yggdrasil-network/yggdrasil-go
1
0
Fork 0
mirror of https://github.com/yggdrasil-network/yggdrasil-go.git synced 2025-06-17 06:35:07 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update core.go

Browse source 
Add secondary layer encryption
This commit is contained in:
Fyodor Ustinov 2022-07-03 17:26:35 +03:00 committed by GitHub
parent 704e98442a
commit 63a6ad9596
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 97 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

70
src/core/core.go
View file

@ -3,6 +3,10 @@ package core
import (
"context"
"crypto/ed25519"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"io"
"encoding/hex"
"errors"
"fmt"
@ -30,6 +34,7 @@ type Core struct {
phony.Inbox
*iwe.PacketConn
config *config.NodeConfig // Config
sgcm map[string] cipher.AEAD
secret ed25519.PrivateKey
public ed25519.PublicKey
links links
@ -51,6 +56,32 @@ func (c *Core) _init() error {
c.log = log.New(ioutil.Discard, "", 0)
}
c.sgcm = make(map[string] cipher.AEAD)
for addr, csecret := range c.config.Secrets {
var gcm cipher.AEAD
switch len(csecret) {
case 16, 24, 32: // Generate GCM
ch, err := aes.NewCipher([]byte(csecret))
if err != nil { return fmt.Errorf("aes.NewCipher: %w", err) }
gcm, err = cipher.NewGCM(ch)
if err != nil { return fmt.Errorf("cipher.NewGCM: %w", err) }
default:
return fmt.Errorf("Secret for %s is incorrect length. Should be 16, 24 or 32 bytes", addr)
}
if strings.ToLower(addr) == "all" {
c.sgcm["0"] = gcm
} else {
saddr, err := hex.DecodeString(addr)
if err != nil { return err }
if len(saddr) != ed25519.PublicKeySize {
return fmt.Errorf("PublicKey '%s' has the wrong length", addr)
}
c.sgcm[string(saddr)] = gcm
}
}
sigPriv, err := hex.DecodeString(c.config.PrivateKey)
if err != nil {
return err
@ -207,6 +238,20 @@ func (c *Core) ReadFrom(p []byte) (n int, from net.Addr, err error) {
switch bs[0] {
case typeSessionTraffic:
// This is what we want to handle here
gcm := c.getSecretForAddr(from)
if gcm != nil { continue }
bs = bs[1:n]
case typeSessionEncTraffic:
// Encoded traddic. Decode first
gcm := c.getSecretForAddr(from)
if gcm == nil { continue }
bs, err = gcm.Open(nil, bs[1:gcm.NonceSize()+1], bs[gcm.NonceSize()+1:n], nil)
if err != nil { // If we failed to decrypt the packet, we silently skip it.
err = nil
continue
}
case typeSessionProto:
var key keyArray
copy(key[:], from.(iwt.Addr))
@ -216,7 +261,6 @@ func (c *Core) ReadFrom(p []byte) (n int, from net.Addr, err error) {
default:
continue
}
bs = bs[1:n]
copy(p, bs)
if len(p) < len(bs) {
n = len(p)
@ -229,11 +273,35 @@ func (c *Core) ReadFrom(p []byte) (n int, from net.Addr, err error) {
func (c *Core) WriteTo(p []byte, addr net.Addr) (n int, err error) {
buf := make([]byte, 0, 65535)
gcm := c.getSecretForAddr(addr)
if gcm == nil { // unencrypted traffic
buf = append(buf, typeSessionTraffic)
buf = append(buf, p...)
n, err = c.PacketConn.WriteTo(buf, addr)
if n > 0 {
n -= 1
}
} else {
buf = append(buf, typeSessionEncTraffic)
nonce := make([]byte, gcm.NonceSize())
if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
return 0, err
}
buf = append(buf, gcm.Seal(nonce, nonce, p, nil)...)
n, err = c.PacketConn.WriteTo(buf, addr)
if n > 0 {
n -= 1+len(nonce)
}
}
return
}
func (c *Core) getSecretForAddr(addr net.Addr) (ch cipher.AEAD) {
if ch, exist := c.sgcm[string(ed25519.PublicKey(addr.(iwt.Addr)))]; exist {
return ch
}
if ch, exist := c.sgcm["0"]; exist {
return ch
}
return nil
}