P2P: Feature-gate libp2p's mdns & remove wasm-timer
#303
Conversation
|
I can only hope that you are doing this in order to have a thin stronghold client in the browser, without any signing or other cryptographic powers. Otherwise, this is a clear violation of the underlying philosophy of never putting a stronghold in the browser. Can you please advise to your planned usage of this feature? |
There was a problem hiding this comment.
The test in behaviour.rs also needs to be changed, could you please include the below diff:
--- a/p2p/src/behaviour.rs
+++ b/p2p/src/behaviour.rs
@@ -971,9 +971,10 @@ mod test {
use super::*;
use crate::firewall::{PermissionValue, RequestPermissions, VariantPermission};
use futures::{channel::mpsc, StreamExt};
+ #[cfg(feature = "mdns")]
+ use libp2p::mdns::{Mdns, MdnsConfig};
use libp2p::{
core::{identity, upgrade, PeerId, Transport},
- mdns::{Mdns, MdnsConfig},
noise::{Keypair as NoiseKeypair, NoiseConfig, X25519Spec},
relay::{new_transport_and_behaviour, RelayConfig},
swarm::{Swarm, SwarmBuilder, SwarmEvent},
@@ -1174,12 +1175,14 @@ mod test {
.multiplex(YamuxConfig::default())
.boxed();
+ #[cfg(feature = "mdns")]
let mdns = Mdns::new(MdnsConfig::default())
.await
.expect("Failed to create mdns behaviour.");
let (dummy_tx, _) = mpsc::channel(10);
let behaviour = NetBehaviour::new(
NetBehaviourConfig::default(),
+ #[cfg(feature = "mdns")]
Some(mdns),
Some(relay_behaviour),
dummy_tx,Looks good to me otherwise.
This PR re-enables compilation of stronghold-p2p for Wasm. This is required for the identity actor we're building, which is supposed to be able to run in node.js applications, as an example. We have not fully decided on whether an actor will eventually also run in a browser, but since it would need to authenticate to another actor before being able to do any cryptographic operations in that scenario, that does not have the same security implications as running a full stronghold in a browser. A similar argument goes for a "remote stronghold" (i.e. a thin client that connects to a stronghold via stronghold-p2p) that we may want to run in a browser. We definitely do not plan to run full strongholds in browsers. |
I've added |
You can specify what features are active when running a test, so we also need conditional compilation within the test. Even if |
Understood. However if you make it feasible, someone will build it. Similar to gadget attacks, we also never shipped with functionality to read out a secret, you are potentially opening up venues for misuse and I think you would do well to make a MASSIVE disclaimer. Also, I am pretty sure this will trigger the requirement for an entire audit, since NEON bindings are not the same as WASM inclusion and the memory space of V8 + WASM means you have a plethora if new attack vectors such as electron and server-based applications to have reviewed. |
@nothingismagick maybe there is some misunderstanding here. This PR only targets the |
Got it, I feature-gated it. |
|
ok ok - sorry. you guys know my paranoia with anything surrounding WASM. sorry for the bruhaha :) |
Your input is very much appreciated. Please continue the discussion in case you think that using the p2p crate in WASM could already be an issue. |
|
If you look at the description at https://noiseexplorer.com/patterns/XX/ - there is one comment that is the same in every stage: "Assuming the corresponding private keys are secure, this authentication cannot be forged." If you are using WASM in the browser, how do you guarantee that the private keys are secure? |
|
Thanks for the input @nothingismagick, we will discuss this some more before going ahead with the PR. |
|
thanks @nothingismagick for your input! The more I think about it, the more I agree, that this might not be a good idea. There is the (still experimental) I would like to add some thoughts on how an extension might interact with Stronghold without compromising security, and give the flexibility of a browser extension:
Having said that, there might be still a window when secrets can be intercepted when issuing requests from the extension. We surely have to discuss this. |
|
Thanks again for the discussion here. This PR was intended to enable our identity actor to run on Wasm, but we have since replaced Of course, the discussion around Wasm safety is still very important, regardless of this change, and unfortunately an ongoing topic as no solution has emerged yet. The discussion will thus be continued on other channels. |
Description of change
This PR contains two Wasm-related changes in the
stronghold-p2pcrate.wasm-timerand addinstant. This is required for proper Wasm support becauselibp2pitself has moved away from wasm-timer.mdnsfeature, which is not supported on Wasm targets.Type of change
Choose a type of change, and delete any options that are not relevant.
How the change has been tested
No new functionality was added, so only existing tests were run.
Change checklist
Add an
xto the boxes that are relevant to your changes, and delete any items that are not.