Remove TLS root validation

This is just too complicated compared to the per-peer/per-listener/per-interface password approach.
2025-04-28 22:25:07 +03:00 · 2023-10-11 18:25:35 +01:00 · 2023-10-11 18:25:35 +01:00 · 45b773eade
commit 45b773eade
parent 6dc847de31
7 changed files with 29 additions and 196 deletions
--- a/src/core/core.go
+++ b/src/core/core.go
@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/ed25519"
 	"crypto/tls"
-	"crypto/x509"
 	"encoding/hex"
 	"fmt"
 	"io"
@ -39,8 +38,7 @@ type Core struct {
 	log          Logger
 	addPeerTimer *time.Timer
 	config       struct {
-		tls   *tls.Config    // immutable after startup
-		roots *x509.CertPool // immutable after startup
+		tls *tls.Config // immutable after startup
 		//_peers             map[Peer]*linkInfo         // configurable after startup
 		_listeners         map[ListenAddress]struct{} // configurable after startup
 		nodeinfo           NodeInfo                   // immutable after startup
@ -110,9 +108,6 @@ func New(cert *tls.Certificate, logger Logger, opts ...SetupOption) (*Core, erro
 	c.log.Infof("Your public key is %s", hex.EncodeToString(c.public))
 	c.log.Infof("Your IPv6 address is %s", address.String())
 	c.log.Infof("Your IPv6 subnet is %s", subnet.String())
-	if c.config.roots != nil {
-		c.log.Println("Yggdrasil is running in TLS-only mode")
-	}
 	c.proto.init(c)
 	if err := c.links.init(c); err != nil {
 		return nil, fmt.Errorf("error initialising links: %w", err)
@ -169,10 +164,6 @@ func (c *Core) _close() error {
 	return err
 }

-func (c *Core) isTLSOnly() bool {
-	return c.config.roots != nil
-}
-
 func (c *Core) MTU() uint64 {
 	const sessionTypeOverhead = 1
 	MTU := c.PacketConn.MTU() - sessionTypeOverhead
--- a/src/core/link_tcp.go
+++ b/src/core/link_tcp.go
@ -69,9 +69,6 @@ func (l *linkTCP) dialersFor(url *url.URL, info linkInfo) ([]*tcpDialer, error)
 }

 func (l *linkTCP) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
-	if l.core.isTLSOnly() {
-		return nil, fmt.Errorf("TCP peer prohibited in TLS-only mode")
-	}
 	dialers, err := l.dialersFor(url, info)
 	if err != nil {
 		return nil, err
@ -92,9 +89,6 @@ func (l *linkTCP) dial(ctx context.Context, url *url.URL, info linkInfo, options
 }

 func (l *linkTCP) listen(ctx context.Context, url *url.URL, sintf string) (net.Listener, error) {
-	if l.core.isTLSOnly() {
-		return nil, fmt.Errorf("TCP listener prohibited in TLS-only mode")
-	}
 	hostport := url.Host
 	if sintf != "" {
 		if host, port, err := net.SplitHostPort(hostport); err == nil {
--- a/src/core/options.go
+++ b/src/core/options.go
@ -2,19 +2,12 @@ package core

 import (
 	"crypto/ed25519"
-	"crypto/x509"
 	"fmt"
 	"net/url"
 )

 func (c *Core) _applyOption(opt SetupOption) (err error) {
 	switch v := opt.(type) {
-	case RootCertificate:
-		cert := x509.Certificate(v)
-		if c.config.roots == nil {
-			c.config.roots = x509.NewCertPool()
-		}
-		c.config.roots.AddCert(&cert)
 	case Peer:
 		u, err := url.Parse(v.URI)
 		if err != nil {
@ -39,7 +32,6 @@ type SetupOption interface {
 	isSetupOption()
 }

-type RootCertificate x509.Certificate
 type ListenAddress string
 type Peer struct {
 	URI             string
@ -49,7 +41,6 @@ type NodeInfo map[string]interface{}
 type NodeInfoPrivacy bool
 type AllowedPublicKey ed25519.PublicKey

-func (a RootCertificate) isSetupOption()  {}
 func (a ListenAddress) isSetupOption()    {}
 func (a Peer) isSetupOption()             {}
 func (a NodeInfo) isSetupOption()         {}
--- a/src/core/tls.go
+++ b/src/core/tls.go
@ -17,46 +17,30 @@ func (c *Core) generateTLSConfig(cert *tls.Certificate) (*tls.Config, error) {
 		VerifyConnection:      c.verifyTLSConnection,
 		InsecureSkipVerify:    true,
 		MinVersion:            tls.VersionTLS13,
-		NextProtos:            []string{"yggdrasil/0.5"},
+		NextProtos: []string{
+			fmt.Sprintf("yggdrasil/%d.%d", ProtocolVersionMajor, ProtocolVersionMinor),
+		},
 	}
 	return config, nil
 }

 func (c *Core) verifyTLSCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error {
-	if c.config.roots == nil {
-		// If there's no certificate pool configured then we will
-		// accept all TLS certificates.
-		return nil
-	}
-	if len(rawCerts) == 0 {
-		return fmt.Errorf("expected at least one certificate")
+	if len(rawCerts) != 1 {
+		return fmt.Errorf("expected one certificate")
 	}

-	opts := x509.VerifyOptions{
-		Roots: c.config.roots,
-	}
-
-	for i, rawCert := range rawCerts {
-		if i == 0 {
-			// The first certificate is the leaf certificate. All other
-			// certificates in the list are intermediates, so add them
-			// into the VerifyOptions.
-			continue
-		}
-		cert, err := x509.ParseCertificate(rawCert)
+	/*
+		opts := x509.VerifyOptions{}
+		cert, err := x509.ParseCertificate(rawCerts[0])
 		if err != nil {
-			return fmt.Errorf("failed to parse intermediate certificate: %w", err)
+			return fmt.Errorf("failed to parse leaf certificate: %w", err)
 		}
-		opts.Intermediates.AddCert(cert)
-	}

-	cert, err := x509.ParseCertificate(rawCerts[0])
-	if err != nil {
-		return fmt.Errorf("failed to parse leaf certificate: %w", err)
-	}
+		_, err = cert.Verify(opts)
+		return err
+	*/

-	_, err = cert.Verify(opts)
-	return err
+	return nil
 }

 func (c *Core) verifyTLSConnection(cs tls.ConnectionState) error {