/*
 * Tear down MatrixSSL's OS-dependent layer.  The only thing this hook does
 * is forward to sslCloseOsdep(); presumably the linked MatrixSSL build
 * expects a matrixPkiClose symbol to exist — confirm against the library
 * headers before removing it.
 */
void matrixPkiClose(void)
{
	sslCloseOsdep();
}
/*
 * Pull the SSLIO_* tunables out of the environment into the file-scope
 * settings.  Runs once, before the fork, so both halves see the same values.
 *
 *   SSLIO_BAD_CERTIFICATE  kept as a string pointer (NULL when unset)
 *   SSLIO_BUFIN / SSLIO_BUFOU  buffer sizes, floored at 64; note that no
 *                          upper bound is applied here
 *   SSLIO_HANDSHAKE_TIMEOUT  floored at 1
 *
 * scan_ulong()'s return value (characters consumed) is not checked, so a
 * non-numeric value simply leaves whatever scan_ulong stored.
 */
static void ssl_io_read_env(void)
{
	bad_certificate = env_get("SSLIO_BAD_CERTIFICATE");

	if ((s = env_get("SSLIO_BUFIN")))
		scan_ulong(s, &bufsizein);
	if ((s = env_get("SSLIO_BUFOU")))
		scan_ulong(s, &bufsizeou);
	if (bufsizein < 64)
		bufsizein = 64;
	if (bufsizeou < 64)
		bufsizeou = 64;

	if ((s = env_get("SSLIO_HANDSHAKE_TIMEOUT")))
		scan_ulong(s, &handshake_timeout);
	if (handshake_timeout < 1)
		handshake_timeout = 1;
}

/*
 * TLS-engine half of the fork.  Closes the pipe ends that belong to the
 * parent, initialises MatrixSSL, confines itself (chroot, then privilege
 * drop), loads the key material, installs signal handling and pumps bytes
 * via doio() until finish(); ends with _exit(0).  Every failure goes
 * through fatal()/fatalm()/fatalmx() with the original message text.
 *
 * newsession: non-zero builds a fresh MatrixSSL session; zero reuses the
 *             `ssl`/`keys` globals as they already are (set up elsewhere).
 */
static void ssl_io_child(unsigned int newsession)
{
	/* the child reads from encpipe and writes to decpipe; drop the other ends */
	if (close(encpipe[1]) == -1)
		fatalm("unable to close encoding pipe output");
	if (close(decpipe[0]) == -1)
		fatalm("unable to close decoding pipe input");

	/* Library init is done *before* chroot/setuid.  Presumably the OS layer
	 * needs resources (e.g. an entropy device) that are not reachable from
	 * inside the jail — confirm against the MatrixSSL version in use. */
	if (newsession && matrixSslOpen() < 0)
		fatalm("unable to initialize ssl");

	if (root) {
		/* chdir first, then chroot("."), so the cwd is inside the new root */
		if (chdir(root) == -1)
			fatalm("unable to change to new root directory");
		if (chroot(".") == -1)
			fatalm("unable to chroot");
	}

	if (ssluser) {
		/* drop permissions in the only safe order: supplementary groups,
		 * primary gid, and uid last (after which the others can't change) */
		if (setgroups(sslugid.gids, sslugid.gid) == -1)
			fatal("unable to set groups");
		if (setgid(*sslugid.gid) == -1)
			fatal("unable to set gid");
		if (prot_uid(sslugid.uid) == -1)
			fatalm("unable to set uid");
	}

	if (newsession) {
		/* Key material is loaded after chroot and after the privilege drop:
		 * cert/key/ca paths are therefore relative to `root` and the files
		 * must be readable by `ssluser`.  That keeps root privileges out of
		 * the parsing code, at the cost that the unprivileged engine holds
		 * a readable copy of the private key. */
		if (matrixSslReadKeys(&keys, cert, key, 0, ca) < 0) {
			if (client)
				fatalm("unable to read cert, key, or ca file");
			fatalm("unable to read cert or key file");
		}
		if (matrixSslNewSession(&ssl, keys, 0, client ? 0 : SSL_FLAGS_SERVER) < 0)
			fatalmx("unable to create ssl session");
	}

	/* Client side only: a validator is installed when a ca was given or
	 * SSLIO_BAD_CERTIFICATE is set.  With neither, no validator is set and
	 * the peer certificate is left to MatrixSSL's default handling — check
	 * what that default accepts before relying on it for authentication. */
	if (client && (ca || bad_certificate))
		matrixSslSetCertValidator(ssl, &validate, 0);

	sig_catch(sig_term, sig_term_handler);
	sig_ignore(sig_pipe);
	doio();
	finish();
	_exit(0);
}

/*
 * Set up the TLS I/O pair and hand control to prog.
 *
 * Forks once.  The child becomes the TLS engine (see ssl_io_child()).  The
 * parent keeps the read end of the decoding pipe and the write end of the
 * encoding pipe, moves them onto fdstdin/fdstdou — 6 and 7 in client mode,
 * otherwise whatever the globals already hold — releases MatrixSSL's OS
 * layer, optionally drops to `svuser`, and execs prog.  prog therefore
 * only ever sees cleartext on those descriptors; the network-facing
 * descriptors stay with the child.
 *
 * newsession: forwarded to the child; non-zero means "open a new session".
 * prog:       argv for pathexec().
 *
 * Returns 111 only if pathexec() returns, i.e. prog could not be executed
 * (fatalm() will normally have terminated the process first).  All other
 * failures are fatal.
 */
int ssl_io(unsigned int newsession, const char **prog)
{
	if (client) {
		/* client mode: prog talks to us on the ucspi client descriptors */
		fdstdin = 6;
		fdstdou = 7;
	}
	ssl_io_read_env();

	if (pipe(encpipe) == -1)
		fatalm("unable to create pipe for encoding");
	if (pipe(decpipe) == -1)
		fatalm("unable to create pipe for decoding");

	pid = fork();
	if (pid == -1)
		fatalm("unable to fork");
	if (pid == 0)
		ssl_io_child(newsession);	/* does not return */

	/* parent: keep decpipe[0] (cleartext in) and encpipe[1] (cleartext out) */
	if (close(encpipe[0]) == -1)
		fatalm("unable to close encoding pipe input");
	if (close(decpipe[1]) == -1)
		fatalm("unable to close decoding pipe output");
	if (fd_move(fdstdin, decpipe[0]) == -1)
		fatalm("unable to setup filedescriptor for decoding");
	if (fd_move(fdstdou, encpipe[1]) == -1)
		fatalm("unable to setup filedescriptor for encoding");

	/* the parent never touches TLS again; release the library's OS layer */
	sslCloseOsdep();

	if (svuser) {
		/* same drop order as the child: groups, gid, then uid */
		if (setgroups(ugid.gids, ugid.gid) == -1)
			fatal("unable to set groups for prog");
		if (setgid(*ugid.gid) == -1)
			fatal("unable to set gid for prog");
		if (prot_uid(ugid.uid) == -1)
			fatalm("unable to set uid for prog");
	}

	pathexec(prog);
	fatalm("unable to run prog");
	return 111;
}