Refactor tls code to support ucspi-tls

 That includes:
 - new architecture: the tls binary is now a child of the app
instead of the other way around
 - the sbearssl_run engine now takes a post-handshake callback.
This allows s6-tlsc and s6-tlsd to only exec into the app when
the handshake succeeds (which was already the case with libressl).
 - new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto
code; they init and run the engine, connecting to 4 already open
fds (stdin/stdout = network, argv[1] and argv[2] = local)
 - s6-tlsc is now a simple wrapper around s6-tlsc-io
 - s6-tlsd is now a simple wrapper around s6-tlsd-io
 - new binary: s6-ucspitlsd, which is also a wrapper around
s6-tlsd-io, but differently: the parent execs the app which should
be ucspi-tls-aware, the child waits for a command from the parent
and execs into s6-tlsd-io if it receives it.

5 files changed, 68 insertions, 173 deletions

diff --git a/src/stls/deps-lib/stls b/src/stls/deps-lib/stls
index 7ecfa0b..61137c5 100644
--- a/src/stls/deps-lib/stls
+++ b/src/stls/deps-lib/stls
@@ -1,6 +1,5 @@
-stls_prep_spawn_drop.o
 stls_run.o
-stls_s6tlsc.o
-stls_s6tlsd.o
--ltls
+stls_client_init_and_handshake.o
+stls_server_init_and_handshake.o
+${CRYPTO_LIB}
 -lskarnet
diff --git a/src/stls/stls_s6tlsc.c b/src/stls/stls_client_init_and_handshake.c
index 9a6dcc3..e207d8c 100644
--- a/src/stls/stls_s6tlsc.c
+++ b/src/stls/stls_client_init_and_handshake.c
@@ -1,31 +1,28 @@
 /* ISC license. */
 
-#include <unistd.h>
-#include <errno.h>
+#include <stdlib.h>
+
 #include <tls.h>
+
 #include <skalibs/strerr2.h>
-#include <skalibs/env.h>
-#include <skalibs/djbunix.h>
+
 #include <s6-networking/stls.h>
 #include "stls-internal.h"
 
 #define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg))
 #define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx))
 
-int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, char const *servername, int *sfd)
+struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions, char const *servername)
 {
-  int fds[5] = { sfd[0], sfd[1], sfd[0], sfd[1] } ;
   struct tls *ctx ;
   struct tls_config *cfg ;
-  pid_t pid ;
   char const *x ;
-  int wstat ;
 
   if (tls_init() < 0) strerr_diefu1sys(111, "tls_init") ;
   cfg = tls_config_new() ;
   if (!cfg) strerr_diefu1sys(111, "tls_config_new") ;
 
-  x = env_get2(envp, "CADIR") ;
+  x = getenv("CADIR") ;
   if (x)
   {
     if (tls_config_set_ca_path(cfg, x) < 0)
@@ -33,7 +30,7 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const
   }
   else
   {
-    x = env_get2(envp, "CAFILE") ;
+    x = getenv("CAFILE") ;
     if (x)
     {
       if (tls_config_set_ca_file(cfg, x) < 0)
@@ -44,12 +41,12 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const
 
   if (preoptions & 1)
   {
-    x = env_get2(envp, "CERTFILE") ;
+    x = getenv("CERTFILE") ;
     if (!x) strerr_dienotset(100, "CERTFILE") ;
     if (tls_config_set_cert_file(cfg, x) < 0)
       diecfg(cfg, "tls_config_set_cert_file") ;
 
-    x = env_get2(envp, "KEYFILE") ;
+    x = getenv("KEYFILE") ;
     if (!x) strerr_dienotset(100, "KEYFILE") ;
     if (tls_config_set_key_file(cfg, x) < 0)
       diecfg(cfg, "tls_config_set_key_file") ;
@@ -73,14 +70,9 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const
   if (!ctx) strerr_diefu1sys(111, "tls_client") ;
   if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
 
-  pid = stls_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ;
-
-  if (tls_connect_fds(ctx, fds[2], fds[3], servername) < 0)
+  if (tls_connect_fds(ctx, fds[0], fds[1], servername) < 0)
     diectx(97, ctx, "tls_connect_fds") ;
   tls_config_free(cfg) ;
   if (tls_handshake(ctx) < 0) diectx(97, ctx, "perform SSL handshake") ;
-
-  wstat = stls_run(ctx, fds, pid, verbosity, options, tto) ;
-  if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
-  return wait_estatus(wstat) ;
+  return ctx ;
 }
diff --git a/src/stls/stls_prep_spawn_drop.c b/src/stls/stls_prep_spawn_drop.c
deleted file mode 100644
index c6f4e13..0000000
--- a/src/stls/stls_prep_spawn_drop.c
+++ /dev/null
@@ -1,35 +0,0 @@
-/* ISC license. */
-
-#include <unistd.h>
-#include <signal.h>
-#include <skalibs/env.h>
-#include <skalibs/strerr2.h>
-#include <skalibs/djbunix.h>
-#include <skalibs/selfpipe.h>
-#include "stls-internal.h"
-
-pid_t stls_prep_spawn_drop (char const *const *argv, char const *const *envp, int *fds, uid_t uid, gid_t gid, uint32_t options)
-{
-  pid_t pid ;
-
-  fds[4] = selfpipe_init() ;
-  if (fds[4] < 0) strerr_diefu1sys(111, "init selfpipe") ;
-  if (selfpipe_trap(SIGCHLD) < 0) strerr_diefu1sys(111, "trap SIGCHLD") ;
-
-  if (!(options & 1)) pid = child_spawn2(argv[0], argv, envp, fds) ;
-  else
-  {
-    char const modifs[] = "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID" ;
-    size_t modiflen = sizeof(modifs) ;
-    size_t n = env_len(envp) ;
-    char const *newenv[n + 7] ;
-    size_t newenvlen = env_merge(newenv, n+7, envp, n, modifs, modiflen) ;
-    if (!newenvlen) return 0 ;
-    pid = child_spawn2(argv[0], argv, newenv, fds) ;
-  }
-
-  if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;
-  if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
-  if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
-  return pid ;
-}
diff --git a/src/stls/stls_run.c b/src/stls/stls_run.c
index 11a7234..e6ab609 100644
--- a/src/stls/stls_run.c
+++ b/src/stls/stls_run.c
@@ -1,20 +1,18 @@
 /* ISC license. */
 
-#include <skalibs/nonposix.h>
 #include <sys/uio.h>
-#include <sys/socket.h>
 #include <errno.h>
-#include <signal.h>
+#include <unistd.h>
+
 #include <tls.h>
-#include <skalibs/allreadwrite.h>
+
 #include <skalibs/error.h>
 #include <skalibs/buffer.h>
-#include <skalibs/sig.h>
-#include <skalibs/selfpipe.h>
 #include <skalibs/strerr2.h>
 #include <skalibs/tai.h>
 #include <skalibs/iopause.h>
 #include <skalibs/djbunix.h>
+
 #include <s6-networking/stls.h>
 
 typedef struct tlsbuf_s tlsbuf_t, *tlsbuf_t_ref ;
@@ -109,50 +107,24 @@ static void send_closenotify (struct tls *ctx, int const *fds)
 
 static void closeit (struct tls *ctx, int *fds, int brutal)
 {
-  if (brutal) shutdown(fds[3], SHUT_WR) ;
+  if (brutal) fd_shutdown(fds[3], 1) ;
   else if (fds[2] >= 0) send_closenotify(ctx, fds) ;
   fd_close(fds[3]) ; fds[3] = -1 ;
 }
 
-static void handle_signals (pid_t pid, int *e)
-{
-  for (;;) switch (selfpipe_read())
-  {
-    case -1 : strerr_diefu1sys(111, "read selfpipe") ;
-    case 0 : return ;
-    case SIGCHLD :
-    {
-      int wstat ;
-      if (wait_pid_nohang(pid, &wstat) == pid)
-      {
-        *e = wstat ;
-        return ;
-      }
-    }
-  }
-}
-
-int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint32_t options, tain_t const *tto)
+void stls_run (struct tls *ctx, int *fds, tain_t const *tto, uint32_t options, unsigned int verbosity)
 {
   tlsbuf_t b[2] = { { .blockedonother = 0 }, { .blockedonother = 0 } } ;
-  iopause_fd x[5] = { { .fd = fds[4], .events = IOPAUSE_READ } } ;
+  iopause_fd x[4] ;
   unsigned int xindex[4] ;
-  unsigned int i = 0 ;
-  int e = -1 ;
-
-  for (; i < 2 ; i++)
-  {
-    buffer_init(&b[i].b, i ? &buffer_write : &buffer_read, fds[i], b[i].buf, STLS_BUFSIZE) ;
-    if (ndelay_on(fds[2+i]) < 0) strerr_diefu1sys(111, "set fds non-blocking") ;
-  }
-  if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ;
 
-  tain_now_g() ;
+  buffer_init(&b[0].b, &buffer_read, fds[0], b[0].buf, STLS_BUFSIZE) ;
+  buffer_init(&b[1].b, &buffer_write, fds[1], b[1].buf, STLS_BUFSIZE) ;
 
   for (;;)
   {
     tain_t deadline ;
-    unsigned int xlen = 1 ;
+    unsigned int j = 0 ;
     int r ;
 
     tain_add_g(&deadline, fds[0] >= 0 && fds[2] >= 0 && buffer_isempty(&b[0].b) && buffer_isempty(&b[1].b) ? tto : &tain_infinite_relative) ;
@@ -162,68 +134,54 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint
 
     if (fds[0] >= 0 && buffer_isreadable(&b[0].b))
     {
-      x[xlen].fd = fds[0] ;
-      x[xlen].events = IOPAUSE_READ ;
-      xindex[0] = xlen++ ;
+      x[j].fd = fds[0] ;
+      x[j].events = IOPAUSE_READ ;
+      xindex[0] = j++ ;
     }
-    else xindex[0] = 5 ;
+    else xindex[0] = 4 ;
 
     if (fds[1] >= 0 && buffer_iswritable(&b[1].b))
     {
-      x[xlen].fd = fds[1] ;
-      x[xlen].events = IOPAUSE_WRITE ;
-      xindex[1] = xlen++ ;
+      x[j].fd = fds[1] ;
+      x[j].events = IOPAUSE_WRITE ;
+      xindex[1] = j++ ;
     }
-    else xindex[1] = 5 ;
+    else xindex[1] = 4 ;
 
     if (fds[2] >= 0 && !b[1].blockedonother && buffer_isreadable(&b[1].b))
     {
-      x[xlen].fd = fds[2] ;
-      x[xlen].events = IOPAUSE_READ ;
-      xindex[2] = xlen++ ;
+      x[j].fd = fds[2] ;
+      x[j].events = IOPAUSE_READ ;
+      xindex[2] = j++ ;
     }
-    else xindex[2] = 5 ;
+    else xindex[2] = 4 ;
 
     if (fds[3] >= 0 && !b[0].blockedonother && buffer_iswritable(&b[0].b))
     {
-      x[xlen].fd = fds[3] ;
-      x[xlen].events = IOPAUSE_WRITE ;
-      xindex[3] = xlen++ ;
+      x[j].fd = fds[3] ;
+      x[j].events = IOPAUSE_WRITE ;
+      xindex[3] = j++ ;
     }
-    else xindex[3] = 5 ;
+    else xindex[3] = 4 ;
 
-    if (xlen == 1) break ;
+    if (xindex[0] == 4 && xindex[1] == 4 && xindex[3] == 4) break ;
 
 
    /* poll() */
 
-    r = iopause_g(x, xlen, &deadline) ;
+    r = iopause_g(x, j, &deadline) ;
     if (r < 0) strerr_diefu1sys(111, "iopause") ;
-    else if (!r)
-    {
-      fd_close(fds[0]) ; fds[0] = -1 ;
-      closeit(ctx, fds, options & 1) ;
-      if (e >= 0) break ;
-      continue ;
-    }
+    else if (!r) break ;
 
-    while (xlen--)
-      if (x[xlen].revents & IOPAUSE_EXCEPT)
-        x[xlen].revents |= IOPAUSE_READ | IOPAUSE_WRITE ;
+    while (j--)
+      if (x[j].revents & IOPAUSE_EXCEPT)
+        x[j].revents |= IOPAUSE_READ | IOPAUSE_WRITE ;
 
 
-   /* Signal */
-
-    if (x[0].revents & IOPAUSE_READ)
-    {
-      handle_signals(pid, &e) ;
-      if (e >= 0 && xindex[0] == 5 && xindex[3] == 5) break ;
-    }
-
 
    /* Flush to local */
 
-    if (xindex[1] < 5 && x[xindex[1]].revents & IOPAUSE_WRITE)
+    if (xindex[1] < 4 && x[xindex[1]].revents & IOPAUSE_WRITE)
     {
       r = buffer_flush(&b[1].b) ;
       if (!r && !error_isagain(errno))
@@ -231,7 +189,7 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint
         strerr_warnwu1sys("write to application") ;
         if (fds[2] >= 0)
         {
-          if (options & 1) shutdown(fds[2], SHUT_RD) ;
+          if (options & 1) fd_shutdown(fds[2], 0) ;
           fd_close(fds[2]) ; fds[2] = -1 ;
           xindex[2] = 4 ;
         }
@@ -246,25 +204,23 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint
 
    /* Flush to remote */
 
-    if (xindex[3] < 5 && x[xindex[3]].revents & IOPAUSE_WRITE)
+    if (xindex[3] < 4 && x[xindex[3]].revents & IOPAUSE_WRITE)
     {
       r = buffer_tls_flush(ctx, b) ;
       if (r < 0)
       {
         strerr_warnwu2x("write to peer: ", tls_error(ctx)) ;
         fd_close(fds[0]) ; fds[0] = -1 ;
+        xindex[0] = 4 ;
       }
       if (r && fds[0] < 0)
-      {
         closeit(ctx, fds, options & 1) ;
-        if (e >= 0) break ;
-      }
     }
 
 
    /* Fill from local */
 
-    if (xindex[0] < 5 && x[xindex[0]].revents & IOPAUSE_READ)
+    if (xindex[0] < 4 && x[xindex[0]].revents & IOPAUSE_READ)
     {
       r = sanitize_read(buffer_fill(&b[0].b)) ;
       if (r < 0)
@@ -272,23 +228,20 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint
         if (errno != EPIPE) strerr_warnwu1sys("read from application") ;
         fd_close(fds[0]) ; fds[0] = -1 ;
         if (buffer_isempty(&b[0].b))
-        {
           closeit(ctx, fds, options & 1) ;
-          if (e >= 0) break ;
-        }
       }
     }
 
 
    /* Fill from remote */
 
-    if (xindex[2] < 5 && x[xindex[2]].revents & IOPAUSE_READ)
+    if (xindex[2] < 4 && x[xindex[2]].revents & IOPAUSE_READ)
     {
       r = buffer_tls_fill(ctx, b) ;
       if (r < 0)
       {
         if (r == -1) strerr_warnwu2x("read from peer: ", tls_error(ctx)) ;
-        if (options & 1) shutdown(fds[2], SHUT_RD) ;
+        if (options & 1) fd_shutdown(fds[2], 0) ;
         /*
            XXX: We need a way to detect when we've received a close_notify,
            because then we need to trigger a write and then shut the engine
@@ -305,10 +258,5 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint
       }
     }
   }
-
-  if (fds[1] >= 0) fd_close(fds[1]) ;
-  if (fds[0] >= 0) fd_close(fds[0]) ;
-  if (fds[3] >= 0) fd_close(fds[3]) ;
-  if (fds[2] >= 0) fd_close(fds[2]) ;
-  return e ;
+  _exit(0) ;
 }
diff --git a/src/stls/stls_s6tlsd.c b/src/stls/stls_server_init_and_handshake.c
index a791e89..58d812e 100644
--- a/src/stls/stls_s6tlsd.c
+++ b/src/stls/stls_server_init_and_handshake.c
@@ -1,38 +1,34 @@
 /* ISC license. */
 
-#include <stdint.h>
-#include <unistd.h>
-#include <errno.h>
+#include <stdlib.h>
+
 #include <tls.h>
+
 #include <skalibs/strerr2.h>
-#include <skalibs/env.h>
-#include <skalibs/djbunix.h>
+
 #include <s6-networking/stls.h>
 #include "stls-internal.h"
 
 #define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg))
 #define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx))
 
-int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity)
+struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions)
 {
-  int fds[5] = { 0, 1, 0, 1 } ;
   struct tls *cctx ;
   struct tls *ctx ;
   struct tls_config *cfg ;
-  pid_t pid ;
   char const *x ;
-  int wstat ;
 
   if (tls_init() < 0) strerr_diefu1sys(111, "tls_init") ;
   cfg = tls_config_new() ;
   if (!cfg) strerr_diefu1sys(111, "tls_config_new") ;
 
-  x = env_get2(envp, "CERTFILE") ;
+  x = getenv("CERTFILE") ;
   if (!x) strerr_dienotset(100, "CERTFILE") ;
   if (tls_config_set_cert_file(cfg, x) < 0)
     diecfg(cfg, "tls_config_set_cert_file") ;
 
-  x = env_get2(envp, "KEYFILE") ;
+  x = getenv("KEYFILE") ;
   if (!x) strerr_dienotset(100, "KEYFILE") ;
   if (tls_config_set_key_file(cfg, x) < 0)
     diecfg(cfg, "tls_config_set_key_file") ;
@@ -48,7 +44,7 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const
 
   if (preoptions & 1)
   {
-    x = env_get2(envp, "CADIR") ;
+    x = getenv("CADIR") ;
     if (x)
     {
       if (tls_config_set_ca_path(cfg, x) < 0)
@@ -56,7 +52,7 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const
     }
     else
     {
-      x = env_get2(envp, "CAFILE") ;
+      x = getenv("CAFILE") ;
       if (x)
       {
         if (tls_config_set_ca_file(cfg, x) < 0)
@@ -64,7 +60,7 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const
       }
       else strerr_dienotset(100, "CADIR or CAFILE") ;
     }
-    if (preoptions & 4) tls_config_verify_client(cfg) ;
+    if (preoptions & 2) tls_config_verify_client(cfg) ;
     else tls_config_verify_client_optional(cfg) ;
   }
   else tls_config_insecure_noverifycert(cfg) ;
@@ -76,15 +72,10 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const
   if (!ctx) strerr_diefu1sys(111, "tls_server") ;
   if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
   tls_config_free(cfg) ;
-
-  pid = stls_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ;
-
-  if (tls_accept_fds(ctx, &cctx, fds[2], fds[3]) < 0)
+  if (tls_accept_fds(ctx, &cctx, fds[0], fds[1]) < 0)
     diectx(97, ctx, "tls_accept_fds") ;
   tls_free(ctx) ;
-  if (tls_handshake(cctx) < 0) diectx(97, cctx, "perform SSL handshake") ;
-
-  wstat = stls_run(cctx, fds, pid, verbosity, options, tto) ;
-  if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
-  return wait_estatus(wstat) ;
+  if (tls_handshake(cctx) < 0)
+    diectx(97, cctx, "perform SSL handshake") ;
+  return cctx ;
 }