mirror of
https://github.com/syncthing/syncthing.git
synced 2024-11-17 02:48:57 -07:00
64354b51c9
Doesn't matter at all for BEP, but the same stuff is used by the web UI and modern browsers are starting to dislike SHA1 extra much.
139 lines
3.6 KiB
Go
139 lines
3.6 KiB
Go
// Copyright (C) 2014 The Syncthing Authors.
|
|
//
|
|
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
|
// You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
package tlsutil
|
|
|
|
import (
|
|
"bufio"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"io"
|
|
"math/big"
|
|
mr "math/rand"
|
|
"net"
|
|
"os"
|
|
"time"
|
|
)
|
|
|
|
var (
|
|
ErrIdentificationFailed = fmt.Errorf("failed to identify socket type")
|
|
)
|
|
|
|
func NewCertificate(certFile, keyFile, tlsDefaultCommonName string, tlsRSABits int) (tls.Certificate, error) {
|
|
priv, err := rsa.GenerateKey(rand.Reader, tlsRSABits)
|
|
if err != nil {
|
|
return tls.Certificate{}, fmt.Errorf("generate key: %s", err)
|
|
}
|
|
|
|
notBefore := time.Now()
|
|
notAfter := time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)
|
|
|
|
template := x509.Certificate{
|
|
SerialNumber: new(big.Int).SetInt64(mr.Int63()),
|
|
Subject: pkix.Name{
|
|
CommonName: tlsDefaultCommonName,
|
|
},
|
|
NotBefore: notBefore,
|
|
NotAfter: notAfter,
|
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
|
BasicConstraintsValid: true,
|
|
SignatureAlgorithm: x509.SHA256WithRSA,
|
|
}
|
|
|
|
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
|
|
if err != nil {
|
|
return tls.Certificate{}, fmt.Errorf("create cert: %s", err)
|
|
}
|
|
|
|
certOut, err := os.Create(certFile)
|
|
if err != nil {
|
|
return tls.Certificate{}, fmt.Errorf("save cert: %s", err)
|
|
}
|
|
err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
|
|
if err != nil {
|
|
return tls.Certificate{}, fmt.Errorf("save cert: %s", err)
|
|
}
|
|
err = certOut.Close()
|
|
if err != nil {
|
|
return tls.Certificate{}, fmt.Errorf("save cert: %s", err)
|
|
}
|
|
|
|
keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
|
if err != nil {
|
|
return tls.Certificate{}, fmt.Errorf("save key: %s", err)
|
|
}
|
|
err = pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
|
|
if err != nil {
|
|
return tls.Certificate{}, fmt.Errorf("save key: %s", err)
|
|
}
|
|
err = keyOut.Close()
|
|
if err != nil {
|
|
return tls.Certificate{}, fmt.Errorf("save key: %s", err)
|
|
}
|
|
|
|
return tls.LoadX509KeyPair(certFile, keyFile)
|
|
}
|
|
|
|
type DowngradingListener struct {
|
|
net.Listener
|
|
TLSConfig *tls.Config
|
|
}
|
|
|
|
func (l *DowngradingListener) Accept() (net.Conn, error) {
|
|
conn, isTLS, err := l.AcceptNoWrapTLS()
|
|
|
|
// We failed to identify the socket type, pretend that everything is fine,
|
|
// and pass it to the underlying handler, and let them deal with it.
|
|
if err == ErrIdentificationFailed {
|
|
return conn, nil
|
|
}
|
|
|
|
if err != nil {
|
|
return conn, err
|
|
}
|
|
|
|
if isTLS {
|
|
return tls.Server(conn, l.TLSConfig), nil
|
|
}
|
|
return conn, nil
|
|
}
|
|
|
|
func (l *DowngradingListener) AcceptNoWrapTLS() (net.Conn, bool, error) {
|
|
conn, err := l.Listener.Accept()
|
|
if err != nil {
|
|
return nil, false, err
|
|
}
|
|
|
|
br := bufio.NewReader(conn)
|
|
conn.SetReadDeadline(time.Now().Add(1 * time.Second))
|
|
bs, err := br.Peek(1)
|
|
conn.SetReadDeadline(time.Time{})
|
|
if err != nil {
|
|
// We hit a read error here, but the Accept() call succeeded so we must not return an error.
|
|
// We return the connection as is with a special error which handles this
|
|
// special case in Accept().
|
|
return conn, false, ErrIdentificationFailed
|
|
}
|
|
|
|
return &UnionedConnection{br, conn}, bs[0] == 0x16, nil
|
|
}
|
|
|
|
type UnionedConnection struct {
|
|
io.Reader
|
|
net.Conn
|
|
}
|
|
|
|
func (c *UnionedConnection) Read(b []byte) (n int, err error) {
|
|
return c.Reader.Read(b)
|
|
}
|