Commit Graph

74 Commits

Author SHA1 Message Date
Steven Allen
469ed581a0
Merge pull request #48 from libp2p/fix/fallback-cmp
fix: use fallback comparison for ed25519 keys
2019-09-27 15:33:55 -07:00
Steven Allen
26b960839d
Merge pull request #61 from libp2p/dep/update
chore(dep): update deps
2019-09-25 11:24:15 -07:00
Steven Allen
ac53ea6aa0 chore(dep): update deps
* Update gogo protobuf to 1.3.0
* Update go-multiaddr to move protocol definitions _into_ go-multiaddr itself.
* update opencensus to 0.22.1
* update golang.org/x/crypto
* update sha256-simd to fix webasm build.
* update btcd (used by sekp keys)
2019-09-25 11:12:15 -07:00
Steven Allen
e0ae17a661
Merge pull request #60 from libp2p/fix/constant-time-compare
crypto: improve key comparison logic
2019-09-25 10:41:26 -07:00
Steven Allen
c3facda1a2 crypto: use basicEquals for ECDSA
The check was incomplete as it didn't test the curve. This switches us to use
basicEquals (which is also constant-time).

Note: This key type isn't used by anyone in-practice (to the best of my
knowledge).
2019-09-24 10:41:53 -07:00
Steven Allen
d68e65376d crypto: make the ECDSA receiver consistent 2019-09-24 10:41:53 -07:00
Steven Allen
947196bbb7 crypto: use constant time compare when decoding private keys
In practice, this is impossible to exploit without being able to corrupt the
private key which would allow a much simpler guess-and-check attack. However,
it's still a bad practice to compare private key material like this.
2019-09-24 10:40:54 -07:00
Steven Allen
3b4a4b474f mod: require go 1.12 2019-09-24 10:31:44 -07:00
Steven Allen
b74f60b9cc
Merge pull request #55 from libp2p/bug/rsa-key-test-failure
Ensure all tests pass without weak RSA key flag
2019-08-28 09:05:45 -07:00
Cole Brown
961a767ba5 Remove weak RSA flag from CI 2019-08-28 11:35:23 -04:00
Cole Brown
d50ea9bc1f Ensure all tests pass without weak RSA key flag 2019-08-28 11:34:22 -04:00
Steven Allen
f61804b905
Merge pull request #50 from ralexstokes/use-clearer-multihash-code
Compare multihash `Code` to `IDENTITY` when extracting public key
2019-08-14 14:58:53 -07:00
Alex Stokes
e6f5a2cbcc
Uses v0.0.7 of go-multihash that includes the correct symbol 2019-08-14 14:51:45 -07:00
Alex Stokes
686c1736fd
Compare multihash Code to IDENTITY when extracting public key
This PR is a non-substantive change with the goal of making this method
`ExtractPublicKey` from a `peer.ID` clearer to the reader. This goal is
accomplished by using the full name of the identity hash code `IDENTITY` instead
of the deprecated `ID` code. This change makes its clearer to the reader that
there is a trivial way to compute the public key given the digest. Without this
change it is easy to confuse `ID` with a concept relating to peer IDs (and thus
implying this function somehow computes a hash pre-image to get the
corrresponding public key.
2019-08-14 14:27:04 -07:00
bigs
d204016fc6
Merge pull request #45 from libp2p/feat/event-bus-signature
Return error in Emit
2019-08-06 16:32:28 -04:00
Cole Brown
baf7d1a4e3 Return error in Emit 2019-08-06 12:55:08 -04:00
bigs
9698a72f45
Merge pull request #31 from libp2p/bug/remove-blowfish-support
Remove support for blowfish
2019-08-06 12:29:59 -04:00
Cole Brown
47983a3ab5 Add test for panic on unknown cipher type 2019-08-06 12:15:40 -04:00
Cole Brown
58281f5c6d Add note about panic to KeyStretcher comments 2019-08-06 11:18:41 -04:00
Steven Allen
1461eb16af fix: use fallback comparison for ed25519 keys 2019-08-01 17:45:55 -07:00
Steven Allen
33faefebfc
Merge pull request #46 from libp2p/feat/cherry-pick-stabalize
cherry-pick key optimizations from stabilize
2019-08-01 17:30:46 -07:00
Steven Allen
b47dbc0e29 dep: update go-openssl
Add freebsd/openbsd openssl support.
2019-08-01 16:42:13 -07:00
Steven Allen
1e3fcd96e1 dep: add back missing go.sum lines 2019-08-01 16:37:58 -07:00
Steven Allen
543dbe6c29 nit: simplify equality check 2019-08-01 16:37:58 -07:00
Steven Allen
963cc997b2 remove non-constant-time private key comparison 2019-08-01 16:37:58 -07:00
Steven Allen
9a4415d1a6 use a fallback basicEquals function everywhere
This also ensures we check that the types are equal, even if we're comparing
directly with `k1.Equals(k2)` instead of `KeyEquals(k1, k2)`.
2019-08-01 16:37:58 -07:00
dignifiedquire
2df9672ee4 use equal method from openssl
uses https://github.com/spacemonkeygo/openssl/pull/126
2019-08-01 16:37:58 -07:00
dignifiedquire
bab5f6dd95 fixup: openssl 2019-08-01 16:37:30 -07:00
dignifiedquire
da42c385fc fix: do not allocate when comparing keys 2019-08-01 16:37:30 -07:00
Steven Allen
3390f7d16d
Merge pull request #47 from libp2p/fix/go-mod-tidy
chore: tidy
2019-08-01 16:37:17 -07:00
Steven Allen
35e24d3b6b chore: tidy 2019-08-01 16:36:54 -07:00
bigs
a7cc4bffb1
Merge pull request #34 from libp2p/bug/weak-rsa-keys
Raise minimum bits required for RSA key to 2048
2019-08-01 15:28:04 -08:00
Cole Brown
f1175dbc91 Rename constant for weak RSA key environment variable 2019-08-01 19:05:47 -04:00
Cole Brown
d95ff26e5e UNSAFE -> WEAK in RSA key environment variable 2019-08-01 13:57:48 -04:00
Yusef Napora
62b2c6c482
bring back plaintext 2.0.0 with new constructor (#42)
* bring back plaintext 2.0.0 with new constructor

* fix deprecation comment

* rm unused context argument

* only check remote id validity if we actually have keys

* bring back msgio & simultaneous read/write
2019-07-30 16:46:24 -04:00
Steven Allen
be90519893
Merge pull request #44 from libp2p/fix/43
avoid duplicate randomly generated keys/peer-ids
2019-07-25 10:10:45 -07:00
Jakub Sztandera
f9ca60b486 Add compat check (#40)
License: MIT
Signed-off-by: Jakub Sztandera <kubuxu@protonmail.ch>
2019-07-25 15:51:06 +01:00
Steven Allen
a182f52659 avoid duplicate randomly generated keys/peer-ids
This implements #4 from #43.

fixes #43
2019-07-22 15:12:08 -07:00
Cole Brown
0ae8685baf Add defualt case with meaningful panic 2019-07-17 17:34:22 -04:00
Raúl Kripalani
8890e1b22b
Revert "update insecure transport to plaintext/2.0.0 (#37)" (#38)
This reverts commit b5729d89f3.
2019-07-15 00:10:22 +01:00
bigs
1d45af25d9
Merge pull request #33 from libp2p/bug/curve-name
Return error rather than panic in GenerateEKeyPair
2019-07-12 17:32:13 -04:00
Cole Brown
c7c0a1cdf0 Add test for unknown elliptic curves 2019-07-12 17:09:27 -04:00
bigs
c3f7bb216e
Merge pull request #32 from libp2p/bug/key-equality
Replace bytes.Equal -> subtle.ConstantTimeCompare
2019-07-12 16:45:22 -04:00
Cole Brown
652a852edd Use short-circuiting comparisons for public keys 2019-07-12 16:34:29 -04:00
Cole Brown
c817d49d02 Add env flag for allowing unsafe rsa keys in tests 2019-07-12 16:04:56 -04:00
Yusef Napora
b5729d89f3
update insecure transport to plaintext/2.0.0 (#37)
* add plaintext/2.0.0 (with ugly protoc hack)

* gofmt

* gofmt (for real this time)

* add `go_package` option to proto files

* Revert "add `go_package` option to proto files"

5a543a79bd

* less hacky protobuf imports

* add doc comment for PublicKeyFromProto

* clean up handshake

* go fmt, lol

* use network.MessageSizeMax for ggio reader
2019-07-12 13:24:30 -04:00
Cole Brown
f10115e58f Raise minimum bits required for RSA key to 2048 2019-07-10 17:54:14 -04:00
Cole Brown
bc01c84a59 Remove support for blowfish 2019-07-10 17:30:45 -04:00
Cole Brown
23da4bd6da Return error rather than panic in GenerateEKeyPair 2019-07-10 15:42:51 -04:00
Cole Brown
2726b6493c Replace bytes.Equal -> subtle.ConstantTimeCompare 2019-07-10 15:30:22 -04:00