From 51587ef41ab94dca2900267a5edcab4345b8f663 Mon Sep 17 00:00:00 2001
From: Joel Klinghed
Date: Wed, 26 Jul 2017 23:06:58 +0200
Subject: Add SSL interception to Setup in GUI
---
 src/monitor-gui.cc | 111 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 110 insertions(+), 1 deletion(-)
(limited to 'src/monitor-gui.cc')
diff --git a/src/monitor-gui.cc b/src/monitor-gui.cc
index d293935..037f2ff 100644
--- a/src/monitor-gui.cc
+++ b/src/monitor-gui.cc
@@ -67,6 +67,25 @@ bool parse_address(std::string const& addr, std::string* host, uint16_t* port) {
 return true;
 }
+#if HAVE_SSL
+const char* CERT_BUNDLE[] = {
+ "/etc/ssl/certs/ca-certificates.crt",
+ NULL
+};
+std::string default_cert_bundle() {
+ static std::string cache;
+ if (cache.empty()) {
+ for (auto bundle = CERT_BUNDLE; *bundle; ++bundle) {
+ if (access(*bundle, R_OK) == 0) {
+ cache.assign(*bundle);
+ break;
+ }
+ }
+ }
+ return cache;
+}
+#endif // HAVE_SSL
 class PackageList : public GuiListModel {
 public:
 struct Package {
@@ -374,7 +393,13 @@ private:
 class SetupFormListener : public GuiFormApply::Listener {
 public:
- void changed(GuiForm* UNUSED(form), std::string const& UNUSED(id)) override {
+ void changed(GuiForm* form, std::string const& id) override {
+ if (id.compare("mitm") == 0) {
+ auto enable = form->get_bool(id);
+ form->enable("ssl-certs", enable);
+ form->enable("ssl-ca", enable);
+ form->enable("unsecure", enable);
+ }
 }
 bool about_to_close(GuiForm* form) override {
@@ -383,6 +408,19 @@ private:
 form->set_error("Empty proxy port");
 return false;
 }
+ auto const& mitm = form->get_bool("mitm");
+ if (mitm) {
+ auto const& certs = form->get_file("ssl-certs");
+ if (certs.empty()) {
+ form->set_error("No SSL certificates file set");
+ return false;
+ }
+ auto const& ca = form->get_file("ssl-ca");
+ if (ca.empty()) {
+ form->set_error("No SSL CA file set");
+ return false;
+ }
+ }
 return true;
 }
 };
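Review bot: `CERT_BUNDLE` is declared as a writable array with external linkage (`const char* CERT_BUNDLE[] = {`), so the path list that seeds the default trust store can be modified from any translation unit; declare it `static const char* const CERT_BUNDLE[]` (or place it in an anonymous namespace) so the candidate list is immutable. The loop in `default_cert_bundle()` is already written for several candidates but the array holds only the Debian-style path; adding the other common locations (e.g. `/etc/pki/tls/certs/ca-bundle.crt`) would make the default useful on more systems. `access(R_OK)` here is only a probe used to pick a default and the file is opened later by the proxy, so the empty result deserves a comment: `// Returns "" when no candidate bundle is readable; callers must treat that as "not configured".` If this can be reached from more than one thread, the lazy fill of `cache` is unsynchronized (only the static's construction is guarded) — confirm it is GUI-thread only.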
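Review bot: `changed()` here and the `about_to_close()` addition in the next hunk are compiled unconditionally, while the `mitm`, `ssl-certs`, `ssl-ca` and `unsecure` fields are only added to the form under `#if HAVE_SSL` (the `@@ -622` hunk) and the apply path is guarded the same way (the `@@ -411` hunk). For `changed()` this is harmless because the branch only fires for id `"mitm"`, but `about_to_close()` calls `form->get_bool("mitm")` on a form that never had that field in a non-SSL build; what `get_bool` does for an unknown id is not visible here, so either wrap both additions in `#if HAVE_SSL … #endif` like the rest of the commit or confirm it returns false. Minor: `if (id.compare("mitm") == 0)` reads more naturally as `if (id == "mitm")`.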
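Review bot: The empty-path checks added to `about_to_close()` are repeated verbatim in the apply path of the `@@ -411` hunk, down to the same two error strings, while the readability (`access(...)`) checks exist only there, so the two validations will drift apart. Consider one private helper such as `std::string validate_ssl_files(GuiForm* form)` that returns the error message (empty when valid) and is called from both places, or keep only the apply-side checks since they already report through `set_error`/`applied(false)`. The `SetupFormListener` class continues outside the hunk.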
@@ -411,8 +449,49 @@ private:
 }
 config_->set("bind", bind);
 config_->set("port", port);
+#if HAVE_SSL
+ auto const& mitm = form->get_bool("mitm");
+ config_->set("mitm", mitm);
 proxy_config_->set("proxy_bind", bind);
 proxy_config_->set("proxy_port", port);
+ if (mitm) {
+ auto const& certs = form->get_file("ssl-certs");
+ auto const& ca = form->get_file("ssl-ca");
+ auto const& unsecure = form->get_bool("unsecure");
+ if (certs.empty()) {
+ form->set_error("No SSL certificates file set");
+ form->applied(false);
+ return;
+ }
+ if (access(certs.c_str(), R_OK)) {
+ form->set_error("SSL certificates file not readable");
+ form->applied(false);
+ return;
+ }
+ if (ca.empty()) {
+ form->set_error("No SSL CA file set");
+ form->applied(false);
+ return;
+ }
+ if (access(ca.c_str(), R_OK)) {
+ form->set_error("SSL CA file not readable");
+ form->applied(false);
+ return;
+ }
+ config_->set("ssl-certs", certs);
+ config_->set("ssl-ca", ca);
+ config_->set("unsecure", unsecure);
+ proxy_config_->set("ssl_cert_bundle", certs);
+ proxy_config_->set("ssl_ca_cert", ca);
+ proxy_config_->set("ssl_ca_key", ca);
+ proxy_config_->set("ssl_unsecure", unsecure);
+ } else {
+ proxy_config_->remove("ssl_cert_bundle");
+ proxy_config_->remove("ssl_ca_cert");
+ proxy_config_->remove("ssl_ca_key");
+ proxy_config_->remove("ssl_unsecure");
+ }
+#endif // HAVE_SSL
 proxy_config_->set("__one_single_monitor", "true");
 io::auto_fd proxy_fd(
 Proxy::setup_accept_socket(proxy_config_, proxy_logger_));
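Review bot: The new `#if HAVE_SSL` opens before the two pre-existing context lines `proxy_config_->set("proxy_bind", bind);` and `proxy_config_->set("proxy_port", port);` and is not closed until after the `else` block, so a build without HAVE_SSL no longer hands the bind address and port to `proxy_config_` at all and `Proxy::setup_accept_socket` runs on whatever defaults it has. Move the `#if HAVE_SSL` line down so it follows `proxy_config_->set("proxy_port", port);` (the `mitm` read and `config_->set("mitm", mitm)` move with it); nothing else in the hunk needs to change. Separately, `ssl_ca_cert` and `ssl_ca_key` are both set to `ca`, i.e. the CA private key is expected in the same PEM as the certificate — a comment such as `// ssl-ca is a combined cert+key PEM; the key signs the fake server certificates` spares the next reader a trip to the proxy side. The four `set_error`/`applied(false)`/`return` triplets could share one lambda, `auto fail = [&](const char* msg) { form->set_error(msg); form->applied(false); };`, with `return;` at each call site; the enclosing apply function starts outside the hunk.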
@@ -622,6 +701,36 @@ public:
 connect_->add_string("port", "Port",
 main_->config()->get("port", "8080"),
 "Port to listen for proxy connections on.");
+#if HAVE_SSL
+ bool mitm = main_->config()->get("mitm", false);
+ connect_->add_bool("mitm", "Intercept SSL traffic",
+ mitm,
+ "If enabled SSL connections will be intercepted"
+ " by the proxy to log unencrypted traffic.");
+ std::vector filter;
+ filter.emplace_back();
+ filter.back().name = "PEM";
+ filter.back().masks.emplace_back("*.pem");
+ connect_->add_file("ssl-ca", "Certificate Authority",
+ main_->config()->get("ssl-ca",
+ main_->config()->get("genca-output", "")),
+ "CA and key to sign all fake server certificates with",
+ GuiForm::FILE_OPEN, filter);
+ connect_->enable("ssl-ca", mitm);
+ filter.back().name = "CRT";
+ filter.back().masks.emplace_back("*.crt");
+ connect_->add_file("ssl-certs", "Certificate bundle",
+ main_->config()->get("ssl-certs",
+ default_cert_bundle()),
+ "Certificate bundle to verify remote SSL connections",
+ GuiForm::FILE_OPEN, filter);
+ connect_->enable("ssl-certs", mitm);
+ connect_->add_bool("unsecure", "Allow unsecure remote connections",
+ main_->config()->get("unsecure", false),
+ "Allow deprecated protocols such as SSLv3 and "
+ " self-signed or missmatched certificates");
+ connect_->enable("unsecure", mitm);
+#endif // HAVE_SSL
 connect_->add_listener(lst.get());
 if (connect_->show(main_.get())) {
 monitor_->attach();
-- 
cgit v1.2.3-70-g09d2
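Review bot: The help text for `ssl-ca` says the file holds the CA certificate and its key, but nothing tells the user that this key can sign a certificate for any host the intercepted clients trust, so the file (and the path persisted in `config_`) deserves a note; suggest extending the string to `"CA and key to sign all fake server certificates with; keep this file readable only by the user running the proxy"`. Reusing `filter` means the second `add_file` call receives both `*.pem` and `*.crt` masks under the name `CRT` while the CA picker got only `*.pem` — if that is deliberate (bundles ship under either extension) a one-line comment `// bundle picker accepts both extensions` makes it clear, otherwise clear `masks` before pushing `*.crt`. Two wording defects in user-visible strings: `"Allow deprecated protocols such as SSLv3 and "` joined with `" self-signed …"` renders a double space, and `missmatched` should be `mismatched`. `std::vector filter;` appears with no template argument here, which is most likely the page extraction dropping the `<…>` rather than the commit itself — worth confirming against the repository.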