github/bettercap
1
0
Fork 0
mirror of https://github.com/bettercap/bettercap synced 2025-08-21 05:53:20 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: fixes a crash when TLS certificate can't be fetched from remote host (fixes #19)

Browse source
This commit is contained in:
evilsocket 2018-01-16 09:53:35 +01:00
commit 63761b0254
1 changed files with 56 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

67
tls/sign.go
View file

@ -6,9 +6,14 @@ import (
"crypto/sha1" "crypto/sha1"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix"
"fmt" "fmt"
"math/big" "math/big"
"net"
"sort" "sort"
"time"
"github.com/evilsocket/bettercap-ng/log"
) )
func hashSorted(lst []string) []byte { func hashSorted(lst []string) []byte {
@ -29,9 +34,12 @@ func hashSortedBigInt(lst []string) *big.Int {
} }
func getServerCertificate(host string, port int) *x509.Certificate { func getServerCertificate(host string, port int) *x509.Certificate {
log.Debug("Fetching TLS certificate from %s:%d ...", host, port)
config := tls.Config{InsecureSkipVerify: true} config := tls.Config{InsecureSkipVerify: true}
conn, err := tls.Dial("tcp", fmt.Sprintf("%s:%d", host, port), &config) conn, err := tls.Dial("tcp", fmt.Sprintf("%s:%d", host, port), &config)
if err != nil { if err != nil {
log.Warning("Could not fetch TLS certificate from %s:%d: %s", host, port, err)
return nil return nil
} }
defer conn.Close() defer conn.Close()
@ -43,24 +51,61 @@ func getServerCertificate(host string, port int) *x509.Certificate {
func SignCertificateForHost(ca *tls.Certificate, host string, port int) (cert *tls.Certificate, err error) { func SignCertificateForHost(ca *tls.Certificate, host string, port int) (cert *tls.Certificate, err error) {
var x509ca *x509.Certificate var x509ca *x509.Certificate
var template x509.Certificate
if x509ca, err = x509.ParseCertificate(ca.Certificate[0]); err != nil { if x509ca, err = x509.ParseCertificate(ca.Certificate[0]); err != nil {
return return
} }
srvCert := getServerCertificate(host, port) srvCert := getServerCertificate(host, port)
if srvCert == nil {
log.Debug("Could not fetch TLS certificate, falling back to default template.")
template := x509.Certificate{ notBefore := time.Now()
SerialNumber: srvCert.SerialNumber, aYear := time.Duration(365*24) * time.Hour
Issuer: x509ca.Subject, notAfter := notBefore.Add(aYear)
Subject: srvCert.Subject, serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
NotBefore: srvCert.NotBefore, serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
NotAfter: srvCert.NotAfter, if err != nil {
KeyUsage: srvCert.KeyUsage, return nil, err
ExtKeyUsage: srvCert.ExtKeyUsage, }
IPAddresses: srvCert.IPAddresses,
DNSNames: srvCert.DNSNames, template = x509.Certificate{
BasicConstraintsValid: true, SerialNumber: serialNumber,
Issuer: x509ca.Subject,
Subject: pkix.Name{
Country: []string{"US"},
Locality: []string{"Scottsdale"},
Organization: []string{"GoDaddy.com, Inc."},
OrganizationalUnit: []string{"http://certs.godaddy.com/repository/"},
CommonName: "Go Daddy Secure Certificate Authority - G2",
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
if ip := net.ParseIP(host); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, host)
}
} else {
template = x509.Certificate{
SerialNumber: srvCert.SerialNumber,
Issuer: x509ca.Subject,
Subject: srvCert.Subject,
NotBefore: srvCert.NotBefore,
NotAfter: srvCert.NotAfter,
KeyUsage: srvCert.KeyUsage,
ExtKeyUsage: srvCert.ExtKeyUsage,
IPAddresses: srvCert.IPAddresses,
DNSNames: srvCert.DNSNames,
BasicConstraintsValid: true,
}
} }
var certpriv *rsa.PrivateKey var certpriv *rsa.PrivateKey