-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathtls.go
110 lines (97 loc) · 2.89 KB
/
tls.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
package tcprouter
import (
"bufio"
"bytes"
"crypto/tls"
"io"
"net"
"github.com/rs/zerolog/log"
)
// Code extracted from traefik to get the servername from TLS connection.
// GetConn creates a connection proxy with a peeked string
func GetConn(conn WriteCloser, peeked string) WriteCloser {
conn = &Conn{
Peeked: []byte(peeked),
WriteCloser: conn,
}
return conn
}
// Conn is a connection proxy that handles Peeked bytes
type Conn struct {
// Peeked are the bytes that have been read from Conn for the
// purposes of route matching, but have not yet been consumed
// by Read calls. It set to nil by Read when fully consumed.
Peeked []byte
// Conn is the underlying connection.
// It can be type asserted against *net.TCPConn or other types
// as needed. It should not be read from directly unless
// Peeked is nil.
WriteCloser
}
// Read reads bytes from the connection (using the buffer prior to actually reading)
func (c *Conn) Read(p []byte) (n int, err error) {
if len(c.Peeked) > 0 {
n = copy(p, c.Peeked)
c.Peeked = c.Peeked[n:]
if len(c.Peeked) == 0 {
c.Peeked = nil
}
return n, nil
}
return c.WriteCloser.Read(p)
}
// clientHelloServerName returns the SNI server name inside the TLS ClientHello,
// without consuming any bytes from br.
// On any error, the empty string is returned.
func clientHelloServerName(br *bufio.Reader) (string, bool, string) {
hdr, err := br.Peek(1)
if err != nil {
if err != io.EOF {
log.Error().Err(err).Msg("Error while Peeking first byte")
}
return "", false, ""
}
const recordTypeHandshake = 0x16
if hdr[0] != recordTypeHandshake {
return "", false, getPeeked(br) // Not TLS.
}
const recordHeaderLen = 5
hdr, err = br.Peek(recordHeaderLen)
if err != nil {
log.Error().Err(err).Msg("Error while Peeking hello")
return "", false, getPeeked(br)
}
recLen := int(hdr[3])<<8 | int(hdr[4]) // ignoring version in hdr[1:3]
helloBytes, err := br.Peek(recordHeaderLen + recLen)
if err != nil {
log.Error().Err(err).Msg("Error while Hello")
return "", true, getPeeked(br)
}
sni := ""
server := tls.Server(sniSniffConn{r: bytes.NewReader(helloBytes)}, &tls.Config{
GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
sni = hello.ServerName
return nil, nil
},
})
_ = server.Handshake()
return sni, true, getPeeked(br)
}
func getPeeked(br *bufio.Reader) string {
peeked, err := br.Peek(br.Buffered())
if err != nil {
log.Error().Err(err).Msg("Could not get anything")
return ""
}
return string(peeked)
}
// sniSniffConn is a net.Conn that reads from r, fails on Writes,
// and crashes otherwise.
type sniSniffConn struct {
r io.Reader
net.Conn // nil; crash on any unexpected use
}
// Read reads from the underlying reader
func (c sniSniffConn) Read(p []byte) (int, error) { return c.r.Read(p) }
// Write crashes all the time
func (sniSniffConn) Write(p []byte) (int, error) { return 0, io.EOF }