From 08e88c5efc65a6f49da40aa002bc5f4b0ebee49d Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Sat, 26 Nov 2016 10:04:40 +0000 Subject: Add -z option to s6-tlsc/s6-tlsd to clean TLS env vars before spawning (default) --- src/conn-tools/deps-exe/s6-tlsc | 1 + src/conn-tools/deps-exe/s6-tlsd | 1 + src/conn-tools/s6-tlsc.c | 8 +++++--- src/conn-tools/s6-tlsclient.c | 11 ++++++++--- src/conn-tools/s6-tlsd.c | 8 +++++--- src/conn-tools/s6-tlsserver.c | 11 ++++++++--- src/include/s6-networking/s6net-utils.h | 10 ++++++++++ src/include/s6-networking/s6net.h | 1 + src/libs6net/deps-lib/s6net | 1 + src/libs6net/s6net_clean_tls_and_spawn.c | 21 +++++++++++++++++++++ src/sbearssl/deps-lib/sbearssl | 1 + src/sbearssl/sbearssl_s6tlsc.c | 3 ++- src/sbearssl/sbearssl_s6tlsd.c | 3 ++- src/stls/deps-lib/stls | 1 + src/stls/stls_s6tlsc.c | 3 ++- src/stls/stls_s6tlsd.c | 3 ++- 16 files changed, 71 insertions(+), 16 deletions(-) create mode 100644 src/include/s6-networking/s6net-utils.h create mode 100644 src/libs6net/s6net_clean_tls_and_spawn.c (limited to 'src') diff --git a/src/conn-tools/deps-exe/s6-tlsc b/src/conn-tools/deps-exe/s6-tlsc index d00d2b8..5ae8124 100644 --- a/src/conn-tools/deps-exe/s6-tlsc +++ b/src/conn-tools/deps-exe/s6-tlsc @@ -1,4 +1,5 @@ ${LIBCRYPTOSUPPORT} +${LIBS6NET} -lskarnet ${CRYPTO_LIB} ${SOCKET_LIB} diff --git a/src/conn-tools/deps-exe/s6-tlsd b/src/conn-tools/deps-exe/s6-tlsd index d00d2b8..5ae8124 100644 --- a/src/conn-tools/deps-exe/s6-tlsd +++ b/src/conn-tools/deps-exe/s6-tlsd @@ -1,4 +1,5 @@ ${LIBCRYPTOSUPPORT} +${LIBS6NET} -lskarnet ${CRYPTO_LIB} ${SOCKET_LIB} diff --git a/src/conn-tools/s6-tlsc.c b/src/conn-tools/s6-tlsc.c index 4476690..0c26ab0 100644 --- a/src/conn-tools/s6-tlsc.c +++ b/src/conn-tools/s6-tlsc.c 
@@ -31,7 +31,7 @@ #endif -#define USAGE "s6-tlsc [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -k servername ] [ -6 rfd ] [ -7 wfd ] prog..." +#define USAGE "s6-tlsc [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -k servername ] [ -Z | -z ] [ -6 rfd ] [ -7 wfd ] prog..." #define dieusage() strerr_dieusage(100, USAGE) int main (int argc, char const *const *argv, char const *const *envp) @@ -41,7 +41,7 @@ int main (int argc, char const *const *argv, char const *const *envp) unsigned int verbosity = 1 ; uid_t uid = 0 ; gid_t gid = 0 ; - uint32_t preoptions = 0 ; + uint32_t preoptions = 2 ; uint32_t options = 1 ; int fds[2] = { 6, 7 } ; @@ -51,7 +51,7 @@ int main (int argc, char const *const *argv, char const *const *envp) unsigned int t = 0 ; for (;;) { - register int opt = subgetopt_r(argc, argv, "SsYyv:K:k:6:7:", &l) ; + register int opt = subgetopt_r(argc, argv, "SsYyv:K:k:Zz6:7:", &l) ; if (opt == -1) break ; switch (opt) { @@ -62,6 +62,8 @@ int main (int argc, char const *const *argv, char const *const *envp) case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; case 'k' : servername = l.arg ; break ; + case 'Z' : preoptions &= ~(uint32_t)2 ; break ; + case 'z' : preoptions |= 2 ; break ; case '6' : { unsigned int fd ; diff --git a/src/conn-tools/s6-tlsclient.c b/src/conn-tools/s6-tlsclient.c index a1cd75d..1aa66fb 100644 --- a/src/conn-tools/s6-tlsclient.c +++ b/src/conn-tools/s6-tlsclient.c @@ -11,7 +11,7 @@ #define USAGE "s6-tlsclient [ options ] host port prog...\n" \ "s6-tcpclient options: [ -q | -Q | -v ] [ -4 | -6 ] [ -d | -D ] [ -r | -R ] [ -h | -H ] [ -n | -N ] [ -t timeout ] [ -l localname ] [ -T timeoutconn ] [ -i localip ] [ -p localport ]\n" \ -"s6-tlsc options: [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -k servername ]" +"s6-tlsc options: [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -k servername ] [ -Z | -z ]" #define dieusage() strerr_dieusage(100, USAGE) 
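Review bot: The environment-cleaning flag is a bare `2` in s6-tlsc.c, both in the new default `uint32_t preoptions = 2 ;` and in the `-Z`/`-z` cases of the option switch. The same literal is repeated in s6-tlsd.c and, as `!!(preoptions & 2)`, at the four backend call sites. Because this bit decides whether CADIR, CAFILE, KEYFILE, CERTFILE, TLS_UID and TLS_GID reach the spawned program, a shared named constant would make it harder for the parser and the backends to drift apart. At minimum the default deserves a comment such as `/* bit value 2: remove TLS variables from the child's environment (-z, default; -Z disables) */`. `main` continues outside these hunks.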
@@ -35,6 +35,7 @@ struct options_s unsigned int flagN : 1 ; unsigned int flagS : 1 ; unsigned int flagy : 1 ; + unsigned int flagZ : 1 ; unsigned int doxy : 1 ; } ; @@ -57,6 +58,7 @@ struct options_s .flagN = 0, \ .flagS = 0, \ .flagy = 0, \ + .flagZ = 0, \ .doxy = 0 \ } @@ -68,7 +70,7 @@ int main (int argc, char const *const *argv, char const *const *envp) subgetopt_t l = SUBGETOPT_ZERO ; for (;;) { - register int opt = subgetopt_r(argc, argv, "qQv46DdHhRrnNt:l:T:i:p:SsYyK:k:", &l) ; + register int opt = subgetopt_r(argc, argv, "qQv46DdHhRrnNt:l:T:i:p:SsYyK:k:Zz", &l) ; if (opt == -1) break ; switch (opt) { @@ -109,6 +111,8 @@ int main (int argc, char const *const *argv, char const *const *envp) case 'y' : o.flagy = 1 ; break ; case 'K' : if (!uint0_scan(l.arg, &o.kimeout)) dieusage() ; break ; case 'k' : o.servername = l.arg ; break ; + case 'Z' : o.flagZ = 1 ; break ; + case 'z' : o.flagZ = 0 ; break ; default : dieusage() ; } } @@ -127,7 +131,7 @@ int main (int argc, char const *const *argv, char const *const *envp) unsigned int m = 0 ; unsigned int pos = 0 ; char fmt[UINT_FMT * 4 + UINT16_FMT + IP46_FMT] ; - char const *newargv[28 + argc] ; + char const *newargv[29 + argc] ; newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpclient" ; if (o.verbosity != 1) newargv[m++] = o.verbosity ? "-v" : "-q" ; if (o.flag4) newargv[m++] = "-4" ; @@ -187,6 +191,7 @@ int main (int argc, char const *const *argv, char const *const *envp) newargv[m++] = "-k" ; newargv[m++] = o.servername ; } + if (o.flagZ) newargv[m++] = "-Z" ; newargv[m++] = "--" ; while (*argv) newargv[m++] = *argv++ ; newargv[m++] = 0 ; diff --git a/src/conn-tools/s6-tlsd.c b/src/conn-tools/s6-tlsd.c index 6a6d4ef..a4a1d4c 100644 --- a/src/conn-tools/s6-tlsd.c +++ b/src/conn-tools/s6-tlsd.c 
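Review bot: `char const *newargv[29 + argc]` in s6-tlsclient.c is a stack array whose bound is a hand-maintained count. Every newly forwarded flag, such as `if (o.flagZ) newargv[m++] = "-Z" ;`, has to be matched by a bump of the constant, as this commit does here and with `47 + argc` in s6-tlsserver.c. Nothing visible in these hunks checks `m` against the bound, so a missed bump would write past the end of the array. The rest of `main` is outside the hunks, so a check may exist elsewhere. A comment on the declaration would make the coupling explicit, for example `/* 29: worst-case number of generated entries; bump when forwarding a new option */`.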
@@ -30,7 +30,7 @@ #endif -#define USAGE "s6-tlsd [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] prog..." +#define USAGE "s6-tlsd [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] prog..." #define dieusage() strerr_dieusage(100, USAGE) int main (int argc, char const *const *argv, char const *const *envp) @@ -39,7 +39,7 @@ int main (int argc, char const *const *argv, char const *const *envp) unsigned int verbosity = 1 ; uid_t uid = 0 ; gid_t gid = 0 ; - uint32_t preoptions = 0 ; + uint32_t preoptions = 2 ; uint32_t options = 1 ; PROG = "s6-tlsd" ; @@ -48,7 +48,7 @@ int main (int argc, char const *const *argv, char const *const *envp) unsigned int t = 0 ; for (;;) { - register int opt = subgetopt_r(argc, argv, "SsYyv:K:", &l) ; + register int opt = subgetopt_r(argc, argv, "SsYyv:K:Zz", &l) ; if (opt == -1) break ; switch (opt) { @@ -58,6 +58,8 @@ int main (int argc, char const *const *argv, char const *const *envp) case 'y' : preoptions |= 1 ; break ; case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ; + case 'Z' : preoptions &= ~(uint32_t)2 ; break ; + case 'z' : preoptions |= 2 ; break ; default : dieusage() ; } } diff --git a/src/conn-tools/s6-tlsserver.c b/src/conn-tools/s6-tlsserver.c index ef5abe4..d7604a9 100644 --- a/src/conn-tools/s6-tlsserver.c +++ b/src/conn-tools/s6-tlsserver.c @@ -14,7 +14,7 @@ #define USAGE "s6-tlsserver [ options ] ip port prog...\n" \ "s6-tcpserver options: [ -q | -Q | -v ] [ -4 | -6 ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gidlist ] [ -g gid ] [ -u uid ] [ -U ]\n" \ "s6-tcpserver-access options: [ -W | -w ] [ -D | -d ] [ -H | -h ] [ -R | -r ] [ -P | -p ] [ -l localname ] [ -B banner ] [ -t timeout ] [ -i rulesdir | -x rulesfile ]\n" \ -"s6-tlsd options: [ -S | -s ] [ -Y | -y ] [ -K timeout ]" +"s6-tlsd options: [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -Z | -z ]" #define dieusage() strerr_dieusage(100, USAGE) 
@@ -45,6 +45,7 @@ struct options_s unsigned int ruleswhat : 2 ; unsigned int flagS : 1 ; unsigned int flagy : 1 ; + unsigned int flagZ : 1 ; unsigned int doaccess : 1 ; unsigned int doapply : 1 ; } ; @@ -74,6 +75,7 @@ struct options_s .ruleswhat = 0, \ .flagS = 0, \ .flagy = 0, \ + .flagZ = 0, \ .doaccess = 0, \ .doapply = 0 \ } @@ -86,7 +88,7 @@ int main (int argc, char const *const *argv, char const *const *envp) subgetopt_t l = SUBGETOPT_ZERO ; for (;;) { - register int opt = subgetopt_r(argc, argv, "qQv461c:C:b:G:g:u:UWwDdHhRrPpl:B:t:i:x:SsYyK:", &l) ; + register int opt = subgetopt_r(argc, argv, "qQv461c:C:b:G:g:u:UWwDdHhRrPpl:B:t:i:x:SsYyK:Zz", &l) ; if (opt == -1) break ; switch (opt) { @@ -123,6 +125,8 @@ int main (int argc, char const *const *argv, char const *const *envp) case 'Y' : o.flagy = 0 ; break ; case 'y' : o.flagy = 1 ; break ; case 'K' : if (!uint0_scan(l.arg, &o.kimeout)) dieusage() ; break ; + case 'Z' : o.flagZ = 1 ; break ; + case 'z' : o.flagZ = 0 ; break ; default : dieusage() ; } } @@ -134,7 +138,7 @@ int main (int argc, char const *const *argv, char const *const *envp) unsigned int m = 0 ; unsigned int pos = 0 ; char fmt[UINT_FMT * 5 + GID_FMT * (NGROUPS_MAX + 1) + UINT64_FMT] ; - char const *newargv[46 + argc] ; + char const *newargv[47 + argc] ; newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver" ; if (o.verbosity != 1) newargv[m++] = o.verbosity ? "-v" : "-q" ; if (o.flag46) newargv[m++] = o.flag46 == 1 ? "-4" : "-6" ; @@ -215,6 +219,7 @@ int main (int argc, char const *const *argv, char const *const *envp) pos += uint_fmt(fmt + pos, o.kimeout) ; fmt[pos++] = 0 ; } + if (o.flagZ) newargv[m++] = "-Z" ; newargv[m++] = "--" ; if (o.doapply) { diff --git a/src/include/s6-networking/s6net-utils.h b/src/include/s6-networking/s6net-utils.h new file mode 100644 index 0000000..2e7d2f9 --- /dev/null +++ b/src/include/s6-networking/s6net-utils.h 
@@ -0,0 +1,10 @@ +/* ISC license. */ + +#ifndef S6NET_UTILS_H +#define S6NET_UTILS_H + +#include + +extern pid_t s6net_clean_tls_and_spawn (char const *const *, char const *const *, int *, uint32_t) ; + +#endif diff --git a/src/include/s6-networking/s6net.h b/src/include/s6-networking/s6net.h index 8778527..fef4ef7 100644 --- a/src/include/s6-networking/s6net.h +++ b/src/include/s6-networking/s6net.h @@ -4,5 +4,6 @@ #define S6NET_H #include +#include #endif diff --git a/src/libs6net/deps-lib/s6net b/src/libs6net/deps-lib/s6net index 27067c4..b8be843 100644 --- a/src/libs6net/deps-lib/s6net +++ b/src/libs6net/deps-lib/s6net @@ -2,4 +2,5 @@ s6net_ident_client.o s6net_ident_reply_get.o s6net_ident_reply_parse.o s6net_ident_error.o +s6net_clean_tls_and_spawn.o -lskarnet diff --git a/src/libs6net/s6net_clean_tls_and_spawn.c b/src/libs6net/s6net_clean_tls_and_spawn.c new file mode 100644 index 0000000..67ba79b --- /dev/null +++ b/src/libs6net/s6net_clean_tls_and_spawn.c @@ -0,0 +1,21 @@ +/* ISC license. */ + +#include +#include +#include +#include + +pid_t s6net_clean_tls_and_spawn (char const *const *argv, char const *const *envp, int *fds, uint32_t options) +{ + if (!(options & 1)) return child_spawn2(argv[0], argv, envp, fds) ; + else + { + char const modifs[] = "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID" ; + size_t modiflen = sizeof(modifs) ; + size_t n = env_len(envp) ; + char const *newenv[n + 7] ; + size_t newenvlen = env_merge(newenv, n+7, envp, n, modifs, modiflen) ; + if (!newenvlen) return 0 ; + return child_spawn2(argv[0], argv, newenv, fds) ; + } +} diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl index 0b7b02f..4e2d76c 100644 --- a/src/sbearssl/deps-lib/sbearssl +++ b/src/sbearssl/deps-lib/sbearssl @@ -31,4 +31,5 @@ sbearssl_ta_to.o sbearssl_s6tlsc.o sbearssl_s6tlsd.o -lbearssl +-ls6net -lskarnet diff --git a/src/sbearssl/sbearssl_s6tlsc.c b/src/sbearssl/sbearssl_s6tlsc.c index 8bc8f65..5665edc 100644 
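Review bot: `s6net_clean_tls_and_spawn` in the new s6net_clean_tls_and_spawn.c has no comment stating its contract, and the prototype in s6net-utils.h leaves all four parameters unnamed. Cleaning is selected by bit 0 of `options` (callers pass `!!(preoptions & 2)`), and 0 is returned when `env_merge` yields 0 as well as on whatever `child_spawn2` returns. A header comment would cover this: `/* If options & 1, spawn argv with CADIR, CAFILE, KEYFILE, CERTFILE, TLS_UID and TLS_GID removed from envp; returns the child pid, or 0 on failure. */`. The `n + 7` bound appears to be the six names in `modifs` plus the terminating null pointer; a short `/* 6 names in modifs + terminating null */` next to `newenv` would keep the two in step if the list grows.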
--- a/src/sbearssl/sbearssl_s6tlsc.c +++ b/src/sbearssl/sbearssl_s6tlsc.c @@ -11,6 +11,7 @@ #include #include #include +#include #include int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity, char const *servername, int *sfd) @@ -65,7 +66,7 @@ int sbearssl_s6tlsc (char const *const *argv, char const *const *envp, tain_t co br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ; random_finish() ; - pid = child_spawn2(argv[0], argv, envp, fds) ; + pid = s6net_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ; if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c index 35dd18a..3a27e9f 100644 --- a/src/sbearssl/sbearssl_s6tlsd.c +++ b/src/sbearssl/sbearssl_s6tlsd.c @@ -11,6 +11,7 @@ #include #include #include +#include #include int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t const *tto, uint32_t preoptions, uint32_t options, uid_t uid, gid_t gid, unsigned int verbosity) @@ -90,7 +91,7 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co br_ssl_engine_inject_entropy(&sc.eng, buf, 32) ; random_finish() ; - pid = child_spawn2(argv[0], argv, envp, fds) ; + pid = s6net_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ; if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ; if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; diff --git a/src/stls/deps-lib/stls b/src/stls/deps-lib/stls index 799c7ae..f215998 100644 --- a/src/stls/deps-lib/stls +++ b/src/stls/deps-lib/stls @@ -2,4 +2,5 @@ stls_run.o stls_s6tlsc.o stls_s6tlsd.o -ltls +-ls6net -lskarnet diff --git a/src/stls/stls_s6tlsc.c b/src/stls/stls_s6tlsc.c index aa82087..194afb9 100644 --- a/src/stls/stls_s6tlsc.c 
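Review bot: In sbearssl_s6tlsc.c the result of `s6net_clean_tls_and_spawn` is not tested before the `setgid`/`setuid` lines that follow it in the hunk. The sbearssl_s6tlsd.c, stls_s6tlsc.c and stls_s6tlsd.c hunks all show `if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ;` immediately after the call. The new helper returns 0 when `env_merge` fails as well as when the spawn fails, so this path now has one more way to continue without a child. Adding the same line after the call here would bring the BearSSL client in line with the other three backends. The function continues outside the hunk, so a later check may exist that is not visible here.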
+++ b/src/stls/stls_s6tlsc.c @@ -8,6 +8,7 @@ #include #include #include +#include #include #define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg)) @@ -73,7 +74,7 @@ int stls_s6tlsc (char const *const *argv, char const *const *envp, tain_t const if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ; tls_config_free(cfg) ; - pid = child_spawn2(argv[0], argv, envp, fds) ; + pid = s6net_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ; if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ; if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; diff --git a/src/stls/stls_s6tlsd.c b/src/stls/stls_s6tlsd.c index 61b1343..ff1b308 100644 --- a/src/stls/stls_s6tlsd.c +++ b/src/stls/stls_s6tlsd.c @@ -8,6 +8,7 @@ #include #include #include +#include #include #define diecfg(cfg, s) strerr_diefu3x(96, (s), ": ", tls_config_error(cfg)) @@ -70,7 +71,7 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ; tls_config_free(cfg) ; - pid = child_spawn2(argv[0], argv, envp, fds) ; + pid = s6net_clean_tls_and_spawn(argv, envp, fds, !!(preoptions & 2)) ; if (!pid) strerr_diefu2sys(111, "spawn ", argv[0]) ; if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; -- cgit v1.2.3