type Hook func(http.ResponseWriter, *http.Request) bool
type HostCfg struct {
- Root string
- TLS *TLSCfg
- GOSTTLS *TLSCfg
- DirList bool
- WebDAV bool
- Hooks []Hook
- Auth *AuthCfg
+ Root string
+ ECDSATLS *TLSCfg
+ EdDSATLS *TLSCfg
+ GOSTTLS *TLSCfg
+ DirList bool
+ WebDAV bool
+ Hooks []Hook
+ Auth *AuthCfg
Indices []string
Readmes []string
@verbatim
Hosts["example.com"] = &godlighty.HostCfg{
Root: "/www/example.com",
- TLS: &godlighty.TLSCfg{
+ EdDSATLS: &godlighty.TLSCfg{
Cert: "/path/to/example.com.pem",
Key: "/path/to/example.com.key.pem",
CACert: "/path/to/ca.pem",
// Highly-customizable HTTP, HTTP/2, HTTPS server
package godlighty
-const Version = "godlighty/0.3.0"
+const Version = "godlighty/0.4.0"
var BindAddr string
return
}
- if cfg.TLS != nil && len(cfg.TLS.ClientCAs) > 0 {
+ if (cfg.ECDSATLS != nil && len(cfg.ECDSATLS.ClientCAs) > 0) ||
+ (cfg.EdDSATLS != nil && len(cfg.EdDSATLS.ClientCAs) > 0) ||
+ (cfg.GOSTTLS != nil && len(cfg.GOSTTLS.ClientCAs) > 0) {
if r.TLS == nil {
err = errors.New("TLS client authentication required")
printErr(http.StatusForbidden, err)
func addGitRepoCfg(host, root, gitwebCfg string) {
godlighty.Hosts[host] = &godlighty.HostCfg{
- TLS: newTLSCfg(host),
+ EdDSATLS: newTLSCfg(host),
Hooks: []godlighty.Hook{
func(w http.ResponseWriter, r *http.Request) bool {
if r.URL.Path == "/" {
}
host = "www." + host
godlighty.Hosts[host] = &godlighty.HostCfg{
- Root: "/usr/local/share/gitweb",
- TLS: newTLSCfg(host),
+ Root: "/usr/local/share/gitweb",
+ EdDSATLS: newTLSCfg(host),
Hooks: []godlighty.Hook{
func(w http.ResponseWriter, r *http.Request) bool {
if r.URL.Path == "/" {
func addGoRepoCfg(host string) {
godlighty.Hosts[host] = &godlighty.HostCfg{
- Root: path.Join(WWW, host),
- TLS: newTLSCfg(host),
- MIMEs: map[string]string{"": "text/html"},
- Indices: []string{"v1"},
+ Root: path.Join(WWW, host),
+ EdDSATLS: newTLSCfg(host),
+ MIMEs: map[string]string{"": "text/html"},
+ Indices: []string{"v1"},
}
}
func init() {
host := "lists.cypherpunks.ru"
godlighty.Hosts[host] = &godlighty.HostCfg{
- Root: path.Join(WWW, host),
- TLS: newTLSCfg(host),
+ Root: path.Join(WWW, host),
+ EdDSATLS: newTLSCfg(host),
Hooks: []godlighty.Hook{
func(w http.ResponseWriter, r *http.Request) bool {
if strings.HasPrefix(r.URL.Path, "/archive/") {
root = path.Join(WWW, root)
}
godlighty.Hosts[host] = &godlighty.HostCfg{
- Root: root,
- TLS: newTLSCfg(host),
+ Root: root,
+ EdDSATLS: newTLSCfg(host),
}
}
var (
NextProtos = []string{"h2", "http/1.1"}
- HostToCertificate map[string]*tls.Certificate
- HostClientAuth map[string]*x509.CertPool
+ HostToECDSACertificate map[string]*tls.Certificate
+ HostECDSAClientAuth map[string]*x509.CertPool
+
+ HostToEdDSACertificate map[string]*tls.Certificate
+ HostEdDSAClientAuth map[string]*x509.CertPool
HostToGOSTCertificate map[string]*tls.Certificate
HostGOSTClientAuth map[string]*x509.CertPool
)
+func CHIHasTLS13(chi *tls.ClientHelloInfo) bool {
+ for _, v := range chi.SupportedVersions {
+ if v == tls.VersionTLS13 {
+ return true
+ }
+ }
+ return false
+}
+
+func CHIHasEdDSA(chi *tls.ClientHelloInfo) bool {
+ if !CHIHasTLS13(chi) {
+ return false
+ }
+ for _, ss := range chi.SignatureSchemes {
+ if ss == tls.Ed25519 {
+ return true
+ }
+ }
+ return false
+}
+
func GetCertificate(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
if CHIHasGOST(chi) {
if cert := HostToGOSTCertificate[chi.ServerName]; cert != nil {
return cert, nil
}
}
- cert := HostToCertificate[chi.ServerName]
+ if CHIHasEdDSA(chi) {
+ if cert := HostToEdDSACertificate[chi.ServerName]; cert != nil {
+ return cert, nil
+ }
+ }
+ cert := HostToECDSACertificate[chi.ServerName]
if cert == nil {
return nil, errors.New("no certificate found")
}
if CHIHasGOST(chi) {
pool = HostGOSTClientAuth[chi.ServerName]
}
+ if pool == nil && CHIHasEdDSA(chi) {
+ pool = HostEdDSAClientAuth[chi.ServerName]
+ }
if pool == nil {
- pool = HostClientAuth[chi.ServerName]
+ pool = HostECDSAClientAuth[chi.ServerName]
}
if pool == nil {
return nil, nil
}
func LoadCertificates() {
- HostToCertificate = make(map[string]*tls.Certificate, len(Hosts))
- HostClientAuth = make(map[string]*x509.CertPool)
+ HostToECDSACertificate = make(map[string]*tls.Certificate, len(Hosts))
+ HostECDSAClientAuth = make(map[string]*x509.CertPool)
+ HostToEdDSACertificate = make(map[string]*tls.Certificate, len(Hosts))
+ HostEdDSAClientAuth = make(map[string]*x509.CertPool)
HostToGOSTCertificate = make(map[string]*tls.Certificate, len(Hosts))
HostGOSTClientAuth = make(map[string]*x509.CertPool)
for host, cfg := range Hosts {
- loadCertificates(host, cfg.TLS, &HostToCertificate, &HostClientAuth)
+ loadCertificates(host, cfg.ECDSATLS, &HostToECDSACertificate, &HostECDSAClientAuth)
+ loadCertificates(host, cfg.EdDSATLS, &HostToEdDSACertificate, &HostEdDSAClientAuth)
loadCertificates(host, cfg.GOSTTLS, &HostToGOSTCertificate, &HostGOSTClientAuth)
}
}
import "crypto/tls"
func CHIHasGOST(chi *tls.ClientHelloInfo) bool {
- tls13Found := false
- for _, v := range chi.SupportedVersions {
- if v == tls.VersionTLS13 {
- tls13Found = true
- break
- }
- }
- if !tls13Found {
+ if !CHIHasTLS13(chi) {
return false
}
for _, ss := range chi.SignatureSchemes {