Skip to content

Commit

Permalink
feat: catch panics in TLS negotiation
Browse files Browse the repository at this point in the history
Part of #1389
  • Loading branch information
Stebalien committed Apr 19, 2022
1 parent 7ee67dd commit 6d7a396
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 2 deletions.
12 changes: 11 additions & 1 deletion p2p/security/tls/crypto.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ import (
"errors"
"fmt"
"math/big"
"os"
"runtime/debug"
"time"

"golang.org/x/sys/cpu"
Expand Down Expand Up @@ -72,7 +74,15 @@ func (i *Identity) ConfigForPeer(remote peer.ID) (*tls.Config, <-chan ic.PubKey)
conf := i.config.Clone()
// We're using InsecureSkipVerify, so the verifiedChains parameter will always be empty.
// We need to parse the certificates ourselves from the raw certs.
conf.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
conf.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) (err error) {
defer func() {
if rerr := recover(); rerr != nil {
fmt.Fprintf(os.Stderr, "panic when processing peer certificate in TLS handshake: %s\n%s\n", rerr, debug.Stack())
err = fmt.Errorf("panic when processing peer certificate in TLS handshake: %s", rerr)

}
}()

defer close(keyCh)

chain := make([]*x509.Certificate, len(rawCerts))
Expand Down
13 changes: 12 additions & 1 deletion p2p/security/tls/transport.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,10 @@ import (
"context"
"crypto/tls"
"errors"
"fmt"
"net"
"os"
"runtime/debug"

ci "github.com/libp2p/go-libp2p-core/crypto"
"github.com/libp2p/go-libp2p-core/peer"
Expand Down Expand Up @@ -70,7 +73,15 @@ func (t *Transport) SecureOutbound(ctx context.Context, insecure net.Conn, p pee
return cs, err
}

func (t *Transport) handshake(ctx context.Context, tlsConn *tls.Conn, keyCh <-chan ci.PubKey) (sec.SecureConn, error) {
func (t *Transport) handshake(ctx context.Context, tlsConn *tls.Conn, keyCh <-chan ci.PubKey) (_sconn sec.SecureConn, err error) {
defer func() {
if rerr := recover(); rerr != nil {
fmt.Fprintf(os.Stderr, "panic in TLS handshake: %s\n%s\n", rerr, debug.Stack())
err = fmt.Errorf("panic in TLS handshake: %s", rerr)

}
}()

if err := tlsConn.HandshakeContext(ctx); err != nil {
return nil, err
}
Expand Down

0 comments on commit 6d7a396

Please sign in to comment.