Corrections in Python wrappers

root · root · commit e0fdf3a046ed · 2018-10-24T12:27:09.000Z
Management of file descriptors was leaking.  The cryptfd was closed
by the tlspool_starttls() call or TLS Pool but also by Python, for
instance when garbage collecting the cryptfd.  This allowed closing
the same socket twice or, more accurately put, closing of the same
file descriptor number.  An intermediate process might have opened
another stream with the same number, and seen it closed.  Yet an
other process might have opened it once again and receive spurious
information from the stashed file descriptor in, say, the syslog()
API or Python sockets.
diff --git a/lib/python/Makefile b/lib/python/Makefile
@@ -41,7 +41,7 @@ _tlspool.so: tlspool.c
 	python setup.py build_ext --inplace
 
 tlspool.c: py-tlspool.i ../swig-tlspool.i
-	grep -h '^#define \(PIOF_\|PIOC_\|TLSPOOL_\)' ../../include/tlspool/commands.h ../../include/tlspool/starttls.h | grep -v 'PATH.*\\' | sort | uniq > defines.h
+	grep -h '^#define \(PIOF_\|PIOC_\|TLSPOOL_\)' ../../include/tlspool/commands.h ../../include/tlspool/starttls.h | grep -v 'PATH.*\\' | grep -v 'windows' | sort | uniq > defines.h
 	$(SWIG) -python -threads -o "$@" "$<"
 
 .c.o:
diff --git a/lib/python/py-tlspool.i b/lib/python/py-tlspool.i
@@ -179,6 +179,19 @@ class Connection:
 		   access afterwards.  The variables that are required at
 		   this point are service and, already obliged when making
 		   a new instance, cryptfd.
+
+                   Quoting the library documentation on file handles and
+                   who should close them:
+
+                   The cryptfd handle supplies the TLS connection that is
+                   assumed to have been setup.  When the function ends,
+                   either in success or failure, this handle will no longer
+                   be available to the caller; the responsibility of closing
+                   it is passed on to the function and/or the TLS Pool.
+
+                   And on plainfd:  The file handle returned [in privdata],
+                   if it is >= 0, should be closed by the caller, both in
+                   case of success and failure.
 		"""
 		assert (self.cryptsk is not None)
 		assert (self.cryptfd >= 0)
@@ -198,12 +211,18 @@ class Connection:
 			socktp = socket.SOCK_STREAM
 		plainsockptr = socket_data ()
 		plainsockptr.unix_socket = self.plainfd
+                # Clone cryptfd so _starttls() and Python can each close it
+                unix_cryptfd = os.dup (self.cryptfd)
+                if unix_cryptfd < 0:
+                        _tlspool.raise_errno ()
+                # We close cryptsk now and it will not repeat during garbage collection
+                self.cryptsk.close ()
+		self.cryptsk = None
+		self.cryptfd = -1
 		# Provide None for the callback function, SWIG won't support it
 		# We might at some point desire a library of C routine options?
-		rv = _starttls (self.cryptfd, self.tlsdata, plainsockptr, None)
+		rv = _starttls (unix_cryptfd, self.tlsdata, plainsockptr, None)
 		self.plainfd = -1
-		self.cryptfd = -1
-		self.cryptsk = None
 		if rv < 0:
 			_tlspool.raise_errno ()
 		if self.plainsk is None:
@@ -347,17 +366,24 @@ class SecurityMixIn:
 			socktp = socket.SOCK_STREAM
 		plainsockptr = socket_data ()
 		plainsockptr.unix_socket = -1
-		rv = _starttls (sox.fileno (), self.tlsdata, plainsockptr, None)
+                unix_sox = os.dup (sox.fileno ())
+                if unix_sox < 0:
+                        _tlspool.raise_errno ()
+		sox.close ()
+		rv = _starttls (unix_sox, self.tlsdata, plainsockptr, None)
 		if rv < 0:
 			_tlspool.raise_errno ()
 		assert (plainsockptr.unix_socket >= 0)
 		sox2 = socket.fromfd (plainsockptr.unix_socket, af, socktp)
+                # Now, since socket.fromfd() used os.dup(), we close the original
+                os.close (plainsockptr.unix_socket)
+                plainsockptr.unix_socket = -1
 		if type (self.request) == tuple:
+                        #TODO# This is not permitted, editing a tuple
 			self.request [1] = sox2
 		else:
 			self.request     = sox2
 		self.handle_secure ()
-		sox2.close ()
 
 	def startssh (self):
 		raise NotImplementedError ("Python wrapper does not implement STARTSSH")
diff --git a/lib/python/tlspool.c b/lib/python/tlspool.c
@@ -6390,6 +6390,7 @@ SWIG_init(void) {
   SWIG_Python_SetConstant(d, "PIOF_LIDENTRY_SKIP_NOTROOT",SWIG_From_int((int)(0x00000088)));
   SWIG_Python_SetConstant(d, "PIOF_LIDENTRY_SKIP_USER",SWIG_From_int((int)(0x00000081)));
   SWIG_Python_SetConstant(d, "PIOF_LIDENTRY_WANT_DBENTRY",SWIG_From_int((int)(0x00000100)));
+  SWIG_Python_SetConstant(d, "PIOF_STARTTLS_BOTHROLES_PEER",SWIG_From_int((int)(0x0000000f)));
   SWIG_Python_SetConstant(d, "PIOF_STARTTLS_DETACH",SWIG_From_int((int)(0x00002000)));
   SWIG_Python_SetConstant(d, "PIOF_STARTTLS_DOMAIN_REPRESENTS_USER",SWIG_From_int((int)(0x00008000)));
   SWIG_Python_SetConstant(d, "PIOF_STARTTLS_DTLS",SWIG_From_int((int)(0x00000100)));
@@ -6408,6 +6409,7 @@ SWIG_init(void) {
   SWIG_Python_SetConstant(d, "PIOF_STARTTLS_REQUEST_REMOTEID",SWIG_From_int((int)(0x00000800)));
   SWIG_Python_SetConstant(d, "PIOF_STARTTLS_WITHOUT_SNI",SWIG_From_int((int)(0x00000200)));
   SWIG_Python_SetConstant(d, "TLSPOOL_CTLKEYLEN",SWIG_From_int((int)(16)));
+  SWIG_Python_SetConstant(d, "TLSPOOL_DEFAULT_CONFIG_PATH",SWIG_FromCharPtr("/etc/tlspool.conf"));
   SWIG_Python_SetConstant(d, "TLSPOOL_DEFAULT_PIDFILE_PATH",SWIG_FromCharPtr("/var/run/tlspool.pid"));
   SWIG_Python_SetConstant(d, "TLSPOOL_DEFAULT_SOCKET_PATH",SWIG_FromCharPtr("/var/run/tlspool.sock"));
   SWIG_Python_SetConstant(d, "TLSPOOL_IDENTITY_V2",SWIG_FromCharPtr("20151111api@tlspool.arpa2.net"));
diff --git a/lib/python/tlspool.py b/lib/python/tlspool.py
@@ -444,6 +444,19 @@ def starttls (self):
 		   access afterwards.  The variables that are required at
 		   this point are service and, already obliged when making
 		   a new instance, cryptfd.
+
+                   Quoting the library documentation on file handles and
+                   who should close them:
+
+                   The cryptfd handle supplies the TLS connection that is
+                   assumed to have been setup.  When the function ends,
+                   either in success or failure, this handle will no longer
+                   be available to the caller; the responsibility of closing
+                   it is passed on to the function and/or the TLS Pool.
+
+                   And on plainfd:  The file handle returned [in privdata],
+                   if it is >= 0, should be closed by the caller, both in
+                   case of success and failure.
 		"""
 		assert (self.cryptsk is not None)
 		assert (self.cryptfd >= 0)
@@ -463,12 +476,18 @@ def starttls (self):
 			socktp = socket.SOCK_STREAM
 		plainsockptr = socket_data ()
 		plainsockptr.unix_socket = self.plainfd
+# Clone cryptfd so _starttls() and Python can each close it
+                unix_cryptfd = os.dup (self.cryptfd)
+                if unix_cryptfd < 0:
+                        _tlspool.raise_errno ()
+# We close cryptsk now and it will not repeat during garbage collection
+                self.cryptsk.close ()
+		self.cryptsk = None
+		self.cryptfd = -1
 # Provide None for the callback function, SWIG won't support it
 # We might at some point desire a library of C routine options?
-		rv = _starttls (self.cryptfd, self.tlsdata, plainsockptr, None)
+		rv = _starttls (unix_cryptfd, self.tlsdata, plainsockptr, None)
 		self.plainfd = -1
-		self.cryptfd = -1
-		self.cryptsk = None
 		if rv < 0:
 			_tlspool.raise_errno ()
 		if self.plainsk is None:
@@ -612,17 +631,24 @@ def starttls (self):
 			socktp = socket.SOCK_STREAM
 		plainsockptr = socket_data ()
 		plainsockptr.unix_socket = -1
-		rv = _starttls (sox.fileno (), self.tlsdata, plainsockptr, None)
+                unix_sox = os.dup (sox.fileno ())
+                if unix_sox < 0:
+                        _tlspool.raise_errno ()
+		sox.close ()
+		rv = _starttls (unix_sox, self.tlsdata, plainsockptr, None)
 		if rv < 0:
 			_tlspool.raise_errno ()
 		assert (plainsockptr.unix_socket >= 0)
 		sox2 = socket.fromfd (plainsockptr.unix_socket, af, socktp)
+# Now, since socket.fromfd() used os.dup(), we close the original
+                os.close (plainsockptr.unix_socket)
+                plainsockptr.unix_socket = -1
 		if type (self.request) == tuple:
+#TODO# This is not permitted, editing a tuple
 			self.request [1] = sox2
 		else:
 			self.request     = sox2
 		self.handle_secure ()
-		sox2.close ()
 
 	def startssh (self):
 		raise NotImplementedError ("Python wrapper does not implement STARTSSH")
@@ -694,6 +720,7 @@ def handle_secure (self):
 PIOF_LIDENTRY_SKIP_NOTROOT = _tlspool.PIOF_LIDENTRY_SKIP_NOTROOT
 PIOF_LIDENTRY_SKIP_USER = _tlspool.PIOF_LIDENTRY_SKIP_USER
 PIOF_LIDENTRY_WANT_DBENTRY = _tlspool.PIOF_LIDENTRY_WANT_DBENTRY
+PIOF_STARTTLS_BOTHROLES_PEER = _tlspool.PIOF_STARTTLS_BOTHROLES_PEER
 PIOF_STARTTLS_DETACH = _tlspool.PIOF_STARTTLS_DETACH
 PIOF_STARTTLS_DOMAIN_REPRESENTS_USER = _tlspool.PIOF_STARTTLS_DOMAIN_REPRESENTS_USER
 PIOF_STARTTLS_DTLS = _tlspool.PIOF_STARTTLS_DTLS
@@ -712,6 +739,7 @@ def handle_secure (self):
 PIOF_STARTTLS_REQUEST_REMOTEID = _tlspool.PIOF_STARTTLS_REQUEST_REMOTEID
 PIOF_STARTTLS_WITHOUT_SNI = _tlspool.PIOF_STARTTLS_WITHOUT_SNI
 TLSPOOL_CTLKEYLEN = _tlspool.TLSPOOL_CTLKEYLEN
+TLSPOOL_DEFAULT_CONFIG_PATH = _tlspool.TLSPOOL_DEFAULT_CONFIG_PATH
 TLSPOOL_DEFAULT_PIDFILE_PATH = _tlspool.TLSPOOL_DEFAULT_PIDFILE_PATH
 TLSPOOL_DEFAULT_SOCKET_PATH = _tlspool.TLSPOOL_DEFAULT_SOCKET_PATH
 TLSPOOL_IDENTITY_V2 = _tlspool.TLSPOOL_IDENTITY_V2
