From 9cfe27834a3014235526c60c52652399411993de Mon Sep 17 00:00:00 2001
From: Laurent Bercot
Date: Wed, 2 Jun 2021 08:54:17 +0000
Subject: Correctly clean up the environment for -z
---
 package/deps.mak | 7 ++++---
 package/info | 2 +-
 src/tls/deps-lib/s6tls | 1 +
 src/tls/s6tls-internal.h | 5 ++---
 src/tls/s6tls_clean_and_exec.c | 43 +++++++++++++++++++++++++++++++++++++++
 src/tls/s6tls_sync_and_exec_app.c | 23 ++++++---------------
 src/tls/s6tls_ucspi_exec_app.c | 11 ++--------
 7 files changed, 59 insertions(+), 33 deletions(-)
 create mode 100644 src/tls/s6tls_clean_and_exec.c
diff --git a/package/deps.mak b/package/deps.mak
index 953a7cd..030f842 100644
--- a/package/deps.mak
+++ b/package/deps.mak
@@ -97,6 +97,7 @@ src/tls/s6-tlsd.o src/tls/s6-tlsd.lo: src/tls/s6-tlsd.c src/tls/s6tls-internal.h
 src/tls/s6-tlsserver.o src/tls/s6-tlsserver.lo: src/tls/s6-tlsserver.c src/include/s6-networking/config.h
 src/tls/s6-ucspitlsc.o src/tls/s6-ucspitlsc.lo: src/tls/s6-ucspitlsc.c src/include/s6-networking/config.h src/tls/s6tls-internal.h
 src/tls/s6-ucspitlsd.o src/tls/s6-ucspitlsd.lo: src/tls/s6-ucspitlsd.c src/include/s6-networking/config.h src/tls/s6tls-internal.h
+src/tls/s6tls_clean_and_exec.o src/tls/s6tls_clean_and_exec.lo: src/tls/s6tls_clean_and_exec.c src/tls/s6tls-internal.h
 src/tls/s6tls_exec_tlscio.o src/tls/s6tls_exec_tlscio.lo: src/tls/s6tls_exec_tlscio.c src/include/s6-networking/config.h src/tls/s6tls-internal.h
 src/tls/s6tls_exec_tlsdio.o src/tls/s6tls_exec_tlsdio.lo: src/tls/s6tls_exec_tlsdio.c src/include/s6-networking/config.h src/tls/s6tls-internal.h
 src/tls/s6tls_sync_and_exec_app.o src/tls/s6tls_sync_and_exec_app.lo: src/tls/s6tls_sync_and_exec_app.c src/tls/s6tls-internal.h
@@ -158,12 +159,12 @@ endif
 libstls.so.xyzzy: EXTRA_LIBS := ${CRYPTO_LIB} -lskarnet ${TIMER_LIB}
 libstls.so.xyzzy: src/stls/stls_drop.lo src/stls/stls_handshake.lo src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo src/stls/stls_send_environment.lo
 ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),)
-libs6tls.a.xyzzy: src/tls/s6tls_exec_tlscio.o src/tls/s6tls_exec_tlsdio.o src/tls/s6tls_sync_and_exec_app.o src/tls/s6tls_ucspi_exec_app.o
+libs6tls.a.xyzzy: src/tls/s6tls_clean_and_exec.o src/tls/s6tls_exec_tlscio.o src/tls/s6tls_exec_tlsdio.o src/tls/s6tls_sync_and_exec_app.o src/tls/s6tls_ucspi_exec_app.o
 else
-libs6tls.a.xyzzy: src/tls/s6tls_exec_tlscio.lo src/tls/s6tls_exec_tlsdio.lo src/tls/s6tls_sync_and_exec_app.lo src/tls/s6tls_ucspi_exec_app.lo
+libs6tls.a.xyzzy: src/tls/s6tls_clean_and_exec.lo src/tls/s6tls_exec_tlscio.lo src/tls/s6tls_exec_tlsdio.lo src/tls/s6tls_sync_and_exec_app.lo src/tls/s6tls_ucspi_exec_app.lo
 endif
 libs6tls.so.xyzzy: EXTRA_LIBS := -lskarnet
-libs6tls.so.xyzzy: src/tls/s6tls_exec_tlscio.lo src/tls/s6tls_exec_tlsdio.lo src/tls/s6tls_sync_and_exec_app.lo src/tls/s6tls_ucspi_exec_app.lo
+libs6tls.so.xyzzy: src/tls/s6tls_clean_and_exec.lo src/tls/s6tls_exec_tlscio.lo src/tls/s6tls_exec_tlsdio.lo src/tls/s6tls_sync_and_exec_app.lo src/tls/s6tls_ucspi_exec_app.lo
 s6-tlsc: EXTRA_LIBS := -lskarnet
 s6-tlsc: src/tls/s6-tlsc.o libs6tls.a.xyzzy
 s6-tlsc-io: EXTRA_LIBS := -lskarnet ${CRYPTO_LIB} ${SOCKET_LIB} ${SYSCLOCK_LIB}
diff --git a/package/info b/package/info
index 4eaf40a..342e4dd 100644
--- a/package/info
+++ b/package/info
@@ -1,4 +1,4 @@
 package=s6-networking
-version=2.4.2.1
+version=2.4.2.0
 category=net
 package_macro_name=S6_NETWORKING
diff --git a/src/tls/deps-lib/s6tls b/src/tls/deps-lib/s6tls
index caa9872..f2306ac 100644
--- a/src/tls/deps-lib/s6tls
+++ b/src/tls/deps-lib/s6tls
@@ -1,3 +1,4 @@
+s6tls_clean_and_exec.o
 s6tls_exec_tlscio.o
 s6tls_exec_tlsdio.o
 s6tls_sync_and_exec_app.o
diff --git a/src/tls/s6tls-internal.h b/src/tls/s6tls-internal.h index 2ef3b81..d232266 100644 --- a/src/tls/s6tls-internal.h +++ b/src/tls/s6tls-internal.h @@ -3,16 +3,15 @@ #ifndef S6TLS_INTERNAL_H #define S6TLS_INTERNAL_H +#include #include -#include #include -#define s6tls_envvars "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID" - extern void s6tls_exec_tlscio (int const *, uint32_t, unsigned int, unsigned int, char const *) gccattr_noreturn ; extern void s6tls_exec_tlsdio (int const *, uint32_t, unsigned int, unsigned int, unsigned int) gccattr_noreturn ; extern void s6tls_sync_and_exec_app (char const *const *, int const [4][2], pid_t, uint32_t) gccattr_noreturn ; extern void s6tls_ucspi_exec_app (char const *const *, int const [4][2], uint32_t) gccattr_noreturn ; +extern void s6tls_clean_and_exec (char const *const *, uint32_t, char const *, size_t) gccattr_noreturn ; #endif diff --git a/src/tls/s6tls_clean_and_exec.c b/src/tls/s6tls_clean_and_exec.c new file mode 100644 index 0000000..9432e3a --- /dev/null +++ b/src/tls/s6tls_clean_and_exec.c @@ -0,0 +1,43 @@ +/* ISC license. */ + +#include + +#include +#include +#include +#include + +#include "s6tls-internal.h" + +void s6tls_clean_and_exec (char const *const *argv, uint32_t options, char const *modif, size_t modiflen) +{ + if (options & 1) + { + static char const *const toclean[] = + { + "CADIR=", + "CAFILE=", + "KEYFILE=", + "CERTFILE=", + "TLS_UID=", + "TLS_GID=", + "KEYFILE:", + "CERTFILE:", + 0 + } ; + char const *const *envp = (char const *const *)environ ; + size_t m = 0 ; + size_t n = env_len(envp) ; + char const *newenvp[n + 1] ; + for (; *envp ; envp++) + { + char const *const *var = toclean ; + for (; *var ; var++) + if (str_start(*envp, *var)) break ; + if (!*var) newenvp[m++] = *envp ; + } + newenvp[m] = 0 ; + xmexec_fm(argv, newenvp, m, modif, modiflen) ; + } + else xmexec_m(argv, modif, modiflen) ; +} 
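Review bot: In the new src/tls/s6tls_clean_and_exec.c, s6tls_clean_and_exec has no comment stating its contract, and the filter depends on details a maintainer has to reverse-engineer: bit 0 of `options` selects the cleanup (the commit subject ties it to -z), entries are matched as prefixes by `str_start`, and the list mixes `NAME=` entries with `KEYFILE:` and `CERTFILE:`, which presumably cover per-name variants of those variables. I would add a header comment saying that the function never returns, that with bit 0 set every inherited variable starting with a `toclean` prefix is dropped before `modif` is handed to `xmexec_fm`, and that the list has to be kept in step with whatever variables the TLS binaries read, since a name missing here is passed to the application unchanged. `newenvp` is a variable-length array sized from `env_len(envp)`, so its stack use grows with the inherited environment; a one-line comment such as `/* VLA: one pointer per inherited variable, bounded by the size of the environment */` would record that this is accepted.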
diff --git a/src/tls/s6tls_sync_and_exec_app.c b/src/tls/s6tls_sync_and_exec_app.c index ff42d73..5c0180c 100644 --- a/src/tls/s6tls_sync_and_exec_app.c +++ b/src/tls/s6tls_sync_and_exec_app.c @@ -1,43 +1,32 @@ /* ISC license. */ -#include -#include #include #include #include -#include #include "s6tls-internal.h" -#define MAXENVSIZE 2048 +#define MAXENVSIZE 4096 void s6tls_sync_and_exec_app (char const *const *argv, int const p[4][2], pid_t pid, uint32_t options) { - char buf[sizeof(s6tls_envvars) + MAXENVSIZE] ; - size_t m = 0 ; + char buf[MAXENVSIZE] ; ssize_t r ; close(p[2][1]) ; close(p[1][1]) ; close(p[0][0]) ; if (fd_move(p[3][0], p[1][0]) < 0 || fd_move(p[3][1], p[0][1]) < 0) strerr_diefu1sys(111, "move file descriptors") ; - if (options & 1) - { - memcpy(buf + m, s6tls_envvars, sizeof(s6tls_envvars)) ; - m += sizeof(s6tls_envvars) ; - } - r = read(p[2][0], buf + m, MAXENVSIZE) ; + r = read(p[2][0], buf, MAXENVSIZE) ; if (r < 0) strerr_diefu1sys(111, "read from handshake notification pipe") ; if (!r) { int wstat ; if (wait_pid(pid, &wstat) < 0) - strerr_diefu1sys(111, "wait") ; + strerr_diefu1sys(111, "waitpid") ; _exit(wait_estatus(wstat)) ; } - if (r >= MAXENVSIZE) - strerr_dief1x(100, "SSL data too large") ; - m += r - 1 ; - xmexec_m(argv, buf, m) ; + if (r >= MAXENVSIZE) strerr_dief1x(101, "SSL data too large; recompile with a bigger MAXENVSIZE") ; + s6tls_clean_and_exec(argv, options, buf, r-1) ; } diff --git a/src/tls/s6tls_ucspi_exec_app.c b/src/tls/s6tls_ucspi_exec_app.c index 34c05e2..6a319b6 100644 --- a/src/tls/s6tls_ucspi_exec_app.c +++ b/src/tls/s6tls_ucspi_exec_app.c 
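Review bot: In s6tls_sync_and_exec_app the block passed to `s6tls_clean_and_exec(argv, options, buf, r-1)` comes from a single `read()` and its shape is never checked: nothing verifies that the `r-1` bytes kept end in a NUL, or that the byte dropped is the terminator the writer is presumably expected to send. A short read (the writer splitting its output, or exiting midway) would then reach the exec with a truncated or unterminated modifier block. I would add a check just before the call, for example `if (r > 1 && buf[r-2]) strerr_dief1x(101, "invalid SSL data") ;`, and confirm the exact framing against the code that writes to this pipe, which is not part of this diff.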
@@ -1,26 +1,19 @@ /* ISC license. */ -#include #include #include #include -#include #include "s6tls-internal.h" void s6tls_ucspi_exec_app (char const *const *argv, int const p[4][2], uint32_t options) { size_t m = 0 ; - char modif[sizeof(s6tls_envvars) + 33 + 3 * UINT_FMT] ; + char modif[33 + 3 * UINT_FMT] ; close(p[2][1]) ; close(p[1][1]) ; close(p[0][0]) ; - if (options & 1) - { - memcpy(modif + m, s6tls_envvars, sizeof(s6tls_envvars)) ; - m += sizeof(s6tls_envvars) ; - } memcpy(modif + m, "SSLCTLFD=", 9) ; m += 9 ; m += uint_fmt(modif + m, p[2][0]) ; modif[m++] = 0 ; @@ -30,5 +23,5 @@ void s6tls_ucspi_exec_app (char const *const *argv, int const p[4][2], uint32_t memcpy(modif + m, "SSLWRITEFD=", 11) ; m += 11 ; m += uint_fmt(modif + m, p[0][1]) ; modif[m++] = 0 ; - xmexec_m(argv, modif, m) ; + s6tls_clean_and_exec(argv, options, modif, m) ; } -- cgit v1.2.3
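Review bot: The size of `modif` in s6tls_ucspi_exec_app, `33 + 3 * UINT_FMT`, is a bare constant that has to match the three `memcpy` prefixes and their terminators by hand; 33 fits `SSLCTLFD=` (9) and `SSLWRITEFD=` (11) plus a third prefix of 10 bytes and three NULs, but the third prefix is written between the two hunks and is not visible here. Nothing bounds `m` at run time, so a later change to one of the prefixes would overrun the stack buffer silently, right before the exec. I would add a comment such as `/* 9 + 10 + 11 prefix bytes + 3 NULs, plus three formatted fds */` next to the declaration, or derive the size from `sizeof` of the string literals.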