debmon
/
stunnel4
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
stunnel4/src/stunnel.c

730 lines
22 KiB
C
Raw Blame History

/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
/* http://www.openssl.org/support/faq.html#PROG2 */
#ifdef USE_WIN32
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-pedantic"
#endif /* __GNUC__ */
#include <openssl/applink.c>
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif /* __GNUC__ */
#endif /* USE_WIN32 */
/**************************************** prototypes */
#ifdef __INNOTEK_LIBC__
struct sockaddr_un {
u_char sun_len; /* sockaddr len including null */
u_char sun_family; /* AF_OS2 or AF_UNIX */
char sun_path[108]; /* path name */
};
#endif
#ifndef USE_WIN32
static int main_unix(int, char*[]);
#endif
static int accept_connection(SERVICE_OPTIONS *);
#ifdef HAVE_CHROOT
static int change_root(void);
#endif
#if !defined(USE_WIN32) && !defined(__vms)
static int daemonize(int);
static int create_pid(void);
static void delete_pid(void);
#endif
#if !defined(USE_WIN32) && !defined(USE_OS2)
static void signal_handler(int);
#endif
static int signal_pipe_init(void);
static int signal_pipe_dispatch(void);
#ifdef USE_FORK
static void client_status(void); /* dead children detected */
#endif
/**************************************** global variables */
static int signal_pipe[2]={-1, -1};
#ifndef USE_FORK
int max_clients=0;
volatile int num_clients=0; /* current number of clients */
#endif
s_poll_set *fds; /* file descriptors of listening sockets */
/**************************************** startup */
#ifndef USE_WIN32
int main(int argc, char* argv[]) { /* execution begins here 8-) */
int retval;
#ifdef M_MMAP_THRESHOLD
mallopt(M_MMAP_THRESHOLD, 4096);
#endif
str_init(); /* initialize per-thread string management */
retval=main_unix(argc, argv);
unbind_ports();
s_poll_free(fds);
fds=NULL;
str_stats();
log_flush(LOG_MODE_ERROR);
return retval;
}
static int main_unix(int argc, char* argv[]) {
#if !defined(__vms) && !defined(USE_OS2)
int fd;
fd=open("/dev/null", O_RDWR); /* open /dev/null before chroot */
if(fd<0)
fatal("Could not open /dev/null");
#endif /* standard Unix */
main_initialize();
if(main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
return 1;
if(service_options.next) { /* there are service sections -> daemon mode */
#if !defined(__vms) && !defined(USE_OS2)
if(daemonize(fd))
return 1;
close(fd);
/* create_pid() must be called after drop_privileges()
* or it won't be possible to remove the file on exit */
/* create_pid() must be called after daemonize()
* since the final pid is not known beforehand */
if(create_pid())
return 1;
#endif /* standard Unix */
signal(SIGCHLD, signal_handler); /* handle dead children */
signal(SIGHUP, signal_handler); /* configuration reload */
signal(SIGUSR1, signal_handler); /* log reopen */
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
if(signal(SIGTERM, SIG_IGN)!=SIG_IGN)
signal(SIGTERM, signal_handler); /* fatal */
if(signal(SIGQUIT, SIG_IGN)!=SIG_IGN)
signal(SIGQUIT, signal_handler); /* fatal */
if(signal(SIGINT, SIG_IGN)!=SIG_IGN)
signal(SIGINT, signal_handler); /* fatal */
daemon_loop();
} else { /* inetd mode */
#if !defined(__vms) && !defined(USE_OS2)
close(fd);
#endif /* standard Unix */
signal(SIGCHLD, SIG_IGN); /* ignore dead children */
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
client_main(alloc_client_session(&service_options, 0, 1));
}
return 0;
}
#endif
void main_initialize() { /* one-time initialization */
/* basic initialization contains essential functions required for logging
* subsystem to function properly, thus all errors here are fatal */
if(ssl_init()) /* initialize SSL library */
fatal("SSL initialization failed");
if(sthreads_init()) /* initialize critical sections & SSL callbacks */
fatal("Threads initialization failed");
#ifndef USE_FORK
get_limits(); /* required by setup_fd() */
#endif
fds=s_poll_alloc();
if(signal_pipe_init())
fatal("Signal pipe initialization failed: "
"check your personal firewall");
stunnel_info(LOG_NOTICE);
}
/* configuration-dependent initialization */
int main_configure(char *arg1, char *arg2) {
if(parse_commandline(arg1, arg2))
return 1;
str_canary_init(); /* needs prng initialization from parse_commandline */
#if !defined(USE_WIN32) && !defined(__vms)
/* syslog_open() must be called before change_root()
* to be able to access /dev/log socket */
syslog_open();
#endif /* !defined(USE_WIN32) && !defined(__vms) */
if(bind_ports())
return 1;
#ifdef HAVE_CHROOT
/* change_root() must be called before drop_privileges()
* since chroot() needs root privileges */
if(change_root())
return 1;
#endif /* HAVE_CHROOT */
#if !defined(USE_WIN32) && !defined(__vms) && !defined(USE_OS2)
if(drop_privileges(1))
return 1;
#endif /* standard Unix */
/* log_open() must be be called after drop_privileges()
* or logfile rotation won't be possible */
/* log_open() must be be called before daemonize()
* since daemonize() invalidates stderr */
log_open();
return 0;
}
/**************************************** main loop accepting connections */
void daemon_loop(void) {
SERVICE_OPTIONS *opt;
int temporary_lack_of_resources;
while(1) {
temporary_lack_of_resources=0;
if(s_poll_wait(fds, -1, -1)>=0) {
if(s_poll_canread(fds, signal_pipe[0]))
if(signal_pipe_dispatch()) /* received SIGNAL_TERMINATE */
break; /* terminate daemon_loop */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.accept && s_poll_canread(fds, opt->fd))
if(accept_connection(opt))
temporary_lack_of_resources=1;
} else {
log_error(LOG_NOTICE, get_last_socket_error(),
"daemon_loop: s_poll_wait");
temporary_lack_of_resources=1;
}
if(temporary_lack_of_resources) {
s_log(LOG_NOTICE,
"Accepting new connections suspended for 1 second");
sleep(1); /* to avoid log trashing */
}
}
}
/* return 1 when a short delay is needed before another try */
static int accept_connection(SERVICE_OPTIONS *opt) {
SOCKADDR_UNION addr;
char *from_address;
int s;
socklen_t addrlen;
addrlen=sizeof addr;
for(;;) {
s=s_accept(opt->fd, &addr.sa, &addrlen, 1, "local socket");
if(s>=0) /* success! */
break;
switch(get_last_socket_error()) {
case S_EINTR: /* interrupted by a signal */
break; /* retry now */
case S_EMFILE:
#ifdef S_ENFILE
case S_ENFILE:
#endif
#ifdef S_ENOBUFS
case S_ENOBUFS:
#endif
#ifdef S_ENOMEM
case S_ENOMEM:
#endif
return 1; /* temporary lack of resources */
default:
return 0; /* any other error */
}
}
from_address=s_ntop(&addr, addrlen);
s_log(LOG_DEBUG, "Service [%s] accepted (FD=%d) from %s",
opt->servname, s, from_address);
str_free(from_address);
#ifndef USE_FORK
if(max_clients && num_clients>=max_clients) {
s_log(LOG_WARNING, "Connection rejected: too many clients (>=%d)",
max_clients);
closesocket(s);
return 0;
}
#endif
if(create_client(opt->fd, s,
alloc_client_session(opt, s, s), client_thread)) {
s_log(LOG_ERR, "Connection rejected: create_client failed");
closesocket(s);
return 0;
}
return 0;
}
/**************************************** initialization helpers */
/* clear fds, close old ports */
void unbind_ports(void) {
SERVICE_OPTIONS *opt;
#ifdef HAVE_STRUCT_SOCKADDR_UN
struct stat st; /* buffer for stat */
#endif
s_poll_init(fds);
s_poll_add(fds, signal_pipe[0], 1, 0);
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.accept && opt->fd>=0) {
closesocket(opt->fd);
s_log(LOG_DEBUG, "Service [%s] closed (FD=%d)",
opt->servname, opt->fd);
opt->fd=-1;
#ifdef HAVE_STRUCT_SOCKADDR_UN
if(opt->local_addr.sa.sa_family==AF_UNIX) {
if(lstat(opt->local_addr.un.sun_path, &st))
sockerror(opt->local_addr.un.sun_path);
else if(!S_ISSOCK(st.st_mode))
s_log(LOG_ERR, "Not a socket: %s",
opt->local_addr.un.sun_path);
else if(unlink(opt->local_addr.un.sun_path))
sockerror(opt->local_addr.un.sun_path);
else
s_log(LOG_DEBUG, "Socket removed: %s",
opt->local_addr.un.sun_path);
}
#endif
}
}
/* open new ports, update fds */
int bind_ports(void) {
SERVICE_OPTIONS *opt;
char *local_address;
#ifdef USE_LIBWRAP
/* execute after parse_commandline() to know service_options.next,
* but as early as possible to avoid leaking file descriptors */
/* retry on each bind_ports() in case stunnel.conf was reloaded
without "libwrap = no" */
libwrap_init();
#endif /* USE_LIBWRAP */
s_poll_init(fds);
s_poll_add(fds, signal_pipe[0], 1, 0);
/* allow clean unbind_ports() even though
bind_ports() was not fully performed */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.accept)
opt->fd=-1;
for(opt=service_options.next; opt; opt=opt->next) {
if(opt->option.accept) {
opt->fd=s_socket(opt->local_addr.sa.sa_family,
SOCK_STREAM, 0, 1, "accept socket");
if(opt->fd<0)
return 1;
if(set_socket_options(opt->fd, 0)<0) {
closesocket(opt->fd);
return 1;
}
/* local socket can't be unnamed */
local_address=s_ntop(&opt->local_addr, addr_len(&opt->local_addr));
if(bind(opt->fd, &opt->local_addr.sa, addr_len(&opt->local_addr))) {
s_log(LOG_ERR, "Error binding service [%s] to %s",
opt->servname, local_address);
sockerror("bind");
closesocket(opt->fd);
str_free(local_address);
return 1;
}
if(listen(opt->fd, SOMAXCONN)) {
sockerror("listen");
closesocket(opt->fd);
str_free(local_address);
return 1;
}
s_poll_add(fds, opt->fd, 1, 0);
s_log(LOG_DEBUG, "Service [%s] (FD=%d) bound to %s",
opt->servname, opt->fd, local_address);
str_free(local_address);
} else if(opt->option.program && opt->option.remote) {
/* create exec+connect services */
create_client(-1, -1,
alloc_client_session(opt, -1, -1), client_thread);
}
}
return 0; /* OK */
}
#ifdef HAVE_CHROOT
static int change_root(void) {
if(!global_options.chroot_dir)
return 0;
if(chroot(global_options.chroot_dir)) {
sockerror("chroot");
return 1;
}
if(chdir("/")) {
sockerror("chdir");
return 1;
}
return 0;
}
#endif /* HAVE_CHROOT */
#if !defined(USE_WIN32) && !defined(__vms) && !defined(USE_OS2)
int drop_privileges(int critical) {
#ifdef HAVE_SETGROUPS
gid_t gr_list[1];
#endif
/* set uid and gid */
if(global_options.gid) {
if(setgid(global_options.gid) && critical) {
sockerror("setgid");
return 1;
}
#ifdef HAVE_SETGROUPS
gr_list[0]=global_options.gid;
if(setgroups(1, gr_list) && critical) {
sockerror("setgroups");
return 1;
}
#endif
}
if(global_options.uid) {
if(setuid(global_options.uid) && critical) {
sockerror("setuid");
return 1;
}
}
return 0;
}
static int daemonize(int fd) { /* go to background */
if(global_options.option.foreground)
return 0;
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
#if defined(HAVE_DAEMON) && !defined(__BEOS__)
/* set noclose option when calling daemon() function,
* so it does not require /dev/null device in the chrooted directory */
if(daemon(0, 1)==-1) {
ioerror("daemon");
return 1;
}
#else
chdir("/");
switch(fork()) {
case -1: /* fork failed */
ioerror("fork");
return 1;
case 0: /* child */
break;
default: /* parent */
exit(0);
}
#endif
#ifdef HAVE_SETSID
setsid(); /* ignore the error */
#endif
return 0;
}
static int create_pid(void) {
int pf;
char *pid;
if(!global_options.pidfile) {
s_log(LOG_DEBUG, "No pid file being created");
return 0;
}
if(global_options.pidfile[0]!='/') {
/* to prevent creating pid file relative to '/' after daemonize() */
s_log(LOG_ERR, "Pid file (%s) must be full path name", global_options.pidfile);
return 1;
}
global_options.dpid=(unsigned long)getpid();
/* silently remove old pid file */
unlink(global_options.pidfile);
pf=open(global_options.pidfile, O_WRONLY|O_CREAT|O_TRUNC|O_EXCL, 0644);
if(pf==-1) {
s_log(LOG_ERR, "Cannot create pid file %s", global_options.pidfile);
ioerror("create");
return 1;
}
pid=str_printf("%lu\n", global_options.dpid);
write(pf, pid, strlen(pid));
str_free(pid);
close(pf);
s_log(LOG_DEBUG, "Created pid file %s", global_options.pidfile);
atexit(delete_pid);
return 0;
}
static void delete_pid(void) {
if((unsigned long)getpid()!=global_options.dpid)
return; /* current process is not main daemon process */
s_log(LOG_DEBUG, "removing pid file %s", global_options.pidfile);
if(unlink(global_options.pidfile)<0)
ioerror(global_options.pidfile); /* not critical */
}
#endif /* standard Unix */
/**************************************** signal pipe handling */
static int signal_pipe_init(void) {
#ifdef USE_WIN32
if(make_sockets(signal_pipe))
return 1;
#elif defined(__INNOTEK_LIBC__)
/* Innotek port of GCC can not use select on a pipe:
* use local socket instead */
struct sockaddr_un un;
fd_set set_pipe;
int pipe_in;
FD_ZERO(&set_pipe);
signal_pipe[0]=s_socket(PF_OS2, SOCK_STREAM, 0, 0, "socket#1");
signal_pipe[1]=s_socket(PF_OS2, SOCK_STREAM, 0, 0, "socket#2");
/* connect the two endpoints */
memset(&un, 0, sizeof un);
un.sun_len=sizeof un;
un.sun_family=AF_OS2;
sprintf(un.sun_path, "\\socket\\stunnel-%u", getpid());
/* make the first endpoint listen */
bind(signal_pipe[0], (struct sockaddr *)&un, sizeof un);
listen(signal_pipe[0], 1);
connect(signal_pipe[1], (struct sockaddr *)&un, sizeof un);
FD_SET(signal_pipe[0], &set_pipe);
if(select(signal_pipe[0]+1, &set_pipe, NULL, NULL, NULL)>0) {
pipe_in=signal_pipe[0];
signal_pipe[0]=s_accept(signal_pipe[0], NULL, 0, 0, "accept");
closesocket(pipe_in);
} else {
sockerror("select");
return 1;
}
#else /* Unix */
if(s_pipe(signal_pipe, 1, "signal_pipe"))
return 1;
#endif /* USE_WIN32 */
return 0;
}
void signal_post(int sig) {
writesocket(signal_pipe[1], (char *)&sig, sizeof sig);
}
static int signal_pipe_dispatch(void) {
int sig, err;
s_log(LOG_DEBUG, "Dispatching signals from the signal pipe");
while(readsocket(signal_pipe[0], (char *)&sig, sizeof sig)==sizeof sig) {
switch(sig) {
#ifndef USE_WIN32
case SIGCHLD:
s_log(LOG_DEBUG, "Processing SIGCHLD");
#ifdef USE_FORK
client_status(); /* report status of client process */
#else /* USE_UCONTEXT || USE_PTHREAD */
child_status(); /* report status of libwrap or 'exec' process */
#endif /* defined USE_FORK */
break;
#endif /* !defind USE_WIN32 */
case SIGNAL_RELOAD_CONFIG:
s_log(LOG_DEBUG, "Processing SIGNAL_RELOAD_CONFIG");
err=parse_conf(NULL, CONF_RELOAD);
if(err) {
s_log(LOG_ERR, "Failed to reload the configuration file");
} else {
unbind_ports();
log_close();
apply_conf();
log_open();
if(bind_ports()) {
/* FIXME: handle the error */
}
}
break;
case SIGNAL_REOPEN_LOG:
s_log(LOG_DEBUG, "Processing SIGNAL_REOPEN_LOG");
log_close();
log_open();
s_log(LOG_NOTICE, "Log file reopened");
break;
case SIGNAL_TERMINATE:
s_log(LOG_DEBUG, "Processing SIGNAL_TERMINATE");
s_log(LOG_NOTICE, "Terminated");
return 2;
default:
s_log(LOG_ERR, "Received signal %d; terminating", sig);
return 1;
}
}
s_log(LOG_DEBUG, "Signal pipe is empty");
return 0;
}
#ifdef USE_FORK
static void client_status(void) { /* dead children detected */
int pid, status;
#ifdef HAVE_WAIT_FOR_PID
while((pid=wait_for_pid(-1, &status, WNOHANG))>0) {
#else
if((pid=wait(&status))>0) {
#endif
#ifdef WIFSIGNALED
if(WIFSIGNALED(status)) {
s_log(LOG_DEBUG, "Process %d terminated on signal %d",
pid, WTERMSIG(status));
} else {
s_log(LOG_DEBUG, "Process %d finished with code %d",
pid, WEXITSTATUS(status));
}
}
#else
s_log(LOG_DEBUG, "Process %d finished with code %d",
pid, status);
}
#endif
}
#endif /* defined USE_FORK */
#if !defined(USE_WIN32) && !defined(USE_OS2)
void child_status(void) { /* dead libwrap or 'exec' process detected */
int pid, status;
#ifdef HAVE_WAIT_FOR_PID
while((pid=wait_for_pid(-1, &status, WNOHANG))>0) {
#else
if((pid=wait(&status))>0) {
#endif
#ifdef WIFSIGNALED
if(WIFSIGNALED(status)) {
s_log(LOG_INFO, "Child process %d terminated on signal %d",
pid, WTERMSIG(status));
} else {
s_log(LOG_INFO, "Child process %d finished with code %d",
pid, WEXITSTATUS(status));
}
#else
s_log(LOG_INFO, "Child process %d finished with status %d",
pid, status);
#endif
}
}
static void signal_handler(int sig) {
int saved_errno;
saved_errno=errno;
signal_post(sig);
signal(sig, signal_handler);
errno=saved_errno;
}
#endif /* !defined(USE_WIN32) && !defined(USE_OS2) */
/**************************************** log messages to identify build */
void stunnel_info(int level) {
s_log(level, "stunnel " STUNNEL_VERSION " on " HOST " platform");
if(SSLeay()==SSLEAY_VERSION_NUMBER) {
s_log(level, "Compiled/running with " OPENSSL_VERSION_TEXT);
} else {
s_log(level, "Compiled with " OPENSSL_VERSION_TEXT);
s_log(level, "Running with %s", SSLeay_version(SSLEAY_VERSION));
s_log(level, "Update OpenSSL shared libraries or rebuild stunnel");
}
s_log(level,
"Threading:"
#ifdef USE_UCONTEXT
"UCONTEXT"
#endif
#ifdef USE_PTHREAD
"PTHREAD"
#endif
#ifdef USE_WIN32
"WIN32"
#endif
#ifdef USE_FORK
"FORK"
#endif
" SSL:"
#if defined HAVE_OSSL_ENGINE_H || defined HAVE_OSSL_OCSP_H || defined USE_FIPS
#ifdef HAVE_OSSL_ENGINE_H
"+ENGINE"
#endif
#ifdef HAVE_OSSL_OCSP_H
"+OCSP"
#endif
#ifdef USE_FIPS
"+FIPS"
#endif
#else
"none"
#endif
" Auth:"
#ifdef USE_LIBWRAP
"LIBWRAP"
#else
"none"
#endif
" Sockets:"
#ifdef USE_POLL
"POLL"
#else /* defined(USE_POLL) */
"SELECT"
#endif /* defined(USE_POLL) */
"+IPv%c",
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
s_getaddrinfo ? '6' : '4'
#else /* defined(USE_WIN32) */
#if defined(USE_IPv6)
'6'
#else /* defined(USE_IPv6) */
'4'
#endif /* defined(USE_IPv6) */
#endif /* defined(USE_WIN32) */
);
}
/* end of stunnel.c */
Reference in New Issue View Git Blame Copy Permalink