Diffstat (limited to 'bounce.c')
-rw-r--r--bounce.c57
1 files changed, 13 insertions, 44 deletions
diff --git a/bounce.c b/bounce.c
index 9ab0f1d..556c682 100644
--- a/bounce.c
+++ b/bounce.c
@@ -135,7 +135,7 @@ static struct timeval parseInterval(const char *str) {
 }
 
 static void hashPass(void);
-static void genCert(const char *path, const char *ca);
+static void genCert(const char *path);
 
 int main(int argc, char *argv[]) {
 	int error;
@@ -256,7 +256,7 @@ int main(int argc, char *argv[]) {
 		}
 	}
 	if (blindReq & CapUnsupported) errx(EX_USAGE, "unsupported capability");
-	if (genPath) genCert(genPath, caPath);
+	if (genPath) genCert(genPath);
 
 	if (bindPath[0]) {
 		struct stat st;
@@ -498,56 +498,25 @@ static void hashPass(void) {
 }
 #endif
 
-static void genReq(const char *path) {
-	const char *name = strrchr(path, '/');
-	name = (name ? &name[1] : path);
-	char subj[256];
-	snprintf(subj, sizeof(subj), "/CN=%.*s", (int)strcspn(name, "."), name);
-	execlp(
-		OPENSSL_BIN, "openssl", "req",
-		"-new", "-newkey", "rsa:4096", "-sha256", "-nodes",
-		"-subj", subj, "-keyout", path,
-		NULL
-	);
-	err(EX_UNAVAILABLE, "openssl");
-}
-
-static void redir(int dst, int src) {
-	int fd = dup2(src, dst);
-	if (fd < 0) err(EX_OSERR, "dup2");
-	close(src);
-}
-
-static void genCert(const char *path, const char *ca) {
-	int out = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
-	if (out < 0) err(EX_CANTCREAT, "%s", path);
-
+static void genCert(const char *path) {
 	int error;
+
 #ifdef __OpenBSD__
 	error = pledge("stdio proc exec", NULL);
 	if (error) err(EX_OSERR, "pledge");
 #endif
 
-	int rw[2];
-	error = pipe(rw);
-	if (error) err(EX_OSERR, "pipe");
-
-	pid_t pid = fork();
-	if (pid < 0) err(EX_OSERR, "fork");
-	if (!pid) {
-		close(rw[0]);
-		redir(STDOUT_FILENO, rw[1]);
-		genReq(path);
-	}
+	const char *name = strrchr(path, '/');
+	name = (name ? &name[1] : path);
+	char subj[256];
+	snprintf(subj, sizeof(subj), "/CN=%.*s", (int)strcspn(name, "."), name);
 
-	close(rw[1]);
-	redir(STDIN_FILENO, rw[0]);
-	redir(STDOUT_FILENO, out);
+	umask(0066);
 	execlp(
-		OPENSSL_BIN, "openssl", "x509",
-		"-req", "-days", "3650", "-CAcreateserial",
-		(ca ? "-CA" : "-signkey"), (ca ? ca : path),
+		OPENSSL_BIN, "openssl", "req",
+		"-x509", "-new", "-newkey", "rsa:4096", "-sha256", "-days", "3650",
+		"-nodes", "-subj", subj, "-out", path, "-keyout", path,
 		NULL
 	);
-	err(EX_UNAVAILABLE, "openssl");
+	err(127, "openssl");
 }
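Review bot: The pledge promise on the `#ifdef __OpenBSD__` line still requests "proc", but the rewrite removes the only callers that needed it (the fork() and pipe() of the old genReq/redir path), so it can be narrowed to `error = pledge("stdio exec", NULL);` (umask and execlp fall under stdio/exec). The umask(0066) call now stands in for the explicit open(..., 0600) the old code used, which only governs the mode openssl gives a newly created file; if `path` already exists its mode is left as-is, so a previously world-readable file would keep that mode while receiving the unencrypted key — a one-line `// umask only affects newly created files; an existing path keeps its mode` comment would make that expectation visible. Passing the same `path` to both `-out` and `-keyout` appears to rely on openssl opening the second file in append mode rather than truncating the key just written; a short comment stating that dependency would help the next reader. The exit-status change to `err(127, ...)` is undocumented; a `// 127: exec failed, mirrors shell convention` comment would explain the magic number.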