summaryrefslogtreecommitdiff
path: root/src/conn-tools/s6tls_drop.c
diff options
context:
space:
mode:
authorLaurent Bercot <ska-skaware@skarnet.org>2020-11-20 23:24:29 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2020-11-20 23:24:29 +0000
commit5715c21a077ee1c2fe8957cb4adcea14fd2eda6b (patch)
treecf3e992dce2d426727b535703b0b73dbafb41dbb /src/conn-tools/s6tls_drop.c
parent1fea1f6ed53cae7f752c9a78271c7c8367b0ad03 (diff)
downloads6-networking-5715c21a077ee1c2fe8957cb4adcea14fd2eda6b.tar.xz
Refactor tls code to support ucspi-tls
That includes: - new architecture: the tls binary is now a child of the app instead of the other way around - the sbearssl_run engine now takes a post-handshake callback. This allows s6-tlsc and s6-tlsd to only exec into the app when the handshake succeeds (which was already the case with libressl). - new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto code; they init and run the engine, connecting to 4 already open fds (stdin/stdout = network, argv[1] and argv[2] = local) - s6-tlsc is now a simple wrapper around s6-tlsc-io - s6-tlsd is now a simple wrapper around s6-tlsd-io - new binary: s6-ucspitlsd, which is also a wrapper around s6-tlsd-io, but differently: the parent execs the app which should be ucspi-tls-aware, the child waits for a command from the parent and execs into s6-tlsd-io if it receives it.
Diffstat (limited to 'src/conn-tools/s6tls_drop.c')
-rw-r--r--src/conn-tools/s6tls_drop.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/src/conn-tools/s6tls_drop.c b/src/conn-tools/s6tls_drop.c
new file mode 100644
index 0000000..6b6f67f
--- /dev/null
+++ b/src/conn-tools/s6tls_drop.c
@@ -0,0 +1,24 @@
+/* ISC license. */
+
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <skalibs/strerr2.h>
+#include <skalibs/types.h>
+
+#include "s6tls-internal.h"
+
+void s6tls_drop (void)
+{
+ if (!getuid())
+ {
+ uid_t uid ;
+ gid_t gid ;
+ char const *x = getenv("TLS_UID") ;
+ if (x && !uid0_scan(x, &uid)) strerr_dieinvalid(100, "TLS_UID") ;
+ x = getenv("TLS_GID") ;
+ if (x && !gid0_scan(x, &gid)) strerr_dieinvalid(100, "TLS_GID") ;
+ if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
+ if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
+ }
+}