Verify negotiated protocol bep/1.0

2015-03-05 15:58:16 +01:00 · 2015-03-05 15:58:16 +01:00 · 4745431cda
parent 0455a948a9
commit 4745431cda
2 changed files with 11 additions and 2 deletions
--- a/cmd/syncthing/connections.go
+++ b/cmd/syncthing/connections.go
@ -41,7 +41,14 @@ func listenConnect(myID protocol.DeviceID, m *model.Model, tlsCfg *tls.Config) {

 next:
 	for conn := range conns {
-		certs := conn.ConnectionState().PeerCertificates
+		cs := conn.ConnectionState()
+		if !cs.NegotiatedProtocolIsMutual || cs.NegotiatedProtocol != bepProtocolName {
+			l.Infof("Peer %s did not negotiate bep/1.0", conn.RemoteAddr())
+			conn.Close()
+			continue
+		}
+
+		certs := cs.PeerCertificates
 		if cl := len(certs); cl != 1 {
 			l.Infof("Got peer certificate list of length %d != 1 from %s; protocol error", cl, conn.RemoteAddr())
 			conn.Close()
--- a/cmd/syncthing/main.go
+++ b/cmd/syncthing/main.go
@ -72,6 +72,8 @@ const (
 	exitUpgrading          = 4
 )

+const bepProtocolName = "bep/1.0"
+
 var l = logger.DefaultLogger

 func init() {
@ -461,7 +463,7 @@ func syncthingMain() {

 	tlsCfg := &tls.Config{
 		Certificates:           []tls.Certificate{cert},
-		NextProtos:             []string{"bep/1.0"},
+		NextProtos:             []string{bepProtocolName},
 		ClientAuth:             tls.RequestClientCert,
 		SessionTicketsDisabled: true,
 		InsecureSkipVerify:     true,