2
0

secureserver.pl 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383
  1. #!/usr/bin/env perl
  2. #***************************************************************************
  3. # _ _ ____ _
  4. # Project ___| | | | _ \| |
  5. # / __| | | | |_) | |
  6. # | (__| |_| | _ <| |___
  7. # \___|\___/|_| \_\_____|
  8. #
  9. # Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  10. #
  11. # This software is licensed as described in the file COPYING, which
  12. # you should have received as part of this distribution. The terms
  13. # are also available at https://curl.se/docs/copyright.html.
  14. #
  15. # You may opt to use, copy, modify, merge, publish, distribute and/or sell
  16. # copies of the Software, and permit persons to whom the Software is
  17. # furnished to do so, under the terms of the COPYING file.
  18. #
  19. # This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  20. # KIND, either express or implied.
  21. #
  22. # SPDX-License-Identifier: curl
  23. #
  24. #***************************************************************************
  25. # This is the HTTPS, FTPS, POP3S, IMAPS, SMTPS, server used for curl test
  26. # harness. Actually just a layer that runs stunnel properly using the
  27. # non-secure test harness servers.
  28. use strict;
  29. use warnings;
  30. BEGIN {
  31. push(@INC, $ENV{'srcdir'}) if(defined $ENV{'srcdir'});
  32. push(@INC, ".");
  33. }
  34. use Cwd;
  35. use Cwd 'abs_path';
  36. use File::Basename;
  37. use serverhelp qw(
  38. server_pidfilename
  39. server_logfilename
  40. );
  41. use pathhelp;
  42. my $stunnel = "stunnel";
  43. my $verbose=0; # set to 1 for debugging
  44. my $accept_port = 8991; # just our default, weird enough
  45. my $target_port = 8999; # default test http-server port
  46. my $stuncert;
  47. my $ver_major;
  48. my $ver_minor;
  49. my $fips_support;
  50. my $stunnel_version;
  51. my $tstunnel_windows;
  52. my $socketopt;
  53. my $cmd;
  54. my $pidfile; # stunnel pid file
  55. my $logfile; # stunnel log file
  56. my $loglevel = 5; # stunnel log level
  57. my $ipvnum = 4; # default IP version of stunneled server
  58. my $idnum = 1; # default stunneled server instance number
  59. my $proto = 'https'; # default secure server protocol
  60. my $conffile; # stunnel configuration file
  61. my $capath; # certificate chain PEM folder
  62. my $certfile; # certificate chain PEM file
  63. #***************************************************************************
  64. # stunnel requires full path specification for several files.
  65. #
  66. my $path = getcwd();
  67. my $srcdir = $path;
  68. my $logdir = $path .'/log';
  69. my $piddir;
  70. #***************************************************************************
  71. # Signal handler to remove our stunnel 4.00 and newer configuration file.
  72. #
  73. sub exit_signal_handler {
  74. my $signame = shift;
  75. local $!; # preserve errno
  76. local $?; # preserve exit status
  77. unlink($conffile) if($conffile && (-f $conffile));
  78. exit;
  79. }
  80. #***************************************************************************
  81. # Process command line options
  82. #
  83. while(@ARGV) {
  84. if($ARGV[0] eq '--verbose') {
  85. $verbose = 1;
  86. }
  87. elsif($ARGV[0] eq '--proto') {
  88. if($ARGV[1]) {
  89. $proto = $ARGV[1];
  90. shift @ARGV;
  91. }
  92. }
  93. elsif($ARGV[0] eq '--accept') {
  94. if($ARGV[1]) {
  95. if($ARGV[1] =~ /^(\d+)$/) {
  96. $accept_port = $1;
  97. shift @ARGV;
  98. }
  99. }
  100. }
  101. elsif($ARGV[0] eq '--connect') {
  102. if($ARGV[1]) {
  103. if($ARGV[1] =~ /^(\d+)$/) {
  104. $target_port = $1;
  105. shift @ARGV;
  106. }
  107. }
  108. }
  109. elsif($ARGV[0] eq '--stunnel') {
  110. if($ARGV[1]) {
  111. $stunnel = $ARGV[1];
  112. shift @ARGV;
  113. }
  114. }
  115. elsif($ARGV[0] eq '--srcdir') {
  116. if($ARGV[1]) {
  117. $srcdir = $ARGV[1];
  118. shift @ARGV;
  119. }
  120. }
  121. elsif($ARGV[0] eq '--certfile') {
  122. if($ARGV[1]) {
  123. $stuncert = $ARGV[1];
  124. shift @ARGV;
  125. }
  126. }
  127. elsif($ARGV[0] eq '--id') {
  128. if($ARGV[1]) {
  129. if($ARGV[1] =~ /^(\d+)$/) {
  130. $idnum = $1 if($1 > 0);
  131. shift @ARGV;
  132. }
  133. }
  134. }
  135. elsif($ARGV[0] eq '--ipv4') {
  136. $ipvnum = 4;
  137. }
  138. elsif($ARGV[0] eq '--ipv6') {
  139. $ipvnum = 6;
  140. }
  141. elsif($ARGV[0] eq '--pidfile') {
  142. if($ARGV[1]) {
  143. $pidfile = "$path/". $ARGV[1];
  144. shift @ARGV;
  145. }
  146. }
  147. elsif($ARGV[0] eq '--logfile') {
  148. if($ARGV[1]) {
  149. $logfile = "$path/". $ARGV[1];
  150. shift @ARGV;
  151. }
  152. }
  153. elsif($ARGV[0] eq '--logdir') {
  154. if($ARGV[1]) {
  155. $logdir = "$path/". $ARGV[1];
  156. shift @ARGV;
  157. }
  158. }
  159. else {
  160. print STDERR "\nWarning: secureserver.pl unknown parameter: $ARGV[0]\n";
  161. }
  162. shift @ARGV;
  163. }
  164. #***************************************************************************
  165. # Initialize command line option dependent variables
  166. #
  167. if($pidfile) {
  168. # Use our pidfile directory to store the conf files
  169. $piddir = dirname($pidfile);
  170. }
  171. else {
  172. # Use the current directory to store the conf files
  173. $piddir = $path;
  174. $pidfile = server_pidfilename($piddir, $proto, $ipvnum, $idnum);
  175. }
  176. if(!$logfile) {
  177. $logfile = server_logfilename($logdir, $proto, $ipvnum, $idnum);
  178. }
  179. $conffile = "$piddir/${proto}_stunnel.conf";
  180. $capath = abs_path($path);
  181. $certfile = "$srcdir/". ($stuncert?"certs/$stuncert":"stunnel.pem");
  182. $certfile = abs_path($certfile);
  183. my $ssltext = uc($proto) ." SSL/TLS:";
  184. my $host_ip = ($ipvnum == 6)? '::1' : '127.0.0.1';
  185. #***************************************************************************
  186. # Find out version info for the given stunnel binary
  187. #
  188. foreach my $veropt (('-version', '-V')) {
  189. foreach my $verstr (qx("$stunnel" $veropt 2>&1)) {
  190. if($verstr =~ /^stunnel (\d+)\.(\d+) on /) {
  191. $ver_major = $1;
  192. $ver_minor = $2;
  193. }
  194. elsif($verstr =~ /^sslVersion.*fips *= *yes/) {
  195. # the fips option causes an error if stunnel doesn't support it
  196. $fips_support = 1;
  197. last
  198. }
  199. }
  200. last if($ver_major);
  201. }
  202. if((!$ver_major) || !defined($ver_minor)) {
  203. if(-x "$stunnel" && ! -d "$stunnel") {
  204. print "$ssltext Unknown stunnel version\n";
  205. }
  206. else {
  207. print "$ssltext No stunnel\n";
  208. }
  209. exit 1;
  210. }
  211. $stunnel_version = (100*$ver_major) + $ver_minor;
  212. #***************************************************************************
  213. # Verify minimum stunnel required version
  214. #
  215. if($stunnel_version < 310) {
  216. print "$ssltext Unsupported stunnel version $ver_major.$ver_minor\n";
  217. exit 1;
  218. }
  219. #***************************************************************************
  220. # Find out if we are running on Windows using the tstunnel binary
  221. #
  222. if($stunnel =~ /tstunnel(\.exe)?$/) {
  223. $tstunnel_windows = 1;
  224. # convert Cygwin/MinGW paths to Windows format
  225. $capath = pathhelp::sys_native_abs_path($capath);
  226. $certfile = pathhelp::sys_native_abs_path($certfile);
  227. }
  228. #***************************************************************************
  229. # Build command to execute for stunnel 3.X versions
  230. #
  231. if($stunnel_version < 400) {
  232. if($stunnel_version >= 319) {
  233. $socketopt = "-O a:SO_REUSEADDR=1";
  234. }
  235. # TODO: we do not use $host_ip in this old version. I simply find
  236. # no documentation how to. But maybe ipv6 is not available anyway?
  237. $cmd = "\"$stunnel\" -p $certfile -P $pidfile ";
  238. $cmd .= "-d $accept_port -r $target_port -f -D $loglevel ";
  239. $cmd .= ($socketopt) ? "$socketopt " : "";
  240. $cmd .= ">$logfile 2>&1";
  241. if($verbose) {
  242. print uc($proto) ." server (stunnel $ver_major.$ver_minor)\n";
  243. print "cmd: $cmd\n";
  244. print "pem cert file: $certfile\n";
  245. print "pid file: $pidfile\n";
  246. print "log file: $logfile\n";
  247. print "log level: $loglevel\n";
  248. print "listen on port: $accept_port\n";
  249. print "connect to port: $target_port\n";
  250. }
  251. }
  252. #***************************************************************************
  253. # Build command to execute for stunnel 4.00 and newer
  254. #
  255. if($stunnel_version >= 400) {
  256. $socketopt = "a:SO_REUSEADDR=1";
  257. if(($stunnel_version >= 534) && $tstunnel_windows) {
  258. # SO_EXCLUSIVEADDRUSE is on by default on Vista or newer,
  259. # but does not work together with SO_REUSEADDR being on.
  260. $socketopt .= "\nsocket = a:SO_EXCLUSIVEADDRUSE=0";
  261. }
  262. $cmd = "\"$stunnel\" $conffile ";
  263. $cmd .= ">$logfile 2>&1";
  264. # setup signal handler
  265. $SIG{INT} = \&exit_signal_handler;
  266. $SIG{TERM} = \&exit_signal_handler;
  267. # stunnel configuration file
  268. if(open(my $stunconf, ">", "$conffile")) {
  269. print $stunconf "CApath = $capath\n";
  270. print $stunconf "cert = $certfile\n";
  271. print $stunconf "debug = $loglevel\n";
  272. print $stunconf "socket = $socketopt\n";
  273. if($fips_support) {
  274. # disable fips in case OpenSSL doesn't support it
  275. print $stunconf "fips = no\n";
  276. }
  277. if(!$tstunnel_windows) {
  278. # do not use Linux-specific options on Windows
  279. print $stunconf "output = $logfile\n";
  280. print $stunconf "pid = $pidfile\n";
  281. print $stunconf "foreground = yes\n";
  282. }
  283. print $stunconf "\n";
  284. print $stunconf "[curltest]\n";
  285. print $stunconf "accept = $host_ip:$accept_port\n";
  286. print $stunconf "connect = $host_ip:$target_port\n";
  287. if(!close($stunconf)) {
  288. print "$ssltext Error closing file $conffile\n";
  289. exit 1;
  290. }
  291. }
  292. else {
  293. print "$ssltext Error writing file $conffile\n";
  294. exit 1;
  295. }
  296. if($verbose) {
  297. print uc($proto) ." server (stunnel $ver_major.$ver_minor)\n";
  298. print "cmd: $cmd\n";
  299. print "CApath = $capath\n";
  300. print "cert = $certfile\n";
  301. print "debug = $loglevel\n";
  302. print "socket = $socketopt\n";
  303. if($fips_support) {
  304. print "fips = no\n";
  305. }
  306. if(!$tstunnel_windows) {
  307. print "pid = $pidfile\n";
  308. print "output = $logfile\n";
  309. print "foreground = yes\n";
  310. }
  311. print "\n";
  312. print "[curltest]\n";
  313. print "accept = $host_ip:$accept_port\n";
  314. print "connect = $host_ip:$target_port\n";
  315. }
  316. }
  317. #***************************************************************************
  318. # Set file permissions on certificate pem file.
  319. #
  320. chmod(0600, $certfile) if(-f $certfile);
  321. print STDERR "RUN: $cmd\n" if($verbose);
  322. #***************************************************************************
  323. # Run tstunnel on Windows.
  324. #
  325. if($tstunnel_windows) {
  326. # Fake pidfile for tstunnel on Windows.
  327. if(open(my $out, ">", "$pidfile")) {
  328. print $out $$ . "\n";
  329. close($out);
  330. }
  331. # Flush output.
  332. $| = 1;
  333. # Put an "exec" in front of the command so that the child process
  334. # keeps this child's process ID by being tied to the spawned shell.
  335. exec("exec $cmd") || die "Can't exec() $cmd: $!";
  336. # exec() will create a new process, but ties the existence of the
  337. # new process to the parent waiting perl.exe and sh.exe processes.
  338. # exec() should never return back here to this process. We protect
  339. # ourselves by calling die() just in case something goes really bad.
  340. die "error: exec() has returned";
  341. }
  342. #***************************************************************************
  343. # Run stunnel.
  344. #
  345. my $rc = system($cmd);
  346. $rc >>= 8;
  347. unlink($conffile) if($conffile && -f $conffile);
  348. exit $rc;