wip
This commit is contained in:
jdl
parent
e1a5f50e1a
commit
fb8f51ba67
@ -3,8 +3,6 @@ package peer
|
||||
import (
|
||||
"crypto/rand"
|
||||
"log"
|
||||
"net/netip"
|
||||
"sync/atomic"
|
||||
|
||||
"golang.org/x/crypto/nacl/box"
|
||||
"golang.org/x/crypto/nacl/sign"
|
||||
@ -30,87 +28,3 @@ func generateKeys() cryptoKeys {
|
||||
|
||||
return cryptoKeys{pubKey[:], privKey[:], pubSignKey[:], privSignKey[:]}
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------------
|
||||
|
||||
// Peer must have a ControlCipher.
|
||||
func encryptControlPacket(
|
||||
localIP byte,
|
||||
peer *remotePeer,
|
||||
pkt marshaller,
|
||||
tmp []byte,
|
||||
out []byte,
|
||||
) []byte {
|
||||
h := header{
|
||||
StreamID: controlStreamID,
|
||||
Counter: atomic.AddUint64(peer.counter, 1),
|
||||
SourceIP: localIP,
|
||||
DestIP: peer.IP,
|
||||
}
|
||||
tmp = pkt.Marshal(tmp)
|
||||
return peer.ControlCipher.Encrypt(h, tmp, out)
|
||||
}
|
||||
|
||||
// Returns a controlMsg[PacketType]. Peer must have a non-nil ControlCipher.
|
||||
//
|
||||
// This function also drops packets with duplicate sequence numbers.
|
||||
func decryptControlPacket(
|
||||
peer *remotePeer,
|
||||
fromAddr netip.AddrPort,
|
||||
h header,
|
||||
encrypted []byte,
|
||||
tmp []byte,
|
||||
) (any, error) {
|
||||
out, ok := peer.ControlCipher.Decrypt(encrypted, tmp)
|
||||
if !ok {
|
||||
return nil, errDecryptionFailed
|
||||
}
|
||||
|
||||
if peer.dupCheck.IsDup(h.Counter) {
|
||||
return nil, errDuplicateSeqNum
|
||||
}
|
||||
|
||||
msg, err := parseControlMsg(h.SourceIP, fromAddr, out)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return msg, nil
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------------
|
||||
|
||||
func encryptDataPacket(
|
||||
localIP byte,
|
||||
destIP byte,
|
||||
peer *remotePeer,
|
||||
data []byte,
|
||||
out []byte,
|
||||
) []byte {
|
||||
h := header{
|
||||
StreamID: dataStreamID,
|
||||
Counter: atomic.AddUint64(peer.counter, 1),
|
||||
SourceIP: localIP,
|
||||
DestIP: destIP,
|
||||
}
|
||||
return peer.DataCipher.Encrypt(h, data, out)
|
||||
}
|
||||
|
||||
// Decrypts and de-dups incoming data packets.
|
||||
func decryptDataPacket(
|
||||
peer *remotePeer,
|
||||
h header,
|
||||
encrypted []byte,
|
||||
out []byte,
|
||||
) ([]byte, error) {
|
||||
dec, ok := peer.DataCipher.Decrypt(encrypted, out)
|
||||
if !ok {
|
||||
return nil, errDecryptionFailed
|
||||
}
|
||||
|
||||
if peer.dupCheck.IsDup(h.Counter) {
|
||||
return nil, errDuplicateSeqNum
|
||||
}
|
||||
|
||||
return dec, nil
|
||||
}
|
||||
|
||||
@ -1,9 +1,6 @@
|
||||
package peer
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/rand"
|
||||
"errors"
|
||||
"net/netip"
|
||||
"reflect"
|
||||
"testing"
|
||||
@ -39,10 +36,10 @@ func TestDecryptControlPacket(t *testing.T) {
|
||||
Direct: true,
|
||||
}
|
||||
|
||||
enc := encryptControlPacket(r1.IP, r2, in, tmp, out)
|
||||
enc := r1.EncryptControlPacket(in, tmp, out)
|
||||
h := parseHeader(enc)
|
||||
|
||||
iMsg, err := decryptControlPacket(r2, netip.AddrPort{}, h, enc, tmp)
|
||||
iMsg, err := r2.DecryptControlPacket(netip.AddrPort{}, h, enc, tmp)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@ -57,59 +54,59 @@ func TestDecryptControlPacket(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestDecryptControlPacket_decryptionFailed(t *testing.T) {
|
||||
var (
|
||||
r1, r2 = newRoutePairForTesting()
|
||||
tmp = make([]byte, bufferSize)
|
||||
out = make([]byte, bufferSize)
|
||||
)
|
||||
/*
|
||||
func TestDecryptControlPacket_decryptionFailed(t *testing.T) {
|
||||
var (
|
||||
r1, r2 = newRoutePairForTesting()
|
||||
tmp = make([]byte, bufferSize)
|
||||
out = make([]byte, bufferSize)
|
||||
)
|
||||
|
||||
in := packetSyn{
|
||||
TraceID: newTraceID(),
|
||||
SharedKey: r1.DataCipher.Key(),
|
||||
Direct: true,
|
||||
}
|
||||
in := packetSyn{
|
||||
TraceID: newTraceID(),
|
||||
SharedKey: r1.DataCipher.Key(),
|
||||
Direct: true,
|
||||
}
|
||||
|
||||
enc := encryptControlPacket(r1.IP, r2, in, tmp, out)
|
||||
h := parseHeader(enc)
|
||||
enc := encryptControlPacket(r1.IP, r2, in, tmp, out)
|
||||
h := parseHeader(enc)
|
||||
|
||||
for i := range enc {
|
||||
x := bytes.Clone(enc)
|
||||
x[i]++
|
||||
_, err := decryptControlPacket(r2, netip.AddrPort{}, h, x, tmp)
|
||||
if !errors.Is(err, errDecryptionFailed) {
|
||||
t.Fatal(i, err)
|
||||
for i := range enc {
|
||||
x := bytes.Clone(enc)
|
||||
x[i]++
|
||||
_, err := decryptControlPacket(r2, netip.AddrPort{}, h, x, tmp)
|
||||
if !errors.Is(err, errDecryptionFailed) {
|
||||
t.Fatal(i, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestDecryptControlPacket_duplicate(t *testing.T) {
|
||||
var (
|
||||
r1, r2 = newRoutePairForTesting()
|
||||
tmp = make([]byte, bufferSize)
|
||||
out = make([]byte, bufferSize)
|
||||
)
|
||||
func TestDecryptControlPacket_duplicate(t *testing.T) {
|
||||
var (
|
||||
r1, r2 = newRoutePairForTesting()
|
||||
tmp = make([]byte, bufferSize)
|
||||
out = make([]byte, bufferSize)
|
||||
)
|
||||
|
||||
in := packetSyn{
|
||||
TraceID: newTraceID(),
|
||||
SharedKey: r1.DataCipher.Key(),
|
||||
Direct: true,
|
||||
in := packetSyn{
|
||||
TraceID: newTraceID(),
|
||||
SharedKey: r1.DataCipher.Key(),
|
||||
Direct: true,
|
||||
}
|
||||
|
||||
enc := encryptControlPacket(r1.IP, r2, in, tmp, out)
|
||||
h := parseHeader(enc)
|
||||
|
||||
if _, err := decryptControlPacket(r2, netip.AddrPort{}, h, enc, tmp); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
_, err := decryptControlPacket(r2, netip.AddrPort{}, h, enc, tmp)
|
||||
if !errors.Is(err, errDuplicateSeqNum) {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
enc := encryptControlPacket(r1.IP, r2, in, tmp, out)
|
||||
h := parseHeader(enc)
|
||||
|
||||
if _, err := decryptControlPacket(r2, netip.AddrPort{}, h, enc, tmp); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
_, err := decryptControlPacket(r2, netip.AddrPort{}, h, enc, tmp)
|
||||
if !errors.Is(err, errDuplicateSeqNum) {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
func TestDecryptControlPacket_invalidPacket(t *testing.T) {
|
||||
var (
|
||||
r1, r2 = newRoutePairForTesting()
|
||||
@ -127,7 +124,7 @@ func TestDecryptControlPacket_duplicate(t *testing.T) {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
*/
|
||||
|
||||
func TestDecryptDataPacket(t *testing.T) {
|
||||
var (
|
||||
r1, r2 = newRoutePairForTesting()
|
||||
@ -191,3 +188,4 @@ func TestDecryptDataPacket_duplicate(t *testing.T) {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
*/
|
||||
|
||||
@ -51,7 +51,9 @@ func newHubPoller(
|
||||
}
|
||||
|
||||
func (hp *hubPoller) Run() {
|
||||
log.Printf("Running hub poller...")
|
||||
state, err := loadNetworkState(hp.netName)
|
||||
log.Printf("Got state (%s) : %v", hp.netName, state)
|
||||
if err != nil {
|
||||
log.Printf("Failed to load network state: %v", err)
|
||||
log.Printf("Polling hub...")
|
||||
|
||||
@ -70,6 +70,7 @@ func (s *pState) OnPeerUpdate(peer *m.Peer) peerState {
|
||||
|
||||
s.staged.IP = peer.PeerIP
|
||||
s.staged.PubSignKey = peer.PubSignKey
|
||||
log.Printf("New cipher: %x, %x", s.privKey, peer.PubKey)
|
||||
s.staged.ControlCipher = newControlCipher(s.privKey, peer.PubKey)
|
||||
s.staged.DataCipher = newDataCipher()
|
||||
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
package peer
|
||||
|
||||
import (
|
||||
"log"
|
||||
"net/netip"
|
||||
"sync/atomic"
|
||||
"time"
|
||||
@ -67,6 +68,8 @@ func (p remotePeer) EncryptControlPacket(pkt marshaller, tmp, out []byte) []byte
|
||||
DestIP: p.IP,
|
||||
}
|
||||
|
||||
log.Printf("Encrypting with header: %#v", h)
|
||||
|
||||
return p.ControlCipher.Encrypt(h, tmp, out)
|
||||
}
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user