jab2870/YAIP
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
YAIP/src/ssl.c
Jonathan Hodgson bb62ed3b1f Starts work on https as well as some moving about 
I now start the listener in the main.c file rather than proxy given that
I didn't feel proxy was the right place if a normal (non-proxied)
request came in. webserver.{c,h} and proxy.{c,h} had some changes
relating to this.

The config changed slightly - we now create a folder in ~/.config/
called yaip. This is where certificates and so on will be stored along
with the user configuration

I created a helper function to get files inside this directory (it
changes based on xdg_config_home) and updated relevant tests.

In ssl.{c,h} I have started work. If they don't exist, the tool now
creates and stores a key and certificate for the CA that this tool will
need to pretend to be. I still need to write tests for this.
2022-01-20 16:53:35 +00:00

180 lines
4.7 KiB
C
Raw Blame History

#include "ssl.h"
SSL_CTX* InitServerCTX(Config *config) {
const SSL_METHOD *method;
SSL_CTX *ctx;
OpenSSL_add_all_algorithms(); /* load & register all cryptos, etc. */
SSL_load_error_strings(); /* load all error messages */
method = TLS_server_method(); /* create new server-method instance */
ctx = SSL_CTX_new(method); /* create new context from method */
if ( ctx == NULL ) {
ERR_print_errors_fp(stderr);
abort();
}
//set the local certificate from CertFile
if ( SSL_CTX_use_certificate_file(ctx, config->certfile, SSL_FILETYPE_PEM) <= 0 ){
ERR_print_errors_fp(stderr);
abort();
}
//set the private key from KeyFile (may be the same as CertFile)
if ( SSL_CTX_use_PrivateKey_file(ctx, config->keyfile, SSL_FILETYPE_PEM) <= 0 ){
ERR_print_errors_fp(stderr);
abort();
}
//verify private key
if ( !SSL_CTX_check_private_key(ctx) )
{
fprintf(stderr, "Private key does not match the public certificate\n");
abort();
}
return ctx;
}
// Generates a 2048-bit RSA key.
// Largely stolen from here: https://gist.github.com/nathan-osman/5041136
EVP_PKEY* generate_ca_key() {
// Allocate memory for the EVP_PKEY structure.
EVP_PKEY *pkey = EVP_PKEY_new();
if(!pkey) {
perror("Unable to create EVP_PKEY structure.\n");
return NULL;
}
// Generate the RSA key and assign it to pkey.
RSA *rsa = RSA_new();
BIGNUM *bn = BN_new();
BN_set_word(bn, RSA_F4);
RSA_generate_key_ex(rsa, 2048, bn, NULL );
if(!EVP_PKEY_assign_RSA(pkey, rsa)) {
perror("Unable to generate 2048-bit RSA key.\n");
EVP_PKEY_free(pkey);
return NULL;
}
// The key has been generated, return it.
return pkey;
}
// Generates a self-signed x509 certificate.
// Largely stolen from here: https://gist.github.com/nathan-osman/5041136
X509* generate_ca_cert(EVP_PKEY * pkey) {
// Allocate memory for the X509 structure.
X509 *x509 = X509_new();
if(!x509) {
perror( "Unable to create X509 structure.\n");
return NULL;
}
// Set the serial number.
ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
// This certificate is valid from now until exactly one year from now.
X509_gmtime_adj(X509_get_notBefore(x509), 0);
X509_gmtime_adj(X509_get_notAfter(x509), 31536000L);
// Set the public key for our certificate.
X509_set_pubkey(x509, pkey);
// We want to copy the subject name to the issuer name.
X509_NAME *name = X509_get_subject_name(x509);
// Set the country code and common name.
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"UK", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (unsigned char *)"Yet Another Intercepting Proxy", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"jn.hn", -1, -1, 0);
// Now set the issuer name.
X509_set_issuer_name(x509, name);
// TODO: mitmproxy adds some extensions. I don' tknow if I need those
// https://github.com/mitmproxy/mitmproxy/blob/3cb89069b9f70c198cc89337bd5a9b1bbf3a69d0/mitmproxy/certs.py#L190-L204
// Actually sign the certificate with our key.
if(!X509_sign(x509, pkey, EVP_sha1()))
{
perror( "Error signing certificate.\n");
X509_free(x509);
return NULL;
}
return x509;
}
bool create_and_save_key(char keyfile[]) {
// Generate the key
EVP_PKEY *pkey = generate_ca_key();
if ( pkey == NULL ){
fprintf(stderr, "Unable to open generate key\n");
return false;
}
// Open the PEM file for writing the key to disk.
FILE * pkey_file = fopen(keyfile, "wb");
if(!pkey_file) {
fprintf(stderr, "Unable to open \"%s\" for writing.\n", keyfile);
return false;
}
// Write the key to disk.
bool ret = PEM_write_PrivateKey(pkey_file, pkey, NULL, NULL, 0, NULL, NULL);
fclose(pkey_file);
if(!ret) {
perror("Unable to write private key to disk.\n");
return false;
}
return true;
}
EVP_PKEY* read_private_key(char keyfile[]){
FILE *fp;
EVP_PKEY *pkey;
if (! (fp = fopen(keyfile, "r"))){
perror("Error cant open certificate private key file.\n");
return NULL;
}
pkey = PEM_read_PrivateKey( fp, NULL, NULL, NULL );
if ( pkey == NULL ){
perror("Error cant read certificate private key file.\n");
}
return pkey;
}
bool create_and_save_cert(char certfile[], EVP_PKEY *pkey) {
// Open the PEM file for writing the certificate to disk.
FILE * x509_file = fopen(certfile, "wb");
if(!x509_file) {
fprintf(stderr, "Unable to open \"%s\" for writing.\n", certfile);
return false;
}
X509 *x509 = generate_ca_cert(pkey);
if ( x509 == NULL ){
fprintf(stderr, "Unable to open generate cert\n");
return false;
}
// Write the certificate to disk.
int ret = PEM_write_X509(x509_file, x509);
fclose(x509_file);
if(!ret) {
perror("Unable to write certificate to disk.\n");
return false;
}
return true;
}
Reference in a new issue View git blame Copy permalink