Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

move go-libp2p-webtransport to p2p/transport/webtransport #1737

Merged
merged 54 commits into from
Sep 7, 2022
Merged

move go-libp2p-webtransport to p2p/transport/webtransport #1737

merged 54 commits into from
Sep 7, 2022

Conversation

marten-seemann
Copy link
Contributor

Part of #1717.

@marten-seemann
initial commit
9c2be3c
@marten-seemann
use a context to control listener shutdown
528fa96
@marten-seemann
run a Noise handshake on the first stream
c7ebc6d 
To make this actually secure, we still need to verify the certificate
hashes.
@marten-seemann
generate a single certificate, not a chain
1ea3360
@marten-seemann
implement a basic certificate manager
a077c89
@marten-seemann
check that addr contains at least one certhash in CanDial
268725c
@marten-seemann
fix copying of http.Server mutex in listener constructor
2d295b5
@marten-seemann
fix staticcheck
59fc6ef
@marten-seemann
fix flaky TestCertRenewal test on CI
85384b7
@marten-seemann
check validity of listen addresses
77cdde6
@marten-seemann
initialize a certiticate manager and pass it to the listeners
ee0e2d0
@marten-seemann
implement a Close method for the transport
ae21c6c
@marten-seemann
chore: update webtransport-go
323960e
@marten-seemann
run a Noise handshake on the first stream to verify peer identities
0af48f5
@marten-seemann
simplify the listener.Accept logic
52ae9b7
@marten-seemann
don't close the HTTP response body when dialing
91e9730
@marten-seemann
add more tests for failed handshakes
d8209e3
@marten-seemann
return local and remote multiaddrs from conn
47be412
@marten-seemann
update webtransport-go, rename webtransport.Conn to Session
a0eec0f
@marten-seemann
tighten multiaddr conversion logic
d155f11
@marten-seemann
return the listener's HTTP handler as soon as the handshake completes
106cbc3 
With the most recent webtransport-go, it's not necessary to block any more.
@marten-seemann
use the resource manager when dialing
ed5a2f5
@marten-seemann
move the HTTP handler to a separate method on the listener
468fd51
@marten-seemann
add a function to convert a IP:port string to a WebTransport multiaddr
2110e68
@marten-seemann
use the resource manager when accepting connections
f55a4ff
@marten-seemann
move extraction of certificate hashes to a separate function
3b13c83
@marten-seemann
pass the connection scope to the connection (#11)
c7149b3
@marten-seemann
properly implement conn.IsClosed (#13)
69341f6
@marten-seemann
refactor the conn constructor
ecc1eff
@marten-seemann
implement connection gating for dials
2c6fc83
@marten-seemann marten-seemann mentioned this pull request Sep 3, 2022
Closed
10 tasks
@marten-seemann marten-seemann mentioned this pull request Sep 6, 2022
Merged
MarcoPolo
MarcoPolo reviewed Sep 7, 2022
View reviewed changes
Copy link
Collaborator

@MarcoPolo MarcoPolo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some small comments/questions.

Nothing blocking if we agree we can change the multiaddr quic/webtransport part later, but if we are committing to this right now I think we should take a bit more. Not saying we need to change it later, just that we agree we could change it.

p2p/transport/webtransport/cert_manager.go
type certManager struct {
clock clock.Clock
ctx context.Context
ctxCancel context.CancelFunc
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this is an anti-pattern. https://go.dev/blog/context-and-structs

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, this is also the pattern we've been using all across go-libp2p, in every service that spawns Go routines. It's super convenient since you can call the CancelFunc multiple times (which you can't do if you do the naive implementation with a closeChan chan struct{}, as you can only close a channel once).

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I know we do it a lot. Just worth pointing out that I don’t think it’s idiomatic go, and maybe we should stop adding new code like this.

Not a blocking change of course

p2p/transport/webtransport/cert_manager.go Outdated Show resolved Hide resolved
p2p/transport/webtransport/conn.go Outdated Show resolved Hide resolved
p2p/transport/webtransport/crypto.go
if err != nil {
return err
}
// TODO: is this the best (and complete?) way to identify RSA certificates?
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think anything with the pkcs-1 oid should probably be checked here (You aren't matching oidSignatureSHA512WithRSA for example) (https://www.rfc-editor.org/rfc/rfc3279#section-2.3.1)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure how to check for this. We only have access to the parsed certificate, where the signature algorithm is encoded as a x509.SignatureAlgorithm. I'd assume that those other algorithms would show up as x509.UnknownSignatureAlgorithm. Maybe it's sufficient to reject that one?

p2p/transport/webtransport/multiaddr.go Show resolved Hide resolved
p2p/transport/webtransport/transport.go Outdated Show resolved Hide resolved
p2p/transport/webtransport/listener.go Show resolved Hide resolved
p2p/transport/webtransport/listener.go Outdated Show resolved Hide resolved
p2p/transport/webtransport/listener.go Outdated Show resolved Hide resolved
p2p/transport/webtransport/transport.go Outdated Show resolved Hide resolved
@MarcoPolo
Copy link
Collaborator

I left a comment instead of an approval. I think another blocker is the potential stalling of the http server. If that's addressed as well as the other comment (quic/webtransport) then I think this is good and the rest of the changes can be done in separate PRs.

@marten-seemann
Copy link
Contributor Author

@MarcoPolo Thank you for the comprehensive review! I've addressed all your comments and recreated this PR.

Nothing blocking if we agree we can change the multiaddr quic/webtransport part later, but if we are committing to this right now I think we should take a bit more. Not saying we need to change it later, just that we agree we could change it.

See my comment here: #1737 (comment).

@marten-seemann marten-seemann merged commit d934c56 into master Sep 7, 2022
@marten-seemann marten-seemann deleted the merge-webtransport branch November 8, 2022 13:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MarcoPolo MarcoPolo MarcoPolo approved these changes

@Stebalien Stebalien Awaiting requested review from Stebalien

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@marten-seemann @MarcoPolo