Commit 1debd464 authored by Hilko Bengen

Merge tag 'upstream/0.5.4' into debian/master

Upstream version 0.5.4
parents a58fb62e b72ac3ad
Please supply the following with bug reports to allow for diagnostics:
Please only open issues for bug reports or feature requests.
The developers do not have the resources to provide individual support.
For support, please turn to the most applicable Stack Exchange site, such as
[Information Security](https://security.stackexchange.com/),
[Network Engineering](https://networkengineering.stackexchange.com/) or
[Super User](https://superuser.com/).
For user discussions, there is an experimental Gitter chat at
[gitter.im/droe/sslsplit](https://gitter.im/droe/sslsplit).
For bug reports, please supply:
- Output of `sslsplit -V`
- Output of `uname -a`
......
# Authors
SSLsplit was written and is being maintained by
[Daniel Roethlisberger](https://daniel.roe.ch/).
SSLsplit was written by
[Daniel Roethlisberger](https://github.com/droe).
SSLsplit is currently maintained by
[Daniel Roethlisberger](https://github.com/droe) and
[Soner Tari](https://github.com/sonertari).
The following individuals have contributed to the codebase by submitting
patches or pull requests, in chronological order of their first contribution:
......@@ -23,6 +26,7 @@ patches or pull requests, in chronological order of their first contribution:
- Philip Duldig ([pduldig-at-tw](https://github.com/pduldig-at-tw))
- Levente Polyak ([anthraxx](https://github.com/anthraxx))
- Nick French ([naf419](https://github.com/naf419))
- Cihan Kömeçoğlu ([cihankom](https://github.com/cihankom))
Many more individuals have contributed by reporting bugs or feature requests.
See [issue tracker on Github][1], `NEWS.md` and `git log` for details.
......
......@@ -4,19 +4,24 @@ different copyright and license terms:
khash.h:
Copyright (c) 2008, 2009, 2011, Attractive Chaos.
All rights reserved.
Licensed under the MIT license.
https://github.com/attractivechaos/klib
xnu/xnu-*:
Copyright (c) 1988-2017, Apple Inc. and original copyright holders.
All rights reserved.
Licensed under the APSL.
https://opensource.apple.com/
extra/log*.py:
Copyright (C) 2015, Maciej Kotowicz and Daniel Roethlisberger.
All rights reserved.
Licensed under a 2-clause BSD license.
Mk/xcode.mk:
Copyright (c) Daniel Roethlisberger.
Released under the Unlicense.
https://github.com/droe/example.kext
See the respective source and/or license files for details.
......@@ -62,6 +62,8 @@ def mangle(outfile, infile):
for fn in sys.argv[1:]:
with open(fn, 'r') as infile:
with open(fn + '~', 'w') as outfile:
mode = os.fstat(infile.fileno()).st_mode
os.fchmod(outfile.fileno(), mode)
mangle(outfile, infile)
os.rename(fn + '~', fn)
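Review bot: the added `os.fchmod(outfile.fileno(), mode)` passes the complete `st_mode` returned by `os.fstat`, file-type bits included, and relies on the kernel ignoring everything but the permission bits; pass `stat.S_IMODE(mode)` instead so the intent is explicit and portable. Note also that the temporary `fn + '~'` is created with the default umask before the chmod runs and that `os.rename` does not carry over the original owner, which matters when the script is run on files it does not own.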
#!/bin/sh
if [ -z "$SSL" ]; then
echo '$SSL not set, aborting' >&2
exit 1
fi
if [ -z "$EVENT" ]; then
echo '$EVENT not set, aborting' >&2
exit 1
fi
case "$SSL" in
openssl-0.9.*)
SSLURL=https://www.openssl.org/source/old/0.9.x/$SSL.tar.gz
;;
openssl-1.0.0*)
SSLURL=https://www.openssl.org/source/old/1.0.0/$SSL.tar.gz
;;
openssl-1.0.1*)
SSLURL=https://www.openssl.org/source/old/1.0.1/$SSL.tar.gz
;;
openssl-*)
SSLURL=https://www.openssl.org/source/$SSL.tar.gz
;;
libressl-*)
#SSLURL=https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$SSL.tar.gz
SSLURL=http://ftp.fau.de/pub/OpenBSD/LibreSSL/$SSL.tar.gz
;;
*)
exit 1
;;
esac
case "$EVENT" in
libevent-2.1.8)
EVENTURL=https://github.com/libevent/libevent/releases/download/release-2.1.8-stable/libevent-2.1.8-stable.tar.gz
EVENTPATCH=Mk/patches/libevent-2.1.8.diff
EVENTOPTS="$EVENTOPTS --disable-libevent-regress --disable-samples"
;;
libevent-2.0.22)
EVENTURL=https://github.com/libevent/libevent/releases/download/release-2.0.22-stable/libevent-2.0.22-stable.tar.gz
;;
*)
exit 1
;;
esac
if [ ! -d "$HOME/opt/$SSL" ]; then
if [ "`uname`" = "Linux" ]; then
SSLOPTS="$SSLOPTS -Wl,-rpath=$HOME/opt/$SSL/lib"
fi
wget "$SSLURL" || exit 1
tar -xzvf "$SSL.tar.gz" || exit 1
cd "$SSL" || exit 1
./config shared \
--prefix="$HOME/opt/$SSL" \
--openssldir="$HOME/opt/$SSL" \
$SSLOPTS || exit 1
make && make install || { rm -rf "$HOME/opt/$SSL"; exit 1; }
cd ..
fi
export CPPFLAGS="-I$HOME/opt/$SSL/include"
export LDFLAGS="-L$HOME/opt/$SSL/lib"
if [ ! -d "$HOME/opt/$EVENT" ]; then
wget "$EVENTURL" || exit 1
tar -xzvf "$EVENT-stable.tar.gz" || exit 1
cd "$EVENT-stable" || exit 1
if [ -n "$EVENTPATCH" ]; then
patch -p0 < ../$EVENTPATCH || exit 1
fi
./configure --prefix="$HOME/opt/$EVENT" $EVENTOPTS || exit 1
make && make install || { rm -rf "$HOME/opt/$EVENT"; exit 1; }
cd ..
fi
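Review bot: the LibreSSL tarball is downloaded over plain HTTP from a mirror (`SSLURL=http://ftp.fau.de/pub/OpenBSD/LibreSSL/$SSL.tar.gz`, with the HTTPS ftp.openbsd.org URL commented out above it), and none of the OpenSSL, LibreSSL or libevent tarballs fetched with `wget` is checked against a checksum or signature before being built and installed under `$HOME/opt` and linked into the TLS code. Pin a SHA-256 per `$SSL`/`$EVENT` value and verify it after the download, or at minimum restore the HTTPS source. Minor: `patch -p0 < ../$EVENTPATCH` should quote the variable like the other paths in this script.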
......@@ -3,6 +3,7 @@
# in: BUILD_INFO (optional)
# in: OPENSSL (optional)
# in: OPENSSL_FOUND (optional)
# in: SOURCE_DATE_EPOCH (optional)
ifndef PKGNAME
$(error PKGNAME not defined)
......
From 28b8075400c70b2d2da2ce07e590c2ec6d11783d Mon Sep 17 00:00:00 2001
From: Bernard Spil <brnrd@FreeBSD.org>
Date: Mon, 2 Apr 2018 13:18:27 +0200
Subject: [PATCH] Fix build with LibreSSL 2.7
LibreSSL 2.7 implements OpenSSL 1.1 API except for BIO_get_init()
See also: https://bugs.freebsd.org/226900
Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
Closes: #617 (cherry-pick)
--- openssl-compat.h.orig 2017-01-25 23:37:15 UTC
+++ openssl-compat.h
@@ -1,7 +1,8 @@
#ifndef OPENSSL_COMPAT_H
#define OPENSSL_COMPAT_H
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
static inline BIO_METHOD *BIO_meth_new(int type, const char *name)
{
@@ -30,6 +31,11 @@ static inline BIO_METHOD *BIO_meth_new(i
#define TLS_method SSLv23_method
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) */
+
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20700000L
+#define BIO_get_init(b) (b)->init
+#endif
#endif /* OPENSSL_COMPAT_H */
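Review bot: the new `#define BIO_get_init(b) (b)->init` at the end of the hunk is only bounded from below (`LIBRESSL_VERSION_NUMBER >= 0x20700000L`), so it reaches into the BIO structure for every future LibreSSL release as well; once LibreSSL either makes the BIO opaque or ships its own `BIO_get_init`, this line will fail to compile or shadow the library function. Add an upper version bound matching the LibreSSL release that is known to lack `BIO_get_init`, and revisit it when bumping the patch.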
--- sample/https-client.c.orig 2017-01-25 23:37:15 UTC
+++ sample/https-client.c
@@ -312,7 +312,8 @@ main(int argc, char **argv)
}
uri[sizeof(uri) - 1] = '\0';
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
// Initialize OpenSSL
SSL_library_init();
ERR_load_crypto_strings();
@@ -480,7 +481,8 @@ cleanup:
SSL_CTX_free(ssl_ctx);
if (type == HTTP && ssl)
SSL_free(ssl);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
EVP_cleanup();
ERR_free_strings();
@@ -492,7 +494,8 @@ cleanup:
CRYPTO_cleanup_all_ex_data();
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
-#endif /*OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) */
#ifdef _WIN32
WSACleanup();
--- sample/le-proxy.c.orig 2017-01-25 23:37:15 UTC
+++ sample/le-proxy.c
@@ -259,7 +259,8 @@ main(int argc, char **argv)
if (use_ssl) {
int r;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
SSL_library_init();
ERR_load_crypto_strings();
SSL_load_error_strings();
--- sample/openssl_hostname_validation.c.orig 2017-01-25 23:37:15 UTC
+++ sample/openssl_hostname_validation.c
@@ -48,7 +48,8 @@ SOFTWARE.
#define HOSTNAME_MAX_SIZE 255
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
#define ASN1_STRING_get0_data ASN1_STRING_data
#endif
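Review bot: this hunk writes the condition as `#if OPENSSL_VERSION_NUMBER < 0x10100000L || \` without the parentheses that every other hunk in this patch uses around the first operand. The result is the same because `<` binds tighter than `||`, but the inconsistency invites a wrong edit later; use the same `(OPENSSL_VERSION_NUMBER < 0x10100000L) || \` form as the other files.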
--- test/regress_ssl.c.orig 2017-01-25 23:37:15 UTC
+++ test/regress_ssl.c
@@ -186,7 +186,8 @@ get_ssl_ctx(void)
void
init_ssl(void)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
SSL_library_init();
ERR_load_crypto_strings();
SSL_load_error_strings();
# macOS Xcode and SDK selection makefile
# Authored 2018, Daniel Roethlisberger
# Provided under the Unlicense
# https://github.com/droe/example.kext
# DEVELOPER_DIR override Xcode Command Line Developer Tools directory
# MACOSX_VERSION_MIN minimal version of macOS to target, e.g. 10.11
# SDK SDK name to build against (e.g. macosx, macosx10.11, ...);
# for kernel extensions, use macosx$(MACOSX_VERSION_MIN)
# target specific macOS min version
ifdef MACOSX_VERSION_MIN
CFLAGS+= -mmacosx-version-min=$(MACOSX_VERSION_MIN)
LDFLAGS+= -mmacosx-version-min=$(MACOSX_VERSION_MIN)
endif
# select specific Xcode
ifdef DEVELOPER_DIR
ifndef SDK
SDK:= macosx
endif
else
DEVELOPER_DIR:= $(shell xcode-select -p)
endif
# activate the selected Xcode and SDK
ifdef SDK
SDKPATH:= $(shell DEVELOPER_DIR="$(DEVELOPER_DIR)" xcrun -find -sdk $(SDK) --show-sdk-path||echo none)
ifeq "$(SDKPATH)" "none"
$(error SDK not found)
endif
CPPFLAGS+= -isysroot $(SDKPATH)
LDFLAGS+= -isysroot $(SDKPATH)
CC:= $(shell DEVELOPER_DIR="$(DEVELOPER_DIR)" xcrun -find -sdk $(SDK) cc||echo false)
CXX:= $(shell DEVELOPER_DIR="$(DEVELOPER_DIR)" xcrun -find -sdk $(SDK) c++||echo false)
CODESIGN:= $(shell DEVELOPER_DIR="$(DEVELOPER_DIR)" xcrun -find -sdk $(SDK) codesign||echo false)
else
CC?= cc
CXX?= c++
CODESIGN?= codesign
endif
### SSLsplit 0.5.4 2018-10-29
This release includes work sponsored by HackerOne.
- Add PCAP content log modes (-X, -Y, -y) and a packet mirroring content log
mode (-T, -I) to encapsulate decrypted traffic segments in emulated TCP, IP
and Ethernet headers and write the result to PCAP files or send it to a
packet capture host on the local network segment (issue #215, based on pull
req #149 by @cihankom).
- Suppress Expect-CT header in order to avoid Certificate Transparency log
lookup failures (issue #205).
- Add -x option for activating an OpenSSL engine (issue #204, pull req #206).
- Add -f option for loading configuration from file, including a new manual
page, sslsplit.conf(5) (pull req #193).
- Bypass privilege separation overhead for when privileges are not actually
dropped; this allows the use of `-u root` to actively prevent privilege
separation and remove the associated IPC overhead (issue #222).
- Add `sudotest` target for optional unit tests which require privileges to
run successfully.
- Fix crash when using LibreSSL (pull req #207).
- Add XNU headers for macOS High Sierra 10.13.1 to 10.13.6.
- Release sig PGP/GPG key rollover from 0xB5D3397E to 0xE1520675375F5E35.
- Minor bugfixes and improvements.
### SSLsplit 0.5.3 2018-07-20
- Add -a and -b for initial basic client certificate support (pull req #194
......
# SSLsplit - transparent SSL/TLS interception [![Build Status](https://travis-ci.org/droe/sslsplit.svg?branch=master)](https://travis-ci.org/droe/sslsplit)
Copyright (C) 2009-2018, [Daniel Roethlisberger](//daniel.roe.ch/).
# SSLsplit - transparent SSL/TLS interception
https://www.roe.ch/SSLsplit
## Overview
SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted
......@@ -37,10 +35,15 @@ SSLsplit implements a number of defences against mechanisms which would
normally prevent MitM attacks or make them more difficult. SSLsplit can deny
OCSP requests in a generic way. For HTTP and HTTPS connections, SSLsplit
mangles headers to prevent server-instructed public key pinning (HPKP), avoid
strict transport security restrictions (HSTS), and prevent switching to
QUIC/SPDY, HTTP/2 or WebSockets (Upgrade, Alternate Protocols). HTTP
compression, encodings and keep-alive are disabled to make the logs more
readable.
strict transport security restrictions (HSTS), avoid Certificate Transparency
enforcement (Expect-CT) and prevent switching to QUIC/SPDY, HTTP/2 or
WebSockets (Upgrade, Alternate Protocols). HTTP compression, encodings and
keep-alive are disabled to make the logs more readable.
Logging options include traditional SSLsplit connect and content log files as
well as PCAP files and mirroring decrypted traffic to a network interface.
Additionally, certificates, master secrets and local process information can be
logged.
See the manual page sslsplit(1) for details on using SSLsplit and setting up
the various NAT engines.
......@@ -48,10 +51,11 @@ the various NAT engines.
## Requirements
SSLsplit depends on the OpenSSL and libevent 2.x libraries.
The build depends on GNU make and a POSIX.2 environment in `PATH`.
If available, pkg-config is used to locate and configure the dependencies.
The optional unit tests depend on the check library.
SSLsplit depends on the OpenSSL, libevent 2.x, libpcap and libnet 1.1.x
libraries bydefault; libpcap and libnet are not needed if the mirroring feature
is omitted. The build depends on GNU make and a POSIX.2 environment in `PATH`.
If available, pkg-config is used to locate and configure the dependencies. The
optional unit tests depend on the check library.
SSLsplit currently supports the following operating systems and NAT mechanisms:
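Review bot: typo in the new Requirements paragraph, `libraries bydefault;` should read `libraries by default;`.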
......@@ -64,44 +68,49 @@ Support for local process information (`-i`) is currently available on Mac OS X
and FreeBSD.
SSL/TLS features and compatibility greatly depend on the version of OpenSSL
linked against; for optimal results, use a recent release of OpenSSL proper.
OpenSSL forks like LibreSSL and BoringSSL may or may not work.
linked against. For optimal results, use a recent release of OpenSSL or
LibreSSL.
## Installation
With OpenSSL, libevent 2.x, pkg-config and check available, run:
With the requirements above available, run:
make
make test # optional unit tests
make sudotest # optional unit tests requiring privileges
make install # optional install
Dependencies are autoconfigured using pkg-config. If dependencies are not
picked up and fixing `PKG_CONFIG_PATH` does not help, you can specify their
respective locations manually by setting `OPENSSL_BASE`, `LIBEVENT_BASE` and/or
`CHECK_BASE` to the respective prefixes.
respective locations manually by setting `OPENSSL_BASE`, `LIBEVENT_BASE`,
`LIBPCAP_BASE`, `LIBNET_BASE` and/or `CHECK_BASE` to the respective prefixes.
You can override the default install prefix (`/usr/local`) by setting `PREFIX`.
For more build options see `GNUmakefile`.
For more build options and build-time defaults see [`GNUmakefile`](GNUmakefile)
and [`defaults.h`](defaults.h).
## Documentation
See the manual page `sslsplit.1` for user documentation.
See `NEWS.md` for release notes listing significant changes between releases.
See the manual pages `sslsplit(1)` and `sslsplit.conf(5)` for user
documentation. See [`NEWS.md`](NEWS.md) for release notes listing significant
changes between releases and [`SECURITY.md`](SECURITY.md) for information on
security vulnerability disclosure.
## License
SSLsplit is provided under a 2-clause BSD license.
SSLsplit contains components licensed under the MIT and APSL licenses.
See `LICENSE`, `LICENSE.contrib` and `LICENSE.third` as well as the respective
source file headers for details.
See [`LICENSE`](LICENSE), [`LICENSE.contrib`](LICENSE.contrib) and
[`LICENSE.third`](LICENSE.third) as well as the respective source file headers
for details.
## Credits
See `AUTHORS.md` for the list of contributors.
See [`AUTHORS.md`](AUTHORS.md) for the list of contributors.
SSLsplit was inspired by `mitm-ssl` by Claes M. Nyberg and `sslsniff` by Moxie
Marlinspike, but shares no source code with them.
......
# Security
Please report all security issues privately to
[Daniel Roethlisberger](mailto:daniel@roe.ch).
The maintainers pledge to act on all reported security issues in a timely and
professional manner, working with the reporter to reproduce, understand,
address and disclose vulnerabilities in a coordinated manner. For critical
vulnerabilities, we will prepare a bugfix release based on the last release,
obtain CVE numbers and notify distributions shipping affected packages in
advance of the release.
......@@ -34,10 +34,15 @@
#include <unistd.h>
#include <string.h>
#include <netinet/in.h>
#include <time.h>
#include <check.h>
#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20501000L
#define TMP_SESS_FILE "extra/pki/session-libressl-2.5.0.pem"
#else
#define TMP_SESS_FILE "extra/pki/session.pem"
#endif
static SSL_SESSION *
ssl_session_from_file(const char *filename)
......@@ -50,6 +55,8 @@ ssl_session_from_file(const char *filename)
return NULL;
sess = PEM_read_SSL_SESSION(f, NULL, NULL, NULL);
fclose(f);
/* to avoid having to regenerate the session, just bump its time */
SSL_SESSION_set_time(sess, time(NULL) - 1);
return sess;
}
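Review bot: `SSL_SESSION_set_time(sess, time(NULL) - 1);` is called before `sess` is checked. `PEM_read_SSL_SESSION` returns NULL when the file in `TMP_SESS_FILE` is missing or fails to parse (for example a LibreSSL/OpenSSL format mismatch, which is exactly the case the new `TMP_SESS_FILE` switch above is meant to handle), and the test helper would then dereference NULL instead of returning NULL to the caller. Guard the call with `if (sess)` before bumping the time.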
......@@ -121,7 +128,7 @@ START_TEST(cache_dsess_03)
}
END_TEST
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
START_TEST(cache_dsess_04)
{
SSL_SESSION *s1, *s2;
......@@ -162,7 +169,7 @@ cachedsess_suite(void)
tcase_add_test(tc, cache_dsess_01);
tcase_add_test(tc, cache_dsess_02);
tcase_add_test(tc, cache_dsess_03);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
tcase_add_test(tc, cache_dsess_04);
#endif
suite_add_tcase(s, tc);
......
......@@ -58,6 +58,7 @@ START_TEST(cache_fkcrt_01)
fail_unless(!!c1, "loading certificate failed");
cachemgr_fkcrt_set(c1, c1);
c2 = cachemgr_fkcrt_get(c1);
fail_unless(!!c2, "cache did not return a certificate");
fail_unless(c2 == c1, "cache did not return same pointer");
X509_free(c1);
X509_free(c2);
......@@ -90,7 +91,7 @@ START_TEST(cache_fkcrt_03)
}
END_TEST
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
START_TEST(cache_fkcrt_04)
{
X509 *c1, *c2;
......@@ -113,8 +114,10 @@ START_TEST(cache_fkcrt_04)
cachemgr_fini();
fail_unless(c1->references == 1, "refcount != 1");
X509_free(c2);
#if 0
/* deliberate access of free'd X509* */
fail_unless(c1->references == 0, "refcount != 0");
#endif
fail_unless(cachemgr_preinit() != -1, "reinit");
}
END_TEST
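Review bot: wrapping the `fail_unless(c1->references == 0, ...)` in `#if 0` keeps a deliberate read of freed memory in the source where it can be re-enabled by accident and will be flagged by AddressSanitizer if it is. If the check has no safe equivalent, delete the lines and keep the comment explaining why the refcount cannot be verified after the last `X509_free`.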
......@@ -133,7 +136,7 @@ cachefkcrt_suite(void)
tcase_add_test(tc, cache_fkcrt_01);
tcase_add_test(tc, cache_fkcrt_02);
tcase_add_test(tc, cache_fkcrt_03);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
tcase_add_test(tc, cache_fkcrt_04);
#endif
suite_add_tcase(s, tc);
......
......@@ -33,10 +33,16 @@
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <time.h>
#include <check.h>
#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20501000L
#define TMP_SESS_FILE "extra/pki/session-libressl-2.5.0.pem"
#else
#define TMP_SESS_FILE "extra/pki/session.pem"
#endif
static SSL_SESSION *
ssl_session_from_file(const char *filename)
......@@ -49,6 +55,8 @@ ssl_session_from_file(const char *filename)
return NULL;
sess = PEM_read_SSL_SESSION(f, NULL, NULL, NULL);
fclose(f);
/* to avoid having to regenerate the session, just bump its time */
SSL_SESSION_set_time(sess, time(NULL) - 1);
return sess;
}
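Review bot: same issue as the matching hunk in cachedsess.t.c: `SSL_SESSION_set_time(sess, time(NULL) - 1);` runs on the result of `PEM_read_SSL_SESSION` without a NULL check, so a missing or unparsable session file crashes the helper instead of making it return NULL. Add `if (sess)` around the call.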
......@@ -122,7 +130,7 @@ START_TEST(cache_ssess_03)
}
END_TEST
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
START_TEST(cache_ssess_04)
{
SSL_SESSION *s1, *s2;
......@@ -166,7 +174,7 @@ cachessess_suite(void)
tcase_add_test(tc, cache_ssess_01);
tcase_add_test(tc, cache_ssess_02);
tcase_add_test(tc, cache_ssess_03);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
tcase_add_test(tc, cache_ssess_04);
#endif
suite_add_tcase(s, tc);
......
......@@ -59,6 +59,7 @@ START_TEST(cache_tgcrt_01)
fail_unless(!!c1, "loading certificate failed");
cachemgr_tgcrt_set("daniel.roe.ch", c1);
c2 = cachemgr_tgcrt_get("daniel.roe.ch");
fail_unless(!!c2, "cache did not return a certificate");
fail_unless(c2 == c1, "cache did not return same pointer");
cert_free(c1);
cert_free(c2);
......@@ -110,8 +111,10 @@ START_TEST(cache_tgcrt_04)
cachemgr_fini();
fail_unless(c1->references == 1, "refcount != 1");
cert_free(c2);
#if 0
/* deliberate access of free'd cert_t* */
fail_unless(c1->references == 0, "refcount != 0");
#endif
fail_unless(cachemgr_preinit() != -1, "reinit");
}
END_TEST
......
......@@ -62,8 +62,10 @@ START_TEST(cert_refcount_inc_01)
cert_free(c);
fail_unless(c->references == 1, "refcount mismatch");
cert_free(c);
#if 0
/* deliberate access after last free() */
fail_unless(c->references == 0, "refcount mismatch");
#endif
}
END_TEST
......
......@@ -34,10 +34,16 @@
*/
/*
* User to drop privileges to by default.
* User to drop privileges to by default. This user needs to be allowed to
* create outbound TCP connections, and in some configurations, perform DNS
* resolution.
*
* Packagers may want to use a specific service user account instead of
* overloading nobody with yet another use case. Using nobody for source
* builds makes sense because chances are high that it exists.
* builds makes sense because chances are high that it exists. Good practice
* is to create a dedicated user for sslsplit.
*
* Make sure to also patch the manual page if you patch this.
*/
#define DFLT_DROPUSER "nobody"
......@@ -63,6 +69,17 @@
*/
#define DFLT_CURVE "prime256v1"
/*
* Default leaf key RSA keysize in bits.
*
* While browsers still generally accept it, use a leaf key size of 1024 bit
* for leaf keys. When browsers start to sunset 1024 bit RSA in leaf keys, we
* will need to make this value bigger, and/or configurable.
* Until then, users who want a different size can always use their own
* pre-generated leaf key instead of generating one automatically.
*/
#define DFLT_LEAFKEY_RSABITS 1024
#endif /* !DEFAULTS_H */
/* vim: set noet ft=c: */
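Review bot: `#define DFLT_LEAFKEY_RSABITS 1024` hard-codes a key size that is already below the 2048-bit minimum recommended for RSA and that the accompanying comment itself describes as a stopgap. Since this key protects every intercepted session and the comment notes the value will have to grow, consider defaulting to 2048 now or, at least, making it a configuration-file option rather than a compile-time constant, so packagers and users do not have to patch `defaults.h` to change it.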
/*-
* SSLsplit - transparent SSL/TLS interception
* https://www.roe.ch/SSLsplit
*
* Copyright (c) 2009-2018, Daniel Roethlisberger <daniel@roe.ch>.
* All rights reserved.
*