build(deps): bump boringtun dependency (#10716)

Primarily to bring in https://github.com/firezone/boringtun/pull/123.

Related: #10631

rust/Cargo.lock

@@ -917,7 +917,7 @@ checksum = "119771309b95163ec7aaf79810da82f7cd0599c19722d48b9c03894dca833966"
 [[package]]
 name = "boringtun"
 version = "0.6.1"
-source = "git+https://github.com/firezone/boringtun?branch=master#ed1de7c6ddf071d2895309f0fb153e9afb82fc99"
+source = "git+https://github.com/firezone/boringtun?branch=master#069a483bb185422feaeddf37d3af62beb650803c"
 dependencies = [
  "aead",
  "base64 0.22.1",
@@ -7051,7 +7051,6 @@ dependencies = [
  "once_cell",
  "rand 0.8.5",
  "ringbuffer",
- "secrecy",
  "sha2",
  "str0m",
  "stun_codec",

rust/connlib/snownet/Cargo.toml

@@ -21,7 +21,6 @@ itertools = { workspace = true }
 once_cell = { workspace = true }
 rand = { workspace = true }
 ringbuffer = { workspace = true }
-secrecy = { workspace = true }
 sha2 = { workspace = true }
 str0m = { workspace = true }
 stun_codec = { workspace = true }

rust/connlib/snownet/src/node.rs

@@ -12,7 +12,7 @@ use boringtun::noise::errors::WireGuardError;
 use boringtun::noise::{
     HandshakeResponse, Index, Packet, PacketCookieReply, PacketData, Tunn, TunnResult,
 };
-use boringtun::x25519::PublicKey;
+use boringtun::x25519::{self, PublicKey};
 use boringtun::{noise::rate_limiter::RateLimiter, x25519::StaticSecret};
 use bufferpool::{Buffer, BufferPool};
 use core::fmt;
@@ -21,9 +21,8 @@ use ip_packet::{Ecn, IpPacket, IpPacketBuf};
 use itertools::Itertools;
 use rand::rngs::StdRng;
 use rand::seq::IteratorRandom;
-use rand::{RngCore, SeedableRng, random};
+use rand::{RngCore, SeedableRng};
 use ringbuffer::{AllocRingBuffer, RingBuffer as _};
-use secrecy::{ExposeSecret, Secret};
 use sha2::Digest;
 use std::collections::btree_map::Entry;
 use std::collections::{BTreeMap, BTreeSet};
@@ -233,7 +232,7 @@ where
         &mut self,
         cid: TId,
         remote: PublicKey,
-        session_key: Secret<[u8; 32]>,
+        preshared_key: x25519::StaticSecret,
         local_creds: Credentials,
         remote_creds: Credentials,
         now: Instant,
@@ -249,8 +248,6 @@ where
             return Ok(());
         }
 
-        let preshared_key = *session_key.expose_secret();
-
         // Check if we already have a connection with the exact same parameters.
         // In order for the connection to be same, we need to compare:
         // - Local ICE credentials
@@ -267,9 +264,7 @@ where
                 .remote_credentials()
                 .is_some_and(|c| c == &remote_creds)
             && c.tunnel.remote_static_public() == remote
-            && c.tunnel
-                .preshared_key()
-                .is_some_and(|key| key == preshared_key)
+            && c.tunnel.preshared_key().as_bytes() == preshared_key.as_bytes()
         {
             tracing::info!(local = ?local_creds, "Reusing existing connection");
 
@@ -747,7 +742,7 @@ where
         cid: TId,
         mut agent: IceAgent,
         remote: PublicKey,
-        key: [u8; 32],
+        key: x25519::StaticSecret,
         relay: RId,
         index: Index,
         intent_sent_at: Instant,
@@ -1077,7 +1072,7 @@ where
         let mut agent = new_agent();
         agent.set_controlling(true);
 
-        let session_key = Secret::new(random());
+        let session_key = x25519::StaticSecret::random_from_rng(rand::thread_rng());
         let ice_creds = agent.local_credentials();
 
         let params = Offer {
@@ -1137,7 +1132,7 @@ where
             cid,
             agent,
             remote,
-            *initial.session_key.expose_secret(),
+            initial.session_key,
             selected_relay,
             index,
             initial.intent_sent_at,
@@ -1210,7 +1205,7 @@ where
             cid,
             agent,
             remote,
-            *offer.session_key.expose_secret(),
+            offer.session_key,
             selected_relay,
             index,
             now, // Technically, this isn't fully correct because gateways don't send intents so we just use the current time.
@@ -1395,7 +1390,7 @@ fn remove_local_candidate<TId>(
 #[deprecated]
 pub struct Offer {
     /// The Wireguard session key for a connection.
-    pub session_key: Secret<[u8; 32]>,
+    pub session_key: x25519::StaticSecret,
     pub credentials: Credentials,
 }
 
@@ -1485,7 +1480,7 @@ impl fmt::Debug for Transmit {
 
 struct InitialConnection<RId> {
     agent: IceAgent,
-    session_key: Secret<[u8; 32]>,
+    session_key: x25519::StaticSecret,
 
     /// The fallback relay we sampled for this potential connection.
     relay: RId,

rust/connlib/tunnel/src/client.rs

@@ -6,6 +6,7 @@ mod resource;
 
 pub(crate) use crate::client::gateway_on_client::GatewayOnClient;
 use crate::client::pending_tun_update::PendingTunUpdate;
+use boringtun::x25519;
 #[cfg(all(feature = "proptest", test))]
 pub(crate) use resource::DnsResource;
 pub(crate) use resource::{CidrResource, InternetResource, Resource};
@@ -14,6 +15,7 @@ use dns_resource_nat::DnsResourceNat;
 use dns_types::ResponseCode;
 use firezone_telemetry::{analytics, feature_flags};
 use ringbuffer::{AllocRingBuffer, RingBuffer};
+use secrecy::ExposeSecret as _;
 
 use crate::client::dns_cache::DnsCache;
 use crate::dns::{DnsResourceRecord, StubResolver};
@@ -37,7 +39,6 @@ use itertools::Itertools;
 
 use crate::ClientEvent;
 use lru::LruCache;
-use secrecy::{ExposeSecret as _, Secret};
 use snownet::{ClientNode, NoTurnServers, RelaySocket, Transmit};
 use std::collections::{BTreeMap, BTreeSet, HashMap, HashSet, VecDeque};
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
@@ -705,7 +706,7 @@ impl ClientState {
         match self.node.upsert_connection(
             gid,
             gateway_key,
-            Secret::new(preshared_key.expose_secret().0),
+            x25519::StaticSecret::from(preshared_key.expose_secret().0),
             snownet::Credentials {
                 username: client_ice.username,
                 password: client_ice.password,

rust/connlib/tunnel/src/gateway.rs

@@ -12,12 +12,12 @@ use crate::messages::{Answer, IceCredentials, ResolveRequest, SecretKey};
 use crate::peer_store::PeerStore;
 use crate::{GatewayEvent, IpConfig, p2p_control};
 use anyhow::{Context, Result};
-use boringtun::x25519::PublicKey;
+use boringtun::x25519::{self, PublicKey};
 use chrono::{DateTime, Utc};
 use connlib_model::{ClientId, IceCandidate, RelayId, ResourceId};
 use dns_types::DomainName;
 use ip_packet::{FzP2pControlSlice, IpPacket};
-use secrecy::{ExposeSecret as _, Secret};
+use secrecy::ExposeSecret as _;
 use snownet::{Credentials, NoTurnServers, RelaySocket, ServerNode, Transmit};
 use std::collections::{BTreeMap, BTreeSet, VecDeque};
 use std::iter;
@@ -317,7 +317,7 @@ impl GatewayState {
         self.node.upsert_connection(
             cid,
             client_key,
-            Secret::new(preshared_key.expose_secret().0),
+            x25519::StaticSecret::from(preshared_key.expose_secret().0),
             Credentials {
                 username: gateway_ice.username,
                 password: gateway_ice.password,

rust/connlib/tunnel/src/messages.rs

@@ -1,6 +1,7 @@
 //! Message types that are used by both the gateway and client.
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
 
+use boringtun::x25519;
 use chrono::{DateTime, Utc, serde::ts_seconds};
 use connlib_model::RelayId;
 use dns_types::DomainName;
@@ -80,7 +81,7 @@ impl Offer {
     // Not a very clean API but it is deprecated anyway.
     pub fn into_snownet_offer(self, key: Secret<Key>) -> snownet::Offer {
         snownet::Offer {
-            session_key: Secret::new(key.expose_secret().0),
+            session_key: x25519::StaticSecret::from(key.expose_secret().0),
             credentials: snownet::Credentials {
                 username: self.username,
                 password: self.password,