You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

346 lines
9.3 KiB

  1. // Uses nacl's secret_box to encrypt a net.Conn.
  2. // It is (meant to be) an implementation of the STS protocol.
  3. // Note we do not (yet) assume that a remote peer's pubkey
  4. // is known ahead of time, and thus we are technically
  5. // still vulnerable to MITM. (TODO!)
  6. // See docs/sts-final.pdf for more info
  7. package p2p
  8. import (
  9. "bytes"
  10. crand "crypto/rand"
  11. "crypto/sha256"
  12. "encoding/binary"
  13. "errors"
  14. "io"
  15. "net"
  16. "time"
  17. "github.com/tendermint/tendermint/Godeps/_workspace/src/golang.org/x/crypto/nacl/box"
  18. "github.com/tendermint/tendermint/Godeps/_workspace/src/golang.org/x/crypto/nacl/secretbox"
  19. "github.com/tendermint/tendermint/Godeps/_workspace/src/golang.org/x/crypto/ripemd160"
  20. acm "github.com/tendermint/tendermint/account"
  21. . "github.com/tendermint/tendermint/common"
  22. "github.com/tendermint/tendermint/wire"
  23. )
  24. // 2 + 1024 == 1026 total frame size
  25. const dataLenSize = 2 // uint16 to describe the length, is <= dataMaxSize
  26. const dataMaxSize = 1024
  27. const totalFrameSize = dataMaxSize + dataLenSize
  28. const sealedFrameSize = totalFrameSize + secretbox.Overhead
  29. const authSigMsgSize = (32 + 1) + (64 + 1) // fixed size (length prefixed) byte arrays
  30. // Implements net.Conn
  31. type SecretConnection struct {
  32. conn io.ReadWriteCloser
  33. recvBuffer []byte
  34. recvNonce *[24]byte
  35. sendNonce *[24]byte
  36. remPubKey acm.PubKeyEd25519
  37. shrSecret *[32]byte // shared secret
  38. }
  39. // Performs handshake and returns a new authenticated SecretConnection.
  40. // Returns nil if error in handshake.
  41. // Caller should call conn.Close()
  42. // See docs/sts-final.pdf for more information.
  43. func MakeSecretConnection(conn io.ReadWriteCloser, locPrivKey acm.PrivKeyEd25519) (*SecretConnection, error) {
  44. locPubKey := locPrivKey.PubKey().(acm.PubKeyEd25519)
  45. // Generate ephemeral keys for perfect forward secrecy.
  46. locEphPub, locEphPriv := genEphKeys()
  47. // Write local ephemeral pubkey and receive one too.
  48. // NOTE: every 32-byte string is accepted as a Curve25519 public key
  49. // (see DJB's Curve25519 paper: http://cr.yp.to/ecdh/curve25519-20060209.pdf)
  50. remEphPub, err := shareEphPubKey(conn, locEphPub)
  51. if err != nil {
  52. return nil, err
  53. }
  54. // Compute common shared secret.
  55. shrSecret := computeSharedSecret(remEphPub, locEphPriv)
  56. // Sort by lexical order.
  57. loEphPub, hiEphPub := sort32(locEphPub, remEphPub)
  58. // Generate nonces to use for secretbox.
  59. recvNonce, sendNonce := genNonces(loEphPub, hiEphPub, locEphPub == loEphPub)
  60. // Generate common challenge to sign.
  61. challenge := genChallenge(loEphPub, hiEphPub)
  62. // Construct SecretConnection.
  63. sc := &SecretConnection{
  64. conn: conn,
  65. recvBuffer: nil,
  66. recvNonce: recvNonce,
  67. sendNonce: sendNonce,
  68. shrSecret: shrSecret,
  69. }
  70. // Sign the challenge bytes for authentication.
  71. locSignature := signChallenge(challenge, locPrivKey)
  72. // Share (in secret) each other's pubkey & challenge signature
  73. authSigMsg, err := shareAuthSignature(sc, locPubKey, locSignature)
  74. if err != nil {
  75. return nil, err
  76. }
  77. remPubKey, remSignature := authSigMsg.Key, authSigMsg.Sig
  78. if !remPubKey.VerifyBytes(challenge[:], remSignature) {
  79. return nil, errors.New("Challenge verification failed")
  80. }
  81. // We've authorized.
  82. sc.remPubKey = remPubKey
  83. return sc, nil
  84. }
  85. // Returns authenticated remote pubkey
  86. func (sc *SecretConnection) RemotePubKey() acm.PubKeyEd25519 {
  87. return sc.remPubKey
  88. }
  89. // Writes encrypted frames of `sealedFrameSize`
  90. // CONTRACT: data smaller than dataMaxSize is read atomically.
  91. func (sc *SecretConnection) Write(data []byte) (n int, err error) {
  92. for 0 < len(data) {
  93. var frame []byte = make([]byte, totalFrameSize)
  94. var chunk []byte
  95. if dataMaxSize < len(data) {
  96. chunk = data[:dataMaxSize]
  97. data = data[dataMaxSize:]
  98. } else {
  99. chunk = data
  100. data = nil
  101. }
  102. chunkLength := len(chunk)
  103. binary.BigEndian.PutUint16(frame, uint16(chunkLength))
  104. copy(frame[dataLenSize:], chunk)
  105. // encrypt the frame
  106. var sealedFrame = make([]byte, sealedFrameSize)
  107. secretbox.Seal(sealedFrame[:0], frame, sc.sendNonce, sc.shrSecret)
  108. // fmt.Printf("secretbox.Seal(sealed:%X,sendNonce:%X,shrSecret:%X\n", sealedFrame, sc.sendNonce, sc.shrSecret)
  109. incr2Nonce(sc.sendNonce)
  110. // end encryption
  111. _, err := sc.conn.Write(sealedFrame)
  112. if err != nil {
  113. return n, err
  114. } else {
  115. n += len(chunk)
  116. }
  117. }
  118. return
  119. }
  120. // CONTRACT: data smaller than dataMaxSize is read atomically.
  121. func (sc *SecretConnection) Read(data []byte) (n int, err error) {
  122. if 0 < len(sc.recvBuffer) {
  123. n_ := copy(data, sc.recvBuffer)
  124. sc.recvBuffer = sc.recvBuffer[n_:]
  125. return
  126. }
  127. sealedFrame := make([]byte, sealedFrameSize)
  128. _, err = io.ReadFull(sc.conn, sealedFrame)
  129. if err != nil {
  130. return
  131. }
  132. // decrypt the frame
  133. var frame = make([]byte, totalFrameSize)
  134. // fmt.Printf("secretbox.Open(sealed:%X,recvNonce:%X,shrSecret:%X\n", sealedFrame, sc.recvNonce, sc.shrSecret)
  135. _, ok := secretbox.Open(frame[:0], sealedFrame, sc.recvNonce, sc.shrSecret)
  136. if !ok {
  137. return n, errors.New("Failed to decrypt SecretConnection")
  138. }
  139. incr2Nonce(sc.recvNonce)
  140. // end decryption
  141. var chunkLength = binary.BigEndian.Uint16(frame) // read the first two bytes
  142. if chunkLength > dataMaxSize {
  143. return 0, errors.New("chunkLength is greater than dataMaxSize")
  144. }
  145. var chunk = frame[dataLenSize : dataLenSize+chunkLength]
  146. n = copy(data, chunk)
  147. sc.recvBuffer = chunk[n:]
  148. return
  149. }
  150. // Implements net.Conn
  151. func (sc *SecretConnection) Close() error { return sc.conn.Close() }
  152. func (sc *SecretConnection) LocalAddr() net.Addr { return sc.conn.(net.Conn).LocalAddr() }
  153. func (sc *SecretConnection) RemoteAddr() net.Addr { return sc.conn.(net.Conn).RemoteAddr() }
  154. func (sc *SecretConnection) SetDeadline(t time.Time) error { return sc.conn.(net.Conn).SetDeadline(t) }
  155. func (sc *SecretConnection) SetReadDeadline(t time.Time) error {
  156. return sc.conn.(net.Conn).SetReadDeadline(t)
  157. }
  158. func (sc *SecretConnection) SetWriteDeadline(t time.Time) error {
  159. return sc.conn.(net.Conn).SetWriteDeadline(t)
  160. }
  161. func genEphKeys() (ephPub, ephPriv *[32]byte) {
  162. var err error
  163. ephPub, ephPriv, err = box.GenerateKey(crand.Reader)
  164. if err != nil {
  165. PanicCrisis("Could not generate ephemeral keypairs")
  166. }
  167. return
  168. }
  169. func shareEphPubKey(conn io.ReadWriteCloser, locEphPub *[32]byte) (remEphPub *[32]byte, err error) {
  170. var err1, err2 error
  171. Parallel(
  172. func() {
  173. _, err1 = conn.Write(locEphPub[:])
  174. },
  175. func() {
  176. remEphPub = new([32]byte)
  177. _, err2 = io.ReadFull(conn, remEphPub[:])
  178. },
  179. )
  180. if err1 != nil {
  181. return nil, err1
  182. }
  183. if err2 != nil {
  184. return nil, err2
  185. }
  186. return remEphPub, nil
  187. }
  188. func computeSharedSecret(remPubKey, locPrivKey *[32]byte) (shrSecret *[32]byte) {
  189. shrSecret = new([32]byte)
  190. box.Precompute(shrSecret, remPubKey, locPrivKey)
  191. return
  192. }
  193. func sort32(foo, bar *[32]byte) (lo, hi *[32]byte) {
  194. if bytes.Compare(foo[:], bar[:]) < 0 {
  195. lo = foo
  196. hi = bar
  197. } else {
  198. lo = bar
  199. hi = foo
  200. }
  201. return
  202. }
  203. func genNonces(loPubKey, hiPubKey *[32]byte, locIsLo bool) (recvNonce, sendNonce *[24]byte) {
  204. nonce1 := hash24(append(loPubKey[:], hiPubKey[:]...))
  205. nonce2 := new([24]byte)
  206. copy(nonce2[:], nonce1[:])
  207. nonce2[len(nonce2)-1] ^= 0x01
  208. if locIsLo {
  209. recvNonce = nonce1
  210. sendNonce = nonce2
  211. } else {
  212. recvNonce = nonce2
  213. sendNonce = nonce1
  214. }
  215. return
  216. }
  217. func genChallenge(loPubKey, hiPubKey *[32]byte) (challenge *[32]byte) {
  218. return hash32(append(loPubKey[:], hiPubKey[:]...))
  219. }
  220. func signChallenge(challenge *[32]byte, locPrivKey acm.PrivKeyEd25519) (signature acm.SignatureEd25519) {
  221. signature = locPrivKey.Sign(challenge[:]).(acm.SignatureEd25519)
  222. return
  223. }
  224. type authSigMessage struct {
  225. Key acm.PubKeyEd25519
  226. Sig acm.SignatureEd25519
  227. }
  228. func shareAuthSignature(sc *SecretConnection, pubKey acm.PubKeyEd25519, signature acm.SignatureEd25519) (*authSigMessage, error) {
  229. var recvMsg authSigMessage
  230. var err1, err2 error
  231. Parallel(
  232. func() {
  233. msgBytes := wire.BinaryBytes(authSigMessage{pubKey, signature})
  234. _, err1 = sc.Write(msgBytes)
  235. },
  236. func() {
  237. readBuffer := make([]byte, authSigMsgSize)
  238. _, err2 = io.ReadFull(sc, readBuffer)
  239. if err2 != nil {
  240. return
  241. }
  242. n := int64(0) // not used.
  243. recvMsg = wire.ReadBinary(authSigMessage{}, bytes.NewBuffer(readBuffer), &n, &err2).(authSigMessage)
  244. })
  245. if err1 != nil {
  246. return nil, err1
  247. }
  248. if err2 != nil {
  249. return nil, err2
  250. }
  251. return &recvMsg, nil
  252. }
  253. func verifyChallengeSignature(challenge *[32]byte, remPubKey acm.PubKeyEd25519, remSignature acm.SignatureEd25519) bool {
  254. return remPubKey.VerifyBytes(challenge[:], remSignature)
  255. }
  256. //--------------------------------------------------------------------------------
  257. // sha256
  258. func hash32(input []byte) (res *[32]byte) {
  259. hasher := sha256.New()
  260. hasher.Write(input) // does not error
  261. resSlice := hasher.Sum(nil)
  262. res = new([32]byte)
  263. copy(res[:], resSlice)
  264. return
  265. }
  266. // We only fill in the first 20 bytes with ripemd160
  267. func hash24(input []byte) (res *[24]byte) {
  268. hasher := ripemd160.New()
  269. hasher.Write(input) // does not error
  270. resSlice := hasher.Sum(nil)
  271. res = new([24]byte)
  272. copy(res[:], resSlice)
  273. return
  274. }
  275. // ripemd160
  276. func hash20(input []byte) (res *[20]byte) {
  277. hasher := ripemd160.New()
  278. hasher.Write(input) // does not error
  279. resSlice := hasher.Sum(nil)
  280. res = new([20]byte)
  281. copy(res[:], resSlice)
  282. return
  283. }
  284. // increment nonce big-endian by 2 with wraparound.
  285. func incr2Nonce(nonce *[24]byte) {
  286. incrNonce(nonce)
  287. incrNonce(nonce)
  288. }
  289. // increment nonce big-endian by 1 with wraparound.
  290. func incrNonce(nonce *[24]byte) {
  291. for i := 23; 0 <= i; i-- {
  292. nonce[i] += 1
  293. if nonce[i] != 0 {
  294. return
  295. }
  296. }
  297. }