We use cookies to ensure you get the best experience on our website
Home Explore Help
Register Sign In
0ct0pu5
/
moby
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: debcb76939
Branches Tags
moby
/
vendor
/
github.com
/
google
/
s2a-go
/
fallback
/
s2a_fallback.go

s2a_fallback.go 6.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167 
  1. /*
    2. 

  2.  *
    3. 

  3.  * Copyright 2023 Google LLC
    4. 

  4.  *
    5. 

  5.  * Licensed under the Apache License, Version 2.0 (the "License");
    6. 

  6.  * you may not use this file except in compliance with the License.
    7. 

  7.  * You may obtain a copy of the License at
    8. 

  8.  *
    9. 

  9.  *     https://www.apache.org/licenses/LICENSE-2.0
    10. 

  10.  *
    11. 

  11.  * Unless required by applicable law or agreed to in writing, software
    12. 

  12.  * distributed under the License is distributed on an "AS IS" BASIS,
    13. 

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14. 

  14.  * See the License for the specific language governing permissions and
    15. 

  15.  * limitations under the License.
    16. 

  16.  *
    17. 

  17.  */
    18. 

  18. 

  19. // Package fallback provides default implementations of fallback options when S2A fails.
    20. 

  20. package fallback
    21. 

  21. 

  22. import (
    23. 

  23. 	"context"
    24. 

  24. 	"crypto/tls"
    25. 

  25. 	"fmt"
    26. 

  26. 	"net"
    27. 

  27. 

  28. 	"google.golang.org/grpc/credentials"
    29. 

  29. 	"google.golang.org/grpc/grpclog"
    30. 

  30. )
    31. 

  31. 

  32. const (
    33. 

  33. 	alpnProtoStrH2   = "h2"
    34. 

  34. 	alpnProtoStrHTTP = "http/1.1"
    35. 

  35. 	defaultHTTPSPort = "443"
    36. 

  36. )
    37. 

  37. 

  38. // FallbackTLSConfigGRPC is a tls.Config used by the DefaultFallbackClientHandshakeFunc function.
    39. 

  39. // It supports GRPC use case, thus the alpn is set to 'h2'.
    40. 

  40. var FallbackTLSConfigGRPC = tls.Config{
    41. 

  41. 	MinVersion:         tls.VersionTLS13,
    42. 

  42. 	ClientSessionCache: nil,
    43. 

  43. 	NextProtos:         []string{alpnProtoStrH2},
    44. 

  44. }
    45. 

  45. 

  46. // FallbackTLSConfigHTTP is a tls.Config used by the DefaultFallbackDialerAndAddress func.
    47. 

  47. // It supports the HTTP use case and the alpn is set to both 'http/1.1' and 'h2'.
    48. 

  48. var FallbackTLSConfigHTTP = tls.Config{
    49. 

  49. 	MinVersion:         tls.VersionTLS13,
    50. 

  50. 	ClientSessionCache: nil,
    51. 

  51. 	NextProtos:         []string{alpnProtoStrH2, alpnProtoStrHTTP},
    52. 

  52. }
    53. 

  53. 

  54. // ClientHandshake establishes a TLS connection and returns it, plus its auth info.
    55. 

  55. // Inputs:
    56. 

  56. //
    57. 

  57. //	targetServer: the server attempted with S2A.
    58. 

  58. //	conn: the tcp connection to the server at address targetServer that was passed into S2A's ClientHandshake func.
    59. 

  59. //	            If fallback is successful, the `conn` should be closed.
    60. 

  60. //	err: the error encountered when performing the client-side TLS handshake with S2A.
    61. 

  61. type ClientHandshake func(ctx context.Context, targetServer string, conn net.Conn, err error) (net.Conn, credentials.AuthInfo, error)
    62. 

  62. 

  63. // DefaultFallbackClientHandshakeFunc returns a ClientHandshake function,
    64. 

  64. // which establishes a TLS connection to the provided fallbackAddr, returns the new connection and its auth info.
    65. 

  65. // Example use:
    66. 

  66. //
    67. 

  67. //	transportCreds, _ = s2a.NewClientCreds(&s2a.ClientOptions{
    68. 

  68. //		S2AAddress: s2aAddress,
    69. 

  69. //		FallbackOpts: &s2a.FallbackOptions{ // optional
    70. 

  70. //			FallbackClientHandshakeFunc: fallback.DefaultFallbackClientHandshakeFunc(fallbackAddr),
    71. 

  71. //		},
    72. 

  72. //	})
    73. 

  73. //
    74. 

  74. // The fallback server's certificate must be verifiable using OS root store.
    75. 

  75. // The fallbackAddr is expected to be a network address, e.g. example.com:port. If port is not specified,
    76. 

  76. // it uses default port 443.
    77. 

  77. // In the returned function's TLS config, ClientSessionCache is explicitly set to nil to disable TLS resumption,
    78. 

  78. // and min TLS version is set to 1.3.
    79. 

  79. func DefaultFallbackClientHandshakeFunc(fallbackAddr string) (ClientHandshake, error) {
    80. 

  80. 	var fallbackDialer = tls.Dialer{Config: &FallbackTLSConfigGRPC}
    81. 

  81. 	return defaultFallbackClientHandshakeFuncInternal(fallbackAddr, fallbackDialer.DialContext)
    82. 

  82. }
    83. 

  83. 

  84. func defaultFallbackClientHandshakeFuncInternal(fallbackAddr string, dialContextFunc func(context.Context, string, string) (net.Conn, error)) (ClientHandshake, error) {
    85. 

  85. 	fallbackServerAddr, err := processFallbackAddr(fallbackAddr)
    86. 

  86. 	if err != nil {
    87. 

  87. 		if grpclog.V(1) {
    88. 

  88. 			grpclog.Infof("error processing fallback address [%s]: %v", fallbackAddr, err)
    89. 

  89. 		}
    90. 

  90. 		return nil, err
    91. 

  91. 	}
    92. 

  92. 	return func(ctx context.Context, targetServer string, conn net.Conn, s2aErr error) (net.Conn, credentials.AuthInfo, error) {
    93. 

  93. 		fbConn, fbErr := dialContextFunc(ctx, "tcp", fallbackServerAddr)
    94. 

  94. 		if fbErr != nil {
    95. 

  95. 			grpclog.Infof("dialing to fallback server %s failed: %v", fallbackServerAddr, fbErr)
    96. 

  96. 			return nil, nil, fmt.Errorf("dialing to fallback server %s failed: %v; S2A client handshake with %s error: %w", fallbackServerAddr, fbErr, targetServer, s2aErr)
    97. 

  97. 		}
    98. 

  98. 

  99. 		tc, success := fbConn.(*tls.Conn)
    100. 

  100. 		if !success {
    101. 

  101. 			grpclog.Infof("the connection with fallback server is expected to be tls but isn't")
    102. 

  102. 			return nil, nil, fmt.Errorf("the connection with fallback server is expected to be tls but isn't; S2A client handshake with %s error: %w", targetServer, s2aErr)
    103. 

  103. 		}
    104. 

  104. 

  105. 		tlsInfo := credentials.TLSInfo{
    106. 

  106. 			State: tc.ConnectionState(),
    107. 

  107. 			CommonAuthInfo: credentials.CommonAuthInfo{
    108. 

  108. 				SecurityLevel: credentials.PrivacyAndIntegrity,
    109. 

  109. 			},
    110. 

  110. 		}
    111. 

  111. 		if grpclog.V(1) {
    112. 

  112. 			grpclog.Infof("ConnectionState.NegotiatedProtocol: %v", tc.ConnectionState().NegotiatedProtocol)
    113. 

  113. 			grpclog.Infof("ConnectionState.HandshakeComplete: %v", tc.ConnectionState().HandshakeComplete)
    114. 

  114. 			grpclog.Infof("ConnectionState.ServerName: %v", tc.ConnectionState().ServerName)
    115. 

  115. 		}
    116. 

  116. 		conn.Close()
    117. 

  117. 		return fbConn, tlsInfo, nil
    118. 

  118. 	}, nil
    119. 

  119. }
    120. 

  120. 

  121. // DefaultFallbackDialerAndAddress returns a TLS dialer and the network address to dial.
    122. 

  122. // Example use:
    123. 

  123. //
    124. 

  124. //	    fallbackDialer, fallbackServerAddr := fallback.DefaultFallbackDialerAndAddress(fallbackAddr)
    125. 

  125. //		dialTLSContext := s2a.NewS2aDialTLSContextFunc(&s2a.ClientOptions{
    126. 

  126. //			S2AAddress:         s2aAddress, // required
    127. 

  127. //			FallbackOpts: &s2a.FallbackOptions{
    128. 

  128. //				FallbackDialer: &s2a.FallbackDialer{
    129. 

  129. //					Dialer:     fallbackDialer,
    130. 

  130. //					ServerAddr: fallbackServerAddr,
    131. 

  131. //				},
    132. 

  132. //			},
    133. 

  133. //	})
    134. 

  134. //
    135. 

  135. // The fallback server's certificate should be verifiable using OS root store.
    136. 

  136. // The fallbackAddr is expected to be a network address, e.g. example.com:port. If port is not specified,
    137. 

  137. // it uses default port 443.
    138. 

  138. // In the returned function's TLS config, ClientSessionCache is explicitly set to nil to disable TLS resumption,
    139. 

  139. // and min TLS version is set to 1.3.
    140. 

  140. func DefaultFallbackDialerAndAddress(fallbackAddr string) (*tls.Dialer, string, error) {
    141. 

  141. 	fallbackServerAddr, err := processFallbackAddr(fallbackAddr)
    142. 

  142. 	if err != nil {
    143. 

  143. 		if grpclog.V(1) {
    144. 

  144. 			grpclog.Infof("error processing fallback address [%s]: %v", fallbackAddr, err)
    145. 

  145. 		}
    146. 

  146. 		return nil, "", err
    147. 

  147. 	}
    148. 

  148. 	return &tls.Dialer{Config: &FallbackTLSConfigHTTP}, fallbackServerAddr, nil
    149. 

  149. }
    150. 

  150. 

  151. func processFallbackAddr(fallbackAddr string) (string, error) {
    152. 

  152. 	var fallbackServerAddr string
    153. 

  153. 	var err error
    154. 

  154. 

  155. 	if fallbackAddr == "" {
    156. 

  156. 		return "", fmt.Errorf("empty fallback address")
    157. 

  157. 	}
    158. 

  158. 	_, _, err = net.SplitHostPort(fallbackAddr)
    159. 

  159. 	if err != nil {
    160. 

  160. 		// fallbackAddr does not have port suffix
    161. 

  161. 		fallbackServerAddr = net.JoinHostPort(fallbackAddr, defaultHTTPSPort)
    162. 

  162. 	} else {
    163. 

  163. 		// FallbackServerAddr already has port suffix
    164. 

  164. 		fallbackServerAddr = fallbackAddr
    165. 

  165. 	}
    166. 

  166. 	return fallbackServerAddr, nil
    167. 

  167. }
    168.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5