├── .gitignore ├── CONTRIBUTING ├── LICENSE ├── Makefile.am ├── README.md ├── bootstrap.sh ├── configure.ac └── src ├── client-proxy.c ├── common.c ├── common.h └── wrap.c /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | *.o 3 | *.in 4 | configure 5 | compile 6 | depcomp 7 | install-sh 8 | stamp-h1 9 | aclocal.m4 10 | autom4te.cache 11 | config.guess 12 | config.log 13 | config.status 14 | config.sub 15 | Makefile 16 | config.h 17 | missing 18 | .deps 19 | .dirstamp 20 | -------------------------------------------------------------------------------- /CONTRIBUTING: -------------------------------------------------------------------------------- 1 | Want to contribute? Great! First, read this page (including the small 2 | print at the end). 3 | 4 | ### Before you contribute 5 | Before we can use your code, you must sign the 6 | [Google Individual Contributor License Agreement] 7 | (https://cla.developers.google.com/about/google-individual) 8 | (CLA), which you can do online. The CLA is necessary mainly because you own the 9 | copyright to your changes, even after your contribution becomes part of our 10 | codebase, so we need your permission to use and distribute your code. We also 11 | need to be sure of various other things—for instance that you'll tell us if you 12 | know that your code infringes on other people's patents. You don't have to sign 13 | the CLA until after you've submitted your code for review and a member has 14 | approved it, but you must do it before we can put your code into our codebase. 15 | Before you start working on a larger contribution, you should get in touch with 16 | us first through the issue tracker with your idea so that we can help out and 17 | possibly guide you. Coordinating up front makes it much easier to avoid 18 | frustration later on. 19 | 20 | ### Code reviews 21 | All submissions, including submissions by project members, require review. 
We 22 | use Github pull requests for this purpose. 23 | 24 | ### The small print 25 | Contributions made by corporations are covered by a different agreement than 26 | the one above, the 27 | [Software Grant and Corporate Contributor License Agreement] 28 | (https://cla.developers.google.com/about/google-corporate). 29 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 
30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 
62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | AUTOMAKE_OPTIONS = foreign subdir-objects 2 | DISTCLEANFILES = *~ 3 | 4 | bin_PROGRAMS=tcpauth-client-proxy tcpauth-wrap 5 | 6 | tcpauth_client_proxy_SOURCES=\ 7 | src/client-proxy.c\ 8 | src/common.c 9 | 10 | tcpauth_wrap_SOURCES=\ 11 | src/wrap.c\ 12 | src/common.c 13 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # tcpauth 2 | 3 | Copyright 2016 Google Inc. All Rights Reserved. 4 | 5 | https://github.com/google/tcpauth 6 | 7 | ## Introduction 8 | 9 | tcpauth allows you to wrap TCP connections in RFC2385 MD5 signatures, to prevent 10 | any attacker from talking to a server without first having the shared secret. 11 | 12 | This protects against any preauth attacks in the server application itself. 
You 13 | could compare it to port knocking, in that this could let you keep SSH open for 14 | connections from all over the world, as long as they know the shared 15 | secret. Normal authentication would take place after connection, so it doesn't 16 | reduce security. 17 | 18 | Another benefit is that when MD5 signatures are turned on, an attacker can't 19 | spoof RST packets to kill your connection. 20 | 21 | ## Installing 22 | 23 | If building from the git repo: 24 | 25 | ```shell 26 | ./bootstrap.sh 27 | ``` 28 | 29 | then 30 | 31 | ```shell 32 | ./configure && make && make install 33 | ``` 34 | 35 | ## Running 36 | 37 | Example of running an SSH server on port 12345. 38 | 39 | On the server: 40 | 41 | ```shell 42 | echo "correct horse battery staple" > pw.txt 43 | chmod 600 pw.txt 44 | sudo ./tcpauth-wrap -p 12345 -P pw.txt -- /usr/sbin/sshd -i 45 | ``` 46 | 47 | On the client: 48 | 49 | ```shell 50 | echo "correct horse battery staple" > pw.txt 51 | chmod 600 pw.txt 52 | ssh "-oProxyCommand=./tcpauth-client-proxy -P pw.txt %h %p" -p 12345 shell.example.com 53 | ``` 54 | -------------------------------------------------------------------------------- /bootstrap.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | autoreconf -i 3 | -------------------------------------------------------------------------------- /configure.ac: -------------------------------------------------------------------------------- 1 | AC_PREREQ(2.61) 2 | AC_INIT(tcpauth, 0.01, habets@google.com) 3 | AC_CANONICAL_SYSTEM 4 | AC_CONFIG_SRCDIR([src/wrap.c]) 5 | AM_INIT_AUTOMAKE 6 | AM_MAINTAINER_MODE 7 | AC_CONFIG_HEADER(config.h) 8 | 9 | # Checks for programs.
10 | AC_PROG_CC 11 | AC_PROG_INSTALL 12 | AC_PROG_MAKE_SET 13 | 14 | AC_CHECK_LIB([pthread], [pthread_create]) 15 | 16 | CFLAGS="-std=gnu11 -Wall $CFLAGS" 17 | 18 | AC_CONFIG_FILES([Makefile]) 19 | AC_OUTPUT 20 | 21 | echo " 22 | $PACKAGE_NAME version $PACKAGE_VERSION 23 | Prefix.........: $prefix 24 | Debug Build....: $debug 25 | C Compiler.....: $CC $CFLAGS $CPPFLAGS 26 | Linker.........: $LD $LDFLAGS $LIBS 27 | " 28 | -------------------------------------------------------------------------------- /src/client-proxy.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Proxy on the client side to connect to servers using MD5SIG. 3 | * 4 | * Example: 5 | * echo "correct horse battery staple" > pw.txt 6 | * chmod 600 pw.txt 7 | * ssh -oProxyCommand="./tcpauth-client-proxy -P pw.txt %h %p" shell.example.com 8 | */ 9 | /* 10 | * Copyright 2016 Google Inc. All Rights Reserved. 11 | * 12 | * Licensed under the Apache License, Version 2.0 (the "License"); 13 | * you may not use this file except in compliance with the License. 14 | * You may obtain a copy of the License at 15 | * 16 | * http://www.apache.org/licenses/LICENSE-2.0 17 | * 18 | * Unless required by applicable law or agreed to in writing, software 19 | * distributed under the License is distributed on an "AS IS" BASIS, 20 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | * See the License for the specific language governing permissions and 22 | * limitations under the License. 23 | * 24 | * This is not an official Google product. 
25 | */ 26 | #include"config.h" 27 | 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | 38 | #include 39 | #include 40 | 41 | #include"common.h" 42 | 43 | const char* password = NULL; 44 | 45 | void 46 | usage(int err) 47 | { 48 | printf("Usage: %s [options] \n" 49 | " -h Show this usage text.\n" 50 | " -P File containing MD5SIG password.\n" 51 | "", argv0); 52 | exit(err); 53 | } 54 | 55 | typedef struct { 56 | int src, dst; 57 | } reader; 58 | 59 | static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; 60 | static int shutting_down_var = 0; 61 | static void 62 | set_shutting_down() 63 | { 64 | int n; 65 | if ((n = pthread_mutex_lock(&mutex))) { 66 | xerror("mutex lock error: code %d", n); 67 | } 68 | shutting_down_var = 1; 69 | if ((n = pthread_mutex_unlock(&mutex))) { 70 | xerror("mutex lock error: code %d", n); 71 | } 72 | } 73 | 74 | static int 75 | shutting_down() 76 | { 77 | int n; 78 | int ret; 79 | if ((n = pthread_mutex_lock(&mutex))) { 80 | xerror("mutex lock error: code %d", n); 81 | } 82 | ret = shutting_down_var; 83 | if ((n = pthread_mutex_unlock(&mutex))) { 84 | xerror("mutex lock error: code %d", n); 85 | } 86 | return ret; 87 | } 88 | 89 | // read data from one and and write to the other. 90 | static void* 91 | reader_main(void* rin) 92 | { 93 | const reader* r = (reader*)rin; 94 | char buf[1024]; 95 | for (;;) { 96 | ssize_t n = read(r->src, buf, sizeof(buf)); 97 | if (shutting_down()) { 98 | return NULL; 99 | } 100 | if (n == 0) { 101 | set_shutting_down(); 102 | return NULL; 103 | } 104 | if (0 > n) { 105 | xerror("read(%d): %s", r->src, strerror(errno)); 106 | } 107 | const char* p = buf; 108 | while (n > 0) { 109 | const ssize_t wn = write(r->dst, p, n); 110 | if (0 > wn) { 111 | xerror("write(): %s", strerror(errno)); 112 | } 113 | n -= wn; 114 | p += wn; 115 | } 116 | } 117 | } 118 | 119 | // Handle a new connection after connect() returns. 
120 | // * Enable MD5SIG 121 | // * Funnel data back and forth. 122 | int 123 | handle(int fd) 124 | { 125 | if (1) { 126 | struct tcp_md5sig md5sig; 127 | socklen_t t = sizeof(struct sockaddr_storage); 128 | 129 | memset(&md5sig, 0, sizeof(md5sig)); 130 | strncpy((char*)md5sig.tcpm_key, password, TCP_MD5SIG_MAXKEYLEN); 131 | 132 | if (getpeername(fd, 133 | (struct sockaddr*)&md5sig.tcpm_addr, &t)) { 134 | xerror("getpeername(): %.100s", strerror(errno)); 135 | } 136 | md5sig.tcpm_keylen = strlen((char*)md5sig.tcpm_key); 137 | if (-1 == setsockopt(fd, 138 | IPPROTO_TCP, TCP_MD5SIG, 139 | &md5sig, sizeof(md5sig))) { 140 | xerror("setsockopt(TCP_MD5SIG): %.100s", strerror(errno)); 141 | } 142 | } 143 | 144 | // Start one half of the data shuffling. 145 | pthread_t other; 146 | reader other_r; 147 | other_r.src = fd; 148 | other_r.dst = STDOUT_FILENO; 149 | if (pthread_create(&other, NULL, &reader_main, &other_r)) { 150 | xerror("pthread_create(): %s", strerror(errno)); 151 | } 152 | 153 | // Start the other half. 154 | reader this_r; 155 | this_r.src = STDIN_FILENO; 156 | this_r.dst = fd; 157 | reader_main(&this_r); 158 | int n; 159 | if ((n = pthread_join(other, NULL))) { 160 | xerror("pthread_join: %s", strerror(n)); 161 | } 162 | exit(0); 163 | } 164 | 165 | int 166 | main(int argc, char** argv) 167 | { 168 | const char* password_file = NULL; // -P 169 | argv0 = argv[0]; 170 | 171 | int c; 172 | while (EOF != (c = getopt(argc, argv, "hP:"))) { 173 | switch (c) { 174 | case 'h': 175 | usage(0); 176 | case 'P': 177 | password_file = optarg; 178 | break; 179 | default: 180 | usage(1); 181 | } 182 | } 183 | 184 | if (optind + 2 != argc) { 185 | fprintf(stderr, "%s: Provide exactly two non-option args: host and port.\n", argv0); 186 | exit(1); 187 | } 188 | const char* node = argv[optind]; 189 | const char* port = argv[optind+1]; 190 | password = get_password(password_file); 191 | 192 | // Create socket and bind. 
193 | int fd = -1; 194 | { 195 | struct addrinfo hints; 196 | memset(&hints, 0, sizeof(hints)); 197 | hints.ai_flags = AI_ADDRCONFIG; 198 | hints.ai_family = AF_UNSPEC; 199 | hints.ai_socktype = SOCK_STREAM; 200 | struct addrinfo *ai; 201 | 202 | if (0 != getaddrinfo(node, port, &hints, &ai)) { 203 | xerror("getaddrinfo(%s, %s): %s", node, port, strerror(errno)); 204 | } 205 | 206 | for (const struct addrinfo *rp = ai; rp != NULL; rp = rp->ai_next) { 207 | fd = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); 208 | if (0 > fd) { 209 | fprintf(stderr, "%s: socket(): %s\n", argv0, strerror(errno)); 210 | continue; 211 | } 212 | if (!connect(fd, rp->ai_addr, ai->ai_addrlen)) { 213 | break; 214 | } 215 | fprintf(stderr, "%s: connect failed: %s\n", argv0, strerror(errno)); 216 | if (0 != close(fd)) { 217 | fprintf(stderr, "%s: closing failed socket: %s\n", argv0, strerror(errno)); 218 | } 219 | fd = -1; 220 | } 221 | if (0 > fd) { 222 | xerror("%s: Could not connect to %s %s\n", argv0, node, port); 223 | } 224 | freeaddrinfo(ai); 225 | } 226 | 227 | fprintf(stderr, "Connected to %s port %s\n", node, port); 228 | 229 | return handle(fd); 230 | } 231 | /* ---- Emacs Variables ---- 232 | * Local Variables: 233 | * c-basic-offset: 8 234 | * indent-tabs-mode: nil 235 | * End: 236 | * 237 | * vim: ts=8 sw=8 238 | */ 239 | -------------------------------------------------------------------------------- /src/common.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2016 Google Inc. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * This is not an official Google product. 17 | */ 18 | #include"config.h" 19 | 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #include"common.h" 27 | 28 | const char* argv0 = NULL; 29 | const char* password_env = "MD5SIG_PASSWORD"; 30 | 31 | char* 32 | get_password(const char* opt) 33 | { 34 | // If there's a password file, use that. 35 | if (opt) { 36 | FILE* f; 37 | 38 | if (!(f = fopen(opt, "r"))) { 39 | xerror("fopen(%s): %s", opt, strerror(errno)); 40 | } 41 | char buf[128] = {0}; 42 | const char* ret = fgets(buf, sizeof(buf), f); 43 | const int err = errno; 44 | fclose(f); 45 | if (!ret) { 46 | xerror("fgets(%s): %s", opt, strerror(err)); 47 | } 48 | for (size_t c = strlen(buf)-1; c; c--) { 49 | if (buf[c] == '\n') { 50 | buf[c] = 0; 51 | } 52 | } 53 | return strdup(ret); 54 | } 55 | const char* ret = getenv(password_env); 56 | if (!ret) { 57 | xerror("No password provided in file or environment"); 58 | } 59 | return strdup(ret); 60 | } 61 | 62 | void 63 | xerror(const char* fmt, ...) 
64 | { 65 | char buffer[1024]; 66 | va_list args; 67 | va_start(args, fmt); 68 | vsnprintf(buffer, sizeof(buffer), fmt, args); 69 | fprintf(stderr, "%s: %s\n", argv0, buffer); 70 | va_end(args); 71 | exit(1); 72 | } 73 | /* ---- Emacs Variables ---- 74 | * Local Variables: 75 | * c-basic-offset: 8 76 | * indent-tabs-mode: nil 77 | * End: 78 | * 79 | * vim: ts=8 sw=8 80 | */ 81 | -------------------------------------------------------------------------------- /src/common.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2016 Google Inc. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * This is not an official Google product. 17 | */ 18 | extern const char* argv0; 19 | void xerror(const char* fmt, ...); 20 | 21 | // Get a copy of the password. Caller free()s. 22 | char* get_password(const char* opt); 23 | -------------------------------------------------------------------------------- /src/wrap.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Wrap a server in MD5SIG. The TCP socket connected to the client is 3 | * passed on to the binary in fd 0 and 1. 4 | * 5 | * Example: 6 | * echo "correct horse battery staple" > pw.txt 7 | * chmod 600 pw.txt 8 | * sudo ./tcpauth-wrap -p 12345 -P pw.txt -- /usr/sbin/sshd -i 9 | */ 10 | /* 11 | * Copyright 2016 Google Inc. All Rights Reserved. 
12 | * 13 | * Licensed under the Apache License, Version 2.0 (the "License"); 14 | * you may not use this file except in compliance with the License. 15 | * You may obtain a copy of the License at 16 | * 17 | * http://www.apache.org/licenses/LICENSE-2.0 18 | * 19 | * Unless required by applicable law or agreed to in writing, software 20 | * distributed under the License is distributed on an "AS IS" BASIS, 21 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 | * See the License for the specific language governing permissions and 23 | * limitations under the License. 24 | * 25 | * This is not an official Google product. 26 | */ 27 | #include"config.h" 28 | 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | 38 | #include 39 | #include 40 | 41 | #include"common.h" 42 | 43 | const char* next_binary = NULL; 44 | char* const* next_args = NULL; 45 | const char* default_opt_H = "::"; 46 | char* password = NULL; 47 | 48 | void 49 | usage(int err) 50 | { 51 | printf("Usage: %s [options] -- /path/to/binary [options to binary...]\n" 52 | " -h Show this usage text.\n" 53 | " -H Address to listen to (default: \"%s\").\n" 54 | " -p Port to listen on.\n" 55 | " -P File containing MD5SIG password.\n" 56 | "", argv0, default_opt_H); 57 | exit(err); 58 | } 59 | 60 | // Handle a new connection that's come in: 61 | // * Enable MD5SIG 62 | // * Exec next binary. 
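// Install the MD5SIG key for one accepted connection and exec the next binary.
//
// fd: the accepted TCP socket.  It becomes fd 0 and 1 of the exec'd process.
//
// Never returns: on success the process image is replaced by next_binary,
// on any failure xerror() exits.  Reads the globals password, next_binary
// and next_args that main() sets up.
void
handle(int fd)
{
        {
                struct tcp_md5sig md5sig;

                // Bound the key explicitly instead of using strncpy(): a
                // password of TCP_MD5SIG_MAXKEYLEN bytes or more would leave
                // tcpm_key unterminated, and a strlen() on it would read past
                // the end of the struct.  An empty key would make the kernel
                // delete the key rather than install one, so refuse it too.
                const size_t keylen = strlen(password);
                if (keylen == 0) {
                        xerror("MD5SIG password is empty");
                }
                if (keylen > TCP_MD5SIG_MAXKEYLEN) {
                        xerror("MD5SIG password longer than %d bytes",
                               TCP_MD5SIG_MAXKEYLEN);
                }

                memset(&md5sig, 0, sizeof(md5sig));
                memcpy(md5sig.tcpm_key, password, keylen);
                md5sig.tcpm_keylen = (unsigned short)keylen;

                // The key is bound to the peer's address, so the kernel only
                // signs and verifies segments exchanged with this client.
                socklen_t addrlen = sizeof(md5sig.tcpm_addr);
                if (getpeername(fd,
                                (struct sockaddr*)&md5sig.tcpm_addr, &addrlen)) {
                        xerror("getpeername(): %.100s", strerror(errno));
                }
                if (-1 == setsockopt(fd,
                                     IPPROTO_TCP, TCP_MD5SIG,
                                     &md5sig, sizeof(md5sig))) {
                        xerror("setsockopt(TCP_MD5SIG): %.100s", strerror(errno));
                }
        }

        if (0 > dup2(fd, STDIN_FILENO)
            || 0 > dup2(fd, STDOUT_FILENO)) {
                xerror("dup2(): %s", strerror(errno));
        }
        // Only close the original descriptor when it is not one of the two
        // we just installed, otherwise the backend would lose stdin/stdout.
        if (fd > STDOUT_FILENO) {
                close(fd);
        }
        execvp(next_binary, next_args);
        xerror("execvp(): %s", strerror(errno));
}

// Accept connections on the listening socket fd forever, forking one child
// per connection; the child calls handle() on it.
//
// fd: the bound, listening socket.
//
// Does not return in normal operation.  An unrecoverable accept() error
// exits via xerror(); transient ones are logged and the loop continues.
//
// Note that the listening socket itself gets no MD5SIG key in this file:
// the key is installed by handle() only after accept(), so the TCP
// handshake is not covered by the signature and every incoming connection
// costs a fork() and exec() before any signature is checked.
//
// NOTE(review): no wait()/SIGCHLD handling is visible in this file, so
// finished backends appear to remain zombies until the wrapper exits —
// TODO confirm and reap them.
int
main_loop(int fd)
{
        for (;;) {
                struct sockaddr_storage from;
                socklen_t fromlen = sizeof(from);

                const int newsock = accept(fd, (struct sockaddr*)&from, &fromlen);
                if (0 > newsock) {
                        // A broken listening socket would otherwise make
                        // this loop spin on the same error forever.
                        if (errno == EBADF || errno == EINVAL || errno == ENOTSOCK) {
                                xerror("accept(): %s", strerror(errno));
                        }
                        fprintf(stderr, "%s: accept(): %s\n", argv0, strerror(errno));
                        continue;
                }

                switch (fork()) {
                case -1:
                        fprintf(stderr, "%s: fork(): %s\n", argv0, strerror(errno));
                        close(newsock);
                        break;
                case 0:
                        // Child: drop the listening socket first so the
                        // exec'd backend does not inherit it and cannot
                        // accept() further connections on the wrapped port.
                        close(fd);
                        handle(newsock);
                        exit(1);  // handle() never returns; belt and braces.
                default:
                        // Parent: the child owns the connection now.
                        close(newsock);
                        break;
                }
        }
}

// Parse options, read the password, bind the listening socket and hand it
// to main_loop().  Usage and setup errors exit with status 1.
int
main(int argc, char** argv)
{
        const char* port = NULL;           // -p
        const char* node = default_opt_H;  // -H
        const char* password_file = NULL;  // -P

        argv0 = argv[0];

        int c;
        while (EOF != (c = getopt(argc, argv, "hH:p:P:"))) {
                switch (c) {
                case 'h':
                        usage(0);
                        break;
                case 'H':
                        node = optarg;
                        break;
                case 'p':
                        port = optarg;
                        break;
                case 'P':
                        password_file = optarg;
                        break;
                default:
                        usage(1);
                }
        }

        if (port == NULL) {
                fprintf(stderr, "%s: Need to specify port (-p)\n", argv0);
                exit(1);
        }
        // Without this check next_binary would be NULL and every forked
        // child would die in execvp() instead of failing here at startup.
        if (optind >= argc) {
                fprintf(stderr, "%s: Need a binary to run after \"--\".\n", argv0);
                exit(1);
        }

        password = get_password(password_file);
        // Fail at startup rather than in every child: the kernel's key
        // buffer holds at most TCP_MD5SIG_MAXKEYLEN bytes.
        if (strlen(password) > TCP_MD5SIG_MAXKEYLEN) {
                xerror("MD5SIG password longer than %d bytes", TCP_MD5SIG_MAXKEYLEN);
        }
        next_binary = argv[optind];
        next_args = &argv[optind];

        // Create socket, bind and listen.
        int fd = -1;
        {
                struct addrinfo hints;
                memset(&hints, 0, sizeof(hints));
                hints.ai_flags = AI_ADDRCONFIG | AI_PASSIVE;
                hints.ai_family = AF_UNSPEC;
                hints.ai_socktype = SOCK_STREAM;
                struct addrinfo *ai = NULL;

                // getaddrinfo() reports its own error codes, not errno.
                const int rc = getaddrinfo(node, port, &hints, &ai);
                if (rc != 0) {
                        fprintf(stderr, "%s: getaddrinfo(%s, %s): %s\n",
                                argv0, node, port, gai_strerror(rc));
                        exit(1);
                }

                for (const struct addrinfo *rp = ai; rp != NULL; rp = rp->ai_next) {
                        fd = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
                        if (0 > fd) {
                                fprintf(stderr, "%s: socket(): %s\n", argv0, strerror(errno));
                                continue;
                        }
                        const int on = 1;
                        if (0 > setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on))) {
                                fprintf(stderr, "%s: setsockopt(SO_REUSEADDR): %s\n",
                                        argv0, strerror(errno));
                        }
                        // Use this entry's own address length: the first
                        // entry's (ai->ai_addrlen) is wrong as soon as the
                        // list mixes address families.
                        if (!bind(fd, rp->ai_addr, rp->ai_addrlen)) {
                                break;
                        }
                        fprintf(stderr, "%s: bind(): %s\n", argv0, strerror(errno));
                        if (0 != close(fd)) {
                                fprintf(stderr, "%s: closing failed socket: %s\n",
                                        argv0, strerror(errno));
                        }
                        fd = -1;
                }
                if (0 > fd) {
                        xerror("Could not bind to \"%s\" port \"%s\"", node, port);
                }
                freeaddrinfo(ai);

                if (listen(fd, 5)) {
                        xerror("listen(): %s", strerror(errno));
                }
        }

        {
                fprintf(stderr, "Listening on %s port %s\n", node, port);
                fprintf(stderr, "Next binary: %s\n", next_binary);
                fprintf(stderr, "Args:\n");
                for (int i = 0; next_args[i]; i++) {
                        fprintf(stderr, "  %s\n", next_args[i]);
                }
        }

        return main_loop(fd);
}
/* ---- Emacs Variables ----
 * Local Variables:
 * c-basic-offset: 8
 * indent-tabs-mode: nil
 * End:
 *
 * vim: ts=8 sw=8
 */
--------------------------------------------------------------------------------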