Add -J and -j to the TLS tools to check for peer close_notify.

 Also, and more importantly, significantly rewrite stls_run()
for better full-duplex support. This implementation isn't fully
tested yet.

Signed-off-by: Laurent Bercot <ska@appnovation.com>

8 files changed, 28 insertions, 6 deletions

diff --git a/doc/s6-tlsc-io.html b/doc/s6-tlsc-io.html
index f4a81a2..17a4e26 100644
--- a/doc/s6-tlsc-io.html
+++ b/doc/s6-tlsc-io.html
@@ -38,7 +38,7 @@ the options given when configuring s6-networking.
 <h2> Interface </h2>
 
 <pre>
-     s6-tlsc-io [ -S | -s ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em>
+     s6-tlsc-io [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em>
 </pre>
 
 <ul>
@@ -190,6 +190,10 @@ no effect. </li>
 and break the connection when receiving a local EOF. </li>
  <li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
 connection without using <tt>close_notify</tt>. This is the default. </li>
+ <li> <tt>-J</tt>&nbsp;: treat EOF from the peer without a prior close_notify
+as an error: print a fatal error message and exit 98. </li>
+ <li> <tt>-j</tt>&nbsp;: treat EOF from the peer without a prior close_notify
+as a normal exit condition. This is the default. </li>
  <li> <tt>-Y</tt>&nbsp;: Do not send a client certificate. This is the default. </li>
  <li> <tt>-y</tt>&nbsp;: Send a client certificate. </li>
  <li> <tt>-k&nbsp;<em>servername</em></tt>&nbsp;: use Server Name
diff --git a/doc/s6-tlsc.html b/doc/s6-tlsc.html
index 1d11c5b..aff6828 100644
--- a/doc/s6-tlsc.html
+++ b/doc/s6-tlsc.html
@@ -29,7 +29,7 @@ TLS/SSL.
 <h2> Interface </h2>
 
 <pre>
-     s6-tlsc [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em>
+     s6-tlsc [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em>
 </pre>
 
 <ul>
@@ -126,6 +126,9 @@ before execing <em>prog...</em>. This is the default. </li>
 and break the connection when <em>prog</em> sends EOF. </li>
  <li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
 connection without using <tt>close_notify</tt>. This is the default. </li>
+ <li> <tt>-J</tt>&nbsp;: make <a href="s6-tlsc-io.html">s6-tlsc-io</a>
+exit with a nonzero code if the peer sends EOF without a close_notify first </li>
+ <li> <tt>-j</tt>&nbsp;: treat EOF from the peer as a normal exit condition </li>
  <li> <tt>-Y</tt>&nbsp;: Do not send a client certificate. This is the default. </li>
  <li> <tt>-y</tt>&nbsp;: Send a client certificate. </li>
  <li> <tt>-k&nbsp;<em>servername</em></tt>&nbsp;: use Server Name
diff --git a/doc/s6-tlsclient.html b/doc/s6-tlsclient.html
index 287c02c..09276d4 100644
--- a/doc/s6-tlsclient.html
+++ b/doc/s6-tlsclient.html
@@ -144,6 +144,7 @@ generally work: the defaults are sensible.
  <li> <tt>-Z</tt>, <tt>-z</tt>&nbsp;: keep or remove the <a href="s6-tlsc-io.html">s6-tlsc-io</a>-specific
 variables from the application's environment </li>
  <li> <tt>-S</tt>, <tt>-s</tt>&nbsp;: use close_notify or EOF to signal the end of a TLS connection </li>
+ <li> <tt>-J</tt>, <tt>-j</tt>&nbsp;: exit nonzero with an error message when the peer fails to close_notify, or ignore it </li>
  <li> <tt>-Y</tt>, <tt>-y</tt>&nbsp;: don't send, or send, a client certificate </li>
  <li> <tt>-k <em>servername</em></tt>&nbsp;: use SNI and provide a server name </li>
  <li> <tt>-K <em>kimeout</em></tt>&nbsp;: set a timeout for the TLS handshake </li>
diff --git a/doc/s6-tlsd-io.html b/doc/s6-tlsd-io.html
index 0f3b922..55e293f 100644
--- a/doc/s6-tlsd-io.html
+++ b/doc/s6-tlsd-io.html
@@ -38,7 +38,7 @@ the options given when configuring s6-networking.
 <h2> Interface </h2>
 
 <pre>
-     s6-tlsd-io [ -S | -s ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em>
+     s6-tlsd-io [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em>
 </pre>
 
 <ul>
@@ -210,6 +210,10 @@ no effect. </li>
 and break the connection when receiving a local EOF. </li>
  <li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
 connection without using <tt>close_notify</tt>. This is the default. </li>
+ <li> <tt>-J</tt>&nbsp;: treat EOF from the peer without a prior close_notify
+as an error: print a fatal error message and exit 98. </li>
+ <li> <tt>-j</tt>&nbsp;: treat EOF from the peer without a prior close_notify
+as a normal exit condition. This is the default. </li>
  <li> <tt>-Y</tt>&nbsp;: Request a client certificate.
 The certificate is optional: if the client gives none, the connection
 proceeds. </li>
diff --git a/doc/s6-tlsd.html b/doc/s6-tlsd.html
index 883777b..73a9f9b 100644
--- a/doc/s6-tlsd.html
+++ b/doc/s6-tlsd.html
@@ -38,7 +38,7 @@ the options given when configuring <tt>s6-networking</tt>.
 <h2> Interface </h2>
 
 <pre>
-     s6-tlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -- ] <em>prog...</em>
+     s6-tlsd [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -- ] <em>prog...</em>
 </pre>
 
 <ul>
@@ -139,6 +139,9 @@ before execing <em>prog...</em>. This is the default. </li>
 and break the connection when <em>prog</em> sends EOF. </li>
  <li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
 connection without using <tt>close_notify</tt>. This is the default. </li>
+ <li> <tt>-J</tt>&nbsp;: make <a href="s6-tlsd-io.html">s6-tlsd-io</a>
+exit with a nonzero code if the peer sends EOF without a close_notify first </li>
+ <li> <tt>-j</tt>&nbsp;: treat EOF from the peer as a normal exit condition </li>
  <li> <tt>-Y</tt>&nbsp;: Request an optional client certificate. </li>
  <li> <tt>-y</tt>&nbsp;: Request a mandatory client certificate.
 The default, with neither the <tt>-Y</tt> nor the <tt>-y</tt> option,
diff --git a/doc/s6-tlsserver.html b/doc/s6-tlsserver.html
index d1ca3e2..8713235 100644
--- a/doc/s6-tlsserver.html
+++ b/doc/s6-tlsserver.html
@@ -177,6 +177,7 @@ certificates, you probably still want TCP access rules.
  <li> <tt>-Z</tt>, <tt>-z</tt>&nbsp;: keep or remove the <a href="s6-tlsd-io.html">s6-tlsd-io</a>-specific
 variables from the application's environment </li>
  <li> <tt>-S</tt>, <tt>-s</tt>&nbsp;: use close_notify or EOF to signal the end of a TLS connection </li>
+ <li> <tt>-J</tt>, <tt>-j</tt>&nbsp;: exit nonzero with an error message when the peer fails to close_notify, or ignore it </li>
  <li> <tt>-Y</tt>, <tt>-y</tt>&nbsp;: request an optional or a mandatory client certificate </li>
  <li> <tt>-K <em>kimeout</em></tt>&nbsp;: set a timeout for the TLS handshake </li>
  <li> <tt>-k <em>snilevel</em></tt>&nbsp;: support SNI-based certificate chains </li>
diff --git a/doc/s6-ucspitlsc.html b/doc/s6-ucspitlsc.html
index e096e24..52af6db 100644
--- a/doc/s6-ucspitlsc.html
+++ b/doc/s6-ucspitlsc.html
@@ -36,7 +36,7 @@ TLS stack in the client itself.
 <h2> Interface </h2>
 
 <pre>
-     s6-ucspitlsc [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em>
+     s6-ucspitlsc [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em>
 </pre>
 
 <ul>
@@ -142,6 +142,9 @@ before execing <em>prog...</em>. This is the default. </li>
 and break the connection when <em>prog</em> sends EOF. </li>
  <li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
 connection without using <tt>close_notify</tt>. This is the default. </li>
+ <li> <tt>-J</tt>&nbsp;: make <a href="s6-tlsc-io.html">s6-tlsc-io</a>
+exit with a nonzero code if the peer sends EOF without a close_notify first </li>
+ <li> <tt>-j</tt>&nbsp;: treat EOF from the peer as a normal exit condition </li>
  <li> <tt>-Y</tt>&nbsp;: Do not send a client certificate. This is the default. </li>
  <li> <tt>-y</tt>&nbsp;: Send a client certificate. </li>
  <li> <tt>-k&nbsp;<em>servername</em></tt>&nbsp;: use Server Name
diff --git a/doc/s6-ucspitlsd.html b/doc/s6-ucspitlsd.html
index 8488942..314cc39 100644
--- a/doc/s6-ucspitlsd.html
+++ b/doc/s6-ucspitlsd.html
@@ -36,7 +36,7 @@ TLS stack in the server itself.
 <h2> Interface </h2>
 
 <pre>
-     s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k snilevel ] [ -- ] <em>prog...</em>
+     s6-ucspitlsd [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k snilevel ] [ -- ] <em>prog...</em>
 </pre>
 
 <ul>
@@ -146,6 +146,9 @@ before execing <em>prog...</em>. This is the default. </li>
 and break the connection when <em>prog</em> sends EOF. </li>
  <li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
 connection without using <tt>close_notify</tt>. This is the default. </li>
+ <li> <tt>-J</tt>&nbsp;: make <a href="s6-tlsd-io.html">s6-tlsd-io</a>
+exit with a nonzero code if the peer sends EOF without a close_notify first </li>
+ <li> <tt>-j</tt>&nbsp;: treat EOF from the peer as a normal exit condition </li>
  <li> <tt>-Y</tt>&nbsp;: Request an optional client certificate. </li>
  <li> <tt>-y</tt>&nbsp;: Request a mandatory client certificate.
 The default, with neither the <tt>-Y</tt> nor the <tt>-y</tt> option,