Merge branch 'identity' of cwtch.im/tapir into master
This commit is contained in:
commit
3a6cd3bd79
|
@ -8,7 +8,7 @@ Tapir has been designed as a replacement to the Ricochet protocol.
|
|||
|
||||
## Features
|
||||
|
||||
* New Authenticaiton Protocol based on v3 Onion Services
|
||||
* New Authentication Protocol based on v3 Onion Services
|
||||
* Bidirectional Application Channels.
|
||||
|
||||
**Work In Progress**
|
|
@ -47,6 +47,15 @@ func (ea AuthApp) Init(connection tapir.Connection) {
|
|||
return
|
||||
}
|
||||
|
||||
// If we are an outbound connection we can perform an additional check to ensure that the server sent us back the correct long term
|
||||
// public key
|
||||
if connection.IsOutbound() && utils.GetTorV3Hostname(remoteAuthMessage.LongTermPublicKey) != connection.Hostname() {
|
||||
log.Errorf("The remote server (%v) has attempted to authenticate with a different public key %v", connection.Hostname(), utils.GetTorV3Hostname(remoteAuthMessage.LongTermPublicKey))
|
||||
connection.Close()
|
||||
return
|
||||
}
|
||||
|
||||
// Perform the triple-diffie-hellman exchange.
|
||||
key := primitives.Perform3DH(connection.ID(), &ephemeralIdentity, remoteAuthMessage.LongTermPublicKey, remoteAuthMessage.EphemeralPublicKey, connection.IsOutbound())
|
||||
connection.SetEncryptionKey(key)
|
||||
|
||||
|
|
|
@ -20,8 +20,8 @@ func (mc *MockConnection) Init(outbound bool) {
|
|||
return
|
||||
}
|
||||
|
||||
func (MockConnection) Hostname() string {
|
||||
panic("implement me")
|
||||
func (mc MockConnection) Hostname() string {
|
||||
return mc.id.Hostname()
|
||||
}
|
||||
|
||||
func (mc MockConnection) IsOutbound() bool {
|
||||
|
|
|
@ -54,6 +54,7 @@ func (s *BaseOnionService) WaitForCapabilityOrClose(cid string, name string) (ta
|
|||
func (s *BaseOnionService) GetConnection(hostname string) (tapir.Connection, error) {
|
||||
var conn tapir.Connection
|
||||
s.connections.Range(func(key, value interface{}) bool {
|
||||
log.Debugf("Checking %v", key)
|
||||
connection := value.(tapir.Connection)
|
||||
if connection.Hostname() == hostname {
|
||||
if !connection.IsClosed() {
|
||||
|
|
|
@ -8,7 +8,7 @@ import (
|
|||
// Perform3DH encapsulates a triple-diffie-hellman key exchange.
|
||||
// In this exchange Alice and Bob both hold longterm identity keypairs
|
||||
// Both Alice and Bob generate an additional ephemeral key pair:
|
||||
// 3 Diffie Hellman exchanges are then performed:
|
||||
// Three Diffie Hellman exchanges are then performed:
|
||||
// Alice Long Term <-> Bob Ephemeral
|
||||
// Alice Ephemeral <-> Bob Long Term
|
||||
// Alice Ephemeral <-> Bob Ephemeral
|
||||
|
|
|
@ -113,6 +113,7 @@ func (c *connection) HasCapability(name string) bool {
|
|||
|
||||
// Close forcibly closes the connection
|
||||
func (c *connection) Close() {
|
||||
c.closed = true
|
||||
c.conn.Close()
|
||||
}
|
||||
|
||||
|
@ -162,7 +163,7 @@ func (c *connection) Send(message []byte) {
|
|||
if c.encrypted {
|
||||
var nonce [24]byte
|
||||
if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {
|
||||
// TODO: Surface is Error
|
||||
log.Errorf("Could not read sufficient randomness %v. Closing connection", err)
|
||||
c.conn.Close()
|
||||
c.closed = true
|
||||
}
|
||||
|
|
BIN
tapir.png
BIN
tapir.png
Binary file not shown.
Before Width: | Height: | Size: 10 KiB After Width: | Height: | Size: 11 KiB |
|
@ -0,0 +1,84 @@
|
|||
package testing
|
||||
|
||||
import (
|
||||
"cwtch.im/tapir"
|
||||
"cwtch.im/tapir/applications"
|
||||
"cwtch.im/tapir/networks/tor"
|
||||
"cwtch.im/tapir/primitives"
|
||||
"git.openprivacy.ca/openprivacy/libricochet-go/connectivity"
|
||||
"git.openprivacy.ca/openprivacy/libricochet-go/log"
|
||||
"git.openprivacy.ca/openprivacy/libricochet-go/utils"
|
||||
"golang.org/x/crypto/ed25519"
|
||||
"runtime"
|
||||
"sync"
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
func TestTapirMaliciousRemote(t *testing.T) {
|
||||
|
||||
numRoutinesStart := runtime.NumGoroutine()
|
||||
log.SetLevel(log.LevelDebug)
|
||||
log.Infof("Number of goroutines open at start: %d", runtime.NumGoroutine())
|
||||
// Connect to Tor
|
||||
var acn connectivity.ACN
|
||||
acn, _ = connectivity.StartTor("./", "")
|
||||
acn.WaitTillBootstrapped()
|
||||
|
||||
// Generate Server Keys, not we generate two sets
|
||||
id, _ := primitives.InitializeEphemeralIdentity()
|
||||
id2, sk2 := primitives.InitializeEphemeralIdentity()
|
||||
|
||||
// Init the Server running the Simple App.
|
||||
var service tapir.Service
|
||||
service = new(tor.BaseOnionService)
|
||||
// Initialize an onion service with one identity, but the auth app with another, this should
|
||||
// trigger a failure in authentication protocol
|
||||
service.Init(acn, sk2, &id)
|
||||
|
||||
// Goroutine Management
|
||||
sg := new(sync.WaitGroup)
|
||||
sg.Add(1)
|
||||
go func() {
|
||||
service.Listen(applications.AuthApp{})
|
||||
sg.Done()
|
||||
}()
|
||||
|
||||
// Wait for server to come online
|
||||
time.Sleep(time.Second * 30)
|
||||
wg := new(sync.WaitGroup)
|
||||
wg.Add(1)
|
||||
// Init a Client to Connect to the Server
|
||||
log.Infof("initializing the client....")
|
||||
client, _ := genclient(acn)
|
||||
go connectclientandfail(client, id2.PublicKey(), wg, t)
|
||||
wg.Wait()
|
||||
// Wait for Server to Sync
|
||||
time.Sleep(time.Second * 2)
|
||||
log.Infof("closing ACN...")
|
||||
acn.Close()
|
||||
sg.Wait()
|
||||
time.Sleep(time.Second * 2)
|
||||
log.Infof("Number of goroutines open at close: %d", runtime.NumGoroutine())
|
||||
if numRoutinesStart != runtime.NumGoroutine() {
|
||||
t.Errorf("Potential goroutine leak: Num Start:%v NumEnd: %v", numRoutinesStart, runtime.NumGoroutine())
|
||||
}
|
||||
}
|
||||
|
||||
// Client will Connect and launch it's own Echo App goroutine.
|
||||
func connectclientandfail(client tapir.Service, key ed25519.PublicKey, group *sync.WaitGroup, t *testing.T) {
|
||||
client.Connect(utils.GetTorV3Hostname(key), applications.AuthApp{})
|
||||
|
||||
// Once connected, it shouldn't take long to authenticate and run the application. So for the purposes of this demo
|
||||
// we will wait a little while then exit.
|
||||
time.Sleep(time.Second * 5)
|
||||
|
||||
log.Infof("Checking connection status...")
|
||||
conn, err := client.GetConnection(utils.GetTorV3Hostname(key))
|
||||
if err == nil {
|
||||
group.Done()
|
||||
t.Fatalf("Connection should have failed! %v %v", conn, err)
|
||||
}
|
||||
log.Infof("Successfully failed to authenticate...")
|
||||
group.Done()
|
||||
}
|
Loading…
Reference in New Issue