/*
- * tlsproxy is a transparent TLS proxy for HTTPS connections.
+ * tlsproxy is a TLS proxy for HTTPS which intercepts the connections and
+ * ensures the server certificate doesn't change. Normally this isn't detected
+ * if a trusted CA for the new server certificate is installed.
*
- * Copyright (C) 2011 Simon Ruderich
+ * Copyright (C) 2011-2013 Simon Ruderich
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
#include "sem.h"
#include "connection.h"
-/* socket(), bind(), accept(), listen() */
-#include <sys/types.h>
-#include <sys/socket.h>
-/* close() */
-#include <unistd.h>
-/* htons() */
#include <arpa/inet.h>
-/* sigaction() */
-#include <signal.h>
-/* errno */
#include <errno.h>
-/* pthread_*() */
#include <pthread.h>
+#include <signal.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#if GNUTLS_VERSION_NUMBER <= 0x020b00
+/* Necessary for GnuTLS when used with threads. */
+#include <gcrypt.h>
+GCRY_THREAD_OPTION_PTHREAD_IMPL;
+#endif
+
/* Size of ringbuffer. */
#define RINGBUFFER_SIZE 10
+/* Bit size of Diffie-Hellman key exchange parameters. */
+#define DH_SIZE 1024
+
+
+/* For gnutls_*() functions. */
+#define GNUTLS_ERROR_EXIT(error, message) \
+ if (error != GNUTLS_E_SUCCESS) { \
+ fprintf(stderr, "%s: %s\n", message, gnutls_strerror(error)); \
+ exit(EXIT_FAILURE); \
+ }
+
/* Server should shut down. Set by SIGINT handler. */
-static volatile int done;
+static volatile int done; /* = 0 */
/* Number of threads. */
static size_t thread_count;
+
/* Synchronized ring buffer storing accept()ed client sockets. */
static int ringbuffer[RINGBUFFER_SIZE];
static int ringbuffer_read;
static SEM *ringbuffer_lock; /* Read lock. */
+#ifdef DEBUG
static void sigint_handler(int signal);
+#endif
static void parse_arguments(int argc, char **argv);
static void print_usage(const char *argv);
+static char *slurp_file(const char *path);
-static void worker_thread(void);
+static void initialize_gnutls(void);
+static void deinitialize_gnutls(void);
+
+static void *worker_thread(void *unused);
int main(int argc, char **argv) {
int port;
int client_socket, server_socket;
+#ifdef USE_IPV4_ONLY
+ struct sockaddr_in server_in;
+#else
struct sockaddr_in6 server_in;
+#endif
size_t i;
pthread_t *threads;
struct sigaction action;
+ /* Required in a few places. */
+ ct_assert(sizeof(size_t) >= sizeof(int));
+ ct_assert(sizeof(size_t) >= sizeof(ssize_t));
+
parse_arguments(argc, argv);
port = atoi(argv[argc - 1]);
- if (0 >= port || 0xffff < port) {
- print_usage(argv[0]);
- fprintf(stderr, "\ninvalid port\n");
+ if (port <= 0 || port > 0xffff ) {
+ fprintf(stderr, "invalid port: '%s'\n", argv[argc - 1]);
return EXIT_FAILURE;
}
- /* Setup our SIGINT signal handler which allows a "normal" termination of
- * the server. */
+ memset(&action, 0, sizeof(action));
sigemptyset(&action.sa_mask);
+#ifdef DEBUG
+ /* Setup our SIGINT signal handler which allows a "normal" termination of
+ * the server in DEBUG mode. */
action.sa_handler = sigint_handler;
- action.sa_flags = 0;
sigaction(SIGINT, &action, NULL);
+#endif
+ /* Ignore SIGPIPEs. */
+ action.sa_handler = SIG_IGN;
+ sigaction(SIGPIPE, &action, NULL);
/* Initialize ring buffer. */
ringbuffer_read = 0;
return EXIT_FAILURE;
}
+ initialize_gnutls();
+
/* Spawn worker threads to handle requests. */
- threads = (pthread_t *)malloc(thread_count * sizeof(pthread_t));
- if (NULL == threads) {
+ threads = malloc(thread_count * sizeof(*threads));
+ if (threads == NULL) {
perror("thread malloc failed");
return EXIT_FAILURE;
}
for (i = 0; i < thread_count; i++) {
- int result;
- pthread_t thread;
-
- result = pthread_create(&thread, NULL,
- (void * (*)(void *))&worker_thread,
- NULL);
- if (0 != result) {
- printf("failed to create worker thread: %s\n", strerror(result));
+ errno = pthread_create(threads + i, NULL, &worker_thread, NULL);
+ if (errno != 0) {
+ perror("failed to create worker thread");
return EXIT_FAILURE;
}
-
- threads[i] = thread;
}
+#ifdef USE_IPV4_ONLY
+ server_socket = socket(PF_INET, SOCK_STREAM, 0);
+#else
server_socket = socket(PF_INET6, SOCK_STREAM, 0);
- if (-1 == server_socket) {
+#endif
+ if (server_socket < 0) {
perror("socket()");
return EXIT_FAILURE;
}
-#ifdef DEBUG
/* Fast rebinding for debug mode, could cause invalid packets. */
- {
+ if (global_log_level >= LOG_DEBUG1_LEVEL) {
int socket_option = 1;
setsockopt(server_socket, SOL_SOCKET, SO_REUSEADDR,
&socket_option, sizeof(socket_option));
}
-#endif
/* Bind to the listen socket. */
memset(&server_in, 0, sizeof(server_in));
+#ifdef USE_IPV4_ONLY
+ server_in.sin_family = AF_INET; /* IPv4 only */
+ server_in.sin_addr.s_addr = htonl(INADDR_ANY); /* bind to any address */
+ server_in.sin_port = htons((uint16_t)port); /* port to bind to */
+#else
server_in.sin6_family = AF_INET6; /* IPv6 (and IPv4) */
server_in.sin6_addr = in6addr_any; /* bind to any address */
server_in.sin6_port = htons((uint16_t)port); /* port to bind to */
- if (-1 == bind(server_socket, (struct sockaddr *)&server_in,
- sizeof(server_in))) {
+#endif
+ if (bind(server_socket, (struct sockaddr *)&server_in,
+ sizeof(server_in)) != 0) {
perror("bind()");
return EXIT_FAILURE;
}
/* And accept connections. */
- if (-1 == listen(server_socket, 5)) {
+ if (listen(server_socket, 5) != 0) {
perror("listen()");
return EXIT_FAILURE;
}
-#ifdef DEBUG
- printf("Listening for connections on port %d.\n", port);
+ if (global_log_level >= LOG_DEBUG1_LEVEL) {
+ printf("tlsproxy %s\n", VERSION);
+ printf("Listening for connections on port %d.\n", port);
- if (NULL != use_proxy_host && NULL != use_proxy_port) {
- printf("Using proxy: %s:%s.\n", use_proxy_host, use_proxy_port);
+ if (global_proxy_host != NULL && global_proxy_port != NULL) {
+ printf("Using proxy: %s:%s.\n", global_proxy_host,
+ global_proxy_port);
+ }
}
-#endif
while (!done) {
/* Accept new connection. */
client_socket = accept(server_socket, NULL, NULL);
- if (-1 == client_socket) {
+ if (client_socket < 0) {
perror("accept()");
break;
}
- /* No lock, we only have one producer! */
+ /* No lock necessary, we only have one producer! */
P(ringbuffer_free);
ringbuffer[ringbuffer_write] = client_socket;
ringbuffer_write = (ringbuffer_write + 1) % RINGBUFFER_SIZE;
}
for (i = 0; i < thread_count; i++) {
errno = pthread_join(threads[i], NULL);
- if (0 != errno) {
+ if (errno != 0) {
perror("pthread_join()");
- continue;
}
}
- free(ringbuffer_full);
- free(ringbuffer_free);
- free(ringbuffer_lock);
+ sem_del(ringbuffer_full);
+ sem_del(ringbuffer_free);
+ sem_del(ringbuffer_lock);
free(threads);
- free(use_proxy_host);
- free(use_proxy_port);
+ deinitialize_gnutls();
+
+ free(global_proxy_host);
+ free(global_proxy_port);
return EXIT_FAILURE;
}
+#ifdef DEBUG
static void sigint_handler(int signal_number) {
(void)signal_number;
done = 1;
}
+#endif
static void parse_arguments(int argc, char **argv) {
int option;
/* Default values. */
thread_count = 10;
+#ifdef DEBUG
+ global_log_level = LOG_DEBUG_LEVEL;
+#else
+ global_log_level = LOG_WARNING_LEVEL;
+#endif
+ global_passthrough_unknown = 0;
- while (-1 != (option = getopt(argc, argv, "p:t:h?"))) {
+ while ((option = getopt(argc, argv, "a:d:p:t:uh?")) != -1) {
switch (option) {
+ case 'a': {
+ http_digest_authorization = slurp_file(optarg);
+ if (http_digest_authorization == NULL) {
+ fprintf(stderr, "failed to open authorization file '%s': ",
+ optarg);
+ perror("");
+ exit(EXIT_FAILURE);
+ } else if (strlen(http_digest_authorization) == 0) {
+ fprintf(stderr, "empty authorization file '%s'\n",
+ optarg);
+ exit(EXIT_FAILURE);
+ }
+
+ /* Just in case the file has a trailing newline. */
+ strtok(http_digest_authorization, "\r\n");
+
+ break;
+ }
+ case 'd': {
+ global_log_level = atoi(optarg);
+ if (global_log_level < 0) {
+ fprintf(stderr, "-d positive number required: '%s'\n",
+ optarg);
+ exit(EXIT_FAILURE);
+ }
+ break;
+ }
case 'p': {
char *position;
/* -p must have the format host:port. */
- if (NULL == (position = strchr(optarg, ':'))
- || position == optarg
- || 0 == strlen(position + 1)
- || 0 >= atoi(position + 1)
- || 0xffff < atoi(position + 1)) {
- print_usage(argv[0]);
- fprintf(stderr, "\ninvalid -p, format host:port\n");
+ if ((position = strchr(optarg, ':')) == NULL
+ || optarg == position
+ || strlen(position + 1) == 0
+ || atoi(position + 1) <= 0
+ || atoi(position + 1) > 0xffff) {
+ fprintf(stderr, "invalid -p: '%s', format host:port\n",
+ optarg);
exit(EXIT_FAILURE);
}
- use_proxy_host = malloc((size_t)(position - optarg) + 1);
- if (NULL == use_proxy_host) {
+ global_proxy_host = malloc((size_t)(position - optarg) + 1);
+ if (global_proxy_host == NULL) {
perror("malloc()");
exit(EXIT_FAILURE);
}
- memcpy(use_proxy_host, optarg, (size_t)(position - optarg));
- use_proxy_host[position - optarg] = '\0';
+ memcpy(global_proxy_host, optarg, (size_t)(position - optarg));
+ global_proxy_host[position - optarg] = '\0';
- use_proxy_port = malloc(strlen(position + 1) + 1);
- if (NULL == use_proxy_port) {
+ global_proxy_port = malloc(strlen(position + 1) + 1);
+ if (global_proxy_port == NULL) {
perror("malloc()");
exit(EXIT_FAILURE);
}
- strcpy(use_proxy_port, position + 1);
+ strcpy(global_proxy_port, position + 1);
break;
}
case 't': {
- if (0 >= atoi(optarg)) {
- print_usage(argv[0]);
- fprintf(stderr, "\n-t positive number required\n");
+ if (atoi(optarg) <= 0) {
+ fprintf(stderr, "-t positive number required: '%s'\n",
+ optarg);
exit(EXIT_FAILURE);
}
thread_count = (size_t)atoi(optarg);
break;
}
+ case 'u': {
+ global_passthrough_unknown = 1;
+ break;
+ }
case 'h':
default: /* '?' */
print_usage(argv[0]);
}
if (optind >= argc) {
- print_usage(argv[0]);
- fprintf(stderr, "\nport missing\n");
+ fprintf(stderr, "port missing\n");
exit(EXIT_FAILURE);
}
}
static void print_usage(const char *argv) {
- fprintf(stderr, "Usage: %s [-p host:port] port\n", argv);
+ fprintf(stderr, "tlsproxy %s, a certificate checking TLS proxy\n",
+ VERSION);
+ fprintf(stderr, "Usage: %s [-a file] [-d level] [-p host:port] [-t count] [-u] port\n",
+ argv);
fprintf(stderr, "\n");
+ fprintf(stderr, "-a digest authentication file [default: none]\n");
+ fprintf(stderr, "-d debug level: 0=errors only, 2=debug [default: 1]\n");
fprintf(stderr, "-p proxy hostname and port\n");
fprintf(stderr, "-t number of threads [default: 10]\n");
+ fprintf(stderr, "-u passthrough connection if no certificate is stored \
+[default: error]\n");
+ fprintf(stderr, " WARNING: might be a security problem!\n");
+}
+
+static void initialize_gnutls(void) {
+ int result;
+/* Recent versions of GnuTLS automatically initialize the cryptography layer
+ * in gnutls_global_init(). */
+#if GNUTLS_VERSION_NUMBER <= 0x020b00
+ gcry_error_t error;
+
+ /* Thread safe setup. Must be called before gnutls_global_init(). */
+ error = gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+ if (error != 0) {
+ fprintf(stderr, "gcry_control(): %s/%s\n", gcry_strsource(error),
+ gcry_strerror(error));
+ exit(EXIT_FAILURE);
+ }
+ /* Prevent usage of blocking /dev/random. */
+ error = gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+ if (error != 0) {
+ fprintf(stderr, "gcry_control(): %s/%s\n", gcry_strsource(error),
+ gcry_strerror(error));
+ exit(EXIT_FAILURE);
+ }
+#endif
+
+ /* Initialize GnuTLS. */
+ result = gnutls_global_init();
+ GNUTLS_ERROR_EXIT(result, "gnutls_global_init()");
+
+ /* Setup GnuTLS cipher suites. */
+ result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL);
+ GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()");
+
+ /* Generate Diffie-Hellman parameters. */
+ result = gnutls_dh_params_init(&global_tls_dh_params);
+ GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()");
+ result = gnutls_dh_params_generate2(global_tls_dh_params, DH_SIZE);
+ GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_generate2()");
}
+static void deinitialize_gnutls(void) {
+ gnutls_dh_params_deinit(global_tls_dh_params);
+ gnutls_priority_deinit(global_tls_priority_cache);
-static void worker_thread(void) {
+ gnutls_global_deinit();
+}
+
+static void *worker_thread(void *unused) {
int client_socket;
+ (void)unused;
+
for (;;) {
/* Get next element from ring buffer. */
P(ringbuffer_full);
V(ringbuffer_free);
/* Negative value indicates we should shut down our thread. */
- if (0 > client_socket) {
+ if (client_socket < 0) {
break;
}
handle_connection(client_socket);
}
+
+ return NULL;
+}
+
+static char *slurp_file(const char *path) {
+ struct stat stat;
+ size_t size_read;
+ char *content = NULL;
+
+ FILE *file = fopen(path, "r");
+ if (file == NULL) {
+ return NULL;
+ }
+
+ ct_assert(sizeof(stat.st_size) <= sizeof(size_t));
+
+ if (fstat(fileno(file), &stat) != 0) {
+ goto out;
+ }
+ if (stat.st_size < 0) { /* just in case ... */
+ abort();
+ } else if ((size_t)stat.st_size >= SIZE_MAX - 1) {
+ errno = 0;
+ goto out;
+ }
+
+ content = malloc((size_t)stat.st_size + 1);
+ if (content == NULL) {
+ goto out;
+ }
+
+ errno = 0;
+ size_read = fread(content, 1, (size_t)stat.st_size, file);
+ if (size_read != (size_t)stat.st_size) {
+ free(content);
+ content = NULL;
+ goto out;
+ }
+ content[size_read] = '\0';
+
+out:
+ fclose(file);
+
+ return content;
}
ruderich.org/simon / tlsproxy / tlsproxy.git / blobdiff