From 948878cf1d882adef61f9bd7c26473089f3032ad Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sun, 11 Mar 2012 22:46:51 +0100 Subject: [PATCH 01/16] src/*,tests/*: Update copyright year. --- src/connection.c | 2 +- src/connection.h | 2 +- src/log.c | 2 +- src/log.h | 2 +- src/sem.c | 2 +- src/sem.h | 2 +- src/tlsproxy-add | 2 +- src/tlsproxy-setup | 2 +- src/tlsproxy.c | 2 +- src/tlsproxy.h | 2 +- src/verify.c | 2 +- src/verify.h | 2 +- tests/client.c | 2 +- tests/common.sh | 2 +- tests/tests-normal.sh | 2 +- tests/tests-passthrough.sh | 2 +- tests/tests.sh | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) diff --git a/src/connection.c b/src/connection.c index 700a354..e4b0b29 100644 --- a/src/connection.c +++ b/src/connection.c @@ -1,7 +1,7 @@ /* * Handle connections. * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2012 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/connection.h b/src/connection.h index 7271112..ec836b9 100644 --- a/src/connection.h +++ b/src/connection.h @@ -1,7 +1,7 @@ /* * Handle connections. * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2012 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/log.c b/src/log.c index 23b90ee..4a3407b 100644 --- a/src/log.c +++ b/src/log.c @@ -1,7 +1,7 @@ /* * Log related functions/defines. * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2012 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/log.h b/src/log.h index 54ce597..de732aa 100644 --- a/src/log.h +++ b/src/log.h @@ -1,7 +1,7 @@ /* * Log related functions/defines. * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2012 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/sem.c b/src/sem.c index 0122390..86f1a15 100644 --- a/src/sem.c +++ b/src/sem.c @@ -1,7 +1,7 @@ /* * Simple semaphore implementation, P() and V(). * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2012 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/sem.h b/src/sem.h index 6108d22..3f3d3e9 100644 --- a/src/sem.h +++ b/src/sem.h @@ -1,7 +1,7 @@ /* * Simple semaphore implementation, P() and V(). * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2012 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/tlsproxy-add b/src/tlsproxy-add index 92e2086..1acd03d 100755 --- a/src/tlsproxy-add +++ b/src/tlsproxy-add @@ -4,7 +4,7 @@ # # Requires certtool (from GnuTLS). # -# Copyright (C) 2011 Simon Ruderich +# Copyright (C) 2011-2012 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/src/tlsproxy-setup b/src/tlsproxy-setup index 6f0094c..48a034f 100755 --- a/src/tlsproxy-setup +++ b/src/tlsproxy-setup @@ -4,7 +4,7 @@ # # Requires certtool (from GnuTLS). # -# Copyright (C) 2011 Simon Ruderich +# Copyright (C) 2011-2012 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/src/tlsproxy.c b/src/tlsproxy.c index b79e05d..ad257b5 100644 --- a/src/tlsproxy.c +++ b/src/tlsproxy.c @@ -3,7 +3,7 @@ * ensures the server certificate doesn't change. Normally this isn't detected * if a trusted CA for the new server certificate is installed. * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2012 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/tlsproxy.h b/src/tlsproxy.h index 5f13a71..970b08d 100644 --- a/src/tlsproxy.h +++ b/src/tlsproxy.h @@ -1,7 +1,7 @@ /* * Global variables/defines. * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2012 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/verify.c b/src/verify.c index 5de9d84..0888a30 100644 --- a/src/verify.c +++ b/src/verify.c @@ -1,7 +1,7 @@ /* * Verify established TLS connections. * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2012 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/verify.h b/src/verify.h index 4935242..4771e29 100644 --- a/src/verify.h +++ b/src/verify.h @@ -1,7 +1,7 @@ /* * Verify established TLS connections. * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2012 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/tests/client.c b/tests/client.c index 96f688b..75d4ab3 100644 --- a/tests/client.c +++ b/tests/client.c @@ -1,7 +1,7 @@ /* * Simple GnuTLS client used for testing. * - * Copyright (C) 2011 Simon Ruderich + * Copyright (C) 2011-2012 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/tests/common.sh b/tests/common.sh index e006698..3f046fb 100644 --- a/tests/common.sh +++ b/tests/common.sh @@ -1,6 +1,6 @@ # Functions used by all tests. # -# Copyright (C) 2011 Simon Ruderich +# Copyright (C) 2011-2012 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/tests-normal.sh b/tests/tests-normal.sh index d3ce46c..1d8f07b 100755 --- a/tests/tests-normal.sh +++ b/tests/tests-normal.sh @@ -2,7 +2,7 @@ # Normal tlsproxy tests. # -# Copyright (C) 2011 Simon Ruderich +# Copyright (C) 2011-2012 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/tests-passthrough.sh b/tests/tests-passthrough.sh index a25d923..253d160 100755 --- a/tests/tests-passthrough.sh +++ b/tests/tests-passthrough.sh @@ -2,7 +2,7 @@ # tlsproxy tests for the -u option. # -# Copyright (C) 2011 Simon Ruderich +# Copyright (C) 2011-2012 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/tests.sh b/tests/tests.sh index 6848f34..d831db3 100755 --- a/tests/tests.sh +++ b/tests/tests.sh @@ -2,7 +2,7 @@ # tlsproxy test "suite". # -# Copyright (C) 2011 Simon Ruderich +# Copyright (C) 2011-2012 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by -- 2.44.2 From 62c37badd2e4d467ba5226c2f1eeda976d513c09 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sun, 11 Mar 2012 22:47:31 +0100 Subject: [PATCH 02/16] README: Minor update. --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index 81bb4fc..3c80281 100644 --- a/README +++ b/README @@ -23,7 +23,7 @@ This creates the following files: - `proxy-ca.pem`: CA which is used for all connections to the client - `proxy-ca-key.pem`: private key for the CA -- `proxy-key.pem`: private key for the server +- `proxy-key.pem`: private key for the proxy - `proxy-invalid.pem`: special certificate used for invalid pages Then import the CA file `proxy-ca.pem` in your browser so it can validate the -- 2.44.2 From 44ab705f30eb1fcb7a86155a6abf01b9394a8db1 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sun, 11 Mar 2012 22:48:16 +0100 Subject: [PATCH 03/16] src/*,test/*: Add missing quotes to shell scripts. --- src/tlsproxy-add | 16 ++++++++-------- src/tlsproxy-setup | 24 ++++++++++++------------ tests/tests-normal.sh | 16 ++++++++-------- tests/tests-passthrough.sh | 16 ++++++++-------- tests/tests.sh | 4 ++-- 5 files changed, 38 insertions(+), 38 deletions(-) diff --git a/src/tlsproxy-add b/src/tlsproxy-add index 1acd03d..c3acf3e 100755 --- a/src/tlsproxy-add +++ b/src/tlsproxy-add @@ -41,23 +41,23 @@ fi tempfile=`mktemp` || exit 1 die() { - rm -f $tempfile + rm -f "$tempfile" exit 1 } # Generate server certificate for given host. -echo 'organization = tlsproxy' > $tempfile -echo "cn = $1" >> $tempfile -echo tls_www_server >> $tempfile -echo encryption_key >> $tempfile -echo signing_key >> $tempfile +echo 'organization = tlsproxy' > "$tempfile" +echo "cn = $1" >> "$tempfile" +echo tls_www_server >> "$tempfile" +echo encryption_key >> "$tempfile" +echo signing_key >> "$tempfile" certtool --generate-certificate \ --load-privkey proxy-key.pem \ --load-ca-certificate proxy-ca.pem \ --load-ca-privkey proxy-ca-key.pem \ - --template $tempfile \ + --template "$tempfile" \ --outfile "certificate-$1-proxy.pem" || die -rm $tempfile +rm "$tempfile" if [ "x$2" = x ]; then echo please enter server certificate diff --git a/src/tlsproxy-setup b/src/tlsproxy-setup index 48a034f..24f1e0d 100755 --- a/src/tlsproxy-setup +++ b/src/tlsproxy-setup @@ -23,19 +23,19 @@ tempfile=`mktemp` || exit 1 die() { - rm -f $tempfile + rm -f "$tempfile" exit 1 } # Generate proxy CA key file. certtool --generate-privkey > proxy-ca-key.pem || die # Generate proxy CA. -echo 'cn = tlsproxy CA' > $tempfile -echo ca >> $tempfile -echo cert_signing_key >> $tempfile +echo 'cn = tlsproxy CA' > "$tempfile" +echo ca >> "$tempfile" +echo cert_signing_key >> "$tempfile" certtool --generate-self-signed \ --load-privkey proxy-ca-key.pem \ - --template $tempfile \ + --template "$tempfile" \ --outfile proxy-ca.pem || die # Generate proxy key file. @@ -43,16 +43,16 @@ certtool --generate-privkey > proxy-key.pem || die # Generate proxy "invalid" server certificate. It's used for problematic # connections. -echo 'organization = tlsproxy' > $tempfile -echo 'cn = invalid' >> $tempfile -echo tls_www_server >> $tempfile -echo encryption_key >> $tempfile -echo signing_key >> $tempfile +echo 'organization = tlsproxy' > "$tempfile" +echo 'cn = invalid' >> "$tempfile" +echo tls_www_server >> "$tempfile" +echo encryption_key >> "$tempfile" +echo signing_key >> "$tempfile" certtool --generate-self-signed \ --load-privkey proxy-key.pem \ - --template $tempfile \ + --template "$tempfile" \ --outfile proxy-invalid.pem || die -rm $tempfile +rm "$tempfile" echo done diff --git a/tests/tests-normal.sh b/tests/tests-normal.sh index 1d8f07b..11c5eaf 100755 --- a/tests/tests-normal.sh +++ b/tests/tests-normal.sh @@ -21,17 +21,17 @@ # Handle empty $srcdir. [ "x$srcdir" = x ] && srcdir=. -. $srcdir/common.sh +. "$srcdir/common.sh" # Create necessary files. cleanup -$srcdir/../src/tlsproxy-setup >/dev/null 2>/dev/null +"$srcdir/../src/tlsproxy-setup" >/dev/null 2>/dev/null # Normal tests. ../src/tlsproxy -d2 4711 >/dev/null & -server --x509certfile $srcdir/server.pem \ - --x509keyfile $srcdir/server-key.pem +server --x509certfile "$srcdir/server.pem" \ + --x509keyfile "$srcdir/server-key.pem" sleep 1 @@ -46,7 +46,7 @@ test_proxy_successful test_invalid_certificate # Create the proxy certificate. -$srcdir/../src/tlsproxy-add localhost $srcdir/server.pem \ +"$srcdir/../src/tlsproxy-add" localhost "$srcdir/server.pem" \ >/dev/null 2>/dev/null echo missing server certificate @@ -73,8 +73,8 @@ test_no_invalid_certificate # Stop server and try a "MITM" with a bad certificate. echo pkill -n gnutls-serv -server --x509certfile $srcdir/server-bad.pem \ - --x509keyfile $srcdir/server-key.pem +server --x509certfile "$srcdir/server-bad.pem" \ + --x509keyfile "$srcdir/server-key.pem" sleep 1 rm -f certificate-localhost-proxy.pem certificate-localhost-server.pem @@ -90,7 +90,7 @@ test_proxy_successful test_invalid_certificate # Create the proxy certificate. -$srcdir/../src/tlsproxy-add localhost $srcdir/server.pem \ +"$srcdir/../src/tlsproxy-add" localhost "$srcdir/server.pem" \ >/dev/null 2>/dev/null echo mitm missing server certificate diff --git a/tests/tests-passthrough.sh b/tests/tests-passthrough.sh index 253d160..c93fbba 100755 --- a/tests/tests-passthrough.sh +++ b/tests/tests-passthrough.sh @@ -21,17 +21,17 @@ # Handle empty $srcdir. [ "x$srcdir" = x ] && srcdir=. -. $srcdir/common.sh +. "$srcdir/common.sh" # Create necessary files. cleanup -$srcdir/../src/tlsproxy-setup >/dev/null 2>/dev/null +"$srcdir/../src/tlsproxy-setup" >/dev/null 2>/dev/null # Normal tests. ../src/tlsproxy -d2 -u 4711 >/dev/null & -server --x509certfile $srcdir/server.pem \ - --x509keyfile $srcdir/server-key.pem +server --x509certfile "$srcdir/server.pem" \ + --x509keyfile "$srcdir/server-key.pem" sleep 1 @@ -46,7 +46,7 @@ test_proxy_successful test_invalid_certificate # Create the proxy certificate. -$srcdir/../src/tlsproxy-add localhost $srcdir/server.pem \ +"$srcdir/../src/tlsproxy-add" localhost "$srcdir/server.pem" \ >/dev/null 2>/dev/null echo missing server certificate @@ -75,8 +75,8 @@ test_no_invalid_certificate # Stop server and try a "MITM" with a bad certificate. echo pkill -n gnutls-serv -server --x509certfile $srcdir/server-bad.pem \ - --x509keyfile $srcdir/server-key.pem +server --x509certfile "$srcdir/server-bad.pem" \ + --x509keyfile "$srcdir/server-key.pem" sleep 1 rm -f certificate-localhost-proxy.pem certificate-localhost-server.pem @@ -92,7 +92,7 @@ test_proxy_successful test_invalid_certificate # Create the proxy certificate. -$srcdir/../src/tlsproxy-add localhost $srcdir/server.pem \ +"$srcdir/../src/tlsproxy-add" localhost "$srcdir/server.pem" \ >/dev/null 2>/dev/null echo mitm missing server certificate diff --git a/tests/tests.sh b/tests/tests.sh index d831db3..6a87957 100755 --- a/tests/tests.sh +++ b/tests/tests.sh @@ -22,9 +22,9 @@ [ "x$srcdir" = x ] && srcdir=. echo "RUNNING NORMAL TESTS" -$srcdir/tests-normal.sh || exit 1 +"$srcdir/tests-normal.sh" || exit 1 echo echo "RUNNING PASSTHROUGH (-u) TESTS" -$srcdir/tests-passthrough.sh || exit 1 +"$srcdir/tests-passthrough.sh" || exit 1 -- 2.44.2 From 0f69065a13b6831dadd2aef7928ee9654b7f43d1 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sun, 11 Mar 2012 22:50:59 +0100 Subject: [PATCH 04/16] src/sem.c,src/tlsproxy.c: Minor cleanup. --- src/sem.c | 2 +- src/tlsproxy.c | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/src/sem.c b/src/sem.c index 86f1a15..563cea6 100644 --- a/src/sem.c +++ b/src/sem.c @@ -30,7 +30,7 @@ struct SEM { }; SEM *sem_init(int init_value) { - SEM *sem = (SEM *)malloc(sizeof(SEM)); + SEM *sem = malloc(sizeof(*sem)); if (NULL == sem) { return NULL; } diff --git a/src/tlsproxy.c b/src/tlsproxy.c index ad257b5..6ce976c 100644 --- a/src/tlsproxy.c +++ b/src/tlsproxy.c @@ -137,7 +137,7 @@ int main(int argc, char **argv) { initialize_gnutls(); /* Spawn worker threads to handle requests. */ - threads = (pthread_t *)malloc(thread_count * sizeof(pthread_t)); + threads = malloc(thread_count * sizeof(*threads)); if (NULL == threads) { perror("thread malloc failed"); return EXIT_FAILURE; @@ -234,7 +234,6 @@ int main(int argc, char **argv) { errno = pthread_join(threads[i], NULL); if (0 != errno) { perror("pthread_join()"); - continue; } } -- 2.44.2 From 118d7d263672c587a1e4268dbf35df3f913f4aeb Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sun, 11 Mar 2012 22:51:16 +0100 Subject: [PATCH 05/16] src/tlsproxy.c: Minor documentation update. --- src/tlsproxy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tlsproxy.c b/src/tlsproxy.c index 6ce976c..be4c5f3 100644 --- a/src/tlsproxy.c +++ b/src/tlsproxy.c @@ -214,7 +214,7 @@ int main(int argc, char **argv) { break; } - /* No lock, we only have one producer! */ + /* No lock necessary, we only have one producer! */ P(ringbuffer_free); ringbuffer[ringbuffer_write] = client_socket; ringbuffer_write = (ringbuffer_write + 1) % RINGBUFFER_SIZE; -- 2.44.2 From 0b7b01d255126abef7b882c894412a85ad2bdecc Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sun, 11 Mar 2012 22:58:51 +0100 Subject: [PATCH 06/16] src/tlsproxy.c: Display version in help and debug startup message. --- src/tlsproxy.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/tlsproxy.c b/src/tlsproxy.c index be4c5f3..86ee227 100644 --- a/src/tlsproxy.c +++ b/src/tlsproxy.c @@ -198,6 +198,7 @@ int main(int argc, char **argv) { } if (LOG_DEBUG_LEVEL <= global_log_level) { + printf("tlsproxy %s\n", VERSION); printf("Listening for connections on port %d.\n", port); if (NULL != global_proxy_host && NULL != global_proxy_port) { @@ -340,6 +341,8 @@ static void parse_arguments(int argc, char **argv) { } } static void print_usage(const char *argv) { + fprintf(stderr, "tlsproxy %s, a certificate checking TLS proxy\n", + VERSION); fprintf(stderr, "Usage: %s [-d level] [-p host:port] [-t count] [-u] port\n", argv); fprintf(stderr, "\n"); -- 2.44.2 From 5b89dd9a588526e83fe43ca54c3caec96fca9575 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sun, 11 Mar 2012 23:01:04 +0100 Subject: [PATCH 07/16] src/connection.c,src/verify.c: Use a constant for path length. --- src/connection.c | 4 ++-- src/tlsproxy.h | 2 ++ src/verify.c | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/connection.c b/src/connection.c index e4b0b29..4e98f30 100644 --- a/src/connection.c +++ b/src/connection.c @@ -199,7 +199,7 @@ void handle_connection(int client_socket) { * certificate then just pass through the connection and let the client * verify the server certificate. */ if (global_passthrough_unknown) { - char path[1024]; + char path[TLSPROXY_MAX_PATH_LENGTH]; FILE *file = NULL; if (-2 == server_certificate_file(&file, host, path, sizeof(path))) { @@ -353,7 +353,7 @@ static int initialize_tls_session_client(int peer_socket, gnutls_certificate_credentials_t *x509_cred) { int result; int use_invalid_cert; - char path[1024]; + char path[TLSPROXY_MAX_PATH_LENGTH]; /* The "invalid" hostname is special. If it's used we send an invalid * certificate to let the client know something is wrong. */ diff --git a/src/tlsproxy.h b/src/tlsproxy.h index 970b08d..59b4a70 100644 --- a/src/tlsproxy.h +++ b/src/tlsproxy.h @@ -31,6 +31,8 @@ #include "log.h" +/* Length for path arrays. */ +#define TLSPROXY_MAX_PATH_LENGTH 1024 /* Paths to necessary TLS files: the CA and the server key. */ #define PROXY_CA_FILE "proxy-ca.pem" diff --git a/src/verify.c b/src/verify.c index 0888a30..6697865 100644 --- a/src/verify.c +++ b/src/verify.c @@ -32,7 +32,7 @@ static int get_certificate_path(const char *format, int verify_tls_connection(gnutls_session_t session, const char *hostname) { int result; - char path[1024]; + char path[TLSPROXY_MAX_PATH_LENGTH]; size_t size; unsigned int status; -- 2.44.2 From ef2260420e9544a36b53fadbbaeb7593d0d47769 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sun, 11 Mar 2012 23:06:09 +0100 Subject: [PATCH 08/16] src/tlsproxy.c: Display value of invalid options. --- src/tlsproxy.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/tlsproxy.c b/src/tlsproxy.c index 86ee227..54509f3 100644 --- a/src/tlsproxy.c +++ b/src/tlsproxy.c @@ -105,7 +105,7 @@ int main(int argc, char **argv) { port = atoi(argv[argc - 1]); if (0 >= port || 0xffff < port) { print_usage(argv[0]); - fprintf(stderr, "\ninvalid port\n"); + fprintf(stderr, "\ninvalid port: '%s'\n", argv[argc - 1]); return EXIT_FAILURE; } @@ -277,7 +277,8 @@ static void parse_arguments(int argc, char **argv) { case 'd': { if (0 > atoi(optarg)) { print_usage(argv[0]); - fprintf(stderr, "\n-d positive number required\n"); + fprintf(stderr, "\n-d positive number required: '%s'\n", + optarg); exit(EXIT_FAILURE); } global_log_level = atoi(optarg); @@ -293,7 +294,8 @@ static void parse_arguments(int argc, char **argv) { || 0 >= atoi(position + 1) || 0xffff < atoi(position + 1)) { print_usage(argv[0]); - fprintf(stderr, "\ninvalid -p, format host:port\n"); + fprintf(stderr, "\ninvalid -p: '%s', format host:port\n", + optarg); exit(EXIT_FAILURE); } @@ -317,7 +319,8 @@ static void parse_arguments(int argc, char **argv) { case 't': { if (0 >= atoi(optarg)) { print_usage(argv[0]); - fprintf(stderr, "\n-t positive number required\n"); + fprintf(stderr, "\n-t positive number required: '%s'\n", + optarg); exit(EXIT_FAILURE); } thread_count = (size_t)atoi(optarg); -- 2.44.2 From ef57fa373cf6dfbbbc5cf21c144de008681635f4 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sun, 22 Jul 2012 03:26:45 +0200 Subject: [PATCH 09/16] src/connection.c: Fix error check for gnutls_priority_set(). --- src/connection.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/connection.c b/src/connection.c index 4e98f30..5c7f7ae 100644 --- a/src/connection.c +++ b/src/connection.c @@ -470,7 +470,7 @@ gnutls_certificate_allocate_credentials(): %s", gnutls_certificate_free_credentials(*x509_cred); return -1; } - gnutls_priority_set(*session, global_tls_priority_cache); + result = gnutls_priority_set(*session, global_tls_priority_cache); if (GNUTLS_E_SUCCESS != result) { LOG(LOG_ERROR, "initialize_tls_session_server(): gnutls_priority_set(): %s", -- 2.44.2 From 4279cb8baa24f71d4013a082d8a39e4c98fbde6b Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Tue, 31 Jul 2012 23:55:54 +0200 Subject: [PATCH 10/16] NEWS: Put latest versions on top. --- NEWS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index d36a440..184b0d6 100644 --- a/NEWS +++ b/NEWS @@ -1,12 +1,12 @@ NEWS ==== -0.1 ---- -- first release - 0.2 --- - add -u option, passthrough TLS connections to unknown hostnames - add ./configure --disable-ipv6 for IPv4 only machines - send HTML with error messages (not only headers) + +0.1 +--- +- first release -- 2.44.2 From c17c44dd331262722944e377537eef78acb1ca14 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Tue, 31 Jul 2012 23:59:13 +0200 Subject: [PATCH 11/16] NEWS: Use complete sentences. --- NEWS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 184b0d6..05be382 100644 --- a/NEWS +++ b/NEWS @@ -3,10 +3,10 @@ NEWS 0.2 --- -- add -u option, passthrough TLS connections to unknown hostnames -- add ./configure --disable-ipv6 for IPv4 only machines -- send HTML with error messages (not only headers) +- Add -u option, passthrough TLS connections to unknown hostnames. +- Add ./configure --disable-ipv6 for IPv4 only machines. +- Send HTML with error messages (not only headers). 0.1 --- -- first release +- First release. -- 2.44.2 From 5e1b777ab504b5ab4428e5850bc03039f0e680ff Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Wed, 1 Aug 2012 00:12:05 +0200 Subject: [PATCH 12/16] configure.ac: Use $CPPFLAGS for preprocessor flags. --- configure.ac | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index c71222a..db5285c 100644 --- a/configure.ac +++ b/configure.ac @@ -26,7 +26,8 @@ AC_PROG_CC if test "x$GCC" = xyes; then CFLAGS="-std=c89 -pedantic -Wall -Wextra -Werror $CFLAGS" - CFLAGS="-D_XOPEN_SOURCE=500 -Wno-error=int-to-pointer-cast $CFLAGS" + CFLAGS="-Wno-error=int-to-pointer-cast $CFLAGS" + CPPFLAGS="-D_XOPEN_SOURCE=500 $CPPFLAGS" # Additional security flags. CFLAGS="$CFLAGS -Wformat -Wformat-security -Werror=format-security" CFLAGS="$CFLAGS -fstack-protector-all -Wstack-protector" -- 2.44.2 From 02e4f7c252b043dfb7f4a0e3af05b129781aae7e Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Wed, 1 Aug 2012 00:15:34 +0200 Subject: [PATCH 13/16] configure.ac: Cleanup hardening flags. --- configure.ac | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/configure.ac b/configure.ac index db5285c..e2f5480 100644 --- a/configure.ac +++ b/configure.ac @@ -28,12 +28,10 @@ if test "x$GCC" = xyes; then CFLAGS="-std=c89 -pedantic -Wall -Wextra -Werror $CFLAGS" CFLAGS="-Wno-error=int-to-pointer-cast $CFLAGS" CPPFLAGS="-D_XOPEN_SOURCE=500 $CPPFLAGS" - # Additional security flags. - CFLAGS="$CFLAGS -Wformat -Wformat-security -Werror=format-security" - CFLAGS="$CFLAGS -fstack-protector-all -Wstack-protector" - CFLAGS="$CFLAGS --param ssp-buffer-size=1" - CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fPIE" - LDFLAGS="$LDFLAGS -Wl,-z,relro -Wl,-z,now -fPIE -pie" + # Additional hardening flags. + CFLAGS="-fPIE -fstack-protector-all --param=ssp-buffer-size=1 -Wformat -Werror=format-security $CFLAGS" + CPPFLAGS="-D_FORTIFY_SOURCE=2 $CPPFLAGS" + LDFLAGS="-fPIE -pie -Wl,-z,relro -Wl,-z,now $LDFLAGS" fi AC_CHECK_LIB([pthread], [pthread_create], -- 2.44.2 From b968543c8d621acf469a2aaab3f5e3dc42350e2d Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Tue, 15 Jan 2013 20:56:34 +0100 Subject: [PATCH 14/16] configure.ac: Remove --param=ssp-buffer-size=1. -fstack-protector-all already protects all functions. --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index e2f5480..3da89e8 100644 --- a/configure.ac +++ b/configure.ac @@ -29,7 +29,7 @@ if test "x$GCC" = xyes; then CFLAGS="-Wno-error=int-to-pointer-cast $CFLAGS" CPPFLAGS="-D_XOPEN_SOURCE=500 $CPPFLAGS" # Additional hardening flags. - CFLAGS="-fPIE -fstack-protector-all --param=ssp-buffer-size=1 -Wformat -Werror=format-security $CFLAGS" + CFLAGS="-fPIE -fstack-protector-all -Wformat -Werror=format-security $CFLAGS" CPPFLAGS="-D_FORTIFY_SOURCE=2 $CPPFLAGS" LDFLAGS="-fPIE -pie -Wl,-z,relro -Wl,-z,now $LDFLAGS" fi -- 2.44.2 From d778944d0403b093d43d9cbd94bd298bfc3a8d42 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Tue, 15 Jan 2013 20:59:36 +0100 Subject: [PATCH 15/16] src/*,tests/*: Update copyright year. --- configure.ac | 2 +- src/connection.c | 2 +- src/connection.h | 2 +- src/log.c | 2 +- src/log.h | 2 +- src/sem.c | 2 +- src/sem.h | 2 +- src/tlsproxy-add | 2 +- src/tlsproxy-setup | 2 +- src/tlsproxy.c | 2 +- src/tlsproxy.h | 2 +- src/verify.c | 2 +- src/verify.h | 2 +- tests/client.c | 2 +- tests/common.sh | 2 +- tests/tests-normal.sh | 2 +- tests/tests-passthrough.sh | 2 +- tests/tests.sh | 2 +- 18 files changed, 18 insertions(+), 18 deletions(-) diff --git a/configure.ac b/configure.ac index 3da89e8..ab5135d 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -dnl Copyright (C) 2011-2012 Simon Ruderich +dnl Copyright (C) 2011-2013 Simon Ruderich dnl dnl This program is free software: you can redistribute it and/or modify dnl it under the terms of the GNU General Public License as published by diff --git a/src/connection.c b/src/connection.c index 5c7f7ae..ac3bc21 100644 --- a/src/connection.c +++ b/src/connection.c @@ -1,7 +1,7 @@ /* * Handle connections. * - * Copyright (C) 2011-2012 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/connection.h b/src/connection.h index ec836b9..197d4d0 100644 --- a/src/connection.h +++ b/src/connection.h @@ -1,7 +1,7 @@ /* * Handle connections. * - * Copyright (C) 2011-2012 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/log.c b/src/log.c index 4a3407b..5d05e4a 100644 --- a/src/log.c +++ b/src/log.c @@ -1,7 +1,7 @@ /* * Log related functions/defines. * - * Copyright (C) 2011-2012 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/log.h b/src/log.h index de732aa..7fc45fb 100644 --- a/src/log.h +++ b/src/log.h @@ -1,7 +1,7 @@ /* * Log related functions/defines. * - * Copyright (C) 2011-2012 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/sem.c b/src/sem.c index 563cea6..3c911cd 100644 --- a/src/sem.c +++ b/src/sem.c @@ -1,7 +1,7 @@ /* * Simple semaphore implementation, P() and V(). * - * Copyright (C) 2011-2012 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/sem.h b/src/sem.h index 3f3d3e9..a9c231c 100644 --- a/src/sem.h +++ b/src/sem.h @@ -1,7 +1,7 @@ /* * Simple semaphore implementation, P() and V(). * - * Copyright (C) 2011-2012 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/tlsproxy-add b/src/tlsproxy-add index c3acf3e..be8cb8a 100755 --- a/src/tlsproxy-add +++ b/src/tlsproxy-add @@ -4,7 +4,7 @@ # # Requires certtool (from GnuTLS). # -# Copyright (C) 2011-2012 Simon Ruderich +# Copyright (C) 2011-2013 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/src/tlsproxy-setup b/src/tlsproxy-setup index 24f1e0d..1c65326 100755 --- a/src/tlsproxy-setup +++ b/src/tlsproxy-setup @@ -4,7 +4,7 @@ # # Requires certtool (from GnuTLS). # -# Copyright (C) 2011-2012 Simon Ruderich +# Copyright (C) 2011-2013 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/src/tlsproxy.c b/src/tlsproxy.c index 54509f3..4bfc88d 100644 --- a/src/tlsproxy.c +++ b/src/tlsproxy.c @@ -3,7 +3,7 @@ * ensures the server certificate doesn't change. Normally this isn't detected * if a trusted CA for the new server certificate is installed. * - * Copyright (C) 2011-2012 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/tlsproxy.h b/src/tlsproxy.h index 59b4a70..f23167e 100644 --- a/src/tlsproxy.h +++ b/src/tlsproxy.h @@ -1,7 +1,7 @@ /* * Global variables/defines. * - * Copyright (C) 2011-2012 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/verify.c b/src/verify.c index 6697865..6ea5f1b 100644 --- a/src/verify.c +++ b/src/verify.c @@ -1,7 +1,7 @@ /* * Verify established TLS connections. * - * Copyright (C) 2011-2012 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/src/verify.h b/src/verify.h index 4771e29..67df61b 100644 --- a/src/verify.h +++ b/src/verify.h @@ -1,7 +1,7 @@ /* * Verify established TLS connections. * - * Copyright (C) 2011-2012 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/tests/client.c b/tests/client.c index 75d4ab3..5c230cf 100644 --- a/tests/client.c +++ b/tests/client.c @@ -1,7 +1,7 @@ /* * Simple GnuTLS client used for testing. * - * Copyright (C) 2011-2012 Simon Ruderich + * Copyright (C) 2011-2013 Simon Ruderich * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/tests/common.sh b/tests/common.sh index 3f046fb..769a78e 100644 --- a/tests/common.sh +++ b/tests/common.sh @@ -1,6 +1,6 @@ # Functions used by all tests. # -# Copyright (C) 2011-2012 Simon Ruderich +# Copyright (C) 2011-2013 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/tests-normal.sh b/tests/tests-normal.sh index 11c5eaf..60c56ca 100755 --- a/tests/tests-normal.sh +++ b/tests/tests-normal.sh @@ -2,7 +2,7 @@ # Normal tlsproxy tests. # -# Copyright (C) 2011-2012 Simon Ruderich +# Copyright (C) 2011-2013 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/tests-passthrough.sh b/tests/tests-passthrough.sh index c93fbba..dcd9688 100755 --- a/tests/tests-passthrough.sh +++ b/tests/tests-passthrough.sh @@ -2,7 +2,7 @@ # tlsproxy tests for the -u option. # -# Copyright (C) 2011-2012 Simon Ruderich +# Copyright (C) 2011-2013 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/tests.sh b/tests/tests.sh index 6a87957..7794f80 100755 --- a/tests/tests.sh +++ b/tests/tests.sh @@ -2,7 +2,7 @@ # tlsproxy test "suite". # -# Copyright (C) 2011-2012 Simon Ruderich +# Copyright (C) 2011-2013 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by -- 2.44.2 From a64101800c79c852cc4ab9d445c35aad0a6457eb Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Wed, 27 Feb 2013 00:41:14 +0100 Subject: [PATCH 16/16] log.c: Use one printf() instead of two in log_message(). --- src/log.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/log.c b/src/log.c index 5d05e4a..e00a08d 100644 --- a/src/log.c +++ b/src/log.c @@ -41,14 +41,22 @@ void log_message(int level, const char *file, int line, const char *format, ...) default: level_string = "UNKNOWN"; } - va_start(ap, format); -#ifdef DEBUG - fprintf(stdout, "%-12s:%-3d ", file, line); -#else +#ifndef DEBUG + /* Prevent warnings. */ (void)file; (void)line; #endif - fprintf(stdout, "[%s] [%d] ", level_string, (int)pthread_self()); + + va_start(ap, format); + fprintf(stdout, +#ifdef DEBUG + "%-12s:%-3d " +#endif + "[%s] [%d] ", +#ifdef DEBUG + file, line, +#endif + level_string, (int)pthread_self()); vfprintf(stdout, format, ap); fprintf(stdout, "\n"); va_end(ap); -- 2.44.2