Commit Graph

104 Commits

Author SHA1 Message Date
Soner Tari
6c988b0f4a Add structured filtering rules to specify conn options
Now all connection oriented proxy options possible to specify
per-proxyspec or globally can be specified in structured filtering rules
to be selectively applied to connections too. One line filtering rules
can specify filter and log actions only.

For example, we can enable/disable user authentication, protocol
validation, server ssl verification, and many other options
per-connection, or configure SSL/TLS connection options per-connection.

So, now we replace the conn_opts struct of a connection's ctx with the
conn_opts struct of the matching structured filtering rule. (One line
filtering rules have a NULL conn_opts, so we first check if the
conn_opts is not NULL.)
2021-10-28 23:33:53 +03:00
Soner Tari
14c8d417c9 Move connection oriented options to a new conn_opts struct 2021-10-26 19:08:00 +03:00
Soner Tari
efc9f3175d Update version to 0.9.0 2021-10-16 20:49:53 +03:00
Soner Tari
f056f699c1 Add port option to all site specs, fix precedences in filtering rules
Now, all of the 'to' site fields in filtering rules can specify a port,
not just the dstip sites.

Fix the precedence of sites in the same type of rules. For example, if
we find a match with an sni site, we should not stop searching for a
match in cn, because a matching cn site may have a higher precedence
than the matching sni site. We should apply the action of the cn site,
although sni rules have precedence over cn. The same applies to http
host and uri rules too.

Fix the precedence of dstip rules.

Improve and update unit and e2e tests accordingly.
2021-10-07 22:22:23 +03:00
Soner Tari
9d2e523cd0 Use Aho-Corasick machines for substring matching
Now, the filter uses B-trees for exact string matching and Aho-Corasick
machines for substring matching. B-trees and AC machines are exported to
linked lists for debug logging only.

Also,
- Separate all_sites and all_ports filters from substring filters. They
are not related with substring filters actually, and ACM keywords cannot
be empty strings anyway. So now they should be handled separately too.
- Improve debug logging of filtering rules.
- Update unit tests accordingly, and improve.
- Fix pxyconn_filter(), keep searching for a match in substring filters
if exact match does not have a matching site rule.
- Increase common names max len and tokens. weather.gov has 73 tokens.
- Rename keyword to desc.
- Update documentation.
- Clean up.
2021-10-05 23:00:17 +03:00
Soner Tari
96ba8557d6 Add unit tests for substring 'from' fields in filtering rules
Also, improve code
2021-10-03 23:50:41 +03:00
Soner Tari
f44f12456c Fix unit tests with WITHOUT_USERAUTH
And update documentation
2021-10-03 00:56:45 +03:00
Soner Tari
2ff0f728e5 Use template macros for code reuse, and append to linked lists
Add to the end of linked lists for correct list ordering, but btrees
cannot obey this ordering.
Also, update the unit tests accordingly.
And fix compile with WITHOUT_USERAUTH.
2021-10-02 23:13:56 +03:00
Soner Tari
4f36a21c78 Use kbtree BST for exact match in site and port 'to' fields
So, for 'to' fields too, we use two separate data structures: binary
search trees (BST) for exact match and linked lists for substring match.

Now all 'from' and 'to' fields in filtering rules use these two data
structures.

To repeat, filtering rules should be written with exact matches instead
of substring matches, as much as possible. Because BST search must be
much faster than substring search over linked lists.

To repeat, we have modifed kbtree to support complex data structures in
from fields.

Also, update the unit tests accordingly.
2021-10-02 21:21:24 +03:00
Soner Tari
21fed37a92 Rename tmp_global_opts to global_tmp_opts 2021-09-27 14:35:16 +03:00
Soner Tari
fd6c852355 Move filtering rules to filter.c/h
Also, fix certain and possible memory leaks in debug printing
And improve code
2021-09-27 14:17:25 +03:00
Soner Tari
14f68457fb Fix the ordering of sites, ports, and macro values in filtering rules
all_sites and all_ports rules should be at the end of their lists, they
should be searched last, because they are the least specific rules in
their lists, hence have lower precedences.

Also, obey the order of rules in conf files by adding sites, ports, and
macro values to their lists in the same order they are in conf files.

Update the unit and e2e tests accordingly, and improve.
2021-09-26 21:11:48 +03:00
Soner Tari
c8f09d162a Add port field to Dst Host filter rules, and refactor for code reuse
Now the target IP address filters can use port specs too.
Refactor for code reuse, create filter_action struct used by rules,
sites, and ports.
Also, improve code and documentation.
2021-09-26 13:50:14 +03:00
Soner Tari
dc34bc1ccf Add e2e tests for filtering rules
End-to-end tests now require testproxy v0.0.4, which supports the new
Reconnect command for the Pass filtering rule.

Split mode with the -n option also supports filtering rules, so the
Divert rule can enable the divert mode even with the -n option. This is
because the purpose of the -n option is to convert sslproxy into an
sslsplit, and we want to support filtering rules in sslsplit-like
sslproxy too.
2021-09-25 11:40:44 +03:00
Soner Tari
17630340d2 Add unit tests for filtering rules
for both the parser and the translator

TODO: Add reject tests
2021-09-23 18:23:50 +03:00
Soner Tari
d877b9a635 Fix and improve get_name_value() and unit tests
Fix possible segfault if name has leading white space
Pass the name param to get_name_value() as char *, so it cannot be
modified ever

Improve unit tests for get_name_value and proxyspec_parse
2021-09-22 15:29:09 +03:00
Soner Tari
206734e4b6 Return -1 on error from all configuration functions, never exit()
And use all those return values.

Since we support include files now, we should be able to report in which
include file the error has occured. This is not possible if functions
just bail out calling exit(), because the user has to scroll back stderr
lines to find which include file has failed loading (a line starting
with 'Conf: ').

Plus, calling exit() on errors reduces unit testability of functions.

Also, handle all possible out of memory conditions in opts.c.
2021-09-22 00:51:36 +03:00
Soner Tari
446cc29f5f Don't change log action if not specified, and obey the order of filtering rules
Filtering rules can enable/disable or don't change logging. If a rule
does not mention a log action, its logging should not change. So, binary
log action fields were not enough to represent those 3 possibilities,
hence we have increased the size of those fields to 2-bits.

We should obey the order of rules as they are written in the conf file,
because latter rules should be able to override the log actions of
earlier rules. So, keep the order.
2021-09-19 16:24:35 +03:00
Soner Tari
cc7bd4a332 Add precedence to filtering rules
Now we assign precedence to each filtering rule. More specific rules
have higher precedence. So, filtering rules at lower precedence cannot
override the actions applied to a conn by filtering rules at higher
precedence.
The other precedence rules still apply.
2021-09-18 16:58:42 +03:00
Soner Tari
0c9fe83bb5 Update unit tests with master and cert log actions 2021-09-18 01:01:47 +03:00
Soner Tari
f0c2ca6819 Add Match action and connect|content|pcap|mirror log actions in filtering rules
- Match action is added to be used with log actions only, the other
filter actions can specify log actions too
- Log actions do not configure any loggers. Global loggers for
respective log actions should have been configured for those log actions
to have any effect.
- If no filter rules are defined for a proxyspec, all log actions are
enabled. Otherwise, all log actions are disabled, and filtering rules
should enable them specifically.
- Fix max number of tokens in proxyspec and filter parsers
- Fix issues with rejecting unknown args in filter rule parser
- Do not use filter_rules field of proxyspec after config finished, it
is used for filter configuration and freed afterwards
2021-09-16 21:34:23 +03:00
Soner Tari
37f82aa84e Simplify get_name_value() 2021-09-15 03:07:04 +03:00
Soner Tari
42fecffb70 Silence error message issued for Divert option non-yes|no value
If the value for the Divert option is not yes|no, it is assumed to be a
Divert filtering rule. So the parser for filtering rules should issue
any errors.
2021-09-14 18:32:57 +03:00
Soner Tari
9c8e56d5df Fix unit tests for proxyspec parser caused by tmp global opts change
Pass a non-NULL tmp global opts arg to proxyspec_parse() for its global
split flag accessed in the function.
2021-09-14 13:30:59 +03:00
Soner Tari
8d752b4d31 Add documentation for filtering rules
Also bump version to 0.8.7
2021-09-13 23:10:41 +03:00
Soner Tari
475a7ebcda Add Divert|Split|Pass|Block filtering rules
(Divert|Split|Pass|Block)
  ([from (
        user (username|*) [desc keyword]|
        ip (clientaddr|*)|
        *)]
    [to (
        sni (servername[*]|*)|
        cn (commonname[*]|*)|
        host (host[*]|*)|
        uri (uri[*]|*)|
        ip (serveraddr|*)|
        *)]
  |*)

Also, fix a couple of issues with filter rule handling
Clean up
2021-09-12 15:08:59 +03:00
Soner Tari
85fb1bd214 Add new data structure for general filtering rules
Now PassSite rules are considered as pass rule and added to the new data
structure. PassSite option will be deprecated in the future.
2021-09-10 22:53:08 +03:00
Soner Tari
6a4a70bb06 Avoid strdup() and simplify passsite search
Also, improve code, tests, and documentation
2021-09-08 00:21:52 +03:00
Soner Tari
982880ccfe Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.

This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.

And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.

Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.

Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.

Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 18:52:52 +03:00
Soner Tari
69753b250c Add split mode of operation similar to SSLsplit
The -n command line option enables split mode for all proxyspecs,
effectively making sslproxy behave like sslsplit.
Divert option can be set/unset globally and per-proxyspec.
Add e2e tests for split mode, and update make file for tests
accordingly.
Update documentation accordingly.
Improve code reuse, remove duplicate functions.

This change deserves a release of its own, hence v0.8.4.
2021-08-29 17:31:05 +03:00
Soner Tari
f8ada5100a Fix initialization of content logging in lp (issue #30)
readcb fires before connect eventcb, so we enable it in readcb now. But
perhaps lp should behave like sslproxy and not enable readcb until after
connect eventcb.

Note that there is no problem with sslproxy, it's just lp.
2021-07-17 16:13:50 +03:00
Soner Tari
596aebb2f3 Update version to 0.8.3 and copyright year to 2021 2021-02-11 00:25:09 +03:00
Soner Tari
aded848043 Release v0.8.2 2020-12-15 17:12:50 +03:00
Soner Tari
6c0b981831 Update version to 0.8.1
Update TLS 1.3 documentation.
2020-09-08 14:33:25 +03:00
Soner Tari
6f5a7ceeb1 Add WITHOUT_USERAUTH switch 2020-08-25 23:32:32 +03:00
Soner Tari
ca79405769 Fix doc for MaxSSLProto default as tls13 2020-07-25 11:35:52 +03:00
Soner Tari
af27340889 Add -U CipherSuites option 2020-06-27 23:54:56 +03:00
Soner Tari
fade72ec0d Move main.mk under Mk folder and improve make files 2020-06-23 13:00:05 +03:00
Soner Tari
2f89a27551 Use Testproxy v0.0.3 2020-06-21 13:10:27 +03:00
Soner Tari
8989873332 Add sni assertions to testproxy e2e tests for tls12 and tls13 2020-06-21 12:02:21 +03:00
Soner Tari
1403c4eda1 Fix travis for ssl libs without tls13, add no_tls13 e2e tests 2020-06-20 23:31:32 +03:00
Soner Tari
ee41c72666 Add tls13 support
Add e2e tests for tls13 too
2020-06-20 21:24:53 +03:00
Soner Tari
9da7437919 Release v0.8.0 2020-05-24 00:22:23 +03:00
Soner Tari
826b612c1e Fix build version
Improve documentation
2020-05-21 16:22:32 +03:00
Soner Tari
3fe0e5f1eb Move tmp global opts vars to new tmp struct
The global opts strings in this new tmp struct are used while cloning
global opts into proxyspec opts. A var of this type is passed around as
a flag to indicate if these opts are global (if non-NULL), so should be
stored in that struct and used as such, or proxyspec specific (if NULL),
so should not be used as global. This var is temporary, hence freed
immediately after configuration is complete.
Also improve and clean up.
2020-05-15 19:18:13 +03:00
Soner Tari
6abfa01252 Free all structs created for testing 2020-05-14 12:07:14 +03:00
Soner Tari
4a1980d4a5 Add check unit tests for protocol validation and util_get_first_word_len()
Also improve and clean up
2020-05-13 21:24:08 +03:00
Soner Tari
e3b0ba94d8 Accept space, tab, cr, and nl chars after POP3 and SMTP commands
POP3 clients may and do append CRLF to commands.
So use the new util_get_first_word_len() function.
2020-05-12 15:48:05 +03:00
Soner Tari
01577657fd Clean up DOCKER directives 2020-05-12 12:02:53 +03:00
Soner Tari
ef2edff60a Improve string comparisons
We need case-insensitive comparison validating POP3 and SMTP commands.
Define macro function to check string equality.
2020-05-12 01:28:41 +03:00