mirror of
https://github.com/sonertari/SSLproxy
synced 2024-11-04 12:00:15 +00:00
238 lines
7.1 KiB
C
238 lines
7.1 KiB
C
/*-
|
|
* SSLsplit - transparent SSL/TLS interception
|
|
* https://www.roe.ch/SSLsplit
|
|
*
|
|
* Copyright (c) 2009-2018, Daniel Roethlisberger <daniel@roe.ch>.
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions are met:
|
|
* 1. Redistributions of source code must retain the above copyright notice,
|
|
* this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
* and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include "pxysslshut.h"
|
|
|
|
#include "log.h"
|
|
#include "attrib.h"
|
|
|
|
#include <stdlib.h>
|
|
#include <errno.h>
|
|
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/err.h>
|
|
|
|
|
|
/*
|
|
* Cleanly shut down an SSL socket. Libevent currently has no support for
|
|
* cleanly shutting down an SSL socket so we work around that by using a
|
|
* low-level event. This works for recent versions of OpenSSL. OpenSSL
|
|
* with the older SSL_shutdown() semantics, not exposing WANT_READ/WRITE
|
|
* may or may not work.
|
|
*/
|
|
|
|
/*
|
|
* SSL shutdown context.
|
|
*/
|
|
|
|
typedef struct pxy_ssl_shutdown_ctx {
|
|
opts_t *opts;
|
|
struct event_base *evbase;
|
|
struct event *ev;
|
|
SSL *ssl;
|
|
unsigned int retries;
|
|
} pxy_ssl_shutdown_ctx_t;
|
|
|
|
static pxy_ssl_shutdown_ctx_t *
|
|
pxy_ssl_shutdown_ctx_new(opts_t *opts, struct event_base *evbase, SSL *ssl)
|
|
{
|
|
pxy_ssl_shutdown_ctx_t *ctx;
|
|
|
|
ctx = malloc(sizeof(pxy_ssl_shutdown_ctx_t));
|
|
if (!ctx)
|
|
return NULL;
|
|
ctx->opts = opts;
|
|
ctx->evbase = evbase;
|
|
ctx->ssl = ssl;
|
|
ctx->ev = NULL;
|
|
ctx->retries = 0;
|
|
return ctx;
|
|
}
|
|
|
|
static void
|
|
pxy_ssl_shutdown_ctx_free(pxy_ssl_shutdown_ctx_t *ctx)
|
|
{
|
|
free(ctx);
|
|
}
|
|
|
|
#ifdef DEBUG_PROXY
|
|
char *sslerr_names[] = {
|
|
"SSL_ERROR_WANT_READ",
|
|
"SSL_ERROR_WANT_WRITE",
|
|
"SSL_ERROR_ZERO_RETURN",
|
|
"SSL_ERROR_SYSCALL",
|
|
"SSL_ERROR_SSL",
|
|
"UNKWN"
|
|
};
|
|
|
|
static char *
|
|
pxy_ssl_shutdown_get_sslerr_name(int sslerr)
|
|
{
|
|
if (sslerr == SSL_ERROR_WANT_READ) {
|
|
return sslerr_names[0];
|
|
} else if (sslerr == SSL_ERROR_WANT_WRITE) {
|
|
return sslerr_names[1];
|
|
} else if (sslerr == SSL_ERROR_ZERO_RETURN) {
|
|
return sslerr_names[2];
|
|
} else if (sslerr == SSL_ERROR_SYSCALL) {
|
|
return sslerr_names[3];
|
|
} else if (sslerr == SSL_ERROR_SSL) {
|
|
return sslerr_names[4];
|
|
} else {
|
|
return sslerr_names[5];
|
|
}
|
|
}
|
|
#endif /* DEBUG_PROXY */
|
|
|
|
/*
|
|
* The shutdown socket event handler. This is either
|
|
* scheduled as a timeout-only event, or as a fd read or
|
|
* fd write event, depending on whether SSL_shutdown()
|
|
* indicates it needs read or write on the socket.
|
|
*/
|
|
static void
|
|
pxy_ssl_shutdown_cb(evutil_socket_t fd, UNUSED short what, void *arg)
|
|
{
|
|
pxy_ssl_shutdown_ctx_t *ctx = arg;
|
|
// @attention Increasing the delay to 500 or more fixes some ssl shutdown failures, they report SSL_ERROR_WANT_READ before eventually succeeding
|
|
// @todo Can/should we set an adaptive delay per conn here? Does it matter?
|
|
struct timeval retry_delay = {0, 100};
|
|
short want = 0;
|
|
int rv, sslerr;
|
|
|
|
if (ctx->ev) {
|
|
event_free(ctx->ev);
|
|
ctx->ev = NULL;
|
|
}
|
|
|
|
/*
|
|
* Use the new (post-2008) semantics for SSL_shutdown() on a
|
|
* non-blocking socket. SSL_shutdown() returns -1 and WANT_READ
|
|
* if the other end's close notify was not received yet, and
|
|
* WANT_WRITE it could not write our own close notify.
|
|
*
|
|
* This is a good collection of recent and relevant documents:
|
|
* http://bugs.python.org/issue8108
|
|
*/
|
|
rv = SSL_shutdown(ctx->ssl);
|
|
if (rv == 1)
|
|
goto complete;
|
|
if (rv != -1) {
|
|
goto retry;
|
|
}
|
|
|
|
sslerr = SSL_get_error(ctx->ssl, rv);
|
|
#ifdef DEBUG_PROXY
|
|
log_dbg_level_printf(LOG_DBG_MODE_FINEST, "pxy_ssl_shutdown_cb: %s, retries=%d, fd=%d\n", pxy_ssl_shutdown_get_sslerr_name(sslerr), ctx->retries, fd);
|
|
#endif /* DEBUG_PROXY */
|
|
switch (sslerr) {
|
|
case SSL_ERROR_WANT_READ:
|
|
want = EV_READ;
|
|
goto retry;
|
|
case SSL_ERROR_WANT_WRITE:
|
|
want = EV_WRITE;
|
|
goto retry;
|
|
case SSL_ERROR_ZERO_RETURN:
|
|
goto retry;
|
|
case SSL_ERROR_SYSCALL:
|
|
case SSL_ERROR_SSL:
|
|
goto complete;
|
|
default:
|
|
log_err_level_printf(LOG_CRIT, "Unhandled SSL_shutdown() error %i. Closing fd\n", sslerr);
|
|
#ifdef DEBUG_PROXY
|
|
log_dbg_level_printf(LOG_DBG_MODE_FINER, "Unhandled SSL_shutdown() error %i. Closing fd, fd=%d\n", sslerr, fd);
|
|
#endif /* DEBUG_PROXY */
|
|
goto complete;
|
|
}
|
|
goto complete;
|
|
|
|
retry:
|
|
if (ctx->retries++ >= 50) {
|
|
log_err_level_printf(LOG_WARNING, "Failed to shutdown SSL connection cleanly: Max retries reached. Closing fd\n");
|
|
#ifdef DEBUG_PROXY
|
|
log_dbg_level_printf(LOG_DBG_MODE_FINER, "WARNING: Failed to shutdown SSL connection cleanly: Max retries reached. Closing fd, fd=%d\n", fd);
|
|
#endif /* DEBUG_PROXY */
|
|
goto complete;
|
|
}
|
|
ctx->ev = event_new(ctx->evbase, fd, want, pxy_ssl_shutdown_cb, ctx);
|
|
if (ctx->ev) {
|
|
event_add(ctx->ev, &retry_delay);
|
|
return;
|
|
}
|
|
log_err_printf("Failed to shutdown SSL connection cleanly: Cannot create event. Closing fd\n");
|
|
#ifdef DEBUG_PROXY
|
|
log_dbg_level_printf(LOG_DBG_MODE_FINER, "ERROR: Failed to shutdown SSL connection cleanly: Cannot create event. Closing fd, fd=%d\n", fd);
|
|
#endif /* DEBUG_PROXY */
|
|
|
|
complete:
|
|
if (OPTS_DEBUG(ctx->opts)) {
|
|
char *msg;
|
|
if (asprintf(&msg, "pxy_ssl_shutdown_cb: fd=%d, SSL_free() in state ", fd) != -1) {
|
|
log_dbg_print_free(ssl_ssl_state_to_str(ctx->ssl, msg));
|
|
free(msg);
|
|
}
|
|
}
|
|
SSL_free(ctx->ssl);
|
|
evutil_closesocket(fd);
|
|
pxy_ssl_shutdown_ctx_free(ctx);
|
|
}
|
|
|
|
/*
|
|
* Cleanly shutdown an SSL session on file descriptor fd using low-level
|
|
* file descriptor readiness events on event base evbase.
|
|
* Guarantees that SSL and the corresponding SSL_CTX are freed and the
|
|
* socket is closed, eventually, or in the case of fatal errors, immediately.
|
|
*/
|
|
void
|
|
pxy_ssl_shutdown(opts_t *opts, struct event_base *evbase, SSL *ssl,
|
|
evutil_socket_t fd)
|
|
{
|
|
#ifdef DEBUG_PROXY
|
|
log_dbg_level_printf(LOG_DBG_MODE_FINEST, "pxy_ssl_shutdown: ENTER fd=%d\n", fd);
|
|
#endif /* DEBUG_PROXY */
|
|
|
|
pxy_ssl_shutdown_ctx_t *sslshutctx;
|
|
|
|
sslshutctx = pxy_ssl_shutdown_ctx_new(opts, evbase, ssl);
|
|
if (!sslshutctx) {
|
|
if (OPTS_DEBUG(opts)) {
|
|
char *msg;
|
|
if (asprintf(&msg, "pxy_ssl_shutdown: fd=%d, SSL_free() in state ", fd) != -1) {
|
|
log_dbg_print_free(ssl_ssl_state_to_str(ssl, msg));
|
|
free(msg);
|
|
}
|
|
}
|
|
SSL_free(ssl);
|
|
evutil_closesocket(fd);
|
|
return;
|
|
}
|
|
pxy_ssl_shutdown_cb(fd, 0, sslshutctx);
|
|
}
|
|
|
|
/* vim: set noet ft=c: */
|