tenzir · lava · Feb 3, 2023 · Feb 3, 2023 · Feb 3, 2023 · Feb 15, 2023
diff --git a/libcaf_openssl/caf/openssl/session.hpp b/libcaf_openssl/caf/openssl/session.hpp
@@ -41,7 +41,7 @@ class CAF_OPENSSL_EXPORT session {
   rw_state read_some(size_t& result, native_socket fd, void* buf, size_t len);
   rw_state
   write_some(size_t& result, native_socket fd, const void* buf, size_t len);
-  bool try_connect(native_socket fd);
+  bool try_connect(native_socket fd, const std::string& sni_servername);
   bool try_accept(native_socket fd);
 
   bool must_read_more(native_socket, size_t threshold);
@@ -68,6 +68,7 @@ using session_ptr = std::unique_ptr<session>;
 
 /// @relates session
 CAF_OPENSSL_EXPORT session_ptr make_session(actor_system& sys, native_socket fd,
+                                            const std::string& servername,
                                             bool from_accepted_socket);
 
 } // namespace caf::openssl
diff --git a/libcaf_openssl/src/openssl/middleman_actor.cpp b/libcaf_openssl/src/openssl/middleman_actor.cpp
@@ -213,7 +213,7 @@ class doorman_impl : public io::network::doorman_impl {
     auto fd = acceptor_.accepted_socket();
     detail::socket_guard sguard{fd};
     io::network::nonblocking(fd, true);
-    auto sssn = make_session(parent()->system(), fd, true);
+    auto sssn = make_session(parent()->system(), fd, "", true);
     if (sssn == nullptr) {
       CAF_LOG_ERROR("Unable to create SSL session for accepted socket");
       return false;
@@ -245,7 +245,7 @@ class middleman_actor_impl : public io::middleman_actor_impl {
     if (!fd)
       return std::move(fd.error());
     io::network::nonblocking(*fd, true);
-    auto sssn = make_session(system(), *fd, false);
+    auto sssn = make_session(system(), *fd, host, false);
     if (!sssn) {
       CAF_LOG_ERROR("Unable to create SSL session for connection");
       return sec::cannot_connect_to_node;

diff --git a/libcaf_openssl/src/openssl/session.cpp b/libcaf_openssl/src/openssl/session.cpp
@@ -4,6 +4,9 @@
 
 #include "caf/openssl/session.hpp"
 
+#include <optional>
+#include <openssl/decoder.h>
+
 CAF_PUSH_WARNINGS
 #include <openssl/err.h>
 CAF_POP_WARNINGS
@@ -56,6 +59,33 @@ int pem_passwd_cb(char* buf, int size, int, void* ptr) {
   return static_cast<int>(strlen(buf));
 }
 
+// If the input is a string like `env:SOME_VARIABLE` and the environment variable
+// `SOME_VARIABLE` exists, returns a string with the value of `SOME_VARIABLE`.
+// Otherwise, returns `std::nullopt`.
+std::optional<std::string> contents_from_indirect_envvar(const std::string& str) {
+  if (str.find("env:") != 0)
+    return std::nullopt;
+  auto var = str.substr(4);
+  auto const* contents = ::getenv(var.c_str());
+  if (contents == nullptr)
+    return std::nullopt;
+  return std::string{contents};
+}
+
+// If the input is a string like `env:SOME_VARIABLE` and the environment variable
+// `SOME_VARIABLE` exists, returns a string with the value of `SOME_VARIABLE`.
+std::optional<std::string> tmpfile_from_indirect_envvar(const std::string& str) {
+  auto contents = contents_from_indirect_envvar(str);
+  if (!contents)
+    return contents;  
+  auto filename = std::string{"/tmp/caf-openssl.XXXXXX"};
+  ::mkstemp(&filename[0]);
+  std::ofstream ofs(filename);
+  ofs << *contents;
+  ofs.close();
+  return filename;
+}
+
 } // namespace
 
 session::session(actor_system& sys)
@@ -154,11 +184,20 @@ rw_state session::write_some(size_t& result, native_socket, const void* buf,
   return do_some(wr_fun, result, const_cast<void*>(buf), len, "write_some");
 }
 
-bool session::try_connect(native_socket fd) {
+bool session::try_connect(native_socket fd, const std::string& sni_servername) {
   CAF_LOG_TRACE(CAF_ARG(fd));
   CAF_BLOCK_SIGPIPE();
   SSL_set_fd(ssl_, fd);
   SSL_set_connect_state(ssl_);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  // FIXME: Re-enable this.
+  // Enable hostname validation.
+  // SSL_set_hostflags(ssl_, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+  // if (SSL_set1_host(ssl_, sni_servername.c_str()) != 1)
+  //   return false;
+#endif
+  // Send SNI when connecting.
+  SSL_set_tlsext_host_name(ssl_, sni_servername.c_str());
   auto ret = SSL_connect(ssl_);
   if (ret == 1)
     return true;
@@ -198,16 +237,47 @@ SSL_CTX* session::create_ssl_context() {
   if (sys_.openssl_manager().authentication_enabled()) {
     // Require valid certificates on both sides.
     auto& cfg = sys_.config();
-    if (!cfg.openssl_certificate.empty()
+    // OpenSSL doesn't expose an API to read a certificate chain PEM from
+    // memory (as far as I can tell, there might be something in OSSL_DECODER)
+    // and the implementation of `SSL_CTX_use_certificate_chain_file`
+    // is huge, so we just write into a temporary file.
+    if (auto filename = tmpfile_from_indirect_envvar(cfg.openssl_certificate)) {
+      if (SSL_CTX_use_certificate_chain_file(ctx, filename->c_str())
+             != 1)
+        CAF_RAISE_ERROR("cannot load certificate from environt variable");
+    } else if (!cfg.openssl_certificate.empty()
         && SSL_CTX_use_certificate_chain_file(ctx,
                                               cfg.openssl_certificate.c_str())
-             != 1)
+             != 1) {
       CAF_RAISE_ERROR("cannot load certificate");
+    }
     if (!cfg.openssl_passphrase.empty()) {
       openssl_passphrase_ = cfg.openssl_passphrase;
       SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
       SSL_CTX_set_default_passwd_cb_userdata(ctx, this);
     }
+    if (auto var = contents_from_indirect_envvar(cfg.openssl_key)) {
+      EVP_PKEY *pkey = nullptr;
+      const char *format = "PEM";   // NULL for any format
+      const char *structure = nullptr; // Any structure
+      const char *keytype = nullptr;  // Any key
+      auto const* datap = reinterpret_cast<const unsigned char*>(var->data());
+      auto len = var->size();
+      int selection = 0; // Autodetect selection.
+      // TODO: We might as well read `openssl_passphrase` here and pass it
+      // to the decoder.
+      auto* dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, format, structure,
+                                     keytype,
+                                     selection,
+                                     nullptr, nullptr);
+      if (dctx == nullptr)
+        CAF_RAISE_ERROR("couldn't create openssl decoder context");
+      if (OSSL_DECODER_from_data(dctx, &datap, &len) != 0)
+        CAF_RAISE_ERROR("failed to decode private key");
+      // Use the private key.
+      SSL_CTX_use_PrivateKey(ctx, pkey);
+      OSSL_DECODER_CTX_free(dctx);
+    }
     if (!cfg.openssl_key.empty()
         && SSL_CTX_use_PrivateKey_file(ctx, cfg.openssl_key.c_str(),
                                        SSL_FILETYPE_PEM)
@@ -217,6 +287,9 @@ SSL_CTX* session::create_ssl_context() {
                                                : nullptr);
     auto capath = (!cfg.openssl_capath.empty() ? cfg.openssl_capath.c_str()
                                                : nullptr);
+    auto tmpfile = tmpfile_from_indirect_envvar(cafile);
+    if (tmpfile)
+      cafile = tmpfile->c_str();
     if (cafile || capath) {
       if (SSL_CTX_load_verify_locations(ctx, cafile, capath) != 1)
         CAF_RAISE_ERROR("cannot load trusted CA certificates");
@@ -285,6 +358,7 @@ bool session::handle_ssl_result(int ret) {
 }
 
 session_ptr make_session(actor_system& sys, native_socket fd,
+                         const std::string& servername,
                          bool from_accepted_socket) {
   session_ptr ptr{new session(sys)};
   if (!ptr->init())
@@ -293,7 +367,7 @@ session_ptr make_session(actor_system& sys, native_socket fd,
     if (!ptr->try_accept(fd))
       return nullptr;
   } else {
-    if (!ptr->try_connect(fd))
+    if (!ptr->try_connect(fd, servername))
       return nullptr;
   }
   return ptr;