
freed some leaky memory

cecylia 8 vuotta sitten
vanhempi
commit
a7d24a5bb1
5 muutettua tiedostoa jossa 36 lisäystä ja 19 poistoa
  1. 6 5
      server/crypto.c
  2. 22 7
      server/flow.c
  3. 2 2
      server/relay.c
  4. 2 1
      server/slitheen-proxy.c
  5. 4 4
      server/slitheen.h

+ 6 - 5
server/crypto.c

@@ -397,6 +397,7 @@ int verify_finish_hash(flow *f, uint8_t *p, int32_t incoming){
 	//now compare
 	if(CRYPTO_memcmp(p, output, fin_length) != 0){
 	//	printf("VERIFY FAILED\n");
+		free(output);
 		return 1;
 	} else {
 		printf("VERIFY PASSED\n");
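Review bot: The new `free(output)` sits only on the mismatch return, so whether `output` is released on the `VERIFY PASSED` path and on any earlier error return depends on code outside this hunk; confirm that every exit frees it. A single cleanup label at the end of verify_finish_hash, reached by `goto` from each exit, would keep the buffer's lifetime in one place. The function starts and ends outside the hunk.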
@@ -635,13 +636,13 @@ err:
 	if(order){
 		BN_free(order);
 	}
-	if(e_pub_key != NULL && EC_KEY_get0_public_key(clnt_ecdh) == NULL){
-		EC_POINT_free(e_pub_key);
-	}
-
 	if(clnt_ecdh != NULL){
 		EC_KEY_free(clnt_ecdh);
 	}
+	if(e_pub_key != NULL){
+		EC_POINT_free(e_pub_key);
+	}
+
 
 ///???
 	if(priv_key != NULL){
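Review bot: Freeing `e_pub_key` unconditionally after `EC_KEY_free(clnt_ecdh)` is only safe if the point was allocated by this function and never borrowed from the key; the removed `EC_KEY_get0_public_key(clnt_ecdh) == NULL` test suggests the ownership was unclear. If any path assigns `e_pub_key` from a `get0` accessor, this is now a double free, so a comment at the declaration such as `/* owned here; EC_KEY_set_public_key() copies the point */` would pin the contract down. The NULL guards are also unnecessary, since `BN_free`, `EC_KEY_free` and `EC_POINT_free` accept NULL. The enclosing function starts and ends outside the hunk.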
@@ -890,7 +891,7 @@ int init_ciphers(flow *f){
 	r_ctx_srvr = EVP_CIPHER_CTX_new();
 	EVP_CIPHER_CTX_init(w_ctx_srvr);
 	EVP_CIPHER_CTX_init(r_ctx_srvr);
-
+	
 	/* Initialize MACs --- not needed for aes_256_gcm
 	write_mac = key_block + 2*key_len + 2*iv_len;
 	read_mac = key_block + 2*key_len + 2*iv_len + mac_len;

+ 22 - 7
server/flow.c

@@ -272,14 +272,17 @@ int update_flow(flow *f) {
 			break;
 		case CCS:
 			printf("CCS (%x:%d -> %x:%d) \n", f->src_ip.s_addr, f->src_port, f->dst_ip.s_addr, f->dst_port);
+			/*Initialize ciphers */
+			if ((!f->in_encrypted) && (!f->out_encrypted)){
+				init_ciphers(f);
+			}
+
 			if(incoming){
 				f->in_encrypted = 1;
 			} else {
 				f->out_encrypted = 1;
 			}
 			
-			/*Initialize ciphers */
-			init_ciphers(f);
 			break;
 		case ALERT:
 			p = record;
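Review bot: The return value of `init_ciphers(f)` is discarded, so a failed cipher setup still falls through to setting `in_encrypted`/`out_encrypted`, and later records are handed to contexts that may not be initialised. Check it before marking the direction encrypted, for example `if(init_ciphers(f)){ /* report and stop tracking this flow */ }`, assuming non-zero means failure as in verify_finish_hash. The new guard also means ciphers are initialised only once per flow; if a second ChangeCipherSpec pair can occur, the old keys would be kept, so confirm that case is handled elsewhere. update_flow continues outside the hunk.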
@@ -367,10 +370,14 @@ int remove_flow(flow *f) {
 	EVP_MD_CTX_destroy(f->finish_md_ctx);
 	//Clean up cipher ctxs
 	if(f->clnt_read_ctx != NULL){
-		EVP_CIPHER_CTX_free(f->clnt_read_ctx);
+		EVP_CIPHER_CTX_cleanup(f->clnt_read_ctx);
+		OPENSSL_free(f->clnt_read_ctx);
+		f->clnt_read_ctx = NULL;
 	}
 	if(f->clnt_write_ctx != NULL){
-		EVP_CIPHER_CTX_free(f->clnt_write_ctx);
+		EVP_CIPHER_CTX_cleanup(f->clnt_write_ctx);
+		OPENSSL_free(f->clnt_write_ctx);
+		f->clnt_write_ctx = NULL;
 	}
 	if(f->srvr_read_ctx != NULL){
 		EVP_CIPHER_CTX_free(f->srvr_read_ctx);
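Review bot: The client contexts are now torn down with `EVP_CIPHER_CTX_cleanup` plus `OPENSSL_free`, while `srvr_read_ctx` just below still uses `EVP_CIPHER_CTX_free`, and only the client pointers are reset to NULL. `EVP_CIPHER_CTX_free` already performs the cleanup and releases what `EVP_CIPHER_CTX_new` allocated, so the two-step form depends on how the library allocates the context and gains nothing. Use `EVP_CIPHER_CTX_free(f->clnt_read_ctx); f->clnt_read_ctx = NULL;` and the same pattern for every context in remove_flow. The hunk ends inside the server-context cleanup.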
@@ -383,6 +390,13 @@ int remove_flow(flow *f) {
 		EC_KEY_free(f->ecdh);
 	}
 
+	if(f->resume_session == 1){
+		if(f->current_session->session_ticket != NULL){
+			free(f->current_session->session_ticket);
+		}
+		free(f->current_session);
+	}
+
 	sem_wait(&flow_table_lock);
 	flow_entry *entry = table->first_entry;
 	if(entry->f == f){
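Review bot: `f->current_session->session_ticket` is read without checking `f->current_session`, so a flow with `resume_session == 1` and no session attached dereferences NULL here. Guard it with `if(f->resume_session == 1 && f->current_session != NULL){` and set `f->current_session = NULL;` after the free; the inner NULL test on `session_ticket` can go, since `free(NULL)` is a no-op. It is also worth confirming that a resumed session is never linked into the shared session cache, otherwise this free leaves a dangling entry there. remove_flow continues outside the hunk.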
@@ -559,8 +573,6 @@ int verify_session_id(flow *f, uint8_t *hs){
 		save_session_id(f, p);
 	}
 
-	//now check 
-
 	return 0;
 
 }
@@ -632,7 +644,6 @@ int check_session(flow *f, uint8_t *hs, uint32_t len){
 				new_session->session_ticket = calloc(1, ext_len);
 				memcpy(new_session->session_ticket, p, ext_len);
 				f->current_session = new_session;
-				
 			}
 		}
 		p += ext_len;
@@ -678,6 +689,10 @@ int save_session_id(flow *f, uint8_t *hs){
 	memcpy(new_session->session_id, p, new_session->session_id_len);
 	new_session->next = NULL;
 
+	if(f->current_session != NULL){
+		free(f->current_session);
+	}
+	f->resume_session = 0;
 	f->current_session = new_session;
 
 	if(sessions->first_session == NULL){
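Review bot: The added `free(f->current_session)` releases the struct but not its `session_ticket`, which check_session allocates with `calloc` before storing the session on the flow, so that buffer leaks whenever a ticket-based session is replaced here. More seriously, the lines that follow insert `new_session` into `sessions`; if `f->current_session` can be a session this function stored earlier, freeing it leaves the cache pointing at freed memory. Free only sessions the flow owns exclusively (the `resume_session == 1` case, judging by remove_flow) and release the ticket first: `if(f->resume_session == 1 && f->current_session != NULL){ free(f->current_session->session_ticket); free(f->current_session); }`. The function continues outside the hunk.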

+ 2 - 2
server/relay.c

@@ -18,8 +18,6 @@
 #include "flow.h"
 #include "crypto.h"
 
-#define DEBUG
-
 /** Called when a TLS application record is received for a
  *  tagged flow. Upstream packets will be checked for covert
  *  requests to censored sites, downstream packets will be
@@ -684,6 +682,7 @@ int process_downstream(flow *f, int32_t offset, struct packet_info *info){
 
 	uint8_t *p = info->app_data;
 	uint32_t remaining_packet_len = info->app_data_len;
+	printf("Application data length: %d at %p\n", info->app_data_len, info->app_data);
 
 
 	if(f->remaining_record_len > 0){
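Review bot: This `printf` runs for every downstream packet and writes a heap address (`%p`) to stdout, even though the same commit removes `#define DEBUG` from this file. The same applies to the `Decrypting %d bytes at %p` line later in process_downstream and the `Allocated %d bytes to %p` line in got_packet (server/slitheen-proxy.c). Wrap all three in `#ifdef DEBUG` / `#endif`, or drop them before merging. If they stay, cast the pointer to `(void *)` for `%p` and use `%u` if `app_data_len` is unsigned, as its assignment to a `uint32_t` on the line above suggests.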
@@ -814,6 +813,7 @@ int process_downstream(flow *f, int32_t offset, struct packet_info *info){
 
 
 		//now decrypt the record
+		printf("Decrypting %d bytes at %p\n", record_len, record_ptr);
 		int32_t n = encrypt(f, record_ptr, record_ptr, record_len, 1,
 						record_hdr->type, 0);
 		if(n < 0){

+ 2 - 1
server/slitheen-proxy.c

@@ -34,7 +34,7 @@ int main(int argc, char *argv[]){
 	dev2 = argv[2];
 
 	snprintf(filter1, 33, "ether src host %s", macaddr1);
-	snprintf(filter2, 33, "ether src host %s", macaddr2);
+	snprintf(filter2, 33, "ether dst host %s", macaddr2);
 
 	init_tables();
 	init_session_cache();
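Review bot: The size argument `33` is a magic number that exactly fits `ether dst host ` plus a 17-character MAC and the terminator, and the `snprintf` result is not checked, so any longer address or keyword is silently truncated into a different capture filter. If `filter2` is an array, `snprintf(filter2, sizeof filter2, ...)` with a check that the return value is below the buffer size would be safer. The switch from `src` to `dst` also changes which traffic is captured and is not mentioned in the commit message.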
@@ -120,6 +120,7 @@ void got_packet(uint8_t *args, const struct pcap_pkthdr *header, const uint8_t *
 
 	struct packet_info *info = calloc(1, sizeof(struct packet_info));
 	uint8_t *tmp_packet = calloc(1, header->len);
+	printf("Allocated %d bytes to %p\n", header->len, tmp_packet);
 	memcpy(tmp_packet, packet, header->len);
 	extract_packet_headers(tmp_packet, info);
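Review bot: `calloc` is sized and `memcpy` is bounded by `header->len`, the on-the-wire length, whereas libpcap only guarantees `header->caplen` bytes at `packet`; if the capture snaplen is ever smaller than a frame, the copy reads past the captured data. Use `header->caplen` for both the allocation and the copy, and check `info` and `tmp_packet` for NULL before the `memcpy`. got_packet continues outside the hunk.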
 

+ 4 - 4
server/slitheen.h

@@ -4,11 +4,11 @@
 #include <netinet/in.h>
 #include <pcap.h>
 
-#define macaddr1 "00:25:90:5a:26:99"
-#define macaddr2 "00:25:90:c9:5a:09"
+//#define macaddr1 "00:25:90:5a:26:99"
+//#define macaddr2 "00:25:90:c9:5a:09"
 
-//#define macaddr1 "08:00:27:0e:89:ea"
-//#define macaddr2 "08:00:27:0e:89:ea"
+#define macaddr1 "08:00:27:0e:89:ea"
+#define macaddr2 "08:00:27:0e:89:ea"
 
 /* Ethernet addresses are 6 bytes */
 #define ETHER_ADDR_LEN	6
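Review bot: The MAC addresses are compile-time constants switched by commenting lines in and out, and this commit flips them to a pair where `macaddr1` and `macaddr2` are identical. That looks like a local test setup (the `08:00:27` prefix is the VirtualBox OUI) rather than part of the memory fix. Consider taking both addresses from the command line or a config file so test values cannot ship by accident, or at least add a comment such as `/* test VM interfaces; production values above */`.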