2018-02-27 19:20:58 +00:00
|
|
|
/*-
|
2015-02-24 18:19:20 +00:00
|
|
|
* SSLsplit - transparent SSL/TLS interception
|
2018-02-27 19:20:58 +00:00
|
|
|
* https://www.roe.ch/SSLsplit
|
|
|
|
*
|
2019-08-08 09:23:04 +00:00
|
|
|
* Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
|
2012-04-13 12:47:30 +00:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
2018-02-27 19:20:58 +00:00
|
|
|
* modification, are permitted provided that the following conditions are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright notice,
|
|
|
|
* this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
|
|
* and/or other materials provided with the distribution.
|
2012-04-13 12:47:30 +00:00
|
|
|
*
|
2018-02-27 19:20:58 +00:00
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
|
|
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
|
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
2012-04-13 12:47:30 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include "cachessess.h"
|
|
|
|
|
|
|
|
#include "dynbuf.h"
|
|
|
|
#include "ssl.h"
|
|
|
|
#include "khash.h"
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Cache for incoming src connection SSL sessions.
|
|
|
|
*
|
|
|
|
* key: dynbuf_t * SSL session ID
|
|
|
|
* val: dynbuf_t * ASN.1 serialized SSL_SESSION
|
|
|
|
*/
|
|
|
|
|
|
|
|
static inline khint_t
|
|
|
|
kh_dynbuf_hash_func(dynbuf_t *b)
|
|
|
|
{
|
|
|
|
khint_t *p = (khint_t *)b->buf;
|
2018-02-27 19:20:58 +00:00
|
|
|
khint_t h = 0;
|
2012-04-13 12:47:30 +00:00
|
|
|
int rem;
|
|
|
|
|
|
|
|
if ((rem = b->sz % sizeof(khint_t))) {
|
|
|
|
memcpy(&h, b->buf + b->sz - rem, rem);
|
|
|
|
}
|
|
|
|
|
|
|
|
while (p < (khint_t*)(b->buf + b->sz - rem)) {
|
|
|
|
h ^= *p++;
|
|
|
|
}
|
|
|
|
|
|
|
|
return h;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define kh_dynbuf_hash_equal(a, b) \
|
|
|
|
(((a)->sz == (b)->sz) && \
|
|
|
|
(memcmp((a)->buf, (b)->buf, (a)->sz) == 0))
|
|
|
|
|
|
|
|
KHASH_INIT(dynbufmap_t, dynbuf_t*, dynbuf_t*, 1, kh_dynbuf_hash_func,
|
|
|
|
kh_dynbuf_hash_equal)
|
|
|
|
|
|
|
|
static khash_t(dynbufmap_t) *srcsessmap;
|
|
|
|
|
|
|
|
static cache_iter_t
|
|
|
|
cachessess_begin_cb(void)
|
|
|
|
{
|
|
|
|
return kh_begin(srcsessmap);
|
|
|
|
}
|
|
|
|
|
|
|
|
static cache_iter_t
|
|
|
|
cachessess_end_cb(void)
|
|
|
|
{
|
|
|
|
return kh_end(srcsessmap);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
cachessess_exist_cb(cache_iter_t it)
|
|
|
|
{
|
|
|
|
return kh_exist(srcsessmap, it);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
cachessess_del_cb(cache_iter_t it)
|
|
|
|
{
|
|
|
|
kh_del(dynbufmap_t, srcsessmap, it);
|
|
|
|
}
|
|
|
|
|
|
|
|
static cache_iter_t
|
|
|
|
cachessess_get_cb(cache_key_t key)
|
|
|
|
{
|
|
|
|
return kh_get(dynbufmap_t, srcsessmap, key);
|
|
|
|
}
|
|
|
|
|
|
|
|
static cache_iter_t
|
|
|
|
cachessess_put_cb(cache_key_t key, int *ret)
|
|
|
|
{
|
|
|
|
return kh_put(dynbufmap_t, srcsessmap, key, ret);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
cachessess_free_key_cb(cache_key_t key)
|
|
|
|
{
|
|
|
|
dynbuf_free(key);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
cachessess_free_val_cb(cache_val_t val)
|
|
|
|
{
|
|
|
|
dynbuf_free(val);
|
|
|
|
}
|
|
|
|
|
|
|
|
static cache_key_t
|
|
|
|
cachessess_get_key_cb(cache_iter_t it)
|
|
|
|
{
|
|
|
|
return kh_key(srcsessmap, it);
|
|
|
|
}
|
|
|
|
|
|
|
|
static cache_val_t
|
|
|
|
cachessess_get_val_cb(cache_iter_t it)
|
|
|
|
{
|
|
|
|
return kh_val(srcsessmap, it);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
cachessess_set_val_cb(cache_iter_t it, cache_val_t val)
|
|
|
|
{
|
|
|
|
kh_val(srcsessmap, it) = val;
|
|
|
|
}
|
|
|
|
|
|
|
|
static cache_val_t
|
|
|
|
cachessess_unpackverify_val_cb(cache_val_t val, int copy)
|
|
|
|
{
|
|
|
|
dynbuf_t *valbuf = val;
|
|
|
|
SSL_SESSION *sess;
|
|
|
|
const unsigned char *p;
|
|
|
|
|
|
|
|
p = (const unsigned char *)valbuf->buf;
|
|
|
|
sess = d2i_SSL_SESSION(NULL, &p, valbuf->sz); /* increments p */
|
|
|
|
if (!sess)
|
|
|
|
return NULL;
|
|
|
|
if (!ssl_session_is_valid(sess)) {
|
|
|
|
SSL_SESSION_free(sess);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
if (copy)
|
|
|
|
return sess;
|
|
|
|
SSL_SESSION_free(sess);
|
2014-11-06 20:17:41 +00:00
|
|
|
return ((void*)-1);
|
2012-04-13 12:47:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
cachessess_fini_cb(void)
|
|
|
|
{
|
|
|
|
kh_destroy(dynbufmap_t, srcsessmap);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
cachessess_init_cb(cache_t *cache)
|
|
|
|
{
|
|
|
|
srcsessmap = kh_init(dynbufmap_t);
|
|
|
|
|
|
|
|
cache->begin_cb = cachessess_begin_cb;
|
|
|
|
cache->end_cb = cachessess_end_cb;
|
|
|
|
cache->exist_cb = cachessess_exist_cb;
|
|
|
|
cache->del_cb = cachessess_del_cb;
|
|
|
|
cache->get_cb = cachessess_get_cb;
|
|
|
|
cache->put_cb = cachessess_put_cb;
|
|
|
|
cache->free_key_cb = cachessess_free_key_cb;
|
|
|
|
cache->free_val_cb = cachessess_free_val_cb;
|
|
|
|
cache->get_key_cb = cachessess_get_key_cb;
|
|
|
|
cache->get_val_cb = cachessess_get_val_cb;
|
|
|
|
cache->set_val_cb = cachessess_set_val_cb;
|
|
|
|
cache->unpackverify_val_cb = cachessess_unpackverify_val_cb;
|
|
|
|
cache->fini_cb = cachessess_fini_cb;
|
|
|
|
}
|
|
|
|
|
|
|
|
cache_key_t
|
|
|
|
cachessess_mkkey(const unsigned char *id, const size_t idlen)
|
|
|
|
{
|
|
|
|
return dynbuf_new_copy(id, idlen);
|
|
|
|
}
|
|
|
|
|
|
|
|
cache_val_t
|
|
|
|
cachessess_mkval(SSL_SESSION *sess)
|
|
|
|
{
|
|
|
|
dynbuf_t *db;
|
|
|
|
unsigned char *p;
|
|
|
|
size_t asn1sz;
|
|
|
|
|
|
|
|
asn1sz = i2d_SSL_SESSION(sess, NULL);
|
|
|
|
if (!asn1sz || !(db = dynbuf_new_alloc(asn1sz))) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
p = db->buf;
|
|
|
|
i2d_SSL_SESSION(sess, &p); /* updates p */
|
|
|
|
return db;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* vim: set noet ft=c: */
|