Merge branch 'main' of github.com:getlantern/flashlight into feat/144…

…2-is-ready
getlantern · Dec 9, 2024 · 8b3f92f · 8b3f92f
2 parents 98d477b + 3e74446
commit 8b3f92f
Show file tree

Hide file tree

Showing 16 changed files with 2,832 additions and 2,762 deletions.
diff --git a/apipb/legacy.go b/apipb/legacy.go
@@ -205,6 +205,7 @@ func serializeTLSSessionState(ss *ProxyConnectConfig_TLSConfig_SessionState) (st
 		Vers          uint16
 		CipherSuite   uint16
 		MasterSecret  []byte
+		SessionState  []byte
 	}
 
 	if ss.Version > math.MaxUint16 {
@@ -218,6 +219,7 @@ func serializeTLSSessionState(ss *ProxyConnectConfig_TLSConfig_SessionState) (st
 		Vers:          uint16(ss.Version),
 		CipherSuite:   uint16(ss.CipherSuite),
 		MasterSecret:  ss.MasterSecret,
+		SessionState:  ss.SessionState,
 	})
 	if err != nil {
 		return "", fmt.Errorf("marshal error: %w", err)

diff --git a/apipb/types.pb.go b/apipb/types.pb.go
diff --git a/apipb/types.proto b/apipb/types.proto
@@ -85,6 +85,9 @@ message ProxyConnectConfig {
       uint32 version = 2;      // actually a uint16
       uint32 cipher_suite = 3; // actually a uint16
       bytes master_secret = 4;
+      // Newer utls version (e.g. v1.6.7) or go >1.21 has build-in serialization for SessionState. 
+      // It's either field 1,5(newer version) or field 1,2,3,4(older version) that are used for serialization.
+      bytes session_state = 5;
     }
 
     SessionState session_state = 1;

diff --git a/chained/chained_test.go b/chained/chained_test.go
@@ -292,5 +292,5 @@ func TestCiphersFromNames(t *testing.T) {
 	assert.Nil(t, ciphersFromNames(nil))
 	assert.Nil(t, ciphersFromNames([]string{}))
 	assert.Nil(t, ciphersFromNames([]string{"UNKNOWN"}))
-	assert.EqualValues(t, []uint16{0x0035, 0x003c}, ciphersFromNames([]string{"TLS_RSA_WITH_AES_256_CBC_SHA", "UNKNOWN", "TLS_RSA_WITH_AES_128_CBC_SHA256"}))
+	assert.EqualValues(t, []uint16{0xc02f, 0xc013}, ciphersFromNames([]string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "UNKNOWN", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}))
 }
diff --git a/chained/common.go b/chained/common.go
@@ -142,28 +142,17 @@ func clientHelloID(pc *config.ProxyConfig) tls.ClientHelloID {
 }
 
 var availableTLSCiphers = map[string]uint16{
-	"TLS_RSA_WITH_RC4_128_SHA":                tls.TLS_RSA_WITH_RC4_128_SHA,
-	"TLS_RSA_WITH_3DES_EDE_CBC_SHA":           tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-	"TLS_RSA_WITH_AES_128_CBC_SHA":            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-	"TLS_RSA_WITH_AES_256_CBC_SHA":            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-	"TLS_RSA_WITH_AES_128_CBC_SHA256":         tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-	"TLS_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-	"TLS_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-	"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-	"TLS_ECDHE_RSA_WITH_RC4_128_SHA":          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":     tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	// from CipherSuites() in the order of cipherSuitesPreferenceOrder in cipher_suites.go (excluding the InsecureCipherSuites() ones)
 	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 }
 
 // helloBrowser is a special hello ID denoting that ClientHellos should be based on those used by

diff --git a/chained/tls_file_cache.go b/chained/tls_file_cache.go
@@ -3,7 +3,7 @@ package chained
 import (
 	"bytes"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -65,7 +65,7 @@ func PersistSessionStates(configDir string) {
 func persistSessionStates(configDir string, saveInterval time.Duration) {
 	filename := filepath.Join(configDir, "tls_session_states")
 
-	existing, err := ioutil.ReadFile(filename)
+	existing, err := os.ReadFile(filename)
 	if err == nil {
 		log.Debugf("Initializing current session states from %v", filename)
 		rows := strings.Split(string(existing), "\n")
@@ -107,7 +107,7 @@ func maintainSessionStates(filename string, saveInterval time.Duration) {
 					serialized, rowDelim, server, state.timestamp.Unix(), serializedState)
 				rowDelim = "\n" // after first row, include a delimiter
 			}
-			err := ioutil.WriteFile(filename, []byte(serialized), 0644)
+			err := os.WriteFile(filename, []byte(serialized), 0644)
 			if err != nil {
 				log.Errorf("unable to update session states in %v: %v", filename, err)
 				return

diff --git a/chained/tls_file_cache_test.go b/chained/tls_file_cache_test.go
@@ -1,7 +1,6 @@
 package chained
 
 import (
-	"io/ioutil"
 	"net"
 	"os"
 	"testing"
@@ -14,7 +13,7 @@ import (
 )
 
 func TestPersistSessionStates(t *testing.T) {
-	tmpDir, err := ioutil.TempDir("", "persistSessionStatesTest")
+	tmpDir, err := os.MkdirTemp("", "persistSessionStatesTest")
 	if !assert.NoError(t, err) {
 		return
 	}
@@ -27,25 +26,26 @@ func TestPersistSessionStates(t *testing.T) {
 	currentSessionStatesMx.Unlock()
 
 	persistSessionStates(tmpDir, 250*time.Millisecond)
-
+	cache := tls.NewLRUClientSessionCache(10)
 	td := &tlsdialer.Dialer{
 		DoDial:         net.DialTimeout,
 		Timeout:        10 * time.Second,
 		SendServerName: true,
 		ClientHelloID:  tls.HelloChrome_Auto,
 		Config: &tls.Config{
-			ClientSessionCache: tls.NewLRUClientSessionCache(10),
+			ClientSessionCache: cache,
 		},
 	}
-
-	result, err := td.DialForTimings("tcp", "tls-v1-2.badssl.com:1012")
+	host, port := "tls-v1-2.badssl.com", "1012"
+	result, err := td.DialForTimings("tcp", net.JoinHostPort(host, port))
 	if !assert.NoError(t, err) {
 		return
 	}
 	defer result.Conn.Close()
 	log.Debug(result.Conn.RemoteAddr())
 
-	ss1 := result.UConn.HandshakeState.Session
+	ss1, ok := cache.Get(host)
+	assert.True(t, ok)
 	expectedTS := time.Now()
 	saveSessionState("myserver", ss1, expectedTS)
 	close(saveSessionStateCh)