mirror of
https://github.com/yggdrasil-network/yggdrasil-go.git
synced 2025-06-17 14:45:06 +03:00
Update core.go
Add secondary layer encryption
This commit is contained in:
Fyodor Ustinov
GitHub
parent
704e98442a
commit
63a6ad9596
1 changed files with 97 additions and 29 deletions
|
|
@ -3,6 +3,10 @@ package core
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"crypto/ed25519"
|
"crypto/ed25519"
|
||||||
|
"crypto/aes"
|
||||||
|
"crypto/cipher"
|
||||||
|
"crypto/rand"
|
||||||
|
"io"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
@ -30,6 +34,7 @@ type Core struct {
|
||||||
phony.Inbox
|
phony.Inbox
|
||||||
*iwe.PacketConn
|
*iwe.PacketConn
|
||||||
config *config.NodeConfig // Config
|
config *config.NodeConfig // Config
|
||||||
|
sgcm map[string] cipher.AEAD
|
||||||
secret ed25519.PrivateKey
|
secret ed25519.PrivateKey
|
||||||
public ed25519.PublicKey
|
public ed25519.PublicKey
|
||||||
links links
|
links links
|
||||||
|
|
@ -51,6 +56,32 @@ func (c *Core) _init() error {
|
||||||
c.log = log.New(ioutil.Discard, "", 0)
|
c.log = log.New(ioutil.Discard, "", 0)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
c.sgcm = make(map[string] cipher.AEAD)
|
||||||
|
|
||||||
|
for addr, csecret := range c.config.Secrets {
|
||||||
|
var gcm cipher.AEAD
|
||||||
|
switch len(csecret) {
|
||||||
|
case 16, 24, 32: // Generate GCM
|
||||||
|
ch, err := aes.NewCipher([]byte(csecret))
|
||||||
|
if err != nil { return fmt.Errorf("aes.NewCipher: %w", err) }
|
||||||
|
gcm, err = cipher.NewGCM(ch)
|
||||||
|
if err != nil { return fmt.Errorf("cipher.NewGCM: %w", err) }
|
||||||
|
default:
|
||||||
|
return fmt.Errorf("Secret for %s is incorrect length. Should be 16, 24 or 32 bytes", addr)
|
||||||
|
}
|
||||||
|
|
||||||
|
if strings.ToLower(addr) == "all" {
|
||||||
|
c.sgcm["0"] = gcm
|
||||||
|
} else {
|
||||||
|
saddr, err := hex.DecodeString(addr)
|
||||||
|
if err != nil { return err }
|
||||||
|
if len(saddr) != ed25519.PublicKeySize {
|
||||||
|
return fmt.Errorf("PublicKey '%s' has the wrong length", addr)
|
||||||
|
}
|
||||||
|
c.sgcm[string(saddr)] = gcm
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
sigPriv, err := hex.DecodeString(c.config.PrivateKey)
|
sigPriv, err := hex.DecodeString(c.config.PrivateKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
|
@ -207,6 +238,20 @@ func (c *Core) ReadFrom(p []byte) (n int, from net.Addr, err error) {
|
||||||
switch bs[0] {
|
switch bs[0] {
|
||||||
case typeSessionTraffic:
|
case typeSessionTraffic:
|
||||||
// This is what we want to handle here
|
// This is what we want to handle here
|
||||||
|
gcm := c.getSecretForAddr(from)
|
||||||
|
if gcm != nil { continue }
|
||||||
|
bs = bs[1:n]
|
||||||
|
|
||||||
|
case typeSessionEncTraffic:
|
||||||
|
// Encoded traddic. Decode first
|
||||||
|
gcm := c.getSecretForAddr(from)
|
||||||
|
if gcm == nil { continue }
|
||||||
|
bs, err = gcm.Open(nil, bs[1:gcm.NonceSize()+1], bs[gcm.NonceSize()+1:n], nil)
|
||||||
|
if err != nil { // If we failed to decrypt the packet, we silently skip it.
|
||||||
|
err = nil
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
case typeSessionProto:
|
case typeSessionProto:
|
||||||
var key keyArray
|
var key keyArray
|
||||||
copy(key[:], from.(iwt.Addr))
|
copy(key[:], from.(iwt.Addr))
|
||||||
|
|
@ -216,7 +261,6 @@ func (c *Core) ReadFrom(p []byte) (n int, from net.Addr, err error) {
|
||||||
default:
|
default:
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
bs = bs[1:n]
|
|
||||||
copy(p, bs)
|
copy(p, bs)
|
||||||
if len(p) < len(bs) {
|
if len(p) < len(bs) {
|
||||||
n = len(p)
|
n = len(p)
|
||||||
|
|
@ -229,11 +273,35 @@ func (c *Core) ReadFrom(p []byte) (n int, from net.Addr, err error) {
|
||||||
|
|
||||||
func (c *Core) WriteTo(p []byte, addr net.Addr) (n int, err error) {
|
func (c *Core) WriteTo(p []byte, addr net.Addr) (n int, err error) {
|
||||||
buf := make([]byte, 0, 65535)
|
buf := make([]byte, 0, 65535)
|
||||||
|
gcm := c.getSecretForAddr(addr)
|
||||||
|
if gcm == nil { // unencrypted traffic
|
||||||
buf = append(buf, typeSessionTraffic)
|
buf = append(buf, typeSessionTraffic)
|
||||||
buf = append(buf, p...)
|
buf = append(buf, p...)
|
||||||
n, err = c.PacketConn.WriteTo(buf, addr)
|
n, err = c.PacketConn.WriteTo(buf, addr)
|
||||||
if n > 0 {
|
if n > 0 {
|
||||||
n -= 1
|
n -= 1
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
buf = append(buf, typeSessionEncTraffic)
|
||||||
|
nonce := make([]byte, gcm.NonceSize())
|
||||||
|
if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
|
||||||
|
return 0, err
|
||||||
|
}
|
||||||
|
buf = append(buf, gcm.Seal(nonce, nonce, p, nil)...)
|
||||||
|
n, err = c.PacketConn.WriteTo(buf, addr)
|
||||||
|
if n > 0 {
|
||||||
|
n -= 1+len(nonce)
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *Core) getSecretForAddr(addr net.Addr) (ch cipher.AEAD) {
|
||||||
|
if ch, exist := c.sgcm[string(ed25519.PublicKey(addr.(iwt.Addr)))]; exist {
|
||||||
|
return ch
|
||||||
|
}
|
||||||
|
if ch, exist := c.sgcm["0"]; exist {
|
||||||
|
return ch
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue