pax_global_header00006660000000000000000000000064126765524510014527gustar00rootroot0000000000000052 comment=38447c815821ae8b6379d8005628ea3c9f94f1ee sslh-v1.18/000077500000000000000000000000001267655245100126175ustar00rootroot00000000000000sslh-v1.18/.gitignore000066400000000000000000000001201267655245100146000ustar00rootroot00000000000000*.swp *.swo *.o cscope.* echosrv sslh-fork sslh-select sslh.8.gz tags version.h sslh-v1.18/COPYING000066400000000000000000000432541267655245100136620ustar00rootroot00000000000000 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. sslh-v1.18/ChangeLog000066400000000000000000000174671267655245100144100ustar00rootroot00000000000000v1.18: 29MAR2016 Added USELIBPCRE to make use of regex engine optional. Added support for RFC4366 SNI and RFC7301 ALPN (Travis Burtrum) Changed connection log to include the name of the probe that triggered. Changed configuration file format: 'probe' field is no longer required, 'name' field can now contain 'tls' or 'regex', with corresponding options (see example.cfg) Added 'log_level' option to each protocol, which allows to turn off generation of log at each connection. Added 'keepalive' option. v1.17: 09MAR2015 Support RFC5952-style IPv6 addresses, e.g. [::]:443. Transparant proxy support for FreeBSD. (Ruben van Staveren) Using -F with no argument will try /etc/sslh/sslh.cfg and then /etc/sslh.cfg as configuration files. (argument to -F can no longer be separated from the option by a space, e.g. must be -Ffoo.cfg) Call setgroups() before setgid() (fixes potential privilege escalation). (Lars Vogdt) Use portable way of getting modified time for OSX support. (Aaron Madlon-Kay) Example configuration for fail2ban. (Every Mouw) v1.16: 11FEB2014 Probes made more resilient, to incoming data containing NULLs. Also made them behave properly when receiving too short packets to probe on the first incoming packet. (Ondrej Kuzník) Libcap support: Keep only CAP_NET_ADMIN if started as root with transparent proxying and dropping priviledges (enable USELIBCAP in Makefile). This avoids having to mess with filesystem capabilities. (Sebastian Schmidt/yath) Fixed bugs related to getpeername that would cause sslh to quit erroneously (getpeername can return actual errors if connections are dropped before getting to getpeername). Set IP_FREEDBIND if available to bind to addresses that don't yet exist. v1.15: 27JUL2013 Added --transparent option for transparent proxying. See README for iptables magic and capability management. Fixed bug in sslh-select: if number of opened file descriptor became bigger than FD_SETSIZE, bad things would happen. Fixed bug in sslh-select: if socket dropped while deferred_data was present, sslh-select would crash. Increased FD_SETSIZE for Cygwin, as the default 64 is too low for even moderate load. v1.14: 21DEC2012 Corrected OpenVPN probe to support pre-shared secret mode (OpenVPN port-sharing code is... wrong). Thanks to Kai Ellinger for help in investigating and testing. Added an actual TLS/SSL probe. Added configurable --on-timeout protocol specification. Added a --anyprot protocol probe (equivalent to what --ssl was). Makefile respects the user's compiler and CFLAG choices (falling back to the current values if undefined), as well as LDFLAGS. (Michael Palimaka) Added "After" and "KillMode" to systemd.sslh.service (Thomas Weißschuh). Added LSB tags to etc.init.d.sslh (Thomas Varis). v1.13: 18MAY2012 Write PID file before dropping privileges. Added --background, which overrides 'foreground' configuration file setting. Added example systemd service file from Archlinux in scripts/ https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh (Sébastien Luttringer) v1.12: 08MAY2012 Added support for configuration file. New protocol probes can be defined using regular expressions that match the first packet sent by the client. sslh now connects timed out connections to the first configured protocol instead of 'ssh' (just make sure ssh is the first defined protocol). sslh now tries protocols in the order in which they are defined (just make sure sslh is the last defined protocol). v1.11: 21APR2012 WARNING: defaults have been removed for --user and --pidfile options, update your start-up scripts! No longer stop sslh when reverse DNS requests fail for logging. Added HTTP probe. No longer create new session if running in foreground. No longer default to changing user to 'nobody'. If --user isn't specified, just run as current user. No longer create PID file by default, it should be explicitely set with --pidfile. No longer log to syslog if in foreground. Logs are instead output to stderr. The four changes above make it straightforward to integrate sslh with systemd, and should help with launchd. v1.10: 27NOV2011 Fixed calls referring to sockaddr length so they work with FreeBSD. Try target addresses in turn until one works if there are several (e.g. "localhost:22" resolves to an IPv6 address and an IPv4 address and sshd does not listen on IPv6). Fixed sslh-fork so killing the head process kills the listener processes. Heavily cleaned up test suite. Added stress test t_load script. Added coverage (requires lcov). Support for XMPP (Arnaud Gendre). Updated README.MacOSX (Aaron Madlon-Kay). v1.9: 02AUG2011 WARNING: This version does not work with FreeBSD and derivatives! WARNING: Options changed, you'll need to update your start-up scripts! Log format changed, you'll need to update log processing scripts! Now supports IPv6 throughout (both on listening and forwarding) Logs now contain IPv6 addresses, local forwarding address, and resolves names (unless --numeric is specified). Introduced long options. Options -l, -s and -o replaced by their long counterparts. Defaults for SSL and SSH options suppressed (it's legitimate to want to use sslh to mux OpenVPN and tinc while not caring about SSH nor SSL). Bind to multiple addresses with multiple -p options. Support for tinc VPN (experimental). Numeric logging option. v1.8: 15JUL2011 Changed log format to make it possible to link connections to subsequent logs from other services. Updated CentOS init.d script (Andre Krajnik). Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not propagated to the child process, so we set up signals after the fork.) (François FRITZ) Added -o "OpenVPN" and OpenVPN probing and support. Added single-threaded, select(2)-based version. Added support for "Bold" SSH clients (clients that speak first) Thanks to Guillaume Ricaud for spotting a regression bug. Added -f "foreground" option. Added test suite. (only tests connexions. No test for libwrap, setsid, setuid and so on) and corresponding 'make test' target. Added README.MacOSX (thanks Aaron Madlon-Kay) Documented use with proxytunnel and corkscrew in README. v1.7: 01FEB2010 Added CentOS init.d script (Andre Krajnik). Fixed default ssl address inconsistancy, now defaults to "localhost:443" and fixed documentation accordingly (pointed by Markus Schalke). Children no longer bind to the listen socket, so parent server can be stopped without killing an active child (pointed by Matthias Buecher). Inetd support (Dima Barsky). v1.6: 25APR2009 Added -V, version option. Install target directory configurable in Makefile Changed syslog prefix in auth.log to "sslh[%pid]" Man page new 'make install' and 'make install-debian' targets PID file now specified using -P command line option Actually fixed zombie generation (the v1.5 patch got lost, doh!) v1.5: 10DEC2008 Fixed zombie generation. Added support scripts (), Makefile. Changed all 'connexions' to 'connections' to please pesky users. Damn users. v1.4: 13JUL2008 Added libwrap support for ssh service (Christian Weinberger) Only SSH is libwraped, not SSL. v1.3: 14MAY2008 Added parsing for local interface to listen on Changed default SSL connection to port 442 (443 doesn't make sense as a default as we're already listening on 443) Syslog incoming connections v1.2: 12MAY2008 Fixed compilation warning for AMD64 (Thx Daniel Lange) v1.1: 21MAY2007 Making sslhc more like a real daemon: * If $PIDFILE is defined, write first PID to it upon startup * Fork at startup (detach from terminal) (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist) * Less memory usage (?) v1.0: Basic functionality: privilege dropping, target hostnames and ports configurable. sslh-v1.18/Makefile000066400000000000000000000057561267655245100142740ustar00rootroot00000000000000# Configuration VERSION=$(shell ./genver.sh -r) ENABLE_REGEX=1 # Enable regex probes USELIBCONFIG=1 # Use libconfig? (necessary to use configuration files) USELIBPCRE= # Use libpcre? (needed for regex on musl) USELIBWRAP?= # Use libwrap? USELIBCAP= # Use libcap? USESYSTEMD= # Make use of systemd socket activation COV_TEST= # Perform test coverage? PREFIX?=/usr BINDIR?=$(PREFIX)/sbin MANDIR?=$(PREFIX)/share/man/man8 MAN=sslh.8.gz # man page name # End of configuration -- the rest should take care of # itself ifneq ($(strip $(COV_TEST)),) CFLAGS_COV=-fprofile-arcs -ftest-coverage endif CC ?= gcc CFLAGS ?=-Wall -g $(CFLAGS_COV) LIBS= OBJS=common.o sslh-main.o probe.o tls.o ifneq ($(strip $(USELIBWRAP)),) LIBS:=$(LIBS) -lwrap CPPFLAGS+=-DLIBWRAP endif ifneq ($(strip $(ENABLE_REGEX)),) CPPFLAGS+=-DENABLE_REGEX endif ifneq ($(strip $(USELIBPCRE)),) CPPFLAGS+=-DLIBPCRE LIBS:=$(LIBS) -lpcre endif ifneq ($(strip $(USELIBCONFIG)),) LIBS:=$(LIBS) -lconfig CPPFLAGS+=-DLIBCONFIG endif ifneq ($(strip $(USELIBCAP)),) LIBS:=$(LIBS) -lcap CPPFLAGS+=-DLIBCAP endif ifneq ($(strip $(USESYSTEMD)),) LIBS:=$(LIBS) -lsystemd CPPFLAGS+=-DSYSTEMD endif all: sslh $(MAN) echosrv .c.o: *.h $(CC) $(CFLAGS) $(CPPFLAGS) -c $< version.h: ./genver.sh >version.h sslh: sslh-fork sslh-select sslh-fork: version.h $(OBJS) sslh-fork.o Makefile common.h $(CC) $(CFLAGS) $(LDFLAGS) -o sslh-fork sslh-fork.o $(OBJS) $(LIBS) #strip sslh-fork sslh-select: version.h $(OBJS) sslh-select.o Makefile common.h $(CC) $(CFLAGS) $(LDFLAGS) -o sslh-select sslh-select.o $(OBJS) $(LIBS) #strip sslh-select systemd-sslh-generator: systemd-sslh-generator.o $(CC) $(CFLAGS) $(LDFLAGS) -o systemd-sslh-generator systemd-sslh-generator.o -lconfig echosrv: $(OBJS) echosrv.o $(CC) $(CFLAGS) $(LDFLAGS) -o echosrv echosrv.o probe.o common.o tls.o $(LIBS) $(MAN): sslh.pod Makefile pod2man --section=8 --release=$(VERSION) --center=" " sslh.pod | gzip -9 - > $(MAN) # Create release: export clean tree and tag current # configuration release: git archive master --prefix="sslh-$(VERSION)/" | gzip > /tmp/sslh-$(VERSION).tar.gz # generic install: install binary and man page install: sslh $(MAN) mkdir -p $(DESTDIR)/$(BINDIR) mkdir -p $(DESTDIR)/$(MANDIR) install -p sslh-fork $(DESTDIR)/$(BINDIR)/sslh install -p -m 0644 $(MAN) $(DESTDIR)/$(MANDIR)/$(MAN) # "extended" install for Debian: install startup script install-debian: install sslh $(MAN) sed -e "s+^PREFIX=+PREFIX=$(PREFIX)+" scripts/etc.init.d.sslh > /etc/init.d/sslh chmod 755 /etc/init.d/sslh update-rc.d sslh defaults uninstall: rm -f $(DESTDIR)$(BINDIR)/sslh $(DESTDIR)$(MANDIR)/$(MAN) $(DESTDIR)/etc/init.d/sslh $(DESTDIR)/etc/default/sslh update-rc.d sslh remove distclean: clean rm -f tags cscope.* clean: rm -f sslh-fork sslh-select echosrv version.h $(MAN) systemd-sslh-generator *.o *.gcov *.gcno *.gcda *.png *.html *.css *.info tags: ctags --globals -T *.[ch] cscope: -find . -name "*.[chS]" >cscope.files -cscope -b -R test: ./t sslh-v1.18/README.MacOSX000066400000000000000000000025051267655245100145720ustar00rootroot00000000000000 sslh is available for Mac OS X via MacPorts. If you have MacPorts installed on your system you can install sslh by executing the following in the Terminal: port install sslh Also, the following is a helpful launchd configuration that covers the most common use case of sslh. Save the following into a text file, e.g. /Library/LaunchDaemons/net.rutschle.sslh.plist, then load it with launchctl or simply reboot. ----BEGIN FILE---- Disabled KeepAlive Label net.rutschle.sslh ProgramArguments /opt/local/sbin/sslh -f -v -u nobody -p 0.0.0.0:443 --ssh localhost:22 --ssl localhost:443 QueueDirectories RunAtLoad StandardErrorPath /Library/Logs/sslh.log StandardOutPath /Library/Logs/sslh.log WatchPaths ----END FILE---- sslh-v1.18/README.md000066400000000000000000000343141267655245100141030ustar00rootroot00000000000000sslh -- A ssl/ssh multiplexer ============================= `sslh` accepts connections on specified ports, and forwards them further based on tests performed on the first data packet sent by the remote client. Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol that can be tested using a regular expression, can be recognised. A typical use case is to allow serving several services on port 443 (e.g. to connect to SSH from inside a corporate firewall, which almost never block port 443) while still serving HTTPS on that port. Hence `sslh` acts as a protocol demultiplexer, or a switchboard. Its name comes from its original function to serve SSH and HTTPS on the same port. Compile and install =================== Dependencies ------------ `sslh` uses [libconfig](http://www.hyperrealm.com/libconfig/) and [libwrap](http://packages.debian.org/source/unstable/tcp-wrappers). For Debian, these are contained in packages `libwrap0-dev` and `libconfig8-dev`. For OpenSUSE, these are contained in packages libconfig9 and libconfig-dev in repository For Fedora, you'll need packages `libconfig` and `libconfig-devel`: yum install libconfig libconfig-devel If you can't find `libconfig`, or just don't want a configuration file, set `USELIBCONFIG=` in the Makefile. Compilation ----------- After this, the Makefile should work: make install There are a couple of configuration options at the beginning of the Makefile: * `USELIBWRAP` compiles support for host access control (see `hosts_access(3)`), you will need `libwrap` headers and library to compile (`libwrap0-dev` in Debian). * `USELIBCONFIG` compiles support for the configuration file. You will need `libconfig` headers to compile (`libconfig8-dev` in Debian). * `USESYSTEMD` compiles support for using systemd socket activation. You will need `systemd` headers to compile (`systemd-devel` in Fedora). Binaries -------- The Makefile produces two different executables: `sslh-fork` and `sslh-select`: * `sslh-fork` forks a new process for each incoming connection. It is well-tested and very reliable, but incurs the overhead of many processes. If you are going to use `sslh` for a "small" setup (less than a dozen ssh connections and a low-traffic https server) then `sslh-fork` is probably more suited for you. * `sslh-select` uses only one thread, which monitors all connections at once. It is more recent and less tested, but only incurs a 16 byte overhead per connection. Also, if it stops, you'll lose all connections, which means you can't upgrade it remotely. If you are going to use `sslh` on a "medium" setup (a few thousand ssh connections, and another few thousand ssl connections), `sslh-select` will be better. If you have a very large site (tens of thousands of connections), you'll need a vapourware version that would use libevent or something like that. Installation ------------ * In general: make cp sslh-fork /usr/local/sbin/sslh cp basic.cfg /etc/sslh.cfg vi /etc/sslh.cfg * For Debian: cp scripts/etc.init.d.sslh /etc/init.d/sslh * For CentOS: cp scripts/etc.rc.d.init.d.sslh.centos /etc/rc.d/init.d/sslh You might need to create links in /etc/rc.d so that the server start automatically at boot-up, e.g. under Debian: update-rc.d sslh defaults Configuration ============= If you use the scripts provided, sslh will get its configuration from /etc/sslh.cfg. Please refer to example.cfg for an overview of all the settings. A good scheme is to use the external name of the machine in `listen`, and bind `httpd` to `localhost:443` (instead of all binding to all interfaces): that way, HTTPS connections coming from inside your network don't need to go through `sslh`, and `sslh` is only there as a frontal for connections coming from the internet. Note that 'external name' in this context refers to the actual IP address of the machine as seen from your network, i.e. that that is not `127.0.0.1` in the output of `ifconfig(8)`. Libwrap support --------------- Sslh can optionnaly perform `libwrap` checks for the sshd service: because the connection to `sshd` will be coming locally from `sslh`, `sshd` cannot determine the IP of the client. OpenVPN support --------------- OpenVPN clients connecting to OpenVPN running with `-port-share` reportedly take more than one second between the time the TCP connexion is established and the time they send the first data packet. This results in `sslh` with default settings timing out and assuming an SSH connexion. To support OpenVPN connexions reliably, it is necessary to increase `sslh`'s timeout to 5 seconds. Instead of using OpenVPN's port sharing, it is more reliable to use `sslh`'s `--openvpn` option to get `sslh` to do the port sharing. Using proxytunnel with sslh --------------------------- If you are connecting through a proxy that checks that the outgoing connection really is SSL and rejects SSH, you can encapsulate all your traffic in SSL using `proxytunnel` (this should work with `corkscrew` as well). On the server side you receive the traffic with `stunnel` to decapsulate SSL, then pipe through `sslh` to switch HTTP on one side and SSL on the other. In that case, you end up with something like this: ssh -> proxytunnel -e ----[ssh/ssl]---> stunnel ---[ssh]---> sslh --> sshd Web browser -------------[http/ssl]---> stunnel ---[http]--> sslh --> httpd Configuration goes like this on the server side, using `stunnel3`: stunnel -f -p mycert.pem -d thelonious:443 -l /usr/local/sbin/sslh -- \ sslh -i --http localhost:80 --ssh localhost:22 * stunnel options: * `-f` for foreground/debugging * `-p` for specifying the key and certificate * `-d` for specifying which interface and port we're listening to for incoming connexions * `-l` summons `sslh` in inetd mode. * sslh options: * `-i` for inetd mode * `--http` to forward HTTP connexions to port 80, and SSH connexions to port 22. Capabilities support -------------------- On Linux (only?), you can compile sslh with `USELIBCAP=1` to make use of POSIX capabilities; this will save the required capabilities needed for transparent proxying for unprivileged processes. Alternatively, you may use filesystem capabilities instead of starting sslh as root and asking it to drop privileges. You will need `CAP_NET_BIND_SERVICE` for listening on port 443 and `CAP_NET_ADMIN` for transparent proxying (see `capabilities(7)`). You can use the `setcap(8)` utility to give these capabilities to the executable: # setcap cap_net_bind_service,cap_net_admin+pe sslh-select Then you can run sslh-select as an unpriviledged user, e.g.: $ sslh-select -p myname:443 --ssh localhost:22 --ssl localhost:443 Caveat: `CAP_NET_ADMIN` does give sslh too many rights, e.g. configuring the interface. If you're not going to use transparent proxying, just don't use it (or use the libcap method). Transparent proxy support ------------------------- On Linux and FreeBSD you can use the `--transparent` option to request transparent proxying. This means services behind `sslh` (Apache, `sshd` and so on) will see the external IP and ports as if the external world connected directly to them. This simplifies IP-based access control (or makes it possible at all). Linux: `sslh` needs extended rights to perform this: you'll need to give it `CAP_NET_ADMIN` capabilities (see appropriate chapter) or run it as root (but don't do that). The firewalling tables also need to be adjusted as follow. The example connects to HTTPS on 4443 -- adapt to your needs ; I don't think it is possible to have `httpd` listen to 443 in this scheme -- let me know if you manage that: # iptables -t mangle -N SSLH # iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH # iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH # iptables -t mangle -A SSLH --jump MARK --set-mark 0x1 # iptables -t mangle -A SSLH --jump ACCEPT # ip rule add fwmark 0x1 lookup 100 # ip route add local 0.0.0.0/0 dev lo table 100 Tranparent proxying with IPv6 is similarly set up as follows: # ip6tables -t mangle -N SSLH # ip6tables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH # ip6tables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH # ip6tables -t mangle -A SSLH --jump MARK --set-mark 0x1 # ip6tables -t mangle -A SSLH --jump ACCEPT # ip -6 rule add fwmark 0x1 lookup 100 # ip -6 route add local ::/0 dev lo table 100 Note that these rules will prevent from connecting directly to ssh on the port 22, as packets coming out of sshd will be tagged. If you need to retain direct access to ssh on port 22 as well as through sslh, you can make sshd listen to 22 AND another port (e.g. 2222), and change the above rules accordingly. FreeBSD: Given you have no firewall defined yet, you can use the following configuration to have ipfw properly redirect traffic back to sslh /etc/rc.conf firewall_enable="YES" firewall_type="open" firewall_logif="YES" firewall_coscripts="/etc/ipfw/sslh.rules" /etc/ipfw/sslh.rules #! /bin/sh # ssl ipfw add 20000 fwd 192.0.2.1,443 log tcp from 192.0.2.1 8443 to any out ipfw add 20010 fwd 2001:db8::1,443 log tcp from 2001:db8::1 8443 to any out # ssh ipfw add 20100 fwd 192.0.2.1,443 log tcp from 192.0.2.1 8022 to any out ipfw add 20110 fwd 2001:db8::1,443 log tcp from 2001:db8::1 8022 to any out # xmpp ipfw add 20200 fwd 192.0.2.1,443 log tcp from 192.0.2.1 5222 to any out ipfw add 20210 fwd 2001:db8::1,443 log tcp from 2001:db8::1 5222 to any out # openvpn (running on other internal system) ipfw add 20300 fwd 192.0.2.1,443 log tcp from 198.51.100.7 1194 to any out ipfw add 20310 fwd 2001:db8::1,443 log tcp from 2001:db8:1::7 1194 to any out General notes: This will only work if `sslh` does not use any loopback addresses (no `127.0.0.1` or `localhost`), you'll need to use explicit IP addresses (or names): sslh --listen 192.168.0.1:443 --ssh 192.168.0.1:22 --ssl 192.168.0.1:4443 This will not work: sslh --listen 192.168.0.1:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:4443 Transparent proxying means the target server sees the real origin address, so it means if the client connects using IPv6, the server must also support IPv6. It is easy to support both IPv4 and IPv6 by configuring the server accordingly, and setting `sslh` to connect to a name that resolves to both IPv4 and IPv6, e.g.: sslh --transparent --listen :443 --ssh insideaddr:22 /etc/hosts: 192.168.0.1 insideaddr 201::::2 insideaddr Upon incoming IPv6 connection, `sslh` will first try to connect to the IPv4 address (which will fail), then connect to the IPv6 address. Systemd Socket Activation ------------------------- If compiled with `USESYSTEMD` then it is possible to activate the service on demand and avoid running any code as root. In this mode any listen configuration options are ignored and the sockets are passed by systemd to the service. Example socket unit: [Unit] Before=sslh.service [Socket] ListenStream=1.2.3.4:443 ListenStream=5.6.7.8:444 ListenStream=9.10.11.12:445 FreeBind=true [Install] WantedBy=sockets.target Example service unit: [Unit] PartOf=sslh.socket [Service] ExecStart=/usr/sbin/sslh -v -f --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 KillMode=process CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETGID CAP_SETUID PrivateTmp=true PrivateDevices=true ProtectSystem=full ProtectHome=true User=sslh With this setup only the socket needs to be enabled. The sslh service will be started on demand and does not need to run as root to bind the sockets as systemd has already bound and passed them over. If the sslh service is started on its own without the sockets being passed by systemd then it will look to use those defined on the command line or config file as usual. Any number of ListenStreams can be defined in the socket file and systemd will pass them all over to sslh to use as usual. To avoid inconsistency between starting via socket and starting directly via the service Requires=sslh.socket can be added to the service unit to mandate the use of the socket configuration. Rather than overwriting the entire socket file drop in values can be placed in /etc/systemd/system/sslh.socket.d/.conf with additional ListenStream values that will be merged. In addition to the above with manual .socket file configuration there is an optional systemd generator which can be compiled - systemd-sslh-generator This parses the /etc/sslh.cfg (or /etc/sslh/sslh.cfg file if that exists instead) configuration file and dynamically generates a socket file to use. This will also merge with any sslh.socket.d drop in configuration but will be overriden by a /etc/systemd/system/sslh.socket file. To use the generator place it in /usr/lib/systemd/system-generators and then call systemctl daemon-reload after any changes to /etc/sslh.cfg to generate the new dynamic socket unit. Transparent proxying means the target server sees the real origin address, so it means if the client connects using IPv6, the server must also support IPv6. It is easy to support both IPv4 and IPv6 by configuring the server accordingly, and setting `sslh` to connect to a name that resolves to both IPv4 and IPv6, e.g.: sslh --transparent --listen :443 --ssh insideaddr:22 /etc/hosts: 192.168.0.1 insideaddr 201::::2 insideaddr Upon incoming IPv6 connection, `sslh` will first try to connect to the IPv4 address (which will fail), then connect to the IPv6 address. Fail2ban -------- If using transparent proxying, just use the standard ssh rules. If you can't or don't want to use transparent proxying, you can set `fail2ban` rules to block repeated ssh connections from a same IP address (obviously this depends on the site, there might be legimite reasons you would get many connections to ssh from the same IP address...) See example files in scripts/fail2ban. Comments? Questions? ==================== You can subscribe to the `sslh` mailing list here: This mailing list should be used for discussion, feature requests, and will be the prefered channel for announcements. sslh-v1.18/TODO000066400000000000000000000017221267655245100133110ustar00rootroot00000000000000Here's a list of features that have been suggested or sometimes requested. This list is not a roadmap and shouldn't be construed to mean that any of this will happen. - configurable behaviour depending on services (e.g. select() for ssl but fork() for ssh). - have certain services available only from specified subnets - some sort of "service knocking" allowing to activate a service upon some external even, similar to port knocking; for example, go to a specific URL to enable sslh forwarding to sshd for a set period of time: * sslh listens on 443 and only directs to httpd * user goes somewhere to https://example.org/open_ssh.cgi * open_ssh.cgi tells sslh * sslh starts checking if incoming connections are ssh, and if they are, forward to sshd * 10 minutes later, sslh stops forwarding to ssh That would make it almost impossible for an observer (someone who'd telnet regularly on 443) to ever notice both services are available on 443. sslh-v1.18/basic.cfg000066400000000000000000000013371267655245100143650ustar00rootroot00000000000000# This is a basic configuration file that should provide # sensible values for "standard" setup. verbose: false; foreground: false; inetd: false; numeric: false; transparent: false; timeout: 2; user: "nobody"; pidfile: "/var/run/sslh.pid"; # Change hostname with your external address name. listen: ( { host: "thelonious"; port: "443"; } ); protocols: ( { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; }, { name: "openvpn"; host: "localhost"; port: "1194"; }, { name: "xmpp"; host: "localhost"; port: "5222"; }, { name: "http"; host: "localhost"; port: "80"; }, { name: "ssl"; host: "localhost"; port: "443"; log_level: 0; }, { name: "anyprot"; host: "localhost"; port: "443"; } ); sslh-v1.18/common.c000066400000000000000000000465321267655245100142650ustar00rootroot00000000000000/* Code and variables that is common to both fork and select-based * servers. * * No code here should assume whether sockets are blocking or not. **/ #define _GNU_SOURCE #include #include #include "common.h" #include "probe.h" /* Added to make the code compilable under CYGWIN * */ #ifndef SA_NOCLDWAIT #define SA_NOCLDWAIT 0 #endif /* Make use of systemd socket activation * */ #ifdef SYSTEMD #include #endif /* * Settings that depend on the command line. They're set in main(), but also * used in other places in common.c, and it'd be heavy-handed to pass it all as * parameters */ int verbose = 0; int probing_timeout = 2; int inetd = 0; int foreground = 0; int background = 0; int transparent = 0; int numeric = 0; const char *user_name, *pid_file; struct addrinfo *addr_listen = NULL; /* what addresses do we listen to? */ #ifdef LIBWRAP #include int allow_severity =0, deny_severity = 0; #endif /* check result and die, printing the offending address and error */ void check_res_dumpdie(int res, struct addrinfo *addr, char* syscall) { char buf[NI_MAXHOST]; if (res == -1) { fprintf(stderr, "%s:%s: %s\n", sprintaddr(buf, sizeof(buf), addr), syscall, strerror(errno)); exit(1); } } int get_fd_sockets(int *sockfd[]) { int sd = 0; #ifdef SYSTEMD sd = sd_listen_fds(0); if (sd < 0) { fprintf(stderr, "sd_listen_fds(): %s\n", strerror(-sd)); exit(1); } if (sd > 0) { *sockfd = malloc(sd * sizeof(*sockfd[0])); for (int i = 0; i < sd; i++) { (*sockfd)[i] = SD_LISTEN_FDS_START + i; } } #endif return sd; } /* Starts listening sockets on specified addresses. * IN: addr[], num_addr * OUT: *sockfd[] pointer to newly-allocated array of file descriptors * Returns number of addresses bound * Bound file descriptors are returned in newly-allocated *sockfd pointer */ int start_listen_sockets(int *sockfd[], struct addrinfo *addr_list) { struct sockaddr_storage *saddr; struct addrinfo *addr; int i, res, one; int num_addr = 0; int sd_socks = 0; sd_socks = get_fd_sockets(sockfd); if (sd_socks > 0) { return sd_socks; } for (addr = addr_list; addr; addr = addr->ai_next) num_addr++; if (verbose) fprintf(stderr, "listening to %d addresses\n", num_addr); *sockfd = malloc(num_addr * sizeof(*sockfd[0])); for (i = 0, addr = addr_list; i < num_addr && addr; i++, addr = addr->ai_next) { if (!addr) { fprintf(stderr, "FATAL: Inconsistent listen number. This should not happen.\n"); exit(1); } saddr = (struct sockaddr_storage*)addr->ai_addr; (*sockfd)[i] = socket(saddr->ss_family, SOCK_STREAM, 0); check_res_dumpdie((*sockfd)[i], addr, "socket"); one = 1; res = setsockopt((*sockfd)[i], SOL_SOCKET, SO_REUSEADDR, (char*)&one, sizeof(one)); check_res_dumpdie(res, addr, "setsockopt(SO_REUSEADDR)"); if (addr->ai_flags & SO_KEEPALIVE) { res = setsockopt((*sockfd)[i], SOL_SOCKET, SO_KEEPALIVE, (char*)&one, sizeof(one)); check_res_dumpdie(res, addr, "setsockopt(SO_KEEPALIVE)"); printf("set up keepalive\n"); } if (IP_FREEBIND) { res = setsockopt((*sockfd)[i], IPPROTO_IP, IP_FREEBIND, (char*)&one, sizeof(one)); check_res_dumpdie(res, addr, "setsockopt(IP_FREEBIND)"); } res = bind((*sockfd)[i], addr->ai_addr, addr->ai_addrlen); check_res_dumpdie(res, addr, "bind"); res = listen ((*sockfd)[i], 50); check_res_dumpdie(res, addr, "listen"); } return num_addr; } /* Transparent proxying: bind the peer address of fd to the peer address of * fd_from */ #define IP_TRANSPARENT 19 int bind_peer(int fd, int fd_from) { struct addrinfo from; struct sockaddr_storage ss; int res, trans = 1; memset(&from, 0, sizeof(from)); from.ai_addr = (struct sockaddr*)&ss; from.ai_addrlen = sizeof(ss); /* getpeername can fail with ENOTCONN if connection was dropped before we * got here */ res = getpeername(fd_from, from.ai_addr, &from.ai_addrlen); CHECK_RES_RETURN(res, "getpeername"); #ifndef IP_BINDANY /* use IP_TRANSPARENT */ res = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &trans, sizeof(trans)); CHECK_RES_DIE(res, "setsockopt"); #else if (from.ai_addr->sa_family==AF_INET) { /* IPv4 */ res = setsockopt(fd, IPPROTO_IP, IP_BINDANY, &trans, sizeof(trans)); CHECK_RES_RETURN(res, "setsockopt IP_BINDANY"); #ifdef IPV6_BINDANY } else { /* IPv6 */ res = setsockopt(fd, IPPROTO_IPV6, IPV6_BINDANY, &trans, sizeof(trans)); CHECK_RES_RETURN(res, "setsockopt IPV6_BINDANY"); #endif /* IPV6_BINDANY */ } #endif /* IP_TRANSPARENT / IP_BINDANY */ res = bind(fd, from.ai_addr, from.ai_addrlen); CHECK_RES_RETURN(res, "bind"); return 0; } /* Connect to first address that works and returns a file descriptor, or -1 if * none work. * If transparent proxying is on, use fd_from peer address on external address * of new file descriptor. */ int connect_addr(struct connection *cnx, int fd_from) { struct addrinfo *a, from; struct sockaddr_storage ss; char buf[NI_MAXHOST]; int fd, res, one; memset(&from, 0, sizeof(from)); from.ai_addr = (struct sockaddr*)&ss; from.ai_addrlen = sizeof(ss); res = getpeername(fd_from, from.ai_addr, &from.ai_addrlen); CHECK_RES_RETURN(res, "getpeername"); for (a = cnx->proto->saddr; a; a = a->ai_next) { /* When transparent, make sure both connections use the same address family */ if (transparent && a->ai_family != from.ai_addr->sa_family) continue; if (verbose) fprintf(stderr, "connecting to %s family %d len %d\n", sprintaddr(buf, sizeof(buf), a), a->ai_addr->sa_family, a->ai_addrlen); /* XXX Needs to match ai_family from fd_from when being transparent! */ fd = socket(a->ai_family, SOCK_STREAM, 0); if (fd == -1) { log_message(LOG_ERR, "forward to %s failed:socket: %s\n", cnx->proto->description, strerror(errno)); } else { if (transparent) { res = bind_peer(fd, fd_from); CHECK_RES_RETURN(res, "bind_peer"); } res = connect(fd, a->ai_addr, a->ai_addrlen); if (res == -1) { log_message(LOG_ERR, "forward to %s failed:connect: %s\n", cnx->proto->description, strerror(errno)); close(fd); } else { if (cnx->proto->keepalive) { one = 1; res = setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (char*)&one, sizeof(one)); CHECK_RES_RETURN(res, "setsockopt(SO_KEEPALIVE)"); printf("set up keepalive\n"); } return fd; } } } return -1; } /* Store some data to write to the queue later */ int defer_write(struct queue *q, void* data, int data_size) { char *p; if (verbose) fprintf(stderr, "**** writing deferred on fd %d\n", q->fd); p = realloc(q->begin_deferred_data, q->deferred_data_size + data_size); if (!p) { perror("realloc"); exit(1); } q->deferred_data = q->begin_deferred_data = p; p += q->deferred_data_size; q->deferred_data_size += data_size; memcpy(p, data, data_size); return 0; } /* tries to flush some of the data for specified queue * Upon success, the number of bytes written is returned. * Upon failure, -1 returned (e.g. connexion closed) * */ int flush_deferred(struct queue *q) { int n; if (verbose) fprintf(stderr, "flushing deferred data to fd %d\n", q->fd); n = write(q->fd, q->deferred_data, q->deferred_data_size); if (n == -1) return n; if (n == q->deferred_data_size) { /* All has been written -- release the memory */ free(q->begin_deferred_data); q->begin_deferred_data = NULL; q->deferred_data = NULL; q->deferred_data_size = 0; } else { /* There is data left */ q->deferred_data += n; q->deferred_data_size -= n; } return n; } void init_cnx(struct connection *cnx) { memset(cnx, 0, sizeof(*cnx)); cnx->q[0].fd = -1; cnx->q[1].fd = -1; cnx->proto = get_first_protocol(); } void dump_connection(struct connection *cnx) { printf("state: %d\n", cnx->state); printf("fd %d, %d deferred\n", cnx->q[0].fd, cnx->q[0].deferred_data_size); printf("fd %d, %d deferred\n", cnx->q[1].fd, cnx->q[1].deferred_data_size); } /* * moves data from one fd to other * * returns number of bytes copied if success * returns 0 (FD_CNXCLOSED) if incoming socket closed * returns FD_NODATA if no data was available * returns FD_STALLED if data was read, could not be written, and has been * stored in temporary buffer. */ int fd2fd(struct queue *target_q, struct queue *from_q) { char buffer[BUFSIZ]; int target, from, size_r, size_w; target = target_q->fd; from = from_q->fd; size_r = read(from, buffer, sizeof(buffer)); if (size_r == -1) { switch (errno) { case EAGAIN: if (verbose) fprintf(stderr, "reading 0 from %d\n", from); return FD_NODATA; case ECONNRESET: case EPIPE: return FD_CNXCLOSED; } } CHECK_RES_RETURN(size_r, "read"); if (size_r == 0) return FD_CNXCLOSED; size_w = write(target, buffer, size_r); /* process -1 when we know how to deal with it */ if (size_w == -1) { switch (errno) { case EAGAIN: /* write blocked: Defer data */ defer_write(target_q, buffer, size_r); return FD_STALLED; case ECONNRESET: case EPIPE: /* remove end closed -- drop the connection */ return FD_CNXCLOSED; } } else if (size_w < size_r) { /* incomplete write -- defer the rest of the data */ defer_write(target_q, buffer + size_w, size_r - size_w); return FD_STALLED; } CHECK_RES_RETURN(size_w, "write"); return size_w; } /* returns a string that prints the IP and port of the sockaddr */ char* sprintaddr(char* buf, size_t size, struct addrinfo *a) { char host[NI_MAXHOST], serv[NI_MAXSERV]; int res; res = getnameinfo(a->ai_addr, a->ai_addrlen, host, sizeof(host), serv, sizeof(serv), numeric ? NI_NUMERICHOST | NI_NUMERICSERV : 0 ); if (res) { log_message(LOG_ERR, "sprintaddr:getnameinfo: %s\n", gai_strerror(res)); /* Name resolution failed: do it numerically instead */ res = getnameinfo(a->ai_addr, a->ai_addrlen, host, sizeof(host), serv, sizeof(serv), NI_NUMERICHOST | NI_NUMERICSERV); /* should not fail but... */ if (res) { log_message(LOG_ERR, "sprintaddr:getnameinfo(NUM): %s\n", gai_strerror(res)); strcpy(host, "?"); strcpy(serv, "?"); } } snprintf(buf, size, "%s:%s", host, serv); return buf; } /* Turns a hostname and port (or service) into a list of struct addrinfo * returns 0 on success, -1 otherwise and logs error **/ int resolve_split_name(struct addrinfo **out, const char* host, const char* serv) { struct addrinfo hint; int res; memset(&hint, 0, sizeof(hint)); hint.ai_family = PF_UNSPEC; hint.ai_socktype = SOCK_STREAM; res = getaddrinfo(host, serv, &hint, out); if (res) log_message(LOG_ERR, "%s `%s:%s'\n", gai_strerror(res), host, serv); return res; } /* turns a "hostname:port" string into a list of struct addrinfo; out: list of newly allocated addrinfo (see getaddrinfo(3)); freeaddrinfo(3) when done fullname: input string -- it gets clobbered */ void resolve_name(struct addrinfo **out, char* fullname) { char *serv, *host, *end; int res; /* Find port */ char *sep = strrchr(fullname, ':'); if (!sep) { /* No separator: parameter is just a port */ fprintf(stderr, "%s: names must be fully specified as hostname:port\n", fullname); exit(1); } serv = sep+1; *sep = 0; host = fullname; /* If it is a RFC-Compliant IPv6 address ("[1234::12]:443"), remove brackets * around IP address */ if (host[0] == '[') { end = strrchr(host, ']'); if (!end) { fprintf(stderr, "%s: no closing bracket in IPv6 address?\n", host); } host++; /* skip first bracket */ *end = 0; /* remove last bracket */ } res = resolve_split_name(out, host, serv); if (res) { fprintf(stderr, "%s `%s'\n", gai_strerror(res), fullname); if (res == EAI_SERVICE) fprintf(stderr, "(Check you have specified all ports)\n"); exit(4); } } /* Log to syslog or stderr if foreground */ void log_message(int type, char* msg, ...) { va_list ap; va_start(ap, msg); if (foreground) vfprintf(stderr, msg, ap); else vsyslog(type, msg, ap); va_end(ap); } /* syslogs who connected to where */ void log_connection(struct connection *cnx) { struct addrinfo addr; struct sockaddr_storage ss; #define MAX_NAMELENGTH (NI_MAXHOST + NI_MAXSERV + 1) char peer[MAX_NAMELENGTH], service[MAX_NAMELENGTH], local[MAX_NAMELENGTH], target[MAX_NAMELENGTH]; int res; if (cnx->proto->log_level < 1) return; addr.ai_addr = (struct sockaddr*)&ss; addr.ai_addrlen = sizeof(ss); res = getpeername(cnx->q[0].fd, addr.ai_addr, &addr.ai_addrlen); if (res == -1) return; /* Can happen if connection drops before we get here. In that case, don't log anything (there is no connection) */ sprintaddr(peer, sizeof(peer), &addr); addr.ai_addrlen = sizeof(ss); res = getsockname(cnx->q[0].fd, addr.ai_addr, &addr.ai_addrlen); if (res == -1) return; sprintaddr(service, sizeof(service), &addr); addr.ai_addrlen = sizeof(ss); res = getpeername(cnx->q[1].fd, addr.ai_addr, &addr.ai_addrlen); if (res == -1) return; sprintaddr(target, sizeof(target), &addr); addr.ai_addrlen = sizeof(ss); res = getsockname(cnx->q[1].fd, addr.ai_addr, &addr.ai_addrlen); if (res == -1) return; sprintaddr(local, sizeof(local), &addr); log_message(LOG_INFO, "%s:connection from %s to %s forwarded from %s to %s\n", cnx->proto->description, peer, service, local, target); } /* libwrap (tcpd): check the connection is legal. This is necessary because * the actual server will only see a connection coming from localhost and can't * apply the rules itself. * * Returns -1 if access is denied, 0 otherwise */ int check_access_rights(int in_socket, const char* service) { #ifdef LIBWRAP union { struct sockaddr saddr; struct sockaddr_storage ss; } peer; socklen_t size = sizeof(peer); char addr_str[NI_MAXHOST], host[NI_MAXHOST]; int res; res = getpeername(in_socket, &peer.saddr, &size); CHECK_RES_RETURN(res, "getpeername"); /* extract peer address */ res = getnameinfo(&peer.saddr, size, addr_str, sizeof(addr_str), NULL, 0, NI_NUMERICHOST); if (res) { if (verbose) fprintf(stderr, "getnameinfo(NI_NUMERICHOST):%s\n", gai_strerror(res)); strcpy(addr_str, STRING_UNKNOWN); } /* extract peer name */ strcpy(host, STRING_UNKNOWN); if (!numeric) { res = getnameinfo(&peer.saddr, size, host, sizeof(host), NULL, 0, NI_NAMEREQD); if (res) { if (verbose) fprintf(stderr, "getnameinfo(NI_NAMEREQD):%s\n", gai_strerror(res)); } } if (!hosts_ctl(service, host, addr_str, STRING_UNKNOWN)) { if (verbose) fprintf(stderr, "access denied\n"); log_message(LOG_INFO, "connection from %s(%s): access denied", host, addr_str); close(in_socket); return -1; } #endif return 0; } void setup_signals(void) { int res; struct sigaction action; /* Request no SIGCHLD is sent upon termination of * the children */ memset(&action, 0, sizeof(action)); action.sa_handler = NULL; action.sa_flags = SA_NOCLDWAIT; res = sigaction(SIGCHLD, &action, NULL); CHECK_RES_DIE(res, "sigaction"); /* Set SIGTERM to exit. For some reason if it's not set explicitly, * coverage information is lost when killing the process */ memset(&action, 0, sizeof(action)); action.sa_handler = exit; res = sigaction(SIGTERM, &action, NULL); CHECK_RES_DIE(res, "sigaction"); /* Ignore SIGPIPE . */ action.sa_handler = SIG_IGN; res = sigaction(SIGPIPE, &action, NULL); CHECK_RES_DIE(res, "sigaction"); } /* Open syslog connection with appropriate banner; * banner is made up of basename(bin_name)+"[pid]" */ void setup_syslog(const char* bin_name) { char *name1, *name2; int res; name1 = strdup(bin_name); res = asprintf(&name2, "%s[%d]", basename(name1), getpid()); CHECK_RES_DIE(res, "asprintf"); openlog(name2, LOG_CONS, LOG_AUTH); free(name1); /* Don't free name2, as openlog(3) uses it (at least in glibc) */ log_message(LOG_INFO, "%s %s started\n", server_type, VERSION); } /* Ask OS to keep capabilities over a setuid(nonzero) */ void set_keepcaps(int val) { #ifdef LIBCAP int res; res = prctl(PR_SET_KEEPCAPS, val, 0, 0, 0); if (res) { perror("prctl"); exit(1); } #endif } /* set needed capabilities for effective and permitted, clear rest */ void set_capabilities(void) { #ifdef LIBCAP int res; cap_t caps; cap_value_t cap_list[10]; int ncap = 0; if (transparent) cap_list[ncap++] = CAP_NET_ADMIN; caps = cap_init(); #define _cap_set_flag(flag) do { \ res = cap_clear_flag(caps, flag); \ CHECK_RES_DIE(res, "cap_clear_flag(" #flag ")"); \ if (ncap > 0) { \ res = cap_set_flag(caps, flag, ncap, cap_list, CAP_SET); \ CHECK_RES_DIE(res, "cap_set_flag(" #flag ")"); \ } \ } while(0) _cap_set_flag(CAP_EFFECTIVE); _cap_set_flag(CAP_PERMITTED); #undef _cap_set_flag res = cap_set_proc(caps); CHECK_RES_DIE(res, "cap_set_proc"); res = cap_free(caps); if (res) { perror("cap_free"); exit(1); } #endif } /* We don't want to run as root -- drop privileges if required */ void drop_privileges(const char* user_name) { int res; struct passwd *pw = getpwnam(user_name); if (!pw) { fprintf(stderr, "%s: not found\n", user_name); exit(2); } if (verbose) fprintf(stderr, "turning into %s\n", user_name); set_keepcaps(1); /* remove extraneous groups in case we belong to several extra groups that * may have unwanted rights. If non-root when calling setgroups(), it * fails, which is fine because... we have no unwanted rights * (see POS36-C for security context) * */ setgroups(0, NULL); res = setgid(pw->pw_gid); CHECK_RES_DIE(res, "setgid"); res = setuid(pw->pw_uid); CHECK_RES_DIE(res, "setuid"); set_capabilities(); set_keepcaps(0); } /* Writes my PID */ void write_pid_file(const char* pidfile) { FILE *f; f = fopen(pidfile, "w"); if (!f) { perror(pidfile); exit(3); } fprintf(f, "%d\n", getpid()); fclose(f); } sslh-v1.18/common.h000066400000000000000000000066101267655245100142630ustar00rootroot00000000000000#ifndef COMMON_H #define COMMON_H /* FD_SETSIZE is 64 on Cygwin, which is really low. Just redefining it is * enough for the macros to adapt (http://support.microsoft.com/kb/111855) */ #ifdef __CYGWIN__ #define FD_SETSIZE 4096 #endif #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef LIBCAP #include #include #endif #include "version.h" #define CHECK_RES_DIE(res, str) \ if (res == -1) { \ perror(str); \ exit(1); \ } #define CHECK_RES_RETURN(res, str) \ if (res == -1) { \ log_message(LOG_CRIT, "%s:%d:%s\n", str, errno, strerror(errno)); \ return res; \ } #define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0])) #if 1 #define TRACE fprintf(stderr, "%s:%d\n", __FILE__, __LINE__); #else #define TRACE #endif #ifndef IP_FREEBIND #define IP_FREEBIND 0 #endif enum connection_state { ST_PROBING=1, /* Waiting for timeout to find where to forward */ ST_SHOVELING /* Connexion is established */ }; /* this is used to pass protocols through the command-line parameter parsing */ #define PROT_SHIFT 1000 /* protocol options will be 1000, 1001, etc */ /* A 'queue' is composed of a file descriptor (which can be read from or * written to), and a queue for deferred write data */ struct queue { int fd; void *begin_deferred_data; void *deferred_data; int deferred_data_size; }; struct connection { enum connection_state state; time_t probe_timeout; struct proto *proto; /* q[0]: queue for external connection (client); * q[1]: queue for internal connection (httpd or sshd); * */ struct queue q[2]; }; #define FD_CNXCLOSED 0 #define FD_NODATA -1 #define FD_STALLED -2 /* common.c */ void init_cnx(struct connection *cnx); int connect_addr(struct connection *cnx, int fd_from); int fd2fd(struct queue *target, struct queue *from); char* sprintaddr(char* buf, size_t size, struct addrinfo *a); void resolve_name(struct addrinfo **out, char* fullname); void log_connection(struct connection *cnx); int check_access_rights(int in_socket, const char* service); void setup_signals(void); void setup_syslog(const char* bin_name); void drop_privileges(const char* user_name); void write_pid_file(const char* pidfile); void log_message(int type, char* msg, ...); void dump_connection(struct connection *cnx); int resolve_split_name(struct addrinfo **out, const char* hostname, const char* port); int start_listen_sockets(int *sockfd[], struct addrinfo *addr_list); int defer_write(struct queue *q, void* data, int data_size); int flush_deferred(struct queue *q); extern int probing_timeout, verbose, inetd, foreground, background, transparent, numeric; extern struct sockaddr_storage addr_ssl, addr_ssh, addr_openvpn; extern struct addrinfo *addr_listen; extern const char* USAGE_STRING; extern const char* user_name, *pid_file; extern const char* server_type; /* sslh-fork.c */ void start_shoveler(int); void main_loop(int *listen_sockets, int num_addr_listen); #endif sslh-v1.18/echosrv.c000066400000000000000000000074761267655245100144520ustar00rootroot00000000000000/* echosrv: a simple line echo server with optional prefix adding. * * echsrv --listen localhost6:1234 --prefix "ssl: " * * This will bind to 1234, and echo every line pre-pending "ssl: ". This is * used for testing: we create several such servers with different prefixes, * then we connect test clients that can then check they get the proper data * back (thus testing that shoveling works both ways) with the correct prefix * (thus testing it connected to the expected service). * **/ #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "common.h" /* Added to make the code compilable under CYGWIN * */ #ifndef SA_NOCLDWAIT #define SA_NOCLDWAIT 0 #endif const char* USAGE_STRING = "echosrv\n" \ "usage:\n" \ "\techosrv [-v] --listen [--prefix ]\n" "-v: verbose\n" \ "--listen: address to listen on. Can be specified multiple times.\n" \ "--prefix: add specified prefix before every line echoed.\n" ""; const char* server_type = "echsrv"; /* keep setup_syslog happy */ /* * Settings that depend on the command line. */ char* prefix = ""; int port; void parse_cmdline(int argc, char* argv[]) { int c; struct option options[] = { { "verbose", no_argument, &verbose, 1 }, { "numeric", no_argument, &numeric, 1 }, { "listen", required_argument, 0, 'l' }, { "prefix", required_argument, 0, 'p' }, }; struct addrinfo **a; while ((c = getopt_long_only(argc, argv, "l:p:", options, NULL)) != -1) { if (c == 0) continue; switch (c) { case 'l': /* find the end of the listen list */ for (a = &addr_listen; *a; a = &((*a)->ai_next)); /* append the specified addresses */ resolve_name(a, optarg); break; case 'p': prefix = optarg; break; default: fprintf(stderr, "%s", USAGE_STRING); exit(2); } } if (!addr_listen) { fprintf(stderr, "No listening port specified\n"); exit(1); } } void start_echo(int fd) { int res; char buffer[1 << 20]; int ret, prefix_len; prefix_len = strlen(prefix); memset(buffer, 0, sizeof(buffer)); strcpy(buffer, prefix); while (1) { ret = read(fd, buffer + prefix_len, sizeof(buffer)); if (ret == -1) { fprintf(stderr, "%s", strerror(errno)); return; } res = write(fd, buffer, ret + prefix_len); if (res < 0) { fprintf(stderr, "%s", strerror(errno)); return; } } } void main_loop(int listen_sockets[], int num_addr_listen) { int in_socket, i; for (i = 0; i < num_addr_listen; i++) { if (!fork()) { while (1) { in_socket = accept(listen_sockets[i], 0, 0); if (verbose) fprintf(stderr, "accepted fd %d\n", in_socket); if (!fork()) { close(listen_sockets[i]); start_echo(in_socket); exit(0); } close(in_socket); } } } wait(NULL); } int main(int argc, char *argv[]) { extern char *optarg; extern int optind; int num_addr_listen; int *listen_sockets; parse_cmdline(argc, argv); num_addr_listen = start_listen_sockets(&listen_sockets, addr_listen); main_loop(listen_sockets, num_addr_listen); return 0; } sslh-v1.18/example.cfg000066400000000000000000000066301267655245100147400ustar00rootroot00000000000000# This file is provided as documentation to show what is # possible. It should not be used as-is, and probably should # not be used as a starting point for a working # configuration. Instead use basic.cfg. verbose: true; foreground: true; inetd: false; numeric: false; transparent: false; timeout: 2; user: "nobody"; pidfile: "/var/run/sslh.pid"; # List of interfaces on which we should listen # Options: listen: ( { host: "thelonious"; port: "443"; }, { host: "thelonious"; port: "8080"; keepalive: true; } ); # List of protocols # # Each protocol entry consists of: # name: name of the probe. These are listed on the command # line (ssh -?), plus 'regex' and 'timeout'. # service: (optional) libwrap service name (see hosts_access(5)) # host, port: where to connect when this probe succeeds # log_level: 0 to turn off logging # 1 to log each incoming connection # keepalive: Should TCP keepalive be on or off for that # connection (default is off) # # Probe-specific options: # tls: # sni_hostnames: list of FQDN for that target # alpn_protocols: list of ALPN protocols for that target, see: # https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids # # if both sni_hostnames AND alpn_protocols are specified, both must match # if neither are set, it is just checked whether this is the TLS protocol or not # regex: # regex_patterns: list of patterns to match for # that target. # # sslh will try each probe in order they are declared, and # connect to the first that matches. # # You can specify several of 'regex' and 'tls'. protocols: ( { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; keepalive: true; }, { name: "http"; host: "localhost"; port: "80"; }, # match BOTH ALPN/SNI { name: "tls"; host: "localhost"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; sni_hostnames: [ "im.somethingelse.net" ]; log_level: 0;}, # just match ALPN { name: "tls"; host: "localhost"; port: "443"; alpn_protocols: [ "h2", "http/1.1", "spdy/1", "spdy/2", "spdy/3" ]; log_level: 0; }, { name: "tls"; host: "localhost"; port: "xmpp-client"; alpn_protocols: [ "xmpp-client" ]; log_level: 0;}, # just match SNI { name: "tls"; host: "localhost"; port: "993"; sni_hostnames: [ "mail.rutschle.net", "mail.englishintoulouse.com" ]; log_level: 0; }, { name: "tls"; host: "localhost"; port: "xmpp-client"; sni_hostnames: [ "im.rutschle.net", "im.englishintoulouse.com" ]; log_level: 0;}, # catch anything else TLS { name: "tls"; host: "localhost"; port: "443"; }, # OpenVPN { name: "regex"; host: "localhost"; port: "1194"; regex_patterns: [ "^\x00[\x0D-\xFF]$", "^\x00[\x0D-\xFF]\x38" ]; }, # Jabber { name: "regex"; host: "localhost"; port: "5222"; regex_patterns: [ "jabber" ]; }, # Catch-all { name: "regex"; host: "localhost"; port: "443"; regex_patterns: [ "" ]; }, # Where to connect in case of timeout (defaults to ssh) { name: "timeout"; service: "daytime"; host: "localhost"; port: "daytime"; } ); # Optionally, specify to which protocol to connect in case # of timeout (defaults to "ssh"). # You can timeout to any arbitrary address by setting an # entry in 'protocols' named "timeout". # This enables you to set a tcpd service name for this # protocol too. on-timeout: "timeout"; sslh-v1.18/genver.sh000077500000000000000000000026521267655245100144510ustar00rootroot00000000000000#! /bin/sh if [ ${#} -eq 1 ] && [ "x$1" = "x-r" ]; then # release text only QUIET=1 else QUIET=0 fi if ! `(git status | grep -q "On branch") 2> /dev/null`; then # If we don't have git, we can't work out what # version this is. It must have been downloaded as a # zip file. # If downloaded from the release page, the directory # has the version number. release=`pwd | sed s/.*sslh-// | grep "[[:digit:]]"` if [ "x$release" = "x" ]; then # If downloaded from the head, Github creates the # zip file with all files dated from the last # change: use the Makefile's modification time as a # release number release=head-`perl -MPOSIX -e 'print strftime "%Y-%m-%d",localtime((stat "Makefile")[9])'` fi fi if head=`git rev-parse --verify HEAD 2>/dev/null`; then # generate the version info based on the tag release=`(git describe --tags || git --describe || git describe --all --long) \ 2>/dev/null | tr -d '\n'` # Are there uncommitted changes? git update-index --refresh --unmerged > /dev/null if git diff-index --name-only HEAD | grep -v "^scripts/package" \ | read dummy; then release="$release-dirty" fi fi if [ $QUIET -ne 1 ]; then printf "#ifndef VERSION_H \n" printf "#define VERSION_H \n\n" printf "#define VERSION \"$release\"\n" printf "#endif\n" else printf "$release\n" fi sslh-v1.18/probe.c000066400000000000000000000265441267655245100141050ustar00rootroot00000000000000/* # probe.c: Code for probing protocols # # Copyright (C) 2007-2015 Yves Rutschle # # This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License as published by the Free Software Foundation; either # version 2 of the License, or (at your option) any later # version. # # This program is distributed in the hope that it will be # useful, but WITHOUT ANY WARRANTY; without even the implied # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR # PURPOSE. See the GNU General Public License for more # details. # # The full text for the General Public License is here: # http://www.gnu.org/licenses/gpl.html */ #define _GNU_SOURCE #include #ifdef ENABLE_REGEX #ifdef LIBPCRE #include #else #include #endif #endif #include #include "probe.h" static int is_ssh_protocol(const char *p, int len, struct proto*); static int is_openvpn_protocol(const char *p, int len, struct proto*); static int is_tinc_protocol(const char *p, int len, struct proto*); static int is_xmpp_protocol(const char *p, int len, struct proto*); static int is_http_protocol(const char *p, int len, struct proto*); static int is_tls_protocol(const char *p, int len, struct proto*); static int is_adb_protocol(const char *p, int len, struct proto*); static int is_true(const char *p, int len, struct proto* proto) { return 1; } /* Table of protocols that have a built-in probe */ static struct proto builtins[] = { /* description service saddr log_level keepalive probe */ { "ssh", "sshd", NULL, 1, 0, is_ssh_protocol}, { "openvpn", NULL, NULL, 1, 0, is_openvpn_protocol }, { "tinc", NULL, NULL, 1, 0, is_tinc_protocol }, { "xmpp", NULL, NULL, 1, 0, is_xmpp_protocol }, { "http", NULL, NULL, 1, 0, is_http_protocol }, { "ssl", NULL, NULL, 1, 0, is_tls_protocol }, { "tls", NULL, NULL, 1, 0, is_tls_protocol }, { "adb", NULL, NULL, 1, 0, is_adb_protocol }, { "anyprot", NULL, NULL, 1, 0, is_true } }; static struct proto *protocols; static char* on_timeout = "ssh"; struct proto* get_builtins(void) { return builtins; } int get_num_builtins(void) { return ARRAY_SIZE(builtins); } /* Sets the protocol name to connect to in case of timeout */ void set_ontimeout(const char* name) { int res = asprintf(&on_timeout, "%s", name); CHECK_RES_DIE(res, "asprintf"); } /* Returns the protocol to connect to in case of timeout; * if not found, return the first protocol specified */ struct proto* timeout_protocol(void) { struct proto* p = get_first_protocol(); for (; p && strcmp(p->description, on_timeout); p = p->next); if (p) return p; return get_first_protocol(); } /* returns the first protocol (caller can then follow the *next pointers) */ struct proto* get_first_protocol(void) { return protocols; } void set_protocol_list(struct proto* prots) { protocols = prots; } /* From http://grapsus.net/blog/post/Hexadecimal-dump-in-C */ #define HEXDUMP_COLS 16 void hexdump(const char *mem, unsigned int len) { unsigned int i, j; for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++) { /* print offset */ if(i % HEXDUMP_COLS == 0) printf("0x%06x: ", i); /* print hex data */ if(i < len) printf("%02x ", 0xFF & mem[i]); else /* end of block, just aligning for ASCII dump */ printf(" "); /* print ASCII dump */ if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1)) { for(j = i - (HEXDUMP_COLS - 1); j <= i; j++) { if(j >= len) /* end of block, not really printing */ putchar(' '); else if(isprint(mem[j])) /* printable char */ putchar(0xFF & mem[j]); else /* other char */ putchar('.'); } putchar('\n'); } } } /* Is the buffer the beginning of an SSH connection? */ static int is_ssh_protocol(const char *p, int len, struct proto *proto) { if (len < 4) return PROBE_AGAIN; return !strncmp(p, "SSH-", 4); } /* Is the buffer the beginning of an OpenVPN connection? * * Code inspired from OpenVPN port-share option; however, OpenVPN code is * wrong: users using pre-shared secrets have non-initialised key_id fields so * p[3] & 7 should not be looked at, and also the key_method can be specified * to 1 which changes the opcode to P_CONTROL_HARD_RESET_CLIENT_V1. * See: * http://www.fengnet.com/book/vpns%20illustrated%20tunnels%20%20vpnsand%20ipsec/ch08lev1sec5.html * and OpenVPN ssl.c, ssl.h and options.c */ static int is_openvpn_protocol (const char*p,int len, struct proto *proto) { int packet_len; if (len < 2) return PROBE_AGAIN; packet_len = ntohs(*(uint16_t*)p); return packet_len == len - 2; } /* Is the buffer the beginning of a tinc connections? * Protocol is documented here: http://www.tinc-vpn.org/documentation/tinc.pdf * First connection starts with "0 " in 1.0.15) * */ static int is_tinc_protocol( const char *p, int len, struct proto *proto) { if (len < 2) return PROBE_AGAIN; return !strncmp(p, "0 ", 2); } /* Is the buffer the beginning of a jabber (XMPP) connections? * (Protocol is documented (http://tools.ietf.org/html/rfc6120) but for lazy * clients, just checking first frame containing "jabber" in xml entity) * */ static int is_xmpp_protocol( const char *p, int len, struct proto *proto) { /* sometimes the word 'jabber' shows up late in the initial string, sometimes after a newline. this makes sure we snarf the entire preamble and detect it. (fixed for adium/pidgin) */ if (len < 50) return PROBE_AGAIN; return memmem(p, len, "jabber", 6) ? 1 : 0; } static int probe_http_method(const char *p, int len, const char *opt) { if (len < strlen(opt)) return PROBE_AGAIN; return !strncmp(p, opt, len); } /* Is the buffer the beginning of an HTTP connection? */ static int is_http_protocol(const char *p, int len, struct proto *proto) { int res; /* If it's got HTTP in the request (HTTP/1.1) then it's HTTP */ if (memmem(p, len, "HTTP", 4)) return PROBE_MATCH; #define PROBE_HTTP_METHOD(opt) if ((res = probe_http_method(p, len, opt)) != PROBE_NEXT) return res /* Otherwise it could be HTTP/1.0 without version: check if it's got an * HTTP method (RFC2616 5.1.1) */ PROBE_HTTP_METHOD("OPTIONS"); PROBE_HTTP_METHOD("GET"); PROBE_HTTP_METHOD("HEAD"); PROBE_HTTP_METHOD("POST"); PROBE_HTTP_METHOD("PUT"); PROBE_HTTP_METHOD("DELETE"); PROBE_HTTP_METHOD("TRACE"); PROBE_HTTP_METHOD("CONNECT"); #undef PROBE_HTTP_METHOD return PROBE_NEXT; } static int is_sni_alpn_protocol(const char *p, int len, struct proto *proto) { int valid_tls; valid_tls = parse_tls_header(proto->data, p, len); if(valid_tls < 0) return -1 == valid_tls ? PROBE_AGAIN : PROBE_NEXT; /* There *was* a valid match */ return PROBE_MATCH; } static int is_tls_protocol(const char *p, int len, struct proto *proto) { if (len < 3) return PROBE_AGAIN; /* TLS packet starts with a record "Hello" (0x16), followed by version * (0x03 0x00-0x03) (RFC6101 A.1) * This means we reject SSLv2 and lower, which is actually a good thing (RFC6176) */ return p[0] == 0x16 && p[1] == 0x03 && ( p[2] >= 0 && p[2] <= 0x03); } static int is_adb_protocol(const char *p, int len, struct proto *proto) { if (len < 30) return PROBE_AGAIN; /* The initial ADB host->device packet has a command type of CNXN, and a * data payload starting with "host:". Note that current versions of the * client hardcode "host::" (with empty serialno and banner fields) but * other clients may populate those fields. * * We aren't checking amessage.data_length, under the assumption that * a packet >= 30 bytes long will have "something" in the payload field. */ return !memcmp(&p[0], "CNXN", 4) && !memcmp(&p[24], "host:", 5); } static int regex_probe(const char *p, int len, struct proto *proto) { #ifdef ENABLE_REGEX regex_t **probe = proto->data; regmatch_t pos = { 0, len }; for (; *probe && regexec(*probe, p, 0, &pos, REG_STARTEND); probe++) /* try them all */; return (*probe != NULL); #else /* Should never happen as we check when loading config file */ fprintf(stderr, "FATAL: regex probe called but not built in\n"); exit(5); #endif } /* * Read the beginning of data coming from the client connection and check if * it's a known protocol. * Return PROBE_AGAIN if not enough data, or PROBE_MATCH if it succeeded in * which case cnx->proto is set to the appropriate protocol. */ int probe_client_protocol(struct connection *cnx) { char buffer[BUFSIZ]; struct proto *p; int n; n = read(cnx->q[0].fd, buffer, sizeof(buffer)); /* It's possible that read() returns an error, e.g. if the client * disconnected between the previous call to select() and now. If that * happens, we just connect to the default protocol so the caller of this * function does not have to deal with a specific failure condition (the * connection will just fail later normally). */ if (n > 0) { int res = PROBE_NEXT; defer_write(&cnx->q[1], buffer, n); for (p = cnx->proto; p && res == PROBE_NEXT; p = p->next) { if (! p->probe) continue; if (verbose) fprintf(stderr, "probing for %s\n", p->description); cnx->proto = p; res = p->probe(cnx->q[1].begin_deferred_data, cnx->q[1].deferred_data_size, p); } if (res != PROBE_NEXT) return res; } if (verbose) fprintf(stderr, "all probes failed, connecting to first protocol: %s\n", protocols->description); /* If none worked, return the first one affected (that's completely * arbitrary) */ cnx->proto = protocols; return PROBE_MATCH; } /* Returns the structure for specified protocol or NULL if not found */ static struct proto* get_protocol(const char* description) { int i; for (i = 0; i < ARRAY_SIZE(builtins); i++) { if (!strcmp(builtins[i].description, description)) { return &builtins[i]; } } return NULL; } /* Returns the probe for specified protocol: * parameter is the description in builtins[], or "regex" * */ T_PROBE* get_probe(const char* description) { struct proto* p = get_protocol(description); if (p) return p->probe; /* Special case of "regex" probe (we don't want to set it in builtins * because builtins is also used to build the command-line options and * regexp is not legal on the command line)*/ if (!strcmp(description, "regex")) return regex_probe; /* Special case of "sni/alpn" probe for same reason as above*/ if (!strcmp(description, "sni_alpn")) return is_sni_alpn_protocol; /* Special case of "timeout" is allowed as a probe name in the * configuration file even though it's not really a probe */ if (!strcmp(description, "timeout")) return is_true; return NULL; } sslh-v1.18/probe.h000066400000000000000000000044431267655245100141040ustar00rootroot00000000000000/* API for probe.c */ #ifndef PROBE_H #define PROBE_H #include "common.h" #include "tls.h" typedef enum { PROBE_NEXT, /* Enough data, probe failed -- it's some other protocol */ PROBE_MATCH, /* Enough data, probe successful -- it's the current protocol */ PROBE_AGAIN, /* Not enough data for this probe, try again with more data */ } probe_result; struct proto; typedef int T_PROBE(const char*, int, struct proto*); /* For each protocol we need: */ struct proto { const char* description; /* a string that says what it is (for logging and command-line parsing) */ const char* service; /* service name to do libwrap checks */ struct addrinfo *saddr; /* list of addresses to try and switch that protocol */ int log_level; /* 0: No logging of connection * 1: Log incoming connection */ int keepalive; /* 0: No keepalive ; 1: Set Keepalive for this connection */ /* function to probe that protocol; parameters are buffer and length * containing the data to probe, and a pointer to the protocol structure */ T_PROBE* probe; /* opaque pointer ; used to pass list of regex to regex probe, or TLSProtocol struct to sni/alpn probe */ void* data; struct proto *next; /* pointer to next protocol in list, NULL if last */ }; /* Returns a pointer to the array of builtin protocols */ struct proto * get_builtins(void); /* Returns the number of builtin protocols */ int get_num_builtins(void); /* Returns the probe for specified protocol */ T_PROBE* get_probe(const char* description); /* Returns the head of the configured protocols */ struct proto* get_first_protocol(void); /* Set the list of configured protocols */ void set_protocol_list(struct proto*); /* probe_client_protocol * * Read the beginning of data coming from the client connection and check if * it's a known protocol. Then leave the data on the deferred * write buffer of the connection and returns a pointer to the protocol * structure */ int probe_client_protocol(struct connection *cnx); /* set the protocol to connect to in case of timeout */ void set_ontimeout(const char* name); /* timeout_protocol * * Returns the protocol to connect to in case of timeout */ struct proto* timeout_protocol(void); void hexdump(const char*, unsigned int); #endif sslh-v1.18/scripts/000077500000000000000000000000001267655245100143065ustar00rootroot00000000000000sslh-v1.18/scripts/etc.init.d.sslh000077500000000000000000000017711267655245100171510ustar00rootroot00000000000000#! /bin/sh ### BEGIN INIT INFO # Provides: sslh # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 1 # Short-Description: sslh proxy ssl & ssh connections ### END INIT INFO set -e tag=sslh facility=user.info # /etc/init.d/sslh: start and stop the sslh proxy daemon if test -f /etc/default/sslh; then . /etc/default/sslh fi # The prefix is normally filled by make install. If # installing by hand, fill it in yourself! PREFIX= DAEMON=$PREFIX/sbin/sslh start() { echo "Start services: sslh" $DAEMON -F/etc/sslh.cfg logger -t ${tag} -p ${facility} -i 'Started sslh' } stop() { echo "Stop services: sslh" killall $DAEMON logger -t ${tag} -p ${facility} -i 'Stopped sslh' } case "$1" in start) start ;; stop) stop ;; restart) stop sleep 5 start ;; *) echo "Usage: /etc/init.d/sslh {start|stop|restart}" >&2 ;; esac exit 0 sslh-v1.18/scripts/etc.rc.d.init.d.sslh.centos000077500000000000000000000032551267655245100212670ustar00rootroot00000000000000#!/bin/bash # # sslh Startup script for the SSL/SSH multiplexer # # chkconfig: - 13 87 # description: Sslh accepts connections on specified ports, and forwards # them further based on tests performed on the first data # packet sent by the remote client. # processname: sslh # config: /etc/sslh.cfg # config: /etc/sysconfig/sslh # pidfile: /var/run/sslh/sslh.pid # # Authors: # Andre Krajnik akrajnik@gmail.com - 2010-03-20 # Julien Thomas julthomas@free.fr - 2013-08-25 # Source function library. . /etc/init.d/functions if [ -f /etc/sysconfig/sslh ]; then . /etc/sysconfig/sslh fi PROGNAME=sslh SSLH=${SSLH:-/usr/sbin/sslh-select} SSLH_LANG=${SSLH_LANG:-C} CONFIG=${CONFIG:-/etc/sslh.cfg} PIDFILE=${PIDFILE:-/var/run/sslh/sslh.pid} LOCKFILE=${LOCKFILE:-/var/lock/subsys/sslh} STOP_TIMEOUT=${STOP_TIMEOUT:-10} RETVAL=0 start() { echo -n "Starting $PROGNAME: " LANG=$SSLH_LANG daemon --pidfile="$PIDFILE" \ ${SSLH_USER:+--user="${SSLH_USER}"} \ "$SSLH" ${CONFIG:+-F "$CONFIG"} "$OPTIONS" RETVAL=$? echo [ $RETVAL = 0 ] && touch "$LOCKFILE" return $RETVAL } stop() { echo -n "Stopping $PROGNAME: " killproc -p "$PIDFILE" -d "$STOP_TIMEOUT" "$SSLH" RETVAL=$? echo [ $RETVAL = 0 ] && rm -f "$LOCKFILE" "$PIDFILE" } # See how we were called. case "$1" in start) start ;; stop) stop ;; status) status -p "$PIDFILE" "$SSLH" RETVAL=$? ;; restart) stop start ;; *) echo "Usage: $PROGNAME {start|stop|status|restart}" RETVAL=2 ;; esac exit $RETVAL sslh-v1.18/scripts/etc.sysconfig.sslh000066400000000000000000000013141267655245100177560ustar00rootroot00000000000000# # The default processing model uses select # A fork model is also available # #SSLH=/usr/sbin/sslh-select # # If transparent mode is enabled, the following # is needed in order to run as sslh user # #SSLH_USER=sslh #setcap cap_net_bind_service,cap_net_admin=+ep $SSLH # # Configuration file for sslh # Set empty to disable configuration file support # #CONFIG=/etc/sslh.cfg # # Extra option to pass on comand line # Those can supersede configuration file settings # #OPTIONS= # # The sslh process is started by default with the C # locale, it can be changed here # #SSLH_LANG=C # # If an alternate location is specified in configuration # file, it needs to be reported here # #PIDFILE=/var/run/sslh/sslh.pid sslh-v1.18/scripts/fail2ban/000077500000000000000000000000001267655245100157645ustar00rootroot00000000000000sslh-v1.18/scripts/fail2ban/jail.conf000066400000000000000000000003571267655245100175570ustar00rootroot00000000000000# Add the following to your fail2ban jail.conf # In Debian you'd append it to /etc/fail2ban/jail.local [sslh-ssh] enabled = true filter = sslh-ssh action = iptables-multiport[name=sslh,port="443"] logpath = /var/log/messages maxretry = 5 sslh-v1.18/scripts/fail2ban/sslh-ssh.conf000066400000000000000000000007641267655245100204060ustar00rootroot00000000000000# Add the following to you fail2ban configuration file # In Debian it'd go in /etc/fail2ban/filter.d/sslh-ssh.conf # Fail2Ban filter for sslh demultiplexed ssh # # Doesn't (and cannot) detect auth errors, # but many connection attempts from the same # origin is reason enough to block. # # Verion: 2014-03-28 [INCLUDES] # no includes [Definition] failregex = ^.+ sslh\[.+\]: connection from :.+ to .+ forwarded from .+ to .+:ssh\s*$ ignoreregex = # Author: Evert Mouw sslh-v1.18/scripts/systemd.sslh.service000066400000000000000000000003211267655245100203240ustar00rootroot00000000000000[Unit] Description=SSL/SSH multiplexer After=network.target [Service] EnvironmentFile=/etc/conf.d/sslh ExecStart=/usr/bin/sslh --foreground $DAEMON_OPTS KillMode=process [Install] WantedBy=multi-user.target sslh-v1.18/sslh-fork.c000066400000000000000000000112021267655245100146670ustar00rootroot00000000000000/* sslh-fork: forking server # Copyright (C) 2007-2012 Yves Rutschle # # This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License as published by the Free Software Foundation; either # version 2 of the License, or (at your option) any later # version. # # This program is distributed in the hope that it will be # useful, but WITHOUT ANY WARRANTY; without even the implied # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR # PURPOSE. See the GNU General Public License for more # details. # # The full text for the General Public License is here: # http://www.gnu.org/licenses/gpl.html */ #include "common.h" #include "probe.h" const char* server_type = "sslh-fork"; #define MAX(a, b) (((a) > (b)) ? (a) : (b)) /* shovels data from one fd to the other and vice-versa returns after one socket closed */ int shovel(struct connection *cnx) { fd_set fds; int res, i; int max_fd = MAX(cnx->q[0].fd, cnx->q[1].fd) + 1; FD_ZERO(&fds); while (1) { FD_SET(cnx->q[0].fd, &fds); FD_SET(cnx->q[1].fd, &fds); res = select( max_fd, &fds, NULL, NULL, NULL ); CHECK_RES_DIE(res, "select"); for (i = 0; i < 2; i++) { if (FD_ISSET(cnx->q[i].fd, &fds)) { res = fd2fd(&cnx->q[1-i], &cnx->q[i]); if (!res) { if (verbose) fprintf(stderr, "%s %s", i ? "client" : "server", "socket closed\n"); return res; } } } } } /* Child process that finds out what to connect to and proxies */ void start_shoveler(int in_socket) { fd_set fds; struct timeval tv; int res = PROBE_AGAIN; int out_socket; struct connection cnx; init_cnx(&cnx); cnx.q[0].fd = in_socket; FD_ZERO(&fds); FD_SET(in_socket, &fds); memset(&tv, 0, sizeof(tv)); tv.tv_sec = probing_timeout; while (res == PROBE_AGAIN) { /* POSIX does not guarantee that tv will be updated, but the client can * only postpone the inevitable for so long */ res = select(in_socket + 1, &fds, NULL, NULL, &tv); if (res == -1) perror("select"); if (FD_ISSET(in_socket, &fds)) { /* Received data: figure out what protocol it is */ res = probe_client_protocol(&cnx); } else { /* Timed out: it's necessarily SSH */ cnx.proto = timeout_protocol(); break; } } if (cnx.proto->service && check_access_rights(in_socket, cnx.proto->service)) { exit(0); } /* Connect the target socket */ out_socket = connect_addr(&cnx, in_socket); CHECK_RES_DIE(out_socket, "connect"); cnx.q[1].fd = out_socket; log_connection(&cnx); flush_deferred(&cnx.q[1]); shovel(&cnx); close(in_socket); close(out_socket); if (verbose) fprintf(stderr, "connection closed down\n"); exit(0); } static int *listener_pid; static int listener_pid_number = 0; void stop_listeners(int sig) { int i; for (i = 0; i < listener_pid_number; i++) { kill(listener_pid[i], sig); } } void main_loop(int listen_sockets[], int num_addr_listen) { int in_socket, i, res; struct sigaction action; listener_pid_number = num_addr_listen; listener_pid = malloc(listener_pid_number * sizeof(listener_pid[0])); /* Start one process for each listening address */ for (i = 0; i < num_addr_listen; i++) { if (!(listener_pid[i] = fork())) { /* Listening process just accepts a connection, forks, and goes * back to listening */ while (1) { in_socket = accept(listen_sockets[i], 0, 0); if (verbose) fprintf(stderr, "accepted fd %d\n", in_socket); if (!fork()) { for (i = 0; i < num_addr_listen; ++i) close(listen_sockets[i]); start_shoveler(in_socket); exit(0); } close(in_socket); } } } /* Set SIGTERM to "stop_listeners" which further kills all listener * processes. Note this won't kill processes that listeners forked, which * means active connections remain active. */ memset(&action, 0, sizeof(action)); action.sa_handler = stop_listeners; res = sigaction(SIGTERM, &action, NULL); CHECK_RES_DIE(res, "sigaction"); wait(NULL); } /* The actual main is in common.c: it's the same for both version of * the server */ sslh-v1.18/sslh-main.c000066400000000000000000000471171267655245100146700ustar00rootroot00000000000000/* # main: processing of config file, command line options and start the main # loop. # # Copyright (C) 2007-2016 Yves Rutschle # # This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License as published by the Free Software Foundation; either # version 2 of the License, or (at your option) any later # version. # # This program is distributed in the hope that it will be # useful, but WITHOUT ANY WARRANTY; without even the implied # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR # PURPOSE. See the GNU General Public License for more # details. # # The full text for the General Public License is here: # http://www.gnu.org/licenses/gpl.html */ #define _GNU_SOURCE #ifdef LIBCONFIG #include #endif #ifdef ENABLE_REGEX #ifdef LIBPCRE #include #else #include #endif #endif #include "common.h" #include "probe.h" const char* USAGE_STRING = "sslh " VERSION "\n" \ "usage:\n" \ "\tsslh [-v] [-i] [-V] [-f] [-n] [--transparent] [-F ]\n" "\t[-t ] [-P ] -u -p [-p ...] \n" \ "%s\n\n" /* Dynamically built list of builtin protocols */ \ "\t[--on-timeout ]\n" \ "-v: verbose\n" \ "-V: version\n" \ "-f: foreground\n" \ "-n: numeric output\n" \ "-u: specify under which user to run\n" \ "--transparent: behave as a transparent proxy\n" \ "-F: use configuration file\n" \ "--on-timeout: connect to specified address upon timeout (default: ssh address)\n" \ "-t: seconds to wait before connecting to --on-timeout address.\n" \ "-p: address and port to listen on.\n Can be used several times to bind to several addresses.\n" \ "--[ssh,ssl,...]: where to connect connections from corresponding protocol.\n" \ "-P: PID file.\n" \ "-i: Run as a inetd service.\n" \ ""; /* Constants for options that have no one-character shorthand */ #define OPT_ONTIMEOUT 257 static struct option const_options[] = { { "inetd", no_argument, &inetd, 1 }, { "foreground", no_argument, &foreground, 1 }, { "background", no_argument, &background, 1 }, { "transparent", no_argument, &transparent, 1 }, { "numeric", no_argument, &numeric, 1 }, { "verbose", no_argument, &verbose, 1 }, { "user", required_argument, 0, 'u' }, { "config", optional_argument, 0, 'F' }, { "pidfile", required_argument, 0, 'P' }, { "timeout", required_argument, 0, 't' }, { "on-timeout", required_argument, 0, OPT_ONTIMEOUT }, { "listen", required_argument, 0, 'p' }, {} }; static struct option* all_options; static struct proto* builtins; static const char *optstr = "vt:T:p:VP:F::"; static void print_usage(void) { struct proto *p; int i; int res; char *prots = ""; p = get_builtins(); for (i = 0; i < get_num_builtins(); i++) { res = asprintf(&prots, "%s\t[--%s ]\n", prots, p[i].description); CHECK_RES_DIE(res, "asprintf"); } fprintf(stderr, USAGE_STRING, prots); } static void printcaps(void) { #ifdef LIBCAP cap_t caps; char* desc; ssize_t len; caps = cap_get_proc(); desc = cap_to_text(caps, &len); fprintf(stderr, "capabilities: %s\n", desc); cap_free(caps); cap_free(desc); #endif } static void printsettings(void) { char buf[NI_MAXHOST]; struct addrinfo *a; struct proto *p; for (p = get_first_protocol(); p; p = p->next) { fprintf(stderr, "%s addr: %s. libwrap service: %s log_level: %d family %d %d [%s]\n", p->description, sprintaddr(buf, sizeof(buf), p->saddr), p->service, p->log_level, p->saddr->ai_family, p->saddr->ai_addr->sa_family, p->keepalive ? "keepalive" : ""); } fprintf(stderr, "listening on:\n"); for (a = addr_listen; a; a = a->ai_next) { fprintf(stderr, "\t%s\t[%s]\n", sprintaddr(buf, sizeof(buf), a), a->ai_flags & SO_KEEPALIVE ? "keepalive" : ""); } fprintf(stderr, "timeout: %d\non-timeout: %s\n", probing_timeout, timeout_protocol()->description); } /* Extract configuration on addresses and ports on which to listen. * out: newly allocated list of addrinfo to listen to */ #ifdef LIBCONFIG static int config_listen(config_t *config, struct addrinfo **listen) { config_setting_t *setting, *addr; int len, i, keepalive; const char *hostname, *port; setting = config_lookup(config, "listen"); if (setting) { len = config_setting_length(setting); for (i = 0; i < len; i++) { addr = config_setting_get_elem(setting, i); if (! (config_setting_lookup_string(addr, "host", &hostname) && config_setting_lookup_string(addr, "port", &port))) { fprintf(stderr, "line %d:Incomplete specification (hostname and port required)\n", config_setting_source_line(addr)); return -1; } keepalive = 0; config_setting_lookup_bool(addr, "keepalive", &keepalive); resolve_split_name(listen, hostname, port); /* getaddrinfo returned a list of addresses corresponding to the * specification; move the pointer to the end of that list before * processing the next specification, while setting flags for * start_listen_sockets() through ai_flags (which is not meant for * that, but is only used as hint in getaddrinfo, so it's OK) */ for (; *listen; listen = &((*listen)->ai_next)) { if (keepalive) (*listen)->ai_flags = SO_KEEPALIVE; } } } return 0; } #endif #ifdef LIBCONFIG static void setup_regex_probe(struct proto *p, config_setting_t* probes) { #ifdef ENABLE_REGEX int num_probes, errsize, i, res; char *err; const char * expr; regex_t** probe_list; num_probes = config_setting_length(probes); if (!num_probes) { fprintf(stderr, "%s: no probes specified\n", p->description); exit(1); } p->probe = get_probe("regex"); probe_list = calloc(num_probes + 1, sizeof(*probe_list)); p->data = (void*)probe_list; for (i = 0; i < num_probes; i++) { probe_list[i] = malloc(sizeof(*(probe_list[i]))); expr = config_setting_get_string_elem(probes, i); res = regcomp(probe_list[i], expr, 0); if (res) { err = malloc(errsize = regerror(res, probe_list[i], NULL, 0)); regerror(res, probe_list[i], err, errsize); fprintf(stderr, "%s:%s\n", expr, err); free(err); exit(1); } } #else fprintf(stderr, "line %d: regex probe specified but not compiled in\n", config_setting_source_line(probes)); exit(5); #endif } #endif #ifdef LIBCONFIG static void setup_sni_alpn_list(struct proto *p, config_setting_t* config_items, const char* name, int alpn) { int num_probes, i, max_server_name_len, server_name_len; const char * config_item; char** sni_hostname_list; if(!config_items || !config_setting_is_array(config_items)) { fprintf(stderr, "%s: no %s specified\n", p->description, name); return; } num_probes = config_setting_length(config_items); if (!num_probes) { fprintf(stderr, "%s: no %s specified\n", p->description, name); return; } max_server_name_len = 0; for (i = 0; i < num_probes; i++) { server_name_len = strlen(config_setting_get_string_elem(config_items, i)); if(server_name_len > max_server_name_len) max_server_name_len = server_name_len; } sni_hostname_list = calloc(num_probes + 1, ++max_server_name_len); for (i = 0; i < num_probes; i++) { config_item = config_setting_get_string_elem(config_items, i); sni_hostname_list[i] = malloc(max_server_name_len); strcpy (sni_hostname_list[i], config_item); if(verbose) fprintf(stderr, "%s: %s[%d]: %s\n", p->description, name, i, sni_hostname_list[i]); } p->data = (void*)tls_data_set_list(p->data, alpn, sni_hostname_list); } static void setup_sni_alpn(struct proto *p, config_setting_t* sni_hostnames, config_setting_t* alpn_protocols) { p->data = (void*)new_tls_data(); p->probe = get_probe("sni_alpn"); setup_sni_alpn_list(p, sni_hostnames, "sni_hostnames", 0); setup_sni_alpn_list(p, alpn_protocols, "alpn_protocols", 1); } #endif /* Extract configuration for protocols to connect to. * out: newly-allocated list of protocols */ #ifdef LIBCONFIG static int config_protocols(config_t *config, struct proto **prots) { config_setting_t *setting, *prot, *patterns, *sni_hostnames, *alpn_protocols; const char *hostname, *port, *name; int i, num_prots; struct proto *p, *prev = NULL; setting = config_lookup(config, "protocols"); if (setting) { num_prots = config_setting_length(setting); for (i = 0; i < num_prots; i++) { p = calloc(1, sizeof(*p)); if (i == 0) *prots = p; if (prev) prev->next = p; prev = p; prot = config_setting_get_elem(setting, i); if ((config_setting_lookup_string(prot, "name", &name) && config_setting_lookup_string(prot, "host", &hostname) && config_setting_lookup_string(prot, "port", &port) )) { p->description = name; config_setting_lookup_string(prot, "service", &(p->service)); config_setting_lookup_bool(prot, "keepalive", &p->keepalive); if (config_setting_lookup_int(prot, "log_level", &p->log_level) == CONFIG_FALSE) { p->log_level = 1; } resolve_split_name(&(p->saddr), hostname, port); p->probe = get_probe(name); if (!p->probe || !strcmp(name, "sni_alpn")) { fprintf(stderr, "line %d: %s: probe unknown\n", config_setting_source_line(prot), name); exit(1); } /* Probe-specific options: regex patterns */ if (!strcmp(name, "regex")) { patterns = config_setting_get_member(prot, "regex_patterns"); if (patterns && config_setting_is_array(patterns)) { setup_regex_probe(p, patterns); } } /* Probe-specific options: SNI/ALPN */ if (!strcmp(name, "tls")) { sni_hostnames = config_setting_get_member(prot, "sni_hostnames"); alpn_protocols = config_setting_get_member(prot, "alpn_protocols"); if((sni_hostnames && config_setting_is_array(sni_hostnames)) || (alpn_protocols && config_setting_is_array(alpn_protocols))) { setup_sni_alpn(p, sni_hostnames, alpn_protocols); } } } } } return 0; } #endif /* Parses a config file * in: *filename * out: *listen, a newly-allocated linked list of listen addrinfo * *prots, a newly-allocated linked list of protocols * 1 on error, 0 on success */ #ifdef LIBCONFIG static int config_parse(char *filename, struct addrinfo **listen, struct proto **prots) { config_t config; int timeout; const char* str; config_init(&config); if (config_read_file(&config, filename) == CONFIG_FALSE) { /* If it's a parse error then there will be a line number for the failure * an I/O error (such as non-existent file) will have the error line as 0 */ if (config_error_line(&config) != 0) { fprintf(stderr, "%s:%d:%s\n", filename, config_error_line(&config), config_error_text(&config)); exit(1); } fprintf(stderr, "%s:%s\n", filename, config_error_text(&config)); return 1; } config_lookup_bool(&config, "verbose", &verbose); config_lookup_bool(&config, "inetd", &inetd); config_lookup_bool(&config, "foreground", &foreground); config_lookup_bool(&config, "numeric", &numeric); config_lookup_bool(&config, "transparent", &transparent); if (config_lookup_int(&config, "timeout", (int *)&timeout) == CONFIG_TRUE) { probing_timeout = timeout; } if (config_lookup_string(&config, "on-timeout", &str)) { set_ontimeout(str); } config_lookup_string(&config, "user", &user_name); config_lookup_string(&config, "pidfile", &pid_file); config_listen(&config, listen); config_protocols(&config, prots); return 0; } #endif /* Adds protocols to the list of options, so command-line parsing uses the * protocol definition array * options: array of options to add to; must be big enough * n_opts: number of options in *options before calling (i.e. where to append) * prot: array of protocols * n_prots: number of protocols in *prot * */ static void append_protocols(struct option *options, int n_opts, struct proto *prot , int n_prots) { int o, p; for (o = n_opts, p = 0; p < n_prots; o++, p++) { options[o].name = prot[p].description; options[o].has_arg = required_argument; options[o].flag = 0; options[o].val = p + PROT_SHIFT; } } static void make_alloptions(void) { builtins = get_builtins(); /* Create all_options, composed of const_options followed by one option per * known protocol */ all_options = calloc(ARRAY_SIZE(const_options) + get_num_builtins(), sizeof(struct option)); memcpy(all_options, const_options, sizeof(const_options)); append_protocols(all_options, ARRAY_SIZE(const_options) - 1, builtins, get_num_builtins()); } /* Performs a first scan of command line options to see if a configuration file * is specified. If there is one, parse it now before all other options (so * configuration file settings can be overridden from the command line). * * prots: newly-allocated list of configured protocols, if any. */ static void cmdline_config(int argc, char* argv[], struct proto** prots) { #ifdef LIBCONFIG int c, res; char *config_filename; #endif make_alloptions(); #ifdef LIBCONFIG optind = 1; opterr = 0; /* we're missing protocol options at this stage so don't output errors */ while ((c = getopt_long_only(argc, argv, optstr, all_options, NULL)) != -1) { if (c == 'v') { verbose++; } if (c == 'F') { config_filename = optarg; if (config_filename) { res = config_parse(config_filename, &addr_listen, prots); } else { /* No configuration file specified -- try default file locations */ res = config_parse("/etc/sslh/sslh.cfg", &addr_listen, prots); if (!res && verbose) fprintf(stderr, "Using /etc/sslh/sslh.cfg\n"); if (res) { res = config_parse("/etc/sslh.cfg", &addr_listen, prots); if (!res && verbose) fprintf(stderr, "Using /etc/sslh.cfg\n"); } } if (res) exit(4); break; } } #endif } /* Parse command-line options. prots points to a list of configured protocols, * potentially non-allocated */ static void parse_cmdline(int argc, char* argv[], struct proto* prots) { int c; struct addrinfo **a; struct proto *p; optind = 1; opterr = 1; next_arg: while ((c = getopt_long_only(argc, argv, optstr, all_options, NULL)) != -1) { if (c == 0) continue; if (c >= PROT_SHIFT) { if (prots) for (p = prots; p && p->next; p = p->next) { /* override if protocol was already defined by config file * (note it only overrides address and use builtin probe) */ if (!strcmp(p->description, builtins[c-PROT_SHIFT].description)) { resolve_name(&(p->saddr), optarg); p->probe = builtins[c-PROT_SHIFT].probe; goto next_arg; } } /* At this stage, it's a new protocol: add it to the end of the * list */ if (!prots) { /* No protocols yet -- create the list */ p = prots = calloc(1, sizeof(*p)); } else { p->next = calloc(1, sizeof(*p)); p = p->next; } memcpy(p, &builtins[c-PROT_SHIFT], sizeof(*p)); resolve_name(&(p->saddr), optarg); continue; } switch (c) { case 'F': /* Legal option, but do nothing, it was already processed in * cmdline_config() */ #ifndef LIBCONFIG fprintf(stderr, "Built without libconfig support: configuration file not available.\n"); exit(1); #endif break; case 't': probing_timeout = atoi(optarg); break; case OPT_ONTIMEOUT: set_ontimeout(optarg); break; case 'p': /* find the end of the listen list */ for (a = &addr_listen; *a; a = &((*a)->ai_next)); /* append the specified addresses */ resolve_name(a, optarg); break; case 'V': printf("%s %s\n", server_type, VERSION); exit(0); case 'u': user_name = optarg; break; case 'P': pid_file = optarg; break; case 'v': verbose++; break; default: print_usage(); exit(2); } } if (!prots) { fprintf(stderr, "At least one target protocol must be specified.\n"); exit(2); } set_protocol_list(prots); /* If compiling with systemd socket support no need to require listen address */ #ifndef SYSTEMD if (!addr_listen && !inetd) { fprintf(stderr, "No listening address specified; use at least one -p option\n"); exit(1); } #endif /* Did command-line override foreground setting? */ if (background) foreground = 0; } int main(int argc, char *argv[]) { extern char *optarg; extern int optind; int res, num_addr_listen; struct proto* protocols = NULL; int *listen_sockets; /* Init defaults */ pid_file = NULL; user_name = NULL; cmdline_config(argc, argv, &protocols); parse_cmdline(argc, argv, protocols); if (inetd) { verbose = 0; start_shoveler(0); exit(0); } if (verbose) printsettings(); num_addr_listen = start_listen_sockets(&listen_sockets, addr_listen); #ifdef SYSTEMD if (num_addr_listen < 1) { fprintf(stderr, "No listening sockets found, restart sockets or specify addresses in config\n"); exit(1); } #endif if (!foreground) { if (fork() > 0) exit(0); /* Detach */ /* New session -- become group leader */ if (getuid() == 0) { res = setsid(); CHECK_RES_DIE(res, "setsid: already process leader"); } } setup_signals(); if (pid_file) write_pid_file(pid_file); if (user_name) drop_privileges(user_name); /* Open syslog connection */ setup_syslog(argv[0]); if (verbose) printcaps(); main_loop(listen_sockets, num_addr_listen); return 0; } sslh-v1.18/sslh-select.c000066400000000000000000000266671267655245100152320ustar00rootroot00000000000000/* sslh-select: mono-processus server # Copyright (C) 2007-2010 Yves Rutschle # # This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License as published by the Free Software Foundation; either # version 2 of the License, or (at your option) any later # version. # # This program is distributed in the hope that it will be # useful, but WITHOUT ANY WARRANTY; without even the implied # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR # PURPOSE. See the GNU General Public License for more # details. # # The full text for the General Public License is here: # http://www.gnu.org/licenses/gpl.html */ #define __LINUX__ #include "common.h" #include "probe.h" const char* server_type = "sslh-select"; /* cnx_num_alloc is the number of connection to allocate at once (at start-up, * and then every time we get too many simultaneous connections: e.g. start * with 100 slots, then if we get more than 100 connections allocate another * 100 slots, and so on). We never free up connection structures. We try to * allocate as many structures at once as will fit in one page (which is 102 * in sslh 1.9 on Linux on x86) */ static long cnx_num_alloc; /* Make the file descriptor non-block */ int set_nonblock(int fd) { int flags; flags = fcntl(fd, F_GETFL); CHECK_RES_RETURN(flags, "fcntl"); flags |= O_NONBLOCK; flags = fcntl(fd, F_SETFL, flags); CHECK_RES_RETURN(flags, "fcntl"); return flags; } int tidy_connection(struct connection *cnx, fd_set *fds, fd_set *fds2) { int i; for (i = 0; i < 2; i++) { if (cnx->q[i].fd != -1) { if (verbose) fprintf(stderr, "closing fd %d\n", cnx->q[i].fd); close(cnx->q[i].fd); FD_CLR(cnx->q[i].fd, fds); FD_CLR(cnx->q[i].fd, fds2); if (cnx->q[i].deferred_data) free(cnx->q[i].deferred_data); } } init_cnx(cnx); return 0; } /* if fd becomes higher than FD_SETSIZE, things won't work so well with FD_SET * and FD_CLR. Need to drop connections if we go above that limit */ int fd_is_in_range(int fd) { if (fd >= FD_SETSIZE) { log_message(LOG_ERR, "too many open file descriptor to monitor them all -- dropping connection\n"); return 0; } return 1; } /* Accepts a connection from the main socket and assigns it to an empty slot. * If no slots are available, allocate another few. If that fails, drop the * connexion */ int accept_new_connection(int listen_socket, struct connection *cnx[], int* cnx_size) { int in_socket, free, i, res; struct connection *new; in_socket = accept(listen_socket, 0, 0); CHECK_RES_RETURN(in_socket, "accept"); if (!fd_is_in_range(in_socket)) return -1; res = set_nonblock(in_socket); if (res == -1) return -1; /* Find an empty slot */ for (free = 0; (free < *cnx_size) && ((*cnx)[free].q[0].fd != -1); free++) { /* nothing */ } if (free >= *cnx_size) { if (verbose) fprintf(stderr, "buying more slots from the slot machine.\n"); new = realloc(*cnx, (*cnx_size + cnx_num_alloc) * sizeof((*cnx)[0])); if (!new) { log_message(LOG_ERR, "unable to realloc -- dropping connection\n"); return -1; } *cnx = new; *cnx_size += cnx_num_alloc; for (i = free; i < *cnx_size; i++) { init_cnx(&(*cnx)[i]); } } (*cnx)[free].q[0].fd = in_socket; (*cnx)[free].state = ST_PROBING; (*cnx)[free].probe_timeout = time(NULL) + probing_timeout; if (verbose) fprintf(stderr, "accepted fd %d on slot %d\n", in_socket, free); return in_socket; } /* Connect queue 1 of connection to SSL; returns new file descriptor */ int connect_queue(struct connection *cnx, fd_set *fds_r, fd_set *fds_w) { struct queue *q = &cnx->q[1]; q->fd = connect_addr(cnx, cnx->q[0].fd); if ((q->fd != -1) && fd_is_in_range(q->fd)) { log_connection(cnx); set_nonblock(q->fd); flush_deferred(q); if (q->deferred_data) { FD_SET(q->fd, fds_w); } else { FD_SET(q->fd, fds_r); } return q->fd; } else { tidy_connection(cnx, fds_r, fds_w); return -1; } } /* shovels data from active fd to the other returns after one socket closed or operation would block */ void shovel(struct connection *cnx, int active_fd, fd_set *fds_r, fd_set *fds_w) { struct queue *read_q, *write_q; read_q = &cnx->q[active_fd]; write_q = &cnx->q[1-active_fd]; if (verbose) fprintf(stderr, "activity on fd%d\n", read_q->fd); switch(fd2fd(write_q, read_q)) { case -1: case FD_CNXCLOSED: tidy_connection(cnx, fds_r, fds_w); break; case FD_STALLED: FD_SET(write_q->fd, fds_w); FD_CLR(read_q->fd, fds_r); break; default: /* Nothing */ break; } } /* returns true if specified fd is initialised and present in fd_set */ int is_fd_active(int fd, fd_set* set) { if (fd == -1) return 0; return FD_ISSET(fd, set); } /* Main loop: the idea is as follow: * - fds_r and fds_w contain the file descriptors to monitor in read and write * - When a file descriptor goes off, process it: read from it, write the data * to its corresponding pair. * - When a file descriptor blocks when writing, remove the read fd from fds_r, * move the data to a deferred buffer, and add the write fd to fds_w. Defered * buffer is allocated dynamically. * - When we can write to a file descriptor that has deferred data, we try to * write as much as we can. Once all data is written, remove the fd from fds_w * and add its corresponding pair to fds_r, free the buffer. * * That way, each pair of file descriptor (read from one, write to the other) * is monitored either for read or for write, but never for both. */ void main_loop(int listen_sockets[], int num_addr_listen) { fd_set fds_r, fds_w; /* reference fd sets (used to init the next 2) */ fd_set readfds, writefds; /* working read and write fd sets */ struct timeval tv; int max_fd, in_socket, i, j, res; struct connection *cnx; int num_cnx; /* Number of connections in *cnx */ int num_probing = 0; /* Number of connections currently probing * We use this to know if we need to time out of * select() */ FD_ZERO(&fds_r); FD_ZERO(&fds_w); for (i = 0; i < num_addr_listen; i++) { FD_SET(listen_sockets[i], &fds_r); set_nonblock(listen_sockets[i]); } max_fd = listen_sockets[num_addr_listen-1] + 1; cnx_num_alloc = getpagesize() / sizeof(struct connection); num_cnx = cnx_num_alloc; /* Start with a set pool of slots */ cnx = malloc(num_cnx * sizeof(struct connection)); for (i = 0; i < num_cnx; i++) init_cnx(&cnx[i]); while (1) { memset(&tv, 0, sizeof(tv)); tv.tv_sec = probing_timeout; memcpy(&readfds, &fds_r, sizeof(readfds)); memcpy(&writefds, &fds_w, sizeof(writefds)); if (verbose) fprintf(stderr, "selecting... max_fd=%d num_probing=%d\n", max_fd, num_probing); res = select(max_fd, &readfds, &writefds, NULL, num_probing ? &tv : NULL); if (res < 0) perror("select"); /* Check main socket for new connections */ for (i = 0; i < num_addr_listen; i++) { if (FD_ISSET(listen_sockets[i], &readfds)) { in_socket = accept_new_connection(listen_sockets[i], &cnx, &num_cnx); if (in_socket != -1) num_probing++; if (in_socket > 0) { FD_SET(in_socket, &fds_r); if (in_socket >= max_fd) max_fd = in_socket + 1;; } FD_CLR(listen_sockets[i], &readfds); } } /* Check all sockets for write activity */ for (i = 0; i < num_cnx; i++) { if (cnx[i].q[0].fd != -1) { for (j = 0; j < 2; j++) { if (is_fd_active(cnx[i].q[j].fd, &writefds)) { res = flush_deferred(&cnx[i].q[j]); if ((res == -1) && ((errno == EPIPE) || (errno == ECONNRESET))) { if (cnx[i].state == ST_PROBING) num_probing--; tidy_connection(&cnx[i], &fds_r, &fds_w); if (verbose) fprintf(stderr, "closed slot %d\n", i); } else { /* If no deferred data is left, stop monitoring the fd * for write, and restart monitoring the other one for reads*/ if (!cnx[i].q[j].deferred_data_size) { FD_CLR(cnx[i].q[j].fd, &fds_w); FD_SET(cnx[i].q[1-j].fd, &fds_r); } } } } } } /* Check all sockets for read activity */ for (i = 0; i < num_cnx; i++) { for (j = 0; j < 2; j++) { if (is_fd_active(cnx[i].q[j].fd, &readfds) || ((cnx[i].state == ST_PROBING) && (cnx[i].probe_timeout < time(NULL)))) { if (verbose) fprintf(stderr, "processing fd%d slot %d\n", j, i); switch (cnx[i].state) { case ST_PROBING: if (j == 1) { fprintf(stderr, "Activity on fd2 while probing, impossible\n"); dump_connection(&cnx[i]); exit(1); } /* If timed out it's SSH, otherwise the client sent * data so probe the protocol */ if ((cnx[i].probe_timeout < time(NULL))) { cnx[i].proto = timeout_protocol(); } else { res = probe_client_protocol(&cnx[i]); if (res == PROBE_AGAIN) continue; } num_probing--; cnx[i].state = ST_SHOVELING; /* libwrap check if required for this protocol */ if (cnx[i].proto->service && check_access_rights(in_socket, cnx[i].proto->service)) { tidy_connection(&cnx[i], &fds_r, &fds_w); res = -1; } else { res = connect_queue(&cnx[i], &fds_r, &fds_w); } if (res >= max_fd) max_fd = res + 1;; break; case ST_SHOVELING: shovel(&cnx[i], j, &fds_r, &fds_w); break; default: /* illegal */ log_message(LOG_ERR, "Illegal connection state %d\n", cnx[i].state); exit(1); } } } } } } void start_shoveler(int listen_socket) { fprintf(stderr, "inetd mode is not supported in select mode\n"); exit(1); } /* The actual main is in common.c: it's the same for both version of * the server */ sslh-v1.18/sslh.pod000066400000000000000000000162431267655245100143020ustar00rootroot00000000000000# I'm just not gonna write troff :-) =head1 NAME sslh - protocol demultiplexer =head1 SYNOPSIS sslh [B<-F> I] [ B<-t> I ] [B<--transparent>] [B<-p> I [B<-p> I ...] [B<--ssl> I] [B<--ssh> I] [B<--openvpn> I] [B<--http> I] [B<--anyprot> I] [B<--on-timeout> I] [B<-u> I] [B<-P> I] [-v] [-i] [-V] [-f] [-n] =head1 DESCRIPTION B accepts connections on specified ports, and forwards them further based on tests performed on the first data packet sent by the remote client. Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol that can be tested using a regular expression, can be recognised. A typical use case is to allow serving several services on port 443 (e.g. to connect to ssh from inside a corporate firewall, which almost never block port 443) while still serving HTTPS on that port. Hence B acts as a protocol demultiplexer, or a switchboard. Its name comes from its original function to serve SSH and HTTPS on the same port. =head2 Libwrap support One drawback of B is that the servers do not see the original IP address of the client anymore, as the connection is forwarded through B. For this reason, B can be compiled with B to check accesses defined in F and F. Libwrap services can be defined using the configuration file. =head2 Configuration file A configuration file can be supplied to B. Command line arguments override file settings. B uses B to parse the configuration file, so the general file format is indicated in L. Please refer to the example configuration file provided with B for the specific format (Options have the same names as on the command line, except for the list of listen ports and the list of protocols). The configuration file makes it possible to specify protocols using regular expressions: a list of regular expressions is given as the I parameter, and if the first packet received from the client matches any of these expressions, B connects to that protocol. =head2 Probing protocols When receiving an incoming connection, B will read the first bytes sent be the connecting client. It will then probe for the protocol in the order specified on the command line (or the configuration file). Therefore B<--anyprot> should alway be used last, as it always succeeds and further protocols will never be tried. If no data is sent by the client, B will eventually time out and connect to the protocol specified with B<--on-timeout>, or I if none is specified. =head2 Logging As a security/authorization program, B logs to the LOG_AUTH facility, with priority LOG_INFO for normal connections and LOG_ERR for failures. =head1 OPTIONS =over 4 =item B<-F> I, B<--config> I Uses I has configuration file. If other command-line options are specified, they will override the configuration file's settings. =item B<-t> I, B<--timeout> I Timeout before forwarding the connection to the timeout protocol (which should usually be SSH). Default is 2s. =item B<--on-timeout> I Name of the protocol to connect to after the timeout period is over. Default is 'ssh'. =item B<--transparent> Makes B behave as a transparent proxy, i.e. the receiving service sees the original client's IP address. This works on Linux only and involves B settings. Refer to the README for more information. =item B<-p> I, B<--listen> I Interface and port on which to listen, e.g. I, where I is the name of an interface (typically the IP address on which the Internet connection ends up). This can be specified several times to bind B to several addresses. =item B<--ssl> I =item B<--tls> I Interface and port on which to forward SSL connection, typically I. Note that you can set B to listen on I and B to listen on I: this allows clients inside your network to just connect directly to B. Also, B probes for SSLv3 (or TLSv1) handshake and will reject connections from clients requesting SSLv2. This is compliant to RFC6176 which prohibits the usage of SSLv2. If you wish to accept SSLv2, use B<--default> instead. =item B<--ssh> I Interface and port on which to forward SSH connections, typically I. =item B<--openvpn> I Interface and port on which to forward OpenVPN connections, typically I. =item B<--xmpp> I Interface and port on which to forward XMPP connections, typically I. =item B<--http> I Interface and port on which to forward HTTP connections, typically I. =item B<--tinc> I Interface and port on which to forward tinc connections, typically I. This is experimental. If you use this feature, please report the results (even if it works!) =item B<--anyprot> I Interface and port on which to forward if no other protocol has been found. Because B tries protocols in the order specified on the command line, this should be specified last. If no default is specified, B will forward unknown protocols to the first protocol specified. =item B<-v>, B<--verbose> Increase verboseness. =item B<-n>, B<--numeric> Do not attempt to resolve hostnames: logs will contain IP addresses. This is mostly useful if the system's DNS is slow and running the I variant, as DNS requests will hang all connections. =item B<-V> Prints B version. =item B<-u> I, B<--user> I Requires to run under the specified username. =item B<-P> I, B<--pidfile> I Specifies a file in which to write the PID of the main server. =item B<-i>, B<--inetd> Runs as an I server. Options B<-P> (PID file), B<-p> (listen address), B<-u> (user) are ignored. =item B<-f>, B<--foreground> Runs in foreground. The server will not fork and will remain connected to the terminal. Messages normally sent to B will also be sent to I. =item B<--background> Runs in background. This overrides B if set in the configuration file (or on the command line, but there is no point setting both on the command line unless you have a personality disorder). =back =head1 FILES =over 4 =item F Start-up script. The standard actions B, B and B are supported. =item F Server configuration. These are environment variables loaded by the start-up script and passed to B as command-line arguments. Refer to the OPTIONS section for a detailed explanation of the variables used by B. =back =head1 SEE ALSO Last version available from L, and can be tracked from L. =head1 AUTHOR Written by Yves Rutschle sslh-v1.18/systemd-sslh-generator.c000066400000000000000000000075251267655245100174170ustar00rootroot00000000000000#include #include #include #include static char* resolve_listen(const char *hostname, const char *port) { /* Need room in the strcat for \0 and : * the format in the socket unit file is hostname:port */ char *conn = (char*)malloc(strlen(hostname)+strlen(port)+2); strcpy(conn, hostname); strcat(conn, ":"); strcat(conn, port); return conn; } static int get_listen_from_conf(const char *filename, char **listen) { config_t config; config_setting_t *setting, *addr; const char *hostname, *port; int len = 0; /* look up the listen stanzas in the config file so these * can be used in the socket file generated */ config_init(&config); if (config_read_file(&config, filename) == CONFIG_FALSE) { /* we don't care if file is missing, skip it */ if (config_error_line(&config) != 0) { fprintf(stderr, "%s:%d:%s\n", filename, config_error_line(&config), config_error_text(&config)); return -1; } } else { setting = config_lookup(&config, "listen"); if (setting) { len = config_setting_length(setting); for (int i = 0; i < len; i++) { addr = config_setting_get_elem(setting, i); if (! (config_setting_lookup_string(addr, "host", &hostname) && config_setting_lookup_string(addr, "port", &port))) { fprintf(stderr, "line %d:Incomplete specification (hostname and port required)\n", config_setting_source_line(addr)); return -1; } else { listen[i] = malloc(strlen(resolve_listen(hostname, port))); strcpy(listen[i], resolve_listen(hostname, port)); } } } } return len; } static int write_socket_unit(FILE *socket, char **listen, int num_addr, const char *source) { fprintf(socket, "# Automatically generated by systemd-sslh-generator\n\n" "[Unit]\n" "Before=sslh.service\n" "SourcePath=%s\n" "Documentation=man:sslh(8) man:systemd-sslh-generator(8)\n\n" "[Socket]\n" "FreeBind=true\n", source); for (int i = 0; i < num_addr; i++) { fprintf(socket, "ListenStream=%s\n", listen[i]); } return 0; } static int gen_sslh_config(char *runtime_unit_dir) { char *sslh_conf; int num_addr; FILE *config; char **listen; FILE *runtime_conf_fd = stdout; const char *unit_file; /* There are two default locations so check both with first given preference */ sslh_conf = "/etc/sslh.cfg"; config = fopen(sslh_conf, "r"); if (config == NULL) { sslh_conf="/etc/sslh/sslh.cfg"; config = fopen(sslh_conf, "r"); if (config == NULL) { return -1; } } fclose(config); num_addr = get_listen_from_conf(sslh_conf, listen); if (num_addr < 0) return -1; /* If this is run by systemd directly write to the location told to * otherwise write to standard out so that it's trivial to check what * will be written */ if (runtime_unit_dir != "") { unit_file = "/sslh.socket"; size_t uf_len = strlen(unit_file); size_t runtime_len = strlen(runtime_unit_dir) + uf_len + 1; char *runtime_conf = malloc(runtime_len); strcpy(runtime_conf, runtime_unit_dir); strcat(runtime_conf, unit_file); runtime_conf_fd = fopen(runtime_conf, "w"); } return write_socket_unit(runtime_conf_fd, listen, num_addr, sslh_conf); } int main(int argc, char *argv[]){ int r = 0; int k; char *runtime_unit_dest = ""; if (argc > 1 && (argc != 4) ) { printf("This program takes three or no arguments.\n"); return -1; } if (argc > 1) runtime_unit_dest = argv[1]; k = gen_sslh_config(runtime_unit_dest); if (k < 0) r = k; return r < 0 ? -1 : 0; } sslh-v1.18/t000077500000000000000000000251411267655245100130130ustar00rootroot00000000000000#! /usr/bin/perl -w # Test script for sslh use strict; use IO::Socket::INET6; use Test::More qw/no_plan/; # We use ports 9000, 9001 and 9002 -- hope that won't clash # with anything... my $ssh_address = "ip6-localhost:9000"; my $ssl_address = "ip6-localhost:9001"; my $sslh_port = 9002; my $no_listen = 9003; # Port on which no-one listens my $pidfile = "/tmp/sslh_test.pid"; # Which tests do we run my $SSL_CNX = 1; my $SSH_SHY_CNX = 1; my $SSH_BOLD_CNX = 1; my $SSH_PROBE_AGAIN = 1; my $SSL_MIX_SSH = 1; my $SSH_MIX_SSL = 1; my $BIG_MSG = 0; # This test is unreliable my $STALL_CNX = 0; # This test needs fixing # Robustness tests. These are mostly to achieve full test # coverage, but do not necessarily result in an actual test # (e.g. some tests need to be run with valgrind to check all # memory management code). my $RB_CNX_NOSERVER = 1; my $RB_PARAM_NOHOST = 1; my $RB_WRONG_USERNAME = 1; my $RB_OPEN_PID_FILE = 1; my $RB_BIND_ADDRESS = 1; my $RB_RESOLVE_ADDRESS = 1; `lcov --directory . --zerocounters`; my ($ssh_pid, $ssl_pid); if (!($ssh_pid = fork)) { exec "./echosrv --listen $ssh_address --prefix 'ssh: '"; } if (!($ssl_pid = fork)) { exec "./echosrv --listen $ssl_address --prefix 'ssl: '"; } my @binaries = ('sslh-select', 'sslh-fork'); for my $binary (@binaries) { warn "Testing $binary\n"; # Start sslh with the right plumbing my $sslh_pid; if (!($sslh_pid = fork)) { my $user = (getpwuid $<)[0]; # Run under current username my $cmd = "./$binary -v -f -u $user --listen localhost:$sslh_port --ssh $ssh_address --ssl $ssl_address -P $pidfile"; warn "$cmd\n"; #exec $cmd; exec "valgrind --leak-check=full ./$binary -v -f -u $user --listen localhost:$sslh_port --ssh $ssh_address -ssl $ssl_address -P $pidfile"; exit 0; } warn "spawned $sslh_pid\n"; sleep 5; # valgrind can be heavy -- wait 5 seconds my $test_data = "hello world\n"; # my $ssl_test_data = (pack 'n', ((length $test_data) + 2)) . $test_data; my $ssl_test_data = "\x16\x03\x03$test_data\n"; # Test: SSL connection if ($SSL_CNX) { print "***Test: SSL connection\n"; my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); warn "$!\n" unless $cnx_l; if (defined $cnx_l) { print $cnx_l $ssl_test_data; my $data; my $n = sysread $cnx_l, $data, 1024; is($data, "ssl: $ssl_test_data", "SSL connection"); } } # Test: Shy SSH connection if ($SSH_SHY_CNX) { print "***Test: Shy SSH connection\n"; my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); warn "$!\n" unless $cnx_h; if (defined $cnx_h) { sleep 3; print $cnx_h $test_data; my $data = <$cnx_h>; is($data, "ssh: $test_data", "Shy SSH connection"); } } # Test: Bold SSH connection if ($SSH_BOLD_CNX) { print "***Test: Bold SSH connection\n"; my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); warn "$!\n" unless $cnx_h; if (defined $cnx_h) { my $td = "SSH-2.0 testsuite\t$test_data"; print $cnx_h $td; my $data = <$cnx_h>; is($data, "ssh: $td", "Bold SSH connection"); } } # Test: PROBE_AGAIN, incomplete first frame if ($SSH_PROBE_AGAIN) { print "***Test: incomplete SSH first frame\n"; my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); warn "$!\n" unless $cnx_h; if (defined $cnx_h) { my $td = "SSH-2.0 testsuite\t$test_data"; print $cnx_h substr $td, 0, 2; sleep 1; print $cnx_h substr $td, 2; my $data = <$cnx_h>; is($data, "ssh: $td", "Incomplete first SSH frame"); } } # Test: One SSL half-started then one SSH if ($SSL_MIX_SSH) { print "***Test: One SSL half-started then one SSH\n"; my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); warn "$!\n" unless $cnx_l; if (defined $cnx_l) { print $cnx_l $ssl_test_data; my $cnx_h= new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); warn "$!\n" unless $cnx_h; if (defined $cnx_h) { sleep 3; print $cnx_h $test_data; my $data_h = <$cnx_h>; is($data_h, "ssh: $test_data", "SSH during SSL being established"); } my $data; my $n = sysread $cnx_l, $data, 1024; is($data, "ssl: $ssl_test_data", "SSL connection interrupted by SSH"); } } # Test: One SSH half-started then one SSL if ($SSH_MIX_SSL) { print "***Test: One SSH half-started then one SSL\n"; my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); warn "$!\n" unless $cnx_h; if (defined $cnx_h) { sleep 3; my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); warn "$!\n" unless $cnx_l; if (defined $cnx_l) { print $cnx_l $ssl_test_data; my $data; my $n = sysread $cnx_l, $data, 1024; is($data, "ssl: $ssl_test_data", "SSL during SSH being established"); } print $cnx_h $test_data; my $data = <$cnx_h>; is($data, "ssh: $test_data", "SSH connection interrupted by SSL"); } } # Test: Big messages (careful: don't go over echosrv's buffer limit (1M)) if ($BIG_MSG) { print "***Test: big message\n"; my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); warn "$!\n" unless $cnx_l; my $rept = 1000; my $test_data2 = $ssl_test_data . ("helloworld"x$rept); if (defined $cnx_l) { my $n = syswrite $cnx_l, $test_data2; my ($data); $n = sysread $cnx_l, $data, 1 << 20; is($data, "ssl: ". $test_data2, "Big message"); } } # Test: Stalled connection # Create two connections, stall one, check the other one # works, unstall first and check it works fine # This test needs fixing. # Now that echosrv no longer works on "lines" (finishing # with '\n'), it may cut blocks randomly with prefixes. # The whole thing needs to be re-thought as it'll only # work by chance. if ($STALL_CNX) { print "***Test: Stalled connection\n"; my $cnx_1 = new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); warn "$!\n" unless defined $cnx_1; my $cnx_2 = new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); warn "$!\n" unless defined $cnx_2; my $test_data2 = "helloworld"; sleep 4; my $rept = 1000; if (defined $cnx_1 and defined $cnx_2) { print $cnx_1 ($test_data2 x $rept); print $cnx_1 "\n"; print $cnx_2 ($test_data2 x $rept); print $cnx_2 "\n"; my $data = <$cnx_2>; is($data, "ssh: " . ($test_data2 x $rept) . "\n", "Stalled connection (1)"); print $cnx_2 ($test_data2 x $rept); print $cnx_2 "\n"; $data = <$cnx_2>; is($data, "ssh: " . ($test_data2 x $rept) . "\n", "Stalled connection (2)"); $data = <$cnx_1>; is($data, "ssh: " . ($test_data2 x $rept) . "\n", "Stalled connection (3)"); } } my $pid = `cat $pidfile`; warn "killing $pid\n"; kill TERM => $pid or warn "kill process: $!\n"; sleep 1; } # Robustness: Connecting to non-existant server if ($RB_CNX_NOSERVER) { print "***Test: Connecting to non-existant server\n"; my $sslh_pid; if (!($sslh_pid = fork)) { my $user = (getpwuid $<)[0]; # Run under current username exec "./sslh-select -v -f -u $user --listen localhost:$sslh_port --ssh localhost:$no_listen --ssl localhost:$no_listen -P $pidfile"; } warn "spawned $sslh_pid\n"; sleep 1; my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); warn "$!\n" unless $cnx_h; if (defined $cnx_h) { sleep 1; my $test_data = "hello"; print $cnx_h $test_data; } # Ideally we should check a log is emitted. kill TERM => `cat $pidfile` or warn "kill: $!\n"; sleep 1; } # Robustness: No hostname in address if ($RB_PARAM_NOHOST) { print "***Test: No hostname in address\n"; my $sslh_pid; if (!($sslh_pid = fork)) { my $user = (getpwuid $<)[0]; # Run under current username exec "./sslh-select -v -f -u $user --listen $sslh_port --ssh $ssh_address --ssl $ssl_address -P $pidfile"; } warn "spawned $sslh_pid\n"; waitpid $sslh_pid, 0; my $code = $? >> 8; warn "exited with $code\n"; is($code, 1, "Exit status on illegal option"); } # Robustness: User does not exist if ($RB_WRONG_USERNAME) { print "***Test: Changing to non-existant username\n"; my $sslh_pid; if (!($sslh_pid = fork)) { my $user = (getpwuid $<)[0]; # Run under current username exec "./sslh-select -v -f -u ${user}_doesnt_exist --listen localhost:$sslh_port --ssh $ssh_address --ssl $ssl_address -P $pidfile"; } warn "spawned $sslh_pid\n"; waitpid $sslh_pid, 0; my $code = $? >> 8; warn "exited with $code\n"; is($code, 2, "Exit status on non-existant username"); } # Robustness: Can't open PID file if ($RB_OPEN_PID_FILE) { print "***Test: Can't open PID file\n"; my $sslh_pid; if (!($sslh_pid = fork)) { my $user = (getpwuid $<)[0]; # Run under current username exec "./sslh-select -v -f -u $user --listen localhost:$sslh_port --ssh $ssh_address --ssl $ssl_address -P /dont_exist/$pidfile"; # You don't have a /dont_exist/ directory, do you?! } warn "spawned $sslh_pid\n"; waitpid $sslh_pid, 0; my $code = $? >> 8; warn "exited with $code\n"; is($code, 3, "Exit status if can't open PID file"); } # Robustness: Can't resolve address if ($RB_RESOLVE_ADDRESS) { print "***Test: Can't resolve address\n"; my $sslh_pid; if (!($sslh_pid = fork)) { my $user = (getpwuid $<)[0]; # Run under current username exec "./sslh-select -v -f -u $user --listen blahblah.dontexist:9000 --ssh $ssh_address --ssl $ssl_address -P $pidfile"; } warn "spawned $sslh_pid\n"; waitpid $sslh_pid, 0; my $code = $? >> 8; warn "exited with $code\n"; is($code, 4, "Exit status if can't resolve address"); } `lcov --directory . --capture --output-file sslh_cov.info`; `genhtml sslh_cov.info`; `killall echosrv`; sslh-v1.18/t_load000077500000000000000000000072011267655245100140070ustar00rootroot00000000000000#! /usr/bin/perl -w # Test script for sslh -- mass communication # This creates many clients that perform concurrent # connections, disconnect at any time, and try to generally # behave as badly as possible. # It can be used to test sslh behaves properly with many # clients, however its main use is to get an idea of how # much load it can take on your system before things start # to go wrong. use strict; use IO::Socket::INET6; use Data::Dumper; ## BEGIN TEST CONFIG # Do we test sslh-select or sslh-fork? my $sslh_binary = "./sslh-select"; # How many clients to we start for each protocol? my $NUM_CNX = 30; # Delay between starting new processes when starting up. If # you start 200 processes in under a second, things go wrong # and it's not sslh's fault (typically the echosrv won't be # forking fast enough). my $start_time_delay = 1; # If you test 4 protocols, you'll start $NUM_CNX * 4 clients # (e.g. 40), starting one every $start_time_delay seconds. # Max times we repeat the test string: allows to test for # large messages. my $block_rpt = 4096; # Probability to stop a client after a message (e.g. with # .01 a client will send an average of 100 messages before # disconnecting). my $stop_client_probability = .001; # What protocols we test, and on what ports # Just comment out protocols you don't want to use. my %protocols = ( "ssh" => { address => "localhost:9001", client => client("ssh") }, "ssl" => { address => "localhost:9002", client => client("ssl") }, "openvpn" => {address => "localhost:9003", client => client("openvpn") }, "tinc" => {address => "localhost:9004", client => client("tinc") }, ); ##END CONFIG # We use ports 9000, 9001 and 9002 -- hope that won't clash # with anything... my $sslh_address = "localhost:9000"; my $pidfile = "/tmp/sslh_test.pid"; sub client { my ($service) = @_; return sub { while (1) { my $cnx = new IO::Socket::INET(PeerHost => $sslh_address); my $test_data = "$service testing " x int(rand($block_rpt)+1) . "\n"; sleep 5 if $service eq "ssh"; if ($service eq "openvpn") { syswrite $cnx, "\x00\x0F\x38\n"; my $msg; sysread $cnx, $msg, 14; # length "openvpn: \x0\xF\x38\n" => 14 } if ($service eq "tinc") { syswrite $cnx, "0 \n"; my $msg; sysread $cnx, $msg, 10; # length "tinc: 0 \n" => 10 } while (1) { print $cnx $test_data; my $r = <$cnx>; ($? = 1, die "$service got [$r]\n") if ($r ne "$service: $test_data"); last if rand(1) < $stop_client_probability; } } exit 0; } } foreach my $p (keys %protocols) { if (!fork) { exec "./echosrv --listen $protocols{$p}->{address} --prefix '$p: '"; } } # Start sslh with the right plumbing my $sslh_pid; if (!($sslh_pid = fork)) { my $user = (getpwuid $<)[0]; # Run under current username my $prots = join " ", map "--$_ $protocols{$_}->{address}", keys %protocols; my $cmd = "$sslh_binary -f -t 3 -u $user --listen $sslh_address $prots -P $pidfile"; print "$cmd\n"; exec $cmd; exit 0; } warn "spawned $sslh_pid\n"; sleep 2; # valgrind can be heavy -- wait 5 seconds for (1 .. $NUM_CNX) { foreach my $p (keys %protocols) { if (!fork) { warn "starting $p\n"; &{$protocols{$p}->{client}}; exit; } # Give a little time so we don't overrun the # listen(2) backlog. select undef, undef, undef, $start_time_delay; } } wait; `killall echosrv`; sslh-v1.18/tls.c000066400000000000000000000241321267655245100135670ustar00rootroot00000000000000/* * Copyright (c) 2011 and 2012, Dustin Lundquist * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ /* * This is a minimal TLS implementation intended only to parse the server name * extension. This was created based primarily on Wireshark dissection of a * TLS handshake and RFC4366. */ #include #include /* malloc() */ #include "tls.h" #define TLS_HEADER_LEN 5 #define TLS_HANDSHAKE_CONTENT_TYPE 0x16 #define TLS_HANDSHAKE_TYPE_CLIENT_HELLO 0x01 #ifndef MIN #define MIN(X, Y) ((X) < (Y) ? (X) : (Y)) #endif struct TLSProtocol { int use_alpn; char** sni_hostname_list; char** alpn_protocol_list; }; static int parse_extensions(const struct TLSProtocol *, const char *, size_t); static int parse_server_name_extension(const struct TLSProtocol *, const char *, size_t); static int parse_alpn_extension(const struct TLSProtocol *, const char *, size_t); static int has_match(char**, const char*, size_t); /* Parse a TLS packet for the Server Name Indication and ALPN extension in the client * hello handshake, returning a status code * * Returns: * >=0 - length of the hostname and updates *hostname * caller is responsible for freeing *hostname * -1 - Incomplete request * -2 - No Host header included in this request * -3 - Invalid hostname pointer * < -4 - Invalid TLS client hello */ int parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t data_len) { char tls_content_type; char tls_version_major; char tls_version_minor; size_t pos = TLS_HEADER_LEN; size_t len; /* Check that our TCP payload is at least large enough for a TLS header */ if (data_len < TLS_HEADER_LEN) return -1; tls_content_type = data[0]; if (tls_content_type != TLS_HANDSHAKE_CONTENT_TYPE) { if (verbose) fprintf(stderr, "Request did not begin with TLS handshake.\n"); return -5; } tls_version_major = data[1]; tls_version_minor = data[2]; if (tls_version_major < 3) { if (verbose) fprintf(stderr, "Received SSL %d.%d handshake which cannot be parsed.\n", tls_version_major, tls_version_minor); return -2; } /* TLS record length */ len = ((unsigned char)data[3] << 8) + (unsigned char)data[4] + TLS_HEADER_LEN; data_len = MIN(data_len, len); /* Check we received entire TLS record length */ if (data_len < len) return -1; /* * Handshake */ if (pos + 1 > data_len) { return -5; } if (data[pos] != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { if (verbose) fprintf(stderr, "Not a client hello\n"); return -5; } /* Skip past fixed length records: 1 Handshake Type 3 Length 2 Version (again) 32 Random to Session ID Length */ pos += 38; /* Session ID */ if (pos + 1 > data_len) return -5; len = (unsigned char)data[pos]; pos += 1 + len; /* Cipher Suites */ if (pos + 2 > data_len) return -5; len = ((unsigned char)data[pos] << 8) + (unsigned char)data[pos + 1]; pos += 2 + len; /* Compression Methods */ if (pos + 1 > data_len) return -5; len = (unsigned char)data[pos]; pos += 1 + len; if (pos == data_len && tls_version_major == 3 && tls_version_minor == 0) { if (verbose) fprintf(stderr, "Received SSL 3.0 handshake without extensions\n"); return -2; } /* Extensions */ if (pos + 2 > data_len) return -5; len = ((unsigned char)data[pos] << 8) + (unsigned char)data[pos + 1]; pos += 2; if (pos + len > data_len) return -5; return parse_extensions(tls_data, data + pos, len); } static int parse_extensions(const struct TLSProtocol *tls_data, const char *data, size_t data_len) { size_t pos = 0; size_t len; int last_matched = 0; if (tls_data == NULL) return -3; /* Parse each 4 bytes for the extension header */ while (pos + 4 <= data_len) { /* Extension Length */ len = ((unsigned char) data[pos + 2] << 8) + (unsigned char) data[pos + 3]; if (pos + 4 + len > data_len) return -5; size_t extension_type = ((unsigned char) data[pos] << 8) + (unsigned char) data[pos + 1]; /* Check if it's a server name extension */ /* There can be only one extension of each type, so we break our state and move pos to beginning of the extension here */ if (tls_data->use_alpn == 2) { /* we want BOTH alpn and sni to match */ if (extension_type == 0x00) { /* Server Name */ if (parse_server_name_extension(tls_data, data + pos + 4, len)) { /* SNI matched */ if(last_matched) { /* this is only true if ALPN matched, so return true */ return last_matched; } else { /* otherwise store that SNI matched */ last_matched = 1; } } else { // both can't match return -2; } } else if (extension_type == 0x10) { /* ALPN */ if (parse_alpn_extension(tls_data, data + pos + 4, len)) { /* ALPN matched */ if(last_matched) { /* this is only true if SNI matched, so return true */ return last_matched; } else { /* otherwise store that ALPN matched */ last_matched = 1; } } else { // both can't match return -2; } } } else if (extension_type == 0x00 && tls_data->use_alpn == 0) { /* Server Name */ return parse_server_name_extension(tls_data, data + pos + 4, len); } else if (extension_type == 0x10 && tls_data->use_alpn == 1) { /* ALPN */ return parse_alpn_extension(tls_data, data + pos + 4, len); } pos += 4 + len; /* Advance to the next extension header */ } /* Check we ended where we expected to */ if (pos != data_len) return -5; return -2; } static int parse_server_name_extension(const struct TLSProtocol *tls_data, const char *data, size_t data_len) { size_t pos = 2; /* skip server name list length */ size_t len; while (pos + 3 < data_len) { len = ((unsigned char)data[pos + 1] << 8) + (unsigned char)data[pos + 2]; if (pos + 3 + len > data_len) return -5; switch (data[pos]) { /* name type */ case 0x00: /* host_name */ if(has_match(tls_data->sni_hostname_list, data + pos + 3, len)) { return len; } else { return -2; } default: if (verbose) fprintf(stderr, "Unknown server name extension name type: %d\n", data[pos]); } pos += 3 + len; } /* Check we ended where we expected to */ if (pos != data_len) return -5; return -2; } static int parse_alpn_extension(const struct TLSProtocol *tls_data, const char *data, size_t data_len) { size_t pos = 2; size_t len; while (pos + 1 < data_len) { len = (unsigned char)data[pos]; if (pos + 1 + len > data_len) return -5; if (len > 0 && has_match(tls_data->alpn_protocol_list, data + pos + 1, len)) { return len; } else if (len > 0) { if (verbose) fprintf(stderr, "Unknown ALPN name: %.*s\n", (int)len, data + pos + 1); } pos += 1 + len; } /* Check we ended where we expected to */ if (pos != data_len) return -5; return -2; } static int has_match(char** list, const char* name, size_t name_len) { char **item; for (item = list; *item; item++) { if (verbose) fprintf(stderr, "matching [%.*s] with [%s]\n", (int)name_len, name, *item); if(!strncmp(*item, name, name_len)) { return 1; } } return 0; } struct TLSProtocol * new_tls_data() { struct TLSProtocol *tls_data = malloc(sizeof(struct TLSProtocol)); if (tls_data != NULL) { tls_data->use_alpn = -1; } return tls_data; } struct TLSProtocol * tls_data_set_list(struct TLSProtocol *tls_data, int alpn, char** list) { if (alpn) { tls_data->alpn_protocol_list = list; if(tls_data->use_alpn == 0) tls_data->use_alpn = 2; else tls_data->use_alpn = 1; } else { tls_data->sni_hostname_list = list; if(tls_data->use_alpn == 1) tls_data->use_alpn = 2; else tls_data->use_alpn = 0; } return tls_data; } sslh-v1.18/tls.h000066400000000000000000000032321267655245100135720ustar00rootroot00000000000000/* * Copyright (c) 2011 and 2012, Dustin Lundquist * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #ifndef TLS_H #define TLS_H #include "common.h" struct TLSProtocol; int parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t data_len); struct TLSProtocol *new_tls_data(); struct TLSProtocol *tls_data_set_list(struct TLSProtocol *, int, char**); #endif