X-Git-Url: https://ruderich.org/simon/gitweb/?p=tlsproxy%2Ftlsproxy.git;a=blobdiff_plain;f=src%2Ftlsproxy.c;h=751c8604c83e7ae22fb4106eb0a34c27d35a027d;hp=625ed0803e93fc05d96bed988d85c98c052e79b5;hb=9f7ef8fa5c5216ac2510d2b4acb3b1b5c26886d1;hpb=a6880da1a7e80f74bed1caf0d2ed6e9034ea2245 diff --git a/src/tlsproxy.c b/src/tlsproxy.c index 625ed08..751c860 100644 --- a/src/tlsproxy.c +++ b/src/tlsproxy.c @@ -3,7 +3,7 @@ * ensures the server certificate doesn't change. Normally this isn't detected * if a trusted CA for the new server certificate is installed. * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -23,43 +23,38 @@ #include "sem.h" #include "connection.h" -/* socket(), bind(), accept(), listen() */ -#include -#include -/* close() */ -#include -/* htons() */ #include -/* sigaction() */ -#include -/* errno */ +#include #include -/* pthread_*() */ #include +#include +#include +#include +#include +#include +#include -/* For GnuTLS. */ +#if GNUTLS_VERSION_NUMBER <= 0x020b00 +/* Necessary for GnuTLS when used with threads. */ #include - GCRY_THREAD_OPTION_PTHREAD_IMPL; +#endif /* Size of ringbuffer. */ #define RINGBUFFER_SIZE 10 -/* Bit size of Diffie-Hellman key exchange parameters. */ -#define DH_SIZE 1024 - /* For gnutls_*() functions. */ #define GNUTLS_ERROR_EXIT(error, message) \ - if (GNUTLS_E_SUCCESS != error) { \ + if (error != GNUTLS_E_SUCCESS) { \ fprintf(stderr, "%s: %s\n", message, gnutls_strerror(error)); \ exit(EXIT_FAILURE); \ } /* Server should shut down. Set by SIGINT handler. */ -static volatile int done = 0; +static volatile int done; /* = 0 */ /* Number of threads. */ static size_t thread_count; @@ -79,11 +74,12 @@ static void sigint_handler(int signal); static void parse_arguments(int argc, char **argv); static void print_usage(const char *argv); +static char *slurp_text_file(const char *path); static void initialize_gnutls(void); static void deinitialize_gnutls(void); -static void worker_thread(void); +static void *worker_thread(void *unused); int main(int argc, char **argv) { @@ -100,20 +96,23 @@ int main(int argc, char **argv) { struct sigaction action; + /* Required in a few places. */ + ct_assert(sizeof(size_t) >= sizeof(int)); + ct_assert(sizeof(size_t) >= sizeof(ssize_t)); + parse_arguments(argc, argv); port = atoi(argv[argc - 1]); - if (0 >= port || 0xffff < port) { - print_usage(argv[0]); - fprintf(stderr, "\ninvalid port\n"); + if (port <= 0 || port > 0xffff ) { + fprintf(stderr, "invalid port: '%s'\n", argv[argc - 1]); return EXIT_FAILURE; } - /* Setup our SIGINT signal handler which allows a "normal" termination of - * the server in DEBUG mode. */ + memset(&action, 0, sizeof(action)); sigemptyset(&action.sa_mask); - action.sa_flags = 0; #ifdef DEBUG + /* Setup our SIGINT signal handler which allows a "normal" termination of + * the server in DEBUG mode. */ action.sa_handler = sigint_handler; sigaction(SIGINT, &action, NULL); #endif @@ -137,25 +136,17 @@ int main(int argc, char **argv) { initialize_gnutls(); /* Spawn worker threads to handle requests. */ - threads = (pthread_t *)malloc(thread_count * sizeof(pthread_t)); - if (NULL == threads) { + threads = malloc(thread_count * sizeof(*threads)); + if (threads == NULL) { perror("thread malloc failed"); return EXIT_FAILURE; } for (i = 0; i < thread_count; i++) { - int result; - pthread_t thread; - - result = pthread_create(&thread, NULL, - (void * (*)(void *))&worker_thread, - NULL); - if (0 != result) { - fprintf(stderr, "failed to create worker thread: %s\n", - strerror(result)); + errno = pthread_create(threads + i, NULL, &worker_thread, NULL); + if (errno != 0) { + perror("failed to create worker thread"); return EXIT_FAILURE; } - - threads[i] = thread; } #ifdef USE_IPV4_ONLY @@ -163,13 +154,13 @@ int main(int argc, char **argv) { #else server_socket = socket(PF_INET6, SOCK_STREAM, 0); #endif - if (-1 == server_socket) { + if (server_socket < 0) { perror("socket()"); return EXIT_FAILURE; } /* Fast rebinding for debug mode, could cause invalid packets. */ - if (LOG_DEBUG <= global_log_level) { + if (global_log_level >= LOG_DEBUG1_LEVEL) { int socket_option = 1; setsockopt(server_socket, SOL_SOCKET, SO_REUSEADDR, &socket_option, sizeof(socket_option)); @@ -186,21 +177,22 @@ int main(int argc, char **argv) { server_in.sin6_addr = in6addr_any; /* bind to any address */ server_in.sin6_port = htons((uint16_t)port); /* port to bind to */ #endif - if (-1 == bind(server_socket, (struct sockaddr *)&server_in, - sizeof(server_in))) { + if (bind(server_socket, (struct sockaddr *)&server_in, + sizeof(server_in)) != 0) { perror("bind()"); return EXIT_FAILURE; } /* And accept connections. */ - if (-1 == listen(server_socket, 5)) { + if (listen(server_socket, 5) != 0) { perror("listen()"); return EXIT_FAILURE; } - if (LOG_DEBUG <= global_log_level) { + if (global_log_level >= LOG_DEBUG1_LEVEL) { + printf("tlsproxy %s\n", VERSION); printf("Listening for connections on port %d.\n", port); - if (NULL != global_proxy_host && NULL != global_proxy_port) { + if (global_proxy_host != NULL && global_proxy_port != NULL) { printf("Using proxy: %s:%s.\n", global_proxy_host, global_proxy_port); } @@ -209,12 +201,12 @@ int main(int argc, char **argv) { while (!done) { /* Accept new connection. */ client_socket = accept(server_socket, NULL, NULL); - if (-1 == client_socket) { + if (client_socket < 0) { perror("accept()"); break; } - /* No lock, we only have one producer! */ + /* No lock necessary, we only have one producer! */ P(ringbuffer_free); ringbuffer[ringbuffer_write] = client_socket; ringbuffer_write = (ringbuffer_write + 1) % RINGBUFFER_SIZE; @@ -232,15 +224,14 @@ int main(int argc, char **argv) { } for (i = 0; i < thread_count; i++) { errno = pthread_join(threads[i], NULL); - if (0 != errno) { + if (errno != 0) { perror("pthread_join()"); - continue; } } - free(ringbuffer_full); - free(ringbuffer_free); - free(ringbuffer_lock); + sem_del(ringbuffer_full); + sem_del(ringbuffer_free); + sem_del(ringbuffer_lock); free(threads); @@ -248,6 +239,7 @@ int main(int argc, char **argv) { free(global_proxy_host); free(global_proxy_port); + free(global_http_digest_authorization); return EXIT_FAILURE; } @@ -266,39 +258,57 @@ static void parse_arguments(int argc, char **argv) { /* Default values. */ thread_count = 10; #ifdef DEBUG - global_log_level = LOG_DEBUG; + global_log_level = LOG_DEBUG2_LEVEL; #else - global_log_level = LOG_WARNING; + global_log_level = LOG_WARNING_LEVEL; #endif global_passthrough_unknown = 0; - while (-1 != (option = getopt(argc, argv, "d:p:t:uh?"))) { + while ((option = getopt(argc, argv, "a:d:p:t:uh?")) != -1) { switch (option) { - case 'd': { - if (0 > atoi(optarg)) { - print_usage(argv[0]); - fprintf(stderr, "\n-d positive number required\n"); + case 'a': { + global_http_digest_authorization = slurp_text_file(optarg); + if (global_http_digest_authorization == NULL) { + fprintf(stderr, "failed to open authorization file '%s': ", + optarg); + perror(""); + exit(EXIT_FAILURE); + } else if (strlen(global_http_digest_authorization) == 0) { + fprintf(stderr, "empty authorization file '%s'\n", + optarg); exit(EXIT_FAILURE); } + + /* Just in case the file has a trailing newline. */ + strtok(global_http_digest_authorization, "\r\n"); + + break; + } + case 'd': { global_log_level = atoi(optarg); + if (global_log_level < 0) { + fprintf(stderr, "-d positive number required: '%s'\n", + optarg); + exit(EXIT_FAILURE); + } break; } case 'p': { char *position; /* -p must have the format host:port. */ - if (NULL == (position = strchr(optarg, ':')) - || position == optarg - || 0 == strlen(position + 1) - || 0 >= atoi(position + 1) - || 0xffff < atoi(position + 1)) { - print_usage(argv[0]); - fprintf(stderr, "\ninvalid -p, format host:port\n"); + if ((position = strchr(optarg, ':')) == NULL + || optarg == position + || strlen(position + 1) == 0 + || atoi(position + 1) <= 0 + || atoi(position + 1) > 0xffff) { + fprintf(stderr, "invalid -p: '%s', format host:port\n", + optarg); exit(EXIT_FAILURE); } global_proxy_host = malloc((size_t)(position - optarg) + 1); - if (NULL == global_proxy_host) { + if (global_proxy_host == NULL) { perror("malloc()"); exit(EXIT_FAILURE); } @@ -306,7 +316,7 @@ static void parse_arguments(int argc, char **argv) { global_proxy_host[position - optarg] = '\0'; global_proxy_port = malloc(strlen(position + 1) + 1); - if (NULL == global_proxy_port) { + if (global_proxy_port == NULL) { perror("malloc()"); exit(EXIT_FAILURE); } @@ -315,9 +325,9 @@ static void parse_arguments(int argc, char **argv) { break; } case 't': { - if (0 >= atoi(optarg)) { - print_usage(argv[0]); - fprintf(stderr, "\n-t positive number required\n"); + if (atoi(optarg) <= 0) { + fprintf(stderr, "-t positive number required: '%s'\n", + optarg); exit(EXIT_FAILURE); } thread_count = (size_t)atoi(optarg); @@ -335,16 +345,18 @@ static void parse_arguments(int argc, char **argv) { } if (optind >= argc) { - print_usage(argv[0]); - fprintf(stderr, "\nport missing\n"); + fprintf(stderr, "port missing\n"); exit(EXIT_FAILURE); } } static void print_usage(const char *argv) { - fprintf(stderr, "Usage: %s [-d level] [-p host:port] [-t count] [-u] port\n", + fprintf(stderr, "tlsproxy %s, a certificate checking TLS proxy\n", + VERSION); + fprintf(stderr, "Usage: %s [-a file] [-d level] [-p host:port] [-t count] [-u] port\n", argv); fprintf(stderr, "\n"); - fprintf(stderr, "-d debug level: 0=errors only, 2=debug [default: 1]\n"); + fprintf(stderr, "-a digest authentication file [default: none]\n"); + fprintf(stderr, "-d debug level: 0=errors only, 2=debug, 3=more debug [default: 1]\n"); fprintf(stderr, "-p proxy hostname and port\n"); fprintf(stderr, "-t number of threads [default: 10]\n"); fprintf(stderr, "-u passthrough connection if no certificate is stored \ @@ -352,38 +364,78 @@ static void print_usage(const char *argv) { fprintf(stderr, " WARNING: might be a security problem!\n"); } +#if 0 +static void log_function_gnutls(int level, const char *string) { + (void)level; + fprintf(stderr, " => %s", string); +} +#endif + static void initialize_gnutls(void) { int result; - gcry_error_t error = 0; + char *dh_parameters; + gnutls_datum_t dh_parameters_datum; + +/* Recent versions of GnuTLS automatically initialize the cryptography layer + * in gnutls_global_init(), including a thread-safe setup. */ +#if GNUTLS_VERSION_NUMBER <= 0x020b00 + gcry_error_t error; /* Thread safe setup. Must be called before gnutls_global_init(). */ error = gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); - if (error) { + if (error != 0) { fprintf(stderr, "gcry_control(): %s/%s\n", gcry_strsource(error), gcry_strerror(error)); exit(EXIT_FAILURE); } /* Prevent usage of blocking /dev/random. */ error = gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); - if (error) { + if (error != 0) { fprintf(stderr, "gcry_control(): %s/%s\n", gcry_strsource(error), gcry_strerror(error)); exit(EXIT_FAILURE); } +#endif + + if (gnutls_check_version(GNUTLS_VERSION) == NULL) { + fprintf(stderr, "gnutls_check_version(): version mismatch, " + "expected at least '" GNUTLS_VERSION "'\n"); + exit(EXIT_FAILURE); + } /* Initialize GnuTLS. */ result = gnutls_global_init(); GNUTLS_ERROR_EXIT(result, "gnutls_global_init()"); +#if 0 + gnutls_global_set_log_level(10); + gnutls_global_set_log_function(log_function_gnutls); +#endif + /* Setup GnuTLS cipher suites. */ - result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL); + result = gnutls_priority_init(&global_tls_priority_cache, + PROXY_TLS_PRIORITIES, NULL); GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()"); - /* Generate Diffie-Hellman parameters. */ + /* Read Diffie-Hellman parameters. */ + dh_parameters = slurp_text_file(PROXY_DH_PATH); + if (dh_parameters == NULL) { + fprintf(stderr, PROXY_DH_PATH " missing, " + "use `tlsproxy-setup` to create it\n"); + exit(EXIT_FAILURE); + } + dh_parameters_datum.data = (unsigned char *)dh_parameters; + assert(strlen(dh_parameters) <= UINT_MAX); + dh_parameters_datum.size = (unsigned int)(strlen(dh_parameters)); + result = gnutls_dh_params_init(&global_tls_dh_params); GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()"); - result = gnutls_dh_params_generate2(global_tls_dh_params, DH_SIZE); - GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_generate2()"); + result = gnutls_dh_params_import_pkcs3(global_tls_dh_params, + &dh_parameters_datum, + GNUTLS_X509_FMT_PEM); + GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_import_pkcs3()"); + + free(dh_parameters); } static void deinitialize_gnutls(void) { gnutls_dh_params_deinit(global_tls_dh_params); @@ -392,9 +444,11 @@ static void deinitialize_gnutls(void) { gnutls_global_deinit(); } -static void worker_thread(void) { +static void *worker_thread(void *unused) { int client_socket; + (void)unused; + for (;;) { /* Get next element from ring buffer. */ P(ringbuffer_full); @@ -405,10 +459,54 @@ static void worker_thread(void) { V(ringbuffer_free); /* Negative value indicates we should shut down our thread. */ - if (0 > client_socket) { + if (client_socket < 0) { break; } handle_connection(client_socket); } + + return NULL; +} + +static char *slurp_text_file(const char *path) { + struct stat stat; + size_t size_read; + char *content = NULL; + + FILE *file = fopen(path, "r"); + if (file == NULL) { + return NULL; + } + + ct_assert(sizeof(stat.st_size) <= sizeof(size_t)); + + if (fstat(fileno(file), &stat) != 0) { + goto out; + } + if (stat.st_size < 0) { /* just in case ... */ + abort(); + } else if ((size_t)stat.st_size >= SIZE_MAX - 1) { + errno = 0; + goto out; + } + + content = malloc((size_t)stat.st_size + 1); + if (content == NULL) { + goto out; + } + + errno = 0; + size_read = fread(content, 1, (size_t)stat.st_size, file); + if (size_read != (size_t)stat.st_size) { + free(content); + content = NULL; + goto out; + } + content[size_read] = '\0'; + +out: + fclose(file); + + return content; }