Proxy with certificates

kiwiirc · Aug 17, 2020 · af54c11 · af54c11
1 parent 4b9cdd9
commit af54c11
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 29 deletions.
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
@@ -31,6 +31,8 @@ type KiwiProxyConnection struct {
 	DestTLS        bool
 	State          KiwiProxyState
 	Conn           *net.Conn
+	WebircPemCert  []byte
+	WebircPemKey   []byte
 }
 
 func MakeKiwiProxyConnection() *KiwiProxyConnection {
@@ -63,11 +65,13 @@ func (c *KiwiProxyConnection) Dial(proxyServerAddr string) error {
 	c.State = KiwiProxyStateHandshaking
 
 	meta, _ := json.Marshal(map[string]interface{}{
-		"username":  c.Username,
-		"interface": c.ProxyInterface,
-		"host":      c.DestHost,
-		"port":      c.DestPort,
-		"ssl":       c.DestTLS,
+		"username":    c.Username,
+		"interface":   c.ProxyInterface,
+		"host":        c.DestHost,
+		"port":        c.DestPort,
+		"ssl":         c.DestTLS,
+		"webirc_cert": c.WebircPemCert,
+		"webirc_key":  c.WebircPemKey,
 	})
 
 	(*c.Conn).Write(append(meta, byte('\n')))

diff --git a/pkg/proxy/server.go b/pkg/proxy/server.go
@@ -29,21 +29,19 @@ var identdRpc *identd.RpcClient
 var Server net.Listener
 
 type HandshakeMeta struct {
-	Host      string `json:"host"`
-	Port      int    `json:"port"`
-	TLS       bool   `json:"ssl"`
-	Username  string `json:"username"`
-	Interface string `json:"interface"`
+	Host          string `json:"host"`
+	Port          int    `json:"port"`
+	TLS           bool   `json:"ssl"`
+	Username      string `json:"username"`
+	Interface     string `json:"interface"`
+	WebircPemCert []byte `json:"webirc_cert"`
+	WebircPemKey  []byte `json:"webirc_key"`
 }
 
-func MakeClient(conn net.Conn, webircCert *tls.Certificate) *Client {
-	client := &Client{
+func MakeClient(conn net.Conn) *Client {
+	return &Client{
 		Client: conn,
 	}
-	if webircCert != nil {
-		client.WebircCertificate = []tls.Certificate{*webircCert}
-	}
-	return client
 }
 
 type Client struct {
@@ -93,6 +91,13 @@ func (c *Client) Handshake() error {
 		return unmarshalErr
 	}
 
+	if len(meta.WebircPemCert) > 0 && len(meta.WebircPemKey) > 0 {
+		webircCert, err := tls.X509KeyPair(meta.WebircPemCert, meta.WebircPemKey)
+		if err == nil {
+			c.WebircCertificate = []tls.Certificate{webircCert}
+		}
+	}
+
 	if meta.Host == "" || meta.Port == 0 || meta.Username == "" || meta.Interface == "" {
 		c.Client.Write([]byte(ResponseError))
 		return fmt.Errorf("missing args")
@@ -148,7 +153,10 @@ func (c *Client) ConnectUpstream() error {
 	}
 
 	if c.TLS {
-		tlsConfig := &tls.Config{InsecureSkipVerify: true}
+		tlsConfig := &tls.Config{
+			InsecureSkipVerify: true,
+			Certificates:       c.WebircCertificate,
+		}
 		tlsConn := tls.Client(conn, tlsConfig)
 		err := tlsConn.Handshake()
 		if err != nil {
@@ -190,7 +198,7 @@ func (c *Client) Pipe() {
 	}
 }
 
-func Start(laddr string, webircCert *tls.Certificate) {
+func Start(laddr string) {
 	srv, err := net.Listen("tcp", laddr)
 	if err != nil {
 		log.Fatal(err.Error())
@@ -210,7 +218,7 @@ func Start(laddr string, webircCert *tls.Certificate) {
 			break
 		}
 
-		c := MakeClient(conn, webircCert)
+		c := MakeClient(conn)
 		go c.Run()
 	}
 }

diff --git a/pkg/webircgateway/client.go b/pkg/webircgateway/client.go
@@ -303,6 +303,15 @@ func (c *Client) makeUpstreamConnection() (io.ReadWriteCloser, error) {
 	client := c
 	upstreamConfig := c.UpstreamConfig
 
+	// TODO remove me
+	upstreamConfig.Proxy = &ConfigProxy{
+		Type:      "kiwi",
+		Hostname:  "127.0.0.1",
+		Port:      7999,
+		TLS:       false,
+		Username:  client.IrcState.Username,
+		Interface: "0.0.0.0",
+	}
 	var connection io.ReadWriteCloser
 
 	if upstreamConfig.Proxy == nil {
@@ -370,6 +379,8 @@ func (c *Client) makeUpstreamConnection() (io.ReadWriteCloser, error) {
 		conn.DestTLS = upstreamConfig.TLS
 		conn.Username = upstreamConfig.Proxy.Username
 		conn.ProxyInterface = upstreamConfig.Proxy.Interface
+		conn.WebircPemCert = upstreamConfig.WebircPemCert
+		conn.WebircPemKey = upstreamConfig.WebircPemKey
 
 		dialErr := conn.Dial(fmt.Sprintf(
 			"%s:%d",
@@ -703,10 +714,12 @@ func (c *Client) configureUpstream() ConfigUpstream {
 	upstreamConfig.Timeout = c.Gateway.Config.GatewayTimeout
 	upstreamConfig.Throttle = c.Gateway.Config.GatewayThrottle
 	upstreamConfig.WebircPassword = c.Gateway.findWebircPassword(c.DestHost)
+	upstreamConfig.WebircPemCert = c.Gateway.Config.WebircPemCert
+	upstreamConfig.WebircPemKey = c.Gateway.Config.WebircPemKey
 
-	if c.Gateway.Config.WebircCert != nil {
+	if c.Gateway.Config.WebircCertificate.Certificate != nil {
 		upstreamConfig.WebircCertificate = []tls.Certificate{
-			*c.Gateway.Config.WebircCert,
+			*c.Gateway.Config.WebircCertificate,
 		}
 	}
 	return upstreamConfig

diff --git a/pkg/webircgateway/config.go b/pkg/webircgateway/config.go
@@ -3,6 +3,7 @@ package webircgateway
 import (
 	"crypto/tls"
 	"errors"
+	"io/ioutil"
 	"net"
 	"os"
 	"os/exec"
@@ -29,6 +30,8 @@ type ConfigUpstream struct {
 	GatewayName          string
 	Proxy                *ConfigProxy
 	WebircCertificate    []tls.Certificate
+	WebircPemCert        []byte
+	WebircPemKey         []byte
 }
 
 // ConfigServer - A web server config
@@ -79,7 +82,9 @@ type Config struct {
 	ReCaptchaSecret       string
 	ReCaptchaKey          string
 	Secret                string
-	WebircCert            *tls.Certificate
+	WebircCertificate     *tls.Certificate
+	WebircPemCert         []byte
+	WebircPemKey          []byte
 	Plugins               []string
 	DnsblServers          []string
 	// DnsblAction - "deny" = deny the connection. "verify" = require verification
@@ -151,7 +156,9 @@ func (c *Config) Load() error {
 	c.ReCaptchaKey = ""
 	c.RequiresVerification = false
 	c.Secret = ""
-	c.WebircCert = nil
+	c.WebircCertificate = nil
+	c.WebircPemCert = make([]byte, 0)
+	c.WebircPemKey = make([]byte, 0)
 	c.SendQuitOnClientClose = ""
 	c.ClientRealname = ""
 	c.ClientUsername = ""
@@ -183,9 +190,22 @@ func (c *Config) Load() error {
 			if webircCert != "" && webircKey != "" {
 				certPath := c.ResolvePath(webircCert)
 				keyPath := c.ResolvePath(webircKey)
-				webircCert, err := tls.LoadX509KeyPair(certPath, keyPath)
+
+				c.WebircPemCert, err = ioutil.ReadFile(certPath)
+				if err != nil {
+					c.gateway.Log(3, "Failed to load webirc certificate, "+err.Error())
+					continue
+				}
+
+				c.WebircPemKey, err = ioutil.ReadFile(keyPath)
+				if err != nil {
+					c.gateway.Log(3, "Failed to load webirc certificate, "+err.Error())
+					continue
+				}
+
+				webircCert, err := tls.X509KeyPair(c.WebircPemCert, c.WebircPemKey)
 				if err == nil {
-					c.WebircCert = &webircCert
+					c.WebircCertificate = &webircCert
 				} else {
 					c.gateway.Log(3, "Failed to load webirc certificate, "+err.Error())
 				}

diff --git a/pkg/webircgateway/gateway.go b/pkg/webircgateway/gateway.go
@@ -78,10 +78,7 @@ func (s *Gateway) Start() {
 	}
 
 	if s.Function == "proxy" {
-		proxy.Start(
-			fmt.Sprintf("%s:%d", s.Config.Proxy.LocalAddr, s.Config.Proxy.Port),
-			s.Config.WebircCert,
-		)
+		proxy.Start(fmt.Sprintf("%s:%d", s.Config.Proxy.LocalAddr, s.Config.Proxy.Port))
 	}
 }