authorCedric Cellier <rixed@happyleptic.org>2018-05-30 09:18:45 +0200
committerCedric Cellier <rixed@happyleptic.org>2018-09-13 08:26:46 +0200
commit0f0a435cd7f240ac3641fa02881e665922cb095a (patch)
treefb016c4f7ff187b0a0052d2e3407e26014608548
parent9ba5495a8a6c63debb66eee82c153dbf02226c90 (diff)
Enable SSL compression (with -C)
Cert file option changed from -C <file> to -X <file> (X as in X.509)
-rw-r--r--rpcapd/rpcapd.c15
-rw-r--r--sslutils.c55
-rw-r--r--sslutils.h2
3 files changed, 20 insertions, 52 deletions
diff --git a/rpcapd/rpcapd.c b/rpcapd/rpcapd.c
index 76e676c5..645828ea 100644
--- a/rpcapd/rpcapd.c
+++ b/rpcapd/rpcapd.c
@@ -151,8 +151,9 @@ static void printusage(void)
#endif
#ifdef HAVE_OPENSSL
" -S encrypt all communication with SSL (implements rpcaps://)\n"
+ " -C enable compression\n"
" -K <pem_file> uses the SSL private key in this file (default: key.pem)\n"
- " -C <pem_file> uses the certificate from this file (default: cert.pem)\n"
+ " -X <pem_file> uses the certificate from this file (default: cert.pem)\n"
#endif
" -s <config_file> save the current configuration to file\n\n"
" -f <config_file> load the current configuration from file; all switches\n"
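Review bot: The new `-C` help line gives the operator no hint that TLS-level compression is a known plaintext-leak vector (CRIME and its relatives) and should stay off on links that carry credentials or capture data. A one-line caveat in the usage text is cheap and matches the daemon's off-by-default setting (`enable_compression = 0` in main): `" -C enable SSL compression (unsafe: TLS compression can leak plaintext; off by default)\n"`. printusage() starts and ends outside the hunk.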
@@ -179,6 +180,9 @@ int main(int argc, char *argv[])
#ifndef _WIN32
struct sigaction action;
#endif
+#ifdef HAVE_OPENSSL
+ int enable_compression = 0;
+#endif
savefile[0] = 0;
loadfile[0] = 0;
@@ -205,7 +209,7 @@ int main(int argc, char *argv[])
// Getting the proper command line options
# ifdef HAVE_OPENSSL
-# define SSL_CLOPTS "SK:C:"
+# define SSL_CLOPTS "SK:X:C"
# else
# define SSL_CLOPTS ""
# endif
@@ -288,10 +292,13 @@ int main(int argc, char *argv[])
case 'S':
uses_ssl = 1;
break;
+ case 'C':
+ enable_compression = 1;
+ break;
case 'K':
snprintf(ssl_keyfile, sizeof ssl_keyfile, "%s", optarg);
break;
- case 'C':
+ case 'X':
snprintf(ssl_certfile, sizeof ssl_certfile, "%s", optarg);
break;
#endif
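Review bot: Reassigning `-C` from "certificate file" to "enable compression" silently changes the meaning of existing command lines: `-C cert.pem` is now parsed as the bare compression flag, `cert.pem` is left as a non-option argument, and the default `cert.pem` in the working directory is loaded instead. Unless main() rejects leftover positional arguments (its handling is outside the hunk), the operator ends up with compression turned on and possibly the wrong certificate, with no diagnostic. Consider keeping `C:` as an argument-taking option for one release that fails with a pointer to `-X`, or at minimum stating the incompatibility in the usage text and the commit message. main() starts and ends outside the hunk.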
@@ -361,7 +368,7 @@ int main(int argc, char *argv[])
#endif
# ifdef HAVE_OPENSSL
- if (uses_ssl) init_ssl_or_die(1);
+ if (uses_ssl) init_ssl_or_die(1, enable_compression);
# endif
#ifndef _WIN32
diff --git a/sslutils.c b/sslutils.c
index 637940a1..c6fb80c5 100644
--- a/sslutils.c
+++ b/sslutils.c
@@ -49,7 +49,7 @@ char ssl_rootfile[PATH_MAX]; //!< file containing the list of CAs trusted by th
// TODO: lock?
static SSL_CTX *ctx;
-static int ssl_init_once(int is_server, char *errbuf, size_t errbuflen)
+static int ssl_init_once(int is_server, int enable_compression, char *errbuf, size_t errbuflen)
{
static int inited = 0;
if (inited) return 0;
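Review bot: `enable_compression`, like `is_server`, is honoured only by the first call: the `static int inited` guard on the line after the new signature returns 0 for every later call without touching `ctx`, so a second caller passing a different value silently inherits the first caller's configuration. Given that `ssl_promotion_rw` passes a hard-coded 1 and `init_ssl_or_die` passes the daemon's flag, whichever path runs first decides for the process. Worth stating at the signature: `/* Initialises the shared ctx once; is_server and enable_compression are honoured only on the first call, later calls return 0 and keep the existing ctx. */`. The function body continues past the hunk.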
@@ -57,41 +57,30 @@ static int ssl_init_once(int is_server, char *errbuf, size_t errbuflen)
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
+ if (enable_compression)
+ SSL_COMP_get_compression_methods();
-<<<<<<< HEAD
- SSL_METHOD const *meth = SSLv23_method();
+ SSL_METHOD const *meth =
+ is_server ? SSLv23_server_method() : SSLv23_client_method();
ctx = SSL_CTX_new(meth);
if (! ctx)
{
-=======
- SSL_METHOD const *meth =
- is_server ? SSLv23_server_method() : SSLv23_client_method();
- ctx = SSL_CTX_new(meth);
- if (! ctx) {
->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket
pcap_snprintf(errbuf, errbuflen, "Cannot get a new SSL context: %s", ERR_error_string(ERR_get_error(), NULL));
goto die;
}
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
-<<<<<<< HEAD
if (is_server)
{
char const *certfile = ssl_certfile[0] ? ssl_certfile : "cert.pem";
if (1 != SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM))
{
-=======
- if (is_server) {
- char const *certfile = ssl_certfile[0] ? ssl_certfile : "cert.pem";
- if (1 != SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM)) {
->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket
pcap_snprintf(errbuf, errbuflen, "Cannot read certificate file %s: %s", certfile, ERR_error_string(ERR_get_error(), NULL));
goto die;
}
char const *keyfile = ssl_keyfile[0] ? ssl_keyfile : "key.pem";
-<<<<<<< HEAD
if (1 != SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM))
{
pcap_snprintf(errbuf, errbuflen, "Cannot read private key file %s: %s", keyfile, ERR_error_string(ERR_get_error(), NULL));
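Review bot: `SSL_COMP_get_compression_methods()` does not enable compression: its return value is discarded, it runs before `ctx` exists, and on OpenSSL releases that set `SSL_OP_NO_COMPRESSION` in new contexts by default (1.1.0 and later, as far as I recall) the context stays compression-free whatever the flag says, while on older builds where compression is on by default nothing turns it off when `enable_compression` is 0. The flag therefore neither enables nor disables anything; compression should be driven through the context options after `SSL_CTX_new` and kept off unless explicitly requested, since TLS compression is the CRIME plaintext-recovery vector. The same options call is a natural place to exclude SSLv2/SSLv3, which the `SSLv23_*_method()` chosen on the new side otherwise leaves negotiable on builds that still ship them (`SSL_CTX_set_options`/`SSL_CTX_clear_options` with these flags need OpenSSL 1.0.0 or later). The two added `if (enable_compression) SSL_COMP_get_compression_methods();` lines can then go. ssl_init_once() starts and ends outside this hunk.
```c
	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
	/* TLS compression lets an attacker who controls part of the plaintext
	 * recover the rest (CRIME); keep it off unless explicitly requested.
	 * Drop SSLv2/SSLv3 while we are setting options. */
	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
	if (enable_compression)
		SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);
	else
		SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
	/* … unchanged: certificate / private key loading … */
```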
@@ -110,40 +99,19 @@ static int ssl_init_once(int is_server, char *errbuf, size_t errbuflen)
}
else
{
-=======
- if (1 != SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM)) {
- pcap_snprintf(errbuf, errbuflen, "Cannot read private key file %s: %s", keyfile, ERR_error_string(ERR_get_error(), NULL));
- goto die;
- }
- } else {
- if (ssl_rootfile[0]) {
- if (! SSL_CTX_load_verify_locations(ctx, ssl_rootfile, 0)) {
- pcap_snprintf(errbuf, errbuflen, "Cannot read CA list from %s", ssl_rootfile);
- goto die;
- }
- } else {
->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
}
}
#if 0
-<<<<<<< HEAD
if (! RAND_load_file(RANDOM, 1024*1024))
{
-=======
- if (! RAND_load_file(RANDOM, 1024*1024)) {
->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket
pcap_snprintf(errbuf, errbuflen, "Cannot init random");
goto die;
}
-<<<<<<< HEAD
if (is_server)
{
-=======
- if (is_server) {
->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket
SSL_CTX_set_session_id_context(ctx, (void *)&s_server_session_id_context, sizeof(s_server_session_id_context));
}
#endif
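Review bot: On the new side the client branch (`else {` at the top of the hunk) appears to go straight to `SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL)`, whereas the discarded b5063379 side loaded `ssl_rootfile` with `SSL_CTX_load_verify_locations` and only fell back to no verification when no root file was configured. If the HEAD resolution really dropped that branch (indentation is not visible here and the new-side line count suggests a couple of blank lines are missing, so I may be wrong), every rpcaps:// client accepts any server certificate and `ssl_rootfile` from sslutils.h is dead, leaving the TLS layer with encryption but no server authentication. Restoring the root-file branch, and requesting `SSL_VERIFY_PEER` when a root file is given so a failed chain actually aborts the handshake rather than merely being recorded in `SSL_get_verify_result`, would close that gap. ssl_init_once() starts and ends outside the hunk.
```c
	else
	{
		if (ssl_rootfile[0])
		{
			if (! SSL_CTX_load_verify_locations(ctx, ssl_rootfile, 0))
			{
				pcap_snprintf(errbuf, errbuflen, "Cannot read CA list from %s", ssl_rootfile);
				goto die;
			}
			/* A CA list was supplied: make a failed chain fatal. */
			SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
		}
		else
		{
			SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
		}
	}
	/* … unchanged: #if 0 RAND_load_file / session-id block … */
```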
@@ -155,26 +123,20 @@ die:
return -1;
}
-void init_ssl_or_die(int is_server)
+void init_ssl_or_die(int is_server, int enable_compression)
{
char errbuf[PCAP_ERRBUF_SIZE];
-<<<<<<< HEAD
- if (ssl_init_once(is_server, errbuf, sizeof errbuf) < 0)
+ if (ssl_init_once(is_server, enable_compression, errbuf, sizeof errbuf) < 0)
{
fprintf(stderr, "%s\n", errbuf);
exit(3);
}
-=======
- if (ssl_init_once(is_server, errbuf, sizeof errbuf) < 0) {
- fprintf(stderr, "%s\n", errbuf);
- exit(3);
- }
}
SSL *ssl_promotion_rw(int is_server, SOCKET in, SOCKET out, char *errbuf, size_t errbuflen)
{
- if (ssl_init_once(is_server, errbuf, errbuflen) < 0) {
+ if (ssl_init_once(is_server, 1, errbuf, errbuflen) < 0) {
return NULL;
}
@@ -197,7 +159,6 @@ SSL *ssl_promotion_rw(int is_server, SOCKET in, SOCKET out, char *errbuf, size_t
}
return ssl;
->>>>>>> b5063379... TLS for rpcap: also encrypt the control socket
}
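Review bot: `ssl_init_once(is_server, 1, errbuf, errbuflen)` hard-codes compression on for every caller of `ssl_promotion_rw`, which is the opposite of the daemon's opt-in default and bypasses the new `-C` switch entirely; because `ssl_init_once` configures the shared `ctx` only on its first call, whichever of this path or `init_ssl_or_die` runs first fixes the setting for the whole process. Passing 0 here, `if (ssl_init_once(is_server, 0, errbuf, errbuflen) < 0) {`, keeps the safe default until the library API grows a way for callers to request compression explicitly. The tail at the top of the hunk (`return -1; }`) belongs to ssl_init_once(), which starts outside the hunk; init_ssl_or_die() and ssl_promotion_rw() are shown in full.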
SSL *ssl_promotion(int is_server, SOCKET s, char *errbuf, size_t errbuflen)
diff --git a/sslutils.h b/sslutils.h
index 457c9214..41a243e3 100644
--- a/sslutils.h
+++ b/sslutils.h
@@ -54,7 +54,7 @@ extern char ssl_rootfile[PATH_MAX];
* Utility functions
*/
-void init_ssl_or_die(int is_server);
+void init_ssl_or_die(int is_server, int enable_compression);
SSL *ssl_promotion(int is_server, SOCKET s, char *errbuf, size_t errbuflen);
SSL *ssl_promotion_rw(int is_server, SOCKET in, SOCKET out, char *errbuf, size_t errbuflen);
int ssl_send(SSL *, char const *buffer, size_t size, char *errbuf, size_t errbuflen);
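Review bot: The new `enable_compression` parameter of `init_ssl_or_die` is undocumented in the header, and nothing tells a caller that it is honoured only on the first initialisation (sslutils.c guards `ssl_init_once` with a `static int inited`). Suggest a comment above the prototype: `/* is_server: configure the shared ctx for the server side; enable_compression: non-zero requests TLS-level compression, a known plaintext-leak vector (CRIME). Both are honoured only on the first SSL initialisation in the process. */`.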