Alpha version of the SSL work.

 Doesn't build yet, but I'm scared of losing it, so using git as
storage.
 Will fix the stupid bugs now, the tricky bugs later.

4 files changed, 465 insertions, 0 deletions

diff --git a/src/stls/deps-lib/stls b/src/stls/deps-lib/stls
new file mode 100644
index 0000000..799c7ae
--- /dev/null
+++ b/src/stls/deps-lib/stls
@@ -0,0 +1,5 @@
+stls_run.o
+stls_s6tlsc.o
+stls_s6tlsd.o
+-ltls
+-lskarnet
diff --git a/src/stls/stls_run.c b/src/stls/stls_run.c
new file mode 100644
index 0000000..24ff801
--- /dev/null
+++ b/src/stls/stls_run.c
@@ -0,0 +1,274 @@
+/* ISC license. */
+
+#include <skalibs/nonposix.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <errno.h>
+#include <signal.h>
+#include <tls.h>
+#include <skalibs/uint32.h>
+#include <skalibs/allreadwrite.h>
+#include <skalibs/error.h>
+#include <skalibs/buffer.h>
+#include <skalibs/sig.h>
+#include <skalibs/selfpipe.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/tai.h>
+#include <skalibs/iopause.h>
+#include <skalibs/djbunix.h>
+#include <skalibs/siovec.h>
+#include <s6-networking/stls.h>
+
+typedef struct tlsbuf_s tlsbuf_t, *tlsbuf_t_ref ;
+struct tlsbuf_s
+{
+  char buf[STLS_BUFSIZE] ;
+  buffer b ;
+  unsigned int blockedonother : 1 ;
+} ;
+
+static inline int buffer_tls_flush (struct tls *ctx, tlsbuf_t *b)
+{
+  siovec_t v[2] ;
+  ssize_t r, w ;
+  buffer_rpeek(&b[0].b, v) ;
+  r = tls_write(ctx, v[0].s, v[0].len) ;
+  switch (r)
+  {
+    case -1 : return -1 ;
+    case TLS_WANT_POLLIN :
+      if (b[1].blockedonother) strerr_dief1x(101, "TLS deadlock") ;
+      b[0].blockedonother = 1 ;
+    case TLS_WANT_POLLOUT : return 0 ;
+    default : break ;
+  }
+  w = r ;
+  if (v[1].len)
+  {
+    r = tls_write(ctx, v[1].s, v[1].len) ;
+    switch (r)
+    {
+      case TLS_WANT_POLLIN :
+        if (b[1].blockedonother) strerr_dief1x(101, "TLS deadlock") ;
+        b[0].blockedonother = 1 ;
+      case -1 :
+      case TLS_WANT_POLLOUT :
+        buffer_rseek(&b[0].b, w) ;
+        return 0 ;
+      default : break ;
+    }
+    w += r ;
+  }
+  buffer_rseek(&b[0].b, w) ;
+  return 1 ;
+}
+
+static inline int buffer_tls_fill (struct tls *ctx, tlsbuf_t *b)
+{
+  siovec_t v[2] ;
+  ssize_t r, w ;
+  int ok = 1 ;
+  buffer_wpeek(&b[1].b, v) ;
+  r = tls_read(ctx, v[0].s, v[0].len) ;
+  switch (r)
+  {
+    case 0 : return -2 ;
+    case -1 : return -1 ;
+    case TLS_WANT_POLLOUT :
+      if (b[0].blockedonother) strerr_dief1x(101, "TLS deadlock") ;
+      b[1].blockedonother = 1 ;
+    case TLS_WANT_POLLIN : return 0 ;
+    default : break ;
+  }
+  w = r ;
+  if (v[1].len)
+  {
+    r = tls_read(ctx, v[1].s, v[1].len) ;
+    switch (r)
+    {
+      case TLS_WANT_POLLOUT :
+        if (b[0].blockedonother) strerr_dief1x(101, "TLS deadlock") ;
+        b[1].blockedonother = 1 ;
+      case -1 :
+      case TLS_WANT_POLLIN :
+        buffer_wseek(&b[1].b, w) ;
+        return 0 ;
+      case 0 : ok = -1 ;
+      default : break ;
+    }
+    w += r ;
+  }
+  buffer_wseek(&b[1].b, w) ;
+  return ok ;
+}
+
+static void do_tls_close (struct tls *ctx, int fd)
+{
+  iopause_fd x = { .fd = fd, .events = IOPAUSE_WRITE } ;
+  while (tls_close(ctx) == TLS_WANT_POLLOUT) 
+    if (iopause_g(&x, 1, 0) < 0)
+      strerr_diefu1sys(111, "iopause") ;
+}
+
+int stls_run (struct tls *ctx, int *fds, unsigned int verbosity, uint32 options, tain_t const *tto)
+{
+  tlsbuf_t b[2] = { { .blockedonother = 0 }, { .blockedonother = 0 } } ;
+  iopause_fd x[4] ;
+  unsigned int xindex[4] ;
+  register unsigned int i ;
+
+  for (i = 0 ; i < 2 ; i++)
+  {
+    buffer_init(&b[i].b, i ? &buffer_write : &buffer_read, fds[i], b[i].buf, STLS_BUFSIZE) ;
+    if (ndelay_on(fds[2+i]) < 0) strerr_diefu1sys(111, "set fds non-blocking") ;
+  }
+  if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ;
+
+  tain_now_g() ;
+
+  for (;;)
+  {
+    tain_t deadline ;
+    unsigned int xlen = 0 ;
+    register int r ;
+
+    tain_add_g(&deadline, buffer_isempty(&b[0].b) && buffer_isempty(&b[1].b) ? tto : &tain_infinite_relative) ;
+
+
+   /* poll() preparation */
+
+    if (fds[0] >= 0 && buffer_isreadable(&b[0].b))
+    {
+      x[xlen].fd = fds[0] ;
+      x[xlen].events = IOPAUSE_READ ;
+      xindex[0] = xlen++ ;
+    }
+    else xindex[0] = 4 ;
+
+    if (fds[1] >= 0 && buffer_iswritable(&b[1].b))
+    {
+      x[xlen].fd = fds[1] ;
+      x[xlen].events = IOPAUSE_WRITE ;
+      xindex[1] = xlen++ ;
+    }
+    else xindex[1] = 4 ;
+
+    if (fds[2] >= 0 && !b[1].blockedonother && buffer_isreadable(&b[1].b))
+    {
+      x[xlen].fd = fds[2] ;
+      x[xlen].events = IOPAUSE_READ ;
+      xindex[2] = xlen++ ;
+    }
+    else xindex[2] = 4 ;
+
+    if (fds[3] >= 0 && !b[0].blockedonother && buffer_iswritable(&b[0].b))
+    {
+      x[xlen].fd = fds[3] ;
+      x[xlen].events = IOPAUSE_WRITE ;
+      xindex[3] = xlen++ ;
+    }
+    else xindex[3] = 4 ;
+
+    if (!xlen) break ;
+
+
+   /* poll() */
+
+    r = iopause_g(x, xlen, &deadline) ;
+    if (r < 0) strerr_diefu1sys(111, "iopause") ;
+    else if (!r)
+    {
+      fd_close(fds[0]) ;
+      tls_close(ctx) ;
+      continue ;
+    }
+
+    while (xlen--)
+      if (x[xlen].revents & IOPAUSE_EXCEPT)
+        x[xlen].revents |= IOPAUSE_READ | IOPAUSE_WRITE ;
+
+
+   /* Flush to local */
+
+    if (xindex[1] < 4 && x[xindex[1]].revents & IOPAUSE_WRITE)
+    {
+      r = buffer_flush(&b[1].b) ;
+      if (!r && !error_isagain(errno))
+      {
+        strerr_warnwu1sys("write to application") ;
+        if (fds[2] >= 0)
+        {
+          if (options & 1) shutdown(fds[2], SHUT_RD) ;
+          fd_close(fds[2]) ; fds[2] = -1 ;
+        }
+        r = 1 ;
+      }
+      if (r && fds[2] < 0)
+      {
+        fd_close(fds[1]) ; fds[1] = -1 ;
+      }
+    }
+
+
+   /* Flush to remote */
+
+    if (xindex[3] < 4 && x[xindex[3]].revents & IOPAUSE_WRITE)
+    {
+      r = buffer_tls_flush(ctx, b) ;
+      if (r < 0)
+      {
+        strerr_warnwu2x("write to peer: ", tls_error(ctx)) ;
+        fd_close(fds[0]) ; fds[0] = -1 ;
+      }
+      if (r && fds[0] < 0)
+      {
+        if (fds[2] >= 0) do_tls_close(ctx, fds[3]) ;
+        if (options & 1) shutdown(fds[3], SHUT_WR) ;
+        fd_close(fds[3]) ; fds[3] = -1 ;
+      }
+    }
+
+
+   /* Fill from local */
+
+    if (xindex[0] < 4 && x[xindex[0]].revents & IOPAUSE_READ)
+    {
+      r = sanitize_read(buffer_fill(&b[0].b)) ;
+      if (r < 0)
+      {
+        if (r == -1) strerr_warnwu1sys("read from application") ;
+        fd_close(fds[0]) ; fds[0] = -1 ;
+        if (buffer_isempty(&b[0].b))
+        {
+          if (fds[2] >= 0) do_tls_close(ctx, fds[3]) ;
+          if (options & 1) shutdown(fds[3], SHUT_WR) ;
+          fd_close(fds[3]) ; fds[3] = -1 ;
+        }
+      }
+    }
+
+
+   /* Fill from remote */
+
+    if (xindex[2] < 4 && x[xindex[2]].revents & IOPAUSE_READ)
+    {
+      r = buffer_tls_fill(ctx, b) ;
+      if (r < 0)
+      {
+        if (errno != EPIPE) strerr_warnwu1sys("read from peer") ;
+        if (options & 1) shutdown(fds[2], SHUT_RD) ;
+        fd_close(fds[2]) ; fds[2] = -1 ;
+        if (buffer_isempty(&b[1].b))
+        {
+          fd_close(fds[1]) ; fds[1] = -1 ;
+        }
+      }
+    }
+  }
+
+  if (fds[1] >= 0) fd_close(fds[1]) ;
+  if (fds[0] >= 0) fd_close(fds[0]) ;
+  if (fds[3] >= 0) fd_close(fds[3]) ;
+  if (fds[2] >= 0) fd_close(fds[2]) ;
+  return 0 ;
+}
diff --git a/src/stls/stls_s6tlsc.c b/src/stls/stls_s6tlsc.c
new file mode 100644
index 0000000..7fd4325
--- /dev/null
+++ b/src/stls/stls_s6tlsc.c
@@ -0,0 +1,95 @@
+/* ISC license. */
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <errno.h>
+#include <tls.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/tai.h>
+#include <skalibs/env.h>
+#include <skalibs/djbunix.h>
+#include <s6-networking/stls.h>
+
+#define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg))
+#define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx))
+
+int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, int *sfd)
+{
+  int fds[4] = { sfd[0], sfd[1], sfd[0], sfd[1] } ;
+  struct tls *cctx ;
+  struct tls *ctx ;
+  struct tls_config *cfg ;
+  pid_t pid ;
+  char const *x ;
+
+  if (tls_init() < 0) strerr_diefu1sys(111, "tls_init") ;
+  cfg = tls_config_new() ;
+  if (!cfg) strerr_diefu1sys(111, "tls_config_new")
+
+  x = env_get2(envp, "CADIR") ;
+  if (x)
+  {
+    if (tls_config_set_ca_path(cfg, x) < 0)
+      diecfg(cfg, "tls_config_set_ca_path") ;
+  }
+  else
+  {
+    x = env_get2(envp, "CAFILE") ;
+    if (x)
+    {
+      if (tls_config_set_ca_file(cfg, x) < 0)
+        diecfg(cfg, "tls_config_set_ca_file") ;
+    }
+    else strerr_dief1x(100, "no trust anchor found - please set CADIR or CAFILE") ;
+  }
+
+  if (preoptions & 1)
+  {
+    x = env_get2(envp, "CERTFILE") ;
+    if (!x) strerr_dienotset(100, "CERTFILE") ;
+    if (tls_config_set_cert_file(cfg, x) < 0)
+      diecfg(cfg, "tls_config_set_cert_file") ;
+
+    x = env_get2(envp, "KEYFILE") ;
+    if (!x) strerr_dienotset(100, "KEYFILE") ;
+    if (tls_config_set_key_file(cfg, x) < 0)
+      diecfg(cfg, "tls_config_set_cert_file") ;
+  }
+
+  if (tls_config_set_ciphers(cfg, "secure") < 0)
+    diecfg(cfg, "tls_config_set_ciphers") ;
+
+  if (tls_config_set_dheparams(cfg, "auto") < 0)
+    diecfg(cfg, "tls_config_set_dheparams") ;
+
+  if (tls_config_set_ecdhecurve(cfg, "auto") < 0)
+    diecfg("tls_config_set_ecdhecurve") ;
+
+  tls_config_verify(cfg) ;
+  tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ;
+  tls_config_prefer_ciphers_server(cfg) ;
+
+  ctx = tls_client() ;
+  if (!ctx) strerr_diefu1sys(111, "tls_client") ;
+  if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure) ;
+  tls_config_free(cfg) ;
+
+  pid = child_spawn2(argv[0], argv, envp, fds) ;
+  if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;
+  if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
+  if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
+
+  if (tls_accept_fds(ctx, &cctx, fds[2], fds[3]) < 0)
+    diectx(ctx, "tls_accept_fds") ;
+
+  tls_free(ctx) ;
+
+  {
+    int wstat ;
+    int r = stls_run(cctx, fds, verbosity, options, tto) ;
+    if (r < 0) strerr_diefu1sys(111, "run SSL engine") ;
+    else if (r) diectx(98, cctx, "run SSL engine") ;
+    if (wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
+    return wait_estatus(wstat) ;
+  }
+}
diff --git a/src/stls/stls_s6tlsd.c b/src/stls/stls_s6tlsd.c
new file mode 100644
index 0000000..f6d5e7c
--- /dev/null
+++ b/src/stls/stls_s6tlsd.c
@@ -0,0 +1,91 @@
+/* ISC license. */
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <errno.h>
+#include <tls.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/tai.h>
+#include <skalibs/env.h>
+#include <skalibs/djbunix.h>
+#include <s6-networking/stls.h>
+
+#define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg))
+#define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx))
+
+int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity)
+{
+  int fds[4] = { 0, 1, 0, 1 } ;
+  struct tls *cctx ;
+  struct tls *ctx ;
+  struct tls_config *cfg ;
+  pid_t pid ;
+  char const *x ;
+
+  if (tls_init() < 0) strerr_diefu1sys(111, "tls_init") ;
+  cfg = tls_config_new() ;
+  if (!cfg) strerr_diefu1sys(111, "tls_config_new")
+
+  x = env_get2(envp, "CAFILE") ;
+  if (x)
+  {
+    if (tls_config_set_ca_file(cfg, x) < 0)
+      diecfg(cfg, "tls_config_set_ca_file") ;
+  }
+
+  x = env_get2(envp, "CADIR") ;
+  if (x)
+  {
+    if (tls_config_set_ca_path(cfg, x) < 0)
+      diecfg(cfg, "tls_config_set_ca_path") ;
+  }
+
+  x = env_get2(envp, "CERTFILE") ;
+  if (!x) strerr_dienotset(100, "CERTFILE") ;
+  if (tls_config_set_cert_file(cfg, x) < 0)
+    diecfg(cfg, "tls_config_set_cert_file") ;
+
+  x = env_get2(envp, "KEYFILE") ;
+  if (!x) strerr_dienotset(100, "KEYFILE") ;
+  if (tls_config_set_key_file(cfg, x) < 0)
+    diecfg(cfg, "tls_config_set_cert_file") ;
+
+  if (tls_config_set_ciphers(cfg, "secure") < 0)
+    diecfg(cfg, "tls_config_set_ciphers") ;
+
+  if (tls_config_set_dheparams(cfg, "auto") < 0)
+    diecfg(cfg, "tls_config_set_dheparams") ;
+
+  if (tls_config_set_ecdhecurve(cfg, "auto") < 0)
+    diecfg("tls_config_set_ecdhecurve") ;
+
+  if (preoptions & 1) tls_config_verify_client(cfg) ;
+  else tls_config_verify_client_optional(cfg) ;
+
+  tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ;
+  tls_config_prefer_ciphers_server(cfg) ;
+
+  ctx = tls_server() ;
+  if (!ctx) strerr_diefu1sys(111, "tls_server") ;
+  if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
+  tls_config_free(cfg) ;
+
+  pid = child_spawn2(argv[0], argv, envp, fds) ;
+  if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;
+  if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
+  if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
+
+  if (tls_accept_fds(ctx, &cctx, fds[2], fds[3]) < 0)
+    diectx(ctx, "tls_accept_fds") ;
+
+  tls_free(ctx) ;
+
+  {
+    int wstat ;
+    int r = stls_run(cctx, fds, verbosity, options, tto) ;
+    if (r < 0) strerr_diefu1sys(111, "run SSL engine") ;
+    else if (r) diectx(98, cctx, "run SSL engine") ;
+    if (wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
+    return wait_estatus(wstat) ;
+  }
+}