From 6e97652d23ccb88075835c92c3aeeb5aee3268ce Mon Sep 17 00:00:00 2001 From: Wendel Hime <6754291+WendelHime@users.noreply.github.com> Date: Thu, 22 Aug 2024 19:05:59 -0300 Subject: [PATCH] Adding verifyHost to peer certificate verification (#43) * fix: replacing crc32 by sha256 hash sum and making sure it doesn't return a negative value * fix: adding SNI to peer certificate verification * fix: update error message * fix: add test for verifying peer certificate * chore: removing unused function * feat: adding verify host attribute * fix: add missing verify host to context.go * fix: add missing verify host to cache_test.go and remove deprecated references from cache.go * feat: use verify host and update tests * chore: removing log trace and add field to operation so we can see the received verifyHost --- cache.go | 6 ++-- cache_test.go | 4 +-- context.go | 2 +- direct.go | 48 +++++++++++++++----------- direct_test.go | 86 +++++++++++++++++++++++++++++++++++++++++++--- masquerade.go | 12 +++++-- masquerade_test.go | 61 ++++++++++++++++++++++++++++++++ test_support.go | 6 ++-- 8 files changed, 189 insertions(+), 36 deletions(-) diff --git a/cache.go b/cache.go index a1457c5..43391bb 100644 --- a/cache.go +++ b/cache.go @@ -2,7 +2,7 @@ package fronted import ( "encoding/json" - "io/ioutil" + "os" "time" ) @@ -12,7 +12,7 @@ func (d *direct) initCaching(cacheFile string) { } func (d *direct) prepopulateMasquerades(cacheFile string) { - bytes, err := ioutil.ReadFile(cacheFile) + bytes, err := os.ReadFile(cacheFile) if err != nil { // This is not a big deal since we'll just fill the cache later log.Debugf("ignorable error: Unable to read cache file for prepopulation: %v", err) @@ -84,7 +84,7 @@ func (d *direct) updateCache(cacheFile string) { log.Errorf("Unable to marshal cache to JSON: %v", err) return } - err = ioutil.WriteFile(cacheFile, b, 0644) + err = os.WriteFile(cacheFile, b, 0644) if err != nil { log.Errorf("Unable to save cache to disk: %v", err) } diff --git a/cache_test.go b/cache_test.go index 3c36192..06e1c42 100644 --- a/cache_test.go +++ b/cache_test.go @@ -22,8 +22,8 @@ func TestCaching(t *testing.T) { cloudsackID := "cloudsack" providers := map[string]*Provider{ - testProviderID: NewProvider(nil, "", nil, nil, nil, nil), - cloudsackID: NewProvider(nil, "", nil, nil, nil, nil), + testProviderID: NewProvider(nil, "", nil, nil, nil, nil, nil), + cloudsackID: NewProvider(nil, "", nil, nil, nil, nil, nil), } makeDirect := func() *direct { diff --git a/context.go b/context.go index 0b08eae..d6ff814 100644 --- a/context.go +++ b/context.go @@ -97,7 +97,7 @@ func (fctx *FrontingContext) ConfigureWithHello(pool *x509.CertPool, providers m // copy providers for k, p := range providers { - d.providers[k] = NewProvider(p.HostAliases, p.TestURL, p.Masquerades, p.Validator, p.PassthroughPatterns, p.SNIConfig) + d.providers[k] = NewProvider(p.HostAliases, p.TestURL, p.Masquerades, p.Validator, p.PassthroughPatterns, p.SNIConfig, p.VerifyHostname) } d.loadCandidates(d.providers) diff --git a/direct.go b/direct.go index de9e330..b4e0f6e 100644 --- a/direct.go +++ b/direct.go @@ -428,8 +428,12 @@ func (d *direct) dialServerWith(m *Masquerade) (net.Conn, error) { tlsConfig.ServerName = m.SNI tlsConfig.InsecureSkipVerify = true tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error { - log.Tracef("verifying peer certificate for masquerade domain %s", m.Domain) - return verifyPeerCertificate(rawCerts, d.certPool, m.Domain) + var verifyHostname string + if m.VerifyHostname != nil { + verifyHostname = *m.VerifyHostname + op.Set("verify_hostname", verifyHostname) + } + return verifyPeerCertificate(rawCerts, d.certPool, verifyHostname) } } @@ -447,9 +451,9 @@ func (d *direct) dialServerWith(m *Masquerade) (net.Conn, error) { ClientHelloID: d.clientHelloID, } conn, err := dialer.Dial("tcp", addr) - if err != nil && m != nil { err = fmt.Errorf("unable to dial masquerade %s: %s", m.Domain, err) + op.FailIf(err) } return conn, err } @@ -463,13 +467,7 @@ func verifyPeerCertificate(rawCerts [][]byte, roots *x509.CertPool, domain strin return fmt.Errorf("unable to parse certificate: %w", err) } - masqueradeOpts := x509.VerifyOptions{ - Roots: roots, - CurrentTime: time.Now(), - DNSName: domain, - Intermediates: x509.NewCertPool(), - } - + opts := []x509.VerifyOptions{generateVerifyOptions(roots, domain)} for i := range rawCerts { if i == 0 { continue @@ -478,24 +476,34 @@ func verifyPeerCertificate(rawCerts [][]byte, roots *x509.CertPool, domain strin if err != nil { return fmt.Errorf("unable to parse intermediate certificate: %w", err) } - masqueradeOpts.Intermediates.AddCert(crt) + + for _, opt := range opts { + opt.Intermediates.AddCert(crt) + } } - _, masqueradeErr := cert.Verify(masqueradeOpts) - if masqueradeErr != nil { - return fmt.Errorf("certificate verification failed for masquerade: %w", masqueradeErr) + var verificationErrors error + for _, opt := range opts { + _, err := cert.Verify(opt) + if err != nil { + verificationErrors = errors.Join(verificationErrors, err) + } + } + + if verificationErrors != nil { + return fmt.Errorf("certificate verification failed: %w", verificationErrors) } return nil } -func (d *direct) findProviderFromMasquerade(m *Masquerade) *Provider { - for _, masquerade := range d.masquerades { - if masquerade.Domain == m.Domain && masquerade.IpAddress == m.IpAddress { - return d.providers[masquerade.ProviderID] - } +func generateVerifyOptions(roots *x509.CertPool, domain string) x509.VerifyOptions { + return x509.VerifyOptions{ + Roots: roots, + CurrentTime: time.Now(), + DNSName: domain, + Intermediates: x509.NewCertPool(), } - return nil } // frontingTLSConfig builds a tls.Config for dialing the fronting domain. This is to establish the diff --git a/direct_test.go b/direct_test.go index 66c1ad2..89a3a05 100644 --- a/direct_test.go +++ b/direct_test.go @@ -229,7 +229,7 @@ func TestHostAliasesBasic(t *testing.T) { "abc.forbidden.com": "abc.cloudsack.biz", "def.forbidden.com": "def.cloudsack.biz", } - p := NewProvider(alias, "https://ttt.cloudsack.biz/ping", masq, nil, nil, nil) + p := NewProvider(alias, "https://ttt.cloudsack.biz/ping", masq, nil, nil, nil, nil) certs := x509.NewCertPool() certs.AddCert(cloudSack.Certificate()) @@ -327,14 +327,14 @@ func TestHostAliasesMulti(t *testing.T) { "abc.forbidden.com": "abc.cloudsack.biz", "def.forbidden.com": "def.cloudsack.biz", } - p1 := NewProvider(alias1, "https://ttt.cloudsack.biz/ping", masq1, nil, nil, nil) + p1 := NewProvider(alias1, "https://ttt.cloudsack.biz/ping", masq1, nil, nil, nil, nil) masq2 := []*Masquerade{{Domain: "example.com", IpAddress: sadCloudAddr}} alias2 := map[string]string{ "abc.forbidden.com": "abc.sadcloud.io", "def.forbidden.com": "def.sadcloud.io", } - p2 := NewProvider(alias2, "https://ttt.sadcloud.io/ping", masq2, nil, nil, nil) + p2 := NewProvider(alias2, "https://ttt.sadcloud.io/ping", masq2, nil, nil, nil, nil) certs := x509.NewCertPool() certs.AddCert(cloudSack.Certificate()) @@ -466,7 +466,7 @@ func TestPassthrough(t *testing.T) { masq := []*Masquerade{{Domain: "example.com", IpAddress: cloudSackAddr}} alias := map[string]string{} passthrough := []string{"*.ok.cloudsack.biz", "abc.cloudsack.biz"} - p := NewProvider(alias, "https://ttt.cloudsack.biz/ping", masq, nil, passthrough, nil) + p := NewProvider(alias, "https://ttt.cloudsack.biz/ping", masq, nil, passthrough, nil, nil) certs := x509.NewCertPool() certs.AddCert(cloudSack.Certificate()) @@ -533,7 +533,7 @@ func TestCustomValidators(t *testing.T) { alias := map[string]string{ "abc.forbidden.com": "abc.sadcloud.io", } - p := NewProvider(alias, "https://ttt.sadcloud.io/ping", masq, validator, nil, nil) + p := NewProvider(alias, "https://ttt.sadcloud.io/ping", masq, validator, nil, nil, nil) certs := x509.NewCertPool() certs.AddCert(sadCloud.Certificate()) @@ -728,3 +728,79 @@ func corruptMasquerades(cacheFile string) { } os.WriteFile(cacheFile, messedUp, 0644) } + +func TestVerifyPeerCertificate(t *testing.T) { + // raw certs generated by printing the received rawCerts from TestDirectDomainFrontingWithSNIConfig + rawCerts := [][]byte{{48, 130, 6, 78, 48, 130, 5, 54, 160, 3, 2, 1, 2, 2, 16, 11, 14, 250, 105, 152, 72, 112, 146, 165, 214, 78, 192, 231, 165, 110, 242, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 11, 5, 0, 48, 79, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 21, 48, 19, 6, 3, 85, 4, 10, 19, 12, 68, 105, 103, 105, 67, 101, 114, 116, 32, 73, 110, 99, 49, 41, 48, 39, 6, 3, 85, 4, 3, 19, 32, 68, 105, 103, 105, 67, 101, 114, 116, 32, 84, 76, 83, 32, 82, 83, 65, 32, 83, 72, 65, 50, 53, 54, 32, 50, 48, 50, 48, 32, 67, 65, 49, 48, 30, 23, 13, 50, 52, 48, 52, 49, 56, 48, 48, 48, 48, 48, 48, 90, 23, 13, 50, 53, 48, 52, 49, 57, 50, 51, 53, 57, 53, 57, 90, 48, 121, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 22, 48, 20, 6, 3, 85, 4, 8, 19, 13, 77, 97, 115, 115, 97, 99, 104, 117, 115, 101, 116, 116, 115, 49, 18, 48, 16, 6, 3, 85, 4, 7, 19, 9, 67, 97, 109, 98, 114, 105, 100, 103, 101, 49, 34, 48, 32, 6, 3, 85, 4, 10, 19, 25, 65, 107, 97, 109, 97, 105, 32, 84, 101, 99, 104, 110, 111, 108, 111, 103, 105, 101, 115, 44, 32, 73, 110, 99, 46, 49, 26, 48, 24, 6, 3, 85, 4, 3, 19, 17, 97, 50, 52, 56, 46, 101, 46, 97, 107, 97, 109, 97, 105, 46, 110, 101, 116, 48, 89, 48, 19, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206, 61, 3, 1, 7, 3, 66, 0, 4, 5, 224, 177, 69, 53, 250, 80, 142, 150, 138, 229, 168, 82, 249, 163, 196, 35, 150, 140, 182, 86, 208, 48, 132, 211, 49, 12, 169, 58, 148, 19, 105, 223, 193, 88, 236, 160, 208, 199, 150, 32, 252, 119, 75, 85, 5, 247, 130, 138, 242, 186, 184, 107, 67, 177, 230, 40, 36, 104, 131, 178, 228, 231, 148, 163, 130, 3, 197, 48, 130, 3, 193, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 183, 107, 162, 234, 168, 170, 132, 140, 121, 234, 180, 218, 15, 152, 178, 197, 149, 118, 185, 244, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 115, 183, 92, 115, 61, 0, 51, 82, 107, 67, 69, 86, 236, 116, 51, 65, 161, 9, 34, 162, 48, 110, 6, 3, 85, 29, 17, 4, 103, 48, 101, 130, 17, 97, 50, 52, 56, 46, 101, 46, 97, 107, 97, 109, 97, 105, 46, 110, 101, 116, 130, 15, 42, 46, 97, 107, 97, 109, 97, 105, 122, 101, 100, 46, 110, 101, 116, 130, 23, 42, 46, 97, 107, 97, 109, 97, 105, 122, 101, 100, 45, 115, 116, 97, 103, 105, 110, 103, 46, 110, 101, 116, 130, 14, 42, 46, 97, 107, 97, 109, 97, 105, 104, 100, 46, 110, 101, 116, 130, 22, 42, 46, 97, 107, 97, 109, 97, 105, 104, 100, 45, 115, 116, 97, 103, 105, 110, 103, 46, 110, 101, 116, 48, 62, 6, 3, 85, 29, 32, 4, 55, 48, 53, 48, 51, 6, 6, 103, 129, 12, 1, 2, 2, 48, 41, 48, 39, 6, 8, 43, 6, 1, 5, 5, 7, 2, 1, 22, 27, 104, 116, 116, 112, 58, 47, 47, 119, 119, 119, 46, 100, 105, 103, 105, 99, 101, 114, 116, 46, 99, 111, 109, 47, 67, 80, 83, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 3, 136, 48, 29, 6, 3, 85, 29, 37, 4, 22, 48, 20, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 6, 8, 43, 6, 1, 5, 5, 7, 3, 2, 48, 129, 143, 6, 3, 85, 29, 31, 4, 129, 135, 48, 129, 132, 48, 64, 160, 62, 160, 60, 134, 58, 104, 116, 116, 112, 58, 47, 47, 99, 114, 108, 51, 46, 100, 105, 103, 105, 99, 101, 114, 116, 46, 99, 111, 109, 47, 68, 105, 103, 105, 67, 101, 114, 116, 84, 76, 83, 82, 83, 65, 83, 72, 65, 50, 53, 54, 50, 48, 50, 48, 67, 65, 49, 45, 52, 46, 99, 114, 108, 48, 64, 160, 62, 160, 60, 134, 58, 104, 116, 116, 112, 58, 47, 47, 99, 114, 108, 52, 46, 100, 105, 103, 105, 99, 101, 114, 116, 46, 99, 111, 109, 47, 68, 105, 103, 105, 67, 101, 114, 116, 84, 76, 83, 82, 83, 65, 83, 72, 65, 50, 53, 54, 50, 48, 50, 48, 67, 65, 49, 45, 52, 46, 99, 114, 108, 48, 127, 6, 8, 43, 6, 1, 5, 5, 7, 1, 1, 4, 115, 48, 113, 48, 36, 6, 8, 43, 6, 1, 5, 5, 7, 48, 1, 134, 24, 104, 116, 116, 112, 58, 47, 47, 111, 99, 115, 112, 46, 100, 105, 103, 105, 99, 101, 114, 116, 46, 99, 111, 109, 48, 73, 6, 8, 43, 6, 1, 5, 5, 7, 48, 2, 134, 61, 104, 116, 116, 112, 58, 47, 47, 99, 97, 99, 101, 114, 116, 115, 46, 100, 105, 103, 105, 99, 101, 114, 116, 46, 99, 111, 109, 47, 68, 105, 103, 105, 67, 101, 114, 116, 84, 76, 83, 82, 83, 65, 83, 72, 65, 50, 53, 54, 50, 48, 50, 48, 67, 65, 49, 45, 49, 46, 99, 114, 116, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 130, 1, 125, 6, 10, 43, 6, 1, 4, 1, 214, 121, 2, 4, 2, 4, 130, 1, 109, 4, 130, 1, 105, 1, 103, 0, 118, 0, 78, 117, 163, 39, 92, 154, 16, 195, 56, 91, 108, 212, 223, 63, 82, 235, 29, 240, 224, 142, 27, 141, 105, 192, 177, 250, 100, 177, 98, 154, 57, 223, 0, 0, 1, 142, 241, 217, 223, 134, 0, 0, 4, 3, 0, 71, 48, 69, 2, 33, 0, 182, 60, 198, 96, 136, 128, 205, 139, 42, 82, 117, 248, 90, 158, 186, 210, 179, 163, 225, 68, 48, 33, 54, 42, 66, 129, 205, 220, 227, 47, 241, 24, 2, 32, 47, 50, 19, 81, 103, 101, 88, 38, 67, 79, 20, 225, 232, 59, 123, 77, 100, 243, 60, 99, 22, 213, 169, 109, 122, 35, 153, 88, 59, 40, 193, 180, 0, 118, 0, 125, 89, 30, 18, 225, 120, 42, 123, 28, 97, 103, 124, 94, 253, 248, 208, 135, 92, 20, 160, 78, 149, 158, 185, 3, 47, 217, 14, 140, 46, 121, 184, 0, 0, 1, 142, 241, 217, 223, 135, 0, 0, 4, 3, 0, 71, 48, 69, 2, 33, 0, 236, 206, 233, 76, 152, 193, 240, 13, 15, 141, 73, 58, 88, 53, 123, 217, 228, 185, 26, 35, 9, 53, 191, 231, 1, 223, 99, 28, 200, 188, 2, 47, 2, 32, 39, 67, 173, 42, 123, 38, 247, 178, 220, 3, 89, 37, 218, 105, 45, 249, 17, 111, 222, 84, 173, 197, 17, 26, 177, 217, 193, 163, 221, 229, 129, 134, 0, 117, 0, 230, 210, 49, 99, 64, 119, 140, 193, 16, 65, 6, 215, 113, 185, 206, 193, 210, 64, 246, 150, 132, 134, 251, 186, 135, 50, 29, 253, 30, 55, 142, 80, 0, 0, 1, 142, 241, 217, 223, 156, 0, 0, 4, 3, 0, 70, 48, 68, 2, 32, 63, 238, 16, 71, 200, 160, 240, 218, 87, 96, 100, 137, 184, 151, 189, 202, 191, 140, 193, 138, 110, 83, 166, 225, 152, 192, 33, 228, 72, 60, 146, 9, 2, 32, 20, 216, 203, 133, 251, 181, 154, 237, 126, 11, 120, 77, 219, 28, 73, 93, 254, 23, 141, 52, 195, 145, 216, 145, 16, 187, 133, 16, 140, 184, 135, 183, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 11, 5, 0, 3, 130, 1, 1, 0, 98, 147, 27, 116, 164, 135, 78, 19, 1, 11, 53, 227, 221, 49, 154, 147, 19, 174, 118, 228, 188, 90, 81, 60, 70, 72, 54, 95, 222, 204, 55, 191, 171, 254, 126, 228, 34, 208, 165, 74, 135, 252, 133, 131, 205, 71, 216, 124, 81, 208, 146, 28, 219, 168, 108, 81, 76, 30, 114, 121, 71, 134, 116, 156, 58, 85, 38, 176, 202, 33, 124, 189, 155, 252, 217, 111, 116, 7, 83, 186, 149, 7, 7, 127, 39, 167, 50, 69, 97, 162, 65, 90, 234, 59, 114, 92, 19, 87, 118, 143, 216, 97, 192, 226, 95, 230, 244, 208, 237, 199, 7, 3, 99, 108, 69, 214, 95, 36, 69, 116, 75, 195, 254, 18, 207, 11, 34, 253, 237, 248, 127, 152, 29, 58, 131, 49, 178, 141, 72, 111, 11, 151, 30, 3, 56, 6, 6, 156, 45, 103, 3, 25, 210, 95, 235, 109, 29, 45, 59, 21, 36, 81, 146, 160, 165, 185, 201, 100, 150, 126, 160, 230, 126, 128, 222, 243, 49, 119, 188, 163, 162, 98, 153, 174, 185, 234, 44, 226, 102, 184, 207, 2, 193, 66, 77, 199, 39, 219, 64, 44, 145, 6, 207, 52, 237, 50, 200, 55, 253, 21, 208, 124, 150, 3, 136, 196, 70, 121, 86, 75, 41, 76, 71, 193, 94, 73, 151, 255, 164, 127, 129, 242, 35, 125, 80, 24, 21, 121, 184, 18, 224, 212, 70, 58, 206, 122, 34, 250, 119, 203, 84, 55, 11, 9, 221, 103}, {48, 130, 4, 190, 48, 130, 3, 166, 160, 3, 2, 1, 2, 2, 16, 6, 216, 217, 4, 213, 88, 67, 70, 246, 138, 47, 167, 84, 34, 126, 196, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 11, 5, 0, 48, 97, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 21, 48, 19, 6, 3, 85, 4, 10, 19, 12, 68, 105, 103, 105, 67, 101, 114, 116, 32, 73, 110, 99, 49, 25, 48, 23, 6, 3, 85, 4, 11, 19, 16, 119, 119, 119, 46, 100, 105, 103, 105, 99, 101, 114, 116, 46, 99, 111, 109, 49, 32, 48, 30, 6, 3, 85, 4, 3, 19, 23, 68, 105, 103, 105, 67, 101, 114, 116, 32, 71, 108, 111, 98, 97, 108, 32, 82, 111, 111, 116, 32, 67, 65, 48, 30, 23, 13, 50, 49, 48, 52, 49, 52, 48, 48, 48, 48, 48, 48, 90, 23, 13, 51, 49, 48, 52, 49, 51, 50, 51, 53, 57, 53, 57, 90, 48, 79, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 21, 48, 19, 6, 3, 85, 4, 10, 19, 12, 68, 105, 103, 105, 67, 101, 114, 116, 32, 73, 110, 99, 49, 41, 48, 39, 6, 3, 85, 4, 3, 19, 32, 68, 105, 103, 105, 67, 101, 114, 116, 32, 84, 76, 83, 32, 82, 83, 65, 32, 83, 72, 65, 50, 53, 54, 32, 50, 48, 50, 48, 32, 67, 65, 49, 48, 130, 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 130, 1, 10, 2, 130, 1, 1, 0, 193, 75, 179, 101, 71, 112, 188, 221, 79, 88, 219, 236, 156, 237, 195, 102, 229, 31, 49, 19, 84, 173, 74, 102, 70, 31, 44, 10, 236, 100, 7, 229, 46, 220, 220, 185, 10, 32, 237, 223, 227, 196, 208, 158, 154, 169, 122, 29, 130, 136, 229, 17, 86, 219, 30, 159, 88, 194, 81, 231, 44, 52, 13, 46, 210, 146, 225, 86, 203, 241, 121, 95, 179, 187, 135, 202, 37, 3, 123, 154, 82, 65, 102, 16, 96, 79, 87, 19, 73, 240, 232, 55, 103, 131, 223, 231, 211, 75, 103, 76, 34, 81, 166, 223, 14, 153, 16, 237, 87, 81, 116, 38, 226, 125, 199, 202, 98, 46, 19, 27, 127, 35, 136, 37, 83, 111, 193, 52, 88, 0, 139, 132, 255, 248, 190, 167, 88, 73, 34, 123, 150, 173, 162, 136, 155, 21, 188, 160, 124, 223, 233, 81, 168, 213, 176, 237, 55, 226, 54, 180, 130, 75, 98, 181, 73, 154, 236, 199, 103, 214, 227, 62, 245, 227, 214, 18, 94, 68, 241, 191, 113, 66, 125, 88, 132, 3, 128, 177, 129, 1, 250, 249, 202, 50, 187, 180, 142, 39, 135, 39, 197, 43, 116, 212, 168, 214, 151, 222, 195, 100, 249, 202, 206, 83, 162, 86, 188, 120, 23, 142, 73, 3, 41, 174, 251, 73, 79, 164, 21, 185, 206, 242, 92, 25, 87, 109, 107, 121, 167, 43, 162, 39, 32, 19, 181, 208, 61, 64, 211, 33, 48, 7, 147, 234, 153, 245, 2, 3, 1, 0, 1, 163, 130, 1, 130, 48, 130, 1, 126, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 0, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 183, 107, 162, 234, 168, 170, 132, 140, 121, 234, 180, 218, 15, 152, 178, 197, 149, 118, 185, 244, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 3, 222, 80, 53, 86, 209, 76, 187, 102, 240, 163, 226, 27, 27, 195, 151, 178, 61, 209, 85, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 29, 6, 3, 85, 29, 37, 4, 22, 48, 20, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 6, 8, 43, 6, 1, 5, 5, 7, 3, 2, 48, 118, 6, 8, 43, 6, 1, 5, 5, 7, 1, 1, 4, 106, 48, 104, 48, 36, 6, 8, 43, 6, 1, 5, 5, 7, 48, 1, 134, 24, 104, 116, 116, 112, 58, 47, 47, 111, 99, 115, 112, 46, 100, 105, 103, 105, 99, 101, 114, 116, 46, 99, 111, 109, 48, 64, 6, 8, 43, 6, 1, 5, 5, 7, 48, 2, 134, 52, 104, 116, 116, 112, 58, 47, 47, 99, 97, 99, 101, 114, 116, 115, 46, 100, 105, 103, 105, 99, 101, 114, 116, 46, 99, 111, 109, 47, 68, 105, 103, 105, 67, 101, 114, 116, 71, 108, 111, 98, 97, 108, 82, 111, 111, 116, 67, 65, 46, 99, 114, 116, 48, 66, 6, 3, 85, 29, 31, 4, 59, 48, 57, 48, 55, 160, 53, 160, 51, 134, 49, 104, 116, 116, 112, 58, 47, 47, 99, 114, 108, 51, 46, 100, 105, 103, 105, 99, 101, 114, 116, 46, 99, 111, 109, 47, 68, 105, 103, 105, 67, 101, 114, 116, 71, 108, 111, 98, 97, 108, 82, 111, 111, 116, 67, 65, 46, 99, 114, 108, 48, 61, 6, 3, 85, 29, 32, 4, 54, 48, 52, 48, 11, 6, 9, 96, 134, 72, 1, 134, 253, 108, 2, 1, 48, 7, 6, 5, 103, 129, 12, 1, 1, 48, 8, 6, 6, 103, 129, 12, 1, 2, 1, 48, 8, 6, 6, 103, 129, 12, 1, 2, 2, 48, 8, 6, 6, 103, 129, 12, 1, 2, 3, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 11, 5, 0, 3, 130, 1, 1, 0, 128, 50, 206, 94, 11, 221, 110, 90, 13, 10, 175, 225, 214, 132, 203, 192, 142, 250, 133, 112, 237, 218, 93, 179, 12, 247, 43, 117, 64, 254, 133, 10, 250, 243, 49, 120, 183, 112, 75, 26, 137, 88, 186, 128, 189, 243, 107, 29, 233, 126, 207, 11, 186, 88, 156, 89, 212, 144, 211, 253, 108, 253, 208, 152, 109, 183, 113, 130, 91, 207, 109, 11, 90, 9, 208, 123, 222, 196, 67, 216, 42, 164, 222, 158, 65, 38, 95, 187, 143, 153, 203, 221, 174, 225, 168, 111, 159, 135, 254, 116, 183, 31, 27, 32, 171, 177, 79, 198, 245, 103, 93, 93, 155, 60, 233, 255, 105, 247, 97, 108, 214, 217, 243, 253, 54, 198, 171, 3, 136, 118, 210, 75, 46, 117, 134, 227, 252, 216, 85, 125, 38, 194, 17, 119, 223, 62, 2, 182, 124, 243, 171, 123, 122, 134, 54, 111, 184, 247, 216, 147, 113, 207, 134, 223, 115, 48, 250, 123, 171, 237, 42, 89, 200, 66, 132, 59, 17, 23, 26, 82, 243, 201, 14, 20, 125, 162, 91, 114, 103, 186, 113, 237, 87, 71, 102, 197, 184, 2, 74, 101, 52, 94, 139, 208, 42, 60, 32, 156, 81, 153, 76, 231, 82, 158, 247, 107, 17, 43, 13, 146, 126, 29, 232, 138, 235, 54, 22, 67, 135, 234, 42, 99, 191, 117, 63, 235, 222, 196, 3, 187, 10, 60, 247, 48, 239, 235, 175, 76, 252, 139, 54, 16, 115, 62, 243, 164}} + + var tests = []struct { + name string + givenRawCerts [][]byte + givenRoots *x509.CertPool + givenVerifyHost string + assert func(t *testing.T, err error) + }{ + { + name: "should return no certificates present when not providing rawCerts", + givenRawCerts: make([][]byte, 0), + assert: func(t *testing.T, err error) { + if assert.Error(t, err) { + assert.ErrorContains(t, err, "no certificates presented") + } + }, + }, + { + name: "should return an error when providing invalid first rawCert", + givenRawCerts: [][]byte{{}}, + assert: func(t *testing.T, err error) { + if assert.Error(t, err) { + assert.ErrorContains(t, err, "unable to parse certificate") + } + }, + }, + { + name: "should return an error when unable to load intermediate certificates", + givenRawCerts: [][]byte{rawCerts[0], {}}, + assert: func(t *testing.T, err error) { + if assert.Error(t, err) { + assert.ErrorContains(t, err, "unable to parse intermediate certificate") + } + }, + }, + { + name: "should return an error when failing to verify the certificate for the given verifyHost", + givenRawCerts: rawCerts, + givenRoots: trustedCACerts(t), + givenVerifyHost: "cloudfront.net", + assert: func(t *testing.T, err error) { + if assert.Error(t, err) { + assert.ErrorContains(t, err, "certificate verification failed") + } + }, + }, + { + name: "should succeed when providing valid rawCerts, roots, domain and sni", + givenRawCerts: rawCerts, + givenRoots: trustedCACerts(t), + givenVerifyHost: "potato.akamaihd.net", + assert: func(t *testing.T, err error) { + assert.NoError(t, err) + }, + }, + { + name: "should succeed when providing valid rawCerts, roots even without verifying the host", + givenRawCerts: rawCerts, + givenRoots: trustedCACerts(t), + givenVerifyHost: "", + assert: func(t *testing.T, err error) { + assert.NoError(t, err) + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := verifyPeerCertificate(tt.givenRawCerts, tt.givenRoots, tt.givenVerifyHost) + tt.assert(t, err) + }) + } +} diff --git a/masquerade.go b/masquerade.go index 914495a..b57a6fb 100644 --- a/masquerade.go +++ b/masquerade.go @@ -38,6 +38,10 @@ type Masquerade struct { // SNI: the SNI to use for this masquerade SNI string + + // VerifyHostname is used for checking if the certificate for a given hostname is valid. + // This is used for verifying if the peer certificate for the hostnames that are being fronted are valid. + VerifyHostname *string } type masquerade struct { @@ -103,6 +107,10 @@ type Provider struct { // detects a failure for a given masquerade, it is discarded. // The default validator is used if nil. Validator ResponseValidator + + // VerifyHostname is used for checking if the certificate for a given hostname is valid. + // This attribute is only being defined here so it can be sent to the masquerade struct later. + VerifyHostname *string } type SNIConfig struct { @@ -111,7 +119,7 @@ type SNIConfig struct { } // Create a Provider with the given details -func NewProvider(hosts map[string]string, testURL string, masquerades []*Masquerade, validator ResponseValidator, passthrough []string, sniConfig *SNIConfig) *Provider { +func NewProvider(hosts map[string]string, testURL string, masquerades []*Masquerade, validator ResponseValidator, passthrough []string, sniConfig *SNIConfig, verifyHostname *string) *Provider { d := &Provider{ HostAliases: make(map[string]string), TestURL: testURL, @@ -126,7 +134,7 @@ func NewProvider(hosts map[string]string, testURL string, masquerades []*Masquer for _, m := range masquerades { sni := generateSNI(d.SNIConfig, m) - d.Masquerades = append(d.Masquerades, &Masquerade{Domain: m.Domain, IpAddress: m.IpAddress, SNI: sni}) + d.Masquerades = append(d.Masquerades, &Masquerade{Domain: m.Domain, IpAddress: m.IpAddress, SNI: sni, VerifyHostname: verifyHostname}) } d.PassthroughPatterns = append(d.PassthroughPatterns, passthrough...) return d diff --git a/masquerade_test.go b/masquerade_test.go index 29a9475..669dd49 100644 --- a/masquerade_test.go +++ b/masquerade_test.go @@ -1,11 +1,72 @@ package fronted import ( + "net/http" "testing" "github.com/stretchr/testify/assert" ) +func TestNewProvider(t *testing.T) { + verifyHostname := "verifyHostname.com" + var tests = []struct { + name string + givenHosts map[string]string + givenTestURL string + givenMasquerades []*Masquerade + givenValidator ResponseValidator + givenPassthrough []string + givenSNIConfig *SNIConfig + givenVerifyHostname *string + assert func(t *testing.T, actual *Provider) + }{ + { + name: "should return a new provider without host aliases, masquerades and passthrough", + givenHosts: map[string]string{}, + givenTestURL: "http://test.com", + assert: func(t *testing.T, actual *Provider) { + assert.Empty(t, actual.HostAliases) + assert.Empty(t, actual.Masquerades) + assert.Empty(t, actual.PassthroughPatterns) + assert.Equal(t, "http://test.com", actual.TestURL) + assert.Nil(t, actual.Validator) + assert.Nil(t, actual.SNIConfig) + }, + }, + { + name: "should return a new provider with host aliases, masquerades and passthrough", + givenHosts: map[string]string{"host1": "alias1", "host2": "alias2"}, + givenTestURL: "http://test.com", + givenMasquerades: []*Masquerade{{Domain: "domain1", IpAddress: "127.0.0.1"}}, + givenValidator: func(*http.Response) error { return nil }, + givenPassthrough: []string{"passthrough1", "passthrough2"}, + givenSNIConfig: &SNIConfig{ + UseArbitrarySNIs: true, + ArbitrarySNIs: []string{"sni1.com", "sni2.com"}, + }, + givenVerifyHostname: &verifyHostname, + assert: func(t *testing.T, actual *Provider) { + assert.Equal(t, "http://test.com", actual.TestURL) + assert.Equal(t, "alias1", actual.HostAliases["host1"]) + assert.Equal(t, "alias2", actual.HostAliases["host2"]) + assert.Equal(t, 1, len(actual.Masquerades)) + assert.Equal(t, "domain1", actual.Masquerades[0].Domain) + assert.Equal(t, "127.0.0.1", actual.Masquerades[0].IpAddress) + assert.Equal(t, "sni1.com", actual.Masquerades[0].SNI) + assert.Equal(t, verifyHostname, *actual.Masquerades[0].VerifyHostname) + assert.Equal(t, 2, len(actual.PassthroughPatterns)) + }, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + actual := NewProvider(tt.givenHosts, tt.givenTestURL, tt.givenMasquerades, tt.givenValidator, tt.givenPassthrough, tt.givenSNIConfig, tt.givenVerifyHostname) + tt.assert(t, actual) + }) + } +} + func TestGenerateSNI(t *testing.T) { emptyMasquerade := new(Masquerade) var tests = []struct { diff --git a/test_support.go b/test_support.go index 7726ed5..54da8a7 100644 --- a/test_support.go +++ b/test_support.go @@ -47,17 +47,17 @@ func trustedCACerts(t *testing.T) *x509.CertPool { func testProviders() map[string]*Provider { return map[string]*Provider{ - testProviderID: NewProvider(testHosts, pingTestURL, testMasquerades, nil, nil, nil), + testProviderID: NewProvider(testHosts, pingTestURL, testMasquerades, nil, nil, nil, nil), } } func testProvidersWithHosts(hosts map[string]string) map[string]*Provider { return map[string]*Provider{ - testProviderID: NewProvider(hosts, pingTestURL, testMasquerades, nil, nil, nil), + testProviderID: NewProvider(hosts, pingTestURL, testMasquerades, nil, nil, nil, nil), } } func testAkamaiProvidersWithHosts(hosts map[string]string, sniConfig *SNIConfig) map[string]*Provider { return map[string]*Provider{ - testProviderID: NewProvider(hosts, pingTestURL, DefaultAkamaiMasquerades, nil, nil, sniConfig), + testProviderID: NewProvider(hosts, pingTestURL, DefaultAkamaiMasquerades, nil, nil, sniConfig, nil), } }