zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3040 Commits
183 Branches
291 MiB
Tree: cd15b677ec
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cd15b677ec'
${ noResults }
tendermint/p2p/secret_connection.go

336 lines
9.0 KiB
Raw Normal View History

initial commit
9 years ago
p2p: use cmn instead of .
7 years ago
initial commit
9 years ago
crypto Wrap/Unwrap
7 years ago
initial commit
9 years ago
p2p: use bytes.Equal for key comparison Updates https://github.com/tendermint/tendermint/issues/850 My security alarms falsely blarred when I skimmed and noticed keys being compared with `==`, without the proper context so I mistakenly filed an issue, yet the purpose of that comparison was to check if the local ephemeral public key was just the least, sorted lexicographically. Anyways, let's use the proper bytes.Equal check, to save future labor.
7 years ago
initial commit
9 years ago
p2p: use bytes.Equal for key comparison Updates https://github.com/tendermint/tendermint/issues/850 My security alarms falsely blarred when I skimmed and noticed keys being compared with `==`, without the proper context so I mistakenly filed an issue, yet the purpose of that comparison was to check if the local ephemeral public key was just the least, sorted lexicographically. Anyways, let's use the proper bytes.Equal check, to save future labor.
7 years ago
initial commit
9 years ago
crypto Wrap/Unwrap
7 years ago
initial commit
9 years ago
p2p: use cmn instead of .
7 years ago
initial commit
9 years ago
p2p: use cmn instead of .
7 years ago
initial commit
9 years ago
crypto Wrap/Unwrap
7 years ago
initial commit
9 years ago
Confirm to go-wire new TypeByte behavior
9 years ago
initial commit
9 years ago
p2p: use cmn instead of .
7 years ago
initial commit
9 years ago
crypto Wrap/Unwrap
7 years ago
initial commit
9 years ago
Conform to go-wire 1.0
9 years ago
initial commit
9 years ago
more linting
7 years ago
initial commit
9 years ago
more linting
7 years ago
initial commit
9 years ago
 
  1. // Uses nacl's secret_box to encrypt a net.Conn.

  2. // It is (meant to be) an implementation of the STS protocol.

  3. // Note we do not (yet) assume that a remote peer's pubkey

  4. // is known ahead of time, and thus we are technically

  5. // still vulnerable to MITM. (TODO!)

  6. // See docs/sts-final.pdf for more info

  7. package p2p
  8. 

  9. import (
  10. 	"bytes"
  11. 	crand "crypto/rand"
  12. 	"crypto/sha256"
  13. 	"encoding/binary"
  14. 	"errors"
  15. 	"io"
  16. 	"net"
  17. 	"time"
  18. 

  19. 	"golang.org/x/crypto/nacl/box"
  20. 	"golang.org/x/crypto/nacl/secretbox"
  21. 	"golang.org/x/crypto/ripemd160"
  22. 

  23. 	"github.com/tendermint/go-crypto"
  24. 	"github.com/tendermint/go-wire"
  25. 	cmn "github.com/tendermint/tmlibs/common"
  26. )
  27. 

  28. // 2 + 1024 == 1026 total frame size

  29. const dataLenSize = 2 // uint16 to describe the length, is <= dataMaxSize

  30. const dataMaxSize = 1024
  31. const totalFrameSize = dataMaxSize + dataLenSize
  32. const sealedFrameSize = totalFrameSize + secretbox.Overhead
  33. const authSigMsgSize = (32 + 1) + (64 + 1) // fixed size (length prefixed) byte arrays

  34. 

  35. // Implements net.Conn

  36. type SecretConnection struct {
  37. 	conn       io.ReadWriteCloser
  38. 	recvBuffer []byte
  39. 	recvNonce  *[24]byte
  40. 	sendNonce  *[24]byte
  41. 	remPubKey  crypto.PubKeyEd25519
  42. 	shrSecret  *[32]byte // shared secret

  43. }
  44. 

  45. // Performs handshake and returns a new authenticated SecretConnection.

  46. // Returns nil if error in handshake.

  47. // Caller should call conn.Close()

  48. // See docs/sts-final.pdf for more information.

  49. func MakeSecretConnection(conn io.ReadWriteCloser, locPrivKey crypto.PrivKeyEd25519) (*SecretConnection, error) {
  50. 

  51. 	locPubKey := locPrivKey.PubKey().Unwrap().(crypto.PubKeyEd25519)
  52. 

  53. 	// Generate ephemeral keys for perfect forward secrecy.

  54. 	locEphPub, locEphPriv := genEphKeys()
  55. 

  56. 	// Write local ephemeral pubkey and receive one too.

  57. 	// NOTE: every 32-byte string is accepted as a Curve25519 public key

  58. 	// (see DJB's Curve25519 paper: http://cr.yp.to/ecdh/curve25519-20060209.pdf)

  59. 	remEphPub, err := shareEphPubKey(conn, locEphPub)
  60. 	if err != nil {
  61. 		return nil, err
  62. 	}
  63. 

  64. 	// Compute common shared secret.

  65. 	shrSecret := computeSharedSecret(remEphPub, locEphPriv)
  66. 

  67. 	// Sort by lexical order.

  68. 	loEphPub, hiEphPub := sort32(locEphPub, remEphPub)
  69. 

  70. 	// Check if the local ephemeral public key

  71. 	// was the least, lexicographically sorted.

  72. 	locIsLeast := bytes.Equal(locEphPub[:], loEphPub[:])
  73. 

  74. 	// Generate nonces to use for secretbox.

  75. 	recvNonce, sendNonce := genNonces(loEphPub, hiEphPub, locIsLeast)
  76. 

  77. 	// Generate common challenge to sign.

  78. 	challenge := genChallenge(loEphPub, hiEphPub)
  79. 

  80. 	// Construct SecretConnection.

  81. 	sc := &SecretConnection{
  82. 		conn:       conn,
  83. 		recvBuffer: nil,
  84. 		recvNonce:  recvNonce,
  85. 		sendNonce:  sendNonce,
  86. 		shrSecret:  shrSecret,
  87. 	}
  88. 

  89. 	// Sign the challenge bytes for authentication.

  90. 	locSignature := signChallenge(challenge, locPrivKey)
  91. 

  92. 	// Share (in secret) each other's pubkey & challenge signature

  93. 	authSigMsg, err := shareAuthSignature(sc, locPubKey, locSignature)
  94. 	if err != nil {
  95. 		return nil, err
  96. 	}
  97. 	remPubKey, remSignature := authSigMsg.Key, authSigMsg.Sig
  98. 	if !remPubKey.VerifyBytes(challenge[:], remSignature) {
  99. 		return nil, errors.New("Challenge verification failed")
  100. 	}
  101. 

  102. 	// We've authorized.

  103. 	sc.remPubKey = remPubKey.Unwrap().(crypto.PubKeyEd25519)
  104. 	return sc, nil
  105. }
  106. 

  107. // Returns authenticated remote pubkey

  108. func (sc *SecretConnection) RemotePubKey() crypto.PubKeyEd25519 {
  109. 	return sc.remPubKey
  110. }
  111. 

  112. // Writes encrypted frames of `sealedFrameSize`

  113. // CONTRACT: data smaller than dataMaxSize is read atomically.

  114. func (sc *SecretConnection) Write(data []byte) (n int, err error) {
  115. 	for 0 < len(data) {
  116. 		var frame []byte = make([]byte, totalFrameSize)
  117. 		var chunk []byte
  118. 		if dataMaxSize < len(data) {
  119. 			chunk = data[:dataMaxSize]
  120. 			data = data[dataMaxSize:]
  121. 		} else {
  122. 			chunk = data
  123. 			data = nil
  124. 		}
  125. 		chunkLength := len(chunk)
  126. 		binary.BigEndian.PutUint16(frame, uint16(chunkLength))
  127. 		copy(frame[dataLenSize:], chunk)
  128. 

  129. 		// encrypt the frame

  130. 		var sealedFrame = make([]byte, sealedFrameSize)
  131. 		secretbox.Seal(sealedFrame[:0], frame, sc.sendNonce, sc.shrSecret)
  132. 		// fmt.Printf("secretbox.Seal(sealed:%X,sendNonce:%X,shrSecret:%X\n", sealedFrame, sc.sendNonce, sc.shrSecret)

  133. 		incr2Nonce(sc.sendNonce)
  134. 		// end encryption

  135. 

  136. 		_, err := sc.conn.Write(sealedFrame)
  137. 		if err != nil {
  138. 			return n, err
  139. 		} else {
  140. 			n += len(chunk)
  141. 		}
  142. 	}
  143. 	return
  144. }
  145. 

  146. // CONTRACT: data smaller than dataMaxSize is read atomically.

  147. func (sc *SecretConnection) Read(data []byte) (n int, err error) {
  148. 	if 0 < len(sc.recvBuffer) {
  149. 		n_ := copy(data, sc.recvBuffer)
  150. 		sc.recvBuffer = sc.recvBuffer[n_:]
  151. 		return
  152. 	}
  153. 

  154. 	sealedFrame := make([]byte, sealedFrameSize)
  155. 	_, err = io.ReadFull(sc.conn, sealedFrame)
  156. 	if err != nil {
  157. 		return
  158. 	}
  159. 

  160. 	// decrypt the frame

  161. 	var frame = make([]byte, totalFrameSize)
  162. 	// fmt.Printf("secretbox.Open(sealed:%X,recvNonce:%X,shrSecret:%X\n", sealedFrame, sc.recvNonce, sc.shrSecret)

  163. 	_, ok := secretbox.Open(frame[:0], sealedFrame, sc.recvNonce, sc.shrSecret)
  164. 	if !ok {
  165. 		return n, errors.New("Failed to decrypt SecretConnection")
  166. 	}
  167. 	incr2Nonce(sc.recvNonce)
  168. 	// end decryption

  169. 

  170. 	var chunkLength = binary.BigEndian.Uint16(frame) // read the first two bytes

  171. 	if chunkLength > dataMaxSize {
  172. 		return 0, errors.New("chunkLength is greater than dataMaxSize")
  173. 	}
  174. 	var chunk = frame[dataLenSize : dataLenSize+chunkLength]
  175. 

  176. 	n = copy(data, chunk)
  177. 	sc.recvBuffer = chunk[n:]
  178. 	return
  179. }
  180. 

  181. // Implements net.Conn

  182. func (sc *SecretConnection) Close() error                  { return sc.conn.Close() }
  183. func (sc *SecretConnection) LocalAddr() net.Addr           { return sc.conn.(net.Conn).LocalAddr() }
  184. func (sc *SecretConnection) RemoteAddr() net.Addr          { return sc.conn.(net.Conn).RemoteAddr() }
  185. func (sc *SecretConnection) SetDeadline(t time.Time) error { return sc.conn.(net.Conn).SetDeadline(t) }
  186. func (sc *SecretConnection) SetReadDeadline(t time.Time) error {
  187. 	return sc.conn.(net.Conn).SetReadDeadline(t)
  188. }
  189. func (sc *SecretConnection) SetWriteDeadline(t time.Time) error {
  190. 	return sc.conn.(net.Conn).SetWriteDeadline(t)
  191. }
  192. 

  193. func genEphKeys() (ephPub, ephPriv *[32]byte) {
  194. 	var err error
  195. 	ephPub, ephPriv, err = box.GenerateKey(crand.Reader)
  196. 	if err != nil {
  197. 		cmn.PanicCrisis("Could not generate ephemeral keypairs")
  198. 	}
  199. 	return
  200. }
  201. 

  202. func shareEphPubKey(conn io.ReadWriteCloser, locEphPub *[32]byte) (remEphPub *[32]byte, err error) {
  203. 	var err1, err2 error
  204. 

  205. 	cmn.Parallel(
  206. 		func() {
  207. 			_, err1 = conn.Write(locEphPub[:])
  208. 		},
  209. 		func() {
  210. 			remEphPub = new([32]byte)
  211. 			_, err2 = io.ReadFull(conn, remEphPub[:])
  212. 		},
  213. 	)
  214. 

  215. 	if err1 != nil {
  216. 		return nil, err1
  217. 	}
  218. 	if err2 != nil {
  219. 		return nil, err2
  220. 	}
  221. 

  222. 	return remEphPub, nil
  223. }
  224. 

  225. func computeSharedSecret(remPubKey, locPrivKey *[32]byte) (shrSecret *[32]byte) {
  226. 	shrSecret = new([32]byte)
  227. 	box.Precompute(shrSecret, remPubKey, locPrivKey)
  228. 	return
  229. }
  230. 

  231. func sort32(foo, bar *[32]byte) (lo, hi *[32]byte) {
  232. 	if bytes.Compare(foo[:], bar[:]) < 0 {
  233. 		lo = foo
  234. 		hi = bar
  235. 	} else {
  236. 		lo = bar
  237. 		hi = foo
  238. 	}
  239. 	return
  240. }
  241. 

  242. func genNonces(loPubKey, hiPubKey *[32]byte, locIsLo bool) (recvNonce, sendNonce *[24]byte) {
  243. 	nonce1 := hash24(append(loPubKey[:], hiPubKey[:]...))
  244. 	nonce2 := new([24]byte)
  245. 	copy(nonce2[:], nonce1[:])
  246. 	nonce2[len(nonce2)-1] ^= 0x01
  247. 	if locIsLo {
  248. 		recvNonce = nonce1
  249. 		sendNonce = nonce2
  250. 	} else {
  251. 		recvNonce = nonce2
  252. 		sendNonce = nonce1
  253. 	}
  254. 	return
  255. }
  256. 

  257. func genChallenge(loPubKey, hiPubKey *[32]byte) (challenge *[32]byte) {
  258. 	return hash32(append(loPubKey[:], hiPubKey[:]...))
  259. }
  260. 

  261. func signChallenge(challenge *[32]byte, locPrivKey crypto.PrivKeyEd25519) (signature crypto.SignatureEd25519) {
  262. 	signature = locPrivKey.Sign(challenge[:]).Unwrap().(crypto.SignatureEd25519)
  263. 	return
  264. }
  265. 

  266. type authSigMessage struct {
  267. 	Key crypto.PubKey
  268. 	Sig crypto.Signature
  269. }
  270. 

  271. func shareAuthSignature(sc *SecretConnection, pubKey crypto.PubKeyEd25519, signature crypto.SignatureEd25519) (*authSigMessage, error) {
  272. 	var recvMsg authSigMessage
  273. 	var err1, err2 error
  274. 

  275. 	cmn.Parallel(
  276. 		func() {
  277. 			msgBytes := wire.BinaryBytes(authSigMessage{pubKey.Wrap(), signature.Wrap()})
  278. 			_, err1 = sc.Write(msgBytes)
  279. 		},
  280. 		func() {
  281. 			readBuffer := make([]byte, authSigMsgSize)
  282. 			_, err2 = io.ReadFull(sc, readBuffer)
  283. 			if err2 != nil {
  284. 				return
  285. 			}
  286. 			n := int(0) // not used.

  287. 			recvMsg = wire.ReadBinary(authSigMessage{}, bytes.NewBuffer(readBuffer), authSigMsgSize, &n, &err2).(authSigMessage)
  288. 		})
  289. 

  290. 	if err1 != nil {
  291. 		return nil, err1
  292. 	}
  293. 	if err2 != nil {
  294. 		return nil, err2
  295. 	}
  296. 

  297. 	return &recvMsg, nil
  298. }
  299. 

  300. //--------------------------------------------------------------------------------

  301. 

  302. // sha256

  303. func hash32(input []byte) (res *[32]byte) {
  304. 	hasher := sha256.New()
  305. 	hasher.Write(input) // nolint: errcheck, gas

  306. 	resSlice := hasher.Sum(nil)
  307. 	res = new([32]byte)
  308. 	copy(res[:], resSlice)
  309. 	return
  310. }
  311. 

  312. // We only fill in the first 20 bytes with ripemd160

  313. func hash24(input []byte) (res *[24]byte) {
  314. 	hasher := ripemd160.New()
  315. 	hasher.Write(input) // nolint: errcheck, gas

  316. 	resSlice := hasher.Sum(nil)
  317. 	res = new([24]byte)
  318. 	copy(res[:], resSlice)
  319. 	return
  320. }
  321. 

  322. // increment nonce big-endian by 2 with wraparound.

  323. func incr2Nonce(nonce *[24]byte) {
  324. 	incrNonce(nonce)
  325. 	incrNonce(nonce)
  326. }
  327. 

  328. // increment nonce big-endian by 1 with wraparound.

  329. func incrNonce(nonce *[24]byte) {
  330. 	for i := 23; 0 <= i; i-- {
  331. 		nonce[i] += 1
  332. 		if nonce[i] != 0 {
  333. 			return
  334. 		}
  335. 	}
  336. }