Commit 5bc75a08 authored by Mati

Merge tag 'upstream/0.4.8'

Upstream version 0.4.8
parents 0d7303da 9e145eb7
/*.o
/*.ot
/*.dSYM
/sslsplit
/sslsplit.test
/extra/pki/dh*.param
/extra/pki/dsa.pem
/extra/pki/dsa.crt
/extra/pki/dsa.key
/extra/pki/dsa.param
/extra/pki/ec.pem
/extra/pki/ec.crt
/extra/pki/ec.key
/extra/pki/pwd.key
/extra/pki/rsa.pem
/extra/pki/rsa.crt
/extra/pki/rsa.key
/extra/pki/server.pem
/extra/pki/server.crt
/extra/pki/server.key
/extra/pki/session.pem
/extra/pki/targets/*
### OpenSSL tweaking
# Define to use dubious hacks to decrease OpenSSL memory consumption.
#FEATURES+= -DUSE_FOOTPRINT_HACKS
# Define to disable server-mode SSL session caching for SSLv2 clients.
# This is needed if SSL session resumption fails with a bufferevent error:
# "illegal padding in SSL routines SSL2_READ_INTERNAL".
......@@ -40,12 +37,44 @@ DEBUG_CFLAGS?= -g
# Define to add thread debugging; dump thread state when choosing a thread.
#FEATURES+= -DDEBUG_THREAD
# When debugging OpenSSL related issues, make sure you use a debug build of
# OpenSSL and consider enabling its debugging options -DREF_PRINT -DREF_CHECK
# for debugging reference counting of OpenSSL objects and/or
# -DPURIFY for using valgrind and similar tools.
### Mac OS X missing pf headers hacks
# For a list of kernel versions versus release versions, see
# https://en.wikipedia.org/wiki/Darwin_%28operating_system%29
ifeq ($(shell uname),Darwin)
ifeq ($(basename $(basename $(shell uname -r))),11)
# Mac OS X Lion
FEATURES+= -DHAVE_PF
PKG_CPPFLAGS+= -I./xnu/10.7
else ifeq ($(basename $(basename $(shell uname -r))),12)
# Mac OS X Mountain Lion
FEATURES+= -DHAVE_PF
PKG_CPPFLAGS+= -I./xnu/10.8
else ifeq ($(basename $(basename $(shell uname -r))),13)
# Mac OS X Mavericks
FEATURES+= -DHAVE_PF
PKG_CPPFLAGS+= -I./xnu/10.9
#else ifeq ($(basename $(basename $(shell uname -r))),14)
# Mac OS X Syrah
#FEATURES+= -DHAVE_PF
#PKG_CPPFLAGS+= -I./xnu/10.10
endif
endif
### Autodetected features
# Autodetect pf
ifneq ($(wildcard /usr/include/net/pfvar.h),)
FEATURES+= -DHAVE_PF
# OpenBSD 4.7+ and FreeBSD 9.0+ also include ipfw-style divert-to in pf
FEATURES+= -DHAVE_IPFW
endif
# Autodetect ipfw
......@@ -82,12 +111,14 @@ SED?= sed
### Variables only used for developer targets
KHASH_URL?= https://github.com/attractivechaos/klib/raw/master/khash.h
XNU_URL?= https://github.com/opensource-apple/xnu/raw/
GPGSIGNKEY?= 0xB5D3397E
CPPCHECK?= cppcheck
GPG?= gpg
GIT?= git
WGET?= wget
WGET_FLAGS?= --no-check-certificate
BZIP2?= bzip2
COL?= col
......@@ -227,16 +258,22 @@ endif
PKG_CPPFLAGS:= $(subst -I,-isystem,$(PKG_CPPFLAGS))
TPKG_CPPFLAGS:= $(subst -I,-isystem,$(TPKG_CPPFLAGS))
FEATURES:= $(sort $(FEATURES))
CFLAGS+= $(PKG_CFLAGS) -pthread \
CFLAGS+= $(PKG_CFLAGS) \
-std=c99 -Wall -Wextra -pedantic -D_FORTIFY_SOURCE=2
CPPFLAGS+= -D_GNU_SOURCE $(PKG_CPPFLAGS) $(FEATURES) \
-D"BNAME=\"$(TARGET)\"" -D"PNAME=\"$(PNAME)\"" \
-D"VERSION=\"$(VERSION)\"" -D"BUILD_DATE=\"$(BUILD_DATE)\"" \
-D"FEATURES=\"$(FEATURES)\""
LDFLAGS+= $(PKG_LDFLAGS) -pthread
LDFLAGS+= $(PKG_LDFLAGS)
LIBS+= $(PKG_LIBS)
ifneq ($(shell uname),Darwin)
CFLAGS+= -pthread
LDFLAGS+= -pthread
endif
export VERSION
export OPENSSL
export MKDIR
......@@ -319,7 +356,34 @@ manclean:
$(RM) -f $(TARGET)-*.1.txt
fetchdeps:
$(WGET) --no-check-certificate -O- $(KHASH_URL) >khash.h
$(WGET) $(WGET_FLAGS) -O- $(KHASH_URL) >khash.h
$(MKDIR) -p xnu/10.7/libkern xnu/10.7/net
$(WGET) $(WGET_FLAGS) -O- $(XNU_URL)10.7/APPLE_LICENSE \
>xnu/10.7/APPLE_LICENSE
$(WGET) $(WGET_FLAGS) -O- $(XNU_URL)10.7/libkern/libkern/tree.h \
>xnu/10.7/libkern/tree.h
$(WGET) $(WGET_FLAGS) -O- $(XNU_URL)10.7/bsd/net/radix.h \
>xnu/10.7/net/radix.h
$(WGET) $(WGET_FLAGS) -O- $(XNU_URL)10.7/bsd/net/pfvar.h \
>xnu/10.7/net/pfvar.h
$(MKDIR) -p xnu/10.8/libkern xnu/10.8/net
$(WGET) $(WGET_FLAGS) -O- $(XNU_URL)10.8/APPLE_LICENSE \
>xnu/10.8/APPLE_LICENSE
$(WGET) $(WGET_FLAGS) -O- $(XNU_URL)10.8/libkern/libkern/tree.h \
>xnu/10.8/libkern/tree.h
$(WGET) $(WGET_FLAGS) -O- $(XNU_URL)10.8/bsd/net/radix.h \
>xnu/10.8/net/radix.h
$(WGET) $(WGET_FLAGS) -O- $(XNU_URL)10.8/bsd/net/pfvar.h \
>xnu/10.8/net/pfvar.h
$(MKDIR) -p xnu/10.9/libkern xnu/10.9/net
$(WGET) $(WGET_FLAGS) -O- $(XNU_URL)10.9/APPLE_LICENSE \
>xnu/10.9/APPLE_LICENSE
$(WGET) $(WGET_FLAGS) -O- $(XNU_URL)10.9/libkern/libkern/tree.h \
>xnu/10.9/libkern/tree.h
$(WGET) $(WGET_FLAGS) -O- $(XNU_URL)10.9/bsd/net/radix.h \
>xnu/10.9/net/radix.h
$(WGET) $(WGET_FLAGS) -O- $(XNU_URL)10.9/bsd/net/pfvar.h \
>xnu/10.9/net/pfvar.h
dist: $(TARGET)-$(VERSION).tar.bz2 $(TARGET)-$(VERSION).tar.bz2.asc
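Review bot: `WGET_FLAGS?= --no-check-certificate` in the developer-variables hunk disables TLS certificate verification for every fetchdeps download, and the fetched files (khash.h and the xnu tree.h/radix.h/pfvar.h headers) are compiled straight into sslsplit via `PKG_CPPFLAGS+= -I./xnu/...`, so a network-position attacker can substitute code that ends up in the binary. The old recipe already passed the flag for khash.h only; making it the default now applies it to the xnu headers as well. Suggest defaulting the variable to empty (`WGET_FLAGS?=`) so a developer has to opt in on the command line, and better still verifying each downloaded file against a digest recorded in the Makefile (e.g. `sha256sum -c` with the expected values listed next to KHASH_URL/XNU_URL). Since fetchdeps is a developer-only target the exposure is limited to builds made from a fresh fetch, but those are exactly the release builds.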
......
SSLsplit - transparent and scalable SSL/TLS interception
Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
All rights reserved.
http://www.roe.ch/SSLsplit
......
### SSLsplit 0.4.8 2014-01-15
- Filter out Alternate-Protocol response header to suppress SPDY/QUIC.
- Add experimental support for pf on Mac OS X 10.7+ (issue #15).
- Also build ipfw NAT engine if pf is detected to support pf divert-to.
- Unit tests (make test) no longer require Internet connectivity.
- Always use SSL_MODE_RELEASE_BUFFERS when available, which lowers the per
connection memory footprint significantly when using OpenSSL 1.0.0+.
- Fix memory corruption after the certificate in the cache had to be updated
during connection setup (issue #16).
- Fix file descriptor leak in passthrough mode (-P) after SSL errors.
- Fix OpenSSL data structures memory leak on certificate forgery.
- Fix segmentation fault on connections without SNI hostname, caused by
compilers optimizing away a NULL pointer check (issue #14).
- Fix thread manager startup failure under some circumstances (issue #17).
- Fix segmentation faults if thread manager fails to start (issue #10).
### SSLsplit 0.4.7 2013-07-02
- Fix remaining threading issues in daemon mode.
- Filter HPKP header lines from HTTP(S) response headers in order to prevent
public key pinning based on draft-ietf-websec-key-pinning-06.
- Add HTTP status code and content-length to connection log.
### SSLsplit 0.4.6 2013-06-03
- Fix fallback to passthrough (-P) when no matching certificate is found
......
SSLsplit - transparent and scalable SSL/TLS interception
Copyright (C) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
Copyright (C) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
http://www.roe.ch/SSLsplit
......@@ -20,6 +20,7 @@ Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and
ECDHE cipher suites. SSLsplit can also use existing certificates of which the
private key is available, instead of generating forged ones. SSLsplit supports
NULL-prefix CN certificates and can deny OCSP requests in a generic way.
SSLsplit removes HPKP response headers in order to prevent public key pinning.
See the manual page sslsplit(1) for details on using SSLsplit and setting up
the various NAT engines.
......@@ -29,13 +30,13 @@ the various NAT engines.
SSLsplit depends on the OpenSSL and libevent 2.x libraries.
The build depends on GNU make and a POSIX.2 environment in `PATH`.
The (optional) unit tests depend on check.
The optional unit tests depend on the check library.
SSLsplit currently supports the following operating systems and NAT engines:
- FreeBSD: pf rdr, ipfw fwd, ipfilter rdr
- OpenBSD: pf rdr
SSLsplit currently supports the following operating systems and NAT mechanisms:
- FreeBSD: pf rdr and divert-to, ipfw fwd, ipfilter rdr
- OpenBSD: pf rdr-to and divert-to
- Linux: netfilter REDIRECT and TPROXY
- Mac OS X: ipfw fwd
- Mac OS X: ipfw fwd and pf rdr (experimental)
## Installation
......@@ -63,7 +64,7 @@ https://github.com/droe/sslsplit
## License
SSLsplit is provided under the simplified BSD license.
SSLsplit contains components licensed under the MIT license.
SSLsplit contains components licensed under the MIT and APSL licenses.
See the respective source file headers for details.
......
- Strip HPKP headers from responses to prevent pinning
- Rewrite header munging
- Control SSL_OP_SINGLE_ECDH_USE and other de-optimizations by a
"prefer speed to security" command line option
- Optionally add ephemeral RSA key to SSL_CTX to allow export cipher suites
http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html
- Dump cipher suites sent by the client in debug mode
- Consider memory pools for use by per-connection state
- Parse some information from HTTP responses (status, size)
- Handle renego & client cert authentication more gracefully
- Separate orig cert retrieval from actual fwd address/proto config
- CRL denial mode based on targetdir cert's CDPs or by identifying CRL ASN.1
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -153,7 +153,6 @@ base64_enc(const unsigned char *in, size_t insz, size_t *outsz)
'w', 'x', 'y', 'z', '0', '1', '2', '3',
'4', '5', '6', '7', '8', '9', '+', '/' };
size_t i, o;
int tmp;
char *out;
if (insz == 0) {
......@@ -168,6 +167,7 @@ base64_enc(const unsigned char *in, size_t insz, size_t *outsz)
}
for (i = 0, o = 0; i < insz; i += 3, o += 4) {
int tmp;
tmp = in[i ] << 16;
if (i + 1 < insz)
tmp += in[i + 1] << 8;
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -33,8 +33,8 @@
#include <stdlib.h>
unsigned char * base64_dec(const char *, size_t, size_t *) NONNULL() MALLOC;
char * base64_enc(const unsigned char *, size_t, size_t *) NONNULL() MALLOC;
unsigned char * base64_dec(const char *, size_t, size_t *) NONNULL(1,3) MALLOC;
char * base64_enc(const unsigned char *, size_t, size_t *) NONNULL(1,3) MALLOC;
#endif /* !BASE64_H */
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -108,7 +108,6 @@ cache_val_t
cache_get(cache_t *cache, cache_key_t key)
{
cache_val_t rval = NULL;
cache_val_t val;
khiter_t it;
if (!key)
......@@ -117,6 +116,7 @@ cache_get(cache_t *cache, cache_key_t key)
pthread_mutex_lock(&cache->mutex);
it = cache->get_cb(key);
if (it != cache->end_cb()) {
cache_val_t val;
val = cache->get_val_cb(it);
if (!(rval = cache->unpackverify_val_cb(val, 1))) {
cache->free_val_cb(val);
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -72,12 +72,12 @@ typedef struct cache {
typedef void (*cache_init_cb_t)(struct cache *);
cache_t * cache_new(cache_init_cb_t) MALLOC;
void cache_reinit(cache_t *) NONNULL();
void cache_free(cache_t *) NONNULL();
void cache_gc(cache_t *) NONNULL();
cache_val_t cache_get(cache_t *, cache_key_t) NONNULL() WUNRES;
void cache_set(cache_t *, cache_key_t, cache_val_t) NONNULL();
void cache_del(cache_t *, cache_key_t) NONNULL();
void cache_reinit(cache_t *) NONNULL(1);
void cache_free(cache_t *) NONNULL(1);
void cache_gc(cache_t *) NONNULL(1);
cache_val_t cache_get(cache_t *, cache_key_t) NONNULL(1) WUNRES;
void cache_set(cache_t *, cache_key_t, cache_val_t) NONNULL(1);
void cache_del(cache_t *, cache_key_t) NONNULL(1);
#endif /* !CACHE_H */
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -37,11 +37,11 @@
#include <openssl/ssl.h>
void cachedsess_init_cb(struct cache *) NONNULL();
void cachedsess_init_cb(struct cache *) NONNULL(1);
cache_key_t cachedsess_mkkey(const struct sockaddr *, const socklen_t,
const char *) NONNULL() WUNRES;
cache_val_t cachedsess_mkval(SSL_SESSION *) NONNULL() WUNRES;
const char *) NONNULL(1) WUNRES;
cache_val_t cachedsess_mkval(SSL_SESSION *) NONNULL(1) WUNRES;
#endif /* !CACHEDSESS_H */
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -34,10 +34,10 @@
#include <openssl/x509.h>
void cachefkcrt_init_cb(struct cache *) NONNULL();
void cachefkcrt_init_cb(struct cache *) NONNULL(1);
cache_key_t cachefkcrt_mkkey(X509 *) NONNULL() WUNRES;
cache_val_t cachefkcrt_mkval(X509 *) NONNULL() WUNRES;
cache_key_t cachefkcrt_mkkey(X509 *) NONNULL(1) WUNRES;
cache_val_t cachefkcrt_mkval(X509 *) NONNULL(1) WUNRES;
#endif /* !CACHEFKCRT_H */
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -34,11 +34,11 @@
#include <openssl/ssl.h>
void cachessess_init_cb(struct cache *) NONNULL();
void cachessess_init_cb(struct cache *) NONNULL(1);
cache_key_t cachessess_mkkey(const unsigned char *, const size_t)
NONNULL() WUNRES;
cache_val_t cachessess_mkval(SSL_SESSION *) NONNULL() WUNRES;
NONNULL(1) WUNRES;
cache_val_t cachessess_mkval(SSL_SESSION *) NONNULL(1) WUNRES;
#endif /* !CACHESSESS_H */
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -33,10 +33,10 @@
#include "attrib.h"
#include "cert.h"
void cachetgcrt_init_cb(struct cache *) NONNULL();
void cachetgcrt_init_cb(struct cache *) NONNULL(1);
cache_key_t cachetgcrt_mkkey(const char *) NONNULL() WUNRES;
cache_val_t cachetgcrt_mkval(cert_t *) NONNULL() WUNRES;
cache_key_t cachetgcrt_mkkey(const char *) NONNULL(1) WUNRES;
cache_val_t cachetgcrt_mkval(cert_t *) NONNULL(1) WUNRES;
#endif /* !CACHETGCRT_H */
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -46,11 +46,11 @@ cert_t * cert_new(void) MALLOC;
cert_t * cert_new_load(const char *) MALLOC;
cert_t * cert_new3(EVP_PKEY *, X509 *, STACK_OF(X509) *) MALLOC;
cert_t * cert_new3_copy(EVP_PKEY *, X509 *, STACK_OF(X509) *) MALLOC;
void cert_refcount_inc(cert_t *) NONNULL();
void cert_refcount_inc(cert_t *) NONNULL(1);
void cert_set_key(cert_t *, EVP_PKEY *) NONNULL(1);
void cert_set_crt(cert_t *, X509 *) NONNULL(1);
void cert_set_chain(cert_t *, STACK_OF(X509) *) NONNULL(1);
void cert_free(cert_t *) NONNULL();
void cert_free(cert_t *) NONNULL(1);
#endif /* !CERT_H */
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -42,7 +42,7 @@ dynbuf_t * dynbuf_new(unsigned char *, size_t) MALLOC;
dynbuf_t * dynbuf_new_alloc(size_t) MALLOC;
dynbuf_t * dynbuf_new_copy(const unsigned char *, const size_t) MALLOC;
dynbuf_t * dynbuf_new_file(const char *) MALLOC;
void dynbuf_free(dynbuf_t *) NONNULL();
void dynbuf_free(dynbuf_t *) NONNULL(1);
#endif /* !DYNBUF_H */
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......
......@@ -101,15 +101,14 @@ targets: rsa.crt
>targets/wildcard.roe.ch.pem
$(RM) targets/wildcard.roe.ch.{key,csr,crt} rsa.srl
# openssl s_server cannot be easily controlled from scripts; it is
# more robust to just connect to a real server to create a session
# localhost network connectivity is required
session.pem:
( \
echo 'GET /test/SSLsplit-$(VERSION) HTTP/1.1'; \
echo 'Host: daniel.roe.ch'; \
echo 'Connection: close'; \
echo ) | $(OPENSSL) s_client -connect daniel.roe.ch:443 \
-quiet -crlf -no_ign_eof -sess_out $@ >/dev/null 2>&1
openssl s_server -accept 46143 -cert server.pem -quiet -no_ssl2 & \
pid=$$! ; \
sleep 1 ; \
echo q | $(OPENSSL) s_client -connect localhost:46143 \
-quiet -no_ign_eof -sess_out $@ ; \
kill $$pid
test -r $@
clean:
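Review bot: The new session.pem recipe starts the listener with a bare `openssl s_server` while the client line uses `$(OPENSSL) s_client`, so the two sides may come from different OpenSSL builds and the generated session may not match the one the tests expect; change it to `$(OPENSSL) s_server -accept 46143 -cert server.pem -quiet -no_ssl2 & \`. The fixed `sleep 1` is also a race: on a loaded host s_client can run before the listener is up and the only symptom is the `test -r $@` failure. The listener binds all interfaces on a fixed port with server.pem's key for the duration of the recipe; if the installed OpenSSL accepts a host:port form for `-accept`, restricting it to the loopback address would keep this test-only server local, and a short retry loop around s_client would be more robust than a fixed delay. The s_server process is also orphaned if make is interrupted between the spawn and `kill $$pid`.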
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -251,11 +251,6 @@ log_content_close_singlefile(void)
void
log_content_open(log_content_ctx_t *ctx, char *srcaddr, char *dstaddr)
{
char filename[1024];
char timebuf[24];
time_t epoch;
struct tm *utc;
if (ctx->open)
return;
......@@ -264,6 +259,11 @@ log_content_open(log_content_ctx_t *ctx, char *srcaddr, char *dstaddr)
asprintf(&ctx->header_in, "%s -> %s", srcaddr, dstaddr);
asprintf(&ctx->header_out, "%s -> %s", dstaddr, srcaddr);
} else {
char filename[1024];
char timebuf[24];
time_t epoch;
struct tm *utc;
time(&epoch);
utc = gmtime(&epoch);
strftime(timebuf, sizeof(timebuf), "%Y%m%dT%H%M%SZ", utc);
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -64,12 +64,12 @@ typedef struct log_content_ctx {
char *header_in;
char *header_out;
} log_content_ctx_t;
void log_content_open(log_content_ctx_t *, char *, char *) NONNULL();
void log_content_submit(log_content_ctx_t *, logbuf_t *, int) NONNULL();
void log_content_close(log_content_ctx_t *) NONNULL();
void log_content_open(log_content_ctx_t *, char *, char *) NONNULL(1,2,3);
void log_content_submit(log_content_ctx_t *, logbuf_t *, int) NONNULL(1,2);
void log_content_close(log_content_ctx_t *) NONNULL(1);
int log_preinit(opts_t *) NONNULL() WUNRES;
int log_init(opts_t *) NONNULL() WUNRES;
int log_preinit(opts_t *) NONNULL(1) WUNRES;
int log_init(opts_t *) NONNULL(1) WUNRES;
void log_fini(void);
#endif /* !LOG_H */
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -143,7 +143,7 @@ logbuf_size(logbuf_t *lb)
ssize_t
logbuf_write_free(logbuf_t *lb, writefunc_t writefunc)
{
ssize_t rv1, rv2;
ssize_t rv1, rv2 = 0;
rv1 = writefunc(lb->fd, lb->buf, lb->sz);
free(lb->buf);
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception
* Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
* Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
* All rights reserved.
* http://www.roe.ch/SSLsplit
*
......@@ -48,9 +48,9 @@ logbuf_t * logbuf_new_alloc(size_t, int, logbuf_t *) MALLOC;
logbuf_t * logbuf_new_copy(const void *, size_t, int, logbuf_t *) MALLOC;
logbuf_t * logbuf_new_printf(int, logbuf_t *, const char *, ...)
MALLOC PRINTF(3,4);
ssize_t logbuf_size(logbuf_t *) NONNULL() WUNRES;
ssize_t logbuf_size(logbuf_t *) NONNULL(1) WUNRES;
ssize_t logbuf_write_free(logbuf_t *, writefunc_t) NONNULL(1);
void logbuf_free(logbuf_t *) NONNULL();
void logbuf_free(logbuf_t *) NONNULL(1);
#endif /* !LOGBUF_H */
......
/*
* SSLsplit - transparent and scalable SSL/TLS interception