commit c92aa18514694938b21439afff0b8d1ece617b18
parent 0c2fa66d5056ca6cdd6cf69aa7feb416b21a3ff0
Author: Christoph Lohmann <20h@r-36.net>
Date: Sun, 7 Jun 2020 22:29:26 +0200
Add -DENABLE_TLS feature for people not wanting TLS.
Diffstat:
2 files changed, 38 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
@@ -9,8 +9,12 @@ PREFIX = /usr/local
BINDIR = ${PREFIX}/sbin
MANDIR = ${PREFIX}/share/man/man8
-GEOM_CFLAGS = -D_DEFAULT_SOURCE -I. -I/usr/include ${CFLAGS}
-GEOM_LDFLAGS = -L/usr/lib -L. -ltls ${LDFLAGS}
+# Comment to disable TLS support
+TLS_CFLAGS = -DENABLE_TLS
+TLS_LDFLAGS = -ltls
+
+GEOM_CFLAGS = -D_DEFAULT_SOURCE -I. -I/usr/include ${TLS_CFLAGS} ${CFLAGS}
+GEOM_LDFLAGS = -L/usr/lib -L. ${TLS_LDFLAGS} ${LDFLAGS}
SRC = main.c ind.c handlr.c
OBJ = ${SRC:.c=.o}
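Review bot: The two TLS knobs introduced here have to be toggled together, but the comment only says "Comment to disable TLS support"; commenting out just `TLS_CFLAGS` still links libtls into a binary that never calls it, and commenting out just `TLS_LDFLAGS` makes the build fail at link time with unresolved tls_* symbols. Since POSIX make has no conditionals to tie them to one variable, at least make the comment say so: `# To build without TLS, comment out BOTH lines below (-DENABLE_TLS and -ltls).` Consider also noting that `main.o` must be rebuilt (`make clean`) after toggling, since the object does not depend on the Makefile here as far as this hunk shows.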
diff --git a/main.c b/main.c
@@ -25,7 +25,10 @@
#include <arpa/inet.h>
#include <sys/select.h>
#include <sys/time.h>
+
+#ifdef ENABLE_TLS
#include <tls.h>
+#endif /* ENABLE_TLS */
#include "ind.h"
#include "handlr.h"
@@ -398,7 +401,9 @@ void
usage(void)
{
dprintf(2, "usage: %s [-46cden] [-l logfile] "
+#ifdef ENABLE_TLS
"[-t keyfile certfile] "
+#endif /* ENABLE_TLS */
"[-v loglvl] [-b base] [-p port] [-o sport] "
"[-u user] [-g group] [-h host] [-i interface ...]\n",
argv0);
@@ -413,18 +418,27 @@ main(int argc, char *argv[])
socklen_t cltlen;
int sock, dofork = 1, inetf = AF_UNSPEC, usechroot = 0,
nocgi = 0, errno_save, nbindips = 0, i, j,
- nlfdret, *lfdret, listfd, maxlfd, dotls = 0, istls = 0,
- shuflen, wlen, shufpos, tlspipe[2], maxrecv, retl,
+ nlfdret, *lfdret, listfd, maxlfd, istls = 0,
+#ifdef ENABLE_TLS
+ dotls = 0, tlspipe[2], shufbuf[1025],
+ shuflen, wlen, shufpos,
+#endif /* ENABLE_TLS */
+ maxrecv, retl,
rlen = 0;
fd_set rfd;
char *port, *base, clienth[NI_MAXHOST], clientp[NI_MAXSERV],
*user = NULL, *group = NULL, **bindips = NULL,
- *ohost = NULL, *sport = NULL, *p, *certfile = NULL,
- *keyfile = NULL, shufbuf[1025], byte0, recvb[1025];
+ *ohost = NULL, *sport = NULL, *p,
+#ifdef ENABLE_TLS
+ *certfile = NULL, *keyfile = NULL,
+#endif /* ENABLE_TLS */
+ byte0, recvb[1025];
struct passwd *us = NULL;
struct group *gr = NULL;
+#ifdef ENABLE_TLS
struct tls_config *tlsconfig = NULL;
struct tls *tlsctx = NULL, *tlsclientctx;
+#endif /* ENABLE_TLS */
base = stdbase;
port = stdport;
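Review bot: `shufbuf[1025]` silently changes type in this hunk: it is removed from the `char` declaration list (old line `*keyfile = NULL, shufbuf[1025], byte0, recvb[1025];`) and re-added inside the `int` list next to `tlspipe[2]`, so it is now `int shufbuf[1025]`. That quadruples the stack buffer and makes `sizeof(shufbuf)` and any `shufbuf + shufpos` arithmetic in the TLS shuffle loop (outside this hunk) operate in 4-byte units while tls_write/read presumably count bytes — please confirm against that loop, but the fix is to keep it a `char` array: drop it from the `int` list and write `*certfile = NULL, *keyfile = NULL, shufbuf[1025],` under the `#ifdef ENABLE_TLS` in the `char` list. Separately, `istls = 0` stays declared unconditionally but is only read inside `#ifdef ENABLE_TLS` blocks, so a non-TLS build gets a set-but-unused warning; moving it next to `dotls = 0` inside the ifdef avoids that. main() continues past this hunk.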
@@ -478,11 +492,13 @@ main(int argc, char *argv[])
case 'n':
revlookup = 0;
break;
+#ifdef ENABLE_TLS
case 't':
dotls = 1;
keyfile = EARGF(usage());
certfile = EARGF(usage());
break;
+#endif /* ENABLE_TLS */
default:
usage();
} ARGEND;
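Review bot: In a build without ENABLE_TLS the `-t keyfile certfile` option now falls through to `default: usage();`, so an operator whose init script passes `-t` sees only the generic usage line and no hint that TLS was compiled out. An `#else` branch for `case 't':` that prints a specific reason before exiting, e.g. `dprintf(2, "%s: built without TLS support\n", argv0);` followed by `usage();`, makes the failure mode self-explanatory. The option loop begins before this hunk.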
@@ -493,6 +509,7 @@ main(int argc, char *argv[])
if (argc != 0)
usage();
+#ifdef ENABLE_TLS
if (dotls) {
if (tls_init() < 0) {
perror("tls_init");
@@ -519,6 +536,7 @@ main(int argc, char *argv[])
return 1;
}
}
+#endif /* ENABLE_TLS */
if (ohost == NULL) {
/* Do not use HOST_NAME_MAX, it is not defined on NetBSD. */
@@ -746,6 +764,7 @@ main(int argc, char *argv[])
if (recv(sock, &byte0, 1, MSG_PEEK) < 1)
return 1;
+#ifdef ENABLE_TLS
/*
* First byte is 0x16 == 22, which is the TLS
* Handshake first byte.
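Review bot: The `#ifdef ENABLE_TLS` is placed after the `recv(sock, &byte0, 1, MSG_PEEK)` call, so a non-TLS build still performs the peek syscall purely to fill `byte0`, which is then never read (the only consumer is the TLS detection that follows inside the ifdef), producing a set-but-unused warning and an extra round through the kernel per connection. Moving the `#ifdef` two lines up so it also covers the peek keeps the non-TLS path as a plain read loop; the `if (rlen <= 0) return 1;` check after that loop appears to cover the closed-before-data case the peek would otherwise catch, but verify that before relying on it. The enclosing per-connection block starts before this hunk.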
@@ -758,15 +777,19 @@ main(int argc, char *argv[])
if (tls_handshake(tlsclientctx) < 0)
return 1;
}
+#endif /* ENABLE_TLS */
maxrecv = sizeof(recvb) - 1;
do {
+#ifdef ENABLE_TLS
if (istls) {
retl = tls_read(tlsclientctx,
recvb+rlen, sizeof(recvb)-1-rlen);
if (retl < 0)
fprintf(stderr, "tls_read failed: %s\n", tls_error(tlsclientctx));
- } else {
+ } else
+#endif /* ENABLE_TLS */
+ {
retl = read(sock, recvb+rlen,
sizeof(recvb)-1-rlen);
if (retl < 0)
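Review bot: The `} else` immediately followed by `#endif` and a bare `{` on the next line makes the plain-socket branch's control flow depend on a preprocessor boundary; a reader scanning the non-TLS build sees an unexplained compound statement, and the TLS build sees an `else` whose body starts after a directive. If the shape is kept, a comment on the `else` line such as `} else	/* plain socket; the only path when built without ENABLE_TLS */` documents the intent in both configurations. The read loop continues past this hunk.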
@@ -780,6 +803,7 @@ main(int argc, char *argv[])
if (rlen <= 0)
return 1;
+#ifdef ENABLE_TLS
if (istls) {
if (pipe(tlspipe) < 0) {
perror("tls_pipe");
@@ -819,6 +843,7 @@ main(int argc, char *argv[])
return 0;
}
}
+#endif /* ENABLE_TLS */
handlerequest(sock, recvb, rlen, base,
ohost, sport, clienth,
@@ -855,11 +880,13 @@ main(int argc, char *argv[])
}
free(listfds);
+#ifdef ENABLE_TLS
if (dotls) {
tls_close(tlsctx);
tls_free(tlsctx);
tls_config_free(tlsconfig);
}
+#endif /* ENABLE_TLS */
return 0;
}