authorLaurent Bercot <ska-skaware@skarnet.org>2016-11-26 10:04:40 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2016-11-26 10:04:40 +0000
commit08e88c5efc65a6f49da40aa002bc5f4b0ebee49d (patch)
tree21a3feb40eb54e5f5152cc8605f4c5e07e85052b /src
parent9e6464c5f9d82158d81c027207594b5e12a94ca5 (diff)
downloads6-networking-08e88c5efc65a6f49da40aa002bc5f4b0ebee49d.tar.xz
Add -z option to s6-tlsc/s6-tlsd to clean TLS env vars before spawning (default)
Diffstat (limited to 'src')
-rw-r--r--src/conn-tools/deps-exe/s6-tlsc1
-rw-r--r--src/conn-tools/deps-exe/s6-tlsd1
-rw-r--r--src/conn-tools/s6-tlsc.c8
-rw-r--r--src/conn-tools/s6-tlsclient.c11
-rw-r--r--src/conn-tools/s6-tlsd.c8
-rw-r--r--src/conn-tools/s6-tlsserver.c11
-rw-r--r--src/include/s6-networking/s6net-utils.h10
-rw-r--r--src/include/s6-networking/s6net.h1
-rw-r--r--src/libs6net/deps-lib/s6net1
-rw-r--r--src/libs6net/s6net_clean_tls_and_spawn.c21
-rw-r--r--src/sbearssl/deps-lib/sbearssl1
-rw-r--r--src/sbearssl/sbearssl_s6tlsc.c3
-rw-r--r--src/sbearssl/sbearssl_s6tlsd.c3
-rw-r--r--src/stls/deps-lib/stls1
-rw-r--r--src/stls/stls_s6tlsc.c3
-rw-r--r--src/stls/stls_s6tlsd.c3
16 files changed, 71 insertions, 16 deletions
diff --git a/src/conn-tools/deps-exe/s6-tlsc b/src/conn-tools/deps-exe/s6-tlsc
index d00d2b8..5ae8124 100644
--- a/src/conn-tools/deps-exe/s6-tlsc
+++ b/src/conn-tools/deps-exe/s6-tlsc
@@ -1,4 +1,5 @@
${LIBCRYPTOSUPPORT}
+${LIBS6NET}
-lskarnet
${CRYPTO_LIB}
${SOCKET_LIB}
diff --git a/src/conn-tools/deps-exe/s6-tlsd b/src/conn-tools/deps-exe/s6-tlsd
index d00d2b8..5ae8124 100644
--- a/src/conn-tools/deps-exe/s6-tlsd
+++ b/src/conn-tools/deps-exe/s6-tlsd
@@ -1,4 +1,5 @@
${LIBCRYPTOSUPPORT}
+${LIBS6NET}
-lskarnet
${CRYPTO_LIB}
${SOCKET_LIB}
diff --git a/src/conn-tools/s6-tlsc.c b/src/conn-tools/s6-tlsc.c
index 4476690..0c26ab0 100644
--- a/src/conn-tools/s6-tlsc.c
+++ b/src/conn-tools/s6-tlsc.c
@@ -31,7 +31,7 @@
#endif
-#define USAGE "s6-tlsc [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -k servername ] [ -6 rfd ] [ -7 wfd ] prog..."
+#define USAGE "s6-tlsc [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -k servername ] [ -Z | -z ] [ -6 rfd ] [ -7 wfd ] prog..."
#define dieusage() strerr_dieusage(100, USAGE)
int main (int argc, char const *const *argv, char const *const *envp)
@@ -41,7 +41,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
unsigned int verbosity = 1 ;
uid_t uid = 0 ;
gid_t gid = 0 ;
- uint32_t preoptions = 0 ;
+ uint32_t preoptions = 2 ;
uint32_t options = 1 ;
int fds[2] = { 6, 7 } ;
@@ -51,7 +51,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
unsigned int t = 0 ;
for (;;)
{
- register int opt = subgetopt_r(argc, argv, "SsYyv:K:k:6:7:", &l) ;
+ register int opt = subgetopt_r(argc, argv, "SsYyv:K:k:Zz6:7:", &l) ;
if (opt == -1) break ;
switch (opt)
{
@@ -62,6 +62,8 @@ int main (int argc, char const *const *argv, char const *const *envp)
case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
case 'k' : servername = l.arg ; break ;
+ case 'Z' : preoptions &= ~(uint32_t)2 ; break ;
+ case 'z' : preoptions |= 2 ; break ;
case '6' :
{
unsigned int fd ;
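Review bot: The new `case 'Z'`/`case 'z'` lines hard-code bit `2` of `preoptions`, and the same literal recurs in s6-tlsd.c (the `preoptions = 2` default and its `-Z`/`-z` cases) and at the four spawn call sites as `!!(preoptions & 2)`, where it is renumbered to bit 0 of the library's `options` argument. A single named constant shared by the tools and the library would keep the two numberings from drifting, e.g. `#define S6TLS_PREOPT_CLEANENV 2` in the public header, used as `preoptions |= S6TLS_PREOPT_CLEANENV ;` here. If the project prefers bare bits (as it does for `preoptions |= 1` on `-y`), a one-line comment next to the default `uint32_t preoptions = 2 ;` saying that bit 1 means "strip the TLS configuration variables from the child's environment" would serve the same purpose. main's body continues outside this hunk.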
diff --git a/src/conn-tools/s6-tlsclient.c b/src/conn-tools/s6-tlsclient.c
index a1cd75d..1aa66fb 100644
--- a/src/conn-tools/s6-tlsclient.c
+++ b/src/conn-tools/s6-tlsclient.c
@@ -11,7 +11,7 @@
#define USAGE "s6-tlsclient [ options ] host port prog...\n" \
"s6-tcpclient options: [ -q | -Q | -v ] [ -4 | -6 ] [ -d | -D ] [ -r | -R ] [ -h | -H ] [ -n | -N ] [ -t timeout ] [ -l localname ] [ -T timeoutconn ] [ -i localip ] [ -p localport ]\n" \
-"s6-tlsc options: [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -k servername ]"
+"s6-tlsc options: [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -k servername ] [ -Z | -z ]"
#define dieusage() strerr_dieusage(100, USAGE)
@@ -35,6 +35,7 @@ struct options_s
unsigned int flagN : 1 ;
unsigned int flagS : 1 ;
unsigned int flagy : 1 ;
+ unsigned int flagZ : 1 ;
unsigned int doxy : 1 ;
} ;
@@ -57,6 +58,7 @@ struct options_s
.flagN = 0, \
.flagS = 0, \
.flagy = 0, \
+ .flagZ = 0, \
.doxy = 0 \
}
@@ -68,7 +70,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
subgetopt_t l = SUBGETOPT_ZERO ;
for (;;)
{
- register int opt = subgetopt_r(argc, argv, "qQv46DdHhRrnNt:l:T:i:p:SsYyK:k:", &l) ;
+ register int opt = subgetopt_r(argc, argv, "qQv46DdHhRrnNt:l:T:i:p:SsYyK:k:Zz", &l) ;
if (opt == -1) break ;
switch (opt)
{
@@ -109,6 +111,8 @@ int main (int argc, char const *const *argv, char const *const *envp)
case 'y' : o.flagy = 1 ; break ;
case 'K' : if (!uint0_scan(l.arg, &o.kimeout)) dieusage() ; break ;
case 'k' : o.servername = l.arg ; break ;
+ case 'Z' : o.flagZ = 1 ; break ;
+ case 'z' : o.flagZ = 0 ; break ;
default : dieusage() ;
}
}
@@ -127,7 +131,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
unsigned int m = 0 ;
unsigned int pos = 0 ;
char fmt[UINT_FMT * 4 + UINT16_FMT + IP46_FMT] ;
- char const *newargv[28 + argc] ;
+ char const *newargv[29 + argc] ;
newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpclient" ;
if (o.verbosity != 1) newargv[m++] = o.verbosity ? "-v" : "-q" ;
if (o.flag4) newargv[m++] = "-4" ;
@@ -187,6 +191,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
newargv[m++] = "-k" ;
newargv[m++] = o.servername ;
}
+ if (o.flagZ) newargv[m++] = "-Z" ;
newargv[m++] = "--" ;
while (*argv) newargv[m++] = *argv++ ;
newargv[m++] = 0 ;
diff --git a/src/conn-tools/s6-tlsd.c b/src/conn-tools/s6-tlsd.c
index 6a6d4ef..a4a1d4c 100644
--- a/src/conn-tools/s6-tlsd.c
+++ b/src/conn-tools/s6-tlsd.c
@@ -30,7 +30,7 @@
#endif
-#define USAGE "s6-tlsd [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] prog..."
+#define USAGE "s6-tlsd [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] prog..."
#define dieusage() strerr_dieusage(100, USAGE)
int main (int argc, char const *const *argv, char const *const *envp)
@@ -39,7 +39,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
unsigned int verbosity = 1 ;
uid_t uid = 0 ;
gid_t gid = 0 ;
- uint32_t preoptions = 0 ;
+ uint32_t preoptions = 2 ;
uint32_t options = 1 ;
PROG = "s6-tlsd" ;
@@ -48,7 +48,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
unsigned int t = 0 ;
for (;;)
{
- register int opt = subgetopt_r(argc, argv, "SsYyv:K:", &l) ;
+ register int opt = subgetopt_r(argc, argv, "SsYyv:K:Zz", &l) ;
if (opt == -1) break ;
switch (opt)
{
@@ -58,6 +58,8 @@ int main (int argc, char const *const *argv, char const *const *envp)
case 'y' : preoptions |= 1 ; break ;
case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
+ case 'Z' : preoptions &= ~(uint32_t)2 ; break ;
+ case 'z' : preoptions |= 2 ; break ;
default : dieusage() ;
}
}
diff --git a/src/conn-tools/s6-tlsserver.c b/src/conn-tools/s6-tlsserver.c
index ef5abe4..d7604a9 100644
--- a/src/conn-tools/s6-tlsserver.c
+++ b/src/conn-tools/s6-tlsserver.c
@@ -14,7 +14,7 @@
#define USAGE "s6-tlsserver [ options ] ip port prog...\n" \
"s6-tcpserver options: [ -q | -Q | -v ] [ -4 | -6 ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gidlist ] [ -g gid ] [ -u uid ] [ -U ]\n" \
"s6-tcpserver-access options: [ -W | -w ] [ -D | -d ] [ -H | -h ] [ -R | -r ] [ -P | -p ] [ -l localname ] [ -B banner ] [ -t timeout ] [ -i rulesdir | -x rulesfile ]\n" \
-"s6-tlsd options: [ -S | -s ] [ -Y | -y ] [ -K timeout ]"
+"s6-tlsd options: [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -Z | -z ]"
#define dieusage() strerr_dieusage(100, USAGE)
@@ -45,6 +45,7 @@ struct options_s
unsigned int ruleswhat : 2 ;
unsigned int flagS : 1 ;
unsigned int flagy : 1 ;
+ unsigned int flagZ : 1 ;
unsigned int doaccess : 1 ;
unsigned int doapply : 1 ;
} ;
@@ -74,6 +75,7 @@ struct options_s
.ruleswhat = 0, \
.flagS = 0, \
.flagy = 0, \
+ .flagZ = 0, \
.doaccess = 0, \
.doapply = 0 \
}
@@ -86,7 +88,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
subgetopt_t l = SUBGETOPT_ZERO ;
for (;;)
{
- register int opt = subgetopt_r(argc, argv, "qQv461c:C:b:G:g:u:UWwDdHhRrPpl:B:t:i:x:SsYyK:", &l) ;
+ register int opt = subgetopt_r(argc, argv, "qQv461c:C:b:G:g:u:UWwDdHhRrPpl:B:t:i:x:SsYyK:Zz", &l) ;
if (opt == -1) break ;
switch (opt)
{
@@ -123,6 +125,8 @@ int main (int argc, char const *const *argv, char const *const *envp)
case 'Y' : o.flagy = 0 ; break ;
case 'y' : o.flagy = 1 ; break ;
case 'K' : if (!uint0_scan(l.arg, &o.kimeout)) dieusage() ; break ;
+ case 'Z' : o.flagZ = 1 ; break ;
+ case 'z' : o.flagZ = 0 ; break ;
default : dieusage() ;
}
}
@@ -134,7 +138,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
unsigned int m = 0 ;
unsigned int pos = 0 ;
char fmt[UINT_FMT * 5 + GID_FMT * (NGROUPS_MAX + 1) + UINT64_FMT] ;
- char const *newargv[46 + argc] ;
+ char const *newargv[47 + argc] ;
newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver" ;
if (o.verbosity != 1) newargv[m++] = o.verbosity ? "-v" : "-q" ;
if (o.flag46) newargv[m++] = o.flag46 == 1 ? "-4" : "-6" ;
@@ -215,6 +219,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
pos += uint_fmt(fmt + pos, o.kimeout) ;
fmt[pos++] = 0 ;
}
+ if (o.flagZ) newargv[m++] = "-Z" ;
newargv[m++] = "--" ;
if (o.doapply)
{
diff --git a/src/include/s6-networking/s6net-utils.h b/src/include/s6-networking/s6net-utils.h
new file mode 100644
index 0000000..2e7d2f9
--- /dev/null
+++ b/src/include/s6-networking/s6net-utils.h
@@ -0,0 +1,10 @@
+/* ISC license. */
+
+#ifndef S6NET_UTILS_H
+#define S6NET_UTILS_H
+
+#include <sys/types.h>
+
+extern pid_t s6net_clean_tls_and_spawn (char const *const *, char const *const *, int *, uint32_t) ;
+
+#endif
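Review bot: The `extern pid_t s6net_clean_tls_and_spawn (...)` prototype uses `uint32_t`, but this header includes only `<sys/types.h>`, so a translation unit that includes s6net-utils.h (or s6net.h, which now pulls it in) before anything that declares `uint32_t` fails to compile; add `#include <stdint.h>` after the sys/types include. Naming the parameters in the prototype would also make the contract readable without opening the .c file, e.g. `(char const *const *argv, char const *const *envp, int *fds, uint32_t options)`. A short comment stating that bit 0 of `options` requests removal of the TLS configuration variables from the child's environment, and that a return of 0 means the spawn failed, belongs here too, since this is the only public declaration.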
diff --git a/src/include/s6-networking/s6net.h b/src/include/s6-networking/s6net.h
index 8778527..fef4ef7 100644
--- a/src/include/s6-networking/s6net.h
+++ b/src/include/s6-networking/s6net.h
@@ -4,5 +4,6 @@
#define S6NET_H
#include <s6-networking/ident.h>
+#include <s6-networking/s6net-utils.h>
#endif
diff --git a/src/libs6net/deps-lib/s6net b/src/libs6net/deps-lib/s6net
index 27067c4..b8be843 100644
--- a/src/libs6net/deps-lib/s6net
+++ b/src/libs6net/deps-lib/s6net
@@ -2,4 +2,5 @@ s6net_ident_client.o
s6net_ident_reply_get.o
s6net_ident_reply_parse.o
s6net_ident_error.o
+s6net_clean_tls_and_spawn.o
-lskarnet
diff --git a/src/libs6net/s6net_clean_tls_and_spawn.c b/src/libs6net/s6net_clean_tls_and_spawn.c
new file mode 100644
index 0000000..67ba79b
--- /dev/null
+++ b/src/libs6net/s6net_clean_tls_and_spawn.c
@@ -0,0 +1,21 @@
+/* ISC license. */
+
+#include <sys/types.h>
+#include <skalibs/env.h>
+#include <skalibs/djbunix.h>
+#include <s6-networking/s6net-utils.h>
+
+pid_t s6net_clean_tls_and_spawn (char const *const *argv, char const *const *envp, int *fds, uint32_t options)
+{
+ if (!(options & 1)) return child_spawn2(argv[0], argv, envp, fds) ;
+ else
+ {
+ char const modifs[] = "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID" ;
+ size_t modiflen = sizeof(modifs) ;
+ size_t n = env_len(envp) ;
+ char const *newenv[n + 7] ;
+ size_t newenvlen = env_merge(newenv, n+7, envp, n, modifs, modiflen) ;
+ if (!newenvlen) return 0 ;
+ return child_spawn2(argv[0], argv, newenv, fds) ;
+ }
+}
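Review bot: `char const *newenv[n + 7]` is a variable-length array sized by `env_len(envp)`, so the stack frame grows with the size of the inherited environment; that environment comes from whoever started s6-tlsc/s6-tlsd rather than from the peer, so this is a robustness rather than an exposure concern, but a comment stating that assumption would help the next reader. The `return 0` on `env_merge` failure is reported by three callers with `strerr_diefu2sys(111, "spawn ", argv[0])`, which prints errno — I cannot tell from here whether `env_merge` sets errno on failure, worth confirming so the message is not misleading. The function has no header comment; I would add one saying that it spawns `argv` with `fds` as `child_spawn2` does, and that when bit 0 of `options` is set the variables listed in `modifs` (CADIR, CAFILE, KEYFILE, CERTFILE, TLS_UID, TLS_GID) are removed from the child's copy of `envp` so TLS material paths and credentials do not leak to the application, returning 0 on failure.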
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index 0b7b02f..4e2d76c 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -31,4 +31,5 @@ sbearssl_ta_to.o
sbearssl_s6tlsc.o
sbearssl_s6tlsd.o
-lbearssl
+-ls6net
-lskarnet
diff --git a/src/sbearssl/sbearssl_s6tlsc.c b/src/sbearssl/sbearssl_s6tlsc.c
index 8bc8f65..5665edc 100644
--- a/src/sbearssl/sbearssl_s6tlsc.c
+++ b/src/sbearssl/sbearssl_s6tlsc.c
@@ -11,6 +11,7 @@
#include <skalibs/genalloc.h>
#include <skalibs/djbunix.h>
#include <skalibs/random.h>
+#include <s6-networking/s6net-utils.h>
#include <s6-networking/sbearssl.h>
int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, char const *servername, int *sfd)
@@ -65,7 +66,7 @@ int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t co
br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ;
random_finish() ;
- pid = child_spawn2(argv[0], argv, envp, fds) ;
+ pid = s6net_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ;
if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
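Review bot: The new `pid = s6net_clean_tls_and_spawn(...)` line is not followed by a failure check, while the equivalent hunks in sbearssl_s6tlsd.c, stls_s6tlsc.c and stls_s6tlsd.c all have `if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;`. The replacement function adds a second way to return 0 (the `env_merge` failure path), so the omission now also covers the environment-cleaning step, not just the fork; the code would proceed to setgid/setuid and then run the TLS engine with no child. Add `if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;` right after the assignment, matching the other three call sites. sbearssl_s6tlsc's body continues outside this hunk, so I cannot see whether `pid` is checked later.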
diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c
index 35dd18a..3a27e9f 100644
--- a/src/sbearssl/sbearssl_s6tlsd.c
+++ b/src/sbearssl/sbearssl_s6tlsd.c
@@ -11,6 +11,7 @@
#include <skalibs/genalloc.h>
#include <skalibs/djbunix.h>
#include <skalibs/random.h>
+#include <s6-networking/s6net-utils.h>
#include <s6-networking/sbearssl.h>
int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity)
@@ -90,7 +91,7 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ;
random_finish() ;
- pid = child_spawn2(argv[0], argv, envp, fds) ;
+ pid = s6net_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ;
if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;
if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
diff --git a/src/stls/deps-lib/stls b/src/stls/deps-lib/stls
index 799c7ae..f215998 100644
--- a/src/stls/deps-lib/stls
+++ b/src/stls/deps-lib/stls
@@ -2,4 +2,5 @@ stls_run.o
stls_s6tlsc.o
stls_s6tlsd.o
-ltls
+-ls6net
-lskarnet
diff --git a/src/stls/stls_s6tlsc.c b/src/stls/stls_s6tlsc.c
index aa82087..194afb9 100644
--- a/src/stls/stls_s6tlsc.c
+++ b/src/stls/stls_s6tlsc.c
@@ -8,6 +8,7 @@
#include <skalibs/tai.h>
#include <skalibs/env.h>
#include <skalibs/djbunix.h>
+#include <s6-networking/s6net-utils.h>
#include <s6-networking/stls.h>
#define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg))
@@ -73,7 +74,7 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const
if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
tls_config_free(cfg) ;
- pid = child_spawn2(argv[0], argv, envp, fds) ;
+ pid = s6net_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ;
if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;
if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
diff --git a/src/stls/stls_s6tlsd.c b/src/stls/stls_s6tlsd.c
index 61b1343..ff1b308 100644
--- a/src/stls/stls_s6tlsd.c
+++ b/src/stls/stls_s6tlsd.c
@@ -8,6 +8,7 @@
#include <skalibs/tai.h>
#include <skalibs/env.h>
#include <skalibs/djbunix.h>
+#include <s6-networking/s6net-utils.h>
#include <s6-networking/stls.h>
#define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg))
@@ -70,7 +71,7 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const
if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
tls_config_free(cfg) ;
- pid = child_spawn2(argv[0], argv, envp, fds) ;
+ pid = s6net_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ;
if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;
if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;