personal_interest_mirrors/nebula
1
0
Fork 0
mirror of https://github.com/slackhq/nebula.git synced 2025-11-12 06:13:57 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into mutex-debug

Browse Source
This commit is contained in:
Wade Simmons 2023-05-09 10:29:37 -04:00
commit afde2080d6
6 changed files with 59 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
.github/workflows/test.yml vendored
View File

@ -52,6 +52,36 @@ jobs:
path: e2e/mermaid/ path: e2e/mermaid/
if-no-files-found: warn if-no-files-found: warn
test-linux-boringcrypto:
name: Build and test on linux with boringcrypto
runs-on: ubuntu-latest
steps:
- name: Set up Go 1.20
uses: actions/setup-go@v2
with:
go-version: "1.20"
id: go
- name: Check out code into the Go module directory
uses: actions/checkout@v2
- uses: actions/cache@v2
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go1.20-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go1.20-
- name: Build
run: make bin-boringcrypto
- name: Test
run: make test-boringcrypto
- name: End 2 end
run: make e2evv GOEXPERIMENT=boringcrypto CGO_ENABLED=1
test: test:
name: Build and test on ${{ matrix.os }} name: Build and test on ${{ matrix.os }}
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}

3
Makefile
View File

@ -145,6 +145,9 @@ vet:
test: test:
go test -v ./... go test -v ./...
test-boringcrypto:
GOEXPERIMENT=boringcrypto CGO_ENABLED=1 go test -v ./...
test-cov-html: test-cov-html:
go test -coverprofile=coverage.out go test -coverprofile=coverage.out
go tool cover -html=coverage.out go tool cover -html=coverage.out

4
cert/cert.go
View File

@ -522,15 +522,15 @@ func (nc *NebulaCertificate) Sign(curve Curve, key []byte) error {
signer := ed25519.PrivateKey(key) signer := ed25519.PrivateKey(key)
sig = ed25519.Sign(signer, b) sig = ed25519.Sign(signer, b)
case Curve_P256: case Curve_P256:
x, y := elliptic.Unmarshal(elliptic.P256(), nc.Details.PublicKey)
signer := &ecdsa.PrivateKey{ signer := &ecdsa.PrivateKey{
PublicKey: ecdsa.PublicKey{ PublicKey: ecdsa.PublicKey{
Curve: elliptic.P256(), Curve: elliptic.P256(),
X: x, Y: y,
}, },
// ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L95 // ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L95
D: new(big.Int).SetBytes(key), D: new(big.Int).SetBytes(key),
} }
// ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L119
signer.X, signer.Y = signer.Curve.ScalarBaseMult(key)
// We need to hash first for ECDSA // We need to hash first for ECDSA
// - https://pkg.go.dev/crypto/ecdsa#SignASN1 // - https://pkg.go.dev/crypto/ecdsa#SignASN1

17
connection_manager.go
View File

@ -17,11 +17,12 @@ import (
type trafficDecision int type trafficDecision int
const ( const (
doNothing trafficDecision = 0 doNothing trafficDecision = 0
deleteTunnel trafficDecision = 1 // delete the hostinfo on our side, do not notify the remote deleteTunnel trafficDecision = 1 // delete the hostinfo on our side, do not notify the remote
closeTunnel trafficDecision = 2 // delete the hostinfo and notify the remote closeTunnel trafficDecision = 2 // delete the hostinfo and notify the remote
swapPrimary trafficDecision = 3 swapPrimary trafficDecision = 3
migrateRelays trafficDecision = 4 migrateRelays trafficDecision = 4
tryRehandshake trafficDecision = 5
) )
type connectionManager struct { type connectionManager struct {
@ -193,6 +194,9 @@ func (n *connectionManager) doTrafficCheck(localIndex uint32, p, nb, out []byte,
case migrateRelays: case migrateRelays:
n.migrateRelayUsed(hostinfo, primary) n.migrateRelayUsed(hostinfo, primary)
case tryRehandshake:
n.tryRehandshake(hostinfo)
} }
n.resetRelayTrafficCheck(hostinfo) n.resetRelayTrafficCheck(hostinfo)
@ -321,7 +325,8 @@ func (n *connectionManager) makeTrafficDecision(localIndex uint32, p, nb, out []
delete(n.pendingDeletion, hostinfo.localIndexId) delete(n.pendingDeletion, hostinfo.localIndexId)
if mainHostInfo { if mainHostInfo {
n.tryRehandshake(hostinfo) decision = tryRehandshake
} else { } else {
if n.shouldSwapPrimary(hostinfo, primary) { if n.shouldSwapPrimary(hostinfo, primary) {
decision = swapPrimary decision = swapPrimary

7
noiseutil/boring_test.go
View File

@ -4,14 +4,21 @@
package noiseutil package noiseutil
import ( import (
"crypto/boring"
"encoding/hex" "encoding/hex"
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
) )
func TestEncryptLockNeeded(t *testing.T) {
assert.True(t, EncryptLockNeeded)
}
// Ensure NewGCMTLS validates the nonce is non-repeating // Ensure NewGCMTLS validates the nonce is non-repeating
func TestNewGCMTLS(t *testing.T) { func TestNewGCMTLS(t *testing.T) {
assert.True(t, boring.Enabled())
// Test Case 16 from GCM Spec: // Test Case 16 from GCM Spec:
// - (now dead link): http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf // - (now dead link): http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
// - as listed in boringssl tests: https://github.com/google/boringssl/blob/fips-20220613/crypto/cipher_extra/test/cipher_tests.txt#L412-L418 // - as listed in boringssl tests: https://github.com/google/boringssl/blob/fips-20220613/crypto/cipher_extra/test/cipher_tests.txt#L412-L418

13
noiseutil/notboring_test.go
View File

@ -4,12 +4,11 @@
package noiseutil package noiseutil
import ( import (
// NOTE: We have to force these imports here or boring_test.go fails to "testing"
// compile correctly. This seems to be a Go bug:
//
// $ GOEXPERIMENT=boringcrypto go test ./noiseutil
// # github.com/slackhq/nebula/noiseutil
// boring_test.go:10:2: cannot find package
_ "github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
) )
func TestEncryptLockNeeded(t *testing.T) {
assert.False(t, EncryptLockNeeded)
}