diff options
author | Cedric Cellier <rixed@happyleptic.org> | 2018-05-30 09:18:45 +0200 |
---|---|---|
committer | Cedric Cellier <rixed@happyleptic.org> | 2018-09-13 08:26:46 +0200 |
commit | 0f0a435cd7f240ac3641fa02881e665922cb095a (patch) | |
tree | fb016c4f7ff187b0a0052d2e3407e26014608548 | |
parent | 9ba5495a8a6c63debb66eee82c153dbf02226c90 (diff) | |
download | libpcap-0f0a435cd7f240ac3641fa02881e665922cb095a.tar.gz |
Enable SSL compression (with -C)
Cert file option changed from -C <file> to -X <file> (X as in X.509)
-rw-r--r-- | rpcapd/rpcapd.c | 15 | ||||
-rw-r--r-- | sslutils.c | 55 | ||||
-rw-r--r-- | sslutils.h | 2 |
3 files changed, 20 insertions, 52 deletions
diff --git a/rpcapd/rpcapd.c b/rpcapd/rpcapd.c index 76e676c5..645828ea 100644 --- a/rpcapd/rpcapd.c +++ b/rpcapd/rpcapd.c @@ -151,8 +151,9 @@ static void printusage(void) #endif #ifdef HAVE_OPENSSL " -S encrypt all communication with SSL (implements rpcaps://)\n" + " -C enable compression\n" " -K <pem_file> uses the SSL private key in this file (default: key.pem)\n" - " -C <pem_file> uses the certificate from this file (default: cert.pem)\n" + " -X <pem_file> uses the certificate from this file (default: cert.pem)\n" #endif " -s <config_file> save the current configuration to file\n\n" " -f <config_file> load the current configuration from file; all switches\n" @@ -179,6 +180,9 @@ int main(int argc, char *argv[]) #ifndef _WIN32 struct sigaction action; #endif +#ifdef HAVE_OPENSSL + int enable_compression = 0; +#endif savefile[0] = 0; loadfile[0] = 0; @@ -205,7 +209,7 @@ int main(int argc, char *argv[]) // Getting the proper command line options # ifdef HAVE_OPENSSL -# define SSL_CLOPTS "SK:C:" +# define SSL_CLOPTS "SK:X:C" # else # define SSL_CLOPTS "" # endif @@ -288,10 +292,13 @@ int main(int argc, char *argv[]) case 'S': uses_ssl = 1; break; + case 'C': + enable_compression = 1; + break; case 'K': snprintf(ssl_keyfile, sizeof ssl_keyfile, "%s", optarg); break; - case 'C': + case 'X': snprintf(ssl_certfile, sizeof ssl_certfile, "%s", optarg); break; #endif @@ -361,7 +368,7 @@ int main(int argc, char *argv[]) #endif # ifdef HAVE_OPENSSL - if (uses_ssl) init_ssl_or_die(1); + if (uses_ssl) init_ssl_or_die(1, enable_compression); # endif #ifndef _WIN32 @@ -49,7 +49,7 @@ char ssl_rootfile[PATH_MAX]; //!< file containing the list of CAs trusted by th // TODO: lock? static SSL_CTX *ctx; -static int ssl_init_once(int is_server, char *errbuf, size_t errbuflen) +static int ssl_init_once(int is_server, int enable_compression, char *errbuf, size_t errbuflen) { static int inited = 0; if (inited) return 0; @@ -57,41 +57,30 @@ static int ssl_init_once(int is_server, char *errbuf, size_t errbuflen) SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); + if (enable_compression) + SSL_COMP_get_compression_methods(); -<<<<<<< HEAD - SSL_METHOD const *meth = SSLv23_method(); + SSL_METHOD const *meth = + is_server ? SSLv23_server_method() : SSLv23_client_method(); ctx = SSL_CTX_new(meth); if (! ctx) { -======= - SSL_METHOD const *meth = - is_server ? SSLv23_server_method() : SSLv23_client_method(); - ctx = SSL_CTX_new(meth); - if (! ctx) { ->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket pcap_snprintf(errbuf, errbuflen, "Cannot get a new SSL context: %s", ERR_error_string(ERR_get_error(), NULL)); goto die; } SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); -<<<<<<< HEAD if (is_server) { char const *certfile = ssl_certfile[0] ? ssl_certfile : "cert.pem"; if (1 != SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM)) { -======= - if (is_server) { - char const *certfile = ssl_certfile[0] ? ssl_certfile : "cert.pem"; - if (1 != SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM)) { ->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket pcap_snprintf(errbuf, errbuflen, "Cannot read certificate file %s: %s", certfile, ERR_error_string(ERR_get_error(), NULL)); goto die; } char const *keyfile = ssl_keyfile[0] ? ssl_keyfile : "key.pem"; -<<<<<<< HEAD if (1 != SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM)) { pcap_snprintf(errbuf, errbuflen, "Cannot read private key file %s: %s", keyfile, ERR_error_string(ERR_get_error(), NULL)); @@ -110,40 +99,19 @@ static int ssl_init_once(int is_server, char *errbuf, size_t errbuflen) } else { -======= - if (1 != SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM)) { - pcap_snprintf(errbuf, errbuflen, "Cannot read private key file %s: %s", keyfile, ERR_error_string(ERR_get_error(), NULL)); - goto die; - } - } else { - if (ssl_rootfile[0]) { - if (! SSL_CTX_load_verify_locations(ctx, ssl_rootfile, 0)) { - pcap_snprintf(errbuf, errbuflen, "Cannot read CA list from %s", ssl_rootfile); - goto die; - } - } else { ->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); } } #if 0 -<<<<<<< HEAD if (! RAND_load_file(RANDOM, 1024*1024)) { -======= - if (! RAND_load_file(RANDOM, 1024*1024)) { ->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket pcap_snprintf(errbuf, errbuflen, "Cannot init random"); goto die; } -<<<<<<< HEAD if (is_server) { -======= - if (is_server) { ->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket SSL_CTX_set_session_id_context(ctx, (void *)&s_server_session_id_context, sizeof(s_server_session_id_context)); } #endif @@ -155,26 +123,20 @@ die: return -1; } -void init_ssl_or_die(int is_server) +void init_ssl_or_die(int is_server, int enable_compression) { char errbuf[PCAP_ERRBUF_SIZE]; -<<<<<<< HEAD - if (ssl_init_once(is_server, errbuf, sizeof errbuf) < 0) + if (ssl_init_once(is_server, enable_compression, errbuf, sizeof errbuf) < 0) { fprintf(stderr, "%s\n", errbuf); exit(3); } -======= - if (ssl_init_once(is_server, errbuf, sizeof errbuf) < 0) { - fprintf(stderr, "%s\n", errbuf); - exit(3); - } } SSL *ssl_promotion_rw(int is_server, SOCKET in, SOCKET out, char *errbuf, size_t errbuflen) { - if (ssl_init_once(is_server, errbuf, errbuflen) < 0) { + if (ssl_init_once(is_server, 1, errbuf, errbuflen) < 0) { return NULL; } @@ -197,7 +159,6 @@ SSL *ssl_promotion_rw(int is_server, SOCKET in, SOCKET out, char *errbuf, size_t } return ssl; ->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket } SSL *ssl_promotion(int is_server, SOCKET s, char *errbuf, size_t errbuflen) @@ -54,7 +54,7 @@ extern char ssl_rootfile[PATH_MAX]; * Utility functions */ -void init_ssl_or_die(int is_server); +void init_ssl_or_die(int is_server, int enable_compression); SSL *ssl_promotion(int is_server, SOCKET s, char *errbuf, size_t errbuflen); SSL *ssl_promotion_rw(int is_server, SOCKET in, SOCKET out, char *errbuf, size_t errbuflen); int ssl_send(SSL *, char const *buffer, size_t size, char *errbuf, size_t errbuflen); |