#include "connection.h"
#include <arpa/inet.h>
+#include <assert.h>
#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <sys/socket.h>
+#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
+#include <limits.h>
+#if GNUTLS_VERSION_NUMBER <= 0x020b00
/* Necessary for GnuTLS when used with threads. */
#include <gcrypt.h>
GCRY_THREAD_OPTION_PTHREAD_IMPL;
+#endif
/* Size of ringbuffer. */
#define RINGBUFFER_SIZE 10
-/* Bit size of Diffie-Hellman key exchange parameters. */
-#define DH_SIZE 1024
-
/* For gnutls_*() functions. */
#define GNUTLS_ERROR_EXIT(error, message) \
/* Server should shut down. Set by SIGINT handler. */
-static volatile int done = 0;
+static volatile int done; /* = 0 */
/* Number of threads. */
static size_t thread_count;
static void parse_arguments(int argc, char **argv);
static void print_usage(const char *argv);
+static char *slurp_text_file(const char *path);
static void initialize_gnutls(void);
static void deinitialize_gnutls(void);
-static void worker_thread(void);
+static void *worker_thread(void *unused);
int main(int argc, char **argv) {
struct sigaction action;
+ /* Required in a few places. */
+ ct_assert(sizeof(size_t) >= sizeof(int));
+ ct_assert(sizeof(size_t) >= sizeof(ssize_t));
+
parse_arguments(argc, argv);
port = atoi(argv[argc - 1]);
if (port <= 0 || port > 0xffff ) {
- print_usage(argv[0]);
- fprintf(stderr, "\ninvalid port: '%s'\n", argv[argc - 1]);
+ fprintf(stderr, "invalid port: '%s'\n", argv[argc - 1]);
return EXIT_FAILURE;
}
+ memset(&action, 0, sizeof(action));
sigemptyset(&action.sa_mask);
- action.sa_flags = 0;
#ifdef DEBUG
/* Setup our SIGINT signal handler which allows a "normal" termination of
* the server in DEBUG mode. */
return EXIT_FAILURE;
}
for (i = 0; i < thread_count; i++) {
- errno = pthread_create(threads + i, NULL,
- (void * (*)(void *))&worker_thread,
- NULL);
+ errno = pthread_create(threads + i, NULL, &worker_thread, NULL);
if (errno != 0) {
perror("failed to create worker thread");
return EXIT_FAILURE;
#else
server_socket = socket(PF_INET6, SOCK_STREAM, 0);
#endif
- if (server_socket == -1) {
+ if (server_socket < 0) {
perror("socket()");
return EXIT_FAILURE;
}
/* Fast rebinding for debug mode, could cause invalid packets. */
- if (global_log_level >= LOG_DEBUG_LEVEL) {
+ if (global_log_level >= LOG_DEBUG1_LEVEL) {
int socket_option = 1;
setsockopt(server_socket, SOL_SOCKET, SO_REUSEADDR,
&socket_option, sizeof(socket_option));
server_in.sin6_port = htons((uint16_t)port); /* port to bind to */
#endif
if (bind(server_socket, (struct sockaddr *)&server_in,
- sizeof(server_in)) == -1) {
+ sizeof(server_in)) != 0) {
perror("bind()");
return EXIT_FAILURE;
}
/* And accept connections. */
- if (listen(server_socket, 5) == -1) {
+ if (listen(server_socket, 5) != 0) {
perror("listen()");
return EXIT_FAILURE;
}
- if (global_log_level >= LOG_DEBUG_LEVEL) {
+ if (global_log_level >= LOG_DEBUG1_LEVEL) {
printf("tlsproxy %s\n", VERSION);
printf("Listening for connections on port %d.\n", port);
+ printf("Priority string: %s.\n", PROXY_TLS_PRIORITIES);
if (global_proxy_host != NULL && global_proxy_port != NULL) {
printf("Using proxy: %s:%s.\n", global_proxy_host,
while (!done) {
/* Accept new connection. */
client_socket = accept(server_socket, NULL, NULL);
- if (client_socket == -1) {
+ if (client_socket < 0) {
perror("accept()");
break;
}
}
}
- free(ringbuffer_full);
- free(ringbuffer_free);
- free(ringbuffer_lock);
+ sem_del(ringbuffer_full);
+ sem_del(ringbuffer_free);
+ sem_del(ringbuffer_lock);
free(threads);
free(global_proxy_host);
free(global_proxy_port);
+ free(global_http_digest_authorization);
return EXIT_FAILURE;
}
/* Default values. */
thread_count = 10;
#ifdef DEBUG
- global_log_level = LOG_DEBUG_LEVEL;
+ global_log_level = LOG_DEBUG2_LEVEL;
#else
global_log_level = LOG_WARNING_LEVEL;
#endif
global_passthrough_unknown = 0;
- while ((option = getopt(argc, argv, "d:p:t:uh?")) != -1) {
+ while ((option = getopt(argc, argv, "a:d:p:t:uh?")) != -1) {
switch (option) {
+ case 'a': {
+ global_http_digest_authorization = slurp_text_file(optarg);
+ if (global_http_digest_authorization == NULL) {
+ fprintf(stderr, "failed to open authorization file '%s': ",
+ optarg);
+ perror("");
+ exit(EXIT_FAILURE);
+ } else if (strlen(global_http_digest_authorization) == 0) {
+ fprintf(stderr, "empty authorization file '%s'\n",
+ optarg);
+ exit(EXIT_FAILURE);
+ }
+
+ /* Just in case the file has a trailing newline. */
+ strtok(global_http_digest_authorization, "\r\n");
+
+ break;
+ }
case 'd': {
global_log_level = atoi(optarg);
if (global_log_level < 0) {
- print_usage(argv[0]);
- fprintf(stderr, "\n-d positive number required: '%s'\n",
+ fprintf(stderr, "-d positive number required: '%s'\n",
optarg);
exit(EXIT_FAILURE);
}
|| strlen(position + 1) == 0
|| atoi(position + 1) <= 0
|| atoi(position + 1) > 0xffff) {
- print_usage(argv[0]);
- fprintf(stderr, "\ninvalid -p: '%s', format host:port\n",
- optarg);
+ fprintf(stderr, "invalid -p: '%s', format host:port\n",
+ optarg);
exit(EXIT_FAILURE);
}
}
case 't': {
if (atoi(optarg) <= 0) {
- print_usage(argv[0]);
- fprintf(stderr, "\n-t positive number required: '%s'\n",
+ fprintf(stderr, "-t positive number required: '%s'\n",
optarg);
exit(EXIT_FAILURE);
}
}
if (optind >= argc) {
- print_usage(argv[0]);
- fprintf(stderr, "\nport missing\n");
+ fprintf(stderr, "port missing\n");
exit(EXIT_FAILURE);
}
}
static void print_usage(const char *argv) {
fprintf(stderr, "tlsproxy %s, a certificate checking TLS proxy\n",
VERSION);
- fprintf(stderr, "Usage: %s [-d level] [-p host:port] [-t count] [-u] port\n",
+ fprintf(stderr, "Usage: %s [-a file] [-d level] [-p host:port] [-t count] [-u] port\n",
argv);
fprintf(stderr, "\n");
- fprintf(stderr, "-d debug level: 0=errors only, 2=debug [default: 1]\n");
+ fprintf(stderr, "-a digest authentication file [default: none]\n");
+ fprintf(stderr, "-d debug level: 0=errors only, 2=debug, 3=more debug [default: 1]\n");
fprintf(stderr, "-p proxy hostname and port\n");
fprintf(stderr, "-t number of threads [default: 10]\n");
fprintf(stderr, "-u passthrough connection if no certificate is stored \
fprintf(stderr, " WARNING: might be a security problem!\n");
}
+#if 0
+static void log_function_gnutls(int level, const char *string) {
+ (void)level;
+ fprintf(stderr, " => %s", string);
+}
+#endif
+
static void initialize_gnutls(void) {
int result;
+ char *dh_parameters;
+ gnutls_datum_t dh_parameters_datum;
+
+/* Recent versions of GnuTLS automatically initialize the cryptography layer
+ * in gnutls_global_init(), including a thread-safe setup. */
+#if GNUTLS_VERSION_NUMBER <= 0x020b00
gcry_error_t error;
/* Thread safe setup. Must be called before gnutls_global_init(). */
gcry_strerror(error));
exit(EXIT_FAILURE);
}
+#endif
+
+ if (gnutls_check_version(GNUTLS_VERSION) == NULL) {
+ fprintf(stderr, "gnutls_check_version(): version mismatch, "
+ "expected at least '" GNUTLS_VERSION "'\n");
+ exit(EXIT_FAILURE);
+ }
/* Initialize GnuTLS. */
result = gnutls_global_init();
GNUTLS_ERROR_EXIT(result, "gnutls_global_init()");
+#if 0
+ gnutls_global_set_log_level(10);
+ gnutls_global_set_log_function(log_function_gnutls);
+#endif
+
/* Setup GnuTLS cipher suites. */
- result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL);
+ result = gnutls_priority_init(&global_tls_priority_cache,
+ PROXY_TLS_PRIORITIES, NULL);
GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()");
- /* Generate Diffie-Hellman parameters. */
+ /* Read Diffie-Hellman parameters. */
+ dh_parameters = slurp_text_file(PROXY_DH_PATH);
+ if (dh_parameters == NULL) {
+ fprintf(stderr, PROXY_DH_PATH " missing, "
+ "use `tlsproxy-setup` to create it\n");
+ exit(EXIT_FAILURE);
+ }
+ dh_parameters_datum.data = (unsigned char *)dh_parameters;
+ assert(strlen(dh_parameters) <= UINT_MAX);
+ dh_parameters_datum.size = (unsigned int)(strlen(dh_parameters));
+
result = gnutls_dh_params_init(&global_tls_dh_params);
GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()");
- result = gnutls_dh_params_generate2(global_tls_dh_params, DH_SIZE);
- GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_generate2()");
+ result = gnutls_dh_params_import_pkcs3(global_tls_dh_params,
+ &dh_parameters_datum,
+ GNUTLS_X509_FMT_PEM);
+ GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_import_pkcs3()");
+
+ free(dh_parameters);
}
static void deinitialize_gnutls(void) {
gnutls_dh_params_deinit(global_tls_dh_params);
gnutls_global_deinit();
}
-static void worker_thread(void) {
+static void *worker_thread(void *unused) {
int client_socket;
+ (void)unused;
+
for (;;) {
/* Get next element from ring buffer. */
P(ringbuffer_full);
handle_connection(client_socket);
}
+
+ return NULL;
+}
+
+static char *slurp_text_file(const char *path) {
+ struct stat stat;
+ size_t size_read;
+ char *content = NULL;
+
+ FILE *file = fopen(path, "r");
+ if (file == NULL) {
+ return NULL;
+ }
+
+ ct_assert(sizeof(stat.st_size) <= sizeof(size_t));
+
+ if (fstat(fileno(file), &stat) != 0) {
+ goto out;
+ }
+ if (stat.st_size < 0) { /* just in case ... */
+ abort();
+ } else if ((size_t)stat.st_size >= SIZE_MAX - 1) {
+ errno = 0;
+ goto out;
+ }
+
+ content = malloc((size_t)stat.st_size + 1);
+ if (content == NULL) {
+ goto out;
+ }
+
+ errno = 0;
+ size_read = fread(content, 1, (size_t)stat.st_size, file);
+ if (size_read != (size_t)stat.st_size) {
+ free(content);
+ content = NULL;
+ goto out;
+ }
+ content[size_read] = '\0';
+
+out:
+ fclose(file);
+
+ return content;
}
ruderich.org/simon / tlsproxy / tlsproxy.git / blobdiff