Merge pull request #1400 from calmh/negproto

Verify negotiated protocol bep/1.0
This commit is contained in:
Audrius Butkevicius 2015-03-05 15:16:59 +00:00
commit 6057138466
2 changed files with 27 additions and 2 deletions

View File

@ -41,7 +41,21 @@ func listenConnect(myID protocol.DeviceID, m *model.Model, tlsCfg *tls.Config) {
next: next:
for conn := range conns { for conn := range conns {
certs := conn.ConnectionState().PeerCertificates cs := conn.ConnectionState()
// We should have negotiated the next level protocol "bep/1.0" as part
// of the TLS handshake. If we didn't, we're not speaking to another
// BEP-speaker so drop the connection.
if !cs.NegotiatedProtocolIsMutual || cs.NegotiatedProtocol != bepProtocolName {
l.Infof("Peer %s did not negotiate bep/1.0", conn.RemoteAddr())
conn.Close()
continue
}
// We should have received exactly one certificate from the other
// side. If we didn't, they don't have a device ID and we drop the
// connection.
certs := cs.PeerCertificates
if cl := len(certs); cl != 1 { if cl := len(certs); cl != 1 {
l.Infof("Got peer certificate list of length %d != 1 from %s; protocol error", cl, conn.RemoteAddr()) l.Infof("Got peer certificate list of length %d != 1 from %s; protocol error", cl, conn.RemoteAddr())
conn.Close() conn.Close()
@ -50,12 +64,21 @@ next:
remoteCert := certs[0] remoteCert := certs[0]
remoteID := protocol.NewDeviceID(remoteCert.Raw) remoteID := protocol.NewDeviceID(remoteCert.Raw)
// The device ID should not be that of ourselves. It can happen
// though, especially in the presense of NAT hairpinning, multiple
// clients between the same NAT gateway, and global discovery.
if remoteID == myID { if remoteID == myID {
l.Infof("Connected to myself (%s) - should not happen", remoteID) l.Infof("Connected to myself (%s) - should not happen", remoteID)
conn.Close() conn.Close()
continue continue
} }
// We should not already be connected to the other party. TODO: This
// could use some better handling. If the old connection is dead but
// hasn't timed out yet we may want to drop *that* connection and keep
// this one. But in case we are two devices connecting to each other
// in parallell we don't want to do that or we end up with no
// connections still established...
if m.ConnectedTo(remoteID) { if m.ConnectedTo(remoteID) {
l.Infof("Connected to already connected device (%s)", remoteID) l.Infof("Connected to already connected device (%s)", remoteID)
conn.Close() conn.Close()

View File

@ -72,6 +72,8 @@ const (
exitUpgrading = 4 exitUpgrading = 4
) )
const bepProtocolName = "bep/1.0"
var l = logger.DefaultLogger var l = logger.DefaultLogger
func init() { func init() {
@ -461,7 +463,7 @@ func syncthingMain() {
tlsCfg := &tls.Config{ tlsCfg := &tls.Config{
Certificates: []tls.Certificate{cert}, Certificates: []tls.Certificate{cert},
NextProtos: []string{"bep/1.0"}, NextProtos: []string{bepProtocolName},
ClientAuth: tls.RequestClientCert, ClientAuth: tls.RequestClientCert,
SessionTicketsDisabled: true, SessionTicketsDisabled: true,
InsecureSkipVerify: true, InsecureSkipVerify: true,