diff --git a/rust/Cargo.lock b/rust/Cargo.lock
index 2808711ac..490281223 100644
--- a/rust/Cargo.lock
+++ b/rust/Cargo.lock
@@ -917,7 +917,7 @@ checksum = "119771309b95163ec7aaf79810da82f7cd0599c19722d48b9c03894dca833966"
 [[package]]
 name = "boringtun"
 version = "0.6.1"
-source = "git+https://github.com/firezone/boringtun?branch=master#ed1de7c6ddf071d2895309f0fb153e9afb82fc99"
+source = "git+https://github.com/firezone/boringtun?branch=master#069a483bb185422feaeddf37d3af62beb650803c"
 dependencies = [
  "aead",
  "base64 0.22.1",
@@ -7051,7 +7051,6 @@ dependencies = [
  "once_cell",
  "rand 0.8.5",
  "ringbuffer",
- "secrecy",
  "sha2",
  "str0m",
  "stun_codec",
diff --git a/rust/connlib/snownet/Cargo.toml b/rust/connlib/snownet/Cargo.toml
index d34f9ade5..27bd9b1d0 100644
--- a/rust/connlib/snownet/Cargo.toml
+++ b/rust/connlib/snownet/Cargo.toml
@@ -21,7 +21,6 @@ itertools = { workspace = true }
 once_cell = { workspace = true }
 rand = { workspace = true }
 ringbuffer = { workspace = true }
-secrecy = { workspace = true }
 sha2 = { workspace = true }
 str0m = { workspace = true }
 stun_codec = { workspace = true }
diff --git a/rust/connlib/snownet/src/node.rs b/rust/connlib/snownet/src/node.rs
index fe9f24825..486aad8b2 100644
--- a/rust/connlib/snownet/src/node.rs
+++ b/rust/connlib/snownet/src/node.rs
@@ -12,7 +12,7 @@ use boringtun::noise::errors::WireGuardError;
 use boringtun::noise::{
     HandshakeResponse, Index, Packet, PacketCookieReply, PacketData, Tunn, TunnResult,
 };
-use boringtun::x25519::PublicKey;
+use boringtun::x25519::{self, PublicKey};
 use boringtun::{noise::rate_limiter::RateLimiter, x25519::StaticSecret};
 use bufferpool::{Buffer, BufferPool};
 use core::fmt;
@@ -21,9 +21,8 @@ use ip_packet::{Ecn, IpPacket, IpPacketBuf};
 use itertools::Itertools;
 use rand::rngs::StdRng;
 use rand::seq::IteratorRandom;
-use rand::{RngCore, SeedableRng, random};
+use rand::{RngCore, SeedableRng};
 use ringbuffer::{AllocRingBuffer, RingBuffer as _};
-use secrecy::{ExposeSecret, Secret};
 use sha2::Digest;
 use std::collections::btree_map::Entry;
 use std::collections::{BTreeMap, BTreeSet};
@@ -233,7 +232,7 @@ where
         &mut self,
         cid: TId,
         remote: PublicKey,
-        session_key: Secret<[u8; 32]>,
+        preshared_key: x25519::StaticSecret,
         local_creds: Credentials,
         remote_creds: Credentials,
         now: Instant,
@@ -249,8 +248,6 @@ where
             return Ok(());
         }
 
-        let preshared_key = *session_key.expose_secret();
-
         // Check if we already have a connection with the exact same parameters.
         // In order for the connection to be same, we need to compare:
         // - Local ICE credentials
@@ -267,9 +264,7 @@ where
                 .remote_credentials()
                 .is_some_and(|c| c == &remote_creds)
                 && c.tunnel.remote_static_public() == remote
-                && c.tunnel
-                    .preshared_key()
-                    .is_some_and(|key| key == preshared_key)
+                && c.tunnel.preshared_key().as_bytes() == preshared_key.as_bytes()
         {
             tracing::info!(local = ?local_creds, "Reusing existing connection");
 
@@ -747,7 +742,7 @@ where
         cid: TId,
         mut agent: IceAgent,
         remote: PublicKey,
-        key: [u8; 32],
+        key: x25519::StaticSecret,
         relay: RId,
         index: Index,
         intent_sent_at: Instant,
@@ -1077,7 +1072,7 @@ where
         let mut agent = new_agent();
         agent.set_controlling(true);
 
-        let session_key = Secret::new(random());
+        let session_key = x25519::StaticSecret::random_from_rng(rand::thread_rng());
         let ice_creds = agent.local_credentials();
 
         let params = Offer {
@@ -1137,7 +1132,7 @@ where
             cid,
             agent,
             remote,
-            *initial.session_key.expose_secret(),
+            initial.session_key,
             selected_relay,
             index,
             initial.intent_sent_at,
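Review bot: `preshared_key: x25519::StaticSecret` in the `upsert_connection` signature repurposes an X25519 scalar type as the container for a symmetric WireGuard pre-shared key, and x25519-dalek's `StaticSecret` constructors (`From<[u8; 32]>`, `random_from_rng`) clamp the scalar in the 2.x releases, so the bytes later read back through `as_bytes()` may not be the bytes that were supplied. If the boringtun rev pinned in this commit pulls in such a version, the PSK delivered by the control plane is silently altered (five bits forced to fixed values) at the `x25519::StaticSecret::from(preshared_key.expose_secret().0)` call sites in client.rs, gateway.rs and messages.rs; both peers alter it identically so the handshake still succeeds, but the effective key space shrinks and the type no longer says what the value is. Worth confirming against the pinned x25519-dalek version, and either keeping a plain zeroize-on-drop `[u8; 32]` newtype for the PSK or documenting the choice on the parameter: `/// WireGuard pre-shared key; carried in an x25519 StaticSecret only for its secret-handling semantics, never used for Diffie-Hellman.`. `upsert_connection` starts before this hunk and its body continues after it.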
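Review bot: The connection-reuse check in the `@@ -267` hunk compares secret key material with `==` on the two `as_bytes()` slices, an early-exit byte comparison that leaks, through timing, how many leading bytes of the existing tunnel's PSK match the one just supplied. The previous `key == preshared_key` on `[u8; 32]` had the same property, so this is not a regression, but since the commit rewrites the line it is a cheap moment to make it constant-time, e.g. `&& bool::from(c.tunnel.preshared_key().as_bytes().ct_eq(preshared_key.as_bytes()))` via `subtle::ConstantTimeEq` (a dependency of x25519-dalek, so presumably already in the tree, though snownet's Cargo.toml would need to list it). The enclosing `if` condition starts before this hunk and the function continues after it.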
@@ -1210,7 +1205,7 @@ where
             cid,
             agent,
             remote,
-            *offer.session_key.expose_secret(),
+            offer.session_key,
             selected_relay,
             index,
             now, // Technically, this isn't fully correct because gateways don't send intents so we just use the current time.
@@ -1395,7 +1390,7 @@ fn remove_local_candidate(
 #[deprecated]
 pub struct Offer {
     /// The Wireguard session key for a connection.
-    pub session_key: Secret<[u8; 32]>,
+    pub session_key: x25519::StaticSecret,
     pub credentials: Credentials,
 }
 
@@ -1485,7 +1480,7 @@ impl fmt::Debug for Transmit {
 
 struct InitialConnection {
     agent: IceAgent,
-    session_key: Secret<[u8; 32]>,
+    session_key: x25519::StaticSecret,
     /// The fallback relay we sampled for this potential connection.
     relay: RId,
 
diff --git a/rust/connlib/tunnel/src/client.rs b/rust/connlib/tunnel/src/client.rs
index 0ad0afd77..b3bc94586 100644
--- a/rust/connlib/tunnel/src/client.rs
+++ b/rust/connlib/tunnel/src/client.rs
@@ -6,6 +6,7 @@ mod resource;
 
 pub(crate) use crate::client::gateway_on_client::GatewayOnClient;
 use crate::client::pending_tun_update::PendingTunUpdate;
+use boringtun::x25519;
 #[cfg(all(feature = "proptest", test))]
 pub(crate) use resource::DnsResource;
 pub(crate) use resource::{CidrResource, InternetResource, Resource};
@@ -14,6 +15,7 @@ use dns_resource_nat::DnsResourceNat;
 use dns_types::ResponseCode;
 use firezone_telemetry::{analytics, feature_flags};
 use ringbuffer::{AllocRingBuffer, RingBuffer};
+use secrecy::ExposeSecret as _;
 
 use crate::client::dns_cache::DnsCache;
 use crate::dns::{DnsResourceRecord, StubResolver};
@@ -37,7 +39,6 @@ use itertools::Itertools;
 
 use crate::ClientEvent;
 use lru::LruCache;
-use secrecy::{ExposeSecret as _, Secret};
 use snownet::{ClientNode, NoTurnServers, RelaySocket, Transmit};
 use std::collections::{BTreeMap, BTreeSet, HashMap, HashSet, VecDeque};
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
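Review bot: The doc comment on `Offer::session_key` in the `@@ -1395` hunk still reads "The Wireguard session key for a connection", while the same value is now passed to `upsert_connection` under the name `preshared_key` and typed as `x25519::StaticSecret`, so a reader of the struct cannot tell whether this is the WireGuard PSK or an X25519 identity key. Suggest `/// The WireGuard pre-shared key for this connection; it is an x25519 StaticSecret only to reuse that type's secret handling, not for Diffie-Hellman.`, and the same wording on `InitialConnection::session_key` in the following hunk, which has no doc comment at all. Both structs are shown in full only for the lines inside their hunks.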
@@ -705,7 +706,7 @@ impl ClientState {
         match self.node.upsert_connection(
             gid,
             gateway_key,
-            Secret::new(preshared_key.expose_secret().0),
+            x25519::StaticSecret::from(preshared_key.expose_secret().0),
             snownet::Credentials {
                 username: client_ice.username,
                 password: client_ice.password,
diff --git a/rust/connlib/tunnel/src/gateway.rs b/rust/connlib/tunnel/src/gateway.rs
index f1ade1cf7..8c376cb62 100644
--- a/rust/connlib/tunnel/src/gateway.rs
+++ b/rust/connlib/tunnel/src/gateway.rs
@@ -12,12 +12,12 @@ use crate::messages::{Answer, IceCredentials, ResolveRequest, SecretKey};
 use crate::peer_store::PeerStore;
 use crate::{GatewayEvent, IpConfig, p2p_control};
 use anyhow::{Context, Result};
-use boringtun::x25519::PublicKey;
+use boringtun::x25519::{self, PublicKey};
 use chrono::{DateTime, Utc};
 use connlib_model::{ClientId, IceCandidate, RelayId, ResourceId};
 use dns_types::DomainName;
 use ip_packet::{FzP2pControlSlice, IpPacket};
-use secrecy::{ExposeSecret as _, Secret};
+use secrecy::ExposeSecret as _;
 use snownet::{Credentials, NoTurnServers, RelaySocket, ServerNode, Transmit};
 use std::collections::{BTreeMap, BTreeSet, VecDeque};
 use std::iter;
@@ -317,7 +317,7 @@ impl GatewayState {
         self.node.upsert_connection(
             cid,
             client_key,
-            Secret::new(preshared_key.expose_secret().0),
+            x25519::StaticSecret::from(preshared_key.expose_secret().0),
             Credentials {
                 username: gateway_ice.username,
                 password: gateway_ice.password,
diff --git a/rust/connlib/tunnel/src/messages.rs b/rust/connlib/tunnel/src/messages.rs
index a2cf88668..5ddf9f7a9 100644
--- a/rust/connlib/tunnel/src/messages.rs
+++ b/rust/connlib/tunnel/src/messages.rs
@@ -1,6 +1,7 @@
 //! Message types that are used by both the gateway and client.
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
 
+use boringtun::x25519;
 use chrono::{DateTime, Utc, serde::ts_seconds};
 use connlib_model::RelayId;
 use dns_types::DomainName;
@@ -80,7 +81,7 @@ impl Offer {
     // Not a very clean API but it is deprecated anyway.
     pub fn into_snownet_offer(self, key: Secret) -> snownet::Offer {
         snownet::Offer {
-            session_key: Secret::new(key.expose_secret().0),
+            session_key: x25519::StaticSecret::from(key.expose_secret().0),
             credentials: snownet::Credentials {
                 username: self.username,
                 password: self.password,