Files: ab3324be477b2663196e0cc73d96aa38d59da65a / sslh-main.c
18192 bytesRaw
1 | /* |
2 | # main: processing of config file, command line options and start the main |
3 | # loop. |
4 | # |
5 | # Copyright (C) 2007-2014 Yves Rutschle |
6 | # |
7 | # This program is free software; you can redistribute it |
8 | # and/or modify it under the terms of the GNU General Public |
9 | # License as published by the Free Software Foundation; either |
10 | # version 2 of the License, or (at your option) any later |
11 | # version. |
12 | # |
13 | # This program is distributed in the hope that it will be |
14 | # useful, but WITHOUT ANY WARRANTY; without even the implied |
15 | # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR |
16 | # PURPOSE. See the GNU General Public License for more |
17 | # details. |
18 | # |
19 | # The full text for the General Public License is here: |
20 | # http://www.gnu.org/licenses/gpl.html |
21 | |
22 | */ |
23 | |
24 | |
25 | |
26 | |
27 | |
28 | |
29 | |
30 | |
31 | |
32 | |
33 | |
34 | |
35 | |
36 | |
37 | |
38 | |
39 | const char* USAGE_STRING = |
40 | "sslh " VERSION "\n" \ |
41 | "usage:\n" \ |
42 | "\tsslh [-v] [-i] [-V] [-f] [-n] [--transparent] [-F <file>]\n" |
43 | "\t[-t <timeout>] [-P <pidfile>] -u <username> -p <add> [-p <addr> ...] \n" \ |
44 | "%s\n\n" /* Dynamically built list of builtin protocols */ \ |
45 | "\t[--on-timeout <addr>]\n" \ |
46 | "-v: verbose\n" \ |
47 | "-V: version\n" \ |
48 | "-f: foreground\n" \ |
49 | "-n: numeric output\n" \ |
50 | "-u: specify under which user to run\n" \ |
51 | "--transparent: behave as a transparent proxy\n" \ |
52 | "-F: use configuration file\n" \ |
53 | "--on-timeout: connect to specified address upon timeout (default: ssh address)\n" \ |
54 | "-t: seconds to wait before connecting to --on-timeout address.\n" \ |
55 | "-p: address and port to listen on.\n Can be used several times to bind to several addresses.\n" \ |
56 | "--[ssh,ssl,...]: where to connect connections from corresponding protocol.\n" \ |
57 | "-P: PID file.\n" \ |
58 | "-i: Run as a inetd service.\n" \ |
59 | ""; |
60 | |
61 | /* Constants for options that have no one-character shorthand */ |
62 | |
63 | |
64 | static struct option const_options[] = { |
65 | { "inetd", no_argument, &inetd, 1 }, |
66 | { "foreground", no_argument, &foreground, 1 }, |
67 | { "background", no_argument, &background, 1 }, |
68 | { "transparent", no_argument, &transparent, 1 }, |
69 | { "numeric", no_argument, &numeric, 1 }, |
70 | { "verbose", no_argument, &verbose, 1 }, |
71 | { "user", required_argument, 0, 'u' }, |
72 | { "config", optional_argument, 0, 'F' }, |
73 | { "pidfile", required_argument, 0, 'P' }, |
74 | { "timeout", required_argument, 0, 't' }, |
75 | { "on-timeout", required_argument, 0, OPT_ONTIMEOUT }, |
76 | { "listen", required_argument, 0, 'p' }, |
77 | {} |
78 | }; |
79 | static struct option* all_options; |
80 | static struct proto* builtins; |
81 | static const char *optstr = "vt:T:p:VP:F::"; |
82 | |
83 | |
84 | |
85 | static void print_usage(void) |
86 | { |
87 | struct proto *p; |
88 | int i; |
89 | int res; |
90 | char *prots = ""; |
91 | |
92 | p = get_builtins(); |
93 | for (i = 0; i < get_num_builtins(); i++) { |
94 | res = asprintf(&prots, "%s\t[--%s <addr>]\n", prots, p[i].description); |
95 | CHECK_RES_DIE(res, "asprintf"); |
96 | } |
97 | |
98 | fprintf(stderr, USAGE_STRING, prots); |
99 | } |
100 | |
101 | static void printcaps(void) { |
102 | |
103 | cap_t caps; |
104 | char* desc; |
105 | ssize_t len; |
106 | |
107 | caps = cap_get_proc(); |
108 | |
109 | desc = cap_to_text(caps, &len); |
110 | |
111 | fprintf(stderr, "capabilities: %s\n", desc); |
112 | |
113 | cap_free(caps); |
114 | cap_free(desc); |
115 | |
116 | } |
117 | |
118 | static void printsettings(void) |
119 | { |
120 | char buf[NI_MAXHOST]; |
121 | struct addrinfo *a; |
122 | struct proto *p; |
123 | |
124 | for (p = get_first_protocol(); p; p = p->next) { |
125 | fprintf(stderr, |
126 | "%s addr: %s. libwrap service: %s family %d %d\n", |
127 | p->description, |
128 | sprintaddr(buf, sizeof(buf), p->saddr), |
129 | p->service, |
130 | p->saddr->ai_family, |
131 | p->saddr->ai_addr->sa_family); |
132 | } |
133 | fprintf(stderr, "listening on:\n"); |
134 | for (a = addr_listen; a; a = a->ai_next) { |
135 | fprintf(stderr, "\t%s\n", sprintaddr(buf, sizeof(buf), a)); |
136 | } |
137 | fprintf(stderr, "timeout: %d\non-timeout: %s\n", probing_timeout, |
138 | timeout_protocol()->description); |
139 | } |
140 | |
141 | |
142 | /* Extract configuration on addresses and ports on which to listen. |
143 | * out: newly allocated list of addrinfo to listen to |
144 | */ |
145 | |
146 | static int config_listen(config_t *config, struct addrinfo **listen) |
147 | { |
148 | config_setting_t *setting, *addr; |
149 | int len, i; |
150 | const char *hostname, *port; |
151 | |
152 | setting = config_lookup(config, "listen"); |
153 | if (setting) { |
154 | len = config_setting_length(setting); |
155 | for (i = 0; i < len; i++) { |
156 | addr = config_setting_get_elem(setting, i); |
157 | if (! (config_setting_lookup_string(addr, "host", &hostname) && |
158 | config_setting_lookup_string(addr, "port", &port))) { |
159 | fprintf(stderr, |
160 | "line %d:Incomplete specification (hostname and port required)\n", |
161 | config_setting_source_line(addr)); |
162 | return -1; |
163 | } |
164 | |
165 | resolve_split_name(listen, hostname, port); |
166 | |
167 | /* getaddrinfo returned a list of addresses corresponding to the |
168 | * specification; move the pointer to the end of that list before |
169 | * processing the next specification */ |
170 | for (; *listen; listen = &((*listen)->ai_next)); |
171 | } |
172 | } |
173 | |
174 | return 0; |
175 | } |
176 | |
177 | |
178 | |
179 | |
180 | |
181 | static void setup_regex_probe(struct proto *p, config_setting_t* probes) |
182 | { |
183 | |
184 | int num_probes, errsize, i, res; |
185 | char *err; |
186 | const char * expr; |
187 | regex_t** probe_list; |
188 | |
189 | num_probes = config_setting_length(probes); |
190 | if (!num_probes) { |
191 | fprintf(stderr, "%s: no probes specified\n", p->description); |
192 | exit(1); |
193 | } |
194 | |
195 | p->probe = get_probe("regex"); |
196 | probe_list = calloc(num_probes + 1, sizeof(*probe_list)); |
197 | p->data = (void*)probe_list; |
198 | |
199 | for (i = 0; i < num_probes; i++) { |
200 | probe_list[i] = malloc(sizeof(*(probe_list[i]))); |
201 | expr = config_setting_get_string_elem(probes, i); |
202 | res = regcomp(probe_list[i], expr, 0); |
203 | if (res) { |
204 | err = malloc(errsize = regerror(res, probe_list[i], NULL, 0)); |
205 | regerror(res, probe_list[i], err, errsize); |
206 | fprintf(stderr, "%s:%s\n", expr, err); |
207 | free(err); |
208 | exit(1); |
209 | } |
210 | } |
211 | |
212 | fprintf(stderr, "line %d: regex probe specified but not compiled in\n", config_setting_source_line(probes)); |
213 | exit(5); |
214 | |
215 | } |
216 | |
217 | |
218 | |
219 | static void setup_sni_hostnames(struct proto *p, config_setting_t* sni_hostnames) |
220 | { |
221 | int num_probes, i, max_server_name_len, server_name_len; |
222 | const char * sni_hostname; |
223 | char** sni_hostname_list; |
224 | |
225 | num_probes = config_setting_length(sni_hostnames); |
226 | if (!num_probes) { |
227 | fprintf(stderr, "%s: no sni_hostnames specified\n", p->description); |
228 | exit(1); |
229 | } |
230 | |
231 | max_server_name_len = 0; |
232 | for (i = 0; i < num_probes; i++) { |
233 | server_name_len = strlen(config_setting_get_string_elem(sni_hostnames, i)); |
234 | if(server_name_len > max_server_name_len) |
235 | max_server_name_len = server_name_len; |
236 | } |
237 | |
238 | sni_hostname_list = calloc(num_probes + 1, ++max_server_name_len); |
239 | p->data = (void*)sni_hostname_list; |
240 | |
241 | for (i = 0; i < num_probes; i++) { |
242 | sni_hostname = config_setting_get_string_elem(sni_hostnames, i); |
243 | sni_hostname_list[i] = malloc(max_server_name_len); |
244 | strcpy (sni_hostname_list[i], sni_hostname); |
245 | if(verbose) fprintf(stderr, "sni_hostnames[%d]: %s\n", i, sni_hostname_list[i]); |
246 | } |
247 | } |
248 | |
249 | |
250 | /* Extract configuration for protocols to connect to. |
251 | * out: newly-allocated list of protocols |
252 | */ |
253 | |
254 | static int config_protocols(config_t *config, struct proto **prots) |
255 | { |
256 | config_setting_t *setting, *prot, *patterns, *sni_hostnames; |
257 | const char *hostname, *port, *name; |
258 | int i, num_prots; |
259 | struct proto *p, *prev = NULL; |
260 | |
261 | setting = config_lookup(config, "protocols"); |
262 | if (setting) { |
263 | num_prots = config_setting_length(setting); |
264 | for (i = 0; i < num_prots; i++) { |
265 | p = calloc(1, sizeof(*p)); |
266 | if (i == 0) *prots = p; |
267 | if (prev) prev->next = p; |
268 | prev = p; |
269 | |
270 | prot = config_setting_get_elem(setting, i); |
271 | if ((config_setting_lookup_string(prot, "name", &name) && |
272 | config_setting_lookup_string(prot, "host", &hostname) && |
273 | config_setting_lookup_string(prot, "port", &port) |
274 | )) { |
275 | p->description = name; |
276 | config_setting_lookup_string(prot, "service", &(p->service)); |
277 | |
278 | resolve_split_name(&(p->saddr), hostname, port); |
279 | |
280 | p->probe = get_probe(name); |
281 | if (!p->probe) { |
282 | fprintf(stderr, "line %d: %s: probe unknown\n", config_setting_source_line(prot), name); |
283 | exit(1); |
284 | } |
285 | |
286 | /* Probe-specific options: regex patterns */ |
287 | if (!strcmp(name, "regex")) { |
288 | patterns = config_setting_get_member(prot, "regex_patterns"); |
289 | if (patterns && config_setting_is_array(patterns)) { |
290 | setup_regex_probe(p, patterns); |
291 | } |
292 | } |
293 | |
294 | /* Probe-specific options: SNI hostnames */ |
295 | if (!strcmp(name, "sni")) { |
296 | sni_hostnames = config_setting_get_member(prot, "sni_hostnames"); |
297 | if (sni_hostnames && config_setting_is_array(sni_hostnames)) { |
298 | setup_sni_hostnames(p, sni_hostnames); |
299 | } |
300 | } |
301 | } |
302 | } |
303 | } |
304 | |
305 | return 0; |
306 | } |
307 | |
308 | |
309 | /* Parses a config file |
310 | * in: *filename |
311 | * out: *listen, a newly-allocated linked list of listen addrinfo |
312 | * *prots, a newly-allocated linked list of protocols |
313 | * 1 on error, 0 on success |
314 | */ |
315 | |
316 | static int config_parse(char *filename, struct addrinfo **listen, struct proto **prots) |
317 | { |
318 | config_t config; |
319 | int timeout; |
320 | const char* str; |
321 | |
322 | config_init(&config); |
323 | if (config_read_file(&config, filename) == CONFIG_FALSE) { |
324 | /* If it's a parse error then there will be a line number for the failure |
325 | * an I/O error (such as non-existent file) will have the error line as 0 |
326 | */ |
327 | if (config_error_line(&config) != 0) { |
328 | fprintf(stderr, "%s:%d:%s\n", |
329 | filename, |
330 | config_error_line(&config), |
331 | config_error_text(&config)); |
332 | exit(1); |
333 | } |
334 | fprintf(stderr, "%s:%s\n", |
335 | filename, |
336 | config_error_text(&config)); |
337 | return 1; |
338 | } |
339 | |
340 | config_lookup_bool(&config, "verbose", &verbose); |
341 | config_lookup_bool(&config, "inetd", &inetd); |
342 | config_lookup_bool(&config, "foreground", &foreground); |
343 | config_lookup_bool(&config, "numeric", &numeric); |
344 | config_lookup_bool(&config, "transparent", &transparent); |
345 | |
346 | if (config_lookup_int(&config, "timeout", (int *)&timeout) == CONFIG_TRUE) { |
347 | probing_timeout = timeout; |
348 | } |
349 | |
350 | if (config_lookup_string(&config, "on-timeout", &str)) { |
351 | set_ontimeout(str); |
352 | } |
353 | |
354 | config_lookup_string(&config, "user", &user_name); |
355 | config_lookup_string(&config, "pidfile", &pid_file); |
356 | |
357 | config_listen(&config, listen); |
358 | config_protocols(&config, prots); |
359 | |
360 | return 0; |
361 | } |
362 | |
363 | |
364 | /* Adds protocols to the list of options, so command-line parsing uses the |
365 | * protocol definition array |
366 | * options: array of options to add to; must be big enough |
367 | * n_opts: number of options in *options before calling (i.e. where to append) |
368 | * prot: array of protocols |
369 | * n_prots: number of protocols in *prot |
370 | * */ |
371 | static void append_protocols(struct option *options, int n_opts, struct proto *prot , int n_prots) |
372 | { |
373 | int o, p; |
374 | |
375 | for (o = n_opts, p = 0; p < n_prots; o++, p++) { |
376 | options[o].name = prot[p].description; |
377 | options[o].has_arg = required_argument; |
378 | options[o].flag = 0; |
379 | options[o].val = p + PROT_SHIFT; |
380 | } |
381 | } |
382 | |
383 | static void make_alloptions(void) |
384 | { |
385 | builtins = get_builtins(); |
386 | |
387 | /* Create all_options, composed of const_options followed by one option per |
388 | * known protocol */ |
389 | all_options = calloc(ARRAY_SIZE(const_options) + get_num_builtins(), sizeof(struct option)); |
390 | memcpy(all_options, const_options, sizeof(const_options)); |
391 | append_protocols(all_options, ARRAY_SIZE(const_options) - 1, builtins, get_num_builtins()); |
392 | } |
393 | |
394 | /* Performs a first scan of command line options to see if a configuration file |
395 | * is specified. If there is one, parse it now before all other options (so |
396 | * configuration file settings can be overridden from the command line). |
397 | * |
398 | * prots: newly-allocated list of configured protocols, if any. |
399 | */ |
400 | static void cmdline_config(int argc, char* argv[], struct proto** prots) |
401 | { |
402 | |
403 | int c, res; |
404 | char *config_filename; |
405 | |
406 | |
407 | make_alloptions(); |
408 | |
409 | |
410 | optind = 1; |
411 | opterr = 0; /* we're missing protocol options at this stage so don't output errors */ |
412 | while ((c = getopt_long_only(argc, argv, optstr, all_options, NULL)) != -1) { |
413 | if (c == 'v') { |
414 | verbose++; |
415 | } |
416 | if (c == 'F') { |
417 | config_filename = optarg; |
418 | if (config_filename) { |
419 | res = config_parse(config_filename, &addr_listen, prots); |
420 | } else { |
421 | /* No configuration file specified -- try default file locations */ |
422 | res = config_parse("/etc/sslh/sslh.cfg", &addr_listen, prots); |
423 | if (!res && verbose) fprintf(stderr, "Using /etc/sslh/sslh.cfg\n"); |
424 | if (res) { |
425 | res = config_parse("/etc/sslh.cfg", &addr_listen, prots); |
426 | if (!res && verbose) fprintf(stderr, "Using /etc/sslh.cfg\n"); |
427 | } |
428 | } |
429 | if (res) |
430 | exit(4); |
431 | break; |
432 | } |
433 | } |
434 | |
435 | } |
436 | |
437 | |
438 | /* Parse command-line options. prots points to a list of configured protocols, |
439 | * potentially non-allocated */ |
440 | static void parse_cmdline(int argc, char* argv[], struct proto* prots) |
441 | { |
442 | int c; |
443 | struct addrinfo **a; |
444 | struct proto *p; |
445 | |
446 | optind = 1; |
447 | opterr = 1; |
448 | next_arg: |
449 | while ((c = getopt_long_only(argc, argv, optstr, all_options, NULL)) != -1) { |
450 | if (c == 0) continue; |
451 | |
452 | if (c >= PROT_SHIFT) { |
453 | if (prots) |
454 | for (p = prots; p && p->next; p = p->next) { |
455 | /* override if protocol was already defined by config file |
456 | * (note it only overrides address and use builtin probe) */ |
457 | if (!strcmp(p->description, builtins[c-PROT_SHIFT].description)) { |
458 | resolve_name(&(p->saddr), optarg); |
459 | p->probe = builtins[c-PROT_SHIFT].probe; |
460 | goto next_arg; |
461 | } |
462 | } |
463 | /* At this stage, it's a new protocol: add it to the end of the |
464 | * list */ |
465 | if (!prots) { |
466 | /* No protocols yet -- create the list */ |
467 | p = prots = calloc(1, sizeof(*p)); |
468 | } else { |
469 | p->next = calloc(1, sizeof(*p)); |
470 | p = p->next; |
471 | } |
472 | memcpy(p, &builtins[c-PROT_SHIFT], sizeof(*p)); |
473 | resolve_name(&(p->saddr), optarg); |
474 | continue; |
475 | } |
476 | |
477 | switch (c) { |
478 | |
479 | case 'F': |
480 | /* Legal option, but do nothing, it was already processed in |
481 | * cmdline_config() */ |
482 | |
483 | fprintf(stderr, "Built without libconfig support: configuration file not available.\n"); |
484 | exit(1); |
485 | |
486 | break; |
487 | |
488 | case 't': |
489 | probing_timeout = atoi(optarg); |
490 | break; |
491 | |
492 | case OPT_ONTIMEOUT: |
493 | set_ontimeout(optarg); |
494 | break; |
495 | |
496 | case 'p': |
497 | /* find the end of the listen list */ |
498 | for (a = &addr_listen; *a; a = &((*a)->ai_next)); |
499 | /* append the specified addresses */ |
500 | resolve_name(a, optarg); |
501 | |
502 | break; |
503 | |
504 | case 'V': |
505 | printf("%s %s\n", server_type, VERSION); |
506 | exit(0); |
507 | |
508 | case 'u': |
509 | user_name = optarg; |
510 | break; |
511 | |
512 | case 'P': |
513 | pid_file = optarg; |
514 | break; |
515 | |
516 | case 'v': |
517 | verbose++; |
518 | break; |
519 | |
520 | default: |
521 | print_usage(); |
522 | exit(2); |
523 | } |
524 | } |
525 | |
526 | if (!prots) { |
527 | fprintf(stderr, "At least one target protocol must be specified.\n"); |
528 | exit(2); |
529 | } |
530 | |
531 | set_protocol_list(prots); |
532 | |
533 | if (!addr_listen && !inetd) { |
534 | fprintf(stderr, "No listening address specified; use at least one -p option\n"); |
535 | exit(1); |
536 | } |
537 | |
538 | /* Did command-line override foreground setting? */ |
539 | if (background) |
540 | foreground = 0; |
541 | |
542 | } |
543 | |
544 | int main(int argc, char *argv[]) |
545 | { |
546 | |
547 | extern char *optarg; |
548 | extern int optind; |
549 | int res, num_addr_listen; |
550 | struct proto* protocols = NULL; |
551 | |
552 | int *listen_sockets; |
553 | |
554 | /* Init defaults */ |
555 | pid_file = NULL; |
556 | user_name = NULL; |
557 | |
558 | cmdline_config(argc, argv, &protocols); |
559 | parse_cmdline(argc, argv, protocols); |
560 | |
561 | if (inetd) |
562 | { |
563 | verbose = 0; |
564 | start_shoveler(0); |
565 | exit(0); |
566 | } |
567 | |
568 | if (verbose) |
569 | printsettings(); |
570 | |
571 | num_addr_listen = start_listen_sockets(&listen_sockets, addr_listen); |
572 | |
573 | if (!foreground) { |
574 | if (fork() > 0) exit(0); /* Detach */ |
575 | |
576 | /* New session -- become group leader */ |
577 | if (getuid() == 0) { |
578 | res = setsid(); |
579 | CHECK_RES_DIE(res, "setsid: already process leader"); |
580 | } |
581 | } |
582 | |
583 | setup_signals(); |
584 | |
585 | if (pid_file) |
586 | write_pid_file(pid_file); |
587 | |
588 | if (user_name) |
589 | drop_privileges(user_name); |
590 | |
591 | |
592 | /* Open syslog connection */ |
593 | setup_syslog(argv[0]); |
594 | |
595 | if (verbose) |
596 | printcaps(); |
597 | |
598 | main_loop(listen_sockets, num_addr_listen); |
599 | |
600 | return 0; |
601 | } |
602 |
Built with git-ssb-web