zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9367 Commits
183 Branches
291 MiB
Tree: d0e03f01fc
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd0e03f01fc'
${ noResults }
tendermint/privval/secret_connection.go

466 lines
14 KiB
Raw Normal View History

privval: duplicate SecretConnection from p2p package (#5672) This is so that the `privval` package will not be affected when we refactor `p2p` (#5670). We will be migrating to gRPC shortly (#4698).
4 years ago
sync: remove special mutexes (#7438)
3 years ago
privval: duplicate SecretConnection from p2p package (#5672) This is so that the `privval` package will not be affected when we refactor `p2p` (#5670). We will be migrating to gRPC shortly (#4698).
4 years ago
crypto: Use a different library for ed25519/sr25519 (#6526) At Oasis we have spend some time writing a new Ed25519/X25519/sr25519 implementation called curve25519-voi. This PR switches the import from ed25519consensus/go-schnorrkel, which should lead to performance gains on most systems. Summary of changes: * curve25519-voi is now used for Ed25519 operations, following the existing ZIP-215 semantics. * curve25519-voi's public key cache is enabled (hardcoded size of 4096 entries, should be tuned, see the code comment) to accelerate repeated Ed25519 verification with the same public key(s). * (BREAKING) curve25519-voi is now used for sr25519 operations. This is a breaking change as the current sr25519 support does something decidedly non-standard when going from a MiniSecretKey to a SecretKey and or PublicKey (The expansion routine is called twice). While I believe the new behavior (that expands once and only once) to be more "correct", this changes the semantics as implemented. * curve25519-voi is now used for merlin since the included STROBE implementation produces much less garbage on the heap. Side issues fixed: * The version of go-schnorrkel that is currently imported by tendermint has a badly broken batch verification implementation. Upstream has fixed the issue after I reported it, so the version should be bumped in the interim. Open design questions/issues: * As noted, the public key cache size should be tuned. It is currently backed by a trivial thread-safe LRU cache, which is not scan-resistant, but replacing it with something better is a matter of implementing an interface. * As far as I can tell, the only reason why serial verification on batch failure is necessary is to provide more detailed error messages (that are only used in some unit tests). If you trust the batch verification to be consistent with serial verification then the fallback can be eliminated entirely (the BatchVerifier provided by the new library supports an option that omits the fallback if this is chosen as the way forward). * curve25519-voi's sr25519 support could use more optimization and more eyes on the code. The algorithm unfortunately is woefully under-specified, and the implementation was done primarily because I got really sad when I actually looked at go-schnorrkel, and we do not use the algorithm at this time.
3 years ago
privval: duplicate SecretConnection from p2p package (#5672) This is so that the `privval` package will not be affected when we refactor `p2p` (#5670). We will be migrating to gRPC shortly (#4698).
4 years ago
cleanup: Reduce and normalize import path aliasing. (#6975) The code in the Tendermint repository makes heavy use of import aliasing. This is made necessary by our extensive reuse of common base package names, and by repetition of similar names across different subdirectories. Unfortunately we have not been very consistent about which packages we alias in various circumstances, and the aliases we use vary. In the spirit of the advice in the style guide and https://github.com/golang/go/wiki/CodeReviewComments#imports, his change makes an effort to clean up and normalize import aliasing. This change makes no API or behavioral changes. It is a pure cleanup intended o help make the code more readable to developers (including myself) trying to understand what is being imported where. Only unexported names have been modified, and the changes were generated and applied mechanically with gofmt -r and comby, respecting the lexical and syntactic rules of Go. Even so, I did not fix every inconsistency. Where the changes would be too disruptive, I left it alone. The principles I followed in this cleanup are: - Remove aliases that restate the package name. - Remove aliases where the base package name is unambiguous. - Move overly-terse abbreviations from the import to the usage site. - Fix lexical issues (remove underscores, remove capitalization). - Fix import groupings to more closely match the style guide. - Group blank (side-effecting) imports and ensure they are commented. - Add aliases to multiple imports with the same base package name.
3 years ago
libs: internalize some packages (#6366) ## Description Internalize some libs. This reduces the amount ot public API tendermint is supporting. The moved libraries are mainly ones that are used within Tendermint-core.
3 years ago
privval: duplicate SecretConnection from p2p package (#5672) This is so that the `privval` package will not be affected when we refactor `p2p` (#5670). We will be migrating to gRPC shortly (#4698).
4 years ago
crypto: Use a different library for ed25519/sr25519 (#6526) At Oasis we have spend some time writing a new Ed25519/X25519/sr25519 implementation called curve25519-voi. This PR switches the import from ed25519consensus/go-schnorrkel, which should lead to performance gains on most systems. Summary of changes: * curve25519-voi is now used for Ed25519 operations, following the existing ZIP-215 semantics. * curve25519-voi's public key cache is enabled (hardcoded size of 4096 entries, should be tuned, see the code comment) to accelerate repeated Ed25519 verification with the same public key(s). * (BREAKING) curve25519-voi is now used for sr25519 operations. This is a breaking change as the current sr25519 support does something decidedly non-standard when going from a MiniSecretKey to a SecretKey and or PublicKey (The expansion routine is called twice). While I believe the new behavior (that expands once and only once) to be more "correct", this changes the semantics as implemented. * curve25519-voi is now used for merlin since the included STROBE implementation produces much less garbage on the heap. Side issues fixed: * The version of go-schnorrkel that is currently imported by tendermint has a badly broken batch verification implementation. Upstream has fixed the issue after I reported it, so the version should be bumped in the interim. Open design questions/issues: * As noted, the public key cache size should be tuned. It is currently backed by a trivial thread-safe LRU cache, which is not scan-resistant, but replacing it with something better is a matter of implementing an interface. * As far as I can tell, the only reason why serial verification on batch failure is necessary is to provide more detailed error messages (that are only used in some unit tests). If you trust the batch verification to be consistent with serial verification then the fallback can be eliminated entirely (the BatchVerifier provided by the new library supports an option that omits the fallback if this is chosen as the way forward). * curve25519-voi's sr25519 support could use more optimization and more eyes on the code. The algorithm unfortunately is woefully under-specified, and the implementation was done primarily because I got really sad when I actually looked at go-schnorrkel, and we do not use the algorithm at this time.
3 years ago
privval: duplicate SecretConnection from p2p package (#5672) This is so that the `privval` package will not be affected when we refactor `p2p` (#5670). We will be migrating to gRPC shortly (#4698).
4 years ago
sync: remove special mutexes (#7438)
3 years ago
privval: duplicate SecretConnection from p2p package (#5672) This is so that the `privval` package will not be affected when we refactor `p2p` (#5670). We will be migrating to gRPC shortly (#4698).
4 years ago
sync: remove special mutexes (#7438)
3 years ago
privval: duplicate SecretConnection from p2p package (#5672) This is so that the `privval` package will not be affected when we refactor `p2p` (#5670). We will be migrating to gRPC shortly (#4698).
4 years ago
crypto: Use a different library for ed25519/sr25519 (#6526) At Oasis we have spend some time writing a new Ed25519/X25519/sr25519 implementation called curve25519-voi. This PR switches the import from ed25519consensus/go-schnorrkel, which should lead to performance gains on most systems. Summary of changes: * curve25519-voi is now used for Ed25519 operations, following the existing ZIP-215 semantics. * curve25519-voi's public key cache is enabled (hardcoded size of 4096 entries, should be tuned, see the code comment) to accelerate repeated Ed25519 verification with the same public key(s). * (BREAKING) curve25519-voi is now used for sr25519 operations. This is a breaking change as the current sr25519 support does something decidedly non-standard when going from a MiniSecretKey to a SecretKey and or PublicKey (The expansion routine is called twice). While I believe the new behavior (that expands once and only once) to be more "correct", this changes the semantics as implemented. * curve25519-voi is now used for merlin since the included STROBE implementation produces much less garbage on the heap. Side issues fixed: * The version of go-schnorrkel that is currently imported by tendermint has a badly broken batch verification implementation. Upstream has fixed the issue after I reported it, so the version should be bumped in the interim. Open design questions/issues: * As noted, the public key cache size should be tuned. It is currently backed by a trivial thread-safe LRU cache, which is not scan-resistant, but replacing it with something better is a matter of implementing an interface. * As far as I can tell, the only reason why serial verification on batch failure is necessary is to provide more detailed error messages (that are only used in some unit tests). If you trust the batch verification to be consistent with serial verification then the fallback can be eliminated entirely (the BatchVerifier provided by the new library supports an option that omits the fallback if this is chosen as the way forward). * curve25519-voi's sr25519 support could use more optimization and more eyes on the code. The algorithm unfortunately is woefully under-specified, and the implementation was done primarily because I got really sad when I actually looked at go-schnorrkel, and we do not use the algorithm at this time.
3 years ago
privval: duplicate SecretConnection from p2p package (#5672) This is so that the `privval` package will not be affected when we refactor `p2p` (#5670). We will be migrating to gRPC shortly (#4698).
4 years ago
p2p: fix MConnection inbound traffic statistics and rate limiting (#5868) Fixes #5866. Inbound traffic monitoring (and by extension inbound rate limiting) was inadvertently removed in 660e72a.
3 years ago
privval: duplicate SecretConnection from p2p package (#5672) This is so that the `privval` package will not be affected when we refactor `p2p` (#5670). We will be migrating to gRPC shortly (#4698).
4 years ago
cleanup: Reduce and normalize import path aliasing. (#6975) The code in the Tendermint repository makes heavy use of import aliasing. This is made necessary by our extensive reuse of common base package names, and by repetition of similar names across different subdirectories. Unfortunately we have not been very consistent about which packages we alias in various circumstances, and the aliases we use vary. In the spirit of the advice in the style guide and https://github.com/golang/go/wiki/CodeReviewComments#imports, his change makes an effort to clean up and normalize import aliasing. This change makes no API or behavioral changes. It is a pure cleanup intended o help make the code more readable to developers (including myself) trying to understand what is being imported where. Only unexported names have been modified, and the changes were generated and applied mechanically with gofmt -r and comby, respecting the lexical and syntactic rules of Go. Even so, I did not fix every inconsistency. Where the changes would be too disruptive, I left it alone. The principles I followed in this cleanup are: - Remove aliases that restate the package name. - Remove aliases where the base package name is unambiguous. - Move overly-terse abbreviations from the import to the usage site. - Fix lexical issues (remove underscores, remove capitalization). - Fix import groupings to more closely match the style guide. - Group blank (side-effecting) imports and ensure they are commented. - Add aliases to multiple imports with the same base package name.
3 years ago
privval: duplicate SecretConnection from p2p package (#5672) This is so that the `privval` package will not be affected when we refactor `p2p` (#5670). We will be migrating to gRPC shortly (#4698).
4 years ago
p2p: fix MConnection inbound traffic statistics and rate limiting (#5868) Fixes #5866. Inbound traffic monitoring (and by extension inbound rate limiting) was inadvertently removed in 660e72a.
3 years ago
privval: duplicate SecretConnection from p2p package (#5672) This is so that the `privval` package will not be affected when we refactor `p2p` (#5670). We will be migrating to gRPC shortly (#4698).
4 years ago
cleanup: Reduce and normalize import path aliasing. (#6975) The code in the Tendermint repository makes heavy use of import aliasing. This is made necessary by our extensive reuse of common base package names, and by repetition of similar names across different subdirectories. Unfortunately we have not been very consistent about which packages we alias in various circumstances, and the aliases we use vary. In the spirit of the advice in the style guide and https://github.com/golang/go/wiki/CodeReviewComments#imports, his change makes an effort to clean up and normalize import aliasing. This change makes no API or behavioral changes. It is a pure cleanup intended o help make the code more readable to developers (including myself) trying to understand what is being imported where. Only unexported names have been modified, and the changes were generated and applied mechanically with gofmt -r and comby, respecting the lexical and syntactic rules of Go. Even so, I did not fix every inconsistency. Where the changes would be too disruptive, I left it alone. The principles I followed in this cleanup are: - Remove aliases that restate the package name. - Remove aliases where the base package name is unambiguous. - Move overly-terse abbreviations from the import to the usage site. - Fix lexical issues (remove underscores, remove capitalization). - Fix import groupings to more closely match the style guide. - Group blank (side-effecting) imports and ensure they are commented. - Add aliases to multiple imports with the same base package name.
3 years ago
privval: duplicate SecretConnection from p2p package (#5672) This is so that the `privval` package will not be affected when we refactor `p2p` (#5670). We will be migrating to gRPC shortly (#4698).
4 years ago
 
  1. package privval
  2. 

  3. import (
  4. 	"bytes"
  5. 	"crypto/cipher"
  6. 	crand "crypto/rand"
  7. 	"crypto/sha256"
  8. 	"encoding/binary"
  9. 	"errors"
  10. 	"fmt"
  11. 	"io"
  12. 	"math"
  13. 	"net"
  14. 	"sync"
  15. 	"time"
  16. 

  17. 	gogotypes "github.com/gogo/protobuf/types"
  18. 	pool "github.com/libp2p/go-buffer-pool"
  19. 	"github.com/oasisprotocol/curve25519-voi/primitives/merlin"
  20. 	"golang.org/x/crypto/chacha20poly1305"
  21. 	"golang.org/x/crypto/curve25519"
  22. 	"golang.org/x/crypto/hkdf"
  23. 	"golang.org/x/crypto/nacl/box"
  24. 

  25. 	"github.com/tendermint/tendermint/crypto"
  26. 	"github.com/tendermint/tendermint/crypto/ed25519"
  27. 	"github.com/tendermint/tendermint/crypto/encoding"
  28. 	"github.com/tendermint/tendermint/internal/libs/protoio"
  29. 	"github.com/tendermint/tendermint/libs/async"
  30. 	tmprivval "github.com/tendermint/tendermint/proto/tendermint/privval"
  31. )
  32. 

  33. // This code has been duplicated from p2p/conn prior to the P2P refactor.

  34. // It is left here temporarily until we migrate privval to gRPC.

  35. // https://github.com/tendermint/tendermint/issues/4698

  36. 

  37. // 4 + 1024 == 1028 total frame size

  38. const (
  39. 	dataLenSize      = 4
  40. 	dataMaxSize      = 1024
  41. 	totalFrameSize   = dataMaxSize + dataLenSize
  42. 	aeadSizeOverhead = 16 // overhead of poly 1305 authentication tag

  43. 	aeadKeySize      = chacha20poly1305.KeySize
  44. 	aeadNonceSize    = chacha20poly1305.NonceSize
  45. 

  46. 	labelEphemeralLowerPublicKey = "EPHEMERAL_LOWER_PUBLIC_KEY"
  47. 	labelEphemeralUpperPublicKey = "EPHEMERAL_UPPER_PUBLIC_KEY"
  48. 	labelDHSecret                = "DH_SECRET"
  49. 	labelSecretConnectionMac     = "SECRET_CONNECTION_MAC"
  50. )
  51. 

  52. var (
  53. 	ErrSmallOrderRemotePubKey = errors.New("detected low order point from remote peer")
  54. 

  55. 	secretConnKeyAndChallengeGen = []byte("TENDERMINT_SECRET_CONNECTION_KEY_AND_CHALLENGE_GEN")
  56. )
  57. 

  58. // SecretConnection implements net.Conn.

  59. // It is an implementation of the STS protocol.

  60. // See https://github.com/tendermint/tendermint/blob/0.1/docs/sts-final.pdf for

  61. // details on the protocol.

  62. //

  63. // Consumers of the SecretConnection are responsible for authenticating

  64. // the remote peer's pubkey against known information, like a nodeID.

  65. // Otherwise they are vulnerable to MITM.

  66. // (TODO(ismail): see also https://github.com/tendermint/tendermint/issues/3010)

  67. type SecretConnection struct {
  68. 

  69. 	// immutable

  70. 	recvAead cipher.AEAD
  71. 	sendAead cipher.AEAD
  72. 

  73. 	remPubKey crypto.PubKey
  74. 	conn      io.ReadWriteCloser
  75. 

  76. 	// net.Conn must be thread safe:

  77. 	// https://golang.org/pkg/net/#Conn.

  78. 	// Since we have internal mutable state,

  79. 	// we need mtxs. But recv and send states

  80. 	// are independent, so we can use two mtxs.

  81. 	// All .Read are covered by recvMtx,

  82. 	// all .Write are covered by sendMtx.

  83. 	recvMtx    sync.Mutex
  84. 	recvBuffer []byte
  85. 	recvNonce  *[aeadNonceSize]byte
  86. 

  87. 	sendMtx   sync.Mutex
  88. 	sendNonce *[aeadNonceSize]byte
  89. }
  90. 

  91. // MakeSecretConnection performs handshake and returns a new authenticated

  92. // SecretConnection.

  93. // Returns nil if there is an error in handshake.

  94. // Caller should call conn.Close()

  95. // See docs/sts-final.pdf for more information.

  96. func MakeSecretConnection(conn io.ReadWriteCloser, locPrivKey crypto.PrivKey) (*SecretConnection, error) {
  97. 	var (
  98. 		locPubKey = locPrivKey.PubKey()
  99. 	)
  100. 

  101. 	// Generate ephemeral keys for perfect forward secrecy.

  102. 	locEphPub, locEphPriv := genEphKeys()
  103. 

  104. 	// Write local ephemeral pubkey and receive one too.

  105. 	// NOTE: every 32-byte string is accepted as a Curve25519 public key (see

  106. 	// DJB's Curve25519 paper: http://cr.yp.to/ecdh/curve25519-20060209.pdf)

  107. 	remEphPub, err := shareEphPubKey(conn, locEphPub)
  108. 	if err != nil {
  109. 		return nil, err
  110. 	}
  111. 

  112. 	// Sort by lexical order.

  113. 	loEphPub, hiEphPub := sort32(locEphPub, remEphPub)
  114. 

  115. 	transcript := merlin.NewTranscript("TENDERMINT_SECRET_CONNECTION_TRANSCRIPT_HASH")
  116. 

  117. 	transcript.AppendMessage(labelEphemeralLowerPublicKey, loEphPub[:])
  118. 	transcript.AppendMessage(labelEphemeralUpperPublicKey, hiEphPub[:])
  119. 

  120. 	// Check if the local ephemeral public key was the least, lexicographically

  121. 	// sorted.

  122. 	locIsLeast := bytes.Equal(locEphPub[:], loEphPub[:])
  123. 

  124. 	// Compute common diffie hellman secret using X25519.

  125. 	dhSecret, err := computeDHSecret(remEphPub, locEphPriv)
  126. 	if err != nil {
  127. 		return nil, err
  128. 	}
  129. 

  130. 	transcript.AppendMessage(labelDHSecret, dhSecret[:])
  131. 

  132. 	// Generate the secret used for receiving, sending, challenge via HKDF-SHA2

  133. 	// on the transcript state (which itself also uses HKDF-SHA2 to derive a key

  134. 	// from the dhSecret).

  135. 	recvSecret, sendSecret := deriveSecrets(dhSecret, locIsLeast)
  136. 

  137. 	const challengeSize = 32
  138. 	var challenge [challengeSize]byte
  139. 	transcript.ExtractBytes(challenge[:], labelSecretConnectionMac)
  140. 

  141. 	sendAead, err := chacha20poly1305.New(sendSecret[:])
  142. 	if err != nil {
  143. 		return nil, errors.New("invalid send SecretConnection Key")
  144. 	}
  145. 	recvAead, err := chacha20poly1305.New(recvSecret[:])
  146. 	if err != nil {
  147. 		return nil, errors.New("invalid receive SecretConnection Key")
  148. 	}
  149. 

  150. 	sc := &SecretConnection{
  151. 		conn:       conn,
  152. 		recvBuffer: nil,
  153. 		recvNonce:  new([aeadNonceSize]byte),
  154. 		sendNonce:  new([aeadNonceSize]byte),
  155. 		recvAead:   recvAead,
  156. 		sendAead:   sendAead,
  157. 	}
  158. 

  159. 	// Sign the challenge bytes for authentication.

  160. 	locSignature, err := signChallenge(&challenge, locPrivKey)
  161. 	if err != nil {
  162. 		return nil, err
  163. 	}
  164. 

  165. 	// Share (in secret) each other's pubkey & challenge signature

  166. 	authSigMsg, err := shareAuthSignature(sc, locPubKey, locSignature)
  167. 	if err != nil {
  168. 		return nil, err
  169. 	}
  170. 

  171. 	remPubKey, remSignature := authSigMsg.Key, authSigMsg.Sig
  172. 	if _, ok := remPubKey.(ed25519.PubKey); !ok {
  173. 		return nil, fmt.Errorf("expected ed25519 pubkey, got %T", remPubKey)
  174. 	}
  175. 	if !remPubKey.VerifySignature(challenge[:], remSignature) {
  176. 		return nil, errors.New("challenge verification failed")
  177. 	}
  178. 

  179. 	// We've authorized.

  180. 	sc.remPubKey = remPubKey
  181. 	return sc, nil
  182. }
  183. 

  184. // RemotePubKey returns authenticated remote pubkey

  185. func (sc *SecretConnection) RemotePubKey() crypto.PubKey {
  186. 	return sc.remPubKey
  187. }
  188. 

  189. // Writes encrypted frames of `totalFrameSize + aeadSizeOverhead`.

  190. // CONTRACT: data smaller than dataMaxSize is written atomically.

  191. func (sc *SecretConnection) Write(data []byte) (n int, err error) {
  192. 	sc.sendMtx.Lock()
  193. 	defer sc.sendMtx.Unlock()
  194. 

  195. 	for 0 < len(data) {
  196. 		if err := func() error {
  197. 			var sealedFrame = pool.Get(aeadSizeOverhead + totalFrameSize)
  198. 			var frame = pool.Get(totalFrameSize)
  199. 			defer func() {
  200. 				pool.Put(sealedFrame)
  201. 				pool.Put(frame)
  202. 			}()
  203. 			var chunk []byte
  204. 			if dataMaxSize < len(data) {
  205. 				chunk = data[:dataMaxSize]
  206. 				data = data[dataMaxSize:]
  207. 			} else {
  208. 				chunk = data
  209. 				data = nil
  210. 			}
  211. 			chunkLength := len(chunk)
  212. 			binary.LittleEndian.PutUint32(frame, uint32(chunkLength))
  213. 			copy(frame[dataLenSize:], chunk)
  214. 

  215. 			// encrypt the frame

  216. 			sc.sendAead.Seal(sealedFrame[:0], sc.sendNonce[:], frame, nil)
  217. 			incrNonce(sc.sendNonce)
  218. 			// end encryption

  219. 

  220. 			_, err = sc.conn.Write(sealedFrame)
  221. 			if err != nil {
  222. 				return err
  223. 			}
  224. 			n += len(chunk)
  225. 			return nil
  226. 		}(); err != nil {
  227. 			return n, err
  228. 		}
  229. 	}
  230. 	return n, err
  231. }
  232. 

  233. // CONTRACT: data smaller than dataMaxSize is read atomically.

  234. func (sc *SecretConnection) Read(data []byte) (n int, err error) {
  235. 	sc.recvMtx.Lock()
  236. 	defer sc.recvMtx.Unlock()
  237. 

  238. 	// read off and update the recvBuffer, if non-empty

  239. 	if 0 < len(sc.recvBuffer) {
  240. 		n = copy(data, sc.recvBuffer)
  241. 		sc.recvBuffer = sc.recvBuffer[n:]
  242. 		return
  243. 	}
  244. 

  245. 	// read off the conn

  246. 	var sealedFrame = pool.Get(aeadSizeOverhead + totalFrameSize)
  247. 	defer pool.Put(sealedFrame)
  248. 	_, err = io.ReadFull(sc.conn, sealedFrame)
  249. 	if err != nil {
  250. 		return
  251. 	}
  252. 

  253. 	// decrypt the frame.

  254. 	// reads and updates the sc.recvNonce

  255. 	var frame = pool.Get(totalFrameSize)
  256. 	defer pool.Put(frame)
  257. 	_, err = sc.recvAead.Open(frame[:0], sc.recvNonce[:], sealedFrame, nil)
  258. 	if err != nil {
  259. 		return n, fmt.Errorf("failed to decrypt SecretConnection: %w", err)
  260. 	}
  261. 	incrNonce(sc.recvNonce)
  262. 	// end decryption

  263. 

  264. 	// copy checkLength worth into data,

  265. 	// set recvBuffer to the rest.

  266. 	var chunkLength = binary.LittleEndian.Uint32(frame) // read the first four bytes

  267. 	if chunkLength > dataMaxSize {
  268. 		return 0, errors.New("chunkLength is greater than dataMaxSize")
  269. 	}
  270. 	var chunk = frame[dataLenSize : dataLenSize+chunkLength]
  271. 	n = copy(data, chunk)
  272. 	if n < len(chunk) {
  273. 		sc.recvBuffer = make([]byte, len(chunk)-n)
  274. 		copy(sc.recvBuffer, chunk[n:])
  275. 	}
  276. 	return n, err
  277. }
  278. 

  279. // Implements net.Conn

  280. func (sc *SecretConnection) Close() error                  { return sc.conn.Close() }
  281. func (sc *SecretConnection) LocalAddr() net.Addr           { return sc.conn.(net.Conn).LocalAddr() }
  282. func (sc *SecretConnection) RemoteAddr() net.Addr          { return sc.conn.(net.Conn).RemoteAddr() }
  283. func (sc *SecretConnection) SetDeadline(t time.Time) error { return sc.conn.(net.Conn).SetDeadline(t) }
  284. func (sc *SecretConnection) SetReadDeadline(t time.Time) error {
  285. 	return sc.conn.(net.Conn).SetReadDeadline(t)
  286. }
  287. func (sc *SecretConnection) SetWriteDeadline(t time.Time) error {
  288. 	return sc.conn.(net.Conn).SetWriteDeadline(t)
  289. }
  290. 

  291. func genEphKeys() (ephPub, ephPriv *[32]byte) {
  292. 	var err error
  293. 	// TODO: Probably not a problem but ask Tony: different from the rust implementation (uses x25519-dalek),

  294. 	// we do not "clamp" the private key scalar:

  295. 	// see: https://github.com/dalek-cryptography/x25519-dalek/blob/34676d336049df2bba763cc076a75e47ae1f170f/src/x25519.rs#L56-L74

  296. 	ephPub, ephPriv, err = box.GenerateKey(crand.Reader)
  297. 	if err != nil {
  298. 		panic("Could not generate ephemeral key-pair")
  299. 	}
  300. 	return
  301. }
  302. 

  303. func shareEphPubKey(conn io.ReadWriter, locEphPub *[32]byte) (remEphPub *[32]byte, err error) {
  304. 

  305. 	// Send our pubkey and receive theirs in tandem.

  306. 	var trs, _ = async.Parallel(
  307. 		func(_ int) (val interface{}, abort bool, err error) {
  308. 			lc := *locEphPub
  309. 			_, err = protoio.NewDelimitedWriter(conn).WriteMsg(&gogotypes.BytesValue{Value: lc[:]})
  310. 			if err != nil {
  311. 				return nil, true, err // abort

  312. 			}
  313. 			return nil, false, nil
  314. 		},
  315. 		func(_ int) (val interface{}, abort bool, err error) {
  316. 			var bytes gogotypes.BytesValue
  317. 			_, err = protoio.NewDelimitedReader(conn, 1024*1024).ReadMsg(&bytes)
  318. 			if err != nil {
  319. 				return nil, true, err // abort

  320. 			}
  321. 

  322. 			var _remEphPub [32]byte
  323. 			copy(_remEphPub[:], bytes.Value)
  324. 			return _remEphPub, false, nil
  325. 		},
  326. 	)
  327. 

  328. 	// If error:

  329. 	if trs.FirstError() != nil {
  330. 		err = trs.FirstError()
  331. 		return
  332. 	}
  333. 

  334. 	// Otherwise:

  335. 	var _remEphPub = trs.FirstValue().([32]byte)
  336. 	return &_remEphPub, nil
  337. }
  338. 

  339. func deriveSecrets(
  340. 	dhSecret *[32]byte,
  341. 	locIsLeast bool,
  342. ) (recvSecret, sendSecret *[aeadKeySize]byte) {
  343. 	hash := sha256.New
  344. 	hkdf := hkdf.New(hash, dhSecret[:], nil, secretConnKeyAndChallengeGen)
  345. 	// get enough data for 2 aead keys, and a 32 byte challenge

  346. 	res := new([2*aeadKeySize + 32]byte)
  347. 	_, err := io.ReadFull(hkdf, res[:])
  348. 	if err != nil {
  349. 		panic(err)
  350. 	}
  351. 

  352. 	recvSecret = new([aeadKeySize]byte)
  353. 	sendSecret = new([aeadKeySize]byte)
  354. 

  355. 	// bytes 0 through aeadKeySize - 1 are one aead key.

  356. 	// bytes aeadKeySize through 2*aeadKeySize -1 are another aead key.

  357. 	// which key corresponds to sending and receiving key depends on whether

  358. 	// the local key is less than the remote key.

  359. 	if locIsLeast {
  360. 		copy(recvSecret[:], res[0:aeadKeySize])
  361. 		copy(sendSecret[:], res[aeadKeySize:aeadKeySize*2])
  362. 	} else {
  363. 		copy(sendSecret[:], res[0:aeadKeySize])
  364. 		copy(recvSecret[:], res[aeadKeySize:aeadKeySize*2])
  365. 	}
  366. 

  367. 	return
  368. }
  369. 

  370. // computeDHSecret computes a Diffie-Hellman shared secret key

  371. // from our own local private key and the other's public key.

  372. func computeDHSecret(remPubKey, locPrivKey *[32]byte) (*[32]byte, error) {
  373. 	shrKey, err := curve25519.X25519(locPrivKey[:], remPubKey[:])
  374. 	if err != nil {
  375. 		return nil, err
  376. 	}
  377. 	var shrKeyArray [32]byte
  378. 	copy(shrKeyArray[:], shrKey)
  379. 	return &shrKeyArray, nil
  380. }
  381. 

  382. func sort32(foo, bar *[32]byte) (lo, hi *[32]byte) {
  383. 	if bytes.Compare(foo[:], bar[:]) < 0 {
  384. 		lo = foo
  385. 		hi = bar
  386. 	} else {
  387. 		lo = bar
  388. 		hi = foo
  389. 	}
  390. 	return
  391. }
  392. 

  393. func signChallenge(challenge *[32]byte, locPrivKey crypto.PrivKey) ([]byte, error) {
  394. 	signature, err := locPrivKey.Sign(challenge[:])
  395. 	if err != nil {
  396. 		return nil, err
  397. 	}
  398. 	return signature, nil
  399. }
  400. 

  401. type authSigMessage struct {
  402. 	Key crypto.PubKey
  403. 	Sig []byte
  404. }
  405. 

  406. func shareAuthSignature(sc io.ReadWriter, pubKey crypto.PubKey, signature []byte) (recvMsg authSigMessage, err error) {
  407. 

  408. 	// Send our info and receive theirs in tandem.

  409. 	var trs, _ = async.Parallel(
  410. 		func(_ int) (val interface{}, abort bool, err error) {
  411. 			pbpk, err := encoding.PubKeyToProto(pubKey)
  412. 			if err != nil {
  413. 				return nil, true, err
  414. 			}
  415. 			_, err = protoio.NewDelimitedWriter(sc).WriteMsg(&tmprivval.AuthSigMessage{PubKey: pbpk, Sig: signature})
  416. 			if err != nil {
  417. 				return nil, true, err // abort

  418. 			}
  419. 			return nil, false, nil
  420. 		},
  421. 		func(_ int) (val interface{}, abort bool, err error) {
  422. 			var pba tmprivval.AuthSigMessage
  423. 			_, err = protoio.NewDelimitedReader(sc, 1024*1024).ReadMsg(&pba)
  424. 			if err != nil {
  425. 				return nil, true, err // abort

  426. 			}
  427. 

  428. 			pk, err := encoding.PubKeyFromProto(pba.PubKey)
  429. 			if err != nil {
  430. 				return nil, true, err // abort

  431. 			}
  432. 

  433. 			_recvMsg := authSigMessage{
  434. 				Key: pk,
  435. 				Sig: pba.Sig,
  436. 			}
  437. 			return _recvMsg, false, nil
  438. 		},
  439. 	)
  440. 

  441. 	// If error:

  442. 	if trs.FirstError() != nil {
  443. 		err = trs.FirstError()
  444. 		return
  445. 	}
  446. 

  447. 	var _recvMsg = trs.FirstValue().(authSigMessage)
  448. 	return _recvMsg, nil
  449. }
  450. 

  451. //--------------------------------------------------------------------------------

  452. 

  453. // Increment nonce little-endian by 1 with wraparound.

  454. // Due to chacha20poly1305 expecting a 12 byte nonce we do not use the first four

  455. // bytes. We only increment a 64 bit unsigned int in the remaining 8 bytes

  456. // (little-endian in nonce[4:]).

  457. func incrNonce(nonce *[aeadNonceSize]byte) {
  458. 	counter := binary.LittleEndian.Uint64(nonce[4:])
  459. 	if counter == math.MaxUint64 {
  460. 		// Terminates the session and makes sure the nonce would not re-used.

  461. 		// See https://github.com/tendermint/tendermint/issues/3531

  462. 		panic("can't increase nonce without overflow")
  463. 	}
  464. 	counter++
  465. 	binary.LittleEndian.PutUint64(nonce[4:], counter)
  466. }