Support all command line options in the conf file as well

Update with the latest sslsplit-devel changes
pull/13/head
Soner Tari 6 years ago
parent 48aeb3945b
commit 27650fab69

@ -21,6 +21,7 @@ patches or pull requests, in chronological order of their first contribution:
- Petr Vaněk ([arkamar](https://github.com/arkamar))
- Hilko Bengen ([hillu](https://github.com/hillu))
- Philip Duldig ([pduldig-at-tw](https://github.com/pduldig-at-tw))
- Levente Polyak ([anthraxx](https://github.com/anthraxx))
Many more individuals have contributed by reporting bugs or feature requests.
See [issue tracker on Github][1], `NEWS.md` and `git log` for details.

@ -176,6 +176,7 @@ GREP?= grep
INSTALL?= install
MKDIR?= mkdir
SED?= sed
SORT?= sort
### Variables only used for developer targets
@ -357,7 +358,7 @@ export WGET
ifndef MAKE_RESTARTS
$(info ------------------------------------------------------------------------------)
$(info $(PNAME) $(VERSION))
$(info $(PKGLABEL) $(VERSION))
$(info ------------------------------------------------------------------------------)
$(info Report bugs at https://github.com/sonertari/SSLproxy/issues/new)
$(info Please supply this header for diagnostics when reporting build issues)
@ -375,6 +376,7 @@ ifdef CHECK_FOUND
$(info CHECK_BASE: $(strip $(CHECK_FOUND)))
endif
$(info Build options: $(FEATURES))
$(info Build info: $(BUILD_INFO))
ifeq ($(shell uname),Darwin)
$(info OSX_VERSION: $(OSX_VERSION))
$(info XNU_VERSION: $(XNU_VERSION) ($(XNU_METHOD), have $(XNU_HAVE)))
@ -426,7 +428,7 @@ install: $(TARGET)
test -d $(DESTDIR)$(PREFIX)/$(MANDIR)/man5 || \
$(MKDIR) -p $(DESTDIR)$(PREFIX)/$(MANDIR)/man5
test -d $(DESTDIR)$(PREFIX)/$(EXAMPLESDIR)/sslproxy || \
$(MKDIR) -p $(DESTDIR)$(PREFIX)/$(EXAMPLESDIR)/sslproxy
$(MKDIR) -p $(DESTDIR)$(PREFIX)/$(EXAMPLESDIR)/$(TARGET)
$(INSTALL) $(BINOWNERFLAGS) -m $(BINMODE) \
$(TARGET) $(DESTDIR)$(PREFIX)/bin/
$(INSTALL) $(MANOWNERFLAGS) -m $(MANMODE) \
@ -434,12 +436,12 @@ install: $(TARGET)
$(INSTALL) $(MANOWNERFLAGS) -m $(MANMODE) \
$(TARGET).conf.5 $(DESTDIR)$(PREFIX)/$(MANDIR)/man5/
$(INSTALL) $(MANOWNERFLAGS) -m $(EXAMPLESMODE) \
$(TARGET).conf $(DESTDIR)$(PREFIX)/$(EXAMPLESDIR)/sslproxy/
$(TARGET).conf $(DESTDIR)$(PREFIX)/$(EXAMPLESDIR)/$(TARGET)/
deinstall:
$(RM) -f $(DESTDIR)$(PREFIX)/bin/$(TARGET) $(DESTDIR)$(PREFIX)/$(MANDIR)/man1/$(TARGET).1 \
$(DESTDIR)$(PREFIX)/$(MANDIR)/man5/$(TARGET).conf.5
$(RM) -rf $(DESTDIR)$(PREFIX)/$(EXAMPLESDIR)/sslproxy/
$(RM) -rf $(DESTDIR)$(PREFIX)/$(EXAMPLESDIR)/$(TARGET)/
ifdef GITDIR
lint:
@ -481,9 +483,12 @@ dist: $(PKGNAME)-$(VERSION).tar.bz2 $(PKGNAME)-$(VERSION).tar.bz2.asc
$(PKGNAME)-$(VERSION).tar.bz2:
$(MKDIR) -p $(PKGNAME)-$(VERSION)
echo $(VERSION) >$(PKGNAME)-$(VERSION)/VERSION
$(OPENSSL) dgst -sha1 -r *.[hc] | $(SORT) -k 2 \
>$(PKGNAME)-$(VERSION)/HASHES
$(GIT) archive --prefix=$(PKGNAME)-$(VERSION)/ HEAD \
>$(PKGNAME)-$(VERSION).tar
$(TAR) -f $(PKGNAME)-$(VERSION).tar -r $(PKGNAME)-$(VERSION)/VERSION
$(TAR) -f $(PKGNAME)-$(VERSION).tar -r $(PKGNAME)-$(VERSION)/HASHES
$(BZIP2) <$(PKGNAME)-$(VERSION).tar >$(PKGNAME)-$(VERSION).tar.bz2
$(RM) $(PKGNAME)-$(VERSION).tar
$(RM) -r $(PKGNAME)-$(VERSION)
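Review bot: The new `HASHES` manifest written by the dist target is produced with `$(OPENSSL) dgst -sha1 -r *.[hc]`; while it only feeds the HDIFF dirty-tree count in Mk/buildinfo.mk that is harmless, but a file shipped in the release tarball under that name will be read as an integrity manifest sooner or later, and SHA-1 is not collision resistant. `dgst -sha256 -r` emits the same `hash *file` layout, so `$(SORT) -k 2` and the consumer need no other change. Whichever digest is chosen has to be the same here and in the `dgst` pipeline that recomputes the hashes in Mk/buildinfo.mk, otherwise HDIFF reports every source file as changed.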

@ -1,26 +1,41 @@
# in: PKGNAME
# in: FEATURES (optional)
# in: BUILD_INFO (optional)
# in: OPENSSL (optional)
# in: OPENSSL_FOUND (optional)
ifndef PKGNAME
$(error PKGNAME not defined)
endif
ifndef OPENSSL
ifdef OPENSSL_FOUND
OPENSSL= $(OPENSSL_FOUND)/bin/openssl
else
OPENSSL= openssl
endif
endif
BASENAME?= basename
CUT?= cut
DATE?= date
DIFF?= diff
GIT?= git
GREP?= grep
OPENSSL?= openssl
RM?= rm
SED?= sed
SORT?= sort
TR?= tr
WC?= wc
GITDIR:= $(wildcard .git)
VERSION_FILE:= $(wildcard VERSION)
HASHES_FILE:= $(wildcard HASHES)
NEWS_FILE:= $(firstword $(wildcard NEWS*))
ifdef GITDIR
BUILD_VERSION:= $(shell $(GIT) describe --tags --dirty --always)
BUILD_INFO+= V:GIT
GITDIR:=
else
ifdef VERSION_FILE
BUILD_VERSION:= $(shell $(CAT) VERSION)
@ -31,6 +46,13 @@ BUILD_VERSION:= $(shell $(BASENAME) $(PWD)|\
$(SED) 's/.*$(PKGNAME)-\(.*\)/\1/g')
BUILD_INFO+= V:DIR
endif
ifdef HASHES_FILE
BUILD_INFO+= HDIFF:$(shell $(OPENSSL) dgst -sha1 -r *.[hc]|\
$(SORT) -k 2 >HASHES~;\
$(DIFF) -u HASHES HASHES~|\
$(GREP) '^-[^-]'|$(WC) -l|$(TR) -d ' ';\
$(RM) HASHES~)
endif
ifdef NEWS_FILE
NEWS_SHA:= $(shell $(OPENSSL) dgst -sha1 -r $(NEWS_FILE) |\
$(CUT) -c -7)
@ -38,7 +60,14 @@ BUILD_INFO+= N:$(NEWS_SHA)
endif
endif # GITDIR
ifdef SOURCE_DATE_EPOCH
BUILD_DATE:= $(shell \
$(DATE) -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null||\
$(DATE) -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null||\
$(DATE) -u "+%Y-%m-%d")
else
BUILD_DATE:= $(shell date +%Y-%m-%d)
endif
BUILD_CPPFLAGS+=-D"BUILD_PKGNAME=\"$(PKGNAME)\"" \
-D"BUILD_VERSION=\"$(BUILD_VERSION)\"" \
-D"BUILD_DATE=\"$(BUILD_DATE)\"" \
@ -48,6 +77,7 @@ BUILD_CPPFLAGS+=-D"BUILD_PKGNAME=\"$(PKGNAME)\"" \
# out: NEWS_FILE
# out: NEWS_SHA
# out: VERSION_FILE
# out: GITDIR
# out: BUILD_VERSION
# out: BUILD_DATE
# out: BUILD_INFO
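Review bot: The HDIFF computation under `ifdef HASHES_FILE` runs at parse time on every make invocation (including `make clean`) and writes a fixed-name scratch file `HASHES~` into the source tree, so two concurrent makes in one checkout race on it and an interrupted pipeline leaves it behind; piping `$(SORT) -k 2 |$(DIFF) -u HASHES -|` avoids the file and the trailing `$(RM)` entirely. If the `ifndef OPENSSL` block and `OPENSSL?= openssl` are both on the new side, the latter is dead, since the block guarantees OPENSSL is set before it is reached. The `-sha1` used here must stay in step with the digest the GNUmakefile dist target uses to generate HASHES.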

@ -1,6 +1,10 @@
### SSLsplit develop
- Respect `SOURCE_DATE_EPOCH` for reproducible builds (pull req #192 by
@anthraxx).
- Sign using SHA-256 instead of SHA-1 when key type of server and key type
of used CA certificate differ (issue #189).
- Fix build with OpenSSL 1.1.1 (pull req #186 by @sonertari, issue #183).
- Fix build on FreeBSD 12 (patch-proc.c r436571 from FreeBSD ports).
- Minor bugfixes and improvements.

640
main.c

@ -63,8 +63,6 @@
extern int daemon(int, int);
#endif /* __APPLE__ */
int descriptor_table_size = 0;
/*
* Print version information to stderr.
*/
@ -129,6 +127,7 @@ main_usage(void)
const char *dflt, *warn;
const char *usagefmt =
"Usage: %s [options...] [proxyspecs...]\n"
" -f conffile use conffile to load configuration from\n"
" -c pemfile use CA cert (and key) from pemfile to sign forged certs\n"
" -k pemfile use CA key (and cert) from pemfile to sign forged certs\n"
" -C pemfile use CA chain from pemfile (intermediate and root CA certs)\n"
@ -275,373 +274,6 @@ main_loadtgcrt(const char *filename, void *arg)
return 0;
}
/*
* Handle out of memory conditions in early stages of main().
* Print error message and exit with failure status code.
* Does not return.
*/
void NORET
oom_die(const char *argv0)
{
fprintf(stderr, "%s: out of memory\n", argv0);
exit(EXIT_FAILURE);
}
static void
set_cacrt(opts_t *opts, const char *argv0, char *optarg)
{
if (opts->cacrt)
X509_free(opts->cacrt);
opts->cacrt = ssl_x509_load(optarg);
if (!opts->cacrt) {
fprintf(stderr, "%s: error loading CA "
"cert from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n",
strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
ssl_x509_refcount_inc(opts->cacrt);
sk_X509_insert(opts->chain, opts->cacrt, 0);
if (!opts->cakey) {
opts->cakey = ssl_key_load(optarg);
}
#ifndef OPENSSL_NO_DH
if (!opts->dh) {
opts->dh = ssl_dh_load(optarg);
}
#endif /* !OPENSSL_NO_DH */
fprintf(stderr, "CACrt: %s\n", optarg);
}
static void
set_cakey(opts_t *opts, const char *argv0, char *optarg)
{
if (opts->cakey)
EVP_PKEY_free(opts->cakey);
opts->cakey = ssl_key_load(optarg);
if (!opts->cakey) {
fprintf(stderr, "%s: error loading CA "
"key from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n",
strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
if (!opts->cacrt) {
opts->cacrt = ssl_x509_load(optarg);
if (opts->cacrt) {
ssl_x509_refcount_inc(
opts->cacrt);
sk_X509_insert(opts->chain,
opts->cacrt, 0);
}
}
#ifndef OPENSSL_NO_DH
if (!opts->dh) {
opts->dh = ssl_dh_load(optarg);
}
#endif /* !OPENSSL_NO_DH */
fprintf(stderr, "CAKey: %s\n", optarg);
}
static void
set_user(opts_t *opts, const char *argv0, char *optarg)
{
if (!sys_isuser(optarg)) {
fprintf(stderr, "%s: '%s' is not an "
"existing user\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
if (opts->dropuser)
free(opts->dropuser);
opts->dropuser = strdup(optarg);
if (!opts->dropuser)
oom_die(argv0);
fprintf(stderr, "User: %s\n", opts->dropuser);
}
static void
set_group(opts_t *opts, const char *argv0, char *optarg)
{
if (!sys_isgroup(optarg)) {
fprintf(stderr, "%s: '%s' is not an "
"existing group\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
if (opts->dropgroup)
free(opts->dropgroup);
opts->dropgroup = strdup(optarg);
if (!opts->dropgroup)
oom_die(argv0);
fprintf(stderr, "Group: %s\n", opts->dropgroup);
}
static void
set_pidfile(opts_t *opts, const char *argv0, char *optarg)
{
if (opts->pidfile)
free(opts->pidfile);
opts->pidfile = strdup(optarg);
if (!opts->pidfile)
oom_die(argv0);
fprintf(stderr, "PidFile: %s\n", opts->pidfile);
}
static void
set_ciphers(opts_t *opts, const char *argv0, char *optarg)
{
if (opts->ciphers)
free(opts->ciphers);
opts->ciphers = strdup(optarg);
if (!opts->ciphers)
oom_die(argv0);
fprintf(stderr, "Ciphers: %s\n", opts->ciphers);
}
static int
load_conffile(opts_t *opts, const char *argv0, const char *natengine)
{
FILE *f;
int rv, line_num, found;
size_t line_len;
char *n, *value, *v, *value_end;
char *line, *name;
f = fopen(opts->conffile, "r");
if (!f) {
fprintf(stderr, "Error opening conf file %s: %s\n", opts->conffile, strerror(errno));
return -1;
}
line = NULL;
line_num = 0;
while (!feof(f)) {
rv = getline(&line, &line_len, f);
if (rv == -1) {
break;
}
if (line == NULL) {
fprintf(stderr, "getline() buf=NULL");
return -1;
}
line_num++;
// skip white space
for (name = line; *name == ' ' || *name == '\t'; name++);
// skip comments and empty lines
if ((name[0] == '\0') || (name[0] == '#') || (name[0] == ';') ||
(name[0] == '\r') || (name[0] == '\n')) {
continue;
}
// skip to the end of option name and terminate it with '\0'
for (n = name;; n++) {
if (*n == ' ' || *n == '\t') {
*n = '\0';
n++;
break;
}
if (*n == '\0') {
n = NULL;
break;
}
}
// no value
if (n == NULL) {
fprintf(stderr, "Conf error at line %d\n", line_num);
fclose(f);
if (line) {
free(line);
}
return -1;
}
// skip white space before value
while (*n == ' ' || *n == '\t') {
n++;
}
value = n;
// find end of value and terminate it with '\0'
// find first occurrence of trailing white space
value_end = NULL;
for (v = value;; v++) {
if (*v == '\0') {
break;
}
if (*v == '\r' || *v == '\n') {
*v = '\0';
break;
}
if (*v == ' ' || *v == '\t') {
if (!value_end) {
value_end = v;
}
} else {
value_end = NULL;
}
}
if (value_end) {
*value_end = '\0';
}
found = 0;
if (!strncasecmp(name, "CACert", 6)) {
set_cacrt(opts, argv0, value);
found = 1;
} else if (!strncasecmp(name, "CAKey", 5)) {
set_cakey(opts, argv0, value);
found = 1;
} else if (!strncasecmp(name, "ProxySpec", 9)) {
char **argv = malloc(strlen(value) + 1);
char **save_argv = argv;
int argc = 0;
char *p, *last;
for ((p = strtok_r(value, " ", &last)); p; (p = strtok_r(NULL, " ", &last))) {
// Limit max # token
if (argc < 10) {
argv[argc++] = p;
}
}
proxyspec_parse(&argc, &argv, natengine, opts);
free(save_argv);
found = 1;
} else if (!strncasecmp(name, "ConnIdleTimeout", 15)) {
unsigned int rv = atoi(value);
if (rv >= 10 && rv <= 3600) {
opts->conn_idle_timeout = rv;
} else {
fprintf(stderr, "Invalid ConnIdleTimeout %s at line %d, use 10-3600\n", value, line_num);
}
fprintf(stderr, "ConnIdleTimeout: %u\n", opts->conn_idle_timeout);
found = 1;
} else if (!strncasecmp(name, "ExpiredConnCheckPeriod", 22)) {
unsigned int rv = atoi(value);
if (rv >= 10 && rv <= 60) {
opts->expired_conn_check_period = rv;
} else {
fprintf(stderr, "Invalid ExpiredConnCheckPeriod %s at line %d, use 10-60\n", value, line_num);
}
fprintf(stderr, "ExpiredConnCheckPeriod: %u\n", opts->expired_conn_check_period);
found = 1;
} else if (!strncasecmp(name, "SSLShutdownRetryDelay", 21)) {
unsigned int rv = atoi(value);
if (rv >= 100 && rv <= 10000) {
opts->ssl_shutdown_retry_delay = rv;
} else {
fprintf(stderr, "Invalid SSLShutdownRetryDelay %s at line %d, use 100-10000\n", value, line_num);
}
fprintf(stderr, "SSLShutdownRetryDelay: %u\n", opts->ssl_shutdown_retry_delay);
found = 1;
} else if (!strncasecmp(name, "PidFile", 7)) {
set_pidfile(opts, argv0, value);
found = 1;
} else if (!strncasecmp(name, "LogStats", 8)) {
if (!strncasecmp(value, "yes", 3)) {
opts->statslog = 1;
} else if (!strncasecmp(value, "no", 3)) {
opts->statslog = 0;
} else {
fprintf(stderr, "Invalid LogStats %s at line %d, use yes|no\n", value, line_num);
}
fprintf(stderr, "LogStats: %u\n", opts->statslog);
found = 1;
} else if (!strncasecmp(name, "StatsPeriod", 11)) {
unsigned int rv = atoi(value);
if (rv >= 1 && rv <= 10) {
opts->stats_period = rv;
} else {
fprintf(stderr, "Invalid StatsPeriod %s at line %d, use 1-10\n", value, line_num);
}
fprintf(stderr, "StatsPeriod: %u\n", opts->stats_period);
found = 1;
} else if (!strncasecmp(name, "User", 4)) {
set_user(opts, argv0, value);
found = 1;
} else if (!strncasecmp(name, "Group", 5)) {
set_group(opts, argv0, value);
found = 1;
} else if (!strncasecmp(name, "RemoveHTTPAcceptEncoding", 24)) {
if (!strncasecmp(value, "yes", 3)) {
opts->remove_http_accept_encoding = 1;
} else if (!strncasecmp(value, "no", 3)) {
opts->remove_http_accept_encoding = 0;
} else {
fprintf(stderr, "Invalid RemoveHTTPAcceptEncoding %s at line %d, use yes|no\n", value, line_num);
}
fprintf(stderr, "RemoveHTTPAcceptEncoding: %u\n", opts->remove_http_accept_encoding);
found = 1;
} else if (!strncasecmp(name, "RemoveHTTPReferer", 17)) {
if (!strncasecmp(value, "yes", 3)) {
opts->remove_http_referer = 1;
} else if (!strncasecmp(value, "no", 3)) {
opts->remove_http_referer = 0;
} else {
fprintf(stderr, "Invalid RemoveHTTPReferer %s at line %d, use yes|no\n", value, line_num);
}
fprintf(stderr, "RemoveHTTPReferer: %u\n", opts->remove_http_referer);
found = 1;
} else if (!strncasecmp(name, "VerifyPeer", 10)) {
if (!strncasecmp(value, "yes", 3)) {
opts->verify_peer = 1;
} else if (!strncasecmp(value, "no", 3)) {
opts->verify_peer = 0;
} else {
fprintf(stderr, "Invalid VerifyPeer %s at line %d, use yes|no\n", value, line_num);
}
fprintf(stderr, "VerifyPeer: %u\n", opts->verify_peer);
found = 1;
} else if (!strncasecmp(name, "AllowWrongHost", 14)) {
if (!strncasecmp(value, "yes", 3)) {
opts->allow_wrong_host = 1;
} else if (!strncasecmp(value, "no", 3)) {
opts->allow_wrong_host = 0;
} else {
fprintf(stderr, "Invalid AllowWrongHost %s at line %d, use yes|no\n", value, line_num);
}
fprintf(stderr, "AllowWrongHost: %u\n", opts->allow_wrong_host);
found = 1;
} else if (!strncasecmp(name, "Ciphers", 7)) {
set_ciphers(opts, argv0, value);
found = 1;
}
if (found) {
continue;
}
fprintf(stderr, "Unknown option '%s' at %s line %d\n", name, opts->conffile, line_num);
fclose(f);
if (line) {
free(line);
}
return -1;
}
fclose(f);
if (line) {
free(line);
}
return 0;
}
/*
* Main entry point.
*/
@ -677,7 +309,7 @@ main(int argc, char *argv[])
opts->allow_wrong_host = 0;
while ((ch = getopt(argc, argv, OPT_g OPT_G OPT_Z OPT_i "k:c:C:K:t:"
"OPs:r:R:e:Eu:m:j:p:l:L:S:F:M:dD::VhW:w:If:q:")) != -1) {
"OPs:r:R:e:Eu:m:j:p:l:L:S:F:M:dD::VhW:w:q:f:I")) != -1) {
switch (ch) {
case 'f':
if (opts->conffile)
@ -688,126 +320,58 @@ main(int argc, char *argv[])
fprintf(stderr, "Conf file: %s\n", opts->conffile);
break;
case 'c':
set_cacrt(opts, argv0, optarg);
opts_set_cacrt(opts, argv0, optarg);
break;
case 'k':
set_cakey(opts, argv0, optarg);
opts_set_cakey(opts, argv0, optarg);
break;
case 'C':
if (ssl_x509chain_load(NULL, &opts->chain,
optarg) == -1) {
fprintf(stderr, "%s: error loading "
"chain from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n",
strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
opts_set_chain(opts, argv0, optarg);
break;
case 'K':
if (opts->key)
EVP_PKEY_free(opts->key);
opts->key = ssl_key_load(optarg);
if (!opts->key) {
fprintf(stderr, "%s: error loading lea"
"f key from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n",
strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
#ifndef OPENSSL_NO_DH
if (!opts->dh) {
opts->dh = ssl_dh_load(optarg);
}
#endif /* !OPENSSL_NO_DH */
opts_set_key(opts, argv0, optarg);
break;
case 't':
if (!sys_isdir(optarg)) {
fprintf(stderr, "%s: '%s' is not a "
"directory\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
if (opts->tgcrtdir)
free(opts->tgcrtdir);
opts->tgcrtdir = strdup(optarg);
if (!opts->tgcrtdir)
oom_die(argv0);
opts_set_tgcrtdir(opts, argv0, optarg);
break;
case 'q':
if (opts->crlurl)
free(opts->crlurl);
opts->crlurl = strdup(optarg);
opts_set_crl(opts, optarg);
break;
case 'O':
opts->deny_ocsp = 1;
opts_set_deny_ocsp(opts);
break;
case 'P':
opts->passthrough = 1;
opts_set_passthrough(opts);
break;
#ifndef OPENSSL_NO_DH
case 'g':
if (opts->dh)
DH_free(opts->dh);
opts->dh = ssl_dh_load(optarg);
if (!opts->dh) {
fprintf(stderr, "%s: error loading DH "
"params from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n",
strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
opts_set_dh(opts, argv0, optarg);
break;
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
case 'G':
{
EC_KEY *ec;
if (opts->ecdhcurve)
free(opts->ecdhcurve);
if (!(ec = ssl_ec_by_name(optarg))) {
fprintf(stderr, "%s: unknown curve "
"'%s'\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
EC_KEY_free(ec);
opts->ecdhcurve = strdup(optarg);
if (!opts->ecdhcurve)
oom_die(argv0);
opts_set_ecdhcurve(opts, argv0, optarg);
break;
}
#endif /* !OPENSSL_NO_ECDH */
#ifdef SSL_OP_NO_COMPRESSION
case 'Z':
opts->sslcomp = 0;
opts_unset_sslcomp(opts);
break;
#endif /* SSL_OP_NO_COMPRESSION */
case 's':
set_ciphers(opts, argv0, optarg);
opts_set_ciphers(opts, argv0, optarg);
break;
case 'r':
opts_proto_force(opts, optarg, argv0);
opts_force_proto(opts, argv0, optarg);
break;
case 'R':
opts_proto_disable(opts, optarg, argv0);
opts_disable_proto(opts, argv0, optarg);
break;
case 'e':
free(natengine);
if (natengine)
free(natengine);
natengine = strdup(optarg);
if (!natengine)
oom_die(argv0);
@ -817,186 +381,54 @@ main(int argc, char *argv[])
exit(EXIT_SUCCESS);
break;
case 'u':
set_user(opts, argv0, optarg);
opts_set_user(opts, argv0, optarg);
break;
case 'm':
set_group(opts, argv0, optarg);
opts_set_group(opts, argv0, optarg);
break;
case 'p':
set_pidfile(opts, argv0, optarg);
opts_set_pidfile(opts, argv0, optarg);
break;
case 'j':
if (!sys_isdir(optarg)) {
fprintf(stderr, "%s: '%s' is not a "
"directory\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
if (opts->jaildir)
free(opts->jaildir);
opts->jaildir = realpath(optarg, NULL);
if (!opts->jaildir) {
fprintf(stderr, "%s: Failed to "
"canonicalize '%s': "
"%s (%i)\n",
argv0, optarg,
strerror(errno), errno);
exit(EXIT_FAILURE);
}
opts_set_jaildir(opts, argv0, optarg);
break;
case 'l':
if (opts->connectlog)
free(opts->connectlog);
opts->connectlog = strdup(optarg);
if (!opts->connectlog)
oom_die(argv0);
opts_set_connectlog(opts, argv0, optarg);
break;
case 'I':
opts->statslog = 1;
opts_set_statslog(opts);
break;
case 'L':
if (opts->contentlog)
free(opts->contentlog);
opts->contentlog = strdup(optarg);
if (!opts->contentlog)
oom_die(argv0);
opts->contentlog_isdir = 0;
opts->contentlog_isspec = 0;
opts_set_contentlog(opts, argv0, optarg);
break;
case 'S':
if (!sys_isdir(optarg)) {
fprintf(stderr, "%s: '%s' is not a "
"directory\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
if (opts->contentlog)
free(opts->contentlog);
opts->contentlog = realpath(optarg, NULL);
if (!opts->contentlog) {
fprintf(stderr, "%s: Failed to "
"canonicalize '%s': "
"%s (%i)\n",
argv0, optarg,
strerror(errno), errno);
exit(EXIT_FAILURE);
}
opts->contentlog_isdir = 1;
opts->contentlog_isspec = 0;
opts_set_contentlogdir(opts, argv0, optarg);
break;
case 'F': {
char *lhs, *rhs, *p, *q;
size_t n;
if (opts->contentlog_basedir)
free(opts->contentlog_basedir);
if (opts->contentlog)
free(opts->contentlog);
if (log_content_split_pathspec(optarg, &lhs,
&rhs) == -1) {
fprintf(stderr, "%s: Failed to split "
"'%s' in lhs/rhs: "
"%s (%i)\n",
argv0, optarg,
strerror(errno), errno);
exit(EXIT_FAILURE);
}
/* eliminate %% from lhs */
for (p = q = lhs; *p; p++, q++) {
if (q < p)
*q = *p;
if (*p == '%' && *(p+1) == '%')
p++;
}
*q = '\0';
/* all %% in lhs resolved to % */
if (sys_mkpath(lhs, 0777) == -1) {
fprintf(stderr, "%s: Failed to create "
"'%s': %s (%i)\n",
argv0, lhs,
strerror(errno), errno);
exit(EXIT_FAILURE);
}
opts->contentlog_basedir = realpath(lhs, NULL);
if (!opts->contentlog_basedir) {
fprintf(stderr, "%s: Failed to "
"canonicalize '%s': "
"%s (%i)\n",
argv0, lhs,
strerror(errno), errno);
exit(EXIT_FAILURE);
}
/* count '%' in opts->contentlog_basedir */
for (n = 0, p = opts->contentlog_basedir;
*p;
p++) {
if (*p == '%')
n++;
}
free(lhs);
n += strlen(opts->contentlog_basedir);
if (!(lhs = malloc(n + 1)))
oom_die(argv0);
/* re-encoding % to %%, copying basedir to lhs */
for (p = opts->contentlog_basedir, q = lhs;
*p;
p++, q++) {
*q = *p;
if (*q == '%')
*(++q) = '%';
}
*q = '\0';
/* lhs contains encoded realpathed basedir */
if (asprintf(&opts->contentlog,
"%s/%s", lhs, rhs) < 0)
oom_die(argv0);
opts->contentlog_isdir = 0;
opts->contentlog_isspec = 1;
free(lhs);
free(rhs);
opts_set_contentlogpathspec(opts, argv0, optarg);
break;
case 'W':
opts->certgen_writeall = 1;
if (opts->certgendir)
free(opts->certgendir);
opts->certgendir = strdup(optarg);
if (!opts->certgendir)
oom_die(argv0);
opts_set_certgendir_writeall(opts, argv0, optarg);
break;
case 'w':
opts->certgen_writeall = 0;
if (opts->certgendir)
free(opts->certgendir);
opts->certgendir = strdup(optarg);
if (!opts->certgendir)
oom_die(argv0);
opts_set_certgendir_writegencerts(opts, argv0, optarg);
break;
}
#ifdef HAVE_LOCAL_PROCINFO
case 'i':
opts->lprocinfo = 1;
opts_set_lprocinfo(opts);
break;
#endif /* HAVE_LOCAL_PROCINFO */
case 'M':
if (opts->masterkeylog)
free(opts->masterkeylog);
opts->masterkeylog = strdup(optarg);
if (!opts->masterkeylog)
oom_die(argv0);
opts_set_masterkeylog(opts, argv0, optarg);
break;
case 'd':
opts->detach = 1;
opts_set_daemon(opts);
break;
case 'D':
opts->debug = 1;
if (optarg && strncmp(optarg, "2", 1) == 0) {
log_dbg_mode(LOG_DBG_MODE_FINE);
} else if (optarg && strncmp(optarg, "3", 1) == 0) {
log_dbg_mode(LOG_DBG_MODE_FINER);
} else if (optarg && strncmp(optarg, "4", 1) == 0) {
log_dbg_mode(LOG_DBG_MODE_FINEST);
} else {
log_dbg_mode(LOG_DBG_MODE_ERRLOG);
opts_set_debug(opts);
if (optarg) {
opts_set_debug_level(optarg);
}
break;
case 'V':
@ -1014,7 +446,7 @@ main(int argc, char *argv[])
}
argc -= optind;
argv += optind;
proxyspec_parse(&argc, &argv, natengine, opts);
proxyspec_parse(&argc, &argv, natengine, &opts->spec);
if (opts->conffile) {
if (load_conffile(opts, argv0, natengine) == -1) {
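Review bot: `load_conffile(opts, argv0, natengine)` is called only after the getopt loop has applied every command-line option, so a setting in the conf file overrides the same setting given on the command line no matter where `-f` appears, which is the reverse of the usual precedence and is not stated in the new usage line `" -f conffile use conffile to load configuration from\n"`. Either load the file when `-f` is parsed, inside `case 'f':`, so that later command-line options win, or state in the usage text and the conf.5 manual page that conf-file values take precedence. ProxySpec lines from both sources presumably accumulate on `opts->spec` either way, which looks intended but is worth a sentence in the same place. The body of main() continues outside the hunk.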

@ -36,6 +36,9 @@
#include <event2/util.h>
// The longest natengine is "netfilter"
#define NATENGINE_SIZE 10
typedef int (*nat_lookup_cb_t)(struct sockaddr *, socklen_t *, evutil_socket_t,
struct sockaddr *, socklen_t);
typedef int (*nat_socket_cb_t)(evutil_socket_t);
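Review bot: `#define NATENGINE_SIZE 10` is hand-derived from the comment `// The longest natengine is "netfilter"`, so anything sized by it will silently truncate (or, with an unbounded copy, overflow) when a longer engine name is added. Defining it as `#define NATENGINE_SIZE sizeof("netfilter")` ties the value to the string it is derived from, and a compile-time assertion against the engine table, if this file has one, would catch the drift at build time. How the constant is consumed is outside this hunk.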

1222
opts.c


@ -58,7 +58,6 @@ typedef struct proxyspec {
nat_socket_cb_t natsocket;
struct proxyspec *next;
// @todo Make these config options
struct sockaddr_storage parent_dst_addr;
socklen_t parent_dst_addrlen;
@ -133,19 +132,57 @@ typedef struct opts {
int allow_wrong_host;
} opts_t;
void NORET oom_die(const char *) NONNULL(1);
opts_t *opts_new(void) MALLOC;
void opts_free(opts_t *) NONNULL(1);
int opts_has_ssl_spec(opts_t *) NONNULL(1) WUNRES;
int opts_has_dns_spec(opts_t *) NONNULL(1) WUNRES;
void opts_proto_force(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_proto_disable(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_proto_dbg_dump(opts_t *) NONNULL(1);
#define OPTS_DEBUG(opts) unlikely((opts)->debug)
void proxyspec_parse(int *, char **[], const char *, opts_t *);
void proxyspec_parse(int *, char **[], const char *, proxyspec_t **);
void proxyspec_free(proxyspec_t *) NONNULL(1);
char * proxyspec_str(proxyspec_t *) NONNULL(1) MALLOC;
char *proxyspec_str(proxyspec_t *) NONNULL(1) MALLOC;
void opts_set_cacrt(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_cakey(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_chain(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_key(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_crl(opts_t *, const char *) NONNULL(1,2);
void opts_set_tgcrtdir(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_certgendir_writeall(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_certgendir_writegencerts(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_deny_ocsp(opts_t *) NONNULL(1);
void opts_set_passthrough(opts_t *) NONNULL(1);
#ifndef OPENSSL_NO_DH
void opts_set_dh(opts_t *, const char *, const char *) NONNULL(1,2,3);
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
void opts_set_ecdhcurve(opts_t *, const char *, const char *) NONNULL(1,2,3);
#endif /* !OPENSSL_NO_ECDH */
void opts_unset_sslcomp(opts_t *) NONNULL(1);
void opts_force_proto(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_disable_proto(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_ciphers(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_user(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_group(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_jaildir(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_pidfile(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_connectlog(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_contentlog(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_contentlogdir(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_contentlogpathspec(opts_t *, const char *, const char *) NONNULL(1,2,3);
#ifdef HAVE_LOCAL_PROCINFO
void opts_set_lprocinfo(opts_t *) NONNULL(1);
#endif /* HAVE_LOCAL_PROCINFO */
void opts_set_masterkeylog(opts_t *, const char *, const char *) NONNULL(1,2,3);
void opts_set_daemon(opts_t *) NONNULL(1);
void opts_set_debug(opts_t *) NONNULL(1);
void opts_set_debug_level(const char *) NONNULL(1);
void opts_set_statslog(opts_t *) NONNULL(1);
int load_conffile(opts_t *, const char *, const char *) NONNULL(1,2,3);
#endif /* !OPTS_H */
/* vim: set noet ft=c: */
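Review bot: `int load_conffile(opts_t *, const char *, const char *) NONNULL(1,2,3);` newly exports the conf parser whose body this commit removes from main.c; if that body moved unchanged into opts.c (whose diff is suppressed on this page), its ProxySpec branch sizes the argument vector as `char **argv = malloc(strlen(value) + 1);` and then stores up to 10 `char *` into it, which overflows the heap block whenever the line is shorter than `argc * sizeof(char *)` bytes, the common case for a spec like `https 127.0.0.1 8443 up:8080`. It should be `char **argv = calloc(10, sizeof(*argv));` with the result checked, or a fixed `char *argv[10]` on the stack since `proxyspec_parse` only reads it. Separately, `opts_set_crl(opts_t *, const char *)` and `opts_set_debug_level(const char *)` break the `(opts, argv0, optarg)` signature every other setter in this block follows, which leaves their error paths unable to name the program.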

@ -35,6 +35,7 @@
#include <unistd.h>
#include <netinet/in.h>
// @todo Fix unit tests, up:port in the sslproxy proxspec format is mandatory
static char *argv01[] = {
"https", "127.0.0.1", "10443", "127.0.0.2", "443"
};
@ -86,11 +87,11 @@ static char *argv14[] = {
START_TEST(proxyspec_parse_01)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 5;
char **argv = argv01;
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
fail_unless(!!spec, "failed to parse spec");
fail_unless(spec->ssl, "not SSL");
fail_unless(spec->http, "not HTTP");
@ -110,11 +111,11 @@ END_TEST
START_TEST(proxyspec_parse_02)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 5;
char **argv = argv02;
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
fail_unless(!!spec, "failed to parse spec");
fail_unless(spec->ssl, "not SSL");
fail_unless(spec->http, "not HTTP");
@ -134,12 +135,12 @@ END_TEST
START_TEST(proxyspec_parse_03)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 2;
char **argv = argv01;
close(2);
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
if (spec)
proxyspec_free(spec);
}
@ -147,12 +148,12 @@ END_TEST
START_TEST(proxyspec_parse_04)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 4;
char **argv = argv01;
close(2);
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
if (spec)
proxyspec_free(spec);
}
@ -160,11 +161,11 @@ END_TEST
START_TEST(proxyspec_parse_05)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 5;
char **argv = argv03;
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
fail_unless(!!spec, "failed to parse spec");
fail_unless(!spec->ssl, "SSL");
fail_unless(spec->http, "not HTTP");
@ -184,11 +185,11 @@ END_TEST
START_TEST(proxyspec_parse_06)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 5;
char **argv = argv04;
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
fail_unless(!!spec, "failed to parse spec");
fail_unless(spec->ssl, "not SSL");
fail_unless(!spec->http, "HTTP");
@ -208,11 +209,11 @@ END_TEST
START_TEST(proxyspec_parse_07)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 5;
char **argv = argv05;
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
fail_unless(!!spec, "failed to parse spec");
fail_unless(!spec->ssl, "SSL");
fail_unless(!spec->http, "HTTP");
@ -232,11 +233,11 @@ END_TEST
START_TEST(proxyspec_parse_08)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 5;
char **argv = argv06;
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
fail_unless(!!spec, "failed to parse spec");
fail_unless(spec->ssl, "not SSL");
fail_unless(spec->http, "not HTTP");
@ -255,12 +256,12 @@ END_TEST
START_TEST(proxyspec_parse_09)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 5;
char **argv = argv07;
close(2);
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
if (spec)
proxyspec_free(spec);
}
@ -268,12 +269,12 @@ END_TEST
START_TEST(proxyspec_parse_10)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 4;
char **argv = argv06;
close(2);
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
if (spec)
proxyspec_free(spec);
}
@ -281,11 +282,11 @@ END_TEST
START_TEST(proxyspec_parse_11)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 3;
char **argv = argv08;
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
fail_unless(!!spec, "failed to parse spec");
fail_unless(spec->ssl, "not SSL");
fail_unless(spec->http, "not HTTP");
@ -305,12 +306,12 @@ END_TEST
START_TEST(proxyspec_parse_12)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 4;
char **argv = argv08;
close(2);
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
if (spec)
proxyspec_free(spec);
}
@ -318,11 +319,11 @@ END_TEST
START_TEST(proxyspec_parse_13)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 10;
char **argv = argv09;
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
fail_unless(!!spec, "failed to parse spec");
fail_unless(spec->ssl, "not SSL");
fail_unless(spec->http, "not HTTP");
@ -353,11 +354,11 @@ END_TEST
START_TEST(proxyspec_parse_14)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 6;
char **argv = argv10;
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
fail_unless(!!spec, "failed to parse spec");
fail_unless(spec->ssl, "not SSL");
fail_unless(spec->http, "not HTTP");
@ -389,11 +390,11 @@ END_TEST
START_TEST(proxyspec_parse_15)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 3;
char **argv = argv11;
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
fail_unless(!!spec, "failed to parse spec");
fail_unless(!spec->ssl, "SSL");
fail_unless(!spec->http, "HTTP");
@ -412,11 +413,11 @@ END_TEST
START_TEST(proxyspec_parse_16)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 10;
char **argv = argv12;
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
fail_unless(!!spec, "failed to parse spec");
fail_unless(spec->ssl, "not SSL");
fail_unless(spec->http, "not HTTP");
@ -447,12 +448,12 @@ END_TEST
START_TEST(proxyspec_parse_17)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 5;
char **argv = argv13;
close(2);
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
if (spec)
proxyspec_free(spec);
}
@ -460,11 +461,11 @@ END_TEST
START_TEST(proxyspec_parse_18)
{
proxyspec_t *spec;
proxyspec_t *spec = NULL;
int argc = 8;
char **argv = argv14;
spec = proxyspec_parse(&argc, &argv, NATENGINE);
proxyspec_parse(&argc, &argv, NATENGINE, &spec);
fail_unless(!!spec, "failed to parse spec");
fail_unless(!spec->ssl, "SSL");
fail_unless(!spec->http, "HTTP");

@ -112,6 +112,8 @@ typedef struct pxy_conn_lproc_desc {
#define SSLPROXY_KEY "SSLproxy:"
#define SSLPROXY_KEY_LEN strlen(SSLPROXY_KEY)
int descriptor_table_size = 0;
static pxy_conn_ctx_t * MALLOC NONNULL(2,3,4)
pxy_conn_ctx_new(evutil_socket_t fd,
pxy_thrmgr_ctx_t *thrmgr,
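Review bot: The file-scope `int descriptor_table_size = 0;`, which appears to be what this hunk adds, has external linkage but no comment stating what the count represents or which code is expected to initialise it. If it is written from another translation unit, a one-line comment naming that writer would make the coupling visible; if it is only read and written in this file it should be `static int descriptor_table_size = 0;`. The surrounding file-scope declarations continue outside the hunk, so this is inferred from the visible lines only.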

20
ssl.c

@ -1022,6 +1022,9 @@ ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, EVP_PKEY *key,
case NID_ripemd160WithRSA:
md = EVP_ripemd160();
break;
case NID_sha1WithRSAEncryption:
md = EVP_sha1();
break;
case NID_sha224WithRSAEncryption:
md = EVP_sha224();
break;
@ -1039,9 +1042,8 @@ ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, EVP_PKEY *key,
md = EVP_sha();
break;
#endif /* !OPENSSL_NO_SHA0 */
case NID_sha1WithRSAEncryption:
default:
md = EVP_sha1();
md = EVP_sha256();
break;
}
break;
@ -1049,6 +1051,10 @@ ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, EVP_PKEY *key,
#ifndef OPENSSL_NO_DSA
case EVP_PKEY_DSA:
switch (X509_get_signature_nid(origcrt)) {
case NID_dsaWithSHA1:
case NID_dsaWithSHA1_2:
md = EVP_sha1();
break;
case NID_dsa_with_SHA224:
md = EVP_sha224();
break;
@ -1060,10 +1066,8 @@ ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, EVP_PKEY *key,
md = EVP_sha();
break;
#endif /* !OPENSSL_NO_SHA0 */
case NID_dsaWithSHA1:
case NID_dsaWithSHA1_2:
default:
md = EVP_sha1();
md = EVP_sha256();
break;
}
break;
@ -1071,6 +1075,9 @@ ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, EVP_PKEY *key,
#ifndef OPENSSL_NO_ECDSA
case EVP_PKEY_EC:
switch (X509_get_signature_nid(origcrt)) {
case NID_ecdsa_with_SHA1:
md = EVP_sha1();
break;
case NID_ecdsa_with_SHA224:
md = EVP_sha224();
break;
@ -1083,9 +1090,8 @@ ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, EVP_PKEY *key,
case NID_ecdsa_with_SHA512:
md = EVP_sha512();
break;
case NID_ecdsa_with_SHA1:
default:
md = EVP_sha1();
md = EVP_sha256();
break;
}
break;
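Review bot: The `default:` arm that now selects `EVP_sha256()` carries no comment explaining why an unrecognised signature algorithm is no longer mirrored with SHA-1; the same silent change is made in the DSA and ECDSA switches further down. Suggest `/* unknown or unsupported digest: sign with SHA-256 instead of mirroring it */` on the `default:` line of each of the three switches. The new explicit `case NID_sha1WithRSAEncryption:` (and the `NID_dsaWithSHA1`/`NID_ecdsa_with_SHA1` cases) still reproduces a SHA-1 signature on the forged leaf whenever the original certificate carries one; that is pre-existing behaviour, but a short comment noting that modern clients reject such signatures would help the next reader. The body of ssl_x509_forge begins and ends outside these hunks.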

@ -685,7 +685,8 @@ The following individuals have contributed code or documentation to the
SSLsplit project, in chronological order of their first contribution:
Steve Wills, Landon Fuller, Wayne Jensen, Rory McNamara, Alexander Neumann,
Adam Jacob Muller, Richard Poole, Maciej Kotowicz, Eun Soo Park and Christian
Groschupp.
Groschupp, Alexander Savchenkov, Soner Tari, Petr Vanek, Hilko Bengen,
Philip Duldig and Levente Polyak.
.SH BUGS
Use Github for submission of bug reports or patches:
.LP

@ -2,9 +2,95 @@
# Use CA cert (and key) to sign forged certs
CACert /etc/sslproxy/ca.crt
# Use CA key (and cert) to sign forged certs
CAKey /etc/sslproxy/ca.key
# Use CA chain from pemfile (intermediate and root CA certs)
#CAChain /etc/sslproxy/chain.crt
# Use key from pemfile for leaf certs (default: generate)
#LeafCerts /etc/sslproxy/leaf.key
# Use URL as CRL distribution point for all forged certs
#CRL http://example.com
# Use cert+chain+key PEM files from certdir to target all sites
# matching the common names (non-matching: generate if CA)
#TargetCertDir /etc/sslproxy/target
# Write leaf key and only generated certificates to gendir
#WriteGenCertsDir /var/run/sslproxy
# Write leaf key and all certificates to gendir
#WriteAllCertsDir /var/run/sslproxy
# Deny all OCSP requests on all proxyspecs
#DenyOCSP yes
# Passthrough SSL connections if they cannot be split because of
# client cert auth or no matching cert and no CA (default: drop)
#Passthrough yes
# Use DH group params from pemfile (default: keyfiles or auto)
#DHGroupParams /etc/sslproxy/dh.pem
# Use ECDH named curve (default: prime256v1)
#ECDHCurve prime256v1
# Enable/disable SSL/TLS compression on all connections
#SSLCompression no
# Force SSL/TLS protocol version only (default: all)
#ForceSSLProto tls12
# Disable SSL/TLS protocol version (default: none)
#DisableSSLProto tls10
# Cipher specification for both server and client SSL/TLS connections
# (default: ALL:-aNULL)
Ciphers ALL:!RC4
# Specify default NAT engine to use
#NATEngine netfilter
# Drop privileges to user and group (default if run as root: nobody)
User _sslproxy
Group _sslproxy
# chroot() to jaildir (impacts sni proxyspecs, see manual page)
#Chroot /var/run/sslproxy
# Write pid to pidfile (default: no pid file)
PidFile /var/run/sslproxy.pid
# Connect log: log one line summary per connection to logfile
#ConnectLog /var/log/sslproxy/connect.log
# Content log: full data to file or named pipe (excludes -S/-F)
#ContentLog /var/log/sslproxy/content.log
# Content log: full data to separate files in dir (excludes -L/-F)
#ContentLogDir /var/log/sslproxy/content
# Content log: full data to sep files with %% subst (excl. -L/-S)
#ContentLogPathSpec /var/log/sslproxy/%%X/%%u-%%s-%%d-%%T.log
# Look up local process owning each connection for logging
#LogProcInfo yes
# Log master keys to logfile in SSLKEYLOGFILE format
#MasterKeyLog /var/log/sslproxy/masterkeys.log
# Daemon mode: run in background, log error messages to syslog
Daemon yes
# Debug mode: run in foreground, log debug messages on stderr
#Debug yes
# Verbose debug level
#DebugLevel 4
# Close connections after this many seconds of idle time
ConnIdleTimeout 120
@ -16,19 +102,12 @@ ExpiredConnCheckPeriod 10
# but increases resource usage, such as file desriptors and memory
SSLShutdownRetryDelay 100
# Write pid to file
PidFile /var/run/sslproxy.pid
# Log statistics to syslog
LogStats yes
# Log statistics every this many ExpiredConnCheckPeriod periods
StatsPeriod 1
# Drop privileges to user and group
User _sslproxy
Group _sslproxy
# Remove HTTP header line for Accept-Encoding
RemoveHTTPAcceptEncoding no
@ -41,9 +120,6 @@ VerifyPeer yes
# Allow wrong host names in certificates
AllowWrongHost no
# Cipher specification for both server and client SSL/TLS connections
Ciphers ALL:!RC4
# Proxy specifications
# type listenaddr+port up:utmport
ProxySpec https 127.0.0.1 8443 up:8080
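Review bot: The active `Ciphers ALL:!RC4` line is weaker than the documented default `ALL:-aNULL` quoted in the comment directly above it: OpenSSL's `ALL` keyword includes the aNULL (anonymous DH/ECDH) suites that the default excludes, so anyone deploying this example enables unauthenticated cipher suites on both the listener and the upstream connection. Suggest `Ciphers ALL:!aNULL:!RC4` so the example keeps the default's exclusion while still dropping RC4. The line is carried over from its old position at the end of the file rather than introduced by this commit, but the example is what users will copy.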

@ -23,7 +23,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.TH "sslproxy.conf" "5" "March 26, 2018" "sslproxy 0.5.5" "SSLproxy"
.TH "sslproxy.conf" "5" "May 7, 2018" "sslproxy 0.5.5" "SSLproxy"
.SH "NAME"
.LP
\fBsslproxy.conf\fR \- Configuration file for SSLproxy
@ -51,6 +51,108 @@ Use CA cert (and key) to sign forged certs.
\fBCAKey STRING\fR
Use CA key (and cert) to sign forged certs.
.TP
\fBCAChain STRING\fR
Use CA chain from pemfile (intermediate and root CA certs).
.TP
\fBLeafCerts STRING\fR
Use key from pemfile for leaf certs.
.br
Default: generate
.TP
\fBCRL STRING\fR
Use URL as CRL distribution point for all forged certs.
.TP
\fBTargetCertDir STRING\fR
Use cert+chain+key PEM files from certdir to target all sites matching the common names (non-matching: generate if CA).
.TP
\fBWriteGenCertsDir STRING\fR
Write leaf key and only generated certificates to gendir.
.TP
\fBWriteAllCertsDir STRING\fR
Write leaf key and all certificates to gendir.
.TP
\fBDenyOCSP BOOL\fR
Deny all OCSP requests on all proxyspecs.
.TP
\fBPassthrough BOOL\fR
Passthrough SSL connections if they cannot be split because of client cert auth or no matching cert and no CA.
.br
Default: drop
.TP
\fBDHGroupParams STRING\fR
Use DH group params from pemfile.
.br
Default: keyfiles or auto
.TP
\fBECDHCurve STRING\fR
Use ECDH named curve.
.br
Default: prime256v1
.TP
\fBSSLCompression BOOL\fR
Enable/disable SSL/TLS compression on all connections.
.TP
\fBForceSSLProto STRING\fR
Force SSL/TLS protocol version only.
.br
Default: all
.TP
\fBDisableSSLProto STRING\fR
Disable SSL/TLS protocol version.
.br
Default: none
.TP
\fBCiphers STRING\fR
Cipher specification for both server and client SSL/TLS connections.
.br
Default: ALL:-aNULL
.TP
\fBNATEngine STRING\fR
Specify default NAT engine to use.
.TP
\fBUser STRING\fR
Drop privileges to user.
.br
Default: nobody, if run as root
.TP
\fBGroup STRING\fR
Drop privileges to group.
.br
Default: Primary group of user
.TP
\fBChroot STRING\fR
chroot() to jaildir (impacts sni proxyspecs, see sslproxy(1)).
.TP
\fBPidFile STRING\fR
Write pid to file.
.TP
\fBConnectLog STRING\fR
Connect log: log one line summary per connection to logfile.
.TP
\fBContentLog STRING\fR
Content log: full data to file or named pipe (excludes ContentLogDir/ContentLogPathSpec).
.TP
\fBContentLogDir STRING\fR
Content log: full data to separate files in dir (excludes ContentLog/ContentLogPathSpec).
.TP
\fBContentLogPathSpec STRING\fR
Content log: full data to sep files with %% subst (excludes ContentLog/ContentLogDir).
.TP
\fBLogProcInfo BOOL\fR
Look up local process owning each connection for logging.
.TP
\fBMasterKeyLog STRING\fR
Log master keys to logfile in SSLKEYLOGFILE format.
.TP
\fBDaemon BOOL\fR
Daemon mode: run in background, log error messages to syslog.
.TP
\fBDebug BOOL\fR
Debug mode: run in foreground, log debug messages on stderr.
.TP
\fBDebugLevel NUMBER\fR
Verbose debug level, 2-4.
.TP
\fBConnIdleTimeout NUMBER\fR
Close connections after this many seconds of idle time.
.br
@ -65,9 +167,6 @@ Default: 10.
Retry to shut ssl conns down after this many micro seconds. Increasing this delay may avoid dirty shutdowns on slow connections, but increases resource usage, such as file desriptors and memory.
.br
Default: 100
.TP
\fBPidFile STRING\fR
Write pid to file.
.TP
\fBLogStats BOOL\fR
Log statistics to syslog.
@ -78,16 +177,6 @@ Default: yes
Log statistics every this many ExpiredConnCheckPeriod periods.
.br
Default: 1
.TP
\fBUser STRING\fR
Drop privileges to user.
.br
Default: nobody, if run as root
.TP
\fBGroup STRING\fR
Drop privileges to group.
.br
Default: Primary group of user
.TP
\fBRemoveHTTPAcceptEncoding BOOL\fR
Remove HTTP header line for Accept-Encoding.
@ -108,9 +197,6 @@ Default: yes
Allow wrong host names in certificates.
.br
Default: no
.TP
\fBCiphers STRING\fR
Cipher specification for both server and client SSL/TLS connections.
.TP
\fBProxySpec STRING\fR
Proxy specification: type listenaddr+port up:utmport. Multiple specs are allowed, one on each line.

@ -8,6 +8,8 @@ WGET?= wget
# corresponding source code has not been published by Apple yet.
# If there were no API or ABI changes to the pf ioctl interface,
# falling back to the latest published version should work fine.
# Mac OS X Snow Leopard
XNU_RELS+= 1456.1.26 # 10.6
XNU_RELS+= 1456.1.26 # 10.6.1
XNU_RELS+= 1486.2.11 # 10.6.2
@ -17,30 +19,40 @@ XNU_RELS+= 1504.9.17 # 10.6.5
XNU_RELS+= 1504.9.26 # 10.6.6
XNU_RELS+= 1504.9.37 # 10.6.7
XNU_RELS+= 1504.15.3 # 10.6.8
# Mac OS X Lion
XNU_RELS+= 1699.22.73 # 10.7
XNU_RELS+= 1699.22.81 # 10.7.1
XNU_RELS+= 1699.24.8 # 10.7.2
XNU_RELS+= 1699.24.23 # 10.7.3
XNU_RELS+= 1699.26.8 # 10.7.4
XNU_RELS+= 1699.32.7 # 10.7.5
# OS X Mountain Lion
XNU_RELS+= 2050.7.9 # 10.8
XNU_RELS+= 2050.9.2 # 10.8.1
XNU_RELS+= 2050.18.24 # 10.8.2
XNU_RELS+= 2050.22.13 # 10.8.3
XNU_RELS+= 2050.24.15 # 10.8.4
XNU_RELS+= 2050.48.11 # 10.8.5
# OS X Mavericks
XNU_RELS+= 2422.1.72 # 10.9
XNU_RELS+= 2422.1.72 # 10.9.1
XNU_RELS+= 2422.90.20 # 10.9.2
XNU_RELS+= 2422.100.13 # 10.9.3
XNU_RELS+= 2422.110.17 # 10.9.4
XNU_RELS+= 2422.115.4 # 10.9.5
# OS X Yosemite
XNU_RELS+= 2782.1.97 # 10.10
XNU_RELS+= 2782.1.97 # 10.10.1
XNU_RELS+= 2782.10.72 # 10.10.2
XNU_RELS+= 2782.20.48 # 10.10.3
XNU_RELS+= 2782.30.5 # 10.10.4
XNU_RELS+= 2782.40.9 # 10.10.5
# OS X El Capitan
XNU_RELS+= 3247.1.106 # 10.11
XNU_RELS+= 3247.10.11 # 10.11.1
XNU_RELS+= 3248.20.55 # 10.11.2
@ -48,6 +60,8 @@ XNU_RELS+= 3248.30.4 # 10.11.3
XNU_RELS+= 3248.40.184 # 10.11.4
XNU_RELS+= 3248.50.21 # 10.11.5
XNU_RELS+= 3248.60.10 # 10.11.6
# macOS Sierra
XNU_RELS+= 3789.1.32 # 10.12
XNU_RELS+= 3789.21.4 # 10.12.1
XNU_RELS+= 3789.31.2 # 10.12.2
@ -55,6 +69,8 @@ XNU_RELS+= 3789.41.3 # 10.12.3
XNU_RELS+= 3789.51.2 # 10.12.4
XNU_RELS+= 3789.60.24 # 10.12.5
XNU_RELS+= 3789.70.16 # 10.12.6
# macOS High Sierra
XNU_RELS+= 4570.1.46 # 10.13
# defaults
