Added TLS --pinnedpubkey support
This commit is contained in:
parent
9d37f3d929
commit
1e7fa84a42
@ -19,7 +19,13 @@ usage: wireguard-proxy [options...]
|
||||
-uh, --udp-host <ip:port> UDP host to listen on, point wireguard
|
||||
client here, default: 127.0.0.1:51820
|
||||
--tls use TLS when connecting to tcp-target
|
||||
WARNING: currently verifies nothing!
|
||||
WARNING: authenticates/verifies nothing
|
||||
without --pinnedpubkey below!!
|
||||
--pinnedpubkey <sha256_hashes> Public key to verify peer against,
|
||||
format is any number of base64 encoded
|
||||
sha256 hashes preceded by "sha256//"
|
||||
and separated by ";". Identical to curl's
|
||||
--pinnedpubkey and CURLOPT_PINNEDPUBLICKEY
|
||||
--tls-hostname send this in SNI instead of host
|
||||
from --tcp-target, useful for avoiding
|
||||
DNS lookup on connect
|
||||
|
@ -54,8 +54,10 @@ test_script:
|
||||
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test &&
|
||||
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is
|
||||
)
|
||||
# todo: should run --pinnedpubkey test here where we expect failure, but unsure how to do that with windows, help?
|
||||
- if [%CARGO_FEATURES%]==[openssl_vendored] (
|
||||
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem
|
||||
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem &&
|
||||
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4dE=
|
||||
)
|
||||
|
||||
before_deploy:
|
||||
|
@ -19,6 +19,14 @@ main() {
|
||||
if [ $CARGO_FEATURES != "default" ]; then
|
||||
# run TLS tests then too
|
||||
cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem
|
||||
|
||||
# now pubkey tests
|
||||
|
||||
# one that should fail (wrong pinnedpubkey lowercase e at end instead of uppercase E)
|
||||
cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4de= && exit 1 || true
|
||||
|
||||
# and one that should pass
|
||||
cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4dE=
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -75,6 +75,7 @@ fn main() {
|
||||
|
||||
let tls_key = args.get_option(&["-tk", "--tls-key"]);
|
||||
let tls_cert = args.get_option(&["-tc", "--tls-cert"]);
|
||||
let pinnedpubkey = args.get_option(&["--pinnedpubkey"]);
|
||||
|
||||
let tls = if tls_key.is_some() && tls_cert.is_some() {
|
||||
true
|
||||
@ -102,6 +103,11 @@ fn main() {
|
||||
requires --tls-cert also
|
||||
-tc, --tls-cert <ip:port> TLS cert to listen with,
|
||||
requires --tls-key also
|
||||
--pinnedpubkey <sha256_hashes> Public key to verify peer against,
|
||||
format is any number of base64 encoded
|
||||
sha256 hashes preceded by "sha256//"
|
||||
and separated by ";". Identical to curl's
|
||||
--pinnedpubkey and CURLOPT_PINNEDPUBLICKEY
|
||||
"#, default_udp_host_target, default_udp_host_target, default_socket_timeout);
|
||||
return;
|
||||
} else if args.flag("-s") || args.flag("--self-test") {
|
||||
@ -113,50 +119,37 @@ fn main() {
|
||||
let udp_test = args.get_str_idx(0, "udp-test");
|
||||
let proxy = udp_test.clone().replace("udp-test", "wireguard-proxy");
|
||||
|
||||
let mut proxyd = if tls {
|
||||
let mut proxyd_args = vec!["-th", tcp_host, "-ut", host];
|
||||
|
||||
if tls {
|
||||
let tls_key = tls_key.unwrap();
|
||||
let tls_cert = tls_cert.unwrap();
|
||||
println!("executing: {} -th '{}' -ut '{}' -tk '{}' -tc '{}'", proxy, tcp_host, host, tls_key, tls_cert);
|
||||
Command::new(proxy.clone())
|
||||
.arg("-th")
|
||||
.arg(tcp_host)
|
||||
.arg("-ut")
|
||||
.arg(host)
|
||||
.arg("-tk")
|
||||
.arg(tls_key)
|
||||
.arg("-tc")
|
||||
.arg(tls_cert)
|
||||
proxyd_args.extend(["-tk", tls_key, "-tc", tls_cert].iter().cloned());
|
||||
}
|
||||
|
||||
println!("executing: {} {}", proxy, proxyd_args.join(" "));
|
||||
let mut proxyd = Command::new(proxy.clone())
|
||||
.args(&proxyd_args)
|
||||
.spawn()
|
||||
.expect("wireguard-proxy TLS server failed to launch")
|
||||
} else {
|
||||
println!("executing: {} -th '{}' -ut '{}'", proxy, tcp_host, host);
|
||||
Command::new(proxy.clone())
|
||||
.arg("-th")
|
||||
.arg(tcp_host)
|
||||
.arg("-ut")
|
||||
.arg(host)
|
||||
.spawn()
|
||||
.expect("wireguard-proxy server failed to launch")
|
||||
};
|
||||
.expect("wireguard-proxy server failed to launch");
|
||||
println!("waiting: {:?} for wireguard-proxy server to come up.....", sleep);
|
||||
thread::sleep(sleep);
|
||||
|
||||
let mut proxy = if tls {
|
||||
println!("executing: {} -tt {} --tls", proxy, tcp_host);
|
||||
Command::new(proxy)
|
||||
.arg("-tt")
|
||||
.arg(tcp_host)
|
||||
.arg("--tls")
|
||||
let mut proxy_args = vec!["-tt", tcp_host];
|
||||
|
||||
if tls {
|
||||
proxy_args.push("--tls");
|
||||
if pinnedpubkey.is_some() {
|
||||
proxy_args.push("--pinnedpubkey");
|
||||
proxy_args.push(pinnedpubkey.unwrap());
|
||||
}
|
||||
}
|
||||
|
||||
println!("executing: {} {}", proxy, proxy_args.join(" "));
|
||||
let mut proxy = Command::new(proxy)
|
||||
.args(proxy_args)
|
||||
.spawn()
|
||||
.expect("wireguard-proxy TLS client failed to launch")
|
||||
} else {
|
||||
println!("executing: {} -tt {}", proxy, tcp_host);
|
||||
Command::new(proxy)
|
||||
.arg("-tt")
|
||||
.arg(tcp_host)
|
||||
.spawn()
|
||||
.expect("wireguard-proxy client failed to launch")
|
||||
};
|
||||
.expect("wireguard-proxy TLS client failed to launch");
|
||||
println!("waiting: {:?} for wireguard-proxy client to come up.....", sleep);
|
||||
thread::sleep(sleep);
|
||||
|
||||
@ -226,9 +219,17 @@ fn main() {
|
||||
);
|
||||
|
||||
if tls {
|
||||
println!("executing: wireguard-proxy -tt {} --tls", tcp_host);
|
||||
let hostname = tcp_host.split(":").next().expect("cannot extract hostname from tcp_host");
|
||||
thread::spawn(move || proxy_client.start_tls(hostname).expect("error running proxy_client"));
|
||||
let hostname = tcp_host.split(":").next();
|
||||
match pinnedpubkey {
|
||||
Some(pinnedpubkey) =>
|
||||
println!("executing: wireguard-proxy -tt {} --tls --pinnedpubkey {}", tcp_host, pinnedpubkey),
|
||||
None =>
|
||||
println!("executing: wireguard-proxy -tt {} --tls", tcp_host),
|
||||
}
|
||||
// this is a little funky, is this the only way to do it?
|
||||
let pinnedpubkey = pinnedpubkey.map(&str::to_owned);
|
||||
// can use pinnedpubkey.as_deref() below when it's stabilized
|
||||
thread::spawn(move || proxy_client.start_tls(hostname, pinnedpubkey.as_ref().map(String::as_str)).expect("error running proxy_client"));
|
||||
} else {
|
||||
println!("executing: wireguard-proxy -tt {}", tcp_host);
|
||||
thread::spawn(move || proxy_client.start().expect("error running proxy_client"));
|
||||
|
@ -24,7 +24,13 @@ fn main() {
|
||||
-uh, --udp-host <ip:port> UDP host to listen on, point wireguard
|
||||
client here, default: {}
|
||||
--tls use TLS when connecting to tcp-target
|
||||
WARNING: currently verifies nothing!
|
||||
WARNING: authenticates/verifies nothing
|
||||
without --pinnedpubkey below!!
|
||||
--pinnedpubkey <sha256_hashes> Public key to verify peer against,
|
||||
format is any number of base64 encoded
|
||||
sha256 hashes preceded by "sha256//"
|
||||
and separated by ";". Identical to curl's
|
||||
--pinnedpubkey and CURLOPT_PINNEDPUBLICKEY
|
||||
--tls-hostname send this in SNI instead of host
|
||||
from --tcp-target, useful for avoiding
|
||||
DNS lookup on connect
|
||||
@ -79,9 +85,9 @@ fn client(tcp_target: &str, socket_timeout: u64, args: Args) {
|
||||
);
|
||||
|
||||
if tls {
|
||||
let hostname = args.get_option(&["--tls-hostname"]).or_else(|| tcp_target.split(":").next())
|
||||
.expect("--tls-hostname not set and cannot extract hostname from --tcp-target");
|
||||
proxy_client.start_tls(hostname).expect("error running tls proxy_client");
|
||||
let hostname = args.get_option(&["--tls-hostname"]).or_else(|| tcp_target.split(":").next());
|
||||
let pinnedpubkey = args.get_option(&["--pinnedpubkey"]);
|
||||
proxy_client.start_tls(hostname, pinnedpubkey).expect("error running tls proxy_client");
|
||||
} else {
|
||||
proxy_client.start().expect("error running proxy_client");
|
||||
}
|
||||
|
@ -188,10 +188,10 @@ impl ProxyClient {
|
||||
TcpUdpPipe::new(tcp_stream, udp_socket).shuffle_after_first_udp()
|
||||
}
|
||||
|
||||
pub fn start_tls(&self, hostname: &str) -> Result<usize> {
|
||||
pub fn start_tls(&self, hostname: Option<&str>, pinnedpubkey: Option<&str>) -> Result<usize> {
|
||||
let tcp_stream = self.tcp_connect()?;
|
||||
|
||||
let tcp_stream = TlsStream::client(hostname, tcp_stream)?;
|
||||
let tcp_stream = TlsStream::client(hostname, pinnedpubkey, tcp_stream)?;
|
||||
|
||||
let udp_socket = self.udp_connect()?;
|
||||
|
||||
|
@ -10,7 +10,7 @@ fn err() -> Error {
|
||||
pub struct TlsStream;
|
||||
|
||||
impl TlsStream {
|
||||
pub fn client(_host_name: &str, _tcp_stream: TcpStream) -> Result<TlsStream> {
|
||||
pub fn client(_hostname: Option<&str>, _pinnedpubkey: Option<&str>, _tcp_stream: TcpStream) -> Result<TlsStream> {
|
||||
Err(err())
|
||||
}
|
||||
}
|
||||
|
@ -25,11 +25,38 @@ impl TlsStream {
|
||||
sess: Arc::new(UnsafeCell::new(stream))
|
||||
}
|
||||
}
|
||||
pub fn client(host_name: &str, tcp_stream: TcpStream) -> Result<TlsStream> {
|
||||
pub fn client(hostname: Option<&str>, pinnedpubkey: Option<&str>, tcp_stream: TcpStream) -> Result<TlsStream> {
|
||||
let mut connector = SslConnector::builder(SslMethod::tls())?.build().configure()?;
|
||||
connector.set_use_server_name_indication(hostname.is_some());
|
||||
connector.set_verify_hostname(false);
|
||||
connector.set_verify(SslVerifyMode::NONE);
|
||||
let tcp_stream = connector.connect(host_name, tcp_stream)?;
|
||||
if pinnedpubkey.is_some() {
|
||||
let pinnedpubkey = pinnedpubkey.unwrap().to_owned();
|
||||
connector.set_verify_callback(SslVerifyMode::PEER, move|_preverify_ok, x509_store_ctx| {
|
||||
//println!("preverify_ok: {}", preverify_ok);
|
||||
let cert = x509_store_ctx.current_cert().expect("could not get TLS cert");
|
||||
let pubkey = cert.public_key().expect("could not get public key from TLS cert");
|
||||
let pubkey = pubkey.public_key_to_der().expect("could not get TLS public key bytes");
|
||||
//println!("pubkey.len(): {}", pubkey.len());
|
||||
|
||||
let mut sha256 = openssl::sha::Sha256::new();
|
||||
sha256.update(&pubkey);
|
||||
let pubkey = sha256.finish();
|
||||
|
||||
let pubkey = ["sha256//", &openssl::base64::encode_block(&pubkey)].join("");
|
||||
println!("pubkey from cert: {}", pubkey);
|
||||
|
||||
for key in pinnedpubkey.split(";") {
|
||||
if key == pubkey {
|
||||
println!("SUCCESS: pubkey match found!",);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
println!("ERROR: pubkey match not found!");
|
||||
false
|
||||
});
|
||||
}
|
||||
let tcp_stream = connector.connect(hostname.unwrap_or(""), tcp_stream)?;
|
||||
Ok(TlsStream::new(tcp_stream))
|
||||
}
|
||||
}
|
||||
|
10
test.sh
10
test.sh
@ -60,4 +60,14 @@ run_tests || exit 1
|
||||
# then TLS tests
|
||||
run_tests --tls --tls-key ci/cert.key --tls-cert ci/cert.pem || exit 1
|
||||
|
||||
# now pubkey tests
|
||||
|
||||
# these should fail
|
||||
udp-test -s --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4de= && exit 1
|
||||
udp-test -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4de= && exit 1
|
||||
|
||||
# these should pass
|
||||
udp-test -s --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4dE= || exit 1
|
||||
udp-test -is --tls-key ci/cert.key --tls-cert ci/cert.pem --pinnedpubkey sha256//BEyQeSjwwUBLXXNuCILHRWyV1gLmY31CdMHNA4VH4dE= || exit 1
|
||||
|
||||
exit 0
|
||||
|
Loading…
Reference in New Issue
Block a user