import {assert, expect} from "chai";
import DuplexPair from 'it-pair/duplex';
import {Noise} from "../src";
import {createPeerIdsFromFixtures} from "./fixtures/peer";
import Wrap from "it-pb-rpc";
import {random} from "bcrypto";
import sinon from "sinon";
import {XXHandshake} from "../src/handshake-xx";
import {createHandshakePayload, generateKeypair, getHandshakePayload, getPayload, signPayload} from "../src/utils";
import {decode0, decode2, encode1, uint16BEDecode, uint16BEEncode} from "../src/encoder";
import {XX} from "../src/handshakes/xx";
import {Buffer} from "buffer";
import {getKeyPairFromPeerId} from "./utils";
import {KeyCache} from "../src/keycache";
import {NOISE_MSG_MAX_LENGTH_BYTES} from "../src/constants";
import BufferList from "bl";
describe("Noise", () => {
let remotePeer, localPeer;
let sandbox = sinon.createSandbox();
before(async () => {
[localPeer, remotePeer] = await createPeerIdsFromFixtures(2);
});
afterEach(function() {
sandbox.restore();
});
it("should communicate through encrypted streams without noise pipes", async() => {
try {
const noiseInit = new Noise(undefined, undefined, false);
const noiseResp = new Noise(undefined, undefined, false);
const [inboundConnection, outboundConnection] = DuplexPair();
const [outbound, inbound] = await Promise.all([
noiseInit.secureOutbound(localPeer, outboundConnection, remotePeer),
noiseResp.secureInbound(remotePeer, inboundConnection, localPeer),
]);
const wrappedInbound = Wrap(inbound.conn);
const wrappedOutbound = Wrap(outbound.conn);
wrappedOutbound.writeLP(Buffer.from("test"));
const response = await wrappedInbound.readLP();
expect(response.toString()).equal("test");
} catch (e) {
assert(false, e.message);
}
});
it("should test that secureOutbound is spec compliant", async() => {
const noiseInit = new Noise(undefined, undefined, false);
const [inboundConnection, outboundConnection] = DuplexPair();
const [outbound, { wrapped, handshake }] = await Promise.all([
noiseInit.secureOutbound(localPeer, outboundConnection, remotePeer),
(async () => {
const wrapped = Wrap(
inboundConnection,
{
lengthEncoder: uint16BEEncode,
lengthDecoder: uint16BEDecode,
maxDataLength: NOISE_MSG_MAX_LENGTH_BYTES
}
);
const prologue = Buffer.alloc(0);
const staticKeys = generateKeypair();
const xx = new XX();
const payload = await getPayload(remotePeer, staticKeys.publicKey);
const handshake = new XXHandshake(false, payload, prologue, staticKeys, wrapped, localPeer, xx);
let receivedMessageBuffer = decode0((await wrapped.readLP()).slice());
// The first handshake message contains the initiator's ephemeral public key
expect(receivedMessageBuffer.ne.length).equal(32);
xx.recvMessage(handshake.session, receivedMessageBuffer);
// Stage 1
const { publicKey: libp2pPubKey } = getKeyPairFromPeerId(remotePeer);
const signedPayload = await signPayload(remotePeer, getHandshakePayload(staticKeys.publicKey));
const handshakePayload = await createHandshakePayload(libp2pPubKey, signedPayload);
const messageBuffer = xx.sendMessage(handshake.session, handshakePayload);
wrapped.writeLP(encode1(messageBuffer));
// Stage 2 - finish handshake
receivedMessageBuffer = decode2((await wrapped.readLP()).slice());
xx.recvMessage(handshake.session, receivedMessageBuffer);
return {wrapped, handshake};
})(),
]);
try {
const wrappedOutbound = Wrap(outbound.conn);
wrappedOutbound.write(new BufferList([Buffer.from("test")]));
// Check that noise message is prefixed with 16-bit big-endian unsigned integer
const receivedEncryptedPayload = (await wrapped.read()).slice();
const dataLength = receivedEncryptedPayload.readInt16BE(0);
const data = receivedEncryptedPayload.slice(2, dataLength + 2);
const {plaintext: decrypted, valid} = handshake.decrypt(data, handshake.session);
// Decrypted data should match
assert(decrypted.equals(Buffer.from("test")));
assert(valid);
} catch (e) {
assert(false, e.message);
}
});
it("should test large payloads", async function() {
this.timeout(10000);
try {
const noiseInit = new Noise(undefined, undefined, false);
const noiseResp = new Noise(undefined, undefined, false);
const [inboundConnection, outboundConnection] = DuplexPair();
const [outbound, inbound] = await Promise.all([
noiseInit.secureOutbound(localPeer, outboundConnection, remotePeer),
noiseResp.secureInbound(remotePeer, inboundConnection, localPeer),
]);
const wrappedInbound = Wrap(inbound.conn);
const wrappedOutbound = Wrap(outbound.conn);
const largePlaintext = random.randomBytes(100000);
wrappedOutbound.writeLP(largePlaintext);
const response = await wrappedInbound.read(100000);
expect(response.length).equals(largePlaintext.length);
} catch (e) {
console.log(e);
assert(false, e.message);
}
});
it.skip("should communicate through encrypted streams with noise pipes", async() => {
try {
const staticKeysInitiator = generateKeypair();
const noiseInit = new Noise(staticKeysInitiator.privateKey);
const staticKeysResponder = generateKeypair();
const noiseResp = new Noise(staticKeysResponder.privateKey);
// Prepare key cache for noise pipes
KeyCache.store(localPeer, staticKeysInitiator.publicKey);
KeyCache.store(remotePeer, staticKeysResponder.publicKey);
const xxSpy = sandbox.spy(noiseInit, "performXXHandshake");
const xxFallbackSpy = sandbox.spy(noiseInit, "performXXFallbackHandshake");
const [inboundConnection, outboundConnection] = DuplexPair();
const [outbound, inbound] = await Promise.all([
noiseInit.secureOutbound(localPeer, outboundConnection, remotePeer),
noiseResp.secureInbound(remotePeer, inboundConnection, localPeer),
]);
const wrappedInbound = Wrap(inbound.conn);
const wrappedOutbound = Wrap(outbound.conn);
wrappedOutbound.writeLP(Buffer.from("test v2"));
const response = await wrappedInbound.readLP();
expect(response.toString()).equal("test v2");
assert(xxSpy.notCalled);
assert(xxFallbackSpy.notCalled);
} catch (e) {
console.error(e);
assert(false, e.message);
}
});
it.skip("IK -> XX fallback: initiator has invalid remote static key", async() => {
try {
const staticKeysInitiator = generateKeypair();
const noiseInit = new Noise(staticKeysInitiator.privateKey);
const noiseResp = new Noise();
const xxSpy = sandbox.spy(noiseInit, "performXXFallbackHandshake");
// Prepare key cache for noise pipes
KeyCache.resetStorage();
KeyCache.store(localPeer, staticKeysInitiator.publicKey);
KeyCache.store(remotePeer, generateKeypair().publicKey);
const [inboundConnection, outboundConnection] = DuplexPair();
const [outbound, inbound] = await Promise.all([
noiseInit.secureOutbound(localPeer, outboundConnection, remotePeer),
noiseResp.secureInbound(remotePeer, inboundConnection, localPeer),
]);
const wrappedInbound = Wrap(inbound.conn);
const wrappedOutbound = Wrap(outbound.conn);
wrappedOutbound.writeLP(Buffer.from("test fallback"));
const response = await wrappedInbound.readLP();
expect(response.toString()).equal("test fallback");
assert(xxSpy.calledOnce, "XX Fallback method was never called.");
} catch (e) {
console.error(e);
assert(false, e.message);
}
});
//this didn't work before but we didn't verify decryption
it.skip("IK -> XX fallback: responder has disabled noise pipes", async() => {
try {
const staticKeysInitiator = generateKeypair();
const noiseInit = new Noise(staticKeysInitiator.privateKey);
const staticKeysResponder = generateKeypair();
const noiseResp = new Noise(staticKeysResponder.privateKey, undefined, false);
const xxSpy = sandbox.spy(noiseInit, "performXXFallbackHandshake");
// Prepare key cache for noise pipes
KeyCache.store(localPeer, staticKeysInitiator.publicKey);
KeyCache.store(remotePeer, staticKeysResponder.publicKey);
const [inboundConnection, outboundConnection] = DuplexPair();
const [outbound, inbound] = await Promise.all([
noiseInit.secureOutbound(localPeer, outboundConnection, remotePeer),
noiseResp.secureInbound(remotePeer, inboundConnection, localPeer),
]);
const wrappedInbound = Wrap(inbound.conn);
const wrappedOutbound = Wrap(outbound.conn);
wrappedOutbound.writeLP(Buffer.from("test fallback"));
const response = await wrappedInbound.readLP();
expect(response.toString()).equal("test fallback");
assert(xxSpy.calledOnce, "XX Fallback method was never called.");
} catch (e) {
console.error(e);
assert(false, e.message);
}
});
it.skip("Initiator starts with XX (pipes disabled), responder has enabled noise pipes", async() => {
try {
const staticKeysInitiator = generateKeypair();
const noiseInit = new Noise(staticKeysInitiator.privateKey, undefined, false);
const staticKeysResponder = generateKeypair();
const noiseResp = new Noise(staticKeysResponder.privateKey);
const xxInitSpy = sandbox.spy(noiseInit, "performXXHandshake");
const xxRespSpy = sandbox.spy(noiseResp, "performXXFallbackHandshake");
// Prepare key cache for noise pipes
KeyCache.store(localPeer, staticKeysInitiator.publicKey);
const [inboundConnection, outboundConnection] = DuplexPair();
const [outbound, inbound] = await Promise.all([
noiseInit.secureOutbound(localPeer, outboundConnection, remotePeer),
noiseResp.secureInbound(remotePeer, inboundConnection, localPeer),
]);
const wrappedInbound = Wrap(inbound.conn);
const wrappedOutbound = Wrap(outbound.conn);
wrappedOutbound.writeLP(Buffer.from("test fallback"));
const response = await wrappedInbound.readLP();
expect(response.toString()).equal("test fallback");
assert(xxInitSpy.calledOnce, "XX method was never called.");
assert(xxRespSpy.calledOnce, "XX Fallback method was never called.");
} catch (e) {
console.error(e);
assert(false, e.message);
}
});
it.skip("IK: responder has no remote static key", async() => {
try {
const staticKeysInitiator = generateKeypair();
const noiseInit = new Noise(staticKeysInitiator.privateKey);
const staticKeysResponder = generateKeypair();
const noiseResp = new Noise(staticKeysResponder.privateKey);
const ikInitSpy = sandbox.spy(noiseInit, "performIKHandshake");
const xxFallbackInitSpy = sandbox.spy(noiseInit, "performXXFallbackHandshake");
const ikRespSpy = sandbox.spy(noiseResp, "performIKHandshake");
// Prepare key cache for noise pipes
KeyCache.resetStorage();
KeyCache.store(remotePeer, staticKeysResponder.publicKey);
const [inboundConnection, outboundConnection] = DuplexPair();
const [outbound, inbound] = await Promise.all([
noiseInit.secureOutbound(localPeer, outboundConnection, remotePeer),
noiseResp.secureInbound(remotePeer, inboundConnection, localPeer),
]);
const wrappedInbound = Wrap(inbound.conn);
const wrappedOutbound = Wrap(outbound.conn);
wrappedOutbound.writeLP(Buffer.from("test fallback"));
const response = await wrappedInbound.readLP();
expect(response.toString()).equal("test fallback");
assert(ikInitSpy.calledOnce, "IK handshake was not called.");
assert(ikRespSpy.calledOnce, "IK handshake was not called.");
assert(xxFallbackInitSpy.notCalled, "XX Fallback method was called.");
} catch (e) {
console.error(e);
assert(false, e.message);
}
});
it("should working without remote peer provided in incoming connection", async() => {
try {
const staticKeysInitiator = generateKeypair();
const noiseInit = new Noise(staticKeysInitiator.privateKey);
const staticKeysResponder = generateKeypair();
const noiseResp = new Noise(staticKeysResponder.privateKey);
// Prepare key cache for noise pipes
KeyCache.store(localPeer, staticKeysInitiator.publicKey);
KeyCache.store(remotePeer, staticKeysResponder.publicKey);
const [inboundConnection, outboundConnection] = DuplexPair();
const [outbound, inbound] = await Promise.all([
noiseInit.secureOutbound(localPeer, outboundConnection, remotePeer),
noiseResp.secureInbound(remotePeer, inboundConnection),
]);
const wrappedInbound = Wrap(inbound.conn);
const wrappedOutbound = Wrap(outbound.conn);
wrappedOutbound.writeLP(Buffer.from("test v2"));
const response = await wrappedInbound.readLP();
expect(response.toString()).equal("test v2");
assert(inbound.remotePeer.marshalPubKey().equals(localPeer.marshalPubKey()));
assert(outbound.remotePeer.marshalPubKey().equals(remotePeer.marshalPubKey()));
} catch (e) {
console.error(e);
assert(false, e.message);
}
});
});