feat: relay peer end-to-end encryption via Noise IK handshake (#1960)

Enable encryption for non-direct nodes requiring relay forwarding. When secure_mode is enabled, peers perform Noise IK handshake to establish an encrypted PeerSession. Relay packets are encrypted at the sender and decrypted at the receiver. Intermediate forwarding nodes cannot read plaintext data. --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: KKRainbow <5665404+KKRainbow@users.noreply.github.com>
2026-05-16 02:45:41 +00:00 · 2026-03-07 14:47:22 +08:00
parent 22b4c4be2c
commit 59d4475743
14 changed files with 2081 additions and 73 deletions
@@ -146,6 +146,7 @@ impl RoutePeerInfo {
            groups: Vec::new(),

            quic_port: None,
+            noise_static_pubkey: Vec::new(),
        }
    }

@@ -164,6 +165,12 @@ impl RoutePeerInfo {
        global_ctx: &ArcGlobalCtx,
    ) -> Self {
        let stun_info = global_ctx.get_stun_info_collector().get_stun_info();
+        let noise_static_pubkey = global_ctx
+            .config
+            .get_secure_mode()
+            .and_then(|cfg| cfg.public_key().ok())
+            .map(|pk| pk.as_bytes().to_vec())
+            .unwrap_or_default();
        Self {
            peer_id: my_peer_id,
            inst_id: Some(global_ctx.get_id().into()),
@@ -197,6 +204,8 @@ impl RoutePeerInfo {

            groups: global_ctx.get_acl_groups(my_peer_id),

+            noise_static_pubkey,
+
            ..Default::default()
        }
    }
@@ -1842,15 +1851,6 @@ impl PeerRouteServiceImpl {
            if let Some(last_update) = peer_info.last_update {
                let last_update = TryInto::<SystemTime>::try_into(last_update).unwrap();
                if last_sync_succ_timestamp.is_some_and(|t| last_update < t) {
-                    tracing::debug!(
-                        "ignore peer_info {:?} because last_update: {:?} is older than last_sync_succ_timestamp: {:?}, peer_infos_count: {}, my_peer_id: {:?}, session: {:?}",
-                        peer_info,
-                        last_update,
-                        last_sync_succ_timestamp,
-                        peer_infos.len(),
-                        self.my_peer_id,
-                        session
-                    );
                    break;
                }
            }
@@ -2556,6 +2556,7 @@ impl RouteSessionManager {
                    continue;
                };
                session.update_initiator_flag(true);
+                self.sync_now("update_initiator_flag");
            }

            // clear sessions that are neither dst_initiator or we_are_initiator.