Merge pull request #200 from SenseUnit/covert_iff

TLS ticket auth

Author: Snawoot

README.md

@@ -302,6 +302,10 @@ Authentication parameters are passed as URI via `-auth` parameter. Scheme of URI
   * `code` - optional parameter specifying HTTP response code. Default is 403.
   * `body` - optional parameter specifying file with response body.
   * `headers` - optional parameter specifying file with response headers. It uses format identical to request header file format used by `curl` program.
+* `tlscookie` - (EXPERIMENTAL) auth provider which grants access to whitelisted TLS session IDs. Whitelist is checked by query of another auth provider (provided as URL in `lookup` query parameter) with session ID as username and empty password. Example of auth parameter: `-auth tlscookie://?lookup=basicfile%3A%2F%2F%3Fpath%3D%2Fetc%2Fdumbproxy%2Fsessions`. Parameters of this scheme are:
+  * `next` - optional URL specifying the next auth provider to chain to, if authentication succeeded.
+  * `else` - optional URL specifying the next auth provider to chain to, if authentication failed.
+  * `lookup` - mandatory URL specifying another auth provider queried for session validity (typically `basicfile` or some Redis-backed password auth). Queries to this lookup provider ask for validity of session providing hexadecimal session ID as username and empty string as password.
 
 ## Scripting
 
@@ -640,6 +644,8 @@ Usage of /home/user/go/bin/dumbproxy:
     	grace period during server shutdown (default 1s)
   -tls-alpn-enabled
     	enable application protocol negotiation with TLS ALPN extension (default true)
+  -tls-cookies
+    	mark TLS sessions with cookie-like unique session IDs (default true)
   -tls-session-key value
     	override TLS server session keys. Key must be provided as hex-encoded 32-byte string. This option can be repeated multiple times, first key will be used to create session tickets. Empty value resets the list.
   -trusttunnel

auth/auth.go

@@ -41,6 +41,8 @@ func NewAuth(paramstr string, logger *clog.CondLogger) (Auth, error) {
 		return NewRejectHTTPAuth(url, logger)
 	case "reject-static":
 		return NewStaticRejectAuth(url, logger)
+	case "tlscookie":
+		return NewTLSCookieAuth(url, logger)
 	default:
 		return nil, errors.New("Unknown auth scheme")
 	}

auth/tlscookie.go

@@ -0,0 +1,107 @@
+package auth
+
+import (
+	"context"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"sync"
+
+	"github.com/hashicorp/go-multierror"
+
+	clog "github.com/SenseUnit/dumbproxy/log"
+	"github.com/SenseUnit/dumbproxy/tlsutil"
+)
+
+type sessionValidator interface {
+	Valid(sessionID, _, userAddr string) bool
+}
+
+type TLSCookieAuth struct {
+	logger   *clog.CondLogger
+	stopOnce sync.Once
+	next     Auth
+	reject   Auth
+	lookup   sessionValidator
+}
+
+func NewTLSCookieAuth(param_url *url.URL, logger *clog.CondLogger) (*TLSCookieAuth, error) {
+	values, err := url.ParseQuery(param_url.RawQuery)
+	if err != nil {
+		return nil, err
+	}
+	auth := &TLSCookieAuth{
+		logger: logger,
+	}
+	if lookupURL := values.Get("lookup"); lookupURL == "" {
+		return nil, errors.New("\"lookup\" parameter is mandatory for TLS cookie auth provider")
+	} else {
+		lookupAuth, err := NewAuth(lookupURL, logger)
+		if err != nil {
+			return nil, fmt.Errorf("unable to construct lookup provider for TLS cookie auth provider: %w", err)
+		}
+		lookup, ok := lookupAuth.(sessionValidator)
+		if !ok {
+			return nil, fmt.Errorf("unable to construct TLS cookie auth provider: provided lookup provider %q is not suitable for session validation", lookupURL)
+		}
+		auth.lookup = lookup
+	}
+	if nextAuth := values.Get("next"); nextAuth != "" {
+		nap, err := NewAuth(nextAuth, logger)
+		if err != nil {
+			return nil, fmt.Errorf("chained auth provider construction failed: %w", err)
+		}
+		auth.next = nap
+	}
+	if nextAuth := values.Get("else"); nextAuth != "" {
+		nap, err := NewAuth(nextAuth, logger)
+		if err != nil {
+			return nil, fmt.Errorf("chained auth provider construction failed: %w", err)
+		}
+		auth.reject = nap
+	}
+	return auth, nil
+}
+
+func (auth *TLSCookieAuth) Validate(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
+	sessionID, ok := tlsutil.TLSSessionIDFromContext(ctx)
+	if !ok {
+		auth.logger.Debug("tlscookie: no session extracted for %s", req.RemoteAddr)
+		return auth.handleReject(ctx, wr, req)
+	}
+	if !auth.lookup.Valid(hex.EncodeToString(sessionID[:]), "", req.RemoteAddr) {
+		auth.logger.Info("tlscookie: session ID %x from %s is not permitted", sessionID, req.RemoteAddr)
+		return auth.handleReject(ctx, wr, req)
+	}
+	if auth.next != nil {
+		return auth.next.Validate(ctx, wr, req)
+	}
+	return fmt.Sprintf("tlscookie:%x", sessionID), true
+}
+
+func (auth *TLSCookieAuth) handleReject(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
+	if auth.reject != nil {
+		return auth.reject.Validate(ctx, wr, req)
+	}
+	http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
+	return "", false
+}
+
+func (auth *TLSCookieAuth) Close() error {
+	var err error
+	auth.stopOnce.Do(func() {
+		if auth.next != nil {
+			if closeErr := auth.next.Close(); closeErr != nil {
+				err = multierror.Append(err, closeErr)
+			}
+		}
+		if auth.reject != nil {
+			if closeErr := auth.reject.Close(); closeErr != nil {
+				err = multierror.Append(err, closeErr)
+			}
+		}
+	})
+	return err
+}

main.go

@@ -314,6 +314,7 @@ type CLIArgs struct {
 	maxTLSVersion            TLSVersionArg
 	tlsALPNEnabled           bool
 	tlsSessionKeys           [][32]byte
+	tlsCookies               bool
 	bwLimit                  forward.LimitSpec
 	bwBurst                  int64
 	bwSeparate               bool
@@ -505,6 +506,7 @@ func parse_args() *CLIArgs {
 		args.tlsSessionKeys = append(args.tlsSessionKeys, [32]byte(key))
 		return nil
 	})
+	flag.BoolVar(&args.tlsCookies, "tls-cookies", true, "mark TLS sessions with cookie-like unique session IDs")
 	flag.Func("config", "read configuration from file with space-separated keys and values", readConfig)
 	flag.Parse()
 	// pull up remaining parameters from other BW-related arguments
@@ -612,6 +614,9 @@ func run() int {
 	ttDemuxLogger := clog.NewCondLogger(log.New(logWriter, "TTDEMUX :",
 		log.LstdFlags|log.Lshortfile),
 		args.verbosity)
+	tlsSessionLogger := clog.NewCondLogger(log.New(logWriter, "TLSSESS :",
+		log.LstdFlags|log.Lshortfile),
+		args.verbosity)
 
 	// setup auth provider
 	authProvider, err := auth.NewAuth(args.auth, authLogger)
@@ -780,11 +785,12 @@ func run() int {
 	}
 
 	if args.cert != "" {
-		cfg, err1 := makeServerTLSConfig(args)
+		cfg, err1 := makeServerTLSConfig(args, tlsSessionLogger)
 		if err1 != nil {
 			mainLogger.Critical("TLS config construction failed: %v", err1)
 			return 3
 		}
+		listener = tlsutil.NewTaggedConnListener(listener) // attach DTO container
 		listener = tls.NewListener(listener, cfg)
 	} else if args.autocert {
 		// cert caching chain
@@ -841,7 +847,7 @@ func run() int {
 					http.ListenAndServe(args.autocertHTTP, m.HTTPHandler(nil)))
 			}()
 		}
-		cfg, err := makeServerTLSConfig(args)
+		cfg, err := makeServerTLSConfig(args, tlsSessionLogger)
 		if err != nil {
 			mainLogger.Critical("TLS config construction failed: %v", err)
 			return 3
@@ -850,6 +856,7 @@ func run() int {
 		if len(cfg.NextProtos) > 0 {
 			cfg.NextProtos = append(cfg.NextProtos, acme.ALPNProto)
 		}
+		listener = tlsutil.NewTaggedConnListener(listener) // attach DTO container
 		listener = tls.NewListener(listener, cfg)
 	}
 	defer listener.Close()
@@ -889,6 +896,9 @@ func run() int {
 			BaseContext: func(_ net.Listener) context.Context {
 				return stopContext
 			},
+			ConnContext: func(ctx context.Context, conn net.Conn) context.Context {
+				return tlsutil.TLSSessionIDToContext(ctx, conn)
+			},
 		}
 		if args.disableHTTP2 {
 			server.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
@@ -1003,8 +1013,8 @@ func run() int {
 	return 2
 }
 
-func makeServerTLSConfig(args *CLIArgs) (*tls.Config, error) {
-	cfg := tls.Config{
+func makeServerTLSConfig(args *CLIArgs, logger *clog.CondLogger) (*tls.Config, error) {
+	cfg := &tls.Config{
 		MinVersion: uint16(args.minTLSVersion),
 		MaxVersion: uint16(args.maxTLSVersion),
 	}
@@ -1041,8 +1051,11 @@ func makeServerTLSConfig(args *CLIArgs) (*tls.Config, error) {
 	}
 	if len(args.tlsSessionKeys) > 0 {
 		cfg.SetSessionTicketKeys(args.tlsSessionKeys)
+		if args.tlsCookies {
+			cfg = tlsutil.EnableTLSCookies(cfg, logger)
+		}
 	}
-	return &cfg, nil
+	return cfg, nil
 }
 
 func readConfig(filename string) error {

tlsutil/session.go

@@ -0,0 +1,147 @@
+package tlsutil
+
+import (
+	"bytes"
+	"context"
+	crand "crypto/rand"
+	"crypto/tls"
+	"errors"
+	"net"
+
+	clog "github.com/SenseUnit/dumbproxy/log"
+)
+
+const tlsCookiePrefix = "dpSessionCookieV1="
+
+type TLSSessionID = [16]byte
+
+func NewTLSSessionID() (res TLSSessionID) {
+	crand.Read(res[:])
+	return
+}
+
+func TLSSessionIDFromState(ss *tls.SessionState) (TLSSessionID, bool) {
+	for _, tag := range ss.Extra {
+		if !bytes.HasPrefix(tag, []byte(tlsCookiePrefix)) {
+			continue
+		}
+		tag = tag[len(tlsCookiePrefix):]
+		if len(tag) != len(TLSSessionID{}) {
+			continue
+		}
+		return TLSSessionID(tag), true
+	}
+	return TLSSessionID{}, false
+}
+
+type tlsSessionIDKey struct{}
+type connKey struct{}
+
+func getTLSSessionID(conn ConnTagger) (TLSSessionID, bool) {
+	saved, ok := conn.GetTag(tlsSessionIDKey{})
+	if !ok {
+		return TLSSessionID{}, false
+	}
+	val, ok := saved.(TLSSessionID)
+	return val, ok
+}
+
+func setTLSSessionID(conn ConnTagger, sessionID TLSSessionID) {
+	conn.SetTag(tlsSessionIDKey{}, sessionID)
+}
+
+func GetTLSSessionID(conn net.Conn) (TLSSessionID, bool) {
+	tagger, ok := conn.(ConnTagger)
+	if !ok {
+		if netconner, ok := conn.(interface {
+			NetConn() net.Conn
+		}); ok {
+			return GetTLSSessionID(netconner.NetConn())
+		}
+		return TLSSessionID{}, false
+	}
+	return getTLSSessionID(tagger)
+}
+
+func TLSSessionIDToContext(ctx context.Context, conn net.Conn) context.Context {
+	return context.WithValue(ctx, connKey{}, conn)
+}
+
+func TLSSessionIDFromContext(ctx context.Context) (TLSSessionID, bool) {
+	val := ctx.Value(connKey{})
+	conn, ok := val.(net.Conn)
+	if !ok {
+		return TLSSessionID{}, false
+	}
+	return GetTLSSessionID(conn)
+}
+
+func EnableTLSCookies(cfg *tls.Config, logger *clog.CondLogger) *tls.Config {
+	getConfig := func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
+		return cfg.Clone(), nil
+	}
+	if cfg.GetConfigForClient != nil {
+		getConfig = cfg.GetConfigForClient
+	}
+	// this one will be returned as updated TLS config to outer function caller
+	cfg = cfg.Clone()
+	cfg.GetConfigForClient = func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
+		conn, ok := chi.Conn.(ConnTagger)
+		remoteAddr := chi.Conn.RemoteAddr().String()
+		if !ok {
+			return nil, errors.New("tlsCfg.GetConfigForClient: connection does is not a ConnTagger")
+		}
+		// this one holds closures which capture conn
+		cfg, err := getConfig(chi)
+		if err != nil {
+			return nil, err
+		}
+		cfg.UnwrapSession = func(identity []byte, cs tls.ConnectionState) (*tls.SessionState, error) {
+			ss, err := cfg.DecryptTicket(identity, cs)
+			if err != nil {
+				logger.Error("got error from TLS session ticket decryption: %v", err)
+				return nil, err
+			}
+			if ss == nil {
+				// nothing was decrypted, issue a new session
+				sessionID := NewTLSSessionID()
+				logger.Debug("assigning NEW session ID %x to connection from %s", sessionID, remoteAddr)
+				setTLSSessionID(conn, sessionID)
+				return nil, nil
+			}
+			if sessionID, ok := TLSSessionIDFromState(ss); ok {
+				// valid session ID in ticket
+				logger.Debug("recovered session ID = %x from %s", sessionID, remoteAddr)
+				setTLSSessionID(conn, sessionID)
+			} else {
+				// no valid session ID in ticket (migrating outdated ticket?)
+				sessionID = NewTLSSessionID()
+				logger.Debug("session ID was NOT recovered from ticket from %s. assigning NEW session ID %x", remoteAddr, sessionID)
+				setTLSSessionID(conn, sessionID)
+			}
+			return ss, nil
+		}
+		cfg.WrapSession = func(cs tls.ConnectionState, ss *tls.SessionState) ([]byte, error) {
+			// is there session in TLS session state already?
+			if sessionID, found := TLSSessionIDFromState(ss); found {
+				logger.Warning("sessionState from %s already has sessionID %x", remoteAddr, sessionID)
+				setTLSSessionID(conn, sessionID)
+				return cfg.EncryptTicket(cs, ss)
+			}
+			// did we had a chance to assign a session ID to this connection?
+			sessionID, ok := getTLSSessionID(conn)
+			if ok {
+				logger.Debug("sending new TLS ticket with old session ID %x to remote %s", sessionID, remoteAddr)
+			} else {
+				sessionID = NewTLSSessionID()
+				setTLSSessionID(conn, sessionID)
+				logger.Debug("sending new TLS ticket with NEW session ID %x to remote %s", sessionID, remoteAddr)
+			}
+			cookie := append([]byte(tlsCookiePrefix), sessionID[:]...)
+			ss.Extra = append(ss.Extra, cookie)
+			return cfg.EncryptTicket(cs, ss)
+		}
+		return cfg, nil
+	}
+	return cfg
+}