Commit 3f783164 authored by Kirill Smelkov's avatar Kirill Smelkov

.

parent 76783b20
...@@ -38,6 +38,7 @@ import ( ...@@ -38,6 +38,7 @@ import (
"lab.nexedi.com/kirr/neo/go/internal/xzlib" "lab.nexedi.com/kirr/neo/go/internal/xzlib"
"lab.nexedi.com/kirr/neo/go/neo/internal/xsha1" "lab.nexedi.com/kirr/neo/go/neo/internal/xsha1"
"lab.nexedi.com/kirr/neo/go/neo/internal/xtls"
"lab.nexedi.com/kirr/neo/go/neo/neonet" "lab.nexedi.com/kirr/neo/go/neo/neonet"
"lab.nexedi.com/kirr/neo/go/neo/proto" "lab.nexedi.com/kirr/neo/go/neo/proto"
"lab.nexedi.com/kirr/neo/go/zodb" "lab.nexedi.com/kirr/neo/go/zodb"
...@@ -679,7 +680,7 @@ func openClientByURL(ctx context.Context, u *url.URL, opt *zodb.DriverOptions) ( ...@@ -679,7 +680,7 @@ func openClientByURL(ctx context.Context, u *url.URL, opt *zodb.DriverOptions) (
net := xnet.NetPlain("tcp") // TODO not only "tcp" ? net := xnet.NetPlain("tcp") // TODO not only "tcp" ?
if ssl { if ssl {
tlsCfg, err := tlsForP2P(ca, cert, key) tlsCfg, err := xtls.ConfigForP2P(ca, cert, key)
if err != nil { if err != nil {
return nil, zodb.InvalidTid, err return nil, zodb.InvalidTid, err
} }
......
...@@ -35,6 +35,7 @@ import ( ...@@ -35,6 +35,7 @@ import (
"lab.nexedi.com/kirr/go123/xnet" "lab.nexedi.com/kirr/go123/xnet"
"lab.nexedi.com/kirr/go123/xsync" "lab.nexedi.com/kirr/go123/xsync"
"lab.nexedi.com/kirr/neo/go/internal/log" "lab.nexedi.com/kirr/neo/go/internal/log"
"lab.nexedi.com/kirr/neo/go/neo/internal/xtls"
// for http://.../debug/pprof // for http://.../debug/pprof
...@@ -62,7 +63,7 @@ func netFlags(flags *flag.FlagSet) /*netSetup*/ func() (xnet.Networker, error) { ...@@ -62,7 +63,7 @@ func netFlags(flags *flag.FlagSet) /*netSetup*/ func() (xnet.Networker, error) {
net := xnet.NetPlain("tcp") // TODO not only "tcp" ? net := xnet.NetPlain("tcp") // TODO not only "tcp" ?
if ssl { if ssl {
tlsCfg, err := tlsForP2P(ca, cert, key) tlsCfg, err := xtls.ConfigForP2P(ca, cert, key)
if err != nil { if err != nil {
return nil, err return nil, err
} }
......
// Copyright (C) 2020 Nexedi SA and Contributors.
// Kirill Smelkov <kirr@nexedi.com>
//
// This program is free software: you can Use, Study, Modify and Redistribute
// it under the terms of the GNU General Public License version 3, or (at your
// option) any later version, as published by the Free Software Foundation.
//
// You can also Link and Combine this program with other software covered by
// the terms of any of the Free Software licenses or any of the Open Source
// Initiative approved licenses and Convey the resulting work. Corresponding
// source of such a combination shall include the source code for all other
// software used.
//
// This program is distributed WITHOUT ANY WARRANTY; without even the implied
// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
//
// See COPYING file for full licensing terms.
// See https://www.nexedi.com/licensing for rationale and options.
// Package xtls complements standard package crypto/tls with NEO-specific bits.
package xtls
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"lab.nexedi.com/kirr/go123/xerr"
)
// ConfigForP2P builds tls.Config for peer-to-peer internetworking.
//
// When two peers connect, they authenticate each other by verifying that
// peer's certificate is signed by CA, which should be common to all peers.
//
// Arguments provide paths to files:
//
// - ca - path to CA certificate
// - cert - path to node certificate
// - key - path to node private key
//
// Returned TLS config is interoperable with NEO/py - see:
// https://lab.nexedi.com/nexedi/neoppod/blob/v1.12-61-gc1c26894/neo/lib/app.py#L74-90
func ConfigForP2P(ca, cert, key string) (_ *tls.Config, err error) {
defer xerr.Contextf(&err, "tls p2p setup")
caData, err := ioutil.ReadFile(ca)
if err != nil {
return nil, err
}
CA := x509.NewCertPool()
ok := CA.AppendCertsFromPEM(caData)
if !ok {
return nil, fmt.Errorf("invalid CA")
}
crt, err := tls.LoadX509KeyPair(cert, key)
if err != nil {
return nil, err
}
tlsCfg := &tls.Config{
Certificates: []tls.Certificate{crt}, // (cert, key) as loaded
RootCAs: CA, // (ca,) as loaded
// a server also verifies client (but also see verifyPeerCert below)
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: CA,
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS12, // only accept TLS >= 1.2
}
// tls docs say we should parse Certificate[0] into Leaf ourselves
leaf, err := x509.ParseCertificate(crt.Certificate[0])
if err != nil {
return nil, err
}
crt.Leaf = leaf
// NEO/py does not verify CommonName (ssl.check_hostname=False implicitly).
// Match that behaviour with custom VerifyPeerCertificate because Go
// does not provide functionality to skip only CN verification out of the box.
// https://github.com/golang/go/issues/21971#issuecomment-332693931
// https://stackoverflow.com/questions/44295820
verifyPeerCert := func(rawCerts [][]byte, _ [][]*x509.Certificate) (err error) {
defer xerr.Contextf(&err, "verify peer cert")
certv := []*x509.Certificate{}
for _, certData := range rawCerts {
cert, err := x509.ParseCertificate(certData)
if err != nil {
return err
}
certv = append(certv, cert)
}
vopt := x509.VerifyOptions{
DNSName: "", // means "don't verify name"
Roots: tlsCfg.RootCAs,
Intermediates: x509.NewCertPool(),
}
for _, cert := range certv[1:] {
vopt.Intermediates.AddCert(cert)
}
_, err = certv[0].Verify(vopt)
return err
}
tlsCfg.InsecureSkipVerify = true // disables all verifications including for ServerName
tlsCfg.VerifyPeerCertificate = verifyPeerCert
return tlsCfg, nil
}
...@@ -21,15 +21,10 @@ package neo ...@@ -21,15 +21,10 @@ package neo
import ( import (
"context" "context"
"crypto/tls"
"crypto/x509"
"fmt" "fmt"
"io" "io"
"io/ioutil"
"net/url" "net/url"
"lab.nexedi.com/kirr/go123/xerr"
"lab.nexedi.com/kirr/neo/go/zodb" "lab.nexedi.com/kirr/neo/go/zodb"
"lab.nexedi.com/kirr/neo/go/internal/log" "lab.nexedi.com/kirr/neo/go/internal/log"
) )
...@@ -73,95 +68,6 @@ func before2At(before zodb.Tid) (at zodb.Tid) { ...@@ -73,95 +68,6 @@ func before2At(before zodb.Tid) (at zodb.Tid) {
} }
// tlsForP2P builds tls.Config for peer-to-peer internetworking.
//
// When two peers connect, they authenticate each other by verifying that
// peer's certificate is signed by CA, which should be common to all peers.
//
// Arguments provide paths to files:
//
// - ca - path to CA certificate
// - cert - path to node certificate
// - key - path to node private key
//
// Returned TLS config is interoperable with NEO/py - see:
// https://lab.nexedi.com/nexedi/neoppod/blob/v1.12-61-gc1c26894/neo/lib/app.py#L74-90
//
// XXX -> xtls.ConfigForP2P
func tlsForSSL(ca, cert, key string) (_ *tls.Config, err error) {
defer xerr.Contextf(&err, "tls setup")
caData, err := ioutil.ReadFile(ca)
if err != nil {
return nil, err
}
CA := x509.NewCertPool()
ok := CA.AppendCertsFromPEM(caData)
if !ok {
return nil, fmt.Errorf("invalid CA")
}
crt, err := tls.LoadX509KeyPair(cert, key)
if err != nil {
return nil, err
}
tlsCfg := &tls.Config{
Certificates: []tls.Certificate{crt}, // (cert, key) as loaded
RootCAs: CA, // (ca,) as loaded
// a server also verifies client (but also see verifyPeerCert below)
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: CA,
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS12, // only accept TLS >= 1.2
}
// tls docs say we should parse Certificate[0] into Leaf ourselves
leaf, err := x509.ParseCertificate(crt.Certificate[0])
if err != nil {
return nil, err
}
crt.Leaf = leaf
// NEO/py does not verify CommonName (ssl.check_hostname=False implicitly).
// Match that behaviour with custom VerifyPeerCertificate because Go
// does not provide functionality to skip only CN verification out of the box.
// https://github.com/golang/go/issues/21971#issuecomment-332693931
// https://stackoverflow.com/questions/44295820
verifyPeerCert := func(rawCerts [][]byte, _ [][]*x509.Certificate) (err error) {
defer xerr.Contextf(&err, "verify peer cert")
certv := []*x509.Certificate{}
for _, certData := range rawCerts {
cert, err := x509.ParseCertificate(certData)
if err != nil {
return err
}
certv = append(certv, cert)
}
vopt := x509.VerifyOptions{
DNSName: "", // means "don't verify name"
Roots: tlsCfg.RootCAs,
Intermediates: x509.NewCertPool(),
}
for _, cert := range certv[1:] {
vopt.Intermediates.AddCert(cert)
}
_, err = certv[0].Verify(vopt)
return err
}
tlsCfg.InsecureSkipVerify = true // disables all verifications including for ServerName
tlsCfg.VerifyPeerCertificate = verifyPeerCert
return tlsCfg, nil
}
// parseQuery parses query string into regular map. // parseQuery parses query string into regular map.
// see also url.ParseQuery // see also url.ParseQuery
func parseQuery(query string) (map[string]string, error) { func parseQuery(query string) (map[string]string, error) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment