Introduce secure mode (part 1) (#1808)

Use noise protocol on handshake. Check peer's public key if needed. Also support rekey and replay attack prevention.

E2EE and temporary password will be implemented based on this.

easytier/src/common/config.rs

@@ -14,7 +14,7 @@ use crate::{
     instance::dns_server::DEFAULT_ET_DNS_ZONE,
     proto::{
         acl::Acl,
-        common::{CompressionAlgoPb, PortForwardConfigPb, SocketType},
+        common::{CompressionAlgoPb, PortForwardConfigPb, SecureModeConfig, SocketType},
     },
     tunnel::generate_digest_from_str,
 };
@@ -209,6 +209,9 @@ pub trait ConfigLoader: Send + Sync {
     fn get_stun_servers_v6(&self) -> Option<Vec<String>>;
     fn set_stun_servers_v6(&self, servers: Option<Vec<String>>);
 
+    fn get_secure_mode(&self) -> Option<SecureModeConfig>;
+    fn set_secure_mode(&self, secure_mode: Option<SecureModeConfig>);
+
     fn dump(&self) -> String;
 }
 
@@ -300,6 +303,7 @@ impl Default for NetworkIdentity {
 #[derive(Debug, Clone, Deserialize, Serialize, PartialEq)]
 pub struct PeerConfig {
     pub uri: url::Url,
+    pub peer_public_key: Option<String>,
 }
 
 #[derive(Debug, Clone, Deserialize, Serialize, PartialEq)]
@@ -407,6 +411,8 @@ struct Config {
 
     port_forward: Option<Vec<PortForwardConfig>>,
 
+    secure_mode: Option<SecureModeConfig>,
+
     flags: Option<serde_json::Map<String, serde_json::Value>>,
 
     #[serde(skip)]
@@ -802,6 +808,14 @@ impl ConfigLoader for TomlConfigLoader {
         self.config.lock().unwrap().stun_servers_v6 = servers;
     }
 
+    fn get_secure_mode(&self) -> Option<SecureModeConfig> {
+        self.config.lock().unwrap().secure_mode.clone()
+    }
+
+    fn set_secure_mode(&self, secure_mode: Option<SecureModeConfig>) {
+        self.config.lock().unwrap().secure_mode = secure_mode;
+    }
+
     fn dump(&self) -> String {
         let default_flags_json = serde_json::to_string(&gen_default_flags()).unwrap();
         let default_flags_hashmap =

easytier/src/common/constants.rs

@@ -29,6 +29,9 @@ define_global_var!(MAX_DIRECT_CONNS_PER_PEER_IN_FOREIGN_NETWORK, u32, 3);
 
 define_global_var!(DIRECT_CONNECT_TO_PUBLIC_SERVER, bool, true);
 
+// must make it true in future.
+define_global_var!(HMAC_SECRET_DIGEST, bool, false);
+
 pub const UDP_HOLE_PUNCH_CONNECTOR_SERVICE_ID: u32 = 2;
 
 pub const WIN_SERVICE_WORK_DIR_REG_KEY: &str = "SOFTWARE\\EasyTier\\Service\\WorkDir";

easytier/src/common/error.rs

@@ -48,6 +48,9 @@ pub enum Error {
 
     #[error("secret key error: {0}")]
     SecretKeyError(String),
+
+    #[error("noise protocol error: {0}")]
+    NoiseError(#[from] snow::Error),
 }
 
 pub type Result<T> = result::Result<T, Error>;

easytier/src/common/global_ctx.rs

@@ -15,6 +15,8 @@ use crate::proto::api::instance::PeerConnInfo;
 use crate::proto::common::{PeerFeatureFlag, PortForwardConfigPb};
 use crate::proto::peer_rpc::PeerGroupInfo;
 use crossbeam::atomic::AtomicCell;
+use hmac::{Hmac, Mac};
+use sha2::Sha256;
 
 use super::{
     config::{ConfigLoader, Flags},
@@ -268,6 +270,15 @@ impl GlobalCtx {
         self.config.get_network_identity()
     }
 
+    pub fn get_secret_proof(&self, challenge: &[u8]) -> Option<Hmac<Sha256>> {
+        let network_secret = self.get_network_identity().network_secret?;
+        let key = network_secret.as_bytes();
+        let mut mac = Hmac::<Sha256>::new_from_slice(key).unwrap();
+        mac.update(b"easytier secret proof");
+        mac.update(challenge);
+        Some(mac)
+    }
+
     pub fn get_network_name(&self) -> String {
         self.get_network_identity().network_name
     }