libp2p / go-libp2p-secio Goto Github PK

View Code? Open in Web Editor NEW

44.0 24.0 22.0 157 KB

a minimal secure channel for libp2p

License: MIT License

Go 99.42% Makefile 0.58%

go-libp2p-secio's Introduction

DEPRECATION NOTICE

secio is not maintained any more, and we advise against using it.

Use go-libp2p-tls and go-libp2p-noise instead.

go-libp2p-secio

A secure transport module for go-libp2p

go-libp2p-secio is a component of the libp2p project, a modular networking stack for developing peer-to-peer applications. It provides a secure transport channel for go-libp2p. Following an initial plaintext handshake, all data exchanged between peers using go-libp2p-secio is encrypted and protected from eavesdropping.

libp2p supports multiple transport protocols, many of which lack native channel security. go-libp2p-secio is designed to work with go-libp2p's "transport upgrader", which applies security modules (like go-libp2p-secio) to an insecure channel. go-libp2p-secio implements the SecureTransport interface, which allows the upgrader to secure any underlying connection.

More detail on the handshake protocol and wire format used is available in the SECIO spec.

Install

Most people building applications with libp2p will have no need to install go-libp2p-secio directly. It is included as a dependency of the main go-libp2p "entry point" module and is enabled by default.

For users who do not depend on go-libp2p and are managing their libp2p module dependencies in a more manual fashion, go-libp2p-secio is a standard Go module which can be installed with:

go get github.com/libp2p/go-libp2p-secio

This repo is gomod-compatible, and users of go 1.11 and later with modules enabled will automatically pull the latest tagged release by referencing this package. Upgrades to future releases can be managed using go get, or by editing your go.mod file as described by the gomod documentation.

Usage

go-libp2p-secio is enabled by default when constructing a new libp2p Host, and it will be used to secure connections if both peers support it and agree to use it when establishing the connection.

You can disable SECIO by using the Security option when constructing a libp2p Host and passing in a different SecureTransport implementation, for example, go-libp2p-tls.

Transport security can be disabled for development and testing by passing the NoSecurity global Option.

Contribute

Feel free to join in. All welcome. Open an issue!

This repository falls under the libp2p Code of Conduct.

Want to hack on libp2p?

License

MIT

The last gx published version of this module was: 2.0.30: QmSVaJe1aRjc78cZARTtf4pqvXERYwihyYhZWoVWceHnsK

go-libp2p-secio's People

Contributors

Stargazers

Watchers

go-libp2p-secio's Issues

Is there a secio formal spec

Is there a formal spec describing the secio protocol in detail?

Race condition in tests

==================
WARNING: DATA RACE
Write at 0x000001bd92a0 by goroutine 67:
  github.com/libp2p/go-libp2p-secio.TestConnections()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/transport_test.go:253 +0x1ef
  testing.tRunner()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:827 +0x162

Previous read at 0x000001bd92a0 by goroutine 42:
  github.com/libp2p/go-libp2p-secio.(*secureSession).runHandshakeSync()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/protocol.go:158 +0x27a
  github.com/libp2p/go-libp2p-secio.(*secureSession).runHandshake.func1()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/protocol.go:123 +0x38

Goroutine 67 (running) created at:
  testing.(*T).Run()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:878 +0x659
  testing.runTests.func1()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:1119 +0xa8
  testing.tRunner()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:827 +0x162
  testing.runTests()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:1117 +0x4ee
  testing.(*M).Run()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:1034 +0x2ee
  main.main()
      _testmain.go:48 +0x221

Goroutine 42 (finished) created at:
  github.com/libp2p/go-libp2p-secio.(*secureSession).runHandshake()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/protocol.go:121 +0x17a
  github.com/libp2p/go-libp2p-secio.newSecureSession()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/protocol.go:96 +0x834
  github.com/libp2p/go-libp2p-secio.(*Transport).SecureInbound()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/transport.go:37 +0xec
  github.com/libp2p/go-conn-security/test.SubtestCancelHandshakeInbound.func1()
      /Users/anacrolix/go/pkg/mod/github.com/libp2p/[email protected]/test/ttest.go:311 +0xa0
==================
==================
WARNING: DATA RACE
Write at 0x000001bd9290 by goroutine 67:
  github.com/libp2p/go-libp2p-secio.TestConnections()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/transport_test.go:254 +0x23b
  testing.tRunner()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:827 +0x162

Previous read at 0x000001bd9290 by goroutine 42:
  github.com/libp2p/go-libp2p-secio.(*secureSession).runHandshakeSync()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/protocol.go:159 +0x2f2
  github.com/libp2p/go-libp2p-secio.(*secureSession).runHandshake.func1()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/protocol.go:123 +0x38

Goroutine 67 (running) created at:
  testing.(*T).Run()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:878 +0x659
  testing.runTests.func1()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:1119 +0xa8
  testing.tRunner()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:827 +0x162
  testing.runTests()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:1117 +0x4ee
  testing.(*M).Run()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:1034 +0x2ee
  main.main()
      _testmain.go:48 +0x221

Goroutine 42 (finished) created at:
  github.com/libp2p/go-libp2p-secio.(*secureSession).runHandshake()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/protocol.go:121 +0x17a
  github.com/libp2p/go-libp2p-secio.newSecureSession()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/protocol.go:96 +0x834
  github.com/libp2p/go-libp2p-secio.(*Transport).SecureInbound()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/transport.go:37 +0xec
  github.com/libp2p/go-conn-security/test.SubtestCancelHandshakeInbound.func1()
      /Users/anacrolix/go/pkg/mod/github.com/libp2p/[email protected]/test/ttest.go:311 +0xa0
==================
==================
WARNING: DATA RACE
Write at 0x000001bd92b0 by goroutine 67:
  github.com/libp2p/go-libp2p-secio.TestConnections()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/transport_test.go:255 +0x28a
  testing.tRunner()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:827 +0x162

Previous read at 0x000001bd92b0 by goroutine 38:
  github.com/libp2p/go-libp2p-secio.(*secureSession).runHandshakeSync()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/protocol.go:160 +0x36a
  github.com/libp2p/go-libp2p-secio.(*secureSession).runHandshake.func1()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/protocol.go:123 +0x38

Goroutine 67 (running) created at:
  testing.(*T).Run()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:878 +0x659
  testing.runTests.func1()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:1119 +0xa8
  testing.tRunner()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:827 +0x162
  testing.runTests()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:1117 +0x4ee
  testing.(*M).Run()
      /Users/anacrolix/src/go1.11/src/testing/testing.go:1034 +0x2ee
  main.main()
      _testmain.go:48 +0x221

Goroutine 38 (finished) created at:
  github.com/libp2p/go-libp2p-secio.(*secureSession).runHandshake()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/protocol.go:121 +0x17a
  github.com/libp2p/go-libp2p-secio.newSecureSession()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/protocol.go:96 +0x834
  github.com/libp2p/go-libp2p-secio.(*Transport).SecureOutbound()
      /Users/anacrolix/go/src/github.com/libp2p/go-libp2p-secio/transport.go:40 +0xfe
  github.com/libp2p/go-conn-security/test.SubtestCancelHandshakeInbound.func2()
      /Users/anacrolix/go/pkg/mod/github.com/libp2p/[email protected]/test/ttest.go:321 +0xc0
==================
--- FAIL: TestConnections (0.23s)
    transport_test.go:247: Using default session parameters.
    transport_test.go:257: Using Exchange: P-384 Cipher: Blowfish Hash: SHA256
    transport_test.go:257: Using Exchange: P-256 Cipher: AES-128 Hash: SHA512
    transport_test.go:257: Using Exchange: P-521 Cipher: AES-256 Hash: SHA256
    testing.go:771: race detected during execution of test
FAIL
FAIL	github.com/libp2p/go-libp2p-secio	7.454s

AES-GCM support

secio is bad at performance due to AES-CTR+SHA. I added GCM support and did some performance test. More details can be found at https://blog.csdn.net/m0_37889044/article/details/104466718

Wonder if the code contribution is accepted, and how. I'm completely a new guy to libp2p...

Remove secio handshake timeout

It should be up to the caller to set it. For now, we're going to keep it until we've had a chance to audit the callers.

high cpu usage in handshake

was poking around on mars (one of the default bootstrappers) and noticed that the thing using the most cpu time was RSA signing in secio.

Heres a listing of the method: https://gist.github.com/whyrusleeping/513cf154eb9c392668e088843b2f6b00

My thoughts are that this is probably a wontfix, mars is likely just getting so many incoming connections, and RSA signing is actually mildly expensive, so the combination of the two is just expensive. I can see this getting better if we switched mars to use an ed25519 key, or switched to TLS1.3.

Maybe theres something unnecessarily expensive here that we can optimize in the mean time though?

Add verbose logging for invalid message authentication codes

Can we print the byte slices using %#v?
00:10:19.083 DEBUG secio: MAC Invalid: S?
?9??v??;?m?3 ?
?�]??$?? != ??c???J?E?|???g?q
??{?G?W? rw.go:231`

Does secio have an ACK mechanism?

If I send a message down an open secio channel, is there any way to know whether or not the message was properly received by the recipient (without relying on transport-layer or application-layer ACKs). That is, does secio have an ACK mechanism?

What is Secio?

So, after seeing both https://github.com/ipfs/go-libp2p-secio and https://github.com/libp2p/js-libp2p-secio with some discussions happening about how to make the two work together, there doesn't seem to be a description of what Secio actually is. Tried doing some googling as well, but seems to have been a thing invented together with the libp2p stuff.

Would be nice to include either a link to a description in the two repos or at least a short description about what it is in them.

import "crypto.proto";

message Propose {
	optional bytes rand = 1;
	optional crypto.pb.PublicKey pubkey = 2;
	optional string exchanges = 3;
	optional string ciphers = 4;
	optional string hashes = 5;
}

Duplicate in spec repo: libp2p/specs#193