| author | Guilhem Moulin <guilhem@fripost.org> | 2021-02-18 00:49:46 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2021-02-18 00:56:40 +0100 | 
| commit | 42a8f9813716ed3495b6f49edea429b127eef0f0 (patch) | |
| tree | 616e5c25b1f16d661f842d96f059680668006c6d /lacme-accountd | |
| parent | d72df441f86f759bf143df745ff13fd9b90597bf (diff) | |
accountd: replace internal option --conn-fd=FD with flag --stdio.
Using stdin/stdout makes it possible to tunnel the accountd connection
through ssh.
Diffstat (limited to 'lacme-accountd')
| -rwxr-xr-x | lacme-accountd | 27 | 
1 files changed, 11 insertions, 16 deletions
diff --git a/lacme-accountd b/lacme-accountd
index c00530f..7b9b1ff 100755
--- a/lacme-accountd
+++ b/lacme-accountd
@@ -60,7 +60,7 @@ sub usage(;$$) {
     }
     exit $rv;
 }
-usage(1) unless GetOptions(\%OPTS, qw/config=s privkey=s socket=s conn-fd=i quiet|q debug help|h/);
+usage(1) unless GetOptions(\%OPTS, qw/config=s privkey=s socket=s stdio quiet|q debug help|h/);
 usage(0) if $OPTS{help};
 do {
@@ -137,11 +137,7 @@ my $JWK_STR = JSON::->new->encode($JWK);
 # to support the abstract namespace.)  The downside is that we have to
 # delete the file manually.
 #
-if (defined $OPTS{'conn-fd'}) {
-    die "Invalid file descriptor" unless $OPTS{'conn-fd'} =~ /\A(\d+)\z/;
-    # untaint and fdopen(3) our end of the socket pair
-    open ($S, '+<&=', $1+0) or die "fdopen($1): $!";
-} else {
+unless (defined $OPTS{stdio}) {
     my $sockname = $OPTS{socket} // (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef);
     die "Missing socket option\n" unless defined $sockname;
     $sockname = $sockname =~ /\A(\p{Print}+)\z/ ? $1 : die "Invalid socket name\n"; # untaint $sockname
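Review bot: The new `unless (defined $OPTS{stdio})` lets `--stdio` silently override `--socket` and `XDG_RUNTIME_DIR`: an invocation that passes both options gets stdio mode with no listener and no diagnostic. I would reject the combination up front, e.g. `die "--stdio and --socket are mutually exclusive\n" if defined $OPTS{stdio} and defined $OPTS{socket};` placed just before the `unless`. A comment on that line should also spell out that stdio mode performs no peer check of its own — whoever holds stdin/stdout obtains signatures with the account key — so access control is entirely delegated to the transport (presumably an ssh forced command, as the commit message implies), unlike the socket path whose access control lives outside this hunk. The `unless` block continues past the end of the hunk.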
@@ -169,22 +165,21 @@ if (defined $OPTS{'conn-fd'}) {
 # For each new connection, send the protocol version and the account key's
 # public parameters, then sign whatever comes in
 #
-sub conn($;$) {
-    my $conn = shift;
-    my $count = shift;
-    $conn->printflush( "$PROTOCOL_VERSION OK", "\r\n", $JWK_STR, "\r\n" ) or warn "print: $!";
+sub conn($$;$) {
+    my ($in, $out, $id) = @_;
+    $out->printflush( "$PROTOCOL_VERSION OK", "\r\n", $JWK_STR, "\r\n" ) or warn "print: $!";
     # sign whatever comes in
-    while (defined (my $data = $conn->getline())) {
+    while (defined (my $data = $in->getline())) {
         $data =~ s/\r\n\z// or die;
-        print STDERR "[$count] >>> Issuing SHA-256 signature for: $data\n" unless $OPTS{quiet};
+        print STDERR "[$id] >>> Issuing SHA-256 signature for: $data\n" unless $OPTS{quiet};
         my $sig = $SIGN->($data);
-        $conn->printflush( encode_base64url($sig), "\r\n" ) or warn "print: $!";
+        $out->printflush( encode_base64url($sig), "\r\n" ) or warn "print: $!";
     }
 }
-if (defined $OPTS{'conn-fd'}) {
-    conn($S, $$);
+if (defined $OPTS{stdio}) {
+    conn(\*STDIN, \*STDOUT, $$);
 } else {
     $SIG{PIPE} = 'IGNORE'; # ignore broken pipes
     for (my $count = 0;; $count++) {
@@ -193,7 +188,7 @@ if (defined $OPTS{'conn-fd'}) {
             die "accept: $!";
         };
         print STDERR "[$count] >>> Accepted new connection\n" unless $OPTS{quiet};
-        conn($conn, $count);
+        conn($conn, $conn, $count);
         print STDERR "[$count] >>> Connection terminated\n" unless $OPTS{quiet};
         $conn->close() or warn "close: $!";
     }
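Review bot: The stdio branch `conn(\*STDIN, \*STDOUT, $$)` runs with the default SIGPIPE disposition, because `$SIG{PIPE} = 'IGNORE'` is set only inside the socket `else` branch; if the ssh peer disappears, the next `printflush` to STDOUT kills the process by signal before the `warn "print: $!"` path is ever reached. If exiting on peer disconnect is intended for a one-shot stdio session, say so in a comment on the `if (defined $OPTS{stdio})` line; otherwise hoist `$SIG{PIPE} = 'IGNORE'; # ignore broken pipes` above the `if` so both modes report write failures the same way. Calling `printflush`/`getline` on the `\*STDIN`/`\*STDOUT` glob refs also relies on IO::Handle methods being available on bare handles (autoloaded since perl 5.14); if the script does not already `use IO::Handle` — its preamble is not visible here — add it. The `for` loop at the end of the hunk continues outside it.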
