From 144af547fb732fc714b4c5d3b4fd776c3c641066 Mon Sep 17 00:00:00 2001
From: Vladimir Dubrovin <3proxy@3proxy.ru>
Date: Sat, 9 Mar 2024 16:23:03 +0300
Subject: [PATCH] Keep TLS client context between requests
---
 src/plugins/SSLPlugin/my_ssl.c | 16 +++-------------
 src/plugins/SSLPlugin/my_ssl.h | 4 +++-
 src/plugins/SSLPlugin/ssl_plugin.c | 18 +++++++++++++++++-
 3 files changed, 23 insertions(+), 15 deletions(-)
diff --git a/src/plugins/SSLPlugin/my_ssl.c b/src/plugins/SSLPlugin/my_ssl.c
index 5cf640c..1f0a0a6 100644
--- a/src/plugins/SSLPlugin/my_ssl.c
+++ b/src/plugins/SSLPlugin/my_ssl.c
@@ -181,7 +181,7 @@ SSL_CERT ssl_copy_cert(SSL_CERT cert, SSL_CONFIG *config)
 }
-SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CERT *server_cert, char **errSSL)
+SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CTX *srv_ctx, SSL_CERT *server_cert, char **errSSL)
 {
 int err = 0;
 X509 *cert;
@@ -193,19 +193,9 @@ SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CERT *server_cer
 if ( conn == NULL ){
 return NULL;
 }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- conn->ctx = SSL_CTX_new(SSLv23_client_method());
-#else
- conn->ctx = SSL_CTX_new(TLS_client_method());
-#endif
- if ( conn->ctx == NULL ) {
- free(conn);
- return NULL;
- }
-
- conn->ssl = SSL_new(conn->ctx);
+ conn->ctx = NULL;
+ conn->ssl = SSL_new(srv_ctx);
 if ( conn->ssl == NULL ) {
- SSL_CTX_free(conn->ctx);
 free(conn);
 return NULL;
 }
diff --git a/src/plugins/SSLPlugin/my_ssl.h b/src/plugins/SSLPlugin/my_ssl.h
index 3434315..d266ce4 100644
--- a/src/plugins/SSLPlugin/my_ssl.h
+++ b/src/plugins/SSLPlugin/my_ssl.h
@@ -18,6 +18,8 @@ struct ssl_config {
 X509 *server_cert;
 EVP_PKEY *CA_key;
 EVP_PKEY *server_key;
+ SSL_CTX *cli_ctx;
+ SSL_CTX *srv_ctx;
 };
 typedef struct ssl_config SSL_CONFIG;
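Review bot: `conn->ctx = NULL;` changes who owns the SSL_CTX, but nothing in the hunk says so; add `/* ctx is shared (SSL_CONFIG srv_ctx) and owned by the filter; SSL_new() takes its own reference, so per-connection cleanup must never SSL_CTX_free it */` on that line. A NULL srv_ctx is handled only indirectly, because SSL_new(NULL) fails and lands in the existing `conn->ssl == NULL` branch; an explicit `if ( srv_ctx == NULL ) { free(conn); return NULL; }` before the SSL_new call makes the contract visible. One client context now serves every worker thread; OpenSSL 1.1.0+ locks internally, but the `< 0x10100000L` branch is still compiled elsewhere in this patch and whether locking callbacks are installed for it is not visible here. Any upstream verification or minimum-protocol settings that used to be applied per connection now belong on srv_ctx once, where ssl_filter_open creates it; I cannot tell from this hunk whether such settings exist. The remainder of ssl_handshake_to_server continues past the hunk.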
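Review bot: `SSL_CTX *cli_ctx;` is declared in struct ssl_config but no code in this patch creates or assigns it, and neither new field states its owner or lifetime. Suggest `SSL_CTX *cli_ctx; /* reserved; not created by this plugin yet */` and `SSL_CTX *srv_ctx; /* shared TLS client context for upstream handshakes, created in ssl_filter_open() and released in ssl_filter_close(); connections borrow it via SSL_new() */`. If cli_ctx has no planned producer it is cleaner to omit it until it does, since a pointer that is freed but never set is easy to misuse.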
@@ -31,7 +33,7 @@ SSL_CERT ssl_copy_cert(SSL_CERT cert, SSL_CONFIG *config);
 //
 // SSL/TLS handshakes
 //
-SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CERT *server_cert, char **errSSL);
+SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CTX *srv_ctx, SSL_CERT *server_cert, char **errSSL);
 SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CERT server_cert, EVP_PKEY *server_key, char **errSSL);
 //
diff --git a/src/plugins/SSLPlugin/ssl_plugin.c b/src/plugins/SSLPlugin/ssl_plugin.c
index 3fbb6fb..48f8c1f 100644
--- a/src/plugins/SSLPlugin/ssl_plugin.c
+++ b/src/plugins/SSLPlugin/ssl_plugin.c
@@ -238,7 +238,7 @@ int domitm(struct clientparam* param, SSL_CONN* ServerConnp, SSL_CONN* ClientCon
 ul = ((unsigned long)ssl_connect_timeout)*1000;
 setsockopt(param->remsock, SOL_SOCKET, SO_SNDTIMEO, (char *)&ul, 4);
 }
- ServerConn = ssl_handshake_to_server(param->remsock, (char *)param->hostname, &ServerCert, &errSSL);
+ ServerConn = ssl_handshake_to_server(param->remsock, (char *)param->hostname, PCONF->srv_ctx, &ServerCert, &errSSL);
 if ( ServerConn == NULL || ServerCert == NULL ) {
 param->res = 8011;
 param->srv->logfunc(param, (unsigned char *)"SSL handshake to server failed");
@@ -371,6 +371,16 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
 srv->usesplice = 0;
 #endif
 }
+ if(sc && sc->mitm){
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ sc->srv_ctx = SSL_CTX_new(SSLv23_client_method());
+#else
+ sc->srv_ctx = SSL_CTX_new(TLS_client_method());
+#endif
+ if ( sc->srv_ctx == NULL ) {
+ sc->mitm = 0;
+ }
+ }
 return sc;
 }
@@ -449,6 +459,12 @@ static void ssl_filter_close(void *fo){
 if ( CONFIG->server_key != NULL ) {
 EVP_PKEY_free(CONFIG->server_key);
 }
+ if ( CONFIG->srv_ctx != NULL ) {
+ SSL_CTX_free(CONFIG->srv_ctx);
+ }
+ if ( CONFIG->cli_ctx != NULL ) {
+ SSL_CTX_free(CONFIG->cli_ctx);
+ }
 free(fo);
 }
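Review bot: The new block in ssl_filter_open assigns `sc->srv_ctx` only when `sc->mitm` is set and never touches `sc->cli_ctx`, yet the ssl_filter_close hunk in this same file frees both after a NULL test; unless sc is zero-initialised where it is allocated (earlier in ssl_filter_open, outside the hunk), those fields are indeterminate and the frees act on an uninitialised pointer. Set them explicitly as soon as sc is known to be valid, e.g. `if(sc){ sc->srv_ctx = NULL; sc->cli_ctx = NULL; }` placed before `if(sc && sc->mitm){`. When SSL_CTX_new fails the block silently clears `sc->mitm`, so the filter starts in pass-through mode with no record of why; a comment such as `/* no client context: fall back to pass-through, TLS is not intercepted */` is the minimum, and a log message would be better if a logging hook is reachable here (none is visible in the hunk). ssl_filter_open begins outside the hunk.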