2022-07-01 12:22:22 +02:00
|
|
|
package measurexlite
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// TLS tracing
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"crypto/tls"
|
|
|
|
|
"crypto/x509"
|
|
|
|
|
"errors"
|
|
|
|
|
"net"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/ooni/probe-cli/v3/internal/model"
|
|
|
|
|
"github.com/ooni/probe-cli/v3/internal/netxlite"
|
|
|
|
|
"github.com/ooni/probe-cli/v3/internal/tracex"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// NewTLSHandshakerStdlib is equivalent to netxlite.NewTLSHandshakerStdlib
|
|
|
|
|
// except that it returns a model.TLSHandshaker that uses this trace.
|
|
|
|
|
func (tx *Trace) NewTLSHandshakerStdlib(dl model.DebugLogger) model.TLSHandshaker {
|
|
|
|
|
return &tlsHandshakerTrace{
|
|
|
|
|
thx: tx.newTLSHandshakerStdlib(dl),
|
|
|
|
|
tx: tx,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// tlsHandshakerTrace is a trace-aware TLS handshaker.
|
|
|
|
|
type tlsHandshakerTrace struct {
|
|
|
|
|
thx model.TLSHandshaker
|
|
|
|
|
tx *Trace
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var _ model.TLSHandshaker = &tlsHandshakerTrace{}
|
|
|
|
|
|
|
|
|
|
// Handshake implements model.TLSHandshaker.Handshake.
|
|
|
|
|
func (thx *tlsHandshakerTrace) Handshake(
|
|
|
|
|
ctx context.Context, conn net.Conn, tlsConfig *tls.Config) (net.Conn, tls.ConnectionState, error) {
|
|
|
|
|
return thx.thx.Handshake(netxlite.ContextWithTrace(ctx, thx.tx), conn, tlsConfig)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// OnTLSHandshakeStart implements model.Trace.OnTLSHandshakeStart.
|
|
|
|
|
func (tx *Trace) OnTLSHandshakeStart(now time.Time, remoteAddr string, config *tls.Config) {
|
|
|
|
|
t := now.Sub(tx.ZeroTime)
|
|
|
|
|
select {
|
2022-08-17 20:10:48 +02:00
|
|
|
case tx.networkEvent <- NewAnnotationArchivalNetworkEvent(tx.Index, t, "tls_handshake_start"):
|
2022-07-01 12:22:22 +02:00
|
|
|
default: // buffer is full
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// OnTLSHandshakeDone implements model.Trace.OnTLSHandshakeDone.
|
|
|
|
|
func (tx *Trace) OnTLSHandshakeDone(started time.Time, remoteAddr string, config *tls.Config,
|
|
|
|
|
state tls.ConnectionState, err error, finished time.Time) {
|
|
|
|
|
t := finished.Sub(tx.ZeroTime)
|
|
|
|
|
select {
|
2022-08-17 20:10:48 +02:00
|
|
|
case tx.tlsHandshake <- NewArchivalTLSOrQUICHandshakeResult(
|
2022-07-01 12:22:22 +02:00
|
|
|
tx.Index,
|
|
|
|
|
started.Sub(tx.ZeroTime),
|
fix(datafmt): sync measurexlite and v0.5 with previous code (#942)
* fix(model/archival.go): more optional keys
Basically, `t0` and `transaction_id` should be optional. Version 0.4.x
of web_connectivity should not include them, version 0.5.x should.
There is a technical reason why v0.4.x should not include them. The code
it is based on, tracex, does not record these two fields.
Whereas, v0.5.x, uses measurexlite, which records these two fields.
Part of https://github.com/ooni/probe/issues/2238
* fix(webconnectivity@v0.5): add more fields
This diff adds the following fields to webconnectivity@v0.5:
1. agent, always set to "redirect" (legacy field);
2. client_resolver, properly initialized w/ the resolver's IPv4 address;
3. retries, legacy field always set to null;
4. socksproxy, legacy field always set to null.
Part of https://github.com/ooni/probe/issues/2238
* fix(webconnectivity@v0.5): register extensions
The general idea behind this field is that we would be able
in the future to tweak the data model for some fields, by declaring
we're using a later version, so it seems useful to add it.
See https://github.com/ooni/probe/issues/2238
* fix(measurexlite): use tcp or quic for tls handshake network
This diff fixes a bug where measurexlite was using "tls" as the
protocol for the TLS handshake when using TCP.
While this choice _could_ make sense, the rest of the code we have
written so far uses "tcp" instead.
Using "tcp" makes more sense because it allows you to search for
the same endpoint across different events by checking for the same
network and for the same endpoint rather than special casing TLS
handshakes for using "tls" when the endpoint is "tcp".
See https://github.com/ooni/probe/issues/2238
* chore: run alltests.yml for "alltestsbuild" branches
Part of https://github.com/ooni/probe/issues/2238
2022-09-08 10:02:47 +02:00
|
|
|
"tcp",
|
2022-07-01 12:22:22 +02:00
|
|
|
remoteAddr,
|
|
|
|
|
config,
|
|
|
|
|
state,
|
|
|
|
|
err,
|
|
|
|
|
t,
|
|
|
|
|
):
|
|
|
|
|
default: // buffer is full
|
|
|
|
|
}
|
|
|
|
|
select {
|
2022-08-17 20:10:48 +02:00
|
|
|
case tx.networkEvent <- NewAnnotationArchivalNetworkEvent(tx.Index, t, "tls_handshake_done"):
|
2022-07-01 12:22:22 +02:00
|
|
|
default: // buffer is full
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewArchivalTLSOrQUICHandshakeResult generates a model.ArchivalTLSOrQUICHandshakeResult
|
|
|
|
|
// from the available information right after the TLS handshake returns.
|
|
|
|
|
func NewArchivalTLSOrQUICHandshakeResult(
|
2022-08-17 09:19:11 +02:00
|
|
|
index int64, started time.Duration, network string, address string, config *tls.Config,
|
2022-07-01 12:22:22 +02:00
|
|
|
state tls.ConnectionState, err error, finished time.Duration) *model.ArchivalTLSOrQUICHandshakeResult {
|
|
|
|
|
return &model.ArchivalTLSOrQUICHandshakeResult{
|
2022-08-17 09:19:11 +02:00
|
|
|
Network: network,
|
2022-07-01 12:22:22 +02:00
|
|
|
Address: address,
|
|
|
|
|
CipherSuite: netxlite.TLSCipherSuiteString(state.CipherSuite),
|
|
|
|
|
Failure: tracex.NewFailure(err),
|
|
|
|
|
NegotiatedProtocol: state.NegotiatedProtocol,
|
|
|
|
|
NoTLSVerify: config.InsecureSkipVerify,
|
|
|
|
|
PeerCertificates: TLSPeerCerts(state, err),
|
|
|
|
|
ServerName: config.ServerName,
|
2022-08-25 13:41:26 +02:00
|
|
|
T0: started.Seconds(),
|
2022-07-01 12:22:22 +02:00
|
|
|
T: finished.Seconds(),
|
|
|
|
|
Tags: []string{},
|
|
|
|
|
TLSVersion: netxlite.TLSVersionString(state.Version),
|
2022-08-25 13:41:26 +02:00
|
|
|
TransactionID: index,
|
2022-07-01 12:22:22 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// newArchivalBinaryData is a factory that adapts binary data to the
|
|
|
|
|
// model.ArchivalMaybeBinaryData format.
|
|
|
|
|
func newArchivalBinaryData(data []byte) model.ArchivalMaybeBinaryData {
|
|
|
|
|
// TODO(https://github.com/ooni/probe/issues/2165): we should actually extend the
|
|
|
|
|
// model's archival data format to have a pure-binary-data type for the cases in which
|
|
|
|
|
// we know in advance we're dealing with binary data.
|
|
|
|
|
return model.ArchivalMaybeBinaryData{
|
|
|
|
|
Value: string(data),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// TLSPeerCerts extracts the certificates either from the list of certificates
|
|
|
|
|
// in the connection state or from the error that occurred.
|
|
|
|
|
func TLSPeerCerts(
|
|
|
|
|
state tls.ConnectionState, err error) (out []model.ArchivalMaybeBinaryData) {
|
|
|
|
|
out = []model.ArchivalMaybeBinaryData{}
|
|
|
|
|
var x509HostnameError x509.HostnameError
|
|
|
|
|
if errors.As(err, &x509HostnameError) {
|
|
|
|
|
// Test case: https://wrong.host.badssl.com/
|
|
|
|
|
out = append(out, newArchivalBinaryData(x509HostnameError.Certificate.Raw))
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
var x509UnknownAuthorityError x509.UnknownAuthorityError
|
|
|
|
|
if errors.As(err, &x509UnknownAuthorityError) {
|
|
|
|
|
// Test case: https://self-signed.badssl.com/. This error has
|
|
|
|
|
// never been among the ones returned by MK.
|
|
|
|
|
out = append(out, newArchivalBinaryData(x509UnknownAuthorityError.Cert.Raw))
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
var x509CertificateInvalidError x509.CertificateInvalidError
|
|
|
|
|
if errors.As(err, &x509CertificateInvalidError) {
|
|
|
|
|
// Test case: https://expired.badssl.com/
|
|
|
|
|
out = append(out, newArchivalBinaryData(x509CertificateInvalidError.Cert.Raw))
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
for _, cert := range state.PeerCertificates {
|
|
|
|
|
out = append(out, newArchivalBinaryData(cert.Raw))
|
|
|
|
|
}
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// TLSHandshakes drains the network events buffered inside the TLSHandshake channel.
|
|
|
|
|
func (tx *Trace) TLSHandshakes() (out []*model.ArchivalTLSOrQUICHandshakeResult) {
|
|
|
|
|
for {
|
|
|
|
|
select {
|
2022-08-17 20:10:48 +02:00
|
|
|
case ev := <-tx.tlsHandshake:
|
2022-07-01 12:22:22 +02:00
|
|
|
out = append(out, ev)
|
|
|
|
|
default:
|
|
|
|
|
return // done
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-08-17 20:10:48 +02:00
|
|
|
|
|
|
|
|
// FirstTLSHandshakeOrNil drains the network events buffered inside the TLSHandshake channel
|
|
|
|
|
// and returns the first TLSHandshake, if any. Otherwise, it returns nil.
|
|
|
|
|
func (tx *Trace) FirstTLSHandshakeOrNil() *model.ArchivalTLSOrQUICHandshakeResult {
|
|
|
|
|
ev := tx.TLSHandshakes()
|
|
|
|
|
if len(ev) < 1 {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
return ev[0]
|
|
|
|
|
}
|
