Many fixes

This commit is contained in:
风扇滑翔翼 2024-09-26 14:51:48 +00:00 committed by GitHub
parent 72892dac2f
commit df370f0223
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 60 additions and 49 deletions

View file

@ -445,8 +445,15 @@ func (c *TLSConfig) Build() (proto.Message, error) {
} }
} }
if c.ECHConfig != "" {
ECHConfig, err := base64.StdEncoding.DecodeString(c.ECHConfig)
if err != nil {
return nil, errors.New("invalid ECH Config", c.ECHConfig)
}
config.EchConfig = ECHConfig
}
config.MasterKeyLog = c.MasterKeyLog config.MasterKeyLog = c.MasterKeyLog
config.EchConfig = c.ECHConfig
config.Ech_DOHserver = c.ECHDOHServer config.Ech_DOHserver = c.ECHDOHServer
return config, nil return config, nil

View file

@ -220,7 +220,7 @@ type Config struct {
// @Critical // @Critical
PinnedPeerCertificatePublicKeySha256 [][]byte `protobuf:"bytes,14,rep,name=pinned_peer_certificate_public_key_sha256,json=pinnedPeerCertificatePublicKeySha256,proto3" json:"pinned_peer_certificate_public_key_sha256,omitempty"` PinnedPeerCertificatePublicKeySha256 [][]byte `protobuf:"bytes,14,rep,name=pinned_peer_certificate_public_key_sha256,json=pinnedPeerCertificatePublicKeySha256,proto3" json:"pinned_peer_certificate_public_key_sha256,omitempty"`
MasterKeyLog string `protobuf:"bytes,15,opt,name=master_key_log,json=masterKeyLog,proto3" json:"master_key_log,omitempty"` MasterKeyLog string `protobuf:"bytes,15,opt,name=master_key_log,json=masterKeyLog,proto3" json:"master_key_log,omitempty"`
EchConfig string `protobuf:"bytes,16,opt,name=ech_config,json=echConfig,proto3" json:"ech_config,omitempty"` EchConfig []byte `protobuf:"bytes,16,opt,name=ech_config,json=echConfig,proto3" json:"ech_config,omitempty"`
Ech_DOHserver string `protobuf:"bytes,17,opt,name=ech_DOHserver,json=echDOHserver,proto3" json:"ech_DOHserver,omitempty"` Ech_DOHserver string `protobuf:"bytes,17,opt,name=ech_DOHserver,json=echDOHserver,proto3" json:"ech_DOHserver,omitempty"`
} }
@ -362,11 +362,11 @@ func (x *Config) GetMasterKeyLog() string {
return "" return ""
} }
func (x *Config) GetEchConfig() string { func (x *Config) GetEchConfig() []byte {
if x != nil { if x != nil {
return x.EchConfig return x.EchConfig
} }
return "" return nil
} }
func (x *Config) GetEch_DOHserver() string { func (x *Config) GetEch_DOHserver() string {
@ -456,7 +456,7 @@ var file_transport_internet_tls_config_proto_rawDesc = []byte{
0x61, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6c, 0x6f, 0x67, 0x18, 0x0f, 0x20, 0x61, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6c, 0x6f, 0x67, 0x18, 0x0f, 0x20,
0x01, 0x28, 0x09, 0x52, 0x0c, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x4c, 0x6f, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x4c, 0x6f,
0x67, 0x12, 0x1d, 0x0a, 0x0a, 0x65, 0x63, 0x68, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x67, 0x12, 0x1d, 0x0a, 0x0a, 0x65, 0x63, 0x68, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18,
0x10, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x65, 0x63, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x10, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x65, 0x63, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
0x12, 0x23, 0x0a, 0x0d, 0x65, 0x63, 0x68, 0x5f, 0x44, 0x4f, 0x48, 0x73, 0x65, 0x72, 0x76, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x65, 0x63, 0x68, 0x5f, 0x44, 0x4f, 0x48, 0x73, 0x65, 0x72, 0x76, 0x65,
0x72, 0x18, 0x11, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x63, 0x68, 0x44, 0x4f, 0x48, 0x73, 0x72, 0x18, 0x11, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x63, 0x68, 0x44, 0x4f, 0x48, 0x73,
0x65, 0x72, 0x76, 0x65, 0x72, 0x42, 0x73, 0x0a, 0x1f, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x65, 0x72, 0x76, 0x65, 0x72, 0x42, 0x73, 0x0a, 0x1f, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61,

View file

@ -88,6 +88,6 @@ message Config {
repeated bytes pinned_peer_certificate_public_key_sha256 = 14; repeated bytes pinned_peer_certificate_public_key_sha256 = 14;
string master_key_log = 15; string master_key_log = 15;
string ech_config = 16; bytes ech_config = 16;
string ech_DOHserver = 17; string ech_DOHserver = 17;
} }

View file

@ -7,10 +7,8 @@ import (
"bytes" "bytes"
"context" "context"
"crypto/tls" "crypto/tls"
"encoding/base64"
"io" "io"
"net/http" "net/http"
"regexp"
"sync" "sync"
"time" "time"
@ -25,19 +23,15 @@ func ApplyECH(c *Config, config *tls.Config) error {
var err error var err error
if len(c.EchConfig) > 0 { if len(c.EchConfig) > 0 {
ECHConfig, err = base64.StdEncoding.DecodeString(c.EchConfig) ECHConfig = c.EchConfig
if err != nil {
return errors.New("invalid ECH config")
}
} else { // ECH config > DOH lookup } else { // ECH config > DOH lookup
if c.ServerName == "" { if config.ServerName == "" {
return errors.New("Using DOH for ECH needs serverName") return errors.New("Using DOH for ECH needs serverName")
} }
ECHRecord, err := QueryRecord(c.ServerName, c.Ech_DOHserver) ECHConfig, err = QueryRecord(c.ServerName, c.Ech_DOHserver)
if err != nil { if err != nil {
return err return err
} }
ECHConfig, _ = base64.StdEncoding.DecodeString(ECHRecord)
} }
config.EncryptedClientHelloConfigList = ECHConfig config.EncryptedClientHelloConfigList = ECHConfig
@ -45,7 +39,7 @@ func ApplyECH(c *Config, config *tls.Config) error {
} }
type record struct { type record struct {
record string record []byte
expire time.Time expire time.Time
} }
@ -54,34 +48,40 @@ var (
mutex sync.RWMutex mutex sync.RWMutex
) )
func QueryRecord(domain string, server string) (string, error) { func QueryRecord(domain string, server string) ([]byte, error) {
mutex.Lock()
rec, found := dnsCache[domain] rec, found := dnsCache[domain]
if found && rec.expire.After(time.Now()) { if found && rec.expire.After(time.Now()) {
mutex.Unlock()
return rec.record, nil return rec.record, nil
} }
mutex.Lock() mutex.Unlock()
defer mutex.Unlock()
errors.LogDebug(context.Background(), "Tring to query ECH config for domain: ", domain, " with ECH server: ", server) errors.LogDebug(context.Background(), "Trying to query ECH config for domain: ", domain, " with ECH server: ", server)
record, ttl, err := dohQuery(server, domain) record, ttl, err := dohQuery(server, domain)
if err != nil { if err != nil {
return "", err return []byte{}, err
} }
// Use TTL for good, but many HTTPS records have TTL 60, too short
if ttl < 600 { if ttl < 600 {
ttl = 600 ttl = 600
} }
mutex.Lock()
defer mutex.Unlock()
rec.record = record rec.record = record
rec.expire = time.Now().Add(time.Second * time.Duration(ttl)) rec.expire = time.Now().Add(time.Second * time.Duration(ttl))
dnsCache[domain] = rec dnsCache[domain] = rec
return record, nil return record, nil
} }
func dohQuery(server string, domain string) (string, uint32, error) { func dohQuery(server string, domain string) ([]byte, uint32, error) {
m := new(dns.Msg) m := new(dns.Msg)
m.SetQuestion(dns.Fqdn(domain), dns.TypeHTTPS) m.SetQuestion(dns.Fqdn(domain), dns.TypeHTTPS)
m.Id = 0
msg, err := m.Pack() msg, err := m.Pack()
if err != nil { if err != nil {
return "", 0, err return []byte{}, 0, err
} }
tr := &http.Transport{ tr := &http.Transport{
IdleConnTimeout: 90 * time.Second, IdleConnTimeout: 90 * time.Second,
@ -104,33 +104,37 @@ func dohQuery(server string, domain string) (string, uint32, error) {
} }
req, err := http.NewRequest("POST", server, bytes.NewReader(msg)) req, err := http.NewRequest("POST", server, bytes.NewReader(msg))
if err != nil { if err != nil {
return "", 0, err return []byte{}, 0, err
} }
req.Header.Set("Content-Type", "application/dns-message") req.Header.Set("Content-Type", "application/dns-message")
resp, err := client.Do(req) resp, err := client.Do(req)
if err != nil { if err != nil {
return "", 0, err return []byte{}, 0, err
} }
defer resp.Body.Close() defer resp.Body.Close()
respBody, err := io.ReadAll(resp.Body) respBody, err := io.ReadAll(resp.Body)
if err != nil { if err != nil {
return "", 0, err return []byte{}, 0, err
} }
if resp.StatusCode != http.StatusOK { if resp.StatusCode != http.StatusOK {
return "", 0, errors.New("query failed with response code:", resp.StatusCode) return []byte{}, 0, errors.New("query failed with response code:", resp.StatusCode)
} }
respMsg := new(dns.Msg) respMsg := new(dns.Msg)
err = respMsg.Unpack(respBody) err = respMsg.Unpack(respBody)
if err != nil { if err != nil {
return "", 0, err return []byte{}, 0, err
} }
if len(respMsg.Answer) > 0 { if len(respMsg.Answer) > 0 {
re := regexp.MustCompile(`ech="([^"]+)"`) for _, answer := range respMsg.Answer {
match := re.FindStringSubmatch(respMsg.Answer[0].String()) if https, ok := answer.(*dns.HTTPS); ok && https.Hdr.Name == dns.Fqdn(domain) {
if match[1] != "" { for _, v := range https.Value {
errors.LogDebug(context.Background(), "Get ECH config:", match[1], " TTL:", respMsg.Answer[0].Header().Ttl) if echConfig, ok := v.(*dns.SVCBECHConfig); ok {
return match[1], respMsg.Answer[0].Header().Ttl, nil errors.LogDebug(context.Background(), "Get ECH config:", echConfig.String(), " TTL:", respMsg.Answer[0].Header().Ttl)
return echConfig.ECH, answer.Header().Ttl, nil
} }
} }
return "", 0, errors.New("no ech record found") }
}
}
return []byte{}, 0, errors.New("no ech record found")
} }