Control: tags -1 +patch +pending Dear maintainer,
I've prepared an NMU for sniproxy (versioned as 0.6.1+git20240321-0.1) and uploaded it to DELAYED/14. Please feel free to tell me if I should delay it longer. Regards.
diff -Nru sniproxy-0.6.0/ChangeLog sniproxy-0.6.1+git20240321/ChangeLog --- sniproxy-0.6.0/ChangeLog 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/ChangeLog 2024-03-21 01:16:44.000000000 -0400 @@ -1,3 +1,9 @@ +2023-03-16 Dustin Lundquist <dus...@null-ptr.net> + 0.6.1 Release + + * Fix buffer overflow in address module + * Fix tests + 2018-12-05 Dustin Lundquist <dus...@null-ptr.net> 0.6.0 Release diff -Nru sniproxy-0.6.0/configure.ac sniproxy-0.6.1+git20240321/configure.ac --- sniproxy-0.6.0/configure.ac 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/configure.ac 2024-03-21 01:16:44.000000000 -0400 
@@ -1,83 +1,33 @@ # -*- Autoconf -*- # Process this file with autoconf to produce a configure script. -AC_PREREQ([2.60]) -AC_INIT([sniproxy], [0.6.0]) -AC_CONFIG_SRCDIR([src/sniproxy.c]) -AC_CONFIG_MACRO_DIR([m4]) +AC_PREREQ([2.71]) +AC_INIT([sniproxy],[0.6.1]) AM_INIT_AUTOMAKE([subdir-objects]) AM_SILENT_RULES([yes]) -AC_GNU_SOURCE +AC_USE_SYSTEM_EXTENSIONS # Checks for programs. -AC_PROG_CC_C99 -# Required by automake < 1.14 +AC_PROG_CC AM_PROG_CC_C_O # Checks for libraries. -PKG_CHECK_MODULES([LIBEV], [libev], HAVE_LIBEV=yes; AC_DEFINE(HAVE_LIBEV, 1), -[AC_LIB_HAVE_LINKFLAGS(ev,, [#include <ev.h>], [ev_run(0,0);]) - if test x$ac_cv_libev = xyes; then - AC_SUBST([LIBEV_LIBS], [$LIBEV]) - else - AC_MSG_ERROR([[*** -*** libev4 was not found. -***]]) - fi -]) - -PKG_CHECK_MODULES([LIBPCRE], [libpcre], HAVE_LIBPCRE=yes; AC_DEFINE(HAVE_LIBPCRE, 1), -[AC_LIB_HAVE_LINKFLAGS(pcre,, [#include <pcre.h>], [pcre_exec(0,0,0,0,0,0,0,0);]) - if test x$ac_cv_libpcre = xyes; then - AC_SUBST([LIBPCRE_LIBS], [$LIBPCRE]) - else - AC_MSG_ERROR([[*** -*** libpcre was not found. 
-***]]) - fi -]) +AC_CHECK_LIB([ev], [ev_run]) +AC_CHECK_LIB([pcre2-8], [pcre2_compile_8], [], + [AC_CHECK_LIB([pcre], [pcre_exec])]) AC_ARG_ENABLE([dns], - [AS_HELP_STRING([--disable-dns], [Disable DNS resolution])], - [dns="$withval"], [dns=yes]) + [AS_HELP_STRING([--enable-dns], [Enable DNS resolution])]) -AM_CONDITIONAL([DNS_ENABLED], [test "x$dns" = "xyes"]) +AM_CONDITIONAL([DNS_ENABLED], [test "$enable_dns"]) -AS_IF([test "x$dns" = "xyes"], - [PKG_CHECK_MODULES([LIBUDNS], [libudns], HAVE_LIBUDNS=yes; AC_DEFINE(HAVE_LIBUDNS, 1), - [AC_LIB_HAVE_LINKFLAGS(udns,, [#include <udns.h>], [dns_init(0, 0);]) - AS_IF([test x$ac_cv_libudns = xyes], [AC_SUBST([LIBUDNS_LIBS], [$LIBUDNS])]) - ]) -]) +AS_IF([test "$enable_dns"], + [AC_CHECK_LIB([udns], [dns_init])]) AC_ARG_ENABLE([rfc3339-timestamps], [AS_HELP_STRING([--enable-rfc3339-timestamps], [Enable RFC3339 timestamps])], - [rfc3339_timestamps=${enableval}], [rfc3339_timestamps=no]) - -AS_IF([test "x$rfc3339_timestamps" = "xyes"], - [AC_DEFINE([RFC3339_TIMESTAMP], 1, [RFC3339 timestamps enabled])]) - -# Checks for header files. -AC_CHECK_HEADERS([arpa/inet.h fcntl.h inttypes.h netdb.h netinet/in.h stddef.h stdint.h stdlib.h string.h strings.h sys/socket.h sys/time.h syslog.h unistd.h],, - AC_MSG_ERROR([required header(s) not found])) - -# Checks for typedefs, structures, and compiler characteristics. -AC_C_INLINE -AC_TYPE_PID_T -AC_TYPE_UID_T -AC_TYPE_SIZE_T -AC_TYPE_SSIZE_T -AC_TYPE_UINT16_T -AC_TYPE_UINT8_T - -# Checks for library functions. 
-AC_FUNC_FORK -AC_FUNC_MALLOC -AC_FUNC_REALLOC -AC_FUNC_STRTOD -AC_CHECK_FUNCS([atexit daemon memset socket strcasecmp strchr strdup strerror strncasecmp strrchr strspn strtoul],, - AC_MSG_ERROR([required functions(s) not found])) + [AC_DEFINE([RFC3339_TIMESTAMP], 1, [RFC3339 timestamps enabled])]) AC_CHECK_FUNCS([accept4]) diff -Nru sniproxy-0.6.0/debian/changelog sniproxy-0.6.1+git20240321/debian/changelog --- sniproxy-0.6.0/debian/changelog 2023-04-29 13:03:02.000000000 -0400 +++ sniproxy-0.6.1+git20240321/debian/changelog 2024-04-30 19:59:09.000000000 -0400 @@ -1,3 +1,20 @@ +sniproxy (0.6.1+git20240321-0.1) unstable; urgency=medium + + * Non-maintainer upload. + * New upstream snapshot. + + Add libpcre2 support. + * debian/: Bump to debhelper compat v13. + * debian/control: Use libpcre2. (Closes: #999957) + * debian/control: Add placeholder ${misc:Pre-Depends}. + * debian/control: Drop obsolete dependency lsb-base. + * debian/control: Use pkgconf and Standards-Version 4.7.0. + * debian/gbp.conf: Relax requirement and allow different branch names. + * debian/patches: Dropped, merged upstream. + * debian/sniproxy.service: Force the program to run in foreground if + launched by systemd service. (Closes: #1032295) + + -- Boyuan Yang <by...@debian.org> Tue, 30 Apr 2024 19:59:09 -0400 + sniproxy (0.6.0-2.1) unstable; urgency=medium * Non-maintainer upload by the LTS Team. diff -Nru sniproxy-0.6.0/debian/compat sniproxy-0.6.1+git20240321/debian/compat --- sniproxy-0.6.0/debian/compat 2020-07-23 16:27:57.000000000 -0400 +++ sniproxy-0.6.1+git20240321/debian/compat 1969-12-31 19:00:00.000000000 -0500 @@ -1 +0,0 @@ -11 diff -Nru sniproxy-0.6.0/debian/control sniproxy-0.6.1+git20240321/debian/control --- sniproxy-0.6.0/debian/control 2020-07-23 16:27:57.000000000 -0400 +++ sniproxy-0.6.1+git20240321/debian/control 2024-04-30 19:59:09.000000000 -0400 
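Review bot: `test "$enable_dns"` in both `AM_CONDITIONAL([DNS_ENABLED], ...)` and the following `AS_IF` is true for any non-empty value, so `--disable-dns` (which sets `enable_dns=no`) turns DNS resolution on; compare explicitly with `test "x$enable_dns" = "xyes"`. The same pattern affects `rfc3339-timestamps`: `AC_DEFINE` now sits in the action-if-given slot of `AC_ARG_ENABLE`, so it also runs for `--disable-rfc3339-timestamps`. The hunk flips the DNS default from enabled to disabled, and no debian/rules change is visible in this debdiff, so it is worth confirming the package is still configured with `--enable-dns`. `AC_CHECK_LIB([ev], [ev_run])` and the pcre2/pcre check have no failure action, so a missing library surfaces as a compile error rather than a configure error.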
@@ -3,20 +3,21 @@ Priority: optional Maintainer: Jan Dittberner <ja...@debian.org> Build-Depends: curl, - debhelper (>= 11.1), + debhelper-compat (= 13), gettext, libev-dev (>= 4.0), - libpcre3-dev, + libpcre2-dev, libudns-dev, - pkg-config -Standards-Version: 4.5.0 + pkgconf, +Standards-Version: 4.7.0 Homepage: https://github.com/dlundquist/sniproxy Vcs-Git: https://salsa.debian.org/debian/sniproxy.git Vcs-Browser: https://salsa.debian.org/debian/sniproxy Package: sniproxy Architecture: any -Depends: lsb-base, ${misc:Depends}, ${shlibs:Depends} +Pre-Depends: ${misc:Pre-Depends} +Depends: ${misc:Depends}, ${shlibs:Depends} Recommends: logrotate Description: Transparent TLS and HTTP layer 4 proxy with SNI support Proxies incoming HTTP and TLS connections based on the hostname contained in diff -Nru sniproxy-0.6.0/debian/copyright sniproxy-0.6.1+git20240321/debian/copyright --- sniproxy-0.6.0/debian/copyright 2020-07-23 16:27:57.000000000 -0400 +++ sniproxy-0.6.1+git20240321/debian/copyright 2024-04-30 19:56:51.000000000 -0400 @@ -42,10 +42,6 @@ 2017-2020 Jan Dittberner <ja...@debian.org> License: BSD-2 -Files: debian/patches/01_fix_gcc-10-build.patch -Copyright: 2020 Pierre-Olivier Mercier <nemuna...@nemunai.re> -License: BSD-2 - License: BSD-2 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions diff -Nru sniproxy-0.6.0/debian/gbp.conf sniproxy-0.6.1+git20240321/debian/gbp.conf --- sniproxy-0.6.0/debian/gbp.conf 2020-07-23 16:27:57.000000000 -0400 +++ sniproxy-0.6.1+git20240321/debian/gbp.conf 2024-04-30 19:47:51.000000000 -0400 
@@ -1,4 +1,5 @@ -[buildpackage] -debian-branch=debian -upstream-tag=%(version)s -upstream-branch=master +[DEFAULT] +ignore-branch = True +debian-branch = debian +upstream-tag = upstream/%(version)s +upstream-branch = master diff -Nru sniproxy-0.6.0/debian/patches/01_fix_gcc-10-build.patch sniproxy-0.6.1+git20240321/debian/patches/01_fix_gcc-10-build.patch --- sniproxy-0.6.0/debian/patches/01_fix_gcc-10-build.patch 2020-07-23 16:27:57.000000000 -0400 +++ sniproxy-0.6.1+git20240321/debian/patches/01_fix_gcc-10-build.patch 1969-12-31 19:00:00.000000000 -0500 
@@ -1,44 +0,0 @@ -From 711dd14affd5d0d918cd5fd245328450e60c7111 Mon Sep 17 00:00:00 2001 -From: Pierre-Olivier Mercier <nemuna...@nemunai.re> -Date: Tue, 3 Mar 2020 12:30:21 +0100 -Subject: [PATCH] Don't define http_protocol and tls_protocol variables - multiple times. - -As of gcc 10, the code generator emits globals without explicit initializer -from .bss to .data, leading to: - -ld: listener.o:(.rodata+0x60): multiple definition of `http_protocol'; http.o:(.data.rel.ro.local+0x0): first defined here -ld: tls.o:(.data.rel.ro.local+0x0): multiple definition of `tls_protocol'; listener.o:(.rodata+0x68): first defined here -collect2: error: ld returned 1 exit status ---- - src/http.h | 2 +- - src/tls.h | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/http.h b/src/http.h -index c93b8c2..828cee0 100644 ---- a/src/http.h -+++ b/src/http.h -@@ -29,6 +29,6 @@ - #include <stdio.h> - #include "protocol.h" - --const struct Protocol *const http_protocol; -+extern const struct Protocol *const http_protocol; - - #endif -diff --git a/src/tls.h b/src/tls.h -index 9b3b1c4..14602c3 100644 ---- a/src/tls.h -+++ b/src/tls.h -@@ -28,6 +28,6 @@ - - #include "protocol.h" - --const struct Protocol *const tls_protocol; -+extern const struct Protocol *const tls_protocol; - - #endif --- -2.27.0 - diff -Nru sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch sniproxy-0.6.1+git20240321/debian/patches/CVE-2023-25076.patch --- sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch 2023-04-29 13:03:02.000000000 -0400 +++ sniproxy-0.6.1+git20240321/debian/patches/CVE-2023-25076.patch 1969-12-31 19:00:00.000000000 -0500 
@@ -1,71 +0,0 @@ -commit f8d9a433fe22ab2fa15c00179048ab02ae23d583 -Author: Dustin Lundquist <dus...@null-ptr.net> -Date: Thu Mar 16 20:42:20 2023 -0700 - - address: fix buffer overflow - - Update tests to work on Debian 11. - -Index: sniproxy-0.6.0/src/address.c -=================================================================== ---- sniproxy-0.6.0.orig/src/address.c 2023-04-29 19:26:00.397699547 +0200 -+++ sniproxy-0.6.0/src/address.c 2023-04-29 19:26:00.397699547 +0200 -@@ -143,6 +143,8 @@ - if (hostname_or_ip[0] == '[' && - (port = strchr(hostname_or_ip, ']')) != NULL) { - len = (size_t)(port - hostname_or_ip - 1); -+ if (len >= INET6_ADDRSTRLEN) -+ return NULL; - - /* inet_pton() will not parse the IP correctly unless it is in a - * separate string. -Index: sniproxy-0.6.0/tests/Makefile.am -=================================================================== ---- sniproxy-0.6.0.orig/tests/Makefile.am 2023-04-29 19:26:00.397699547 +0200 -+++ sniproxy-0.6.0/tests/Makefile.am 2023-04-29 19:26:25.017710380 +0200 -@@ -1,5 +1,7 @@ - AM_CPPFLAGS = -I$(top_srcdir)/src -g $(LIBEV_CFLAGS) $(LIBPCRE_CFLAGS) $(LIBUDNS_CFLAGS) - -+.NOTPARALLEL: -+ - TESTS = address_test \ - buffer_test \ - cfg_tokenizer_test \ -Index: sniproxy-0.6.0/tests/bad_dns_request_test -=================================================================== ---- sniproxy-0.6.0.orig/tests/bad_dns_request_test 2023-04-29 19:26:00.397699547 +0200 -+++ sniproxy-0.6.0/tests/bad_dns_request_test 2023-04-29 19:26:00.397699547 +0200 -@@ -36,6 +36,11 @@ - client => \&http_client, - }, - { -+ # Exceed hostname buffer size -+ request => "GET / HTTP/1.1\r\nHost: [" . 'long.' x 60 . 
"example.com]\r\n\r\n", -+ client => \&http_client, -+ }, -+ { - # Test client aborting connection before DNS response received - request => "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", - client => \&http_client_abort, -Index: sniproxy-0.6.0/tests/slow_client_test -=================================================================== ---- sniproxy-0.6.0.orig/tests/slow_client_test 2023-04-29 19:26:00.397699547 +0200 -+++ sniproxy-0.6.0/tests/slow_client_test 2023-04-29 19:26:00.397699547 +0200 -@@ -31,11 +31,16 @@ - my $socket = IO::Socket::INET->new(PeerAddr => '127.0.0.1', - PeerPort => $port, - Proto => "tcp", -- Type => SOCK_STREAM) -+ Type => SOCK_STREAM, -+ Timeout => 5) - or die "couldn't connect $!"; - - $socket->send($request); - foreach (split("\r\n", $request)) { -+ unless ($socket->connected()) { -+ print "Disconnected\n"; -+ exit(0); -+ } - $socket->send("$_\r\n"); - sleep(1); - } diff -Nru sniproxy-0.6.0/debian/patches/series sniproxy-0.6.1+git20240321/debian/patches/series --- sniproxy-0.6.0/debian/patches/series 2023-04-29 13:03:02.000000000 -0400 +++ sniproxy-0.6.1+git20240321/debian/patches/series 1969-12-31 19:00:00.000000000 -0500 @@ -1,3 +0,0 @@ -01_fix_gcc-10-build.patch - -CVE-2023-25076.patch diff -Nru sniproxy-0.6.0/debian/sniproxy.service sniproxy-0.6.1+git20240321/debian/sniproxy.service --- sniproxy-0.6.0/debian/sniproxy.service 2020-07-23 16:27:57.000000000 -0400 +++ sniproxy-0.6.1+git20240321/debian/sniproxy.service 2024-04-30 19:53:49.000000000 -0400 @@ -5,7 +5,7 @@ [Service] EnvironmentFile=-/etc/default/sniproxy -ExecStart=/usr/sbin/sniproxy +ExecStart=/usr/sbin/sniproxy -f ExecReload=/bin/kill -HUP $MAINPID KillMode=process diff -Nru sniproxy-0.6.0/README sniproxy-0.6.1+git20240321/README --- sniproxy-0.6.0/README 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/README 2024-03-21 01:16:44.000000000 -0400 
@@ -6,16 +6,39 @@ hosting to separate backend servers without installing the private key on the proxy machine. +Status: Deprecated +------------------ +2023-12-13 + +When I started this project, there wasn't another proxy that filled this niche. +Now, there are many proxies available to proxy layer-4 based on the TLS SNI +extension, including Nginx. Additionally, web traffic is evolving: with HTTP/2, +multiple hostnames can be multiplexed in a single TCP stream [preventing SNI +Proxy](https://github.com/dlundquist/sniproxy/issues/178) from routing it +correctly based on hostname, and HTTP/3 (QUIC) uses UDP transport. SNI Proxy +just doesn't support these protocols, and adding support for them would +complicate it significantly. For these reasons, I'm transitioning SNI Proxy to +a deprecated status. + +Honestly, this has been the case for last several years, and I hadn't published +anything to that affect. With CVE-2023-25076 it became clear that this +situation needs to be communicated clearly. + +In some cases, SNI Proxy might be a better fit than a more general purpose +proxy, so I'm not going to abandon the project completely. I'll still monitor +issues and email requests; however, unless it is a significant security or +reliablity issue, don't expect a response. + Features -------- + Name-based proxying of HTTPS without decrypting traffic. No keys or certificates required. + Supports both TLS and HTTP protocols. -+ Supports IPv4, IPv6 and Unix domain sockets for both back end servers and ++ Supports IPv4, IPv6 and Unix domain sockets for both back-end servers and listeners. + Supports multiple listening sockets per instance. + Supports HAProxy proxy protocol to propagate original source address to - backend servers. + back-end servers. Usage ----- 
@@ -35,12 +58,12 @@ **Prerequisites** + Autotools (autoconf, automake, gettext and libtool) -+ libev4, libpcre and libudns development headers ++ libev4, libpcre2 (or libpcre) and libudns development headers + Perl and cURL for test suite **Install** - ./autogen.sh && ./configure && make check && sudo make install + ./autogen.sh && ./checonfigure --enable-dns && make check && sudo make install **Building Debian/Ubuntu package** @@ -48,7 +71,7 @@ 1. Install required packages - sudo apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre3-dev libudns-dev pkg-config fakeroot devscripts + sudo apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre2-dev libudns-dev pkg-config fakeroot devscripts 2. Build a Debian package @@ -68,7 +91,7 @@ 2. Build a distribution tarball: - ./autogen.sh && ./configure && make dist + ./autogen.sh && ./configure --enable-dns && make dist 3. Build a RPM package @@ -95,7 +118,7 @@ 3. Make it so - ./autogen.sh && ./configure && make + ./autogen.sh && ./configure --enable-dns && make OS X support is a best effort, and isn't a primary target platform. diff -Nru sniproxy-0.6.0/README.md sniproxy-0.6.1+git20240321/README.md --- sniproxy-0.6.0/README.md 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/README.md 2024-03-21 01:16:44.000000000 -0400 
@@ -6,16 +6,39 @@ hosting to separate backend servers without installing the private key on the proxy machine. +Status: Deprecated +------------------ +2023-12-13 + +When I started this project, there wasn't another proxy that filled this niche. +Now, there are many proxies available to proxy layer-4 based on the TLS SNI +extension, including Nginx. Additionally, web traffic is evolving: with HTTP/2, +multiple hostnames can be multiplexed in a single TCP stream [preventing SNI +Proxy](https://github.com/dlundquist/sniproxy/issues/178) from routing it +correctly based on hostname, and HTTP/3 (QUIC) uses UDP transport. SNI Proxy +just doesn't support these protocols, and adding support for them would +complicate it significantly. For these reasons, I'm transitioning SNI Proxy to +a deprecated status. + +Honestly, this has been the case for last several years, and I hadn't published +anything to that affect. With CVE-2023-25076 it became clear that this +situation needs to be communicated clearly. + +In some cases, SNI Proxy might be a better fit than a more general purpose +proxy, so I'm not going to abandon the project completely. I'll still monitor +issues and email requests; however, unless it is a significant security or +reliablity issue, don't expect a response. + Features -------- + Name-based proxying of HTTPS without decrypting traffic. No keys or certificates required. + Supports both TLS and HTTP protocols. -+ Supports IPv4, IPv6 and Unix domain sockets for both back end servers and ++ Supports IPv4, IPv6 and Unix domain sockets for both back-end servers and listeners. + Supports multiple listening sockets per instance. + Supports HAProxy proxy protocol to propagate original source address to - backend servers. + back-end servers. Usage ----- 
@@ -35,12 +58,12 @@ **Prerequisites** + Autotools (autoconf, automake, gettext and libtool) -+ libev4, libpcre and libudns development headers ++ libev4, libpcre2 (or libpcre) and libudns development headers + Perl and cURL for test suite **Install** - ./autogen.sh && ./configure && make check && sudo make install + ./autogen.sh && ./checonfigure --enable-dns && make check && sudo make install **Building Debian/Ubuntu package** @@ -48,7 +71,7 @@ 1. Install required packages - sudo apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre3-dev libudns-dev pkg-config fakeroot devscripts + sudo apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre2-dev libudns-dev pkg-config fakeroot devscripts 2. Build a Debian package @@ -68,7 +91,7 @@ 2. Build a distribution tarball: - ./autogen.sh && ./configure && make dist + ./autogen.sh && ./configure --enable-dns && make dist 3. Build a RPM package @@ -95,7 +118,7 @@ 3. Make it so - ./autogen.sh && ./configure && make + ./autogen.sh && ./configure --enable-dns && make OS X support is a best effort, and isn't a primary target platform. diff -Nru sniproxy-0.6.0/redhat/sniproxy.spec sniproxy-0.6.1+git20240321/redhat/sniproxy.spec --- sniproxy-0.6.0/redhat/sniproxy.spec 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/redhat/sniproxy.spec 2024-03-21 01:16:44.000000000 -0400 @@ -1,5 +1,5 @@ Name: sniproxy -Version: 0.6.0 +Version: 0.6.1 Release: 1%{?dist} Summary: Transparent TLS and HTTP layer 4 proxy with SNI support 
@@ -46,6 +46,10 @@ %changelog +* Thu Mar 16 2023 Dustin Lundquist <dus...@null-ptr.net 0.6.1-1 +- Fix buffer overflow in address module +- Fix tests + * Wed Dec 5 2018 Dustin Lundquist <dus...@null-ptr.net> 0.6.0-1 - PROXY v1 protocol support - SO_REUSEPORT support on Linux 3.9 and later diff -Nru sniproxy-0.6.0/setver.sh sniproxy-0.6.1+git20240321/setver.sh --- sniproxy-0.6.0/setver.sh 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/setver.sh 2024-03-21 01:16:44.000000000 -0400 @@ -1,6 +1,6 @@ #!/bin/sh -VERSION=0.6.0 +VERSION=0.6.1 SOURCE_DIR=$(dirname $0) GIT_DIR=${SOURCE_DIR}/.git diff -Nru sniproxy-0.6.0/src/address.c sniproxy-0.6.1+git20240321/src/address.c --- sniproxy-0.6.0/src/address.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/src/address.c 2024-03-21 01:16:44.000000000 -0400 @@ -62,7 +62,13 @@ struct Address * new_address(const char *hostname_or_ip) { - struct sockaddr_storage sa; + union { + struct sockaddr a; + struct sockaddr_in in; + struct sockaddr_in6 in6; + struct sockaddr_un un; + struct sockaddr_storage s; + } s; char ip_buf[ADDRESS_BUFFER_SIZE]; char *port; size_t len; 
@@ -74,28 +80,29 @@ /* we need to test for raw IPv6 address for IPv4 port combinations since a * colon would give false positives */ - memset(&sa, 0, sizeof(sa)); + memset(&s, 0, sizeof(s)); if (inet_pton(AF_INET6, hostname_or_ip, - &((struct sockaddr_in6 *)&sa)->sin6_addr) == 1) { - ((struct sockaddr_in6 *)&sa)->sin6_family = AF_INET6; + &s.in6.sin6_addr) == 1) { + s.in6.sin6_family = AF_INET6; - return new_address_sa( - (struct sockaddr *)&sa, - sizeof(struct sockaddr_in6)); + return new_address_sa(&s.a, sizeof(s.in6)); } /* Unix socket */ - memset(&sa, 0, sizeof(sa)); + memset(&s, 0, sizeof(s)); if (strncmp("unix:", hostname_or_ip, 5) == 0) { + if (strlen(hostname_or_ip) >= + sizeof(s.un.sun_path)) + return NULL; + /* XXX: only supporting pathname unix sockets */ - ((struct sockaddr_un *)&sa)->sun_family = AF_UNIX; - strncpy(((struct sockaddr_un *)&sa)->sun_path, - hostname_or_ip + 5, sizeof(struct sockaddr_un) - - offsetof(struct sockaddr_un, sun_path)); - - return new_address_sa( - (struct sockaddr *)&sa, offsetof(struct sockaddr_un, sun_path) + - strlen(((struct sockaddr_un *)&sa)->sun_path) + 1); + s.un.sun_family = AF_UNIX; + strncpy(s.un.sun_path, + hostname_or_ip + 5, + sizeof(s.un.sun_path) - 1); + + return new_address_sa(&s.a, offsetof(struct sockaddr_un, sun_path) + + strlen(s.un.sun_path) + 1); } /* Trailing port */ 
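Review bot: The new length guard in the `unix:` branch measures the whole argument, prefix included (`strlen(hostname_or_ip) >= sizeof(s.un.sun_path)`), while only `hostname_or_ip + 5` is copied. That is safe, but it rejects paths up to five bytes shorter than `sun_path` can hold; `if (strlen(hostname_or_ip + 5) >= sizeof(s.un.sun_path)) return NULL;` states the real bound. A short comment would also help, saying that the preceding `memset` plus the `sizeof(s.un.sun_path) - 1` copy limit is what guarantees NUL termination before the later `strlen(s.un.sun_path)`. new_address() begins and ends outside this hunk.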
@@ -128,21 +135,21 @@ } /* IPv4 address */ - memset(&sa, 0, sizeof(sa)); + memset(&s, 0, sizeof(s)); if (inet_pton(AF_INET, hostname_or_ip, - &((struct sockaddr_in *)&sa)->sin_addr) == 1) { - ((struct sockaddr_in *)&sa)->sin_family = AF_INET; + &s.in.sin_addr) == 1) { + s.in.sin_family = AF_INET; - return new_address_sa( - (struct sockaddr *)&sa, - sizeof(struct sockaddr_in)); + return new_address_sa(&s.a, sizeof(s.in)); } /* [IPv6 address] */ - memset(&sa, 0, sizeof(sa)); + memset(&s, 0, sizeof(s)); if (hostname_or_ip[0] == '[' && (port = strchr(hostname_or_ip, ']')) != NULL) { len = (size_t)(port - hostname_or_ip - 1); + if (len >= INET6_ADDRSTRLEN) + return NULL; /* inet_pton() will not parse the IP correctly unless it is in a * separate string. @@ -151,12 +158,10 @@ ip_buf[len] = '\0'; if (inet_pton(AF_INET6, ip_buf, - &((struct sockaddr_in6 *)&sa)->sin6_addr) == 1) { - ((struct sockaddr_in6 *)&sa)->sin6_family = AF_INET6; + &s.in6.sin6_addr) == 1) { + s.in6.sin6_family = AF_INET6; - return new_address_sa( - (struct sockaddr *)&sa, - sizeof(struct sockaddr_in6)); + return new_address_sa(&s.a, sizeof(s.in6)); } } @@ -185,9 +190,7 @@ struct Address * new_address_sa(const struct sockaddr *sa, socklen_t sa_len) { - struct Address *addr = NULL; - - addr = malloc(offsetof(struct Address, data) + sa_len); + struct Address *addr = malloc(offsetof(struct Address, data) + sa_len); if (addr != NULL) { addr->type = SOCKADDR; addr->len = sa_len; @@ -363,7 +366,7 @@ if (port < 0 || port > 65535) { return 0; } - address_set_port(addr, (uint16_t) port); + address_set_port(addr, (uint16_t)port); return 1; } @@ -406,8 +409,8 @@ switch (((const struct sockaddr *)sa)->sa_family) { case AF_INET: inet_ntop(AF_INET, - &((const struct sockaddr_in *)sa)->sin_addr, - ip, sizeof(ip)); + &((const struct sockaddr_in *)sa)->sin_addr, + ip, sizeof(ip)); if (((struct sockaddr_in *)sa)->sin_port != 0) snprintf(buffer, buffer_len, "%s:%" PRIu16, ip, 
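Review bot: The overflow guard added in the `[IPv6 address]` branch compares `len` with `INET6_ADDRSTRLEN`, but the buffer it protects is `ip_buf[ADDRESS_BUFFER_SIZE]`, and the copy into that buffer sits between hunks, outside what is shown. The check is sufficient only while `ADDRESS_BUFFER_SIZE >= INET6_ADDRSTRLEN`, which cannot be confirmed from these lines. Bounding by the buffer as well, `if (len >= INET6_ADDRSTRLEN || len >= sizeof(ip_buf)) return NULL;`, keeps the guard correct if either constant changes. A one-line comment naming CVE-2023-25076 (the patch this upload drops as merged upstream) would record why the early return exists.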
@@ -418,19 +421,19 @@ break; case AF_INET6: inet_ntop(AF_INET6, - &((const struct sockaddr_in6 *)sa)->sin6_addr, - ip, sizeof(ip)); + &((const struct sockaddr_in6 *)sa)->sin6_addr, + ip, sizeof(ip)); if (((struct sockaddr_in6 *)sa)->sin6_port != 0) snprintf(buffer, buffer_len, "[%s]:%" PRIu16, ip, - ntohs(((struct sockaddr_in6 *)sa)->sin6_port)); + ntohs(((struct sockaddr_in6 *)sa)->sin6_port)); else snprintf(buffer, buffer_len, "[%s]", ip); break; case AF_UNIX: snprintf(buffer, buffer_len, "unix:%s", - ((struct sockaddr_un *)sa)->sun_path); + ((struct sockaddr_un *)sa)->sun_path); break; case AF_UNSPEC: snprintf(buffer, buffer_len, "NONE"); diff -Nru sniproxy-0.6.0/src/backend.c sniproxy-0.6.1+git20240321/src/backend.c --- sniproxy-0.6.0/src/backend.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/src/backend.c 2024-03-21 01:16:44.000000000 -0400 @@ -27,7 +27,6 @@ #include <stdio.h> #include <string.h> #include <sys/queue.h> -#include <pcre.h> #include <assert.h> #include "backend.h" #include "address.h" @@ -35,7 +34,7 @@ static void free_backend(struct Backend *); -static char *backend_config_options(const struct Backend *); +static const char *backend_config_options(const struct Backend *); struct Backend * @@ -96,6 +95,19 @@ int init_backend(struct Backend *backend) { if (backend->pattern_re == NULL) { + +#if defined(HAVE_LIBPCRE2_8) + int reerr; + size_t reerroffset; + + backend->pattern_re = + pcre2_compile((const uint8_t *)backend->pattern, PCRE2_ZERO_TERMINATED, 0, &reerr, &reerroffset, NULL); + if (backend->pattern_re == NULL) { + err("Regex compilation of \"%s\" failed: %d, offset %zu", + backend->pattern, reerr, reerroffset); + return 0; + } +#elif defined(HAVE_LIBPCRE) const char *reerr; int reerroffset; @@ -106,6 +118,7 @@ backend->pattern, reerr, reerroffset); return 0; } +#endif char address[ADDRESS_BUFFER_SIZE]; debug("Parsed %s %s", 
@@ -128,9 +141,17 @@ STAILQ_FOREACH(iter, head, entries) { assert(iter->pattern_re != NULL); +#if defined(HAVE_LIBPCRE2_8) + pcre2_match_data *md = pcre2_match_data_create_from_pattern(iter->pattern_re, NULL); + int ret = pcre2_match(iter->pattern_re, (const uint8_t *)name, name_len, 0, 0, md, NULL); + pcre2_match_data_free(md); + if (ret >= 0) + return iter; +#elif defined(HAVE_LIBPCRE) if (pcre_exec(iter->pattern_re, NULL, name, name_len, 0, 0, NULL, 0) >= 0) return iter; +#endif } return NULL; @@ -146,7 +167,7 @@ backend_config_options(backend)); } -static char * +static const char * backend_config_options(const struct Backend *backend) { if (backend->use_proxy_header) return " proxy_protocol"; @@ -167,7 +188,12 @@ free(backend->pattern); free(backend->address); +#if defined(HAVE_LIBPCRE2_8) + if (backend->pattern_re != NULL) + pcre2_code_free(backend->pattern_re); +#elif defined(HAVE_LIBPCRE) if (backend->pattern_re != NULL) pcre_free(backend->pattern_re); +#endif free(backend); } diff -Nru sniproxy-0.6.0/src/backend.h sniproxy-0.6.1+git20240321/src/backend.h --- sniproxy-0.6.0/src/backend.h 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/src/backend.h 2024-03-21 01:16:44.000000000 -0400 @@ -28,7 +28,14 @@ #define BACKEND_H #include <sys/queue.h> + +#if defined(HAVE_LIBPCRE2_8) +#define PCRE2_CODE_UNIT_WIDTH 8 +#include <pcre2.h> +#elif defined(HAVE_LIBPCRE) #include <pcre.h> +#endif + #include "address.h" STAILQ_HEAD(Backend_head, Backend); @@ -39,7 +46,11 @@ int use_proxy_header; /* Runtime fields */ +#if defined(HAVE_LIBPCRE2_8) + pcre2_code *pattern_re; +#elif defined(HAVE_LIBPCRE) pcre *pattern_re; +#endif STAILQ_ENTRY(Backend) entries; }; diff -Nru sniproxy-0.6.0/src/config.c sniproxy-0.6.1+git20240321/src/config.c --- sniproxy-0.6.0/src/config.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/src/config.c 2024-03-21 01:16:44.000000000 -0400 
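Review bot: In the PCRE2 branch of the backend lookup loop, every negative `pcre2_match()` result is treated as "no match". A match-limit or internal error on a client-supplied name is therefore indistinguishable from `PCRE2_ERROR_NOMATCH`, and the lookup silently moves on to the next backend. Logging the other codes, e.g. `else if (ret != PCRE2_ERROR_NOMATCH) err("pcre2_match failed: %d", ret);`, would make such failures visible to an operator. The result of `pcre2_match_data_create_from_pattern()` is also not checked for NULL, and the match data is allocated and freed for every backend on every lookup; creating it once alongside `pattern_re` would remove both concerns. The enclosing function starts outside the hunk.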
@@ -77,7 +77,9 @@ .keyword="priority", .parse_arg=(int(*)(void *, const char *))accept_logger_priority, }, - { NULL }, + { + .keyword = NULL, + }, }; static const struct Keyword resolver_stanza_grammar[] = { @@ -93,7 +95,9 @@ .keyword="mode", .parse_arg=(int(*)(void *, const char *))accept_resolver_mode, }, - { NULL }, + { + .keyword = NULL, + }, }; static const struct Keyword listener_stanza_grammar[] = { @@ -132,7 +136,9 @@ .keyword="bad_requests", .parse_arg= (int(*)(void *, const char *))accept_listener_bad_request_action, }, - { NULL }, + { + .keyword = NULL, + }, }; static struct Keyword table_stanza_grammar[] = { @@ -141,7 +147,9 @@ .parse_arg=(int(*)(void *, const char *))accept_backend_arg, .finalize=(int(*)(void *, void *))end_backend, }, - { NULL }, + { + .keyword = NULL, + }, }; static struct Keyword global_grammar[] = { @@ -189,7 +197,9 @@ .block_grammar=table_stanza_grammar, .finalize=(int(*)(void *, void *))end_table_stanza, }, - { NULL }, + { + .keyword = NULL, + }, }; static const char *const resolver_mode_names[] = { diff -Nru sniproxy-0.6.0/src/connection.c sniproxy-0.6.1+git20240321/src/connection.c --- sniproxy-0.6.0/src/connection.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/src/connection.c 2024-03-21 01:16:44.000000000 -0400 @@ -49,6 +49,7 @@ #define IS_TEMPORARY_SOCKERR(_errno) (_errno == EAGAIN || \ _errno == EWOULDBLOCK || \ _errno == EINTR) +#define MAX(a, b) ((a) > (b) ? (a) : (b)) struct resolv_cb_data { @@ -277,7 +278,8 @@ } } - /* Handle any state specific logic */ + /* Handle any state specific logic, note we may transition through several + * states during a single call */ if (is_client && con->state == ACCEPTED) parse_client_request(con); if (is_client && con->state == PARSED) @@ -502,6 +504,10 @@ free((void *)result.address); abort_connection(con); + (void)loop; + (void)free_resolv_cb_data; + (void)resolv_cb; + return; #else struct resolv_cb_data *cb_data = malloc(sizeof(struct resolv_cb_data)); 
@@ -571,7 +577,7 @@ struct ev_loop *loop = cb_data->loop; if (con->state != RESOLVING) { - info("resolv_cb() called for connection not in RESOLVING state"); + warn("resolv_cb() called for connection not in RESOLVING state"); return; } @@ -628,8 +634,8 @@ if (con->listener->transparent_proxy && con->client.addr.ss_family == con->server.addr.ss_family) { - int on = 1; #ifdef IP_TRANSPARENT + int on = 1; int result = setsockopt(sockfd, SOL_IP, IP_TRANSPARENT, &on, sizeof(on)); #else int result = -EPERM; @@ -768,8 +774,7 @@ close_connection(struct Connection *con, struct ev_loop *loop) { assert(con->state != NEW); /* only used during initialization */ - if (con->state == CONNECTED - || con->state == CLIENT_CLOSED) + if (server_socket_open(con)) close_server_socket(con, loop); assert(con->state == ACCEPTED @@ -779,11 +784,7 @@ || con->state == SERVER_CLOSED || con->state == CLOSED); - if (con->state == ACCEPTED - || con->state == PARSED - || con->state == RESOLVING - || con->state == RESOLVED - || con->state == SERVER_CLOSED) + if (client_socket_open(con)) close_client_socket(con, loop); assert(con->state == CLOSED); 
@@ -828,15 +829,13 @@ static void log_connection(struct Connection *con) { - ev_tstamp duration; + ev_tstamp duration = MAX(con->client.buffer->last_recv, + con->server.buffer->last_recv) - + con->established_timestamp; char client_address[ADDRESS_BUFFER_SIZE]; char listener_address[ADDRESS_BUFFER_SIZE]; char server_address[ADDRESS_BUFFER_SIZE]; - if (con->client.buffer->last_recv > con->server.buffer->last_recv) - duration = con->client.buffer->last_recv - con->established_timestamp; - else - duration = con->server.buffer->last_recv - con->established_timestamp; display_sockaddr(&con->client.addr, client_address, sizeof(client_address)); display_sockaddr(&con->client.local_addr, listener_address, sizeof(listener_address)); diff -Nru sniproxy-0.6.0/src/http.c sniproxy-0.6.1+git20240321/src/http.c --- sniproxy-0.6.0/src/http.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/src/http.c 2024-03-21 01:16:44.000000000 -0400 
@@ -130,24 +130,27 @@ next_header(const char **data, size_t *len) { size_t header_len; + if (*len == 0) + return 0; + /* perhaps we can optimize this to reuse the value of header_len, rather * than scanning twice. * Walk our data stream until the end of the header */ - while (*len > 2 && (*data)[0] != '\r' && (*data)[1] != '\n') { + while (*len > 1 && (*data)[0] != '\n') { (*len)--; (*data)++; } - /* advanced past the <CR><LF> pair */ - *data += 2; - *len -= 2; + /* advanced past the <LF> */ + (*data)++; + (*len)--; /* Find the length of the next header */ header_len = 0; - while (*len > header_len + 1 - && (*data)[header_len] != '\r' - && (*data)[header_len + 1] != '\n') + while (*len > header_len && (*data)[header_len] != '\n') header_len++; - + /* ignore preceding <CR> */ + if (header_len > 0 && (*data)[header_len - 1] == '\r') + header_len--; return header_len; } diff -Nru sniproxy-0.6.0/src/http.h sniproxy-0.6.1+git20240321/src/http.h --- sniproxy-0.6.0/src/http.h 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/src/http.h 2024-03-21 01:16:44.000000000 -0400 @@ -29,6 +29,6 @@ #include <stdio.h> #include "protocol.h" -const struct Protocol *const http_protocol; +extern const struct Protocol *const http_protocol; #endif diff -Nru sniproxy-0.6.0/src/listener.c sniproxy-0.6.1+git20240321/src/listener.c --- sniproxy-0.6.0/src/listener.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/src/listener.c 2024-03-21 01:16:44.000000000 -0400 @@ -128,6 +128,9 @@ display_address(new_listener->address, address, sizeof(address))); + /* Using SLIST_REMOVE rather than remove_listener to defer + * decrementing reference count until after adding to the running + * config */ SLIST_REMOVE(new_listeners, new_listener, Listener, entries); add_listener(existing_listeners, new_listener); init_listener(new_listener, tables, loop); 
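Review bot: next_header() now ends a header at a bare `\n` and only strips an optional preceding `\r`, which makes the proxy more lenient than a backend that insists on CRLF. The two can then disagree on where the Host header is, while the proxy routes on its own reading. If the leniency is intended, the function deserves a comment saying so; otherwise a line terminated by a lone LF should be treated as a malformed request. Separately, when no `\n` remains the second loop stops at `*len` and returns the length of an unterminated header, so the caller (outside this hunk) has to account for an incomplete request. The comment `/* ignore preceding <CR> */` would read more accurately as `/* drop the <CR> of a <CR><LF> terminator */`.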
@@ -151,11 +154,7 @@ display_address(removed_listener->address, address, sizeof(address))); - SLIST_REMOVE(existing_listeners, removed_listener, Listener, entries); - close_listener(loop, removed_listener); - - /* -1 for removing from existing_listeners */ - listener_ref_put(removed_listener); + remove_listener(existing_listeners, removed_listener, loop); } } } @@ -444,8 +443,8 @@ void remove_listener(struct Listener_head *listeners, struct Listener *listener, struct ev_loop *loop) { - SLIST_REMOVE(listeners, listener, Listener, entries); close_listener(loop, listener); + SLIST_REMOVE(listeners, listener, Listener, entries); listener_ref_put(listener); } @@ -603,7 +602,6 @@ ev_io_init(&listener->watcher, accept_cb, sockfd, EV_READ); listener->watcher.data = listener; listener->backoff_timer.data = listener; - listener_ref_get(listener); ev_io_start(loop, &listener->watcher); @@ -717,13 +715,13 @@ static void close_listener(struct ev_loop *loop, struct Listener *listener) { - if (listener->watcher.fd < 0) - return; - ev_timer_stop(loop, &listener->backoff_timer); - ev_io_stop(loop, &listener->watcher); - close(listener->watcher.fd); - listener_ref_put(listener); + + if (listener->watcher.fd >= 0) { + ev_io_stop(loop, &listener->watcher); + close(listener->watcher.fd); + listener->watcher.fd = -1; + } } static void 
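Review bot: In src/listener.c, dropping `listener_ref_get(listener)` before `ev_io_start()` means the running watcher and backoff timer no longer keep the listener alive, so memory safety now depends on close_listener() always running before the final listener_ref_put(). remove_listener() in this patch does that in the right order, and the new `listener->watcher.fd = -1` makes a repeated close harmless. Any other path that drops the list reference without closing first (none is visible in these hunks) would leave the event loop holding a pointer to freed memory. I would record the invariant where the reference was removed, e.g. `/* the watcher holds no reference: close_listener() must run before the last listener_ref_put() */`. The function containing the `ev_io_init` hunk starts and ends outside it.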
@@ -762,9 +760,8 @@ * listeners list in the active configuration, and free them when their last * connection closes. * - * Accomplishing this with reference counting, each connection counts as a one - * reference, plus one for the active EV watchers and one for the listener - * being a member on a configurations listeners list. + * Accomplishing this with reference counting: membership in a Config listener + * list counts as one as does each connection. */ void listener_ref_put(struct Listener *listener) { diff -Nru sniproxy-0.6.0/src/logger.c sniproxy-0.6.1+git20240321/src/logger.c --- sniproxy-0.6.0/src/logger.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/src/logger.c 2024-03-21 01:16:44.000000000 -0400 @@ -401,24 +401,25 @@ return sink; } + sink = malloc(sizeof(struct LogSink)); + if (sink == NULL) + return NULL; + FILE *fd = fopen(filepath, "a"); if (fd == NULL) { + free(sink); err("Failed to open new log file: %s", filepath); return NULL; } setvbuf(fd, NULL, _IOLBF, 0); + sink->type = LOG_SINK_FILE; + sink->filepath = strdup(filepath); + sink->fd = fd; + sink->reference_count = 0; - sink = malloc(sizeof(struct LogSink)); - if (sink != NULL) { - sink->type = LOG_SINK_FILE; - sink->filepath = strdup(filepath); - sink->fd = fd; - sink->reference_count = 0; - - SLIST_INSERT_HEAD(&sinks, sink, entries); - } + SLIST_INSERT_HEAD(&sinks, sink, entries); return sink; } diff -Nru sniproxy-0.6.0/src/Makefile.am sniproxy-0.6.1+git20240321/src/Makefile.am --- sniproxy-0.6.0/src/Makefile.am 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/src/Makefile.am 2024-03-21 01:16:44.000000000 -0400 @@ -1,4 +1,4 @@ -AM_CPPFLAGS = $(LIBEV_CFLAGS) $(LIBPCRE_CFLAGS) $(LIBUDNS_CFLAGS) +AM_CFLAGS = -fno-strict-aliasing -Wall -Wextra -Wpedantic -Wwrite-strings sbin_PROGRAMS = sniproxy 
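Review bot: In the src/logger.c hunk, `sink->filepath = strdup(filepath)` is still unchecked, so on allocation failure a sink with a NULL filepath is linked into `sinks`. The lookup that returns an existing sink sits above the hunk; if it compares filepath strings, as seems likely, it would dereference that NULL on a later call. Since the patch already restructures the error paths, the strdup failure can be handled the same way, closing the file and freeing the sink before returning NULL. The function begins outside the hunk.

```c
    sink->type = LOG_SINK_FILE;
    sink->filepath = strdup(filepath);
    if (sink->filepath == NULL) {
        /* do not publish a half-initialised sink */
        fclose(fd);
        free(sink);
        return NULL;
    }
    /* … unchanged: fd, reference_count, SLIST_INSERT_HEAD … */
```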
@@ -32,5 +32,3 @@ table.h \ tls.c \ tls.h - -sniproxy_LDADD = $(LIBEV_LIBS) $(LIBPCRE_LIBS) $(LIBUDNS_LIBS) diff -Nru sniproxy-0.6.0/src/resolv.c sniproxy-0.6.1+git20240321/src/resolv.c --- sniproxy-0.6.0/src/resolv.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/src/resolv.c 2024-03-21 01:16:44.000000000 -0400 @@ -48,22 +48,35 @@ int resolv_init(struct ev_loop *loop, char **nameservers, char **search_domains, int mode) { + (void)loop; + (void)nameservers; + (void)search_domains; + (void)mode; + return 0; } void resolv_shutdown(struct ev_loop *loop) { + (void)loop; } struct ResolvQuery * resolv_query(const char *hostname, int mode, void (*client_cb)(struct Address *, void *), void (*client_free_cb)(void *), void *client_cb_data) { + (void)hostname; + (void)mode; + (void)client_cb; + (void)client_free_cb; + (void)client_cb_data; + return NULL; } void resolv_cancel(struct ResolvQuery *query_handle) { + (void)query_handle; } #else diff -Nru sniproxy-0.6.0/src/tls.h sniproxy-0.6.1+git20240321/src/tls.h --- sniproxy-0.6.0/src/tls.h 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/src/tls.h 2024-03-21 01:16:44.000000000 -0400 @@ -28,6 +28,6 @@ #include "protocol.h" -const struct Protocol *const tls_protocol; +extern const struct Protocol *const tls_protocol; #endif diff -Nru sniproxy-0.6.0/tests/address_test.c sniproxy-0.6.1+git20240321/tests/address_test.c --- sniproxy-0.6.0/tests/address_test.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/tests/address_test.c 2024-03-21 01:16:44.000000000 -0400 
@@ -6,8 +6,8 @@ #include "address.h" struct Test { - char *input; - char *output; + const char *input; + const char *output; int expected_type; int port; }; diff -Nru sniproxy-0.6.0/tests/bad_dns_request_test sniproxy-0.6.1+git20240321/tests/bad_dns_request_test --- sniproxy-0.6.0/tests/bad_dns_request_test 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/tests/bad_dns_request_test 2024-03-21 01:16:44.000000000 -0400 @@ -36,6 +36,11 @@ client => \&http_client, }, { + # Exceed hostname buffer size + request => "GET / HTTP/1.1\r\nHost: [" . 'long.' x 60 . "example.com]\r\n\r\n", + client => \&http_client, + }, + { # Test client aborting connection before DNS response received request => "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", client => \&http_client_abort, diff -Nru sniproxy-0.6.0/tests/binder_test.c sniproxy-0.6.1+git20240321/tests/binder_test.c --- sniproxy-0.6.0/tests/binder_test.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/tests/binder_test.c 2024-03-21 01:16:44.000000000 -0400 
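Review bot: The new case in tests/bad_dns_request_test relies on the bracketed host being longer than the hostname buffer, but the comment `# Exceed hostname buffer size` states neither length. The constructed host is 311 bytes (`'long.' x 60` plus `example.com`), and the buffer size is defined outside this hunk. A later change to that size could therefore leave the test passing without exercising the oversized-input path. I would extend the comment to `# Exceed hostname buffer size: 311-byte bracketed host, must stay above that buffer's size`. The surrounding test list starts and ends outside the hunk.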
@@ -24,23 +24,19 @@ static int test_binder(int port) { - int fd; - struct sockaddr_in addr = { 0 }; - struct sockaddr_storage addr_verify = { 0 }; - socklen_t len; + struct sockaddr_in addr = { + .sin_family = AF_INET, + .sin_addr.s_addr = htonl(INADDR_LOOPBACK), + .sin_port = htons(port), + }; - /* make valgrind happy by initializing to zero */ - memset(&addr, 0, sizeof(addr)); - addr.sin_family = AF_INET; - addr.sin_port = htons(port); - addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); - - fd = bind_socket((struct sockaddr *)&addr, sizeof(addr)); + int fd = bind_socket((struct sockaddr *)&addr, sizeof(addr)); assert(fd > 0); /* Verify we obtained the expected socket address */ - len = sizeof(addr_verify); + struct sockaddr_storage addr_verify; + socklen_t len = sizeof(addr_verify); if (getsockname(fd, (struct sockaddr *)&addr_verify, &len) < 0) { perror("getsockname:"); exit(1); diff -Nru sniproxy-0.6.0/tests/cfg_tokenizer_test.c sniproxy-0.6.1+git20240321/tests/cfg_tokenizer_test.c --- sniproxy-0.6.0/tests/cfg_tokenizer_test.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/tests/cfg_tokenizer_test.c 2024-03-21 01:16:44.000000000 -0400 @@ -6,11 +6,11 @@ struct Result { enum Token type; - char *value; + const char *value; }; struct Test { - char *config; + const char *config; struct Result *results; int len; }; diff -Nru sniproxy-0.6.0/tests/config_test.c sniproxy-0.6.1+git20240321/tests/config_test.c --- sniproxy-0.6.0/tests/config_test.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/tests/config_test.c 2024-03-21 01:16:44.000000000 -0400 
@@ -2,7 +2,7 @@ #include "config.h" int main(int argc, char **argv) { - char *config_file = "../sniproxy.conf"; + const char *config_file = "../sniproxy.conf"; struct Config *config; if (argc >= 2) diff -Nru sniproxy-0.6.0/tests/http_test.c sniproxy-0.6.1+git20240321/tests/http_test.c --- sniproxy-0.6.0/tests/http_test.c 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/tests/http_test.c 2024-03-21 01:16:44.000000000 -0400 @@ -20,6 +20,11 @@ "HOST:\t localhost:8080\r\n" "Accept: */*\r\n" "\r\n", + "GET / HTTP/1.1\n" + "User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18\n" + "Host: localhost\n" + "Accept: */*\n" + "\n" }; static const char *bad[] = { "GET / HTTP/1.0\r\n" diff -Nru sniproxy-0.6.0/tests/Makefile.am sniproxy-0.6.1+git20240321/tests/Makefile.am --- sniproxy-0.6.0/tests/Makefile.am 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/tests/Makefile.am 2024-03-21 01:16:44.000000000 -0400 @@ -1,4 +1,7 @@ AM_CPPFLAGS = -I$(top_srcdir)/src -g $(LIBEV_CFLAGS) $(LIBPCRE_CFLAGS) $(LIBUDNS_CFLAGS) +AM_CFLAGS = -fno-strict-aliasing -Wall -Wextra -Wpedantic -Wwrite-strings + +.NOTPARALLEL: TESTS = address_test \ buffer_test \ diff -Nru sniproxy-0.6.0/tests/slow_client_test sniproxy-0.6.1+git20240321/tests/slow_client_test --- sniproxy-0.6.0/tests/slow_client_test 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/tests/slow_client_test 2024-03-21 01:16:44.000000000 -0400 
@@ -31,11 +31,16 @@ my $socket = IO::Socket::INET->new(PeerAddr => '127.0.0.1', PeerPort => $port, Proto => "tcp", - Type => SOCK_STREAM) + Type => SOCK_STREAM, + Timeout => 5) or die "couldn't connect $!"; $socket->send($request); foreach (split("\r\n", $request)) { + unless ($socket->connected()) { + print "Disconnected\n"; + exit(0); + } $socket->send("$_\r\n"); sleep(1); } diff -Nru sniproxy-0.6.0/.travis.yml sniproxy-0.6.1+git20240321/.travis.yml --- sniproxy-0.6.0/.travis.yml 2018-12-05 23:14:58.000000000 -0500 +++ sniproxy-0.6.1+git20240321/.travis.yml 2024-03-21 01:16:44.000000000 -0400 @@ -4,13 +4,13 @@ - gcc install: - sudo apt-get update - - DEBIAN_FRONTEND=noninteractive sudo apt-get install -y apache2-utils cdbs dh-autoreconf devscripts libev-dev libpcre3-dev libudns-dev lintian rpm valgrind + - DEBIAN_FRONTEND=noninteractive sudo apt-get install -y apache2-utils cdbs dh-autoreconf devscripts libev-dev libpcre2-dev libudns-dev lintian rpm valgrind - mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS} - ./autogen.sh script: - echo "Running unit and functional tests" - ./configure - - make all check + - make all check CFLAGS=-Werror - bash -c "cd tests && sudo ./transparent_proxy_test" - echo "Checking for memory leaks" - bash -c "cd tests && ./bad_dns_request_test valgrind --leak-check=full --error-exitcode=1" @@ -43,4 +43,4 @@ - sudo apt-get remove sniproxy - echo "Rebuilding without DNS and rerunning unit tests" - ./configure --disable-dns - - make clean all check + - make clean all check CFLAGS="-Werror -Wno-error=unused-function -Wno-error=unused-parameter"
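Review bot: In tests/slow_client_test, the added `$socket->connected()` check is a weak disconnect signal: IO::Socket implements it with getpeername, which can keep succeeding after the peer has closed its side, so the loop may go on sending. The return values of both `$socket->send(...)` calls are also ignored. Checking the send result is more direct, e.g. `defined $socket->send("$_\r\n") or do { print "Disconnected\n"; exit(0) };`. That needs `local $SIG{PIPE} = 'IGNORE';` so a write to a closed socket reports an error instead of ending the process. The enclosing block starts and ends outside the hunk.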