@aria-cli/wireguard 1.0.36 → 1.0.38

package/dist/tunnel.js

@@ -1,474 +0,0 @@
-"use strict";
-/**
- * SecureTunnel — TypeScript transport layer wrapping the boringtun native addon.
- *
- * Manages the UDP socket, port forwarding (plaintext ↔ encrypted), and the
- * 250ms timer loop that drives WireGuard's internal state machine. The native
- * addon handles all cryptographic operations; this module handles I/O.
- *
- * Usage:
- *   const tunnel = new SecureTunnel({ privateKey, peerPublicKey, listenPort });
- *   await tunnel.start();
- *   tunnel.sendPlaintext(Buffer.from("hello"));
- *   tunnel.on("plaintext", (data) => console.log("received:", data));
- *   tunnel.stop();
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.SecureTunnel = void 0;
-exports.wrapIpv4 = wrapIpv4;
-exports.unwrapIpv4 = unwrapIpv4;
-const dgram = __importStar(require("node:dgram"));
-const fs = __importStar(require("node:fs"));
-const path = __importStar(require("node:path"));
-const node_events_1 = require("node:events");
-function appendSecureTunnelDiagnostic(entry) {
-    try {
-        const logDir = path.join(process.env.HOME ?? "/tmp", ".aria", "audit");
-        fs.mkdirSync(logDir, { recursive: true });
-        fs.appendFileSync(path.join(logDir, "wireguard-secure-tunnel.jsonl"), JSON.stringify({ timestamp: Date.now(), ...entry }) + "\n");
-    }
-    catch {
-        // Best-effort diagnostics only.
-    }
-}
-/**
- * Encrypted UDP tunnel backed by boringtun.
- *
- * Events:
- *   - "plaintext": decrypted data received from peer
- *   - "handshake": WireGuard handshake completed
- *   - "error": tunnel or socket error
- *   - "close": tunnel stopped
- */
-/**
- * Wrap arbitrary data in a minimal valid IPv4 packet for boringtun layer-3 tunnel.
- *
- * WireGuard is a layer-3 VPN — boringtun validates that decrypted plaintext is a
- * valid IPv4 or IPv6 packet before returning it. Raw bytes are rejected with
- * "InvalidPacket". This helper constructs a minimal 20-byte IPv4 header wrapping
- * the given payload.
- */
-function wrapIpv4(payload, srcIp = 0x0a000001, dstIp = 0x0a000002) {
-    if (payload.length > 65515) {
-        throw new Error("Payload too large for IPv4 (max 65515 bytes)");
-    }
-    const totalLength = 20 + payload.length;
-    const header = Buffer.alloc(20);
-    header[0] = 0x45; // Version 4, IHL 5 (20 bytes)
-    header.writeUInt16BE(totalLength, 2); // Total length
-    header[6] = 0x40; // Don't fragment
-    header[8] = 64; // TTL
-    header[9] = 0x04; // Protocol: IP-in-IP (placeholder)
-    // Source and destination (tunnel-internal)
-    header.writeUInt32BE(srcIp, 12);
-    header.writeUInt32BE(dstIp, 16);
-    // Checksum (RFC 1071)
-    let sum = 0;
-    for (let i = 0; i < 20; i += 2)
-        sum += header.readUInt16BE(i);
-    while (sum > 0xffff)
-        sum = (sum & 0xffff) + (sum >> 16);
-    header.writeUInt16BE(~sum & 0xffff, 10);
-    return Buffer.concat([header, payload]);
-}
-/**
- * Extract payload from an IPv4 packet by reading the IHL field.
- * Optionally validates that the source IP matches the expected peer IP.
- */
-function unwrapIpv4(packet, expectedSourceIp) {
-    if (packet.length < 20)
-        return packet;
-    // Validate source IP if expected (defense-in-depth against inner-header spoofing)
-    if (expectedSourceIp !== undefined) {
-        const sourceIp = packet.readUInt32BE(12);
-        if (sourceIp !== expectedSourceIp) {
-            throw new Error(`Source IP mismatch: expected ${expectedSourceIp.toString(16)}, got ${sourceIp.toString(16)}`);
-        }
-    }
-    const ihl = (packet.readUInt8(0) & 0x0f) * 4;
-    return packet.subarray(ihl);
-}
-/**
- * WireGuard message type 4 = transport data (little-endian u32 in first 4 bytes).
- *
- * Only transport data proves an authenticated session. Handshake responses
- * (type 2) are generated when we act as RESPONDER — they do NOT prove the
- * peer completed the handshake with us. Treating type 2 as proof prematurely
- * promotes the tunnel to "connected", which triggers flushQueue → encrypt on
- * a tunnel with no current session → new handshake initiation that overwrites
- * the pending initiator state → the real handshake response is rejected →
- * return path dies.
- */
-const WG_MSG_TYPE_TRANSPORT_DATA = 4;
-function isTransportData(data) {
-    if (!data || data.length < 4)
-        return false;
-    return data.readUInt32LE(0) === WG_MSG_TYPE_TRANSPORT_DATA;
-}
-class SecureTunnel extends node_events_1.EventEmitter {
-    options;
-    socket = null;
-    tickTimer = null;
-    tunnel = null;
-    stats = {
-        bytesSent: 0,
-        bytesReceived: 0,
-        handshakes: 0,
-        lastHandshake: null,
-        active: false,
-    };
-    /** Tracks whether the first successful decrypt has occurred (handshake completed) */
-    handshakeCompleted = false;
-    peerHost;
-    peerPort;
-    /** Unsubscribe function for external socket mode */
-    externalSocketUnsub = null;
-    constructor(options) {
-        super();
-        this.options = options;
-        this.peerHost = options.peerHost;
-        this.peerPort = options.peerPort;
-    }
-    /** Start the tunnel — binds UDP socket, creates WireGuard tunnel, starts timer */
-    async start() {
-        if (this.stats.active)
-            throw new Error("Tunnel already active");
-        appendSecureTunnelDiagnostic({
-            event: "secure_tunnel_start_called",
-            peerPublicKey: this.options.peerPublicKey,
-            peerHost: this.peerHost,
-            peerPort: this.peerPort,
-            listenPort: this.options.listenPort ?? null,
-            externalSocket: Boolean(this.options.externalSocket),
-        });
-        // Lazy-load the native addon
-        const { createTunnel } = await import("./index.js");
-        this.tunnel = createTunnel({
-            privateKey: this.options.privateKey,
-            peerPublicKey: this.options.peerPublicKey,
-            presharedKey: this.options.presharedKey,
-            keepalive: this.options.keepalive ?? 25,
-        });
-        let port;
-        if (this.options.externalSocket) {
-            // Shared socket mode — use NetworkManager's single UDP socket.
-            // Don't create our own socket; subscribe to the shared one.
-            port = this.options.externalSocket.port;
-            this.externalSocketUnsub = this.options.externalSocket.onPacket((msg, rinfo) => this.classifyIncomingPacket(msg, rinfo));
-        }
-        else {
-            // Standalone mode — create our own UDP socket (existing behavior)
-            this.socket = dgram.createSocket("udp4");
-            port = await new Promise((resolve, reject) => {
-                this.socket.on("error", reject);
-                this.socket.bind(this.options.listenPort ?? 0, () => {
-                    const addr = this.socket.address();
-                    resolve(addr.port);
-                });
-            });
-            // Handle incoming encrypted packets
-            this.socket.on("message", (msg, rinfo) => {
-                this.handleIncomingPacket(msg, rinfo);
-            });
-            // Post-bind error/close handlers
-            this.socket.on("error", (err) => this.emit("error", err));
-            this.socket.on("close", () => this.emit("close"));
-        }
-        // Start the timer loop — drives WireGuard state machine
-        let consecutiveTickErrors = 0;
-        const MAX_CONSECUTIVE_TICK_ERRORS = 5;
-        this.tickTimer = setInterval(() => {
-            if (!this.tunnel)
-                return;
-            try {
-                const result = this.tunnel.tick();
-                this.handleResult(result);
-                consecutiveTickErrors = 0;
-            }
-            catch (err) {
-                consecutiveTickErrors++;
-                this.emit("error", err);
-                if (consecutiveTickErrors >= MAX_CONSECUTIVE_TICK_ERRORS) {
-                    this.emit("error", new Error(`Tunnel tick failed ${MAX_CONSECUTIVE_TICK_ERRORS} consecutive times — stopping tunnel`));
-                    this.stop();
-                }
-            }
-        }, 250);
-        this.stats.active = true;
-        appendSecureTunnelDiagnostic({
-            event: "secure_tunnel_start_returned",
-            peerPublicKey: this.options.peerPublicKey,
-            peerHost: this.peerHost,
-            peerPort: this.peerPort,
-            active: this.stats.active,
-            handshakeCompleted: this.handshakeCompleted,
-            handshakes: this.stats.handshakes,
-            port,
-        });
-        return port;
-    }
-    /**
-     * Handle an incoming encrypted packet. Called either by our own socket
-     * or by the shared socket dispatcher (in shared socket mode).
-     *
-     * Returns true if this tunnel consumed the packet, false otherwise.
-     */
-    handleIncomingPacket(msg, rinfo) {
-        return this.classifyIncomingPacket(msg, rinfo).handled;
-    }
-    classifyIncomingPacket(msg, rinfo) {
-        if (!this.tunnel) {
-            return {
-                handled: false,
-                peerPublicKey: this.options.peerPublicKey,
-                outcome: "no_tunnel",
-            };
-        }
-        try {
-            let result = this.tunnel.decrypt(msg, rinfo.address);
-            // In shared socket mode, "error" means the packet doesn't belong to
-            // this tunnel (wrong key/session/index). Return false so the dispatcher
-            // tries the next tunnel.
-            if (result.op === "error") {
-                const errorDetail = result.data ? result.data.toString() : "decrypt error";
-                if (this.options.externalSocket) {
-                    return {
-                        handled: false,
-                        peerPublicKey: this.options.peerPublicKey,
-                        outcome: "decrypt_error",
-                        errorDetail,
-                    };
-                }
-                this.emit("error", new Error(errorDetail));
-                return {
-                    handled: false,
-                    peerPublicKey: this.options.peerPublicKey,
-                    outcome: "decrypt_error",
-                    errorDetail,
-                };
-            }
-            // "done" from decrypt can mean:
-            // 1. Keepalive processed — empty payload from our peer (peer is alive)
-            // 2. Cookie reply or handshake message consumed internally
-            // In both cases, the native addon may have queued a response (e.g., a
-            // handshake confirmation or transport data). Drain any pending ops so
-            // they get sent immediately rather than waiting for the next tick().
-            if (result.op === "done") {
-                // Update peer endpoint from this packet's source — even "done" packets
-                // prove the peer is reachable at this address.
-                if (rinfo.address && rinfo.port) {
-                    this.peerHost = rinfo.address;
-                    this.peerPort = rinfo.port;
-                }
-                // Drain any queued responses the native addon produced while
-                // processing this packet (e.g., handshake confirmation).
-                let drainResult = this.tunnel.decrypt(Buffer.alloc(0));
-                while (drainResult.op !== "done" && drainResult.op !== "error") {
-                    if (drainResult.op === "write_to_network" && isTransportData(drainResult.data)) {
-                        this.markAuthenticatedSessionProof();
-                    }
-                    this.handleResult(drainResult);
-                    drainResult = this.tunnel.decrypt(Buffer.alloc(0));
-                }
-                appendSecureTunnelDiagnostic({
-                    event: "secure_tunnel_peer_activity",
-                    peerPublicKey: this.options.peerPublicKey,
-                    peerHost: rinfo.address,
-                    peerPort: rinfo.port,
-                    handshakeCompleted: this.handshakeCompleted,
-                });
-                this.emit("peerActivity");
-                return {
-                    handled: true,
-                    peerPublicKey: this.options.peerPublicKey,
-                    outcome: "done",
-                };
-            }
-            // write_to_tunnel or write_to_network — authenticated data from our peer.
-            // Update endpoint after successful authenticated decryption.
-            // Updating before decrypt allows traffic redirection (tunnel hijacking).
-            const handledOutcome = result.op === "write_to_network"
-                ? "write_to_network"
-                : "write_to_tunnel";
-            this.peerHost = rinfo.address;
-            this.peerPort = rinfo.port;
-            if (result.op === "write_to_network" && isTransportData(result.data)) {
-                this.markAuthenticatedSessionProof();
-            }
-            this.handleResult(result);
-            // Drain all queued results until "done" (decapsulate can produce multiple).
-            let drainCount = 0;
-            const MAX_DRAIN = 100;
-            while (result.op !== "done" && drainCount < MAX_DRAIN) {
-                drainCount++;
-                result = this.tunnel.decrypt(Buffer.alloc(0));
-                if (result.op === "done")
-                    break;
-                if (result.op === "write_to_network" && isTransportData(result.data)) {
-                    this.markAuthenticatedSessionProof();
-                }
-                this.handleResult(result);
-            }
-            return {
-                handled: true,
-                peerPublicKey: this.options.peerPublicKey,
-                outcome: handledOutcome,
-            };
-        }
-        catch (err) {
-            // In shared socket mode, ANY decrypt exception means the packet
-            // doesn't belong to this tunnel. Don't emit — return false.
-            if (this.options.externalSocket) {
-                return {
-                    handled: false,
-                    peerPublicKey: this.options.peerPublicKey,
-                    outcome: "decrypt_exception",
-                    errorDetail: err instanceof Error ? err.message : String(err),
-                };
-            }
-            this.emit("error", err);
-            return {
-                handled: false,
-                peerPublicKey: this.options.peerPublicKey,
-                outcome: "decrypt_exception",
-                errorDetail: err instanceof Error ? err.message : String(err),
-            };
-        }
-    }
-    /** Whether the tunnel is currently active */
-    get isActive() {
-        return this.stats.active;
-    }
-    /** Send plaintext data through the encrypted tunnel */
-    sendPlaintext(data) {
-        if (!this.tunnel || !this.stats.active) {
-            throw new Error("Tunnel not active");
-        }
-        const srcIp = this.options.tunnelSrcIp ?? 0x0a000001;
-        const dstIp = this.options.tunnelDstIp ?? 0x0a000002;
-        const ipPacket = wrapIpv4(data, srcIp, dstIp);
-        const result = this.tunnel.encrypt(ipPacket);
-        this.handleResult(result);
-        this.stats.bytesSent += data.length;
-    }
-    /** Set or update the peer endpoint */
-    setPeerEndpoint(host, port) {
-        this.peerHost = host;
-        this.peerPort = port;
-    }
-    /** Get tunnel statistics */
-    getStats() {
-        return { ...this.stats };
-    }
-    markAuthenticatedSessionProof() {
-        if (this.handshakeCompleted) {
-            return;
-        }
-        this.handshakeCompleted = true;
-        this.stats.handshakes++;
-        this.stats.lastHandshake = Date.now();
-        appendSecureTunnelDiagnostic({
-            event: "secure_tunnel_handshake",
-            peerPublicKey: this.options.peerPublicKey,
-            peerHost: this.peerHost,
-            peerPort: this.peerPort,
-            handshakes: this.stats.handshakes,
-        });
-        this.emit("handshake");
-    }
-    /** Stop the tunnel — closes socket (or unsubscribes from shared), stops timer */
-    stop() {
-        if (this.tickTimer) {
-            clearInterval(this.tickTimer);
-            this.tickTimer = null;
-        }
-        if (this.externalSocketUnsub) {
-            // Shared socket mode — unsubscribe, don't close the shared socket
-            this.externalSocketUnsub();
-            this.externalSocketUnsub = null;
-        }
-        if (this.socket) {
-            try {
-                this.socket.close();
-            }
-            catch {
-                // Socket may already be closed
-            }
-            this.socket = null;
-        }
-        this.tunnel = null;
-        this.stats.active = false;
-        this.emit("close");
-        this.removeAllListeners();
-    }
-    /** Handle a WireGuard tunnel result */
-    handleResult(result) {
-        switch (result.op) {
-            case "write_to_network":
-                // Send encrypted packet to peer via own socket or shared socket
-                if (result.data && this.peerHost && this.peerPort) {
-                    if (this.options.externalSocket) {
-                        this.options.externalSocket.send(result.data, this.peerPort, this.peerHost);
-                    }
-                    else if (this.socket) {
-                        this.socket.send(result.data, this.peerPort, this.peerHost);
-                    }
-                }
-                break;
-            case "write_to_tunnel":
-                // Any write_to_tunnel means the peer successfully decrypted a packet
-                // for us — the session is alive. Emit peerActivity so the dead-peer
-                // timer resets even for empty WG keepalive responses.
-                this.markAuthenticatedSessionProof();
-                this.emit("peerActivity");
-                // Decrypted plaintext received — unwrap the IPv4 header added by the sender
-                if (result.data && result.data.length > 0) {
-                    const payload = unwrapIpv4(result.data, this.options.tunnelDstIp);
-                    this.stats.bytesReceived += payload.length;
-                    this.emit("plaintext", payload);
-                }
-                break;
-            case "done":
-                // No action needed
-                break;
-            case "error":
-                this.emit("error", new Error(result.data ? result.data.toString() : "Unknown tunnel error"));
-                break;
-        }
-    }
-}
-exports.SecureTunnel = SecureTunnel;
-//# sourceMappingURL=tunnel.js.map