diff --git a/main.c b/main.c
index 799f487..d6d28ba 100644
--- a/main.c
+++ b/main.c
@@ -112,7 +112,7 @@ main_usage(void)
 " -k pemfile use CA key (and cert) from pemfile to sign forged certs\n"
 " -C pemfile use CA chain from pemfile (intermediate and root CA certs)\n"
 " -K pemfile use key from pemfile for leaf certs (default: generate)\n"
-" -X gendir write generated key/cert pairs to gendir\n"
+" -w gendir write generated key/cert pairs to gendir\n"
 " -t certdir use cert+chain+key PEM files from certdir to target all sites\n"
 " matching the common names (non-matching: generate if CA)\n"
 " -O deny all OCSP requests on all proxyspecs\n"
@@ -276,7 +276,7 @@ main(int argc, char *argv[])
 }
 while ((ch = getopt(argc, argv, OPT_g OPT_G OPT_Z OPT_i
- "k:c:C:K:t:OPs:r:R:e:Eu:m:j:p:l:L:S:F:dDVhX:")) != -1) {
+ "k:c:C:K:t:OPs:r:R:e:Eu:m:j:p:l:L:S:F:dDVhw:")) != -1) {
 switch (ch) {
 case 'c':
 if (opts->cacrt)
@@ -520,7 +520,7 @@ main(int argc, char *argv[])
 opts->contentlog_isdir = 0;
 opts->contentlog_isspec = 1;
 break;
- case 'X':
+ case 'w':
 if (opts->certgendir)
 free(opts->certgendir);
 opts->certgendir = strdup(optarg);
@@ -563,7 +563,7 @@ main(int argc, char *argv[])
 exit(EXIT_FAILURE);
 }
 if (opts->certgendir && opts->key) {
- fprintf(stderr, "%s: -K and -X are mutually exclusive.\n",
+ fprintf(stderr, "%s: -K and -w are mutually exclusive.\n",
 argv0);
 exit(EXIT_FAILURE);
 }
diff --git a/opts.c b/opts.c
index 0189af8..e21cc54 100644
--- a/opts.c
+++ b/opts.c
@@ -105,6 +105,9 @@ opts_free(opts_t *opts)
 if (opts->contentlog) {
 free(opts->contentlog);
 }
+ if (opts->certgendir) {
+ free(opts->certgendir);
+ }
 memset(opts, 0, sizeof(opts_t));
 free(opts);
 }
diff --git a/pxyconn.c b/pxyconn.c
index 0180b94..6b4eae7 100644
--- a/pxyconn.c
+++ b/pxyconn.c
@@ -702,39 +702,6 @@ pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,
 SSL_CTX_add_extra_chain_cert(sslctx, c);
 }
- if (ctx->opts->certgendir) {
- unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ];
- ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr);
- ssl_x509_fingerprint_sha1(crt, newfpr);
- char *origfprstr, *newfprstr;
- asprintf(&origfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
- "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
- origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4],
- origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9],
- origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14],
- origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]);
- asprintf(&newfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
- "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
- newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4],
- newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9],
- newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14],
- newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]);
- char *keyfn, *crtfn;
- asprintf(&keyfn, "%s/%s-%s.key", ctx->opts->certgendir, origfprstr, newfprstr);
- asprintf(&crtfn, "%s/%s-%s.crt", ctx->opts->certgendir, origfprstr, newfprstr);
- FILE *keyfd, *crtfd;
- keyfd = fopen(keyfn, "w");
- crtfd = fopen(crtfn, "w");
- if (keyfd) {
- PEM_write_PrivateKey(keyfd, key, NULL, 0, 0, NULL, NULL);
- fclose(keyfd);
- }
- if (crtfd) {
- PEM_write_X509(crtfd, crt);
- fclose(crtfd);
- }
- }
-
 #ifdef DEBUG_SESSION_CACHE
 if (OPTS_DEBUG(ctx->opts)) {
 int mode = SSL_CTX_get_session_cache_mode(sslctx);
@@ -831,6 +798,39 @@ pxy_srccert_create(pxy_conn_ctx_t *ctx)
 cert_set_chain(cert, ctx->opts->chain);
 }
+ if (ctx->opts->certgendir) {
+ unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ];
+ ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr);
+ ssl_x509_fingerprint_sha1(cert->crt, newfpr);
+ char *origfprstr, *newfprstr;
+ asprintf(&origfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
+ "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
+ origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4],
+ origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9],
+ origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14],
+ origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]);
+ asprintf(&newfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
+ "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
+ newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4],
+ newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9],
+ newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14],
+ newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]);
+ char *keyfn, *crtfn;
+ asprintf(&keyfn, "%s/%s-%s.key", ctx->opts->certgendir, origfprstr, newfprstr);
+ asprintf(&crtfn, "%s/%s-%s.crt", ctx->opts->certgendir, origfprstr, newfprstr);
+ FILE *keyfd, *crtfd;
+ keyfd = fopen(keyfn, "w");
+ crtfd = fopen(crtfn, "w");
+ if (keyfd) {
+ PEM_write_PrivateKey(keyfd, cert->key, NULL, 0, 0, NULL, NULL);
+ fclose(keyfd);
+ }
+ if (crtfd) {
+ PEM_write_X509(crtfd, cert->crt);
+ fclose(crtfd);
+ }
+ }
+
 return cert;
 }
diff --git a/sslsplit.1 b/sslsplit.1
index 278a58b..a67ed38 100644
--- a/sslsplit.1
+++ b/sslsplit.1
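Review bot: The forged leaf private key is written through `keyfd = fopen(keyfn, "w")`, which creates the file with mode 0666 masked only by the process umask, so under a common 022 umask every key in gendir ends up world-readable; create it with `open(keyfn, O_WRONLY | O_CREAT | O_TRUNC, 0600)` and `fdopen()` instead (adding `<fcntl.h>`/`<unistd.h>` if pxyconn.c does not already include them). The four `asprintf()` results are never freed and their return values are unchecked, so each certificate forged with `-w` leaks `origfprstr`, `newfprstr`, `keyfn` and `crtfn`, and on allocation failure an indeterminate pointer reaches `fopen()`; the block was moved here from pxy_srcsslctx_create verbatim, so the commit carries these defects over rather than fixing them. The two fingerprint strings are always exactly `2 * SSL_X509_FPRSZ` hex digits and can be rendered into stack buffers by a short loop, which removes two of the allocations outright, and the two path strings can then be freed on every exit from the block. The `PEM_write_PrivateKey()`/`PEM_write_X509()` and `fclose()` return values are also ignored, so a short write leaves a truncated file with no diagnostic; the rewrite below leaves that as a TODO because the module's logging helper is not visible in this hunk. The enclosing pxy_srccert_create begins and ends outside the hunk.
```c
	if (ctx->opts->certgendir) {
		/* … unchanged: origfpr/newfpr declarations and the two ssl_x509_fingerprint_sha1() calls … */
		/* fixed-length hex rendering into stack buffers: nothing to free */
		char origfprstr[2 * SSL_X509_FPRSZ + 1], newfprstr[2 * SSL_X509_FPRSZ + 1];
		for (size_t i = 0; i < SSL_X509_FPRSZ; i++) {
			snprintf(origfprstr + 2 * i, 3, "%02x", origfpr[i]);
			snprintf(newfprstr + 2 * i, 3, "%02x", newfpr[i]);
		}
		/* asprintf() leaves the pointer indeterminate on failure; normalise to NULL */
		char *keyfn, *crtfn;
		if (asprintf(&keyfn, "%s/%s-%s.key", ctx->opts->certgendir,
		             origfprstr, newfprstr) == -1)
			keyfn = NULL;
		if (asprintf(&crtfn, "%s/%s-%s.crt", ctx->opts->certgendir,
		             origfprstr, newfprstr) == -1)
			crtfn = NULL;
		if (keyfn && crtfn) {
			/* the key file must be 0600 regardless of umask; fopen("w") would create it 0666 & ~umask */
			int fd = open(keyfn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
			FILE *keyf = (fd == -1) ? NULL : fdopen(fd, "w");
			if (keyf) {
				/* TODO: report failure of PEM_write_PrivateKey()/fclose() via the module's logging */
				PEM_write_PrivateKey(keyf, cert->key, NULL, 0, 0, NULL, NULL);
				fclose(keyf);
			} else if (fd != -1) {
				close(fd);
			}
			FILE *crtf = fopen(crtfn, "w");
			if (crtf) {
				/* TODO: report failure of PEM_write_X509()/fclose() */
				PEM_write_X509(crtf, cert->crt);
				fclose(crtf);
			}
		}
		free(keyfn);
		free(crtfn);
	}
```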
@@ -30,15 +30,15 @@ sslsplit \-\- transparent and scalable SSL/TLS interception
 .SH SYNOPSIS
 .na
 .B sslsplit
-[\fB-kCKXOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP
+[\fB-kCKwOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP
 \fIproxyspecs\fP [...]
 .br
 .B sslsplit
-[\fB-kCKXOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fB-t\fP \fIdir\fP
+[\fB-kCKwOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fB-t\fP \fIdir\fP
 \fIproxyspecs\fP [...]
 .br
 .B sslsplit
-[\fB-OPZXdDgGsrReumjplLSFi\fP] \fB-t\fP \fIdir\fP
+[\fB-OPZwdDgGsrReumjplLSFi\fP] \fB-t\fP \fIdir\fP
 \fIproxyspecs\fP [...]
 .br
 .B sslsplit -E
@@ -185,7 +185,7 @@ no matching certificate in the provided certificate directory.
 Use private key from \fIpemfile\fP for certificates forged on-the-fly.
 If \fB-K\fP is not given, SSLsplit will generate a random 1024-bit RSA key.
 .TP
-.B \-X \fIgendir\fP
+.B \-w \fIgendir\fP
 Write generated keys and certificates to individual files in \fIgendir\fP.
 .TP
 .B \-l \fIlogfile\fP