mirror of
https://github.com/caddyserver/caddy.git
synced 2024-11-25 17:56:34 +08:00
09188981c4
* tls: Add support for the tls-alpn-01 challenge Also updates lego/acme to latest on master. TODO: This implementation of the tls-alpn challenge is not yet solvable in a distributed Caddy cluster like the http challenge is. * build: Allow building with the race detector * tls: Support distributed solving of the TLS-ALPN-01 challenge * Update vendor and add a todo in MITM checker
781 lines
26 KiB
Go
781 lines
26 KiB
Go
// Copyright 2015 Light Code Labs, LLC
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package httpserver
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/tls"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
"sync"
|
|
|
|
"github.com/mholt/caddy/caddytls"
|
|
"github.com/mholt/caddy/telemetry"
|
|
)
|
|
|
|
// tlsHandler is a http.Handler that will inject a value
|
|
// into the request context indicating if the TLS
|
|
// connection is likely being intercepted.
|
|
type tlsHandler struct {
|
|
next http.Handler
|
|
listener *tlsHelloListener
|
|
closeOnMITM bool // whether to close connection on MITM; TODO: expose through new directive
|
|
}
|
|
|
|
// ServeHTTP checks the User-Agent. For the four main browsers (Chrome,
|
|
// Edge, Firefox, and Safari) indicated by the User-Agent, the properties
|
|
// of the TLS Client Hello will be compared. The context value "mitm" will
|
|
// be set to a value indicating if it is likely that the underlying TLS
|
|
// connection is being intercepted.
|
|
//
|
|
// Note that due to Microsoft's decision to intentionally make IE/Edge
|
|
// user agents obscure (and look like other browsers), this may offer
|
|
// less accuracy for IE/Edge clients.
|
|
//
|
|
// This MITM detection capability is based on research done by Durumeric,
|
|
// Halderman, et. al. in "The Security Impact of HTTPS Interception" (NDSS '17):
|
|
// https://jhalderm.com/pub/papers/interception-ndss17.pdf
|
|
func (h *tlsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
// TODO: one request per connection, we should report UA in connection with
|
|
// handshake (reported in caddytls package) and our MITM assessment
|
|
|
|
if h.listener == nil {
|
|
h.next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
h.listener.helloInfosMu.RLock()
|
|
info := h.listener.helloInfos[r.RemoteAddr]
|
|
h.listener.helloInfosMu.RUnlock()
|
|
|
|
ua := r.Header.Get("User-Agent")
|
|
uaHash := telemetry.FastHash([]byte(ua))
|
|
|
|
// report this request's UA in connection with this ClientHello
|
|
go telemetry.AppendUnique("tls_client_hello_ua:"+caddytls.ClientHelloInfo(info).Key(), uaHash)
|
|
|
|
var checked, mitm bool
|
|
if r.Header.Get("X-BlueCoat-Via") != "" || // Blue Coat (masks User-Agent header to generic values)
|
|
r.Header.Get("X-FCCKV2") != "" || // Fortinet
|
|
info.advertisesHeartbeatSupport() { // no major browsers have ever implemented Heartbeat
|
|
// TODO: Move the heartbeat check into each "looksLike" function...
|
|
checked = true
|
|
mitm = true
|
|
} else if strings.Contains(ua, "Edge") || strings.Contains(ua, "MSIE") ||
|
|
strings.Contains(ua, "Trident") {
|
|
checked = true
|
|
mitm = !info.looksLikeEdge()
|
|
} else if strings.Contains(ua, "Chrome") {
|
|
checked = true
|
|
mitm = !info.looksLikeChrome()
|
|
} else if strings.Contains(ua, "CriOS") {
|
|
// Chrome on iOS sometimes uses iOS-provided TLS stack (which looks exactly like Safari)
|
|
// but for connections that don't render a web page (favicon, etc.) it uses its own...
|
|
checked = true
|
|
mitm = !info.looksLikeChrome() && !info.looksLikeSafari()
|
|
} else if strings.Contains(ua, "Firefox") {
|
|
checked = true
|
|
if strings.Contains(ua, "Windows") {
|
|
ver := getVersion(ua, "Firefox")
|
|
if ver == 45.0 || ver == 52.0 {
|
|
mitm = !info.looksLikeTor()
|
|
} else {
|
|
mitm = !info.looksLikeFirefox()
|
|
}
|
|
} else {
|
|
mitm = !info.looksLikeFirefox()
|
|
}
|
|
} else if strings.Contains(ua, "Safari") {
|
|
checked = true
|
|
mitm = !info.looksLikeSafari()
|
|
}
|
|
|
|
if checked {
|
|
r = r.WithContext(context.WithValue(r.Context(), MitmCtxKey, mitm))
|
|
if mitm {
|
|
go telemetry.AppendUnique("http_mitm", "likely")
|
|
} else {
|
|
go telemetry.AppendUnique("http_mitm", "unlikely")
|
|
}
|
|
} else {
|
|
go telemetry.AppendUnique("http_mitm", "unknown")
|
|
}
|
|
|
|
if mitm && h.closeOnMITM {
|
|
// TODO: This termination might need to happen later in the middleware
|
|
// chain in order to be picked up by the log directive, in case the site
|
|
// owner still wants to log this event. It'll probably require a new
|
|
// directive. If this feature is useful, we can finish implementing this.
|
|
r.Close = true
|
|
return
|
|
}
|
|
|
|
h.next.ServeHTTP(w, r)
|
|
}
|
|
|
|
// getVersion returns a (possibly simplified) representation of the version string
|
|
// from a UserAgent string. It returns a float, so it can represent major and minor
|
|
// versions; the rest of the version is just tacked on behind the decimal point.
|
|
// The purpose of this is to stay simple while allowing for basic, fast comparisons.
|
|
// If the version for softwareName is not found in ua, -1 is returned.
|
|
func getVersion(ua, softwareName string) float64 {
|
|
search := softwareName + "/"
|
|
start := strings.Index(ua, search)
|
|
if start < 0 {
|
|
return -1
|
|
}
|
|
start += len(search)
|
|
end := strings.Index(ua[start:], " ")
|
|
if end < 0 {
|
|
end = len(ua)
|
|
} else {
|
|
end += start
|
|
}
|
|
strVer := strings.Replace(ua[start:end], "-", "", -1)
|
|
firstDot := strings.Index(strVer, ".")
|
|
if firstDot >= 0 {
|
|
strVer = strVer[:firstDot+1] + strings.Replace(strVer[firstDot+1:], ".", "", -1)
|
|
}
|
|
ver, err := strconv.ParseFloat(strVer, 64)
|
|
if err != nil {
|
|
return -1
|
|
}
|
|
return ver
|
|
}
|
|
|
|
// clientHelloConn reads the ClientHello
|
|
// and stores it in the attached listener.
|
|
type clientHelloConn struct {
|
|
net.Conn
|
|
listener *tlsHelloListener
|
|
readHello bool // whether ClientHello has been read
|
|
buf *bytes.Buffer
|
|
}
|
|
|
|
// Read reads from c.Conn (by letting the standard library
|
|
// do the reading off the wire), with the exception of
|
|
// getting a copy of the ClientHello so it can parse it.
|
|
func (c *clientHelloConn) Read(b []byte) (n int, err error) {
|
|
// if we've already read the ClientHello, pass thru
|
|
if c.readHello {
|
|
return c.Conn.Read(b)
|
|
}
|
|
|
|
// we let the standard lib read off the wire for us, and
|
|
// tee that into our buffer so we can read the ClientHello
|
|
tee := io.TeeReader(c.Conn, c.buf)
|
|
n, err = tee.Read(b)
|
|
if err != nil {
|
|
return
|
|
}
|
|
if c.buf.Len() < 5 {
|
|
return // need to read more bytes for header
|
|
}
|
|
|
|
// read the header bytes
|
|
hdr := make([]byte, 5)
|
|
_, err = io.ReadFull(c.buf, hdr)
|
|
if err != nil {
|
|
return // this would be highly unusual and sad
|
|
}
|
|
|
|
// get length of the ClientHello message and read it
|
|
length := int(uint16(hdr[3])<<8 | uint16(hdr[4]))
|
|
if c.buf.Len() < length {
|
|
return // need to read more bytes
|
|
}
|
|
hello := make([]byte, length)
|
|
_, err = io.ReadFull(c.buf, hello)
|
|
if err != nil {
|
|
return
|
|
}
|
|
bufpool.Put(c.buf) // buffer no longer needed
|
|
|
|
// parse the ClientHello and store it in the map
|
|
rawParsed := parseRawClientHello(hello)
|
|
c.listener.helloInfosMu.Lock()
|
|
c.listener.helloInfos[c.Conn.RemoteAddr().String()] = rawParsed
|
|
c.listener.helloInfosMu.Unlock()
|
|
|
|
// report this ClientHello to telemetry
|
|
chKey := caddytls.ClientHelloInfo(rawParsed).Key()
|
|
go telemetry.SetNested("tls_client_hello", chKey, rawParsed)
|
|
go telemetry.AppendUnique("tls_client_hello_count", chKey)
|
|
|
|
c.readHello = true
|
|
return
|
|
}
|
|
|
|
// parseRawClientHello parses data which contains the raw
|
|
// TLS Client Hello message. It extracts relevant information
|
|
// into info. Any error reading the Client Hello (such as
|
|
// insufficient length or invalid length values) results in
|
|
// a silent error and an incomplete info struct, since there
|
|
// is no good way to handle an error like this during Accept().
|
|
// The data is expected to contain the whole ClientHello and
|
|
// ONLY the ClientHello.
|
|
//
|
|
// The majority of this code is borrowed from the Go standard
|
|
// library, which is (c) The Go Authors. It has been modified
|
|
// to fit this use case.
|
|
func parseRawClientHello(data []byte) (info rawHelloInfo) {
|
|
if len(data) < 42 {
|
|
return
|
|
}
|
|
info.Version = uint16(data[4])<<8 | uint16(data[5])
|
|
sessionIDLen := int(data[38])
|
|
if sessionIDLen > 32 || len(data) < 39+sessionIDLen {
|
|
return
|
|
}
|
|
data = data[39+sessionIDLen:]
|
|
if len(data) < 2 {
|
|
return
|
|
}
|
|
// cipherSuiteLen is the number of bytes of cipher suite numbers. Since
|
|
// they are uint16s, the number must be even.
|
|
cipherSuiteLen := int(data[0])<<8 | int(data[1])
|
|
if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen {
|
|
return
|
|
}
|
|
numCipherSuites := cipherSuiteLen / 2
|
|
// read in the cipher suites
|
|
info.CipherSuites = make([]uint16, numCipherSuites)
|
|
for i := 0; i < numCipherSuites; i++ {
|
|
info.CipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i])
|
|
}
|
|
data = data[2+cipherSuiteLen:]
|
|
if len(data) < 1 {
|
|
return
|
|
}
|
|
// read in the compression methods
|
|
compressionMethodsLen := int(data[0])
|
|
if len(data) < 1+compressionMethodsLen {
|
|
return
|
|
}
|
|
info.CompressionMethods = data[1 : 1+compressionMethodsLen]
|
|
|
|
data = data[1+compressionMethodsLen:]
|
|
|
|
// ClientHello is optionally followed by extension data
|
|
if len(data) < 2 {
|
|
return
|
|
}
|
|
extensionsLength := int(data[0])<<8 | int(data[1])
|
|
data = data[2:]
|
|
if extensionsLength != len(data) {
|
|
return
|
|
}
|
|
|
|
// read in each extension, and extract any relevant information
|
|
// from extensions we care about
|
|
for len(data) != 0 {
|
|
if len(data) < 4 {
|
|
return
|
|
}
|
|
extension := uint16(data[0])<<8 | uint16(data[1])
|
|
length := int(data[2])<<8 | int(data[3])
|
|
data = data[4:]
|
|
if len(data) < length {
|
|
return
|
|
}
|
|
|
|
// record that the client advertised support for this extension
|
|
info.Extensions = append(info.Extensions, extension)
|
|
|
|
switch extension {
|
|
case extensionSupportedCurves:
|
|
// http://tools.ietf.org/html/rfc4492#section-5.5.1
|
|
if length < 2 {
|
|
return
|
|
}
|
|
l := int(data[0])<<8 | int(data[1])
|
|
if l%2 == 1 || length != l+2 {
|
|
return
|
|
}
|
|
numCurves := l / 2
|
|
info.Curves = make([]tls.CurveID, numCurves)
|
|
d := data[2:]
|
|
for i := 0; i < numCurves; i++ {
|
|
info.Curves[i] = tls.CurveID(d[0])<<8 | tls.CurveID(d[1])
|
|
d = d[2:]
|
|
}
|
|
case extensionSupportedPoints:
|
|
// http://tools.ietf.org/html/rfc4492#section-5.5.2
|
|
if length < 1 {
|
|
return
|
|
}
|
|
l := int(data[0])
|
|
if length != l+1 {
|
|
return
|
|
}
|
|
info.Points = make([]uint8, l)
|
|
copy(info.Points, data[1:])
|
|
}
|
|
|
|
data = data[length:]
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
// newTLSListener returns a new tlsHelloListener that wraps ln.
|
|
func newTLSListener(ln net.Listener, config *tls.Config) *tlsHelloListener {
|
|
return &tlsHelloListener{
|
|
Listener: ln,
|
|
config: config,
|
|
helloInfos: make(map[string]rawHelloInfo),
|
|
}
|
|
}
|
|
|
|
// tlsHelloListener is a TLS listener that is specially designed
|
|
// to read the ClientHello manually so we can extract necessary
|
|
// information from it. Each ClientHello message is mapped by
|
|
// the remote address of the client, which must be removed when
|
|
// the connection is closed (use ConnState).
|
|
type tlsHelloListener struct {
|
|
net.Listener
|
|
config *tls.Config
|
|
helloInfos map[string]rawHelloInfo
|
|
helloInfosMu sync.RWMutex
|
|
}
|
|
|
|
// Accept waits for and returns the next connection to the listener.
|
|
// After it accepts the underlying connection, it reads the
|
|
// ClientHello message and stores the parsed data into a map on l.
|
|
func (l *tlsHelloListener) Accept() (net.Conn, error) {
|
|
conn, err := l.Listener.Accept()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
buf := bufpool.Get().(*bytes.Buffer)
|
|
buf.Reset()
|
|
helloConn := &clientHelloConn{Conn: conn, listener: l, buf: buf}
|
|
return tls.Server(helloConn, l.config), nil
|
|
}
|
|
|
|
// rawHelloInfo contains the "raw" data parsed from the TLS
|
|
// Client Hello. No interpretation is done on the raw data.
|
|
//
|
|
// The methods on this type implement heuristics described
|
|
// by Durumeric, Halderman, et. al. in
|
|
// "The Security Impact of HTTPS Interception":
|
|
// https://jhalderm.com/pub/papers/interception-ndss17.pdf
|
|
type rawHelloInfo caddytls.ClientHelloInfo
|
|
|
|
// advertisesHeartbeatSupport returns true if info indicates
|
|
// that the client supports the Heartbeat extension.
|
|
func (info rawHelloInfo) advertisesHeartbeatSupport() bool {
|
|
for _, ext := range info.Extensions {
|
|
if ext == extensionHeartbeat {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// looksLikeFirefox returns true if info looks like a handshake
|
|
// from a modern version of Firefox.
|
|
func (info rawHelloInfo) looksLikeFirefox() bool {
|
|
// "To determine whether a Firefox session has been
|
|
// intercepted, we check for the presence and order
|
|
// of extensions, cipher suites, elliptic curves,
|
|
// EC point formats, and handshake compression methods." (early 2016)
|
|
|
|
// We check for the presence and order of the extensions.
|
|
// Note: Sometimes 0x15 (21, padding) is present, sometimes not.
|
|
// Note: Firefox 51+ does not advertise 0x3374 (13172, NPN).
|
|
// Note: Firefox doesn't advertise 0x0 (0, SNI) when connecting to IP addresses.
|
|
// Note: Firefox 55+ doesn't appear to advertise 0xFF03 (65283, short headers). It used to be between 5 and 13.
|
|
// Note: Firefox on Fedora (or RedHat) doesn't include ECC suites because of patent liability.
|
|
requiredExtensionsOrder := []uint16{23, 65281, 10, 11, 35, 16, 5, 13}
|
|
if !assertPresenceAndOrdering(requiredExtensionsOrder, info.Extensions, true) {
|
|
return false
|
|
}
|
|
|
|
// We check for both presence of curves and their ordering.
|
|
requiredCurves := []tls.CurveID{29, 23, 24, 25}
|
|
if len(info.Curves) < len(requiredCurves) {
|
|
return false
|
|
}
|
|
for i := range requiredCurves {
|
|
if info.Curves[i] != requiredCurves[i] {
|
|
return false
|
|
}
|
|
}
|
|
if len(info.Curves) > len(requiredCurves) {
|
|
// newer Firefox (55 Nightly?) may have additional curves at end of list
|
|
allowedCurves := []tls.CurveID{256, 257}
|
|
for i := range allowedCurves {
|
|
if info.Curves[len(requiredCurves)+i] != allowedCurves[i] {
|
|
return false
|
|
}
|
|
}
|
|
}
|
|
|
|
if hasGreaseCiphers(info.CipherSuites) {
|
|
return false
|
|
}
|
|
|
|
// We check for order of cipher suites but not presence, since
|
|
// according to the paper, cipher suites may be not be added
|
|
// or reordered by the user, but they may be disabled.
|
|
expectedCipherSuiteOrder := []uint16{
|
|
TLS_AES_128_GCM_SHA256, // 0x1301
|
|
TLS_CHACHA20_POLY1305_SHA256, // 0x1303
|
|
TLS_AES_256_GCM_SHA384, // 0x1302
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, // 0xc02b
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // 0xc02f
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, // 0xcca9
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, // 0xcca8
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, // 0xc02c
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, // 0xc030
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, // 0xc00a
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, // 0xc009
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // 0xc013
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, // 0xc014
|
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, // 0x33
|
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, // 0x39
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA, // 0x2f
|
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA, // 0x35
|
|
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, // 0xa
|
|
}
|
|
return assertPresenceAndOrdering(expectedCipherSuiteOrder, info.CipherSuites, false)
|
|
}
|
|
|
|
// looksLikeChrome returns true if info looks like a handshake
|
|
// from a modern version of Chrome.
|
|
func (info rawHelloInfo) looksLikeChrome() bool {
|
|
// "We check for ciphers and extensions that Chrome is known
|
|
// to not support, but do not check for the inclusion of
|
|
// specific ciphers or extensions, nor do we validate their
|
|
// order. When appropriate, we check the presence and order
|
|
// of elliptic curves, compression methods, and EC point formats." (early 2016)
|
|
|
|
// Not in Chrome 56, but present in Safari 10 (Feb. 2017):
|
|
// TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
|
|
// TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
|
|
// TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
|
|
// TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
|
|
// TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
|
|
// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
|
|
// TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
|
|
// TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
|
|
|
|
// Not in Chrome 56, but present in Firefox 51 (Feb. 2017):
|
|
// TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
|
|
// TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
|
|
// TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
|
|
// TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
|
|
|
|
// Selected ciphers present in Chrome mobile (Feb. 2017):
|
|
// 0xc00a, 0xc014, 0xc009, 0x9c, 0x9d, 0x2f, 0x35, 0xa
|
|
|
|
chromeCipherExclusions := map[uint16]struct{}{
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: {}, // 0xc024
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: {}, // 0xc023
|
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: {}, // 0xc028
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: {}, // 0xc027
|
|
TLS_RSA_WITH_AES_256_CBC_SHA256: {}, // 0x3d
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA256: {}, // 0x3c
|
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: {}, // 0x33
|
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: {}, // 0x39
|
|
}
|
|
for _, ext := range info.CipherSuites {
|
|
if _, ok := chromeCipherExclusions[ext]; ok {
|
|
return false
|
|
}
|
|
}
|
|
|
|
// Chrome does not include curve 25 (CurveP521) (as of Chrome 56, Feb. 2017).
|
|
for _, curve := range info.Curves {
|
|
if curve == 25 {
|
|
return false
|
|
}
|
|
}
|
|
|
|
if !hasGreaseCiphers(info.CipherSuites) {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// looksLikeEdge returns true if info looks like a handshake
|
|
// from a modern version of MS Edge.
|
|
func (info rawHelloInfo) looksLikeEdge() bool {
|
|
// "SChannel connections can by uniquely identified because SChannel
|
|
// is the only TLS library we tested that includes the OCSP status
|
|
// request extension before the supported groups and EC point formats
|
|
// extensions." (early 2016)
|
|
//
|
|
// More specifically, the OCSP status request extension appears
|
|
// *directly* before the other two extensions, which occur in that
|
|
// order. (I contacted the authors for clarification and verified it.)
|
|
for i, ext := range info.Extensions {
|
|
if ext == extensionOCSPStatusRequest {
|
|
if len(info.Extensions) <= i+2 {
|
|
return false
|
|
}
|
|
if info.Extensions[i+1] != extensionSupportedCurves ||
|
|
info.Extensions[i+2] != extensionSupportedPoints {
|
|
return false
|
|
}
|
|
}
|
|
}
|
|
|
|
for _, cs := range info.CipherSuites {
|
|
// As of Feb. 2017, Edge does not have 0xff, but Avast adds it
|
|
if cs == scsvRenegotiation {
|
|
return false
|
|
}
|
|
// Edge and modern IE do not have 0x4 or 0x5, but Blue Coat does
|
|
if cs == TLS_RSA_WITH_RC4_128_MD5 || cs == tls.TLS_RSA_WITH_RC4_128_SHA {
|
|
return false
|
|
}
|
|
}
|
|
|
|
if hasGreaseCiphers(info.CipherSuites) {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// looksLikeSafari returns true if info looks like a handshake
|
|
// from a modern version of MS Safari.
|
|
func (info rawHelloInfo) looksLikeSafari() bool {
|
|
// "One unique aspect of Secure Transport is that it includes
|
|
// the TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff) cipher first,
|
|
// whereas the other libraries we investigated include the
|
|
// cipher last. Similar to Microsoft, Apple has changed
|
|
// TLS behavior in minor OS updates, which are not indicated
|
|
// in the HTTP User-Agent header. We allow for any of the
|
|
// updates when validating handshakes, and we check for the
|
|
// presence and ordering of ciphers, extensions, elliptic
|
|
// curves, and compression methods." (early 2016)
|
|
|
|
// Note that any C lib (e.g. curl) compiled on macOS
|
|
// will probably use Secure Transport which will also
|
|
// share the TLS handshake characteristics of Safari.
|
|
|
|
// We check for the presence and order of the extensions.
|
|
requiredExtensionsOrder := []uint16{10, 11, 13, 13172, 16, 5, 18, 23}
|
|
if !assertPresenceAndOrdering(requiredExtensionsOrder, info.Extensions, true) {
|
|
// Safari on iOS 11 (beta) uses different set/ordering of extensions
|
|
requiredExtensionsOrderiOS11 := []uint16{65281, 0, 23, 13, 5, 13172, 18, 16, 11, 10}
|
|
if !assertPresenceAndOrdering(requiredExtensionsOrderiOS11, info.Extensions, true) {
|
|
return false
|
|
}
|
|
} else {
|
|
// For these versions of Safari, expect TLS_EMPTY_RENEGOTIATION_INFO_SCSV first.
|
|
if len(info.CipherSuites) < 1 {
|
|
return false
|
|
}
|
|
if info.CipherSuites[0] != scsvRenegotiation {
|
|
return false
|
|
}
|
|
}
|
|
|
|
if hasGreaseCiphers(info.CipherSuites) {
|
|
return false
|
|
}
|
|
|
|
// We check for order and presence of cipher suites
|
|
expectedCipherSuiteOrder := []uint16{
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, // 0xc02c
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, // 0xc02b
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, // 0xc024
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // 0xc023
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, // 0xc00a
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, // 0xc009
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, // 0xc030
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // 0xc02f
|
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, // 0xc028
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, // 0xc027
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, // 0xc014
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // 0xc013
|
|
tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // 0x9d
|
|
tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // 0x9c
|
|
TLS_RSA_WITH_AES_256_CBC_SHA256, // 0x3d
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA256, // 0x3c
|
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA, // 0x35
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA, // 0x2f
|
|
}
|
|
return assertPresenceAndOrdering(expectedCipherSuiteOrder, info.CipherSuites, true)
|
|
}
|
|
|
|
// looksLikeTor returns true if the info looks like a ClientHello from Tor browser
|
|
// (based on Firefox).
|
|
func (info rawHelloInfo) looksLikeTor() bool {
|
|
requiredExtensionsOrder := []uint16{10, 11, 16, 5, 13}
|
|
if !assertPresenceAndOrdering(requiredExtensionsOrder, info.Extensions, true) {
|
|
return false
|
|
}
|
|
|
|
// check for session tickets support; Tor doesn't support them to prevent tracking
|
|
for _, ext := range info.Extensions {
|
|
if ext == 35 {
|
|
return false
|
|
}
|
|
}
|
|
|
|
// We check for both presence of curves and their ordering, including
|
|
// an optional curve at the beginning (for Tor based on Firefox 52)
|
|
infoCurves := info.Curves
|
|
if len(info.Curves) == 4 {
|
|
if info.Curves[0] != 29 {
|
|
return false
|
|
}
|
|
infoCurves = info.Curves[1:]
|
|
}
|
|
requiredCurves := []tls.CurveID{23, 24, 25}
|
|
if len(infoCurves) < len(requiredCurves) {
|
|
return false
|
|
}
|
|
for i := range requiredCurves {
|
|
if infoCurves[i] != requiredCurves[i] {
|
|
return false
|
|
}
|
|
}
|
|
|
|
if hasGreaseCiphers(info.CipherSuites) {
|
|
return false
|
|
}
|
|
|
|
// We check for order of cipher suites but not presence, since
|
|
// according to the paper, cipher suites may be not be added
|
|
// or reordered by the user, but they may be disabled.
|
|
expectedCipherSuiteOrder := []uint16{
|
|
TLS_AES_128_GCM_SHA256, // 0x1301
|
|
TLS_CHACHA20_POLY1305_SHA256, // 0x1303
|
|
TLS_AES_256_GCM_SHA384, // 0x1302
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, // 0xc02b
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // 0xc02f
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, // 0xcca9
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, // 0xcca8
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, // 0xc02c
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, // 0xc030
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, // 0xc00a
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, // 0xc009
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // 0xc013
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, // 0xc014
|
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, // 0x33
|
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, // 0x39
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA, // 0x2f
|
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA, // 0x35
|
|
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, // 0xa
|
|
}
|
|
return assertPresenceAndOrdering(expectedCipherSuiteOrder, info.CipherSuites, false)
|
|
}
|
|
|
|
// assertPresenceAndOrdering will return true if candidateList contains
|
|
// the items in requiredItems in the same order as requiredItems.
|
|
//
|
|
// If requiredIsSubset is true, then all items in requiredItems must be
|
|
// present in candidateList. If requiredIsSubset is false, then requiredItems
|
|
// may contain items that are not in candidateList.
|
|
//
|
|
// In all cases, the order of requiredItems is enforced.
|
|
func assertPresenceAndOrdering(requiredItems, candidateList []uint16, requiredIsSubset bool) bool {
|
|
superset := requiredItems
|
|
subset := candidateList
|
|
if requiredIsSubset {
|
|
superset = candidateList
|
|
subset = requiredItems
|
|
}
|
|
|
|
var j int
|
|
for _, item := range subset {
|
|
var found bool
|
|
for j < len(superset) {
|
|
if superset[j] == item {
|
|
found = true
|
|
break
|
|
}
|
|
j++
|
|
}
|
|
if j == len(superset) && !found {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
func hasGreaseCiphers(cipherSuites []uint16) bool {
|
|
for _, cipher := range cipherSuites {
|
|
if _, ok := greaseCiphers[cipher]; ok {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// pool buffers so we can reuse allocations over time
|
|
var bufpool = sync.Pool{
|
|
New: func() interface{} {
|
|
return new(bytes.Buffer)
|
|
},
|
|
}
|
|
|
|
var greaseCiphers = map[uint16]struct{}{
|
|
0x0A0A: {},
|
|
0x1A1A: {},
|
|
0x2A2A: {},
|
|
0x3A3A: {},
|
|
0x4A4A: {},
|
|
0x5A5A: {},
|
|
0x6A6A: {},
|
|
0x7A7A: {},
|
|
0x8A8A: {},
|
|
0x9A9A: {},
|
|
0xAAAA: {},
|
|
0xBABA: {},
|
|
0xCACA: {},
|
|
0xDADA: {},
|
|
0xEAEA: {},
|
|
0xFAFA: {},
|
|
}
|
|
|
|
// Define variables used for TLS communication
|
|
const (
|
|
extensionOCSPStatusRequest = 5
|
|
extensionSupportedCurves = 10 // also called "SupportedGroups"
|
|
extensionSupportedPoints = 11
|
|
extensionHeartbeat = 15
|
|
|
|
scsvRenegotiation = 0xff
|
|
|
|
// cipher suites missing from the crypto/tls package,
|
|
// in no particular order here
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xc024
|
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xc028
|
|
TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x3d
|
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x33
|
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x39
|
|
TLS_RSA_WITH_RC4_128_MD5 = 0x4
|
|
|
|
// new PSK ciphers introduced by TLS 1.3, not (yet) in crypto/tls
|
|
// https://tlswg.github.io/tls13-spec/#rfc.appendix.A.4)
|
|
TLS_AES_128_GCM_SHA256 = 0x1301
|
|
TLS_AES_256_GCM_SHA384 = 0x1302
|
|
TLS_CHACHA20_POLY1305_SHA256 = 0x1303
|
|
TLS_AES_128_CCM_SHA256 = 0x1304
|
|
TLS_AES_128_CCM_8_SHA256 = 0x1305
|
|
)
|