Commit Graph

179 Commits

Author SHA1 Message Date
Daniel Roethlisberger
914360eb5e Separate host and port into separate strings
Store host and port in separate strings internally and get rid of the
[host]:port representation where separate host and port would be
cleaner.  This includes the following user-visible changes:

-   Generated filenames that contain host and port, such as by -S and
    -F %d and %s, now use a host,port format instead of [host]:port.

-   Connect log now uses separate fields for host and port.

Issue:		#69 #74
Reported by:	Adam Jacob Muller
2015-03-15 17:23:46 +01:00
Daniel Roethlisberger
91da4674e5 Update copyright, license and tagline
-   Update copyright to 2015
-   Remove the non-standard "unmodified" from the 2-clause BSD license
-   Remove scalable from the tagline to avoid misinterpretations
2015-02-24 19:19:20 +01:00
Daniel Roethlisberger
f16783cee2 Move cert writer to logger thread using privsep
Make -w and -W work in conjunction with dropping privileges and
chrooting by moving the cert writer code to a separate logger thread and
using the privsep framework to open the files if they do not exist
already.

Issue:		#70
2014-12-13 23:52:17 +01:00
Daniel Roethlisberger
6ec6c56ded Refactored -w/-W and improved docs 2014-12-13 02:36:45 +01:00
PsychoMario
3aff928daf moved key output to main.c, caught some bugs 2014-12-12 17:28:06 +00:00
PsychoMario
a83cd68605 stored fpr as char* in ctx 2014-12-11 13:57:50 +00:00
PsychoMario
1736564b32 error handling 2014-12-09 23:26:00 +00:00
PsychoMario
4f310a877a implemented -W to write original certs 2014-12-09 21:43:05 +00:00
PsychoMario
a7e2d99b39 added logging of fingerprints, uppercased names 2014-12-09 21:13:04 +00:00
PsychoMario
13dce0aa35 moved write to pxy_srccert_create, -X to -w, opts_free use 2014-12-09 20:02:25 +00:00
PsychoMario
73042d4daa fix mutual exclusivity, sprintf->asprintf 2014-12-09 19:47:10 +00:00
PsychoMario
cbb2a179f9 naive implementation with -X, no help, validation, logging 2014-12-09 19:08:11 +00:00
Daniel Roethlisberger
c4b22efa5a Fix segmentation fault for aborted connections 2014-11-27 23:19:54 +01:00
Daniel Roethlisberger
65f56f634d Improve error handling on logging calls 2014-11-21 17:42:10 +01:00
Daniel Roethlisberger
b5e3856a97 Move open() and mkdir() to logger thread 2014-11-21 16:10:37 +01:00
Daniel Roethlisberger
007823b16e Fix connect logging for corner cases 2014-11-19 22:39:51 +01:00
Daniel Roethlisberger
c5b8fd127f Add version and ciphersuite to connect and debug log 2014-11-17 19:14:29 +01:00
Daniel Roethlisberger
fcd008df4b Unify asprintf error handling 2014-11-17 19:11:27 +01:00
Daniel Roethlisberger
b1ec5d0e09 Improve log_content_open() error handling 2014-11-16 22:31:54 +01:00
Daniel Roethlisberger
328e3320f9 Fix build for !HAVE_LOCAL_PROCINFO 2014-11-16 21:57:33 +01:00
Daniel Roethlisberger
e022b2af26 Add local process information to connect log 2014-11-16 20:11:25 +01:00
Daniel Roethlisberger
08ca5b2891 Also print pid if lookup (partially or fully) fails 2014-11-16 19:37:35 +01:00
Daniel Roethlisberger
150650c7e9 Make local procinfo run-time optional (-i) and use src host:port 2014-11-14 16:20:07 +01:00
Daniel Roethlisberger
42497693d1 Rename define for consistency 2014-11-14 15:36:16 +01:00
Daniel Roethlisberger
0237fe34dc Only build local process info code where supported 2014-11-14 15:31:30 +01:00
Daniel Roethlisberger
966fe80c0c Move process information code from sys to proc 2014-11-14 01:01:14 +01:00
Daniel Roethlisberger
c3922d9852 Refactor process lookup out of NAT engine code
Local process lookup is independent of the NAT engine used, it depends
only on the operating system's process enumeration API.  Moving the code
out of NAT lookup also makes it work for static and SNI proxyspecs.
2014-11-14 00:41:27 +01:00
Daniel Roethlisberger
dc7a3ee9e3 Break line to 80 cols 2014-11-13 23:50:59 +01:00
Landon Fuller
a4c518c8a0
Merge remote-tracking branch 'origin/fix-macosx' into logspec_path_support 2014-11-07 16:43:09 -07:00
Landon Fuller
efca8d73c9
Remove debugging statement. 2014-11-07 16:38:50 -07:00
Landon Fuller
81bf954c17
Merge commit '5ed49c498596995c79a5b7fda3d1ee1eb09ce8ec' into sys_proc_info 2014-11-07 16:37:50 -07:00
Landon Fuller
fe5eb66b53
Merge commit '9204418c806fc85ba04c3650dc4002bd440083ca' into nat_local_pid 2014-11-07 16:33:39 -07:00
Daniel Roethlisberger
375bf2a13c Clarify comment about logging 2014-11-06 18:12:49 +01:00
Daniel Roethlisberger
6b0e47dc89 Allow more control over used SSL/TLS versions
Add -r to force a specific SSL/TLS protocol version.
Add -R to disable one or several SSL/TLS protocol versions.
Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER to WITH_SSLV2.

Issue:		#30
Reported by:	@Apollo2342
2014-11-05 20:06:11 +01:00
Daniel Roethlisberger
5219d494f3 Protect session cache calls from sess == NULL 2014-11-03 22:10:01 +01:00
Daniel Roethlisberger
fcb64e85e7 Make SSLv2 support opt-in instead of opt-out
Migrate knobs from DISABLE_SSLV2_CLIENT and DISABLE_SSLV2_SERVER to
WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER and remove the
DISABLE_SSLV2_SESSION_CACHE knob entirely, automatically including the
respective code if SSLv2 support is compiled into SSLsplit.
2014-11-03 19:39:13 +01:00
Daniel Roethlisberger
769fbd042d Filter HSTS response headers to allow cert override
Also remove HTTP Strict Transport Security (HSTS, RFC 6797) headers from
HTTP responses.  With HSTS active, the user is not allowed to accept
untrusted certificates.
2014-11-02 20:25:17 +01:00
Daniel Roethlisberger
b1a7b11aea Don't depend on the space when parsing HTTP headers 2014-10-28 23:31:07 +01:00
Daniel Roethlisberger
d85e5ddbe2 Disable SSLv2 support by default 2014-10-28 23:24:37 +01:00
Landon Fuller
8350b1deb0 Plumb user/group/path information through the logging API. 2014-10-18 14:35:49 -06:00
Landon Fuller
5ed49c4985 Implement user and group name lookup. 2014-10-18 14:16:50 -06:00
Landon Fuller
52d979e29d Add a standard API for fetching process name, uid, and gid. 2014-10-18 13:46:44 -06:00
Landon Fuller
9204418c80 Thread pid lookup support through the NAT API.
This exposes the pid lookup code as a standard attribute
of NAT lookup -- if a matching process cannot be found,
or if pid lookup isn't supported by the NAT backend,
a pid of -1 is returned.

This also adds the local_pid to the pxyconn context; this
will be used to populate log strings.
2014-10-18 13:16:02 -06:00
Daniel Roethlisberger
ac98c2d9cc Fix segmentation fault when using -t without a CA
The key type checks which are used to optimize the loading of DH and
ECDH parameters should check the type of the supplied server key, not
the global options key.
2014-01-30 22:21:08 +01:00
Daniel Roethlisberger
e1d8a2a965 Lint fix: define some variables in smaller scope 2014-01-14 17:37:57 +01:00
Daniel Roethlisberger
716139b169 Suppress SPDY/QUIC by removing Alternate-Protocol headers 2014-01-14 17:35:56 +01:00
Daniel Roethlisberger
2235e1aad9 Fix memory leak in fake cert generation code
The code in pxy_ossl_servername_cb() which generated the forged
certificates did not call SSL_CTX_free() on the newly allocated SSL_CTX
struct after associating it with the SSL struct, which increments the
reference count internally.  Also add some comments explaining OpenSSL
reference counting behaviour to be more explicit on what happens to the
instances that OpenSSL keeps track of.
2014-01-13 23:56:59 +01:00
Daniel Roethlisberger
05410fe9b3 Enable SSL_MODE_RELEASE_BUFFERS by default 2014-01-13 23:33:31 +01:00
Daniel Roethlisberger
56842b2f63 Fix file descriptor leak in passthrough mode (-P)
When using passthrough mode, if a connection to a server fails with an
SSL error, sslsplit falls back to plain TCP passthrough.  When
reconnecting with plain TCP, the SSL context was freed, but the file
descriptor was never closed.  The fix remedies that by calling the
proper cleanup function for the dst bev before reconnecting.

Reported by:	Peter Haag
2014-01-11 19:12:00 +01:00
Daniel Roethlisberger
e129041c1c Add some OpenSSL refcounting comments 2014-01-11 19:03:15 +01:00
Daniel Roethlisberger
e7ba15f184 Remove unused variable 2014-01-11 17:55:01 +01:00
Daniel Roethlisberger
4849a9738b Set ssl fields to NULL after freeing 2014-01-11 17:35:36 +01:00
Daniel Roethlisberger
7b09128ead Fix double free of SSL_CTX
Remove a superfluous call to SSL_CTX_free() which caused SSL_CTX
structures to be free'd twice under some circumstances.

Issue:		#16
Reported by:	Amit Chowdhary
2014-01-11 17:30:06 +01:00
Daniel Roethlisberger
b82ca9b414 Print status of free'd SSL structs in debug mode 2014-01-11 17:28:41 +01:00
Daniel Roethlisberger
de27f40b04 Fix two typos in comments 2014-01-11 15:17:31 +01:00
Daniel Roethlisberger
bccbdbf1cc Free SSL_CTX directly after calling SSL_new()
Since SSL_new() increments the refcount of the passed SSL_CTX, free it
directly after handing it to SSL_new() instead of later after SSL_free().
2014-01-11 00:39:28 +01:00
Daniel Roethlisberger
cfa5b15223 Fix dst bufferevent BEV_EVENT_CONNECTED handler
This removes the spurious "Unknown bufferevent 0x80" debug message but
does not have any change in functionality, since return would have been
called anyway after falling down the debug message.

While here, remove the useless "ignoring event" debug message unless
DEBUG_PROXY is defined, and also print the timeout flag in debug mode.
2014-01-10 12:08:26 +01:00
Daniel Roethlisberger
06a02f946a Always explicitly name the non-null arguments
Always explicitly name which arguments are non-null, even if all
arguments are non-null.  This is to avoid bugs where newly added
arguments are automatically non-null by accident, possibly leading to
optimisation errors.

This also fixes a few potential errors related to non-null arguments;
specifically it prevents the compiler optimising away a test for sni
being NULL in cachedsess_mkkey().

Issue:		#14
Reported by:	kythyria
2014-01-06 14:28:33 +01:00
Daniel Roethlisberger
ca923ee7f1 Update copyright notices to 2014 2014-01-06 14:09:18 +01:00
Daniel Roethlisberger
a94dbc8c3a Refactor event handler for clarity 2013-08-23 15:07:07 +02:00
Daniel Roethlisberger
38280818f8 Add HTTP content-length to connect log 2013-06-29 22:50:39 +02:00
Daniel Roethlisberger
b746a6f6bb Add HTTP response header filtering
Filter response headers in order to remove HPKP headers.  As an added
benefit, parse the HTTP status code and add it to the connection log.
2013-06-29 22:35:51 +02:00
Daniel Roethlisberger
2a4a9c8b23 Fix fallback to passthrough when no cert present
Properly reset connection state when reconnecting the dst part of the
connection.  This fixes the fallback to passthrough when no certficates
are present which can be used to split the SSL.

Issue:          #9
Reported by:    ceear
2013-05-27 00:22:45 +02:00
Daniel Roethlisberger
9f23fb31aa Log new bev connections to debug log 2013-05-27 00:03:05 +02:00
Daniel Roethlisberger
c972501063 Update copyright notices 2013-04-24 20:36:38 +02:00
Daniel Roethlisberger
146188b750 Improve SNI peek debugging 2013-04-03 18:12:52 +02:00
Daniel Roethlisberger
bb15224d11 Flush error queue prior to exiting
Reorganize the cleanup code after detaching from the TTY in order to be
able to flush the error queue before calling exit().  Addresses issue #6
2012-10-23 21:30:11 +02:00
Daniel Roethlisberger
457c2621b8 Fix warning when SSLv2 session cache is enabled 2012-05-13 15:29:39 +02:00
Daniel Roethlisberger
8eb5165760 Optimize debug branching using __builtin_expect() 2012-05-13 15:24:50 +02:00
Daniel Roethlisberger
38d22415af Generic EC loading, new default curve 'secp160r2' 2012-05-11 17:39:12 +02:00
Daniel Roethlisberger
a592f7149c Improve error handling for no origcrt situations 2012-05-02 15:37:47 +02:00
Daniel Roethlisberger
605c1ab6e6 Improve error recovery under low memory conditions 2012-05-02 15:02:59 +02:00
Daniel Roethlisberger
3fd9084fe1 Quickly decide on GET URIs obviously not OCSP 2012-04-22 21:55:19 +02:00
Daniel Roethlisberger
ee98c04b29 Add generic OCSP denial 2012-04-22 19:12:38 +02:00
Daniel Roethlisberger
9f40fbc473 Replace empty strings with dash when logging 2012-04-22 13:36:44 +02:00
Daniel Roethlisberger
07d591fccf Skip whitespace when parsing HTTP headers 2012-04-22 13:35:08 +02:00
Daniel Roethlisberger
083b02d78d Minor reformatting 2012-04-22 12:43:23 +02:00
Daniel Roethlisberger
d4be8c3e38 Refactor ssl_x509_names_to_str() for maintainability 2012-04-17 23:35:43 +02:00
Daniel Roethlisberger
4cfdef405a Initial import of sslsplit-0.4.2 2012-04-13 14:47:30 +02:00