b612/starnet
1
0
Fork 0
Code Issues Pull Requests Projects Releases 18 Wiki Activity

Compare commits

base: b612:v0.4.3
Branches Tags
b612:master
b612:v0.4.4
b612:v0.4.3
b612:v0.4.2
b612:v0.4.1
b612:v0.4.0
b612:v0.3.1
b612:v0.3.0
b612:v0.2.3
b612:v0.2.2
b612:v0.2.1
b612:v0.2.0
b612:v0.1.8
b612:v0.1.7
b612:v0.1.6
b612:v0.1.5
b612:v0.1.4
b612:v0.1.3
b612:v0.1.2
b612:v0.1.1
b612:v0.1.0
...
compare: b612:master
Branches Tags
b612:master
b612:v0.4.4
b612:v0.4.3
b612:v0.4.2
b612:v0.4.1
b612:v0.4.0
b612:v0.3.1
b612:v0.3.0
b612:v0.2.3
b612:v0.2.2
b612:v0.2.1
b612:v0.2.0
b612:v0.1.8
b612:v0.1.7
b612:v0.1.6
b612:v0.1.5
b612:v0.1.4
b612:v0.1.3
b612:v0.1.2
b612:v0.1.1
b612:v0.1.0

1 Commits
v0.4.3 ... master

Author SHA1 Message Date
starainrt
9ac9b65bc5
fix(starnet): 收紧 TLS ClientHello 嗅探并补齐边界测试 
- 用轻量 ClientHello 解析替代假握手式 TLS 嗅探
  - 保留截断和 max-bytes 场景下的 TLS 分类与缓冲回放能力
  - 拒绝首个 record 完整但并非 ClientHello 的伪 TLS 流量
  - 为动态 TLS 配置选择透出更完整的 ClientHello 元数据
  - 拆分 TLS 初始化失败统计为 sniff/config/plain rejected
  - 补充正常、分片、截断、限长、伪 TLS 等回归测试
 2026-03-27 12:05:23 +08:00
5 changed files with 986 additions and 80 deletions
Show Stats Expand all files Collapse all files

9
errors.go
View File

@ -68,6 +68,12 @@ var (
// ErrNilConn indicates a nil net.Conn argument.
ErrNilConn = errors.New("starnet: nil connection")
// ErrTLSSniffFailed indicates TLS sniffing/parsing failed before handshake setup.
ErrTLSSniffFailed = errors.New("starnet: tls sniff failed")
// ErrTLSConfigSelectionFailed indicates dynamic TLS config selection failed.
ErrTLSConfigSelectionFailed = errors.New("starnet: tls config selection failed")
// ErrNonTLSNotAllowed indicates plain TCP was detected while non-TLS is forbidden.
ErrNonTLSNotAllowed = errors.New("starnet: non-TLS connection not allowed")
@ -179,7 +185,8 @@ func IsTLS(err error) bool {
if err == nil {
return false
}
if errors.Is(err, ErrNotTLS) || errors.Is(err, ErrNoTLSConfig) || errors.Is(err, ErrNonTLSNotAllowed) {
if errors.Is(err, ErrNotTLS) || errors.Is(err, ErrNoTLSConfig) || errors.Is(err, ErrNonTLSNotAllowed) ||
errors.Is(err, ErrTLSSniffFailed) || errors.Is(err, ErrTLSConfigSelectionFailed) {
return true
}

37
tlsconfig.go
View File

@ -9,14 +9,49 @@ import (
// GetConfigForClientFunc selects TLS config by hostname/SNI.
type GetConfigForClientFunc func(hostname string) (*tls.Config, error)
// ClientHelloMeta carries sniffed TLS metadata and connection context.
type ClientHelloMeta struct {
ServerName string
LocalAddr net.Addr
RemoteAddr net.Addr
SupportedProtos []string
SupportedVersions []uint16
CipherSuites []uint16
}
// Clone returns a detached copy safe for callers to mutate.
func (m *ClientHelloMeta) Clone() *ClientHelloMeta {
if m == nil {
return nil
}
out := *m
if m.SupportedProtos != nil {
out.SupportedProtos = append([]string(nil), m.SupportedProtos...)
}
if m.SupportedVersions != nil {
out.SupportedVersions = append([]uint16(nil), m.SupportedVersions...)
}
if m.CipherSuites != nil {
out.CipherSuites = append([]uint16(nil), m.CipherSuites...)
}
return &out
}
// GetConfigForClientHelloFunc selects TLS config by sniffed TLS metadata.
type GetConfigForClientHelloFunc func(hello *ClientHelloMeta) (*tls.Config, error)
// ListenerConfig controls listener behavior.
type ListenerConfig struct {
// BaseTLSConfig is used for TLS when dynamic selection returns nil.
BaseTLSConfig *tls.Config
// GetConfigForClient selects TLS config for a hostname.
// GetConfigForClient selects TLS config for a hostname/SNI.
// Deprecated: prefer GetConfigForClientHello for richer context.
GetConfigForClient GetConfigForClientFunc
// GetConfigForClientHello selects TLS config for sniffed TLS metadata.
GetConfigForClientHello GetConfigForClientHelloFunc
// AllowNonTLS allows plain TCP fallback.
AllowNonTLS bool

449
tlssniffer.go
View File

@ -4,6 +4,8 @@ import (
"bytes"
"context"
"crypto/tls"
"encoding/binary"
"errors"
"io"
"net"
"sync"
@ -34,9 +36,9 @@ func (c *replayConn) SetWriteDeadline(t time.Time) error { return c.conn.SetWrit
// SniffResult describes protocol sniffing result.
type SniffResult struct {
IsTLS bool
Hostname string
Buffer *bytes.Buffer
IsTLS bool
ClientHello *ClientHelloMeta
Buffer *bytes.Buffer
}
// Sniffer detects protocol and metadata from initial bytes.
@ -55,44 +57,210 @@ func (s TLSSniffer) Sniff(conn net.Conn, maxBytes int) (SniffResult, error) {
var buf bytes.Buffer
limited := &io.LimitedReader{R: conn, N: int64(maxBytes)}
tee := io.TeeReader(limited, &buf)
var hello *tls.ClientHelloInfo
_ = tls.Server(readOnlyConn{r: tee, raw: conn}, &tls.Config{
GetConfigForClient: func(ch *tls.ClientHelloInfo) (*tls.Config, error) {
cp := *ch
hello = &cp
return nil, nil
},
}).Handshake()
peek := buf.Bytes()
isTLS := len(peek) >= 3 && peek[0] == 0x16 && peek[1] == 0x03
meta, isTLS := sniffClientHello(limited, &buf, conn)
out := SniffResult{
IsTLS: isTLS,
Buffer: bytes.NewBuffer(append([]byte(nil), peek...)),
Buffer: bytes.NewBuffer(append([]byte(nil), buf.Bytes()...)),
}
if hello != nil {
out.Hostname = hello.ServerName
if isTLS {
out.ClientHello = meta
}
return out, nil
}
// readOnlyConn rejects writes/close and reads from a reader.
type readOnlyConn struct {
r io.Reader
raw net.Conn
func sniffClientHello(r io.Reader, buf *bytes.Buffer, conn net.Conn) (*ClientHelloMeta, bool) {
meta := &ClientHelloMeta{
LocalAddr: conn.LocalAddr(),
RemoteAddr: conn.RemoteAddr(),
}
header, complete := readTLSRecordHeader(r, buf)
if len(header) < 3 {
return nil, false
}
isTLS := header[0] == 0x16 && header[1] == 0x03
if !isTLS {
return nil, false
}
if len(header) < 5 || !complete {
return meta, true
}
recordLen := int(binary.BigEndian.Uint16(header[3:5]))
recordBody, bodyOK := readBufferedBytes(r, buf, recordLen)
if !bodyOK {
return meta, true
}
if len(recordBody) < 4 || recordBody[0] != 0x01 {
return nil, false
}
helloLen := int(recordBody[1])<<16 | int(recordBody[2])<<8 | int(recordBody[3])
helloBytes := append([]byte(nil), recordBody[4:]...)
for len(helloBytes) < helloLen {
nextHeader, nextOK := readTLSRecordHeader(r, buf)
if len(nextHeader) < 5 || !nextOK {
return meta, true
}
if nextHeader[0] != 0x16 || nextHeader[1] != 0x03 {
return meta, true
}
nextLen := int(binary.BigEndian.Uint16(nextHeader[3:5]))
nextBody, nextBodyOK := readBufferedBytes(r, buf, nextLen)
if !nextBodyOK {
return meta, true
}
helloBytes = append(helloBytes, nextBody...)
}
parseClientHelloBody(meta, helloBytes[:helloLen])
return meta, true
}
func (c readOnlyConn) Read(p []byte) (int, error) { return c.r.Read(p) }
func (c readOnlyConn) Write(p []byte) (int, error) { return 0, io.ErrClosedPipe }
func (c readOnlyConn) Close() error { return nil }
func (c readOnlyConn) LocalAddr() net.Addr { return c.raw.LocalAddr() }
func (c readOnlyConn) RemoteAddr() net.Addr { return c.raw.RemoteAddr() }
func (c readOnlyConn) SetDeadline(_ time.Time) error { return nil }
func (c readOnlyConn) SetReadDeadline(_ time.Time) error { return nil }
func (c readOnlyConn) SetWriteDeadline(_ time.Time) error { return nil }
func readTLSRecordHeader(r io.Reader, buf *bytes.Buffer) ([]byte, bool) {
return readBufferedBytes(r, buf, 5)
}
func readBufferedBytes(r io.Reader, buf *bytes.Buffer, n int) ([]byte, bool) {
if n <= 0 {
return nil, true
}
tmp := make([]byte, n)
readN, err := io.ReadFull(r, tmp)
if readN > 0 {
buf.Write(tmp[:readN])
}
return append([]byte(nil), tmp[:readN]...), err == nil
}
func parseClientHelloBody(meta *ClientHelloMeta, body []byte) {
if meta == nil || len(body) < 34 {
return
}
offset := 2 + 32
sessionIDLen := int(body[offset])
offset++
if offset+sessionIDLen > len(body) {
return
}
offset += sessionIDLen
if offset+2 > len(body) {
return
}
cipherSuitesLen := int(binary.BigEndian.Uint16(body[offset : offset+2]))
offset += 2
if offset+cipherSuitesLen > len(body) {
return
}
for i := 0; i+1 < cipherSuitesLen; i += 2 {
meta.CipherSuites = append(meta.CipherSuites, binary.BigEndian.Uint16(body[offset+i:offset+i+2]))
}
offset += cipherSuitesLen
if offset >= len(body) {
return
}
compressionMethodsLen := int(body[offset])
offset++
if offset+compressionMethodsLen > len(body) {
return
}
offset += compressionMethodsLen
if offset+2 > len(body) {
return
}
extensionsLen := int(binary.BigEndian.Uint16(body[offset : offset+2]))
offset += 2
if offset+extensionsLen > len(body) {
return
}
parseClientHelloExtensions(meta, body[offset:offset+extensionsLen])
}
func parseClientHelloExtensions(meta *ClientHelloMeta, exts []byte) {
for offset := 0; offset+4 <= len(exts); {
extType := binary.BigEndian.Uint16(exts[offset : offset+2])
extLen := int(binary.BigEndian.Uint16(exts[offset+2 : offset+4]))
offset += 4
if offset+extLen > len(exts) {
return
}
extData := exts[offset : offset+extLen]
offset += extLen
switch extType {
case 0:
parseServerNameExtension(meta, extData)
case 16:
parseALPNExtension(meta, extData)
case 43:
parseSupportedVersionsExtension(meta, extData)
}
}
}
func parseServerNameExtension(meta *ClientHelloMeta, data []byte) {
if len(data) < 2 {
return
}
listLen := int(binary.BigEndian.Uint16(data[:2]))
if listLen == 0 || 2+listLen > len(data) {
return
}
list := data[2 : 2+listLen]
for offset := 0; offset+3 <= len(list); {
nameType := list[offset]
nameLen := int(binary.BigEndian.Uint16(list[offset+1 : offset+3]))
offset += 3
if offset+nameLen > len(list) {
return
}
if nameType == 0 {
meta.ServerName = string(list[offset : offset+nameLen])
return
}
offset += nameLen
}
}
func parseALPNExtension(meta *ClientHelloMeta, data []byte) {
if len(data) < 2 {
return
}
listLen := int(binary.BigEndian.Uint16(data[:2]))
if listLen == 0 || 2+listLen > len(data) {
return
}
list := data[2 : 2+listLen]
for offset := 0; offset < len(list); {
nameLen := int(list[offset])
offset++
if offset+nameLen > len(list) {
return
}
meta.SupportedProtos = append(meta.SupportedProtos, string(list[offset:offset+nameLen]))
offset += nameLen
}
}
func parseSupportedVersionsExtension(meta *ClientHelloMeta, data []byte) {
if len(data) < 1 {
return
}
listLen := int(data[0])
if listLen == 0 || 1+listLen > len(data) {
return
}
list := data[1 : 1+listLen]
for offset := 0; offset+1 < len(list); offset += 2 {
meta.SupportedVersions = append(meta.SupportedVersions, binary.BigEndian.Uint16(list[offset:offset+2]))
}
}
// Conn wraps net.Conn with lazy protocol initialization.
type Conn struct {
@ -106,17 +274,18 @@ type Conn struct {
tlsConn *tls.Conn
plainConn net.Conn
hostname string
clientHello *ClientHelloMeta
baseTLSConfig *tls.Config
getConfigForClient GetConfigForClientFunc
allowNonTLS bool
sniffer Sniffer
sniffTimeout time.Duration
maxClientHello int
logger Logger
stats *Stats
skipSniff bool
baseTLSConfig *tls.Config
getConfigForClient GetConfigForClientFunc
getConfigForClientHello GetConfigForClientHelloFunc
allowNonTLS bool
sniffer Sniffer
sniffTimeout time.Duration
maxClientHello int
logger Logger
stats *Stats
skipSniff bool
}
func newConn(raw net.Conn, cfg ListenerConfig, stats *Stats) *Conn {
@ -125,6 +294,7 @@ func newConn(raw net.Conn, cfg ListenerConfig, stats *Stats) *Conn {
plainConn: raw,
baseTLSConfig: cfg.BaseTLSConfig,
getConfigForClient: cfg.GetConfigForClient,
getConfigForClientHello: cfg.GetConfigForClientHello,
allowNonTLS: cfg.AllowNonTLS,
sniffer: TLSSniffer{},
sniffTimeout: cfg.SniffTimeout,
@ -139,7 +309,7 @@ func (c *Conn) init() {
if c.skipSniff {
return
}
if c.baseTLSConfig == nil && c.getConfigForClient == nil {
if c.baseTLSConfig == nil && c.getConfigForClient == nil && c.getConfigForClientHello == nil {
c.isTLS = false
return
}
@ -152,13 +322,13 @@ func (c *Conn) init() {
_ = c.Conn.SetReadDeadline(time.Time{})
}
if err != nil {
c.initErr = err
c.failAndClose("sniff failed: %v", err)
c.initErr = errors.Join(ErrTLSSniffFailed, err)
c.failSniff(err)
return
}
c.isTLS = res.IsTLS
c.hostname = res.Hostname
c.clientHello = res.ClientHello
if c.isTLS {
if c.stats != nil {
@ -166,8 +336,8 @@ func (c *Conn) init() {
}
tlsCfg, errCfg := c.selectTLSConfig()
if errCfg != nil {
c.initErr = errCfg
c.failAndClose("tls config select failed: %v", errCfg)
c.initErr = errors.Join(ErrTLSConfigSelectionFailed, errCfg)
c.failTLSConfigSelection(errCfg)
return
}
rc := newReplayConn(bytes.NewBuffer(res.Buffer.Bytes()), c.Conn)
@ -180,7 +350,7 @@ func (c *Conn) init() {
}
if !c.allowNonTLS {
c.initErr = ErrNonTLSNotAllowed
c.failAndClose("plain tcp rejected")
c.failPlainRejected()
return
}
c.plainConn = newReplayConn(bytes.NewBuffer(res.Buffer.Bytes()), c.Conn)
@ -188,27 +358,57 @@ func (c *Conn) init() {
}
func (c *Conn) failAndClose(format string, v ...interface{}) {
if c.stats != nil {
c.stats.incInitFailures()
}
if c.logger != nil {
c.logger.Printf("starnet: "+format, v...)
}
_ = c.Close()
}
func (c *Conn) failSniff(err error) {
if c.stats != nil {
c.stats.incSniffFailures()
}
c.failAndClose("tls sniff failed: %v", err)
}
func (c *Conn) failTLSConfigSelection(err error) {
if c.stats != nil {
c.stats.incTLSConfigFailures()
}
c.failAndClose("tls config selection failed: %v", err)
}
func (c *Conn) failPlainRejected() {
if c.stats != nil {
c.stats.incPlainRejected()
}
c.failAndClose("plain tcp rejected")
}
func (c *Conn) selectTLSConfig() (*tls.Config, error) {
if c.getConfigForClient != nil {
cfg, err := c.getConfigForClient(c.hostname)
var selected *tls.Config
if c.getConfigForClientHello != nil {
cfg, err := c.getConfigForClientHello(c.clientHello.Clone())
if err != nil {
return nil, err
}
if cfg != nil {
return cfg, nil
selected = cfg
}
}
if c.baseTLSConfig != nil {
return c.baseTLSConfig, nil
if selected == nil && c.getConfigForClient != nil {
cfg, err := c.getConfigForClient(c.serverName())
if err != nil {
return nil, err
}
if cfg != nil {
selected = cfg
}
}
composed := composeServerTLSConfig(c.baseTLSConfig, selected)
if composed != nil {
return composed, nil
}
return nil, ErrNoTLSConfig
}
@ -216,7 +416,140 @@ func (c *Conn) selectTLSConfig() (*tls.Config, error) {
// Hostname returns sniffed SNI hostname (if any).
func (c *Conn) Hostname() string {
c.init()
return c.hostname
return c.serverName()
}
// ClientHello returns sniffed TLS metadata (if any).
func (c *Conn) ClientHello() *ClientHelloMeta {
c.init()
return c.clientHello.Clone()
}
func (c *Conn) serverName() string {
if c.clientHello == nil {
return ""
}
return c.clientHello.ServerName
}
func composeServerTLSConfig(base, selected *tls.Config) *tls.Config {
if base == nil {
return selected
}
if selected == nil {
return base
}
out := base.Clone()
applyServerTLSOverrides(out, selected)
return out
}
func applyServerTLSOverrides(dst, src *tls.Config) {
if dst == nil || src == nil {
return
}
if src.Rand != nil {
dst.Rand = src.Rand
}
if src.Time != nil {
dst.Time = src.Time
}
if len(src.Certificates) > 0 {
dst.Certificates = append([]tls.Certificate(nil), src.Certificates...)
}
if len(src.NameToCertificate) > 0 {
m := make(map[string]*tls.Certificate, len(src.NameToCertificate))
for k, v := range src.NameToCertificate {
m[k] = v
}
dst.NameToCertificate = m
}
if src.GetCertificate != nil {
dst.GetCertificate = src.GetCertificate
}
if src.GetClientCertificate != nil {
dst.GetClientCertificate = src.GetClientCertificate
}
if src.GetConfigForClient != nil {
dst.GetConfigForClient = src.GetConfigForClient
}
if src.VerifyPeerCertificate != nil {
dst.VerifyPeerCertificate = src.VerifyPeerCertificate
}
if src.VerifyConnection != nil {
dst.VerifyConnection = src.VerifyConnection
}
if src.RootCAs != nil {
dst.RootCAs = src.RootCAs
}
if len(src.NextProtos) > 0 {
dst.NextProtos = append([]string(nil), src.NextProtos...)
}
if src.ServerName != "" {
dst.ServerName = src.ServerName
}
if src.ClientAuth > dst.ClientAuth {
dst.ClientAuth = src.ClientAuth
}
if src.ClientCAs != nil {
dst.ClientCAs = src.ClientCAs
}
if src.InsecureSkipVerify {
dst.InsecureSkipVerify = true
}
if len(src.CipherSuites) > 0 {
dst.CipherSuites = append([]uint16(nil), src.CipherSuites...)
}
if src.PreferServerCipherSuites {
dst.PreferServerCipherSuites = true
}
if src.SessionTicketsDisabled {
dst.SessionTicketsDisabled = true
}
if src.SessionTicketKey != ([32]byte{}) {
dst.SessionTicketKey = src.SessionTicketKey
}
if src.ClientSessionCache != nil {
dst.ClientSessionCache = src.ClientSessionCache
}
if src.UnwrapSession != nil {
dst.UnwrapSession = src.UnwrapSession
}
if src.WrapSession != nil {
dst.WrapSession = src.WrapSession
}
if src.MinVersion != 0 && (dst.MinVersion == 0 || src.MinVersion > dst.MinVersion) {
dst.MinVersion = src.MinVersion
}
if src.MaxVersion != 0 && (dst.MaxVersion == 0 || src.MaxVersion < dst.MaxVersion) {
dst.MaxVersion = src.MaxVersion
}
if len(src.CurvePreferences) > 0 {
dst.CurvePreferences = append([]tls.CurveID(nil), src.CurvePreferences...)
}
if src.DynamicRecordSizingDisabled {
dst.DynamicRecordSizingDisabled = true
}
if src.Renegotiation != 0 {
dst.Renegotiation = src.Renegotiation
}
if src.KeyLogWriter != nil {
dst.KeyLogWriter = src.KeyLogWriter
}
if len(src.EncryptedClientHelloConfigList) > 0 {
dst.EncryptedClientHelloConfigList = append([]byte(nil), src.EncryptedClientHelloConfigList...)
}
if src.EncryptedClientHelloRejectionVerify != nil {
dst.EncryptedClientHelloRejectionVerify = src.EncryptedClientHelloRejectionVerify
}
if src.GetEncryptedClientHelloKeys != nil {
dst.GetEncryptedClientHelloKeys = src.GetEncryptedClientHelloKeys
}
if len(src.EncryptedClientHelloKeys) > 0 {
dst.EncryptedClientHelloKeys = append([]tls.EncryptedClientHelloKey(nil), src.EncryptedClientHelloKeys...)
}
}
func (c *Conn) IsTLS() bool {
@ -365,6 +698,7 @@ func normalizeConfig(cfg ListenerConfig) ListenerConfig {
out.MaxClientHelloBytes = cfg.MaxClientHelloBytes
out.BaseTLSConfig = cfg.BaseTLSConfig
out.GetConfigForClient = cfg.GetConfigForClient
out.GetConfigForClientHello = cfg.GetConfigForClientHello
out.Logger = cfg.Logger
if out.MaxClientHelloBytes <= 0 {
out.MaxClientHelloBytes = 64 * 1024
@ -471,7 +805,6 @@ func DialTLSWithConfig(network, address string, tlsCfg *tls.Config, timeout time
plainConn: raw,
isTLS: true,
tlsConn: tc,
hostname: "",
initErr: nil,
allowNonTLS: false,
skipSniff: true,

519
tlssniffer_test.go
View File

@ -1,12 +1,14 @@
package starnet
import (
"bytes"
"context"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/binary"
"encoding/pem"
"errors"
"io"
@ -18,6 +20,280 @@ import (
"time"
)
type staticSniffer struct {
result SniffResult
err error
}
type fixedAddr string
func (a fixedAddr) Network() string { return "tcp" }
func (a fixedAddr) String() string { return string(a) }
type recordingConn struct {
buf bytes.Buffer
}
func (c *recordingConn) Read([]byte) (int, error) { return 0, io.EOF }
func (c *recordingConn) Write(p []byte) (int, error) { return c.buf.Write(p) }
func (c *recordingConn) Close() error { return nil }
func (c *recordingConn) LocalAddr() net.Addr { return fixedAddr("127.0.0.1:443") }
func (c *recordingConn) RemoteAddr() net.Addr { return fixedAddr("127.0.0.1:50000") }
func (c *recordingConn) SetDeadline(time.Time) error { return nil }
func (c *recordingConn) SetReadDeadline(time.Time) error { return nil }
func (c *recordingConn) SetWriteDeadline(time.Time) error { return nil }
type bytesConn struct {
reader io.Reader
local net.Addr
remote net.Addr
}
func (c *bytesConn) Read(p []byte) (int, error) { return c.reader.Read(p) }
func (c *bytesConn) Write(p []byte) (int, error) { return len(p), nil }
func (c *bytesConn) Close() error { return nil }
func (c *bytesConn) LocalAddr() net.Addr { return c.local }
func (c *bytesConn) RemoteAddr() net.Addr { return c.remote }
func (c *bytesConn) SetDeadline(time.Time) error { return nil }
func (c *bytesConn) SetReadDeadline(time.Time) error { return nil }
func (c *bytesConn) SetWriteDeadline(time.Time) error { return nil }
func (s staticSniffer) Sniff(_ net.Conn, _ int) (SniffResult, error) {
return s.result, s.err
}
func captureClientHelloBytes(t *testing.T, serverName string, nextProtos []string) []byte {
t.Helper()
conn := &recordingConn{}
tc := tls.Client(conn, &tls.Config{
InsecureSkipVerify: true,
ServerName: serverName,
NextProtos: nextProtos,
MinVersion: tls.VersionTLS12,
})
_ = tc.Handshake()
_ = tc.Close()
out := append([]byte(nil), conn.buf.Bytes()...)
if len(out) < 9 {
t.Fatalf("captured hello too short: %d", len(out))
}
return out
}
func prefixBytes(data []byte, n int) []byte {
if n < 0 {
n = 0
}
if len(data) < n {
n = len(data)
}
return data[:n]
}
func splitClientHelloRecord(t *testing.T, data []byte, splitBodyAt int) []byte {
t.Helper()
if len(data) < 9 {
t.Fatalf("client hello too short: %d", len(data))
}
if data[0] != 0x16 || data[1] != 0x03 {
t.Fatalf("unexpected tls record header: % x", prefixBytes(data, 5))
}
recordLen := int(binary.BigEndian.Uint16(data[3:5]))
if len(data) < 5+recordLen {
t.Fatalf("short tls record: have=%d want=%d", len(data), 5+recordLen)
}
recordBody := append([]byte(nil), data[5:5+recordLen]...)
if len(recordBody) < 4 || recordBody[0] != 0x01 {
t.Fatalf("unexpected handshake record: % x", prefixBytes(recordBody, 4))
}
if splitBodyAt <= 4 || splitBodyAt >= len(recordBody) {
t.Fatalf("invalid split point %d for body len %d", splitBodyAt, len(recordBody))
}
var out bytes.Buffer
writeRecord := func(body []byte) {
out.WriteByte(0x16)
out.WriteByte(data[1])
out.WriteByte(data[2])
header := []byte{0, 0}
binary.BigEndian.PutUint16(header, uint16(len(body)))
out.Write(header)
out.Write(body)
}
writeRecord(recordBody[:splitBodyAt])
writeRecord(recordBody[splitBodyAt:])
return out.Bytes()
}
func TestTLSSnifferParsesClientHello(t *testing.T) {
client, server := net.Pipe()
defer client.Close()
defer server.Close()
done := make(chan error, 1)
go func() {
tc := tls.Client(client, &tls.Config{
InsecureSkipVerify: true,
ServerName: "example.com",
NextProtos: []string{"h2", "http/1.1"},
MinVersion: tls.VersionTLS12,
})
defer tc.Close()
done <- tc.Handshake()
}()
_ = server.SetReadDeadline(time.Now().Add(2 * time.Second))
res, err := (TLSSniffer{}).Sniff(server, 64*1024)
if err != nil {
t.Fatalf("sniff: %v", err)
}
if !res.IsTLS {
t.Fatalf("expected TLS")
}
if res.ClientHello == nil {
t.Fatalf("expected client hello metadata")
}
if res.ClientHello.ServerName != "example.com" {
t.Fatalf("unexpected server name: %q", res.ClientHello.ServerName)
}
if len(res.ClientHello.SupportedProtos) == 0 || res.ClientHello.SupportedProtos[0] != "h2" {
t.Fatalf("unexpected ALPN list: %v", res.ClientHello.SupportedProtos)
}
if len(res.ClientHello.SupportedVersions) == 0 {
t.Fatalf("expected supported versions")
}
if len(res.ClientHello.CipherSuites) == 0 {
t.Fatalf("expected cipher suites")
}
_ = server.Close()
<-done
}
func TestTLSSnifferParsesFragmentedClientHelloRecords(t *testing.T) {
rawHello := captureClientHelloBytes(t, "example.com", []string{"h2", "http/1.1"})
fragmented := splitClientHelloRecord(t, rawHello, 32)
conn := &bytesConn{
reader: bytes.NewReader(fragmented),
local: fixedAddr("127.0.0.1:443"),
remote: fixedAddr("127.0.0.1:50000"),
}
res, err := (TLSSniffer{}).Sniff(conn, 64*1024)
if err != nil {
t.Fatalf("sniff: %v", err)
}
if !res.IsTLS {
t.Fatalf("expected TLS")
}
if res.ClientHello == nil {
t.Fatalf("expected client hello metadata")
}
if res.ClientHello.ServerName != "example.com" {
t.Fatalf("unexpected server name: %q", res.ClientHello.ServerName)
}
if len(res.ClientHello.SupportedProtos) == 0 || res.ClientHello.SupportedProtos[0] != "h2" {
t.Fatalf("unexpected ALPN list: %v", res.ClientHello.SupportedProtos)
}
if len(res.ClientHello.SupportedVersions) == 0 {
t.Fatalf("expected supported versions")
}
if len(res.ClientHello.CipherSuites) == 0 {
t.Fatalf("expected cipher suites")
}
}
func TestTLSSnifferKeepsTruncatedTLSAsTLS(t *testing.T) {
rawHello := captureClientHelloBytes(t, "example.com", []string{"h2", "http/1.1"})
truncated := append([]byte(nil), rawHello[:20]...)
conn := &bytesConn{
reader: bytes.NewReader(truncated),
local: fixedAddr("127.0.0.1:443"),
remote: fixedAddr("127.0.0.1:50000"),
}
res, err := (TLSSniffer{}).Sniff(conn, 64*1024)
if err != nil {
t.Fatalf("sniff: %v", err)
}
if !res.IsTLS {
t.Fatalf("expected truncated hello to stay classified as TLS")
}
if res.ClientHello == nil {
t.Fatalf("expected client hello metadata")
}
if res.ClientHello.ServerName != "" {
t.Fatalf("expected empty server name for truncated hello, got %q", res.ClientHello.ServerName)
}
if res.ClientHello.LocalAddr == nil || res.ClientHello.RemoteAddr == nil {
t.Fatalf("expected local/remote addr in metadata")
}
if !bytes.Equal(res.Buffer.Bytes(), truncated) {
t.Fatalf("buffer mismatch: got %d bytes want %d", res.Buffer.Len(), len(truncated))
}
}
func TestTLSSnifferRespectsMaxBytesWhileKeepingTLSClassification(t *testing.T) {
rawHello := captureClientHelloBytes(t, "example.com", []string{"h2", "http/1.1"})
limit := 5
conn := &bytesConn{
reader: bytes.NewReader(rawHello),
local: fixedAddr("127.0.0.1:443"),
remote: fixedAddr("127.0.0.1:50000"),
}
res, err := (TLSSniffer{}).Sniff(conn, limit)
if err != nil {
t.Fatalf("sniff: %v", err)
}
if !res.IsTLS {
t.Fatalf("expected TLS classification with header-sized limit")
}
if res.ClientHello == nil {
t.Fatalf("expected client hello metadata")
}
if res.ClientHello.ServerName != "" {
t.Fatalf("expected empty server name with header-sized limit, got %q", res.ClientHello.ServerName)
}
if res.Buffer.Len() != limit {
t.Fatalf("buffer length mismatch: got %d want %d", res.Buffer.Len(), limit)
}
if !bytes.Equal(res.Buffer.Bytes(), rawHello[:limit]) {
t.Fatalf("buffer content mismatch")
}
}
func TestTLSSnifferRejectsFakeTLSClientRecord(t *testing.T) {
fake := []byte{
0x16, 0x03, 0x03, 0x00, 0x04,
'G', 'E', 'T', ' ',
}
conn := &bytesConn{
reader: bytes.NewReader(fake),
local: fixedAddr("127.0.0.1:443"),
remote: fixedAddr("127.0.0.1:50000"),
}
res, err := (TLSSniffer{}).Sniff(conn, 64*1024)
if err != nil {
t.Fatalf("sniff: %v", err)
}
if res.IsTLS {
t.Fatalf("expected fake tls-looking record to be classified as non-tls")
}
if res.ClientHello != nil {
t.Fatalf("expected no client hello metadata for fake record")
}
if !bytes.Equal(res.Buffer.Bytes(), fake) {
t.Fatalf("buffer mismatch")
}
}
// ---------- cert helpers ----------
func genSelfSignedCertPEM(t *testing.T, dnsNames ...string) (certPEM, keyPEM []byte) {
@ -377,6 +653,115 @@ func TestGetConfigForClientError(t *testing.T) {
}
}
func TestGetConfigForClientHelloReceivesMetadata(t *testing.T) {
certA := genSelfSignedCert(t, "a.local")
certB := genSelfSignedCert(t, "b.local")
base := TLSDefaults()
base.Certificates = []tls.Certificate{certA}
cfg := DefaultListenerConfig()
cfg.AllowNonTLS = false
cfg.BaseTLSConfig = base
metaCh := make(chan *ClientHelloMeta, 1)
cfg.GetConfigForClientHello = func(hello *ClientHelloMeta) (*tls.Config, error) {
metaCh <- hello.Clone()
if hello != nil && hello.ServerName == "b.local" {
b := TLSDefaults()
b.Certificates = []tls.Certificate{certB}
return b, nil
}
return nil, nil
}
_, addr, cleanup := startEchoServer(t, cfg)
defer cleanup()
tc, err := tls.Dial("tcp", addr, &tls.Config{
InsecureSkipVerify: true,
ServerName: "b.local",
MinVersion: tls.VersionTLS12,
})
if err != nil {
t.Fatalf("tls dial: %v", err)
}
defer tc.Close()
select {
case hello := <-metaCh:
if hello == nil {
t.Fatalf("expected metadata")
}
if hello.ServerName != "b.local" {
t.Fatalf("unexpected server name: %q", hello.ServerName)
}
if hello.LocalAddr == nil {
t.Fatalf("expected LocalAddr")
}
if hello.RemoteAddr == nil {
t.Fatalf("expected RemoteAddr")
}
if len(hello.CipherSuites) == 0 {
t.Fatalf("expected cipher suites in metadata")
}
case <-time.After(2 * time.Second):
t.Fatalf("timeout waiting client hello metadata")
}
}
func TestGetConfigForClientHelloWithoutSNIStillGetsLocalAddr(t *testing.T) {
cert := genSelfSignedCert(t, "localhost")
base := TLSDefaults()
base.Certificates = []tls.Certificate{cert}
cfg := DefaultListenerConfig()
cfg.AllowNonTLS = false
cfg.BaseTLSConfig = base
metaCh := make(chan *ClientHelloMeta, 1)
cfg.GetConfigForClientHello = func(hello *ClientHelloMeta) (*tls.Config, error) {
metaCh <- hello.Clone()
return nil, nil
}
_, addr, cleanup := startEchoServer(t, cfg)
defer cleanup()
raw, err := net.Dial("tcp", addr)
if err != nil {
t.Fatalf("dial: %v", err)
}
defer raw.Close()
tc := tls.Client(raw, &tls.Config{
InsecureSkipVerify: true,
MinVersion: tls.VersionTLS12,
})
if err := tc.Handshake(); err != nil {
t.Fatalf("tls handshake: %v", err)
}
defer tc.Close()
select {
case hello := <-metaCh:
if hello == nil {
t.Fatalf("expected metadata")
}
if hello.ServerName != "" {
t.Fatalf("expected empty SNI, got %q", hello.ServerName)
}
if hello.LocalAddr == nil {
t.Fatalf("expected LocalAddr")
}
if hello.RemoteAddr == nil {
t.Fatalf("expected RemoteAddr")
}
case <-time.After(2 * time.Second):
t.Fatalf("timeout waiting client hello metadata")
}
}
func TestAcceptContextCancel(t *testing.T) {
cfg := DefaultListenerConfig()
cfg.AllowNonTLS = true
@ -418,6 +803,140 @@ func TestListenerStats(t *testing.T) {
}
}
func TestComposeServerTLSConfigInheritsBaseDefaults(t *testing.T) {
base := TLSDefaults()
base.MinVersion = tls.VersionTLS13
base.NextProtos = []string{"h2", "http/1.1"}
base.ClientAuth = tls.RequireAndVerifyClientCert
base.DynamicRecordSizingDisabled = true
selected := TLSDefaults()
selected.Certificates = []tls.Certificate{genSelfSignedCert(t, "b.local")}
composed := composeServerTLSConfig(base, selected)
if composed == nil {
t.Fatalf("expected composed config")
}
if composed.MinVersion != tls.VersionTLS13 {
t.Fatalf("expected min version from base, got %v", composed.MinVersion)
}
if len(composed.NextProtos) != 2 {
t.Fatalf("expected next protos from base, got %v", composed.NextProtos)
}
if composed.ClientAuth != tls.RequireAndVerifyClientCert {
t.Fatalf("expected client auth from base, got %v", composed.ClientAuth)
}
if !composed.DynamicRecordSizingDisabled {
t.Fatalf("expected dynamic record sizing disabled to inherit")
}
if len(composed.Certificates) != 1 {
t.Fatalf("expected selected certificates to be preserved")
}
}
func TestComposeServerTLSConfigKeepsSelectedOverrides(t *testing.T) {
base := TLSDefaults()
base.MinVersion = tls.VersionTLS12
base.NextProtos = []string{"http/1.1"}
selected := TLSDefaults()
selected.MinVersion = tls.VersionTLS13
selected.NextProtos = []string{"h2"}
composed := composeServerTLSConfig(base, selected)
if composed.MinVersion != tls.VersionTLS13 {
t.Fatalf("expected selected min version, got %v", composed.MinVersion)
}
if len(composed.NextProtos) != 1 || composed.NextProtos[0] != "h2" {
t.Fatalf("expected selected next protos, got %v", composed.NextProtos)
}
}
func TestConnInitFailureStats(t *testing.T) {
t.Run("sniff failure", func(t *testing.T) {
client, server := net.Pipe()
defer client.Close()
defer server.Close()
stats := &Stats{}
cfg := DefaultListenerConfig()
cfg.BaseTLSConfig = TLSDefaults()
conn := newConn(server, cfg, stats)
conn.sniffer = staticSniffer{err: io.ErrUnexpectedEOF}
buf := make([]byte, 1)
_, err := conn.Read(buf)
if err == nil || !errors.Is(err, ErrTLSSniffFailed) {
t.Fatalf("expected tls sniff failure, got %v", err)
}
snap := stats.Snapshot()
if snap.InitFailures != 1 || snap.SniffFailures != 1 {
t.Fatalf("unexpected sniff failure stats: %+v", snap)
}
})
t.Run("tls config selection failure", func(t *testing.T) {
client, server := net.Pipe()
defer client.Close()
defer server.Close()
stats := &Stats{}
cfg := DefaultListenerConfig()
cfg.GetConfigForClientHello = func(*ClientHelloMeta) (*tls.Config, error) {
return nil, errors.New("boom")
}
conn := newConn(server, cfg, stats)
conn.sniffer = staticSniffer{
result: SniffResult{
IsTLS: true,
ClientHello: &ClientHelloMeta{},
Buffer: bytes.NewBuffer(nil),
},
}
buf := make([]byte, 1)
_, err := conn.Read(buf)
if err == nil || !errors.Is(err, ErrTLSConfigSelectionFailed) {
t.Fatalf("expected tls config selection failure, got %v", err)
}
snap := stats.Snapshot()
if snap.InitFailures != 1 || snap.TLSConfigFailures != 1 {
t.Fatalf("unexpected tls config failure stats: %+v", snap)
}
})
t.Run("plain rejected", func(t *testing.T) {
client, server := net.Pipe()
defer client.Close()
defer server.Close()
stats := &Stats{}
cfg := DefaultListenerConfig()
cfg.BaseTLSConfig = TLSDefaults()
cfg.AllowNonTLS = false
conn := newConn(server, cfg, stats)
conn.sniffer = staticSniffer{
result: SniffResult{
IsTLS: false,
Buffer: bytes.NewBuffer(nil),
},
}
buf := make([]byte, 1)
_, err := conn.Read(buf)
if !errors.Is(err, ErrNonTLSNotAllowed) {
t.Fatalf("expected plain rejection, got %v", err)
}
snap := stats.Snapshot()
if snap.InitFailures != 1 || snap.PlainRejected != 1 {
t.Fatalf("unexpected plain rejection stats: %+v", snap)
}
})
}
func TestDialAndDialWithConfig(t *testing.T) {
nl, err := net.Listen("tcp", "127.0.0.1:0")
if err != nil {

52
tlsstats.go
View File

@ -4,36 +4,48 @@ import "sync/atomic"
// StatsSnapshot is a read-only copy of runtime counters.
type StatsSnapshot struct {
Accepted uint64
TLSDetected uint64
PlainDetected uint64
InitFailures uint64
Closed uint64
Accepted uint64
TLSDetected uint64
PlainDetected uint64
InitFailures uint64
SniffFailures uint64
TLSConfigFailures uint64
PlainRejected uint64
Closed uint64
}
// Stats provides lock-free counters.
type Stats struct {
accepted uint64
tlsDetected uint64
plainDetected uint64
initFailures uint64
closed uint64
accepted uint64
tlsDetected uint64
plainDetected uint64
initFailures uint64
sniffFailures uint64
tlsConfigFailures uint64
plainRejected uint64
closed uint64
}
func (s *Stats) incAccepted() { atomic.AddUint64(&s.accepted, 1) }
func (s *Stats) incTLSDetected() { atomic.AddUint64(&s.tlsDetected, 1) }
func (s *Stats) incPlainDetected() { atomic.AddUint64(&s.plainDetected, 1) }
func (s *Stats) incInitFailures() { atomic.AddUint64(&s.initFailures, 1) }
func (s *Stats) incClosed() { atomic.AddUint64(&s.closed, 1) }
func (s *Stats) incAccepted() { atomic.AddUint64(&s.accepted, 1) }
func (s *Stats) incTLSDetected() { atomic.AddUint64(&s.tlsDetected, 1) }
func (s *Stats) incPlainDetected() { atomic.AddUint64(&s.plainDetected, 1) }
func (s *Stats) incInitFailures() { atomic.AddUint64(&s.initFailures, 1) }
func (s *Stats) incClosed() { atomic.AddUint64(&s.closed, 1) }
func (s *Stats) incSniffFailures() { atomic.AddUint64(&s.sniffFailures, 1); s.incInitFailures() }
func (s *Stats) incTLSConfigFailures() { atomic.AddUint64(&s.tlsConfigFailures, 1); s.incInitFailures() }
func (s *Stats) incPlainRejected() { atomic.AddUint64(&s.plainRejected, 1); s.incInitFailures() }
// Snapshot returns a stable view of counters.
func (s *Stats) Snapshot() StatsSnapshot {
return StatsSnapshot{
Accepted: atomic.LoadUint64(&s.accepted),
TLSDetected: atomic.LoadUint64(&s.tlsDetected),
PlainDetected: atomic.LoadUint64(&s.plainDetected),
InitFailures: atomic.LoadUint64(&s.initFailures),
Closed: atomic.LoadUint64(&s.closed),
Accepted: atomic.LoadUint64(&s.accepted),
TLSDetected: atomic.LoadUint64(&s.tlsDetected),
PlainDetected: atomic.LoadUint64(&s.plainDetected),
InitFailures: atomic.LoadUint64(&s.initFailures),
SniffFailures: atomic.LoadUint64(&s.sniffFailures),
TLSConfigFailures: atomic.LoadUint64(&s.tlsConfigFailures),
PlainRejected: atomic.LoadUint64(&s.plainRejected),
Closed: atomic.LoadUint64(&s.closed),
}
}