Merge pull request #655 from dedis/go15

Adapt to Go 1.15

.travis.yml

@@ -1,7 +1,7 @@
 language: go
 
 go:
-  - "1.14.x"
+  - "1.15.x"
 
 go_import_path: go.dedis.ch/onet/v3
 

network/tls.go

@@ -10,8 +10,10 @@ import (
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/hex"
+	"fmt"
 	"math/big"
 	"net"
+	"net/url"
 	"time"
 
 	"go.dedis.ch/kyber/v3"
@@ -117,6 +119,9 @@ func (cm *certMaker) getClientCertificate(req *tls.CertificateRequestInfo) (*tls
 	return cert, nil
 }
 
+// This global is only manipulated in tls_test.go.
+var testNoURIs = false
+
 func (cm *certMaker) get(nonce []byte) (*tls.Certificate, error) {
 	if len(nonce) != nonceSize {
 		return nil, xerrors.New("nonce is the wrong size")
@@ -146,16 +151,24 @@ func (cm *certMaker) get(nonce []byte) (*tls.Certificate, error) {
 	r := random.Bits(128, true, random.New())
 	serial.SetBytes(r)
 
+	// The URL scheme is "onet-pubkey:$serviceName:pubToCN($pubkey)".
+	// In this case, we are sending the server public key, so leave
+	// the service name empty.
+	uri, err := url.Parse(fmt.Sprintf("onet-pubkey::%v", cm.subj.CommonName))
+	if err != nil {
+		return nil, err
+	}
+
 	tmpl := &x509.Certificate{
 		BasicConstraintsValid: true,
-		MaxPathLen:            1,
 		IsCA:                  false,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 		NotAfter:              time.Now().Add(2 * time.Hour),
 		NotBefore:             time.Now().Add(-5 * time.Minute),
 		SerialNumber:          serial,
 		SignatureAlgorithm:    x509.ECDSAWithSHA384,
 		Subject:               cm.subj,
+		URIs:                  []*url.URL{uri},
 		ExtraExtensions: []pkix.Extension{
 			{
 				Id:       oidDedisSig,
@@ -165,6 +178,14 @@ func (cm *certMaker) get(nonce []byte) (*tls.Certificate, error) {
 		},
 	}
 
+	// For testing interoperability between old-style handshakes and the new
+	// URI-based handshakes. It is unfortunate to use a global but the only
+	// context we have here to attach to is cm, which is not possible for the
+	// test code to get ahold of and modify.
+	if testNoURIs {
+		tmpl.URIs = nil
+	}
+
 	cDer, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, cm.k.Public(), cm.k)
 	if err != nil {
 		return nil, xerrors.Errorf("certificate: %v", err)
@@ -262,7 +283,7 @@ func NewTLSListenerWithListenAddr(si *ServerIdentity, suite Suite,
 		return cfg2, nil
 	}
 
-	// This is "any client cert" because we do not want crypto/tls
+	// This is an "any client cert" because we do not want crypto/tls
 	// to run Verify. However, since we provide a VerifyPeerCertificate
 	// callback, it will still call us.
 	cfg.ClientAuth = tls.RequireAnyClientCert
@@ -320,12 +341,28 @@ func makeVerifier(suite Suite, them *ServerIdentity) (verifier, []byte) {
 			return xerrors.Errorf("certificate verification: %v", err)
 		}
 
-		// When we know who we are connecting to (e.g. client mode):
-		// Check that the CN is the same as the public key.
+		// When we know who we are connecting to (e.g. client mode, so them !=
+		// nil) check that the public key advertsied by the far side is the same
+		// as the public key we expect.
 		if them != nil {
-			err = cert.VerifyHostname(pubToCN(them.Public))
-			if err != nil {
-				return xerrors.Errorf("certificate verification: %v", err)
+			if len(cert.URIs) > 0 {
+				// see explanation of the URL scheme above for why we prepend :.
+				cn := fmt.Sprintf(":%v", pubToCN(them.Public))
+				found := false
+				for _, u := range cert.URIs {
+					if u.Scheme == "onet-pubkey" && u.Opaque == cn {
+						found = true
+						break
+					}
+				}
+				if !found {
+					return xerrors.Errorf("No onet-pubkey URIs match the expected public key %v", pubToCN(them.Public))
+				}
+			} else {
+				// The other end did not send any URIs (old style), so check the CN instead.
+				if cert.Subject.CommonName != pubToCN(them.Public) {
+					return xerrors.Errorf("certificate common-name %v not expected", cert.Subject.CommonName)
+				}
 			}
 		}
 

network/tls_test.go

@@ -34,17 +34,31 @@ type hello struct {
 }
 
 func TestTLS(t *testing.T) {
-	testTLS(t, tSuite)
+	testTLS(t, tSuite, false)
 }
 
 func TestTLS_bn256(t *testing.T) {
 	s := suites.MustFind("bn256.g2")
-	testTLS(t, s)
+	testTLS(t, s, false)
 }
 
-func testTLS(t *testing.T, s suites.Suite) {
+func TestTLS_noURIs(t *testing.T) {
+	testTLS(t, tSuite, true)
+}
+
+func testTLS(t *testing.T, s suites.Suite, noURIs bool) {
+	// Clean up changes we might make in this test.
+	defer func() {
+		testNoURIs = false
+	}()
+
+	// R1 has URI-based handshakes unconditionally.
 	r1, err := NewTestRouterTLS(s, 0)
 	require.Nil(t, err, "new tcp router")
+
+	// R2 might have no URIs, in order to simulate old handshake to new handshake
+	// compatibility.
+	testNoURIs = noURIs
 	r2, err := NewTestRouterTLS(s, 0)
 	require.Nil(t, err, "new tcp router 2")