Integrate Rosenpass

.github/workflows/android-build-validation.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.20.x"
+          go-version: "1.21.x"
       - name: Setup Android SDK
         uses: android-actions/setup-android@v2
       - name: NDK Cache

.github/workflows/golang-test-darwin.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.20.x"
+          go-version: "1.21.x"
       - name: Checkout code
         uses: actions/checkout@v3
 

.github/workflows/golang-test-linux.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.20.x"
+          go-version: "1.21.x"
 
 
       - name: Cache Go modules
@@ -50,7 +50,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.20.x"
+          go-version: "1.21.x"
 
       - name: Cache Go modules
         uses: actions/cache@v3

.github/workflows/golang-test-windows.yml

@@ -23,7 +23,7 @@ jobs:
         uses: actions/setup-go@v4
         id: go
         with:
-          go-version: "1.20.x"
+          go-version: "1.21.x"
 
       - name: Download wintun
         uses: carlosperate/download-file-action@v2

.github/workflows/golangci-lint.yml

@@ -1,7 +1,7 @@
 name: golangci-lint
 on: [pull_request]
 
-permissions: 
+permissions:
   contents: read
   pull-requests: read
 
@@ -36,7 +36,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.20.x"
+          go-version: "1.21.x"
           cache: false
       - name: Install dependencies
         if: matrix.os == 'ubuntu-latest'

.github/workflows/release.yml

@@ -44,7 +44,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.20"
+          go-version: "1.21"
           cache: false
       -
         name: Cache Go modules
@@ -120,7 +120,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.20"
+          go-version: "1.21"
           cache: false
       - name: Cache Go modules
         uses: actions/cache@v3
@@ -175,7 +175,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.20"
+          go-version: "1.21"
           cache: false
       -
         name: Cache Go modules

.github/workflows/test-infrastructure-files.yml

@@ -28,7 +28,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.20.x"
+          go-version: "1.21.x"
 
       - name: Cache Go modules
         uses: actions/cache@v3

client/cmd/root.go

@@ -25,9 +25,10 @@ import (
 )
 
 const (
-	externalIPMapFlag  = "external-ip-map"
+	externalIPMapFlag   = "external-ip-map"
+	dnsResolverAddress  = "dns-resolver-address"
+	enableRosenpassFlag = "enable-rosenpass"
 	preSharedKeyFlag   = "preshared-key"
-	dnsResolverAddress = "dns-resolver-address"
 )
 
 var (
@@ -50,6 +51,7 @@ var (
 	preSharedKey            string
 	natExternalIPs          []string
 	customDNSAddress        string
+	rosenpassEnabled        bool
 	rootCmd                 = &cobra.Command{
 		Use:          "netbird",
 		Short:        "",
@@ -119,6 +121,7 @@ func init() {
 			`An empty string "" clears the previous configuration. `+
 			`E.g. --dns-resolver-address 127.0.0.1:5053 or --dns-resolver-address ""`,
 	)
+	upCmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "[Experimental] Enable Rosenpass feature. If enabled, the connection will be post-quantum secured via Rosenpass.")
 }
 
 // SetupCloseHandler handles SIGTERM signal and exits with success

client/cmd/up.go

@@ -86,6 +86,10 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		CustomDNSAddress: customDNSAddressConverted,
 	}
 
+	if rootCmd.PersistentFlags().Changed(enableRosenpassFlag) {
+		ic.RosenpassEnabled = &rosenpassEnabled
+	}
+
 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
 		ic.PreSharedKey = &preSharedKey
 	}
@@ -153,6 +157,10 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		Hostname:             hostName,
 	}
 
+	if cmd.Flag(enableRosenpassFlag).Changed {
+		loginRequest.RosenpassEnabled = &rosenpassEnabled
+	}
+
 	var loginErr error
 
 	var loginResp *proto.LoginResponse

client/internal/config.go

@@ -41,6 +41,7 @@ type ConfigInput struct {
 	PreSharedKey     *string
 	NATExternalIPs   []string
 	CustomDNSAddress []byte
+	RosenpassEnabled *bool
 }
 
 // Config Configuration type
@@ -54,6 +55,7 @@ type Config struct {
 	WgPort               int
 	IFaceBlackList       []string
 	DisableIPv6Discovery bool
+	RosenpassEnabled     bool
 	// SSHKey is a private SSH key in a PEM format
 	SSHKey string
 
@@ -169,6 +171,10 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 		config.PreSharedKey = *input.PreSharedKey
 	}
 
+	if input.RosenpassEnabled != nil {
+		config.RosenpassEnabled = *input.RosenpassEnabled
+	}
+
 	defaultAdminURL, err := parseURL("Admin URL", DefaultAdminURL)
 	if err != nil {
 		return nil, err
@@ -247,6 +253,11 @@ func update(input ConfigInput) (*Config, error) {
 		refresh = true
 	}
 
+	if input.RosenpassEnabled != nil {
+		config.RosenpassEnabled = *input.RosenpassEnabled
+		refresh = true
+	}
+
 	if refresh {
 		// since we have new management URL, we need to update config file
 		if err := util.WriteJson(input.ConfigPath, config); err != nil {

client/internal/connect.go

@@ -235,6 +235,7 @@ func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.Pe
 		SSHKey:               []byte(config.SSHKey),
 		NATExternalIPs:       config.NATExternalIPs,
 		CustomDNSAddress:     config.CustomDNSAddress,
+		RosenpassEnabled:     config.RosenpassEnabled,
 	}
 
 	if config.PreSharedKey != "" {

client/internal/engine.go

@@ -22,6 +22,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/wgproxy"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
@@ -76,6 +77,8 @@ type EngineConfig struct {
 	NATExternalIPs []string
 
 	CustomDNSAddress string
+
+	RosenpassEnabled bool
 }
 
 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
@@ -86,6 +89,8 @@ type Engine struct {
 	mgmClient mgm.Client
 	// peerConns is a map that holds all the peers that are known to this peer
 	peerConns map[string]*peer.Conn
+	// rpManager is a Rosenpass manager
+	rpManager *rosenpass.Manager
 
 	// syncMsgMux is used to guarantee sequential Management Service message processing
 	syncMsgMux *sync.Mutex
@@ -185,6 +190,18 @@ func (e *Engine) Start() error {
 	}
 	e.wgInterface = wgIface
 
+	if e.config.RosenpassEnabled {
+		log.Infof("rosenpass is enabled")
+		e.rpManager, err = rosenpass.NewManager(e.config.PreSharedKey, e.config.WgIfaceName)
+		if err != nil {
+			return err
+		}
+		err := e.rpManager.Run()
+		if err != nil {
+			return err
+		}
+	}
+
 	initialRoutes, dnsServer, err := e.newDnsServer()
 	if err != nil {
 		e.close()
@@ -363,7 +380,8 @@ func sendSignal(message *sProto.Message, s signal.Client) error {
 }
 
 // SignalOfferAnswer signals either an offer or an answer to remote peer
-func SignalOfferAnswer(offerAnswer peer.OfferAnswer, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client, isAnswer bool) error {
+func SignalOfferAnswer(offerAnswer peer.OfferAnswer, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client,
+	isAnswer bool) error {
 	var t sProto.Body_Type
 	if isAnswer {
 		t = sProto.Body_ANSWER
@@ -374,7 +392,7 @@ func SignalOfferAnswer(offerAnswer peer.OfferAnswer, myKey wgtypes.Key, remoteKe
 	msg, err := signal.MarshalCredential(myKey, offerAnswer.WgListenPort, remoteKey, &signal.Credential{
 		UFrag: offerAnswer.IceCredentials.UFrag,
 		Pwd:   offerAnswer.IceCredentials.Pwd,
-	}, t)
+	}, t, offerAnswer.RosenpassPubKey, offerAnswer.RosenpassAddr)
 	if err != nil {
 		return err
 	}
@@ -627,6 +645,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		e.acl.ApplyFiltering(networkMap)
 	}
 	e.networkSerial = serial
+
 	return nil
 }
 
@@ -796,6 +815,26 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 		PreSharedKey: e.config.PreSharedKey,
 	}
 
+	if e.config.RosenpassEnabled {
+		lk := []byte(e.config.WgPrivateKey.PublicKey().String())
+		rk := []byte(wgConfig.RemoteKey)
+		var keyInput []byte
+		if string(lk) > string(rk) {
+			//nolint:gocritic
+			keyInput = append(lk[:16], rk[:16]...)
+		} else {
+			//nolint:gocritic
+			keyInput = append(rk[:16], lk[:16]...)
+		}
+
+		key, err := wgtypes.NewKey(keyInput)
+		if err != nil {
+			return nil, err
+		}
+
+		wgConfig.PreSharedKey = &key
+	}
+
 	// randomize connection timeout
 	timeout := time.Duration(rand.Intn(PeerConnectionTimeoutMax-PeerConnectionTimeoutMin)+PeerConnectionTimeoutMin) * time.Millisecond
 	config := peer.ConnConfig{
@@ -811,6 +850,8 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 		LocalWgPort:          e.config.WgPort,
 		NATExternalIPs:       e.parseNATExternalIPMappings(),
 		UserspaceBind:        e.wgInterface.IsUserspaceBind(),
+		RosenpassPubKey:      e.getRosenpassPubKey(),
+		RosenpassAddr:        e.getRosenpassAddr(),
 	}
 
 	peerConn, err := peer.NewConn(config, e.statusRecorder, e.wgProxyFactory, e.mobileDep.TunAdapter, e.mobileDep.IFaceDiscover)
@@ -842,6 +883,12 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 		return sendSignal(message, e.signal)
 	})
 
+	if e.rpManager != nil {
+
+		peerConn.SetOnConnected(e.rpManager.OnConnected)
+		peerConn.SetOnDisconnected(e.rpManager.OnDisconnected)
+	}
+
 	return peerConn, nil
 }
 
@@ -867,29 +914,45 @@ func (e *Engine) receiveSignalEvents() {
 
 				conn.RegisterProtoSupportMeta(msg.Body.GetFeaturesSupported())
 
+				var rosenpassPubKey []byte
+				rosenpassAddr := ""
+				if msg.GetBody().GetRosenpassConfig() != nil {
+					rosenpassPubKey = msg.GetBody().GetRosenpassConfig().GetRosenpassPubKey()
+					rosenpassAddr = msg.GetBody().GetRosenpassConfig().GetRosenpassServerAddr()
+				}
 				conn.OnRemoteOffer(peer.OfferAnswer{
 					IceCredentials: peer.IceCredentials{
 						UFrag: remoteCred.UFrag,
 						Pwd:   remoteCred.Pwd,
 					},
-					WgListenPort: int(msg.GetBody().GetWgListenPort()),
-					Version:      msg.GetBody().GetNetBirdVersion(),
+					WgListenPort:    int(msg.GetBody().GetWgListenPort()),
+					Version:         msg.GetBody().GetNetBirdVersion(),
+					RosenpassPubKey: rosenpassPubKey,
+					RosenpassAddr:   rosenpassAddr,
 				})
 			case sProto.Body_ANSWER:
 				remoteCred, err := signal.UnMarshalCredential(msg)
 				if err != nil {
 					return err
 				}
 
-				conn.RegisterProtoSupportMeta(msg.Body.GetFeaturesSupported())
+				conn.RegisterProtoSupportMeta(msg.GetBody().GetFeaturesSupported())
 
+				var rosenpassPubKey []byte
+				rosenpassAddr := ""
+				if msg.GetBody().GetRosenpassConfig() != nil {
+					rosenpassPubKey = msg.GetBody().GetRosenpassConfig().GetRosenpassPubKey()
+					rosenpassAddr = msg.GetBody().GetRosenpassConfig().GetRosenpassServerAddr()
+				}
 				conn.OnRemoteAnswer(peer.OfferAnswer{
 					IceCredentials: peer.IceCredentials{
 						UFrag: remoteCred.UFrag,
 						Pwd:   remoteCred.Pwd,
 					},
-					WgListenPort: int(msg.GetBody().GetWgListenPort()),
-					Version:      msg.GetBody().GetNetBirdVersion(),
+					WgListenPort:    int(msg.GetBody().GetWgListenPort()),
+					Version:         msg.GetBody().GetNetBirdVersion(),
+					RosenpassPubKey: rosenpassPubKey,
+					RosenpassAddr:   rosenpassAddr,
 				})
 			case sProto.Body_CANDIDATE:
 				candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
@@ -1000,6 +1063,10 @@ func (e *Engine) close() {
 			log.Warnf("failed to reset firewall: %s", err)
 		}
 	}
+
+	if e.rpManager != nil {
+		_ = e.rpManager.Close()
+	}
 }
 
 func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, error) {
@@ -1094,3 +1161,17 @@ func findIPFromInterface(iface *net.Interface) (net.IP, error) {
 	}
 	return nil, fmt.Errorf("interface %s don't have an ipv4 address", iface.Name)
 }
+
+func (e *Engine) getRosenpassPubKey() []byte {
+	if e.rpManager != nil {
+		return e.rpManager.GetPubKey()
+	}
+	return nil
+}
+
+func (e *Engine) getRosenpassAddr() string {
+	if e.rpManager != nil {
+		return e.rpManager.GetAddress().String()
+	}
+	return ""
+}