From e800725733e1072193561dd5a35c202e890bb9f5 Mon Sep 17 00:00:00 2001 From: Toni Uhlig Date: Sun, 20 Sep 2020 12:49:39 +0200 Subject: [PATCH] ratched: add new package Signed-off-by: Toni Uhlig --- net/ratched/Makefile | 37 ++++++++ ...0001-Disable-non-IANA-TLS-extensions.patch | 27 ++++++ ...-compilation-without-deprecated-APIs.patch | 95 +++++++++++++++++++ 3 files changed, 159 insertions(+) create mode 100644 net/ratched/Makefile create mode 100644 net/ratched/patches/0001-Disable-non-IANA-TLS-extensions.patch create mode 100644 net/ratched/patches/0002-openssl-fix-compilation-without-deprecated-APIs.patch diff --git a/net/ratched/Makefile b/net/ratched/Makefile new file mode 100644 index 0000000000..3ab20e5b6c --- /dev/null +++ b/net/ratched/Makefile @@ -0,0 +1,37 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=ratched +PKG_VERSION:=1.0.0 +PKG_RELEASE:=1 + +PKG_MAINTAINER:=Toni Uhlig +PKG_LICENSE:=GPL-3.0-only + +PKG_SOURCE_URL:=https://github.com/johndoe31415/ratched.git +PKG_SOURCE_VERSION:=091d000ba91c5ebc41148cb9b511a4b527c1ea44 +PKG_SOURCE_PROTO:=git +PKG_MIRROR_HASH:=67c8ff1a54af34181d8467803e18c709d06fd20929b6fdbba68700af88de71aa + +include $(INCLUDE_DIR)/package.mk + +MAKE_FLAGS+=CFLAGS='$(TARGET_CFLAGS) -DBUILD_TIMESTAMP_UTC="\"unknown\"" -DBUILD_REVISION="\"$(PKG_VERSION)-$(PKG_RELEASE)\""' +MAKE_FLAGS+=LDFLAGS='$(TARGET_LDFLAGS) -lssl -lcrypto $(if $(CONFIG_USE_GLIBC),-lpthread)' + +define Package/ratched + SECTION:=net + CATEGORY:=Network + TITLE:=ratched + URL:=https://github.com/johndoe31415/ratched + DEPENDS:=+libopenssl +libpthread +endef + +define Package/ratched/description + Ratched is a transparent Man-in-the-Middle TLS proxy intended for penetration testing. +endef + +define Package/ratched/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/ratched $(1)/usr/bin/ratched +endef + +$(eval $(call BuildPackage,ratched)) diff --git a/net/ratched/patches/0001-Disable-non-IANA-TLS-extensions.patch b/net/ratched/patches/0001-Disable-non-IANA-TLS-extensions.patch new file mode 100644 index 0000000000..2c72d43237 --- /dev/null +++ b/net/ratched/patches/0001-Disable-non-IANA-TLS-extensions.patch @@ -0,0 +1,27 @@ +From 70cef63e0c0ec15016cf7c52d5183ed864cc50c4 Mon Sep 17 00:00:00 2001 +From: Toni Uhlig +Date: Sun, 20 Sep 2020 13:58:05 +0200 +Subject: [PATCH] Disable non IANA TLS extensions. + +Signed-off-by: Toni Uhlig +--- + openssl_clienthello.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/openssl_clienthello.c b/openssl_clienthello.c +index 559db56..6ecabcb 100644 +--- a/openssl_clienthello.c ++++ b/openssl_clienthello.c +@@ -93,7 +93,9 @@ static struct lookup_table_element_t known_extensions[] = { + ELEMENT(TLSEXT_TYPE_certificate_authorities), + #endif + ELEMENT(TLSEXT_TYPE_renegotiate), ++#ifndef OPENSSL_NO_NEXTPROTONEG + ELEMENT(TLSEXT_TYPE_next_proto_neg), ++#endif + { 0 } + }; + +-- +2.20.1 + diff --git a/net/ratched/patches/0002-openssl-fix-compilation-without-deprecated-APIs.patch b/net/ratched/patches/0002-openssl-fix-compilation-without-deprecated-APIs.patch new file mode 100644 index 0000000000..2736c4b285 --- /dev/null +++ b/net/ratched/patches/0002-openssl-fix-compilation-without-deprecated-APIs.patch @@ -0,0 +1,95 @@ +From fa8f6fcd33e829cbe3ef3e4a92fa34cba3f20c91 Mon Sep 17 00:00:00 2001 +From: Rosen Penev +Date: Sun, 20 Sep 2020 20:18:18 -0700 +Subject: [PATCH] openssl: fix compilation without deprecated APIs + +Added missing headers, removed initialization, and fixed APIs. + +Signed-off-by: Rosen Penev +--- + openssl.c | 8 ++------ + openssl_certs.c | 9 +++++---- + openssl_tls.c | 5 ----- + 3 files changed, 7 insertions(+), 15 deletions(-) + +diff --git a/openssl.c b/openssl.c +index ba097a5..76c817b 100644 +--- a/openssl.c ++++ b/openssl.c +@@ -22,21 +22,17 @@ + **/ + + #include ++#include ++#include + #include + + #include "openssl.h" + #include "errstack.h" + + void openssl_init(void) { +- SSL_load_error_strings(); +- OpenSSL_add_ssl_algorithms(); + } + + void openssl_deinit(void) { +- EVP_cleanup(); +- CRYPTO_cleanup_all_ex_data(); +- SSL_COMP_free_compression_methods(); +- ERR_free_strings(); + } + + static void errstack_free_X509(struct errstack_element_t *element) { +diff --git a/openssl_certs.c b/openssl_certs.c +index 021b573..a062a24 100644 +--- a/openssl_certs.c ++++ b/openssl_certs.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + #include + + #include "ipfwd.h" +@@ -280,8 +281,8 @@ X509* openssl_create_certificate(const struct certificatespec_t *spec) { + BN_free(serial); + + /* Set lifetime */ +- X509_gmtime_adj(X509_get_notBefore(cert), -spec->validity_predate_seconds); +- X509_gmtime_adj(X509_get_notAfter(cert), spec->validity_seconds); ++ X509_gmtime_adj(X509_getm_notBefore(cert), -spec->validity_predate_seconds); ++ X509_gmtime_adj(X509_getm_notAfter(cert), spec->validity_seconds); + + /* Set public key */ + X509_set_pubkey(cert, spec->subject_pubkey); +@@ -357,8 +358,8 @@ X509* openssl_create_certificate(const struct certificatespec_t *spec) { + return cert; + } + +-static bool is_certificate_expired(X509 *cert) { +- return X509_cmp_current_time(X509_get_notAfter(cert)) <= 0; ++static bool is_certificate_expired(const X509 *cert) { ++ return X509_cmp_current_time(X509_get0_notAfter(cert)) <= 0; + } + + X509* openssl_load_stored_certificate(const struct certificatespec_t *certspec, const char *filename, bool recreate_when_expired, bool recreate_when_key_mismatch) { +diff --git a/openssl_tls.c b/openssl_tls.c +index 4ba19a3..96a12ec 100644 +--- a/openssl_tls.c ++++ b/openssl_tls.c +@@ -146,11 +146,6 @@ struct tls_connection_t openssl_tls_connect(const struct tls_connection_request_ + SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, NULL); + SSL_CTX_set_cert_verify_callback(sslctx, cert_verify_callback, &result); + } +- if (!SSL_CTX_set_ecdh_auto(sslctx, 1)) { +- logmsgext(LLVL_ERROR, FLAG_OPENSSL_ERROR, "openssl_tls %s: SSL_CTX_set_ecdh_auto() failed.", request->is_server ? "server" : "client"); +- SSL_CTX_free(sslctx); +- return result; +- } + + if (request->config && request->config->cert) { + if (SSL_CTX_use_certificate(sslctx, request->config->cert) != 1) { +-- +2.20.1 + -- 2.30.2