yggdrasil-network/yggdrasil-go
1
0
Fork 0
mirror of https://github.com/yggdrasil-network/yggdrasil-go.git synced 2025-04-28 22:25:07 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Link refactoring, admin socket changes

Browse source
This commit is contained in:
Neil Alexander 2023-04-06 21:45:49 +01:00
parent c7ee7d9681
commit 7afa23be4c
No known key found for this signature in database
GPG key ID: A02A2019A2BB0944
32 changed files with 1206 additions and 1130 deletions
Download patch file Download diff file Expand all files Collapse all files

153
src/core/api.go
View file

@ -6,9 +6,9 @@ import (
"fmt"
"net"
"net/url"
"sync/atomic"
"time"
"github.com/Arceliar/ironwood/network"
"github.com/Arceliar/phony"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
)
@ -19,15 +19,19 @@ type SelfInfo struct {
}
type PeerInfo struct {
Key ed25519.PublicKey
Root ed25519.PublicKey
Coords []uint64
Port uint64
Priority uint8
Remote string
RXBytes uint64
TXBytes uint64
Uptime time.Duration
URI string
Up bool
Inbound bool
LastError error
LastErrorTime time.Time
Key ed25519.PublicKey
Root ed25519.PublicKey
Coords []uint64
Port uint64
Priority uint8
RXBytes uint64
TXBytes uint64
Uptime time.Duration
}
type TreeEntryInfo struct {
@ -61,35 +65,39 @@ func (c *Core) GetSelf() SelfInfo {
func (c *Core) GetPeers() []PeerInfo {
peers := []PeerInfo{}
names := make(map[net.Conn]string)
conns := map[net.Conn]network.DebugPeerInfo{}
iwpeers := c.PacketConn.PacketConn.Debug.GetPeers()
for _, p := range iwpeers {
conns[p.Conn] = p
}
phony.Block(&c.links, func() {
for _, info := range c.links._links {
if info == nil {
continue
for info, state := range c.links._links {
var peerinfo PeerInfo
var conn net.Conn
phony.Block(state, func() {
peerinfo.URI = info.uri
peerinfo.LastError = state._err
peerinfo.LastErrorTime = state._errtime
if c := state._conn; c != nil {
conn = c
peerinfo.Up = true
peerinfo.Inbound = info.linkType == linkTypeIncoming
peerinfo.RXBytes = c.rx
peerinfo.TXBytes = c.tx
peerinfo.Uptime = time.Since(c.up)
}
})
if p, ok := conns[conn]; ok {
peerinfo.Key = p.Key
peerinfo.Root = p.Root
peerinfo.Port = p.Port
peerinfo.Priority = p.Priority
}
names[info.conn] = info.lname
peers = append(peers, peerinfo)
}
})
ps := c.PacketConn.PacketConn.Debug.GetPeers()
for _, p := range ps {
var info PeerInfo
info.Key = p.Key
info.Root = p.Root
info.Port = p.Port
info.Priority = p.Priority
if p.Conn != nil {
info.Remote = p.Conn.RemoteAddr().String()
if linkconn, ok := p.Conn.(*linkConn); ok {
info.RXBytes = atomic.LoadUint64(&linkconn.rx)
info.TXBytes = atomic.LoadUint64(&linkconn.tx)
info.Uptime = time.Since(linkconn.up)
}
if name := names[p.Conn]; name != "" {
info.Remote = name
}
}
peers = append(peers, info)
}
return peers
}
@ -139,16 +147,7 @@ func (c *Core) GetSessions() []SessionInfo {
// parsed from a string of the form e.g. "tcp://a.b.c.d:e". In the case of a
// link-local address, the interface should be provided as the second argument.
func (c *Core) Listen(u *url.URL, sintf string) (*Listener, error) {
switch u.Scheme {
case "tcp":
return c.links.tcp.listen(u, sintf)
case "tls":
return c.links.tls.listen(u, sintf)
case "unix":
return c.links.unix.listen(u, sintf)
default:
return nil, fmt.Errorf("unrecognised scheme %q", u.Scheme)
}
return c.links.listen(u, sintf)
}
// Address gets the IPv6 address of the Yggdrasil node. This is always a /128
@ -187,49 +186,34 @@ func (c *Core) SetLogger(log Logger) {
//
// This adds the peer to the peer list, so that they will be called again if the
// connection drops.
func (c *Core) AddPeer(uri string, sourceInterface string) error {
var known bool
phony.Block(c, func() {
_, known = c.config._peers[Peer{uri, sourceInterface}]
})
if known {
return fmt.Errorf("peer already configured")
}
u, err := url.Parse(uri)
if err != nil {
return err
}
info, err := c.links.call(u, sourceInterface, nil)
if err != nil {
return err
}
phony.Block(c, func() {
c.config._peers[Peer{uri, sourceInterface}] = &info
})
return nil
func (c *Core) AddPeer(u *url.URL, sintf string) error {
return c.links.add(u, sintf, linkTypePersistent)
}
// RemovePeer removes a peer. The peer should be specified in URI format, see AddPeer.
// The peer is not disconnected immediately.
func (c *Core) RemovePeer(uri string, sourceInterface string) error {
var err error
phony.Block(c, func() {
peer := Peer{uri, sourceInterface}
linkInfo, ok := c.config._peers[peer]
if !ok {
err = fmt.Errorf("peer not configured")
return
}
if ok && linkInfo != nil {
c.links.Act(nil, func() {
if link := c.links._links[*linkInfo]; link != nil {
_ = link.close()
}
})
}
delete(c.config._peers, peer)
})
return err
return fmt.Errorf("not implemented yet")
/*
var err error
phony.Block(c, func() {
peer := Peer{uri, sourceInterface}
linkInfo, ok := c.config._peers[peer]
if !ok {
err = fmt.Errorf("peer not configured")
return
}
if ok && linkInfo != nil {
c.links.Act(nil, func() {
if link := c.links._links[*linkInfo]; link != nil {
_ = link.conn.Close()
}
})
}
delete(c.config._peers, peer)
})
return err
*/
}
// CallPeer calls a peer once. This should be specified in the peer URI format,
@ -241,8 +225,7 @@ func (c *Core) RemovePeer(uri string, sourceInterface string) error {
// This does not add the peer to the peer list, so if the connection drops, the
// peer will not be called again automatically.
func (c *Core) CallPeer(u *url.URL, sintf string) error {
_, err := c.links.call(u, sintf, nil)
return err
return c.links.add(u, sintf, linkTypeEphemeral)
}
func (c *Core) PublicKey() ed25519.PublicKey {

128
src/core/core.go
View file

@ -3,6 +3,9 @@ package core
import (
"context"
"crypto/ed25519"
"crypto/tls"
"crypto/x509"
"encoding/hex"
"fmt"
"io"
"net"
@ -10,12 +13,10 @@ import (
"time"
iwe "github.com/Arceliar/ironwood/encrypted"
iwn "github.com/Arceliar/ironwood/network"
iwt "github.com/Arceliar/ironwood/types"
"github.com/Arceliar/phony"
"github.com/gologme/log"
"github.com/yggdrasil-network/yggdrasil-go/src/address"
"github.com/yggdrasil-network/yggdrasil-go/src/version"
)
@ -36,7 +37,9 @@ type Core struct {
log Logger
addPeerTimer *time.Timer
config struct {
_peers map[Peer]*linkInfo // configurable after startup
tls *tls.Config // immutable after startup
roots *x509.CertPool // immutable after startup
//_peers map[Peer]*linkInfo // configurable after startup
_listeners map[ListenAddress]struct{} // configurable after startup
nodeinfo NodeInfo // immutable after startup
nodeinfoPrivacy NodeInfoPrivacy // immutable after startup
@ -45,48 +48,76 @@ type Core struct {
pathNotify func(ed25519.PublicKey)
}
func New(secret ed25519.PrivateKey, logger Logger, opts ...SetupOption) (*Core, error) {
func New(cert *tls.Certificate, logger Logger, opts ...SetupOption) (*Core, error) {
c := &Core{
log: logger,
}
c.ctx, c.cancel = context.WithCancel(context.Background())
if c.log == nil {
c.log = log.New(io.Discard, "", 0)
}
if name := version.BuildName(); name != "unknown" {
c.log.Infoln("Build name:", name)
}
if version := version.BuildVersion(); version != "unknown" {
c.log.Infoln("Build version:", version)
}
c.ctx, c.cancel = context.WithCancel(context.Background())
// Take a copy of the private key so that it is in our own memory space.
if len(secret) != ed25519.PrivateKeySize {
return nil, fmt.Errorf("private key is incorrect length")
}
c.secret = make(ed25519.PrivateKey, ed25519.PrivateKeySize)
copy(c.secret, secret)
c.public = secret.Public().(ed25519.PublicKey)
var err error
keyXform := func(key ed25519.PublicKey) ed25519.PublicKey {
return address.SubnetForKey(key).GetKey()
}
if c.PacketConn, err = iwe.NewPacketConn(c.secret,
iwn.WithBloomTransform(keyXform),
iwn.WithPeerMaxMessageSize(65535*2),
iwn.WithPathNotify(c.doPathNotify),
); err != nil {
return nil, fmt.Errorf("error creating encryption: %w", err)
}
c.config._peers = map[Peer]*linkInfo{}
c.config._listeners = map[ListenAddress]struct{}{}
c.config._allowedPublicKeys = map[[32]byte]struct{}{}
for _, opt := range opts {
c._applyOption(opt)
switch opt.(type) {
case Peer, ListenAddress:
// We can't do peers yet as the links aren't set up.
continue
default:
if err = c._applyOption(opt); err != nil {
return nil, fmt.Errorf("failed to apply configuration option %T: %w", opt, err)
}
}
}
if c.log == nil {
c.log = log.New(io.Discard, "", 0)
if cert == nil || cert.PrivateKey == nil {
return nil, fmt.Errorf("no private key supplied")
}
var ok bool
if c.secret, ok = cert.PrivateKey.(ed25519.PrivateKey); !ok {
return nil, fmt.Errorf("private key must be ed25519")
}
if len(c.secret) != ed25519.PrivateKeySize {
return nil, fmt.Errorf("private key is incorrect length")
}
c.public = c.secret.Public().(ed25519.PublicKey)
if c.config.tls, err = c.generateTLSConfig(cert); err != nil {
return nil, fmt.Errorf("error generating TLS config: %w", err)
}
if c.PacketConn, err = iwe.NewPacketConn(c.secret); err != nil {
return nil, fmt.Errorf("error creating encryption: %w", err)
}
address, subnet := c.Address(), c.Subnet()
c.log.Infof("Your public key is %s", hex.EncodeToString(c.public))
c.log.Infof("Your IPv6 address is %s", address.String())
c.log.Infof("Your IPv6 subnet is %s", subnet.String())
if c.config.roots != nil {
c.log.Println("Yggdrasil is running in TLS-only mode")
}
c.proto.init(c)
if err := c.links.init(c); err != nil {
return nil, fmt.Errorf("error initialising links: %w", err)
}
for _, opt := range opts {
switch opt.(type) {
case Peer, ListenAddress:
// Now do the peers and listeners.
if err = c._applyOption(opt); err != nil {
return nil, fmt.Errorf("failed to apply configuration option %T: %w", opt, err)
}
default:
continue
}
}
if err := c.proto.nodeinfo.setNodeInfo(c.config.nodeinfo, bool(c.config.nodeinfoPrivacy)); err != nil {
return nil, fmt.Errorf("error setting node info: %w", err)
}
@ -100,42 +131,11 @@ func New(secret ed25519.PrivateKey, logger Logger, opts ...SetupOption) (*Core,
c.log.Errorf("Failed to start listener %q: %s\n", listenaddr, err)
}
}
c.Act(nil, c._addPeerLoop)
return c, nil
}
// If any static peers were provided in the configuration above then we should
// configure them. The loop ensures that disconnected peers will eventually
// be reconnected with.
func (c *Core) _addPeerLoop() {
select {
case <-c.ctx.Done():
return
default:
}
// Add peers from the Peers section
for peer := range c.config._peers {
go func(peer string, intf string) {
u, err := url.Parse(peer)
if err != nil {
c.log.Errorln("Failed to parse peer url:", peer, err)
}
if err := c.CallPeer(u, intf); err != nil {
c.log.Errorln("Failed to add peer:", err)
}
}(peer.URI, peer.SourceInterface) // TODO: this should be acted and not in a goroutine?
}
c.addPeerTimer = time.AfterFunc(time.Minute, func() {
c.Act(nil, c._addPeerLoop)
})
}
func (c *Core) RetryPeersNow() {
if c.addPeerTimer != nil && !c.addPeerTimer.Stop() {
<-c.addPeerTimer.C
}
c.Act(nil, c._addPeerLoop)
// TODO: figure out a way to retrigger peer connections.
}
// Stop shuts down the Yggdrasil node.
@ -159,6 +159,10 @@ func (c *Core) _close() error {
return err
}
func (c *Core) isTLSOnly() bool {
return c.config.roots != nil
}
func (c *Core) MTU() uint64 {
const sessionTypeOverhead = 1
MTU := c.PacketConn.MTU() - sessionTypeOverhead
@ -213,14 +217,6 @@ func (c *Core) WriteTo(p []byte, addr net.Addr) (n int, err error) {
return
}
func (c *Core) doPathNotify(key ed25519.PublicKey) {
c.Act(nil, func() {
if c.pathNotify != nil {
c.pathNotify(key)
}
})
}
func (c *Core) SetPathNotify(notify func(ed25519.PublicKey)) {
c.Act(nil, func() {
c.pathNotify = notify

17
src/core/core_test.go
View file

@ -2,7 +2,6 @@ package core
import (
"bytes"
"crypto/ed25519"
"math/rand"
"net/url"
"os"
@ -10,6 +9,7 @@ import (
"time"
"github.com/gologme/log"
"github.com/yggdrasil-network/yggdrasil-go/src/config"
)
// GetLoggerWithPrefix creates a new logger instance with prefix.
@ -29,18 +29,21 @@ func GetLoggerWithPrefix(prefix string, verbose bool) *log.Logger {
// Verbosity flag is passed to logger.
func CreateAndConnectTwo(t testing.TB, verbose bool) (nodeA *Core, nodeB *Core) {
var err error
var skA, skB ed25519.PrivateKey
if _, skA, err = ed25519.GenerateKey(nil); err != nil {
cfgA, cfgB := config.GenerateConfig(), config.GenerateConfig()
if err = cfgA.GenerateSelfSignedCertificate(); err != nil {
t.Fatal(err)
}
if _, skB, err = ed25519.GenerateKey(nil); err != nil {
if err = cfgB.GenerateSelfSignedCertificate(); err != nil {
t.Fatal(err)
}
logger := GetLoggerWithPrefix("", false)
if nodeA, err = New(skA, logger, ListenAddress("tcp://127.0.0.1:0")); err != nil {
if nodeA, err = New(cfgA.Certificate, logger, ListenAddress("tcp://127.0.0.1:0")); err != nil {
t.Fatal(err)
}
if nodeB, err = New(skB, logger, ListenAddress("tcp://127.0.0.1:0")); err != nil {
if nodeB, err = New(cfgB.Certificate, logger, ListenAddress("tcp://127.0.0.1:0")); err != nil {
t.Fatal(err)
}
@ -76,7 +79,7 @@ func WaitConnected(nodeA, nodeB *Core) bool {
}
*/
if len(nodeA.GetTree()) > 1 && len(nodeB.GetTree()) > 1 {
time.Sleep(3*time.Second) // FIXME hack, there's still stuff happening internally
time.Sleep(3 * time.Second) // FIXME hack, there's still stuff happening internally
return true
}
}

532
src/core/link.go
View file

@ -2,10 +2,12 @@ package core
import (
"bytes"
"context"
"encoding/hex"
"errors"
"fmt"
"io"
"math"
"net"
"net/url"
"strconv"
@ -17,6 +19,14 @@ import (
"github.com/yggdrasil-network/yggdrasil-go/src/address"
)
type linkType int
const (
linkTypePersistent linkType = iota // Statically configured
linkTypeEphemeral // Multicast discovered
linkTypeIncoming // Incoming connection
)
type links struct {
phony.Inbox
core *Core
@ -27,41 +37,52 @@ type links struct {
_links map[linkInfo]*link // *link is nil if connection in progress
}
type linkProtocol interface {
dial(url *url.URL, info linkInfo, options linkOptions) (net.Conn, error)
listen(ctx context.Context, url *url.URL, sintf string) (net.Listener, error)
}
// linkInfo is used as a map key
type linkInfo struct {
linkType string // Type of link, e.g. TCP, AWDL
local string // Local name or address
remote string // Remote name or address
}
type linkDial struct {
url *url.URL
sintf string
uri string // Peering URI in complete form
sintf string // Peering source interface (i.e. from InterfacePeers)
linkType linkType // Type of link, i.e. outbound/inbound, persistent/ephemeral
}
// link tracks the state of a connection, either persistent or non-persistent
type link struct {
lname string
links *links
conn *linkConn
options linkOptions
info linkInfo
incoming bool
force bool
phony.Inbox
ctx context.Context //
cancel context.CancelFunc //
kick chan struct{} // Attempt to reconnect now, if backing off
info linkInfo //
linkProto string // Protocol carrier of link, e.g. TCP, AWDL
_conn *linkConn // Connected link, if any, nil if not connected
_err error // Last error on the connection, if any
_errtime time.Time // Last time an error occured
}
type linkOptions struct {
pinnedEd25519Keys map[keyArray]struct{}
priority uint8
tlsSNI string
}
type Listener struct {
net.Listener
closed chan struct{}
listener net.Listener
ctx context.Context
Cancel context.CancelFunc
}
func (l *Listener) Addr() net.Addr {
return l.listener.Addr()
}
func (l *Listener) Close() error {
err := l.Listener.Close()
<-l.closed
l.Cancel()
err := l.listener.Close()
<-l.ctx.Done()
return err
}
@ -105,195 +126,294 @@ func (l *links) shutdown() {
func (l *links) isConnectedTo(info linkInfo) bool {
var isConnected bool
phony.Block(l, func() {
_, isConnected = l._links[info]
link, ok := l._links[info]
if !ok {
return
}
isConnected = link._conn != nil
})
return isConnected
}
func (l *links) call(u *url.URL, sintf string, errch chan<- error) (info linkInfo, err error) {
info = linkInfoFor(u.Scheme, sintf, u.Host)
if l.isConnectedTo(info) {
if errch != nil {
close(errch) // already connected, no error
type linkError string
func (e linkError) Error() string { return string(e) }
const ErrLinkAlreadyConfigured = linkError("peer is already configured")
const ErrLinkPriorityInvalid = linkError("priority value is invalid")
const ErrLinkPinnedKeyInvalid = linkError("pinned public key is invalid")
const ErrLinkUnrecognisedSchema = linkError("link schema unknown")
func (l *links) add(u *url.URL, sintf string, linkType linkType) error {
// Generate the link info and see whether we think we already
// have an open peering to this peer.
info := linkInfo{
uri: u.String(),
sintf: sintf,
linkType: linkType,
}
if state, ok := l._links[info]; ok {
select {
case state.kick <- struct{}{}:
default:
}
return info, nil
return ErrLinkAlreadyConfigured
}
options := linkOptions{
pinnedEd25519Keys: map[keyArray]struct{}{},
// Create the link entry. This will contain the connection
// in progress (if any), any error details and a context that
// lets the link be cancelled later.
ctx, cancel := context.WithCancel(l.core.ctx)
state := &link{
info: info,
linkProto: strings.ToUpper(u.Scheme),
ctx: ctx,
cancel: cancel,
}
// Collect together the link options, these are global options
// that are not specific to any given protocol.
var options linkOptions
for _, pubkey := range u.Query()["key"] {
sigPub, err := hex.DecodeString(pubkey)
if err != nil {
if errch != nil {
close(errch)
}
return info, fmt.Errorf("pinned key contains invalid hex characters")
return ErrLinkPinnedKeyInvalid
}
var sigPubKey keyArray
copy(sigPubKey[:], sigPub)
if options.pinnedEd25519Keys == nil {
options.pinnedEd25519Keys = map[keyArray]struct{}{}
}
options.pinnedEd25519Keys[sigPubKey] = struct{}{}
}
if p := u.Query().Get("priority"); p != "" {
pi, err := strconv.ParseUint(p, 10, 8)
if err != nil {
if errch != nil {
close(errch)
}
return info, fmt.Errorf("priority invalid: %w", err)
return ErrLinkPriorityInvalid
}
options.priority = uint8(pi)
}
switch info.linkType {
case "tcp":
go func() {
if errch != nil {
defer close(errch)
}
if err := l.tcp.dial(u, options, sintf); err != nil && err != io.EOF {
l.core.log.Warnf("Failed to dial TCP %s: %s\n", u.Host, err)
if errch != nil {
errch <- err
}
}
}()
case "socks":
go func() {
if errch != nil {
defer close(errch)
}
if err := l.socks.dial(u, options); err != nil && err != io.EOF {
l.core.log.Warnf("Failed to dial SOCKS %s: %s\n", u.Host, err)
if errch != nil {
errch <- err
}
}
}()
// Store the state of the link, try to connect and then run
// the handler.
phony.Block(l, func() {
l._links[info] = state
})
case "tls":
// SNI headers must contain hostnames and not IP addresses, so we must make sure
// that we do not populate the SNI with an IP literal. We do this by splitting
// the host-port combo from the query option and then seeing if it parses to an
// IP address successfully or not.
var tlsSNI string
if sni := u.Query().Get("sni"); sni != "" {
if net.ParseIP(sni) == nil {
tlsSNI = sni
}
// Track how many consecutive connection failures we have had,
// as we will back off exponentially rather than hammering the
// remote node endlessly.
var backoff int
// backoffNow is called when there's a connection error. It
// will wait for the specified amount of time and then return
// true, unless the peering context was cancelled (due to a
// peer removal most likely), in which case it returns false.
// The caller should check the return value to decide whether
// or not to give up trying.
backoffNow := func() bool {
backoff++
duration := time.Second * time.Duration(math.Exp2(float64(backoff)))
select {
case <-time.After(duration):
return true
case <-state.kick:
return true
case <-ctx.Done():
return false
}
// If the SNI is not configured still because the above failed then we'll try
// again but this time we'll use the host part of the peering URI instead.
if tlsSNI == "" {
if host, _, err := net.SplitHostPort(u.Host); err == nil && net.ParseIP(host) == nil {
tlsSNI = host
}
}
go func() {
if errch != nil {
defer close(errch)
}
if err := l.tls.dial(u, options, sintf, tlsSNI); err != nil && err != io.EOF {
l.core.log.Warnf("Failed to dial TLS %s: %s\n", u.Host, err)
if errch != nil {
errch <- err
}
}
}()
case "unix":
go func() {
if errch != nil {
defer close(errch)
}
if err := l.unix.dial(u, options, sintf); err != nil && err != io.EOF {
l.core.log.Warnf("Failed to dial UNIX %s: %s\n", u.Host, err)
if errch != nil {
errch <- err
}
}
}()
default:
if errch != nil {
close(errch)
}
return info, errors.New("unknown call scheme: " + u.Scheme)
}
return info, nil
}
func (l *links) listen(u *url.URL, sintf string) (*Listener, error) {
var listener *Listener
var err error
switch u.Scheme {
case "tcp":
listener, err = l.tcp.listen(u, sintf)
case "tls":
listener, err = l.tls.listen(u, sintf)
case "unix":
listener, err = l.unix.listen(u, sintf)
default:
return nil, fmt.Errorf("unrecognised scheme %q", u.Scheme)
}
return listener, err
}
func (l *links) create(conn net.Conn, dial *linkDial, name string, info linkInfo, incoming, force bool, options linkOptions) error {
intf := link{
conn: &linkConn{
Conn: conn,
up: time.Now(),
},
lname: name,
links: l,
options: options,
info: info,
incoming: incoming,
force: force,
}
// The goroutine is responsible for attempting the connection
// and then running the handler. If the connection is persistent
// then the loop will run endlessly, using backoffs as needed.
// Otherwise the loop will end, cleaning up the link entry.
go func() {
if err := intf.handler(dial); err != nil {
l.core.log.Errorf("Link handler %s error (%s): %s", name, conn.RemoteAddr(), err)
defer phony.Block(l, func() {
delete(l._links, info)
})
for {
conn, err := l.connect(u, info, options)
if err != nil {
if linkType == linkTypePersistent {
phony.Block(state, func() {
state._err = err
state._errtime = time.Now()
})
if backoffNow() {
continue
} else {
return
}
} else {
break
}
}
lc := &linkConn{
Conn: conn,
up: time.Now(),
}
phony.Block(state, func() {
state._conn = lc
state._err = nil
state._errtime = time.Time{}
})
if err = l.handler(&info, options, lc); err != nil && err != io.EOF {
l.core.log.Debugf("Link %s error: %s\n", info.uri, err)
} else {
backoff = 0
}
_ = conn.Close()
phony.Block(state, func() {
state._conn = nil
if state._err = err; state._err != nil {
state._errtime = time.Now()
}
})
if linkType == linkTypePersistent {
if backoffNow() {
continue
} else {
return
}
} else {
break
}
}
}()
return nil
}
func (intf *link) handler(dial *linkDial) error {
defer intf.conn.Close() // nolint:errcheck
// Don't connect to this link more than once.
if intf.links.isConnectedTo(intf.info) {
return nil
func (l *links) listen(u *url.URL, sintf string) (*Listener, error) {
ctx, cancel := context.WithCancel(l.core.ctx)
var protocol linkProtocol
switch strings.ToLower(u.Scheme) {
case "tcp":
protocol = l.tcp
case "tls":
protocol = l.tls
case "unix":
protocol = l.unix
default:
cancel()
return nil, ErrLinkUnrecognisedSchema
}
listener, err := protocol.listen(ctx, u, sintf)
if err != nil {
cancel()
return nil, err
}
li := &Listener{
listener: listener,
ctx: ctx,
Cancel: cancel,
}
go func() {
l.core.log.Printf("%s listener started on %s", strings.ToUpper(u.Scheme), listener.Addr())
defer l.core.log.Printf("%s listener stopped on %s", strings.ToUpper(u.Scheme), listener.Addr())
for {
conn, err := listener.Accept()
if err != nil {
continue
}
pu := *u
pu.Host = conn.RemoteAddr().String()
info := linkInfo{
uri: pu.String(),
sintf: sintf,
linkType: linkTypeIncoming,
}
if l.isConnectedTo(info) {
_ = conn.Close()
continue
}
state := l._links[info]
if state == nil {
state = &link{
info: info,
}
}
lc := &linkConn{
Conn: conn,
up: time.Now(),
}
var options linkOptions
phony.Block(state, func() {
state._conn = lc
state._err = nil
state.linkProto = strings.ToUpper(u.Scheme)
})
phony.Block(l, func() {
l._links[info] = state
})
if err = l.handler(&info, options, lc); err != nil && err != io.EOF {
l.core.log.Debugf("Link %s error: %s\n", u.Host, err)
}
phony.Block(state, func() {
state._conn = nil
if state._err = err; state._err != nil {
state._errtime = time.Now()
}
})
phony.Block(l, func() {
delete(l._links, info)
})
}
}()
return li, nil
}
// Mark the connection as in progress.
phony.Block(intf.links, func() {
intf.links._links[intf.info] = nil
})
// When we're done, clean up the connection entry.
defer phony.Block(intf.links, func() {
delete(intf.links._links, intf.info)
})
func (l *links) connect(u *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
var dialer linkProtocol
switch strings.ToLower(u.Scheme) {
case "tcp":
dialer = l.tcp
case "tls":
// SNI headers must contain hostnames and not IP addresses, so we must make sure
// that we do not populate the SNI with an IP literal. We do this by splitting
// the host-port combo from the query option and then seeing if it parses to an
// IP address successfully or not.
if sni := u.Query().Get("sni"); sni != "" {
if net.ParseIP(sni) == nil {
options.tlsSNI = sni
}
}
// If the SNI is not configured still because the above failed then we'll try
// again but this time we'll use the host part of the peering URI instead.
if options.tlsSNI == "" {
if host, _, err := net.SplitHostPort(u.Host); err == nil && net.ParseIP(host) == nil {
options.tlsSNI = host
}
}
dialer = l.tls
case "socks":
dialer = l.socks
case "unix":
dialer = l.unix
default:
return nil, ErrLinkUnrecognisedSchema
}
return dialer.dial(u, info, options)
}
func (l *links) handler(info *linkInfo, options linkOptions, conn net.Conn) error {
meta := version_getBaseMetadata()
meta.publicKey = intf.links.core.public
meta.publicKey = l.core.public
metaBytes := meta.encode()
if err := intf.conn.SetDeadline(time.Now().Add(time.Second * 6)); err != nil {
if err := conn.SetDeadline(time.Now().Add(time.Second * 6)); err != nil {
return fmt.Errorf("failed to set handshake deadline: %w", err)
}
n, err := intf.conn.Write(metaBytes)
n, err := conn.Write(metaBytes)
switch {
case err != nil:
return fmt.Errorf("write handshake: %w", err)
case err == nil && n != len(metaBytes):
return fmt.Errorf("incomplete handshake send")
}
if _, err = io.ReadFull(intf.conn, metaBytes); err != nil {
if _, err = io.ReadFull(conn, metaBytes); err != nil {
return fmt.Errorf("read handshake: %w", err)
}
if err = intf.conn.SetDeadline(time.Time{}); err != nil {
if err = conn.SetDeadline(time.Time{}); err != nil {
return fmt.Errorf("failed to clear handshake deadline: %w", err)
}
meta = version_metadata{}
@ -302,23 +422,14 @@ func (intf *link) handler(dial *linkDial) error {
return errors.New("failed to decode metadata")
}
if !meta.check() {
var connectError string
if intf.incoming {
connectError = "Rejected incoming connection"
} else {
connectError = "Failed to connect"
}
intf.links.core.log.Debugf("%s: %s is incompatible version (local %s, remote %s)",
connectError,
intf.lname,
return fmt.Errorf("remote node incompatible version (local %s, remote %s)",
fmt.Sprintf("%d.%d", base.majorVer, base.minorVer),
fmt.Sprintf("%d.%d", meta.majorVer, meta.minorVer),
)
return errors.New("remote node is incompatible version")
}
// Check if the remote side matches the keys we expected. This is a bit of a weak
// check - in future versions we really should check a signature or something like that.
if pinned := intf.options.pinnedEd25519Keys; len(pinned) > 0 {
if pinned := options.pinnedEd25519Keys; len(pinned) > 0 {
var key keyArray
copy(key[:], meta.publicKey)
if _, allowed := pinned[key]; !allowed {
@ -326,7 +437,10 @@ func (intf *link) handler(dial *linkDial) error {
}
}
// Check if we're authorized to connect to this key / IP
allowed := intf.links.core.config._allowedPublicKeys
var allowed map[[32]byte]struct{}
phony.Block(l.core, func() {
allowed = l.core.config._allowedPublicKeys
})
isallowed := len(allowed) == 0
for k := range allowed {
if bytes.Equal(k[:], meta.publicKey) {
@ -334,73 +448,32 @@ func (intf *link) handler(dial *linkDial) error {
break
}
}
if intf.incoming && !intf.force && !isallowed {
_ = intf.close()
if info.linkType == linkTypeIncoming && !isallowed {
return fmt.Errorf("node public key %q is not in AllowedPublicKeys", hex.EncodeToString(meta.publicKey))
}
phony.Block(intf.links, func() {
intf.links._links[intf.info] = intf
})
dir := "outbound"
if intf.incoming {
if info.linkType == linkTypeIncoming {
dir = "inbound"
}
remoteAddr := net.IP(address.AddrForKey(meta.publicKey)[:]).String()
remoteStr := fmt.Sprintf("%s@%s", remoteAddr, intf.info.remote)
localStr := intf.conn.LocalAddr()
intf.links.core.log.Infof("Connected %s %s: %s, source %s",
dir, strings.ToUpper(intf.info.linkType), remoteStr, localStr)
remoteStr := fmt.Sprintf("%s@%s", remoteAddr, conn.RemoteAddr())
localStr := conn.LocalAddr()
l.core.log.Infof("Connected %s: %s, source %s",
dir, remoteStr, localStr)
err = intf.links.core.HandleConn(meta.publicKey, intf.conn, intf.options.priority)
err = l.core.HandleConn(meta.publicKey, conn, options.priority)
switch err {
case io.EOF, net.ErrClosed, nil:
intf.links.core.log.Infof("Disconnected %s %s: %s, source %s",
dir, strings.ToUpper(intf.info.linkType), remoteStr, localStr)
l.core.log.Infof("Disconnected %s: %s, source %s",
dir, remoteStr, localStr)
default:
intf.links.core.log.Infof("Disconnected %s %s: %s, source %s; error: %s",
dir, strings.ToUpper(intf.info.linkType), remoteStr, localStr, err)
l.core.log.Infof("Disconnected %s: %s, source %s; error: %s",
dir, remoteStr, localStr, err)
}
if !intf.incoming && dial != nil {
// The connection was one that we dialled, so wait a second and try to
// dial it again.
var retry func(attempt int)
retry = func(attempt int) {
// intf.links.core.log.Infof("Retrying %s (attempt %d of 5)...", dial.url.String(), attempt)
errch := make(chan error, 1)
if _, err := intf.links.call(dial.url, dial.sintf, errch); err != nil {
return
}
if err := <-errch; err != nil {
if attempt < 3 {
time.AfterFunc(time.Second, func() {
retry(attempt + 1)
})
}
}
}
time.AfterFunc(time.Second, func() {
retry(1)
})
}
return nil
}
func (intf *link) close() error {
return intf.conn.Close()
}
func linkInfoFor(linkType, sintf, remote string) linkInfo {
return linkInfo{
linkType: linkType,
local: sintf,
remote: remote,
}
}
type linkConn struct {
// tx and rx are at the beginning of the struct to ensure 64-bit alignment
// on 32-bit platforms, see https://pkg.go.dev/sync/atomic#pkg-note-BUG
@ -421,12 +494,3 @@ func (c *linkConn) Write(p []byte) (n int, err error) {
atomic.AddUint64(&c.tx, uint64(n))
return
}
func linkOptionsForListener(u *url.URL) (l linkOptions) {
if p := u.Query().Get("priority"); p != "" {
if pi, err := strconv.ParseUint(p, 10, 8); err == nil {
l.priority = uint8(pi)
}
}
return
}

38
src/core/link_socks.go
View file

@ -1,6 +1,7 @@
package core
import (
"context"
"fmt"
"net"
"net/url"
@ -20,37 +21,22 @@ func (l *links) newLinkSOCKS() *linkSOCKS {
return lt
}
func (l *linkSOCKS) dial(url *url.URL, options linkOptions) error {
info := linkInfoFor("socks", "", url.Path)
if l.links.isConnectedTo(info) {
return nil
func (l *linkSOCKS) dial(url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
var proxyAuth *proxy.Auth
if url.User != nil && url.User.Username() != "" {
proxyAuth = &proxy.Auth{
User: url.User.Username(),
}
proxyAuth.Password, _ = url.User.Password()
}
proxyAuth := &proxy.Auth{}
proxyAuth.User = url.User.Username()
proxyAuth.Password, _ = url.User.Password()
dialer, err := proxy.SOCKS5("tcp", url.Host, proxyAuth, proxy.Direct)
if err != nil {
return fmt.Errorf("failed to configure proxy")
return nil, fmt.Errorf("failed to configure proxy")
}
pathtokens := strings.Split(strings.Trim(url.Path, "/"), "/")
conn, err := dialer.Dial("tcp", pathtokens[0])
if err != nil {
return err
}
dial := &linkDial{
url: url,
}
return l.handler(dial, info, conn, options, false)
return dialer.Dial("tcp", pathtokens[0])
}
func (l *linkSOCKS) handler(dial *linkDial, info linkInfo, conn net.Conn, options linkOptions, incoming bool) error {
return l.links.create(
conn, // connection
dial, // connection URL
dial.url.String(), // connection name
info, // connection info
incoming, // not incoming
false, // not forced
options, // connection options
)
func (l *linkSOCKS) listen(ctx context.Context, url *url.URL, _ string) (net.Listener, error) {
return nil, fmt.Errorf("SOCKS listener not supported")
}

109
src/core/link_tcp.go
View file

@ -6,7 +6,6 @@ import (
"net"
"net/url"
"strconv"
"strings"
"time"
"github.com/Arceliar/phony"
@ -15,19 +14,19 @@ import (
type linkTCP struct {
phony.Inbox
*links
listener *net.ListenConfig
_listeners map[*Listener]context.CancelFunc
listenconfig *net.ListenConfig
_listeners map[*Listener]context.CancelFunc
}
func (l *links) newLinkTCP() *linkTCP {
lt := &linkTCP{
links: l,
listener: &net.ListenConfig{
listenconfig: &net.ListenConfig{
KeepAlive: -1,
},
_listeners: map[*Listener]context.CancelFunc{},
}
lt.listener.Control = lt.tcpContext
lt.listenconfig.Control = lt.tcpContext
return lt
}
@ -37,7 +36,7 @@ type tcpDialer struct {
addr *net.TCPAddr
}
func (l *linkTCP) dialersFor(url *url.URL, options linkOptions, sintf string) ([]*tcpDialer, error) {
func (l *linkTCP) dialersFor(url *url.URL, info linkInfo) ([]*tcpDialer, error) {
host, p, err := net.SplitHostPort(url.Host)
if err != nil {
return nil, err
@ -56,14 +55,10 @@ func (l *linkTCP) dialersFor(url *url.URL, options linkOptions, sintf string) ([
IP: ip,
Port: port,
}
dialer, err := l.dialerFor(addr, sintf)
dialer, err := l.dialerFor(addr, info.sintf)
if err != nil {
continue
}
info := linkInfoFor("tcp", sintf, tcpIDFor(dialer.LocalAddr, addr))
if l.links.isConnectedTo(info) {
return nil, nil
}
dialers = append(dialers, &tcpDialer{
info: info,
dialer: dialer,
@ -73,13 +68,16 @@ func (l *linkTCP) dialersFor(url *url.URL, options linkOptions, sintf string) ([
return dialers, nil
}
func (l *linkTCP) dial(url *url.URL, options linkOptions, sintf string) error {
dialers, err := l.dialersFor(url, options, sintf)
func (l *linkTCP) dial(url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
if l.core.isTLSOnly() {
return nil, fmt.Errorf("TCP peer prohibited in TLS-only mode")
}
dialers, err := l.dialersFor(url, info)
if err != nil {
return err
return nil, err
}
if len(dialers) == 0 {
return nil
return nil, nil
}
for _, d := range dialers {
var conn net.Conn
@ -88,72 +86,22 @@ func (l *linkTCP) dial(url *url.URL, options linkOptions, sintf string) error {
l.core.log.Warnf("Failed to connect to %s: %s", d.addr, err)
continue
}
name := strings.TrimRight(strings.SplitN(url.String(), "?", 2)[0], "/")
dial := &linkDial{
url: url,
sintf: sintf,
}
return l.handler(dial, name, d.info, conn, options, false, false)
return conn, nil
}
return fmt.Errorf("failed to connect via %d address(es), last error: %w", len(dialers), err)
return nil, err
}
func (l *linkTCP) listen(url *url.URL, sintf string) (*Listener, error) {
ctx, cancel := context.WithCancel(l.core.ctx)
func (l *linkTCP) listen(ctx context.Context, url *url.URL, sintf string) (net.Listener, error) {
if l.core.isTLSOnly() {
return nil, fmt.Errorf("TCP listener prohibited in TLS-only mode")
}
hostport := url.Host
if sintf != "" {
if host, port, err := net.SplitHostPort(hostport); err == nil {
hostport = fmt.Sprintf("[%s%%%s]:%s", host, sintf, port)
}
}
listener, err := l.listener.Listen(ctx, "tcp", hostport)
if err != nil {
cancel()
return nil, err
}
entry := &Listener{
Listener: listener,
closed: make(chan struct{}),
}
phony.Block(l, func() {
l._listeners[entry] = cancel
})
l.core.log.Printf("TCP listener started on %s", listener.Addr())
go func() {
defer phony.Block(l, func() {
delete(l._listeners, entry)
})
for {
conn, err := listener.Accept()
if err != nil {
cancel()
break
}
laddr := conn.LocalAddr().(*net.TCPAddr)
raddr := conn.RemoteAddr().(*net.TCPAddr)
name := fmt.Sprintf("tcp://%s", raddr)
info := linkInfoFor("tcp", sintf, tcpIDFor(laddr, raddr))
if err = l.handler(nil, name, info, conn, linkOptionsForListener(url), true, raddr.IP.IsLinkLocalUnicast()); err != nil {
l.core.log.Errorln("Failed to create inbound link:", err)
}
}
_ = listener.Close()
close(entry.closed)
l.core.log.Printf("TCP listener stopped on %s", listener.Addr())
}()
return entry, nil
}
func (l *linkTCP) handler(dial *linkDial, name string, info linkInfo, conn net.Conn, options linkOptions, incoming, force bool) error {
return l.links.create(
conn, // connection
dial, // connection URL
name, // connection name
info, // connection info
incoming, // not incoming
force, // not forced
options, // connection options
)
return l.listenconfig.Listen(ctx, "tcp", hostport)
}
// Returns the address of the listener.
@ -163,8 +111,8 @@ func (l *linkTCP) getAddr() *net.TCPAddr {
// doesn't have the ability to send more than one address in a packet either
var addr *net.TCPAddr
phony.Block(l, func() {
for listener := range l._listeners {
addr = listener.Addr().(*net.TCPAddr)
for li := range l._listeners {
addr = li.listener.Addr().(*net.TCPAddr)
}
})
return addr
@ -228,16 +176,3 @@ func (l *linkTCP) dialerFor(dst *net.TCPAddr, sintf string) (*net.Dialer, error)
}
return dialer, nil
}
func tcpIDFor(local net.Addr, remoteAddr *net.TCPAddr) string {
if localAddr, ok := local.(*net.TCPAddr); ok && localAddr.IP.Equal(remoteAddr.IP) {
// Nodes running on the same host — include both the IP and port.
return remoteAddr.String()
}
if remoteAddr.IP.IsLinkLocalUnicast() {
// Nodes discovered via multicast — include the IP only.
return remoteAddr.IP.String()
}
// Nodes connected remotely — include both the IP and port.
return remoteAddr.String()
}

119
src/core/link_tls.go
View file

@ -1,20 +1,11 @@
package core
import (
"bytes"
"context"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/hex"
"encoding/pem"
"fmt"
"math/big"
"net"
"net/url"
"strings"
"time"
"github.com/Arceliar/phony"
)
@ -36,27 +27,23 @@ func (l *links) newLinkTLS(tcp *linkTCP) *linkTLS {
Control: tcp.tcpContext,
KeepAlive: -1,
},
config: l.core.config.tls.Clone(),
_listeners: map[*Listener]context.CancelFunc{},
}
var err error
lt.config, err = lt.generateConfig()
if err != nil {
panic(err)
}
return lt
}
func (l *linkTLS) dial(url *url.URL, options linkOptions, sintf, sni string) error {
dialers, err := l.tcp.dialersFor(url, options, sintf)
func (l *linkTLS) dial(url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
dialers, err := l.tcp.dialersFor(url, info)
if err != nil {
return err
return nil, err
}
if len(dialers) == 0 {
return nil
return nil, nil
}
for _, d := range dialers {
tlsconfig := l.config.Clone()
tlsconfig.ServerName = sni
tlsconfig.ServerName = options.tlsSNI
tlsdialer := &tls.Dialer{
NetDialer: d.dialer,
Config: tlsconfig,
@ -66,18 +53,12 @@ func (l *linkTLS) dial(url *url.URL, options linkOptions, sintf, sni string) err
if err != nil {
continue
}
name := strings.TrimRight(strings.SplitN(url.String(), "?", 2)[0], "/")
dial := &linkDial{
url: url,
sintf: sintf,
}
return l.handler(dial, name, d.info, conn, options, false, false)
return conn, nil
}
return fmt.Errorf("failed to connect via %d address(es), last error: %w", len(dialers), err)
return nil, err
}
func (l *linkTLS) listen(url *url.URL, sintf string) (*Listener, error) {
ctx, cancel := context.WithCancel(l.core.ctx)
func (l *linkTLS) listen(ctx context.Context, url *url.URL, sintf string) (net.Listener, error) {
hostport := url.Host
if sintf != "" {
if host, port, err := net.SplitHostPort(hostport); err == nil {
@ -86,88 +67,8 @@ func (l *linkTLS) listen(url *url.URL, sintf string) (*Listener, error) {
}
listener, err := l.listener.Listen(ctx, "tcp", hostport)
if err != nil {
cancel()
return nil, err
}
tlslistener := tls.NewListener(listener, l.config)
entry := &Listener{
Listener: tlslistener,
closed: make(chan struct{}),
}
phony.Block(l, func() {
l._listeners[entry] = cancel
})
l.core.log.Printf("TLS listener started on %s", listener.Addr())
go func() {
defer phony.Block(l, func() {
delete(l._listeners, entry)
})
for {
conn, err := tlslistener.Accept()
if err != nil {
cancel()
break
}
laddr := conn.LocalAddr().(*net.TCPAddr)
raddr := conn.RemoteAddr().(*net.TCPAddr)
name := fmt.Sprintf("tls://%s", raddr)
info := linkInfoFor("tls", sintf, tcpIDFor(laddr, raddr))
if err = l.handler(nil, name, info, conn, linkOptionsForListener(url), true, raddr.IP.IsLinkLocalUnicast()); err != nil {
l.core.log.Errorln("Failed to create inbound link:", err)
}
}
_ = tlslistener.Close()
close(entry.closed)
l.core.log.Printf("TLS listener stopped on %s", listener.Addr())
}()
return entry, nil
}
// RFC5280 section 4.1.2.5
var notAfterNeverExpires = time.Date(9999, time.December, 31, 23, 59, 59, 0, time.UTC)
func (l *linkTLS) generateConfig() (*tls.Config, error) {
certBuf := &bytes.Buffer{}
cert := x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
CommonName: hex.EncodeToString(l.links.core.public[:]),
},
NotBefore: time.Now(),
NotAfter: notAfterNeverExpires,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
certbytes, err := x509.CreateCertificate(rand.Reader, &cert, &cert, l.links.core.public, l.links.core.secret)
if err != nil {
return nil, err
}
if err := pem.Encode(certBuf, &pem.Block{
Type: "CERTIFICATE",
Bytes: certbytes,
}); err != nil {
return nil, err
}
rootCAs := x509.NewCertPool()
rootCAs.AppendCertsFromPEM(certbytes)
return &tls.Config{
RootCAs: rootCAs,
Certificates: []tls.Certificate{
{
Certificate: [][]byte{certbytes},
PrivateKey: l.links.core.secret,
},
},
InsecureSkipVerify: true,
MinVersion: tls.VersionTLS13,
}, nil
}
func (l *linkTLS) handler(dial *linkDial, name string, info linkInfo, conn net.Conn, options linkOptions, incoming, force bool) error {
return l.tcp.handler(dial, name, info, conn, options, incoming, force)
return tlslistener, nil
}

64
src/core/link_unix.go
View file

@ -32,70 +32,14 @@ func (l *links) newLinkUNIX() *linkUNIX {
return lt
}
func (l *linkUNIX) dial(url *url.URL, options linkOptions, _ string) error {
info := linkInfoFor("unix", "", url.Path)
if l.links.isConnectedTo(info) {
return nil
}
func (l *linkUNIX) dial(url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
addr, err := net.ResolveUnixAddr("unix", url.Path)
if err != nil {
return err
}
conn, err := l.dialer.DialContext(l.core.ctx, "unix", addr.String())
if err != nil {
return err
}
dial := &linkDial{
url: url,
}
return l.handler(dial, url.String(), info, conn, options, false)
}
func (l *linkUNIX) listen(url *url.URL, _ string) (*Listener, error) {
ctx, cancel := context.WithCancel(l.core.ctx)
listener, err := l.listener.Listen(ctx, "unix", url.Path)
if err != nil {
cancel()
return nil, err
}
entry := &Listener{
Listener: listener,
closed: make(chan struct{}),
}
phony.Block(l, func() {
l._listeners[entry] = cancel
})
l.core.log.Printf("UNIX listener started on %s", listener.Addr())
go func() {
defer phony.Block(l, func() {
delete(l._listeners, entry)
})
for {
conn, err := listener.Accept()
if err != nil {
cancel()
break
}
info := linkInfoFor("unix", "", url.String())
if err = l.handler(nil, url.String(), info, conn, linkOptionsForListener(url), true); err != nil {
l.core.log.Errorln("Failed to create inbound link:", err)
}
}
_ = listener.Close()
close(entry.closed)
l.core.log.Printf("UNIX listener stopped on %s", listener.Addr())
}()
return entry, nil
return l.dialer.DialContext(l.core.ctx, "unix", addr.String())
}
func (l *linkUNIX) handler(dial *linkDial, name string, info linkInfo, conn net.Conn, options linkOptions, incoming bool) error {
return l.links.create(
conn, // connection
dial, // connection URL
name, // connection name
info, // connection info
incoming, // not incoming
false, // not forced
options, // connection options
)
func (l *linkUNIX) listen(ctx context.Context, url *url.URL, _ string) (net.Listener, error) {
return l.listener.Listen(ctx, "unix", url.Path)
}

20
src/core/options.go
View file

@ -2,12 +2,25 @@ package core
import (
"crypto/ed25519"
"crypto/x509"
"fmt"
"net/url"
)
func (c *Core) _applyOption(opt SetupOption) {
func (c *Core) _applyOption(opt SetupOption) (err error) {
switch v := opt.(type) {
case RootCertificate:
cert := x509.Certificate(v)
if c.config.roots == nil {
c.config.roots = x509.NewCertPool()
}
c.config.roots.AddCert(&cert)
case Peer:
c.config._peers[v] = nil
u, err := url.Parse(v.URI)
if err != nil {
return fmt.Errorf("unable to parse peering URI: %w", err)
}
return c.links.add(u, v.SourceInterface, linkTypePersistent)
case ListenAddress:
c.config._listeners[v] = struct{}{}
case NodeInfo:
@ -19,12 +32,14 @@ func (c *Core) _applyOption(opt SetupOption) {
copy(pk[:], v)
c.config._allowedPublicKeys[pk] = struct{}{}
}
return
}
type SetupOption interface {
isSetupOption()
}
type RootCertificate x509.Certificate
type ListenAddress string
type Peer struct {
URI string
@ -34,6 +49,7 @@ type NodeInfo map[string]interface{}
type NodeInfoPrivacy bool
type AllowedPublicKey ed25519.PublicKey
func (a RootCertificate) isSetupOption() {}
func (a ListenAddress) isSetupOption() {}
func (a Peer) isSetupOption() {}
func (a NodeInfo) isSetupOption() {}

63
src/core/tls.go Normal file
View file

@ -0,0 +1,63 @@
package core
import (
"crypto/tls"
"crypto/x509"
"fmt"
)
func (c *Core) generateTLSConfig(cert *tls.Certificate) (*tls.Config, error) {
config := &tls.Config{
Certificates: []tls.Certificate{*cert},
ClientAuth: tls.RequireAnyClientCert,
GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
return cert, nil
},
VerifyPeerCertificate: c.verifyTLSCertificate,
VerifyConnection: c.verifyTLSConnection,
InsecureSkipVerify: true,
MinVersion: tls.VersionTLS13,
}
return config, nil
}
func (c *Core) verifyTLSCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error {
if c.config.roots == nil {
// If there's no certificate pool configured then we will
// accept all TLS certificates.
return nil
}
if len(rawCerts) == 0 {
return fmt.Errorf("expected at least one certificate")
}
opts := x509.VerifyOptions{
Roots: c.config.roots,
}
for i, rawCert := range rawCerts {
if i == 0 {
// The first certificate is the leaf certificate. All other
// certificates in the list are intermediates, so add them
// into the VerifyOptions.
continue
}
cert, err := x509.ParseCertificate(rawCert)
if err != nil {
return fmt.Errorf("failed to parse intermediate certificate: %w", err)
}
opts.Intermediates.AddCert(cert)
}
cert, err := x509.ParseCertificate(rawCerts[0])
if err != nil {
return fmt.Errorf("failed to parse leaf certificate: %w", err)
}
_, err = cert.Verify(opts)
return err
}
func (c *Core) verifyTLSConnection(cs tls.ConnectionState) error {
return nil
}