zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3497 Commits
183 Branches
291 MiB
Tree: 991017fc41
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '991017fc41'
${ noResults }
tendermint/p2p/conn/secret_connection.go

354 lines
9.7 KiB
Raw Normal View History

initial commit
9 years ago
p2p: tmconn->conn and types->p2p
7 years ago
initial commit
9 years ago
new tmlibs Parallel implementation
7 years ago
p2p: use cmn instead of .
8 years ago
initial commit
9 years ago
p2p: PrivKey need not be Ed25519
7 years ago
initial commit
9 years ago
p2p: PrivKey need not be Ed25519
7 years ago
initial commit
9 years ago
p2p: PrivKey need not be Ed25519
7 years ago
initial commit
9 years ago
p2p: use bytes.Equal for key comparison Updates https://github.com/tendermint/tendermint/issues/850 My security alarms falsely blarred when I skimmed and noticed keys being compared with `==`, without the proper context so I mistakenly filed an issue, yet the purpose of that comparison was to check if the local ephemeral public key was just the least, sorted lexicographically. Anyways, let's use the proper bytes.Equal check, to save future labor.
7 years ago
initial commit
9 years ago
p2p: use bytes.Equal for key comparison Updates https://github.com/tendermint/tendermint/issues/850 My security alarms falsely blarred when I skimmed and noticed keys being compared with `==`, without the proper context so I mistakenly filed an issue, yet the purpose of that comparison was to check if the local ephemeral public key was just the least, sorted lexicographically. Anyways, let's use the proper bytes.Equal check, to save future labor.
7 years ago
initial commit
9 years ago
p2p: PrivKey need not be Ed25519
7 years ago
initial commit
9 years ago
p2p: PrivKey need not be Ed25519
7 years ago
initial commit
9 years ago
Fix lint errors (#1390) * use increment and decrement operators. * remove unnecessary else branches. * fix package comment with leading space. * fix receiver names. * fix error strings. * remove omittable code. * remove redundant return statement. * Revert changes (code is generated.) * use cfg as receiver name for all config-related types. * use lsi as the receiver name for the LastSignedInfo type.
7 years ago
initial commit
9 years ago
Fix lint errors (#1390) * use increment and decrement operators. * remove unnecessary else branches. * fix package comment with leading space. * fix receiver names. * fix error strings. * remove omittable code. * remove redundant return statement. * Revert changes (code is generated.) * use cfg as receiver name for all config-related types. * use lsi as the receiver name for the LastSignedInfo type.
7 years ago
initial commit
9 years ago
p2p: use cmn instead of .
8 years ago
initial commit
9 years ago
new tmlibs Parallel implementation
7 years ago
initial commit
9 years ago
new tmlibs Parallel implementation
7 years ago
initial commit
9 years ago
new tmlibs Parallel implementation
7 years ago
initial commit
9 years ago
new tmlibs Parallel implementation
7 years ago
initial commit
9 years ago
p2p: PrivKey need not be Ed25519
7 years ago
initial commit
9 years ago
Confirm to go-wire new TypeByte behavior
9 years ago
initial commit
9 years ago
new tmlibs Parallel implementation
7 years ago
crypto Wrap/Unwrap
8 years ago
new tmlibs Parallel implementation
7 years ago
initial commit
9 years ago
new tmlibs Parallel implementation
7 years ago
initial commit
9 years ago
new tmlibs Parallel implementation
7 years ago
initial commit
9 years ago
new tmlibs Parallel implementation
7 years ago
initial commit
9 years ago
Conform to go-wire 1.0
9 years ago
new tmlibs Parallel implementation
7 years ago
initial commit
9 years ago
new tmlibs Parallel implementation
7 years ago
initial commit
9 years ago
new tmlibs Parallel implementation
7 years ago
initial commit
9 years ago
more linting
7 years ago
initial commit
9 years ago
more linting
7 years ago
initial commit
9 years ago
Fix lint errors (#1390) * use increment and decrement operators. * remove unnecessary else branches. * fix package comment with leading space. * fix receiver names. * fix error strings. * remove omittable code. * remove redundant return statement. * Revert changes (code is generated.) * use cfg as receiver name for all config-related types. * use lsi as the receiver name for the LastSignedInfo type.
7 years ago
initial commit
9 years ago
 
  1. // Uses nacl's secret_box to encrypt a net.Conn.

  2. // It is (meant to be) an implementation of the STS protocol.

  3. // Note we do not (yet) assume that a remote peer's pubkey

  4. // is known ahead of time, and thus we are technically

  5. // still vulnerable to MITM. (TODO!)

  6. // See docs/sts-final.pdf for more info

  7. package conn
  8. 

  9. import (
  10. 	"bytes"
  11. 	crand "crypto/rand"
  12. 	"crypto/sha256"
  13. 	"encoding/binary"
  14. 	"errors"
  15. 	"io"
  16. 	"net"
  17. 	"time"
  18. 

  19. 	"golang.org/x/crypto/nacl/box"
  20. 	"golang.org/x/crypto/nacl/secretbox"
  21. 	"golang.org/x/crypto/ripemd160"
  22. 

  23. 	crypto "github.com/tendermint/go-crypto"
  24. 	wire "github.com/tendermint/go-wire"
  25. 	cmn "github.com/tendermint/tmlibs/common"
  26. )
  27. 

  28. // 2 + 1024 == 1026 total frame size

  29. const dataLenSize = 2 // uint16 to describe the length, is <= dataMaxSize

  30. const dataMaxSize = 1024
  31. const totalFrameSize = dataMaxSize + dataLenSize
  32. const sealedFrameSize = totalFrameSize + secretbox.Overhead
  33. const authSigMsgSize = (32 + 1) + (64 + 1) // fixed size (length prefixed) byte arrays

  34. 

  35. // Implements net.Conn

  36. type SecretConnection struct {
  37. 	conn       io.ReadWriteCloser
  38. 	recvBuffer []byte
  39. 	recvNonce  *[24]byte
  40. 	sendNonce  *[24]byte
  41. 	remPubKey  crypto.PubKey
  42. 	shrSecret  *[32]byte // shared secret

  43. }
  44. 

  45. // Performs handshake and returns a new authenticated SecretConnection.

  46. // Returns nil if error in handshake.

  47. // Caller should call conn.Close()

  48. // See docs/sts-final.pdf for more information.

  49. func MakeSecretConnection(conn io.ReadWriteCloser, locPrivKey crypto.PrivKey) (*SecretConnection, error) {
  50. 

  51. 	locPubKey := locPrivKey.PubKey()
  52. 

  53. 	// Generate ephemeral keys for perfect forward secrecy.

  54. 	locEphPub, locEphPriv := genEphKeys()
  55. 

  56. 	// Write local ephemeral pubkey and receive one too.

  57. 	// NOTE: every 32-byte string is accepted as a Curve25519 public key

  58. 	// (see DJB's Curve25519 paper: http://cr.yp.to/ecdh/curve25519-20060209.pdf)

  59. 	remEphPub, err := shareEphPubKey(conn, locEphPub)
  60. 	if err != nil {
  61. 		return nil, err
  62. 	}
  63. 

  64. 	// Compute common shared secret.

  65. 	shrSecret := computeSharedSecret(remEphPub, locEphPriv)
  66. 

  67. 	// Sort by lexical order.

  68. 	loEphPub, hiEphPub := sort32(locEphPub, remEphPub)
  69. 

  70. 	// Check if the local ephemeral public key

  71. 	// was the least, lexicographically sorted.

  72. 	locIsLeast := bytes.Equal(locEphPub[:], loEphPub[:])
  73. 

  74. 	// Generate nonces to use for secretbox.

  75. 	recvNonce, sendNonce := genNonces(loEphPub, hiEphPub, locIsLeast)
  76. 

  77. 	// Generate common challenge to sign.

  78. 	challenge := genChallenge(loEphPub, hiEphPub)
  79. 

  80. 	// Construct SecretConnection.

  81. 	sc := &SecretConnection{
  82. 		conn:       conn,
  83. 		recvBuffer: nil,
  84. 		recvNonce:  recvNonce,
  85. 		sendNonce:  sendNonce,
  86. 		shrSecret:  shrSecret,
  87. 	}
  88. 

  89. 	// Sign the challenge bytes for authentication.

  90. 	locSignature := signChallenge(challenge, locPrivKey)
  91. 

  92. 	// Share (in secret) each other's pubkey & challenge signature

  93. 	authSigMsg, err := shareAuthSignature(sc, locPubKey, locSignature)
  94. 	if err != nil {
  95. 		return nil, err
  96. 	}
  97. 	remPubKey, remSignature := authSigMsg.Key, authSigMsg.Sig
  98. 	if !remPubKey.VerifyBytes(challenge[:], remSignature) {
  99. 		return nil, errors.New("Challenge verification failed")
  100. 	}
  101. 

  102. 	// We've authorized.

  103. 	sc.remPubKey = remPubKey
  104. 	return sc, nil
  105. }
  106. 

  107. // Returns authenticated remote pubkey

  108. func (sc *SecretConnection) RemotePubKey() crypto.PubKey {
  109. 	return sc.remPubKey
  110. }
  111. 

  112. // Writes encrypted frames of `sealedFrameSize`

  113. // CONTRACT: data smaller than dataMaxSize is read atomically.

  114. func (sc *SecretConnection) Write(data []byte) (n int, err error) {
  115. 	for 0 < len(data) {
  116. 		var frame = make([]byte, totalFrameSize)
  117. 		var chunk []byte
  118. 		if dataMaxSize < len(data) {
  119. 			chunk = data[:dataMaxSize]
  120. 			data = data[dataMaxSize:]
  121. 		} else {
  122. 			chunk = data
  123. 			data = nil
  124. 		}
  125. 		chunkLength := len(chunk)
  126. 		binary.BigEndian.PutUint16(frame, uint16(chunkLength))
  127. 		copy(frame[dataLenSize:], chunk)
  128. 

  129. 		// encrypt the frame

  130. 		var sealedFrame = make([]byte, sealedFrameSize)
  131. 		secretbox.Seal(sealedFrame[:0], frame, sc.sendNonce, sc.shrSecret)
  132. 		// fmt.Printf("secretbox.Seal(sealed:%X,sendNonce:%X,shrSecret:%X\n", sealedFrame, sc.sendNonce, sc.shrSecret)

  133. 		incr2Nonce(sc.sendNonce)
  134. 		// end encryption

  135. 

  136. 		_, err := sc.conn.Write(sealedFrame)
  137. 		if err != nil {
  138. 			return n, err
  139. 		}
  140. 		n += len(chunk)
  141. 	}
  142. 	return
  143. }
  144. 

  145. // CONTRACT: data smaller than dataMaxSize is read atomically.

  146. func (sc *SecretConnection) Read(data []byte) (n int, err error) {
  147. 	if 0 < len(sc.recvBuffer) {
  148. 		n_ := copy(data, sc.recvBuffer)
  149. 		sc.recvBuffer = sc.recvBuffer[n_:]
  150. 		return
  151. 	}
  152. 

  153. 	sealedFrame := make([]byte, sealedFrameSize)
  154. 	_, err = io.ReadFull(sc.conn, sealedFrame)
  155. 	if err != nil {
  156. 		return
  157. 	}
  158. 

  159. 	// decrypt the frame

  160. 	var frame = make([]byte, totalFrameSize)
  161. 	// fmt.Printf("secretbox.Open(sealed:%X,recvNonce:%X,shrSecret:%X\n", sealedFrame, sc.recvNonce, sc.shrSecret)

  162. 	_, ok := secretbox.Open(frame[:0], sealedFrame, sc.recvNonce, sc.shrSecret)
  163. 	if !ok {
  164. 		return n, errors.New("Failed to decrypt SecretConnection")
  165. 	}
  166. 	incr2Nonce(sc.recvNonce)
  167. 	// end decryption

  168. 

  169. 	var chunkLength = binary.BigEndian.Uint16(frame) // read the first two bytes

  170. 	if chunkLength > dataMaxSize {
  171. 		return 0, errors.New("chunkLength is greater than dataMaxSize")
  172. 	}
  173. 	var chunk = frame[dataLenSize : dataLenSize+chunkLength]
  174. 

  175. 	n = copy(data, chunk)
  176. 	sc.recvBuffer = chunk[n:]
  177. 	return
  178. }
  179. 

  180. // Implements net.Conn

  181. func (sc *SecretConnection) Close() error                  { return sc.conn.Close() }
  182. func (sc *SecretConnection) LocalAddr() net.Addr           { return sc.conn.(net.Conn).LocalAddr() }
  183. func (sc *SecretConnection) RemoteAddr() net.Addr          { return sc.conn.(net.Conn).RemoteAddr() }
  184. func (sc *SecretConnection) SetDeadline(t time.Time) error { return sc.conn.(net.Conn).SetDeadline(t) }
  185. func (sc *SecretConnection) SetReadDeadline(t time.Time) error {
  186. 	return sc.conn.(net.Conn).SetReadDeadline(t)
  187. }
  188. func (sc *SecretConnection) SetWriteDeadline(t time.Time) error {
  189. 	return sc.conn.(net.Conn).SetWriteDeadline(t)
  190. }
  191. 

  192. func genEphKeys() (ephPub, ephPriv *[32]byte) {
  193. 	var err error
  194. 	ephPub, ephPriv, err = box.GenerateKey(crand.Reader)
  195. 	if err != nil {
  196. 		cmn.PanicCrisis("Could not generate ephemeral keypairs")
  197. 	}
  198. 	return
  199. }
  200. 

  201. func shareEphPubKey(conn io.ReadWriteCloser, locEphPub *[32]byte) (remEphPub *[32]byte, err error) {
  202. 	// Send our pubkey and receive theirs in tandem.

  203. 	var trs, _ = cmn.Parallel(
  204. 		func(_ int) (val interface{}, err error, abort bool) {
  205. 			var _, err1 = conn.Write(locEphPub[:])
  206. 			if err1 != nil {
  207. 				return nil, err1, true // abort

  208. 			} else {
  209. 				return nil, nil, false
  210. 			}
  211. 		},
  212. 		func(_ int) (val interface{}, err error, abort bool) {
  213. 			var _remEphPub [32]byte
  214. 			var _, err2 = io.ReadFull(conn, _remEphPub[:])
  215. 			if err2 != nil {
  216. 				return nil, err2, true // abort

  217. 			} else {
  218. 				return _remEphPub, nil, false
  219. 			}
  220. 		},
  221. 	)
  222. 

  223. 	// If error:

  224. 	if trs.FirstError() != nil {
  225. 		err = trs.FirstError()
  226. 		return
  227. 	}
  228. 

  229. 	// Otherwise:

  230. 	var _remEphPub = trs.FirstValue().([32]byte)
  231. 	return &_remEphPub, nil
  232. }
  233. 

  234. func computeSharedSecret(remPubKey, locPrivKey *[32]byte) (shrSecret *[32]byte) {
  235. 	shrSecret = new([32]byte)
  236. 	box.Precompute(shrSecret, remPubKey, locPrivKey)
  237. 	return
  238. }
  239. 

  240. func sort32(foo, bar *[32]byte) (lo, hi *[32]byte) {
  241. 	if bytes.Compare(foo[:], bar[:]) < 0 {
  242. 		lo = foo
  243. 		hi = bar
  244. 	} else {
  245. 		lo = bar
  246. 		hi = foo
  247. 	}
  248. 	return
  249. }
  250. 

  251. func genNonces(loPubKey, hiPubKey *[32]byte, locIsLo bool) (recvNonce, sendNonce *[24]byte) {
  252. 	nonce1 := hash24(append(loPubKey[:], hiPubKey[:]...))
  253. 	nonce2 := new([24]byte)
  254. 	copy(nonce2[:], nonce1[:])
  255. 	nonce2[len(nonce2)-1] ^= 0x01
  256. 	if locIsLo {
  257. 		recvNonce = nonce1
  258. 		sendNonce = nonce2
  259. 	} else {
  260. 		recvNonce = nonce2
  261. 		sendNonce = nonce1
  262. 	}
  263. 	return
  264. }
  265. 

  266. func genChallenge(loPubKey, hiPubKey *[32]byte) (challenge *[32]byte) {
  267. 	return hash32(append(loPubKey[:], hiPubKey[:]...))
  268. }
  269. 

  270. func signChallenge(challenge *[32]byte, locPrivKey crypto.PrivKey) (signature crypto.Signature) {
  271. 	signature = locPrivKey.Sign(challenge[:])
  272. 	return
  273. }
  274. 

  275. type authSigMessage struct {
  276. 	Key crypto.PubKey
  277. 	Sig crypto.Signature
  278. }
  279. 

  280. func shareAuthSignature(sc *SecretConnection, pubKey crypto.PubKey, signature crypto.Signature) (recvMsg *authSigMessage, err error) {
  281. 	// Send our info and receive theirs in tandem.

  282. 	var trs, _ = cmn.Parallel(
  283. 		func(_ int) (val interface{}, err error, abort bool) {
  284. 			msgBytes := wire.BinaryBytes(authSigMessage{pubKey.Wrap(), signature.Wrap()})
  285. 			var _, err1 = sc.Write(msgBytes)
  286. 			if err1 != nil {
  287. 				return nil, err1, true // abort

  288. 			} else {
  289. 				return nil, nil, false
  290. 			}
  291. 		},
  292. 		func(_ int) (val interface{}, err error, abort bool) {
  293. 			readBuffer := make([]byte, authSigMsgSize)
  294. 			var _, err2 = io.ReadFull(sc, readBuffer)
  295. 			if err2 != nil {
  296. 				return nil, err2, true // abort

  297. 			}
  298. 			n := int(0) // not used.

  299. 			var _recvMsg = wire.ReadBinary(authSigMessage{}, bytes.NewBuffer(readBuffer), authSigMsgSize, &n, &err2).(authSigMessage)
  300. 			if err2 != nil {
  301. 				return nil, err2, true // abort

  302. 			} else {
  303. 				return _recvMsg, nil, false
  304. 			}
  305. 		},
  306. 	)
  307. 

  308. 	// If error:

  309. 	if trs.FirstError() != nil {
  310. 		err = trs.FirstError()
  311. 		return
  312. 	}
  313. 

  314. 	var _recvMsg = trs.FirstValue().(authSigMessage)
  315. 	return &_recvMsg, nil
  316. }
  317. 

  318. //--------------------------------------------------------------------------------

  319. 

  320. // sha256

  321. func hash32(input []byte) (res *[32]byte) {
  322. 	hasher := sha256.New()
  323. 	hasher.Write(input) // nolint: errcheck, gas

  324. 	resSlice := hasher.Sum(nil)
  325. 	res = new([32]byte)
  326. 	copy(res[:], resSlice)
  327. 	return
  328. }
  329. 

  330. // We only fill in the first 20 bytes with ripemd160

  331. func hash24(input []byte) (res *[24]byte) {
  332. 	hasher := ripemd160.New()
  333. 	hasher.Write(input) // nolint: errcheck, gas

  334. 	resSlice := hasher.Sum(nil)
  335. 	res = new([24]byte)
  336. 	copy(res[:], resSlice)
  337. 	return
  338. }
  339. 

  340. // increment nonce big-endian by 2 with wraparound.

  341. func incr2Nonce(nonce *[24]byte) {
  342. 	incrNonce(nonce)
  343. 	incrNonce(nonce)
  344. }
  345. 

  346. // increment nonce big-endian by 1 with wraparound.

  347. func incrNonce(nonce *[24]byte) {
  348. 	for i := 23; 0 <= i; i-- {
  349. 		nonce[i]++
  350. 		if nonce[i] != 0 {
  351. 			return
  352. 		}
  353. 	}
  354. }