From: Sergey Matveev
Date: Sun, 5 Sep 2021 15:52:29 +0000 (+0300)
Subject: Tiny refactor, no keep-alive restrictions
X-Git-Tag: v0.1.0~89
X-Git-Url: http://www.git.stargrave.org/?a=commitdiff_plain;h=e0874503d7bc16fb92ca0cd9bcd21a437fafd77e;p=tofuproxy.git

Tiny refactor, no keep-alive restrictions
---

diff --git a/dane.go b/dane.go
index 2b850d8..f660f02 100644
--- a/dane.go
+++ b/dane.go
@@ -28,6 +28,10 @@ import (
 	"github.com/miekg/dns"
 )
 
+var (
+	dnsSrv *string
+)
+
 func dane(addr string, cert *x509.Certificate) (bool, bool) {
 	if *dnsSrv == "" {
 		return false, false
diff --git a/main.go b/main.go
index 79e355e..ac80e2a 100644
--- a/main.go
+++ b/main.go
@@ -19,10 +19,8 @@ package main
 import (
 	"context"
 	"crypto"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/hex"
 	"flag"
 	"fmt"
 	"io"
@@ -33,7 +31,6 @@ import (
 	"os"
 	"os/exec"
 	"strings"
-	"sync"
 	"time"
 
 	"github.com/dustin/go-humanize"
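Review bot: The new `dnsSrv *string` in dane.go is declared but never assigned in this file, and `dane` dereferences it unconditionally on its first visible line, so the contract that some other file (presumably the flag registration that used to sit next to it in main.go) fills the pointer before any call is now invisible here and a missing assignment would nil-panic rather than fail closed. Making the dependency explicit on the declaration helps the next reader, e.g. `dnsSrv *string // DNS resolver address; assigned from the command-line flag in main.go before dane is called`, and the guard can fail closed instead of panicking with `if dnsSrv == nil || *dnsSrv == "" {`. A parenthesised `var (...)` block for a single variable is also unusual style; a plain `var dnsSrv *string` reads the same. dane's body continues outside the hunk.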
@@ -42,51 +39,18 @@ import (
 
 var (
 	tlsNextProtoS = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
-	tlsNextProtoC = make(map[string]func(string, *tls.Conn) http.RoundTripper)
 	caCert *x509.Certificate
 	caPrv crypto.PrivateKey
-	certs *string
-	dnsSrv *string
 	transport = http.Transport{
-		ForceAttemptHTTP2: false,
-		DisableKeepAlives: true,
-		MaxIdleConnsPerHost: 2,
-		TLSNextProto: tlsNextProtoC,
-		DialTLSContext: dialTLS,
+		ForceAttemptHTTP2: false,
+		TLSNextProto: make(map[string]func(string, *tls.Conn) http.RoundTripper),
+		DialTLSContext: dialTLS,
 	}
 
-	accepted = make(map[string]string)
-	acceptedM sync.RWMutex
-	rejected = make(map[string]string)
-	rejectedM sync.RWMutex
-
 	CmdDWebP = "dwebp"
 	CmdDJXL = "djxl"
 )
 
-func spkiHash(cert *x509.Certificate) string {
-	hsh := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
-	return hex.EncodeToString(hsh[:])
-}
-
-func acceptedAdd(addr, h string) {
-	acceptedM.Lock()
-	accepted[addr] = h
-	acceptedM.Unlock()
-}
-
-func rejectedAdd(addr, h string) {
-	rejectedM.Lock()
-	rejected[addr] = h
-	rejectedM.Unlock()
-}
-
-type ErrRejected struct {
-	addr string
-}
-
-func (err ErrRejected) Error() string { return err.addr + " was rejected" }
-
 func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
 	host := strings.TrimSuffix(addr, ":443")
 	cfg := tls.Config{
@@ -411,7 +375,6 @@ func main() {
 		Handler: &Handler{},
 		TLSNextProto: tlsNextProtoS,
 	}
-	srv.SetKeepAlivesEnabled(false)
 	log.Println("listening:", *bind)
 	if err := srv.Serve(ln); err != nil {
 		log.Fatalln(err)
diff --git a/verify.go b/verify.go
index 6c1ed9e..f6844cd 100644
--- a/verify.go
+++ b/verify.go
@@ -18,7 +18,9 @@ package main
 
 import (
 	"bytes"
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/hex"
 	"encoding/pem"
 	"fmt"
 	"log"
@@ -26,6 +28,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"sync"
 
 	"go.cypherpunks.ru/ucspi"
 )
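Review bot: Removing `DisableKeepAlives: true` from `transport` turns on client-side connection pooling, but the new literal sets no `IdleConnTimeout`, and the zero value means pooled connections are never expired by the transport; a TLS connection that `dialTLS` admitted (its checks are outside the hunk) therefore remains reusable for new requests to that host indefinitely, including after the operator has since recorded the certificate with `rejectedAdd`, until the peer itself closes it. Bounding the idle lifetime keeps that window short and is one line, `IdleConnTimeout: 90 * time.Second,` (time is already imported; the value is an example, not a requirement). Dropping `MaxIdleConnsPerHost: 2` is behavior-neutral, since it equals the package default. A comment on the transport literal stating that per-connection trust decisions are made in dialTLS and that pooled connections outlive later changes to accepted/rejected would make the trade-off visible to the next maintainer.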
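Review bot: With `srv.SetKeepAlivesEnabled(false)` removed in main(), every client connection to the proxy now stays open between requests, and the visible part of the `http.Server` literal (`Handler`, `TLSNextProto`) sets no `IdleTimeout` or `ReadHeaderTimeout`; if the fields above the hunk do not set them either, an idle or stalled client holds a goroutine and a file descriptor for as long as it likes. Setting `IdleTimeout: 2 * time.Minute,` next to `Handler` bounds that (example value); if the struct already sets a timeout above the hunk this does not apply. The server literal and main's body both begin outside the hunk.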
@@ -33,8 +36,37 @@ import (
 var (
 	CmdCerttool = "certtool"
 	CmdWish = "wish8.7"
+
+	certs *string
+	accepted = make(map[string]string)
+	acceptedM sync.RWMutex
+	rejected = make(map[string]string)
+	rejectedM sync.RWMutex
 )
 
+func spkiHash(cert *x509.Certificate) string {
+	hsh := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
+	return hex.EncodeToString(hsh[:])
+}
+
+func acceptedAdd(addr, h string) {
+	acceptedM.Lock()
+	accepted[addr] = h
+	acceptedM.Unlock()
+}
+
+func rejectedAdd(addr, h string) {
+	rejectedM.Lock()
+	rejected[addr] = h
+	rejectedM.Unlock()
+}
+
+type ErrRejected struct {
+	addr string
+}
+
+func (err ErrRejected) Error() string { return err.addr + " was rejected" }
+
 func certInfo(certRaw []byte) string {
 	cmd := exec.Command(CmdCerttool, "--certificate-info", "--inder")
 	cmd.Stdin = bytes.NewReader(certRaw)
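Review bot: `acceptedAdd` and `rejectedAdd` each write only their own map, so an address that is first rejected and later accepted (or the reverse) ends up listed in both `accepted` and `rejected`, and which one wins is then decided by the read order in callers outside this hunk. Clearing the stale entry makes the state unambiguous: in `acceptedAdd`, after `acceptedM.Unlock()`, add `rejectedM.Lock(); delete(rejected, addr); rejectedM.Unlock()`, and the mirror in `rejectedAdd` — taken sequentially, not nested inside the other lock, so the two helpers cannot deadlock against each other. The moved declarations also carry no doc comments; `spkiHash` deserves `// spkiHash returns the hex-encoded SHA-256 of cert's SubjectPublicKeyInfo.` and the maps a comment stating what the key and value are (address and, presumably, that hash — verify against callers). `certs *string` repeats the pattern of a pointer that is assigned in some other file; a comment naming where would help.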