zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9955 Commits
183 Branches
291 MiB
Tree: 2df5c85a8d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2df5c85a8d'
${ noResults }
tendermint/internal/p2p/conn/evil_secret_connection_test.go

271 lines
6.4 KiB
Raw Normal View History

p2p/conn: add a test for MakeSecretConnection (#4829) Refs #4154
4 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
crypto: Use a different library for ed25519/sr25519 (#6526) At Oasis we have spend some time writing a new Ed25519/X25519/sr25519 implementation called curve25519-voi. This PR switches the import from ed25519consensus/go-schnorrkel, which should lead to performance gains on most systems. Summary of changes: * curve25519-voi is now used for Ed25519 operations, following the existing ZIP-215 semantics. * curve25519-voi's public key cache is enabled (hardcoded size of 4096 entries, should be tuned, see the code comment) to accelerate repeated Ed25519 verification with the same public key(s). * (BREAKING) curve25519-voi is now used for sr25519 operations. This is a breaking change as the current sr25519 support does something decidedly non-standard when going from a MiniSecretKey to a SecretKey and or PublicKey (The expansion routine is called twice). While I believe the new behavior (that expands once and only once) to be more "correct", this changes the semantics as implemented. * curve25519-voi is now used for merlin since the included STROBE implementation produces much less garbage on the heap. Side issues fixed: * The version of go-schnorrkel that is currently imported by tendermint has a badly broken batch verification implementation. Upstream has fixed the issue after I reported it, so the version should be bumped in the interim. Open design questions/issues: * As noted, the public key cache size should be tuned. It is currently backed by a trivial thread-safe LRU cache, which is not scan-resistant, but replacing it with something better is a matter of implementing an interface. * As far as I can tell, the only reason why serial verification on batch failure is necessary is to provide more detailed error messages (that are only used in some unit tests). If you trust the batch verification to be consistent with serial verification then the fallback can be eliminated entirely (the BatchVerifier provided by the new library supports an option that omits the fallback if this is chosen as the way forward). * curve25519-voi's sr25519 support could use more optimization and more eyes on the code. The algorithm unfortunately is woefully under-specified, and the implementation was done primarily because I got really sad when I actually looked at go-schnorrkel, and we do not use the algorithm at this time.
3 years ago
p2p/conn: add a test for MakeSecretConnection (#4829) Refs #4154
4 years ago
cleanup: Reduce and normalize import path aliasing. (#6975) The code in the Tendermint repository makes heavy use of import aliasing. This is made necessary by our extensive reuse of common base package names, and by repetition of similar names across different subdirectories. Unfortunately we have not been very consistent about which packages we alias in various circumstances, and the aliases we use vary. In the spirit of the advice in the style guide and https://github.com/golang/go/wiki/CodeReviewComments#imports, his change makes an effort to clean up and normalize import aliasing. This change makes no API or behavioral changes. It is a pure cleanup intended o help make the code more readable to developers (including myself) trying to understand what is being imported where. Only unexported names have been modified, and the changes were generated and applied mechanically with gofmt -r and comby, respecting the lexical and syntactic rules of Go. Even so, I did not fix every inconsistency. Where the changes would be too disruptive, I left it alone. The principles I followed in this cleanup are: - Remove aliases that restate the package name. - Remove aliases where the base package name is unambiguous. - Move overly-terse abbreviations from the import to the usage site. - Fix lexical issues (remove underscores, remove capitalization). - Fix import groupings to more closely match the style guide. - Group blank (side-effecting) imports and ensure they are commented. - Add aliases to multiple imports with the same base package name.
3 years ago
libs: internalize some packages (#6366) ## Description Internalize some libs. This reduces the amount ot public API tendermint is supporting. The moved libraries are mainly ones that are used within Tendermint-core.
3 years ago
proto: folder structure adhere to buf (#5025)
4 years ago
p2p/conn: add a test for MakeSecretConnection (#4829) Refs #4154
4 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
p2p/conn: add a test for MakeSecretConnection (#4829) Refs #4154
4 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
p2p/conn: add a test for MakeSecretConnection (#4829) Refs #4154
4 years ago
cleanup: Reduce and normalize import path aliasing. (#6975) The code in the Tendermint repository makes heavy use of import aliasing. This is made necessary by our extensive reuse of common base package names, and by repetition of similar names across different subdirectories. Unfortunately we have not been very consistent about which packages we alias in various circumstances, and the aliases we use vary. In the spirit of the advice in the style guide and https://github.com/golang/go/wiki/CodeReviewComments#imports, his change makes an effort to clean up and normalize import aliasing. This change makes no API or behavioral changes. It is a pure cleanup intended o help make the code more readable to developers (including myself) trying to understand what is being imported where. Only unexported names have been modified, and the changes were generated and applied mechanically with gofmt -r and comby, respecting the lexical and syntactic rules of Go. Even so, I did not fix every inconsistency. Where the changes would be too disruptive, I left it alone. The principles I followed in this cleanup are: - Remove aliases that restate the package name. - Remove aliases where the base package name is unambiguous. - Move overly-terse abbreviations from the import to the usage site. - Fix lexical issues (remove underscores, remove capitalization). - Fix import groupings to more closely match the style guide. - Group blank (side-effecting) imports and ensure they are commented. - Add aliases to multiple imports with the same base package name.
3 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
p2p/conn: add a test for MakeSecretConnection (#4829) Refs #4154
4 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
p2p/conn: add a test for MakeSecretConnection (#4829) Refs #4154
4 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
p2p/conn: add a test for MakeSecretConnection (#4829) Refs #4154
4 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
p2p/conn: add a test for MakeSecretConnection (#4829) Refs #4154
4 years ago
crypto: Use a different library for ed25519/sr25519 (#6526) At Oasis we have spend some time writing a new Ed25519/X25519/sr25519 implementation called curve25519-voi. This PR switches the import from ed25519consensus/go-schnorrkel, which should lead to performance gains on most systems. Summary of changes: * curve25519-voi is now used for Ed25519 operations, following the existing ZIP-215 semantics. * curve25519-voi's public key cache is enabled (hardcoded size of 4096 entries, should be tuned, see the code comment) to accelerate repeated Ed25519 verification with the same public key(s). * (BREAKING) curve25519-voi is now used for sr25519 operations. This is a breaking change as the current sr25519 support does something decidedly non-standard when going from a MiniSecretKey to a SecretKey and or PublicKey (The expansion routine is called twice). While I believe the new behavior (that expands once and only once) to be more "correct", this changes the semantics as implemented. * curve25519-voi is now used for merlin since the included STROBE implementation produces much less garbage on the heap. Side issues fixed: * The version of go-schnorrkel that is currently imported by tendermint has a badly broken batch verification implementation. Upstream has fixed the issue after I reported it, so the version should be bumped in the interim. Open design questions/issues: * As noted, the public key cache size should be tuned. It is currently backed by a trivial thread-safe LRU cache, which is not scan-resistant, but replacing it with something better is a matter of implementing an interface. * As far as I can tell, the only reason why serial verification on batch failure is necessary is to provide more detailed error messages (that are only used in some unit tests). If you trust the batch verification to be consistent with serial verification then the fallback can be eliminated entirely (the BatchVerifier provided by the new library supports an option that omits the fallback if this is chosen as the way forward). * curve25519-voi's sr25519 support could use more optimization and more eyes on the code. The algorithm unfortunately is woefully under-specified, and the implementation was done primarily because I got really sad when I actually looked at go-schnorrkel, and we do not use the algorithm at this time.
3 years ago
p2p/conn: add a test for MakeSecretConnection (#4829) Refs #4154
4 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
p2p/conn: add a test for MakeSecretConnection (#4829) Refs #4154
4 years ago
 
  1. package conn
  2. 

  3. import (
  4. 	"bytes"
  5. 	"errors"
  6. 	"io"
  7. 	"testing"
  8. 

  9. 	gogotypes "github.com/gogo/protobuf/types"
  10. 	"github.com/oasisprotocol/curve25519-voi/primitives/merlin"
  11. 	"github.com/stretchr/testify/assert"
  12. 	"golang.org/x/crypto/chacha20poly1305"
  13. 

  14. 	"github.com/tendermint/tendermint/crypto"
  15. 	"github.com/tendermint/tendermint/crypto/ed25519"
  16. 	"github.com/tendermint/tendermint/crypto/encoding"
  17. 	"github.com/tendermint/tendermint/internal/libs/protoio"
  18. 	tmp2p "github.com/tendermint/tendermint/proto/tendermint/p2p"
  19. )
  20. 

  21. type buffer struct {
  22. 	next bytes.Buffer
  23. }
  24. 

  25. func (b *buffer) Read(data []byte) (n int, err error) {
  26. 	return b.next.Read(data)
  27. }
  28. 

  29. func (b *buffer) Write(data []byte) (n int, err error) {
  30. 	return b.next.Write(data)
  31. }
  32. 

  33. func (b *buffer) Bytes() []byte {
  34. 	return b.next.Bytes()
  35. }
  36. 

  37. func (b *buffer) Close() error {
  38. 	return nil
  39. }
  40. 

  41. type evilConn struct {
  42. 	secretConn *SecretConnection
  43. 	buffer     *buffer
  44. 

  45. 	locEphPub  *[32]byte
  46. 	locEphPriv *[32]byte
  47. 	remEphPub  *[32]byte
  48. 	privKey    crypto.PrivKey
  49. 

  50. 	readStep   int
  51. 	writeStep  int
  52. 	readOffset int
  53. 

  54. 	shareEphKey        bool
  55. 	badEphKey          bool
  56. 	shareAuthSignature bool
  57. 	badAuthSignature   bool
  58. }
  59. 

  60. func newEvilConn(shareEphKey, badEphKey, shareAuthSignature, badAuthSignature bool) *evilConn {
  61. 	privKey := ed25519.GenPrivKey()
  62. 	locEphPub, locEphPriv := genEphKeys()
  63. 	var rep [32]byte
  64. 	c := &evilConn{
  65. 		locEphPub:  locEphPub,
  66. 		locEphPriv: locEphPriv,
  67. 		remEphPub:  &rep,
  68. 		privKey:    privKey,
  69. 

  70. 		shareEphKey:        shareEphKey,
  71. 		badEphKey:          badEphKey,
  72. 		shareAuthSignature: shareAuthSignature,
  73. 		badAuthSignature:   badAuthSignature,
  74. 	}
  75. 

  76. 	return c
  77. }
  78. 

  79. func (c *evilConn) Read(data []byte) (n int, err error) {
  80. 	if !c.shareEphKey {
  81. 		return 0, io.EOF
  82. 	}
  83. 

  84. 	switch c.readStep {
  85. 	case 0:
  86. 		if !c.badEphKey {
  87. 			lc := *c.locEphPub
  88. 			bz, err := protoio.MarshalDelimited(&gogotypes.BytesValue{Value: lc[:]})
  89. 			if err != nil {
  90. 				panic(err)
  91. 			}
  92. 			copy(data, bz[c.readOffset:])
  93. 			n = len(data)
  94. 		} else {
  95. 			bz, err := protoio.MarshalDelimited(&gogotypes.BytesValue{Value: []byte("drop users;")})
  96. 			if err != nil {
  97. 				panic(err)
  98. 			}
  99. 			copy(data, bz)
  100. 			n = len(data)
  101. 		}
  102. 		c.readOffset += n
  103. 

  104. 		if n >= 32 {
  105. 			c.readOffset = 0
  106. 			c.readStep = 1
  107. 			if !c.shareAuthSignature {
  108. 				c.readStep = 2
  109. 			}
  110. 		}
  111. 

  112. 		return n, nil
  113. 	case 1:
  114. 		signature := c.signChallenge()
  115. 		if !c.badAuthSignature {
  116. 			pkpb, err := encoding.PubKeyToProto(c.privKey.PubKey())
  117. 			if err != nil {
  118. 				panic(err)
  119. 			}
  120. 			bz, err := protoio.MarshalDelimited(&tmp2p.AuthSigMessage{PubKey: pkpb, Sig: signature})
  121. 			if err != nil {
  122. 				panic(err)
  123. 			}
  124. 			n, err = c.secretConn.Write(bz)
  125. 			if err != nil {
  126. 				panic(err)
  127. 			}
  128. 			if c.readOffset > len(c.buffer.Bytes()) {
  129. 				return len(data), nil
  130. 			}
  131. 			copy(data, c.buffer.Bytes()[c.readOffset:])
  132. 		} else {
  133. 			bz, err := protoio.MarshalDelimited(&gogotypes.BytesValue{Value: []byte("select * from users;")})
  134. 			if err != nil {
  135. 				panic(err)
  136. 			}
  137. 			n, err = c.secretConn.Write(bz)
  138. 			if err != nil {
  139. 				panic(err)
  140. 			}
  141. 			if c.readOffset > len(c.buffer.Bytes()) {
  142. 				return len(data), nil
  143. 			}
  144. 			copy(data, c.buffer.Bytes())
  145. 		}
  146. 		c.readOffset += len(data)
  147. 		return n, nil
  148. 	default:
  149. 		return 0, io.EOF
  150. 	}
  151. }
  152. 

  153. func (c *evilConn) Write(data []byte) (n int, err error) {
  154. 	switch c.writeStep {
  155. 	case 0:
  156. 		var (
  157. 			bytes     gogotypes.BytesValue
  158. 			remEphPub [32]byte
  159. 		)
  160. 		err := protoio.UnmarshalDelimited(data, &bytes)
  161. 		if err != nil {
  162. 			panic(err)
  163. 		}
  164. 		copy(remEphPub[:], bytes.Value)
  165. 		c.remEphPub = &remEphPub
  166. 		c.writeStep = 1
  167. 		if !c.shareAuthSignature {
  168. 			c.writeStep = 2
  169. 		}
  170. 		return len(data), nil
  171. 	case 1:
  172. 		// Signature is not needed, therefore skipped.

  173. 		return len(data), nil
  174. 	default:
  175. 		return 0, io.EOF
  176. 	}
  177. }
  178. 

  179. func (c *evilConn) Close() error {
  180. 	return nil
  181. }
  182. 

  183. func (c *evilConn) signChallenge() []byte {
  184. 	// Sort by lexical order.

  185. 	loEphPub, hiEphPub := sort32(c.locEphPub, c.remEphPub)
  186. 

  187. 	transcript := merlin.NewTranscript("TENDERMINT_SECRET_CONNECTION_TRANSCRIPT_HASH")
  188. 

  189. 	transcript.AppendMessage(labelEphemeralLowerPublicKey, loEphPub[:])
  190. 	transcript.AppendMessage(labelEphemeralUpperPublicKey, hiEphPub[:])
  191. 

  192. 	// Check if the local ephemeral public key was the least, lexicographically

  193. 	// sorted.

  194. 	locIsLeast := bytes.Equal(c.locEphPub[:], loEphPub[:])
  195. 

  196. 	// Compute common diffie hellman secret using X25519.

  197. 	dhSecret, err := computeDHSecret(c.remEphPub, c.locEphPriv)
  198. 	if err != nil {
  199. 		panic(err)
  200. 	}
  201. 

  202. 	transcript.AppendMessage(labelDHSecret, dhSecret[:])
  203. 

  204. 	// Generate the secret used for receiving, sending, challenge via HKDF-SHA2

  205. 	// on the transcript state (which itself also uses HKDF-SHA2 to derive a key

  206. 	// from the dhSecret).

  207. 	recvSecret, sendSecret := deriveSecrets(dhSecret, locIsLeast)
  208. 

  209. 	const challengeSize = 32
  210. 	var challenge [challengeSize]byte
  211. 	transcript.ExtractBytes(challenge[:], labelSecretConnectionMac)
  212. 

  213. 	sendAead, err := chacha20poly1305.New(sendSecret[:])
  214. 	if err != nil {
  215. 		panic(errors.New("invalid send SecretConnection Key"))
  216. 	}
  217. 	recvAead, err := chacha20poly1305.New(recvSecret[:])
  218. 	if err != nil {
  219. 		panic(errors.New("invalid receive SecretConnection Key"))
  220. 	}
  221. 

  222. 	b := &buffer{}
  223. 	c.secretConn = &SecretConnection{
  224. 		conn:       b,
  225. 		recvBuffer: nil,
  226. 		recvNonce:  new([aeadNonceSize]byte),
  227. 		sendNonce:  new([aeadNonceSize]byte),
  228. 		recvAead:   recvAead,
  229. 		sendAead:   sendAead,
  230. 	}
  231. 	c.buffer = b
  232. 

  233. 	// Sign the challenge bytes for authentication.

  234. 	locSignature, err := signChallenge(&challenge, c.privKey)
  235. 	if err != nil {
  236. 		panic(err)
  237. 	}
  238. 

  239. 	return locSignature
  240. }
  241. 

  242. // TestMakeSecretConnection creates an evil connection and tests that

  243. // MakeSecretConnection errors at different stages.

  244. func TestMakeSecretConnection(t *testing.T) {
  245. 	testCases := []struct {
  246. 		name   string
  247. 		conn   *evilConn
  248. 		errMsg string
  249. 	}{
  250. 		{"refuse to share ethimeral key", newEvilConn(false, false, false, false), "EOF"},
  251. 		{"share bad ethimeral key", newEvilConn(true, true, false, false), "wrong wireType"},
  252. 		{"refuse to share auth signature", newEvilConn(true, false, false, false), "EOF"},
  253. 		{"share bad auth signature", newEvilConn(true, false, true, true), "failed to decrypt SecretConnection"},
  254. 		{"all good", newEvilConn(true, false, true, false), ""},
  255. 	}
  256. 

  257. 	for _, tc := range testCases {
  258. 		tc := tc
  259. 		t.Run(tc.name, func(t *testing.T) {
  260. 			privKey := ed25519.GenPrivKey()
  261. 			_, err := MakeSecretConnection(tc.conn, privKey)
  262. 			if tc.errMsg != "" {
  263. 				if assert.Error(t, err) {
  264. 					assert.Contains(t, err.Error(), tc.errMsg)
  265. 				}
  266. 			} else {
  267. 				assert.NoError(t, err)
  268. 			}
  269. 		})
  270. 	}
  271. }