fix: fixes a crash when TLS certificate can't be fetched from remote host (fixes #19)

This commit is contained in:
evilsocket 2018-01-16 09:53:35 +01:00
commit 63761b0254

View file

@ -6,9 +6,14 @@ import (
"crypto/sha1"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"fmt"
"math/big"
"net"
"sort"
"time"
"github.com/evilsocket/bettercap-ng/log"
)
func hashSorted(lst []string) []byte {
@ -29,9 +34,12 @@ func hashSortedBigInt(lst []string) *big.Int {
}
func getServerCertificate(host string, port int) *x509.Certificate {
log.Debug("Fetching TLS certificate from %s:%d ...", host, port)
config := tls.Config{InsecureSkipVerify: true}
conn, err := tls.Dial("tcp", fmt.Sprintf("%s:%d", host, port), &config)
if err != nil {
log.Warning("Could not fetch TLS certificate from %s:%d: %s", host, port, err)
return nil
}
defer conn.Close()
@ -43,24 +51,61 @@ func getServerCertificate(host string, port int) *x509.Certificate {
func SignCertificateForHost(ca *tls.Certificate, host string, port int) (cert *tls.Certificate, err error) {
var x509ca *x509.Certificate
var template x509.Certificate
if x509ca, err = x509.ParseCertificate(ca.Certificate[0]); err != nil {
return
}
srvCert := getServerCertificate(host, port)
if srvCert == nil {
log.Debug("Could not fetch TLS certificate, falling back to default template.")
template := x509.Certificate{
SerialNumber: srvCert.SerialNumber,
Issuer: x509ca.Subject,
Subject: srvCert.Subject,
NotBefore: srvCert.NotBefore,
NotAfter: srvCert.NotAfter,
KeyUsage: srvCert.KeyUsage,
ExtKeyUsage: srvCert.ExtKeyUsage,
IPAddresses: srvCert.IPAddresses,
DNSNames: srvCert.DNSNames,
BasicConstraintsValid: true,
notBefore := time.Now()
aYear := time.Duration(365*24) * time.Hour
notAfter := notBefore.Add(aYear)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return nil, err
}
template = x509.Certificate{
SerialNumber: serialNumber,
Issuer: x509ca.Subject,
Subject: pkix.Name{
Country: []string{"US"},
Locality: []string{"Scottsdale"},
Organization: []string{"GoDaddy.com, Inc."},
OrganizationalUnit: []string{"http://certs.godaddy.com/repository/"},
CommonName: "Go Daddy Secure Certificate Authority - G2",
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
if ip := net.ParseIP(host); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, host)
}
} else {
template = x509.Certificate{
SerialNumber: srvCert.SerialNumber,
Issuer: x509ca.Subject,
Subject: srvCert.Subject,
NotBefore: srvCert.NotBefore,
NotAfter: srvCert.NotAfter,
KeyUsage: srvCert.KeyUsage,
ExtKeyUsage: srvCert.ExtKeyUsage,
IPAddresses: srvCert.IPAddresses,
DNSNames: srvCert.DNSNames,
BasicConstraintsValid: true,
}
}
var certpriv *rsa.PrivateKey