app/vppn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 9 Wiki Activity

wip

Browse Source
This commit is contained in:
jdl
2025-02-19 16:08:39 +01:00
parent e1a5f50e1a
commit fb8f51ba67
5 changed files with 54 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
peer/crypto.go
View File

@@ -3,8 +3,6 @@ package peer
import ( import (
"crypto/rand" "crypto/rand"
"log" "log"
"net/netip"
"sync/atomic"
"golang.org/x/crypto/nacl/box" "golang.org/x/crypto/nacl/box"
"golang.org/x/crypto/nacl/sign" "golang.org/x/crypto/nacl/sign"
@@ -30,87 +28,3 @@ func generateKeys() cryptoKeys {
return cryptoKeys{pubKey[:], privKey[:], pubSignKey[:], privSignKey[:]} return cryptoKeys{pubKey[:], privKey[:], pubSignKey[:], privSignKey[:]}
} }
// ----------------------------------------------------------------------------
// Peer must have a ControlCipher.
func encryptControlPacket(
localIP byte,
peer *remotePeer,
pkt marshaller,
tmp []byte,
out []byte,
) []byte {
h := header{
StreamID: controlStreamID,
Counter: atomic.AddUint64(peer.counter, 1),
SourceIP: localIP,
DestIP: peer.IP,
}
tmp = pkt.Marshal(tmp)
return peer.ControlCipher.Encrypt(h, tmp, out)
}
// Returns a controlMsg[PacketType]. Peer must have a non-nil ControlCipher.
//
// This function also drops packets with duplicate sequence numbers.
func decryptControlPacket(
peer *remotePeer,
fromAddr netip.AddrPort,
h header,
encrypted []byte,
tmp []byte,
) (any, error) {
out, ok := peer.ControlCipher.Decrypt(encrypted, tmp)
if !ok {
return nil, errDecryptionFailed
}
if peer.dupCheck.IsDup(h.Counter) {
return nil, errDuplicateSeqNum
}
msg, err := parseControlMsg(h.SourceIP, fromAddr, out)
if err != nil {
return nil, err
}
return msg, nil
}
// ----------------------------------------------------------------------------
func encryptDataPacket(
localIP byte,
destIP byte,
peer *remotePeer,
data []byte,
out []byte,
) []byte {
h := header{
StreamID: dataStreamID,
Counter: atomic.AddUint64(peer.counter, 1),
SourceIP: localIP,
DestIP: destIP,
}
return peer.DataCipher.Encrypt(h, data, out)
}
// Decrypts and de-dups incoming data packets.
func decryptDataPacket(
peer *remotePeer,
h header,
encrypted []byte,
out []byte,
) ([]byte, error) {
dec, ok := peer.DataCipher.Decrypt(encrypted, out)
if !ok {
return nil, errDecryptionFailed
}
if peer.dupCheck.IsDup(h.Counter) {
return nil, errDuplicateSeqNum
}
return dec, nil
}

20
peer/crypto_test.go
View File

@@ -1,9 +1,6 @@
package peer package peer
import ( import (
"bytes"
"crypto/rand"
"errors"
"net/netip" "net/netip"
"reflect" "reflect"
"testing" "testing"
@@ -39,10 +36,10 @@ func TestDecryptControlPacket(t *testing.T) {
Direct: true, Direct: true,
} }
enc := encryptControlPacket(r1.IP, r2, in, tmp, out) enc := r1.EncryptControlPacket(in, tmp, out)
h := parseHeader(enc) h := parseHeader(enc)
iMsg, err := decryptControlPacket(r2, netip.AddrPort{}, h, enc, tmp) iMsg, err := r2.DecryptControlPacket(netip.AddrPort{}, h, enc, tmp)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@@ -57,7 +54,8 @@ func TestDecryptControlPacket(t *testing.T) {
} }
} }
func TestDecryptControlPacket_decryptionFailed(t *testing.T) { /*
func TestDecryptControlPacket_decryptionFailed(t *testing.T) {
var ( var (
r1, r2 = newRoutePairForTesting() r1, r2 = newRoutePairForTesting()
tmp = make([]byte, bufferSize) tmp = make([]byte, bufferSize)
@@ -81,9 +79,9 @@ func TestDecryptControlPacket_decryptionFailed(t *testing.T) {
t.Fatal(i, err) t.Fatal(i, err)
} }
} }
} }
func TestDecryptControlPacket_duplicate(t *testing.T) { func TestDecryptControlPacket_duplicate(t *testing.T) {
var ( var (
r1, r2 = newRoutePairForTesting() r1, r2 = newRoutePairForTesting()
tmp = make([]byte, bufferSize) tmp = make([]byte, bufferSize)
@@ -107,9 +105,8 @@ func TestDecryptControlPacket_duplicate(t *testing.T) {
if !errors.Is(err, errDuplicateSeqNum) { if !errors.Is(err, errDuplicateSeqNum) {
t.Fatal(err) t.Fatal(err)
} }
} }
/*
func TestDecryptControlPacket_invalidPacket(t *testing.T) { func TestDecryptControlPacket_invalidPacket(t *testing.T) {
var ( var (
r1, r2 = newRoutePairForTesting() r1, r2 = newRoutePairForTesting()
@@ -127,7 +124,7 @@ func TestDecryptControlPacket_duplicate(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
} }
*/
func TestDecryptDataPacket(t *testing.T) { func TestDecryptDataPacket(t *testing.T) {
var ( var (
r1, r2 = newRoutePairForTesting() r1, r2 = newRoutePairForTesting()
@@ -191,3 +188,4 @@ func TestDecryptDataPacket_duplicate(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
} }
*/

2
peer/hubpoller.go
View File

@@ -51,7 +51,9 @@ func newHubPoller(
} }
func (hp *hubPoller) Run() { func (hp *hubPoller) Run() {
log.Printf("Running hub poller...")
state, err := loadNetworkState(hp.netName) state, err := loadNetworkState(hp.netName)
log.Printf("Got state (%s) : %v", hp.netName, state)
if err != nil { if err != nil {
log.Printf("Failed to load network state: %v", err) log.Printf("Failed to load network state: %v", err)
log.Printf("Polling hub...") log.Printf("Polling hub...")

1
peer/peerstates.go
View File

@@ -70,6 +70,7 @@ func (s *pState) OnPeerUpdate(peer *m.Peer) peerState {
s.staged.IP = peer.PeerIP s.staged.IP = peer.PeerIP
s.staged.PubSignKey = peer.PubSignKey s.staged.PubSignKey = peer.PubSignKey
log.Printf("New cipher: %x, %x", s.privKey, peer.PubKey)
s.staged.ControlCipher = newControlCipher(s.privKey, peer.PubKey) s.staged.ControlCipher = newControlCipher(s.privKey, peer.PubKey)
s.staged.DataCipher = newDataCipher() s.staged.DataCipher = newDataCipher()

3
peer/routingtable.go
View File

@@ -1,6 +1,7 @@
package peer package peer
import ( import (
"log"
"net/netip" "net/netip"
"sync/atomic" "sync/atomic"
"time" "time"
@@ -67,6 +68,8 @@ func (p remotePeer) EncryptControlPacket(pkt marshaller, tmp, out []byte) []byte
DestIP: p.IP, DestIP: p.IP,
} }
log.Printf("Encrypting with header: %#v", h)
return p.ControlCipher.Encrypt(h, tmp, out) return p.ControlCipher.Encrypt(h, tmp, out)
} }