Add ALPN protocol based probe

Changed connection log to include the name of the probe that triggered.
Added log_level option to configuration file, which switches off log at each connection
2024-11-16 14:15:09 -05:00 · 2016-01-05 00:32:10 -05:00 · 2015-12-15 16:06:14 +01:00 · 2015-12-15 15:51:18 +01:00 · 2015-10-20 10:58:58 +02:00 · 2015-10-19 13:40:51 -05:00
30 changed files with 5117 additions and 465 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,10 @@
 *.swp
 *.swo
 *.o
 cscope.*
 echosrv
 sslh-fork
 sslh-select
 sslh.8.gz
 tags
 version.h
--- a/339
+++ b/339
@ -0,0 +1,339 @@
                    GNU GENERAL PUBLIC LICENSE
                       Version 2, June 1991
 Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
                            Preamble
  The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
 License is intended to guarantee your freedom to share and change free
 software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
 the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
  When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
 have the freedom to distribute copies of free software (and charge for
 this service if you wish), that you receive source code or can get it
 if you want it, that you can change the software or use pieces of it
 in new free programs; and that you know you can do these things.
  To protect your rights, we need to make restrictions that forbid
 anyone to deny you these rights or to ask you to surrender the rights.
 These restrictions translate to certain responsibilities for you if you
 distribute copies of the software, or if you modify it.
  For example, if you distribute copies of such a program, whether
 gratis or for a fee, you must give the recipients all the rights that
 you have.  You must make sure that they, too, receive or can get the
 source code.  And you must show them these terms so they know their
 rights.
  We protect your rights with two steps: (1) copyright the software, and
 (2) offer you this license which gives you legal permission to copy,
 distribute and/or modify the software.
  Also, for each author's protection and ours, we want to make certain
 that everyone understands that there is no warranty for this free
 software.  If the software is modified by someone else and passed on, we
 want its recipients to know that what they have is not the original, so
 that any problems introduced by others will not reflect on the original
 authors' reputations.
  Finally, any free program is threatened constantly by software
 patents.  We wish to avoid the danger that redistributors of a free
 program will individually obtain patent licenses, in effect making the
 program proprietary.  To prevent this, we have made it clear that any
 patent must be licensed for everyone's free use or not licensed at all.
  The precise terms and conditions for copying, distribution and
 modification follow.
                    GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
  0. This License applies to any program or other work which contains
 a notice placed by the copyright holder saying it may be distributed
 under the terms of this General Public License.  The "Program", below,
 refers to any such program or work, and a "work based on the Program"
 means either the Program or any derivative work under copyright law:
 that is to say, a work containing the Program or a portion of it,
 either verbatim or with modifications and/or translated into another
 language.  (Hereinafter, translation is included without limitation in
 the term "modification".)  Each licensee is addressed as "you".
 Activities other than copying, distribution and modification are not
 covered by this License; they are outside its scope.  The act of
 running the Program is not restricted, and the output from the Program
 is covered only if its contents constitute a work based on the
 Program (independent of having been made by running the Program).
 Whether that is true depends on what the Program does.
  1. You may copy and distribute verbatim copies of the Program's
 source code as you receive it, in any medium, provided that you
 conspicuously and appropriately publish on each copy an appropriate
 copyright notice and disclaimer of warranty; keep intact all the
 notices that refer to this License and to the absence of any warranty;
 and give any other recipients of the Program a copy of this License
 along with the Program.
 You may charge a fee for the physical act of transferring a copy, and
 you may at your option offer warranty protection in exchange for a fee.
  2. You may modify your copy or copies of the Program or any portion
 of it, thus forming a work based on the Program, and copy and
 distribute such modifications or work under the terms of Section 1
 above, provided that you also meet all of these conditions:
    a) You must cause the modified files to carry prominent notices
    stating that you changed the files and the date of any change.
    b) You must cause any work that you distribute or publish, that in
    whole or in part contains or is derived from the Program or any
    part thereof, to be licensed as a whole at no charge to all third
    parties under the terms of this License.
    c) If the modified program normally reads commands interactively
    when run, you must cause it, when started running for such
    interactive use in the most ordinary way, to print or display an
    announcement including an appropriate copyright notice and a
    notice that there is no warranty (or else, saying that you provide
    a warranty) and that users may redistribute the program under
    these conditions, and telling the user how to view a copy of this
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
 themselves, then this License, and its terms, do not apply to those
 sections when you distribute them as separate works.  But when you
 distribute the same sections as part of a whole which is a work based
 on the Program, the distribution of the whole must be on the terms of
 this License, whose permissions for other licensees extend to the
 entire whole, and thus to each and every part regardless of who wrote it.
 Thus, it is not the intent of this section to claim rights or contest
 your rights to work written entirely by you; rather, the intent is to
 exercise the right to control the distribution of derivative or
 collective works based on the Program.
 In addition, mere aggregation of another work not based on the Program
 with the Program (or with a work based on the Program) on a volume of
 a storage or distribution medium does not bring the other work under
 the scope of this License.
  3. You may copy and distribute the Program (or a work based on it,
 under Section 2) in object code or executable form under the terms of
 Sections 1 and 2 above provided that you also do one of the following:
    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,
    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,
    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code.  (This alternative is
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)
 The source code for a work means the preferred form of the work for
 making modifications to it.  For an executable work, complete source
 code means all the source code for all modules it contains, plus any
 associated interface definition files, plus the scripts used to
 control compilation and installation of the executable.  However, as a
 special exception, the source code distributed need not include
 anything that is normally distributed (in either source or binary
 form) with the major components (compiler, kernel, and so on) of the
 operating system on which the executable runs, unless that component
 itself accompanies the executable.
 If distribution of executable or object code is made by offering
 access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
  4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
 void, and will automatically terminate your rights under this License.
 However, parties who have received copies, or rights, from you under
 this License will not have their licenses terminated so long as such
 parties remain in full compliance.
  5. You are not required to accept this License, since you have not
 signed it.  However, nothing else grants you permission to modify or
 distribute the Program or its derivative works.  These actions are
 prohibited by law if you do not accept this License.  Therefore, by
 modifying or distributing the Program (or any work based on the
 Program), you indicate your acceptance of this License to do so, and
 all its terms and conditions for copying, distributing or modifying
 the Program or works based on it.
  6. Each time you redistribute the Program (or any work based on the
 Program), the recipient automatically receives a license from the
 original licensor to copy, distribute or modify the Program subject to
 these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties to
 this License.
  7. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
 excuse you from the conditions of this License.  If you cannot
 distribute so as to satisfy simultaneously your obligations under this
 License and any other pertinent obligations, then as a consequence you
 may not distribute the Program at all.  For example, if a patent
 license would not permit royalty-free redistribution of the Program by
 all those who receive copies directly or indirectly through you, then
 the only way you could satisfy both it and this License would be to
 refrain entirely from distribution of the Program.
 If any portion of this section is held invalid or unenforceable under
 any particular circumstance, the balance of the section is intended to
 apply and the section as a whole is intended to apply in other
 circumstances.
 It is not the purpose of this section to induce you to infringe any
 patents or other property right claims or to contest validity of any
 such claims; this section has the sole purpose of protecting the
 integrity of the free software distribution system, which is
 implemented by public license practices.  Many people have made
 generous contributions to the wide range of software distributed
 through that system in reliance on consistent application of that
 system; it is up to the author/donor to decide if he or she is willing
 to distribute software through any other system and a licensee cannot
 impose that choice.
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
  8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
 may add an explicit geographical distribution limitation excluding
 those countries, so that distribution is permitted only in or among
 countries not thus excluded.  In such case, this License incorporates
 the limitation as if written in the body of this License.
  9. The Free Software Foundation may publish revised and/or new versions
 of the General Public License from time to time.  Such new versions will
 be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.
 Each version is given a distinguishing version number.  If the Program
 specifies a version number of this License which applies to it and "any
 later version", you have the option of following the terms and conditions
 either of that version or of any later version published by the Free
 Software Foundation.  If the Program does not specify a version number of
 this License, you may choose any version ever published by the Free Software
 Foundation.
  10. If you wish to incorporate parts of the Program into other free
 programs whose distribution conditions are different, write to the author
 to ask for permission.  For software which is copyrighted by the Free
 Software Foundation, write to the Free Software Foundation; we sometimes
 make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
                            NO WARRANTY
  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
 OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
 PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
 OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
 TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
 PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
 REPAIR OR CORRECTION.
  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
 REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
 INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
 OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
 TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
 YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
                     END OF TERMS AND CONDITIONS
            How to Apply These Terms to Your New Programs
  If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
 free software which everyone can redistribute and change under these terms.
  To do so, attach the following notices to the program.  It is safest
 to attach them to the start of each source file to most effectively
 convey the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 Also add information on how to contact you by electronic and paper mail.
 If the program is interactive, make it output a short notice like this
 when it starts in an interactive mode:
    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.
 The hypothetical commands `show w' and `show c' should show the appropriate
 parts of the General Public License.  Of course, the commands you use may
 be called something other than `show w' and `show c'; they could even be
 mouse-clicks or menu items--whatever suits your program.
 You should also get your employer (if you work as a programmer) or your
 school, if any, to sign a "copyright disclaimer" for the program, if
 necessary.  Here is a sample; alter the names:
  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
  `Gnomovision' (which makes passes at compilers) written by James Hacker.
  <signature of Ty Coon>, 1 April 1989
  Ty Coon, President of Vice
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
 library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.
--- a/297
+++ b/297
@ -0,0 +1,297 @@
 vNEXT:
 	Added USELIBPCRE to make use of regex engine
 	optional.
 	Added support for RFC4366 SNI and RFC7301 ALPN
 	(Travis Burtrum)
 	Changed connection log to include the name of the probe that
 	triggered.
 	Changed configuration file format: 'probe' field is
 	no longer required, 'name' field can now contain
 	'tls' or 'regex', with corresponding options (see
 	example.cfg)
 	Added 'log_level' option to each protocol, which
 	allows to turn off generation of log at each
 	connection.
 v1.17: 	09MAR2015
 	Support RFC5952-style IPv6 addresses, e.g. [::]:443.
 	Transparant proxy support for FreeBSD.
 	(Ruben van Staveren)
 	Using -F with no argument will try
 	/etc/sslh/sslh.cfg and then /etc/sslh.cfg as
 	configuration files. (argument to -F can no longer
 	be separated from the option by a space, e.g. must
 	be -Ffoo.cfg)
 	Call setgroups() before setgid() (fixes potential
 	privilege escalation).
 	(Lars Vogdt)
 	Use portable way of getting modified time for OSX
 	support.
 	(Aaron Madlon-Kay)
 	Example configuration for fail2ban.
 	(Every Mouw)
 v1.16:	11FEB2014
 	Probes made more resilient, to incoming data
 	containing NULLs. Also made them behave properly
 	when receiving too short packets to probe on the
 	first incoming packet.
 	(Ondrej Kuzník)
 	Libcap support: Keep only CAP_NET_ADMIN if started
 	as root with transparent proxying and dropping
 	priviledges (enable USELIBCAP in Makefile). This
 	avoids having to mess with filesystem capabilities.
 	(Sebastian Schmidt/yath)
 	Fixed bugs related to getpeername that would cause
 	sslh to quit erroneously (getpeername can return
 	actual errors if connections are dropped before
 	getting to getpeername).
 	Set IP_FREEDBIND if available to bind to addresses
 	that don't yet exist.
 v1.15:	27JUL2013
 	Added --transparent option for transparent proxying.
 	See README for iptables magic and capability
 	management.
 	Fixed bug in sslh-select: if number of opened file
 	descriptor became bigger than FD_SETSIZE, bad things
 	would happen.
 	Fixed bug in sslh-select: if socket dropped while
 	deferred_data was present, sslh-select would crash.
 	Increased FD_SETSIZE for Cygwin, as the default 64
 	is too low for even moderate load.
 v1.14: 21DEC2012
 	Corrected OpenVPN probe to support pre-shared secret
 	mode (OpenVPN port-sharing code is... wrong). Thanks
 	to Kai Ellinger for help in investigating and
 	testing.
 	Added an actual TLS/SSL probe.
 	Added configurable --on-timeout protocol
 	specification.
 	Added a --anyprot protocol probe (equivalent to what
 	--ssl was).
 	Makefile respects the user's compiler and CFLAG
 	choices (falling back to the current values if
 	undefined), as well as LDFLAGS. 
 	(Michael Palimaka)
 	Added "After" and "KillMode" to systemd.sslh.service
 	(Thomas Weißschuh).
 	Added LSB tags to etc.init.d.sslh
 	(Thomas Varis).
 v1.13: 18MAY2012
 	Write PID file before dropping privileges.
 	Added --background, which overrides 'foreground'
 	configuration file setting.
 	Added example systemd service file from Archlinux in
 	scripts/
 	https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh
 	(Sébastien Luttringer)
 v1.12: 08MAY2012
 	Added support for configuration file.
 	New protocol probes can be defined using regular
 	expressions that match the first packet sent by the
 	client.
 	sslh now connects timed out connections to the first
 	configured protocol instead of 'ssh' (just make sure
 	ssh is the first defined protocol).
 	sslh now tries protocols in the order in which they
 	are defined (just make sure sslh is the last defined
 	protocol).
 v1.11: 21APR2012
 	WARNING: defaults have been removed for --user and
 	--pidfile options, update your start-up scripts!
 	No longer stop sslh when reverse DNS requests fail
 	for logging.
 	Added HTTP probe.
 	No longer create new session if running in
 	foreground.
 	No longer default to changing user to 'nobody'. If
 	--user isn't specified, just run as current user.
 	No longer create PID file by default, it should be
 	explicitely set with --pidfile.
 	No longer log to syslog if in foreground. Logs are
 	instead output to stderr.
 	The four changes above make it straightforward to
 	integrate sslh with systemd, and should help with
 	launchd.
 v1.10: 27NOV2011
 	Fixed calls referring to sockaddr length so they work
 	with FreeBSD.
 	Try target addresses in turn until one works if
 	there are several (e.g. "localhost:22" resolves to
 	an IPv6 address and an IPv4 address and sshd does
 	not listen on IPv6).
 	Fixed sslh-fork so killing the head process kills
 	the listener processes.
 	Heavily cleaned up test suite. Added stress test
 	t_load script. Added coverage (requires lcov).
 	Support for XMPP (Arnaud Gendre).
 	Updated README.MacOSX (Aaron Madlon-Kay).
 v1.9: 02AUG2011
 	WARNING: This version does not work with FreeBSD and
 	derivatives!
 	WARNING: Options changed, you'll need to update your
 	start-up scripts! Log format changed, you'll need to
 	update log processing scripts!
 	Now supports IPv6 throughout (both on listening and
 	forwarding)
 	Logs now contain IPv6 addresses, local forwarding
 	address, and resolves names (unless --numeric is
 	specified).
 	Introduced long options.
 	Options -l, -s and -o replaced by their long
 	counterparts.
 	Defaults for SSL and SSH options suppressed (it's 
 	legitimate to want to use sslh to mux OpenVPN and 
 	tinc while not caring about SSH nor SSL).
 	Bind to multiple addresses with multiple -p options.
 	Support for tinc VPN (experimental).
 	Numeric logging option.
 v1.8: 15JUL2011
 	Changed log format to make it possible to link
 	connections to subsequent logs from other services.
 	Updated CentOS init.d script (Andre Krajnik).
 	Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not
 	propagated to the child process, so we set up signals after
 	the fork.) (François FRITZ)
 	Added -o "OpenVPN" and OpenVPN probing and support.
 	Added single-threaded, select(2)-based version.
 	Added support for "Bold" SSH clients (clients that speak first)
 	Thanks to Guillaume Ricaud for spotting a regression
 	bug.
 	Added -f "foreground" option.
 	Added test suite. (only tests connexions. No test for libwrap,
 	setsid, setuid and so on) and corresponding 'make
 	test' target.
 	Added README.MacOSX (thanks Aaron Madlon-Kay)
 	Documented use with proxytunnel and corkscrew in
 	README.
 v1.7: 01FEB2010
 	Added CentOS init.d script (Andre Krajnik).
 	Fixed default ssl address inconsistancy, now
 	defaults to "localhost:443" and fixed documentation
 	accordingly (pointed by Markus Schalke).
 	Children no longer bind to the listen socket, so
 	parent server can be stopped without killing an
 	active child (pointed by Matthias Buecher).
 	Inetd support (Dima Barsky).
 v1.6: 25APR2009
 	Added -V, version option.
 	Install target directory configurable in Makefile
 	Changed syslog prefix in auth.log to "sslh[%pid]"
 	Man page
 	new 'make install' and 'make install-debian' targets
 	PID file now specified using -P command line option
 	Actually fixed zombie generation (the v1.5 patch got
 	lost, doh!)
 v1.5: 10DEC2008
 	Fixed zombie generation.
 	Added support scripts (), Makefile.
 	Changed all 'connexions' to 'connections' to please
 	pesky users. Damn users.
 v1.4: 13JUL2008
 	Added libwrap support for ssh service (Christian Weinberger)
 	Only SSH is libwraped, not SSL.
 v1.3: 14MAY2008
 	Added parsing for local interface to listen on
 	Changed default SSL connection to port 442 (443 doesn't make
 	sense as a default as we're already listening on 443)
 	Syslog incoming connections
 v1.2: 12MAY2008
 	Fixed compilation warning for AMD64 (Thx Daniel Lange)
 v1.1: 21MAY2007
 	Making sslhc more like a real daemon:
 	* If $PIDFILE is defined, write first PID to it upon startup
 	* Fork at startup (detach from terminal)
 	(thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
 	* Less memory usage (?)
 v1.0: 
 	Basic functionality: privilege dropping, target hostnames and ports
 	configurable.
--- a/107
+++ b/107
@ -0,0 +1,107 @@
 # Configuration
 VERSION=$(shell ./genver.sh -r)
 USELIBCONFIG=1	# Use libconfig? (necessary to use configuration files)
 USELIBPCRE=1	# Use libpcre? (necessary to use regex probe)
 USELIBWRAP?=	# Use libwrap?
 USELIBCAP=	# Use libcap?
 COV_TEST= 	# Perform test coverage?
 PREFIX?=/usr
 BINDIR?=$(PREFIX)/sbin
 MANDIR?=$(PREFIX)/share/man/man8
 MAN=sslh.8.gz	# man page name
 # End of configuration -- the rest should take care of
 # itself
 ifneq ($(strip $(COV_TEST)),)
    CFLAGS_COV=-fprofile-arcs -ftest-coverage
 endif
 CC ?= gcc
 CFLAGS ?=-Wall -g $(CFLAGS_COV)
 LIBS=
 OBJS=common.o sslh-main.o probe.o tls.o
 ifneq ($(strip $(USELIBWRAP)),)
 	LIBS:=$(LIBS) -lwrap
 	CPPFLAGS+=-DLIBWRAP
 endif
 ifneq ($(strip $(USELIBPCRE)),)
 	CPPFLAGS+=-DLIBPCRE
 endif
 ifneq ($(strip $(USELIBCONFIG)),)
 	LIBS:=$(LIBS) -lconfig
 	CPPFLAGS+=-DLIBCONFIG
 endif
 ifneq ($(strip $(USELIBCAP)),)
 	LIBS:=$(LIBS) -lcap
 	CPPFLAGS+=-DLIBCAP
 endif
 all: sslh $(MAN) echosrv
 .c.o: *.h
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
 version.h:
 	./genver.sh >version.h
 sslh: sslh-fork sslh-select
 sslh-fork: version.h $(OBJS) sslh-fork.o Makefile common.h
 	$(CC) $(CFLAGS) $(LDFLAGS) -o sslh-fork sslh-fork.o $(OBJS) $(LIBS)
 	#strip sslh-fork
 sslh-select: version.h $(OBJS) sslh-select.o Makefile common.h
 	$(CC) $(CFLAGS) $(LDFLAGS) -o sslh-select sslh-select.o $(OBJS) $(LIBS)
 	#strip sslh-select
 echosrv: $(OBJS) echosrv.o
 	$(CC) $(CFLAGS) $(LDFLAGS) -o echosrv echosrv.o probe.o common.o tls.o $(LIBS)
 $(MAN): sslh.pod Makefile
 	pod2man --section=8 --release=$(VERSION) --center=" " sslh.pod | gzip -9 - > $(MAN)
 # Create release: export clean tree and tag current
 # configuration
 release:
 	git archive master --prefix="sslh-$(VERSION)/" | gzip > /tmp/sslh-$(VERSION).tar.gz
 # generic install: install binary and man page
 install: sslh $(MAN)
 	mkdir -p $(DESTDIR)/$(BINDIR)
 	mkdir -p $(DESTDIR)/$(MANDIR)
 	install -p sslh-fork $(DESTDIR)/$(BINDIR)/sslh
 	install -p -m 0644 $(MAN) $(DESTDIR)/$(MANDIR)/$(MAN)
 # "extended" install for Debian: install startup script
 install-debian: install sslh $(MAN)
 	sed -e "s+^PREFIX=+PREFIX=$(PREFIX)+" scripts/etc.init.d.sslh > /etc/init.d/sslh
 	chmod 755 /etc/init.d/sslh
 	update-rc.d sslh defaults
 uninstall:
 	rm -f $(DESTDIR)$(BINDIR)/sslh $(DESTDIR)$(MANDIR)/$(MAN) $(DESTDIR)/etc/init.d/sslh $(DESTDIR)/etc/default/sslh
 	update-rc.d sslh remove
 distclean: clean
 	rm -f tags cscope.*
 clean:
 	rm -f sslh-fork sslh-select echosrv version.h $(MAN) *.o *.gcov *.gcno *.gcda *.png *.html *.css *.info
 tags:
 	ctags --globals -T *.[ch]
 cscope:
 	-find . -name "*.[chS]" >cscope.files
 	-cscope -b -R
 test:
 	./t
--- a/README.MacOSX
+++ b/README.MacOSX
@ -0,0 +1,54 @@
 sslh is available for Mac OS X via MacPorts. If you have
 MacPorts installed on your system you can install sslh by
 executing the following in the Terminal:
 port install sslh
 Also, the following is a helpful launchd configuration that
 covers the most common use case of sslh. Save the following
 into a text file, e.g.
 /Library/LaunchDaemons/net.rutschle.sslh.plist, then load it
 with launchctl or simply reboot.
 ----BEGIN FILE----
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>Disabled</key>
 	<false/>
 	<key>KeepAlive</key>
 	<true/>
 	<key>Label</key>
 	<string>net.rutschle.sslh</string>
 	<key>ProgramArguments</key>
 	<array>
 		<string>/opt/local/sbin/sslh</string>
 		<string>-f</string>
 		<string>-v</string>
 		<string>-u</string>
 		<string>nobody</string>
 		<string>-p</string>
 		<string>0.0.0.0:443</string>
 		<string>--ssh</string>
 		<string>localhost:22</string>
 		<string>--ssl</string>
 		<string>localhost:443</string>
 	</array>
 	<key>QueueDirectories</key>
 	<array/>
 	<key>RunAtLoad</key>
 	<true/>
 	<key>StandardErrorPath</key>
 	<string>/Library/Logs/sslh.log</string>
 	<key>StandardOutPath</key>
 	<string>/Library/Logs/sslh.log</string>
 	<key>WatchPaths</key>
 	<array/>
 </dict>
 </plist>
 ----END FILE----
--- a/README.md
+++ b/README.md
@ -0,0 +1,327 @@
 sslh -- A ssl/ssh multiplexer
 =============================
 `sslh` accepts connections on specified ports, and forwards
 them further based on tests performed on the first data
 packet sent by the remote client.
 Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are
 implemented, and any other protocol that can be tested using
 a regular expression, can be recognised. A typical use case
 is to allow serving several services on port 443 (e.g. to
 connect to SSH from inside a corporate firewall, which
 almost never block port 443) while still serving HTTPS on
 that port. 
 Hence `sslh` acts as a protocol demultiplexer, or a
 switchboard. Its name comes from its original function to
 serve SSH and HTTPS on the same port.
 Compile and install
 ===================
 Dependencies
 ------------
 `sslh` uses [libconfig](http://www.hyperrealm.com/libconfig/)
 and [libwrap](http://packages.debian.org/source/unstable/tcp-wrappers).
 For Debian, these are contained in packages `libwrap0-dev` and
 `libconfig8-dev`.
 For OpenSUSE, these are contained in packages libconfig9 and
 libconfig-dev in repository
 <http://download.opensuse.org/repositories/multimedia:/libs/openSUSE_12.1/>
 For Fedora, you'll need packages `libconfig` and
 `libconfig-devel`:
 	yum install libconfig libconfig-devel
 If you can't find `libconfig`, or just don't want a
 configuration file, set `USELIBCONFIG=` in the Makefile.
 Compilation
 -----------
 After this, the Makefile should work:
 	make install
 There are a couple of configuration options at the beginning
 of the Makefile: 
 * `USELIBWRAP` compiles support for host access control (see
  `hosts_access(3)`), you will need `libwrap` headers and
  library to compile (`libwrap0-dev` in Debian).
 * `USELIBCONFIG` compiles support for the configuration
  file. You will need `libconfig` headers to compile
  (`libconfig8-dev` in Debian).
 Binaries
 --------
 The Makefile produces two different executables: `sslh-fork`
 and `sslh-select`:
 * `sslh-fork` forks a new process for each incoming connection.
 It is well-tested and very reliable, but incurs the overhead
 of many processes.  
 If you are going to use `sslh` for a "small" setup (less than
 a dozen ssh connections and a low-traffic https server) then
 `sslh-fork` is probably more suited for you. 
 * `sslh-select` uses only one thread, which monitors all connections
 at once. It is more recent and less tested, but only incurs a 16
 byte overhead per connection. Also, if it stops, you'll lose all
 connections, which means you can't upgrade it remotely.  
 If you are going to use `sslh` on a "medium" setup (a few thousand ssh
 connections, and another few thousand ssl connections),
 `sslh-select` will be better.
 If you have a very large site (tens of thousands of connections),
 you'll need a vapourware version that would use libevent or
 something like that.
 Installation
 ------------
 * In general:
 		make
 		cp sslh-fork /usr/local/sbin/sslh
 		cp basic.cfg /etc/sslh.cfg
                vi /etc/sslh.cfg
 * For Debian:
 		cp scripts/etc.init.d.sslh /etc/init.d/sslh
 * For CentOS:
 		cp scripts/etc.rc.d.init.d.sslh.centos /etc/rc.d/init.d/sslh
 You might need to create links in /etc/rc<x>.d so that the server
 start automatically at boot-up, e.g. under Debian:
 	update-rc.d sslh defaults
 Configuration
 =============
 If you use the scripts provided, sslh will get its
 configuration from /etc/sslh.cfg. Please refer to
 example.cfg for an overview of all the settings.
 A good scheme is to use the external name of the machine in
 `listen`, and bind `httpd` to `localhost:443` (instead of all
 binding to all interfaces): that way, HTTPS connections
 coming from inside your network don't need to go through
 `sslh`, and `sslh` is only there as a frontal for connections
 coming from the internet.
 Note that 'external name' in this context refers to the
 actual IP address of the machine as seen from your network,
 i.e. that that is not `127.0.0.1` in the output of
 `ifconfig(8)`.
 Libwrap support
 ---------------
 Sslh can optionnaly perform `libwrap` checks for the sshd
 service: because the connection to `sshd` will be coming
 locally from `sslh`, `sshd` cannot determine the IP of the
 client.
 OpenVPN support
 ---------------
 OpenVPN clients connecting to OpenVPN running with
 `-port-share` reportedly take more than one second between
 the time the TCP connexion is established and the time they
 send the first data packet. This results in `sslh` with
 default settings timing out and assuming an SSH connexion.
 To support OpenVPN connexions reliably, it is necessary to
 increase `sslh`'s timeout to 5 seconds.
 Instead of using OpenVPN's port sharing, it is more reliable
 to use `sslh`'s `--openvpn` option to get `sslh` to do the
 port sharing.
 Using proxytunnel with sslh
 ---------------------------
 If you are connecting through a proxy that checks that the
 outgoing connection really is SSL and rejects SSH, you can
 encapsulate all your traffic in SSL using `proxytunnel` (this
 should work with `corkscrew` as well). On the server side you
 receive the traffic with `stunnel` to decapsulate SSL, then
 pipe through `sslh` to switch HTTP on one side and SSL on the
 other.
 In that case, you end up with something like this:
 	ssh -> proxytunnel -e ----[ssh/ssl]---> stunnel ---[ssh]---> sslh --> sshd
 	Web browser -------------[http/ssl]---> stunnel ---[http]--> sslh --> httpd
 Configuration goes like this on the server side, using `stunnel3`:
 	stunnel -f -p mycert.pem  -d thelonious:443 -l /usr/local/sbin/sslh -- \
 		sslh -i  --http localhost:80 --ssh localhost:22
 * stunnel options:
  * `-f` for foreground/debugging
  * `-p` for specifying the key and certificate
  * `-d` for specifying which interface and port
 	we're listening to for incoming connexions
  * `-l` summons `sslh` in inetd mode.
 * sslh options:
  * `-i` for inetd mode
  * `--http` to forward HTTP connexions to port 80,
 	and SSH connexions to port 22.
 Capabilities support
 --------------------
 On Linux (only?), you can compile sslh with `USELIBCAP=1` to
 make use of POSIX capabilities; this will save the required
 capabilities needed for transparent proxying for unprivileged
 processes.
 Alternatively, you may use filesystem capabilities instead
 of starting sslh as root and asking it to drop privileges.
 You will need `CAP_NET_BIND_SERVICE` for listening on port 443
 and `CAP_NET_ADMIN` for transparent proxying (see
 `capabilities(7)`).
 You can use the `setcap(8)` utility to give these capabilities
 to the executable:
 	# setcap cap_net_bind_service,cap_net_admin+pe sslh-select
 Then you can run sslh-select as an unpriviledged user, e.g.:
 	$ sslh-select -p myname:443 --ssh localhost:22 --ssl localhost:443
 Caveat: `CAP_NET_ADMIN` does give sslh too many rights, e.g.
 configuring the interface. If you're not going to use
 transparent proxying, just don't use it (or use the libcap method).
 Transparent proxy support
 -------------------------
 On Linux and FreeBSD you can use the `--transparent` option to
 request transparent proxying. This means services behind `sslh`
 (Apache, `sshd` and so on) will see the external IP and ports
 as if the external world connected directly to them. This
 simplifies IP-based access control (or makes it possible at
 all).
 Linux:
 `sslh` needs extended rights to perform this: you'll need to
 give it `CAP_NET_ADMIN` capabilities (see appropriate chapter)
 or run it as root (but don't do that).
 The firewalling tables also need to be adjusted as follow.
 The example connects to HTTPS on 4443 -- adapt to your needs ;
 I don't think it is possible to have `httpd` listen to 443 in
 this scheme -- let me know if you manage that:
 	# iptables -t mangle -N SSLH
 	# iptables -t mangle -A  OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH
 	# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
 	# iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
 	# iptables -t mangle -A SSLH --jump ACCEPT
 	# ip rule add fwmark 0x1 lookup 100
 	# ip route add local 0.0.0.0/0 dev lo table 100
 Tranparent proxying with IPv6 is similarly set up as follows:
        # ip6tables -t mangle -N SSLH
        # ip6tables -t mangle -A  OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH
        # ip6tables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
        # ip6tables -t mangle -A SSLH --jump MARK --set-mark 0x1
        # ip6tables -t mangle -A SSLH --jump ACCEPT
        # ip -6 rule add fwmark 0x1 lookup 100
        # ip -6 route add local ::/0 dev lo table 100
 Note that these rules will prevent from connecting directly
 to ssh on the port 22, as packets coming out of sshd will be
 tagged. If you need to retain direct access to ssh on port
 22 as well as through sslh, you can make sshd listen to
 22 AND another port (e.g. 2222), and change the above rules
 accordingly.
 FreeBSD:
 Given you have no firewall defined yet, you can use the following configuration
 to have ipfw properly redirect traffic back to sslh
 	/etc/rc.conf
 	firewall_enable="YES"
 	firewall_type="open"
 	firewall_logif="YES"
 	firewall_coscripts="/etc/ipfw/sslh.rules"
 /etc/ipfw/sslh.rules
 	#! /bin/sh
 	# ssl
 	ipfw add 20000 fwd 192.0.2.1,443 log tcp from 192.0.2.1 8443 to any out
 	ipfw add 20010 fwd 2001:db8::1,443 log tcp from 2001:db8::1 8443 to any out
 	# ssh
 	ipfw add 20100 fwd 192.0.2.1,443 log tcp from 192.0.2.1 8022 to any out
 	ipfw add 20110 fwd 2001:db8::1,443 log tcp from 2001:db8::1 8022 to any out
 	# xmpp
 	ipfw add 20200 fwd 192.0.2.1,443 log tcp from 192.0.2.1 5222 to any out
 	ipfw add 20210 fwd 2001:db8::1,443 log tcp from 2001:db8::1 5222 to any out
 	# openvpn (running on other internal system)
 	ipfw add 20300 fwd 192.0.2.1,443 log tcp from 198.51.100.7 1194 to any out
 	ipfw add 20310 fwd 2001:db8::1,443 log tcp from 2001:db8:1::7 1194 to any out
 General notes:
 This will only work if `sslh` does not use any loopback
 addresses (no `127.0.0.1` or `localhost`), you'll need to use
 explicit IP addresses (or names):
 	sslh --listen 192.168.0.1:443 --ssh 192.168.0.1:22 --ssl 192.168.0.1:4443
 This will not work:
 	sslh --listen 192.168.0.1:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:4443
 Fail2ban
 --------
 If using transparent proxying, just use the standard ssh
 rules. If you can't or don't want to use transparent
 proxying, you can set `fail2ban` rules to block repeated ssh
 connections from a same IP address (obviously this depends
 on the site, there might be legimite reasons you would get
 many connections to ssh from the same IP address...)
 See example files in scripts/fail2ban.
 Comments? Questions?
 ====================
 You can subscribe to the `sslh` mailing list here:
 <http://rutschle.net/cgi-bin/mailman/listinfo/sslh>
 This mailing list should be used for discussion, feature
 requests, and will be the prefered channel for announcements.
--- a/25
+++ b/25
@ -0,0 +1,25 @@
 Here's a list of features that have been suggested or
 sometimes requested. This list is not a roadmap and
 shouldn't be construed to mean that any of this will happen.
 - configurable behaviour depending on services (e.g.
  select() for ssl but fork() for ssh).
 - have certain services available only from specified subnets
 - some sort of "service knocking" allowing to activate a
  service upon some external even, similar to port knocking;
 for example, go to a specific URL to enable sslh forwarding
 to sshd for a set period of time:
    * sslh listens on 443 and only directs to httpd
    * user goes somewhere to https://example.org/open_ssh.cgi
    * open_ssh.cgi tells sslh
    * sslh starts checking if incoming connections are ssh, and
    if they are, forward to sshd
    * 10 minutes later, sslh stops forwarding to ssh
 That would make it almost impossible for an observer
 (someone who'd telnet regularly on 443) to ever notice both
 services are available on 443.
--- a/basic.cfg
+++ b/basic.cfg
@ -0,0 +1,29 @@
 # This is a basic configuration file that should provide
 # sensible values for "standard" setup.
 verbose: false;
 foreground: false;
 inetd: false;
 numeric: false;
 transparent: false;
 timeout: "2";
 user: "nobody";
 pidfile: "/var/run/sslh.pid";
 # Change hostname with your external address name.
 listen:
 (
    { host: "thelonious"; port: "443"; }
 );
 protocols:
 (
     { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; },
     { name: "openvpn"; host: "localhost"; port: "1194"; },
     { name: "xmpp"; host: "localhost"; port: "5222"; },
     { name: "http"; host: "localhost"; port: "80"; },
     { name: "ssl"; host: "localhost"; port: "443"; log_level: 0; },
     { name: "anyprot"; host: "localhost"; port: "443"; }
 );
--- a/common.c
+++ b/common.c
@ -0,0 +1,654 @@
 /* Code and variables that is common to both fork and select-based
 * servers.
 *
 * No code here should assume whether sockets are blocking or not.
 **/
 #define _GNU_SOURCE
 #include <stdarg.h>
 #include <grp.h>
 #include "common.h"
 #include "probe.h"
 /* Added to make the code compilable under CYGWIN 
 * */
 #ifndef SA_NOCLDWAIT
 #define SA_NOCLDWAIT 0
 #endif
 /* 
 * Settings that depend on the command line.  They're set in main(), but also
 * used in other places in common.c, and it'd be heavy-handed to pass it all as
 * parameters
 */
 int verbose = 0;
 int probing_timeout = 2;
 int inetd = 0;
 int foreground = 0;
 int background = 0;
 int transparent = 0;
 int numeric = 0;
 const char *user_name, *pid_file;
 struct addrinfo *addr_listen = NULL; /* what addresses do we listen to? */
 #ifdef LIBWRAP
 #include <tcpd.h>
 int allow_severity =0, deny_severity = 0;
 #endif
 /* check result and die, printing the offending address and error */
 void check_res_dumpdie(int res, struct addrinfo *addr, char* syscall)
 {
    char buf[NI_MAXHOST];
    if (res == -1) {
        fprintf(stderr, "%s:%s: %s\n", 
                sprintaddr(buf, sizeof(buf), addr), 
                syscall, 
                strerror(errno));
        exit(1);
    }
 }
 /* Starts listening sockets on specified addresses.
 * IN: addr[], num_addr
 * OUT: *sockfd[]  pointer to newly-allocated array of file descriptors
 * Returns number of addresses bound
 * Bound file descriptors are returned in newly-allocated *sockfd pointer
   */
 int start_listen_sockets(int *sockfd[], struct addrinfo *addr_list)
 {
   struct sockaddr_storage *saddr;
   struct addrinfo *addr;
   int i, res, one;
   int num_addr = 0;
   for (addr = addr_list; addr; addr = addr->ai_next)
       num_addr++;
   if (verbose)
       fprintf(stderr, "listening to %d addresses\n", num_addr);
   *sockfd = malloc(num_addr * sizeof(*sockfd[0]));
   for (i = 0, addr = addr_list; i < num_addr && addr; i++, addr = addr->ai_next) {
       if (!addr) {
           fprintf(stderr, "FATAL: Inconsistent listen number. This should not happen.\n");
           exit(1);
       }
       saddr = (struct sockaddr_storage*)addr->ai_addr;
       (*sockfd)[i] = socket(saddr->ss_family, SOCK_STREAM, 0);
       check_res_dumpdie((*sockfd)[i], addr, "socket");
       one = 1;
       res = setsockopt((*sockfd)[i], SOL_SOCKET, SO_REUSEADDR, (char*)&one, sizeof(one));
       check_res_dumpdie(res, addr, "setsockopt(SO_REUSEADDR)");
       if (IP_FREEBIND) {
           res = setsockopt((*sockfd)[i], IPPROTO_IP, IP_FREEBIND, (char*)&one, sizeof(one));
           check_res_dumpdie(res, addr, "setsockopt(IP_FREEBIND)");
       }
       res = bind((*sockfd)[i], addr->ai_addr, addr->ai_addrlen);
       check_res_dumpdie(res, addr, "bind");
       res = listen ((*sockfd)[i], 50);
       check_res_dumpdie(res, addr, "listen");
   }
   return num_addr;
 }
 /* Transparent proxying: bind the peer address of fd to the peer address of
 * fd_from */
 #define IP_TRANSPARENT 19
 int bind_peer(int fd, int fd_from)
 {
    struct addrinfo from;
    struct sockaddr_storage ss;
    int res, trans = 1;
    memset(&from, 0, sizeof(from));
    from.ai_addr = (struct sockaddr*)&ss;
    from.ai_addrlen = sizeof(ss);
    /* getpeername can fail with ENOTCONN if connection was dropped before we
     * got here */
    res = getpeername(fd_from, from.ai_addr, &from.ai_addrlen);
    CHECK_RES_RETURN(res, "getpeername");
 #ifndef IP_BINDANY /* use IP_TRANSPARENT */
    res = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &trans, sizeof(trans));
    CHECK_RES_DIE(res, "setsockopt");
 #else
    if (from.ai_addr->sa_family==AF_INET) { /* IPv4 */
        res = setsockopt(fd, IPPROTO_IP, IP_BINDANY, &trans, sizeof(trans));
        CHECK_RES_RETURN(res, "setsockopt IP_BINDANY");
 #ifdef IPV6_BINDANY
    } else { /* IPv6 */
        res = setsockopt(fd, IPPROTO_IPV6, IPV6_BINDANY, &trans, sizeof(trans));
        CHECK_RES_RETURN(res, "setsockopt IPV6_BINDANY");
 #endif /* IPV6_BINDANY */
    }
 #endif /* IP_TRANSPARENT / IP_BINDANY */
    res = bind(fd, from.ai_addr, from.ai_addrlen);
    CHECK_RES_RETURN(res, "bind");
    return 0;
 }
 /* Connect to first address that works and returns a file descriptor, or -1 if
 * none work. 
 * If transparent proxying is on, use fd_from peer address on external address
 * of new file descriptor. */
 int connect_addr(struct connection *cnx, int fd_from)
 {
    struct addrinfo *a, from;
    struct sockaddr_storage ss;
    char buf[NI_MAXHOST];
    int fd, res;
    memset(&from, 0, sizeof(from));
    from.ai_addr = (struct sockaddr*)&ss;
    from.ai_addrlen = sizeof(ss);
    res = getpeername(fd_from, from.ai_addr, &from.ai_addrlen);
    CHECK_RES_RETURN(res, "getpeername");
    for (a = cnx->proto->saddr; a; a = a->ai_next) {
        /* When transparent, make sure both connections use the same address family */
        if (transparent && a->ai_family != from.ai_addr->sa_family)
            continue;
        if (verbose) 
            fprintf(stderr, "connecting to %s family %d len %d\n", 
                    sprintaddr(buf, sizeof(buf), a),
                    a->ai_addr->sa_family, a->ai_addrlen);
        /* XXX Needs to match ai_family from fd_from when being transparent! */
        fd = socket(a->ai_family, SOCK_STREAM, 0);
        if (fd == -1) {
            log_message(LOG_ERR, "forward to %s failed:socket: %s\n",
                        cnx->proto->description, strerror(errno));
        } else {
            if (transparent) {
                res = bind_peer(fd, fd_from);
                CHECK_RES_RETURN(res, "bind_peer");
            }
            res = connect(fd, a->ai_addr, a->ai_addrlen);
            if (res == -1) {
                log_message(LOG_ERR, "forward to %s failed:connect: %s\n", 
                            cnx->proto->description, strerror(errno));
                close(fd);
            } else {
                return fd;
            }
        }
    }
    return -1;
 }
 /* Store some data to write to the queue later */
 int defer_write(struct queue *q, void* data, int data_size) 
 {
    char *p;
    if (verbose) 
        fprintf(stderr, "**** writing deferred on fd %d\n", q->fd);
    p = realloc(q->begin_deferred_data, q->deferred_data_size + data_size);
    if (!p) {
        perror("realloc");
        exit(1);
    }
    q->deferred_data = q->begin_deferred_data = p;
    p += q->deferred_data_size;
    q->deferred_data_size += data_size;
    memcpy(p, data, data_size);
    return 0;
 }
 /* tries to flush some of the data for specified queue
 * Upon success, the number of bytes written is returned.
 * Upon failure, -1 returned (e.g. connexion closed)
 * */
 int flush_deferred(struct queue *q)
 {
    int n;
    if (verbose)
        fprintf(stderr, "flushing deferred data to fd %d\n", q->fd);
    n = write(q->fd, q->deferred_data, q->deferred_data_size);
    if (n == -1)
        return n;
    if (n == q->deferred_data_size) {
        /* All has been written -- release the memory */
        free(q->begin_deferred_data);
        q->begin_deferred_data = NULL;
        q->deferred_data = NULL;
        q->deferred_data_size = 0;
    } else {
        /* There is data left */
        q->deferred_data += n;
        q->deferred_data_size -= n;
    }
    return n;
 }
 void init_cnx(struct connection *cnx)
 {
    memset(cnx, 0, sizeof(*cnx));
    cnx->q[0].fd = -1;
    cnx->q[1].fd = -1;
    cnx->proto = get_first_protocol();
 }
 void dump_connection(struct connection *cnx)
 {
    printf("state: %d\n", cnx->state);
    printf("fd %d, %d deferred\n", cnx->q[0].fd, cnx->q[0].deferred_data_size);
    printf("fd %d, %d deferred\n", cnx->q[1].fd, cnx->q[1].deferred_data_size);
 }
 /* 
 * moves data from one fd to other
 *
 * returns number of bytes copied if success
 * returns 0 (FD_CNXCLOSED) if incoming socket closed
 * returns FD_NODATA if no data was available
 * returns FD_STALLED if data was read, could not be written, and has been
 * stored in temporary buffer.
 */
 int fd2fd(struct queue *target_q, struct queue *from_q)
 {
   char buffer[BUFSIZ];
   int target, from, size_r, size_w;
   target = target_q->fd;
   from = from_q->fd;
   size_r = read(from, buffer, sizeof(buffer));
   if (size_r == -1) {
       switch (errno) {
       case EAGAIN:
           if (verbose)
               fprintf(stderr, "reading 0 from %d\n", from);
           return FD_NODATA;
       case ECONNRESET:
       case EPIPE:
           return FD_CNXCLOSED;
       }
   }
   CHECK_RES_RETURN(size_r, "read");
   if (size_r == 0)
      return FD_CNXCLOSED;
   size_w = write(target, buffer, size_r);
   /* process -1 when we know how to deal with it */
   if (size_w == -1) {
       switch (errno) {
       case EAGAIN:
           /* write blocked: Defer data */
           defer_write(target_q, buffer, size_r);
           return FD_STALLED;
       case ECONNRESET:
       case EPIPE:
           /* remove end closed -- drop the connection */
           return FD_CNXCLOSED;
       }
   } else if (size_w < size_r) {
       /* incomplete write -- defer the rest of the data */
       defer_write(target_q, buffer + size_w, size_r - size_w);
       return FD_STALLED;
   }
   CHECK_RES_RETURN(size_w, "write");
   return size_w;
 }
 /* returns a string that prints the IP and port of the sockaddr */
 char* sprintaddr(char* buf, size_t size, struct addrinfo *a)
 {
   char host[NI_MAXHOST], serv[NI_MAXSERV];
   int res;
   res = getnameinfo(a->ai_addr, a->ai_addrlen,
               host, sizeof(host), 
               serv, sizeof(serv), 
               numeric ? NI_NUMERICHOST | NI_NUMERICSERV : 0 );
   if (res) {
       log_message(LOG_ERR, "sprintaddr:getnameinfo: %s\n", gai_strerror(res));
       /* Name resolution failed: do it numerically instead */
       res = getnameinfo(a->ai_addr, a->ai_addrlen,
                         host, sizeof(host), 
                         serv, sizeof(serv), 
                         NI_NUMERICHOST | NI_NUMERICSERV);
       /* should not fail but... */
       if (res) {
           log_message(LOG_ERR, "sprintaddr:getnameinfo(NUM): %s\n", gai_strerror(res));
           strcpy(host, "?");
           strcpy(serv, "?");
       }
   }
   snprintf(buf, size, "%s:%s", host, serv);
   return buf;
 }
 /* Turns a hostname and port (or service) into a list of struct addrinfo 
 * returns 0 on success, -1 otherwise and logs error
 **/
 int resolve_split_name(struct addrinfo **out, const char* host, const char* serv)
 {
   struct addrinfo hint;
   int res;
   memset(&hint, 0, sizeof(hint));
   hint.ai_family = PF_UNSPEC;
   hint.ai_socktype = SOCK_STREAM;
   res = getaddrinfo(host, serv, &hint, out);
   if (res)
      log_message(LOG_ERR, "%s `%s:%s'\n", gai_strerror(res), host, serv);
   return res;
 }
 /* turns a "hostname:port" string into a list of struct addrinfo;
 out: list of newly allocated addrinfo (see getaddrinfo(3)); freeaddrinfo(3) when done
 fullname: input string -- it gets clobbered
 */
 void resolve_name(struct addrinfo **out, char* fullname)
 {
   char *serv, *host, *end;
   int res;
   /* Find port */
   char *sep = strrchr(fullname, ':');
   if (!sep) { /* No separator: parameter is just a port */
      fprintf(stderr, "%s: names must be fully specified as hostname:port\n", fullname);
      exit(1);
   }
   serv = sep+1;
   *sep = 0;
   host = fullname;
   /* If it is a RFC-Compliant IPv6 address ("[1234::12]:443"), remove brackets
    * around IP address */
   if (host[0] == '[') {
       end = strrchr(host, ']');
       if (!end) {
           fprintf(stderr, "%s: no closing bracket in IPv6 address?\n", host);
       }
       host++; /* skip first bracket */
       *end = 0; /* remove last bracket */
   }
   res = resolve_split_name(out, host, serv);
   if (res) {
      fprintf(stderr, "%s `%s'\n", gai_strerror(res), fullname);
      if (res == EAI_SERVICE)
         fprintf(stderr, "(Check you have specified all ports)\n");
      exit(4);
   }
 }
 /* Log to syslog or stderr if foreground */
 void log_message(int type, char* msg, ...)
 {
    va_list ap;
    va_start(ap, msg);
    if (foreground)
        vfprintf(stderr, msg, ap);
    else
        vsyslog(type, msg, ap);
    va_end(ap);
 }
 /* syslogs who connected to where */
 void log_connection(struct connection *cnx)
 {
    struct addrinfo addr;
    struct sockaddr_storage ss;
 #define MAX_NAMELENGTH (NI_MAXHOST + NI_MAXSERV + 1)
    char peer[MAX_NAMELENGTH], service[MAX_NAMELENGTH],
        local[MAX_NAMELENGTH], target[MAX_NAMELENGTH];
    int res;
    if (cnx->proto->log_level < 1)
        return;
    addr.ai_addr = (struct sockaddr*)&ss;
    addr.ai_addrlen = sizeof(ss);
    res = getpeername(cnx->q[0].fd, addr.ai_addr, &addr.ai_addrlen);
    if (res == -1) return; /* Can happen if connection drops before we get here. 
                               In that case, don't log anything (there is no connection) */
    sprintaddr(peer, sizeof(peer), &addr);
    addr.ai_addrlen = sizeof(ss);
    res = getsockname(cnx->q[0].fd, addr.ai_addr, &addr.ai_addrlen);
    if (res == -1) return;
    sprintaddr(service, sizeof(service), &addr);
    addr.ai_addrlen = sizeof(ss);
    res = getpeername(cnx->q[1].fd, addr.ai_addr, &addr.ai_addrlen);
    if (res == -1) return;
    sprintaddr(target, sizeof(target), &addr);
    addr.ai_addrlen = sizeof(ss);
    res = getsockname(cnx->q[1].fd, addr.ai_addr, &addr.ai_addrlen);
    if (res == -1) return;
    sprintaddr(local, sizeof(local), &addr);
    log_message(LOG_INFO, "%s:connection from %s to %s forwarded from %s to %s\n",
                cnx->proto->description,
                peer,
                service,
                local,
                target);
 }
 /* libwrap (tcpd): check the connection is legal. This is necessary because
 * the actual server will only see a connection coming from localhost and can't
 * apply the rules itself.
 *
 * Returns -1 if access is denied, 0 otherwise
 */
 int check_access_rights(int in_socket, const char* service)
 {
 #ifdef LIBWRAP
    union {
        struct sockaddr saddr;
        struct sockaddr_storage ss;
    } peer;
    socklen_t size = sizeof(peer);
    char addr_str[NI_MAXHOST], host[NI_MAXHOST];
    int res;
    res = getpeername(in_socket, &peer.saddr, &size);
    CHECK_RES_RETURN(res, "getpeername");
    /* extract peer address */
    res = getnameinfo(&peer.saddr, size, addr_str, sizeof(addr_str), NULL, 0, NI_NUMERICHOST);
    if (res) {
        if (verbose)
            fprintf(stderr, "getnameinfo(NI_NUMERICHOST):%s\n", gai_strerror(res));
        strcpy(addr_str, STRING_UNKNOWN);
    }
    /* extract peer name */
    strcpy(host, STRING_UNKNOWN);
    if (!numeric) {
        res = getnameinfo(&peer.saddr, size, host, sizeof(host), NULL, 0, NI_NAMEREQD);
        if (res) {
            if (verbose)
                fprintf(stderr, "getnameinfo(NI_NAMEREQD):%s\n", gai_strerror(res));
        }
    }
    if (!hosts_ctl(service, host, addr_str, STRING_UNKNOWN)) {
        if (verbose)
            fprintf(stderr, "access denied\n");
        log_message(LOG_INFO, "connection from %s(%s): access denied", host, addr_str);
        close(in_socket);
        return -1;
    }
 #endif
    return 0;
 }
 void setup_signals(void)
 {
    int res;
    struct sigaction action;
    /* Request no SIGCHLD is sent upon termination of
     * the children */
    memset(&action, 0, sizeof(action));
    action.sa_handler = NULL;
    action.sa_flags = SA_NOCLDWAIT;
    res = sigaction(SIGCHLD, &action, NULL);
    CHECK_RES_DIE(res, "sigaction");
    /* Set SIGTERM to exit. For some reason if it's not set explicitly,
     * coverage information is lost when killing the process */
    memset(&action, 0, sizeof(action));
    action.sa_handler = exit;
    res = sigaction(SIGTERM, &action, NULL);
    CHECK_RES_DIE(res, "sigaction");
    /* Ignore SIGPIPE . */
    action.sa_handler = SIG_IGN;
    res = sigaction(SIGPIPE, &action, NULL);
    CHECK_RES_DIE(res, "sigaction");
 }
 /* Open syslog connection with appropriate banner; 
 * banner is made up of basename(bin_name)+"[pid]" */
 void setup_syslog(const char* bin_name) {
    char *name1, *name2;
    int res;
    name1 = strdup(bin_name);
    res = asprintf(&name2, "%s[%d]", basename(name1), getpid());
    CHECK_RES_DIE(res, "asprintf");
    openlog(name2, LOG_CONS, LOG_AUTH);
    free(name1); 
    /* Don't free name2, as openlog(3) uses it (at least in glibc) */
    log_message(LOG_INFO, "%s %s started\n", server_type, VERSION);
 }
 /* Ask OS to keep capabilities over a setuid(nonzero) */
 void set_keepcaps(int val) {
 #ifdef LIBCAP
    int res;
    res = prctl(PR_SET_KEEPCAPS, val, 0, 0, 0);
    if (res) {
        perror("prctl");
        exit(1);
    }
 #endif
 }
 /* set needed capabilities for effective and permitted, clear rest */
 void set_capabilities(void) {
 #ifdef LIBCAP
    int res;
    cap_t caps;
    cap_value_t cap_list[10];
    int ncap = 0;
    if (transparent)
        cap_list[ncap++] = CAP_NET_ADMIN;
    caps = cap_init();
 #define _cap_set_flag(flag) do { \
        res = cap_clear_flag(caps, flag); \
        CHECK_RES_DIE(res, "cap_clear_flag(" #flag ")"); \
        if (ncap > 0) { \
            res = cap_set_flag(caps, flag, ncap, cap_list, CAP_SET); \
            CHECK_RES_DIE(res, "cap_set_flag(" #flag ")"); \
        } \
    } while(0)
    _cap_set_flag(CAP_EFFECTIVE);
    _cap_set_flag(CAP_PERMITTED);
 #undef _cap_set_flag
    res = cap_set_proc(caps);
    CHECK_RES_DIE(res, "cap_set_proc");
    res = cap_free(caps);
    if (res) {
        perror("cap_free");
        exit(1);
    }
 #endif
 }
 /* We don't want to run as root -- drop privileges if required */
 void drop_privileges(const char* user_name)
 {
    int res;
    struct passwd *pw = getpwnam(user_name);
    if (!pw) {
        fprintf(stderr, "%s: not found\n", user_name);
        exit(2);
    }
    if (verbose)
        fprintf(stderr, "turning into %s\n", user_name);
    set_keepcaps(1);
    /* remove extraneous groups in case we belong to several extra groups that
     * may have unwanted rights. If non-root when calling setgroups(), it
     * fails, which is fine because... we have no unwanted rights 
     * (see POS36-C for security context)
     * */
    setgroups(0, NULL);
    res = setgid(pw->pw_gid);
    CHECK_RES_DIE(res, "setgid");
    res = setuid(pw->pw_uid);
    CHECK_RES_DIE(res, "setuid");
    set_capabilities();
    set_keepcaps(0);
 }
 /* Writes my PID */
 void write_pid_file(const char* pidfile)
 {
    FILE *f;
    f = fopen(pidfile, "w");
    if (!f) {
        perror(pidfile);
        exit(3);
    }
    fprintf(f, "%d\n", getpid());
    fclose(f);
 }
--- a/common.h
+++ b/common.h
@ -0,0 +1,129 @@
 #ifndef __COMMON_H_
 #define __COMMON_H_
 /* FD_SETSIZE is 64 on Cygwin, which is really low. Just redefining it is
 * enough for the macros to adapt (http://support.microsoft.com/kb/111855)
 */
 #ifdef __CYGWIN__
 #define FD_SETSIZE 4096
 #endif
 #define _GNU_SOURCE
 #include <sys/types.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <string.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <signal.h>
 #include <sys/socket.h>
 #include <sys/wait.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <netdb.h>
 #include <pwd.h>
 #include <syslog.h>
 #include <libgen.h>
 #include <time.h>
 #include <getopt.h>
 #ifdef LIBCAP
 #include <sys/prctl.h>
 #include <sys/capability.h>
 #endif
 #include "version.h"
 #define CHECK_RES_DIE(res, str) \
    if (res == -1) {    \
       perror(str);     \
       exit(1);         \
    }
 #define CHECK_RES_RETURN(res, str) \
    if (res == -1) {                                    \
        log_message(LOG_CRIT, "%s:%d:%s\n", str, errno, strerror(errno));  \
        return res;                                     \
    } 
 #define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))
 #if 1
 #define TRACE fprintf(stderr, "%s:%d\n", __FILE__, __LINE__);
 #else
 #define TRACE
 #endif
 #ifndef IP_FREEBIND
 #define IP_FREEBIND 0
 #endif
 enum connection_state {
    ST_PROBING=1,    /* Waiting for timeout to find where to forward */
    ST_SHOVELING   /* Connexion is established */
 };
 /* this is used to pass protocols through the command-line parameter parsing */
 #define PROT_SHIFT 1000  /* protocol options will be 1000, 1001, etc */
 /* A 'queue' is composed of a file descriptor (which can be read from or
 * written to), and a queue for deferred write data */
 struct queue {
    int fd;
    void *begin_deferred_data;
    void *deferred_data;
    int deferred_data_size;
 };
 struct connection {
    enum connection_state state;
    time_t probe_timeout;
    struct proto *proto;
    /* q[0]: queue for external connection (client);
     * q[1]: queue for internal connection (httpd or sshd);
     * */
    struct queue q[2];
 };
 #define FD_CNXCLOSED    0
 #define FD_NODATA       -1
 #define FD_STALLED      -2
 /* common.c */
 void init_cnx(struct connection *cnx);
 int connect_addr(struct connection *cnx, int fd_from);
 int fd2fd(struct queue *target, struct queue *from);
 char* sprintaddr(char* buf, size_t size, struct addrinfo *a);
 void resolve_name(struct addrinfo **out, char* fullname);
 void log_connection(struct connection *cnx);
 int check_access_rights(int in_socket, const char* service);
 void setup_signals(void);
 void setup_syslog(const char* bin_name);
 void drop_privileges(const char* user_name);
 void write_pid_file(const char* pidfile);
 void log_message(int type, char* msg, ...);
 void dump_connection(struct connection *cnx);
 int resolve_split_name(struct addrinfo **out, const char* hostname, const char* port);
 int start_listen_sockets(int *sockfd[], struct addrinfo *addr_list);
 int defer_write(struct queue *q, void* data, int data_size);
 int flush_deferred(struct queue *q);
 extern int probing_timeout, verbose, inetd, foreground, 
       background, transparent, numeric;
 extern struct sockaddr_storage addr_ssl, addr_ssh, addr_openvpn;
 extern struct addrinfo *addr_listen;
 extern const char* USAGE_STRING;
 extern const char* user_name, *pid_file;
 extern const char* server_type;
 /* sslh-fork.c */
 void start_shoveler(int);
 void main_loop(int *listen_sockets, int num_addr_listen);
 #endif
--- a/echosrv.c
+++ b/echosrv.c
@ -0,0 +1,160 @@
 /* echosrv: a simple line echo server with optional prefix adding.
 *
 * echsrv --listen localhost6:1234 --prefix "ssl: "
 *
 * This will bind to 1234, and echo every line pre-pending "ssl: ". This is
 * used for testing: we create several such servers with different prefixes,
 * then we connect test clients that can then check they get the proper data
 * back (thus testing that shoveling works both ways) with the correct prefix
 * (thus testing it connected to the expected service).
 * **/
 #define _GNU_SOURCE
 #include <sys/types.h>
 #include <fcntl.h>
 #include <string.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <signal.h>
 #include <sys/socket.h>
 #include <sys/wait.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <netdb.h>
 #include <pwd.h>
 #include <syslog.h>
 #include <libgen.h>
 #include <getopt.h>
 #include "common.h"
 /* Added to make the code compilable under CYGWIN 
 * */
 #ifndef SA_NOCLDWAIT
 #define SA_NOCLDWAIT 0
 #endif
 const char* USAGE_STRING =
 "echosrv\n" \
 "usage:\n" \
 "\techosrv  [-v] --listen <address:port> [--prefix <prefix>]\n"
 "-v: verbose\n" \
 "--listen: address to listen on. Can be specified multiple times.\n" \
 "--prefix: add specified prefix before every line echoed.\n"
 "";
 const char* server_type = "echsrv"; /* keep setup_syslog happy */
 /* 
 * Settings that depend on the command line. 
 */
 char* prefix = "";
 int port;
 void parse_cmdline(int argc, char* argv[])
 {
    int c;
    struct option options[] = {
        { "verbose",    no_argument,            &verbose,       1 },
        { "numeric",    no_argument,            &numeric,       1 },
        { "listen",     required_argument,      0,              'l' },
        { "prefix",     required_argument,      0,              'p' },
    };
    struct addrinfo **a;
    while ((c = getopt_long_only(argc, argv, "l:p:", options, NULL)) != -1) {
        if (c == 0) continue;
        switch (c) {
        case 'l':
            /* find the end of the listen list */
            for (a = &addr_listen; *a; a = &((*a)->ai_next));
            /* append the specified addresses */
            resolve_name(a, optarg);
            break;
        case 'p':
            prefix = optarg;
            break;
        default:
            fprintf(stderr, "%s", USAGE_STRING);
            exit(2);
        }
    }
    if (!addr_listen) {
        fprintf(stderr, "No listening port specified\n");
        exit(1);
    }
 }
 void start_echo(int fd)
 {
    int res;
    char buffer[1 << 20];
    int ret, prefix_len;
    prefix_len = strlen(prefix);
    memset(buffer, 0, sizeof(buffer));
    strcpy(buffer, prefix);
    while (1) {
        ret = read(fd, buffer + prefix_len, sizeof(buffer));
        if (ret == -1) {
            fprintf(stderr, "%s", strerror(errno));
            return;
        }
        res = write(fd, buffer, ret + prefix_len);
        if (res < 0) {
            fprintf(stderr, "%s", strerror(errno));
            return;
        }
    }
 }
 void main_loop(int listen_sockets[], int num_addr_listen)
 {
    int in_socket, i;
    for (i = 0; i < num_addr_listen; i++) {
        if (!fork()) {
            while (1)
            {
                in_socket = accept(listen_sockets[i], 0, 0);
                if (verbose) fprintf(stderr, "accepted fd %d\n", in_socket);
                if (!fork())
                {
                    close(listen_sockets[i]);
                    start_echo(in_socket);
                    exit(0);
                }
                close(in_socket);
            }
        }
    }
    wait(NULL);
 }
 int main(int argc, char *argv[])
 {
   extern char *optarg;
   extern int optind;
   int num_addr_listen;
   int *listen_sockets;
   parse_cmdline(argc, argv);
   num_addr_listen = start_listen_sockets(&listen_sockets, addr_listen);
   main_loop(listen_sockets, num_addr_listen);
   return 0;
 }
--- a/example.cfg
+++ b/example.cfg
@ -0,0 +1,87 @@
 # This file is provided as documentation to show what is
 # possible. It should not be used as-is, and probably should
 # not be used as a starting point for a working
 # configuration. Instead use basic.cfg.
 verbose: true;
 foreground: true;
 inetd: false;
 numeric: false;
 transparent: false;
 timeout: "2";
 user: "nobody";
 pidfile: "/var/run/sslh.pid";
 # List of interfaces on which we should listen
 listen:
 (
    { host: "thelonious"; port: "443"; },
    { host: "thelonious"; port: "8080"; }
 );
 # List of protocols
 #
 # Each protocol entry consists of:
 #   name: name of the probe. These are listed on the command
 #   line (ssh -?), plus 'regex' and 'timeout'.
 #   service: (optional) libwrap service name (see hosts_access(5))
 #   host, port: where to connect when this probe succeeds
 #
 #  Probe-specific options:
 #       tls:
 #               sni_hostnames:  list of FQDN for that target
 #               alpn_protocols: list of ALPN protocols for that target, see:
 #               https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
 #
 #               if both sni_hostnames AND alpn_protocols are specified, both must match
 #               if neither are set, it is just checked whether this is the TLS protocol or not
 #       regex:
 #               regex_patterns: list of patterns to match for
 #               that target.
 #   
 # sslh will try each probe in order they are declared, and
 # connect to the first that matches.
 #
 # You can specify several of 'regex' and 'tls'.
 protocols:
 (
     { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; },
     { name: "http"; host: "localhost"; port: "80"; },
 # match BOTH ALPN/SNI
     { name: "tls"; host: "localhost"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; sni_hostnames: [ "im.somethingelse.net" ]; log_level: 0;},
 # just match ALPN
     { name: "tls"; host: "localhost"; port: "443"; alpn_protocols: [ "h2", "http/1.1", "spdy/1", "spdy/2", "spdy/3" ]; log_level: 0; },
     { name: "tls"; host: "localhost"; port: "xmpp-client"; alpn_protocols: [ "xmpp-client" ];  log_level: 0;},
 # just match SNI
     { name: "tls"; host: "localhost"; port: "993"; sni_hostnames: [ "mail.rutschle.net", "mail.englishintoulouse.com" ]; log_level: 0; },
     { name: "tls"; host: "localhost"; port: "xmpp-client"; sni_hostnames: [ "im.rutschle.net", "im.englishintoulouse.com" ];  log_level: 0;},
 # catch anything else TLS
     { name: "tls"; host: "localhost"; port: "443"; },
 # OpenVPN
     { name: "regex"; host: "localhost"; port: "1194"; regex_patterns: [ "^\x00[\x0D-\xFF]$", "^\x00[\x0D-\xFF]\x38" ]; },
 # Jabber
     { name: "regex"; host: "localhost"; port: "5222"; regex_patterns: [ "jabber" ]; },
 # Catch-all
     { name: "regex"; host: "localhost"; port: "443"; regex_patterns: [ "" ]; },
 # Where to connect in case of timeout (defaults to ssh)
     { name: "timeout"; service: "daytime"; host: "localhost"; port: "daytime"; }
 );
 # Optionally, specify to which protocol to connect in case
 # of timeout (defaults to "ssh").
 # You can timeout to any arbitrary address by setting an
 # entry in 'protocols' named "timeout".
 # This enables you to set a tcpd service name for this
 # protocol too.
 on-timeout: "timeout";
--- a/genver.sh
+++ b/genver.sh
@ -0,0 +1,49 @@
 #! /bin/sh
 if [ ${#} -eq 1 ] && [ "x$1" = "x-r" ]; then
 	# release text only
 	QUIET=1
 else
 	QUIET=0
 fi
 if ! `(git status | grep -q "On branch") 2> /dev/null`; then
        # If we don't have git, we can't work out what
        # version this is. It must have been downloaded as a
        # zip file. 
        # If downloaded from the release page, the directory
        # has the version number.
        release=`pwd | sed s/.*sslh-// | grep "[[:digit:]]"`
        if [ "x$release" = "x" ]; then
            # If downloaded from the head, Github creates the
            # zip file with all files dated from the last
            # change: use the Makefile's modification time as a
            # release number
            release=head-`perl -MPOSIX -e 'print strftime "%Y-%m-%d",localtime((stat "Makefile")[9])'`
        fi
 fi
 if head=`git rev-parse --verify HEAD 2>/dev/null`; then
 	# generate the version info based on the tag
 	release=`(git describe --tags || git --describe || git describe --all --long) \
 		2>/dev/null | tr -d '\n'`
 	# Are there uncommitted changes?
 	git update-index --refresh --unmerged > /dev/null
 	if git diff-index --name-only HEAD | grep -v "^scripts/package" \
 	    | read dummy; then
 		release="$release-dirty"
 	fi
 fi
 if [ $QUIET -ne 1 ]; then
 	printf "#ifndef _VERSION_H_ \n"
 	printf "#define _VERSION_H_ \n\n"
 	printf "#define VERSION \"$release\"\n"
 	printf "#endif\n"
 else
 	printf "$release\n"
 fi
--- a/probe.c
+++ b/probe.c
@ -0,0 +1,363 @@
 /*
 # probe.c: Code for probing protocols
 #
 # Copyright (C) 2007-2015  Yves Rutschle
 # 
 # This program is free software; you can redistribute it
 # and/or modify it under the terms of the GNU General Public
 # License as published by the Free Software Foundation; either
 # version 2 of the License, or (at your option) any later
 # version.
 # 
 # This program is distributed in the hope that it will be
 # useful, but WITHOUT ANY WARRANTY; without even the implied
 # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 # PURPOSE.  See the GNU General Public License for more
 # details.
 # 
 # The full text for the General Public License is here:
 # http://www.gnu.org/licenses/gpl.html
 */
 #define _GNU_SOURCE
 #include <stdio.h>
 #ifdef LIBPCRE
 #include <regex.h>
 #endif
 #include <ctype.h>
 #include "probe.h"
 static int is_ssh_protocol(const char *p, int len, struct proto*);
 static int is_openvpn_protocol(const char *p, int len, struct proto*);
 static int is_tinc_protocol(const char *p, int len, struct proto*);
 static int is_xmpp_protocol(const char *p, int len, struct proto*);
 static int is_http_protocol(const char *p, int len, struct proto*);
 static int is_tls_protocol(const char *p, int len, struct proto*);
 static int is_adb_protocol(const char *p, int len, struct proto*);
 static int is_true(const char *p, int len, struct proto* proto) { return 1; }
 /* Table of protocols that have a built-in probe
 */
 static struct proto builtins[] = {
    /* description   service  saddr  log_level   probe  */
    { "ssh",         "sshd",   NULL,  1,         is_ssh_protocol},
    { "openvpn",     NULL,     NULL,  1,         is_openvpn_protocol },
    { "tinc",        NULL,     NULL,  1,         is_tinc_protocol },
    { "xmpp",        NULL,     NULL,  1,         is_xmpp_protocol },
    { "http",        NULL,     NULL,  1,         is_http_protocol },
    { "ssl",         NULL,     NULL,  1,         is_tls_protocol },
    { "tls",         NULL,     NULL,  1,         is_tls_protocol },
    { "adb",         NULL,     NULL,  1,         is_adb_protocol },
    { "anyprot",     NULL,     NULL,  1,         is_true }
 };
 static struct proto *protocols;
 static char* on_timeout = "ssh";
 struct proto*  get_builtins(void) {
    return builtins;
 }
 int get_num_builtins(void) {
    return ARRAY_SIZE(builtins);
 }
 /* Sets the protocol name to connect to in case of timeout */
 void set_ontimeout(const char* name)
 {
    int res = asprintf(&on_timeout, "%s", name);
    CHECK_RES_DIE(res, "asprintf");
 }
 /* Returns the protocol to connect to in case of timeout; 
 * if not found, return the first protocol specified 
 */
 struct proto* timeout_protocol(void) 
 {
    struct proto* p = get_first_protocol();
    for (; p && strcmp(p->description, on_timeout); p = p->next);
    if (p) return p;
    return get_first_protocol();
 }
 /* returns the first protocol (caller can then follow the *next pointers) */
 struct proto* get_first_protocol(void)
 {
    return protocols;
 }
 void set_protocol_list(struct proto* prots)
 {
    protocols = prots;
 }
 /* From http://grapsus.net/blog/post/Hexadecimal-dump-in-C */
 #define HEXDUMP_COLS 16
 void hexdump(const char *mem, unsigned int len)
 {
    unsigned int i, j;
    for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++)
    {
        /* print offset */
        if(i % HEXDUMP_COLS == 0)
            printf("0x%06x: ", i);
        /* print hex data */
        if(i < len)
            printf("%02x ", 0xFF & mem[i]);
        else /* end of block, just aligning for ASCII dump */
            printf("   ");
        /* print ASCII dump */
        if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1)) {
            for(j = i - (HEXDUMP_COLS - 1); j <= i; j++) {
                if(j >= len) /* end of block, not really printing */
                    putchar(' ');
                else if(isprint(mem[j])) /* printable char */
                    putchar(0xFF & mem[j]);        
                else /* other char */
                    putchar('.');
            }
            putchar('\n');
        }
    }
 }
 /* Is the buffer the beginning of an SSH connection? */
 static int is_ssh_protocol(const char *p, int len, struct proto *proto)
 {
    if (len < 4)
        return PROBE_AGAIN;
    return !strncmp(p, "SSH-", 4);
 }
 /* Is the buffer the beginning of an OpenVPN connection?
 *
 * Code inspired from OpenVPN port-share option; however, OpenVPN code is
 * wrong: users using pre-shared secrets have non-initialised key_id fields so
 * p[3] & 7 should not be looked at, and also the key_method can be specified
 * to 1 which changes the opcode to P_CONTROL_HARD_RESET_CLIENT_V1.
 * See:
 * http://www.fengnet.com/book/vpns%20illustrated%20tunnels%20%20vpnsand%20ipsec/ch08lev1sec5.html
 * and OpenVPN ssl.c, ssl.h and options.c
 */
 static int is_openvpn_protocol (const char*p,int len, struct proto *proto)
 {
    int packet_len;
    if (len < 2)
        return PROBE_AGAIN;
    packet_len = ntohs(*(uint16_t*)p);
    return packet_len == len - 2;
 }
 /* Is the buffer the beginning of a tinc connections?
 * Protocol is documented here: http://www.tinc-vpn.org/documentation/tinc.pdf
 * First connection starts with "0 " in 1.0.15)
 * */
 static int is_tinc_protocol( const char *p, int len, struct proto *proto)
 {
    if (len < 2)
        return PROBE_AGAIN;
    return !strncmp(p, "0 ", 2);
 }
 /* Is the buffer the beginning of a jabber (XMPP) connections?
 * (Protocol is documented (http://tools.ietf.org/html/rfc6120) but for lazy
 * clients, just checking first frame containing "jabber" in xml entity)
 * */
 static int is_xmpp_protocol( const char *p, int len, struct proto *proto)
 {
    /* sometimes the word 'jabber' shows up late in the initial string,
       sometimes after a newline. this makes sure we snarf the entire preamble
       and detect it. (fixed for adium/pidgin) */
    if (len < 50)
        return PROBE_AGAIN;
    return memmem(p, len, "jabber", 6) ? 1 : 0;
 }
 static int probe_http_method(const char *p, int len, const char *opt)
 {
    if (len < strlen(opt))
        return PROBE_AGAIN;
    return !strncmp(p, opt, len);
 }
 /* Is the buffer the beginning of an HTTP connection?  */
 static int is_http_protocol(const char *p, int len, struct proto *proto)
 {
    int res;
    /* If it's got HTTP in the request (HTTP/1.1) then it's HTTP */
    if (memmem(p, len, "HTTP", 4))
        return PROBE_MATCH;
 #define PROBE_HTTP_METHOD(opt) if ((res = probe_http_method(p, len, opt)) != PROBE_NEXT) return res
    /* Otherwise it could be HTTP/1.0 without version: check if it's got an
     * HTTP method (RFC2616 5.1.1) */
    PROBE_HTTP_METHOD("OPTIONS");
    PROBE_HTTP_METHOD("GET");
    PROBE_HTTP_METHOD("HEAD");
    PROBE_HTTP_METHOD("POST");
    PROBE_HTTP_METHOD("PUT");
    PROBE_HTTP_METHOD("DELETE");
    PROBE_HTTP_METHOD("TRACE");
    PROBE_HTTP_METHOD("CONNECT");
 #undef PROBE_HTTP_METHOD
    return PROBE_NEXT;
 }
 static int is_sni_alpn_protocol(const char *p, int len, struct proto *proto)
 {
    int valid_tls;
    valid_tls = parse_tls_header(proto->data, p, len);
    if(valid_tls < 0)
        return -1 == valid_tls ? PROBE_AGAIN : PROBE_NEXT;
    /* There *was* a valid match */
    return PROBE_MATCH;
 }
 static int is_tls_protocol(const char *p, int len, struct proto *proto)
 {
    if (len < 3)
        return PROBE_AGAIN;
    /* TLS packet starts with a record "Hello" (0x16), followed by version
     * (0x03 0x00-0x03) (RFC6101 A.1)
     * This means we reject SSLv2 and lower, which is actually a good thing (RFC6176)
     */
    return p[0] == 0x16 && p[1] == 0x03 && ( p[2] >= 0 && p[2] <= 0x03);
 }
 static int is_adb_protocol(const char *p, int len, struct proto *proto)
 {
    if (len < 30)
        return PROBE_AGAIN;
    /* The initial ADB host->device packet has a command type of CNXN, and a
     * data payload starting with "host:".  Note that current versions of the
     * client hardcode "host::" (with empty serialno and banner fields) but
     * other clients may populate those fields.
     *
     * We aren't checking amessage.data_length, under the assumption that
     * a packet >= 30 bytes long will have "something" in the payload field.
     */
    return !memcmp(&p[0], "CNXN", 4) && !memcmp(&p[24], "host:", 5);
 }
 static int regex_probe(const char *p, int len, struct proto *proto)
 {
 #ifdef LIBPCRE
    regex_t **probe = proto->data;
    regmatch_t pos = { 0, len };
    for (; *probe && regexec(*probe, p, 0, &pos, REG_STARTEND); probe++)
        /* try them all */;
    return (*probe != NULL);
 #else
    /* Should never happen as we check when loading config file */
    fprintf(stderr, "FATAL: regex probe called but not built in\n");
    exit(5);
 #endif
 }
 /* 
 * Read the beginning of data coming from the client connection and check if
 * it's a known protocol. 
 * Return PROBE_AGAIN if not enough data, or PROBE_MATCH if it succeeded in
 * which case cnx->proto is set to the appropriate protocol.
 */
 int probe_client_protocol(struct connection *cnx)
 {
    char buffer[BUFSIZ];
    struct proto *p;
    int n;
    n = read(cnx->q[0].fd, buffer, sizeof(buffer));
    /* It's possible that read() returns an error, e.g. if the client
     * disconnected between the previous call to select() and now. If that
     * happens, we just connect to the default protocol so the caller of this
     * function does not have to deal with a specific  failure condition (the
     * connection will just fail later normally). */
    if (n > 0) {
        int res = PROBE_NEXT;
        defer_write(&cnx->q[1], buffer, n);
        for (p = cnx->proto; p && res == PROBE_NEXT; p = p->next) {
            if (! p->probe) continue;
            if (verbose) fprintf(stderr, "probing for %s\n", p->description);
            cnx->proto = p;
            res = p->probe(cnx->q[1].begin_deferred_data, cnx->q[1].deferred_data_size, p);
        }
        if (res != PROBE_NEXT)
            return res;
    }
    if (verbose) 
        fprintf(stderr, 
                "all probes failed, connecting to first protocol: %s\n", 
                protocols->description);
    /* If none worked, return the first one affected (that's completely
     * arbitrary) */
    cnx->proto = protocols;
    return PROBE_MATCH;
 }
 /* Returns the structure for specified protocol or NULL if not found */
 static struct proto* get_protocol(const char* description)
 {
    int i;
    for (i = 0; i < ARRAY_SIZE(builtins); i++) {
        if (!strcmp(builtins[i].description, description)) {
            return &builtins[i];
        }
    }
    return NULL;
 }
 /* Returns the probe for specified protocol:
 * parameter is the description in builtins[], or "regex" 
 * */
 T_PROBE* get_probe(const char* description) {
    struct proto* p = get_protocol(description);
    if (p)
        return p->probe;
    /* Special case of "regex" probe (we don't want to set it in builtins
     * because builtins is also used to build the command-line options and
     * regexp is not legal on the command line)*/
    if (!strcmp(description, "regex"))
        return regex_probe;
    /* Special case of "sni/alpn" probe for same reason as above*/
    if (!strcmp(description, "sni_alpn"))
        return is_sni_alpn_protocol;
    /* Special case of "timeout" is allowed as a probe name in the
     * configuration file even though it's not really a probe */
    if (!strcmp(description, "timeout"))
        return is_true;
    return NULL;
 }
--- a/probe.h
+++ b/probe.h
@ -0,0 +1,70 @@
 /* API for probe.c */
 #ifndef __PROBE_H_
 #define __PROBE_H_
 #include "common.h"
 #include "tls.h"
 typedef enum {
    PROBE_NEXT,  /* Enough data, probe failed -- it's some other protocol */
    PROBE_MATCH, /* Enough data, probe successful -- it's the current protocol */
    PROBE_AGAIN, /* Not enough data for this probe, try again with more data */
 } probe_result;
 struct proto;
 typedef int T_PROBE(const char*, int, struct proto*);
 /* For each protocol we need: */
 struct proto {
    const char* description;  /* a string that says what it is (for logging and command-line parsing) */
    const char* service;      /* service name to do libwrap checks */
    struct addrinfo *saddr; /* list of addresses to try and switch that protocol */
    int log_level;  /* 0: No logging of connection
                     * 1: Log incoming connection
                     */
    /* function to probe that protocol; parameters are buffer and length
     * containing the data to probe, and a pointer to the protocol structure */
    T_PROBE* probe;
    /* opaque pointer ; used to pass list of regex to regex probe, or TLSProtocol struct to sni/alpn probe */
    void* data;
    struct proto *next; /* pointer to next protocol in list, NULL if last */
 };
 /* Returns a pointer to the array of builtin protocols */
 struct proto * get_builtins(void);
 /* Returns the number of builtin protocols */
 int get_num_builtins(void);
 /* Returns the probe for specified protocol */
 T_PROBE* get_probe(const char* description);
 /* Returns the head of the configured protocols */
 struct proto* get_first_protocol(void);
 /* Set the list of configured protocols */
 void set_protocol_list(struct proto*);
 /* probe_client_protocol
 *
 * Read the beginning of data coming from the client connection and check if
 * it's a known protocol. Then leave the data on the deferred
 * write buffer of the connection and returns a pointer to the protocol
 * structure
 */
 int probe_client_protocol(struct connection *cnx);
 /* set the protocol to connect to in case of timeout */
 void set_ontimeout(const char* name);
 /* timeout_protocol
 *
 * Returns the protocol to connect to in case of timeout
 */
 struct proto* timeout_protocol(void);
 void hexdump(const char*, unsigned int);
 #endif
--- a/scripts/etc.init.d.sslh
+++ b/scripts/etc.init.d.sslh
@ -0,0 +1,59 @@
 #! /bin/sh
 ### BEGIN INIT INFO
 # Provides:		sslh
 # Required-Start:    $remote_fs $syslog
 # Required-Stop:     $remote_fs $syslog
 # Default-Start:	2 3 4 5
 # Default-Stop:		1
 # Short-Description:	sslh proxy ssl & ssh connections
 ### END INIT INFO
 set -e
 tag=sslh
 facility=user.info
 # /etc/init.d/sslh: start and stop the sslh proxy daemon
 if test -f /etc/default/sslh; then
    . /etc/default/sslh
 fi
 # The prefix is normally filled by make install. If
 # installing by hand, fill it in yourself!
 PREFIX=
 DAEMON=$PREFIX/sbin/sslh 
 start()
 {
        echo "Start services: sslh"
        $DAEMON -F/etc/sslh.cfg
        logger -t ${tag} -p ${facility} -i 'Started sslh'
 }
 stop()
 {
        echo "Stop services: sslh"
 	killall $DAEMON
      	logger -t ${tag} -p ${facility} -i 'Stopped sslh'
 }
 case "$1" in
 	  start)
 		    start
 		    ;;
 	  stop)
 		    stop
 		    ;;
    restart)
 		    stop
 		    sleep 5
 		    start
 		    ;;
 	  *)
 		    echo "Usage: /etc/init.d/sslh {start|stop|restart}" >&2
 		    ;;
 esac
 exit 0
--- a/scripts/etc.rc.d.init.d.sslh.centos
+++ b/scripts/etc.rc.d.init.d.sslh.centos
@ -0,0 +1,75 @@
 #!/bin/bash
 #
 # sslh         Startup script for the SSL/SSH multiplexer
 #
 # chkconfig: - 13 87
 # description: Sslh accepts connections on specified ports, and forwards
 #              them further based on tests performed on the first data
 #              packet sent by the remote client.
 # processname: sslh
 # config: /etc/sslh.cfg
 # config: /etc/sysconfig/sslh
 # pidfile: /var/run/sslh/sslh.pid
 #
 # Authors:
 # Andre Krajnik akrajnik@gmail.com - 2010-03-20
 # Julien Thomas julthomas@free.fr - 2013-08-25
 # Source function library.
 . /etc/init.d/functions
 if [ -f /etc/sysconfig/sslh ]; then
        . /etc/sysconfig/sslh
 fi
 PROGNAME=sslh
 SSLH=${SSLH:-/usr/sbin/sslh-select}
 SSLH_LANG=${SSLH_LANG:-C}
 CONFIG=${CONFIG:-/etc/sslh.cfg}
 PIDFILE=${PIDFILE:-/var/run/sslh/sslh.pid}
 LOCKFILE=${LOCKFILE:-/var/lock/subsys/sslh}
 STOP_TIMEOUT=${STOP_TIMEOUT:-10}
 RETVAL=0
 start() {
    echo -n "Starting $PROGNAME: "
    LANG=$SSLH_LANG daemon --pidfile="$PIDFILE" \
                           ${SSLH_USER:+--user="${SSLH_USER}"} \
                           "$SSLH" ${CONFIG:+-F "$CONFIG"} "$OPTIONS"
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch "$LOCKFILE"
    return $RETVAL
 }
 stop() {
    echo -n "Stopping $PROGNAME: "
    killproc -p "$PIDFILE" -d "$STOP_TIMEOUT" "$SSLH"
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f "$LOCKFILE" "$PIDFILE"
 }
 # See how we were called.
 case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status -p "$PIDFILE" "$SSLH"
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo "Usage: $PROGNAME {start|stop|status|restart}"
        RETVAL=2
        ;;
 esac
 exit $RETVAL
--- a/scripts/etc.sysconfig.sslh
+++ b/scripts/etc.sysconfig.sslh
@ -0,0 +1,36 @@
 #
 # The default processing model uses select
 # A fork model is also available
 #
 #SSLH=/usr/sbin/sslh-select
 #
 # If transparent mode is enabled, the following
 # is needed in order to run as sslh user
 #
 #SSLH_USER=sslh
 #setcap cap_net_bind_service,cap_net_admin=+ep $SSLH
 #
 # Configuration file for sslh
 # Set empty to disable configuration file support
 #
 #CONFIG=/etc/sslh.cfg
 #
 # Extra option to pass on comand line
 # Those can supersede configuration file settings
 # 
 #OPTIONS=
 #
 # The sslh process is started by default with the C
 # locale, it can be changed here
 #
 #SSLH_LANG=C
 #
 # If an alternate location is specified in configuration
 # file, it needs to be reported here
 #
 #PIDFILE=/var/run/sslh/sslh.pid
--- a/scripts/fail2ban/jail.conf
+++ b/scripts/fail2ban/jail.conf
@ -0,0 +1,9 @@
 # Add the following to your fail2ban jail.conf
 # In Debian you'd append it to /etc/fail2ban/jail.local
 [sslh-ssh]
 enabled = true
 filter = sslh-ssh
 action = iptables-multiport[name=sslh,port="443"]
 logpath = /var/log/messages
 maxretry = 5
--- a/scripts/fail2ban/sslh-ssh.conf
+++ b/scripts/fail2ban/sslh-ssh.conf
@ -0,0 +1,25 @@
 # Add the following to you fail2ban configuration file
 # In Debian it'd go in /etc/fail2ban/filter.d/sslh-ssh.conf
 # Fail2Ban filter for sslh demultiplexed ssh
 #
 # Doesn't (and cannot) detect auth errors,
 # but many connection attempts from the same
 # origin is reason enough to block.
 #
 # Verion: 2014-03-28
 [INCLUDES]
 # no includes
 [Definition]
 failregex = ^.+ sslh\[.+\]: connection from <HOST>:.+ to .+ forwarded
 from .+ to .+:ssh\s*$
 ignoreregex =
 # Author: Evert Mouw <post@evert.net>
--- a/scripts/systemd.sslh.service
+++ b/scripts/systemd.sslh.service
@ -0,0 +1,11 @@
 [Unit]
 Description=SSL/SSH multiplexer
 After=network.target
 [Service]
 EnvironmentFile=/etc/conf.d/sslh
 ExecStart=/usr/bin/sslh --foreground $DAEMON_OPTS
 KillMode=process
 [Install]
 WantedBy=multi-user.target
--- a/sslh-fork.c
+++ b/sslh-fork.c
@ -0,0 +1,184 @@
 /*
   sslh-fork: forking server
 # Copyright (C) 2007-2012  Yves Rutschle
 # 
 # This program is free software; you can redistribute it
 # and/or modify it under the terms of the GNU General Public
 # License as published by the Free Software Foundation; either
 # version 2 of the License, or (at your option) any later
 # version.
 # 
 # This program is distributed in the hope that it will be
 # useful, but WITHOUT ANY WARRANTY; without even the implied
 # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 # PURPOSE.  See the GNU General Public License for more
 # details.
 # 
 # The full text for the General Public License is here:
 # http://www.gnu.org/licenses/gpl.html
 */
 #include "common.h"
 #include "probe.h"
 const char* server_type = "sslh-fork";
 #define MAX(a, b)  (((a) > (b)) ? (a) : (b))
 /* shovels data from one fd to the other and vice-versa 
   returns after one socket closed
 */
 int shovel(struct connection *cnx)
 {
   fd_set fds;
   int res, i;
   int max_fd = MAX(cnx->q[0].fd, cnx->q[1].fd) + 1;
   FD_ZERO(&fds);
   while (1) {
      FD_SET(cnx->q[0].fd, &fds);
      FD_SET(cnx->q[1].fd, &fds);
      res = select(
                   max_fd,
                   &fds,
                   NULL,
                   NULL,
                   NULL
                  );
      CHECK_RES_DIE(res, "select");
      for (i = 0; i < 2; i++) {
          if (FD_ISSET(cnx->q[i].fd, &fds)) {
              res = fd2fd(&cnx->q[1-i], &cnx->q[i]);
              if (!res) {
                  if (verbose) 
                      fprintf(stderr, "%s %s", i ? "client" : "server", "socket closed\n");
                  return res;
              }
          }
      }
   }
 }
 /* Child process that finds out what to connect to and proxies 
 */
 void start_shoveler(int in_socket)
 {
   fd_set fds;
   struct timeval tv;
   int res = PROBE_AGAIN;
   int out_socket;
   struct connection cnx;
   init_cnx(&cnx);
   cnx.q[0].fd = in_socket;
   FD_ZERO(&fds);
   FD_SET(in_socket, &fds);
   memset(&tv, 0, sizeof(tv));
   tv.tv_sec = probing_timeout;
   while (res == PROBE_AGAIN) {
       /* POSIX does not guarantee that tv will be updated, but the client can
        * only postpone the inevitable for so long */
       res = select(in_socket + 1, &fds, NULL, NULL, &tv);
       if (res == -1)
           perror("select");
       if (FD_ISSET(in_socket, &fds)) {
           /* Received data: figure out what protocol it is */
           res = probe_client_protocol(&cnx);
       } else {
           /* Timed out: it's necessarily SSH */
           cnx.proto = timeout_protocol();
           break;
       }
   }
   if (cnx.proto->service &&
       check_access_rights(in_socket, cnx.proto->service)) {
       exit(0);
   }
   /* Connect the target socket */
   out_socket = connect_addr(&cnx, in_socket);
   CHECK_RES_DIE(out_socket, "connect");
   cnx.q[1].fd = out_socket;
   log_connection(&cnx);
   flush_deferred(&cnx.q[1]);
   shovel(&cnx);
   close(in_socket);
   close(out_socket);
   if (verbose)
      fprintf(stderr, "connection closed down\n");
   exit(0);
 }
 static int *listener_pid;
 static int listener_pid_number = 0;
 void stop_listeners(int sig)
 {
    int i;
    for (i = 0; i < listener_pid_number; i++) {
        kill(listener_pid[i], sig);
    }
 }
 void main_loop(int listen_sockets[], int num_addr_listen)
 {
    int in_socket, i, res;
    struct sigaction action;
    listener_pid_number = num_addr_listen;
    listener_pid = malloc(listener_pid_number * sizeof(listener_pid[0]));
    /* Start one process for each listening address */
    for (i = 0; i < num_addr_listen; i++) {
        if (!(listener_pid[i] = fork())) {
            /* Listening process just accepts a connection, forks, and goes
             * back to listening */
            while (1)
            {
                in_socket = accept(listen_sockets[i], 0, 0);
                if (verbose) fprintf(stderr, "accepted fd %d\n", in_socket);
                if (!fork())
                {
                    for (i = 0; i < num_addr_listen; ++i)
                        close(listen_sockets[i]);
                    start_shoveler(in_socket);
                    exit(0);
                }
                close(in_socket);
            }
        }
    }
    /* Set SIGTERM to "stop_listeners" which further kills all listener
     * processes. Note this won't kill processes that listeners forked, which
     * means active connections remain active. */
    memset(&action, 0, sizeof(action));
    action.sa_handler = stop_listeners;
    res = sigaction(SIGTERM, &action, NULL);
    CHECK_RES_DIE(res, "sigaction");
    wait(NULL);
 }
 /* The actual main is in common.c: it's the same for both version of
 * the server
 */
--- a/sslh-main.c
+++ b/sslh-main.c
@ -0,0 +1,618 @@
 /*
 # main: processing of config file, command line options and start the main
 # loop.
 #
 # Copyright (C) 2007-2014  Yves Rutschle
 # 
 # This program is free software; you can redistribute it
 # and/or modify it under the terms of the GNU General Public
 # License as published by the Free Software Foundation; either
 # version 2 of the License, or (at your option) any later
 # version.
 # 
 # This program is distributed in the hope that it will be
 # useful, but WITHOUT ANY WARRANTY; without even the implied
 # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 # PURPOSE.  See the GNU General Public License for more
 # details.
 # 
 # The full text for the General Public License is here:
 # http://www.gnu.org/licenses/gpl.html
 */
 #define _GNU_SOURCE
 #ifdef LIBCONFIG
 #include <libconfig.h>
 #endif
 #ifdef LIBPCRE
 #include <regex.h>
 #endif
 #include "common.h"
 #include "probe.h"
 const char* USAGE_STRING =
 "sslh " VERSION "\n" \
 "usage:\n" \
 "\tsslh  [-v] [-i] [-V] [-f] [-n] [--transparent] [-F <file>]\n"
 "\t[-t <timeout>] [-P <pidfile>] -u <username> -p <add> [-p <addr> ...] \n" \
 "%s\n\n" /* Dynamically built list of builtin protocols */  \
 "\t[--on-timeout <addr>]\n" \
 "-v: verbose\n" \
 "-V: version\n" \
 "-f: foreground\n" \
 "-n: numeric output\n" \
 "-u: specify under which user to run\n" \
 "--transparent: behave as a transparent proxy\n" \
 "-F: use configuration file\n" \
 "--on-timeout: connect to specified address upon timeout (default: ssh address)\n" \
 "-t: seconds to wait before connecting to --on-timeout address.\n" \
 "-p: address and port to listen on.\n    Can be used several times to bind to several addresses.\n" \
 "--[ssh,ssl,...]: where to connect connections from corresponding protocol.\n" \
 "-P: PID file.\n" \
 "-i: Run as a inetd service.\n" \
 "";
 /* Constants for options that have no one-character shorthand */
 #define OPT_ONTIMEOUT   257
 static struct option const_options[] = {
    { "inetd",      no_argument,            &inetd,         1 },
    { "foreground", no_argument,            &foreground,    1 },
    { "background", no_argument,            &background,    1 },
    { "transparent", no_argument,           &transparent,   1 },
    { "numeric",    no_argument,            &numeric,       1 },
    { "verbose",    no_argument,            &verbose,       1 },
    { "user",       required_argument,      0,              'u' },
    { "config",     optional_argument,      0,              'F' },
    { "pidfile",    required_argument,      0,              'P' },
    { "timeout",    required_argument,      0,              't' },
    { "on-timeout", required_argument,      0,              OPT_ONTIMEOUT },
    { "listen",     required_argument,      0,              'p' },
    {}
 };
 static struct option* all_options;
 static struct proto* builtins;
 static const char *optstr = "vt:T:p:VP:F::";
 static void print_usage(void)
 {
    struct proto *p;
    int i;
    int res;
    char *prots = "";
    p = get_builtins();
    for (i = 0; i < get_num_builtins(); i++) {
        res = asprintf(&prots, "%s\t[--%s <addr>]\n", prots, p[i].description);
        CHECK_RES_DIE(res, "asprintf");
    }
    fprintf(stderr, USAGE_STRING, prots);
 }
 static void printcaps(void) {
 #ifdef LIBCAP
    cap_t caps;
    char* desc;
    ssize_t len;
    caps = cap_get_proc();
    desc = cap_to_text(caps, &len);
    fprintf(stderr, "capabilities: %s\n", desc);
    cap_free(caps);
    cap_free(desc);
 #endif
 }
 static void printsettings(void)
 {
    char buf[NI_MAXHOST];
    struct addrinfo *a;
    struct proto *p;
    for (p = get_first_protocol(); p; p = p->next) {
        fprintf(stderr,
                "%s addr: %s. libwrap service: %s log_level: %d family %d %d\n", 
                p->description, 
                sprintaddr(buf, sizeof(buf), p->saddr), 
                p->service,
                p->log_level,
                p->saddr->ai_family,
                p->saddr->ai_addr->sa_family);
    }
    fprintf(stderr, "listening on:\n");
    for (a = addr_listen; a; a = a->ai_next) {
        fprintf(stderr, "\t%s\n", sprintaddr(buf, sizeof(buf), a));
    }
    fprintf(stderr, "timeout: %d\non-timeout: %s\n", probing_timeout,
            timeout_protocol()->description);
 }
 /* Extract configuration on addresses and ports on which to listen.
 * out: newly allocated list of addrinfo to listen to
 */
 #ifdef LIBCONFIG
 static int config_listen(config_t *config, struct addrinfo **listen) 
 {
    config_setting_t *setting, *addr;
    int len, i;
    const char *hostname, *port;
    setting = config_lookup(config, "listen");
    if (setting) {
        len = config_setting_length(setting);
        for (i = 0; i < len; i++) {
            addr = config_setting_get_elem(setting, i);
            if (! (config_setting_lookup_string(addr, "host", &hostname) &&
                   config_setting_lookup_string(addr, "port", &port))) {
                fprintf(stderr,
                            "line %d:Incomplete specification (hostname and port required)\n",
                            config_setting_source_line(addr));
                return -1;
            }
            resolve_split_name(listen, hostname, port);
            /* getaddrinfo returned a list of addresses corresponding to the
             * specification; move the pointer to the end of that list before
             * processing the next specification */
            for (; *listen; listen = &((*listen)->ai_next));
        }
    }
    return 0;
 }
 #endif
 #ifdef LIBCONFIG
 static void setup_regex_probe(struct proto *p, config_setting_t* probes)
 {
 #ifdef LIBPCRE
    int num_probes, errsize, i, res;
    char *err;
    const char * expr;
    regex_t** probe_list;
    num_probes = config_setting_length(probes);
    if (!num_probes) {
        fprintf(stderr, "%s: no probes specified\n", p->description);
        exit(1);
    }
    p->probe = get_probe("regex");
    probe_list = calloc(num_probes + 1, sizeof(*probe_list));
    p->data = (void*)probe_list;
    for (i = 0; i < num_probes; i++) {
        probe_list[i] = malloc(sizeof(*(probe_list[i])));
        expr = config_setting_get_string_elem(probes, i);
        res = regcomp(probe_list[i], expr, 0);
        if (res) {
            err = malloc(errsize = regerror(res, probe_list[i], NULL, 0));
            regerror(res, probe_list[i], err, errsize);
            fprintf(stderr, "%s:%s\n", expr, err);
            free(err);
            exit(1);
        }
    }
 #else
    fprintf(stderr, "line %d: regex probe specified but not compiled in\n", config_setting_source_line(probes));
    exit(5);
 #endif
 }
 #endif
 #ifdef LIBCONFIG
 static void setup_sni_alpn_list(struct proto *p, config_setting_t* config_items, const char* name, int alpn)
 {
    int num_probes, i, max_server_name_len, server_name_len;
    const char * config_item;
    char** sni_hostname_list;
    if(!config_items || !config_setting_is_array(config_items)) {
        fprintf(stderr, "%s: no %s specified\n", p->description, name);
        return;
    }
    num_probes = config_setting_length(config_items);
    if (!num_probes) {
        fprintf(stderr, "%s: no %s specified\n", p->description, name);
        return;
    }
    max_server_name_len = 0;
    for (i = 0; i < num_probes; i++) {
        server_name_len = strlen(config_setting_get_string_elem(config_items, i));
        if(server_name_len > max_server_name_len)
            max_server_name_len = server_name_len;
    }
    sni_hostname_list = calloc(num_probes + 1, ++max_server_name_len);
    for (i = 0; i < num_probes; i++) {
        config_item = config_setting_get_string_elem(config_items, i);
        sni_hostname_list[i] = malloc(max_server_name_len);
        strcpy (sni_hostname_list[i], config_item);
        if(verbose) fprintf(stderr, "%s: %s[%d]: %s\n", p->description, name, i, sni_hostname_list[i]);
    }
    p->data = (void*)tls_data_set_list(p->data, alpn, sni_hostname_list);
 }
 static void setup_sni_alpn(struct proto *p, config_setting_t* sni_hostnames, config_setting_t* alpn_protocols)
 {
    p->data = (void*)new_tls_data();
    p->probe = get_probe("sni_alpn");
    setup_sni_alpn_list(p, sni_hostnames, "sni_hostnames", 0);
    setup_sni_alpn_list(p, alpn_protocols, "alpn_protocols", 1);
 }
 #endif
 /* Extract configuration for protocols to connect to.
 * out: newly-allocated list of protocols
 */
 #ifdef LIBCONFIG
 static int config_protocols(config_t *config, struct proto **prots)
 {
    config_setting_t *setting, *prot, *patterns, *sni_hostnames, *alpn_protocols;
    const char *hostname, *port, *name;
    int i, num_prots;
    struct proto *p, *prev = NULL;
    setting = config_lookup(config, "protocols");
    if (setting) {
        num_prots = config_setting_length(setting);
        for (i = 0; i < num_prots; i++) {
            p = calloc(1, sizeof(*p));
            if (i == 0) *prots = p;
            if (prev) prev->next = p;
            prev = p;
            prot = config_setting_get_elem(setting, i);
            if ((config_setting_lookup_string(prot, "name", &name) &&
                 config_setting_lookup_string(prot, "host", &hostname) &&
                 config_setting_lookup_string(prot, "port", &port)
                )) {
                p->description = name;
                config_setting_lookup_string(prot, "service", &(p->service));
                if (config_setting_lookup_int(prot, "log_level", &p->log_level) == CONFIG_FALSE) {
                    p->log_level = 1;
                }
                resolve_split_name(&(p->saddr), hostname, port);
                p->probe = get_probe(name);
                if (!p->probe || !strcmp(name, "sni_alpn")) {
                    fprintf(stderr, "line %d: %s: probe unknown\n", config_setting_source_line(prot), name);
                    exit(1);
                }
                /* Probe-specific options: regex patterns */
                if (!strcmp(name, "regex")) {
                    patterns = config_setting_get_member(prot, "regex_patterns");
                    if (patterns && config_setting_is_array(patterns)) {
                        setup_regex_probe(p, patterns);
                    }
                }
                /* Probe-specific options: SNI/ALPN */
                if (!strcmp(name, "tls")) {
                    sni_hostnames = config_setting_get_member(prot, "sni_hostnames");
                    alpn_protocols = config_setting_get_member(prot, "alpn_protocols");
                    if((sni_hostnames && config_setting_is_array(sni_hostnames)) || (alpn_protocols && config_setting_is_array(alpn_protocols))) {
                        setup_sni_alpn(p, sni_hostnames, alpn_protocols);
                    }
                }
            }
        }
    }
    return 0;
 }
 #endif
 /* Parses a config file
 * in: *filename
 * out: *listen, a newly-allocated linked list of listen addrinfo
 *      *prots, a newly-allocated linked list of protocols
 *      1 on error, 0 on success
 */
 #ifdef LIBCONFIG
 static int config_parse(char *filename, struct addrinfo **listen, struct proto **prots)
 {
    config_t config;
    int timeout;
    const char* str;
    config_init(&config);
    if (config_read_file(&config, filename) == CONFIG_FALSE) {
        /* If it's a parse error then there will be a line number for the failure
         * an I/O error (such as non-existent file) will have the error line as 0
         */
        if (config_error_line(&config) != 0) {
            fprintf(stderr, "%s:%d:%s\n", 
                    filename,
                    config_error_line(&config),
                    config_error_text(&config));
            exit(1);
        }
        fprintf(stderr, "%s:%s\n", 
                filename,
                config_error_text(&config));
        return 1;
    }
    config_lookup_bool(&config, "verbose", &verbose);
    config_lookup_bool(&config, "inetd", &inetd);
    config_lookup_bool(&config, "foreground", &foreground);
    config_lookup_bool(&config, "numeric", &numeric);
    config_lookup_bool(&config, "transparent", &transparent);
    if (config_lookup_int(&config, "timeout", (int *)&timeout) == CONFIG_TRUE) {
        probing_timeout = timeout;
    }
    if (config_lookup_string(&config, "on-timeout", &str)) {
        set_ontimeout(str);
    }
    config_lookup_string(&config, "user", &user_name);
    config_lookup_string(&config, "pidfile", &pid_file);
    config_listen(&config, listen);
    config_protocols(&config, prots);
    return 0;
 }
 #endif
 /* Adds protocols to the list of options, so command-line parsing uses the
 * protocol definition array 
 * options: array of options to add to; must be big enough
 * n_opts: number of options in *options before calling (i.e. where to append)
 * prot: array of protocols
 * n_prots: number of protocols in *prot
 * */
 static void append_protocols(struct option *options, int n_opts, struct proto *prot , int n_prots)
 {
    int o, p;
    for (o = n_opts, p = 0; p < n_prots; o++, p++) {
        options[o].name = prot[p].description;
        options[o].has_arg = required_argument;
        options[o].flag = 0;
        options[o].val = p + PROT_SHIFT;
    }
 }
 static void make_alloptions(void)
 {
    builtins = get_builtins();
    /* Create all_options, composed of const_options followed by one option per
     * known protocol */
    all_options = calloc(ARRAY_SIZE(const_options) + get_num_builtins(), sizeof(struct option));
    memcpy(all_options, const_options, sizeof(const_options));
    append_protocols(all_options, ARRAY_SIZE(const_options) - 1, builtins, get_num_builtins());
 }
 /* Performs a first scan of command line options to see if a configuration file
 * is specified. If there is one, parse it now before all other options (so
 * configuration file settings can be overridden from the command line).
 *
 * prots: newly-allocated list of configured protocols, if any.
 */
 static void cmdline_config(int argc, char* argv[], struct proto** prots)
 {
 #ifdef LIBCONFIG
    int c, res;
    char *config_filename;
 #endif
    make_alloptions();
 #ifdef LIBCONFIG
    optind = 1;
    opterr = 0; /* we're missing protocol options at this stage so don't output errors */
    while ((c = getopt_long_only(argc, argv, optstr, all_options, NULL)) != -1) {
        if (c == 'v') {
            verbose++;
        }
        if (c == 'F') {
            config_filename = optarg;
            if (config_filename) {
                res = config_parse(config_filename, &addr_listen, prots);
            } else {
                /* No configuration file specified -- try default file locations */
                res = config_parse("/etc/sslh/sslh.cfg", &addr_listen, prots);
                if (!res && verbose) fprintf(stderr, "Using /etc/sslh/sslh.cfg\n");
                if (res) {
                    res = config_parse("/etc/sslh.cfg", &addr_listen, prots);
                    if (!res && verbose) fprintf(stderr, "Using /etc/sslh.cfg\n");
                }
            }
            if (res)
                exit(4);
            break;
        }
    }
 #endif
 }
 /* Parse command-line options. prots points to a list of configured protocols,
 * potentially non-allocated */
 static void parse_cmdline(int argc, char* argv[], struct proto* prots)
 {
    int c;
    struct addrinfo **a;
    struct proto *p;
    optind = 1;
    opterr = 1;
 next_arg:
    while ((c = getopt_long_only(argc, argv, optstr, all_options, NULL)) != -1) {
        if (c == 0) continue;
        if (c >= PROT_SHIFT) {
            if (prots)
                for (p = prots; p && p->next; p = p->next) {
                    /* override if protocol was already defined by config file 
                     * (note it only overrides address and use builtin probe) */
                    if (!strcmp(p->description, builtins[c-PROT_SHIFT].description)) {
                        resolve_name(&(p->saddr), optarg);
                        p->probe = builtins[c-PROT_SHIFT].probe;
                        goto next_arg;
                    }
                }
            /* At this stage, it's a new protocol: add it to the end of the
             * list */
            if (!prots) {
                /* No protocols yet -- create the list */
                p = prots = calloc(1, sizeof(*p));
            } else {
                p->next = calloc(1, sizeof(*p));
                p = p->next;
            }
            memcpy(p, &builtins[c-PROT_SHIFT], sizeof(*p));
            resolve_name(&(p->saddr), optarg);
            continue;
        }
        switch (c) {
        case 'F':
            /* Legal option, but do nothing, it was already processed in
             * cmdline_config() */
 #ifndef LIBCONFIG
            fprintf(stderr, "Built without libconfig support: configuration file not available.\n");
            exit(1);
 #endif
            break;
        case 't':
             probing_timeout = atoi(optarg);
            break;
        case OPT_ONTIMEOUT:
            set_ontimeout(optarg);
            break;
        case 'p':
            /* find the end of the listen list */
            for (a = &addr_listen; *a; a = &((*a)->ai_next));
            /* append the specified addresses */
            resolve_name(a, optarg);
            break;
        case 'V':
            printf("%s %s\n", server_type, VERSION);
            exit(0);
        case 'u':
            user_name = optarg;
            break;
        case 'P':
            pid_file = optarg;
            break;
        case 'v':
            verbose++;
            break;
        default:
            print_usage();
            exit(2);
        }
    }
    if (!prots) {
        fprintf(stderr, "At least one target protocol must be specified.\n");
        exit(2);
    }
    set_protocol_list(prots);
    if (!addr_listen && !inetd) {
        fprintf(stderr, "No listening address specified; use at least one -p option\n");
        exit(1);
    }
    /* Did command-line override foreground setting? */
    if (background)
        foreground = 0;
 }
 int main(int argc, char *argv[])
 {
   extern char *optarg;
   extern int optind;
   int res, num_addr_listen;
   struct proto* protocols = NULL;
   int *listen_sockets;
   /* Init defaults */
   pid_file = NULL;
   user_name = NULL;
   cmdline_config(argc, argv, &protocols);
   parse_cmdline(argc, argv, protocols);
   if (inetd)
   {
       verbose = 0;
       start_shoveler(0);
       exit(0);
   }
   if (verbose)
       printsettings();
   num_addr_listen = start_listen_sockets(&listen_sockets, addr_listen);
   if (!foreground) {
       if (fork() > 0) exit(0); /* Detach */
       /* New session -- become group leader */
       if (getuid() == 0) {
           res = setsid();
           CHECK_RES_DIE(res, "setsid: already process leader");
       }
   }
   setup_signals();
   if (pid_file)
       write_pid_file(pid_file);
   if (user_name)
       drop_privileges(user_name);
   /* Open syslog connection */
   setup_syslog(argv[0]);
   if (verbose)
       printcaps();
   main_loop(listen_sockets, num_addr_listen);
   return 0;
 }
--- a/sslh-select.c
+++ b/sslh-select.c
@ -0,0 +1,355 @@
 /*
   sslh-select: mono-processus server
 # Copyright (C) 2007-2010  Yves Rutschle
 # 
 # This program is free software; you can redistribute it
 # and/or modify it under the terms of the GNU General Public
 # License as published by the Free Software Foundation; either
 # version 2 of the License, or (at your option) any later
 # version.
 # 
 # This program is distributed in the hope that it will be
 # useful, but WITHOUT ANY WARRANTY; without even the implied
 # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 # PURPOSE.  See the GNU General Public License for more
 # details.
 # 
 # The full text for the General Public License is here:
 # http://www.gnu.org/licenses/gpl.html
 */
 #define __LINUX__
 #include "common.h"
 #include "probe.h"
 const char* server_type = "sslh-select";
 /* cnx_num_alloc is the number of connection to allocate at once (at start-up,
 * and then every time we get too many simultaneous connections: e.g. start
 * with 100 slots, then if we get more than 100 connections allocate another
 * 100 slots, and so on). We never free up connection structures. We try to
 * allocate as many structures at once as will fit in one page (which is 102
 * in sslh 1.9 on Linux on x86)
 */
 static long cnx_num_alloc;
 /* Make the file descriptor non-block  */
 int set_nonblock(int fd)
 {
    int flags;
    flags = fcntl(fd, F_GETFL);
    CHECK_RES_RETURN(flags, "fcntl");
    flags |= O_NONBLOCK;
    flags = fcntl(fd, F_SETFL, flags);
    CHECK_RES_RETURN(flags, "fcntl");
    return flags;
 }
 int tidy_connection(struct connection *cnx, fd_set *fds, fd_set *fds2)
 {
    int i;
    for (i = 0; i < 2; i++) {
        if (cnx->q[i].fd != -1) {
            if (verbose)
                fprintf(stderr, "closing fd %d\n", cnx->q[i].fd);
            close(cnx->q[i].fd);
            FD_CLR(cnx->q[i].fd, fds);
            FD_CLR(cnx->q[i].fd, fds2);
            if (cnx->q[i].deferred_data)
                free(cnx->q[i].deferred_data);
        }
    }
    init_cnx(cnx);
    return 0;
 }
 /* if fd becomes higher than FD_SETSIZE, things won't work so well with FD_SET
 * and FD_CLR. Need to drop connections if we go above that limit */
 int fd_is_in_range(int fd) {
    if (fd >= FD_SETSIZE) {
        log_message(LOG_ERR, "too many open file descriptor to monitor them all -- dropping connection\n");
        return 0;
    }
    return 1;
 }
 /* Accepts a connection from the main socket and assigns it to an empty slot.
 * If no slots are available, allocate another few. If that fails, drop the
 * connexion */
 int accept_new_connection(int listen_socket, struct connection *cnx[], int* cnx_size) 
 {
    int in_socket, free, i, res;
    struct connection *new;
    in_socket = accept(listen_socket, 0, 0);
    CHECK_RES_RETURN(in_socket, "accept");
    if (!fd_is_in_range(in_socket))
        return -1;
    res = set_nonblock(in_socket);
    if (res == -1) return -1;
    /* Find an empty slot */
    for (free = 0; (free < *cnx_size) && ((*cnx)[free].q[0].fd != -1); free++) {
        /* nothing */
    }
    if (free >= *cnx_size)  {
        if (verbose)
            fprintf(stderr, "buying more slots from the slot machine.\n");
        new = realloc(*cnx, (*cnx_size + cnx_num_alloc) * sizeof((*cnx)[0]));
        if (!new) {
            log_message(LOG_ERR, "unable to realloc -- dropping connection\n");
            return -1;
        }
        *cnx = new;
        *cnx_size += cnx_num_alloc;
        for (i = free; i < *cnx_size; i++) {
            init_cnx(&(*cnx)[i]); 
        }
    }
    (*cnx)[free].q[0].fd = in_socket;
    (*cnx)[free].state = ST_PROBING;
    (*cnx)[free].probe_timeout = time(NULL) + probing_timeout;
    if (verbose) 
        fprintf(stderr, "accepted fd %d on slot %d\n", in_socket, free);
    return in_socket;
 }
 /* Connect queue 1 of connection to SSL; returns new file descriptor */
 int connect_queue(struct connection *cnx, fd_set *fds_r, fd_set *fds_w)
 {
    struct queue *q = &cnx->q[1];
    q->fd = connect_addr(cnx, cnx->q[0].fd);
    if ((q->fd != -1) && fd_is_in_range(q->fd)) {
        log_connection(cnx);
        set_nonblock(q->fd);
        flush_deferred(q);
        if (q->deferred_data) {
            FD_SET(q->fd, fds_w);
        } else {
            FD_SET(q->fd, fds_r);
        }
        return q->fd;
    } else {
        tidy_connection(cnx, fds_r, fds_w);
        return -1;
    }
 }
 /* shovels data from active fd to the other
   returns after one socket closed or operation would block
 */
 void shovel(struct connection *cnx, int active_fd, 
            fd_set *fds_r, fd_set *fds_w)
 {
    struct queue *read_q, *write_q;
    read_q = &cnx->q[active_fd];
    write_q = &cnx->q[1-active_fd];
    if (verbose)
        fprintf(stderr, "activity on fd%d\n", read_q->fd);
    switch(fd2fd(write_q, read_q)) {
    case -1:
    case FD_CNXCLOSED:
        tidy_connection(cnx, fds_r, fds_w);
        break;
    case FD_STALLED:
        FD_SET(write_q->fd, fds_w);
        FD_CLR(read_q->fd, fds_r);
        break;
    default: /* Nothing */
        break;
    }
 }
 /* returns true if specified fd is initialised and present in fd_set */
 int is_fd_active(int fd, fd_set* set)
 {
    if (fd == -1) return 0;
    return FD_ISSET(fd, set);
 }
 /* Main loop: the idea is as follow:
 * - fds_r and fds_w contain the file descriptors to monitor in read and write
 * - When a file descriptor goes off, process it: read from it, write the data
 * to its corresponding pair.
 * - When a file descriptor blocks when writing, remove the read fd from fds_r,
 * move the data to a deferred buffer, and add the write fd to fds_w. Defered
 * buffer is allocated dynamically.
 * - When we can write to a file descriptor that has deferred data, we try to
 * write as much as we can. Once all data is written, remove the fd from fds_w
 * and add its corresponding pair to fds_r, free the buffer.
 *
 * That way, each pair of file descriptor (read from one, write to the other)
 * is monitored either for read or for write, but never for both.
 */
 void main_loop(int listen_sockets[], int num_addr_listen)
 {
    fd_set fds_r, fds_w;  /* reference fd sets (used to init the next 2) */
    fd_set readfds, writefds; /* working read and write fd sets */
    struct timeval tv;
    int max_fd, in_socket, i, j, res;
    struct connection *cnx;
    int num_cnx;  /* Number of connections in *cnx */
    int num_probing = 0; /* Number of connections currently probing 
                          * We use this to know if we need to time out of
                          * select() */
    FD_ZERO(&fds_r);
    FD_ZERO(&fds_w);
    for (i = 0; i < num_addr_listen; i++) {
        FD_SET(listen_sockets[i], &fds_r); 
        set_nonblock(listen_sockets[i]);
    }
    max_fd = listen_sockets[num_addr_listen-1] + 1;
    cnx_num_alloc = getpagesize() / sizeof(struct connection);
    num_cnx = cnx_num_alloc; /* Start with a set pool of slots */
    cnx = malloc(num_cnx * sizeof(struct connection));
    for (i = 0; i < num_cnx; i++)
        init_cnx(&cnx[i]);
    while (1)
    {
        memset(&tv, 0, sizeof(tv));
        tv.tv_sec = probing_timeout;
        memcpy(&readfds, &fds_r, sizeof(readfds));
        memcpy(&writefds, &fds_w, sizeof(writefds));
        if (verbose)
            fprintf(stderr, "selecting... max_fd=%d num_probing=%d\n", max_fd, num_probing);
        res = select(max_fd, &readfds, &writefds, NULL, num_probing ? &tv : NULL);
        if (res < 0)
            perror("select");
        /* Check main socket for new connections */
        for (i = 0; i < num_addr_listen; i++) {
            if (FD_ISSET(listen_sockets[i], &readfds)) {
                in_socket = accept_new_connection(listen_sockets[i], &cnx, &num_cnx);
                if (in_socket != -1)
                    num_probing++;
                if (in_socket > 0) {
                    FD_SET(in_socket, &fds_r);
                    if (in_socket >= max_fd)
                        max_fd = in_socket + 1;;
                }
                FD_CLR(listen_sockets[i], &readfds);
            }
        }
        /* Check all sockets for write activity */
        for (i = 0; i < num_cnx; i++) {
            if (cnx[i].q[0].fd != -1) {
                for (j = 0; j < 2; j++) {
                    if (is_fd_active(cnx[i].q[j].fd, &writefds)) {
                        res = flush_deferred(&cnx[i].q[j]);
                        if ((res == -1) && ((errno == EPIPE) || (errno == ECONNRESET))) {
                            if (cnx[i].state == ST_PROBING) num_probing--;
                            tidy_connection(&cnx[i], &fds_r, &fds_w);
                            if (verbose)
                                fprintf(stderr, "closed slot %d\n", i);
                        } else {
                            /* If no deferred data is left, stop monitoring the fd 
                             * for write, and restart monitoring the other one for reads*/
                            if (!cnx[i].q[j].deferred_data_size) {
                                FD_CLR(cnx[i].q[j].fd, &fds_w);
                                FD_SET(cnx[i].q[1-j].fd, &fds_r);
                            }
                        }
                    }
                }
            }
        }
        /* Check all sockets for read activity */
        for (i = 0; i < num_cnx; i++) {
            for (j = 0; j < 2; j++) {
                if (is_fd_active(cnx[i].q[j].fd, &readfds) || 
                    ((cnx[i].state == ST_PROBING) && (cnx[i].probe_timeout < time(NULL)))) {
                    if (verbose)
                        fprintf(stderr, "processing fd%d slot %d\n", j, i);
                    switch (cnx[i].state) {
                    case ST_PROBING:
                        if (j == 1) {
                            fprintf(stderr, "Activity on fd2 while probing, impossible\n");
                            dump_connection(&cnx[i]);
                            exit(1);
                        }
                        /* If timed out it's SSH, otherwise the client sent
                         * data so probe the protocol */
                        if ((cnx[i].probe_timeout < time(NULL))) {
                            cnx[i].proto = timeout_protocol();
                        } else {
                            res = probe_client_protocol(&cnx[i]);
                            if (res == PROBE_AGAIN)
                                continue;
                        }
                        num_probing--;
                        cnx[i].state = ST_SHOVELING;
                        /* libwrap check if required for this protocol */
                        if (cnx[i].proto->service &&
                            check_access_rights(in_socket, cnx[i].proto->service)) {
                            tidy_connection(&cnx[i], &fds_r, &fds_w);
                            res = -1;
                        } else {
                            res = connect_queue(&cnx[i], &fds_r, &fds_w);
                        }
                        if (res >= max_fd)
                            max_fd = res + 1;;
                        break;
                    case ST_SHOVELING:
                        shovel(&cnx[i], j, &fds_r, &fds_w);
                        break;
                    default: /* illegal */
                        log_message(LOG_ERR, "Illegal connection state %d\n", cnx[i].state);
                        exit(1);
                    }
                }
            }
        }
    }
 }
 void start_shoveler(int listen_socket) {
    fprintf(stderr, "inetd mode is not supported in select mode\n");
    exit(1);
 }
 /* The actual main is in common.c: it's the same for both version of
 * the server
 */
--- a/sslh.c
+++ b/sslh.c
@ -1,465 +0,0 @@
 /*
   Reimplementation of sslh in C
 # Copyright (C) 2007-2008  Yves Rutschle
 # 
 # This program is free software; you can redistribute it
 # and/or modify it under the terms of the GNU General Public
 # License as published by the Free Software Foundation; either
 # version 2 of the License, or (at your option) any later
 # version.
 # 
 # This program is distributed in the hope that it will be
 # useful, but WITHOUT ANY WARRANTY; without even the implied
 # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 # PURPOSE.  See the GNU General Public License for more
 # details.
 # 
 # The full text for the General Public License is here:
 # http://www.gnu.org/licenses/gpl.html
 Comments? questions? sslh@rutschle.net
 Compilation instructions:
 Solaris:
  cc -o sslh sslh.c -lresolv -lsocket -lnsl
 LynxOS:
  gcc -o tcproxy tcproxy.c -lnetinet
 Linux:
  cc -o sslh sslh.c -lnet
 HISTORY
 v1.3: 14MAY2008
        Added parsing for local interface to listen on
        Changed default SSL connexion to port 442 (443 doesn't make
        sense as a default as we're already listening on 443)
        Syslog incoming connexions
 v1.2: 12MAY2008
        Fixed compilation warning for AMD64 (Thx Daniel Lange)
 v1.1: 21MAY2007
        Making sslhc more like a real daemon:
        * If $PIDFILE is defined, write first PID to it upon startup
        * Fork at startup (detach from terminal)
        (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
        * Less memory usage (?)
 v1.0: 
        * Basic functionality: privilege dropping, target hostnames and ports
        configurable.
 */
 #define VERSION "1.3"
 #include <sys/types.h>
 #include <fcntl.h>
 #include <string.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <signal.h>
 #include <sys/socket.h>
 #include <sys/wait.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <netdb.h>
 #include <pwd.h>
 #include <syslog.h>
 #define CHECK_RES_DIE(res, str) \
 if (res == -1) {    \
   perror(str);     \
   exit(1);         \
 }
 #define USAGE_STRING \
 "sslh v" VERSION "\n" \
 "usage:\n" \
 "\texport PIDFILE=/var/run/sslhc.pid\n" \
 "\tsslh [-t <timeout>] -u <username> -p [listenaddr:]<listenport> \n" \
 "\t\t-s [sshhost:]port -l [sslhost:]port [-v]\n\n" \
 "-v: verbose\n" \
 "-p: address and port to listen on. default: 0.0.0.0:443\n" \
 "-s: SSH address: where to connect an SSH connexion. default: localhost:22\n" \
 "-l: SSL address: where to connect an SSL connexion.\n" \
 ""
 int verbose = 0; /* That's really quite global */
 /* Starts a listening socket on specified address.
   Returns file descriptor
   */
 int start_listen_socket(struct sockaddr *addr)
 {
   struct sockaddr_in *saddr = (struct sockaddr_in*)addr;
   int sockfd, res, reuse;
   sockfd = socket(AF_INET, SOCK_STREAM, 0);
   CHECK_RES_DIE(sockfd, "socket");
   reuse = 1;
   res = setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (char*)&reuse, sizeof(reuse));
   CHECK_RES_DIE(res, "setsockopt");
   res = bind (sockfd, (struct sockaddr*)saddr, sizeof(*saddr));
   CHECK_RES_DIE(res, "bind");
   res = listen (sockfd, 5);
   CHECK_RES_DIE(res, "listen");
   return sockfd;
 }
 /* 
 * moves data from one fd to other
 * returns 0 if incoming socket closed, size moved otherwise
 */
 int fd2fd(int target, int from)
 {
   char buffer[BUFSIZ];
   int size;
   size = read(from, buffer, sizeof(buffer));
   CHECK_RES_DIE(size, "read");
   if (size == 0)
      return 0;
   size = write(target, buffer, size);
   CHECK_RES_DIE(size, "write");
   return size;
 }
 /* shovels data from one fd to the other and vice-versa 
   returns after one socket closed
 */
 int shovel(int fd1, int fd2)
 {
   fd_set fds;
   int res;
   FD_ZERO(&fds);
   while (1) {
      FD_SET(fd1, &fds);
      FD_SET(fd2, &fds);
      res = select( 
                      (fd1 > fd2 ? fd1 : fd2 ) + 1,
                      &fds,
                      NULL,
                      NULL,
                      NULL
            );
      CHECK_RES_DIE(res, "select");
      if (FD_ISSET(fd1, &fds)) {
         res = fd2fd(fd2, fd1);
         if (!res) {
            if (verbose) fprintf(stderr, "client socket closed\n");
            return res;
         }
      }
      if (FD_ISSET(fd2, &fds)) {
         res = fd2fd(fd1, fd2);
         if (!res) {
            if (verbose) fprintf(stderr, "server socket closed\n");
            return res;
         }
      }
   }
 }
 /* returns a string that prints the IP and port of the sockaddr */
 char* sprintaddr(char* buf, size_t size, struct sockaddr* s)
 {
   char addr_str[1024];
   inet_ntop(AF_INET, &((struct sockaddr_in*)s)->sin_addr, addr_str, sizeof(addr_str));
   snprintf(buf, size, "%s:%d", addr_str, ntohs(((struct sockaddr_in*)s)->sin_port));
   return buf;
 }
 /* turns a "hostname:port" string into a struct sockaddr;
 sock: socket address to which to copy the addr
 fullname: input string -- it gets clobbered
 */
 void resolve_name(struct sockaddr *sock, char* fullname) {
   struct addrinfo *addr, hint;
   char *serv, *host;
   int res;
   char *sep = strchr(fullname, ':');
   if (!sep) /* No separator: parameter is just a port */
   {
      serv = fullname;
      fprintf(stderr, "names must be fully specified as hostname:port\n");
      exit(1);
   }
   else {
      host = fullname;
      serv = sep+1;
      *sep = 0;
   }
   memset(&hint, 0, sizeof(hint));
   hint.ai_family = PF_INET;
   hint.ai_socktype = SOCK_STREAM;
   res = getaddrinfo(host, serv, &hint, &addr);
   if (res) {
      fprintf(stderr, "%s\n", gai_strerror(res));
      if (res == EAI_SERVICE)
         fprintf(stderr, "(Check you have specified all ports)\n");
      exit(1);
   }
   memcpy(sock, addr->ai_addr, sizeof(*sock));
 }
 /* syslogs who connected to where */
 void log_connexion(int socket, char* target)
 {
    struct sockaddr peeraddr;
    socklen_t size = sizeof(peeraddr);
    char buf[64];
    int res;
    res = getpeername(socket, &peeraddr, &size);
    CHECK_RES_DIE(res, "getpeername");
    syslog(LOG_INFO, "connexion from %s forwarded to %s\n", 
           sprintaddr(buf, sizeof(buf), &peeraddr), target);
 }
 /* 
 * Settings that depend on the command line. That's less global than verbose * :-)
 * They're set in main(), but also used in start_shoveler(), and it'd be heavy-handed
 * to pass it all as parameters
 */
 int timeout = 2;
 struct sockaddr addr_listen;
 struct sockaddr addr_ssl, addr_ssh;
 /* Child process that finds out what to connect to and proxies 
 */
 void start_shoveler(int in_socket)
 {
   fd_set fds;
   struct timeval tv;
   struct sockaddr *saddr;
   int res;
   int out_socket;
   char *target;
   FD_ZERO(&fds);
   FD_SET(in_socket, &fds);
   memset(&tv, 0, sizeof(tv));
   tv.tv_sec = timeout;
   res = select(in_socket + 1, &fds, NULL, NULL, &tv);
   if (res == -1)
      perror("select");
   /* Pick the target address depending on whether we timed out or not */
   if (FD_ISSET(in_socket, &fds)) {
      /* The client wrote something to the socket: it's an SSL connection */
      saddr = &addr_ssl;
      target = "SSL";
   } else {
      /* The client hasn't written anything and we timed out: connect to SSH */
      saddr = &addr_ssh;
      target = "SSH";
   }
   log_connexion(in_socket, target);
   /* Connect the target socket */
   out_socket = socket(AF_INET, SOCK_STREAM, 0);
   res = connect(out_socket, saddr, sizeof(addr_ssl));
   CHECK_RES_DIE(res, "connect");
   if (verbose)
      fprintf(stderr, "connected to something\n");
   shovel(in_socket, out_socket);
   close(in_socket);
   close(out_socket);
   if (verbose)
      fprintf(stderr, "connection closed down\n");
   exit(0);
 }
 /* SIGCHLD handling:
 * we need to reap our children
 */
 void child_handler(int signo)
 {
    signal(SIGCHLD, &child_handler);
    wait(NULL);
 }
 void setup_signals(void)
 {
    void* res;
    res = signal(SIGCHLD, &child_handler);
    if (res == SIG_ERR) {
        perror("signal");
        exit(1);
    }
 }
 /* We don't want to run as root -- drop priviledges if required */
 void drop_privileges(char* user_name)
 {
    int res;
    struct passwd *pw = getpwnam(user_name);
    if (!pw) {
        fprintf(stderr, "%s: not found\n", user_name);
        exit(1);
    }
    if (verbose)
        fprintf(stderr, "turning into %s\n", user_name);
    res = setgid(pw->pw_gid);
    CHECK_RES_DIE(res, "setgid");
    setuid(pw->pw_uid);
    CHECK_RES_DIE(res, "setuid");
 }
 /* Writes my PID if $PIDFILE is defined */
 void write_pid_file(void)
 {
    char *pidfile = getenv("PIDFILE");
    FILE *f;
    if (!pidfile)
        return;
    f = fopen(pidfile, "w");
    if (!f) {
        perror(pidfile);
        exit(1);
    }
    fprintf(f, "%d\n", getpid());
    fclose(f);
 }
 void printsettings(void)
 {
    char buf[64];
    fprintf(
            stderr, 
            "SSL addr: %s (after timeout %ds)\n",
            sprintaddr(buf, sizeof(buf), &addr_ssl), 
            timeout
           );
    fprintf(stderr, "SSH addr: %s\n", sprintaddr(buf, sizeof(buf), &addr_ssh));
    fprintf(stderr, "listening on %s\n", sprintaddr(buf, sizeof(buf), &addr_listen));
 }
 int main(int argc, char *argv[])
 {
   extern char *optarg;
   extern int optind;
   int c, res;
   int in_socket, listen_socket;
   /* Init defaults */
   char *user_name = "nobody";
   char listen_str[] = "0.0.0.0:443";
   char ssl_str[] = "localhost:442";
   char ssh_str[] = "localhost:22";
   resolve_name(&addr_listen, listen_str);
   resolve_name(&addr_ssl, ssl_str);
   resolve_name(&addr_ssh, ssh_str);
   while ((c = getopt(argc, argv, "t:l:s:p:vu:")) != EOF) {
      switch (c) {
              case 't':
                      timeout = atoi(optarg);
                      break;
              case 'p':
                      resolve_name(&addr_listen, optarg);
                      break;
              case 'l':
                      resolve_name(&addr_ssl, optarg);
                      break;
              case 's':
                      resolve_name(&addr_ssh, optarg);
                      break;
              case 'v':
                      verbose += 1;
                      break;
              case 'u':
                      user_name = optarg;
                      break;
              default:
                      fprintf(stderr, USAGE_STRING);
                      exit(2);
      }
   }
   if (verbose)
       printsettings();
   setup_signals();
   listen_socket = start_listen_socket(&addr_listen);
   if (fork() > 0) exit(0); /* Detach */
   write_pid_file();
   drop_privileges(user_name);
   /* New session -- become group leader */
   res = setsid();
   CHECK_RES_DIE(res, "setsid: already process leader");
   /* Open syslog connexion */
   openlog(argv[0], LOG_CONS, LOG_AUTH);
   /* Main server loop: accept connections, find what they are, fork shovelers */
   while (1)
   {
      in_socket = accept(listen_socket, 0, 0);
      if (verbose) fprintf(stderr, "accepted fd %d\n", in_socket);
      if (!fork())
      {
         start_shoveler(in_socket);
         exit(0);
      }
      close(in_socket);
   }
   return 0;
 }
--- a/sslh.pod
+++ b/sslh.pod
@ -0,0 +1,235 @@
 # I'm just not gonna write troff :-)
 =head1 NAME
 sslh - protocol demultiplexer
 =head1 SYNOPSIS
 sslh [B<-F> I<config file>] [ B<-t> I<num> ] [B<--transparent>] [B<-p> I<listening address> [B<-p> I<listening address> ...] [B<--ssl> I<target address for SSL>] [B<--ssh> I<target address for SSH>] [B<--openvpn> I<target address for OpenVPN>] [B<--http> I<target address for HTTP>] [B<--anyprot> I<default target address>] [B<--on-timeout> I<protocol name>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-i] [-V] [-f] [-n]
 =head1 DESCRIPTION
 B<sslh> accepts connections on specified ports, and forwards
 them further based on tests performed on the first data
 packet sent by the remote client.
 Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are
 implemented, and any other protocol that can be tested using
 a regular expression, can be recognised. A typical use case
 is to allow serving several services on port 443 (e.g. to
 connect to ssh from inside a corporate firewall, which
 almost never block port 443) while still serving HTTPS on
 that port. 
 Hence B<sslh> acts as a protocol demultiplexer, or a
 switchboard. Its name comes from its original function to
 serve SSH and HTTPS on the same port.
 =head2 Libwrap support
 One drawback of B<sslh> is that the servers do not see the
 original IP address of the client anymore, as the connection
 is forwarded through B<sslh>.
 For this reason, B<sslh> can be compiled with B<libwrap> to
 check accesses defined in F</etc/hosts.allow> and
 F</etc/hosts.deny>.  Libwrap services can be defined using
 the configuration file.
 =head2 Configuration file
 A configuration file can be supplied to B<sslh>. Command
 line arguments override file settings. B<sslh> uses
 B<libconfig> to parse the configuration file, so the general
 file format is indicated in
 L<http://www.hyperrealm.com/libconfig/libconfig_manual.html>.
 Please refer to the example configuration file provided with
 B<sslh> for the specific format (Options have the same names
 as on the command line, except for the list of listen ports
 and the list of protocols).
 The configuration file makes it possible to specify
 protocols using regular expressions: a list of regular
 expressions is given as the I<regex_patterns> parameter, and if the
 first packet received from the client matches any of these
 expressions, B<sslh> connects to that protocol.
 =head2 Probing protocols
 When receiving an incoming connection, B<sslh> will read the
 first bytes sent be the connecting client. It will then
 probe for the protocol in the order specified on the command
 line (or the configuration file). Therefore B<--anyprot>
 should alway be used last, as it always succeeds and further
 protocols will never be tried.
 If no data is sent by the client, B<sslh> will eventually
 time out and connect to the protocol specified with
 B<--on-timeout>, or I<ssh> if none is specified.
 =head2 Logging
 As a security/authorization program, B<sslh> logs to the
 LOG_AUTH facility, with priority LOG_INFO for normal
 connections and LOG_ERR for failures.
 =head1 OPTIONS
 =over 4
 =item B<-F> I<filename>, B<--config> I<filename>
 Uses I<filename> has configuration file. If other
 command-line options are specified, they will override the
 configuration file's settings.
 =item B<-t> I<num>, B<--timeout> I<num>
 Timeout before forwarding the connection to the timeout
 protocol (which should usually be SSH). Default is 2s.
 =item B<--on-timeout> I<protocol name>
 Name of the protocol to connect to after the timeout period
 is over. Default is 'ssh'.
 =item B<--transparent>
 Makes B<sslh> behave as a transparent proxy, i.e. the
 receiving service sees the original client's IP address.
 This works on Linux only and involves B<iptables> settings.
 Refer to the README for more information.
 =item B<-p> I<listening address>, B<--listen> I<listening address>
 Interface and port on which to listen, e.g. I<foobar:443>,
 where I<foobar> is the name of an interface (typically the
 IP address on which the Internet connection ends up).
 This can be specified several times to bind B<sslh> to
 several addresses.
 =item B<--ssl> I<target address>
 =item B<--tls> I<target address>
 Interface and port on which to forward SSL connection,
 typically I<localhost:443>.
 Note that you can set B<sslh> to listen on I<ext_ip:443> and
 B<httpd> to listen on I<localhost:443>: this allows clients
 inside your network to just connect directly to B<httpd>.
 Also, B<sslh> probes for SSLv3 (or TLSv1) handshake and will
 reject connections from clients requesting SSLv2. This is
 compliant to RFC6176 which prohibits the usage of SSLv2. If
 you wish to accept SSLv2, use B<--default> instead.
 =item B<--ssh> I<target address>
 Interface and port on which to forward SSH connections,
 typically I<localhost:22>.
 =item B<--openvpn> I<target address>
 Interface and port on which to forward OpenVPN connections,
 typically I<localhost:1194>.
 =item B<--xmpp> I<target address>
 Interface and port on which to forward XMPP connections,
 typically I<localhost:5222>.
 =item B<--http> I<target address>
 Interface and port on which to forward HTTP connections,
 typically I<localhost:80>.
 =item B<--tinc> I<target address>
 Interface and port on which to forward tinc connections,
 typically I<localhost:655>.
 This is experimental. If you use this feature, please report
 the results (even if it works!)
 =item B<--anyprot> I<target address>
 Interface and port on which to forward if no other protocol
 has been found. Because B<sslh> tries protocols in the order
 specified on the command line, this should be specified
 last. If no default is specified, B<sslh> will forward
 unknown protocols to the first protocol specified.
 =item B<-v>, B<--verbose>
 Increase verboseness.
 =item B<-n>, B<--numeric>
 Do not attempt to resolve hostnames: logs will contain IP
 addresses. This is mostly useful if the system's DNS is slow
 and running the I<sslh-select> variant, as DNS requests will
 hang all connections.
 =item B<-V>
 Prints B<sslh> version.
 =item B<-u> I<username>, B<--user> I<username>
 Requires to run under the specified username. 
 =item B<-P> I<pidfile>, B<--pidfile> I<pidfile>
 Specifies a file in which to write the PID of the main
 server.
 =item B<-i>, B<--inetd>
 Runs as an I<inetd> server. Options B<-P> (PID file), B<-p>
 (listen address), B<-u> (user) are ignored.
 =item B<-f>, B<--foreground>
 Runs in foreground. The server will not fork and will remain connected
 to the terminal. Messages normally sent to B<syslog> will also be sent
 to I<stderr>.
 =item B<--background>
 Runs in background. This overrides B<foreground> if set in
 the configuration file (or on the command line, but there is
 no point setting both on the command line unless you have a
 personality disorder).
 =back
 =head1 FILES
 =over 4
 =item F</etc/init.d/sslh>
 Start-up script. The standard actions B<start>, B<stop> and
 B<restart> are supported.
 =item F</etc/default/sslh>
 Server configuration. These are environment variables
 loaded by the start-up script and passed to B<sslh> as
 command-line arguments. Refer to the OPTIONS section for a
 detailed explanation of the variables used by B<sslh>.
 =back
 =head1 SEE ALSO
 Last version available from
 L<http://www.rutschle.net/tech/sslh>, and can be tracked
 from L<http://freecode.com/projects/sslh>.
 =head1 AUTHOR
 Written by Yves Rutschle
--- a/317
+++ b/317
@ -0,0 +1,317 @@
 #! /usr/bin/perl -w
 # Test script for sslh
 use strict;
 use IO::Socket::INET6;
 use Test::More qw/no_plan/;
 # We use ports 9000, 9001 and 9002 -- hope that won't clash
 # with anything...
 my $ssh_address = "ip6-localhost:9000";
 my $ssl_address = "ip6-localhost:9001";
 my $sslh_port = 9002;
 my $no_listen = 9003;  # Port on which no-one listens
 my $pidfile = "/tmp/sslh_test.pid";
 # Which tests do we run
 my $SSL_CNX =           1;
 my $SSH_SHY_CNX =       1;
 my $SSH_BOLD_CNX =      1;
 my $SSH_PROBE_AGAIN =   1;
 my $SSL_MIX_SSH =       1;
 my $SSH_MIX_SSL =       1;
 my $BIG_MSG =           0; # This test is unreliable
 my $STALL_CNX =         0; # This test needs fixing
 # Robustness tests. These are mostly to achieve full test
 # coverage, but do not necessarily result in an actual test
 # (e.g. some tests need to be run with valgrind to check all
 # memory management code).
 my $RB_CNX_NOSERVER =           1;
 my $RB_PARAM_NOHOST =           1;
 my $RB_WRONG_USERNAME =         1;
 my $RB_OPEN_PID_FILE =          1;
 my $RB_BIND_ADDRESS =           1;
 my $RB_RESOLVE_ADDRESS =        1;
 `lcov --directory . --zerocounters`;
 my ($ssh_pid, $ssl_pid);
 if (!($ssh_pid = fork)) {
    exec "./echosrv --listen $ssh_address --prefix 'ssh: '";
 }
 if (!($ssl_pid = fork)) {
    exec "./echosrv --listen $ssl_address --prefix 'ssl: '";
 }
 my @binaries = ('sslh-select', 'sslh-fork');
 for my $binary (@binaries) {
    warn "Testing $binary\n";
 # Start sslh with the right plumbing
    my $sslh_pid;
    if (!($sslh_pid = fork)) {
        my $user = (getpwuid $<)[0]; # Run under current username
        my $cmd = "./$binary -v -f -u $user --listen localhost:$sslh_port --ssh $ssh_address --ssl $ssl_address -P $pidfile";
        warn "$cmd\n";
        #exec $cmd;
        exec "valgrind --leak-check=full ./$binary -v -f -u $user --listen localhost:$sslh_port --ssh $ssh_address -ssl $ssl_address -P $pidfile";
        exit 0;
    }
    warn "spawned $sslh_pid\n";
    sleep 5;  # valgrind can be heavy -- wait 5 seconds
    my $test_data = "hello world\n";
 #    my $ssl_test_data = (pack 'n', ((length $test_data) + 2)) .  $test_data;
    my $ssl_test_data = "\x16\x03\x03$test_data\n";
 # Test: SSL connection
    if ($SSL_CNX) {
        print "***Test: SSL connection\n";
        my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
        warn "$!\n" unless $cnx_l;
        if (defined $cnx_l) {
            print $cnx_l $ssl_test_data;
            my $data;
            my $n = sysread $cnx_l, $data, 1024;
            is($data, "ssl: $ssl_test_data", "SSL connection");
        }
    }
 # Test: Shy SSH connection
    if ($SSH_SHY_CNX) {
        print "***Test: Shy SSH connection\n";
        my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
        warn "$!\n" unless $cnx_h;
        if (defined $cnx_h) {
            sleep 3;
            print $cnx_h $test_data;
            my $data = <$cnx_h>;
            is($data, "ssh: $test_data", "Shy SSH connection");
        }
    }
 # Test: Bold SSH connection
    if ($SSH_BOLD_CNX) {
        print "***Test: Bold SSH connection\n";
        my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
        warn "$!\n" unless $cnx_h;
        if (defined $cnx_h) {
            my $td = "SSH-2.0 testsuite\t$test_data";
            print $cnx_h $td;
            my $data = <$cnx_h>;
            is($data, "ssh: $td", "Bold SSH connection");
        }
    }
 # Test: PROBE_AGAIN, incomplete first frame
    if ($SSH_PROBE_AGAIN) {
        print "***Test: incomplete SSH first frame\n";
        my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
        warn "$!\n" unless $cnx_h;
        if (defined $cnx_h) {
            my $td = "SSH-2.0 testsuite\t$test_data";
            print $cnx_h substr $td, 0, 2;
            sleep 1;
            print $cnx_h substr $td, 2;
            my $data = <$cnx_h>;
            is($data, "ssh: $td", "Incomplete first SSH frame");
        }
    }
 # Test: One SSL half-started then one SSH
    if ($SSL_MIX_SSH) {
        print "***Test: One SSL half-started then one SSH\n";
        my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
        warn "$!\n" unless $cnx_l;
        if (defined $cnx_l) {
            print $cnx_l $ssl_test_data;
            my $cnx_h= new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
            warn "$!\n" unless $cnx_h;
            if (defined $cnx_h) {
                sleep 3;
                print $cnx_h $test_data;
                my $data_h = <$cnx_h>;
                is($data_h, "ssh: $test_data", "SSH during SSL being established");
            }
            my $data;
            my $n = sysread $cnx_l, $data, 1024;
            is($data, "ssl: $ssl_test_data", "SSL connection interrupted by SSH");
        }
    }
 # Test: One SSH half-started then one SSL
    if ($SSH_MIX_SSL) {
        print "***Test: One SSH half-started then one SSL\n";
        my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
        warn "$!\n" unless $cnx_h;
        if (defined $cnx_h) {
            sleep 3;
            my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
            warn "$!\n" unless $cnx_l;
            if (defined $cnx_l) {
                print $cnx_l $ssl_test_data;
                my $data;
                my $n = sysread $cnx_l, $data, 1024;
                is($data, "ssl: $ssl_test_data", "SSL during SSH being established");
            }
            print $cnx_h $test_data;
            my $data = <$cnx_h>;
            is($data, "ssh: $test_data", "SSH connection interrupted by SSL");
        }
    }
 # Test: Big messages (careful: don't go over echosrv's buffer limit (1M))
    if ($BIG_MSG) {
        print "***Test: big message\n";
        my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
        warn "$!\n" unless $cnx_l;
        my $rept = 1000;
        my $test_data2 = $ssl_test_data . ("helloworld"x$rept);
        if (defined $cnx_l) {
            my $n = syswrite $cnx_l, $test_data2;
            my ($data);
            $n = sysread $cnx_l, $data, 1 << 20;
            is($data, "ssl: ". $test_data2, "Big message");
        }
    }
 # Test: Stalled connection
 # Create two connections, stall one, check the other one
 # works, unstall first and check it works fine
 # This test needs fixing.
 # Now that echosrv no longer works on "lines" (finishing
 # with '\n'), it may cut blocks randomly with prefixes.
 # The whole thing needs to be re-thought as it'll only
 # work by chance.
    if ($STALL_CNX) {
        print "***Test: Stalled connection\n";
        my $cnx_1 = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
        warn "$!\n" unless defined $cnx_1;
        my $cnx_2 = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
        warn "$!\n" unless defined $cnx_2;
        my $test_data2 = "helloworld";
        sleep 4;
        my $rept = 1000;
        if (defined $cnx_1 and defined $cnx_2) {
            print $cnx_1 ($test_data2 x $rept);
            print $cnx_1 "\n";
            print $cnx_2 ($test_data2 x $rept);
            print $cnx_2 "\n";
            my $data = <$cnx_2>;
            is($data, "ssh: " . ($test_data2 x $rept) . "\n", "Stalled connection (1)");
            print $cnx_2 ($test_data2 x $rept);
            print $cnx_2 "\n";
            $data = <$cnx_2>;
            is($data, "ssh: " . ($test_data2 x $rept) . "\n", "Stalled connection (2)");
            $data = <$cnx_1>;
            is($data, "ssh: " . ($test_data2 x $rept) . "\n", "Stalled connection (3)");
        }
    }
    my $pid = `cat $pidfile`;
    warn "killing $pid\n";
    kill TERM => $pid or warn "kill process: $!\n";
    sleep 1;
 }
 # Robustness: Connecting to non-existant server
 if ($RB_CNX_NOSERVER) {
    print "***Test: Connecting to non-existant server\n";
    my $sslh_pid;
    if (!($sslh_pid = fork)) {
        my $user = (getpwuid $<)[0]; # Run under current username
        exec "./sslh-select -v -f -u $user --listen localhost:$sslh_port --ssh localhost:$no_listen --ssl localhost:$no_listen -P $pidfile";
    }
    warn "spawned $sslh_pid\n";
    sleep 1;
    my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
    warn "$!\n" unless $cnx_h;
    if (defined $cnx_h) {
        sleep 1;
        my $test_data = "hello";
        print $cnx_h $test_data;
    }
    # Ideally we should check a log is emitted.
    kill TERM => `cat $pidfile` or warn "kill: $!\n";
    sleep 1;
 }
 # Robustness: No hostname in address
 if ($RB_PARAM_NOHOST) {
    print "***Test: No hostname in address\n";
    my $sslh_pid;
    if (!($sslh_pid = fork)) {
        my $user = (getpwuid $<)[0]; # Run under current username
        exec "./sslh-select -v -f -u $user --listen $sslh_port --ssh $ssh_address --ssl $ssl_address -P $pidfile";
    }
    warn "spawned $sslh_pid\n";
    waitpid $sslh_pid, 0;
    my $code = $? >> 8;
    warn "exited with $code\n";
    is($code, 1, "Exit status on illegal option");
 }
 # Robustness: User does not exist
 if ($RB_WRONG_USERNAME) {
    print "***Test: Changing to non-existant username\n";
    my $sslh_pid;
    if (!($sslh_pid = fork)) {
        my $user = (getpwuid $<)[0]; # Run under current username
        exec "./sslh-select -v -f -u ${user}_doesnt_exist --listen localhost:$sslh_port --ssh $ssh_address --ssl $ssl_address -P $pidfile";
    }
    warn "spawned $sslh_pid\n";
    waitpid $sslh_pid, 0;
    my $code = $? >> 8;
    warn "exited with $code\n";
    is($code, 2, "Exit status on non-existant username");
 }
 # Robustness: Can't open PID file
 if ($RB_OPEN_PID_FILE) {
    print "***Test: Can't open PID file\n";
    my $sslh_pid;
    if (!($sslh_pid = fork)) {
        my $user = (getpwuid $<)[0]; # Run under current username
        exec "./sslh-select -v -f -u $user --listen localhost:$sslh_port --ssh $ssh_address --ssl $ssl_address -P /dont_exist/$pidfile";
        # You don't have a /dont_exist/ directory, do you?!
    }
    warn "spawned $sslh_pid\n";
    waitpid $sslh_pid, 0;
    my $code = $? >> 8;
    warn "exited with $code\n";
    is($code, 3, "Exit status if can't open PID file");
 }
 # Robustness: Can't resolve address
 if ($RB_RESOLVE_ADDRESS) {
    print "***Test: Can't resolve address\n";
    my $sslh_pid;
    if (!($sslh_pid = fork)) {
        my $user = (getpwuid $<)[0]; # Run under current username
        exec "./sslh-select -v -f -u $user --listen blahblah.dontexist:9000 --ssh $ssh_address --ssl $ssl_address -P $pidfile";
    }
    warn "spawned $sslh_pid\n";
    waitpid $sslh_pid, 0;
    my $code = $? >> 8;
    warn "exited with $code\n";
    is($code, 4, "Exit status if can't resolve address");
 }
 `lcov --directory . --capture --output-file sslh_cov.info`;
 `genhtml sslh_cov.info`;
 `killall echosrv`;
--- a/128
+++ b/128
@ -0,0 +1,128 @@
 #! /usr/bin/perl -w
 # Test script for sslh -- mass communication
 # This creates many clients that perform concurrent
 # connections, disconnect at any time, and try to generally
 # behave as badly as possible.
 # It can be used to test sslh behaves properly with many
 # clients, however its main use is to get an idea of how
 # much load it can take on your system before things start
 # to go wrong.
 use strict;
 use IO::Socket::INET6;
 use Data::Dumper;
 ## BEGIN TEST CONFIG
 # Do we test sslh-select or sslh-fork?
 my $sslh_binary = "./sslh-select";
 # How many clients to we start for each protocol?
 my $NUM_CNX = 30;
 # Delay between starting new processes when starting up. If
 # you start 200 processes in under a second, things go wrong
 # and it's not sslh's fault (typically the echosrv won't be
 # forking fast enough).
 my $start_time_delay = 1;
 # If you test 4 protocols, you'll start $NUM_CNX * 4 clients
 # (e.g. 40), starting one every $start_time_delay seconds.
 # Max times we repeat the test string: allows to test for
 # large messages.
 my $block_rpt = 4096;
 # Probability to stop a client after a message (e.g. with
 # .01 a client will send an average of 100 messages before
 # disconnecting).
 my $stop_client_probability = .001;
 # What protocols we test, and on what ports
 # Just comment out protocols you don't want to use.
 my %protocols = (
    "ssh" => { address => "localhost:9001", client => client("ssh") },
    "ssl" => { address => "localhost:9002", client => client("ssl") },
    "openvpn" => {address => "localhost:9003", client => client("openvpn") },
    "tinc" => {address => "localhost:9004", client => client("tinc") },
 );
 ##END CONFIG
 # We use ports 9000, 9001 and 9002 -- hope that won't clash
 # with anything...
 my $sslh_address = "localhost:9000";
 my $pidfile = "/tmp/sslh_test.pid";
 sub client {
    my ($service) = @_;
    return sub {
        while (1) {
            my $cnx = new IO::Socket::INET(PeerHost => $sslh_address);
            my $test_data = "$service testing " x int(rand($block_rpt)+1) . "\n";
            sleep 5 if $service eq "ssh";
            if ($service eq "openvpn") {
                syswrite $cnx, "\x00\x0F\x38\n";
                my $msg;
                sysread $cnx, $msg, 14; # length "openvpn: \x0\xF\x38\n" => 14
            }
            if ($service eq "tinc") {
                syswrite $cnx, "0 \n";
                my $msg;
                sysread $cnx, $msg, 10; # length "tinc: 0 \n" => 10 
            }
            while (1) {
                print $cnx $test_data;
                my $r = <$cnx>;
                ($? = 1, die "$service got [$r]\n") if ($r ne "$service: $test_data");
                last if rand(1) < $stop_client_probability;
            }
        }
        exit 0;
    }
 }
 foreach my $p (keys %protocols) {
    if (!fork) {
        exec "./echosrv --listen $protocols{$p}->{address} --prefix '$p: '";
    }
 }
 # Start sslh with the right plumbing
 my $sslh_pid;
 if (!($sslh_pid = fork)) {
    my $user = (getpwuid $<)[0]; # Run under current username
    my $prots = join " ", map "--$_ $protocols{$_}->{address}", keys %protocols;
    my $cmd = "$sslh_binary -f -t 3 -u $user --listen $sslh_address $prots -P $pidfile";
    print "$cmd\n";
    exec $cmd;
    exit 0;
 }
 warn "spawned $sslh_pid\n";
 sleep 2;  # valgrind can be heavy -- wait 5 seconds
 for (1 .. $NUM_CNX) {
    foreach my $p (keys %protocols) {
        if (!fork) {
            warn "starting $p\n";
            &{$protocols{$p}->{client}};
            exit;
        }
        # Give a little time so we don't overrun the
        # listen(2) backlog.
        select undef, undef, undef, $start_time_delay;
    }
 }
 wait;
 `killall echosrv`;
--- a/tls.c
+++ b/tls.c
@ -0,0 +1,327 @@
 /*
 * Copyright (c) 2011 and 2012, Dustin Lundquist <dustin@null-ptr.net>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
 /*
 * This is a minimal TLS implementation intended only to parse the server name
 * extension.  This was created based primarily on Wireshark dissection of a
 * TLS handshake and RFC4366.
 */
 #include <stdio.h>
 #include <stdlib.h> /* malloc() */
 #include "tls.h"
 #define TLS_HEADER_LEN 5
 #define TLS_HANDSHAKE_CONTENT_TYPE 0x16
 #define TLS_HANDSHAKE_TYPE_CLIENT_HELLO 0x01
 #ifndef MIN
 #define MIN(X, Y) ((X) < (Y) ? (X) : (Y))
 #endif
 struct TLSProtocol {
    int use_alpn;
    char** sni_hostname_list;
    char** alpn_protocol_list;
 };
 static int parse_extensions(const struct TLSProtocol *, const char *, size_t);
 static int parse_server_name_extension(const struct TLSProtocol *, const char *, size_t);
 static int parse_alpn_extension(const struct TLSProtocol *, const char *, size_t);
 static int has_match(char**, const char*, size_t);
 /* Parse a TLS packet for the Server Name Indication and ALPN extension in the client
 * hello handshake, returning a status code
 *
 * Returns:
 *  >=0  - length of the hostname and updates *hostname
 *         caller is responsible for freeing *hostname
 *  -1   - Incomplete request
 *  -2   - No Host header included in this request
 *  -3   - Invalid hostname pointer
 *  < -4 - Invalid TLS client hello
 */
 int
 parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t data_len) {
    char tls_content_type;
    char tls_version_major;
    char tls_version_minor;
    size_t pos = TLS_HEADER_LEN;
    size_t len;
    /* Check that our TCP payload is at least large enough for a TLS header */
    if (data_len < TLS_HEADER_LEN)
        return -1;
    tls_content_type = data[0];
    if (tls_content_type != TLS_HANDSHAKE_CONTENT_TYPE) {
        if (verbose) fprintf(stderr, "Request did not begin with TLS handshake.\n");
        return -5;
    }
    tls_version_major = data[1];
    tls_version_minor = data[2];
    if (tls_version_major < 3) {
        if (verbose) fprintf(stderr, "Received SSL %d.%d handshake which cannot be parsed.\n",
              tls_version_major, tls_version_minor);
        return -2;
    }
    /* TLS record length */
    len = ((unsigned char)data[3] << 8) +
          (unsigned char)data[4] + TLS_HEADER_LEN;
    data_len = MIN(data_len, len);
    /* Check we received entire TLS record length */
    if (data_len < len)
        return -1;
    /*
     * Handshake
     */
    if (pos + 1 > data_len) {
        return -5;
    }
    if (data[pos] != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
        if (verbose) fprintf(stderr, "Not a client hello\n");
        return -5;
    }
    /* Skip past fixed length records:
       1	Handshake Type
       3	Length
       2	Version (again)
       32	Random
       to	Session ID Length
     */
    pos += 38;
    /* Session ID */
    if (pos + 1 > data_len)
        return -5;
    len = (unsigned char)data[pos];
    pos += 1 + len;
    /* Cipher Suites */
    if (pos + 2 > data_len)
        return -5;
    len = ((unsigned char)data[pos] << 8) + (unsigned char)data[pos + 1];
    pos += 2 + len;
    /* Compression Methods */
    if (pos + 1 > data_len)
        return -5;
    len = (unsigned char)data[pos];
    pos += 1 + len;
    if (pos == data_len && tls_version_major == 3 && tls_version_minor == 0) {
        if (verbose) fprintf(stderr, "Received SSL 3.0 handshake without extensions\n");
        return -2;
    }
    /* Extensions */
    if (pos + 2 > data_len)
        return -5;
    len = ((unsigned char)data[pos] << 8) + (unsigned char)data[pos + 1];
    pos += 2;
    if (pos + len > data_len)
        return -5;
    return parse_extensions(tls_data, data + pos, len);
 }
 static int
 parse_extensions(const struct TLSProtocol *tls_data, const char *data, size_t data_len) {
    size_t pos = 0;
    size_t len;
    int last_matched = 0;
    if (tls_data == NULL)
        return -3;
    /* Parse each 4 bytes for the extension header */
    while (pos + 4 <= data_len) {
        /* Extension Length */
        len = ((unsigned char) data[pos + 2] << 8) +
              (unsigned char) data[pos + 3];
        if (pos + 4 + len > data_len)
            return -5;
        size_t extension_type = ((unsigned char) data[pos] << 8) +
                                (unsigned char) data[pos + 1];
        /* Check if it's a server name extension */
        /* There can be only one extension of each type, so we break
           our state and move pos to beginning of the extension here */
        if (tls_data->use_alpn == 2) {
            /* we want BOTH alpn and sni to match */
            if (extension_type == 0x00) { /* Server Name */
                if (parse_server_name_extension(tls_data, data + pos + 4, len)) {
                    /* SNI matched */
                    if(last_matched) {
                        /* this is only true if ALPN matched, so return true */
                        return last_matched;
                    } else {
                        /* otherwise store that SNI matched */
                        last_matched = 1;
                    }
                } else {
                    // both can't match
                    return -2;
                }
            } else if (extension_type == 0x10) { /* ALPN */
                if (parse_alpn_extension(tls_data, data + pos + 4, len)) {
                    /* ALPN matched */
                    if(last_matched) {
                        /* this is only true if SNI matched, so return true */
                        return last_matched;
                    } else {
                        /* otherwise store that ALPN matched */
                        last_matched = 1;
                    }
                } else {
                    // both can't match
                    return -2;
                }
            }
        } else if (extension_type == 0x00 && tls_data->use_alpn == 0) { /* Server Name */
            return parse_server_name_extension(tls_data, data + pos + 4, len);
        } else if (extension_type == 0x10 && tls_data->use_alpn == 1) { /* ALPN */
            return parse_alpn_extension(tls_data, data + pos + 4, len);
        }
        pos += 4 + len; /* Advance to the next extension header */
    }
    /* Check we ended where we expected to */
    if (pos != data_len)
        return -5;
    return -2;
 }
 static int
 parse_server_name_extension(const struct TLSProtocol *tls_data, const char *data, size_t data_len) {
    size_t pos = 2; /* skip server name list length */
    size_t len;
    while (pos + 3 < data_len) {
        len = ((unsigned char)data[pos + 1] << 8) +
              (unsigned char)data[pos + 2];
        if (pos + 3 + len > data_len)
            return -5;
        switch (data[pos]) { /* name type */
            case 0x00: /* host_name */
                if(has_match(tls_data->sni_hostname_list, data + pos + 3, len)) {
                    return len;
                } else {
                    return -2;
                }
            default:
                if (verbose) fprintf(stderr, "Unknown server name extension name type: %d\n",
                      data[pos]);
        }
        pos += 3 + len;
    }
    /* Check we ended where we expected to */
    if (pos != data_len)
        return -5;
    return -2;
 }
 static int
 parse_alpn_extension(const struct TLSProtocol *tls_data, const char *data, size_t data_len) {
    size_t pos = 2;
    size_t len;
    while (pos + 1 < data_len) {
        len = (unsigned char)data[pos];
        if (pos + 1 + len > data_len)
            return -5;
        if (len > 0 && has_match(tls_data->alpn_protocol_list, data + pos + 1, len)) {
            return len;
        } else if (len > 0) {
            if (verbose) fprintf(stderr, "Unknown ALPN name: %.*s\n", (int)len, data + pos + 1);
        }
        pos += 1 + len;
    }
    /* Check we ended where we expected to */
    if (pos != data_len)
        return -5;
    return -2;
 }
 static int
 has_match(char** list, const char* name, size_t name_len) {
    char **item;
    for (item = list; *item; item++) {
        if (verbose) fprintf(stderr, "matching [%.*s] with [%s]\n", (int)name_len, name, *item);
        if(!strncmp(*item, name, name_len)) {
            return 1;
        }
    }
    return 0;
 }
 struct TLSProtocol *
 new_tls_data() {
    struct TLSProtocol *tls_data = malloc(sizeof(struct TLSProtocol));
    if (tls_data != NULL) {
        tls_data->use_alpn = -1;
    }
    return tls_data;
 }
 struct TLSProtocol *
 tls_data_set_list(struct TLSProtocol *tls_data, int alpn, char** list) {
    if (alpn) {
        tls_data->alpn_protocol_list = list;
        if(tls_data->use_alpn == 0)
            tls_data->use_alpn = 2;
        else
            tls_data->use_alpn = 1;
    } else {
        tls_data->sni_hostname_list = list;
        if(tls_data->use_alpn == 1)
            tls_data->use_alpn = 2;
        else
            tls_data->use_alpn = 0;
    }
    return tls_data;
 }
--- a/tls.h
+++ b/tls.h
@ -0,0 +1,38 @@
 /*
 * Copyright (c) 2011 and 2012, Dustin Lundquist <dustin@null-ptr.net>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
 #ifndef TLS_H
 #define TLS_H
 #include "common.h"
 struct TLSProtocol;
 int parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t data_len);
 struct TLSProtocol *new_tls_data();
 struct TLSProtocol *tls_data_set_list(struct TLSProtocol *, int, char**);
 #endif