Compare commits
18 Commits
af316c3d61
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
 neru
|
df146989df | ||
|
neru
|
699dc354c8 | ||
|
neru
|
efca4fd3fd | ||
|
neru
|
4d54533f9a | ||
|
neru
|
558f964ce2 | ||
|
neru
|
409c41e196 | ||
|
neru
|
55202646ca | ||
|
neru
|
a9c1a30218 | ||
|
neru
|
6602a25188 | ||
|
neru
|
cd1146d0d8 | ||
|
neru
|
dad8cb55d7 | ||
|
neru
|
6ad87ecc18 | ||
|
neru
|
e0e0eb5f12 | ||
|
neru
|
c0adefeda1 | ||
|
neru
|
b7a0d494fb | ||
|
neru
|
f5442a8fc4 | ||
|
neru
|
97fb406c32 | ||
|
neru
|
f585fa48ad |
+14
-5
@@ -17,10 +17,6 @@ if (TINYMITM_TEST)
|
||||
set(TINYMITM_LOGS ON CACHE BOOL "" FORCE)
|
||||
endif()
|
||||
|
||||
if (TINYMITM_LOGS)
|
||||
add_compile_definitions(TINYMITM_LOGS)
|
||||
endif()
|
||||
|
||||
# ---------------------
|
||||
# external dependencies
|
||||
# ---------------------
|
||||
@@ -38,7 +34,7 @@ FetchContent_Declare(
|
||||
|
||||
# seallib config
|
||||
set(SEALLIB_EVENTS ON CACHE BOOL "" FORCE)
|
||||
if (TINYMITM_LOGS)
|
||||
if (TINYMITM_LOGS OR $CACHE{TINYMITM_LOGS})
|
||||
set(SEALLIB_LOG ON CACHE BOOL "" FORCE)
|
||||
endif()
|
||||
FetchContent_GetProperties(seallib)
|
||||
@@ -47,6 +43,9 @@ FetchContent_MakeAvailable(seallib)
|
||||
# wolfssl config
|
||||
set(WOLFSSL_ALPN ON CACHE BOOL "" FORCE)
|
||||
set(WOLFSSL_CERTGEN ON CACHE BOOL "" FORCE)
|
||||
set(WOLFSSL_CERTEXT ON CACHE BOOL "" FORCE)
|
||||
set(WOLFSSL_KEYGEN ON CACHE BOOL "" FORCE)
|
||||
set(WOLFSSL_SNI ON CACHE BOOL "" FORCE)
|
||||
set(WOLFSSL_EXAMPLES OFF CACHE BOOL "" FORCE)
|
||||
set(WOLFSSL_CRYPT_TESTS OFF CACHE BOOL "" FORCE)
|
||||
set(BUILD_SHARED_LIBS OFF CACHE BOOL "" FORCE)
|
||||
@@ -56,6 +55,8 @@ FetchContent_MakeAvailable(wolfssl)
|
||||
target_compile_definitions(wolfssl PUBLIC
|
||||
-DWOLFSSL_ALT_NAMES
|
||||
-DWOLFSSL_ALPN
|
||||
-DWOLFSSL_HAVE_MIN
|
||||
-DWOLFSSL_HAVE_MAX
|
||||
)
|
||||
|
||||
# ---------------------
|
||||
@@ -79,6 +80,14 @@ target_link_libraries(tinymitm PRIVATE tinymitm-warnings)
|
||||
target_link_libraries(tinymitm PUBLIC seallib wolfssl)
|
||||
set_target_properties(tinymitm PROPERTIES CXX_EXTENSIONS OFF)
|
||||
|
||||
if (TINYMITM_LOGS OR $CACHE{TINYMITM_LOGS})
|
||||
target_compile_definitions(tinymitm PUBLIC TINYMITM_LOGS)
|
||||
endif()
|
||||
|
||||
if (WIN32)
|
||||
target_link_libraries(tinymitm PRIVATE crypt32)
|
||||
endif()
|
||||
|
||||
# ------------------------------
|
||||
# test
|
||||
# ------------------------------
|
||||
|
||||
@@ -6,7 +6,10 @@
|
||||
|
||||
#if defined(_WIN64) || defined(_WIN32)
|
||||
#define FD_SETSIZE 1024
|
||||
|
||||
#ifndef NOMINMAX
|
||||
#define NOMINMAX
|
||||
#endif
|
||||
|
||||
#include <winsock2.h>
|
||||
#include <ws2tcpip.h>
|
||||
@@ -14,7 +17,6 @@
|
||||
#define CLOSE_SOCKET closesocket
|
||||
#define SHUT_RDWR SD_BOTH
|
||||
#endif
|
||||
|
||||
#include <wolfssl/options.h>
|
||||
#include <wolfssl/ssl.h>
|
||||
#include "ssl.h"
|
||||
@@ -24,7 +26,7 @@
|
||||
#ifdef TINYMITM_LOGS
|
||||
#define TINYMITM_WRITELOG(type, ...) _log->type(__VA_ARGS__)
|
||||
#else
|
||||
#define TINYMITM_WRITELOG()
|
||||
#define TINYMITM_WRITELOG(...)
|
||||
#endif
|
||||
|
||||
/*
|
||||
@@ -194,7 +196,7 @@ bool TinyMITMProxy::init()
|
||||
return false;
|
||||
}
|
||||
TINYMITM_WRITELOG(verbose, "wolfssl context creation");
|
||||
_clientCtx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
|
||||
_clientCtx = wolfSSL_CTX_new(wolfTLS_client_method());
|
||||
if (!_clientCtx)
|
||||
{
|
||||
TINYMITM_WRITELOG(error, "failed to create wolfssl context");
|
||||
@@ -435,6 +437,12 @@ void TinyMITMProxy::handleClient(SOCKET clientSocket)
|
||||
wolfSSL_set_fd(clientSSL.get(), (int)clientGuard);
|
||||
wolfSSL_set_fd(remoteSSL.get(), (int)remoteGuard);
|
||||
|
||||
char alpnList[] = "http/1.1";
|
||||
wolfSSL_UseALPN(remoteSSL.get(), alpnList, static_cast<word32>(strlen(alpnList)),
|
||||
WOLFSSL_ALPN_CONTINUE_ON_MISMATCH);
|
||||
wolfSSL_UseALPN(clientSSL.get(), alpnList, static_cast<word32>(strlen(alpnList)),
|
||||
WOLFSSL_ALPN_CONTINUE_ON_MISMATCH);
|
||||
|
||||
wolfSSL_UseSNI(remoteSSL.get(), WOLFSSL_SNI_HOST_NAME, host.c_str(), (unsigned short)host.size());
|
||||
|
||||
setNonBlocking(clientGuard, true);
|
||||
@@ -457,10 +465,10 @@ void TinyMITMProxy::handleClient(SOCKET clientSocket)
|
||||
if (isConnect) return wolfSSL_read(ssl, b, sz);
|
||||
return ::recv(s, b, sz, 0);
|
||||
};
|
||||
auto sslWrite = [&](WOLFSSL* ssl, SOCKET s, const char* b, int sz) -> int {
|
||||
if (isConnect) return wolfSSL_write(ssl, b, sz);
|
||||
return ::send(s, b, sz, 0);
|
||||
};
|
||||
// auto sslWrite = [&](WOLFSSL* ssl, SOCKET s, const char* b, int sz) -> int {
|
||||
// if (isConnect) return wolfSSL_write(ssl, b, sz);
|
||||
// return ::send(s, b, sz, 0);
|
||||
// };
|
||||
auto sslPending = [&](WOLFSSL* ssl) -> int {
|
||||
if (isConnect) return wolfSSL_pending(ssl);
|
||||
return 0;
|
||||
|
||||
@@ -6,6 +6,8 @@
|
||||
#include <seallib/log.h>
|
||||
#endif
|
||||
|
||||
#include <condition_variable>
|
||||
#include <mutex>
|
||||
#include <thread>
|
||||
#include <atomic>
|
||||
#include <queue>
|
||||
|
||||
+55
-23
@@ -13,13 +13,12 @@
|
||||
#ifdef _WIN32
|
||||
#include <windows.h>
|
||||
#include <wincrypt.h>
|
||||
#pragma comment(lib, "crypt32.lib")
|
||||
#endif
|
||||
|
||||
/*
|
||||
CertificateManager implementation
|
||||
*/
|
||||
CertificateManager::CertificateManager() : _rng(new WC_RNG()), _caKey(nullptr), _sessionKey(nullptr) {}
|
||||
CertificateManager::CertificateManager() : _caKey(nullptr), _sessionKey(nullptr), _rng(new WC_RNG()) {}
|
||||
|
||||
CertificateManager::~CertificateManager()
|
||||
{
|
||||
@@ -62,10 +61,17 @@ WOLFSSL_CTX* CertificateManager::createHostContext(const std::string& host)
|
||||
memset(cert.get(), 0, sizeof(Cert));
|
||||
wc_InitCert(cert.get());
|
||||
|
||||
cert->isCA = 0;
|
||||
cert->basicConstSet = 1;
|
||||
cert->basicConstCrit = 0;
|
||||
|
||||
cert->version = 2;
|
||||
cert->sigType = CTC_SHA256wRSA;
|
||||
cert->daysValid = 365;
|
||||
|
||||
cert->keyUsage = KEYUSE_DIGITAL_SIG | KEYUSE_KEY_ENCIPHER;
|
||||
cert->extKeyUsage = EXTKEYUSE_SERVER_AUTH;
|
||||
|
||||
strncpy_s(cert->subject.commonName, sizeof(cert->subject.commonName), hostTrimmed.c_str(), _TRUNCATE);
|
||||
wc_SetIssuerBuffer(cert.get(), _caCertDer.data(), (int)_caCertDer.size());
|
||||
|
||||
@@ -77,42 +83,58 @@ WOLFSSL_CTX* CertificateManager::createHostContext(const std::string& host)
|
||||
cert->serial[2] = (hash >> 8) & 0xFF;
|
||||
cert->serial[3] = hash & 0xFF;
|
||||
|
||||
// SAN
|
||||
std::vector<unsigned char> sanDer;
|
||||
sanDer.push_back(0x30);
|
||||
sanDer.push_back(static_cast<unsigned char>(hostTrimmed.length() + 2));
|
||||
sanDer.push_back(0x82);
|
||||
sanDer.push_back(static_cast<unsigned char>(hostTrimmed.length()));
|
||||
sanDer.insert(sanDer.end(), hostTrimmed.begin(), hostTrimmed.end());
|
||||
/*
|
||||
SAN
|
||||
*/
|
||||
memset(cert->altNames, 0, CTC_MAX_ALT_SIZE);
|
||||
|
||||
memcpy(cert->altNames, sanDer.data(), sanDer.size());
|
||||
cert->altNamesSz = static_cast<word16>(sanDer.size());
|
||||
// sequence
|
||||
cert->altNames[0] = 0x30;
|
||||
cert->altNames[1] = static_cast<byte>(hostTrimmed.length() + 2);
|
||||
|
||||
//dNSName tag & len
|
||||
cert->altNames[2] = 0x82;
|
||||
cert->altNames[3] = static_cast<byte>(hostTrimmed.length());
|
||||
|
||||
// actual data
|
||||
memcpy(&cert->altNames[4], hostTrimmed.c_str(), hostTrimmed.length());
|
||||
|
||||
// sz: seq hdr (2) + dNSName hdr (2) + hostName
|
||||
cert->altNamesSz = 4 + static_cast<int>(hostTrimmed.length());
|
||||
cert->altNamesCrit = 0;
|
||||
|
||||
wc_SetSubjectKeyIdFromPublicKey(cert.get(), _sessionKey.get(), nullptr);
|
||||
wc_SetAuthKeyIdFromCert(cert.get(), _caCertDer.data(), static_cast<int>(_caCertDer.size()));
|
||||
|
||||
/*
|
||||
cert sign
|
||||
*/
|
||||
std::vector<unsigned char> hostCertDer(4096);
|
||||
int certLen =
|
||||
wc_MakeCert(cert.get(), hostCertDer.data(), static_cast<word32>(hostCertDer.size()), _sessionKey.get(), nullptr, _rng.get());
|
||||
std::vector<unsigned char> hostCertDer(8192);
|
||||
int certLen = wc_MakeCert(cert.get(), hostCertDer.data(), static_cast<word32>(hostCertDer.size()),
|
||||
_sessionKey.get(), nullptr, _rng.get());
|
||||
if (certLen < 0) return nullptr;
|
||||
|
||||
certLen = wc_SignCert(cert->bodySz, cert->sigType, hostCertDer.data(), static_cast<word32>(hostCertDer.size()), _caKey.get(),
|
||||
nullptr, _rng.get());
|
||||
hostCertDer.resize(certLen);
|
||||
int signedLen = wc_SignCert(cert->bodySz, cert->sigType, hostCertDer.data(),
|
||||
static_cast<word32>(hostCertDer.size()), _caKey.get(), nullptr, _rng.get());
|
||||
if (signedLen < 0) return nullptr;
|
||||
hostCertDer.resize(signedLen);
|
||||
|
||||
/*
|
||||
context setup
|
||||
*/
|
||||
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method());
|
||||
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfTLS_server_method());
|
||||
if (!ctx) return nullptr;
|
||||
if (wolfSSL_CTX_use_certificate_buffer(ctx, hostCertDer.data(), static_cast<long>(hostCertDer.size()), WOLFSSL_FILETYPE_ASN1) !=
|
||||
WOLFSSL_SUCCESS ||
|
||||
if (wolfSSL_CTX_use_certificate_buffer(ctx, hostCertDer.data(), static_cast<long>(hostCertDer.size()),
|
||||
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS ||
|
||||
wolfSSL_CTX_use_PrivateKey_buffer(ctx, _sessionKeyDer.data(), static_cast<long>(_sessionKeyDer.size()),
|
||||
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS)
|
||||
{
|
||||
wolfSSL_CTX_free(ctx);
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
_hostContexts[host] = ctx;
|
||||
|
||||
return ctx;
|
||||
}
|
||||
|
||||
@@ -125,7 +147,7 @@ bool CertificateManager::installCertificate()
|
||||
(DWORD)_caCertDer.size());
|
||||
|
||||
if (!certCtx) return false;
|
||||
HCERTSTORE rootStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, L"Root");
|
||||
HCERTSTORE rootStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER, L"Root");
|
||||
bool success = false;
|
||||
if (rootStore)
|
||||
{
|
||||
@@ -172,10 +194,17 @@ bool CertificateManager::generateAndSaveCA(const char* caName, int days, const s
|
||||
cert->sigType = CTC_SHA256wRSA;
|
||||
cert->daysValid = days;
|
||||
cert->keyUsage = KEYUSE_KEY_CERT_SIGN | KEYUSE_CRL_SIGN;
|
||||
cert->pathLenSet = 0;
|
||||
cert->pathLen = 0;
|
||||
|
||||
cert->serialSz = 1;
|
||||
cert->serial[0] = 1;
|
||||
|
||||
cert->selfSigned = 1;
|
||||
|
||||
wc_SetSubjectKeyIdFromPublicKey(cert.get(), _caKey.get(), 0);
|
||||
wc_SetAuthKeyIdFromPublicKey(cert.get(), _caKey.get(), 0);
|
||||
|
||||
/*
|
||||
CA sign
|
||||
*/
|
||||
@@ -239,7 +268,8 @@ bool CertificateManager::loadCA(const char* certPath, const char* keyPath)
|
||||
std::vector<unsigned char> keyDer;
|
||||
DerBuffer* derBuff = nullptr;
|
||||
|
||||
int ret = wc_PemToDer(certPem.data(), static_cast<long>(certPem.size()), CERT_TYPE, &derBuff, nullptr, nullptr, nullptr);
|
||||
int ret =
|
||||
wc_PemToDer(certPem.data(), static_cast<long>(certPem.size()), CERT_TYPE, &derBuff, nullptr, nullptr, nullptr);
|
||||
if (ret == 0 && derBuff)
|
||||
{
|
||||
certDer.assign(derBuff->buffer, derBuff->buffer + derBuff->length);
|
||||
@@ -249,7 +279,8 @@ bool CertificateManager::loadCA(const char* certPath, const char* keyPath)
|
||||
return false;
|
||||
|
||||
derBuff = nullptr;
|
||||
ret = wc_PemToDer(keyPem.data(), static_cast<long>(keyPem.size()), PRIVATEKEY_TYPE, &derBuff, nullptr, nullptr, nullptr);
|
||||
ret = wc_PemToDer(keyPem.data(), static_cast<long>(keyPem.size()), PRIVATEKEY_TYPE, &derBuff, nullptr, nullptr,
|
||||
nullptr);
|
||||
if (ret == 0 && derBuff)
|
||||
{
|
||||
keyDer.assign(derBuff->buffer, derBuff->buffer + derBuff->length);
|
||||
@@ -260,6 +291,7 @@ bool CertificateManager::loadCA(const char* certPath, const char* keyPath)
|
||||
|
||||
return decodeCA(certDer, keyDer);
|
||||
}
|
||||
|
||||
bool CertificateManager::decodeCA(const std::vector<unsigned char>& certDer, const std::vector<unsigned char>& keyDer)
|
||||
{
|
||||
if (certDer.empty() || keyDer.empty()) return false;
|
||||
|
||||
Reference in New Issue
Block a user