.

go/neo/client.go

@@ -38,6 +38,7 @@ import (
 
 	"lab.nexedi.com/kirr/neo/go/internal/xzlib"
 	"lab.nexedi.com/kirr/neo/go/neo/internal/xsha1"
+	"lab.nexedi.com/kirr/neo/go/neo/internal/xtls"
 	"lab.nexedi.com/kirr/neo/go/neo/neonet"
 	"lab.nexedi.com/kirr/neo/go/neo/proto"
 	"lab.nexedi.com/kirr/neo/go/zodb"
@@ -679,7 +680,7 @@ func openClientByURL(ctx context.Context, u *url.URL, opt *zodb.DriverOptions) (
 
 	net := xnet.NetPlain("tcp")	// TODO not only "tcp" ?
 	if ssl {
-		tlsCfg, err := tlsForP2P(ca, cert, key)
+		tlsCfg, err := xtls.ConfigForP2P(ca, cert, key)
 		if err != nil {
 			return nil, zodb.InvalidTid, err
 		}

go/neo/cmd/neo/misc.go

@@ -35,6 +35,7 @@ import (
 	"lab.nexedi.com/kirr/go123/xnet"
 	"lab.nexedi.com/kirr/go123/xsync"
 	"lab.nexedi.com/kirr/neo/go/internal/log"
+	"lab.nexedi.com/kirr/neo/go/neo/internal/xtls"
 
 
 	// for http://.../debug/pprof
@@ -62,7 +63,7 @@ func netFlags(flags *flag.FlagSet) /*netSetup*/ func() (xnet.Networker, error) {
 
 		net := xnet.NetPlain("tcp") // TODO not only "tcp" ?
 		if ssl {
-			tlsCfg, err := tlsForP2P(ca, cert, key)
+			tlsCfg, err := xtls.ConfigForP2P(ca, cert, key)
 			if err != nil {
 				return nil, err
 			}

go/neo/internal/xtls/xtls.go

+// Copyright (C) 2020  Nexedi SA and Contributors.
+//                     Kirill Smelkov <kirr@nexedi.com>
+//
+// This program is free software: you can Use, Study, Modify and Redistribute
+// it under the terms of the GNU General Public License version 3, or (at your
+// option) any later version, as published by the Free Software Foundation.
+//
+// You can also Link and Combine this program with other software covered by
+// the terms of any of the Free Software licenses or any of the Open Source
+// Initiative approved licenses and Convey the resulting work. Corresponding
+// source of such a combination shall include the source code for all other
+// software used.
+//
+// This program is distributed WITHOUT ANY WARRANTY; without even the implied
+// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+//
+// See COPYING file for full licensing terms.
+// See https://www.nexedi.com/licensing for rationale and options.
+
+// Package xtls complements standard package crypto/tls with NEO-specific bits.
+package xtls
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+
+	"lab.nexedi.com/kirr/go123/xerr"
+)
+
+// ConfigForP2P builds tls.Config for peer-to-peer internetworking.
+//
+// When two peers connect, they authenticate each other by verifying that
+// peer's certificate is signed by CA, which should be common to all peers.
+//
+// Arguments provide paths to files:
+//
+// - ca   - path to CA certificate
+// - cert - path to node certificate
+// - key  - path to node private key
+//
+// Returned TLS config is interoperable with NEO/py - see:
+// https://lab.nexedi.com/nexedi/neoppod/blob/v1.12-61-gc1c26894/neo/lib/app.py#L74-90
+func ConfigForP2P(ca, cert, key string) (_ *tls.Config, err error) {
+	defer xerr.Contextf(&err, "tls p2p setup")
+
+	caData, err := ioutil.ReadFile(ca)
+	if err != nil {
+		return nil, err
+	}
+
+	CA := x509.NewCertPool()
+	ok := CA.AppendCertsFromPEM(caData)
+	if !ok {
+		return nil, fmt.Errorf("invalid CA")
+	}
+
+	crt, err := tls.LoadX509KeyPair(cert, key)
+	if err != nil {
+		return nil, err
+	}
+
+
+	tlsCfg := &tls.Config{
+		Certificates: []tls.Certificate{crt}, // (cert, key) as loaded
+		RootCAs: CA,                          // (ca,) as loaded
+
+		// a server also verifies client (but also see verifyPeerCert below)
+		ClientAuth: tls.RequireAndVerifyClientCert,
+		ClientCAs: CA,
+
+		PreferServerCipherSuites: true,
+		MinVersion:               tls.VersionTLS12, // only accept TLS >= 1.2
+	}
+
+	// tls docs say we should parse Certificate[0] into Leaf ourselves
+	leaf, err := x509.ParseCertificate(crt.Certificate[0])
+	if err != nil {
+		return nil, err
+	}
+	crt.Leaf = leaf
+
+	// NEO/py does not verify CommonName (ssl.check_hostname=False implicitly).
+	// Match that behaviour with custom VerifyPeerCertificate because Go
+	// does not provide functionality to skip only CN verification out of the box.
+	// https://github.com/golang/go/issues/21971#issuecomment-332693931
+	// https://stackoverflow.com/questions/44295820
+	verifyPeerCert := func(rawCerts [][]byte, _ [][]*x509.Certificate) (err error) {
+		defer xerr.Contextf(&err, "verify peer cert")
+
+		certv := []*x509.Certificate{}
+		for _, certData := range rawCerts {
+			cert, err := x509.ParseCertificate(certData)
+			if err != nil {
+				return err
+			}
+			certv = append(certv, cert)
+		}
+
+		vopt := x509.VerifyOptions{
+			DNSName:       "",                // means "don't verify name"
+			Roots:         tlsCfg.RootCAs,
+			Intermediates: x509.NewCertPool(),
+		}
+		for _, cert := range certv[1:] {
+			vopt.Intermediates.AddCert(cert)
+		}
+
+		_, err = certv[0].Verify(vopt)
+		return err
+	}
+	tlsCfg.InsecureSkipVerify = true // disables all verifications including for ServerName
+	tlsCfg.VerifyPeerCertificate = verifyPeerCert
+
+	return tlsCfg, nil
+}

go/neo/util.go

@@ -21,15 +21,10 @@ package neo
 
 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/url"
 
-	"lab.nexedi.com/kirr/go123/xerr"
-
 	"lab.nexedi.com/kirr/neo/go/zodb"
 	"lab.nexedi.com/kirr/neo/go/internal/log"
 )
@@ -73,95 +68,6 @@ func before2At(before zodb.Tid) (at zodb.Tid) {
 }
 
 
-// tlsForP2P builds tls.Config for peer-to-peer internetworking.
-//
-// When two peers connect, they authenticate each other by verifying that
-// peer's certificate is signed by CA, which should be common to all peers.
-//
-// Arguments provide paths to files:
-//
-// - ca   - path to CA certificate
-// - cert - path to node certificate
-// - key  - path to node private key
-//
-// Returned TLS config is interoperable with NEO/py - see:
-// https://lab.nexedi.com/nexedi/neoppod/blob/v1.12-61-gc1c26894/neo/lib/app.py#L74-90
-//
-// XXX -> xtls.ConfigForP2P
-func tlsForSSL(ca, cert, key string) (_ *tls.Config, err error) {
-	defer xerr.Contextf(&err, "tls setup")
-
-	caData, err := ioutil.ReadFile(ca)
-	if err != nil {
-		return nil, err
-	}
-
-	CA := x509.NewCertPool()
-	ok := CA.AppendCertsFromPEM(caData)
-	if !ok {
-		return nil, fmt.Errorf("invalid CA")
-	}
-
-	crt, err := tls.LoadX509KeyPair(cert, key)
-	if err != nil {
-		return nil, err
-	}
-
-
-	tlsCfg := &tls.Config{
-		Certificates: []tls.Certificate{crt}, // (cert, key) as loaded
-		RootCAs: CA,                          // (ca,) as loaded
-
-		// a server also verifies client (but also see verifyPeerCert below)
-		ClientAuth: tls.RequireAndVerifyClientCert,
-		ClientCAs: CA,
-
-		PreferServerCipherSuites: true,
-		MinVersion:               tls.VersionTLS12, // only accept TLS >= 1.2
-	}
-
-	// tls docs say we should parse Certificate[0] into Leaf ourselves
-	leaf, err := x509.ParseCertificate(crt.Certificate[0])
-	if err != nil {
-		return nil, err
-	}
-	crt.Leaf = leaf
-
-	// NEO/py does not verify CommonName (ssl.check_hostname=False implicitly).
-	// Match that behaviour with custom VerifyPeerCertificate because Go
-	// does not provide functionality to skip only CN verification out of the box.
-	// https://github.com/golang/go/issues/21971#issuecomment-332693931
-	// https://stackoverflow.com/questions/44295820
-	verifyPeerCert := func(rawCerts [][]byte, _ [][]*x509.Certificate) (err error) {
-		defer xerr.Contextf(&err, "verify peer cert")
-
-		certv := []*x509.Certificate{}
-		for _, certData := range rawCerts {
-			cert, err := x509.ParseCertificate(certData)
-			if err != nil {
-				return err
-			}
-			certv = append(certv, cert)
-		}
-
-		vopt := x509.VerifyOptions{
-			DNSName:       "",                // means "don't verify name"
-			Roots:         tlsCfg.RootCAs,
-			Intermediates: x509.NewCertPool(),
-		}
-		for _, cert := range certv[1:] {
-			vopt.Intermediates.AddCert(cert)
-		}
-
-		_, err = certv[0].Verify(vopt)
-		return err
-	}
-	tlsCfg.InsecureSkipVerify = true // disables all verifications including for ServerName
-	tlsCfg.VerifyPeerCertificate = verifyPeerCert
-
-	return tlsCfg, nil
-}
-
 // parseQuery parses query string into regular map.
 // see also url.ParseQuery
 func parseQuery(query string) (map[string]string, error) {