feat: Generate self-signed at startup to avoid fingerprint

This commit is contained in:
Σrebe - Romain GERARD 2024-08-27 09:08:17 +02:00
parent 8f83ca0f7b
commit 5b2a34ff2a
No known key found for this signature in database
GPG key ID: 7A42B4B97E0332F4
6 changed files with 66 additions and 47 deletions

Cargo.lock generated

@ -192,6 +192,7 @@ dependencies = [
"aws-lc-sys",
"mirai-annotations",
"paste",
"untrusted 0.7.1",
"zeroize",
]
@ -1880,6 +1881,19 @@ dependencies = [
"getrandom",
]
[[package]]
name = "rcgen"
version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "54077e1872c46788540de1ea3d7f4ccb1983d12f9aa909b234468676c1a36779"
dependencies = [
"aws-lc-rs",
"ring",
"rustls-pki-types",
"time",
"yasna",
]
[[package]]
name = "redox_syscall"
version = "0.4.1"
@ -1974,7 +1988,7 @@ dependencies = [
"getrandom",
"libc",
"spin",
"untrusted",
"untrusted 0.9.0",
"windows-sys 0.52.0",
]
@ -2111,7 +2125,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
dependencies = [
"ring",
"untrusted",
"untrusted 0.9.0",
]
[[package]]
@ -2123,7 +2137,7 @@ dependencies = [
"aws-lc-rs",
"ring",
"rustls-pki-types",
"untrusted",
"untrusted 0.9.0",
]
[[package]]
@ -2163,7 +2177,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
dependencies = [
"ring",
"untrusted",
"untrusted 0.9.0",
]
[[package]]
@ -2774,6 +2788,12 @@ version = "0.2.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
[[package]]
name = "untrusted"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
[[package]]
name = "untrusted"
version = "0.9.0"
@ -3146,6 +3166,7 @@ dependencies = [
"parking_lot",
"pin-project",
"ppp",
"rcgen",
"regex",
"rustls-native-certs 0.7.2",
"rustls-pemfile 2.1.3",
@ -3185,6 +3206,15 @@ dependencies = [
"time",
]
[[package]]
name = "yasna"
version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd"
dependencies = [
"time",
]
[[package]]
name = "zerocopy"
version = "0.7.34"


@ -61,9 +61,11 @@ tokio-fd = "0.3.0"
[target.'cfg(any(target_os = "linux", target_os = "macos"))'.dependencies]
tokio-rustls = { version = "0.26.0", features = [] }
rcgen = { version = "0.13.1", default-features = false, features = ["aws_lc_rs"] }
[target.'cfg(not(any(target_os = "linux", target_os = "macos")))'.dependencies]
tokio-rustls = { version = "0.26.0", default-features = false, features = ["logging", "tls12", "ring"] }
rcgen = { version = "0.13.1", default-features = false, features = ["ring"] }
[dev-dependencies]


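--- a/certs/cert.pem
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB4DCCAYegAwIBAgIUdoMEAEloOjgFlRjkA7naE+xGBhowCgYIKoZIzj0EAwIw
-RTELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
-dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDA4MjYyMTMxMDVaGA8yMTI0MDgy
-NjIxMzEwNVowRTELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf
-BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDBZMBMGByqGSM49AgEGCCqG
-SM49AwEHA0IABFd3WKJWOwZ3SwjjGeqIOiLXV1QWpggGMriK0EorXYaE1XJgNlCI
-TTRtZUAYArThwVpnXPzFrA3LoVtZI0IZvkyjUzBRMB0GA1UdDgQWBBTOra0Tv425
-GAQl1w5lMmiz0AnJwjAfBgNVHSMEGDAWgBTOra0Tv425GAQl1w5lMmiz0AnJwjAP
-BgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIEd/fLYpJKgTu/rAwIfJ
-CAf2ApXcMA//wgQbABbqAQdpAiACDRz766m9bot2PbMzmXah8wTlwLkY0k400xG4
-qPrP9w==
------END CERTIFICATE-----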


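--- a/certs/key.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIN9PYI7feqDtiEt2P5Eo1m78mFjrlYeTsOY2HFpSl43roAoGCCqGSM49
-AwEHoUQDQgAEV3dYolY7BndLCOMZ6og6ItdXVBamCAYyuIrQSitdhoTVcmA2UIhN
-NG1lQBgCtOHBWmdc/MWsDcuhW1kjQhm+TA==
------END EC PRIVATE KEY-----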


@ -1,23 +1,31 @@
use log::info;
use rcgen::{date_time_ymd, CertificateParams, DnType, KeyPair};
use std::sync::LazyLock;
use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer};
use std::time::Instant;
use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
pub static TLS_PRIVATE_KEY: LazyLock<PrivateKeyDer<'static>> = LazyLock::new(|| {
info!("Loading embedded tls private key");
pub static TLS_CERTIFICATE: LazyLock<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> = LazyLock::new(|| {
info!("Generating self-signed tls certificate");
let key = include_bytes!("../certs/key.pem");
let key = rustls_pemfile::private_key(&mut key.as_slice())
.expect("failed to load embedded tls private key")
.expect("failed to load embedded tls private key");
key
});
pub static TLS_CERTIFICATE: LazyLock<Vec<CertificateDer<'static>>> = LazyLock::new(|| {
info!("Loading embedded tls certificate");
let cert = include_bytes!("../certs/cert.pem");
let certs = rustls_pemfile::certs(&mut cert.as_slice())
.next()
.expect("failed to load embedded tls certificate");
certs.into_iter().collect()
let now = Instant::now();
let key_pair = KeyPair::generate().unwrap();
let mut cert = CertificateParams::new(vec![]).unwrap();
cert.distinguished_name = rcgen::DistinguishedName::new();
cert.distinguished_name.push(DnType::CountryName, "FR".to_string());
let el = now.elapsed();
let year = 2024 - (el.as_nanos() % 2) as i32;
let month = 1 + (el.as_nanos() % 12) as u8;
let day = 1 + (el.as_nanos() % 31) as u8;
cert.not_before = date_time_ymd(year, month, day);
let el = now.elapsed();
let year = 2024 + (el.as_nanos() % 50) as i32;
let month = 1 + (el.as_nanos() % 12) as u8;
let day = 1 + (el.as_nanos() % 31) as u8;
cert.not_after = date_time_ymd(year, month, day);
let cert = cert.self_signed(&key_pair).unwrap().der().clone();
let private_key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialized_der().to_vec()));
(vec![cert], private_key)
});
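Review bot: The `year`/`month`/`day` computations feeding `date_time_ymd` can yield an invalid or already-expired validity window: `day` is `1 + nanos % 31` regardless of `month`, so a draw such as 31 February makes `date_time_ymd` panic (it unwraps the calendar-date construction), and because `not_before` and `not_after` come from two independent `elapsed()` samples with `not_after`'s year able to be 2024, `not_after` can land before `not_before` or before today, producing a certificate that fails every handshake until the process restarts. The rewrite below takes one sample, caps the day at 28, reuses the same month/day for both ends so the window cannot be inverted, and anchors the years on the wall clock rather than the literal `2024` so the window does not drift into the past as the binary ages (the year is a 365.25-day approximation; the ±1-year margins absorb the rounding near New Year). The three `unwrap()` calls on `KeyPair::generate`, `CertificateParams::new` and `self_signed` run inside the `LazyLock` initializer, so any failure surfaces as a bare panic on first use; `expect("rcgen failed to generate the self-signed certificate")` would at least name what went wrong. Separately, the deleted `certs/key.pem` remains recoverable from repository history, so the old embedded certificate should be treated as permanently untrusted rather than merely unused.
```rust
    let now = Instant::now();
    // … unchanged: key pair generation, CertificateParams and distinguished name …
    let seed = now.elapsed().as_nanos();
    // One sample drives every field: day is capped at 28 so the date is valid in any
    // month, and the same month/day is reused for not_after so the window is never
    // inverted. Years are anchored on the wall clock (365.25-day approximation;
    // the ±1-year margins absorb the rounding) instead of a hard-coded 2024.
    let current_year = 1970
        + (std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .map_or(0, |d| d.as_secs())
            / 31_557_600) as i32;
    let month = 1 + (seed % 12) as u8;
    let day = 1 + (seed / 12 % 28) as u8;
    cert.not_before = date_time_ymd(current_year - 1 - (seed / 336 % 2) as i32, month, day);
    cert.not_after = date_time_ymd(current_year + 1 + (seed / 672 % 50) as i32, month, day);
    // … unchanged: self_signed() and PrivateKeyDer construction …
```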


@ -1069,13 +1069,13 @@ async fn main() -> anyhow::Result<()> {
let tls_certificate = if let Some(cert_path) = &args.tls_certificate {
tls::load_certificates_from_pem(cert_path).expect("Cannot load tls certificate")
} else {
embedded_certificate::TLS_CERTIFICATE.clone()
embedded_certificate::TLS_CERTIFICATE.0.clone()
};
let tls_key = if let Some(key_path) = &args.tls_private_key {
tls::load_private_key_from_file(key_path).expect("Cannot load tls private key")
} else {
embedded_certificate::TLS_PRIVATE_KEY.clone_key()
embedded_certificate::TLS_CERTIFICATE.1.clone_key()
};
let tls_client_ca_certificates = args.tls_client_ca_certs.as_ref().map(|tls_client_ca| {
@ -1125,7 +1125,7 @@ async fn main() -> anyhow::Result<()> {
let http_proxy = mk_http_proxy(args.http_proxy, args.http_proxy_login, args.http_proxy_password)?;
let server_config = WsServerConfig {
socket_so_mark: args.socket_so_mark,
bind: args.remote_addr.socket_addrs(|| Some(8080)).unwrap()[0],
bind: args.remote_addr.socket_addrs(|| Some(8080))?[0],
websocket_ping_frequency: args
.websocket_ping_frequency_sec
.or(Some(Duration::from_secs(30)))
@ -1157,7 +1157,7 @@ async fn main() -> anyhow::Result<()> {
}
}
tokio::signal::ctrl_c().await.unwrap();
tokio::signal::ctrl_c().await?;
Ok(())
}
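Review bot: `socket_addrs(|| Some(8080))?[0]` in the `WsServerConfig` initializer keeps a panic path: `?` now reports a resolver error through `anyhow`, but the `[0]` index still panics if the resolver returns `Ok` with an empty list, which is rare for a hostname but is exactly the kind of failure the switch from `unwrap()` to `?` was meant to remove. Prefer `bind: args.remote_addr.socket_addrs(|| Some(8080))?.into_iter().next().ok_or_else(|| anyhow::anyhow!("cannot resolve {}", args.remote_addr))?,` so both failures surface as errors (assuming `remote_addr` implements `Display`, as `url::Url` does). In the first hunk, reading the certificate as `TLS_CERTIFICATE.0` and the key as `TLS_CERTIFICATE.1` leaves the call site opaque; a small struct with named `certs`/`key` fields, or two accessor fns on the embedded_certificate module, would document which element is which (that type is defined outside this file). `main` starts before the first hunk shown.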