zrepl/tlsconf/tlsconf.go

package tlsconf

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"os"
	"time"
)

func ParseCAFile(certfile string) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	pem, err := ioutil.ReadFile(certfile)
	if err != nil {
		return nil, err
	}
	if !pool.AppendCertsFromPEM(pem) {
		return nil, errors.New("PEM parsing error")
	}
	return pool, nil
}

type ClientAuthListener struct {
	l                *net.TCPListener
	c                *tls.Config
	handshakeTimeout time.Duration
}

func NewClientAuthListener(
	l *net.TCPListener, ca *x509.CertPool, serverCert tls.Certificate,
	handshakeTimeout time.Duration) *ClientAuthListener {

	if ca == nil {
		panic(ca)
	}
	if serverCert.Certificate == nil || serverCert.PrivateKey == nil {
		panic(serverCert)
	}

	tlsConf := &tls.Config{
		Certificates:             []tls.Certificate{serverCert},
		ClientCAs:                ca,
		ClientAuth:               tls.RequireAndVerifyClientCert,
		PreferServerCipherSuites: true,
		KeyLogWriter:             keylogFromEnv(),
	}
	return &ClientAuthListener{
		l,
		tlsConf,
		handshakeTimeout,
	}
}

// Accept() accepts a connection from the *net.TCPListener passed to the constructor
// and sets up the TLS connection, including handshake and peer CommonName validation
// within the specified handshakeTimeout.
//
// It returns both the raw TCP connection (tcpConn) and the TLS connection (tlsConn) on top of it.
// Access to the raw tcpConn might be necessary if CloseWrite semantics are desired:
// tlsConn.CloseWrite does NOT call tcpConn.CloseWrite, hence we provide access to tcpConn to
// allow the caller to do this by themselves.
func (l *ClientAuthListener) Accept() (tcpConn *net.TCPConn, tlsConn *tls.Conn, clientCN string, err error) {
	tcpConn, err = l.l.AcceptTCP()
	if err != nil {
		return nil, nil, "", err
	}

	tlsConn = tls.Server(tcpConn, l.c)
	var (
		cn        string
		peerCerts []*x509.Certificate
	)
	if err = tlsConn.SetDeadline(time.Now().Add(l.handshakeTimeout)); err != nil {
		goto CloseAndErr
	}
	if err = tlsConn.Handshake(); err != nil {
		goto CloseAndErr
	}
	if err = tlsConn.SetDeadline(time.Time{}); err != nil {
		goto CloseAndErr
	}

	peerCerts = tlsConn.ConnectionState().PeerCertificates
	if len(peerCerts) < 1 {
		err = errors.New("client must present full RFC5246:7.4.2 TLS client certificate chain")
		goto CloseAndErr
	}
	cn = peerCerts[0].Subject.CommonName
	return tcpConn, tlsConn, cn, nil
CloseAndErr:
	// unlike CloseWrite, Close on *tls.Conn actually closes the underlying connection
	tlsConn.Close() // TODO log error
	return nil, nil, "", err
}

func (l *ClientAuthListener) Addr() net.Addr {
	return l.l.Addr()
}

func (l *ClientAuthListener) Close() error {
	return l.l.Close()
}

func ClientAuthClient(serverName string, rootCA *x509.CertPool, clientCert tls.Certificate) (*tls.Config, error) {
	if serverName == "" {
		panic(serverName)
	}
	if rootCA == nil {
		panic(rootCA)
	}
	if clientCert.Certificate == nil || clientCert.PrivateKey == nil {
		panic(clientCert)
	}
	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{clientCert},
		RootCAs:      rootCA,
		ServerName:   serverName,
		KeyLogWriter: keylogFromEnv(),
	}
	return tlsConfig, nil
}

func keylogFromEnv() io.Writer {
	var keyLog io.Writer = nil
	if outfile := os.Getenv("ZREPL_KEYLOG_FILE"); outfile != "" {
		fmt.Fprintf(os.Stderr, "writing to key log %s\n", outfile)
		var err error
		keyLog, err = os.OpenFile(outfile, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
		if err != nil {
			panic(err)
		}
	}
	return keyLog
}
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`package tlsconf`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"errors"`
tlsconf and transport/tls: support NSS-formatted keylog file for debugging ... via env variable 2019-01-17 01:43:39 +01:00			`"fmt"`
			`"io"`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`"io/ioutil"`
			`"net"`
tlsconf and transport/tls: support NSS-formatted keylog file for debugging ... via env variable 2019-01-17 01:43:39 +01:00			`"os"`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`"time"`
			`)`

			`func ParseCAFile(certfile string) (*x509.CertPool, error) {`
			`pool := x509.NewCertPool()`
			`pem, err := ioutil.ReadFile(certfile)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !pool.AppendCertsFromPEM(pem) {`
			`return nil, errors.New("PEM parsing error")`
			`}`
			`return pool, nil`
			`}`

			`type ClientAuthListener struct {`
rpc rewrite: control RPCs using gRPC + separate RPC for data transfer transport/ssh: update go-netssh to new version => supports CloseWrite and Deadlines => build: require Go 1.11 (netssh requires it) 2018-12-11 22:01:50 +01:00			`l *net.TCPListener`
			`c *tls.Config`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`handshakeTimeout time.Duration`
			`}`

			`func NewClientAuthListener(`
rpc rewrite: control RPCs using gRPC + separate RPC for data transfer transport/ssh: update go-netssh to new version => supports CloseWrite and Deadlines => build: require Go 1.11 (netssh requires it) 2018-12-11 22:01:50 +01:00			`l net.TCPListener, ca x509.CertPool, serverCert tls.Certificate,`
Multi-client servers + bring back stdinserver support 2018-09-05 01:41:54 +02:00			`handshakeTimeout time.Duration) *ClientAuthListener {`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00
			`if ca == nil {`
			`panic(ca)`
			`}`
			`if serverCert.Certificate == nil \|\| serverCert.PrivateKey == nil {`
			`panic(serverCert)`
			`}`

rpc rewrite: control RPCs using gRPC + separate RPC for data transfer transport/ssh: update go-netssh to new version => supports CloseWrite and Deadlines => build: require Go 1.11 (netssh requires it) 2018-12-11 22:01:50 +01:00			`tlsConf := &tls.Config{`
gofmt 2018-08-25 21:30:25 +02:00			`Certificates: []tls.Certificate{serverCert},`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`ClientCAs: ca,`
			`ClientAuth: tls.RequireAndVerifyClientCert,`
			`PreferServerCipherSuites: true,`
tlsconf and transport/tls: support NSS-formatted keylog file for debugging ... via env variable 2019-01-17 01:43:39 +01:00			`KeyLogWriter: keylogFromEnv(),`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`}`
			`return &ClientAuthListener{`
			`l,`
rpc rewrite: control RPCs using gRPC + separate RPC for data transfer transport/ssh: update go-netssh to new version => supports CloseWrite and Deadlines => build: require Go 1.11 (netssh requires it) 2018-12-11 22:01:50 +01:00			`tlsConf,`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`handshakeTimeout,`
			`}`
			`}`

rpc rewrite: control RPCs using gRPC + separate RPC for data transfer transport/ssh: update go-netssh to new version => supports CloseWrite and Deadlines => build: require Go 1.11 (netssh requires it) 2018-12-11 22:01:50 +01:00			`// Accept() accepts a connection from the *net.TCPListener passed to the constructor`
Spellcheck all files Signed-off-by: InsanePrawn <insane.prawny@gmail.com> 2020-02-23 23:24:12 +01:00			`// and sets up the TLS connection, including handshake and peer CommonName validation`
rpc rewrite: control RPCs using gRPC + separate RPC for data transfer transport/ssh: update go-netssh to new version => supports CloseWrite and Deadlines => build: require Go 1.11 (netssh requires it) 2018-12-11 22:01:50 +01:00			`// within the specified handshakeTimeout.`
			`//`
			`// It returns both the raw TCP connection (tcpConn) and the TLS connection (tlsConn) on top of it.`
			`// Access to the raw tcpConn might be necessary if CloseWrite semantics are desired:`
			`// tlsConn.CloseWrite does NOT call tcpConn.CloseWrite, hence we provide access to tcpConn to`
			`// allow the caller to do this by themselves.`
			`func (l ClientAuthListener) Accept() (tcpConn net.TCPConn, tlsConn *tls.Conn, clientCN string, err error) {`
			`tcpConn, err = l.l.AcceptTCP()`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`if err != nil {`
rpc rewrite: control RPCs using gRPC + separate RPC for data transfer transport/ssh: update go-netssh to new version => supports CloseWrite and Deadlines => build: require Go 1.11 (netssh requires it) 2018-12-11 22:01:50 +01:00			`return nil, nil, "", err`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`}`

rpc rewrite: control RPCs using gRPC + separate RPC for data transfer transport/ssh: update go-netssh to new version => supports CloseWrite and Deadlines => build: require Go 1.11 (netssh requires it) 2018-12-11 22:01:50 +01:00			`tlsConn = tls.Server(tcpConn, l.c)`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`var (`
			`cn string`
			`peerCerts []*x509.Certificate`
			`)`
			`if err = tlsConn.SetDeadline(time.Now().Add(l.handshakeTimeout)); err != nil {`
			`goto CloseAndErr`
			`}`
			`if err = tlsConn.Handshake(); err != nil {`
			`goto CloseAndErr`
			`}`
run golangci-lint and apply suggested fixes 2019-03-22 20:45:27 +01:00			`if err = tlsConn.SetDeadline(time.Time{}); err != nil {`
			`goto CloseAndErr`
			`}`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00
			`peerCerts = tlsConn.ConnectionState().PeerCertificates`
Permit peers to provide a cert chain (multiple certs). fixes #103 2018-12-01 00:34:29 +01:00			`if len(peerCerts) < 1 {`
transport/tls: clarify docs & error message language 2019-03-15 17:17:25 +01:00			`err = errors.New("client must present full RFC5246:7.4.2 TLS client certificate chain")`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`goto CloseAndErr`
			`}`
			`cn = peerCerts[0].Subject.CommonName`
rpc rewrite: control RPCs using gRPC + separate RPC for data transfer transport/ssh: update go-netssh to new version => supports CloseWrite and Deadlines => build: require Go 1.11 (netssh requires it) 2018-12-11 22:01:50 +01:00			`return tcpConn, tlsConn, cn, nil`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`CloseAndErr:`
rpc rewrite: control RPCs using gRPC + separate RPC for data transfer transport/ssh: update go-netssh to new version => supports CloseWrite and Deadlines => build: require Go 1.11 (netssh requires it) 2018-12-11 22:01:50 +01:00			`// unlike CloseWrite, Close on *tls.Conn actually closes the underlying connection`
			`tlsConn.Close() // TODO log error`
			`return nil, nil, "", err`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`}`

			`func (l *ClientAuthListener) Addr() net.Addr {`
			`return l.l.Addr()`
			`}`

			`func (l *ClientAuthListener) Close() error {`
			`return l.l.Close()`
			`}`

			`func ClientAuthClient(serverName string, rootCA x509.CertPool, clientCert tls.Certificate) (tls.Config, error) {`
			`if serverName == "" {`
			`panic(serverName)`
			`}`
			`if rootCA == nil {`
			`panic(rootCA)`
			`}`
			`if clientCert.Certificate == nil \|\| clientCert.PrivateKey == nil {`
			`panic(clientCert)`
			`}`
			`tlsConfig := &tls.Config{`
			`Certificates: []tls.Certificate{clientCert},`
			`RootCAs: rootCA,`
gofmt 2018-08-25 21:30:25 +02:00			`ServerName: serverName,`
tlsconf and transport/tls: support NSS-formatted keylog file for debugging ... via env variable 2019-01-17 01:43:39 +01:00			`KeyLogWriter: keylogFromEnv(),`
implement tcp and tcp+tls transports 2018-08-25 12:58:17 +02:00			`}`
			`return tlsConfig, nil`
gofmt 2018-08-25 21:30:25 +02:00			`}`
tlsconf and transport/tls: support NSS-formatted keylog file for debugging ... via env variable 2019-01-17 01:43:39 +01:00
			`func keylogFromEnv() io.Writer {`
			`var keyLog io.Writer = nil`
			`if outfile := os.Getenv("ZREPL_KEYLOG_FILE"); outfile != "" {`
			`fmt.Fprintf(os.Stderr, "writing to key log %s\n", outfile)`
			`var err error`
			`keyLog, err = os.OpenFile(outfile, os.O_CREATE\|os.O_TRUNC\|os.O_WRONLY, 0600)`
			`if err != nil {`
			`panic(err)`
			`}`
			`}`
			`return keyLog`
			`}`