fluencelabs/rust-libp2p
1
0
Fork 0
mirror of https://github.com/fluencelabs/rust-libp2p synced 2025-06-29 17:51:35 +00:00
Code Issues Projects Releases Wiki Activity

Integrate identity keys with libp2p-noise for authentication. (#1027)

Browse Source 
* Integrate use of identity keys into libp2p-noise.

In order to make libp2p-noise usable with a `Swarm`, which requires a
`Transport::Output` that is a pair of a peer ID and an implementation
of `StreamMuxer`, it is necessary to bridge the gap between static
DH public keys and public identity keys from which peer IDs are derived.

Because the DH static keys and the identity keys need not be
related, it is thus generally necessary that the public identity keys are
exchanged as part of the Noise handshake, which the Noise protocol
accomodates for through the use of handshake message payloads.

The implementation of the existing (IK, IX, XX) handshake patterns is thus
changed to send the public identity keys in the handshake payloads.
Additionally, to facilitate the use of any identity keypair with Noise
handshakes, the static DH public keys are signed using the identity
keypairs and the signatures sent alongside the public identity key
in handshake payloads, unless the static DH public key is "linked"
to the public identity key by other means, e.g. when an Ed25519 identity
keypair is (re)used as an X25519 keypair.

* libp2p-noise doesn't build for wasm.

Thus the development transport needs to be still constructed with secio
for transport security when building for wasm.

* Documentation tweaks.

* For consistency, avoid wildcard enum imports.

* For consistency, avoid wildcard enum imports.

* Slightly simplify io:🤝:State::finish.

* Simplify creation of 2-byte arrays.

* Remove unnecessary cast and obey 100 char line limit.

* Update protocols/noise/src/protocol.rs

Co-Authored-By: romanb <romanb@users.noreply.github.com>

* Address more review comments.

* Cosmetics

* Cosmetics

* Give authentic DH keypairs a distinct type.

This has a couple of advantages:

  * Signing the DH public key only needs to happen once, before
    creating a `NoiseConfig` for an authenticated handshake.

  * The identity keypair only needs to be borrowed and can be
    dropped if it is not used further outside of the Noise
    protocol, since it is no longer needed during Noise handshakes.

  * It is explicit in the construction of a `NoiseConfig` for
    a handshake pattern, whether it operates with a plain `Keypair`
    or a keypair that is authentic w.r.t. a public identity key
    and future handshake patterns may be built with either.

  * The function signatures for constructing `NoiseConfig`s for
    handshake patterns are simplified and a few unnecessary trait
    bounds removed.

* Post-merge corrections.

* Add note on experimental status of libp2p-noise.
This commit is contained in:
Roman Borschel
2019-05-07 10:22:42 +02:00
committed by GitHub
parent e44b443b91
commit 8537eb38b9
16 changed files with 1205 additions and 558 deletions
Download Patch File Download Diff File Expand all files Collapse all files

171
protocols/noise/src/lib.rs
View File

@ -20,8 +20,11 @@
//! [Noise protocol framework][noise] support for libp2p.
//!
//! > **Note**: This crate is still experimental and subject to major breaking changes
//! > both on the API and the wire protocol.
//!
//! This crate provides `libp2p_core::InboundUpgrade` and `libp2p_core::OutboundUpgrade`
//! implementations for various noise handshake patterns (currently IK, IX, and XX)
//! implementations for various noise handshake patterns (currently `IK`, `IX`, and `XX`)
//! over a particular choice of DH key agreement (currently only X25519).
//!
//! All upgrades produce as output a pair, consisting of the remote's static public key
@ -33,13 +36,15 @@
//! Example:
//!
//! ```
//! use libp2p_core::Transport;
//! use libp2p_core::{identity, Transport};
//! use libp2p_tcp::TcpConfig;
//! use libp2p_noise::{Keypair, X25519, NoiseConfig};
//!
//! # fn main() {
//! let keys = Keypair::<X25519>::new();
//! let transport = TcpConfig::new().with_upgrade(NoiseConfig::xx(keys));
//! let id_keys = identity::Keypair::generate_ed25519();
//! let dh_keys = Keypair::<X25519>::new().into_authentic(&id_keys).unwrap();
//! let noise = NoiseConfig::xx(dh_keys);
//! let transport = TcpConfig::new().with_upgrade(noise);
//! // ...
//! # }
//! ```
@ -50,32 +55,33 @@ mod error;
mod io;
mod protocol;
pub mod rt1;
pub mod rt15;
pub use error::NoiseError;
pub use io::NoiseOutput;
pub use protocol::{Keypair, PublicKey, Protocol, ProtocolParams, IX, IK, XX};
pub use protocol::x25519::X25519;
pub use io::handshake::{Handshake, RemoteIdentity, IdentityExchange};
pub use protocol::{Keypair, AuthenticKeypair, KeypairIdentity, PublicKey, SecretKey};
pub use protocol::{Protocol, ProtocolParams, x25519::X25519, IX, IK, XX};
use libp2p_core::{UpgradeInfo, InboundUpgrade, OutboundUpgrade, upgrade::Negotiated};
use libp2p_core::{identity, UpgradeInfo, InboundUpgrade, OutboundUpgrade, upgrade::Negotiated};
use tokio_io::{AsyncRead, AsyncWrite};
use zeroize::Zeroize;
/// The protocol upgrade configuration.
#[derive(Clone)]
pub struct NoiseConfig<P, C: Zeroize, R = ()> {
keys: Keypair<C>,
dh_keys: AuthenticKeypair<C>,
params: ProtocolParams,
remote: R,
_marker: std::marker::PhantomData<P>
}
impl<C: Protocol<C> + Zeroize> NoiseConfig<IX, C> {
/// Create a new `NoiseConfig` for the IX handshake pattern.
pub fn ix(keys: Keypair<C>) -> Self {
impl<C> NoiseConfig<IX, C>
where
C: Protocol<C> + Zeroize
{
/// Create a new `NoiseConfig` for the `IX` handshake pattern.
pub fn ix(dh_keys: AuthenticKeypair<C>) -> Self {
NoiseConfig {
keys,
dh_keys,
params: C::params_ix(),
remote: (),
_marker: std::marker::PhantomData
@ -83,11 +89,14 @@ impl<C: Protocol<C> + Zeroize> NoiseConfig<IX, C> {
}
}
impl<C: Protocol<C> + Zeroize> NoiseConfig<XX, C> {
/// Create a new `NoiseConfig` for the XX handshake pattern.
pub fn xx(keys: Keypair<C>) -> Self {
impl<C> NoiseConfig<XX, C>
where
C: Protocol<C> + Zeroize
{
/// Create a new `NoiseConfig` for the `XX` handshake pattern.
pub fn xx(dh_keys: AuthenticKeypair<C>) -> Self {
NoiseConfig {
keys,
dh_keys,
params: C::params_xx(),
remote: (),
_marker: std::marker::PhantomData
@ -95,11 +104,17 @@ impl<C: Protocol<C> + Zeroize> NoiseConfig<XX, C> {
}
}
impl<C: Protocol<C> + Zeroize> NoiseConfig<IK, C> {
/// Create a new `NoiseConfig` for the IK handshake pattern (recipient side).
pub fn ik_listener(keys: Keypair<C>) -> Self {
impl<C> NoiseConfig<IK, C>
where
C: Protocol<C> + Zeroize
{
/// Create a new `NoiseConfig` for the `IK` handshake pattern (recipient side).
///
/// Since the identity of the local node is known to the remote, this configuration
/// does not transmit a static DH public key or public identity key to the remote.
pub fn ik_listener(dh_keys: AuthenticKeypair<C>) -> Self {
NoiseConfig {
keys,
dh_keys,
params: C::params_ik(),
remote: (),
_marker: std::marker::PhantomData
@ -107,13 +122,23 @@ impl<C: Protocol<C> + Zeroize> NoiseConfig<IK, C> {
}
}
impl<C: Protocol<C> + Zeroize> NoiseConfig<IK, C, PublicKey<C>> {
/// Create a new `NoiseConfig` for the IK handshake pattern (initiator side).
pub fn ik_dialer(keys: Keypair<C>, remote: PublicKey<C>) -> Self {
impl<C> NoiseConfig<IK, C, (PublicKey<C>, identity::PublicKey)>
where
C: Protocol<C> + Zeroize
{
/// Create a new `NoiseConfig` for the `IK` handshake pattern (initiator side).
///
/// In this configuration, the remote identity is known to the local node,
/// but the local node still needs to transmit its own public identity.
pub fn ik_dialer(
dh_keys: AuthenticKeypair<C>,
remote_id: identity::PublicKey,
remote_dh: PublicKey<C>
) -> Self {
NoiseConfig {
keys,
dh_keys,
params: C::params_ik(),
remote,
remote: (remote_dh, remote_id),
_marker: std::marker::PhantomData
}
}
@ -123,39 +148,43 @@ impl<C: Protocol<C> + Zeroize> NoiseConfig<IK, C, PublicKey<C>> {
impl<T, C> InboundUpgrade<T> for NoiseConfig<IX, C>
where
T: AsyncRead + AsyncWrite,
NoiseConfig<IX, C>: UpgradeInfo,
C: Protocol<C> + AsRef<[u8]> + Zeroize
T: AsyncRead + AsyncWrite + Send + 'static,
C: Protocol<C> + AsRef<[u8]> + Zeroize + Send + 'static,
{
type Output = (PublicKey<C>, NoiseOutput<Negotiated<T>>);
type Output = (RemoteIdentity<C>, NoiseOutput<Negotiated<T>>);
type Error = NoiseError;
type Future = rt1::NoiseInboundFuture<Negotiated<T>, C>;
type Future = Handshake<Negotiated<T>, C>;
fn upgrade_inbound(self, socket: Negotiated<T>, _: Self::Info) -> Self::Future {
let session = self.params.into_builder()
.local_private_key(self.keys.secret().as_ref())
.local_private_key(self.dh_keys.secret().as_ref())
.build_responder()
.map_err(NoiseError::from);
rt1::NoiseInboundFuture::new(socket, session)
Handshake::rt1_responder(socket, session,
self.dh_keys.into_identity(),
IdentityExchange::Mutual)
}
}
impl<T, C> OutboundUpgrade<T> for NoiseConfig<IX, C>
where
T: AsyncRead + AsyncWrite,
NoiseConfig<IX, C>: UpgradeInfo,
C: Protocol<C> + AsRef<[u8]> + Zeroize
T: AsyncRead + AsyncWrite + Send + 'static,
C: Protocol<C> + AsRef<[u8]> + Zeroize + Send + 'static,
{
type Output = (PublicKey<C>, NoiseOutput<Negotiated<T>>);
type Output = (RemoteIdentity<C>, NoiseOutput<Negotiated<T>>);
type Error = NoiseError;
type Future = rt1::NoiseOutboundFuture<Negotiated<T>, C>;
type Future = Handshake<Negotiated<T>, C>;
fn upgrade_outbound(self, socket: Negotiated<T>, _: Self::Info) -> Self::Future {
let session = self.params.into_builder()
.local_private_key(self.keys.secret().as_ref())
.local_private_key(self.dh_keys.secret().as_ref())
.build_initiator()
.map_err(NoiseError::from);
rt1::NoiseOutboundFuture::new(socket, session)
Handshake::rt1_initiator(socket, session,
self.dh_keys.into_identity(),
IdentityExchange::Mutual)
}
}
@ -163,39 +192,43 @@ where
impl<T, C> InboundUpgrade<T> for NoiseConfig<XX, C>
where
T: AsyncRead + AsyncWrite,
NoiseConfig<XX, C>: UpgradeInfo,
C: Protocol<C> + AsRef<[u8]> + Zeroize
T: AsyncRead + AsyncWrite + Send + 'static,
C: Protocol<C> + AsRef<[u8]> + Zeroize + Send + 'static,
{
type Output = (PublicKey<C>, NoiseOutput<Negotiated<T>>);
type Output = (RemoteIdentity<C>, NoiseOutput<Negotiated<T>>);
type Error = NoiseError;
type Future = rt15::NoiseInboundFuture<Negotiated<T>, C>;
type Future = Handshake<Negotiated<T>, C>;
fn upgrade_inbound(self, socket: Negotiated<T>, _: Self::Info) -> Self::Future {
let session = self.params.into_builder()
.local_private_key(self.keys.secret().as_ref())
.local_private_key(self.dh_keys.secret().as_ref())
.build_responder()
.map_err(NoiseError::from);
rt15::NoiseInboundFuture::new(socket, session)
Handshake::rt15_responder(socket, session,
self.dh_keys.into_identity(),
IdentityExchange::Mutual)
}
}
impl<T, C> OutboundUpgrade<T> for NoiseConfig<XX, C>
where
T: AsyncRead + AsyncWrite,
NoiseConfig<XX, C>: UpgradeInfo,
C: Protocol<C> + AsRef<[u8]> + Zeroize
T: AsyncRead + AsyncWrite + Send + 'static,
C: Protocol<C> + AsRef<[u8]> + Zeroize + Send + 'static,
{
type Output = (PublicKey<C>, NoiseOutput<Negotiated<T>>);
type Output = (RemoteIdentity<C>, NoiseOutput<Negotiated<T>>);
type Error = NoiseError;
type Future = rt15::NoiseOutboundFuture<Negotiated<T>, C>;
type Future = Handshake<Negotiated<T>, C>;
fn upgrade_outbound(self, socket: Negotiated<T>, _: Self::Info) -> Self::Future {
let session = self.params.into_builder()
.local_private_key(self.keys.secret().as_ref())
.local_private_key(self.dh_keys.secret().as_ref())
.build_initiator()
.map_err(NoiseError::from);
rt15::NoiseOutboundFuture::new(socket, session)
Handshake::rt15_initiator(socket, session,
self.dh_keys.into_identity(),
IdentityExchange::Mutual)
}
}
@ -203,40 +236,44 @@ where
impl<T, C> InboundUpgrade<T> for NoiseConfig<IK, C>
where
T: AsyncRead + AsyncWrite,
NoiseConfig<IK, C>: UpgradeInfo,
C: Protocol<C> + AsRef<[u8]> + Zeroize
T: AsyncRead + AsyncWrite + Send + 'static,
C: Protocol<C> + AsRef<[u8]> + Zeroize + Send + 'static,
{
type Output = (PublicKey<C>, NoiseOutput<Negotiated<T>>);
type Output = (RemoteIdentity<C>, NoiseOutput<Negotiated<T>>);
type Error = NoiseError;
type Future = rt1::NoiseInboundFuture<Negotiated<T>, C>;
type Future = Handshake<Negotiated<T>, C>;
fn upgrade_inbound(self, socket: Negotiated<T>, _: Self::Info) -> Self::Future {
let session = self.params.into_builder()
.local_private_key(self.keys.secret().as_ref())
.local_private_key(self.dh_keys.secret().as_ref())
.build_responder()
.map_err(NoiseError::from);
rt1::NoiseInboundFuture::new(socket, session)
Handshake::rt1_responder(socket, session,
self.dh_keys.into_identity(),
IdentityExchange::Receive)
}
}
impl<T, C> OutboundUpgrade<T> for NoiseConfig<IK, C, PublicKey<C>>
impl<T, C> OutboundUpgrade<T> for NoiseConfig<IK, C, (PublicKey<C>, identity::PublicKey)>
where
T: AsyncRead + AsyncWrite,
NoiseConfig<IK, C, PublicKey<C>>: UpgradeInfo,
C: Protocol<C> + AsRef<[u8]> + Zeroize
NoiseConfig<IK, C, (PublicKey<C>, identity::PublicKey)>: UpgradeInfo,
T: AsyncRead + AsyncWrite + Send + 'static,
C: Protocol<C> + AsRef<[u8]> + Zeroize + Send + 'static,
{
type Output = (PublicKey<C>, NoiseOutput<Negotiated<T>>);
type Output = (RemoteIdentity<C>, NoiseOutput<Negotiated<T>>);
type Error = NoiseError;
type Future = rt1::NoiseOutboundFuture<Negotiated<T>, C>;
type Future = Handshake<Negotiated<T>, C>;
fn upgrade_outbound(self, socket: Negotiated<T>, _: Self::Info) -> Self::Future {
let session = self.params.into_builder()
.local_private_key(self.keys.secret().as_ref())
.remote_public_key(self.remote.as_ref())
.local_private_key(self.dh_keys.secret().as_ref())
.remote_public_key(self.remote.0.as_ref())
.build_initiator()
.map_err(NoiseError::from);
rt1::NoiseOutboundFuture::new(socket, session)
Handshake::rt1_initiator(socket, session,
self.dh_keys.into_identity(),
IdentityExchange::Send { remote: self.remote.1 })
}
}