Allow adding prologue to noise connections

p2p/security/noise/crypto_test.go

@@ -93,7 +93,7 @@ func TestCryptoFailsIfHandshakeIncomplete(t *testing.T) {
 	init, resp := net.Pipe()
 	_ = resp.Close()
 
-	session, _ := newSecureSession(initTransport, context.TODO(), init, "remote-peer", true)
+	session, _ := newSecureSession(initTransport, context.TODO(), init, "remote-peer", nil, true)
 	_, err := session.encrypt(nil, []byte("hi"))
 	if err == nil {
 		t.Error("expected encryption error when handshake incomplete")

p2p/security/noise/handshake.go

@@ -57,6 +57,7 @@ func (s *secureSession) runHandshake(ctx context.Context) (err error) {
 		Pattern:       noise.HandshakeXX,
 		Initiator:     s.initiator,
 		StaticKeypair: kp,
+		Prologue:      s.prologue,
 	}
 
 	hs, err := noise.NewHandshakeState(cfg)

p2p/security/noise/intermediate_transport.go

@@ -0,0 +1,50 @@
+package noise
+
+import (
+	"context"
+	"net"
+
+	"github.com/libp2p/go-libp2p-core/canonicallog"
+	"github.com/libp2p/go-libp2p-core/peer"
+	"github.com/libp2p/go-libp2p-core/sec"
+	manet "github.com/multiformats/go-multiaddr/net"
+)
+
+type NoiseOptions struct {
+	Prologue []byte
+}
+
+var _ sec.SecureTransport = &intermediateTransport{}
+
+// intermediate transport can be used
+// to provide per-connection options
+type intermediateTransport struct {
+	t *Transport
+	// options
+	prologue []byte
+}
+
+// SecureInbound runs the Noise handshake as the responder.
+// If p is empty, connections from any peer are accepted.
+func (i *intermediateTransport) SecureInbound(ctx context.Context, insecure net.Conn, p peer.ID) (sec.SecureConn, error) {
+	c, err := newSecureSession(i.t, ctx, insecure, p, i.prologue, false)
+	if err != nil {
+		addr, maErr := manet.FromNetAddr(insecure.RemoteAddr())
+		if maErr == nil {
+			canonicallog.LogPeerStatus(100, p, addr, "handshake_failure", "noise", "err", err.Error())
+		}
+	}
+	return c, err
+}
+
+// SecureOutbound runs the Noise handshake as the initiator.
+func (i *intermediateTransport) SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (sec.SecureConn, error) {
+	return newSecureSession(i.t, ctx, insecure, p, i.prologue, true)
+}
+
+func (t *Transport) WithNoiseOptions(opts NoiseOptions) sec.SecureTransport {
+	return &intermediateTransport{
+		t:        t,
+		prologue: opts.Prologue,
+	}
+}

p2p/security/noise/session.go

@@ -34,18 +34,22 @@ type secureSession struct {
 
 	enc *noise.CipherState
 	dec *noise.CipherState
+
+	// noise prologue
+	prologue []byte
 }
 
 // newSecureSession creates a Noise session over the given insecureConn Conn, using
 // the libp2p identity keypair from the given Transport.
-func newSecureSession(tpt *Transport, ctx context.Context, insecure net.Conn, remote peer.ID, initiator bool) (*secureSession, error) {
+func newSecureSession(tpt *Transport, ctx context.Context, insecure net.Conn, remote peer.ID, prologue []byte, initiator bool) (*secureSession, error) {
 	s := &secureSession{
 		insecureConn:   insecure,
 		insecureReader: bufio.NewReader(insecure),
 		initiator:      initiator,
 		localID:        tpt.localID,
 		localKey:       tpt.privateKey,
 		remoteID:       remote,
+		prologue:       prologue,
 	}
 
 	// the go-routine we create to run the handshake will

p2p/security/noise/transport.go

@@ -40,7 +40,7 @@ func New(privkey crypto.PrivKey) (*Transport, error) {
 // SecureInbound runs the Noise handshake as the responder.
 // If p is empty, connections from any peer are accepted.
 func (t *Transport) SecureInbound(ctx context.Context, insecure net.Conn, p peer.ID) (sec.SecureConn, error) {
-	c, err := newSecureSession(t, ctx, insecure, p, false)
+	c, err := newSecureSession(t, ctx, insecure, p, nil, false)
 	if err != nil {
 		addr, maErr := manet.FromNetAddr(insecure.RemoteAddr())
 		if maErr == nil {
@@ -52,5 +52,5 @@ func (t *Transport) SecureInbound(ctx context.Context, insecure net.Conn, p peer
 
 // SecureOutbound runs the Noise handshake as the initiator.
 func (t *Transport) SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (sec.SecureConn, error) {
-	return newSecureSession(t, ctx, insecure, p, true)
+	return newSecureSession(t, ctx, insecure, p, nil, true)
 }

p2p/security/noise/transport_test.go

@@ -372,3 +372,52 @@ func TestReadUnencryptedFails(t *testing.T) {
 	require.Error(t, err)
 	require.Equal(t, 0, afterLen)
 }
+
+func TestPrologueMatches(t *testing.T) {
+	commonPrologue := []byte("test")
+	initTransport := newTestTransport(t, crypto.Ed25519, 2048)
+	respTransport := newTestTransport(t, crypto.Ed25519, 2048)
+
+	initConn, respConn := newConnPair(t)
+
+	done := make(chan struct{})
+
+	go func() {
+		defer close(done)
+		conn, err := initTransport.
+			WithNoiseOptions(NoiseOptions{Prologue: commonPrologue}).
+			SecureOutbound(context.TODO(), initConn, respTransport.localID)
+		require.NoError(t, err)
+		defer conn.Close()
+	}()
+
+	conn, err := respTransport.
+		WithNoiseOptions(NoiseOptions{Prologue: commonPrologue}).
+		SecureInbound(context.TODO(), respConn, "")
+	require.NoError(t, err)
+	defer conn.Close()
+	<-done
+}
+
+func TestPrologueDoesNotMatchFailsHandshake(t *testing.T) {
+	initTransport := newTestTransport(t, crypto.Ed25519, 2048)
+	respTransport := newTestTransport(t, crypto.Ed25519, 2048)
+
+	initConn, respConn := newConnPair(t)
+
+	done := make(chan struct{})
+
+	go func() {
+		defer close(done)
+		_, err := initTransport.
+			WithNoiseOptions(NoiseOptions{Prologue: []byte("testtesttest")}).
+			SecureOutbound(context.TODO(), initConn, respTransport.localID)
+		require.Error(t, err)
+	}()
+
+	_, err := respTransport.
+		WithNoiseOptions(NoiseOptions{Prologue: []byte("testtesttesttest")}).
+		SecureInbound(context.TODO(), respConn, "")
+	require.Error(t, err)
+	<-done
+}