Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: verify expected PeerId as part of security handshake #4864

Draft
wants to merge 18 commits into
base: master
Choose a base branch
from
Draft

feat: verify expected PeerId as part of security handshake #4864

wants to merge 18 commits into from

Conversation

denis2glez
Copy link

@denis2glez denis2glez commented Nov 14, 2023
edited by thomaseizinger
Loading

Description

During a handshake, certificates should be verified in order to allow the connection attempt to be aborted during the security handshake (by security protocols such as TLS or Noise). This requires being able to verify the peer ID after the handshake. Otherwise, we will have abnormal behaviors, such as aborting after completing the handshake and leaving the peer not knowing what went wrong.

Fixes: #2946.
Related: #4307.
Related: #4726.
Related: #882.

Tasks

  • Introduce the InboundSecurityUpgrade/OutboundSecurityUpgrade traits that should be implemented by transports such as Noise or TLS.
  • Create the Builder::authenticate2 function to accept an upgrade that implements this traits.
  • Implement a state machine inupgrade::secure that calls the InboundSecurityUpgrade/OutboundSecurityUpgrade traits instead of InboundConnectionUpgrade / OutboundConnectionUpgrade.
  • Implement the InboundSecurityUpgrade/OutboundSecurityUpgrade traits for Noise and TLS transports, repectively.
  • Complete the missing parts.
  • Include unit tests.
  • Make appropriate changes to the docs.

Notes & open questions

@denis2glez denis2glez changed the title feat: Verification of the expected PeerId as part of a protocol handshake. feat: Verification of expected PeerId during protocol handshake. Nov 15, 2023
@denis2glez denis2glez mentioned this pull request Nov 15, 2023
Open
thomaseizinger
thomaseizinger reviewed Nov 15, 2023
View reviewed changes
Copy link
Contributor

@thomaseizinger thomaseizinger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great start!

We'll need to implement the new trait for libp2p-tls and libp2p-noise.

core/src/upgrade.rs Outdated Show resolved Hide resolved
core/src/upgrade/secure.rs Outdated Show resolved Hide resolved
core/src/upgrade/secure.rs Outdated Show resolved Hide resolved
core/src/transport/upgrade.rs Outdated Show resolved Hide resolved
core/src/transport/upgrade.rs Show resolved Hide resolved
@denis2glez
Copy link
Author

Thanks for the suggestions!

@denis2glez
fix: introduce Builder::authenticate2 as an alternative code path
d800320 
Introduce `Builder::authenticate2` as an alternative code path given
the supplied upgrade implements `SecurityUpgrade` instead of
`InboundConnectionUpgrade`/`OutboundConnectionUpgrade`.

Inline `secure_inbound` and `secure_outound` functions into `secure`.

Fix `PeerId` in the output of `SecurityUpgrade::upgrade_security`.

Remove the unnecessary call to `panic`.

Co-authored-by: Thomas Eizinger
@denis2glez
docs: improve comments related to Builder::authenticate2
af48270
thomaseizinger
thomaseizinger reviewed Nov 17, 2023
View reviewed changes
core/src/upgrade.rs Outdated Show resolved Hide resolved
@denis2glez
fix: add Send constraint to Builder::authenticate2 parameters
31c7e61 
Use an owned dynamically typed `Future` that is `Send`
(i.e. `BoxFuture`).
@denis2glez
refactor: split SecurityUpgrade into two alternative traits
5c5b728 
Introduce `InboundSecurityUpgrade`/`OutboundSecurityUpgrade` instead.
@denis2glez
docs: mark items related to Builder::authenticate2 as #[doc(hidden)]
b686801 
Plus fix doc comments.
@denis2glez
feat: impl InboundSecurityUpgrade/OutboundSecurityUpgrade for TLS
c0fad3a 
Implement the `InboundSecurityUpgrade`/`OutboundSecurityUpgrade` traits
for the TLS transport verifying the expected peer ID on outgoing upgrades.
@denis2glez
feat: impl InboundSecurityUpgrade/OutboundSecurityUpgrade for Noise
399666b 
Implement the `InboundSecurityUpgrade`/`OutboundSecurityUpgrade` traits
for the Noise transport verifying the expected peer ID on outgoing upgrades.
thomaseizinger
thomaseizinger reviewed Nov 19, 2023
View reviewed changes
Copy link
Contributor

@thomaseizinger thomaseizinger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That looks great!

I've left some more comments. Can you also please use authenticate2 within the SwarmBuilder in the libp2p crate?

core/src/upgrade.rs Outdated Show resolved Hide resolved
transports/noise/src/lib.rs Outdated Show resolved Hide resolved
transports/tls/src/upgrade.rs Outdated Show resolved Hide resolved
@denis2glez denis2glez mentioned this pull request Nov 19, 2023
Closed
@denis2glez
chore: minor doc comments fixes
71e0ac8
@denis2glez
refactor: remove the PeerId parameter in InboundSecurityUpgrade
5500663 
The optional `PeerId` parameter in a security upgrade is never known
at this point for an inbound connection.
thomaseizinger
thomaseizinger reviewed Nov 19, 2023
View reviewed changes
Copy link
Contributor

@thomaseizinger thomaseizinger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good progress! I've left a few more comments :)

core/src/transport/upgrade.rs Outdated Show resolved Hide resolved
core/src/transport/upgrade.rs Outdated Show resolved Hide resolved
core/src/upgrade.rs Outdated Show resolved Hide resolved
core/src/upgrade/secure.rs Outdated Show resolved Hide resolved
transports/noise/src/lib.rs Outdated Show resolved Hide resolved
transports/noise/src/lib.rs Outdated Show resolved Hide resolved
transports/noise/src/lib.rs Outdated Show resolved Hide resolved
core/src/upgrade.rs Outdated Show resolved Hide resolved
@thomaseizinger thomaseizinger changed the title feat: Verification of expected PeerId during protocol handshake. feat: verify expected PeerId as part of security handshake Nov 19, 2023
@denis2glez
docs: fix several issues in the comments
a726083
@denis2glez
refactor: delegate upgrade_inbound and upgrade_outbound methods
514b220 
Delegate the implementations of `InboundConnectionUpgrade`/`OutboundConnectionUpgrade`
traits to `InboundSecurityUpgrade`/`OutboundSecurityUpgrade` for Noise and TLS.
@denis2glez
fix: references to actual and remote PeerId respectively
66df049 
The `PeerId` coming from the address is the remote `PeerId` and the one from the handshake is the actual `PeerId`.
@denis2glez
chore: keep grouping of module and use declarations
d8440e7
@denis2glez
fix: make client and server config ad-hoc in secure_outbound method
c386182 
Introduce the `with_remote_peer_id` constructor in `Config`.
@thomaseizinger
Copy link
Contributor

thomaseizinger commented Nov 27, 2023
edited
Loading

Can you also please use authenticate2 within the SwarmBuilder in the libp2p crate?

In addition to the above comments, this is also still an open item. So far, we are not using those APIs anywhere, meaning we don't actually get to benefit from the new handshake. You'll have to find the usage sites of the current authenticate function within the SwarmBuilder and use authenticate2 instead. Your IDE should be of great assistance here or alternatively, you can mark the old as deprecated and run the compiler once.

Here is one of the usages sites:

rust-libp2p/libp2p/src/builder/phase/tcp.rs

Lines 84 to 86 in d851d1b

.authenticate(
security_upgrade.into_security_upgrade(&self.keypair)?,
)

@denis2glez
fix: use the wording of actual and expected PeerId
3eb5f1f 
The `PeerId` coming from the address is the expected `PeerId`
and the one from the handshake is the actual `PeerId`.
@denis2glez
Copy link
Author

Can you also please use authenticate2 within the SwarmBuilder in the libp2p crate?

In addition to the above comments, this is also still an open item. So far, we are not using those APIs anywhere, meaning we don't actually get to benefit from the new handshake. You'll have to find the usage sites of the current authenticate function within the SwarmBuilder and use authenticate2 instead. Your IDE should be of great assistance here or alternatively, you can mark the old as deprecated and run the compiler once.

Here is one of the usages sites:

rust-libp2p/libp2p/src/builder/phase/tcp.rs

Lines 84 to 86 in d851d1b

.authenticate(
security_upgrade.into_security_upgrade(&self.keypair)?,
)

Thanks, I was already working on this.

@denis2glez
refactor: store the identity::Keypair within Config
2ede11c 
Explicitly call `make_server_config` and `make_client_config` as part of the upgrade.
@thomaseizinger
Copy link
Contributor

Thanks, I was already working on this.

Awesome! Let me know when you want another review! :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thomaseizinger thomaseizinger thomaseizinger left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Consider verifying expected PeerId as part of auth upgrades
2 participants
@denis2glez @thomaseizinger