Magiselect

core/sec/security.go

@@ -9,6 +9,9 @@ import (
 	"github.com/libp2p/go-libp2p/core/network"
 	"github.com/libp2p/go-libp2p/core/peer"
 	"github.com/libp2p/go-libp2p/core/protocol"
+	"github.com/libp2p/go-libp2p/p2p/transport/magiselect"
+	"github.com/multiformats/go-multiaddr"
+	mafmt "github.com/multiformats/go-multiaddr-fmt"
 )
 
 // SecureConn is an authenticated, encrypted connection.
@@ -31,6 +34,18 @@ type SecureTransport interface {
 	ID() protocol.ID
 }
 
+// StraightableSecureTransport can be implemented by security transports which support being ran straight on the stream.
+// This allows them to skip the multistream security handshake.
+type StraightableSecureTransport interface {
+	SecureTransport
+
+	// Suffix indicate the trailing component which allows to skip the multistream select exchange.
+	Suffix() multiaddr.Multiaddr
+	SuffixProtocol() int
+	SuffixMatcher() mafmt.Pattern
+	magiselect.Matcher
+}
+
 type ErrPeerIDMismatch struct {
 	Expected peer.ID
 	Actual   peer.ID

core/transport/transport.go

@@ -12,6 +12,7 @@ import (
 	"github.com/libp2p/go-libp2p/core/peer"
 
 	ma "github.com/multiformats/go-multiaddr"
+	mafmt "github.com/multiformats/go-multiaddr-fmt"
 	manet "github.com/multiformats/go-multiaddr/net"
 )
 
@@ -96,6 +97,14 @@ type Listener interface {
 	Multiaddr() ma.Multiaddr
 }
 
+// ListenerFromUpgrader is a workaround to let the swarm append suffixes, it is optionally implemented by Listeners.
+// FIXME: I want 8962b2ae336d94627f2f4361f96799ee3a5bd9e4 but it was reverted in 1c8eaabfd385346a7c41b988e2dbc2e20ddfa460 and I'm not in the mood to figure out this kind of mess.
+type ListenerFromUpgrader interface {
+	Listener
+
+	Upgrader() Upgrader
+}
+
 // ErrListenerClosed is returned by Listener.Accept when the listener is gracefully closed.
 var ErrListenerClosed = errors.New("listener closed")
 
@@ -121,9 +130,18 @@ type TransportNetwork interface {
 // to a full transport connection (secure and multiplexed).
 type Upgrader interface {
 	// UpgradeListener upgrades the passed multiaddr-net listener into a full libp2p-transport listener.
-	UpgradeListener(Transport, manet.Listener) Listener
-	// Upgrade upgrades the multiaddr/net connection into a full libp2p-transport connection.
-	Upgrade(ctx context.Context, t Transport, maconn manet.Conn, dir network.Direction, p peer.ID, scope network.ConnManagementScope) (CapableConn, error)
+	UpgradeListener(Transport, manet.Listener) ListenerFromUpgrader
+
+	// UpgradeOutbound/Inbound upgrades the multiaddr/net connection into a full libp2p-transport connection.
+	// suffix can be nil if no suffix is present.
+	UpgradeOutbound(ctx context.Context, t Transport, maconn manet.Conn, suffix ma.Multiaddr, p peer.ID, scope network.ConnManagementScope) (CapableConn, error)
+	UpgradeInbound(ctx context.Context, t Transport, maconn manet.Conn, p peer.ID, scope network.ConnManagementScope) (CapableConn, error)
+
+	// Suffixes let the Upgrader indicate optional maddr suffixes which can be used to skip parts of the negociation.
+	// A nil maddr indicate that no suffix must be applied (multistream-select will be used).
+	Suffixes() []ma.Multiaddr
+	SuffixesProtocols() []int
+	SuffixMatcher() mafmt.Pattern
 }
 
 // DialUpdater provides updates on in progress dials.

go.mod

@@ -36,7 +36,7 @@ require (
 	github.com/multiformats/go-base32 v0.1.0
 	github.com/multiformats/go-multiaddr v0.12.2
 	github.com/multiformats/go-multiaddr-dns v0.3.1
-	github.com/multiformats/go-multiaddr-fmt v0.1.0
+	github.com/multiformats/go-multiaddr-fmt v0.1.1-0.20240317044316-238036a861f0
 	github.com/multiformats/go-multibase v0.2.0
 	github.com/multiformats/go-multicodec v0.9.0
 	github.com/multiformats/go-multihash v0.2.3

go.sum

@@ -245,14 +245,13 @@ github.com/multiformats/go-base32 v0.1.0 h1:pVx9xoSPqEIQG8o+UbAe7DNi51oej1NtK+aG
 github.com/multiformats/go-base32 v0.1.0/go.mod h1:Kj3tFY6zNr+ABYMqeUNeGvkIC/UYgtWibDcT0rExnbI=
 github.com/multiformats/go-base36 v0.2.0 h1:lFsAbNOGeKtuKozrtBsAkSVhv1p9D0/qedU9rQyccr0=
 github.com/multiformats/go-base36 v0.2.0/go.mod h1:qvnKE++v+2MWCfePClUEjE78Z7P2a1UV0xHgWc0hkp4=
-github.com/multiformats/go-multiaddr v0.1.1/go.mod h1:aMKBKNEYmzmDmxfX88/vz+J5IU55txyt0p4aiWVohjo=
 github.com/multiformats/go-multiaddr v0.2.0/go.mod h1:0nO36NvPpyV4QzvTLi/lafl2y95ncPj0vFwVF6k6wJ4=
 github.com/multiformats/go-multiaddr v0.12.2 h1:9G9sTY/wCYajKa9lyfWPmpZAwe6oV+Wb1zcmMS1HG24=
 github.com/multiformats/go-multiaddr v0.12.2/go.mod h1:GKyaTYjZRdcUhyOetrxTk9z0cW+jA/YrnqTOvKgi44M=
 github.com/multiformats/go-multiaddr-dns v0.3.1 h1:QgQgR+LQVt3NPTjbrLLpsaT2ufAA2y0Mkk+QRVJbW3A=
 github.com/multiformats/go-multiaddr-dns v0.3.1/go.mod h1:G/245BRQ6FJGmryJCrOuTdB37AMA5AMOVuO6NY3JwTk=
-github.com/multiformats/go-multiaddr-fmt v0.1.0 h1:WLEFClPycPkp4fnIzoFoV9FVd49/eQsuaL3/CWe167E=
-github.com/multiformats/go-multiaddr-fmt v0.1.0/go.mod h1:hGtDIW4PU4BqJ50gW2quDuPVjyWNZxToGUh/HwTZYJo=
+github.com/multiformats/go-multiaddr-fmt v0.1.1-0.20240317044316-238036a861f0 h1:KCd9ZVLosRwAYaZfRk/BeT9dBkTBIJpG/GwMI0sE3hk=
+github.com/multiformats/go-multiaddr-fmt v0.1.1-0.20240317044316-238036a861f0/go.mod h1:fU4KrUT9EeccvWYMheDXrJlEgjr38O1V7sEyshNz3BI=
 github.com/multiformats/go-multibase v0.2.0 h1:isdYCVLvksgWlMW9OZRYJEa9pZETFivncJHmHnnd87g=
 github.com/multiformats/go-multibase v0.2.0/go.mod h1:bFBZX4lKCA/2lyOFSAoKH5SS6oPyjtnzK/XTFDPkNuk=
 github.com/multiformats/go-multicodec v0.9.0 h1:pb/dlPnzee/Sxv/j4PmkDRxCOi3hXTz3IbPKOXWJkmg=

p2p/net/swarm/swarm_addr.go

@@ -3,6 +3,7 @@ package swarm
 import (
 	"time"
 
+	"github.com/libp2p/go-libp2p/core/transport"
 	manet "github.com/multiformats/go-multiaddr/net"
 
 	ma "github.com/multiformats/go-multiaddr"
@@ -18,7 +19,22 @@ func (s *Swarm) ListenAddresses() []ma.Multiaddr {
 func (s *Swarm) listenAddressesNoLock() []ma.Multiaddr {
 	addrs := make([]ma.Multiaddr, 0, len(s.listeners.m)+10) // A bit extra so we may avoid an extra allocation in the for loop below.
 	for l := range s.listeners.m {
-		addrs = append(addrs, l.Multiaddr())
+		addr := l.Multiaddr()
+
+		// FIXME: this is a hack because we don't return multimple addresses from .Multiaddr, see the docs of transport.ListenerFromUpgrader.
+		if lu, ok := l.(transport.ListenerFromUpgrader); ok {
+			u := lu.Upgrader()
+			for _, suffix := range u.Suffixes() {
+				if suffix == nil {
+					// implicit multistream-select
+					addrs = append(addrs, addr)
+				} else {
+					addrs = append(addrs, addr.Encapsulate(suffix))
+				}
+			}
+		} else {
+			addrs = append(addrs, addr)
+		}
 	}
 	return addrs
 }

p2p/net/upgrader/listener.go

@@ -119,7 +119,7 @@ func (l *listener) handleIncoming() {
 			ctx, cancel := context.WithTimeout(l.ctx, l.upgrader.acceptTimeout)
 			defer cancel()
 
-			conn, err := l.upgrader.Upgrade(ctx, l.transport, maconn, network.DirInbound, "", connScope)
+			conn, err := l.upgrader.UpgradeInbound(ctx, l.transport, maconn, "", connScope)
 			if err != nil {
 				// Don't bother bubbling this up. We just failed
 				// to completely negotiate the connection.
@@ -179,4 +179,9 @@ func (l *listener) String() string {
 	return fmt.Sprintf("<stream.Listener %s>", l.Multiaddr())
 }
 
+func (l *listener) Upgrader() transport.Upgrader {
+	return l.upgrader
+}
+
 var _ transport.Listener = (*listener)(nil)
+var _ transport.ListenerFromUpgrader = (*listener)(nil)

p2p/net/upgrader/upgrader.go

@@ -15,7 +15,10 @@ import (
 	"github.com/libp2p/go-libp2p/core/sec"
 	"github.com/libp2p/go-libp2p/core/transport"
 	"github.com/libp2p/go-libp2p/p2p/net/pnet"
+	"github.com/libp2p/go-libp2p/p2p/transport/magiselect"
 
+	ma "github.com/multiformats/go-multiaddr"
+	mafmt "github.com/multiformats/go-multiaddr-fmt"
 	manet "github.com/multiformats/go-multiaddr/net"
 	mss "github.com/multiformats/go-multistream"
 )
@@ -61,6 +64,9 @@ type upgrader struct {
 	securityMuxer *mss.MultistreamMuxer[protocol.ID]
 	securityIDs   []protocol.ID
 
+	straightSecurity []sec.StraightableSecureTransport
+	straightMatcher  mafmt.Pattern
+
 	// AcceptTimeout is the maximum duration an Accept is allowed to take.
 	// This includes the time between accepting the raw network connection,
 	// protocol selection as well as the handshake, if applicable.
@@ -96,15 +102,25 @@ func New(security []sec.SecureTransport, muxers []StreamMuxer, psk ipnet.PSK, rc
 		u.muxerIDs = append(u.muxerIDs, m.ID)
 	}
 	u.securityIDs = make([]protocol.ID, 0, len(security))
+	u.straightSecurity = make([]sec.StraightableSecureTransport, 0, len(security))
+	suffixes := []mafmt.Pattern{mafmt.Nothing}
 	for _, s := range security {
 		u.securityMuxer.AddHandler(s.ID(), nil)
 		u.securityIDs = append(u.securityIDs, s.ID())
+		if straight, ok := s.(sec.StraightableSecureTransport); ok {
+			u.straightSecurity = append(u.straightSecurity, straight)
+			if straight.Suffix() == nil {
+				return nil, fmt.Errorf("StraightSecureTransport %q returned an empty suffix", straight.ID())
+			}
+			suffixes = append(suffixes, straight.SuffixMatcher())
+		}
 	}
+	u.straightMatcher = mafmt.Or(suffixes...)
 	return u, nil
 }
 
 // UpgradeListener upgrades the passed multiaddr-net listener into a full libp2p-transport listener.
-func (u *upgrader) UpgradeListener(t transport.Transport, list manet.Listener) transport.Listener {
+func (u *upgrader) UpgradeListener(t transport.Transport, list manet.Listener) transport.ListenerFromUpgrader {
 	ctx, cancel := context.WithCancel(context.Background())
 	l := &listener{
 		Listener:  list,
@@ -120,17 +136,20 @@ func (u *upgrader) UpgradeListener(t transport.Transport, list manet.Listener) t
 	return l
 }
 
-// Upgrade upgrades the multiaddr/net connection into a full libp2p-transport connection.
-func (u *upgrader) Upgrade(ctx context.Context, t transport.Transport, maconn manet.Conn, dir network.Direction, p peer.ID, connScope network.ConnManagementScope) (transport.CapableConn, error) {
-	c, err := u.upgrade(ctx, t, maconn, dir, p, connScope)
-	if err != nil {
-		connScope.Done()
-		return nil, err
-	}
-	return c, nil
+func (u *upgrader) UpgradeOutbound(ctx context.Context, t transport.Transport, maconn manet.Conn, suffix ma.Multiaddr, p peer.ID, scope network.ConnManagementScope) (transport.CapableConn, error) {
+	return u.upgrade(ctx, t, maconn, network.DirOutbound, suffix, p, scope)
+}
+func (u *upgrader) UpgradeInbound(ctx context.Context, t transport.Transport, maconn manet.Conn, p peer.ID, scope network.ConnManagementScope) (transport.CapableConn, error) {
+	return u.upgrade(ctx, t, maconn, network.DirInbound, nil, p, scope)
 }
 
-func (u *upgrader) upgrade(ctx context.Context, t transport.Transport, maconn manet.Conn, dir network.Direction, p peer.ID, connScope network.ConnManagementScope) (transport.CapableConn, error) {
+// suffix is only used for Outbound connections
+func (u *upgrader) upgrade(ctx context.Context, t transport.Transport, maconn manet.Conn, dir network.Direction, suffix ma.Multiaddr, p peer.ID, connScope network.ConnManagementScope) (_ transport.CapableConn, err error) {
+	defer func() {
+		if err != nil {
+			connScope.Done()
+		}
+	}()
 	if dir == network.DirOutbound && p == "" {
 		return nil, ErrNilPeer
 	}
@@ -153,7 +172,7 @@ func (u *upgrader) upgrade(ctx context.Context, t transport.Transport, maconn ma
 	}
 
 	isServer := dir == network.DirInbound
-	sconn, security, err := u.setupSecurity(ctx, conn, p, isServer)
+	sconn, security, err := u.setupSecurity(ctx, conn, suffix, p, isServer)
 	if err != nil {
 		conn.Close()
 		return nil, fmt.Errorf("failed to negotiate security protocol: %w", err)
@@ -200,8 +219,8 @@ func (u *upgrader) upgrade(ctx context.Context, t transport.Transport, maconn ma
 	return tc, nil
 }
 
-func (u *upgrader) setupSecurity(ctx context.Context, conn net.Conn, p peer.ID, isServer bool) (sec.SecureConn, protocol.ID, error) {
-	st, err := u.negotiateSecurity(ctx, conn, isServer)
+func (u *upgrader) setupSecurity(ctx context.Context, conn net.Conn, suffix ma.Multiaddr, p peer.ID, isServer bool) (_ sec.SecureConn, _ protocol.ID, err error) {
+	st, conn, err := u.negotiateSecurity(ctx, conn, suffix, isServer)
 	if err != nil {
 		return nil, "", err
 	}
@@ -306,38 +325,92 @@ func (u *upgrader) getSecurityByID(id protocol.ID) sec.SecureTransport {
 	return nil
 }
 
-func (u *upgrader) negotiateSecurity(ctx context.Context, insecure net.Conn, server bool) (sec.SecureTransport, error) {
+var ErrNoMagiselectMatch = errors.New("no magiselect match")
+
+func (u *upgrader) negotiateSecurity(ctx context.Context, insecure net.Conn, suffix ma.Multiaddr, server bool) (sec.SecureTransport, net.Conn, error) {
+	if suffix != nil {
+		for _, straight := range u.straightSecurity {
+			if straight.SuffixMatcher().Matches(suffix) {
+				return straight, insecure, nil
+			}
+		}
+		return nil, nil, fmt.Errorf("suffix was provided but does not match anything %q %q", insecure, suffix) // buggy transport
+	}
+
 	type result struct {
 		proto protocol.ID
+		st    sec.SecureTransport
 		err   error
 	}
 
 	done := make(chan result, 1)
 	go func() {
-		if server {
-			var r result
-			r.proto, _, r.err = u.securityMuxer.Negotiate(insecure)
-			done <- r
-			return
-		}
 		var r result
-		r.proto, r.err = mss.SelectOneOf(u.securityIDs, insecure)
+		r.proto, r.st, r.err = func() (protocol.ID, sec.SecureTransport, error) {
+			if server {
+				var s magiselect.Sample
+				var err error
+				s, insecure, err = magiselect.ReadSampleFromConn(insecure)
+				if err != nil {
+					return "", nil, err
+				}
+
+				if magiselect.IsMultistreamSelect(s) {
+					proto, _, err := u.securityMuxer.Negotiate(insecure)
+					return proto, nil, err
+				}
+
+				for _, ss := range u.straightSecurity {
+					if ss.Match(s) {
+						return "", ss, nil
+					}
+				}
+
+				return "", nil, ErrNoMagiselectMatch
+			}
+
+			proto, err := mss.SelectOneOf(u.securityIDs, insecure)
+			return proto, nil, err
+		}()
 		done <- r
 	}()
 
 	select {
 	case r := <-done:
 		if r.err != nil {
-			return nil, r.err
+			return nil, nil, r.err
+		}
+		if r.st != nil {
+			return r.st, insecure, nil
 		}
 		if s := u.getSecurityByID(r.proto); s != nil {
-			return s, nil
+			return s, insecure, nil
 		}
-		return nil, fmt.Errorf("selected unknown security transport: %s", r.proto)
+		return nil, nil, fmt.Errorf("selected unknown security transport: %s", r.proto)
 	case <-ctx.Done():
 		// We *must* do this. We have outstanding work on the connection, and it's no longer safe to use.
 		insecure.Close()
 		<-done // wait to stop using the connection.
-		return nil, ctx.Err()
+		return nil, nil, ctx.Err()
+	}
+}
+
+func (u *upgrader) Suffixes() []ma.Multiaddr {
+	r := make([]ma.Multiaddr, len(u.straightSecurity)+1) // +1 for nil indicating multistream-select
+	for i, s := range u.straightSecurity {
+		r[i] = s.Suffix()
 	}
+	return r
+}
+
+func (u *upgrader) SuffixesProtocols() []int {
+	r := make([]int, len(u.straightSecurity))
+	for i, s := range u.straightSecurity {
+		r[i] = s.SuffixProtocol()
+	}
+	return r
+}
+
+func (u *upgrader) SuffixMatcher() mafmt.Pattern {
+	return u.straightMatcher
 }

p2p/net/upgrader/upgrader_test.go

@@ -129,7 +129,7 @@ func dial(t *testing.T, upgrader transport.Upgrader, raddr ma.Multiaddr, p peer.
 	if err != nil {
 		return nil, err
 	}
-	return upgrader.Upgrade(context.Background(), nil, macon, network.DirOutbound, p, scope)
+	return upgrader.UpgradeOutbound(context.Background(), nil, macon, nil, p, scope)
 }
 
 func TestOutboundConnectionGating(t *testing.T) {

p2p/protocol/circuitv2/client/transport.go

@@ -70,7 +70,8 @@ func (c *Client) dialAndUpgrade(ctx context.Context, a ma.Multiaddr, p peer.ID,
 		return nil, err
 	}
 	conn.tagHop()
-	cc, err := c.upgrader.Upgrade(ctx, c, conn, network.DirOutbound, p, connScope)
+	// FIXME: remove our leading maddr and compute suffix
+	cc, err := c.upgrader.UpgradeOutbound(ctx, c, conn, nil, p, connScope)
 	if err != nil {
 		return nil, err
 	}