package conn import ( "bytes" "errors" "io" "testing" gogotypes "github.com/gogo/protobuf/types" "github.com/gtank/merlin" "github.com/stretchr/testify/assert" "golang.org/x/crypto/chacha20poly1305" "github.com/tendermint/tendermint/crypto" "github.com/tendermint/tendermint/crypto/ed25519" cryptoenc "github.com/tendermint/tendermint/crypto/encoding" "github.com/tendermint/tendermint/libs/protoio" tmp2p "github.com/tendermint/tendermint/proto/tendermint/p2p" ) type buffer struct { next bytes.Buffer } func (b *buffer) Read(data []byte) (n int, err error) { return b.next.Read(data) } func (b *buffer) Write(data []byte) (n int, err error) { return b.next.Write(data) } func (b *buffer) Bytes() []byte { return b.next.Bytes() } func (b *buffer) Close() error { return nil } type evilConn struct { secretConn *SecretConnection buffer *buffer locEphPub *[32]byte locEphPriv *[32]byte remEphPub *[32]byte privKey crypto.PrivKey readStep int writeStep int readOffset int shareEphKey bool badEphKey bool shareAuthSignature bool badAuthSignature bool } func newEvilConn(shareEphKey, badEphKey, shareAuthSignature, badAuthSignature bool) *evilConn { privKey := ed25519.GenPrivKey() locEphPub, locEphPriv := genEphKeys() var rep [32]byte c := &evilConn{ locEphPub: locEphPub, locEphPriv: locEphPriv, remEphPub: &rep, privKey: privKey, shareEphKey: shareEphKey, badEphKey: badEphKey, shareAuthSignature: shareAuthSignature, badAuthSignature: badAuthSignature, } return c } func (c *evilConn) Read(data []byte) (n int, err error) { if !c.shareEphKey { return 0, io.EOF } switch c.readStep { case 0: if !c.badEphKey { lc := *c.locEphPub bz, err := protoio.MarshalDelimited(&gogotypes.BytesValue{Value: lc[:]}) if err != nil { panic(err) } copy(data, bz[c.readOffset:]) n = len(data) } else { bz, err := protoio.MarshalDelimited(&gogotypes.BytesValue{Value: []byte("drop users;")}) if err != nil { panic(err) } copy(data, bz) n = len(data) } c.readOffset += n if n >= 32 { c.readOffset = 0 c.readStep = 1 if !c.shareAuthSignature { c.readStep = 2 } } return n, nil case 1: signature := c.signChallenge() if !c.badAuthSignature { pkpb, err := cryptoenc.PubKeyToProto(c.privKey.PubKey()) if err != nil { panic(err) } bz, err := protoio.MarshalDelimited(&tmp2p.AuthSigMessage{PubKey: pkpb, Sig: signature}) if err != nil { panic(err) } n, err = c.secretConn.Write(bz) if err != nil { panic(err) } if c.readOffset > len(c.buffer.Bytes()) { return len(data), nil } copy(data, c.buffer.Bytes()[c.readOffset:]) } else { bz, err := protoio.MarshalDelimited(&gogotypes.BytesValue{Value: []byte("select * from users;")}) if err != nil { panic(err) } n, err = c.secretConn.Write(bz) if err != nil { panic(err) } if c.readOffset > len(c.buffer.Bytes()) { return len(data), nil } copy(data, c.buffer.Bytes()) } c.readOffset += len(data) return n, nil default: return 0, io.EOF } } func (c *evilConn) Write(data []byte) (n int, err error) { switch c.writeStep { case 0: var ( bytes gogotypes.BytesValue remEphPub [32]byte ) err := protoio.UnmarshalDelimited(data, &bytes) if err != nil { panic(err) } copy(remEphPub[:], bytes.Value) c.remEphPub = &remEphPub c.writeStep = 1 if !c.shareAuthSignature { c.writeStep = 2 } return len(data), nil case 1: // Signature is not needed, therefore skipped. return len(data), nil default: return 0, io.EOF } } func (c *evilConn) Close() error { return nil } func (c *evilConn) signChallenge() []byte { // Sort by lexical order. loEphPub, hiEphPub := sort32(c.locEphPub, c.remEphPub) transcript := merlin.NewTranscript("TENDERMINT_SECRET_CONNECTION_TRANSCRIPT_HASH") transcript.AppendMessage(labelEphemeralLowerPublicKey, loEphPub[:]) transcript.AppendMessage(labelEphemeralUpperPublicKey, hiEphPub[:]) // Check if the local ephemeral public key was the least, lexicographically // sorted. locIsLeast := bytes.Equal(c.locEphPub[:], loEphPub[:]) // Compute common diffie hellman secret using X25519. dhSecret, err := computeDHSecret(c.remEphPub, c.locEphPriv) if err != nil { panic(err) } transcript.AppendMessage(labelDHSecret, dhSecret[:]) // Generate the secret used for receiving, sending, challenge via HKDF-SHA2 // on the transcript state (which itself also uses HKDF-SHA2 to derive a key // from the dhSecret). recvSecret, sendSecret := deriveSecrets(dhSecret, locIsLeast) const challengeSize = 32 var challenge [challengeSize]byte challengeSlice := transcript.ExtractBytes(labelSecretConnectionMac, challengeSize) copy(challenge[:], challengeSlice[0:challengeSize]) sendAead, err := chacha20poly1305.New(sendSecret[:]) if err != nil { panic(errors.New("invalid send SecretConnection Key")) } recvAead, err := chacha20poly1305.New(recvSecret[:]) if err != nil { panic(errors.New("invalid receive SecretConnection Key")) } b := &buffer{} c.secretConn = &SecretConnection{ conn: b, recvBuffer: nil, recvNonce: new([aeadNonceSize]byte), sendNonce: new([aeadNonceSize]byte), recvAead: recvAead, sendAead: sendAead, } c.buffer = b // Sign the challenge bytes for authentication. locSignature, err := signChallenge(&challenge, c.privKey) if err != nil { panic(err) } return locSignature } // TestMakeSecretConnection creates an evil connection and tests that // MakeSecretConnection errors at different stages. func TestMakeSecretConnection(t *testing.T) { testCases := []struct { name string conn *evilConn errMsg string }{ {"refuse to share ethimeral key", newEvilConn(false, false, false, false), "EOF"}, {"share bad ethimeral key", newEvilConn(true, true, false, false), "wrong wireType"}, {"refuse to share auth signature", newEvilConn(true, false, false, false), "EOF"}, {"share bad auth signature", newEvilConn(true, false, true, true), "failed to decrypt SecretConnection"}, {"all good", newEvilConn(true, false, true, false), ""}, } for _, tc := range testCases { tc := tc t.Run(tc.name, func(t *testing.T) { privKey := ed25519.GenPrivKey() _, err := MakeSecretConnection(tc.conn, privKey) if tc.errMsg != "" { if assert.Error(t, err) { assert.Contains(t, err.Error(), tc.errMsg) } } else { assert.NoError(t, err) } }) } }