/*****************************/
static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id,
- const char *CAfile, const char *cert, const char *key);
+ const char *CAfile, const char *cert, const char *key,
+ const char *cipher_list, int out_state, int out_verify,
+ int verify_mode);
static void selector_init(tunala_selector_t *selector);
static void selector_add_listener(tunala_selector_t *selector, int fd);
static void selector_add_tunala(tunala_selector_t *selector, tunala_item_t *t);
/* MAIN FUNCTION (and its utility functions) */
/*********************************************/
-/* For now, hard-coded as follows;
- * (a) We're like "tunala -listen 127.0.0.1:9001 -proxy 127.0.0.1:9002"
- * (b) We max out at 50 simultaneous tunnels, listening will stop while we have
- * that many tunnels operating and will recommence as/when tunnels close.
- * (c) We are an SSL client proxy
- * (d) We use the "openssl" ENGINE
- * (e) We use the CA cert file "cacert.pem"
- * */
-
static const char *def_proxyhost = "127.0.0.1:443";
static const char *def_listenhost = "127.0.0.1:8080";
static int def_max_tunnels = 50;
static const char *def_key = NULL;
static const char *def_engine_id = NULL;
static int def_server_mode = 0;
+static const char *def_cipher_list = NULL;
+static int def_out_state = 0;
+static int def_out_verify = 0;
+static int def_verify_mode = 0;
static const char *helpstring =
"\n'Tunala' (A tunneler with a New Zealand accent)\n"
" -key <path|NULL> (default = whatever '-cert' is)\n"
" -engine <id|NULL> (default = NULL)\n"
" -server <0|1> (default = 0, ie. an SSL client)\n"
+ " -cipher <list> (specifies cipher list to use)\n"
+ " -out_state (prints SSL handshake states)\n"
+ " -out_verify (prints certificate verification states)\n"
+ " -v_peer (verify the peer certificate)\n"
+ " -v_strict (do not continue if peer validation fails)\n"
+ " -v_once (no verification in renegotiates)\n"
" -<h|help|?> (displays this help screen)\n"
"NB: It is recommended to specify a cert+key when operating as an\n"
"SSL server. If you only specify '-cert', the same file must\n"
const char *key = def_key;
const char *engine_id = def_engine_id;
int server_mode = def_server_mode;
+ const char *cipher_list = def_cipher_list;
+ int out_state = def_out_state;
+ int out_verify = def_out_verify;
+ int verify_mode = def_verify_mode;
/* Parse command-line arguments */
next_arg:
if(!parse_server_mode(*argv, &server_mode))
return 1;
goto next_arg;
+ } else if(strcmp(*argv, "-cipher") == 0) {
+ if(argc < 2)
+ return usage("-cipher requires an argument", 0);
+ argc--; argv++;
+ cipher_list = *argv;
+ goto next_arg;
+ } else if(strcmp(*argv, "-out_state") == 0) {
+ out_state = 1;
+ goto next_arg;
+ } else if(strcmp(*argv, "-out_verify") == 0) {
+ out_verify = 1;
+ goto next_arg;
+ } else if(strcmp(*argv, "-v_peer") == 0) {
+ verify_mode |= SSL_VERIFY_PEER;
+ goto next_arg;
+ } else if(strcmp(*argv, "-v_strict") == 0) {
+ verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ goto next_arg;
+ } else if(strcmp(*argv, "-v_once") == 0) {
+ verify_mode |= SSL_VERIFY_CLIENT_ONCE;
+ goto next_arg;
} else if((strcmp(*argv, "-h") == 0) ||
(strcmp(*argv, "-help") == 0) ||
(strcmp(*argv, "-?") == 0)) {
err_str0("ip_initialise succeeded");
/* Create the SSL_CTX */
if((world.ssl_ctx = initialise_ssl_ctx(server_mode, engine_id,
- cacert, cert, key)) == NULL)
+ cacert, cert, key, cipher_list, out_state, out_verify,
+ verify_mode)) == NULL)
return err_str1("initialise_ssl_ctx(engine_id=%s) failed",
(engine_id == NULL) ? "NULL" : engine_id);
err_str1("initialise_ssl_ctx(engine_id=%s) succeeded",
fprintf(stderr, "selector_select returned a badness error.\n");
abort();
case 0:
- fprintf(stderr, "Warn, selector_select return 0 - signal??\n");
+ fprintf(stderr, "Warn, selector_select returned 0 - signal??\n");
goto main_loop;
default:
break;
&newfd) == 1)) {
/* We have a new connection */
if(!tunala_world_new_item(&world, newfd,
- proxy_ip, proxy_port)) {
+ proxy_ip, proxy_port))
fprintf(stderr, "tunala_world_new_item failed\n");
- abort();
- }
- fprintf(stderr, "Info, new tunnel opened, now up to %d\n",
- world.tunnels_used);
+ else
+ fprintf(stderr, "Info, new tunnel opened, now up to "
+ "%d\n", world.tunnels_used);
}
/* Give each tunnel its moment, note the while loop is because it makes
* the logic easier than with "for" to deal with an array that may shift
/****************/
static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id,
- const char *CAfile, const char *cert, const char *key)
+ const char *CAfile, const char *cert, const char *key,
+ const char *cipher_list, int out_state, int out_verify,
+ int verify_mode)
{
SSL_CTX *ctx, *ret = NULL;
SSL_METHOD *meth;
} else
fprintf(stderr, "Info, operating without a cert or key\n");
+ /* cipher_list */
+ if(cipher_list) {
+ if(!SSL_CTX_set_cipher_list(ctx, cipher_list)) {
+ fprintf(stderr, "Error setting cipher list '%s'\n",
+ cipher_list);
+ goto err;
+ }
+ fprintf(stderr, "Info, set cipher list '%s'\n", cipher_list);
+ } else
+ fprintf(stderr, "Info, operating with default cipher list\n");
+
+ /* out_state (output of SSL handshake states to screen). */
+ if(out_state)
+ cb_ssl_info_set_output(stderr);
+
+ /* out_verify & verify_mode */
+ if(out_verify)
+ cb_ssl_verify_set_output(stderr);
+
/* Success! */
+ SSL_CTX_set_info_callback(ctx, cb_ssl_info);
+ SSL_CTX_set_verify(ctx, verify_mode, cb_ssl_verify);
ret = ctx;
err:
if(!ret) {
{
tunala_item_t *item;
int newfd;
+ SSL *new_ssl = NULL;
if(!tunala_world_make_room(world))
return 0;
+ if((new_ssl = SSL_new(world->ssl_ctx)) == NULL) {
+ fprintf(stderr, "Error creating new SSL\n");
+ ERR_print_errors_fp(stderr);
+ return 0;
+ }
item = world->tunnels + (world->tunnels_used++);
state_machine_init(&item->sm);
item->clean_read = item->clean_send =
item->clean_read = item->clean_send = fd;
item->dirty_read = item->dirty_send = newfd;
}
- state_machine_set_SSL(&item->sm, SSL_new(world->ssl_ctx),
- world->server_mode);
+ /* We use the SSL's "app_data" to indicate a call-back induced "kill" */
+ SSL_set_app_data(new_ssl, NULL);
+ if(!state_machine_set_SSL(&item->sm, new_ssl, world->server_mode))
+ goto err;
return 1;
err:
- state_machine_close(&item->sm);
+ tunala_world_del_item(world, world->tunnels_used - 1);
return 0;
}
item->clean_send = -1;
item->clean_read = -1;
}
- if(c_s) {
+ if(c_s && (item->clean_send != -1)) {
close(item->clean_send);
if(item->clean_send == item->clean_read)
item->clean_read = -1;
item->dirty_send = -1;
item->dirty_read = -1;
}
- if(d_s) {
+ if(d_s && (item->dirty_send != -1)) {
close(item->dirty_send);
if(item->dirty_send == item->dirty_read)
item->dirty_read = -1;