X-Git-Url: https://ruderich.org/simon/gitweb/?p=tlsproxy%2Ftlsproxy.git;a=blobdiff_plain;f=src%2Ftlsproxy.c;h=40729f08c8240938ea24dca75597a96115c2c474;hp=ba8386b2125c9ddf56efae46848eb772ff484701;hb=4b64428fe11db22f70c304de1bc9f0cc95f1d189;hpb=f4eb585e927d86ece30067bdf8e96abe8058f5d2 diff --git a/src/tlsproxy.c b/src/tlsproxy.c index ba8386b..40729f0 100644 --- a/src/tlsproxy.c +++ b/src/tlsproxy.c @@ -28,12 +28,15 @@ #include #include #include +#include #include #include +#if GNUTLS_VERSION_NUMBER <= 0x020b00 /* Necessary for GnuTLS when used with threads. */ #include GCRY_THREAD_OPTION_PTHREAD_IMPL; +#endif /* Size of ringbuffer. */ @@ -52,7 +55,7 @@ GCRY_THREAD_OPTION_PTHREAD_IMPL; /* Server should shut down. Set by SIGINT handler. */ -static volatile int done = 0; +static volatile int done; /* = 0 */ /* Number of threads. */ static size_t thread_count; @@ -72,6 +75,7 @@ static void sigint_handler(int signal); static void parse_arguments(int argc, char **argv); static void print_usage(const char *argv); +static char *slurp_file(const char *path); static void initialize_gnutls(void); static void deinitialize_gnutls(void); @@ -93,6 +97,10 @@ int main(int argc, char **argv) { struct sigaction action; + /* Required in a few places. */ + ct_assert(sizeof(size_t) >= sizeof(int)); + ct_assert(sizeof(size_t) >= sizeof(ssize_t)); + parse_arguments(argc, argv); port = atoi(argv[argc - 1]); @@ -101,8 +109,8 @@ int main(int argc, char **argv) { return EXIT_FAILURE; } + memset(&action, 0, sizeof(action)); sigemptyset(&action.sa_mask); - action.sa_flags = 0; #ifdef DEBUG /* Setup our SIGINT signal handler which allows a "normal" termination of * the server in DEBUG mode. */ @@ -147,13 +155,13 @@ int main(int argc, char **argv) { #else server_socket = socket(PF_INET6, SOCK_STREAM, 0); #endif - if (server_socket == -1) { + if (server_socket < 0) { perror("socket()"); return EXIT_FAILURE; } /* Fast rebinding for debug mode, could cause invalid packets. */ - if (global_log_level >= LOG_DEBUG_LEVEL) { + if (global_log_level >= LOG_DEBUG1_LEVEL) { int socket_option = 1; setsockopt(server_socket, SOL_SOCKET, SO_REUSEADDR, &socket_option, sizeof(socket_option)); @@ -171,17 +179,17 @@ int main(int argc, char **argv) { server_in.sin6_port = htons((uint16_t)port); /* port to bind to */ #endif if (bind(server_socket, (struct sockaddr *)&server_in, - sizeof(server_in)) == -1) { + sizeof(server_in)) != 0) { perror("bind()"); return EXIT_FAILURE; } /* And accept connections. */ - if (listen(server_socket, 5) == -1) { + if (listen(server_socket, 5) != 0) { perror("listen()"); return EXIT_FAILURE; } - if (global_log_level >= LOG_DEBUG_LEVEL) { + if (global_log_level >= LOG_DEBUG1_LEVEL) { printf("tlsproxy %s\n", VERSION); printf("Listening for connections on port %d.\n", port); @@ -194,7 +202,7 @@ int main(int argc, char **argv) { while (!done) { /* Accept new connection. */ client_socket = accept(server_socket, NULL, NULL); - if (client_socket == -1) { + if (client_socket < 0) { perror("accept()"); break; } @@ -256,8 +264,26 @@ static void parse_arguments(int argc, char **argv) { #endif global_passthrough_unknown = 0; - while ((option = getopt(argc, argv, "d:p:t:uh?")) != -1) { + while ((option = getopt(argc, argv, "a:d:p:t:uh?")) != -1) { switch (option) { + case 'a': { + http_digest_authorization = slurp_file(optarg); + if (http_digest_authorization == NULL) { + fprintf(stderr, "failed to open authorization file '%s': ", + optarg); + perror(""); + exit(EXIT_FAILURE); + } else if (strlen(http_digest_authorization) == 0) { + fprintf(stderr, "empty authorization file '%s'\n", + optarg); + exit(EXIT_FAILURE); + } + + /* Just in case the file has a trailing newline. */ + strtok(http_digest_authorization, "\r\n"); + + break; + } case 'd': { global_log_level = atoi(optarg); if (global_log_level < 0) { @@ -326,9 +352,10 @@ static void parse_arguments(int argc, char **argv) { static void print_usage(const char *argv) { fprintf(stderr, "tlsproxy %s, a certificate checking TLS proxy\n", VERSION); - fprintf(stderr, "Usage: %s [-d level] [-p host:port] [-t count] [-u] port\n", + fprintf(stderr, "Usage: %s [-a file] [-d level] [-p host:port] [-t count] [-u] port\n", argv); fprintf(stderr, "\n"); + fprintf(stderr, "-a digest authentication file [default: none]\n"); fprintf(stderr, "-d debug level: 0=errors only, 2=debug [default: 1]\n"); fprintf(stderr, "-p proxy hostname and port\n"); fprintf(stderr, "-t number of threads [default: 10]\n"); @@ -339,6 +366,9 @@ static void print_usage(const char *argv) { static void initialize_gnutls(void) { int result; +/* Recent versions of GnuTLS automatically initialize the cryptography layer + * in gnutls_global_init(). */ +#if GNUTLS_VERSION_NUMBER <= 0x020b00 gcry_error_t error; /* Thread safe setup. Must be called before gnutls_global_init(). */ @@ -355,6 +385,7 @@ static void initialize_gnutls(void) { gcry_strerror(error)); exit(EXIT_FAILURE); } +#endif /* Initialize GnuTLS. */ result = gnutls_global_init(); @@ -401,3 +432,45 @@ static void *worker_thread(void *unused) { return NULL; } + +static char *slurp_file(const char *path) { + struct stat stat; + size_t size_read; + char *content = NULL; + + FILE *file = fopen(path, "r"); + if (file == NULL) { + return NULL; + } + + ct_assert(sizeof(stat.st_size) <= sizeof(size_t)); + + if (fstat(fileno(file), &stat) != 0) { + goto out; + } + if (stat.st_size < 0) { /* just in case ... */ + abort(); + } else if ((size_t)stat.st_size >= SIZE_MAX - 1) { + errno = 0; + goto out; + } + + content = malloc((size_t)stat.st_size + 1); + if (content == NULL) { + goto out; + } + + errno = 0; + size_read = fread(content, 1, (size_t)stat.st_size, file); + if (size_read != (size_t)stat.st_size) { + free(content); + content = NULL; + goto out; + } + content[size_read] = '\0'; + +out: + fclose(file); + + return content; +}