gnutella 1.0.0

package/src/protocol/node_tls.ts

@@ -0,0 +1,257 @@
+import net from "node:net";
+import tls from "node:tls";
+
+import { ENABLE_TLS } from "../const";
+import { errMsg } from "../shared";
+import type { GnutellaServent } from "./node";
+
+const TLS_UPGRADE_TOKEN = "TLS/1.0";
+const TLS_TIMEOUT_MS = 5000;
+
+// Opportunistic peer TLS does not authenticate remote identity, so a
+// bundled self-signed certificate is sufficient for server-side handshakes.
+const TLS_KEY_PEM = `-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQD4hBqeBHY43TlX
+zVeqDytDe9/8aJGk4DL9RXWdU6fExvMySt5l30OVBH/WqrAtSsxTzYF6Ara8erXG
+vPQq0HbtbnAGzB7VOcadYCYFJFiNFQoR50U4vq0MHE/4QEHsRGZFtB1HRIrHEqJp
+m9TYbaL6/Nw4atzcvEWcjok5rpvy2NHyI1QueixOb7KeukSrgR6WUNCldi0YPuXP
+kePe48nifnzlbw2MqYP5u+TdThpyu5KGLwsvHOUUhr7HrEGpcl8FHpAhsWE2HzVE
+5LGLLK3goASjJOYokl56yzLPNC4PgsmdgpykiMHqDXEwAfaM7dRb2BhAzx4jpxbv
+jwbbJJtPAgMBAAECggEAAOBWD8JTM4UKhR9L71Ei/o2MT3ZhSxKjbYw/0qjG/K0I
+3+hInEmnkMB3aqS1m7Xib0XpgSSKgmJjD/EIcG/lOCL3zIIzz38FK5fIbqxbAfDM
+kwyzHBXt7apTBC4rFZxwhCzvMpjLU+u884mQL1K3d8vPjhCFJNJ/8WVa+0ulJyp+
+otlQVzKWH5T/jjUlTxnaImsIdI8grqaBSC5Fd5Dnay0qUNYx3t5UFlkAZzWc/Uua
+EuDvid1fsFGHbkXrh9jFLLKd+7MnNjCeQf56xzbN8mvFntnnqCJm3AywMGEQwwHB
+84e/2jEeJBQsLuft1qAk2Wr3gKBkF8vcooDoArFpKQKBgQD/GIGsJGcfT5JnMobP
+6Dv7UEIasv5MUZ6PSvB4bLk/AItnAms27No28w32S5X5f19Wm8+ff7AWdEjbs/XP
+rgnLV6QL0e8pQCNBT5kfXidydrZrH8rbSV0h3Ius+UQSEMNnjBaJ8mgPUsH//jBh
+dM077jSgoP3KHjQk2UHp9+p0yQKBgQD5ZaBjdQemDeI6D8Jzowjrr4IT0Y9wrT0u
+O8noRMDxJM1BfFxOB/yrM+mMVEapOFuR7qTcHuJFUUSktROlhwvDHFSXEPs9/0Vy
+d8FFgbd0OF4+Hdg5yk0F7LjgXh982Dc2H363vlPiOZ8BklTX73bnlw9WvgBDxqri
+H7JW92wTVwKBgQD0W0tL1IsbySNay2GsIq/iat0HqlJCVSTn6kczdCJ3IVRn1j9R
+m8zkOisztO/y0XpIAnT+Olg5CicInfhnejVTnZ483FqWTyP2WgM5sv1ifij7sLan
+HD2kRBlgFl6IV5p2xBCLD7NyijnfuGQr1rEKKYIsJEs3o3sbmSm0r5DdUQKBgQCm
+F5ZvZjtHzatCO8imtod0XxhkFoZO5jD+n3biJxfQAVBpMmdO2Gbfpdz+RgohHJVv
+ZN2Kc08CFxN+FdIVxRCCSlXTnc2VBnK7vyGKJs+EqR2qhLnCEwak0Xh2hHi37k8m
+zmbX+/tliDZrF4dFoAcySRpADJ2khaS8n5tn67OgVQKBgQDyHZ4zruZo5b+GQC+5
+IN/FrtviKu0+W2dA+PGwxMcUF+373IDq7Kp+8A8j+QtG0uPYMZiFrWb10Aqp5yjZ
+PH6GWdABuZ61cWEdbFCgG6/NCOWB84iPSHkttZPi0r+EbspHeIlLixUIFSVKUeLf
+jlzk/A25vxdNIA4F+dVdBBy/Pg==
+-----END PRIVATE KEY-----
+`;
+
+const TLS_CERT_PEM = `-----BEGIN CERTIFICATE-----
+MIIDDzCCAfegAwIBAgIURECewiM0o9kR9MKlXP0py8dw0XYwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMZ251dGVsbGEtYnVuMB4XDTI2MDMyODA2NDMwMVoXDTM2
+MDMyNTA2NDMwMVowFzEVMBMGA1UEAwwMZ251dGVsbGEtYnVuMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+IQangR2ON05V81Xqg8rQ3vf/GiRpOAy/UV1
+nVOnxMbzMkreZd9DlQR/1qqwLUrMU82BegK2vHq1xrz0KtB27W5wBswe1TnGnWAm
+BSRYjRUKEedFOL6tDBxP+EBB7ERmRbQdR0SKxxKiaZvU2G2i+vzcOGrc3LxFnI6J
+Oa6b8tjR8iNULnosTm+ynrpEq4EellDQpXYtGD7lz5Hj3uPJ4n585W8NjKmD+bvk
+3U4acruShi8LLxzlFIa+x6xBqXJfBR6QIbFhNh81ROSxiyyt4KAEoyTmKJJeessy
+zzQuD4LJnYKcpIjB6g1xMAH2jO3UW9gYQM8eI6cW748G2ySbTwIDAQABo1MwUTAd
+BgNVHQ4EFgQUmmjFyMO+Yec6uc5oDZ32eQZpTVcwHwYDVR0jBBgwFoAUmmjFyMO+
+Yec6uc5oDZ32eQZpTVcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AQEA1GGX8oZEKsOrC5vo2wtkEuA6A4jnc6+l6E2wHNRhBpK7Pi77i/IijMoAvW/d
+6C+6vLNogZEsavsi9zfwxjCmu6eJO4QW7/Jpoev8ZPQQE0cDZUQigF5B6Qy8HQ1L
+PT836ReE3X2e7TPVwrhtDC8hNSRar+Wh0VZXHvwhEkyfuea75QgYE8jyqpAviYZT
+jH7OHoVlXZyuRBQOh03PJt+ZZyJLG172C39dmeNXC/N5a07PvDH0TRVlvdbnQVfE
+J7/6IhSn3XbO000zgwcdGjZbPVym/xNiidJCPxrqF7ZaGWfWLmNXLnuGrOm0FusM
+x+z+mIKYbuX4pACxG4t1ycRfOQ==
+-----END CERTIFICATE-----
+`;
+
+let secureContext: tls.SecureContext | undefined;
+let tlsContextError: Error | undefined;
+
+function hasHeaderToken(
+  value: string | undefined,
+  token: string,
+): boolean {
+  if (!value) return false;
+  return value
+    .split(",")
+    .map((part) => part.trim().toLowerCase())
+    .includes(token.toLowerCase());
+}
+
+function tlsContext(): tls.SecureContext {
+  if (secureContext) return secureContext;
+  if (tlsContextError) throw tlsContextError;
+  try {
+    secureContext = tls.createSecureContext({
+      key: TLS_KEY_PEM,
+      cert: TLS_CERT_PEM,
+      minVersion: "TLSv1.2",
+    });
+    return secureContext;
+  } catch (error) {
+    tlsContextError =
+      error instanceof Error ? error : new Error(errMsg(error));
+    throw tlsContextError;
+  }
+}
+
+function secureEventNames(mode: "client" | "server"): string[] {
+  return mode === "client"
+    ? ["secureConnect", "secure"]
+    : ["secure", "secureConnect"];
+}
+
+function maybeStartTlsSocket(
+  socket: tls.TLSSocket,
+  mode: "client" | "server",
+): void {
+  // `tls.connect()` already starts the client handshake in Bun. Calling
+  // the internal starter again throws and aborts the upgrade.
+  if (mode !== "server") return;
+  const starter = socket as tls.TLSSocket & { _start?: () => void };
+  if (typeof starter._start === "function") starter._start();
+}
+
+function waitForSecureTlsSocket(
+  node: GnutellaServent,
+  socket: tls.TLSSocket,
+  mode: "client" | "server",
+  timeoutMs: number,
+  start?: () => void,
+): Promise<tls.TLSSocket> {
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const cleanup = () => {
+      node.collaborators.scheduler.clearTimeout(timer);
+      for (const event of secureEventNames(mode)) {
+        socket.off(event, onSecure);
+      }
+      socket.off("error", onError);
+      socket.off("close", onClose);
+    };
+    const finish = (value: tls.TLSSocket) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      resolve(value);
+    };
+    const fail = (error: unknown) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      reject(error instanceof Error ? error : new Error(errMsg(error)));
+    };
+    const onSecure = () => finish(socket);
+    const onError = (error: unknown) => fail(error);
+    const onClose = () => fail(new Error("TLS socket closed"));
+    const timer = node.collaborators.scheduler.setTimeout(() => {
+      fail(new Error("TLS handshake timeout"));
+    }, timeoutMs);
+
+    for (const event of secureEventNames(mode)) {
+      socket.once(event, onSecure);
+    }
+    socket.once("error", onError);
+    socket.once("close", onClose);
+    try {
+      start?.();
+    } catch (error) {
+      fail(error);
+    }
+  });
+}
+
+export function tlsEnabled(node: GnutellaServent): boolean {
+  if (!ENABLE_TLS) return false;
+  if (!node.config().enableTls) return false;
+  try {
+    tlsContext();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export function socketUsesTls(
+  _node: GnutellaServent,
+  socket: net.Socket,
+): boolean {
+  return (
+    socket instanceof tls.TLSSocket ||
+    !!(socket as net.Socket & { encrypted?: boolean }).encrypted
+  );
+}
+
+export function canUpgradeSocketToTls(
+  _node: GnutellaServent,
+  socket: net.Socket,
+): boolean {
+  return socket instanceof net.Socket;
+}
+
+export function peerRequestedTlsUpgrade(
+  _node: GnutellaServent,
+  headers: Record<string, string>,
+): boolean {
+  return hasHeaderToken(headers["upgrade"], TLS_UPGRADE_TOKEN);
+}
+
+export function peerAcceptedTlsUpgrade(
+  _node: GnutellaServent,
+  headers: Record<string, string>,
+): boolean {
+  return (
+    hasHeaderToken(headers["upgrade"], TLS_UPGRADE_TOKEN) &&
+    hasHeaderToken(headers["connection"], "upgrade")
+  );
+}
+
+export function clientAcceptedTlsUpgrade(
+  _node: GnutellaServent,
+  headers: Record<string, string>,
+): boolean {
+  return hasHeaderToken(headers["connection"], "upgrade");
+}
+
+export function tlsUpgradeToken(_node: GnutellaServent): string {
+  return TLS_UPGRADE_TOKEN;
+}
+
+export async function upgradeSocketToTls(
+  node: GnutellaServent,
+  socket: net.Socket,
+  mode: "client" | "server",
+  initialBuf: Uint8Array = Buffer.alloc(0),
+): Promise<tls.TLSSocket> {
+  if (!node.tlsEnabled()) throw new Error("TLS unavailable");
+  if (initialBuf.length) socket.unshift(initialBuf);
+  socket.setTimeout(0);
+  socket.pause();
+
+  const timeoutMs = Math.max(
+    TLS_TIMEOUT_MS,
+    node.config().connectTimeoutMs,
+  );
+  const upgraded =
+    mode === "client"
+      ? tls.connect({
+          socket,
+          secureContext: tlsContext(),
+          rejectUnauthorized: false,
+          minVersion: "TLSv1.2",
+        })
+      : new tls.TLSSocket(socket, {
+          isServer: true,
+          secureContext: tlsContext(),
+          requestCert: false,
+          rejectUnauthorized: false,
+        });
+  return await waitForSecureTlsSocket(
+    node,
+    upgraded,
+    mode,
+    timeoutMs,
+    () => {
+      upgraded.setNoDelay(true);
+      maybeStartTlsSocket(upgraded, mode);
+      upgraded.resume();
+    },
+  );
+}

package/src/protocol/node_topology.ts

@@ -0,0 +1,141 @@
+import type { PeerCapabilities, PeerRole } from "../types";
+import type { GnutellaServent } from "./node";
+import type { Peer } from "./node_types";
+
+function isMeshPeerRole(role: PeerRole): boolean {
+  return role !== "leaf";
+}
+
+export function nodeMode(node: GnutellaServent) {
+  return node.config().nodeMode;
+}
+
+export function classifyPeerRole(
+  node: GnutellaServent,
+  capabilities: PeerCapabilities,
+): PeerRole {
+  const remoteIsUltrapeer = capabilities.isUltrapeer;
+  const mode = node.nodeMode();
+
+  if (mode === "ultrapeer") {
+    return remoteIsUltrapeer === true ? "ultrapeer" : "leaf";
+  }
+
+  return remoteIsUltrapeer === true ? "ultrapeer" : "leaf";
+}
+
+export function peerRole(
+  _node: GnutellaServent,
+  peer: Pick<Peer, "role">,
+): PeerRole {
+  return peer.role;
+}
+
+export function countPeersByRole(
+  node: GnutellaServent,
+  role: PeerRole,
+): number {
+  let count = 0;
+  for (const peer of node.peers.values()) {
+    if (peer.role === role) count++;
+  }
+  return count;
+}
+
+export function connectedLeafCount(node: GnutellaServent): number {
+  return node.countPeersByRole("leaf");
+}
+
+export function connectedMeshPeerCount(node: GnutellaServent): number {
+  let count = 0;
+  for (const peer of node.peers.values()) {
+    if (isMeshPeerRole(peer.role)) count++;
+  }
+  return count;
+}
+
+export function availableDialSlots(node: GnutellaServent): number {
+  const c = node.config();
+  if (node.nodeMode() === "ultrapeer") {
+    return Math.max(
+      0,
+      c.maxUltrapeerConnections -
+        node.connectedMeshPeerCount() -
+        node.dialing.size,
+    );
+  }
+  return Math.max(
+    0,
+    c.maxUltrapeerConnections -
+      node.connectedMeshPeerCount() -
+      node.dialing.size,
+  );
+}
+
+export function canAcceptPeerRole(
+  node: GnutellaServent,
+  role: PeerRole,
+): { ok: true } | { ok: false; code: number; reason: string } {
+  const c = node.config();
+  const mode = node.nodeMode();
+
+  if (mode === "leaf") {
+    if (role === "leaf") {
+      return {
+        ok: false,
+        code: 503,
+        reason: `Shielded leaf node (${c.maxUltrapeerConnections} ultrapeers max)`,
+      };
+    }
+    if (node.connectedMeshPeerCount() >= c.maxUltrapeerConnections) {
+      return {
+        ok: false,
+        code: 503,
+        reason: `Too many ultrapeer connections (${c.maxUltrapeerConnections} max)`,
+      };
+    }
+    return { ok: true };
+  }
+
+  if (role === "leaf") {
+    if (node.connectedLeafCount() >= c.maxLeafConnections) {
+      return {
+        ok: false,
+        code: 503,
+        reason: `Too many leaf connections (${c.maxLeafConnections} max)`,
+      };
+    }
+    return { ok: true };
+  }
+
+  if (node.connectedMeshPeerCount() >= c.maxUltrapeerConnections) {
+    return {
+      ok: false,
+      code: 503,
+      reason: `Too many ultrapeer connections (${c.maxUltrapeerConnections} max)`,
+    };
+  }
+  return { ok: true };
+}
+
+export function shouldRelayQueries(node: GnutellaServent): boolean {
+  return node.nodeMode() === "ultrapeer";
+}
+
+export function shouldRelayPings(node: GnutellaServent): boolean {
+  return node.nodeMode() === "ultrapeer";
+}
+
+export function isLeafPeer(
+  _node: GnutellaServent,
+  peer: Pick<Peer, "role">,
+): boolean {
+  return peer.role === "leaf";
+}
+
+export function isMeshPeer(
+  _node: GnutellaServent,
+  peer: Pick<Peer, "role">,
+): boolean {
+  return isMeshPeerRole(peer.role);
+}