
Commit fcd5336

committed
make TLS tickets assign sessions
1 parent 632c670 commit fcd5336

5 files changed

Lines changed: 188 additions & 142 deletions


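--- a/auth/auth.go
+++ b/auth/auth.go
@@ -41,8 +41,8 @@ func NewAuth(paramstr string, logger *clog.CondLogger) (Auth, error) {
 return NewRejectHTTPAuth(url, logger)
 case "reject-static":
 return NewStaticRejectAuth(url, logger)
-case "tlsticket":
-return NewTLSTicketAuth(url, logger)
+case "tlscookie":
+return NewTLSCookieAuth(url, logger)
 default:
 return nil, errors.New("Unknown auth scheme")
 }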

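--- a/auth/ticket.go
+++ b/auth/tlscookie.go
@@ -2,6 +2,8 @@ package auth
 
 import (
 "context"
+"encoding/hex"
+"errors"
 "fmt"
 "net/http"
 "net/url"
@@ -13,21 +15,39 @@ import (
 "github.com/SenseUnit/dumbproxy/tlsutil"
 )
 
-type TLSTicketAuth struct {
+type sessionValidator interface {
+Valid(sessionID, _, userAddr string) bool
+}
+
+type TLSCookieAuth struct {
 logger *clog.CondLogger
 stopOnce sync.Once
 next Auth
 reject Auth
+lookup sessionValidator
 }
 
-func NewTLSTicketAuth(param_url *url.URL, logger *clog.CondLogger) (*TLSTicketAuth, error) {
+func NewTLSCookieAuth(param_url *url.URL, logger *clog.CondLogger) (*TLSCookieAuth, error) {
 values, err := url.ParseQuery(param_url.RawQuery)
 if err != nil {
 return nil, err
 }
-auth := &TLSTicketAuth{
+auth := &TLSCookieAuth{
 logger: logger,
 }
+if lookupURL := values.Get("lookup"); lookupURL == "" {
+return nil, errors.New("\"lookup\" parameter is mandatory for TLS cookie auth provider")
+} else {
+lookupAuth, err := NewAuth(lookupURL, logger)
+if err != nil {
+return nil, fmt.Errorf("unable to construct lookup provider for TLS cookie auth provider: %w", err)
+}
+lookup, ok := lookupAuth.(sessionValidator)
+if !ok {
+return nil, fmt.Errorf("unable to construct TLS cookie auth provider: provided lookup provider %q is not suitable for session validation", lookupURL)
+}
+auth.lookup = lookup
+}
 if nextAuth := values.Get("next"); nextAuth != "" {
 nap, err := NewAuth(nextAuth, logger)
 if err != nil {
@@ -45,25 +65,31 @@ func NewTLSTicketAuth(param_url *url.URL, logger *clog.CondLogger) (*TLSTicketAu
 return auth, nil
 }
 
-func (auth *TLSTicketAuth) Validate(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
-if !tlsutil.NonDefaultKeyUsedFromContext(ctx) {
+func (auth *TLSCookieAuth) Validate(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
+sessionID, ok := tlsutil.TLSSessionIDFromContext(ctx)
+if !ok {
+auth.logger.Debug("tlscookie: no session extracted for %s", req.RemoteAddr)
+return auth.handleReject(ctx, wr, req)
+}
+if !auth.lookup.Valid(hex.EncodeToString(sessionID[:]), "", req.RemoteAddr) {
+auth.logger.Info("tlscookie: session ID %x from %s is not permitted", sessionID, req.RemoteAddr)
 return auth.handleReject(ctx, wr, req)
 }
 if auth.next != nil {
 return auth.next.Validate(ctx, wr, req)
 }
-return "", true
+return fmt.Sprintf("tlscookie:%x", sessionID), true
 }
 
-func (auth *TLSTicketAuth) handleReject(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
+func (auth *TLSCookieAuth) handleReject(ctx context.Context, wr http.ResponseWriter, req *http.Request) (string, bool) {
 if auth.reject != nil {
 return auth.reject.Validate(ctx, wr, req)
 }
 http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
 return "", false
 }
 
-func (auth *TLSTicketAuth) Close() error {
+func (auth *TLSCookieAuth) Close() error {
 var err error
 auth.stopOnce.Do(func() {
 if auth.next != nil {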
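Review bot: `auth.logger.Info("tlscookie: session ID %x from %s is not permitted", sessionID, req.RemoteAddr)` in Validate writes the complete session ID to the log at Info level; because `sessionValidator.Valid` also receives `userAddr`, a rejection can mean "known session, unexpected address", in which case a still-live cookie-like credential ends up in the logs, so logging only a short prefix of it is enough for correlation. The lookup provider built by `NewAuth(lookupURL, logger)` is kept solely as `auth.lookup`, and the visible start of Close() (its body continues outside the hunk) deals with `auth.next` only, so if that provider needs closing like the other Auth providers it appears to be leaked on Close and also on the error path when the later `NewAuth(nextAuth, logger)` fails. Stylistically, the `} else {` after the terminating `return nil, errors.New(...)` can go: assign `lookupURL := values.Get("lookup")` first, return on empty, and continue at the outer level, which also stops `lookupAuth, err :=` from shadowing the outer `err`.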

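--- a/main.go
+++ b/main.go
@@ -314,7 +314,7 @@ type CLIArgs struct {
 maxTLSVersion TLSVersionArg
 tlsALPNEnabled bool
 tlsSessionKeys [][32]byte
-tlsSameSessionKey bool
+tlsCookies bool
 bwLimit forward.LimitSpec
 bwBurst int64
 bwSeparate bool
@@ -506,7 +506,7 @@ func parse_args() *CLIArgs {
 args.tlsSessionKeys = append(args.tlsSessionKeys, [32]byte(key))
 return nil
 })
-flag.BoolVar(&args.tlsSameSessionKey, "tls-same-session-key", true, "issue new TLS session tickets with the same key used for previous ticket")
+flag.BoolVar(&args.tlsCookies, "tls-cookies", true, "mark TLS sessions with cookie-like unique session IDs")
 flag.Func("config", "read configuration from file with space-separated keys and values", readConfig)
 flag.Parse()
 // pull up remaining parameters from other BW-related arguments
@@ -897,7 +897,7 @@ func run() int {
 return stopContext
 },
 ConnContext: func(ctx context.Context, conn net.Conn) context.Context {
-return tlsutil.NonDefaultKeyUsedToContext(ctx, conn)
+return tlsutil.TLSSessionIDToContext(ctx, conn)
 },
 }
 if args.disableHTTP2 {
@@ -1051,8 +1051,8 @@ func makeServerTLSConfig(args *CLIArgs, logger *clog.CondLogger) (*tls.Config, e
 }
 if len(args.tlsSessionKeys) > 0 {
 cfg.SetSessionTicketKeys(args.tlsSessionKeys)
-if args.tlsSameSessionKey {
-cfg = tlsutil.PreserveSessionKeys(cfg, args.tlsSessionKeys, logger)
+if args.tlsCookies {
+cfg = tlsutil.EnableTLSCookies(cfg, logger)
 }
 }
 return cfg, nil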
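Review bot: `flag.BoolVar(&args.tlsCookies, "tls-cookies", true, "mark TLS sessions with cookie-like unique session IDs")` defaults to on, but in makeServerTLSConfig `cfg = tlsutil.EnableTLSCookies(cfg, logger)` is reached only inside `if len(args.tlsSessionKeys) > 0`, so without configured session ticket keys the flag silently has no effect and a `tlscookie` auth provider would presumably reject every request. The usage string should state the dependency, e.g. `"mark TLS sessions with cookie-like unique session IDs (requires TLS session ticket keys to be configured)"`, and a warning logged when `args.tlsCookies` is set while `args.tlsSessionKeys` is empty would make the misconfiguration visible at startup.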

tlsutil/preserve.go

Lines changed: 0 additions & 127 deletions
This file was deleted.
