mirror of
https://github.com/netbirdio/netbird.git
synced 2024-11-29 03:23:56 +01:00
fix: signal message encryption
This commit is contained in:
parent
4e348b733a
commit
f171f6755b
@ -42,5 +42,5 @@ var (
|
|||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
upCmd.PersistentFlags().IntVar(&port, "port", 10000, "Server port to listen on (e.g. 10000)")
|
signalCmd.PersistentFlags().IntVar(&port, "port", 10000, "Server port to listen on (e.g. 10000)")
|
||||||
}
|
}
|
||||||
|
@ -10,6 +10,10 @@ import (
|
|||||||
"os"
|
"os"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func toByte32(key wgtypes.Key) *[32]byte {
|
||||||
|
return (*[32]byte)(&key)
|
||||||
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
upCmd = &cobra.Command{
|
upCmd = &cobra.Command{
|
||||||
Use: "up",
|
Use: "up",
|
||||||
|
@ -60,7 +60,7 @@ func (e *Engine) Start(myKey wgtypes.Key, peers []Peer) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
e.receiveSignal(myKey.PublicKey().String())
|
e.receiveSignal()
|
||||||
|
|
||||||
// initialize peer agents
|
// initialize peer agents
|
||||||
for _, peer := range peers {
|
for _, peer := range peers {
|
||||||
@ -170,9 +170,9 @@ func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.K
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *Engine) receiveSignal(localKey string) {
|
func (e *Engine) receiveSignal() {
|
||||||
// connect to a stream of messages coming from the signal server
|
// connect to a stream of messages coming from the signal server
|
||||||
e.signal.Receive(localKey, func(msg *sProto.Message) error {
|
e.signal.Receive(func(msg *sProto.Message) error {
|
||||||
|
|
||||||
conn := e.conns[msg.Key]
|
conn := e.conns[msg.Key]
|
||||||
if conn == nil {
|
if conn == nil {
|
||||||
|
@ -24,6 +24,7 @@ import (
|
|||||||
// Wraps the Signal Exchange Service gRpc client
|
// Wraps the Signal Exchange Service gRpc client
|
||||||
type Client struct {
|
type Client struct {
|
||||||
key wgtypes.Key
|
key wgtypes.Key
|
||||||
|
encryptionKey string
|
||||||
realClient proto.SignalExchangeClient
|
realClient proto.SignalExchangeClient
|
||||||
signalConn *grpc.ClientConn
|
signalConn *grpc.ClientConn
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
@ -66,7 +67,7 @@ func NewClient(addr string, key wgtypes.Key, ctx context.Context) (*Client, erro
|
|||||||
// The messages will be handled by msgHandler function provided.
|
// The messages will be handled by msgHandler function provided.
|
||||||
// This function runs a goroutine underneath and reconnects to the Signal Exchange if errors occur (e.g. Exchange restart)
|
// This function runs a goroutine underneath and reconnects to the Signal Exchange if errors occur (e.g. Exchange restart)
|
||||||
// The key is the identifier of our Peer (could be Wireguard public key)
|
// The key is the identifier of our Peer (could be Wireguard public key)
|
||||||
func (c *Client) Receive(key string, msgHandler func(msg *proto.Message) error) {
|
func (c *Client) Receive(msgHandler func(msg *proto.Message) error) {
|
||||||
c.connWg.Add(1)
|
c.connWg.Add(1)
|
||||||
go func() {
|
go func() {
|
||||||
|
|
||||||
@ -81,7 +82,7 @@ func (c *Client) Receive(key string, msgHandler func(msg *proto.Message) error)
|
|||||||
}
|
}
|
||||||
|
|
||||||
operation := func() error {
|
operation := func() error {
|
||||||
err := c.connect(key, msgHandler)
|
err := c.connect(c.key.PublicKey().String(), msgHandler)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Warnf("disconnected from the Signal Exchange due to an error %s. Retrying ... ", err)
|
log.Warnf("disconnected from the Signal Exchange due to an error %s. Retrying ... ", err)
|
||||||
c.connWg.Add(1)
|
c.connWg.Add(1)
|
||||||
@ -152,7 +153,7 @@ func (c *Client) decryptMessage(msg *proto.EncryptedMessage) (*proto.Message, er
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
decryptedBody, err := Decrypt(msg.GetBody(), c.key, remoteKey)
|
decryptedBody, err := Decrypt(msg.GetBody(), remoteKey, c.key)
|
||||||
body := &proto.Body{}
|
body := &proto.Body{}
|
||||||
err = pb.Unmarshal(decryptedBody, body)
|
err = pb.Unmarshal(decryptedBody, body)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -177,7 +178,7 @@ func (c *Client) encryptMessage(msg *proto.Message) (*proto.EncryptedMessage, er
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
encryptedBody, err := Encrypt(body, c.key, remoteKey)
|
encryptedBody, err := Encrypt(body, remoteKey, c.key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -8,30 +8,30 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
// As set of tools to encrypt/decrypt messages being sent through the Signal Exchange Service.
|
// As set of tools to encrypt/decrypt messages being sent through the Signal Exchange Service.
|
||||||
// We want to make sure that the Connection Candidates and other irrelevant (to the Signal Exchange) information can't be read anywhere else but the Peer the message is being sent to.
|
// We want to make sure that the Connection Candidates and other irrelevant (to the Signal Exchange)
|
||||||
|
// information can't be read anywhere else but the Peer the message is being sent to.
|
||||||
// These tools use Golang crypto package (Curve25519, XSalsa20 and Poly1305 to encrypt and authenticate)
|
// These tools use Golang crypto package (Curve25519, XSalsa20 and Poly1305 to encrypt and authenticate)
|
||||||
// Wireguard keys are used for encryption
|
// Wireguard keys are used for encryption
|
||||||
|
|
||||||
// Encrypts a message using local Wireguard private key and remote peer's public key.
|
// Encrypts a message using local Wireguard private key and remote peer's public key.
|
||||||
func Encrypt(msg []byte, privateKey wgtypes.Key, remotePubKey wgtypes.Key) ([]byte, error) {
|
func Encrypt(msg []byte, peersPublicKey wgtypes.Key, privateKey wgtypes.Key) ([]byte, error) {
|
||||||
nonce, err := genNonce()
|
nonce, err := genNonce()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
return box.Seal(nonce[:], msg, nonce, toByte32(peersPublicKey), toByte32(privateKey)), nil
|
||||||
return box.Seal(nil, msg, nonce, toByte32(remotePubKey), toByte32(privateKey)), nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Decrypts a message that has been encrypted by the remote peer using Wireguard private key and remote peer's public key.
|
// Decrypts a message that has been encrypted by the remote peer using Wireguard private key and remote peer's public key.
|
||||||
func Decrypt(encryptedMsg []byte, privateKey wgtypes.Key, remotePubKey wgtypes.Key) ([]byte, error) {
|
func Decrypt(encryptedMsg []byte, peersPublicKey wgtypes.Key, privateKey wgtypes.Key) ([]byte, error) {
|
||||||
nonce, err := genNonce()
|
nonce, err := genNonce()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
copy(nonce[:], encryptedMsg[:24])
|
||||||
opened, ok := box.Open(nil, encryptedMsg, nonce, toByte32(remotePubKey), toByte32(privateKey))
|
opened, ok := box.Open(nil, encryptedMsg[24:], nonce, toByte32(peersPublicKey), toByte32(privateKey))
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, fmt.Errorf("failed to decrypt message from peer %s", remotePubKey.String())
|
return nil, fmt.Errorf("failed to decrypt message from peer %s", peersPublicKey.String())
|
||||||
}
|
}
|
||||||
|
|
||||||
return opened, nil
|
return opened, nil
|
||||||
|
Loading…
Reference in New Issue
Block a user