package netxlite
//
// TLS implementation
//
import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"net"
"time"
oohttp "github.com/ooni/oohttp"
"github.com/ooni/probe-cli/v3/internal/model"
"github.com/ooni/probe-cli/v3/internal/runtimex"
)
// TODO(bassosimone): check whether there's now equivalent functionality
|
|
|
|
// inside the standard library allowing us to map numbers to names.
|
|
|
|
|
2021-09-05 14:49:38 +02:00
|
|
|
var (
|
|
|
|
tlsVersionString = map[uint16]string{
|
|
|
|
tls.VersionTLS10: "TLSv1",
|
|
|
|
tls.VersionTLS11: "TLSv1.1",
|
|
|
|
tls.VersionTLS12: "TLSv1.2",
|
|
|
|
tls.VersionTLS13: "TLSv1.3",
|
|
|
|
0: "", // guarantee correct behaviour
|
|
|
|
}
|
|
|
|
|
|
|
|
tlsCipherSuiteString = map[uint16]string{
|
|
|
|
tls.TLS_RSA_WITH_RC4_128_SHA: "TLS_RSA_WITH_RC4_128_SHA",
|
|
|
|
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
|
|
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA: "TLS_RSA_WITH_AES_128_CBC_SHA",
|
|
|
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA: "TLS_RSA_WITH_AES_256_CBC_SHA",
|
|
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA256: "TLS_RSA_WITH_AES_128_CBC_SHA256",
|
|
|
|
tls.TLS_RSA_WITH_AES_128_GCM_SHA256: "TLS_RSA_WITH_AES_128_GCM_SHA256",
|
|
|
|
tls.TLS_RSA_WITH_AES_256_GCM_SHA384: "TLS_RSA_WITH_AES_256_GCM_SHA384",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
|
|
|
tls.TLS_AES_128_GCM_SHA256: "TLS_AES_128_GCM_SHA256",
|
|
|
|
tls.TLS_AES_256_GCM_SHA384: "TLS_AES_256_GCM_SHA384",
|
|
|
|
tls.TLS_CHACHA20_POLY1305_SHA256: "TLS_CHACHA20_POLY1305_SHA256",
|
|
|
|
0: "", // guarantee correct behaviour
|
|
|
|
}
|
|
|
|
)
// TLSVersionString returns a TLS version string. If value is zero, we
// return the empty string. If the value is unknown, we return
// `TLS_VERSION_UNKNOWN_ddd` where `ddd` is the numeric value passed
// to this function.
func TLSVersionString(value uint16) string {
	name, known := tlsVersionString[value]
	if !known {
		// Keep unknown values visible as a number rather than hiding them.
		return fmt.Sprintf("TLS_VERSION_UNKNOWN_%d", value)
	}
	return name
}
// TLSCipherSuiteString returns the TLS cipher suite as a string. If value
// is zero, we return the empty string. If we don't know the mapping from
// the value to a cipher suite name, we return `TLS_CIPHER_SUITE_UNKNOWN_ddd`
// where `ddd` is the numeric value passed to this function.
func TLSCipherSuiteString(value uint16) string {
	name, known := tlsCipherSuiteString[value]
	if !known {
		// Keep unknown values visible as a number rather than hiding them.
		return fmt.Sprintf("TLS_CIPHER_SUITE_UNKNOWN_%d", value)
	}
	return name
}
// NewDefaultCertPool returns the default x509 certificate pool
// that we bundle from Mozilla. It's safe to modify the returned
// value: every invocation returns a distinct *x509.CertPool instance.
func NewDefaultCertPool() *x509.CertPool {
	pool := x509.NewCertPool()
	// AppendCertsFromPEM reports false only when it could not parse any
	// certificate out of pemcerts. certify_test.go guarantees the bundle
	// parses, so a false here means a broken build, not a runtime
	// condition: panicking is the intended outcome.
	runtimex.PanicIfFalse(pool.AppendCertsFromPEM([]byte(pemcerts)),
		"pool.AppendCertsFromPEM failed")
	return pool
}
// ErrInvalidTLSVersion indicates that you passed us a string
// that does not represent a valid TLS version.
//
// It is returned by ConfigureTLSVersion; callers should compare
// with errors.Is in case the error gets wrapped upstream.
var ErrInvalidTLSVersion = errors.New("invalid TLS version")
// ConfigureTLSVersion configures the correct TLS version into
// a *tls.Config or returns ErrInvalidTLSVersion.
//
// Recognized strings: TLSv1.3, TLSv1.2, TLSv1.1, TLSv1.0 (TLSv1 is
// accepted as an alias of TLSv1.0). The empty string leaves config
// untouched and returns nil.
//
// Any recognized version pins BOTH MinVersion and MaxVersion to that
// single version: this forces a specific protocol version (including
// the deprecated 1.0 and 1.1) rather than setting a floor.
func ConfigureTLSVersion(config *tls.Config, version string) error {
	if version == "" {
		return nil // nothing to do
	}
	var pinned uint16
	switch version {
	case "TLSv1.3":
		pinned = tls.VersionTLS13
	case "TLSv1.2":
		pinned = tls.VersionTLS12
	case "TLSv1.1":
		pinned = tls.VersionTLS11
	case "TLSv1.0", "TLSv1":
		pinned = tls.VersionTLS10
	default:
		return ErrInvalidTLSVersion
	}
	config.MinVersion = pinned
	config.MaxVersion = pinned
	return nil
}
// TLSConn is the type of connection that oohttp expects from
// any library that implements TLS functionality. By using this
// kind of TLSConn we're able to use both the standard library
// and gitlab.com/yawning/utls.git to perform TLS operations. Note
// that the stdlib's tls.Conn implements this interface.
//
// Within this file a TLSConn must support HandshakeContext and
// ConnectionState, which is what tlsHandshakerConfigurable calls
// on the value returned by its NewConn factory.
type TLSConn = oohttp.TLSConn
// Ensures that a tls.Conn implements the TLSConn interface, so that
// a change in oohttp's interface fails at compile time here rather
// than at runtime inside newConn.
var _ TLSConn = &tls.Conn{}
// NewTLSHandshakerStdlib creates a new TLS handshaker using the
// go standard library to manage TLS.
//
// The handshaker guarantees:
//
// 1. logging
//
// 2. error wrapping
func NewTLSHandshakerStdlib(logger model.DebugLogger) model.TLSHandshaker {
	// A zero tlsHandshakerConfigurable has no NewConn factory and a zero
	// Timeout, which selects tls.Client and the default handshake timeout.
	var stdlib tlsHandshakerConfigurable
	return newTLSHandshaker(&stdlib, logger)
}
// newTLSHandshaker is the common factory for creating a new TLSHandshaker.
//
// The returned handshaker wraps th so that errors are first mapped to
// OONI errors and the whole operation is then logged.
func newTLSHandshaker(th model.TLSHandshaker, logger model.DebugLogger) model.TLSHandshaker {
	// Innermost first: the error wrapper sees the raw error while the
	// logger sees, and prints, the already-wrapped one.
	wrapped := &tlsHandshakerErrWrapper{TLSHandshaker: th}
	logged := &tlsHandshakerLogger{
		TLSHandshaker: wrapped,
		DebugLogger:   logger,
	}
	return logged
}
// tlsHandshakerConfigurable is a configurable TLS handshaker that
// uses by default the standard library's TLS implementation.
type tlsHandshakerConfigurable struct {
	// NewConn is the OPTIONAL factory for creating a new connection. If
	// this factory is not set, we'll use the stdlib.
	//
	// When set, it fully replaces tls.Client: Handshake passes it the
	// (possibly cloned, RootCAs-filled) config and then calls
	// HandshakeContext on the returned TLSConn, so the factory is
	// responsible for honouring RootCAs, ServerName and version bounds.
	NewConn func(conn net.Conn, config *tls.Config) (TLSConn, error)

	// Timeout is the OPTIONAL timeout imposed on the TLS handshake. If zero
	// or negative, we will use default timeout of 10 seconds.
	//
	// It is applied as a deadline on the underlying conn for the duration
	// of Handshake and cleared again when Handshake returns.
	Timeout time.Duration
}
// Compile-time check that tlsHandshakerConfigurable satisfies model.TLSHandshaker.
var _ model.TLSHandshaker = &tlsHandshakerConfigurable{}
// defaultCertPool is the cert pool we use by default. We store this
// value into a private variable to enable for unit testing.
//
// tlsHandshakerConfigurable.Handshake installs it as RootCAs whenever
// the caller's config has a nil RootCAs, so it is the trust anchor set
// for every handshake through that type that does not bring its own CAs.
var defaultCertPool = NewDefaultCertPool()
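// Handshake implements Handshaker.Handshake. This function will
// configure the code to use the built-in Mozilla CA if the config
// field contains a nil RootCAs field.
//
// A nil config is treated as an empty config. Because an empty config
// has neither ServerName nor InsecureSkipVerify, the handshake then
// fails with the stdlib's own error rather than panicking here.
//
// The handshake is bounded by h.Timeout (default 10 s) via a deadline
// on conn, which is cleared before returning so the caller receives a
// connection without a stale deadline. On error the returned state is
// the zero tls.ConnectionState and conn is left open for the caller
// to close.
func (h *tlsHandshakerConfigurable) Handshake(
	ctx context.Context, conn net.Conn, config *tls.Config,
) (net.Conn, tls.ConnectionState, error) {
	timeout := h.Timeout
	if timeout <= 0 {
		timeout = 10 * time.Second
	}
	// Guard the RootCAs check below: a nil config used to crash here.
	if config == nil {
		config = &tls.Config{}
	}
	// We ignore SetDeadline's error: a conn that rejects deadlines should
	// also fail the handshake below, which is where we report failures.
	defer conn.SetDeadline(time.Time{})
	_ = conn.SetDeadline(time.Now().Add(timeout))
	if config.RootCAs == nil {
		// Clone so the caller's config is never mutated.
		config = config.Clone()
		config.RootCAs = defaultCertPool
	}
	tlsconn, err := h.newConn(conn, config)
	if err != nil {
		return nil, tls.ConnectionState{}, err
	}
	// HandshakeContext honours ctx cancellation in addition to the deadline.
	if err := tlsconn.HandshakeContext(ctx); err != nil {
		return nil, tls.ConnectionState{}, err
	}
	return tlsconn, tlsconn.ConnectionState(), nil
}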
// newConn creates a new TLSConn.
//
// It prefers the OPTIONAL NewConn factory and otherwise falls back to
// the standard library's tls.Client.
func (h *tlsHandshakerConfigurable) newConn(conn net.Conn, config *tls.Config) (TLSConn, error) {
	if factory := h.NewConn; factory != nil {
		return factory(conn, config)
	}
	// This used to be the place where we created a TLSConn using
	// github.com/ooni/oocrypto's TLS. However, it seems this strategy
	// does not correctly pick up the CPU capabilities. So, we have
	// now disabled oocrypto until we investigate, to avoid making the
	// development branch worse than it could in terms of TLS fingerprint.
	//
	// TODO(https://github.com/ooni/probe/issues/2122)
	//
	// tls.Client cannot fail to construct; the error return exists for
	// the factory path above.
	stdlibConn := tls.Client(conn, config)
	return stdlibConn, nil
}
// defaultTLSHandshaker is the default TLS handshaker.
//
// It is a zero tlsHandshakerConfigurable: stdlib tls.Client, the
// 10 s default handshake timeout, and the bundled Mozilla CA pool
// unless the config carries its own RootCAs.
var defaultTLSHandshaker = &tlsHandshakerConfigurable{}
// tlsHandshakerLogger is a TLSHandshaker with logging.
type tlsHandshakerLogger struct {
	// TLSHandshaker is the MANDATORY handshaker whose Handshake we wrap;
	// it is called without a nil check.
	TLSHandshaker model.TLSHandshaker

	// DebugLogger is the MANDATORY logger receiving one line before the
	// handshake and one line after it (error, or negotiated parameters).
	DebugLogger model.DebugLogger
}
// Compile-time check that tlsHandshakerLogger satisfies model.TLSHandshaker.
var _ model.TLSHandshaker = &tlsHandshakerLogger{}
// Handshake implements Handshaker.Handshake
//
// It logs the SNI and ALPN list before delegating and, afterwards,
// either the error or the negotiated protocol, cipher suite and TLS
// version, always together with the elapsed time. The wrapped
// handshaker's result is passed through unchanged.
func (h *tlsHandshakerLogger) Handshake(
	ctx context.Context, conn net.Conn, config *tls.Config,
) (net.Conn, tls.ConnectionState, error) {
	h.DebugLogger.Debugf("tls {sni=%s next=%+v}...", config.ServerName, config.NextProtos)
	started := time.Now()
	tlsconn, state, err := h.TLSHandshaker.Handshake(ctx, conn, config)
	elapsed := time.Since(started)
	if err != nil {
		h.DebugLogger.Debugf("tls {sni=%s next=%+v}... %s in %s",
			config.ServerName, config.NextProtos, err, elapsed)
		return nil, tls.ConnectionState{}, err
	}
	h.DebugLogger.Debugf(
		"tls {sni=%s next=%+v}... ok in %s {next=%s cipher=%s v=%s}",
		config.ServerName, config.NextProtos, elapsed, state.NegotiatedProtocol,
		TLSCipherSuiteString(state.CipherSuite), TLSVersionString(state.Version),
	)
	return tlsconn, state, nil
}
// NewTLSDialer creates a new TLS dialer using the given dialer and handshaker.
//
// The dialer starts from an empty tls.Config, so each DialTLSContext
// fills in ServerName and the default ALPN list from the dialed address.
func NewTLSDialer(dialer model.Dialer, handshaker model.TLSHandshaker) model.TLSDialer {
	var emptyConfig tls.Config
	return NewTLSDialerWithConfig(dialer, handshaker, &emptyConfig)
}
// NewTLSDialerWithConfig is like NewTLSDialer with an optional config.
//
// A nil c is allowed: the dialer then starts from an empty config. The
// config is never mutated; every dial clones it before filling in
// ServerName and ALPN, so c may be shared across dialers.
func NewTLSDialerWithConfig(d model.Dialer, h model.TLSHandshaker, c *tls.Config) model.TLSDialer {
	dialer := &tlsDialer{
		Dialer:        d,
		TLSHandshaker: h,
		Config:        c,
	}
	return dialer
}
// tlsDialer is the TLS dialer: it dials with Dialer and then runs the
// TLS handshake with TLSHandshaker on the resulting connection.
type tlsDialer struct {
	// Config is the OPTIONAL tls config. It is cloned on every dial and
	// never modified in place; nil means "start from an empty config".
	Config *tls.Config

	// Dialer is the MANDATORY dialer used to establish the transport
	// connection before the handshake.
	Dialer model.Dialer

	// TLSHandshaker is the MANDATORY TLS handshaker run on the dialed
	// connection; on handshake failure the connection is closed here.
	TLSHandshaker model.TLSHandshaker
}
// Compile-time check that tlsDialer satisfies model.TLSDialer.
var _ model.TLSDialer = &tlsDialer{}
// CloseIdleConnections implements TLSDialer.CloseIdleConnections.
//
// The TLS dialer keeps no connection state of its own, so this just
// forwards to the underlying Dialer.
func (d *tlsDialer) CloseIdleConnections() {
	underlying := d.Dialer
	underlying.CloseIdleConnections()
}
// DialTLSContext implements TLSDialer.DialTLSContext.
//
// The address must be host:port. We dial the transport with Dialer,
// derive a per-dial config (ServerName and ALPN from host and port) and
// run the handshake; if the handshake fails the transport connection is
// closed before returning the error.
func (d *tlsDialer) DialTLSContext(ctx context.Context, network, address string) (net.Conn, error) {
	// Split first so that a malformed address fails before we dial.
	host, port, err := net.SplitHostPort(address)
	if err != nil {
		return nil, err
	}
	rawconn, err := d.Dialer.DialContext(ctx, network, address)
	if err != nil {
		return nil, err
	}
	tlsconn, _, err := d.TLSHandshaker.Handshake(ctx, rawconn, d.config(host, port))
	if err != nil {
		// We own rawconn until the handshake succeeds: do not leak it.
		rawconn.Close()
		return nil, err
	}
	return tlsconn, nil
}
// config creates a new config. If d.Config is nil, then we start
// from an empty config. Otherwise, we clone d.Config.
//
// We set the ServerName field if not already set.
//
// We set the ALPN if the port is 443 or 853, if not already set.
//
// Because we always operate on a clone, d.Config itself is never
// modified and may safely be shared across dials.
func (d *tlsDialer) config(host, port string) *tls.Config {
	base := d.Config
	if base == nil {
		base = &tls.Config{}
	}
	cloned := base.Clone() // never touch the shared d.Config
	if cloned.ServerName == "" {
		// ServerName is both the SNI we send and the name the peer's
		// certificate is verified against.
		cloned.ServerName = host
	}
	if len(cloned.NextProtos) == 0 {
		// Default ALPN for the two well-known ports: HTTPS and DNS over TLS.
		alpnByPort := map[string][]string{
			"443": {"h2", "http/1.1"},
			"853": {"dot"},
		}
		if protos, known := alpnByPort[port]; known {
			cloned.NextProtos = protos
		}
	}
	return cloned
}
// NewSingleUseTLSDialer is like NewSingleUseDialer but takes
// in input a TLSConn rather than a net.Conn.
//
// The returned TLSDialer does not perform any handshake itself: it
// adapts the single-use Dialer built around conn to the TLSDialer type.
func NewSingleUseTLSDialer(conn TLSConn) model.TLSDialer {
	single := NewSingleUseDialer(conn)
	return &tlsDialerSingleUseAdapter{Dialer: single}
}
// tlsDialerSingleUseAdapter adapts dialerSingleUse to
// be a TLSDialer type rather than a Dialer type.
type tlsDialerSingleUseAdapter struct {
	// Dialer is the MANDATORY wrapped dialer; both TLSDialer methods
	// forward to it unchanged.
	Dialer model.Dialer
}
// Compile-time check that tlsDialerSingleUseAdapter satisfies model.TLSDialer.
var _ model.TLSDialer = &tlsDialerSingleUseAdapter{}
// DialTLSContext implements TLSDialer.DialTLSContext.
//
// The wrapped dialer was built from a TLSConn (see NewSingleUseTLSDialer),
// so there is no handshake to run here: we only forward the call.
func (d *tlsDialerSingleUseAdapter) DialTLSContext(ctx context.Context, network, address string) (net.Conn, error) {
	inner := d.Dialer
	return inner.DialContext(ctx, network, address)
}
// CloseIdleConnections implements TLSDialer.CloseIdleConnections by
// forwarding to the wrapped Dialer.
func (d *tlsDialerSingleUseAdapter) CloseIdleConnections() {
	inner := d.Dialer
	inner.CloseIdleConnections()
}
// tlsHandshakerErrWrapper wraps the returned error to be an OONI error
// (classified with classifyTLSHandshakeError under TLSHandshakeOperation).
type tlsHandshakerErrWrapper struct {
	// TLSHandshaker is the MANDATORY handshaker whose errors we wrap.
	TLSHandshaker model.TLSHandshaker
}
// Handshake implements TLSHandshaker.Handshake
//
// On success the wrapped handshaker's result is returned unchanged. On
// failure the error is classified as a TLS handshake error and wrapped
// into an OONI error, and the zero ConnectionState is returned.
func (h *tlsHandshakerErrWrapper) Handshake(
	ctx context.Context, conn net.Conn, config *tls.Config,
) (net.Conn, tls.ConnectionState, error) {
	tlsconn, state, err := h.TLSHandshaker.Handshake(ctx, conn, config)
	if err == nil {
		return tlsconn, state, nil
	}
	wrapped := newErrWrapper(classifyTLSHandshakeError, TLSHandshakeOperation, err)
	return nil, tls.ConnectionState{}, wrapped
}
// ErrNoTLSDialer is the type of error returned by "null" TLS dialers
// when you attempt to dial with them.
//
// It is returned unwrapped by nullTLSDialer.DialTLSContext; callers
// should still compare with errors.Is in case an outer layer wraps it.
var ErrNoTLSDialer = errors.New("no configured TLS dialer")
// NewNullTLSDialer returns a TLS dialer that always fails with ErrNoTLSDialer.
//
// Use it where a TLSDialer is required by type but TLS must never be
// attempted, so that a misconfiguration surfaces as an explicit error.
func NewNullTLSDialer() model.TLSDialer {
	var null nullTLSDialer
	return &null
}
// nullTLSDialer is the TLSDialer returned by NewNullTLSDialer: every
// dial fails with ErrNoTLSDialer and there are no connections to close.
type nullTLSDialer struct{}
// Compile-time check that nullTLSDialer satisfies model.TLSDialer.
var _ model.TLSDialer = &nullTLSDialer{}
// DialTLSContext implements TLSDialer.DialTLSContext by always failing
// with ErrNoTLSDialer; ctx, network and address are deliberately ignored.
func (*nullTLSDialer) DialTLSContext(ctx context.Context, network, address string) (net.Conn, error) {
	var none net.Conn
	return none, ErrNoTLSDialer
}
// CloseIdleConnections implements TLSDialer.CloseIdleConnections.
// A null dialer never opens connections, so there is nothing to close.
func (*nullTLSDialer) CloseIdleConnections() {
	// nothing to do
}