third-party-mirrors/sslh
1
0
Fork 0
mirror of https://github.com/yrutschle/sslh.git synced 2025-04-12 15:17:14 +03:00
Code Issues Packages Projects Releases Wiki Activity

sync and resolve merge conflict

Browse Source
This commit is contained in:
clement 2023-08-09 23:36:01 +08:00
commit 9e7b4b751f
17 changed files with 127 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
ChangeLog
View File

@ -1,5 +1,5 @@
v2.0: v2.0:
New sslh-ev: this is functionaly equivalent to New sslh-ev: this is functionally equivalent to
sslh-select (mono-process, only forks for specified sslh-select (mono-process, only forks for specified
protocols), but based on libev, which should make it protocols), but based on libev, which should make it
scalable to large numbers of connections. scalable to large numbers of connections.
@ -41,7 +41,7 @@ v1.22: 17AUG2021
combined with incoming TLS with SNI. UDP clients combined with incoming TLS with SNI. UDP clients
and servers need to agree on the IPv4/IPv6 they use: and servers need to agree on the IPv4/IPv6 they use:
use the same protocol on all sides! Often, this use the same protocol on all sides! Often, this
means explicitely using 'ip4-localhost'. means explicitly using 'ip4-localhost'.
UDP sender-receiver pairs (connections, so to speak) UDP sender-receiver pairs (connections, so to speak)
are kept for 60s, which can be changed with are kept for 60s, which can be changed with
`udp_timeout` in the configuration. `udp_timeout` in the configuration.
@ -83,7 +83,7 @@ v1.21: 11JUL2020
Added TCP_FASTOPEN support for client sockets (if Added TCP_FASTOPEN support for client sockets (if
tfo_ok is specified in their configuration) and for tfo_ok is specified in their configuration) and for
listenint socket, if all client protocols support it. listening socket, if all client protocols support it.
(Craig Andrews) (Craig Andrews)
Added 'minlength' option to skip a probe if less Added 'minlength' option to skip a probe if less
@ -109,8 +109,8 @@ v1.20: 20NOV2018
Before, probes were tried in order, repeating on the Before, probes were tried in order, repeating on the
same probe as long it returned PROBE_AGAIN before same probe as long it returned PROBE_AGAIN before
moving to the next one. This means a probe which moving to the next one. This means a probe which
requires a lot of data (i.e. returne PROBE_AGAIN for requires a lot of data (i.e. return PROBE_AGAIN for
a long time) could prevent sucessful matches from a long time) could prevent successful matches from
subsequent probes. The configuration file needed to subsequent probes. The configuration file needed to
take that into account. take that into account.
@ -171,7 +171,7 @@ v1.18: 29MAR2016
v1.17: 09MAR2015 v1.17: 09MAR2015
Support RFC5952-style IPv6 addresses, e.g. [::]:443. Support RFC5952-style IPv6 addresses, e.g. [::]:443.
Transparant proxy support for FreeBSD. Transparent proxy support for FreeBSD.
(Ruben van Staveren) (Ruben van Staveren)
Using -F with no argument will try Using -F with no argument will try
@ -200,7 +200,7 @@ v1.16: 11FEB2014
Libcap support: Keep only CAP_NET_ADMIN if started Libcap support: Keep only CAP_NET_ADMIN if started
as root with transparent proxying and dropping as root with transparent proxying and dropping
priviledges (enable USELIBCAP in Makefile). This privileges (enable USELIBCAP in Makefile). This
avoids having to mess with filesystem capabilities. avoids having to mess with filesystem capabilities.
(Sebastian Schmidt/yath) (Sebastian Schmidt/yath)
@ -209,7 +209,7 @@ v1.16: 11FEB2014
actual errors if connections are dropped before actual errors if connections are dropped before
getting to getpeername). getting to getpeername).
Set IP_FREEDBIND if available to bind to addresses Set IP_FREEBIND if available to bind to addresses
that don't yet exist. that don't yet exist.
v1.15: 27JUL2013 v1.15: 27JUL2013
@ -294,7 +294,7 @@ v1.11: 21APR2012
--user isn't specified, just run as current user. --user isn't specified, just run as current user.
No longer create PID file by default, it should be No longer create PID file by default, it should be
explicitely set with --pidfile. explicitly set with --pidfile.
No longer log to syslog if in foreground. Logs are No longer log to syslog if in foreground. Logs are
instead output to stderr. instead output to stderr.
@ -385,7 +385,7 @@ v1.8: 15JUL2011
v1.7: 01FEB2010 v1.7: 01FEB2010
Added CentOS init.d script (Andre Krajnik). Added CentOS init.d script (Andre Krajnik).
Fixed default ssl address inconsistancy, now Fixed default ssl address inconsistency, now
defaults to "localhost:443" and fixed documentation defaults to "localhost:443" and fixed documentation
accordingly (pointed by Markus Schalke). accordingly (pointed by Markus Schalke).

33
Dockerfile
View File

@ -1,23 +1,38 @@
FROM alpine:latest as build ARG ALPINE_VERSION="latest"
ARG TARGET_ARCH="library"
FROM docker.io/${TARGET_ARCH}/alpine:${ALPINE_VERSION} AS build
WORKDIR /sslh WORKDIR /sslh
RUN apk add gcc libconfig-dev make musl-dev pcre2-dev perl RUN apk add --no-cache \
'gcc' \
'libconfig-dev' \
'make' \
'musl-dev' \
'pcre2-dev' \
'perl' \
;
COPY . /sslh COPY . /sslh
RUN make sslh-select && strip sslh-select RUN make sslh-select && strip sslh-select
FROM alpine:latest FROM docker.io/${TARGET_ARCH}/alpine:${ALPINE_VERSION}
RUN apk --no-cache add libconfig pcre2 iptables ip6tables libcap
RUN adduser sslh --shell /bin/sh --disabled-password
COPY --from=build "/sslh/sslh-select" "/usr/local/bin/sslh" COPY --from=build "/sslh/sslh-select" "/usr/local/bin/sslh"
RUN setcap cap_net_bind_service,cap_net_raw+ep /usr/local/bin/sslh RUN apk add --no-cache \
'libconfig' \
'pcre2' \
'iptables' \
'ip6tables' \
'libcap' \
&& \
adduser -s '/bin/sh' -S -D sslh && \
setcap cap_net_bind_service,cap_net_raw+ep /usr/local/bin/sslh
COPY "./container-entrypoint.sh" "/init" COPY "./container-entrypoint.sh" "/init"
ENTRYPOINT [ "/init" ] ENTRYPOINT [ "/init" ]
# required for updating iptables # required for updating iptables
USER root:root USER root:root

26
argtable3.c
View File

@ -2876,9 +2876,9 @@ static void arg_file_resetfn(struct arg_file* parent) {
static const char* arg_basename(const char* filename) { static const char* arg_basename(const char* filename) {
const char *result = NULL, *result1, *result2; const char *result = NULL, *result1, *result2;
/* Find the last occurrence of eother file separator character. */ /* Find the last occurrence of other file separator character. */
/* Two alternative file separator chars are supported as legal */ /* Two alternative file separator chars are supported as legal */
/* file separators but not both together in the same filename. */ /* file separators but not both together in the same filename. */
result1 = (filename ? strrchr(filename, FILESEPARATOR1) : NULL); result1 = (filename ? strrchr(filename, FILESEPARATOR1) : NULL);
result2 = (filename ? strrchr(filename, FILESEPARATOR2) : NULL); result2 = (filename ? strrchr(filename, FILESEPARATOR2) : NULL);
@ -2927,7 +2927,7 @@ static int arg_file_scanfn(struct arg_file* parent, const char* argval) {
} else if (!argval) { } else if (!argval) {
/* a valid argument with no argument value was given. */ /* a valid argument with no argument value was given. */
/* This happens when an optional argument value was invoked. */ /* This happens when an optional argument value was invoked. */
/* leave parent arguiment value unaltered but still count the argument. */ /* leave parent argument value unaltered but still count the argument. */
parent->count++; parent->count++;
} else { } else {
parent->filename[parent->count] = argval; parent->filename[parent->count] = argval;
@ -3173,7 +3173,7 @@ static int arg_int_scanfn(struct arg_int* parent, const char* argval) {
} else if (!argval) { } else if (!argval) {
/* a valid argument with no argument value was given. */ /* a valid argument with no argument value was given. */
/* This happens when an optional argument value was invoked. */ /* This happens when an optional argument value was invoked. */
/* leave parent arguiment value unaltered but still count the argument. */ /* leave parent argument value unaltered but still count the argument. */
parent->count++; parent->count++;
} else { } else {
long int val; long int val;
@ -3813,8 +3813,8 @@ static const TRexChar* g_nnames[] = {_SC("NONE"), _SC("OP_GREEDY"), _SC("OP_O
#endif #endif
#define OP_GREEDY (MAX_CHAR + 1) /* * + ? {n} */ #define OP_GREEDY (MAX_CHAR + 1) /* * + ? {n} */
#define OP_OR (MAX_CHAR + 2) #define OP_OR (MAX_CHAR + 2)
#define OP_EXPR (MAX_CHAR + 3) /* parentesis () */ #define OP_EXPR (MAX_CHAR + 3) /* parenthesis () */
#define OP_NOCAPEXPR (MAX_CHAR + 4) /* parentesis (?:) */ #define OP_NOCAPEXPR (MAX_CHAR + 4) /* parenthesis (?:) */
#define OP_DOT (MAX_CHAR + 5) #define OP_DOT (MAX_CHAR + 5)
#define OP_CLASS (MAX_CHAR + 6) #define OP_CLASS (MAX_CHAR + 6)
#define OP_CCLASS (MAX_CHAR + 7) #define OP_CCLASS (MAX_CHAR + 7)
@ -5313,7 +5313,7 @@ static void arg_parse_untagged(int argc, char** argv, struct arg_hdr** table, st
} }
} }
/* if a tenative error still remains at this point then register it as a proper error */ /* if a tentative error still remains at this point then register it as a proper error */
if (errorlast) { if (errorlast) {
arg_register_error(endtable, parentlast, errorlast, optarglast); arg_register_error(endtable, parentlast, errorlast, optarglast);
optind++; optind++;
@ -5384,7 +5384,7 @@ int arg_parse(int argc, char** argv, void** argtable) {
/* /*
Fill in the local copy of argv[]. We need a local copy Fill in the local copy of argv[]. We need a local copy
because getopt rearranges argv[] which adversely affects because getopt rearranges argv[] which adversely affects
susbsequent parsing attempts. subsequent parsing attempts.
*/ */
for (i = 0; i < argc; i++) for (i = 0; i < argc; i++)
argvcopy[i] = argv[i]; argvcopy[i] = argv[i];
@ -5451,7 +5451,7 @@ static void arg_cat_option(char* dest, size_t ndest, const char* shortopts, cons
if (shortopts) { if (shortopts) {
char option[3]; char option[3];
/* note: option array[] is initialiazed dynamically here to satisfy */ /* note: option array[] is initialized dynamically here to satisfy */
/* a deficiency in the watcom compiler wrt static array initializers. */ /* a deficiency in the watcom compiler wrt static array initializers. */
option[0] = '-'; option[0] = '-';
option[1] = shortopts[0]; option[1] = shortopts[0];
@ -5509,7 +5509,7 @@ static void arg_cat_optionv(char* dest, size_t ndest, const char* shortopts, con
/* "-a|-b|-c" */ /* "-a|-b|-c" */
char shortopt[3]; char shortopt[3];
/* note: shortopt array[] is initialiazed dynamically here to satisfy */ /* note: shortopt array[] is initialized dynamically here to satisfy */
/* a deficiency in the watcom compiler wrt static array initializers. */ /* a deficiency in the watcom compiler wrt static array initializers. */
shortopt[0] = '-'; shortopt[0] = '-';
shortopt[1] = *c; shortopt[1] = *c;
@ -5881,7 +5881,7 @@ static void arg_print_formatted_ds(arg_dstr_t ds, const unsigned lmargin, const
* Prints the glossary in strict GNU format. * Prints the glossary in strict GNU format.
* Differences to arg_print_glossary() are: * Differences to arg_print_glossary() are:
* - wraps lines after 80 chars * - wraps lines after 80 chars
* - indents lines without shortops * - indents lines without shortopts
* - does not accept formatstrings * - does not accept formatstrings
* *
* Contributed by Uli Fouquet * Contributed by Uli Fouquet
@ -5956,7 +5956,7 @@ int arg_nullcheck(void** argtable) {
* that entry were still allocated ok. Those subsequent allocations will not be * that entry were still allocated ok. Those subsequent allocations will not be
* deallocated by arg_free(). * deallocated by arg_free().
* Despite the unlikeliness of the problem occurring, and the even unlikelier event * Despite the unlikeliness of the problem occurring, and the even unlikelier event
* that it has any deliterious effect, it is fixed regardless by replacing arg_free() * that it has any deleterious effect, it is fixed regardless by replacing arg_free()
* with the newer arg_freetable() function. * with the newer arg_freetable() function.
* We still keep arg_free() for backwards compatibility. * We still keep arg_free() for backwards compatibility.
*/ */

4
argtable3.h
View File

@ -87,7 +87,7 @@ typedef int(arg_comparefn)(const void* k1, const void* k2);
* that particular arg_xxx arguments, performing post-parse checks, and * that particular arg_xxx arguments, performing post-parse checks, and
* reporting errors. * reporting errors.
* These functions are private to the individual arg_xxx source code * These functions are private to the individual arg_xxx source code
* and are the pointer to them are initiliased by that arg_xxx struct's * and are the pointer to them are initialised by that arg_xxx struct's
* constructor function. The user could alter them after construction * constructor function. The user could alter them after construction
* if desired, but the original intention is for them to be set by the * if desired, but the original intention is for them to be set by the
* constructor and left unaltered. * constructor and left unaltered.
@ -95,7 +95,7 @@ typedef int(arg_comparefn)(const void* k1, const void* k2);
typedef struct arg_hdr { typedef struct arg_hdr {
char flag; /* Modifier flags: ARG_TERMINATOR, ARG_HASVALUE. */ char flag; /* Modifier flags: ARG_TERMINATOR, ARG_HASVALUE. */
const char* shortopts; /* String defining the short options */ const char* shortopts; /* String defining the short options */
const char* longopts; /* String defiing the long options */ const char* longopts; /* String defining the long options */
const char* datatype; /* Description of the argument data type */ const char* datatype; /* Description of the argument data type */
const char* glossary; /* Description of the option as shown by arg_print_glossary function */ const char* glossary; /* Description of the option as shown by arg_print_glossary function */
int mincount; /* Minimum number of occurences of this option accepted */ int mincount; /* Minimum number of occurences of this option accepted */

111
container-entrypoint.sh
View File

@ -1,5 +1,4 @@
#!/bin/sh #!/bin/sh
# SPDX-License-Identifier: GPL2-or-later # SPDX-License-Identifier: GPL2-or-later
# #
# Copyright (C) 2023 Olliver Schinagl <oliver@schinagl.nl> # Copyright (C) 2023 Olliver Schinagl <oliver@schinagl.nl>
@ -20,81 +19,79 @@ if [ "${#}" -le 0 ] || \
entrypoint='true' entrypoint='true'
fi fi
############################################################################
unconfigure_iptables() { unconfigure_iptables() {
echo "Received SIG TERM/INT/KILL. Removing iptables / routing changes" echo "Received SIG TERM/INT/KILL. Removing iptables / routing changes"
set +e # Don't exit if got error set +e # Don't exit if got error
set -x set -x
iptables -t raw -D PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP iptables -t raw -D PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
iptables -t mangle -D POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP iptables -t mangle -D POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
iptables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f iptables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
iptables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f iptables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
ip rule del fwmark 0x1 lookup 100 ip rule del fwmark 0x1 lookup 100
ip route del local 0.0.0.0/0 dev lo table 100 ip route del local 0.0.0.0/0 dev lo table 100
if [ $(cat /proc/sys/net/ipv6/conf/all/disable_ipv6) -eq 0 ]; then if [ $(cat /proc/sys/net/ipv6/conf/all/disable_ipv6) -eq 0 ]; then
ip6tables -t raw -D PREROUTING ! -i lo -d ::1/128 -j DROP ip6tables -t raw -D PREROUTING ! -i lo -d ::1/128 -j DROP
ip6tables -t mangle -D POSTROUTING ! -o lo -s ::1/128 -j DROP ip6tables -t mangle -D POSTROUTING ! -o lo -s ::1/128 -j DROP
ip6tables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f ip6tables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
ip6tables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f ip6tables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
ip -6 rule del fwmark 0x1 lookup 100 ip -6 rule del fwmark 0x1 lookup 100
ip -6 route del local ::/0 dev lo table 100 ip -6 route del local ::/0 dev lo table 100
fi fi
set -e set -e
set +x set +x
} }
configure_iptables() { configure_iptables() {
echo "Configuring iptables and routing..." echo "Configuring iptables and routing..."
set +e # Don't exit if got error set +e # Don't exit if got error
set -x set -x
iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
ip rule add fwmark 0x1 lookup 100 ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100 ip route add local 0.0.0.0/0 dev lo table 100
if [ $(cat /proc/sys/net/ipv6/conf/all/disable_ipv6) -eq 0 ]; then if [ $(cat /proc/sys/net/ipv6/conf/all/disable_ipv6) -eq 0 ]; then
ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP
ip6tables -t mangle -A POSTROUTING ! -o lo -s ::1/128 -j DROP ip6tables -t mangle -A POSTROUTING ! -o lo -s ::1/128 -j DROP
ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
ip6tables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f ip6tables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
ip -6 rule add fwmark 0x1 lookup 100 ip -6 rule add fwmark 0x1 lookup 100
ip -6 route add local ::/0 dev lo table 100 ip -6 route add local ::/0 dev lo table 100
fi fi
set -e set -e
set +x set +x
} }
for i in "$@" ; do for _args in "${@}" ; do
if [ "${i}" = "--transparent" ] ; then if [ "${_args:-}" = '--transparent' ] ; then
echo "--transparent is set" echo '--transparent flag is set'
configure_iptables configure_iptables
trap unconfigure_iptables TERM INT KILL trap unconfigure_iptables TERM INT KILL
break break
fi fi
done done
#run command as sslh user # Drop privileges and run as sslh user
command="${entrypoint:+${bin}} ${@}" sslh_cmd="${entrypoint:+${bin}} ${@}"
echo "executing with user 'sslh': $command" echo "Executing with user 'sslh': ${sslh_cmd}"
exec su - sslh -c "$command" & exec su - sslh -c "${sslh_cmd}" &
wait $! wait "${!}"
exit 0 exit 0

2
doc/FAQ.md
View File

@ -7,7 +7,7 @@ doesn't work, report how what was suggested here went.
It's also worth reading [how to ask It's also worth reading [how to ask
questions](http://www.catb.org/~esr/faqs/smart-questions.html) questions](http://www.catb.org/~esr/faqs/smart-questions.html)
before posting on the mailing list or opening an issue in before posting on the mailing list or opening an issue in
Github. GitHub.
Getting more info Getting more info
================= =================

6
doc/config.md
View File

@ -92,7 +92,7 @@ to the executable:
sudo setcap cap_net_bind_service,cap_net_raw+pe sslh-select sudo setcap cap_net_bind_service,cap_net_raw+pe sslh-select
Then you can run sslh-select as an unpriviledged user, e.g.: Then you can run sslh-select as an unprivileged user, e.g.:
sslh-select -p myname:443 --ssh localhost:22 --tls localhost:443 sslh-select -p myname:443 --ssh localhost:22 --tls localhost:443
@ -167,7 +167,7 @@ This parses the /etc/sslh.cfg (or /etc/sslh/sslh.cfg file if that exists
instead) configuration file and dynamically generates a socket file to use. instead) configuration file and dynamically generates a socket file to use.
This will also merge with any sslh.socket.d drop in configuration but will be This will also merge with any sslh.socket.d drop in configuration but will be
overriden by a /etc/systemd/system/sslh.socket file. overridden by a /etc/systemd/system/sslh.socket file.
To use the generator place it in /usr/lib/systemd/system-generators and then To use the generator place it in /usr/lib/systemd/system-generators and then
call systemctl daemon-reload after any changes to /etc/sslh.cfg to generate call systemctl daemon-reload after any changes to /etc/sslh.cfg to generate
@ -196,7 +196,7 @@ will wait for incoming UDP packets, run the probes in the
usual fashion, and forward packets to the appropriate usual fashion, and forward packets to the appropriate
target. `sslh` will then remember the association between target. `sslh` will then remember the association between
remote host to target server for 60 seconds by default, remote host to target server for 60 seconds by default,
which can be overriden with `udp_timeout`. This allows to which can be overridden with `udp_timeout`. This allows to
process both single-datagram protocols such as DNS, and process both single-datagram protocols such as DNS, and
connection-based protocols such as QUIC. connection-based protocols such as QUIC.

2
doc/tproxy.md
View File

@ -60,7 +60,7 @@ this scheme -- let me know if you manage that:
ip rule add fwmark 0x1 lookup 100 ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100 ip route add local 0.0.0.0/0 dev lo table 100
Tranparent proxying with IPv6 is similarly set up as follows: Transparent proxying with IPv6 is similarly set up as follows:
# Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination # Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination
# Not sure if this is needed for ipv6 though # Not sure if this is needed for ipv6 though

6
echosrv-conf.c
View File

@ -365,7 +365,7 @@ static int clcpy(config_type type, void* target, const void* cl_arg)
return 0; return 0;
} }
/* Copy the value of a string argument to arbitary memory /* Copy the value of a string argument to arbitrary memory
* location that must be large enough, converting on the way * location that must be large enough, converting on the way
* (i.e. CFG_INT gets atoi() and so on) */ * (i.e. CFG_INT gets atoi() and so on) */
/* 0: success /* 0: success
@ -862,7 +862,7 @@ static int set_target_fields(void* target_addr, struct compound_cl_arg* arg, con
if (pmatch[pmatch_cnt].rm_so == -1) { if (pmatch[pmatch_cnt].rm_so == -1) {
/* This should not happen as regexec() did /* This should not happen as regexec() did
* match before, unless there is a * match before, unless there is a
* discrepency between the regex and the * discrepancy between the regex and the
* number of backreferences */ * number of backreferences */
return 0; return 0;
} }
@ -1155,7 +1155,7 @@ static void scalar_to_string(char** strp, config_setting_t* s)
/* Typesets all the settings in a configuration as a /* Typesets all the settings in a configuration as a
* newly-allocated string. The string management is caller's * newly-allocated string. The string management is caller's
* responsability. * responsibility.
* Returns the number of scalars in the configuration */ * Returns the number of scalars in the configuration */
static int cfg_as_string(config_setting_t* parent, const char* path, char** strp) static int cfg_as_string(config_setting_t* parent, const char* path, char** strp)
{ {

2
echosrv.c
View File

@ -1,6 +1,6 @@
/* echosrv: a simple line echo server with optional prefix adding. /* echosrv: a simple line echo server with optional prefix adding.
* *
* echsrv --listen localhost6:1234 --prefix "ssl: " * echosrv --listen localhost6:1234 --prefix "ssl: "
* *
* This will bind to 1234, and echo every line pre-pending "ssl: ". This is * This will bind to 1234, and echo every line pre-pending "ssl: ". This is
* used for testing: we create several such servers with different prefixes, * used for testing: we create several such servers with different prefixes,

10
genver.sh
View File

@ -10,14 +10,14 @@ fi
if [ ! -d .git ] || ! `(git status | grep -q "On branch") 2> /dev/null`; then if [ ! -d .git ] || ! `(git status | grep -q "On branch") 2> /dev/null`; then
# If we don't have git, we can't work out what # If we don't have git, we can't work out what
# version this is. It must have been downloaded as a # version this is. It must have been downloaded as a
# zip file. # zip file.
# If downloaded from the release page, the directory # If downloaded from the release page, the directory
# has the version number. # has the version number.
release=`pwd | sed s/.*sslh-// | grep "[[:digit:]]"` release=`pwd | sed s/.*sslh-// | grep "[[:digit:]]"`
if [ "x$release" = "x" ]; then if [ "x$release" = "x" ]; then
# If downloaded from the head, Github creates the # If downloaded from the head, GitHub creates the
# zip file with all files dated from the last # zip file with all files dated from the last
# change: use the Makefile's modification time as a # change: use the Makefile's modification time as a
# release number # release number
@ -28,7 +28,7 @@ fi
if [ -d .git ] && head=`git rev-parse --verify HEAD 2>/dev/null`; then if [ -d .git ] && head=`git rev-parse --verify HEAD 2>/dev/null`; then
# generate the version info based on the tag # generate the version info based on the tag
release=`(git describe --tags || git --describe || git describe --all --long) \ release=`(git describe --tags || git --describe || git describe --all --long) \
2>/dev/null | tr -d '\n'` 2>/dev/null | tr -s '/' '-' | tr -d '\n'`
# Are there uncommitted changes? # Are there uncommitted changes?
git update-index --refresh --unmerged > /dev/null git update-index --refresh --unmerged > /dev/null

2
hashtest/run
View File

@ -5,7 +5,7 @@
# Tests scripts are in *.tst files. # Tests scripts are in *.tst files.
# Corresponding output is put in *.out. # Corresponding output is put in *.out.
# Reference output is put in *.ref. # Reference output is put in *.ref.
# Any discrepency will be reported! # Any discrepancy will be reported!
use strict; use strict;

2
scripts/etc.sysconfig.sslh
View File

@ -18,7 +18,7 @@
#CONFIG=/etc/sslh.cfg #CONFIG=/etc/sslh.cfg
# #
# Extra option to pass on comand line # Extra option to pass on command line
# Those can supersede configuration file settings # Those can supersede configuration file settings
# #
#OPTIONS= #OPTIONS=

2
scripts/fail2ban/sslh-ssh.conf
View File

@ -8,7 +8,7 @@
# but many connection attempts from the same # but many connection attempts from the same
# origin is reason enough to block. # origin is reason enough to block.
# #
# Verion: 2014-03-28 # Version: 2014-03-28
[INCLUDES] [INCLUDES]

6
sslh-conf.c
View File

@ -365,7 +365,7 @@ static int clcpy(config_type type, void* target, const void* cl_arg)
return 0; return 0;
} }
/* Copy the value of a string argument to arbitary memory /* Copy the value of a string argument to arbitrary memory
* location that must be large enough, converting on the way * location that must be large enough, converting on the way
* (i.e. CFG_INT gets atoi() and so on) */ * (i.e. CFG_INT gets atoi() and so on) */
/* 0: success /* 0: success
@ -1818,7 +1818,7 @@ static int set_target_fields(void* target_addr, struct compound_cl_arg* arg, con
if (pmatch[pmatch_cnt].rm_so == -1) { if (pmatch[pmatch_cnt].rm_so == -1) {
/* This should not happen as regexec() did /* This should not happen as regexec() did
* match before, unless there is a * match before, unless there is a
* discrepency between the regex and the * discrepancy between the regex and the
* number of backreferences */ * number of backreferences */
return 0; return 0;
} }
@ -2111,7 +2111,7 @@ static void scalar_to_string(char** strp, config_setting_t* s)
/* Typesets all the settings in a configuration as a /* Typesets all the settings in a configuration as a
* newly-allocated string. The string management is caller's * newly-allocated string. The string management is caller's
* responsability. * responsibility.
* Returns the number of scalars in the configuration */ * Returns the number of scalars in the configuration */
static int cfg_as_string(config_setting_t* parent, const char* path, char** strp) static int cfg_as_string(config_setting_t* parent, const char* path, char** strp)
{ {

2
t
View File

@ -396,7 +396,7 @@ if ($RB_RESOLVE_ADDRESS) {
my $sslh_pid; my $sslh_pid;
if (!($sslh_pid = fork)) { if (!($sslh_pid = fork)) {
my $user = (getpwuid $<)[0]; # Run under current username my $user = (getpwuid $<)[0]; # Run under current username
exec "./sslh-select -v 3 -f -u $user --listen blahblah.dontexist:9000 --ssh $ssh_address --tls $ssl_address -P $pidfile"; exec "./sslh-select -v 3 -f -u $user --listen blahblah.nonexistent:9000 --ssh $ssh_address --tls $ssl_address -P $pidfile";
} }
warn "spawned $sslh_pid\n"; warn "spawned $sslh_pid\n";
waitpid $sslh_pid, 0; waitpid $sslh_pid, 0;

6
udp-listener.c
View File

@ -92,7 +92,7 @@ static void udp_protocol_list_init(void)
} }
/* Configuration sanity check for UDP: /* Configuration sanity check for UDP:
* - If there is a listening addres, there must be at least one target * - If there is a listening address, there must be at least one target
*/ */
static void udp_sanity_check(void) static void udp_sanity_check(void)
{ {
@ -251,7 +251,7 @@ struct connection* udp_c2s_forward(int sockfd, struct loop_info* fd_info)
ssize_t len; ssize_t len;
socklen_t addrlen; socklen_t addrlen;
int res, target, out = -1; int res, target, out = -1;
char data[65536]; /* Theoritical max is 65507 (https://en.wikipedia.org/wiki/User_Datagram_Protocol). char data[65536]; /* Theoretical max is 65507 (https://en.wikipedia.org/wiki/User_Datagram_Protocol).
This will do. Dynamic allocation is possible with the MSG_PEEK flag in recvfrom(2), but that'd imply This will do. Dynamic allocation is possible with the MSG_PEEK flag in recvfrom(2), but that'd imply
malloc/free overhead for each packet, when really 64K is not that much */ malloc/free overhead for each packet, when really 64K is not that much */
@ -294,7 +294,7 @@ struct connection* udp_c2s_forward(int sockfd, struct loop_info* fd_info)
res = new_source(fd_info->hash_sources, cnx); res = new_source(fd_info->hash_sources, cnx);
if (res == -1) { if (res == -1) {
print_message(msg_connections_error, "Out of hash space for new incoming UDP connection -- increaѕe udp_max_connections"); print_message(msg_connections_error, "Out of hash space for new incoming UDP connection -- increase udp_max_connections");
collection_remove_cnx(collection, cnx); collection_remove_cnx(collection, cnx);
return NULL; return NULL;
} }