Display priority string when starting with debug level >= 1.

[tlsproxy/tlsproxy.git] / src / tlsproxy.c

diff --git a/src/tlsproxy.c b/src/tlsproxy.c
index 3d9e80fb532938679eab674ebe520b0cc9c599ee..6d49253681ea05ff92b27c8e3a3e71de3d7ee5fa 100644 (file)
--- a/src/tlsproxy.c
+++ b/src/tlsproxy.c
@@ -24,6 +24,7 @@
 #include "connection.h"
 
 #include <arpa/inet.h>
+#include <assert.h>
 #include <errno.h>
 #include <pthread.h>
 #include <signal.h>
@@ -31,6 +32,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
+#include <limits.h>
 
 #if GNUTLS_VERSION_NUMBER <= 0x020b00
 /* Necessary for GnuTLS when used with threads. */
@@ -42,9 +44,6 @@ GCRY_THREAD_OPTION_PTHREAD_IMPL;
 /* Size of ringbuffer. */
 #define RINGBUFFER_SIZE 10
 
-/* Bit size of Diffie-Hellman key exchange parameters. */
-#define DH_SIZE 1024
-
 
 /* For gnutls_*() functions. */
 #define GNUTLS_ERROR_EXIT(error, message) \
@@ -192,6 +191,7 @@ int main(int argc, char **argv) {
     if (global_log_level >= LOG_DEBUG1_LEVEL) {
         printf("tlsproxy %s\n", VERSION);
         printf("Listening for connections on port %d.\n", port);
+        printf("Priority string: %s.\n", PROXY_TLS_PRIORITIES);
 
         if (global_proxy_host != NULL && global_proxy_port != NULL) {
             printf("Using proxy: %s:%s.\n", global_proxy_host,
@@ -240,6 +240,7 @@ int main(int argc, char **argv) {
 
     free(global_proxy_host);
     free(global_proxy_port);
+    free(global_http_digest_authorization);
 
     return EXIT_FAILURE;
 }
@@ -258,7 +259,7 @@ static void parse_arguments(int argc, char **argv) {
     /* Default values. */
     thread_count = 10;
 #ifdef DEBUG
-    global_log_level = LOG_DEBUG1_LEVEL;
+    global_log_level = LOG_DEBUG2_LEVEL;
 #else
     global_log_level = LOG_WARNING_LEVEL;
 #endif
@@ -267,20 +268,20 @@ static void parse_arguments(int argc, char **argv) {
     while ((option = getopt(argc, argv, "a:d:p:t:uh?")) != -1) {
         switch (option) {
             case 'a': {
-                http_digest_authorization = slurp_text_file(optarg);
-                if (http_digest_authorization == NULL) {
+                global_http_digest_authorization = slurp_text_file(optarg);
+                if (global_http_digest_authorization == NULL) {
                     fprintf(stderr, "failed to open authorization file '%s': ",
                                     optarg);
                     perror("");
                     exit(EXIT_FAILURE);
-                } else if (strlen(http_digest_authorization) == 0) {
+                } else if (strlen(global_http_digest_authorization) == 0) {
                     fprintf(stderr, "empty authorization file '%s'\n",
                                     optarg);
                     exit(EXIT_FAILURE);
                 }
 
                 /* Just in case the file has a trailing newline. */
-                strtok(http_digest_authorization, "\r\n");
+                strtok(global_http_digest_authorization, "\r\n");
 
                 break;
             }
@@ -356,7 +357,7 @@ static void print_usage(const char *argv) {
                     argv);
     fprintf(stderr, "\n");
     fprintf(stderr, "-a digest authentication file [default: none]\n");
-    fprintf(stderr, "-d debug level: 0=errors only, 2=debug [default: 1]\n");
+    fprintf(stderr, "-d debug level: 0=errors only, 2=debug, 3=more debug [default: 1]\n");
     fprintf(stderr, "-p proxy hostname and port\n");
     fprintf(stderr, "-t number of threads [default: 10]\n");
     fprintf(stderr, "-u passthrough connection if no certificate is stored \
@@ -373,8 +374,11 @@ static void log_function_gnutls(int level, const char *string) {
 
 static void initialize_gnutls(void) {
     int result;
+    char *dh_parameters;
+    gnutls_datum_t dh_parameters_datum;
+
 /* Recent versions of GnuTLS automatically initialize the cryptography layer
- * in gnutls_global_init(). */
+ * in gnutls_global_init(), including a thread-safe setup. */
 #if GNUTLS_VERSION_NUMBER <= 0x020b00
     gcry_error_t error;
 
@@ -394,6 +398,12 @@ static void initialize_gnutls(void) {
     }
 #endif
 
+    if (gnutls_check_version(GNUTLS_VERSION) == NULL) {
+        fprintf(stderr, "gnutls_check_version(): version mismatch, "
+                        "expected at least '" GNUTLS_VERSION "'\n");
+        exit(EXIT_FAILURE);
+    }
+
     /* Initialize GnuTLS. */
     result = gnutls_global_init();
     GNUTLS_ERROR_EXIT(result, "gnutls_global_init()");
@@ -404,14 +414,29 @@ static void initialize_gnutls(void) {
 #endif
 
     /* Setup GnuTLS cipher suites. */
-    result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL);
+    result = gnutls_priority_init(&global_tls_priority_cache,
+                                  PROXY_TLS_PRIORITIES, NULL);
     GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()");
 
-    /* Generate Diffie-Hellman parameters. */
+    /* Read Diffie-Hellman parameters. */
+    dh_parameters = slurp_text_file(PROXY_DH_PATH);
+    if (dh_parameters == NULL) {
+        fprintf(stderr, PROXY_DH_PATH " missing, "
+                        "use `tlsproxy-setup` to create it\n");
+        exit(EXIT_FAILURE);
+    }
+    dh_parameters_datum.data = (unsigned char *)dh_parameters;
+    assert(strlen(dh_parameters) <= UINT_MAX);
+    dh_parameters_datum.size = (unsigned int)(strlen(dh_parameters));
+
     result = gnutls_dh_params_init(&global_tls_dh_params);
     GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()");
-    result = gnutls_dh_params_generate2(global_tls_dh_params, DH_SIZE);
-    GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_generate2()");
+    result = gnutls_dh_params_import_pkcs3(global_tls_dh_params,
+                                           &dh_parameters_datum,
+                                           GNUTLS_X509_FMT_PEM);
+    GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_import_pkcs3()");
+
+    free(dh_parameters);
 }
 static void deinitialize_gnutls(void) {
     gnutls_dh_params_deinit(global_tls_dh_params);