From 06c099b8b00e7c8fed899cf18dd6f4a437d5ec89 Mon Sep 17 00:00:00 2001 From: dma Date: Fri, 5 Jan 2018 22:10:36 +0000 Subject: [PATCH] Testing fixes to TLSGuard --- sgfw/socks_server_chain.go | 6 +++--- sgfw/tlsguard.go | 37 +++++++++++++++++++++---------------- 2 files changed, 24 insertions(+), 19 deletions(-) diff --git a/sgfw/socks_server_chain.go b/sgfw/socks_server_chain.go index 990d7be..587be99 100644 --- a/sgfw/socks_server_chain.go +++ b/sgfw/socks_server_chain.go @@ -420,9 +420,9 @@ func (c *socksChainSession) forwardTraffic(tls bool) { log.Errorf("TLSGuard violation: Dropping traffic from %s (unsandboxed) to %s: %s", c.pinfo.ExePath, dest, x509ValidationError) } return - } /*else { + } else { log.Notice("TLSGuard approved certificate presented for connection to: ", dest) - } */ + } } var wg sync.WaitGroup @@ -431,7 +431,7 @@ func (c *socksChainSession) forwardTraffic(tls bool) { copyLoop := func(dst, src net.Conn) { defer wg.Done() defer dst.Close() - + //fmt.Println("in copy loop") io.Copy(dst, src) } go copyLoop(c.upstreamConn, c.clientConn) diff --git a/sgfw/tlsguard.go b/sgfw/tlsguard.go index 9ba290a..3306f09 100644 --- a/sgfw/tlsguard.go +++ b/sgfw/tlsguard.go @@ -11,7 +11,7 @@ import ( "time" ) -const TLSGUARD_READ_TIMEOUT = 8 // seconds +const TLSGUARD_READ_TIMEOUT = 10 // seconds const TLSGUARD_MIN_TLS_VER_MAJ = 3 const TLSGUARD_MIN_TLS_VER_MIN = 1 @@ -25,9 +25,13 @@ const SSL3_RT_APPLICATION_DATA = 23 const SSL3_MT_HELLO_REQUEST = 0 const SSL3_MT_CLIENT_HELLO = 1 const SSL3_MT_SERVER_HELLO = 2 +const SSL3_MT_HELLO_VERIFY_REQUEST = 3 +const SSL3_MT_NEW_SESSION_TICKET = 4 const SSL3_MT_CERTIFICATE = 11 +const SSL3_MT_SERVER_KEY_EXCHANGE = 12 const SSL3_MT_CERTIFICATE_REQUEST = 13 const SSL3_MT_SERVER_DONE = 14 +const SSL3_MT_CLIENT_KEY_EXCHANGE = 16 const SSL3_MT_CERTIFICATE_STATUS = 22 const SSL3_AL_WARNING = 1 @@ -273,7 +277,8 @@ func connectionReader(conn net.Conn, is_client bool, c chan connReader, done cha ntimeouts := 0 for { - if ret_error != nil { + //fmt.Println("stage ", stage, " is client ", is_client, " ntimeouts ", ntimeouts) + if ret_error != nil || ntimeouts >= TLSGUARD_READ_TIMEOUT { cr := connReader{client: is_client, data: nil, rtype: 0, err: ret_error} c <- cr break @@ -296,11 +301,11 @@ func connectionReader(conn net.Conn, is_client bool, c chan connReader, done cha _, err := io.ReadFull(conn, header) conn.SetReadDeadline(time.Time{}) if err != nil { - if err, ok := err.(net.Error); ok && err.Timeout() { + if err, ok := err.(net.Error); ok && !err.Timeout() { ret_error = err } else { ntimeouts++ - if ntimeouts == TLSGUARD_READ_TIMEOUT { + if ntimeouts >= TLSGUARD_READ_TIMEOUT { ret_error = err } } @@ -334,18 +339,19 @@ func connectionReader(conn net.Conn, is_client bool, c chan connReader, done cha ntimeouts = 0 } else if stage == 2 { remainder := make([]byte, mlen) - conn.SetReadDeadline(time.Now().Add(2 * time.Second)) + conn.SetReadDeadline(time.Now().Add(1 * time.Second)) numRead, err := io.ReadFull(conn, remainder) conn.SetReadDeadline(time.Time{}) if err != nil { - if err, ok := err.(net.Error); ok && err.Timeout() { + if err, ok := err.(net.Error); ok && !err.Timeout() { ret_error = err if numRead > 0 { buffered = append(buffered, remainder[:numRead]...) } } else { ntimeouts++ - if ntimeouts == TLSGUARD_READ_TIMEOUT { + //fmt.Println(is_client, " timeout #", ntimeouts) + if ntimeouts >= TLSGUARD_READ_TIMEOUT { ret_error = err } } @@ -396,8 +402,8 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error { go connectionReader(conn, true, crChan, dChan) go connectionReader(conn2, false, crChan, dChan2) - client_expected := []uint{SSL3_MT_CLIENT_HELLO} - server_expected := []uint{SSL3_MT_SERVER_HELLO} + client_expected := []uint{SSL3_MT_CLIENT_HELLO, SSL3_MT_CLIENT_KEY_EXCHANGE, SSL3_MT_HELLO_REQUEST} + server_expected := []uint{SSL3_MT_SERVER_HELLO, SSL3_MT_HELLO_VERIFY_REQUEST, SSL3_MT_SERVER_KEY_EXCHANGE, SSL3_MT_NEW_SESSION_TICKET} client_sess := false server_sess := false @@ -408,8 +414,8 @@ select_loop: for { if ndone == 2 { // fmt.Println("DONE channel got both notifications. Terminating loop.") - close(dChan) - close(dChan2) + //close(dChan) + //close(dChan2) close(crChan) break } @@ -481,14 +487,14 @@ select_loop: if (client_sess || server_sess) && (client_change_cipher || server_change_cipher) { - //if handshakeMessageLenInt > len(cr.data)+9 { + if handshakeMessageLenInt > len(cr.data)+9 { log.Notice("TLSGuard saw what looks like a resumed encrypted session... passing connection through") other.Write(cr.data) dChan <- true dChan2 <- true x509Valid = true break select_loop - //} + } } @@ -504,7 +510,7 @@ select_loop: //SRC := "" if s != SSL3_MT_CLIENT_HELLO { - server_expected = []uint{SSL3_MT_CERTIFICATE, SSL3_MT_HELLO_REQUEST} + server_expected = []uint{SSL3_MT_CERTIFICATE, SSL3_MT_HELLO_REQUEST, SSL3_MT_HELLO_VERIFY_REQUEST, SSL3_MT_SERVER_KEY_EXCHANGE, SSL3_MT_NEW_SESSION_TICKET} //SRC = "CLIENT" } else { //SRC = "SERVER" @@ -610,7 +616,7 @@ select_loop: server_expected = []uint{SSL3_MT_CERTIFICATE} } - if !cr.client && s == SSL3_MT_HELLO_REQUEST { + if !cr.client && s == SSL3_MT_HELLO_REQUEST || s == SSL3_MT_HELLO_VERIFY_REQUEST { //fmt.Println("Server sent hello request") other.Write(cr.data) continue @@ -727,7 +733,6 @@ select_loop: if !x509Valid { return errors.New("Unknown error: TLS connection could not be validated") } - return nil }