summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorLaurent Bercot <ska-skaware@skarnet.org>2020-11-20 23:24:29 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2020-11-20 23:24:29 +0000
commit5715c21a077ee1c2fe8957cb4adcea14fd2eda6b (patch)
treecf3e992dce2d426727b535703b0b73dbafb41dbb /src
parent1fea1f6ed53cae7f752c9a78271c7c8367b0ad03 (diff)
downloads6-networking-5715c21a077ee1c2fe8957cb4adcea14fd2eda6b.tar.xz
Refactor tls code to support ucspi-tls
That includes: - new architecture: the tls binary is now a child of the app instead of the other way around - the sbearssl_run engine now takes a post-handshake callback. This allows s6-tlsc and s6-tlsd to only exec into the app when the handshake succeeds (which was already the case with libressl). - new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto code; they init and run the engine, connecting to 4 already open fds (stdin/stdout = network, argv[1] and argv[2] = local) - s6-tlsc is now a simple wrapper around s6-tlsc-io - s6-tlsd is now a simple wrapper around s6-tlsd-io - new binary: s6-ucspitlsd, which is also a wrapper around s6-tlsd-io, but differently: the parent execs the app which should be ucspi-tls-aware, the child waits for a command from the parent and execs into s6-tlsd-io if it receives it.
Diffstat (limited to 'src')
-rw-r--r--src/conn-tools/deps-exe/s6-tlsc6
-rw-r--r--src/conn-tools/deps-exe/s6-tlsc-io5
-rw-r--r--src/conn-tools/deps-exe/s6-tlsd6
-rw-r--r--src/conn-tools/deps-exe/s6-tlsd-io5
-rw-r--r--src/conn-tools/deps-exe/s6-ucspitlsd3
-rw-r--r--src/conn-tools/deps-lib/s6tls4
-rw-r--r--src/conn-tools/s6-tlsc-io.c128
-rw-r--r--src/conn-tools/s6-tlsc.c88
-rw-r--r--src/conn-tools/s6-tlsd-io.c126
-rw-r--r--src/conn-tools/s6-tlsd.c80
-rw-r--r--src/conn-tools/s6-ucspitlsd.c114
-rw-r--r--src/conn-tools/s6tls-internal.h18
-rw-r--r--src/conn-tools/s6tls_drop.c24
-rw-r--r--src/conn-tools/s6tls_exec_tlscio.c53
-rw-r--r--src/conn-tools/s6tls_exec_tlsdio.c49
-rw-r--r--src/conn-tools/s6tls_wait_and_exec_app.c43
-rw-r--r--src/include/s6-networking/sbearssl.h20
-rw-r--r--src/include/s6-networking/stls.h12
-rw-r--r--src/sbearssl/deps-lib/sbearssl5
-rw-r--r--src/sbearssl/sbearssl-internal.h1
-rw-r--r--src/sbearssl/sbearssl_client_init_and_run.c (renamed from src/sbearssl/sbearssl_s6tlsc.c)30
-rw-r--r--src/sbearssl/sbearssl_prep_spawn_drop.c35
-rw-r--r--src/sbearssl/sbearssl_run.c107
-rw-r--r--src/sbearssl/sbearssl_server_init_and_run.c (renamed from src/sbearssl/sbearssl_s6tlsd.c)33
-rw-r--r--src/stls/deps-lib/stls7
-rw-r--r--src/stls/stls_client_init_and_handshake.c (renamed from src/stls/stls_s6tlsc.c)30
-rw-r--r--src/stls/stls_prep_spawn_drop.c35
-rw-r--r--src/stls/stls_run.c132
-rw-r--r--src/stls/stls_server_init_and_handshake.c (renamed from src/stls/stls_s6tlsd.c)37
29 files changed, 804 insertions, 432 deletions
diff --git a/src/conn-tools/deps-exe/s6-tlsc b/src/conn-tools/deps-exe/s6-tlsc
index 6e89a02..37405fd 100644
--- a/src/conn-tools/deps-exe/s6-tlsc
+++ b/src/conn-tools/deps-exe/s6-tlsc
@@ -1,6 +1,2 @@
-${LIBCRYPTOSUPPORT}
+libs6tls.a.xyzzy
-lskarnet
-${CRYPTO_LIB}
-${SOCKET_LIB}
-${SPAWN_LIB}
-${SYSCLOCK_LIB}
diff --git a/src/conn-tools/deps-exe/s6-tlsc-io b/src/conn-tools/deps-exe/s6-tlsc-io
new file mode 100644
index 0000000..3e2653d
--- /dev/null
+++ b/src/conn-tools/deps-exe/s6-tlsc-io
@@ -0,0 +1,5 @@
+${LIBCRYPTOSUPPORT}
+-lskarnet
+${CRYPTO_LIB}
+${SOCKET_LIB}
+${SYSCLOCK_LIB}
diff --git a/src/conn-tools/deps-exe/s6-tlsd b/src/conn-tools/deps-exe/s6-tlsd
index 6e89a02..37405fd 100644
--- a/src/conn-tools/deps-exe/s6-tlsd
+++ b/src/conn-tools/deps-exe/s6-tlsd
@@ -1,6 +1,2 @@
-${LIBCRYPTOSUPPORT}
+libs6tls.a.xyzzy
-lskarnet
-${CRYPTO_LIB}
-${SOCKET_LIB}
-${SPAWN_LIB}
-${SYSCLOCK_LIB}
diff --git a/src/conn-tools/deps-exe/s6-tlsd-io b/src/conn-tools/deps-exe/s6-tlsd-io
new file mode 100644
index 0000000..3e2653d
--- /dev/null
+++ b/src/conn-tools/deps-exe/s6-tlsd-io
@@ -0,0 +1,5 @@
+${LIBCRYPTOSUPPORT}
+-lskarnet
+${CRYPTO_LIB}
+${SOCKET_LIB}
+${SYSCLOCK_LIB}
diff --git a/src/conn-tools/deps-exe/s6-ucspitlsd b/src/conn-tools/deps-exe/s6-ucspitlsd
new file mode 100644
index 0000000..ac1b327
--- /dev/null
+++ b/src/conn-tools/deps-exe/s6-ucspitlsd
@@ -0,0 +1,3 @@
+libs6tls.a.xyzzy
+-lskarnet
+${SOCKET_LIB}
diff --git a/src/conn-tools/deps-lib/s6tls b/src/conn-tools/deps-lib/s6tls
new file mode 100644
index 0000000..ad78cfd
--- /dev/null
+++ b/src/conn-tools/deps-lib/s6tls
@@ -0,0 +1,4 @@
+s6tls_drop.o
+s6tls_exec_tlscio.o
+s6tls_exec_tlsdio.o
+s6tls_wait_and_exec_app.o
diff --git a/src/conn-tools/s6-tlsc-io.c b/src/conn-tools/s6-tlsc-io.c
new file mode 100644
index 0000000..79dd25d
--- /dev/null
+++ b/src/conn-tools/s6-tlsc-io.c
@@ -0,0 +1,128 @@
+/* ISC license. */
+
+#include <stdint.h>
+#include <unistd.h>
+#include <signal.h>
+
+#include <skalibs/gccattributes.h>
+#include <skalibs/types.h>
+#include <skalibs/sgetopt.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/allreadwrite.h>
+#include <skalibs/tai.h>
+#include <skalibs/env.h>
+#include <skalibs/sig.h>
+#include <skalibs/djbunix.h>
+
+#include <s6-networking/config.h>
+
+#define HANDSHAKE_BANNER "SSL_PROTOCOL=TLSv1\0"
+
+static inline void doit (int *, tain_t const *tto, uint32_t, uint32_t, unsigned int, char const *, unsigned int) gccattr_noreturn ;
+
+#ifdef S6_NETWORKING_USE_TLS
+
+#include <s6-networking/stls.h>
+
+static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, char const *servername, unsigned int notif)
+{
+ struct tls *ctx = stls_client_init_and_handshake(fds + 2, preoptions, servername) ;
+ if (notif)
+ {
+ if (allwrite(notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER))
+ strerr_diefu1sys(111, "write post-handshake data") ;
+ fd_close(notif) ;
+ }
+ stls_run(ctx, fds, tto, options, verbosity) ;
+}
+
+#else
+#ifdef S6_NETWORKING_USE_BEARSSL
+
+#include <skalibs/random.h>
+
+#include <s6-networking/sbearssl.h>
+
+static int handshake_cb_nop (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg)
+{
+ (void)ctx ;
+ (void)cbarg ;
+ return 1 ;
+}
+
+static int handshake_cb_sendvars (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg)
+{
+ if (allwrite(cbarg->notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER))
+ return 0 ;
+ fd_close(cbarg->notif) ;
+ return 1 ;
+}
+
+static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, char const *servername, unsigned int notif)
+{
+ if (ndelay_on(fds[0]) < 0 || ndelay_on(fds[1]) < 0)
+ strerr_diefu1sys(111, "set local fds non-blocking") ;
+ if (!random_init()) strerr_diefu1sys(111, "initialize random device") ;
+ sbearssl_client_init_and_run(fds, tto, preoptions, options, verbosity, servername, notif ? &handshake_cb_sendvars : &handshake_cb_nop, notif) ;
+}
+
+#else
+
+#error No SSL backend configured.
+
+#endif
+#endif
+
+
+#define USAGE "s6-tlsc-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -k servername ] fdr fdw"
+#define dieusage() strerr_dieusage(100, USAGE)
+
+int main (int argc, char const *const *argv, char const *const *envp)
+{
+ char const *servername = 0 ;
+ tain_t tto ;
+ int fds[4] = { 0, 1, 0, 1 } ;
+ unsigned int verbosity = 1 ;
+ unsigned int notif = 0 ;
+ uint32_t preoptions = 0 ;
+ uint32_t options = 1 ;
+
+ PROG = "s6-tlsc-io" ;
+ {
+ subgetopt_t l = SUBGETOPT_ZERO ;
+ unsigned int t = 0 ;
+ for (;;)
+ {
+ int opt = subgetopt_r(argc, argv, "d:SsYyv:K:k:", &l) ;
+ if (opt == -1) break ;
+ switch (opt)
+ {
+ case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
+ case 'd' : if (!uint0_scan(l.arg, &notif)) dieusage() ; break ;
+ case 'S' : options &= ~1 ; break ;
+ case 's' : options |= 1 ; break ;
+ case 'Y' : preoptions &= ~1 ; break ;
+ case 'y' : preoptions |= 1 ; break ;
+ case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
+ case 'k' : servername = l.arg ; break ;
+ default : dieusage() ;
+ }
+ }
+ argc -= l.ind ; argv += l.ind ;
+ if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ;
+ }
+ if (argc < 2) dieusage() ;
+ {
+ unsigned int u ;
+ if (!uint0_scan(argv[0], &u)) dieusage() ;
+ fds[0] = u ;
+ if (!uint0_scan(argv[1], &u)) dieusage() ;
+ fds[1] = u ;
+ }
+
+ if (ndelay_on(0) < 0 || ndelay_on(1) < 0)
+ strerr_diefu1sys(111, "set stdin/stdout non-blocking") ;
+ if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ;
+ tain_now_set_stopwatch_g() ;
+ doit(fds, &tto, preoptions, options, verbosity, servername, notif) ;
+}
diff --git a/src/conn-tools/s6-tlsc.c b/src/conn-tools/s6-tlsc.c
index d9df81c..6431ccb 100644
--- a/src/conn-tools/s6-tlsc.c
+++ b/src/conn-tools/s6-tlsc.c
@@ -2,67 +2,63 @@
#include <stdint.h>
#include <unistd.h>
-#include <errno.h>
+#include <fcntl.h>
+
+#include <skalibs/gccattributes.h>
#include <skalibs/types.h>
#include <skalibs/sgetopt.h>
#include <skalibs/strerr2.h>
-#include <skalibs/tai.h>
#include <skalibs/env.h>
#include <skalibs/djbunix.h>
-#include <s6-networking/config.h>
-
-#ifdef S6_NETWORKING_USE_TLS
-
-#include <s6-networking/stls.h>
-#define s6tlsc stls_s6tlsc
-
-#else
-#ifdef S6_NETWORKING_USE_BEARSSL
-
-#include <s6-networking/sbearssl.h>
-#define s6tlsc sbearssl_s6tlsc
-
-#else
-
-#error No SSL backend configured.
-
-#endif
-#endif
+#include "s6tls-internal.h"
#define USAGE "s6-tlsc [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -k servername ] [ -Z | -z ] [ -6 rfd ] [ -7 wfd ] prog..."
#define dieusage() strerr_dieusage(100, USAGE)
-int main (int argc, char const *const *argv, char const *const *envp)
+static void child (int const [3][2], int, int, uint32_t, unsigned int, unsigned int, char const *) gccattr_noreturn ;
+static void child (int const p[3][2], int fdr, int fdw, uint32_t options, unsigned int verbosity, unsigned int kimeout, char const *servername)
+{
+ int fds[3] = { p[0][0], p[1][1], p[2][1] } ;
+ PROG = "s6-tlsc (child)" ;
+ s6tls_drop() ;
+ close(p[2][0]) ;
+ close(p[0][1]) ;
+ close(p[1][0]) ;
+ if (fd_move(0, fdr) < 0 || fd_move(1, fdw) < 0)
+ strerr_diefu1sys(111, "move network fds to stdin/stdout") ;
+ s6tls_exec_tlscio(fds, options, verbosity, kimeout, servername) ;
+}
+
+int main (int argc, char const *const *argv)
{
+ int fds[2] = { 6, 7 } ;
char const *servername = 0 ;
- tain_t tto ;
unsigned int verbosity = 1 ;
- uid_t uid = 0 ;
- gid_t gid = 0 ;
- uint32_t preoptions = 2 ;
- uint32_t options = 1 ;
- int fds[2] = { 6, 7 } ;
+ unsigned int kimeout = 0 ;
+ int p[3][2] ;
+ uint32_t options = 0 ;
+ int cleanenv = 1 ;
+ pid_t pid ;
PROG = "s6-tlsc" ;
{
subgetopt_t l = SUBGETOPT_ZERO ;
- unsigned int t = 0 ;
for (;;)
{
int opt = subgetopt_r(argc, argv, "SsYyv:K:k:Zz6:7:", &l) ;
if (opt == -1) break ;
switch (opt)
{
- case 'S' : options &= ~(uint32_t)1 ; break ;
- case 's' : options |= 1 ; break ;
- case 'Y' : preoptions &= ~(uint32_t)1 ; break ;
- case 'y' : preoptions |= 1 ; break ;
+ case 'S' : options &= ~4 ; break ;
+ case 's' : options |= 4 ; break ;
+ case 'Y' : options &= ~1 ; break ;
+ case 'y' : options |= 1 ; break ;
case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
- case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
+ case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ;
case 'k' : servername = l.arg ; break ;
- case 'Z' : preoptions &= ~(uint32_t)2 ; break ;
- case 'z' : preoptions |= 2 ; break ;
+ case 'Z' : cleanenv = 0 ; break ;
+ case 'z' : cleanenv = 1 ; break ;
case '6' :
{
unsigned int fd ;
@@ -81,18 +77,20 @@ int main (int argc, char const *const *argv, char const *const *envp)
}
}
argc -= l.ind ; argv += l.ind ;
- if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ;
}
if (!argc) dieusage() ;
-
- if (!getuid())
+ fd_sanitize() ;
+ if (fcntl(fds[0], F_GETFD) < 0 || fcntl(fds[1], F_GETFD) < 0)
+ strerr_diefu1sys(111, "check network fds") ;
+ if (pipe(p[0]) < 0 || pipe(p[1]) < 0 || pipe(p[2]) < 0)
+ strerr_diefu1sys(111, "pipe") ;
+ pid = fork() ;
+ switch (pid)
{
- char const *x = env_get2(envp, "TLS_UID") ;
- if (x && !uid0_scan(x, &uid)) strerr_dieinvalid(100, "TLS_UID") ;
- x = env_get2(envp, "TLS_GID") ;
- if (x && !gid0_scan(x, &gid)) strerr_dieinvalid(100, "TLS_GID") ;
+ case -1 : strerr_diefu1sys(111, "fork") ;
+ case 0 : child(p, fds[0], fds[1], options, verbosity, kimeout, servername) ;
+ default : break ;
}
- tain_now_set_stopwatch_g() ;
- return s6tlsc(argv, envp, &tto, preoptions, options, uid, gid, verbosity, servername, fds) ;
+ s6tls_wait_and_exec_app(argv, p, pid, fds[0], fds[1], cleanenv ? 1 : 0) ;
}
diff --git a/src/conn-tools/s6-tlsd-io.c b/src/conn-tools/s6-tlsd-io.c
new file mode 100644
index 0000000..0b42b3b
--- /dev/null
+++ b/src/conn-tools/s6-tlsd-io.c
@@ -0,0 +1,126 @@
+/* ISC license. */
+
+#include <stdint.h>
+#include <unistd.h>
+#include <signal.h>
+
+#include <skalibs/gccattributes.h>
+#include <skalibs/types.h>
+#include <skalibs/sgetopt.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/allreadwrite.h>
+#include <skalibs/sig.h>
+#include <skalibs/tai.h>
+#include <skalibs/env.h>
+#include <skalibs/djbunix.h>
+
+#include <s6-networking/config.h>
+
+#define HANDSHAKE_BANNER "SSL_PROTOCOL=TLSv1\0"
+
+static inline void doit (int *, tain_t const *tto, uint32_t, uint32_t, unsigned int, unsigned int) gccattr_noreturn ;
+
+#ifdef S6_NETWORKING_USE_TLS
+
+#include <s6-networking/stls.h>
+
+static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, unsigned int notif)
+{
+ struct tls *ctx = stls_server_init_and_handshake(fds + 2, preoptions) ;
+ if (notif)
+ {
+ if (allwrite(notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER))
+ strerr_diefu1sys(111, "write post-handshake data") ;
+ fd_close(notif) ;
+ }
+ stls_run(ctx, fds, tto, options, verbosity) ;
+}
+
+#else
+#ifdef S6_NETWORKING_USE_BEARSSL
+
+#include <skalibs/random.h>
+
+#include <s6-networking/sbearssl.h>
+
+static int handshake_cb_nop (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg)
+{
+ (void)ctx ;
+ (void)cbarg ;
+ return 1 ;
+}
+
+static int handshake_cb_sendvars (br_ssl_engine_context *ctx, sbearssl_handshake_cb_context_t *cbarg)
+{
+ if (allwrite(cbarg->notif, HANDSHAKE_BANNER, sizeof(HANDSHAKE_BANNER)) < sizeof(HANDSHAKE_BANNER))
+ return 0 ;
+ fd_close(cbarg->notif) ;
+ return 1 ;
+}
+
+static inline void doit (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, unsigned int notif)
+{
+ if (ndelay_on(fds[0]) < 0 || ndelay_on(fds[1]) < 0)
+ strerr_diefu1sys(111, "set local fds non-blocking") ;
+ if (!random_init()) strerr_diefu1sys(111, "initialize random device") ;
+ sbearssl_server_init_and_run(fds, tto, preoptions, options, verbosity, notif ? &handshake_cb_sendvars : &handshake_cb_nop, notif) ;
+}
+
+#else
+
+#error No SSL backend configured.
+
+#endif
+#endif
+
+
+#define USAGE "s6-tlsd-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -Y | -y ] [ -K timeout ] fdr fdw"
+#define dieusage() strerr_dieusage(100, USAGE)
+
+int main (int argc, char const *const *argv, char const *const *envp)
+{
+ tain_t tto ;
+ int fds[4] = { 0, 1, 0, 1 } ;
+ unsigned int verbosity = 1 ;
+ unsigned int notif = 0 ;
+ uint32_t preoptions = 0 ;
+ uint32_t options = 1 ;
+
+ PROG = "s6-tlsd-io" ;
+ {
+ subgetopt_t l = SUBGETOPT_ZERO ;
+ unsigned int t = 0 ;
+ for (;;)
+ {
+ int opt = subgetopt_r(argc, argv, "d:SsYyv:K:", &l) ;
+ if (opt == -1) break ;
+ switch (opt)
+ {
+ case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
+ case 'd' : if (!uint0_scan(l.arg, &notif)) dieusage() ; break ;
+ case 'S' : options &= ~1 ; break ;
+ case 's' : options |= 1 ; break ;
+ case 'Y' : preoptions |= 1 ; preoptions &= ~2 ; break ;
+ case 'y' : preoptions |= 3 ; break ;
+ case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
+ default : dieusage() ;
+ }
+ }
+ argc -= l.ind ; argv += l.ind ;
+ if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ;
+ }
+ if (argc < 2) dieusage() ;
+ {
+ unsigned int u ;
+ if (!uint0_scan(argv[0], &u)) dieusage() ;
+ fds[0] = u ;
+ if (!uint0_scan(argv[1], &u)) dieusage() ;
+ fds[1] = u ;
+ }
+
+ if (ndelay_on(0) < 0 || ndelay_on(1) < 0)
+ strerr_diefu1sys(111, "set stdin/stdout non-blocking") ;
+ if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ;
+ tain_now_set_stopwatch_g() ;
+ doit(fds, &tto, preoptions, options, verbosity, notif) ;
+}
diff --git a/src/conn-tools/s6-tlsd.c b/src/conn-tools/s6-tlsd.c
index 923ac47..e26ba49 100644
--- a/src/conn-tools/s6-tlsd.c
+++ b/src/conn-tools/s6-tlsd.c
@@ -2,79 +2,73 @@
#include <stdint.h>
#include <unistd.h>
+
+#include <skalibs/gccattributes.h>
#include <skalibs/types.h>
#include <skalibs/sgetopt.h>
#include <skalibs/strerr2.h>
-#include <skalibs/tai.h>
#include <skalibs/env.h>
#include <skalibs/djbunix.h>
-#include <s6-networking/config.h>
-
-#ifdef S6_NETWORKING_USE_TLS
-
-#include <s6-networking/stls.h>
-#define s6tlsd stls_s6tlsd
-
-#else
-#ifdef S6_NETWORKING_USE_BEARSSL
-
-#include <s6-networking/sbearssl.h>
-#define s6tlsd sbearssl_s6tlsd
-
-#else
-
-#error No SSL backend configured.
-
-#endif
-#endif
+#include "s6tls-internal.h"
#define USAGE "s6-tlsd [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] prog..."
#define dieusage() strerr_dieusage(100, USAGE)
-int main (int argc, char const *const *argv, char const *const *envp)
+static void child (int const [3][2], uint32_t, unsigned int, unsigned int) gccattr_noreturn ;
+static void child (int const p[3][2], uint32_t options, unsigned int verbosity, unsigned int kimeout)
+{
+ int fds[3] = { p[0][0], p[1][1], p[2][1] } ;
+ PROG = "s6-tlsd (child)" ;
+ close(p[2][0]) ;
+ close(p[0][1]) ;
+ close(p[1][0]) ;
+ s6tls_drop() ;
+ s6tls_exec_tlsdio(fds, options, verbosity, kimeout) ;
+}
+
+int main (int argc, char const *const *argv)
{
- tain_t tto ;
unsigned int verbosity = 1 ;
- uid_t uid = 0 ;
- gid_t gid = 0 ;
- uint32_t preoptions = 2 ;
- uint32_t options = 1 ;
+ unsigned int kimeout = 0 ;
+ int p[3][2] ;
+ uint32_t options = 0 ;
+ int cleanenv = 1 ;
+ pid_t pid ;
- PROG = "s6-tlsd" ;
+ PROG = "s6-tlsd (parent)" ;
{
subgetopt_t l = SUBGETOPT_ZERO ;
- unsigned int t = 0 ;
for (;;)
{
int opt = subgetopt_r(argc, argv, "SsYyv:K:Zz", &l) ;
if (opt == -1) break ;
switch (opt)
{
- case 'S' : options &= ~(uint32_t)1 ; break ;
- case 's' : options |= 1 ; break ;
- case 'Y' : preoptions |= 1 ; preoptions &= ~(uint32_t)4 ; break ;
- case 'y' : preoptions |= 5 ; break ;
+ case 'S' : options |= 4 ; break ;
+ case 's' : options &= ~4 ; break ;
+ case 'Y' : options |= 1 ; options &= ~2 ; break ;
+ case 'y' : options |= 3 ; break ;
case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
- case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
- case 'Z' : preoptions &= ~(uint32_t)2 ; break ;
- case 'z' : preoptions |= 2 ; break ;
+ case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ;
+ case 'Z' : cleanenv = 0 ; break ;
+ case 'z' : cleanenv = 1 ; break ;
default : dieusage() ;
}
}
argc -= l.ind ; argv += l.ind ;
- if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ;
}
if (!argc) dieusage() ;
- if (!getuid())
+ if (pipe(p[0]) < 0 || pipe(p[1]) < 0 || pipe(p[2]) < 0)
+ strerr_diefu1sys(111, "pipe") ;
+ pid = fork() ;
+ switch (pid)
{
- char const *x = env_get2(envp, "TLS_UID") ;
- if (x && !uid0_scan(x, &uid)) strerr_dieinvalid(100, "TLS_UID") ;
- x = env_get2(envp, "TLS_GID") ;
- if (x && !gid0_scan(x, &gid)) strerr_dieinvalid(100, "TLS_GID") ;
+ case -1 : strerr_diefu1sys(111, "fork") ;
+ case 0 : child(p, options, verbosity, kimeout) ;
+ default : break ;
}
- tain_now_set_stopwatch_g() ;
- return s6tlsd(argv, envp, &tto, preoptions, options, uid, gid, verbosity) ;
+ s6tls_wait_and_exec_app(argv, p, pid, 0, 1, cleanenv ? 1 : 0) ;
}
diff --git a/src/conn-tools/s6-ucspitlsd.c b/src/conn-tools/s6-ucspitlsd.c
new file mode 100644
index 0000000..ae2ca41
--- /dev/null
+++ b/src/conn-tools/s6-ucspitlsd.c
@@ -0,0 +1,114 @@
+/* ISC license. */
+
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <skalibs/gccattributes.h>
+#include <skalibs/types.h>
+#include <skalibs/sgetopt.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/env.h>
+#include <skalibs/djbunix.h>
+#include <skalibs/webipc.h>
+
+#include <s6-networking/config.h>
+#include "s6tls-internal.h"
+
+#define USAGE "s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] prog..."
+#define dieusage() strerr_dieusage(100, USAGE)
+
+static inline void child (int [3][2], uint32_t, unsigned int, unsigned int) gccattr_noreturn ;
+static inline void child (int p[3][2], uint32_t options, unsigned int verbosity, unsigned int kimeout)
+{
+ int fds[3] = { p[0][0], p[1][1], p[2][1] } ;
+ ssize_t r ;
+ char c ;
+ PROG = "s6-ucspitlsd" ;
+ close(p[2][0]) ;
+ close(p[0][1]) ;
+ close(p[1][0]) ;
+ s6tls_drop() ;
+ r = read(p[2][1], &c, 1) ;
+ if (r < 0) strerr_diefu1sys(111, "read from control socket") ;
+ if (!r) _exit(0) ;
+ switch (c)
+ {
+ case 'y' :
+ close(p[2][1]) ;
+ p[2][1] = 0 ; /* we know 0 is open so it's a correct invalid value */
+ case 'Y' :
+ fd_shutdown(p[2][1], 0) ;
+ break ;
+ default :
+ strerr_dief1x(100, "unrecognized command on control socket") ;
+ }
+ s6tls_exec_tlsdio(fds, options, verbosity, kimeout) ;
+}
+
+int main (int argc, char const *const *argv, char const *const *envp)
+{
+ unsigned int kimeout = 0 ;
+ unsigned int verbosity = 1 ;
+ uint32_t options = 0 ;
+ int cleanenv = 1 ;
+ int p[3][2] ;
+
+ PROG = "s6-ucspitlsd (parent)" ;
+ {
+ subgetopt_t l = SUBGETOPT_ZERO ;
+ for (;;)
+ {
+ int opt = subgetopt_r(argc, argv, "SsYyv:K:Zz", &l) ;
+ if (opt == -1) break ;
+ switch (opt)
+ {
+ case 'S' : options |= 4 ; break ;
+ case 's' : options &= ~4 ; break ;
+ case 'Y' : options |= 1 ; options &= ~2 ; break ;
+ case 'y' : options |= 3 ; break ;
+ case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
+ case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ;
+ case 'Z' : cleanenv = 0 ; break ;
+ case 'z' : cleanenv = 1 ; break ;
+ default : dieusage() ;
+ }
+ }
+ argc -= l.ind ; argv += l.ind ;
+ }
+ if (!argc) dieusage() ;
+
+ if (ipc_pair_b(p[2]) < 0) strerr_diefu1sys(111, "ipc_pair") ;
+ if (pipe(p[0]) < 0 || pipe(p[1]) < 0) strerr_diefu1sys(111, "pipe") ;
+
+ switch (fork())
+ {
+ case -1 : strerr_diefu1sys(111, "fork") ;
+ case 0 : child(p, options, verbosity, kimeout) ;
+ default : break ;
+ }
+
+ {
+ size_t m = 0 ;
+ char modif[sizeof(s6tls_envvars) + 33 + 3 * UINT_FMT] ;
+ close(p[2][1]) ;
+ close(p[1][1]) ;
+ close(p[0][0]) ;
+ if (cleanenv)
+ {
+ memcpy(modif + m, s6tls_envvars, sizeof(s6tls_envvars)) ;
+ m += sizeof(s6tls_envvars) ;
+ }
+ memcpy(modif + m, "SSLCTLFD=", 9) ; m += 9 ;
+ m += uint_fmt(modif + m, p[2][0]) ;
+ modif[m++] = 0 ;
+ memcpy(modif + m, "SSLREADFD=", 10) ; m += 10 ;
+ m += uint_fmt(modif + m, p[1][0]) ;
+ modif[m++] = 0 ;
+ memcpy(modif + m, "SSLWRITEFD=", 11) ; m += 11 ;
+ m += uint_fmt(modif + m, p[0][1]) ;
+ modif[m++] = 0 ;
+ xpathexec_r(argv, envp, env_len(envp), modif, m) ;
+ }
+}
diff --git a/src/conn-tools/s6tls-internal.h b/src/conn-tools/s6tls-internal.h
new file mode 100644
index 0000000..48df60f
--- /dev/null
+++ b/src/conn-tools/s6tls-internal.h
@@ -0,0 +1,18 @@
+/* ISC license */
+
+#ifndef S6TLS_INTERNAL_H
+#define S6TLS_INTERNAL_H
+
+#include <stdint.h>
+#include <unistd.h>
+
+#include <skalibs/gccattributes.h>
+
+#define s6tls_envvars "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID"
+
+extern void s6tls_drop (void) ;
+extern void s6tls_exec_tlscio (int const *, uint32_t, unsigned int, unsigned int, char const *) gccattr_noreturn ;
+extern void s6tls_exec_tlsdio (int const *, uint32_t, unsigned int, unsigned int) gccattr_noreturn ;
+extern void s6tls_wait_and_exec_app (char const *const *, int const [3][2], pid_t, int, int, uint32_t) gccattr_noreturn ;
+
+#endif
diff --git a/src/conn-tools/s6tls_drop.c b/src/conn-tools/s6tls_drop.c
new file mode 100644
index 0000000..6b6f67f
--- /dev/null
+++ b/src/conn-tools/s6tls_drop.c
@@ -0,0 +1,24 @@
+/* ISC license. */
+
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <skalibs/strerr2.h>
+#include <skalibs/types.h>
+
+#include "s6tls-internal.h"
+
+void s6tls_drop (void)
+{
+ if (!getuid())
+ {
+ uid_t uid ;
+ gid_t gid ;
+ char const *x = getenv("TLS_UID") ;
+ if (x && !uid0_scan(x, &uid)) strerr_dieinvalid(100, "TLS_UID") ;
+ x = getenv("TLS_GID") ;
+ if (x && !gid0_scan(x, &gid)) strerr_dieinvalid(100, "TLS_GID") ;
+ if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
+ if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
+ }
+}
diff --git a/src/conn-tools/s6tls_exec_tlscio.c b/src/conn-tools/s6tls_exec_tlscio.c
new file mode 100644
index 0000000..ad00ecd
--- /dev/null
+++ b/src/conn-tools/s6tls_exec_tlscio.c
@@ -0,0 +1,53 @@
+/* ISC license. */
+
+#include <skalibs/posixplz.h>
+#include <skalibs/types.h>
+#include <skalibs/djbunix.h>
+
+#include <s6-networking/config.h>
+#include "s6tls-internal.h"
+
+void s6tls_exec_tlscio (int const *fds, uint32_t options, unsigned int verbosity, unsigned int kimeout, char const *servername)
+{
+ char const *newargv[15] ;
+ unsigned int m = 0 ;
+ char fmtv[UINT_FMT] ;
+ char fmtd[UINT_FMT] ;
+ char fmtk[UINT_FMT] ;
+ char fmtr[UINT_FMT] ;
+ char fmtw[UINT_FMT] ;
+
+ newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tlsc-io" ;
+ if (verbosity != 1)
+ {
+ newargv[m++] = "-v" ;
+ newargv[m++] = fmtv ;
+ fmtv[uint_fmt(fmtv, verbosity)] = 0 ;
+ }
+ if (fds[2])
+ {
+ newargv[m++] = "-d" ;
+ newargv[m++] = fmtd ;
+ fmtd[uint_fmt(fmtd, fds[2])] = 0 ;
+ }
+ newargv[m++] = options & 4 ? "-S" : "-s" ;
+ newargv[m++] = options & 1 ? "-y" : "-Y" ;
+ if (kimeout)
+ {
+ newargv[m++] = "-K" ;
+ newargv[m++] = fmtk ;
+ fmtk[uint_fmt(fmtk, kimeout)] = 0 ;
+ }
+ if (servername)
+ {
+ newargv[m++] = "-k" ;
+ newargv[m++] = servername ;
+ }
+ newargv[m++] = "--" ;
+ newargv[m++] = fmtr ;
+ fmtr[uint_fmt(fmtr, fds[0])] = 0 ;
+ newargv[m++] = fmtw ;
+ fmtw[uint_fmt(fmtw, fds[1])] = 0 ;
+ newargv[m++] = 0 ;
+ xpathexec_run(newargv[0], newargv, (char const *const *)environ) ;
+}
diff --git a/src/conn-tools/s6tls_exec_tlsdio.c b/src/conn-tools/s6tls_exec_tlsdio.c
new file mode 100644
index 0000000..b00adb2
--- /dev/null
+++ b/src/conn-tools/s6tls_exec_tlsdio.c
@@ -0,0 +1,49 @@
+/* ISC license. */
+
+#include <skalibs/posixplz.h>
+#include <skalibs/types.h>
+#include <skalibs/djbunix.h>
+
+#include <s6-networking/config.h>
+#include "s6tls-internal.h"
+
+void s6tls_exec_tlsdio (int const *fds, uint32_t options, unsigned int verbosity, unsigned int kimeout)
+{
+ char const *newargv[13] ;
+ unsigned int m = 0 ;
+ char fmtv[UINT_FMT] ;
+ char fmtd[UINT_FMT] ;
+ char fmtk[UINT_FMT] ;
+ char fmtr[UINT_FMT] ;
+ char fmtw[UINT_FMT] ;
+
+ newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tlsd-io" ;
+ if (verbosity != 1)
+ {
+ newargv[m++] = "-v" ;
+ newargv[m++] = fmtv ;
+ fmtv[uint_fmt(fmtv, verbosity)] = 0 ;
+ }
+ if (fds[2])
+ {
+ newargv[m++] = "-d" ;
+ newargv[m++] = fmtd ;
+ fmtd[uint_fmt(fmtd, fds[2])] = 0 ;
+ }
+ newargv[m++] = options & 4 ? "-S" : "-s" ;
+ if (options & 1)
+ newargv[m++] = options & 2 ? "-y" : "-Y" ;
+ if (kimeout)
+ {
+ newargv[m++] = "-K" ;
+ newargv[m++] = fmtk ;
+ fmtk[uint_fmt(fmtk, kimeout)] = 0 ;
+ }
+ newargv[m++] = "--" ;
+ newargv[m++] = fmtr ;
+ fmtr[uint_fmt(fmtr, fds[0])] = 0 ;
+ newargv[m++] = fmtw ;
+ fmtw[uint_fmt(fmtw, fds[1])] = 0 ;
+ newargv[m++] = 0 ;
+ xpathexec_run(newargv[0], newargv, (char const *const *)environ) ;
+}
diff --git a/src/conn-tools/s6tls_wait_and_exec_app.c b/src/conn-tools/s6tls_wait_and_exec_app.c
new file mode 100644
index 0000000..20828f6
--- /dev/null
+++ b/src/conn-tools/s6tls_wait_and_exec_app.c
@@ -0,0 +1,43 @@
+/* ISC license. */
+
+#include <stdint.h>
+#include <unistd.h>
+
+#include <skalibs/posixplz.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/env.h>
+#include <skalibs/djbunix.h>
+
+#include "s6tls-internal.h"
+
+#define MAXENVSIZE 2048
+
+void s6tls_wait_and_exec_app (char const *const *argv, int const p[3][2], pid_t pid, int fdr, int fdw, uint32_t options)
+{
+ char buf[sizeof(s6tls_envvars) + MAXENVSIZE] ;
+ size_t m = 0 ;
+ ssize_t r ;
+ close(p[2][1]) ;
+ close(p[1][1]) ;
+ close(p[0][0]) ;
+ if (fd_move(fdr, p[1][0]) < 0 || fd_move(fdw, p[0][1]) < 0)
+ strerr_diefu1sys(111, "move file descriptors") ;
+ if (options & 1)
+ {
+ memcpy(buf + m, s6tls_envvars, sizeof(s6tls_envvars)) ;
+ m += sizeof(s6tls_envvars) ;
+ }
+ r = read(p[2][0], buf + m, MAXENVSIZE) ;
+ if (r < 0) strerr_diefu1sys(111, "read from handshake notification pipe") ;
+ if (!r)
+ {
+ int wstat ;
+ if (wait_pid(pid, &wstat) < 0)
+ strerr_diefu1sys(111, "wait") ;
+ _exit(wait_estatus(wstat)) ;
+ }
+ if (r >= MAXENVSIZE)
+ strerr_dief1x(100, "SSL data too large") ;
+ m += r - 1 ;
+ xpathexec_r(argv, (char const *const *)environ, env_len((char const *const *)environ), buf, m) ;
+}
diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h
index ab94d75..9fb8792 100644
--- a/src/include/s6-networking/sbearssl.h
+++ b/src/include/s6-networking/sbearssl.h
@@ -5,7 +5,10 @@
#include <sys/types.h>
#include <stdint.h>
+
#include <bearssl.h>
+
+#include <skalibs/gccattributes.h>
#include <skalibs/buffer.h>
#include <skalibs/stralloc.h>
#include <skalibs/genalloc.h>
@@ -202,12 +205,21 @@ extern char const *sbearssl_error_str (int) ;
/* Engine */
-extern int sbearssl_run (br_ssl_engine_context *, int *, pid_t, unsigned int, uint32_t, tain_t const *) ;
+typedef struct sbearssl_handshake_cb_context_s sbearssl_handshake_cb_context_t, *sbearssl_handshake_cb_context_t_ref ;
+struct sbearssl_handshake_cb_context_s
+{
+ unsigned int notif ;
+} ;
+
+typedef int sbearssl_handshake_cb_t (br_ssl_engine_context *, sbearssl_handshake_cb_context_t *) ;
+typedef sbearssl_handshake_cb_t *sbearssl_handshake_cb_t_ref ;
+
+extern void sbearssl_run (br_ssl_engine_context *, int *, tain_t const *, uint32_t, unsigned int, sbearssl_handshake_cb_t_ref, sbearssl_handshake_cb_context_t *) gccattr_noreturn ;
- /* s6-tlsc and s6-tlsd implementations */
+ /* s6-tlsc-io and s6-tlsd-io implementations */
-extern int sbearssl_s6tlsc (char const *const *, char const *const *, tain_t const *, uint32_t, uint32_t, uid_t, gid_t, unsigned int, char const *, int *) ;
-extern int sbearssl_s6tlsd (char const *const *, char const *const *, tain_t const *, uint32_t, uint32_t, uid_t, gid_t, unsigned int) ;
+extern void sbearssl_client_init_and_run (int *, tain_t const *, uint32_t, uint32_t, unsigned int, char const *, sbearssl_handshake_cb_t_ref, unsigned int) gccattr_noreturn ;
+extern void sbearssl_server_init_and_run (int *, tain_t const *, uint32_t, uint32_t, unsigned int, sbearssl_handshake_cb_t_ref, unsigned int) gccattr_noreturn ;
#endif
diff --git a/src/include/s6-networking/stls.h b/src/include/s6-networking/stls.h
index 963e7a1..76acdd8 100644
--- a/src/include/s6-networking/stls.h
+++ b/src/include/s6-networking/stls.h
@@ -3,9 +3,11 @@
#ifndef STLS_H
#define STLS_H
-#include <sys/types.h>
#include <stdint.h>
+
#include <tls.h>
+
+#include <skalibs/gccattributes.h>
#include <skalibs/tai.h>
#define STLS_BUFSIZE (16384 + 325 + 1)
@@ -13,12 +15,12 @@
/* Engine */
-extern int stls_run (struct tls *, int *, pid_t, unsigned int, uint32_t, tain_t const *) ;
+extern void stls_run (struct tls *, int *, tain_t const *, uint32_t, unsigned int) gccattr_noreturn ;
- /* s6-tlsc and s6-tlsd implementations */
+ /* s6-tlsc-io and s6-tlsd-io */
-extern int stls_s6tlsc (char const *const *, char const *const *, tain_t const *, uint32_t, uint32_t, uid_t, gid_t, unsigned int, char const *, int *) ;
-extern int stls_s6tlsd (char const *const *, char const *const *, tain_t const *, uint32_t, uint32_t, uid_t, gid_t, unsigned int) ;
+struct tls *stls_client_init_and_handshake (int const *, uint32_t, char const *) ;
+struct tls *stls_server_init_and_handshake (int const *, uint32_t) ;
#endif
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index c0acfb6..55729f6 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -1,5 +1,4 @@
sbearssl_append.o
-sbearssl_prep_spawn_drop.o
sbearssl_cert_from.o
sbearssl_cert_readbigpem.o
sbearssl_cert_readfile.o
@@ -33,7 +32,7 @@ sbearssl_ta_to.o
sbearssl_x500_name_len.o
sbearssl_x500_from_ta.o
sbearssl_x509_minimal_set_tai.o
-sbearssl_s6tlsc.o
-sbearssl_s6tlsd.o
+sbearssl_client_init_and_run.o
+sbearssl_server_init_and_run.o
-lbearssl
-lskarnet
diff --git a/src/sbearssl/sbearssl-internal.h b/src/sbearssl/sbearssl-internal.h
index cbf355b..25f6468 100644
--- a/src/sbearssl/sbearssl-internal.h
+++ b/src/sbearssl/sbearssl-internal.h
@@ -19,6 +19,5 @@ struct sbearssl_strallocerr_s
extern void sbearssl_append (void *, void const *, size_t) ;
extern int sbearssl_pem_push (br_pem_decoder_context *, char const *, size_t, sbearssl_pemobject *, genalloc *, sbearssl_strallocerr *, int *) ;
-extern pid_t sbearssl_prep_spawn_drop (char const *const *, char const *const *, int *, uid_t, gid_t, uint32_t) ;
#endif
diff --git a/src/sbearssl/sbearssl_s6tlsc.c b/src/sbearssl/sbearssl_client_init_and_run.c
index 267d79c..a95e9e1 100644
--- a/src/sbearssl/sbearssl_s6tlsc.c
+++ b/src/sbearssl/sbearssl_client_init_and_run.c
@@ -1,36 +1,35 @@
/* ISC license. */
-#include <unistd.h>
-#include <errno.h>
+#include <stddef.h>
+#include <stdlib.h>
+
#include <bearssl.h>
+
#include <skalibs/strerr2.h>
-#include <skalibs/env.h>
#include <skalibs/stralloc.h>
#include <skalibs/genalloc.h>
-#include <skalibs/djbunix.h>
#include <skalibs/random.h>
+
#include <s6-networking/sbearssl.h>
#include "sbearssl-internal.h"
-int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, char const *servername, int *sfd)
+void sbearssl_client_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, char const *servername, sbearssl_handshake_cb_t_ref cb, unsigned int notif)
{
- int fds[5] = { sfd[0], sfd[1], sfd[0], sfd[1] } ;
stralloc storage = STRALLOC_ZERO ;
genalloc tas = GENALLOC_ZERO ;
size_t talen ;
- pid_t pid ;
if (preoptions & 1)
strerr_dief1x(100, "client certificates are not supported yet") ;
{
int r ;
- char const *x = env_get2(envp, "CADIR") ;
+ char const *x = getenv("CADIR") ;
if (x)
r = sbearssl_ta_readdir(x, &tas, &storage) ;
else
{
- x = env_get2(envp, "CAFILE") ;
+ x = getenv("CAFILE") ;
if (!x) strerr_dienotset(100, "CADIR or CAFILE") ;
r = sbearssl_ta_readfile(x, &tas, &storage) ;
}
@@ -45,17 +44,13 @@ int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t co
strerr_dief2x(96, "no trust anchor found in ", x) ;
}
- if (!random_init()) strerr_diefu1sys(111, "initialize random generator") ;
-
- pid = sbearssl_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ;
-
{
+ sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ;
unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
br_x509_minimal_context xc ;
br_ssl_client_context cc ;
br_x509_trust_anchor btas[talen] ;
size_t i = talen ;
- int wstat ;
stralloc_shrink(&storage) ;
while (i--)
@@ -63,17 +58,14 @@ int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t co
genalloc_free(sbearssl_ta, &tas) ;
br_ssl_client_init_full(&cc, &xc, btas, talen) ;
random_string((char *)buf, 32) ;
- br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ;
random_finish() ;
+ br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ;
br_ssl_engine_set_buffer(&cc.eng, buf, sizeof(buf), 1) ;
if (!br_ssl_client_reset(&cc, servername, 0))
strerr_diefu2x(97, "reset client context: ", sbearssl_error_str(br_ssl_engine_last_error(&cc.eng))) ;
- tain_now_g() ;
if (!sbearssl_x509_minimal_set_tain(&xc, &STAMP))
strerr_diefu1sys(111, "initialize validation time") ;
- wstat = sbearssl_run(&cc.eng, fds, pid, verbosity, options, tto) ;
- if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
- return wait_estatus(wstat) ;
+ sbearssl_run(&cc.eng, fds, tto, options, verbosity, cb, &cbarg) ;
}
}
diff --git a/src/sbearssl/sbearssl_prep_spawn_drop.c b/src/sbearssl/sbearssl_prep_spawn_drop.c
deleted file mode 100644
index 1ca7eb8..0000000
--- a/src/sbearssl/sbearssl_prep_spawn_drop.c
+++ /dev/null
@@ -1,35 +0,0 @@
-/* ISC license. */
-
-#include <unistd.h>
-#include <signal.h>
-#include <skalibs/env.h>
-#include <skalibs/strerr2.h>
-#include <skalibs/djbunix.h>
-#include <skalibs/selfpipe.h>
-#include "sbearssl-internal.h"
-
-pid_t sbearssl_prep_spawn_drop (char const *const *argv, char const *const *envp, int *fds, uid_t uid, gid_t gid, uint32_t options)
-{
- pid_t pid ;
-
- fds[4] = selfpipe_init() ;
- if (fds[4] < 0) strerr_diefu1sys(111, "init selfpipe") ;
- if (selfpipe_trap(SIGCHLD) < 0) strerr_diefu1sys(111, "trap SIGCHLD") ;
-
- if (!(options & 1)) pid = child_spawn2(argv[0], argv, envp, fds) ;
- else
- {
- char const modifs[] = "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID" ;
- size_t modiflen = sizeof(modifs) ;
- size_t n = env_len(envp) ;
- char const *newenv[n + 7] ;
- size_t newenvlen = env_merge(newenv, n+7, envp, n, modifs, modiflen) ;
- if (!newenvlen) return 0 ;
- pid = child_spawn2(argv[0], argv, newenv, fds) ;
- }
-
- if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;
- if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
- if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
- return pid ;
-}
diff --git a/src/sbearssl/sbearssl_run.c b/src/sbearssl/sbearssl_run.c
index 177a252..c8ff2fe 100644
--- a/src/sbearssl/sbearssl_run.c
+++ b/src/sbearssl/sbearssl_run.c
@@ -1,53 +1,30 @@
/* ISC license. */
-#include <skalibs/nonposix.h>
-#include <sys/socket.h>
+#include <unistd.h>
#include <errno.h>
-#include <signal.h>
+
#include <bearssl.h>
+
#include <skalibs/error.h>
#include <skalibs/strerr2.h>
-#include <skalibs/sig.h>
#include <skalibs/tai.h>
#include <skalibs/iopause.h>
#include <skalibs/djbunix.h>
-#include <skalibs/selfpipe.h>
-#include <s6-networking/sbearssl.h>
-static inline void handle_signals (pid_t pid, int *e)
-{
- for (;;) switch (selfpipe_read())
- {
- case -1 : strerr_diefu1sys(111, "read selfpipe") ;
- case 0 : return ;
- case SIGCHLD :
- {
- int wstat ;
- if (wait_pid_nohang(pid, &wstat) == pid)
- {
- *e = wstat ;
- return ;
- }
- }
- }
-}
+#include <s6-networking/sbearssl.h>
+#include "sbearssl-internal.h"
-int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int verbosity, uint32_t options, tain_t const *tto)
+void sbearssl_run (br_ssl_engine_context *ctx, int *fds, tain_t const *tto, uint32_t options, unsigned int verbosity, sbearssl_handshake_cb_t_ref cb, sbearssl_handshake_cb_context_t *cbarg)
{
- iopause_fd x[5] = { { .fd = fds[4], .events = IOPAUSE_READ } } ;
+ iopause_fd x[4] ;
unsigned int xindex[4] ;
int markedforflush = 0 ;
- int e = -1 ;
-
- if (ndelay_on(fds[2]) < 0 || ndelay_on(fds[3]) < 0)
- strerr_diefu1sys(111, "set fds non-blocking") ;
- if (sig_ignore(SIGPIPE) < 0)
- strerr_diefu1sys(111, "ignore SIGPIPE") ;
+ int handshake_done = 0 ;
for (;;)
{
tain_t deadline ;
- unsigned int j = 1 ;
+ unsigned int j = 0 ;
unsigned int state = br_ssl_engine_current_state(ctx) ;
int r ;
@@ -58,6 +35,17 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int
break ;
}
+ if (!handshake_done)
+ {
+ size_t dummy ;
+ if (br_ssl_engine_recvapp_buf(ctx, &dummy))
+ {
+ if (!(*cb)(ctx, cbarg))
+ strerr_diefu1sys(111, "post-handshake callback failed") ;
+ handshake_done = 1 ;
+ }
+ }
+
tain_add_g(&deadline, fds[0] >= 0 && fds[2] >= 0 && state & (BR_SSL_SENDAPP | BR_SSL_RECVREC) ? tto : &tain_infinite_relative) ;
if (fds[0] >= 0 && state & BR_SSL_SENDAPP)
@@ -66,62 +54,42 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int
x[j].events = IOPAUSE_READ ;
xindex[0] = j++ ;
}
- else xindex[0] = 5 ;
+ else xindex[0] = 4 ;
if (fds[1] >= 0 && state & BR_SSL_RECVAPP)
{
x[j].fd = fds[1] ;
x[j].events = IOPAUSE_WRITE ;
xindex[1] = j++ ;
}
- else xindex[1] = 5 ;
+ else xindex[1] = 4 ;
if (fds[2] >= 0 && state & BR_SSL_RECVREC)
{
x[j].fd = fds[2] ;
x[j].events = IOPAUSE_READ ;
xindex[2] = j++ ;
}
- else xindex[2] = 5 ;
+ else xindex[2] = 4 ;
if (fds[3] >= 0 && state & BR_SSL_SENDREC)
{
x[j].fd = fds[3] ;
x[j].events = IOPAUSE_WRITE ;
xindex[3] = j++ ;
}
- else xindex[3] = 5 ;
+ else xindex[3] = 4 ;
- if (j == 1) break ;
+ if (xindex[0] == 4 && xindex[1] == 4 && xindex[3] == 4) break ;
r = iopause_g(x, j, &deadline) ;
if (r < 0) strerr_diefu1sys(111, "iopause") ;
- else if (!r)
- {
- fd_close(fds[0]) ; fds[0] = -1 ;
- if (options & 1)
- {
- shutdown(fds[3], SHUT_WR) ;
- fd_close(fds[3]) ; fds[3] = -1 ;
- }
- else br_ssl_engine_close(ctx) ;
- if (e >= 0) break ;
- continue ;
- }
+ else if (!r) break ;
while (j--)
if (x[j].revents & IOPAUSE_EXCEPT)
x[j].revents |= IOPAUSE_READ | IOPAUSE_WRITE ;
- /* Signal */
-
- if (x[0].revents & IOPAUSE_READ)
- {
- handle_signals(pid, &e) ;
- if (e >= 0 && xindex[0] == 5 && xindex[3] == 5) break ;
- }
-
-
/* Flush to local */
- if (state & BR_SSL_RECVAPP && x[xindex[1]].events & x[xindex[1]].revents & IOPAUSE_WRITE)
+ if (state & BR_SSL_RECVAPP && xindex[1] < 4 && x[xindex[1]].events & x[xindex[1]].revents & IOPAUSE_WRITE)
{
size_t len ;
unsigned char const *s = br_ssl_engine_recvapp_buf(ctx, &len) ;
@@ -145,7 +113,7 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int
/* Flush to remote */
- if (state & BR_SSL_SENDREC && xindex[3] < 5 && x[xindex[3]].events & x[xindex[3]].revents & IOPAUSE_WRITE)
+ if (state & BR_SSL_SENDREC && xindex[3] < 4 && x[xindex[3]].events & x[xindex[3]].revents & IOPAUSE_WRITE)
{
size_t len ;
unsigned char const *s = br_ssl_engine_sendrec_buf(ctx, &len) ;
@@ -162,11 +130,10 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int
{
if (options & 1)
{
- shutdown(fds[3], SHUT_WR) ;
+ fd_shutdown(fds[3], 1) ;
fd_close(fds[3]) ; fds[3] = -1 ;
}
else br_ssl_engine_close(ctx) ;
- if (e >= 0) break ;
}
state = br_ssl_engine_current_state(ctx) ;
}
@@ -175,7 +142,7 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int
/* Fill from local */
- if (state & BR_SSL_SENDAPP && xindex[0] < 5 && x[xindex[0]].events & IOPAUSE_READ && (markedforflush || x[xindex[0]].revents & IOPAUSE_READ))
+ if (state & BR_SSL_SENDAPP && xindex[0] < 4 && x[xindex[0]].events & IOPAUSE_READ && (markedforflush || x[xindex[0]].revents & IOPAUSE_READ))
{
size_t len ;
unsigned char *s = br_ssl_engine_sendapp_buf(ctx, &len) ;
@@ -191,11 +158,10 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int
{
if (options & 1)
{
- shutdown(fds[3], SHUT_WR) ;
+ fd_shutdown(fds[3], 1) ;
fd_close(fds[3]) ; fds[3] = -1 ;
}
else br_ssl_engine_close(ctx) ;
- if (e >= 0) break ;
}
}
}
@@ -215,7 +181,7 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int
/* Fill from remote */
- if (state & BR_SSL_RECVREC && xindex[2] < 5 && x[xindex[2]].events & x[xindex[2]].revents & IOPAUSE_READ)
+ if (state & BR_SSL_RECVREC && xindex[2] < 4 && x[xindex[2]].events & x[xindex[2]].revents & IOPAUSE_READ)
{
size_t len ;
unsigned char *s = br_ssl_engine_recvrec_buf(ctx, &len) ;
@@ -224,7 +190,7 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int
{
if (!error_isagain(errno))
{
- if (options & 1) shutdown(fds[2], SHUT_RD) ;
+ if (options & 1) fd_shutdown(fds[2], 0) ;
fd_close(fds[2]) ; fds[2] = -1 ;
if (fds[1] >= 0 && !br_ssl_engine_recvapp_buf(ctx, &len))
{
@@ -235,10 +201,5 @@ int sbearssl_run (br_ssl_engine_context *ctx, int *fds, pid_t pid, unsigned int
else br_ssl_engine_recvrec_ack(ctx, w) ;
}
}
-
- if (fds[1] >= 0) fd_close(fds[1]) ;
- if (fds[0] >= 0) fd_close(fds[0]) ;
- if (fds[3] >= 0) fd_close(fds[3]) ;
- if (fds[2] >= 0) fd_close(fds[2]) ;
- return e ;
+ _exit(0) ;
}
diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_server_init_and_run.c
index 6c3d163..778fdbd 100644
--- a/src/sbearssl/sbearssl_s6tlsd.c
+++ b/src/sbearssl/sbearssl_server_init_and_run.c
@@ -1,31 +1,30 @@
/* ISC license. */
-#include <unistd.h>
-#include <errno.h>
+#include <stdint.h>
+#include <stdlib.h>
+
#include <bearssl.h>
+
#include <skalibs/strerr2.h>
-#include <skalibs/env.h>
#include <skalibs/stralloc.h>
#include <skalibs/genalloc.h>
-#include <skalibs/djbunix.h>
#include <skalibs/random.h>
+
#include <s6-networking/sbearssl.h>
#include "sbearssl-internal.h"
-int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity)
+void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preoptions, uint32_t options, unsigned int verbosity, sbearssl_handshake_cb_t_ref cb, unsigned int notif)
{
- int fds[5] = { 0, 1, 0, 1 } ;
stralloc storage = STRALLOC_ZERO ;
sbearssl_skey skey ;
genalloc certs = GENALLOC_ZERO ;
size_t chainlen ;
- pid_t pid ;
if (preoptions & 1)
strerr_dief1x(100, "client certificates are not supported yet") ;
{
- char const *x = env_get2(envp, "KEYFILE") ;
+ char const *x = getenv("KEYFILE") ;
int r ;
if (!x) strerr_dienotset(100, "KEYFILE") ;
r = sbearssl_skey_readfile(x, &skey, &storage) ;
@@ -34,7 +33,7 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
else if (r)
strerr_diefu4x(96, "decode private key in ", x, ": ", sbearssl_error_str(r)) ;
- x = env_get2(envp, "CERTFILE") ;
+ x = getenv("CERTFILE") ;
if (!x) strerr_dienotset(100, "CERTFILE") ;
r = sbearssl_cert_readbigpem(x, &certs, &storage) ;
if (r < 0)
@@ -46,17 +45,13 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
strerr_diefu2x(96, "find a certificate in ", x) ;
}
- if (!random_init()) strerr_diefu1sys(111, "initialize random generator") ;
-
- pid = sbearssl_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ;
-
{
+ sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ;
unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
br_ssl_server_context sc ;
union br_skey_u key ;
br_x509_certificate chain[chainlen] ;
size_t i = chainlen ;
- int wstat ;
stralloc_shrink(&storage) ;
while (i--)
@@ -93,20 +88,16 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
if (preoptions & 1)
{
/* br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ; */
- if (!(preoptions & 4)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ;
+ if (!(preoptions & 2)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ;
}
br_ssl_engine_add_flags(&sc.eng, flags) ;
}
random_string((char *)buf, 32) ;
- br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ;
random_finish() ;
+ br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ;
br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ;
br_ssl_server_reset(&sc) ;
- tain_now_g() ;
-
- wstat = sbearssl_run(&sc.eng, fds, pid, verbosity, options, tto) ;
- if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
- return wait_estatus(wstat) ;
+ sbearssl_run(&sc.eng, fds, tto, options, verbosity, cb, &cbarg) ;
}
}
diff --git a/src/stls/deps-lib/stls b/src/stls/deps-lib/stls
index 7ecfa0b..61137c5 100644
--- a/src/stls/deps-lib/stls
+++ b/src/stls/deps-lib/stls
@@ -1,6 +1,5 @@
-stls_prep_spawn_drop.o
stls_run.o
-stls_s6tlsc.o
-stls_s6tlsd.o
--ltls
+stls_client_init_and_handshake.o
+stls_server_init_and_handshake.o
+${CRYPTO_LIB}
-lskarnet
diff --git a/src/stls/stls_s6tlsc.c b/src/stls/stls_client_init_and_handshake.c
index 9a6dcc3..e207d8c 100644
--- a/src/stls/stls_s6tlsc.c
+++ b/src/stls/stls_client_init_and_handshake.c
@@ -1,31 +1,28 @@
/* ISC license. */
-#include <unistd.h>
-#include <errno.h>
+#include <stdlib.h>
+
#include <tls.h>
+
#include <skalibs/strerr2.h>
-#include <skalibs/env.h>
-#include <skalibs/djbunix.h>
+
#include <s6-networking/stls.h>
#include "stls-internal.h"
#define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg))
#define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx))
-int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, char const *servername, int *sfd)
+struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions, char const *servername)
{
- int fds[5] = { sfd[0], sfd[1], sfd[0], sfd[1] } ;
struct tls *ctx ;
struct tls_config *cfg ;
- pid_t pid ;
char const *x ;
- int wstat ;
if (tls_init() < 0) strerr_diefu1sys(111, "tls_init") ;
cfg = tls_config_new() ;
if (!cfg) strerr_diefu1sys(111, "tls_config_new") ;
- x = env_get2(envp, "CADIR") ;
+ x = getenv("CADIR") ;
if (x)
{
if (tls_config_set_ca_path(cfg, x) < 0)
@@ -33,7 +30,7 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const
}
else
{
- x = env_get2(envp, "CAFILE") ;
+ x = getenv("CAFILE") ;
if (x)
{
if (tls_config_set_ca_file(cfg, x) < 0)
@@ -44,12 +41,12 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const
if (preoptions & 1)
{
- x = env_get2(envp, "CERTFILE") ;
+ x = getenv("CERTFILE") ;
if (!x) strerr_dienotset(100, "CERTFILE") ;
if (tls_config_set_cert_file(cfg, x) < 0)
diecfg(cfg, "tls_config_set_cert_file") ;
- x = env_get2(envp, "KEYFILE") ;
+ x = getenv("KEYFILE") ;
if (!x) strerr_dienotset(100, "KEYFILE") ;
if (tls_config_set_key_file(cfg, x) < 0)
diecfg(cfg, "tls_config_set_key_file") ;
@@ -73,14 +70,9 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const
if (!ctx) strerr_diefu1sys(111, "tls_client") ;
if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
- pid = stls_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ;
-
- if (tls_connect_fds(ctx, fds[2], fds[3], servername) < 0)
+ if (tls_connect_fds(ctx, fds[0], fds[1], servername) < 0)
diectx(97, ctx, "tls_connect_fds") ;
tls_config_free(cfg) ;
if (tls_handshake(ctx) < 0) diectx(97, ctx, "perform SSL handshake") ;
-
- wstat = stls_run(ctx, fds, pid, verbosity, options, tto) ;
- if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
- return wait_estatus(wstat) ;
+ return ctx ;
}
diff --git a/src/stls/stls_prep_spawn_drop.c b/src/stls/stls_prep_spawn_drop.c
deleted file mode 100644
index c6f4e13..0000000
--- a/src/stls/stls_prep_spawn_drop.c
+++ /dev/null
@@ -1,35 +0,0 @@
-/* ISC license. */
-
-#include <unistd.h>
-#include <signal.h>
-#include <skalibs/env.h>
-#include <skalibs/strerr2.h>
-#include <skalibs/djbunix.h>
-#include <skalibs/selfpipe.h>
-#include "stls-internal.h"
-
-pid_t stls_prep_spawn_drop (char const *const *argv, char const *const *envp, int *fds, uid_t uid, gid_t gid, uint32_t options)
-{
- pid_t pid ;
-
- fds[4] = selfpipe_init() ;
- if (fds[4] < 0) strerr_diefu1sys(111, "init selfpipe") ;
- if (selfpipe_trap(SIGCHLD) < 0) strerr_diefu1sys(111, "trap SIGCHLD") ;
-
- if (!(options & 1)) pid = child_spawn2(argv[0], argv, envp, fds) ;
- else
- {
- char const modifs[] = "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID" ;
- size_t modiflen = sizeof(modifs) ;
- size_t n = env_len(envp) ;
- char const *newenv[n + 7] ;
- size_t newenvlen = env_merge(newenv, n+7, envp, n, modifs, modiflen) ;
- if (!newenvlen) return 0 ;
- pid = child_spawn2(argv[0], argv, newenv, fds) ;
- }
-
- if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;
- if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
- if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
- return pid ;
-}
diff --git a/src/stls/stls_run.c b/src/stls/stls_run.c
index 11a7234..e6ab609 100644
--- a/src/stls/stls_run.c
+++ b/src/stls/stls_run.c
@@ -1,20 +1,18 @@
/* ISC license. */
-#include <skalibs/nonposix.h>
#include <sys/uio.h>
-#include <sys/socket.h>
#include <errno.h>
-#include <signal.h>
+#include <unistd.h>
+
#include <tls.h>
-#include <skalibs/allreadwrite.h>
+
#include <skalibs/error.h>
#include <skalibs/buffer.h>
-#include <skalibs/sig.h>
-#include <skalibs/selfpipe.h>
#include <skalibs/strerr2.h>
#include <skalibs/tai.h>
#include <skalibs/iopause.h>
#include <skalibs/djbunix.h>
+
#include <s6-networking/stls.h>
typedef struct tlsbuf_s tlsbuf_t, *tlsbuf_t_ref ;
@@ -109,50 +107,24 @@ static void send_closenotify (struct tls *ctx, int const *fds)
static void closeit (struct tls *ctx, int *fds, int brutal)
{
- if (brutal) shutdown(fds[3], SHUT_WR) ;
+ if (brutal) fd_shutdown(fds[3], 1) ;
else if (fds[2] >= 0) send_closenotify(ctx, fds) ;
fd_close(fds[3]) ; fds[3] = -1 ;
}
-static void handle_signals (pid_t pid, int *e)
-{
- for (;;) switch (selfpipe_read())
- {
- case -1 : strerr_diefu1sys(111, "read selfpipe") ;
- case 0 : return ;
- case SIGCHLD :
- {
- int wstat ;
- if (wait_pid_nohang(pid, &wstat) == pid)
- {
- *e = wstat ;
- return ;
- }
- }
- }
-}
-
-int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint32_t options, tain_t const *tto)
+void stls_run (struct tls *ctx, int *fds, tain_t const *tto, uint32_t options, unsigned int verbosity)
{
tlsbuf_t b[2] = { { .blockedonother = 0 }, { .blockedonother = 0 } } ;
- iopause_fd x[5] = { { .fd = fds[4], .events = IOPAUSE_READ } } ;
+ iopause_fd x[4] ;
unsigned int xindex[4] ;
- unsigned int i = 0 ;
- int e = -1 ;
-
- for (; i < 2 ; i++)
- {
- buffer_init(&b[i].b, i ? &buffer_write : &buffer_read, fds[i], b[i].buf, STLS_BUFSIZE) ;
- if (ndelay_on(fds[2+i]) < 0) strerr_diefu1sys(111, "set fds non-blocking") ;
- }
- if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ;
- tain_now_g() ;
+ buffer_init(&b[0].b, &buffer_read, fds[0], b[0].buf, STLS_BUFSIZE) ;
+ buffer_init(&b[1].b, &buffer_write, fds[1], b[1].buf, STLS_BUFSIZE) ;
for (;;)
{
tain_t deadline ;
- unsigned int xlen = 1 ;
+ unsigned int j = 0 ;
int r ;
tain_add_g(&deadline, fds[0] >= 0 && fds[2] >= 0 && buffer_isempty(&b[0].b) && buffer_isempty(&b[1].b) ? tto : &tain_infinite_relative) ;
@@ -162,68 +134,54 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint
if (fds[0] >= 0 && buffer_isreadable(&b[0].b))
{
- x[xlen].fd = fds[0] ;
- x[xlen].events = IOPAUSE_READ ;
- xindex[0] = xlen++ ;
+ x[j].fd = fds[0] ;
+ x[j].events = IOPAUSE_READ ;
+ xindex[0] = j++ ;
}
- else xindex[0] = 5 ;
+ else xindex[0] = 4 ;
if (fds[1] >= 0 && buffer_iswritable(&b[1].b))
{
- x[xlen].fd = fds[1] ;
- x[xlen].events = IOPAUSE_WRITE ;
- xindex[1] = xlen++ ;
+ x[j].fd = fds[1] ;
+ x[j].events = IOPAUSE_WRITE ;
+ xindex[1] = j++ ;
}
- else xindex[1] = 5 ;
+ else xindex[1] = 4 ;
if (fds[2] >= 0 && !b[1].blockedonother && buffer_isreadable(&b[1].b))
{
- x[xlen].fd = fds[2] ;
- x[xlen].events = IOPAUSE_READ ;
- xindex[2] = xlen++ ;
+ x[j].fd = fds[2] ;
+ x[j].events = IOPAUSE_READ ;
+ xindex[2] = j++ ;
}
- else xindex[2] = 5 ;
+ else xindex[2] = 4 ;
if (fds[3] >= 0 && !b[0].blockedonother && buffer_iswritable(&b[0].b))
{
- x[xlen].fd = fds[3] ;
- x[xlen].events = IOPAUSE_WRITE ;
- xindex[3] = xlen++ ;
+ x[j].fd = fds[3] ;
+ x[j].events = IOPAUSE_WRITE ;
+ xindex[3] = j++ ;
}
- else xindex[3] = 5 ;
+ else xindex[3] = 4 ;
- if (xlen == 1) break ;
+ if (xindex[0] == 4 && xindex[1] == 4 && xindex[3] == 4) break ;
/* poll() */
- r = iopause_g(x, xlen, &deadline) ;
+ r = iopause_g(x, j, &deadline) ;
if (r < 0) strerr_diefu1sys(111, "iopause") ;
- else if (!r)
- {
- fd_close(fds[0]) ; fds[0] = -1 ;
- closeit(ctx, fds, options & 1) ;
- if (e >= 0) break ;
- continue ;
- }
+ else if (!r) break ;
- while (xlen--)
- if (x[xlen].revents & IOPAUSE_EXCEPT)
- x[xlen].revents |= IOPAUSE_READ | IOPAUSE_WRITE ;
+ while (j--)
+ if (x[j].revents & IOPAUSE_EXCEPT)
+ x[j].revents |= IOPAUSE_READ | IOPAUSE_WRITE ;
- /* Signal */
-
- if (x[0].revents & IOPAUSE_READ)
- {
- handle_signals(pid, &e) ;
- if (e >= 0 && xindex[0] == 5 && xindex[3] == 5) break ;
- }
-
/* Flush to local */
- if (xindex[1] < 5 && x[xindex[1]].revents & IOPAUSE_WRITE)
+ if (xindex[1] < 4 && x[xindex[1]].revents & IOPAUSE_WRITE)
{
r = buffer_flush(&b[1].b) ;
if (!r && !error_isagain(errno))
@@ -231,7 +189,7 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint
strerr_warnwu1sys("write to application") ;
if (fds[2] >= 0)
{
- if (options & 1) shutdown(fds[2], SHUT_RD) ;
+ if (options & 1) fd_shutdown(fds[2], 0) ;
fd_close(fds[2]) ; fds[2] = -1 ;
xindex[2] = 4 ;
}
@@ -246,25 +204,23 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint
/* Flush to remote */
- if (xindex[3] < 5 && x[xindex[3]].revents & IOPAUSE_WRITE)
+ if (xindex[3] < 4 && x[xindex[3]].revents & IOPAUSE_WRITE)
{
r = buffer_tls_flush(ctx, b) ;
if (r < 0)
{
strerr_warnwu2x("write to peer: ", tls_error(ctx)) ;
fd_close(fds[0]) ; fds[0] = -1 ;
+ xindex[0] = 4 ;
}
if (r && fds[0] < 0)
- {
closeit(ctx, fds, options & 1) ;
- if (e >= 0) break ;
- }
}
/* Fill from local */
- if (xindex[0] < 5 && x[xindex[0]].revents & IOPAUSE_READ)
+ if (xindex[0] < 4 && x[xindex[0]].revents & IOPAUSE_READ)
{
r = sanitize_read(buffer_fill(&b[0].b)) ;
if (r < 0)
@@ -272,23 +228,20 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint
if (errno != EPIPE) strerr_warnwu1sys("read from application") ;
fd_close(fds[0]) ; fds[0] = -1 ;
if (buffer_isempty(&b[0].b))
- {
closeit(ctx, fds, options & 1) ;
- if (e >= 0) break ;
- }
}
}
/* Fill from remote */
- if (xindex[2] < 5 && x[xindex[2]].revents & IOPAUSE_READ)
+ if (xindex[2] < 4 && x[xindex[2]].revents & IOPAUSE_READ)
{
r = buffer_tls_fill(ctx, b) ;
if (r < 0)
{
if (r == -1) strerr_warnwu2x("read from peer: ", tls_error(ctx)) ;
- if (options & 1) shutdown(fds[2], SHUT_RD) ;
+ if (options & 1) fd_shutdown(fds[2], 0) ;
/*
XXX: We need a way to detect when we've received a close_notify,
because then we need to trigger a write and then shut the engine
@@ -305,10 +258,5 @@ int stls_run (struct tls *ctx, int *fds, pid_t pid, unsigned int verbosity, uint
}
}
}
-
- if (fds[1] >= 0) fd_close(fds[1]) ;
- if (fds[0] >= 0) fd_close(fds[0]) ;
- if (fds[3] >= 0) fd_close(fds[3]) ;
- if (fds[2] >= 0) fd_close(fds[2]) ;
- return e ;
+ _exit(0) ;
}
diff --git a/src/stls/stls_s6tlsd.c b/src/stls/stls_server_init_and_handshake.c
index a791e89..58d812e 100644
--- a/src/stls/stls_s6tlsd.c
+++ b/src/stls/stls_server_init_and_handshake.c
@@ -1,38 +1,34 @@
/* ISC license. */
-#include <stdint.h>
-#include <unistd.h>
-#include <errno.h>
+#include <stdlib.h>
+
#include <tls.h>
+
#include <skalibs/strerr2.h>
-#include <skalibs/env.h>
-#include <skalibs/djbunix.h>
+
#include <s6-networking/stls.h>
#include "stls-internal.h"
#define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg))
#define diectx(e, ctx, s) strerr_diefu3x(e, (s), ": ", tls_error(ctx))
-int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity)
+struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions)
{
- int fds[5] = { 0, 1, 0, 1 } ;
struct tls *cctx ;
struct tls *ctx ;
struct tls_config *cfg ;
- pid_t pid ;
char const *x ;
- int wstat ;
if (tls_init() < 0) strerr_diefu1sys(111, "tls_init") ;
cfg = tls_config_new() ;
if (!cfg) strerr_diefu1sys(111, "tls_config_new") ;
- x = env_get2(envp, "CERTFILE") ;
+ x = getenv("CERTFILE") ;
if (!x) strerr_dienotset(100, "CERTFILE") ;
if (tls_config_set_cert_file(cfg, x) < 0)
diecfg(cfg, "tls_config_set_cert_file") ;
- x = env_get2(envp, "KEYFILE") ;
+ x = getenv("KEYFILE") ;
if (!x) strerr_dienotset(100, "KEYFILE") ;
if (tls_config_set_key_file(cfg, x) < 0)
diecfg(cfg, "tls_config_set_key_file") ;
@@ -48,7 +44,7 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const
if (preoptions & 1)
{
- x = env_get2(envp, "CADIR") ;
+ x = getenv("CADIR") ;
if (x)
{
if (tls_config_set_ca_path(cfg, x) < 0)
@@ -56,7 +52,7 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const
}
else
{
- x = env_get2(envp, "CAFILE") ;
+ x = getenv("CAFILE") ;
if (x)
{
if (tls_config_set_ca_file(cfg, x) < 0)
@@ -64,7 +60,7 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const
}
else strerr_dienotset(100, "CADIR or CAFILE") ;
}
- if (preoptions & 4) tls_config_verify_client(cfg) ;
+ if (preoptions & 2) tls_config_verify_client(cfg) ;
else tls_config_verify_client_optional(cfg) ;
}
else tls_config_insecure_noverifycert(cfg) ;
@@ -76,15 +72,10 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const
if (!ctx) strerr_diefu1sys(111, "tls_server") ;
if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ;
tls_config_free(cfg) ;
-
- pid = stls_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ;
-
- if (tls_accept_fds(ctx, &cctx, fds[2], fds[3]) < 0)
+ if (tls_accept_fds(ctx, &cctx, fds[0], fds[1]) < 0)
diectx(97, ctx, "tls_accept_fds") ;
tls_free(ctx) ;
- if (tls_handshake(cctx) < 0) diectx(97, cctx, "perform SSL handshake") ;
-
- wstat = stls_run(cctx, fds, pid, verbosity, options, tto) ;
- if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
- return wait_estatus(wstat) ;
+ if (tls_handshake(cctx) < 0)
+ diectx(97, cctx, "perform SSL handshake") ;
+ return cctx ;
}