// Makes an outgoing connection using that protocol type to the given node ID. // Returns a non-nil error if it is unable to connect. // Panics if it is called with protocol set to CLIENT_PROTOCOL. func Dial(protocol int, id uint16) (*BaseConn, error) { log.Print("dialing node ", id) if protocol == CLIENT_PROTOCOL { panic("tried to make outgoing client protocol connection") } ip := config.NodeIP(id) ipStr := ip.String() port := getProtocolPort(protocol) portStr := strconv.FormatInt(int64(port), 10) tlsConfig := new(tls.Config) tlsConfig.Certificates = []tls.Certificate{*config.Certificate()} tlsConfig.RootCAs = config.NodeCertPool(id) // We rely on the receiving node to do TLS authentication for now. // This is safe because it verifies our identity for us. // Backwards to the usual arrangement but should be secure. tlsConfig.InsecureSkipVerify = true tlsConn, err := tls.Dial("tcp", ipStr+":"+portStr, tlsConfig) if err != nil { log.Print(err) return nil, err } return newBaseConn(tlsConn), nil }
// Blocks listening for connections of that given protocol type, // and calls the specified handler when one is received, // passing the node ID of the connecting node, or 0 for the Client Protocol. func Listen(protocol int, handler func(id uint16, b *BaseConn)) { ip := config.NodeIP(config.Id()) ipStr := ip.String() port := getProtocolPort(protocol) portStr := strconv.FormatInt(int64(port), 10) tlsConfig := new(tls.Config) tlsConfig.Certificates = []tls.Certificate{*config.Certificate()} if protocol != CLIENT_PROTOCOL { tlsConfig.ClientAuth = tls.RequireAnyClientCert } listener, err := tls.Listen("tcp", ipStr+":"+portStr, tlsConfig) if err != nil { log.Fatal(err) } for { conn, err := listener.Accept() if err != nil { log.Fatal(err) } tlsConn := conn.(*tls.Conn) err = tlsConn.Handshake() if err != nil { tlsConn.Close() continue } if protocol != CLIENT_PROTOCOL { // Check this connecting node has authenticated. state := tlsConn.ConnectionState() if len(state.PeerCertificates) == 0 { tlsConn.Close() continue } cert := state.PeerCertificates[0] // Identify which node they authenticated as. matched := false for _, node := range config.Nodes() { var verifyOpts x509.VerifyOptions verifyOpts.Intermediates = new(x509.CertPool) verifyOpts.Roots = config.NodeCertPool(node) chains, err := cert.Verify(verifyOpts) if err != nil { continue } // Matched the node. Start the handler. if len(chains) > 0 { matched = true go handler(node, newBaseConn(tlsConn)) break } } // No matching node found. Close the connection. if !matched { tlsConn.Close() } } else { // We don't authenticate clients. // Just run the handler. handler(0, newBaseConn(tlsConn)) } } }