-
Notifications
You must be signed in to change notification settings - Fork 15
/
tls.go
171 lines (139 loc) · 4.69 KB
/
tls.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
package dslvm
import (
"context"
"crypto/tls"
"crypto/x509"
"sync"
"time"
"github.com/ooni/probe-engine/pkg/logx"
"github.com/ooni/probe-engine/pkg/model"
"github.com/ooni/probe-engine/pkg/netxlite"
)
// TLSHandshakeStage is a [Stage] that creates [*TLSConnection].
type TLSHandshakeStage struct {
// Input contains the MANDATORY channel from which to read [*TCPConnection]. We
// assume that this channel will be closed when done.
Input <-chan *TCPConnection
// InsecureSkipVerify OPTIONALLY skips TLS verification.
InsecureSkipVerify bool
// NextProtos OPTIONALLY configures the ALPN.
NextProtos []string
// Output is the MANDATORY channel emitting [*TLSConnection]. We will close this
// channel when the Input channel has been closed.
Output chan<- *TLSConnection
// RootCAs OPTIONALLY configures alternative root CAs.
RootCAs *x509.CertPool
// ServerName is the MANDATORY server name.
ServerName string
}
// TLSConnection is a TLS connection.
type TLSConnection struct {
Conn model.TLSConn
tx Trace
}
var _ HTTPConnection = &TLSConnection{}
// AsSingleUseTransport implements HTTPConnection.
func (c *TLSConnection) AsSingleUseTransport(logger model.Logger) model.HTTPTransport {
return netxlite.NewHTTPTransport(logger, netxlite.NewNullDialer(), netxlite.NewSingleUseTLSDialer(c.Conn))
}
// Close implements HTTPConnection.
func (c *TLSConnection) Close(logger model.Logger) error {
ol := logx.NewOperationLogger(logger, "[#%d] TLSClose %s", c.tx.Index(), c.RemoteAddress())
err := c.Conn.Close()
ol.Stop(err)
return err
}
// Network implements HTTPConnection.
func (c *TLSConnection) Network() string {
return "tcp"
}
// RemoteAddress implements HTTPConnection.
func (c *TLSConnection) RemoteAddress() (addr string) {
if v := c.Conn.RemoteAddr(); v != nil {
addr = v.String()
}
return
}
// Scheme implements HTTPConnection.
func (c *TLSConnection) Scheme() string {
return "https"
}
// TLSNegotiatedProtocol implements HTTPConnection.
func (c *TLSConnection) TLSNegotiatedProtocol() string {
return c.Conn.ConnectionState().NegotiatedProtocol
}
// Trace implements HTTPConnection.
func (c *TLSConnection) Trace() Trace {
return c.tx
}
// Run is like [*TCPConnect.Run] except that it reads [*TCPConnection] in Input and
// emits [*TLSConnection] in Output. Each TLS handshake runs in its own background
// goroutine. The parallelism is controlled by the [Runtime] ActiveConnections [Semaphore]
// and you MUST arrange for the [*TLSConnection] to eventually enter into a [*CloseStage]
// such that the code can release the above mentioned [Semaphore] and close the conn. Note
// that this code TAKES OWNERSHIP of the [*TCPConnection] it reads. We will close these
// conns automatically on failure. On success, they will be closed when the [*TLSConnection]
// wrapping them eventually enters into a [*CloseStage].
func (sx *TLSHandshakeStage) Run(ctx context.Context, rtx Runtime) {
// make sure we close the output channel
defer close(sx.Output)
// track the number of running goroutines
waitGroup := &sync.WaitGroup{}
for tcpConn := range sx.Input {
// process connection in a background goroutine, which is fine
// because the previous step has acquired the semaphore.
waitGroup.Add(1)
go func(tcpConn *TCPConnection) {
defer waitGroup.Done()
sx.handshake(ctx, rtx, tcpConn)
}(tcpConn)
}
// wait for pending work to finish
waitGroup.Wait()
}
func (sx *TLSHandshakeStage) handshake(ctx context.Context, rtx Runtime, tcpConn *TCPConnection) {
// keep using the same trace
trace := tcpConn.Trace()
// create a suitable TLS configuration
config := sx.newTLSConfig()
// start the operation logger
ol := logx.NewOperationLogger(
rtx.Logger(),
"[#%d] TLSHandshake with %s SNI=%s ALPN=%v",
trace.Index(),
tcpConn.RemoteAddress(),
config.ServerName,
config.NextProtos,
)
// obtain the handshaker for use
handshaker := trace.NewTLSHandshakerStdlib(rtx.Logger())
// setup
const timeout = 10 * time.Second
ctx, cancel := context.WithTimeout(ctx, timeout)
defer cancel()
// handshake
tlsConn, err := handshaker.Handshake(ctx, tcpConn.Conn, config)
// stop the operation logger
ol.Stop(err)
// save the observations
rtx.SaveObservations(maybeTraceToObservations(trace)...)
// handle error case
if err != nil {
rtx.ActiveConnections().Signal() // make sure we release the semaphore
tcpConn.Conn.Close() // make sure we close the conn
return
}
// handle success
sx.Output <- &TLSConnection{
Conn: tlsConn,
tx: trace,
}
}
func (sx *TLSHandshakeStage) newTLSConfig() *tls.Config {
return &tls.Config{
NextProtos: sx.NextProtos,
InsecureSkipVerify: sx.InsecureSkipVerify,
RootCAs: sx.RootCAs,
ServerName: sx.ServerName,
}
}