ssl_server_verify, ssl_server_ca_dir, ssl_server_ca_store added, ssl_server / ssl_client aliases added to ssl_serv / ssl_cli

This commit is contained in:
Vladimir Dubrovin 2025-04-15 19:18:14 +03:00
parent 6355f9659b
commit 43d48adeb9
3 changed files with 128 additions and 53 deletions


@ -45,6 +45,11 @@ static char hexMap[] = {
static BIO *bio_err=NULL; static BIO *bio_err=NULL;
char * getSSLErr(){
return ERR_error_string(ERR_get_error(), errbuf);
}
static size_t bin2hex (const unsigned char* bin, size_t bin_length, char* str, size_t str_length) static size_t bin2hex (const unsigned char* bin, size_t bin_length, char* str, size_t str_length)
{ {
char *p; char *p;
@ -218,13 +223,13 @@ SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config,
if(!SSL_set_fd(conn->ssl, s)){ if(!SSL_set_fd(conn->ssl, s)){
ssl_conn_free(conn); ssl_conn_free(conn);
*errSSL = ERR_error_string(ERR_get_error(), errbuf); *errSSL = getSSLErr();
return NULL; return NULL;
} }
if(hostname && *hostname)SSL_set_tlsext_host_name(conn->ssl, hostname); if(hostname && *hostname)SSL_set_tlsext_host_name(conn->ssl, hostname);
err = SSL_connect(conn->ssl); err = SSL_connect(conn->ssl);
if ( err == -1 ) { if ( err == -1 ) {
*errSSL = ERR_error_string(ERR_get_error(), errbuf); *errSSL = getSSLErr();
ssl_conn_free(conn); ssl_conn_free(conn);
return NULL; return NULL;
} }
@ -250,42 +255,6 @@ SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config,
} }
SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_key, char** errSSL){
SSL_CTX *ctx;
int err = 0;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
ctx = SSL_CTX_new(SSLv23_server_method());
#else
ctx = SSL_CTX_new(TLS_server_method());
#endif
if (!ctx) {
*errSSL = ERR_error_string(ERR_get_error(), errbuf);
return NULL;
}
err = SSL_CTX_use_certificate(ctx, (X509 *) server_cert);
if ( err <= 0 ) {
*errSSL = ERR_error_string(ERR_get_error(), errbuf);
SSL_CTX_free(ctx);
return NULL;
}
err = SSL_CTX_use_PrivateKey(ctx, server_key);
if ( err <= 0 ) {
*errSSL = ERR_error_string(ERR_get_error(), errbuf);
SSL_CTX_free(ctx);
return NULL;
}
if(config->server_min_proto_version)SSL_CTX_set_min_proto_version(ctx, config->server_min_proto_version);
if(config->server_max_proto_version)SSL_CTX_set_max_proto_version(ctx, config->server_max_proto_version);
if(config->server_cipher_list)SSL_CTX_set_cipher_list(ctx, config->server_cipher_list);
if(config->server_ciphersuites)SSL_CTX_set_ciphersuites(ctx, config->server_ciphersuites);
return ctx;
}
SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_key, char** errSSL){ SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_key, char** errSSL){
int err = 0; int err = 0;
X509 *cert; X509 *cert;
@ -320,7 +289,7 @@ SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert
conn->ssl = SSL_new(config->cli_ctx?config->cli_ctx : conn->ctx); conn->ssl = SSL_new(config->cli_ctx?config->cli_ctx : conn->ctx);
if ( conn->ssl == NULL ) { if ( conn->ssl == NULL ) {
*errSSL = ERR_error_string(ERR_get_error(), errbuf); *errSSL = getSSLErr();
if(conn->ctx)SSL_CTX_free(conn->ctx); if(conn->ctx)SSL_CTX_free(conn->ctx);
free(conn); free(conn);
return NULL; return NULL;
@ -329,7 +298,7 @@ SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert
SSL_set_fd(conn->ssl, s); SSL_set_fd(conn->ssl, s);
err = SSL_accept(conn->ssl); err = SSL_accept(conn->ssl);
if ( err <= 0 ) { if ( err <= 0 ) {
*errSSL = ERR_error_string(ERR_get_error(), errbuf); *errSSL = getSSLErr();
ssl_conn_free(conn); ssl_conn_free(conn);
return NULL; return NULL;
} }
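Review bot: The new getSSLErr() at the top of this section formats into the shared buffer errbuf with ERR_error_string(), which writes without a length bound, so the helper silently depends on errbuf being at least the 256 bytes OpenSSL requires (its declaration is not in view, so this cannot be checked here). Since the commit is centralising every error-string site onto this helper, it is the right place to make the bound explicit: `ERR_error_string_n(ERR_get_error(), errbuf, sizeof errbuf); return errbuf;` if errbuf is an array, or the buffer's size constant otherwise. The returned pointer also aliases that single file-scope buffer, so if handshakes can run concurrently (not visible here) two failing connections can overwrite each other's message before it is logged; a short comment on the function stating that the result is valid only until the next call would at least make the contract explicit to callers such as ssl_handshake_to_server and ssl_handshake_to_client.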


@ -11,10 +11,6 @@ typedef void *SSL_CONN;
typedef void *SSL_CERT; typedef void *SSL_CERT;
struct ssl_config { struct ssl_config {
int mitm;
int serv;
int cli;
char *certcache;
X509 *CA_cert; X509 *CA_cert;
X509 *server_cert; X509 *server_cert;
X509 *client_cert; X509 *client_cert;
@ -23,11 +19,7 @@ struct ssl_config {
EVP_PKEY *client_key; EVP_PKEY *client_key;
SSL_CTX *cli_ctx; SSL_CTX *cli_ctx;
SSL_CTX *srv_ctx; SSL_CTX *srv_ctx;
int client_min_proto_version; char *certcache;
int client_max_proto_version;
int server_min_proto_version;
int server_max_proto_version;
int client_verify;
char * client_ciphersuites; char * client_ciphersuites;
char * server_ciphersuites; char * server_ciphersuites;
char * client_cipher_list; char * client_cipher_list;
@ -35,6 +27,18 @@ struct ssl_config {
char * client_ca_file; char * client_ca_file;
char * client_ca_dir; char * client_ca_dir;
char * client_ca_store; char * client_ca_store;
char * server_ca_file;
char * server_ca_dir;
char * server_ca_store;
int mitm;
int serv;
int cli;
int client_min_proto_version;
int client_max_proto_version;
int server_min_proto_version;
int server_max_proto_version;
int client_verify;
int server_verify;
}; };
typedef struct ssl_config SSL_CONFIG; typedef struct ssl_config SSL_CONFIG;
@ -69,6 +73,7 @@ void _ssl_cert_free(SSL_CERT cert);
// Global (de)initialization // Global (de)initialization
// //
void ssl_init(void); void ssl_init(void);
char * getSSLErr(void);
#endif // __my_ssl_h__ #endif // __my_ssl_h__
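Review bot: The new prototype `char * getSSLErr(void);` is exported without any statement of its contract, and the struct gains six fields (server_ca_file/dir/store, server_verify and the relocated ints) with no indication of who owns the strings. Callers in the plugin assign the ca pointers by aliasing rather than copying, so the ownership question is real; a comment on the prototype such as `/* Pops the next OpenSSL error and formats it into a shared static buffer; the pointer is valid only until the next call. */` and one above the `char *` fields noting that the struct does not own them (if that is indeed the intent, which the header alone cannot confirm) would make the interface self-describing.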


@ -38,6 +38,8 @@ char *srvkey = NULL;
char *clicert = NULL; char *clicert = NULL;
char *clikey = NULL; char *clikey = NULL;
char *server_ca_file = NULL; char *server_ca_file = NULL;
char *server_ca_dir = NULL;
char *server_ca_store = NULL;
char *server_ca_key = NULL; char *server_ca_key = NULL;
char *client_ca_file = NULL; char *client_ca_file = NULL;
char *client_ca_dir = NULL; char *client_ca_dir = NULL;
@ -51,6 +53,7 @@ int client_max_proto_version = 0;
int server_min_proto_version = 0; int server_min_proto_version = 0;
int server_max_proto_version = 0; int server_max_proto_version = 0;
int client_verify = 0; int client_verify = 0;
int server_verify = 0;
char * client_ciphersuites = NULL; char * client_ciphersuites = NULL;
char * server_ciphersuites = NULL; char * server_ciphersuites = NULL;
char * client_cipher_list = NULL; char * client_cipher_list = NULL;
@ -341,6 +344,59 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx){
return preverify_ok; return preverify_ok;
} }
SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_key, char** errSSL){
SSL_CTX *ctx;
int err = 0;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
ctx = SSL_CTX_new(SSLv23_server_method());
#else
ctx = SSL_CTX_new(TLS_server_method());
#endif
if (!ctx) {
*errSSL = getSSLErr();
return NULL;
}
err = SSL_CTX_use_certificate(ctx, (X509 *) server_cert);
if ( err <= 0 ) {
*errSSL = getSSLErr();
SSL_CTX_free(ctx);
return NULL;
}
err = SSL_CTX_use_PrivateKey(ctx, server_key);
if ( err <= 0 ) {
*errSSL = getSSLErr();
SSL_CTX_free(ctx);
return NULL;
}
if(config->server_min_proto_version)SSL_CTX_set_min_proto_version(ctx, config->server_min_proto_version);
if(config->server_max_proto_version)SSL_CTX_set_max_proto_version(ctx, config->server_max_proto_version);
if(config->server_cipher_list)SSL_CTX_set_cipher_list(ctx, config->server_cipher_list);
if(config->server_ciphersuites)SSL_CTX_set_ciphersuites(ctx, config->server_ciphersuites);
if(config->server_verify){
fprintf(stderr, "server verify\n");
fflush(stderr);
if(config->server_ca_file || config->server_ca_dir){
SSL_CTX_load_verify_locations(ctx, config->server_ca_file, config->server_ca_dir);
}
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
else if(config->server_ca_store){
SSL_CTX_load_verify_store(ctx, config->server_ca_store);
}
#endif
else
SSL_CTX_set_default_verify_paths(ctx);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|SSL_VERIFY_CLIENT_ONCE, NULL);
}
return ctx;
}
static void* ssl_filter_open(void * idata, struct srvparam * srv){ static void* ssl_filter_open(void * idata, struct srvparam * srv){
char fname[256]; char fname[256];
char *errSSL; char *errSSL;
@ -355,6 +411,7 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
sc->server_min_proto_version = server_min_proto_version; sc->server_min_proto_version = server_min_proto_version;
sc->server_max_proto_version = server_max_proto_version; sc->server_max_proto_version = server_max_proto_version;
sc->client_verify = client_verify; sc->client_verify = client_verify;
sc->server_verify = server_verify;
if(client_ciphersuites) sc->client_ciphersuites = strdup(client_ciphersuites); if(client_ciphersuites) sc->client_ciphersuites = strdup(client_ciphersuites);
if(server_ciphersuites) sc->server_ciphersuites = strdup(server_ciphersuites); if(server_ciphersuites) sc->server_ciphersuites = strdup(server_ciphersuites);
if(client_cipher_list) sc->client_cipher_list = strdup(client_cipher_list); if(client_cipher_list) sc->client_cipher_list = strdup(client_cipher_list);
@ -375,7 +432,10 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
} }
if(client_ca_file)sc->client_ca_file=client_ca_file; if(client_ca_file)sc->client_ca_file=client_ca_file;
if(client_ca_dir)sc->client_ca_dir=client_ca_dir; if(client_ca_dir)sc->client_ca_dir=client_ca_dir;
if(client_ca_store)sc->client_ca_dir=client_ca_store; if(client_ca_store)sc->client_ca_store=client_ca_store;
if(server_ca_file)sc->server_ca_file=server_ca_file;
if(server_ca_dir)sc->server_ca_dir=server_ca_dir;
if(server_ca_store)sc->server_ca_store=server_ca_store;
if(mitm){ if(mitm){
@ -474,7 +534,7 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
#endif #endif
else else
SSL_CTX_set_default_verify_paths(sc->srv_ctx); SSL_CTX_set_default_verify_paths(sc->srv_ctx);
SSL_CTX_set_verify(sc->srv_ctx, SSL_VERIFY_PEER, verify_callback); SSL_CTX_set_verify(sc->srv_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
} }
} }
#ifdef WIWHSPLICE #ifdef WIWHSPLICE
@ -770,6 +830,18 @@ static int h_client_ca_store(int argc, unsigned char **argv){
return 0; return 0;
} }
static int h_server_ca_dir(int argc, unsigned char **argv){
free(server_ca_dir);
server_ca_dir = argc > 1? strdup((char *)argv[1]) : NULL;
return 0;
}
static int h_server_ca_store(int argc, unsigned char **argv){
free(server_ca_store);
server_ca_store = argc > 1? strdup((char *)argv[1]) : NULL;
return 0;
}
struct vermap{ struct vermap{
char *sver; char *sver;
int iver; int iver;
@ -836,6 +908,15 @@ static int h_no_client_verify(int argc, unsigned char **argv){
return 0; return 0;
} }
static int h_server_verify(int argc, unsigned char **argv){
server_verify = 1;
return 0;
}
static int h_no_server_verify(int argc, unsigned char **argv){
server_verify = 0;
return 0;
}
static struct commands ssl_commandhandlers[] = { static struct commands ssl_commandhandlers[] = {
{ssl_commandhandlers+1, "ssl_mitm", h_mitm, 1, 1}, {ssl_commandhandlers+1, "ssl_mitm", h_mitm, 1, 1},
{ssl_commandhandlers+2, "ssl_nomitm", h_nomitm, 1, 1}, {ssl_commandhandlers+2, "ssl_nomitm", h_nomitm, 1, 1},
@ -862,6 +943,14 @@ static struct commands ssl_commandhandlers[] = {
{ssl_commandhandlers+23, "ssl_nocli", h_nocli, 1, 1}, {ssl_commandhandlers+23, "ssl_nocli", h_nocli, 1, 1},
{ssl_commandhandlers+24, "ssl_client_cert", h_clicert, 1, 2}, {ssl_commandhandlers+24, "ssl_client_cert", h_clicert, 1, 2},
{ssl_commandhandlers+25, "ssl_client_key", h_clikey, 1, 2}, {ssl_commandhandlers+25, "ssl_client_key", h_clikey, 1, 2},
{ssl_commandhandlers+26, "ssl_server", h_serv, 1, 1},
{ssl_commandhandlers+27, "ssl_noserver", h_noserv, 1, 1},
{ssl_commandhandlers+28, "ssl_client", h_cli, 1, 1},
{ssl_commandhandlers+29, "ssl_noclient", h_nocli, 1, 1},
{ssl_commandhandlers+30, "ssl_server_verify", h_server_verify, 1, 1},
{ssl_commandhandlers+31, "ssl_server_no_verify", h_no_server_verify, 1, 1},
{ssl_commandhandlers+32, "ssl_server_ca_dir", h_server_ca_dir, 1, 2},
{ssl_commandhandlers+33, "ssl_server_ca_store", h_server_ca_store, 1, 2},
{NULL, "ssl_certcache", h_certcache, 2, 2}, {NULL, "ssl_certcache", h_certcache, 2, 2},
}; };
@ -875,22 +964,30 @@ static struct commands ssl_commandhandlers[] = {
PLUGINAPI int PLUGINCALL ssl_plugin (struct pluginlink * pluginlink, PLUGINAPI int PLUGINCALL ssl_plugin (struct pluginlink * pluginlink,
int argc, char** argv){ int argc, char** argv){
mitm = 0;
serv = 0;
cli = 0;
pl = pluginlink; pl = pluginlink;
ssl_connect_timeout = 0; ssl_connect_timeout = 0;
free(certcache); free(certcache);
certcache = NULL; certcache = NULL;
free(srvcert); free(srvcert);
srvcert = NULL; srvcert = NULL;
free(srvkey); free(srvkey);
srvkey = NULL; srvkey = NULL;
mitm = 0; free(clicert);
serv = 0; clicert = NULL;
free(clikey);
clikey = NULL;
client_min_proto_version = 0; client_min_proto_version = 0;
client_max_proto_version = 0; client_max_proto_version = 0;
server_min_proto_version = 0; server_min_proto_version = 0;
server_max_proto_version = 0; server_max_proto_version = 0;
client_verify = 0; client_verify = 0;
server_verify = 0;
free(client_ciphersuites); free(client_ciphersuites);
client_ciphersuites = NULL; client_ciphersuites = NULL;
free(server_ciphersuites); free(server_ciphersuites);
@ -909,6 +1006,10 @@ PLUGINAPI int PLUGINCALL ssl_plugin (struct pluginlink * pluginlink,
client_ca_dir = NULL; client_ca_dir = NULL;
free(client_ca_store); free(client_ca_store);
client_ca_store = NULL; client_ca_store = NULL;
free(server_ca_dir);
server_ca_dir = NULL;
free(server_ca_store);
server_ca_store = NULL;
if(!ssl_loaded){ if(!ssl_loaded){
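Review bot: In the relocated ssl_cli_ctx (the `@ -341,6 +344,59 @@` hunk) the new server_verify branch ignores the return values of SSL_CTX_load_verify_locations, SSL_CTX_load_verify_store and SSL_CTX_set_default_verify_paths, so a mistyped ssl_server_ca_dir or an unreadable CA file yields a context with SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT set and an empty trust store — every client certificate is then rejected with no configuration-time diagnostic, and the function returns success. The two `fprintf(stderr, "server verify\n"); fflush(stderr);` lines in the same branch read as leftover debugging output. Note also that the first trust source consulted is config->server_ca_file, which the plugin populates from the pre-existing server_ca_file global that sits beside server_ca_key (L137/L140); if that pair is the MITM signing CA, enabling ssl_server_verify together with ssl_mitm would verify client certificates against the MITM CA, which may not be the intended anchor — worth confirming. The proposed rewrite checks each loader and fails the context creation through the existing errSSL path; the srv_ctx branch at the end of the `@ -474,7 +534,7 @@` hunk has the same unchecked loaders, but that code predates this commit.

```c
    if(config->server_verify){
        int loaded;
        if(config->server_ca_file || config->server_ca_dir)
            loaded = SSL_CTX_load_verify_locations(ctx, config->server_ca_file, config->server_ca_dir);
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
        else if(config->server_ca_store)
            loaded = SSL_CTX_load_verify_store(ctx, config->server_ca_store);
#endif
        else
            loaded = SSL_CTX_set_default_verify_paths(ctx);
        if(loaded <= 0){
            /* an unloadable trust store must surface as a config error,
               not as a context that silently fails every client handshake */
            *errSSL = getSSLErr();
            SSL_CTX_free(ctx);
            return NULL;
        }
        SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|SSL_VERIFY_CLIENT_ONCE, NULL);
    }
    /* … unchanged: return ctx … */
```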