zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9955 Commits
183 Branches
291 MiB
Tree: 2df5c85a8d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2df5c85a8d'
${ noResults }
tendermint/internal/p2p/conn/secret_connection.go

464 lines
13 KiB
Raw Normal View History

Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/conn: Add Bufferpool (#3664) * use byte buffer pool to decreass allocs * wrap to put buffer in defer * wapper defer * add dependency * remove Gopkg,* * add change log
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
change use of errors.Wrap to fmt.Errorf with %w verb Closes #4603 Commands used (VIM): ``` :args `rg -l errors.Wrap` :argdo normal @q | update ``` where q is a macros rewriting the `errors.Wrap` to `fmt.Errorf`.
4 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p: session should terminate on nonce wrapping (#3531) (#3609) Refs #3531
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
sync: remove special mutexes (#7438)
3 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
p2p: only allow ed25519 pubkeys when connecting also, recover from any possible failures in acceptPeers Refs #4030
5 years ago
crypto: Use a different library for ed25519/sr25519 (#6526) At Oasis we have spend some time writing a new Ed25519/X25519/sr25519 implementation called curve25519-voi. This PR switches the import from ed25519consensus/go-schnorrkel, which should lead to performance gains on most systems. Summary of changes: * curve25519-voi is now used for Ed25519 operations, following the existing ZIP-215 semantics. * curve25519-voi's public key cache is enabled (hardcoded size of 4096 entries, should be tuned, see the code comment) to accelerate repeated Ed25519 verification with the same public key(s). * (BREAKING) curve25519-voi is now used for sr25519 operations. This is a breaking change as the current sr25519 support does something decidedly non-standard when going from a MiniSecretKey to a SecretKey and or PublicKey (The expansion routine is called twice). While I believe the new behavior (that expands once and only once) to be more "correct", this changes the semantics as implemented. * curve25519-voi is now used for merlin since the included STROBE implementation produces much less garbage on the heap. Side issues fixed: * The version of go-schnorrkel that is currently imported by tendermint has a badly broken batch verification implementation. Upstream has fixed the issue after I reported it, so the version should be bumped in the interim. Open design questions/issues: * As noted, the public key cache size should be tuned. It is currently backed by a trivial thread-safe LRU cache, which is not scan-resistant, but replacing it with something better is a matter of implementing an interface. * As far as I can tell, the only reason why serial verification on batch failure is necessary is to provide more detailed error messages (that are only used in some unit tests). If you trust the batch verification to be consistent with serial verification then the fallback can be eliminated entirely (the BatchVerifier provided by the new library supports an option that omits the fallback if this is chosen as the way forward). * curve25519-voi's sr25519 support could use more optimization and more eyes on the code. The algorithm unfortunately is woefully under-specified, and the implementation was done primarily because I got really sad when I actually looked at go-schnorrkel, and we do not use the algorithm at this time.
3 years ago
p2p/secret_connection: Switch salsa usage to hkdf + chacha This now uses one hkdf on the X25519 shared secret to create a key for the sender and receiver. The hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. The nonces now start at 0, as we are using chacha as a stream cipher, and the sender and receiver now have different keys.
6 years ago
p2p: only allow ed25519 pubkeys when connecting also, recover from any possible failures in acceptPeers Refs #4030
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p: only allow ed25519 pubkeys when connecting also, recover from any possible failures in acceptPeers Refs #4030
5 years ago
cleanup: Reduce and normalize import path aliasing. (#6975) The code in the Tendermint repository makes heavy use of import aliasing. This is made necessary by our extensive reuse of common base package names, and by repetition of similar names across different subdirectories. Unfortunately we have not been very consistent about which packages we alias in various circumstances, and the aliases we use vary. In the spirit of the advice in the style guide and https://github.com/golang/go/wiki/CodeReviewComments#imports, his change makes an effort to clean up and normalize import aliasing. This change makes no API or behavioral changes. It is a pure cleanup intended o help make the code more readable to developers (including myself) trying to understand what is being imported where. Only unexported names have been modified, and the changes were generated and applied mechanically with gofmt -r and comby, respecting the lexical and syntactic rules of Go. Even so, I did not fix every inconsistency. Where the changes would be too disruptive, I left it alone. The principles I followed in this cleanup are: - Remove aliases that restate the package name. - Remove aliases where the base package name is unambiguous. - Move overly-terse abbreviations from the import to the usage site. - Fix lexical issues (remove underscores, remove capitalization). - Fix import groupings to more closely match the style guide. - Group blank (side-effecting) imports and ensure they are commented. - Add aliases to multiple imports with the same base package name.
3 years ago
Move libs/async to internal/libs/async. (#7449)
3 years ago
libs: internalize some packages (#6366) ## Description Internalize some libs. This reduces the amount ot public API tendermint is supporting. The moved libraries are mainly ones that are used within Tendermint-core.
3 years ago
proto: folder structure adhere to buf (#5025)
4 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/conn: simplify secret connection handshake malleability fix with merlin (#4185) * p2p/conn: simplify secret connection handshake malleability fix with merlin Introduces new dependencies on github.com/gtank/merlin and sha3 as a cryptographic primitive This also only uses the transcript hash as a MAC. * p2p/conn: avoid string to byte conversion https://github.com/uber-go/guide/blob/master/style.md#avoid-string-to-byte-conversion
5 years ago
crypto: Use a different library for ed25519/sr25519 (#6526) At Oasis we have spend some time writing a new Ed25519/X25519/sr25519 implementation called curve25519-voi. This PR switches the import from ed25519consensus/go-schnorrkel, which should lead to performance gains on most systems. Summary of changes: * curve25519-voi is now used for Ed25519 operations, following the existing ZIP-215 semantics. * curve25519-voi's public key cache is enabled (hardcoded size of 4096 entries, should be tuned, see the code comment) to accelerate repeated Ed25519 verification with the same public key(s). * (BREAKING) curve25519-voi is now used for sr25519 operations. This is a breaking change as the current sr25519 support does something decidedly non-standard when going from a MiniSecretKey to a SecretKey and or PublicKey (The expansion routine is called twice). While I believe the new behavior (that expands once and only once) to be more "correct", this changes the semantics as implemented. * curve25519-voi is now used for merlin since the included STROBE implementation produces much less garbage on the heap. Side issues fixed: * The version of go-schnorrkel that is currently imported by tendermint has a badly broken batch verification implementation. Upstream has fixed the issue after I reported it, so the version should be bumped in the interim. Open design questions/issues: * As noted, the public key cache size should be tuned. It is currently backed by a trivial thread-safe LRU cache, which is not scan-resistant, but replacing it with something better is a matter of implementing an interface. * As far as I can tell, the only reason why serial verification on batch failure is necessary is to provide more detailed error messages (that are only used in some unit tests). If you trust the batch verification to be consistent with serial verification then the fallback can be eliminated entirely (the BatchVerifier provided by the new library supports an option that omits the fallback if this is chosen as the way forward). * curve25519-voi's sr25519 support could use more optimization and more eyes on the code. The algorithm unfortunately is woefully under-specified, and the implementation was done primarily because I got really sad when I actually looked at go-schnorrkel, and we do not use the algorithm at this time.
3 years ago
p2p/conn: simplify secret connection handshake malleability fix with merlin (#4185) * p2p/conn: simplify secret connection handshake malleability fix with merlin Introduces new dependencies on github.com/gtank/merlin and sha3 as a cryptographic primitive This also only uses the transcript hash as a MAC. * p2p/conn: avoid string to byte conversion https://github.com/uber-go/guide/blob/master/style.md#avoid-string-to-byte-conversion
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
secret connection check all zeroes (#3347) * reject the shared secret if is all zeros in case the blacklist was not sufficient * Add test that verifies lower order pub-keys are rejected at the DH step * Update changelog * fix typo in test-comment
5 years ago
p2p/conn: simplify secret connection handshake malleability fix with merlin (#4185) * p2p/conn: simplify secret connection handshake malleability fix with merlin Introduces new dependencies on github.com/gtank/merlin and sha3 as a cryptographic primitive This also only uses the transcript hash as a MAC. * p2p/conn: avoid string to byte conversion https://github.com/uber-go/guide/blob/master/style.md#avoid-string-to-byte-conversion
5 years ago
secret connection check all zeroes (#3347) * reject the shared secret if is all zeros in case the blacklist was not sufficient * Add test that verifies lower order pub-keys are rejected at the DH step * Update changelog * fix typo in test-comment
5 years ago
secret connection: check for low order points (#3040) > Implement a check for the blacklisted low order points, ala the X25519 has_small_order() function in libsodium (#3010 (comment)) resolves first half of #3010
5 years ago
Make SecretConnection thread safe (#3111) * p2p/conn: add failing tests * p2p/conn: make SecretConnection thread safe * changelog * fix from review
6 years ago
p2p/secret_connection: Switch salsa usage to hkdf + chacha This now uses one hkdf on the X25519 shared secret to create a key for the sender and receiver. The hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. The nonces now start at 0, as we are using chacha as a stream cipher, and the sender and receiver now have different keys.
6 years ago
Make SecretConnection thread safe (#3111) * p2p/conn: add failing tests * p2p/conn: make SecretConnection thread safe * changelog * fix from review
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
Make SecretConnection thread safe (#3111) * p2p/conn: add failing tests * p2p/conn: make SecretConnection thread safe * changelog * fix from review
6 years ago
p2p/conn: Add Bufferpool (#3664) * use byte buffer pool to decreass allocs * wrap to put buffer in defer * wapper defer * add dependency * remove Gopkg,* * add change log
5 years ago
Make SecretConnection thread safe (#3111) * p2p/conn: add failing tests * p2p/conn: make SecretConnection thread safe * changelog * fix from review
6 years ago
sync: remove special mutexes (#7438)
3 years ago
Make SecretConnection thread safe (#3111) * p2p/conn: add failing tests * p2p/conn: make SecretConnection thread safe * changelog * fix from review
6 years ago
sync: remove special mutexes (#7438)
3 years ago
Make SecretConnection thread safe (#3111) * p2p/conn: add failing tests * p2p/conn: make SecretConnection thread safe * changelog * fix from review
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/secret_connection: Switch salsa usage to hkdf + chacha This now uses one hkdf on the X25519 shared secret to create a key for the sender and receiver. The hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. The nonces now start at 0, as we are using chacha as a stream cipher, and the sender and receiver now have different keys.
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p: make SecretConnection non-malleable (#3668) ## Issue: This is an approach to fixing secret connection that is more noise-ish than actually noise. but it essentially fixes the problem that #3315 is trying to solve by making the secret connection handshake non-malleable. It's easy to understand and I think will be acceptable to @jaekwon .. the formal reasoning is basically, if the "view" of the transcript between diverges between the sender and the receiver at any point in the protocol, the handshake would terminate. The base protocol of Station to Station mistakenly assumes that if the sender and receiver arrive at shared secret they have the same view. This is only true for a DH on prime order groups. This robustly solves the problem by having each cryptographic operation commit to operators view of the protocol. Another nice thing about a transcript is it provides the basis for "secure" (barring cryptographic breakages, horrible design flaws, or implementation bugs) downgrades, where a backwards compatible handshake can be used to offer newer protocol features/extensions, peers agree to the common subset of what they support, and both sides have to agree on what the other offered for the transcript MAC to verify. With something like Protos/Amino you already get "extensions" for free (TLS uses a simple TLV format https://tools.ietf.org/html/rfc8446#section-4.2 for extensions not too far off from Protos/Amino), so as long as you cryptographically commit to what they contain in the transcript, it should be possible to extend the protocol in a backwards-compatible manner. ## Commits: * Minimal changes to remove malleability of secret connection removes the need to check for lower order points. Breaks compatibility. Secret connections that have no been updated will fail * Remove the redundant blacklist * remove remainders of blacklist in tests to make the code compile again Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Apply suggestions from code review Apply Ismail's error handling Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * fix error check for io.ReadFull Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Bot from GolangCI <42910462+golangcibot@users.noreply.github.com> * update changelog and format the code * move hkdfInit closer to where it's used
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p: make SecretConnection non-malleable (#3668) ## Issue: This is an approach to fixing secret connection that is more noise-ish than actually noise. but it essentially fixes the problem that #3315 is trying to solve by making the secret connection handshake non-malleable. It's easy to understand and I think will be acceptable to @jaekwon .. the formal reasoning is basically, if the "view" of the transcript between diverges between the sender and the receiver at any point in the protocol, the handshake would terminate. The base protocol of Station to Station mistakenly assumes that if the sender and receiver arrive at shared secret they have the same view. This is only true for a DH on prime order groups. This robustly solves the problem by having each cryptographic operation commit to operators view of the protocol. Another nice thing about a transcript is it provides the basis for "secure" (barring cryptographic breakages, horrible design flaws, or implementation bugs) downgrades, where a backwards compatible handshake can be used to offer newer protocol features/extensions, peers agree to the common subset of what they support, and both sides have to agree on what the other offered for the transcript MAC to verify. With something like Protos/Amino you already get "extensions" for free (TLS uses a simple TLV format https://tools.ietf.org/html/rfc8446#section-4.2 for extensions not too far off from Protos/Amino), so as long as you cryptographically commit to what they contain in the transcript, it should be possible to extend the protocol in a backwards-compatible manner. ## Commits: * Minimal changes to remove malleability of secret connection removes the need to check for lower order points. Breaks compatibility. Secret connections that have no been updated will fail * Remove the redundant blacklist * remove remainders of blacklist in tests to make the code compile again Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Apply suggestions from code review Apply Ismail's error handling Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * fix error check for io.ReadFull Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Bot from GolangCI <42910462+golangcibot@users.noreply.github.com> * update changelog and format the code * move hkdfInit closer to where it's used
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p: make SecretConnection non-malleable (#3668) ## Issue: This is an approach to fixing secret connection that is more noise-ish than actually noise. but it essentially fixes the problem that #3315 is trying to solve by making the secret connection handshake non-malleable. It's easy to understand and I think will be acceptable to @jaekwon .. the formal reasoning is basically, if the "view" of the transcript between diverges between the sender and the receiver at any point in the protocol, the handshake would terminate. The base protocol of Station to Station mistakenly assumes that if the sender and receiver arrive at shared secret they have the same view. This is only true for a DH on prime order groups. This robustly solves the problem by having each cryptographic operation commit to operators view of the protocol. Another nice thing about a transcript is it provides the basis for "secure" (barring cryptographic breakages, horrible design flaws, or implementation bugs) downgrades, where a backwards compatible handshake can be used to offer newer protocol features/extensions, peers agree to the common subset of what they support, and both sides have to agree on what the other offered for the transcript MAC to verify. With something like Protos/Amino you already get "extensions" for free (TLS uses a simple TLV format https://tools.ietf.org/html/rfc8446#section-4.2 for extensions not too far off from Protos/Amino), so as long as you cryptographically commit to what they contain in the transcript, it should be possible to extend the protocol in a backwards-compatible manner. ## Commits: * Minimal changes to remove malleability of secret connection removes the need to check for lower order points. Breaks compatibility. Secret connections that have no been updated will fail * Remove the redundant blacklist * remove remainders of blacklist in tests to make the code compile again Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Apply suggestions from code review Apply Ismail's error handling Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * fix error check for io.ReadFull Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Bot from GolangCI <42910462+golangcibot@users.noreply.github.com> * update changelog and format the code * move hkdfInit closer to where it's used
5 years ago
p2p/conn: simplify secret connection handshake malleability fix with merlin (#4185) * p2p/conn: simplify secret connection handshake malleability fix with merlin Introduces new dependencies on github.com/gtank/merlin and sha3 as a cryptographic primitive This also only uses the transcript hash as a MAC. * p2p/conn: avoid string to byte conversion https://github.com/uber-go/guide/blob/master/style.md#avoid-string-to-byte-conversion
5 years ago
p2p: make SecretConnection non-malleable (#3668) ## Issue: This is an approach to fixing secret connection that is more noise-ish than actually noise. but it essentially fixes the problem that #3315 is trying to solve by making the secret connection handshake non-malleable. It's easy to understand and I think will be acceptable to @jaekwon .. the formal reasoning is basically, if the "view" of the transcript between diverges between the sender and the receiver at any point in the protocol, the handshake would terminate. The base protocol of Station to Station mistakenly assumes that if the sender and receiver arrive at shared secret they have the same view. This is only true for a DH on prime order groups. This robustly solves the problem by having each cryptographic operation commit to operators view of the protocol. Another nice thing about a transcript is it provides the basis for "secure" (barring cryptographic breakages, horrible design flaws, or implementation bugs) downgrades, where a backwards compatible handshake can be used to offer newer protocol features/extensions, peers agree to the common subset of what they support, and both sides have to agree on what the other offered for the transcript MAC to verify. With something like Protos/Amino you already get "extensions" for free (TLS uses a simple TLV format https://tools.ietf.org/html/rfc8446#section-4.2 for extensions not too far off from Protos/Amino), so as long as you cryptographically commit to what they contain in the transcript, it should be possible to extend the protocol in a backwards-compatible manner. ## Commits: * Minimal changes to remove malleability of secret connection removes the need to check for lower order points. Breaks compatibility. Secret connections that have no been updated will fail * Remove the redundant blacklist * remove remainders of blacklist in tests to make the code compile again Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Apply suggestions from code review Apply Ismail's error handling Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * fix error check for io.ReadFull Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Bot from GolangCI <42910462+golangcibot@users.noreply.github.com> * update changelog and format the code * move hkdfInit closer to where it's used
5 years ago
p2p/conn: simplify secret connection handshake malleability fix with merlin (#4185) * p2p/conn: simplify secret connection handshake malleability fix with merlin Introduces new dependencies on github.com/gtank/merlin and sha3 as a cryptographic primitive This also only uses the transcript hash as a MAC. * p2p/conn: avoid string to byte conversion https://github.com/uber-go/guide/blob/master/style.md#avoid-string-to-byte-conversion
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p: make SecretConnection non-malleable (#3668) ## Issue: This is an approach to fixing secret connection that is more noise-ish than actually noise. but it essentially fixes the problem that #3315 is trying to solve by making the secret connection handshake non-malleable. It's easy to understand and I think will be acceptable to @jaekwon .. the formal reasoning is basically, if the "view" of the transcript between diverges between the sender and the receiver at any point in the protocol, the handshake would terminate. The base protocol of Station to Station mistakenly assumes that if the sender and receiver arrive at shared secret they have the same view. This is only true for a DH on prime order groups. This robustly solves the problem by having each cryptographic operation commit to operators view of the protocol. Another nice thing about a transcript is it provides the basis for "secure" (barring cryptographic breakages, horrible design flaws, or implementation bugs) downgrades, where a backwards compatible handshake can be used to offer newer protocol features/extensions, peers agree to the common subset of what they support, and both sides have to agree on what the other offered for the transcript MAC to verify. With something like Protos/Amino you already get "extensions" for free (TLS uses a simple TLV format https://tools.ietf.org/html/rfc8446#section-4.2 for extensions not too far off from Protos/Amino), so as long as you cryptographically commit to what they contain in the transcript, it should be possible to extend the protocol in a backwards-compatible manner. ## Commits: * Minimal changes to remove malleability of secret connection removes the need to check for lower order points. Breaks compatibility. Secret connections that have no been updated will fail * Remove the redundant blacklist * remove remainders of blacklist in tests to make the code compile again Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Apply suggestions from code review Apply Ismail's error handling Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * fix error check for io.ReadFull Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Bot from GolangCI <42910462+golangcibot@users.noreply.github.com> * update changelog and format the code * move hkdfInit closer to where it's used
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/secret_connection: Switch salsa usage to hkdf + chacha This now uses one hkdf on the X25519 shared secret to create a key for the sender and receiver. The hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. The nonces now start at 0, as we are using chacha as a stream cipher, and the sender and receiver now have different keys.
6 years ago
secret connection check all zeroes (#3347) * reject the shared secret if is all zeros in case the blacklist was not sufficient * Add test that verifies lower order pub-keys are rejected at the DH step * Update changelog * fix typo in test-comment
5 years ago
p2p: make SecretConnection non-malleable (#3668) ## Issue: This is an approach to fixing secret connection that is more noise-ish than actually noise. but it essentially fixes the problem that #3315 is trying to solve by making the secret connection handshake non-malleable. It's easy to understand and I think will be acceptable to @jaekwon .. the formal reasoning is basically, if the "view" of the transcript between diverges between the sender and the receiver at any point in the protocol, the handshake would terminate. The base protocol of Station to Station mistakenly assumes that if the sender and receiver arrive at shared secret they have the same view. This is only true for a DH on prime order groups. This robustly solves the problem by having each cryptographic operation commit to operators view of the protocol. Another nice thing about a transcript is it provides the basis for "secure" (barring cryptographic breakages, horrible design flaws, or implementation bugs) downgrades, where a backwards compatible handshake can be used to offer newer protocol features/extensions, peers agree to the common subset of what they support, and both sides have to agree on what the other offered for the transcript MAC to verify. With something like Protos/Amino you already get "extensions" for free (TLS uses a simple TLV format https://tools.ietf.org/html/rfc8446#section-4.2 for extensions not too far off from Protos/Amino), so as long as you cryptographically commit to what they contain in the transcript, it should be possible to extend the protocol in a backwards-compatible manner. ## Commits: * Minimal changes to remove malleability of secret connection removes the need to check for lower order points. Breaks compatibility. Secret connections that have no been updated will fail * Remove the redundant blacklist * remove remainders of blacklist in tests to make the code compile again Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Apply suggestions from code review Apply Ismail's error handling Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * fix error check for io.ReadFull Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Bot from GolangCI <42910462+golangcibot@users.noreply.github.com> * update changelog and format the code * move hkdfInit closer to where it's used
5 years ago
p2p/conn: simplify secret connection handshake malleability fix with merlin (#4185) * p2p/conn: simplify secret connection handshake malleability fix with merlin Introduces new dependencies on github.com/gtank/merlin and sha3 as a cryptographic primitive This also only uses the transcript hash as a MAC. * p2p/conn: avoid string to byte conversion https://github.com/uber-go/guide/blob/master/style.md#avoid-string-to-byte-conversion
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p: make SecretConnection non-malleable (#3668) ## Issue: This is an approach to fixing secret connection that is more noise-ish than actually noise. but it essentially fixes the problem that #3315 is trying to solve by making the secret connection handshake non-malleable. It's easy to understand and I think will be acceptable to @jaekwon .. the formal reasoning is basically, if the "view" of the transcript between diverges between the sender and the receiver at any point in the protocol, the handshake would terminate. The base protocol of Station to Station mistakenly assumes that if the sender and receiver arrive at shared secret they have the same view. This is only true for a DH on prime order groups. This robustly solves the problem by having each cryptographic operation commit to operators view of the protocol. Another nice thing about a transcript is it provides the basis for "secure" (barring cryptographic breakages, horrible design flaws, or implementation bugs) downgrades, where a backwards compatible handshake can be used to offer newer protocol features/extensions, peers agree to the common subset of what they support, and both sides have to agree on what the other offered for the transcript MAC to verify. With something like Protos/Amino you already get "extensions" for free (TLS uses a simple TLV format https://tools.ietf.org/html/rfc8446#section-4.2 for extensions not too far off from Protos/Amino), so as long as you cryptographically commit to what they contain in the transcript, it should be possible to extend the protocol in a backwards-compatible manner. ## Commits: * Minimal changes to remove malleability of secret connection removes the need to check for lower order points. Breaks compatibility. Secret connections that have no been updated will fail * Remove the redundant blacklist * remove remainders of blacklist in tests to make the code compile again Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Apply suggestions from code review Apply Ismail's error handling Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * fix error check for io.ReadFull Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Bot from GolangCI <42910462+golangcibot@users.noreply.github.com> * update changelog and format the code * move hkdfInit closer to where it's used
5 years ago
p2p/conn: simplify secret connection handshake malleability fix with merlin (#4185) * p2p/conn: simplify secret connection handshake malleability fix with merlin Introduces new dependencies on github.com/gtank/merlin and sha3 as a cryptographic primitive This also only uses the transcript hash as a MAC. * p2p/conn: avoid string to byte conversion https://github.com/uber-go/guide/blob/master/style.md#avoid-string-to-byte-conversion
5 years ago
crypto: Use a different library for ed25519/sr25519 (#6526) At Oasis we have spend some time writing a new Ed25519/X25519/sr25519 implementation called curve25519-voi. This PR switches the import from ed25519consensus/go-schnorrkel, which should lead to performance gains on most systems. Summary of changes: * curve25519-voi is now used for Ed25519 operations, following the existing ZIP-215 semantics. * curve25519-voi's public key cache is enabled (hardcoded size of 4096 entries, should be tuned, see the code comment) to accelerate repeated Ed25519 verification with the same public key(s). * (BREAKING) curve25519-voi is now used for sr25519 operations. This is a breaking change as the current sr25519 support does something decidedly non-standard when going from a MiniSecretKey to a SecretKey and or PublicKey (The expansion routine is called twice). While I believe the new behavior (that expands once and only once) to be more "correct", this changes the semantics as implemented. * curve25519-voi is now used for merlin since the included STROBE implementation produces much less garbage on the heap. Side issues fixed: * The version of go-schnorrkel that is currently imported by tendermint has a badly broken batch verification implementation. Upstream has fixed the issue after I reported it, so the version should be bumped in the interim. Open design questions/issues: * As noted, the public key cache size should be tuned. It is currently backed by a trivial thread-safe LRU cache, which is not scan-resistant, but replacing it with something better is a matter of implementing an interface. * As far as I can tell, the only reason why serial verification on batch failure is necessary is to provide more detailed error messages (that are only used in some unit tests). If you trust the batch verification to be consistent with serial verification then the fallback can be eliminated entirely (the BatchVerifier provided by the new library supports an option that omits the fallback if this is chosen as the way forward). * curve25519-voi's sr25519 support could use more optimization and more eyes on the code. The algorithm unfortunately is woefully under-specified, and the implementation was done primarily because I got really sad when I actually looked at go-schnorrkel, and we do not use the algorithm at this time.
3 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/conn: Add Bufferpool (#3664) * use byte buffer pool to decreass allocs * wrap to put buffer in defer * wapper defer * add dependency * remove Gopkg,* * add change log
5 years ago
p2p: only allow ed25519 pubkeys when connecting also, recover from any possible failures in acceptPeers Refs #4030
5 years ago
p2p/conn: Add Bufferpool (#3664) * use byte buffer pool to decreass allocs * wrap to put buffer in defer * wapper defer * add dependency * remove Gopkg,* * add change log
5 years ago
p2p: only allow ed25519 pubkeys when connecting also, recover from any possible failures in acceptPeers Refs #4030
5 years ago
p2p/conn: Add Bufferpool (#3664) * use byte buffer pool to decreass allocs * wrap to put buffer in defer * wapper defer * add dependency * remove Gopkg,* * add change log
5 years ago
p2p: make SecretConnection non-malleable (#3668) ## Issue: This is an approach to fixing secret connection that is more noise-ish than actually noise. but it essentially fixes the problem that #3315 is trying to solve by making the secret connection handshake non-malleable. It's easy to understand and I think will be acceptable to @jaekwon .. the formal reasoning is basically, if the "view" of the transcript between diverges between the sender and the receiver at any point in the protocol, the handshake would terminate. The base protocol of Station to Station mistakenly assumes that if the sender and receiver arrive at shared secret they have the same view. This is only true for a DH on prime order groups. This robustly solves the problem by having each cryptographic operation commit to operators view of the protocol. Another nice thing about a transcript is it provides the basis for "secure" (barring cryptographic breakages, horrible design flaws, or implementation bugs) downgrades, where a backwards compatible handshake can be used to offer newer protocol features/extensions, peers agree to the common subset of what they support, and both sides have to agree on what the other offered for the transcript MAC to verify. With something like Protos/Amino you already get "extensions" for free (TLS uses a simple TLV format https://tools.ietf.org/html/rfc8446#section-4.2 for extensions not too far off from Protos/Amino), so as long as you cryptographically commit to what they contain in the transcript, it should be possible to extend the protocol in a backwards-compatible manner. ## Commits: * Minimal changes to remove malleability of secret connection removes the need to check for lower order points. Breaks compatibility. Secret connections that have no been updated will fail * Remove the redundant blacklist * remove remainders of blacklist in tests to make the code compile again Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Apply suggestions from code review Apply Ismail's error handling Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * fix error check for io.ReadFull Signed-off-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update p2p/conn/secret_connection.go Co-Authored-By: Bot from GolangCI <42910462+golangcibot@users.noreply.github.com> * update changelog and format the code * move hkdfInit closer to where it's used
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/secret_connection: Switch salsa usage to hkdf + chacha This now uses one hkdf on the X25519 shared secret to create a key for the sender and receiver. The hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. The nonces now start at 0, as we are using chacha as a stream cipher, and the sender and receiver now have different keys.
6 years ago
p2p/conn: Add Bufferpool (#3664) * use byte buffer pool to decreass allocs * wrap to put buffer in defer * wapper defer * add dependency * remove Gopkg,* * add change log
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p: return err on `signChallenge` (#4795) * remove panic & todo in secret_connection
4 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/secret_connection: Switch salsa usage to hkdf + chacha This now uses one hkdf on the X25519 shared secret to create a key for the sender and receiver. The hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. The nonces now start at 0, as we are using chacha as a stream cipher, and the sender and receiver now have different keys.
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
crypto: add sr25519 as a validator key (#6376) ## Description Add sr25519 as a validator key option. We support the crypto in tendermint and added batch verification recently.
3 years ago
crypto: remove key suffixes (#4941) ## Description - remove keyname suffix from keys Closes: #2228
4 years ago
change use of errors.Wrap to fmt.Errorf with %w verb Closes #4603 Commands used (VIM): ``` :args `rg -l errors.Wrap` :argdo normal @q | update ``` where q is a macros rewriting the `errors.Wrap` to `fmt.Errorf`.
4 years ago
Fix for panic in signature verification if a peer sends a nil public key.
5 years ago
crypto: add sr25519 as a validator key (#6376) ## Description Add sr25519 as a validator key option. We support the crypto in tendermint and added batch verification recently.
3 years ago
crypto: API modifications (#5236) ## Description This PR aims to make the crypto.PubKey interface more intuitive. Changes: - `VerfiyBytes` -> `VerifySignature` Before `Bytes()` was amino encoded, now since it is the byte representation should we get rid of it entirely? EDIT: decided to keep `Bytes()` as it is useful if you are using the interface instead of the concrete key Closes: #XXX
4 years ago
p2p: only allow ed25519 pubkeys when connecting also, recover from any possible failures in acceptPeers Refs #4030
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/secret_connection: Switch salsa usage to hkdf + chacha This now uses one hkdf on the X25519 shared secret to create a key for the sender and receiver. The hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. The nonces now start at 0, as we are using chacha as a stream cipher, and the sender and receiver now have different keys.
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
Make SecretConnection thread safe (#3111) * p2p/conn: add failing tests * p2p/conn: make SecretConnection thread safe * changelog * fix from review
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
Make SecretConnection thread safe (#3111) * p2p/conn: add failing tests * p2p/conn: make SecretConnection thread safe * changelog * fix from review
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/conn: Add Bufferpool (#3664) * use byte buffer pool to decreass allocs * wrap to put buffer in defer * wapper defer * add dependency * remove Gopkg,* * add change log
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
fix linter errors thrown by `unconvert`, `goconst`, and `nakedret` (#3960) * Remove unnecessary type conversions * Consolidate repeated strings into consts * Clothe return statements * Update blockchain/v1/reactor_fsm_test.go Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> This PR repairs linter errors seen when running the following commands: golangci-lint run --no-config --disable-all=true --enable=unconvert golangci-lint run --no-config --disable-all=true --enable=goconst golangci-lint run --no-config --disable-all=true --enable=nakedret Contributes to #3262
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
Make SecretConnection thread safe (#3111) * p2p/conn: add failing tests * p2p/conn: make SecretConnection thread safe * changelog * fix from review
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
Make SecretConnection thread safe (#3111) * p2p/conn: add failing tests * p2p/conn: make SecretConnection thread safe * changelog * fix from review
6 years ago
p2p/conn: Add Bufferpool (#3664) * use byte buffer pool to decreass allocs * wrap to put buffer in defer * wapper defer * add dependency * remove Gopkg,* * add change log
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
Make SecretConnection thread safe (#3111) * p2p/conn: add failing tests * p2p/conn: make SecretConnection thread safe * changelog * fix from review
6 years ago
p2p/conn: Add Bufferpool (#3664) * use byte buffer pool to decreass allocs * wrap to put buffer in defer * wapper defer * add dependency * remove Gopkg,* * add change log
5 years ago
p2p: Remove RipeMd160. Generate keys with HKDF instead of hash functions, which provides better security properties. Add xchacha20poly1305 to secret connection. (Due to rebasing, this code has been removed)
6 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/secret_connection: Switch salsa usage to hkdf + chacha This now uses one hkdf on the X25519 shared secret to create a key for the sender and receiver. The hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. The nonces now start at 0, as we are using chacha as a stream cipher, and the sender and receiver now have different keys.
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
Make SecretConnection thread safe (#3111) * p2p/conn: add failing tests * p2p/conn: make SecretConnection thread safe * changelog * fix from review
6 years ago
update secret connection to use a little endian encoded nonce (#2264) * update secret connection to use a little endian encoded nonce * update encoding of chunk length to be little endian, too * update comment * Change comment slightly to trigger circelci
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/conn: Add Bufferpool (#3664) * use byte buffer pool to decreass allocs * wrap to put buffer in defer * wapper defer * add dependency * remove Gopkg,* * add change log
5 years ago
fix linter errors thrown by `unconvert`, `goconst`, and `nakedret` (#3960) * Remove unnecessary type conversions * Consolidate repeated strings into consts * Clothe return statements * Update blockchain/v1/reactor_fsm_test.go Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> This PR repairs linter errors seen when running the following commands: golangci-lint run --no-config --disable-all=true --enable=unconvert golangci-lint run --no-config --disable-all=true --enable=goconst golangci-lint run --no-config --disable-all=true --enable=nakedret Contributes to #3262
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
secret connection check all zeroes (#3347) * reject the shared secret if is all zeros in case the blacklist was not sufficient * Add test that verifies lower order pub-keys are rejected at the DH step * Update changelog * fix typo in test-comment
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
secret connection check all zeroes (#3347) * reject the shared secret if is all zeros in case the blacklist was not sufficient * Add test that verifies lower order pub-keys are rejected at the DH step * Update changelog * fix typo in test-comment
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
linters: modify code to pass maligned and interfacer (#3959) * Fix maligned structs * Fix interfacer errors * Revert accidental go.mod and go.sum changes * Revert P2PConfig struct maligned reorder * Revert PeerRoundState struct maligned reordering * Revert RoundState struct maligned reordering * Reorder WSClient struct * Revert accidental type change * Clean up type change * Clean up type changes * Revert to types.ABCIApplicationServer in GRPCServer struct * Revert maligned changes to BaseConfig struct * Fix tests in io_test.go * Fix client_test package tests * Fix reactor tests in consensus package * Fix new interfacer errors
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
libs/common: Refactor libs/common 5 (#4240) * libs/common: Refactor libs/common 5 - move mathematical functions and types out of `libs/common` to math pkg - move net functions out of `libs/common` to net pkg - move string functions out of `libs/common` to strings pkg - move async functions out of `libs/common` to async pkg - move bit functions out of `libs/common` to bits pkg - move cmap functions out of `libs/common` to cmap pkg - move os functions out of `libs/common` to os pkg Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * fix testing issues * fix tests closes #41417 woooooooooooooooooo kill the cmn pkg Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * add changelog entry * fix goimport issues * run gofmt
5 years ago
linters: enable stylecheck (#4153) Refs #3262
5 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
linters: enable stylecheck (#4153) Refs #3262
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
linters: enable stylecheck (#4153) Refs #3262
5 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
p2p: fix MConnection inbound traffic statistics and rate limiting (#5868) Fixes #5866. Inbound traffic monitoring (and by extension inbound rate limiting) was inadvertently removed in 660e72a.
4 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
linters: enable stylecheck (#4153) Refs #3262
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p/conn: simplify secret connection handshake malleability fix with merlin (#4185) * p2p/conn: simplify secret connection handshake malleability fix with merlin Introduces new dependencies on github.com/gtank/merlin and sha3 as a cryptographic primitive This also only uses the transcript hash as a MAC. * p2p/conn: avoid string to byte conversion https://github.com/uber-go/guide/blob/master/style.md#avoid-string-to-byte-conversion
5 years ago
Fix linter errors thrown by `lll` (#3970) * Fix long line errors in abci, crypto, and libs packages * Fix long lines in p2p and rpc packages * Fix long lines in abci, state, and tools packages * Fix long lines in behaviour and blockchain packages * Fix long lines in cmd and config packages * Begin fixing long lines in consensus package * Finish fixing long lines in consensus package * Add lll exclusion for lines containing URLs * Fix long lines in crypto package * Fix long lines in evidence package * Fix long lines in mempool and node packages * Fix long lines in libs package * Fix long lines in lite package * Fix new long line in node package * Fix long lines in p2p package * Ignore gocritic warning * Fix long lines in privval package * Fix long lines in rpc package * Fix long lines in scripts package * Fix long lines in state package * Fix long lines in tools package * Fix long lines in types package * Enable lll linter
5 years ago
p2p/conn: simplify secret connection handshake malleability fix with merlin (#4185) * p2p/conn: simplify secret connection handshake malleability fix with merlin Introduces new dependencies on github.com/gtank/merlin and sha3 as a cryptographic primitive This also only uses the transcript hash as a MAC. * p2p/conn: avoid string to byte conversion https://github.com/uber-go/guide/blob/master/style.md#avoid-string-to-byte-conversion
5 years ago
p2p/secret_connection: Switch salsa usage to hkdf + chacha This now uses one hkdf on the X25519 shared secret to create a key for the sender and receiver. The hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. The nonces now start at 0, as we are using chacha as a stream cipher, and the sender and receiver now have different keys.
6 years ago
p2p/conn: simplify secret connection handshake malleability fix with merlin (#4185) * p2p/conn: simplify secret connection handshake malleability fix with merlin Introduces new dependencies on github.com/gtank/merlin and sha3 as a cryptographic primitive This also only uses the transcript hash as a MAC. * p2p/conn: avoid string to byte conversion https://github.com/uber-go/guide/blob/master/style.md#avoid-string-to-byte-conversion
5 years ago
p2p/secret_connection: Switch salsa usage to hkdf + chacha This now uses one hkdf on the X25519 shared secret to create a key for the sender and receiver. The hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. The nonces now start at 0, as we are using chacha as a stream cipher, and the sender and receiver now have different keys.
6 years ago
p2p: fix comment in secret connection (#3348) Just a minor followup on the review if #3347: Fixes a comment. [#3347 (comment)](https://github.com/tendermint/tendermint/pull/3347#discussion_r259582330)
5 years ago
p2p: use curve25519.X25519() instead of ScalarMult() (#4449) * p2p: use curve25519.X25519() instead of ScalarMult() * Renamed array to shrKeyArray * Updated CHANGELOG_PENDING * Revert "Updated CHANGELOG_PENDING" This reverts commit dbb72e0bf721287847ac136c99f385ce7456d1f7.
4 years ago
secret connection check all zeroes (#3347) * reject the shared secret if is all zeros in case the blacklist was not sufficient * Add test that verifies lower order pub-keys are rejected at the DH step * Update changelog * fix typo in test-comment
5 years ago
p2p: use curve25519.X25519() instead of ScalarMult() (#4449) * p2p: use curve25519.X25519() instead of ScalarMult() * Renamed array to shrKeyArray * Updated CHANGELOG_PENDING * Revert "Updated CHANGELOG_PENDING" This reverts commit dbb72e0bf721287847ac136c99f385ce7456d1f7.
4 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p: return err on `signChallenge` (#4795) * remove panic & todo in secret_connection
4 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p: return err on `signChallenge` (#4795) * remove panic & todo in secret_connection
4 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
p2p: return err on `signChallenge` (#4795) * remove panic & todo in secret_connection
4 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
crypto: Remove interface from crypto.Signature Signatures are now []byte, which saves on the number of bytes after amino encoding (squash this) address Ismail's comment
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
linters: modify code to pass maligned and interfacer (#3959) * Fix maligned structs * Fix interfacer errors * Revert accidental go.mod and go.sum changes * Revert P2PConfig struct maligned reorder * Revert PeerRoundState struct maligned reordering * Revert RoundState struct maligned reordering * Reorder WSClient struct * Revert accidental type change * Clean up type change * Clean up type changes * Revert to types.ABCIApplicationServer in GRPCServer struct * Revert maligned changes to BaseConfig struct * Fix tests in io_test.go * Fix client_test package tests * Fix reactor tests in consensus package * Fix new interfacer errors
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
libs/common: Refactor libs/common 5 (#4240) * libs/common: Refactor libs/common 5 - move mathematical functions and types out of `libs/common` to math pkg - move net functions out of `libs/common` to net pkg - move string functions out of `libs/common` to strings pkg - move async functions out of `libs/common` to async pkg - move bit functions out of `libs/common` to bits pkg - move cmap functions out of `libs/common` to cmap pkg - move os functions out of `libs/common` to os pkg Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * fix testing issues * fix tests closes #41417 woooooooooooooooooo kill the cmn pkg Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * add changelog entry * fix goimport issues * run gofmt
5 years ago
linters: enable stylecheck (#4153) Refs #3262
5 years ago
cleanup: Reduce and normalize import path aliasing. (#6975) The code in the Tendermint repository makes heavy use of import aliasing. This is made necessary by our extensive reuse of common base package names, and by repetition of similar names across different subdirectories. Unfortunately we have not been very consistent about which packages we alias in various circumstances, and the aliases we use vary. In the spirit of the advice in the style guide and https://github.com/golang/go/wiki/CodeReviewComments#imports, his change makes an effort to clean up and normalize import aliasing. This change makes no API or behavioral changes. It is a pure cleanup intended o help make the code more readable to developers (including myself) trying to understand what is being imported where. Only unexported names have been modified, and the changes were generated and applied mechanically with gofmt -r and comby, respecting the lexical and syntactic rules of Go. Even so, I did not fix every inconsistency. Where the changes would be too disruptive, I left it alone. The principles I followed in this cleanup are: - Remove aliases that restate the package name. - Remove aliases where the base package name is unambiguous. - Move overly-terse abbreviations from the import to the usage site. - Fix lexical issues (remove underscores, remove capitalization). - Fix import groupings to more closely match the style guide. - Group blank (side-effecting) imports and ensure they are commented. - Add aliases to multiple imports with the same base package name.
3 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
linters: enable stylecheck (#4153) Refs #3262
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
linters: enable stylecheck (#4153) Refs #3262
5 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
p2p: fix MConnection inbound traffic statistics and rate limiting (#5868) Fixes #5866. Inbound traffic monitoring (and by extension inbound rate limiting) was inadvertently removed in 660e72a.
4 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
cleanup: Reduce and normalize import path aliasing. (#6975) The code in the Tendermint repository makes heavy use of import aliasing. This is made necessary by our extensive reuse of common base package names, and by repetition of similar names across different subdirectories. Unfortunately we have not been very consistent about which packages we alias in various circumstances, and the aliases we use vary. In the spirit of the advice in the style guide and https://github.com/golang/go/wiki/CodeReviewComments#imports, his change makes an effort to clean up and normalize import aliasing. This change makes no API or behavioral changes. It is a pure cleanup intended o help make the code more readable to developers (including myself) trying to understand what is being imported where. Only unexported names have been modified, and the changes were generated and applied mechanically with gofmt -r and comby, respecting the lexical and syntactic rules of Go. Even so, I did not fix every inconsistency. Where the changes would be too disruptive, I left it alone. The principles I followed in this cleanup are: - Remove aliases that restate the package name. - Remove aliases where the base package name is unambiguous. - Move overly-terse abbreviations from the import to the usage site. - Fix lexical issues (remove underscores, remove capitalization). - Fix import groupings to more closely match the style guide. - Group blank (side-effecting) imports and ensure they are commented. - Add aliases to multiple imports with the same base package name.
3 years ago
p2p/conn: migrate to Protobuf (#4990) Migrates the p2p connections to Protobuf. Supersedes #4800. gogoproto's `NewDelimitedReader()` uses an internal buffer, which makes it unsuitable for reading individual messages from a shared reader (since any remaining data in the buffer will be discarded). We therefore add a new `protoio` package with an unbuffered `NewDelimitedReader()`. Additionally, the `NewDelimitedWriter()` returns the number of bytes written, and we've added `MarshalDelimited()` and `UnmarshalDelimited()`, to ease migration of existing code.
4 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
linters: enable stylecheck (#4153) Refs #3262
5 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
update secret connection to use a little endian encoded nonce (#2264) * update secret connection to use a little endian encoded nonce * update encoding of chunk length to be little endian, too * update comment * Change comment slightly to trigger circelci
6 years ago
p2p/secret_connection: Switch salsa usage to hkdf + chacha This now uses one hkdf on the X25519 shared secret to create a key for the sender and receiver. The hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. The nonces now start at 0, as we are using chacha as a stream cipher, and the sender and receiver now have different keys.
6 years ago
update secret connection to use a little endian encoded nonce (#2264) * update secret connection to use a little endian encoded nonce * update encoding of chunk length to be little endian, too * update comment * Change comment slightly to trigger circelci
6 years ago
p2p: session should terminate on nonce wrapping (#3531) (#3609) Refs #3531
5 years ago
update secret connection to use a little endian encoded nonce (#2264) * update secret connection to use a little endian encoded nonce * update encoding of chunk length to be little endian, too * update comment * Change comment slightly to trigger circelci
6 years ago
Revert "delete everything" (includes everything non-go-crypto) This reverts commit 96a3502
6 years ago
 
  1. package conn
  2. 

  3. import (
  4. 	"bytes"
  5. 	"crypto/cipher"
  6. 	crand "crypto/rand"
  7. 	"crypto/sha256"
  8. 	"encoding/binary"
  9. 	"errors"
  10. 	"fmt"
  11. 	"io"
  12. 	"math"
  13. 	"net"
  14. 	"sync"
  15. 	"time"
  16. 

  17. 	gogotypes "github.com/gogo/protobuf/types"
  18. 	pool "github.com/libp2p/go-buffer-pool"
  19. 	"github.com/oasisprotocol/curve25519-voi/primitives/merlin"
  20. 	"golang.org/x/crypto/chacha20poly1305"
  21. 	"golang.org/x/crypto/curve25519"
  22. 	"golang.org/x/crypto/hkdf"
  23. 	"golang.org/x/crypto/nacl/box"
  24. 

  25. 	"github.com/tendermint/tendermint/crypto"
  26. 	"github.com/tendermint/tendermint/crypto/ed25519"
  27. 	"github.com/tendermint/tendermint/crypto/encoding"
  28. 	"github.com/tendermint/tendermint/internal/libs/async"
  29. 	"github.com/tendermint/tendermint/internal/libs/protoio"
  30. 	tmp2p "github.com/tendermint/tendermint/proto/tendermint/p2p"
  31. )
  32. 

  33. // 4 + 1024 == 1028 total frame size

  34. const (
  35. 	dataLenSize      = 4
  36. 	dataMaxSize      = 1024
  37. 	totalFrameSize   = dataMaxSize + dataLenSize
  38. 	aeadSizeOverhead = 16 // overhead of poly 1305 authentication tag

  39. 	aeadKeySize      = chacha20poly1305.KeySize
  40. 	aeadNonceSize    = chacha20poly1305.NonceSize
  41. 

  42. 	labelEphemeralLowerPublicKey = "EPHEMERAL_LOWER_PUBLIC_KEY"
  43. 	labelEphemeralUpperPublicKey = "EPHEMERAL_UPPER_PUBLIC_KEY"
  44. 	labelDHSecret                = "DH_SECRET"
  45. 	labelSecretConnectionMac     = "SECRET_CONNECTION_MAC"
  46. )
  47. 

  48. var (
  49. 	ErrSmallOrderRemotePubKey = errors.New("detected low order point from remote peer")
  50. 

  51. 	secretConnKeyAndChallengeGen = []byte("TENDERMINT_SECRET_CONNECTION_KEY_AND_CHALLENGE_GEN")
  52. )
  53. 

  54. // SecretConnection implements net.Conn.

  55. // It is an implementation of the STS protocol.

  56. // See https://github.com/tendermint/tendermint/blob/0.1/docs/sts-final.pdf for

  57. // details on the protocol.

  58. //

  59. // Consumers of the SecretConnection are responsible for authenticating

  60. // the remote peer's pubkey against known information, like a nodeID.

  61. // Otherwise they are vulnerable to MITM.

  62. // (TODO(ismail): see also https://github.com/tendermint/tendermint/issues/3010)

  63. type SecretConnection struct {
  64. 

  65. 	// immutable

  66. 	recvAead cipher.AEAD
  67. 	sendAead cipher.AEAD
  68. 

  69. 	remPubKey crypto.PubKey
  70. 	conn      io.ReadWriteCloser
  71. 

  72. 	// net.Conn must be thread safe:

  73. 	// https://golang.org/pkg/net/#Conn.

  74. 	// Since we have internal mutable state,

  75. 	// we need mtxs. But recv and send states

  76. 	// are independent, so we can use two mtxs.

  77. 	// All .Read are covered by recvMtx,

  78. 	// all .Write are covered by sendMtx.

  79. 	recvMtx    sync.Mutex
  80. 	recvBuffer []byte
  81. 	recvNonce  *[aeadNonceSize]byte
  82. 

  83. 	sendMtx   sync.Mutex
  84. 	sendNonce *[aeadNonceSize]byte
  85. }
  86. 

  87. // MakeSecretConnection performs handshake and returns a new authenticated

  88. // SecretConnection.

  89. // Returns nil if there is an error in handshake.

  90. // Caller should call conn.Close()

  91. // See docs/sts-final.pdf for more information.

  92. func MakeSecretConnection(conn io.ReadWriteCloser, locPrivKey crypto.PrivKey) (*SecretConnection, error) {
  93. 	var (
  94. 		locPubKey = locPrivKey.PubKey()
  95. 	)
  96. 

  97. 	// Generate ephemeral keys for perfect forward secrecy.

  98. 	locEphPub, locEphPriv := genEphKeys()
  99. 

  100. 	// Write local ephemeral pubkey and receive one too.

  101. 	// NOTE: every 32-byte string is accepted as a Curve25519 public key (see

  102. 	// DJB's Curve25519 paper: http://cr.yp.to/ecdh/curve25519-20060209.pdf)

  103. 	remEphPub, err := shareEphPubKey(conn, locEphPub)
  104. 	if err != nil {
  105. 		return nil, err
  106. 	}
  107. 

  108. 	// Sort by lexical order.

  109. 	loEphPub, hiEphPub := sort32(locEphPub, remEphPub)
  110. 

  111. 	transcript := merlin.NewTranscript("TENDERMINT_SECRET_CONNECTION_TRANSCRIPT_HASH")
  112. 

  113. 	transcript.AppendMessage(labelEphemeralLowerPublicKey, loEphPub[:])
  114. 	transcript.AppendMessage(labelEphemeralUpperPublicKey, hiEphPub[:])
  115. 

  116. 	// Check if the local ephemeral public key was the least, lexicographically

  117. 	// sorted.

  118. 	locIsLeast := bytes.Equal(locEphPub[:], loEphPub[:])
  119. 

  120. 	// Compute common diffie hellman secret using X25519.

  121. 	dhSecret, err := computeDHSecret(remEphPub, locEphPriv)
  122. 	if err != nil {
  123. 		return nil, err
  124. 	}
  125. 

  126. 	transcript.AppendMessage(labelDHSecret, dhSecret[:])
  127. 

  128. 	// Generate the secret used for receiving, sending, challenge via HKDF-SHA2

  129. 	// on the transcript state (which itself also uses HKDF-SHA2 to derive a key

  130. 	// from the dhSecret).

  131. 	recvSecret, sendSecret := deriveSecrets(dhSecret, locIsLeast)
  132. 

  133. 	const challengeSize = 32
  134. 	var challenge [challengeSize]byte
  135. 	transcript.ExtractBytes(challenge[:], labelSecretConnectionMac)
  136. 

  137. 	sendAead, err := chacha20poly1305.New(sendSecret[:])
  138. 	if err != nil {
  139. 		return nil, errors.New("invalid send SecretConnection Key")
  140. 	}
  141. 	recvAead, err := chacha20poly1305.New(recvSecret[:])
  142. 	if err != nil {
  143. 		return nil, errors.New("invalid receive SecretConnection Key")
  144. 	}
  145. 

  146. 	sc := &SecretConnection{
  147. 		conn:       conn,
  148. 		recvBuffer: nil,
  149. 		recvNonce:  new([aeadNonceSize]byte),
  150. 		sendNonce:  new([aeadNonceSize]byte),
  151. 		recvAead:   recvAead,
  152. 		sendAead:   sendAead,
  153. 	}
  154. 

  155. 	// Sign the challenge bytes for authentication.

  156. 	locSignature, err := signChallenge(&challenge, locPrivKey)
  157. 	if err != nil {
  158. 		return nil, err
  159. 	}
  160. 

  161. 	// Share (in secret) each other's pubkey & challenge signature

  162. 	authSigMsg, err := shareAuthSignature(sc, locPubKey, locSignature)
  163. 	if err != nil {
  164. 		return nil, err
  165. 	}
  166. 

  167. 	remPubKey, remSignature := authSigMsg.Key, authSigMsg.Sig
  168. 

  169. 	if _, ok := remPubKey.(ed25519.PubKey); !ok {
  170. 		return nil, fmt.Errorf("expected ed25519 pubkey, got %T", remPubKey)
  171. 	}
  172. 

  173. 	if !remPubKey.VerifySignature(challenge[:], remSignature) {
  174. 		return nil, errors.New("challenge verification failed")
  175. 	}
  176. 

  177. 	// We've authorized.

  178. 	sc.remPubKey = remPubKey
  179. 	return sc, nil
  180. }
  181. 

  182. // RemotePubKey returns authenticated remote pubkey

  183. func (sc *SecretConnection) RemotePubKey() crypto.PubKey {
  184. 	return sc.remPubKey
  185. }
  186. 

  187. // Writes encrypted frames of `totalFrameSize + aeadSizeOverhead`.

  188. // CONTRACT: data smaller than dataMaxSize is written atomically.

  189. func (sc *SecretConnection) Write(data []byte) (n int, err error) {
  190. 	sc.sendMtx.Lock()
  191. 	defer sc.sendMtx.Unlock()
  192. 

  193. 	for 0 < len(data) {
  194. 		if err := func() error {
  195. 			var sealedFrame = pool.Get(aeadSizeOverhead + totalFrameSize)
  196. 			var frame = pool.Get(totalFrameSize)
  197. 			defer func() {
  198. 				pool.Put(sealedFrame)
  199. 				pool.Put(frame)
  200. 			}()
  201. 			var chunk []byte
  202. 			if dataMaxSize < len(data) {
  203. 				chunk = data[:dataMaxSize]
  204. 				data = data[dataMaxSize:]
  205. 			} else {
  206. 				chunk = data
  207. 				data = nil
  208. 			}
  209. 			chunkLength := len(chunk)
  210. 			binary.LittleEndian.PutUint32(frame, uint32(chunkLength))
  211. 			copy(frame[dataLenSize:], chunk)
  212. 

  213. 			// encrypt the frame

  214. 			sc.sendAead.Seal(sealedFrame[:0], sc.sendNonce[:], frame, nil)
  215. 			incrNonce(sc.sendNonce)
  216. 			// end encryption

  217. 

  218. 			_, err = sc.conn.Write(sealedFrame)
  219. 			if err != nil {
  220. 				return err
  221. 			}
  222. 			n += len(chunk)
  223. 			return nil
  224. 		}(); err != nil {
  225. 			return n, err
  226. 		}
  227. 	}
  228. 	return n, err
  229. }
  230. 

  231. // CONTRACT: data smaller than dataMaxSize is read atomically.

  232. func (sc *SecretConnection) Read(data []byte) (n int, err error) {
  233. 	sc.recvMtx.Lock()
  234. 	defer sc.recvMtx.Unlock()
  235. 

  236. 	// read off and update the recvBuffer, if non-empty

  237. 	if 0 < len(sc.recvBuffer) {
  238. 		n = copy(data, sc.recvBuffer)
  239. 		sc.recvBuffer = sc.recvBuffer[n:]
  240. 		return
  241. 	}
  242. 

  243. 	// read off the conn

  244. 	var sealedFrame = pool.Get(aeadSizeOverhead + totalFrameSize)
  245. 	defer pool.Put(sealedFrame)
  246. 	_, err = io.ReadFull(sc.conn, sealedFrame)
  247. 	if err != nil {
  248. 		return
  249. 	}
  250. 

  251. 	// decrypt the frame.

  252. 	// reads and updates the sc.recvNonce

  253. 	var frame = pool.Get(totalFrameSize)
  254. 	defer pool.Put(frame)
  255. 	_, err = sc.recvAead.Open(frame[:0], sc.recvNonce[:], sealedFrame, nil)
  256. 	if err != nil {
  257. 		return n, fmt.Errorf("failed to decrypt SecretConnection: %w", err)
  258. 	}
  259. 	incrNonce(sc.recvNonce)
  260. 	// end decryption

  261. 

  262. 	// copy checkLength worth into data,

  263. 	// set recvBuffer to the rest.

  264. 	var chunkLength = binary.LittleEndian.Uint32(frame) // read the first four bytes

  265. 	if chunkLength > dataMaxSize {
  266. 		return 0, errors.New("chunkLength is greater than dataMaxSize")
  267. 	}
  268. 	var chunk = frame[dataLenSize : dataLenSize+chunkLength]
  269. 	n = copy(data, chunk)
  270. 	if n < len(chunk) {
  271. 		sc.recvBuffer = make([]byte, len(chunk)-n)
  272. 		copy(sc.recvBuffer, chunk[n:])
  273. 	}
  274. 	return n, err
  275. }
  276. 

  277. // Implements net.Conn

  278. func (sc *SecretConnection) Close() error                  { return sc.conn.Close() }
  279. func (sc *SecretConnection) LocalAddr() net.Addr           { return sc.conn.(net.Conn).LocalAddr() }
  280. func (sc *SecretConnection) RemoteAddr() net.Addr          { return sc.conn.(net.Conn).RemoteAddr() }
  281. func (sc *SecretConnection) SetDeadline(t time.Time) error { return sc.conn.(net.Conn).SetDeadline(t) }
  282. func (sc *SecretConnection) SetReadDeadline(t time.Time) error {
  283. 	return sc.conn.(net.Conn).SetReadDeadline(t)
  284. }
  285. func (sc *SecretConnection) SetWriteDeadline(t time.Time) error {
  286. 	return sc.conn.(net.Conn).SetWriteDeadline(t)
  287. }
  288. 

  289. func genEphKeys() (ephPub, ephPriv *[32]byte) {
  290. 	var err error
  291. 	// TODO: Probably not a problem but ask Tony: different from the rust implementation (uses x25519-dalek),

  292. 	// we do not "clamp" the private key scalar:

  293. 	// see: https://github.com/dalek-cryptography/x25519-dalek/blob/34676d336049df2bba763cc076a75e47ae1f170f/src/x25519.rs#L56-L74

  294. 	ephPub, ephPriv, err = box.GenerateKey(crand.Reader)
  295. 	if err != nil {
  296. 		panic("Could not generate ephemeral key-pair")
  297. 	}
  298. 	return
  299. }
  300. 

  301. func shareEphPubKey(conn io.ReadWriter, locEphPub *[32]byte) (remEphPub *[32]byte, err error) {
  302. 

  303. 	// Send our pubkey and receive theirs in tandem.

  304. 	var trs, _ = async.Parallel(
  305. 		func(_ int) (val interface{}, abort bool, err error) {
  306. 			lc := *locEphPub
  307. 			_, err = protoio.NewDelimitedWriter(conn).WriteMsg(&gogotypes.BytesValue{Value: lc[:]})
  308. 			if err != nil {
  309. 				return nil, true, err // abort

  310. 			}
  311. 			return nil, false, nil
  312. 		},
  313. 		func(_ int) (val interface{}, abort bool, err error) {
  314. 			var bytes gogotypes.BytesValue
  315. 			_, err = protoio.NewDelimitedReader(conn, 1024*1024).ReadMsg(&bytes)
  316. 			if err != nil {
  317. 				return nil, true, err // abort

  318. 			}
  319. 

  320. 			var _remEphPub [32]byte
  321. 			copy(_remEphPub[:], bytes.Value)
  322. 			return _remEphPub, false, nil
  323. 		},
  324. 	)
  325. 

  326. 	// If error:

  327. 	if trs.FirstError() != nil {
  328. 		err = trs.FirstError()
  329. 		return
  330. 	}
  331. 

  332. 	// Otherwise:

  333. 	var _remEphPub = trs.FirstValue().([32]byte)
  334. 	return &_remEphPub, nil
  335. }
  336. 

  337. func deriveSecrets(
  338. 	dhSecret *[32]byte,
  339. 	locIsLeast bool,
  340. ) (recvSecret, sendSecret *[aeadKeySize]byte) {
  341. 	hash := sha256.New
  342. 	hkdf := hkdf.New(hash, dhSecret[:], nil, secretConnKeyAndChallengeGen)
  343. 	// get enough data for 2 aead keys, and a 32 byte challenge

  344. 	res := new([2*aeadKeySize + 32]byte)
  345. 	_, err := io.ReadFull(hkdf, res[:])
  346. 	if err != nil {
  347. 		panic(err)
  348. 	}
  349. 

  350. 	recvSecret = new([aeadKeySize]byte)
  351. 	sendSecret = new([aeadKeySize]byte)
  352. 

  353. 	// bytes 0 through aeadKeySize - 1 are one aead key.

  354. 	// bytes aeadKeySize through 2*aeadKeySize -1 are another aead key.

  355. 	// which key corresponds to sending and receiving key depends on whether

  356. 	// the local key is less than the remote key.

  357. 	if locIsLeast {
  358. 		copy(recvSecret[:], res[0:aeadKeySize])
  359. 		copy(sendSecret[:], res[aeadKeySize:aeadKeySize*2])
  360. 	} else {
  361. 		copy(sendSecret[:], res[0:aeadKeySize])
  362. 		copy(recvSecret[:], res[aeadKeySize:aeadKeySize*2])
  363. 	}
  364. 

  365. 	return
  366. }
  367. 

  368. // computeDHSecret computes a Diffie-Hellman shared secret key

  369. // from our own local private key and the other's public key.

  370. func computeDHSecret(remPubKey, locPrivKey *[32]byte) (*[32]byte, error) {
  371. 	shrKey, err := curve25519.X25519(locPrivKey[:], remPubKey[:])
  372. 	if err != nil {
  373. 		return nil, err
  374. 	}
  375. 	var shrKeyArray [32]byte
  376. 	copy(shrKeyArray[:], shrKey)
  377. 	return &shrKeyArray, nil
  378. }
  379. 

  380. func sort32(foo, bar *[32]byte) (lo, hi *[32]byte) {
  381. 	if bytes.Compare(foo[:], bar[:]) < 0 {
  382. 		lo = foo
  383. 		hi = bar
  384. 	} else {
  385. 		lo = bar
  386. 		hi = foo
  387. 	}
  388. 	return
  389. }
  390. 

  391. func signChallenge(challenge *[32]byte, locPrivKey crypto.PrivKey) ([]byte, error) {
  392. 	signature, err := locPrivKey.Sign(challenge[:])
  393. 	if err != nil {
  394. 		return nil, err
  395. 	}
  396. 	return signature, nil
  397. }
  398. 

  399. type authSigMessage struct {
  400. 	Key crypto.PubKey
  401. 	Sig []byte
  402. }
  403. 

  404. func shareAuthSignature(sc io.ReadWriter, pubKey crypto.PubKey, signature []byte) (recvMsg authSigMessage, err error) {
  405. 

  406. 	// Send our info and receive theirs in tandem.

  407. 	var trs, _ = async.Parallel(
  408. 		func(_ int) (val interface{}, abort bool, err error) {
  409. 			pbpk, err := encoding.PubKeyToProto(pubKey)
  410. 			if err != nil {
  411. 				return nil, true, err
  412. 			}
  413. 			_, err = protoio.NewDelimitedWriter(sc).WriteMsg(&tmp2p.AuthSigMessage{PubKey: pbpk, Sig: signature})
  414. 			if err != nil {
  415. 				return nil, true, err // abort

  416. 			}
  417. 			return nil, false, nil
  418. 		},
  419. 		func(_ int) (val interface{}, abort bool, err error) {
  420. 			var pba tmp2p.AuthSigMessage
  421. 			_, err = protoio.NewDelimitedReader(sc, 1024*1024).ReadMsg(&pba)
  422. 			if err != nil {
  423. 				return nil, true, err // abort

  424. 			}
  425. 

  426. 			pk, err := encoding.PubKeyFromProto(pba.PubKey)
  427. 			if err != nil {
  428. 				return nil, true, err // abort

  429. 			}
  430. 

  431. 			_recvMsg := authSigMessage{
  432. 				Key: pk,
  433. 				Sig: pba.Sig,
  434. 			}
  435. 			return _recvMsg, false, nil
  436. 		},
  437. 	)
  438. 

  439. 	// If error:

  440. 	if trs.FirstError() != nil {
  441. 		err = trs.FirstError()
  442. 		return
  443. 	}
  444. 

  445. 	var _recvMsg = trs.FirstValue().(authSigMessage)
  446. 	return _recvMsg, nil
  447. }
  448. 

  449. //--------------------------------------------------------------------------------

  450. 

  451. // Increment nonce little-endian by 1 with wraparound.

  452. // Due to chacha20poly1305 expecting a 12 byte nonce we do not use the first four

  453. // bytes. We only increment a 64 bit unsigned int in the remaining 8 bytes

  454. // (little-endian in nonce[4:]).

  455. func incrNonce(nonce *[aeadNonceSize]byte) {
  456. 	counter := binary.LittleEndian.Uint64(nonce[4:])
  457. 	if counter == math.MaxUint64 {
  458. 		// Terminates the session and makes sure the nonce would not re-used.

  459. 		// See https://github.com/tendermint/tendermint/issues/3531

  460. 		panic("can't increase nonce without overflow")
  461. 	}
  462. 	counter++
  463. 	binary.LittleEndian.PutUint64(nonce[4:], counter)
  464. }