X-Git-Url: http://www.git.stargrave.org/?p=tofuproxy.git;a=blobdiff_plain;f=tls.go;h=b73d42eebfd29f5242135d3927b5d30c14e7caf5;hp=dc598622998f6bcdcf893c11991c72b40c9532ed;hb=HEAD;hpb=0c0a261a6ef4fddfc34a9150005f7964cc69c420 diff --git a/tls.go b/tls.go index dc59862..889dba7 100644 --- a/tls.go +++ b/tls.go @@ -1,43 +1,37 @@ -/* -tofuproxy -- flexible HTTP/WARC proxy with TLS certificates management -Copyright (C) 2021 Sergey Matveev - -This program is free software: you can redistribute it and/or modify -it under the terms of the GNU General Public License as published by -the Free Software Foundation, version 3 of the License. - -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU General Public License for more details. - -You should have received a copy of the GNU General Public License -along with this program. If not, see . -*/ +// tofuproxy -- flexible HTTP/HTTPS proxy, TLS terminator, X.509 TOFU +// manager, WARC/geminispace browser +// Copyright (C) 2021-2024 Sergey Matveev +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, version 3 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see . package tofuproxy import ( - "context" "crypto" "crypto/tls" "crypto/x509" "fmt" "log" - "net" "net/http" - "strings" "time" - "go.cypherpunks.ru/ucspi" - "go.stargrave.org/tofuproxy/fifos" + ttls "go.stargrave.org/tofuproxy/tls" ) var ( TLSNextProtoS = make(map[string]func(*http.Server, *tls.Conn, http.Handler)) CACert *x509.Certificate CAPrv crypto.PrivateKey - sessionCache = tls.NewLRUClientSessionCache(1024) ) type Handler struct{} @@ -56,16 +50,15 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) { log.Fatalln(err) } defer conn.Close() - conn.Write([]byte(fmt.Sprintf( - "%s %d %s\r\n\r\n", - req.Proto, - http.StatusOK, http.StatusText(http.StatusOK), - ))) - host := strings.Split(req.Host, ":")[0] + fmt.Fprintf( + conn, "%s %d %s\r\n\r\n", + req.Proto, http.StatusOK, http.StatusText(http.StatusOK), + ) + host, _, _ := ttls.SplitHostPort(req.Host) hostCertsM.Lock() keypair, ok := hostCerts[host] if !ok || !keypair.cert.NotAfter.After(time.Now().Add(time.Hour)) { - keypair = newKeypair(host, CACert, CAPrv) + keypair = newX509Keypair(host, CACert, CAPrv) hostCerts[host] = keypair } hostCertsM.Unlock() @@ -101,51 +94,3 @@ func (h *HTTPSHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) { req.URL.Host = h.host roundTrip(w, req) } - -func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) { - host := strings.Split(addr, ":")[0] - ccg := ClientCertificateGetter{host: host} - cfg := tls.Config{ - VerifyPeerCertificate: func( - rawCerts [][]byte, - verifiedChains [][]*x509.Certificate, - ) error { - return verifyCert(host, nil, rawCerts, verifiedChains) - }, - ClientSessionCache: sessionCache, - NextProtos: []string{"h2", "http/1.1"}, - GetClientCertificate: ccg.get, - } - conn, dialErr := tls.Dial(network, addr, &cfg) - if dialErr != nil { - if _, ok := dialErr.(ErrRejected); ok { - return nil, dialErr - } - cfg.InsecureSkipVerify = true - cfg.VerifyPeerCertificate = func( - rawCerts [][]byte, - verifiedChains [][]*x509.Certificate, - ) error { - return verifyCert(host, dialErr, rawCerts, verifiedChains) - } - var err error - conn, err = tls.Dial(network, addr, &cfg) - if err != nil { - fifos.LogErr <- fmt.Sprintf("%s\t%s", addr, dialErr.Error()) - return nil, err - } - } - connState := conn.ConnectionState() - if !connState.DidResume { - fifos.LogTLS <- fmt.Sprintf( - "%s\t%s %s %s\t%s\t%s", - addr, - ucspi.TLSVersion(connState.Version), - tls.CipherSuiteName(connState.CipherSuite), - connState.PeerCertificates[0].SignatureAlgorithm, - spkiHash(connState.PeerCertificates[0]), - connState.NegotiatedProtocol, - ) - } - return conn, nil -}