2 * tlsproxy is a TLS proxy for HTTPS which intercepts the connections and
3 * ensures the server certificate doesn't change. Normally this isn't detected
4 * if a trusted CA for the new server certificate is installed.
6 * Copyright (C) 2011-2013 Simon Ruderich
8 * This program is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "connection.h"
26 #include <arpa/inet.h>
31 #include <sys/socket.h>
33 #include <sys/types.h>
37 #if GNUTLS_VERSION_NUMBER <= 0x020b00
38 /* Necessary for GnuTLS when used with threads. */
40 GCRY_THREAD_OPTION_PTHREAD_IMPL;
44 /* Size of ringbuffer. */
45 #define RINGBUFFER_SIZE 10
48 /* For gnutls_*() functions. */
49 #define GNUTLS_ERROR_EXIT(error, message) \
50 if (error != GNUTLS_E_SUCCESS) { \
51 fprintf(stderr, "%s: %s\n", message, gnutls_strerror(error)); \
56 /* Server should shut down. Set by SIGINT handler. */
57 static volatile int done; /* = 0 */
59 /* Number of threads. */
60 static size_t thread_count;
62 /* Synchronized ring buffer storing accept()ed client sockets. */
63 static int ringbuffer[RINGBUFFER_SIZE];
64 static int ringbuffer_read;
65 static int ringbuffer_write;
66 static SEM *ringbuffer_full; /* At least one element in the buffer? */
67 static SEM *ringbuffer_free; /* Space for another element in the buffer? */
68 static SEM *ringbuffer_lock; /* Read lock. */
72 static void sigint_handler(int signal);
75 static void parse_arguments(int argc, char **argv);
76 static void print_usage(const char *argv);
77 static char *slurp_text_file(const char *path);
79 static void initialize_gnutls(void);
80 static void deinitialize_gnutls(void);
82 static void *worker_thread(void *unused);
85 int main(int argc, char **argv) {
87 int client_socket, server_socket;
89 struct sockaddr_in server_in;
91 struct sockaddr_in6 server_in;
97 struct sigaction action;
99 /* Required in a few places. */
100 ct_assert(sizeof(size_t) >= sizeof(int));
101 ct_assert(sizeof(size_t) >= sizeof(ssize_t));
103 parse_arguments(argc, argv);
105 port = atoi(argv[argc - 1]);
106 if (port <= 0 || port > 0xffff ) {
107 fprintf(stderr, "invalid port: '%s'\n", argv[argc - 1]);
111 memset(&action, 0, sizeof(action));
112 sigemptyset(&action.sa_mask);
114 /* Setup our SIGINT signal handler which allows a "normal" termination of
115 * the server in DEBUG mode. */
116 action.sa_handler = sigint_handler;
117 sigaction(SIGINT, &action, NULL);
119 /* Ignore SIGPIPEs. */
120 action.sa_handler = SIG_IGN;
121 sigaction(SIGPIPE, &action, NULL);
123 /* Initialize ring buffer. */
125 ringbuffer_write = 0;
126 ringbuffer_full = sem_init(0);
127 ringbuffer_free = sem_init(RINGBUFFER_SIZE);
128 ringbuffer_lock = sem_init(1);
129 if (NULL == ringbuffer_full
130 || NULL == ringbuffer_free
131 || NULL == ringbuffer_lock) {
132 perror("sem_init()");
138 /* Spawn worker threads to handle requests. */
139 threads = malloc(thread_count * sizeof(*threads));
140 if (threads == NULL) {
141 perror("thread malloc failed");
144 for (i = 0; i < thread_count; i++) {
145 errno = pthread_create(threads + i, NULL, &worker_thread, NULL);
147 perror("failed to create worker thread");
153 server_socket = socket(PF_INET, SOCK_STREAM, 0);
155 server_socket = socket(PF_INET6, SOCK_STREAM, 0);
157 if (server_socket < 0) {
162 /* Fast rebinding for debug mode, could cause invalid packets. */
163 if (global_log_level >= LOG_DEBUG1_LEVEL) {
164 int socket_option = 1;
165 setsockopt(server_socket, SOL_SOCKET, SO_REUSEADDR,
166 &socket_option, sizeof(socket_option));
169 /* Bind to the listen socket. */
170 memset(&server_in, 0, sizeof(server_in));
172 server_in.sin_family = AF_INET; /* IPv4 only */
173 server_in.sin_addr.s_addr = htonl(INADDR_ANY); /* bind to any address */
174 server_in.sin_port = htons((uint16_t)port); /* port to bind to */
176 server_in.sin6_family = AF_INET6; /* IPv6 (and IPv4) */
177 server_in.sin6_addr = in6addr_any; /* bind to any address */
178 server_in.sin6_port = htons((uint16_t)port); /* port to bind to */
180 if (bind(server_socket, (struct sockaddr *)&server_in,
181 sizeof(server_in)) != 0) {
185 /* And accept connections. */
186 if (listen(server_socket, 5) != 0) {
191 if (global_log_level >= LOG_DEBUG1_LEVEL) {
192 printf("tlsproxy %s\n", VERSION);
193 printf("Listening for connections on port %d.\n", port);
195 if (global_proxy_host != NULL && global_proxy_port != NULL) {
196 printf("Using proxy: %s:%s.\n", global_proxy_host,
202 /* Accept new connection. */
203 client_socket = accept(server_socket, NULL, NULL);
204 if (client_socket < 0) {
209 /* No lock necessary, we only have one producer! */
211 ringbuffer[ringbuffer_write] = client_socket;
212 ringbuffer_write = (ringbuffer_write + 1) % RINGBUFFER_SIZE;
216 close(server_socket);
218 /* Poison all threads and shut them down. */
219 for (i = 0; i < thread_count; i++) {
221 ringbuffer[ringbuffer_write] = -1; /* poison */
222 ringbuffer_write = (ringbuffer_write + 1) % RINGBUFFER_SIZE;
225 for (i = 0; i < thread_count; i++) {
226 errno = pthread_join(threads[i], NULL);
228 perror("pthread_join()");
232 sem_del(ringbuffer_full);
233 sem_del(ringbuffer_free);
234 sem_del(ringbuffer_lock);
238 deinitialize_gnutls();
240 free(global_proxy_host);
241 free(global_proxy_port);
242 free(global_http_digest_authorization);
248 static void sigint_handler(int signal_number) {
255 static void parse_arguments(int argc, char **argv) {
258 /* Default values. */
261 global_log_level = LOG_DEBUG2_LEVEL;
263 global_log_level = LOG_WARNING_LEVEL;
265 global_passthrough_unknown = 0;
267 while ((option = getopt(argc, argv, "a:d:p:t:uh?")) != -1) {
270 global_http_digest_authorization = slurp_text_file(optarg);
271 if (global_http_digest_authorization == NULL) {
272 fprintf(stderr, "failed to open authorization file '%s': ",
276 } else if (strlen(global_http_digest_authorization) == 0) {
277 fprintf(stderr, "empty authorization file '%s'\n",
282 /* Just in case the file has a trailing newline. */
283 strtok(global_http_digest_authorization, "\r\n");
288 global_log_level = atoi(optarg);
289 if (global_log_level < 0) {
290 fprintf(stderr, "-d positive number required: '%s'\n",
299 /* -p must have the format host:port. */
300 if ((position = strchr(optarg, ':')) == NULL
301 || optarg == position
302 || strlen(position + 1) == 0
303 || atoi(position + 1) <= 0
304 || atoi(position + 1) > 0xffff) {
305 fprintf(stderr, "invalid -p: '%s', format host:port\n",
310 global_proxy_host = malloc((size_t)(position - optarg) + 1);
311 if (global_proxy_host == NULL) {
315 memcpy(global_proxy_host, optarg, (size_t)(position - optarg));
316 global_proxy_host[position - optarg] = '\0';
318 global_proxy_port = malloc(strlen(position + 1) + 1);
319 if (global_proxy_port == NULL) {
323 strcpy(global_proxy_port, position + 1);
328 if (atoi(optarg) <= 0) {
329 fprintf(stderr, "-t positive number required: '%s'\n",
333 thread_count = (size_t)atoi(optarg);
337 global_passthrough_unknown = 1;
342 print_usage(argv[0]);
347 if (optind >= argc) {
348 fprintf(stderr, "port missing\n");
352 static void print_usage(const char *argv) {
353 fprintf(stderr, "tlsproxy %s, a certificate checking TLS proxy\n",
355 fprintf(stderr, "Usage: %s [-a file] [-d level] [-p host:port] [-t count] [-u] port\n",
357 fprintf(stderr, "\n");
358 fprintf(stderr, "-a digest authentication file [default: none]\n");
359 fprintf(stderr, "-d debug level: 0=errors only, 2=debug, 3=more debug [default: 1]\n");
360 fprintf(stderr, "-p proxy hostname and port\n");
361 fprintf(stderr, "-t number of threads [default: 10]\n");
362 fprintf(stderr, "-u passthrough connection if no certificate is stored \
363 [default: error]\n");
364 fprintf(stderr, " WARNING: might be a security problem!\n");
368 static void log_function_gnutls(int level, const char *string) {
370 fprintf(stderr, " => %s", string);
374 static void initialize_gnutls(void) {
377 gnutls_datum_t dh_parameters_datum;
379 /* Recent versions of GnuTLS automatically initialize the cryptography layer
380 * in gnutls_global_init(), including a thread-safe setup. */
381 #if GNUTLS_VERSION_NUMBER <= 0x020b00
384 /* Thread safe setup. Must be called before gnutls_global_init(). */
385 error = gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
387 fprintf(stderr, "gcry_control(): %s/%s\n", gcry_strsource(error),
388 gcry_strerror(error));
391 /* Prevent usage of blocking /dev/random. */
392 error = gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
394 fprintf(stderr, "gcry_control(): %s/%s\n", gcry_strsource(error),
395 gcry_strerror(error));
400 if (gnutls_check_version(GNUTLS_VERSION) == NULL) {
401 fprintf(stderr, "gnutls_check_version(): version mismatch, "
402 "expected at least '" GNUTLS_VERSION "'\n");
406 /* Initialize GnuTLS. */
407 result = gnutls_global_init();
408 GNUTLS_ERROR_EXIT(result, "gnutls_global_init()");
411 gnutls_global_set_log_level(10);
412 gnutls_global_set_log_function(log_function_gnutls);
415 /* Setup GnuTLS cipher suites. */
416 result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL);
417 GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()");
419 /* Read Diffie-Hellman parameters. */
420 dh_parameters = slurp_text_file(PROXY_DH_PATH);
421 if (dh_parameters == NULL) {
422 fprintf(stderr, PROXY_DH_PATH " missing, "
423 "use `tlsproxy-setup` to create it\n");
426 dh_parameters_datum.data = (unsigned char *)dh_parameters;
427 assert(strlen(dh_parameters) <= UINT_MAX);
428 dh_parameters_datum.size = (unsigned int)(strlen(dh_parameters));
430 result = gnutls_dh_params_init(&global_tls_dh_params);
431 GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()");
432 result = gnutls_dh_params_import_pkcs3(global_tls_dh_params,
433 &dh_parameters_datum,
434 GNUTLS_X509_FMT_PEM);
435 GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_import_pkcs3()");
439 static void deinitialize_gnutls(void) {
440 gnutls_dh_params_deinit(global_tls_dh_params);
441 gnutls_priority_deinit(global_tls_priority_cache);
443 gnutls_global_deinit();
446 static void *worker_thread(void *unused) {
452 /* Get next element from ring buffer. */
455 client_socket = ringbuffer[ringbuffer_read];
456 ringbuffer_read = (ringbuffer_read + 1) % RINGBUFFER_SIZE;
460 /* Negative value indicates we should shut down our thread. */
461 if (client_socket < 0) {
465 handle_connection(client_socket);
471 static char *slurp_text_file(const char *path) {
474 char *content = NULL;
476 FILE *file = fopen(path, "r");
481 ct_assert(sizeof(stat.st_size) <= sizeof(size_t));
483 if (fstat(fileno(file), &stat) != 0) {
486 if (stat.st_size < 0) { /* just in case ... */
488 } else if ((size_t)stat.st_size >= SIZE_MAX - 1) {
493 content = malloc((size_t)stat.st_size + 1);
494 if (content == NULL) {
499 size_read = fread(content, 1, (size_t)stat.st_size, file);
500 if (size_read != (size_t)stat.st_size) {
505 content[size_read] = '\0';