Testing fixes to TLSGuard

master
dma 7 years ago
parent 571f43158a
commit 06c099b8b0

@ -420,9 +420,9 @@ func (c *socksChainSession) forwardTraffic(tls bool) {
log.Errorf("TLSGuard violation: Dropping traffic from %s (unsandboxed) to %s: %s", c.pinfo.ExePath, dest, x509ValidationError) log.Errorf("TLSGuard violation: Dropping traffic from %s (unsandboxed) to %s: %s", c.pinfo.ExePath, dest, x509ValidationError)
} }
return return
} /*else { } else {
log.Notice("TLSGuard approved certificate presented for connection to: ", dest) log.Notice("TLSGuard approved certificate presented for connection to: ", dest)
} */ }
} }
var wg sync.WaitGroup var wg sync.WaitGroup
@ -431,7 +431,7 @@ func (c *socksChainSession) forwardTraffic(tls bool) {
copyLoop := func(dst, src net.Conn) { copyLoop := func(dst, src net.Conn) {
defer wg.Done() defer wg.Done()
defer dst.Close() defer dst.Close()
//fmt.Println("in copy loop")
io.Copy(dst, src) io.Copy(dst, src)
} }
go copyLoop(c.upstreamConn, c.clientConn) go copyLoop(c.upstreamConn, c.clientConn)

@ -11,7 +11,7 @@ import (
"time" "time"
) )
const TLSGUARD_READ_TIMEOUT = 8 // seconds const TLSGUARD_READ_TIMEOUT = 10 // seconds
const TLSGUARD_MIN_TLS_VER_MAJ = 3 const TLSGUARD_MIN_TLS_VER_MAJ = 3
const TLSGUARD_MIN_TLS_VER_MIN = 1 const TLSGUARD_MIN_TLS_VER_MIN = 1
@ -25,9 +25,13 @@ const SSL3_RT_APPLICATION_DATA = 23
const SSL3_MT_HELLO_REQUEST = 0 const SSL3_MT_HELLO_REQUEST = 0
const SSL3_MT_CLIENT_HELLO = 1 const SSL3_MT_CLIENT_HELLO = 1
const SSL3_MT_SERVER_HELLO = 2 const SSL3_MT_SERVER_HELLO = 2
const SSL3_MT_HELLO_VERIFY_REQUEST = 3
const SSL3_MT_NEW_SESSION_TICKET = 4
const SSL3_MT_CERTIFICATE = 11 const SSL3_MT_CERTIFICATE = 11
const SSL3_MT_SERVER_KEY_EXCHANGE = 12
const SSL3_MT_CERTIFICATE_REQUEST = 13 const SSL3_MT_CERTIFICATE_REQUEST = 13
const SSL3_MT_SERVER_DONE = 14 const SSL3_MT_SERVER_DONE = 14
const SSL3_MT_CLIENT_KEY_EXCHANGE = 16
const SSL3_MT_CERTIFICATE_STATUS = 22 const SSL3_MT_CERTIFICATE_STATUS = 22
const SSL3_AL_WARNING = 1 const SSL3_AL_WARNING = 1
@ -273,7 +277,8 @@ func connectionReader(conn net.Conn, is_client bool, c chan connReader, done cha
ntimeouts := 0 ntimeouts := 0
for { for {
if ret_error != nil { //fmt.Println("stage ", stage, " is client ", is_client, " ntimeouts ", ntimeouts)
if ret_error != nil || ntimeouts >= TLSGUARD_READ_TIMEOUT {
cr := connReader{client: is_client, data: nil, rtype: 0, err: ret_error} cr := connReader{client: is_client, data: nil, rtype: 0, err: ret_error}
c <- cr c <- cr
break break
@ -296,11 +301,11 @@ func connectionReader(conn net.Conn, is_client bool, c chan connReader, done cha
_, err := io.ReadFull(conn, header) _, err := io.ReadFull(conn, header)
conn.SetReadDeadline(time.Time{}) conn.SetReadDeadline(time.Time{})
if err != nil { if err != nil {
if err, ok := err.(net.Error); ok && err.Timeout() { if err, ok := err.(net.Error); ok && !err.Timeout() {
ret_error = err ret_error = err
} else { } else {
ntimeouts++ ntimeouts++
if ntimeouts == TLSGUARD_READ_TIMEOUT { if ntimeouts >= TLSGUARD_READ_TIMEOUT {
ret_error = err ret_error = err
} }
} }
@ -334,18 +339,19 @@ func connectionReader(conn net.Conn, is_client bool, c chan connReader, done cha
ntimeouts = 0 ntimeouts = 0
} else if stage == 2 { } else if stage == 2 {
remainder := make([]byte, mlen) remainder := make([]byte, mlen)
conn.SetReadDeadline(time.Now().Add(2 * time.Second)) conn.SetReadDeadline(time.Now().Add(1 * time.Second))
numRead, err := io.ReadFull(conn, remainder) numRead, err := io.ReadFull(conn, remainder)
conn.SetReadDeadline(time.Time{}) conn.SetReadDeadline(time.Time{})
if err != nil { if err != nil {
if err, ok := err.(net.Error); ok && err.Timeout() { if err, ok := err.(net.Error); ok && !err.Timeout() {
ret_error = err ret_error = err
if numRead > 0 { if numRead > 0 {
buffered = append(buffered, remainder[:numRead]...) buffered = append(buffered, remainder[:numRead]...)
} }
} else { } else {
ntimeouts++ ntimeouts++
if ntimeouts == TLSGUARD_READ_TIMEOUT { //fmt.Println(is_client, " timeout #", ntimeouts)
if ntimeouts >= TLSGUARD_READ_TIMEOUT {
ret_error = err ret_error = err
} }
} }
@ -396,8 +402,8 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
go connectionReader(conn, true, crChan, dChan) go connectionReader(conn, true, crChan, dChan)
go connectionReader(conn2, false, crChan, dChan2) go connectionReader(conn2, false, crChan, dChan2)
client_expected := []uint{SSL3_MT_CLIENT_HELLO} client_expected := []uint{SSL3_MT_CLIENT_HELLO, SSL3_MT_CLIENT_KEY_EXCHANGE, SSL3_MT_HELLO_REQUEST}
server_expected := []uint{SSL3_MT_SERVER_HELLO} server_expected := []uint{SSL3_MT_SERVER_HELLO, SSL3_MT_HELLO_VERIFY_REQUEST, SSL3_MT_SERVER_KEY_EXCHANGE, SSL3_MT_NEW_SESSION_TICKET}
client_sess := false client_sess := false
server_sess := false server_sess := false
@ -408,8 +414,8 @@ select_loop:
for { for {
if ndone == 2 { if ndone == 2 {
// fmt.Println("DONE channel got both notifications. Terminating loop.") // fmt.Println("DONE channel got both notifications. Terminating loop.")
close(dChan) //close(dChan)
close(dChan2) //close(dChan2)
close(crChan) close(crChan)
break break
} }
@ -481,14 +487,14 @@ select_loop:
if (client_sess || server_sess) && (client_change_cipher || server_change_cipher) { if (client_sess || server_sess) && (client_change_cipher || server_change_cipher) {
//if handshakeMessageLenInt > len(cr.data)+9 { if handshakeMessageLenInt > len(cr.data)+9 {
log.Notice("TLSGuard saw what looks like a resumed encrypted session... passing connection through") log.Notice("TLSGuard saw what looks like a resumed encrypted session... passing connection through")
other.Write(cr.data) other.Write(cr.data)
dChan <- true dChan <- true
dChan2 <- true dChan2 <- true
x509Valid = true x509Valid = true
break select_loop break select_loop
//} }
} }
@ -504,7 +510,7 @@ select_loop:
//SRC := "" //SRC := ""
if s != SSL3_MT_CLIENT_HELLO { if s != SSL3_MT_CLIENT_HELLO {
server_expected = []uint{SSL3_MT_CERTIFICATE, SSL3_MT_HELLO_REQUEST} server_expected = []uint{SSL3_MT_CERTIFICATE, SSL3_MT_HELLO_REQUEST, SSL3_MT_HELLO_VERIFY_REQUEST, SSL3_MT_SERVER_KEY_EXCHANGE, SSL3_MT_NEW_SESSION_TICKET}
//SRC = "CLIENT" //SRC = "CLIENT"
} else { } else {
//SRC = "SERVER" //SRC = "SERVER"
@ -610,7 +616,7 @@ select_loop:
server_expected = []uint{SSL3_MT_CERTIFICATE} server_expected = []uint{SSL3_MT_CERTIFICATE}
} }
if !cr.client && s == SSL3_MT_HELLO_REQUEST { if !cr.client && s == SSL3_MT_HELLO_REQUEST || s == SSL3_MT_HELLO_VERIFY_REQUEST {
//fmt.Println("Server sent hello request") //fmt.Println("Server sent hello request")
other.Write(cr.data) other.Write(cr.data)
continue continue
@ -727,7 +733,6 @@ select_loop:
if !x509Valid { if !x509Valid {
return errors.New("Unknown error: TLS connection could not be validated") return errors.New("Unknown error: TLS connection could not be validated")
} }
return nil return nil
} }

Loading…
Cancel
Save