Make exciting improvements

- Add Lua backtraces to redbean!
- Wipe serving keys after redbean forks
- Audit redbean to remove free via exit
- Log SSL client ciphersuite preferences
- Increase ASAN malloc() backtrace depth
- Make GetSslRoots() behave as a singleton
- Move leaks.c from LIBC_TESTLIB to LIBC_LOG
- Add undocumented %n to printf() for newlines
- Fix redbean memory leak reindexing inode change
- Fix redbean memory leak with Fetch() DNS object
- Restore original environ after __cxa_finalize()
- Make backtrace always work after __cxa_finalize()
- Introduce COUNTEXPR() diagnostic / benchmark tool
- Fix a few more instances of errno being clobbered
- Consolidate the ANSI color disabling internal APIs

third_party/lua/lapi.c

@@ -726,6 +726,7 @@ LUA_API void lua_pushcclosure (lua_State *L, lua_CFunction fn, int n) {
  */
 LUA_API void lua_pushboolean (lua_State *L, int b) {
   lua_lock(L);
+  /* a.k.a. L->top->val.tt_ = b ? LUA_VTRUE : LUA_VFALSE; */
   if (b)
     setbtvalue(s2v(L->top));
   else

third_party/mbedtls/formatclientciphers.c

@@ -0,0 +1,41 @@
+/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
+│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8                                :vi│
+╞══════════════════════════════════════════════════════════════════════════════╡
+│ Copyright 2022 Justine Alexandra Roberts Tunney                              │
+│                                                                              │
+│ Permission to use, copy, modify, and/or distribute this software for         │
+│ any purpose with or without fee is hereby granted, provided that the         │
+│ above copyright notice and this permission notice appear in all copies.      │
+│                                                                              │
+│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL                │
+│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED                │
+│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE             │
+│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL         │
+│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR        │
+│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER               │
+│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
+│ PERFORMANCE OF THIS SOFTWARE.                                                │
+╚─────────────────────────────────────────────────────────────────────────────*/
+#include "libc/bits/bits.h"
+#include "libc/macros.internal.h"
+#include "libc/stdio/append.internal.h"
+#include "third_party/mbedtls/iana.h"
+
+/**
+ * Returns string of joined list of first 𝑘 client preferred ciphers.
+ * @return string that must be free'd, or null if none set
+ */
+nodiscard char *FormatSslClientCiphers(const mbedtls_ssl_context *ssl) {
+  int i;
+  char *b = 0;
+  for (i = 0; i < ARRAYLEN(ssl->client_ciphers); ++i) {
+    if (!ssl->client_ciphers[i]) break;
+    if (i) appendw(&b, READ16LE(", "));
+    appendf(&b, "%s[0x%04x]", GetCipherSuiteName(ssl->client_ciphers[i]),
+            ssl->client_ciphers[i]);
+  }
+  if (i == ARRAYLEN(ssl->client_ciphers)) {
+    appends(&b, ", ...");
+  }
+  return b;
+}

third_party/mbedtls/iana.h

@@ -1,11 +1,13 @@
 #ifndef COSMOPOLITAN_THIRD_PARTY_MBEDTLS_IANA_H_
 #define COSMOPOLITAN_THIRD_PARTY_MBEDTLS_IANA_H_
+#include "third_party/mbedtls/ssl.h"
 #if !(__ASSEMBLER__ + __LINKER__ + 0)
 COSMOPOLITAN_C_START_
 
 bool IsCipherSuiteGood(uint16_t);
 const char *GetCipherSuiteName(uint16_t);
 const char *GetAlertDescription(unsigned char);
+nodiscard char *FormatSslClientCiphers(const mbedtls_ssl_context *);
 
 COSMOPOLITAN_C_END_
 #endif /* !(__ASSEMBLER__ + __LINKER__ + 0) */

third_party/mbedtls/ssl.h

@@ -1250,6 +1250,7 @@ struct mbedtls_ssl_context
                             *   Possible values are #MBEDTLS_SSL_CID_ENABLED
                             *   and #MBEDTLS_SSL_CID_DISABLED. */
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+  uint16_t client_ciphers[16]; /* [jart] clarifies MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE */
 };
 
 /**

third_party/mbedtls/ssl_srv.c

@@ -16,6 +16,8 @@
 │ limitations under the License.                                               │
 ╚─────────────────────────────────────────────────────────────────────────────*/
 #include "libc/log/log.h"
+#include "libc/macros.internal.h"
+#include "libc/str/str.h"
 #include "third_party/mbedtls/common.h"
 #include "third_party/mbedtls/debug.h"
 #include "third_party/mbedtls/ecp.h"
@@ -1159,9 +1161,9 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
 {
-    int ret, got_common_suite;
-    unsigned int i, j;
     size_t n;
+    unsigned int i, j;
+    int ret, got_common_suite;
     unsigned int ciph_len, sess_len, chal_len;
     unsigned char *buf, *p;
     const uint16_t *ciphersuites;
@@ -1357,6 +1359,13 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
     got_common_suite = 0;
     ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
     ciphersuite_info = NULL;
+
+    /* [jart] grab some client ciphers for error messages */
+    bzero(ssl->client_ciphers, sizeof(ssl->client_ciphers));
+    for( i = j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
+        if( !p[0] && i < ARRAYLEN( ssl->client_ciphers ) )
+            ssl->client_ciphers[i++] = p[1] << 8 | p[2];
+
 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
     for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
         for( i = 0; ciphersuites[i] != 0; i++ )
@@ -1365,9 +1374,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
         for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
 #endif
         {
-            if( p[0] != 0 ||
-                p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
-                p[2] != ( ( ciphersuites[i]      ) & 0xFF ) )
+            if( p[0] || (p[1] << 8 | p[2]) != ciphersuites[i] )
                 continue;
 
             got_common_suite = 1;
@@ -2198,6 +2205,12 @@ read_record_header:
         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
     }
 
+    /* [jart] grab some client ciphers for error messages */
+    bzero(ssl->client_ciphers, sizeof(ssl->client_ciphers));
+    for( i = j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
+        if( i < ARRAYLEN( ssl->client_ciphers ) )
+            ssl->client_ciphers[i++] = p[0] << 8 | p[1];
+
     /*
      * Search for a matching ciphersuite
      * (At the end because we need information from the EC-based extensions

third_party/python/Modules/tlsmodule.c

@@ -62,7 +62,6 @@ struct Tls {
 
 static PyObject *TlsError;
 static PyTypeObject tls_type;
-static mbedtls_x509_crt *roots;
 
 static PyObject *
 SetTlsError(int rc)
@@ -130,7 +129,7 @@ tls_new(int fd, const char *host, PyObject *todo)
                                     MBEDTLS_SSL_TRANSPORT_STREAM,
                                     MBEDTLS_SSL_PRESET_DEFAULT);
         mbedtls_ssl_conf_rng(&self->conf, mbedtls_ctr_drbg_random, &self->rng);
-        mbedtls_ssl_conf_ca_chain(&self->conf, roots, 0);
+        mbedtls_ssl_conf_ca_chain(&self->conf, GetSslRoots(), 0);
         /* mbedtls_ssl_conf_dbg(&self->conf, TlsDebug, 0); */
         /* mbedtls_debug_threshold = 5; */
         if (host && *host) {
@@ -493,7 +492,6 @@ PyInit_tls(void)
     TlsError = PyErr_NewException("tls.TlsError", NULL, NULL);
     Py_INCREF(TlsError);
     PyModule_AddObject(m, "TlsError", TlsError);
-    roots = GetSslRoots();
     return m;
 }