Added TLS --pinnedpubkey support

This commit is contained in:
Travis Burtrum 2019-12-17 01:11:19 -05:00
parent 9d37f3d929
commit 1e7fa84a42
9 changed files with 115 additions and 55 deletions

View File

@ -19,7 +19,13 @@ usage: wireguard-proxy [options...]
-uh, --udp-host <ip:port> UDP host to listen on, point wireguard -uh, --udp-host <ip:port> UDP host to listen on, point wireguard
client here, default: 127.0.0.1:51820 client here, default: 127.0.0.1:51820
--tls use TLS when connecting to tcp-target --tls use TLS when connecting to tcp-target
WARNING: currently verifies nothing! WARNING: authenticates/verifies nothing
without --pinnedpubkey below!!
--pinnedpubkey <sha256_hashes> Public key to verify peer against,
format is any number of base64 encoded
sha256 hashes preceded by "sha256//"
and separated by ";". Identical to curl's
--pinnedpubkey and CURLOPT_PINNEDPUBLICKEY
--tls-hostname send this in SNI instead of host --tls-hostname send this in SNI instead of host
from --tcp-target, useful for avoiding from --tcp-target, useful for avoiding
DNS lookup on connect DNS lookup on connect

View File

@ -54,8 +54,10 @@ test_script:
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test && cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test &&
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is
) )
# todo: should run --pinnedpubkey test here where we expect failure, but unsure how to do that with windows, help?
- if [%CARGO_FEATURES%]==[openssl_vendored] ( - if [%CARGO_FEATURES%]==[openssl_vendored] (
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem &&
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4dE=
) )
before_deploy: before_deploy:

View File

@ -19,6 +19,14 @@ main() {
if [ $CARGO_FEATURES != "default" ]; then if [ $CARGO_FEATURES != "default" ]; then
# run TLS tests then too # run TLS tests then too
cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem
# now pubkey tests
# one that should fail (wrong pinnedpubkey lowercase e at end instead of uppercase E)
cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4de= && exit 1 || true
# and one that should pass
cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4dE=
fi fi
} }

View File

@ -75,6 +75,7 @@ fn main() {
let tls_key = args.get_option(&["-tk", "--tls-key"]); let tls_key = args.get_option(&["-tk", "--tls-key"]);
let tls_cert = args.get_option(&["-tc", "--tls-cert"]); let tls_cert = args.get_option(&["-tc", "--tls-cert"]);
let pinnedpubkey = args.get_option(&["--pinnedpubkey"]);
let tls = if tls_key.is_some() && tls_cert.is_some() { let tls = if tls_key.is_some() && tls_cert.is_some() {
true true
@ -98,10 +99,15 @@ fn main() {
before terminating, default: {} before terminating, default: {}
TLS option for self tests only, otherwise self tests are plaintext only: TLS option for self tests only, otherwise self tests are plaintext only:
-tk, --tls-key <ip:port> TLS key to listen with, -tk, --tls-key <ip:port> TLS key to listen with,
requires --tls-cert also requires --tls-cert also
-tc, --tls-cert <ip:port> TLS cert to listen with, -tc, --tls-cert <ip:port> TLS cert to listen with,
requires --tls-key also requires --tls-key also
--pinnedpubkey <sha256_hashes> Public key to verify peer against,
format is any number of base64 encoded
sha256 hashes preceded by "sha256//"
and separated by ";". Identical to curl's
--pinnedpubkey and CURLOPT_PINNEDPUBLICKEY
"#, default_udp_host_target, default_udp_host_target, default_socket_timeout); "#, default_udp_host_target, default_udp_host_target, default_socket_timeout);
return; return;
} else if args.flag("-s") || args.flag("--self-test") { } else if args.flag("-s") || args.flag("--self-test") {
@ -113,50 +119,37 @@ fn main() {
let udp_test = args.get_str_idx(0, "udp-test"); let udp_test = args.get_str_idx(0, "udp-test");
let proxy = udp_test.clone().replace("udp-test", "wireguard-proxy"); let proxy = udp_test.clone().replace("udp-test", "wireguard-proxy");
let mut proxyd = if tls { let mut proxyd_args = vec!["-th", tcp_host, "-ut", host];
if tls {
let tls_key = tls_key.unwrap(); let tls_key = tls_key.unwrap();
let tls_cert = tls_cert.unwrap(); let tls_cert = tls_cert.unwrap();
println!("executing: {} -th '{}' -ut '{}' -tk '{}' -tc '{}'", proxy, tcp_host, host, tls_key, tls_cert); proxyd_args.extend(["-tk", tls_key, "-tc", tls_cert].iter().cloned());
Command::new(proxy.clone()) }
.arg("-th")
.arg(tcp_host) println!("executing: {} {}", proxy, proxyd_args.join(" "));
.arg("-ut") let mut proxyd = Command::new(proxy.clone())
.arg(host) .args(&proxyd_args)
.arg("-tk")
.arg(tls_key)
.arg("-tc")
.arg(tls_cert)
.spawn() .spawn()
.expect("wireguard-proxy TLS server failed to launch") .expect("wireguard-proxy server failed to launch");
} else {
println!("executing: {} -th '{}' -ut '{}'", proxy, tcp_host, host);
Command::new(proxy.clone())
.arg("-th")
.arg(tcp_host)
.arg("-ut")
.arg(host)
.spawn()
.expect("wireguard-proxy server failed to launch")
};
println!("waiting: {:?} for wireguard-proxy server to come up.....", sleep); println!("waiting: {:?} for wireguard-proxy server to come up.....", sleep);
thread::sleep(sleep); thread::sleep(sleep);
let mut proxy = if tls { let mut proxy_args = vec!["-tt", tcp_host];
println!("executing: {} -tt {} --tls", proxy, tcp_host);
Command::new(proxy) if tls {
.arg("-tt") proxy_args.push("--tls");
.arg(tcp_host) if pinnedpubkey.is_some() {
.arg("--tls") proxy_args.push("--pinnedpubkey");
proxy_args.push(pinnedpubkey.unwrap());
}
}
println!("executing: {} {}", proxy, proxy_args.join(" "));
let mut proxy = Command::new(proxy)
.args(proxy_args)
.spawn() .spawn()
.expect("wireguard-proxy TLS client failed to launch") .expect("wireguard-proxy TLS client failed to launch");
} else {
println!("executing: {} -tt {}", proxy, tcp_host);
Command::new(proxy)
.arg("-tt")
.arg(tcp_host)
.spawn()
.expect("wireguard-proxy client failed to launch")
};
println!("waiting: {:?} for wireguard-proxy client to come up.....", sleep); println!("waiting: {:?} for wireguard-proxy client to come up.....", sleep);
thread::sleep(sleep); thread::sleep(sleep);
@ -226,9 +219,17 @@ fn main() {
); );
if tls { if tls {
println!("executing: wireguard-proxy -tt {} --tls", tcp_host); let hostname = tcp_host.split(":").next();
let hostname = tcp_host.split(":").next().expect("cannot extract hostname from tcp_host"); match pinnedpubkey {
thread::spawn(move || proxy_client.start_tls(hostname).expect("error running proxy_client")); Some(pinnedpubkey) =>
println!("executing: wireguard-proxy -tt {} --tls --pinnedpubkey {}", tcp_host, pinnedpubkey),
None =>
println!("executing: wireguard-proxy -tt {} --tls", tcp_host),
}
// this is a little funky, is this the only way to do it?
let pinnedpubkey = pinnedpubkey.map(&str::to_owned);
// can use pinnedpubkey.as_deref() below when it's stabilized
thread::spawn(move || proxy_client.start_tls(hostname, pinnedpubkey.as_ref().map(String::as_str)).expect("error running proxy_client"));
} else { } else {
println!("executing: wireguard-proxy -tt {}", tcp_host); println!("executing: wireguard-proxy -tt {}", tcp_host);
thread::spawn(move || proxy_client.start().expect("error running proxy_client")); thread::spawn(move || proxy_client.start().expect("error running proxy_client"));

View File

@ -24,7 +24,13 @@ fn main() {
-uh, --udp-host <ip:port> UDP host to listen on, point wireguard -uh, --udp-host <ip:port> UDP host to listen on, point wireguard
client here, default: {} client here, default: {}
--tls use TLS when connecting to tcp-target --tls use TLS when connecting to tcp-target
WARNING: currently verifies nothing! WARNING: authenticates/verifies nothing
without --pinnedpubkey below!!
--pinnedpubkey <sha256_hashes> Public key to verify peer against,
format is any number of base64 encoded
sha256 hashes preceded by "sha256//"
and separated by ";". Identical to curl's
--pinnedpubkey and CURLOPT_PINNEDPUBLICKEY
--tls-hostname send this in SNI instead of host --tls-hostname send this in SNI instead of host
from --tcp-target, useful for avoiding from --tcp-target, useful for avoiding
DNS lookup on connect DNS lookup on connect
@ -79,9 +85,9 @@ fn client(tcp_target: &str, socket_timeout: u64, args: Args) {
); );
if tls { if tls {
let hostname = args.get_option(&["--tls-hostname"]).or_else(|| tcp_target.split(":").next()) let hostname = args.get_option(&["--tls-hostname"]).or_else(|| tcp_target.split(":").next());
.expect("--tls-hostname not set and cannot extract hostname from --tcp-target"); let pinnedpubkey = args.get_option(&["--pinnedpubkey"]);
proxy_client.start_tls(hostname).expect("error running tls proxy_client"); proxy_client.start_tls(hostname, pinnedpubkey).expect("error running tls proxy_client");
} else { } else {
proxy_client.start().expect("error running proxy_client"); proxy_client.start().expect("error running proxy_client");
} }

View File

@ -188,10 +188,10 @@ impl ProxyClient {
TcpUdpPipe::new(tcp_stream, udp_socket).shuffle_after_first_udp() TcpUdpPipe::new(tcp_stream, udp_socket).shuffle_after_first_udp()
} }
pub fn start_tls(&self, hostname: &str) -> Result<usize> { pub fn start_tls(&self, hostname: Option<&str>, pinnedpubkey: Option<&str>) -> Result<usize> {
let tcp_stream = self.tcp_connect()?; let tcp_stream = self.tcp_connect()?;
let tcp_stream = TlsStream::client(hostname, tcp_stream)?; let tcp_stream = TlsStream::client(hostname, pinnedpubkey, tcp_stream)?;
let udp_socket = self.udp_connect()?; let udp_socket = self.udp_connect()?;

View File

@ -10,7 +10,7 @@ fn err() -> Error {
pub struct TlsStream; pub struct TlsStream;
impl TlsStream { impl TlsStream {
pub fn client(_host_name: &str, _tcp_stream: TcpStream) -> Result<TlsStream> { pub fn client(_hostname: Option<&str>, _pinnedpubkey: Option<&str>, _tcp_stream: TcpStream) -> Result<TlsStream> {
Err(err()) Err(err())
} }
} }

View File

@ -25,11 +25,38 @@ impl TlsStream {
sess: Arc::new(UnsafeCell::new(stream)) sess: Arc::new(UnsafeCell::new(stream))
} }
} }
pub fn client(host_name: &str, tcp_stream: TcpStream) -> Result<TlsStream> { pub fn client(hostname: Option<&str>, pinnedpubkey: Option<&str>, tcp_stream: TcpStream) -> Result<TlsStream> {
let mut connector = SslConnector::builder(SslMethod::tls())?.build().configure()?; let mut connector = SslConnector::builder(SslMethod::tls())?.build().configure()?;
connector.set_use_server_name_indication(hostname.is_some());
connector.set_verify_hostname(false); connector.set_verify_hostname(false);
connector.set_verify(SslVerifyMode::NONE); connector.set_verify(SslVerifyMode::NONE);
let tcp_stream = connector.connect(host_name, tcp_stream)?; if pinnedpubkey.is_some() {
let pinnedpubkey = pinnedpubkey.unwrap().to_owned();
connector.set_verify_callback(SslVerifyMode::PEER, move|_preverify_ok, x509_store_ctx| {
//println!("preverify_ok: {}", preverify_ok);
let cert = x509_store_ctx.current_cert().expect("could not get TLS cert");
let pubkey = cert.public_key().expect("could not get public key from TLS cert");
let pubkey = pubkey.public_key_to_der().expect("could not get TLS public key bytes");
//println!("pubkey.len(): {}", pubkey.len());
let mut sha256 = openssl::sha::Sha256::new();
sha256.update(&pubkey);
let pubkey = sha256.finish();
let pubkey = ["sha256//", &openssl::base64::encode_block(&pubkey)].join("");
println!("pubkey from cert: {}", pubkey);
for key in pinnedpubkey.split(";") {
if key == pubkey {
println!("SUCCESS: pubkey match found!",);
return true;
}
}
println!("ERROR: pubkey match not found!");
false
});
}
let tcp_stream = connector.connect(hostname.unwrap_or(""), tcp_stream)?;
Ok(TlsStream::new(tcp_stream)) Ok(TlsStream::new(tcp_stream))
} }
} }

10
test.sh
View File

@ -60,4 +60,14 @@ run_tests || exit 1
# then TLS tests # then TLS tests
run_tests --tls --tls-key ci/cert.key --tls-cert ci/cert.pem || exit 1 run_tests --tls --tls-key ci/cert.key --tls-cert ci/cert.pem || exit 1
# now pubkey tests
# these should fail
udp-test -s --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4de= && exit 1
udp-test -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4de= && exit 1
# these should pass
udp-test -s --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4dE= || exit 1
udp-test -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4dE= || exit 1
exit 0 exit 0