2 tofuproxy -- HTTP proxy with TLS certificates management
3 Copyright (C) 2021 Sergey Matveev <stargrave@stargrave.org>
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, version 3 of the License.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>.
34 "go.cypherpunks.ru/ucspi"
35 "go.stargrave.org/tofuproxy/caches"
36 "go.stargrave.org/tofuproxy/fifos"
39 const VerifyDialog = `
40 # host err daneStatus certsTheir certsOur
42 if {[string length $err] > 0} {
45 $tErr configure -wrap word -height 5
46 $tErr configure -state disabled
50 proc certsDecode {raws} {
52 foreach raw [split $raws] {
55 foreach line [split [binary decode hex $raw] "\n"] {
56 lappend lines [format "%03d %s" $lineN $line]
59 lappend certs [join $lines "\n"]
64 set certsTheir [certsDecode $certsTheir]
65 set certsOur [certsDecode $certsOur]
70 proc paginator {i delta t l certs} {
72 if {$i == [llength $certs]} {
75 set i [expr {[llength $certs] - 1}]
77 $t configure -state normal
79 $t insert end [lindex $certs $i]
80 $t configure -state disabled
81 $l configure -text "[expr {$i + 1}] / [llength $certs]"
85 proc addCertsWindow {name} {
86 global certs$name t$name sb$name page$name l$name
88 set sb [scrollbar .sb$name -command [list $t yview]]
89 $t configure -wrap word -yscrollcommand [list $sb set]
90 $t configure -state disabled
91 grid $t $sb -sticky nsew
96 set l$name [label .lPage$name]
97 button .bNext$name -text "Next" -command "set page$name \[
98 paginator \$page$name +1 \$t$name \$l$name \$certs$name
100 button .bPrev$name -text "Prev" -command "set page$name \[
101 paginator \$page$name -1 \$t$name \$l$name \$certs$name
104 grid .lPage$name .bNext$name .bPrev$name -in .fControl$name
105 set page$name [paginator -1 +1 $t [set l$name] [set certs$name]]
109 if {[llength $certsOur] > 0} { addCertsWindow Our }
111 set lDANE [label .lDANE]
112 if {$daneStatus ne ""} {
113 array set daneColour {ok green bad red}
114 $lDANE configure -bg $daneColour($daneStatus)
115 $lDANE configure -text "DANE-EE: $daneStatus"
117 button .bAccept -text "Accept" -bg green -command { exit 10 }
118 button .bOnce -text "Once" -bg green -command { exit 11 }
119 button .bReject -text "Reject" -bg red -command { exit 12 }
121 grid .lDANE .bAccept .bOnce .bReject -in .fButtons
122 grid rowconfigure . 0 -weight 1
123 grid columnconfigure . 0 -weight 1
127 CmdCerttool = "certtool"
134 func spkiHash(cert *x509.Certificate) string {
135 hsh := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
136 return hex.EncodeToString(hsh[:])
139 type ErrRejected struct {
143 func (err ErrRejected) Error() string { return err.addr + " was rejected" }
145 func certInfo(certRaw []byte) string {
146 cmd := exec.Command(CmdCerttool, "--certificate-info", "--inder")
147 cmd.Stdin = bytes.NewReader(certRaw)
148 out, err := cmd.Output()
159 verifiedChains [][]*x509.Certificate,
161 var certTheir *x509.Certificate
163 if len(verifiedChains) > 0 {
164 certTheir = verifiedChains[0][0]
166 certTheir, err = x509.ParseCertificate(rawCerts[0])
171 certTheirHash := spkiHash(certTheir)
173 defer VerifyM.Unlock()
174 caches.AcceptedM.RLock()
175 certOurHash := caches.Accepted[host]
176 caches.AcceptedM.RUnlock()
177 if certTheirHash == certOurHash {
180 caches.RejectedM.RLock()
181 certOurHash = caches.Rejected[host]
182 caches.RejectedM.RUnlock()
183 if certTheirHash == certOurHash {
184 return ErrRejected{host}
186 daneExists, daneMatched := dane(host, certTheir)
189 fifos.LogDANE <- fmt.Sprintf("%s\tACK", host)
191 fifos.LogDANE <- fmt.Sprintf("%s\tNAK", host)
194 fn := filepath.Join(Certs, host)
195 certsOur, _, err := ucspi.CertPoolFromFile(fn)
196 if err == nil || dialErr != nil || (daneExists && !daneMatched) {
197 if certsOur != nil && certTheirHash == spkiHash(certsOur[0]) {
198 caches.AcceptedM.Lock()
199 caches.Accepted[host] = certTheirHash
200 caches.AcceptedM.Unlock()
201 if bytes.Compare(certsOur[0].Raw, rawCerts[0]) != 0 {
202 fifos.LogCert <- fmt.Sprintf("Refresh\t%s\t%s", host, certTheirHash)
208 b.WriteString(fmt.Sprintf("set host \"%s\"\n", host))
210 b.WriteString(fmt.Sprintf("set err \"\"\n"))
212 b.WriteString(fmt.Sprintf("set err \"%s\"\n", dialErr.Error()))
214 var daneStatus string
222 b.WriteString(fmt.Sprintf("set daneStatus \"%s\"\n", daneStatus))
223 hexCerts := make([]string, 0, len(rawCerts))
224 for _, rawCert := range rawCerts {
225 hexCerts = append(hexCerts, hex.EncodeToString([]byte(certInfo(rawCert))))
227 b.WriteString(fmt.Sprintf(
228 "set certsTheir \"%s\"\n", strings.Join(hexCerts, " "),
230 hexCerts = make([]string, 0, len(certsOur))
231 for _, cert := range certsOur {
232 hexCerts = append(hexCerts, hex.EncodeToString([]byte(certInfo(cert.Raw))))
234 b.WriteString(fmt.Sprintf(
235 "set certsOur \"%s\"\n", strings.Join(hexCerts, " "),
237 b.WriteString(VerifyDialog)
238 cmd := exec.Command(CmdWish)
239 // ioutil.WriteFile("/tmp/verify-dialog.tcl", b.Bytes(), 0666)
242 exitError, ok := err.(*exec.ExitError)
244 fifos.LogCert <- fmt.Sprintf("Reject\t%s\t%s", host, certTheirHash)
245 return ErrRejected{host}
247 switch exitError.ExitCode() {
249 fifos.LogCert <- fmt.Sprintf("Accept\t%s\t%s", host, certTheirHash)
252 fifos.LogCert <- fmt.Sprintf("Once\t%s\t%s", host, certTheirHash)
253 caches.AcceptedM.Lock()
254 caches.Accepted[host] = certTheirHash
255 caches.AcceptedM.Unlock()
258 caches.RejectedM.Lock()
259 caches.Rejected[host] = certTheirHash
260 caches.RejectedM.Unlock()
263 fifos.LogCert <- fmt.Sprintf("Reject\t%s\t%s", host, certTheirHash)
264 return ErrRejected{host}
267 if !os.IsNotExist(err) {
270 fifos.LogCert <- fmt.Sprintf("TOFU\t%s\t%s", host, certTheirHash)
273 tmp, err := os.CreateTemp(Certs, "")
277 for _, rawCert := range rawCerts {
278 err = pem.Encode(tmp, &pem.Block{Type: "CERTIFICATE", Bytes: rawCert})
284 os.Rename(tmp.Name(), fn)
285 caches.AcceptedM.Lock()
286 caches.Accepted[host] = certTheirHash
287 caches.AcceptedM.Unlock()