From 9a2e9fbc3ca1d40b4af9da61822422bbb7aa8559 Mon Sep 17 00:00:00 2001 From: Samuel Hawksby-Robinson Date: Fri, 2 Jun 2023 03:44:24 +0100 Subject: [PATCH] Added preflight outbound check to local pairing --- mobile/status.go | 2 +- server/certs.go | 55 ++++---- server/pairing/preflight/preflight.go | 142 +++++++++++++++++++++ server/pairing/preflight/preflight_test.go | 12 ++ server/server_media.go | 4 +- 5 files changed, 187 insertions(+), 28 deletions(-) create mode 100644 server/pairing/preflight/preflight.go create mode 100644 server/pairing/preflight/preflight_test.go diff --git a/mobile/status.go b/mobile/status.go index 0d28e4a19..f20c8fae7 100644 --- a/mobile/status.go +++ b/mobile/status.go @@ -916,7 +916,7 @@ func ConvertToRegularAccount(mnemonic, currPassword, newPassword string) string } func ImageServerTLSCert() string { - cert, err := server.PublicTLSCert() + cert, err := server.PublicMediaTLSCert() if err != nil { return makeJSONResponse(err) diff --git a/server/certs.go b/server/certs.go index 417924caf..5002955f6 100644 --- a/server/certs.go +++ b/server/certs.go @@ -13,8 +13,8 @@ import ( "time" ) -var globalCertificate *tls.Certificate = nil -var globalPem string +var globalMediaCertificate *tls.Certificate = nil +var globalMediaPem string func makeRandomSerialNumber() (*big.Int, error) { serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) @@ -59,47 +59,52 @@ func GenerateX509PEMs(cert *x509.Certificate, key *ecdsa.PrivateKey) (certPem, k return } -func generateTLSCert() error { - if globalCertificate != nil { - return nil - } - +func GenerateTLSCert(notBefore, notAfter time.Time, hostname string) (*tls.Certificate, []byte, error) { priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { - return err + return nil, nil, err + } + + sn, err := makeRandomSerialNumber() + if err != nil { + return nil, nil, err + } + + cert := GenerateX509Cert(sn, notBefore, notAfter, hostname) + certPem, keyPem, err := GenerateX509PEMs(cert, priv) + if err != nil { + return nil, nil, err + } + + finalCert, err := tls.X509KeyPair(certPem, keyPem) + return &finalCert, certPem, err +} + +func generateMediaTLSCert() error { + if globalMediaCertificate != nil { + return nil } notBefore := time.Now() notAfter := notBefore.Add(365 * 24 * time.Hour) - sn, err := makeRandomSerialNumber() + finalCert, certPem, err := GenerateTLSCert(notBefore, notAfter, Localhost) if err != nil { return err } - cert := GenerateX509Cert(sn, notBefore, notAfter, Localhost) - certPem, keyPem, err := GenerateX509PEMs(cert, priv) - if err != nil { - return err - } - - finalCert, err := tls.X509KeyPair(certPem, keyPem) - if err != nil { - return err - } - - globalCertificate = &finalCert - globalPem = string(certPem) + globalMediaCertificate = finalCert + globalMediaPem = string(certPem) return nil } -func PublicTLSCert() (string, error) { - err := generateTLSCert() +func PublicMediaTLSCert() (string, error) { + err := generateMediaTLSCert() if err != nil { return "", err } - return globalPem, nil + return globalMediaPem, nil } // ToECDSA takes a []byte of D and uses it to create an ecdsa.PublicKey on the elliptic.P256 curve diff --git a/server/pairing/preflight/preflight.go b/server/pairing/preflight/preflight.go new file mode 100644 index 000000000..ab547603b --- /dev/null +++ b/server/pairing/preflight/preflight.go @@ -0,0 +1,142 @@ +package preflight + +import ( + "crypto/tls" + "crypto/x509" + "fmt" + "net" + "net/http" + "net/url" + "strconv" + "time" + + "github.com/status-im/status-go/logutils" + "github.com/status-im/status-go/protocol/common" + "github.com/status-im/status-go/server" +) + +const ( + outboundCheck = "/outbound_check" + headerPing = "ping" + headerPong = "pong" +) + +func preflightHandler(w http.ResponseWriter, r *http.Request) { + ping := r.Header.Get(headerPing) + if ping == "" { + http.Error(w, "no value in 'ping' header", http.StatusBadRequest) + } + + w.Header().Set(headerPong, ping) +} + +func makeCert(address net.IP) (*tls.Certificate, []byte, error) { + notBefore := time.Now() + notAfter := notBefore.Add(time.Minute) + return server.GenerateTLSCert(notBefore, notAfter, address.String()) +} + +func makeAndStartServer(cert *tls.Certificate, address net.IP) (string, func() error, error) { + s := server.NewServer( + cert, + address.String(), + nil, + logutils.ZapLogger().Named("Preflight Server"), + ) + + s.SetHandlers(server.HandlerPatternMap{outboundCheck: preflightHandler}) + err := s.Start() + if err != nil { + return "", nil, err + } + + // hack : sleep to give server time + // TODO something funky with the afterPortChanged func. Maybe waitgroup magic + time.Sleep(500 * time.Millisecond) + return s.GetHostname() + ":" + strconv.Itoa(s.GetPort()), s.Stop, nil +} + +func makeClient(certPem []byte) (*http.Client, error) { + rootCAs, err := x509.SystemCertPool() + if err != nil { + return nil, err + } + if ok := rootCAs.AppendCertsFromPEM(certPem); !ok { + return nil, fmt.Errorf("failed to append certPem to rootCAs") + } + + tr := &http.Transport{ + TLSClientConfig: &tls.Config{ + MinVersion: tls.VersionTLS12, + InsecureSkipVerify: false, // MUST BE FALSE + RootCAs: rootCAs, + }, + } + + return &http.Client{Transport: tr}, nil +} + +func makeOutboundCheck(c *http.Client, host string) error { + u := url.URL{ + Scheme: "https", + Host: host, + Path: outboundCheck, + } + + req, err := http.NewRequest("GET", u.String(), nil) + if err != nil { + return err + } + + ping, err := common.RandomAlphanumericString(64) + if err != nil { + return err + } + + req.Header.Set(headerPing, ping) + + resp, err := c.Do(req) + if err != nil { + return err + } + + if resp.StatusCode != http.StatusOK { + return fmt.Errorf("response status not ok, received '%d' : '%s'", resp.StatusCode, resp.Status) + } + + pong := resp.Header.Get(headerPong) + if pong != ping { + return fmt.Errorf("ping should match pong: ping '%s', pong '%s'", ping, pong) + } + return nil +} + +func CheckOutbound() error { + // cert stuff + outboundIP, err := server.GetOutboundIP() + if err != nil { + return err + } + + cert, certPem, err := makeCert(outboundIP) + if err != nil { + return err + } + + // server stuff + host, stop, err := makeAndStartServer(cert, outboundIP) + if err != nil { + return err + } + defer func() { + stop() + }() + + // Client stuff + c, err := makeClient(certPem) + if err != nil { + return err + } + + return makeOutboundCheck(c, host) +} diff --git a/server/pairing/preflight/preflight_test.go b/server/pairing/preflight/preflight_test.go new file mode 100644 index 000000000..a08f7d592 --- /dev/null +++ b/server/pairing/preflight/preflight_test.go @@ -0,0 +1,12 @@ +package preflight + +import ( + "testing" +) + +func TestCheckOutbound(t *testing.T) { + err := CheckOutbound() + if err != nil { + t.Fatal(err) + } +} diff --git a/server/server_media.go b/server/server_media.go index 6a5939cb7..1f0cdefcd 100644 --- a/server/server_media.go +++ b/server/server_media.go @@ -20,14 +20,14 @@ type MediaServer struct { // NewMediaServer returns a *MediaServer func NewMediaServer(db *sql.DB, downloader *ipfs.Downloader, multiaccountsDB *multiaccounts.Database) (*MediaServer, error) { - err := generateTLSCert() + err := generateMediaTLSCert() if err != nil { return nil, err } s := &MediaServer{ Server: NewServer( - globalCertificate, + globalMediaCertificate, Localhost, signal.SendMediaServerStarted, logutils.ZapLogger().Named("MediaServer"),