diff --git a/.gitignore b/.gitignore
index dc8f0c02..3f7600e6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@ godog.test
 debug.test
 coverage.html
+coverage/
 gobinsec-cache*.yml
 # Run files
@@ -34,6 +35,7 @@ vendor-cache
 cmd/Desktop-Bridge/deploy
 cmd/Import-Export/deploy
 proton-bridge
+/bridge
 cmd/Desktop-Bridge/*.exe
 cmd/launcher/*.exe
 bin/
@@ -48,3 +50,13 @@ _doc/
 # gRPC auto-generated C++ source files
 *.pb.cc
 *.pb.h
+
+# Local certificates (never commit)
+*.pem
+certs/
+
+# Local service script
+bridge_service.sh
+
+# System research/audit docs
+research/
diff --git a/internal/bridge/debug.go b/internal/bridge/debug.go
index 942a6c7c..238bdf66 100644
--- a/internal/bridge/debug.go
+++ b/internal/bridge/debug.go
@@ -95,7 +95,7 @@ func (bridge *Bridge) CheckClientState(ctx context.Context, checkFlags bool, pro
 return result, err
 }
- addr := fmt.Sprintf("127.0.0.1:%v", bridge.GetIMAPPort())
+ addr := fmt.Sprintf("0.0.0.0:%v", bridge.GetIMAPPort())
 for account, mboxMap := range state {
 if progressCB != nil {
diff --git a/internal/certs/tls.go b/internal/certs/tls.go
index 354d548e..27f8a9d1 100644
--- a/internal/certs/tls.go
+++ b/internal/certs/tls.go
@@ -49,13 +49,13 @@ func NewTLSTemplate() (*x509.Certificate, error) {
 Country: []string{"CH"},
 Organization: []string{"Proton AG"},
 OrganizationalUnit: []string{"Proton Mail"},
- CommonName: "127.0.0.1",
+ CommonName: "0.0.0.0",
 },
 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 BasicConstraintsValid: true,
 IsCA: true,
- IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
+ IPAddresses: []net.IP{net.ParseIP("0.0.0.0")},
 NotBefore: time.Now(),
 NotAfter: time.Now().Add(20 * 365 * 24 * time.Hour),
 }, nil
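Review bot: `addr` on the added line of the debug.go hunk is a dial target, and "0.0.0.0" is the unspecified address rather than a destination: connecting to it reaches the local host only on some platforms (Linux treats it as loopback, Windows typically rejects it), so CheckClientState's IMAP connection can start failing on those platforms once this lands. Keep the dial side on a loopback address even if the listen side changes, e.g. `addr := fmt.Sprintf("127.0.0.1:%v", bridge.GetIMAPPort())`, or derive it from the configured bind address and substitute loopback when that address is unspecified. The same dial-side substitution appears in bridge-gui/main.cpp (`url.setHost`), FocusGRPCClient.cpp (`hostname`), GRPCClient.cpp (`address`), the applemail_test call, and the smtp-send `-server` default. CheckClientState starts and ends outside the hunk.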
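Review bot: The certificate template in the tls.go hunk now carries "0.0.0.0" as both CommonName and its only IP SAN, but 0.0.0.0 is never the address a client actually connects to, so any client that verifies the server identity against the dialed address (127.0.0.1, or a LAN address once the listeners are on all interfaces) will fail verification or have to switch it off. If the listeners are meant to be reachable on other interfaces, the SAN list has to name the real addresses, e.g. `IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("<exposed-address-placeholder>")}` with `CommonName` kept aligned with one of them. The same mismatch applies to `ServerName` in the GetConfig hunk below (relevant if that config is also used to dial) and to `SetSslTargetNameOverride` in GRPCClient.cpp, which has to equal a SAN in this certificate. NewTLSTemplate starts outside the hunk.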
@@ -110,7 +110,7 @@ func GetConfig(certPEM, keyPEM []byte) (*tls.Config, error) {
 //nolint:gosec // We need to support older TLS versions for AppleMail and Outlook
 return &tls.Config{
 Certificates: []tls.Certificate{c},
- ServerName: "127.0.0.1",
+ ServerName: "0.0.0.0",
 ClientAuth: tls.VerifyClientCertIfGiven,
 RootCAs: caCertPool,
 ClientCAs: caCertPool,
diff --git a/internal/clientconfig/applemail_test.go b/internal/clientconfig/applemail_test.go
index cf616d6f..0406b15f 100644
--- a/internal/clientconfig/applemail_test.go
+++ b/internal/clientconfig/applemail_test.go
@@ -33,6 +33,6 @@ func TestEscapeXMLString(t *testing.T) {
 func _TestInstallCert(t *testing.T) { //nolint:unused
 require.NoError(
 t,
- (&AppleMail{}).Configure(`127.0.0.1`, 1143, 1025, true, false, `user&>>`, `<>`, `user&a`, []byte(`ir8R9vhdNXyB7isWzhyEkQ`)),
+ (&AppleMail{}).Configure(`0.0.0.0`, 1143, 1025, true, false, `user&>>`, `<>`, `user&a`, []byte(`ir8R9vhdNXyB7isWzhyEkQ`)),
 )
 }
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index db661821..d75cf9d1 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -68,7 +68,7 @@ const (
 KeyChainName = "bridge-v3"
 // Host is the hostname of the bridge server.
- Host = "127.0.0.1"
+ Host = "0.0.0.0"
 )
 // nolint:goconst
diff --git a/internal/focus/service.go b/internal/focus/service.go
index 738ae835..96f0204d 100644
--- a/internal/focus/service.go
+++ b/internal/focus/service.go
@@ -34,7 +34,7 @@ import (
 )
 const (
- Host = "127.0.0.1"
+ Host = "0.0.0.0"
 serverConfigFileName = "grpcFocusServerConfig.json"
 )
diff --git a/internal/frontend/bridge-gui/bridge-gui-tester/GRPCServerWorker.cpp b/internal/frontend/bridge-gui/bridge-gui-tester/GRPCServerWorker.cpp
index 26d8fbdd..10171e79 100644
--- a/internal/frontend/bridge-gui/bridge-gui-tester/GRPCServerWorker.cpp
+++ b/internal/frontend/bridge-gui/bridge-gui-tester/GRPCServerWorker.cpp
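Review bot: Setting `Host` to "0.0.0.0" in the constants.go hunk presumably moves every listener built from it off loopback and onto all interfaces, so the IMAP/SMTP and gRPC endpoints that were reachable only by processes on the same machine become reachable from any host that can route to this one, protected only by whatever authentication those protocols already apply. If remote access is the intent, make the bind address an explicit configuration value that defaults to 127.0.0.1 and say so on the constant, e.g. `// Host is the address the bridge listens on; 0.0.0.0 binds every interface, so the IMAP/SMTP/gRPC ports become reachable from the network.` The same all-interfaces bind appears in focus/service.go (`Host`), GRPCServerWorker.cpp (`AddListeningPort`), grpc/service.go and port-blocker.go (`net.Listen`); where Host is also used to build dial targets, 0.0.0.0 is not a valid destination on every platform.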
@@ -67,7 +67,7 @@ void GRPCServerWorker::run() {
 builder.AddListeningPort(QString("unix://%1").arg(fileSocketPath).toStdString(), credentials);
 config.fileSocketPath = fileSocketPath;
 } else {
- builder.AddListeningPort("127.0.0.1:0", credentials, &port);
+ builder.AddListeningPort("0.0.0.0:0", credentials, &port);
 }
 builder.RegisterService(&app().grpc());
diff --git a/internal/frontend/bridge-gui/bridge-gui/main.cpp b/internal/frontend/bridge-gui/bridge-gui/main.cpp
index cce9d4e7..1c6a9eeb 100644
--- a/internal/frontend/bridge-gui/bridge-gui/main.cpp
+++ b/internal/frontend/bridge-gui/bridge-gui/main.cpp
@@ -155,7 +155,7 @@ QUrl getApiUrl() {
 QUrl url;
 // use default url.
 url.setScheme("http");
- url.setHost("127.0.0.1");
+ url.setHost("0.0.0.0");
 url.setPort(1042);
 // override with what can be found in the prefs.json file.
diff --git a/internal/frontend/bridge-gui/bridgepp/bridgepp/FocusGRPC/FocusGRPCClient.cpp b/internal/frontend/bridge-gui/bridgepp/bridgepp/FocusGRPC/FocusGRPCClient.cpp
index 11cdb24f..32d8c055 100644
--- a/internal/frontend/bridge-gui/bridgepp/bridgepp/FocusGRPC/FocusGRPCClient.cpp
+++ b/internal/frontend/bridge-gui/bridgepp/bridgepp/FocusGRPC/FocusGRPCClient.cpp
@@ -29,7 +29,7 @@ namespace {
 Empty empty; ///< Empty protobuf message, re-used across calls.
-QString const hostname = "127.0.0.1"; ///< The hostname of the focus service.
+QString const hostname = "0.0.0.0"; ///< The hostname of the focus service.
 }
diff --git a/internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/GRPCClient.cpp b/internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/GRPCClient.cpp
index 0e936b3f..43dfa48a 100644
--- a/internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/GRPCClient.cpp
+++ b/internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/GRPCClient.cpp
@@ -127,9 +127,9 @@ void GRPCClient::connectToServer(QString const &sessionID, QString const &config
 grpc::ChannelArguments chanArgs;
 if (useFileSocketForGRPC()) {
 address = QString("unix://" + config.fileSocketPath);
- chanArgs.SetSslTargetNameOverride("127.0.0.1"); // for file socket, we skip name verification to avoid a confusion localhost/127.0.0.1
+ chanArgs.SetSslTargetNameOverride("0.0.0.0"); // for file socket, we skip name verification to avoid a confusion localhost/127.0.0.1
 } else {
- address = QString("127.0.0.1:%1").arg(config.port);
+ address = QString("0.0.0.0:%1").arg(config.port);
 }
 SslCredentialsOptions opts;
diff --git a/internal/frontend/grpc/service.go b/internal/frontend/grpc/service.go
index 84caaa29..a02134a4 100644
--- a/internal/frontend/grpc/service.go
+++ b/internal/frontend/grpc/service.go
@@ -141,7 +141,7 @@ func NewService(
 }
 } else {
 var err error
- listener, err = net.Listen("tcp", "127.0.0.1:0") // Port should be provided by the OS.
+ listener, err = net.Listen("tcp", "0.0.0.0:0") // Port should be provided by the OS.
 if err != nil {
 logrus.WithError(err).Panic("Could not create gRPC listener")
 }
diff --git a/utils/port-blocker/port-blocker.go b/utils/port-blocker/port-blocker.go
index bf5c2ef9..4b1c27b5 100644
--- a/utils/port-blocker/port-blocker.go
+++ b/utils/port-blocker/port-blocker.go
@@ -67,7 +67,7 @@ func runBlocker(startPort, endPort int) {
 }
 for port := startPort; port <= endPort; port++ {
- listener, err := net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(port))
+ listener, err := net.Listen("tcp", "0.0.0.0:"+strconv.Itoa(port))
 if err != nil {
 fmt.Printf("Port %v is already blocked. Skipping.\n", port)
 } else {
diff --git a/utils/smtp-send/main.go b/utils/smtp-send/main.go
index c1a2e259..801b9d97 100644
--- a/utils/smtp-send/main.go
+++ b/utils/smtp-send/main.go
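Review bot: The trailing comment on the `SetSslTargetNameOverride` line still explains the override as avoiding a localhost/127.0.0.1 confusion, which no longer describes the code once the override value is "0.0.0.0"; update it to state the actual constraint, e.g. `// for file socket, we skip name verification; the override must equal an IP SAN of the bridge certificate`. Since the override has to match a name in the server certificate's SAN list, this line and the template in internal/certs/tls.go must be changed together or the file-socket handshake will fail verification. connectToServer continues outside the hunk.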
@@ -29,7 +29,7 @@ import (
 )
 var (
- serverURL = flag.String("server", "127.0.0.1:1025", "SMTP server address:port")
+ serverURL = flag.String("server", "0.0.0.0:1025", "SMTP server address:port")
 userName = flag.String("user-name", "user", "SMTP user name")
 userPassword = flag.String("user-pwd", "password", "SMTP user password")
 toAddr = flag.String("toAddr", "", "Address toAddr whom toAddr send the message")