commit 22409b2b5e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 59 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
tool/net/help.txt
View file

@ -672,6 +672,10 @@ FUNCTIONS
GetScheme() → str GetScheme() → str
Returns scheme from Request-URL, if any. Returns scheme from Request-URL, if any.
GetSslIdentity() → str
Returns certificate subject or PSK identity from the current SSL
session. `nil` is returned for regular (non-SSL) connections.
GetStatus() → int GetStatus() → int
Returns current status (as set by an earlier SetStatus call) or Returns current status (as set by an earlier SetStatus call) or
`nil` if the status hasn't been set yet. `nil` if the status hasn't been set yet.

71
tool/net/redbean.c
View file

@ -347,6 +347,7 @@ static bool invalidated;
static bool logmessages; static bool logmessages;
static bool isinitialized; static bool isinitialized;
static bool checkedmethod; static bool checkedmethod;
static bool sslinitialized;
static bool sslfetchverify; static bool sslfetchverify;
static bool sslclientverify; static bool sslclientverify;
static bool connectionclose; static bool connectionclose;
@ -371,6 +372,7 @@ static int client;
static int changeuid; static int changeuid;
static int changegid; static int changegid;
static int statuscode; static int statuscode;
static int sslpskindex;
static int oldloglevel; static int oldloglevel;
static int maxpayloadsize; static int maxpayloadsize;
static int messageshandled; static int messageshandled;
@ -448,6 +450,8 @@ static char *HandleAsset(struct Asset *, const char *, size_t);
static char *ServeAsset(struct Asset *, const char *, size_t); static char *ServeAsset(struct Asset *, const char *, size_t);
static char *SetStatus(unsigned, const char *); static char *SetStatus(unsigned, const char *);
static void TlsInit(void);
static void OnChld(void) { static void OnChld(void) {
zombied = true; zombied = true;
} }
@ -601,9 +605,9 @@ static void InternCertificate(mbedtls_x509_crt *cert, mbedtls_x509_crt *prev) {
} }
} }
if (mbedtls_x509_time_is_past(&cert->valid_to)) { if (mbedtls_x509_time_is_past(&cert->valid_to)) {
WARNF("(ssl) certificate is expired", gc(FormatX509Name(&cert->subject))); WARNF("(ssl) certificate %`'s is expired", gc(FormatX509Name(&cert->subject)));
} else if (mbedtls_x509_time_is_future(&cert->valid_from)) { } else if (mbedtls_x509_time_is_future(&cert->valid_from)) {
WARNF("(ssl) certificate is from the future", WARNF("(ssl) certificate %`'s is from the future",
gc(FormatX509Name(&cert->subject))); gc(FormatX509Name(&cert->subject)));
} }
for (i = 0; i < certs.n; ++i) { for (i = 0; i < certs.n; ++i) {
@ -1470,6 +1474,8 @@ static int TlsRoutePsk(void *ctx, mbedtls_ssl_context *ssl,
psks.p[i].identity_len)) { psks.p[i].identity_len)) {
DEBUGF("(ssl) TlsRoutePsk(%`'.*s)", identity_len, identity); DEBUGF("(ssl) TlsRoutePsk(%`'.*s)", identity_len, identity);
mbedtls_ssl_set_hs_psk(ssl, psks.p[i].key, psks.p[i].key_len); mbedtls_ssl_set_hs_psk(ssl, psks.p[i].key, psks.p[i].key_len);
// keep track of selected psk to report its identity
sslpskindex = i+1; // use index+1 to check against 0 (when not set)
return 0; return 0;
} }
} }
@ -1489,6 +1495,7 @@ static bool TlsSetup(void) {
g_bio.a = 0; g_bio.a = 0;
g_bio.b = 0; g_bio.b = 0;
g_bio.c = 0; g_bio.c = 0;
sslpskindex = 0;
for (;;) { for (;;) {
if (!(r = mbedtls_ssl_handshake(&ssl)) && TlsFlush(&g_bio, 0, 0) != -1) { if (!(r = mbedtls_ssl_handshake(&ssl)) && TlsFlush(&g_bio, 0, 0) != -1) {
LockInc(&shared->c.sslhandshakes); LockInc(&shared->c.sslhandshakes);
@ -3191,6 +3198,25 @@ static int LuaGetStatus(lua_State *L) {
return 1; return 1;
} }
static int LuaGetSslIdentity(lua_State *L) {
const mbedtls_x509_crt *cert;
OnlyCallDuringRequest(L, "GetSslIdentity");
if (!usessl) {
lua_pushnil(L);
} else {
if (sslpskindex) {
CHECK((sslpskindex-1) >= 0 && (sslpskindex-1) < psks.n);
lua_pushlstring(L, psks.p[sslpskindex-1].identity,
psks.p[sslpskindex-1].identity_len);
} else {
cert = mbedtls_ssl_get_peer_cert(&ssl);
lua_pushstring(L, cert ? gc(FormatX509Name(&cert->subject)) : "");
}
}
return 1;
}
static int LuaServeError(lua_State *L) { static int LuaServeError(lua_State *L) {
return LuaRespond(L, ServeError); return LuaRespond(L, ServeError);
} }
@ -3565,12 +3591,6 @@ static int LuaFetch(lua_State *L) {
.ai_protocol = IPPROTO_TCP, .ai_protocol = IPPROTO_TCP,
.ai_flags = AI_NUMERICSERV}; .ai_flags = AI_NUMERICSERV};
if (!isinitialized) {
luaL_error(L, "Fetch() can't be called from .init.lua global scope;"
" try calling it from your OnServerStart() hook");
unreachable;
}
/* /*
* Get args: url [, body | {method = "PUT", body = "..."}] * Get args: url [, body | {method = "PUT", body = "..."}]
*/ */
@ -3622,6 +3642,9 @@ static int LuaFetch(lua_State *L) {
unreachable; unreachable;
} }
} }
if (usessl && !sslinitialized) TlsInit();
if (url.host.n) { if (url.host.n) {
host = gc(strndup(url.host.p, url.host.n)); host = gc(strndup(url.host.p, url.host.n));
if (url.port.n) { if (url.port.n) {
@ -5153,6 +5176,11 @@ static int LuaProgramSslFetchVerify(lua_State *L) {
return LuaProgramBool(L, &sslfetchverify); return LuaProgramBool(L, &sslfetchverify);
} }
static int LuaProgramSslInit(lua_State *L) {
TlsInit();
return 0;
}
static int LuaProgramLogMessages(lua_State *L) { static int LuaProgramLogMessages(lua_State *L) {
return LuaProgramBool(L, &logmessages); return LuaProgramBool(L, &logmessages);
} }
@ -5601,6 +5629,7 @@ static const luaL_Reg kLuaFuncs[] = {
{"GetRemoteAddr", LuaGetRemoteAddr}, // {"GetRemoteAddr", LuaGetRemoteAddr}, //
{"GetScheme", LuaGetScheme}, // {"GetScheme", LuaGetScheme}, //
{"GetServerAddr", LuaGetServerAddr}, // {"GetServerAddr", LuaGetServerAddr}, //
{"GetSslIdentity", LuaGetSslIdentity}, //
{"GetStatus", LuaGetStatus}, // {"GetStatus", LuaGetStatus}, //
{"GetTime", LuaGetTime}, // {"GetTime", LuaGetTime}, //
{"GetUrl", LuaGetUrl}, // {"GetUrl", LuaGetUrl}, //
@ -5651,6 +5680,7 @@ static const luaL_Reg kLuaFuncs[] = {
{"ProgramSslCiphersuite", LuaProgramSslCiphersuite}, // {"ProgramSslCiphersuite", LuaProgramSslCiphersuite}, //
{"ProgramSslClientVerify", LuaProgramSslClientVerify}, // {"ProgramSslClientVerify", LuaProgramSslClientVerify}, //
{"ProgramSslCompression", LuaProgramSslCompression}, // {"ProgramSslCompression", LuaProgramSslCompression}, //
{"ProgramSslInit", LuaProgramSslInit}, //
{"ProgramSslFetchVerify", LuaProgramSslFetchVerify}, // {"ProgramSslFetchVerify", LuaProgramSslFetchVerify}, //
{"ProgramSslPresharedKey", LuaProgramSslPresharedKey}, // {"ProgramSslPresharedKey", LuaProgramSslPresharedKey}, //
{"ProgramSslTicketLifetime", LuaProgramSslTicketLifetime}, // {"ProgramSslTicketLifetime", LuaProgramSslTicketLifetime}, //
@ -6973,14 +7003,19 @@ static void SigInit(void) {
static void TlsInit(void) { static void TlsInit(void) {
#ifndef UNSECURE #ifndef UNSECURE
int suite; int suite;
InitializeRng(&rng);
InitializeRng(&rngcli); if (!sslinitialized) {
cachain = GetSslRoots(); InitializeRng(&rng);
suite = suiteb ? MBEDTLS_SSL_PRESET_SUITEB : MBEDTLS_SSL_PRESET_SUITEC; InitializeRng(&rngcli);
mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER, cachain = GetSslRoots();
MBEDTLS_SSL_TRANSPORT_STREAM, suite); suite = suiteb ? MBEDTLS_SSL_PRESET_SUITEB : MBEDTLS_SSL_PRESET_SUITEC;
mbedtls_ssl_config_defaults(&confcli, MBEDTLS_SSL_IS_CLIENT, mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM, suite); MBEDTLS_SSL_TRANSPORT_STREAM, suite);
mbedtls_ssl_config_defaults(&confcli, MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM, suite);
}
// the following setting can be re-applied even when SSL/TLS is initialized
if (suites.n) { if (suites.n) {
mbedtls_ssl_conf_ciphersuites(&conf, suites.p); mbedtls_ssl_conf_ciphersuites(&conf, suites.p);
mbedtls_ssl_conf_ciphersuites(&confcli, suites.p); mbedtls_ssl_conf_ciphersuites(&confcli, suites.p);
@ -6997,6 +7032,10 @@ static void TlsInit(void) {
mbedtls_ssl_conf_session_tickets_cb(&conf, mbedtls_ssl_ticket_write, mbedtls_ssl_conf_session_tickets_cb(&conf, mbedtls_ssl_ticket_write,
mbedtls_ssl_ticket_parse, &ssltick); mbedtls_ssl_ticket_parse, &ssltick);
} }
if (sslinitialized) return;
sslinitialized = true;
LoadCertificates(); LoadCertificates();
mbedtls_ssl_conf_sni(&conf, TlsRoute, 0); mbedtls_ssl_conf_sni(&conf, TlsRoute, 0);
mbedtls_ssl_conf_dbg(&conf, TlsDebug, 0); mbedtls_ssl_conf_dbg(&conf, TlsDebug, 0);