1 package main
3 import (
4 "bytes"
5 "crypto/tls"
6 "encoding/base64"
7 "io"
8 "io/ioutil"
9 "math/rand"
10 "net"
11 "net/http"
12 "time"
// Pinned SubjectPublicKeyInfo values (DER) that testTls accepts for the
// issuer certificate at scan Level > 1. Each is decoded from a fixed base64
// literal; the decode error is dropped on purpose, so a bad literal leaves
// the pin holding only the partially decoded bytes and every pin check fails.
var (
	g2pkp = decodePinnedKey("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnCoEd1zYUJE6BqOC4NhQSLyJP/EZcBqIRn7gj8Xxic4h7lr+YQ23MkSJoHQLU09VpM6CYpXu61lfxuEFgBLEXpQ/vFtIOPRT9yTm+5HpFcTP9FMN9Er8n1Tefb6ga2+HwNBQHygwA0DaCHNRbH//OjynNwaOvUsRBOt9JN7m+fwxcfuU1WDzLkqvQtLL6sRqGrLMU90VS4sfyBlhH82dqD5jK4Q1aWWEyBnFRiL4U5W+44BKEMYq7LqXIBHHOZkQBKDwYXqVJYxOUnXitu0IyhT8ziJqs07PRgOXlwN+wLHee69FM8+6PnG33vQlJcINNYmdnfsOEXmJHjfFr45yaQIDAQAB")
	g3pkp = decodePinnedKey("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAylJL6h7/ziRrqNpyGGjVVl0OSFotNQl2Ws+kyByxqf5TifutNP+IW5+75+gAAdw1c3UDrbOxuaR9KyZ5zhVACu9RuJ8yjHxwhlJLFv5qJ2vmNnpiUNjfmonMCSnrTykUiIALjzgegGoYfB29lzt4fUVJNk9BzaLgdlc8aDF5ZMlu11EeZsOiZCx5wOdlw1aEU1pDbcuaAiDS7xpp0bCdc6LgKmBlUDHP+7MvvxGIQC61SRAPCm7cl/q/LJ8FOQtYVK8GlujFjgEWvKgaTUHFk5GiHqGL8v7BiCRJo0dLxRMB3adXEmliK+v+IO9p+zql8H4p7u2WFvexH6DkkCXgMwIDAQAB")
	// ECC pin, currently disabled (see the commented-out comparison in testTls):
	// g3ecc = decodePinnedKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEG4ANKJrwlpAPXThRcA3Z4XbkwQvWhj5J/kicXpbBQclS4uyuQ5iSOGKcuCRt8ralqREJXuRsnLZo0sIT680+VQ==")
)

// decodePinnedKey decodes a base64 DER literal and returns whatever
// base64.StdEncoding produced, discarding the error exactly like the
// `x, _ = DecodeString(...)` form it replaces.
func decodePinnedKey(literal string) []byte {
	der, _ := base64.StdEncoding.DecodeString(literal)
	return der
}
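// testTls probes ip:443 with a TLS handshake and, depending on config.Level,
// further identity and HTTP checks. It returns true only when every enabled
// check passes and the total round trip exceeds config.ScanMinRTT, in which
// case the elapsed time is added to record.RTT.
//
// Identity: certificate chain validation is deliberately disabled
// (InsecureSkipVerify), so at Level <= 1 nothing about the peer's identity is
// checked. Level > 1 requires a leaf whose first Organization is "Google Inc"
// and an issuer certificate whose SubjectPublicKeyInfo equals one of the
// pinned g2pkp/g3pkp keys. Level > 2 additionally sends one GET over the same
// connection to one of config.HTTPVerifyHosts and requires a 2xx/3xx status.
//
// Timing: the dial is bounded by config.ScanMaxRTT, the handshake by
// config.HandshakeTimeout; the SNI name comes from config.ServerName or from
// randomHost() when none is configured.
func testTls(ip string, config *ScanConfig, record *ScanRecord) bool {
	start := time.Now()
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(ip, "443"), config.ScanMaxRTT)
	if err != nil {
		return false
	}
	defer conn.Close()

	var serverName string
	if len(config.ServerName) == 0 {
		serverName = randomHost()
	} else {
		serverName = config.ServerName[rand.Intn(len(config.ServerName))]
	}

	tlscfg := &tls.Config{
		// Chain validation is intentionally off: the Level > 1 checks below
		// (Organization match plus issuer public-key pin) replace it. With
		// Level <= 1 the peer is not verified at all.
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         tls.VersionTLS12,
		// NOTE(review): legacy CBC/3DES suites and TLS 1.0 are offered,
		// presumably to match what the probed servers accept — confirm.
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
		},
		ServerName: serverName,
	}

	tlsconn := tls.Client(conn, tlscfg)
	defer tlsconn.Close()

	// This deadline keeps applying to every later read/write on tlsconn,
	// including the Level > 2 HTTP exchange, since nothing below resets it.
	if err = tlsconn.SetDeadline(time.Now().Add(config.HandshakeTimeout)); err != nil {
		return false
	}
	if err = tlsconn.Handshake(); err != nil {
		return false
	}

	if config.Level > 1 && !peerChainPinned(tlsconn.ConnectionState()) {
		return false
	}
	if config.Level > 2 && !httpProbeOK(tlsconn, config, start) {
		return false
	}

	if rtt := time.Since(start); rtt > config.ScanMinRTT {
		record.RTT += rtt
		return true
	}
	return false
}

// peerChainPinned reports whether the presented chain has a leaf whose first
// Organization is "Google Inc" and a second certificate whose raw
// SubjectPublicKeyInfo equals g2pkp or g3pkp. Chains shorter than two
// certificates fail.
func peerChainPinned(cs tls.ConnectionState) bool {
	pcs := cs.PeerCertificates
	if len(pcs) < 2 {
		return false
	}
	if org := pcs[0].Subject.Organization; len(org) == 0 || org[0] != "Google Inc" {
		return false
	}
	// The pin is on the issuer (second) certificate, not the leaf.
	// The g3ecc pin is disabled alongside its definition in the var block.
	pkp := pcs[1].RawSubjectPublicKeyInfo
	return bytes.Equal(g2pkp, pkp) || bytes.Equal(g3pkp, pkp)
}

// httpProbeOK sends one GET for a randomly chosen config.HTTPVerifyHosts entry
// over the already established tlsconn and reports whether the status is in
// [200, 400). Redirects are not followed; the 3xx response itself is accepted.
// It fails, instead of panicking or running unbounded, when no verify host is
// configured (rand.Intn(0) panics), when the request cannot be built (a nil
// req would be dereferenced), or when the config.ScanMaxRTT budget measured
// from start is already spent (a non-positive http.Client.Timeout means no
// timeout).
func httpProbeOK(tlsconn net.Conn, config *ScanConfig, start time.Time) bool {
	if len(config.HTTPVerifyHosts) == 0 {
		return false
	}
	target := "https://" + config.HTTPVerifyHosts[rand.Intn(len(config.HTTPVerifyHosts))]
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return false
	}
	req.Close = true

	timeout := config.ScanMaxRTT - time.Since(start)
	if config.ScanMaxRTT > 0 && timeout <= 0 {
		return false
	}
	c := http.Client{
		Transport: &http.Transport{
			// Reuse the probed connection rather than dialing again.
			DialTLS: func(network, addr string) (net.Conn, error) { return tlsconn, nil },
		},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
		Timeout: timeout,
	}
	resp, err := c.Do(req)
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode >= 400 {
		return false
	}
	// Drain the body so the connection is torn down cleanly.
	io.Copy(ioutil.Discard, resp.Body)
	return true
}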