transport.go 3.35 KB
Newer Older
Marten Seemann's avatar
Marten Seemann committed
1 2 3 4 5
package libp2ptls

import (
	"context"
	"crypto/tls"
6
	"errors"
Marten Seemann's avatar
Marten Seemann committed
7
	"net"
Marten Seemann's avatar
Marten Seemann committed
8
	"os"
Marten Seemann's avatar
Marten Seemann committed
9

10 11 12
	ci "github.com/libp2p/go-libp2p-core/crypto"
	"github.com/libp2p/go-libp2p-core/peer"
	"github.com/libp2p/go-libp2p-core/sec"
Marten Seemann's avatar
Marten Seemann committed
13 14
)

Marten Seemann's avatar
Marten Seemann committed
15 16 17 18 19 20
// TLS 1.3 is opt-in in Go 1.12
// Activate it by setting the tls13 GODEBUG flag.
func init() {
	os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
}

Marten Seemann's avatar
Marten Seemann committed
21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
// ID is the protocol ID (used when negotiating with multistream)
const ID = "/tls/1.0.0"

// Transport constructs secure communication sessions for a peer.
type Transport struct {
	identity *Identity

	localPeer peer.ID
	privKey   ci.PrivKey
}

// New creates a TLS encrypted transport
func New(key ci.PrivKey) (*Transport, error) {
	id, err := peer.IDFromPrivateKey(key)
	if err != nil {
		return nil, err
	}
38 39 40 41
	t := &Transport{
		localPeer: id,
		privKey:   key,
	}
42

43
	identity, err := NewIdentity(key)
Marten Seemann's avatar
Marten Seemann committed
44 45 46
	if err != nil {
		return nil, err
	}
47 48
	t.identity = identity
	return t, nil
Marten Seemann's avatar
Marten Seemann committed
49 50
}

51
var _ sec.SecureTransport = &Transport{}
Marten Seemann's avatar
Marten Seemann committed
52 53

// SecureInbound runs the TLS handshake as a server.
54
func (t *Transport) SecureInbound(ctx context.Context, insecure net.Conn) (sec.SecureConn, error) {
55 56
	config, keyCh := t.identity.ConfigForAny()
	return t.handshake(ctx, tls.Server(insecure, config), keyCh)
Marten Seemann's avatar
Marten Seemann committed
57 58 59
}

// SecureOutbound runs the TLS handshake as a client.
Marten Seemann's avatar
Marten Seemann committed
60 61 62 63 64 65
// Note that SecureOutbound will not return an error if the server doesn't
// accept the certificate. This is due to the fact that in TLS 1.3, the client
// sends its certificate and the ClientFinished in the same flight, and can send
// application data immediately afterwards.
// If the handshake fails, the server will close the connection. The client will
// notice this after 1 RTT when calling Read.
66
func (t *Transport) SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (sec.SecureConn, error) {
67 68
	config, keyCh := t.identity.ConfigForPeer(p)
	return t.handshake(ctx, tls.Client(insecure, config), keyCh)
69
}
70

71 72 73
func (t *Transport) handshake(
	ctx context.Context,
	tlsConn *tls.Conn,
74
	keyCh <-chan ci.PubKey,
75
) (sec.SecureConn, error) {
76 77 78
	// There's no way to pass a context to tls.Conn.Handshake().
	// See https://github.com/golang/go/issues/18482.
	// Close the connection instead.
79 80 81 82 83
	select {
	case <-ctx.Done():
		tlsConn.Close()
	default:
	}
84 85 86 87 88 89
	done := make(chan struct{})
	defer close(done)
	go func() {
		select {
		case <-done:
		case <-ctx.Done():
Marten Seemann's avatar
Marten Seemann committed
90
			tlsConn.Close()
91 92 93
		}
	}()

94 95
	if err := tlsConn.Handshake(); err != nil {
		// if the context was canceled, return the context error
96 97 98 99
		if ctxErr := ctx.Err(); ctxErr != nil {
			return nil, ctxErr
		}
		return nil, err
100
	}
101 102

	// Should be ready by this point, don't block.
Marten Seemann's avatar
Marten Seemann committed
103
	var remotePubKey ci.PubKey
104 105 106 107 108 109
	select {
	case remotePubKey = <-keyCh:
	default:
	}

	conn, err := t.setupConn(tlsConn, remotePubKey)
110 111
	if err != nil {
		// if the context was canceled, return the context error
112 113 114 115
		if ctxErr := ctx.Err(); ctxErr != nil {
			return nil, ctxErr
		}
		return nil, err
Marten Seemann's avatar
Marten Seemann committed
116
	}
117
	return conn, nil
Marten Seemann's avatar
Marten Seemann committed
118 119
}

120
func (t *Transport) setupConn(tlsConn *tls.Conn, remotePubKey ci.PubKey) (sec.SecureConn, error) {
121
	if remotePubKey == nil {
122
		return nil, errors.New("go-libp2p-tls BUG: expected remote pub key to be set")
Marten Seemann's avatar
Marten Seemann committed
123
	}
124

Marten Seemann's avatar
Marten Seemann committed
125 126 127 128 129 130 131 132 133 134 135 136
	remotePeerID, err := peer.IDFromPublicKey(remotePubKey)
	if err != nil {
		return nil, err
	}
	return &conn{
		Conn:         tlsConn,
		localPeer:    t.localPeer,
		privKey:      t.privKey,
		remotePeer:   remotePeerID,
		remotePubKey: remotePubKey,
	}, nil
}