diff options
| author | Laurent Bercot <ska-skaware@skarnet.org> | 2017-03-22 21:37:30 +0000 |
|---|---|---|
| committer | Laurent Bercot <ska-skaware@skarnet.org> | 2017-03-22 21:37:30 +0000 |
| commit | dddbfab568d42e443f102d35c84432824cc59fee (patch) | |
| tree | 4983b1f5b44f861a3abc60ba7d47476820fcbb2f /src/sbearssl/sbearssl_s6tlsd.c | |
| parent | 6278e21405c40df65f8de6a9799576d1eb346164 (diff) | |
| download | s6-networking-dddbfab568d42e443f102d35c84432824cc59fee.tar.xz | |
Fix case where s6-tls[cd] would sometimes not detect an application and remain there forever with its zombie, both condemned to err in limbo for all eternity, the living and the dead, hand in hand
Diffstat (limited to 'src/sbearssl/sbearssl_s6tlsd.c')
| -rw-r--r-- | src/sbearssl/sbearssl_s6tlsd.c | 34 |
1 files changed, 13 insertions, 21 deletions
diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c index dd7f52a..6c3d163 100644 --- a/src/sbearssl/sbearssl_s6tlsd.c +++ b/src/sbearssl/sbearssl_s6tlsd.c @@ -14,10 +14,12 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity) { + int fds[5] = { 0, 1, 0, 1 } ; stralloc storage = STRALLOC_ZERO ; sbearssl_skey skey ; genalloc certs = GENALLOC_ZERO ; size_t chainlen ; + pid_t pid ; if (preoptions & 1) strerr_dief1x(100, "client certificates are not supported yet") ; @@ -44,14 +46,17 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co strerr_diefu2x(96, "find a certificate in ", x) ; } + if (!random_init()) strerr_diefu1sys(111, "initialize random generator") ; + + pid = sbearssl_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ; + { - int fds[4] = { 0, 1, 0, 1 } ; unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; br_ssl_server_context sc ; union br_skey_u key ; br_x509_certificate chain[chainlen] ; size_t i = chainlen ; - pid_t pid ; + int wstat ; stralloc_shrink(&storage) ; while (i--) @@ -83,17 +88,6 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co strerr_dief1x(96, "unsupported private key type") ; } - if (!random_init()) - strerr_diefu1sys(111, "initialize random generator") ; - random_string((char *)buf, 32) ; - br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ; - random_finish() ; - - pid = sbearssl_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ; - if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ; - if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; - if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; - { uint32_t flags = BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION ; if (preoptions & 1) @@ -104,17 +98,15 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co br_ssl_engine_add_flags(&sc.eng, flags) ; } + random_string((char *)buf, 32) ; + br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ; + random_finish() ; br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ; br_ssl_server_reset(&sc) ; tain_now_g() ; - { - int wstat ; - int r = sbearssl_run(&sc.eng, fds, verbosity, options, tto) ; - if (r < 0) strerr_diefu1sys(111, "run SSL engine") ; - else if (r) strerr_diefu2x(98, "establish or maintain SSL connection to peer: ", sbearssl_error_str(r)) ; - if (wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ; - return wait_estatus(wstat) ; - } + wstat = sbearssl_run(&sc.eng, fds, pid, verbosity, options, tto) ; + if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ; + return wait_estatus(wstat) ; } } |