
Alona EM 2022-01-12 21:29:39 +00:00
parent 3aa8364f47
commit 56add49645
5 changed files with 122 additions and 57 deletions

.gitignore vendored

@ -1 +1,3 @@
/target /target
keylog
wireshark_log

Cargo.lock generated

@ -365,6 +365,7 @@ version = "0.1.0"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"native-tls", "native-tls",
"rustls 0.20.2",
"trust-dns-resolver", "trust-dns-resolver",
"uuid", "uuid",
"webpki-roots 0.22.2", "webpki-roots 0.22.2",
@ -411,9 +412,9 @@ dependencies = [
[[package]] [[package]]
name = "openssl-probe" name = "openssl-probe"
version = "0.1.4" version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "28988d872ab76095a6e6ac88d99b54fd267702734fd7ffe610ca27f533ddb95a" checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
[[package]] [[package]]
name = "openssl-sys" name = "openssl-sys"
@ -599,10 +600,22 @@ dependencies = [
"base64", "base64",
"log", "log",
"ring", "ring",
"sct", "sct 0.6.1",
"webpki 0.21.4", "webpki 0.21.4",
] ]
[[package]]
name = "rustls"
version = "0.20.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d37e5e2290f3e040b594b1a9e04377c2c671f1a1cfd9bfdef82106ac1c113f84"
dependencies = [
"log",
"ring",
"sct 0.7.0",
"webpki 0.22.0",
]
[[package]] [[package]]
name = "schannel" name = "schannel"
version = "0.1.19" version = "0.1.19"
@ -629,6 +642,16 @@ dependencies = [
"untrusted", "untrusted",
] ]
[[package]]
name = "sct"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
dependencies = [
"ring",
"untrusted",
]
[[package]] [[package]]
name = "security-framework" name = "security-framework"
version = "2.4.2" version = "2.4.2"
@ -762,7 +785,7 @@ version = "0.22.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6"
dependencies = [ dependencies = [
"rustls", "rustls 0.19.1",
"tokio", "tokio",
"webpki 0.21.4", "webpki 0.21.4",
] ]
@ -806,7 +829,7 @@ dependencies = [
"lru-cache", "lru-cache",
"parking_lot", "parking_lot",
"resolv-conf", "resolv-conf",
"rustls", "rustls 0.19.1",
"smallvec", "smallvec",
"thiserror", "thiserror",
"tokio", "tokio",
@ -826,7 +849,7 @@ dependencies = [
"futures-io", "futures-io",
"futures-util", "futures-util",
"log", "log",
"rustls", "rustls 0.19.1",
"tokio", "tokio",
"tokio-rustls", "tokio-rustls",
"trust-dns-proto", "trust-dns-proto",


@ -8,7 +8,7 @@ edition = "2021"
[dependencies] [dependencies]
anyhow = "1.0.52" anyhow = "1.0.52"
native-tls = "0.2.8" native-tls = "0.2.8"
#rustls = "0.20.2" rustls = { version = "0.20.2", features = ["dangerous_configuration"] }
trust-dns-resolver = { version = "0.20.3", features = ["dns-over-rustls"] } trust-dns-resolver = { version = "0.20.3", features = ["dns-over-rustls"] }
uuid = { version = "0.8.2", features = ["v4"] } uuid = { version = "0.8.2", features = ["v4"] }
webpki-roots = "0.22.2" webpki-roots = "0.22.2"

README.md Normal file

@ -0,0 +1,8 @@
```powershell
$Env:SSLKEYLOGFILE="keylog"
cargo run
```
`tls.record.content_type == 23 && tcp.port == 12345` in wireshark
point `Preferences > Prototcols > TLS > (Pre)-Master log filename` to KEYLOG


@ -1,13 +1,16 @@
use std::{ use std::{
io::{Read, Write}, io::{Read, Write},
net::TcpStream, net::TcpStream,
str::FromStr,
sync::Arc, sync::Arc,
}; };
use anyhow::{bail, Context, Result}; use anyhow::{Context, Result};
use native_tls::{TlsConnector, TlsConnectorBuilder}; // use native_tls::TlsConnector;
// use rustls::{ClientConfig, ClientConnection, OwnedTrustAnchor, RootCertStore, StreamOwned}; // use native_tls::TlsConnector;
use rustls::{
client::{ServerCertVerified, ServerCertVerifier},
ClientConfig, ClientConnection, KeyLogFile, OwnedTrustAnchor, RootCertStore, StreamOwned,
};
use trust_dns_resolver::{ use trust_dns_resolver::{
config::{ResolverConfig, ResolverOpts}, config::{ResolverConfig, ResolverOpts},
Resolver, Resolver,
@ -16,27 +19,32 @@ use uuid::Uuid;
fn main() -> Result<()> { fn main() -> Result<()> {
let (port, host) = resolve_dns("daeken.dev")?; let (port, host) = resolve_dns("daeken.dev")?;
let port = 12345;
let host = "localhost";
dbg!(&port); dbg!(&port);
dbg!(&host); dbg!(&host);
// let tls_conf = Arc::new(make_tls_config()); let tls_conf = Arc::new(make_tls_config());
let mut tls_conn = make_tls_connection(&host, port) let mut tls_conn = make_tls_connection(tls_conf, &host, port)
.with_context(|| format!("Can't connect to {}:{}", host, port))?; .with_context(|| format!("Can't connect to {}:{}", host, port))?;
// let uuid =// Uuid::new_v4(); let uuid = Uuid::new_v4();
let uuid = [b'a'; 16];
dbg!(&uuid); dbg!(&uuid);
tls_conn.write_all(&uuid).context("Can't write UUID")?; tls_conn
.write_all(uuid.as_bytes())
.context("Can't write UUID")?;
let mut serv_uuid = [0; 16]; let mut serv_uuid = [0; 16];
tls_conn.read_exact(&mut serv_uuid)?; tls_conn.read_exact(&mut serv_uuid)?;
let serv_uuid = Uuid::from_bytes(serv_uuid);
dbg!(serv_uuid); dbg!(serv_uuid);
// Hangs ATM // Hangs ATM
let mut new = [0; 100]; let mut new = [0; 100];
tls_conn.write_all(&new)?;
let len = tls_conn.read(&mut new)?; let len = tls_conn.read(&mut new)?;
dbg!(&new[..len]); dbg!(&new[..len]);
Ok(()) Ok(())
@ -69,57 +77,81 @@ fn make_dns_client() -> Result<Resolver> {
)?) )?)
} }
// fn make_tls_config() -> ClientConfig { fn make_tls_config() -> ClientConfig {
// let mut root_store = RootCertStore::empty(); let mut root_store = RootCertStore::empty();
// root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| { root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
// OwnedTrustAnchor::from_subject_spki_name_constraints( OwnedTrustAnchor::from_subject_spki_name_constraints(
// ta.subject, ta.subject,
// ta.spki, ta.spki,
// ta.name_constraints, ta.name_constraints,
// ) )
// })); }));
// let cert_dir = include_bytes!("../cert.der"); // let cert_dir = include_bytes!("../cert.der");
// assert_eq!( // assert_eq!(
// root_store.add_parsable_certificates(&[cert_dir.to_vec()]), // root_store.add_parsable_certificates(&[cert_dir.to_vec()]),
// (1, 0) // (1, 0)
// ); // );
// let config = rustls::ClientConfig::builder() let mut config = rustls::ClientConfig::builder()
// .with_safe_defaults() .with_safe_defaults()
// .with_root_certificates(root_store) .with_root_certificates(root_store)
// .with_no_client_auth(); .with_no_client_auth();
// config struct DontValidate;
// }
impl ServerCertVerifier for DontValidate {
fn verify_server_cert(
&self,
_: &rustls::Certificate,
_: &[rustls::Certificate],
_: &rustls::ServerName,
_: &mut dyn Iterator<Item = &[u8]>,
_: &[u8],
_: std::time::SystemTime,
) -> Result<rustls::client::ServerCertVerified, rustls::Error> {
Ok(ServerCertVerified::assertion())
}
}
config
.dangerous()
.set_certificate_verifier(Arc::new(DontValidate));
config.key_log = Arc::new(KeyLogFile::new());
config
}
fn make_tls_connection(
config: Arc<ClientConfig>,
server: &str,
port: u16,
) -> Result<impl Read + Write> {
let server_name = server
.try_into()
.with_context(|| format!("Invalid server name: `{}`", server))?;
let conn = ClientConnection::new(config, server_name)?;
let sock = TcpStream::connect((server, port))?;
let stream = StreamOwned::new(conn, sock);
Ok(stream)
}
// fn make_tls_connection( // fn make_tls_connection(
// config: Arc<ClientConfig>, // config: Arc<ClientConfig>,
// server: &str, // server: &str,
// port: u16, // port: u16,
// ) -> Result<impl Read + Write> { // ) -> Result<impl Read + Write> {
// let server_name = server.try_into()?; // let connector = TlsConnector::builder()
// .danger_accept_invalid_certs(true)
// .build()?;
// let conn = ClientConnection::new(config, server_name)?;
// let sock = TcpStream::connect((server, port))?; // let sock = TcpStream::connect((server, port))?;
// let conn = connector.connect(server, sock)?;
// let stream = StreamOwned::new(conn, sock); // Ok(conn)
// Ok(stream)
// } // }
fn make_tls_connection(
// config: Arc<ClientConfig>,
server: &str,
port: u16,
) -> Result<impl Read + Write> {
let connector = TlsConnector::builder()
.danger_accept_invalid_certs(true)
.build()?;
let sock = TcpStream::connect((server, port))?;
let conn = connector.connect(server, sock)?;
Ok(conn)
}
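Review bot: `DontValidate::verify_server_cert` in `make_tls_config` returns `ServerCertVerified::assertion()` for every certificate, so the root store built just above it from `webpki_roots::TLS_SERVER_ROOTS` is never consulted and any peer is accepted, not only the `localhost:12345` target hard-coded in `main`; the `dangerous_configuration` feature added in the Cargo.toml hunk exists only to allow this. Since `make_tls_config` is the only config the program builds, the bypass should be an explicit opt-in rather than the default, e.g. `if cfg!(debug_assertions) { config.dangerous().set_certificate_verifier(Arc::new(DontValidate)); }` preceded by `// SECURITY: skips certificate validation; local testing against a self-signed server only`, or gated on an environment variable whose name is chosen and documented in the README. The `KeyLogFile::new()` assigned to `config.key_log` writes TLS session secrets to the file named by `SSLKEYLOGFILE` whenever that variable is set (the README in this commit sets it to `keylog`), which matches the Wireshark workflow but deserves the same gating and a one-line comment. Separately, in the first hunk of this file the `resolve_dns("daeken.dev")?` result is immediately shadowed by the literal `port`/`host`, so the lookup is dead work that can still abort the run when DNS is unavailable.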