X-Git-Url: https://ruderich.org/simon/gitweb/?p=tlsproxy%2Ftlsproxy.git;a=blobdiff_plain;f=src%2Ftlsproxy.c;h=40729f08c8240938ea24dca75597a96115c2c474;hp=5fed55427ae95468c88bed20b615472ba2bf8625;hb=4b64428fe11db22f70c304de1bc9f0cc95f1d189;hpb=3c4d48bc9f6d8228b4eb61ef7920bdc64fc2eec1 diff --git a/src/tlsproxy.c b/src/tlsproxy.c index 5fed554..40729f0 100644 --- a/src/tlsproxy.c +++ b/src/tlsproxy.c @@ -3,7 +3,7 @@ * ensures the server certificate doesn't change. Normally this isn't detected * if a trusted CA for the new server certificate is installed. * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -23,24 +23,20 @@ #include "sem.h" #include "connection.h" -/* socket(), bind(), accept(), listen() */ -#include -#include -/* close() */ -#include -/* htons() */ #include -/* sigaction() */ -#include -/* errno */ #include -/* pthread_*() */ #include +#include +#include +#include +#include +#include -/* For GnuTLS. */ +#if GNUTLS_VERSION_NUMBER <= 0x020b00 +/* Necessary for GnuTLS when used with threads. */ #include - GCRY_THREAD_OPTION_PTHREAD_IMPL; +#endif /* Size of ringbuffer. */ @@ -52,14 +48,14 @@ GCRY_THREAD_OPTION_PTHREAD_IMPL; /* For gnutls_*() functions. */ #define GNUTLS_ERROR_EXIT(error, message) \ - if (GNUTLS_E_SUCCESS != error) { \ + if (error != GNUTLS_E_SUCCESS) { \ fprintf(stderr, "%s: %s\n", message, gnutls_strerror(error)); \ exit(EXIT_FAILURE); \ } /* Server should shut down. Set by SIGINT handler. */ -static volatile int done; +static volatile int done; /* = 0 */ /* Number of threads. */ static size_t thread_count; @@ -79,37 +75,45 @@ static void sigint_handler(int signal); static void parse_arguments(int argc, char **argv); static void print_usage(const char *argv); +static char *slurp_file(const char *path); static void initialize_gnutls(void); static void deinitialize_gnutls(void); -static void worker_thread(void); +static void *worker_thread(void *unused); int main(int argc, char **argv) { int port; int client_socket, server_socket; +#ifdef USE_IPV4_ONLY + struct sockaddr_in server_in; +#else struct sockaddr_in6 server_in; +#endif size_t i; pthread_t *threads; struct sigaction action; + /* Required in a few places. */ + ct_assert(sizeof(size_t) >= sizeof(int)); + ct_assert(sizeof(size_t) >= sizeof(ssize_t)); + parse_arguments(argc, argv); port = atoi(argv[argc - 1]); - if (0 >= port || 0xffff < port) { - print_usage(argv[0]); - fprintf(stderr, "\ninvalid port\n"); + if (port <= 0 || port > 0xffff ) { + fprintf(stderr, "invalid port: '%s'\n", argv[argc - 1]); return EXIT_FAILURE; } - /* Setup our SIGINT signal handler which allows a "normal" termination of - * the server in DEBUG mode. */ + memset(&action, 0, sizeof(action)); sigemptyset(&action.sa_mask); - action.sa_flags = 0; #ifdef DEBUG + /* Setup our SIGINT signal handler which allows a "normal" termination of + * the server in DEBUG mode. */ action.sa_handler = sigint_handler; sigaction(SIGINT, &action, NULL); #endif @@ -133,62 +137,63 @@ int main(int argc, char **argv) { initialize_gnutls(); /* Spawn worker threads to handle requests. */ - threads = (pthread_t *)malloc(thread_count * sizeof(pthread_t)); - if (NULL == threads) { + threads = malloc(thread_count * sizeof(*threads)); + if (threads == NULL) { perror("thread malloc failed"); return EXIT_FAILURE; } for (i = 0; i < thread_count; i++) { - int result; - pthread_t thread; - - result = pthread_create(&thread, NULL, - (void * (*)(void *))&worker_thread, - NULL); - if (0 != result) { - fprintf(stderr, "failed to create worker thread: %s\n", - strerror(result)); + errno = pthread_create(threads + i, NULL, &worker_thread, NULL); + if (errno != 0) { + perror("failed to create worker thread"); return EXIT_FAILURE; } - - threads[i] = thread; } +#ifdef USE_IPV4_ONLY + server_socket = socket(PF_INET, SOCK_STREAM, 0); +#else server_socket = socket(PF_INET6, SOCK_STREAM, 0); - if (-1 == server_socket) { +#endif + if (server_socket < 0) { perror("socket()"); return EXIT_FAILURE; } -#ifdef DEBUG /* Fast rebinding for debug mode, could cause invalid packets. */ - { + if (global_log_level >= LOG_DEBUG1_LEVEL) { int socket_option = 1; setsockopt(server_socket, SOL_SOCKET, SO_REUSEADDR, &socket_option, sizeof(socket_option)); } -#endif /* Bind to the listen socket. */ memset(&server_in, 0, sizeof(server_in)); +#ifdef USE_IPV4_ONLY + server_in.sin_family = AF_INET; /* IPv4 only */ + server_in.sin_addr.s_addr = htonl(INADDR_ANY); /* bind to any address */ + server_in.sin_port = htons((uint16_t)port); /* port to bind to */ +#else server_in.sin6_family = AF_INET6; /* IPv6 (and IPv4) */ server_in.sin6_addr = in6addr_any; /* bind to any address */ server_in.sin6_port = htons((uint16_t)port); /* port to bind to */ - if (-1 == bind(server_socket, (struct sockaddr *)&server_in, - sizeof(server_in))) { +#endif + if (bind(server_socket, (struct sockaddr *)&server_in, + sizeof(server_in)) != 0) { perror("bind()"); return EXIT_FAILURE; } /* And accept connections. */ - if (-1 == listen(server_socket, 5)) { + if (listen(server_socket, 5) != 0) { perror("listen()"); return EXIT_FAILURE; } - if (LOG_DEBUG <= global_log_level) { + if (global_log_level >= LOG_DEBUG1_LEVEL) { + printf("tlsproxy %s\n", VERSION); printf("Listening for connections on port %d.\n", port); - if (NULL != global_proxy_host && NULL != global_proxy_port) { + if (global_proxy_host != NULL && global_proxy_port != NULL) { printf("Using proxy: %s:%s.\n", global_proxy_host, global_proxy_port); } @@ -197,12 +202,12 @@ int main(int argc, char **argv) { while (!done) { /* Accept new connection. */ client_socket = accept(server_socket, NULL, NULL); - if (-1 == client_socket) { + if (client_socket < 0) { perror("accept()"); break; } - /* No lock, we only have one producer! */ + /* No lock necessary, we only have one producer! */ P(ringbuffer_free); ringbuffer[ringbuffer_write] = client_socket; ringbuffer_write = (ringbuffer_write + 1) % RINGBUFFER_SIZE; @@ -220,15 +225,14 @@ int main(int argc, char **argv) { } for (i = 0; i < thread_count; i++) { errno = pthread_join(threads[i], NULL); - if (0 != errno) { + if (errno != 0) { perror("pthread_join()"); - continue; } } - free(ringbuffer_full); - free(ringbuffer_free); - free(ringbuffer_lock); + sem_del(ringbuffer_full); + sem_del(ringbuffer_free); + sem_del(ringbuffer_lock); free(threads); @@ -254,38 +258,57 @@ static void parse_arguments(int argc, char **argv) { /* Default values. */ thread_count = 10; #ifdef DEBUG - global_log_level = LOG_DEBUG; + global_log_level = LOG_DEBUG_LEVEL; #else - global_log_level = LOG_WARNING; + global_log_level = LOG_WARNING_LEVEL; #endif + global_passthrough_unknown = 0; - while (-1 != (option = getopt(argc, argv, "d:p:t:h?"))) { + while ((option = getopt(argc, argv, "a:d:p:t:uh?")) != -1) { switch (option) { - case 'd': { - if (0 > atoi(optarg)) { - print_usage(argv[0]); - fprintf(stderr, "\n-d positive number required\n"); + case 'a': { + http_digest_authorization = slurp_file(optarg); + if (http_digest_authorization == NULL) { + fprintf(stderr, "failed to open authorization file '%s': ", + optarg); + perror(""); + exit(EXIT_FAILURE); + } else if (strlen(http_digest_authorization) == 0) { + fprintf(stderr, "empty authorization file '%s'\n", + optarg); exit(EXIT_FAILURE); } + + /* Just in case the file has a trailing newline. */ + strtok(http_digest_authorization, "\r\n"); + + break; + } + case 'd': { global_log_level = atoi(optarg); + if (global_log_level < 0) { + fprintf(stderr, "-d positive number required: '%s'\n", + optarg); + exit(EXIT_FAILURE); + } break; } case 'p': { char *position; /* -p must have the format host:port. */ - if (NULL == (position = strchr(optarg, ':')) - || position == optarg - || 0 == strlen(position + 1) - || 0 >= atoi(position + 1) - || 0xffff < atoi(position + 1)) { - print_usage(argv[0]); - fprintf(stderr, "\ninvalid -p, format host:port\n"); + if ((position = strchr(optarg, ':')) == NULL + || optarg == position + || strlen(position + 1) == 0 + || atoi(position + 1) <= 0 + || atoi(position + 1) > 0xffff) { + fprintf(stderr, "invalid -p: '%s', format host:port\n", + optarg); exit(EXIT_FAILURE); } global_proxy_host = malloc((size_t)(position - optarg) + 1); - if (NULL == global_proxy_host) { + if (global_proxy_host == NULL) { perror("malloc()"); exit(EXIT_FAILURE); } @@ -293,7 +316,7 @@ static void parse_arguments(int argc, char **argv) { global_proxy_host[position - optarg] = '\0'; global_proxy_port = malloc(strlen(position + 1) + 1); - if (NULL == global_proxy_port) { + if (global_proxy_port == NULL) { perror("malloc()"); exit(EXIT_FAILURE); } @@ -302,14 +325,18 @@ static void parse_arguments(int argc, char **argv) { break; } case 't': { - if (0 >= atoi(optarg)) { - print_usage(argv[0]); - fprintf(stderr, "\n-t positive number required\n"); + if (atoi(optarg) <= 0) { + fprintf(stderr, "-t positive number required: '%s'\n", + optarg); exit(EXIT_FAILURE); } thread_count = (size_t)atoi(optarg); break; } + case 'u': { + global_passthrough_unknown = 1; + break; + } case 'h': default: /* '?' */ print_usage(argv[0]); @@ -318,63 +345,74 @@ static void parse_arguments(int argc, char **argv) { } if (optind >= argc) { - print_usage(argv[0]); - fprintf(stderr, "\nport missing\n"); + fprintf(stderr, "port missing\n"); exit(EXIT_FAILURE); } } static void print_usage(const char *argv) { - fprintf(stderr, "Usage: %s [-d level] [-p host:port] [-t count] port\n", + fprintf(stderr, "tlsproxy %s, a certificate checking TLS proxy\n", + VERSION); + fprintf(stderr, "Usage: %s [-a file] [-d level] [-p host:port] [-t count] [-u] port\n", argv); fprintf(stderr, "\n"); + fprintf(stderr, "-a digest authentication file [default: none]\n"); fprintf(stderr, "-d debug level: 0=errors only, 2=debug [default: 1]\n"); fprintf(stderr, "-p proxy hostname and port\n"); fprintf(stderr, "-t number of threads [default: 10]\n"); + fprintf(stderr, "-u passthrough connection if no certificate is stored \ +[default: error]\n"); + fprintf(stderr, " WARNING: might be a security problem!\n"); } static void initialize_gnutls(void) { int result; - gcry_error_t error = 0; +/* Recent versions of GnuTLS automatically initialize the cryptography layer + * in gnutls_global_init(). */ +#if GNUTLS_VERSION_NUMBER <= 0x020b00 + gcry_error_t error; /* Thread safe setup. Must be called before gnutls_global_init(). */ error = gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); - if (error) { + if (error != 0) { fprintf(stderr, "gcry_control(): %s/%s\n", gcry_strsource(error), gcry_strerror(error)); exit(EXIT_FAILURE); } /* Prevent usage of blocking /dev/random. */ error = gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); - if (error) { + if (error != 0) { fprintf(stderr, "gcry_control(): %s/%s\n", gcry_strsource(error), gcry_strerror(error)); exit(EXIT_FAILURE); } +#endif /* Initialize GnuTLS. */ result = gnutls_global_init(); GNUTLS_ERROR_EXIT(result, "gnutls_global_init()"); /* Setup GnuTLS cipher suites. */ - result = gnutls_priority_init(&tls_priority_cache, "NORMAL", NULL); + result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL); GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()"); /* Generate Diffie-Hellman parameters. */ - result = gnutls_dh_params_init(&tls_dh_params); + result = gnutls_dh_params_init(&global_tls_dh_params); GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()"); - result = gnutls_dh_params_generate2(tls_dh_params, DH_SIZE); + result = gnutls_dh_params_generate2(global_tls_dh_params, DH_SIZE); GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_generate2()"); } static void deinitialize_gnutls(void) { - gnutls_dh_params_deinit(tls_dh_params); - gnutls_priority_deinit(tls_priority_cache); + gnutls_dh_params_deinit(global_tls_dh_params); + gnutls_priority_deinit(global_tls_priority_cache); gnutls_global_deinit(); } -static void worker_thread(void) { +static void *worker_thread(void *unused) { int client_socket; + (void)unused; + for (;;) { /* Get next element from ring buffer. */ P(ringbuffer_full); @@ -385,10 +423,54 @@ static void worker_thread(void) { V(ringbuffer_free); /* Negative value indicates we should shut down our thread. */ - if (0 > client_socket) { + if (client_socket < 0) { break; } handle_connection(client_socket); } + + return NULL; +} + +static char *slurp_file(const char *path) { + struct stat stat; + size_t size_read; + char *content = NULL; + + FILE *file = fopen(path, "r"); + if (file == NULL) { + return NULL; + } + + ct_assert(sizeof(stat.st_size) <= sizeof(size_t)); + + if (fstat(fileno(file), &stat) != 0) { + goto out; + } + if (stat.st_size < 0) { /* just in case ... */ + abort(); + } else if ((size_t)stat.st_size >= SIZE_MAX - 1) { + errno = 0; + goto out; + } + + content = malloc((size_t)stat.st_size + 1); + if (content == NULL) { + goto out; + } + + errno = 0; + size_read = fread(content, 1, (size_t)stat.st_size, file); + if (size_read != (size_t)stat.st_size) { + free(content); + content = NULL; + goto out; + } + content[size_read] = '\0'; + +out: + fclose(file); + + return content; }