kris
/
th5
1
0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Alternative TLS implementation in Go
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
549 Commits
3 Branches
2.6 MiB
 
 
Struktur: 36f2800cb3
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „36f2800cb3“
${ noResults }
th5/_dev/tris-localserver/server.go

314 Zeilen
11 KiB
Originalformat Blame Verlauf 

  1. package main

  2. 

  3. import (

  4. 	"crypto/tls"

  5. 	"crypto/x509"

  6. 	"encoding/hex"

  7. 	"errors"

  8. 	"flag"

  9. 	"fmt"

  10. 	"io/ioutil"

  11. 	"log"

  12. 	"net/http"

  13. 	"os"

  14. 	"strings"

  15. 	"time"

  16. )

  17. 

  18. type ZeroRTT_t int

  19. type PubKeyAlgo_t int

  20. 

  21. // Bitset

  22. const (

  23. 	ZeroRTT_None   ZeroRTT_t = 0

  24. 	ZeroRTT_Offer            = 1 << 0

  25. 	ZeroRTT_Accept           = 1 << 1

  26. )

  27. 

  28. type server struct {

  29. 	Address string

  30. 	ZeroRTT ZeroRTT_t

  31. 	TLS     tls.Config

  32. }

  33. 

  34. var tlsVersionToName = map[uint16]string{

  35. 	tls.VersionTLS10: "1.0",

  36. 	tls.VersionTLS11: "1.1",

  37. 	tls.VersionTLS12: "1.2",

  38. 	tls.VersionTLS13: "1.3",

  39. }

  40. 

  41. func NewServer() *server {

  42. 	s := new(server)

  43. 	s.ZeroRTT = ZeroRTT_None

  44. 	s.Address = "0.0.0.0:443"

  45. 	s.TLS = tls.Config{

  46. 		GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {

  47. 			// If we send the first flight too fast, NSS sends empty early data.

  48. 			time.Sleep(500 * time.Millisecond)

  49. 			return nil, nil

  50. 		},

  51. 		MaxVersion: tls.VersionTLS13,

  52. 		ClientAuth: tls.NoClientCert,

  53. 	}

  54. 

  55. 	return s

  56. }

  57. 

  58. func enableQR(s *server, enableDefault bool) {

  59. 	var sidhCurves = []tls.CurveID{tls.HybridSidhP503Curve25519}

  60. 	if enableDefault {

  61. 		var defaultCurvePreferences = []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521}

  62. 		s.TLS.CurvePreferences = append(s.TLS.CurvePreferences, defaultCurvePreferences...)

  63. 	}

  64. 	s.TLS.CurvePreferences = append(s.TLS.CurvePreferences, sidhCurves...)

  65. }

  66. 

  67. func (s *server) start() {

  68. 	var err error

  69. 	if (s.ZeroRTT & ZeroRTT_Offer) == ZeroRTT_Offer {

  70. 		s.TLS.Max0RTTDataSize = 100 * 1024

  71. 	}

  72. 

  73. 	if keyLogFile := os.Getenv("SSLKEYLOGFILE"); keyLogFile != "" {

  74. 		s.TLS.KeyLogWriter, err = os.OpenFile(keyLogFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)

  75. 		if err != nil {

  76. 			log.Fatalf("Cannot open keylog file: %v", err)

  77. 		}

  78. 		log.Println("Enabled keylog")

  79. 	}

  80. 

  81. 	s.TLS.ClientCAs = x509.NewCertPool()

  82. 	s.TLS.ClientCAs.AppendCertsFromPEM([]byte(rsaCa_client))

  83. 	s.TLS.Accept0RTTData = ((s.ZeroRTT & ZeroRTT_Accept) == ZeroRTT_Accept)

  84. 	s.TLS.NextProtos = []string{"npn_proto"}

  85. 

  86. 	httpServer := &http.Server{

  87. 		Addr:      s.Address,

  88. 		TLSConfig: &s.TLS,

  89. 	}

  90. 	log.Fatal(httpServer.ListenAndServeTLS("", ""))

  91. }

  92. 

  93. // setServerCertificateFromArgs sets server certificate from an argument provided by the caller. Possible values

  94. // for arg_cert:

  95. // * "rsa": sets hardcoded RSA keypair

  96. // * "ecdsa": sets hardcoded ECDSA keypair

  97. // * FILE1:FILE2: Uses private key from FILE1 and public key from FILE2. Both must be in PEM format. FILE2 can

  98. //   be single certificate or certificate chain.

  99. // * nil: fallbacks to "rsa"

  100. //

  101. // Function generate a panic in case certificate can't be correctly set

  102. func (s *server) setServerCertificateFromArgs(arg_cert *string) {

  103. 	var certStr, keyStr []byte

  104. 	var cert tls.Certificate

  105. 	var err error

  106. 

  107. 	if arg_cert == nil {

  108. 		// set rsa by default

  109. 		certStr, keyStr = []byte(rsaCert), []byte(rsaKey)

  110. 	} else {

  111. 		switch *arg_cert {

  112. 		case "rsa":

  113. 			certStr, keyStr = []byte(rsaCert), []byte(rsaKey)

  114. 		case "ecdsa":

  115. 			certStr, keyStr = []byte(ecdsaCert), []byte(ecdsaKey)

  116. 		default:

  117. 			files := strings.Split(*arg_cert, ":")

  118. 			if len(files) != 2 {

  119. 				err = errors.New("Wrong format provided after -cert.")

  120. 				goto err

  121. 			}

  122. 			keyStr, err = ioutil.ReadFile(files[0])

  123. 			if err != nil {

  124. 				goto err

  125. 			}

  126. 			certStr, err = ioutil.ReadFile(files[1])

  127. 			if err != nil {

  128. 				goto err

  129. 			}

  130. 		}

  131. 	}

  132. 

  133. 	cert, err = tls.X509KeyPair(certStr, keyStr)

  134. 	if err != nil {

  135. 		goto err

  136. 	}

  137. 

  138. 	s.TLS.Certificates = []tls.Certificate{cert}

  139. err:

  140. 	if err != nil {

  141. 		// Not possible to proceed really

  142. 		log.Fatal(err)

  143. 		panic(err)

  144. 	}

  145. }

  146. 

  147. func main() {

  148. 

  149. 	s := NewServer()

  150. 

  151. 	arg_addr := flag.String("b", "0.0.0.0:443", "Address:port used for binding")

  152. 	arg_cert := flag.String("cert", "rsa", "Public algorithm to use:\nOptions [rsa, ecdsa, PrivateKeyFile:CertificateChainFile]")

  153. 	arg_zerortt := flag.String("rtt0", "n", `0-RTT, accepts following values [n: None, a: Accept, o: Offer, oa: Offer and Accept]`)

  154. 	arg_confirm := flag.Bool("rtt0ack", false, "0-RTT confirm")

  155. 	arg_clientauth := flag.Bool("cliauth", false, "Performs client authentication (RequireAndVerifyClientCert used)")

  156. 	arg_qr := flag.String("qr", "", "Enable quantum-resistant algorithms [c: Support classical and Quantum-Resistant, q: Enable Quantum-Resistant only]")

  157. 	flag.Parse()

  158. 

  159. 	s.Address = *arg_addr

  160. 

  161. 	s.setServerCertificateFromArgs(arg_cert)

  162. 

  163. 	if *arg_zerortt == "a" {

  164. 		s.ZeroRTT = ZeroRTT_Accept

  165. 	} else if *arg_zerortt == "o" {

  166. 		s.ZeroRTT = ZeroRTT_Offer

  167. 	} else if *arg_zerortt == "oa" {

  168. 		s.ZeroRTT = ZeroRTT_Offer | ZeroRTT_Accept

  169. 	}

  170. 

  171. 	if *arg_clientauth {

  172. 		s.TLS.ClientAuth = tls.RequireAndVerifyClientCert

  173. 	}

  174. 

  175. 	if *arg_qr == "c" {

  176. 		enableQR(s, true)

  177. 	} else if *arg_qr == "q" {

  178. 		enableQR(s, false)

  179. 	}

  180. 

  181. 	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {

  182. 		tlsConn := r.Context().Value(http.TLSConnContextKey).(*tls.Conn)

  183. 

  184. 		with0RTT := ""

  185. 		if !tlsConn.ConnectionState().HandshakeConfirmed {

  186. 			with0RTT = " [0-RTT]"

  187. 		}

  188. 		if *arg_confirm || r.URL.Path == "/confirm" {

  189. 			if err := tlsConn.ConfirmHandshake(); err != nil {

  190. 				log.Fatal(err)

  191. 			}

  192. 			if with0RTT != "" {

  193. 				with0RTT = " [0-RTT confirmed]"

  194. 			}

  195. 			if !tlsConn.ConnectionState().HandshakeConfirmed {

  196. 				panic("HandshakeConfirmed false after ConfirmHandshake")

  197. 			}

  198. 		}

  199. 

  200. 		resumed := ""

  201. 		if r.TLS.DidResume {

  202. 			resumed = " [resumed]"

  203. 		}

  204. 

  205. 		http2 := ""

  206. 		if r.ProtoMajor == 2 {

  207. 			http2 = " [HTTP/2]"

  208. 		}

  209. 

  210. 		fmt.Fprintf(w, "<!DOCTYPE html><p>Hello TLS %s%s%s%s _o/\n", tlsVersionToName[r.TLS.Version], resumed, with0RTT, http2)

  211. 	})

  212. 

  213. 	http.HandleFunc("/ch", func(w http.ResponseWriter, r *http.Request) {

  214. 		w.Header().Set("Content-Type", "text/plain")

  215. 		fmt.Fprintf(w, "Client Hello packet (%d bytes):\n%s", len(r.TLS.ClientHello), hex.Dump(r.TLS.ClientHello))

  216. 	})

  217. 

  218. 	s.start()

  219. }

  220. 

  221. const (

  222. 	rsaKey = `-----BEGIN RSA PRIVATE KEY-----

  223. MIIEpAIBAAKCAQEA1DHcIM3SThFqy8nAkPQFX0E7ph8jqh8EATXryjKHGuVjR3Xh

  224. OQ0BSPoJxyfdg/VEwevFrtmZAfz0WCbxvP2SVCmf7oobg4V2KPSo3nNt9vlBFUne

  225. RtIyHRQ8YRnGSWaRHzJbX6ffltnG2aD+8qUfk161rdZgxBA9G0Ga47IkwQhT2Hqu

  226. H3dW2Uu4W2WMyt6gX/tdyEAV57MOPcoceknr7Nb2kfiuDPR7h6wFrW3I6eoj8oX2

  227. SkIOuVNt1Z31BAUcPJDUjqopI0o9tolM/7X13M8dEY0OJQVr7FQYDF9JeSYeEMyb

  228. wizjBaHDm48mSghP1o5UssQBbNNC83btXCjiLQIDAQABAoIBACzvGgRAUYaCnbDl

  229. 2kdXxUN0luMIuQ6vXrO67WF17bI+XRWm2riwDlObzzJDON9Wsua1vLjYD1SickOw

  230. i4RP1grIfbuPt1/UhT8LAC+LFgA0rBmL+OvaWw5ZWKffQ2QLujN3AG5zKB/Tog43

  231. z4UmfldAuQxE11zta2M4M0qAUNQnQj1oiuI8RUdG0VvvLw8Htdi1ogH0CI5R669z

  232. NjHt+JV+2gzKx6EX0s8mQL3yXGkC2xXItRbFclyCMJEhPS7QbBu+tru35N6WpzAq

  233. BCl2Q7LQogvSA6MXuMOx6CyuExVfgmhbfeoheLE8gmXwl0Y37n/g6ZBZFAtpCjcs

  234. UckPv0ECgYEA1orl7RwgIsZljMap6vWtMGoRIHKmT91DGpMmkh4suZe+yAk85maU

  235. 49Vd+8ZfIN41AH37yrsGOcPHgz5o5QufELpoub6DCsQ7u9F1vQp55cp+qyBWzAgz

  236. b/xUuVnIyv3kLan3fpk7ZGCBXFBpLG0QXMFOHtda3Mlk5SmuoEYaYRkCgYEA/TLR

  237. u4neKqyqwsqMuRJGC1iKFVmfCjZeNMtPNbTWpdqez/vvT8APnEpIumUGt8YROLGZ

  238. 8biUr5/ViOkmaP3wmQbO9m2/cE01lMTYv75w1cw2KVQe6kAHJkOx+JEx9xg53RJ/

  239. QlFtG5MQUy2599Gxp8BMGaXLH5yo4qwvNvY6CDUCgYEArxr7AwX7rKZlZ/sV4HHY

  240. gzVu+R7aY0DibiRATO5X7rrNuhLgI+UCDNqvNLn6FqeGdvpcsmDneeozQwmDL77G

  241. ey7KHyBBcF4tquQQxtRwHX+i1yUz8p+W7AX1WLrRSezjeenJ2QhUE1849hGjZeE2

  242. g546lq2Kub2enfPhVWsiSLECgYEA72T5QCPeVuLioUH5Q5Kvf1K7W+xcnr9A2xHP

  243. Vqwgtre5qFQ/tFuXZuIlWXbjnyY6aiwhrZYjntm0f7pRgrt2nHj/fafOdVPK8Voc

  244. xU4+SSbHntPWVw0qtVcUEjzVzRauvwMaJ43tZ0DpEnwNdO5i1oTObwF+x+jLFWZP

  245. TdwIinECgYBzjZeCxxOMk5SlPpTsLUtgC+q3m1AavXhUVNEPP2gKMOIPTETPbhbG

  246. LBxB2vVbJiS3J7itQy8gceT89O0vSEZnaTPXiM/Ws1QbkBJ8yW7KI7X4WuzN4Imq

  247. /cLBRXLb8R328U27YyQFNGMjr2tX/+vx5FulJjSloWMRNuFWUngv7w==

  248. -----END RSA PRIVATE KEY-----`

  249. 	rsaCert = `-----BEGIN CERTIFICATE-----

  250. MIIC+jCCAeKgAwIBAgIRANBDimJ/ww2tz77qcYIhuZowDQYJKoZIhvcNAQELBQAw

  251. EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xNjA5MjQxNzI5MTlaFw0yNjA5MjIxNzI5

  252. MTlaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw

  253. ggEKAoIBAQDUMdwgzdJOEWrLycCQ9AVfQTumHyOqHwQBNevKMoca5WNHdeE5DQFI

  254. +gnHJ92D9UTB68Wu2ZkB/PRYJvG8/ZJUKZ/uihuDhXYo9Kjec232+UEVSd5G0jId

  255. FDxhGcZJZpEfMltfp9+W2cbZoP7ypR+TXrWt1mDEED0bQZrjsiTBCFPYeq4fd1bZ

  256. S7hbZYzK3qBf+13IQBXnsw49yhx6Sevs1vaR+K4M9HuHrAWtbcjp6iPyhfZKQg65

  257. U23VnfUEBRw8kNSOqikjSj22iUz/tfXczx0RjQ4lBWvsVBgMX0l5Jh4QzJvCLOMF

  258. ocObjyZKCE/WjlSyxAFs00Lzdu1cKOItAgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIF

  259. oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC

  260. CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAygPV4enmvwSuMd1JarxOXpOK

  261. Z4Nsk7EKlfCPgzxQUOkFdLIr5ZG1kUkQt/omzTmoIWjLAsoYzT0ZCPOrioczKsWj

  262. MceFUIkT0w+eIl+8DzauPy34o8rjcApglF165UG3iphlpI+jdPzv5TBarUAbwsFb

  263. ClMLEiNJQ0OMxAIaRtb2RehD4q3OWlpWf6joJ36PRBqL8T5+f2x6Tg3c64UR+QPX

  264. 98UcCQHHdEhm7y2z5Z2Wt0B48tZ+UAxDEoEwMghNyw7wUD79IRlXGYypBnXaMuLX

  265. 46aGxbsSQ7Rfg62Co3JG7vo+eJd0AoZHrtFUnfM8V70IFzMBZnSwRslHRJe56Q==

  266. -----END CERTIFICATE-----`

  267. 	rsaCa_client = `-----BEGIN CERTIFICATE-----

  268. MIIFYDCCA0igAwIBAgIJAPpBgIvtQb1EMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV

  269. BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX

  270. aWRnaXRzIFB0eSBMdGQwHhcNMTgwMjEzMjAxNjA3WhcNMTkwMjEzMjAxNjA3WjBF

  271. MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50

  272. ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC

  273. CgKCAgEAr4xgdmB4DaEh8zRFmg/1ZxYhQZMUP0iQX/Y8nDWxNlcd42p3TgpY1biz

  274. jrq58ln9Om4U/GAn2RmtBAynSBXIlR5oVa44JeMM8Ka8R/dMKyHpF0Nj2EJB9unb

  275. TC33PfzOlnKQxATwevnnhI6tGluWmwvxXUi7WnX0di+nQg9HrIVom3KrmRr2/41y

  276. g497ccYUuNnKE6sewGdGzw045oWZpMDA2Us+MFo1IywOurjaM9bueRhPTcIiQ8RE

  277. h7qb+FRwfxaj9ynZA2PCM7WMSSWCiZJV0uj/pshYF2lvtJcJef4dhwnsYBpc+mgx

  278. 2q9qcUBeo3ZHbi1/PRqjwSmcW3yY5cQRbpYp6xFmgmX3oHQkVXS0UlpNVZ+morcS

  279. HEpaK8b76fCFcL5yFsAJkPPfny1IKU+CfaVq60dM/mxbEW6J4mZT/uAiqrCilMC+

  280. FyiATCZur8Ks7p47eZy700DllLod7gWTiuZTgHeQFVoX+jxbCZKlFn5Xspu8ALoK

  281. Mla/q83mICRVy3+eMUsD7DNvoWYpCAYy/oMk0VWfrQ48JkCGbBW2PW/dU2nmqVhY

  282. /11rurkr+1TUvYodnajANtXvUjW1DPOLb4dES4Qc4b7Fw8eFXrARhl5mXiL5HFKR

  283. /VnRshiJ+QwTVkxl+KkZHEm/WS8QD+Zd8leAxh9MCoaU/XrBUBkCAwEAAaNTMFEw

  284. HQYDVR0OBBYEFKUinuD1xRvcNd2Wti/PnBJp7On1MB8GA1UdIwQYMBaAFKUinuD1

  285. xRvcNd2Wti/PnBJp7On1MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQAD

  286. ggIBAJdJrNBftqkTs2HyuJ3x5RIsTxYh85hJYwNOdFLyzVG6HER9jRCnvmNTjG0O

  287. I5wz5hQvDpwXs4BCCXHQZrTLAi3BEjq3AjrmR/XeGHulbWh3eh8LVu7MiLRgt+Ys

  288. GnL2IaERrbkje24nCCMNPbI3fGDQEhTIYmmX8RJp+5BOJgCycKk6pFgfrjJv2C+d

  289. 78pcjlYII6M4vPnr/a08M49Bq6b5ADvIfe5G2KrUvD/+vwoAwv6d/daymHCQ2rY5

  290. kmdVk9VUp3Q4uKoeej4ENJSAUNTV7oTu346oc7q9sJffB5OltqbrE7ichak7lL+v

  291. EjArZHElAhKNFXRZViCMvGDs+7JztqbsfT8Xb6Z27e+WyudB2bOUGm3hKuTIl06D

  292. bA7yUskwEhmkd1CJqO5RLEJjKitOqe6Ye0/GsmPQNDK8GvyXTyGQK5OqBuzEexF0

  293. mlPoIhpSVH3K9SkRTTHvvcbdYlaQLi6gKq2uhbk4PnS2nfBtXqYIy9mxcgBJzLiB

  294. /ydfLcf3GClwgvO1JHp6qAl4CO7oe8jqHpoGuznwi1aqkTyNkQWh0OXq3MS+dyqB

  295. 2yXFCFIeKCx18TE1OtuTD3ppBDjpyd0o/a6kYR3FDmdks/J33bGwLsLH3lbN6VjF

  296. PNfNkaE1tfkpSGYsuT1DPxX8aAT4JLUfZ1Si6iO+E0Sj9LXA

  297. -----END CERTIFICATE-----`

  298. 	ecdsaCert = `-----BEGIN CERTIFICATE-----

  299. MIIBbTCCAROgAwIBAgIQZCsHZcs5ZkzV+zC2E6j5RzAKBggqhkjOPQQDAjASMRAw

  300. DgYDVQQKEwdBY21lIENvMB4XDTE2MDkyNDE3NTE1OFoXDTI2MDkyMjE3NTE1OFow

  301. EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDTO

  302. B3IyzjYfKCp2HWy+P3QHxhdBT4AUGYgwTiSEj5phumPIahFNcOSWptN0UzlZvJdN

  303. MMjVmrFYK/FjF4abkNKjSzBJMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr

  304. BgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAKBggq

  305. hkjOPQQDAgNIADBFAiEAp9W157PM1IadPBc33Cbj7vaFvp+rXs/hSuMCzP8pgV8C

  306. IHCswo1qiC0ZjQmWsBlmz5Zbp9rOorIzBYmGRhRdNs3j

  307. -----END CERTIFICATE-----`

  308. 	ecdsaKey = `-----BEGIN EC PRIVATE KEY-----

  309. MHcCAQEEIFdhO7IW5UIwpB1e2Vunm9QyKvUHWcVwGfLjhpOajuR7oAoGCCqGSM49

  310. AwEHoUQDQgAENM4HcjLONh8oKnYdbL4/dAfGF0FPgBQZiDBOJISPmmG6Y8hqEU1w

  311. 5Jam03RTOVm8l00wyNWasVgr8WMXhpuQ0g==

  312. -----END EC PRIVATE KEY-----`

  313. )