diff --git a/Makefile.in b/Makefile.in index 343c6bf..6fa856a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -10,10 +10,7 @@ ENABLE_SANITIZER= # Enable ASAN/LSAN/UBSAN ENABLE_REGEX=1 # Enable regex probes USELIBCONFIG=1 # Use libconfig? (necessary to use configuration files) USELIBEV=1 # Use libev? -USELIBWRAP?= # Use libwrap? -USELIBCAP= # Use libcap? USESYSTEMD= # Make use of systemd socket activation -USELIBBSD?= # Use libbsd (needed to update process name in `ps`) COV_TEST= # Perform test coverage? PREFIX?=/usr BINDIR?=$(PREFIX)/sbin @@ -46,11 +43,6 @@ EV_OBJS=processes.o udp-listener.o sslh-ev.o hash.o tcp-listener.o $(OBJS_A) CONDITIONAL_TARGETS= -ifneq ($(strip $(USELIBWRAP)),) - LIBS:=$(LIBS) -lwrap - CPPFLAGS+=-DLIBWRAP -endif - ifneq ($(strip $(ENABLE_REGEX)),) CPPFLAGS+=-DENABLE_REGEX endif @@ -60,22 +52,12 @@ ifneq ($(strip $(USELIBCONFIG)),) CPPFLAGS+=-DLIBCONFIG endif -ifneq ($(strip $(USELIBCAP)),) - LIBS:=$(LIBS) -lcap - CPPFLAGS+=-DLIBCAP -endif - ifneq ($(strip $(USESYSTEMD)),) LIBS:=$(LIBS) -lsystemd CPPFLAGS+=-DSYSTEMD CONDITIONAL_TARGETS+=systemd-sslh-generator endif -ifneq ($(strip $(USELIBBSD)),) - LIBS:=$(LIBS) -lbsd - CPPFLAGS+=-DLIBBSD -endif - ifneq ($(strip $(USELIBEV)),) CONDITIONAL_TARGETS+=sslh-ev endif diff --git a/common.c b/common.c index 66a722d..d1ab402 100644 --- a/common.c +++ b/common.c @@ -19,6 +19,11 @@ #include "log.h" #include "sslh-conf.h" +#if HAVE_LIBCAP +#include +#include +#endif + /* Added to make the code compilable under CYGWIN * */ #ifndef SA_NOCLDWAIT @@ -31,7 +36,7 @@ #include #endif -#ifdef LIBBSD +#ifdef HAVE_LIBBSD #include #endif @@ -43,7 +48,7 @@ struct sslhcfg_item cfg; struct addrinfo *addr_listen = NULL; /* what addresses do we listen to? */ -#ifdef LIBWRAP +#ifdef HAVE_LIBWRAP #include int allow_severity =0, deny_severity = 0; #endif 
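Review bot: The guard style for the new config.h macros is mixed within this patch: common.c tests `#if HAVE_LIBCAP` in the include block added at line 22 but `#ifdef HAVE_LIBBSD` and `#ifdef HAVE_LIBWRAP` at lines 39 and 51, while the sslh-fork.c and sslh-main.c hunks later test `#if HAVE_LIBBSD` for the very macro common.c tests with `#ifdef`. Both forms agree today only because configure defines each macro to 1; a `-DHAVE_LIBCAP=0` on the command line or a future `#define HAVE_LIBBSD 0` in config.h would enable the `#ifdef` sites and disable the `#if` ones, so pick one form and use it at every site. These guards also now depend on config.h having been included first, which in this patch happens only through common.h (see the common.h hunk); the libcap block at common.c line 22 follows `#include "sslh-conf.h"` and I cannot see whether common.h precedes it, so if it does not, HAVE_LIBCAP silently evaluates to 0 and the capability headers are skipped with no diagnostic. A direct `#include "config.h"` as the first include of every .c file that tests a HAVE_* macro would remove that ordering dependency.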
@@ -750,7 +755,7 @@ int get_connection_desc(struct connection_desc* desc, const struct connection *c void set_proctitle_shovel(struct connection_desc* desc, const struct connection *cnx) { -#ifdef LIBBSD +#ifdef HAVE_LIBBSD struct connection_desc d; if (!desc) { @@ -775,7 +780,7 @@ void set_proctitle_shovel(struct connection_desc* desc, const struct connection */ int check_access_rights(int in_socket, const char* service) { -#ifdef LIBWRAP +#ifdef HAVE_LIBWRAP union { struct sockaddr saddr; struct sockaddr_storage ss; @@ -802,7 +807,7 @@ int check_access_rights(int in_socket, const char* service) } } - if (!hosts_ctl(service, host, addr_str, STRING_UNKNOWN)) { + if (!hosts_ctl((char*)service, host, addr_str, STRING_UNKNOWN)) { print_message(msg_connections, "connection from %s(%s): access denied", host, addr_str); close(in_socket); return -1; @@ -841,7 +846,7 @@ void setup_signals(void) /* Ask OS to keep capabilities over a setuid(nonzero) */ void set_keepcaps(int val) { -#ifdef LIBCAP +#if HAVE_LIBCAP int res; res = prctl(PR_SET_KEEPCAPS, val, 0, 0, 0); if (res) { @@ -854,7 +859,7 @@ void set_keepcaps(int val) { /* Returns true if anything requires transparent proxying. */ static int use_transparent(void) { -#ifdef LIBCAP +#if HAVE_LIBCAP if (cfg.transparent) return 1; @@ -870,7 +875,7 @@ static int use_transparent(void) * IN: cap_net_admin: set to 1 to set CAP_NET_RAW * */ void set_capabilities(int cap_net_admin) { -#ifdef LIBCAP +#if HAVE_LIBCAP int res; cap_t caps; cap_value_t cap_list[10]; diff --git a/common.h b/common.h index 02666dc..d186015 100644 --- a/common.h +++ b/common.h @@ -34,6 +34,7 @@ #include #endif +#include "config.h" #include "version.h" #define MAX(a, b) (((a) > (b)) ? (a) : (b)) diff --git a/config.h.in b/config.h.in index 62ee771..983a8c7 100644 --- a/config.h.in +++ b/config.h.in 
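Review bot: The `(char*)service` cast added in check_access_rights at line 810 deserves a comment, because a bare const-stripping cast reads like a defect to the next reviewer. `hosts_ctl()` is declared in tcpd.h with non-const `char *` parameters, and the cast exists only to match that prototype, not because the string is written to. Suggest `/* tcpd.h declares hosts_ctl() with non-const char*; it is not expected to write through it */` on the line above the call. The body of check_access_rights starts and ends outside this hunk.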
@@ -3,10 +3,19 @@ #ifndef CONFIG_H /* Template for config.h, filled by `configure`. */ +/* Libwrap, to support host_ctl, /etc/allow and /etc/deny */ +#undef HAVE_LIBWRAP + /* Landlock sandboxing Linux LSM */ #undef HAVE_LANDLOCK /* Support for Proxy-protocol using libproxyprotocol */ #undef HAVE_PROXYPROTOCOL +/* libcap support, to use Linux capabilities */ +#undef HAVE_LIBCAP + +/* libbsd, to change process name */ +#undef HAVE_LIBBSD + #endif diff --git a/configure b/configure index 389f127..789c55e 100755 --- a/configure +++ b/configure 
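Review bot: The new comment above `#undef HAVE_LIBWRAP` misnames both the function and the files it relies on: the symbol the configure check looks for is `hosts_ctl` (per `AC_CHECK_LIB([wrap], [hosts_ctl], …)` in configure.ac), and tcp_wrappers reads `/etc/hosts.allow` and `/etc/hosts.deny`, not `/etc/allow` and `/etc/deny`. Suggest `/* libwrap, for hosts_ctl() host-based access control via /etc/hosts.allow and /etc/hosts.deny */`. Since these macros now decide whether access control and privilege reduction are compiled in at all, the libcap comment would also be more useful if it named the consumer, e.g. `/* libcap: lets set_capabilities() reduce the process capability set */`.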
@@ -1445,6 +1445,53 @@ fi } # ac_fn_c_try_compile +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_link () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext conftest.beam conftest$ac_exeext + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +printf "%s\n" "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + test -x conftest$ac_exeext + } +then : + ac_retval=0 +else $as_nop + printf "%s\n" "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information + # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would + # interfere with the next link command; also delete a directory that is + # left behind by Apple's compiler. We do this before executing the actions. + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_link + # ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists and can be compiled using the include files in @@ -2163,7 +2210,6 @@ ac_config_headers="$ac_config_headers config.h" ac_config_files="$ac_config_files Makefile" -have_proxyprotocol=0 
@@ -3160,6 +3206,130 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $ ac_compiler_gnu=$ac_cv_c_compiler_gnu +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for hosts_ctl in -lwrap" >&5 +printf %s "checking for hosts_ctl in -lwrap... " >&6; } +if test ${ac_cv_lib_wrap_hosts_ctl+y} +then : + printf %s "(cached) " >&6 +else $as_nop + ac_check_lib_save_LIBS=$LIBS +LIBS="-lwrap $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +char hosts_ctl (); +int +main (void) +{ +return hosts_ctl (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ac_cv_lib_wrap_hosts_ctl=yes +else $as_nop + ac_cv_lib_wrap_hosts_ctl=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_wrap_hosts_ctl" >&5 +printf "%s\n" "$ac_cv_lib_wrap_hosts_ctl" >&6; } +if test "x$ac_cv_lib_wrap_hosts_ctl" = xyes +then : + printf "%s\n" "#define HAVE_LIBWRAP 1" >>confdefs.h + LIBS="$LIBS -lwrap" +fi + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for cap_get_proc in -lcap" >&5 +printf %s "checking for cap_get_proc in -lcap... " >&6; } +if test ${ac_cv_lib_cap_cap_get_proc+y} +then : + printf %s "(cached) " >&6 +else $as_nop + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcap $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +char cap_get_proc (); +int +main (void) +{ +return cap_get_proc (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ac_cv_lib_cap_cap_get_proc=yes +else $as_nop + ac_cv_lib_cap_cap_get_proc=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_cap_get_proc" >&5 +printf "%s\n" "$ac_cv_lib_cap_cap_get_proc" >&6; } +if test "x$ac_cv_lib_cap_cap_get_proc" = xyes +then : + printf "%s\n" "#define HAVE_LIBCAP 1" >>confdefs.h + LIBS="$LIBS -lcap" +fi + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for setproctitle in -lbsd" >&5 +printf %s "checking for setproctitle in -lbsd... " >&6; } +if test ${ac_cv_lib_bsd_setproctitle+y} +then : + printf %s "(cached) " >&6 +else $as_nop + ac_check_lib_save_LIBS=$LIBS +LIBS="-lbsd $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +char setproctitle (); +int +main (void) +{ +return setproctitle (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ac_cv_lib_bsd_setproctitle=yes +else $as_nop + ac_cv_lib_bsd_setproctitle=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bsd_setproctitle" >&5 +printf "%s\n" "$ac_cv_lib_bsd_setproctitle" >&6; } +if test "x$ac_cv_lib_bsd_setproctitle" = xyes +then : + printf "%s\n" "#define HAVE_LIBBSD 1" >>confdefs.h + LIBS="$LIBS -lbsd" +fi + + ac_header= ac_cache= for ac_item in $ac_header_c_list do 
@@ -3207,16 +3377,10 @@ if test "x$ac_cv_header_proxy_protocol_h" = xyes then : printf "%s\n" "#define HAVE_PROXY_PROTOCOL_H 1" >>confdefs.h printf "%s\n" "#define HAVE_PROXYPROTOCOL 1" >>confdefs.h - -else $as_nop - have_proxyprotocol=1 + LIBS="$LIBS -lproxyprotocol" fi done -if test $have_proxyprotocol == 0 -then - LIBS="$LIBS -lproxyprotocol" -fi LIBS="$LIBS" diff --git a/configure.ac b/configure.ac index ab26206..c7d7e9d 100644 --- a/configure.ac +++ b/configure.ac @@ -7,13 +7,12 @@ AC_INIT AC_CONFIG_HEADERS(config.h) AC_CONFIG_FILES([Makefile]) -have_proxyprotocol=0 +AC_CHECK_LIB([wrap], [hosts_ctl], [AC_DEFINE(HAVE_LIBWRAP) LIBS="$LIBS -lwrap" ], []) +AC_CHECK_LIB([cap], [cap_get_proc], [AC_DEFINE(HAVE_LIBCAP) LIBS="$LIBS -lcap" ], []) +AC_CHECK_LIB([bsd], [setproctitle], [AC_DEFINE(HAVE_LIBBSD) LIBS="$LIBS -lbsd" ], []) + AC_CHECK_HEADERS(linux/landlock.h, AC_DEFINE(HAVE_LANDLOCK), []) -AC_CHECK_HEADERS(proxy_protocol.h, AC_DEFINE(HAVE_PROXYPROTOCOL), [have_proxyprotocol=1]) -if test $have_proxyprotocol == 0 -then - LIBS="$LIBS -lproxyprotocol" -fi +AC_CHECK_HEADERS(proxy_protocol.h, [AC_DEFINE(HAVE_PROXYPROTOCOL) LIBS="$LIBS -lproxyprotocol" ], []) LIBS="$LIBS" AC_SUBST([LIBS]) diff --git a/doc/INSTALL.md b/doc/INSTALL.md index 8ce26d2..983da2a 100644 --- a/doc/INSTALL.md +++ b/doc/INSTALL.md 
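Review bot: The three new `AC_CHECK_LIB` calls make libwrap, libcap and libbsd purely opportunistic and give a packager no way to require any of them: if libcap's development files are absent on the build host, HAVE_LIBCAP stays undefined, the `#if HAVE_LIBCAP` bodies of set_keepcaps(), use_transparent() and set_capabilities() in common.c compile out, and the only trace in the configure output is a `no` result. Because these checks gate privilege reduction and host-based access control, consider an `AC_ARG_WITH([libcap], …)` (and the same for libwrap) whose `--with-` form turns a failed check into `AC_MSG_ERROR`, plus an `AC_MSG_NOTICE` summary of which of the three were enabled. Pairing each link check with `AC_CHECK_HEADERS([tcpd.h sys/capability.h])` would also move a missing-header failure from mid-build to configure time. I cannot see the `#else` branches of the guarded functions, so the no-op behaviour is inferred from the USELIBCAP Makefile knob this patch removes, which previously made that omission an explicit choice.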
@@ -22,19 +22,20 @@ Dependencies * [libwrap](http://packages.debian.org/source/unstable/tcp-wrappers). For Debian, this is contained in packages `libwrap0-dev`. - You can compile with or without it using USELIBWRAP in the Makefile. + Presence of libwrap is checked by the configure script. * [libsystemd](http://packages.debian.org/source/unstable/libsystemd-dev), in package `libsystemd-dev`. You can compile with or without it using USESYSTEMD in the Makefile. * [libcap](http://packages.debian.org/source/unstable/libcap-dev), in package `libcap-dev`. - You can compile with or without it using USELIBCAP in the Makefile + Presence of libcap is checked by the configure script. * [libconfig++-dev](https://packages.debian.org/bookworm/libconfig++-dev), in package `lìbconfig++-dev` * libbsd, to enable to change the process name (as shown in `ps`, so each forked process shows what protocol and what connection it is serving), which requires `libbsd` at runtime, and `libbsd-dev` at compile-time. + Presence of libbsd is checked by the configure script. * libpcre2, in package `libpcre2-dev`. You can compile with or without it using ENABLE_REGEX in the Makefile. diff --git a/sslh-fork.c b/sslh-fork.c index 3418cc5..4cd7888 100644 --- a/sslh-fork.c +++ b/sslh-fork.c @@ -26,7 +26,7 @@ #include "tcp-probe.h" #include "log.h" -#ifdef LIBBSD +#if HAVE_LIBBSD #include #endif @@ -147,7 +147,7 @@ void stop_listeners(int sig) void set_listen_procname(struct listen_endpoint *listen_socket) { -#ifdef LIBBSD +#if HAVE_LIBBSD int res; struct addrinfo addr; struct sockaddr_storage ss; diff --git a/sslh-main.c b/sslh-main.c index 7c91400..160d9fc 100644 --- a/sslh-main.c +++ b/sslh-main.c 
@@ -30,20 +30,24 @@ #include #endif -#ifdef LIBBSD -#include -#endif - #include "common.h" #include "probe.h" #include "log.h" #include "tcp-probe.h" +#if HAVE_LIBBSD +#include +#endif + +#if HAVE_LIBCAP +#include +#endif + /* Constants for options that have no one-character shorthand */ #define OPT_ONTIMEOUT 257 static void printcaps(void) { -#ifdef LIBCAP +#if HAVE_LIBCAP cap_t caps; char* desc; ssize_t len; @@ -282,7 +286,7 @@ int main(int argc, char *argv[], char* envp[]) int res, num_addr_listen; struct listen_endpoint *listen_sockets; -#ifdef LIBBSD +#if HAVE_LIBBSD setproctitle_init(argc, argv, envp); #endif diff --git a/version.h b/version.h index 9514aee..2bfe6b1 100644 --- a/version.h +++ b/version.h @@ -1,5 +1,5 @@ #ifndef VERSION_H #define VERSION_H -#define VERSION "v2.1.4-25-gbf08229-dirty" +#define VERSION "v2.1.4-29-ge527b8e-dirty" #endif