expose the security protocol on the ConnectionState

config/config.go

@@ -14,6 +14,8 @@ import (
 	"github.com/libp2p/go-libp2p/core/peerstore"
 	"github.com/libp2p/go-libp2p/core/pnet"
 	"github.com/libp2p/go-libp2p/core/routing"
+	"github.com/libp2p/go-libp2p/core/sec"
+	"github.com/libp2p/go-libp2p/core/sec/insecure"
 	"github.com/libp2p/go-libp2p/core/transport"
 	"github.com/libp2p/go-libp2p/p2p/host/autonat"
 	"github.com/libp2p/go-libp2p/p2p/host/autorelay"
@@ -167,20 +169,9 @@ func (cfg *Config) addTransports(h host.Host) error {
 		return fmt.Errorf("swarm does not support transports")
 	}
 
-	var security []fx.Option
-	if cfg.Insecure {
-		security = append(security, fx.Provide(makeInsecureTransport))
-	} else {
-		security = cfg.SecurityTransports
-	}
-
 	fxopts := []fx.Option{
 		fx.WithLogger(func() fxevent.Logger { return getFXLogger() }),
-		fx.Provide(tptu.New),
-		fx.Provide(fx.Annotate(
-			makeSecurityMuxer,
-			fx.ParamTags(`group:"security"`),
-		)),
+		fx.Provide(fx.Annotate(tptu.New, fx.ParamTags(`group:"security"`))),
 		fx.Supply(cfg.Muxers),
 		fx.Supply(h.ID()),
 		fx.Provide(func() host.Host { return h }),
@@ -191,8 +182,19 @@ func (cfg *Config) addTransports(h host.Host) error {
 		fx.Provide(func() *madns.Resolver { return cfg.MultiaddrResolver }),
 	}
 	fxopts = append(fxopts, cfg.Transports...)
-	if !cfg.Insecure {
-		fxopts = append(fxopts, security...)
+	if cfg.Insecure {
+		fxopts = append(fxopts,
+			fx.Provide(
+				fx.Annotate(
+					func(id peer.ID, priv crypto.PrivKey) sec.SecureTransport {
+						return insecure.NewWithIdentity(insecure.ID, id, priv)
+					},
+					fx.ResultTags(`group:"security"`),
+				),
+			),
+		)
+	} else {
+		fxopts = append(fxopts, cfg.SecurityTransports...)
 	}
 
 	fxopts = append(fxopts, fx.Invoke(

core/network/conn.go

@@ -34,12 +34,12 @@ type Conn interface {
 	GetStreams() []Stream
 }
 
-// ConnectionState holds extra information releated to the ConnSecurity entity.
+// ConnectionState holds information about the connection.
 type ConnectionState struct {
-	// The next protocol used for stream muxer selection. This is derived from
-	// security protocol handshake, for example, Noise handshake payload or
-	// TLS/ALPN negotiation.
-	NextProto string
+	// The stream multiplexer used on this connection (if any).
+	StreamMultiplexer string
+	// The security protocol used on this connection (if any).
+	Security string
 }
 
 // ConnSecurity is the interface that one can mix into a connection interface to

core/sec/security.go

@@ -29,18 +29,3 @@ type SecureTransport interface {
 	// ID is the protocol ID of the security protocol.
 	ID() protocol.ID
 }
-
-// A SecureMuxer is a wrapper around SecureTransport which can select security protocols
-// and open outbound connections with simultaneous open.
-type SecureMuxer interface {
-	// SecureInbound secures an inbound connection.
-	// The returned boolean indicates whether the connection should be treated as a server
-	// connection; in the case of SecureInbound it should always be true.
-	// If p is empty, connections from any peer are accepted.
-	SecureInbound(ctx context.Context, insecure net.Conn, p peer.ID) (SecureConn, bool, error)
-
-	// SecureOutbound secures an outbound connection.
-	// The returned boolean indicates whether the connection should be treated as a server
-	// connection due to simultaneous open.
-	SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (SecureConn, bool, error)
-}

p2p/net/swarm/dial_worker_test.go

@@ -12,11 +12,11 @@ import (
 	"github.com/libp2p/go-libp2p/core/crypto"
 	"github.com/libp2p/go-libp2p/core/peer"
 	"github.com/libp2p/go-libp2p/core/peerstore"
+	"github.com/libp2p/go-libp2p/core/sec"
 	"github.com/libp2p/go-libp2p/core/sec/insecure"
 	"github.com/libp2p/go-libp2p/core/transport"
 	"github.com/libp2p/go-libp2p/p2p/host/peerstore/pstoremem"
 	"github.com/libp2p/go-libp2p/p2p/muxer/yamux"
-	csms "github.com/libp2p/go-libp2p/p2p/net/conn-security-multistream"
 	tptu "github.com/libp2p/go-libp2p/p2p/net/upgrader"
 	quic "github.com/libp2p/go-libp2p/p2p/transport/quic"
 	"github.com/libp2p/go-libp2p/p2p/transport/tcp"
@@ -75,10 +75,9 @@ func makeSwarm(t *testing.T) *Swarm {
 func makeUpgrader(t *testing.T, n *Swarm) transport.Upgrader {
 	id := n.LocalPeer()
 	pk := n.Peerstore().PrivKey(id)
-	secMuxer := new(csms.SSMuxer)
-	secMuxer.AddTransport(insecure.ID, insecure.NewWithIdentity(insecure.ID, id, pk))
+	st := insecure.NewWithIdentity(insecure.ID, id, pk)
 
-	u, err := tptu.New(secMuxer, []tptu.StreamMuxer{{ID: "/yamux/1.0.0", Muxer: yamux.DefaultTransport}}, nil, nil, nil)
+	u, err := tptu.New([]sec.SecureTransport{st}, []tptu.StreamMuxer{{ID: "/yamux/1.0.0", Muxer: yamux.DefaultTransport}}, nil, nil, nil)
 	require.NoError(t, err)
 	return u
 }

p2p/net/swarm/swarm_dial.go

@@ -269,6 +269,13 @@ func (s *Swarm) dialPeer(ctx context.Context, p peer.ID) (*Conn, error) {
 
 	conn, err = s.dsync.Dial(ctx, p)
 	if err == nil {
+		// Ensure we connected to the correct peer.
+		// This was most likely already checked by the security protocol, but it doesn't hurt do it again here.
+		if conn.RemotePeer() != p {
+			conn.Close()
+			log.Errorw("Handshake failed to properly authenticate peer", "authenticated", conn.RemotePeer(), "expected", p)
+			return nil, fmt.Errorf("unexpected peer")
+		}
 		return conn, nil
 	}