Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
N
neoppod
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Levin Zimmermann
neoppod
Commits
3f783164
Commit
3f783164
authored
Dec 16, 2020
by
Kirill Smelkov
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
.
parent
76783b20
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
121 additions
and
96 deletions
+121
-96
go/neo/client.go
go/neo/client.go
+2
-1
go/neo/cmd/neo/misc.go
go/neo/cmd/neo/misc.go
+2
-1
go/neo/internal/xtls/xtls.go
go/neo/internal/xtls/xtls.go
+117
-0
go/neo/util.go
go/neo/util.go
+0
-94
No files found.
go/neo/client.go
View file @
3f783164
...
...
@@ -38,6 +38,7 @@ import (
"lab.nexedi.com/kirr/neo/go/internal/xzlib"
"lab.nexedi.com/kirr/neo/go/neo/internal/xsha1"
"lab.nexedi.com/kirr/neo/go/neo/internal/xtls"
"lab.nexedi.com/kirr/neo/go/neo/neonet"
"lab.nexedi.com/kirr/neo/go/neo/proto"
"lab.nexedi.com/kirr/neo/go/zodb"
...
...
@@ -679,7 +680,7 @@ func openClientByURL(ctx context.Context, u *url.URL, opt *zodb.DriverOptions) (
net
:=
xnet
.
NetPlain
(
"tcp"
)
// TODO not only "tcp" ?
if
ssl
{
tlsCfg
,
err
:=
tls
ForP2P
(
ca
,
cert
,
key
)
tlsCfg
,
err
:=
xtls
.
Config
ForP2P
(
ca
,
cert
,
key
)
if
err
!=
nil
{
return
nil
,
zodb
.
InvalidTid
,
err
}
...
...
go/neo/cmd/neo/misc.go
View file @
3f783164
...
...
@@ -35,6 +35,7 @@ import (
"lab.nexedi.com/kirr/go123/xnet"
"lab.nexedi.com/kirr/go123/xsync"
"lab.nexedi.com/kirr/neo/go/internal/log"
"lab.nexedi.com/kirr/neo/go/neo/internal/xtls"
// for http://.../debug/pprof
...
...
@@ -62,7 +63,7 @@ func netFlags(flags *flag.FlagSet) /*netSetup*/ func() (xnet.Networker, error) {
net
:=
xnet
.
NetPlain
(
"tcp"
)
// TODO not only "tcp" ?
if
ssl
{
tlsCfg
,
err
:=
tls
ForP2P
(
ca
,
cert
,
key
)
tlsCfg
,
err
:=
xtls
.
Config
ForP2P
(
ca
,
cert
,
key
)
if
err
!=
nil
{
return
nil
,
err
}
...
...
go/neo/internal/xtls/xtls.go
0 → 100644
View file @
3f783164
// Copyright (C) 2020 Nexedi SA and Contributors.
// Kirill Smelkov <kirr@nexedi.com>
//
// This program is free software: you can Use, Study, Modify and Redistribute
// it under the terms of the GNU General Public License version 3, or (at your
// option) any later version, as published by the Free Software Foundation.
//
// You can also Link and Combine this program with other software covered by
// the terms of any of the Free Software licenses or any of the Open Source
// Initiative approved licenses and Convey the resulting work. Corresponding
// source of such a combination shall include the source code for all other
// software used.
//
// This program is distributed WITHOUT ANY WARRANTY; without even the implied
// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
//
// See COPYING file for full licensing terms.
// See https://www.nexedi.com/licensing for rationale and options.
// Package xtls complements standard package crypto/tls with NEO-specific bits.
package
xtls
import
(
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"lab.nexedi.com/kirr/go123/xerr"
)
// ConfigForP2P builds tls.Config for peer-to-peer internetworking.
//
// When two peers connect, they authenticate each other by verifying that
// peer's certificate is signed by CA, which should be common to all peers.
//
// Arguments provide paths to files:
//
// - ca - path to CA certificate
// - cert - path to node certificate
// - key - path to node private key
//
// Returned TLS config is interoperable with NEO/py - see:
// https://lab.nexedi.com/nexedi/neoppod/blob/v1.12-61-gc1c26894/neo/lib/app.py#L74-90
func
ConfigForP2P
(
ca
,
cert
,
key
string
)
(
_
*
tls
.
Config
,
err
error
)
{
defer
xerr
.
Contextf
(
&
err
,
"tls p2p setup"
)
caData
,
err
:=
ioutil
.
ReadFile
(
ca
)
if
err
!=
nil
{
return
nil
,
err
}
CA
:=
x509
.
NewCertPool
()
ok
:=
CA
.
AppendCertsFromPEM
(
caData
)
if
!
ok
{
return
nil
,
fmt
.
Errorf
(
"invalid CA"
)
}
crt
,
err
:=
tls
.
LoadX509KeyPair
(
cert
,
key
)
if
err
!=
nil
{
return
nil
,
err
}
tlsCfg
:=
&
tls
.
Config
{
Certificates
:
[]
tls
.
Certificate
{
crt
},
// (cert, key) as loaded
RootCAs
:
CA
,
// (ca,) as loaded
// a server also verifies client (but also see verifyPeerCert below)
ClientAuth
:
tls
.
RequireAndVerifyClientCert
,
ClientCAs
:
CA
,
PreferServerCipherSuites
:
true
,
MinVersion
:
tls
.
VersionTLS12
,
// only accept TLS >= 1.2
}
// tls docs say we should parse Certificate[0] into Leaf ourselves
leaf
,
err
:=
x509
.
ParseCertificate
(
crt
.
Certificate
[
0
])
if
err
!=
nil
{
return
nil
,
err
}
crt
.
Leaf
=
leaf
// NEO/py does not verify CommonName (ssl.check_hostname=False implicitly).
// Match that behaviour with custom VerifyPeerCertificate because Go
// does not provide functionality to skip only CN verification out of the box.
// https://github.com/golang/go/issues/21971#issuecomment-332693931
// https://stackoverflow.com/questions/44295820
verifyPeerCert
:=
func
(
rawCerts
[][]
byte
,
_
[][]
*
x509
.
Certificate
)
(
err
error
)
{
defer
xerr
.
Contextf
(
&
err
,
"verify peer cert"
)
certv
:=
[]
*
x509
.
Certificate
{}
for
_
,
certData
:=
range
rawCerts
{
cert
,
err
:=
x509
.
ParseCertificate
(
certData
)
if
err
!=
nil
{
return
err
}
certv
=
append
(
certv
,
cert
)
}
vopt
:=
x509
.
VerifyOptions
{
DNSName
:
""
,
// means "don't verify name"
Roots
:
tlsCfg
.
RootCAs
,
Intermediates
:
x509
.
NewCertPool
(),
}
for
_
,
cert
:=
range
certv
[
1
:
]
{
vopt
.
Intermediates
.
AddCert
(
cert
)
}
_
,
err
=
certv
[
0
]
.
Verify
(
vopt
)
return
err
}
tlsCfg
.
InsecureSkipVerify
=
true
// disables all verifications including for ServerName
tlsCfg
.
VerifyPeerCertificate
=
verifyPeerCert
return
tlsCfg
,
nil
}
go/neo/util.go
View file @
3f783164
...
...
@@ -21,15 +21,10 @@ package neo
import
(
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"io"
"io/ioutil"
"net/url"
"lab.nexedi.com/kirr/go123/xerr"
"lab.nexedi.com/kirr/neo/go/zodb"
"lab.nexedi.com/kirr/neo/go/internal/log"
)
...
...
@@ -73,95 +68,6 @@ func before2At(before zodb.Tid) (at zodb.Tid) {
}
// tlsForP2P builds tls.Config for peer-to-peer internetworking.
//
// When two peers connect, they authenticate each other by verifying that
// peer's certificate is signed by CA, which should be common to all peers.
//
// Arguments provide paths to files:
//
// - ca - path to CA certificate
// - cert - path to node certificate
// - key - path to node private key
//
// Returned TLS config is interoperable with NEO/py - see:
// https://lab.nexedi.com/nexedi/neoppod/blob/v1.12-61-gc1c26894/neo/lib/app.py#L74-90
//
// XXX -> xtls.ConfigForP2P
func
tlsForSSL
(
ca
,
cert
,
key
string
)
(
_
*
tls
.
Config
,
err
error
)
{
defer
xerr
.
Contextf
(
&
err
,
"tls setup"
)
caData
,
err
:=
ioutil
.
ReadFile
(
ca
)
if
err
!=
nil
{
return
nil
,
err
}
CA
:=
x509
.
NewCertPool
()
ok
:=
CA
.
AppendCertsFromPEM
(
caData
)
if
!
ok
{
return
nil
,
fmt
.
Errorf
(
"invalid CA"
)
}
crt
,
err
:=
tls
.
LoadX509KeyPair
(
cert
,
key
)
if
err
!=
nil
{
return
nil
,
err
}
tlsCfg
:=
&
tls
.
Config
{
Certificates
:
[]
tls
.
Certificate
{
crt
},
// (cert, key) as loaded
RootCAs
:
CA
,
// (ca,) as loaded
// a server also verifies client (but also see verifyPeerCert below)
ClientAuth
:
tls
.
RequireAndVerifyClientCert
,
ClientCAs
:
CA
,
PreferServerCipherSuites
:
true
,
MinVersion
:
tls
.
VersionTLS12
,
// only accept TLS >= 1.2
}
// tls docs say we should parse Certificate[0] into Leaf ourselves
leaf
,
err
:=
x509
.
ParseCertificate
(
crt
.
Certificate
[
0
])
if
err
!=
nil
{
return
nil
,
err
}
crt
.
Leaf
=
leaf
// NEO/py does not verify CommonName (ssl.check_hostname=False implicitly).
// Match that behaviour with custom VerifyPeerCertificate because Go
// does not provide functionality to skip only CN verification out of the box.
// https://github.com/golang/go/issues/21971#issuecomment-332693931
// https://stackoverflow.com/questions/44295820
verifyPeerCert
:=
func
(
rawCerts
[][]
byte
,
_
[][]
*
x509
.
Certificate
)
(
err
error
)
{
defer
xerr
.
Contextf
(
&
err
,
"verify peer cert"
)
certv
:=
[]
*
x509
.
Certificate
{}
for
_
,
certData
:=
range
rawCerts
{
cert
,
err
:=
x509
.
ParseCertificate
(
certData
)
if
err
!=
nil
{
return
err
}
certv
=
append
(
certv
,
cert
)
}
vopt
:=
x509
.
VerifyOptions
{
DNSName
:
""
,
// means "don't verify name"
Roots
:
tlsCfg
.
RootCAs
,
Intermediates
:
x509
.
NewCertPool
(),
}
for
_
,
cert
:=
range
certv
[
1
:
]
{
vopt
.
Intermediates
.
AddCert
(
cert
)
}
_
,
err
=
certv
[
0
]
.
Verify
(
vopt
)
return
err
}
tlsCfg
.
InsecureSkipVerify
=
true
// disables all verifications including for ServerName
tlsCfg
.
VerifyPeerCertificate
=
verifyPeerCert
return
tlsCfg
,
nil
}
// parseQuery parses query string into regular map.
// see also url.ParseQuery
func
parseQuery
(
query
string
)
(
map
[
string
]
string
,
error
)
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment