51 files changed, 337 insertions, 171 deletions
@@ -6,14 +6,15 @@ Build Instructions - A POSIX-compliant C development environment - GNU make version 3.81 or later - - skalibs version 2.4.0.2 or later: http://skarnet.org/software/skalibs/ - - execline version 2.2.0.0 or later: http://skarnet.org/software/execline/ - - s6 version 2.4.0.0 or later: http://skarnet.org/software/s6/ - - s6-dns version 2.1.0.0 or later: http://skarnet.org/software/s6-dns/ + - skalibs version 2.5.0.0 or later: http://skarnet.org/software/skalibs/ + - execline version 2.3.0.0 or later: http://skarnet.org/software/execline/ + - s6 version 2.5.0.0 or later: http://skarnet.org/software/s6/ + - s6-dns version 2.2.0.0 or later: http://skarnet.org/software/s6-dns/ - Depending on whether you build the SSL tools, libressl version 2.4.4 or later: http://libressl.org/ - or bearssl version 0.1 or later: http://bearssl.org/ - (BearSSL support is experimental for now, don't use it yet.) + or bearssl version 0.2 or later: http://bearssl.org/ + (BearSSL support is experimental for now, I encourage you to use it + but be aware it's bleeding-edge and APIs may change.) This software will run on any operating system that implements POSIX.1-2008, available at: diff --git a/doc/index.html b/doc/index.html index e19457e..48fed00 100644 --- a/doc/index.html +++ b/doc/index.html 
@@ -44,22 +44,22 @@ compiled with IPv6 support, s6-networking is IPv6-ready. <li> A POSIX-compliant system with a standard C development environment </li> <li> GNU make, version 3.81 or later </li> <li> <a href="http://skarnet.org/software/skalibs/">skalibs</a> version -2.4.0.2 or later. It's a build-time requirement. It's also a run-time +2.5.0.0 or later. It's a build-time requirement. It's also a run-time requirement if you link against the shared version of the skalibs library. </li> <li> <a href="http://skarnet.org/software/execline/">execline</a> version -2.2.0.0 or later. It's a build-time and run-time requirement. </li> +2.3.0.0 or later. It's a build-time and run-time requirement. </li> <li> <a href="http://skarnet.org/software/s6/">s6</a> version -2.4.0.0 or later. It's a build-time and run-time requirement. </li> +2.5.0.0 or later. It's a build-time and run-time requirement. </li> <li> <a href="http://skarnet.org/software/s6-dns/">s6-dns</a> version -2.1.0.0 or later. It's a build-time requirement. It's also a run-time +2.2.0.0 or later. It's a build-time requirement. It's also a run-time requirement if you link against the shared version of the s6-dns libraries. </li> <li> If you want to build the secure communication tools: <ul> <li> Either <a href="http://libressl.org/">LibreSSL</a> version 2.4.4 or later </li> - <li> Or <a href="http://bearssl.org/">BearSSL</a> version 0.1 + <li> Or <a href="http://bearssl.org/">BearSSL</a> version 0.2 or later. <strong>This is experimental.</strong> </li> </ul> The chosen library is a build-time requirement, and also a run-time requirement if you link against its shared version. </li> 
@@ -76,7 +76,7 @@ run-time requirement if you link against its shared version. </li> <ul> <li> The current released version of s6-networking is -<a href="s6-networking-2.2.1.0.tar.gz">2.2.1.0</a>. </li> +<a href="s6-networking-2.3.0.0.tar.gz">2.3.0.0</a>. </li> <li> Alternatively, you can checkout a copy of the <a href="http://git.skarnet.org/cgi-bin/cgit.cgi/s6-networking/">s6-networking git repository</a>: diff --git a/doc/s6-tlsc.html b/doc/s6-tlsc.html index d40820c..39f4680 100644 --- a/doc/s6-tlsc.html +++ b/doc/s6-tlsc.html @@ -126,10 +126,7 @@ two more environment variables: <tt>KEYFILE</tt> contains the path to a file containing the private key, DER- or PEM-encoded; and <tt>CERTFILE</tt> contains the path to a file containing the client certificate, DER- or -PEM-encoded. Please note that for now, support for client -certificates is experimental, and only works -with the <a href="https://www.libressl.org/">LibreSSL</a> -backend (BearSSL does not support client certificates yet). +PEM-encoded. </p> <p> @@ -229,8 +226,7 @@ and break the connection when <em>prog</em> sends EOF. </li> <li> <tt>-s</tt> : transmit EOF by half-closing the TCP connection without using <tt>close_notify</tt>. This is the default. </li> <li> <tt>-Y</tt> : Do not send a client certificate. This is the default. </li> - <li> <tt>-y</tt> : Send a client certificate. This is experimental and -for now unsupported by BearSSL. </li> + <li> <tt>-y</tt> : Send a client certificate. </li> <li> <tt>-k <em>servername</em></tt> : use Server Name Indication, and send <em>servername</em>. The default is not to use SNI, which may be a security risk. </li> diff --git a/doc/s6-tlsd.html b/doc/s6-tlsd.html index 16f13ec..cda5038 100644 --- a/doc/s6-tlsd.html +++ b/doc/s6-tlsd.html 
@@ -147,13 +147,6 @@ of trust anchors, PEM-encoded. </li> </ul> <p> -Please note that for now, support for client -certificates is experimental, and only works -with the <a href="https://www.libressl.org/">LibreSSL</a> -backend (BearSSL does not support client certificates yet). -</p> - -<p> If <tt>s6-tlsd</tt> is run as root, it can also read two more environment variables, <tt>TLS_UID</tt> and <tt>TLS_GID</tt>, which contain a numeric uid and a numeric gid; <tt>s6-tlsd</tt> @@ -251,9 +244,10 @@ This is the default. </li> and break the connection when <em>prog</em> sends EOF. </li> <li> <tt>-s</tt> : transmit EOF by half-closing the TCP connection without using <tt>close_notify</tt>. This is the default. </li> - <li> <tt>-Y</tt> : Do not require a client certificate. This is the default. </li> - <li> <tt>-y</tt> : Require a client certificate. This is experimental and -for now unsupported by BearSSL. </li> + <li> <tt>-Y</tt> : Require an optional client certificate. </li> + <li> <tt>-y</tt> : Require a mandatory client certificate. +The default, with neither the <tt>-Y</tt> nor the <tt>-y</tt> option, +is not to require a client certificate at all. </li> <li> <tt>-K <em>kimeout</em></tt> : close the connection if <em>kimeout</em> milliseconds elapse without any data being received from either side. The default is 0, which means diff --git a/doc/upgrade.html b/doc/upgrade.html index dfd90f0..1cbd9b7 100644 --- a/doc/upgrade.html +++ b/doc/upgrade.html 
@@ -18,6 +18,18 @@ <h1> What has changed in s6-networking </h1> +<h2> in 2.3.0.0 </h2> + +<ul> + <li> BearSSL dependency bumped to 0.2. </li> + <li> skalibs dependency bumped to 2.5.0.0. </li> + <li> execline dependency bumped to 2.3.0.0. </li> + <li> s6 dependency bumped to 2.5.0.0. </li> + <li> s6-dns dependency bumped to 2.2.0.0. </li> + <li> The meaning of the <tt>-Y</tt> option in <a href="s6-tlsd.html">s6-tlsd</a> +has changed. Now it means "ask for an optional client certificate". </li> +</ul> + <h2> in 2.2.1.0 </h2> <ul> diff --git a/package/info b/package/info index 9cb961e..3c35957 100644 --- a/package/info +++ b/package/info @@ -1,4 +1,4 @@ package=s6-networking -version=2.2.1.0 +version=2.3.0.0 category=net package_macro_name=S6_NETWORKING diff --git a/src/clock/s6-sntpclock.c b/src/clock/s6-sntpclock.c index a7bcc22..22c6727 100644 --- a/src/clock/s6-sntpclock.c +++ b/src/clock/s6-sntpclock.c @@ -1,11 +1,13 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <unistd.h> #include <errno.h> #include <skalibs/error.h> #include <skalibs/uint16.h> #include <skalibs/uint32.h> +#include <skalibs/uint64.h> #include <skalibs/uint.h> #include <skalibs/sgetopt.h> #include <skalibs/allreadwrite.h> @@ -31,8 +33,8 @@ int ntp_exchange (int s, ip46_t const *ip, uint16 port, tain_t *stamps, tain_t c tain_t starttime ; uint64 ntpstamp ; ip46_t dummyip ; - uint16 dummyport ; - int r ; + uint16_t dummyport ; + ssize_t r ; tain_copynow(&starttime) ; query[0] = 35 ; /* SNTPv4, client */ if (!ntp_from_tain(&ntpstamp, &starttime)) return 0 ; @@ -87,7 +89,7 @@ int main (int argc, char const *const *argv) int sock ; int flagforce = 0 ; ip46_t ipremote ; - uint16 portremote = 123 ; + uint16_t portremote = 123 ; PROG = "s6-sntpclock" ; { diff --git a/src/clock/s6-taiclock.c b/src/clock/s6-taiclock.c index d8d371f..bece37d 100644 --- a/src/clock/s6-taiclock.c +++ b/src/clock/s6-taiclock.c 
@@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <unistd.h> #include <errno.h> #include <skalibs/error.h> @@ -31,8 +32,8 @@ int tain_exchange (int s, ip46_t const *ip, uint16 port, tain_t *serversays, tai char query[N] = "ctai" ; char answer[N] ; ip46_t dummyip ; - int r ; - uint16 dummyport ; + ssize_t r ; + uint16_t dummyport ; tain_pack(query+4, &STAMP) ; random_string(query+20, N-20) ; /* cookie */ r = socket_sendnb46_g(s, query, N, ip, port, deadline) ; @@ -60,7 +61,7 @@ int main (int argc, char const *const *argv) ip46_t ipremote ; int sock ; int flagforce = 0 ; - uint16 portremote = 4014 ; + uint16_t portremote = 4014 ; PROG = "s6-taiclock" ; { diff --git a/src/clock/s6-taiclockd.c b/src/clock/s6-taiclockd.c index b206400..0477ec5 100644 --- a/src/clock/s6-taiclockd.c +++ b/src/clock/s6-taiclockd.c @@ -1,5 +1,8 @@ /* ISC license. */ +#include <sys/types.h> +#include <stdint.h> +#include <skalibs/uint16.h> #include <skalibs/bytestr.h> #include <skalibs/sgetopt.h> #include <skalibs/strerr2.h> @@ -16,7 +19,7 @@ int main (int argc, char const *const *argv) { int s ; ip46_t ip = IP46_ZERO ; - uint16 port = 4014 ; + uint16_t port = 4014 ; subgetopt_t l = SUBGETOPT_ZERO ; PROG = "s6-taiclockd" ; for (;;) @@ -40,7 +43,7 @@ int main (int argc, char const *const *argv) for (;;) { char packet[256] ; - register int r = socket_recv46(s, packet, 256, &ip, &port) ; + register ssize_t r = socket_recv46(s, packet, 256, &ip, &port) ; if ((r >= 20) && !byte_diff(packet, 4, "ctai")) { tain_t now ; diff --git a/src/conn-tools/s6-getservbyname.c b/src/conn-tools/s6-getservbyname.c index 0888df5..a7ccc9d 100644 --- a/src/conn-tools/s6-getservbyname.c +++ b/src/conn-tools/s6-getservbyname.c @@ -1,5 +1,6 @@ /* ISC license. */ +#include <stdint.h> #include <netdb.h> #include <skalibs/uint16.h> #include <skalibs/buffer.h> 
@@ -10,15 +11,15 @@ int main (int argc, char const *const *argv) { char fmt[UINT16_FMT] ; - uint16 port ; + uint16_t port ; PROG = "s6-getservbyname" ; if (argc < 3) strerr_dieusage(100, USAGE) ; if (!uint160_scan(argv[1], &port)) { struct servent *se = getservbyname(argv[1], argv[2]) ; - uint16 tmpport ; + uint16_t tmpport ; if (!se) return 1 ; - tmpport = (uint16)se->s_port ; + tmpport = (uint16_t)se->s_port ; uint16_unpack_big((char const *)&tmpport, &port) ; } if ((buffer_put(buffer_1small, fmt, uint16_fmt(fmt, port)) < 0) diff --git a/src/conn-tools/s6-ident-client.c b/src/conn-tools/s6-ident-client.c index e475870..d4876ae 100644 --- a/src/conn-tools/s6-ident-client.c +++ b/src/conn-tools/s6-ident-client.c @@ -1,5 +1,6 @@ /* ISC license. */ +#include <stdint.h> #include <errno.h> #include <skalibs/uint16.h> #include <skalibs/uint.h> @@ -19,7 +20,7 @@ int main (int argc, char const *const *argv) { tain_t deadline ; ip46_t ra, la ; - uint16 rp, lp ; + uint16_t rp, lp ; PROG = "s6-ident-client" ; { unsigned int t = 0 ; diff --git a/src/conn-tools/s6-tcpclient.c b/src/conn-tools/s6-tcpclient.c index f2cb9d7..3085e06 100644 --- a/src/conn-tools/s6-tcpclient.c +++ b/src/conn-tools/s6-tcpclient.c @@ -1,5 +1,7 @@ /* ISC license. */ +#include <sys/types.h> +#include <stdint.h> #include <errno.h> #include <skalibs/uint16.h> #include <skalibs/uint.h> @@ -39,7 +41,7 @@ struct tflags_s unsigned int timeout ; unsigned int timeoutconn[2] ; ip46_t localip ; - uint16 localport ; + uint16_t localport ; unsigned int verbosity : 2 ; #ifdef SKALIBS_IPV6_ENABLED unsigned int ip4 : 1 ; @@ -57,7 +59,7 @@ int main (int argc, char const *const *argv) { int s ; tflags flags = TFLAGS_DEFAULT ; - uint16 remoteport ; + uint16_t remoteport ; PROG = "s6-tcpclient" ; { subgetopt_t l = SUBGETOPT_ZERO ; 
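Review bot: The new `tmpport = (uint16_t)se->s_port ;` line followed by `uint16_unpack_big((char const *)&tmpport, &port)` is only correct because `s_port` is stored in network byte order, and nothing on the line says so; a later reader may "simplify" it into `port = se->s_port` and break the value on little-endian hosts. Suggest `/* s_port is in network byte order: keep its two bytes and re-read them big-endian */` above the cast. The enclosing main continues outside the hunk.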
@@ -86,7 +88,7 @@ int main (int argc, char const *const *argv) case 'l' : flags.localname = l.arg ; break ; case 'T' : { - unsigned int n = uint_scan(l.arg, &flags.timeoutconn[0]) ; + size_t n = uint_scan(l.arg, &flags.timeoutconn[0]) ; if (!n) usage() ; if (!l.arg[n]) { diff --git a/src/conn-tools/s6-tcpserver-access.c b/src/conn-tools/s6-tcpserver-access.c index 2e14845..72a3d2f 100644 --- a/src/conn-tools/s6-tcpserver-access.c +++ b/src/conn-tools/s6-tcpserver-access.c @@ -1,5 +1,7 @@ /* ISC license. */ +#include <sys/types.h> +#include <stdint.h> #include <unistd.h> #include <errno.h> #include <skalibs/gccattributes.h> @@ -62,12 +64,12 @@ int main (int argc, char const *const *argv, char const *const *envp) int cdbfd = -1 ; unsigned int rulestype = 0 ; unsigned int verbosity = 1 ; - unsigned int protolen ; + size_t protolen ; s6_accessrules_result_t accepted ; ip46_t remoteip, localip ; int flagfatal = 1, flagnodelay = 0, flagdnslookup = 1, flagident = 0, flagparanoid = 0, e = 0 ; - uint16 remoteport, localport ; + uint16_t remoteport, localport ; PROG = "s6-tcpserver-access" ; { unsigned int timeout = 0 ; @@ -92,7 +94,7 @@ int main (int argc, char const *const *argv, char const *const *envp) case 'l' : localname = l.arg ; break ; case 'B' : { - register unsigned int n = str_len(l.arg) ; + register size_t n = str_len(l.arg) ; if (buffer_putnoflush(buffer_1small, l.arg, n) < n) strerr_dief1x(100, "banner too long") ; break ; diff --git a/src/conn-tools/s6-tcpserver.c b/src/conn-tools/s6-tcpserver.c index 751b2b8..3036ce7 100644 --- a/src/conn-tools/s6-tcpserver.c +++ b/src/conn-tools/s6-tcpserver.c @@ -2,6 +2,7 @@ #include <sys/types.h> #include <limits.h> +#include <skalibs/uint64.h> #include <skalibs/uint.h> #include <skalibs/gidstuff.h> #include <skalibs/sgetopt.h> 
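Review bot: In the `-B` case of s6-tcpserver-access.c, `buffer_putnoflush(buffer_1small, l.arg, n) < n` now compares the result against a `size_t`; if the skalibs 2.5.0.0 `buffer_putnoflush` returns a signed type, a negative result converts to a huge unsigned value and the `"banner too long"` guard can never fire. Its prototype is not in this diff, so confirm it; if it is signed, capture the result in a `ssize_t r` and test `if (r < 0 || (size_t)r < n)`. main continues outside the hunk.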
@@ -20,7 +21,8 @@ int main (int argc, char const *const *argv, char const *const *envp) int flag1 = 0 ; int flagU = 0 ; int flagreuse = 1 ; - unsigned int uid = 0, gid = 0 ; + uint64 uid = 0 ; + gid_t gid = 0 ; gid_t gids[NGROUPS_MAX] ; unsigned int gidn = (unsigned int)-1 ; unsigned int maxconn = 0 ; @@ -46,8 +48,8 @@ int main (int argc, char const *const *argv, char const *const *envp) case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; if (!maxconn) maxconn = 1 ; break ; case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; if (!localmaxconn) localmaxconn = 1 ; break ; case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; - case 'u' : if (!uint0_scan(l.arg, &uid)) dieusage() ; break ; - case 'g' : if (!uint0_scan(l.arg, &gid)) dieusage() ; break ; + case 'u' : if (!uint640_scan(l.arg, &uid)) dieusage() ; break ; + case 'g' : if (!gid0_scan(l.arg, &gid)) dieusage() ; break ; case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn) && *l.arg) dieusage() ; break ; case '1' : flag1 = 1 ; break ; case 'U' : flagU = 1 ; uid = 0 ; gid = 0 ; gidn = (unsigned int)-1 ; break ; @@ -66,9 +68,9 @@ int main (int argc, char const *const *argv, char const *const *envp) } { + size_t pos = 0 ; unsigned int m = 0 ; - unsigned int pos = 0 ; - char fmt[UINT_FMT * 5 + GID_FMT * NGROUPS_MAX] ; + char fmt[UINT_FMT * 3 + UINT64_FMT + GID_FMT * (NGROUPS_MAX + 1)] ; char const *newargv[23 + argc] ; newargv[m++] = what == 6 ? S6_NETWORKING_BINPREFIX "s6-tcpserver6-socketbinder" : S6_NETWORKING_BINPREFIX "s6-tcpserver4-socketbinder" ; if (!flagreuse) newargv[m++] = "-D" ; 
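Review bot: `-u` is now parsed with `uint640_scan` into a `uint64`, whereas `-g` uses the range-checked `gid0_scan`, so a uid too large for a `uid_t` is accepted here and forwarded as a decimal string by `uint64_fmt` in the next hunk; whether it is ever rejected depends on the scanner in the receiving program, which is outside this diff. If skalibs offers a `uid_t` scanner/formatter analogous to `gid0_scan`/`gid_fmt`, using it would keep the two options symmetric and fail fast at the front end; the same asymmetry is in the corresponding lines of s6-tcpserver4.c and s6-tcpserver6.c. main continues outside the hunk.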
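Review bot: The new `fmt[UINT_FMT * 3 + UINT64_FMT + GID_FMT * (NGROUPS_MAX + 1)]` budget is only correct if each `*_FMT` constant already leaves room for the `fmt[pos++] = 0` terminator written after every value in the next hunk — presumably the skalibs constants do, but confirm. The expression encodes that two `UINT_FMT` slots became one `UINT64_FMT` (uid) and one `GID_FMT` (gid); a one-line comment listing which formatted values each term accounts for would stop a future option from silently overrunning it. The same sizing line appears in s6-tcpserver4.c and s6-tcpserver6.c.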
@@ -90,14 +92,14 @@ int main (int argc, char const *const *argv, char const *const *envp) { newargv[m++] = "-u" ; newargv[m++] = fmt + pos ; - pos += uint_fmt(fmt + pos, uid) ; + pos += uint64_fmt(fmt + pos, uid) ; fmt[pos++] = 0 ; } if (gid) { newargv[m++] = "-g" ; newargv[m++] = fmt + pos ; - pos += uint_fmt(fmt + pos, gid) ; + pos += gid_fmt(fmt + pos, gid) ; fmt[pos++] = 0 ; } if (gidn != (unsigned int)-1) diff --git a/src/conn-tools/s6-tcpserver4-socketbinder.c b/src/conn-tools/s6-tcpserver4-socketbinder.c index 5550820..a15e5f1 100644 --- a/src/conn-tools/s6-tcpserver4-socketbinder.c +++ b/src/conn-tools/s6-tcpserver4-socketbinder.c @@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <unistd.h> #include <sys/socket.h> #include <skalibs/uint16.h> @@ -20,7 +21,7 @@ int main (int argc, char const *const *argv, char const *const *envp) int flagreuse = 1 ; int flagudp = 0 ; char ip[4] ; - uint16 port ; + uint16_t port ; PROG = "s6-tcpserver4-socketbinder" ; { subgetopt_t l = SUBGETOPT_ZERO ; diff --git a/src/conn-tools/s6-tcpserver4.c b/src/conn-tools/s6-tcpserver4.c index 7baa66c..f0836d3 100644 --- a/src/conn-tools/s6-tcpserver4.c +++ b/src/conn-tools/s6-tcpserver4.c @@ -2,6 +2,7 @@ #include <sys/types.h> #include <limits.h> +#include <skalibs/uint64.h> #include <skalibs/uint.h> #include <skalibs/gidstuff.h> #include <skalibs/sgetopt.h> @@ -19,7 +20,8 @@ int main (int argc, char const *const *argv, char const *const *envp) int flag1 = 0 ; int flagU = 0 ; int flagreuse = 1 ; - unsigned int uid = 0, gid = 0 ; + uint64 uid = 0 ; + gid_t gid = 0 ; gid_t gids[NGROUPS_MAX] ; unsigned int gidn = (unsigned int)-1 ; unsigned int maxconn = 0 ; 
@@ -40,8 +42,8 @@ int main (int argc, char const *const *argv, char const *const *envp) case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; if (!maxconn) maxconn = 1 ; break ; case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; if (!localmaxconn) localmaxconn = 1 ; break ; case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; - case 'u' : if (!uint0_scan(l.arg, &uid)) dieusage() ; break ; - case 'g' : if (!uint0_scan(l.arg, &gid)) dieusage() ; break ; + case 'u' : if (!uint640_scan(l.arg, &uid)) dieusage() ; break ; + case 'g' : if (!gid0_scan(l.arg, &gid)) dieusage() ; break ; case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn) && *l.arg) dieusage() ; break ; case '1' : flag1 = 1 ; break ; case 'U' : flagU = 1 ; uid = 0 ; gid = 0 ; gidn = (unsigned int)-1 ; break ; @@ -53,9 +55,9 @@ int main (int argc, char const *const *argv, char const *const *envp) } { + size_t pos = 0 ; unsigned int m = 0 ; - unsigned int pos = 0 ; - char fmt[UINT_FMT * 6 + GID_FMT * NGROUPS_MAX] ; + char fmt[UINT_FMT * 4 + UINT64_FMT + GID_FMT * (NGROUPS_MAX + 1)] ; char const *newargv[24 + argc] ; newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver4-socketbinder" ; if (!flagreuse) newargv[m++] = "-D" ; @@ -78,14 +80,14 @@ int main (int argc, char const *const *argv, char const *const *envp) { newargv[m++] = "-u" ; newargv[m++] = fmt + pos ; - pos += uint_fmt(fmt + pos, uid) ; + pos += uint64_fmt(fmt + pos, uid) ; fmt[pos++] = 0 ; } if (gid) { newargv[m++] = "-g" ; newargv[m++] = fmt + pos ; - pos += uint_fmt(fmt + pos, gid) ; + pos += gid_fmt(fmt + pos, gid) ; fmt[pos++] = 0 ; } if (gidn != (unsigned int)-1) diff --git a/src/conn-tools/s6-tcpserver4d.c b/src/conn-tools/s6-tcpserver4d.c index c594b41..e176ee5 100644 --- a/src/conn-tools/s6-tcpserver4d.c +++ b/src/conn-tools/s6-tcpserver4d.c @@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <sys/stat.h> #include <sys/wait.h> #include <errno.h> 
@@ -94,7 +95,7 @@ static void log_status (void) strerr_warni3x("status: ", fmt, fmtmaxconn) ; } -static void log_deny (uint32 ip, uint16 port, unsigned int num) +static void log_deny (uint32_t ip, uint16_t port, unsigned int num) { char fmtip[UINT32_FMT] ; char fmtport[UINT16_FMT] ; @@ -105,12 +106,12 @@ static void log_deny (uint32 ip, uint16 port, unsigned int num) strerr_warni7sys("deny ", fmtip, ":", fmtport, " count ", fmtnum, fmtlocalmaxconn) ; } -static void log_accept (uint32 pid, uint32 ip, uint16 port, unsigned int num) +static void log_accept (uint32_t pid, uint32_t ip, uint16_t port, unsigned int num) { char fmtipport[IP4_FMT + UINT16_FMT + 1] ; char fmtpid[UINT32_FMT] ; char fmtnum[UINT_FMT] ; - register unsigned int n ; + register size_t n ; n = ip4_fmtu32(fmtipport, ip) ; fmtipport[n++] = ':' ; n += uint16_fmt(fmtipport + n, port) ; @@ -120,7 +121,7 @@ static void log_accept (uint32 pid, uint32 ip, uint16 port, unsigned int num) strerr_warni7x("allow ", fmtipport, " pid ", fmtpid, " count ", fmtnum, fmtlocalmaxconn) ; } -static void log_close (uint32 pid, uint32 ip, int w) +static void log_close (uint32_t pid, uint32_t ip, int w) { char fmtpid[UINT32_FMT] ; char fmtip[IP4_FMT] = "?" ; @@ -146,7 +147,7 @@ static void wait_children (void) { unsigned int i ; int w ; - register int pid = wait_nohang(&w) ; + register pid_t pid = wait_nohang(&w) ; if (pid < 0) if (errno != ECHILD) strerr_diefu1sys(111, "wait_nohang") ; else break ; @@ -154,7 +155,7 @@ static void wait_children (void) i = lookup_pid(pid) ; if (i < numconn) /* it's one of ours ! */ { - uint32 ip = pidip[i].right ; + uint32_t ip = pidip[i].right ; register unsigned int j = lookup_ip(ip) ; if (j >= iplen) X() ; if (!--ipnum[j].right) ipnum[j] = ipnum[--iplen] ; 
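Review bot: `log_deny` still declares `char fmtip[UINT32_FMT]` while `log_close` in the same hunk sizes its dotted-quad buffer `char fmtip[IP4_FMT]` and `log_accept` uses `IP4_FMT + UINT16_FMT + 1`; if log_deny formats `ip` with `ip4_fmtu32` the way log_accept does (its body is outside the hunk), `UINT32_FMT` is sized for a decimal uint32 and is shorter than a dotted quad plus terminator, which would be a stack buffer overrun on the deny path. Confirm how fmtip is filled there and, if it is a dotted quad, change the line to `char fmtip[IP4_FMT] ;`.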
@@ -214,11 +215,11 @@ static void handle_signals (void) /* New connection handling */ -static void run_child (int, uint32, uint16, unsigned int, char const *const *, char const *const *) gccattr_noreturn ; -static void run_child (int s, uint32 ip, uint16 port, unsigned int num, char const *const *argv, char const *const *envp) +static void run_child (int, uint32_t, uint16_t, unsigned int, char const *const *, char const *const *) gccattr_noreturn ; +static void run_child (int s, uint32_t ip, uint16_t port, unsigned int num, char const *const *argv, char const *const *envp) { char fmt[74] ; - unsigned int n = 0 ; + size_t n = 0 ; PROG = "s6-tcpserver (child)" ; if ((fd_move(0, s) < 0) || (fd_copy(1, 0) < 0)) strerr_diefu1sys(111, "move fds") ; @@ -232,11 +233,11 @@ static void run_child (int s, uint32 ip, uint16 port, unsigned int num, char con strerr_dieexec(111, argv[0]) ; } -static void new_connection (int s, uint32 ip, uint16 port, char const *const *argv, char const *const *envp) +static void new_connection (int s, uint32_t ip, uint16_t port, char const *const *argv, char const *const *envp) { unsigned int i = lookup_ip(ip) ; unsigned int num = (i < iplen) ? ipnum[i].right : 0 ; - register int pid ; + register pid_t pid ; if (num >= localmaxconn) { log_deny(ip, port, num) ; @@ -260,11 +261,11 @@ static void new_connection (int s, uint32 ip, uint16 port, char const *const *ar ipnum[iplen].left = ip ; ipnum[iplen++].right = 1 ; } - pidip[numconn].left = (uint32)pid ; + pidip[numconn].left = (uint32_t)pid ; pidip[numconn++].right = ip ; if (verbosity >= 2) { - log_accept((uint32)pid, ip, port, ipnum[i].right) ; + log_accept((uint32_t)pid, ip, port, ipnum[i].right) ; log_status() ; } } @@ -353,7 +354,7 @@ int main (int argc, char const *const *argv, char const *const *envp) if (x[1].revents & IOPAUSE_READ) { char packedip[4] ; - uint16 port ; + uint16_t port ; register int fd = socket_accept4(x[1].fd, packedip, &port) ; if (fd < 0) { 
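Review bot: `run_child` keeps the bare literal `char fmt[74]` next to the now-`size_t` cursor `n`; the code that fills it is outside the hunk, so the 74 cannot be checked against what is written. Expressing the size as the sum of the `*_FMT` constants of the values formatted into it (plus terminators), or at least a comment giving that breakdown, would make the bound reviewable; `char fmt[98]` in s6-tcpserver6d.c's run_child has the same problem.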
@@ -361,7 +362,7 @@ int main (int argc, char const *const *argv, char const *const *envp) } else { - uint32 ip ; + uint32_t ip ; uint32_unpack_big(packedip, &ip) ; new_connection(fd, ip, port, argv, envp) ; fd_close(fd) ; diff --git a/src/conn-tools/s6-tcpserver6.c b/src/conn-tools/s6-tcpserver6.c index 90a6e8f..d48efe1 100644 --- a/src/conn-tools/s6-tcpserver6.c +++ b/src/conn-tools/s6-tcpserver6.c @@ -2,6 +2,7 @@ #include <sys/types.h> #include <limits.h> +#include <skalibs/uint64.h> #include <skalibs/uint.h> #include <skalibs/gidstuff.h> #include <skalibs/sgetopt.h> @@ -19,7 +20,8 @@ int main (int argc, char const *const *argv, char const *const *envp) int flag1 = 0 ; int flagU = 0 ; int flagreuse = 1 ; - unsigned int uid = 0, gid = 0 ; + uint64 uid = 0 ; + gid_t gid = 0 ; gid_t gids[NGROUPS_MAX] ; unsigned int gidn = (unsigned int)-1 ; unsigned int maxconn = 0 ; @@ -40,8 +42,8 @@ int main (int argc, char const *const *argv, char const *const *envp) case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; if (!maxconn) maxconn = 1 ; break ; case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; if (!localmaxconn) localmaxconn = 1 ; break ; case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; - case 'u' : if (!uint0_scan(l.arg, &uid)) dieusage() ; break ; - case 'g' : if (!uint0_scan(l.arg, &gid)) dieusage() ; break ; + case 'u' : if (!uint640_scan(l.arg, &uid)) dieusage() ; break ; + case 'g' : if (!gid0_scan(l.arg, &gid)) dieusage() ; break ; case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn) && *l.arg) dieusage() ; break ; case '1' : flag1 = 1 ; break ; case 'U' : flagU = 1 ; uid = 0 ; gid = 0 ; gidn = (unsigned int)-1 ; break ; 
@@ -53,9 +55,9 @@ int main (int argc, char const *const *argv, char const *const *envp) } { + size_t pos = 0 ; unsigned int m = 0 ; - unsigned int pos = 0 ; - char fmt[UINT_FMT * 6 + GID_FMT * NGROUPS_MAX] ; + char fmt[UINT_FMT * 4 + UINT64_FMT + GID_FMT * (NGROUPS_MAX + 1)] ; char const *newargv[24 + argc] ; newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver6-socketbinder" ; if (!flagreuse) newargv[m++] = "-D" ; @@ -78,14 +80,14 @@ int main (int argc, char const *const *argv, char const *const *envp) { newargv[m++] = "-u" ; newargv[m++] = fmt + pos ; - pos += uint_fmt(fmt + pos, uid) ; + pos += uint64_fmt(fmt + pos, uid) ; fmt[pos++] = 0 ; } if (gid) { newargv[m++] = "-g" ; newargv[m++] = fmt + pos ; - pos += uint_fmt(fmt + pos, gid) ; + pos += gid_fmt(fmt + pos, gid) ; fmt[pos++] = 0 ; } if (gidn != (unsigned int)-1) diff --git a/src/conn-tools/s6-tcpserver6d.c b/src/conn-tools/s6-tcpserver6d.c index 3e535c5..5079d2e 100644 --- a/src/conn-tools/s6-tcpserver6d.c +++ b/src/conn-tools/s6-tcpserver6d.c @@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <sys/stat.h> #include <sys/wait.h> #include <errno.h> @@ -96,7 +97,7 @@ static void log_status (void) strerr_warni3x("status: ", fmt, fmtmaxconn) ; } -static void log_deny (char const *ip, uint16 port, unsigned int num) +static void log_deny (char const *ip, uint16_t port, unsigned int num) { char fmtip[IP6_FMT] ; char fmtport[UINT16_FMT] ; 
@@ -107,12 +108,12 @@ static void log_deny (char const *ip, uint16 port, unsigned int num) strerr_warni7sys("deny ", fmtip, " port ", fmtport, " count ", fmtnum, fmtlocalmaxconn) ; } -static void log_accept (unsigned int pid, char const *ip, uint16 port, unsigned int num) +static void log_accept (unsigned int pid, char const *ip, uint16_t port, unsigned int num) { char fmtipport[IP6_FMT + UINT16_FMT + 6] ; char fmtpid[UINT_FMT] ; char fmtnum[UINT_FMT] ; - register unsigned int n ; + register size_t n ; n = ip6_fmt(fmtipport, ip) ; byte_copy(fmtipport + n, 6, " port ") ; n += 6 ; n += uint16_fmt(fmtipport + n, port) ; @@ -216,11 +217,11 @@ static void handle_signals (void) /* New connection handling */ -static void run_child (int, char const *, uint16, unsigned int, char const *const *, char const *const *) gccattr_noreturn ; -static void run_child (int s, char const *ip, uint16 port, unsigned int num, char const *const *argv, char const *const *envp) +static void run_child (int, char const *, uint16_t, unsigned int, char const *const *, char const *const *) gccattr_noreturn ; +static void run_child (int s, char const *ip, uint16_t port, unsigned int num, char const *const *argv, char const *const *envp) { char fmt[98] ; - unsigned int n = 0 ; + size_t n = 0 ; PROG = "s6-tcpserver6 (child)" ; if ((fd_move(0, s) < 0) || (fd_copy(1, 0) < 0)) strerr_diefu1sys(111, "move fds") ; @@ -234,7 +235,7 @@ static void run_child (int s, char const *ip, uint16 port, unsigned int num, cha strerr_dieexec(111, argv[0]) ; } -static void new_connection (int s, char const *ip, uint16 port, char const *const *argv, char const *const *envp) +static void new_connection (int s, char const *ip, uint16_t port, char const *const *argv, char const *const *envp) { unsigned int i = lookup_ip(ip) ; unsigned int num = (i < iplen) ? ipnum[i].num : 0 ; 
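Review bot: `log_accept` in s6-tcpserver6d.c keeps `unsigned int pid` and `fmtpid[UINT_FMT]`, while the IPv4 counterpart changed in this same commit now takes `uint32_t pid` with `fmtpid[UINT32_FMT]`, so the two daemons spell the same value differently. Since the caller casts a `pid_t` into this parameter, pick one representation for both files; matching the IPv4 version's `uint32_t pid` keeps the log formatting code parallel.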
@@ -353,7 +354,7 @@ int main (int argc, char const *const *argv, char const *const *envp) if (x[1].revents & IOPAUSE_READ) { char ip[16] ; - uint16 port ; + uint16_t port ; register int fd = socket_accept6(x[1].fd, ip, &port) ; if (fd < 0) { diff --git a/src/conn-tools/s6-tlsc.c b/src/conn-tools/s6-tlsc.c index 0c26ab0..3e355f1 100644 --- a/src/conn-tools/s6-tlsc.c +++ b/src/conn-tools/s6-tlsc.c @@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <errno.h> #include <skalibs/uint64.h> #include <skalibs/uint.h> diff --git a/src/conn-tools/s6-tlsclient.c b/src/conn-tools/s6-tlsclient.c index a536171..eb5311d 100644 --- a/src/conn-tools/s6-tlsclient.c +++ b/src/conn-tools/s6-tlsclient.c @@ -1,5 +1,7 @@ /* ISC license. */ +#include <sys/types.h> +#include <stdint.h> #include <skalibs/uint16.h> #include <skalibs/uint.h> #include <skalibs/bytestr.h> @@ -24,7 +26,7 @@ struct options_s unsigned int ximeout ; unsigned int yimeout ; unsigned int kimeout ; - uint16 localport ; + uint16_t localport ; ip46full_t localip ; unsigned int verbosity : 2 ; unsigned int flag4 : 1 ; @@ -128,8 +130,8 @@ int main (int argc, char const *const *argv, char const *const *envp) } { + size_t pos = 0 ; unsigned int m = 0 ; - unsigned int pos = 0 ; char fmt[UINT_FMT * 4 + UINT16_FMT + IP46_FMT] ; char const *newargv[29 + argc] ; newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpclient" ; diff --git a/src/conn-tools/s6-tlsd.c b/src/conn-tools/s6-tlsd.c index a4a1d4c..da90179 100644 --- a/src/conn-tools/s6-tlsd.c +++ b/src/conn-tools/s6-tlsd.c @@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <skalibs/uint64.h> #include <skalibs/uint.h> #include <skalibs/gidstuff.h> 
@@ -54,8 +55,8 @@ int main (int argc, char const *const *argv, char const *const *envp) { case 'S' : options &= ~(uint32_t)1 ; break ; case 's' : options |= 1 ; break ; - case 'Y' : preoptions &= ~(uint32_t)1 ; break ; - case 'y' : preoptions |= 1 ; break ; + case 'Y' : preoptions |= 1 ; preoptions &= ~(uint32_t)4 ; break ; + case 'y' : preoptions |= 5 ; break ; case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; case 'Z' : preoptions &= ~(uint32_t)2 ; break ; diff --git a/src/conn-tools/s6-tlsserver.c b/src/conn-tools/s6-tlsserver.c index e0c3387..82f857a 100644 --- a/src/conn-tools/s6-tlsserver.c +++ b/src/conn-tools/s6-tlsserver.c @@ -135,8 +135,8 @@ int main (int argc, char const *const *argv, char const *const *envp) } { + size_t pos = 0 ; unsigned int m = 0 ; - unsigned int pos = 0 ; char fmt[UINT_FMT * 5 + GID_FMT * (NGROUPS_MAX + 1) + UINT64_FMT] ; char const *newargv[45 + argc] ; newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver" ; diff --git a/src/include/s6-networking/ident.h b/src/include/s6-networking/ident.h index 723fc89..4a406b5 100644 --- a/src/include/s6-networking/ident.h +++ b/src/include/s6-networking/ident.h @@ -3,7 +3,8 @@ #ifndef IDENT1413_H #define IDENT1413_H -#include <skalibs/uint16.h> +#include <sys/types.h> +#include <stdint.h> #include <skalibs/tai.h> #include <skalibs/ip46.h> 
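Review bot: The new `-Y`/`-y` cases encode three states in `preoptions` with unnamed bits (`|= 1`, `&= ~(uint32_t)4`, `|= 5`), and the literal `5` hides that it means `1 | 4`; with `-Z` already owning bit 2, an enum or `#define`s for the request-certificate and require-certificate bits would make the option table self-describing. The documented default of not asking for a certificate also depends on the initial value of `preoptions`, which is set outside the hunk and must now leave bit 1 clear. Worth a comment next to these lines: "optional" means a client that presents no certificate is admitted, not that a presented certificate failing validation is; the backend that consumes bit 4 (outside this diff) should still abort the handshake in that case.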
@@ -12,15 +13,15 @@ /* High-level */ -extern int s6net_ident_client (char *, unsigned int, ip46_t const *, uint16, ip46_t const *, uint16, tain_t const *, tain_t *) ; +extern int s6net_ident_client (char *, size_t, ip46_t const *, uint16_t, ip46_t const *, uint16_t, tain_t const *, tain_t *) ; #define s6net_ident_client_g(s, max, ra, rp, la, lp, deadline) s6net_ident_client(s, max, ra, rp, la, lp, (deadline), &STAMP) extern char const *s6net_ident_error_str (int) ; /* Low-level */ -extern int s6net_ident_reply_get (char *, ip46_t const *, uint16, ip46_t const *, uint16, tain_t const *, tain_t *) ; +extern ssize_t s6net_ident_reply_get (char *, ip46_t const *, uint16_t, ip46_t const *, uint16_t, tain_t const *, tain_t *) ; #define s6net_ident_reply_get_g(s, ra, rp, la, lp, deadline) s6net_ident_reply_get(s, ra, rp, la, lp, (deadline), &STAMP) -extern int s6net_ident_reply_parse (char const *, uint16, uint16) ; +extern ssize_t s6net_ident_reply_parse (char const *, uint16_t, uint16_t) ; #endif diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h index dba1742..785e647 100644 --- a/src/include/s6-networking/sbearssl.h +++ b/src/include/s6-networking/sbearssl.h @@ -4,6 +4,7 @@ #define SBEARSSL_H #include <sys/types.h> +#include <stdint.h> #include <bearssl.h> #include <skalibs/buffer.h> #include <skalibs/stralloc.h> @@ -190,6 +191,9 @@ extern int sbearssl_ta_certs (genalloc *, stralloc *, sbearssl_cert const *, siz extern int sbearssl_ta_readfile (char const *, genalloc *, stralloc *) ; extern int sbearssl_ta_readdir (char const *, genalloc *, stralloc *) ; +extern size_t sbearssl_x500_name_len (sbearssl_ta const *, size_t) ; +extern void sbearssl_x500_from_ta (br_x500_name *, sbearssl_ta const *, size_t, char *, char const *) ; + /* Errors */ diff --git a/src/include/s6-networking/stls.h b/src/include/s6-networking/stls.h index dbb55fe..9e418b1 100644 --- a/src/include/s6-networking/stls.h +++ b/src/include/s6-networking/stls.h 
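Review bot: The header switches `s6net_ident_reply_get` and `s6net_ident_reply_parse` to `ssize_t` but still says nothing about the return convention, even though callers rely on it (s6net_ident_client.c checks `if (r < 0)` and then inspects `errno`). Add a comment above each prototype, e.g. `/* returns the reply length, or -1 with errno set */` for reply_get, and state what the non-negative result of reply_parse means, taken from its implementation (not in this chunk).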
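Review bot: The two new prototypes `sbearssl_x500_name_len` and `sbearssl_x500_from_ta` are undocumented: the header gives no hint how the `size_t` index relates to the `sbearssl_ta`, who owns the `char *` output buffer, or whether `name_len` returns the size `from_ta` requires for it — the names suggest the latter, but that is an inference. A short comment per declaration stating the buffer contract (required size, whether the output is NUL-terminated) would prevent misuse, since an undersized buffer here means an overrun in the trust-anchor path.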
@@ -4,6 +4,7 @@ #define STLS_H #include <sys/types.h> +#include <stdint.h> #include <tls.h> #include <skalibs/tai.h> diff --git a/src/libs6net/s6net_ident_client.c b/src/libs6net/s6net_ident_client.c index c6b9ac0..e4f4b87 100644 --- a/src/libs6net/s6net_ident_client.c +++ b/src/libs6net/s6net_ident_client.c @@ -1,17 +1,17 @@ /* ISC license. */ +#include <stdint.h> #include <errno.h> -#include <skalibs/uint16.h> #include <skalibs/bytestr.h> #include <skalibs/tai.h> #include <skalibs/ip46.h> #include <s6-networking/ident.h> -int s6net_ident_client (char *s, unsigned int max, ip46_t const *remoteip, uint16 remoteport, ip46_t const *localip, uint16 localport, tain_t const *deadline, tain_t *stamp) +int s6net_ident_client (char *s, size_t max, ip46_t const *remoteip, uint16_t remoteport, ip46_t const *localip, uint16_t localport, tain_t const *deadline, tain_t *stamp) { char buf[S6NET_IDENT_REPLY_SIZE] ; - unsigned int len ; - register int r = s6net_ident_reply_get(buf, remoteip, remoteport, localip, localport, deadline, stamp) ; + size_t len ; + register ssize_t r = s6net_ident_reply_get(buf, remoteip, remoteport, localip, localport, deadline, stamp) ; if (r < 0) return errno == EPIPE ? (errno = EIO, 0) : -1 ; /* the RFC says so */ len = r ; r = s6net_ident_reply_parse(buf, remoteport, localport) ; diff --git a/src/libs6net/s6net_ident_reply_get.c b/src/libs6net/s6net_ident_reply_get.c index b12925f..ee8c87e 100644 --- a/src/libs6net/s6net_ident_reply_get.c +++ b/src/libs6net/s6net_ident_reply_get.c @@ -1,5 +1,7 @@ /* ISC license. */ +#include <sys/types.h> +#include <stdint.h> #include <errno.h> #include <skalibs/uint16.h> #include <skalibs/allreadwrite.h> 
@@ -11,9 +13,9 @@ #include <skalibs/unix-timed.h> #include <s6-networking/ident.h> -int s6net_ident_reply_get (char *s, ip46_t const *remoteip, uint16 remoteport, ip46_t const *localip, uint16 localport, tain_t const *deadline, tain_t *stamp) +ssize_t s6net_ident_reply_get (char *s, ip46_t const *remoteip, uint16_t remoteport, ip46_t const *localip, uint16_t localport, tain_t const *deadline, tain_t *stamp) { - unsigned int len ; + unsigned int len ; /* XXX: change when skalibs changes */ int fd ; if (ip46_is6(remoteip) != ip46_is6(localip)) return (errno = EAFNOSUPPORT, -1) ; fd = socket_tcp46(ip46_is6(remoteip)) ; @@ -24,7 +26,7 @@ int s6net_ident_reply_get (char *s, ip46_t const *remoteip, uint16 remoteport, i char buf[S6NET_IDENT_REPLY_SIZE + 1] ; char fmt[UINT16_FMT] ; buffer b = BUFFER_INIT(&buffer_write, fd, buf, 256) ; - unsigned int n = uint16_fmt(fmt, remoteport) ; + size_t n = uint16_fmt(fmt, remoteport) ; buffer_putnoflush(&b, fmt, n) ; buffer_putnoflush(&b, " , ", 3) ; n = uint16_fmt(fmt, localport) ; @@ -37,7 +39,7 @@ int s6net_ident_reply_get (char *s, ip46_t const *remoteip, uint16 remoteport, i fd_close(fd) ; if (!len--) return (errno = EPROTO, -1) ; s[len] = 0 ; - return (int)len ; + return len ; err: fd_close(fd) ; diff --git a/src/libs6net/s6net_ident_reply_parse.c b/src/libs6net/s6net_ident_reply_parse.c index a895d60..dd3e84c 100644 --- a/src/libs6net/s6net_ident_reply_parse.c +++ b/src/libs6net/s6net_ident_reply_parse.c 
@@ -1,25 +1,27 @@ /* ISC license. */ +#include <sys/types.h> +#include <stdint.h> #include <errno.h> #include <skalibs/uint16.h> #include <skalibs/bytestr.h> #include <skalibs/error.h> #include <s6-networking/ident.h> -static unsigned int skipspace (char const *s) +static size_t skipspace (char const *s) { - register unsigned int n = 0 ; + register size_t n = 0 ; while ((s[n] == ' ') || (s[n] == '\t')) n++ ; return n ; } -int s6net_ident_reply_parse (char const *s, uint16 rp, uint16 lp) +ssize_t s6net_ident_reply_parse (char const *s, uint16_t rp, uint16_t lp) { - unsigned int n = 0 ; + size_t n = 0 ; n += skipspace(s+n) ; if (!s[n]) goto err ; { - unsigned int i ; - uint16 u ; + size_t i ; + uint16_t u ; i = uint16_scan(s+n, &u) ; if (!i) goto err ; n += i ; if (u != rp) goto err ; n += skipspace(s+n) ; if (!s[n]) goto err ; diff --git a/src/minidentd/mgetuid-default.c b/src/minidentd/mgetuid-default.c index 6c9ae9b..5c9f1d2 100644 --- a/src/minidentd/mgetuid-default.c +++ b/src/minidentd/mgetuid-default.c @@ -1,11 +1,12 @@ /* ISC license. */ +#include <sys/types.h> +#include <stdint.h> #include <errno.h> -#include <skalibs/uint16.h> -#include <skalibs/uint32.h> +#include <skalibs/ip46.h> #include "mgetuid.h" -int mgetuid (ip46_t const *localaddr, uint16 localport, ip46_t const *remoteaddr, uint16 remoteport) +uid_t mgetuid (ip46_t const *localaddr, uint16_t localport, ip46_t const *remoteaddr, uint16_t remoteport) { (void)localaddr ; (void)localport ; diff --git a/src/minidentd/mgetuid-linux.c b/src/minidentd/mgetuid-linux.c index 209318b..18caba7 100644 --- a/src/minidentd/mgetuid-linux.c +++ b/src/minidentd/mgetuid-linux.c @@ -1,7 +1,10 @@ /* ISC license. */ +#include <sys/types.h> +#include <stdint.h> #include <skalibs/uint16.h> #include <skalibs/uint32.h> +#include <skalibs/uint64.h> #include <skalibs/uint.h> #include <skalibs/bytestr.h> #include <skalibs/fmtscan.h> 
@@ -28,9 +31,9 @@ static int skipspace (char **s) return (int)**s ; } -static void reverse_address (char *s, unsigned int n) +static void reverse_address (char *s, size_t n) { - register unsigned int i = n >> 1 ; + register size_t i = n >> 1 ; while (i--) { register char tmp = s[i] ; @@ -39,11 +42,12 @@ static void reverse_address (char *s, unsigned int n) } } -static int parseline (char *s, unsigned int len, unsigned int *u, char *la, uint16 *lp, char *ra, uint16 *rp, int is6) +static int parseline (char *s, size_t len, uid_t *u, char *la, uint16_t *lp, char *ra, uint16_t *rp, int is6) { char *cur = s ; - unsigned int pos ; - uint32 junk ; + size_t pos ; + uint64 uu ; + uint32_t junk ; register unsigned int iplen = is6 ? 16 : 4 ; if (!skipspace(&cur)) bug("initial whitespace") ; @@ -102,15 +106,15 @@ static int parseline (char *s, unsigned int len, unsigned int *u, char *la, uint cur += pos ; if (!skipspace(&cur)) bug("retrnsmt SPACE") ; - pos = uint_scan(cur, u) ; /* uid */ + pos = uint64_scan(cur, &uu) ; /* uid */ if (!pos || (cur-s+1+pos) > len) bug("uid") ; - + *u = uu ; return 1 ; } #ifdef DEBUG -static void debuglog (uint16 a, uint16 b, unsigned int c, char const *d, char const *e, int is6) +static void debuglog (uint16_t a, uint16_t b, unsigned int c, char const *d, char const *e, int is6) { char sa[UINT16_FMT] ; char sb[UINT16_FMT] ; @@ -138,10 +142,10 @@ static void debuglog (uint16 a, uint16 b, unsigned int c, char const *d, char co #endif -int mgetuid (ip46_t const *localaddr, uint16 localport, ip46_t const *remoteaddr, uint16 remoteport) +uid_t mgetuid (ip46_t const *localaddr, uint16_t localport, ip46_t const *remoteaddr, uint16_t remoteport) { int r ; - int u = -2 ; + uid_t u = -2 ; stralloc line = STRALLOC_ZERO ; buffer b ; char y[BUFFER_INSIZE] ; 
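Review bot: `*u = uu ;` narrows the 64-bit value from `uint64_scan` into `uid_t` with no range check, so a column value above the `uid_t` range would wrap silently into a plausible uid; the input appears to come from the kernel's /proc table (the "retrnsmt" column suggests /proc/net/tcp), so exposure is low, but the guard above it should still cover range, and since mgetuid uses `(uid_t)-1` and `(uid_t)-2` as sentinels the check is best written as `if (!pos || (cur-s+1+pos) > len || uu >= (uid_t)-2) bug("uid") ;`. The debuglog prototype in the same hunk keeps `unsigned int c` for what looks like the uid now carried as `uid_t` — confirm and align. The `uint64 uu` added in the previous hunk also mixes the skalibs `uint64` typedef with the standard `uint32_t` beside it; one family per declaration block reads better.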
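Review bot: `uid_t u = -2 ;` here and the `u = -1` in the read loop of the next hunk turn the former negative sentinels into `(uid_t)-2` and `(uid_t)-1`, so any caller still testing the result with `< 0` under the old `int` contract now never sees an error; the consumer in minidentd's doit (whose `uid_t uid ;` appears later in this diff) is outside the visible lines and needs confirming. A comment on the definition should pin the contract, e.g. `/* uid_t is unsigned: callers must compare against (uid_t)-1 / (uid_t)-2 explicitly, never with < 0 */`, and state what -1 and -2 distinguish. mgetuid's body continues outside the hunk.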
@@ -158,8 +162,8 @@ int mgetuid (ip46_t const *localaddr, uint16 localport, ip46_t const *remoteaddr { char la[16] ; char ra[16] ; - unsigned int nu ; - uint16 lp, rp ; + uid_t nu ; + uint16_t lp, rp ; line.len = 0 ; r = skagetln(&b, &line, '\n') ; if (r <= 0) { u = -1 ; break ; } diff --git a/src/minidentd/mgetuid.h b/src/minidentd/mgetuid.h index 0572385..4b882e4 100644 --- a/src/minidentd/mgetuid.h +++ b/src/minidentd/mgetuid.h @@ -3,9 +3,10 @@ #ifndef MGETUID_H #define MGETUID_H -#include <skalibs/uint16.h> +#include <sys/types.h> +#include <stdint.h> #include <skalibs/ip46.h> -extern int mgetuid (ip46_t const *, uint16, ip46_t const *, uint16) ; +extern uid_t mgetuid (ip46_t const *, uint16_t, ip46_t const *, uint16_t) ; #endif diff --git a/src/minidentd/minidentd.c b/src/minidentd/minidentd.c index 287a492..4a73021 100644 --- a/src/minidentd/minidentd.c +++ b/src/minidentd/minidentd.c @@ -1,5 +1,7 @@ /* ISC license. */ +#include <sys/types.h> +#include <stdint.h> #include <unistd.h> #include <errno.h> #include <pwd.h> @@ -34,15 +36,16 @@ static char logfmt[UINT_FMT] ; #define DECIMAL "0123456789" #define godecimal(s) while (*(s) && !DECIMAL[str_chr(DECIMAL, *(s))]) (s)++ -static int parseline (char const *s, uint16 *localport, uint16 *remoteport) +static int parseline (char const *s, uint16_t *localport, uint16_t *remoteport) { - unsigned int pos = 0 ; - + size_t pos ; godecimal(s) ; if (!*s) return 0 ; - s += uint16_scan(s, localport) ; + pos = uint16_scan(s, localport) ; + if (!pos) return 0 ; + s += pos ; if (!*s) return 0 ; - s += str_chr(s+pos, ',') ; + s += str_chr(s, ',') ; if (*s) s++ ; godecimal(s) ; if (!*s) return 0 ; @@ -50,7 +53,7 @@ static int parseline (char const *s, uint16 *localport, uint16 *remoteport) return 1 ; } -static void formatlr (char *s, uint16 lp, uint16 rp) +static void formatlr (char *s, uint16_t lp, uint16_t rp) { s += uint16_fmt(s, lp) ; *s++ = ',' ; 
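Review bot: The new `pos = uint16_scan(s, localport) ; if (!pos) return 0 ;` closes the zero-advance case for the local port, but the remote-port scan that follows the final `godecimal(s) ;` of this hunk sits on a line outside it, so I cannot see whether it gets the same guard; godecimal has already positioned `s` on a digit, so the remaining failure there is a value that does not fit in 16 bits, which I believe uint16_scan reports as 0 — an unguarded `s += uint16_scan(s, remoteport) ;` would then accept the line with `*remoteport` uninitialized. Use the same guarded form, `pos = uint16_scan(s, remoteport) ; if (!pos) return 0 ;`. parseline's `return 1 ;` is in the next hunk.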
@@ -101,10 +104,10 @@ static void logreply (char const *type, char const *reply1, char const *reply2) static int userident (char *s, char const *home) { int fd ; - int r = 1 ; + size_t r = 1 ; { - unsigned int homelen = str_len(home) ; - unsigned int userlen = str_len(userfile) ; + size_t homelen = str_len(home) ; + size_t userlen = str_len(userfile) ; char tmp[homelen + userlen + 2] ; byte_copy(tmp, homelen, home) ; tmp[homelen] = '/' ; @@ -119,7 +122,6 @@ static int userident (char *s, char const *home) } r = allread(fd, s, 14) ; fd_close(fd) ; - if (r == -1) return -1 ; if (!r) return 1 ; s[r] = 0 ; s[byte_chr(s, r, '\n')] = 0 ; @@ -130,9 +132,9 @@ static int userident (char *s, char const *home) static void doit (char const *s, ip46_t const *localaddr, ip46_t const *remoteaddr) { char lr[15] ; - uint16 localport, remoteport ; + uint16_t localport, remoteport ; struct passwd *pw ; - int uid ; + uid_t uid ; if (!parseline(s, &localport, &remoteport)) { reply("0, 0", "ERROR", "INVALID-PORT") ; @@ -233,7 +235,7 @@ int main (int argc, char const *const *argv, char const *const *envp) if (!proto) strerr_dienotset(100, "PROTO") ; { char const *x ; - unsigned int protolen = str_len(proto) ; + size_t protolen = str_len(proto) ; char tmp[protolen + 9] ; byte_copy(tmp, protolen, proto) ; byte_copy(tmp + protolen, 8, "LOCALIP") ; diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl index b3e69bb..4945ad8 100644 --- a/src/sbearssl/deps-lib/sbearssl +++ b/src/sbearssl/deps-lib/sbearssl @@ -30,6 +30,8 @@ sbearssl_ta_from.o sbearssl_ta_readdir.o sbearssl_ta_readfile.o sbearssl_ta_to.o +sbearssl_x500_name_len.o +sbearssl_x500_from_ta.o sbearssl_x509_minimal_set_tai.o sbearssl_s6tlsc.o sbearssl_s6tlsd.o diff --git a/src/sbearssl/sbearssl-internal.h b/src/sbearssl/sbearssl-internal.h index ac5e4e2..df3e3e5 100644 --- a/src/sbearssl/sbearssl-internal.h +++ b/src/sbearssl/sbearssl-internal.h 
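Review bot: Removing `if (r == -1) return -1 ;` together with `size_t r` means a failed read of the user's ident file is no longer reported: allread cannot return -1 any more, so an I/O error shows up as a short count (0 if nothing was read) and flows into `if (!r) return 1 ;` / `s[r] = 0 ;` as if it were valid data. If the skalibs version this commit targets signals failure through errno on a short return, with EPIPE for plain end-of-file (confirm against allread's documentation), the check becomes `if (r < 14 && errno != EPIPE) return -1 ;` immediately after `fd_close(fd) ;`, assuming fd_close leaves errno intact. userident continues outside both of its hunks.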
@@ -4,6 +4,7 @@ #define SBEARSSL_INTERNAL_H #include <sys/types.h> +#include <stdint.h> #include <bearssl.h> #include <skalibs/stralloc.h> #include <skalibs/genalloc.h> diff --git a/src/sbearssl/sbearssl_cert_readfile.c b/src/sbearssl/sbearssl_cert_readfile.c index dd34270..f63fde4 100644 --- a/src/sbearssl/sbearssl_cert_readfile.c +++ b/src/sbearssl/sbearssl_cert_readfile.c @@ -19,7 +19,7 @@ int sbearssl_cert_readfile (char const *fn, genalloc *certs, stralloc *sa) int certswasnull = !genalloc_s(sbearssl_cert, certs) ; int sawasnull = !sa->s ; { - register int r = openreadnclose(fn, buf, SBEARSSL_MAXCERTFILESIZE) ; + register ssize_t r = openreadnclose(fn, buf, SBEARSSL_MAXCERTFILESIZE) ; if (r < 0) return r ; n = r ; } diff --git a/src/sbearssl/sbearssl_clean_tls_and_spawn.c b/src/sbearssl/sbearssl_clean_tls_and_spawn.c index 258db90..d1bc9d8 100644 --- a/src/sbearssl/sbearssl_clean_tls_and_spawn.c +++ b/src/sbearssl/sbearssl_clean_tls_and_spawn.c @@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <skalibs/env.h> #include <skalibs/djbunix.h> #include "sbearssl-internal.h" diff --git a/src/sbearssl/sbearssl_pem_decode_from_buffer.c b/src/sbearssl/sbearssl_pem_decode_from_buffer.c index 8aecfda..e246b87 100644 --- a/src/sbearssl/sbearssl_pem_decode_from_buffer.c +++ b/src/sbearssl/sbearssl_pem_decode_from_buffer.c @@ -21,15 +21,15 @@ int sbearssl_pem_decode_from_buffer (buffer *b, genalloc *list, stralloc *sa) int listwasnull = !genalloc_s(sbearssl_pemobject, list) ; int sawasnull = !sa->s ; int inobj = 0 ; - int r ; + int r = -1 ; br_pem_decoder_init(&ctx) ; for (;;) { siovec_t v[2] ; - r = buffer_fill(b) ; - if (r < 0) goto fail ; - if (!r) break ; + ssize_t rr = buffer_fill(b) ; + if (rr < 0) goto rfail ; + if (!rr) break ; buffer_rpeek(b, v) ; r = sbearssl_pem_push(&ctx, v[0].s, v[0].len, &po, list, &blah, &inobj) ; if (r) goto fail ; 
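Review bot: `int r = -1 ;` on the declaration is dead on every visible path — each route to `fail:` either assigns r from sbearssl_pem_push or passes through the new `rfail:` label (next hunk) which sets it — so the initializer only masks a future missing assignment; if no path in the unseen part of the loop jumps to fail without setting r, return it to `int r ;`. Keeping errno untouched on the `rr < 0` route, with only the post-loop case setting EPROTO, is the right call and deserves a one-liner next to the label in the next hunk: `/* rfail: errno already set by buffer_fill */`. The loop body continues outside the hunk.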
@@ -42,8 +42,9 @@ int sbearssl_pem_decode_from_buffer (buffer *b, genalloc *list, stralloc *sa) } if (!inobj) return 0 ; - r = -1 ; errno = EPROTO ; + rfail: + r = -1 ; fail: if (listwasnull) genalloc_free(sbearssl_pemobject, list) ; else genalloc_setlen(sbearssl_pemobject, list, listbase) ; diff --git a/src/sbearssl/sbearssl_run.c b/src/sbearssl/sbearssl_run.c index ca4a79e..c496cba 100644 --- a/src/sbearssl/sbearssl_run.c +++ b/src/sbearssl/sbearssl_run.c @@ -2,6 +2,7 @@ #include <skalibs/nonposix.h> #include <sys/types.h> +#include <stdint.h> #include <sys/socket.h> #include <errno.h> #include <signal.h> diff --git a/src/sbearssl/sbearssl_s6tlsc.c b/src/sbearssl/sbearssl_s6tlsc.c index 3a257a5..1a0b5f0 100644 --- a/src/sbearssl/sbearssl_s6tlsc.c +++ b/src/sbearssl/sbearssl_s6tlsc.c @@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <unistd.h> #include <errno.h> #include <bearssl.h> diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c index 6cb3f51..66d0542 100644 --- a/src/sbearssl/sbearssl_s6tlsd.c +++ b/src/sbearssl/sbearssl_s6tlsd.c @@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <unistd.h> #include <errno.h> #include <bearssl.h> @@ -20,9 +21,10 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co sbearssl_skey skey ; genalloc certs = GENALLOC_ZERO ; size_t chainlen ; - - if (preoptions & 1) - strerr_dief1x(100, "client certificates are not supported by BearSSL yet") ; + size_t x500n = 1 ; + size_t x500len = 1 ; + stralloc tastorage = STRALLOC_ZERO ; + genalloc tas = GENALLOC_ZERO ; { char const *x = env_get2(envp, "KEYFILE") ; 
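Review bot: `size_t x500n = 1 ;` and `size_t x500len = 1 ;` appear to exist so that the `x500storage[x500len]` and `x500names[x500n]` VLAs in the next hunk are never zero-length when no client certificate is requested (a zero-length VLA is undefined behaviour), but nothing says so; suggest `/* 1, not 0: the VLAs sized by these must not be empty when client auth is off */`. These declarations also replace the former hard error for `preoptions & 1`, so from this commit the BearSSL backend accepts the option. The function continues outside the hunk.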
@@ -44,17 +46,45 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co chainlen = genalloc_len(sbearssl_cert, &certs) ; if (!chainlen) strerr_diefu2x(96, "find a certificate in ", x) ; + + if (preoptions & 1) + { + x = env_get2(envp, "CADIR") ; + if (x) r = sbearssl_ta_readdir(x, &tas, &tastorage) ; + else + { + x = env_get2(envp, "CAFILE") ; + if (!x) strerr_dienotset(100, "CADIR or CAFILE") ; + r = sbearssl_ta_readfile(x, &tas, &tastorage) ; + } + + if (r < 0) + strerr_diefu2sys(111, "read trust anchors in ", x) ; + else if (r) + strerr_diefu4x(96, "read trust anchors in ", x, ": ", sbearssl_error_str(r)) ; + x500n = genalloc_len(sbearssl_ta, &tas) ; + if (!x500n) strerr_dief2x(96, "no trust anchor found in ", x) ; + x500len = sbearssl_x500_name_len(genalloc_s(sbearssl_ta, &tas), x500n) ; + } } { int fds[4] = { 0, 1, 0, 1 } ; unsigned char buf[BR_SSL_BUFSIZE_BIDI] ; + char x500storage[x500len] ; br_ssl_server_context sc ; union br_skey_u key ; br_x509_certificate chain[chainlen] ; + br_x500_name x500names[x500n] ; size_t i = chainlen ; pid_t pid ; + if (preoptions & 1) + { + sbearssl_x500_from_ta(x500names, genalloc_s(sbearssl_ta, &tas), x500n, x500storage, tastorage.s) ; + genalloc_free(sbearssl_ta, &tas) ; + stralloc_free(&tastorage) ; + } stralloc_shrink(&storage) ; while (i--) sbearssl_cert_to(genalloc_s(sbearssl_cert, &certs) + i, chain + i, storage.s) ; 
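Review bot: The trust anchors read into `tas`/`tastorage` are freed right after `sbearssl_x500_from_ta` copies out their subject names, and nothing visible hands them to an X.509 validation engine: `br_ssl_server_set_trust_anchor_names` (hunk at line 126 onwards) only fills the name list sent in CertificateRequest, while verifying the chain the client returns needs a validator such as a `br_x509_minimal_context` initialised with those anchors and installed through `br_ssl_engine_set_x509`. Unless that happens in the unseen middle of the function with a separate copy of the anchors, `-y` would request and receive a client certificate but accept any chain at all, which is worse than the previous hard error; keep `tas`/`tastorage` alive for the lifetime of `sc` and install the validator before freeing them, or keep refusing the option. Separately, `x500len` is the summed DN length of every anchor in CADIR and becomes a stack VLA beside `buf[BR_SSL_BUFSIZE_BIDI]` and `chain[chainlen]`; a large CA bundle is operator-controlled but can still exhaust the stack, so a heap buffer or a cap would be safer.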
@@ -96,6 +126,15 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; + { + uint32_t flags = BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION ; + if (preoptions & 1) + { + br_ssl_server_set_trust_anchor_names(&sc, x500names, x500n) ; + if (!(preoptions & 4)) flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH ; + } + br_ssl_engine_add_flags(&sc.eng, flags) ; + } br_ssl_engine_set_buffer(&sc.eng, buf, sizeof(buf), 1) ; br_ssl_server_reset(&sc) ; tain_now_g() ; diff --git a/src/sbearssl/sbearssl_setclientcert.c b/src/sbearssl/sbearssl_setclientcert.c new file mode 100644 index 0000000..07b1385 --- /dev/null +++ b/src/sbearssl/sbearssl_setclientcert.c @@ -0,0 +1,29 @@ +/* ISC license. */ + +#include <sys/types.h> +#include <bearssl.h> +#include <s6-networking/sbearssl.h> + +int sbearssl_setclientcert (br_ssl_client_context *cc, br_x509_certificate const *certs, size_t certlen, br_skey const *key) +{ + if (!certlen) return 0 ; + switch (key.type) + { + case BR_KEYTYPE_RSA : + br_ssl_client_set_single_rsa(cc, certs, certlen, &key->rsa, &br_rsa_i31_pkcs1_sign) ; + break ; + case BR_KEYTYPE_EC : + { + int kt, r ; + r = sbearssl_ec_issuer_keytype(&kt, &certs[0]) ; + if (r) return r ; + br_ssl_client_set_single_ec(cc, certs, certlen, &key->ec, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, kt, &br_ec_prime_i31, ) ; + break ; + } + default : + strerr_dief1x(96, "unsupported private key type") ; + } + + + return 0 ; +} diff --git a/src/sbearssl/sbearssl_skey_readfile.c b/src/sbearssl/sbearssl_skey_readfile.c index 675ba5b..c406de0 100644 --- a/src/sbearssl/sbearssl_skey_readfile.c +++ b/src/sbearssl/sbearssl_skey_readfile.c 
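Review bot: The meaning of the two `preoptions` bits tested in this block is only recoverable from the option parser in main, far away in this diff; a comment would save the next reader: `/* bit 0: a client certificate is requested; bit 2: it is mandatory, so no BR_OPT_TOLERATE_NO_CLIENT_AUTH */`. `BR_OPT_ENFORCE_SERVER_PREFERENCES | BR_OPT_NO_RENEGOTIATION` is a sound hardening default and worth its own one-liner too. The function continues outside the hunk.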
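Review bot: sbearssl_setclientcert.c cannot compile as written and is not added to `deps-lib/sbearssl` in this diff, so it lands as unbuilt code: `switch (key.type)` uses `.` on a pointer (`key->type`), the `br_ssl_client_set_single_ec` call ends in an empty argument (`&br_ec_prime_i31, )` — presumably the ECDSA signer, e.g. `br_ecdsa_i31_sign_asn1`, is missing), `strerr_dief1x` is used without its header, and `br_skey` is not a type the visible sbearssl.h declares (the server side uses `sbearssl_skey` and `union br_skey_u`). It also mixes two error conventions, returning a code from the EC branch but terminating the process in `default`. Finish it (pointer access, the missing argument, one error strategy, an entry in deps-lib) before committing it, or leave it out of this change.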
@@ -38,7 +38,7 @@ int sbearssl_skey_readfile (char const *fn, sbearssl_skey *key, stralloc *sa) sbearssl_pemobject *p ; size_t n ; size_t i = 0 ; - int r = openreadnclose(fn, buf, SBEARSSL_MAXSKEYFILESIZE) ; + int r = openreadnclose(fn, buf, SBEARSSL_MAXSKEYFILESIZE) ; /* fits in an int */ if (r < 0) return r ; n = r ; if (sbearssl_isder((unsigned char *)buf, n)) return decode_key(key, buf, n, sa) ; diff --git a/src/sbearssl/sbearssl_x500_from_ta.c b/src/sbearssl/sbearssl_x500_from_ta.c new file mode 100644 index 0000000..50a132b --- /dev/null +++ b/src/sbearssl/sbearssl_x500_from_ta.c @@ -0,0 +1,19 @@ +/* ISC license. */ + +#include <bearssl.h> +#include <skalibs/bytestr.h> +#include <s6-networking/sbearssl.h> + +void sbearssl_x500_from_ta (br_x500_name *names, sbearssl_ta const *sta, size_t n, char *storage, char const *tastorage) +{ + while (n--) + { + register size_t len = sta->dnlen ; + byte_copy(storage, len, tastorage + sta->dn) ; + sta++ ; + names->data = (unsigned char *)storage ; + names->len = len ; + names++ ; + storage += len ; + } +} diff --git a/src/sbearssl/sbearssl_x500_name_len.c b/src/sbearssl/sbearssl_x500_name_len.c new file mode 100644 index 0000000..02bc9d7 --- /dev/null +++ b/src/sbearssl/sbearssl_x500_name_len.c @@ -0,0 +1,15 @@ +/* ISC license. */ + +#include <bearssl.h> +#include <s6-networking/sbearssl.h> + +size_t sbearssl_x500_name_len (sbearssl_ta const *sta, size_t n) +{ + size_t total = 0 ; + while (n--) + { + total += sta->dnlen ; + sta++ ; + } + return total ; +} diff --git a/src/sbearssl/sbearssl_x509_minimal_set_tai.c b/src/sbearssl/sbearssl_x509_minimal_set_tai.c index 3d1a51d..11b1ad6 100644 --- a/src/sbearssl/sbearssl_x509_minimal_set_tai.c +++ b/src/sbearssl/sbearssl_x509_minimal_set_tai.c @@ -1,6 +1,6 @@ /* ISC license. */ -#include <sys/types.h> +#include <stdint.h> #include <bearssl.h> #include <skalibs/uint64.h> #include <skalibs/tai.h> 
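Review bot: `int r = openreadnclose(...) ; /* fits in an int */` keeps this reader on the old `int` convention while sbearssl_cert_readfile in the same diff switched the identical call to `register ssize_t r`; the comment records an assumption (SBEARSSL_MAXSKEYFILESIZE fits an int) rather than enforcing it. Using `ssize_t r` here as well removes the caveat and keeps the two readers consistent. The function body continues outside the hunk.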
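Review bot: sbearssl_x500_from_ta writes `sta->dnlen` bytes per anchor into `storage` with no bound and leaves each `names->data` pointing into that buffer, so its contract exists only in the caller's head; a header comment is needed stating that `storage` must hold at least `sbearssl_x500_name_len(sta, n)` bytes and must outlive `names`, and that `tastorage` may be released once the call returns because the DNs are copied, not referenced. The prototype added to sbearssl.h should carry the same note, and sbearssl_x500_name_len, the sizing companion added in the next file section, deserves a one-line cross-reference in its own header.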
diff --git a/src/stls/stls-internal.h b/src/stls/stls-internal.h index 85fc825..48a119e 100644 --- a/src/stls/stls-internal.h +++ b/src/stls/stls-internal.h @@ -4,6 +4,7 @@ #define STLS_INTERNAL_H #include <sys/types.h> +#include <stdint.h> extern pid_t stls_clean_tls_and_spawn (char const *const *, char const *const *, int *, uint32_t) ; diff --git a/src/stls/stls_clean_tls_and_spawn.c b/src/stls/stls_clean_tls_and_spawn.c index 37ea619..b7ee911 100644 --- a/src/stls/stls_clean_tls_and_spawn.c +++ b/src/stls/stls_clean_tls_and_spawn.c @@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <skalibs/env.h> #include <skalibs/djbunix.h> #include "stls-internal.h" diff --git a/src/stls/stls_run.c b/src/stls/stls_run.c index 86e0faa..0ba10b0 100644 --- a/src/stls/stls_run.c +++ b/src/stls/stls_run.c @@ -2,6 +2,7 @@ #include <skalibs/nonposix.h> #include <sys/types.h> +#include <stdint.h> #include <sys/socket.h> #include <errno.h> #include <signal.h> diff --git a/src/stls/stls_s6tlsc.c b/src/stls/stls_s6tlsc.c index 9c30b60..001953d 100644 --- a/src/stls/stls_s6tlsc.c +++ b/src/stls/stls_s6tlsc.c @@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <unistd.h> #include <errno.h> #include <tls.h> diff --git a/src/stls/stls_s6tlsd.c b/src/stls/stls_s6tlsd.c index 0e82ab0..4b04560 100644 --- a/src/stls/stls_s6tlsd.c +++ b/src/stls/stls_s6tlsd.c @@ -1,6 +1,7 @@ /* ISC license. */ #include <sys/types.h> +#include <stdint.h> #include <unistd.h> #include <errno.h> #include <tls.h> 
@@ -27,20 +28,6 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const cfg = tls_config_new() ; if (!cfg) strerr_diefu1sys(111, "tls_config_new") ; - x = env_get2(envp, "CAFILE") ; - if (x) - { - if (tls_config_set_ca_file(cfg, x) < 0) - diecfg(cfg, "tls_config_set_ca_file") ; - } - - x = env_get2(envp, "CADIR") ; - if (x) - { - if (tls_config_set_ca_path(cfg, x) < 0) - diecfg(cfg, "tls_config_set_ca_path") ; - } - x = env_get2(envp, "CERTFILE") ; if (!x) strerr_dienotset(100, "CERTFILE") ; if (tls_config_set_cert_file(cfg, x) < 0) @@ -60,7 +47,27 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const if (tls_config_set_ecdhecurve(cfg, "auto") < 0) diecfg(cfg, "tls_config_set_ecdhecurve") ; - if (preoptions & 1) tls_config_verify_client(cfg) ; + if (preoptions & 1) + { + x = env_get2(envp, "CADIR") ; + if (x) + { + if (tls_config_set_ca_path(cfg, x) < 0) + diecfg(cfg, "tls_config_set_ca_path") ; + } + else + { + x = env_get2(envp, "CAFILE") ; + if (x) + { + if (tls_config_set_ca_file(cfg, x) < 0) + diecfg(cfg, "tls_config_set_ca_file") ; + } + else strerr_dienotset(100, "CADIR or CAFILE") ; + } + if (preoptions & 4) tls_config_verify_client(cfg) ; + else tls_config_verify_client_optional(cfg) ; + } else tls_config_insecure_noverifycert(cfg) ; tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ; |
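Review bot: With CADIR and CAFILE both set, the new block applies only CADIR and silently ignores CAFILE, whereas the removed code loaded both; that is a behaviour change for existing deployments and should be either documented with `/* CADIR wins over CAFILE; both set is not an error */` or turned into an error. Not loading CA settings when no client certificate is requested is correct for a server and drops configuration the old code never used. With `tls_config_verify_client_optional` a connection without a certificate proceeds, so any program downstream of s6-tlsd that relies on the client identity must be able to tell whether one was presented — confirm that the environment handed to the child conveys this (libtls exposes it through `tls_peer_cert_provided`).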