-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Retrieve long term static key for Conn #4
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -17,6 +17,7 @@ type Conn struct { | |
// handshake | ||
config *Config // configuration passed to constructor | ||
hs handshakeState | ||
remotePub []byte | ||
handshakeComplete bool | ||
handshakeMutex sync.Mutex | ||
|
||
|
@@ -239,7 +240,7 @@ func (c *Conn) Handshake() error { | |
var remoteKeyPair *KeyPair | ||
if c.config.RemoteKey != nil { | ||
if len(c.config.RemoteKey) != 32 { | ||
return errors.New("Noise: the provided remote key is not 32-byte.") | ||
return errors.New("noise: the provided remote key is not 32-byte") | ||
} | ||
remoteKeyPair = &KeyPair{} | ||
copy(remoteKeyPair.PublicKey[:], c.config.RemoteKey) | ||
|
@@ -319,6 +320,9 @@ ContinueHandshake: | |
if !c.config.PublicKeyVerifier(hs.rs.PublicKey[:], receivedPayload) { | ||
return errors.New("Noise: the received public key could not be authenticated") | ||
} | ||
c.isRemoteAuthenticated = true | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. good point, I was toying with this idea of having a I'm not sure it is useful as the handshake you're using should make it pretty clear that you're authenticating the remote, but I thought it could be "useful" as a defense-in-depth mechanism. What do you think? It should also probably be exported if it's meant to be used by developers. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I put it there because I used the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
not necessarily, I am trying to get back into the state of mind I had when I wrote this. But I think I wanted to create an out-of-band authentication. For example something like Noise_NN where you would extract a fingerprint and authenticate the connection post-handshake. Noise_NNoob maybe? Although I'm not sure it deserves a name. By having this |
||
c.remotePub = make([]byte, 32) | ||
copy(c.remotePub, hs.rs.PublicKey[:]) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. shouldn't you do this when receiving the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. See comment above. I just want to get the static key when it has been verified. |
||
} | ||
} | ||
|
||
|
@@ -351,6 +355,21 @@ func (c *Conn) IsRemoteAuthenticated() bool { | |
return c.isRemoteAuthenticated | ||
} | ||
|
||
// StaticKey returns the static key of the remote peer. It is useful in case the | ||
// static key is only transmitted during the handshake. | ||
func (c *Conn) StaticKey() ([]byte, error) { | ||
if !c.IsRemoteAuthenticated() { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Are there usecases where you would still want to obtain the public key, even if the peer has not been authenticated yet? Maybe if you're planning to authenticate post-handshake (using a short-authentication string or something like that) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. True. I was not sure about that, so I just thought going to the safest path. But Is it really possible to get the static key without verifying ? This library panics if there's no There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. true. Another scenario I can think of: setting up the |
||
return nil, errors.New("noise: remote peer not authenticated") | ||
} | ||
if !c.handshakeComplete { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. is it important that the handshake has to be finished? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Mhhhh I wanna make sure that the key I get when calling |
||
return nil, errors.New("noise: handshake not completed") | ||
} | ||
if c.remotePub == nil { | ||
return nil, errors.New("noise: no remote static key given") | ||
} | ||
return c.remotePub, nil | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. why not returning There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Because the |
||
} | ||
|
||
// | ||
// input/output functions | ||
// | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why not making it a
[32]byte
to avoid having tomake
during the handshake?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Becase I wanted to see if you can see it ? ahah. well spotted.