diff --git a/Makefile b/Makefile
index e76fe9f..41c2d6e 100644
--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,6 @@ LDFLAGS = \
 GOFILES = \
 	grumble.go \
 	message.go \
-	tlsserver.go \
 	server.go \
 	client.go \
 	channel.go \
diff --git a/server.go b/server.go
index c28e591..4e91f0d 100644
--- a/server.go
+++ b/server.go
@@ -22,6 +22,7 @@ import (
 	"gob"
 	"hash"
 	"io"
+	"path/filepath"
 	"rand"
 	"strings"
 )
@@ -47,6 +48,7 @@ type Server struct {
 	address string
 	port int
 	udpconn *net.UDPConn
+	tlscfg *tls.Config
 	running bool
 	incoming chan *Message
@@ -1091,12 +1093,28 @@ func (s *Server) ListenAndMurmur() {
 	go s.SendUDP()
 	// Create a new listening TLS socket.
-	l := NewTLSListener(s.port)
-	if l == nil {
-		log.Printf("Unable to create TLS listener")
+	cert, err := tls.LoadX509KeyPair(filepath.Join(*datadir, "cert"), filepath.Join(*datadir, "key"))
+	if err != nil {
+		log.Printf("Unable to load x509 key pair: %v", err)
 		return
 	}
+	cfg := new(tls.Config)
+	cfg.Certificates = append(cfg.Certificates, cert)
+	cfg.AuthenticateClient = true
+	s.tlscfg = cfg
+
+	tl, err := net.ListenTCP("tcp", &net.TCPAddr{
+		net.ParseIP("0.0.0.0"),
+		s.port,
+	})
+	if err != nil {
+		log.Printf("Cannot bind: %s\n", err)
+		return
+	}
+
+	listener := tls.NewListener(tl, s.tlscfg)
+
 	log.Printf("Created new Murmur instance on port %v", s.port)
 	// The main accept loop. Basically, we block
@@ -1105,7 +1123,7 @@ func (s *Server) ListenAndMurmur() {
 	// a new Go-routine to handle the client.
 	for {
 		// New client connected
-		conn, err := l.Accept()
+		conn, err := listener.Accept()
 		if err != nil {
 			log.Printf("Unable to accept() new client.")
 		}
diff --git a/tlsserver.go b/tlsserver.go
deleted file mode 100644
index 25b548a..0000000
--- a/tlsserver.go
+++ /dev/null
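Review bot: `cfg.AuthenticateClient = true` only makes the server request a certificate from the client; nothing in this hunk installs a CA pool or verifies the presented chain, so any identity later derived from the client certificate (in the part of ListenAndMurmur that continues past the hunk) is self-asserted and must be handled as such — a comment such as `// Request a client cert; it is not verified here, so treat its fields as untrusted identity hints.` would make that explicit. The removed tlsserver.go set `config.Rand` and `config.Time` explicitly, whereas the new `cfg` leaves both nil; presumably this Go version's tls package falls back to crypto/rand and the system clock when they are unset, but that should be confirmed rather than assumed. The listener is still bound to `net.ParseIP("0.0.0.0")` even though the struct hunk shows an `address string` field on Server, so if that field is meant to be the bind address it is being ignored here. Minor: `log.Printf("Cannot bind: %s\n", err)` carries a redundant trailing newline, since log.Printf appends one itself.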
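Review bot: The error branch after `listener.Accept()` only logs and then falls through, so on a failed accept the loop presumably continues with a nil `conn`, and if the failure is persistent (e.g. file-descriptor exhaustion) it spins without backing off; the loop body continues outside the hunk, so this is inferred from what is visible. Suggest `if err != nil { log.Printf("Unable to accept() new client: %v", err); continue }`, optionally with a short sleep before retrying on temporary network errors. Including the discarded `err` in the log line also makes the message actionable instead of a bare "Unable to accept()".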
@@ -1,90 +0,0 @@
-package main
-
-import (
-	"log"
-	"time"
-	"net"
-	"crypto/tls"
-	"crypto/rand"
-	"encoding/pem"
-	"crypto/x509"
-	"io/ioutil"
-	"path/filepath"
-)
-
-func NewTLSListener(port int) (rl *tls.Listener) {
-	rl = nil
-
-	// Load the certificate
-	pemBytes, err := ioutil.ReadFile(filepath.Join(*datadir, "cert"))
-	if err != nil {
-		log.Printf("Failed to read server.crt: %s", err)
-		return
-	}
-
-	// Decode the certificate
-	cert, _ := pem.Decode(pemBytes)
-	if cert == nil {
-		log.Printf("Failed to parse server.crt")
-		return
-	}
-
-	// Load the private key
-	keyBytes, err := ioutil.ReadFile(filepath.Join(*datadir, "key"))
-	if err != nil {
-		log.Printf("Failed to read server.key.insecure: %s", err)
-		return
-	}
-
-	// Decode the private key
-	pkPEM, _ := pem.Decode(keyBytes)
-	if pkPEM == nil {
-		log.Printf("Failed to parse server.key.insecure: %s", err)
-		return
-	}
-
-	// Determine if we are an RSA private key
-	if pkPEM.Type != "RSA PRIVATE KEY" {
-		log.Printf("server.key.insecure is not an RSA private key. Found '%s'",
-			pkPEM.Type)
-		return
-	}
-
-	// Check if the PEM file has headers. This will typically
-	// mean that it requires a passphrase to decrypt it. For now,
-	// let us just assume that people will decrypt them for us, so
-	// we can use them without too much work.
-	if len(pkPEM.Headers) != 0 {
-		log.Printf("server.key.insecure has headers and is probably encrypted.")
-		return
-	}
-
-	// Parse the PKCS12 private key.
-	priv, err := x509.ParsePKCS1PrivateKey(pkPEM.Bytes)
-	if err != nil {
-		log.Printf("Invalid key in server.key.insecure: %s", err)
-		return
-	}
-
-	// Create a new TLS config.
-	config := new(tls.Config)
-	config.Rand = rand.Reader
-	config.Time = time.Seconds
-	config.Certificates = make([]tls.Certificate, 1)
-	config.Certificates[0].Certificate = [][]byte{cert.Bytes}
-	config.Certificates[0].PrivateKey = priv
-	config.AuthenticateClient = true
-
-	l, err := net.ListenTCP("tcp", &net.TCPAddr{
-		net.ParseIP("0.0.0.0"),
-		port,
-	})
-	if err != nil {
-		log.Printf("Cannot bind: %s\n", err)
-		return
-	}
-
-	rl = tls.NewListener(l, config)
-
-	return
-}