diff options
| author | Laurent Bercot <ska-skaware@skarnet.org> | 2020-11-20 23:24:29 +0000 |
|---|---|---|
| committer | Laurent Bercot <ska-skaware@skarnet.org> | 2020-11-20 23:24:29 +0000 |
| commit | 5715c21a077ee1c2fe8957cb4adcea14fd2eda6b (patch) | |
| tree | cf3e992dce2d426727b535703b0b73dbafb41dbb /src | |
| parent | 1fea1f6ed53cae7f752c9a78271c7c8367b0ad03 (diff) | |
| download | s6-networking-5715c21a077ee1c2fe8957cb4adcea14fd2eda6b.tar.xz | |
Refactor tls code to support ucspi-tls
That includes:
- new architecture: the tls binary is now a child of the app
instead of the other way around
- the sbearssl_run engine now takes a post-handshake callback.
This allows s6-tlsc and s6-tlsd to only exec into the app when
the handshake succeeds (which was already the case with libressl).
- new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto
code; they init and run the engine, connecting to 4 already open
fds (stdin/stdout = network, argv[1] and argv[2] = local)
- s6-tlsc is now a simple wrapper around s6-tlsc-io
- s6-tlsd is now a simple wrapper around s6-tlsd-io
- new binary: s6-ucspitlsd, which is also a wrapper around
s6-tlsd-io, but differently: the parent execs the app which should
be ucspi-tls-aware, the child waits for a command from the parent
and execs into s6-tlsd-io if it receives it.
Diffstat (limited to 'src')
29 files changed, 804 insertions, 432 deletions
diff --git a/src/conn-tools/deps-exe/s6-tlsc b/src/conn-tools/deps-exe/s6-tlsc index 6e89a02..37405fd 100644 --- a/src/conn-tools/deps-exe/s6-tlsc +++ b/src/conn-tools/deps-exe/s6-tlsc @@ -1,6 +1,2 @@ -${LIBCRYPTOSUPPORT} +libs6tls.a.xyzzy -lskarnet -${CRYPTO_LIB} -${SOCKET_LIB} -${SPAWN_LIB} -${SYSCLOCK_LIB} diff --git a/src/conn-tools/deps-exe/s6-tlsc-io b/src/conn-tools/deps-exe/s6-tlsc-io new file mode 100644 index 0000000..3e2653d --- /dev/null +++ b/src/conn-tools/deps-exe/s6-tlsc-io @@ -0,0 +1,5 @@ +${LIBCRYPTOSUPPORT} +-lskarnet +${CRYPTO_LIB} +${SOCKET_LIB} +${SYSCLOCK_LIB} diff --git a/src/conn-tools/deps-exe/s6-tlsd b/src/conn-tools/deps-exe/s6-tlsd index 6e89a02..37405fd 100644 --- a/src/conn-tools/deps-exe/s6-tlsd +++ b/src/conn-tools/deps-exe/s6-tlsd @@ -1,6 +1,2 @@ -${LIBCRYPTOSUPPORT} +libs6tls.a.xyzzy -lskarnet -${CRYPTO_LIB} -${SOCKET_LIB} -${SPAWN_LIB} -${SYSCLOCK_LIB} diff --git a/src/conn-tools/deps-exe/s6-tlsd-io b/src/conn-tools/deps-exe/s6-tlsd-io new file mode 100644 index 0000000..3e2653d --- /dev/null +++ b/src/conn-tools/deps-exe/s6-tlsd-io @@ -0,0 +1,5 @@ +${LIBCRYPTOSUPPORT} +-lskarnet +${CRYPTO_LIB} +${SOCKET_LIB} +${SYSCLOCK_LIB} diff --git a/src/conn-tools/deps-exe/s6-ucspitlsd b/src/conn-tools/deps-exe/s6-ucspitlsd new file mode 100644 index 0000000..ac1b327 --- /dev/null +++ b/src/conn-tools/deps-exe/s6-ucspitlsd @@ -0,0 +1,3 @@ +libs6tls.a.xyzzy +-lskarnet +${SOCKET_LIB} diff --git a/src/conn-tools/deps-lib/s6tls b/src/conn-tools/deps-lib/s6tls new file mode 100644 index 0000000..ad78cfd --- /dev/null +++ b/src/conn-tools/deps-lib/s6tls @@ -0,0 +1,4 @@ +s6tls_drop.o +s6tls_exec_tlscio.o +s6tls_exec_tlsdio.o +s6tls_wait_and_exec_app.o diff --git a/src/conn-tools/s6-tlsc-io.c b/src/conn-tools/s6-tlsc-io.c new file mode 100644 index 0000000..79dd25d --- /dev/null +++ b/src/conn-tools/s6-tlsc-io.c @@ -0,0 +1,128 @@ +/* ISC license. */ + +#include <stdint.h> +#include <unistd.h> +#include <signal.h> + +#include <skalibs/gccattributes.h> +#include <skalibs/types.h> +#include <skalibs/sgetopt.h> +#include <skalibs/strerr2.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/tai.h> +#include <skalibs/env.h> +#include <skalibs/sig.h> +#include <skalibs/djbunix.h> + +#include <s6-networking/config.h> + +#define HANDSHAKE_BANNER "SSL_PROTOCOL=TLSv1\0" + +static inline void doit (int *, tain_t const *tto, uint32_t, uint32_t, unsigned int, char const *, unsigned int) gccattr_noreturn ; + +#ifdef S6_NETWORKING_USE_TLS + +#include <s6-networking/stls.h> + +static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, char const *servername, unsigned int notif) +{ + struct tls *ctx = stls_client_init_and_handshake(fds + 2, preoptions, servername) ; + if (notif) + { + if (allwrite(notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER)) + strerr_diefu1sys(111, "write post-handshake data") ; + fd_close(notif) ; + } + stls_run(ctx, fds, tto, options, verbosity) ; +} + +#else +#ifdef S6_NETWORKING_USE_BEARSSL + +#include <skalibs/random.h> + +#include <s6-networking/sbearssl.h> + +static int handshake_cb_nop (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg) +{ + (void)ctx ; + (void)cbarg ; + return 1 ; +} + +static int handshake_cb_sendvars (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg) +{ + if (allwrite(cbarg->notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER)) + return 0 ; + fd_close(cbarg->notif) ; + return 1 ; +} + +static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, char const *servername, unsigned int notif) +{ + if (ndelay_on(fds[0]) < 0 || ndelay_on(fds[1]) < 0) + strerr_diefu1sys(111, "set local fds non-blocking") ; + if (!random_init()) strerr_diefu1sys(111, "initialize random device") ; + sbearssl_client_init_and_run(fds, tto, preoptions, options, verbosity, servername, notif ? &handshake_cb_sendvars : &handshake_cb_nop, notif) ; +} + +#else + +#error No SSL backend configured. + +#endif +#endif + + +#define USAGE "s6-tlsc-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -k servername ] fdr fdw" +#define dieusage() strerr_dieusage(100, USAGE) + +int main (int argc, char const *const *argv, char const *const *envp) +{ + char const *servername = 0 ; + tain_t tto ; + int fds[4] = { 0, 1, 0, 1 } ; + unsigned int verbosity = 1 ; + unsigned int notif = 0 ; + uint32_t preoptions = 0 ; + uint32_t options = 1 ; + + PROG = "s6-tlsc-io" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + unsigned int t = 0 ; + for (;;) + { + int opt = subgetopt_r(argc, argv, "d:SsYyv:K:k:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'd' : if (!uint0_scan(l.arg, ¬if)) dieusage() ; break ; + case 'S' : options &= ~1 ; break ; + case 's' : options |= 1 ; break ; + case 'Y' : preoptions &= ~1 ; break ; + case 'y' : preoptions |= 1 ; break ; + case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; + case 'k' : servername = l.arg ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ; + } + if (argc < 2) dieusage() ; + { + unsigned int u ; + if (!uint0_scan(argv[0], &u)) dieusage() ; + fds[0] = u ; + if (!uint0_scan(argv[1], &u)) dieusage() ; + fds[1] = u ; + } + + if (ndelay_on(0) < 0 || ndelay_on(1) < 0) + strerr_diefu1sys(111, "set stdin/stdout non-blocking") ; + if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ; + tain_now_set_stopwatch_g() ; + doit(fds, &tto, preoptions, options, verbosity, servername, notif) ; +} diff --git a/src/conn-tools/s6-tlsc.c b/src/conn-tools/s6-tlsc.c index d9df81c..6431ccb 100644 --- a/src/conn-tools/s6-tlsc.c +++ b/src/conn-tools/s6-tlsc.c @@ -2,67 +2,63 @@ #include <stdint.h> #include <unistd.h> -#include <errno.h> +#include <fcntl.h> + +#include <skalibs/gccattributes.h> #include <skalibs/types.h> #include <skalibs/sgetopt.h> #include <skalibs/strerr2.h> -#include <skalibs/tai.h> #include <skalibs/env.h> #include <skalibs/djbunix.h> -#include <s6-networking/config.h> - -#ifdef S6_NETWORKING_USE_TLS - -#include <s6-networking/stls.h> -#define s6tlsc stls_s6tlsc - -#else -#ifdef S6_NETWORKING_USE_BEARSSL - -#include <s6-networking/sbearssl.h> -#define s6tlsc sbearssl_s6tlsc - -#else - -#error No SSL backend configured. - -#endif -#endif +#include "s6tls-internal.h" #define USAGE "s6-tlsc [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -k servername ] [ -Z | -z ] [ -6 rfd ] [ -7 wfd ] prog..." #define dieusage() strerr_dieusage(100, USAGE) -int main (int argc, char const *const *argv, char const *const *envp) +static void child (int const [3][2], int, int, uint32_t, unsigned int, unsigned int, char const *) gccattr_noreturn ; +static void child (int const p[3][2], int fdr, int fdw, uint32_t options, unsigned int verbosity, unsigned int kimeout, char const *servername) +{ + int fds[3] = { p[0][0], p[1][1], p[2][1] } ; + PROG = "s6-tlsc (child)" ; + s6tls_drop() ; + close(p[2][0]) ; + close(p[0][1]) ; + close(p[1][0]) ; + if (fd_move(0, fdr) < 0 || fd_move(1, fdw) < 0) + strerr_diefu1sys(111, "move network fds to stdin/stdout") ; + s6tls_exec_tlscio(fds, options, verbosity, kimeout, servername) ; +} + +int main (int argc, char const *const *argv) { + int fds[2] = { 6, 7 } ; char const *servername = 0 ; - tain_t tto ; unsigned int verbosity = 1 ; - uid_t uid = 0 ; - gid_t gid = 0 ; - uint32_t preoptions = 2 ; - uint32_t options = 1 ; - int fds[2] = { 6, 7 } ; + unsigned int kimeout = 0 ; + int p[3][2] ; + uint32_t options = 0 ; + int cleanenv = 1 ; + pid_t pid ; PROG = "s6-tlsc" ; { subgetopt_t l = SUBGETOPT_ZERO ; - unsigned int t = 0 ; for (;;) { int opt = subgetopt_r(argc, argv, "SsYyv:K:k:Zz6:7:", &l) ; if (opt == -1) break ; switch (opt) { - case 'S' : options &= ~(uint32_t)1 ; break ; - case 's' : options |= 1 ; break ; - case 'Y' : preoptions &= ~(uint32_t)1 ; break ; - case 'y' : preoptions |= 1 ; break ; + case 'S' : options &= ~4 ; break ; + case 's' : options |= 4 ; break ; + case 'Y' : options &= ~1 ; break ; + case 'y' : options |= 1 ; break ; case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; - case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; + case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ; case 'k' : servername = l.arg ; break ; - case 'Z' : preoptions &= ~(uint32_t)2 ; break ; - case 'z' : preoptions |= 2 ; break ; + case 'Z' : cleanenv = 0 ; break ; + case 'z' : cleanenv = 1 ; break ; case '6' : { unsigned int fd ; @@ -81,18 +77,20 @@ int main (int argc, char const *const *argv, char const *const *envp) } } argc -= l.ind ; argv += l.ind ; - if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ; } if (!argc) dieusage() ; - - if (!getuid()) + fd_sanitize() ; + if (fcntl(fds[0], F_GETFD) < 0 || fcntl(fds[1], F_GETFD) < 0) + strerr_diefu1sys(111, "check network fds") ; + if (pipe(p[0]) < 0 || pipe(p[1]) < 0 || pipe(p[2]) < 0) + strerr_diefu1sys(111, "pipe") ; + pid = fork() ; + switch (pid) { - char const *x = env_get2(envp, "TLS_UID") ; - if (x && !uid0_scan(x, &uid)) strerr_dieinvalid(100, "TLS_UID") ; - x = env_get2(envp, "TLS_GID") ; - if (x && !gid0_scan(x, &gid)) strerr_dieinvalid(100, "TLS_GID") ; + case -1 : strerr_diefu1sys(111, "fork") ; + case 0 : child(p, fds[0], fds[1], options, verbosity, kimeout, servername) ; + default : break ; } - tain_now_set_stopwatch_g() ; - return s6tlsc(argv, envp, &tto, preoptions, options, uid, gid, verbosity, servername, fds) ; + s6tls_wait_and_exec_app(argv, p, pid, fds[0], fds[1], cleanenv ? 1 : 0) ; } diff --git a/src/conn-tools/s6-tlsd-io.c b/src/conn-tools/s6-tlsd-io.c new file mode 100644 index 0000000..0b42b3b --- /dev/null +++ b/src/conn-tools/s6-tlsd-io.c @@ -0,0 +1,126 @@ +/* ISC license. */ + +#include <stdint.h> +#include <unistd.h> +#include <signal.h> + +#include <skalibs/gccattributes.h> +#include <skalibs/types.h> +#include <skalibs/sgetopt.h> +#include <skalibs/strerr2.h> +#include <skalibs/allreadwrite.h> +#include <skalibs/sig.h> +#include <skalibs/tai.h> +#include <skalibs/env.h> +#include <skalibs/djbunix.h> + +#include <s6-networking/config.h> + +#define HANDSHAKE_BANNER "SSL_PROTOCOL=TLSv1\0" + +static inline void doit (int *, tain_t const *tto, uint32_t, uint32_t, unsigned int, unsigned int) gccattr_noreturn ; + +#ifdef S6_NETWORKING_USE_TLS + +#include <s6-networking/stls.h> + +static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, unsigned int notif) +{ + struct tls *ctx = stls_server_init_and_handshake(fds + 2, preoptions) ; + if (notif) + { + if (allwrite(notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER)) + strerr_diefu1sys(111, "write post-handshake data") ; + fd_close(notif) ; + } + stls_run(ctx, fds, tto, options, verbosity) ; +} + +#else +#ifdef S6_NETWORKING_USE_BEARSSL + +#include <skalibs/random.h> + +#include <s6-networking/sbearssl.h> + +static int handshake_cb_nop (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg) +{ + (void)ctx ; + (void)cbarg ; + return 1 ; +} + +static int handshake_cb_sendvars (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg) +{ + if (allwrite(cbarg->notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER)) + return 0 ; + fd_close(cbarg->notif) ; + return 1 ; +} + +static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, unsigned int notif) +{ + if (ndelay_on(fds[0]) < 0 || ndelay_on(fds[1]) < 0) + strerr_diefu1sys(111, "set local fds non-blocking") ; + if (!random_init()) strerr_diefu1sys(111, "initialize random device") ; + sbearssl_server_init_and_run(fds, tto, preoptions, options, verbosity, notif ? &handshake_cb_sendvars : &handshake_cb_nop, notif) ; +} + +#else + +#error No SSL backend configured. + +#endif +#endif + + +#define USAGE "s6-tlsd-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] fdr fdw" +#define dieusage() strerr_dieusage(100, USAGE) + +int main (int argc, char const *const *argv, char const *const *envp) +{ + tain_t tto ; + int fds[4] = { 0, 1, 0, 1 } ; + unsigned int verbosity = 1 ; + unsigned int notif = 0 ; + uint32_t preoptions = 0 ; + uint32_t options = 1 ; + + PROG = "s6-tlsd-io" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + unsigned int t = 0 ; + for (;;) + { + int opt = subgetopt_r(argc, argv, "d:SsYyv:K:", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'd' : if (!uint0_scan(l.arg, ¬if)) dieusage() ; break ; + case 'S' : options &= ~1 ; break ; + case 's' : options |= 1 ; break ; + case 'Y' : preoptions |= 1 ; preoptions &= ~2 ; break ; + case 'y' : preoptions |= 3 ; break ; + case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ; + } + if (argc < 2) dieusage() ; + { + unsigned int u ; + if (!uint0_scan(argv[0], &u)) dieusage() ; + fds[0] = u ; + if (!uint0_scan(argv[1], &u)) dieusage() ; + fds[1] = u ; + } + + if (ndelay_on(0) < 0 || ndelay_on(1) < 0) + strerr_diefu1sys(111, "set stdin/stdout non-blocking") ; + if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ; + tain_now_set_stopwatch_g() ; + doit(fds, &tto, preoptions, options, verbosity, notif) ; +} diff --git a/src/conn-tools/s6-tlsd.c b/src/conn-tools/s6-tlsd.c index 923ac47..e26ba49 100644 --- a/src/conn-tools/s6-tlsd.c +++ b/src/conn-tools/s6-tlsd.c @@ -2,79 +2,73 @@ #include <stdint.h> #include <unistd.h> + +#include <skalibs/gccattributes.h> #include <skalibs/types.h> #include <skalibs/sgetopt.h> #include <skalibs/strerr2.h> -#include <skalibs/tai.h> #include <skalibs/env.h> #include <skalibs/djbunix.h> -#include <s6-networking/config.h> - -#ifdef S6_NETWORKING_USE_TLS - -#include <s6-networking/stls.h> -#define s6tlsd stls_s6tlsd - -#else -#ifdef S6_NETWORKING_USE_BEARSSL - -#include <s6-networking/sbearssl.h> -#define s6tlsd sbearssl_s6tlsd - -#else - -#error No SSL backend configured. - -#endif -#endif +#include "s6tls-internal.h" #define USAGE "s6-tlsd [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] prog..." #define dieusage() strerr_dieusage(100, USAGE) -int main (int argc, char const *const *argv, char const *const *envp) +static void child (int const [3][2], uint32_t, unsigned int, unsigned int) gccattr_noreturn ; +static void child (int const p[3][2], uint32_t options, unsigned int verbosity, unsigned int kimeout) +{ + int fds[3] = { p[0][0], p[1][1], p[2][1] } ; + PROG = "s6-tlsd (child)" ; + close(p[2][0]) ; + close(p[0][1]) ; + close(p[1][0]) ; + s6tls_drop() ; + s6tls_exec_tlsdio(fds, options, verbosity, kimeout) ; +} + +int main (int argc, char const *const *argv) { - tain_t tto ; unsigned int verbosity = 1 ; - uid_t uid = 0 ; - gid_t gid = 0 ; - uint32_t preoptions = 2 ; - uint32_t options = 1 ; + unsigned int kimeout = 0 ; + int p[3][2] ; + uint32_t options = 0 ; + int cleanenv = 1 ; + pid_t pid ; - PROG = "s6-tlsd" ; + PROG = "s6-tlsd (parent)" ; { subgetopt_t l = SUBGETOPT_ZERO ; - unsigned int t = 0 ; for (;;) { int opt = subgetopt_r(argc, argv, "SsYyv:K:Zz", &l) ; if (opt == -1) break ; switch (opt) { - case 'S' : options &= ~(uint32_t)1 ; break ; - case 's' : options |= 1 ; break ; - case 'Y' : preoptions |= 1 ; preoptions &= ~(uint32_t)4 ; break ; - case 'y' : preoptions |= 5 ; break ; + case 'S' : options |= 4 ; break ; + case 's' : options &= ~4 ; break ; + case 'Y' : options |= 1 ; options &= ~2 ; break ; + case 'y' : options |= 3 ; break ; case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; - case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; - case 'Z' : preoptions &= ~(uint32_t)2 ; break ; - case 'z' : preoptions |= 2 ; break ; + case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ; + case 'Z' : cleanenv = 0 ; break ; + case 'z' : cleanenv = 1 ; break ; default : dieusage() ; } } argc -= l.ind ; argv += l.ind ; - if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ; } if (!argc) dieusage() ; - if (!getuid()) + if (pipe(p[0]) < 0 || pipe(p[1]) < 0 || pipe(p[2]) < 0) + strerr_diefu1sys(111, "pipe") ; + pid = fork() ; + switch (pid) { - char const *x = env_get2(envp, "TLS_UID") ; - if (x && !uid0_scan(x, &uid)) strerr_dieinvalid(100, "TLS_UID") ; - x = env_get2(envp, "TLS_GID") ; - if (x && !gid0_scan(x, &gid)) strerr_dieinvalid(100, "TLS_GID") ; + case -1 : strerr_diefu1sys(111, "fork") ; + case 0 : child(p, options, verbosity, kimeout) ; + default : break ; } - tain_now_set_stopwatch_g() ; - return s6tlsd(argv, envp, &tto, preoptions, options, uid, gid, verbosity) ; + s6tls_wait_and_exec_app(argv, p, pid, 0, 1, cleanenv ? 1 : 0) ; } diff --git a/src/conn-tools/s6-ucspitlsd.c b/src/conn-tools/s6-ucspitlsd.c new file mode 100644 index 0000000..ae2ca41 --- /dev/null +++ b/src/conn-tools/s6-ucspitlsd.c @@ -0,0 +1,114 @@ +/* ISC license. */ + +#include <stdint.h> +#include <string.h> +#include <unistd.h> +#include <stdlib.h> + +#include <skalibs/gccattributes.h> +#include <skalibs/types.h> +#include <skalibs/sgetopt.h> +#include <skalibs/strerr2.h> +#include <skalibs/env.h> +#include <skalibs/djbunix.h> +#include <skalibs/webipc.h> + +#include <s6-networking/config.h> +#include "s6tls-internal.h" + +#define USAGE "s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] prog..." +#define dieusage() strerr_dieusage(100, USAGE) + +static inline void child (int [3][2], uint32_t, unsigned int, unsigned int) gccattr_noreturn ; +static inline void child (int p[3][2], uint32_t options, unsigned int verbosity, unsigned int kimeout) +{ + int fds[3] = { p[0][0], p[1][1], p[2][1] } ; + ssize_t r ; + char c ; + PROG = "s6-ucspitlsd" ; + close(p[2][0]) ; + close(p[0][1]) ; + close(p[1][0]) ; + s6tls_drop() ; + r = read(p[2][1], &c, 1) ; + if (r < 0) strerr_diefu1sys(111, "read from control socket") ; + if (!r) _exit(0) ; + switch (c) + { + case 'y' : + close(p[2][1]) ; + p[2][1] = 0 ; /* we know 0 is open so it's a correct invalid value */ + case 'Y' : + fd_shutdown(p[2][1], 0) ; + break ; + default : + strerr_dief1x(100, "unrecognized command on control socket") ; + } + s6tls_exec_tlsdio(fds, options, verbosity, kimeout) ; +} + +int main (int argc, char const *const *argv, char const *const *envp) +{ + unsigned int kimeout = 0 ; + unsigned int verbosity = 1 ; + uint32_t options = 0 ; + int cleanenv = 1 ; + int p[3][2] ; + + PROG = "s6-ucspitlsd (parent)" ; + { + subgetopt_t l = SUBGETOPT_ZERO ; + for (;;) + { + int opt = subgetopt_r(argc, argv, "SsYyv:K:Zz", &l) ; + if (opt == -1) break ; + switch (opt) + { + case 'S' : options |= 4 ; break ; + case 's' : options &= ~4 ; break ; + case 'Y' : options |= 1 ; options &= ~2 ; break ; + case 'y' : options |= 3 ; break ; + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ; + case 'Z' : cleanenv = 0 ; break ; + case 'z' : cleanenv = 1 ; break ; + default : dieusage() ; + } + } + argc -= l.ind ; argv += l.ind ; + } + if (!argc) dieusage() ; + + if (ipc_pair_b(p[2]) < 0) strerr_diefu1sys(111, "ipc_pair") ; + if (pipe(p[0]) < 0 || pipe(p[1]) < 0) strerr_diefu1sys(111, "pipe") ; + + switch (fork()) + { + case -1 : strerr_diefu1sys(111, "fork") ; + case 0 : child(p, options, verbosity, kimeout) ; + default : break ; + } + + { + size_t m = 0 ; + char modif[sizeof(s6tls_envvars) + 33 + 3 * UINT_FMT] ; + close(p[2][1]) ; + close(p[1][1]) ; + close(p[0][0]) ; + if (cleanenv) + { + memcpy(modif + m, s6tls_envvars, sizeof(s6tls_envvars)) ; + m += sizeof(s6tls_envvars) ; + } + memcpy(modif + m, "SSLCTLFD=", 9) ; m += 9 ; + m += uint_fmt(modif + m, p[2][0]) ; + modif[m++] = 0 ; + memcpy(modif + m, "SSLREADFD=", 10) ; m += 10 ; + m += uint_fmt(modif + m, p[1][0]) ; + modif[m++] = 0 ; + memcpy(modif + m, "SSLWRITEFD=", 11) ; m += 11 ; + m += uint_fmt(modif + m, p[0][1]) ; + modif[m++] = 0 ; + xpathexec_r(argv, envp, env_len(envp), modif, m) ; + } +} diff --git a/src/conn-tools/s6tls-internal.h b/src/conn-tools/s6tls-internal.h new file mode 100644 index 0000000..48df60f --- /dev/null +++ b/src/conn-tools/s6tls-internal.h @@ -0,0 +1,18 @@ +/* ISC license */ + +#ifndef S6TLS_INTERNAL_H +#define S6TLS_INTERNAL_H + +#include <stdint.h> +#include <unistd.h> + +#include <skalibs/gccattributes.h> + +#define s6tls_envvars "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID" + +extern void s6tls_drop (void) ; +extern void s6tls_exec_tlscio (int const *, uint32_t, unsigned int, unsigned int, char const *) gccattr_noreturn ; +extern void s6tls_exec_tlsdio (int const *, uint32_t, unsigned int, unsigned int) gccattr_noreturn ; +extern void s6tls_wait_and_exec_app (char const *const *, int const [3][2], pid_t, int, int, uint32_t) gccattr_noreturn ; + +#endif diff --git a/src/conn-tools/s6tls_drop.c b/src/conn-tools/s6tls_drop.c new file mode 100644 index 0000000..6b6f67f --- /dev/null +++ b/src/conn-tools/s6tls_drop.c @@ -0,0 +1,24 @@ +/* ISC license. */ + +#include <unistd.h> +#include <stdlib.h> + +#include <skalibs/strerr2.h> +#include <skalibs/types.h> + +#include "s6tls-internal.h" + +void s6tls_drop (void) +{ + if (!getuid()) + { + uid_t uid ; + gid_t gid ; + char const *x = getenv("TLS_UID") ; + if (x && !uid0_scan(x, &uid)) strerr_dieinvalid(100, "TLS_UID") ; + x = getenv("TLS_GID") ; + if (x && !gid0_scan(x, &gid)) strerr_dieinvalid(100, "TLS_GID") ; + if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; + if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; + } +} diff --git a/src/conn-tools/s6tls_exec_tlscio.c b/src/conn-tools/s6tls_exec_tlscio.c new file mode 100644 index 0000000..ad00ecd --- /dev/null +++ b/src/conn-tools/s6tls_exec_tlscio.c @@ -0,0 +1,53 @@ +/* ISC license. */ + +#include <skalibs/posixplz.h> +#include <skalibs/types.h> +#include <skalibs/djbunix.h> + +#include <s6-networking/config.h> +#include "s6tls-internal.h" + +void s6tls_exec_tlscio (int const *fds, uint32_t options, unsigned int verbosity, unsigned int kimeout, char const *servername) +{ + char const *newargv[15] ; + unsigned int m = 0 ; + char fmtv[UINT_FMT] ; + char fmtd[UINT_FMT] ; + char fmtk[UINT_FMT] ; + char fmtr[UINT_FMT] ; + char fmtw[UINT_FMT] ; + + newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tlsc-io" ; + if (verbosity != 1) + { + newargv[m++] = "-v" ; + newargv[m++] = fmtv ; + fmtv[uint_fmt(fmtv, verbosity)] = 0 ; + } + if (fds[2]) + { + newargv[m++] = "-d" ; + newargv[m++] = fmtd ; + fmtd[uint_fmt(fmtd, fds[2])] = 0 ; + } + newargv[m++] = options & 4 ? "-S" : "-s" ; + newargv[m++] = options & 1 ? "-y" : "-Y" ; + if (kimeout) + { + newargv[m++] = "-K" ; + newargv[m++] = fmtk ; + fmtk[uint_fmt(fmtk, kimeout)] = 0 ; + } + if (servername) + { + newargv[m++] = "-k" ; + newargv[m++] = servername ; + } + newargv[m++] = "--" ; + newargv[m++] = fmtr ; + fmtr[uint_fmt(fmtr, fds[0])] = 0 ; + newargv[m++] = fmtw ; + fmtw[uint_fmt(fmtw, fds[1])] = 0 ; + newargv[m++] = 0 ; + xpathexec_run(newargv[0], newargv, (char const *const *)environ) ; +} diff --git a/src/conn-tools/s6tls_exec_tlsdio.c b/src/conn-tools/s6tls_exec_tlsdio.c new file mode 100644 index 0000000..b00adb2 --- /dev/null +++ b/src/conn-tools/s6tls_exec_tlsdio.c @@ -0,0 +1,49 @@ +/* ISC license. */ + +#include <skalibs/posixplz.h> +#include <skalibs/types.h> +#include <skalibs/djbunix.h> + +#include <s6-networking/config.h> +#include "s6tls-internal.h" + +void s6tls_exec_tlsdio (int const *fds, uint32_t options, unsigned int verbosity, unsigned int kimeout) +{ + char const *newargv[13] ; + unsigned int m = 0 ; + char fmtv[UINT_FMT] ; + char fmtd[UINT_FMT] ; + char fmtk[UINT_FMT] ; + char fmtr[UINT_FMT] ; + char fmtw[UINT_FMT] ; + + newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tlsd-io" ; + if (verbosity != 1) + { + newargv[m++] = "-v" ; + newargv[m++] = fmtv ; + fmtv[uint_fmt(fmtv, verbosity)] = 0 ; + } + if (fds[2]) + { + newargv[m++] = "-d" ; + newargv[m++] = fmtd ; + fmtd[uint_fmt(fmtd, fds[2])] = 0 ; + } + newargv[m++] = options & 4 ? "-S" : "-s" ; + if (options & 1) + newargv[m++] = options & 2 ? "-y" : "-Y" ; + if (kimeout) + { + newargv[m++] = "-K" ; + newargv[m++] = fmtk ; + fmtk[uint_fmt(fmtk, kimeout)] = 0 ; + } + newargv[m++] = "--" ; + newargv[m++] = fmtr ; + fmtr[uint_fmt(fmtr, fds[0])] = 0 ; + newargv[m++] = fmtw ; + fmtw[uint_fmt(fmtw, fds[1])] = 0 ; + newargv[m++] = 0 ; + xpathexec_run(newargv[0], newargv, (char const *const *)environ) ; +} diff --git a/src/conn-tools/s6tls_wait_and_exec_app.c b/src/conn-tools/s6tls_wait_and_exec_app.c new file mode 100644 index 0000000..20828f6 --- /dev/null +++ b/src/conn-tools/s6tls_wait_and_exec_app.c @@ -0,0 +1,43 @@ +/* ISC license. */ + +#include <stdint.h> +#include <unistd.h> + +#include <skalibs/posixplz.h> +#include <skalibs/strerr2.h> +#include <skalibs/env.h> +#include <skalibs/djbunix.h> + +#include "s6tls-internal.h" + +#define MAXENVSIZE 2048 + +void s6tls_wait_and_exec_app (char const *const *argv, int const p[3][2], pid_t pid, int fdr, int fdw, uint32_t options) +{ + char buf[sizeof(s6tls_envvars) + MAXENVSIZE] ; + size_t m = 0 ; + ssize_t r ; + close(p[2][1]) ; + close(p[1][1]) ; + close(p[0][0]) ; + if (fd_move(fdr, p[1][0]) < 0 || fd_move(fdw, p[0][1]) < 0) + strerr_diefu1sys(111, "move file descriptors") ; + if (options & 1) + { + memcpy(buf + m, s6tls_envvars, sizeof(s6tls_envvars)) ; + m += sizeof(s6tls_envvars) ; + } + r = read(p[2][0], buf + m, MAXENVSIZE) ; + if (r < 0) strerr_diefu1sys(111, "read from handshake notification pipe") ; + if (!r) + { + int wstat ; + if (wait_pid(pid, &wstat) < 0) + strerr_diefu1sys(111, "wait") ; + _exit(wait_estatus(wstat)) ; + } + if (r >= MAXENVSIZE) + strerr_dief1x(100, "SSL data too large") ; + m += r - 1 ; + xpathexec_r(argv, (char const *const *)environ, env_len((char const *const *)environ), buf, m) ; +} diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h index ab94d75..9fb8792 100644 --- a/src/include/s6-networking/sbearssl.h +++ b/src/include/s6-networking/sbearssl.h @@ -5,7 +5,10 @@ #include <sys/types.h> #include <stdint.h> + #include <bearssl.h> + +#include <skalibs/gccattributes.h> #include <skalibs/buffer.h> #include <skalibs/stralloc.h> #include <skalibs/genalloc.h> @@ -202,12 +205,21 @@ extern char const *sbearssl_error_str (int) ; /* Engine */ -extern int sbearssl_run (br_ssl_engine_context *, int *, pid_t, unsigned int, uint32_t, tain_t const *) ; +typedef struct sbearssl_handshake_cb_context_s sbearssl_handshake_cb_context_t, *sbearssl_handshake_cb_context_t_ref ; +struct sbearssl_handshake_cb_context_s +{ + unsigned int notif ; +} ; + +typedef int sbearssl_handshake_cb_t (br_ssl_engine_context *, sbearssl_handshake_cb_context_t *) ; +typedef sbearssl_handshake_cb_t *sbearssl_handshake_cb_t_ref ; + +extern void sbearssl_run (br_ssl_engine_context *, int *, tain_t const *, uint32_t, unsigned int, sbearssl_handshake_cb_t_ref, sbearssl_handshake_cb_context_t *) gccattr_noreturn ; - /* s6-tlsc and s6-tlsd implementations */ + /* s6-tlsc-io and s6-tlsd-io implementations */ -extern int sbearssl_s6tlsc (char const *const *, char const *const *, tain_t const *, uint32_t, uint32_t, uid_t, gid_t, unsigned int, char const *, int *) ; -extern int sbearssl_s6tlsd (char const *const *, char const *const *, tain_t const *, uint32_t, uint32_t, uid_t, gid_t, unsigned int) ; +extern void sbearssl_client_init_and_run (int *, tain_t const *, uint32_t, uint32_t, unsigned int, char const *, sbearssl_handshake_cb_t_ref, unsigned int) gccattr_noreturn ; +extern void sbearssl_server_init_and_run (int *, tain_t const *, uint32_t, uint32_t, unsigned int, sbearssl_handshake_cb_t_ref, unsigned int) gccattr_noreturn ; #endif diff --git a/src/include/s6-networking/stls.h b/src/include/s6-networking/stls.h index 963e7a1..76acdd8 100644 --- a/src/include/s6-networking/stls.h +++ b/src/include/s6-networking/stls.h @@ -3,9 +3,11 @@ #ifndef STLS_H #define STLS_H -#include <sys/types.h> #include <stdint.h> + #include <tls.h> + +#include <skalibs/gccattributes.h> #include <skalibs/tai.h> #define STLS_BUFSIZE (16384 + 325 + 1) @@ -13,12 +15,12 @@ /* Engine */ -extern int stls_run (struct tls *, int *, pid_t, unsigned int, uint32_t, tain_t const *) ; +extern void stls_run (struct tls *, int *, tain_t const *, uint32_t, unsigned int) gccattr_noreturn ; - /* s6-tlsc and s6-tlsd implementations */ + /* s6-tlsc-io and s6-tlsd-io */ -extern int stls_s6tlsc (char const *const *, char const *const *, tain_t const *, uint32_t, uint32_t, uid_t, gid_t, unsigned int, char const *, int *) ; -extern int stls_s6tlsd (char const *const *, char const *const *, tain_t const *, uint32_t, uint32_t, uid_t, gid_t, unsigned int) ; +struct tls *stls_client_init_and_handshake (int const *, uint32_t, char const *) ; +struct tls *stls_server_init_and_handshake (int const *, uint32_t) ; #endif diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl index c0acfb6..55729f6 100644 --- a/src/sbearssl/deps-lib/sbearssl +++ b/src/sbearssl/deps-lib/sbearssl @@ -1,5 +1,4 @@ sbearssl_append.o -sbearssl_prep_spawn_drop.o sbearssl_cert_from.o sbearssl_cert_readbigpem.o sbearssl_cert_readfile.o @@ -33,7 +32,7 @@ sbearssl_ta_to.o sbearssl_x500_name_len.o sbearssl_x500_from_ta.o sbearssl_x509_minimal_set_tai.o -sbearssl_s6tlsc.o -sbearssl_s6tlsd.o +sbearssl_client_init_and_run.o +sbearssl_server_init_and_run.o -lbearssl -lskarnet diff --git a/src/sbearssl/sbearssl-internal.h b/src/sbearssl/sbearssl-internal.h index cbf355b..25f6468 100644 --- a/src/sbearssl/sbearssl-internal.h +++ b/src/sbearssl/sbearssl-internal.h @@ -19,6 +19,5 @@ struct sbearssl_strallocerr_s extern void sbearssl_append (void *, void const *, size_t) ; extern int sbearssl_pem_push (br_pem_decoder_context *, char const *, size_t, sbearssl_pemobject *, genalloc *, sbearssl_strallocerr *, int *) ; -extern pid_t sbearssl_prep_spawn_drop (char const *const *, char const *const *, int *, uid_t, gid_t, uint32_t) ; #endif diff --git a/src/sbearssl/sbearssl_s6tlsc.c b/src/sbearssl/sbearssl_client_init_and_run.c index 267d79c..a95e9e1 100644 --- a/src/sbearssl/sbearssl_s6tlsc.c +++ b/src/sbearssl/sbearssl_client_init_and_run.c @@ -1,36 +1,35 @@ /* ISC license. */ -#include <unistd.h> -#include <errno.h> +#include <stddef.h> +#include <stdlib.h> + #include <bearssl.h> + #include <skalibs/strerr2.h> -#include <skalibs/env.h> #include <skalibs/stralloc.h> #include <skalibs/genalloc.h> -#include <skalibs/djbunix.h> #include <skalibs/random.h> + #include <s6-networking/sbearssl.h> #include "sbearssl-internal.h" -int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, char const *servername, int *sfd) +void sbearssl_client_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, char const *servername, sbearssl_handshake_cb_t_ref cb, unsigned int notif) { - int fds[5] = { sfd[0], sfd[1], sfd[0], sfd[1] } ; stralloc storage = STRALLOC_ZERO ; genalloc tas = GENALLOC_ZERO ; size_t talen ; - pid_t pid ; if (preoptions & 1) strerr_dief1x(100, "client certificates are not supported yet") ; { int r ; - char const *x = env_get2(envp, "CADIR") ; + char const *x = getenv("CADIR") ; if (x) r = sbearssl_ta_readdir(x, &tas, &storage) ; else { - x = env_get2(envp, "CAFILE") ; + x = getenv("CAFILE") ; if (!x) strerr_dienotset(100, "CADIR or CAFILE") ; r = sbearssl_ta_readfile(x, &tas, &storage) ; } @@ -45,17 +44,13 @@ int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t co strerr_dief2x(96, "no trust anchor found in ", x) ; } - if (!random_init()) strerr_diefu1sys(111, "initialize random generator") ; - - pid = sbearssl_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ; - { + sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ; unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; br_x509_minimal_context xc ; br_ssl_client_context cc ; br_x509_trust_anchor btas[talen] ; size_t i = talen ; - int wstat ; stralloc_shrink(&storage) ; while (i--) @@ -63,17 +58,14 @@ int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t co genalloc_free(sbearssl_ta, &tas) ; br_ssl_client_init_full(&cc, &xc, btas, talen) ; random_string((char *)buf, 32) ; - br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ; random_finish() ; + br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ; br_ssl_engine_set_buffer(&cc.eng, buf, sizeof(buf), 1) ; if (!br_ssl_client_reset(&cc, servername, 0)) strerr_diefu2x(97, "reset client context: ", sbearssl_error_str(br_ssl_engine_last_error(&cc.eng))) ; - tain_now_g() ; if (!sbearssl_x509_minimal_set_tain(&xc, &STAMP)) strerr_diefu1sys(111, "initialize validation time") ; - wstat = sbearssl_run(&cc.eng, fds, pid, verbosity, options, tto) ; - if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ; - return wait_estatus(wstat) ; + sbearssl_run(&cc.eng, fds, tto, options, verbosity, cb, &cbarg) ; } } diff --git a/src/sbearssl/sbearssl_prep_spawn_drop.c b/src/sbearssl/sbearssl_prep_spawn_drop.c deleted file mode 100644 index 1ca7eb8..0000000 --- a/src/sbearssl/sbearssl_prep_spawn_drop.c +++ /dev/null @@ -1,35 +0,0 @@ -/* ISC license. */ - -#include <unistd.h> -#include <signal.h> -#include <skalibs/env.h> -#include <skalibs/strerr2.h> -#include <skalibs/djbunix.h> -#include <skalibs/selfpipe.h> -#include "sbearssl-internal.h" - -pid_t sbearssl_prep_spawn_drop (char const *const *argv, char const *const *envp, int *fds, uid_t uid, gid_t gid, uint32_t options) -{ - pid_t pid ; - - fds[4] = selfpipe_init() ; - if (fds[4] < 0) strerr_diefu1sys(111, "init selfpipe") ; - if (selfpipe_trap(SIGCHLD) < 0) strerr_diefu1sys(111, "trap SIGCHLD") ; - - if (!(options & 1)) pid = child_spawn2(argv[0], argv, envp, fds) ; - else - { - char const modifs[] = "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID" ; - size_t modiflen = sizeof(modifs) ; - size_t n = env_len(envp) ; - char const *newenv[n + 7] ; - size_t newenvlen = env_merge(newenv, n+7, envp, n, modifs, modiflen) ; - if (!newenvlen) return 0 ; - pid = child_spawn2(argv[0], argv, newenv, fds) ; - } - - if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ; - if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; - if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; - return pid ; -} diff --git a/src/sbearssl/sbearssl_run.c b/src/sbearssl/sbearssl_run.c index 177a252..c8ff2fe 100644 --- a/src/sbearssl/sbearssl_run.c +++ b/src/sbearssl/sbearssl_run.c @@ -1,53 +1,30 @@ /* ISC license. */ -#include <skalibs/nonposix.h> -#include <sys/socket.h> +#include <unistd.h> #include <errno.h> -#include <signal.h> + #include <bearssl.h> + #include <skalibs/error.h> #include <skalibs/strerr2.h> -#include <skalibs/sig.h> #include <skalibs/tai.h> #include <skalibs/iopause.h> #include <skalibs/djbunix.h> -#include <skalibs/selfpipe.h> -#include <s6-networking/sbearssl.h> -static inline void handle_signals (pid_t pid, int *e) -{ - for (;;) switch (selfpipe_read()) - { - case -1 : strerr_diefu1sys(111, "read selfpipe") ; - case 0 : return ; - case SIGCHLD : - { - int wstat ; - if (wait_pid_nohang(pid, &wstat) == pid) - { - *e = wstat ; - return ; - } - } - } -} +#include <s6-networking/sbearssl.h> +#include "sbearssl-internal.h" -int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int verbosity, uint32_t options, tain_t const *tto) +void sbearssl_run (br_ssl_engine_context *ctx, int *fds, tain_t const *tto, uint32_t options, unsigned int verbosity, sbearssl_handshake_cb_t_ref cb, sbearssl_handshake_cb_context_t *cbarg) { - iopause_fd x[5] = { { .fd = fds[4], .events = IOPAUSE_READ } } ; + iopause_fd x[4] ; unsigned int xindex[4] ; int markedforflush = 0 ; - int e = -1 ; - - if (ndelay_on(fds[2]) < 0 || ndelay_on(fds[3]) < 0) - strerr_diefu1sys(111, "set fds non-blocking") ; - if (sig_ignore(SIGPIPE) < 0) - strerr_diefu1sys(111, "ignore SIGPIPE") ; + int handshake_done = 0 ; for (;;) { tain_t deadline ; - unsigned int j = 1 ; + unsigned int j = 0 ; unsigned int state = br_ssl_engine_current_state(ctx) ; int r ; @@ -58,6 +35,17 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int break ; } + if (!handshake_done) + { + size_t dummy ; + if (br_ssl_engine_recvapp_buf(ctx, &dummy)) + { + if (!(*cb)(ctx, cbarg)) + strerr_diefu1sys(111, "post-handshake callback failed") ; + handshake_done = 1 ; + } + } + tain_add_g(&deadline, fds[0] >= 0 && fds[2] >= 0 && state & (BR_SSL_SENDAPP | BR_SSL_RECVREC) ? tto : &tain_infinite_relative) ; if (fds[0] >= 0 && state & BR_SSL_SENDAPP) @@ -66,62 +54,42 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int x[j].events = IOPAUSE_READ ; xindex[0] = j++ ; } - else xindex[0] = 5 ; + else xindex[0] = 4 ; if (fds[1] >= 0 && state & BR_SSL_RECVAPP) { x[j].fd = fds[1] ; x[j].events = IOPAUSE_WRITE ; xindex[1] = j++ ; } - else xindex[1] = 5 ; + else xindex[1] = 4 ; if (fds[2] >= 0 && state & BR_SSL_RECVREC) { x[j].fd = fds[2] ; x[j].events = IOPAUSE_READ ; xindex[2] = j++ ; } - else xindex[2] = 5 ; + else xindex[2] = 4 ; if (fds[3] >= 0 && state & BR_SSL_SENDREC) { x[j].fd = fds[3] ; x[j].events = IOPAUSE_WRITE ; xindex[3] = j++ ; } - else xindex[3] = 5 ; + else xindex[3] = 4 ; - if (j == 1) break ; + if (xindex[0] == 4 && xindex[1] == 4 && xindex[3] == 4) break ; r = iopause_g(x, j, &deadline) ; if (r < 0) strerr_diefu1sys(111, "iopause") ; - else if (!r) - { - fd_close(fds[0]) ; fds[0] = -1 ; - if (options & 1) - { - shutdown(fds[3], SHUT_WR) ; - fd_close(fds[3]) ; fds[3] = -1 ; - } - else br_ssl_engine_close(ctx) ; - if (e >= 0) break ; - continue ; - } + else if (!r) break ; while (j--) if (x[j].revents & IOPAUSE_EXCEPT) x[j].revents |= IOPAUSE_READ | IOPAUSE_WRITE ; - /* Signal */ - - if (x[0].revents & IOPAUSE_READ) - { - handle_signals(pid, &e) ; - if (e >= 0 && xindex[0] == 5 && xindex[3] == 5) break ; - } - - /* Flush to local */ - if (state & BR_SSL_RECVAPP && x[xindex[1]].events & x[xindex[1]].revents & IOPAUSE_WRITE) + if (state & BR_SSL_RECVAPP && xindex[1] < 4 && x[xindex[1]].events & x[xindex[1]].revents & IOPAUSE_WRITE) { size_t len ; unsigned char const *s = br_ssl_engine_recvapp_buf(ctx, &len) ; @@ -145,7 +113,7 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int /* Flush to remote */ - if (state & BR_SSL_SENDREC && xindex[3] < 5 && x[xindex[3]].events & x[xindex[3]].revents & IOPAUSE_WRITE) + if (state & BR_SSL_SENDREC && xindex[3] < 4 && x[xindex[3]].events & x[xindex[3]].revents & IOPAUSE_WRITE) { size_t len ; unsigned char const *s = br_ssl_engine_sendrec_buf(ctx, &len) ; @@ -162,11 +130,10 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int { if (options & 1) { - shutdown(fds[3], SHUT_WR) ; + fd_shutdown(fds[3], 1) ; fd_close(fds[3]) ; fds[3] = -1 ; } else br_ssl_engine_close(ctx) ; - if (e >= 0) break ; } state = br_ssl_engine_current_state(ctx) ; } @@ -175,7 +142,7 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int /* Fill from local */ - if (state & BR_SSL_SENDAPP && xindex[0] < 5 && x[xindex[0]].events & IOPAUSE_READ && (markedforflush || x[xindex[0]].revents & IOPAUSE_READ)) + if (state & BR_SSL_SENDAPP && xindex[0] < 4 && x[xindex[0]].events & IOPAUSE_READ && (markedforflush || x[xindex[0]].revents & IOPAUSE_READ)) { size_t len ; unsigned char *s = br_ssl_engine_sendapp_buf(ctx, &len) ; @@ -191,11 +158,10 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int { if (options & 1) { - shutdown(fds[3], SHUT_WR) ; + fd_shutdown(fds[3], 1) ; fd_close(fds[3]) ; fds[3] = -1 ; } else br_ssl_engine_close(ctx) ; - if (e >= 0) break ; } } } @@ -215,7 +181,7 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int /* Fill from remote */ - if (state & BR_SSL_RECVREC && xindex[2] < 5 && x[xindex[2]].events & x[xindex[2]].revents & IOPAUSE_READ) + if (state & BR_SSL_RECVREC && xindex[2] < 4 && x[xindex[2]].events & x[xindex[2]].revents & IOPAUSE_READ) { size_t len ; unsigned char *s = br_ssl_engine_recvrec_buf(ctx, &len) ; @@ -224,7 +190,7 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int { if (!error_isagain(errno)) { - if (options & 1) shutdown(fds[2], SHUT_RD) ; + if (options & 1) fd_shutdown(fds[2], 0) ; fd_close(fds[2]) ; fds[2] = -1 ; if (fds[1] >= 0 && !br_ssl_engine_recvapp_buf(ctx, &len)) { @@ -235,10 +201,5 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int else br_ssl_engine_recvrec_ack(ctx, w) ; } } - - if (fds[1] >= 0) fd_close(fds[1]) ; - if (fds[0] >= 0) fd_close(fds[0]) ; - if (fds[3] >= 0) fd_close(fds[3]) ; - if (fds[2] >= 0) fd_close(fds[2]) ; - return e ; + _exit(0) ; } diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_server_init_and_run.c index 6c3d163..778fdbd 100644 --- a/src/sbearssl/sbearssl_s6tlsd.c +++ b/src/sbearssl/sbearssl_server_init_and_run.c @@ -1,31 +1,30 @@ /* ISC license. */ -#include <unistd.h> -#include <errno.h> +#include <stdint.h> +#include <stdlib.h> + #include <bearssl.h> + #include <skalibs/strerr2.h> -#include <skalibs/env.h> #include <skalibs/stralloc.h> #include <skalibs/genalloc.h> -#include <skalibs/djbunix.h> #include <skalibs/random.h> + #include <s6-networking/sbearssl.h> #include "sbearssl-internal.h" -int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity) +void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, sbearssl_handshake_cb_t_ref cb, unsigned int notif) { - int fds[5] = { 0, 1, 0, 1 } ; stralloc storage = STRALLOC_ZERO ; sbearssl_skey skey ; genalloc certs = GENALLOC_ZERO ; size_t chainlen ; - pid_t pid ; if (preoptions & 1) strerr_dief1x(100, "client certificates are not supported yet") ; { - char const *x = env_get2(envp, "KEYFILE") ; + char const *x = getenv("KEYFILE") ; int r ; if (!x) strerr_dienotset(100, "KEYFILE") ; r = sbearssl_skey_readfile(x, &skey, &storage) ; @@ -34,7 +33,7 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co else if (r) strerr_diefu4x(96, "decode private key in ", x, ": ", sbearssl_error_str(r)) ; - x = env_get2(envp, "CERTFILE") ; + x = getenv("CERTFILE") ; if (!x) strerr_dienotset(100, "CERTFILE") ; r = sbearssl_cert_readbigpem(x, &certs, &storage) ; if (r < 0) @@ -46,17 +45,13 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co strerr_diefu2x(96, "find a certificate in ", x) ; } - if (!random_init()) strerr_diefu1sys(111, "initialize random generator") ; - - pid = sbearssl_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ; - { + sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ; unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; br_ssl_server_context sc ; union br_skey_u key ; br_x509_certificate chain[chainlen] ; size_t i = chainlen ; - int wstat ; stralloc_shrink(&storage) ; while (i--) @@ -93,20 +88,16 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co if (preoptions & 1) { /* br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ; */ - if (!(preoptions & 4)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ; + if (!(preoptions & 2)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ; } br_ssl_engine_add_flags(&sc.eng, flags) ; } random_string((char *)buf, 32) ; - br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ; random_finish() ; + br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ; br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ; br_ssl_server_reset(&sc) ; - tain_now_g() ; - - wstat = sbearssl_run(&sc.eng, fds, pid, verbosity, options, tto) ; - if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ; - return wait_estatus(wstat) ; + sbearssl_run(&sc.eng, fds, tto, options, verbosity, cb, &cbarg) ; } } diff --git a/src/stls/deps-lib/stls b/src/stls/deps-lib/stls index 7ecfa0b..61137c5 100644 --- a/src/stls/deps-lib/stls +++ b/src/stls/deps-lib/stls @@ -1,6 +1,5 @@ -stls_prep_spawn_drop.o stls_run.o -stls_s6tlsc.o -stls_s6tlsd.o --ltls +stls_client_init_and_handshake.o +stls_server_init_and_handshake.o +${CRYPTO_LIB} -lskarnet diff --git a/src/stls/stls_s6tlsc.c b/src/stls/stls_client_init_and_handshake.c index 9a6dcc3..e207d8c 100644 --- a/src/stls/stls_s6tlsc.c +++ b/src/stls/stls_client_init_and_handshake.c @@ -1,31 +1,28 @@ /* ISC license. */ -#include <unistd.h> -#include <errno.h> +#include <stdlib.h> + #include <tls.h> + #include <skalibs/strerr2.h> -#include <skalibs/env.h> -#include <skalibs/djbunix.h> + #include <s6-networking/stls.h> #include "stls-internal.h" #define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg)) #define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx)) -int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, char const *servername, int *sfd) +struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions, char const *servername) { - int fds[5] = { sfd[0], sfd[1], sfd[0], sfd[1] } ; struct tls *ctx ; struct tls_config *cfg ; - pid_t pid ; char const *x ; - int wstat ; if (tls_init() < 0) strerr_diefu1sys(111, "tls_init") ; cfg = tls_config_new() ; if (!cfg) strerr_diefu1sys(111, "tls_config_new") ; - x = env_get2(envp, "CADIR") ; + x = getenv("CADIR") ; if (x) { if (tls_config_set_ca_path(cfg, x) < 0) @@ -33,7 +30,7 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const } else { - x = env_get2(envp, "CAFILE") ; + x = getenv("CAFILE") ; if (x) { if (tls_config_set_ca_file(cfg, x) < 0) @@ -44,12 +41,12 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const if (preoptions & 1) { - x = env_get2(envp, "CERTFILE") ; + x = getenv("CERTFILE") ; if (!x) strerr_dienotset(100, "CERTFILE") ; if (tls_config_set_cert_file(cfg, x) < 0) diecfg(cfg, "tls_config_set_cert_file") ; - x = env_get2(envp, "KEYFILE") ; + x = getenv("KEYFILE") ; if (!x) strerr_dienotset(100, "KEYFILE") ; if (tls_config_set_key_file(cfg, x) < 0) diecfg(cfg, "tls_config_set_key_file") ; @@ -73,14 +70,9 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const if (!ctx) strerr_diefu1sys(111, "tls_client") ; if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ; - pid = stls_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ; - - if (tls_connect_fds(ctx, fds[2], fds[3], servername) < 0) + if (tls_connect_fds(ctx, fds[0], fds[1], servername) < 0) diectx(97, ctx, "tls_connect_fds") ; tls_config_free(cfg) ; if (tls_handshake(ctx) < 0) diectx(97, ctx, "perform SSL handshake") ; - - wstat = stls_run(ctx, fds, pid, verbosity, options, tto) ; - if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ; - return wait_estatus(wstat) ; + return ctx ; } diff --git a/src/stls/stls_prep_spawn_drop.c b/src/stls/stls_prep_spawn_drop.c deleted file mode 100644 index c6f4e13..0000000 --- a/src/stls/stls_prep_spawn_drop.c +++ /dev/null @@ -1,35 +0,0 @@ -/* ISC license. */ - -#include <unistd.h> -#include <signal.h> -#include <skalibs/env.h> -#include <skalibs/strerr2.h> -#include <skalibs/djbunix.h> -#include <skalibs/selfpipe.h> -#include "stls-internal.h" - -pid_t stls_prep_spawn_drop (char const *const *argv, char const *const *envp, int *fds, uid_t uid, gid_t gid, uint32_t options) -{ - pid_t pid ; - - fds[4] = selfpipe_init() ; - if (fds[4] < 0) strerr_diefu1sys(111, "init selfpipe") ; - if (selfpipe_trap(SIGCHLD) < 0) strerr_diefu1sys(111, "trap SIGCHLD") ; - - if (!(options & 1)) pid = child_spawn2(argv[0], argv, envp, fds) ; - else - { - char const modifs[] = "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID" ; - size_t modiflen = sizeof(modifs) ; - size_t n = env_len(envp) ; - char const *newenv[n + 7] ; - size_t newenvlen = env_merge(newenv, n+7, envp, n, modifs, modiflen) ; - if (!newenvlen) return 0 ; - pid = child_spawn2(argv[0], argv, newenv, fds) ; - } - - if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ; - if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; - if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; - return pid ; -} diff --git a/src/stls/stls_run.c b/src/stls/stls_run.c index 11a7234..e6ab609 100644 --- a/src/stls/stls_run.c +++ b/src/stls/stls_run.c @@ -1,20 +1,18 @@ /* ISC license. */ -#include <skalibs/nonposix.h> #include <sys/uio.h> -#include <sys/socket.h> #include <errno.h> -#include <signal.h> +#include <unistd.h> + #include <tls.h> -#include <skalibs/allreadwrite.h> + #include <skalibs/error.h> #include <skalibs/buffer.h> -#include <skalibs/sig.h> -#include <skalibs/selfpipe.h> #include <skalibs/strerr2.h> #include <skalibs/tai.h> #include <skalibs/iopause.h> #include <skalibs/djbunix.h> + #include <s6-networking/stls.h> typedef struct tlsbuf_s tlsbuf_t, *tlsbuf_t_ref ; @@ -109,50 +107,24 @@ static void send_closenotify (struct tls *ctx, int const *fds) static void closeit (struct tls *ctx, int *fds, int brutal) { - if (brutal) shutdown(fds[3], SHUT_WR) ; + if (brutal) fd_shutdown(fds[3], 1) ; else if (fds[2] >= 0) send_closenotify(ctx, fds) ; fd_close(fds[3]) ; fds[3] = -1 ; } -static void handle_signals (pid_t pid, int *e) -{ - for (;;) switch (selfpipe_read()) - { - case -1 : strerr_diefu1sys(111, "read selfpipe") ; - case 0 : return ; - case SIGCHLD : - { - int wstat ; - if (wait_pid_nohang(pid, &wstat) == pid) - { - *e = wstat ; - return ; - } - } - } -} - -int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint32_t options, tain_t const *tto) +void stls_run (struct tls *ctx, int *fds, tain_t const *tto, uint32_t options, unsigned int verbosity) { tlsbuf_t b[2] = { { .blockedonother = 0 }, { .blockedonother = 0 } } ; - iopause_fd x[5] = { { .fd = fds[4], .events = IOPAUSE_READ } } ; + iopause_fd x[4] ; unsigned int xindex[4] ; - unsigned int i = 0 ; - int e = -1 ; - - for (; i < 2 ; i++) - { - buffer_init(&b[i].b, i ? &buffer_write : &buffer_read, fds[i], b[i].buf, STLS_BUFSIZE) ; - if (ndelay_on(fds[2+i]) < 0) strerr_diefu1sys(111, "set fds non-blocking") ; - } - if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ; - tain_now_g() ; + buffer_init(&b[0].b, &buffer_read, fds[0], b[0].buf, STLS_BUFSIZE) ; + buffer_init(&b[1].b, &buffer_write, fds[1], b[1].buf, STLS_BUFSIZE) ; for (;;) { tain_t deadline ; - unsigned int xlen = 1 ; + unsigned int j = 0 ; int r ; tain_add_g(&deadline, fds[0] >= 0 && fds[2] >= 0 && buffer_isempty(&b[0].b) && buffer_isempty(&b[1].b) ? tto : &tain_infinite_relative) ; @@ -162,68 +134,54 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint if (fds[0] >= 0 && buffer_isreadable(&b[0].b)) { - x[xlen].fd = fds[0] ; - x[xlen].events = IOPAUSE_READ ; - xindex[0] = xlen++ ; + x[j].fd = fds[0] ; + x[j].events = IOPAUSE_READ ; + xindex[0] = j++ ; } - else xindex[0] = 5 ; + else xindex[0] = 4 ; if (fds[1] >= 0 && buffer_iswritable(&b[1].b)) { - x[xlen].fd = fds[1] ; - x[xlen].events = IOPAUSE_WRITE ; - xindex[1] = xlen++ ; + x[j].fd = fds[1] ; + x[j].events = IOPAUSE_WRITE ; + xindex[1] = j++ ; } - else xindex[1] = 5 ; + else xindex[1] = 4 ; if (fds[2] >= 0 && !b[1].blockedonother && buffer_isreadable(&b[1].b)) { - x[xlen].fd = fds[2] ; - x[xlen].events = IOPAUSE_READ ; - xindex[2] = xlen++ ; + x[j].fd = fds[2] ; + x[j].events = IOPAUSE_READ ; + xindex[2] = j++ ; } - else xindex[2] = 5 ; + else xindex[2] = 4 ; if (fds[3] >= 0 && !b[0].blockedonother && buffer_iswritable(&b[0].b)) { - x[xlen].fd = fds[3] ; - x[xlen].events = IOPAUSE_WRITE ; - xindex[3] = xlen++ ; + x[j].fd = fds[3] ; + x[j].events = IOPAUSE_WRITE ; + xindex[3] = j++ ; } - else xindex[3] = 5 ; + else xindex[3] = 4 ; - if (xlen == 1) break ; + if (xindex[0] == 4 && xindex[1] == 4 && xindex[3] == 4) break ; /* poll() */ - r = iopause_g(x, xlen, &deadline) ; + r = iopause_g(x, j, &deadline) ; if (r < 0) strerr_diefu1sys(111, "iopause") ; - else if (!r) - { - fd_close(fds[0]) ; fds[0] = -1 ; - closeit(ctx, fds, options & 1) ; - if (e >= 0) break ; - continue ; - } + else if (!r) break ; - while (xlen--) - if (x[xlen].revents & IOPAUSE_EXCEPT) - x[xlen].revents |= IOPAUSE_READ | IOPAUSE_WRITE ; + while (j--) + if (x[j].revents & IOPAUSE_EXCEPT) + x[j].revents |= IOPAUSE_READ | IOPAUSE_WRITE ; - /* Signal */ - - if (x[0].revents & IOPAUSE_READ) - { - handle_signals(pid, &e) ; - if (e >= 0 && xindex[0] == 5 && xindex[3] == 5) break ; - } - /* Flush to local */ - if (xindex[1] < 5 && x[xindex[1]].revents & IOPAUSE_WRITE) + if (xindex[1] < 4 && x[xindex[1]].revents & IOPAUSE_WRITE) { r = buffer_flush(&b[1].b) ; if (!r && !error_isagain(errno)) @@ -231,7 +189,7 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint strerr_warnwu1sys("write to application") ; if (fds[2] >= 0) { - if (options & 1) shutdown(fds[2], SHUT_RD) ; + if (options & 1) fd_shutdown(fds[2], 0) ; fd_close(fds[2]) ; fds[2] = -1 ; xindex[2] = 4 ; } @@ -246,25 +204,23 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint /* Flush to remote */ - if (xindex[3] < 5 && x[xindex[3]].revents & IOPAUSE_WRITE) + if (xindex[3] < 4 && x[xindex[3]].revents & IOPAUSE_WRITE) { r = buffer_tls_flush(ctx, b) ; if (r < 0) { strerr_warnwu2x("write to peer: ", tls_error(ctx)) ; fd_close(fds[0]) ; fds[0] = -1 ; + xindex[0] = 4 ; } if (r && fds[0] < 0) - { closeit(ctx, fds, options & 1) ; - if (e >= 0) break ; - } } /* Fill from local */ - if (xindex[0] < 5 && x[xindex[0]].revents & IOPAUSE_READ) + if (xindex[0] < 4 && x[xindex[0]].revents & IOPAUSE_READ) { r = sanitize_read(buffer_fill(&b[0].b)) ; if (r < 0) @@ -272,23 +228,20 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint if (errno != EPIPE) strerr_warnwu1sys("read from application") ; fd_close(fds[0]) ; fds[0] = -1 ; if (buffer_isempty(&b[0].b)) - { closeit(ctx, fds, options & 1) ; - if (e >= 0) break ; - } } } /* Fill from remote */ - if (xindex[2] < 5 && x[xindex[2]].revents & IOPAUSE_READ) + if (xindex[2] < 4 && x[xindex[2]].revents & IOPAUSE_READ) { r = buffer_tls_fill(ctx, b) ; if (r < 0) { if (r == -1) strerr_warnwu2x("read from peer: ", tls_error(ctx)) ; - if (options & 1) shutdown(fds[2], SHUT_RD) ; + if (options & 1) fd_shutdown(fds[2], 0) ; /* XXX: We need a way to detect when we've received a close_notify, because then we need to trigger a write and then shut the engine @@ -305,10 +258,5 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint } } } - - if (fds[1] >= 0) fd_close(fds[1]) ; - if (fds[0] >= 0) fd_close(fds[0]) ; - if (fds[3] >= 0) fd_close(fds[3]) ; - if (fds[2] >= 0) fd_close(fds[2]) ; - return e ; + _exit(0) ; } diff --git a/src/stls/stls_s6tlsd.c b/src/stls/stls_server_init_and_handshake.c index a791e89..58d812e 100644 --- a/src/stls/stls_s6tlsd.c +++ b/src/stls/stls_server_init_and_handshake.c @@ -1,38 +1,34 @@ /* ISC license. */ -#include <stdint.h> -#include <unistd.h> -#include <errno.h> +#include <stdlib.h> + #include <tls.h> + #include <skalibs/strerr2.h> -#include <skalibs/env.h> -#include <skalibs/djbunix.h> + #include <s6-networking/stls.h> #include "stls-internal.h" #define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg)) #define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx)) -int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity) +struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions) { - int fds[5] = { 0, 1, 0, 1 } ; struct tls *cctx ; struct tls *ctx ; struct tls_config *cfg ; - pid_t pid ; char const *x ; - int wstat ; if (tls_init() < 0) strerr_diefu1sys(111, "tls_init") ; cfg = tls_config_new() ; if (!cfg) strerr_diefu1sys(111, "tls_config_new") ; - x = env_get2(envp, "CERTFILE") ; + x = getenv("CERTFILE") ; if (!x) strerr_dienotset(100, "CERTFILE") ; if (tls_config_set_cert_file(cfg, x) < 0) diecfg(cfg, "tls_config_set_cert_file") ; - x = env_get2(envp, "KEYFILE") ; + x = getenv("KEYFILE") ; if (!x) strerr_dienotset(100, "KEYFILE") ; if (tls_config_set_key_file(cfg, x) < 0) diecfg(cfg, "tls_config_set_key_file") ; @@ -48,7 +44,7 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const if (preoptions & 1) { - x = env_get2(envp, "CADIR") ; + x = getenv("CADIR") ; if (x) { if (tls_config_set_ca_path(cfg, x) < 0) @@ -56,7 +52,7 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const } else { - x = env_get2(envp, "CAFILE") ; + x = getenv("CAFILE") ; if (x) { if (tls_config_set_ca_file(cfg, x) < 0) @@ -64,7 +60,7 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const } else strerr_dienotset(100, "CADIR or CAFILE") ; } - if (preoptions & 4) tls_config_verify_client(cfg) ; + if (preoptions & 2) tls_config_verify_client(cfg) ; else tls_config_verify_client_optional(cfg) ; } else tls_config_insecure_noverifycert(cfg) ; @@ -76,15 +72,10 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const if (!ctx) strerr_diefu1sys(111, "tls_server") ; if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ; tls_config_free(cfg) ; - - pid = stls_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ; - - if (tls_accept_fds(ctx, &cctx, fds[2], fds[3]) < 0) + if (tls_accept_fds(ctx, &cctx, fds[0], fds[1]) < 0) diectx(97, ctx, "tls_accept_fds") ; tls_free(ctx) ; - if (tls_handshake(cctx) < 0) diectx(97, cctx, "perform SSL handshake") ; - - wstat = stls_run(cctx, fds, pid, verbosity, options, tto) ; - if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ; - return wait_estatus(wstat) ; + if (tls_handshake(cctx) < 0) + diectx(97, cctx, "perform SSL handshake") ; + return cctx ; } |