(feat/webrtc-sniffer): reconstruct ephemeral keys

Author: vlad9486

Cargo.lock

@@ -171,6 +171,9 @@ pub struct Node {
     /// - OPENMINA_AWS_BUCKET_NAME
     #[arg(long, env)]
     pub archive_aws_storage: bool,
+
+    #[arg(long, env)]
+    pub rng_seed: Option<String>,
 }
 
 impl Node {
@@ -216,7 +219,27 @@ impl Node {
                 node::config::DEVNET_CONFIG.clone(),
             ),
         };
-        let mut node_builder: NodeBuilder = NodeBuilder::new(None, daemon_conf, genesis_conf);
+
+        let custom_rng_seed = match self.rng_seed {
+            None => None,
+            Some(v) => match hex::decode(v)
+                .map_err(anyhow::Error::from)
+                .and_then(|bytes| {
+                    <[u8; 32]>::try_from(bytes.as_slice()).map_err(anyhow::Error::from)
+                }) {
+                Ok(v) => Some(v),
+                Err(err) => {
+                    node::core::error!(
+                        node::core::log::system_time();
+                        summary = "bad rng seed",
+                        err = err.to_string(),
+                    );
+                    return Err(err);
+                }
+            },
+        };
+        let mut node_builder: NodeBuilder =
+            NodeBuilder::new(custom_rng_seed, daemon_conf, genesis_conf);
 
         // let genesis_config = match self.config {
         //     Some(config_path) => GenesisConfig::DaemonJsonFile(config_path).into(),

cli/src/commands/node/mod.rs

@@ -112,6 +112,7 @@ impl NodeServiceCommonBuilder {
         self.p2p = Some(<NodeService as P2pServiceWebrtcWithLibp2p>::init(
             secret_key.clone(),
             task_spawner,
+            self.rng_seed,
         ));
         self
     }

node/common/src/service/builder.rs

@@ -80,7 +80,7 @@ p2p-testing = { path = "testing" }
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
 redux = { workspace = true, features = ["serializable_callbacks"] }
 tokio = { version = "1.26", features = ["rt"] }
-webrtc = { git = "https://github.com/openmina/webrtc.git", rev = "e8705db39af1b198b324a5db6ff57fb213ba75e9", optional = true }
+webrtc = { git = "https://github.com/openmina/webrtc.git", rev = "aeaa62682b97f6984627bedd6e6811fe17af18eb", optional = true }
 datachannel = { git = "https://github.com/openmina/datachannel-rs.git", rev = "1bfb064d0ff3e54a93ae0288409902aab8d102d3", optional = true, features = [
     "vendored",
 ] }

p2p/Cargo.toml

@@ -51,7 +51,11 @@ pub mod webrtc {
 
         fn peers(&mut self) -> &mut BTreeMap<PeerId, PeerState>;
 
-        fn init<S: TaskSpawner>(_secret_key: SecretKey, _spawner: S) -> P2pServiceCtx {
+        fn init<S: TaskSpawner>(
+            _secret_key: SecretKey,
+            _spawner: S,
+            _rng_seed: [u8; 32],
+        ) -> P2pServiceCtx {
             let (cmd_sender, _) = mpsc::unbounded_channel();
             P2pServiceCtx {
                 cmd_sender,

p2p/src/service_impl/mod.rs

@@ -141,6 +141,7 @@ pub type OnConnectionStateChangeHdlrFn = Box<
 pub struct RTCConfig {
     pub ice_servers: RTCConfigIceServers,
     pub certificate: RTCCertificate,
+    pub seed: [u8; 32],
 }
 
 #[derive(Serialize)]
@@ -229,6 +230,7 @@ async fn peer_start(
     abort: Aborted,
     closed: mpsc::Sender<()>,
     certificate: RTCCertificate,
+    rng_seed: [u8; 32],
 ) {
     let PeerAddArgs {
         peer_id,
@@ -241,6 +243,7 @@ async fn peer_start(
     let config = RTCConfig {
         ice_servers: Default::default(),
         certificate,
+        seed: rng_seed,
     };
     let fut = async {
         let mut pc = RTCConnection::create(&api, config).await?;
@@ -730,7 +733,11 @@ pub trait P2pServiceWebrtc: redux::Service {
 
     fn peers(&mut self) -> &mut BTreeMap<PeerId, PeerState>;
 
-    fn init<S: TaskSpawner>(secret_key: SecretKey, spawner: S) -> P2pServiceCtx {
+    fn init<S: TaskSpawner>(
+        secret_key: SecretKey,
+        spawner: S,
+        rng_seed: [u8; 32],
+    ) -> P2pServiceCtx {
         const MAX_PEERS: usize = 500;
         let (cmd_sender, mut cmd_receiver) = mpsc::unbounded_channel();
 
@@ -763,7 +770,7 @@ pub trait P2pServiceWebrtc: redux::Service {
                                 event_sender_clone(P2pConnectionEvent::Closed(peer_id).into());
                             });
                             tokio::select! {
-                                _ = peer_start(api, args, aborted.clone(), closed_tx.clone(), certificate) => {}
+                                _ = peer_start(api, args, aborted.clone(), closed_tx.clone(), certificate, rng_seed) => {}
                                 _ = aborted.wait() => {
                                 }
                             }

p2p/src/service_impl/webrtc/mod.rs

@@ -200,6 +200,7 @@ impl From<RTCConfig> for RTCConfiguration {
             ice_servers: value.ice_servers.0.into_iter().map(Into::into).collect(),
             ice_transport_policy: RTCIceTransportPolicy::All,
             certificates: vec![value.certificate],
+            seed: Some(value.seed.to_vec()),
             ..Default::default()
         }
     }

p2p/src/service_impl/webrtc/webrtc_rs.rs

@@ -29,12 +29,12 @@ pub trait P2pServiceWebrtcWithLibp2p: P2pServiceWebrtc {
 
     fn connections(&self) -> BTreeSet<PeerId>;
 
-    fn init<S: TaskSpawner>(sec_key: SecretKey, spawner: S) -> P2pServiceCtx {
+    fn init<S: TaskSpawner>(sec_key: SecretKey, spawner: S, rng_seed: [u8; 32]) -> P2pServiceCtx {
         P2pServiceCtx {
             sec_key: sec_key.clone(),
             #[cfg(feature = "p2p-libp2p")]
             mio: MioService::pending(sec_key.clone().try_into().expect("valid keypair")),
-            webrtc: <Self as P2pServiceWebrtc>::init(sec_key, spawner),
+            webrtc: <Self as P2pServiceWebrtc>::init(sec_key, spawner, rng_seed),
         }
     }
 

p2p/src/service_impl/webrtc_with_libp2p.rs

@@ -15,4 +15,12 @@ etherparse = { version = "0.17.0" }
 thiserror = { version = "2.0" }
 nom = { version = "8.0.0" }
 
-p2p = { path = "../../p2p" }
+sha2 = { version = "0.10.8" }
+rand = { version = "0.8" }
+hkdf = { version = "0.12" }
+hmac = { version = "0.12" }
+p256 = { version = "0.13", features = ["default", "ecdh", "ecdsa"] }
+p384 = { version = "0.13" }
+aes = { version = "0.8" }
+cbc = { version = "0.1", features = ["block-padding", "alloc"] }
+aes-gcm = { version = "0.10" }

tools/webrtc-sniffer/Cargo.toml

@@ -3,8 +3,6 @@ use std::path::PathBuf;
 use clap::Parser;
 use pcap::{Capture, ConnectionStatus, Device, IfFlags};
 
-use p2p::identity::SecretKey;
-
 // cargo run --release --bin sniffer -- --interface auto --path target/test.pcap
 
 #[derive(Parser)]
@@ -25,19 +23,9 @@ struct Cli {
     #[arg(long, help = "bpf filter, example: \"udp and not port 443\"")]
     filter: Option<String>,
 
-    /// Peer secret key
-    #[arg(long, short = 's', env = "OPENMINA_P2P_SEC_KEY")]
-    p2p_secret_key: Option<SecretKey>,
-
-    // warning, this overrides `OPENMINA_P2P_SEC_KEY`
-    /// Compatibility with OCaml Mina node
-    #[arg(long)]
-    libp2p_keypair: Option<String>,
-
-    // warning, this overrides `OPENMINA_P2P_SEC_KEY`
-    /// Compatibility with OCaml Mina node
-    #[arg(env = "MINA_LIBP2P_PASS")]
-    libp2p_password: Option<String>,
+    /// rng seed
+    #[arg(long, short)]
+    rng_seed: String,
 }
 
 fn init_logger_std() -> Box<dyn log::Log> {
@@ -56,28 +44,10 @@ fn main() {
         interface,
         path,
         filter,
-        p2p_secret_key,
-        libp2p_keypair,
-        libp2p_password,
+        rng_seed,
     } = Cli::parse();
 
-    let secret_key = if let Some(v) = p2p_secret_key {
-        v
-    } else {
-        let (Some(libp2p_keypair), Some(libp2p_password)) = (libp2p_keypair, libp2p_password)
-        else {
-            log::error!("no secret key specified");
-            return;
-        };
-
-        match SecretKey::from_encrypted_file(libp2p_keypair, &libp2p_password) {
-            Ok(v) => v,
-            Err(err) => {
-                log::error!("cannot read secret key {err}");
-                return;
-            }
-        }
-    };
+    let rng_seed = <[u8; 32]>::try_from(hex::decode(rng_seed).unwrap().as_slice()).unwrap();
 
     if let Some(name) = interface {
         sudo::escalate_if_needed().unwrap();
@@ -115,7 +85,7 @@ fn main() {
                     .expect("Failed to apply filter");
                 let savefile = capture.savefile(&path)?;
 
-                webrtc_sniffer::run(capture, Some(savefile), secret_key)
+                webrtc_sniffer::run(capture, Some(savefile), rng_seed)
             });
             if let Err(err) = res {
                 log::error!("{err}");
@@ -130,7 +100,7 @@ fn main() {
             capture
                 .filter(&filter.unwrap_or_default(), true)
                 .expect("Failed to apply filter");
-            webrtc_sniffer::run(capture, None, secret_key)
+            webrtc_sniffer::run(capture, None, rng_seed)
         });
         if let Err(err) = res {
             log::error!("{err}");