* feat: harden encoding/decoding functions against panics
Part of https://github.com/libp2p/go-libp2p/issues/1389
These kinds of functions:
1. Handle user input.
2. Often have out-of-bounds, null pointer, etc bugs.
3. Have completely isolated logic where local panics are unlikely to
cause memory corruption elsewhere.
* test: add a panic catcher test
* bump go.mod to Go 1.16 and run go fix
* run go mod tidy
* run gofmt -s
* update .github/workflows/automerge.yml
* update .github/workflows/go-test.yml
* update .github/workflows/go-check.yml
Co-authored-by: web3-bot <web3-bot@users.noreply.github.com>
* run go mod tidy
* omit receiver name if unused
* remove unused type testkey in tests
* fix duplicate import of go-multiaddr
* fix use of deprecated peer.IDB58{Encode,Decode}
* use bytes.Equal instead of bytes.Compare
* fix unnecessary assigments to blank identifier
* use time.Until instead of t.Sub(time.Now())
* fix use of deprecated go-multihash.ID
* add missing error check in envelope test
* fix error check in tests
* add SignedEnvelope type
* use struct for SignedEnvelope instead of exposing protobuf directly
* doc comments for envelopes
* tests for SignedEnvelopes
* add helpers to make routing records for Host
* fix doc comment
* go fmt
* add method to peerstore to retrieve signed routing records
* update to match spec changes
* just use nanoseconds
* use proto3 & rename fields to match spec changes
* use proto3 for routing records
* make envelope fields private & validate on unmarshal
* use buffer pool for envelope signatures
* tests for RoutingState
* go fmt
* rename Equals -> Equal, add some comments
* use test helpers
* get rid of unsigned RoutingState struct, only expose SignedRoutingState
* rm batching SignedRoutingStates accessor in peerstore
the datastore peerstore implementation doesn't support batched reads, so
it's no more efficient to get a bunch of states at once than it
is to call SignedRoutingState multiple times.
* whitespace
* expose struct fields & remove accessors
* use camelCase in protos for consistency
* use multiformats uvarint for length-prefixes
* remove payloadType check when unmarhaling
* rm stray ref to golang/protobuf
* define CertifiedAddrBook to avoid breaking API change
* add events for updated addresses and routing state
* remove SignedRoutingStateFromHost helper
moving this to go-libp2p
* add routing state records, extend peerstore API
* fix: rebuild protos with new gogofaster generator
* filter private addrs from signed routing records
* envelope: use byte slices from pool; adjust interface.
* move envelope to record package.
* move protobuf files; adjust imports everywhere.
* rename RoutingStateRecord -> PeerRecord
also removes embedded reference to Envelope from the record,
as that was confusing.
as a result, the CertifiedAddrBook now accepts/returns
record.SignedEnvelope instead of a specialized type.
* hoist Seq from PeerRecord to SignedEnvelope
* test that PeerRecords can't be signed by wrong key
* commit go.sum
* add Seq field to envelope signature
* fix proto_path in Makefile
* fix import ordering
* comments for PeerRecord proto message
also removes the seq field from PeerMessage proto,
since it was moved to the SignedEnvelope
* use Record type for envelope payloads
* rename SignedEnvelope -> Envelope, unmarshal payload in ConsumeEnvelope
* return buffer to pool before early return
* doc comments
* rename CertifiedAddrBook methods, update comments
* cache unmarshalled Record payload inside Envelope
* doc comments
* store reflect.Type when registering Record
* Revert "return buffer to pool before early return"
8d8da386f2
misread this - unsigned will be nil if there's an
error, so it was right the way it was
* use a DefaultRecord for unregistered PayloadTypes
instead of returning an error if we don't have a registered
Record for a given PayloadType, we can have a catch-all
DefaultRecord type that just preserves the original payload
as a []byte
* cleanup DefaultRecord code a bit
- removes unused error return from blankRecordForPayloadType
- just references instead of copying in DefaultRecord.UnmarshalRecord
I figure this is likely safe, since we'll be unmarshalling from the
payload of an Envelope, which shouldn't get altered after it's
created.
* use explicit payloadType in MakeEnvelopeWithRecord
* Revert DefaultRecord commits
ae3bc7bdfba26c845a76
* doc comments
* move Seq field back to PeerRecord
* make diffs optional in EvtLocalAddressesUpdated
* more envelope tests
* replace MakeEnvelope with record.Seal
also:
- add Domain and Codec fields to Record interface
* fix import
* add interface check
* rename ProcessPeerRecord -> ConsumePeerRecord
also, adds bool `accepted` return value
* rename event field, add doc comment
* peer record protobuf: fix field casing.
* record protobuf: add docs and fix casing.
* cleanup: group imports.
* nit: split test/utils.go => test/{addrs,errors}.go.
Co-authored-by: Raúl Kripalani <raul.kripalani@gmail.com>
The check was incomplete as it didn't test the curve. This switches us to use
basicEquals (which is also constant-time).
Note: This key type isn't used by anyone in-practice (to the best of my
knowledge).
In practice, this is impossible to exploit without being able to corrupt the
private key which would allow a much simpler guess-and-check attack. However,
it's still a bad practice to compare private key material like this.
The docs seem to lie about what these methods do.
This is the naive solution since it's my first day looking
at go but would it be possible to get these methods
to marshal to public or private key correctly by passing
a type to them?
* bring back plaintext 2.0.0 with new constructor
* fix deprecation comment
* rm unused context argument
* only check remote id validity if we actually have keys
* bring back msgio & simultaneous read/write
