zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3651 Commits
183 Branches
291 MiB
Tree: d3c4f746a7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd3c4f746a7'
${ noResults }
tendermint/p2p/conn/secret_connection.go

348 lines
9.3 KiB
Raw Normal View History

initial commit
9 years ago
p2p: tmconn->conn and types->p2p
7 years ago
initial commit
9 years ago
p2p: use cmn instead of .
7 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
p2p: PrivKey need not be Ed25519
7 years ago
initial commit
9 years ago
p2p: PrivKey need not be Ed25519
7 years ago
initial commit
9 years ago
p2p: PrivKey need not be Ed25519
7 years ago
initial commit
9 years ago
p2p: use bytes.Equal for key comparison Updates https://github.com/tendermint/tendermint/issues/850 My security alarms falsely blarred when I skimmed and noticed keys being compared with `==`, without the proper context so I mistakenly filed an issue, yet the purpose of that comparison was to check if the local ephemeral public key was just the least, sorted lexicographically. Anyways, let's use the proper bytes.Equal check, to save future labor.
7 years ago
initial commit
9 years ago
p2p: use bytes.Equal for key comparison Updates https://github.com/tendermint/tendermint/issues/850 My security alarms falsely blarred when I skimmed and noticed keys being compared with `==`, without the proper context so I mistakenly filed an issue, yet the purpose of that comparison was to check if the local ephemeral public key was just the least, sorted lexicographically. Anyways, let's use the proper bytes.Equal check, to save future labor.
7 years ago
initial commit
9 years ago
p2p: PrivKey need not be Ed25519
7 years ago
initial commit
9 years ago
p2p: PrivKey need not be Ed25519
7 years ago
initial commit
9 years ago
Fix lint errors (#1390) * use increment and decrement operators. * remove unnecessary else branches. * fix package comment with leading space. * fix receiver names. * fix error strings. * remove omittable code. * remove redundant return statement. * Revert changes (code is generated.) * use cfg as receiver name for all config-related types. * use lsi as the receiver name for the LastSignedInfo type.
6 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
Fix lint errors (#1390) * use increment and decrement operators. * remove unnecessary else branches. * fix package comment with leading space. * fix receiver names. * fix error strings. * remove omittable code. * remove redundant return statement. * Revert changes (code is generated.) * use cfg as receiver name for all config-related types. * use lsi as the receiver name for the LastSignedInfo type.
6 years ago
initial commit
9 years ago
P2P now works with Amino
6 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
P2P now works with Amino
6 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
p2p: PrivKey need not be Ed25519
7 years ago
initial commit
9 years ago
Confirm to go-wire new TypeByte behavior
9 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
First stab: p2p/conn
6 years ago
initial commit
9 years ago
more linting
7 years ago
initial commit
9 years ago
more linting
7 years ago
initial commit
9 years ago
Fix lint errors (#1390) * use increment and decrement operators. * remove unnecessary else branches. * fix package comment with leading space. * fix receiver names. * fix error strings. * remove omittable code. * remove redundant return statement. * Revert changes (code is generated.) * use cfg as receiver name for all config-related types. * use lsi as the receiver name for the LastSignedInfo type.
6 years ago
initial commit
9 years ago
 
  1. // Uses nacl's secret_box to encrypt a net.Conn.

  2. // It is (meant to be) an implementation of the STS protocol.

  3. // Note we do not (yet) assume that a remote peer's pubkey

  4. // is known ahead of time, and thus we are technically

  5. // still vulnerable to MITM. (TODO!)

  6. // See docs/sts-final.pdf for more info

  7. package conn
  8. 

  9. import (
  10. 	"bytes"
  11. 	crand "crypto/rand"
  12. 	"crypto/sha256"
  13. 	"encoding/binary"
  14. 	"errors"
  15. 	"io"
  16. 	"net"
  17. 	"time"
  18. 

  19. 	"golang.org/x/crypto/nacl/box"
  20. 	"golang.org/x/crypto/nacl/secretbox"
  21. 	"golang.org/x/crypto/ripemd160"
  22. 

  23. 	"github.com/tendermint/go-crypto"
  24. 	cmn "github.com/tendermint/tmlibs/common"
  25. )
  26. 

  27. // 4 + 1024 == 1028 total frame size

  28. const dataLenSize = 4
  29. const dataMaxSize = 1024
  30. const totalFrameSize = dataMaxSize + dataLenSize
  31. const sealedFrameSize = totalFrameSize + secretbox.Overhead
  32. 

  33. // Implements net.Conn

  34. type SecretConnection struct {
  35. 	conn       io.ReadWriteCloser
  36. 	recvBuffer []byte
  37. 	recvNonce  *[24]byte
  38. 	sendNonce  *[24]byte
  39. 	remPubKey  crypto.PubKey
  40. 	shrSecret  *[32]byte // shared secret

  41. }
  42. 

  43. // Performs handshake and returns a new authenticated SecretConnection.

  44. // Returns nil if error in handshake.

  45. // Caller should call conn.Close()

  46. // See docs/sts-final.pdf for more information.

  47. func MakeSecretConnection(conn io.ReadWriteCloser, locPrivKey crypto.PrivKey) (*SecretConnection, error) {
  48. 

  49. 	locPubKey := locPrivKey.PubKey()
  50. 

  51. 	// Generate ephemeral keys for perfect forward secrecy.

  52. 	locEphPub, locEphPriv := genEphKeys()
  53. 

  54. 	// Write local ephemeral pubkey and receive one too.

  55. 	// NOTE: every 32-byte string is accepted as a Curve25519 public key

  56. 	// (see DJB's Curve25519 paper: http://cr.yp.to/ecdh/curve25519-20060209.pdf)

  57. 	remEphPub, err := shareEphPubKey(conn, locEphPub)
  58. 	if err != nil {
  59. 		return nil, err
  60. 	}
  61. 

  62. 	// Compute common shared secret.

  63. 	shrSecret := computeSharedSecret(remEphPub, locEphPriv)
  64. 

  65. 	// Sort by lexical order.

  66. 	loEphPub, hiEphPub := sort32(locEphPub, remEphPub)
  67. 

  68. 	// Check if the local ephemeral public key

  69. 	// was the least, lexicographically sorted.

  70. 	locIsLeast := bytes.Equal(locEphPub[:], loEphPub[:])
  71. 

  72. 	// Generate nonces to use for secretbox.

  73. 	recvNonce, sendNonce := genNonces(loEphPub, hiEphPub, locIsLeast)
  74. 

  75. 	// Generate common challenge to sign.

  76. 	challenge := genChallenge(loEphPub, hiEphPub)
  77. 

  78. 	// Construct SecretConnection.

  79. 	sc := &SecretConnection{
  80. 		conn:       conn,
  81. 		recvBuffer: nil,
  82. 		recvNonce:  recvNonce,
  83. 		sendNonce:  sendNonce,
  84. 		shrSecret:  shrSecret,
  85. 	}
  86. 

  87. 	// Sign the challenge bytes for authentication.

  88. 	locSignature := signChallenge(challenge, locPrivKey)
  89. 

  90. 	// Share (in secret) each other's pubkey & challenge signature

  91. 	authSigMsg, err := shareAuthSignature(sc, locPubKey, locSignature)
  92. 	if err != nil {
  93. 		return nil, err
  94. 	}
  95. 	remPubKey, remSignature := authSigMsg.Key, authSigMsg.Sig
  96. 	if !remPubKey.VerifyBytes(challenge[:], remSignature) {
  97. 		return nil, errors.New("Challenge verification failed")
  98. 	}
  99. 

  100. 	// We've authorized.

  101. 	sc.remPubKey = remPubKey
  102. 	return sc, nil
  103. }
  104. 

  105. // Returns authenticated remote pubkey

  106. func (sc *SecretConnection) RemotePubKey() crypto.PubKey {
  107. 	return sc.remPubKey
  108. }
  109. 

  110. // Writes encrypted frames of `sealedFrameSize`

  111. // CONTRACT: data smaller than dataMaxSize is read atomically.

  112. func (sc *SecretConnection) Write(data []byte) (n int, err error) {
  113. 	for 0 < len(data) {
  114. 		var frame = make([]byte, totalFrameSize)
  115. 		var chunk []byte
  116. 		if dataMaxSize < len(data) {
  117. 			chunk = data[:dataMaxSize]
  118. 			data = data[dataMaxSize:]
  119. 		} else {
  120. 			chunk = data
  121. 			data = nil
  122. 		}
  123. 		chunkLength := len(chunk)
  124. 		binary.BigEndian.PutUint32(frame, uint32(chunkLength))
  125. 		copy(frame[dataLenSize:], chunk)
  126. 

  127. 		// encrypt the frame

  128. 		var sealedFrame = make([]byte, sealedFrameSize)
  129. 		secretbox.Seal(sealedFrame[:0], frame, sc.sendNonce, sc.shrSecret)
  130. 		// fmt.Printf("secretbox.Seal(sealed:%X,sendNonce:%X,shrSecret:%X\n", sealedFrame, sc.sendNonce, sc.shrSecret)

  131. 		incr2Nonce(sc.sendNonce)
  132. 		// end encryption

  133. 

  134. 		_, err := sc.conn.Write(sealedFrame)
  135. 		if err != nil {
  136. 			return n, err
  137. 		}
  138. 		n += len(chunk)
  139. 	}
  140. 	return
  141. }
  142. 

  143. // CONTRACT: data smaller than dataMaxSize is read atomically.

  144. func (sc *SecretConnection) Read(data []byte) (n int, err error) {
  145. 	if 0 < len(sc.recvBuffer) {
  146. 		n = copy(data, sc.recvBuffer)
  147. 		sc.recvBuffer = sc.recvBuffer[n:]
  148. 		return
  149. 	}
  150. 

  151. 	sealedFrame := make([]byte, sealedFrameSize)
  152. 	_, err = io.ReadFull(sc.conn, sealedFrame)
  153. 	if err != nil {
  154. 		return
  155. 	}
  156. 

  157. 	// decrypt the frame

  158. 	var frame = make([]byte, totalFrameSize)
  159. 	// fmt.Printf("secretbox.Open(sealed:%X,recvNonce:%X,shrSecret:%X\n", sealedFrame, sc.recvNonce, sc.shrSecret)

  160. 	_, ok := secretbox.Open(frame[:0], sealedFrame, sc.recvNonce, sc.shrSecret)
  161. 	if !ok {
  162. 		return n, errors.New("Failed to decrypt SecretConnection")
  163. 	}
  164. 	incr2Nonce(sc.recvNonce)
  165. 	// end decryption

  166. 

  167. 	var chunkLength = binary.BigEndian.Uint32(frame) // read the first two bytes

  168. 	if chunkLength > dataMaxSize {
  169. 		return 0, errors.New("chunkLength is greater than dataMaxSize")
  170. 	}
  171. 	var chunk = frame[dataLenSize : dataLenSize+chunkLength]
  172. 

  173. 	n = copy(data, chunk)
  174. 	sc.recvBuffer = chunk[n:]
  175. 	return
  176. }
  177. 

  178. // Implements net.Conn

  179. func (sc *SecretConnection) Close() error                  { return sc.conn.Close() }
  180. func (sc *SecretConnection) LocalAddr() net.Addr           { return sc.conn.(net.Conn).LocalAddr() }
  181. func (sc *SecretConnection) RemoteAddr() net.Addr          { return sc.conn.(net.Conn).RemoteAddr() }
  182. func (sc *SecretConnection) SetDeadline(t time.Time) error { return sc.conn.(net.Conn).SetDeadline(t) }
  183. func (sc *SecretConnection) SetReadDeadline(t time.Time) error {
  184. 	return sc.conn.(net.Conn).SetReadDeadline(t)
  185. }
  186. func (sc *SecretConnection) SetWriteDeadline(t time.Time) error {
  187. 	return sc.conn.(net.Conn).SetWriteDeadline(t)
  188. }
  189. 

  190. func genEphKeys() (ephPub, ephPriv *[32]byte) {
  191. 	var err error
  192. 	ephPub, ephPriv, err = box.GenerateKey(crand.Reader)
  193. 	if err != nil {
  194. 		panic("Could not generate ephemeral keypairs")
  195. 	}
  196. 	return
  197. }
  198. 

  199. func shareEphPubKey(conn io.ReadWriteCloser, locEphPub *[32]byte) (remEphPub *[32]byte, err error) {
  200. 

  201. 	// Send our pubkey and receive theirs in tandem.

  202. 	var trs, _ = cmn.Parallel(
  203. 		func(_ int) (val interface{}, err error, abort bool) {
  204. 			var _, err1 = cdc.MarshalBinaryWriter(conn, locEphPub)
  205. 			if err1 != nil {
  206. 				return nil, err1, true // abort

  207. 			} else {
  208. 				return nil, nil, false
  209. 			}
  210. 		},
  211. 		func(_ int) (val interface{}, err error, abort bool) {
  212. 			var _remEphPub [32]byte
  213. 			var _, err2 = cdc.UnmarshalBinaryReader(conn, &_remEphPub, 1024*1024) // TODO

  214. 			if err2 != nil {
  215. 				return nil, err2, true // abort

  216. 			} else {
  217. 				return _remEphPub, nil, false
  218. 			}
  219. 		},
  220. 	)
  221. 

  222. 	// If error:

  223. 	if trs.FirstError() != nil {
  224. 		err = trs.FirstError()
  225. 		return
  226. 	}
  227. 

  228. 	// Otherwise:

  229. 	var _remEphPub = trs.FirstValue().([32]byte)
  230. 	return &_remEphPub, nil
  231. }
  232. 

  233. func computeSharedSecret(remPubKey, locPrivKey *[32]byte) (shrSecret *[32]byte) {
  234. 	shrSecret = new([32]byte)
  235. 	box.Precompute(shrSecret, remPubKey, locPrivKey)
  236. 	return
  237. }
  238. 

  239. func sort32(foo, bar *[32]byte) (lo, hi *[32]byte) {
  240. 	if bytes.Compare(foo[:], bar[:]) < 0 {
  241. 		lo = foo
  242. 		hi = bar
  243. 	} else {
  244. 		lo = bar
  245. 		hi = foo
  246. 	}
  247. 	return
  248. }
  249. 

  250. func genNonces(loPubKey, hiPubKey *[32]byte, locIsLo bool) (recvNonce, sendNonce *[24]byte) {
  251. 	nonce1 := hash24(append(loPubKey[:], hiPubKey[:]...))
  252. 	nonce2 := new([24]byte)
  253. 	copy(nonce2[:], nonce1[:])
  254. 	nonce2[len(nonce2)-1] ^= 0x01
  255. 	if locIsLo {
  256. 		recvNonce = nonce1
  257. 		sendNonce = nonce2
  258. 	} else {
  259. 		recvNonce = nonce2
  260. 		sendNonce = nonce1
  261. 	}
  262. 	return
  263. }
  264. 

  265. func genChallenge(loPubKey, hiPubKey *[32]byte) (challenge *[32]byte) {
  266. 	return hash32(append(loPubKey[:], hiPubKey[:]...))
  267. }
  268. 

  269. func signChallenge(challenge *[32]byte, locPrivKey crypto.PrivKey) (signature crypto.Signature) {
  270. 	signature = locPrivKey.Sign(challenge[:])
  271. 	return
  272. }
  273. 

  274. type authSigMessage struct {
  275. 	Key crypto.PubKey
  276. 	Sig crypto.Signature
  277. }
  278. 

  279. func shareAuthSignature(sc *SecretConnection, pubKey crypto.PubKey, signature crypto.Signature) (recvMsg authSigMessage, err error) {
  280. 

  281. 	// Send our info and receive theirs in tandem.

  282. 	var trs, _ = cmn.Parallel(
  283. 		func(_ int) (val interface{}, err error, abort bool) {
  284. 			var _, err1 = cdc.MarshalBinaryWriter(sc, authSigMessage{pubKey, signature})
  285. 			if err1 != nil {
  286. 				return nil, err1, true // abort

  287. 			} else {
  288. 				return nil, nil, false
  289. 			}
  290. 		},
  291. 		func(_ int) (val interface{}, err error, abort bool) {
  292. 			var _recvMsg authSigMessage
  293. 			var _, err2 = cdc.UnmarshalBinaryReader(sc, &_recvMsg, 1024*1024) // TODO

  294. 			if err2 != nil {
  295. 				return nil, err2, true // abort

  296. 			} else {
  297. 				return _recvMsg, nil, false
  298. 			}
  299. 		},
  300. 	)
  301. 

  302. 	// If error:

  303. 	if trs.FirstError() != nil {
  304. 		err = trs.FirstError()
  305. 		return
  306. 	}
  307. 

  308. 	var _recvMsg = trs.FirstValue().(authSigMessage)
  309. 	return _recvMsg, nil
  310. }
  311. 

  312. //--------------------------------------------------------------------------------

  313. 

  314. // sha256

  315. func hash32(input []byte) (res *[32]byte) {
  316. 	hasher := sha256.New()
  317. 	hasher.Write(input) // nolint: errcheck, gas

  318. 	resSlice := hasher.Sum(nil)
  319. 	res = new([32]byte)
  320. 	copy(res[:], resSlice)
  321. 	return
  322. }
  323. 

  324. // We only fill in the first 20 bytes with ripemd160

  325. func hash24(input []byte) (res *[24]byte) {
  326. 	hasher := ripemd160.New()
  327. 	hasher.Write(input) // nolint: errcheck, gas

  328. 	resSlice := hasher.Sum(nil)
  329. 	res = new([24]byte)
  330. 	copy(res[:], resSlice)
  331. 	return
  332. }
  333. 

  334. // increment nonce big-endian by 2 with wraparound.

  335. func incr2Nonce(nonce *[24]byte) {
  336. 	incrNonce(nonce)
  337. 	incrNonce(nonce)
  338. }
  339. 

  340. // increment nonce big-endian by 1 with wraparound.

  341. func incrNonce(nonce *[24]byte) {
  342. 	for i := 23; 0 <= i; i-- {
  343. 		nonce[i]++
  344. 		if nonce[i] != 0 {
  345. 			return
  346. 		}
  347. 	}
  348. }