diff --git a/README.md b/README.md
index f92c3bd..5eb680f 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,6 @@
 SSL Kill Switch 2
 =================
-[![Build Status](https://travis-ci.org/nabla-c0d3/ssl-kill-switch2.svg?branch=master)](https://travis-ci.org/nabla-c0d3/ssl-kill-switch2)
-
 Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and OS X Apps.
 Second iteration of https://github.com/iSECPartners/ios-ssl-kill-switch .
@@ -86,6 +84,8 @@ OS X Instructions
 SSL Kill Switch 2 can be used in OS X Apps as a dynamic library to be injected into processes.
+### WARNING: THIS HAS NOT BEEN TESTED ON RECENT VERSIONS OF MACOS
+
 ### Usage
 On OS X, the SSLKillSwitch library needs to be manually injected into the process where
@@ -119,6 +119,7 @@ that you need to inject in the process where you want to disable SSL pinning.
 Changelog
 ---------
+* v0.13: Added support for iOS 12.
 * v0.12: Added support for iOS 11.
 * v0.11: Added support for iOS 10.
 * v0.10: Added support for proxy-ing [CocoaSPDY](https://github.com/twitter/CocoaSPDY) Apps (ie. Twitter iOS).
diff --git a/SSLKillSwitch/SSLKillSwitch.m b/SSLKillSwitch/SSLKillSwitch.m
index c5efd8c..c0be2e1 100644
--- a/SSLKillSwitch/SSLKillSwitch.m
+++ b/SSLKillSwitch/SSLKillSwitch.m
@@ -122,6 +122,41 @@ static OSStatus replaced_tls_helper_create_peer_trust(void *hdsk, bool server, S
 }
+#pragma mark BoringSSL hooks - iOS 12
+
+// Everyone's favorite OpenSSL constant
+#define SSL_VERIFY_NONE 0
+
+// Constant defined in BoringSSL
+enum ssl_verify_result_t {
+ ssl_verify_ok = 0,
+ ssl_verify_invalid,
+ ssl_verify_retry,
+};
+
+
+char *replaced_SSL_get_psk_identity(void *ssl)
+{
+ return "notarealPSKidentity";
+}
+
+
+static int custom_verify_callback_that_does_not_validate(void *ssl, uint8_t *out_alert)
+{
+ // Yes this certificate is 100% valid...
+ return ssl_verify_ok;
+}
+
+
+static void (*original_SSL_CTX_set_custom_verify)(void *ctx, int mode, int (*callback)(void *ssl, uint8_t *out_alert));
+static void replaced_SSL_CTX_set_custom_verify(void *ctx, int mode, int (*callback)(void *ssl, uint8_t *out_alert))
+{
+ SSKLog(@"Entering replaced_SSL_CTX_set_custom_verify()");
+ original_SSL_CTX_set_custom_verify(ctx, SSL_VERIFY_NONE, custom_verify_callback_that_does_not_validate);
+ return;
+}
+
+
 #pragma mark CocoaSPDY hook
 #if SUBSTRATE_BUILD
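Review bot: `replaced_SSL_get_psk_identity` returns a string literal through a non-const `char *`, while the BoringSSL function it stands in for is declared as returning `const char *`; since MSHookFunction installs this function in place of the original, its prototype should match so callers are never handed a writable pointer to read-only storage, e.g. `static const char *replaced_SSL_get_psk_identity(void *ssl)`. Making it `static` also keeps it from being exported from the dylib, consistent with its `static` neighbours `custom_verify_callback_that_does_not_validate` and `replaced_SSL_CTX_set_custom_verify`. For the same reason `custom_verify_callback_that_does_not_validate` reads better declared as returning `enum ssl_verify_result_t` rather than `int`, which also explains why the enum is reproduced locally. `replaced_SSL_CTX_set_custom_verify` discards both the caller's `mode` and `callback` without comment; a one-line note such as `// The application's own verify callback and mode are intentionally dropped` would make that contract explicit for the next reader.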
@@ -151,49 +186,68 @@ static void newRegisterOrigin(id self, SEL _cmd, NSString *origin)
 #endif
-
 #pragma mark Dylib Constructor
 __attribute__((constructor)) static void init(int argc, const char **argv)
 {
 #if SUBSTRATE_BUILD
- // Should we enable the hook ?
+ // Substrate-based hooking; only hook if the preference file says so
 if (shouldHookFromPreference(PREFERENCE_KEY))
 {
- // Substrate-based hooking; only hook if the preference file says so
 SSKLog(@"Substrate hook enabled.");
- // SecureTransport hooks - works up to iOS 9
- MSHookFunction((void *) SSLHandshake,(void *) replaced_SSLHandshake, (void **) &original_SSLHandshake);
- MSHookFunction((void *) SSLSetSessionOption,(void *) replaced_SSLSetSessionOption, (void **) &original_SSLSetSessionOption);
- MSHookFunction((void *) SSLCreateContext,(void *) replaced_SSLCreateContext, (void **) &original_SSLCreateContext);
-
- // libsystem_coretls.dylib hook - works on iOS 10
- // TODO: Enable this hook for the fishhook-based hooking so it works on OS X too
 NSProcessInfo *processInfo = [NSProcessInfo processInfo];
- if ([processInfo respondsToSelector:@selector(isOperatingSystemAtLeastVersion:)] && [processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){11, 0, 0}])
+ if ([processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){12, 0, 0}])
+ {
+ // Support for iOS 12
+ SSKLog(@"iOS 12 detected; hooking SSL_CTX_set_custom_verify() and SSL_get_psk_identity()...");
+
+ void* boringssl_handle = dlopen("/usr/lib/libboringssl.dylib", RTLD_NOW);
+ void *SSL_CTX_set_custom_verify = dlsym(boringssl_handle, "SSL_CTX_set_custom_verify");
+ if (SSL_CTX_set_custom_verify)
+ {
+ MSHookFunction((void *) SSL_CTX_set_custom_verify, (void *) replaced_SSL_CTX_set_custom_verify, (void **) &original_SSL_CTX_set_custom_verify);
+ }
+
+ void *SSL_get_psk_identity = dlsym(boringssl_handle, "SSL_get_psk_identity");
+ if (SSL_get_psk_identity)
+ {
+ MSHookFunction((void *) SSL_get_psk_identity, (void *) replaced_SSL_get_psk_identity, (void **) NULL);
+ }
+ }
+ else if ([processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){11, 0, 0}])
 {
 // Support for iOS 11
+ SSKLog(@"iOS 11 detected; hooking nw_tls_create_peer_trust()...");
 void* handle = dlopen("/usr/lib/libnetwork.dylib", RTLD_NOW);
- void *tls_helper_create_peer_trust = dlsym(handle, "nw_tls_create_peer_trust");
- if (tls_helper_create_peer_trust)
+ void *nw_tls_create_peer_trust = dlsym(handle, "nw_tls_create_peer_trust");
+ if (nw_tls_create_peer_trust)
 {
- MSHookFunction((void *) tls_helper_create_peer_trust, (void *) replaced_tls_helper_create_peer_trust, (void **) &original_tls_helper_create_peer_trust);
+ MSHookFunction((void *) nw_tls_create_peer_trust, (void *) replaced_tls_helper_create_peer_trust, (void **) &original_tls_helper_create_peer_trust);
 }
 }
- else if ([processInfo respondsToSelector:@selector(isOperatingSystemAtLeastVersion:)] && [processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){10, 0, 0}])
+ else if ([processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){10, 0, 0}])
 {
 // Support for iOS 10
+ SSKLog(@"iOS 10 detected; hooking tls_helper_create_peer_trust()...");
 void *tls_helper_create_peer_trust = dlsym(RTLD_DEFAULT, "tls_helper_create_peer_trust");
 MSHookFunction((void *) tls_helper_create_peer_trust, (void *) replaced_tls_helper_create_peer_trust, (void **) &original_tls_helper_create_peer_trust);
 }
-
+ else if ([processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){8, 0, 0}])
+ {
+ // SecureTransport hooks - works up to iOS 9
+ SSKLog(@"iOS 8 or 9 detected; hooking SecureTransport...");
+ MSHookFunction((void *) SSLHandshake,(void *) replaced_SSLHandshake, (void **) &original_SSLHandshake);
+ MSHookFunction((void *) SSLSetSessionOption,(void *) replaced_SSLSetSessionOption, (void **) &original_SSLSetSessionOption);
+ MSHookFunction((void *) SSLCreateContext,(void *) replaced_SSLCreateContext, (void **) &original_SSLCreateContext);
+ }
 // CocoaSPDY hooks - https://github.com/twitter/CocoaSPDY
 // TODO: Enable these hooks for the fishhook-based hooking so it works on OS X too
 Class spdyProtocolClass = NSClassFromString(@"SPDYProtocol");
 if (spdyProtocolClass)
 {
+ SSKLog(@"CocoaSPDY detected; hooking it...");
 // Disable trust evaluation
 MSHookMessageEx(object_getClass(spdyProtocolClass), NSSelectorFromString(@"setTLSTrustEvaluator:"), (IMP) &newSetTLSTrustEvaluator, (IMP *)&oldSetTLSTrustEvaluator);
diff --git a/layout/DEBIAN/control b/layout/DEBIAN/control
index 5ad08ff..9a70d18 100644
--- a/layout/DEBIAN/control
+++ b/layout/DEBIAN/control
@@ -1,7 +1,7 @@
 Package: com.nablac0d3.sslkillswitch2
 Name: SSL Kill Switch 2
 Depends: mobilesubstrate, preferenceloader
-Version: 0.12
+Version: 0.13
 Architecture: iphoneos-arm
 Description: Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and OS X Apps.
 Maintainer: Alban Diquet
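Review bot: The handle returned by `dlopen("/usr/lib/libboringssl.dylib", RTLD_NOW)` in the new iOS 12 branch is passed straight to `dlsym` with no NULL check; if the library fails to load, both lookups presumably return NULL, the existing `if` guards skip silently, and the only trace is the preceding "iOS 12 detected; hooking ..." log line, which makes a non-working install hard to diagnose on a device. Suggest guarding the handle before the lookups, `if (!boringssl_handle) { SSKLog(@"dlopen(libboringssl) failed: %s", dlerror()); }` (adjusted if SSKLog does not accept format arguments) and placing the two dlsym/MSHookFunction pairs in the `else`; the iOS 11 branch's `handle` from libnetwork has the same gap. The iOS 10 branch still passes an unchecked `dlsym` result to MSHookFunction, which predates this change but would be worth aligning with the guarded branches. Now that the SecureTransport hooks sit behind `isOperatingSystemAtLeastVersion:` with `{8, 0, 0}`, a device below iOS 8 gets no hooks at all where it previously got the SecureTransport ones, so if iOS 8 is the intended floor the README and control file should state it. `init()` continues past the end of the hunk.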