Skip to content
GitLab
Menu
Projects
Groups
Snippets
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
adam.huang
go-libp2p-quic-transport
Commits
de3f35a2
Commit
de3f35a2
authored
Feb 02, 2018
by
Marten Seemann
Browse files
verify the server's certificate using tls.Config.VerifyPeerCertificate
Fixes #2.
parent
c8b9d442
Changes
5
Show whitespace changes
Inline
Side-by-side
README.md
View file @
de3f35a2
...
...
@@ -9,4 +9,3 @@ This is an implementation of the [libp2p transport](https://github.com/libp2p/go
## Known limitations
*
currently only works with RSA host keys
*
[
#2
](
https://github.com/marten-seemann/libp2p-quic-transport/issues/2
)
conn_test.go
View file @
de3f35a2
...
...
@@ -80,14 +80,14 @@ var _ = Describe("Connection", func() {
thirdPartyID
,
err
:=
peer
.
IDFromPrivateKey
(
createPeer
())
Expect
(
err
)
.
ToNot
(
HaveOccurred
())
serverAddrChan
,
_
:=
runServer
()
serverAddrChan
,
serverConnChan
:=
runServer
()
clientTransport
,
err
:=
NewTransport
(
clientKey
)
Expect
(
err
)
.
ToNot
(
HaveOccurred
())
serverAddr
:=
<-
serverAddrChan
// dial, but expect the wrong peer ID
_
,
err
=
clientTransport
.
Dial
(
context
.
Background
(),
serverAddr
,
thirdPartyID
)
Expect
(
err
)
.
To
(
MatchError
(
"peer IDs don't match"
))
// TODO(#2): don't accept a connection if the client's peer v
erificat
ion fails
//
Consistently(serverConnChan).ShouldNot(Receive())
Expect
(
err
)
.
To
(
HaveOccurred
(
))
Expect
(
err
.
Error
())
.
To
(
ContainSubstring
(
"TLS handshake error: bad c
er
t
ificat
e"
))
Consistently
(
serverConnChan
)
.
ShouldNot
(
Receive
())
})
})
crypto.go
View file @
de3f35a2
...
...
@@ -10,8 +10,6 @@ import (
"math/big"
"time"
"github.com/lucas-clemente/quic-go"
"github.com/gogo/protobuf/proto"
ic
"github.com/libp2p/go-libp2p-crypto"
pb
"github.com/libp2p/go-libp2p-crypto/pb"
...
...
@@ -20,10 +18,6 @@ import (
// mint certificate selection is broken.
const
hostname
=
"quic.ipfs"
type
connectionStater
interface
{
ConnectionState
()
quic
.
ConnectionState
}
// TODO: make this private
func
GenerateConfig
(
privKey
ic
.
PrivKey
)
(
*
tls
.
Config
,
error
)
{
key
,
hostCert
,
err
:=
keyToCertificate
(
privKey
)
...
...
@@ -63,17 +57,16 @@ func GenerateConfig(privKey ic.PrivKey) (*tls.Config, error) {
},
nil
}
func
getRemotePubKey
(
conn
connectionStater
)
(
ic
.
PubKey
,
error
)
{
certChain
:=
conn
.
ConnectionState
()
.
PeerCertificates
if
len
(
certChain
)
!=
2
{
func
getRemotePubKey
(
chain
[]
*
x509
.
Certificate
)
(
ic
.
PubKey
,
error
)
{
if
len
(
chain
)
!=
2
{
return
nil
,
errors
.
New
(
"expected 2 certificates in the chain"
)
}
pool
:=
x509
.
NewCertPool
()
pool
.
AddCert
(
c
ertC
hain
[
1
])
if
_
,
err
:=
c
ertC
hain
[
0
]
.
Verify
(
x509
.
VerifyOptions
{
Roots
:
pool
});
err
!=
nil
{
pool
.
AddCert
(
chain
[
1
])
if
_
,
err
:=
chain
[
0
]
.
Verify
(
x509
.
VerifyOptions
{
Roots
:
pool
});
err
!=
nil
{
return
nil
,
err
}
remotePubKey
,
err
:=
x509
.
MarshalPKIXPublicKey
(
c
ertC
hain
[
1
]
.
PublicKey
)
remotePubKey
,
err
:=
x509
.
MarshalPKIXPublicKey
(
chain
[
1
]
.
PublicKey
)
if
err
!=
nil
{
return
nil
,
err
}
...
...
listener.go
View file @
de3f35a2
...
...
@@ -60,7 +60,7 @@ func (l *listener) Accept() (tpt.Conn, error) {
if
err
!=
nil
{
return
nil
,
err
}
remotePubKey
,
err
:=
getRemotePubKey
(
sess
)
remotePubKey
,
err
:=
getRemotePubKey
(
sess
.
ConnectionState
()
.
PeerCertificates
)
if
err
!=
nil
{
return
nil
,
err
}
...
...
transport.go
View file @
de3f35a2
...
...
@@ -2,6 +2,7 @@ package libp2pquic
import
(
"context"
"crypto/x509"
"errors"
ic
"github.com/libp2p/go-libp2p-crypto"
...
...
@@ -45,21 +46,32 @@ func (t *transport) Dial(ctx context.Context, raddr ma.Multiaddr, p peer.ID) (tp
if
err
!=
nil
{
return
nil
,
err
}
sess
,
err
:=
quicDialAddr
(
host
,
tlsConf
,
&
quic
.
Config
{
Versions
:
[]
quic
.
VersionNumber
{
101
}})
var
remotePubKey
ic
.
PubKey
tlsConf
.
VerifyPeerCertificate
=
func
(
rawCerts
[][]
byte
,
_
[][]
*
x509
.
Certificate
)
error
{
chain
:=
make
([]
*
x509
.
Certificate
,
len
(
rawCerts
))
for
i
:=
0
;
i
<
len
(
rawCerts
);
i
++
{
cert
,
err
:=
x509
.
ParseCertificate
(
rawCerts
[
i
])
if
err
!=
nil
{
return
nil
,
err
return
err
}
chain
[
i
]
=
cert
}
remotePubKey
,
err
:=
getRemotePubKey
(
sess
)
var
err
error
remotePubKey
,
err
=
getRemotePubKey
(
chain
)
if
err
!=
nil
{
return
nil
,
err
return
err
}
localMultiaddr
,
err
:=
quicMultiaddr
(
sess
.
LocalAddr
())
if
!
p
.
MatchesPublicKey
(
remotePubKey
)
{
return
errors
.
New
(
"peer IDs don't match"
)
}
return
nil
}
sess
,
err
:=
quicDialAddr
(
host
,
tlsConf
,
&
quic
.
Config
{
Versions
:
[]
quic
.
VersionNumber
{
101
}})
if
err
!=
nil
{
return
nil
,
err
}
if
!
p
.
MatchesPublicKey
(
remotePubKey
)
{
err
:=
errors
.
New
(
"peer IDs don't match"
)
sess
.
Close
(
err
)
localMultiaddr
,
err
:=
quicMultiaddr
(
sess
.
LocalAddr
())
if
err
!=
nil
{
return
nil
,
err
}
return
&
conn
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment