1 files changed, 183 insertions, 0 deletions

diff --git a/src/cachefkcrt.cc b/src/cachefkcrt.cc
new file mode 100644
index 0000000..e6cd216
--- /dev/null
+++ b/src/cachefkcrt.cc
@@ -0,0 +1,183 @@
+/*-
+ * SSLsplit - transparent SSL/TLS interception
+ * https://www.roe.ch/SSLsplit
+ *
+ * Copyright (c) 2009-2018, Daniel Roethlisberger <[email protected]>.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "cachefkcrt.h"
+
+#include "ssl.h"
+#include "khash.h"
+
+/*
+ * Cache for generated fake certificates.
+ *
+ * key: char[SSL_X509_FPRSZ]  fingerprint of original server cert
+ * val: X509 *                generated fake certificate
+ */
+
+static inline khint_t
+kh_x509fpr_hash_func(void *b)
+{
+	khint_t *p = (khint_t*)(((char*)b) + SSL_X509_FPRSZ);
+	khint_t h = 0;
+
+	/* assumes fpr is uniformly distributed */
+	while (--p >= (khint_t*)b)
+		h ^= *p;
+	return h;
+}
+
+#define kh_x509fpr_hash_equal(a, b) \
+        (memcmp((char*)(a), (char*)(b), SSL_X509_FPRSZ) == 0)
+
+KHASH_INIT(sha1map_t, void*, void*, 1, kh_x509fpr_hash_func,
+           kh_x509fpr_hash_equal)
+
+static khash_t(sha1map_t) *certmap;
+
+static cache_iter_t
+cachefkcrt_begin_cb(void)
+{
+	return kh_begin(certmap);
+}
+
+static cache_iter_t
+cachefkcrt_end_cb(void)
+{
+	return kh_end(certmap);
+}
+
+static int
+cachefkcrt_exist_cb(cache_iter_t it)
+{
+	return kh_exist(certmap, it);
+}
+
+static void
+cachefkcrt_del_cb(cache_iter_t it)
+{
+	kh_del(sha1map_t, certmap, it);
+}
+
+static cache_iter_t
+cachefkcrt_get_cb(cache_key_t key)
+{
+	return kh_get(sha1map_t, certmap, key);
+}
+
+static cache_iter_t
+cachefkcrt_put_cb(cache_key_t key, int *ret)
+{
+	return kh_put(sha1map_t, certmap, key, ret);
+}
+
+static void
+cachefkcrt_free_key_cb(cache_key_t key)
+{
+	free(key);
+}
+
+static void
+cachefkcrt_free_val_cb(cache_val_t val)
+{
+	X509_free((x509_st *)val);
+}
+
+static cache_key_t
+cachefkcrt_get_key_cb(cache_iter_t it)
+{
+	return kh_key(certmap, it);
+}
+
+static cache_val_t
+cachefkcrt_get_val_cb(cache_iter_t it)
+{
+	return kh_val(certmap, it);
+}
+
+static void
+cachefkcrt_set_val_cb(cache_iter_t it, cache_val_t val)
+{
+	kh_val(certmap, it) = val;
+}
+
+static cache_val_t
+cachefkcrt_unpackverify_val_cb(cache_val_t val, int copy)
+{
+	if (!ssl_x509_is_valid((x509_st *)val))
+		return NULL;
+	if (copy) {
+		ssl_x509_refcount_inc((X509 *)val);
+		return val;
+	}
+	return ((void*)-1);
+}
+
+static void
+cachefkcrt_fini_cb(void)
+{
+	kh_destroy(sha1map_t, certmap);
+}
+
+void
+cachefkcrt_init_cb(cache_t *cache)
+{
+	certmap = kh_init(sha1map_t);
+
+	cache->begin_cb                 = cachefkcrt_begin_cb;
+	cache->end_cb                   = cachefkcrt_end_cb;
+	cache->exist_cb                 = cachefkcrt_exist_cb;
+	cache->del_cb                   = cachefkcrt_del_cb;
+	cache->get_cb                   = cachefkcrt_get_cb;
+	cache->put_cb                   = cachefkcrt_put_cb;
+	cache->free_key_cb              = cachefkcrt_free_key_cb;
+	cache->free_val_cb              = cachefkcrt_free_val_cb;
+	cache->get_key_cb               = cachefkcrt_get_key_cb;
+	cache->get_val_cb               = cachefkcrt_get_val_cb;
+	cache->set_val_cb               = cachefkcrt_set_val_cb;
+	cache->unpackverify_val_cb      = cachefkcrt_unpackverify_val_cb;
+	cache->fini_cb                  = cachefkcrt_fini_cb;
+}
+
+cache_key_t
+cachefkcrt_mkkey(X509 *keycrt)
+{
+	unsigned char *fpr;
+
+	if (!(fpr = (unsigned char *)malloc(SSL_X509_FPRSZ)))
+		return NULL;
+	ssl_x509_fingerprint_sha1(keycrt, fpr);
+	return fpr;
+}
+
+cache_val_t
+cachefkcrt_mkval(X509 *valcrt)
+{
+	ssl_x509_refcount_inc(valcrt);
+	return valcrt;
+}
+
+/* vim: set noet ft=c: */