|
@ -7,21 +7,22 @@ import ( |
|
|
"crypto/sha256" |
|
|
"crypto/sha256" |
|
|
"crypto/subtle" |
|
|
"crypto/subtle" |
|
|
"encoding/binary" |
|
|
"encoding/binary" |
|
|
"errors" |
|
|
|
|
|
"io" |
|
|
"io" |
|
|
"math" |
|
|
"math" |
|
|
"net" |
|
|
"net" |
|
|
"sync" |
|
|
"sync" |
|
|
"time" |
|
|
"time" |
|
|
|
|
|
|
|
|
|
|
|
pool "github.com/libp2p/go-buffer-pool" |
|
|
|
|
|
"github.com/pkg/errors" |
|
|
"golang.org/x/crypto/chacha20poly1305" |
|
|
"golang.org/x/crypto/chacha20poly1305" |
|
|
"golang.org/x/crypto/curve25519" |
|
|
"golang.org/x/crypto/curve25519" |
|
|
|
|
|
"golang.org/x/crypto/hkdf" |
|
|
"golang.org/x/crypto/nacl/box" |
|
|
"golang.org/x/crypto/nacl/box" |
|
|
|
|
|
|
|
|
pool "github.com/libp2p/go-buffer-pool" |
|
|
|
|
|
"github.com/tendermint/tendermint/crypto" |
|
|
"github.com/tendermint/tendermint/crypto" |
|
|
|
|
|
"github.com/tendermint/tendermint/crypto/ed25519" |
|
|
cmn "github.com/tendermint/tendermint/libs/common" |
|
|
cmn "github.com/tendermint/tendermint/libs/common" |
|
|
"golang.org/x/crypto/hkdf" |
|
|
|
|
|
) |
|
|
) |
|
|
|
|
|
|
|
|
// 4 + 1024 == 1028 total frame size
|
|
|
// 4 + 1024 == 1028 total frame size
|
|
@ -107,11 +108,11 @@ func MakeSecretConnection(conn io.ReadWriteCloser, locPrivKey crypto.PrivKey) (* |
|
|
|
|
|
|
|
|
sendAead, err := chacha20poly1305.New(sendSecret[:]) |
|
|
sendAead, err := chacha20poly1305.New(sendSecret[:]) |
|
|
if err != nil { |
|
|
if err != nil { |
|
|
return nil, errors.New("Invalid send SecretConnection Key") |
|
|
|
|
|
|
|
|
return nil, errors.New("invalid send SecretConnection Key") |
|
|
} |
|
|
} |
|
|
recvAead, err := chacha20poly1305.New(recvSecret[:]) |
|
|
recvAead, err := chacha20poly1305.New(recvSecret[:]) |
|
|
if err != nil { |
|
|
if err != nil { |
|
|
return nil, errors.New("Invalid receive SecretConnection Key") |
|
|
|
|
|
|
|
|
return nil, errors.New("invalid receive SecretConnection Key") |
|
|
} |
|
|
} |
|
|
// Construct SecretConnection.
|
|
|
// Construct SecretConnection.
|
|
|
sc := &SecretConnection{ |
|
|
sc := &SecretConnection{ |
|
@ -134,12 +135,12 @@ func MakeSecretConnection(conn io.ReadWriteCloser, locPrivKey crypto.PrivKey) (* |
|
|
|
|
|
|
|
|
remPubKey, remSignature := authSigMsg.Key, authSigMsg.Sig |
|
|
remPubKey, remSignature := authSigMsg.Key, authSigMsg.Sig |
|
|
|
|
|
|
|
|
if remPubKey == nil { |
|
|
|
|
|
return nil, errors.New("peer sent a nil public key") |
|
|
|
|
|
|
|
|
if _, ok := remPubKey.(ed25519.PubKeyEd25519); !ok { |
|
|
|
|
|
return nil, errors.Errorf("expected ed25519 pubkey, got %T", remPubKey) |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
if !remPubKey.VerifyBytes(challenge[:], remSignature) { |
|
|
if !remPubKey.VerifyBytes(challenge[:], remSignature) { |
|
|
return nil, errors.New("Challenge verification failed") |
|
|
|
|
|
|
|
|
return nil, errors.New("challenge verification failed") |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
// We've authorized.
|
|
|
// We've authorized.
|
|
@ -222,7 +223,7 @@ func (sc *SecretConnection) Read(data []byte) (n int, err error) { |
|
|
defer pool.Put(frame) |
|
|
defer pool.Put(frame) |
|
|
_, err = sc.recvAead.Open(frame[:0], sc.recvNonce[:], sealedFrame, nil) |
|
|
_, err = sc.recvAead.Open(frame[:0], sc.recvNonce[:], sealedFrame, nil) |
|
|
if err != nil { |
|
|
if err != nil { |
|
|
return n, errors.New("Failed to decrypt SecretConnection") |
|
|
|
|
|
|
|
|
return n, errors.New("failed to decrypt SecretConnection") |
|
|
} |
|
|
} |
|
|
incrNonce(sc.recvNonce) |
|
|
incrNonce(sc.recvNonce) |
|
|
// end decryption
|
|
|
// end decryption
|
|
|
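Review bot: In the MakeSecretConnection hunk at new line 135, the type assertion `remPubKey.(ed25519.PubKeyEd25519)` now appears to be the only thing that rejects a nil key from the peer, and nothing at that spot says so or explains why only ed25519 is accepted. The rendering has lost the +/- markers, so I am inferring from the hunk counts and the import changes that the explicit `remPubKey == nil` check is the removed side. A nil interface does fail the assertion, with `%T` printing `<nil>`, so the behaviour is right, but a later edit could loosen the assertion without noticing it doubles as the nil guard. I would add a comment above it such as `// Only ed25519 identity keys are accepted; a nil key fails this assertion too, so it must run before VerifyBytes.` A regression test that feeds the handshake a nil key and a non-ed25519 key and expects an error would pin this down; no test is visible on this page, and the function body continues outside the hunk.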