version 1.188, 2017/10/24 17:49:35 |
version 1.189, 2017/11/28 16:59:10 |
|
|
#define BUFSIZE 16384 |
#define BUFSIZE 16384 |
#define DEFAULT_CA_FILE "/etc/ssl/cert.pem" |
#define DEFAULT_CA_FILE "/etc/ssl/cert.pem" |
|
|
#define TLS_ALL (1 << 1) |
#define TLS_NOVERIFY (1 << 1) |
#define TLS_NOVERIFY (1 << 2) |
#define TLS_NONAME (1 << 2) |
#define TLS_NONAME (1 << 3) |
#define TLS_CCERT (1 << 3) |
#define TLS_CCERT (1 << 4) |
#define TLS_MUSTSTAPLE (1 << 4) |
#define TLS_MUSTSTAPLE (1 << 5) |
|
#define TLS_COMPAT (1 << 6) |
|
|
|
/* Command Line Options */ |
/* Command Line Options */ |
int dflag; /* detached, no stdin */ |
int dflag; /* detached, no stdin */ |
|
|
int TLSopt; /* TLS options */ |
int TLSopt; /* TLS options */ |
char *tls_expectname; /* required name in peer cert */ |
char *tls_expectname; /* required name in peer cert */ |
char *tls_expecthash; /* required hash of peer cert */ |
char *tls_expecthash; /* required hash of peer cert */ |
|
char *tls_ciphers; /* TLS ciphers */ |
|
char *tls_protocols; /* TLS protocols */ |
FILE *Zflag; /* file to save peer cert */ |
FILE *Zflag; /* file to save peer cert */ |
|
|
int recvcount, recvlimit; |
int recvcount, recvlimit; |
|
|
int unix_connect(char *); |
int unix_connect(char *); |
int unix_listen(char *); |
int unix_listen(char *); |
void set_common_sockopts(int, int); |
void set_common_sockopts(int, int); |
int map_tos(char *, int *); |
int process_tos_opt(char *, int *); |
int map_tls(char *, int *); |
int process_tls_opt(char *, int *); |
void save_peer_cert(struct tls *_tls_ctx, FILE *_fp); |
void save_peer_cert(struct tls *_tls_ctx, FILE *_fp); |
void report_connect(const struct sockaddr *, socklen_t, char *); |
void report_connect(const struct sockaddr *, socklen_t, char *); |
void report_tls(struct tls *tls_ctx, char * host); |
void report_tls(struct tls *tls_ctx, char * host); |
|
|
char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE]; |
char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE]; |
struct tls_config *tls_cfg = NULL; |
struct tls_config *tls_cfg = NULL; |
struct tls *tls_ctx = NULL; |
struct tls *tls_ctx = NULL; |
|
uint32_t protocols; |
|
|
ret = 1; |
ret = 1; |
socksv = 5; |
socksv = 5; |
|
|
case 'T': |
case 'T': |
errstr = NULL; |
errstr = NULL; |
errno = 0; |
errno = 0; |
if (map_tos(optarg, &Tflag)) |
if (process_tls_opt(optarg, &TLSopt)) |
break; |
break; |
if (map_tls(optarg, &TLSopt)) |
if (process_tos_opt(optarg, &Tflag)) |
break; |
break; |
if (strlen(optarg) > 1 && optarg[0] == '0' && |
if (strlen(optarg) > 1 && optarg[0] == '0' && |
optarg[1] == 'x') |
optarg[1] == 'x') |
|
|
errx(1, "cannot use -c and -F"); |
errx(1, "cannot use -c and -F"); |
if (TLSopt && !usetls) |
if (TLSopt && !usetls) |
errx(1, "you must specify -c to use TLS options"); |
errx(1, "you must specify -c to use TLS options"); |
if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT)) |
|
errx(1, "cannot use -T tlsall and -T tlscompat"); |
|
if (Cflag && !usetls) |
if (Cflag && !usetls) |
errx(1, "you must specify -c to use -C"); |
errx(1, "you must specify -c to use -C"); |
if (Kflag && !usetls) |
if (Kflag && !usetls) |
|
|
errx(1, "%s", tls_config_error(tls_cfg)); |
errx(1, "%s", tls_config_error(tls_cfg)); |
if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1) |
if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1) |
errx(1, "%s", tls_config_error(tls_cfg)); |
errx(1, "%s", tls_config_error(tls_cfg)); |
if (TLSopt & (TLS_ALL|TLS_COMPAT)) { |
if (tls_config_parse_protocols(&protocols, tls_protocols) == -1) |
if (tls_config_set_protocols(tls_cfg, |
errx(1, "invalid TLS protocols `%s'", tls_protocols); |
TLS_PROTOCOLS_ALL) != 0) |
if (tls_config_set_protocols(tls_cfg, protocols) == -1) |
errx(1, "%s", tls_config_error(tls_cfg)); |
errx(1, "%s", tls_config_error(tls_cfg)); |
if (tls_config_set_ciphers(tls_cfg, |
if (tls_config_set_ciphers(tls_cfg, tls_ciphers) == -1) |
(TLSopt & TLS_ALL) ? "all" : "compat") != 0) |
errx(1, "%s", tls_config_error(tls_cfg)); |
errx(1, "%s", tls_config_error(tls_cfg)); |
|
} |
|
if (!lflag && (TLSopt & TLS_CCERT)) |
if (!lflag && (TLSopt & TLS_CCERT)) |
errx(1, "clientcert is only valid with -l"); |
errx(1, "clientcert is only valid with -l"); |
if (TLSopt & TLS_NONAME) |
if (TLSopt & TLS_NONAME) |
|
|
} |
} |
|
|
int |
int |
map_tos(char *s, int *val) |
process_tos_opt(char *s, int *val) |
{ |
{ |
/* DiffServ Codepoints and other TOS mappings */ |
/* DiffServ Codepoints and other TOS mappings */ |
const struct toskeywords { |
const struct toskeywords { |
|
|
} |
} |
|
|
int |
int |
map_tls(char *s, int *val) |
process_tls_opt(char *s, int *flags) |
{ |
{ |
|
size_t len; |
|
char *v; |
|
|
const struct tlskeywords { |
const struct tlskeywords { |
const char *keyword; |
const char *keyword; |
int val; |
int flag; |
|
char **value; |
} *t, tlskeywords[] = { |
} *t, tlskeywords[] = { |
{ "tlsall", TLS_ALL }, |
{ "ciphers", -1, &tls_ciphers }, |
{ "noverify", TLS_NOVERIFY }, |
{ "clientcert", TLS_CCERT, NULL }, |
{ "noname", TLS_NONAME }, |
{ "muststaple", TLS_MUSTSTAPLE, NULL }, |
{ "clientcert", TLS_CCERT}, |
{ "noverify", TLS_NOVERIFY, NULL }, |
{ "muststaple", TLS_MUSTSTAPLE}, |
{ "noname", TLS_NONAME, NULL }, |
{ "tlscompat", TLS_COMPAT }, |
{ "protocols", -1, &tls_protocols }, |
{ NULL, -1 }, |
{ NULL, -1, NULL }, |
}; |
}; |
|
|
|
len = strlen(s); |
|
if ((v = strchr(s, '=')) != NULL) { |
|
len = v - s; |
|
v++; |
|
} |
|
|
for (t = tlskeywords; t->keyword != NULL; t++) { |
for (t = tlskeywords; t->keyword != NULL; t++) { |
if (strcmp(s, t->keyword) == 0) { |
if (strlen(t->keyword) == len && |
*val |= t->val; |
strncmp(s, t->keyword, len) == 0) { |
|
if (t->value != NULL) { |
|
if (v == NULL) |
|
errx(1, "invalid tls value `%s'", s); |
|
*t->value = v; |
|
} else { |
|
*flags |= t->flag; |
|
} |
return 1; |
return 1; |
} |
} |
} |
} |
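Review bot: The new `ciphers=` and `protocols=` keywords store their value into `tls_ciphers`/`tls_protocols` without touching `*flags`, so the existing guard `if (TLSopt && !usetls) errx(1, "you must specify -c to use TLS options");` no longer catches `-T ciphers=...` or `-T protocols=...` given without `-c`; those are now accepted silently and, assuming the libtls configuration is only reached under `usetls`, ignored, whereas the removed `tlsall`/`tlscompat` keywords were rejected. Widening the guard to `if ((TLSopt || tls_ciphers != NULL || tls_protocols != NULL) && !usetls)` restores the old behaviour for the value-taking options. In the same vein, a flag keyword followed by a stray value (`-T noverify=x`) matches on the prefix before `=` and sets the flag while dropping the value; rejecting it with `if (t->value == NULL && v != NULL) errx(1, "invalid tls value `%s'", s);` in the `else` branch keeps the parser strict in both directions. process_tls_opt's body continues past the end of the hunk, so the fall-through return after the loop is not visible here.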