
Extend SkipVerify support to TransferURLs

Miro 1 год назад
Родитель
Сommit
2771b1adb8

+ 3 - 4
psiphon/common/parameters/transferURLs.go

@@ -74,10 +74,9 @@ func (t TransferURLs) DecodeAndValidate() error {
 	hasOnlyAfterZero := false
 	for _, transferURL := range t {
 
-		// Currently, TransferURL FrontingSpecs are not permitted to specify
-		// SkipVerify as psiphon.makeFrontedHTTPClient uses
-		// MeekModePlaintextRoundTrip.
-		allowSkipVerify := false
+		// TransferURL FrontingSpecs are permitted to specify SkipVerify
+		// because transfers have additional security at the payload level.
+		allowSkipVerify := true
 		err := transferURL.FrontingSpecs.Validate(allowSkipVerify)
 		if err != nil {
 			return errors.Trace(err)
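Review bot: The new comment on `allowSkipVerify := true` states that transfers have payload-level security, but DecodeAndValidate cannot check that, so it now accepts SkipVerify for every TransferURL regardless of who consumes it. The guarantee rests entirely on each caller passing `payloadSecure = true` to the Make*HTTPClient functions, as this commit does in feedback.go, remoteServerList.go and upgradeDownload.go. I would spell that out where the validation is relaxed, for example `// Invariant: every consumer of TransferURLs must build its HTTP client with payloadSecure = true and authenticate the payload itself; SkipVerify leaves the TLS peer unauthenticated.` A future consumer that does not follow the convention would otherwise inherit unverified TLS with no warning. The function body continues outside this hunk.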

+ 6 - 7
psiphon/common/parameters/transferURLs_test.go

@@ -66,7 +66,7 @@ func TestTransferURLs(t *testing.T) {
 			1,
 		},
 		{
-			"single URL, fronting spec, invalid skip verify",
+			"single URL, multiple attempts, fronting spec",
 			TransferURLs{
 				{
 					URL:               encodedA,
@@ -77,18 +77,18 @@ func TestTransferURLs(t *testing.T) {
 							Addresses:          []string{"example.org"},
 							VerifyServerName:   "example.com",
 							Host:               "example.org",
-							SkipVerify:         true,
+							SkipVerify:         false,
 						},
 					},
 				},
 			},
-			1,
-			false,
+			2,
+			true,
 			decodedA,
 			1,
 		},
 		{
-			"single URL, multiple attempts, fronting spec",
+			"single URL, multiple attempts, fronting spec, skip verify set",
 			TransferURLs{
 				{
 					URL:               encodedA,
@@ -97,9 +97,8 @@ func TestTransferURLs(t *testing.T) {
 						{
 							FrontingProviderID: "frontingProvider",
 							Addresses:          []string{"example.org"},
-							VerifyServerName:   "example.com",
 							Host:               "example.org",
-							SkipVerify:         false,
+							SkipVerify:         true,
 						},
 					},
 				},
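Review bot: With the "invalid skip verify" case removed, none of the cases visible in these hunks still feeds TestTransferURLs a fronting spec that validation must reject. The new "skip verify set" case drops `VerifyServerName` when it sets `SkipVerify: true`, which suggests FrontingSpecs.Validate treats the two as mutually exclusive (inferred, since Validate is not shown). If so, add a case with both `VerifyServerName: "example.com"` and `SkipVerify: true` that expects an error, so relaxing `allowSkipVerify` does not also leave that rule untested for TransferURLs. The test table continues outside these hunks.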

+ 2 - 0
psiphon/feedback.go

@@ -204,12 +204,14 @@ func SendFeedback(ctx context.Context, config *Config, diagnostics, uploadPath s
 			feedbackUploadTimeout)
 		defer cancelFunc()
 
+		payloadSecure := true
 		client, _, err := MakeUntunneledHTTPClient(
 			feedbackUploadCtx,
 			config,
 			untunneledDialConfig,
 			uploadURL.SkipVerify,
 			config.DisableSystemRootCAs,
+			payloadSecure,
 			uploadURL.FrontingSpecs,
 			func(frontingProviderID string) {
 				NoticeInfo(
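Review bot: `payloadSecure := true` in SendFeedback is asserted with no comment naming the layer that actually protects the feedback body, and the same bare assignment is added in downloadRemoteServerListFile (remoteServerList.go) and DownloadUpgrade (upgradeDownload.go). Per the doc comment added in net.go, the flag may only be set when every payload carries its own transport security, so each site should record what that is and where it is enforced. For example `// payloadSecure: diagnostics are encrypted before upload (confirm), so an unverified fronting hop cannot read or forge them.` For the upgrade and server-list downloads the comment should point at the signature or authentication check that runs before the downloaded data is used, since with SkipVerify that check is the only integrity control left. The enclosing function starts and ends outside this hunk.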

+ 25 - 8
psiphon/net.go

@@ -401,6 +401,10 @@ func UntunneledResolveIP(
 // The context is applied to underlying TCP dials. The caller is responsible
 // for applying the context to requests made with the returned http.Client.
 //
+// payloadSecure must only be set if all HTTP plaintext payloads sent through
+// the returned net/http.Client will be wrapped in their own transport security
+// layer, which permits skipping of server certificate verification.
+//
 // Warning: it is not safe to call makeFrontedHTTPClient concurrently with the
 // same dialConfig when tunneled is true because dialConfig will be used
 // directly, instead of copied, which can lead to a crash when fields not safe
@@ -412,8 +416,9 @@ func makeFrontedHTTPClient(
 	dialConfig *DialConfig,
 	frontingSpecs parameters.FrontingSpecs,
 	selectedFrontingProviderID func(string),
-	skipVerify bool,
-	disableSystemRootCAs bool) (*http.Client, func() common.APIParameters, error) {
+	skipVerify,
+	disableSystemRootCAs,
+	payloadSecure bool) (*http.Client, func() common.APIParameters, error) {
 
 	frontingProviderID,
 		frontingTransport,
@@ -494,10 +499,15 @@ func makeFrontedHTTPClient(
 		}
 	}
 
+	var meekMode MeekMode = MeekModePlaintextRoundTrip
+	if payloadSecure {
+		meekMode = MeekModeWrappedPlaintextRoundTrip
+	}
+
 	meekConfig := &MeekConfig{
 		DiagnosticID:             frontingProviderID,
 		Parameters:               config.GetParameters(),
-		Mode:                     MeekModePlaintextRoundTrip,
+		Mode:                     meekMode,
 		DialAddress:              meekDialAddress,
 		UseHTTPS:                 true,
 		TLSProfile:               tlsProfile,
@@ -680,6 +690,7 @@ func MakeUntunneledHTTPClient(
 	untunneledDialConfig *DialConfig,
 	skipVerify bool,
 	disableSystemRootCAs bool,
+	payloadSecure bool,
 	frontingSpecs parameters.FrontingSpecs,
 	selectedFrontingProviderID func(string)) (*http.Client, func() common.APIParameters, error) {
 
@@ -695,7 +706,8 @@ func MakeUntunneledHTTPClient(
 			frontingSpecs,
 			selectedFrontingProviderID,
 			false,
-			disableSystemRootCAs)
+			disableSystemRootCAs,
+			payloadSecure)
 		if err != nil {
 			return nil, nil, errors.Trace(err)
 		}
@@ -741,8 +753,9 @@ func MakeTunneledHTTPClient(
 	ctx context.Context,
 	config *Config,
 	tunnel *Tunnel,
-	skipVerify bool,
-	disableSystemRootCAs bool,
+	skipVerify,
+	disableSystemRootCAs,
+	payloadSecure bool,
 	frontingSpecs parameters.FrontingSpecs,
 	selectedFrontingProviderID func(string)) (*http.Client, func() common.APIParameters, error) {
 
@@ -775,7 +788,8 @@ func MakeTunneledHTTPClient(
 			frontingSpecs,
 			selectedFrontingProviderID,
 			false,
-			disableSystemRootCAs)
+			disableSystemRootCAs,
+			payloadSecure)
 		if err != nil {
 			return nil, nil, errors.Trace(err)
 		}
@@ -818,7 +832,8 @@ func MakeDownloadHTTPClient(
 	tunnel *Tunnel,
 	untunneledDialConfig *DialConfig,
 	skipVerify,
-	disableSystemRootCAs bool,
+	disableSystemRootCAs,
+	payloadSecure bool,
 	frontingSpecs parameters.FrontingSpecs,
 	selectedFrontingProviderID func(string)) (*http.Client, bool, func() common.APIParameters, error) {
 
@@ -836,6 +851,7 @@ func MakeDownloadHTTPClient(
 			tunnel,
 			skipVerify || disableSystemRootCAs,
 			disableSystemRootCAs,
+			payloadSecure,
 			frontingSpecs,
 			selectedFrontingProviderID)
 		if err != nil {
@@ -849,6 +865,7 @@ func MakeDownloadHTTPClient(
 			untunneledDialConfig,
 			skipVerify,
 			disableSystemRootCAs,
+			payloadSecure,
 			frontingSpecs,
 			selectedFrontingProviderID)
 		if err != nil {
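Review bot: `skipVerify`, `disableSystemRootCAs` and `payloadSecure` are now three adjacent positional bools, and their position differs between signatures: in makeFrontedHTTPClient they follow `selectedFrontingProviderID`, while in MakeUntunneledHTTPClient, MakeTunneledHTTPClient and MakeDownloadHTTPClient they precede `frontingSpecs`. A transposed argument compiles cleanly and silently changes whether certificate verification is relied on, so I would group them, e.g. `type httpClientSecurity struct{ SkipVerify, DisableSystemRootCAs, PayloadSecure bool }`, or at least label the literal arguments at the call sites (`false, // skipVerify`). The new doc paragraph on makeFrontedHTTPClient could also state whether request URLs and headers are covered by the wrapped mode or only the body, since that decides what an unverified front can observe. These hunks show only parts of each function.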

+ 2 - 0
psiphon/remoteServerList.go

@@ -461,6 +461,7 @@ func downloadRemoteServerListFile(
 	// MakeDownloadHttpClient will select either a tunneled
 	// or untunneled configuration.
 
+	payloadSecure := true
 	httpClient, tunneled, getParams, err := MakeDownloadHTTPClient(
 		ctx,
 		config,
@@ -468,6 +469,7 @@ func downloadRemoteServerListFile(
 		untunneledDialConfig,
 		skipVerify,
 		disableSystemRootCAs,
+		payloadSecure,
 		frontingSpecs,
 		func(frontingProviderID string) {
 			NoticeInfo(

+ 2 - 0
psiphon/upgradeDownload.go

@@ -87,6 +87,7 @@ func DownloadUpgrade(
 
 	downloadURL := urls.Select(attempt)
 
+	payloadSecure := true
 	httpClient, _, _, err := MakeDownloadHTTPClient(
 		ctx,
 		config,
@@ -94,6 +95,7 @@ func DownloadUpgrade(
 		untunneledDialConfig,
 		downloadURL.SkipVerify,
 		config.DisableSystemRootCAs,
+		payloadSecure,
 		downloadURL.FrontingSpecs,
 		func(frontingProviderID string) {
 			NoticeInfo(