X-Git-Url: http://www.git.stargrave.org/?a=blobdiff_plain;f=tls.go;h=0451b0328f27b66dd1150155174567ea359d711d;hb=0dd0012853840370bc03871d71a8fa0b9274b80a;hp=88f1dc38ff2d458477a77f068c8655aaadb38d7c;hpb=600eeaef572eaaaf5bfb320614091b10664c66f0;p=godlighty.git diff --git a/tls.go b/tls.go index 88f1dc3..0451b03 100644 --- a/tls.go +++ b/tls.go @@ -1,6 +1,6 @@ /* godlighty -- highly-customizable HTTP, HTTP/2, HTTPS server -Copyright (C) 2021 Sergey Matveev +Copyright (C) 2021-2023 Sergey Matveev This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -23,18 +23,56 @@ import ( "encoding/pem" "errors" "fmt" - "io/ioutil" "log" + "os" ) var ( - NextProtos = []string{"h2", "http/1.1"} - HostToCertificate map[string]*tls.Certificate - HostClientAuth map[string]*x509.CertPool + NextProtos = []string{"h2", "http/1.1"} + + HostToECDSACertificate map[string]*tls.Certificate + HostECDSAClientAuth map[string]*x509.CertPool + + HostToEdDSACertificate map[string]*tls.Certificate + HostEdDSAClientAuth map[string]*x509.CertPool + + HostToGOSTCertificate map[string]*tls.Certificate + HostGOSTClientAuth map[string]*x509.CertPool ) +func CHIHasTLS13(chi *tls.ClientHelloInfo) bool { + for _, v := range chi.SupportedVersions { + if v == tls.VersionTLS13 { + return true + } + } + return false +} + +func CHIHasEdDSA(chi *tls.ClientHelloInfo) bool { + if !CHIHasTLS13(chi) { + return false + } + for _, ss := range chi.SignatureSchemes { + if ss == tls.Ed25519 { + return true + } + } + return false +} + func GetCertificate(chi *tls.ClientHelloInfo) (*tls.Certificate, error) { - cert := HostToCertificate[chi.ServerName] + if CHIHasGOST(chi) { + if cert := HostToGOSTCertificate[chi.ServerName]; cert != nil { + return cert, nil + } + } + if CHIHasEdDSA(chi) { + if cert := HostToEdDSACertificate[chi.ServerName]; cert != nil { + return cert, nil + } + } + cert := HostToECDSACertificate[chi.ServerName] if cert == nil { return nil, errors.New("no certificate found") } @@ -42,7 +80,16 @@ func GetCertificate(chi *tls.ClientHelloInfo) (*tls.Certificate, error) { } func GetConfigForClient(chi *tls.ClientHelloInfo) (*tls.Config, error) { - pool := HostClientAuth[chi.ServerName] + var pool *x509.CertPool + if CHIHasGOST(chi) { + pool = HostGOSTClientAuth[chi.ServerName] + } + if pool == nil && CHIHasEdDSA(chi) { + pool = HostEdDSAClientAuth[chi.ServerName] + } + if pool == nil { + pool = HostECDSAClientAuth[chi.ServerName] + } if pool == nil { return nil, nil } @@ -54,62 +101,76 @@ func GetConfigForClient(chi *tls.ClientHelloInfo) (*tls.Config, error) { }, nil } -func LoadCertificates() { - HostToCertificate = make(map[string]*tls.Certificate, len(Hosts)) - HostClientAuth = make(map[string]*x509.CertPool) - for host, cfg := range Hosts { - if cfg.TLS == nil { - continue +func loadCertificates( + host string, + cfg *TLSCfg, + hostToCertificate *map[string]*tls.Certificate, + hostClientAuth *map[string]*x509.CertPool, +) { + if cfg == nil { + return + } + cert, err := tls.LoadX509KeyPair(cfg.Cert, cfg.Key) + if err != nil { + log.Fatalln(err) + } + if cfg.CACert != "" { + data, err := os.ReadFile(cfg.CACert) + if err != nil { + log.Fatalln(err) + } + block, _ := pem.Decode(data) + if block == nil { + log.Fatalln(fmt.Errorf("no PEM found: %s", cfg.CACert)) + } + if block.Type != "CERTIFICATE" { + log.Fatalln(fmt.Errorf("non CERTIFICATE: %s", cfg.CACert)) } - cert, err := tls.LoadX509KeyPair(cfg.TLS.Cert, cfg.TLS.Key) + cert.Certificate = append(cert.Certificate, block.Bytes) + } + (*hostToCertificate)[host] = &cert + pool := x509.NewCertPool() + for _, p := range cfg.ClientCAs { + data, err := os.ReadFile(p) if err != nil { log.Fatalln(err) } - if cfg.TLS.CACert != "" { - data, err := ioutil.ReadFile(cfg.TLS.CACert) - if err != nil { - log.Fatalln(err) - } - block, _ := pem.Decode(data) + var block *pem.Block + for len(data) > 0 { + block, data = pem.Decode(data) if block == nil { - log.Fatalln(fmt.Errorf("no PEM found: %s", cfg.TLS.CACert)) + log.Fatalln("can not decode PEM:", p) } if block.Type != "CERTIFICATE" { - log.Fatalln(fmt.Errorf("non CERTIFICATE: %s", cfg.TLS.CACert)) + continue } - cert.Certificate = append(cert.Certificate, block.Bytes) - } - HostToCertificate[host] = &cert - pool := x509.NewCertPool() - for _, p := range cfg.TLS.ClientCAs { - data, err := ioutil.ReadFile(p) + ca, err := x509.ParseCertificate(block.Bytes) if err != nil { log.Fatalln(err) } - var block *pem.Block - for len(data) > 0 { - block, data = pem.Decode(data) - if block == nil { - log.Fatalln("can not decode PEM:", p) - } - if block.Type != "CERTIFICATE" { - continue - } - ca, err := x509.ParseCertificate(block.Bytes) - if err != nil { - log.Fatalln(err) - } - pool.AddCert(ca) - } - } - if len(pool.Subjects()) > 0 { - HostClientAuth[host] = pool + pool.AddCert(ca) + (*hostClientAuth)[host] = pool } } } +func LoadCertificates() { + HostToECDSACertificate = make(map[string]*tls.Certificate, len(Hosts)) + HostECDSAClientAuth = make(map[string]*x509.CertPool) + HostToEdDSACertificate = make(map[string]*tls.Certificate, len(Hosts)) + HostEdDSAClientAuth = make(map[string]*x509.CertPool) + HostToGOSTCertificate = make(map[string]*tls.Certificate, len(Hosts)) + HostGOSTClientAuth = make(map[string]*x509.CertPool) + for host, cfg := range Hosts { + loadCertificates(host, cfg.ECDSATLS, &HostToECDSACertificate, &HostECDSAClientAuth) + loadCertificates(host, cfg.EdDSATLS, &HostToEdDSACertificate, &HostEdDSAClientAuth) + loadCertificates(host, cfg.GOSTTLS, &HostToGOSTCertificate, &HostGOSTClientAuth) + } +} + func NewTLSConfig() *tls.Config { return &tls.Config{ + MinVersion: tls.VersionTLS12, NextProtos: NextProtos, GetCertificate: GetCertificate, GetConfigForClient: GetConfigForClient,