summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLaurent Bercot <ska-skaware@skarnet.org>2021-05-28 01:05:56 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2021-05-28 01:05:56 +0000
commit02afa553cc33400ead38ac85f8f7f2f3fe79f49d (patch)
treed0d22ad521d9d3b8e28af128bae0ec796b35ff74
parentd5ce828c97505e429e0cc87b5e87da4f7d291ad4 (diff)
downloads6-networking-02afa553cc33400ead38ac85f8f7f2f3fe79f49d.tar.xz
Server-side SNI, libtls version
Implementation for bearssl coming soon.
-rw-r--r--doc/s6-tlsc.html7
-rw-r--r--doc/s6-tlsd-io.html28
-rw-r--r--doc/s6-tlsd.html33
-rw-r--r--doc/s6-tlsserver.html1
-rw-r--r--doc/s6-ucspitlsd.html26
-rw-r--r--src/stls/stls_server_init_and_handshake.c48
-rw-r--r--src/tls/s6-tlsd-io.c14
-rw-r--r--src/tls/s6-tlsd.c14
-rw-r--r--src/tls/s6-tlsserver.c11
-rw-r--r--src/tls/s6-ucspitlsd.c16
-rw-r--r--src/tls/s6tls-internal.h2
-rw-r--r--src/tls/s6tls_exec_tlsdio.c11
12 files changed, 169 insertions, 42 deletions
diff --git a/doc/s6-tlsc.html b/doc/s6-tlsc.html
index b83ae57..95cc44f 100644
--- a/doc/s6-tlsc.html
+++ b/doc/s6-tlsc.html
@@ -98,6 +98,13 @@ used. </li>
<li> <tt>SSL_TLS_SNI_SERVERNAME</tt> contains <em>servername</em>,
if the <tt>-k</tt> option has been given; otherwise it is removed
from the environment. </li>
+ <li> <tt>SSL_PEER_CERT_HASH</tt> contains the hash of the peer's
+End Entity certificate, prefixed by the name of the hash and a colon
+(typically <tt>SHA256:</tt>). </li>
+ <li> <tt>SSL_PEER_CERT_SUBJECT</tt> contains the decoded subjectDN
+of the peer's End Entity certificate, i.e. identifying information.
+What is traditionally called the "name" of the certificate is the
+CN field in that data. </li>
<li> More similar environment variables containing information
about the connection may be added in the future. </li>
</ul>
diff --git a/doc/s6-tlsd-io.html b/doc/s6-tlsd-io.html
index 29f75c3..b2a4a1e 100644
--- a/doc/s6-tlsd-io.html
+++ b/doc/s6-tlsd-io.html
@@ -38,7 +38,7 @@ the options given when configuring s6-networking.
<h2> Interface </h2>
<pre>
- s6-tlsd-io [ -S | -s ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -d notif ] [ -- ] <em>fdr</em> <em>fdw</em>
+ s6-tlsd-io [ -S | -s ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em>
</pre>
<ul>
@@ -107,7 +107,7 @@ environment variables set:
<li> <tt>KEYFILE</tt>: a path to the file
containing the server's private key, DER- or PEM-encoded. </li>
<li> <tt>CERTFILE</tt>: a path to the file
-containing the server's certificate, DER- or PEM-encoded.
+containing the server's certificate chain, DER- or PEM-encoded.
If PEM-encoded, the file can actually contain a chain
of certificates. </li>
</ul>
@@ -118,6 +118,17 @@ will refuse to run.
</p>
<p>
+ Alternatively, if <em>snilevel</em> is nonzero, the private
+key for the server named <em>x</em> should be held in a file
+whose name is contained in the <tt>KEYFILE:<em>x</em></tt>
+environment variable, and the corresponding certificate chain
+file should be named in the <tt>CERTFILE:<em>x</em></tt>
+environment variable. If <em>snilevel</em> is 2 or more, the
+<tt>KEYFILE</tt> and <tt>CERTFILE</tt> variables will be
+entirely ignored.
+</p>
+
+<p>
If you are using client certificates, <tt>s6-tlsd-io</tt>
also requires either one of the following variables to be set:
</p>
@@ -196,6 +207,19 @@ is not to require a client certificate at all. </li>
to send data for <em>kimeout</em> milliseconds during the handshake,
close the connection. The default is 0, which means infinite timeout
(never kill the connection). </li>
+ <li> <tt>-k&nbsp;<em>snilevel</em></tt>&nbsp;: support alternative
+certificate chains for SNI. If <em>snilevel</em> is nonzero, private
+key file names are read from every environment variable of the form
+<tt>KEYFILE:<em>x</em></tt>, where <em>x</em> is a server name that
+the client may require, and a corresponding certificate chain for the name
+<em>x</em> should exist in the file named after the contents of the
+<tt>CERTFILE:<em>x</em></tt> environment variable. If <em>snilevel</em>
+is 2 or more, <em>only</em> those files are read, and the generic
+<tt>KEYFILE</tt> and <tt>CERTFILE</tt> variables are ignored.
+If <em>snilevel</em> is 0, or if the option is not given, which is the
+default, <tt>KEYFILE</tt> and <tt>CERTFILE</tt> are the only private
+key / certificate chain pair that are loaded, no other environment
+variable is read for keypairs. </li>
<li> <tt>-d&nbsp;<em>notif</em></tt>&nbsp;: handshake notification.
<em>notif</em> must be a file descriptor open for writing. When the
TLS handshake has completed, some data (terminated by two null
diff --git a/doc/s6-tlsd.html b/doc/s6-tlsd.html
index 6b0228f..c1c6a59 100644
--- a/doc/s6-tlsd.html
+++ b/doc/s6-tlsd.html
@@ -38,7 +38,7 @@ the options given when configuring <tt>s6-networking</tt>.
<h2> Interface </h2>
<pre>
- s6-tlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -- ] <em>prog...</em>
+ s6-tlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -- ] <em>prog...</em>
</pre>
<ul>
@@ -78,7 +78,10 @@ So it should pay attention to the following variables:
</p>
<ul>
- <li> <tt>KEYFILE</tt> and <tt>CERTFILE</tt> </li>
+ <li> <tt>KEYFILE</tt> and <tt>CERTFILE</tt>. Also (or alternatively),
+if the <tt>-k</tt> option is given: a series of
+<tt>KEYFILE:<em>x</em></tt> and <tt>CERTFILE:<em>x</em></tt> variables,
+for every <em>x</em> in the set of server names </li>
<li> (if the -y or -Y option has been given) <tt>CADIR</tt> or <tt>CAFILE</tt> </li>
<li> <tt>TLS_UID</tt> and <tt>TLS_GID</tt>
</ul>
@@ -88,10 +91,12 @@ So it should pay attention to the following variables:
<p>
By default, <em>prog...</em> is run with all these
variables <em>unset</em>: CADIR, CAFILE,
-KEYFILE, CERTFILE, TLS_UID and TLS_GID. They're passed to
+KEYFILE, CERTFILE, KEYFILE:<em>x</em> and CERTFILE:<em>x</em> for
+every <em>x</em>, TLS_UID and TLS_GID. They're passed to
the <a href="s6-tlsd-io.html">s6-tlsd-io</a> child but
not to <em>prog...</em>.
-The <tt>-Z</tt> option prevents that behaviour.
+The <tt>-Z</tt> option prevents that behaviour and keeps them
+accessible in the child.
</p>
<p>
@@ -107,6 +112,13 @@ used. </li>
<li> <tt>SSL_TLS_SNI_SERVERNAME</tt> contains the required SNI
server name, if any. It is removed from the environment if no SNI
has been sent by the client. </li>
+ <li> <tt>SSL_PEER_CERT_HASH</tt> contains the hash of the peer's
+End Entity certificate, prefixed by the name of the hash and a colon
+(typically <tt>SHA256:</tt>). </li>
+ <li> <tt>SSL_PEER_CERT_SUBJECT</tt> contains the decoded subjectDN
+of the peer's End Entity certificate, i.e. identifying information.
+What is traditionally called the "name" of the certificate is the
+CN field in that data. </li>
<li> More similar environment variables containing information
about the connection may be added in the future. </li>
</ul>
@@ -136,6 +148,19 @@ is not to require a client certificate at all. </li>
to send data for <em>kimeout</em> milliseconds during the handshake,
close the connection. The default is 0, which means infinite timeout
(never kill the connection). </li>
+ <li> <tt>-k&nbsp;<em>snilevel</em></tt>&nbsp;: support alternative
+certificate chains for SNI. If <em>snilevel</em> is nonzero, private
+key file names are read from every environment variable of the form
+<tt>KEYFILE:<em>x</em></tt>, where <em>x</em> is a server name that
+the client may require, and a corresponding certificate chain for the name
+<em>x</em> should exist in the file named after the contents of the
+<tt>CERTFILE:<em>x</em></tt> environment variable. If <em>snilevel</em>
+is 2 or more, <em>only</em> those files are read, and the generic
+<tt>KEYFILE</tt> and <tt>CERTFILE</tt> variables are ignored.
+If <em>snilevel</em> is 0, or if the option is not given, which is the
+default, <tt>KEYFILE</tt> and <tt>CERTFILE</tt> are the only private
+key / certificate chain pair that are loaded, no other environment
+variable is read for keypairs. </li>
</ul>
<h2> Notes </h2>
diff --git a/doc/s6-tlsserver.html b/doc/s6-tlsserver.html
index 12de659..2ec3327 100644
--- a/doc/s6-tlsserver.html
+++ b/doc/s6-tlsserver.html
@@ -194,6 +194,7 @@ given but no <tt>-i</tt> or <tt>-x</tt> option. </li>
<li> <tt>-S</tt>, <tt>-s</tt> </li>
<li> <tt>-Y</tt>, <tt>-y</tt> </li>
<li> <tt>-K <em>kimeout</em></tt> </li>
+ <li> <tt>-k <em>snilevel</em></tt> </li>
</ul>
<h3> Options passed to s6-applyuidgid </h3>
diff --git a/doc/s6-ucspitlsd.html b/doc/s6-ucspitlsd.html
index 7d7ef9b..be172c0 100644
--- a/doc/s6-ucspitlsd.html
+++ b/doc/s6-ucspitlsd.html
@@ -36,7 +36,7 @@ TLS stack in the server itself.
<h2> Interface </h2>
<pre>
- s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -- ] <em>prog...</em>
+ s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k snilevel ] [ -- ] <em>prog...</em>
</pre>
<ul>
@@ -84,7 +84,10 @@ So it should pay attention to the following variables:
</p>
<ul>
- <li> <tt>CERTFILE</tt> and <tt>KEYFILE</tt> </li>
+ <li> <tt>CERTFILE</tt> and <tt>KEYFILE</tt>. Also (or alternatively),
+if the <tt>-k</tt> option is given: a series of
+<tt>KEYFILE:<em>x</em></tt> and <tt>CERTFILE:<em>x</em></tt> variables,
+for every <em>x</em> in the set of server names </li>
<li> (if the <tt>-Y</tt> or <tt>-y</tt> option has been given) <tt>CADIR</tt> or <tt>CAFILE</tt> </li>
<li> <tt>TLS_UID</tt> and <tt>TLS_GID</tt>
</ul>
@@ -94,10 +97,12 @@ So it should pay attention to the following variables:
<p>
By default, <em>prog...</em> is run with all these
variables <em>unset</em>: CADIR, CAFILE,
-KEYFILE, CERTFILE, TLS_UID and TLS_GID. They're passed to
+KEYFILE, CERTFILE, KEYFILE:<em>x</em> and CERTFILE:<em>x</em> for
+every <em>x</em>, TLS_UID and TLS_GID. The variables are passed to
the <a href="s6-tlsd-io.html">s6-tlsd-io</a> child but
not to <em>prog...</em>.
-The <tt>-Z</tt> option prevents that behaviour.
+The <tt>-Z</tt> option prevents that behaviour and keeps them
+accessible in the child.
</p>
<p>
@@ -150,6 +155,19 @@ is not to require a client certificate at all. </li>
the handshake takes more than <em>kimeout</em> milliseconds to complete.
The default is 0, which means infinite timeout: let the handshake complete
at its own pace, no matter how slow. </li>
+ <li> <tt>-k&nbsp;<em>snilevel</em></tt>&nbsp;: support alternative
+certificate chains for SNI. If <em>snilevel</em> is nonzero, private
+key file names are read from every environment variable of the form
+<tt>KEYFILE:<em>x</em></tt>, where <em>x</em> is a server name that
+the client may require, and a corresponding certificate chain for the name
+<em>x</em> should exist in the file named after the contents of the
+<tt>CERTFILE:<em>x</em></tt> environment variable. If <em>snilevel</em>
+is 2 or more, <em>only</em> those files are read, and the generic
+<tt>KEYFILE</tt> and <tt>CERTFILE</tt> variables are ignored.
+If <em>snilevel</em> is 0, or if the option is not given, which is the
+default, <tt>KEYFILE</tt> and <tt>CERTFILE</tt> are the only private
+key / certificate chain pair that are loaded, no other environment
+variable is read for keypairs. </li>
</ul>
<h2> Notes </h2>
diff --git a/src/stls/stls_server_init_and_handshake.c b/src/stls/stls_server_init_and_handshake.c
index 4a5b2ff..2cc9585 100644
--- a/src/stls/stls_server_init_and_handshake.c
+++ b/src/stls/stls_server_init_and_handshake.c
@@ -4,6 +4,8 @@
#include <tls.h>
+#include <skalibs/posixplz.h>
+#include <skalibs/bytestr.h>
#include <skalibs/strerr2.h>
#include <s6-networking/stls.h>
@@ -23,15 +25,40 @@ struct tls *stls_server_init_and_handshake (int const *fds, tain_t const *tto, u
cfg = tls_config_new() ;
if (!cfg) strerr_diefu1sys(111, "tls_config_new") ;
- x = getenv("CERTFILE") ;
- if (!x) strerr_dienotset(100, "CERTFILE") ;
- if (tls_config_set_cert_file(cfg, x) < 0)
- diecfg(cfg, "tls_config_set_cert_file") ;
-
- x = getenv("KEYFILE") ;
- if (!x) strerr_dienotset(100, "KEYFILE") ;
- if (tls_config_set_key_file(cfg, x) < 0)
- diecfg(cfg, "tls_config_set_key_file") ;
+ if (!(preoptions & 8)) /* snilevel < 2 */
+ {
+ char const *y = getenv("CERTFILE") ;
+ if (!y) strerr_dienotset(100, "CERTFILE") ;
+ x = getenv("KEYFILE") ;
+ if (!x) strerr_dienotset(100, "KEYFILE") ;
+ if (tls_config_set_keypair_file(cfg, y, x) < 0)
+ diecfg(cfg, "tls_config_set_keypair_file") ;
+ }
+ if (preoptions & 4) /* snilevel > 0 */
+ {
+ char const *const *envp = (char const *const *)environ ;
+ for (; *envp ; envp++)
+ {
+ if (str_start(*envp, "KEYFILE:"))
+ {
+ size_t len = strlen(*envp) ;
+ size_t kequal = byte_chr(*envp, len, '=') ;
+ if (kequal == len) strerr_dief1x(100, "invalid environment") ;
+ if (kequal != 8)
+ {
+ char certvar[len - kequal + 10] ;
+ memcpy(certvar, "CERTFILE:", 9 ;
+ memcpy(certvar + 9, *envp + 8, kequal - 8) ;
+ certvar[kequal + 1] = 0 ;
+ x = getenv(certvar) ;
+ if (!x)
+ strerr_dief3x("environment variable KEYFILE:", certvar + 9, " not paired with the corresponding CERTFILE") ;
+ else if (tls_config_add_keypair_file(cfg, x, *envp + kequal + 1) < 0)
+ diecfg(cfg, "tls_config_add_keypair_file") ;
+ }
+ }
+ }
+ }
stls_drop() ;
@@ -76,7 +103,8 @@ struct tls *stls_server_init_and_handshake (int const *fds, tain_t const *tto, u
tls_config_free(cfg) ;
if (tls_accept_fds(sctx, &ctx, fds[0], fds[1]) < 0)
diectx(97, sctx, "tls_accept_fds") ;
- tls_free(sctx) ;
+ /* We can't free sctx, ctx has pointers into it! Stupid API. We let sctx leak. */
+ /* tls_free(sctx) ; */
stls_handshake(ctx, tto) ;
return ctx ;
}
diff --git a/src/tls/s6-tlsd-io.c b/src/tls/s6-tlsd-io.c
index 060537a..f4a58ce 100644
--- a/src/tls/s6-tlsd-io.c
+++ b/src/tls/s6-tlsd-io.c
@@ -13,7 +13,7 @@
#include <s6-networking/config.h>
-#define USAGE "s6-tlsd-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] fdr fdw"
+#define USAGE "s6-tlsd-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -k snilevel ] fdr fdw"
#define dieusage() strerr_dieusage(100, USAGE)
static inline void doit (int *, tain_t const *tto, uint32_t, uint32_t, unsigned int, unsigned int) gccattr_noreturn ;
@@ -66,7 +66,7 @@ static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint3
#endif
#endif
-int main (int argc, char const *const *argv, char const *const *envp)
+int main (int argc, char const *const *argv)
{
tain_t tto ;
int fds[4] = { 0, 1, 0, 1 } ;
@@ -81,7 +81,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
unsigned int t = 0 ;
for (;;)
{
- int opt = subgetopt_r(argc, argv, "d:SsYyv:K:", &l) ;
+ int opt = subgetopt_r(argc, argv, "d:SsYyv:K:k:", &l) ;
if (opt == -1) break ;
switch (opt)
{
@@ -92,6 +92,14 @@ int main (int argc, char const *const *argv, char const *const *envp)
case 'Y' : preoptions |= 1 ; preoptions &= ~2 ; break ;
case 'y' : preoptions |= 3 ; break ;
case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
+ case 'k' :
+ {
+ unsigned int snilevel ;
+ if (!uint0_scan(l.arg, &snilevel)) dieusage() ;
+ if (snilevel) preoptions |= 4 ;
+ if (snilevel >= 2) preoptions |= 8 ;
+ break ;
+ }
default : dieusage() ;
}
}
diff --git a/src/tls/s6-tlsd.c b/src/tls/s6-tlsd.c
index 361502e..9432bd7 100644
--- a/src/tls/s6-tlsd.c
+++ b/src/tls/s6-tlsd.c
@@ -12,24 +12,25 @@
#include "s6tls-internal.h"
-#define USAGE "s6-tlsd [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] prog..."
+#define USAGE "s6-tlsd [ -S | -s ] [ -Y | -y ] [ -k snilevel ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] prog..."
#define dieusage() strerr_dieusage(100, USAGE)
-static void child (int const [4][2], uint32_t, unsigned int, unsigned int) gccattr_noreturn ;
-static void child (int const p[4][2], uint32_t options, unsigned int verbosity, unsigned int kimeout)
+static void child (int const [4][2], uint32_t, unsigned int, unsigned int, unsigned int) gccattr_noreturn ;
+static void child (int const p[4][2], uint32_t options, unsigned int verbosity, unsigned int kimeout, unsigned int snilevel)
{
int fds[3] = { p[0][0], p[1][1], p[2][1] } ;
PROG = "s6-tlsd (child)" ;
close(p[2][0]) ;
close(p[0][1]) ;
close(p[1][0]) ;
- s6tls_exec_tlsdio(fds, options, verbosity, kimeout) ;
+ s6tls_exec_tlsdio(fds, options, verbosity, kimeout, snilevel) ;
}
int main (int argc, char const *const *argv)
{
unsigned int verbosity = 1 ;
unsigned int kimeout = 0 ;
+ unsigned int snilevel = 0 ;
int p[4][2] = { [3] = { 0, 1 } } ;
uint32_t coptions = 0 ;
uint32_t poptions = 1 ;
@@ -40,7 +41,7 @@ int main (int argc, char const *const *argv)
subgetopt_t l = SUBGETOPT_ZERO ;
for (;;)
{
- int opt = subgetopt_r(argc, argv, "SsYyv:K:Zz", &l) ;
+ int opt = subgetopt_r(argc, argv, "SsYyv:K:Zzk:", &l) ;
if (opt == -1) break ;
switch (opt)
{
@@ -52,6 +53,7 @@ int main (int argc, char const *const *argv)
case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ;
case 'Z' : poptions &= ~1 ; break ;
case 'z' : poptions |= 1 ; break ;
+ case 'k' : if (!uint0_scan(l.arg, &snilevel)) dieusage() ; break ;
default : dieusage() ;
}
}
@@ -65,7 +67,7 @@ int main (int argc, char const *const *argv)
switch (pid)
{
case -1 : strerr_diefu1sys(111, "fork") ;
- case 0 : child(p, coptions, verbosity, kimeout) ;
+ case 0 : child(p, coptions, verbosity, kimeout, snilevel) ;
default : break ;
}
s6tls_sync_and_exec_app(argv, p, pid, poptions) ;
diff --git a/src/tls/s6-tlsserver.c b/src/tls/s6-tlsserver.c
index 0a6ae78..623bbfa 100644
--- a/src/tls/s6-tlsserver.c
+++ b/src/tls/s6-tlsserver.c
@@ -15,7 +15,7 @@
#define USAGE "s6-tlsserver [ -e ] [ options ] ip port prog...\n" \
"s6-tcpserver options: [ -q | -Q | -v ] [ -4 | -6 ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gidlist ] [ -g gid ] [ -u uid ] [ -U ]\n" \
"s6-tcpserver-access options: [ -W | -w ] [ -D | -d ] [ -H | -h ] [ -R | -r ] [ -P | -p ] [ -l localname ] [ -B banner ] [ -t timeout ] [ -i rulesdir | -x rulesfile ]\n" \
-"s6-tlsd options: [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -Z | -z ]"
+"s6-tlsd options: [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -Z | -z ] [ -k snilevel ]"
#define dieusage() strerr_dieusage(100, USAGE)
@@ -34,6 +34,7 @@ struct options_s
unsigned int backlog ;
unsigned int timeout ;
unsigned int kimeout ;
+ unsigned int snilevel ;
unsigned int verbosity : 2 ;
unsigned int flag46 : 2 ;
unsigned int flag1 : 1 ;
@@ -66,6 +67,7 @@ struct options_s
.timeout = 0, \
.kimeout = 0, \
.verbosity = 1, \
+ .snilevel = 0, \
.flag46 = 0, \
.flag1 = 0, \
.flagU = 0, \
@@ -91,7 +93,7 @@ int main (int argc, char const *const *argv)
subgetopt_t l = SUBGETOPT_ZERO ;
for (;;)
{
- int opt = subgetopt_r(argc, argv, "qQv461c:C:b:G:g:u:UWwDdHhRrPpleB:t:i:x:SsYyK:Zz", &l) ;
+ int opt = subgetopt_r(argc, argv, "qQv461c:C:b:G:g:u:UWwDdHhRrPpleB:t:i:x:SsYyK:Zzk:", &l) ;
if (opt == -1) break ;
switch (opt)
{
@@ -131,6 +133,7 @@ int main (int argc, char const *const *argv)
case 'K' : if (!uint0_scan(l.arg, &o.kimeout)) dieusage() ; break ;
case 'Z' : o.flagZ = 1 ; break ;
case 'z' : o.flagZ = 0 ; break ;
+ case 'k' : if (!uint0_scan(l.arg, &o.snilevel)) dieusage() ; break ;
default : dieusage() ;
}
}
@@ -142,7 +145,7 @@ int main (int argc, char const *const *argv)
size_t pos = 0 ;
unsigned int m = 0 ;
char fmt[UINT_FMT * 5 + UID_FMT + GID_FMT * (NGROUPS_MAX + 1)] ;
- char const *newargv[45 + argc] ;
+ char const *newargv[46 + argc] ;
newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver" ;
if (o.verbosity != 1) newargv[m++] = o.verbosity ? "-v" : "-q" ;
if (o.flag46) newargv[m++] = o.flag46 == 1 ? "-4" : "-6" ;
@@ -223,6 +226,8 @@ int main (int argc, char const *const *argv)
fmt[pos++] = 0 ;
}
if (o.flagZ) newargv[m++] = "-Z" ;
+ if (o.snilevel >= 2) newargv[m++] = "-k2" ;
+ else if (o.snilevel) newargv[m++] = "-k1" ;
newargv[m++] = "--" ;
if (o.doapply)
{
diff --git a/src/tls/s6-ucspitlsd.c b/src/tls/s6-ucspitlsd.c
index 2ece32f..d24cf99 100644
--- a/src/tls/s6-ucspitlsd.c
+++ b/src/tls/s6-ucspitlsd.c
@@ -13,11 +13,11 @@
#include <s6-networking/config.h>
#include "s6tls-internal.h"
-#define USAGE "s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] prog..."
+#define USAGE "s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -k snilevel ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] prog..."
#define dieusage() strerr_dieusage(100, USAGE)
-static inline void child (int [4][2], uint32_t, unsigned int, unsigned int) gccattr_noreturn ;
-static inline void child (int p[4][2], uint32_t options, unsigned int verbosity, unsigned int kimeout)
+static inline void child (int [4][2], uint32_t, unsigned int, unsigned int, unsigned int) gccattr_noreturn ;
+static inline void child (int p[4][2], uint32_t options, unsigned int verbosity, unsigned int kimeout, unsigned int snilevel)
{
int fds[3] = { p[0][0], p[1][1], p[2][1] } ;
ssize_t r ;
@@ -41,13 +41,14 @@ static inline void child (int p[4][2], uint32_t options, unsigned int verbosity,
default :
strerr_dief1x(100, "unrecognized command on control socket") ;
}
- s6tls_exec_tlsdio(fds, options, verbosity, kimeout) ;
+ s6tls_exec_tlsdio(fds, options, verbosity, kimeout, snilevel) ;
}
-int main (int argc, char const *const *argv, char const *const *envp)
+int main (int argc, char const *const *argv)
{
unsigned int verbosity = 1 ;
unsigned int kimeout = 0 ;
+ unsigned int snilevel = 0 ;
int p[4][2] = { [3] = { 0, 1 } } ;
uint32_t coptions = 0 ;
uint32_t poptions = 1 ;
@@ -57,7 +58,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
subgetopt_t l = SUBGETOPT_ZERO ;
for (;;)
{
- int opt = subgetopt_r(argc, argv, "SsYyv:K:Zz", &l) ;
+ int opt = subgetopt_r(argc, argv, "SsYyv:K:Zzk:", &l) ;
if (opt == -1) break ;
switch (opt)
{
@@ -69,6 +70,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ;
case 'Z' : poptions &= ~1 ; break ;
case 'z' : poptions |= 1 ; break ;
+ case 'k' : if (!uint0_scan(l.arg, &snilevel)) dieusage() ; break ;
default : dieusage() ;
}
}
@@ -82,7 +84,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
switch (fork())
{
case -1 : strerr_diefu1sys(111, "fork") ;
- case 0 : child(p, coptions, verbosity, kimeout) ;
+ case 0 : child(p, coptions, verbosity, kimeout, snilevel) ;
default : break ;
}
s6tls_ucspi_exec_app(argv, p, poptions) ;
diff --git a/src/tls/s6tls-internal.h b/src/tls/s6tls-internal.h
index 09be544..2ef3b81 100644
--- a/src/tls/s6tls-internal.h
+++ b/src/tls/s6tls-internal.h
@@ -11,7 +11,7 @@
#define s6tls_envvars "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID"
extern void s6tls_exec_tlscio (int const *, uint32_t, unsigned int, unsigned int, char const *) gccattr_noreturn ;
-extern void s6tls_exec_tlsdio (int const *, uint32_t, unsigned int, unsigned int) gccattr_noreturn ;
+extern void s6tls_exec_tlsdio (int const *, uint32_t, unsigned int, unsigned int, unsigned int) gccattr_noreturn ;
extern void s6tls_sync_and_exec_app (char const *const *, int const [4][2], pid_t, uint32_t) gccattr_noreturn ;
extern void s6tls_ucspi_exec_app (char const *const *, int const [4][2], uint32_t) gccattr_noreturn ;
diff --git a/src/tls/s6tls_exec_tlsdio.c b/src/tls/s6tls_exec_tlsdio.c
index 3007cf0..f3bc999 100644
--- a/src/tls/s6tls_exec_tlsdio.c
+++ b/src/tls/s6tls_exec_tlsdio.c
@@ -6,15 +6,16 @@
#include <s6-networking/config.h>
#include "s6tls-internal.h"
-void s6tls_exec_tlsdio (int const *fds, uint32_t options, unsigned int verbosity, unsigned int kimeout)
+void s6tls_exec_tlsdio (int const *fds, uint32_t options, unsigned int verbosity, unsigned int kimeout, unsigned int snilevel)
{
- char const *newargv[13] ;
+ char const *newargv[15] ;
unsigned int m = 0 ;
char fmtv[UINT_FMT] ;
char fmtd[UINT_FMT] ;
char fmtk[UINT_FMT] ;
char fmtr[UINT_FMT] ;
char fmtw[UINT_FMT] ;
+ char fmti[UINT_FMT] ;
newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tlsd-io" ;
if (verbosity != 1)
@@ -38,6 +39,12 @@ void s6tls_exec_tlsdio (int const *fds, uint32_t options, unsigned int verbosity
newargv[m++] = fmtk ;
fmtk[uint_fmt(fmtk, kimeout)] = 0 ;
}
+ if (snilevel)
+ {
+ newargv[m++] = "-k" ;
+ newargv[m++] = fmti ;
+ fmti[uint_fmt(fmti, snilevel)] = 0 ;
+ }
newargv[m++] = "--" ;
newargv[m++] = fmtr ;
fmtr[uint_fmt(fmtr, fds[0])] = 0 ;