From ea532a9464e458153bb6e60fc50883ff0f954f99 Mon Sep 17 00:00:00 2001
From: Soner Tari
Date: Tue, 26 Mar 2019 15:54:42 +0300
Subject: [PATCH] Update with sslsplit develop ssl ctx improvements

---
 protossl.c | 44 ++++++++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 14 deletions(-)

diff --git a/protossl.c b/protossl.c
index ca91c41..2bbe397 100644
--- a/protossl.c
+++ b/protossl.c
@@ -309,6 +309,12 @@ protossl_sslctx_setoptions(SSL_CTX *sslctx, pxy_conn_ctx_t *ctx)
 #endif /* SSL_OP_NO_COMPRESSION */
 
 	SSL_CTX_set_cipher_list(sslctx, ctx->opts->ciphers);
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
+	/* If the security level of OpenSSL is set to 2+ in system configuration,
+	 * our forged certificates with 1024-bit RSA key size will be rejected */
+	SSL_CTX_set_security_level(sslctx, 1);
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
 }
 
 /*
@@ -320,8 +326,10 @@ protossl_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,
                         EVP_PKEY *key)
 {
 	SSL_CTX *sslctx = SSL_CTX_new(ctx->opts->sslmethod());
-	if (!sslctx)
+	if (!sslctx) {
+		ctx->enomem = 1;
 		return NULL;
+	}
 
 	protossl_sslctx_setoptions(sslctx, ctx);
 
@@ -366,8 +374,16 @@ protossl_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,
 		EC_KEY_free(ecdh);
 	}
 #endif /* !OPENSSL_NO_ECDH */
-	SSL_CTX_use_certificate(sslctx, crt);
-	SSL_CTX_use_PrivateKey(sslctx, key);
+	if (SSL_CTX_use_certificate(sslctx, crt) != 1) {
+		log_dbg_printf("loading src server certificate failed\n");
+		SSL_CTX_free(sslctx);
+		return NULL;
+	}
+	if (SSL_CTX_use_PrivateKey(sslctx, key) != 1) {
+		log_dbg_printf("loading src server key failed\n");
+		SSL_CTX_free(sslctx);
+		return NULL;
+	}
 	for (int i = 0; i < sk_X509_num(chain); i++) {
 		X509 *c = sk_X509_value(chain, i);
 		ssl_x509_refcount_inc(c); /* next call consumes a reference */
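Review bot: `SSL_CTX_set_security_level(sslctx, 1)` is applied unconditionally inside protossl_sslctx_setoptions, so it overrides whatever level the system configuration chose — including raising a configured level 0 to 1 — and it affects every SSL_CTX that passes through this helper, not only the one that carries the forged 1024-bit certificate. If the same helper is also used for the destination-side context (its callers are outside this hunk), level 1 would also relax the key-size and algorithm floor applied to upstream server certificates and ciphers; guarding the call with `if (SSL_CTX_get_security_level(sslctx) > 1)` makes the intent explicit: lower an over-strict system default, never raise or alter a permissive one. The closing comment `#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */` drops the `!defined(LIBRESSL_VERSION_NUMBER)` half of the condition it closes; `#endif /* OPENSSL >= 1.1.0 && !LIBRESSL */` keeps it in sync. protossl_sslctx_setoptions begins outside the hunk.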
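Review bot: `ctx->enomem = 1` on a NULL from `SSL_CTX_new()` attributes every failure to memory exhaustion, but SSL_CTX_new also fails when the method is unavailable or the library is not initialised, and in every case it leaves a reason on the OpenSSL error queue that nothing here reads. Logging and thereby draining it before returning, e.g. `char e[256]; ERR_error_string_n(ERR_get_error(), e, sizeof e); log_dbg_printf("SSL_CTX_new failed: %s\n", e);`, gives the operator the real cause and avoids leaving stale entries that can skew a later SSL_get_error() on this thread. protossl_srcsslctx_create continues past the end of the hunk.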
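Review bot: The two new failure paths around `SSL_CTX_use_certificate` and `SSL_CTX_use_PrivateKey` report only through log_dbg_printf, so in a non-debug run a forged certificate that the library rejects (for instance under the security level set earlier in this same commit) shows up only as a client-side handshake failure with no server-side trace, and the OpenSSL reason code is discarded. These are operational errors rather than debugging detail; emitting them on the error channel (log_err_printf, if that is the project's convention) with the queued reason from `ERR_error_string_n(ERR_get_error(), e, sizeof e)` appended would make them actionable. It is also worth a one-line comment that `ctx->enomem` is deliberately left clear on these paths so callers can tell a load failure from allocation failure, e.g. `/* not an OOM condition: leave ctx->enomem unset */`. The function continues outside the hunk.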
@@ -575,10 +591,8 @@ protossl_srcssl_create(pxy_conn_ctx_t *ctx, SSL *origssl)
 	SSL_CTX *sslctx = protossl_srcsslctx_create(ctx, cert->crt, cert->chain,
 	                                            cert->key);
 	cert_free(cert);
-	if (!sslctx) {
-		ctx->enomem = 1;
+	if (!sslctx)
 		return NULL;
-	}
 	SSL *ssl = SSL_new(sslctx);
 	SSL_CTX_free(sslctx); /* SSL_new() increments refcount */
 	if (!ssl) {
@@ -690,7 +704,6 @@ protossl_ossl_servername_cb(SSL *ssl, UNUSED int *al, void *arg)
 	                                 ctx->opts->key);
 	if (!newsslctx) {
 		X509_free(newcrt);
-		ctx->enomem = 1;
 		return SSL_TLSEXT_ERR_NOACK;
 	}
 	SSL_set_SSL_CTX(ssl, newsslctx); /* decr's old incr new refc */
@@ -729,7 +742,6 @@ protossl_dstssl_create(pxy_conn_ctx_t *ctx)
 	if (SSL_CTX_set_min_proto_version(sslctx, ctx->opts->sslversion) == 0 ||
 	    SSL_CTX_set_max_proto_version(sslctx, ctx->opts->sslversion) == 0) {
 		SSL_CTX_free(sslctx);
-		ctx->enomem = 1;
 		return NULL;
 	}
 }
@@ -742,13 +754,17 @@ protossl_dstssl_create(pxy_conn_ctx_t *ctx)
 		SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL);
 	}
 
-	if (ctx->opts->clientcrt) {
-		if (!SSL_CTX_use_certificate(sslctx, ctx->opts->clientcrt))
-			log_dbg_printf("loading client certificate failed");
+	if (ctx->opts->clientcrt &&
+	    (SSL_CTX_use_certificate(sslctx, ctx->opts->clientcrt) != 1)) {
+		log_dbg_printf("loading dst client certificate failed\n");
+		SSL_CTX_free(sslctx);
+		return NULL;
 	}
-	if (ctx->opts->clientkey) {
-		if (!SSL_CTX_use_PrivateKey(sslctx, ctx->opts->clientkey))
-			log_dbg_printf("loading client key failed");
+	if (ctx->opts->clientkey &&
+	    (SSL_CTX_use_PrivateKey(sslctx, ctx->opts->clientkey) != 1)) {
+		log_dbg_printf("loading dst client key failed\n");
+		SSL_CTX_free(sslctx);
+		return NULL;
 	}
 
 	ssl = SSL_new(sslctx);
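Review bot: After this change a NULL from protossl_srcsslctx_create reaches `return NULL` with `ctx->enomem` unset whenever the cause was a certificate or key load failure, since only the SSL_CTX_new path inside protossl_srcsslctx_create sets the flag now. That is the right classification, but the caller of protossl_srcssl_create (outside this hunk) presumably branches on enomem to decide how to fail the connection; confirm that a NULL with enomem clear is still treated as a hard failure for this connection rather than as a retryable or ignorable state. A short comment on the return, `/* NULL with enomem unset: cert/key load failed, not OOM */`, would record the distinction for the next reader.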
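Review bot: A client certificate or key that the library refuses is a static configuration problem, yet the new `SSL_CTX_use_certificate` / `SSL_CTX_use_PrivateKey` checks detect it on every destination connection: each attempt allocates an SSL_CTX, fails, logs only at debug level and returns NULL, so without debug logging the operator just sees upstream connections failing with no explanation. Validating `ctx->opts->clientcrt` and `ctx->opts->clientkey` once when the options are loaded would surface the error at startup; at minimum the message here should go to the error log and carry the OpenSSL reason from `ERR_error_string_n(ERR_get_error(), e, sizeof e)`. The two checks are also independent, so a clientcrt without a clientkey (or the reverse) still yields a half-configured context that may fail later when the peer requests client authentication; if the option parser does not already require both or neither, that check belongs there. protossl_dstssl_create continues beyond the hunk.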