Add ALPN protocol based probe

Fix daemon start syntax

.gitignore

@@ -0,0 +1,10 @@
+*.swp
+*.swo
+*.o
+cscope.*
+echosrv
+sslh-fork
+sslh-select
+sslh.8.gz
+tags
+version.h

COPYING

@@ -0,0 +1,339 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.

ChangeLog

@@ -0,0 +1,297 @@
+vNEXT:
+	Added USELIBPCRE to make use of regex engine
+	optional.
+
+	Added support for RFC4366 SNI and RFC7301 ALPN
+	(Travis Burtrum)
+
+	Changed connection log to include the name of the probe that
+	triggered.
+
+	Changed configuration file format: 'probe' field is
+	no longer required, 'name' field can now contain
+	'tls' or 'regex', with corresponding options (see
+	example.cfg)
+	Added 'log_level' option to each protocol, which
+	allows to turn off generation of log at each
+	connection.
+
+v1.17: 	09MAR2015
+	Support RFC5952-style IPv6 addresses, e.g. [::]:443.
+
+	Transparant proxy support for FreeBSD.
+	(Ruben van Staveren)
+
+	Using -F with no argument will try
+	/etc/sslh/sslh.cfg and then /etc/sslh.cfg as
+	configuration files. (argument to -F can no longer
+	be separated from the option by a space, e.g. must
+	be -Ffoo.cfg)
+
+	Call setgroups() before setgid() (fixes potential
+	privilege escalation).
+	(Lars Vogdt)
+
+	Use portable way of getting modified time for OSX
+	support.
+	(Aaron Madlon-Kay)
+
+	Example configuration for fail2ban.
+	(Every Mouw)
+
+v1.16:	11FEB2014
+	Probes made more resilient, to incoming data
+	containing NULLs. Also made them behave properly
+	when receiving too short packets to probe on the
+	first incoming packet.
+	(Ondrej Kuzník)
+
+	Libcap support: Keep only CAP_NET_ADMIN if started
+	as root with transparent proxying and dropping
+	priviledges (enable USELIBCAP in Makefile). This
+	avoids having to mess with filesystem capabilities.
+	(Sebastian Schmidt/yath)
+
+	Fixed bugs related to getpeername that would cause
+	sslh to quit erroneously (getpeername can return
+	actual errors if connections are dropped before
+	getting to getpeername).
+
+	Set IP_FREEDBIND if available to bind to addresses
+	that don't yet exist.
+
+v1.15:	27JUL2013
+	Added --transparent option for transparent proxying.
+	See README for iptables magic and capability
+	management.
+
+	Fixed bug in sslh-select: if number of opened file
+	descriptor became bigger than FD_SETSIZE, bad things
+	would happen.
+
+	Fixed bug in sslh-select: if socket dropped while
+	deferred_data was present, sslh-select would crash.
+
+	Increased FD_SETSIZE for Cygwin, as the default 64
+	is too low for even moderate load.
+
+v1.14: 21DEC2012
+	Corrected OpenVPN probe to support pre-shared secret
+	mode (OpenVPN port-sharing code is... wrong). Thanks
+	to Kai Ellinger for help in investigating and
+	testing.
+
+	Added an actual TLS/SSL probe.
+
+	Added configurable --on-timeout protocol
+	specification.
+
+	Added a --anyprot protocol probe (equivalent to what
+	--ssl was).
+
+	Makefile respects the user's compiler and CFLAG
+	choices (falling back to the current values if
+	undefined), as well as LDFLAGS. 
+	(Michael Palimaka)
+
+	Added "After" and "KillMode" to systemd.sslh.service
+	(Thomas Weißschuh).
+
+	Added LSB tags to etc.init.d.sslh
+	(Thomas Varis).
+
+v1.13: 18MAY2012
+	Write PID file before dropping privileges.
+
+	Added --background, which overrides 'foreground'
+	configuration file setting.
+
+	Added example systemd service file from Archlinux in
+	scripts/
+	https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh
+	(Sébastien Luttringer)
+
+v1.12: 08MAY2012
+	Added support for configuration file.
+
+	New protocol probes can be defined using regular
+	expressions that match the first packet sent by the
+	client.
+
+	sslh now connects timed out connections to the first
+	configured protocol instead of 'ssh' (just make sure
+	ssh is the first defined protocol).
+
+	sslh now tries protocols in the order in which they
+	are defined (just make sure sslh is the last defined
+	protocol).
+
+v1.11: 21APR2012
+	WARNING: defaults have been removed for --user and
+	--pidfile options, update your start-up scripts!
+
+	No longer stop sslh when reverse DNS requests fail
+	for logging.
+
+	Added HTTP probe.
+
+	No longer create new session if running in
+	foreground.
+
+	No longer default to changing user to 'nobody'. If
+	--user isn't specified, just run as current user.
+
+	No longer create PID file by default, it should be
+	explicitely set with --pidfile.
+
+	No longer log to syslog if in foreground. Logs are
+	instead output to stderr.
+
+	The four changes above make it straightforward to
+	integrate sslh with systemd, and should help with
+	launchd.
+
+v1.10: 27NOV2011
+	Fixed calls referring to sockaddr length so they work
+	with FreeBSD.
+
+	Try target addresses in turn until one works if
+	there are several (e.g. "localhost:22" resolves to
+	an IPv6 address and an IPv4 address and sshd does
+	not listen on IPv6).
+
+	Fixed sslh-fork so killing the head process kills
+	the listener processes.
+
+	Heavily cleaned up test suite. Added stress test
+	t_load script. Added coverage (requires lcov).
+
+	Support for XMPP (Arnaud Gendre).
+
+	Updated README.MacOSX (Aaron Madlon-Kay).
+
+v1.9: 02AUG2011
+	WARNING: This version does not work with FreeBSD and
+	derivatives!
+
+	WARNING: Options changed, you'll need to update your
+	start-up scripts! Log format changed, you'll need to
+	update log processing scripts!
+
+	Now supports IPv6 throughout (both on listening and
+	forwarding)
+
+	Logs now contain IPv6 addresses, local forwarding
+	address, and resolves names (unless --numeric is
+	specified).
+
+	Introduced long options.
+
+	Options -l, -s and -o replaced by their long
+	counterparts.
+
+	Defaults for SSL and SSH options suppressed (it's 
+	legitimate to want to use sslh to mux OpenVPN and 
+	tinc while not caring about SSH nor SSL).
+
+	Bind to multiple addresses with multiple -p options.
+
+	Support for tinc VPN (experimental).
+
+	Numeric logging option.
+
+v1.8: 15JUL2011
+	Changed log format to make it possible to link
+	connections to subsequent logs from other services.
+
+	Updated CentOS init.d script (Andre Krajnik).
+
+	Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not
+	propagated to the child process, so we set up signals after
+	the fork.) (François FRITZ)
+
+	Added -o "OpenVPN" and OpenVPN probing and support.
+
+	Added single-threaded, select(2)-based version.
+
+	Added support for "Bold" SSH clients (clients that speak first)
+	Thanks to Guillaume Ricaud for spotting a regression
+	bug.
+
+	Added -f "foreground" option.
+
+	Added test suite. (only tests connexions. No test for libwrap,
+	setsid, setuid and so on) and corresponding 'make
+	test' target.
+
+	Added README.MacOSX (thanks Aaron Madlon-Kay)
+
+	Documented use with proxytunnel and corkscrew in
+	README.
+
+	
+v1.7: 01FEB2010
+	Added CentOS init.d script (Andre Krajnik).
+
+	Fixed default ssl address inconsistancy, now
+	defaults to "localhost:443" and fixed documentation
+	accordingly (pointed by Markus Schalke).
+
+	Children no longer bind to the listen socket, so
+	parent server can be stopped without killing an
+	active child (pointed by Matthias Buecher).
+
+	Inetd support (Dima Barsky).
+
+v1.6: 25APR2009
+	Added -V, version option.
+
+	Install target directory configurable in Makefile
+
+	Changed syslog prefix in auth.log to "sslh[%pid]"
+
+	Man page
+
+	new 'make install' and 'make install-debian' targets
+
+	PID file now specified using -P command line option
+
+	Actually fixed zombie generation (the v1.5 patch got
+	lost, doh!)
+
+
+v1.5: 10DEC2008
+	Fixed zombie generation.
+
+	Added support scripts (), Makefile.
+
+	Changed all 'connexions' to 'connections' to please
+	pesky users. Damn users.
+
+v1.4: 13JUL2008
+	Added libwrap support for ssh service (Christian Weinberger)
+	Only SSH is libwraped, not SSL.
+
+v1.3: 14MAY2008
+	Added parsing for local interface to listen on
+
+	Changed default SSL connection to port 442 (443 doesn't make
+	sense as a default as we're already listening on 443)
+
+	Syslog incoming connections
+
+v1.2: 12MAY2008
+	Fixed compilation warning for AMD64 (Thx Daniel Lange)
+
+v1.1: 21MAY2007
+	Making sslhc more like a real daemon:
+	* If $PIDFILE is defined, write first PID to it upon startup
+	* Fork at startup (detach from terminal)
+	(thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
+	* Less memory usage (?)
+
+v1.0: 
+	Basic functionality: privilege dropping, target hostnames and ports
+	configurable.
+
+

Makefile

@@ -0,0 +1,107 @@
+# Configuration
+
+VERSION=$(shell ./genver.sh -r)
+USELIBCONFIG=1	# Use libconfig? (necessary to use configuration files)
+USELIBPCRE=1	# Use libpcre? (necessary to use regex probe)
+USELIBWRAP?=	# Use libwrap?
+USELIBCAP=	# Use libcap?
+COV_TEST= 	# Perform test coverage?
+PREFIX?=/usr
+BINDIR?=$(PREFIX)/sbin
+MANDIR?=$(PREFIX)/share/man/man8
+
+MAN=sslh.8.gz	# man page name
+
+# End of configuration -- the rest should take care of
+# itself
+
+ifneq ($(strip $(COV_TEST)),)
+    CFLAGS_COV=-fprofile-arcs -ftest-coverage
+endif
+
+CC ?= gcc
+CFLAGS ?=-Wall -g $(CFLAGS_COV)
+
+LIBS=
+OBJS=common.o sslh-main.o probe.o tls.o
+
+ifneq ($(strip $(USELIBWRAP)),)
+	LIBS:=$(LIBS) -lwrap
+	CPPFLAGS+=-DLIBWRAP
+endif
+
+ifneq ($(strip $(USELIBPCRE)),)
+	CPPFLAGS+=-DLIBPCRE
+endif
+
+ifneq ($(strip $(USELIBCONFIG)),)
+	LIBS:=$(LIBS) -lconfig
+	CPPFLAGS+=-DLIBCONFIG
+endif
+
+ifneq ($(strip $(USELIBCAP)),)
+	LIBS:=$(LIBS) -lcap
+	CPPFLAGS+=-DLIBCAP
+endif
+
+all: sslh $(MAN) echosrv
+
+.c.o: *.h
+	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+
+version.h:
+	./genver.sh >version.h
+
+sslh: sslh-fork sslh-select
+
+sslh-fork: version.h $(OBJS) sslh-fork.o Makefile common.h
+	$(CC) $(CFLAGS) $(LDFLAGS) -o sslh-fork sslh-fork.o $(OBJS) $(LIBS)
+	#strip sslh-fork
+
+sslh-select: version.h $(OBJS) sslh-select.o Makefile common.h
+	$(CC) $(CFLAGS) $(LDFLAGS) -o sslh-select sslh-select.o $(OBJS) $(LIBS)
+	#strip sslh-select
+
+echosrv: $(OBJS) echosrv.o
+	$(CC) $(CFLAGS) $(LDFLAGS) -o echosrv echosrv.o probe.o common.o tls.o $(LIBS)
+
+$(MAN): sslh.pod Makefile
+	pod2man --section=8 --release=$(VERSION) --center=" " sslh.pod | gzip -9 - > $(MAN)
+
+# Create release: export clean tree and tag current
+# configuration
+release:
+	git archive master --prefix="sslh-$(VERSION)/" | gzip > /tmp/sslh-$(VERSION).tar.gz
+
+# generic install: install binary and man page
+install: sslh $(MAN)
+	mkdir -p $(DESTDIR)/$(BINDIR)
+	mkdir -p $(DESTDIR)/$(MANDIR)
+	install -p sslh-fork $(DESTDIR)/$(BINDIR)/sslh
+	install -p -m 0644 $(MAN) $(DESTDIR)/$(MANDIR)/$(MAN)
+
+# "extended" install for Debian: install startup script
+install-debian: install sslh $(MAN)
+	sed -e "s+^PREFIX=+PREFIX=$(PREFIX)+" scripts/etc.init.d.sslh > /etc/init.d/sslh
+	chmod 755 /etc/init.d/sslh
+	update-rc.d sslh defaults
+
+uninstall:
+	rm -f $(DESTDIR)$(BINDIR)/sslh $(DESTDIR)$(MANDIR)/$(MAN) $(DESTDIR)/etc/init.d/sslh $(DESTDIR)/etc/default/sslh
+	update-rc.d sslh remove
+
+distclean: clean
+	rm -f tags cscope.*
+
+clean:
+	rm -f sslh-fork sslh-select echosrv version.h $(MAN) *.o *.gcov *.gcno *.gcda *.png *.html *.css *.info
+
+tags:
+	ctags --globals -T *.[ch]
+
+cscope:
+	-find . -name "*.[chS]" >cscope.files
+	-cscope -b -R
+
+test:
+	./t

README.MacOSX

@@ -0,0 +1,54 @@
+
+sslh is available for Mac OS X via MacPorts. If you have
+MacPorts installed on your system you can install sslh by
+executing the following in the Terminal:
+
+port install sslh
+
+Also, the following is a helpful launchd configuration that
+covers the most common use case of sslh. Save the following
+into a text file, e.g.
+/Library/LaunchDaemons/net.rutschle.sslh.plist, then load it
+with launchctl or simply reboot.
+
+----BEGIN FILE----
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Disabled</key>
+	<false/>
+	<key>KeepAlive</key>
+	<true/>
+	<key>Label</key>
+	<string>net.rutschle.sslh</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/opt/local/sbin/sslh</string>
+		<string>-f</string>
+		<string>-v</string>
+		<string>-u</string>
+		<string>nobody</string>
+		<string>-p</string>
+		<string>0.0.0.0:443</string>
+		<string>--ssh</string>
+		<string>localhost:22</string>
+		<string>--ssl</string>
+		<string>localhost:443</string>
+	</array>
+	<key>QueueDirectories</key>
+	<array/>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>StandardErrorPath</key>
+	<string>/Library/Logs/sslh.log</string>
+	<key>StandardOutPath</key>
+	<string>/Library/Logs/sslh.log</string>
+	<key>WatchPaths</key>
+	<array/>
+</dict>
+</plist>
+
+----END FILE----
+
+

README.md

@@ -0,0 +1,327 @@
+sslh -- A ssl/ssh multiplexer
+=============================
+
+`sslh` accepts connections on specified ports, and forwards
+them further based on tests performed on the first data
+packet sent by the remote client.
+
+Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are
+implemented, and any other protocol that can be tested using
+a regular expression, can be recognised. A typical use case
+is to allow serving several services on port 443 (e.g. to
+connect to SSH from inside a corporate firewall, which
+almost never block port 443) while still serving HTTPS on
+that port. 
+
+Hence `sslh` acts as a protocol demultiplexer, or a
+switchboard. Its name comes from its original function to
+serve SSH and HTTPS on the same port.
+
+Compile and install
+===================
+
+Dependencies
+------------
+
+`sslh` uses [libconfig](http://www.hyperrealm.com/libconfig/)
+and [libwrap](http://packages.debian.org/source/unstable/tcp-wrappers).
+
+For Debian, these are contained in packages `libwrap0-dev` and
+`libconfig8-dev`.
+
+For OpenSUSE, these are contained in packages libconfig9 and
+libconfig-dev in repository
+<http://download.opensuse.org/repositories/multimedia:/libs/openSUSE_12.1/>
+
+For Fedora, you'll need packages `libconfig` and
+`libconfig-devel`:
+
+	yum install libconfig libconfig-devel
+
+If you can't find `libconfig`, or just don't want a
+configuration file, set `USELIBCONFIG=` in the Makefile.
+
+Compilation
+-----------
+
+After this, the Makefile should work:
+
+	make install
+
+There are a couple of configuration options at the beginning
+of the Makefile: 
+
+* `USELIBWRAP` compiles support for host access control (see
+  `hosts_access(3)`), you will need `libwrap` headers and
+  library to compile (`libwrap0-dev` in Debian).
+
+* `USELIBCONFIG` compiles support for the configuration
+  file. You will need `libconfig` headers to compile
+  (`libconfig8-dev` in Debian).
+
+
+Binaries
+--------
+
+The Makefile produces two different executables: `sslh-fork`
+and `sslh-select`:
+
+* `sslh-fork` forks a new process for each incoming connection.
+It is well-tested and very reliable, but incurs the overhead
+of many processes.  
+If you are going to use `sslh` for a "small" setup (less than
+a dozen ssh connections and a low-traffic https server) then
+`sslh-fork` is probably more suited for you. 
+
+* `sslh-select` uses only one thread, which monitors all connections
+at once. It is more recent and less tested, but only incurs a 16
+byte overhead per connection. Also, if it stops, you'll lose all
+connections, which means you can't upgrade it remotely.  
+If you are going to use `sslh` on a "medium" setup (a few thousand ssh
+connections, and another few thousand ssl connections),
+`sslh-select` will be better.
+
+If you have a very large site (tens of thousands of connections),
+you'll need a vapourware version that would use libevent or
+something like that.
+
+
+Installation
+------------
+
+* In general:
+
+		make
+		cp sslh-fork /usr/local/sbin/sslh
+		cp basic.cfg /etc/sslh.cfg
+                vi /etc/sslh.cfg
+
+* For Debian:
+
+		cp scripts/etc.init.d.sslh /etc/init.d/sslh
+	
+* For CentOS:
+
+		cp scripts/etc.rc.d.init.d.sslh.centos /etc/rc.d/init.d/sslh
+
+
+You might need to create links in /etc/rc<x>.d so that the server
+start automatically at boot-up, e.g. under Debian:
+
+	update-rc.d sslh defaults
+
+
+Configuration
+=============
+
+If you use the scripts provided, sslh will get its
+configuration from /etc/sslh.cfg. Please refer to
+example.cfg for an overview of all the settings.
+
+A good scheme is to use the external name of the machine in
+`listen`, and bind `httpd` to `localhost:443` (instead of all
+binding to all interfaces): that way, HTTPS connections
+coming from inside your network don't need to go through
+`sslh`, and `sslh` is only there as a frontal for connections
+coming from the internet.
+
+Note that 'external name' in this context refers to the
+actual IP address of the machine as seen from your network,
+i.e. that that is not `127.0.0.1` in the output of
+`ifconfig(8)`.
+
+Libwrap support
+---------------
+
+Sslh can optionnaly perform `libwrap` checks for the sshd
+service: because the connection to `sshd` will be coming
+locally from `sslh`, `sshd` cannot determine the IP of the
+client.
+
+OpenVPN support
+---------------
+
+OpenVPN clients connecting to OpenVPN running with
+`-port-share` reportedly take more than one second between
+the time the TCP connexion is established and the time they
+send the first data packet. This results in `sslh` with
+default settings timing out and assuming an SSH connexion.
+To support OpenVPN connexions reliably, it is necessary to
+increase `sslh`'s timeout to 5 seconds.
+
+Instead of using OpenVPN's port sharing, it is more reliable
+to use `sslh`'s `--openvpn` option to get `sslh` to do the
+port sharing.
+
+Using proxytunnel with sslh
+---------------------------
+
+If you are connecting through a proxy that checks that the
+outgoing connection really is SSL and rejects SSH, you can
+encapsulate all your traffic in SSL using `proxytunnel` (this
+should work with `corkscrew` as well). On the server side you
+receive the traffic with `stunnel` to decapsulate SSL, then
+pipe through `sslh` to switch HTTP on one side and SSL on the
+other.
+
+In that case, you end up with something like this:
+
+	ssh -> proxytunnel -e ----[ssh/ssl]---> stunnel ---[ssh]---> sslh --> sshd
+	Web browser -------------[http/ssl]---> stunnel ---[http]--> sslh --> httpd
+
+Configuration goes like this on the server side, using `stunnel3`:
+
+	stunnel -f -p mycert.pem  -d thelonious:443 -l /usr/local/sbin/sslh -- \
+		sslh -i  --http localhost:80 --ssh localhost:22
+
+* stunnel options:
+  * `-f` for foreground/debugging
+  * `-p` for specifying the key and certificate
+  * `-d` for specifying which interface and port
+	we're listening to for incoming connexions
+  * `-l` summons `sslh` in inetd mode.
+
+* sslh options:
+  * `-i` for inetd mode
+  * `--http` to forward HTTP connexions to port 80,
+	and SSH connexions to port 22.
+
+Capabilities support
+--------------------
+
+On Linux (only?), you can compile sslh with `USELIBCAP=1` to
+make use of POSIX capabilities; this will save the required
+capabilities needed for transparent proxying for unprivileged
+processes.
+
+Alternatively, you may use filesystem capabilities instead
+of starting sslh as root and asking it to drop privileges.
+You will need `CAP_NET_BIND_SERVICE` for listening on port 443
+and `CAP_NET_ADMIN` for transparent proxying (see
+`capabilities(7)`).
+
+You can use the `setcap(8)` utility to give these capabilities
+to the executable:
+
+	# setcap cap_net_bind_service,cap_net_admin+pe sslh-select
+
+Then you can run sslh-select as an unpriviledged user, e.g.:
+
+	$ sslh-select -p myname:443 --ssh localhost:22 --ssl localhost:443
+
+Caveat: `CAP_NET_ADMIN` does give sslh too many rights, e.g.
+configuring the interface. If you're not going to use
+transparent proxying, just don't use it (or use the libcap method).
+
+Transparent proxy support
+-------------------------
+
+On Linux and FreeBSD you can use the `--transparent` option to
+request transparent proxying. This means services behind `sslh`
+(Apache, `sshd` and so on) will see the external IP and ports
+as if the external world connected directly to them. This
+simplifies IP-based access control (or makes it possible at
+all).
+
+Linux:
+
+`sslh` needs extended rights to perform this: you'll need to
+give it `CAP_NET_ADMIN` capabilities (see appropriate chapter)
+or run it as root (but don't do that).
+
+The firewalling tables also need to be adjusted as follow.
+The example connects to HTTPS on 4443 -- adapt to your needs ;
+I don't think it is possible to have `httpd` listen to 443 in
+this scheme -- let me know if you manage that:
+
+	# iptables -t mangle -N SSLH
+	# iptables -t mangle -A  OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH
+	# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
+	# iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
+	# iptables -t mangle -A SSLH --jump ACCEPT
+	# ip rule add fwmark 0x1 lookup 100
+	# ip route add local 0.0.0.0/0 dev lo table 100
+
+Tranparent proxying with IPv6 is similarly set up as follows:
+
+        # ip6tables -t mangle -N SSLH
+        # ip6tables -t mangle -A  OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH
+        # ip6tables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
+        # ip6tables -t mangle -A SSLH --jump MARK --set-mark 0x1
+        # ip6tables -t mangle -A SSLH --jump ACCEPT
+        # ip -6 rule add fwmark 0x1 lookup 100
+        # ip -6 route add local ::/0 dev lo table 100
+
+Note that these rules will prevent from connecting directly
+to ssh on the port 22, as packets coming out of sshd will be
+tagged. If you need to retain direct access to ssh on port
+22 as well as through sslh, you can make sshd listen to
+22 AND another port (e.g. 2222), and change the above rules
+accordingly.
+
+FreeBSD:
+
+Given you have no firewall defined yet, you can use the following configuration
+to have ipfw properly redirect traffic back to sslh
+
+	/etc/rc.conf
+	firewall_enable="YES"
+	firewall_type="open"
+	firewall_logif="YES"
+	firewall_coscripts="/etc/ipfw/sslh.rules"
+
+
+/etc/ipfw/sslh.rules
+
+	#! /bin/sh
+
+	# ssl
+	ipfw add 20000 fwd 192.0.2.1,443 log tcp from 192.0.2.1 8443 to any out
+	ipfw add 20010 fwd 2001:db8::1,443 log tcp from 2001:db8::1 8443 to any out
+
+	# ssh
+	ipfw add 20100 fwd 192.0.2.1,443 log tcp from 192.0.2.1 8022 to any out
+	ipfw add 20110 fwd 2001:db8::1,443 log tcp from 2001:db8::1 8022 to any out
+
+	# xmpp
+	ipfw add 20200 fwd 192.0.2.1,443 log tcp from 192.0.2.1 5222 to any out
+	ipfw add 20210 fwd 2001:db8::1,443 log tcp from 2001:db8::1 5222 to any out
+
+	# openvpn (running on other internal system)
+	ipfw add 20300 fwd 192.0.2.1,443 log tcp from 198.51.100.7 1194 to any out
+	ipfw add 20310 fwd 2001:db8::1,443 log tcp from 2001:db8:1::7 1194 to any out
+
+General notes:
+
+
+This will only work if `sslh` does not use any loopback
+addresses (no `127.0.0.1` or `localhost`), you'll need to use
+explicit IP addresses (or names):
+
+	sslh --listen 192.168.0.1:443 --ssh 192.168.0.1:22 --ssl 192.168.0.1:4443
+
+This will not work:
+
+	sslh --listen 192.168.0.1:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:4443
+
+Fail2ban
+--------
+
+If using transparent proxying, just use the standard ssh
+rules. If you can't or don't want to use transparent
+proxying, you can set `fail2ban` rules to block repeated ssh
+connections from a same IP address (obviously this depends
+on the site, there might be legimite reasons you would get
+many connections to ssh from the same IP address...)
+
+See example files in scripts/fail2ban.
+
+Comments? Questions?
+====================
+
+You can subscribe to the `sslh` mailing list here:
+<http://rutschle.net/cgi-bin/mailman/listinfo/sslh>
+
+This mailing list should be used for discussion, feature
+requests, and will be the prefered channel for announcements.
+

TODO

@@ -0,0 +1,25 @@
+Here's a list of features that have been suggested or
+sometimes requested. This list is not a roadmap and
+shouldn't be construed to mean that any of this will happen.
+
+- configurable behaviour depending on services (e.g.
+  select() for ssl but fork() for ssh).
+
+- have certain services available only from specified subnets
+
+- some sort of "service knocking" allowing to activate a
+  service upon some external even, similar to port knocking;
+for example, go to a specific URL to enable sslh forwarding
+to sshd for a set period of time:
+    * sslh listens on 443 and only directs to httpd
+    * user goes somewhere to https://example.org/open_ssh.cgi
+    * open_ssh.cgi tells sslh
+    * sslh starts checking if incoming connections are ssh, and
+    if they are, forward to sshd
+    * 10 minutes later, sslh stops forwarding to ssh
+
+That would make it almost impossible for an observer
+(someone who'd telnet regularly on 443) to ever notice both
+services are available on 443.
+
+

basic.cfg

@@ -0,0 +1,29 @@
+# This is a basic configuration file that should provide
+# sensible values for "standard" setup.
+
+verbose: false;
+foreground: false;
+inetd: false;
+numeric: false;
+transparent: false;
+timeout: "2";
+user: "nobody";
+pidfile: "/var/run/sslh.pid";
+
+
+# Change hostname with your external address name.
+listen:
+(
+    { host: "thelonious"; port: "443"; }
+);
+
+protocols:
+(
+     { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; },
+     { name: "openvpn"; host: "localhost"; port: "1194"; },
+     { name: "xmpp"; host: "localhost"; port: "5222"; },
+     { name: "http"; host: "localhost"; port: "80"; },
+     { name: "ssl"; host: "localhost"; port: "443"; log_level: 0; },
+     { name: "anyprot"; host: "localhost"; port: "443"; }
+);
+

common.c

@@ -0,0 +1,654 @@
+/* Code and variables that is common to both fork and select-based
+ * servers.
+ *
+ * No code here should assume whether sockets are blocking or not.
+ **/
+
+#define _GNU_SOURCE
+#include <stdarg.h>
+#include <grp.h>
+
+#include "common.h"
+#include "probe.h"
+
+/* Added to make the code compilable under CYGWIN 
+ * */
+#ifndef SA_NOCLDWAIT
+#define SA_NOCLDWAIT 0
+#endif
+
+/* 
+ * Settings that depend on the command line.  They're set in main(), but also
+ * used in other places in common.c, and it'd be heavy-handed to pass it all as
+ * parameters
+ */
+int verbose = 0;
+int probing_timeout = 2;
+int inetd = 0;
+int foreground = 0;
+int background = 0;
+int transparent = 0;
+int numeric = 0;
+const char *user_name, *pid_file;
+
+struct addrinfo *addr_listen = NULL; /* what addresses do we listen to? */
+
+#ifdef LIBWRAP
+#include <tcpd.h>
+int allow_severity =0, deny_severity = 0;
+#endif
+
+/* check result and die, printing the offending address and error */
+void check_res_dumpdie(int res, struct addrinfo *addr, char* syscall)
+{
+    char buf[NI_MAXHOST];
+
+    if (res == -1) {
+        fprintf(stderr, "%s:%s: %s\n", 
+                sprintaddr(buf, sizeof(buf), addr), 
+                syscall, 
+                strerror(errno));
+        exit(1);
+    }
+}
+
+/* Starts listening sockets on specified addresses.
+ * IN: addr[], num_addr
+ * OUT: *sockfd[]  pointer to newly-allocated array of file descriptors
+ * Returns number of addresses bound
+ * Bound file descriptors are returned in newly-allocated *sockfd pointer
+   */
+int start_listen_sockets(int *sockfd[], struct addrinfo *addr_list)
+{
+   struct sockaddr_storage *saddr;
+   struct addrinfo *addr;
+   int i, res, one;
+   int num_addr = 0;
+
+   for (addr = addr_list; addr; addr = addr->ai_next)
+       num_addr++;
+
+   if (verbose)
+       fprintf(stderr, "listening to %d addresses\n", num_addr);
+
+   *sockfd = malloc(num_addr * sizeof(*sockfd[0]));
+
+   for (i = 0, addr = addr_list; i < num_addr && addr; i++, addr = addr->ai_next) {
+       if (!addr) {
+           fprintf(stderr, "FATAL: Inconsistent listen number. This should not happen.\n");
+           exit(1);
+       }
+       saddr = (struct sockaddr_storage*)addr->ai_addr;
+
+       (*sockfd)[i] = socket(saddr->ss_family, SOCK_STREAM, 0);
+       check_res_dumpdie((*sockfd)[i], addr, "socket");
+
+       one = 1;
+       res = setsockopt((*sockfd)[i], SOL_SOCKET, SO_REUSEADDR, (char*)&one, sizeof(one));
+       check_res_dumpdie(res, addr, "setsockopt(SO_REUSEADDR)");
+
+       if (IP_FREEBIND) {
+           res = setsockopt((*sockfd)[i], IPPROTO_IP, IP_FREEBIND, (char*)&one, sizeof(one));
+           check_res_dumpdie(res, addr, "setsockopt(IP_FREEBIND)");
+       }
+
+       res = bind((*sockfd)[i], addr->ai_addr, addr->ai_addrlen);
+       check_res_dumpdie(res, addr, "bind");
+
+       res = listen ((*sockfd)[i], 50);
+       check_res_dumpdie(res, addr, "listen");
+
+   }
+
+   return num_addr;
+}
+
+/* Transparent proxying: bind the peer address of fd to the peer address of
+ * fd_from */
+#define IP_TRANSPARENT 19
+int bind_peer(int fd, int fd_from)
+{
+    struct addrinfo from;
+    struct sockaddr_storage ss;
+    int res, trans = 1;
+
+    memset(&from, 0, sizeof(from));
+    from.ai_addr = (struct sockaddr*)&ss;
+    from.ai_addrlen = sizeof(ss);
+
+    /* getpeername can fail with ENOTCONN if connection was dropped before we
+     * got here */
+    res = getpeername(fd_from, from.ai_addr, &from.ai_addrlen);
+    CHECK_RES_RETURN(res, "getpeername");
+#ifndef IP_BINDANY /* use IP_TRANSPARENT */
+    res = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &trans, sizeof(trans));
+    CHECK_RES_DIE(res, "setsockopt");
+#else
+    if (from.ai_addr->sa_family==AF_INET) { /* IPv4 */
+        res = setsockopt(fd, IPPROTO_IP, IP_BINDANY, &trans, sizeof(trans));
+        CHECK_RES_RETURN(res, "setsockopt IP_BINDANY");
+#ifdef IPV6_BINDANY
+    } else { /* IPv6 */
+        res = setsockopt(fd, IPPROTO_IPV6, IPV6_BINDANY, &trans, sizeof(trans));
+        CHECK_RES_RETURN(res, "setsockopt IPV6_BINDANY");
+#endif /* IPV6_BINDANY */
+    }
+#endif /* IP_TRANSPARENT / IP_BINDANY */
+    res = bind(fd, from.ai_addr, from.ai_addrlen);
+    CHECK_RES_RETURN(res, "bind");
+
+    return 0;
+}
+
+/* Connect to first address that works and returns a file descriptor, or -1 if
+ * none work. 
+ * If transparent proxying is on, use fd_from peer address on external address
+ * of new file descriptor. */
+int connect_addr(struct connection *cnx, int fd_from)
+{
+    struct addrinfo *a, from;
+    struct sockaddr_storage ss;
+    char buf[NI_MAXHOST];
+    int fd, res;
+
+    memset(&from, 0, sizeof(from));
+    from.ai_addr = (struct sockaddr*)&ss;
+    from.ai_addrlen = sizeof(ss);
+
+    res = getpeername(fd_from, from.ai_addr, &from.ai_addrlen);
+    CHECK_RES_RETURN(res, "getpeername");
+
+    for (a = cnx->proto->saddr; a; a = a->ai_next) {
+        /* When transparent, make sure both connections use the same address family */
+        if (transparent && a->ai_family != from.ai_addr->sa_family)
+            continue;
+        if (verbose) 
+            fprintf(stderr, "connecting to %s family %d len %d\n", 
+                    sprintaddr(buf, sizeof(buf), a),
+                    a->ai_addr->sa_family, a->ai_addrlen);
+
+        /* XXX Needs to match ai_family from fd_from when being transparent! */
+        fd = socket(a->ai_family, SOCK_STREAM, 0);
+        if (fd == -1) {
+            log_message(LOG_ERR, "forward to %s failed:socket: %s\n",
+                        cnx->proto->description, strerror(errno));
+        } else {
+            if (transparent) {
+                res = bind_peer(fd, fd_from);
+                CHECK_RES_RETURN(res, "bind_peer");
+            }
+            res = connect(fd, a->ai_addr, a->ai_addrlen);
+            if (res == -1) {
+                log_message(LOG_ERR, "forward to %s failed:connect: %s\n", 
+                            cnx->proto->description, strerror(errno));
+                close(fd);
+            } else {
+                return fd;
+            }
+        }
+    }
+    return -1;
+}
+
+/* Store some data to write to the queue later */
+int defer_write(struct queue *q, void* data, int data_size) 
+{
+    char *p;
+    if (verbose) 
+        fprintf(stderr, "**** writing deferred on fd %d\n", q->fd);
+
+    p = realloc(q->begin_deferred_data, q->deferred_data_size + data_size);
+    if (!p) {
+        perror("realloc");
+        exit(1);
+    }
+
+    q->deferred_data = q->begin_deferred_data = p;
+    p += q->deferred_data_size;
+    q->deferred_data_size += data_size;
+    memcpy(p, data, data_size);
+
+    return 0;
+}
+
+/* tries to flush some of the data for specified queue
+ * Upon success, the number of bytes written is returned.
+ * Upon failure, -1 returned (e.g. connexion closed)
+ * */
+int flush_deferred(struct queue *q)
+{
+    int n;
+
+    if (verbose)
+        fprintf(stderr, "flushing deferred data to fd %d\n", q->fd);
+
+    n = write(q->fd, q->deferred_data, q->deferred_data_size);
+    if (n == -1)
+        return n;
+
+    if (n == q->deferred_data_size) {
+        /* All has been written -- release the memory */
+        free(q->begin_deferred_data);
+        q->begin_deferred_data = NULL;
+        q->deferred_data = NULL;
+        q->deferred_data_size = 0;
+    } else {
+        /* There is data left */
+        q->deferred_data += n;
+        q->deferred_data_size -= n;
+    }
+
+    return n;
+}
+
+
+void init_cnx(struct connection *cnx)
+{
+    memset(cnx, 0, sizeof(*cnx));
+    cnx->q[0].fd = -1;
+    cnx->q[1].fd = -1;
+    cnx->proto = get_first_protocol();
+}
+
+void dump_connection(struct connection *cnx)
+{
+    printf("state: %d\n", cnx->state);
+    printf("fd %d, %d deferred\n", cnx->q[0].fd, cnx->q[0].deferred_data_size);
+    printf("fd %d, %d deferred\n", cnx->q[1].fd, cnx->q[1].deferred_data_size);
+}
+
+
+/* 
+ * moves data from one fd to other
+ *
+ * returns number of bytes copied if success
+ * returns 0 (FD_CNXCLOSED) if incoming socket closed
+ * returns FD_NODATA if no data was available
+ * returns FD_STALLED if data was read, could not be written, and has been
+ * stored in temporary buffer.
+ */
+int fd2fd(struct queue *target_q, struct queue *from_q)
+{
+   char buffer[BUFSIZ];
+   int target, from, size_r, size_w;
+
+   target = target_q->fd;
+   from = from_q->fd;
+
+   size_r = read(from, buffer, sizeof(buffer));
+   if (size_r == -1) {
+       switch (errno) {
+       case EAGAIN:
+           if (verbose)
+               fprintf(stderr, "reading 0 from %d\n", from);
+           return FD_NODATA;
+
+       case ECONNRESET:
+       case EPIPE:
+           return FD_CNXCLOSED;
+       }
+   }
+
+   CHECK_RES_RETURN(size_r, "read");
+
+   if (size_r == 0)
+      return FD_CNXCLOSED;
+
+   size_w = write(target, buffer, size_r);
+   /* process -1 when we know how to deal with it */
+   if (size_w == -1) {
+       switch (errno) {
+       case EAGAIN:
+           /* write blocked: Defer data */
+           defer_write(target_q, buffer, size_r);
+           return FD_STALLED;
+
+       case ECONNRESET:
+       case EPIPE:
+           /* remove end closed -- drop the connection */
+           return FD_CNXCLOSED;
+       }
+   } else if (size_w < size_r) {
+       /* incomplete write -- defer the rest of the data */
+       defer_write(target_q, buffer + size_w, size_r - size_w);
+       return FD_STALLED;
+   }
+
+   CHECK_RES_RETURN(size_w, "write");
+
+   return size_w;
+}
+
+/* returns a string that prints the IP and port of the sockaddr */
+char* sprintaddr(char* buf, size_t size, struct addrinfo *a)
+{
+   char host[NI_MAXHOST], serv[NI_MAXSERV];
+   int res;
+
+   res = getnameinfo(a->ai_addr, a->ai_addrlen,
+               host, sizeof(host), 
+               serv, sizeof(serv), 
+               numeric ? NI_NUMERICHOST | NI_NUMERICSERV : 0 );
+
+   if (res) {
+       log_message(LOG_ERR, "sprintaddr:getnameinfo: %s\n", gai_strerror(res));
+       /* Name resolution failed: do it numerically instead */
+       res = getnameinfo(a->ai_addr, a->ai_addrlen,
+                         host, sizeof(host), 
+                         serv, sizeof(serv), 
+                         NI_NUMERICHOST | NI_NUMERICSERV);
+       /* should not fail but... */
+       if (res) {
+           log_message(LOG_ERR, "sprintaddr:getnameinfo(NUM): %s\n", gai_strerror(res));
+           strcpy(host, "?");
+           strcpy(serv, "?");
+       }
+   }
+
+   snprintf(buf, size, "%s:%s", host, serv);
+
+   return buf;
+}
+
+/* Turns a hostname and port (or service) into a list of struct addrinfo 
+ * returns 0 on success, -1 otherwise and logs error
+ **/
+int resolve_split_name(struct addrinfo **out, const char* host, const char* serv)
+{
+   struct addrinfo hint;
+   int res;
+
+   memset(&hint, 0, sizeof(hint));
+   hint.ai_family = PF_UNSPEC;
+   hint.ai_socktype = SOCK_STREAM;
+
+   res = getaddrinfo(host, serv, &hint, out);
+   if (res)
+      log_message(LOG_ERR, "%s `%s:%s'\n", gai_strerror(res), host, serv);
+   return res;
+}
+
+/* turns a "hostname:port" string into a list of struct addrinfo;
+out: list of newly allocated addrinfo (see getaddrinfo(3)); freeaddrinfo(3) when done
+fullname: input string -- it gets clobbered
+*/
+void resolve_name(struct addrinfo **out, char* fullname)
+{
+   char *serv, *host, *end;
+   int res;
+
+   /* Find port */
+   char *sep = strrchr(fullname, ':');
+   if (!sep) { /* No separator: parameter is just a port */
+      fprintf(stderr, "%s: names must be fully specified as hostname:port\n", fullname);
+      exit(1);
+   }
+   serv = sep+1;
+   *sep = 0;
+
+   host = fullname;
+
+   /* If it is a RFC-Compliant IPv6 address ("[1234::12]:443"), remove brackets
+    * around IP address */
+   if (host[0] == '[') {
+       end = strrchr(host, ']');
+       if (!end) {
+           fprintf(stderr, "%s: no closing bracket in IPv6 address?\n", host);
+       }
+       host++; /* skip first bracket */
+       *end = 0; /* remove last bracket */
+   }
+
+   res = resolve_split_name(out, host, serv);
+   if (res) {
+      fprintf(stderr, "%s `%s'\n", gai_strerror(res), fullname);
+      if (res == EAI_SERVICE)
+         fprintf(stderr, "(Check you have specified all ports)\n");
+      exit(4);
+   }
+}
+
+/* Log to syslog or stderr if foreground */
+void log_message(int type, char* msg, ...)
+{
+    va_list ap;
+
+    va_start(ap, msg);
+    if (foreground)
+        vfprintf(stderr, msg, ap);
+    else
+        vsyslog(type, msg, ap);
+    va_end(ap);
+}
+
+/* syslogs who connected to where */
+void log_connection(struct connection *cnx)
+{
+    struct addrinfo addr;
+    struct sockaddr_storage ss;
+#define MAX_NAMELENGTH (NI_MAXHOST + NI_MAXSERV + 1)
+    char peer[MAX_NAMELENGTH], service[MAX_NAMELENGTH],
+        local[MAX_NAMELENGTH], target[MAX_NAMELENGTH];
+    int res;
+
+    if (cnx->proto->log_level < 1)
+        return;
+
+    addr.ai_addr = (struct sockaddr*)&ss;
+    addr.ai_addrlen = sizeof(ss);
+
+    res = getpeername(cnx->q[0].fd, addr.ai_addr, &addr.ai_addrlen);
+    if (res == -1) return; /* Can happen if connection drops before we get here. 
+                               In that case, don't log anything (there is no connection) */
+    sprintaddr(peer, sizeof(peer), &addr);
+
+    addr.ai_addrlen = sizeof(ss);
+    res = getsockname(cnx->q[0].fd, addr.ai_addr, &addr.ai_addrlen);
+    if (res == -1) return;
+    sprintaddr(service, sizeof(service), &addr);
+
+    addr.ai_addrlen = sizeof(ss);
+    res = getpeername(cnx->q[1].fd, addr.ai_addr, &addr.ai_addrlen);
+    if (res == -1) return;
+    sprintaddr(target, sizeof(target), &addr);
+
+    addr.ai_addrlen = sizeof(ss);
+    res = getsockname(cnx->q[1].fd, addr.ai_addr, &addr.ai_addrlen);
+    if (res == -1) return;
+    sprintaddr(local, sizeof(local), &addr);
+
+    log_message(LOG_INFO, "%s:connection from %s to %s forwarded from %s to %s\n",
+                cnx->proto->description,
+                peer,
+                service,
+                local,
+                target);
+}
+
+
+/* libwrap (tcpd): check the connection is legal. This is necessary because
+ * the actual server will only see a connection coming from localhost and can't
+ * apply the rules itself.
+ *
+ * Returns -1 if access is denied, 0 otherwise
+ */
+int check_access_rights(int in_socket, const char* service)
+{
+#ifdef LIBWRAP
+    union {
+        struct sockaddr saddr;
+        struct sockaddr_storage ss;
+    } peer;
+    socklen_t size = sizeof(peer);
+    char addr_str[NI_MAXHOST], host[NI_MAXHOST];
+    int res;
+
+    res = getpeername(in_socket, &peer.saddr, &size);
+    CHECK_RES_RETURN(res, "getpeername");
+
+    /* extract peer address */
+    res = getnameinfo(&peer.saddr, size, addr_str, sizeof(addr_str), NULL, 0, NI_NUMERICHOST);
+    if (res) {
+        if (verbose)
+            fprintf(stderr, "getnameinfo(NI_NUMERICHOST):%s\n", gai_strerror(res));
+        strcpy(addr_str, STRING_UNKNOWN);
+    }
+    /* extract peer name */
+    strcpy(host, STRING_UNKNOWN);
+    if (!numeric) {
+        res = getnameinfo(&peer.saddr, size, host, sizeof(host), NULL, 0, NI_NAMEREQD);
+        if (res) {
+            if (verbose)
+                fprintf(stderr, "getnameinfo(NI_NAMEREQD):%s\n", gai_strerror(res));
+        }
+    }
+
+    if (!hosts_ctl(service, host, addr_str, STRING_UNKNOWN)) {
+        if (verbose)
+            fprintf(stderr, "access denied\n");
+        log_message(LOG_INFO, "connection from %s(%s): access denied", host, addr_str);
+        close(in_socket);
+        return -1;
+    }
+#endif
+    return 0;
+}
+
+void setup_signals(void)
+{
+    int res;
+    struct sigaction action;
+
+    /* Request no SIGCHLD is sent upon termination of
+     * the children */
+    memset(&action, 0, sizeof(action));
+    action.sa_handler = NULL;
+    action.sa_flags = SA_NOCLDWAIT;
+    res = sigaction(SIGCHLD, &action, NULL);
+    CHECK_RES_DIE(res, "sigaction");
+
+    /* Set SIGTERM to exit. For some reason if it's not set explicitly,
+     * coverage information is lost when killing the process */
+    memset(&action, 0, sizeof(action));
+    action.sa_handler = exit;
+    res = sigaction(SIGTERM, &action, NULL);
+    CHECK_RES_DIE(res, "sigaction");
+
+    /* Ignore SIGPIPE . */
+    action.sa_handler = SIG_IGN;
+    res = sigaction(SIGPIPE, &action, NULL);
+    CHECK_RES_DIE(res, "sigaction");
+
+}
+
+/* Open syslog connection with appropriate banner; 
+ * banner is made up of basename(bin_name)+"[pid]" */
+void setup_syslog(const char* bin_name) {
+    char *name1, *name2;
+    int res;
+
+    name1 = strdup(bin_name);
+    res = asprintf(&name2, "%s[%d]", basename(name1), getpid());
+    CHECK_RES_DIE(res, "asprintf");
+    openlog(name2, LOG_CONS, LOG_AUTH);
+    free(name1); 
+    /* Don't free name2, as openlog(3) uses it (at least in glibc) */
+
+    log_message(LOG_INFO, "%s %s started\n", server_type, VERSION);
+}
+
+/* Ask OS to keep capabilities over a setuid(nonzero) */
+void set_keepcaps(int val) {
+#ifdef LIBCAP
+    int res;
+    res = prctl(PR_SET_KEEPCAPS, val, 0, 0, 0);
+    if (res) {
+        perror("prctl");
+        exit(1);
+    }
+#endif
+}
+
+/* set needed capabilities for effective and permitted, clear rest */
+void set_capabilities(void) {
+#ifdef LIBCAP
+    int res;
+    cap_t caps;
+    cap_value_t cap_list[10];
+    int ncap = 0;
+
+    if (transparent)
+        cap_list[ncap++] = CAP_NET_ADMIN;
+
+    caps = cap_init();
+
+#define _cap_set_flag(flag) do { \
+        res = cap_clear_flag(caps, flag); \
+        CHECK_RES_DIE(res, "cap_clear_flag(" #flag ")"); \
+        if (ncap > 0) { \
+            res = cap_set_flag(caps, flag, ncap, cap_list, CAP_SET); \
+            CHECK_RES_DIE(res, "cap_set_flag(" #flag ")"); \
+        } \
+    } while(0)
+
+    _cap_set_flag(CAP_EFFECTIVE);
+    _cap_set_flag(CAP_PERMITTED);
+
+#undef _cap_set_flag
+
+    res = cap_set_proc(caps);
+    CHECK_RES_DIE(res, "cap_set_proc");
+
+    res = cap_free(caps);
+    if (res) {
+        perror("cap_free");
+        exit(1);
+    }
+#endif
+}
+
+/* We don't want to run as root -- drop privileges if required */
+void drop_privileges(const char* user_name)
+{
+    int res;
+    struct passwd *pw = getpwnam(user_name);
+    if (!pw) {
+        fprintf(stderr, "%s: not found\n", user_name);
+        exit(2);
+    }
+    if (verbose)
+        fprintf(stderr, "turning into %s\n", user_name);
+
+    set_keepcaps(1);
+
+    /* remove extraneous groups in case we belong to several extra groups that
+     * may have unwanted rights. If non-root when calling setgroups(), it
+     * fails, which is fine because... we have no unwanted rights 
+     * (see POS36-C for security context)
+     * */
+    setgroups(0, NULL);
+
+    res = setgid(pw->pw_gid);
+    CHECK_RES_DIE(res, "setgid");
+    res = setuid(pw->pw_uid);
+    CHECK_RES_DIE(res, "setuid");
+
+    set_capabilities();
+    set_keepcaps(0);
+}
+
+/* Writes my PID */
+void write_pid_file(const char* pidfile)
+{
+    FILE *f;
+
+    f = fopen(pidfile, "w");
+    if (!f) {
+        perror(pidfile);
+        exit(3);
+    }
+
+    fprintf(f, "%d\n", getpid());
+    fclose(f);
+}
+

common.h

@@ -0,0 +1,129 @@
+#ifndef __COMMON_H_
+#define __COMMON_H_
+
+/* FD_SETSIZE is 64 on Cygwin, which is really low. Just redefining it is
+ * enough for the macros to adapt (http://support.microsoft.com/kb/111855)
+ */
+#ifdef __CYGWIN__
+#define FD_SETSIZE 4096
+#endif
+
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <signal.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <syslog.h>
+#include <libgen.h>
+#include <time.h>
+#include <getopt.h>
+
+#ifdef LIBCAP
+#include <sys/prctl.h>
+#include <sys/capability.h>
+#endif
+
+#include "version.h"
+
+#define CHECK_RES_DIE(res, str) \
+    if (res == -1) {    \
+       perror(str);     \
+       exit(1);         \
+    }
+
+#define CHECK_RES_RETURN(res, str) \
+    if (res == -1) {                                    \
+        log_message(LOG_CRIT, "%s:%d:%s\n", str, errno, strerror(errno));  \
+        return res;                                     \
+    } 
+
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))
+
+#if 1
+#define TRACE fprintf(stderr, "%s:%d\n", __FILE__, __LINE__);
+#else
+#define TRACE
+#endif
+
+#ifndef IP_FREEBIND
+#define IP_FREEBIND 0
+#endif
+
+enum connection_state {
+    ST_PROBING=1,    /* Waiting for timeout to find where to forward */
+    ST_SHOVELING   /* Connexion is established */
+};
+
+/* this is used to pass protocols through the command-line parameter parsing */
+#define PROT_SHIFT 1000  /* protocol options will be 1000, 1001, etc */
+
+/* A 'queue' is composed of a file descriptor (which can be read from or
+ * written to), and a queue for deferred write data */
+struct queue {
+    int fd;
+    void *begin_deferred_data;
+    void *deferred_data;
+    int deferred_data_size;
+};
+
+struct connection {
+    enum connection_state state;
+    time_t probe_timeout;
+    struct proto *proto;
+
+    /* q[0]: queue for external connection (client);
+     * q[1]: queue for internal connection (httpd or sshd);
+     * */
+    struct queue q[2];
+};
+
+#define FD_CNXCLOSED    0
+#define FD_NODATA       -1
+#define FD_STALLED      -2
+
+
+/* common.c */
+void init_cnx(struct connection *cnx);
+int connect_addr(struct connection *cnx, int fd_from);
+int fd2fd(struct queue *target, struct queue *from);
+char* sprintaddr(char* buf, size_t size, struct addrinfo *a);
+void resolve_name(struct addrinfo **out, char* fullname);
+void log_connection(struct connection *cnx);
+int check_access_rights(int in_socket, const char* service);
+void setup_signals(void);
+void setup_syslog(const char* bin_name);
+void drop_privileges(const char* user_name);
+void write_pid_file(const char* pidfile);
+void log_message(int type, char* msg, ...);
+void dump_connection(struct connection *cnx);
+int resolve_split_name(struct addrinfo **out, const char* hostname, const char* port);
+
+int start_listen_sockets(int *sockfd[], struct addrinfo *addr_list);
+
+int defer_write(struct queue *q, void* data, int data_size);
+int flush_deferred(struct queue *q);
+
+extern int probing_timeout, verbose, inetd, foreground, 
+       background, transparent, numeric;
+extern struct sockaddr_storage addr_ssl, addr_ssh, addr_openvpn;
+extern struct addrinfo *addr_listen;
+extern const char* USAGE_STRING;
+extern const char* user_name, *pid_file;
+extern const char* server_type;
+
+/* sslh-fork.c */
+void start_shoveler(int);
+
+void main_loop(int *listen_sockets, int num_addr_listen);
+
+#endif

echosrv.c

@@ -0,0 +1,160 @@
+/* echosrv: a simple line echo server with optional prefix adding.
+ *
+ * echsrv --listen localhost6:1234 --prefix "ssl: "
+ *
+ * This will bind to 1234, and echo every line pre-pending "ssl: ". This is
+ * used for testing: we create several such servers with different prefixes,
+ * then we connect test clients that can then check they get the proper data
+ * back (thus testing that shoveling works both ways) with the correct prefix
+ * (thus testing it connected to the expected service).
+ * **/
+
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <signal.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <syslog.h>
+#include <libgen.h>
+#include <getopt.h>
+
+#include "common.h"
+
+/* Added to make the code compilable under CYGWIN 
+ * */
+#ifndef SA_NOCLDWAIT
+#define SA_NOCLDWAIT 0
+#endif
+
+const char* USAGE_STRING =
+"echosrv\n" \
+"usage:\n" \
+"\techosrv  [-v] --listen <address:port> [--prefix <prefix>]\n"
+"-v: verbose\n" \
+"--listen: address to listen on. Can be specified multiple times.\n" \
+"--prefix: add specified prefix before every line echoed.\n"
+"";
+
+const char* server_type = "echsrv"; /* keep setup_syslog happy */
+
+/* 
+ * Settings that depend on the command line. 
+ */
+char* prefix = "";
+int port;
+
+void parse_cmdline(int argc, char* argv[])
+{
+    int c;
+    struct option options[] = {
+        { "verbose",    no_argument,            &verbose,       1 },
+        { "numeric",    no_argument,            &numeric,       1 },
+        { "listen",     required_argument,      0,              'l' },
+        { "prefix",     required_argument,      0,              'p' },
+    };
+    struct addrinfo **a;
+
+    while ((c = getopt_long_only(argc, argv, "l:p:", options, NULL)) != -1) {
+        if (c == 0) continue;
+
+        switch (c) {
+
+        case 'l':
+            /* find the end of the listen list */
+            for (a = &addr_listen; *a; a = &((*a)->ai_next));
+            /* append the specified addresses */
+            resolve_name(a, optarg);
+            break;
+
+        case 'p':
+            prefix = optarg;
+            break;
+
+        default:
+            fprintf(stderr, "%s", USAGE_STRING);
+            exit(2);
+        }
+    }
+
+    if (!addr_listen) {
+        fprintf(stderr, "No listening port specified\n");
+        exit(1);
+    }
+}
+
+void start_echo(int fd)
+{
+    int res;
+    char buffer[1 << 20];
+    int ret, prefix_len;
+
+    prefix_len = strlen(prefix);
+
+    memset(buffer, 0, sizeof(buffer));
+    strcpy(buffer, prefix);
+
+    while (1) {
+        ret = read(fd, buffer + prefix_len, sizeof(buffer));
+        if (ret == -1) {
+            fprintf(stderr, "%s", strerror(errno));
+            return;
+        }
+        res = write(fd, buffer, ret + prefix_len);
+        if (res < 0) {
+            fprintf(stderr, "%s", strerror(errno));
+            return;
+        }
+    }
+}
+
+void main_loop(int listen_sockets[], int num_addr_listen)
+{
+    int in_socket, i;
+
+    for (i = 0; i < num_addr_listen; i++) {
+        if (!fork()) {
+            while (1)
+            {
+                in_socket = accept(listen_sockets[i], 0, 0);
+                if (verbose) fprintf(stderr, "accepted fd %d\n", in_socket);
+
+                if (!fork())
+                {
+                    close(listen_sockets[i]);
+                    start_echo(in_socket);
+                    exit(0);
+                }
+                close(in_socket);
+            }
+        }
+    }
+    wait(NULL);
+}
+
+int main(int argc, char *argv[])
+{
+
+   extern char *optarg;
+   extern int optind;
+   int num_addr_listen;
+
+   int *listen_sockets;
+
+   parse_cmdline(argc, argv);
+
+   num_addr_listen = start_listen_sockets(&listen_sockets, addr_listen);
+
+   main_loop(listen_sockets, num_addr_listen);
+
+   return 0;
+}

example.cfg

@@ -0,0 +1,87 @@
+# This file is provided as documentation to show what is
+# possible. It should not be used as-is, and probably should
+# not be used as a starting point for a working
+# configuration. Instead use basic.cfg.
+
+verbose: true;
+foreground: true;
+inetd: false;
+numeric: false;
+transparent: false;
+timeout: "2";
+user: "nobody";
+pidfile: "/var/run/sslh.pid";
+
+
+# List of interfaces on which we should listen
+listen:
+(
+    { host: "thelonious"; port: "443"; },
+    { host: "thelonious"; port: "8080"; }
+);
+
+# List of protocols
+#
+# Each protocol entry consists of:
+#   name: name of the probe. These are listed on the command
+#   line (ssh -?), plus 'regex' and 'timeout'.
+
+#   service: (optional) libwrap service name (see hosts_access(5))
+#   host, port: where to connect when this probe succeeds
+#
+#  Probe-specific options:
+#       tls:
+#               sni_hostnames:  list of FQDN for that target
+#               alpn_protocols: list of ALPN protocols for that target, see:
+#               https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
+#
+#               if both sni_hostnames AND alpn_protocols are specified, both must match
+#               if neither are set, it is just checked whether this is the TLS protocol or not
+#       regex:
+#               regex_patterns: list of patterns to match for
+#               that target.
+#   
+# sslh will try each probe in order they are declared, and
+# connect to the first that matches.
+#
+# You can specify several of 'regex' and 'tls'.
+ 
+protocols:
+(
+     { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; },
+     { name: "http"; host: "localhost"; port: "80"; },
+
+# match BOTH ALPN/SNI
+     { name: "tls"; host: "localhost"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; sni_hostnames: [ "im.somethingelse.net" ]; log_level: 0;},
+
+# just match ALPN
+     { name: "tls"; host: "localhost"; port: "443"; alpn_protocols: [ "h2", "http/1.1", "spdy/1", "spdy/2", "spdy/3" ]; log_level: 0; },
+     { name: "tls"; host: "localhost"; port: "xmpp-client"; alpn_protocols: [ "xmpp-client" ];  log_level: 0;},
+
+# just match SNI
+     { name: "tls"; host: "localhost"; port: "993"; sni_hostnames: [ "mail.rutschle.net", "mail.englishintoulouse.com" ]; log_level: 0; },
+     { name: "tls"; host: "localhost"; port: "xmpp-client"; sni_hostnames: [ "im.rutschle.net", "im.englishintoulouse.com" ];  log_level: 0;},
+
+# catch anything else TLS
+     { name: "tls"; host: "localhost"; port: "443"; },
+
+# OpenVPN
+     { name: "regex"; host: "localhost"; port: "1194"; regex_patterns: [ "^\x00[\x0D-\xFF]$", "^\x00[\x0D-\xFF]\x38" ]; },
+# Jabber
+     { name: "regex"; host: "localhost"; port: "5222"; regex_patterns: [ "jabber" ]; },
+
+# Catch-all
+     { name: "regex"; host: "localhost"; port: "443"; regex_patterns: [ "" ]; },
+
+# Where to connect in case of timeout (defaults to ssh)
+     { name: "timeout"; service: "daytime"; host: "localhost"; port: "daytime"; }
+);
+
+# Optionally, specify to which protocol to connect in case
+# of timeout (defaults to "ssh").
+# You can timeout to any arbitrary address by setting an
+# entry in 'protocols' named "timeout".
+# This enables you to set a tcpd service name for this
+# protocol too.
+on-timeout: "timeout";
+

genver.sh

@@ -0,0 +1,49 @@
+#! /bin/sh
+
+if [ ${#} -eq 1 ] && [ "x$1" = "x-r" ]; then
+	# release text only
+	QUIET=1
+else
+	QUIET=0
+fi
+
+if ! `(git status | grep -q "On branch") 2> /dev/null`; then
+        # If we don't have git, we can't work out what
+        # version this is. It must have been downloaded as a
+        # zip file. 
+        
+        # If downloaded from the release page, the directory
+        # has the version number.
+        release=`pwd | sed s/.*sslh-// | grep "[[:digit:]]"`
+        
+        if [ "x$release" = "x" ]; then
+            # If downloaded from the head, Github creates the
+            # zip file with all files dated from the last
+            # change: use the Makefile's modification time as a
+            # release number
+            release=head-`perl -MPOSIX -e 'print strftime "%Y-%m-%d",localtime((stat "Makefile")[9])'`
+        fi
+fi
+
+if head=`git rev-parse --verify HEAD 2>/dev/null`; then
+	# generate the version info based on the tag
+	release=`(git describe --tags || git --describe || git describe --all --long) \
+		2>/dev/null | tr -d '\n'`
+
+	# Are there uncommitted changes?
+	git update-index --refresh --unmerged > /dev/null
+	if git diff-index --name-only HEAD | grep -v "^scripts/package" \
+	    | read dummy; then
+		release="$release-dirty"
+	fi
+fi
+
+
+if [ $QUIET -ne 1 ]; then
+	printf "#ifndef _VERSION_H_ \n"
+	printf "#define _VERSION_H_ \n\n"
+	printf "#define VERSION \"$release\"\n"
+	printf "#endif\n"
+else
+	printf "$release\n"
+fi

probe.c

@@ -0,0 +1,363 @@
+/*
+# probe.c: Code for probing protocols
+#
+# Copyright (C) 2007-2015  Yves Rutschle
+# 
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later
+# version.
+# 
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE.  See the GNU General Public License for more
+# details.
+# 
+# The full text for the General Public License is here:
+# http://www.gnu.org/licenses/gpl.html
+*/
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#ifdef LIBPCRE
+#include <regex.h>
+#endif
+#include <ctype.h>
+#include "probe.h"
+
+
+
+static int is_ssh_protocol(const char *p, int len, struct proto*);
+static int is_openvpn_protocol(const char *p, int len, struct proto*);
+static int is_tinc_protocol(const char *p, int len, struct proto*);
+static int is_xmpp_protocol(const char *p, int len, struct proto*);
+static int is_http_protocol(const char *p, int len, struct proto*);
+static int is_tls_protocol(const char *p, int len, struct proto*);
+static int is_adb_protocol(const char *p, int len, struct proto*);
+static int is_true(const char *p, int len, struct proto* proto) { return 1; }
+
+/* Table of protocols that have a built-in probe
+ */
+static struct proto builtins[] = {
+    /* description   service  saddr  log_level   probe  */
+    { "ssh",         "sshd",   NULL,  1,         is_ssh_protocol},
+    { "openvpn",     NULL,     NULL,  1,         is_openvpn_protocol },
+    { "tinc",        NULL,     NULL,  1,         is_tinc_protocol },
+    { "xmpp",        NULL,     NULL,  1,         is_xmpp_protocol },
+    { "http",        NULL,     NULL,  1,         is_http_protocol },
+    { "ssl",         NULL,     NULL,  1,         is_tls_protocol },
+    { "tls",         NULL,     NULL,  1,         is_tls_protocol },
+    { "adb",         NULL,     NULL,  1,         is_adb_protocol },
+    { "anyprot",     NULL,     NULL,  1,         is_true }
+};
+
+static struct proto *protocols;
+static char* on_timeout = "ssh";
+
+struct proto*  get_builtins(void) {
+    return builtins;
+}
+
+int get_num_builtins(void) {
+    return ARRAY_SIZE(builtins);
+}
+
+/* Sets the protocol name to connect to in case of timeout */
+void set_ontimeout(const char* name)
+{
+    int res = asprintf(&on_timeout, "%s", name);
+    CHECK_RES_DIE(res, "asprintf");
+}
+
+/* Returns the protocol to connect to in case of timeout; 
+ * if not found, return the first protocol specified 
+ */
+struct proto* timeout_protocol(void) 
+{
+    struct proto* p = get_first_protocol();
+    for (; p && strcmp(p->description, on_timeout); p = p->next);
+    if (p) return p;
+    return get_first_protocol();
+}
+
+/* returns the first protocol (caller can then follow the *next pointers) */
+struct proto* get_first_protocol(void)
+{
+    return protocols;
+}
+
+void set_protocol_list(struct proto* prots)
+{
+    protocols = prots;
+}
+
+/* From http://grapsus.net/blog/post/Hexadecimal-dump-in-C */
+#define HEXDUMP_COLS 16
+void hexdump(const char *mem, unsigned int len)
+{
+    unsigned int i, j;
+
+    for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++)
+    {
+        /* print offset */
+        if(i % HEXDUMP_COLS == 0)
+            printf("0x%06x: ", i);
+
+        /* print hex data */
+        if(i < len)
+            printf("%02x ", 0xFF & mem[i]);
+        else /* end of block, just aligning for ASCII dump */
+            printf("   ");
+
+        /* print ASCII dump */
+        if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1)) {
+            for(j = i - (HEXDUMP_COLS - 1); j <= i; j++) {
+                if(j >= len) /* end of block, not really printing */
+                    putchar(' ');
+                else if(isprint(mem[j])) /* printable char */
+                    putchar(0xFF & mem[j]);        
+                else /* other char */
+                    putchar('.');
+            }
+            putchar('\n');
+        }
+    }
+}
+
+/* Is the buffer the beginning of an SSH connection? */
+static int is_ssh_protocol(const char *p, int len, struct proto *proto)
+{
+    if (len < 4)
+        return PROBE_AGAIN;
+
+    return !strncmp(p, "SSH-", 4);
+}
+
+/* Is the buffer the beginning of an OpenVPN connection?
+ *
+ * Code inspired from OpenVPN port-share option; however, OpenVPN code is
+ * wrong: users using pre-shared secrets have non-initialised key_id fields so
+ * p[3] & 7 should not be looked at, and also the key_method can be specified
+ * to 1 which changes the opcode to P_CONTROL_HARD_RESET_CLIENT_V1.
+ * See:
+ * http://www.fengnet.com/book/vpns%20illustrated%20tunnels%20%20vpnsand%20ipsec/ch08lev1sec5.html
+ * and OpenVPN ssl.c, ssl.h and options.c
+ */
+static int is_openvpn_protocol (const char*p,int len, struct proto *proto)
+{
+    int packet_len;
+
+    if (len < 2)
+        return PROBE_AGAIN;
+
+    packet_len = ntohs(*(uint16_t*)p);
+    return packet_len == len - 2;
+}
+
+/* Is the buffer the beginning of a tinc connections?
+ * Protocol is documented here: http://www.tinc-vpn.org/documentation/tinc.pdf
+ * First connection starts with "0 " in 1.0.15)
+ * */
+static int is_tinc_protocol( const char *p, int len, struct proto *proto)
+{
+    if (len < 2)
+        return PROBE_AGAIN;
+
+    return !strncmp(p, "0 ", 2);
+}
+
+/* Is the buffer the beginning of a jabber (XMPP) connections?
+ * (Protocol is documented (http://tools.ietf.org/html/rfc6120) but for lazy
+ * clients, just checking first frame containing "jabber" in xml entity)
+ * */
+static int is_xmpp_protocol( const char *p, int len, struct proto *proto)
+{
+    /* sometimes the word 'jabber' shows up late in the initial string,
+       sometimes after a newline. this makes sure we snarf the entire preamble
+       and detect it. (fixed for adium/pidgin) */
+    if (len < 50)
+        return PROBE_AGAIN;
+
+    return memmem(p, len, "jabber", 6) ? 1 : 0;
+}
+
+static int probe_http_method(const char *p, int len, const char *opt)
+{
+    if (len < strlen(opt))
+        return PROBE_AGAIN;
+
+    return !strncmp(p, opt, len);
+}
+
+/* Is the buffer the beginning of an HTTP connection?  */
+static int is_http_protocol(const char *p, int len, struct proto *proto)
+{
+    int res;
+    /* If it's got HTTP in the request (HTTP/1.1) then it's HTTP */
+    if (memmem(p, len, "HTTP", 4))
+        return PROBE_MATCH;
+
+#define PROBE_HTTP_METHOD(opt) if ((res = probe_http_method(p, len, opt)) != PROBE_NEXT) return res
+
+    /* Otherwise it could be HTTP/1.0 without version: check if it's got an
+     * HTTP method (RFC2616 5.1.1) */
+    PROBE_HTTP_METHOD("OPTIONS");
+    PROBE_HTTP_METHOD("GET");
+    PROBE_HTTP_METHOD("HEAD");
+    PROBE_HTTP_METHOD("POST");
+    PROBE_HTTP_METHOD("PUT");
+    PROBE_HTTP_METHOD("DELETE");
+    PROBE_HTTP_METHOD("TRACE");
+    PROBE_HTTP_METHOD("CONNECT");
+
+#undef PROBE_HTTP_METHOD
+
+    return PROBE_NEXT;
+}
+
+static int is_sni_alpn_protocol(const char *p, int len, struct proto *proto)
+{
+    int valid_tls;
+
+    valid_tls = parse_tls_header(proto->data, p, len);
+
+    if(valid_tls < 0)
+        return -1 == valid_tls ? PROBE_AGAIN : PROBE_NEXT;
+
+    /* There *was* a valid match */
+    return PROBE_MATCH;
+}
+
+static int is_tls_protocol(const char *p, int len, struct proto *proto)
+{
+    if (len < 3)
+        return PROBE_AGAIN;
+
+    /* TLS packet starts with a record "Hello" (0x16), followed by version
+     * (0x03 0x00-0x03) (RFC6101 A.1)
+     * This means we reject SSLv2 and lower, which is actually a good thing (RFC6176)
+     */
+    return p[0] == 0x16 && p[1] == 0x03 && ( p[2] >= 0 && p[2] <= 0x03);
+}
+
+static int is_adb_protocol(const char *p, int len, struct proto *proto)
+{
+    if (len < 30)
+        return PROBE_AGAIN;
+
+    /* The initial ADB host->device packet has a command type of CNXN, and a
+     * data payload starting with "host:".  Note that current versions of the
+     * client hardcode "host::" (with empty serialno and banner fields) but
+     * other clients may populate those fields.
+     *
+     * We aren't checking amessage.data_length, under the assumption that
+     * a packet >= 30 bytes long will have "something" in the payload field.
+     */
+    return !memcmp(&p[0], "CNXN", 4) && !memcmp(&p[24], "host:", 5);
+}
+
+static int regex_probe(const char *p, int len, struct proto *proto)
+{
+#ifdef LIBPCRE
+    regex_t **probe = proto->data;
+    regmatch_t pos = { 0, len };
+
+    for (; *probe && regexec(*probe, p, 0, &pos, REG_STARTEND); probe++)
+        /* try them all */;
+
+    return (*probe != NULL);
+#else
+    /* Should never happen as we check when loading config file */
+    fprintf(stderr, "FATAL: regex probe called but not built in\n");
+    exit(5);
+#endif
+}
+
+/* 
+ * Read the beginning of data coming from the client connection and check if
+ * it's a known protocol. 
+ * Return PROBE_AGAIN if not enough data, or PROBE_MATCH if it succeeded in
+ * which case cnx->proto is set to the appropriate protocol.
+ */
+int probe_client_protocol(struct connection *cnx)
+{
+    char buffer[BUFSIZ];
+    struct proto *p;
+    int n;
+
+    n = read(cnx->q[0].fd, buffer, sizeof(buffer));
+    /* It's possible that read() returns an error, e.g. if the client
+     * disconnected between the previous call to select() and now. If that
+     * happens, we just connect to the default protocol so the caller of this
+     * function does not have to deal with a specific  failure condition (the
+     * connection will just fail later normally). */
+    if (n > 0) {
+        int res = PROBE_NEXT;
+
+        defer_write(&cnx->q[1], buffer, n);
+
+        for (p = cnx->proto; p && res == PROBE_NEXT; p = p->next) {
+            if (! p->probe) continue;
+            if (verbose) fprintf(stderr, "probing for %s\n", p->description);
+
+            cnx->proto = p;
+            res = p->probe(cnx->q[1].begin_deferred_data, cnx->q[1].deferred_data_size, p);
+        }
+        if (res != PROBE_NEXT)
+            return res;
+    }
+
+    if (verbose) 
+        fprintf(stderr, 
+                "all probes failed, connecting to first protocol: %s\n", 
+                protocols->description);
+
+    /* If none worked, return the first one affected (that's completely
+     * arbitrary) */
+    cnx->proto = protocols;
+    return PROBE_MATCH;
+}
+
+/* Returns the structure for specified protocol or NULL if not found */
+static struct proto* get_protocol(const char* description)
+{
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(builtins); i++) {
+        if (!strcmp(builtins[i].description, description)) {
+            return &builtins[i];
+        }
+    }
+    return NULL;
+}
+
+/* Returns the probe for specified protocol:
+ * parameter is the description in builtins[], or "regex" 
+ * */
+T_PROBE* get_probe(const char* description) {
+    struct proto* p = get_protocol(description);
+
+    if (p)
+        return p->probe;
+
+    /* Special case of "regex" probe (we don't want to set it in builtins
+     * because builtins is also used to build the command-line options and
+     * regexp is not legal on the command line)*/
+    if (!strcmp(description, "regex"))
+        return regex_probe;
+
+    /* Special case of "sni/alpn" probe for same reason as above*/
+    if (!strcmp(description, "sni_alpn"))
+        return is_sni_alpn_protocol;
+
+    /* Special case of "timeout" is allowed as a probe name in the
+     * configuration file even though it's not really a probe */
+    if (!strcmp(description, "timeout"))
+        return is_true;
+
+    return NULL;
+}
+
+

probe.h

@@ -0,0 +1,70 @@
+/* API for probe.c */
+
+#ifndef __PROBE_H_
+#define __PROBE_H_
+
+#include "common.h"
+#include "tls.h"
+
+typedef enum {
+    PROBE_NEXT,  /* Enough data, probe failed -- it's some other protocol */
+    PROBE_MATCH, /* Enough data, probe successful -- it's the current protocol */
+    PROBE_AGAIN, /* Not enough data for this probe, try again with more data */
+} probe_result;
+
+struct proto;
+typedef int T_PROBE(const char*, int, struct proto*);
+
+/* For each protocol we need: */
+struct proto {
+    const char* description;  /* a string that says what it is (for logging and command-line parsing) */
+    const char* service;      /* service name to do libwrap checks */
+    struct addrinfo *saddr; /* list of addresses to try and switch that protocol */
+    int log_level;  /* 0: No logging of connection
+                     * 1: Log incoming connection
+                     */
+
+    /* function to probe that protocol; parameters are buffer and length
+     * containing the data to probe, and a pointer to the protocol structure */
+    T_PROBE* probe;
+    /* opaque pointer ; used to pass list of regex to regex probe, or TLSProtocol struct to sni/alpn probe */
+    void* data;
+    struct proto *next; /* pointer to next protocol in list, NULL if last */
+};
+
+/* Returns a pointer to the array of builtin protocols */
+struct proto * get_builtins(void);
+
+/* Returns the number of builtin protocols */
+int get_num_builtins(void);
+
+/* Returns the probe for specified protocol */
+T_PROBE* get_probe(const char* description);
+
+/* Returns the head of the configured protocols */
+struct proto* get_first_protocol(void);
+
+/* Set the list of configured protocols */
+void set_protocol_list(struct proto*);
+
+/* probe_client_protocol
+ *
+ * Read the beginning of data coming from the client connection and check if
+ * it's a known protocol. Then leave the data on the deferred
+ * write buffer of the connection and returns a pointer to the protocol
+ * structure
+ */
+int probe_client_protocol(struct connection *cnx);
+
+/* set the protocol to connect to in case of timeout */
+void set_ontimeout(const char* name);
+
+/* timeout_protocol
+ *
+ * Returns the protocol to connect to in case of timeout
+ */
+struct proto* timeout_protocol(void);
+
+void hexdump(const char*, unsigned int);
+
+#endif

scripts/etc.init.d.sslh

@@ -0,0 +1,59 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides:		sslh
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:	2 3 4 5
+# Default-Stop:		1
+# Short-Description:	sslh proxy ssl & ssh connections
+### END INIT INFO
+
+set -e
+tag=sslh
+facility=user.info
+
+# /etc/init.d/sslh: start and stop the sslh proxy daemon
+
+if test -f /etc/default/sslh; then
+    . /etc/default/sslh
+fi
+
+# The prefix is normally filled by make install. If
+# installing by hand, fill it in yourself!
+PREFIX=
+DAEMON=$PREFIX/sbin/sslh 
+
+start()
+{
+        echo "Start services: sslh"
+        $DAEMON -F/etc/sslh.cfg
+        logger -t ${tag} -p ${facility} -i 'Started sslh'
+}
+
+stop()
+{
+        echo "Stop services: sslh"
+	killall $DAEMON
+      	logger -t ${tag} -p ${facility} -i 'Stopped sslh'
+}
+
+
+case "$1" in
+	  start)
+		    start
+		    ;;
+	  stop)
+		    stop
+		    ;;
+    restart)
+		    stop
+		    sleep 5
+		    start
+		    ;;
+	  *)
+		    echo "Usage: /etc/init.d/sslh {start|stop|restart}" >&2
+		    ;;
+esac
+
+exit 0

scripts/etc.rc.d.init.d.sslh.centos

@@ -0,0 +1,75 @@
+#!/bin/bash
+#
+# sslh         Startup script for the SSL/SSH multiplexer
+#
+# chkconfig: - 13 87
+# description: Sslh accepts connections on specified ports, and forwards
+#              them further based on tests performed on the first data
+#              packet sent by the remote client.
+# processname: sslh
+# config: /etc/sslh.cfg
+# config: /etc/sysconfig/sslh
+# pidfile: /var/run/sslh/sslh.pid
+#
+# Authors:
+# Andre Krajnik akrajnik@gmail.com - 2010-03-20
+# Julien Thomas julthomas@free.fr - 2013-08-25
+
+# Source function library.
+. /etc/init.d/functions
+
+if [ -f /etc/sysconfig/sslh ]; then
+        . /etc/sysconfig/sslh
+fi
+
+PROGNAME=sslh
+SSLH=${SSLH:-/usr/sbin/sslh-select}
+SSLH_LANG=${SSLH_LANG:-C}
+CONFIG=${CONFIG:-/etc/sslh.cfg}
+PIDFILE=${PIDFILE:-/var/run/sslh/sslh.pid}
+LOCKFILE=${LOCKFILE:-/var/lock/subsys/sslh}
+STOP_TIMEOUT=${STOP_TIMEOUT:-10}
+RETVAL=0
+
+start() {
+    echo -n "Starting $PROGNAME: "
+    LANG=$SSLH_LANG daemon --pidfile="$PIDFILE" \
+                           ${SSLH_USER:+--user="${SSLH_USER}"} \
+                           "$SSLH" ${CONFIG:+-F "$CONFIG"} "$OPTIONS"
+    RETVAL=$?
+    echo
+    [ $RETVAL = 0 ] && touch "$LOCKFILE"
+    return $RETVAL
+}
+
+stop() {
+    echo -n "Stopping $PROGNAME: "
+    killproc -p "$PIDFILE" -d "$STOP_TIMEOUT" "$SSLH"
+    RETVAL=$?
+    echo
+    [ $RETVAL = 0 ] && rm -f "$LOCKFILE" "$PIDFILE"
+}
+
+# See how we were called.
+case "$1" in
+    start)
+        start
+        ;;
+    stop)
+        stop
+        ;;
+    status)
+        status -p "$PIDFILE" "$SSLH"
+        RETVAL=$?
+        ;;
+    restart)
+        stop
+        start
+        ;;
+    *)
+        echo "Usage: $PROGNAME {start|stop|status|restart}"
+        RETVAL=2
+        ;;
+esac
+
+exit $RETVAL

scripts/etc.sysconfig.sslh

@@ -0,0 +1,36 @@
+#
+# The default processing model uses select
+# A fork model is also available
+#
+#SSLH=/usr/sbin/sslh-select
+
+#
+# If transparent mode is enabled, the following
+# is needed in order to run as sslh user
+#
+#SSLH_USER=sslh
+#setcap cap_net_bind_service,cap_net_admin=+ep $SSLH
+
+#
+# Configuration file for sslh
+# Set empty to disable configuration file support
+#
+#CONFIG=/etc/sslh.cfg
+
+#
+# Extra option to pass on comand line
+# Those can supersede configuration file settings
+# 
+#OPTIONS=
+
+#
+# The sslh process is started by default with the C
+# locale, it can be changed here
+#
+#SSLH_LANG=C
+
+#
+# If an alternate location is specified in configuration
+# file, it needs to be reported here
+#
+#PIDFILE=/var/run/sslh/sslh.pid

scripts/fail2ban/jail.conf

@@ -0,0 +1,9 @@
+# Add the following to your fail2ban jail.conf
+# In Debian you'd append it to /etc/fail2ban/jail.local
+
+[sslh-ssh]
+enabled = true
+filter = sslh-ssh
+action = iptables-multiport[name=sslh,port="443"]
+logpath = /var/log/messages
+maxretry = 5

scripts/fail2ban/sslh-ssh.conf

@@ -0,0 +1,25 @@
+# Add the following to you fail2ban configuration file
+# In Debian it'd go in /etc/fail2ban/filter.d/sslh-ssh.conf
+
+
+# Fail2Ban filter for sslh demultiplexed ssh
+#
+# Doesn't (and cannot) detect auth errors,
+# but many connection attempts from the same
+# origin is reason enough to block.
+#
+# Verion: 2014-03-28
+
+[INCLUDES]
+
+# no includes
+
+[Definition]
+
+failregex = ^.+ sslh\[.+\]: connection from <HOST>:.+ to .+ forwarded
+from .+ to .+:ssh\s*$
+
+ignoreregex =
+
+# Author: Evert Mouw <post@evert.net>
+

scripts/systemd.sslh.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=SSL/SSH multiplexer
+After=network.target
+
+[Service]
+EnvironmentFile=/etc/conf.d/sslh
+ExecStart=/usr/bin/sslh --foreground $DAEMON_OPTS
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target

sslh-fork.c

@@ -0,0 +1,184 @@
+/*
+   sslh-fork: forking server
+
+# Copyright (C) 2007-2012  Yves Rutschle
+# 
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later
+# version.
+# 
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE.  See the GNU General Public License for more
+# details.
+# 
+# The full text for the General Public License is here:
+# http://www.gnu.org/licenses/gpl.html
+
+*/
+
+#include "common.h"
+#include "probe.h"
+
+const char* server_type = "sslh-fork";
+
+#define MAX(a, b)  (((a) > (b)) ? (a) : (b))
+
+/* shovels data from one fd to the other and vice-versa 
+   returns after one socket closed
+ */
+int shovel(struct connection *cnx)
+{
+   fd_set fds;
+   int res, i;
+   int max_fd = MAX(cnx->q[0].fd, cnx->q[1].fd) + 1;
+
+   FD_ZERO(&fds);
+   while (1) {
+      FD_SET(cnx->q[0].fd, &fds);
+      FD_SET(cnx->q[1].fd, &fds);
+
+      res = select(
+                   max_fd,
+                   &fds,
+                   NULL,
+                   NULL,
+                   NULL
+                  );
+      CHECK_RES_DIE(res, "select");
+
+      for (i = 0; i < 2; i++) {
+          if (FD_ISSET(cnx->q[i].fd, &fds)) {
+              res = fd2fd(&cnx->q[1-i], &cnx->q[i]);
+              if (!res) {
+                  if (verbose) 
+                      fprintf(stderr, "%s %s", i ? "client" : "server", "socket closed\n");
+                  return res;
+              }
+          }
+      }
+   }
+}
+
+/* Child process that finds out what to connect to and proxies 
+ */
+void start_shoveler(int in_socket)
+{
+   fd_set fds;
+   struct timeval tv;
+   int res = PROBE_AGAIN;
+   int out_socket;
+   struct connection cnx;
+
+   init_cnx(&cnx);
+   cnx.q[0].fd = in_socket;
+
+   FD_ZERO(&fds);
+   FD_SET(in_socket, &fds);
+   memset(&tv, 0, sizeof(tv));
+   tv.tv_sec = probing_timeout;
+
+   while (res == PROBE_AGAIN) {
+       /* POSIX does not guarantee that tv will be updated, but the client can
+        * only postpone the inevitable for so long */
+       res = select(in_socket + 1, &fds, NULL, NULL, &tv);
+       if (res == -1)
+           perror("select");
+
+       if (FD_ISSET(in_socket, &fds)) {
+           /* Received data: figure out what protocol it is */
+           res = probe_client_protocol(&cnx);
+       } else {
+           /* Timed out: it's necessarily SSH */
+           cnx.proto = timeout_protocol();
+           break;
+       }
+   }
+
+   if (cnx.proto->service &&
+       check_access_rights(in_socket, cnx.proto->service)) {
+       exit(0);
+   }
+
+   /* Connect the target socket */
+   out_socket = connect_addr(&cnx, in_socket);
+   CHECK_RES_DIE(out_socket, "connect");
+
+   cnx.q[1].fd = out_socket;
+
+   log_connection(&cnx);
+
+   flush_deferred(&cnx.q[1]);
+
+   shovel(&cnx);
+
+   close(in_socket);
+   close(out_socket);
+   
+   if (verbose)
+      fprintf(stderr, "connection closed down\n");
+
+   exit(0);
+}
+
+static int *listener_pid;
+static int listener_pid_number = 0;
+
+void stop_listeners(int sig)
+{
+    int i;
+
+    for (i = 0; i < listener_pid_number; i++) {
+        kill(listener_pid[i], sig);
+    }
+}
+
+void main_loop(int listen_sockets[], int num_addr_listen)
+{
+    int in_socket, i, res;
+    struct sigaction action;
+
+    listener_pid_number = num_addr_listen;
+    listener_pid = malloc(listener_pid_number * sizeof(listener_pid[0]));
+
+    /* Start one process for each listening address */
+    for (i = 0; i < num_addr_listen; i++) {
+        if (!(listener_pid[i] = fork())) {
+
+            /* Listening process just accepts a connection, forks, and goes
+             * back to listening */
+            while (1)
+            {
+                in_socket = accept(listen_sockets[i], 0, 0);
+                if (verbose) fprintf(stderr, "accepted fd %d\n", in_socket);
+
+                if (!fork())
+                {
+                    for (i = 0; i < num_addr_listen; ++i)
+                        close(listen_sockets[i]);
+                    start_shoveler(in_socket);
+                    exit(0);
+                }
+                close(in_socket);
+            }
+        }
+    }
+
+    /* Set SIGTERM to "stop_listeners" which further kills all listener
+     * processes. Note this won't kill processes that listeners forked, which
+     * means active connections remain active. */
+    memset(&action, 0, sizeof(action));
+    action.sa_handler = stop_listeners;
+    res = sigaction(SIGTERM, &action, NULL);
+    CHECK_RES_DIE(res, "sigaction");
+
+    wait(NULL);
+}
+
+/* The actual main is in common.c: it's the same for both version of
+ * the server
+ */
+

sslh-main.c

@@ -0,0 +1,618 @@
+/*
+# main: processing of config file, command line options and start the main
+# loop.
+#
+# Copyright (C) 2007-2014  Yves Rutschle
+# 
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later
+# version.
+# 
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE.  See the GNU General Public License for more
+# details.
+# 
+# The full text for the General Public License is here:
+# http://www.gnu.org/licenses/gpl.html
+
+*/
+
+#define _GNU_SOURCE
+#ifdef LIBCONFIG
+#include <libconfig.h>
+#endif
+#ifdef LIBPCRE
+#include <regex.h>
+#endif
+
+#include "common.h"
+#include "probe.h"
+
+const char* USAGE_STRING =
+"sslh " VERSION "\n" \
+"usage:\n" \
+"\tsslh  [-v] [-i] [-V] [-f] [-n] [--transparent] [-F <file>]\n"
+"\t[-t <timeout>] [-P <pidfile>] -u <username> -p <add> [-p <addr> ...] \n" \
+"%s\n\n" /* Dynamically built list of builtin protocols */  \
+"\t[--on-timeout <addr>]\n" \
+"-v: verbose\n" \
+"-V: version\n" \
+"-f: foreground\n" \
+"-n: numeric output\n" \
+"-u: specify under which user to run\n" \
+"--transparent: behave as a transparent proxy\n" \
+"-F: use configuration file\n" \
+"--on-timeout: connect to specified address upon timeout (default: ssh address)\n" \
+"-t: seconds to wait before connecting to --on-timeout address.\n" \
+"-p: address and port to listen on.\n    Can be used several times to bind to several addresses.\n" \
+"--[ssh,ssl,...]: where to connect connections from corresponding protocol.\n" \
+"-P: PID file.\n" \
+"-i: Run as a inetd service.\n" \
+"";
+
+/* Constants for options that have no one-character shorthand */
+#define OPT_ONTIMEOUT   257
+
+static struct option const_options[] = {
+    { "inetd",      no_argument,            &inetd,         1 },
+    { "foreground", no_argument,            &foreground,    1 },
+    { "background", no_argument,            &background,    1 },
+    { "transparent", no_argument,           &transparent,   1 },
+    { "numeric",    no_argument,            &numeric,       1 },
+    { "verbose",    no_argument,            &verbose,       1 },
+    { "user",       required_argument,      0,              'u' },
+    { "config",     optional_argument,      0,              'F' },
+    { "pidfile",    required_argument,      0,              'P' },
+    { "timeout",    required_argument,      0,              't' },
+    { "on-timeout", required_argument,      0,              OPT_ONTIMEOUT },
+    { "listen",     required_argument,      0,              'p' },
+    {}
+};
+static struct option* all_options;
+static struct proto* builtins;
+static const char *optstr = "vt:T:p:VP:F::";
+
+
+
+static void print_usage(void)
+{
+    struct proto *p;
+    int i;
+    int res;
+    char *prots = "";
+
+    p = get_builtins();
+    for (i = 0; i < get_num_builtins(); i++) {
+        res = asprintf(&prots, "%s\t[--%s <addr>]\n", prots, p[i].description);
+        CHECK_RES_DIE(res, "asprintf");
+    }
+
+    fprintf(stderr, USAGE_STRING, prots);
+}
+
+static void printcaps(void) {
+#ifdef LIBCAP
+    cap_t caps;
+    char* desc;
+    ssize_t len;
+
+    caps = cap_get_proc();
+
+    desc = cap_to_text(caps, &len);
+
+    fprintf(stderr, "capabilities: %s\n", desc);
+
+    cap_free(caps);
+    cap_free(desc);
+#endif
+}
+
+static void printsettings(void)
+{
+    char buf[NI_MAXHOST];
+    struct addrinfo *a;
+    struct proto *p;
+    
+    for (p = get_first_protocol(); p; p = p->next) {
+        fprintf(stderr,
+                "%s addr: %s. libwrap service: %s log_level: %d family %d %d\n", 
+                p->description, 
+                sprintaddr(buf, sizeof(buf), p->saddr), 
+                p->service,
+                p->log_level,
+                p->saddr->ai_family,
+                p->saddr->ai_addr->sa_family);
+    }
+    fprintf(stderr, "listening on:\n");
+    for (a = addr_listen; a; a = a->ai_next) {
+        fprintf(stderr, "\t%s\n", sprintaddr(buf, sizeof(buf), a));
+    }
+    fprintf(stderr, "timeout: %d\non-timeout: %s\n", probing_timeout,
+            timeout_protocol()->description);
+}
+
+
+/* Extract configuration on addresses and ports on which to listen.
+ * out: newly allocated list of addrinfo to listen to
+ */
+#ifdef LIBCONFIG
+static int config_listen(config_t *config, struct addrinfo **listen) 
+{
+    config_setting_t *setting, *addr;
+    int len, i;
+    const char *hostname, *port;
+
+    setting = config_lookup(config, "listen");
+    if (setting) {
+        len = config_setting_length(setting);
+        for (i = 0; i < len; i++) {
+            addr = config_setting_get_elem(setting, i);
+            if (! (config_setting_lookup_string(addr, "host", &hostname) &&
+                   config_setting_lookup_string(addr, "port", &port))) {
+                fprintf(stderr,
+                            "line %d:Incomplete specification (hostname and port required)\n",
+                            config_setting_source_line(addr));
+                return -1;
+            }
+
+            resolve_split_name(listen, hostname, port);
+
+            /* getaddrinfo returned a list of addresses corresponding to the
+             * specification; move the pointer to the end of that list before
+             * processing the next specification */
+            for (; *listen; listen = &((*listen)->ai_next));
+        }
+    }
+
+    return 0;
+}
+#endif
+
+
+
+#ifdef LIBCONFIG
+static void setup_regex_probe(struct proto *p, config_setting_t* probes)
+{
+#ifdef LIBPCRE
+    int num_probes, errsize, i, res;
+    char *err;
+    const char * expr;
+    regex_t** probe_list;
+
+    num_probes = config_setting_length(probes);
+    if (!num_probes) {
+        fprintf(stderr, "%s: no probes specified\n", p->description);
+        exit(1);
+    }
+
+    p->probe = get_probe("regex");
+    probe_list = calloc(num_probes + 1, sizeof(*probe_list));
+    p->data = (void*)probe_list;
+
+    for (i = 0; i < num_probes; i++) {
+        probe_list[i] = malloc(sizeof(*(probe_list[i])));
+        expr = config_setting_get_string_elem(probes, i);
+        res = regcomp(probe_list[i], expr, 0);
+        if (res) {
+            err = malloc(errsize = regerror(res, probe_list[i], NULL, 0));
+            regerror(res, probe_list[i], err, errsize);
+            fprintf(stderr, "%s:%s\n", expr, err);
+            free(err);
+            exit(1);
+        }
+    }
+#else
+    fprintf(stderr, "line %d: regex probe specified but not compiled in\n", config_setting_source_line(probes));
+    exit(5);
+#endif
+}
+#endif
+
+#ifdef LIBCONFIG
+static void setup_sni_alpn_list(struct proto *p, config_setting_t* config_items, const char* name, int alpn)
+{
+    int num_probes, i, max_server_name_len, server_name_len;
+    const char * config_item;
+    char** sni_hostname_list;
+
+    if(!config_items || !config_setting_is_array(config_items)) {
+        fprintf(stderr, "%s: no %s specified\n", p->description, name);
+        return;
+    }
+    num_probes = config_setting_length(config_items);
+    if (!num_probes) {
+        fprintf(stderr, "%s: no %s specified\n", p->description, name);
+        return;
+    }
+
+    max_server_name_len = 0;
+    for (i = 0; i < num_probes; i++) {
+        server_name_len = strlen(config_setting_get_string_elem(config_items, i));
+        if(server_name_len > max_server_name_len)
+            max_server_name_len = server_name_len;
+    }
+
+    sni_hostname_list = calloc(num_probes + 1, ++max_server_name_len);
+
+    for (i = 0; i < num_probes; i++) {
+        config_item = config_setting_get_string_elem(config_items, i);
+        sni_hostname_list[i] = malloc(max_server_name_len);
+        strcpy (sni_hostname_list[i], config_item);
+        if(verbose) fprintf(stderr, "%s: %s[%d]: %s\n", p->description, name, i, sni_hostname_list[i]);
+    }
+
+    p->data = (void*)tls_data_set_list(p->data, alpn, sni_hostname_list);
+}
+
+static void setup_sni_alpn(struct proto *p, config_setting_t* sni_hostnames, config_setting_t* alpn_protocols)
+{
+    p->data = (void*)new_tls_data();
+    p->probe = get_probe("sni_alpn");
+    setup_sni_alpn_list(p, sni_hostnames, "sni_hostnames", 0);
+    setup_sni_alpn_list(p, alpn_protocols, "alpn_protocols", 1);
+}
+#endif
+
+/* Extract configuration for protocols to connect to.
+ * out: newly-allocated list of protocols
+ */
+#ifdef LIBCONFIG
+static int config_protocols(config_t *config, struct proto **prots)
+{
+    config_setting_t *setting, *prot, *patterns, *sni_hostnames, *alpn_protocols;
+    const char *hostname, *port, *name;
+    int i, num_prots;
+    struct proto *p, *prev = NULL;
+
+    setting = config_lookup(config, "protocols");
+    if (setting) {
+        num_prots = config_setting_length(setting);
+        for (i = 0; i < num_prots; i++) {
+            p = calloc(1, sizeof(*p));
+            if (i == 0) *prots = p;
+            if (prev) prev->next = p;
+            prev = p;
+
+            prot = config_setting_get_elem(setting, i);
+            if ((config_setting_lookup_string(prot, "name", &name) &&
+                 config_setting_lookup_string(prot, "host", &hostname) &&
+                 config_setting_lookup_string(prot, "port", &port)
+                )) {
+                p->description = name;
+                config_setting_lookup_string(prot, "service", &(p->service));
+
+                if (config_setting_lookup_int(prot, "log_level", &p->log_level) == CONFIG_FALSE) {
+                    p->log_level = 1;
+                }
+
+                resolve_split_name(&(p->saddr), hostname, port);
+
+                p->probe = get_probe(name);
+                if (!p->probe || !strcmp(name, "sni_alpn")) {
+                    fprintf(stderr, "line %d: %s: probe unknown\n", config_setting_source_line(prot), name);
+                    exit(1);
+                }
+
+                /* Probe-specific options: regex patterns */
+                if (!strcmp(name, "regex")) {
+                    patterns = config_setting_get_member(prot, "regex_patterns");
+                    if (patterns && config_setting_is_array(patterns)) {
+                        setup_regex_probe(p, patterns);
+                    }
+                }
+
+                /* Probe-specific options: SNI/ALPN */
+                if (!strcmp(name, "tls")) {
+                    sni_hostnames = config_setting_get_member(prot, "sni_hostnames");
+                    alpn_protocols = config_setting_get_member(prot, "alpn_protocols");
+
+                    if((sni_hostnames && config_setting_is_array(sni_hostnames)) || (alpn_protocols && config_setting_is_array(alpn_protocols))) {
+                        setup_sni_alpn(p, sni_hostnames, alpn_protocols);
+                    }
+                }
+
+            }
+        }
+    }
+
+    return 0;
+}
+#endif
+
+/* Parses a config file
+ * in: *filename
+ * out: *listen, a newly-allocated linked list of listen addrinfo
+ *      *prots, a newly-allocated linked list of protocols
+ *      1 on error, 0 on success
+ */
+#ifdef LIBCONFIG
+static int config_parse(char *filename, struct addrinfo **listen, struct proto **prots)
+{
+    config_t config;
+    int timeout;
+    const char* str;
+
+    config_init(&config);
+    if (config_read_file(&config, filename) == CONFIG_FALSE) {
+        /* If it's a parse error then there will be a line number for the failure
+         * an I/O error (such as non-existent file) will have the error line as 0
+         */
+        if (config_error_line(&config) != 0) {
+            fprintf(stderr, "%s:%d:%s\n", 
+                    filename,
+                    config_error_line(&config),
+                    config_error_text(&config));
+            exit(1);
+        }
+        fprintf(stderr, "%s:%s\n", 
+                filename,
+                config_error_text(&config));
+        return 1;
+    }
+
+    config_lookup_bool(&config, "verbose", &verbose);
+    config_lookup_bool(&config, "inetd", &inetd);
+    config_lookup_bool(&config, "foreground", &foreground);
+    config_lookup_bool(&config, "numeric", &numeric);
+    config_lookup_bool(&config, "transparent", &transparent);
+
+    if (config_lookup_int(&config, "timeout", (int *)&timeout) == CONFIG_TRUE) {
+        probing_timeout = timeout;
+    }
+
+    if (config_lookup_string(&config, "on-timeout", &str)) {
+        set_ontimeout(str);
+    }
+
+    config_lookup_string(&config, "user", &user_name);
+    config_lookup_string(&config, "pidfile", &pid_file);
+
+    config_listen(&config, listen);
+    config_protocols(&config, prots);
+
+    return 0;
+}
+#endif
+
+/* Adds protocols to the list of options, so command-line parsing uses the
+ * protocol definition array 
+ * options: array of options to add to; must be big enough
+ * n_opts: number of options in *options before calling (i.e. where to append)
+ * prot: array of protocols
+ * n_prots: number of protocols in *prot
+ * */
+static void append_protocols(struct option *options, int n_opts, struct proto *prot , int n_prots)
+{
+    int o, p;
+
+    for (o = n_opts, p = 0; p < n_prots; o++, p++) {
+        options[o].name = prot[p].description;
+        options[o].has_arg = required_argument;
+        options[o].flag = 0;
+        options[o].val = p + PROT_SHIFT;
+    }
+}
+
+static void make_alloptions(void)
+{
+    builtins = get_builtins();
+
+    /* Create all_options, composed of const_options followed by one option per
+     * known protocol */
+    all_options = calloc(ARRAY_SIZE(const_options) + get_num_builtins(), sizeof(struct option));
+    memcpy(all_options, const_options, sizeof(const_options));
+    append_protocols(all_options, ARRAY_SIZE(const_options) - 1, builtins, get_num_builtins());
+}
+
+/* Performs a first scan of command line options to see if a configuration file
+ * is specified. If there is one, parse it now before all other options (so
+ * configuration file settings can be overridden from the command line).
+ *
+ * prots: newly-allocated list of configured protocols, if any.
+ */
+static void cmdline_config(int argc, char* argv[], struct proto** prots)
+{
+#ifdef LIBCONFIG
+    int c, res;
+    char *config_filename;
+#endif
+
+    make_alloptions();
+
+#ifdef LIBCONFIG
+    optind = 1;
+    opterr = 0; /* we're missing protocol options at this stage so don't output errors */
+    while ((c = getopt_long_only(argc, argv, optstr, all_options, NULL)) != -1) {
+        if (c == 'v') {
+            verbose++;
+        }
+        if (c == 'F') {
+            config_filename = optarg;
+            if (config_filename) {
+                res = config_parse(config_filename, &addr_listen, prots);
+            } else {
+                /* No configuration file specified -- try default file locations */
+                res = config_parse("/etc/sslh/sslh.cfg", &addr_listen, prots);
+                if (!res && verbose) fprintf(stderr, "Using /etc/sslh/sslh.cfg\n");
+                if (res) {
+                    res = config_parse("/etc/sslh.cfg", &addr_listen, prots);
+                    if (!res && verbose) fprintf(stderr, "Using /etc/sslh.cfg\n");
+                }
+            }
+            if (res)
+                exit(4);
+            break;
+        }
+    }
+#endif
+}
+
+
+/* Parse command-line options. prots points to a list of configured protocols,
+ * potentially non-allocated */
+static void parse_cmdline(int argc, char* argv[], struct proto* prots)
+{
+    int c;
+    struct addrinfo **a;
+    struct proto *p;
+
+    optind = 1;
+    opterr = 1;
+next_arg:
+    while ((c = getopt_long_only(argc, argv, optstr, all_options, NULL)) != -1) {
+        if (c == 0) continue;
+
+        if (c >= PROT_SHIFT) {
+            if (prots)
+                for (p = prots; p && p->next; p = p->next) {
+                    /* override if protocol was already defined by config file 
+                     * (note it only overrides address and use builtin probe) */
+                    if (!strcmp(p->description, builtins[c-PROT_SHIFT].description)) {
+                        resolve_name(&(p->saddr), optarg);
+                        p->probe = builtins[c-PROT_SHIFT].probe;
+                        goto next_arg;
+                    }
+                }
+            /* At this stage, it's a new protocol: add it to the end of the
+             * list */
+            if (!prots) {
+                /* No protocols yet -- create the list */
+                p = prots = calloc(1, sizeof(*p));
+            } else {
+                p->next = calloc(1, sizeof(*p));
+                p = p->next;
+            }
+            memcpy(p, &builtins[c-PROT_SHIFT], sizeof(*p));
+            resolve_name(&(p->saddr), optarg);
+            continue;
+        }
+
+        switch (c) {
+
+        case 'F':
+            /* Legal option, but do nothing, it was already processed in
+             * cmdline_config() */
+#ifndef LIBCONFIG
+            fprintf(stderr, "Built without libconfig support: configuration file not available.\n");
+            exit(1);
+#endif
+            break;
+
+        case 't':
+             probing_timeout = atoi(optarg);
+            break;
+
+        case OPT_ONTIMEOUT:
+            set_ontimeout(optarg);
+            break;
+
+        case 'p':
+            /* find the end of the listen list */
+            for (a = &addr_listen; *a; a = &((*a)->ai_next));
+            /* append the specified addresses */
+            resolve_name(a, optarg);
+            
+            break;
+
+        case 'V':
+            printf("%s %s\n", server_type, VERSION);
+            exit(0);
+
+        case 'u':
+            user_name = optarg;
+            break;
+
+        case 'P':
+            pid_file = optarg;
+            break;
+
+        case 'v':
+            verbose++;
+            break;
+
+        default:
+            print_usage();
+            exit(2);
+        }
+    }
+
+    if (!prots) {
+        fprintf(stderr, "At least one target protocol must be specified.\n");
+        exit(2);
+    }
+
+    set_protocol_list(prots);
+
+    if (!addr_listen && !inetd) {
+        fprintf(stderr, "No listening address specified; use at least one -p option\n");
+        exit(1);
+    }
+
+    /* Did command-line override foreground setting? */
+    if (background)
+        foreground = 0;
+
+}
+
+int main(int argc, char *argv[])
+{
+
+   extern char *optarg;
+   extern int optind;
+   int res, num_addr_listen;
+   struct proto* protocols = NULL;
+
+   int *listen_sockets;
+
+   /* Init defaults */
+   pid_file = NULL;
+   user_name = NULL;
+
+   cmdline_config(argc, argv, &protocols);
+   parse_cmdline(argc, argv, protocols);
+
+   if (inetd)
+   {
+       verbose = 0;
+       start_shoveler(0);
+       exit(0);
+   }
+
+   if (verbose)
+       printsettings();
+
+   num_addr_listen = start_listen_sockets(&listen_sockets, addr_listen);
+
+   if (!foreground) {
+       if (fork() > 0) exit(0); /* Detach */
+
+       /* New session -- become group leader */
+       if (getuid() == 0) {
+           res = setsid();
+           CHECK_RES_DIE(res, "setsid: already process leader");
+       }
+   }
+
+   setup_signals();
+
+   if (pid_file)
+       write_pid_file(pid_file);
+
+   if (user_name)
+       drop_privileges(user_name);
+
+
+   /* Open syslog connection */
+   setup_syslog(argv[0]);
+
+   if (verbose)
+       printcaps();
+
+   main_loop(listen_sockets, num_addr_listen);
+
+   return 0;
+}

sslh-select.c

@@ -0,0 +1,355 @@
+/*
+   sslh-select: mono-processus server
+
+# Copyright (C) 2007-2010  Yves Rutschle
+# 
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later
+# version.
+# 
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE.  See the GNU General Public License for more
+# details.
+# 
+# The full text for the General Public License is here:
+# http://www.gnu.org/licenses/gpl.html
+
+*/
+
+#define __LINUX__
+
+#include "common.h"
+#include "probe.h"
+
+const char* server_type = "sslh-select";
+
+/* cnx_num_alloc is the number of connection to allocate at once (at start-up,
+ * and then every time we get too many simultaneous connections: e.g. start
+ * with 100 slots, then if we get more than 100 connections allocate another
+ * 100 slots, and so on). We never free up connection structures. We try to
+ * allocate as many structures at once as will fit in one page (which is 102
+ * in sslh 1.9 on Linux on x86)
+ */
+static long cnx_num_alloc;
+
+/* Make the file descriptor non-block  */
+int set_nonblock(int fd)
+{
+    int flags;
+
+    flags = fcntl(fd, F_GETFL);
+    CHECK_RES_RETURN(flags, "fcntl");
+
+    flags |= O_NONBLOCK;
+
+    flags = fcntl(fd, F_SETFL, flags);
+    CHECK_RES_RETURN(flags, "fcntl");
+
+    return flags;
+}
+
+int tidy_connection(struct connection *cnx, fd_set *fds, fd_set *fds2)
+{
+    int i;
+
+    for (i = 0; i < 2; i++) {
+        if (cnx->q[i].fd != -1) {
+            if (verbose)
+                fprintf(stderr, "closing fd %d\n", cnx->q[i].fd);
+
+            close(cnx->q[i].fd);
+            FD_CLR(cnx->q[i].fd, fds);
+            FD_CLR(cnx->q[i].fd, fds2);
+            if (cnx->q[i].deferred_data)
+                free(cnx->q[i].deferred_data);
+        }
+    }
+    init_cnx(cnx);
+    return 0;
+}
+
+/* if fd becomes higher than FD_SETSIZE, things won't work so well with FD_SET
+ * and FD_CLR. Need to drop connections if we go above that limit */
+int fd_is_in_range(int fd) {
+    if (fd >= FD_SETSIZE) {
+        log_message(LOG_ERR, "too many open file descriptor to monitor them all -- dropping connection\n");
+        return 0;
+    }
+    return 1;
+}
+
+/* Accepts a connection from the main socket and assigns it to an empty slot.
+ * If no slots are available, allocate another few. If that fails, drop the
+ * connexion */
+int accept_new_connection(int listen_socket, struct connection *cnx[], int* cnx_size) 
+{
+    int in_socket, free, i, res;
+    struct connection *new;
+
+    in_socket = accept(listen_socket, 0, 0);
+    CHECK_RES_RETURN(in_socket, "accept");
+
+    if (!fd_is_in_range(in_socket))
+        return -1;
+
+    res = set_nonblock(in_socket);
+    if (res == -1) return -1;
+
+    /* Find an empty slot */
+    for (free = 0; (free < *cnx_size) && ((*cnx)[free].q[0].fd != -1); free++) {
+        /* nothing */
+    }
+    if (free >= *cnx_size)  {
+        if (verbose)
+            fprintf(stderr, "buying more slots from the slot machine.\n");
+        new = realloc(*cnx, (*cnx_size + cnx_num_alloc) * sizeof((*cnx)[0]));
+        if (!new) {
+            log_message(LOG_ERR, "unable to realloc -- dropping connection\n");
+            return -1;
+        }
+        *cnx = new;
+        *cnx_size += cnx_num_alloc;
+        for (i = free; i < *cnx_size; i++) {
+            init_cnx(&(*cnx)[i]); 
+        }
+    }
+    (*cnx)[free].q[0].fd = in_socket;
+    (*cnx)[free].state = ST_PROBING;
+    (*cnx)[free].probe_timeout = time(NULL) + probing_timeout;
+
+    if (verbose) 
+        fprintf(stderr, "accepted fd %d on slot %d\n", in_socket, free);
+
+    return in_socket;
+}
+
+
+/* Connect queue 1 of connection to SSL; returns new file descriptor */
+int connect_queue(struct connection *cnx, fd_set *fds_r, fd_set *fds_w)
+{
+    struct queue *q = &cnx->q[1];
+
+    q->fd = connect_addr(cnx, cnx->q[0].fd);
+    if ((q->fd != -1) && fd_is_in_range(q->fd)) {
+        log_connection(cnx);
+        set_nonblock(q->fd);
+        flush_deferred(q);
+        if (q->deferred_data) {
+            FD_SET(q->fd, fds_w);
+        } else {
+            FD_SET(q->fd, fds_r);
+        }
+        return q->fd;
+    } else {
+        tidy_connection(cnx, fds_r, fds_w);
+        return -1;
+    }
+}
+
+/* shovels data from active fd to the other
+   returns after one socket closed or operation would block
+ */
+void shovel(struct connection *cnx, int active_fd, 
+            fd_set *fds_r, fd_set *fds_w)
+{
+    struct queue *read_q, *write_q;
+
+    read_q = &cnx->q[active_fd];
+    write_q = &cnx->q[1-active_fd];
+
+    if (verbose)
+        fprintf(stderr, "activity on fd%d\n", read_q->fd);
+
+    switch(fd2fd(write_q, read_q)) {
+    case -1:
+    case FD_CNXCLOSED:
+        tidy_connection(cnx, fds_r, fds_w);
+        break;
+
+    case FD_STALLED:
+        FD_SET(write_q->fd, fds_w);
+        FD_CLR(read_q->fd, fds_r);
+        break;
+
+    default: /* Nothing */
+        break;
+    }
+}
+
+/* returns true if specified fd is initialised and present in fd_set */
+int is_fd_active(int fd, fd_set* set)
+{
+    if (fd == -1) return 0;
+    return FD_ISSET(fd, set);
+}
+
+/* Main loop: the idea is as follow:
+ * - fds_r and fds_w contain the file descriptors to monitor in read and write
+ * - When a file descriptor goes off, process it: read from it, write the data
+ * to its corresponding pair.
+ * - When a file descriptor blocks when writing, remove the read fd from fds_r,
+ * move the data to a deferred buffer, and add the write fd to fds_w. Defered
+ * buffer is allocated dynamically.
+ * - When we can write to a file descriptor that has deferred data, we try to
+ * write as much as we can. Once all data is written, remove the fd from fds_w
+ * and add its corresponding pair to fds_r, free the buffer.
+ *
+ * That way, each pair of file descriptor (read from one, write to the other)
+ * is monitored either for read or for write, but never for both.
+ */
+void main_loop(int listen_sockets[], int num_addr_listen)
+{
+    fd_set fds_r, fds_w;  /* reference fd sets (used to init the next 2) */
+    fd_set readfds, writefds; /* working read and write fd sets */
+    struct timeval tv;
+    int max_fd, in_socket, i, j, res;
+    struct connection *cnx;
+    int num_cnx;  /* Number of connections in *cnx */
+    int num_probing = 0; /* Number of connections currently probing 
+                          * We use this to know if we need to time out of
+                          * select() */
+
+    FD_ZERO(&fds_r);
+    FD_ZERO(&fds_w);
+
+    for (i = 0; i < num_addr_listen; i++) {
+        FD_SET(listen_sockets[i], &fds_r); 
+        set_nonblock(listen_sockets[i]);
+    }
+    max_fd = listen_sockets[num_addr_listen-1] + 1;
+
+    cnx_num_alloc = getpagesize() / sizeof(struct connection);
+
+    num_cnx = cnx_num_alloc; /* Start with a set pool of slots */
+    cnx = malloc(num_cnx * sizeof(struct connection));
+    for (i = 0; i < num_cnx; i++)
+        init_cnx(&cnx[i]);
+
+    while (1)
+    {
+        memset(&tv, 0, sizeof(tv));
+        tv.tv_sec = probing_timeout;
+
+        memcpy(&readfds, &fds_r, sizeof(readfds));
+        memcpy(&writefds, &fds_w, sizeof(writefds));
+
+        if (verbose)
+            fprintf(stderr, "selecting... max_fd=%d num_probing=%d\n", max_fd, num_probing);
+        res = select(max_fd, &readfds, &writefds, NULL, num_probing ? &tv : NULL);
+        if (res < 0)
+            perror("select");
+
+
+        /* Check main socket for new connections */
+        for (i = 0; i < num_addr_listen; i++) {
+            if (FD_ISSET(listen_sockets[i], &readfds)) {
+                in_socket = accept_new_connection(listen_sockets[i], &cnx, &num_cnx);
+                if (in_socket != -1)
+                    num_probing++;
+
+                if (in_socket > 0) {
+                    FD_SET(in_socket, &fds_r);
+                    if (in_socket >= max_fd)
+                        max_fd = in_socket + 1;;
+                }
+                FD_CLR(listen_sockets[i], &readfds);
+            }
+        }
+
+        /* Check all sockets for write activity */
+        for (i = 0; i < num_cnx; i++) {
+            if (cnx[i].q[0].fd != -1) {
+                for (j = 0; j < 2; j++) {
+                    if (is_fd_active(cnx[i].q[j].fd, &writefds)) {
+                        res = flush_deferred(&cnx[i].q[j]);
+                        if ((res == -1) && ((errno == EPIPE) || (errno == ECONNRESET))) {
+                            if (cnx[i].state == ST_PROBING) num_probing--;
+                            tidy_connection(&cnx[i], &fds_r, &fds_w);
+                            if (verbose)
+                                fprintf(stderr, "closed slot %d\n", i);
+                        } else {
+                            /* If no deferred data is left, stop monitoring the fd 
+                             * for write, and restart monitoring the other one for reads*/
+                            if (!cnx[i].q[j].deferred_data_size) {
+                                FD_CLR(cnx[i].q[j].fd, &fds_w);
+                                FD_SET(cnx[i].q[1-j].fd, &fds_r);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        /* Check all sockets for read activity */
+        for (i = 0; i < num_cnx; i++) {
+            for (j = 0; j < 2; j++) {
+                if (is_fd_active(cnx[i].q[j].fd, &readfds) || 
+                    ((cnx[i].state == ST_PROBING) && (cnx[i].probe_timeout < time(NULL)))) {
+                    if (verbose)
+                        fprintf(stderr, "processing fd%d slot %d\n", j, i);
+
+                    switch (cnx[i].state) {
+
+                    case ST_PROBING:
+                        if (j == 1) {
+                            fprintf(stderr, "Activity on fd2 while probing, impossible\n");
+                            dump_connection(&cnx[i]);
+                            exit(1);
+                        }
+
+                        /* If timed out it's SSH, otherwise the client sent
+                         * data so probe the protocol */
+                        if ((cnx[i].probe_timeout < time(NULL))) {
+                            cnx[i].proto = timeout_protocol();
+                        } else {
+                            res = probe_client_protocol(&cnx[i]);
+                            if (res == PROBE_AGAIN)
+                                continue;
+                        }
+
+                        num_probing--;
+                        cnx[i].state = ST_SHOVELING;
+
+                        /* libwrap check if required for this protocol */
+                        if (cnx[i].proto->service &&
+                            check_access_rights(in_socket, cnx[i].proto->service)) {
+                            tidy_connection(&cnx[i], &fds_r, &fds_w);
+                            res = -1;
+                        } else {
+                            res = connect_queue(&cnx[i], &fds_r, &fds_w);
+                        }
+
+                        if (res >= max_fd)
+                            max_fd = res + 1;;
+                        break;
+
+                    case ST_SHOVELING:
+                        shovel(&cnx[i], j, &fds_r, &fds_w);
+                        break;
+
+                    default: /* illegal */
+                        log_message(LOG_ERR, "Illegal connection state %d\n", cnx[i].state);
+                        exit(1);
+                    }
+                }
+            }
+        }
+    }
+}
+
+
+void start_shoveler(int listen_socket) {
+    fprintf(stderr, "inetd mode is not supported in select mode\n");
+    exit(1);
+}
+
+
+/* The actual main is in common.c: it's the same for both version of
+ * the server
+ */
+
+

sslh.c

@@ -1,371 +0,0 @@
-/*
-   Reimplementation of sslh in C
-
-# Copyright (C) 2007  Yves Rutschle
-# 
-# This program is free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License as published by the Free Software Foundation; either
-# version 2 of the License, or (at your option) any later
-# version.
-# 
-# This program is distributed in the hope that it will be
-# useful, but WITHOUT ANY WARRANTY; without even the implied
-# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-# PURPOSE.  See the GNU General Public License for more
-# details.
-# 
-# The full text for the General Public License is here:
-# http://www.gnu.org/licenses/gpl.html
-
-Comments? questions? sslh@rutschle.net
-
-Compilation instructions:
-
-Solaris:
-  cc -o sslh sslh.c -lresolv -lsocket -lnsl
-
-LynxOS:
-  gcc -o tcproxy tcproxy.c -lnetinet
-
-*/
-
-#define VERSION "1.0"
-
-#include <sys/types.h>
-#include <fcntl.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <signal.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <pwd.h>
-
-#define CHECK_RES_DIE(res, str) \
-if (res == -1) {    \
-   perror(str);     \
-   exit(1);         \
-}
-
-#define USAGE_STRING "usage:\n\tsslh [-t <timeout>] -u <username> -p <listenport> -s [sshhost:]port -l [sslhost:]port [-v]\n"
-
-
-/* Starts a listening socket on specified port.
-   Returns file descriptor
-   */
-int start_listen_socket(int port)
-{
-   struct sockaddr_in saddr;
-   int sockfd, res, reuse;
-
-   sockfd = socket(AF_INET, SOCK_STREAM, 0);
-   CHECK_RES_DIE(sockfd, "socket");
-
-   reuse = 1;
-   res = setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (char*)&reuse, sizeof(reuse));
-   CHECK_RES_DIE(res, "setsockopt");
-
-   memset(&saddr, 0, sizeof(saddr));
-   saddr.sin_port = htons(port);
-
-   res = bind (sockfd, (struct sockaddr*)&saddr, sizeof(saddr));
-   CHECK_RES_DIE(res, "bind");
-
-   res = listen (sockfd, 5);
-   CHECK_RES_DIE(res, "listen");
-
-   return sockfd;
-}
-
-
-/* 
- * moves data from one fd to other
- * returns 0 if incoming socket closed, size moved otherwise
- */
-int fd2fd(int target, int from)
-{
-   char buffer[BUFSIZ];
-   int size;
-
-   size = read(from, buffer, sizeof(buffer));
-   CHECK_RES_DIE(size, "read");
-
-   if (size == 0)
-      return 0;
-
-   size = write(target, buffer, size);
-   CHECK_RES_DIE(size, "write");
-
-   return size;
-}
-
-/* shovels data from one fd to the other and vice-versa 
-   returns after one socket closed
- */
-int shovel(int fd1, int fd2)
-{
-   fd_set fds;
-   int res;
-
-   FD_ZERO(&fds);
-   while (1) {
-      FD_SET(fd1, &fds);
-      FD_SET(fd2, &fds);
-
-      res = select( 
-                      (fd1 > fd2 ? fd1 : fd2 ) + 1,
-                      &fds,
-                      NULL,
-                      NULL,
-                      NULL
-            );
-      CHECK_RES_DIE(res, "select");
-
-      if (FD_ISSET(fd1, &fds)) {
-         res = fd2fd(fd2, fd1);
-         if (!res) {
-            printf("client socket closed\n");
-            return res;
-         }
-      }
-
-      if (FD_ISSET(fd2, &fds)) {
-         res = fd2fd(fd1, fd2);
-         if (!res) {
-            printf("server socket closed\n");
-            return res;
-         }
-      }
-   }
-}
-
-/* returns a static string that prints the IP and port of the sockaddr */
-char* get_addr(struct sockaddr* s)
-{
-   char addr_str[1024];
-   static char addr_name[1024];
-
-   inet_ntop(AF_INET, &((struct sockaddr_in*)s)->sin_addr, addr_str, sizeof(addr_str));
-   snprintf(addr_name, sizeof(addr_name), "%s:%d", addr_str,ntohs(((struct sockaddr_in*)s)->sin_port));
-   return addr_name;
-}
-
-/* turns a "hostname:port" string into a struct sockaddr;
-sock: socket address to which to copy the addr
-fullname: input string -- it gets clobbered
-serv: default service/port
-(defaults don't work yet)
-*/
-int resolve_name(struct sockaddr *sock, char* fullname, int port) {
-   struct addrinfo *addr, hint;
-   char *serv, *host;
-   int res;
-
-   char *sep = strchr(fullname, ':');
-
-   if (!sep) /* No separator: parameter is just a port */
-   {
-      serv = fullname;
-      fprintf(stderr, "names must be fully specified as hostname:port for the moment\n");
-      exit(1);
-   }
-   else {
-      host = fullname;
-      serv = sep+1;
-      *sep = 0;
-   }
-
-   memset(&hint, 0, sizeof(hint));
-   hint.ai_family = PF_INET;
-   hint.ai_socktype = SOCK_STREAM;
-
-   res = getaddrinfo(host, serv, &hint, &addr);
-   if (res) {
-      fprintf(stderr, "%s\n", gai_strerror(res));
-      if (res == EAI_SERVICE)
-         fprintf(stderr, "(Check you have specified all ports)\n");
-      exit(1);
-   }
-
-   memcpy(sock, addr->ai_addr, sizeof(*sock));
-}
-
-/* 
- * Settings that depend on the command line.
- * They're set in main(), but also used in start_shoveler(), and it'd be heavy-handed
- * to pass it all as parameters
- */
-int verbose = 0;
-int timeout = 2;
-int listen_port = 443;
-struct sockaddr addr_ssl, addr_ssh;
-
-
-/* Child process that finds out what to connect to and proxies 
- */
-void start_shoveler(int in_socket)
-{
-   fd_set fds;
-   struct timeval tv;
-   struct sockaddr *saddr;
-   int res;
-   int out_socket;
-
-   FD_ZERO(&fds);
-   FD_SET(in_socket, &fds);
-   memset(&tv, 0, sizeof(tv));
-   tv.tv_sec = timeout;
-   res = select(in_socket + 1, &fds, NULL, NULL, &tv);
-   if (res == -1)
-      perror("select");
-
-   /* Pick the target address depending on whether we timed out or not */
-   if (FD_ISSET(in_socket, &fds)) {
-      /* The client wrote something to the socket: it's an SSL connection */
-      saddr = &addr_ssl;
-      if (verbose)
-         fprintf(stderr, "Forwarding to SSL\n");
-   } else {
-      /* The client hasn't written anything and we timed out: connect to SSH */
-      saddr = &addr_ssh;
-      if (verbose)
-         fprintf(stderr, "Forwarding to SSH\n");
-   }
-
-   /* Connect the target socket */
-   out_socket = socket(AF_INET, SOCK_STREAM, 0);
-   res = connect(out_socket, saddr, sizeof(addr_ssl));
-   CHECK_RES_DIE(res, "connect");
-   if (verbose)
-      fprintf(stderr, "connected to something\n");
-
-   shovel(in_socket, out_socket);
-
-   close(in_socket);
-   close(out_socket);
-   
-   if (verbose)
-      fprintf(stderr, "connection closed down\n");
-
-   exit(0);
-}
-
-/* SIGCHLD handling:
- * we need to reap our children
- */
-void child_handler(int signo)
-{
-    signal(SIGCHLD, &child_handler);
-    wait(NULL);
-}
-void setup_signals(void)
-{
-    int res;
-
-    res = (int)signal(SIGCHLD, &child_handler);
-    CHECK_RES_DIE(res, "signal");
-}
-
-
-/* We don't want to run as root -- drop priviledges if required */
-void drop_privileges(char* user_name)
-{
-    int res;
-    struct passwd *pw = getpwnam(user_name);
-    if (!pw) {
-        fprintf(stderr, "%s: not found\n", user_name);
-        exit(1);
-    }
-    if (verbose)
-        fprintf(stderr, "turning into %s\n", user_name);
-
-    res = setgid(pw->pw_gid);
-    CHECK_RES_DIE(res, "setgid");
-    setuid(pw->pw_uid);
-    CHECK_RES_DIE(res, "setuid");
-}
-
-int main(int argc, char *argv[])
-{
-
-   extern char *optarg;
-   extern int optind;
-   int c, res;
-
-   int in_socket, out_socket, listen_socket;
-
-   /* Init defaults */
-   char *user_name = "nobody";
-   char ssl_str[] = "localhost:443"; /* need to copy -- Linux doesn't let write to BSS? */
-   char ssh_str[] = "localhost:22";
-   resolve_name(&addr_ssl, ssl_str, 443);
-   resolve_name(&addr_ssh, ssh_str, 22);
-
-   while ((c = getopt(argc, argv, "t:l:s:p:vu:")) != EOF) {
-      switch (c) {
-
-              case 't':
-                      timeout = atoi(optarg);
-                      break;
-
-              case 'p':
-                      listen_port = atoi(optarg);
-                      break;
-
-              case 'l':
-                      resolve_name(&addr_ssl, optarg, 443);
-                      break;
-
-              case 's':
-                      resolve_name(&addr_ssh, optarg, 22);
-                      break;
-
-              case 'v':
-                      verbose += 1;
-                      break;
-
-              case 'u':
-                      user_name = optarg;
-                      break;
-
-              default:
-                      fprintf(stderr, USAGE_STRING);
-                      exit(2);
-      }
-   }
-
-   if (verbose) {
-      fprintf(stderr, "SSL addr: %s (after timeout %ds)\n", get_addr(&addr_ssl), timeout);
-      fprintf(stderr, "SSH addr: %s\n", get_addr(&addr_ssh));
-      fprintf(stderr, "listening on port %d\n", listen_port);
-   }
-
-
-   setup_signals();
-
-   listen_socket = start_listen_socket(listen_port);
-
-   drop_privileges(user_name);
-
-   /* Main server loop: accept connections, find what they are, fork shovelers */
-   while (1)
-   {
-      in_socket = accept(listen_socket, 0, 0);
-      fprintf(stderr, "accepted fd %d\n", in_socket);
-
-      if (!fork())
-      {
-         start_shoveler(in_socket);
-         exit(0);
-      }
-      close(in_socket);
-   }
-
-   return 0;
-}
-
-

sslh.pod

@@ -0,0 +1,235 @@
+# I'm just not gonna write troff :-)
+
+=head1 NAME
+
+ sslh - protocol demultiplexer
+
+=head1 SYNOPSIS
+
+sslh [B<-F> I<config file>] [ B<-t> I<num> ] [B<--transparent>] [B<-p> I<listening address> [B<-p> I<listening address> ...] [B<--ssl> I<target address for SSL>] [B<--ssh> I<target address for SSH>] [B<--openvpn> I<target address for OpenVPN>] [B<--http> I<target address for HTTP>] [B<--anyprot> I<default target address>] [B<--on-timeout> I<protocol name>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-i] [-V] [-f] [-n]
+
+=head1 DESCRIPTION
+
+B<sslh> accepts connections on specified ports, and forwards
+them further based on tests performed on the first data
+packet sent by the remote client.
+
+Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are
+implemented, and any other protocol that can be tested using
+a regular expression, can be recognised. A typical use case
+is to allow serving several services on port 443 (e.g. to
+connect to ssh from inside a corporate firewall, which
+almost never block port 443) while still serving HTTPS on
+that port. 
+
+Hence B<sslh> acts as a protocol demultiplexer, or a
+switchboard. Its name comes from its original function to
+serve SSH and HTTPS on the same port.
+
+=head2 Libwrap support
+
+One drawback of B<sslh> is that the servers do not see the
+original IP address of the client anymore, as the connection
+is forwarded through B<sslh>.
+
+For this reason, B<sslh> can be compiled with B<libwrap> to
+check accesses defined in F</etc/hosts.allow> and
+F</etc/hosts.deny>.  Libwrap services can be defined using
+the configuration file.
+
+=head2 Configuration file
+
+A configuration file can be supplied to B<sslh>. Command
+line arguments override file settings. B<sslh> uses
+B<libconfig> to parse the configuration file, so the general
+file format is indicated in
+L<http://www.hyperrealm.com/libconfig/libconfig_manual.html>.
+Please refer to the example configuration file provided with
+B<sslh> for the specific format (Options have the same names
+as on the command line, except for the list of listen ports
+and the list of protocols).
+
+The configuration file makes it possible to specify
+protocols using regular expressions: a list of regular
+expressions is given as the I<regex_patterns> parameter, and if the
+first packet received from the client matches any of these
+expressions, B<sslh> connects to that protocol.
+
+=head2 Probing protocols
+
+When receiving an incoming connection, B<sslh> will read the
+first bytes sent be the connecting client. It will then
+probe for the protocol in the order specified on the command
+line (or the configuration file). Therefore B<--anyprot>
+should alway be used last, as it always succeeds and further
+protocols will never be tried.
+
+If no data is sent by the client, B<sslh> will eventually
+time out and connect to the protocol specified with
+B<--on-timeout>, or I<ssh> if none is specified.
+
+=head2 Logging
+
+As a security/authorization program, B<sslh> logs to the
+LOG_AUTH facility, with priority LOG_INFO for normal
+connections and LOG_ERR for failures.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-F> I<filename>, B<--config> I<filename>
+
+Uses I<filename> has configuration file. If other
+command-line options are specified, they will override the
+configuration file's settings.
+
+=item B<-t> I<num>, B<--timeout> I<num>
+
+Timeout before forwarding the connection to the timeout
+protocol (which should usually be SSH). Default is 2s.
+
+=item B<--on-timeout> I<protocol name>
+
+Name of the protocol to connect to after the timeout period
+is over. Default is 'ssh'.
+
+=item B<--transparent>
+
+Makes B<sslh> behave as a transparent proxy, i.e. the
+receiving service sees the original client's IP address.
+This works on Linux only and involves B<iptables> settings.
+Refer to the README for more information.
+
+=item B<-p> I<listening address>, B<--listen> I<listening address>
+
+Interface and port on which to listen, e.g. I<foobar:443>,
+where I<foobar> is the name of an interface (typically the
+IP address on which the Internet connection ends up).
+
+This can be specified several times to bind B<sslh> to
+several addresses.
+
+=item B<--ssl> I<target address>
+
+=item B<--tls> I<target address>
+
+Interface and port on which to forward SSL connection,
+typically I<localhost:443>.
+
+Note that you can set B<sslh> to listen on I<ext_ip:443> and
+B<httpd> to listen on I<localhost:443>: this allows clients
+inside your network to just connect directly to B<httpd>.
+
+Also, B<sslh> probes for SSLv3 (or TLSv1) handshake and will
+reject connections from clients requesting SSLv2. This is
+compliant to RFC6176 which prohibits the usage of SSLv2. If
+you wish to accept SSLv2, use B<--default> instead.
+
+=item B<--ssh> I<target address>
+
+Interface and port on which to forward SSH connections,
+typically I<localhost:22>.
+
+=item B<--openvpn> I<target address>
+
+Interface and port on which to forward OpenVPN connections,
+typically I<localhost:1194>.
+
+=item B<--xmpp> I<target address>
+
+Interface and port on which to forward XMPP connections,
+typically I<localhost:5222>.
+
+=item B<--http> I<target address>
+
+Interface and port on which to forward HTTP connections,
+typically I<localhost:80>.
+
+=item B<--tinc> I<target address>
+
+Interface and port on which to forward tinc connections,
+typically I<localhost:655>.
+
+This is experimental. If you use this feature, please report
+the results (even if it works!)
+
+=item B<--anyprot> I<target address>
+
+Interface and port on which to forward if no other protocol
+has been found. Because B<sslh> tries protocols in the order
+specified on the command line, this should be specified
+last. If no default is specified, B<sslh> will forward
+unknown protocols to the first protocol specified.
+
+=item B<-v>, B<--verbose>
+
+Increase verboseness.
+
+=item B<-n>, B<--numeric>
+
+Do not attempt to resolve hostnames: logs will contain IP
+addresses. This is mostly useful if the system's DNS is slow
+and running the I<sslh-select> variant, as DNS requests will
+hang all connections.
+
+=item B<-V>
+
+Prints B<sslh> version.
+
+=item B<-u> I<username>, B<--user> I<username>
+
+Requires to run under the specified username. 
+
+=item B<-P> I<pidfile>, B<--pidfile> I<pidfile>
+
+Specifies a file in which to write the PID of the main
+server.
+
+=item B<-i>, B<--inetd>
+
+Runs as an I<inetd> server. Options B<-P> (PID file), B<-p>
+(listen address), B<-u> (user) are ignored.
+
+=item B<-f>, B<--foreground>
+
+Runs in foreground. The server will not fork and will remain connected
+to the terminal. Messages normally sent to B<syslog> will also be sent
+to I<stderr>.
+
+=item B<--background>
+
+Runs in background. This overrides B<foreground> if set in
+the configuration file (or on the command line, but there is
+no point setting both on the command line unless you have a
+personality disorder).
+
+=back
+
+=head1 FILES
+
+=over 4
+
+=item F</etc/init.d/sslh>
+
+Start-up script. The standard actions B<start>, B<stop> and
+B<restart> are supported.
+
+=item F</etc/default/sslh>
+
+Server configuration. These are environment variables
+loaded by the start-up script and passed to B<sslh> as
+command-line arguments. Refer to the OPTIONS section for a
+detailed explanation of the variables used by B<sslh>.
+
+=back
+
+=head1 SEE ALSO
+
+Last version available from
+L<http://www.rutschle.net/tech/sslh>, and can be tracked
+from L<http://freecode.com/projects/sslh>.
+
+=head1 AUTHOR
+
+Written by Yves Rutschle

t

@@ -0,0 +1,317 @@
+#! /usr/bin/perl -w
+
+# Test script for sslh
+
+use strict;
+use IO::Socket::INET6;
+use Test::More qw/no_plan/;
+
+# We use ports 9000, 9001 and 9002 -- hope that won't clash
+# with anything...
+my $ssh_address = "ip6-localhost:9000";
+my $ssl_address = "ip6-localhost:9001";
+my $sslh_port = 9002;
+my $no_listen = 9003;  # Port on which no-one listens
+my $pidfile = "/tmp/sslh_test.pid";
+
+# Which tests do we run
+my $SSL_CNX =           1;
+my $SSH_SHY_CNX =       1;
+my $SSH_BOLD_CNX =      1;
+my $SSH_PROBE_AGAIN =   1;
+my $SSL_MIX_SSH =       1;
+my $SSH_MIX_SSL =       1;
+my $BIG_MSG =           0; # This test is unreliable
+my $STALL_CNX =         0; # This test needs fixing
+
+# Robustness tests. These are mostly to achieve full test
+# coverage, but do not necessarily result in an actual test
+# (e.g. some tests need to be run with valgrind to check all
+# memory management code).
+my $RB_CNX_NOSERVER =           1;
+my $RB_PARAM_NOHOST =           1;
+my $RB_WRONG_USERNAME =         1;
+my $RB_OPEN_PID_FILE =          1;
+my $RB_BIND_ADDRESS =           1;
+my $RB_RESOLVE_ADDRESS =        1;
+
+`lcov --directory . --zerocounters`;
+
+
+my ($ssh_pid, $ssl_pid);
+
+if (!($ssh_pid = fork)) {
+    exec "./echosrv --listen $ssh_address --prefix 'ssh: '";
+}
+
+if (!($ssl_pid = fork)) {
+    exec "./echosrv --listen $ssl_address --prefix 'ssl: '";
+}
+
+my @binaries = ('sslh-select', 'sslh-fork');
+for my $binary (@binaries) {
+    warn "Testing $binary\n";
+
+# Start sslh with the right plumbing
+    my $sslh_pid;
+    if (!($sslh_pid = fork)) {
+        my $user = (getpwuid $<)[0]; # Run under current username
+        my $cmd = "./$binary -v -f -u $user --listen localhost:$sslh_port --ssh $ssh_address --ssl $ssl_address -P $pidfile";
+        warn "$cmd\n";
+        #exec $cmd;
+        exec "valgrind --leak-check=full ./$binary -v -f -u $user --listen localhost:$sslh_port --ssh $ssh_address -ssl $ssl_address -P $pidfile";
+        exit 0;
+    }
+    warn "spawned $sslh_pid\n";
+    sleep 5;  # valgrind can be heavy -- wait 5 seconds
+
+
+    my $test_data = "hello world\n";
+#    my $ssl_test_data = (pack 'n', ((length $test_data) + 2)) .  $test_data;
+    my $ssl_test_data = "\x16\x03\x03$test_data\n";
+
+# Test: SSL connection
+    if ($SSL_CNX) {
+        print "***Test: SSL connection\n";
+        my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+        warn "$!\n" unless $cnx_l;
+        if (defined $cnx_l) {
+            print $cnx_l $ssl_test_data;
+            my $data;
+            my $n = sysread $cnx_l, $data, 1024;
+            is($data, "ssl: $ssl_test_data", "SSL connection");
+        }
+    }
+
+# Test: Shy SSH connection
+    if ($SSH_SHY_CNX) {
+        print "***Test: Shy SSH connection\n";
+        my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+        warn "$!\n" unless $cnx_h;
+        if (defined $cnx_h) {
+            sleep 3;
+            print $cnx_h $test_data;
+            my $data = <$cnx_h>;
+            is($data, "ssh: $test_data", "Shy SSH connection");
+        }
+    }
+
+# Test: Bold SSH connection
+    if ($SSH_BOLD_CNX) {
+        print "***Test: Bold SSH connection\n";
+        my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+        warn "$!\n" unless $cnx_h;
+        if (defined $cnx_h) {
+            my $td = "SSH-2.0 testsuite\t$test_data";
+            print $cnx_h $td;
+            my $data = <$cnx_h>;
+            is($data, "ssh: $td", "Bold SSH connection");
+        }
+    }
+
+# Test: PROBE_AGAIN, incomplete first frame
+    if ($SSH_PROBE_AGAIN) {
+        print "***Test: incomplete SSH first frame\n";
+        my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+        warn "$!\n" unless $cnx_h;
+        if (defined $cnx_h) {
+            my $td = "SSH-2.0 testsuite\t$test_data";
+            print $cnx_h substr $td, 0, 2;
+            sleep 1;
+            print $cnx_h substr $td, 2;
+            my $data = <$cnx_h>;
+            is($data, "ssh: $td", "Incomplete first SSH frame");
+        }
+    }
+
+
+# Test: One SSL half-started then one SSH
+    if ($SSL_MIX_SSH) {
+        print "***Test: One SSL half-started then one SSH\n";
+        my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+        warn "$!\n" unless $cnx_l;
+        if (defined $cnx_l) {
+            print $cnx_l $ssl_test_data;
+            my $cnx_h= new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+            warn "$!\n" unless $cnx_h;
+            if (defined $cnx_h) {
+                sleep 3;
+                print $cnx_h $test_data;
+                my $data_h = <$cnx_h>;
+                is($data_h, "ssh: $test_data", "SSH during SSL being established");
+            }
+            my $data;
+            my $n = sysread $cnx_l, $data, 1024;
+            is($data, "ssl: $ssl_test_data", "SSL connection interrupted by SSH");
+        }
+    }
+
+# Test: One SSH half-started then one SSL
+    if ($SSH_MIX_SSL) {
+        print "***Test: One SSH half-started then one SSL\n";
+        my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+        warn "$!\n" unless $cnx_h;
+        if (defined $cnx_h) {
+            sleep 3;
+            my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+            warn "$!\n" unless $cnx_l;
+            if (defined $cnx_l) {
+                print $cnx_l $ssl_test_data;
+                my $data;
+                my $n = sysread $cnx_l, $data, 1024;
+                is($data, "ssl: $ssl_test_data", "SSL during SSH being established");
+            }
+            print $cnx_h $test_data;
+            my $data = <$cnx_h>;
+            is($data, "ssh: $test_data", "SSH connection interrupted by SSL");
+        }
+    }
+
+
+# Test: Big messages (careful: don't go over echosrv's buffer limit (1M))
+    if ($BIG_MSG) {
+        print "***Test: big message\n";
+        my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+        warn "$!\n" unless $cnx_l;
+        my $rept = 1000;
+        my $test_data2 = $ssl_test_data . ("helloworld"x$rept);
+        if (defined $cnx_l) {
+            my $n = syswrite $cnx_l, $test_data2;
+            my ($data);
+            $n = sysread $cnx_l, $data, 1 << 20;
+            is($data, "ssl: ". $test_data2, "Big message");
+        }
+    }
+
+# Test: Stalled connection
+# Create two connections, stall one, check the other one
+# works, unstall first and check it works fine
+# This test needs fixing.
+# Now that echosrv no longer works on "lines" (finishing
+# with '\n'), it may cut blocks randomly with prefixes.
+# The whole thing needs to be re-thought as it'll only
+# work by chance.
+    if ($STALL_CNX) {
+        print "***Test: Stalled connection\n";
+        my $cnx_1 = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+        warn "$!\n" unless defined $cnx_1;
+        my $cnx_2 = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+        warn "$!\n" unless defined $cnx_2;
+        my $test_data2 = "helloworld";
+        sleep 4;
+        my $rept = 1000;
+        if (defined $cnx_1 and defined $cnx_2) {
+            print $cnx_1 ($test_data2 x $rept);
+            print $cnx_1 "\n";
+            print $cnx_2 ($test_data2 x $rept);
+            print $cnx_2 "\n";
+            my $data = <$cnx_2>;
+            is($data, "ssh: " . ($test_data2 x $rept) . "\n", "Stalled connection (1)");
+            print $cnx_2 ($test_data2 x $rept);
+            print $cnx_2 "\n";
+            $data = <$cnx_2>;
+            is($data, "ssh: " . ($test_data2 x $rept) . "\n", "Stalled connection (2)");
+            $data = <$cnx_1>;
+            is($data, "ssh: " . ($test_data2 x $rept) . "\n", "Stalled connection (3)");
+
+        }
+    }
+
+    my $pid = `cat $pidfile`;
+    warn "killing $pid\n";
+    kill TERM => $pid or warn "kill process: $!\n";
+    sleep 1;
+}
+
+# Robustness: Connecting to non-existant server
+if ($RB_CNX_NOSERVER) {
+    print "***Test: Connecting to non-existant server\n";
+    my $sslh_pid;
+    if (!($sslh_pid = fork)) {
+        my $user = (getpwuid $<)[0]; # Run under current username
+        exec "./sslh-select -v -f -u $user --listen localhost:$sslh_port --ssh localhost:$no_listen --ssl localhost:$no_listen -P $pidfile";
+    }
+    warn "spawned $sslh_pid\n";
+
+    sleep 1;
+
+    my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+    warn "$!\n" unless $cnx_h;
+    if (defined $cnx_h) {
+        sleep 1;
+        my $test_data = "hello";
+        print $cnx_h $test_data;
+    }
+    # Ideally we should check a log is emitted.
+
+    kill TERM => `cat $pidfile` or warn "kill: $!\n";
+    sleep 1;
+}
+
+
+# Robustness: No hostname in address
+if ($RB_PARAM_NOHOST) {
+    print "***Test: No hostname in address\n";
+    my $sslh_pid;
+    if (!($sslh_pid = fork)) {
+        my $user = (getpwuid $<)[0]; # Run under current username
+        exec "./sslh-select -v -f -u $user --listen $sslh_port --ssh $ssh_address --ssl $ssl_address -P $pidfile";
+    }
+    warn "spawned $sslh_pid\n";
+    waitpid $sslh_pid, 0;
+    my $code = $? >> 8;
+    warn "exited with $code\n";
+    is($code, 1, "Exit status on illegal option");
+}
+
+# Robustness: User does not exist
+if ($RB_WRONG_USERNAME) {
+    print "***Test: Changing to non-existant username\n";
+    my $sslh_pid;
+    if (!($sslh_pid = fork)) {
+        my $user = (getpwuid $<)[0]; # Run under current username
+        exec "./sslh-select -v -f -u ${user}_doesnt_exist --listen localhost:$sslh_port --ssh $ssh_address --ssl $ssl_address -P $pidfile";
+    }
+    warn "spawned $sslh_pid\n";
+    waitpid $sslh_pid, 0;
+    my $code = $? >> 8;
+    warn "exited with $code\n";
+    is($code, 2, "Exit status on non-existant username");
+}
+
+# Robustness: Can't open PID file
+if ($RB_OPEN_PID_FILE) {
+    print "***Test: Can't open PID file\n";
+    my $sslh_pid;
+    if (!($sslh_pid = fork)) {
+        my $user = (getpwuid $<)[0]; # Run under current username
+        exec "./sslh-select -v -f -u $user --listen localhost:$sslh_port --ssh $ssh_address --ssl $ssl_address -P /dont_exist/$pidfile";
+        # You don't have a /dont_exist/ directory, do you?!
+    }
+    warn "spawned $sslh_pid\n";
+    waitpid $sslh_pid, 0;
+    my $code = $? >> 8;
+    warn "exited with $code\n";
+    is($code, 3, "Exit status if can't open PID file");
+}
+
+# Robustness: Can't resolve address
+if ($RB_RESOLVE_ADDRESS) {
+    print "***Test: Can't resolve address\n";
+    my $sslh_pid;
+    if (!($sslh_pid = fork)) {
+        my $user = (getpwuid $<)[0]; # Run under current username
+        exec "./sslh-select -v -f -u $user --listen blahblah.dontexist:9000 --ssh $ssh_address --ssl $ssl_address -P $pidfile";
+    }
+    warn "spawned $sslh_pid\n";
+    waitpid $sslh_pid, 0;
+    my $code = $? >> 8;
+    warn "exited with $code\n";
+    is($code, 4, "Exit status if can't resolve address");
+}
+
+`lcov --directory . --capture --output-file sslh_cov.info`;
+`genhtml sslh_cov.info`;
+
+`killall echosrv`;
+

t_load

@@ -0,0 +1,128 @@
+#! /usr/bin/perl -w
+
+# Test script for sslh -- mass communication
+
+# This creates many clients that perform concurrent
+# connections, disconnect at any time, and try to generally
+# behave as badly as possible.
+
+# It can be used to test sslh behaves properly with many
+# clients, however its main use is to get an idea of how
+# much load it can take on your system before things start
+# to go wrong.
+
+use strict;
+use IO::Socket::INET6;
+use Data::Dumper;
+
+## BEGIN TEST CONFIG
+
+# Do we test sslh-select or sslh-fork?
+my $sslh_binary = "./sslh-select";
+
+# How many clients to we start for each protocol?
+my $NUM_CNX = 30;
+
+# Delay between starting new processes when starting up. If
+# you start 200 processes in under a second, things go wrong
+# and it's not sslh's fault (typically the echosrv won't be
+# forking fast enough).
+my $start_time_delay = 1;
+
+# If you test 4 protocols, you'll start $NUM_CNX * 4 clients
+# (e.g. 40), starting one every $start_time_delay seconds.
+
+# Max times we repeat the test string: allows to test for
+# large messages.
+my $block_rpt = 4096;
+
+# Probability to stop a client after a message (e.g. with
+# .01 a client will send an average of 100 messages before
+# disconnecting).
+my $stop_client_probability = .001;
+
+# What protocols we test, and on what ports
+# Just comment out protocols you don't want to use.
+my %protocols = (
+    "ssh" => { address => "localhost:9001", client => client("ssh") },
+    "ssl" => { address => "localhost:9002", client => client("ssl") },
+    "openvpn" => {address => "localhost:9003", client => client("openvpn") },
+    "tinc" => {address => "localhost:9004", client => client("tinc") },
+);
+
+##END CONFIG
+
+
+# We use ports 9000, 9001 and 9002 -- hope that won't clash
+# with anything...
+my $sslh_address = "localhost:9000";
+my $pidfile = "/tmp/sslh_test.pid";
+
+sub client {
+    my ($service) = @_;
+
+    return sub {
+        while (1) {
+            my $cnx = new IO::Socket::INET(PeerHost => $sslh_address);
+            my $test_data = "$service testing " x int(rand($block_rpt)+1) . "\n";
+
+            sleep 5 if $service eq "ssh";
+            if ($service eq "openvpn") {
+                syswrite $cnx, "\x00\x0F\x38\n";
+                my $msg;
+                sysread $cnx, $msg, 14; # length "openvpn: \x0\xF\x38\n" => 14
+            }
+            if ($service eq "tinc") {
+                syswrite $cnx, "0 \n";
+                my $msg;
+                sysread $cnx, $msg, 10; # length "tinc: 0 \n" => 10 
+            }
+            while (1) {
+                print $cnx $test_data;
+                my $r = <$cnx>;
+                ($? = 1, die "$service got [$r]\n") if ($r ne "$service: $test_data");
+                last if rand(1) < $stop_client_probability;
+            }
+        }
+        exit 0;
+    }
+}
+
+foreach my $p (keys %protocols) {
+    if (!fork) {
+        exec "./echosrv --listen $protocols{$p}->{address} --prefix '$p: '";
+    }
+}
+
+# Start sslh with the right plumbing
+my $sslh_pid;
+if (!($sslh_pid = fork)) {
+    my $user = (getpwuid $<)[0]; # Run under current username
+    my $prots = join " ", map "--$_ $protocols{$_}->{address}", keys %protocols;
+    my $cmd = "$sslh_binary -f -t 3 -u $user --listen $sslh_address $prots -P $pidfile";
+    print "$cmd\n";
+    exec $cmd;
+    exit 0;
+}
+warn "spawned $sslh_pid\n";
+sleep 2;  # valgrind can be heavy -- wait 5 seconds
+
+
+for (1 .. $NUM_CNX) {
+    foreach my $p (keys %protocols) {
+        if (!fork) {
+            warn "starting $p\n";
+            &{$protocols{$p}->{client}};
+            exit;
+        }
+        # Give a little time so we don't overrun the
+        # listen(2) backlog.
+        select undef, undef, undef, $start_time_delay;
+    }
+}
+
+wait;
+
+
+`killall echosrv`;
+

tls.c

@@ -0,0 +1,327 @@
+/*
+ * Copyright (c) 2011 and 2012, Dustin Lundquist <dustin@null-ptr.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
+ * This is a minimal TLS implementation intended only to parse the server name
+ * extension.  This was created based primarily on Wireshark dissection of a
+ * TLS handshake and RFC4366.
+ */
+#include <stdio.h>
+#include <stdlib.h> /* malloc() */
+#include "tls.h"
+
+#define TLS_HEADER_LEN 5
+#define TLS_HANDSHAKE_CONTENT_TYPE 0x16
+#define TLS_HANDSHAKE_TYPE_CLIENT_HELLO 0x01
+
+#ifndef MIN
+#define MIN(X, Y) ((X) < (Y) ? (X) : (Y))
+#endif
+
+
+struct TLSProtocol {
+    int use_alpn;
+    char** sni_hostname_list;
+    char** alpn_protocol_list;
+};
+
+static int parse_extensions(const struct TLSProtocol *, const char *, size_t);
+static int parse_server_name_extension(const struct TLSProtocol *, const char *, size_t);
+static int parse_alpn_extension(const struct TLSProtocol *, const char *, size_t);
+static int has_match(char**, const char*, size_t);
+
+/* Parse a TLS packet for the Server Name Indication and ALPN extension in the client
+ * hello handshake, returning a status code
+ *
+ * Returns:
+ *  >=0  - length of the hostname and updates *hostname
+ *         caller is responsible for freeing *hostname
+ *  -1   - Incomplete request
+ *  -2   - No Host header included in this request
+ *  -3   - Invalid hostname pointer
+ *  < -4 - Invalid TLS client hello
+ */
+int
+parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t data_len) {
+    char tls_content_type;
+    char tls_version_major;
+    char tls_version_minor;
+    size_t pos = TLS_HEADER_LEN;
+    size_t len;
+
+    /* Check that our TCP payload is at least large enough for a TLS header */
+    if (data_len < TLS_HEADER_LEN)
+        return -1;
+
+    tls_content_type = data[0];
+    if (tls_content_type != TLS_HANDSHAKE_CONTENT_TYPE) {
+        if (verbose) fprintf(stderr, "Request did not begin with TLS handshake.\n");
+        return -5;
+    }
+
+    tls_version_major = data[1];
+    tls_version_minor = data[2];
+    if (tls_version_major < 3) {
+        if (verbose) fprintf(stderr, "Received SSL %d.%d handshake which cannot be parsed.\n",
+              tls_version_major, tls_version_minor);
+
+        return -2;
+    }
+
+    /* TLS record length */
+    len = ((unsigned char)data[3] << 8) +
+          (unsigned char)data[4] + TLS_HEADER_LEN;
+    data_len = MIN(data_len, len);
+
+    /* Check we received entire TLS record length */
+    if (data_len < len)
+        return -1;
+
+    /*
+     * Handshake
+     */
+    if (pos + 1 > data_len) {
+        return -5;
+    }
+    if (data[pos] != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
+        if (verbose) fprintf(stderr, "Not a client hello\n");
+
+        return -5;
+    }
+
+    /* Skip past fixed length records:
+       1	Handshake Type
+       3	Length
+       2	Version (again)
+       32	Random
+       to	Session ID Length
+     */
+    pos += 38;
+
+    /* Session ID */
+    if (pos + 1 > data_len)
+        return -5;
+    len = (unsigned char)data[pos];
+    pos += 1 + len;
+
+    /* Cipher Suites */
+    if (pos + 2 > data_len)
+        return -5;
+    len = ((unsigned char)data[pos] << 8) + (unsigned char)data[pos + 1];
+    pos += 2 + len;
+
+    /* Compression Methods */
+    if (pos + 1 > data_len)
+        return -5;
+    len = (unsigned char)data[pos];
+    pos += 1 + len;
+
+    if (pos == data_len && tls_version_major == 3 && tls_version_minor == 0) {
+        if (verbose) fprintf(stderr, "Received SSL 3.0 handshake without extensions\n");
+        return -2;
+    }
+
+    /* Extensions */
+    if (pos + 2 > data_len)
+        return -5;
+    len = ((unsigned char)data[pos] << 8) + (unsigned char)data[pos + 1];
+    pos += 2;
+
+    if (pos + len > data_len)
+        return -5;
+    return parse_extensions(tls_data, data + pos, len);
+}
+
+static int
+parse_extensions(const struct TLSProtocol *tls_data, const char *data, size_t data_len) {
+    size_t pos = 0;
+    size_t len;
+    int last_matched = 0;
+
+    if (tls_data == NULL)
+        return -3;
+
+    /* Parse each 4 bytes for the extension header */
+    while (pos + 4 <= data_len) {
+        /* Extension Length */
+        len = ((unsigned char) data[pos + 2] << 8) +
+              (unsigned char) data[pos + 3];
+
+        if (pos + 4 + len > data_len)
+            return -5;
+
+        size_t extension_type = ((unsigned char) data[pos] << 8) +
+                                (unsigned char) data[pos + 1];
+
+
+        /* Check if it's a server name extension */
+        /* There can be only one extension of each type, so we break
+           our state and move pos to beginning of the extension here */
+        if (tls_data->use_alpn == 2) {
+            /* we want BOTH alpn and sni to match */
+            if (extension_type == 0x00) { /* Server Name */
+                if (parse_server_name_extension(tls_data, data + pos + 4, len)) {
+                    /* SNI matched */
+                    if(last_matched) {
+                        /* this is only true if ALPN matched, so return true */
+                        return last_matched;
+                    } else {
+                        /* otherwise store that SNI matched */
+                        last_matched = 1;
+                    }
+                } else {
+                    // both can't match
+                    return -2;
+                }
+            } else if (extension_type == 0x10) { /* ALPN */
+                if (parse_alpn_extension(tls_data, data + pos + 4, len)) {
+                    /* ALPN matched */
+                    if(last_matched) {
+                        /* this is only true if SNI matched, so return true */
+                        return last_matched;
+                    } else {
+                        /* otherwise store that ALPN matched */
+                        last_matched = 1;
+                    }
+                } else {
+                    // both can't match
+                    return -2;
+                }
+            }
+
+        } else if (extension_type == 0x00 && tls_data->use_alpn == 0) { /* Server Name */
+            return parse_server_name_extension(tls_data, data + pos + 4, len);
+        } else if (extension_type == 0x10 && tls_data->use_alpn == 1) { /* ALPN */
+            return parse_alpn_extension(tls_data, data + pos + 4, len);
+        }
+
+        pos += 4 + len; /* Advance to the next extension header */
+    }
+
+    /* Check we ended where we expected to */
+    if (pos != data_len)
+        return -5;
+
+    return -2;
+}
+
+static int
+parse_server_name_extension(const struct TLSProtocol *tls_data, const char *data, size_t data_len) {
+    size_t pos = 2; /* skip server name list length */
+    size_t len;
+
+    while (pos + 3 < data_len) {
+        len = ((unsigned char)data[pos + 1] << 8) +
+              (unsigned char)data[pos + 2];
+
+        if (pos + 3 + len > data_len)
+            return -5;
+
+        switch (data[pos]) { /* name type */
+            case 0x00: /* host_name */
+                if(has_match(tls_data->sni_hostname_list, data + pos + 3, len)) {
+                    return len;
+                } else {
+                    return -2;
+                }
+            default:
+                if (verbose) fprintf(stderr, "Unknown server name extension name type: %d\n",
+                      data[pos]);
+        }
+        pos += 3 + len;
+    }
+    /* Check we ended where we expected to */
+    if (pos != data_len)
+        return -5;
+
+    return -2;
+}
+
+static int
+parse_alpn_extension(const struct TLSProtocol *tls_data, const char *data, size_t data_len) {
+    size_t pos = 2;
+    size_t len;
+
+    while (pos + 1 < data_len) {
+        len = (unsigned char)data[pos];
+
+        if (pos + 1 + len > data_len)
+            return -5;
+
+        if (len > 0 && has_match(tls_data->alpn_protocol_list, data + pos + 1, len)) {
+            return len;
+        } else if (len > 0) {
+            if (verbose) fprintf(stderr, "Unknown ALPN name: %.*s\n", (int)len, data + pos + 1);
+        }
+        pos += 1 + len;
+    }
+    /* Check we ended where we expected to */
+    if (pos != data_len)
+        return -5;
+
+    return -2;
+}
+
+static int
+has_match(char** list, const char* name, size_t name_len) {
+    char **item;
+
+    for (item = list; *item; item++) {
+        if (verbose) fprintf(stderr, "matching [%.*s] with [%s]\n", (int)name_len, name, *item);
+        if(!strncmp(*item, name, name_len)) {
+            return 1;
+        }
+    }
+    return 0;
+}
+
+struct TLSProtocol *
+new_tls_data() {
+    struct TLSProtocol *tls_data = malloc(sizeof(struct TLSProtocol));
+    if (tls_data != NULL) {
+        tls_data->use_alpn = -1;
+    }
+
+    return tls_data;
+}
+
+struct TLSProtocol *
+tls_data_set_list(struct TLSProtocol *tls_data, int alpn, char** list) {
+    if (alpn) {
+        tls_data->alpn_protocol_list = list;
+        if(tls_data->use_alpn == 0)
+            tls_data->use_alpn = 2;
+        else
+            tls_data->use_alpn = 1;
+    } else {
+        tls_data->sni_hostname_list = list;
+        if(tls_data->use_alpn == 1)
+            tls_data->use_alpn = 2;
+        else
+            tls_data->use_alpn = 0;
+    }
+
+    return tls_data;
+}

tls.h

@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2011 and 2012, Dustin Lundquist <dustin@null-ptr.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef TLS_H
+#define TLS_H
+
+#include "common.h"
+
+struct TLSProtocol;
+
+int parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t data_len);
+
+struct TLSProtocol *new_tls_data();
+struct TLSProtocol *tls_data_set_list(struct TLSProtocol *, int, char**);
+
+#endif