diff options
author | June McEnroe <june@causal.agency> | 2019-10-27 20:33:27 -0400 |
---|---|---|
committer | June McEnroe <june@causal.agency> | 2019-11-01 01:01:12 -0400 |
commit | 227054387ce7abc295a693a7375b398db02ba222 (patch) | |
tree | 7c78ca4ef6e602f145ca488737a6bebe83981a98 | |
parent | Use explicit_bzero to clear passwords (diff) | |
download | pounce-227054387ce7abc295a693a7375b398db02ba222.tar.gz pounce-227054387ce7abc295a693a7375b398db02ba222.zip |
Use capsicum
-rw-r--r-- | bounce.c | 22 | ||||
-rw-r--r-- | server.c | 3 |
2 files changed, 25 insertions, 0 deletions
diff --git a/bounce.c b/bounce.c index 49bc0f9..bb4f902 100644 --- a/bounce.c +++ b/bounce.c @@ -34,6 +34,10 @@ #include <tls.h> #include <unistd.h> +#ifdef __FreeBSD__ +#include <sys/capsicum.h> +#endif + #ifndef SIGINFO #define SIGINFO SIGUSR2 #endif @@ -195,6 +199,24 @@ int main(int argc, char *argv[]) { size_t binds = listenBind(bind, 8, bindHost, bindPort); int server = serverConnect(insecure, host, port); + +#ifdef __FreeBSD__ + int error = cap_enter(); + if (error) err(EX_OSERR, "cap_enter"); + + cap_rights_t sockRights, bindRights; + cap_rights_init(&sockRights, CAP_EVENT, CAP_RECV, CAP_SEND, CAP_SETSOCKOPT); + cap_rights_init(&bindRights, CAP_LISTEN, CAP_ACCEPT); + cap_rights_merge(&bindRights, &sockRights); + + for (size_t i = 0; i < binds; ++i) { + error = cap_rights_limit(bind[i], &bindRights); + if (error) err(EX_OSERR, "cap_rights_limit"); + } + error = cap_rights_limit(server, &sockRights); + if (error) err(EX_OSERR, "cap_rights_limit"); +#endif + stateLogin(pass, auth, nick, user, real); if (pass) explicit_bzero(pass, strlen(pass)); if (auth) explicit_bzero(auth, strlen(auth)); diff --git a/server.c b/server.c index e1fc328..e23dc9a 100644 --- a/server.c +++ b/server.c @@ -80,6 +80,9 @@ int serverConnect(bool insecure, const char *host, const char *port) { error = tls_connect_socket(client, sock, host); if (error) errx(EX_PROTOCOL, "tls_connect: %s", tls_error(client)); + error = tls_handshake(client); + if (error) errx(EX_PROTOCOL, "tls_handshake: %s", tls_error(client)); + return sock; } |