Archives
/
SSLproxy
mirror of https://github.com/sonertari/SSLproxy
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
develop
master
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4a05b4bf05'
${ noResults }
SSLproxy/opts.c

2800 lines
70 KiB
C
Raw Blame History

/*-
* SSLsplit - transparent SSL/TLS interception
* https://www.roe.ch/SSLsplit
*
* Copyright (c) 2009-2018, Daniel Roethlisberger <daniel@roe.ch>.
* Copyright (c) 2017-2019, Soner Tari <sonertari@gmail.com>.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "opts.h"
#include "sys.h"
#include "log.h"
#include "defaults.h"
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/resource.h>
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif /* !OPENSSL_NO_DH */
#include <openssl/x509.h>
/*
* Handle out of memory conditions in early stages of main().
* Print error message and exit with failure status code.
* Does not return.
*/
void NORET
oom_die(const char *argv0)
{
fprintf(stderr, "%s: out of memory\n", argv0);
exit(EXIT_FAILURE);
}
opts_t *
opts_new(void)
{
opts_t *opts;
opts = malloc(sizeof(opts_t));
memset(opts, 0, sizeof(opts_t));
opts->sslcomp = 1;
opts->chain = sk_X509_new_null();
opts->sslmethod = SSLv23_method;
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
opts->minsslversion = TLS1_VERSION;
opts->maxsslversion = TLS1_2_VERSION;
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
opts->remove_http_referer = 1;
opts->verify_peer = 1;
opts->user_timeout = 300;
opts->max_http_header_size = 8192;
return opts;
}
global_t *
global_new(void)
{
global_t *global;
global = malloc(sizeof(global_t));
memset(global, 0, sizeof(global_t));
global->leafkey_rsabits = DFLT_LEAFKEY_RSABITS;
global->conn_idle_timeout = 120;
global->expired_conn_check_period = 10;
global->ssl_shutdown_retry_delay = 100;
global->stats_period = 1;
global->opts = opts_new();
global->opts->global = global;
return global;
}
void
opts_free(opts_t *opts)
{
if (opts->chain) {
sk_X509_pop_free(opts->chain, X509_free);
}
if (opts->clientcrt) {
X509_free(opts->clientcrt);
}
if (opts->clientkey) {
EVP_PKEY_free(opts->clientkey);
}
if (opts->cacrt) {
X509_free(opts->cacrt);
}
if (opts->cakey) {
EVP_PKEY_free(opts->cakey);
}
#ifndef OPENSSL_NO_DH
if (opts->dh) {
DH_free(opts->dh);
}
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
if (opts->ecdhcurve) {
free(opts->ecdhcurve);
}
#endif /* !OPENSSL_NO_ECDH */
if (opts->ciphers) {
free(opts->ciphers);
}
if (opts->user_auth_url) {
free(opts->user_auth_url);
}
passsite_t *passsite = opts->passsites;
while (passsite) {
passsite_t *next = passsite->next;
free(passsite->site);
if (passsite->ip)
free(passsite->ip);
if (passsite->user)
free(passsite->user);
if (passsite->keyword)
free(passsite->keyword);
free(passsite);
passsite = next;
}
memset(opts, 0, sizeof(opts_t));
free(opts);
}
/*
* Clear and free a proxy spec.
*/
void
proxyspec_free(proxyspec_t *spec)
{
if (spec->opts)
opts_free(spec->opts);
if (spec->natengine)
free(spec->natengine);
memset(spec, 0, sizeof(proxyspec_t));
free(spec);
}
/*
* Clear and free all proxy specs.
*/
void
global_proxyspec_free(proxyspec_t *spec)
{
do {
proxyspec_t *next = spec->next;
proxyspec_free(spec);
spec = next;
} while (spec);
}
void
global_free_opts_clone_strs(global_t *global)
{
if (global->cacrt_str) {
free(global->cacrt_str);
global->cacrt_str = NULL;
}
if (global->cakey_str) {
free(global->cakey_str);
global->cakey_str = NULL;
}
if (global->chain_str) {
free(global->chain_str);
global->chain_str = NULL;
}
if (global->clientcrt_str) {
free(global->clientcrt_str);
global->clientcrt_str = NULL;
}
if (global->clientkey_str) {
free(global->clientkey_str);
global->clientkey_str = NULL;
}
if (global->crl_str) {
free(global->crl_str);
global->crl_str = NULL;
}
if (global->dh_str) {
free(global->dh_str);
global->dh_str = NULL;
}
}
void
global_free(global_t *global)
{
if (global->spec) {
global_proxyspec_free(global->spec);
}
if (global->tgcrtdir) {
free(global->tgcrtdir);
}
if (global->dropuser) {
free(global->dropuser);
}
if (global->dropgroup) {
free(global->dropgroup);
}
if (global->jaildir) {
free(global->jaildir);
}
if (global->pidfile) {
free(global->pidfile);
}
if (global->connectlog) {
free(global->connectlog);
}
if (global->contentlog) {
free(global->contentlog);
}
if (global->certgendir) {
free(global->certgendir);
}
if (global->contentlog_basedir) {
free(global->contentlog_basedir);
}
if (global->masterkeylog) {
free(global->masterkeylog);
}
if (global->pcaplog) {
free(global->pcaplog);
}
if (global->pcaplog_basedir) {
free(global->pcaplog_basedir);
}
#ifndef WITHOUT_MIRROR
if (global->mirrorif) {
free(global->mirrorif);
}
if (global->mirrortarget) {
free(global->mirrortarget);
}
#endif /* !WITHOUT_MIRROR */
if (global->userdb_path) {
free(global->userdb_path);
}
if (global->opts) {
opts_free(global->opts);
}
if (global->key) {
EVP_PKEY_free(global->key);
}
#ifndef OPENSSL_NO_ENGINE
if (global->openssl_engine) {
free(global->openssl_engine);
}
#endif /* !OPENSSL_NO_ENGINE */
// Try free tmp strs again, for config reload
global_free_opts_clone_strs(global);
memset(global, 0, sizeof(global_t));
free(global);
}
/*
* Return 1 if global_t contains a proxyspec that (eventually) uses SSL/TLS,
* 0 otherwise. When 0, it is safe to assume that no SSL/TLS operations
* will take place with this configuration.
*/
int
global_has_ssl_spec(global_t *global)
{
proxyspec_t *p = global->spec;
while (p) {
if (p->ssl || p->upgrade)
return 1;
p = p->next;
}
return 0;
}
/*
* Return 1 if global_t contains a proxyspec with dns, 0 otherwise.
*/
int
global_has_dns_spec(global_t *global)
{
proxyspec_t *p = global->spec;
while (p) {
if (p->dns)
return 1;
p = p->next;
}
return 0;
}
/*
* Return 1 if global_t contains a proxyspec with user_auth, 0 otherwise.
*/
int
global_has_userauth_spec(global_t *global)
{
proxyspec_t *p = global->spec;
while (p) {
if (p->opts->user_auth)
return 1;
p = p->next;
}
return 0;
}
/*
* Return 1 if global_t contains a proxyspec with cakey defined, 0 otherwise.
*/
int
global_has_cakey_spec(global_t *global)
{
proxyspec_t *p = global->spec;
while (p) {
if (p->opts->cakey)
return 1;
p = p->next;
}
return 0;
}
/*
* Dump the SSL/TLS protocol related configuration.
*/
char *
opts_proto_dbg_dump(opts_t *opts)
{
char *s;
if (asprintf(&s, "SSL/TLS protocol: %s%s%s%s%s%s%s%s",
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20702000L)
#ifdef HAVE_SSLV2
(opts->sslmethod == SSLv2_method) ? "ssl2" :
#endif /* HAVE_SSLV2 */
#ifdef HAVE_SSLV3
(opts->sslmethod == SSLv3_method) ? "ssl3" :
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
(opts->sslmethod == TLSv1_method) ? "tls10" :
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
(opts->sslmethod == TLSv1_1_method) ? "tls11" :
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
(opts->sslmethod == TLSv1_2_method) ? "tls12" :
#endif /* HAVE_TLSV12 */
#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
#ifdef HAVE_SSLV3
(opts->sslversion == SSL3_VERSION) ? "ssl3" :
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
(opts->sslversion == TLS1_VERSION) ? "tls10" :
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
(opts->sslversion == TLS1_1_VERSION) ? "tls11" :
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
(opts->sslversion == TLS1_2_VERSION) ? "tls12" :
#endif /* HAVE_TLSV12 */
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
"negotiate",
#ifdef HAVE_SSLV2
opts->no_ssl2 ? " -ssl2" :
#endif /* HAVE_SSLV2 */
"",
#ifdef HAVE_SSLV3
opts->no_ssl3 ? " -ssl3" :
#endif /* HAVE_SSLV3 */
"",
#ifdef HAVE_TLSV10
opts->no_tls10 ? " -tls10" :
#endif /* HAVE_TLSV10 */
"",
#ifdef HAVE_TLSV11
opts->no_tls11 ? " -tls11" :
#endif /* HAVE_TLSV11 */
"",
#ifdef HAVE_TLSV12
opts->no_tls12 ? " -tls12" :
#endif /* HAVE_TLSV12 */
"",
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
#ifdef HAVE_SSLV3
(opts->minsslversion == SSL3_VERSION) ? ">=ssl3" :
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
(opts->minsslversion == TLS1_VERSION) ? ">=tls10" :
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
(opts->minsslversion == TLS1_1_VERSION) ? ">=tls11" :
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
(opts->minsslversion == TLS1_2_VERSION) ? ">=tls12" :
#endif /* HAVE_TLSV12 */
"",
#ifdef HAVE_SSLV3
(opts->maxsslversion == SSL3_VERSION) ? "<=ssl3" :
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
(opts->maxsslversion == TLS1_VERSION) ? "<=tls10" :
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
(opts->maxsslversion == TLS1_1_VERSION) ? "<=tls11" :
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
(opts->maxsslversion == TLS1_2_VERSION) ? "<=tls12" :
#endif /* HAVE_TLSV12 */
""
#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
"", ""
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
) < 0) {
s = NULL;
}
return s;
}
static void
opts_set_user_auth_url(opts_t *opts, const char *optarg)
{
if (opts->user_auth_url)
free(opts->user_auth_url);
opts->user_auth_url = strdup(optarg);
#ifdef DEBUG_OPTS
log_dbg_printf("UserAuthURL: %s\n", opts->user_auth_url);
#endif /* DEBUG_OPTS */
}
static opts_t *
clone_global_opts(global_t *global, const char *argv0)
{
#ifdef DEBUG_OPTS
log_dbg_printf("Clone global opts\n");
#endif /* DEBUG_OPTS */
opts_t *opts = opts_new();
opts->sslcomp = global->opts->sslcomp;
#ifdef HAVE_SSLV2
opts->no_ssl2 = global->opts->no_ssl2;
#endif /* HAVE_SSLV2 */
#ifdef HAVE_SSLV3
opts->no_ssl3 = global->opts->no_ssl3;
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
opts->no_tls10 = global->opts->no_tls10;
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
opts->no_tls11 = global->opts->no_tls11;
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
opts->no_tls12 = global->opts->no_tls12;
#endif /* HAVE_TLSV12 */
opts->passthrough = global->opts->passthrough;
opts->deny_ocsp = global->opts->deny_ocsp;
opts->sslmethod = global->opts->sslmethod;
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
opts->sslversion = global->opts->sslversion;
opts->minsslversion = global->opts->minsslversion;
opts->maxsslversion = global->opts->maxsslversion;
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
opts->remove_http_accept_encoding = global->opts->remove_http_accept_encoding;
opts->remove_http_referer = global->opts->remove_http_referer;
opts->verify_peer = global->opts->verify_peer;
opts->allow_wrong_host = global->opts->allow_wrong_host;
opts->user_auth = global->opts->user_auth;
opts->user_timeout = global->opts->user_timeout;
opts->validate_proto = global->opts->validate_proto;
opts->max_http_header_size = global->opts->max_http_header_size;
if (global->chain_str) {
opts_set_chain(opts, argv0, global->chain_str);
}
if (global->cacrt_str) {
opts_set_cacrt(opts, argv0, global->cacrt_str);
}
if (global->cakey_str) {
opts_set_cakey(opts, argv0, global->cakey_str);
}
if (global->clientcrt_str) {
opts_set_clientcrt(opts, argv0, global->clientcrt_str);
}
if (global->clientkey_str) {
opts_set_clientkey(opts, argv0, global->clientkey_str);
}
#ifndef OPENSSL_NO_DH
if (global->dh_str) {
opts_set_dh(opts, argv0, global->dh_str);
}
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
if (global->opts->ecdhcurve) {
opts_set_ecdhcurve(opts, argv0, global->opts->ecdhcurve);
}
#endif /* !OPENSSL_NO_ECDH */
if (global->opts->ciphers) {
opts_set_ciphers(opts, argv0, global->opts->ciphers);
}
if (global->opts->user_auth_url) {
opts_set_user_auth_url(opts, global->opts->user_auth_url);
}
passsite_t *passsite = global->opts->passsites;
while (passsite) {
passsite_t *ps = malloc(sizeof(passsite_t));
memset(ps, 0, sizeof(passsite_t));
if (passsite->site)
ps->site = strdup(passsite->site);
if (passsite->ip)
ps->ip = strdup(passsite->ip);
if (passsite->user)
ps->user = strdup(passsite->user);
if (passsite->keyword)
ps->keyword = strdup(passsite->keyword);
ps->all = passsite->all;
ps->next = opts->passsites;
opts->passsites = ps;
passsite = passsite->next;
}
return opts;
}
proxyspec_t *
proxyspec_new(global_t *global, const char *argv0)
{
proxyspec_t *spec = malloc(sizeof(proxyspec_t));
memset(spec, 0, sizeof(proxyspec_t));
spec->opts = clone_global_opts(global, argv0);
return spec;
}
void
proxyspec_set_proto(proxyspec_t *spec, const char *value)
{
/* Defaults */
spec->ssl = 0;
spec->http = 0;
spec->upgrade = 0;
spec->pop3 = 0;
spec->smtp = 0;
if (!strcmp(value, "tcp")) {
/* use defaults */
} else
if (!strcmp(value, "ssl")) {
spec->ssl = 1;
} else
if (!strcmp(value, "http")) {
spec->http = 1;
} else
if (!strcmp(value, "https")) {
spec->ssl = 1;
spec->http = 1;
} else
if (!strcmp(value, "autossl")) {
spec->upgrade = 1;
} else
if (!strcmp(value, "pop3")) {
spec->pop3 = 1;
} else
if (!strcmp(value, "pop3s")) {
spec->ssl = 1;
spec->pop3 = 1;
} else
if (!strcmp(value, "smtp")) {
spec->smtp = 1;
} else
if (!strcmp(value, "smtps")) {
spec->ssl = 1;
spec->smtp = 1;
} else {
fprintf(stderr, "Unknown connection "
"type '%s'\n", value);
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("Proto: %s\n", value);
#endif /* DEBUG_OPTS */
}
static void
proxyspec_set_listen_addr(proxyspec_t *spec, char *addr, char *port, const char *natengine)
{
spec->af = sys_sockaddr_parse(&spec->listen_addr,
&spec->listen_addrlen,
addr, port,
sys_get_af(addr),
EVUTIL_AI_PASSIVE);
if (spec->af == -1) {
exit(EXIT_FAILURE);
}
if (natengine) {
spec->natengine = strdup(natengine);
if (!spec->natengine) {
fprintf(stderr, "Out of memory\n");
exit(EXIT_FAILURE);
}
} else {
spec->natengine = NULL;
}
#ifdef DEBUG_OPTS
log_dbg_printf("Addr: [%s]:%s, %s\n", addr, port, natengine);
#endif /* DEBUG_OPTS */
}
static void
proxyspec_set_divert_addr(proxyspec_t *spec, char *addr, char *port)
{
if (sys_sockaddr_parse(&spec->conn_dst_addr,
&spec->conn_dst_addrlen,
addr, port, AF_INET, EVUTIL_AI_PASSIVE) == -1) {
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("DivertAddr: [%s]:%s\n", addr, port);
#endif /* DEBUG_OPTS */
}
static void
proxyspec_set_return_addr(proxyspec_t *spec, char *addr)
{
if (sys_sockaddr_parse(&spec->child_src_addr,
&spec->child_src_addrlen,
addr, "0", AF_INET, EVUTIL_AI_PASSIVE) == -1) {
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("ReturnAddr: [%s]\n", addr);
#endif /* DEBUG_OPTS */
}
static void
proxyspec_set_target_addr(proxyspec_t *spec, char *addr, char *port)
{
if (sys_sockaddr_parse(&spec->connect_addr,
&spec->connect_addrlen,
addr, port, spec->af, 0) == -1) {
exit(EXIT_FAILURE);
}
/* explicit target address */
free(spec->natengine);
spec->natengine = NULL;
#ifdef DEBUG_OPTS
log_dbg_printf("TargetAddr: [%s]:%s\n", addr, port);
#endif /* DEBUG_OPTS */
}
static void
proxyspec_set_sni_port(proxyspec_t *spec, char *port)
{
if (!spec->ssl) {
fprintf(stderr,
"SNI hostname lookup "
"only works for ssl "
"and https proxyspecs"
"\n");
exit(EXIT_FAILURE);
}
/* SNI dstport */
spec->sni_port = atoi(port);
if (!spec->sni_port) {
fprintf(stderr, "Invalid port '%s'\n", port);
exit(EXIT_FAILURE);
}
spec->dns = 1;
free(spec->natengine);
spec->natengine = NULL;
#ifdef DEBUG_OPTS
log_dbg_printf("SNIPort: %u\n", spec->sni_port);
#endif /* DEBUG_OPTS */
}
static void
proxyspec_set_natengine(proxyspec_t *spec, const char *natengine)
{
// Double checks if called by proxyspec_parse()
if (nat_exist(natengine)) {
/* natengine */
free(spec->natengine);
spec->natengine = strdup(natengine);
if (!spec->natengine) {
fprintf(stderr, "Out of memory\n");
exit(EXIT_FAILURE);
}
} else {
fprintf(stderr, "No such nat engine '%s'\n", natengine);
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("NatEngine: %s\n", spec->natengine);
#endif /* DEBUG_OPTS */
}
/*
* Parse proxyspecs using a simple state machine.
*/
void
proxyspec_parse(int *argc, char **argv[], const char *natengine, global_t *global, const char *argv0)
{
proxyspec_t *spec = NULL;
char *addr = NULL;
int state = 0;
while ((*argc)--) {
switch (state) {
default:
case 0:
/* tcp | ssl | http | https | autossl | pop3 | pop3s | smtp | smtps */
spec = proxyspec_new(global, argv0);
spec->next = global->spec;
global->spec = spec;
proxyspec_set_proto(spec, **argv);
state++;
break;
case 1:
/* listenaddr */
addr = **argv;
state++;
break;
case 2:
/* listenport */
proxyspec_set_listen_addr(spec, addr, **argv, natengine);
state++;
break;
case 3:
// Divert port is mandatory
// The divert port is set/used in pf and UTM service config.
// @todo IPv6?
if (strstr(**argv, "up:")) {
char *dp = **argv + 3;
char *da = "127.0.0.1";
char *ra = "127.0.0.1";
// da and ra are optional, if both specified, da should come before ra
// Divert address
if (*argc && strstr(*((*argv) + 1), "ua:")) {
(*argv)++; (*argc)--;
da = **argv + 3;
}
// Return address
if (*argc && strstr(*((*argv) + 1), "ra:")) {
(*argv)++; (*argc)--;
ra = **argv + 3;
}
proxyspec_set_divert_addr(spec, da, dp);
proxyspec_set_return_addr(spec, ra);
state++;
}
break;
case 4:
/* [ natengine | dstaddr ] */
if (!strcmp(**argv, "tcp") ||
!strcmp(**argv, "ssl") ||
!strcmp(**argv, "http") ||
!strcmp(**argv, "https") ||
!strcmp(**argv, "autossl") ||
!strcmp(**argv, "pop3") ||
!strcmp(**argv, "pop3s") ||
!strcmp(**argv, "smtp") ||
!strcmp(**argv, "smtps")) {
/* implicit default natengine */
(*argv)--; (*argc)++; /* rewind */
state = 0;
} else
if (!strcmp(**argv, "sni")) {
state = 6;
} else
if (nat_exist(**argv)) {
/* natengine */
proxyspec_set_natengine(spec, natengine);
state = 0;
} else {
/* explicit target address */
addr = **argv;
state++;
}
break;
case 5:
/* explicit target port */
proxyspec_set_target_addr(spec, addr, **argv);
state = 0;
break;
case 6:
/* SNI dstport */
proxyspec_set_sni_port(spec, **argv);
state = 0;
break;
}
(*argv)++;
}
if (state != 0 && state != 4) {
fprintf(stderr, "Incomplete proxyspec!\n");
exit(EXIT_FAILURE);
}
}
char *
passsite_str(passsite_t *passsite)
{
char *ps = NULL;
if (!passsite) {
ps = strdup("");
goto out;
}
int count = 0;
while (passsite) {
char *p;
if (asprintf(&p, "site=%s,ip=%s,user=%s,keyword=%s,all=%d",
passsite->site, STRORNONE(passsite->ip), STRORNONE(passsite->user), STRORNONE(passsite->keyword), passsite->all) < 0) {
goto err;
}
char *nps;
if (asprintf(&nps, "%s%spasssite %d: %s",
STRORNONE(ps), ps ? "\n" : "", count, p) < 0) {
free(p);
goto err;
}
free(p);
if (ps)
free(ps);
ps = nps;
passsite = passsite->next;
count++;
}
goto out;
err:
if (ps) {
free(ps);
ps = NULL;
}
out:
return ps;
}
static char *
opts_str(opts_t *opts)
{
char *s;
char *proto_dump = NULL;
char *ps = passsite_str(opts->passsites);
if (!ps) {
s = NULL;
goto out;
}
proto_dump = opts_proto_dbg_dump(opts);
if (!proto_dump) {
s = NULL;
goto out;
}
if (asprintf(&s, "opts=%s"
#ifdef HAVE_SSLV2
"%s"
#endif /* HAVE_SSLV2 */
#ifdef HAVE_SSLV3
"%s"
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
"%s"
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
"%s"
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
"%s"
#endif /* HAVE_TLSV12 */
"%s%s"
"|%s"
#ifndef OPENSSL_NO_ECDH
"|%s"
#endif /* !OPENSSL_NO_ECDH */
"|%s%s%s%s%s%s|%s|%d%s|%d\n%s%s%s",
(!opts->sslcomp ? "no sslcomp" : ""),
#ifdef HAVE_SSLV2
(opts->no_ssl2 ? "|no_ssl2" : ""),
#endif /* HAVE_SSLV2 */
#ifdef HAVE_SSLV3
(opts->no_ssl3 ? "|no_ssl3" : ""),
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
(opts->no_tls10 ? "|no_tls10" : ""),
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
(opts->no_tls11 ? "|no_tls11" : ""),
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
(opts->no_tls12 ? "|no_tls12" : ""),
#endif /* HAVE_TLSV12 */
(opts->passthrough ? "|passthrough" : ""),
(opts->deny_ocsp ? "|deny_ocsp" : ""),
(opts->ciphers ? opts->ciphers : "no ciphers"),
#ifndef OPENSSL_NO_ECDH
(opts->ecdhcurve ? opts->ecdhcurve : "no ecdhcurve"),
#endif /* !OPENSSL_NO_ECDH */
(opts->crlurl ? opts->crlurl : "no crlurl"),
(opts->remove_http_accept_encoding ? "|remove_http_accept_encoding" : ""),
(opts->remove_http_referer ? "|remove_http_referer" : ""),
(opts->verify_peer ? "|verify_peer" : ""),
(opts->allow_wrong_host ? "|allow_wrong_host" : ""),
(opts->user_auth ? "|user_auth" : ""),
(opts->user_auth_url ? opts->user_auth_url : "no user_auth_url"),
opts->user_timeout,
(opts->validate_proto ? "|validate_proto" : ""),
opts->max_http_header_size,
proto_dump,
strlen(ps) ? "\n" : "", ps) < 0) {
s = NULL;
}
out:
if (ps)
free(ps);
if (proto_dump)
free(proto_dump);
return s;
}
/*
* Return text representation of proxy spec for display to the user.
* Returned string must be freed by caller.
*/
char *
proxyspec_str(proxyspec_t *spec)
{
char *s;
char *lhbuf, *lpbuf;
char *cbuf = NULL;
char *pdstbuf = NULL;
char *csrcbuf = NULL;
if (sys_sockaddr_str((struct sockaddr *)&spec->listen_addr,
spec->listen_addrlen, &lhbuf, &lpbuf) != 0) {
return NULL;
}
if (spec->connect_addrlen) {
char *chbuf, *cpbuf;
if (sys_sockaddr_str((struct sockaddr *)&spec->connect_addr,
spec->connect_addrlen,
&chbuf, &cpbuf) != 0) {
return NULL;
}
if (asprintf(&cbuf, "\nconnect= [%s]:%s", chbuf, cpbuf) < 0) {
return NULL;
}
free(chbuf);
free(cpbuf);
}
if (spec->conn_dst_addrlen) {
char *chbuf, *cpbuf;
if (sys_sockaddr_str((struct sockaddr *)&spec->conn_dst_addr,
spec->conn_dst_addrlen,
&chbuf, &cpbuf) != 0) {
return NULL;
}
if (asprintf(&pdstbuf, "\nparent dst addr= [%s]:%s", chbuf, cpbuf) < 0) {
return NULL;
}
free(chbuf);
free(cpbuf);
}
if (spec->child_src_addrlen) {
char *chbuf, *cpbuf;
if (sys_sockaddr_str((struct sockaddr *)&spec->child_src_addr,
spec->child_src_addrlen,
&chbuf, &cpbuf) != 0) {
return NULL;
}
if (asprintf(&csrcbuf, "\nchild src addr= [%s]:%s", chbuf, cpbuf) < 0) {
return NULL;
}
free(chbuf);
free(cpbuf);
}
if (spec->sni_port) {
if (asprintf(&cbuf, "\nsni %i", spec->sni_port) < 0) {
return NULL;
}
}
char *optsstr = opts_str(spec->opts);
if (!optsstr) {
return NULL;
}
if (asprintf(&s, "listen=[%s]:%s %s%s%s%s%s %s%s%s\n%s", lhbuf, lpbuf,
(spec->ssl ? "ssl" : "tcp"),
(spec->upgrade ? "|autossl" : ""),
(spec->http ? "|http" : ""),
(spec->pop3 ? "|pop3" : ""),
(spec->smtp ? "|smtp" : ""),
(spec->natengine ? spec->natengine : cbuf),
(pdstbuf),
(csrcbuf),
optsstr) < 0) {
s = NULL;
}
free(optsstr);
free(lhbuf);
free(lpbuf);
if (cbuf)
free(cbuf);
if (pdstbuf)
free(pdstbuf);
if (csrcbuf)
free(csrcbuf);
return s;
}
void
opts_set_cacrt(opts_t *opts, const char *argv0, const char *optarg)
{
if (opts->cacrt)
X509_free(opts->cacrt);
opts->cacrt = ssl_x509_load(optarg);
if (!opts->cacrt) {
fprintf(stderr, "%s: error loading CA cert from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n", strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
ssl_x509_refcount_inc(opts->cacrt);
sk_X509_insert(opts->chain, opts->cacrt, 0);
if (!opts->cakey) {
opts->cakey = ssl_key_load(optarg);
}
#ifndef OPENSSL_NO_DH
if (!opts->dh) {
opts->dh = ssl_dh_load(optarg);
}
#endif /* !OPENSSL_NO_DH */
#ifdef DEBUG_OPTS
log_dbg_printf("CACert: %s\n", optarg);
#endif /* DEBUG_OPTS */
}
void
opts_set_cakey(opts_t *opts, const char *argv0, const char *optarg)
{
if (opts->cakey)
EVP_PKEY_free(opts->cakey);
opts->cakey = ssl_key_load(optarg);
if (!opts->cakey) {
fprintf(stderr, "%s: error loading CA key from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n", strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
if (!opts->cacrt) {
opts->cacrt = ssl_x509_load(optarg);
if (opts->cacrt) {
ssl_x509_refcount_inc(opts->cacrt);
sk_X509_insert(opts->chain, opts->cacrt, 0);
}
}
#ifndef OPENSSL_NO_DH
if (!opts->dh) {
opts->dh = ssl_dh_load(optarg);
}
#endif /* !OPENSSL_NO_DH */
#ifdef DEBUG_OPTS
log_dbg_printf("CAKey: %s\n", optarg);
#endif /* DEBUG_OPTS */
}
void
opts_set_chain(opts_t *opts, const char *argv0, const char *optarg)
{
if (ssl_x509chain_load(NULL, &opts->chain, optarg) == -1) {
fprintf(stderr, "%s: error loading chain from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n", strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("CAChain: %s\n", optarg);
#endif /* DEBUG_OPTS */
}
void
opts_set_crl(opts_t *opts, const char *optarg)
{
if (opts->crlurl)
free(opts->crlurl);
opts->crlurl = strdup(optarg);
#ifdef DEBUG_OPTS
log_dbg_printf("CRL: %s\n", opts->crlurl);
#endif /* DEBUG_OPTS */
}
static void
set_certgendir(global_t *global, const char *argv0, const char *optarg)
{
if (global->certgendir)
free(global->certgendir);
global->certgendir = strdup(optarg);
if (!global->certgendir)
oom_die(argv0);
}
void
opts_set_deny_ocsp(opts_t *opts)
{
opts->deny_ocsp = 1;
}
void
opts_unset_deny_ocsp(opts_t *opts)
{
opts->deny_ocsp = 0;
}
void
opts_set_passthrough(opts_t *opts)
{
opts->passthrough = 1;
}
void
opts_unset_passthrough(opts_t *opts)
{
opts->passthrough = 0;
}
void
opts_set_clientcrt(opts_t *opts, const char *argv0, const char *optarg)
{
if (opts->clientcrt)
X509_free(opts->clientcrt);
opts->clientcrt = ssl_x509_load(optarg);
if (!opts->clientcrt) {
fprintf(stderr, "%s: error loading client cert from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n", strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("ClientCert: %s\n", optarg);
#endif /* DEBUG_OPTS */
}
void
opts_set_clientkey(opts_t *opts, const char *argv0, const char *optarg)
{
if (opts->clientkey)
EVP_PKEY_free(opts->clientkey);
opts->clientkey = ssl_key_load(optarg);
if (!opts->clientkey) {
fprintf(stderr, "%s: error loading client key from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n", strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("ClientKey: %s\n", optarg);
#endif /* DEBUG_OPTS */
}
#ifndef OPENSSL_NO_DH
void
opts_set_dh(opts_t *opts, const char *argv0, const char *optarg)
{
if (opts->dh)
DH_free(opts->dh);
opts->dh = ssl_dh_load(optarg);
if (!opts->dh) {
fprintf(stderr, "%s: error loading DH params from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n", strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("DHGroupParams: %s\n", optarg);
#endif /* DEBUG_OPTS */
}
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
void
opts_set_ecdhcurve(opts_t *opts, const char *argv0, const char *optarg)
{
EC_KEY *ec;
if (opts->ecdhcurve)
free(opts->ecdhcurve);
if (!(ec = ssl_ec_by_name(optarg))) {
fprintf(stderr, "%s: unknown curve '%s'\n", argv0, optarg);
exit(EXIT_FAILURE);
}
EC_KEY_free(ec);
opts->ecdhcurve = strdup(optarg);
if (!opts->ecdhcurve)
oom_die(argv0);
#ifdef DEBUG_OPTS
log_dbg_printf("ECDHCurve: %s\n", opts->ecdhcurve);
#endif /* DEBUG_OPTS */
}
#endif /* !OPENSSL_NO_ECDH */
void
opts_set_sslcomp(opts_t *opts)
{
opts->sslcomp = 1;
}
void
opts_unset_sslcomp(opts_t *opts)
{
opts->sslcomp = 0;
}
void
opts_set_ciphers(opts_t *opts, const char *argv0, const char *optarg)
{
if (opts->ciphers)
free(opts->ciphers);
opts->ciphers = strdup(optarg);
if (!opts->ciphers)
oom_die(argv0);
#ifdef DEBUG_OPTS
log_dbg_printf("Ciphers: %s\n", opts->ciphers);
#endif /* DEBUG_OPTS */
}
/*
* Parse SSL proto string in optarg and look up the corresponding SSL method.
* Calls exit() on failure.
*/
void
opts_force_proto(opts_t *opts, const char *argv0, const char *optarg)
{
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20702000L)
if (opts->sslmethod != SSLv23_method) {
#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
if (opts->sslversion) {
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
fprintf(stderr, "%s: cannot use -r multiple times\n", argv0);
exit(EXIT_FAILURE);
}
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20702000L)
#ifdef HAVE_SSLV2
if (!strcmp(optarg, "ssl2")) {
opts->sslmethod = SSLv2_method;
} else
#endif /* HAVE_SSLV2 */
#ifdef HAVE_SSLV3
if (!strcmp(optarg, "ssl3")) {
opts->sslmethod = SSLv3_method;
} else
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
if (!strcmp(optarg, "tls10") || !strcmp(optarg, "tls1")) {
opts->sslmethod = TLSv1_method;
} else
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
if (!strcmp(optarg, "tls11")) {
opts->sslmethod = TLSv1_1_method;
} else
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
if (!strcmp(optarg, "tls12")) {
opts->sslmethod = TLSv1_2_method;
} else
#endif /* HAVE_TLSV12 */
#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
/*
* Support for SSLv2 and the corresponding SSLv2_method(),
* SSLv2_server_method() and SSLv2_client_method() functions were
* removed in OpenSSL 1.1.0.
*/
#ifdef HAVE_SSLV3
if (!strcmp(optarg, "ssl3")) {
opts->sslversion = SSL3_VERSION;
} else
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
if (!strcmp(optarg, "tls10") || !strcmp(optarg, "tls1")) {
opts->sslversion = TLS1_VERSION;
} else
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
if (!strcmp(optarg, "tls11")) {
opts->sslversion = TLS1_1_VERSION;
} else
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
if (!strcmp(optarg, "tls12")) {
opts->sslversion = TLS1_2_VERSION;
} else
#endif /* HAVE_TLSV12 */
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
{
fprintf(stderr, "%s: Unsupported SSL/TLS protocol '%s'\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("ForceSSLProto: %s\n", optarg);
#endif /* DEBUG_OPTS */
}
/*
* Parse SSL proto string in optarg and set the corresponding no_foo bit.
* Calls exit() on failure.
*/
void
opts_disable_proto(opts_t *opts, const char *argv0, const char *optarg)
{
#ifdef HAVE_SSLV2
if (!strcmp(optarg, "ssl2")) {
opts->no_ssl2 = 1;
} else
#endif /* HAVE_SSLV2 */
#ifdef HAVE_SSLV3
if (!strcmp(optarg, "ssl3")) {
opts->no_ssl3 = 1;
} else
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
if (!strcmp(optarg, "tls10") || !strcmp(optarg, "tls1")) {
opts->no_tls10 = 1;
} else
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
if (!strcmp(optarg, "tls11")) {
opts->no_tls11 = 1;
} else
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
if (!strcmp(optarg, "tls12")) {
opts->no_tls12 = 1;
} else
#endif /* HAVE_TLSV12 */
{
fprintf(stderr, "%s: Unsupported SSL/TLS protocol '%s'\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("DisableSSLProto: %s\n", optarg);
#endif /* DEBUG_OPTS */
}
void
opts_set_min_proto(UNUSED opts_t *opts, const char *argv0, const char *optarg)
{
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
#ifdef HAVE_SSLV3
if (!strcmp(optarg, "ssl3")) {
opts->minsslversion = SSL3_VERSION;
} else
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
if (!strcmp(optarg, "tls10") || !strcmp(optarg, "tls1")) {
opts->minsslversion = TLS1_VERSION;
} else
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
if (!strcmp(optarg, "tls11")) {
opts->minsslversion = TLS1_1_VERSION;
} else
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
if (!strcmp(optarg, "tls12")) {
opts->minsslversion = TLS1_2_VERSION;
} else
#endif /* HAVE_TLSV12 */
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
{
fprintf(stderr, "%s: Unsupported SSL/TLS protocol '%s'\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("MinSSLProto: %s\n", optarg);
#endif /* DEBUG_OPTS */
}
void
opts_set_max_proto(UNUSED opts_t *opts, const char *argv0, const char *optarg)
{
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
#ifdef HAVE_SSLV3
if (!strcmp(optarg, "ssl3")) {
opts->maxsslversion = SSL3_VERSION;
} else
#endif /* HAVE_SSLV3 */
#ifdef HAVE_TLSV10
if (!strcmp(optarg, "tls10") || !strcmp(optarg, "tls1")) {
opts->maxsslversion = TLS1_VERSION;
} else
#endif /* HAVE_TLSV10 */
#ifdef HAVE_TLSV11
if (!strcmp(optarg, "tls11")) {
opts->maxsslversion = TLS1_1_VERSION;
} else
#endif /* HAVE_TLSV11 */
#ifdef HAVE_TLSV12
if (!strcmp(optarg, "tls12")) {
opts->maxsslversion = TLS1_2_VERSION;
} else
#endif /* HAVE_TLSV12 */
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
{
fprintf(stderr, "%s: Unsupported SSL/TLS protocol '%s'\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("MaxSSLProto: %s\n", optarg);
#endif /* DEBUG_OPTS */
}
static void
opts_set_remove_http_accept_encoding(opts_t *opts)
{
opts->remove_http_accept_encoding = 1;
}
static void
opts_unset_remove_http_accept_encoding(opts_t *opts)
{
opts->remove_http_accept_encoding = 0;
}
static void
opts_set_remove_http_referer(opts_t *opts)
{
opts->remove_http_referer = 1;
}
static void
opts_unset_remove_http_referer(opts_t *opts)
{
opts->remove_http_referer = 0;
}
static void
opts_set_verify_peer(opts_t *opts)
{
opts->verify_peer = 1;
}
static void
opts_unset_verify_peer(opts_t *opts)
{
opts->verify_peer = 0;
}
static void
opts_set_allow_wrong_host(opts_t *opts)
{
opts->allow_wrong_host = 1;
}
static void
opts_unset_allow_wrong_host(opts_t *opts)
{
opts->allow_wrong_host = 0;
}
static void
opts_set_user_auth(UNUSED opts_t *opts)
{
#if defined(__OpenBSD__) || defined(__linux__)
// Enable user auth on OpenBSD and Linux only
opts->user_auth = 1;
#endif /* __OpenBSD__ || __linux__ */
}
static void
opts_unset_user_auth(opts_t *opts)
{
opts->user_auth = 0;
}
static void
opts_set_validate_proto(opts_t *opts)
{
opts->validate_proto = 1;
}
static void
opts_unset_validate_proto(opts_t *opts)
{
opts->validate_proto = 0;
}
void
opts_set_pass_site(opts_t *opts, char *value, int line_num)
{
// site [(clientaddr|(user|*) [description keyword])]
char *argv[sizeof(char *) * 3];
int argc = 0;
char *p, *last = NULL;
for ((p = strtok_r(value, " ", &last));
p;
(p = strtok_r(NULL, " ", &last))) {
if (argc < 3) {
argv[argc++] = p;
} else {
break;
}
}
if (!argc) {
fprintf(stderr, "PassSite requires at least one parameter on line %d\n", line_num);
exit(EXIT_FAILURE);
}
passsite_t *ps = malloc(sizeof(passsite_t));
memset(ps, 0, sizeof(passsite_t));
size_t len = strlen(argv[0]);
// Common names are separated by slashes
char s[len + 3];
strncpy(s + 1, argv[0], len);
s[0] = '/';
s[len + 1] = '/';
s[len + 2] = '\0';
ps->site = strdup(s);
if (argc > 1) {
if (!strcmp(argv[1], "*")) {
ps->all = 1;
} else if (sys_isuser(argv[1])) {
if (!opts->user_auth) {
fprintf(stderr, "PassSite user filter requires user auth on line %d\n", line_num);
exit(EXIT_FAILURE);
}
ps->user = strdup(argv[1]);
} else {
ps->ip = strdup(argv[1]);
}
}
if (argc > 2) {
if (ps->ip) {
fprintf(stderr, "PassSite client ip cannot define keyword filter on line %d\n", line_num);
exit(EXIT_FAILURE);
}
ps->keyword = strdup(argv[2]);
}
ps->next = opts->passsites;
opts->passsites = ps;
#ifdef DEBUG_OPTS
log_dbg_printf("PassSite: %s, %s, %s, %s\n", ps->site, STRORDASH(ps->ip), ps->all ? "*" : STRORDASH(ps->user), STRORDASH(ps->keyword));
#endif /* DEBUG_OPTS */
}
void
global_set_key(global_t *global, const char *argv0, const char *optarg)
{
if (global->key)
EVP_PKEY_free(global->key);
global->key = ssl_key_load(optarg);
if (!global->key) {
fprintf(stderr, "%s: error loading leaf key from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n", strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
#ifndef OPENSSL_NO_DH
if (!global->opts->dh) {
global->opts->dh = ssl_dh_load(optarg);
}
#endif /* !OPENSSL_NO_DH */
#ifdef DEBUG_OPTS
log_dbg_printf("LeafCerts: %s\n", optarg);
#endif /* DEBUG_OPTS */
}
#ifndef OPENSSL_NO_ENGINE
void
global_set_openssl_engine(global_t *global, const char *argv0, const char *optarg)
{
if (global->openssl_engine)
free(global->openssl_engine);
global->openssl_engine = strdup(optarg);
if (!global->openssl_engine)
oom_die(argv0);
#ifdef DEBUG_OPTS
log_dbg_printf("OpenSSLEngine: %s\n", global->openssl_engine);
#endif /* DEBUG_OPTS */
}
#endif /* !OPENSSL_NO_ENGINE */
void
global_set_tgcrtdir(global_t *global, const char *argv0, const char *optarg)
{
if (!sys_isdir(optarg)) {
fprintf(stderr, "%s: '%s' is not a directory\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
if (global->tgcrtdir)
free(global->tgcrtdir);
global->tgcrtdir = strdup(optarg);
if (!global->tgcrtdir)
oom_die(argv0);
#ifdef DEBUG_OPTS
log_dbg_printf("TargetCertDir: %s\n", global->tgcrtdir);
#endif /* DEBUG_OPTS */
}
void
global_set_certgendir_writegencerts(global_t *global, const char *argv0,
const char *optarg)
{
global->certgen_writeall = 0;
set_certgendir(global, argv0, optarg);
#ifdef DEBUG_OPTS
log_dbg_printf("WriteGenCertsDir: certgendir=%s, writeall=%u\n",
global->certgendir, global->certgen_writeall);
#endif /* DEBUG_OPTS */
}
void
global_set_certgendir_writeall(global_t *global, const char *argv0,
const char *optarg)
{
global->certgen_writeall = 1;
set_certgendir(global, argv0, optarg);
#ifdef DEBUG_OPTS
log_dbg_printf("WriteAllCertsDir: certgendir=%s, writeall=%u\n",
global->certgendir, global->certgen_writeall);
#endif /* DEBUG_OPTS */
}
void
global_set_user(global_t *global, const char *argv0, const char *optarg)
{
if (!sys_isuser(optarg)) {
fprintf(stderr, "%s: '%s' is not an existing user\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
if (global->dropuser)
free(global->dropuser);
global->dropuser = strdup(optarg);
if (!global->dropuser)
oom_die(argv0);
#ifdef DEBUG_OPTS
log_dbg_printf("User: %s\n", global->dropuser);
#endif /* DEBUG_OPTS */
}
void
global_set_group(global_t *global, const char *argv0, const char *optarg)
{
if (!sys_isgroup(optarg)) {
fprintf(stderr, "%s: '%s' is not an existing group\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
if (global->dropgroup)
free(global->dropgroup);
global->dropgroup = strdup(optarg);
if (!global->dropgroup)
oom_die(argv0);
#ifdef DEBUG_OPTS
log_dbg_printf("Group: %s\n", global->dropgroup);
#endif /* DEBUG_OPTS */
}
void
global_set_jaildir(global_t *global, const char *argv0, const char *optarg)
{
if (!sys_isdir(optarg)) {
fprintf(stderr, "%s: '%s' is not a directory\n", argv0, optarg);
exit(EXIT_FAILURE);
}
if (global->jaildir)
free(global->jaildir);
global->jaildir = realpath(optarg, NULL);
if (!global->jaildir) {
fprintf(stderr, "%s: Failed to realpath '%s': %s (%i)\n",
argv0, optarg, strerror(errno), errno);
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("Chroot: %s\n", global->jaildir);
#endif /* DEBUG_OPTS */
}
void
global_set_pidfile(global_t *global, const char *argv0, const char *optarg)
{
if (global->pidfile)
free(global->pidfile);
global->pidfile = strdup(optarg);
if (!global->pidfile)
oom_die(argv0);
#ifdef DEBUG_OPTS
log_dbg_printf("PidFile: %s\n", global->pidfile);
#endif /* DEBUG_OPTS */
}
void
global_set_connectlog(global_t *global, const char *argv0, const char *optarg)
{
if (global->connectlog)
free(global->connectlog);
if (!(global->connectlog = sys_realdir(optarg))) {
if (errno == ENOENT) {
fprintf(stderr, "Directory part of '%s' does not "
"exist\n", optarg);
exit(EXIT_FAILURE);
} else {
fprintf(stderr, "Failed to realpath '%s': %s (%i)\n",
optarg, strerror(errno), errno);
oom_die(argv0);
}
}
#ifdef DEBUG_OPTS
log_dbg_printf("ConnectLog: %s\n", global->connectlog);
#endif /* DEBUG_OPTS */
}
void
global_set_contentlog(global_t *global, const char *argv0, const char *optarg)
{
if (global->contentlog)
free(global->contentlog);
if (!(global->contentlog = sys_realdir(optarg))) {
if (errno == ENOENT) {
fprintf(stderr, "Directory part of '%s' does not "
"exist\n", optarg);
exit(EXIT_FAILURE);
} else {
fprintf(stderr, "Failed to realpath '%s': %s (%i)\n",
optarg, strerror(errno), errno);
oom_die(argv0);
}
}
global->contentlog_isdir = 0;
global->contentlog_isspec = 0;
#ifdef DEBUG_OPTS
log_dbg_printf("ContentLog: %s\n", global->contentlog);
#endif /* DEBUG_OPTS */
}
void
global_set_contentlogdir(global_t *global, const char *argv0, const char *optarg)
{
if (!sys_isdir(optarg)) {
fprintf(stderr, "%s: '%s' is not a directory\n", argv0, optarg);
exit(EXIT_FAILURE);
}
if (global->contentlog)
free(global->contentlog);
global->contentlog = realpath(optarg, NULL);
if (!global->contentlog) {
fprintf(stderr, "%s: Failed to realpath '%s': %s (%i)\n",
argv0, optarg, strerror(errno), errno);
exit(EXIT_FAILURE);
}
global->contentlog_isdir = 1;
global->contentlog_isspec = 0;
#ifdef DEBUG_OPTS
log_dbg_printf("ContentLogDir: %s\n", global->contentlog);
#endif /* DEBUG_OPTS */
}
static void
global_set_logbasedir(const char *argv0, const char *optarg,
char **basedir, char **log)
{
char *lhs, *rhs, *p, *q;
size_t n;
if (*basedir)
free(*basedir);
if (*log)
free(*log);
if (log_content_split_pathspec(optarg, &lhs, &rhs) == -1) {
fprintf(stderr, "%s: Failed to split '%s' in lhs/rhs:"
" %s (%i)\n", argv0, optarg,
strerror(errno), errno);
exit(EXIT_FAILURE);
}
/* eliminate %% from lhs */
for (p = q = lhs; *p; p++, q++) {
if (q < p)
*q = *p;
if (*p == '%' && *(p+1) == '%')
p++;
}
*q = '\0';
/* all %% in lhs resolved to % */
if (sys_mkpath(lhs, 0777) == -1) {
fprintf(stderr, "%s: Failed to create '%s': %s (%i)\n",
argv0, lhs, strerror(errno), errno);
exit(EXIT_FAILURE);
}
*basedir = realpath(lhs, NULL);
if (!*basedir) {
fprintf(stderr, "%s: Failed to realpath '%s': %s (%i)\n",
argv0, lhs, strerror(errno), errno);
exit(EXIT_FAILURE);
}
/* count '%' in basedir */
for (n = 0, p = *basedir;
*p;
p++) {
if (*p == '%')
n++;
}
free(lhs);
n += strlen(*basedir);
if (!(lhs = malloc(n + 1)))
oom_die(argv0);
/* re-encoding % to %%, copying basedir to lhs */
for (p = *basedir, q = lhs;
*p;
p++, q++) {
*q = *p;
if (*q == '%')
*(++q) = '%';
}
*q = '\0';
/* lhs contains encoded realpathed basedir */
if (asprintf(log, "%s/%s", lhs, rhs) < 0)
oom_die(argv0);
free(lhs);
free(rhs);
}
void
global_set_contentlogpathspec(global_t *global, const char *argv0, const char *optarg)
{
global_set_logbasedir(argv0, optarg, &global->contentlog_basedir,
&global->contentlog);
global->contentlog_isdir = 0;
global->contentlog_isspec = 1;
#ifdef DEBUG_OPTS
log_dbg_printf("ContentLogPathSpec: basedir=%s, %s\n",
global->contentlog_basedir, global->contentlog);
#endif /* DEBUG_OPTS */
}
#ifdef HAVE_LOCAL_PROCINFO
void
global_set_lprocinfo(global_t *global)
{
global->lprocinfo = 1;
}
void
global_unset_lprocinfo(global_t *global)
{
global->lprocinfo = 0;
}
#endif /* HAVE_LOCAL_PROCINFO */
void
global_set_masterkeylog(global_t *global, const char *argv0, const char *optarg)
{
if (global->masterkeylog)
free(global->masterkeylog);
if (!(global->masterkeylog = sys_realdir(optarg))) {
if (errno == ENOENT) {
fprintf(stderr, "Directory part of '%s' does not "
"exist\n", optarg);
exit(EXIT_FAILURE);
} else {
fprintf(stderr, "Failed to realpath '%s': %s (%i)\n",
optarg, strerror(errno), errno);
oom_die(argv0);
}
}
#ifdef DEBUG_OPTS
log_dbg_printf("MasterKeyLog: %s\n", global->masterkeylog);
#endif /* DEBUG_OPTS */
}
void
global_set_pcaplog(global_t *global, const char *argv0, const char *optarg)
{
if (global->pcaplog)
free(global->pcaplog);
if (!(global->pcaplog = sys_realdir(optarg))) {
if (errno == ENOENT) {
fprintf(stderr, "Directory part of '%s' does not "
"exist\n", optarg);
exit(EXIT_FAILURE);
} else {
fprintf(stderr, "Failed to realpath '%s': %s (%i)\n",
optarg, strerror(errno), errno);
oom_die(argv0);
}
}
global->pcaplog_isdir = 0;
global->pcaplog_isspec = 0;
#ifdef DEBUG_OPTS
log_dbg_printf("PcapLog: %s\n", global->pcaplog);
#endif /* DEBUG_OPTS */
}
void
global_set_pcaplogdir(global_t *global, const char *argv0, const char *optarg)
{
if (!sys_isdir(optarg)) {
fprintf(stderr, "%s: '%s' is not a directory\n", argv0, optarg);
exit(EXIT_FAILURE);
}
if (global->pcaplog)
free(global->pcaplog);
global->pcaplog = realpath(optarg, NULL);
if (!global->pcaplog) {
fprintf(stderr, "%s: Failed to realpath '%s': %s (%i)\n",
argv0, optarg, strerror(errno), errno);
exit(EXIT_FAILURE);
}
global->pcaplog_isdir = 1;
global->pcaplog_isspec = 0;
#ifdef DEBUG_OPTS
log_dbg_printf("PcapLogDir: %s\n", global->pcaplog);
#endif /* DEBUG_OPTS */
}
void
global_set_pcaplogpathspec(global_t *global, const char *argv0, const char *optarg)
{
global_set_logbasedir(argv0, optarg, &global->pcaplog_basedir,
&global->pcaplog);
global->pcaplog_isdir = 0;
global->pcaplog_isspec = 1;
#ifdef DEBUG_OPTS
log_dbg_printf("PcapLogPathSpec: basedir=%s, %s\n",
global->pcaplog_basedir, global->pcaplog);
#endif /* DEBUG_OPTS */
}
#ifndef WITHOUT_MIRROR
void
global_set_mirrorif(global_t *global, const char *argv0, const char *optarg)
{
if (global->mirrorif)
free(global->mirrorif);
global->mirrorif = strdup(optarg);
if (!global->mirrorif)
oom_die(argv0);
#ifdef DEBUG_OPTS
log_dbg_printf("MirrorIf: %s\n", global->mirrorif);
#endif /* DEBUG_OPTS */
}
void
global_set_mirrortarget(global_t *global, const char *argv0, const char *optarg)
{
if (global->mirrortarget)
free(global->mirrortarget);
global->mirrortarget = strdup(optarg);
if (!global->mirrortarget)
oom_die(argv0);
#ifdef DEBUG_OPTS
log_dbg_printf("MirrorTarget: %s\n", global->mirrortarget);
#endif /* DEBUG_OPTS */
}
#endif /* !WITHOUT_MIRROR */
void
global_set_daemon(global_t *global)
{
global->detach = 1;
}
void
global_unset_daemon(global_t *global)
{
global->detach = 0;
}
void
global_set_debug(global_t *global)
{
log_dbg_mode(LOG_DBG_MODE_ERRLOG);
global->debug = 1;
}
void
global_unset_debug(global_t *global)
{
log_dbg_mode(LOG_DBG_MODE_NONE);
global->debug = 0;
}
void
global_set_debug_level(const char *optarg)
{
// Compare strlen(s2)+1 chars to match exactly
if (strncmp(optarg, "2", 2) == 0) {
log_dbg_mode(LOG_DBG_MODE_FINE);
} else if (strncmp(optarg, "3", 2) == 0) {
log_dbg_mode(LOG_DBG_MODE_FINER);
} else if (strncmp(optarg, "4", 2) == 0) {
log_dbg_mode(LOG_DBG_MODE_FINEST);
} else {
fprintf(stderr, "Invalid DebugLevel '%s', use 2-4\n", optarg);
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("DebugLevel: %s\n", optarg);
#endif /* DEBUG_OPTS */
}
void
global_set_statslog(global_t *global)
{
global->statslog = 1;
}
void
global_unset_statslog(global_t *global)
{
global->statslog = 0;
}
static void
global_set_userdb_path(global_t *global, const char *optarg)
{
if (global->userdb_path)
free(global->userdb_path);
global->userdb_path = strdup(optarg);
#ifdef DEBUG_OPTS
log_dbg_printf("UserDBPath: %s\n", global->userdb_path);
#endif /* DEBUG_OPTS */
}
int
check_value_yesno(const char *value, const char *name, int line_num)
{
/* Compare strlen(s2)+1 chars to match exactly */
if (!strncmp(value, "yes", 4)) {
return 1;
} else if (!strncmp(value, "no", 3)) {
return 0;
}
fprintf(stderr, "Error in conf: Invalid '%s' value '%s' on line %d, use yes|no\n", name, value, line_num);
return -1;
}
/*
* global_opt param is used to save certain global opts, so that we can use
* them cloning global opts while creating proxyspecs
*/
static int
set_option(opts_t *opts, const char *argv0,
const char *name, char *value, char **natengine, int line_num, int global_opt)
{
int yes;
int retval = -1;
if (!value) {
fprintf(stderr, "Error in conf: No value assigned for %s on line %d\n", name, line_num);
goto leave;
}
/* Compare strlen(s2)+1 chars to match exactly */
if (!strncmp(name, "CACert", 7)) {
if (global_opt)
opts->global->cacrt_str = strdup(value);
opts_set_cacrt(opts, argv0, value);
} else if (!strncmp(name, "CAKey", 6)) {
if (global_opt)
opts->global->cakey_str = strdup(value);
opts_set_cakey(opts, argv0, value);
} else if (!strncmp(name, "ClientCert", 11)) {
if (global_opt)
opts->global->clientcrt_str = strdup(value);
opts_set_clientcrt(opts, argv0, value);
} else if (!strncmp(name, "ClientKey", 10)) {
if (global_opt)
opts->global->clientkey_str = strdup(value);
opts_set_clientkey(opts, argv0, value);
} else if (!strncmp(name, "CAChain", 8)) {
if (global_opt)
opts->global->chain_str = strdup(value);
opts_set_chain(opts, argv0, value);
} else if (!strncmp(name, "CRL", 4)) {
if (global_opt)
opts->global->crl_str = strdup(value);
opts_set_crl(opts, value);
} else if (!strncmp(name, "DenyOCSP", 9)) {
yes = check_value_yesno(value, "DenyOCSP", line_num);
if (yes == -1) {
goto leave;
}
yes ? opts_set_deny_ocsp(opts) : opts_unset_deny_ocsp(opts);
#ifdef DEBUG_OPTS
log_dbg_printf("DenyOCSP: %u\n", opts->deny_ocsp);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "Passthrough", 12)) {
yes = check_value_yesno(value, "Passthrough", line_num);
if (yes == -1) {
goto leave;
}
yes ? opts_set_passthrough(opts) : opts_unset_passthrough(opts);
#ifdef DEBUG_OPTS
log_dbg_printf("Passthrough: %u\n", opts->passthrough);
#endif /* DEBUG_OPTS */
#ifndef OPENSSL_NO_DH
} else if (!strncmp(name, "DHGroupParams", 14)) {
if (global_opt)
opts->global->dh_str = strdup(value);
opts_set_dh(opts, argv0, value);
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
} else if (!strncmp(name, "ECDHCurve", 10)) {
opts_set_ecdhcurve(opts, argv0, value);
#endif /* !OPENSSL_NO_ECDH */
#ifdef SSL_OP_NO_COMPRESSION
} else if (!strncmp(name, "SSLCompression", 15)) {
yes = check_value_yesno(value, "SSLCompression", line_num);
if (yes == -1) {
goto leave;
}
yes ? opts_set_sslcomp(opts) : opts_unset_sslcomp(opts);
#ifdef DEBUG_OPTS
log_dbg_printf("SSLCompression: %u\n", opts->sslcomp);
#endif /* DEBUG_OPTS */
#endif /* SSL_OP_NO_COMPRESSION */
} else if (!strncmp(name, "ForceSSLProto", 14)) {
opts_force_proto(opts, argv0, value);
} else if (!strncmp(name, "DisableSSLProto", 16)) {
opts_disable_proto(opts, argv0, value);
} else if (!strncmp(name, "MinSSLProto", 12)) {
opts_set_min_proto(opts, argv0, value);
} else if (!strncmp(name, "MaxSSLProto", 12)) {
opts_set_max_proto(opts, argv0, value);
} else if (!strncmp(name, "Ciphers", 8)) {
opts_set_ciphers(opts, argv0, value);
} else if (!strncmp(name, "NATEngine", 10)) {
if (*natengine)
free(*natengine);
*natengine = strdup(value);
if (!*natengine)
goto leave;
#ifdef DEBUG_OPTS
log_dbg_printf("NATEngine: %s\n", *natengine);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "UserAuth", 9)) {
yes = check_value_yesno(value, "UserAuth", line_num);
if (yes == -1) {
goto leave;
}
yes ? opts_set_user_auth(opts) : opts_unset_user_auth(opts);
#ifdef DEBUG_OPTS
log_dbg_printf("UserAuth: %u\n", opts->user_auth);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "UserAuthURL", 12)) {
opts_set_user_auth_url(opts, value);
} else if (!strncmp(name, "UserTimeout", 12)) {
unsigned int i = atoi(value);
if (i <= 86400) {
opts->user_timeout = i;
} else {
fprintf(stderr, "Invalid UserTimeout %s on line %d, use 0-86400\n", value, line_num);
goto leave;
}
#ifdef DEBUG_OPTS
log_dbg_printf("UserTimeout: %u\n", opts->user_timeout);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "ValidateProto", 14)) {
yes = check_value_yesno(value, "ValidateProto", line_num);
if (yes == -1) {
goto leave;
}
yes ? opts_set_validate_proto(opts) : opts_unset_validate_proto(opts);
#ifdef DEBUG_OPTS
log_dbg_printf("ValidateProto: %u\n", opts->validate_proto);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "MaxHTTPHeaderSize", 18)) {
unsigned int i = atoi(value);
if (i >= 1024 && i <= 65536) {
opts->max_http_header_size = i;
} else {
fprintf(stderr, "Invalid MaxHTTPHeaderSize %s on line %d, use 1024-65536\n", value, line_num);
goto leave;
}
#ifdef DEBUG_OPTS
log_dbg_printf("MaxHTTPHeaderSize: %u\n", opts->max_http_header_size);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "VerifyPeer", 11)) {
yes = check_value_yesno(value, "VerifyPeer", line_num);
if (yes == -1) {
goto leave;
}
yes ? opts_set_verify_peer(opts) : opts_unset_verify_peer(opts);
#ifdef DEBUG_OPTS
log_dbg_printf("VerifyPeer: %u\n", opts->verify_peer);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "AllowWrongHost", 15)) {
yes = check_value_yesno(value, "AllowWrongHost", line_num);
if (yes == -1) {
goto leave;
}
yes ? opts_set_allow_wrong_host(opts)
: opts_unset_allow_wrong_host(opts);
#ifdef DEBUG_OPTS
log_dbg_printf("AllowWrongHost: %u\n", opts->allow_wrong_host);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "RemoveHTTPAcceptEncoding", 25)) {
yes = check_value_yesno(value, "RemoveHTTPAcceptEncoding", line_num);
if (yes == -1) {
goto leave;
}
yes ? opts_set_remove_http_accept_encoding(opts) : opts_unset_remove_http_accept_encoding(opts);
#ifdef DEBUG_OPTS
log_dbg_printf("RemoveHTTPAcceptEncoding: %u\n", opts->remove_http_accept_encoding);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "RemoveHTTPReferer", 18)) {
yes = check_value_yesno(value, "RemoveHTTPReferer", line_num);
if (yes == -1) {
goto leave;
}
yes ? opts_set_remove_http_referer(opts) : opts_unset_remove_http_referer(opts);
#ifdef DEBUG_OPTS
log_dbg_printf("RemoveHTTPReferer: %u\n", opts->remove_http_referer);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "PassSite", 9)) {
opts_set_pass_site(opts, value, line_num);
} else {
fprintf(stderr, "Error in conf: Unknown option "
"'%s' on line %d\n", name, line_num);
goto leave;
}
retval = 0;
leave:
return retval;
}
static int
set_proxyspec_option(proxyspec_t *spec, const char *argv0, const char *name, char *value, char **natengine, int line_num)
{
int retval = -1;
/* Compare strlen(s2)+1 chars to match exactly */
if (!strncmp(name, "Proto", 6)) {
proxyspec_set_proto(spec, value);
}
else if (!strncmp(name, "Addr", 5)) {
spec->addr = strdup(value);
}
else if (!strncmp(name, "Port", 5)) {
if (spec->addr) {
proxyspec_set_listen_addr(spec, spec->addr, value, *natengine);
free(spec->addr);
} else {
fprintf(stderr, "ProxySpec Port without Addr on line %d\n", line_num);
exit(EXIT_FAILURE);
}
}
else if (!strncmp(name, "DivertAddr", 11)) {
spec->divert_addr = strdup(value);
}
else if (!strncmp(name, "DivertPort", 11)) {
if (spec->divert_addr) {
proxyspec_set_divert_addr(spec, spec->divert_addr, value);
free(spec->divert_addr);
} else {
proxyspec_set_divert_addr(spec, "127.0.0.1", value);
}
}
else if (!strncmp(name, "ReturnAddr", 11)) {
proxyspec_set_return_addr(spec, value);
}
else if (!strncmp(name, "TargetAddr", 11)) {
spec->target_addr = strdup(value);
}
else if (!strncmp(name, "TargetPort", 11)) {
if (spec->target_addr) {
proxyspec_set_target_addr(spec, spec->target_addr, value);
free(spec->target_addr);
} else {
fprintf(stderr, "ProxySpec TargetPort without TargetAddr on line %d\n", line_num);
exit(EXIT_FAILURE);
}
}
else if (!strncmp(name, "SNIPort", 8)) {
proxyspec_set_sni_port(spec, value);
}
else if (!strncmp(name, "NatEngine", 10)) {
proxyspec_set_natengine(spec, value);
}
else if (!strncmp(name, "}", 2)) {
#ifdef DEBUG_OPTS
log_dbg_printf("ProxySpec } on line %d\n", line_num);
#endif /* DEBUG_OPTS */
retval = 1;
goto leave;
}
else {
retval = set_option(spec->opts, argv0, name, value, natengine, line_num, 0);
goto leave;
}
retval = 0;
leave:
return retval;
}
/*
* Separator param is needed for command line options only.
* Conf file option separator is ' '.
*/
int
get_name_value(char **name, char **value, const char sep, int line_num)
{
char *n, *v, *value_end;
int retval = -1;
/* Skip to the end of option name and terminate it with '\0' */
for (n = *name;; n++) {
/* White spaces possible around separator,
* if the command line option is passed between the quotes */
if (*n == ' ' || *n == '\t' || *n == sep) {
*n = '\0';
n++;
break;
}
if (*n == '\r' || *n == '\n') {
// No value, just name, e.g. "}"
*n = '\0';
*value = NULL;
goto leave2;
}
if (*n == '\0') {
n = NULL;
break;
}
}
/* No option name */
if (n == NULL) {
fprintf(stderr, "Error in option: No option name on line %d\n", line_num);
goto leave;
}
/* White spaces possible before value and around separator,
* if the command line option is passed between the quotes */
while (*n == ' ' || *n == '\t' || *n == sep) {
n++;
}
*value = n;
/* Find end of value and terminate it with '\0'
* Find first occurrence of trailing white space */
value_end = NULL;
for (v = *value;; v++) {
if (*v == '\0') {
break;
}
if (*v == '\r' || *v == '\n') {
*v = '\0';
break;
}
if (*v == ' ' || *v == '\t') {
if (!value_end) {
value_end = v;
}
} else {
value_end = NULL;
}
}
if (value_end) {
*value_end = '\0';
}
leave2:
retval = 0;
leave:
return retval;
}
#define MAX_TOKENS 10
static void
load_proxyspec_line(global_t *global, const char *argv0, char *value, char **natengine)
{
/* Use MAX_TOKENS instead of computing the actual number of tokens in value */
char **argv = malloc(sizeof(char *) * MAX_TOKENS);
char **save_argv = argv;
int argc = 0;
char *p, *last = NULL;
for ((p = strtok_r(value, " ", &last));
p;
(p = strtok_r(NULL, " ", &last))) {
/* Limit max # token */
if (argc < MAX_TOKENS) {
argv[argc++] = p;
} else {
break;
}
}
proxyspec_parse(&argc, &argv, *natengine, global, argv0);
free(save_argv);
}
static int WUNRES
load_proxyspec_struct(global_t *global, const char *argv0, char **natengine, int line_num, FILE *f)
{
int retval = -1;
char *line, *name, *value;
size_t line_len;
line = NULL;
proxyspec_t *spec = NULL;
spec = proxyspec_new(global, argv0);
spec->next = global->spec;
global->spec = spec;
// Set the default return addr
proxyspec_set_return_addr(spec, "127.0.0.1");
while (!feof(f)) {
if (getline(&line, &line_len, f) == -1) {
break;
}
if (line == NULL) {
fprintf(stderr, "Error in conf file: getline() returns NULL line after line %d\n", line_num);
goto leave;
}
line_num++;
/* Skip white space */
for (name = line; *name == ' ' || *name == '\t'; name++);
/* Skip comments and empty lines */
if ((name[0] == '\0') || (name[0] == '#') || (name[0] == ';') ||
(name[0] == '\r') || (name[0] == '\n')) {
continue;
}
retval = get_name_value(&name, &value, ' ', line_num);
if (retval == 0) {
retval = set_proxyspec_option(spec, argv0, name, value, natengine, line_num);
}
if (retval == -1) {
goto leave;
} else if (retval == 1) {
break;
}
}
retval = 0;
leave:
return retval;
}
static void
global_set_open_files_limit(const char *value, int line_num)
{
unsigned int i = atoi(value);
if (i >= 50 && i <= 10000) {
struct rlimit rl;
rl.rlim_cur = i;
rl.rlim_max = i;
if (setrlimit(RLIMIT_NOFILE, &rl) == -1) {
fprintf(stderr, "Failed setting OpenFilesLimit\n");
if (errno) {
fprintf(stderr, "%s\n", strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
} else {
fprintf(stderr, "Invalid OpenFilesLimit %s on line %d, use 50-10000\n", value, line_num);
exit(EXIT_FAILURE);
}
#ifdef DEBUG_OPTS
log_dbg_printf("OpenFilesLimit: %u\n", i);
#endif /* DEBUG_OPTS */
}
static int
set_global_option(global_t *global, const char *argv0,
const char *name, char *value, char **natengine, int line_num, FILE *f)
{
int yes;
int retval = -1;
if (!value) {
fprintf(stderr, "Error in conf: No value assigned for %s on line %d\n", name, line_num);
goto leave;
}
/* Compare strlen(s2)+1 chars to match exactly */
if (!strncmp(name, "TargetCertDir", 14)) {
global_set_tgcrtdir(global, argv0, value);
} else if (!strncmp(name, "WriteGenCertsDir", 17)) {
global_set_certgendir_writegencerts(global, argv0, value);
} else if (!strncmp(name, "WriteAllCertsDir", 17)) {
global_set_certgendir_writeall(global, argv0, value);
} else if (!strncmp(name, "User", 5)) {
global_set_user(global, argv0, value);
} else if (!strncmp(name, "Group", 6)) {
global_set_group(global, argv0, value);
} else if (!strncmp(name, "Chroot", 7)) {
global_set_jaildir(global, argv0, value);
} else if (!strncmp(name, "PidFile", 8)) {
global_set_pidfile(global, argv0, value);
} else if (!strncmp(name, "ConnectLog", 11)) {
global_set_connectlog(global, argv0, value);
} else if (!strncmp(name, "ContentLog", 11)) {
global_set_contentlog(global, argv0, value);
} else if (!strncmp(name, "ContentLogDir", 14)) {
global_set_contentlogdir(global, argv0, value);
} else if (!strncmp(name, "ContentLogPathSpec", 19)) {
global_set_contentlogpathspec(global, argv0, value);
#ifdef HAVE_LOCAL_PROCINFO
} else if (!strncmp(name, "LogProcInfo", 11)) {
yes = check_value_yesno(value, "LogProcInfo", line_num);
if (yes == -1) {
goto leave;
}
yes ? global_set_lprocinfo(global) : global_unset_lprocinfo(global);
#ifdef DEBUG_OPTS
log_dbg_printf("LogProcInfo: %u\n", global->lprocinfo);
#endif /* DEBUG_OPTS */
#endif /* HAVE_LOCAL_PROCINFO */
} else if (!strncmp(name, "MasterKeyLog", 13)) {
global_set_masterkeylog(global, argv0, value);
} else if (!strncmp(name, "PcapLog", 8)) {
global_set_pcaplog(global, argv0, value);
} else if (!strncmp(name, "PcapLogDir", 11)) {
global_set_pcaplogdir(global, argv0, value);
} else if (!strncmp(name, "PcapLogPathSpec", 16)) {
global_set_pcaplogpathspec(global, argv0, value);
#ifndef WITHOUT_MIRROR
} else if (!strncmp(name, "MirrorIf", 9)) {
global_set_mirrorif(global, argv0, value);
} else if (!strncmp(name, "MirrorTarget", 13)) {
global_set_mirrortarget(global, argv0, value);
#endif /* !WITHOUT_MIRROR */
} else if (!strncmp(name, "Daemon", 7)) {
yes = check_value_yesno(value, "Daemon", line_num);
if (yes == -1) {
goto leave;
}
yes ? global_set_daemon(global) : global_unset_daemon(global);
#ifdef DEBUG_OPTS
log_dbg_printf("Daemon: %u\n", global->detach);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "Debug", 6)) {
yes = check_value_yesno(value, "Debug", line_num);
if (yes == -1) {
goto leave;
}
yes ? global_set_debug(global) : global_unset_debug(global);
#ifdef DEBUG_OPTS
log_dbg_printf("Debug: %u\n", global->debug);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "DebugLevel", 11)) {
global_set_debug_level(value);
} else if (!strncmp(name, "UserDBPath", 11)) {
global_set_userdb_path(global, value);
} else if (!strncmp(name, "ProxySpec", 10)) {
if (!strncmp(value, "{", 2)) {
#ifdef DEBUG_OPTS
log_dbg_printf("ProxySpec { on line %d\n", line_num);
#endif /* DEBUG_OPTS */
if (load_proxyspec_struct(global, argv0, natengine, line_num, f) == -1) {
goto leave;
}
} else {
load_proxyspec_line(global, argv0, value, natengine);
}
} else if (!strncmp(name, "ConnIdleTimeout", 16)) {
unsigned int i = atoi(value);
if (i >= 10 && i <= 3600) {
global->conn_idle_timeout = i;
} else {
fprintf(stderr, "Invalid ConnIdleTimeout %s on line %d, use 10-3600\n", value, line_num);
goto leave;
}
#ifdef DEBUG_OPTS
log_dbg_printf("ConnIdleTimeout: %u\n", global->conn_idle_timeout);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "ExpiredConnCheckPeriod", 23)) {
unsigned int i = atoi(value);
if (i >= 10 && i <= 60) {
global->expired_conn_check_period = i;
} else {
fprintf(stderr, "Invalid ExpiredConnCheckPeriod %s on line %d, use 10-60\n", value, line_num);
goto leave;
}
#ifdef DEBUG_OPTS
log_dbg_printf("ExpiredConnCheckPeriod: %u\n", global->expired_conn_check_period);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "SSLShutdownRetryDelay", 22)) {
unsigned int i = atoi(value);
if (i >= 100 && i <= 10000) {
global->ssl_shutdown_retry_delay = i;
} else {
fprintf(stderr, "Invalid SSLShutdownRetryDelay %s on line %d, use 100-10000\n", value, line_num);
goto leave;
}
#ifdef DEBUG_OPTS
log_dbg_printf("SSLShutdownRetryDelay: %u\n", global->ssl_shutdown_retry_delay);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "LogStats", 9)) {
yes = check_value_yesno(value, "LogStats", line_num);
if (yes == -1) {
goto leave;
}
yes ? global_set_statslog(global) : global_unset_statslog(global);
#ifdef DEBUG_OPTS
log_dbg_printf("LogStats: %u\n", global->statslog);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "StatsPeriod", 12)) {
unsigned int i = atoi(value);
if (i >= 1 && i <= 10) {
global->stats_period = i;
} else {
fprintf(stderr, "Invalid StatsPeriod %s on line %d, use 1-10\n", value, line_num);
goto leave;
}
#ifdef DEBUG_OPTS
log_dbg_printf("StatsPeriod: %u\n", global->stats_period);
#endif /* DEBUG_OPTS */
} else if (!strncmp(name, "OpenFilesLimit", 15)) {
global_set_open_files_limit(value, line_num);
} else if (!strncmp(name, "LeafCerts", 10)) {
global_set_key(global, argv0, value);
} else if (!strncmp(name, "LeafKeyRSABits", 15)) {
unsigned int i = atoi(value);
if (i == 1024 || i == 2048 || i == 3072 || i == 4096) {
global->leafkey_rsabits = i;
} else {
fprintf(stderr, "Invalid LeafKeyRSABits %s on line %d, use 1024|2048|3072|4096\n", value, line_num);
goto leave;
}
#ifdef DEBUG_OPTS
log_dbg_printf("LeafKeyRSABits: %u\n", global->leafkey_rsabits);
#endif /* DEBUG_OPTS */
#ifndef OPENSSL_NO_ENGINE
} else if (!strncmp(name, "OpenSSLEngine", 14)) {
global_set_openssl_engine(global, argv0, value);
#endif /* !OPENSSL_NO_ENGINE */
} else {
retval = set_option(global->opts, argv0, name, value, natengine, line_num, 1);
goto leave;
}
retval = 0;
leave:
return retval;
}
int
global_set_option(global_t *global, const char *argv0, const char *optarg,
char **natengine)
{
char *name, *value;
int retval = -1;
char *line = strdup(optarg);
/* White spaces possible before option name,
* if the command line option is passed between the quotes */
for (name = line; *name == ' ' || *name == '\t'; name++);
/* Command line option separator is '=' */
retval = get_name_value(&name, &value, '=', 0);
if (retval == 0) {
/* Line number param is for conf file, pass 0 for command line options */
retval = set_global_option(global, argv0, name, value, natengine, 0, NULL);
}
if (line) {
free(line);
}
return retval;
}
int
global_load_conffile(global_t *global, const char *argv0, char **natengine)
{
int retval, line_num;
char *line, *name, *value;
size_t line_len;
FILE *f;
f = fopen(global->conffile, "r");
if (!f) {
fprintf(stderr, "Error opening conf file '%s': %s\n", global->conffile, strerror(errno));
return -1;
}
line = NULL;
line_num = 0;
retval = -1;
while (!feof(f)) {
if (getline(&line, &line_len, f) == -1) {
break;
}
if (line == NULL) {
fprintf(stderr, "Error in conf file: getline() returns NULL line after line %d\n", line_num);
goto leave;
}
line_num++;
/* Skip white space */
for (name = line; *name == ' ' || *name == '\t'; name++);
/* Skip comments and empty lines */
if ((name[0] == '\0') || (name[0] == '#') || (name[0] == ';') ||
(name[0] == '\r') || (name[0] == '\n')) {
continue;
}
retval = get_name_value(&name, &value, ' ', line_num);
if (retval == 0) {
retval = set_global_option(global, argv0, name, value, natengine, line_num, f);
}
if (retval == -1) {
goto leave;
}
}
leave:
fclose(f);
if (line) {
free(line);
}
return retval;
}
/* vim: set noet ft=c: */
Reference in New Issue View Git Blame Copy Permalink