diff --git a/ChangeLog b/ChangeLog index 5e4ad26..e75849a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +vNEXT: + New log system: instead of --verbose with arbitrary + levels, there are now several message classes. Each + message class can be set to go to stderr, syslog, or + both. Classes are documented in example.cfg. + + inetd merges stderr output to what is sent to the + client, which is a security issue as it might give + information to an attacker. When inetd is activated, + stderr is forcibly closed. + v1.22: 17AUG2021 sslh-select now supports UDP protocols. Probes specified in the `protocols` diff --git a/example.cfg b/example.cfg index 974a3f9..2542420 100644 --- a/example.cfg +++ b/example.cfg @@ -12,11 +12,21 @@ user: "nobody"; pidfile: "/var/run/sslh.pid"; chroot: "/var/empty"; -verbose: 0; - # Logging configuration # Value: 1: stdout; 2: syslog; 3: both -verbose-config: 0; # config: print configuration at startup +# Defaults are indicated here, and should be sensible. Generally, you want *-error +# to be always enabled, to know if something is going wrong. +verbose-config: 0; # print configuration at startup +verbose-config-error: 3; # print configuration errors +verbose-connections: 3; # trace established incoming address to forward address +verbose-connections-error: 3; # connection errors +verbose-connections-try: 0; # connection attempts towards targets +verbose-fd: 0; # file descriptor activity, open/close/whatnot +verbose-packets: 0; # hexdump packets on which probing is done +verbose-probe-info: 0; # what's happening during the probe process +verbose-probe-error: 3; # failures and problems during probing +verbose-system-error: 3; # system call problem, i.e. malloc, fork, failing +verbose-int-error: 3; # internal errors, the kind that should never happen # Specify which syslog facility to use (names for your diff --git a/probe.c b/probe.c index a1171b7..ee9f423 100644 --- a/probe.c +++ b/probe.c 
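Review bot: The new per-class defaults are placed under the existing header `# Value: 1: stdout; 2: syslog; 3: both`, while the ChangeLog in this same commit says each class goes to stderr, and sslh-main.c closes stderr in inetd mode for precisely that reason, so unless the logger really writes to stdout this header is now wrong in the block users will copy; I would change it to `# Value: 0: off; 1: stderr; 2: syslog; 3: both`, and document the 0 value either way since most of the defaults added here use it. The `verbose-packets` line hexdumps the first bytes of every probed connection, which can include client payload such as HTTP headers, so its comment should say it is a debugging aid meant to stay at 0 on production hosts, e.g. `verbose-packets: 0; # hexdump packets on which probing is done (debug only; logs client data)`.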
@@ -350,10 +350,8 @@ int probe_buffer(char* buf, int len, struct sslhcfg_protocols_item** proto) struct sslhcfg_protocols_item* p; int i, res, again = 0; - if (cfg.verbose > 1) { - print_message(msg_packets, "hexdump of incoming packet:\n"); - hexdump(msg_packets, buf, len); - } + print_message(msg_packets, "hexdump of incoming packet:\n"); + hexdump(msg_packets, buf, len); *proto = NULL; for (i = 0; i < cfg.protocols_len; i++) { diff --git a/sslh-conf.c b/sslh-conf.c index 9f7da74..0afdfb6 100644 --- a/sslh-conf.c +++ b/sslh-conf.c @@ -1,5 +1,5 @@ /* Generated by conf2struct (https://www.rutschle.net/tech/conf2struct/README) - * on Sun Sep 26 16:54:06 2021. + * on Mon Sep 27 13:21:48 2021. # conf2struct: generate libconf parsers that read to structs # Copyright (C) 2018-2021 Yves Rutschle @@ -454,7 +454,6 @@ struct arg_file* sslhcfg_conffile; struct arg_int* sslhcfg_verbose_probe_error; struct arg_int* sslhcfg_verbose_system_error; struct arg_int* sslhcfg_verbose_int_error; - struct arg_int* sslhcfg_verbose; struct arg_lit* sslhcfg_version; struct arg_lit* sslhcfg_foreground; struct arg_lit* sslhcfg_inetd; @@ -794,7 +793,7 @@ static struct config_desc table_sslhcfg_listen[] = { }, { 0 } }; - + static struct config_desc table_sslhcfg[] = { @@ -974,22 +973,6 @@ static struct config_desc table_sslhcfg[] = { /* default_val*/ .default_val.def_int = 3 }, - { - /* name */ "verbose", - /* type */ CFG_INT, - /* sub_group*/ NULL, - /* arg_cl */ & sslhcfg_verbose, - /* base_addr */ NULL, - /* offset */ offsetof(struct sslhcfg_item, verbose), - /* offset_len */ 0, - /* offset_present */ 0, - /* size */ sizeof(int), - /* array_type */ -1, - /* mandatory */ 1, - /* optional */ 0, - /* default_val*/ .default_val.def_int = 0 - }, - { /* name */ "version", /* type */ CFG_BOOL, 
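Review bot: With the `cfg.verbose > 1` guard gone, whether a packet is dumped at all is now decided inside print_message()/hexdump() by the msg_packets class, which this hunk does not show; hexdump() in particular needs to check the class before it formats the buffer, otherwise every probed connection pays the formatting cost even with verbose-packets at 0 (inferred, since hexdump's body is not visible here). A one-line comment at the call site would make that contract explicit: `/* output is gated by verbose-packets inside print_message()/hexdump() */`. probe_buffer continues outside the hunk.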
@@ -1310,7 +1293,7 @@ static struct compound_cl_arg compound_cl_args[] = { { /* arg: listen */ .regex = "(.+):(\\w+)", .arg_cl = & sslhcfg_listen, - .base_entry = & table_sslhcfg [24], + .base_entry = & table_sslhcfg [23], .targets = sslhcfg_listen_targets, @@ -1322,7 +1305,7 @@ static struct compound_cl_arg compound_cl_args[] = { { /* arg: ssh */ .regex = "(.+):(\\w+)", .arg_cl = & sslhcfg_ssh, - .base_entry = & table_sslhcfg [25], + .base_entry = & table_sslhcfg [24], .targets = sslhcfg_ssh_targets, @@ -1334,7 +1317,7 @@ static struct compound_cl_arg compound_cl_args[] = { { /* arg: tls */ .regex = "(.+):(\\w+)", .arg_cl = & sslhcfg_tls, - .base_entry = & table_sslhcfg [25], + .base_entry = & table_sslhcfg [24], .targets = sslhcfg_tls_targets, @@ -1346,7 +1329,7 @@ static struct compound_cl_arg compound_cl_args[] = { { /* arg: openvpn */ .regex = "(.+):(\\w+)", .arg_cl = & sslhcfg_openvpn, - .base_entry = & table_sslhcfg [25], + .base_entry = & table_sslhcfg [24], .targets = sslhcfg_openvpn_targets, @@ -1358,7 +1341,7 @@ static struct compound_cl_arg compound_cl_args[] = { { /* arg: tinc */ .regex = "(.+):(\\w+)", .arg_cl = & sslhcfg_tinc, - .base_entry = & table_sslhcfg [25], + .base_entry = & table_sslhcfg [24], .targets = sslhcfg_tinc_targets, @@ -1370,7 +1353,7 @@ static struct compound_cl_arg compound_cl_args[] = { { /* arg: xmpp */ .regex = "(.+):(\\w+)", .arg_cl = & sslhcfg_xmpp, - .base_entry = & table_sslhcfg [25], + .base_entry = & table_sslhcfg [24], .targets = sslhcfg_xmpp_targets, @@ -1382,7 +1365,7 @@ static struct compound_cl_arg compound_cl_args[] = { { /* arg: http */ .regex = "(.+):(\\w+)", .arg_cl = & sslhcfg_http, - .base_entry = & table_sslhcfg [25], + .base_entry = & table_sslhcfg [24], .targets = sslhcfg_http_targets, 
@@ -1394,7 +1377,7 @@ static struct compound_cl_arg compound_cl_args[] = { { /* arg: adb */ .regex = "(.+):(\\w+)", .arg_cl = & sslhcfg_adb, - .base_entry = & table_sslhcfg [25], + .base_entry = & table_sslhcfg [24], .targets = sslhcfg_adb_targets, @@ -1406,7 +1389,7 @@ static struct compound_cl_arg compound_cl_args[] = { { /* arg: socks5 */ .regex = "(.+):(\\w+)", .arg_cl = & sslhcfg_socks5, - .base_entry = & table_sslhcfg [25], + .base_entry = & table_sslhcfg [24], .targets = sslhcfg_socks5_targets, @@ -1418,7 +1401,7 @@ static struct compound_cl_arg compound_cl_args[] = { { /* arg: syslog */ .regex = "(.+):(\\w+)", .arg_cl = & sslhcfg_syslog, - .base_entry = & table_sslhcfg [25], + .base_entry = & table_sslhcfg [24], .targets = sslhcfg_syslog_targets, @@ -1430,7 +1413,7 @@ static struct compound_cl_arg compound_cl_args[] = { { /* arg: anyprot */ .regex = "(.+):(\\w+)", .arg_cl = & sslhcfg_anyprot, - .base_entry = & table_sslhcfg [25], + .base_entry = & table_sslhcfg [24], .targets = sslhcfg_anyprot_targets, @@ -2106,7 +2089,6 @@ int sslhcfg_cl_parse(int argc, char* argv[], struct sslhcfg_item* cfg) sslhcfg_verbose_probe_error = arg_intn(NULL, "verbose-probe-error", "", 0, 1, ""), sslhcfg_verbose_system_error = arg_intn(NULL, "verbose-system-error", "", 0, 1, ""), sslhcfg_verbose_int_error = arg_intn(NULL, "verbose-int-error", "", 0, 1, ""), - sslhcfg_verbose = arg_intn("v", "verbose", "", 0, 1, ""), sslhcfg_version = arg_litn("V", "version", 0, 1, "Print version information and exit"), sslhcfg_foreground = arg_litn("f", "foreground", 0, 1, "Run in foreground instead of as a daemon"), sslhcfg_inetd = arg_litn("i", "inetd", 0, 1, "Run in inetd mode: use stdin/stdout instead of network listen"), 
@@ -2308,9 +2290,6 @@ void sslhcfg_fprint( fprintf(out, "verbose_int_error: %d", sslhcfg->verbose_int_error); fprintf(out, "\n"); indent(out, depth); - fprintf(out, "verbose: %d", sslhcfg->verbose); - fprintf(out, "\n"); - indent(out, depth); fprintf(out, "version: %d", sslhcfg->version); fprintf(out, "\n"); indent(out, depth); diff --git a/sslh-conf.h b/sslh-conf.h index 192ae76..e50197d 100644 --- a/sslh-conf.h +++ b/sslh-conf.h @@ -1,5 +1,5 @@ /* Generated by conf2struct (https://www.rutschle.net/tech/conf2struct/README) - * on Sun Sep 26 16:54:06 2021. + * on Mon Sep 27 13:21:48 2021. # conf2struct: generate libconf parsers that read to structs # Copyright (C) 2018-2021 Yves Rutschle @@ -85,7 +85,6 @@ struct sslhcfg_item { int verbose_probe_error; int verbose_system_error; int verbose_int_error; - int verbose; int version; int foreground; int inetd; diff --git a/sslh-main.c b/sslh-main.c index c1076f6..9f326a5 100644 --- a/sslh-main.c +++ b/sslh-main.c @@ -196,7 +196,6 @@ int main(int argc, char *argv[], char* envp[]) if (cfg.inetd) { - cfg.verbose = 0; close(fileno(stderr)); /* Make sure no error will go to client */ start_shoveler(0); exit(0); diff --git a/sslhconf.cfg b/sslhconf.cfg index c03b8ea..d84c081 100644 --- a/sslhconf.cfg +++ b/sslhconf.cfg @@ -39,7 +39,6 @@ config: { { name: "verbose-system-error"; type: "int"; default: 3; }, { name: "verbose-int-error"; type: "int"; default: 3; }, - { name: "verbose"; type: "int"; short: "v" }, # to delete { name: "version"; type: "bool"; default: false; short: "V"; description: "Print version information and exit"; }, diff --git a/test.cfg b/test.cfg index 2b95c65..4330cfa 100644 --- a/test.cfg +++ b/test.cfg @@ -1,7 +1,6 @@ # Configuration file for testing (use both by sslh under # test and the test script `t`) -verbose: 4; foreground: true; inetd: false; numeric: true; 
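Review bot: Removing `cfg.verbose = 0` leaves the message classes at their defaults (3 = both destinations for the *-error classes per example.cfg), so in inetd mode the logger will still attempt stderr writes, and `close(fileno(stderr))` on its own makes fd 2 the next free descriptor — a socket opened afterwards by start_shoveler(0) can land on it, and any later stderr write would then go to that connection, which is exactly what the comment says it wants to prevent. Redirect instead of closing: `freopen("/dev/null", "w", stderr); /* no error output may reach the client */` (or dup2() an O_WRONLY /dev/null descriptor onto fd 2), and consider also clearing the stderr bit of every class when cfg.inetd is set so the writes are not attempted at all. Whether start_shoveler opens new descriptors is inferred, not visible here; main continues outside the hunk.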
@@ -15,16 +14,17 @@ syslog_facility: "auth"; # Value: 1: stdout; 2: syslog; 3: both # Defaults should be sensible. Generally, you want *-error # to be always enabled, to know if something is going wrong. -#verbose-config: 3; # config: print configuration at startup -#verbose-config-error: 3; #config-error: print configuration errors -#verbose-connections: 3; #config-connections: track connections -#verbose-fd: 3; # file descriptor activity, open/close/whatnot +verbose-config: 3; # print configuration at startup +verbose-config-error: 3; # print configuration errors +verbose-connections: 3; # trace established incoming address to forward address +verbose-connections-error: 3; # connection errors +verbose-connections-try: 3; # connection attempts towards targets +verbose-fd: 3; # file descriptor activity, open/close/whatnot verbose-packets: 3; # hexdump packets on which probing is done -#verbose-system-error: 3; # system call problem, i.e. malloc, fork, failing -#verbose-int-error: 3; # internal errors, the kind that should never happen -#verbose-connections-try: 3; # connection attempts towards targets -#verbose-connections: 3; # trace established incoming address to forward address -# verbose-connections-error: 3; # connection errors +verbose-probe-info: 3; # what's happening during the probe process +verbose-probe-error: 3; # failures and problems during probing +verbose-system-error: 3; # system call problem, i.e. malloc, fork, failing +verbose-int-error: 3; # internal errors, the kind that should never happen # List of interfaces on which we should listen # Options: