[feature] Add a TLS protected optional endpoint for team/autoRef endpoint

g3force · g3force · commit 84eabbb4f99f · 2018-12-22T10:14:27.000+01:00
diff --git a/config/ssl-game-controller.yaml b/config/ssl-game-controller.yaml
@@ -5,9 +5,11 @@ network:
 server:
   auto-ref:
     address: :10007
+    address-tls: :10107
     trusted-keys-dir: config/trusted_keys/auto_ref
   team:
     address: :10008
+    address-tls: :10108
     trusted-keys-dir: config/trusted_keys/team
 game:
   yellow-card-duration: 2m
diff --git a/internal/app/config/config.go b/internal/app/config/config.go
@@ -61,12 +61,14 @@ type Server struct {
 // ServerAutoRef holds configs for the autoRef server
 type ServerAutoRef struct {
 	Address        string `yaml:"address"`
+	AddressTls     string `yaml:"address-tls"`
 	TrustedKeysDir string `yaml:"trusted-keys-dir"`
 }
 
 // ServerTeam holds configs for the team server
 type ServerTeam struct {
 	Address        string `yaml:"address"`
+	AddressTls     string `yaml:"address-tls"`
 	TrustedKeysDir string `yaml:"trusted-keys-dir"`
 }
 
@@ -130,8 +132,10 @@ func DefaultControllerConfig() (c Controller) {
 	c.Game.DefaultDivision = DivA
 
 	c.Server.AutoRef.Address = ":10007"
+	c.Server.AutoRef.AddressTls = ":10107"
 	c.Server.AutoRef.TrustedKeysDir = "config/trusted_keys/auto_ref"
 	c.Server.Team.Address = ":10008"
+	c.Server.Team.AddressTls = ":10108"
 	c.Server.Team.TrustedKeysDir = "config/trusted_keys/team"
 
 	c.Game.DefaultGeometry = map[Division]*Geometry{}
diff --git a/internal/app/config/testdata/config.yaml b/internal/app/config/testdata/config.yaml
@@ -5,9 +5,11 @@ network:
 server:
   auto-ref:
     address: :10007
+    address-tls: :10107
     trusted-keys-dir: config/trusted_keys/auto_ref
   team:
     address: :10008
+    address-tls: :10108
     trusted-keys-dir: config/trusted_keys/team
 game:
   yellow-card-duration: 2m
diff --git a/internal/app/controller/controller.go b/internal/app/controller/controller.go
@@ -83,7 +83,9 @@ func (c *GameController) Run() {
 	go c.mainLoop()
 	go c.publishToNetwork()
 	go c.AutoRefServer.Listen(c.Config.Server.AutoRef.Address)
+	go c.AutoRefServer.ListenTls(c.Config.Server.AutoRef.AddressTls)
 	go c.TeamServer.Listen(c.Config.Server.Team.Address)
+	go c.TeamServer.ListenTls(c.Config.Server.Team.AddressTls)
 }
 
 // setupTimeProvider changes the time provider to the vision receiver, if configured
diff --git a/internal/app/rcon/server.go b/internal/app/rcon/server.go
@@ -4,13 +4,15 @@ import (
 	"crypto"
 	"crypto/rsa"
 	"crypto/sha256"
+	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
 	"github.com/RoboCup-SSL/ssl-game-controller/pkg/refproto"
 	"github.com/golang/protobuf/proto"
 	"io/ioutil"
 	"log"
 	"net"
+	"os"
 	"strings"
 )
 
@@ -53,6 +55,41 @@ func (s *Server) Listen(address string) {
 	}
 }
 
+func (s *Server) ListenTls(address string) {
+
+	if _, err := os.Stat("server.crt"); os.IsNotExist(err) {
+		log.Println("Missing certificate for TLS endpoint. Put a server.crt in the working dir.")
+		return
+	}
+	if _, err := os.Stat("server.key"); os.IsNotExist(err) {
+		log.Println("Missing certificate key for TLS endpoint. Put a server.key in the working dir.")
+		return
+	}
+
+	cer, err := tls.LoadX509KeyPair("server.crt", "server.key")
+	if err != nil {
+		log.Printf("Could not load X509 key pair: %v", err)
+		return
+	}
+
+	config := &tls.Config{Certificates: []tls.Certificate{cer}}
+	listener, err := tls.Listen("tcp", address, config)
+	if err != nil {
+		log.Printf("Failed to listen on %v: %v", address, err)
+		return
+	}
+	log.Print("Listening on ", address)
+
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			log.Print("Could not accept connection: ", err)
+		} else {
+			go s.ConnectionHandler(conn)
+		}
+	}
+}
+
 func (s *Server) CloseConnection(conn net.Conn, id string) {
 	delete(s.Clients, id)
 	log.Printf("Connection to %v closed", id)
diff --git a/tools/newX509KeyPair.sh b/tools/newX509KeyPair.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Generate a new x509 key-pair.
+# Ref: https://github.com/denji/golang-tls
+
+# Key considerations for algorithm "RSA" ≥ 2048-bit
+openssl genrsa -out server.key 2048
+
+# Key considerations for algorithm "ECDSA" ≥ secp384r1
+# List ECDSA the supported curves (openssl ecparam -list_curves)
+openssl ecparam -genkey -name secp384r1 -out server.key
+
+# Generation of self-signed(x509) public key (PEM-encodings .pem|.crt) based on the private (.key)
+openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,9 @@ func (c *GameController) Run() {`
`83`	`83`	`go c.mainLoop()`
`84`	`84`	`go c.publishToNetwork()`
`85`	`85`	`go c.AutoRefServer.Listen(c.Config.Server.AutoRef.Address)`
	`86`	`+ go c.AutoRefServer.ListenTls(c.Config.Server.AutoRef.AddressTls)`
`86`	`87`	`go c.TeamServer.Listen(c.Config.Server.Team.Address)`
	`88`	`+ go c.TeamServer.ListenTls(c.Config.Server.Team.AddressTls)`
`87`	`89`	`}`
`88`	`90`
`89`	`91`	`// setupTimeProvider changes the time provider to the vision receiver, if configured`