refactor: remove handshaking to resolve issues with go dialing js

Author: jacobheun

README.md

@@ -17,6 +17,12 @@ Connection protection management for libp2p leveraging PSK encryption via XSalsa
 
 ## Usage
 
+```js
+const Protector = require('libp2p-pnet')
+const protector = new Protector(swarmKeyBuffer)
+const privateConnection = protector.protect(myPublicConnection, (err) => { })
+```
+
 ### Private Shared Keys
 
 Private Shared Keys are expected to be in the following format:
@@ -49,6 +55,15 @@ that project, assuming the node_modules are installed.
 node -e "require('libp2p-pnet').generate(process.stdout)" > swarm.key
 ```
 
+#### Programmatically
+
+```js
+const writeKey = require('libp2p-pnet').generate
+const swarmKey = Buffer.alloc(95)
+writeKey(swarmKey)
+fs.writeFileSync('swarm.key', swarmKey)
+```
+
 ## Contribute
 
 There are some ways you can make this module better:

package.json

@@ -27,7 +27,9 @@
   "dependencies": {
     "debug": "^3.1.0",
     "interface-connection": "^0.3.2",
+    "pull-cat": "^1.1.11",
     "pull-handshake": "^1.1.4",
+    "pull-reader": "^1.2.9",
     "pull-stream": "^3.6.7",
     "xsalsa20": "^1.0.2"
   },

src/crypto.js

@@ -5,6 +5,7 @@ const debug = require('debug')
 const Errors = require('./errors')
 const xsalsa20 = require('xsalsa20')
 const KEY_LENGTH = require('./key-generator').KEY_LENGTH
+const NONCE_LENGTH = require('./key-generator').NONCE_LENGTH
 
 const log = debug('libp2p:pnet')
 log.trace = debug('libp2p:pnet:trace')
@@ -30,15 +31,24 @@ module.exports.createBoxStream = (nonce, psk) => {
 /**
  * Creates a pull stream to decrypt messages in a private network
  *
- * @param {Buffer} nonce The nonce to use in decryption
+ * @param {Object} remote Holds the nonce of the peer
  * @param {Buffer} psk The private shared key to use in decryption
  * @returns {PullStream} a through stream
  */
-module.exports.createUnboxStream = (nonce, psk) => {
-  const xor = xsalsa20(nonce, psk)
+module.exports.createUnboxStream = (remote, psk) => {
+  let xor
   return pull(
     ensureBuffer(),
     pull.map((chunk) => {
+      if (!xor) {
+        if (!remote.nonce || remote.nonce.byteLength !== NONCE_LENGTH) {
+          log.trace('No nonce was read, throwing an error')
+          throw new Error(Errors.INVALID_PEER)
+        }
+        xor = xsalsa20(remote.nonce, psk)
+        log.trace('Decryption enabled')
+      }
+
       return xor.update(chunk, chunk)
     })
   )

src/handshake.js

@@ -5,7 +5,6 @@ const Connection = require('interface-connection').Connection
 const assert = require('assert')
 
 const Errors = require('./errors')
-const handshake = require('./handshake')
 const State = require('./state')
 const decodeV1PSK = require('./crypto').decodeV1PSK
 const debug = require('debug')
@@ -19,12 +18,10 @@ log.err = debug('libp2p:pnet:err')
 class Protector {
   /**
    * @param {Buffer} keyBuffer The private shared key buffer
-   * @param {any} options Options for the protector
    * @constructor
    */
-  constructor (keyBuffer, options) {
+  constructor (keyBuffer) {
     const decodedPSK = decodeV1PSK(keyBuffer)
-    this.options = options || {}
     this.psk = decodedPSK.psk
     this.tag = decodedPSK.tag
   }
@@ -42,21 +39,21 @@ class Protector {
     assert(connection, Errors.NO_HANDSHAKE_CONNECTION)
 
     const protectedConnection = new Connection(undefined, connection)
-    const state = new State(this.psk, { timeout: this.options.timeout }, callback)
+    const state = new State(this.psk)
 
     log('protecting the connection')
 
-    // Run the connection through an encryption handshake
+    // Run the connection through an encryptor
     pull(
       connection,
-      handshake(state, (err) => {
+      state.encrypt((err, encryptedOuterStream) => {
         if (err) {
           log.err('There was an error attempting to protect the connection', err)
           return callback(err)
         }
 
         connection.getPeerInfo(() => {
-          protectedConnection.setInnerConn(new Connection(state.secure, connection))
+          protectedConnection.setInnerConn(new Connection(encryptedOuterStream, connection))
           log('the connection has been successfully wrapped by the protector')
           callback()
         })

src/index.js

@@ -1,36 +1,105 @@
 'use strict'
 
-const handshake = require('pull-handshake')
-const deferred = require('pull-defer')
 const crypto = require('crypto')
+const debug = require('debug')
+const pair = require('pull-pair')
+const Reader = require('pull-reader')
+const cat = require('pull-cat')
+const pull = require('pull-stream')
+
+const cryptoStreams = require('./crypto')
 const NONCE_LENGTH = require('./key-generator').NONCE_LENGTH
 
+const log = debug('libp2p:pnet')
+log.err = debug('libp2p:pnet:err')
+
 /**
  * Keeps track of the state of a given connection, such as the local psk
  * and local and remote nonces for encryption/decryption
  */
 class State {
   /**
    * @param {Buffer} psk The key buffer used for encryption
-   * @param {any} options Options for the state, including timeout of the handshake
-   * @param {function(Error)} callback Called on completion of the handshake
    * @constructor
    */
-  constructor (psk, options, callback) {
+  constructor (psk) {
     this.local = {
       nonce: Buffer.from(
         crypto.randomBytes(NONCE_LENGTH)
       ),
       psk: psk
     }
-    options = options || {}
-
     this.remote = { nonce: null }
-    this.timeout = options.timeout || 60e3
-    this.secure = deferred.duplex()
-    this.stream = handshake({ timeout: this.timeout }, callback)
-    this.shake = this.stream.handshake
-    delete this.stream.handshake
+
+    this.rawReader = Reader(60e3)
+    this.encryptedReader = Reader(60e3)
+
+    this.rawPairStream = pair()
+    this.encryptedPairStream = pair()
+
+    // The raw, pair stream
+    this.innerRawStream = null
+    this.outerRawStream = {
+      sink: this.rawReader,
+      source: cat([
+        pull.values([
+          this.local.nonce
+        ]),
+        this.rawPairStream.source
+      ])
+    }
+
+    // The encrypted, pair stream
+    this.innerEncryptedStream = {
+      sink: this.encryptedReader,
+      source: this.encryptedPairStream.source
+    }
+    this.outerEncryptedStream = null
+  }
+
+  /**
+   * Creates encryption streams for the given state
+   *
+   * @param {function(Error, Connection)} callback
+   * @returns {void}
+   */
+  encrypt (callback) {
+    // The outer stream needs to be returned before we setup the
+    // rest of the streams, so we're delaying the execution
+    setTimeout(() => {
+      // Read the nonce first, this queues up the read when data
+      // is available, so we will have the nonce before any
+      // decryption occurs
+      this.rawReader.read(NONCE_LENGTH, (err, data) => {
+        if (err) {
+          log.err('There was an error attempting to read the nonce', err)
+        }
+        this.remote.nonce = data
+      })
+
+      this.innerRawStream = {
+        sink: this.rawPairStream.sink,
+        source: this.rawReader.read()
+      }
+
+      // Create the pull exchange between the two inner streams
+      pull(
+        this.innerRawStream,
+        cryptoStreams.createUnboxStream(this.remote, this.local.psk),
+        this.innerEncryptedStream,
+        cryptoStreams.createBoxStream(this.local.nonce, this.local.psk),
+        this.innerRawStream
+      )
+
+      this.outerEncryptedStream = {
+        sink: this.encryptedPairStream.sink,
+        source: this.encryptedReader.read()
+      }
+
+      callback(null, this.outerEncryptedStream)
+    }, 0)
+
+    return this.outerRawStream
   }
 }
 

src/state.js

@@ -28,7 +28,7 @@ describe('private network', () => {
     parallel([
       (cb) => PeerId.createFromJSON(require('./fixtures/peer-a'), cb),
       (cb) => PeerId.createFromJSON(require('./fixtures/peer-b'), cb)
-    ], (err, peers) => {
+    ], (err) => {
       expect(err).to.not.exist()
       done()
     })