
This is the implementation of the server running on crypto.cloudflare.com

kris/server/www.crypto.cloudflare.com
Kris Kwiatkowski 5 年前
父节点
当前提交
aca40d198f
共有 3 个文件被更改,包括 42 次插入108 次删除
  1. +1
    -1
      _dev/Makefile
  2. +0
    -60
      _dev/patches/88253a956a753213617d95af3f42a23a78798473.patch
  3. +41
    -47
      _dev/tris-localserver/server.go

+ 1
- 1
_dev/Makefile 查看文件

@@ -79,7 +79,7 @@ endif

build-test-%: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
$(DOCKER) build $(BUILDARG) -t tls-tris:$* $(DEV_DIR)/$*
$(DOCKER) build $(BUILDARG) -t $(*)-localserver $(DEV_DIR)/$*
$(DOCKER) build GOARCH=arm64 $(BUILDARG) -t $(*)-localserver $(DEV_DIR)/$*

build-all: \
build-test-tris-client \
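Review bot: `$(DOCKER) build GOARCH=arm64 $(BUILDARG) -t $(*)-localserver $(DEV_DIR)/$*` is not valid `docker build` syntax — the first non-flag argument is taken as the build context, so `GOARCH=arm64` would be treated as a directory and the real context path as a stray extra argument (assuming, from the +1/-1 counts, that this is the added line and the bare `$(DOCKER) build $(BUILDARG) -t $(*)-localserver` line is the removed one). If the intent is a cross-compiled binary inside the image, pass it as `--build-arg GOARCH=arm64` and have the Dockerfile under `$(DEV_DIR)/$*` (not visible here) declare `ARG GOARCH`; if the intent is a native arm64 image, `--platform linux/arm64` is the flag. A one-line comment above the rule stating why the localserver image is built for arm64 would also save the next reader a guess, since nothing else in the hunk explains it.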


+ 0
- 60
_dev/patches/88253a956a753213617d95af3f42a23a78798473.patch 查看文件

@@ -1,63 +0,0 @@
From 88253a956a753213617d95af3f42a23a78798473 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@cloudflare.com>
Date: Mon, 28 Nov 2016 05:24:21 +0000
Subject: [PATCH] net/http: attach TLSConnContextKey to the request Context

Change-Id: Ic59c84f992c829dc7da741b128dd6899366fa1d2
src/net/http/request.go | 4 +++-
src/net/http/server.go | 12 ++++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/net/http/request.go b/src/net/http/request.go
index 13f367c1a8..b2827ff123 100644
+++ b/src/net/http/request.go
@@ -275,7 +275,9 @@ type Request struct {
// was received. This field is not filled in by ReadRequest.
// The HTTP server in this package sets the field for
// TLS-enabled connections before invoking a handler;
- // otherwise it leaves the field nil.
+ // otherwise it leaves the field nil. The value is fixed
+ // at the state of the connection immediately after Handshake,
+ // for an immediate value use TLSConnContextKey.
// This field is ignored by the HTTP client.
TLS *tls.ConnectionState
diff --git a/src/net/http/server.go b/src/net/http/server.go
index 2fa8ab23d8..b0542cdbc3 100644
+++ b/src/net/http/server.go
@@ -223,6 +223,12 @@ var (
// the local address the connection arrived on.
// The associated value will be of type net.Addr.
LocalAddrContextKey = &contextKey{"local-addr"}
+
+ // TLSConnContextKey is a context key. It can be used in
+ // HTTP handlers with context.WithValue to access the
+ // underlying *tls.Conn being served. If the connection
+ // is not TLS, the key is not set.
+ TLSConnContextKey = &contextKey{"tls-conn"}
)
// A conn represents the server side of an HTTP connection.
@@ -969,6 +975,9 @@ func (c *conn) readRequest(ctx context.Context) (w *response, err error) {
delete(req.Header, "Host")
ctx, cancelCtx := context.WithCancel(ctx)
+ if tlsConn, ok := c.rwc.(*tls.Conn); ok {
+ ctx = context.WithValue(ctx, TLSConnContextKey, tlsConn)
+ }
req.ctx = ctx
req.RemoteAddr = c.remoteAddr
req.TLS = c.tlsState
@@ -3161,6 +3170,9 @@ func (h initNPNRequest) ServeHTTP(rw ResponseWriter, req *Request) {
if req.RemoteAddr == "" {
req.RemoteAddr = h.c.RemoteAddr().String()
}
+ if req.ctx != nil && req.ctx.Value(TLSConnContextKey) == nil {
+ req.ctx = context.WithValue(req.ctx, TLSConnContextKey, h.c)
+ }
h.h.ServeHTTP(rw, req)
}

+ 41
- 47
_dev/tris-localserver/server.go 查看文件

@@ -3,7 +3,6 @@ package main
import (
"crypto/tls"
"crypto/x509"
"encoding/hex"
"errors"
"flag"
"fmt"
@@ -12,6 +11,7 @@ import (
"net/http"
"os"
"strings"
"syscall"
"time"
)

@@ -56,7 +56,7 @@ func NewServer() *server {
}

func enablePQ(s *server, enableDefault bool) {
var pqGroups = []tls.CurveID{tls.HybridSIDHp503Curve25519, tls.HybridSIKEp503Curve25519}
var pqGroups = []tls.CurveID{tls.HybridSIDHp503Curve25519}
if enableDefault {
var defaultCurvePreferences = []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521}
s.TLS.CurvePreferences = append(s.TLS.CurvePreferences, defaultCurvePreferences...)
@@ -144,6 +144,18 @@ err:
}
}

func charsToString(ca []int8) string {
s := make([]byte, len(ca))
var lens int
for ; lens < len(ca); lens++ {
if ca[lens] == 0 {
break
}
s[lens] = uint8(ca[lens])
}
return string(s[0:lens])
}

func main() {

s := NewServer()
@@ -151,7 +163,7 @@ func main() {
arg_addr := flag.String("b", "0.0.0.0:443", "Address:port used for binding")
arg_cert := flag.String("cert", "rsa", "Public algorithm to use:\nOptions [rsa, ecdsa, PrivateKeyFile:CertificateChainFile]")
arg_zerortt := flag.String("rtt0", "n", `0-RTT, accepts following values [n: None, a: Accept, o: Offer, oa: Offer and Accept]`)
arg_confirm := flag.Bool("rtt0ack", false, "0-RTT confirm")
//arg_confirm := flag.Bool("rtt0ack", false, "0-RTT confirm")
arg_clientauth := flag.Bool("cliauth", false, "Performs client authentication (RequireAndVerifyClientCert used)")
arg_pq := flag.String("pq", "", "Enable quantum-resistant algorithms [c: Support classical and Quantum-Resistant, q: Enable Quantum-Resistant only]")
flag.Parse()
@@ -180,39 +192,32 @@ func main() {

http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
tlsConn := r.Context().Value(http.TLSConnContextKey).(*tls.Conn)
var buf syscall.Utsname

with0RTT := ""
if !tlsConn.ConnectionState().HandshakeConfirmed {
with0RTT = " [0-RTT]"
}
if *arg_confirm || r.URL.Path == "/confirm" {
if err := tlsConn.ConfirmHandshake(); err != nil {
log.Fatal(err)
}
if with0RTT != "" {
with0RTT = " [0-RTT confirmed]"
}
if !tlsConn.ConnectionState().HandshakeConfirmed {
panic("HandshakeConfirmed false after ConfirmHandshake")
}
}

resumed := ""
if r.TLS.DidResume {
resumed = " [resumed]"
}

http2 := ""
if r.ProtoMajor == 2 {
http2 = " [HTTP/2]"
err := syscall.Uname(&buf)
if err != nil {
panic("Uname error\n")
}

fmt.Fprintf(w, "<!DOCTYPE html><p>Hello TLS %s%s%s%s _o/\n", tlsVersionToName[r.TLS.Version], resumed, with0RTT, http2)
})

http.HandleFunc("/ch", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "text/plain")
fmt.Fprintf(w, "Client Hello packet (%d bytes):\n%s", len(r.TLS.ClientHello), hex.Dump(r.TLS.ClientHello))
node := charsToString(buf.Nodename[:])
release := charsToString(buf.Release[:])
version := charsToString(buf.Version[:])
machine := charsToString(buf.Machine[:])
sysname := charsToString(buf.Sysname[:])
_ = tlsConn
fmt.Fprintf(w, "<!DOCTYPE html><body style=\"font-family: courier\">Node\t\t\t\t: %s</br>Version\t\t\t\t: %s</br>Release\t\t\t\t: %s</br>Machine\t\t\t\t: %s</br>Sysname\t\t\t\t: %s</br><pre>", node, version, release, machine, sysname)
fmt.Fprintf(w, `
▄████▄ ██▀███ ▓██ ██▓ ██▓███ ▄▄▄█████▓ ▒█████
▒██▀ ▀█ ▓██ ▒ ██▒▒██ ██▒▓██░ ██▒▓ ██▒ ▓▒▒██▒ ██▒
▒▓█ ▄ ▓██ ░▄█ ▒ ▒██ ██░▓██░ ██▓▒▒ ▓██░ ▒░▒██░ ██▒
▒▓▓▄ ▄██▒▒██▀▀█▄ ░ ▐██▓░▒██▄█▓▒ ▒░ ▓██▓ ░ ▒██ ██░
▒ ▓███▀ ░░██▓ ▒██▒ ░ ██▒▓░▒██▒ ░ ░ ▒██▒ ░ ░ ████▓▒░
░ ░▒ ▒ ░░ ▒▓ ░▒▓░ ██▒▒▒ ▒▓▒░ ░ ░ ▒ ░░ ░ ▒░▒░▒░
░ ▒ ░▒ ░ ▒░▓██ ░▒░ ░▒ ░ ░ ░ ▒ ▒░
░ ░░ ░ ▒ ▒ ░░ ░░ ░ ░ ░ ░ ▒
░ ░ ░ ░ ░ ░ ░
░ ░ ░
`)
fmt.Fprintf(w, "</pre></body></html>")
})

s.start()
@@ -298,19 +303,6 @@ UQQgw5lFnKHZ9pk2VlKzgpkmd5fLMOhcHWQbsah9TFOuW5vEhWGHNhGCyGouWTzD
mkwlPS8arj/ymUn6t/oiwSOA6GbjQLnTXvoAjdBxnukQlNY6TUDk+lSQw0qfZGIA
xZywUgRbLZH8TFUnuEQps35XnWrY8rrXVj9+9h0B4g==
-----END CERTIFICATE-----`
ecdsaCert = `-----BEGIN CERTIFICATE-----
MIIBbTCCAROgAwIBAgIQZCsHZcs5ZkzV+zC2E6j5RzAKBggqhkjOPQQDAjASMRAw
DgYDVQQKEwdBY21lIENvMB4XDTE2MDkyNDE3NTE1OFoXDTI2MDkyMjE3NTE1OFow
EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDTO
B3IyzjYfKCp2HWy+P3QHxhdBT4AUGYgwTiSEj5phumPIahFNcOSWptN0UzlZvJdN
MMjVmrFYK/FjF4abkNKjSzBJMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
BgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAKBggq
hkjOPQQDAgNIADBFAiEAp9W157PM1IadPBc33Cbj7vaFvp+rXs/hSuMCzP8pgV8C
IHCswo1qiC0ZjQmWsBlmz5Zbp9rOorIzBYmGRhRdNs3j
ecdsaKey = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFdhO7IW5UIwpB1e2Vunm9QyKvUHWcVwGfLjhpOajuR7oAoGCCqGSM49
AwEHoUQDQgAENM4HcjLONh8oKnYdbL4/dAfGF0FPgBQZiDBOJISPmmG6Y8hqEU1w
5Jam03RTOVm8l00wyNWasVgr8WMXhpuQ0g==
ecdsaCert = ``
ecdsaKey = ``
)
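Review bot: The rewritten `/` handler now returns the host's `uname` fields — node name, kernel release and version, machine — to every unauthenticated client, which on a public endpoint is a gratuitous fingerprinting aid; keep Sysname/Machine if a banner is wanted but drop Release/Version or gate them behind a flag, and pass each value through `html.EscapeString` before interpolating it into the HTML body. The `tlsConn := r.Context().Value(http.TLSConnContextKey).(*tls.Conn)` line is still an unchecked assertion that panics when the key is absent, yet its only remaining use is `_ = tlsConn`, and this same commit deletes the patch that adds `TLSConnContextKey` to net/http — unless the toolchain supplies that key some other way, both lines should go. `syscall.Utsname` also makes this file Linux-only, and I believe on targets where C `char` is unsigned (arm64, which the Makefile now builds for) its fields are `[65]uint8`, so `charsToString(buf.Nodename[:])` with a `[]int8` parameter will not compile there; a `func(b []byte) string` that cuts at the first NUL via `bytes.IndexByte` works on both. Finally, `panic("Uname error\n")` inside a handler is recovered by net/http per connection but sends nothing back; `http.Error(w, "uname failed", http.StatusInternalServerError)` followed by `return` is the usual shape.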
