Commit Graph

72 Commits

Author SHA1 Message Date
Soner Tari
8d752b4d31 Add documentation for filtering rules
Also bump version to 0.8.7
2021-09-13 23:10:41 +03:00
Soner Tari
982880ccfe Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.

This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.

And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.

Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.

Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.

Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 18:52:52 +03:00
Soner Tari
69753b250c Add split mode of operation similar to SSLsplit
The -n command line option enables split mode for all proxyspecs,
effectively making sslproxy behave like sslsplit.
Divert option can be set/unset globally and per-proxyspec.
Add e2e tests for split mode, and update make file for tests
accordingly.
Update documentation accordingly.
Improve code reuse, remove duplicate functions.

This change deserves a release of its own, hence v0.8.4.
2021-08-29 17:31:05 +03:00
Soner Tari
f8ada5100a Fix initialization of content logging in lp (issue #30)
readcb fires before connect eventcb, so we enable it in readcb now. But
perhaps lp should behave like sslproxy and not enable readcb until after
connect eventcb.

Note that there is no problem with sslproxy, it's just lp.
2021-07-17 16:13:50 +03:00
Soner Tari
596aebb2f3 Update version to 0.8.3 and copyright year to 2021 2021-02-11 00:25:09 +03:00
Soner Tari
aded848043 Release v0.8.2 2020-12-15 17:12:50 +03:00
Soner Tari
6c0b981831 Update version to 0.8.1
Update TLS 1.3 documentation.
2020-09-08 14:33:25 +03:00
Soner Tari
6f5a7ceeb1 Add WITHOUT_USERAUTH switch 2020-08-25 23:32:32 +03:00
Soner Tari
ca79405769 Fix doc for MaxSSLProto default as tls13 2020-07-25 11:35:52 +03:00
Soner Tari
af27340889 Add -U CipherSuites option 2020-06-27 23:54:56 +03:00
Soner Tari
fade72ec0d Move main.mk under Mk folder and improve make files 2020-06-23 13:00:05 +03:00
Soner Tari
2f89a27551 Use Testproxy v0.0.3 2020-06-21 13:10:27 +03:00
Soner Tari
8989873332 Add sni assertions to testproxy e2e tests for tls12 and tls13 2020-06-21 12:02:21 +03:00
Soner Tari
1403c4eda1 Fix travis for ssl libs without tls13, add no_tls13 e2e tests 2020-06-20 23:31:32 +03:00
Soner Tari
ee41c72666 Add tls13 support
Add e2e tests for tls13 too
2020-06-20 21:24:53 +03:00
Soner Tari
9da7437919 Release v0.8.0 2020-05-24 00:22:23 +03:00
Soner Tari
826b612c1e Fix build version
Improve documentation
2020-05-21 16:22:32 +03:00
Soner Tari
3fe0e5f1eb Move tmp global opts vars to new tmp struct
The global opts strings in this new tmp struct are used while cloning
global opts into proxyspec opts. A var of this type is passed around as
a flag to indicate if these opts are global (if non-NULL), so should be
stored in that struct and used as such, or proxyspec specific (if NULL),
so should not be used as global. This var is temporary, hence freed
immediately after configuration is complete.
Also improve and clean up.
2020-05-15 19:18:13 +03:00
Soner Tari
e3b0ba94d8 Accept space, tab, cr, and nl chars after POP3 and SMTP commands
POP3 clients may and do append CRLF to commands.
So use the new util_get_first_word_len() function.
2020-05-12 15:48:05 +03:00
Soner Tari
ef2edff60a Improve string comparisons
We need case-insensitive comparison validating POP3 and SMTP commands.
Define macro function to check string equality.
2020-05-12 01:28:41 +03:00
Soner Tari
ac4285cef1 Fix POP3 and SMTP protocol validation, thanks to the new testproxy e2e tests
Add testproxy e2e tests for POP3 and SMTP protocol validation.

We have detected that POP3 and SMTP protocol validation was broken
thanks to these new testproxy e2e tests. This is yet another example why
e2e tests are important.
2020-05-11 17:01:38 +03:00
Soner Tari
313da5cfca Add -A DefaultLeafCert option
Rename LeafCerts to LeafKey, TargetCertDir to LeafCertDir, CRL to
LeafCRLURL
2020-05-09 22:14:50 +03:00
Soner Tari
aba07a53ee Disable conn ids unless debugging
We don't need parent or child ids unless debugging. IDLE and EXPIRED
conn logs do not need to report ids either. Ids are useful only in
detailed debug logs.
2020-05-08 01:11:50 +03:00
Soner Tari
5285b9e433 Fix valgrind REDIR warning about strncpy(), use memcpy() instead
REDIR: 0x562c100 (libc.so.6:__strncpy_ssse3) redirected to 0x4c32fb0
(strncpy)
The src strings are not NULL terminated at the correct positions.
2020-05-07 14:06:09 +03:00
Soner Tari
be80523036 Use the new inline max() function instead of MAX() macro function in sslproxy
Do not pass pxy_thr_print_children() or bufferevent_getfd() to MAX() or
util_max() macro functions as params, or else they are called twice.
Since MAX() macro call duplicates params, do not call it nested either,
or else we get very long macro expansions.
2020-05-07 00:10:42 +03:00
Soner Tari
e63d6dd3aa Remove BEV_OPT_THREADSAFE in lp too
thrmgr and conn handling threads in lp are cleanly decoupled now.
2020-05-06 23:54:50 +03:00
Soner Tari
8a96565d99 Zero out msg buf as in sslsplit
ce5f409dbe
("Zero all bytes when passing file descriptors over AF_UNIX sockets",
2018-11-12)

Also, bufferevent_getfd() returns -1 if no file descriptor is associated
with the bufferevent.
2020-05-06 12:45:55 +03:00
Soner Tari
128838c70f Fix -g flag for lp, use Mk/buildinfo.mk of sslproxy
This is necessary to detect the .git folder at the project root. So
remove Mk/buildinfo.mk of lp.
2020-05-06 02:08:23 +03:00
Soner Tari
3e706ea022 Fix leaks and errors reported by valgrind
Free vars.
Finalize sqlite3 statements.
Close sqlite3 db.
Init memory.
Do not close fd -1.

Some of these may be harmless, but we fix them anyway. Now valgrind
reports 0 "lost" memory, but some "still reachable", both for sslproxy
and lp.
2020-05-06 02:06:08 +03:00
Soner Tari
1d75bfb17f Fix a possible sync issue between thr load and conn children list on error
Refactor and rename functions, struct fields, and vars
Simplify if conditions and fix/improve logs
Clean up
2020-05-05 15:42:41 +03:00
Soner Tari
14cfd3286b Update ctime and first atime on conn handling thr, not on thrmgr
This offloads the thrmgr by saving a time() call.
Also remove an unnecessary NULL assignment.
2020-05-04 21:30:50 +03:00
Soner Tari
71dff82305 Terminate conn on socket connect error
And rename a function.
2020-05-04 21:05:35 +03:00
Soner Tari
18c882ad37 Refactor and rename assign/attach conn to thr functions
And fix comments.
2020-05-04 12:16:03 +03:00
Soner Tari
f069637fda Include errno.h in pxyconn.c too to fix travis issue 2020-05-04 00:21:42 +03:00
Soner Tari
61edeeedb1 Include errno.h, revert log.h to fix travis issue 2020-05-04 00:16:12 +03:00
Soner Tari
906d961168 Fix travis issue due to errno
errno and EMFILE are provided by <unistd.h>, but we need log.h anyway,
which includes logger.h, and which includes <unistd.h> in turn.
2020-05-04 00:05:17 +03:00
Soner Tari
6c5165fa6e Update lp with sslproxy changes and clean up 2020-05-03 23:28:21 +03:00
Soner Tari
05654e3bee Avoid possible crashes caused by passing NULL pointers to str*() functions 2020-04-18 11:28:55 +03:00
Soner Tari
a1f24e26d0 Clean up 2020-04-17 22:14:19 +03:00
Soner Tari
fd3aa5a394 Update lp with sslproxy changes, fix dst events
Enable dst r/w events before socket connect.
Improve verbose debug logs using common header fields to better identify
connections.
Create function macros for fine* debug logs.
2020-04-17 19:36:41 +03:00
Soner Tari
554fd3bd3a Improve code reuse, reduce code, clean up whitespace 2020-04-17 15:31:30 +03:00
Soner Tari
2b702495b0 Remove comixwall.org 2020-04-16 15:33:50 +03:00
Soner Tari
64c0078ecb Update comments about writecb before connected 2020-04-15 22:04:18 +03:00
Soner Tari
a0d74baa43 Update copyright year to 2020 2020-04-14 18:12:16 +03:00
Soner Tari
c3c228d8ce Remove ssl_shutdown_retry_delay and SSLShutdownRetryDelay, not used anymore 2020-04-12 16:05:16 +03:00
Soner Tari
10573a1b7c Copy BSDmakefile to subfolders
So we can individually make clean them
2020-04-12 15:51:41 +03:00
Soner Tari
4503203c1b Remove MEDIUM ciphers
Cipher assertions become useless if we set ciphers to MEDIUM:HIGH, too
many ciphers would be possible
2020-04-05 22:22:36 +03:00
Soner Tari
c2e93dbbc0 Remove NO_TLS10 test case
The problem with LibreSSL 2.7.4 was not that it didn't support tls10,
but that MEDIUM and HIGH cipher definitions were different from the
openssl version of testproxy, hence tests were failing due to no shared
ciphers
2020-04-05 21:52:02 +03:00
Soner Tari
f1c2e9e881 Detect tls protos using output of sslproxy -V
But this is not going to work, because LibreSSL 2.7.4 says it supports
tls10, but SSL handshake fails if testproxy e2e tests for tls10 are
enabled.
2020-04-05 21:43:44 +03:00
Soner Tari
73724bd673 Fix assertions for tls10 tests, TLSv1.0 == SSLv3 2020-04-04 19:11:18 +03:00