Merge 983df6f7ae into b5ab5b8906

.github/workflows/c-cpp.yml

@@ -34,7 +34,7 @@ jobs:
       run: copy Makefile.win Makefile
     - name: dirs Windows
       if: ${{ startsWith(matrix.target, 'windows') }}
-      run: cmd /C 'echo LIBS := -L "c:/program files/openssl/lib" $(LIBS) >>Makefile.win && echo CFLAGS := -I "c:/program files/openssl/include" $(CFLAGS) >>Makefile.win && type Makefile.win'
+      run: cmd /C 'echo LIBS := -L "c:/program files/openssl/lib/VC/x64/MT" $(LIBS) >>Makefile.win && echo CFLAGS := -I "c:/program files/openssl/include" $(CFLAGS) >>Makefile.win && type Makefile.win && dir "c:/program files/openssl/lib"'
     - name: SSLPlugin Linux
       if: ${{ startsWith(matrix.target, 'ubuntu') }}
       run: "sed -i '/^PLUGIN/s/$/ SSLPlugin/' Makefile && sed -i '/^LIBS/s/$/ -lcrypto -lssl/' Makefile"

src/common.c

@@ -93,27 +93,31 @@ char *rotations[] = {
 
 
 struct extparam conf = {
-	{0, 0},
+	{0, 0}, /* threadinit */
-	{1, 5, 30, 60, 180, 1800, 15, 60, 15, 5, 0, 0},
+	{1, 5, 30, 60, 180, 1800, 15, 60, 15, 5, 0, 0}, /* timeouts */
-	NULL,
+	NULL, /* struct ace * acl; */
-	NULL,
+	NULL, /* char * conffile; */
-	NULL, NULL,
+	NULL, NULL, /* struct bandlim * bandlimiter,  *bandlimiterout; */
-	NULL,
+	NULL, /* struct connlim * connlimiter; */
-	NULL,
+	NULL, /* struct trafcount * trafcounter; */
-	NULL,
+	NULL, /* struct srvparam *services; */
-	0,
+	0, /* int stacksize, */
-	-1, 0, 0, 0, 0, 
+	-1, 0, 0, 0, 0, /* counterd, haveerror, rotate, paused, archiverc, */
-	0, 500, 0, 0, 0, 0, 0, 0, 2,
+	0, 500, 0, 0, 0, 0, 0, 0, 2, /* demon, maxchild, backlog, needreload, timetoexit, version, noforce, bandlimver, parentretries; */
-	0, 0, 0,
+	6, 600, /* int authcachetype, authcachetime; */
-	6, 600,
+	1048576, /* int filtermaxsize; */
-	1048576,
+	0, 0, 0, /* int gracetraf, gracenum, gracedelay */
-	NULL, NULL,
+	0, /* int maxseg */
-	NONE, NONE,
+	NULL, NULL, /* unsigned char *logname, **archiver; */
-	NULL,
+	NONE, NONE, /* ROTATION logtype, countertype; */
+	NULL, /* char * counterfile; */
 #ifndef NOIPV6
-	{AF_INET},{AF_INET6},{AF_INET}, 
+	{AF_INET},
+	{AF_INET6},
+	{AF_INET}, 
 #else
-	{AF_INET},{AF_INET}, 
+	{AF_INET},
+	{AF_INET}, 
 #endif
 	NULL,
 	NULL,

src/conf.c

@@ -466,6 +466,11 @@ static int h_rotate(int argc, unsigned char **argv){
 	return 0;
 }
 
+static int h_maxseg(int argc, unsigned char **argv){
+	conf.maxseg = atoi((char *)argv[1]);
+	return 0;
+}
+
 static int h_logformat(int argc, unsigned char **argv){
 	unsigned char * old = conf.logformat;
 	conf.logformat = (unsigned char *)mystrdup((char *)argv[1]);
@@ -1648,8 +1653,9 @@ struct commands commandhandlers[]={
 	{commandhandlers+64, "auto", h_proxy, 1, 0},
 	{commandhandlers+65, "backlog", h_backlog, 2, 2},
 	{commandhandlers+66, "tlspr", h_proxy, 1, 0},
+	{commandhandlers+67, "maxseg", h_maxseg, 2, 2},
 #ifndef NORADIUS
-	{commandhandlers+67, "radius", h_radius, 3, 0},
+	{commandhandlers+68, "radius", h_radius, 3, 0},
 #endif
 	{specificcommands, 	 "", h_noop, 1, 0}
 };

src/plugins/SSLPlugin/my_ssl.h

@@ -30,6 +30,8 @@ struct ssl_config {
     char * server_ca_file;
     char * server_ca_dir;
     char * server_ca_store;
+    char * client_sni;
+    char * client_alpn;
     int mitm;
     int serv;
     int cli;

src/plugins/SSLPlugin/ssl_plugin.c

@@ -58,6 +58,8 @@ char * client_ciphersuites = NULL;
 char * server_ciphersuites = NULL;
 char * client_cipher_list = NULL;
 char * server_cipher_list = NULL;
+char * client_sni = NULL;
+char * client_alpn = NULL;
 
 typedef struct _ssl_conn {
 	struct SSL_CTX *ctx;
@@ -211,6 +213,11 @@ static ssize_t ssl_recv(void *state, SOCKET s, void *msg, size_t len, int flags)
 	return sso._recv(sso.state, s, msg, len, flags);
 }
 
+static int WINAPI ssl_shutdown(void *state, SOCKET s, int how){
+	delSSL(state, s);
+	return sso._shutdown(sso.state, s, how);
+}
+
 static int WINAPI ssl_closesocket(void *state, SOCKET s){
 	delSSL(state, s);
 	return sso._closesocket(sso.state, s);
@@ -307,8 +314,11 @@ int docli(struct clientparam* param){
 
  SSL_CONN ServerConn;
  SSL_CERT ServerCert=NULL;
- 
+ unsigned char *hostname;
+ hostname = param->hostname;
+ param->hostname = (unsigned char *)PCONF->client_sni;
  ServerConn = dosrvcon(param, &ServerCert);
+ param->hostname = hostname;
  _ssl_cert_free(ServerCert);
 
  if(!ServerConn) return 1;
@@ -437,6 +447,9 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
 	if(server_ca_dir)sc->server_ca_dir=server_ca_dir;
 	if(server_ca_store)sc->server_ca_store=server_ca_store;
 
+	if(client_sni)sc->client_sni=client_sni;
+	if(client_alpn)sc->client_alpn=client_alpn;
+
 
 	if(mitm){
 	    if(!server_ca_file){
@@ -501,6 +514,7 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
 	    srv->so._recv = ssl_recv;
 	    srv->so._sendto = ssl_sendto;
 	    srv->so._recvfrom = ssl_recvfrom;
+	    srv->so._shutdown = ssl_shutdown;
 	    srv->so._closesocket = ssl_closesocket;
 	    srv->so._poll = ssl_poll;
 	}
@@ -536,7 +550,7 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
 		    SSL_CTX_set_verify(sc->srv_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
 	    }
 	}
-#ifdef WIWHSPLICE
+#ifdef WITHSPLICE
 	srv->usesplice = 0;
 #endif
 	return sc;
@@ -629,6 +643,8 @@ static void ssl_filter_close(void *fo){
     free(CONFIG->client_ca_file);
     free(CONFIG->client_ca_dir);
     free(CONFIG->client_ca_store);
+    free(CONFIG->client_sni);
+    free(CONFIG->client_alpn);
     free(fo);
 }
 
@@ -829,6 +845,18 @@ static int h_client_ca_store(int argc, unsigned char **argv){
 	return 0;
 }
 
+static int h_client_sni(int argc, unsigned char **argv){
+	free(client_sni);
+	client_sni = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_client_alpn(int argc, unsigned char **argv){
+	free(client_alpn);
+	client_alpn = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
 static int h_server_ca_dir(int argc, unsigned char **argv){
 	free(server_ca_dir);
 	server_ca_dir = argc > 1? strdup((char *)argv[1]) : NULL;
@@ -950,6 +978,8 @@ static struct commands ssl_commandhandlers[] = {
 	{ssl_commandhandlers+31, "ssl_server_no_verify", h_no_server_verify, 1, 1},
 	{ssl_commandhandlers+32, "ssl_server_ca_dir", h_server_ca_dir, 1, 2},
 	{ssl_commandhandlers+33, "ssl_server_ca_store", h_server_ca_store, 1, 2},
+	{ssl_commandhandlers+34, "ssl_client_sni", h_client_sni, 1, 2},
+	{ssl_commandhandlers+35, "ssl_client_alpn", h_client_alpn, 1, 2},
 	{NULL, "ssl_certcache", h_certcache, 2, 2},
 };
 

src/proxymain.c

@@ -170,6 +170,9 @@ struct socketoptions sockopts[] = {
 #endif
 #ifdef TCP_FASTOPEN_CONNECT
 	{TCP_FASTOPEN_CONNECT, "TCP_FASTOPEN_CONNECT"},
+#endif
+#ifdef TCP_MAXSEG
+	{TCP_MAXSEG, "TCP_MAXSEG"},
 #endif
 	{0, NULL}
 };
@@ -193,6 +196,12 @@ void setopts(SOCKET s, int opts){
 	int i, opt, set;
 	for(i = 0; opts >= (opt = (1<<i)); i++){
 		set = 1;
+#ifdef TCP_MAXSEG
+		if(sockopts[i].opt == TCP_MAXSEG){
+		    if(!conf.maxseg) continue;
+		    set = conf.maxseg;
+		}
+#endif
 		if(opts & opt) setsockopt(s, *sockopts[i].optname == 'T'? IPPROTO_TCP:
 #ifdef SOL_IP
 			*sockopts[i].optname == 'I'? SOL_IP: 

src/structures.h

@@ -652,6 +652,7 @@ struct extparam {
 	int authcachetype, authcachetime;
 	int filtermaxsize;
 	int gracetraf, gracenum, gracedelay;
+	int maxseg;
 	unsigned char *logname, **archiver;
 	ROTATION logtype, countertype;
 	char * counterfile;