Diffstat (limited to 'src/sbearssl/sbearssl_s6tlsc.c')
-rw-r--r-- | src/sbearssl/sbearssl_s6tlsc.c | 29 |
1 files changed, 10 insertions, 19 deletions
diff --git a/src/sbearssl/sbearssl_s6tlsc.c b/src/sbearssl/sbearssl_s6tlsc.c
index e01e25e..267d79c 100644
--- a/src/sbearssl/sbearssl_s6tlsc.c
+++ b/src/sbearssl/sbearssl_s6tlsc.c
@@ -14,10 +14,11 @@ int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, char const *servername, int *sfd)
 {
-  int fds[4] = { sfd[0], sfd[1], sfd[0], sfd[1] } ;
+  int fds[5] = { sfd[0], sfd[1], sfd[0], sfd[1] } ;
   stralloc storage = STRALLOC_ZERO ;
   genalloc tas = GENALLOC_ZERO ;
   size_t talen ;
+  pid_t pid ;
   if (preoptions & 1) strerr_dief1x(100, "client certificates are not supported yet") ;
@@ -44,31 +45,26 @@ int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t co
       strerr_dief2x(96, "no trust anchor found in ", x) ;
   }
+  if (!random_init()) strerr_diefu1sys(111, "initialize random generator") ;
+
+  pid = sbearssl_prep_spawn_drop(argv, envp, fds, uid, gid, !!(preoptions & 2)) ;
+
   {
     unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
     br_x509_minimal_context xc ;
     br_ssl_client_context cc ;
     br_x509_trust_anchor btas[talen] ;
     size_t i = talen ;
-    pid_t pid ;
+    int wstat ;
     stralloc_shrink(&storage) ;
     while (i--) sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ;
     genalloc_free(sbearssl_ta, &tas) ;
-    br_ssl_client_init_full(&cc, &xc, btas, talen) ;
-
-    if (!random_init())
-      strerr_diefu1sys(111, "initialize random generator") ;
     random_string((char *)buf, 32) ;
     br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ;
     random_finish() ;
-
-    pid = sbearssl_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ;
-    if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
-    if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
-
     br_ssl_engine_set_buffer(&cc.eng, buf, sizeof(buf), 1) ;
     if (!br_ssl_client_reset(&cc, servername, 0)) strerr_diefu2x(97, "reset client context: ", sbearssl_error_str(br_ssl_engine_last_error(&cc.eng))) ;
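Review bot: The second hunk deletes `br_ssl_client_init_full(&cc, &xc, btas, talen) ;` and nothing in this commit reintroduces it (the diffstat's 10 insertions are all visible in the three hunks), so `br_ssl_engine_inject_entropy(&cc.eng, …)`, `br_ssl_engine_set_buffer` and `br_ssl_client_reset` now run on an uninitialized `cc` and `xc`, which is undefined behaviour, and the `btas` trust anchors filled by the `while (i--)` loop are never attached to the X.509 context, so the client has no anchors to validate the server certificate against. Restore the call right after `genalloc_free(sbearssl_ta, &tas) ;`: `br_ssl_client_init_full(&cc, &xc, btas, talen) ;`. Moving `random_init()`/`random_finish()` ahead of the spawn and folding the setgid/setuid drop into `sbearssl_prep_spawn_drop` looks fine as far as this hunk shows, but the privilege-drop ordering now lives in that helper and cannot be confirmed here. The enclosing function continues past the hunk.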
@@ -76,13 +72,8 @@ int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t co
     if (!sbearssl_x509_minimal_set_tain(&xc, &STAMP)) strerr_diefu1sys(111, "initialize validation time") ;
-    {
-      int wstat ;
-      int r = sbearssl_run(&cc.eng, fds, verbosity, options, tto) ;
-      if (r < 0) strerr_diefu1sys(111, "run SSL engine") ;
-      else if (r) strerr_diefu2x(98, "establish or maintain SSL connection to peer: ", sbearssl_error_str(r)) ;
-      if (wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
-      return wait_estatus(wstat) ;
-    }
+    wstat = sbearssl_run(&cc.eng, fds, pid, verbosity, options, tto) ;
+    if (wstat < 0 && wait_pid(pid, &wstat) < 0) strerr_diefu1sys(111, "wait_pid") ;
+    return wait_estatus(wstat) ;
   }
 }
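Review bot: The new `wstat = sbearssl_run(...)` / `if (wstat < 0 && wait_pid(...) < 0)` pair drops the diagnostics the old block produced: a negative return used to exit 111 with "run SSL engine" and a positive one exit 98 with the BearSSL error string, whereas now any negative value silently falls back to reaping the child and returning its exit status, so an engine or I/O failure on the TLS side becomes indistinguishable from a normal child exit in logs. This may be intended if the new `sbearssl_run` (now given `pid`) reports and reaps internally, which cannot be seen from here; if it does not, at least warn before the fallback, e.g. `if (wstat < 0) strerr_warnwu1sys("run SSL engine") ;` ahead of the `wait_pid` line, and a one-line comment stating what a negative return means would help the next reader. The `wstat` variable is declared in the earlier hunk's inner block, outside this hunk.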