fix: signal message encryption

netbirdio · May 5, 2021 · f171f67 · f171f67
1 parent 4e348b7
commit f171f67
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 21 deletions.
diff --git a/cmd/signal.go b/cmd/signal.go
@@ -42,5 +42,5 @@ var (
 )
 
 func init() {
-	upCmd.PersistentFlags().IntVar(&port, "port", 10000, "Server port to listen on (e.g. 10000)")
+	signalCmd.PersistentFlags().IntVar(&port, "port", 10000, "Server port to listen on (e.g. 10000)")
 }
diff --git a/cmd/up.go b/cmd/up.go
@@ -10,6 +10,10 @@ import (
 	"os"
 )
 
+func toByte32(key wgtypes.Key) *[32]byte {
+	return (*[32]byte)(&key)
+}
+
 var (
 	upCmd = &cobra.Command{
 		Use:   "up",

diff --git a/connection/engine.go b/connection/engine.go
@@ -60,7 +60,7 @@ func (e *Engine) Start(myKey wgtypes.Key, peers []Peer) error {
 		return err
 	}
 
-	e.receiveSignal(myKey.PublicKey().String())
+	e.receiveSignal()
 
 	// initialize peer agents
 	for _, peer := range peers {
@@ -170,9 +170,9 @@ func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.K
 	return nil
 }
 
-func (e *Engine) receiveSignal(localKey string) {
+func (e *Engine) receiveSignal() {
 	// connect to a stream of messages coming from the signal server
-	e.signal.Receive(localKey, func(msg *sProto.Message) error {
+	e.signal.Receive(func(msg *sProto.Message) error {
 
 		conn := e.conns[msg.Key]
 		if conn == nil {

diff --git a/signal/client.go b/signal/client.go
@@ -23,11 +23,12 @@ import (
 
 // Wraps the Signal Exchange Service gRpc client
 type Client struct {
-	key        wgtypes.Key
-	realClient proto.SignalExchangeClient
-	signalConn *grpc.ClientConn
-	ctx        context.Context
-	stream     proto.SignalExchange_ConnectStreamClient
+	key           wgtypes.Key
+	encryptionKey string
+	realClient    proto.SignalExchangeClient
+	signalConn    *grpc.ClientConn
+	ctx           context.Context
+	stream        proto.SignalExchange_ConnectStreamClient
 	//waiting group to notify once stream is connected
 	connWg sync.WaitGroup //todo use a channel instead??
 }
@@ -66,7 +67,7 @@ func NewClient(addr string, key wgtypes.Key, ctx context.Context) (*Client, erro
 // The messages will be handled by msgHandler function provided.
 // This function runs a goroutine underneath and reconnects to the Signal Exchange if errors occur (e.g. Exchange restart)
 // The key is the identifier of our Peer (could be Wireguard public key)
-func (c *Client) Receive(key string, msgHandler func(msg *proto.Message) error) {
+func (c *Client) Receive(msgHandler func(msg *proto.Message) error) {
 	c.connWg.Add(1)
 	go func() {
 
@@ -81,7 +82,7 @@ func (c *Client) Receive(key string, msgHandler func(msg *proto.Message) error)
 		}
 
 		operation := func() error {
-			err := c.connect(key, msgHandler)
+			err := c.connect(c.key.PublicKey().String(), msgHandler)
 			if err != nil {
 				log.Warnf("disconnected from the Signal Exchange due to an error %s. Retrying ... ", err)
 				c.connWg.Add(1)
@@ -152,7 +153,7 @@ func (c *Client) decryptMessage(msg *proto.EncryptedMessage) (*proto.Message, er
 	if err != nil {
 		return nil, err
 	}
-	decryptedBody, err := Decrypt(msg.GetBody(), c.key, remoteKey)
+	decryptedBody, err := Decrypt(msg.GetBody(), remoteKey, c.key)
 	body := &proto.Body{}
 	err = pb.Unmarshal(decryptedBody, body)
 	if err != nil {
@@ -177,7 +178,7 @@ func (c *Client) encryptMessage(msg *proto.Message) (*proto.EncryptedMessage, er
 		return nil, err
 	}
 
-	encryptedBody, err := Encrypt(body, c.key, remoteKey)
+	encryptedBody, err := Encrypt(body, remoteKey, c.key)
 	if err != nil {
 		return nil, err
 	}

diff --git a/signal/encryption.go b/signal/encryption.go
@@ -8,30 +8,30 @@ import (
 )
 
 // As set of tools to encrypt/decrypt messages being sent through the Signal Exchange Service.
-// We want to make sure that the Connection Candidates and other irrelevant (to the Signal Exchange) information can't be read anywhere else but the Peer the message is being sent to.
+// We want to make sure that the Connection Candidates and other irrelevant (to the Signal Exchange)
+// information can't be read anywhere else but the Peer the message is being sent to.
 // These tools use Golang crypto package (Curve25519, XSalsa20 and Poly1305 to encrypt and authenticate)
 // Wireguard keys are used for encryption
 
 // Encrypts a message using local Wireguard private key and remote peer's public key.
-func Encrypt(msg []byte, privateKey wgtypes.Key, remotePubKey wgtypes.Key) ([]byte, error) {
+func Encrypt(msg []byte, peersPublicKey wgtypes.Key, privateKey wgtypes.Key) ([]byte, error) {
 	nonce, err := genNonce()
 	if err != nil {
 		return nil, err
 	}
-
-	return box.Seal(nil, msg, nonce, toByte32(remotePubKey), toByte32(privateKey)), nil
+	return box.Seal(nonce[:], msg, nonce, toByte32(peersPublicKey), toByte32(privateKey)), nil
 }
 
 // Decrypts a message that has been encrypted by the remote peer using Wireguard private key and remote peer's public key.
-func Decrypt(encryptedMsg []byte, privateKey wgtypes.Key, remotePubKey wgtypes.Key) ([]byte, error) {
+func Decrypt(encryptedMsg []byte, peersPublicKey wgtypes.Key, privateKey wgtypes.Key) ([]byte, error) {
 	nonce, err := genNonce()
 	if err != nil {
 		return nil, err
 	}
-
-	opened, ok := box.Open(nil, encryptedMsg, nonce, toByte32(remotePubKey), toByte32(privateKey))
+	copy(nonce[:], encryptedMsg[:24])
+	opened, ok := box.Open(nil, encryptedMsg[24:], nonce, toByte32(peersPublicKey), toByte32(privateKey))
 	if !ok {
-		return nil, fmt.Errorf("failed to decrypt message from peer %s", remotePubKey.String())
+		return nil, fmt.Errorf("failed to decrypt message from peer %s", peersPublicKey.String())
 	}
 
 	return opened, nil