moparisthebest
/
wireguard-proxy
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity
Browse Source

Added TLS --pinnedpubkey support

master
Travis Burtrum 3 years ago
parent
9d37f3d929
commit
1e7fa84a42
9 changed files with 115 additions and 55 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      README.md
  2. 4
      appveyor.yml
  3. 8
      ci/script.sh
  4. 89
      src/bin/udp-test.rs
  5. 14
      src/bin/wireguard-proxy.rs
  6. 4
      src/lib.rs
  7. 2
      src/notls.rs
  8. 31
      src/openssl.rs
  9. 10
      test.sh

8
README.md
Unescape View File

@ -19,7 +19,13 @@ usage: wireguard-proxy [options...] @@ -19,7 +19,13 @@ usage: wireguard-proxy [options...]
-uh, --udp-host <ip:port> UDP host to listen on, point wireguard
client here, default: 127.0.0.1:51820
--tls use TLS when connecting to tcp-target
WARNING: currently verifies nothing!
WARNING: authenticates/verifies nothing
without --pinnedpubkey below!!
--pinnedpubkey <sha256_hashes> Public key to verify peer against,
format is any number of base64 encoded
sha256 hashes preceded by "sha256//"
and separated by ";". Identical to curl's
--pinnedpubkey and CURLOPT_PINNEDPUBLICKEY
--tls-hostname send this in SNI instead of host
from --tcp-target, useful for avoiding
DNS lookup on connect

4
appveyor.yml
Unescape View File

@ -54,8 +54,10 @@ test_script: @@ -54,8 +54,10 @@ test_script:
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test &&
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is
)
# todo: should run --pinnedpubkey test here where we expect failure, but unsure how to do that with windows, help?
- if [%CARGO_FEATURES%]==[openssl_vendored] (
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem &&
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4dE=
)
before_deploy:

8
ci/script.sh
Unescape View File

@ -19,6 +19,14 @@ main() { @@ -19,6 +19,14 @@ main() {
if [ $CARGO_FEATURES != "default" ]; then
# run TLS tests then too
cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem
# now pubkey tests
# one that should fail (wrong pinnedpubkey lowercase e at end instead of uppercase E)
cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4de= && exit 1 || true
# and one that should pass
cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4dE=
fi
}

89
src/bin/udp-test.rs
Unescape View File

@ -75,6 +75,7 @@ fn main() { @@ -75,6 +75,7 @@ fn main() {
let tls_key = args.get_option(&["-tk", "--tls-key"]);
let tls_cert = args.get_option(&["-tc", "--tls-cert"]);
let pinnedpubkey = args.get_option(&["--pinnedpubkey"]);
let tls = if tls_key.is_some() && tls_cert.is_some() {
true
@ -98,10 +99,15 @@ fn main() { @@ -98,10 +99,15 @@ fn main() {
before terminating, default: {}
TLS option for self tests only, otherwise self tests are plaintext only:
-tk, --tls-key <ip:port> TLS key to listen with,
requires --tls-cert also
-tc, --tls-cert <ip:port> TLS cert to listen with,
requires --tls-key also
-tk, --tls-key <ip:port> TLS key to listen with,
requires --tls-cert also
-tc, --tls-cert <ip:port> TLS cert to listen with,
requires --tls-key also
--pinnedpubkey <sha256_hashes> Public key to verify peer against,
format is any number of base64 encoded
sha256 hashes preceded by "sha256//"
and separated by ";". Identical to curl's
--pinnedpubkey and CURLOPT_PINNEDPUBLICKEY
"#, default_udp_host_target, default_udp_host_target, default_socket_timeout);
return;
} else if args.flag("-s") || args.flag("--self-test") {
@ -113,50 +119,37 @@ fn main() { @@ -113,50 +119,37 @@ fn main() {
let udp_test = args.get_str_idx(0, "udp-test");
let proxy = udp_test.clone().replace("udp-test", "wireguard-proxy");
let mut proxyd = if tls {
let mut proxyd_args = vec!["-th", tcp_host, "-ut", host];
if tls {
let tls_key = tls_key.unwrap();
let tls_cert = tls_cert.unwrap();
println!("executing: {} -th '{}' -ut '{}' -tk '{}' -tc '{}'", proxy, tcp_host, host, tls_key, tls_cert);
Command::new(proxy.clone())
.arg("-th")
.arg(tcp_host)
.arg("-ut")
.arg(host)
.arg("-tk")
.arg(tls_key)
.arg("-tc")
.arg(tls_cert)
.spawn()
.expect("wireguard-proxy TLS server failed to launch")
} else {
println!("executing: {} -th '{}' -ut '{}'", proxy, tcp_host, host);
Command::new(proxy.clone())
.arg("-th")
.arg(tcp_host)
.arg("-ut")
.arg(host)
proxyd_args.extend(["-tk", tls_key, "-tc", tls_cert].iter().cloned());
}
println!("executing: {} {}", proxy, proxyd_args.join(" "));
let mut proxyd = Command::new(proxy.clone())
.args(&proxyd_args)
.spawn()
.expect("wireguard-proxy server failed to launch")
};
.expect("wireguard-proxy server failed to launch");
println!("waiting: {:?} for wireguard-proxy server to come up.....", sleep);
thread::sleep(sleep);
let mut proxy = if tls {
println!("executing: {} -tt {} --tls", proxy, tcp_host);
Command::new(proxy)
.arg("-tt")
.arg(tcp_host)
.arg("--tls")
.spawn()
.expect("wireguard-proxy TLS client failed to launch")
} else {
println!("executing: {} -tt {}", proxy, tcp_host);
Command::new(proxy)
.arg("-tt")
.arg(tcp_host)
let mut proxy_args = vec!["-tt", tcp_host];
if tls {
proxy_args.push("--tls");
if pinnedpubkey.is_some() {
proxy_args.push("--pinnedpubkey");
proxy_args.push(pinnedpubkey.unwrap());
}
}
println!("executing: {} {}", proxy, proxy_args.join(" "));
let mut proxy = Command::new(proxy)
.args(proxy_args)
.spawn()
.expect("wireguard-proxy client failed to launch")
};
.expect("wireguard-proxy TLS client failed to launch");
println!("waiting: {:?} for wireguard-proxy client to come up.....", sleep);
thread::sleep(sleep);
@ -226,9 +219,17 @@ fn main() { @@ -226,9 +219,17 @@ fn main() {
);
if tls {
println!("executing: wireguard-proxy -tt {} --tls", tcp_host);
let hostname = tcp_host.split(":").next().expect("cannot extract hostname from tcp_host");
thread::spawn(move || proxy_client.start_tls(hostname).expect("error running proxy_client"));
let hostname = tcp_host.split(":").next();
match pinnedpubkey {
Some(pinnedpubkey) =>
println!("executing: wireguard-proxy -tt {} --tls --pinnedpubkey {}", tcp_host, pinnedpubkey),
None =>
println!("executing: wireguard-proxy -tt {} --tls", tcp_host),
}
// this is a little funky, is this the only way to do it?
let pinnedpubkey = pinnedpubkey.map(&str::to_owned);
// can use pinnedpubkey.as_deref() below when it's stabilized
thread::spawn(move || proxy_client.start_tls(hostname, pinnedpubkey.as_ref().map(String::as_str)).expect("error running proxy_client"));
} else {
println!("executing: wireguard-proxy -tt {}", tcp_host);
thread::spawn(move || proxy_client.start().expect("error running proxy_client"));

14
src/bin/wireguard-proxy.rs
Unescape View File

@ -24,7 +24,13 @@ fn main() { @@ -24,7 +24,13 @@ fn main() {
-uh, --udp-host <ip:port> UDP host to listen on, point wireguard
client here, default: {}
--tls use TLS when connecting to tcp-target
WARNING: currently verifies nothing!
WARNING: authenticates/verifies nothing
without --pinnedpubkey below!!
--pinnedpubkey <sha256_hashes> Public key to verify peer against,
format is any number of base64 encoded
sha256 hashes preceded by "sha256//"
and separated by ";". Identical to curl's
--pinnedpubkey and CURLOPT_PINNEDPUBLICKEY
--tls-hostname send this in SNI instead of host
from --tcp-target, useful for avoiding
DNS lookup on connect
@ -79,9 +85,9 @@ fn client(tcp_target: &str, socket_timeout: u64, args: Args) { @@ -79,9 +85,9 @@ fn client(tcp_target: &str, socket_timeout: u64, args: Args) {
);
if tls {
let hostname = args.get_option(&["--tls-hostname"]).or_else(|| tcp_target.split(":").next())
.expect("--tls-hostname not set and cannot extract hostname from --tcp-target");
proxy_client.start_tls(hostname).expect("error running tls proxy_client");
let hostname = args.get_option(&["--tls-hostname"]).or_else(|| tcp_target.split(":").next());
let pinnedpubkey = args.get_option(&["--pinnedpubkey"]);
proxy_client.start_tls(hostname, pinnedpubkey).expect("error running tls proxy_client");
} else {
proxy_client.start().expect("error running proxy_client");
}

4
src/lib.rs
Unescape View File

@ -188,10 +188,10 @@ impl ProxyClient { @@ -188,10 +188,10 @@ impl ProxyClient {
TcpUdpPipe::new(tcp_stream, udp_socket).shuffle_after_first_udp()
}
pub fn start_tls(&self, hostname: &str) -> Result<usize> {
pub fn start_tls(&self, hostname: Option<&str>, pinnedpubkey: Option<&str>) -> Result<usize> {
let tcp_stream = self.tcp_connect()?;
let tcp_stream = TlsStream::client(hostname, tcp_stream)?;
let tcp_stream = TlsStream::client(hostname, pinnedpubkey, tcp_stream)?;
let udp_socket = self.udp_connect()?;

2
src/notls.rs
Unescape View File

@ -10,7 +10,7 @@ fn err() -> Error { @@ -10,7 +10,7 @@ fn err() -> Error {
pub struct TlsStream;
impl TlsStream {
pub fn client(_host_name: &str, _tcp_stream: TcpStream) -> Result<TlsStream> {
pub fn client(_hostname: Option<&str>, _pinnedpubkey: Option<&str>, _tcp_stream: TcpStream) -> Result<TlsStream> {
Err(err())
}
}

31
src/openssl.rs
Unescape View File

@ -25,11 +25,38 @@ impl TlsStream { @@ -25,11 +25,38 @@ impl TlsStream {
sess: Arc::new(UnsafeCell::new(stream))
}
}
pub fn client(host_name: &str, tcp_stream: TcpStream) -> Result<TlsStream> {
pub fn client(hostname: Option<&str>, pinnedpubkey: Option<&str>, tcp_stream: TcpStream) -> Result<TlsStream> {
let mut connector = SslConnector::builder(SslMethod::tls())?.build().configure()?;
connector.set_use_server_name_indication(hostname.is_some());
connector.set_verify_hostname(false);
connector.set_verify(SslVerifyMode::NONE);
let tcp_stream = connector.connect(host_name, tcp_stream)?;
if pinnedpubkey.is_some() {
let pinnedpubkey = pinnedpubkey.unwrap().to_owned();
connector.set_verify_callback(SslVerifyMode::PEER, move|_preverify_ok, x509_store_ctx| {
//println!("preverify_ok: {}", preverify_ok);
let cert = x509_store_ctx.current_cert().expect("could not get TLS cert");
let pubkey = cert.public_key().expect("could not get public key from TLS cert");
let pubkey = pubkey.public_key_to_der().expect("could not get TLS public key bytes");
//println!("pubkey.len(): {}", pubkey.len());
let mut sha256 = openssl::sha::Sha256::new();
sha256.update(&pubkey);
let pubkey = sha256.finish();
let pubkey = ["sha256//", &openssl::base64::encode_block(&pubkey)].join("");
println!("pubkey from cert: {}", pubkey);
for key in pinnedpubkey.split(";") {
if key == pubkey {
println!("SUCCESS: pubkey match found!",);
return true;
}
}
println!("ERROR: pubkey match not found!");
false
});
}
let tcp_stream = connector.connect(hostname.unwrap_or(""), tcp_stream)?;
Ok(TlsStream::new(tcp_stream))
}
}

10
test.sh
Unescape View File

@ -60,4 +60,14 @@ run_tests || exit 1 @@ -60,4 +60,14 @@ run_tests || exit 1
# then TLS tests
run_tests --tls --tls-key ci/cert.key --tls-cert ci/cert.pem || exit 1
# now pubkey tests
# these should fail
udp-test -s --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4de= && exit 1
udp-test -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4de= && exit 1
# these should pass
udp-test -s --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4dE= || exit 1
udp-test -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4dE= || exit 1
exit 0

Write Preview
Loading…
Cancel
Save