sni

package

v0.1.2 Latest Latest Go to latest Published: Jan 23, 2024 License: MIT Imports: 12 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/darvaza-proxy/x

Links

Open Source Insights

Documentation ¶

Overview ¶

Package sni provices logic to work with TLS SNI fields

Index ¶

Constants
func CipherSuites(u []uint16) []string
func CompressionMethods(u []uint8) []string
func PeekClientHelloInfo(ctx context.Context, conn net.Conn) (*tls.ClientHelloInfo, net.Conn, error)
func ReadClientHelloInfo(ctx context.Context, f io.Reader) (*tls.ClientHelloInfo, error)
func SignatureAlgos(u []SignatureScheme) []string
func SupportedVersions(u []uint16) []string
func VersionName(u uint16) string
type ClientHelloInfo
- func GetInfo(buf []byte) *ClientHelloInfo
type Conn
- func (c *Conn) Read(b []byte) (int, error)
type CurveID
type Dispatcher
type Handler
type SignatureScheme

Constants ¶

View Source

const (
	VersionTLS10 = 0x0301
	VersionTLS11 = 0x0302
	VersionTLS12 = 0x0303
	VersionTLS13 = 0x0304

	/* Deprecated: SSLv3 is cryptographically broken, and is no longer
	supported by this package. See golang.org/issue/32716.*/
	VersionSSL30 = 0x0300
)

View Source

const (
	// TLS 1.0 - 1.2 cipher suites.
	TLS_RSA_WITH_RC4_128_SHA                      uint16 = 0x0005
	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a
	TLS_RSA_WITH_AES_128_CBC_SHA                  uint16 = 0x002f
	TLS_RSA_WITH_AES_256_CBC_SHA                  uint16 = 0x0035
	TLS_RSA_WITH_AES_128_CBC_SHA256               uint16 = 0x003c
	TLS_RSA_WITH_AES_128_GCM_SHA256               uint16 = 0x009c
	TLS_RSA_WITH_AES_256_GCM_SHA384               uint16 = 0x009d
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              uint16 = 0xc007
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          uint16 = 0xc009
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          uint16 = 0xc00a
	TLS_ECDHE_RSA_WITH_RC4_128_SHA                uint16 = 0xc011
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0xc012
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            uint16 = 0xc013
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            uint16 = 0xc014
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       uint16 = 0xc023
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0xc027
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0xc02f
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       uint16 = 0xc02b
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0xc030
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       uint16 = 0xc02c
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xcca8
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9

	// TLS 1.3 cipher suites.
	TLS_AES_128_GCM_SHA256       uint16 = 0x1301
	TLS_AES_256_GCM_SHA384       uint16 = 0x1302
	TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303

	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
	// that the client is doing version fallback. See RFC 7507.
	TLS_FALLBACK_SCSV uint16 = 0x5600

	// Legacy names for the corresponding cipher suites with the correct _SHA256
	// suffix, retained for backward compatibility.
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305   = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
)

Variables ¶

This section is empty.

Functions ¶

func CipherSuites ¶

func CipherSuites(u []uint16) []string

CipherSuites returns the supported Cipher suites

func CompressionMethods ¶

func CompressionMethods(u []uint8) []string

CompressionMethods will return the names of the compression method used. This is Compression None or Unknown

func PeekClientHelloInfo ¶

func PeekClientHelloInfo(ctx context.Context,
	conn net.Conn) (*tls.ClientHelloInfo, net.Conn, error)

PeekClientHelloInfo extracts the ClientHelloInfo from a connection still allowing a future handler have complete untouched access to the stream

func ReadClientHelloInfo ¶

func ReadClientHelloInfo(ctx context.Context,
	f io.Reader) (*tls.ClientHelloInfo, error)

ReadClientHelloInfo mimics a TLS connection to let Go's tls.Server parse the ClientHelloInfo for us - https://www.agwa.name/blog/post/writing_an_sni_proxy_in_go

func SignatureAlgos ¶

func SignatureAlgos(u []SignatureScheme) []string

SignatureAlgos will return the names of the supported Signature Algorithms

func SupportedVersions ¶

func SupportedVersions(u []uint16) []string

SupportedVersions will return the names of the compression method used. This is Compression None or Unknown

func VersionName ¶

func VersionName(u uint16) string

VersionName will return the name of the TLS/SSL version

Types ¶

type ClientHelloInfo ¶

type ClientHelloInfo struct {
	Vers uint16

	CipherSuites       []uint16
	CompressionMethods []uint8
	ServerName         string

	SupportedSignatureAlgorithms     []SignatureScheme
	SupportedSignatureAlgorithmsCert []SignatureScheme

	ALPNProtocols []string

	SupportedVersions []uint16
	// contains filtered or unexported fields
}

ClientHelloInfo contains information from a ClientHello message in order to guide application logic in the GetCertificate and GetConfigForClient callbacks.

func GetInfo ¶

func GetInfo(buf []byte) *ClientHelloInfo

GetInfo returns a pointer to a ClientHelloInfo:

type Conn ¶

type Conn struct {
	net.Conn
	io.Reader
}

Conn is a net.Conn with custom Reader

func (*Conn) Read ¶

func (c *Conn) Read(b []byte) (int, error)

type CurveID ¶

type CurveID uint16

CurveID is the type of a TLS identifier for an elliptic curve. See http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8

type Dispatcher ¶

type Dispatcher struct {

	// Logger to report errors
	Logger slog.Logger
	// Context to be used as parent of the internal Canceller
	Context context.Context

	// GetHandler tells the Dispatcher if the connection associated with
	// a given ClientHelloInfo should be passed to a dedicated Handler
	// instead of passing it to the outer tls.Listener
	GetHandler func(*tls.ClientHelloInfo) Handler

	// OnAccept is optionally used to configure the inbound net.Conn
	OnAccept func(net.Conn) (net.Conn, error)

	// OnError let's the use decide if we shut down on critical errors or not
	// it also allows the user to act accordingly
	OnError func(err error) bool
	// contains filtered or unexported fields
}

The Dispatcher screens TCP connections and uses SNI to decide if they should be handled by a dedicated system or passed to the tls.Listener using it via Accept()

dispatcher := &sni.Dispatcher{ GetHandler: func() { ..... }, }

conf := &tls.Config{...} lsn, err := tls.NewListener(dispatcher, config)

func (*Dispatcher) Accept ¶

func (d *Dispatcher) Accept() (net.Conn, error)

Accept returns a connection that wasn't dispatched through the Handler provided by GetHandler

func (*Dispatcher) Addr ¶

func (d *Dispatcher) Addr() net.Addr

Addr returns the address the underlying listener is using

func (*Dispatcher) Cancel ¶

func (d *Dispatcher) Cancel()

Cancel initiates a shut down. it will prevent new dispatches and cancel existing workers, but the responsibility of closing the listener is on the tls.Listener

func (*Dispatcher) Cancelled ¶

func (d *Dispatcher) Cancelled() bool

Cancelled tells if the Dispatcher has been shut down

func (*Dispatcher) Close ¶

func (d *Dispatcher) Close() error

Close initiates a shut down but also returns the first fatal error if there was one

func (*Dispatcher) Err ¶

func (d *Dispatcher) Err() error

Err tells the first fatal error

func (*Dispatcher) Serve ¶

func (d *Dispatcher) Serve(ln net.Listener) error

Serve starts processing the underlying net.Listener

func (*Dispatcher) Shutdown ¶

func (d *Dispatcher) Shutdown(ctx context.Context) error

Shutdown initiates a shutdown and waits until the workers are done or the given context times out.

func (*Dispatcher) Wait ¶

func (d *Dispatcher) Wait() error

Wait waits until all workers are done

type Handler ¶

type Handler func(context.Context, net.Conn) error

A Handler is a function that will take responsibility over a given connection. The Provided Context is used to indicate when a shut down has been initiated

type SignatureScheme ¶

type SignatureScheme uint16

const (
	// RSASSA-PKCS1-v1_5 algorithms.
	PKCS1WithSHA256 SignatureScheme = 0x0401
	PKCS1WithSHA384 SignatureScheme = 0x0501
	PKCS1WithSHA512 SignatureScheme = 0x0601

	// RSASSA-PSS algorithms with public key OID rsaEncryption.
	PSSWithSHA256 SignatureScheme = 0x0804
	PSSWithSHA384 SignatureScheme = 0x0805
	PSSWithSHA512 SignatureScheme = 0x0806

	// ECDSA algorithms. Only constrained to a specific curve in TLS 1.3.
	ECDSAWithP256AndSHA256 SignatureScheme = 0x0403
	ECDSAWithP384AndSHA384 SignatureScheme = 0x0503
	ECDSAWithP521AndSHA512 SignatureScheme = 0x0603

	// EdDSA algorithms.
	Ed25519 SignatureScheme = 0x0807

	// Legacy signature and hash algorithms for TLS 1.2.
	PKCS1WithSHA1 SignatureScheme = 0x0201
	ECDSAWithSHA1 SignatureScheme = 0x0203
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL