mirror of
https://github.com/DNSCrypt/dnscrypt-proxy.git
synced 2025-04-04 21:57:44 +03:00
Adding the ability to do TLS client authentication for DoH (#1203)
* Adding the ability to do TLS client authentication for DoH * whitespace nit * Check for server specific creds before wildcard * small comma ok idiom change
This commit is contained in:
Kevin O'Sullivan
GitHub
parent
c2271c8079
commit
c040b13d59
5 changed files with 61 additions and 4 deletions
|
|
@ -92,6 +92,7 @@ type Config struct {
|
||||||
BlockedQueryResponse string `toml:"blocked_query_response"`
|
BlockedQueryResponse string `toml:"blocked_query_response"`
|
||||||
QueryMeta []string `toml:"query_meta"`
|
QueryMeta []string `toml:"query_meta"`
|
||||||
AnonymizedDNS AnonymizedDNSConfig `toml:"anonymized_dns"`
|
AnonymizedDNS AnonymizedDNSConfig `toml:"anonymized_dns"`
|
||||||
|
TLSClientAuth TLSClientAuthConfig `toml:"tls_client_auth"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func newConfig() Config {
|
func newConfig() Config {
|
||||||
|
|
@ -214,6 +215,16 @@ type ServerSummary struct {
|
||||||
Stamp string `json:"stamp"`
|
Stamp string `json:"stamp"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type TLSClientAuthCredsConfig struct {
|
||||||
|
ServerName string `toml:"server_name"`
|
||||||
|
ClientCert string `toml:"client_cert"`
|
||||||
|
ClientKey string `toml:"client_key"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type TLSClientAuthConfig struct {
|
||||||
|
Creds []TLSClientAuthCredsConfig `toml:"creds"`
|
||||||
|
}
|
||||||
|
|
||||||
type ConfigFlags struct {
|
type ConfigFlags struct {
|
||||||
List *bool
|
List *bool
|
||||||
ListAll *bool
|
ListAll *bool
|
||||||
|
|
@ -472,6 +483,17 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
|
||||||
}
|
}
|
||||||
proxy.routes = &routes
|
proxy.routes = &routes
|
||||||
}
|
}
|
||||||
|
configClientCreds := config.TLSClientAuth.Creds
|
||||||
|
creds := make(map[string]DOHClientCreds)
|
||||||
|
for _, configClientCred := range configClientCreds {
|
||||||
|
credFiles := DOHClientCreds{
|
||||||
|
clientCert: configClientCred.ClientCert,
|
||||||
|
clientKey: configClientCred.ClientKey,
|
||||||
|
}
|
||||||
|
creds[configClientCred.ServerName] = credFiles
|
||||||
|
}
|
||||||
|
proxy.dohCreds = &creds
|
||||||
|
|
||||||
proxy.serversWithBrokenQueryPadding = config.BrokenImplementations.BrokenQueryPadding
|
proxy.serversWithBrokenQueryPadding = config.BrokenImplementations.BrokenQueryPadding
|
||||||
|
|
||||||
if *flags.ListAll {
|
if *flags.ListAll {
|
||||||
|
|
|
||||||
|
|
@ -674,3 +674,14 @@ broken_query_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield', "quad9-dnsc
|
||||||
|
|
||||||
# [static.'myserver']
|
# [static.'myserver']
|
||||||
# stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
|
# stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
|
||||||
|
|
||||||
|
|
||||||
|
################################
|
||||||
|
# TLS Client Authentication #
|
||||||
|
################################
|
||||||
|
|
||||||
|
[tls_client_auth]
|
||||||
|
|
||||||
|
# creds = [
|
||||||
|
# { server_name='myserver', client_cert='client.crt', client_key='client.key' },
|
||||||
|
# ]
|
||||||
|
|
|
||||||
|
|
@ -77,6 +77,7 @@ type Proxy struct {
|
||||||
routes *map[string][]string
|
routes *map[string][]string
|
||||||
serversWithBrokenQueryPadding []string
|
serversWithBrokenQueryPadding []string
|
||||||
showCerts bool
|
showCerts bool
|
||||||
|
dohCreds *map[string]DOHClientCreds
|
||||||
}
|
}
|
||||||
|
|
||||||
func (proxy *Proxy) addDNSListener(listenAddrStr string) {
|
func (proxy *Proxy) addDNSListener(listenAddrStr string) {
|
||||||
|
|
|
||||||
|
|
@ -35,6 +35,11 @@ type ServerBugs struct {
|
||||||
incorrectPadding bool
|
incorrectPadding bool
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type DOHClientCreds struct {
|
||||||
|
clientCert string
|
||||||
|
clientKey string
|
||||||
|
}
|
||||||
|
|
||||||
type ServerInfo struct {
|
type ServerInfo struct {
|
||||||
Proto stamps.StampProtoType
|
Proto stamps.StampProtoType
|
||||||
MagicQuery [8]byte
|
MagicQuery [8]byte
|
||||||
|
|
@ -54,6 +59,7 @@ type ServerInfo struct {
|
||||||
rtt ewma.MovingAverage
|
rtt ewma.MovingAverage
|
||||||
initialRtt int
|
initialRtt int
|
||||||
useGet bool
|
useGet bool
|
||||||
|
DOHClientCreds DOHClientCreds
|
||||||
}
|
}
|
||||||
|
|
||||||
type LBStrategy int
|
type LBStrategy int
|
||||||
|
|
@ -378,6 +384,15 @@ func fetchDoHServerInfo(proxy *Proxy, name string, stamp stamps.ServerStamp, isN
|
||||||
Path: stamp.Path,
|
Path: stamp.Path,
|
||||||
}
|
}
|
||||||
body := dohTestPacket(0xcafe)
|
body := dohTestPacket(0xcafe)
|
||||||
|
dohClientCreds, ok := (*proxy.dohCreds)[name]
|
||||||
|
if !ok {
|
||||||
|
dohClientCreds, ok = (*proxy.dohCreds)["*"]
|
||||||
|
}
|
||||||
|
if ok {
|
||||||
|
dlog.Noticef("[%s] Cert: %s, Key: %s", name, dohClientCreds.clientCert, dohClientCreds.clientKey)
|
||||||
|
proxy.xTransport.tlsClientCreds = dohClientCreds
|
||||||
|
proxy.xTransport.rebuildTransport()
|
||||||
|
}
|
||||||
useGet := false
|
useGet := false
|
||||||
if _, _, _, err := proxy.xTransport.DoHQuery(useGet, url, body, proxy.timeout); err != nil {
|
if _, _, _, err := proxy.xTransport.DoHQuery(useGet, url, body, proxy.timeout); err != nil {
|
||||||
useGet = true
|
useGet = true
|
||||||
|
|
|
||||||
|
|
@ -59,6 +59,7 @@ type XTransport struct {
|
||||||
tlsCipherSuite []uint16
|
tlsCipherSuite []uint16
|
||||||
proxyDialer *netproxy.Dialer
|
proxyDialer *netproxy.Dialer
|
||||||
httpProxyFunction func(*http.Request) (*url.URL, error)
|
httpProxyFunction func(*http.Request) (*url.URL, error)
|
||||||
|
tlsClientCreds DOHClientCreds
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewXTransport() *XTransport {
|
func NewXTransport() *XTransport {
|
||||||
|
|
@ -156,10 +157,17 @@ func (xTransport *XTransport) rebuildTransport() {
|
||||||
if xTransport.httpProxyFunction != nil {
|
if xTransport.httpProxyFunction != nil {
|
||||||
transport.Proxy = xTransport.httpProxyFunction
|
transport.Proxy = xTransport.httpProxyFunction
|
||||||
}
|
}
|
||||||
if xTransport.tlsDisableSessionTickets || xTransport.tlsCipherSuite != nil {
|
tlsClientConfig := tls.Config{}
|
||||||
tlsClientConfig := tls.Config{
|
clientCreds := xTransport.tlsClientCreds
|
||||||
SessionTicketsDisabled: xTransport.tlsDisableSessionTickets,
|
if (clientCreds != DOHClientCreds{}) {
|
||||||
|
cert, err := tls.LoadX509KeyPair(clientCreds.clientCert, clientCreds.clientKey)
|
||||||
|
if err != nil {
|
||||||
|
dlog.Error(err)
|
||||||
}
|
}
|
||||||
|
tlsClientConfig.Certificates = []tls.Certificate{cert}
|
||||||
|
}
|
||||||
|
if xTransport.tlsDisableSessionTickets || xTransport.tlsCipherSuite != nil {
|
||||||
|
tlsClientConfig.SessionTicketsDisabled = xTransport.tlsDisableSessionTickets
|
||||||
if !xTransport.tlsDisableSessionTickets {
|
if !xTransport.tlsDisableSessionTickets {
|
||||||
tlsClientConfig.ClientSessionCache = tls.NewLRUClientSessionCache(10)
|
tlsClientConfig.ClientSessionCache = tls.NewLRUClientSessionCache(10)
|
||||||
}
|
}
|
||||||
|
|
@ -167,8 +175,8 @@ func (xTransport *XTransport) rebuildTransport() {
|
||||||
tlsClientConfig.PreferServerCipherSuites = false
|
tlsClientConfig.PreferServerCipherSuites = false
|
||||||
tlsClientConfig.CipherSuites = xTransport.tlsCipherSuite
|
tlsClientConfig.CipherSuites = xTransport.tlsCipherSuite
|
||||||
}
|
}
|
||||||
transport.TLSClientConfig = &tlsClientConfig
|
|
||||||
}
|
}
|
||||||
|
transport.TLSClientConfig = &tlsClientConfig
|
||||||
http2.ConfigureTransport(transport)
|
http2.ConfigureTransport(transport)
|
||||||
xTransport.transport = transport
|
xTransport.transport = transport
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue