Commit Graph

627 Commits

Author SHA1 Message Date
Daniel Roethlisberger
79d570fe2e Use direct access workaround with LibreSSL
LibreSSL defines OPENSSL_VERSION_NUMBER == 0x20000000L and therefore
needs special treatment when detecting OpenSSL API features based on
OPENSSL_VERSION_NUMBER.  LibreSSL currently does not seem to implement
SSL_CTX_get0_chain_certs().  Once it does, there will be a need for a
specific version check on LIBRESSL_VERSION_NUMBER.

Reported by:		Jérémie Courrèges-Anglas
2015-08-02 21:34:43 +02:00
Daniel Roethlisberger
a084aa62ec Update NEWS.md 2015-07-28 23:58:57 +02:00
Daniel Roethlisberger
57a2ab8588 Rewrite protocol version macros and refactoring
Introduce HAVE_SSLV2, HAVE_SSLV3, HAVE_TLSV10, HAVE_TLSV11 and
HAVE_TLSV12 to indicate that support for the respective protocol is
available in OpenSSL.  This was necessary due to the increased
complexity of testing version support following the phasing out of SSLv2
and SSLv3 from OpenSSL implementations.  This fixes the build with
OpenSSL versions which have SSLv3 support removed.

While here, de-duplicate code for setting SSL_CTX options and do not set
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION anymore; it has no benefit
in the context of splitting SSL/TLS for analysis.

Reported by:	Jérémie Courrèges-Anglas
2015-07-28 23:39:51 +02:00
Daniel Roethlisberger
769da7565e Style fix 2015-07-28 22:02:04 +02:00
Daniel Roethlisberger
a08a7233ab Move free() to the else branch where it belongs
This prevents free(NULL) in case of failures in ssl_x509_fingerprint().

Issue:		#103
Reported by:	@david-stratusee
2015-07-10 12:01:52 +02:00
Daniel Roethlisberger
f12dd5bb92 Fix debug mode memory leak of cert fingerprint
Issue:		#103
Reported by:	Scot Loach
2015-07-07 18:12:32 +02:00
Daniel Roethlisberger
3f39f589f2 Warn on OpenSSL version mismatch in debug mode
Issue:		#88
2015-06-23 19:07:23 +02:00
Daniel Roethlisberger
74f62c3e5e Refactor and unify ClientHello parsers
Refactor and unify ssl_tls_clienthello_identify() and the earlier
ssl_tls_clienthello_parse_sni() into a single
ssl_tls_clienthello_parse() function that handles parsing ClientHello
messages for different purposes.  As a result, rename the debug knob
DEBUG_SNI_PARSER into DEBUG_CLIENTHELLO_PARSER.
2015-05-17 20:27:58 +02:00
Daniel Roethlisberger
558ffb8d33 List the dependencies in the install notes 2015-05-02 12:52:37 +02:00
Daniel Roethlisberger
29f7ae7bb4 Add a note that pkg-config is used when available 2015-05-02 12:47:10 +02:00
Daniel Roethlisberger
64cc8ffcde Fix lib search w/o pkg-config w/multiple instances
Fix automatic search for dependencies when multiple instances of the
same library are installed in different prefixes that we search, by
using the first one found.  Automatic search is only used when
pkg-config was not found.  This fixes compiler errors caused by spurious
path names within compiler or linker flags, such as

    ld: can't map file, errno=22 file '/usr/lib' for architecture x86_64
    clang: error: linker command failed with exit code 1 (use -v to see
    invocation)

While here, also make XNU header version fallback more robust and add
(diabled) version mappings for 10.10.2 and 10.10.3 which are not
published by Apple yet.

Issue:		#96
Reported by:	Jan Vilhuber
2015-05-02 12:23:14 +02:00
Daniel Roethlisberger
ad5de848c7 Refrain from naming a specific OpenSSL release 2015-05-01 12:13:12 +02:00
Daniel Roethlisberger
bbbeb7c3a4 Further improve wording for clarity 2015-05-01 12:11:44 +02:00
Daniel Roethlisberger
a0a27742dc Rewrite description for clarity
Issue:		#60, #93
2015-05-01 11:59:59 +02:00
Daniel Roethlisberger
b765cb7e0f Update NEWS.md for #92 2015-04-30 17:00:06 +02:00
Daniel Roethlisberger
95d4a9bc35 Explicitly initialize OpenSSL with SSL proxy specs
Make sure we always initialize OpenSSL explicitly, even if there are no
certificates or keys loaded or generated.  Previously, OpenSSL would
only have been initialized if the configuration actually uses
certificates or keys, which is not always the case, e.g. with -t
pointing to an empty directory.

Issue:		#92
Reported by:	xelalexv
2015-04-30 16:58:35 +02:00
Daniel Roethlisberger
dd0d3238ca Add sha1(NEWS.md) to BUILD_INFO when VERSION from dir
Issue:		#85
2015-04-22 23:12:03 +02:00
Daniel Roethlisberger
6671a82aed Rename genericstarttls to autossl and improve docs
Issue:		#87
2015-04-21 16:00:55 +02:00
Daniel Roethlisberger
d7cccacc05 Move ssl_tls_clienthello_identify out of !OPENSSL_NO_TLSEXT
Issue:		#87
2015-04-21 15:52:39 +02:00
Daniel Roethlisberger
96b038ef9b Merge branch 'feature/starttls' of https://github.com/RichardPoole42/sslsplit into feature/autossl 2015-04-21 15:09:31 +02:00
Daniel Roethlisberger
c28ca34fe1 Revert "bugfix: actually parse resolv.conf at startup"
This reverts commit aaa4e94f84.

The initialize_nameservers argument to evdns_base_new was deliberately
not set to 1 because we call evdns_resolv_conf_parse manually later, as
we want more differentiated error reporting.

Issue:		#86
2015-04-21 13:42:29 +02:00
Daniel Roethlisberger
a9863c012b Add Richard Poole to contributor lists 2015-04-21 11:53:39 +02:00
Daniel Roethlisberger
c7ba155ce9 Merge branch 'issue/86' into develop
Issue:		#86
Reported by:	Richard Poole
2015-04-21 11:51:42 +02:00
Richard Poole
5c8b5e30d5 connection upgrade feature: upgrade tcp to ssl on client hello
This code looks at the beginning of each read from the src for something
that looks like an ssl client hello message; if it finds one it tries to
upgrade the connection to proxied ssl. So it works only in the simple
case where the connection has no binary data before the upgrade attempt
(so there are no false positives), and where the client hello comes at
the beginning of a packet from the source.
2015-04-18 13:34:04 +01:00
Richard Poole
aaa4e94f84 bugfix: actually parse resolv.conf at startup 2015-04-18 13:02:33 +01:00
Richard Poole
0f2714ed8a spelling fix 2015-04-18 11:51:28 +01:00
Richard Poole
1f1f7b5559 bugfix: correct calls to log_dbg_printf 2015-04-18 11:50:26 +01:00
Daniel Roethlisberger
330ea4a74c Clarify explanation of -t
Issue:		#84
2015-03-29 14:19:39 +02:00
Daniel Roethlisberger
62b4848998 Add debug mode output to list of things to provide 2015-03-26 09:39:24 +01:00
Daniel Roethlisberger
7badc2fc13 Move all test RSA keys from 1024 bit to 2048 bit
Issue:		#83
2015-03-24 20:40:15 +01:00
Daniel Roethlisberger
77109df8d2 Improve docs on autogenerated 1024 bit RSA leaf key
Issue:		#83
2015-03-24 20:33:38 +01:00
Daniel Roethlisberger
6e53e93d0f Move from sha1 to sha256 in examples and tests
Note that OpenSSL may not support -sha256 on all platforms so we
actually check for support before using it in `make test`.  For the
examples, a modern version of OpenSSL that supports -sha256 is assumed.

Issue:		#83
2015-03-24 20:33:09 +01:00
Daniel Roethlisberger
35dae31624 Rename badly named local var to avoid grep FPs
Issue:		#83
2015-03-24 20:28:40 +01:00
Daniel Roethlisberger
9b5006d6f7 Add PCFLAGS for additional pkg-config flags
Allow for additional flags to pkg-config by means of a PCFLAGS variable.
This e.g. allows to set PCFLAGS='--static' for static builds in
combination with CFLAGS='-static' and LDFLAGS='-static'.

Issue:		#82
Reported by:	@kickwindbg
2015-03-23 22:10:00 +01:00
Daniel Roethlisberger
a14354d18b Allow uid, gid and mode of installed files to be tuned
Introducing the overridable variables INSTALLUID, INSTALLGID, BINUID,
BINGID, BINMODE, MANUID, MANGID, MANMODE that allow overriding of uid,
gid and mode of installed files.  Note that this solution still has the
limitation that uid, gid and mode of created directories cannot be set.

Issue:		#81
Reported by:	Shiloh Heurich
2015-03-17 00:09:19 +01:00
Daniel Roethlisberger
7ae02fa6d0 Merge branch 'master' into develop after 0.4.11 2015-03-16 00:58:27 +01:00
Daniel Roethlisberger
22b4d3c108 SSLsplit 0.4.11 maintenance release 2015-03-16 00:24:02 +01:00
Daniel Roethlisberger
317cd8190f Reorder major bug fixes 2015-03-16 00:20:18 +01:00
Daniel Roethlisberger
c8e9f231bd Fix loading of certificate chains with OpenSSL 1.0.2
SSLsplit was directly accessing `extra_certs` within `SSL_CTX` to get to
the extra certificates chain.  When building on OpenSSL 1.0.2 or newer,
use the new API instead of directly accessing `extra_certs`.

Issue:		#79
2015-03-16 00:18:41 +01:00
Daniel Roethlisberger
580d2286b9 Record the actual XNU version detected 2015-03-16 00:13:04 +01:00
Daniel Roethlisberger
89860add8a Add XNU header selection fallback
If the proper headers matching either the reported XNU version or OS X
version exactly cannot be found, use the latest headers that SSLsplit
knows about.  This fixes build on new releases of OS X that have no
source code published by Apple yet.
2015-03-16 00:13:04 +01:00
Daniel Roethlisberger
992c90db3b Escape # in shell invocation
This fixes the following make error on Mac OS X versions that we don't
explicitly support yet due to missing sources:

    GNUmakefile:55: *** unterminated call to function `shell': missing `)'.
    Stop.

Reported by:	Justin Garrick
2015-03-16 00:13:04 +01:00
Daniel Roethlisberger
00253f34db Quote dollar signs in shell invocation
Reported by:	Justin Garrick
2015-03-16 00:13:04 +01:00
Daniel Roethlisberger
d5e9d989d6 Remove make config from travis script 2015-03-15 23:00:25 +01:00
Daniel Roethlisberger
80b727054b Refactor proxyspec printing into proxyspec_str() 2015-03-15 22:55:34 +01:00
Daniel Roethlisberger
da47cd3fe1 Improve documentation of build process 2015-03-15 22:38:29 +01:00
Daniel Roethlisberger
e384d89b35 Replace percent in IPv6 addrs in filenames
Percent is used to specify the interface for link-local addresses.
Even though this is not strictly necessary for NTFS, it makes sense to
replace percent with underscore as well to have cleaner filenames.

Also add some unit tests for sys_ip46str_sanitize() that actually test
the intended behaviour.
2015-03-15 20:08:11 +01:00
Daniel Roethlisberger
0a67f845e6 Merge branch 'issue/74' into develop
Issue:		#74
Submitted by:	Adam Jacob Muller
2015-03-15 18:43:13 +01:00
Daniel Roethlisberger
568b5a681c Update documentation for new -F formats 2015-03-15 18:41:49 +01:00
Daniel Roethlisberger
ce002378b8 Use more intuitive letters for new format specs
%D for Destination host, %p for the (more interesting) destination port,
%S for Source host, %q for the (less interesting) source port.
2015-03-15 18:39:36 +01:00