yggdrasil-go/src/core/link_tls.go

package core

import (
	"bytes"
	"context"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"strings"
	"time"

	"github.com/Arceliar/phony"
)

type linkTLS struct {
	phony.Inbox
	*links
	tcp        *linkTCP
	listener   *net.ListenConfig
	config     *tls.Config
	_listeners map[*Listener]context.CancelFunc
}

func (l *links) newLinkTLS(tcp *linkTCP) *linkTLS {
	lt := &linkTLS{
		links: l,
		tcp:   tcp,
		listener: &net.ListenConfig{
			Control:   tcp.tcpContext,
			KeepAlive: -1,
		},
		_listeners: map[*Listener]context.CancelFunc{},
	}
	var err error
	lt.config, err = lt.generateConfig()
	if err != nil {
		panic(err)
	}
	return lt
}

func (l *linkTLS) dial(url *url.URL, options linkOptions, sintf, sni string) error {
	addr, err := net.ResolveTCPAddr("tcp", url.Host)
	if err != nil {
		return err
	}
	dialer, err := l.tcp.dialerFor(addr, sintf)
	if err != nil {
		return err
	}
	info := linkInfoFor("tls", sintf, tcpIDFor(dialer.LocalAddr, addr))
	if l.links.isConnectedTo(info) {
		return nil
	}
	tlsconfig := l.config.Clone()
	tlsconfig.ServerName = sni
	tlsdialer := &tls.Dialer{
		NetDialer: dialer,
		Config:    tlsconfig,
	}
	conn, err := tlsdialer.DialContext(l.core.ctx, "tcp", addr.String())
	if err != nil {
		return err
	}
	uri := strings.TrimRight(strings.SplitN(url.String(), "?", 2)[0], "/")
	return l.handler(uri, info, conn, options, false, false)
}

func (l *linkTLS) listen(url *url.URL, sintf string) (*Listener, error) {
	ctx, cancel := context.WithCancel(l.core.ctx)
	hostport := url.Host
	if sintf != "" {
		if host, port, err := net.SplitHostPort(hostport); err == nil {
			hostport = fmt.Sprintf("[%s%%%s]:%s", host, sintf, port)
		}
	}
	listener, err := l.listener.Listen(ctx, "tcp", hostport)
	if err != nil {
		cancel()
		return nil, err
	}
	tlslistener := tls.NewListener(listener, l.config)
	entry := &Listener{
		Listener: tlslistener,
		closed:   make(chan struct{}),
	}
	phony.Block(l, func() {
		l._listeners[entry] = cancel
	})
	l.core.log.Printf("TLS listener started on %s", listener.Addr())
	go func() {
		defer phony.Block(l, func() {
			delete(l._listeners, entry)
		})
		for {
			conn, err := tlslistener.Accept()
			if err != nil {
				cancel()
				break
			}
			laddr := conn.LocalAddr().(*net.TCPAddr)
			raddr := conn.RemoteAddr().(*net.TCPAddr)
			name := fmt.Sprintf("tls://%s", raddr)
			info := linkInfoFor("tls", sintf, tcpIDFor(laddr, raddr))
			if err = l.handler(name, info, conn, linkOptionsForListener(url), true, raddr.IP.IsLinkLocalUnicast()); err != nil {
				l.core.log.Errorln("Failed to create inbound link:", err)
			}
		}
		_ = tlslistener.Close()
		close(entry.closed)
		l.core.log.Printf("TLS listener stopped on %s", listener.Addr())
	}()
	return entry, nil
}

func (l *linkTLS) generateConfig() (*tls.Config, error) {
	certBuf := &bytes.Buffer{}

	// TODO: because NotAfter is finite, we should add some mechanism to
	// regenerate the certificate and restart the listeners periodically
	// for nodes with very high uptimes. Perhaps regenerate certs and restart
	// listeners every few months or so.
	cert := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName: hex.EncodeToString(l.links.core.public[:]),
		},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour * 24 * 365),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}

	certbytes, err := x509.CreateCertificate(rand.Reader, &cert, &cert, l.links.core.public, l.links.core.secret)
	if err != nil {
		return nil, err
	}

	if err := pem.Encode(certBuf, &pem.Block{
		Type:  "CERTIFICATE",
		Bytes: certbytes,
	}); err != nil {
		return nil, err
	}

	rootCAs := x509.NewCertPool()
	rootCAs.AppendCertsFromPEM(certbytes)

	return &tls.Config{
		RootCAs: rootCAs,
		Certificates: []tls.Certificate{
			{
				Certificate: [][]byte{certbytes},
				PrivateKey:  l.links.core.secret,
			},
		},
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS13,
	}, nil
}

func (l *linkTLS) handler(name string, info linkInfo, conn net.Conn, options linkOptions, incoming, force bool) error {
	return l.tcp.handler(name, info, conn, options, incoming, force)
}
Link refactor (#941) * Link refactoring * More refactoring * More tweaking * Cleaner shutdowns, UNIX socket support, more tweaks * Actorise links, remove mutex * SOCKS support 2022-09-17 20:07:00 +01:00			`package core`

			`import (`
			`"bytes"`
			`"context"`
			`"crypto/rand"`
			`"crypto/tls"`
			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/hex"`
			`"encoding/pem"`
			`"fmt"`
			`"math/big"`
			`"net"`
			`"net/url"`
			`"strings"`
			`"time"`

			`"github.com/Arceliar/phony"`
			`)`

			`type linkTLS struct {`
			`phony.Inbox`
			`*links`
			`tcp *linkTCP`
			`listener *net.ListenConfig`
			`config *tls.Config`
			`_listeners map[*Listener]context.CancelFunc`
			`}`

			`func (l links) newLinkTLS(tcp linkTCP) *linkTLS {`
			`lt := &linkTLS{`
			`links: l,`
			`tcp: tcp,`
			`listener: &net.ListenConfig{`
			`Control: tcp.tcpContext,`
			`KeepAlive: -1,`
			`},`
			`_listeners: map[*Listener]context.CancelFunc{},`
			`}`
			`var err error`
			`lt.config, err = lt.generateConfig()`
			`if err != nil {`
			`panic(err)`
			`}`
			`return lt`
			`}`

			`func (l linkTLS) dial(url url.URL, options linkOptions, sintf, sni string) error {`
			`addr, err := net.ResolveTCPAddr("tcp", url.Host)`
			`if err != nil {`
			`return err`
			`}`
Fix `InterfacePeers` 2022-10-21 19:49:15 +01:00			`dialer, err := l.tcp.dialerFor(addr, sintf)`
Link refactor (#941) * Link refactoring * More refactoring * More tweaking * Cleaner shutdowns, UNIX socket support, more tweaks * Actorise links, remove mutex * SOCKS support 2022-09-17 20:07:00 +01:00			`if err != nil {`
			`return err`
			`}`
Varying connection check strictness based on scope 2022-10-22 17:45:09 +01:00			`info := linkInfoFor("tls", sintf, tcpIDFor(dialer.LocalAddr, addr))`
			`if l.links.isConnectedTo(info) {`
			`return nil`
			`}`
Link refactor (#941) * Link refactoring * More refactoring * More tweaking * Cleaner shutdowns, UNIX socket support, more tweaks * Actorise links, remove mutex * SOCKS support 2022-09-17 20:07:00 +01:00			`tlsconfig := l.config.Clone()`
			`tlsconfig.ServerName = sni`
			`tlsdialer := &tls.Dialer{`
			`NetDialer: dialer,`
			`Config: tlsconfig,`
			`}`
			`conn, err := tlsdialer.DialContext(l.core.ctx, "tcp", addr.String())`
			`if err != nil {`
			`return err`
			`}`
Don't reject multiple genuine links from the same host 2022-10-22 16:59:25 +01:00			`uri := strings.TrimRight(strings.SplitN(url.String(), "?", 2)[0], "/")`
			`return l.handler(uri, info, conn, options, false, false)`
Link refactor (#941) * Link refactoring * More refactoring * More tweaking * Cleaner shutdowns, UNIX socket support, more tweaks * Actorise links, remove mutex * SOCKS support 2022-09-17 20:07:00 +01:00			`}`

			`func (l linkTLS) listen(url url.URL, sintf string) (*Listener, error) {`
			`ctx, cancel := context.WithCancel(l.core.ctx)`
			`hostport := url.Host`
			`if sintf != "" {`
			`if host, port, err := net.SplitHostPort(hostport); err == nil {`
			`hostport = fmt.Sprintf("[%s%%%s]:%s", host, sintf, port)`
			`}`
			`}`
			`listener, err := l.listener.Listen(ctx, "tcp", hostport)`
			`if err != nil {`
			`cancel()`
			`return nil, err`
			`}`
			`tlslistener := tls.NewListener(listener, l.config)`
			`entry := &Listener{`
			`Listener: tlslistener,`
			`closed: make(chan struct{}),`
			`}`
			`phony.Block(l, func() {`
			`l._listeners[entry] = cancel`
			`})`
			`l.core.log.Printf("TLS listener started on %s", listener.Addr())`
			`go func() {`
			`defer phony.Block(l, func() {`
			`delete(l._listeners, entry)`
			`})`
			`for {`
			`conn, err := tlslistener.Accept()`
			`if err != nil {`
			`cancel()`
			`break`
			`}`
Varying connection check strictness based on scope 2022-10-22 17:45:09 +01:00			`laddr := conn.LocalAddr().(*net.TCPAddr)`
			`raddr := conn.RemoteAddr().(*net.TCPAddr)`
			`name := fmt.Sprintf("tls://%s", raddr)`
			`info := linkInfoFor("tls", sintf, tcpIDFor(laddr, raddr))`
Priority support (#964) * Allow setting link priorities * Fix a bug * Allow setting priority on listeners and multicast interfaces * Update `yggdrasilctl` * Update to Arceliar/ironwood#5 2022-10-26 09:24:24 +01:00			`if err = l.handler(name, info, conn, linkOptionsForListener(url), true, raddr.IP.IsLinkLocalUnicast()); err != nil {`
Link refactor (#941) * Link refactoring * More refactoring * More tweaking * Cleaner shutdowns, UNIX socket support, more tweaks * Actorise links, remove mutex * SOCKS support 2022-09-17 20:07:00 +01:00			`l.core.log.Errorln("Failed to create inbound link:", err)`
			`}`
			`}`
Lint tweaks 2022-09-24 17:05:44 +01:00			`_ = tlslistener.Close()`
Link refactor (#941) * Link refactoring * More refactoring * More tweaking * Cleaner shutdowns, UNIX socket support, more tweaks * Actorise links, remove mutex * SOCKS support 2022-09-17 20:07:00 +01:00			`close(entry.closed)`
			`l.core.log.Printf("TLS listener stopped on %s", listener.Addr())`
			`}()`
			`return entry, nil`
			`}`

			`func (l linkTLS) generateConfig() (tls.Config, error) {`
			`certBuf := &bytes.Buffer{}`

			`// TODO: because NotAfter is finite, we should add some mechanism to`
			`// regenerate the certificate and restart the listeners periodically`
			`// for nodes with very high uptimes. Perhaps regenerate certs and restart`
			`// listeners every few months or so.`
			`cert := x509.Certificate{`
			`SerialNumber: big.NewInt(1),`
			`Subject: pkix.Name{`
			`CommonName: hex.EncodeToString(l.links.core.public[:]),`
			`},`
			`NotBefore: time.Now(),`
			`NotAfter: time.Now().Add(time.Hour * 24 * 365),`
			`KeyUsage: x509.KeyUsageKeyEncipherment \| x509.KeyUsageDigitalSignature,`
			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},`
			`BasicConstraintsValid: true,`
			`}`

			`certbytes, err := x509.CreateCertificate(rand.Reader, &cert, &cert, l.links.core.public, l.links.core.secret)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := pem.Encode(certBuf, &pem.Block{`
			`Type: "CERTIFICATE",`
			`Bytes: certbytes,`
			`}); err != nil {`
			`return nil, err`
			`}`

			`rootCAs := x509.NewCertPool()`
			`rootCAs.AppendCertsFromPEM(certbytes)`

			`return &tls.Config{`
			`RootCAs: rootCAs,`
			`Certificates: []tls.Certificate{`
			`{`
			`Certificate: [][]byte{certbytes},`
			`PrivateKey: l.links.core.secret,`
			`},`
			`},`
			`InsecureSkipVerify: true,`
			`MinVersion: tls.VersionTLS13,`
			`}, nil`
			`}`

Always allow link-local peerings again 2022-10-22 16:23:25 +01:00			`func (l *linkTLS) handler(name string, info linkInfo, conn net.Conn, options linkOptions, incoming, force bool) error {`
			`return l.tcp.handler(name, info, conn, options, incoming, force)`
Link refactor (#941) * Link refactoring * More refactoring * More tweaking * Cleaner shutdowns, UNIX socket support, more tweaks * Actorise links, remove mutex * SOCKS support 2022-09-17 20:07:00 +01:00			`}`