maddy

Fork https://github.com/foxcpp/maddy

git clone git://git.lin.moe/go/maddy.git

 1/*
 2Maddy Mail Server - Composable all-in-one email server.
 3Copyright © 2019-2020 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
 4
 5This program is free software: you can redistribute it and/or modify
 6it under the terms of the GNU General Public License as published by
 7the Free Software Foundation, either version 3 of the License, or
 8(at your option) any later version.
 9
10This program is distributed in the hope that it will be useful,
11but WITHOUT ANY WARRANTY; without even the implied warranty of
12MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13GNU General Public License for more details.
14
15You should have received a copy of the GNU General Public License
16along with this program.  If not, see <https://www.gnu.org/licenses/>.
17*/
18
19package tls
20
21import (
22	"crypto/tls"
23	"crypto/x509"
24	"fmt"
25	"os"
26
27	"github.com/foxcpp/maddy/framework/config"
28	"github.com/foxcpp/maddy/framework/log"
29)
30
31func TLSClientBlock(_ *config.Map, node config.Node) (interface{}, error) {
32	cfg := tls.Config{}
33
34	childM := config.NewMap(nil, node)
35	var (
36		tlsVersions       [2]uint16
37		rootCAPaths       []string
38		certPath, keyPath string
39	)
40
41	childM.StringList("root_ca", false, false, nil, &rootCAPaths)
42	childM.String("cert", false, false, "", &certPath)
43	childM.String("key", false, false, "", &keyPath)
44	childM.Custom("protocols", false, false, func() (interface{}, error) {
45		return [2]uint16{0, 0}, nil
46	}, TLSVersionsDirective, &tlsVersions)
47	childM.Custom("ciphers", false, false, func() (interface{}, error) {
48		return nil, nil
49	}, TLSCiphersDirective, &cfg.CipherSuites)
50	childM.Custom("curves", false, false, func() (interface{}, error) {
51		return nil, nil
52	}, TLSCurvesDirective, &cfg.CurvePreferences)
53
54	if _, err := childM.Process(); err != nil {
55		return nil, err
56	}
57
58	if len(rootCAPaths) != 0 {
59		pool := x509.NewCertPool()
60		for _, path := range rootCAPaths {
61			blob, err := os.ReadFile(path)
62			if err != nil {
63				return nil, err
64			}
65			if !pool.AppendCertsFromPEM(blob) {
66				return nil, fmt.Errorf("no certificates was loaded from %s", path)
67			}
68		}
69		cfg.RootCAs = pool
70	}
71
72	if certPath != "" && keyPath != "" {
73		keypair, err := tls.LoadX509KeyPair(certPath, keyPath)
74		if err != nil {
75			return nil, err
76		}
77		log.Debugf("using client keypair %s/%s", certPath, keyPath)
78		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
79			return &keypair, nil
80		}
81	}
82
83	cfg.MinVersion = tlsVersions[0]
84	cfg.MaxVersion = tlsVersions[1]
85	log.Debugf("tls: min version: %x, max version: %x", tlsVersions[0], tlsVersions[1])
86
87	return &cfg, nil
88}