mirror of
https://github.com/tailscale/tailscale.git
synced 2026-05-07 05:06:30 +02:00
3928ea206e
So we can do key rotation later and have small windows of overlapping valid server keys. Updates #3488 Change-Id: Ib5c7f2006a797a069e3f55d37f5d41f533e82f71 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
108 lines
3.2 KiB
Go
108 lines
3.2 KiB
Go
// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package controlhttp
|
|
|
|
import (
|
|
"bufio"
|
|
"context"
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
|
|
"tailscale.com/control/controlbase"
|
|
"tailscale.com/types/key"
|
|
)
|
|
|
|
// AcceptHTTP upgrades the HTTP request given by w and r into a
|
|
// Tailscale control protocol base transport connection.
|
|
//
|
|
// AcceptHTTP always writes an HTTP response to w. The caller must not
|
|
// attempt their own response after calling AcceptHTTP.
|
|
func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, private key.MachinePrivate) (*controlbase.Conn, error) {
|
|
next := r.Header.Get("Upgrade")
|
|
if next == "" {
|
|
http.Error(w, "missing next protocol", http.StatusBadRequest)
|
|
return nil, errors.New("no next protocol in HTTP request")
|
|
}
|
|
if next != upgradeHeaderValue {
|
|
http.Error(w, "unknown next protocol", http.StatusBadRequest)
|
|
return nil, fmt.Errorf("client requested unhandled next protocol %q", next)
|
|
}
|
|
|
|
initB64 := r.Header.Get(handshakeHeaderName)
|
|
if initB64 == "" {
|
|
http.Error(w, "missing Tailscale handshake header", http.StatusBadRequest)
|
|
return nil, errors.New("no tailscale handshake header in HTTP request")
|
|
}
|
|
init, err := base64.StdEncoding.DecodeString(initB64)
|
|
if err != nil {
|
|
http.Error(w, "invalid tailscale handshake header", http.StatusBadRequest)
|
|
return nil, fmt.Errorf("decoding base64 handshake header: %v", err)
|
|
}
|
|
|
|
if wantPub := r.Header.Get(serverPubHeaderName); wantPub != "" {
|
|
// If the client declared the public key they expect to speak to,
|
|
// check it.
|
|
// TODO: replace the 'private' parameter with a func/interface
|
|
// that looks up the private key as a function of the public key
|
|
// to see if we have a currently in-rotation key that's valid.
|
|
if private.Public().String() != wantPub {
|
|
http.Error(w, "requested server key unavailable", http.StatusServiceUnavailable)
|
|
return nil, errors.New("client requested unavailble server key")
|
|
}
|
|
}
|
|
|
|
hijacker, ok := w.(http.Hijacker)
|
|
if !ok {
|
|
http.Error(w, "make request over HTTP/1", http.StatusBadRequest)
|
|
return nil, errors.New("can't hijack client connection")
|
|
}
|
|
|
|
w.Header().Set("Upgrade", upgradeHeaderValue)
|
|
w.Header().Set("Connection", "upgrade")
|
|
w.WriteHeader(http.StatusSwitchingProtocols)
|
|
|
|
conn, brw, err := hijacker.Hijack()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("hijacking client connection: %w", err)
|
|
}
|
|
if err := brw.Flush(); err != nil {
|
|
conn.Close()
|
|
return nil, fmt.Errorf("flushing hijacked HTTP buffer: %w", err)
|
|
}
|
|
if brw.Reader.Buffered() > 0 {
|
|
conn = &drainBufConn{conn, brw.Reader}
|
|
}
|
|
|
|
nc, err := controlbase.Server(ctx, conn, private, init)
|
|
if err != nil {
|
|
conn.Close()
|
|
return nil, fmt.Errorf("noise handshake failed: %w", err)
|
|
}
|
|
|
|
return nc, nil
|
|
}
|
|
|
|
// drainBufConn is a net.Conn with an initial bunch of bytes in a
|
|
// bufio.Reader. Read drains the bufio.Reader until empty, then passes
|
|
// through subsequent reads to the Conn directly.
|
|
type drainBufConn struct {
|
|
net.Conn
|
|
r *bufio.Reader
|
|
}
|
|
|
|
func (b *drainBufConn) Read(bs []byte) (int, error) {
|
|
if b.r == nil {
|
|
return b.Conn.Read(bs)
|
|
}
|
|
n, err := b.r.Read(bs)
|
|
if b.r.Buffered() == 0 {
|
|
b.r = nil
|
|
}
|
|
return n, err
|
|
}
|