From 56add49645622e0a792135f7b34ee4de17152994 Mon Sep 17 00:00:00 2001 From: Nixon Enraght-Moony Date: Wed, 12 Jan 2022 21:29:39 +0000 Subject: [PATCH] Back to rustls --- .gitignore | 2 + Cargo.lock | 35 +++++++++++--- Cargo.toml | 2 +- README.md | 8 ++++ src/main.rs | 132 ++++++++++++++++++++++++++++++++-------------------- 5 files changed, 122 insertions(+), 57 deletions(-) create mode 100644 README.md diff --git a/.gitignore b/.gitignore index ea8c4bf..8c794f6 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ /target +keylog +wireshark_log \ No newline at end of file diff --git a/Cargo.lock b/Cargo.lock index a637d83..07e3ad6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -365,6 +365,7 @@ version = "0.1.0" dependencies = [ "anyhow", "native-tls", + "rustls 0.20.2", "trust-dns-resolver", "uuid", "webpki-roots 0.22.2", @@ -411,9 +412,9 @@ dependencies = [ [[package]] name = "openssl-probe" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28988d872ab76095a6e6ac88d99b54fd267702734fd7ffe610ca27f533ddb95a" +checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" [[package]] name = "openssl-sys" @@ -599,10 +600,22 @@ dependencies = [ "base64", "log", "ring", - "sct", + "sct 0.6.1", "webpki 0.21.4", ] +[[package]] +name = "rustls" +version = "0.20.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d37e5e2290f3e040b594b1a9e04377c2c671f1a1cfd9bfdef82106ac1c113f84" +dependencies = [ + "log", + "ring", + "sct 0.7.0", + "webpki 0.22.0", +] + [[package]] name = "schannel" version = "0.1.19" @@ -629,6 +642,16 @@ dependencies = [ "untrusted", ] +[[package]] +name = "sct" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "security-framework" version = "2.4.2" 
@@ -762,7 +785,7 @@ version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" dependencies = [ - "rustls", + "rustls 0.19.1", "tokio", "webpki 0.21.4", ] @@ -806,7 +829,7 @@ dependencies = [ "lru-cache", "parking_lot", "resolv-conf", - "rustls", + "rustls 0.19.1", "smallvec", "thiserror", "tokio", @@ -826,7 +849,7 @@ dependencies = [ "futures-io", "futures-util", "log", - "rustls", + "rustls 0.19.1", "tokio", "tokio-rustls", "trust-dns-proto", diff --git a/Cargo.toml b/Cargo.toml index d0fc534..ff09e0a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -8,7 +8,7 @@ edition = "2021" [dependencies] anyhow = "1.0.52" native-tls = "0.2.8" -#rustls = "0.20.2" +rustls = { version = "0.20.2", features = ["dangerous_configuration"] } trust-dns-resolver = { version = "0.20.3", features = ["dns-over-rustls"] } uuid = { version = "0.8.2", features = ["v4"] } webpki-roots = "0.22.2" diff --git a/README.md b/README.md new file mode 100644 index 0000000..dc6bc0f --- /dev/null +++ b/README.md @@ -0,0 +1,8 @@ +```powershell +$Env:SSLKEYLOGFILE="keylog" +cargo run +``` + +`tls.record.content_type == 23 && tcp.port == 12345` in wireshark + +point `Preferences > Prototcols > TLS > (Pre)-Master log filename` to KEYLOG \ No newline at end of file diff --git a/src/main.rs b/src/main.rs index 42f8b12..763f301 100644 --- a/src/main.rs +++ b/src/main.rs 
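Review bot: The `features = ["dangerous_configuration"]` added to the rustls line unlocks the certificate-verifier override that src/main.rs installs, and it does so for every build profile, so a plain `cargo build --release` ships a client that accepts any certificate. A package-level opt-in such as `[features]` / `insecure-dev = ["rustls/dangerous_configuration"]`, with the override in src/main.rs gated on `#[cfg(feature = "insecure-dev")]`, keeps the debugging setup from README.md available without making it the default. `native-tls = "0.2.8"` is still listed although the new src/main.rs only references it in commented-out lines; if nothing outside the shown hunks uses it, it can be dropped along with the `openssl-probe`/`schannel`/`security-framework` tree it pulls into Cargo.lock.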
@@ -1,13 +1,16 @@ use std::{ io::{Read, Write}, net::TcpStream, - str::FromStr, sync::Arc, }; -use anyhow::{bail, Context, Result}; -use native_tls::{TlsConnector, TlsConnectorBuilder}; -// use rustls::{ClientConfig, ClientConnection, OwnedTrustAnchor, RootCertStore, StreamOwned}; +use anyhow::{Context, Result}; +// use native_tls::TlsConnector; +// use native_tls::TlsConnector; +use rustls::{ + client::{ServerCertVerified, ServerCertVerifier}, + ClientConfig, ClientConnection, KeyLogFile, OwnedTrustAnchor, RootCertStore, StreamOwned, +}; use trust_dns_resolver::{ config::{ResolverConfig, ResolverOpts}, Resolver, @@ -16,27 +19,32 @@ use uuid::Uuid; fn main() -> Result<()> { let (port, host) = resolve_dns("daeken.dev")?; + let port = 12345; + let host = "localhost"; dbg!(&port); dbg!(&host); - // let tls_conf = Arc::new(make_tls_config()); - let mut tls_conn = make_tls_connection(&host, port) + let tls_conf = Arc::new(make_tls_config()); + let mut tls_conn = make_tls_connection(tls_conf, &host, port) .with_context(|| format!("Can't connect to {}:{}", host, port))?; - // let uuid =// Uuid::new_v4(); - - let uuid = [b'a'; 16]; + let uuid = Uuid::new_v4(); dbg!(&uuid); - tls_conn.write_all(&uuid).context("Can't write UUID")?; + tls_conn + .write_all(uuid.as_bytes()) + .context("Can't write UUID")?; let mut serv_uuid = [0; 16]; tls_conn.read_exact(&mut serv_uuid)?; + let serv_uuid = Uuid::from_bytes(serv_uuid); dbg!(serv_uuid); // Hangs ATM let mut new = [0; 100]; + tls_conn.write_all(&new)?; let len = tls_conn.read(&mut new)?; + dbg!(&new[..len]); Ok(()) 
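Review bot: `resolve_dns("daeken.dev")?` at the top of `main` still runs even though its `port` and `host` are immediately shadowed by `let port = 12345;` and `let host = "localhost";`, so the lookup result is never used and a DNS failure for an unrelated host aborts a connection that only targets localhost. Either remove the lookup while the local target is hard-coded, or keep it and delete the two shadowing lines; if the literals are meant to stay, naming them (`const DEV_PORT: u16 = 12345;`) with a comment that they point at the local debug server would make the intent clear. The import block also carries `// use native_tls::TlsConnector;` twice; one copy (or both, since the new code uses rustls) can go. `main`'s body continues past the end of this hunk.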
@@ -69,57 +77,81 @@ fn make_dns_client() -> Result { )?) } -// fn make_tls_config() -> ClientConfig { -// let mut root_store = RootCertStore::empty(); -// root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| { -// OwnedTrustAnchor::from_subject_spki_name_constraints( -// ta.subject, -// ta.spki, -// ta.name_constraints, -// ) -// })); +fn make_tls_config() -> ClientConfig { + let mut root_store = RootCertStore::empty(); + root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| { + OwnedTrustAnchor::from_subject_spki_name_constraints( + ta.subject, + ta.spki, + ta.name_constraints, + ) + })); -// let cert_dir = include_bytes!("../cert.der"); + // let cert_dir = include_bytes!("../cert.der"); -// assert_eq!( -// root_store.add_parsable_certificates(&[cert_dir.to_vec()]), -// (1, 0) -// ); + // assert_eq!( + // root_store.add_parsable_certificates(&[cert_dir.to_vec()]), + // (1, 0) + // ); -// let config = rustls::ClientConfig::builder() -// .with_safe_defaults() -// .with_root_certificates(root_store) -// .with_no_client_auth(); + let mut config = rustls::ClientConfig::builder() + .with_safe_defaults() + .with_root_certificates(root_store) + .with_no_client_auth(); -// config -// } + struct DontValidate; + + impl ServerCertVerifier for DontValidate { + fn verify_server_cert( + &self, + _: &rustls::Certificate, + _: &[rustls::Certificate], + _: &rustls::ServerName, + _: &mut dyn Iterator, + _: &[u8], + _: std::time::SystemTime, + ) -> Result { + Ok(ServerCertVerified::assertion()) + } + } + + config + .dangerous() + .set_certificate_verifier(Arc::new(DontValidate)); + + config.key_log = Arc::new(KeyLogFile::new()); + + config +} + +fn make_tls_connection( + config: Arc, + server: &str, + port: u16, +) -> Result { + let server_name = server + .try_into() + .with_context(|| format!("Invalid server name: `{}`", server))?; + + let conn = ClientConnection::new(config, server_name)?; + let sock = 
TcpStream::connect((server, port))?; + + let stream = StreamOwned::new(conn, sock); + + Ok(stream) +} // fn make_tls_connection( // config: Arc, // server: &str, // port: u16, // ) -> Result { -// let server_name = server.try_into()?; +// let connector = TlsConnector::builder() +// .danger_accept_invalid_certs(true) +// .build()?; -// let conn = ClientConnection::new(config, server_name)?; // let sock = TcpStream::connect((server, port))?; +// let conn = connector.connect(server, sock)?; -// let stream = StreamOwned::new(conn, sock); - -// Ok(stream) +// Ok(conn) // } - -fn make_tls_connection( - // config: Arc, - server: &str, - port: u16, -) -> Result { - let connector = TlsConnector::builder() - .danger_accept_invalid_certs(true) - .build()?; - - let sock = TcpStream::connect((server, port))?; - let conn = connector.connect(server, sock)?; - - Ok(conn) -}
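Review bot: `DontValidate::verify_server_cert` in `make_tls_config` returns `ServerCertVerified::assertion()` for every chain and server name, so the connection has no peer authentication, and the `root_store` filled from `webpki_roots::TLS_SERVER_ROOTS` a few lines earlier is overridden by `set_certificate_verifier` and never consulted. Both that override and `config.key_log = Arc::new(KeyLogFile::new())`, which writes the session secrets to the path named in `SSLKEYLOGFILE`, are applied unconditionally, so a release build carries them too. Scoping the two statements to debug builds, as below, keeps the Wireshark workflow from README.md while leaving the webpki roots in force otherwise; a doc comment on `make_tls_config` saying that debug builds skip certificate validation and may log TLS keys would make the trade-off visible to the next reader. `make_tls_connection` is unchanged by this suggestion.
```rust
fn make_tls_config() -> ClientConfig {
    // … unchanged: root_store population, builder chain, DontValidate impl …

    // Debug builds only: the local dev server presents a self-signed cert and the
    // README's Wireshark workflow needs the session keys. Release builds keep the
    // webpki root store installed above and never touch SSLKEYLOGFILE.
    if cfg!(debug_assertions) {
        config
            .dangerous()
            .set_certificate_verifier(Arc::new(DontValidate));
        config.key_log = Arc::new(KeyLogFile::new());
    }

    config
}
```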