extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2024-11-29 03:23:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: signal message encryption

Browse Source
This commit is contained in:
braginini 2021-05-05 10:40:53 +02:00
parent 4e348b733a
commit f171f6755b
5 changed files with 26 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/signal.go
View File

@ -42,5 +42,5 @@ var (
) )
func init() { func init() {
upCmd.PersistentFlags().IntVar(&port, "port", 10000, "Server port to listen on (e.g. 10000)") signalCmd.PersistentFlags().IntVar(&port, "port", 10000, "Server port to listen on (e.g. 10000)")
} }

4
cmd/up.go
View File

@ -10,6 +10,10 @@ import (
"os" "os"
) )
func toByte32(key wgtypes.Key) *[32]byte {
return (*[32]byte)(&key)
}
var ( var (
upCmd = &cobra.Command{ upCmd = &cobra.Command{
Use: "up", Use: "up",

6
connection/engine.go
View File

@ -60,7 +60,7 @@ func (e *Engine) Start(myKey wgtypes.Key, peers []Peer) error {
return err return err
} }
e.receiveSignal(myKey.PublicKey().String()) e.receiveSignal()
// initialize peer agents // initialize peer agents
for _, peer := range peers { for _, peer := range peers {
@ -170,9 +170,9 @@ func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.K
return nil return nil
} }
func (e *Engine) receiveSignal(localKey string) { func (e *Engine) receiveSignal() {
// connect to a stream of messages coming from the signal server // connect to a stream of messages coming from the signal server
e.signal.Receive(localKey, func(msg *sProto.Message) error { e.signal.Receive(func(msg *sProto.Message) error {
conn := e.conns[msg.Key] conn := e.conns[msg.Key]
if conn == nil { if conn == nil {

19
signal/client.go
View File

@ -23,11 +23,12 @@ import (
// Wraps the Signal Exchange Service gRpc client // Wraps the Signal Exchange Service gRpc client
type Client struct { type Client struct {
key wgtypes.Key key wgtypes.Key
realClient proto.SignalExchangeClient encryptionKey string
signalConn *grpc.ClientConn realClient proto.SignalExchangeClient
ctx context.Context signalConn *grpc.ClientConn
stream proto.SignalExchange_ConnectStreamClient ctx context.Context
stream proto.SignalExchange_ConnectStreamClient
//waiting group to notify once stream is connected //waiting group to notify once stream is connected
connWg sync.WaitGroup //todo use a channel instead?? connWg sync.WaitGroup //todo use a channel instead??
} }
@ -66,7 +67,7 @@ func NewClient(addr string, key wgtypes.Key, ctx context.Context) (*Client, erro
// The messages will be handled by msgHandler function provided. // The messages will be handled by msgHandler function provided.
// This function runs a goroutine underneath and reconnects to the Signal Exchange if errors occur (e.g. Exchange restart) // This function runs a goroutine underneath and reconnects to the Signal Exchange if errors occur (e.g. Exchange restart)
// The key is the identifier of our Peer (could be Wireguard public key) // The key is the identifier of our Peer (could be Wireguard public key)
func (c *Client) Receive(key string, msgHandler func(msg *proto.Message) error) { func (c *Client) Receive(msgHandler func(msg *proto.Message) error) {
c.connWg.Add(1) c.connWg.Add(1)
go func() { go func() {
@ -81,7 +82,7 @@ func (c *Client) Receive(key string, msgHandler func(msg *proto.Message) error)
} }
operation := func() error { operation := func() error {
err := c.connect(key, msgHandler) err := c.connect(c.key.PublicKey().String(), msgHandler)
if err != nil { if err != nil {
log.Warnf("disconnected from the Signal Exchange due to an error %s. Retrying ... ", err) log.Warnf("disconnected from the Signal Exchange due to an error %s. Retrying ... ", err)
c.connWg.Add(1) c.connWg.Add(1)
@ -152,7 +153,7 @@ func (c *Client) decryptMessage(msg *proto.EncryptedMessage) (*proto.Message, er
if err != nil { if err != nil {
return nil, err return nil, err
} }
decryptedBody, err := Decrypt(msg.GetBody(), c.key, remoteKey) decryptedBody, err := Decrypt(msg.GetBody(), remoteKey, c.key)
body := &proto.Body{} body := &proto.Body{}
err = pb.Unmarshal(decryptedBody, body) err = pb.Unmarshal(decryptedBody, body)
if err != nil { if err != nil {
@ -177,7 +178,7 @@ func (c *Client) encryptMessage(msg *proto.Message) (*proto.EncryptedMessage, er
return nil, err return nil, err
} }
encryptedBody, err := Encrypt(body, c.key, remoteKey) encryptedBody, err := Encrypt(body, remoteKey, c.key)
if err != nil { if err != nil {
return nil, err return nil, err
} }

16
signal/encryption.go
View File

@ -8,30 +8,30 @@ import (
) )
// As set of tools to encrypt/decrypt messages being sent through the Signal Exchange Service. // As set of tools to encrypt/decrypt messages being sent through the Signal Exchange Service.
// We want to make sure that the Connection Candidates and other irrelevant (to the Signal Exchange) information can't be read anywhere else but the Peer the message is being sent to. // We want to make sure that the Connection Candidates and other irrelevant (to the Signal Exchange)
// information can't be read anywhere else but the Peer the message is being sent to.
// These tools use Golang crypto package (Curve25519, XSalsa20 and Poly1305 to encrypt and authenticate) // These tools use Golang crypto package (Curve25519, XSalsa20 and Poly1305 to encrypt and authenticate)
// Wireguard keys are used for encryption // Wireguard keys are used for encryption
// Encrypts a message using local Wireguard private key and remote peer's public key. // Encrypts a message using local Wireguard private key and remote peer's public key.
func Encrypt(msg []byte, privateKey wgtypes.Key, remotePubKey wgtypes.Key) ([]byte, error) { func Encrypt(msg []byte, peersPublicKey wgtypes.Key, privateKey wgtypes.Key) ([]byte, error) {
nonce, err := genNonce() nonce, err := genNonce()
if err != nil { if err != nil {
return nil, err return nil, err
} }
return box.Seal(nonce[:], msg, nonce, toByte32(peersPublicKey), toByte32(privateKey)), nil
return box.Seal(nil, msg, nonce, toByte32(remotePubKey), toByte32(privateKey)), nil
} }
// Decrypts a message that has been encrypted by the remote peer using Wireguard private key and remote peer's public key. // Decrypts a message that has been encrypted by the remote peer using Wireguard private key and remote peer's public key.
func Decrypt(encryptedMsg []byte, privateKey wgtypes.Key, remotePubKey wgtypes.Key) ([]byte, error) { func Decrypt(encryptedMsg []byte, peersPublicKey wgtypes.Key, privateKey wgtypes.Key) ([]byte, error) {
nonce, err := genNonce() nonce, err := genNonce()
if err != nil { if err != nil {
return nil, err return nil, err
} }
copy(nonce[:], encryptedMsg[:24])
opened, ok := box.Open(nil, encryptedMsg, nonce, toByte32(remotePubKey), toByte32(privateKey)) opened, ok := box.Open(nil, encryptedMsg[24:], nonce, toByte32(peersPublicKey), toByte32(privateKey))
if !ok { if !ok {
return nil, fmt.Errorf("failed to decrypt message from peer %s", remotePubKey.String()) return nil, fmt.Errorf("failed to decrypt message from peer %s", peersPublicKey.String())
} }
return opened, nil return opened, nil