op public repos

Blame

Date:: Fri Feb 4 23:41:07 2022 UTC
Message:: add kamiproxy: a 9p-over-tls proxy for plaintext 9p kamiproxy is a TLS-capable proxy that forwards the traffic it gets over plaintext 9p on a local port to a remote 9p server. It uses (and mandates) tls client certificates.
Actions:: History | Blob | Raw File
  1 d188f690 2022-02-04 op /*
  2 d188f690 2022-02-04 op  * Copyright (c) 2022 Omar Polo <op@omarpolo.com>
  3 d188f690 2022-02-04 op  *
  4 d188f690 2022-02-04 op  * Permission to use, copy, modify, and distribute this software for any
  5 d188f690 2022-02-04 op  * purpose with or without fee is hereby granted, provided that the above
  6 d188f690 2022-02-04 op  * copyright notice and this permission notice appear in all copies.
  7 d188f690 2022-02-04 op  *
  8 d188f690 2022-02-04 op  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  9 d188f690 2022-02-04 op  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 10 d188f690 2022-02-04 op  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 11 d188f690 2022-02-04 op  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 12 d188f690 2022-02-04 op  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 13 d188f690 2022-02-04 op  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 14 d188f690 2022-02-04 op  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 15 d188f690 2022-02-04 op  */
 16 d188f690 2022-02-04 op 
 17 d188f690 2022-02-04 op #include "compat.h"
 18 d188f690 2022-02-04 op 
 19 d188f690 2022-02-04 op #include <sys/types.h>
 20 d188f690 2022-02-04 op #include <sys/socket.h>
 21 d188f690 2022-02-04 op 
 22 d188f690 2022-02-04 op #include <netdb.h>
 23 d188f690 2022-02-04 op 
 24 d188f690 2022-02-04 op #include <errno.h>
 25 d188f690 2022-02-04 op #include <signal.h>
 26 d188f690 2022-02-04 op #include <stdio.h>
 27 d188f690 2022-02-04 op #include <stdlib.h>
 28 d188f690 2022-02-04 op #include <string.h>
 29 d188f690 2022-02-04 op #include <syslog.h>
 30 d188f690 2022-02-04 op #include <tls.h>
 31 d188f690 2022-02-04 op #include <unistd.h>
 32 d188f690 2022-02-04 op 
 33 d188f690 2022-02-04 op #include "log.h"
 34 d188f690 2022-02-04 op 
 35 d188f690 2022-02-04 op #define MIN(a, b) ((a) < (b) ? (a) : (b))
 36 d188f690 2022-02-04 op 
 37 d188f690 2022-02-04 op int		 debug;
 38 d188f690 2022-02-04 op int		 verbose;
 39 d188f690 2022-02-04 op const char	*tohost;
 40 d188f690 2022-02-04 op const char	*fromhost;
 41 d188f690 2022-02-04 op 
 42 d188f690 2022-02-04 op uint8_t		*cert;
 43 d188f690 2022-02-04 op size_t		 certlen;
 44 d188f690 2022-02-04 op uint8_t		*key;
 45 d188f690 2022-02-04 op size_t		 keylen;
 46 d188f690 2022-02-04 op 
 47 d188f690 2022-02-04 op #define MAXSOCK 32
 48 d188f690 2022-02-04 op struct event	sockev[MAXSOCK];
 49 d188f690 2022-02-04 op int		socks[MAXSOCK];
 50 d188f690 2022-02-04 op int		nsock;
 51 d188f690 2022-02-04 op 
 52 d188f690 2022-02-04 op char		kamihost[64];
 53 d188f690 2022-02-04 op char		kamiport[8];
 54 d188f690 2022-02-04 op 
 55 d188f690 2022-02-04 op struct conn {
 56 d188f690 2022-02-04 op 	struct tls		*ctx;
 57 d188f690 2022-02-04 op 	struct bufferevent	*server;
 58 d188f690 2022-02-04 op 	int			 kfd;
 59 d188f690 2022-02-04 op 	struct bufferevent	*client;
 60 d188f690 2022-02-04 op 	int			 lfd;
 61 d188f690 2022-02-04 op };
 62 d188f690 2022-02-04 op 
 63 d188f690 2022-02-04 op #ifndef __OpenBSD__
 64 d188f690 2022-02-04 op # define pledge(a, b) (0)
 65 d188f690 2022-02-04 op #endif
 66 d188f690 2022-02-04 op 
 67 d188f690 2022-02-04 op static const char *
 68 d188f690 2022-02-04 op copysec(const char *s, char *d, size_t len)
 69 d188f690 2022-02-04 op {
 70 d188f690 2022-02-04 op 	const char *c;
 71 d188f690 2022-02-04 op 
 72 d188f690 2022-02-04 op 	if ((c = strchr(s, ':')) == NULL)
 73 d188f690 2022-02-04 op 		return NULL;
 74 d188f690 2022-02-04 op 	if ((size_t)(c-s) >= len-1)
 75 d188f690 2022-02-04 op 		return NULL;
 76 d188f690 2022-02-04 op 	memset(d, 0, len);
 77 d188f690 2022-02-04 op 	memcpy(d, s, c - s);
 78 d188f690 2022-02-04 op 	return c;
 79 d188f690 2022-02-04 op }
 80 d188f690 2022-02-04 op 
 81 d188f690 2022-02-04 op static void
 82 d188f690 2022-02-04 op parse_tohost(void)
 83 d188f690 2022-02-04 op {
 84 d188f690 2022-02-04 op 	const char *c;
 85 d188f690 2022-02-04 op 
 86 d188f690 2022-02-04 op 	if ((c = strchr(tohost, ':')) == NULL) {
 87 d188f690 2022-02-04 op 		strlcpy(kamihost, tohost, sizeof(kamihost));
 88 d188f690 2022-02-04 op 		strlcpy(kamiport, "1337", sizeof(kamiport));
 89 d188f690 2022-02-04 op 		return;
 90 d188f690 2022-02-04 op 	}
 91 d188f690 2022-02-04 op 
 92 d188f690 2022-02-04 op 	if ((c = copysec(tohost, kamihost, sizeof(kamihost))) == NULL)
 93 d188f690 2022-02-04 op 		fatalx("hostname too long: %s", tohost);
 94 d188f690 2022-02-04 op 
 95 d188f690 2022-02-04 op 	strlcpy(kamiport, c+1, sizeof(kamiport));
 96 d188f690 2022-02-04 op }
 97 d188f690 2022-02-04 op 
 98 d188f690 2022-02-04 op static void
 99 d188f690 2022-02-04 op tls_readcb(int fd, short event, void *d)
100 d188f690 2022-02-04 op {
101 d188f690 2022-02-04 op 	struct bufferevent	*bufev = d;
102 d188f690 2022-02-04 op 	struct conn		*conn = bufev->cbarg;
103 d188f690 2022-02-04 op 	char			 buf[IBUF_READ_SIZE];
104 d188f690 2022-02-04 op 	int			 what = EVBUFFER_READ;
105 d188f690 2022-02-04 op 	int			 howmuch = IBUF_READ_SIZE;
106 d188f690 2022-02-04 op 	ssize_t			 ret;
107 d188f690 2022-02-04 op 	size_t			 len;
108 d188f690 2022-02-04 op 
109 d188f690 2022-02-04 op 	if (event == EV_TIMEOUT) {
110 d188f690 2022-02-04 op 		what |= EVBUFFER_TIMEOUT;
111 d188f690 2022-02-04 op 		goto err;
112 d188f690 2022-02-04 op 	}
113 d188f690 2022-02-04 op 
114 d188f690 2022-02-04 op 	if (bufev->wm_read.high != 0)
115 d188f690 2022-02-04 op 		howmuch = MIN(sizeof(buf), bufev->wm_read.high);
116 d188f690 2022-02-04 op 
117 d188f690 2022-02-04 op 	switch (ret = tls_read(conn->ctx, buf, howmuch)) {
118 d188f690 2022-02-04 op 	case TLS_WANT_POLLIN:
119 d188f690 2022-02-04 op 	case TLS_WANT_POLLOUT:
120 d188f690 2022-02-04 op 		goto retry;
121 d188f690 2022-02-04 op 	case -1:
122 d188f690 2022-02-04 op 		what |= EVBUFFER_ERROR;
123 d188f690 2022-02-04 op 		goto err;
124 d188f690 2022-02-04 op 	}
125 d188f690 2022-02-04 op 	len = ret;
126 d188f690 2022-02-04 op 
127 d188f690 2022-02-04 op 	if (len == 0) {
128 d188f690 2022-02-04 op 		what |= EVBUFFER_EOF;
129 d188f690 2022-02-04 op 		goto err;
130 d188f690 2022-02-04 op 	}
131 d188f690 2022-02-04 op 
132 d188f690 2022-02-04 op 	if (evbuffer_add(bufev->input, buf, len) == -1) {
133 d188f690 2022-02-04 op 		what |= EVBUFFER_ERROR;
134 d188f690 2022-02-04 op 		goto err;
135 d188f690 2022-02-04 op 	}
136 d188f690 2022-02-04 op 
137 d188f690 2022-02-04 op 	event_add(&bufev->ev_read, NULL);
138 d188f690 2022-02-04 op 
139 d188f690 2022-02-04 op 	len = EVBUFFER_LENGTH(bufev->input);
140 d188f690 2022-02-04 op 	if (bufev->wm_read.low != 0 && len < bufev->wm_read.low)
141 d188f690 2022-02-04 op 		return;
142 d188f690 2022-02-04 op 	if (bufev->wm_read.high != 0 && len > bufev->wm_read.high) {
143 d188f690 2022-02-04 op 		/*
144 d188f690 2022-02-04 op 		 * here we could implement some read pressure
145 d188f690 2022-02-04 op 		 * mechanism.
146 d188f690 2022-02-04 op 		 */
147 d188f690 2022-02-04 op 	}
148 d188f690 2022-02-04 op 
149 d188f690 2022-02-04 op 	if (bufev->readcb != NULL)
150 d188f690 2022-02-04 op 		(*bufev->readcb)(bufev, bufev->cbarg);
151 d188f690 2022-02-04 op 
152 d188f690 2022-02-04 op 	return;
153 d188f690 2022-02-04 op 
154 d188f690 2022-02-04 op retry:
155 d188f690 2022-02-04 op 	event_add(&bufev->ev_read, NULL);
156 d188f690 2022-02-04 op 	return;
157 d188f690 2022-02-04 op 
158 d188f690 2022-02-04 op err:
159 d188f690 2022-02-04 op 	(*bufev->errorcb)(bufev, what, bufev->cbarg);
160 d188f690 2022-02-04 op }
161 d188f690 2022-02-04 op 
162 d188f690 2022-02-04 op static void
163 d188f690 2022-02-04 op tls_writecb(int fd, short event, void *d)
164 d188f690 2022-02-04 op {
165 d188f690 2022-02-04 op 	struct bufferevent	*bufev = d;
166 d188f690 2022-02-04 op 	struct conn		*conn = bufev->cbarg;
167 d188f690 2022-02-04 op 	ssize_t			 ret;
168 d188f690 2022-02-04 op 	size_t			 len;
169 d188f690 2022-02-04 op 	short			 what = EVBUFFER_WRITE;
170 d188f690 2022-02-04 op 
171 d188f690 2022-02-04 op 	if (event == EV_TIMEOUT) {
172 d188f690 2022-02-04 op 		what |= EVBUFFER_TIMEOUT;
173 d188f690 2022-02-04 op 		goto err;
174 d188f690 2022-02-04 op 	}
175 d188f690 2022-02-04 op 
176 d188f690 2022-02-04 op 	if (EVBUFFER_LENGTH(bufev->output) != 0) {
177 d188f690 2022-02-04 op 		ret = tls_write(conn->ctx,
178 d188f690 2022-02-04 op 		    EVBUFFER_DATA(bufev->output),
179 d188f690 2022-02-04 op 		    EVBUFFER_LENGTH(bufev->output));
180 d188f690 2022-02-04 op 		switch (ret) {
181 d188f690 2022-02-04 op 		case TLS_WANT_POLLIN:
182 d188f690 2022-02-04 op 		case TLS_WANT_POLLOUT:
183 d188f690 2022-02-04 op 			goto retry;
184 d188f690 2022-02-04 op 		case -1:
185 d188f690 2022-02-04 op 			what |= EVBUFFER_ERROR;
186 d188f690 2022-02-04 op 			goto err;
187 d188f690 2022-02-04 op 		}
188 d188f690 2022-02-04 op 		len = ret;
189 d188f690 2022-02-04 op 		evbuffer_drain(bufev->output, len);
190 d188f690 2022-02-04 op 	}
191 d188f690 2022-02-04 op 
192 d188f690 2022-02-04 op 	if (EVBUFFER_LENGTH(bufev->output) != 0)
193 d188f690 2022-02-04 op 		event_add(&bufev->ev_write, NULL);
194 d188f690 2022-02-04 op 
195 d188f690 2022-02-04 op 	if (bufev->writecb != NULL &&
196 d188f690 2022-02-04 op 	    EVBUFFER_LENGTH(bufev->output) <= bufev->wm_write.low)
197 d188f690 2022-02-04 op 		(*bufev->writecb)(bufev, bufev->cbarg);
198 d188f690 2022-02-04 op 	return;
199 d188f690 2022-02-04 op 
200 d188f690 2022-02-04 op retry:
201 d188f690 2022-02-04 op 	event_add(&bufev->ev_write, NULL);
202 d188f690 2022-02-04 op 	return;
203 d188f690 2022-02-04 op 
204 d188f690 2022-02-04 op err:
205 d188f690 2022-02-04 op 	(*bufev->errorcb)(bufev, what, bufev->cbarg);
206 d188f690 2022-02-04 op }
207 d188f690 2022-02-04 op 
208 d188f690 2022-02-04 op static void
209 d188f690 2022-02-04 op setup(void)
210 d188f690 2022-02-04 op {
211 d188f690 2022-02-04 op 	struct addrinfo	 hints, *res, *res0;
212 d188f690 2022-02-04 op 	int		 v, r, saved_errno;
213 d188f690 2022-02-04 op 	char		 host[64];
214 d188f690 2022-02-04 op 	const char	*c, *h, *port, *cause;
215 d188f690 2022-02-04 op 
216 d188f690 2022-02-04 op 	if ((c = strchr(fromhost, ':')) == NULL) {
217 d188f690 2022-02-04 op 		h = NULL;
218 d188f690 2022-02-04 op 		port = fromhost;
219 d188f690 2022-02-04 op 	} else {
220 d188f690 2022-02-04 op 		if ((c = copysec(fromhost, host, sizeof(host))) == NULL)
221 d188f690 2022-02-04 op 			fatalx("hostname too long: %s", fromhost);
222 d188f690 2022-02-04 op 		h = host;
223 d188f690 2022-02-04 op 		port = c+1;
224 d188f690 2022-02-04 op 	}
225 d188f690 2022-02-04 op 
226 d188f690 2022-02-04 op 	memset(&hints, 0, sizeof(hints));
227 d188f690 2022-02-04 op 	hints.ai_family = AF_UNSPEC;
228 d188f690 2022-02-04 op 	hints.ai_socktype = SOCK_STREAM;
229 d188f690 2022-02-04 op 	hints.ai_flags = AI_PASSIVE;
230 d188f690 2022-02-04 op 
231 d188f690 2022-02-04 op 	r = getaddrinfo(h, port, &hints, &res0);
232 d188f690 2022-02-04 op 	if (r != 0)
233 d188f690 2022-02-04 op 		fatalx("getaddrinfo(%s): %s", fromhost,
234 d188f690 2022-02-04 op 		    gai_strerror(r));
235 d188f690 2022-02-04 op 
236 d188f690 2022-02-04 op 	for (res = res0; res && nsock < MAXSOCK; res = res->ai_next) {
237 d188f690 2022-02-04 op 		socks[nsock] = socket(res->ai_family, res->ai_socktype,
238 d188f690 2022-02-04 op 		    res->ai_protocol);
239 d188f690 2022-02-04 op 		if (socks[nsock] == -1) {
240 d188f690 2022-02-04 op 			cause = "socket";
241 d188f690 2022-02-04 op 			continue;
242 d188f690 2022-02-04 op 		}
243 d188f690 2022-02-04 op 
244 d188f690 2022-02-04 op 		if (bind(socks[nsock], res->ai_addr, res->ai_addrlen) == -1) {
245 d188f690 2022-02-04 op 			cause = "bind";
246 d188f690 2022-02-04 op 			saved_errno = errno;
247 d188f690 2022-02-04 op 			close(socks[nsock]);
248 d188f690 2022-02-04 op 			errno = saved_errno;
249 d188f690 2022-02-04 op 			continue;
250 d188f690 2022-02-04 op 		}
251 d188f690 2022-02-04 op 
252 d188f690 2022-02-04 op 		v = 1;
253 d188f690 2022-02-04 op 		if (setsockopt(socks[nsock], SOL_SOCKET, SO_REUSEADDR, &v,
254 d188f690 2022-02-04 op 		    sizeof(v)) == -1)
255 d188f690 2022-02-04 op 			err(1, "setsockopt(SO_REUSEADDR)");
256 d188f690 2022-02-04 op 
257 d188f690 2022-02-04 op 		v = 1;
258 d188f690 2022-02-04 op 		if (setsockopt(socks[nsock], SOL_SOCKET, SO_REUSEPORT, &v,
259 d188f690 2022-02-04 op 		    sizeof(v)) == -1)
260 d188f690 2022-02-04 op 			err(1, "setsockopt(SO_REUSEPORT)");
261 d188f690 2022-02-04 op 
262 d188f690 2022-02-04 op 		listen(socks[nsock], 5);
263 d188f690 2022-02-04 op 		nsock++;
264 d188f690 2022-02-04 op 	}
265 d188f690 2022-02-04 op 
266 d188f690 2022-02-04 op 	if (nsock == 0)
267 d188f690 2022-02-04 op 		fatal("%s", cause);
268 d188f690 2022-02-04 op 
269 d188f690 2022-02-04 op 	freeaddrinfo(res0);
270 d188f690 2022-02-04 op }
271 d188f690 2022-02-04 op 
272 d188f690 2022-02-04 op static int
273 d188f690 2022-02-04 op servconnect(void)
274 d188f690 2022-02-04 op {
275 d188f690 2022-02-04 op 	struct addrinfo	 hints, *res, *res0;
276 d188f690 2022-02-04 op 	int		 r, saved_errno, sock;
277 d188f690 2022-02-04 op 	const char	*cause;
278 d188f690 2022-02-04 op 
279 d188f690 2022-02-04 op 	memset(&hints, 0, sizeof(hints));
280 d188f690 2022-02-04 op 	hints.ai_family = AF_UNSPEC;
281 d188f690 2022-02-04 op 	hints.ai_socktype = SOCK_STREAM;
282 d188f690 2022-02-04 op 
283 d188f690 2022-02-04 op 	r = getaddrinfo(kamihost, kamiport, &hints, &res0);
284 d188f690 2022-02-04 op 	if (r != 0) {
285 d188f690 2022-02-04 op 		log_warnx("getaddrinfo(%s, %s): %s", kamihost, kamiport,
286 d188f690 2022-02-04 op 		    gai_strerror(r));
287 d188f690 2022-02-04 op 		return -1;
288 d188f690 2022-02-04 op 	}
289 d188f690 2022-02-04 op 
290 d188f690 2022-02-04 op 	for (res = res0; res != NULL; res = res->ai_next) {
291 d188f690 2022-02-04 op 		sock = socket(res->ai_family, res->ai_socktype,
292 d188f690 2022-02-04 op 		    res->ai_protocol);
293 d188f690 2022-02-04 op 		if (sock == -1) {
294 d188f690 2022-02-04 op 			cause = "socket";
295 d188f690 2022-02-04 op 			continue;
296 d188f690 2022-02-04 op 		}
297 d188f690 2022-02-04 op 
298 d188f690 2022-02-04 op 		if (connect(sock, res->ai_addr, res->ai_addrlen) == -1) {
299 d188f690 2022-02-04 op 			cause = "connect";
300 d188f690 2022-02-04 op 			saved_errno = errno;
301 d188f690 2022-02-04 op 			close(sock);
302 d188f690 2022-02-04 op 			errno = saved_errno;
303 d188f690 2022-02-04 op 			sock = -1;
304 d188f690 2022-02-04 op 			continue;
305 d188f690 2022-02-04 op 		}
306 d188f690 2022-02-04 op 
307 d188f690 2022-02-04 op 		/* found one */
308 d188f690 2022-02-04 op 		break;
309 d188f690 2022-02-04 op 	}
310 d188f690 2022-02-04 op 
311 d188f690 2022-02-04 op 	if (sock == -1)
312 d188f690 2022-02-04 op 		log_warn("%s", cause);
313 d188f690 2022-02-04 op 
314 d188f690 2022-02-04 op 	freeaddrinfo(res0);
315 d188f690 2022-02-04 op 	return sock;
316 d188f690 2022-02-04 op }
317 d188f690 2022-02-04 op 
318 d188f690 2022-02-04 op static void
319 d188f690 2022-02-04 op copy_to_server(struct bufferevent *bev, void *d)
320 d188f690 2022-02-04 op {
321 d188f690 2022-02-04 op 	struct conn *c = d;
322 d188f690 2022-02-04 op 
323 d188f690 2022-02-04 op 	bufferevent_write_buffer(c->server, EVBUFFER_INPUT(bev));
324 d188f690 2022-02-04 op }
325 d188f690 2022-02-04 op 
326 d188f690 2022-02-04 op static void
327 d188f690 2022-02-04 op copy_to_client(struct bufferevent *bev, void *d)
328 d188f690 2022-02-04 op {
329 d188f690 2022-02-04 op 	struct conn *c = d;
330 d188f690 2022-02-04 op 
331 d188f690 2022-02-04 op 	bufferevent_write_buffer(c->client, EVBUFFER_INPUT(bev));
332 d188f690 2022-02-04 op }
333 d188f690 2022-02-04 op 
334 d188f690 2022-02-04 op static void
335 d188f690 2022-02-04 op nopcb(struct bufferevent *bev, void *d)
336 d188f690 2022-02-04 op {
337 d188f690 2022-02-04 op 	return;
338 d188f690 2022-02-04 op }
339 d188f690 2022-02-04 op 
340 d188f690 2022-02-04 op static void
341 d188f690 2022-02-04 op errcb(struct bufferevent *bev, short ev, void *d)
342 d188f690 2022-02-04 op {
343 d188f690 2022-02-04 op 	struct conn *c = d;
344 d188f690 2022-02-04 op 
345 d188f690 2022-02-04 op 	log_debug("closing connection (event=%x / side=%s)", ev,
346 d188f690 2022-02-04 op 	    bev == c->server ? "server" : "client");
347 d188f690 2022-02-04 op 
348 d188f690 2022-02-04 op 	bufferevent_free(c->server);
349 d188f690 2022-02-04 op 	bufferevent_free(c->client);
350 d188f690 2022-02-04 op 
351 d188f690 2022-02-04 op 	tls_close(c->ctx);
352 d188f690 2022-02-04 op 	tls_free(c->ctx);
353 d188f690 2022-02-04 op 
354 d188f690 2022-02-04 op 	close(c->lfd);
355 d188f690 2022-02-04 op 	close(c->kfd);
356 d188f690 2022-02-04 op 
357 d188f690 2022-02-04 op 	free(c);
358 d188f690 2022-02-04 op }
359 d188f690 2022-02-04 op 
360 d188f690 2022-02-04 op static void
361 d188f690 2022-02-04 op doaccept(int fd, short ev, void *data)
362 d188f690 2022-02-04 op {
363 d188f690 2022-02-04 op 	struct tls_config	*conf;
364 d188f690 2022-02-04 op 	struct conn		*c;
365 d188f690 2022-02-04 op 	int			 r;
366 d188f690 2022-02-04 op 
367 d188f690 2022-02-04 op 	if ((c = calloc(1, sizeof(*c))) == NULL)
368 d188f690 2022-02-04 op 		fatal("calloc");
369 d188f690 2022-02-04 op 
370 d188f690 2022-02-04 op 	if ((c->lfd = accept(fd, NULL, 0)) == -1) {
371 d188f690 2022-02-04 op 		log_warn("accept");
372 d188f690 2022-02-04 op 		free(c);
373 d188f690 2022-02-04 op 		return;
374 d188f690 2022-02-04 op 	}
375 d188f690 2022-02-04 op 
376 d188f690 2022-02-04 op 	if ((c->kfd = servconnect()) == -1) {
377 d188f690 2022-02-04 op 		close(c->lfd);
378 d188f690 2022-02-04 op 		free(c);
379 d188f690 2022-02-04 op 		return;
380 d188f690 2022-02-04 op 	}
381 d188f690 2022-02-04 op 
382 d188f690 2022-02-04 op 	if ((c->ctx = tls_client()) == NULL)
383 d188f690 2022-02-04 op 		fatal("tls_client");
384 d188f690 2022-02-04 op 
385 d188f690 2022-02-04 op 	if ((conf = tls_config_new()) == NULL)
386 d188f690 2022-02-04 op 		fatal("tls_config_new");
387 d188f690 2022-02-04 op 
388 d188f690 2022-02-04 op 	if (tls_config_set_cert_mem(conf, cert, certlen) == -1 ||
389 d188f690 2022-02-04 op 	    tls_config_set_key_mem(conf, key, keylen) == -1)
390 d188f690 2022-02-04 op 		fatalx("tls_config_set_{cert,key}: %s", tls_config_error(conf));
391 d188f690 2022-02-04 op 	tls_config_insecure_noverifycert(conf);
392 d188f690 2022-02-04 op 
393 d188f690 2022-02-04 op 	if (tls_configure(c->ctx, conf) == -1)
394 d188f690 2022-02-04 op 		fatalx("tls_configure");
395 d188f690 2022-02-04 op 
396 d188f690 2022-02-04 op 	tls_config_free(conf);
397 d188f690 2022-02-04 op 
398 d188f690 2022-02-04 op 	if (tls_connect_socket(c->ctx, c->kfd, kamihost) == -1)
399 d188f690 2022-02-04 op 		fatal("tls_connect_socket");
400 d188f690 2022-02-04 op 
401 d188f690 2022-02-04 op again:	switch (r = tls_handshake(c->ctx)) {
402 d188f690 2022-02-04 op 	case -1:
403 d188f690 2022-02-04 op 		log_warnx("tls_handshake: %s", tls_error(c->ctx));
404 d188f690 2022-02-04 op 		tls_close(c->ctx);
405 d188f690 2022-02-04 op 		tls_free(c->ctx);
406 d188f690 2022-02-04 op 		close(c->lfd);
407 d188f690 2022-02-04 op 		close(c->kfd);
408 d188f690 2022-02-04 op 		free(c);
409 d188f690 2022-02-04 op 		return;
410 d188f690 2022-02-04 op 	case TLS_WANT_POLLIN:
411 d188f690 2022-02-04 op 	case TLS_WANT_POLLOUT:
412 d188f690 2022-02-04 op 		goto again;
413 d188f690 2022-02-04 op 	}
414 d188f690 2022-02-04 op 
415 d188f690 2022-02-04 op 	c->server = bufferevent_new(c->kfd, copy_to_client, nopcb, errcb, c);
416 d188f690 2022-02-04 op 	if (c->server == NULL)
417 d188f690 2022-02-04 op 		fatal("bufferevent_new");
418 d188f690 2022-02-04 op 
419 d188f690 2022-02-04 op 	event_set(&c->server->ev_read, c->kfd, EV_READ, tls_readcb,
420 d188f690 2022-02-04 op 	    c->server);
421 d188f690 2022-02-04 op 	event_set(&c->server->ev_write, c->kfd, EV_WRITE, tls_writecb,
422 d188f690 2022-02-04 op 	    c->server);
423 d188f690 2022-02-04 op 
424 d188f690 2022-02-04 op #if HAVE_EVENT2
425 d188f690 2022-02-04 op 	evbuffer_unfreeze(c->server->input, 0);
426 d188f690 2022-02-04 op 	evbuffer_unfreeze(c->server->output, 1);
427 d188f690 2022-02-04 op #endif
428 d188f690 2022-02-04 op 
429 d188f690 2022-02-04 op 	c->client = bufferevent_new(c->lfd, copy_to_server, nopcb, errcb, c);
430 d188f690 2022-02-04 op 	if (c->client == NULL)
431 d188f690 2022-02-04 op 		fatal("bufferevent_new");
432 d188f690 2022-02-04 op 
433 d188f690 2022-02-04 op 	bufferevent_enable(c->server, EV_READ|EV_WRITE);
434 d188f690 2022-02-04 op 	bufferevent_enable(c->client, EV_READ|EV_WRITE);
435 d188f690 2022-02-04 op }
436 d188f690 2022-02-04 op 
437 d188f690 2022-02-04 op __dead static void
438 d188f690 2022-02-04 op usage(void)
439 d188f690 2022-02-04 op {
440 d188f690 2022-02-04 op 	fprintf(stderr,
441 d188f690 2022-02-04 op 	    "usage: %s [-dv] -c host[:port] -l [host:]port -C cert [-K key]\n",
442 d188f690 2022-02-04 op 	    getprogname());
443 d188f690 2022-02-04 op 	exit(1);
444 d188f690 2022-02-04 op }
445 d188f690 2022-02-04 op 
446 d188f690 2022-02-04 op int
447 d188f690 2022-02-04 op main(int argc, char **argv)
448 d188f690 2022-02-04 op {
449 d188f690 2022-02-04 op 	int		 ch, i;
450 d188f690 2022-02-04 op 	const char	*certf = NULL, *keyf = NULL;
451 d188f690 2022-02-04 op 
452 d188f690 2022-02-04 op 	log_init(1, LOG_DAEMON);
453 d188f690 2022-02-04 op 	log_setverbose(1);
454 d188f690 2022-02-04 op 
455 d188f690 2022-02-04 op 	while ((ch = getopt(argc, argv, "C:c:dK:l:v")) != -1) {
456 d188f690 2022-02-04 op 		switch (ch) {
457 d188f690 2022-02-04 op 		case 'C':
458 d188f690 2022-02-04 op 			certf = optarg;
459 d188f690 2022-02-04 op 			break;
460 d188f690 2022-02-04 op 		case 'c':
461 d188f690 2022-02-04 op 			tohost = optarg;
462 d188f690 2022-02-04 op 			break;
463 d188f690 2022-02-04 op 		case 'd':
464 d188f690 2022-02-04 op 			debug = 1;
465 d188f690 2022-02-04 op 			break;
466 d188f690 2022-02-04 op 		case 'K':
467 d188f690 2022-02-04 op 			keyf = optarg;
468 d188f690 2022-02-04 op 			break;
469 d188f690 2022-02-04 op 		case 'l':
470 d188f690 2022-02-04 op 			fromhost = optarg;
471 d188f690 2022-02-04 op 			break;
472 d188f690 2022-02-04 op 		case 'v':
473 d188f690 2022-02-04 op 			verbose = 1;
474 d188f690 2022-02-04 op 			break;
475 d188f690 2022-02-04 op 		default:
476 d188f690 2022-02-04 op 			usage();
477 d188f690 2022-02-04 op 		}
478 d188f690 2022-02-04 op 	}
479 d188f690 2022-02-04 op 	argc -= optind;
480 d188f690 2022-02-04 op 	argv += optind;
481 d188f690 2022-02-04 op 
482 d188f690 2022-02-04 op 	if (argc != 0)
483 d188f690 2022-02-04 op 		usage();
484 d188f690 2022-02-04 op 	if (certf == NULL || tohost == NULL || fromhost == NULL)
485 d188f690 2022-02-04 op 		usage();
486 d188f690 2022-02-04 op 	if (keyf == NULL)
487 d188f690 2022-02-04 op 		keyf = certf;
488 d188f690 2022-02-04 op 
489 d188f690 2022-02-04 op 	parse_tohost();
490 d188f690 2022-02-04 op 
491 d188f690 2022-02-04 op 	if ((cert = tls_load_file(certf, &certlen, NULL)) == NULL)
492 d188f690 2022-02-04 op 		fatal("can't load %s", certf);
493 d188f690 2022-02-04 op 	if ((key = tls_load_file(keyf, &keylen, NULL)) == NULL)
494 d188f690 2022-02-04 op 		fatal("can't load %s", keyf);
495 d188f690 2022-02-04 op 
496 d188f690 2022-02-04 op 	log_init(debug, LOG_DAEMON);
497 d188f690 2022-02-04 op 	log_setverbose(verbose);
498 d188f690 2022-02-04 op 
499 d188f690 2022-02-04 op 	if (!debug)
500 d188f690 2022-02-04 op 		daemon(1, 0);
501 d188f690 2022-02-04 op 
502 d188f690 2022-02-04 op 	signal(SIGPIPE, SIG_IGN);
503 d188f690 2022-02-04 op 
504 d188f690 2022-02-04 op 	event_init();
505 d188f690 2022-02-04 op 
506 d188f690 2022-02-04 op 	setup();
507 d188f690 2022-02-04 op 	for (i = 0; i < nsock; ++i) {
508 d188f690 2022-02-04 op 		event_set(&sockev[i], socks[i], EV_READ|EV_PERSIST,
509 d188f690 2022-02-04 op 		    doaccept, NULL);
510 d188f690 2022-02-04 op 		event_add(&sockev[i], NULL);
511 d188f690 2022-02-04 op 	}
512 d188f690 2022-02-04 op 
513 d188f690 2022-02-04 op 	if (pledge("stdio dns inet", NULL) == -1)
514 d188f690 2022-02-04 op 		err(1, "pledge");
515 d188f690 2022-02-04 op 
516 d188f690 2022-02-04 op 	log_info("starting");
517 d188f690 2022-02-04 op 	event_dispatch();
518 d188f690 2022-02-04 op 
519 d188f690 2022-02-04 op 	return 0;
520 d188f690 2022-02-04 op }