diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 00000000000..6e9b30a9470 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,41 @@ +name: Release + +on: + push: + tags: + - 'v*' + +jobs: + release: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 0 # It is required for GoReleaser to work properly + - + name: Set up Go + uses: actions/setup-go@v2 + with: + go-version: 1.16 + - + name: Cache Go modules + uses: actions/cache@v1 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + - + name: Install modules + run: go mod tidy + - + name: Run GoReleaser + uses: goreleaser/goreleaser-action@v2 + if: startsWith(github.ref, 'refs/tags/') + with: + version: latest + args: release --rm-dist + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000000..29b636a4866 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.idea +*.iml \ No newline at end of file diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 00000000000..eda89aa62b9 --- /dev/null +++ b/.goreleaser.yaml @@ -0,0 +1,30 @@ +project_name: wiretrustee +builds: + - env: [CGO_ENABLED=0] + goos: + - linux + - darwin + goarch: + - arm + - amd64 + - arm64 + ignore: + - goos: darwin + goarch: arm64 +nfpms: + - maintainer: Wiretrustee + description: Wiretrustee project. + homepage: https://wiretrustee.com/ + formats: + - deb + - rpm + contents: + - src: release_files/wiretrustee.service + dst: /lib/systemd/system/wiretrustee.service + + - src: release_files/wiretrustee.json + dst: /etc/wiretrustee/wiretrustee.json + type: "config|noreplace" + + scripts: + postinstall: "release_files/post_install.sh" diff --git a/cmd/config.go b/cmd/config.go new file mode 100644 index 00000000000..ad7640afef8 --- /dev/null +++ b/cmd/config.go @@ -0,0 +1,57 @@ +package cmd + +import ( + "encoding/json" + "github.com/pion/ice/v2" + "github.com/wiretrustee/wiretrustee/connection" + "io/ioutil" + "os" +) + +type Config struct { + // Wireguard private key of local peer + PrivateKey string + Peers []connection.Peer + StunTurnURLs []*ice.URL + // host:port of the signal server + SignalAddr string + WgAddr string + WgIface string +} + +//Write writes configPath to a file +func (cfg *Config) Write(path string) error { + bs, err := json.Marshal(cfg) + if err != nil { + return err + } + + err = ioutil.WriteFile(path, bs, 0600) + if err != nil { + return err + } + + return nil +} + +//Read reads configPath from a file +func Read(path string) (*Config, error) { + f, err := os.Open(path) + if err != nil { + return nil, err + } + defer f.Close() + + bs, err := ioutil.ReadAll(f) + if err != nil { + return nil, err + } + + var cfg Config + err = json.Unmarshal(bs, &cfg) + if err != nil { + return nil, err + } + + return &cfg, nil +} diff --git a/cmd/root.go b/cmd/root.go new file mode 100644 index 00000000000..fc43f377269 --- /dev/null +++ b/cmd/root.go @@ -0,0 +1,35 @@ +package cmd + +import ( + "fmt" + "github.com/spf13/cobra" + "os" + "os/signal" + "syscall" +) + +var ( + rootCmd = &cobra.Command{ + Use: "wiretrustee", + Short: "", + Long: "", + } +) + +// Execute executes the root command. +func Execute() error { + return rootCmd.Execute() +} + +func init() { + rootCmd.AddCommand(upCmd) + rootCmd.AddCommand(signalCmd) +} + +func SetupCloseHandler() { + c := make(chan os.Signal) + signal.Notify(c, os.Interrupt, syscall.SIGTERM) + <-c + fmt.Println("\r- Ctrl+C pressed in Terminal") + os.Exit(0) +} diff --git a/cmd/signal.go b/cmd/signal.go new file mode 100644 index 00000000000..db1582c1cd2 --- /dev/null +++ b/cmd/signal.go @@ -0,0 +1,46 @@ +package cmd + +import ( + "flag" + "fmt" + log "github.com/sirupsen/logrus" + "github.com/spf13/cobra" + sig "github.com/wiretrustee/wiretrustee/signal" + sProto "github.com/wiretrustee/wiretrustee/signal/proto" + "google.golang.org/grpc" + "net" +) + +var ( + port int + + signalCmd = &cobra.Command{ + Use: "signal", + Short: "start Wiretrustee Signal Server", + Run: func(cmd *cobra.Command, args []string) { + flag.Parse() + + lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) + if err != nil { + log.Fatalf("failed to listen: %v", err) + } + + if err != nil { + log.Fatalf("failed to listen: %v", err) + } + var opts []grpc.ServerOption + grpcServer := grpc.NewServer(opts...) + sProto.RegisterSignalExchangeServer(grpcServer, sig.NewServer()) + log.Printf("started server: localhost:%v", port) + if err := grpcServer.Serve(lis); err != nil { + log.Fatalf("failed to serve: %v", err) + } + + SetupCloseHandler() + }, + } +) + +func init() { + upCmd.PersistentFlags().IntVar(&port, "port", 10000, "Server port to listen on (e.g. 10000)") +} diff --git a/cmd/up.go b/cmd/up.go new file mode 100644 index 00000000000..b65208a7edf --- /dev/null +++ b/cmd/up.go @@ -0,0 +1,57 @@ +package cmd + +import ( + "context" + log "github.com/sirupsen/logrus" + "github.com/spf13/cobra" + "github.com/wiretrustee/wiretrustee/connection" + sig "github.com/wiretrustee/wiretrustee/signal" + "os" +) + +const ( + ExitSetupFailed = 1 +) + +var ( + configPath string + logLevel string + + upCmd = &cobra.Command{ + Use: "up", + Short: "start wiretrustee", + Run: func(cmd *cobra.Command, args []string) { + level, err := log.ParseLevel(logLevel) + if err != nil { + log.Errorf("efailed parsing log-level %s: %s", logLevel, err) + os.Exit(ExitSetupFailed) + } + log.SetLevel(level) + + config, _ := Read(configPath) + + ctx := context.Background() + signalClient, err := sig.NewClient(config.SignalAddr, ctx) + if err != nil { + log.Errorf("error while connecting to the Signal Exchange Service %s: %s", config.SignalAddr, err) + os.Exit(ExitSetupFailed) + } + //todo proper close handling + defer func() { signalClient.Close() }() + + engine := connection.NewEngine(signalClient, config.StunTurnURLs, config.WgIface, config.WgAddr) + + err = engine.Start(config.PrivateKey, config.Peers) + + //signalClient.WaitConnected() + + SetupCloseHandler() + }, + } +) + +func init() { + upCmd.PersistentFlags().StringVar(&configPath, "config", "", "") + upCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "") + upCmd.MarkPersistentFlagRequired("config") +} diff --git a/connection/cond.go b/connection/cond.go new file mode 100644 index 00000000000..9790e4d9cc3 --- /dev/null +++ b/connection/cond.go @@ -0,0 +1,32 @@ +package connection + +import "sync" + +// A Cond is a condition variable like sync.Cond, but using a channel so we can use select. +type Cond struct { + once sync.Once + C chan struct{} +} + +// NewCond creates a new condition variable. +func NewCond() *Cond { + return &Cond{C: make(chan struct{})} +} + +// Do runs f if the condition hasn't been signaled yet. Afterwards it will be signaled. +func (c *Cond) Do(f func()) { + c.once.Do(func() { + f() + close(c.C) + }) +} + +// Signal closes the condition variable channel. +func (c *Cond) Signal() { + c.Do(func() {}) +} + +// Wait waits for the condition variable channel to close. +func (c *Cond) Wait() { + <-c.C +} diff --git a/connection/connection.go b/connection/connection.go new file mode 100644 index 00000000000..13fdf932df8 --- /dev/null +++ b/connection/connection.go @@ -0,0 +1,298 @@ +package connection + +import ( + "context" + "fmt" + "github.com/pion/ice/v2" + log "github.com/sirupsen/logrus" + "golang.zx2c4.com/wireguard/wgctrl/wgtypes" + "sync" + "time" +) + +var ( + DefaultWgKeepAlive = 20 * time.Second +) + +type ConnConfig struct { + // Local Wireguard listening address e.g. 127.0.0.1:51820 + WgListenAddr string + // A Local Wireguard Peer IP address in CIDR notation e.g. 10.30.30.1/24 + WgPeerIp string + // Local Wireguard Interface name (e.g. wg0) + WgIface string + // Wireguard allowed IPs (e.g. 10.30.30.2/32) + WgAllowedIPs string + // Local Wireguard private key + WgKey wgtypes.Key + // Remote Wireguard public key + RemoteWgKey wgtypes.Key + + StunTurnURLS []*ice.URL +} + +type IceCredentials struct { + uFrag string + pwd string +} + +type Connection struct { + Config ConnConfig + // signalCandidate is a handler function to signal remote peer about local connection candidate + signalCandidate func(candidate ice.Candidate) error + + // signalOffer is a handler function to signal remote peer our connection offer (credentials) + signalOffer func(uFrag string, pwd string) error + + // signalOffer is a handler function to signal remote peer our connection answer (credentials) + signalAnswer func(uFrag string, pwd string) error + + // remoteAuthChannel is a channel used to wait for remote credentials to proceed with the connection + remoteAuthChannel chan IceCredentials + + // agent is an actual ice.Agent that is used to negotiate and maintain a connection to a remote peer + agent *ice.Agent + + wgProxy *WgProxy + + connected *Cond + closeCond *Cond + + remoteAuthCond sync.Once +} + +func NewConnection(config ConnConfig, + signalCandidate func(candidate ice.Candidate) error, + signalOffer func(uFrag string, pwd string) error, + signalAnswer func(uFrag string, pwd string) error, +) *Connection { + + return &Connection{ + Config: config, + signalCandidate: signalCandidate, + signalOffer: signalOffer, + signalAnswer: signalAnswer, + remoteAuthChannel: make(chan IceCredentials, 1), + closeCond: NewCond(), + connected: NewCond(), + agent: nil, + wgProxy: NewWgProxy(config.WgIface, config.RemoteWgKey.String(), config.WgAllowedIPs, config.WgListenAddr), + } +} + +// Open opens connection to a remote peer. +// Will block until the connection has successfully established +func (conn *Connection) Open(timeout time.Duration) error { + + // create an ice.Agent that will be responsible for negotiating and establishing actual peer-to-peer connection + a, err := ice.NewAgent(&ice.AgentConfig{ + NetworkTypes: []ice.NetworkType{ice.NetworkTypeUDP4}, + Urls: conn.Config.StunTurnURLS, + }) + conn.agent = a + + if err != nil { + return err + } + + err = conn.listenOnLocalCandidates() + if err != nil { + return err + } + + err = conn.listenOnConnectionStateChanges() + if err != nil { + return err + } + + err = conn.signalCredentials() + if err != nil { + return err + } + + log.Infof("trying to connect to peer %s", conn.Config.RemoteWgKey.String()) + + // wait until credentials have been sent from the remote peer (will arrive via a signal server) + select { + case remoteAuth := <-conn.remoteAuthChannel: + + log.Infof("got a connection confirmation from peer %s", conn.Config.RemoteWgKey.String()) + + err = conn.agent.GatherCandidates() + if err != nil { + return err + } + + isControlling := conn.Config.WgKey.PublicKey().String() > conn.Config.RemoteWgKey.String() + remoteConn, err := conn.openConnectionToRemote(isControlling, remoteAuth) + if err != nil { + log.Errorf("failed establishing connection with the remote peer %s %s", conn.Config.RemoteWgKey.String(), err) + return err + } + + err = conn.wgProxy.Start(remoteConn) + if err != nil { + return err + } + + log.Infof("opened connection to peer %s", conn.Config.RemoteWgKey.String()) + case <-time.After(timeout): + err := conn.Close() + if err != nil { + log.Warnf("error while closing connection to peer %s -> %s", conn.Config.RemoteWgKey.String(), err.Error()) + } + return fmt.Errorf("timeout of %vs exceeded while waiting for the remote peer %s", timeout.Seconds(), conn.Config.RemoteWgKey.String()) + } + + // wait until connection has been closed + select { + case <-conn.closeCond.C: + return fmt.Errorf("connection to peer %s has been closed", conn.Config.RemoteWgKey.String()) + } +} + +func (conn *Connection) Close() error { + var err error + conn.closeCond.Do(func() { + + log.Warnf("closing connection to peer %s", conn.Config.RemoteWgKey.String()) + + if a := conn.agent; a != nil { + e := a.Close() + if e != nil { + log.Warnf("error while closing ICE agent of peer connection %s", conn.Config.RemoteWgKey.String()) + err = e + } + } + + if c := conn.wgProxy; c != nil { + e := c.Close() + if e != nil { + log.Warnf("error while closingWireguard proxy connection of peer connection %s", conn.Config.RemoteWgKey.String()) + err = e + } + } + }) + return err +} + +func (conn *Connection) OnAnswer(remoteAuth IceCredentials) error { + + conn.remoteAuthCond.Do(func() { + log.Debugf("OnAnswer from peer %s", conn.Config.RemoteWgKey.String()) + conn.remoteAuthChannel <- remoteAuth + }) + return nil +} + +func (conn *Connection) OnOffer(remoteAuth IceCredentials) error { + + conn.remoteAuthCond.Do(func() { + log.Debugf("OnOffer from peer %s", conn.Config.RemoteWgKey.String()) + conn.remoteAuthChannel <- remoteAuth + uFrag, pwd, err := conn.agent.GetLocalUserCredentials() + if err != nil { + } + + err = conn.signalAnswer(uFrag, pwd) + if err != nil { + } + }) + + return nil +} + +func (conn *Connection) OnRemoteCandidate(candidate ice.Candidate) error { + + log.Debugf("onRemoteCandidate from peer %s -> %s", conn.Config.RemoteWgKey.String(), candidate.String()) + + err := conn.agent.AddRemoteCandidate(candidate) + if err != nil { + return err + } + + return nil +} + +// openConnectionToRemote opens an ice.Conn to the remote peer. This is a real peer-to-peer connection +// blocks until connection has been established +func (conn *Connection) openConnectionToRemote(isControlling bool, credentials IceCredentials) (*ice.Conn, error) { + var realConn *ice.Conn + var err error + + if isControlling { + realConn, err = conn.agent.Dial(context.TODO(), credentials.uFrag, credentials.pwd) + } else { + realConn, err = conn.agent.Accept(context.TODO(), credentials.uFrag, credentials.pwd) + } + + if err != nil { + return nil, err + } + + return realConn, err +} + +// signalCredentials prepares local user credentials and signals them to the remote peer +func (conn *Connection) signalCredentials() error { + localUFrag, localPwd, err := conn.agent.GetLocalUserCredentials() + if err != nil { + return err + } + + err = conn.signalOffer(localUFrag, localPwd) + if err != nil { + return err + } + return nil +} + +// listenOnLocalCandidates registers callback of an ICE Agent to receive new local connection candidates and then +// signals them to the remote peer +func (conn *Connection) listenOnLocalCandidates() error { + err := conn.agent.OnCandidate(func(candidate ice.Candidate) { + if candidate != nil { + log.Debugf("discovered local candidate %s", candidate.String()) + err := conn.signalCandidate(candidate) + if err != nil { + log.Errorf("failed signaling candidate to the remote peer %s %s", conn.Config.RemoteWgKey.String(), err) + //todo ?? + return + } + } + }) + + if err != nil { + return err + } + + return nil +} + +// listenOnConnectionStateChanges registers callback of an ICE Agent to track connection state +func (conn *Connection) listenOnConnectionStateChanges() error { + err := conn.agent.OnConnectionStateChange(func(state ice.ConnectionState) { + log.Debugf("ICE Connection State has changed for peer %s -> %s", conn.Config.RemoteWgKey.String(), state.String()) + if state == ice.ConnectionStateConnected { + // closed the connection has been established we can check the selected candidate pair + pair, err := conn.agent.GetSelectedCandidatePair() + if err != nil { + log.Errorf("failed selecting active ICE candidate pair %s", err) + return + } + log.Debugf("closed to peer %s via selected candidate pair %s", conn.Config.RemoteWgKey.String(), pair) + } else if state == ice.ConnectionStateDisconnected || state == ice.ConnectionStateFailed { + // todo do we really wanna have a connection restart within connection itself? Think of moving it outside + err := conn.Close() + if err != nil { + log.Warnf("error while closing connection to peer %s -> %s", conn.Config.RemoteWgKey.String(), err.Error()) + } + } + }) + + if err != nil { + return err + } + + return nil +} diff --git a/connection/engine.go b/connection/engine.go new file mode 100644 index 00000000000..79ea07c1ee7 --- /dev/null +++ b/connection/engine.go @@ -0,0 +1,241 @@ +package connection + +import ( + "fmt" + "github.com/cenkalti/backoff/v4" + "github.com/pion/ice/v2" + log "github.com/sirupsen/logrus" + "github.com/wiretrustee/wiretrustee/iface" + "github.com/wiretrustee/wiretrustee/signal" + sProto "github.com/wiretrustee/wiretrustee/signal/proto" + "golang.zx2c4.com/wireguard/wgctrl/wgtypes" + "time" +) + +type Engine struct { + // a list of STUN and TURN servers + stunsTurns []*ice.URL + // signal server client + signal *signal.Client + // peer agents indexed by local public key of the remote peers + conns map[string]*Connection + // Wireguard interface + wgIface string + // Wireguard local address + wgIp string +} + +type Peer struct { + WgPubKey string + WgAllowedIps string +} + +func NewEngine(signal *signal.Client, stunsTurns []*ice.URL, wgIface string, wgAddr string) *Engine { + return &Engine{ + stunsTurns: stunsTurns, + signal: signal, + wgIface: wgIface, + wgIp: wgAddr, + conns: map[string]*Connection{}, + } +} + +func (e *Engine) Start(privateKey string, peers []Peer) error { + + // setup wireguard + myKey, err := wgtypes.ParseKey(privateKey) + myPubKey := myKey.PublicKey().String() + if err != nil { + log.Errorf("error parsing Wireguard key %s: [%s]", privateKey, err.Error()) + return err + } + + err = iface.Create(e.wgIface, e.wgIp) + if err != nil { + log.Errorf("error while creating interface %s: [%s]", e.wgIface, err.Error()) + return err + } + + err = iface.Configure(e.wgIface, myKey.String()) + if err != nil { + log.Errorf("error while configuring Wireguard interface [%s]: %s", e.wgIface, err.Error()) + return err + } + + wgPort, err := iface.GetListenPort(e.wgIface) + if err != nil { + log.Errorf("error while getting Wireguard interface port [%s]: %s", e.wgIface, err.Error()) + return err + } + + e.receiveSignal(myPubKey) + + // initialize peer agents + for _, peer := range peers { + + peer := peer + go func() { + var backOff = &backoff.ExponentialBackOff{ + InitialInterval: backoff.DefaultInitialInterval, + RandomizationFactor: backoff.DefaultRandomizationFactor, + Multiplier: backoff.DefaultMultiplier, + MaxInterval: 5 * time.Second, + MaxElapsedTime: time.Duration(0), //never stop + Stop: backoff.Stop, + Clock: backoff.SystemClock, + } + operation := func() error { + _, err := e.openPeerConnection(*wgPort, myKey, peer) + if err != nil { + log.Warnln("retrying connection because of error: ", err.Error()) + e.conns[peer.WgPubKey] = nil + return err + } + backOff.Reset() + return nil + } + + err = backoff.Retry(operation, backOff) + if err != nil { + // should actually never happen + panic(err) + } + }() + } + return nil +} + +func (e *Engine) openPeerConnection(wgPort int, myKey wgtypes.Key, peer Peer) (*Connection, error) { + + remoteKey, _ := wgtypes.ParseKey(peer.WgPubKey) + connConfig := &ConnConfig{ + WgListenAddr: fmt.Sprintf("127.0.0.1:%d", wgPort), + WgPeerIp: e.wgIp, + WgIface: e.wgIface, + WgAllowedIPs: peer.WgAllowedIps, + WgKey: myKey, + RemoteWgKey: remoteKey, + StunTurnURLS: e.stunsTurns, + } + + signalOffer := func(uFrag string, pwd string) error { + return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, false) + } + + signalAnswer := func(uFrag string, pwd string) error { + return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, true) + } + signalCandidate := func(candidate ice.Candidate) error { + return signalCandidate(candidate, myKey, remoteKey, e.signal) + } + + conn := NewConnection(*connConfig, signalCandidate, signalOffer, signalAnswer) + e.conns[remoteKey.String()] = conn + // blocks until the connection is open (or timeout) + err := conn.Open(60 * time.Second) + if err != nil { + return nil, err + } + return conn, nil +} + +func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client) error { + err := s.Send(&sProto.Message{ + Type: sProto.Message_CANDIDATE, + Key: myKey.PublicKey().String(), + RemoteKey: remoteKey.String(), + Body: candidate.Marshal(), + }) + if err != nil { + log.Errorf("failed signaling candidate to the remote peer %s %s", remoteKey.String(), err) + //todo ?? + return err + } + + return nil +} + +func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client, isAnswer bool) error { + + var t sProto.Message_Type + if isAnswer { + t = sProto.Message_ANSWER + } else { + t = sProto.Message_OFFER + } + + msg := signal.MarshalCredential(myKey.PublicKey().String(), remoteKey.String(), &signal.Credential{ + UFrag: uFrag, + Pwd: pwd}, t) + + err := s.Send(msg) + if err != nil { + return err + } + + return nil +} + +func (e *Engine) receiveSignal(localKey string) { + // connect to a stream of messages coming from the signal server + e.signal.Receive(localKey, func(msg *sProto.Message) error { + + conn := e.conns[msg.Key] + if conn == nil { + return fmt.Errorf("wrongly addressed message %s", msg.Key) + } + + if conn.Config.RemoteWgKey.String() != msg.Key { + return fmt.Errorf("unknown peer %s", msg.Key) + } + + switch msg.Type { + case sProto.Message_OFFER: + remoteCred, err := signal.UnMarshalCredential(msg) + if err != nil { + return err + } + err = conn.OnOffer(IceCredentials{ + uFrag: remoteCred.UFrag, + pwd: remoteCred.Pwd, + }) + + if err != nil { + return err + } + + return nil + case sProto.Message_ANSWER: + remoteCred, err := signal.UnMarshalCredential(msg) + if err != nil { + return err + } + err = conn.OnAnswer(IceCredentials{ + uFrag: remoteCred.UFrag, + pwd: remoteCred.Pwd, + }) + + if err != nil { + return err + } + + case sProto.Message_CANDIDATE: + + candidate, err := ice.UnmarshalCandidate(msg.Body) + if err != nil { + log.Errorf("failed on parsing remote candidate %s -> %s", candidate, err) + return err + } + + err = conn.OnRemoteCandidate(candidate) + if err != nil { + log.Errorf("error handling CANDIATE from %s", msg.Key) + return err + } + } + + return nil + }) + + e.signal.WaitConnected() +} diff --git a/connection/wgproxy.go b/connection/wgproxy.go new file mode 100644 index 00000000000..f29d13eea1e --- /dev/null +++ b/connection/wgproxy.go @@ -0,0 +1,111 @@ +package connection + +import ( + "github.com/pion/ice/v2" + log "github.com/sirupsen/logrus" + "github.com/wiretrustee/wiretrustee/iface" + "net" +) + +type WgProxy struct { + iface string + remoteKey string + allowedIps string + wgAddr string + close chan struct{} + wgConn net.Conn +} + +func NewWgProxy(iface string, remoteKey string, allowedIps string, wgAddr string) *WgProxy { + return &WgProxy{ + iface: iface, + remoteKey: remoteKey, + allowedIps: allowedIps, + wgAddr: wgAddr, + close: make(chan struct{}), + } +} + +func (p *WgProxy) Close() error { + + close(p.close) + if c := p.wgConn; c != nil { + err := p.wgConn.Close() + if err != nil { + return err + } + } + + return nil +} + +func (p *WgProxy) Start(remoteConn *ice.Conn) error { + + wgConn, err := net.Dial("udp", p.wgAddr) + if err != nil { + log.Fatalf("failed dialing to local Wireguard port %s", err) + return err + } + p.wgConn = wgConn + // add local proxy connection as a Wireguard peer + err = iface.UpdatePeer(p.iface, p.remoteKey, p.allowedIps, DefaultWgKeepAlive, + wgConn.LocalAddr().String()) + if err != nil { + log.Errorf("error while configuring Wireguard peer [%s] %s", p.remoteKey, err.Error()) + return err + } + + go func() { p.proxyToRemotePeer(remoteConn) }() + go func() { p.proxyToLocalWireguard(remoteConn) }() + + return err +} + +// proxyToRemotePeer proxies everything from Wireguard to the remote peer +// blocks +func (p *WgProxy) proxyToRemotePeer(remoteConn *ice.Conn) { + + buf := make([]byte, 1500) + for { + select { + case <-p.close: + log.Infof("stopped proxying from remote peer %s due to closed connection", p.remoteKey) + return + default: + n, err := p.wgConn.Read(buf) + if err != nil { + //log.Warnln("failed reading from peer: ", err.Error()) + continue + } + + n, err = remoteConn.Write(buf[:n]) + if err != nil { + //log.Warnln("failed writing to remote peer: ", err.Error()) + } + } + } +} + +// proxyToLocalWireguard proxies everything from the remote peer to local Wireguard +// blocks +func (p *WgProxy) proxyToLocalWireguard(remoteConn *ice.Conn) { + + buf := make([]byte, 1500) + for { + select { + case <-p.close: + log.Infof("stopped proxying from remote peer %s due to closed connection", p.remoteKey) + return + default: + n, err := remoteConn.Read(buf) + if err != nil { + //log.Errorf("failed reading from remote connection %s", err) + } + + n, err = p.wgConn.Write(buf[:n]) + if err != nil { + //log.Errorf("failed writing to local Wireguard instance %s", err) + } + } + } +} diff --git a/go.mod b/go.mod new file mode 100644 index 00000000000..a070c15197f --- /dev/null +++ b/go.mod @@ -0,0 +1,18 @@ +module github.com/wiretrustee/wiretrustee + +go 1.16 + +require ( + github.com/cenkalti/backoff/v4 v4.1.0 + github.com/golang/protobuf v1.4.2 + github.com/google/nftables v0.0.0-20201230142148-715e31cb3c31 + github.com/pion/ice/v2 v2.0.17 + github.com/sirupsen/logrus v1.7.0 + github.com/spf13/cobra v1.1.3 + github.com/vishvananda/netlink v1.1.0 + github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df + golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 + golang.zx2c4.com/wireguard v0.0.20201118 + golang.zx2c4.com/wireguard/wgctrl v0.0.0-20200609130330-bd2cb7843e1b + google.golang.org/grpc v1.32.0 +) diff --git a/go.sum b/go.sum new file mode 100644 index 00000000000..bb5734bb2a2 --- /dev/null +++ b/go.sum @@ -0,0 +1,415 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= +github.com/cenkalti/backoff/v4 v4.1.0 h1:c8LkOFQTzuO0WBM/ae5HdGQuZPfPxp7lqBRwQRm4fSc= +github.com/cenkalti/backoff/v4 v4.1.0/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/nftables v0.0.0-20201230142148-715e31cb3c31 h1:kyEB9geFhgDyawmvavtNu9iGW9ri/iq54XTSNIEeHxI= +github.com/google/nftables v0.0.0-20201230142148-715e31cb3c31/go.mod h1:cfspEyr/Ap+JDIITA+N9a0ernqG0qZ4W1aqMRgDZa1g= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs= +github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= +github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw= +github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4 h1:nwOc1YaOrYJ37sEBrtWZrdqzK22hiJs3GpDmP3sR2Yw= +github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/koneu/natend v0.0.0-20150829182554-ec0926ea948d h1:MFX8DxRnKMY/2M3H61iSsVbo/n3h0MWGmWNN1UViOU0= +github.com/koneu/natend v0.0.0-20150829182554-ec0926ea948d/go.mod h1:QHb4k4cr1fQikUahfcRVPcEXiUgFsdIstGqlurL0XL4= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/mdlayher/genetlink v1.0.0 h1:OoHN1OdyEIkScEmRgxLEe2M9U8ClMytqA5niynLtfj0= +github.com/mdlayher/genetlink v1.0.0/go.mod h1:0rJ0h4itni50A86M2kHcgS85ttZazNt7a8H2a2cw0Gc= +github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA= +github.com/mdlayher/netlink v0.0.0-20191009155606-de872b0d824b/go.mod h1:KxeJAFOFLG6AjpyDkQ/iIhxygIUKD+vcwqcnu43w/+M= +github.com/mdlayher/netlink v1.0.0/go.mod h1:KxeJAFOFLG6AjpyDkQ/iIhxygIUKD+vcwqcnu43w/+M= +github.com/mdlayher/netlink v1.1.0 h1:mpdLgm+brq10nI9zM1BpX1kpDbh3NLl3RSnVq6ZSkfg= +github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcKp9uZHgmY= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws= +github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= +github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pion/dtls/v2 v2.0.9 h1:7Ow+V++YSZQMYzggI0P9vLJz/hUFcffsfGMfT/Qy+u8= +github.com/pion/dtls/v2 v2.0.9/go.mod h1:O0Wr7si/Zj5/EBFlDzDd6UtVxx25CE1r7XM7BQKYQho= +github.com/pion/ice/v2 v2.0.17 h1:YNkULoBhPGQeg1qZdveOdxNq2yZvC6iC30eC137fLzs= +github.com/pion/ice/v2 v2.0.17/go.mod h1:ZI/4u+8cIaENIGy9fmxkQGz0RxKn7vsZ5tXtAddh79Y= +github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY= +github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms= +github.com/pion/mdns v0.0.5 h1:Q2oj/JB3NqfzY9xGZ1fPzZzK7sDSD8rZPOvcIQ10BCw= +github.com/pion/mdns v0.0.5/go.mod h1:UgssrvdD3mxpi8tMxAXbsppL3vJ4Jipw1mTCW+al01g= +github.com/pion/randutil v0.1.0 h1:CFG1UdESneORglEsnimhUjf33Rwjubwj6xfiOXBa3mA= +github.com/pion/randutil v0.1.0/go.mod h1:XcJrSMMbbMRhASFVOlj/5hQial/Y8oH/HVo7TBZq+j8= +github.com/pion/stun v0.3.5 h1:uLUCBCkQby4S1cf6CGuR9QrVOKcvUwFeemaC865QHDg= +github.com/pion/stun v0.3.5/go.mod h1:gDMim+47EeEtfWogA37n6qXZS88L5V6LqFcf+DZA2UA= +github.com/pion/transport v0.10.1/go.mod h1:PBis1stIILMiis0PewDw91WJeLJkyIMcEk+DwKOzf4A= +github.com/pion/transport v0.12.2/go.mod h1:N3+vZQD9HlDP5GWkZ85LohxNsDcNgofQmyL6ojX5d8Q= +github.com/pion/transport v0.12.3 h1:vdBfvfU/0Wq8kd2yhUMSDB/x+O4Z9MYVl2fJ5BT4JZw= +github.com/pion/transport v0.12.3/go.mod h1:OViWW9SP2peE/HbwBvARicmAVnesphkNkCVZIWJ6q9A= +github.com/pion/turn/v2 v2.0.5 h1:iwMHqDfPEDEOFzwWKT56eFmh6DYC6o/+xnLAEzgISbA= +github.com/pion/turn/v2 v2.0.5/go.mod h1:APg43CFyt/14Uy7heYUOGWdkem/Wu4PhCO/bjyrTqMw= +github.com/pion/udp v0.1.1 h1:8UAPvyqmsxK8oOjloDk4wUt63TzFe9WEJkg5lChlj7o= +github.com/pion/udp v0.1.1/go.mod h1:6AFo+CMdKQm7UiA0eUPA8/eVCTx8jBIITLZHc9DWX5M= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM= +github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v1.1.3 h1:xghbfqPkxzxP3C/f3n5DdpAbdKLj4ZE4BWQI362l53M= +github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJH8j0= +github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= +github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI= +github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k= +github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200204104054-c9f3fb736b72/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w= +golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191003171128-d98b1b443823/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191028085509-fe3aa8a45271/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201201195509-5d6afe98e0b7/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c h1:KHUzaHIpjWVlVVNh65G3hhuj3KB1HnjY6Cq5cTvRQT8= +golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191003212358-c178f38b412c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191029155521-f43be2a4598c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201117222635-ba5294a509c7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44 h1:Bli41pIlzTzf3KEY06n+xnzK/BESIg2ze4Pgfh/aI8c= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.zx2c4.com/wireguard v0.0.20200121/go.mod h1:P2HsVp8SKwZEufsnezXZA4GRX/T49/HlU7DGuelXsU4= +golang.zx2c4.com/wireguard v0.0.20201118 h1:QL8y2C7uO8T6z1GY+UX/hSeWiYEBurQkXjOTRFtCvXU= +golang.zx2c4.com/wireguard v0.0.20201118/go.mod h1:Dz+cq5bnrai9EpgYj4GDof/+qaGzbRWbeaAOs1bUYa0= +golang.zx2c4.com/wireguard/wgctrl v0.0.0-20200609130330-bd2cb7843e1b h1:l4mBVCYinjzZuR5DtxHuBD6wyd4348TGiavJ5vLrhEc= +golang.zx2c4.com/wireguard/wgctrl v0.0.0-20200609130330-bd2cb7843e1b/go.mod h1:UdS9frhv65KTfwxME1xE8+rHYoFpbm36gOud1GhBe9c= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a h1:Ob5/580gVHBJZgXnff1cZDbG+xLtMVE5mDRTe+nIsX4= +google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.32.0 h1:zWTV+LMdc3kaiJMSTOFz2UgSBgx8RNQoTGiZu3fR9S0= +google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= diff --git a/iface/iface.go b/iface/iface.go new file mode 100644 index 00000000000..85b93e967d7 --- /dev/null +++ b/iface/iface.go @@ -0,0 +1,267 @@ +package iface + +import ( + log "github.com/sirupsen/logrus" + "github.com/vishvananda/netlink" + "golang.zx2c4.com/wireguard/device" + "golang.zx2c4.com/wireguard/ipc" + "golang.zx2c4.com/wireguard/tun" + "golang.zx2c4.com/wireguard/wgctrl" + "golang.zx2c4.com/wireguard/wgctrl/wgtypes" + "net" + "time" +) + +const ( + defaultMTU = 1280 +) + +// Saves tun device object - is it required? +var tunIface tun.Device + +// Create Creates a new Wireguard interface, sets a given IP and brings it up. +// Will reuse an existing one. +func Create(iface string, address string) error { + var err error + + tunIface, err = tun.CreateTUN(iface, defaultMTU) + if err != nil { + return err + } + + // We need to create a wireguard-go device and listen to configuration requests + tunDevice := device.NewDevice(tunIface, device.NewLogger(device.LogLevelSilent, "[wiretrustee] ")) + tunDevice.Up() + tunSock, err := ipc.UAPIOpen(iface) + if err != nil { + return err + } + uapi, err := ipc.UAPIListen(iface, tunSock) + if err != nil { + return err + } + + go func() { + for { + conn, err := uapi.Accept() + if err != nil { + log.Debugln(err) + return + } + go tunDevice.IpcHandle(conn) + } + }() + + log.Debugln("UAPI listener started") + + err = assignAddr(iface, address) + if err != nil { + return err + } + return nil +} + +// Extends the functionality of Configure(iface string, privateKey string) by generating a new Wireguard private key +func ConfigureWithKeyGen(iface string) (*wgtypes.Key, error) { + key, err := wgtypes.GeneratePrivateKey() + if err != nil { + return nil, err + } + return &key, Configure(iface, key.String()) +} + +// Configures a Wireguard interface +// The interface must exist before calling this method (e.g. call interface.Create() before) +func Configure(iface string, privateKey string) error { + + log.Debugf("configuring Wireguard interface %s", iface) + wg, err := wgctrl.New() + if err != nil { + return err + } + defer wg.Close() + + log.Debugf("adding Wireguard private key") + key, err := wgtypes.ParseKey(privateKey) + if err != nil { + return err + } + fwmark := 0 + cfg := wgtypes.Config{ + PrivateKey: &key, + ReplacePeers: false, + FirewallMark: &fwmark, + } + err = wg.ConfigureDevice(iface, cfg) + if err != nil { + return err + } + + return nil +} + +func GetListenPort(iface string) (*int, error) { + log.Debugf("getting Wireguard listen port of interface %s", iface) + + //discover Wireguard current configuration + wg, err := wgctrl.New() + if err != nil { + return nil, err + } + defer wg.Close() + + d, err := wg.Device(iface) + if err != nil { + return nil, err + } + log.Debugf("got Wireguard device listen port %s, %d", iface, &d.ListenPort) + + return &d.ListenPort, nil +} + +// Updates a Wireguard interface listen port +func UpdateListenPort(iface string, newPort int) error { + log.Debugf("updating Wireguard listen port of interface %s, new port %d", iface, newPort) + + //discover Wireguard current configuration + wg, err := wgctrl.New() + if err != nil { + return err + } + defer wg.Close() + + _, err = wg.Device(iface) + if err != nil { + return err + } + log.Debugf("got Wireguard device %s", iface) + + config := wgtypes.Config{ + ListenPort: &newPort, + ReplacePeers: false, + } + err = wg.ConfigureDevice(iface, config) + if err != nil { + return err + } + + log.Debugf("updated Wireguard listen port of interface %s, new port %d", iface, newPort) + + return nil +} + +func ifname(n string) []byte { + b := make([]byte, 16) + copy(b, []byte(n+"\x00")) + return b +} + +// Updates existing Wireguard Peer or creates a new one if doesn't exist +// Endpoint is optional +func UpdatePeer(iface string, peerKey string, allowedIps string, keepAlive time.Duration, endpoint string) error { + + log.Debugf("updating interface %s peer %s: endpoint %s ", iface, peerKey, endpoint) + + wg, err := wgctrl.New() + if err != nil { + return err + } + defer wg.Close() + + _, err = wg.Device(iface) + if err != nil { + return err + } + log.Debugf("got Wireguard device %s", iface) + + //parse allowed ips + ipNet, err := netlink.ParseIPNet(allowedIps) + if err != nil { + return err + } + + peerKeyParsed, err := wgtypes.ParseKey(peerKey) + + peers := make([]wgtypes.PeerConfig, 0) + peer := wgtypes.PeerConfig{ + PublicKey: peerKeyParsed, + ReplaceAllowedIPs: true, + AllowedIPs: []net.IPNet{*ipNet}, + PersistentKeepaliveInterval: &keepAlive, + } + peers = append(peers, peer) + + config := wgtypes.Config{ + ReplacePeers: false, + Peers: peers, + } + err = wg.ConfigureDevice(iface, config) + if err != nil { + return err + } + + if endpoint != "" { + return UpdatePeerEndpoint(iface, peerKey, endpoint) + } + + return nil +} + +// Updates a Wireguard interface Peer with the new endpoint +// Used when NAT hole punching was successful and an update of the remote peer endpoint is required +func UpdatePeerEndpoint(iface string, peerKey string, newEndpoint string) error { + + log.Debugf("updating peer %s endpoint %s ", peerKey, newEndpoint) + + wg, err := wgctrl.New() + if err != nil { + return err + } + defer wg.Close() + + _, err = wg.Device(iface) + if err != nil { + return err + } + log.Debugf("got Wireguard device %s", iface) + + peerAddr, err := net.ResolveUDPAddr("udp4", newEndpoint) + if err != nil { + return err + } + + log.Debugf("parsed peer endpoint [%s]", peerAddr.String()) + + peerKeyParsed, err := wgtypes.ParseKey(peerKey) + peers := make([]wgtypes.PeerConfig, 0) + peer := wgtypes.PeerConfig{ + PublicKey: peerKeyParsed, + ReplaceAllowedIPs: false, + UpdateOnly: true, + Endpoint: peerAddr, + } + peers = append(peers, peer) + + config := wgtypes.Config{ + ReplacePeers: false, + Peers: peers, + } + err = wg.ConfigureDevice(iface, config) + if err != nil { + return err + } + + return nil +} + +type wgLink struct { + attrs *netlink.LinkAttrs +} + +func (w *wgLink) Attrs() *netlink.LinkAttrs { + return w.attrs +} + +func (w *wgLink) Type() string { + return "wireguard" +} diff --git a/iface/iface_darwin.go b/iface/iface_darwin.go new file mode 100644 index 00000000000..0481fa58574 --- /dev/null +++ b/iface/iface_darwin.go @@ -0,0 +1,38 @@ +package iface + +import ( + log "github.com/sirupsen/logrus" + "net" + "os/exec" + "strings" +) + +const ( + interfacePrefix = "utun" +) + +// assignAddr Adds IP address to the tunnel interface and network route based on the range provided +func assignAddr(iface string, address string) error { + ip := strings.Split(address, "/") + cmd := exec.Command("ifconfig", iface, "inet", address, ip[0]) + if out, err := cmd.CombinedOutput(); err != nil { + log.Infoln("Command: %v failed with output %s and error: ", cmd.String(), out) + return err + } + _, resolvedNet, err := net.ParseCIDR(address) + err = addRoute(iface, resolvedNet) + if err != nil { + log.Infoln("Adding route failed with error:", err) + } + return nil +} + +// addRoute Adds network route based on the range provided +func addRoute(iface string, ipNet *net.IPNet) error { + cmd := exec.Command("route", "add", "-net", ipNet.String(), "-interface", iface) + if out, err := cmd.CombinedOutput(); err != nil { + log.Printf("Command: %v failed with output %s and error: ", cmd.String(), out) + return err + } + return nil +} diff --git a/iface/iface_linux.go b/iface/iface_linux.go new file mode 100644 index 00000000000..d43e4c65244 --- /dev/null +++ b/iface/iface_linux.go @@ -0,0 +1,33 @@ +package iface + +import ( + log "github.com/sirupsen/logrus" + "github.com/vishvananda/netlink" + "os" +) + +const ( + interfacePrefix = "wg" +) + +// assignAddr Adds IP address to the tunnel interface +func assignAddr(iface string, address string) error { + attrs := netlink.NewLinkAttrs() + attrs.Name = iface + + link := wgLink{ + attrs: &attrs, + } + + log.Debugf("adding address %s to interface: %s", address, iface) + addr, _ := netlink.ParseAddr(address) + err := netlink.AddrAdd(&link, addr) + if os.IsExist(err) { + log.Infof("interface %s already has the address: %s", iface, address) + } else if err != nil { + return err + } + // On linux, the link must be brought up + err = netlink.LinkSetUp(&link) + return err +} diff --git a/iface/nat_linux.go b/iface/nat_linux.go new file mode 100644 index 00000000000..22ebd64e026 --- /dev/null +++ b/iface/nat_linux.go @@ -0,0 +1,85 @@ +package iface + +import ( + "github.com/google/nftables" + "github.com/google/nftables/expr" + log "github.com/sirupsen/logrus" + "github.com/vishvananda/netns" + "io/ioutil" +) + +// Configure routing and IP masquerading +//todo more docs on what exactly happens here and why it is needed +func ConfigureNAT(primaryIface string) error { + log.Debugf("adding NAT / IP masquerading using nftables") + ns, err := netns.Get() + if err != nil { + return err + } + + conn := nftables.Conn{NetNS: int(ns)} + + log.Debugf("flushing nftable rulesets") + conn.FlushRuleset() + + log.Debugf("setting up nftable rules for ip masquerading") + + nat := conn.AddTable(&nftables.Table{ + Family: nftables.TableFamilyIPv4, + Name: "nat", + }) + + conn.AddChain(&nftables.Chain{ + Name: "prerouting", + Table: nat, + Type: nftables.ChainTypeNAT, + Hooknum: nftables.ChainHookPrerouting, + Priority: nftables.ChainPriorityFilter, + }) + + post := conn.AddChain(&nftables.Chain{ + Name: "postrouting", + Table: nat, + Type: nftables.ChainTypeNAT, + Hooknum: nftables.ChainHookPostrouting, + Priority: nftables.ChainPriorityNATSource, + }) + + conn.AddRule(&nftables.Rule{ + Table: nat, + Chain: post, + Exprs: []expr.Any{ + &expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1}, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: ifname(primaryIface), + }, + &expr.Masq{}, + }, + }) + + if err := conn.Flush(); err != nil { + return err + } + + return nil +} + +// Enables IP forwarding system property. +// Mostly used when you setup one peer as a VPN server. +func EnableIPForward() error { + f := "/proc/sys/net/ipv4/ip_forward" + + content, err := ioutil.ReadFile(f) + if err != nil { + return err + } + + if string(content) == "0\n" { + log.Info("enabling IP Forward") + return ioutil.WriteFile(f, []byte("1"), 0600) + } + + return nil +} diff --git a/main.go b/main.go new file mode 100644 index 00000000000..0a71638c8f2 --- /dev/null +++ b/main.go @@ -0,0 +1,12 @@ +package main + +import ( + "github.com/wiretrustee/wiretrustee/cmd" + "os" +) + +func main() { + if err := cmd.Execute(); err != nil { + os.Exit(1) + } +} diff --git a/release_files/post_install.sh b/release_files/post_install.sh new file mode 100644 index 00000000000..5471a7abca3 --- /dev/null +++ b/release_files/post_install.sh @@ -0,0 +1,61 @@ +#!/bin/sh + +# Step 1, decide if we should use systemd or init/upstart +use_systemctl="True" +systemd_version=0 +if ! command -V systemctl >/dev/null 2>&1; then + use_systemctl="False" +else + systemd_version=$(systemctl --version | head -1 | sed 's/systemd //g') +fi + +cleanInstall() { + printf "\033[32m Post Install of an clean install\033[0m\n" + # Step 3 (clean install), enable the service in the proper way for this platform + if [ "${use_systemctl}" = "True" ]; then + printf "\033[32m Reload the service unit from disk\033[0m\n" + systemctl daemon-reload ||: + printf "\033[32m Unmask the service\033[0m\n" + systemctl unmask wiretrustee ||: + printf "\033[32m Set the preset flag for the service unit\033[0m\n" + systemctl preset wiretrustee ||: + printf "\033[32m Set the enabled flag for the service unit\033[0m\n" + systemctl enable wiretrustee ||: + systemctl restart wiretrustee ||: + fi +} + +upgrade() { + printf "\033[32m Post Install of an upgrade\033[0m\n" + if [ "${use_systemctl}" = "True" ]; then + printf "\033[32m Reload the service unit from disk\033[0m\n" + systemctl daemon-reload ||: + printf "\033[32m Restarting the service\033[0m\n" + systemctl restart wiretrustee ||: + fi +} + +# Step 2, check if this is a clean install or an upgrade +action="$1" +if [ "$1" = "configure" ] && [ -z "$2" ]; then + # Alpine linux does not pass args, and deb passes $1=configure + action="install" +elif [ "$1" = "configure" ] && [ -n "$2" ]; then + # deb passes $1=configure $2= + action="upgrade" +fi + +case "$action" in + "1" | "install") + cleanInstall + ;; + "2" | "upgrade") + printf "\033[32m Post Install of an upgrade\033[0m\n" + upgrade + ;; + *) + # $1 == version being installed + printf "\033[32m install\033[0m" + cleanInstall + ;; +esac \ No newline at end of file diff --git a/release_files/wiretrustee.json b/release_files/wiretrustee.json new file mode 100644 index 00000000000..d64d7ee3883 --- /dev/null +++ b/release_files/wiretrustee.json @@ -0,0 +1,30 @@ +{ + "PrivateKey": "", + "Peers": [ + { + "WgPubKey": "", + "WgAllowedIps": "" + } + ], + "StunTurnURLs": [ + { + "Scheme": 1, + "Host": "", + "Port": 3468, + "Username": "", + "Password": "", + "Proto": 1 + }, + { + "Scheme": 3, + "Host": "", + "Port": 3468, + "Username": "", + "Password": "", + "Proto": 1 + } + ], + "SignalAddr": "", + "WgAddr": "", + "WgIface": "" +} diff --git a/release_files/wiretrustee.service b/release_files/wiretrustee.service new file mode 100644 index 00000000000..93ed6fddad8 --- /dev/null +++ b/release_files/wiretrustee.service @@ -0,0 +1,10 @@ +[Unit] +Description=Wiretrustee Service +After=multi-user.target network-online.target +Wants=network-online.target + +[Service] +Type=simple +ExecStart=/usr/local/bin/wiretrustee up --config /etc/wiretrustee/wiretrustee.json --log-level debug +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/signal/README.md b/signal/README.md new file mode 100644 index 00000000000..53421397b2e --- /dev/null +++ b/signal/README.md @@ -0,0 +1,18 @@ +This is a Wiretrustee signal-exchange server and client library to exchange connection information between Wiretrustee Trusted Device and Wiretrustee Hub + +The project uses gRPC library and defines service in protobuf file located in: + ```proto/signal_exchange.proto``` + + To build the project you have to do the following things. + +Install protobuf version 3 (by default v3 is installed on ubuntu 20.04. On previous versions it is proto 2): + ``` +sudo apt install protoc-gen-go +sudo apt install golang-goprotobuf-dev + ``` + +Generate gRPC code: + ``` + protoc -I proto/ proto/signalexchange.proto --go_out=plugins=grpc:proto + + ``` \ No newline at end of file diff --git a/signal/client.go b/signal/client.go new file mode 100644 index 00000000000..debf635fa97 --- /dev/null +++ b/signal/client.go @@ -0,0 +1,210 @@ +package signal + +import ( + "context" + "fmt" + "github.com/cenkalti/backoff/v4" + log "github.com/sirupsen/logrus" + "github.com/wiretrustee/wiretrustee/signal/proto" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/keepalive" + "google.golang.org/grpc/metadata" + "google.golang.org/grpc/status" + "io" + "strings" + "sync" + "time" +) + +// A set of tools to exchange connection details (Wireguard endpoints) with the remote peer. + +// Wraps the Signal Exchange Service gRpc client +type Client struct { + realClient proto.SignalExchangeClient + signalConn *grpc.ClientConn + ctx context.Context + stream proto.SignalExchange_ConnectStreamClient + //waiting group to notify once stream is connected + connWg sync.WaitGroup //todo use a channel instead?? +} + +// Closes underlying connections to the Signal Exchange +func (client *Client) Close() error { + return client.signalConn.Close() +} + +func NewClient(addr string, ctx context.Context) (*Client, error) { + + conn, err := grpc.DialContext( + ctx, + addr, + grpc.WithInsecure(), + grpc.WithBlock(), + grpc.WithKeepaliveParams(keepalive.ClientParameters{ + Time: 3 * time.Second, + Timeout: 2 * time.Second, + })) + + if err != nil { + log.Errorf("failed to connect to the signalling server %v", err) + return nil, err + } + + return &Client{ + realClient: proto.NewSignalExchangeClient(conn), + ctx: ctx, + signalConn: conn, + }, nil +} + +// Connects to the Signal Exchange message stream and starts receiving messages. +// The messages will be handled by msgHandler function provided. +// This function runs a goroutine underneath and reconnects to the Signal Exchange if errors occur (e.g. Exchange restart) +// The key is the identifier of our Peer (could be Wireguard public key) +func (client *Client) Receive(key string, msgHandler func(msg *proto.Message) error) { + client.connWg.Add(1) + go func() { + + var backOff = &backoff.ExponentialBackOff{ + InitialInterval: backoff.DefaultInitialInterval, + RandomizationFactor: backoff.DefaultRandomizationFactor, + Multiplier: backoff.DefaultMultiplier, + MaxInterval: 3 * time.Second, + MaxElapsedTime: time.Duration(0), //never stop + Stop: backoff.Stop, + Clock: backoff.SystemClock, + } + + operation := func() error { + err := client.connect(key, msgHandler) + if err != nil { + log.Warnf("disconnected from the Signal Exchange due to an error %s. Retrying ... ", err) + client.connWg.Add(1) + return err + } + + backOff.Reset() + return nil + } + + err := backoff.Retry(operation, backOff) + if err != nil { + log.Errorf("error while communicating with the Signal Exchange %s ", err) + return + } + }() +} + +func (client *Client) connect(key string, msgHandler func(msg *proto.Message) error) error { + client.stream = nil + + // add key fingerprint to the request header to be identified on the server side + md := metadata.New(map[string]string{proto.HeaderId: key}) + ctx := metadata.NewOutgoingContext(client.ctx, md) + ctx, cancel := context.WithCancel(ctx) + defer cancel() + + stream, err := client.realClient.ConnectStream(ctx) + + client.stream = stream + if err != nil { + return err + } + //connection established we are good to use the stream + client.connWg.Done() + + log.Infof("connected to the Signal Exchange Stream") + + return client.receive(stream, msgHandler) +} + +// Waits until the client is connected to the message stream +func (client *Client) WaitConnected() { + client.connWg.Wait() +} + +// Sends a message to the remote Peer through the Signal Exchange using established stream connection to the Signal Server +// The Client.Receive method must be called before sending messages to establish initial connection to the Signal Exchange +// Client.connWg can be used to wait +func (client *Client) SendToStream(msg *proto.Message) error { + + if client.stream == nil { + return fmt.Errorf("connection to the Signal Exchnage has not been established yet. Please call Client.Receive before sending messages") + } + + err := client.stream.Send(msg) + if err != nil { + log.Errorf("error while sending message to peer [%s] [error: %v]", msg.RemoteKey, err) + return err + } + + return nil +} + +// Sends a message to the remote Peer through the Signal Exchange. +func (client *Client) Send(msg *proto.Message) error { + + _, err := client.realClient.Connect(context.TODO(), msg) + if err != nil { + log.Errorf("error while sending message to peer [%s] [error: %v]", msg.RemoteKey, err) + return err + } + + return nil +} + +// Receives messages from other peers coming through the Signal Exchange +func (client *Client) receive(stream proto.SignalExchange_ConnectStreamClient, + msgHandler func(msg *proto.Message) error) error { + + for { + msg, err := stream.Recv() + if s, ok := status.FromError(err); ok && s.Code() == codes.Canceled { + log.Warnf("stream canceled (usually indicates shutdown)") + return err + } else if s.Code() == codes.Unavailable { + log.Warnf("server has been stopped") + return err + } else if err == io.EOF { + log.Warnf("stream closed by server") + return err + } else if err != nil { + return err + } + log.Debugf("received a new message from Peer [fingerprint: %s] [type %s]", msg.Key, msg.Type) + + //todo decrypt + err = msgHandler(msg) + + if err != nil { + log.Errorf("error while handling message of Peer [key: %s] error: [%s]", msg.Key, err.Error()) + //todo send something?? + } + } +} + +func UnMarshalCredential(msg *proto.Message) (*Credential, error) { + credential := strings.Split(msg.Body, ":") + if len(credential) != 2 { + return nil, fmt.Errorf("error parsing message body %s", msg.Body) + } + return &Credential{ + UFrag: credential[0], + Pwd: credential[1], + }, nil +} + +func MarshalCredential(ourKey string, remoteKey string, credential *Credential, t proto.Message_Type) *proto.Message { + return &proto.Message{ + Type: t, + Key: ourKey, + RemoteKey: remoteKey, + Body: fmt.Sprintf("%s:%s", credential.UFrag, credential.Pwd), + } +} + +type Credential struct { + UFrag string + Pwd string +} diff --git a/signal/encryption.go b/signal/encryption.go new file mode 100644 index 00000000000..8b6136216c2 --- /dev/null +++ b/signal/encryption.go @@ -0,0 +1,52 @@ +package signal + +import ( + "crypto/rand" + "fmt" + "golang.org/x/crypto/nacl/box" + "golang.zx2c4.com/wireguard/wgctrl/wgtypes" +) + +// As set of tools to encrypt/decrypt messages being sent through the Signal Exchange Service. +// We want to make sure that the Connection Candidates and other irrelevant (to the Signal Exchange) information can't be read anywhere else but the Peer the message is being sent to. +// These tools use Golang crypto package (Curve25519, XSalsa20 and Poly1305 to encrypt and authenticate) +// Wireguard keys are used for encryption + +// Encrypts a message using local Wireguard private key and remote peer's public key. +func EncryptMessage(msg []byte, privateKey wgtypes.Key, remotePubKey wgtypes.Key) ([]byte, error) { + nonce, err := genNonce() + if err != nil { + return nil, err + } + + return box.Seal(nil, msg, nonce, toByte32(remotePubKey), toByte32(privateKey)), nil +} + +// Decrypts a message that has been encrypted by the remote peer using Wireguard private key and remote peer's public key. +func DecryptMessage(encryptedMsg []byte, privateKey wgtypes.Key, remotePubKey wgtypes.Key) ([]byte, error) { + nonce, err := genNonce() + if err != nil { + return nil, err + } + + opened, ok := box.Open(nil, encryptedMsg, nonce, toByte32(remotePubKey), toByte32(privateKey)) + if !ok { + return nil, fmt.Errorf("failed to decrypt message from peer %s", remotePubKey.String()) + } + + return opened, nil +} + +// Generates nonce of size 24 +func genNonce() (*[24]byte, error) { + var nonce [24]byte + if _, err := rand.Read(nonce[:]); err != nil { + return nil, err + } + return &nonce, nil +} + +// Converts Wireguard key to byte array of size 32 (a format used by the golang crypto package) +func toByte32(key wgtypes.Key) *[32]byte { + return (*[32]byte)(&key) +} diff --git a/signal/fingerprint.go b/signal/fingerprint.go new file mode 100644 index 00000000000..7e350d5b1df --- /dev/null +++ b/signal/fingerprint.go @@ -0,0 +1,18 @@ +package signal + +import ( + "crypto/sha256" + "encoding/hex" +) + +const ( + HexTable = "0123456789abcdef" +) + +// Generates a SHA256 Fingerprint of the string +func FingerPrint(key string) string { + hasher := sha256.New() + hasher.Write([]byte(key)) + sha := hasher.Sum(nil) + return hex.EncodeToString(sha) +} diff --git a/signal/peer/peer.go b/signal/peer/peer.go new file mode 100644 index 00000000000..5f08a5ebe59 --- /dev/null +++ b/signal/peer/peer.go @@ -0,0 +1,54 @@ +package peer + +import ( + log "github.com/sirupsen/logrus" + "github.com/wiretrustee/wiretrustee/signal/proto" +) + +// Representation of a connected Peer +type Peer struct { + // a unique id of the Peer (e.g. sha256 fingerprint of the Wireguard public key) + Id string + + //a gRpc connection stream to the Peer + Stream proto.SignalExchange_ConnectStreamServer +} + +func NewPeer(id string, stream proto.SignalExchange_ConnectStreamServer) *Peer { + return &Peer{ + Id: id, + Stream: stream, + } +} + +// registry that holds all currently connected Peers +type Registry struct { + // Peer.key -> Peer + Peers map[string]*Peer +} + +func NewRegistry() *Registry { + return &Registry{ + Peers: make(map[string]*Peer), + } +} + +// Registers peer in the registry +func (reg *Registry) Register(peer *Peer) { + if _, exists := reg.Peers[peer.Id]; exists { + log.Warnf("peer [%s] has been already registered", peer.Id) + } else { + log.Printf("registering new peer [%s]", peer.Id) + } + //replace Peer even if exists + //todo should we really replace? + reg.Peers[peer.Id] = peer +} + +// Deregister Peer from the Registry (usually once it disconnects) +func (reg *Registry) DeregisterHub(peer *Peer) { + if _, ok := reg.Peers[peer.Id]; ok { + delete(reg.Peers, peer.Id) + log.Printf("deregistered peer [%s]", peer.Id) + } +} diff --git a/signal/proto/constants.go b/signal/proto/constants.go new file mode 100644 index 00000000000..d12fff2ab0e --- /dev/null +++ b/signal/proto/constants.go @@ -0,0 +1,4 @@ +package proto + +// protocol constants, field names that can be used by both client and server +const HeaderId = "x-wiretrustee-peer-id" diff --git a/signal/proto/signalexchange.pb.go b/signal/proto/signalexchange.pb.go new file mode 100644 index 00000000000..1860380ca0a --- /dev/null +++ b/signal/proto/signalexchange.pb.go @@ -0,0 +1,301 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: signalexchange.proto + +package proto + +import ( + context "context" + fmt "fmt" + proto "github.com/golang/protobuf/proto" + _ "github.com/golang/protobuf/protoc-gen-go/descriptor" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" + math "math" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +// Message type +type Message_Type int32 + +const ( + Message_OFFER Message_Type = 0 + Message_ANSWER Message_Type = 1 + Message_CANDIDATE Message_Type = 2 +) + +var Message_Type_name = map[int32]string{ + 0: "OFFER", + 1: "ANSWER", + 2: "CANDIDATE", +} + +var Message_Type_value = map[string]int32{ + "OFFER": 0, + "ANSWER": 1, + "CANDIDATE": 2, +} + +func (x Message_Type) String() string { + return proto.EnumName(Message_Type_name, int32(x)) +} + +func (Message_Type) EnumDescriptor() ([]byte, []int) { + return fileDescriptor_bf680d70b8e3473f, []int{0, 0} +} + +type Message struct { + Type Message_Type `protobuf:"varint,1,opt,name=type,proto3,enum=signalexchange.Message_Type" json:"type,omitempty"` + // a sha256 fingerprint of the Wireguard public key + Key string `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"` + // a sha256 fingerprint of the Wireguard public key of the remote peer to connect to + RemoteKey string `protobuf:"bytes,3,opt,name=remoteKey,proto3" json:"remoteKey,omitempty"` + Body string `protobuf:"bytes,4,opt,name=body,proto3" json:"body,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Message) Reset() { *m = Message{} } +func (m *Message) String() string { return proto.CompactTextString(m) } +func (*Message) ProtoMessage() {} +func (*Message) Descriptor() ([]byte, []int) { + return fileDescriptor_bf680d70b8e3473f, []int{0} +} + +func (m *Message) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Message.Unmarshal(m, b) +} +func (m *Message) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Message.Marshal(b, m, deterministic) +} +func (m *Message) XXX_Merge(src proto.Message) { + xxx_messageInfo_Message.Merge(m, src) +} +func (m *Message) XXX_Size() int { + return xxx_messageInfo_Message.Size(m) +} +func (m *Message) XXX_DiscardUnknown() { + xxx_messageInfo_Message.DiscardUnknown(m) +} + +var xxx_messageInfo_Message proto.InternalMessageInfo + +func (m *Message) GetType() Message_Type { + if m != nil { + return m.Type + } + return Message_OFFER +} + +func (m *Message) GetKey() string { + if m != nil { + return m.Key + } + return "" +} + +func (m *Message) GetRemoteKey() string { + if m != nil { + return m.RemoteKey + } + return "" +} + +func (m *Message) GetBody() string { + if m != nil { + return m.Body + } + return "" +} + +func init() { + proto.RegisterEnum("signalexchange.Message_Type", Message_Type_name, Message_Type_value) + proto.RegisterType((*Message)(nil), "signalexchange.Message") +} + +func init() { proto.RegisterFile("signalexchange.proto", fileDescriptor_bf680d70b8e3473f) } + +var fileDescriptor_bf680d70b8e3473f = []byte{ + // 272 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x50, 0xcd, 0x4a, 0xf3, 0x40, + 0x14, 0xed, 0xb4, 0xf9, 0x1a, 0x72, 0xa1, 0x21, 0x5c, 0x3e, 0x30, 0x94, 0x2e, 0x42, 0x56, 0x59, + 0x48, 0x5a, 0xea, 0x52, 0x5c, 0xc4, 0x36, 0x15, 0x11, 0x2b, 0x24, 0x05, 0xc1, 0x5d, 0x9a, 0x5e, + 0xc7, 0x62, 0x9b, 0x09, 0x93, 0x11, 0x9c, 0x37, 0xf1, 0x25, 0x7c, 0x47, 0xe9, 0x34, 0x20, 0x0a, + 0xdd, 0xb8, 0x9a, 0xc3, 0xf9, 0x9b, 0xc3, 0x85, 0xff, 0xcd, 0x96, 0x57, 0xc5, 0x8e, 0xde, 0xcb, + 0x97, 0xa2, 0xe2, 0x14, 0xd7, 0x52, 0x28, 0x81, 0xee, 0x4f, 0x76, 0x18, 0x70, 0x21, 0xf8, 0x8e, + 0xc6, 0x46, 0x5d, 0xbf, 0x3d, 0x8f, 0x37, 0xd4, 0x94, 0x72, 0x5b, 0x2b, 0x21, 0x8f, 0x89, 0xf0, + 0x93, 0x81, 0x7d, 0x4f, 0x4d, 0x53, 0x70, 0xc2, 0x09, 0x58, 0x4a, 0xd7, 0xe4, 0xb3, 0x80, 0x45, + 0xee, 0x74, 0x14, 0xff, 0xfa, 0xa2, 0xb5, 0xc5, 0x2b, 0x5d, 0x53, 0x66, 0x9c, 0xe8, 0x41, 0xef, + 0x95, 0xb4, 0xdf, 0x0d, 0x58, 0xe4, 0x64, 0x07, 0x88, 0x23, 0x70, 0x24, 0xed, 0x85, 0xa2, 0x3b, + 0xd2, 0x7e, 0xcf, 0xf0, 0xdf, 0x04, 0x22, 0x58, 0x6b, 0xb1, 0xd1, 0xbe, 0x65, 0x04, 0x83, 0xc3, + 0x73, 0xb0, 0x0e, 0x8d, 0xe8, 0xc0, 0xbf, 0x87, 0xc5, 0x22, 0xcd, 0xbc, 0x0e, 0x02, 0xf4, 0x93, + 0x65, 0xfe, 0x98, 0x66, 0x1e, 0xc3, 0x01, 0x38, 0xb3, 0x64, 0x39, 0xbf, 0x9d, 0x27, 0xab, 0xd4, + 0xeb, 0x4e, 0x3f, 0x18, 0xb8, 0xb9, 0xd9, 0x95, 0xb6, 0xbb, 0xf0, 0x0a, 0xec, 0x99, 0xa8, 0x2a, + 0x2a, 0x15, 0x9e, 0x9d, 0xd8, 0x3c, 0x3c, 0x25, 0x84, 0x1d, 0xbc, 0x81, 0x41, 0x1b, 0xcf, 0x95, + 0xa4, 0x62, 0xff, 0x97, 0x92, 0x88, 0x4d, 0xd8, 0xb5, 0xf3, 0x64, 0xc7, 0x97, 0xc7, 0x4b, 0xf7, + 0xcd, 0x73, 0xf1, 0x15, 0x00, 0x00, 0xff, 0xff, 0x20, 0x13, 0xc1, 0xe1, 0xa6, 0x01, 0x00, 0x00, +} + +// Reference imports to suppress errors if they are not otherwise used. +var _ context.Context +var _ grpc.ClientConn + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion4 + +// SignalExchangeClient is the client API for SignalExchange service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream. +type SignalExchangeClient interface { + // Synchronously connect to the Signal Exchange service offering connection candidates and waiting for connection candidates from the other party (remote peer) + Connect(ctx context.Context, in *Message, opts ...grpc.CallOption) (*Message, error) + // Connect to the Signal Exchange service offering connection candidates and maintain a channel for receiving candidates from the other party (remote peer) + ConnectStream(ctx context.Context, opts ...grpc.CallOption) (SignalExchange_ConnectStreamClient, error) +} + +type signalExchangeClient struct { + cc *grpc.ClientConn +} + +func NewSignalExchangeClient(cc *grpc.ClientConn) SignalExchangeClient { + return &signalExchangeClient{cc} +} + +func (c *signalExchangeClient) Connect(ctx context.Context, in *Message, opts ...grpc.CallOption) (*Message, error) { + out := new(Message) + err := c.cc.Invoke(ctx, "/signalexchange.SignalExchange/Connect", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *signalExchangeClient) ConnectStream(ctx context.Context, opts ...grpc.CallOption) (SignalExchange_ConnectStreamClient, error) { + stream, err := c.cc.NewStream(ctx, &_SignalExchange_serviceDesc.Streams[0], "/signalexchange.SignalExchange/ConnectStream", opts...) + if err != nil { + return nil, err + } + x := &signalExchangeConnectStreamClient{stream} + return x, nil +} + +type SignalExchange_ConnectStreamClient interface { + Send(*Message) error + Recv() (*Message, error) + grpc.ClientStream +} + +type signalExchangeConnectStreamClient struct { + grpc.ClientStream +} + +func (x *signalExchangeConnectStreamClient) Send(m *Message) error { + return x.ClientStream.SendMsg(m) +} + +func (x *signalExchangeConnectStreamClient) Recv() (*Message, error) { + m := new(Message) + if err := x.ClientStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +// SignalExchangeServer is the server API for SignalExchange service. +type SignalExchangeServer interface { + // Synchronously connect to the Signal Exchange service offering connection candidates and waiting for connection candidates from the other party (remote peer) + Connect(context.Context, *Message) (*Message, error) + // Connect to the Signal Exchange service offering connection candidates and maintain a channel for receiving candidates from the other party (remote peer) + ConnectStream(SignalExchange_ConnectStreamServer) error +} + +// UnimplementedSignalExchangeServer can be embedded to have forward compatible implementations. +type UnimplementedSignalExchangeServer struct { +} + +func (*UnimplementedSignalExchangeServer) Connect(ctx context.Context, req *Message) (*Message, error) { + return nil, status.Errorf(codes.Unimplemented, "method Connect not implemented") +} +func (*UnimplementedSignalExchangeServer) ConnectStream(srv SignalExchange_ConnectStreamServer) error { + return status.Errorf(codes.Unimplemented, "method ConnectStream not implemented") +} + +func RegisterSignalExchangeServer(s *grpc.Server, srv SignalExchangeServer) { + s.RegisterService(&_SignalExchange_serviceDesc, srv) +} + +func _SignalExchange_Connect_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(Message) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SignalExchangeServer).Connect(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/signalexchange.SignalExchange/Connect", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SignalExchangeServer).Connect(ctx, req.(*Message)) + } + return interceptor(ctx, in, info, handler) +} + +func _SignalExchange_ConnectStream_Handler(srv interface{}, stream grpc.ServerStream) error { + return srv.(SignalExchangeServer).ConnectStream(&signalExchangeConnectStreamServer{stream}) +} + +type SignalExchange_ConnectStreamServer interface { + Send(*Message) error + Recv() (*Message, error) + grpc.ServerStream +} + +type signalExchangeConnectStreamServer struct { + grpc.ServerStream +} + +func (x *signalExchangeConnectStreamServer) Send(m *Message) error { + return x.ServerStream.SendMsg(m) +} + +func (x *signalExchangeConnectStreamServer) Recv() (*Message, error) { + m := new(Message) + if err := x.ServerStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +var _SignalExchange_serviceDesc = grpc.ServiceDesc{ + ServiceName: "signalexchange.SignalExchange", + HandlerType: (*SignalExchangeServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Connect", + Handler: _SignalExchange_Connect_Handler, + }, + }, + Streams: []grpc.StreamDesc{ + { + StreamName: "ConnectStream", + Handler: _SignalExchange_ConnectStream_Handler, + ServerStreams: true, + ClientStreams: true, + }, + }, + Metadata: "signalexchange.proto", +} diff --git a/signal/proto/signalexchange.proto b/signal/proto/signalexchange.proto new file mode 100644 index 00000000000..af46dfe9d01 --- /dev/null +++ b/signal/proto/signalexchange.proto @@ -0,0 +1,34 @@ +syntax = "proto3"; + +import "google/protobuf/descriptor.proto"; + +option go_package = ".;proto"; + +package signalexchange; + +service SignalExchange { + // Synchronously connect to the Signal Exchange service offering connection candidates and waiting for connection candidates from the other party (remote peer) + rpc Connect(Message) returns (Message) {} + // Connect to the Signal Exchange service offering connection candidates and maintain a channel for receiving candidates from the other party (remote peer) + rpc ConnectStream(stream Message) returns (stream Message) {} +} + +message Message { + + // Message type + enum Type { + OFFER = 0; + ANSWER = 1; + CANDIDATE = 2; + } + + Type type = 1; + + // a sha256 fingerprint of the Wireguard public key + string key = 2; + + // a sha256 fingerprint of the Wireguard public key of the remote peer to connect to + string remoteKey = 3; + + string body = 4; +} \ No newline at end of file diff --git a/signal/signal.go b/signal/signal.go new file mode 100644 index 00000000000..a212d460fd2 --- /dev/null +++ b/signal/signal.go @@ -0,0 +1,99 @@ +package signal + +import ( + "context" + "flag" + "fmt" + log "github.com/sirupsen/logrus" + "github.com/wiretrustee/wiretrustee/signal/peer" + "github.com/wiretrustee/wiretrustee/signal/proto" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/metadata" + "google.golang.org/grpc/status" + "io" +) + +var ( + port = flag.Int("port", 10000, "The server port") +) + +type SignalExchangeServer struct { + registry *peer.Registry +} + +func NewServer() *SignalExchangeServer { + return &SignalExchangeServer{ + registry: peer.NewRegistry(), + } +} + +func (s *SignalExchangeServer) Connect(ctx context.Context, msg *proto.Message) (*proto.Message, error) { + + if _, found := s.registry.Peers[msg.Key]; !found { + return nil, fmt.Errorf("unknown peer %s", msg.Key) + } + + if dstPeer, found := s.registry.Peers[msg.RemoteKey]; found { + //forward the message to the target peer + err := dstPeer.Stream.Send(msg) + if err != nil { + log.Errorf("error while forwarding message from peer [%s] to peer [%s]", msg.Key, msg.RemoteKey) + //todo respond to the sender? + } + } else { + log.Warnf("message from peer [%s] can't be forwarded to peer [%s] because destination peer is not connected", msg.Key, msg.RemoteKey) + //todo respond to the sender? + } + return &proto.Message{}, nil +} + +func (s *SignalExchangeServer) ConnectStream(stream proto.SignalExchange_ConnectStreamServer) error { + p, err := s.connectPeer(stream) + if err != nil { + return err + } + + log.Infof("peer [%s] has successfully connected", p.Id) + + for { + msg, err := stream.Recv() + if err == io.EOF { + break + } else if err != nil { + return err + } + log.Debugf("received a new message from peer [%s] to peer [%s]", p.Id, msg.RemoteKey) + // lookup the target peer where the message is going to + if dstPeer, found := s.registry.Peers[msg.RemoteKey]; found { + //forward the message to the target peer + err := dstPeer.Stream.Send(msg) + if err != nil { + log.Errorf("error while forwarding message from peer [%s] to peer [%s]", p.Id, msg.RemoteKey) + //todo respond to the sender? + } + } else { + log.Warnf("message from peer [%s] can't be forwarded to peer [%s] because destination peer is not connected", p.Id, msg.RemoteKey) + //todo respond to the sender? + } + + } + <-stream.Context().Done() + return stream.Context().Err() +} + +// Handles initial Peer connection. +// Each connection must provide an ID header. +// At this moment the connecting Peer will be registered in the peer.Registry +func (s SignalExchangeServer) connectPeer(stream proto.SignalExchange_ConnectStreamServer) (*peer.Peer, error) { + if meta, hasMeta := metadata.FromIncomingContext(stream.Context()); hasMeta { + if id, found := meta[proto.HeaderId]; found { + p := peer.NewPeer(id[0], stream) + s.registry.Register(p) + return p, nil + } else { + return nil, status.Errorf(codes.FailedPrecondition, "missing connection header: "+proto.HeaderId) + } + } else { + return nil, status.Errorf(codes.FailedPrecondition, "missing connection stream meta") + } +} diff --git a/util/retry.go b/util/retry.go new file mode 100644 index 00000000000..b04854b245c --- /dev/null +++ b/util/retry.go @@ -0,0 +1,32 @@ +package util + +import ( + "math/rand" + "time" +) + +// Retries a given toExec function calling onError on failed attempts +// onError shouldn be a lightweight function and shouldn't be blocking +func Retry(attempts int, sleep time.Duration, toExec func() error, onError func(e error)) error { + if err := toExec(); err != nil { + if s, ok := err.(stop); ok { + return s.error + } + + if attempts--; attempts > 0 { + jitter := time.Duration(rand.Int63n(int64(sleep))) + sleep = sleep + jitter/2 + + onError(err) + time.Sleep(sleep) + return Retry(attempts, 2*sleep, toExec, onError) + } + return err + } + + return nil +} + +type stop struct { + error +}