QUIC support

Cargo.toml

@@ -44,6 +44,7 @@ wasm-timer = "0.2.4"
 libp2p-deflate = { version = "0.16.0", path = "protocols/deflate" }
 libp2p-dns = { version = "0.16.0", path = "transports/dns" }
 libp2p-mdns = { version = "0.16.0", path = "protocols/mdns" }
+libp2p-quic = { version = "0.16.0", path = "transports/quic" }
 libp2p-tcp = { version = "0.16.0", path = "transports/tcp" }
 libp2p-websocket = { version = "0.16.0", path = "transports/websocket", optional = true }
 
@@ -70,11 +71,18 @@ members = [
     "protocols/ping",
     "protocols/plaintext",
     "protocols/secio",
+    "protocols/tls",
     "swarm",
     "transports/dns",
+    "transports/quic",
     "transports/tcp",
     "transports/uds",
+    "transports/wasm-ext",
     "transports/websocket",
-    "transports/wasm-ext"
+]
+exclude = [
+    "webpki"
 ]
 
+[patch.crates-io]
+webpki = { git = "https://github.com/paritytech/webpki", branch = "extension-handlers" }

core/src/lib.rs

@@ -23,14 +23,14 @@
 //! The main concepts of libp2p-core are:
 //!
 //! - A [`PeerId`] is a unique global identifier for a node on the network.
-//!   Each node must have a different `PeerId`. Normally, a `PeerId` is the
+//!   Each node must have a different [`PeerId`]. Normally, a [`PeerId`] is the
 //!   hash of the public key used to negotiate encryption on the
 //!   communication channel, thereby guaranteeing that they cannot be spoofed.
 //! - The [`Transport`] trait defines how to reach a remote node or listen for
-//!   incoming remote connections. See the `transport` module.
+//!   incoming remote connections. See the [`transport`] module.
 //! - The [`StreamMuxer`] trait is implemented on structs that hold a connection
 //!   to a remote and can subdivide this connection into multiple substreams.
-//!   See the `muxing` module.
+//!   See the [`muxing`] module.
 //! - The [`UpgradeInfo`], [`InboundUpgrade`] and [`OutboundUpgrade`] traits
 //!   define how to upgrade each individual substream to use a protocol.
 //!   See the `upgrade` module.

misc/multiaddr/Cargo.toml

@@ -20,6 +20,10 @@ static_assertions = "1.1"
 unsigned-varint = "0.3"
 url = { version = "2.1.0", default-features = false }
 
+[target.'cfg(not(any(target_os = "emscripten", target_os = "unknown")))'.dependencies]
+get_if_addrs = "0.5.3"
+ipnet = "2.1.0"
+
 [dev-dependencies]
 bincode = "1"
 quickcheck = "0.9.0"

misc/multiaddr/src/lib.rs

@@ -303,6 +303,37 @@ impl TryFrom<Vec<u8>> for Multiaddr {
     }
 }
 
+/// Collect all local host addresses and use the provided port number as listen port.
+#[cfg(not(any(target_os = "emscripten", target_os = "unknown")))]
+pub fn host_addresses(suffix: &[Protocol]) -> io::Result<Vec<(IpAddr, ipnet::IpNet, Multiaddr)>> {
+    use get_if_addrs::{get_if_addrs, IfAddr};
+    use ipnet::{IpNet, Ipv4Net, Ipv6Net};
+    let mut addrs = Vec::new();
+    for iface in get_if_addrs()? {
+        let ip = iface.ip();
+        let mut ma = Multiaddr::from(ip);
+        for proto in suffix {
+            ma = ma.with(proto.clone())
+        }
+        let ipn = match iface.addr {
+            IfAddr::V4(ip4) => {
+                let prefix_len = (!u32::from_be_bytes(ip4.netmask.octets())).leading_zeros();
+                let ipnet = Ipv4Net::new(ip4.ip, prefix_len as u8)
+                    .expect("prefix_len is the number of bits in a u32, so can not exceed 32");
+                IpNet::V4(ipnet)
+            }
+            IfAddr::V6(ip6) => {
+                let prefix_len = (!u128::from_be_bytes(ip6.netmask.octets())).leading_zeros();
+                let ipnet = Ipv6Net::new(ip6.ip, prefix_len as u8)
+                    .expect("prefix_len is the number of bits in a u128, so can not exceed 128");
+                IpNet::V6(ipnet)
+            }
+        };
+        addrs.push((ip, ipn, ma))
+    }
+    Ok(addrs)
+}
+
 impl TryFrom<String> for Multiaddr {
     type Error = Error;
 

protocols/tls/Cargo.toml

@@ -0,0 +1,29 @@
+[package]
+name = "libp2p-tls"
+version = "0.16.0"
+authors = ["Parity Technologies <admin@parity.io>"]
+edition = "2018"
+description = "TLS encryption for libp2p"
+license = "MIT"
+repository = "https://github.com/libp2p/rust-libp2p"
+keywords = ["peer-to-peer", "libp2p", "networking", "tls"]
+categories = ["network-programming", "asynchronous"]
+
+[dependencies]
+quinn = { git = "https://github.com/djc/quinn", optional = true, package = "quinn-proto" }
+rustls = "0.17.0"
+ring = "0.16.11"
+rcgen = "0.7.0"
+webpki = "0.21.2"
+untrusted = "0.7.0"
+log = "0.4.8"
+libp2p-core = { path = "../../core", version = "0.16.0" }
+yasna = "0.3.1"
+
+[features]
+default = ["quic"]
+quic = ["quinn"]
+
+[lib]
+name = "libp2p_tls"
+path = "src/tls.rs"

protocols/tls/src/certificate.rs

@@ -0,0 +1,145 @@
+// Copyright 2017-2018 Parity Technologies (UK) Ltd.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the "Software"),
+// to deal in the Software without restriction, including without limitation
+// the rights to use, copy, modify, merge, publish, distribute, sublicense,
+// and/or sell copies of the Software, and to permit persons to whom the
+// Software is furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+// FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+// DEALINGS IN THE SOFTWARE.
+
+//! Certificate handling for libp2p
+//!
+//! This handles generation, signing, and verification.
+//!
+//! This crate uses the `log` crate to emit log output.  Events that will occur normally are output
+//! at `trace` level, while “expected” error conditions (ones that can result during correct use of the
+//! library) are logged at `debug` level.
+
+use super::LIBP2P_SIGNING_PREFIX_LENGTH;
+use libp2p_core::identity;
+use log::error;
+
+const LIBP2P_OID: &[u64] = &[1, 3, 6, 1, 4, 1, 53594, 1, 1];
+const LIBP2P_SIGNATURE_ALGORITHM_PUBLIC_KEY_LENGTH: usize = 65;
+static LIBP2P_SIGNATURE_ALGORITHM: &rcgen::SignatureAlgorithm = &rcgen::PKCS_ECDSA_P256_SHA256;
+// preferred, but not supported by rustls yet
+//const LIBP2P_SIGNATURE_ALGORITHM_PUBLIC_KEY_LENGTH: usize = 32;
+//static LIBP2P_SIGNATURE_ALGORITHM: &rcgen::SignatureAlgorithm = &rcgen::PKCS_ED25519;
+// same but with P-384
+//const LIBP2P_SIGNATURE_ALGORITHM_PUBLIC_KEY_LENGTH: usize = 97;
+//static LIBP2P_SIGNATURE_ALGORITHM: &rcgen::SignatureAlgorithm = &rcgen::PKCS_ECDSA_P384_SHA384;
+
+fn encode_signed_key(public_key: identity::PublicKey, signature: &[u8]) -> rcgen::CustomExtension {
+    let public_key = public_key.into_protobuf_encoding();
+    let contents = yasna::construct_der(|writer| {
+        writer.write_sequence(|writer| {
+            writer
+                .next()
+                .write_bitvec_bytes(&public_key, public_key.len() * 8);
+            writer
+                .next()
+                .write_bitvec_bytes(signature, signature.len() * 8);
+        })
+    });
+    let mut ext = rcgen::CustomExtension::from_oid_content(LIBP2P_OID, contents);
+    ext.set_criticality(true);
+    ext
+}
+
+fn gen_signed_keypair(keypair: &identity::Keypair) -> (rcgen::KeyPair, rcgen::CustomExtension) {
+    let temp_keypair = rcgen::KeyPair::generate(&LIBP2P_SIGNATURE_ALGORITHM)
+        .expect("we pass valid parameters, and assume we have enough memory and randomness; qed");
+    let mut signing_buf =
+        [0u8; LIBP2P_SIGNING_PREFIX_LENGTH + LIBP2P_SIGNATURE_ALGORITHM_PUBLIC_KEY_LENGTH];
+    let public = temp_keypair.public_key_raw();
+    assert_eq!(
+        public.len(),
+        LIBP2P_SIGNATURE_ALGORITHM_PUBLIC_KEY_LENGTH,
+        "ed25519 public keys are {} bytes",
+        LIBP2P_SIGNATURE_ALGORITHM_PUBLIC_KEY_LENGTH
+    );
+    signing_buf[..LIBP2P_SIGNING_PREFIX_LENGTH].copy_from_slice(&super::LIBP2P_SIGNING_PREFIX[..]);
+    signing_buf[LIBP2P_SIGNING_PREFIX_LENGTH..].copy_from_slice(public);
+    let signature = keypair.sign(&signing_buf).expect("signing failed");
+    (
+        temp_keypair,
+        encode_signed_key(keypair.public(), &signature),
+    )
+}
+
+/// Generates a self-signed TLS certificate that includes a libp2p-specific certificate extension
+/// containing the public key of the given keypair.
+pub(crate) fn make_cert(keypair: &identity::Keypair) -> rcgen::Certificate {
+    let mut params = rcgen::CertificateParams::new(vec![]);
+    let (cert_keypair, libp2p_extension) = gen_signed_keypair(keypair);
+    params.custom_extensions.push(libp2p_extension);
+    params.alg = &LIBP2P_SIGNATURE_ALGORITHM;
+    params.key_pair = Some(cert_keypair);
+    rcgen::Certificate::from_params(params)
+        .expect("certificate generation with valid params will succeed; qed")
+}
+
+/// Extracts the `PeerId` from a certificate’s libp2p extension. It is erroneous
+/// to call this unless the certificate is known to be a well-formed X.509
+/// certificate with a valid libp2p extension. The certificate verifiers in this
+/// crate validate check this.
+///
+/// If you get `Err` from this function, there is a bug somewhere. Either you
+/// called it without checking the preconditions, or there is a bug in this
+/// library or one of its dependencies.
+pub fn extract_peerid(certificate: &[u8]) -> Result<libp2p_core::PeerId, webpki::Error> {
+    let mut id = None;
+    let cb = &mut |oid: untrusted::Input<'_>, value, _, _| match oid.as_slice_less_safe() {
+        super::LIBP2P_OID_BYTES => {
+            if id.is_some() {
+                error!(
+                    "multiple libp2p extensions should have been detected \
+                     earlier; something is wrong"
+                );
+                id = Some(Err(webpki::Error::UnknownIssuer))
+            }
+            id = Some(match extract_libp2p_peerid(value) {
+                Ok(value) => Ok(value),
+                Err(_) => {
+                    error!(
+                        "bogus libp2p extension should have been detected \
+                         earlier; something is wrong"
+                    );
+                    Err(webpki::Error::UnknownIssuer)
+                }
+            });
+            webpki::Understood::Yes
+        }
+        _ => webpki::Understood::No,
+    };
+    webpki::EndEntityCert::from_with_extension_cb(certificate, cb)?;
+    id.unwrap_or(Err(webpki::Error::UnknownIssuer))
+}
+
+fn extract_libp2p_peerid(
+    extension: untrusted::Input<'_>,
+) -> Result<libp2p_core::PeerId, ring::error::Unspecified> {
+    use ring::{error::Unspecified, io::der};
+    extension
+        .read_all(Unspecified, |mut reader| {
+            let inner = der::expect_tag_and_get_value(&mut reader, der::Tag::Sequence)?;
+            inner.read_all(Unspecified, |mut reader| {
+                let public_key =
+                    der::bit_string_with_no_unused_bits(&mut reader)?.as_slice_less_safe();
+                der::bit_string_with_no_unused_bits(&mut reader)?;
+                identity::PublicKey::from_protobuf_encoding(public_key).map_err(|_| Unspecified)
+            })
+        })
+        .map(From::from)
+}

protocols/tls/src/tls.rs

@@ -0,0 +1,125 @@
+// Copyright 2020 Parity Technologies (UK) Ltd.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the "Software"),
+// to deal in the Software without restriction, including without limitation
+// the rights to use, copy, modify, merge, publish, distribute, sublicense,
+// and/or sell copies of the Software, and to permit persons to whom the
+// Software is furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+// FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+// DEALINGS IN THE SOFTWARE.
+
+//! TLS configuration for `libp2p-quic`.
+#![deny(
+    exceeding_bitshifts,
+    invalid_type_param_default,
+    missing_fragment_specifier,
+    mutable_transmutes,
+    no_mangle_const_items,
+    overflowing_literals,
+    patterns_in_fns_without_body,
+    pub_use_of_private_extern_crate,
+    unknown_crate_types,
+    const_err,
+    order_dependent_trait_objects,
+    illegal_floating_point_literal_pattern,
+    improper_ctypes,
+    late_bound_lifetime_arguments,
+    non_camel_case_types,
+    non_shorthand_field_patterns,
+    non_snake_case,
+    non_upper_case_globals,
+    no_mangle_generic_items,
+    path_statements,
+    private_in_public,
+    safe_packed_borrows,
+    stable_features,
+    type_alias_bounds,
+    tyvar_behind_raw_pointer,
+    unconditional_recursion,
+    unused,
+    unused_allocation,
+    unused_comparisons,
+    unused_mut,
+    unreachable_pub,
+    while_true,
+    anonymous_parameters,
+    bare_trait_objects,
+    elided_lifetimes_in_paths,
+    missing_copy_implementations,
+    missing_debug_implementations,
+    missing_docs,
+    single_use_lifetimes,
+    trivial_casts,
+    trivial_numeric_casts,
+    unused_extern_crates,
+    unused_import_braces,
+    unused_qualifications,
+    clippy::all
+)]
+#![forbid(unsafe_code)]
+
+mod certificate;
+mod verifier;
+
+pub use certificate::extract_peerid;
+use std::sync::Arc;
+
+const LIBP2P_SIGNING_PREFIX: [u8; 21] = *b"libp2p-tls-handshake:";
+const LIBP2P_SIGNING_PREFIX_LENGTH: usize = LIBP2P_SIGNING_PREFIX.len();
+const LIBP2P_OID_BYTES: &[u8] = &[43, 6, 1, 4, 1, 131, 162, 90, 1, 1];
+
+fn make_client_config(
+    certificate: rustls::Certificate,
+    key: rustls::PrivateKey,
+    verifier: Arc<verifier::Libp2pCertificateVerifier>,
+) -> rustls::ClientConfig {
+    let mut crypto = rustls::ClientConfig::new();
+    crypto.versions = vec![rustls::ProtocolVersion::TLSv1_3];
+    crypto.enable_early_data = true;
+    crypto
+        .set_single_client_cert(vec![certificate], key)
+        .expect("we have a valid certificate; qed");
+    crypto.dangerous().set_certificate_verifier(verifier);
+    crypto
+}
+
+fn make_server_config(
+    certificate: rustls::Certificate,
+    key: rustls::PrivateKey,
+    verifier: Arc<verifier::Libp2pCertificateVerifier>,
+) -> rustls::ServerConfig {
+    let mut crypto = rustls::ServerConfig::new(verifier);
+    crypto.versions = vec![rustls::ProtocolVersion::TLSv1_3];
+    crypto
+        .set_single_cert(vec![certificate], key)
+        .expect("we have a valid certificate; qed");
+    crypto
+}
+
+/// Create TLS client and server configurations for libp2p.
+pub fn make_tls_config(
+    keypair: &libp2p_core::identity::Keypair,
+) -> (rustls::ClientConfig, rustls::ServerConfig) {
+    let cert = certificate::make_cert(&keypair);
+    let private_key = cert.serialize_private_key_der();
+    let verifier = Arc::new(verifier::Libp2pCertificateVerifier);
+    let cert = rustls::Certificate(
+        cert.serialize_der()
+            .expect("serialization of a valid cert will succeed; qed"),
+    );
+    let key = rustls::PrivateKey(private_key);
+    (
+        make_client_config(cert.clone(), key.clone(), verifier.clone()),
+        make_server_config(cert, key, verifier),
+    )
+}