
Source code changes of the file "src/configuration.c" between
hitch-1.5.2.tar.gz and hitch-1.6.0.tar.gz

About: Hitch is a libev-based high performance SSL/TLS proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend.

configuration.c  (hitch-1.5.2):configuration.c  (hitch-1.6.0)
skipping to change at line 151 skipping to change at line 151
front_arg_new(void) front_arg_new(void)
{ {
struct front_arg *fa; struct front_arg *fa;
ALLOC_OBJ(fa, FRONT_ARG_MAGIC); ALLOC_OBJ(fa, FRONT_ARG_MAGIC);
AN(fa); AN(fa);
fa->match_global_certs = -1; fa->match_global_certs = -1;
fa->sni_nomatch_abort = -1; fa->sni_nomatch_abort = -1;
fa->selected_protos = 0; fa->selected_protos = 0;
fa->prefer_server_ciphers = -1; fa->prefer_server_ciphers = -1;
fa->client_verify = -1;
return (fa); return (fa);
} }
void void
front_arg_destroy(struct front_arg *fa) front_arg_destroy(struct front_arg *fa)
{ {
struct cfg_cert_file *cf, *cftmp; struct cfg_cert_file *cf, *cftmp;
CHECK_OBJ_NOTNULL(fa, FRONT_ARG_MAGIC); CHECK_OBJ_NOTNULL(fa, FRONT_ARG_MAGIC);
free(fa->ip); free(fa->ip);
free(fa->port); free(fa->port);
free(fa->pspec); free(fa->pspec);
free(fa->ciphers); free(fa->ciphers_tlsv12);
free(fa->ciphersuites_tlsv13);
HASH_ITER(hh, fa->certs, cf, cftmp) { HASH_ITER(hh, fa->certs, cf, cftmp) {
CHECK_OBJ_NOTNULL(cf, CFG_CERT_FILE_MAGIC); CHECK_OBJ_NOTNULL(cf, CFG_CERT_FILE_MAGIC);
HASH_DEL(fa->certs, cf); HASH_DEL(fa->certs, cf);
cfg_cert_file_free(&cf); cfg_cert_file_free(&cf);
} }
FREE_OBJ(fa); FREE_OBJ(fa);
} }
hitch_config * hitch_config *
config_new(void) config_new(void)
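Review bot: front_arg_destroy frees the two renamed cipher strings but not the per-frontend `client_verify_ca` that the new validation code reads (`fa->client_verify_ca` in config_parse_cli), so if that field is a heap string owned by the frontend it leaks on every destroy; unless it is released elsewhere or is a non-owning pointer, add `free(fa->client_verify_ca);` next to `free(fa->ciphersuites_tlsv13);`. The -1 written in front_arg_new is the "inherit global setting" sentinel the later `fa->client_verify != -1` test relies on; a comment such as `/* -1: not set per frontend, fall back to cfg->CLIENT_VERIFY */` would make that contract explicit. front_arg_new's return type line and config_new's body lie outside this hunk.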
skipping to change at line 203 skipping to change at line 205
r->PROXY_PROXY_LINE = 0; r->PROXY_PROXY_LINE = 0;
r->ALPN_PROTOS = NULL; r->ALPN_PROTOS = NULL;
r->ALPN_PROTOS_LV = NULL; r->ALPN_PROTOS_LV = NULL;
r->ALPN_PROTOS_LV_LEN = 0; r->ALPN_PROTOS_LV_LEN = 0;
r->CHROOT = NULL; r->CHROOT = NULL;
r->UID = -1; r->UID = -1;
r->GID = -1; r->GID = -1;
r->BACK_IP = strdup("127.0.0.1"); r->BACK_IP = strdup("127.0.0.1");
r->BACK_PORT = strdup("8000"); r->BACK_PORT = strdup("8000");
r->NCORES = 1; r->NCORES = 1;
r->CIPHER_SUITE = strdup(CFG_DEFAULT_CIPHERS); r->CIPHERS_TLSv12 = strdup(CFG_DEFAULT_CIPHERS);
r->ENGINE = NULL; r->ENGINE = NULL;
r->BACKLOG = 100; r->BACKLOG = 100;
r->SNI_NOMATCH_ABORT = 0; r->SNI_NOMATCH_ABORT = 0;
r->CERT_DEFAULT = NULL; r->CERT_DEFAULT = NULL;
r->CERT_FILES = NULL; r->CERT_FILES = NULL;
r->LISTEN_ARGS = NULL; r->LISTEN_ARGS = NULL;
r->PEM_DIR = NULL; r->PEM_DIR = NULL;
r->OCSP_DIR = strdup("/var/lib/hitch/"); r->OCSP_DIR = strdup("/var/lib/hitch/");
AN(r->OCSP_DIR); AN(r->OCSP_DIR);
r->OCSP_VFY = 0; r->OCSP_VFY = 0;
r->OCSP_RESP_TMO = 10.0; r->OCSP_RESP_TMO = 10.0;
r->OCSP_CONN_TMO = 4.0; r->OCSP_CONN_TMO = 4.0;
r->OCSP_REFRESH_INTERVAL = 1800; r->OCSP_REFRESH_INTERVAL = 1800;
r->CLIENT_VERIFY = SSL_VERIFY_NONE;
r->CLIENT_VERIFY_CA = NULL;
#ifdef TCP_FASTOPEN_WORKS #ifdef TCP_FASTOPEN_WORKS
r->TFO = 0; r->TFO = 0;
#endif #endif
#ifdef USE_SHARED_CACHE #ifdef USE_SHARED_CACHE
r->SHARED_CACHE = 0; r->SHARED_CACHE = 0;
r->SHCUPD_IP = NULL; r->SHCUPD_IP = NULL;
r->SHCUPD_PORT = NULL; r->SHCUPD_PORT = NULL;
for (i = 0 ; i < MAX_SHCUPD_PEERS; i++) for (i = 0 ; i < MAX_SHCUPD_PEERS; i++)
memset(&r->SHCUPD_PEERS[i], 0, sizeof(shcupd_peer_opt)); memset(&r->SHCUPD_PEERS[i], 0, sizeof(shcupd_peer_opt));
r->SHCUPD_MCASTIF = NULL; r->SHCUPD_MCASTIF = NULL;
r->SHCUPD_MCASTTTL = NULL; r->SHCUPD_MCASTTTL = NULL;
#endif #endif
r->LOG_LEVEL = 0; r->LOG_LEVEL = 1;
r->SYSLOG = 0; r->SYSLOG = 0;
r->SYSLOG_FACILITY = LOG_DAEMON; r->SYSLOG_FACILITY = LOG_DAEMON;
r->TCP_KEEPALIVE_TIME = 3600; r->TCP_KEEPALIVE_TIME = 3600;
r->BACKEND_REFRESH_TIME = 0; r->BACKEND_REFRESH_TIME = 0;
r->DAEMONIZE = 0; r->DAEMONIZE = 0;
r->PREFER_SERVER_CIPHERS = 0; r->PREFER_SERVER_CIPHERS = 0;
r->TEST = 0; r->TEST = 0;
r->BACKEND_CONNECT_TIMEOUT = 30; r->BACKEND_CONNECT_TIMEOUT = 30;
r->SSL_HANDSHAKE_TIMEOUT = 30; r->SSL_HANDSHAKE_TIMEOUT = 30;
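Review bot: `r->CIPHERSUITES_TLSv13` gets no initializer here although config_destroy now unconditionally calls `free(cfg->CIPHERSUITES_TLSv13)`, so the field is only safe if the allocation of `r` (outside this hunk) is zero-filled; an explicit `r->CIPHERSUITES_TLSv13 = NULL;` beside `r->CIPHERS_TLSv12 = strdup(CFG_DEFAULT_CIPHERS);` removes that dependency. `r->CLIENT_VERIFY = SSL_VERIFY_NONE;` is the right opt-in default for mTLS, and deserves a why-comment, e.g. `/* client certificates are not requested unless client-verify is configured */`. The change of `r->LOG_LEVEL` from 0 to 1 is a silent default change worth a comment or changelog mention. config_new begins before this hunk.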
skipping to change at line 292 skipping to change at line 296
free(cfg->BACK_PORT); free(cfg->BACK_PORT);
HASH_ITER(hh, cfg->CERT_FILES, cf, cftmp) { HASH_ITER(hh, cfg->CERT_FILES, cf, cftmp) {
CHECK_OBJ_NOTNULL(cf, CFG_CERT_FILE_MAGIC); CHECK_OBJ_NOTNULL(cf, CFG_CERT_FILE_MAGIC);
HASH_DEL(cfg->CERT_FILES, cf); HASH_DEL(cfg->CERT_FILES, cf);
cfg_cert_file_free(&cf); cfg_cert_file_free(&cf);
} }
if (cfg->CERT_DEFAULT != NULL) if (cfg->CERT_DEFAULT != NULL)
cfg_cert_file_free(&cfg->CERT_DEFAULT); cfg_cert_file_free(&cfg->CERT_DEFAULT);
free(cfg->CIPHER_SUITE); free(cfg->CIPHERS_TLSv12);
free(cfg->CIPHERSUITES_TLSv13);
free(cfg->ENGINE); free(cfg->ENGINE);
free(cfg->PIDFILE); free(cfg->PIDFILE);
free(cfg->OCSP_DIR); free(cfg->OCSP_DIR);
free(cfg->ALPN_PROTOS); free(cfg->ALPN_PROTOS);
free(cfg->ALPN_PROTOS_LV); free(cfg->ALPN_PROTOS_LV);
free(cfg->PEM_DIR); free(cfg->PEM_DIR);
free(cfg->PEM_DIR_GLOB); free(cfg->PEM_DIR_GLOB);
free(cfg->CLIENT_VERIFY_CA);
#ifdef USE_SHARED_CACHE #ifdef USE_SHARED_CACHE
int i; int i;
free(cfg->SHCUPD_IP); free(cfg->SHCUPD_IP);
free(cfg->SHCUPD_PORT); free(cfg->SHCUPD_PORT);
for (i = 0; i < MAX_SHCUPD_PEERS; i++) { for (i = 0; i < MAX_SHCUPD_PEERS; i++) {
free(cfg->SHCUPD_PEERS[i].ip); free(cfg->SHCUPD_PEERS[i].ip);
free(cfg->SHCUPD_PEERS[i].port); free(cfg->SHCUPD_PEERS[i].port);
} }
skipping to change at line 842 skipping to change at line 848
assert(k != NULL); assert(k != NULL);
assert(v != NULL); assert(v != NULL);
assert(strlen(k) >= 2); assert(strlen(k) >= 2);
if (strcmp(k, "tls") == 0) { if (strcmp(k, "tls") == 0) {
cfg->SELECTED_TLS_PROTOS = TLS_OPTION_PROTOS; cfg->SELECTED_TLS_PROTOS = TLS_OPTION_PROTOS;
} else if (strcmp(k, "ssl") == 0) { } else if (strcmp(k, "ssl") == 0) {
cfg->SELECTED_TLS_PROTOS = SSL_OPTION_PROTOS; cfg->SELECTED_TLS_PROTOS = SSL_OPTION_PROTOS;
} else if (strcmp(k, CFG_CIPHERS) == 0) { } else if (strcmp(k, CFG_CIPHERS) == 0) {
if (strlen(v) > 0) { if (strlen(v) > 0) {
config_assign_str(&cfg->CIPHER_SUITE, v); config_assign_str(&cfg->CIPHERS_TLSv12, v);
} }
} else if (strcmp(k, CFG_SSL_ENGINE) == 0) { } else if (strcmp(k, CFG_SSL_ENGINE) == 0) {
if (strlen(v) > 0) { if (strlen(v) > 0) {
config_assign_str(&cfg->ENGINE, v); config_assign_str(&cfg->ENGINE, v);
} }
} else if (strcmp(k, CFG_PREFER_SERVER_CIPHERS) == 0) { } else if (strcmp(k, CFG_PREFER_SERVER_CIPHERS) == 0) {
r = config_param_val_bool(v, &cfg->PREFER_SERVER_CIPHERS); r = config_param_val_bool(v, &cfg->PREFER_SERVER_CIPHERS);
} else if (strcmp(k, CFG_FRONTEND) == 0) { } else if (strcmp(k, CFG_FRONTEND) == 0) {
struct front_arg *fa; struct front_arg *fa;
struct cfg_cert_file *cert; struct cfg_cert_file *cert;
skipping to change at line 1231 skipping to change at line 1237
fprintf(out, "Usage: %s [OPTIONS] PEM\n\n", basename(prog)); fprintf(out, "Usage: %s [OPTIONS] PEM\n\n", basename(prog));
fprintf(out, "This is hitch, The Scalable TLS Unwrapping Daemon.\n\n"); fprintf(out, "This is hitch, The Scalable TLS Unwrapping Daemon.\n\n");
fprintf(out, "CONFIGURATION:\n"); fprintf(out, "CONFIGURATION:\n");
fprintf(out, "\n"); fprintf(out, "\n");
fprintf(out, " --config=FILE Load configuration from specifie d file.\n"); fprintf(out, " --config=FILE Load configuration from specifie d file.\n");
fprintf(out, "\n"); fprintf(out, "\n");
fprintf(out, "ENCRYPTION METHODS:\n"); fprintf(out, "ENCRYPTION METHODS:\n");
fprintf(out, "\n"); fprintf(out, "\n");
fprintf(out, " --tls TLSv1 (default. No SSLv3)\n") ; fprintf(out, " --tls TLSv1 (default. No SSLv3)\n") ;
fprintf(out, " --ssl SSLv3 (enables SSLv3)\n"); fprintf(out, " --ssl SSLv3 (enables SSLv3)\n");
fprintf(out, " -c --ciphers=SUITE Sets allowed ciphers (Default : \"%s\")\n", config_disp_str(cfg->CIPHER_SUITE)); fprintf(out, " -c --ciphers=SUITE Sets allowed ciphers (Default : \"%s\")\n", config_disp_str(cfg->CIPHERS_TLSv12));
fprintf(out, " -e --ssl-engine=NAME Sets OpenSSL engine (Default: \"%s\")\n", config_disp_str(cfg->ENGINE)); fprintf(out, " -e --ssl-engine=NAME Sets OpenSSL engine (Default: \"%s\")\n", config_disp_str(cfg->ENGINE));
fprintf(out, " -O --prefer-server-ciphers Prefer server list order\n"); fprintf(out, " -O --prefer-server-ciphers Prefer server list order\n");
fprintf(out, "\n"); fprintf(out, "\n");
fprintf(out, "SOCKET:\n"); fprintf(out, "SOCKET:\n");
fprintf(out, "\n"); fprintf(out, "\n");
fprintf(out, " --client Enable client proxy mode\n"); fprintf(out, " --client Enable client proxy mode\n");
fprintf(out, " -b --backend=[HOST]:PORT Backend [connect] (default is \"%s\")\n", config_disp_hostport(cfg->BACK_IP, cfg->BACK_PORT)); fprintf(out, " -b --backend=[HOST]:PORT Backend [connect] (default is \"%s\")\n", config_disp_hostport(cfg->BACK_IP, cfg->BACK_PORT));
fprintf(out, " The -b argument can also take a UNIX domain socket path\n"); fprintf(out, " The -b argument can also take a UNIX domain socket path\n");
fprintf(out, " E.g. --backend=\"/path/to/soc k\"\n"); fprintf(out, " E.g. --backend=\"/path/to/soc k\"\n");
fprintf(out, " -f --frontend=[HOST]:PORT[+CERT] Frontend [bind] (def ault is \"%s\")\n", config_disp_hostport(cfg->LISTEN_DEFAULT->ip, cfg->LISTEN_DE FAULT->port)); fprintf(out, " -f --frontend=[HOST]:PORT[+CERT] Frontend [bind] (def ault is \"%s\")\n", config_disp_hostport(cfg->LISTEN_DEFAULT->ip, cfg->LISTEN_DE FAULT->port));
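Review bot: The help text for `-c --ciphers=SUITE` still says "Sets allowed ciphers" although the value now lands in `cfg->CIPHERS_TLSv12`, which by its name covers only the pre-TLS-1.3 cipher list; the usage line should say so, e.g. `Sets allowed ciphers for TLSv1.2 and earlier`, and if a separate TLSv1.3 ciphersuite option exists it should be listed next to it (not visible in this hunk). The enclosing usage function starts and ends outside the hunk.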
skipping to change at line 1383 skipping to change at line 1389
cfg->ALPN_PROTOS_LV[i] = (unsigned char)(j - i - 1); cfg->ALPN_PROTOS_LV[i] = (unsigned char)(j - i - 1);
cfg->ALPN_PROTOS_LV_LEN = l + 1; cfg->ALPN_PROTOS_LV_LEN = l + 1;
} }
return (1); // ok! return (1); // ok!
} }
int int
config_parse_cli(int argc, char **argv, hitch_config *cfg) config_parse_cli(int argc, char **argv, hitch_config *cfg)
{ {
static int tls = 0, ssl = 0; static int tls = 0, ssl = 0;
struct front_arg *fa, *fatmp;
static int client = 0; static int client = 0;
int c, i; int c, i;
optind = 1; optind = 1;
struct option long_options[] = { struct option long_options[] = {
{ CFG_CONFIG, 1, NULL, CFG_PARAM_CFGFILE }, { CFG_CONFIG, 1, NULL, CFG_PARAM_CFGFILE },
{ "tls", 0, &tls, 1}, { "tls", 0, &tls, 1},
{ "ssl", 0, &ssl, 1}, { "ssl", 0, &ssl, 1},
{ "client", 0, &client, 1}, { "client", 0, &client, 1},
skipping to change at line 1572 skipping to change at line 1579
cfg->PMODE = SSL_CLIENT; cfg->PMODE = SSL_CLIENT;
if ((!!cfg->WRITE_IP_OCTET + !!cfg->PROXY_PROXY_LINE + if ((!!cfg->WRITE_IP_OCTET + !!cfg->PROXY_PROXY_LINE +
!!cfg->WRITE_PROXY_LINE_V1 + !!cfg->WRITE_PROXY_LINE_V2) >= 2) { !!cfg->WRITE_PROXY_LINE_V1 + !!cfg->WRITE_PROXY_LINE_V2) >= 2) {
config_error_set("Options --write-ip, --write-proxy-proxy," config_error_set("Options --write-ip, --write-proxy-proxy,"
" --write-proxy-v1 and --write-proxy-v2 are" " --write-proxy-v1 and --write-proxy-v2 are"
" mutually exclusive."); " mutually exclusive.");
return (1); return (1);
} }
if (cfg->CLIENT_VERIFY != SSL_VERIFY_NONE &&
cfg->CLIENT_VERIFY_CA == NULL) {
config_error_set("Setting 'client-verify-ca' is required when"
" configuring client-verify");
return (1);
}
HASH_ITER(hh, cfg->LISTEN_ARGS, fa, fatmp) {
if (fa->client_verify != -1 &&
fa->client_verify != SSL_VERIFY_NONE) {
if (!fa->client_verify_ca && !cfg->CLIENT_VERIFY_CA) {
config_error_set("No 'client-verify-ca' "
"configured for frontend '%s'",
fa->pspec);
return (1);
}
}
}
#ifdef USE_SHARED_CACHE #ifdef USE_SHARED_CACHE
if (cfg->SHCUPD_IP != NULL && ! cfg->SHARED_CACHE) { if (cfg->SHCUPD_IP != NULL && ! cfg->SHARED_CACHE) {
config_error_set("Shared cache update listener is defined," config_error_set("Shared cache update listener is defined,"
" but shared cache is disabled."); " but shared cache is disabled.");
return (1); return (1);
} }
#endif #endif
/* ALPN/NPN protocol negotiation additional configuration and error /* ALPN/NPN protocol negotiation additional configuration and error
handling */ handling */
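Review bot: The frontend loop reports a missing CA but gives no diagnostic for the inverse misconfiguration, a frontend that carries a `client_verify_ca` while its `client_verify` is -1 or SSL_VERIFY_NONE, so an operator who set a CA path but forgot to enable verification gets a listener that never asks for client certificates; if the parser admits that combination, an `else if (fa->client_verify_ca != NULL)` branch raising a config error (or at least a warning) would close the gap. The `fa->client_verify != -1` test deserves a comment explaining that -1 means "inherit", e.g. `/* -1: frontend inherits cfg->CLIENT_VERIFY, already validated above */`. Whether the CA file is actually readable is presumably checked when the SSL_CTX is built, not here. config_parse_cli begins and ends outside this hunk.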
skipping to change at line 1653 skipping to change at line 1680
return (1); return (1);
} }
} }
if (cfg->PEM_DIR != NULL) { if (cfg->PEM_DIR != NULL) {
if (config_scan_pem_dir(cfg->PEM_DIR, cfg)) if (config_scan_pem_dir(cfg->PEM_DIR, cfg))
return (1); return (1);
} }
if (cfg->PMODE == SSL_SERVER && cfg->CERT_DEFAULT == NULL) { if (cfg->PMODE == SSL_SERVER && cfg->CERT_DEFAULT == NULL) {
struct front_arg *fa, *fatmp;
HASH_ITER(hh, cfg->LISTEN_ARGS, fa, fatmp) HASH_ITER(hh, cfg->LISTEN_ARGS, fa, fatmp)
if (HASH_CNT(hh, fa->certs) == 0) { if (HASH_CNT(hh, fa->certs) == 0) {
config_error_set("No x509 certificate PEM file " config_error_set("No x509 certificate PEM file "
"specified for frontend '%s'!", fa->pspec); "specified for frontend '%s'!", fa->pspec);
return (1); return (1);
} }
} }
if (cfg->OCSP_DIR != NULL) { if (cfg->OCSP_DIR != NULL) {
struct stat sb; struct stat sb;
 End of changes. 12 change blocks. 
7 lines changed or deleted 33 lines changed or added
