mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-29 21:15:39 +00:00
02ad987e24
This is so that we can plumb our client capability version through the protocol as the Noise version. The capability version increments more frequently than strictly required (the Noise version only needs to change when cryptographically-significant changes are made to the protocol, whereas the capability version also indicates changes in non-cryptographically-significant parts of the protocol), but this gives us a safe pre-auth way to determine if the client supports future protocol features, while still relying on Noise's strong assurance that the client and server have agreed on the same version. Currently, the server executes the same protocol regardless of the version number, and just presents the version to the caller so they can do capability-based things in the upper RPC protocol. In future, we may add a ratchet to disallow obsolete protocols, or vary the Noise handshake behavior based on requested version. Updates #3488 Signed-off-by: David Anderson <danderson@tailscale.com>
74 lines
2.3 KiB
Go
74 lines
2.3 KiB
Go
// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package controlhttp
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"tailscale.com/control/controlbase"
|
|
"tailscale.com/net/netutil"
|
|
"tailscale.com/types/key"
|
|
)
|
|
|
|
// AcceptHTTP upgrades the HTTP request given by w and r into a
|
|
// Tailscale control protocol base transport connection.
|
|
//
|
|
// AcceptHTTP always writes an HTTP response to w. The caller must not
|
|
// attempt their own response after calling AcceptHTTP.
|
|
func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, private key.MachinePrivate, maxSupportedVersion uint16) (*controlbase.Conn, error) {
|
|
next := r.Header.Get("Upgrade")
|
|
if next == "" {
|
|
http.Error(w, "missing next protocol", http.StatusBadRequest)
|
|
return nil, errors.New("no next protocol in HTTP request")
|
|
}
|
|
if next != upgradeHeaderValue {
|
|
http.Error(w, "unknown next protocol", http.StatusBadRequest)
|
|
return nil, fmt.Errorf("client requested unhandled next protocol %q", next)
|
|
}
|
|
|
|
initB64 := r.Header.Get(handshakeHeaderName)
|
|
if initB64 == "" {
|
|
http.Error(w, "missing Tailscale handshake header", http.StatusBadRequest)
|
|
return nil, errors.New("no tailscale handshake header in HTTP request")
|
|
}
|
|
init, err := base64.StdEncoding.DecodeString(initB64)
|
|
if err != nil {
|
|
http.Error(w, "invalid tailscale handshake header", http.StatusBadRequest)
|
|
return nil, fmt.Errorf("decoding base64 handshake header: %v", err)
|
|
}
|
|
|
|
hijacker, ok := w.(http.Hijacker)
|
|
if !ok {
|
|
http.Error(w, "make request over HTTP/1", http.StatusBadRequest)
|
|
return nil, errors.New("can't hijack client connection")
|
|
}
|
|
|
|
w.Header().Set("Upgrade", upgradeHeaderValue)
|
|
w.Header().Set("Connection", "upgrade")
|
|
w.WriteHeader(http.StatusSwitchingProtocols)
|
|
|
|
conn, brw, err := hijacker.Hijack()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("hijacking client connection: %w", err)
|
|
}
|
|
if err := brw.Flush(); err != nil {
|
|
conn.Close()
|
|
return nil, fmt.Errorf("flushing hijacked HTTP buffer: %w", err)
|
|
}
|
|
conn = netutil.NewDrainBufConn(conn, brw.Reader)
|
|
|
|
nc, err := controlbase.Server(ctx, conn, private, maxSupportedVersion, init)
|
|
if err != nil {
|
|
conn.Close()
|
|
return nil, fmt.Errorf("noise handshake failed: %w", err)
|
|
}
|
|
|
|
return nc, nil
|
|
}
|