This allows people to chroot sslh into a path to further harden it.
We have to rework the user logic a bit because we need to look up
the user details *before* we chroot (as we need to read /etc/passwd
files), but do the actual priv dropping *after* we chroot (so we
have permission to make the actual chroot call).
Similarly, we need to open the syslog before we drop privs because
/dev/log won't be available inside the chroot.

Modified is_adb_protocol in patch.c to check if initial host->device
packet sends an empty message for reasons unknown. This was introduced
in ADB master in https://android-review.googlesource.com/c/342653.

When transparent mode is enabled and sslh is listening on the :: IPv6 address,
the source origin address is propagated to the target application regardless
of whether the connection is IPv4 or IPv6.

On Linux, by default, an IPv6 socket can also accept IPv4 connections. More
applications, including the OpenSSH server, do not accept IPv4 connections on
an IPv6 socket, and therefore such a transparent configuration does not work.
On BSD systems it is turned off by default for security reasons.

This patch disables IPv4 connections on IPv6 listening sockets. If somebody
needs to have sslh listening on both IPv4 and IPv6 addresses, it is still
possible by specifying multiple --listen arguments.

I think it is more misleading if the option --listen :::443 causes listening on
both IPv4 and IPv6 addresses even if an IPv4 address was not specified. This can
also cause security-related problems for people who do not know about this
fact, as the documentation does not mention this behavior.

as libpcre has to better binary support.
Note: linking only libpcre has no effect; the POSIX functions are
provided by libpcreposix.
Use "make USELIBPCRE=" to turn libpcre off and link the POSIX library.

6cc3382 introduced a potential buffer overflow. Ensure that hostname is
always null-terminated. (Issue #135)

Signed-off-by: Jonathan McCrohan <jmccrohan@gmail.com>

The existing TLS probe is documented to ignore SSL 2.0, citing RFC 6176 as a reason.
RFC 6176 does prohibit the usage of SSL 2.0, but does allow for ClientHello messages
in the version 2 CLIENT-HELLO format (as long as those are used to negotiate the use
of a higher protocol).

This commit extends the TLS probe by making it accept SSL v2 ClientHello messages
that negotiate a version of SSL/TLS 1.0 or higher (which is the same version range
as the original code).
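
The probe described in the commit message above, sketched as an added example (not sslh's code and not part of the commit): it classifies the first bytes of a connection as a TLS record, a version 2 CLIENT-HELLO that offers version 3.x, or neither. The names classify_hello and verdict, the sample bytes, and the reading of the accepted range as major version byte 0x03 are assumptions.

```c
/* Added example, not sslh code: names and the accepted range are assumptions. */
#include <stddef.h>

enum verdict { NOT_TLS, IS_TLS, NEED_MORE };

/* Constructed sample: v2 CLIENT-HELLO offering TLS 1.0 (first 11 bytes). */
static const unsigned char sample_v2_tls10[] = {
    0x80, 0x1c, 0x01, 0x03, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10
};

/* Read a big-endian 16-bit field. */
static size_t be16(const unsigned char *p) { return ((size_t)p[0] << 8) | p[1]; }

enum verdict classify_hello(const unsigned char *p, size_t len)
{
    if (len < 1)
        return NEED_MORE;

    /* TLS record layer: content type 0x16 (handshake), then major.minor. */
    if (p[0] == 0x16) {
        if (len < 3)
            return NEED_MORE;
        return p[1] == 0x03 ? IS_TLS : NOT_TLS;
    }

    /* Version 2 CLIENT-HELLO: high bit set on a 2-byte header that carries a
     * 15-bit body length, then msg_type 0x01, version, and three lengths. */
    if (p[0] & 0x80) {
        if (len >= 3 && p[2] != 0x01)
            return NOT_TLS;
        if (len < 11)
            return NEED_MORE;
        size_t body = be16(p) & 0x7fff;
        size_t ciphers = be16(p + 5), sid = be16(p + 7), chal = be16(p + 9);
        /* Cipher specs are 3 bytes each; the parts must add up to the body. */
        if (ciphers == 0 || ciphers % 3 != 0 || body != 9 + ciphers + sid + chal)
            return NOT_TLS;
        /* Offered version 0x0002 is SSL 2.0 itself; this sketch rejects it. */
        return p[3] == 0x03 ? IS_TLS : NOT_TLS;
    }
    return NOT_TLS;
}

int main(void)
{
    return classify_hello(sample_v2_tls10, sizeof sample_v2_tls10) == IS_TLS ? 0 : 1;
}
```

Checking that the three length fields add up to the header length keeps arbitrary binary traffic whose first byte has the high bit set from being classified as TLS.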

Previously, if some data was still deferred after the connect_queue
call, the server side of the connection would never start being
monitored for reads, while the client side kept being monitored
and new data from the client could be sent to the server before
the previously deferred data.