init gnutls from ed keypair #39
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tewinget
force-pushed
the
gnutls-keys
branch
from
67cf770
to
d40ff24
Compare
dr7ana
reviewed
Sep 6, 2023
jagerman
reviewed
Sep 6, 2023
jagerman
reviewed
Sep 6, 2023
jagerman
reviewed
Sep 6, 2023
A GNUTLSCreds can now be initialized from a pair of Ed25519 seed/pubkey. This enables using libquic in "raw public key" TLS mode, which is useful/needed for Lokinet. GNUTLS says it checks that the keys given match one another, but it does not appear to do so. This commit includes lokinet-specific ALPN code, as testing it in this codebase is easier at the moment. The ALPN specifics and Lokinet specifics should be separated and the Lokinet specifics should move into Lokinet. GNUTLSCreds in raw pubkey mode accepts a verify callback which, given the other side's public key and requested ALPN will determine whether the connection should be allowed. Use case for Lokinet: clients send the client ALPN during negotiation, relays send the relay ALPN on outbound, and relays set both for inbound. This is used to determine whether we are being connected to by a relay or a client, and check keys / setup lokinet accordingly. if we need gnutls debug logs, we can set GNUTLS_DEBUG_LEVEL=level (0-99, >10 is full verbosity it seems) and gnutls will log to stderr
tewinget
force-pushed
the
gnutls-keys
branch
from
2425041
to
83ecd92
Compare
the lokinet-specific ALPN logic should be divorced from libquic, but for now it is working; that can be changed later.
ALPN handling in raw public key mode is now handled generically, rather than having Lokinet-specific concepts. In future, it will be easy to have ALPN handling for any mode, not just raw pubkey, but for now that is not necessary as we do not use ALPNs with normal certs.
dr7ana
approved these changes
Sep 12, 2023
tewinget
force-pushed
the
gnutls-keys
branch
from
83ecd92
to
c5190aa
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Initialize GNUTLS creds from Ed keypair and confirm key allowed on incoming connection.