├── BSDmakefile ├── src ├── BSDmakefile ├── url.h ├── build.h ├── protoautossl.h ├── base64.h ├── protopassthrough.h ├── build.c ├── cachetgcrt.h ├── cachefkcrt.h ├── protopop3.h ├── cachessess.h ├── protosmtp.h ├── util.h ├── cachedsess.h ├── dynbuf.h ├── privsep.h ├── thrqueue.h ├── cert.h ├── nat.h ├── pxythrmgr.h ├── util.c ├── proxy.h ├── logpkt.h ├── proc.h ├── protohttp.h ├── attrib.h ├── logbuf.h ├── pxythr.h ├── protossl.h ├── sys.h ├── cache.h └── logger.h ├── .github ├── FUNDING.yml ├── workflows │ └── ci.yml ├── PULL_REQUEST_TEMPLATE.md └── ISSUE_TEMPLATE │ └── general_issue.md ├── tests ├── check │ ├── BSDmakefile │ ├── pki │ │ ├── BSDmakefile │ │ ├── x509v3ca.cnf │ │ ├── session.pem │ │ └── session-libressl-2.5.0.pem │ ├── engine │ │ ├── GNUmakefile │ │ └── dummy-engine.c │ ├── GNUmakefile │ ├── cachemgr.t.c │ ├── logbuf.t.c │ ├── cert.t.c │ └── defaults.t.c └── testproxy │ ├── users.db │ ├── BSDmakefile │ ├── lp │ ├── BSDmakefile │ ├── build.h │ ├── prototcp.h │ ├── privsep.h │ ├── build.c │ ├── lp.conf │ ├── thrqueue.h │ ├── proxy.h │ ├── pxythrmgr.h │ ├── defaults.h │ ├── pxythr.h │ ├── attrib.h │ ├── sys.h │ └── logbuf.h │ ├── payload_ocsp_denied_response.bin │ ├── verifypeer_testset_2.json │ ├── ssl_tcp_testends_testset_1.json │ ├── userauth_testset_1.json │ ├── verifypeer_testset_1.json │ ├── userauth_testset_2.json │ ├── ca_testset_1.json │ ├── ca_testset_2.json │ ├── server.crt │ ├── server2.crt │ ├── passthrough_testset_1.json │ ├── tcp_ssl_testends_testset_1.json │ ├── testharness_no_tls11.json │ ├── testharness_split_no_tls11.json │ ├── ssl_testset_6.json │ ├── testharness_split_openssl3.json │ ├── ca.crt │ ├── testharness_no_tls13.json │ ├── ca.key │ ├── ca2.key │ ├── testharness_split_no_tls13.json │ ├── ca2.crt │ ├── server.key │ ├── server2.key │ ├── testharness_split.json │ ├── testharness_openssl3.json │ ├── testharness.json │ ├── proto_validate_testset_1.json │ ├── proto_validate_testset_2.json │ ├── http_testset_3.json │ ├── 
ssl_testset_2.json │ ├── ssl_testset_3.json │ ├── ssl_testset_4.json │ └── GNUmakefile ├── extra ├── sslsplit.sh.in └── nssdebug │ ├── GNUmakefile │ └── snoop-nss-verify.c ├── SECURITY.md ├── LICENSE.contrib ├── LICENSE.third ├── LICENSE ├── Mk ├── xcode.mk ├── buildinfo.mk └── bin │ ├── install-opt.sh │ └── copyright.py ├── GNUmakefile ├── AUTHORS.md └── CONTRIBUTING.md /BSDmakefile: -------------------------------------------------------------------------------- 1 | all: 2 | @gmake $(.TARGETS) 3 | 4 | $(.TARGETS): all 5 | 6 | .PHONY: all 7 | -------------------------------------------------------------------------------- /src/BSDmakefile: -------------------------------------------------------------------------------- 1 | all: 2 | @gmake $(.TARGETS) 3 | 4 | $(.TARGETS): all 5 | 6 | .PHONY: all 7 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: sonertari 2 | thanks_dev: u/gh/sonertari 3 | buy_me_a_coffee: sonertari 4 | -------------------------------------------------------------------------------- /tests/check/BSDmakefile: -------------------------------------------------------------------------------- 1 | all: 2 | @gmake $(.TARGETS) 3 | 4 | $(.TARGETS): all 5 | 6 | .PHONY: all 7 | -------------------------------------------------------------------------------- /tests/testproxy/users.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sonertari/SSLproxy/HEAD/tests/testproxy/users.db -------------------------------------------------------------------------------- /tests/testproxy/BSDmakefile: -------------------------------------------------------------------------------- 1 | all: 2 | @gmake $(.TARGETS) 3 | 4 | $(.TARGETS): all 5 | 6 | .PHONY: all 7 | -------------------------------------------------------------------------------- 
/tests/testproxy/lp/BSDmakefile: -------------------------------------------------------------------------------- 1 | all: 2 | @gmake $(.TARGETS) 3 | 4 | $(.TARGETS): all 5 | 6 | .PHONY: all 7 | -------------------------------------------------------------------------------- /tests/check/pki/BSDmakefile: -------------------------------------------------------------------------------- 1 | USE_GNU: 2 | @gmake $(.TARGETS) 3 | 4 | $(.TARGETS): USE_GNU 5 | 6 | .PHONY: USE_GNU 7 | -------------------------------------------------------------------------------- /extra/sslsplit.sh.in: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | ulimit -n @@maxfds@@ 3 | export LD_LIBRARY_PATH=@@localbase@@/lib:"$LD_LIBRARY_PATH" 4 | exec @@prefix@@/bin/sslproxy "$@" 5 | -------------------------------------------------------------------------------- /tests/testproxy/payload_ocsp_denied_response.bin: -------------------------------------------------------------------------------- 1 | HTTP/1.0 200 OK 2 | Content-Type: application/ocsp-response 3 | Content-Length: 5 4 | Connection: close 5 | 6 | 0 7 |  -------------------------------------------------------------------------------- /extra/nssdebug/GNUmakefile: -------------------------------------------------------------------------------- 1 | all: snoop-nss-verify.so 2 | 3 | snoop-nss-verify.so: snoop-nss-verify.c 4 | $(CC) -shared -fPIC -o $@ $< -ldl 5 | 6 | clean: 7 | rm -f snoop-nss-verify.so 8 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security 2 | 3 | Please report all security issues privately to 4 | [Soner Tari](mailto:sonertari@gmail.com). 
5 | 6 | The maintainers pledge to act on all reported security issues in a timely and 7 | professional manner, working with the reporter to reproduce, understand, 8 | address and disclose vulnerabilities in a coordinated manner. For critical 9 | vulnerabilities, we will prepare a bugfix release based on the last release, 10 | obtain CVE numbers and notify distributions shipping affected packages in 11 | advance of the release. 12 | 13 | -------------------------------------------------------------------------------- /LICENSE.contrib: -------------------------------------------------------------------------------- 1 | By contributing to the software, the contributor releases their contribution 2 | under the copyright and license terms of this software. While contributors 3 | retain copyright to their contributions, they grant the main copyright holder 4 | of the software the irrevocable, transferable right to relicense the software 5 | as a whole or in part, including their contributions, under different open 6 | source licenses than the one currently used. 7 | 8 | Third-party components included as documented in `LICENSE.third` and the 9 | respective source files do not constitute contribution in this sense and retain 10 | their original copyright and license terms. 
11 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: Build and Test 2 | 3 | on: 4 | push: 5 | branches: [ develop, master ] 6 | pull_request: 7 | branches: [ develop, master ] 8 | workflow_dispatch: 9 | 10 | jobs: 11 | build-and-test: 12 | runs-on: ubuntu-latest 13 | 14 | steps: 15 | - name: Checkout code 16 | uses: actions/checkout@v4 17 | 18 | - name: Install dependencies 19 | run: | 20 | sudo apt-get update 21 | sudo apt-get install -y build-essential libevent-dev libssl-dev libnet1-dev libpcap-dev libsqlite3-dev check 22 | 23 | - name: Build 24 | run: make 25 | 26 | - name: Run unit tests 27 | run: make unittest 28 | 29 | - name: Print version 30 | run: src/sslproxy -V 31 | -------------------------------------------------------------------------------- /tests/check/engine/GNUmakefile: -------------------------------------------------------------------------------- 1 | UNAME_S:= $(shell uname -s) 2 | 3 | ifdef OPENSSL_FOUND 4 | OPENSSL_BASE= $(OPENSSL_FOUND) 5 | else 6 | ifndef OPENSSL_BASE 7 | OPENSSL_BASE= $(shell pkg-config --variable=prefix openssl) 8 | endif 9 | endif 10 | 11 | ifeq ($(UNAME_S),Darwin) 12 | SUFFIX:= dylib 13 | #CFLAGS+= -arch i386 14 | #CFLAGS+= -arch x86_64 15 | #CFLAGS+= -arch arm64 16 | else 17 | SUFFIX:= so 18 | endif 19 | 20 | CFLAGS+= -fPIC -I$(OPENSSL_BASE)/include 21 | LDFLAGS+= -L$(OPENSSL_BASE)/lib 22 | LIBS+= -lcrypto 23 | 24 | TARGET= dummy-engine 25 | 26 | all: $(TARGET).$(SUFFIX) 27 | 28 | $(TARGET).$(SUFFIX): $(TARGET).c GNUmakefile 29 | $(CC) -shared $(CFLAGS) $(LDFLAGS) -o $@ $< $(LIBS) 30 | 31 | clean: 32 | rm -f $(TARGET).$(SUFFIX) 33 | 34 | .PHONY: all clean 35 | -------------------------------------------------------------------------------- /tests/check/pki/x509v3ca.cnf: -------------------------------------------------------------------------------- 1 | [ req ] 2 | 
distinguished_name = reqdn 3 | 4 | [ reqdn ] 5 | 6 | [ v3_ca ] 7 | basicConstraints = CA:TRUE 8 | subjectKeyIdentifier = hash 9 | authorityKeyIdentifier = keyid:always,issuer:always 10 | 11 | [ v3_crt ] 12 | basicConstraints = CA:FALSE 13 | subjectKeyIdentifier = hash 14 | authorityKeyIdentifier = keyid:always,issuer:always 15 | authorityInfoAccess = OCSP;URI:http://daniel.roe.ch/test/ocsp 16 | crlDistributionPoints = URI:http://daniel.roe.ch/test/crl 17 | subjectAltName = dirName:s1n,DNS:daniel.roe.ch,IP:127.0.0.1,email:daniel@roe.ch,DNS:www.roe.ch,DNS:*.roe.ch 18 | 19 | [ s1n ] 20 | C=CH 21 | O=SSLsplit Test Certificate 22 | CN=daniel.roe.ch 23 | 24 | -------------------------------------------------------------------------------- /tests/testproxy/verifypeer_testset_2.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for VerifyPeer", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "ssl" 7 | }, 8 | "client": { 9 | "ip": "127.0.0.1", 10 | "port": "8456" 11 | }, 12 | "server": { 13 | "ip": "127.0.0.1", 14 | "port": "9456", 15 | "crt": "server.crt", 16 | "key": "server.key" 17 | } 18 | } 19 | }, 20 | "tests": { 21 | "1": { 22 | "comment": "Rejects peer with verification", 23 | "states": { 24 | "1": { 25 | "testend": "client", 26 | "cmd": "sslconnectfail", 27 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n" 28 | }, 29 | "2": { 30 | "testend": "server", 31 | "cmd": "timeout", 32 | "payload": "" 33 | } 34 | } 35 | } 36 | } 37 | } -------------------------------------------------------------------------------- /tests/testproxy/ssl_tcp_testends_testset_1.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for ssl connection on tcp proxyspec", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | }, 7 | "client": { 8 | "proto": "ssl", 9 | "ip": "127.0.0.1", 10 | "port": "8183" 11 | }, 12 | "server": { 13 | "proto": "tcp", 14 | "ip": 
"127.0.0.1", 15 | "port": "9183" 16 | } 17 | } 18 | }, 19 | "tests": { 20 | "1": { 21 | "comment": "Does not accept ssl connection on tcp proxyspec if validating HTTP only", 22 | "states": { 23 | "1": { 24 | "testend": "client", 25 | "cmd": "sslconnectfail", 26 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n" 27 | }, 28 | "2": { 29 | "testend": "server", 30 | "cmd": "recv", 31 | "payload": "" 32 | } 33 | } 34 | } 35 | } 36 | } -------------------------------------------------------------------------------- /tests/testproxy/userauth_testset_1.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for UserAuth with TCP", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "tcp" 7 | }, 8 | "client": { 9 | "ip": "127.0.0.1", 10 | "port": "8187" 11 | }, 12 | "server": { 13 | "ip": "127.0.0.1", 14 | "port": "9187" 15 | } 16 | } 17 | }, 18 | "tests": { 19 | "1": { 20 | "comment": "Rejects IP with user auth enabled", 21 | "states": { 22 | "1": { 23 | "testend": "client", 24 | "cmd": "send", 25 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 26 | "comment": "SSLproxy rejects conn because it cannot find the ethernet address of the client" 27 | }, 28 | "2": { 29 | "testend": "server", 30 | "cmd": "recv", 31 | "payload": "" 32 | } 33 | } 34 | } 35 | } 36 | } -------------------------------------------------------------------------------- /tests/testproxy/verifypeer_testset_1.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for VerifyPeer", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "ssl" 7 | }, 8 | "client": { 9 | "ip": "127.0.0.1", 10 | "port": "8455" 11 | }, 12 | "server": { 13 | "ip": "127.0.0.1", 14 | "port": "9455", 15 | "crt": "server.crt", 16 | "key": "server.key" 17 | } 18 | } 19 | }, 20 | "tests": { 21 | "1": { 22 | "comment": "Accepts peer without verification", 23 | "states": { 24 | "1": { 25 | 
"testend": "client", 26 | "cmd": "send", 27 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n" 28 | }, 29 | "2": { 30 | "testend": "server", 31 | "cmd": "recv", 32 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n" 33 | } 34 | } 35 | } 36 | } 37 | } -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | # Pull Request 2 | 3 | Thank you for your contribution! 4 | 5 | Please use this template to help us review your changes efficiently. 6 | 7 | --- 8 | 9 | ## Description 10 | 11 | - What does this PR do? 12 | - What problem does it solve or what feature does it add? 13 | - Is this related to an open issue? If so, reference it here. 14 | 15 | ## Checklist 16 | 17 | - [ ] I have read and agreed to the [Code of Conduct](../CODE_OF_CONDUCT.md). 18 | - [ ] I have read the [Contributing Guidelines](../CONTRIBUTING.md). 19 | - [ ] My code builds and passes all tests (`make test` or equivalent). 20 | - [ ] I have added or updated documentation as needed. 21 | - [ ] I have tested the changes and verified new and existing functionality works as expected. 22 | 23 | ## Additional Information 24 | 25 | - Any special instructions for testing? 26 | - Screenshots, logs, or other supporting materials, if applicable. 
27 | 28 | --- 29 | 30 | *Thank you for helping to improve this project!* -------------------------------------------------------------------------------- /tests/testproxy/userauth_testset_2.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for UserAuth with SSL", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "ssl" 7 | }, 8 | "client": { 9 | "ip": "127.0.0.1", 10 | "port": "8459" 11 | }, 12 | "server": { 13 | "ip": "127.0.0.1", 14 | "port": "9459", 15 | "crt": "server.crt", 16 | "key": "server.key" 17 | } 18 | } 19 | }, 20 | "tests": { 21 | "1": { 22 | "comment": "Rejects IP with user auth enabled", 23 | "states": { 24 | "1": { 25 | "testend": "client", 26 | "cmd": "sslconnectfail", 27 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 28 | "comment": "SSLproxy rejects conn because it cannot find the ethernet address of the client" 29 | }, 30 | "2": { 31 | "testend": "server", 32 | "cmd": "recv", 33 | "payload": "" 34 | } 35 | } 36 | } 37 | } 38 | } -------------------------------------------------------------------------------- /tests/testproxy/ca_testset_1.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for CACert/CAKey", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "ssl" 7 | }, 8 | "client": { 9 | "ip": "127.0.0.1", 10 | "port": "8457" 11 | }, 12 | "server": { 13 | "ip": "127.0.0.1", 14 | "port": "9457", 15 | "crt": "server.crt", 16 | "key": "server.key" 17 | } 18 | } 19 | }, 20 | "tests": { 21 | "1": { 22 | "comment": "Forges certs using the global CA cert/key pair", 23 | "states": { 24 | "1": { 25 | "testend": "client", 26 | "cmd": "send", 27 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 28 | "assert": { 29 | "peer_certificate": { 30 | "==": [ 31 | "TR, Antalya, Serik, ComixWall, SSLproxy, comixwall.org, sonertari@gmail.com" 32 | ] 33 | } 34 | } 35 | }, 36 | "2": { 37 | "testend": 
"server", 38 | "cmd": "recv", 39 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n" 40 | } 41 | } 42 | } 43 | } 44 | } -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/general_issue.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: General Issue 3 | about: Report a bug or request a feature. For support, please use Stack Exchange. 4 | --- 5 | 6 | Please only open issues for bug reports or feature requests. 7 | The developers do not have the resources to provide individual support. 8 | For support, please turn to the most applicable Stack Exchange site, such as 9 | [Information Security](https://security.stackexchange.com/), 10 | [Network Engineering](https://networkengineering.stackexchange.com/) or 11 | [Super User](https://superuser.com/). 12 | 13 | --- 14 | 15 | ### For bug reports, please supply: 16 | 17 | - Output of `sslproxy -V` 18 | - Output of `uname -a` 19 | - Exact command line arguments used to run `sslproxy` 20 | - Relevant part of debug mode (-D) output, if applicable 21 | - NAT redirection rules you are using, if applicable 22 | - List of failing unit tests in `make test` output 23 | - Other relevant data such as PCAPs, logs, screenshots etc 24 | 25 | --- 26 | 27 | ### For build problems, please supply: 28 | 29 | - Output of `uname -a` 30 | - Full output of failed `make` including the header 31 | - Version and origin of OpenSSL used 32 | - Version and origin of libevent used 33 | -------------------------------------------------------------------------------- /LICENSE.third: -------------------------------------------------------------------------------- 1 | The software includes the following third-party source code components with 2 | different copyright and license terms: 3 | 4 | khash.h: 5 | 6 | Copyright (c) 2008, 2009, 2011, Attractive Chaos. 7 | Licensed under the MIT license. 
8 | https://github.com/attractivechaos/klib 9 | 10 | xnu/xnu-*: 11 | 12 | Copyright (c) 1988-2017, Apple Inc. and original copyright holders. 13 | Licensed under the APSL. 14 | https://opensource.apple.com/ 15 | 16 | extra/log*.py: 17 | 18 | Copyright (C) 2015, Maciej Kotowicz and Daniel Roethlisberger. 19 | Licensed under a 2-clause BSD license. 20 | 21 | Mk/xcode.mk: 22 | 23 | Copyright (c) Daniel Roethlisberger. 24 | Released under the Unlicense. 25 | https://github.com/droe/example.kext 26 | 27 | kbtree.h: 28 | 29 | Copyright 1997-1999, 2001, John-Mark Gurney. 30 | 2008-2009, Attractive Chaos. 31 | Licensed under a 2-clause BSD license. 32 | https://github.com/attractivechaos/klib 33 | 34 | aho_corasick_template*.h: 35 | 36 | Copyright 2017 Laurent Farhi 37 | Licensed under the LGPL-3.0. 38 | https://github.com/farhiongit/aho-corasick-1975 39 | 40 | See the respective source and/or license files for details. 41 | See the 'extra' folder for the full text of the GPL and LGPL licenses. 
42 | -------------------------------------------------------------------------------- /tests/testproxy/ca_testset_2.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for CACert/CAKey", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "ssl" 7 | }, 8 | "client": { 9 | "ip": "127.0.0.1", 10 | "port": "8458" 11 | }, 12 | "server": { 13 | "ip": "127.0.0.1", 14 | "port": "9458", 15 | "crt": "server2.crt", 16 | "key": "server2.key", 17 | "comment": "We need a crt/key pair different from the other tests to avoid cache HIT" 18 | } 19 | } 20 | }, 21 | "tests": { 22 | "1": { 23 | "comment": "Forges certs using the proxyspec CA cert/key pair", 24 | "states": { 25 | "1": { 26 | "testend": "client", 27 | "cmd": "send", 28 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 29 | "assert": { 30 | "peer_certificate": { 31 | "==": [ 32 | "NZ, Wellington, Lower Hutt, ComixWallNZ, UTMFW, comixwallnz.org, sonertari@gmail.com" 33 | ] 34 | } 35 | } 36 | }, 37 | "2": { 38 | "testend": "server", 39 | "cmd": "recv", 40 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n" 41 | } 42 | } 43 | } 44 | } 45 | } -------------------------------------------------------------------------------- /tests/testproxy/server.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDlDCCAnwCAQEwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAlRSMRAwDgYD 3 | VQQIDAdBbnRhbHlhMQ4wDAYDVQQHDAVTZXJpazESMBAGA1UECgwJQ29taXhXYWxs 4 | MQ4wDAYDVQQLDAVVVE1GVzEWMBQGA1UEAwwNY29taXh3YWxsLm9yZzEiMCAGCSqG 5 | SIb3DQEJARYTc29uZXJ0YXJpQGdtYWlsLmNvbTAeFw0xOTA0MjcxMjIyNDlaFw0y 6 | MDA0MjYxMjIyNDlaMIGPMQswCQYDVQQGEwJUUjEQMA4GA1UECAwHQW50YWx5YTEO 7 | MAwGA1UEBwwFU2VyaWsxEjAQBgNVBAoMCUNvbWl4V2FsbDEOMAwGA1UECwwFVVRN 8 | RlcxFjAUBgNVBAMMDWNvbWl4d2FsbC5vcmcxIjAgBgkqhkiG9w0BCQEWE3NvbmVy 9 | dGFyaUBnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDl 10 | 
KmwGjqh9BCtLRPM2VZBI0N7WM0ihygo21bp3f/Hb4/WH1+yxy5evqM96rlQz1z+l 11 | CP72AU5+qPf3niXXvYBqyXl0kd/ZlQ50qkUdvO85ttFcwZqCaZeEhJNeh+R0cUfj 12 | A0JBfJJf20sTTpRj0+GNHOtfoGoT9AI60TPZDygh62qRGWwxhfESc9g2UIu4Zbzc 13 | llBa+mi+sqkI+HRoJyT0f/QBK1yGRNYbZ3uChuKW4fBSfXQMzftK80kMpzRtLSUP 14 | TfKoUWcl/PMedyeRH4xOwmj79UrQkN8Nw/fX9N7EheUesxmUMri5KbaHtmWsCgd7 15 | vdAlZWR9Mkp6AmJihe69AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAELYz1kevbF2 16 | 8evTEUKf2MzWx4NXnpVeYvHKYQaZhs9Q8fbjRpPUfOv43QQoBQf8GObxXTikjne/ 17 | Egz+abXY99jvckc2SuU72EHq1wtnjcy6pkCiZ1X1NUlcjKvNWjFpzbqnZtMG+8/b 18 | qcTtz72HhEfu1yMk0v9yja0n7MIhTHDCXT25DhKE/kDEyUGyIIUEqOrmvloQcrpO 19 | LmXlLfh92tMh+3hcE/NdfwzUB+KcKFffYxbGcKDq3QjqxALzZQNjWKIcLIemjAbS 20 | EXrmlT7pO2aSXGY5W5cq/k4M9teZd19lRxd7NlIXxQ0nqfLLKAfModpto9buvVnY 21 | NLTngehTe2k= 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /tests/testproxy/server2.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDrDCCApQCAQAwDQYJKoZIhvcNAQELBQAwgZsxCzAJBgNVBAYTAk5aMRMwEQYD 3 | VQQIDApXZWxsaW5ndG9uMRMwEQYDVQQHDApMb3dlciBIdXR0MRQwEgYDVQQKDAtD 4 | b21peFdhbGxOWjEOMAwGA1UECwwFVVRNRlcxGDAWBgNVBAMMD2NvbWl4d2FsbG56 5 | Lm9yZzEiMCAGCSqGSIb3DQEJARYTc29uZXJ0YXJpQGdtYWlsLmNvbTAeFw0xOTA3 6 | MTYyMDE2MzFaFw0yMDA3MTUyMDE2MzFaMIGbMQswCQYDVQQGEwJOWjETMBEGA1UE 7 | CAwKV2VsbGluZ3RvbjETMBEGA1UEBwwKTG93ZXIgSHV0dDEUMBIGA1UECgwLQ29t 8 | aXhXYWxsTloxDjAMBgNVBAsMBVVUTUZXMRgwFgYDVQQDDA9jb21peHdhbGxuei5v 9 | cmcxIjAgBgkqhkiG9w0BCQEWE3NvbmVydGFyaUBnbWFpbC5jb20wggEiMA0GCSqG 10 | SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrsqnVqGCBiBCpU0isyxlLiN9OGs/Re3ZZ 11 | ZEr9wVdEyn7x3UVmdYcYBrLwhCTVW1NRsJ1fVh4dQwDSC0fMENdsyNmhMt9yDO7P 12 | QGMvVu/ILzsBJJLUfyzzqffTsZfujQ7ftQu87zEgoy+91dehpjpH3/7NhwkjHkc4 13 | /a08EhhBbbYIgrjwaXbZLAvJOjQoPM5UHqK34i1uzCleFnI17hDzkZjNfbnk6TYv 14 | 5PLWLaGpRhQ39upg1hrvbTIHtF9eoBryApNyR5emYrQUGih26HszfefCg8vswI+e 15 | 
Cm2E5saSrrJWN7PF44yTsCgGkTV/Co1rNap0ATwyDsP4jGIGTaLrAgMBAAEwDQYJ 16 | KoZIhvcNAQELBQADggEBAJ9j+EQj/+JvOG890TtxS7RZG/FjKJjJ9I/WzKadpzaG 17 | fHlqDwz6xK3Z7LusxawXf+/NN3SmXRydRloHEYIGBk0x9DfIpzD/bXoD81+37vCD 18 | 2W1D7WrUAjnvdHr4P6bGIJLf8chZEKBV1UKV187iCvdXunV1TxZYV1Yp7ZayLlJD 19 | /cyEP5CY/ZFVXN17i/XfqiUt8tiX+P8gzI0snbfKXADcbR3ki4iZ7jtM4vP1FLsJ 20 | NvJJEvtc3+Ujifiyl8w0g4LF/tFStcQmXOfU1j6egj0a7RBItyfovEbRZWCAa5fV 21 | EKLkrXZROnLubRVZ4gPuwvSPZf3gvFsHaiYYsCrG5Jw= 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /tests/testproxy/passthrough_testset_1.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for Passthrough", 3 | "configs": { 4 | "1": { 5 | "comment": "Passthrough should behave similar to direct connection, so test direct connection first", 6 | "proto": { 7 | "proto": "ssl", 8 | "verify_peer": "no" 9 | }, 10 | "client": { 11 | "ip": "127.0.0.1", 12 | "port": "9454" 13 | }, 14 | "server": { 15 | "ip": "127.0.0.1", 16 | "port": "9454", 17 | "crt": "server.crt", 18 | "key": "server.key" 19 | } 20 | }, 21 | "2": { 22 | "proto": { 23 | "proto": "ssl", 24 | "verify_peer": "no" 25 | }, 26 | "client": { 27 | "ip": "127.0.0.1", 28 | "port": "8454" 29 | }, 30 | "server": { 31 | "ip": "127.0.0.1", 32 | "port": "9454", 33 | "crt": "server.crt", 34 | "key": "server.key" 35 | } 36 | } 37 | }, 38 | "tests": { 39 | "1": { 40 | "comment": "Passes conn through if ssl handshake fails", 41 | "states": { 42 | "1": { 43 | "testend": "client", 44 | "cmd": "send", 45 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n" 46 | }, 47 | "2": { 48 | "testend": "server", 49 | "cmd": "recv", 50 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n" 51 | } 52 | } 53 | } 54 | } 55 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 
1 | BSD 2-Clause License 2 | 3 | Copyright (c) 2017-2025, Soner Tari. 4 | Copyright (c) 2009-2019, Daniel Roethlisberger and contributors. 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 1. Redistributions of source code must retain the above copyright notice, 10 | this list of conditions and the following disclaimer. 11 | 2. Redistributions in binary form must reproduce the above copyright notice, 12 | this list of conditions and the following disclaimer in the documentation 13 | and/or other materials provided with the distribution. 14 | 15 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 16 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 | ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 19 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 | POSSIBILITY OF SUCH DAMAGE. 26 | -------------------------------------------------------------------------------- /Mk/xcode.mk: -------------------------------------------------------------------------------- 1 | # macOS Xcode and SDK selection makefile 2 | # Authored 2018, Daniel Roethlisberger 3 | # Provided under the Unlicense 4 | # https://github.com/droe/example.kext 5 | 6 | # DEVELOPER_DIR override Xcode Command Line Developer Tools directory 7 | # MACOSX_VERSION_MIN minimal version of macOS to target, e.g. 
10.11 8 | # SDK SDK name to build against (e.g. macosx, macosx10.11, ...); 9 | # for kernel extensions, use macosx$(MACOSX_VERSION_MIN) 10 | 11 | # target specific macOS min version 12 | ifdef MACOSX_VERSION_MIN 13 | CFLAGS+= -mmacosx-version-min=$(MACOSX_VERSION_MIN) 14 | LDFLAGS+= -mmacosx-version-min=$(MACOSX_VERSION_MIN) 15 | endif 16 | 17 | # select specific Xcode 18 | ifdef DEVELOPER_DIR 19 | ifndef SDK 20 | SDK:= macosx 21 | endif 22 | else 23 | DEVELOPER_DIR:= $(shell xcode-select -p) 24 | endif 25 | 26 | # activate the selected Xcode and SDK 27 | ifdef SDK 28 | SDKPATH:= $(shell DEVELOPER_DIR="$(DEVELOPER_DIR)" xcrun -find -sdk $(SDK) --show-sdk-path||echo none) 29 | ifeq "$(SDKPATH)" "none" 30 | $(error SDK not found) 31 | endif 32 | CPPFLAGS+= -isysroot $(SDKPATH) 33 | LDFLAGS+= -isysroot $(SDKPATH) 34 | CC:= $(shell DEVELOPER_DIR="$(DEVELOPER_DIR)" xcrun -find -sdk $(SDK) cc||echo false) 35 | CXX:= $(shell DEVELOPER_DIR="$(DEVELOPER_DIR)" xcrun -find -sdk $(SDK) c++||echo false) 36 | CODESIGN:= $(shell DEVELOPER_DIR="$(DEVELOPER_DIR)" xcrun -find -sdk $(SDK) codesign||echo false) 37 | else 38 | CC?= cc 39 | CXX?= c++ 40 | CODESIGN?= codesign 41 | endif 42 | 43 | -------------------------------------------------------------------------------- /tests/testproxy/tcp_ssl_testends_testset_1.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for tcp connection over ssl proxyspec", 3 | "configs": { 4 | "1": { 5 | "comment": "Test should pass without proto validation enabled", 6 | "proto": { 7 | "comment": "Test config should always have the proto key" 8 | }, 9 | "client": { 10 | "proto": "tcp", 11 | "ip": "127.0.0.1", 12 | "port": "8441" 13 | }, 14 | "server": { 15 | "proto": "ssl", 16 | "ip": "127.0.0.1", 17 | "port": "9441", 18 | "crt": "server.crt", 19 | "key": "server.key" 20 | } 21 | }, 22 | "2": { 23 | "comment": "Test should pass with proto validation enabled", 24 | "proto": { 25 | }, 26 | 
"client": { 27 | "proto": "tcp", 28 | "ip": "127.0.0.1", 29 | "port": "8442" 30 | }, 31 | "server": { 32 | "proto": "ssl", 33 | "ip": "127.0.0.1", 34 | "port": "9442", 35 | "crt": "server.crt", 36 | "key": "server.key" 37 | } 38 | } 39 | }, 40 | "tests": { 41 | "1": { 42 | "comment": "Does not pass tcp connection over ssl proxyspec", 43 | "states": { 44 | "1": { 45 | "testend": "client", 46 | "cmd": "send", 47 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n" 48 | }, 49 | "2": { 50 | "testend": "server", 51 | "cmd": "timeout", 52 | "payload": "" 53 | } 54 | } 55 | } 56 | } 57 | } -------------------------------------------------------------------------------- /tests/testproxy/testharness_no_tls11.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "SSLproxy tests", 3 | "testharnesses": { 4 | "1": { 5 | "comment": "HTTP tests", 6 | "testsets": { 7 | "1": "http_testset_1.json", 8 | "2": "http_testset_2.json", 9 | "3": "http_testset_3.json" 10 | } 11 | }, 12 | "2": { 13 | "comment": "SSL config tests", 14 | "testsets": { 15 | "1": "ssl_testset_2.json" 16 | } 17 | }, 18 | "3": { 19 | "comment": "Protocol validation tests", 20 | "testsets": { 21 | "1": "tcp_ssl_testends_testset_1.json", 22 | "2": "ssl_tcp_testends_testset_1.json", 23 | "3": "proto_validate_testset_1.json", 24 | "4": "proto_validate_testset_2.json", 25 | "5": "proto_validate_testset_3.json", 26 | "6": "proto_validate_testset_4.json" 27 | } 28 | }, 29 | "4": { 30 | "comment": "Various option tests", 31 | "testsets": { 32 | "1": "passthrough_testset_1.json", 33 | "2": "verifypeer_testset_1.json", 34 | "3": "verifypeer_testset_2.json", 35 | "4": "ca_testset_1.json", 36 | "5": "ca_testset_2.json", 37 | "6": "userauth_testset_1.json", 38 | "7": "userauth_testset_2.json" 39 | } 40 | }, 41 | "5": { 42 | "comment": "Filtering rules tests", 43 | "testsets": { 44 | "1": "filter_divert_testset_1.json", 45 | "2": "filter_split_testset_1.json", 46 | 
"3": "filter_pass_testset_1.json", 47 | "4": "filter_block_testset_1.json" 48 | } 49 | } 50 | } 51 | } -------------------------------------------------------------------------------- /tests/testproxy/testharness_split_no_tls11.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "SSLproxy split mode tests", 3 | "testharnesses": { 4 | "1": { 5 | "comment": "HTTP tests", 6 | "testsets": { 7 | "1": "http_testset_split_1.json", 8 | "2": "http_testset_2.json", 9 | "3": "http_testset_3.json" 10 | } 11 | }, 12 | "2": { 13 | "comment": "SSL config tests", 14 | "testsets": { 15 | "1": "ssl_testset_2.json" 16 | } 17 | }, 18 | "3": { 19 | "comment": "Protocol validation tests", 20 | "testsets": { 21 | "1": "tcp_ssl_testends_testset_1.json", 22 | "2": "ssl_tcp_testends_testset_1.json", 23 | "3": "proto_validate_testset_1.json", 24 | "4": "proto_validate_testset_2.json", 25 | "5": "proto_validate_testset_3.json", 26 | "6": "proto_validate_testset_split_4.json" 27 | } 28 | }, 29 | "4": { 30 | "comment": "Various option tests", 31 | "testsets": { 32 | "1": "passthrough_testset_1.json", 33 | "2": "verifypeer_testset_1.json", 34 | "3": "verifypeer_testset_2.json", 35 | "4": "ca_testset_1.json", 36 | "5": "ca_testset_2.json", 37 | "6": "userauth_testset_1.json", 38 | "7": "userauth_testset_2.json" 39 | } 40 | }, 41 | "5": { 42 | "comment": "Filtering rules tests", 43 | "testsets": { 44 | "1": "filter_divert_testset_1.json", 45 | "2": "filter_split_testset_1.json", 46 | "3": "filter_pass_testset_1.json", 47 | "4": "filter_block_testset_1.json" 48 | } 49 | } 50 | } 51 | } -------------------------------------------------------------------------------- /tests/testproxy/ssl_testset_6.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for SSL configuration: Rejects unsupported SSL/TLS proto", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "ssl", 7 | "no_ssl2": 
"yes", 8 | "no_ssl3": "yes", 9 | "no_tls10": "yes", 10 | "no_tls11": "yes", 11 | "no_tls12": "no", 12 | "no_tls13": "yes" 13 | }, 14 | "client": { 15 | "ip": "127.0.0.1", 16 | "port": "8452" 17 | }, 18 | "server": { 19 | "ip": "127.0.0.1", 20 | "port": "9452", 21 | "crt": "server.crt", 22 | "key": "server.key" 23 | } 24 | }, 25 | "2": { 26 | "proto": { 27 | "proto": "ssl", 28 | "no_ssl2": "yes", 29 | "no_ssl3": "yes", 30 | "no_tls10": "no", 31 | "no_tls11": "yes", 32 | "no_tls12": "yes", 33 | "no_tls13": "yes" 34 | }, 35 | "client": { 36 | "ip": "127.0.0.1", 37 | "port": "8453" 38 | }, 39 | "server": { 40 | "ip": "127.0.0.1", 41 | "port": "9453", 42 | "crt": "server.crt", 43 | "key": "server.key" 44 | } 45 | } 46 | }, 47 | "tests": { 48 | "1": { 49 | "comment": "Rejects tls10 over tls12 and tls12 over tls10 proxyspecs", 50 | "states": { 51 | "1": { 52 | "testend": "client", 53 | "cmd": "sslconnectfail", 54 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n" 55 | }, 56 | "2": { 57 | "testend": "server", 58 | "cmd": "timeout", 59 | "payload": "" 60 | } 61 | } 62 | } 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /tests/testproxy/testharness_split_openssl3.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "SSLproxy split mode tests", 3 | "testharnesses": { 4 | "1": { 5 | "comment": "HTTP tests", 6 | "testsets": { 7 | "1": "http_testset_split_1.json", 8 | "2": "http_testset_2.json", 9 | "3": "http_testset_3.json" 10 | } 11 | }, 12 | "2": { 13 | "comment": "SSL config tests", 14 | "testsets": { 15 | "1": "ssl_testset_4.json", 16 | "2": "ssl_testset_5.json", 17 | "3": "ssl_testset_6.json" 18 | } 19 | }, 20 | "3": { 21 | "comment": "Protocol validation tests", 22 | "testsets": { 23 | "1": "tcp_ssl_testends_testset_1.json", 24 | "2": "ssl_tcp_testends_testset_1.json", 25 | "3": "proto_validate_testset_1.json", 26 | "4": "proto_validate_testset_2.json", 27 | 
"5": "proto_validate_testset_3.json", 28 | "6": "proto_validate_testset_split_4.json" 29 | } 30 | }, 31 | "4": { 32 | "comment": "Various option tests", 33 | "testsets": { 34 | "1": "passthrough_testset_1.json", 35 | "2": "verifypeer_testset_1.json", 36 | "3": "verifypeer_testset_2.json", 37 | "4": "ca_testset_1.json", 38 | "5": "ca_testset_2.json", 39 | "6": "userauth_testset_1.json", 40 | "7": "userauth_testset_2.json" 41 | } 42 | }, 43 | "5": { 44 | "comment": "Filtering rules tests", 45 | "testsets": { 46 | "1": "filter_divert_testset_1.json", 47 | "2": "filter_split_testset_1.json", 48 | "3": "filter_pass_testset_1.json", 49 | "4": "filter_block_testset_1.json" 50 | } 51 | } 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /tests/testproxy/ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIElDCCA3ygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkjELMAkGA1UEBhMCVFIx 3 | EDAOBgNVBAgMB0FudGFseWExDjAMBgNVBAcMBVNlcmlrMRIwEAYDVQQKDAlDb21p 4 | eFdhbGwxETAPBgNVBAsMCFNTTHByb3h5MRYwFAYDVQQDDA1jb21peHdhbGwub3Jn 5 | MSIwIAYJKoZIhvcNAQkBFhNzb25lcnRhcmlAZ21haWwuY29tMB4XDTE5MDQyNzEy 6 | MTY0MloXDTIwMDQyNjEyMTY0MlowgZIxCzAJBgNVBAYTAlRSMRAwDgYDVQQIDAdB 7 | bnRhbHlhMQ4wDAYDVQQHDAVTZXJpazESMBAGA1UECgwJQ29taXhXYWxsMREwDwYD 8 | VQQLDAhTU0xwcm94eTEWMBQGA1UEAwwNY29taXh3YWxsLm9yZzEiMCAGCSqGSIb3 9 | DQEJARYTc29uZXJ0YXJpQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP 10 | ADCCAQoCggEBANU+3/V8KIBopview+Kg3q4c2FRyR9SIe87sXhxGrHhAdQqmfhGv 11 | 7BcdLeROxjGHNmJkXJTD9yH0RY9C3cYdySwPx6sRrrQlHvKHLLPSs6xnPMDMnjwf 12 | BLxZRI5njZ+UI2FiqAnAxqy5DQn21N803gBlAG1YbWguDF7m8h0bkGmFKjXXBllU 13 | h3qZf/mYPV9TdIj7daUkz/4ZxkKfrwRYkCdet+b5jBFTaWYkakMaE62XjRS2TpYB 14 | 3UDrrnuwbR79NU54C4GlNV2i0sARRpK31baiuap40Nhz5wSfHwvMP+x+I+IsBhEW 15 | KePs/HWD2eOetsCy1rDEhi1Tpc+AKvGmqpECAwEAAaOB8jCB7zAMBgNVHRMEBTAD 16 | AQH/MB0GA1UdDgQWBBTtGNULL6e88kyjlAnOpyX6jX4M0TCBvwYDVR0jBIG3MIG0 17 | 
gBTtGNULL6e88kyjlAnOpyX6jX4M0aGBmKSBlTCBkjELMAkGA1UEBhMCVFIxEDAO 18 | BgNVBAgMB0FudGFseWExDjAMBgNVBAcMBVNlcmlrMRIwEAYDVQQKDAlDb21peFdh 19 | bGwxETAPBgNVBAsMCFNTTHByb3h5MRYwFAYDVQQDDA1jb21peHdhbGwub3JnMSIw 20 | IAYJKoZIhvcNAQkBFhNzb25lcnRhcmlAZ21haWwuY29tggEBMA0GCSqGSIb3DQEB 21 | CwUAA4IBAQAe3v0HBHuJbLbDOUDXcBxg8LXRfwatDcrAwktn1mYctMjJAI7zRhDy 22 | Y+Sm9Ke4VhBUWwdqgYEv7mQDkoUsaZ0+do+kgbIiCOwNwifPh8UuqTK1Kq7/BNYq 23 | UghtJFZKreB3CJDAyCzpK+fiXUnPpo8hdEnAUQDfGhDilmmb0VizdiINxRZqUkhZ 24 | LAmaHC9G56uO9zQKF7j1ngXeQ17pxn2XHkv53DRpcBFxNq4mX75O6dagKAmhllUw 25 | E2UCw5dOfHgoMJy2Cesvu+vr87MRfRH3MKw4dvOYFPEyMaBB6nZnScRiKZArSdlh 26 | frqk1iL+PKJAKeaY9AqR6+bAPXbsr8hb 27 | -----END CERTIFICATE----- 28 | -------------------------------------------------------------------------------- /tests/testproxy/testharness_no_tls13.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "SSLproxy tests", 3 | "testharnesses": { 4 | "1": { 5 | "comment": "HTTP tests", 6 | "testsets": { 7 | "1": "http_testset_1.json", 8 | "2": "http_testset_2.json", 9 | "3": "http_testset_3.json" 10 | } 11 | }, 12 | "2": { 13 | "comment": "SSL config tests", 14 | "testsets": { 15 | "1": "ssl_testset_1.json", 16 | "2": "ssl_testset_2.json", 17 | "3": "ssl_testset_3.json", 18 | "4": "ssl_testset_4.json", 19 | "6": "ssl_testset_6.json" 20 | } 21 | }, 22 | "3": { 23 | "comment": "Protocol validation tests", 24 | "testsets": { 25 | "1": "tcp_ssl_testends_testset_1.json", 26 | "2": "ssl_tcp_testends_testset_1.json", 27 | "3": "proto_validate_testset_1.json", 28 | "4": "proto_validate_testset_2.json", 29 | "5": "proto_validate_testset_3.json", 30 | "6": "proto_validate_testset_4.json" 31 | } 32 | }, 33 | "4": { 34 | "comment": "Various option tests", 35 | "testsets": { 36 | "1": "passthrough_testset_1.json", 37 | "2": "verifypeer_testset_1.json", 38 | "3": "verifypeer_testset_2.json", 39 | "4": "ca_testset_1.json", 40 | "5": "ca_testset_2.json", 41 | "6": 
"userauth_testset_1.json", 42 | "7": "userauth_testset_2.json" 43 | } 44 | }, 45 | "5": { 46 | "comment": "Filtering rules tests", 47 | "testsets": { 48 | "1": "filter_divert_testset_1.json", 49 | "2": "filter_split_testset_1.json", 50 | "3": "filter_pass_testset_1.json", 51 | "4": "filter_block_testset_1.json" 52 | } 53 | } 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /tests/testproxy/ca.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEA1T7f9XwogGim+J7D4qDerhzYVHJH1Ih7zuxeHEaseEB1CqZ+ 3 | Ea/sFx0t5E7GMYc2YmRclMP3IfRFj0Ldxh3JLA/HqxGutCUe8ocss9KzrGc8wMye 4 | PB8EvFlEjmeNn5QjYWKoCcDGrLkNCfbU3zTeAGUAbVhtaC4MXubyHRuQaYUqNdcG 5 | WVSHepl/+Zg9X1N0iPt1pSTP/hnGQp+vBFiQJ1635vmMEVNpZiRqQxoTrZeNFLZO 6 | lgHdQOuue7BtHv01TngLgaU1XaLSwBFGkrfVtqK5qnjQ2HPnBJ8fC8w/7H4j4iwG 7 | ERYp4+z8dYPZ4562wLLWsMSGLVOlz4Aq8aaqkQIDAQABAoIBAQDK9qohM8g01+a8 8 | UhhtVuI7ZBb+4Tq+7hyxCUZVsWqsleUQewEZApE6OrqYR+XZ9DDuG0oHCjHpLl8a 9 | iPEehPEZr/dCOnVG3uICwmfoy83ZdPVdKCQfYwKV5n0a8TLZxRybr1Py3Hn8obDo 10 | X/eibuYyB/ANIxIXC2UY2sVssPSViL2exoqi5IV8fwoHR4fMPME1tAxk5lKUf8qD 11 | GFzMomREREl678tPU1RuqvU/pd98Cup8mEwK3yGEbKBHBhjsWPiqlHNCPy0nPt87 12 | fe+4nWMUrWvwhKofHtzFDL/Ojjgm8fejISTXdcTiut3QH94fDi5ksanaRMUJRa/9 13 | h/ReMooBAoGBAO1IWZryMdGnV8+dexSXrr8P8MpcKag6chPw4eTwb34MIWFCqQbE 14 | fK66fh7vw5cSMZaMz679ejFFQvX3lGKFEkrauAbkGausv0R40QtxaOgewUq8sWI2 15 | Ryhh0jnVUTGj9VZOefa6Jm+sabyyCxNeME9iLtoUgtnNdr9JnTaXhoOxAoGBAOYR 16 | H/0RLNAcnFd5/UILplg1u9d4Q+ssI6TL/XGr/59/Us3GKfD9mlSaJOORYPB1Dm3Y 17 | ujodFjq7nUaVjvwIt0DvYok5Nf60ZdRbqOeSrL6To5cujig6m8TDgO3y+xeFXERu 18 | PAO0xxqVJv7TJYTn0jeaNH0ReYECt8g5zi4ZkqzhAoGBAN/9zmiQfSr2l9QrS0bT 19 | MWi3eYztl31xPsNIP1ZJClaoyNHxhXIYBcND1U8K804nJJyD7IG6UqE0StO6lV6z 20 | U+NJuTL4HKuM9TmD+4Kb2nZUog8VNTYLGv0p6rQhhPYhWrXQex3H+ASvc1lnkUEF 21 | RwGJI8VGW4eTh6dnrHseayLhAoGAM4NOGEnKMObXErcbv7gADOwrHPmuq298o5+R 22 | 
JeyPFdVaYvyl03HVJnBFJjcc73omOu419GEi4w+zDWTbWQ9SiNWQyIzozBj0W/IS 23 | BZfP2fQQwv8HkXZd/laP/bdUBVY07JWKFoJZulf/HTuFwRZu+UgrzH0nKX3ETK60 24 | vZm4P8ECgYAU1tgyXZPbKh3a7VZQbiVOW2AHPrpw+c/Jo8/ROqnV+/PzbtAEn9gW 25 | cKtEWRcYt0CxLqetW4ZpuMVHRPmjeQ5erEk9Wi+SMRGb0OAgjj5T+lgzzHXwCpYJ 26 | MOGenMH+/M4Y6/QeQ42vUaCtqMojpxiO8InMTYL0xHCvy76MgELb8Q== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /tests/testproxy/ca2.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEAu/LjU9ekyfw7cULQRxTmBsSLOjSXsk39pJ/EcIGOfev6uFm6 3 | tszbl3nQXY/l2UZjehCIx+RjPoIgR9T6qZhpUbjZUmJBjUG7ugy+wbBQg58aVlGk 4 | C0dfvJ3RX05cXRZqWJLZPYMF5d2xIZiX8FGYGzSwEIfmRDOrruenALE4GMnnl3Cn 5 | nUifnokDWAtXeEVl/01/RiO4oGvynodc+O6DwtE+MyWdpHY3ITg27RR3ovZG1KuZ 6 | /MQrKbchzAcToyX0+JPYMUvAGy9FiNeCrl0vUKXaNxW9ETgu2Wh5G4OON2o2cAdE 7 | JgqjCRUi3zXBiUUyfVJIY42TcTtEKW8zVP7DLwIDAQABAoIBAQCbIdo9hAsCpW0z 8 | CWD8quVKxMPeoTZs+C7ZyP3Nl0JT8YmazIVvCRxfpS41a+beNlk5kZg01fCM0b9v 9 | Sv4zKhgUWi0W8P8GZzFaWdbB7JQocBS/Ftf+b0U4XFNLBVT7iNryjRM+0Hz3xMrF 10 | 3jvbIp4YJp8EpgeMV9HnplGUIrMY0XOx5zlOGPEIiHLwqox61NXf5AKJKebXlDXy 11 | s+IB+fyh4OaJM+xXKZXQNMSO8AkXsBJyxzMUi1AZnxOvOYrcT/9sEdG8OVHdqi4e 12 | WxTzbKVVi5VbiZfH7i2+fjx3j+Q+oWri5+NdrDM5FW/h3yc904uMzMBpiRYsoBbI 13 | XNnDc6aBAoGBAOo17oTaSZNw+w6m71oELVnpD0nIwdeU41pg9if45RRqyxFVEDVE 14 | Y+5TrRNnjjt0nuGBV0hXcwXLPAPHVmhI8mJqSX9Ucl7oagXEiBnGzFQ9bBQbgoAL 15 | JrrEHVmK7knye+3c+hWuZVj6e3MbHrG+iByAYr/nK6aR8GxkyXJsgnuhAoGBAM1v 16 | KXirV5GDky7ZWPVMLulMr67Q7YkDdHcBKY/WIqMqVrhyjK2sQ9uC8AXLG7c8ozNM 17 | hpQqwyFGmFuiUu/exhK2MGKyVjkBWBI/QUNMNYsTctCvLWrFNGZYpYJyVzcLTzeG 18 | wyKvfcJZ5pqnH0zpjY461du6rv2gbK7btyZOKUzPAoGAGTg/e9zJiW/kCNre8TF7 19 | 9K+M7uQIQ3+Lz8KbHwjFGiK5xR8ExMedfx9RhsJi5XIUXbIAxRBtmVUeHEYNvuMD 20 | /qb1TRm5yxB5wi88fJIUlImcprmjnsgUno3Znze/mwTaZW2jHEyQKzmlq2pjLr6W 21 | h4MnnwR0hdY3LmTX8FNQ5aECgYBhlYtSmbmIEsMofvAl3WFvSxEs7mvXKL/7A59V 22 | 
hvd/IE5/YVJ38Rtuu1z+s4Nf4Dr51EEdQs7cEKew54OUE/Ns0gRb7bDNdVj7mfaL 23 | XDkW7k8c2Amv7Ss97p/4Pg41xHaFvssUv93yIzhKgFZ693pZdJM/xAb5zWmzCgWO 24 | +ZPeuwKBgQDRRyGy3qQH6SxiKMNQ8FxjjagxKe/NR37EJTBmJoDaHfkcHU7fmov5 25 | qP6zAEdtpY2smZEsfkhKYSvLeiqPwdAYmppLWAnP2WJ+USbEFiENT4vNzX/3QmHK 26 | dBB/CetyXlqzdnSS21CsPA+CSChNJme8z+GLI8uq5RPVY09FrH0q5A== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /tests/testproxy/testharness_split_no_tls13.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "SSLproxy split mode tests", 3 | "testharnesses": { 4 | "1": { 5 | "comment": "HTTP tests", 6 | "testsets": { 7 | "1": "http_testset_split_1.json", 8 | "2": "http_testset_2.json", 9 | "3": "http_testset_3.json" 10 | } 11 | }, 12 | "2": { 13 | "comment": "SSL config tests", 14 | "testsets": { 15 | "1": "ssl_testset_1.json", 16 | "2": "ssl_testset_2.json", 17 | "3": "ssl_testset_3.json", 18 | "4": "ssl_testset_4.json", 19 | "6": "ssl_testset_6.json" 20 | } 21 | }, 22 | "3": { 23 | "comment": "Protocol validation tests", 24 | "testsets": { 25 | "1": "tcp_ssl_testends_testset_1.json", 26 | "2": "ssl_tcp_testends_testset_1.json", 27 | "3": "proto_validate_testset_1.json", 28 | "4": "proto_validate_testset_2.json", 29 | "5": "proto_validate_testset_3.json", 30 | "6": "proto_validate_testset_split_4.json" 31 | } 32 | }, 33 | "4": { 34 | "comment": "Various option tests", 35 | "testsets": { 36 | "1": "passthrough_testset_1.json", 37 | "2": "verifypeer_testset_1.json", 38 | "3": "verifypeer_testset_2.json", 39 | "4": "ca_testset_1.json", 40 | "5": "ca_testset_2.json", 41 | "6": "userauth_testset_1.json", 42 | "7": "userauth_testset_2.json" 43 | } 44 | }, 45 | "5": { 46 | "comment": "Filtering rules tests", 47 | "testsets": { 48 | "1": "filter_divert_testset_1.json", 49 | "2": "filter_split_testset_1.json", 50 | "3": "filter_pass_testset_1.json", 51 | "4": 
"filter_block_testset_1.json" 52 | } 53 | } 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /tests/testproxy/ca2.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIErzCCA5egAwIBAgIBADANBgkqhkiG9w0BAQsFADCBmzELMAkGA1UEBhMCTlox 3 | EzARBgNVBAgMCldlbGxpbmd0b24xEzARBgNVBAcMCkxvd2VyIEh1dHQxFDASBgNV 4 | BAoMC0NvbWl4V2FsbE5aMQ4wDAYDVQQLDAVVVE1GVzEYMBYGA1UEAwwPY29taXh3 5 | YWxsbnoub3JnMSIwIAYJKoZIhvcNAQkBFhNzb25lcnRhcmlAZ21haWwuY29tMB4X 6 | DTE5MDcxNjIwMDk1NloXDTIwMDcxNTIwMDk1NlowgZsxCzAJBgNVBAYTAk5aMRMw 7 | EQYDVQQIDApXZWxsaW5ndG9uMRMwEQYDVQQHDApMb3dlciBIdXR0MRQwEgYDVQQK 8 | DAtDb21peFdhbGxOWjEOMAwGA1UECwwFVVRNRlcxGDAWBgNVBAMMD2NvbWl4d2Fs 9 | bG56Lm9yZzEiMCAGCSqGSIb3DQEJARYTc29uZXJ0YXJpQGdtYWlsLmNvbTCCASIw 10 | DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALvy41PXpMn8O3FC0EcU5gbEizo0 11 | l7JN/aSfxHCBjn3r+rhZurbM25d50F2P5dlGY3oQiMfkYz6CIEfU+qmYaVG42VJi 12 | QY1Bu7oMvsGwUIOfGlZRpAtHX7yd0V9OXF0WaliS2T2DBeXdsSGYl/BRmBs0sBCH 13 | 5kQzq67npwCxOBjJ55dwp51In56JA1gLV3hFZf9Nf0YjuKBr8p6HXPjug8LRPjMl 14 | naR2NyE4Nu0Ud6L2RtSrmfzEKym3IcwHE6Ml9PiT2DFLwBsvRYjXgq5dL1Cl2jcV 15 | vRE4LtloeRuDjjdqNnAHRCYKowkVIt81wYlFMn1SSGONk3E7RClvM1T+wy8CAwEA 16 | AaOB+zCB+DAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBSmCS1uoDAm9AKxVw/E7wL3 17 | sAwBYzCByAYDVR0jBIHAMIG9gBSmCS1uoDAm9AKxVw/E7wL3sAwBY6GBoaSBnjCB 18 | mzELMAkGA1UEBhMCTloxEzARBgNVBAgMCldlbGxpbmd0b24xEzARBgNVBAcMCkxv 19 | d2VyIEh1dHQxFDASBgNVBAoMC0NvbWl4V2FsbE5aMQ4wDAYDVQQLDAVVVE1GVzEY 20 | MBYGA1UEAwwPY29taXh3YWxsbnoub3JnMSIwIAYJKoZIhvcNAQkBFhNzb25lcnRh 21 | cmlAZ21haWwuY29tggEAMA0GCSqGSIb3DQEBCwUAA4IBAQA709412mgZaAI1k4Em 22 | N2ZwCaMJAFimQKWVNJtFUV+doa6oa0zwXEBHq8VnRC1mFX5BLmZ/XkXOA6Df/onQ 23 | qg9nNjFo0SnxSbh/Z/6WBmh2RmJOpXjY6QM7t/aEsmy+/e1LEcnZhXxSH+8PWYOl 24 | UqVzZxLfTXfIpxaH3F65CW//ziXzWng1AeQRqF9+YhJnsuDXxP4WWfAoaVk+95Uz 25 | 1Z5lPTjkGpJoDwwTJK5rMzfl/QPDJKzhUtnDkwP4PfsRIzzIJ5PEvJ8utBkoaz70 26 | 
/vuOaXX+oVgNg+1rLZv65UfJdbsBLiWam3dBpwxv/7jfqBcR3BpiSmGX+y6kEKBR 27 | OkNT 28 | -----END CERTIFICATE----- 29 | -------------------------------------------------------------------------------- /tests/testproxy/server.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDlKmwGjqh9BCtL 3 | RPM2VZBI0N7WM0ihygo21bp3f/Hb4/WH1+yxy5evqM96rlQz1z+lCP72AU5+qPf3 4 | niXXvYBqyXl0kd/ZlQ50qkUdvO85ttFcwZqCaZeEhJNeh+R0cUfjA0JBfJJf20sT 5 | TpRj0+GNHOtfoGoT9AI60TPZDygh62qRGWwxhfESc9g2UIu4ZbzcllBa+mi+sqkI 6 | +HRoJyT0f/QBK1yGRNYbZ3uChuKW4fBSfXQMzftK80kMpzRtLSUPTfKoUWcl/PMe 7 | dyeRH4xOwmj79UrQkN8Nw/fX9N7EheUesxmUMri5KbaHtmWsCgd7vdAlZWR9Mkp6 8 | AmJihe69AgMBAAECggEBAKo0JsV8ARHRHeKqlET/qckbMNZAgqp/Z7SwauzEXzrl 9 | BYBeU9L9lmyF4YuJnMpgDUoi81J9R/J0xq7ni82/Vnh5qTZ1/Z8ZwQHPUMQ0hi0E 10 | Zl0RAhPoHvvyh43HOltto2mtCvGedwyw0ALH8xhtzvDC0OJWP1MQgPN0W6DUTAdb 11 | 7JvWSUsVtYGvAfodF4O+OpeExUhK5UmJLs4shx49QGwx2wiIGiBeppXUSXbeXFTS 12 | 7fH+/Jn1u1djJtUolmFqSVnQ+TlzdzAzJv3oI2Dh6Z/Zmmt253KmMwOIFSPb37Oj 13 | jIaNRjaUk8+/o218eAIxvP2PukqnleBhiKEajiC6YgECgYEA/5OjKcftaSPpwOJT 14 | l+KT3zfR87dRX64hK/QQl4tzk4jAfC5GGS3mZz+DLp7Tb9q2MJ05JMDY9nCw9dgX 15 | Y10qhmwx9QllV7eZAYj1PNyaHSJBwZW+nOHW3/8Wb5fm/08M2Ix1nqrFaWak+9MH 16 | ZJJJxmx1Yg8vrPk0gbs1HhEpXj0CgYEA5YuWKCaF5NeBg86poVO5q8EpFc5D+o/2 17 | sWO3NkXO3bCiPDpSB1lagoFk+YGsJFEavcMzA4fL56QyBRIII0Q7eC9xiMFaAmZ2 18 | df+6+WkG0p0y/3IysCIffPvit3wl0NyGELBV2RjyT+TWTnj1bhJB+cG9fnJYHED5 19 | aIbo1Hx8WoECgYEA7U10+09SRgR9f4XmHinYKTOYMtXsrY1t6XTFjyCBYORh7Su+ 20 | FJUE0KstL7VzFvGZpsvlChYxnakG9k39cVpJKOT/AckGmwqy+7TiF++w/QoYyhkz 21 | ElGzhOpCN71wU3BfuhW5BGkFwZb364aG37/g1mdQGouFNfNx6F8ds9w1b/UCgYB5 22 | RmtZ4SiChD2AJvLGMlb5YH9VbvnJasA6bmWAvhcSV10Plvx5t4KzSqvPiuwo79TC 23 | B1xvdBKN2tk2hpVYFJea4u4IA6eLdxkFNMxTM2MQaU9lWK9hEVYzkVzx9hyAodIP 24 | BSsGHUEAZvW21f9NXUYQL4TvRng4zTc4O3bNtMt6gQKBgCREU9pT8BFyMtd2Hye3 25 | 
xW9LnsUA+eIM85CrXaIgZiqqnhqogTy0UqMZzABs4B+CZLeUv5nutjBvicNzJmir 26 | TzFLGcIN35J2g3sZvA/wuL0U09nKywkOoYhq5lMEptmaPCLeh7XiuU9gM1wpvbNM 27 | EfnCgF6NRIF84AnhWU0i1iVx 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /tests/testproxy/server2.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCrsqnVqGCBiBCp 3 | U0isyxlLiN9OGs/Re3ZZZEr9wVdEyn7x3UVmdYcYBrLwhCTVW1NRsJ1fVh4dQwDS 4 | C0fMENdsyNmhMt9yDO7PQGMvVu/ILzsBJJLUfyzzqffTsZfujQ7ftQu87zEgoy+9 5 | 1dehpjpH3/7NhwkjHkc4/a08EhhBbbYIgrjwaXbZLAvJOjQoPM5UHqK34i1uzCle 6 | FnI17hDzkZjNfbnk6TYv5PLWLaGpRhQ39upg1hrvbTIHtF9eoBryApNyR5emYrQU 7 | Gih26HszfefCg8vswI+eCm2E5saSrrJWN7PF44yTsCgGkTV/Co1rNap0ATwyDsP4 8 | jGIGTaLrAgMBAAECggEAbflU8OYVUkJNsbcHkK3R+OClb0ibHek/h8hGhDxnYkd1 9 | ggOhZRwYOJpp2MY7NXF2b5d5ZUwqo8F78A2LojiTUzles/J6znlcKOFr5jGACi++ 10 | UmATsAn5R+TxOOXCk+hDw6QZ7Z0jUW1UsfobUI3BPLJLaWd5wcWuBuHtKNHKOXU3 11 | wh1dNYALEFxe3YSsspV5uSrVJPXP0FvFfODRWDldh2s2VNq9p8hBSYl8HSULA2Df 12 | yPkGy0SpRL6PhdnG36YgtrjasWAq605aCGhai2jMgguRzeEtJMadcDvh6yUX94xW 13 | /DfZ/NJqdv08128Rn7QFydXe+jgIPgxi7ErCaJqx0QKBgQDivkQU/kn0pAbYu3/h 14 | ciSf3hkGUJRxKsKbjDIu3ix2RrBNJY7tLQj0RmKDr4lljk2RE6Xl/EZHAYisNRFI 15 | tHytZFcxM6pnBoJpmdGepN0V3PlroMbUveBtr0FbkRDFcaeqRXwEzpZIYIO/X1iD 16 | 9A46NpMZpqDkAIYjCZBsSeIGMwKBgQDB2ibu6pusFxUwdNCcsQs1O40soUuYn+io 17 | wNtBDKqPJnsutjP6lR1aQ9lgrNiMI/kShTY6P2BDAyvxChVgp/LxKV/46iZKTw/u 18 | UtK9D+soxiCK1S09gAARym4KtQuAHaQRDq9c8r/0Wtcm1uBUtKWt9Zu5Y0LTF28e 19 | VA7Ri3qIaQKBgEXDTKc45gBDR2f/qITw3ZvidcifmkyHX4EETZxl90Ac17mkyKjo 20 | pkyiK0VhCOEaO3tblDuCtwy5yBdT7JF2FrYynTEiOFeihRWAoiIxj2RerM8UlJh4 21 | I0kcFvvZUlOteGzHHDVOaqayK1cCOvW+bXIzwGawAeik0KCPHMR0pvpJAoGAKE3t 22 | LluFBmC+PRbskMeWpvi8v3zBtPf6bau7amjxxVWg4vNrFzyNn8jfl2QYmfqYvKsJ 23 | vU6T+xrbtf/8td31ewK5O42jbGvHyitaOYjnwdB/z53HDDRiz1AhVQSTYY3IIOvG 24 | 
tjKainmgpiii97mfgO3B9OeYaz9CETI06ohvb5ECgYBgNq1Qy1MjRP7takJnRB0p 25 | 3cRPs9eGvom0N0yLmsPZNbPsTQVgA6X2pQ8pIOHEXG8WE3AQ9BcRgI0GivERlr3+ 26 | 7nzcgMsF/6UsDOYQyAlqduBaIE+fmar1Mbbzkgm7PZ/FnhRQ967qH22+fvJaSDoY 27 | vwMYU2YZfUECNzIkk6FRiQ== 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /tests/testproxy/testharness_split.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "SSLproxy split mode tests", 3 | "testharnesses": { 4 | "1": { 5 | "comment": "HTTP tests", 6 | "testsets": { 7 | "1": "http_testset_split_1.json", 8 | "2": "http_testset_2.json", 9 | "3": "http_testset_3.json" 10 | } 11 | }, 12 | "2": { 13 | "comment": "SSL config tests", 14 | "testsets": { 15 | "1": "ssl_testset_1.json", 16 | "2": "ssl_testset_2.json", 17 | "3": "ssl_testset_3.json", 18 | "4": "ssl_testset_4.json", 19 | "5": "ssl_testset_5.json", 20 | "6": "ssl_testset_6.json" 21 | } 22 | }, 23 | "3": { 24 | "comment": "Protocol validation tests", 25 | "testsets": { 26 | "1": "tcp_ssl_testends_testset_1.json", 27 | "2": "ssl_tcp_testends_testset_1.json", 28 | "3": "proto_validate_testset_1.json", 29 | "4": "proto_validate_testset_2.json", 30 | "5": "proto_validate_testset_3.json", 31 | "6": "proto_validate_testset_split_4.json" 32 | } 33 | }, 34 | "4": { 35 | "comment": "Various option tests", 36 | "testsets": { 37 | "1": "passthrough_testset_1.json", 38 | "2": "verifypeer_testset_1.json", 39 | "3": "verifypeer_testset_2.json", 40 | "4": "ca_testset_1.json", 41 | "5": "ca_testset_2.json", 42 | "6": "userauth_testset_1.json", 43 | "7": "userauth_testset_2.json" 44 | } 45 | }, 46 | "5": { 47 | "comment": "Filtering rules tests", 48 | "testsets": { 49 | "1": "filter_divert_testset_1.json", 50 | "2": "filter_split_testset_1.json", 51 | "3": "filter_pass_testset_1.json", 52 | "4": "filter_block_testset_1.json" 53 | } 54 | } 55 | } 56 | } 57 | 
-------------------------------------------------------------------------------- /src/url.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 
27 | */ 28 | 29 | #ifndef URL_H 30 | #define URL_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | 36 | char * url_dec(const char *, size_t, size_t *) NONNULL(1,3) MALLOC; 37 | 38 | #endif /* !URL_H */ 39 | 40 | /* vim: set noet ft=c: */ 41 | -------------------------------------------------------------------------------- /src/build.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 
27 | */ 28 | 29 | #ifndef BUILD_H 30 | #define BUILD_H 31 | 32 | extern const char *build_pkgname; 33 | extern const char *build_version; 34 | extern const char *build_date; 35 | extern const char *build_info; 36 | extern const char *build_features; 37 | 38 | #endif /* !BUILD_H */ 39 | 40 | /* vim: set noet ft=c: */ 41 | -------------------------------------------------------------------------------- /tests/testproxy/lp/build.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef BUILD_H 30 | #define BUILD_H 31 | 32 | extern const char *build_pkgname; 33 | extern const char *build_version; 34 | extern const char *build_date; 35 | extern const char *build_info; 36 | extern const char *build_features; 37 | 38 | #endif /* !BUILD_H */ 39 | 40 | /* vim: set noet ft=c: */ 41 | -------------------------------------------------------------------------------- /tests/testproxy/lp/prototcp.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * Copyright (c) 2017-2025, Soner Tari . 7 | * All rights reserved. 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted provided that the following conditions are met: 11 | * 1. Redistributions of source code must retain the above copyright notice, 12 | * this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright notice, 14 | * this list of conditions and the following disclaimer in the documentation 15 | * and/or other materials provided with the distribution. 
16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 18 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 21 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 | * POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef PROTOTCP_H 31 | #define PROTOTCP_H 32 | 33 | #include "pxyconn.h" 34 | 35 | void prototcp_connect(evutil_socket_t, short, void *); 36 | protocol_t prototcp_setup(pxy_conn_ctx_t *) NONNULL(1); 37 | 38 | #endif /* PROTOTCP_H */ 39 | 40 | -------------------------------------------------------------------------------- /src/protoautossl.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * Copyright (c) 2017-2025, Soner Tari . 7 | * All rights reserved. 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted provided that the following conditions are met: 11 | * 1. Redistributions of source code must retain the above copyright notice, 12 | * this list of conditions and the following disclaimer. 13 | * 2. 
Redistributions in binary form must reproduce the above copyright notice, 14 | * this list of conditions and the following disclaimer in the documentation 15 | * and/or other materials provided with the distribution. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 18 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 21 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 | * POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef PROTOAUTOSSL_H 31 | #define PROTOAUTOSSL_H 32 | 33 | #include "pxyconn.h" 34 | 35 | protocol_t protoautossl_setup(pxy_conn_ctx_t *) NONNULL(1); 36 | protocol_t protoautossl_setup_child(pxy_conn_child_ctx_t *) NONNULL(1); 37 | 38 | #endif /* PROTOAUTOSSL_H */ 39 | -------------------------------------------------------------------------------- /src/base64.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. 
Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef BASE64_H 30 | #define BASE64_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | 36 | unsigned char * base64_dec(const char *, size_t, size_t *) NONNULL(1,3) MALLOC; 37 | char * base64_enc(const unsigned char *, size_t, size_t *) NONNULL(1,3) MALLOC; 38 | 39 | #endif /* !BASE64_H */ 40 | 41 | /* vim: set noet ft=c: */ 42 | -------------------------------------------------------------------------------- /src/protopassthrough.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * Copyright (c) 2017-2025, Soner Tari . 7 | * All rights reserved. 
8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted provided that the following conditions are met: 11 | * 1. Redistributions of source code must retain the above copyright notice, 12 | * this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright notice, 14 | * this list of conditions and the following disclaimer in the documentation 15 | * and/or other materials provided with the distribution. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 18 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 21 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 | * POSSIBILITY OF SUCH DAMAGE. 
28 | */ 29 | 30 | #ifndef PROTOPASSTHROUGH_H 31 | #define PROTOPASSTHROUGH_H 32 | 33 | #include "pxyconn.h" 34 | 35 | void protopassthrough_engage(pxy_conn_ctx_t *) NONNULL(1); 36 | protocol_t protopassthrough_setup(pxy_conn_ctx_t *) NONNULL(1); 37 | 38 | #endif /* PROTOPASSTHROUGH_H */ 39 | -------------------------------------------------------------------------------- /tests/testproxy/lp/privsep.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef PRIVSEP_H 30 | #define PRIVSEP_H 31 | 32 | #include "attrib.h" 33 | #include "opts.h" 34 | 35 | int privsep_fork(opts_t *, int[], size_t); 36 | 37 | int privsep_client_openfile(int, const char *, int); 38 | int privsep_client_opensock(int, const proxyspec_t *spec); 39 | int privsep_client_close(int); 40 | #endif /* !PRIVSEP_H */ 41 | 42 | /* vim: set noet ft=c: */ 43 | -------------------------------------------------------------------------------- /src/build.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 
15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #include "build.h" 30 | 31 | /* 32 | * Volatile build-time information which can change between make runs. 33 | */ 34 | 35 | const char *build_pkgname = BUILD_PKGNAME; 36 | const char *build_version = BUILD_VERSION; 37 | const char *build_date = BUILD_DATE; 38 | const char *build_info = BUILD_INFO; 39 | const char *build_features = BUILD_FEATURES; 40 | 41 | /* vim: set noet ft=c: */ 42 | -------------------------------------------------------------------------------- /src/cachetgcrt.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. 
Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef CACHETGCRT_H 30 | #define CACHETGCRT_H 31 | 32 | #include "cache.h" 33 | #include "attrib.h" 34 | #include "cert.h" 35 | 36 | void cachetgcrt_init_cb(struct cache *) NONNULL(1); 37 | 38 | cache_key_t cachetgcrt_mkkey(const char *) NONNULL(1) WUNRES; 39 | cache_val_t cachetgcrt_mkval(cert_t *) NONNULL(1) WUNRES; 40 | 41 | #endif /* !CACHETGCRT_H */ 42 | 43 | /* vim: set noet ft=c: */ 44 | -------------------------------------------------------------------------------- /src/cachefkcrt.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 
7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 
27 | */ 28 | 29 | #ifndef CACHEFKCRT_H 30 | #define CACHEFKCRT_H 31 | 32 | #include "cache.h" 33 | #include "attrib.h" 34 | 35 | #include 36 | 37 | void cachefkcrt_init_cb(struct cache *) NONNULL(1); 38 | 39 | cache_key_t cachefkcrt_mkkey(X509 *) NONNULL(1) WUNRES; 40 | cache_val_t cachefkcrt_mkval(X509 *) NONNULL(1) WUNRES; 41 | 42 | #endif /* !CACHEFKCRT_H */ 43 | 44 | /* vim: set noet ft=c: */ 45 | -------------------------------------------------------------------------------- /tests/testproxy/lp/build.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include "build.h"

/*
 * Volatile build-time information which can change between make runs.
 *
 * Each string is taken from a BUILD_* macro that build.h supplies at
 * compile time, so the values describe the build that produced this object
 * file.  This file is an identical copy of src/build.c; keep the two in
 * step.  How these strings are surfaced (version banner, logs) is not
 * visible here — presumably they are user-visible, so avoid placing
 * build-host details in BUILD_INFO or BUILD_FEATURES; confirm.
 */

const char *build_pkgname = BUILD_PKGNAME;     /* package name */
const char *build_version = BUILD_VERSION;     /* version string */
const char *build_date = BUILD_DATE;           /* build date */
const char *build_info = BUILD_INFO;           /* free-form build description */
const char *build_features = BUILD_FEATURES;   /* compile-time feature list */

/* vim: set noet ft=c: */
--------------------------------------------------------------------------------
/src/protopop3.h:
--------------------------------------------------------------------------------
/*-
 * SSLproxy - transparent SSL/TLS proxy
 *
 * Copyright (c) 2017-2025, Soner Tari .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 * 1. Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 16 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 19 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 | * POSSIBILITY OF SUCH DAMAGE. 26 | */ 27 | 28 | #ifndef PROTOPOP3_H 29 | #define PROTOPOP3_H 30 | 31 | #include "pxyconn.h" 32 | 33 | typedef struct protopop3_ctx { 34 | unsigned int not_valid : 1; 35 | unsigned int seen_command_count; 36 | } protopop3_ctx_t; 37 | 38 | int protopop3_validate(pxy_conn_ctx_t *, char *, size_t) NONNULL(1,2) WUNRES; 39 | 40 | protocol_t protopop3_setup(pxy_conn_ctx_t *) NONNULL(1); 41 | protocol_t protopop3s_setup(pxy_conn_ctx_t *) NONNULL(1); 42 | 43 | #endif /* PROTOPOP3_H */ 44 | -------------------------------------------------------------------------------- /GNUmakefile: -------------------------------------------------------------------------------- 1 | SRCDIR:= src 2 | CHECKTESTSDIR:= tests/check 3 | TESTPROXYTESTSDIR:= tests/testproxy 4 | 5 | TARGET:= sslproxy 6 | 7 | all: $(TARGET) 8 | 9 | $(TARGET): 10 | $(MAKE) -C $(SRCDIR) 11 | 12 | test: $(TARGET) 13 | $(MAKE) unittest 14 | $(MAKE) e2etest 15 | 16 | unittest: $(TARGET) 17 | $(MAKE) -C $(CHECKTESTSDIR) 18 | 19 | e2etest: $(TARGET) 20 | $(MAKE) -C $(TESTPROXYTESTSDIR) 21 | 22 | e2etest_split: $(TARGET) 23 | $(MAKE) -C $(TESTPROXYTESTSDIR) test_split 24 | 25 | clean: 26 | $(MAKE) 
-C $(SRCDIR) clean
	$(MAKE) -C $(CHECKTESTSDIR) clean

travis: $(TARGET)
	$(MAKE) travisunittest
# The e2e tests with all of the openssl/libressl versions in .travis.yml run
# without any error locally, but fail on travis-ci.com now. So disable until fixed.
#$(MAKE) travise2etest

travisunittest: $(TARGET)
	$(MAKE) -C $(CHECKTESTSDIR) travis

travise2etest: $(TARGET)
	$(MAKE) -C $(TESTPROXYTESTSDIR) travis

install:
	$(MAKE) -C $(SRCDIR) install

deinstall:
	$(MAKE) -C $(SRCDIR) deinstall

lint:
	$(MAKE) -C $(SRCDIR) lint

manlint:
	$(MAKE) -C $(SRCDIR) manlint

mantest:
	$(MAKE) -C $(SRCDIR) mantest

# Rewrite the copyright headers of the listed sources with the helper script.
copyright: *.c *.h *.1 *.5 extra/*/*.c
	Mk/bin/copyright.py $^

man:
	$(MAKE) -C $(SRCDIR) man

manclean:
	$(MAKE) -C $(SRCDIR) manclean

# Pull third-party sources that are not kept in the tree.
# NOTE(review): khash.h is written straight from whatever $(KHASH_URL) serves,
# with no pinned revision and no checksum check, so a changed or substituted
# upstream file lands in the build unnoticed; verifying a known digest of the
# download (or vendoring the header) before it is used would close that gap.
# $(WGET) and $(KHASH_URL) are not defined anywhere in this file, and nothing
# is included here, so they must come from the environment or the make command
# line — confirm.
fetchdeps:
	$(WGET) -O- $(KHASH_URL) >$(SRCDIR)/khash.h
#$(RM) -rf xnu/xnu-*
	$(MAKE) -C xnu fetch

dist:
	$(MAKE) -C $(SRCDIR) dist

disttest:
	$(MAKE) -C $(SRCDIR) disttest

distclean:
	$(MAKE) -C $(SRCDIR) distclean

realclean:
	$(MAKE) -C $(SRCDIR) realclean
	$(MAKE) -C $(CHECKTESTSDIR) realclean
FORCE:

# NOTE(review): config, buildtest and sudotest are declared phony but have no
# rule in this file, while unittest, e2etest, e2etest_split, travisunittest
# and travise2etest are defined here and not listed.
.PHONY: all config clean buildtest test sudotest travis lint \
	install deinstall copyright manlint mantest man manclean fetchdeps \
	dist disttest distclean realclean

--------------------------------------------------------------------------------
/AUTHORS.md:
--------------------------------------------------------------------------------
# Authors

SSLsplit was written by
[Daniel Roethlisberger](https://github.com/droe).
SSLsplit is currently maintained by
[Daniel Roethlisberger](https://github.com/droe) and
[Soner Tari](https://github.com/sonertari).
8 | 9 | The following individuals have contributed to the codebase by submitting 10 | patches or pull requests, in chronological order of their first contribution: 11 | 12 | - Steve Wills ([swills](https://github.com/swills)) 13 | - Landon Fuller ([landonf](https://github.com/landonf)) 14 | - Wayne Jensen ([wjjensen](https://github.com/wjjensen)) 15 | - Rory McNamara ([psychomario](https://github.com/psychomario)) 16 | - Alexander Neumann ([fd0](https://github.com/fd0)) 17 | - Adam Jacob Muller ([AdamJacobMuller](https://github.com/AdamJacobMuller)) 18 | - Richard Poole ([RichardPoole42](https://github.com/RichardPoole42)) 19 | - Maciej Kotowicz ([mak](https://github.com/mak)) 20 | - Eun Soo Park ([eunsoopark](https://github.com/eunsoopark)) 21 | - Christian Groschupp ([cgroschupp](https://github.com/cgroschupp)) 22 | - Alexander Savchenkov ([antalos](https://github.com/antalos)) 23 | - Soner Tari ([sonertari](https://github.com/sonertari)) 24 | - Petr Vaněk ([arkamar](https://github.com/arkamar)) 25 | - Hilko Bengen ([hillu](https://github.com/hillu)) 26 | - Philip Duldig ([pduldig-at-tw](https://github.com/pduldig-at-tw)) 27 | - Levente Polyak ([anthraxx](https://github.com/anthraxx)) 28 | - Nick French ([naf419](https://github.com/naf419)) 29 | - Cihan Kömeçoğlu ([cihankom](https://github.com/cihankom)) 30 | 31 | Many more individuals have contributed by reporting bugs or feature requests. 32 | See [issue tracker on Github][1], `NEWS.md` and `git log` for details. 33 | 34 | [1]: https://github.com/droe/sslsplit/issues 35 | 36 | All your contributions are greatly appreciated; without you, SSLsplit would not 37 | be what it is today. 38 | 39 | SSLproxy is based on SSLsplit, and has been developed by 40 | [Soner Tari](https://github.com/sonertari). 
41 | 42 | -------------------------------------------------------------------------------- /src/cachessess.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 
27 | */ 28 | 29 | #ifndef CACHESSESS_H 30 | #define CACHESSESS_H 31 | 32 | #include "cache.h" 33 | #include "attrib.h" 34 | 35 | #include 36 | 37 | void cachessess_init_cb(struct cache *) NONNULL(1); 38 | 39 | cache_key_t cachessess_mkkey(const unsigned char *, const size_t) 40 | NONNULL(1) WUNRES; 41 | cache_val_t cachessess_mkval(SSL_SESSION *) NONNULL(1) WUNRES; 42 | 43 | #endif /* !CACHESSESS_H */ 44 | 45 | /* vim: set noet ft=c: */ 46 | -------------------------------------------------------------------------------- /tests/check/GNUmakefile: -------------------------------------------------------------------------------- 1 | PROJECT_ROOT= ../.. 2 | include $(PROJECT_ROOT)/Mk/main.mk 3 | 4 | ifndef SRCDIR 5 | $(error SRCDIR not defined) 6 | endif 7 | 8 | SRCS:= $(wildcard *.t.c) 9 | OBJS:= $(SRCS:.t.c=.t.o) 10 | 11 | SRCSRCS:= $(wildcard $(PROJECT_ROOT)/$(SRCDIR)/*.c) 12 | SRCHDRS:= $(wildcard $(PROJECT_ROOT)/$(SRCDIR)/*.h) 13 | SRCSOBJS:= $(SRCSRCS:.c=.o) 14 | OBJS+= $(filter-out $(PROJECT_ROOT)/$(SRCDIR)/main.o,$(SRCSOBJS)) 15 | MKFS:= $(wildcard GNUmakefile $(PROJECT_ROOT)/$(SRCDIR)/GNUmakefile $(PROJECT_ROOT)/GNUmakefile $(PROJECT_ROOT)/Mk/*.mk) 16 | 17 | all: test 18 | 19 | $(TARGET).test: $(OBJS) 20 | $(CC) $(LDFLAGS) $(TPKG_LDFLAGS) -o $@ $^ $(LIBS) $(TPKG_LIBS) 21 | 22 | %.t.o: %.t.c $(SRCHDRS) $(MKFS) 23 | ifdef CHECK_MISSING 24 | $(error unit test dependency 'check' not found; \ 25 | install it or point CHECK_BASE to base path) 26 | endif 27 | $(CC) -c $(CPPFLAGS) $(TCPPFLAGS) $(CFLAGS) $(TPKG_CFLAGS) -o $@ \ 28 | -x c $< 29 | 30 | buildtest: TCPPFLAGS+=-D"TEST_ZEROUSR=\"$(shell id -u -n root||echo 0)\"" 31 | buildtest: TCPPFLAGS+=-D"TEST_ZEROGRP=\"$(shell id -g -n root||echo 0)\"" 32 | buildtest: TCPPFLAGS+=-I$(PROJECT_ROOT)/$(SRCDIR) 33 | buildtest: $(TARGET).test 34 | $(MAKE) -C engine 35 | $(MAKE) -C pki testreqs 36 | 37 | ifeq ($(findstring -DDEBUG_PROXY,$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "Features: ")),-DDEBUG_PROXY) 38 | 
$(error Unit tests cannot run with DEBUG_PROXY feature enabled, disable DEBUG_PROXY feature in main makefile and try again) 39 | endif 40 | 41 | test: buildtest 42 | ./$(TARGET).test 43 | 44 | sudotest: buildtest 45 | sudo ./$(TARGET).test 46 | 47 | travis: TCPPFLAGS+=-DTRAVIS 48 | travis: test 49 | 50 | clean: 51 | $(MAKE) -C engine clean 52 | $(RM) -f $(TARGET).test *.o .*.o *.core *~ 53 | $(RM) -rf *.dSYM 54 | 55 | ifdef GITDIR 56 | lint: 57 | $(CPPCHECK) $(CPPCHECKFLAGS) --force --enable=all --error-exitcode=1 . 58 | 59 | realclean: clean 60 | $(MAKE) -C pki clean 61 | endif 62 | 63 | FORCE: 64 | 65 | .PHONY: all config clean buildtest test sudotest travis realclean 66 | 67 | -------------------------------------------------------------------------------- /src/protosmtp.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLproxy - transparent SSL/TLS proxy 3 | * 4 | * Copyright (c) 2017-2025, Soner Tari . 5 | * All rights reserved. 6 | * 7 | * Redistribution and use in source and binary forms, with or without 8 | * modification, are permitted provided that the following conditions are met: 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright notice, 12 | * this list of conditions and the following disclaimer in the documentation 13 | * and/or other materials provided with the distribution. 14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 16 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef PROTOSMTP_H
#define PROTOSMTP_H

#include "pxyconn.h"

/*
 * Per-connection state of the SMTP protocol handler.
 * Has the same two fields as protopop3_ctx in protopop3.h.
 */
typedef struct protosmtp_ctx {
	/* one-bit flag; presumably set once the stream fails validation and
	 * sticky for the rest of the connection — confirm in protosmtp.c */
	unsigned int not_valid : 1;
	/* number of commands seen so far; presumably bounds how long
	 * validation keeps inspecting the stream — confirm */
	unsigned int seen_command_count;
} protosmtp_ctx_t;

/*
 * Validate a chunk of the command stream (protosmtp_validate) or of the
 * response stream (protosmtp_validate_response).
 * The char * / size_t pair is a buffer and its length; presumably this is
 * data read from a network peer, so implementations must stay within the
 * given length and must not assume NUL termination — confirm.  NONNULL(1,2)
 * requires both pointers to be non-NULL and WUNRES marks the result as one
 * callers must not discard (both macros come from attrib.h, not visible
 * here).  The return-value convention is not visible in this header —
 * confirm against protosmtp.c.
 */
int protosmtp_validate(pxy_conn_ctx_t *, char *, size_t) NONNULL(1,2) WUNRES;
int protosmtp_validate_response(pxy_conn_ctx_t *, char *, size_t) NONNULL(1,2) WUNRES;

/*
 * Install the SMTP protocol handler on a connection; protosmtps_setup is
 * presumably the TLS-wrapped variant — confirm.
 */
protocol_t protosmtp_setup(pxy_conn_ctx_t *) NONNULL(1);
protocol_t protosmtps_setup(pxy_conn_ctx_t *) NONNULL(1);

#endif /* PROTOSMTP_H */
--------------------------------------------------------------------------------
/src/util.h:
--------------------------------------------------------------------------------
/*-
 * SSLsplit - transparent SSL/TLS interception
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 * 1. Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 * 2.
Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef UTIL_H
#define UTIL_H

#include "attrib.h"

#include /* NOTE(review): system header name lost in extraction */

/*
 * Small string helpers shared across the proxy.
 *
 * util_skipws: the return type drops the const of its argument, so the
 * pointer handed back aliases the caller's const buffer and must not be
 * written through.  Presumably it points at the first non-whitespace
 * character of the input — confirm against util.c.
 * util_get_first_word_len: takes a non-NULL buffer and an explicit length;
 * presumably the length bounds the scan, so callers should pass the real
 * buffer length rather than rely on NUL termination — confirm.
 */
char * util_skipws(const char *) NONNULL(1) PURE;
size_t util_get_first_word_len(char *, size_t) NONNULL(1);

/* Both operands are expanded twice; do not pass expressions with side effects. */
#define util_max(a,b) ((a) > (b) ? (a) : (b))

/*
 * String equality as a macro.
 * NOTE(review): s1 and s2 are each expanded twice (strlen, then strcmp), so
 * side-effecting arguments are evaluated twice.  The strlen comparison is
 * redundant with strcmp, which already reports a mismatch for strings of
 * different length, and it walks both strings to the end before strcmp
 * starts.  strlen/strcmp need <string.h>, which is not visibly included
 * here — presumably the stripped include above or the including file
 * provides it; confirm.
 */
#define equal(s1, s2) (strlen((s1)) == strlen((s2)) && !strcmp((s1), (s2)))

/*
 * Larger of two ints.
 * NOTE(review): declared inline without static in a header.  Under C99
 * inline semantics every translation unit that includes this file gets an
 * inline definition only; if the compiler declines to inline a call, an
 * external definition must exist elsewhere.  Whether INLINE (from attrib.h,
 * not visible here) forces inlining cannot be told from this file — confirm.
 */
inline int INLINE WUNRES
max(int a, int b)
{
	return a > b ? a : b;
}

#endif /* !UTIL_H */

/* vim: set noet ft=c: */
--------------------------------------------------------------------------------
/tests/testproxy/lp/lp.conf:
--------------------------------------------------------------------------------
# Sample configuration for lp v0.8.0
#
# Use the -f command line option to start lp with a config file.

# Drop privileges to user.
# Equivalent to -u command line option.
7 | # (default: nobody, if run as root) 8 | #User soner 9 | 10 | # Drop privileges to group. 11 | # Equivalent to -m command line option. 12 | # (default: primary group of user) 13 | #Group soner 14 | 15 | # chroot() to jaildir (impacts sni proxyspecs, see lp(1)). 16 | # Equivalent to -j command line option. 17 | #Chroot /var/run/lp 18 | 19 | # Write pid to file. 20 | # Equivalent to -p command line option. 21 | # (default: no pid file) 22 | PidFile /var/run/lp.pid 23 | 24 | # Connect log: log one line summary per connection to logfile. 25 | # Equivalent to -l command line option. 26 | #ConnectLog /var/log/lp/connect.log 27 | 28 | # Content log: full data to file or named pipe 29 | # (excludes ContentLogDir/ContentLogPathSpec). 30 | # Equivalent to -L command line option. 31 | #ContentLog /var/log/lp/content.log 32 | 33 | # Content log: full data to separate files in dir 34 | # (excludes ContentLog/ContentLogPathSpec). 35 | # Equivalent to -S command line option. 36 | #ContentLogDir /var/log/lp/content 37 | 38 | # Content log: full data to sep files with % subst 39 | # (excludes ContentLog/ContentLogDir). 40 | # Equivalent to -F command line option. 41 | #ContentLogPathSpec /var/log/lp/%X/%u-%s-%d-%T.log 42 | 43 | # Daemon mode: run in background, log error messages to syslog. 44 | # Equivalent to -d command line option. 45 | Daemon yes 46 | 47 | # Debug mode: run in foreground, log debug messages on stderr. 48 | # Equivalent to -D command line option. 49 | #Debug yes 50 | 51 | # Verbose debug level 52 | #DebugLevel 4 53 | 54 | # Log statistics to syslog 55 | # Equivalent to -J command line option. 
56 | LogStats yes 57 | 58 | # Log statistics every this many ExpiredConnCheckPeriod periods 59 | StatsPeriod 1 60 | 61 | # Set open files limit, use 50-10000 62 | #OpenFilesLimit 1024 63 | 64 | # Proxy specifications: listenaddr+port 65 | ProxySpec 127.0.0.1 8080 66 | ProxySpec 127.0.0.1 8110 67 | ProxySpec 127.0.0.1 9199 68 | -------------------------------------------------------------------------------- /src/cachedsess.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef CACHEDSESS_H 30 | #define CACHEDSESS_H 31 | 32 | #include "cache.h" 33 | #include "attrib.h" 34 | 35 | #include 36 | #include 37 | 38 | #include 39 | 40 | void cachedsess_init_cb(struct cache *) NONNULL(1); 41 | 42 | cache_key_t cachedsess_mkkey(const struct sockaddr *, const socklen_t, 43 | const char *) NONNULL(1) WUNRES; 44 | cache_val_t cachedsess_mkval(SSL_SESSION *) NONNULL(1) WUNRES; 45 | 46 | #endif /* !CACHEDSESS_H */ 47 | 48 | /* vim: set noet ft=c: */ 49 | -------------------------------------------------------------------------------- /src/dynbuf.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 
15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef DYNBUF_H 30 | #define DYNBUF_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | 36 | typedef struct dynbuf { 37 | unsigned char *buf; 38 | size_t sz; 39 | } dynbuf_t; 40 | 41 | dynbuf_t * dynbuf_new(unsigned char *, size_t) MALLOC; 42 | dynbuf_t * dynbuf_new_alloc(size_t) MALLOC; 43 | dynbuf_t * dynbuf_new_copy(const unsigned char *, const size_t) MALLOC; 44 | dynbuf_t * dynbuf_new_file(const char *) MALLOC; 45 | void dynbuf_free(dynbuf_t *) NONNULL(1); 46 | 47 | #endif /* !DYNBUF_H */ 48 | 49 | /* vim: set noet ft=c: */ 50 | -------------------------------------------------------------------------------- /src/privsep.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. 
Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 
27 | */ 28 | 29 | #ifndef PRIVSEP_H 30 | #define PRIVSEP_H 31 | 32 | #include "attrib.h" 33 | #include "opts.h" 34 | 35 | int privsep_fork(global_t *, int[], size_t, int *); 36 | 37 | int privsep_client_openfile(int, const char *, int); 38 | int privsep_client_opensock(int, const proxyspec_t *spec); 39 | int privsep_client_certfile(int, const char *); 40 | int privsep_client_close(int); 41 | #ifndef WITHOUT_USERAUTH 42 | int privsep_client_update_atime(int, const userdbkeys_t *); 43 | #endif /* !WITHOUT_USERAUTH */ 44 | #endif /* !PRIVSEP_H */ 45 | 46 | /* vim: set noet ft=c: */ 47 | -------------------------------------------------------------------------------- /tests/check/cachemgr.t.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #include "cachemgr.h" 30 | #include "khash.h" 31 | 32 | #include 33 | #include 34 | 35 | #include 36 | 37 | START_TEST(cache_types_01) 38 | { 39 | ck_assert_msg(sizeof(cache_iter_t) == sizeof(khiter_t), 40 | "type mismatch: cache_iter_t != khiter_t"); 41 | } 42 | END_TEST 43 | 44 | Suite * 45 | cachemgr_suite(void) 46 | { 47 | Suite *s; 48 | TCase *tc; 49 | 50 | s = suite_create("cachemgr"); 51 | 52 | tc = tcase_create("cache_types"); 53 | tcase_add_test(tc, cache_types_01); 54 | suite_add_tcase(s, tc); 55 | 56 | return s; 57 | } 58 | 59 | /* vim: set noet ft=c: */ 60 | -------------------------------------------------------------------------------- /tests/check/pki/session.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN SSL SESSION PARAMETERS----- 2 | MIIF4AIBAQICAwMEAsAwBCD99EQxVstbLQn6ooCm3xUqSFds8YTvPYyzEGSgyfCo 3 | eQQwkceATL9ka1XD0DXyTSeZgrTlOCXdgrKQAMCUbuG79oz51k61TRD3YtI41A9g 4 | N6rsoQYCBFt//ZSiBAICASyjggS1MIIEsTCCA5mgAwIBAgIBKjANBgkqhkiG9w0B 5 | AQsFADBJMQswCQYDVQQGEwJDSDEiMCAGA1UECgwZU1NMc3BsaXQgVGVzdCBDZXJ0 6 | aWZpY2F0ZTEWMBQGA1UEAwwNZGFuaWVsLnJvZS5jaDAeFw0xNjA3MTAxNDQ2Mjda 7 | Fw0xNzA3MTAxNDQ2MjdaMEkxCzAJBgNVBAYTAkNIMSIwIAYDVQQKDBlTU0xzcGxp 8 | dCBUZXN0IENlcnRpZmljYXRlMRYwFAYDVQQDDA1kYW5pZWwucm9lLmNoMIIBIjAN 9 | BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsmDmPE1fTVAj6ketPcQLm/GIarFk 10 | 
75Ws6u+a33OfliUwl5jdOob2P7+iTI9jLjfCeQSOhN5oRi8wsD35ef0ZnORYe1MV 11 | /bB4KOR8IjS3GPdQUO5Vl5wg9tijSnjvcBLdlM9BpLDk0lCUpAC1AJ9kHmdKUmUe 12 | vmKtAl8f1URdm+MyProp7CcrRb0OXNDxCLLUiqUst85Ea88FbUaFLjO3vSKbSjP7 13 | gpaWE0rzdBIM8b0bQTi/KrNpkRdi0bgNkHP1krfcpoVG1Dh1vXU1k8ojfN9I79BZ 14 | rBZihw+dgriSgsntJ+GJ660qFGq7OKFg3qYb5F9CaelW8Cp9livQM611qwIDAQAB 15 | o4IBojCCAZ4wCQYDVR0TBAIwADAdBgNVHQ4EFgQU9gOZ22GLXy9k7xPQx+8FebKe 16 | w/0wcQYDVR0jBGowaIAU9gOZ22GLXy9k7xPQx+8FebKew/2hTaRLMEkxCzAJBgNV 17 | BAYTAkNIMSIwIAYDVQQKDBlTU0xzcGxpdCBUZXN0IENlcnRpZmljYXRlMRYwFAYD 18 | VQQDDA1kYW5pZWwucm9lLmNoggEqMDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcw 19 | AYYeaHR0cDovL2RhbmllbC5yb2UuY2gvdGVzdC9vY3NwMC4GA1UdHwQnMCUwI6Ah 20 | oB+GHWh0dHA6Ly9kYW5pZWwucm9lLmNoL3Rlc3QvY3JsMIGSBgNVHREEgYowgYek 21 | SzBJMQswCQYDVQQGEwJDSDEiMCAGA1UECgwZU1NMc3BsaXQgVGVzdCBDZXJ0aWZp 22 | Y2F0ZTEWMBQGA1UEAwwNZGFuaWVsLnJvZS5jaIINZGFuaWVsLnJvZS5jaIcEfwAA 23 | AYENZGFuaWVsQHJvZS5jaIIKd3d3LnJvZS5jaIIIKi5yb2UuY2gwDQYJKoZIhvcN 24 | AQELBQADggEBACWKufl7k92NsxvW9igq0UnXgenh4EMfYSMARmwHPylRvG4LxIwb 25 | 41deKXjQmxx6F0WLLlUWm4CQlPnCxnCPWSB1rXl0ynEES4dM7VBYtl8iqt6rGnKh 26 | noECYnnnRcI7JGFE8s8+IAW/2839hNDwJZIZgF2DMe1VLV6eWPdKAv94Y6YHmwAp 27 | oP4v67+psWOfj4Nd6T5sVgx8/lH8k4XytHCt91fXMdEEcRhPS5mLwgkYz83cp9eK 28 | buY+ddcK3lcZYG9l9qA8ryRWYXvr2Ui5+fMpbLp5GUn2WF/fcKRbR3+Stb/Nsai6 29 | mLBehp2NgQKMadeZnKwletsVJ13pplqT576kAgQApQMCAQqpBAICASyqgaMEgaAo 30 | OJ0AEd8RMUttoTZnEiAcOfRkEFjjruP32TA985bq5ENIAtMhtULMV/hM+QWJTXup 31 | pwA64f7yN9NvmEXaHJro5ZAac7CPFaPQn+smlSdeLcV8fq6P1+TPVjJT7ORJagqH 32 | BO8xWgp7Xr7Pc7vfDHb1qsA21zBO67YBHH+NszphUG+8vHxVQVQqxMuWPN2yIpIy 33 | G/V2qk9Ou2RoqtzAC5PAqwMEAQE= 34 | -----END SSL SESSION PARAMETERS----- 35 | -------------------------------------------------------------------------------- /tests/check/pki/session-libressl-2.5.0.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN SSL SESSION PARAMETERS----- 2 | 
MIIF2wIBAQICAwMEAswTBCAcR74muuDRYJktM+apiD6VBY++VkYtTyskq0AuHkeD 3 | 8QQw/AnKuLIX0HVQifQCMP399upNn0X0epRhogLI2FmUyRkITEscs3qqEEKQPouT 4 | e0JHoQYCBFuGSRKiBAICASyjggS1MIIEsTCCA5mgAwIBAgIBKjANBgkqhkiG9w0B 5 | AQsFADBJMQswCQYDVQQGEwJDSDEiMCAGA1UECgwZU1NMc3BsaXQgVGVzdCBDZXJ0 6 | aWZpY2F0ZTEWMBQGA1UEAwwNZGFuaWVsLnJvZS5jaDAeFw0xODA4MjgyMzM3MjRa 7 | Fw0xOTA4MjgyMzM3MjRaMEkxCzAJBgNVBAYTAkNIMSIwIAYDVQQKDBlTU0xzcGxp 8 | dCBUZXN0IENlcnRpZmljYXRlMRYwFAYDVQQDDA1kYW5pZWwucm9lLmNoMIIBIjAN 9 | BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzUmwWoteX9O8HSTleRps4yCPrEDA 10 | fxafGOdWFjUDZxcf+7gMt0SHKOH3XfqrWEeP+G6m1MfRoQeHuEN0OsX0+4+FkQnv 11 | xXN8fZh0gLFq2NmhUeqysNLnep3rYTqwMNGJ/Z0CBoXxTfezFhlJPdqx7lVnr2wu 12 | 7WHRnCIlY6pgaXHzPOF/P9qXMxKpjjU6NlVJC4pELPUJgSW9r9nBiIP6h/3AJct8 13 | JZEUTysQzZcC5KfzFPFSEhu/WfnoNFpe9TLswuEgBzHJSJOI6vho5yVGtc77DwCi 14 | 1j5tFYDkW109FzZM5sL+Ee5lc2VNi11hGg36ujnBLDfYQBM+yIipu/3AVQIDAQAB 15 | o4IBojCCAZ4wCQYDVR0TBAIwADAdBgNVHQ4EFgQUjbdZF2ENLvl4E3Adgs6GeiJD 16 | sTswcQYDVR0jBGowaIAUjbdZF2ENLvl4E3Adgs6GeiJDsTuhTaRLMEkxCzAJBgNV 17 | BAYTAkNIMSIwIAYDVQQKDBlTU0xzcGxpdCBUZXN0IENlcnRpZmljYXRlMRYwFAYD 18 | VQQDDA1kYW5pZWwucm9lLmNoggEqMDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcw 19 | AYYeaHR0cDovL2RhbmllbC5yb2UuY2gvdGVzdC9vY3NwMC4GA1UdHwQnMCUwI6Ah 20 | oB+GHWh0dHA6Ly9kYW5pZWwucm9lLmNoL3Rlc3QvY3JsMIGSBgNVHREEgYowgYek 21 | SzBJMQswCQYDVQQGEwJDSDEiMCAGA1UECgwZU1NMc3BsaXQgVGVzdCBDZXJ0aWZp 22 | Y2F0ZTEWMBQGA1UEAwwNZGFuaWVsLnJvZS5jaIINZGFuaWVsLnJvZS5jaIcEfwAA 23 | AYENZGFuaWVsQHJvZS5jaIIKd3d3LnJvZS5jaIIIKi5yb2UuY2gwDQYJKoZIhvcN 24 | AQELBQADggEBAJarJbmOlJk/scb/sTd38v/y3GJ0Uho90RNJiBASokftJhBwHVVb 25 | zuY+1sqA5uD/oIN4af3Mq8quG6e8ZbRv8q/Q1eBDHsxG1sQnKHLSZQQD1su/ovAw 26 | 690Qyhosk86obS91PdtB81wfzb/KLdsV3D+9CTCTLZXyqE8vTwq1csDvFSgFuyY2 27 | NRxyPviyxaa9K6mM7KI0B8KPcwaOjfOj4Xjujr9Ejk9Sx2kBnpHHhtTCQ8k4oe/s 28 | avn/R2GPWSUCcwIQ5OdtW7YhhQxXl9X435GtCU430JPnDmSjxGpveN5ZofsgVsDT 29 | Ud07A8i3e915pltac5mtwtPqaxtIsUod3WmkAgQApQMCARKpBAICASyqgaMEgaAM 30 | 
WyMM1IB1slH1ghDpOWuKeroyfgGeQGetuqUjt/R64h66U559fUGhw96SjPmFh6YG 31 | dpkTry9kqIX35BJHZXj0NKQKwujfi5du5Ao/UpDDUK8PADlGX20LI5ElJt7lR8KX 32 | 2eIIk7zM7kIGxjEVznvwJX7e7L4y++tTWmGiB/FfF1FfffnsuBmbbIyKGkDlRv3q 33 | a0GfcZvanfTsuyrim0jA 34 | -----END SSL SESSION PARAMETERS----- 35 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to This Project 2 | 3 | Thank you for your interest in contributing! Your work helps improve and sustain this open source project. 4 | 5 | --- 6 | 7 | ## 🐞 Bug Reports & Feature Requests 8 | 9 | - **Please use GitHub Issues only for bug reports and feature requests.** 10 | - We do **not** provide individual support through GitHub issues. 11 | - For user support or troubleshooting, please use: 12 | - [Information Security Stack Exchange](https://security.stackexchange.com/) 13 | - [Network Engineering Stack Exchange](https://networkengineering.stackexchange.com/) 14 | - [Super User](https://superuser.com/) 15 | 16 | ### When Reporting a Bug 17 | 18 | Please include the following information where applicable: 19 | 20 | - Output of `sslproxy -V` 21 | - Output of `uname -a` 22 | - Exact command line arguments used to run the software 23 | - Relevant debug output (`-D`) 24 | - NAT redirection rules in use, if relevant 25 | - List of failing unit tests from `make test` 26 | - Logs, PCAPs, screenshots, or other supporting materials 27 | 28 | ### When Reporting Build Problems 29 | 30 | - Your OS version and output of `uname -a` 31 | - Full output of the failed `make` run (including the header) 32 | - Version and origin of OpenSSL and libevent 33 | 34 | --- 35 | 36 | ## 💡 Pull Requests 37 | 38 | We welcome pull requests that: 39 | 40 | - Fix bugs or security issues 41 | - Add features or usability improvements 42 | - Improve documentation or tests 43 | 44 | ### Guidelines 45 | 46 | - Fork the repository 
and create your branch from `main` or the default branch. 47 | - Write clear, descriptive commit messages. 48 | - Ensure your code passes existing tests (`make test` or equivalent). 49 | - Add new tests for new features or bug fixes if possible. 50 | - Document any new behavior or configuration options. 51 | - Make sure your code style is consistent with the rest of the project. 52 | 53 | --- 54 | 55 | ## 📝 Code of Conduct 56 | 57 | This project is governed by a [Code of Conduct](CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code. 58 | 59 | --- 60 | 61 | ## 🙏 Thank You 62 | 63 | We appreciate your time and interest in making this project better! 64 | Your contributions help keep open source security strong. 65 | 66 | --- -------------------------------------------------------------------------------- /src/thrqueue.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef THRQUEUE_H 30 | #define THRQUEUE_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | 36 | typedef struct thrqueue thrqueue_t; 37 | 38 | thrqueue_t * thrqueue_new(size_t) MALLOC; 39 | void thrqueue_free(thrqueue_t *) NONNULL(1); 40 | 41 | void * thrqueue_enqueue(thrqueue_t *, void *) NONNULL(1) WUNRES; 42 | void * thrqueue_enqueue_nb(thrqueue_t *, void *) NONNULL(1) WUNRES; 43 | void * thrqueue_dequeue(thrqueue_t *) NONNULL(1) WUNRES; 44 | void * thrqueue_dequeue_nb(thrqueue_t *) NONNULL(1) WUNRES; 45 | void thrqueue_unblock_enqueue(thrqueue_t *) NONNULL(1); 46 | void thrqueue_unblock_dequeue(thrqueue_t *) NONNULL(1); 47 | 48 | #endif /* !THRQUEUE_H */ 49 | 50 | /* vim: set noet ft=c: */ 51 | -------------------------------------------------------------------------------- /tests/testproxy/lp/thrqueue.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. 
Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 
27 | */ 28 | 29 | #ifndef THRQUEUE_H 30 | #define THRQUEUE_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | 36 | typedef struct thrqueue thrqueue_t; 37 | 38 | thrqueue_t * thrqueue_new(size_t) MALLOC; 39 | void thrqueue_free(thrqueue_t *) NONNULL(1); 40 | 41 | void * thrqueue_enqueue(thrqueue_t *, void *) NONNULL(1) WUNRES; 42 | void * thrqueue_enqueue_nb(thrqueue_t *, void *) NONNULL(1) WUNRES; 43 | void * thrqueue_dequeue(thrqueue_t *) NONNULL(1) WUNRES; 44 | void * thrqueue_dequeue_nb(thrqueue_t *) NONNULL(1) WUNRES; 45 | void thrqueue_unblock_enqueue(thrqueue_t *) NONNULL(1); 46 | void thrqueue_unblock_dequeue(thrqueue_t *) NONNULL(1); 47 | 48 | #endif /* !THRQUEUE_H */ 49 | 50 | /* vim: set noet ft=c: */ 51 | -------------------------------------------------------------------------------- /tests/testproxy/testharness_openssl3.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "SSLproxy tests", 3 | "testharnesses": { 4 | "1": { 5 | "comment": "HTTP tests", 6 | "testsets": { 7 | "1": "http_testset_1.json", 8 | "2": "http_testset_2.json", 9 | "3": "http_testset_3.json" 10 | } 11 | }, 12 | "2": { 13 | "comment": "SSL config tests", 14 | "testsets": { 15 | "1": "ssl_testset_4.json", 16 | "2": "ssl_testset_5.json", 17 | "3": "ssl_testset_6.json" 18 | } 19 | }, 20 | "3": { 21 | "comment": "Protocol validation tests", 22 | "testsets": { 23 | "1": "tcp_ssl_testends_testset_1.json", 24 | "2": "ssl_tcp_testends_testset_1.json", 25 | "3": "proto_validate_testset_1.json", 26 | "4": "proto_validate_testset_2.json", 27 | "5": "proto_validate_testset_3.json", 28 | "6": "proto_validate_testset_4.json" 29 | } 30 | }, 31 | "4": { 32 | "comment": "Various option tests", 33 | "testsets": { 34 | "1": "passthrough_testset_1.json", 35 | "2": "verifypeer_testset_1.json", 36 | "3": "verifypeer_testset_2.json", 37 | "4": "ca_testset_1.json", 38 | "5": "ca_testset_2.json", 39 | "6": "userauth_testset_1.json", 40 | "7": 
"userauth_testset_2.json" 41 | } 42 | }, 43 | "5": { 44 | "comment": "Filtering rules tests", 45 | "testsets": { 46 | "1": "filter_divert_testset_1.json", 47 | "2": "filter_split_testset_1.json", 48 | "3": "filter_pass_testset_1.json", 49 | "4": "filter_block_testset_1.json", 50 | "5": "filter_sni_testset_1.json", 51 | "6": "filter_sni_testset_2.json", 52 | "7": "filter_cn_testset_1.json", 53 | "8": "filter_cn_testset_2.json", 54 | "9": "filter_host_testset_1.json", 55 | "10": "filter_host_testset_2.json", 56 | "11": "filter_uri_testset_1.json", 57 | "12": "filter_uri_testset_2.json", 58 | "13": "filter_struct_testset_1.json", 59 | "14": "filter_struct_reconnect_testset_1.json" 60 | } 61 | }, 62 | "6": { 63 | "comment": "Autossl tests", 64 | "testsets": { 65 | "1": "autossl_testset_1.json", 66 | "2": "autossl_testset_2.json" 67 | } 68 | } 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /tests/testproxy/lp/proxy.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 
15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef PROXY_H 30 | #define PROXY_H 31 | 32 | #include "opts.h" 33 | #include "attrib.h" 34 | #include "pxythrmgr.h" 35 | 36 | #include 37 | 38 | typedef struct proxy_ctx proxy_ctx_t; 39 | 40 | /* 41 | * Listener context. 42 | */ 43 | typedef struct proxy_listener_ctx { 44 | pxy_thrmgr_ctx_t *thrmgr; 45 | proxyspec_t *spec; 46 | opts_t *opts; 47 | struct evconnlistener *evcl; 48 | struct proxy_listener_ctx *next; 49 | } proxy_listener_ctx_t; 50 | 51 | proxy_ctx_t * proxy_new(opts_t *, int) NONNULL(1) MALLOC; 52 | void proxy_run(proxy_ctx_t *) NONNULL(1); 53 | void proxy_loopbreak(proxy_ctx_t *) NONNULL(1); 54 | void proxy_free(proxy_ctx_t *) NONNULL(1); 55 | void proxy_listener_errorcb(struct evconnlistener *, UNUSED void *); 56 | 57 | #endif /* !PROXY_H */ 58 | 59 | /* vim: set noet ft=c: */ 60 | -------------------------------------------------------------------------------- /src/cert.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 
6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 
27 | */ 28 | 29 | #ifndef CERT_H 30 | #define CERT_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | #include 36 | 37 | typedef struct cert { 38 | EVP_PKEY *key; 39 | X509 *crt; 40 | STACK_OF(X509) * chain; 41 | pthread_mutex_t mutex; 42 | size_t references; 43 | } cert_t; 44 | 45 | cert_t * cert_new(void) MALLOC; 46 | cert_t * cert_new_load(const char *) MALLOC; 47 | cert_t * cert_new3(EVP_PKEY *, X509 *, STACK_OF(X509) *) MALLOC; 48 | cert_t * cert_new3_copy(EVP_PKEY *, X509 *, STACK_OF(X509) *) MALLOC; 49 | void cert_refcount_inc(cert_t *) NONNULL(1); 50 | void cert_set_key(cert_t *, EVP_PKEY *) NONNULL(1); 51 | void cert_set_crt(cert_t *, X509 *) NONNULL(1); 52 | void cert_set_chain(cert_t *, STACK_OF(X509) *) NONNULL(1); 53 | void cert_free(cert_t *) NONNULL(1); 54 | 55 | #endif /* !CERT_H */ 56 | 57 | /* vim: set noet ft=c: */ 58 | -------------------------------------------------------------------------------- /Mk/buildinfo.mk: -------------------------------------------------------------------------------- 1 | # in: PROJECT_ROOT 2 | # in: PKGNAME 3 | # in: FEATURES (optional) 4 | # in: BUILD_INFO (optional) 5 | # in: OPENSSL (optional) 6 | # in: OPENSSL_FOUND (optional) 7 | # in: SOURCE_DATE_EPOCH (optional) 8 | 9 | ifndef PROJECT_ROOT 10 | $(error PROJECT_ROOT not defined) 11 | endif 12 | 13 | ifndef PKGNAME 14 | $(error PKGNAME not defined) 15 | endif 16 | 17 | ifndef OPENSSL 18 | ifdef OPENSSL_FOUND 19 | OPENSSL= $(OPENSSL_FOUND)/bin/openssl 20 | else 21 | OPENSSL= openssl 22 | endif 23 | endif 24 | 25 | BASENAME?= basename 26 | CUT?= cut 27 | DATE?= date 28 | DIFF?= diff 29 | GIT?= git 30 | GREP?= grep 31 | RM?= rm 32 | SED?= sed 33 | SORT?= sort 34 | TR?= tr 35 | WC?= wc 36 | 37 | GITDIR:= $(wildcard $(PROJECT_ROOT)/.git) 38 | VERSION_FILE:= $(wildcard $(PROJECT_ROOT)/VERSION) 39 | HASHES_FILE:= $(wildcard $(PROJECT_ROOT)/HASHES) 40 | NEWS_FILE:= $(firstword $(wildcard $(PROJECT_ROOT)/NEWS*)) 41 | 42 | ifdef GITDIR 43 | BUILD_VERSION:= $(shell cd 
$(PROJECT_ROOT) && $(GIT) describe --tags --dirty --always) 44 | BUILD_INFO+= V:GIT 45 | else 46 | ifdef VERSION_FILE 47 | BUILD_VERSION:= $(shell $(CAT) $(VERSION_FILE)) 48 | BUILD_INFO+= V:FILE 49 | else 50 | BUILD_VERSION:= $(shell cd $(PROJECT_ROOT) && $(BASENAME) $(PWD)|\ 51 | $(GREP) $(PKGNAME)-|\ 52 | $(SED) 's/.*$(PKGNAME)-\(.*\)/\1/g') 53 | BUILD_INFO+= V:DIR 54 | endif 55 | ifdef HASHES_FILE 56 | BUILD_INFO+= HDIFF:$(shell $(OPENSSL) dgst -sha1 -r *.[hc]|\ 57 | $(SORT) -k 2 >HASHES~;\ 58 | $(DIFF) -u HASHES HASHES~|\ 59 | $(GREP) '^-[^-]'|$(WC) -l|$(TR) -d ' ';\ 60 | $(RM) HASHES~) 61 | endif 62 | ifdef NEWS_FILE 63 | NEWS_SHA:= $(shell $(OPENSSL) dgst -sha1 -r $(NEWS_FILE) |\ 64 | $(CUT) -c -7) 65 | BUILD_INFO+= N:$(NEWS_SHA) 66 | endif 67 | endif # GITDIR 68 | 69 | ifdef SOURCE_DATE_EPOCH 70 | BUILD_DATE:= $(shell \ 71 | $(DATE) -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null||\ 72 | $(DATE) -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null||\ 73 | $(DATE) -u "+%Y-%m-%d") 74 | else 75 | BUILD_DATE:= $(shell date +%Y-%m-%d) 76 | endif 77 | BUILD_CPPFLAGS+=-D"BUILD_PKGNAME=\"$(PKGNAME)\"" \ 78 | -D"BUILD_VERSION=\"$(BUILD_VERSION)\"" \ 79 | -D"BUILD_DATE=\"$(BUILD_DATE)\"" \ 80 | -D"BUILD_INFO=\"$(BUILD_INFO)\"" \ 81 | -D"BUILD_FEATURES=\"$(FEATURES)\"" 82 | 83 | # out: NEWS_FILE 84 | # out: NEWS_SHA 85 | # out: VERSION_FILE 86 | # out: GITDIR 87 | # out: BUILD_VERSION 88 | # out: BUILD_DATE 89 | # out: BUILD_INFO 90 | # out: BUILD_CPPFLAGS 91 | -------------------------------------------------------------------------------- /tests/testproxy/testharness.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "SSLproxy tests", 3 | "testharnesses": { 4 | "1": { 5 | "comment": "HTTP tests", 6 | "testsets": { 7 | "1": "http_testset_1.json", 8 | "2": "http_testset_2.json", 9 | "3": "http_testset_3.json" 10 | } 11 | }, 12 | "2": { 13 | "comment": "SSL config tests", 14 | "testsets": { 15 | "1": 
"ssl_testset_1.json", 16 | "2": "ssl_testset_2.json", 17 | "3": "ssl_testset_3.json", 18 | "4": "ssl_testset_4.json", 19 | "5": "ssl_testset_5.json", 20 | "6": "ssl_testset_6.json" 21 | } 22 | }, 23 | "3": { 24 | "comment": "Protocol validation tests", 25 | "testsets": { 26 | "1": "tcp_ssl_testends_testset_1.json", 27 | "2": "ssl_tcp_testends_testset_1.json", 28 | "3": "proto_validate_testset_1.json", 29 | "4": "proto_validate_testset_2.json", 30 | "5": "proto_validate_testset_3.json", 31 | "6": "proto_validate_testset_4.json" 32 | } 33 | }, 34 | "4": { 35 | "comment": "Various option tests", 36 | "testsets": { 37 | "1": "passthrough_testset_1.json", 38 | "2": "verifypeer_testset_1.json", 39 | "3": "verifypeer_testset_2.json", 40 | "4": "ca_testset_1.json", 41 | "5": "ca_testset_2.json", 42 | "6": "userauth_testset_1.json", 43 | "7": "userauth_testset_2.json" 44 | } 45 | }, 46 | "5": { 47 | "comment": "Filtering rules tests", 48 | "testsets": { 49 | "1": "filter_divert_testset_1.json", 50 | "2": "filter_split_testset_1.json", 51 | "3": "filter_pass_testset_1.json", 52 | "4": "filter_block_testset_1.json", 53 | "5": "filter_sni_testset_1.json", 54 | "6": "filter_sni_testset_2.json", 55 | "7": "filter_cn_testset_1.json", 56 | "8": "filter_cn_testset_2.json", 57 | "9": "filter_host_testset_1.json", 58 | "10": "filter_host_testset_2.json", 59 | "11": "filter_uri_testset_1.json", 60 | "12": "filter_uri_testset_2.json", 61 | "13": "filter_struct_testset_1.json", 62 | "14": "filter_struct_reconnect_testset_1.json" 63 | } 64 | }, 65 | "6": { 66 | "comment": "Autossl tests", 67 | "testsets": { 68 | "1": "autossl_testset_1.json", 69 | "2": "autossl_testset_2.json" 70 | } 71 | } 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /tests/testproxy/lp/pxythrmgr.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * 
https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 
27 | */ 28 | 29 | #ifndef PXYTHRMGR_H 30 | #define PXYTHRMGR_H 31 | 32 | #include "opts.h" 33 | #include "attrib.h" 34 | #include "pxythr.h" 35 | 36 | extern int descriptor_table_size; 37 | #define FD_RESERVE 10 38 | 39 | struct pxy_thrmgr_ctx { 40 | int num_thr; 41 | opts_t *opts; 42 | pxy_thr_ctx_t **thr; 43 | #ifdef DEBUG_PROXY 44 | // Provides unique conn id, always goes up, never down, used in debugging only 45 | // There is no risk of collision if/when it rolls back to 0 46 | long long unsigned int conn_count; 47 | #endif /* DEBUG_PROXY */ 48 | }; 49 | 50 | pxy_thrmgr_ctx_t * pxy_thrmgr_new(opts_t *) MALLOC; 51 | int pxy_thrmgr_run(pxy_thrmgr_ctx_t *) NONNULL(1) WUNRES; 52 | void pxy_thrmgr_free(pxy_thrmgr_ctx_t *) NONNULL(1); 53 | 54 | void pxy_thrmgr_assign_thr(pxy_conn_ctx_t *) NONNULL(1); 55 | 56 | #endif /* !PXYTHRMGR_H */ 57 | 58 | /* vim: set noet ft=c: */ 59 | -------------------------------------------------------------------------------- /src/nat.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 
15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef NAT_H 30 | #define NAT_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | #include 36 | 37 | #include 38 | 39 | typedef int (*nat_lookup_cb_t)(struct sockaddr *, socklen_t *, evutil_socket_t, 40 | struct sockaddr *, socklen_t); 41 | typedef int (*nat_socket_cb_t)(evutil_socket_t); 42 | 43 | int nat_exist(const char *) WUNRES; 44 | int nat_used(const char *) WUNRES; 45 | nat_lookup_cb_t nat_getlookupcb(const char *) WUNRES; 46 | nat_socket_cb_t nat_getsocketcb(const char *) WUNRES; 47 | int nat_ipv6ready(const char *) WUNRES; 48 | 49 | const char *nat_getdefaultname(void) WUNRES; 50 | void nat_list_engines(void); 51 | int nat_preinit(void) WUNRES; 52 | void nat_preinit_undo(void); 53 | int nat_init(void) WUNRES; 54 | void nat_fini(void); 55 | void nat_version(void); 56 | 57 | #endif /* !NAT_H */ 58 | 59 | /* vim: set noet ft=c: */ 60 | -------------------------------------------------------------------------------- /src/pxythrmgr.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 
| * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * Copyright (c) 2017-2025, Soner Tari . 7 | * All rights reserved. 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted provided that the following conditions are met: 11 | * 1. Redistributions of source code must retain the above copyright notice, 12 | * this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright notice, 14 | * this list of conditions and the following disclaimer in the documentation 15 | * and/or other materials provided with the distribution. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 18 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 21 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 | * POSSIBILITY OF SUCH DAMAGE. 
28 | */ 29 | 30 | #ifndef PXYTHRMGR_H 31 | #define PXYTHRMGR_H 32 | 33 | #include "opts.h" 34 | #include "attrib.h" 35 | #include "pxythr.h" 36 | 37 | extern int descriptor_table_size; 38 | #define FD_RESERVE 10 39 | 40 | struct pxy_thrmgr_ctx { 41 | int num_thr; 42 | global_t *global; 43 | pxy_thr_ctx_t **thr; 44 | #ifdef DEBUG_PROXY 45 | // Provides unique conn id, always goes up, never down, used in debugging only 46 | // There is no risk of collision if/when it rolls back to 0 47 | long long unsigned int conn_count; 48 | #endif /* DEBUG_PROXY */ 49 | }; 50 | 51 | pxy_thrmgr_ctx_t * pxy_thrmgr_new(global_t *) MALLOC; 52 | int pxy_thrmgr_run(pxy_thrmgr_ctx_t *) NONNULL(1) WUNRES; 53 | void pxy_thrmgr_free(pxy_thrmgr_ctx_t *) NONNULL(1); 54 | 55 | void pxy_thrmgr_assign_thr(pxy_conn_ctx_t *) NONNULL(1); 56 | 57 | #endif /* !PXYTHRMGR_H */ 58 | 59 | /* vim: set noet ft=c: */ 60 | -------------------------------------------------------------------------------- /tests/check/logbuf.t.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 
15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #include "logbuf.h" 30 | 31 | #include 32 | 33 | #include 34 | 35 | START_TEST(logbuf_make_contiguous_01) 36 | { 37 | logbuf_t *lb; 38 | 39 | lb = logbuf_new_printf(NULL, "%s", "789"); 40 | lb = logbuf_new_printf(lb, "%s", "456"); 41 | lb = logbuf_new_printf(lb, "%s", "123"); 42 | lb = logbuf_make_contiguous(lb); 43 | ck_assert_msg(!!lb, "logbuf_make_contiguous failed"); 44 | ck_assert_msg(!lb->next, "multiple buffers"); 45 | ck_assert_msg(logbuf_size(lb) == 9, "buffer size incorrect"); 46 | ck_assert_msg(!memcmp(lb->buf, "123456789", 9), "buffer value incorrect"); 47 | logbuf_free(lb); 48 | } 49 | END_TEST 50 | 51 | Suite * 52 | logbuf_suite(void) 53 | { 54 | Suite *s; 55 | TCase *tc; 56 | 57 | s = suite_create("logbuf"); 58 | 59 | tc = tcase_create(""); 60 | tcase_add_test(tc, logbuf_make_contiguous_01); 61 | suite_add_tcase(s, tc); 62 | 63 | return s; 64 | } 65 | 66 | /* vim: set noet ft=c: */ 67 | -------------------------------------------------------------------------------- /tests/testproxy/proto_validate_testset_1.json: -------------------------------------------------------------------------------- 1 | { 2 | 
"comment": "Tests for HTTP GET method validation", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "tcp" 7 | }, 8 | "client": { 9 | "ip": "127.0.0.1", 10 | "port": "8184" 11 | }, 12 | "server": { 13 | "ip": "127.0.0.1", 14 | "port": "9184" 15 | } 16 | }, 17 | "2": { 18 | "proto": { 19 | "proto": "ssl" 20 | }, 21 | "client": { 22 | "ip": "127.0.0.1", 23 | "port": "8444" 24 | }, 25 | "server": { 26 | "ip": "127.0.0.1", 27 | "port": "9444", 28 | "crt": "server.crt", 29 | "key": "server.key" 30 | } 31 | } 32 | }, 33 | "tests": { 34 | "1": { 35 | "comment": "Validates GET", 36 | "states": { 37 | "1": { 38 | "testend": "client", 39 | "cmd": "send", 40 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n" 41 | }, 42 | "2": { 43 | "testend": "server", 44 | "cmd": "recv", 45 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n" 46 | } 47 | } 48 | }, 49 | "2": { 50 | "comment": "Does not validate GE as a method", 51 | "states": { 52 | "1": { 53 | "testend": "client", 54 | "cmd": "send", 55 | "payload": "GE / HTTP/1.1\r\nHost: example.com\r\n\r\n" 56 | }, 57 | "2": { 58 | "testend": "server", 59 | "cmd": "recv", 60 | "payload": "", 61 | "comment": "SSLproxy should not validate method GE, so should not send any data" 62 | } 63 | } 64 | }, 65 | "3": { 66 | "comment": "Does not validate GE1 as a method", 67 | "states": { 68 | "1": { 69 | "testend": "client", 70 | "cmd": "send", 71 | "payload": "GE1 / HTTP/1.1\r\nHost: example.com\r\n\r\n" 72 | }, 73 | "2": { 74 | "testend": "server", 75 | "cmd": "recv", 76 | "payload": "" 77 | } 78 | } 79 | }, 80 | "4": { 81 | "comment": "Does not validate GET1 as a method", 82 | "states": { 83 | "1": { 84 | "testend": "client", 85 | "cmd": "send", 86 | "payload": "GET1 / HTTP/1.1\r\nHost: example.com\r\n\r\n" 87 | }, 88 | "2": { 89 | "testend": "server", 90 | "cmd": "recv", 91 | "payload": "" 92 | } 93 | } 94 | } 95 | } 96 | } -------------------------------------------------------------------------------- 
/tests/testproxy/proto_validate_testset_2.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for HTTP POST method validation", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "tcp" 7 | }, 8 | "client": { 9 | "ip": "127.0.0.1", 10 | "port": "8185" 11 | }, 12 | "server": { 13 | "ip": "127.0.0.1", 14 | "port": "9185" 15 | } 16 | }, 17 | "2": { 18 | "proto": { 19 | "proto": "ssl" 20 | }, 21 | "client": { 22 | "ip": "127.0.0.1", 23 | "port": "8445" 24 | }, 25 | "server": { 26 | "ip": "127.0.0.1", 27 | "port": "9445", 28 | "crt": "server.crt", 29 | "key": "server.key" 30 | } 31 | } 32 | }, 33 | "tests": { 34 | "1": { 35 | "comment": "Validates POST", 36 | "states": { 37 | "1": { 38 | "testend": "client", 39 | "cmd": "send", 40 | "payload": "POST / HTTP/1.1\r\nHost: example.com\r\n\r\n" 41 | }, 42 | "2": { 43 | "testend": "server", 44 | "cmd": "recv", 45 | "payload": "POST / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n" 46 | } 47 | } 48 | }, 49 | "2": { 50 | "comment": "Does not validate POS as a method", 51 | "states": { 52 | "1": { 53 | "testend": "client", 54 | "cmd": "send", 55 | "payload": "POS / HTTP/1.1\r\nHost: example.com\r\n\r\n" 56 | }, 57 | "2": { 58 | "testend": "server", 59 | "cmd": "recv", 60 | "payload": "", 61 | "comment": "SSLproxy should not validate method POS, so should not send any data" 62 | } 63 | } 64 | }, 65 | "3": { 66 | "comment": "Does not validate POS1 as a method", 67 | "states": { 68 | "1": { 69 | "testend": "client", 70 | "cmd": "send", 71 | "payload": "POS1 / HTTP/1.1\r\nHost: example.com\r\n\r\n" 72 | }, 73 | "2": { 74 | "testend": "server", 75 | "cmd": "recv", 76 | "payload": "" 77 | } 78 | } 79 | }, 80 | "4": { 81 | "comment": "Does not validate POST1 as a method", 82 | "states": { 83 | "1": { 84 | "testend": "client", 85 | "cmd": "send", 86 | "payload": "POST1 / HTTP/1.1\r\nHost: example.com\r\n\r\n" 87 | }, 88 | "2": { 89 | "testend": "server", 90 | 
"cmd": "recv", 91 | "payload": "" 92 | } 93 | } 94 | } 95 | } 96 | } -------------------------------------------------------------------------------- /src/util.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #include 30 | 31 | /* 32 | * Various utility functions. 33 | */ 34 | 35 | /* 36 | * Returns a pointer to the first non-whitespace character in s. 
37 | * Only space and tab characters are considered whitespace. 38 | */ 39 | char * 40 | util_skipws(const char *s) 41 | { 42 | return (char*) s + strspn(s, " \t"); 43 | } 44 | 45 | /* 46 | * Returns the length of the first word in a given memory area. 47 | * Memory area may not be null-terminated, hence we cannot use string 48 | * manipulation functions. 49 | */ 50 | size_t 51 | util_get_first_word_len(char *mem, size_t size) 52 | { 53 | char *end; 54 | // @attention The detection order of ws chars is important: space, tab, cr, and nl 55 | if ((end = memchr(mem, ' ', size)) || 56 | (end = memchr(mem, '\t', size)) || 57 | (end = memchr(mem, '\r', size)) || 58 | (end = memchr(mem, '\n', size)) || 59 | (end = memchr(mem, '\0', size))) { 60 | return (size_t)(end - mem); 61 | } 62 | return size; 63 | } 64 | 65 | /* vim: set noet ft=c: */ 66 | -------------------------------------------------------------------------------- /tests/testproxy/http_testset_3.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for HTTP response headers: Deny OCSP request, Remove Accept-Encoding, and Do not remove Referer", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "tcp" 7 | }, 8 | "client": { 9 | "ip": "127.0.0.1", 10 | "port": "8186" 11 | }, 12 | "server": { 13 | "ip": "127.0.0.1", 14 | "port": "9186" 15 | } 16 | }, 17 | "2": { 18 | "proto": { 19 | "proto": "ssl", 20 | "crt": "server.crt", 21 | "key": "server.key" 22 | }, 23 | "client": { 24 | "ip": "127.0.0.1", 25 | "port": "8448" 26 | }, 27 | "server": { 28 | "ip": "127.0.0.1", 29 | "port": "9448" 30 | } 31 | } 32 | }, 33 | "tests": { 34 | "1": { 35 | "comment": "Denies OCSP request", 36 | "states": { 37 | "1": { 38 | "testend": "client", 39 | "cmd": "send", 40 | "payload": "POST / HTTP/1.1\r\nHost: example.com\r\nContent-Type: application/ocsp-request\r\n\r\n", 41 | "comment": "It is easier to send a dummy POST ocsp request than a valid GET one" 42 | }, 43 | 
"2": { 44 | "testend": "client", 45 | "cmd": "recv", 46 | "payload_file": "payload_ocsp_denied_response.bin", 47 | "comment": "The client should certainly receive the ocsp denied response from SSLproxy", 48 | "comment": "But it is not certain if the server should receive the ocsp request of the client or not, it depends on libevent and various conditions at that moment" 49 | } 50 | } 51 | }, 52 | "2": { 53 | "comment": "Remove Accept-Encoding", 54 | "states": { 55 | "1": { 56 | "testend": "client", 57 | "cmd": "send", 58 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\nAccept-Encoding: encoding\r\n\r\n" 59 | }, 60 | "2": { 61 | "testend": "server", 62 | "cmd": "recv", 63 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n" 64 | } 65 | } 66 | }, 67 | "3": { 68 | "comment": "Does not remove Referer", 69 | "states": { 70 | "1": { 71 | "testend": "client", 72 | "cmd": "send", 73 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\nReferer: referer\r\n\r\n" 74 | }, 75 | "2": { 76 | "testend": "server", 77 | "cmd": "recv", 78 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\nReferer: referer\r\nConnection: close\r\n\r\n" 79 | } 80 | } 81 | } 82 | } 83 | } -------------------------------------------------------------------------------- /src/proxy.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. 
Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef PROXY_H 30 | #define PROXY_H 31 | 32 | #include "opts.h" 33 | #include "attrib.h" 34 | #include "pxythrmgr.h" 35 | 36 | #include 37 | 38 | typedef struct proxy_ctx proxy_ctx_t; 39 | 40 | /* 41 | * Listener context. 
42 | */ 43 | typedef struct proxy_listener_ctx { 44 | pxy_thrmgr_ctx_t *thrmgr; 45 | proxyspec_t *spec; 46 | global_t *global; 47 | #ifndef WITHOUT_USERAUTH 48 | evutil_socket_t clisock; 49 | #endif /* !WITHOUT_USERAUTH */ 50 | struct evconnlistener *evcl; 51 | struct proxy_listener_ctx *next; 52 | } proxy_listener_ctx_t; 53 | 54 | proxy_ctx_t * proxy_new(global_t *, int) NONNULL(1) MALLOC; 55 | int proxy_run(proxy_ctx_t *) NONNULL(1); 56 | void proxy_loopbreak(proxy_ctx_t *, int) NONNULL(1); 57 | void proxy_free(proxy_ctx_t *) NONNULL(1); 58 | void proxy_listener_errorcb(struct evconnlistener *, UNUSED void *); 59 | 60 | pxy_conn_ctx_t *proxy_conn_ctx_new(evutil_socket_t, pxy_thrmgr_ctx_t *, proxyspec_t *, global_t * 61 | #ifndef WITHOUT_USERAUTH 62 | , evutil_socket_t 63 | #endif /* !WITHOUT_USERAUTH */ 64 | ) MALLOC NONNULL(2,3,4); 65 | #endif /* !PROXY_H */ 66 | 67 | /* vim: set noet ft=c: */ 68 | -------------------------------------------------------------------------------- /tests/testproxy/lp/defaults.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 
15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef DEFAULTS_H 30 | #define DEFAULTS_H 31 | 32 | /* 33 | * Defaults for convenient tweaking or patching. 34 | */ 35 | 36 | /* 37 | * User to drop privileges to by default. This user needs to be allowed to 38 | * create outbound TCP connections, and in some configurations, perform DNS 39 | * resolution. 40 | * 41 | * Packagers may want to use a specific service user account instead of 42 | * overloading nobody with yet another use case. Using nobody for source 43 | * builds makes sense because chances are high that it exists. Good practice 44 | * is to create a dedicated user for sslsplit. 45 | * 46 | * Make sure to also patch the manual page if you patch this. 47 | */ 48 | #define DFLT_DROPUSER "nobody" 49 | 50 | /* 51 | * Default file and directory modes for newly created files and directories 52 | * created as part of e.g. logging. The default is to use full permissions 53 | * subject to the system's umask, as is the default for system utilities. 54 | * Use a more restrictive mode for the PID file. 
55 | */ 56 | #define DFLT_DIRMODE 0777 57 | #define DFLT_FILEMODE 0666 58 | #define DFLT_PIDFMODE 0644 59 | 60 | #endif /* !DEFAULTS_H */ 61 | 62 | /* vim: set noet ft=c: */ 63 | -------------------------------------------------------------------------------- /Mk/bin/install-opt.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | if [ -z "$SSL" ]; then 3 | echo '$SSL not set, aborting' >&2 4 | exit 1 5 | fi 6 | if [ -z "$EVENT" ]; then 7 | echo '$EVENT not set, aborting' >&2 8 | exit 1 9 | fi 10 | 11 | case "$SSL" in 12 | openssl-0.9.*) 13 | SSLURL=https://www.openssl.org/source/old/0.9.x/$SSL.tar.gz 14 | ;; 15 | openssl-1.0.0*) 16 | SSLURL=https://www.openssl.org/source/old/1.0.0/$SSL.tar.gz 17 | ;; 18 | openssl-1.0.1*) 19 | SSLURL=https://www.openssl.org/source/old/1.0.1/$SSL.tar.gz 20 | ;; 21 | openssl-1.0.2*) 22 | SSLURL=https://www.openssl.org/source/old/1.0.2/$SSL.tar.gz 23 | ;; 24 | openssl-1.1.0*) 25 | SSLURL=https://www.openssl.org/source/old/1.1.0/$SSL.tar.gz 26 | ;; 27 | openssl-1.1.1*) 28 | SSLURL=https://www.openssl.org/source/old/1.1.1/$SSL.tar.gz 29 | ;; 30 | openssl-*) 31 | SSLURL=https://www.openssl.org/source/$SSL.tar.gz 32 | ;; 33 | libressl-*) 34 | #SSLURL=https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$SSL.tar.gz 35 | SSLURL=http://ftp.fau.de/pub/OpenBSD/LibreSSL/$SSL.tar.gz 36 | ;; 37 | *) 38 | exit 1 39 | ;; 40 | esac 41 | 42 | case "$EVENT" in 43 | libevent-2.1.8) 44 | EVENTURL=https://github.com/libevent/libevent/releases/download/release-2.1.8-stable/libevent-2.1.8-stable.tar.gz 45 | EVENTPATCH=Mk/patches/libevent-2.1.8.diff 46 | EVENTOPTS="$EVENTOPTS --disable-libevent-regress --disable-samples" 47 | ;; 48 | libevent-2.1.11) 49 | EVENTURL=https://github.com/libevent/libevent/releases/download/release-2.1.11-stable/libevent-2.1.11-stable.tar.gz 50 | EVENTOPTS="$EVENTOPTS --disable-libevent-regress --disable-samples" 51 | ;; 52 | libevent-2.0.22) 53 | 
EVENTURL=https://github.com/libevent/libevent/releases/download/release-2.0.22-stable/libevent-2.0.22-stable.tar.gz 54 | ;; 55 | *) 56 | exit 1 57 | ;; 58 | esac 59 | 60 | if [ ! -d "$HOME/opt/$SSL" ]; then 61 | if [ "`uname`" = "Linux" ]; then 62 | SSLOPTS="$SSLOPTS -Wl,-rpath=$HOME/opt/$SSL/lib" 63 | fi 64 | # Do not verify server cert due to expired Let's Encrypt cert 65 | wget --no-check-certificate "$SSLURL" || exit 1 66 | tar -xzvf "$SSL.tar.gz" || exit 1 67 | cd "$SSL" || exit 1 68 | ./config shared \ 69 | --prefix="$HOME/opt/$SSL" \ 70 | --openssldir="$HOME/opt/$SSL" \ 71 | $SSLOPTS || exit 1 72 | make && make install || { rm -rf "$HOME/opt/$SSL"; exit 1; } 73 | cd .. 74 | fi 75 | 76 | export CPPFLAGS="-I$HOME/opt/$SSL/include" 77 | export LDFLAGS="-L$HOME/opt/$SSL/lib" 78 | 79 | if [ ! -d "$HOME/opt/$EVENT" ]; then 80 | wget "$EVENTURL" || exit 1 81 | tar -xzvf "$EVENT-stable.tar.gz" || exit 1 82 | cd "$EVENT-stable" || exit 1 83 | if [ -n "$EVENTPATCH" ]; then 84 | patch -p0 < ../$EVENTPATCH || exit 1 85 | fi 86 | ./configure --prefix="$HOME/opt/$EVENT" $EVENTOPTS || exit 1 87 | make && make install || { rm -rf "$HOME/opt/$EVENT"; exit 1; } 88 | cd .. 89 | fi 90 | 91 | -------------------------------------------------------------------------------- /src/logpkt.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. 
Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 
27 | */ 28 | 29 | #ifndef LOGPKT_H 30 | #define LOGPKT_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | #include 36 | #include 37 | 38 | #ifndef WITHOUT_MIRROR 39 | #include 40 | #else /* WITHOUT_MIRROR */ 41 | #define libnet_t void 42 | #define ETHER_ADDR_LEN 6 43 | #endif /* WITHOUT_MIRROR */ 44 | 45 | typedef struct { 46 | libnet_t *libnet; 47 | uint8_t src_ether[ETHER_ADDR_LEN]; 48 | uint8_t dst_ether[ETHER_ADDR_LEN]; 49 | struct sockaddr_storage src_addr; 50 | struct sockaddr_storage dst_addr; 51 | uint32_t src_seq; 52 | uint32_t dst_seq; 53 | size_t mss; 54 | } logpkt_ctx_t; 55 | 56 | #define LOGPKT_REQUEST 0 57 | #define LOGPKT_RESPONSE 1 58 | 59 | int logpkt_pcap_open_fd(int fd) WUNRES; 60 | void logpkt_ctx_init(logpkt_ctx_t *, libnet_t *, size_t, 61 | const uint8_t *, const uint8_t *, 62 | const struct sockaddr *, socklen_t, 63 | const struct sockaddr *, socklen_t); 64 | int logpkt_write_payload(logpkt_ctx_t *, int, int, 65 | const unsigned char *, size_t) WUNRES; 66 | int logpkt_write_close(logpkt_ctx_t *, int, int); 67 | int logpkt_ether_lookup(libnet_t *, uint8_t *, uint8_t *, 68 | const char *, const char *) WUNRES; 69 | 70 | #endif /* !LOGPKT_H */ 71 | -------------------------------------------------------------------------------- /src/proc.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. 
Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 
27 | */ 28 | 29 | #ifndef PROC_H 30 | #define PROC_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | #include 36 | 37 | #include 38 | 39 | #if defined(HAVE_DARWIN_LIBPROC) || defined(__FreeBSD__) 40 | #define HAVE_LOCAL_PROCINFO 41 | #endif 42 | 43 | #ifdef HAVE_DARWIN_LIBPROC 44 | #ifndef LOCAL_PROCINFO_STR 45 | #define LOCAL_PROCINFO_STR "Darwin libproc" 46 | #define proc_pid_for_addr(a,b,c) proc_darwin_pid_for_addr(a,b,c) 47 | #define proc_get_info(a,b,c,d) proc_darwin_get_info(a,b,c,d) 48 | #endif /* LOCAL_PROCINFO_STR */ 49 | int proc_darwin_pid_for_addr(pid_t *, struct sockaddr *, socklen_t) WUNRES NONNULL(1,2); 50 | int proc_darwin_get_info(pid_t, char **, uid_t *, gid_t *) WUNRES NONNULL(2,3,4); 51 | #endif /* HAVE_DARWIN_LIBPROC */ 52 | 53 | #ifdef __FreeBSD__ 54 | #ifndef LOCAL_PROCINFO_STR 55 | #define LOCAL_PROCINFO_STR "FreeBSD sysctl" 56 | #define proc_pid_for_addr(a,b,c) proc_freebsd_pid_for_addr(a,b,c) 57 | #define proc_get_info(a,b,c,d) proc_freebsd_get_info(a,b,c,d) 58 | #endif /* LOCAL_PROCINFO_STR */ 59 | int proc_freebsd_pid_for_addr(pid_t *, struct sockaddr *, socklen_t) WUNRES NONNULL(1,2); 60 | int proc_freebsd_get_info(pid_t, char **, uid_t *, gid_t *) WUNRES NONNULL(2,3,4); 61 | #endif /* __FreeBSD__ */ 62 | 63 | #endif /* !PROC_H */ 64 | 65 | /* vim: set noet ft=c: */ 66 | -------------------------------------------------------------------------------- /tests/testproxy/lp/pxythr.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2017-2025, Soner Tari . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 
12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 
27 | */ 28 | 29 | #ifndef PXYTHR_H 30 | #define PXYTHR_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | #include 36 | 37 | #include 38 | #include 39 | #include 40 | 41 | typedef struct pxy_conn_ctx pxy_conn_ctx_t; 42 | typedef struct pxy_thrmgr_ctx pxy_thrmgr_ctx_t; 43 | 44 | typedef struct pxy_thr_ctx { 45 | pthread_t thr; 46 | int id; 47 | pxy_thrmgr_ctx_t *thrmgr; 48 | size_t load; 49 | struct event_base *evbase; 50 | int running; 51 | 52 | // Statistics 53 | evutil_socket_t max_fd; 54 | size_t max_load; 55 | size_t errors; 56 | size_t set_watermarks; 57 | size_t unset_watermarks; 58 | long long unsigned int intif_in_bytes; 59 | long long unsigned int intif_out_bytes; 60 | long long unsigned int extif_in_bytes; 61 | long long unsigned int extif_out_bytes; 62 | // Each stats has an id, incremented on each stats print 63 | unsigned short stats_id; 64 | // Used to print statistics, compared against stats_period 65 | unsigned int timeout_count; 66 | 67 | // List of active connections on the thread 68 | pxy_conn_ctx_t *conns; 69 | } pxy_thr_ctx_t; 70 | 71 | void pxy_thr_attach(pxy_conn_ctx_t *) NONNULL(1); 72 | void pxy_thr_detach(pxy_conn_ctx_t *) NONNULL(1); 73 | void *pxy_thr(void *); 74 | 75 | #endif /* !PXYTHR_H */ 76 | 77 | /* vim: set noet ft=c: */ 78 | -------------------------------------------------------------------------------- /tests/check/engine/dummy-engine.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. 
Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | /* 30 | * Dummy OpenSSL engine. Does not do anything useful except being loadable. 31 | * It deliberately builds fine even if engine support is unavailable. 
 *
 * gcc -I/opt/local/include -fPIC -o dummy-engine.o -c dummy-engine.c
 * gcc -L/opt/local/lib -shared -o dummy-engine.dylib -lcrypto dummy-engine.o
 * openssl engine -t -c `pwd`/dummy-engine.dylib
 *
 * Loading an engine loads arbitrary code into the process; presumably that
 * is why the example hands `openssl engine` an absolute path instead of a
 * bare name resolved through the engine search path.
 */

#include /* NOTE(review): header name lost in this copy (fprintf/stderr are used below) */

#include /* NOTE(review): header name lost in this copy */
#ifndef OPENSSL_NO_ENGINE
#include /* NOTE(review): header name lost in this copy (ENGINE API) */

/*
 * Bind callback invoked by OpenSSL's dynamic engine loader; exported via
 * IMPLEMENT_DYNAMIC_BIND_FN() below.
 *
 * engine: the ENGINE object to populate.
 * id:     engine id requested by the loader; unused, the engine always
 *         registers itself as "dummy".
 * Returns 1 on success, 0 if setting the id or the name failed (the failing
 * call is reported on stderr). No cipher/digest/key methods are registered,
 * so the engine is loadable but otherwise inert.
 *
 * NOTE(review): the name `bind` collides with bind(2) if a socket header
 * ever gets pulled in; it compiles today, but a rename would be cheap.
 */
static int
bind(ENGINE *engine, const char *id)
{
	// Engines are deprecated but should still work with OpenSSL 3.x, so we just suppress the deprecation warnings
	// see ssl_engine() in src/ssl.c as well
	// NOTE(review): the pragma is not bracketed by push/pop, so it silences the
	// warning for the rest of this translation unit, not only this function.
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */

	if (!ENGINE_set_id(engine, "dummy")) {
		fprintf(stderr, "ENGINE_set_id() failed\n");
		return 0;
	}
	if (!ENGINE_set_name(engine, "dummy engine")) {
		fprintf(stderr, "ENGINE_set_name() failed\n");
		return 0;
	}
	return 1;
}

/* Export the bind and check (v_check) entry points the dynamic loader looks for. */
IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()
#endif /* !OPENSSL_NO_ENGINE */

--------------------------------------------------------------------------------
/src/protohttp.h:
--------------------------------------------------------------------------------
/*-
 * SSLsplit - transparent SSL/TLS interception
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger .
 * Copyright (c) 2017-2025, Soner Tari .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 * 1. Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 * 2.
Redistributions in binary form must reproduce the above copyright notice, 14 | * this list of conditions and the following disclaimer in the documentation 15 | * and/or other materials provided with the distribution. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 18 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 21 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 | * POSSIBILITY OF SUCH DAMAGE. 
 */

#ifndef PROTOHTTP_H
#define PROTOHTTP_H

#include "pxyconn.h"

/*
 * Per-connection state of the HTTP/HTTPS protocol handler.
 *
 * Security note: every char * below is derived from bytes the peer sent
 * (request line, headers, status line). They are untrusted input: whatever
 * logs or compares them must escape them for the log format and must not
 * make decisions on their content without validation. Allocation and
 * ownership are not visible here — presumably heap strings released together
 * with the ctx; confirm in protohttp.c.
 */
typedef struct protohttp_ctx {
	unsigned int seen_req_header : 1;       /* 0 until request header complete */
	unsigned int seen_resp_header : 1;      /* 0 until response hdr complete */
	unsigned int sent_http_conn_close : 1;  /* 0 until Conn: close sent */
	unsigned int ocsp_denied : 1;           /* 1 if OCSP was denied */

	/* log strings from HTTP request */
	char *http_method;
	char *http_uri;
	char *http_host;
	char *http_content_type;

	/* log strings from HTTP response */
	char *http_status_code;
	char *http_status_text;
	char *http_content_length;

	unsigned int not_valid : 1;             /* 1 if cannot find HTTP on first line */
	/* Counters presumably maintained by protohttp_validate(); which keywords
	 * and which bytes they count is defined in protohttp.c — confirm there. */
	unsigned int seen_keyword_count;
	long long unsigned int seen_bytes;
} protohttp_ctx_t;

/* Presumably decides whether the traffic seen so far is HTTP (cf. not_valid); int result convention lives in protohttp.c. */
int protohttp_validate(pxy_conn_ctx_t *) NONNULL(1);

/* Install the plain-HTTP or HTTPS handler on a parent connection; returns the resulting protocol_t. */
protocol_t protohttp_setup(pxy_conn_ctx_t *) NONNULL(1);
protocol_t protohttps_setup(pxy_conn_ctx_t *) NONNULL(1);

/* Same for a child connection context. */
protocol_t protohttp_setup_child(pxy_conn_child_ctx_t *) NONNULL(1);
protocol_t protohttps_setup_child(pxy_conn_child_ctx_t *) NONNULL(1);

#endif /* !PROTOHTTP_H */

/* vim: set noet ft=c: */
--------------------------------------------------------------------------------
/tests/testproxy/lp/attrib.h:
--------------------------------------------------------------------------------
/*
 * SSLsplit - transparent SSL/TLS interception
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 * 1. Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 * 2.
Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef ATTRIB_H 30 | #define ATTRIB_H 31 | 32 | /* 33 | * GCC attributes and built-ins for improved compile-time error checking 34 | * and performance optimization. 35 | * 36 | * All of these are fully optional and are automatically disabled on non-GCC 37 | * and non-LLVM/clang compilers. 38 | */ 39 | 40 | /* 41 | * Attributes. 42 | * These serve to improve the compiler warnings or optimizations. 43 | */ 44 | 45 | #if !defined(__GNUC__) && !defined(__clang__) 46 | #define __attribute__(x) 47 | #endif 48 | 49 | #define UNUSED __attribute__((unused)) 50 | #define NORET __attribute__((noreturn)) 51 | #define PRINTF(f,a) __attribute__((format(printf,(f),(a)))) 52 | #define SCANF(f,a) __attribute__((format(scanf,(f),(a)))) 53 | #define WUNRES __attribute__((warn_unused_result)) 54 | #define MALLOC __attribute__((malloc)) WUNRES 55 | #define NONNULL(...) 
__attribute__((nonnull(__VA_ARGS__))) 56 | #define PURE __attribute__((pure)) 57 | 58 | /* 59 | * Branch prediction macros. 60 | * These serve to tell the compiler which of the branches is more likely. 61 | */ 62 | 63 | #if !defined(__GNUC__) && !defined(__clang__) 64 | #define likely(expr) (expr) 65 | #define unlikely(expr) (expr) 66 | #else 67 | #define likely(expr) __builtin_expect((expr), 1) 68 | #define unlikely(expr) __builtin_expect((expr), 0) 69 | #endif 70 | 71 | #endif /* !ATTRIB_H */ 72 | 73 | /* vim: set noet ft=c: */ 74 | -------------------------------------------------------------------------------- /tests/testproxy/lp/sys.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef SYS_H
#define SYS_H

/*
 * OS helpers for the lp test proxy: privilege dropping, pid files,
 * user/group lookups, socket address parsing/formatting, filesystem helpers
 * and descriptor passing. Every function marked WUNRES can fail and its
 * return value must be checked.
 */

#include "attrib.h"

#include /* NOTE(review): header name lost in this copy */
#include /* NOTE(review): header name lost in this copy */
#include /* NOTE(review): header name lost in this copy */

/*
 * Drop privileges. The first argument is a user name (defaults.t.c calls it
 * as sys_privdrop(DFLT_DROPUSER, NULL, NULL)); the other two are optional
 * (no NONNULL) and presumably a group name and a jail/chroot directory —
 * confirm in sys.c. Security: a non-zero return means the process still has
 * its original privileges; callers must treat that as fatal, not continue.
 */
int sys_privdrop(const char *, const char *, const char *) WUNRES;

/* Pid file handling: open the named file (returns an fd or an error), write our pid to it, close it (and presumably remove the named path). */
int sys_pidf_open(const char *) NONNULL(1) WUNRES;
int sys_pidf_write(int) WUNRES;
void sys_pidf_close(int, const char *) NONNULL(2);

/* Name to uid/gid resolution and existence checks; sys_isgeteuid() presumably tests whether the named user matches the effective uid. */
int sys_uid(const char *, uid_t *) NONNULL(1) WUNRES;
int sys_gid(const char *, gid_t *) NONNULL(1) WUNRES;
int sys_isuser(const char *) NONNULL(1) WUNRES;
int sys_isgroup(const char *) NONNULL(1) WUNRES;
int sys_isgeteuid(const char *) NONNULL(1) WUNRES;

/*
 * Socket address helpers. sys_sockaddr_parse() fills a sockaddr_storage and
 * its length from host and port strings (all four required); the meaning of
 * the two trailing ints is not visible here — presumably address family and
 * a flag, confirm in sys.c. sys_sockaddr_str() renders an address into
 * host and port strings returned through the two out params (presumably
 * allocated; confirm who frees them).
 */
int sys_get_af(const char *);
int sys_sockaddr_parse(struct sockaddr_storage *, socklen_t *,
                       char *, char *, int, int) NONNULL(1,2,3,4) WUNRES;
int sys_sockaddr_str(struct sockaddr *, socklen_t,
                     char **, char **) NONNULL(1,3,4);
/* Returns a newly allocated sanitized copy of an IPv4/IPv6 address string (MALLOC: caller frees). */
char * sys_ip46str_sanitize(const char *) NONNULL(1) MALLOC;

/* Filesystem helpers; sys_mkpath() takes the permission bits for created directories, sys_realdir() returns a newly allocated path (MALLOC: caller frees). */
int sys_isdir(const char *) NONNULL(1) WUNRES;
int sys_mkpath(const char *, mode_t) NONNULL(1) WUNRES;
char * sys_realdir(const char *) NONNULL(1) MALLOC;

uint32_t sys_get_cpu_cores(void) WUNRES;

/*
 * Send/receive a message buffer together with one file descriptor over the
 * socket given as the first argument (presumably SCM_RIGHTS — confirm in
 * sys.c). sys_recvmsgfd() stores the received descriptor through the int
 * out param. Security: a received descriptor is only as trusted as the peer
 * on that socket; use these only across a boundary you control, such as a
 * privilege-separation channel, never on a socket exposed to clients.
 */
ssize_t sys_sendmsgfd(int, void *, size_t, int) NONNULL(2) WUNRES;
ssize_t sys_recvmsgfd(int, void *, size_t, int *) NONNULL(2) WUNRES;

#endif /* !SYS_H */

/* vim: set noet ft=c: */

-------------------------------------------------------------------------------- /src/attrib.h: -------------------------------------------------------------------------------- 1 | /* 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef ATTRIB_H 30 | #define ATTRIB_H 31 | 32 | /* 33 | * GCC attributes and built-ins for improved compile-time error checking 34 | * and performance optimization. 
 *
 * All of these are fully optional and are automatically disabled on non-GCC
 * and non-LLVM/clang compilers.
 */

/*
 * Attributes.
 * These serve to improve the compiler warnings or optimizations.
 *
 * Two of them change what the compiler may assume and are therefore
 * security relevant rather than cosmetic:
 *  - NONNULL(...) promises that the listed (1-based) parameters are never
 *    NULL. GCC/clang may drop NULL checks on those parameters inside the
 *    callee, so never add a defensive `if (!p)` to a NONNULL function —
 *    fix the caller instead.
 *  - WUNRES turns an ignored return value into a warning; functions whose
 *    failure must not go unnoticed (e.g. a privilege drop) carry it, and
 *    MALLOC implies it.
 */

/* On other compilers the attribute syntax expands to nothing. (This defines
 * a reserved identifier as a macro; tolerated here for portability.) */
#if !defined(__GNUC__) && !defined(__clang__)
#define __attribute__(x)
#endif

#define UNUSED __attribute__((unused))
#define NORET __attribute__((noreturn))
#define PRINTF(f,a) __attribute__((format(printf,(f),(a)))) /* f: format arg index, a: first vararg index */
#define SCANF(f,a) __attribute__((format(scanf,(f),(a))))
#define WUNRES __attribute__((warn_unused_result))
#define MALLOC __attribute__((malloc)) WUNRES
#define NONNULL(...) __attribute__((nonnull(__VA_ARGS__)))
#define PURE __attribute__((pure))
/* always_inline without the `inline` keyword; presumably meant to be paired
 * with an inline definition at the use sites — confirm there. */
#define INLINE __attribute__((always_inline))

/*
 * Branch prediction macros.
 * These serve to tell the compiler which of the branches is more likely.
 *
 * NOTE(review): for likely(), __builtin_expect() compares the whole value
 * of expr with 1, so for a pointer or a count the hint only fires when the
 * value is exactly 1; wrapping as `!!(expr)` would make it match any true
 * value. Left unchanged here.
 */

#if !defined(__GNUC__) && !defined(__clang__)
#define likely(expr) (expr)
#define unlikely(expr) (expr)
#else
#define likely(expr) __builtin_expect((expr), 1)
#define unlikely(expr) __builtin_expect((expr), 0)
#endif

#endif /* !ATTRIB_H */

/* vim: set noet ft=c: */
--------------------------------------------------------------------------------
/src/logbuf.h:
--------------------------------------------------------------------------------
/*-
 * SSLsplit - transparent SSL/TLS interception
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 * 1. Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 * 2.
Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef LOGBUF_H 30 | #define LOGBUF_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | #include 36 | 37 | typedef struct logbuf { 38 | int prio; 39 | unsigned char *buf; 40 | ssize_t sz; 41 | void *fh; 42 | unsigned long ctl; 43 | struct logbuf *next; 44 | } logbuf_t; 45 | 46 | typedef ssize_t (*writefunc_t)(int, void *, unsigned long, const void *, size_t); 47 | 48 | logbuf_t * logbuf_new(int, void *, size_t, logbuf_t *) MALLOC; 49 | logbuf_t * logbuf_new_alloc(size_t, logbuf_t *) MALLOC; 50 | logbuf_t * logbuf_new_copy(const void *, size_t, logbuf_t *) MALLOC; 51 | logbuf_t * logbuf_new_printf(logbuf_t *, const char *, ...) 
MALLOC PRINTF(2,3); 52 | logbuf_t * logbuf_new_deepcopy(logbuf_t *, int) MALLOC; 53 | logbuf_t * logbuf_make_contiguous(logbuf_t *) WUNRES; 54 | ssize_t logbuf_size(logbuf_t *) NONNULL(1) WUNRES; 55 | ssize_t logbuf_write_free(logbuf_t *, writefunc_t) NONNULL(1); 56 | void logbuf_free(logbuf_t *) NONNULL(1); 57 | 58 | #define logbuf_ctl_clear(x) (x)->ctl = 0 59 | #define logbuf_ctl_set(x, y) (x)->ctl |= (y) 60 | #define logbuf_ctl_unset(x, y) (x)->ctl &= ~(y) 61 | #define logbuf_ctl_isset(x, y) (!!((x)->ctl & (y))) 62 | 63 | #define LBFLAG_REOPEN (1 << 0) /* logger */ 64 | #define LBFLAG_OPEN (1 << 1) /* logger */ 65 | #define LBFLAG_CLOSE (1 << 2) /* logger */ 66 | #define LBFLAG_IS_REQ (1 << 3) /* pcap/mirror content log */ 67 | #define LBFLAG_IS_RESP (1 << 4) /* pcap/mirror content log */ 68 | 69 | #endif /* !LOGBUF_H */ 70 | 71 | /* vim: set noet ft=c: */ 72 | -------------------------------------------------------------------------------- /tests/testproxy/lp/logbuf.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 
15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef LOGBUF_H 30 | #define LOGBUF_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | #include 36 | 37 | typedef struct logbuf { 38 | int prio; 39 | unsigned char *buf; 40 | ssize_t sz; 41 | void *fh; 42 | unsigned long ctl; 43 | struct logbuf *next; 44 | } logbuf_t; 45 | 46 | typedef ssize_t (*writefunc_t)(int, void *, unsigned long, const void *, size_t); 47 | 48 | logbuf_t * logbuf_new(int, void *, size_t, logbuf_t *) MALLOC; 49 | logbuf_t * logbuf_new_alloc(size_t, logbuf_t *) MALLOC; 50 | logbuf_t * logbuf_new_copy(const void *, size_t, logbuf_t *) MALLOC; 51 | logbuf_t * logbuf_new_printf(logbuf_t *, const char *, ...) 
MALLOC PRINTF(2,3); 52 | logbuf_t * logbuf_new_deepcopy(logbuf_t *, int) MALLOC; 53 | logbuf_t * logbuf_make_contiguous(logbuf_t *) WUNRES; 54 | ssize_t logbuf_size(logbuf_t *) NONNULL(1) WUNRES; 55 | ssize_t logbuf_write_free(logbuf_t *, writefunc_t) NONNULL(1); 56 | void logbuf_free(logbuf_t *) NONNULL(1); 57 | 58 | #define logbuf_ctl_clear(x) (x)->ctl = 0 59 | #define logbuf_ctl_set(x, y) (x)->ctl |= (y) 60 | #define logbuf_ctl_unset(x, y) (x)->ctl &= ~(y) 61 | #define logbuf_ctl_isset(x, y) (!!((x)->ctl & (y))) 62 | 63 | #define LBFLAG_REOPEN (1 << 0) /* logger */ 64 | #define LBFLAG_OPEN (1 << 1) /* logger */ 65 | #define LBFLAG_CLOSE (1 << 2) /* logger */ 66 | #define LBFLAG_IS_REQ (1 << 3) /* pcap/mirror content log */ 67 | #define LBFLAG_IS_RESP (1 << 4) /* pcap/mirror content log */ 68 | 69 | #endif /* !LOGBUF_H */ 70 | 71 | /* vim: set noet ft=c: */ 72 | -------------------------------------------------------------------------------- /src/pxythr.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2017-2025, Soner Tari . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef PXYTHR_H
#define PXYTHR_H

#include "attrib.h"

#include /* NOTE(review): header name lost in this copy */
#include /* NOTE(review): header name lost in this copy */

#include /* NOTE(review): header name lost in this copy */
#include /* NOTE(review): header name lost in this copy */
#include /* NOTE(review): header name lost in this copy */

typedef struct pxy_conn_ctx pxy_conn_ctx_t;
typedef struct pxy_thrmgr_ctx pxy_thrmgr_ctx_t;

/*
 * Per-worker-thread context: the thread handle, its libevent event and DNS
 * bases, load/statistics counters and the list of connections it serves.
 * Presumably one instance per proxy thread created by the thread manager.
 *
 * NOTE(review): `load` and `running` are plain ints. If the thread manager
 * reads or writes them from another thread (to pick the least loaded thread
 * or to stop the loop) they need a lock or atomics; the synchronization is
 * not visible in this header — confirm in pxythr.c / pxythrmgr.c.
 */
typedef struct pxy_thr_ctx {
	pthread_t thr;                  /* handle of the worker thread */
	int id;                         /* presumably this thread's index in the manager */
	pxy_thrmgr_ctx_t *thrmgr;       /* back pointer to the owning thread manager */
	size_t load;                    /* presumably the number of attached connections */
	struct event_base *evbase;      /* libevent loop run by this thread */
	struct evdns_base *dnsbase;     /* libevent async DNS base for this thread */
	int running;                    /* presumably non-zero while the loop should keep going */

	// Statistics (presumably only touched by the owning thread)
	evutil_socket_t max_fd;
	size_t max_load;
	size_t timedout_conns;
	size_t errors;
	size_t set_watermarks;
	size_t unset_watermarks;
	long long unsigned int intif_in_bytes;
	long long unsigned int intif_out_bytes;
	long long unsigned int extif_in_bytes;
	long long unsigned int extif_out_bytes;
	// Each stats has an id, incremented on each stats print
	unsigned short stats_id;
	// Used to print statistics, compared against stats_period
	unsigned int timeout_count;

	// List of active connections on the thread
	pxy_conn_ctx_t *conns;

#ifndef WITHOUT_USERAUTH
	// Prepared sqlite3 statement for the user lookup. A sqlite3_stmt carries
	// its own bind/step state and belongs to one connection, so sharing a
	// single statement between threads would interleave their queries;
	// each worker therefore keeps its own.
	struct sqlite3_stmt *get_user;
#endif /* !WITHOUT_USERAUTH */
} pxy_thr_ctx_t;

/* Add a connection to / remove it from the list of its owning thread (presumably updating load as well). */
void pxy_thr_attach(pxy_conn_ctx_t *) NONNULL(1);
void pxy_thr_detach(pxy_conn_ctx_t *) NONNULL(1);

/* Thread start routine (pthread signature, hence void *); the argument is presumably the thread's pxy_thr_ctx_t. */
void *pxy_thr(void *);

#endif /* !PXYTHR_H */

/* vim: set noet ft=c: */
--------------------------------------------------------------------------------
/tests/check/cert.t.c:
--------------------------------------------------------------------------------
/*-
 * SSLsplit - transparent SSL/TLS interception
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 * 1. Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #include "ssl.h" 30 | #include "cert.h" 31 | 32 | #include 33 | #include 34 | 35 | #include 36 | 37 | #define TESTCERT "pki/targets/daniel.roe.ch.pem" 38 | 39 | START_TEST(cert_new_load_01) 40 | { 41 | cert_t *c; 42 | 43 | c = cert_new_load(TESTCERT); 44 | ck_assert_msg(!!c, "loading PEM failed"); 45 | ck_assert_msg(!!c->crt, "loading crt failed"); 46 | ck_assert_msg(!!c->key, "loading key failed"); 47 | ck_assert_msg(!!c->chain, "initializing chain stack failed"); 48 | ck_assert_msg(sk_X509_num(c->chain) == 1, "loading chain failed"); 49 | cert_free(c); 50 | } 51 | END_TEST 52 | 53 | START_TEST(cert_refcount_inc_01) 54 | { 55 | cert_t *c; 56 | 57 | c = cert_new_load(TESTCERT); 58 | ck_assert_msg(!!c, "loading PEM failed"); 59 | ck_assert_msg(c->references == 1, "refcount mismatch"); 60 | cert_refcount_inc(c); 61 | ck_assert_msg(c->references == 2, "refcount mismatch"); 62 | cert_free(c); 63 | ck_assert_msg(c->references == 1, "refcount mismatch"); 64 | cert_free(c); 65 | #if 0 66 | /* deliberate access after last free() */ 67 | ck_assert_msg(c->references == 0, "refcount mismatch"); 68 | #endif 69 | } 70 | END_TEST 71 | 72 | Suite * 73 | cert_suite(void) 74 | { 75 | Suite *s; 76 | TCase *tc; 77 | 78 | s = suite_create("cert"); 79 | 80 | tc = tcase_create("cert_new_load"); 81 | tcase_add_test(tc, cert_new_load_01); 82 | suite_add_tcase(s, tc); 83 | 84 | tc = tcase_create("cert_refcount_inc"); 
85 | tcase_add_test(tc, cert_refcount_inc_01); 86 | suite_add_tcase(s, tc); 87 | 88 | return s; 89 | } 90 | 91 | /* vim: set noet ft=c: */ 92 | -------------------------------------------------------------------------------- /tests/testproxy/ssl_testset_2.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for SSL configuration: tls10 only", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "ssl", 7 | "no_ssl2": "yes", 8 | "no_ssl3": "yes", 9 | "no_tls10": "no", 10 | "no_tls11": "yes", 11 | "no_tls12": "yes", 12 | "no_tls13": "yes" 13 | }, 14 | "client": { 15 | "ip": "127.0.0.1", 16 | "port": "8449" 17 | }, 18 | "server": { 19 | "ip": "127.0.0.1", 20 | "port": "9449", 21 | "crt": "server.crt", 22 | "key": "server.key" 23 | } 24 | }, 25 | "2": { 26 | "proto": { 27 | "proto": "ssl", 28 | "no_ssl2": "no", 29 | "no_ssl3": "no", 30 | "no_tls10": "no", 31 | "no_tls11": "no", 32 | "no_tls12": "no", 33 | "no_tls13": "no" 34 | }, 35 | "client": { 36 | "ip": "127.0.0.1", 37 | "port": "8449" 38 | }, 39 | "server": { 40 | "ip": "127.0.0.1", 41 | "port": "9449", 42 | "crt": "server.crt", 43 | "key": "server.key" 44 | } 45 | } 46 | }, 47 | "tests": { 48 | "1": { 49 | "comment": "Configures tls10 only", 50 | "states": { 51 | "1": { 52 | "testend": "client", 53 | "cmd": "send", 54 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 55 | "assert": { 56 | "current_cipher_version": { 57 | "==": [ 58 | "SSLv3", 59 | "TLSv1", 60 | "TLSv1.0" 61 | ], 62 | "!match": [ 63 | "^TLSv1\\.[1-3]?$" 64 | ] 65 | }, 66 | "ssl_proto_version": { 67 | "==": [ 68 | "SSLv3", 69 | "TLSv1" 70 | ], 71 | "!match": [ 72 | "^TLSv1\\.[1-3]?$" 73 | ] 74 | }, 75 | "ssl_state": { 76 | "==": [ 77 | "SSLOK " 78 | ] 79 | } 80 | } 81 | }, 82 | "2": { 83 | "testend": "server", 84 | "cmd": "recv", 85 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n", 86 | "assert": { 87 | "current_cipher_version": { 88 | "==": [ 
89 | "SSLv3", 90 | "TLSv1", 91 | "TLSv1.0" 92 | ], 93 | "!match": [ 94 | "^TLSv1\\.[1-3]?$" 95 | ] 96 | }, 97 | "ssl_proto_version": { 98 | "==": [ 99 | "SSLv3", 100 | "TLSv1" 101 | ], 102 | "!match": [ 103 | "^TLSv1\\.[1-3]?$" 104 | ] 105 | }, 106 | "ssl_state": { 107 | "==": [ 108 | "SSLOK " 109 | ] 110 | } 111 | } 112 | } 113 | } 114 | } 115 | } 116 | } 117 | -------------------------------------------------------------------------------- /tests/check/defaults.t.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #include "sys.h" 30 | 31 | #include "defaults.h" 32 | 33 | #include 34 | #include 35 | #include 36 | 37 | #include 38 | 39 | #define CONNECT_CMD "openssl s_client -connect www.google.com:443" \ 40 | " -quiet -no_ign_eof /dev/null 2>/dev/null" 41 | 42 | START_TEST(defaults_dropuser_01) 43 | { 44 | ck_assert_msg(0 == sys_privdrop(DFLT_DROPUSER, NULL, NULL), 45 | "privdrop failed"); 46 | } 47 | END_TEST 48 | 49 | /* 50 | * This test is designed to fail in the third assertion if the currently 51 | * configured default dropuser is not allowed to make outbound network 52 | * connections. It also fails if we do not have Internet connection. 
53 | */ 54 | START_TEST(defaults_dropuser_02) 55 | { 56 | ck_assert_msg(0 == system(CONNECT_CMD), 57 | "connect failed for user running tests"); 58 | ck_assert_msg(0 == sys_privdrop(DFLT_DROPUSER, NULL, NULL), 59 | "privdrop failed"); 60 | ck_assert_msg(0 == system(CONNECT_CMD), 61 | "connect failed for default dropuser " DFLT_DROPUSER); 62 | } 63 | END_TEST 64 | 65 | Suite * 66 | defaults_suite(void) 67 | { 68 | Suite *s; 69 | TCase *tc; 70 | 71 | s = suite_create("defaults"); 72 | 73 | tc = tcase_create("dropuser"); 74 | if (getuid() == 0) { 75 | tcase_add_test(tc, defaults_dropuser_01); 76 | tcase_add_test(tc, defaults_dropuser_02); 77 | } else { 78 | fprintf(stderr, "defaults: 2 tests omitted because " 79 | "not building as root\n"); 80 | } 81 | suite_add_tcase(s, tc); 82 | 83 | return s; 84 | } 85 | 86 | /* vim: set noet ft=c: */ 87 | -------------------------------------------------------------------------------- /extra/nssdebug/snoop-nss-verify.c: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 
15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | /* 30 | * LD_PRELOAD library overlay to print calls to NSS CERT_PKIXVerifyCert() and 31 | * their error code. This function is used by Chrome and other browsers using 32 | * NSS to verify server certificates. 
This overlay is intended to help finding 33 | * the root cause for certificate verification failures in Chrome, that are 34 | * mapped to Chrome error codes in MapSecurityError(): 35 | * https://chromium.googlesource.com/chromium/src/+/master/net/cert/cert_verify_proc_nss.cc 36 | * 37 | * Usage on Linux: 38 | * gcc -shared -fPIC -o snoop-nss-verify.so snoop-nss-verify.c -ldl 39 | * LD_PRELOAD=./snoop-nss-verify.so /usr/bin/google-chrome 40 | */ 41 | 42 | #define _GNU_SOURCE 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include 48 | #include 49 | 50 | #define CERTCertificate void 51 | #define SECCertificateUsage int64_t 52 | #define CERTValInParam void 53 | #define CERTValOutParam void 54 | #define SECStatus int /* actually enum */ 55 | 56 | SECStatus 57 | CERT_PKIXVerifyCert(CERTCertificate *cert, 58 | SECCertificateUsage usages, 59 | CERTValInParam *paramsIn, 60 | CERTValOutParam *paramsOut, 61 | void *wincx) 62 | { 63 | typeof(CERT_PKIXVerifyCert) *original; 64 | SECStatus rv; 65 | 66 | original = dlsym(RTLD_NEXT, "CERT_PKIXVerifyCert"); 67 | rv = original(cert, usages, paramsIn, paramsOut, wincx); 68 | fprintf(stderr, 69 | "CERT_PKIXVerifyCert(%p, %"PRId64", %p, %p, %p) => %i\n", 70 | cert, usages, paramsIn, paramsOut, wincx, rv); 71 | return rv; 72 | } 73 | 74 | -------------------------------------------------------------------------------- /tests/testproxy/ssl_testset_3.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for SSL configuration: tls10/tls11 only", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "ssl", 7 | "no_ssl2": "yes", 8 | "no_ssl3": "yes", 9 | "no_tls10": "yes", 10 | "no_tls11": "no", 11 | "no_tls12": "yes", 12 | "no_tls13": "yes" 13 | }, 14 | "client": { 15 | "ip": "127.0.0.1", 16 | "port": "8450" 17 | }, 18 | "server": { 19 | "ip": "127.0.0.1", 20 | "port": "9450", 21 | "crt": "server.crt", 22 | "key": "server.key" 23 | } 24 | }, 25 | "2": { 26 | 
"proto": { 27 | "proto": "ssl", 28 | "no_ssl2": "no", 29 | "no_ssl3": "no", 30 | "no_tls10": "no", 31 | "no_tls11": "no", 32 | "no_tls12": "no", 33 | "no_tls13": "no" 34 | }, 35 | "client": { 36 | "ip": "127.0.0.1", 37 | "port": "8450" 38 | }, 39 | "server": { 40 | "ip": "127.0.0.1", 41 | "port": "9450", 42 | "crt": "server.crt", 43 | "key": "server.key" 44 | } 45 | } 46 | }, 47 | "tests": { 48 | "1": { 49 | "comment": "Configures tls10/tls11 only", 50 | "states": { 51 | "1": { 52 | "testend": "client", 53 | "cmd": "send", 54 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 55 | "assert": { 56 | "current_cipher_version": { 57 | "==": [ 58 | "TLSv1.0", 59 | "TLSv1.1" 60 | ], 61 | "!match": [ 62 | "SSLv3", 63 | "^TLSv1\\.[23]?$" 64 | ] 65 | }, 66 | "ssl_proto_version": { 67 | "==": [ 68 | "TLSv1.0", 69 | "TLSv1.1" 70 | ], 71 | "!match": [ 72 | "SSLv3", 73 | "^TLSv1\\.[23]?$" 74 | ] 75 | }, 76 | "ssl_state": { 77 | "==": [ 78 | "SSLOK " 79 | ] 80 | } 81 | } 82 | }, 83 | "2": { 84 | "testend": "server", 85 | "cmd": "recv", 86 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n", 87 | "assert": { 88 | "current_cipher_version": { 89 | "==": [ 90 | "TLSv1.0", 91 | "TLSv1.1" 92 | ], 93 | "!match": [ 94 | "SSLv3", 95 | "^TLSv1\\.[23]?$" 96 | ] 97 | }, 98 | "ssl_proto_version": { 99 | "==": [ 100 | "TLSv1.0", 101 | "TLSv1.1" 102 | ], 103 | "!match": [ 104 | "SSLv3", 105 | "^TLSv1\\.[23]?$" 106 | ] 107 | }, 108 | "ssl_state": { 109 | "==": [ 110 | "SSLOK " 111 | ] 112 | } 113 | } 114 | } 115 | } 116 | } 117 | } 118 | } 119 | -------------------------------------------------------------------------------- /src/protossl.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * Copyright (c) 2017-2025, Soner Tari . 7 | * All rights reserved. 
8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted provided that the following conditions are met: 11 | * 1. Redistributions of source code must retain the above copyright notice, 12 | * this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright notice, 14 | * this list of conditions and the following disclaimer in the documentation 15 | * and/or other materials provided with the distribution. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 18 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 21 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 | * POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef PROTOSSL_H 31 | #define PROTOSSL_H 32 | 33 | #include "pxyconn.h" 34 | 35 | int protossl_log_masterkey(pxy_conn_ctx_t *, pxy_conn_desc_t *) NONNULL(1,2); 36 | void protossl_log_ssl_error(struct bufferevent *, pxy_conn_ctx_t *) NONNULL(1,2); 37 | 38 | // @todo Used externally by pxy_log_connect_src(), create tcp and ssl versions of that function instead? 
39 | void protossl_srccert_write(pxy_conn_ctx_t *) NONNULL(1); 40 | SSL *protossl_dstssl_create(pxy_conn_ctx_t *) NONNULL(1); 41 | 42 | void protossl_free(pxy_conn_ctx_t *) NONNULL(1); 43 | void protossl_init_conn(evutil_socket_t, short, void *); 44 | int protossl_conn_connect(pxy_conn_ctx_t *) NONNULL(1) WUNRES; 45 | int protossl_connect_child(pxy_conn_child_ctx_t *) NONNULL(1) WUNRES; 46 | 47 | int protossl_enable_src(pxy_conn_ctx_t *) NONNULL(1); 48 | 49 | int protossl_setup_src_ssl_from_dst(pxy_conn_ctx_t *) NONNULL(1); 50 | int protossl_setup_src_ssl_from_child_dst(pxy_conn_child_ctx_t *) NONNULL(1); 51 | 52 | int protossl_setup_dst_ssl(pxy_conn_ctx_t *) NONNULL(1); 53 | int protossl_setup_dst_ssl_child(pxy_conn_child_ctx_t *) NONNULL(1); 54 | 55 | int protossl_setup_srvdst_ssl(pxy_conn_ctx_t *) NONNULL(1); 56 | int protossl_setup_srvdst(pxy_conn_ctx_t *) NONNULL(1); 57 | 58 | void protossl_bev_eventcb_srvdst(struct bufferevent *, short, pxy_conn_ctx_t *) NONNULL(1); 59 | 60 | void protossl_bev_eventcb(struct bufferevent *, short, void *) NONNULL(1); 61 | void protossl_bev_eventcb_child(struct bufferevent *, short, void *) NONNULL(1); 62 | 63 | protocol_t protossl_setup(pxy_conn_ctx_t *) NONNULL(1); 64 | protocol_t protossl_setup_child(pxy_conn_child_ctx_t *) NONNULL(1); 65 | 66 | #endif /* PROTOSSL_H */ 67 | -------------------------------------------------------------------------------- /Mk/bin/copyright.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # vim: set ft=python list et ts=8 sts=4 sw=4: 3 | 4 | # Update the copyright headers in all source files passed on the command line. 5 | # The copyright headers are comments at the beginning of lines that are 6 | # marked by a dash immediately at the start of the comment. 
7 | # The entire copyright header is replaced by the copyright in LICENSE, with the 8 | # exception of contributor's additional Copyright lines, which are kept intact 9 | # as found in each source file. 10 | 11 | import sys 12 | import os 13 | 14 | MAIN_NAME = 'Daniel Roethlisberger' 15 | MAIN_EMAIL = 'daniel@roe.ch' 16 | TITLE = ('SSLsplit - transparent SSL/TLS interception\n' 17 | 'https://www.roe.ch/SSLsplit\n\n') 18 | 19 | class Language: 20 | def __init__(self, begin, each, end): 21 | self.begin = begin 22 | self.each = each 23 | self.end = end 24 | 25 | def is_end(self, line): 26 | if self.end != None: 27 | return line.startswith(self.end) 28 | else: 29 | return not line.startswith(self.each) 30 | 31 | languages = [] 32 | languages.append(Language('/*-', ' *', ' */')) # c 33 | languages.append(Language('#-', '#', None)) # scripts and make files 34 | languages.append(Language('.\\"-', '.\\"', None)) # troff 35 | 36 | 37 | def split_before(s, delimiter): 38 | s1, s2 = s.split(delimiter, 1) 39 | return s1, delimiter + s2 40 | 41 | def commentline(prefix, line): 42 | if len(line) > 0: 43 | return prefix + ' ' + line + '\n' 44 | return prefix + '\n' 45 | 46 | def license(outfile, language, contribrights=''): 47 | with open('LICENSE', 'r') as f: 48 | license = f.read() 49 | header, rest = split_before(license, 'Copyright') 50 | copyright, legalese = split_before(rest, 'All rights reserved') 51 | copyright = copyright.replace('and contributors', '<%s>' % MAIN_EMAIL) 52 | text = TITLE + copyright + contribrights + legalese 53 | outfile.write('%s\n' % language.begin) 54 | for line in text.splitlines(): 55 | outfile.write(commentline(language.each, line)) 56 | 57 | def mangle(outfile, infile): 58 | contribs = [] 59 | language = None 60 | have_first = False 61 | have_header = False 62 | for line in infile: 63 | if have_header: 64 | outfile.write(line) 65 | elif have_first: 66 | if language.is_end(line): 67 | license(outfile, language, ''.join(contribs)) 68 | 
outfile.write(line) 69 | have_header = True 70 | elif 'Copyright' in line and not MAIN_NAME in line: 71 | prefix, copyright = split_before(line, 'Copyright') 72 | contribs.append(copyright) 73 | else: 74 | for lang in languages: 75 | if line.startswith(lang.begin): 76 | language = lang 77 | break 78 | if language == None: 79 | outfile.write(line) 80 | continue 81 | have_first = True 82 | 83 | for fn in sys.argv[1:]: 84 | with open(fn, 'r') as infile: 85 | with open(fn + '~', 'w') as outfile: 86 | mode = os.fstat(infile.fileno()).st_mode 87 | os.fchmod(outfile.fileno(), mode) 88 | mangle(outfile, infile) 89 | os.rename(fn + '~', fn) 90 | 91 | -------------------------------------------------------------------------------- /src/sys.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef SYS_H 30 | #define SYS_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | #include 36 | #include 37 | 38 | int sys_privdrop(const char *, const char *, const char *) WUNRES; 39 | 40 | int sys_pidf_open(const char *) NONNULL(1) WUNRES; 41 | int sys_pidf_write(int) WUNRES; 42 | void sys_pidf_close(int, const char *) NONNULL(2); 43 | 44 | int sys_uid(const char *, uid_t *) NONNULL(1) WUNRES; 45 | int sys_gid(const char *, gid_t *) NONNULL(1) WUNRES; 46 | int sys_isuser(const char *) NONNULL(1) WUNRES; 47 | int sys_isgroup(const char *) NONNULL(1) WUNRES; 48 | int sys_isgeteuid(const char *) NONNULL(1) WUNRES; 49 | char * sys_user_str(uid_t) MALLOC; 50 | char * sys_group_str(gid_t) MALLOC; 51 | 52 | int sys_get_af(const char *); 53 | int sys_sockaddr_parse(struct sockaddr_storage *, socklen_t *, 54 | char *, char *, int, int) NONNULL(1,2,3,4) WUNRES; 55 | int sys_sockaddr_str(struct sockaddr *, socklen_t, 56 | char **, char **) NONNULL(1,3,4); 57 | char * sys_ip46str_sanitize(const char *) NONNULL(1) MALLOC; 58 | size_t sys_get_mtu(const char *); 59 | 60 | int sys_isdir(const char *) NONNULL(1) WUNRES; 61 | int sys_mkpath(const char *, mode_t) NONNULL(1) WUNRES; 62 | char * sys_realdir(const char *) NONNULL(1) MALLOC; 63 | 64 | typedef int (*sys_dir_eachfile_cb_t)(const char *, void *) NONNULL(1) WUNRES; 65 | int sys_dir_eachfile(const char *, sys_dir_eachfile_cb_t, void *) 
NONNULL(1,2) WUNRES; 66 | 67 | uint32_t sys_get_cpu_cores(void) WUNRES; 68 | 69 | ssize_t sys_sendmsgfd(int, void *, size_t, int) NONNULL(2) WUNRES; 70 | ssize_t sys_recvmsgfd(int, void *, size_t, int *) NONNULL(2) WUNRES; 71 | 72 | void sys_dump_fds(void); 73 | 74 | uint16_t sys_rand16(void); 75 | uint32_t sys_rand32(void); 76 | 77 | #endif /* !SYS_H */ 78 | 79 | /* vim: set noet ft=c: */ 80 | -------------------------------------------------------------------------------- /tests/testproxy/ssl_testset_4.json: -------------------------------------------------------------------------------- 1 | { 2 | "comment": "Tests for SSL configuration: tls12 only", 3 | "configs": { 4 | "1": { 5 | "proto": { 6 | "proto": "ssl", 7 | "no_ssl2": "yes", 8 | "no_ssl3": "yes", 9 | "no_tls10": "yes", 10 | "no_tls11": "yes", 11 | "no_tls12": "no", 12 | "no_tls13": "yes" 13 | }, 14 | "client": { 15 | "ip": "127.0.0.1", 16 | "port": "8451", 17 | "use_sni": "yes", 18 | "sni_servername": "example.com" 19 | }, 20 | "server": { 21 | "ip": "127.0.0.1", 22 | "port": "9451", 23 | "crt": "server.crt", 24 | "key": "server.key" 25 | } 26 | }, 27 | "2": { 28 | "proto": { 29 | "proto": "ssl", 30 | "no_ssl2": "no", 31 | "no_ssl3": "no", 32 | "no_tls10": "no", 33 | "no_tls11": "no", 34 | "no_tls12": "no", 35 | "no_tls13": "no" 36 | }, 37 | "client": { 38 | "ip": "127.0.0.1", 39 | "port": "8451", 40 | "use_sni": "yes", 41 | "sni_servername": "example.com" 42 | }, 43 | "server": { 44 | "ip": "127.0.0.1", 45 | "port": "9451", 46 | "crt": "server.crt", 47 | "key": "server.key" 48 | } 49 | } 50 | }, 51 | "tests": { 52 | "1": { 53 | "comment": "Configures tls12 only", 54 | "states": { 55 | "1": { 56 | "testend": "client", 57 | "cmd": "send", 58 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 59 | "assert": { 60 | "current_cipher_version": { 61 | "==": [ 62 | "TLSv1.2" 63 | ], 64 | "!match": [ 65 | "SSLv3", 66 | "^TLSv1\\.[013]?$" 67 | ] 68 | }, 69 | "ssl_proto_version": { 70 | "==": [ 71 | 
"TLSv1.2" 72 | ], 73 | "!=": [ 74 | "SSLv3" 75 | ], 76 | "!match": [ 77 | "^TLSv1\\.[013]?$" 78 | ] 79 | }, 80 | "ssl_state": { 81 | "==": [ 82 | "SSLOK " 83 | ] 84 | } 85 | } 86 | }, 87 | "2": { 88 | "testend": "server", 89 | "cmd": "recv", 90 | "payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n", 91 | "assert": { 92 | "current_cipher_version": { 93 | "==": [ 94 | "TLSv1.2" 95 | ], 96 | "!match": [ 97 | "SSLv3", 98 | "^TLSv1\\.[013]?$" 99 | ] 100 | }, 101 | "ssl_proto_version": { 102 | "==": [ 103 | "TLSv1.2" 104 | ], 105 | "!=": [ 106 | "SSLv3" 107 | ], 108 | "!match": [ 109 | "^TLSv1\\.[013]?$" 110 | ] 111 | }, 112 | "ssl_state": { 113 | "==": [ 114 | "SSLOK " 115 | ] 116 | }, 117 | "sni_servername": { 118 | "==": [ 119 | "example.com" 120 | ] 121 | } 122 | } 123 | } 124 | } 125 | } 126 | } 127 | } 128 | -------------------------------------------------------------------------------- /src/cache.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 
15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef CACHE_H 30 | #define CACHE_H 31 | 32 | #include "attrib.h" 33 | 34 | #include 35 | 36 | typedef void * cache_val_t; 37 | typedef void * cache_key_t; 38 | typedef unsigned int cache_iter_t; /* must match khiter_t */ 39 | 40 | typedef cache_iter_t (*cache_begin_cb_t)(void); 41 | typedef cache_iter_t (*cache_end_cb_t)(void); 42 | typedef int (*cache_exist_cb_t)(cache_iter_t); 43 | typedef void (*cache_del_cb_t)(cache_iter_t); 44 | typedef cache_iter_t (*cache_get_cb_t)(cache_key_t); 45 | typedef cache_iter_t (*cache_put_cb_t)(cache_key_t, int *); 46 | typedef void (*cache_free_key_cb_t)(cache_key_t); 47 | typedef void (*cache_free_val_cb_t)(cache_val_t); 48 | typedef cache_key_t (*cache_get_key_cb_t)(cache_iter_t); 49 | typedef cache_val_t (*cache_get_val_cb_t)(cache_iter_t); 50 | typedef void (*cache_set_val_cb_t)(cache_iter_t, cache_val_t); 51 | typedef cache_val_t (*cache_unpackverify_val_cb_t)(cache_val_t, int); 52 | typedef void (*cache_fini_cb_t)(void); 53 | 54 | typedef struct cache { 55 | pthread_mutex_t mutex; 56 | 57 | cache_begin_cb_t begin_cb; 58 | cache_end_cb_t end_cb; 59 | cache_exist_cb_t exist_cb; 60 
| cache_del_cb_t del_cb; 61 | cache_get_cb_t get_cb; 62 | cache_put_cb_t put_cb; 63 | cache_free_key_cb_t free_key_cb; 64 | cache_free_val_cb_t free_val_cb; 65 | cache_get_key_cb_t get_key_cb; 66 | cache_get_val_cb_t get_val_cb; 67 | cache_set_val_cb_t set_val_cb; 68 | cache_unpackverify_val_cb_t unpackverify_val_cb; 69 | cache_fini_cb_t fini_cb; 70 | } cache_t; 71 | 72 | typedef void (*cache_init_cb_t)(struct cache *); 73 | 74 | cache_t * cache_new(cache_init_cb_t) MALLOC; 75 | int cache_reinit(cache_t *) NONNULL(1) WUNRES; 76 | void cache_free(cache_t *) NONNULL(1); 77 | void cache_gc(cache_t *) NONNULL(1); 78 | cache_val_t cache_get(cache_t *, cache_key_t) NONNULL(1) WUNRES; 79 | void cache_set(cache_t *, cache_key_t, cache_val_t) NONNULL(1); 80 | void cache_del(cache_t *, cache_key_t) NONNULL(1); 81 | 82 | #endif /* !CACHE_H */ 83 | 84 | /* vim: set noet ft=c: */ 85 | -------------------------------------------------------------------------------- /tests/testproxy/GNUmakefile: -------------------------------------------------------------------------------- 1 | PROJECT_ROOT= ../.. 2 | TESTPROXY:= ~/.cargo/bin/testproxy 3 | 4 | TESTPROXY_VERSION=$(shell $(TESTPROXY) -V) 5 | ifneq ($(TESTPROXY_VERSION),testproxy 0.0.5) 6 | $(error Use Testproxy v0.0.5 with this version of SSLproxy, found $(TESTPROXY_VERSION)) 7 | endif 8 | 9 | ifeq ($(findstring -DWITHOUT_USERAUTH,$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "Features: ")),-DWITHOUT_USERAUTH) 10 | $(error End-to-end tests need UserAuth enabled, disable WITHOUT_USERAUTH feature in main makefile and try again) 11 | endif 12 | 13 | all: test 14 | 15 | buildsslproxy: 16 | $(MAKE) -C $(PROJECT_ROOT) 17 | 18 | buildlp: 19 | $(MAKE) -C lp 20 | 21 | # XXX: How to build sslproxy before setting the vars? Otherwise, we depend on the main makefile to have already built it. 
22 | test: SSL_PROTOS=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "SSL/TLS protocol availability") 23 | test: TLS11=$(findstring tls11,$(SSL_PROTOS)) 24 | test: TLS13=$(findstring tls13,$(SSL_PROTOS)) 25 | test: OPENSSL=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "compiled against OpenSSL") 26 | test: OPENSSL3=$(findstring "OpenSSL 3.",$(OPENSSL)) 27 | test: SSLPROXY_CONF=$(if $(TLS13),sslproxy.conf,sslproxy_no_tls13.conf) 28 | test: SSLPROXY_CONF:=$(if $(TLS11),$(SSLPROXY_CONF),sslproxy_no_tls11.conf) 29 | test: SSLPROXY_CONF:=$(if $(OPENSSL3),$(SSLPROXY_CONF),sslproxy_openssl3.conf) 30 | test: SSLPROXY_COMMAND=$(PROJECT_ROOT)/src/sslproxy -f $(SSLPROXY_CONF) -o Debug=no -o Daemon=yes -o User=nobody 31 | test: TESTHARNESS=$(if $(TLS13),testharness.json,testharness_no_tls13.json) 32 | test: TESTHARNESS:=$(if $(TLS11),$(TESTHARNESS),testharness_no_tls11.json) 33 | test: TESTHARNESS:=$(if $(OPENSSL3),$(TESTHARNESS),testharness_openssl3.json) 34 | #test: SKIP_TESTHARNESS=2 35 | test: buildsslproxy buildlp 36 | sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) ./lp/lp -f ./lp/lp.conf -o Debug=no -o Daemon=yes -o User=nobody 37 | sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) $(SSLPROXY_COMMAND) 38 | $(TESTPROXY) -f $(TESTHARNESS) -l 4 --skip-test-harness $(SKIP_TESTHARNESS) 39 | sudo pkill sslproxy 40 | sudo pkill lp 41 | 42 | test_split: SSL_PROTOS=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "SSL/TLS protocol availability") 43 | test_split: TLS11=$(findstring tls11,$(SSL_PROTOS)) 44 | test_split: TLS13=$(findstring tls13,$(SSL_PROTOS)) 45 | test_split: OPENSSL=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "compiled against OpenSSL") 46 | test_split: OPENSSL3=$(findstring "OpenSSL 3.",$(OPENSSL)) 47 | test_split: SSLPROXY_CONF=$(if $(TLS13),sslproxy.conf,sslproxy_no_tls13.conf) 48 | test_split: SSLPROXY_CONF:=$(if $(TLS11),$(SSLPROXY_CONF),sslproxy_no_tls11.conf) 49 | test_split: SSLPROXY_CONF:=$(if $(OPENSSL3),$(SSLPROXY_CONF),sslproxy_openssl3.conf) 50 | 
test_split: SSLPROXY_COMMAND=$(PROJECT_ROOT)/src/sslproxy -n -f $(SSLPROXY_CONF) -o Debug=no -o Daemon=yes -o User=nobody 51 | test_split: TESTHARNESS=$(if $(TLS13),testharness_split.json,testharness_split_no_tls13.json) 52 | test_split: TESTHARNESS:=$(if $(TLS11),$(TESTHARNESS),testharness_split_no_tls11.json) 53 | test_split: TESTHARNESS:=$(if $(OPENSSL3),$(TESTHARNESS),testharness_split_openssl3.json) 54 | test_split: buildsslproxy buildlp 55 | sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) ./lp/lp -f ./lp/lp.conf -o Debug=no -o Daemon=yes -o User=nobody 56 | sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) $(SSLPROXY_COMMAND) 57 | $(TESTPROXY) -f $(TESTHARNESS) -l 4 58 | sudo pkill sslproxy 59 | sudo pkill lp 60 | 61 | travis: test 62 | 63 | clean: 64 | $(MAKE) -C $(PROJECT_ROOT) clean 65 | $(MAKE) -C lp clean 66 | 67 | FORCE: 68 | 69 | .PHONY: all clean buildsslproxy buildlp test test_split travis 70 | 71 | -------------------------------------------------------------------------------- /src/logger.h: -------------------------------------------------------------------------------- 1 | /*- 2 | * SSLsplit - transparent SSL/TLS interception 3 | * https://www.roe.ch/SSLsplit 4 | * 5 | * Copyright (c) 2009-2019, Daniel Roethlisberger . 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 1. Redistributions of source code must retain the above copyright notice, 11 | * this list of conditions and the following disclaimer. 12 | * 2. Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 
15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS'' 17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | * POSSIBILITY OF SUCH DAMAGE. 27 | */ 28 | 29 | #ifndef LOGGER_H 30 | #define LOGGER_H 31 | 32 | #include "logbuf.h" 33 | #include "attrib.h" 34 | 35 | #include 36 | #include 37 | 38 | typedef int (*logger_reopen_func_t)(void); 39 | typedef int (*logger_open_func_t)(void *); 40 | typedef void (*logger_close_func_t)(void *, unsigned long); 41 | typedef ssize_t (*logger_write_func_t)(int, void *, unsigned long, 42 | const void *, size_t); 43 | typedef logbuf_t * (*logger_prep_func_t)(void *, unsigned long, logbuf_t *); 44 | typedef void (*logger_except_func_t)(void); 45 | typedef struct logger logger_t; 46 | 47 | logger_t * logger_new(logger_reopen_func_t, logger_open_func_t, 48 | logger_close_func_t, logger_write_func_t, 49 | logger_prep_func_t, logger_except_func_t) 50 | NONNULL(4,6) MALLOC; 51 | void logger_free(logger_t *) NONNULL(1); 52 | int logger_start(logger_t *) NONNULL(1) WUNRES; 53 | void logger_leave(logger_t *) NONNULL(1); 54 | int logger_join(logger_t *) NONNULL(1); 55 | int logger_stop(logger_t *) NONNULL(1) WUNRES; 56 | int logger_reopen(logger_t *) NONNULL(1) WUNRES; 57 | int logger_open(logger_t *, void *) NONNULL(1,2) WUNRES; 58 | int 
logger_close(logger_t *, void *, unsigned long) NONNULL(1,2) WUNRES; 59 | int logger_submit(logger_t *, void *, unsigned long, 60 | logbuf_t *) NONNULL(1) WUNRES; 61 | int logger_printf(logger_t *, void *, unsigned long, 62 | const char *, ...) PRINTF(4,5) NONNULL(1,4) WUNRES; 63 | int logger_print(logger_t *, void *, unsigned long, 64 | const char *) NONNULL(1,4) WUNRES; 65 | int logger_write(logger_t *, void *, unsigned long, 66 | const void *, size_t) NONNULL(1,4) WUNRES; 67 | int logger_print_freebuf(logger_t *, void *, unsigned long, 68 | char *) NONNULL(1,4) WUNRES; 69 | int logger_write_freebuf(logger_t *, int, void *, unsigned long, 70 | void *, size_t) NONNULL(1,5) WUNRES; 71 | 72 | #endif /* !LOGGER_H */ 73 | 74 | /* vim: set noet ft=c: */ 75 | --------------------------------------------------------------------------------