merged proxyprotocol linking

Makefile.in

@@ -10,10 +10,7 @@ ENABLE_SANITIZER= # Enable ASAN/LSAN/UBSAN
 ENABLE_REGEX=1  # Enable regex probes
 USELIBCONFIG=1	# Use libconfig? (necessary to use configuration files)
 USELIBEV=1	# Use libev?
-USELIBWRAP?=	# Use libwrap?
-USELIBCAP=	# Use libcap?
 USESYSTEMD=     # Make use of systemd socket activation
-USELIBBSD?=     # Use libbsd (needed to update process name in `ps`)
 COV_TEST= 	# Perform test coverage?
 PREFIX?=/usr
 BINDIR?=$(PREFIX)/sbin
@@ -46,11 +43,6 @@ EV_OBJS=processes.o udp-listener.o sslh-ev.o hash.o tcp-listener.o $(OBJS_A)
 
 CONDITIONAL_TARGETS=
 
-ifneq ($(strip $(USELIBWRAP)),)
-	LIBS:=$(LIBS) -lwrap
-	CPPFLAGS+=-DLIBWRAP
-endif
-
 ifneq ($(strip $(ENABLE_REGEX)),)
 	CPPFLAGS+=-DENABLE_REGEX
 endif
@@ -60,22 +52,12 @@ ifneq ($(strip $(USELIBCONFIG)),)
 	CPPFLAGS+=-DLIBCONFIG
 endif
 
-ifneq ($(strip $(USELIBCAP)),)
-	LIBS:=$(LIBS) -lcap
-	CPPFLAGS+=-DLIBCAP
-endif
-
 ifneq ($(strip $(USESYSTEMD)),)
         LIBS:=$(LIBS) -lsystemd
         CPPFLAGS+=-DSYSTEMD
 	CONDITIONAL_TARGETS+=systemd-sslh-generator
 endif
 
-ifneq ($(strip $(USELIBBSD)),)
-        LIBS:=$(LIBS) -lbsd
-        CPPFLAGS+=-DLIBBSD
-endif
-
 ifneq ($(strip $(USELIBEV)),)
         CONDITIONAL_TARGETS+=sslh-ev
 endif

common.c

@@ -19,6 +19,11 @@
 #include "log.h"
 #include "sslh-conf.h"
 
+#if HAVE_LIBCAP
+#include <sys/capability.h>
+#include <sys/prctl.h>
+#endif
+
 /* Added to make the code compilable under CYGWIN
  * */
 #ifndef SA_NOCLDWAIT
@@ -31,7 +36,7 @@
 #include <systemd/sd-daemon.h>
 #endif
 
-#ifdef LIBBSD
+#ifdef HAVE_LIBBSD
 #include <bsd/unistd.h>
 #endif
 
@@ -43,7 +48,7 @@ struct sslhcfg_item cfg;
 struct addrinfo *addr_listen = NULL; /* what addresses do we listen to? */
 
 
-#ifdef LIBWRAP
+#ifdef HAVE_LIBWRAP
 #include <tcpd.h>
 int allow_severity =0, deny_severity = 0;
 #endif
@@ -750,7 +755,7 @@ int get_connection_desc(struct connection_desc* desc, const struct connection *c
 
 void set_proctitle_shovel(struct connection_desc* desc, const struct connection *cnx)
 {
-#ifdef LIBBSD
+#ifdef HAVE_LIBBSD
     struct connection_desc d;
 
     if (!desc) {
@@ -775,7 +780,7 @@ void set_proctitle_shovel(struct connection_desc* desc, const struct connection
  */
 int check_access_rights(int in_socket, const char* service)
 {
-#ifdef LIBWRAP
+#ifdef HAVE_LIBWRAP
     union {
         struct sockaddr saddr;
         struct sockaddr_storage ss;
@@ -802,7 +807,7 @@ int check_access_rights(int in_socket, const char* service)
         }
     }
 
-    if (!hosts_ctl(service, host, addr_str, STRING_UNKNOWN)) {
+    if (!hosts_ctl((char*)service, host, addr_str, STRING_UNKNOWN)) {
         print_message(msg_connections, "connection from %s(%s): access denied", host, addr_str);
         close(in_socket);
         return -1;
@@ -841,7 +846,7 @@ void setup_signals(void)
 
 /* Ask OS to keep capabilities over a setuid(nonzero) */
 void set_keepcaps(int val) {
-#ifdef LIBCAP
+#if HAVE_LIBCAP
     int res;
     res = prctl(PR_SET_KEEPCAPS, val, 0, 0, 0);
     if (res) {
@@ -854,7 +859,7 @@ void set_keepcaps(int val) {
 /* Returns true if anything requires transparent proxying. */
 static int use_transparent(void)
 {
-#ifdef LIBCAP
+#if HAVE_LIBCAP
     if (cfg.transparent)
         return 1;
 
@@ -870,7 +875,7 @@ static int use_transparent(void)
  * IN: cap_net_admin: set to 1 to set CAP_NET_RAW
  * */
 void set_capabilities(int cap_net_admin) {
-#ifdef LIBCAP
+#if HAVE_LIBCAP
     int res;
     cap_t caps;
     cap_value_t cap_list[10];

common.h

@@ -34,6 +34,7 @@
 #include <sys/capability.h>
 #endif
 
+#include "config.h"
 #include "version.h"
 
 #define MAX(a, b)  (((a) > (b)) ? (a) : (b))

config.h.in

@@ -3,10 +3,19 @@
 #ifndef CONFIG_H
 /* Template for config.h, filled by `configure`. */
 
+/* Libwrap, to support host_ctl, /etc/allow and /etc/deny */
+#undef HAVE_LIBWRAP
+
 /* Landlock sandboxing Linux LSM */
 #undef HAVE_LANDLOCK
 
 /* Support for Proxy-protocol using libproxyprotocol */
 #undef HAVE_PROXYPROTOCOL
 
+/* libcap support, to use Linux capabilities */
+#undef HAVE_LIBCAP
+
+/* libbsd, to change process name */
+#undef HAVE_LIBBSD
+
 #endif

configure

@@ -1445,6 +1445,53 @@ fi
 
 } # ac_fn_c_try_compile
 
+# ac_fn_c_try_link LINENO
+# -----------------------
+# Try to link conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_link ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  rm -f conftest.$ac_objext conftest.beam conftest$ac_exeext
+  if { { ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+printf "%s\n" "$ac_try_echo"; } >&5
+  (eval "$ac_link") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 test -x conftest$ac_exeext
+       }
+then :
+  ac_retval=0
+else $as_nop
+  printf "%s\n" "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_retval=1
+fi
+  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
+  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
+  # interfere with the next link command; also delete a directory that is
+  # left behind by Apple's compiler.  We do this before executing the actions.
+  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+  as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_link
+
 # ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES
 # -------------------------------------------------------
 # Tests whether HEADER exists and can be compiled using the include files in
@@ -2163,7 +2210,6 @@ ac_config_headers="$ac_config_headers config.h"
 ac_config_files="$ac_config_files Makefile"
 
 
-have_proxyprotocol=0
 
 
 
@@ -3160,6 +3206,130 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for hosts_ctl in -lwrap" >&5
+printf %s "checking for hosts_ctl in -lwrap... " >&6; }
+if test ${ac_cv_lib_wrap_hosts_ctl+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lwrap  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+char hosts_ctl ();
+int
+main (void)
+{
+return hosts_ctl ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"
+then :
+  ac_cv_lib_wrap_hosts_ctl=yes
+else $as_nop
+  ac_cv_lib_wrap_hosts_ctl=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_wrap_hosts_ctl" >&5
+printf "%s\n" "$ac_cv_lib_wrap_hosts_ctl" >&6; }
+if test "x$ac_cv_lib_wrap_hosts_ctl" = xyes
+then :
+  printf "%s\n" "#define HAVE_LIBWRAP 1" >>confdefs.h
+ LIBS="$LIBS -lwrap"
+fi
+
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for cap_get_proc in -lcap" >&5
+printf %s "checking for cap_get_proc in -lcap... " >&6; }
+if test ${ac_cv_lib_cap_cap_get_proc+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcap  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+char cap_get_proc ();
+int
+main (void)
+{
+return cap_get_proc ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"
+then :
+  ac_cv_lib_cap_cap_get_proc=yes
+else $as_nop
+  ac_cv_lib_cap_cap_get_proc=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_cap_get_proc" >&5
+printf "%s\n" "$ac_cv_lib_cap_cap_get_proc" >&6; }
+if test "x$ac_cv_lib_cap_cap_get_proc" = xyes
+then :
+  printf "%s\n" "#define HAVE_LIBCAP 1" >>confdefs.h
+ LIBS="$LIBS -lcap"
+fi
+
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for setproctitle in -lbsd" >&5
+printf %s "checking for setproctitle in -lbsd... " >&6; }
+if test ${ac_cv_lib_bsd_setproctitle+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lbsd  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+char setproctitle ();
+int
+main (void)
+{
+return setproctitle ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"
+then :
+  ac_cv_lib_bsd_setproctitle=yes
+else $as_nop
+  ac_cv_lib_bsd_setproctitle=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bsd_setproctitle" >&5
+printf "%s\n" "$ac_cv_lib_bsd_setproctitle" >&6; }
+if test "x$ac_cv_lib_bsd_setproctitle" = xyes
+then :
+  printf "%s\n" "#define HAVE_LIBBSD 1" >>confdefs.h
+ LIBS="$LIBS -lbsd"
+fi
+
+
 ac_header= ac_cache=
 for ac_item in $ac_header_c_list
 do
@@ -3207,16 +3377,10 @@ if test "x$ac_cv_header_proxy_protocol_h" = xyes
 then :
   printf "%s\n" "#define HAVE_PROXY_PROTOCOL_H 1" >>confdefs.h
  printf "%s\n" "#define HAVE_PROXYPROTOCOL 1" >>confdefs.h
-
-else $as_nop
-  have_proxyprotocol=1
+ LIBS="$LIBS -lproxyprotocol"
 fi
 
 done
-if test $have_proxyprotocol == 0
-then
-    LIBS="$LIBS -lproxyprotocol"
-fi
 
 LIBS="$LIBS"
 

configure.ac

@@ -7,13 +7,12 @@ AC_INIT
 AC_CONFIG_HEADERS(config.h)
 AC_CONFIG_FILES([Makefile])
 
-have_proxyprotocol=0
+AC_CHECK_LIB([wrap], [hosts_ctl], [AC_DEFINE(HAVE_LIBWRAP) LIBS="$LIBS -lwrap" ], [])
+AC_CHECK_LIB([cap], [cap_get_proc], [AC_DEFINE(HAVE_LIBCAP) LIBS="$LIBS -lcap" ], [])
+AC_CHECK_LIB([bsd], [setproctitle], [AC_DEFINE(HAVE_LIBBSD) LIBS="$LIBS -lbsd" ], [])
+
 AC_CHECK_HEADERS(linux/landlock.h, AC_DEFINE(HAVE_LANDLOCK), [])
-AC_CHECK_HEADERS(proxy_protocol.h, AC_DEFINE(HAVE_PROXYPROTOCOL), [have_proxyprotocol=1])
-if test $have_proxyprotocol == 0
-then
-    LIBS="$LIBS -lproxyprotocol"
-fi
+AC_CHECK_HEADERS(proxy_protocol.h, [AC_DEFINE(HAVE_PROXYPROTOCOL) LIBS="$LIBS -lproxyprotocol" ], [])
 
 LIBS="$LIBS"
 AC_SUBST([LIBS])

doc/INSTALL.md

@@ -22,19 +22,20 @@ Dependencies
 
 * [libwrap](http://packages.debian.org/source/unstable/tcp-wrappers).
   For Debian, this is contained in packages `libwrap0-dev`.
-  You can compile with or without it using USELIBWRAP in the Makefile.
+  Presence of libwrap is checked by the configure script.
 
 * [libsystemd](http://packages.debian.org/source/unstable/libsystemd-dev), in package `libsystemd-dev`.
   You can compile with or without it using USESYSTEMD in the Makefile.
 
 * [libcap](http://packages.debian.org/source/unstable/libcap-dev), in package `libcap-dev`.
-  You can compile with or without it using USELIBCAP in the Makefile
+  Presence of libcap is checked by the configure script.
 
 * [libconfig++-dev](https://packages.debian.org/bookworm/libconfig++-dev), in package `lìbconfig++-dev`
     
 * libbsd, to enable to change the process name (as shown in `ps`,
   so each forked process shows what protocol and what connection it is serving),
   which requires `libbsd` at runtime, and `libbsd-dev` at compile-time.
+  Presence of libbsd is checked by the configure script.
 
 * libpcre2, in package `libpcre2-dev`.
   You can compile with or without it using ENABLE_REGEX in the Makefile.

sslh-fork.c

@@ -26,7 +26,7 @@
 #include "tcp-probe.h"
 #include "log.h"
 
-#ifdef LIBBSD
+#if HAVE_LIBBSD
 #include <bsd/unistd.h>
 #endif
 
@@ -147,7 +147,7 @@ void stop_listeners(int sig)
 
 void set_listen_procname(struct listen_endpoint *listen_socket)
 {
-#ifdef LIBBSD
+#if HAVE_LIBBSD
     int res;
     struct addrinfo addr;
     struct sockaddr_storage ss;

sslh-main.c

@@ -30,20 +30,24 @@
 #include <pcre2.h>
 #endif
 
-#ifdef LIBBSD
-#include <bsd/unistd.h>
-#endif
-
 #include "common.h"
 #include "probe.h"
 #include "log.h"
 #include "tcp-probe.h"
 
+#if HAVE_LIBBSD
+#include <bsd/unistd.h>
+#endif
+
+#if HAVE_LIBCAP
+#include <sys/capability.h>
+#endif
+
 /* Constants for options that have no one-character shorthand */
 #define OPT_ONTIMEOUT   257
 
 static void printcaps(void) {
-#ifdef LIBCAP
+#if HAVE_LIBCAP
     cap_t caps;
     char* desc;
     ssize_t len;
@@ -282,7 +286,7 @@ int main(int argc, char *argv[], char* envp[])
    int res, num_addr_listen;
    struct listen_endpoint *listen_sockets;
 
-#ifdef LIBBSD
+#if HAVE_LIBBSD
    setproctitle_init(argc, argv, envp);
 #endif
 

version.h

@@ -1,5 +1,5 @@
 #ifndef VERSION_H 
 #define VERSION_H 
 
-#define VERSION "v2.1.4-25-gbf08229-dirty"
+#define VERSION "v2.1.4-29-ge527b8e-dirty"
 #endif