Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: quic integration #1466

Draft
wants to merge 56 commits into
base: v0.34.x-celestia
Choose a base branch
from
Draft

WIP: quic integration #1466

wants to merge 56 commits into from

Conversation

rach-id
Copy link
Member

@rach-id rach-id commented Aug 27, 2024

Description

This is just a prototype, doesn't need to be reviewed by automatic reviewers

@rach-id rach-id requested a review from Wondertan August 27, 2024 19:28
@rach-id rach-id self-assigned this Aug 27, 2024
@rach-id rach-id requested a review from a team as a code owner August 27, 2024 19:28
@rach-id rach-id requested review from rootulp and staheri14 and removed request for a team, rootulp and staheri14 August 27, 2024 19:28
@rach-id rach-id marked this pull request as draft August 27, 2024 19:28
}
return &tls.Config{
MinVersion: tls.VersionTLS13,
InsecureSkipVerify: true, // This is not insecure here. We will verify the cert chain ourselves.

Check failure

Code scanning / CodeQL

Disabled TLS certificate check High

InsecureSkipVerify should not be used in production code.

Copilot Autofix AI 21 days ago

To fix the problem, we need to ensure that TLS certificate verification is enabled and properly implemented. This involves:

  1. Removing the InsecureSkipVerify: true setting.
  2. Implementing the VerifyPeerCertificate function to perform the necessary certificate chain verification.

The changes will be made in the NewTLSConfig function in the p2p/certificate.go file. We will:

  • Remove the InsecureSkipVerify: true line.
  • Implement the VerifyPeerCertificate function to verify the certificate chain.
Suggested changeset 1
p2p/certificate.go

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/p2p/certificate.go b/p2p/certificate.go
--- a/p2p/certificate.go
+++ b/p2p/certificate.go
@@ -67,7 +67,26 @@
 		MinVersion:         tls.VersionTLS13,
-		InsecureSkipVerify: true, // This is not insecure here. We will verify the cert chain ourselves.
 		ClientAuth:         tls.RequireAnyClientCert,
 		Certificates:       []tls.Certificate{*cert},
-		VerifyPeerCertificate: func(_ [][]byte, _ [][]*x509.Certificate) error {
-			panic("tls config not specialized for peer")
+		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+			certs := make([]*x509.Certificate, len(rawCerts))
+			for i, rawCert := range rawCerts {
+				cert, err := x509.ParseCertificate(rawCert)
+				if err != nil {
+					return err
+				}
+				certs[i] = cert
+			}
+			opts := x509.VerifyOptions{
+				Roots:         x509.NewCertPool(),
+				Intermediates: x509.NewCertPool(),
+			}
+			for _, cert := range certs {
+				if cert.IsCA {
+					opts.Roots.AddCert(cert)
+				} else {
+					opts.Intermediates.AddCert(cert)
+				}
+			}
+			_, err := certs[0].Verify(opts)
+			return err
 		},
EOF
@@ -67,7 +67,26 @@
MinVersion: tls.VersionTLS13,
InsecureSkipVerify: true, // This is not insecure here. We will verify the cert chain ourselves.
ClientAuth: tls.RequireAnyClientCert,
Certificates: []tls.Certificate{*cert},
VerifyPeerCertificate: func(_ [][]byte, _ [][]*x509.Certificate) error {
panic("tls config not specialized for peer")
VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
certs := make([]*x509.Certificate, len(rawCerts))
for i, rawCert := range rawCerts {
cert, err := x509.ParseCertificate(rawCert)
if err != nil {
return err
}
certs[i] = cert
}
opts := x509.VerifyOptions{
Roots: x509.NewCertPool(),
Intermediates: x509.NewCertPool(),
}
for _, cert := range certs {
if cert.IsCA {
opts.Roots.AddCert(cert)
} else {
opts.Intermediates.AddCert(cert)
}
}
_, err := certs[0].Verify(opts)
return err
},
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
p2p/netaddress.go Fixed Show fixed Hide fixed
Copy link
Member

@Wondertan Wondertan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My current goal is to grasp the approach here, think about it, compare it with alternatives, and contribute with pros and cons for us to compare. The selected approach looks promising and simple. However, a few things are missing for the final version, like stream management, that will add some more complexity.

The first superficial look includes comments on major DOS and synchronization issues that must be fixed.

p2p/peer.go Show resolved Hide resolved
p2p/peer.go Outdated
labels := []string{
"peer_id", string(p.ID()),
"chID", fmt.Sprintf("%#x", chID),
stream, has := p.streams[chID]
Copy link
Member

@Wondertan Wondertan Aug 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Send is called concurrently, so access to streams must be synchronized.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Besides, dead and duplicate stream cases must be handled as well

msg, err = w.Unwrap()
if err != nil {
panic(fmt.Errorf("unwrapping message: %s", err))
// start accepting data
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Before continuing to listen for new messages, it must check whether the given chID is supported.

func (na *NetAddress) Dial(ctx context.Context) (quic.Connection, error) {
tlsConfig := tls.Config{
MinVersion: tls.VersionTLS13,
InsecureSkipVerify: true,
Copy link
Member

@Wondertan Wondertan Aug 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC, this means TLS is disabled, and according to recent additions to the code you meant to enable it, no?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this function is not used anywhere, that's why I didn't fix its implementation. Maybe later

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants