X-Git-Url: https://ruderich.org/simon/gitweb/?p=tlsproxy%2Ftlsproxy.git;a=blobdiff_plain;f=src%2Ftlsproxy.c;h=40729f08c8240938ea24dca75597a96115c2c474;hp=70cf49d8b85b545bfe85c3aeddf1bf0729d2e7e2;hb=4b64428fe11db22f70c304de1bc9f0cc95f1d189;hpb=643caf202af98fa5ebe83f642db459a04067e92f diff --git a/src/tlsproxy.c b/src/tlsproxy.c index 70cf49d..40729f0 100644 --- a/src/tlsproxy.c +++ b/src/tlsproxy.c @@ -1,7 +1,9 @@ /* - * tlsproxy is a transparent TLS proxy for HTTPS connections. + * tlsproxy is a TLS proxy for HTTPS which intercepts the connections and + * ensures the server certificate doesn't change. Normally this isn't detected + * if a trusted CA for the new server certificate is installed. * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -21,29 +23,43 @@ #include "sem.h" #include "connection.h" -/* socket(), bind(), accept(), listen() */ -#include -#include -/* close() */ -#include -/* htons() */ #include -/* sigaction() */ -#include -/* errno */ #include -/* pthread_*() */ #include +#include +#include +#include +#include +#include + +#if GNUTLS_VERSION_NUMBER <= 0x020b00 +/* Necessary for GnuTLS when used with threads. */ +#include +GCRY_THREAD_OPTION_PTHREAD_IMPL; +#endif + /* Size of ringbuffer. */ #define RINGBUFFER_SIZE 10 +/* Bit size of Diffie-Hellman key exchange parameters. */ +#define DH_SIZE 1024 + + +/* For gnutls_*() functions. */ +#define GNUTLS_ERROR_EXIT(error, message) \ + if (error != GNUTLS_E_SUCCESS) { \ + fprintf(stderr, "%s: %s\n", message, gnutls_strerror(error)); \ + exit(EXIT_FAILURE); \ + } + /* Server should shut down. Set by SIGINT handler. */ -static volatile int done; +static volatile int done; /* = 0 */ /* Number of threads. */ static size_t thread_count; + /* Synchronized ring buffer storing accept()ed client sockets. */ static int ringbuffer[RINGBUFFER_SIZE]; static int ringbuffer_read; @@ -53,39 +69,57 @@ static SEM *ringbuffer_free; /* Space for another element in the buffer? */ static SEM *ringbuffer_lock; /* Read lock. */ +#ifdef DEBUG static void sigint_handler(int signal); +#endif static void parse_arguments(int argc, char **argv); static void print_usage(const char *argv); +static char *slurp_file(const char *path); + +static void initialize_gnutls(void); +static void deinitialize_gnutls(void); -static void worker_thread(void); +static void *worker_thread(void *unused); int main(int argc, char **argv) { int port; int client_socket, server_socket; +#ifdef USE_IPV4_ONLY + struct sockaddr_in server_in; +#else struct sockaddr_in6 server_in; +#endif size_t i; pthread_t *threads; struct sigaction action; + /* Required in a few places. */ + ct_assert(sizeof(size_t) >= sizeof(int)); + ct_assert(sizeof(size_t) >= sizeof(ssize_t)); + parse_arguments(argc, argv); port = atoi(argv[argc - 1]); - if (0 >= port || 0xffff < port) { - print_usage(argv[0]); - fprintf(stderr, "\ninvalid port"); + if (port <= 0 || port > 0xffff ) { + fprintf(stderr, "invalid port: '%s'\n", argv[argc - 1]); return EXIT_FAILURE; } - /* Setup our SIGINT signal handler which allows a "normal" termination of - * the server. */ + memset(&action, 0, sizeof(action)); sigemptyset(&action.sa_mask); +#ifdef DEBUG + /* Setup our SIGINT signal handler which allows a "normal" termination of + * the server in DEBUG mode. */ action.sa_handler = sigint_handler; - action.sa_flags = 0; sigaction(SIGINT, &action, NULL); +#endif + /* Ignore SIGPIPEs. */ + action.sa_handler = SIG_IGN; + sigaction(SIGPIPE, &action, NULL); /* Initialize ring buffer. */ ringbuffer_read = 0; @@ -100,75 +134,80 @@ int main(int argc, char **argv) { return EXIT_FAILURE; } + initialize_gnutls(); + /* Spawn worker threads to handle requests. */ - threads = (pthread_t *)malloc(thread_count * sizeof(pthread_t)); - if (NULL == threads) { + threads = malloc(thread_count * sizeof(*threads)); + if (threads == NULL) { perror("thread malloc failed"); return EXIT_FAILURE; } for (i = 0; i < thread_count; i++) { - int result; - pthread_t thread; - - result = pthread_create(&thread, NULL, - (void * (*)(void *))&worker_thread, - NULL); - if (0 != result) { - printf("failed to create worker thread: %s\n", strerror(result)); + errno = pthread_create(threads + i, NULL, &worker_thread, NULL); + if (errno != 0) { + perror("failed to create worker thread"); return EXIT_FAILURE; } - - threads[i] = thread; } +#ifdef USE_IPV4_ONLY + server_socket = socket(PF_INET, SOCK_STREAM, 0); +#else server_socket = socket(PF_INET6, SOCK_STREAM, 0); - if (-1 == server_socket) { +#endif + if (server_socket < 0) { perror("socket()"); return EXIT_FAILURE; } -#ifdef DEBUG /* Fast rebinding for debug mode, could cause invalid packets. */ - { + if (global_log_level >= LOG_DEBUG1_LEVEL) { int socket_option = 1; setsockopt(server_socket, SOL_SOCKET, SO_REUSEADDR, &socket_option, sizeof(socket_option)); } -#endif /* Bind to the listen socket. */ memset(&server_in, 0, sizeof(server_in)); +#ifdef USE_IPV4_ONLY + server_in.sin_family = AF_INET; /* IPv4 only */ + server_in.sin_addr.s_addr = htonl(INADDR_ANY); /* bind to any address */ + server_in.sin_port = htons((uint16_t)port); /* port to bind to */ +#else server_in.sin6_family = AF_INET6; /* IPv6 (and IPv4) */ server_in.sin6_addr = in6addr_any; /* bind to any address */ server_in.sin6_port = htons((uint16_t)port); /* port to bind to */ - if (-1 == bind(server_socket, (struct sockaddr *)&server_in, - sizeof(server_in))) { +#endif + if (bind(server_socket, (struct sockaddr *)&server_in, + sizeof(server_in)) != 0) { perror("bind()"); return EXIT_FAILURE; } /* And accept connections. */ - if (-1 == listen(server_socket, 5)) { + if (listen(server_socket, 5) != 0) { perror("listen()"); return EXIT_FAILURE; } -#ifdef DEBUG - printf("Listening for connections on port %d.\n", port); + if (global_log_level >= LOG_DEBUG1_LEVEL) { + printf("tlsproxy %s\n", VERSION); + printf("Listening for connections on port %d.\n", port); - if (NULL != use_proxy_host && NULL != use_proxy_port) { - printf("Using proxy: %s:%s.\n", use_proxy_host, use_proxy_port); + if (global_proxy_host != NULL && global_proxy_port != NULL) { + printf("Using proxy: %s:%s.\n", global_proxy_host, + global_proxy_port); + } } -#endif while (!done) { /* Accept new connection. */ client_socket = accept(server_socket, NULL, NULL); - if (-1 == client_socket) { + if (client_socket < 0) { perror("accept()"); break; } - /* No lock, we only have one producer! */ + /* No lock necessary, we only have one producer! */ P(ringbuffer_free); ringbuffer[ringbuffer_write] = client_socket; ringbuffer_write = (ringbuffer_write + 1) % RINGBUFFER_SIZE; @@ -186,76 +225,118 @@ int main(int argc, char **argv) { } for (i = 0; i < thread_count; i++) { errno = pthread_join(threads[i], NULL); - if (0 != errno) { + if (errno != 0) { perror("pthread_join()"); - continue; } } - free(ringbuffer_full); - free(ringbuffer_free); - free(ringbuffer_lock); + sem_del(ringbuffer_full); + sem_del(ringbuffer_free); + sem_del(ringbuffer_lock); free(threads); - free(use_proxy_host); - free(use_proxy_port); + deinitialize_gnutls(); + + free(global_proxy_host); + free(global_proxy_port); return EXIT_FAILURE; } +#ifdef DEBUG static void sigint_handler(int signal_number) { (void)signal_number; done = 1; } +#endif static void parse_arguments(int argc, char **argv) { int option; /* Default values. */ thread_count = 10; +#ifdef DEBUG + global_log_level = LOG_DEBUG_LEVEL; +#else + global_log_level = LOG_WARNING_LEVEL; +#endif + global_passthrough_unknown = 0; - while (-1 != (option = getopt(argc, argv, "p:t:h?"))) { + while ((option = getopt(argc, argv, "a:d:p:t:uh?")) != -1) { switch (option) { + case 'a': { + http_digest_authorization = slurp_file(optarg); + if (http_digest_authorization == NULL) { + fprintf(stderr, "failed to open authorization file '%s': ", + optarg); + perror(""); + exit(EXIT_FAILURE); + } else if (strlen(http_digest_authorization) == 0) { + fprintf(stderr, "empty authorization file '%s'\n", + optarg); + exit(EXIT_FAILURE); + } + + /* Just in case the file has a trailing newline. */ + strtok(http_digest_authorization, "\r\n"); + + break; + } + case 'd': { + global_log_level = atoi(optarg); + if (global_log_level < 0) { + fprintf(stderr, "-d positive number required: '%s'\n", + optarg); + exit(EXIT_FAILURE); + } + break; + } case 'p': { char *position; /* -p must have the format host:port. */ - if (NULL == (position = strchr(optarg, ':')) - || position == optarg - || 0 == strlen(position + 1) - || 0 >= atoi(position + 1) - || 0xffff < atoi(position + 1)) { - fprintf(stderr, "-p host:port\n"); + if ((position = strchr(optarg, ':')) == NULL + || optarg == position + || strlen(position + 1) == 0 + || atoi(position + 1) <= 0 + || atoi(position + 1) > 0xffff) { + fprintf(stderr, "invalid -p: '%s', format host:port\n", + optarg); exit(EXIT_FAILURE); } - use_proxy_host = malloc((size_t)(position - optarg) + 1); - if (NULL == use_proxy_host) { + global_proxy_host = malloc((size_t)(position - optarg) + 1); + if (global_proxy_host == NULL) { perror("malloc()"); exit(EXIT_FAILURE); } - memcpy(use_proxy_host, optarg, (size_t)(position - optarg)); - use_proxy_host[position - optarg] = '\0'; + memcpy(global_proxy_host, optarg, (size_t)(position - optarg)); + global_proxy_host[position - optarg] = '\0'; - use_proxy_port = malloc(strlen(position + 1) + 1); - if (NULL == use_proxy_port) { + global_proxy_port = malloc(strlen(position + 1) + 1); + if (global_proxy_port == NULL) { perror("malloc()"); exit(EXIT_FAILURE); } - strcpy(use_proxy_port, position + 1); + strcpy(global_proxy_port, position + 1); break; } case 't': { - if (0 >= atoi(optarg)) { - fprintf(stderr, "-t positive number required\n"); + if (atoi(optarg) <= 0) { + fprintf(stderr, "-t positive number required: '%s'\n", + optarg); exit(EXIT_FAILURE); } thread_count = (size_t)atoi(optarg); break; } + case 'u': { + global_passthrough_unknown = 1; + break; + } case 'h': default: /* '?' */ print_usage(argv[0]); @@ -264,20 +345,74 @@ static void parse_arguments(int argc, char **argv) { } if (optind >= argc) { - print_usage(argv[0]); + fprintf(stderr, "port missing\n"); exit(EXIT_FAILURE); } } static void print_usage(const char *argv) { - fprintf(stderr, "Usage: %s [-p host:port] port\n", argv); + fprintf(stderr, "tlsproxy %s, a certificate checking TLS proxy\n", + VERSION); + fprintf(stderr, "Usage: %s [-a file] [-d level] [-p host:port] [-t count] [-u] port\n", + argv); fprintf(stderr, "\n"); + fprintf(stderr, "-a digest authentication file [default: none]\n"); + fprintf(stderr, "-d debug level: 0=errors only, 2=debug [default: 1]\n"); fprintf(stderr, "-p proxy hostname and port\n"); fprintf(stderr, "-t number of threads [default: 10]\n"); + fprintf(stderr, "-u passthrough connection if no certificate is stored \ +[default: error]\n"); + fprintf(stderr, " WARNING: might be a security problem!\n"); +} + +static void initialize_gnutls(void) { + int result; +/* Recent versions of GnuTLS automatically initialize the cryptography layer + * in gnutls_global_init(). */ +#if GNUTLS_VERSION_NUMBER <= 0x020b00 + gcry_error_t error; + + /* Thread safe setup. Must be called before gnutls_global_init(). */ + error = gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); + if (error != 0) { + fprintf(stderr, "gcry_control(): %s/%s\n", gcry_strsource(error), + gcry_strerror(error)); + exit(EXIT_FAILURE); + } + /* Prevent usage of blocking /dev/random. */ + error = gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); + if (error != 0) { + fprintf(stderr, "gcry_control(): %s/%s\n", gcry_strsource(error), + gcry_strerror(error)); + exit(EXIT_FAILURE); + } +#endif + + /* Initialize GnuTLS. */ + result = gnutls_global_init(); + GNUTLS_ERROR_EXIT(result, "gnutls_global_init()"); + + /* Setup GnuTLS cipher suites. */ + result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL); + GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()"); + + /* Generate Diffie-Hellman parameters. */ + result = gnutls_dh_params_init(&global_tls_dh_params); + GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()"); + result = gnutls_dh_params_generate2(global_tls_dh_params, DH_SIZE); + GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_generate2()"); } +static void deinitialize_gnutls(void) { + gnutls_dh_params_deinit(global_tls_dh_params); + gnutls_priority_deinit(global_tls_priority_cache); -static void worker_thread(void) { + gnutls_global_deinit(); +} + +static void *worker_thread(void *unused) { int client_socket; + (void)unused; + for (;;) { /* Get next element from ring buffer. */ P(ringbuffer_full); @@ -294,4 +429,48 @@ static void worker_thread(void) { handle_connection(client_socket); } + + return NULL; +} + +static char *slurp_file(const char *path) { + struct stat stat; + size_t size_read; + char *content = NULL; + + FILE *file = fopen(path, "r"); + if (file == NULL) { + return NULL; + } + + ct_assert(sizeof(stat.st_size) <= sizeof(size_t)); + + if (fstat(fileno(file), &stat) != 0) { + goto out; + } + if (stat.st_size < 0) { /* just in case ... */ + abort(); + } else if ((size_t)stat.st_size >= SIZE_MAX - 1) { + errno = 0; + goto out; + } + + content = malloc((size_t)stat.st_size + 1); + if (content == NULL) { + goto out; + } + + errno = 0; + size_read = fread(content, 1, (size_t)stat.st_size, file); + if (size_read != (size_t)stat.st_size) { + free(content); + content = NULL; + goto out; + } + content[size_read] = '\0'; + +out: + fclose(file); + + return content; }