Home Explore Help
Sign In
yosoyhendrix
/
psiphon-tunnel-core
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Switch from path to file mode of SSL_CTX_load_verify_locations

Rod Hynes 10 years ago
parent
a7bc255256
commit
79bb06fe27
8 changed files with 40 additions and 40 deletions
Unified View Show Diff Stats
  1. 5 5
      psiphon/config.go
  2. 6 6
      psiphon/controller.go
  3. 7 7
      psiphon/meekConn.go
  4. 4 4
      psiphon/net.go
  5. 3 3
      psiphon/opensslConn.go
  6. 5 5
      psiphon/remoteServerList.go
  7. 3 3
      psiphon/tlsDialer.go
  8. 7 7
      psiphon/tunnel.go

+ 5 - 5
psiphon/config.go
View File 

@@ -244,11 +244,11 @@ type Config struct {
 
 	// parameter is only supported on platforms built with OpenSSL.
 
 	// parameter is only supported on platforms built with OpenSSL.
 
 	UseIndistinguishableTLS bool
 
 	UseIndistinguishableTLS bool
 
 
 
-	// SystemCACertificateDirectory specifies a directory containing OpenSSL-format
 
-	// CA certificate files (OpenSSL 1.0.1+ format). When specified, this enables
 
-	// use of indistinguishable TLS for HTTPS requests that require typical (system
 
-	// CA) server authentication.
 
-	SystemCACertificateDirectory string
 
+	// TrustedCACertificatesFilename specifies a file containing trusted CA certs.
 
+	// The file contents should be compatible with OpenSSL's SSL_CTX_load_verify_locations.
 
+	// When specified, this enables use of indistinguishable TLS for HTTPS requests
 
+	// that require typical (system CA) server authentication.
 
+	TrustedCACertificatesFilename string
 
 }
 
 }
 
 
 
 // LoadConfig parses and validates a JSON format Psiphon config JSON
 
 // LoadConfig parses and validates a JSON format Psiphon config JSON

+ 6 - 6
psiphon/controller.go
View File 

@@ -78,12 +78,12 @@ func NewController(config *Config) (controller *Controller, err error) {
 
 	// used to exclude these requests and connection from VPN routing.
 
 	// used to exclude these requests and connection from VPN routing.
 
 	untunneledPendingConns := new(Conns)
 
 	untunneledPendingConns := new(Conns)
 
 	untunneledDialConfig := &DialConfig{
 
 	untunneledDialConfig := &DialConfig{
 
-		UpstreamProxyUrl:             config.UpstreamProxyUrl,
 
-		PendingConns:                 untunneledPendingConns,
 
-		DeviceBinder:                 config.DeviceBinder,
 
-		DnsServerGetter:              config.DnsServerGetter,
 
-		UseIndistinguishableTLS:      config.UseIndistinguishableTLS,
 
-		SystemCACertificateDirectory: config.SystemCACertificateDirectory,
 
+		UpstreamProxyUrl:              config.UpstreamProxyUrl,
 
+		PendingConns:                  untunneledPendingConns,
 
+		DeviceBinder:                  config.DeviceBinder,
 
+		DnsServerGetter:               config.DnsServerGetter,
 
+		UseIndistinguishableTLS:       config.UseIndistinguishableTLS,
 
+		TrustedCACertificatesFilename: config.TrustedCACertificatesFilename,
 
 	}
 
 	}
 
 
 
 	controller = &Controller{
 
 	controller = &Controller{

+ 7 - 7
psiphon/meekConn.go
View File 

@@ -162,13 +162,13 @@ func DialMeek(
 
 
 
 		dialer = NewCustomTLSDialer(
 
 		dialer = NewCustomTLSDialer(
 
 			&CustomTLSConfig{
 
 			&CustomTLSConfig{
 
-				Dial:                         NewTCPDialer(meekConfig),
 
-				Timeout:                      meekConfig.ConnectTimeout,
 
-				FrontingAddr:                 fmt.Sprintf("%s:%d", frontingAddress, 443),
 
-				SendServerName:               false,
 
-				SkipVerify:                   true,
 
-				UseIndistinguishableTLS:      config.UseIndistinguishableTLS,
 
-				SystemCACertificateDirectory: config.SystemCACertificateDirectory,
 
+				Dial:                          NewTCPDialer(meekConfig),
 
+				Timeout:                       meekConfig.ConnectTimeout,
 
+				FrontingAddr:                  fmt.Sprintf("%s:%d", frontingAddress, 443),
 
+				SendServerName:                false,
 
+				SkipVerify:                    true,
 
+				UseIndistinguishableTLS:       config.UseIndistinguishableTLS,
 
+				TrustedCACertificatesFilename: config.TrustedCACertificatesFilename,
 
 			})
 
 			})
 
 	} else {
 
 	} else {
 
 		// In the unfronted case, host is both what is dialed and what ends up in the HTTP Host header
 
 		// In the unfronted case, host is both what is dialed and what ends up in the HTTP Host header

+ 4 - 4
psiphon/net.go
View File 

@@ -72,11 +72,11 @@ type DialConfig struct {
 
 	// Only applies to TLS connections.
 
 	// Only applies to TLS connections.
 
 	UseIndistinguishableTLS bool
 
 	UseIndistinguishableTLS bool
 
 
 
-	// SystemCACertificateDirectory specifies a directory containing
 
-	// CA certs. Directory contents should be compatible with OpenSSL's
 
-	// SSL_CTX_load_verify_locations
 
+	// TrustedCACertificatesFilename specifies a file containing trusted
 
+	// CA certs. The file contents should be compatible with OpenSSL's
 
+	// SSL_CTX_load_verify_locations.
 
 	// Only applies to UseIndistinguishableTLS connections.
 
 	// Only applies to UseIndistinguishableTLS connections.
 
-	SystemCACertificateDirectory string
 
+	TrustedCACertificatesFilename string
 
 }
 
 }
 
 
 
 // DeviceBinder defines the interface to the external BindToDevice provider
 
 // DeviceBinder defines the interface to the external BindToDevice provider

+ 3 - 3
psiphon/opensslConn.go
View File 

@@ -46,10 +46,10 @@ func newOpenSSLConn(rawConn net.Conn, hostname string, config *CustomTLSConfig)
 
 			// TODO: verify with VerifyLegacyCertificate
 
 			// TODO: verify with VerifyLegacyCertificate
 
 			return nil, errors.New("newOpenSSLConn does not support VerifyLegacyCertificate")
 
 			return nil, errors.New("newOpenSSLConn does not support VerifyLegacyCertificate")
 
 		} else {
 
 		} else {
 
-			if config.SystemCACertificateDirectory == "" {
 
-				return nil, errors.New("newOpenSSLConn cannot verify without SystemCACertificateDirectory")
 
+			if config.TrustedCACertificatesFilename == "" {
 
+				return nil, errors.New("newOpenSSLConn cannot verify without TrustedCACertificatesFilename")
 
 			}
 
 			}
 
-			err = ctx.LoadVerifyLocations("", config.SystemCACertificateDirectory)
 
+			err = ctx.LoadVerifyLocations(config.TrustedCACertificatesFilename, "")
 
 			if err != nil {
 
 			if err != nil {
 
 				return nil, ContextError(err)
 
 				return nil, ContextError(err)
 
 			}
 
 			}

+ 5 - 5
psiphon/remoteServerList.go
View File 

@@ -54,11 +54,11 @@ func FetchRemoteServerList(config *Config, dialConfig *DialConfig) (err error) {
 
 	if requestUrl.Scheme == "https" {
 
 	if requestUrl.Scheme == "https" {
 
 		dialer = NewCustomTLSDialer(
 
 		dialer = NewCustomTLSDialer(
 
 			&CustomTLSConfig{
 
 			&CustomTLSConfig{
 
-				Dial:                         dialer,
 
-				SendServerName:               true,
 
-				SkipVerify:                   false,
 
-				UseIndistinguishableTLS:      config.UseIndistinguishableTLS,
 
-				SystemCACertificateDirectory: config.SystemCACertificateDirectory,
 
+				Dial:                          dialer,
 
+				SendServerName:                true,
 
+				SkipVerify:                    false,
 
+				UseIndistinguishableTLS:       config.UseIndistinguishableTLS,
 
+				TrustedCACertificatesFilename: config.TrustedCACertificatesFilename,
 
 			})
 
 			})
 
 
 
 		// Change the scheme to "http"; otherwise http.Transport will try to do
 
 		// Change the scheme to "http"; otherwise http.Transport will try to do

+ 3 - 3
psiphon/tlsDialer.go
View File 

@@ -112,11 +112,11 @@ type CustomTLSConfig struct {
 
 	// Go's TLS has a distinct fingerprint that may be used for blocking.
 
 	// Go's TLS has a distinct fingerprint that may be used for blocking.
 
 	UseIndistinguishableTLS bool
 
 	UseIndistinguishableTLS bool
 
 
 
-	// SystemCACertificateDirectory specifies a directory containing
 
+	// TrustedCACertificatesFilename specifies a file containing trusted
 
 	// CA certs. Directory contents should be compatible with OpenSSL's
 
 	// CA certs. Directory contents should be compatible with OpenSSL's
 
 	// SSL_CTX_load_verify_locations
 
 	// SSL_CTX_load_verify_locations
 
 	// Only applies to UseIndistinguishableTLS connections.
 
 	// Only applies to UseIndistinguishableTLS connections.
 
-	SystemCACertificateDirectory string
 
+	TrustedCACertificatesFilename string
 
 }
 
 }
 
 
 
 func NewCustomTLSDialer(config *CustomTLSConfig) Dialer {
 
 func NewCustomTLSDialer(config *CustomTLSConfig) Dialer {
 
@@ -189,7 +189,7 @@ func CustomTLSDial(network, addr string, config *CustomTLSConfig) (net.Conn, err
 
 	if config.UseIndistinguishableTLS &&
 
 	if config.UseIndistinguishableTLS &&
 
 		(config.SkipVerify ||
 
 		(config.SkipVerify ||
 
 			// TODO: config.VerifyLegacyCertificate != nil ||
 
 			// TODO: config.VerifyLegacyCertificate != nil ||
 
-			config.SystemCACertificateDirectory != "") {
 
+			config.TrustedCACertificatesFilename != "") {
 
 
 
 		conn, err = newOpenSSLConn(rawConn, hostname, config)
 
 		conn, err = newOpenSSLConn(rawConn, hostname, config)
 
 		if err != nil {
 
 		if err != nil {

+ 7 - 7
psiphon/tunnel.go
View File 

@@ -378,13 +378,13 @@ func dialSsh(
 
 
 
 	// Create the base transport: meek or direct connection
 
 	// Create the base transport: meek or direct connection
 
 	dialConfig := &DialConfig{
 
 	dialConfig := &DialConfig{
 
-		UpstreamProxyUrl:             config.UpstreamProxyUrl,
 
-		ConnectTimeout:               TUNNEL_CONNECT_TIMEOUT,
 
-		PendingConns:                 pendingConns,
 
-		DeviceBinder:                 config.DeviceBinder,
 
-		DnsServerGetter:              config.DnsServerGetter,
 
-		UseIndistinguishableTLS:      config.UseIndistinguishableTLS,
 
-		SystemCACertificateDirectory: config.SystemCACertificateDirectory,
 
+		UpstreamProxyUrl:              config.UpstreamProxyUrl,
 
+		ConnectTimeout:                TUNNEL_CONNECT_TIMEOUT,
 
+		PendingConns:                  pendingConns,
 
+		DeviceBinder:                  config.DeviceBinder,
 
+		DnsServerGetter:               config.DnsServerGetter,
 
+		UseIndistinguishableTLS:       config.UseIndistinguishableTLS,
 
+		TrustedCACertificatesFilename: config.TrustedCACertificatesFilename,
 
 	}
 
 	}
 
 	if useMeek {
 
 	if useMeek {
 
 		conn, err = DialMeek(serverEntry, sessionId, frontingAddress, dialConfig)
 
 		conn, err = DialMeek(serverEntry, sessionId, frontingAddress, dialConfig)