|
|
|
@ -41,7 +41,7 @@ func readTLSChunk(conn net.Conn) ([]byte, int, error) {
|
|
|
|
|
|
|
|
|
|
|
|
cbyte := cbytes[0]
|
|
|
|
cbyte := cbytes[0]
|
|
|
|
mlen := int(int(cbytes[3])<<8 | int(cbytes[4]))
|
|
|
|
mlen := int(int(cbytes[3])<<8 | int(cbytes[4]))
|
|
|
|
// fmt.Printf("TLS data chunk header read: type = %#x, maj = %v, min = %v, len = %v\n", cbyte, cbytes[1], cbytes[2], mlen)
|
|
|
|
// fmt.Printf("TLS data chunk header read: type = %#x, maj = %v, min = %v, len = %v\n", cbyte, cbytes[1], cbytes[2], mlen)
|
|
|
|
|
|
|
|
|
|
|
|
conn.SetReadDeadline(time.Now().Add(TLSGUARD_READ_TIMEOUT))
|
|
|
|
conn.SetReadDeadline(time.Now().Add(TLSGUARD_READ_TIMEOUT))
|
|
|
|
cbytes2, err := readNBytes(conn, mlen)
|
|
|
|
cbytes2, err := readNBytes(conn, mlen)
|
|
|
|
@ -57,7 +57,7 @@ func readTLSChunk(conn net.Conn) ([]byte, int, error) {
|
|
|
|
|
|
|
|
|
|
|
|
func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
|
|
|
|
func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
|
|
|
|
// Should this be a requirement?
|
|
|
|
// Should this be a requirement?
|
|
|
|
// if strings.HasSuffix(request.DestAddr.FQDN, "onion") {
|
|
|
|
// if strings.HasSuffix(request.DestAddr.FQDN, "onion") {
|
|
|
|
|
|
|
|
|
|
|
|
//conn client
|
|
|
|
//conn client
|
|
|
|
//conn2 server
|
|
|
|
//conn2 server
|
|
|
|
@ -84,7 +84,7 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
|
|
|
|
for 1 == 1 {
|
|
|
|
for 1 == 1 {
|
|
|
|
loop++
|
|
|
|
loop++
|
|
|
|
|
|
|
|
|
|
|
|
// fmt.Printf("SSL LOOP %v; trying to read: conn2\n", loop)
|
|
|
|
// fmt.Printf("SSL LOOP %v; trying to read: conn2\n", loop)
|
|
|
|
chunk, rtype, err = readTLSChunk(conn2)
|
|
|
|
chunk, rtype, err = readTLSChunk(conn2)
|
|
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
@ -102,7 +102,7 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
|
|
|
|
|
|
|
|
|
|
|
|
if rtype == SSL3_RT_CHANGE_CIPHER_SPEC || rtype == SSL3_RT_APPLICATION_DATA ||
|
|
|
|
if rtype == SSL3_RT_CHANGE_CIPHER_SPEC || rtype == SSL3_RT_APPLICATION_DATA ||
|
|
|
|
rtype == SSL3_RT_ALERT {
|
|
|
|
rtype == SSL3_RT_ALERT {
|
|
|
|
// fmt.Println("OTHER DATA; PASSING THRU")
|
|
|
|
// fmt.Println("OTHER DATA; PASSING THRU")
|
|
|
|
passthru = true
|
|
|
|
passthru = true
|
|
|
|
} else if rtype == SSL3_RT_HANDSHAKE {
|
|
|
|
} else if rtype == SSL3_RT_HANDSHAKE {
|
|
|
|
passthru = false
|
|
|
|
passthru = false
|
|
|
|
@ -111,7 +111,7 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if passthru {
|
|
|
|
if passthru {
|
|
|
|
// fmt.Println("passthru writing buf again and continuing:")
|
|
|
|
// fmt.Println("passthru writing buf again and continuing:")
|
|
|
|
conn.Write(chunk)
|
|
|
|
conn.Write(chunk)
|
|
|
|
continue
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@ -124,7 +124,7 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
|
|
|
|
// Message len, 3 bytes
|
|
|
|
// Message len, 3 bytes
|
|
|
|
serverMessageLen := serverMsg[1:4]
|
|
|
|
serverMessageLen := serverMsg[1:4]
|
|
|
|
serverMessageLenInt := int(int(serverMessageLen[0])<<16 | int(serverMessageLen[1])<<8 | int(serverMessageLen[2]))
|
|
|
|
serverMessageLenInt := int(int(serverMessageLen[0])<<16 | int(serverMessageLen[1])<<8 | int(serverMessageLen[2]))
|
|
|
|
// fmt.Printf("chunk len = %v, serverMsgLen = %v, slint = %v\n", len(chunk), len(serverMsg), serverMessageLenInt)
|
|
|
|
// fmt.Printf("chunk len = %v, serverMsgLen = %v, slint = %v\n", len(chunk), len(serverMsg), serverMessageLenInt)
|
|
|
|
if len(serverMsg) < serverMessageLenInt {
|
|
|
|
if len(serverMsg) < serverMessageLenInt {
|
|
|
|
return errors.New(fmt.Sprintf("len(serverMsg) %v < serverMessageLenInt %v!\n", len(serverMsg), serverMessageLenInt))
|
|
|
|
return errors.New(fmt.Sprintf("len(serverMsg) %v < serverMessageLenInt %v!\n", len(serverMsg), serverMessageLenInt))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@ -145,7 +145,7 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
|
|
|
|
|
|
|
|
|
|
|
|
for remaining > 0 {
|
|
|
|
for remaining > 0 {
|
|
|
|
certLen := int(int(pos[0])<<16 | int(pos[1])<<8 | int(pos[2]))
|
|
|
|
certLen := int(int(pos[0])<<16 | int(pos[1])<<8 | int(pos[2]))
|
|
|
|
// fmt.Printf("Certs chain len %d, cert 1 len %d:\n", certChainLen, certLen)
|
|
|
|
// fmt.Printf("Certs chain len %d, cert 1 len %d:\n", certChainLen, certLen)
|
|
|
|
cert := pos[3 : 3+certLen]
|
|
|
|
cert := pos[3 : 3+certLen]
|
|
|
|
certs, err := x509.ParseCertificates(cert)
|
|
|
|
certs, err := x509.ParseCertificates(cert)
|
|
|
|
if remaining == certChainLen {
|
|
|
|
if remaining == certChainLen {
|
|
|
|
@ -164,22 +164,22 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
verifyOptions.Intermediates = pool
|
|
|
|
verifyOptions.Intermediates = pool
|
|
|
|
|
|
|
|
|
|
|
|
// fmt.Println("ATTEMPTING TO VERIFY: ", fqdn)
|
|
|
|
// fmt.Println("ATTEMPTING TO VERIFY: ", fqdn)
|
|
|
|
_, err = c.Verify(verifyOptions)
|
|
|
|
_, err = c.Verify(verifyOptions)
|
|
|
|
// fmt.Println("ATTEMPTING TO VERIFY RESULT: ", err)
|
|
|
|
// fmt.Println("ATTEMPTING TO VERIFY RESULT: ", err)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return err
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
valid = true
|
|
|
|
valid = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// else if s == 0x0d { fmt.Printf("found a client cert request, sending buf to client\n") }
|
|
|
|
// lse if s == 0x0d { fmt.Printf("found a client cert request, sending buf to client\n") }
|
|
|
|
} else if s == SSL3_MT_SERVER_DONE {
|
|
|
|
} else if s == SSL3_MT_SERVER_DONE {
|
|
|
|
conn.Write(chunk)
|
|
|
|
conn.Write(chunk)
|
|
|
|
break
|
|
|
|
break
|
|
|
|
} else if s == SSL3_MT_CERTIFICATE_REQUEST {
|
|
|
|
} else if s == SSL3_MT_CERTIFICATE_REQUEST {
|
|
|
|
break
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// fmt.Printf("Sending chunk of type %d to client.\n", s)
|
|
|
|
// fmt.Printf("Sending chunk of type %d to client.\n", s)
|
|
|
|
|
|
|
|
|
|
|
|
conn.Write(chunk)
|
|
|
|
conn.Write(chunk)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
xSmurf
7 years ago