Unify copyright comment format

[ucspi.git] / cmd / tlss / main.go

// ucspi/cmd/tlss -- UCSPI TCP proxy server
// Copyright (C) 2021-2024 Sergey Matveev <stargrave@stargrave.org>
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, version 3 of the License.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package main

import (
        "crypto/tls"
        "crypto/x509"
        "flag"
        "fmt"
        "io"
        "log"
        "os"
        "os/exec"

        "go.cypherpunks.ru/ucspi"
)

func main() {
        crtPath := flag.String("cert", "cert.pem", "Path to server X.509 certificate")
        prvPath := flag.String("key", "prv.pem", "Path to server PKCS#8 private key")
        casPath := flag.String("client-ca", "", "Require client authentication, path to CA certificates file")
        flag.Usage = func() {
                fmt.Fprintf(os.Stderr, `Usage: tcpserver host port tlss [-client-ca CAs.pem]
        -cert cert.pem -key prv.pem program [args...]

`)
                flag.PrintDefaults()
        }
        flag.Parse()
        log.SetFlags(log.Lshortfile)

        crtRaw, _, err := ucspi.CertificateFromFile(*crtPath)
        if err != nil {
                log.Fatalln(err)
        }
        prv, err := ucspi.PrivateKeyFromFile(*prvPath)
        if err != nil {
                log.Fatalln(err)
        }
        var cas *x509.CertPool
        if *casPath != "" {
                _, cas, err = ucspi.CertPoolFromFile(*casPath)
                if err != nil {
                        log.Fatalln(err)
                }
        }

        cfg := &tls.Config{
                Certificates: []tls.Certificate{{
                        Certificate: [][]byte{crtRaw},
                        PrivateKey:  prv,
                }},
                ClientCAs: cas,
        }
        if *casPath != "" {
                cfg.ClientAuth = tls.RequireAndVerifyClientCert
        }

        conn, _ := ucspi.NewConn(os.Stdin, os.Stdout)
        tlsConn := tls.Server(conn, cfg)
        if err = tlsConn.Handshake(); err != nil {
                log.Fatalln(err)
        }
        var dn string
        if *casPath != "" {
                dn = tlsConn.ConnectionState().PeerCertificates[0].Subject.String()
        }

        rr, rw, err := os.Pipe()
        if err != nil {
                log.Fatalln(err)
        }
        wr, ww, err := os.Pipe()
        if err != nil {
                log.Fatalln(err)
        }
        args := flag.Args()
        cmd := exec.Command(args[0], args[1:]...)
        cmd.Stdin = rr
        cmd.Stdout = ww
        cmd.Stderr = os.Stderr
        cmd.Env = append(os.Environ(), "PROTO=TLS")
        if dn != "" {
                cmd.Env = append(cmd.Env, "TLSREMOTEDN="+dn)
        }

        if err = cmd.Start(); err != nil {
                log.Fatalln(err)
        }
        worker := make(chan struct{})
        go func() {
                io.Copy(rw, tlsConn)
                rw.Close()
        }()
        go func() {
                io.Copy(tlsConn, wr)
                tlsConn.Close()
                close(worker)
        }()
        err = cmd.Wait()
        ww.Close()
        <-worker
        if err != nil {
                log.Fatalln(err)
        }
}