Skip to content

GitLab

Commit e85a8ebe authored by tavit ohanian's avatar tavit ohanian
Browse files
Options

Merge branch 'port-2021-07-04'

parents 0fbf76c4 7342813e
Pipeline #707 passed with stages
      in 21 seconds
      Hide whitespace changes
      Inline Side-by-side
      Showing with 1492 additions and 2 deletions
      .github/workflows/automerge.yml 0 → 100644
      View file @ e85a8ebe
      # File managed by web3-bot. DO NOT EDIT.
      # See https://github.com/protocol/.github/ for details.
      # Automatically merge pull requests opened by web3-bot, as soon as (and only if) all tests pass.
      # This reduces the friction associated with updating with our workflows.
      on: [ pull_request ]
      name: Automerge
      jobs:
      automerge-check:
      if: github.event.pull_request.user.login == 'web3-bot'
      runs-on: ubuntu-latest
      outputs:
      status: ${{ steps.should-automerge.outputs.status }}
      steps:
      - uses: actions/checkout@v2
      with:
      fetch-depth: 0
      - name: Check if we should automerge
      id: should-automerge
      run: |
      for commit in $(git rev-list --first-parent origin/${{ github.event.pull_request.base.ref }}..${{ github.event.pull_request.head.sha }}); do
      committer=$(git show --format=$'%ce' -s $commit)
      echo "Committer: $committer"
      if [[ "$committer" != "web3-bot@users.noreply.github.com" ]]; then
      echo "Commit $commit wasn't committed by web3-bot, but by $committer."
      echo "::set-output name=status::false"
      exit
      fi
      done
      echo "::set-output name=status::true"
      automerge:
      needs: automerge-check
      runs-on: ubuntu-latest
      if: ${{ needs.automerge-check.outputs.status == 'true' }}
      steps:
      - name: Wait on tests
      uses: lewagon/wait-on-check-action@bafe56a6863672c681c3cf671f5e10b20abf2eaa # v0.2
      with:
      ref: ${{ github.event.pull_request.head.sha }}
      repo-token: ${{ secrets.GITHUB_TOKEN }}
      wait-interval: 10
      running-workflow-name: 'automerge' # the name of this job
      - name: Merge PR
      uses: pascalgn/automerge-action@741c311a47881be9625932b0a0de1b0937aab1ae # v0.13.1
      env:
      GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      MERGE_LABELS: ""
      MERGE_METHOD: "squash"
      MERGE_DELETE_BRANCH: true
      .github/workflows/go-check.yml 0 → 100644
      View file @ e85a8ebe
      # File managed by web3-bot. DO NOT EDIT.
      # See https://github.com/protocol/.github/ for details.
      on: [push, pull_request]
      name: Go Checks
      jobs:
      unit:
      runs-on: ubuntu-latest
      name: All
      steps:
      - uses: actions/checkout@v2
      with:
      submodules: recursive
      - uses: actions/setup-go@v2
      with:
      go-version: "1.16.x"
      - name: Install staticcheck
      run: go install honnef.co/go/tools/cmd/staticcheck@434f5f3816b358fe468fa83dcba62d794e7fe04b # 2021.1 (v0.2.0)
      - name: Check that go.mod is tidy
      uses: protocol/multiple-go-modules@v1.0
      with:
      run: |
      go mod tidy
      if [[ -n $(git ls-files --other --exclude-standard --directory -- go.sum) ]]; then
      echo "go.sum was added by go mod tidy"
      exit 1
      fi
      git diff --exit-code -- go.sum go.mod
      - name: gofmt
      if: ${{ success() || failure() }} # run this step even if the previous one failed
      run: |
      out=$(gofmt -s -l .)
      if [[ -n "$out" ]]; then
      echo $out | awk '{print "::error file=" $0 ",line=0,col=0::File is not gofmt-ed."}'
      exit 1
      fi
      - name: go vet
      if: ${{ success() || failure() }} # run this step even if the previous one failed
      uses: protocol/multiple-go-modules@v1.0
      with:
      run: go vet ./...
      - name: staticcheck
      if: ${{ success() || failure() }} # run this step even if the previous one failed
      uses: protocol/multiple-go-modules@v1.0
      with:
      run: |
      set -o pipefail
      staticcheck ./... | sed -e 's@\(.*\)\.go@./\1.go@g'
      .github/workflows/go-test.yml 0 → 100644
      View file @ e85a8ebe
      # File managed by web3-bot. DO NOT EDIT.
      # See https://github.com/protocol/.github/ for details.
      on: [push, pull_request]
      name: Go Test
      jobs:
      unit:
      strategy:
      fail-fast: false
      matrix:
      os: [ "ubuntu", "windows", "macos" ]
      go: [ "1.15.x", "1.16.x" ]
      runs-on: ${{ matrix.os }}-latest
      name: ${{ matrix.os}} (go ${{ matrix.go }})
      steps:
      - uses: actions/checkout@v2
      with:
      submodules: recursive
      - uses: actions/setup-go@v2
      with:
      go-version: ${{ matrix.go }}
      - name: Go information
      run: |
      go version
      go env
      - name: Run tests
      uses: protocol/multiple-go-modules@v1.0
      with:
      run: go test -v -coverprofile coverage.txt ./...
      - name: Run tests (32 bit)
      if: ${{ matrix.os != 'macos' }} # can't run 32 bit tests on OSX.
      uses: protocol/multiple-go-modules@v1.0
      env:
      GOARCH: 386
      with:
      run: go test -v ./...
      - name: Run tests with race detector
      if: ${{ matrix.os == 'ubuntu' }} # speed things up. Windows and OSX VMs are slow
      uses: protocol/multiple-go-modules@v1.0
      with:
      run: go test -v -race ./...
      - name: Upload coverage to Codecov
      uses: codecov/codecov-action@a1ed4b322b4b38cb846afb5a0ebfa17086917d27 # v1.5.0
      with:
      file: coverage.txt
      env_vars: OS=${{ matrix.os }}, GO=${{ matrix.go }}
      .gitlab-ci.yml 0 → 100644
      View file @ e85a8ebe
      stages:
      - build
      - test
      variables:
      BUILD_DIR: "/tmp/$CI_CONCURRENT_PROJECT_ID"
      before_script:
      - mkdir -p $BUILD_DIR/src
      - cd $BUILD_DIR/src
      - if [ -d $CI_PROJECT_DIR ]
      - then
      - echo "soft link $CI_PROJECT_DIR exists"
      - else
      - echo "creating soft link $CI_PROJECT_DIR"
      - ln -s $CI_PROJECT_DIR
      - fi
      - cd $CI_PROJECT_DIR
      build:
      stage: build
      tags:
      - testing
      script:
      - echo $CI_JOB_STAGE
      - go build
      test:
      stage: test
      tags:
      - testing
      script:
      - echo $CI_JOB_STAGE
      - go test -cover
      coverage: '/coverage: \d+.\d+% of statements/'
      LICENSE.md 0 → 100644
      View file @ e85a8ebe
      Copyright 2018 Marten Seemann
      Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
      The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
      THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
      README.md
      View file @ e85a8ebe
      # go-p2p-tls
      # go-libp2p-tls
      dms3 p2p go-libp2p-tls
      \ No newline at end of file
      [![](https://img.shields.io/badge/made%20by-Protocol%20Labs-blue.svg?style=flat-square)](https://protocol.ai)
      [![](https://img.shields.io/badge/project-libp2p-yellow.svg?style=flat-square)](http://libp2p.io/)
      [![](https://img.shields.io/badge/freenode-%23libp2p-yellow.svg?style=flat-square)](http://webchat.freenode.net/?channels=%23libp2p)
      [![GoDoc](https://godoc.org/github.com/libp2p/go-libp2p-tls?status.svg)](https://godoc.org/github.com/libp2p/go-libp2p-tls)
      [![Linux Build Status](https://img.shields.io/travis/libp2p/go-libp2p-tls/master.svg?style=flat-square&label=linux+build)](https://travis-ci.org/libp2p/go-libp2p-tls)
      [![Code Coverage](https://img.shields.io/codecov/c/github/libp2p/go-libp2p-tls/master.svg?style=flat-square)](https://codecov.io/gh/libp2p/go-libp2p-tls/)
      [![Discourse posts](https://img.shields.io/discourse/https/discuss.libp2p.io/posts.svg)](https://discuss.libp2p.io)
      > go-libp2p's TLS encrypted transport
      Package `go-libp2p-tls` is a libp2p [conn security transport](https://godoc.org/github.com/libp2p/go-libp2p-core/sec). It uses TLS to setup the communication channel.
      ## Install
      `go-libp2p-tls` is a standard Go module which can be installed with:
      ```sh
      go get github.com/libp2p/go-libp2p-tls
      ```
      This repo is [gomod](https://github.com/golang/go/wiki/Modules)-compatible, and users of
      go 1.11 and later with modules enabled will automatically pull the latest tagged release
      by referencing this package. Upgrades to future releases can be managed using `go get`,
      or by editing your `go.mod` file as [described by the gomod documentation](https://github.com/golang/go/wiki/Modules#how-to-upgrade-and-downgrade-dependencies).
      ## Contribute
      Feel free to join in. All welcome. Open an [issue](https://github.com/libp2p/go-libp2p-tls/issues)!
      This repository falls under the libp2p [Code of Conduct](https://github.com/libp2p/community/blob/master/code-of-conduct.md).
      ### Want to hack on libp2p?
      [![](https://cdn.rawgit.com/libp2p/community/master/img/contribute.gif)](https://github.com/libp2p/community/blob/master/CONTRIBUTE.md)
      ## License
      MIT
      ---
      The last gx published version of this module was: 0.1.0: QmR4qpcxA1UoHg7SZ89hJHYCpfrxToPjH9xSCug1cQeH1M
      cmd/README.md 0 → 100644
      View file @ e85a8ebe
      # TLS handshake example
      Run
      ```bash
      go run cmd/tlsdiag.go server
      ```
      cmd/tlsdiag.go 0 → 100644
      View file @ e85a8ebe
      package main
      import (
      "fmt"
      "os"
      "gitlab.dms3.io/p2p/go-p2p-tls/cmd/tlsdiag"
      )
      func main() {
      if len(os.Args) <= 1 {
      fmt.Println("missing argument: client / server")
      return
      }
      role := os.Args[1]
      // remove the role argument from os.Args
      os.Args = append([]string{os.Args[0]}, os.Args[2:]...)
      var err error
      switch role {
      case "client":
      err = tlsdiag.StartClient()
      case "server":
      err = tlsdiag.StartServer()
      default:
      fmt.Println("invalid argument. Expected client / server")
      return
      }
      if err != nil {
      panic(err)
      }
      }
      cmd/tlsdiag/client.go 0 → 100644
      View file @ e85a8ebe
      package tlsdiag
      import (
      "context"
      "flag"
      "fmt"
      "io/ioutil"
      "net"
      "time"
      "gitlab.dms3.io/p2p/go-p2p-core/peer"
      libp2ptls "gitlab.dms3.io/p2p/go-p2p-tls"
      )
      func StartClient() error {
      port := flag.Int("p", 5533, "port")
      peerIDString := flag.String("id", "", "peer ID")
      keyType := flag.String("key", "ecdsa", "rsa, ecdsa, ed25519 or secp256k1")
      flag.Parse()
      priv, err := generateKey(*keyType)
      if err != nil {
      return err
      }
      peerID, err := peer.Decode(*peerIDString)
      if err != nil {
      return err
      }
      id, err := peer.IDFromPrivateKey(priv)
      if err != nil {
      return err
      }
      fmt.Printf(" Peer ID: %s\n", id.Pretty())
      tp, err := libp2ptls.New(priv)
      if err != nil {
      return err
      }
      remoteAddr := fmt.Sprintf("localhost:%d", *port)
      fmt.Printf("Dialing %s\n", remoteAddr)
      conn, err := net.Dial("tcp", remoteAddr)
      if err != nil {
      return err
      }
      fmt.Printf("Dialed raw connection to %s\n", conn.RemoteAddr())
      ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
      defer cancel()
      sconn, err := tp.SecureOutbound(ctx, conn, peerID)
      if err != nil {
      return err
      }
      fmt.Printf("Authenticated server: %s\n", sconn.RemotePeer().Pretty())
      data, err := ioutil.ReadAll(sconn)
      if err != nil {
      return err
      }
      fmt.Printf("Received message from server: %s\n", string(data))
      return nil
      }
      cmd/tlsdiag/key.go 0 → 100644
      View file @ e85a8ebe
      package tlsdiag
      import (
      "crypto/rand"
      "fmt"
      ic "gitlab.dms3.io/p2p/go-p2p-core/crypto"
      )
      func generateKey(keyType string) (priv ic.PrivKey, err error) {
      switch keyType {
      case "rsa":
      fmt.Printf("Generated new peer with an RSA key.")
      priv, _, err = ic.GenerateRSAKeyPair(2048, rand.Reader)
      case "ecdsa":
      fmt.Printf("Generated new peer with an ECDSA key.")
      priv, _, err = ic.GenerateECDSAKeyPair(rand.Reader)
      case "ed25519":
      fmt.Printf("Generated new peer with an Ed25519 key.")
      priv, _, err = ic.GenerateEd25519Key(rand.Reader)
      case "secp256k1":
      fmt.Printf("Generated new peer with an Secp256k1 key.")
      priv, _, err = ic.GenerateSecp256k1Key(rand.Reader)
      default:
      return nil, fmt.Errorf("unknown key type: %s", keyType)
      }
      return
      }
      cmd/tlsdiag/server.go 0 → 100644
      View file @ e85a8ebe
      package tlsdiag
      import (
      "context"
      "flag"
      "fmt"
      "net"
      "time"
      "gitlab.dms3.io/p2p/go-p2p-core/peer"
      libp2ptls "gitlab.dms3.io/p2p/go-p2p-tls"
      )
      func StartServer() error {
      port := flag.Int("p", 5533, "port")
      keyType := flag.String("key", "ecdsa", "rsa, ecdsa, ed25519 or secp256k1")
      flag.Parse()
      priv, err := generateKey(*keyType)
      if err != nil {
      return err
      }
      id, err := peer.IDFromPrivateKey(priv)
      if err != nil {
      return err
      }
      fmt.Printf(" Peer ID: %s\n", id.Pretty())
      tp, err := libp2ptls.New(priv)
      if err != nil {
      return err
      }
      ln, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", *port))
      if err != nil {
      return err
      }
      fmt.Printf("Listening for new connections on %s\n", ln.Addr())
      fmt.Printf("Now run the following command in a separate terminal:\n")
      fmt.Printf("\tgo run cmd/tlsdiag.go client -p %d -id %s\n", *port, id.Pretty())
      for {
      conn, err := ln.Accept()
      if err != nil {
      return err
      }
      fmt.Printf("Accepted raw connection from %s\n", conn.RemoteAddr())
      go func() {
      if err := handleConn(tp, conn); err != nil {
      fmt.Printf("Error handling connection from %s: %s\n", conn.RemoteAddr(), err)
      }
      }()
      }
      }
      func handleConn(tp *libp2ptls.Transport, conn net.Conn) error {
      ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
      defer cancel()
      sconn, err := tp.SecureInbound(ctx, conn)
      if err != nil {
      return err
      }
      fmt.Printf("Authenticated client: %s\n", sconn.RemotePeer().Pretty())
      fmt.Fprintf(sconn, "Hello client!")
      fmt.Printf("Closing connection to %s\n", conn.RemoteAddr())
      return sconn.Close()
      }
      codecov.yml 0 → 100644
      View file @ e85a8ebe
      coverage:
      round: nearest
      status:
      project:
      default:
      threshold: 1
      patch: false
      conn.go 0 → 100644
      View file @ e85a8ebe
      package libp2ptls
      import (
      "crypto/tls"
      ci "gitlab.dms3.io/p2p/go-p2p-core/crypto"
      "gitlab.dms3.io/p2p/go-p2p-core/peer"
      "gitlab.dms3.io/p2p/go-p2p-core/sec"
      )
      type conn struct {
      *tls.Conn
      localPeer peer.ID
      privKey ci.PrivKey
      remotePeer peer.ID
      remotePubKey ci.PubKey
      }
      var _ sec.SecureConn = &conn{}
      func (c *conn) LocalPeer() peer.ID {
      return c.localPeer
      }
      func (c *conn) LocalPrivateKey() ci.PrivKey {
      return c.privKey
      }
      func (c *conn) RemotePeer() peer.ID {
      return c.remotePeer
      }
      func (c *conn) RemotePublicKey() ci.PubKey {
      return c.remotePubKey
      }
      crypto.go 0 → 100644
      View file @ e85a8ebe
      package libp2ptls
      import (
      "crypto/ecdsa"
      "crypto/elliptic"
      "crypto/rand"
      "crypto/tls"
      "crypto/x509"
      "crypto/x509/pkix"
      "encoding/asn1"
      "errors"
      "fmt"
      "math/big"
      "time"
      "golang.org/x/sys/cpu"
      ic "gitlab.dms3.io/p2p/go-p2p-core/crypto"
      "gitlab.dms3.io/p2p/go-p2p-core/peer"
      )
      const certValidityPeriod = 100 * 365 * 24 * time.Hour // ~100 years
      const certificatePrefix = "libp2p-tls-handshake:"
      const alpn string = "libp2p"
      var extensionID = getPrefixedExtensionID([]int{1, 1})
      type signedKey struct {
      PubKey []byte
      Signature []byte
      }
      // Identity is used to secure connections
      type Identity struct {
      config tls.Config
      }
      // NewIdentity creates a new identity
      func NewIdentity(privKey ic.PrivKey) (*Identity, error) {
      cert, err := keyToCertificate(privKey)
      if err != nil {
      return nil, err
      }
      return &Identity{
      config: tls.Config{
      MinVersion: tls.VersionTLS13,
      PreferServerCipherSuites: preferServerCipherSuites(),
      InsecureSkipVerify: true, // This is not insecure here. We will verify the cert chain ourselves.
      ClientAuth: tls.RequireAnyClientCert,
      Certificates: []tls.Certificate{*cert},
      VerifyPeerCertificate: func(_ [][]byte, _ [][]*x509.Certificate) error {
      panic("tls config not specialized for peer")
      },
      NextProtos: []string{alpn},
      SessionTicketsDisabled: true,
      },
      }, nil
      }
      // ConfigForAny is a short-hand for ConfigForPeer("").
      func (i *Identity) ConfigForAny() (*tls.Config, <-chan ic.PubKey) {
      return i.ConfigForPeer("")
      }
      // ConfigForPeer creates a new single-use tls.Config that verifies the peer's
      // certificate chain and returns the peer's public key via the channel. If the
      // peer ID is empty, the returned config will accept any peer.
      //
      // It should be used to create a new tls.Config before securing either an
      // incoming or outgoing connection.
      func (i *Identity) ConfigForPeer(remote peer.ID) (*tls.Config, <-chan ic.PubKey) {
      keyCh := make(chan ic.PubKey, 1)
      // We need to check the peer ID in the VerifyPeerCertificate callback.
      // The tls.Config it is also used for listening, and we might also have concurrent dials.
      // Clone it so we can check for the specific peer ID we're dialing here.
      conf := i.config.Clone()
      // We're using InsecureSkipVerify, so the verifiedChains parameter will always be empty.
      // We need to parse the certificates ourselves from the raw certs.
      conf.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
      defer close(keyCh)
      chain := make([]*x509.Certificate, len(rawCerts))
      for i := 0; i < len(rawCerts); i++ {
      cert, err := x509.ParseCertificate(rawCerts[i])
      if err != nil {
      return err
      }
      chain[i] = cert
      }
      pubKey, err := PubKeyFromCertChain(chain)
      if err != nil {
      return err
      }
      if remote != "" && !remote.MatchesPublicKey(pubKey) {
      peerID, err := peer.IDFromPublicKey(pubKey)
      if err != nil {
      peerID = peer.ID(fmt.Sprintf("(not determined: %s)", err.Error()))
      }
      return fmt.Errorf("peer IDs don't match: expected %s, got %s", remote, peerID)
      }
      keyCh <- pubKey
      return nil
      }
      return conf, keyCh
      }
      // PubKeyFromCertChain verifies the certificate chain and extract the remote's public key.
      func PubKeyFromCertChain(chain []*x509.Certificate) (ic.PubKey, error) {
      if len(chain) != 1 {
      return nil, errors.New("expected one certificates in the chain")
      }
      cert := chain[0]
      pool := x509.NewCertPool()
      pool.AddCert(cert)
      if _, err := cert.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
      // If we return an x509 error here, it will be sent on the wire.
      // Wrap the error to avoid that.
      return nil, fmt.Errorf("certificate verification failed: %s", err)
      }
      var found bool
      var keyExt pkix.Extension
      // find the libp2p key extension, skipping all unknown extensions
      for _, ext := range cert.Extensions {
      if extensionIDEqual(ext.Id, extensionID) {
      keyExt = ext
      found = true
      break
      }
      }
      if !found {
      return nil, errors.New("expected certificate to contain the key extension")
      }
      var sk signedKey
      if _, err := asn1.Unmarshal(keyExt.Value, &sk); err != nil {
      return nil, fmt.Errorf("unmarshalling signed certificate failed: %s", err)
      }
      pubKey, err := ic.UnmarshalPublicKey(sk.PubKey)
      if err != nil {
      return nil, fmt.Errorf("unmarshalling public key failed: %s", err)
      }
      certKeyPub, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
      if err != nil {
      return nil, err
      }
      valid, err := pubKey.Verify(append([]byte(certificatePrefix), certKeyPub...), sk.Signature)
      if err != nil {
      return nil, fmt.Errorf("signature verification failed: %s", err)
      }
      if !valid {
      return nil, errors.New("signature invalid")
      }
      return pubKey, nil
      }
      func keyToCertificate(sk ic.PrivKey) (*tls.Certificate, error) {
      certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
      if err != nil {
      return nil, err
      }
      keyBytes, err := ic.MarshalPublicKey(sk.GetPublic())
      if err != nil {
      return nil, err
      }
      certKeyPub, err := x509.MarshalPKIXPublicKey(certKey.Public())
      if err != nil {
      return nil, err
      }
      signature, err := sk.Sign(append([]byte(certificatePrefix), certKeyPub...))
      if err != nil {
      return nil, err
      }
      value, err := asn1.Marshal(signedKey{
      PubKey: keyBytes,
      Signature: signature,
      })
      if err != nil {
      return nil, err
      }
      sn, err := rand.Int(rand.Reader, big.NewInt(1<<62))
      if err != nil {
      return nil, err
      }
      tmpl := &x509.Certificate{
      SerialNumber: sn,
      NotBefore: time.Time{},
      NotAfter: time.Now().Add(certValidityPeriod),
      // after calling CreateCertificate, these will end up in Certificate.Extensions
      ExtraExtensions: []pkix.Extension{
      {Id: extensionID, Value: value},
      },
      }
      certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, certKey.Public(), certKey)
      if err != nil {
      return nil, err
      }
      return &tls.Certificate{
      Certificate: [][]byte{certDER},
      PrivateKey: certKey,
      }, nil
      }
      // We want nodes without AES hardware (e.g. ARM) support to always use ChaCha.
      // Only if both nodes have AES hardware support (e.g. x86), AES should be used.
      // x86->x86: AES, ARM->x86: ChaCha, x86->ARM: ChaCha and ARM->ARM: Chacha
      // This function returns true if we don't have AES hardware support, and false otherwise.
      // Thus, ARM servers will always use their own cipher suite preferences (ChaCha first),
      // and x86 servers will aways use the client's cipher suite preferences.
      func preferServerCipherSuites() bool {
      // Copied from the Go TLS implementation.
      // Check the cpu flags for each platform that has optimized GCM implementations.
      // Worst case, these variables will just all be false.
      var (
      hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
      hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
      // Keep in sync with crypto/aes/cipher_s390x.go.
      hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
      hasGCMAsm = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
      )
      return !hasGCMAsm
      }
      extension.go 0 → 100644
      View file @ e85a8ebe
      package libp2ptls
      var extensionPrefix = []int{1, 3, 6, 1, 4, 1, 53594}
      // getPrefixedExtensionID returns an Object Identifier
      // that can be used in x509 Certificates.
      func getPrefixedExtensionID(suffix []int) []int {
      return append(extensionPrefix, suffix...)
      }
      // extensionIDEqual compares two extension IDs.
      func extensionIDEqual(a, b []int) bool {
      if len(a) != len(b) {
      return false
      }
      for i := range a {
      if a[i] != b[i] {
      return false
      }
      }
      return true
      }
      extension_test.go 0 → 100644
      View file @ e85a8ebe
      package libp2ptls
      import (
      . "github.com/onsi/ginkgo"
      . "github.com/onsi/gomega"
      )
      var _ = Describe("Extensions", func() {
      It("generates a prefixed extension ID", func() {
      Expect(getPrefixedExtensionID([]int{13, 37})).To(Equal([]int{1, 3, 6, 1, 4, 1, 53594, 13, 37}))
      })
      It("compares extension IDs", func() {
      Expect(extensionIDEqual([]int{1, 2, 3, 4}, []int{1, 2, 3, 4})).To(BeTrue())
      Expect(extensionIDEqual([]int{1, 2, 3, 4}, []int{1, 2, 3})).To(BeFalse())
      Expect(extensionIDEqual([]int{1, 2, 3}, []int{1, 2, 3, 4})).To(BeFalse())
      Expect(extensionIDEqual([]int{1, 2, 3, 4}, []int{4, 3, 2, 1})).To(BeFalse())
      })
      })
      go.mod 0 → 100644
      View file @ e85a8ebe
      module gitlab.dms3.io/p2p/go-p2p-tls
      go 1.15
      require (
      github.com/onsi/ginkgo v1.12.0
      github.com/onsi/gomega v1.9.0
      gitlab.dms3.io/p2p/go-p2p-core v0.0.1
      golang.org/x/sys v0.0.0-20191206220618-eeba5f6aabab
      )
      go.sum 0 → 100644
      View file @ e85a8ebe
      cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
      github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
      github.com/aead/siphash v1.0.1/go.mod h1:Nywa3cDsYNNK3gaciGTWPwHt0wlpNV15vwmswBAUSII=
      github.com/btcsuite/btcd v0.20.1-beta h1:Ik4hyJqN8Jfyv3S4AGBOmyouMsYE3EdYODkMbQjwPGw=
      github.com/btcsuite/btcd v0.20.1-beta/go.mod h1:wVuoA8VJLEcwgqHBwHmzLRazpKxTv13Px/pDuV7OomQ=
      github.com/btcsuite/btclog v0.0.0-20170628155309-84c8d2346e9f/go.mod h1:TdznJufoqS23FtqVCzL0ZqgP5MqXbb4fg/WgDys70nA=
      github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d/go.mod h1:+5NJ2+qvTyV9exUAL/rxXi3DcLg2Ts+ymUAY5y4NvMg=
      github.com/btcsuite/go-socks v0.0.0-20170105172521-4720035b7bfd/go.mod h1:HHNXQzUsZCxOoE+CPiyCTO6x34Zs86zZUiwtpXoGdtg=
      github.com/btcsuite/goleveldb v0.0.0-20160330041536-7834afc9e8cd/go.mod h1:F+uVaaLLH7j4eDXPRvw78tMflu7Ie2bzYOH4Y8rRKBY=
      github.com/btcsuite/snappy-go v0.0.0-20151229074030-0bdef8d06723/go.mod h1:8woku9dyThutzjeg+3xrA5iCpBRH8XEEg3lh6TiUghc=
      github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792/go.mod h1:ghJtEyQwv5/p4Mg4C0fgbePVuGr935/5ddU9Z3TmDRY=
      github.com/btcsuite/winsvc v1.0.0/go.mod h1:jsenWakMcC0zFBFurPLEAyrnc/teJEM1O46fmI40EZs=
      github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
      github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
      github.com/davecgh/go-spew v0.0.0-20171005155431-ecdeabc65495/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
      github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
      github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
      github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
      github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
      github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
      github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
      github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
      github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
      github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
      github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
      github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
      github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
      github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
      github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
      github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
      github.com/jbenet/go-cienv v0.1.0/go.mod h1:TqNnHUmJgXau0nCzC7kXWeotg3J9W34CUv5Djy1+FlA=
      github.com/jbenet/goprocess v0.1.4 h1:DRGOFReOMqqDNXwW70QkacFW0YN9QnwLV0Vqk+3oU0o=
      github.com/jbenet/goprocess v0.1.4/go.mod h1:5yspPrukOVuOLORacaBi858NqyClJPQxYZlqdZVfqY4=
      github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
      github.com/jrick/logrotate v1.0.0/go.mod h1:LNinyqDIJnpAur+b8yyulnQw/wDuN1+BYKlTRt3OuAQ=
      github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
      github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
      github.com/kkdai/bstream v0.0.0-20161212061736-f391b8402d23/go.mod h1:J+Gs4SYgM6CZQHDETBtE9HaSEkGmuNXF86RwHhHUvq4=
      github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 h1:lYpkrQH5ajf0OXOcUbGjvZxxijuBwbbmlSxLiuofa+g=
      github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1/go.mod h1:pD8RvIylQ358TN4wwqatJ8rNavkEINozVn9DtGI3dfQ=
      github.com/minio/sha256-simd v0.1.1-0.20190913151208-6de447530771/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
      github.com/minio/sha256-simd v0.1.1 h1:5QHSlgo3nt5yKOJrC7W8w7X+NFl8cMPZm96iu8kKUJU=
      github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
      github.com/mr-tron/base58 v1.1.0/go.mod h1:xcD2VGqlgYjBdcBLw+TuYLr8afG+Hj8g2eTVqeSzSU8=
      github.com/mr-tron/base58 v1.1.3 h1:v+sk57XuaCKGXpWtVBX8YJzO7hMGx4Aajh4TQbdEFdc=
      github.com/mr-tron/base58 v1.1.3/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
      github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
      github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
      github.com/multiformats/go-base32 v0.0.3 h1:tw5+NhuwaOjJCC5Pp82QuXbrmLzWg7uxlMFp8Nq/kkI=
      github.com/multiformats/go-base32 v0.0.3/go.mod h1:pLiuGC8y0QR3Ue4Zug5UzK9LjgbkL8NSQj0zQ5Nz/AA=
      github.com/multiformats/go-base36 v0.1.0 h1:JR6TyF7JjGd3m6FbLU2cOxhC0Li8z8dLNGQ89tUg4F4=
      github.com/multiformats/go-base36 v0.1.0/go.mod h1:kFGE83c6s80PklsHO9sRn2NCoffoRdUUOENyW/Vv6sM=
      github.com/multiformats/go-multiaddr v0.2.2 h1:XZLDTszBIJe6m0zF6ITBrEcZR73OPUhCBBS9rYAuUzI=
      github.com/multiformats/go-multiaddr v0.2.2/go.mod h1:NtfXiOtHvghW9KojvtySjH5y0u0xW5UouOmQQrn6a3Y=
      github.com/multiformats/go-multibase v0.0.3 h1:l/B6bJDQjvQ5G52jw4QGSYeOTZoAwIO77RblWplfIqk=
      github.com/multiformats/go-multibase v0.0.3/go.mod h1:5+1R4eQrT3PkYZ24C3W2Ue2tPwIdYQD509ZjSb5y9Oc=
      github.com/multiformats/go-multihash v0.0.13/go.mod h1:VdAWLKTwram9oKAatUcLxBNUjdtcVwxObEQBtRfuyjc=
      github.com/multiformats/go-multihash v0.0.14 h1:QoBceQYQQtNUuf6s7wHxnE2c8bhbMqhfGzNI032se/I=
      github.com/multiformats/go-multihash v0.0.14/go.mod h1:VdAWLKTwram9oKAatUcLxBNUjdtcVwxObEQBtRfuyjc=
      github.com/multiformats/go-varint v0.0.5/go.mod h1:3Ls8CIEsrijN6+B7PbrXRPxHRPuXSrVKRY101jdMZYE=
      github.com/multiformats/go-varint v0.0.6 h1:gk85QWKxh3TazbLxED/NlDVv8+q+ReFJk7Y2W/KhfNY=
      github.com/multiformats/go-varint v0.0.6/go.mod h1:3Ls8CIEsrijN6+B7PbrXRPxHRPuXSrVKRY101jdMZYE=
      github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
      github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
      github.com/onsi/ginkgo v1.12.0 h1:Iw5WCbBcaAAd0fpRb1c9r5YCylv4XDoCSigm1zLevwU=
      github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg=
      github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
      github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
      github.com/onsi/gomega v1.9.0 h1:R1uwffexN6Pr340GtYRIdZmAiN4J+iw6WG4wog1DUXg=
      github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
      github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
      github.com/spacemonkeygo/spacelog v0.0.0-20180420211403-2296661a0572 h1:RC6RW7j+1+HkWaX/Yh71Ee5ZHaHYt7ZP4sQgUrm6cDU=
      github.com/spacemonkeygo/spacelog v0.0.0-20180420211403-2296661a0572/go.mod h1:w0SWMsp6j9O/dk4/ZpIhL+3CkG8ofA2vuv7k+ltqUMc=
      github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=
      github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
      github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
      github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
      gitlab.dms3.io/dms3/public/go-cid v0.0.1 h1:qs4dtkDigcLGY/58dIZaFjKLt+orrTcmTBvtqaM3570=
      gitlab.dms3.io/dms3/public/go-cid v0.0.1/go.mod h1:GQw3gc4CSrFY+aX6M+OBQDlg0p5/eQJoRrayaZzkAOQ=
      gitlab.dms3.io/p2p/go-buffer-pool v0.0.1 h1:2IUBfHOWOarILKvoF1NHnfSUD5MMI/g6f64ZTUwacoA=
      gitlab.dms3.io/p2p/go-buffer-pool v0.0.1/go.mod h1:M+a5uWIUEkiKihMm5+IL0+pqzG6G7mcD6nNWosKUKO0=
      gitlab.dms3.io/p2p/go-flow-metrics v0.0.1/go.mod h1:0QFTYtRYP6Y1xfK0xycr40drfoM+0WVCoOXPyI0eFN0=
      gitlab.dms3.io/p2p/go-msgio v0.0.1/go.mod h1:H6AqMy1HOxZb+yEXj2d3o4wgWb+lJx9aYI+nWka46T0=
      gitlab.dms3.io/p2p/go-openssl v0.0.1 h1:BC9zzxiRliZmWNpxQQX37DDkmKpR2rXNUkwxRT0f6NI=
      gitlab.dms3.io/p2p/go-openssl v0.0.1/go.mod h1:aQ3IGGzTd5vw48HiiXv6z6sFKiB52w2jZdg2TFNjylA=
      gitlab.dms3.io/p2p/go-p2p-core v0.0.1 h1:ENn1teKT3rq5v5BN0y4hRWP3rjKEZbOCiwUI1t8CiGI=
      gitlab.dms3.io/p2p/go-p2p-core v0.0.1/go.mod h1:xm5X+ChR6cZDKYaIDSmuCs6Uvd1GtbDy47xXjCljBAk=
      go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
      golang.org/x/crypto v0.0.0-20170930174604-9419663f5a44/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
      golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
      golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU=
      golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
      golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
      golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
      golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
      golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
      golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
      golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
      golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
      golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
      golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
      golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
      golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
      golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
      golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
      golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
      golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
      golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
      golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
      golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
      golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
      golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
      golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
      golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
      golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
      golang.org/x/sys v0.0.0-20191206220618-eeba5f6aabab h1:FvshnhkKW+LO3HWHodML8kuVX8rnJTxKm9dFPuI68UM=
      golang.org/x/sys v0.0.0-20191206220618-eeba5f6aabab/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
      golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
      golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
      golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
      golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
      golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
      golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
      golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
      golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
      golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
      golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
      google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
      google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
      google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
      google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
      google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
      google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
      gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
      gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
      gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
      gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
      gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
      gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
      gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
      gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
      gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
      gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
      honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
      libp2p_tls_suite_test.go 0 → 100644
      View file @ e85a8ebe
      package libp2ptls
      import (
      mrand "math/rand"
      "testing"
      . "github.com/onsi/ginkgo"
      . "github.com/onsi/gomega"
      )
      func TestLibp2pTLS(t *testing.T) {
      RegisterFailHandler(Fail)
      RunSpecs(t, "libp2p TLS Suite")
      }
      var _ = BeforeSuite(func() {
      mrand.Seed(GinkgoRandomSeed())
      })
      transport.go 0 → 100644
      View file @ e85a8ebe
      package libp2ptls
      import (
      "context"
      "crypto/tls"
      "errors"
      "net"
      "sync"
      ci "gitlab.dms3.io/p2p/go-p2p-core/crypto"
      "gitlab.dms3.io/p2p/go-p2p-core/peer"
      "gitlab.dms3.io/p2p/go-p2p-core/sec"
      )
      // ID is the protocol ID (used when negotiating with multistream)
      const ID = "/tls/1.0.0"
      // Transport constructs secure communication sessions for a peer.
      type Transport struct {
      identity *Identity
      localPeer peer.ID
      privKey ci.PrivKey
      }
      // New creates a TLS encrypted transport
      func New(key ci.PrivKey) (*Transport, error) {
      id, err := peer.IDFromPrivateKey(key)
      if err != nil {
      return nil, err
      }
      t := &Transport{
      localPeer: id,
      privKey: key,
      }
      identity, err := NewIdentity(key)
      if err != nil {
      return nil, err
      }
      t.identity = identity
      return t, nil
      }
      var _ sec.SecureTransport = &Transport{}
      // SecureInbound runs the TLS handshake as a server.
      func (t *Transport) SecureInbound(ctx context.Context, insecure net.Conn) (sec.SecureConn, error) {
      config, keyCh := t.identity.ConfigForAny()
      cs, err := t.handshake(ctx, tls.Server(insecure, config), keyCh)
      if err != nil {
      insecure.Close()
      }
      return cs, err
      }
      // SecureOutbound runs the TLS handshake as a client.
      // Note that SecureOutbound will not return an error if the server doesn't
      // accept the certificate. This is due to the fact that in TLS 1.3, the client
      // sends its certificate and the ClientFinished in the same flight, and can send
      // application data immediately afterwards.
      // If the handshake fails, the server will close the connection. The client will
      // notice this after 1 RTT when calling Read.
      func (t *Transport) SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (sec.SecureConn, error) {
      config, keyCh := t.identity.ConfigForPeer(p)
      cs, err := t.handshake(ctx, tls.Client(insecure, config), keyCh)
      if err != nil {
      insecure.Close()
      }
      return cs, err
      }
      func (t *Transport) handshake(
      ctx context.Context,
      tlsConn *tls.Conn,
      keyCh <-chan ci.PubKey,
      ) (sec.SecureConn, error) {
      // There's no way to pass a context to tls.Conn.Handshake().
      // See https://github.com/golang/go/issues/18482.
      // Close the connection instead.
      select {
      case <-ctx.Done():
      tlsConn.Close()
      default:
      }
      done := make(chan struct{})
      var wg sync.WaitGroup
      // Ensure that we do not return before
      // either being done or having a context
      // cancellation.
      defer wg.Wait()
      defer close(done)
      wg.Add(1)
      go func() {
      defer wg.Done()
      select {
      case <-done:
      case <-ctx.Done():
      tlsConn.Close()
      }
      }()
      if err := tlsConn.Handshake(); err != nil {
      // if the context was canceled, return the context error
      if ctxErr := ctx.Err(); ctxErr != nil {
      return nil, ctxErr
      }
      return nil, err
      }
      // Should be ready by this point, don't block.
      var remotePubKey ci.PubKey
      select {
      case remotePubKey = <-keyCh:
      default:
      }
      if remotePubKey == nil {
      return nil, errors.New("go-libp2p-tls BUG: expected remote pub key to be set")
      }
      conn, err := t.setupConn(tlsConn, remotePubKey)
      if err != nil {
      // if the context was canceled, return the context error
      if ctxErr := ctx.Err(); ctxErr != nil {
      return nil, ctxErr
      }
      return nil, err
      }
      return conn, nil
      }
      func (t *Transport) setupConn(tlsConn *tls.Conn, remotePubKey ci.PubKey) (sec.SecureConn, error) {
      remotePeerID, err := peer.IDFromPublicKey(remotePubKey)
      if err != nil {
      return nil, err
      }
      return &conn{
      Conn: tlsConn,
      localPeer: t.localPeer,
      privKey: t.privKey,
      remotePeer: remotePeerID,
      remotePubKey: remotePubKey,
      }, nil
      }
      transport_test.go 0 → 100644
      View file @ e85a8ebe
      package libp2ptls
      import (
      "context"
      "crypto"
      "crypto/ecdsa"
      "crypto/elliptic"
      "crypto/rand"
      "crypto/rsa"
      "crypto/tls"
      "crypto/x509"
      "crypto/x509/pkix"
      "encoding/asn1"
      "fmt"
      "math/big"
      "net"
      "time"
      "github.com/onsi/gomega/gbytes"
      "github.com/onsi/gomega/types"
      ci "gitlab.dms3.io/p2p/go-p2p-core/crypto"
      "gitlab.dms3.io/p2p/go-p2p-core/peer"
      "gitlab.dms3.io/p2p/go-p2p-core/sec"
      . "github.com/onsi/ginkgo"
      . "github.com/onsi/gomega"
      )
      type transform struct {
      name string
      apply func(*Identity)
      remoteErr types.GomegaMatcher // the error that the side validating the chain gets
      }
      var _ = Describe("Transport", func() {
      var (
      serverKey, clientKey ci.PrivKey
      serverID, clientID peer.ID
      )
      createPeer := func() (peer.ID, ci.PrivKey) {
      var priv ci.PrivKey
      var err error
      // switch mrand.Int() % 4 {
      switch 3 { // handshake fails at line 117 below when client/server peers using different key algorithms
      case 0:
      fmt.Fprintf(GinkgoWriter, " using an ECDSA key: ")
      priv, _, err = ci.GenerateECDSAKeyPair(rand.Reader)
      case 1:
      fmt.Fprintf(GinkgoWriter, " using an RSA key: ")
      priv, _, err = ci.GenerateRSAKeyPair(2048, rand.Reader)
      case 2:
      fmt.Fprintf(GinkgoWriter, " using an Ed25519 key: ")
      priv, _, err = ci.GenerateEd25519Key(rand.Reader)
      case 3:
      fmt.Fprintf(GinkgoWriter, " using an secp256k1 key: ")
      priv, _, err = ci.GenerateSecp256k1Key(rand.Reader)
      }
      Expect(err).ToNot(HaveOccurred())
      id, err := peer.IDFromPrivateKey(priv)
      Expect(err).ToNot(HaveOccurred())
      fmt.Fprintln(GinkgoWriter, id.Pretty())
      return id, priv
      }
      connect := func() (net.Conn, net.Conn) {
      ln, err := net.Listen("tcp", "localhost:0")
      Expect(err).ToNot(HaveOccurred())
      defer ln.Close()
      serverConnChan := make(chan net.Conn)
      go func() {
      defer GinkgoRecover()
      conn, err := ln.Accept()
      Expect(err).ToNot(HaveOccurred())
      serverConnChan <- conn
      }()
      conn, err := net.Dial("tcp", ln.Addr().String())
      Expect(err).ToNot(HaveOccurred())
      return conn, <-serverConnChan
      }
      BeforeEach(func() {
      fmt.Fprintf(GinkgoWriter, "Initializing a server")
      serverID, serverKey = createPeer()
      fmt.Fprintf(GinkgoWriter, "Initializing a client")
      clientID, clientKey = createPeer()
      })
      It("handshakes", func() {
      clientTransport, err := New(clientKey)
      Expect(err).ToNot(HaveOccurred())
      serverTransport, err := New(serverKey)
      Expect(err).ToNot(HaveOccurred())
      clientInsecureConn, serverInsecureConn := connect()
      serverConnChan := make(chan sec.SecureConn)
      go func() {
      defer GinkgoRecover()
      serverConn, err := serverTransport.SecureInbound(context.Background(), serverInsecureConn)
      Expect(err).ToNot(HaveOccurred())
      serverConnChan <- serverConn
      }()
      clientConn, err := clientTransport.SecureOutbound(context.Background(), clientInsecureConn, serverID)
      Expect(err).ToNot(HaveOccurred())
      var serverConn sec.SecureConn
      Eventually(serverConnChan).Should(Receive(&serverConn))
      defer clientConn.Close()
      defer serverConn.Close()
      Expect(clientConn.LocalPeer()).To(Equal(clientID))
      Expect(serverConn.LocalPeer()).To(Equal(serverID))
      Expect(clientConn.LocalPrivateKey()).To(Equal(clientKey))
      Expect(serverConn.LocalPrivateKey()).To(Equal(serverKey))
      Expect(clientConn.RemotePeer()).To(Equal(serverID))
      Expect(serverConn.RemotePeer()).To(Equal(clientID))
      Expect(clientConn.RemotePublicKey()).To(Equal(serverKey.GetPublic()))
      Expect(serverConn.RemotePublicKey()).To(Equal(clientKey.GetPublic()))
      // exchange some data
      _, err = serverConn.Write([]byte("foobar"))
      Expect(err).ToNot(HaveOccurred())
      b := make([]byte, 6)
      _, err = clientConn.Read(b)
      Expect(err).ToNot(HaveOccurred())
      Expect(string(b)).To(Equal("foobar"))
      })
      It("fails when the context of the outgoing connection is canceled", func() {
      clientTransport, err := New(clientKey)
      Expect(err).ToNot(HaveOccurred())
      serverTransport, err := New(serverKey)
      Expect(err).ToNot(HaveOccurred())
      clientInsecureConn, serverInsecureConn := connect()
      go func() {
      defer GinkgoRecover()
      _, err := serverTransport.SecureInbound(context.Background(), serverInsecureConn)
      Expect(err).To(HaveOccurred())
      }()
      ctx, cancel := context.WithCancel(context.Background())
      cancel()
      _, err = clientTransport.SecureOutbound(ctx, clientInsecureConn, serverID)
      Expect(err).To(MatchError(context.Canceled))
      })
      It("fails when the context of the incoming connection is canceled", func() {
      clientTransport, err := New(clientKey)
      Expect(err).ToNot(HaveOccurred())
      serverTransport, err := New(serverKey)
      Expect(err).ToNot(HaveOccurred())
      clientInsecureConn, serverInsecureConn := connect()
      go func() {
      defer GinkgoRecover()
      ctx, cancel := context.WithCancel(context.Background())
      cancel()
      _, err := serverTransport.SecureInbound(ctx, serverInsecureConn)
      Expect(err).To(MatchError(context.Canceled))
      }()
      _, err = clientTransport.SecureOutbound(context.Background(), clientInsecureConn, serverID)
      Expect(err).To(HaveOccurred())
      })
      It("fails if the peer ID doesn't match", func() {
      fmt.Fprintf(GinkgoWriter, "Creating another peer")
      thirdPartyID, _ := createPeer()
      serverTransport, err := New(serverKey)
      Expect(err).ToNot(HaveOccurred())
      clientTransport, err := New(clientKey)
      Expect(err).ToNot(HaveOccurred())
      clientInsecureConn, serverInsecureConn := connect()
      done := make(chan struct{})
      go func() {
      defer GinkgoRecover()
      _, err := serverTransport.SecureInbound(context.Background(), serverInsecureConn)
      Expect(err).To(HaveOccurred())
      Expect(err.Error()).To(ContainSubstring("tls: bad certificate"))
      close(done)
      }()
      // dial, but expect the wrong peer ID
      _, err = clientTransport.SecureOutbound(context.Background(), clientInsecureConn, thirdPartyID)
      Expect(err).To(HaveOccurred())
      Expect(err.Error()).To(ContainSubstring("peer IDs don't match"))
      Eventually(done).Should(BeClosed())
      })
      Context("invalid certificates", func() {
      invalidateCertChain := func(identity *Identity) {
      switch identity.config.Certificates[0].PrivateKey.(type) {
      case *rsa.PrivateKey:
      key, err := rsa.GenerateKey(rand.Reader, 2048)
      Expect(err).ToNot(HaveOccurred())
      identity.config.Certificates[0].PrivateKey = key
      case *ecdsa.PrivateKey:
      key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
      Expect(err).ToNot(HaveOccurred())
      identity.config.Certificates[0].PrivateKey = key
      default:
      Fail("unexpected private key type")
      }
      }
      twoCerts := func(identity *Identity) {
      tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
      key1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
      Expect(err).ToNot(HaveOccurred())
      key2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
      Expect(err).ToNot(HaveOccurred())
      cert1DER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key1.Public(), key1)
      Expect(err).ToNot(HaveOccurred())
      cert1, err := x509.ParseCertificate(cert1DER)
      Expect(err).ToNot(HaveOccurred())
      cert2DER, err := x509.CreateCertificate(rand.Reader, tmpl, cert1, key2.Public(), key2)
      Expect(err).ToNot(HaveOccurred())
      identity.config.Certificates = []tls.Certificate{{
      Certificate: [][]byte{cert2DER, cert1DER},
      PrivateKey: key2,
      }}
      }
      getCertWithKey := func(key crypto.Signer, tmpl *x509.Certificate) tls.Certificate {
      cert, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
      Expect(err).ToNot(HaveOccurred())
      return tls.Certificate{
      Certificate: [][]byte{cert},
      PrivateKey: key,
      }
      }
      getCert := func(tmpl *x509.Certificate) tls.Certificate {
      key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
      Expect(err).ToNot(HaveOccurred())
      return getCertWithKey(key, tmpl)
      }
      expiredCert := func(identity *Identity) {
      cert := getCert(&x509.Certificate{
      SerialNumber: big.NewInt(1),
      NotBefore: time.Now().Add(-time.Hour),
      NotAfter: time.Now().Add(-time.Minute),
      })
      identity.config.Certificates = []tls.Certificate{cert}
      }
      noKeyExtension := func(identity *Identity) {
      cert := getCert(&x509.Certificate{
      SerialNumber: big.NewInt(1),
      NotBefore: time.Now().Add(-time.Hour),
      NotAfter: time.Now().Add(time.Hour),
      })
      identity.config.Certificates = []tls.Certificate{cert}
      }
      unparseableKeyExtension := func(identity *Identity) {
      cert := getCert(&x509.Certificate{
      SerialNumber: big.NewInt(1),
      NotBefore: time.Now().Add(-time.Hour),
      NotAfter: time.Now().Add(time.Hour),
      ExtraExtensions: []pkix.Extension{
      {Id: extensionID, Value: []byte("foobar")},
      },
      })
      identity.config.Certificates = []tls.Certificate{cert}
      }
      unparseableKey := func(identity *Identity) {
      data, err := asn1.Marshal(signedKey{PubKey: []byte("foobar")})
      Expect(err).ToNot(HaveOccurred())
      cert := getCert(&x509.Certificate{
      SerialNumber: big.NewInt(1),
      NotBefore: time.Now().Add(-time.Hour),
      NotAfter: time.Now().Add(time.Hour),
      ExtraExtensions: []pkix.Extension{
      {Id: extensionID, Value: data},
      },
      })
      identity.config.Certificates = []tls.Certificate{cert}
      }
      tooShortSignature := func(identity *Identity) {
      key, _, err := ci.GenerateSecp256k1Key(rand.Reader)
      Expect(err).ToNot(HaveOccurred())
      keyBytes, err := key.GetPublic().Bytes()
      Expect(err).ToNot(HaveOccurred())
      data, err := asn1.Marshal(signedKey{
      PubKey: keyBytes,
      Signature: []byte("foobar"),
      })
      Expect(err).ToNot(HaveOccurred())
      cert := getCert(&x509.Certificate{
      SerialNumber: big.NewInt(1),
      NotBefore: time.Now().Add(-time.Hour),
      NotAfter: time.Now().Add(time.Hour),
      ExtraExtensions: []pkix.Extension{
      {Id: extensionID, Value: data},
      },
      })
      identity.config.Certificates = []tls.Certificate{cert}
      }
      invalidSignature := func(identity *Identity) {
      key, _, err := ci.GenerateSecp256k1Key(rand.Reader)
      Expect(err).ToNot(HaveOccurred())
      keyBytes, err := key.GetPublic().Bytes()
      Expect(err).ToNot(HaveOccurred())
      signature, err := key.Sign([]byte("foobar"))
      Expect(err).ToNot(HaveOccurred())
      data, err := asn1.Marshal(signedKey{
      PubKey: keyBytes,
      Signature: signature,
      })
      Expect(err).ToNot(HaveOccurred())
      cert := getCert(&x509.Certificate{
      SerialNumber: big.NewInt(1),
      NotBefore: time.Now().Add(-time.Hour),
      NotAfter: time.Now().Add(time.Hour),
      ExtraExtensions: []pkix.Extension{
      {Id: extensionID, Value: data},
      },
      })
      identity.config.Certificates = []tls.Certificate{cert}
      }
      transforms := []transform{
      {
      name: "private key used in the TLS handshake doesn't match the public key in the cert",
      apply: invalidateCertChain,
      remoteErr: Or(
      Equal("tls: invalid signature by the client certificate: ECDSA verification failure"),
      Equal("tls: invalid signature by the server certificate: ECDSA verification failure"),
      ),
      },
      {
      name: "certificate chain contains 2 certs",
      apply: twoCerts,
      remoteErr: Equal("expected one certificates in the chain"),
      },
      {
      name: "cert is expired",
      apply: expiredCert,
      remoteErr: ContainSubstring("certificate has expired or is not yet valid"),
      },
      {
      name: "cert doesn't have the key extension",
      apply: noKeyExtension,
      remoteErr: Equal("expected certificate to contain the key extension"),
      },
      {
      name: "key extension not parseable",
      apply: unparseableKeyExtension,
      remoteErr: ContainSubstring("asn1"),
      },
      {
      name: "key protobuf not parseable",
      apply: unparseableKey,
      remoteErr: ContainSubstring("unmarshalling public key failed: proto:"),
      },
      {
      name: "signature is malformed",
      apply: tooShortSignature,
      remoteErr: ContainSubstring("signature verification failed:"),
      },
      {
      name: "signature is invalid",
      apply: invalidSignature,
      remoteErr: Equal("signature invalid"),
      },
      }
      for i := range transforms {
      t := transforms[i]
      It(fmt.Sprintf("fails if the client presents an invalid cert: %s", t.name), func() {
      serverTransport, err := New(serverKey)
      Expect(err).ToNot(HaveOccurred())
      clientTransport, err := New(clientKey)
      Expect(err).ToNot(HaveOccurred())
      t.apply(clientTransport.identity)
      clientInsecureConn, serverInsecureConn := connect()
      done := make(chan struct{})
      go func() {
      defer GinkgoRecover()
      _, err := serverTransport.SecureInbound(context.Background(), serverInsecureConn)
      Expect(err).To(HaveOccurred())
      Expect(err.Error()).To(t.remoteErr)
      close(done)
      }()
      conn, err := clientTransport.SecureOutbound(context.Background(), clientInsecureConn, serverID)
      Expect(err).ToNot(HaveOccurred())
      _, err = gbytes.TimeoutReader(conn, time.Second).Read([]byte{0})
      Expect(err).To(Or(
      // if the certificate's public key doesn't match the private key used for signing
      MatchError("remote error: tls: error decrypting message"),
      // all other errors
      MatchError("remote error: tls: bad certificate"),
      ))
      Eventually(done).Should(BeClosed())
      })
      It(fmt.Sprintf("fails if the server presents an invalid cert: %s", t.name), func() {
      serverTransport, err := New(serverKey)
      Expect(err).ToNot(HaveOccurred())
      t.apply(serverTransport.identity)
      clientTransport, err := New(clientKey)
      Expect(err).ToNot(HaveOccurred())
      clientInsecureConn, serverInsecureConn := connect()
      done := make(chan struct{})
      go func() {
      defer GinkgoRecover()
      _, err := serverTransport.SecureInbound(context.Background(), serverInsecureConn)
      Expect(err).To(HaveOccurred())
      Expect(err.Error()).To(ContainSubstring("remote error: tls:"))
      close(done)
      }()
      _, err = clientTransport.SecureOutbound(context.Background(), clientInsecureConn, serverID)
      Expect(err).To(HaveOccurred())
      Expect(err.Error()).To(t.remoteErr)
      Eventually(done).Should(BeClosed())
      })
      }
      })
      })
      Markdown is supported
      0% or .
      You are about to add 0 people to the discussion. Proceed with caution.
      Finish editing this message first!
      Please register or to comment