2017-10-30 10:22:38 +01:00
|
|
|
// Copyright 2017 Parity Technologies (UK) Ltd.
|
|
|
|
|
//
|
|
|
|
|
// Permission is hereby granted, free of charge, to any person obtaining a
|
|
|
|
|
// copy of this software and associated documentation files (the "Software"),
|
|
|
|
|
// to deal in the Software without restriction, including without limitation
|
|
|
|
|
// the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
|
|
|
|
// and/or sell copies of the Software, and to permit persons to whom the
|
|
|
|
|
// Software is furnished to do so, subject to the following conditions:
|
|
|
|
|
//
|
|
|
|
|
// The above copyright notice and this permission notice shall be included in
|
|
|
|
|
// all copies or substantial portions of the Software.
|
|
|
|
|
//
|
|
|
|
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
|
|
|
|
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
|
|
|
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
|
|
|
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
|
|
|
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
|
|
|
|
// FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
|
|
|
|
|
// DEALINGS IN THE SOFTWARE.
|
|
|
|
|
|
|
|
|
|
use algo_support;
|
|
|
|
|
use bytes::BytesMut;
|
|
|
|
|
use codec::{full_codec, FullCodec};
|
|
|
|
|
use crypto::aes::{ctr, KeySize};
|
|
|
|
|
use error::SecioError;
|
|
|
|
|
use futures::Future;
|
|
|
|
|
use futures::future;
|
|
|
|
|
use futures::sink::Sink;
|
|
|
|
|
use futures::stream::Stream;
|
2018-03-07 16:20:55 +01:00
|
|
|
use keys_proto::{KeyType as KeyTypeProtobuf, PublicKey as PublicKeyProtobuf};
|
2017-10-30 10:22:38 +01:00
|
|
|
use protobuf::Message as ProtobufMessage;
|
2018-05-21 17:32:59 +02:00
|
|
|
use protobuf::parse_from_bytes as protobuf_parse_from_bytes;
|
2017-10-30 10:22:38 +01:00
|
|
|
use ring::agreement::EphemeralPrivateKey;
|
2018-03-07 16:20:55 +01:00
|
|
|
use ring::hmac::{SigningContext, SigningKey, VerificationKey};
|
2017-10-30 10:22:38 +01:00
|
|
|
use ring::rand::SecureRandom;
|
|
|
|
|
use ring::signature::verify as signature_verify;
|
2018-05-31 14:50:24 +02:00
|
|
|
use ring::signature::{RSASigningState, RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_SHA256, ED25519};
|
2018-05-14 15:55:16 +02:00
|
|
|
use ring::{agreement, digest, rand};
|
2018-06-20 09:47:43 +02:00
|
|
|
use secp256k1;
|
2017-10-30 10:22:38 +01:00
|
|
|
use std::cmp::{self, Ordering};
|
|
|
|
|
use std::io::{Error as IoError, ErrorKind as IoErrorKind};
|
|
|
|
|
use std::mem;
|
2018-03-07 16:20:55 +01:00
|
|
|
use structs_proto::{Exchange, Propose};
|
2017-10-30 10:22:38 +01:00
|
|
|
use tokio_io::codec::length_delimited;
|
2018-05-14 15:55:16 +02:00
|
|
|
use tokio_io::{AsyncRead, AsyncWrite};
|
2017-10-30 10:22:38 +01:00
|
|
|
use untrusted::Input as UntrustedInput;
|
2018-05-31 14:50:24 +02:00
|
|
|
use {SecioKeyPair, SecioKeyPairInner, SecioPublicKey};
|
2017-10-30 10:22:38 +01:00
|
|
|
|
|
|
|
|
/// Performs a handshake on the given socket.
|
|
|
|
|
///
|
|
|
|
|
/// This function expects that the remote is identified with `remote_public_key`, and the remote
|
2018-05-31 14:50:24 +02:00
|
|
|
/// will expect that we are identified with `local_key`.Any mismatch somewhere will produce a
|
|
|
|
|
/// `SecioError`.
|
2017-10-30 10:22:38 +01:00
|
|
|
///
|
|
|
|
|
/// On success, returns an object that implements the `Sink` and `Stream` trait whose items are
|
|
|
|
|
/// buffers of data, plus the public key of the remote.
|
|
|
|
|
pub fn handshake<'a, S: 'a>(
|
2018-03-07 16:20:55 +01:00
|
|
|
socket: S,
|
2018-05-31 14:50:24 +02:00
|
|
|
local_key: SecioKeyPair,
|
|
|
|
|
) -> Box<Future<Item = (FullCodec<S>, SecioPublicKey), Error = SecioError> + 'a>
|
2018-03-07 16:20:55 +01:00
|
|
|
where
|
|
|
|
|
S: AsyncRead + AsyncWrite,
|
2017-10-30 10:22:38 +01:00
|
|
|
{
|
2018-03-07 16:20:55 +01:00
|
|
|
// TODO: could be rewritten as a coroutine once coroutines land in stable Rust
|
|
|
|
|
|
|
|
|
|
// This struct contains the whole context of a handshake, and is filled progressively
|
|
|
|
|
// throughout the various parts of the handshake.
|
|
|
|
|
struct HandshakeContext {
|
|
|
|
|
// Filled with this function's parameters.
|
2018-06-20 09:47:43 +02:00
|
|
|
local_key: SecioKeyPair,
|
2018-03-07 16:20:55 +01:00
|
|
|
|
|
|
|
|
rng: rand::SystemRandom,
|
|
|
|
|
// Locally-generated random number. The array size can be changed without any repercussion.
|
|
|
|
|
local_nonce: [u8; 16],
|
|
|
|
|
|
|
|
|
|
// Our local proposition's raw bytes.
|
|
|
|
|
local_public_key_in_protobuf_bytes: Vec<u8>,
|
|
|
|
|
local_proposition_bytes: Vec<u8>,
|
|
|
|
|
|
|
|
|
|
// The remote proposition's raw bytes.
|
|
|
|
|
remote_proposition_bytes: BytesMut,
|
|
|
|
|
remote_public_key_in_protobuf_bytes: Vec<u8>,
|
2018-05-31 14:50:24 +02:00
|
|
|
remote_public_key: Option<SecioPublicKey>,
|
2018-03-07 16:20:55 +01:00
|
|
|
|
|
|
|
|
// The remote peer's version of `local_nonce`.
|
|
|
|
|
// If the NONCE size is actually part of the protocol, we can change this to a fixed-size
|
|
|
|
|
// array instead of a `Vec`.
|
|
|
|
|
remote_nonce: Vec<u8>,
|
|
|
|
|
|
|
|
|
|
// Set to `ordering(
|
|
|
|
|
// hash(concat(remote-pubkey, local-none)),
|
|
|
|
|
// hash(concat(local-pubkey, remote-none))
|
|
|
|
|
// )`.
|
|
|
|
|
// `Ordering::Equal` is an invalid value (as it would mean we're talking to ourselves).
|
|
|
|
|
//
|
|
|
|
|
// Since everything is symmetrical, this value is used to determine what should be ours
|
|
|
|
|
// and what should be the remote's.
|
|
|
|
|
hashes_ordering: Ordering,
|
|
|
|
|
|
|
|
|
|
// Crypto algorithms chosen for the communication.
|
|
|
|
|
chosen_exchange: Option<&'static agreement::Algorithm>,
|
|
|
|
|
// We only support AES for now, so store just a key size.
|
|
|
|
|
chosen_cipher: Option<KeySize>,
|
|
|
|
|
chosen_hash: Option<&'static digest::Algorithm>,
|
|
|
|
|
|
|
|
|
|
// Ephemeral key generated for the handshake and then thrown away.
|
|
|
|
|
local_tmp_priv_key: Option<EphemeralPrivateKey>,
|
|
|
|
|
local_tmp_pub_key: [u8; agreement::PUBLIC_KEY_MAX_LEN],
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let context = HandshakeContext {
|
2018-06-20 09:47:43 +02:00
|
|
|
local_key: local_key,
|
2018-03-07 16:20:55 +01:00
|
|
|
rng: rand::SystemRandom::new(),
|
|
|
|
|
local_nonce: Default::default(),
|
|
|
|
|
local_public_key_in_protobuf_bytes: Vec::new(),
|
|
|
|
|
local_proposition_bytes: Vec::new(),
|
|
|
|
|
remote_proposition_bytes: BytesMut::new(),
|
|
|
|
|
remote_public_key_in_protobuf_bytes: Vec::new(),
|
2018-05-31 14:50:24 +02:00
|
|
|
remote_public_key: None,
|
2018-03-07 16:20:55 +01:00
|
|
|
remote_nonce: Vec::new(),
|
|
|
|
|
hashes_ordering: Ordering::Equal,
|
|
|
|
|
chosen_exchange: None,
|
|
|
|
|
chosen_cipher: None,
|
|
|
|
|
chosen_hash: None,
|
|
|
|
|
local_tmp_priv_key: None,
|
|
|
|
|
local_tmp_pub_key: [0; agreement::PUBLIC_KEY_MAX_LEN],
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// The handshake messages all start with a 4-bytes message length prefix.
|
|
|
|
|
let socket = length_delimited::Builder::new()
|
|
|
|
|
.big_endian()
|
|
|
|
|
.length_field_length(4)
|
|
|
|
|
.new_framed(socket);
|
|
|
|
|
|
|
|
|
|
let future = future::ok::<_, SecioError>(context)
|
|
|
|
|
// Generate our nonce.
|
|
|
|
|
.and_then(|mut context| {
|
|
|
|
|
context.rng.fill(&mut context.local_nonce)
|
|
|
|
|
.map_err(|_| SecioError::NonceGenerationFailed)?;
|
2018-05-31 14:50:24 +02:00
|
|
|
trace!("starting handshake ; local nonce = {:?}", context.local_nonce);
|
2018-03-07 16:20:55 +01:00
|
|
|
Ok(context)
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// Send our proposition with our nonce, public key and supported protocols.
|
|
|
|
|
.and_then(|mut context| {
|
|
|
|
|
let mut public_key = PublicKeyProtobuf::new();
|
2018-06-20 09:47:43 +02:00
|
|
|
public_key.set_Data(context.local_key.to_public_key().into_raw().0);
|
|
|
|
|
match context.local_key.inner {
|
|
|
|
|
SecioKeyPairInner::Rsa { .. } => {
|
2018-05-31 14:50:24 +02:00
|
|
|
public_key.set_Type(KeyTypeProtobuf::RSA);
|
|
|
|
|
},
|
2018-06-20 09:47:43 +02:00
|
|
|
SecioKeyPairInner::Ed25519 { .. } => {
|
2018-05-31 14:50:24 +02:00
|
|
|
public_key.set_Type(KeyTypeProtobuf::Ed25519);
|
2018-06-20 09:47:43 +02:00
|
|
|
},
|
|
|
|
|
SecioKeyPairInner::Secp256k1 { .. } => {
|
|
|
|
|
public_key.set_Type(KeyTypeProtobuf::Secp256k1);
|
2018-05-31 14:50:24 +02:00
|
|
|
},
|
|
|
|
|
}
|
2018-03-07 16:20:55 +01:00
|
|
|
context.local_public_key_in_protobuf_bytes = public_key.write_to_bytes().unwrap();
|
|
|
|
|
|
|
|
|
|
let mut proposition = Propose::new();
|
|
|
|
|
proposition.set_rand(context.local_nonce.clone().to_vec());
|
|
|
|
|
proposition.set_pubkey(context.local_public_key_in_protobuf_bytes.clone());
|
|
|
|
|
proposition.set_exchanges(algo_support::exchanges::PROPOSITION_STRING.into());
|
|
|
|
|
proposition.set_ciphers(algo_support::ciphers::PROPOSITION_STRING.into());
|
|
|
|
|
proposition.set_hashes(algo_support::hashes::PROPOSITION_STRING.into());
|
|
|
|
|
let proposition_bytes = proposition.write_to_bytes().unwrap();
|
|
|
|
|
context.local_proposition_bytes = proposition_bytes.clone();
|
|
|
|
|
|
2018-05-17 15:14:13 +02:00
|
|
|
trace!("sending proposition to remote");
|
2018-03-07 16:20:55 +01:00
|
|
|
|
|
|
|
|
socket.send(BytesMut::from(proposition_bytes.clone()))
|
|
|
|
|
.from_err()
|
|
|
|
|
.map(|s| (s, context))
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// Receive the remote's proposition.
|
|
|
|
|
.and_then(move |(socket, mut context)| {
|
|
|
|
|
socket.into_future()
|
|
|
|
|
.map_err(|(e, _)| e.into())
|
|
|
|
|
.and_then(move |(prop_raw, socket)| {
|
|
|
|
|
match prop_raw {
|
|
|
|
|
Some(p) => context.remote_proposition_bytes = p,
|
|
|
|
|
None => {
|
|
|
|
|
let err = IoError::new(IoErrorKind::BrokenPipe, "unexpected eof");
|
2018-05-17 15:14:13 +02:00
|
|
|
debug!("unexpected eof while waiting for remote's proposition");
|
2018-03-07 16:20:55 +01:00
|
|
|
return Err(err.into())
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let mut prop = match protobuf_parse_from_bytes::<Propose>(
|
|
|
|
|
&context.remote_proposition_bytes
|
|
|
|
|
) {
|
|
|
|
|
Ok(prop) => prop,
|
|
|
|
|
Err(_) => {
|
2018-05-17 15:14:13 +02:00
|
|
|
debug!("failed to parse remote's proposition protobuf message");
|
2018-03-07 16:20:55 +01:00
|
|
|
return Err(SecioError::HandshakeParsingFailure);
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
context.remote_public_key_in_protobuf_bytes = prop.take_pubkey();
|
|
|
|
|
let mut pubkey = {
|
|
|
|
|
let bytes = &context.remote_public_key_in_protobuf_bytes;
|
|
|
|
|
match protobuf_parse_from_bytes::<PublicKeyProtobuf>(bytes) {
|
|
|
|
|
Ok(p) => p,
|
|
|
|
|
Err(_) => {
|
2018-05-17 15:14:13 +02:00
|
|
|
debug!("failed to parse remote's proposition's pubkey protobuf");
|
2018-03-07 16:20:55 +01:00
|
|
|
return Err(SecioError::HandshakeParsingFailure);
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2018-05-31 14:50:24 +02:00
|
|
|
context.remote_nonce = prop.take_rand();
|
|
|
|
|
context.remote_public_key = Some(match pubkey.get_Type() {
|
|
|
|
|
KeyTypeProtobuf::RSA => {
|
|
|
|
|
SecioPublicKey::Rsa(pubkey.take_Data())
|
|
|
|
|
},
|
|
|
|
|
KeyTypeProtobuf::Ed25519 => {
|
|
|
|
|
SecioPublicKey::Ed25519(pubkey.take_Data())
|
|
|
|
|
},
|
2018-06-20 09:47:43 +02:00
|
|
|
KeyTypeProtobuf::Secp256k1 => {
|
|
|
|
|
SecioPublicKey::Secp256k1(pubkey.take_Data())
|
2018-03-07 16:20:55 +01:00
|
|
|
},
|
2018-05-31 14:50:24 +02:00
|
|
|
});
|
2018-05-17 15:14:13 +02:00
|
|
|
trace!("received proposition from remote ; pubkey = {:?} ; nonce = {:?}",
|
2018-03-07 16:20:55 +01:00
|
|
|
context.remote_public_key, context.remote_nonce);
|
|
|
|
|
Ok((prop, socket, context))
|
|
|
|
|
})
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// Decide which algorithms to use (thanks to the remote's proposition).
|
|
|
|
|
.and_then(move |(remote_prop, socket, mut context)| {
|
|
|
|
|
// In order to determine which protocols to use, we compute two hashes and choose
|
|
|
|
|
// based on which hash is larger.
|
|
|
|
|
context.hashes_ordering = {
|
|
|
|
|
let oh1 = {
|
|
|
|
|
let mut ctx = digest::Context::new(&digest::SHA256);
|
|
|
|
|
ctx.update(&context.remote_public_key_in_protobuf_bytes);
|
|
|
|
|
ctx.update(&context.local_nonce);
|
|
|
|
|
ctx.finish()
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let oh2 = {
|
|
|
|
|
let mut ctx = digest::Context::new(&digest::SHA256);
|
|
|
|
|
ctx.update(&context.local_public_key_in_protobuf_bytes);
|
|
|
|
|
ctx.update(&context.remote_nonce);
|
|
|
|
|
ctx.finish()
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
oh1.as_ref().cmp(&oh2.as_ref())
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
context.chosen_exchange = {
|
|
|
|
|
let list = &remote_prop.get_exchanges();
|
|
|
|
|
Some(match algo_support::exchanges::select_best(context.hashes_ordering, list) {
|
|
|
|
|
Ok(a) => a,
|
|
|
|
|
Err(err) => {
|
2018-05-17 15:14:13 +02:00
|
|
|
debug!("failed to select an exchange protocol");
|
2018-03-07 16:20:55 +01:00
|
|
|
return Err(err);
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
};
|
|
|
|
|
context.chosen_cipher = {
|
|
|
|
|
let list = &remote_prop.get_ciphers();
|
|
|
|
|
Some(match algo_support::ciphers::select_best(context.hashes_ordering, list) {
|
|
|
|
|
Ok(a) => a,
|
|
|
|
|
Err(err) => {
|
2018-05-17 15:14:13 +02:00
|
|
|
debug!("failed to select a cipher protocol");
|
2018-03-07 16:20:55 +01:00
|
|
|
return Err(err);
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
};
|
|
|
|
|
context.chosen_hash = {
|
|
|
|
|
let list = &remote_prop.get_hashes();
|
|
|
|
|
Some(match algo_support::hashes::select_best(context.hashes_ordering, list) {
|
|
|
|
|
Ok(a) => a,
|
|
|
|
|
Err(err) => {
|
2018-05-17 15:14:13 +02:00
|
|
|
debug!("failed to select a hash protocol");
|
2018-03-07 16:20:55 +01:00
|
|
|
return Err(err);
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
Ok((socket, context))
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// Generate an ephemeral key for the negotiation.
|
|
|
|
|
.and_then(|(socket, context)| {
|
2018-06-19 13:57:47 +02:00
|
|
|
match EphemeralPrivateKey::generate(context.chosen_exchange.as_ref().unwrap(), &context.rng) {
|
2018-03-07 16:20:55 +01:00
|
|
|
Ok(tmp_priv_key) => Ok((socket, context, tmp_priv_key)),
|
|
|
|
|
Err(_) => {
|
2018-05-17 15:14:13 +02:00
|
|
|
debug!("failed to generate ECDH key");
|
2018-03-07 16:20:55 +01:00
|
|
|
Err(SecioError::EphemeralKeyGenerationFailed)
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// Send the ephemeral pub key to the remote in an `Exchange` struct. The `Exchange` also
|
|
|
|
|
// contains a signature of the two propositions encoded with our static public key.
|
|
|
|
|
.and_then(|(socket, mut context, tmp_priv)| {
|
|
|
|
|
let exchange = {
|
|
|
|
|
let local_tmp_pub_key = &mut context.local_tmp_pub_key[..tmp_priv.public_key_len()];
|
|
|
|
|
tmp_priv.compute_public_key(local_tmp_pub_key).unwrap();
|
|
|
|
|
context.local_tmp_priv_key = Some(tmp_priv);
|
|
|
|
|
|
|
|
|
|
let mut data_to_sign = context.local_proposition_bytes.clone();
|
|
|
|
|
data_to_sign.extend_from_slice(&context.remote_proposition_bytes);
|
|
|
|
|
data_to_sign.extend_from_slice(local_tmp_pub_key);
|
|
|
|
|
|
|
|
|
|
let mut exchange = Exchange::new();
|
|
|
|
|
exchange.set_epubkey(local_tmp_pub_key.to_vec());
|
|
|
|
|
exchange.set_signature({
|
2018-06-20 09:47:43 +02:00
|
|
|
match context.local_key.inner {
|
2018-05-31 14:50:24 +02:00
|
|
|
SecioKeyPairInner::Rsa { ref private, .. } => {
|
|
|
|
|
let mut state = match RSASigningState::new(private.clone()) {
|
|
|
|
|
Ok(s) => s,
|
|
|
|
|
Err(_) => {
|
|
|
|
|
debug!("failed to sign local exchange");
|
|
|
|
|
return Err(SecioError::SigningFailure);
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
let mut signature = vec![0; private.public_modulus_len()];
|
|
|
|
|
match state.sign(&RSA_PKCS1_SHA256, &context.rng, &data_to_sign,
|
|
|
|
|
&mut signature)
|
|
|
|
|
{
|
|
|
|
|
Ok(_) => (),
|
|
|
|
|
Err(_) => {
|
|
|
|
|
debug!("failed to sign local exchange");
|
|
|
|
|
return Err(SecioError::SigningFailure);
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
signature
|
2018-03-07 16:20:55 +01:00
|
|
|
},
|
2018-05-31 14:50:24 +02:00
|
|
|
SecioKeyPairInner::Ed25519 { ref key_pair } => {
|
|
|
|
|
let signature = key_pair.sign(&data_to_sign);
|
|
|
|
|
signature.as_ref().to_owned()
|
2018-03-07 16:20:55 +01:00
|
|
|
},
|
2018-06-20 09:47:43 +02:00
|
|
|
SecioKeyPairInner::Secp256k1 { ref private } => {
|
|
|
|
|
let data_to_sign = digest::digest(&digest::SHA256, &data_to_sign);
|
|
|
|
|
let message = secp256k1::Message::from_slice(data_to_sign.as_ref())
|
|
|
|
|
.expect("digest output length doesn't match secp256k1 input length");
|
|
|
|
|
let secp256k1 = secp256k1::Secp256k1::with_caps(secp256k1::ContextFlag::SignOnly);
|
|
|
|
|
secp256k1
|
|
|
|
|
.sign(&message, private)
|
|
|
|
|
.expect("failed to sign message")
|
|
|
|
|
.serialize_der(&secp256k1)
|
|
|
|
|
},
|
2018-05-31 14:50:24 +02:00
|
|
|
}
|
2018-03-07 16:20:55 +01:00
|
|
|
});
|
|
|
|
|
exchange
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let local_exch = exchange.write_to_bytes()
|
|
|
|
|
.expect("can only fail if the protobuf msg is malformed, which can't happen for \
|
|
|
|
|
this message in particular");
|
|
|
|
|
Ok((BytesMut::from(local_exch), socket, context))
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// Send our local `Exchange`.
|
|
|
|
|
.and_then(|(local_exch, socket, context)| {
|
2018-05-17 15:14:13 +02:00
|
|
|
trace!("sending exchange to remote");
|
2018-03-07 16:20:55 +01:00
|
|
|
socket.send(local_exch)
|
|
|
|
|
.from_err()
|
|
|
|
|
.map(|s| (s, context))
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// Receive the remote's `Exchange`.
|
|
|
|
|
.and_then(move |(socket, context)| {
|
|
|
|
|
socket.into_future()
|
|
|
|
|
.map_err(|(e, _)| e.into())
|
|
|
|
|
.and_then(move |(raw, socket)| {
|
|
|
|
|
let raw = match raw {
|
|
|
|
|
Some(r) => r,
|
|
|
|
|
None => {
|
|
|
|
|
let err = IoError::new(IoErrorKind::BrokenPipe, "unexpected eof");
|
2018-05-17 15:14:13 +02:00
|
|
|
debug!("unexpected eof while waiting for remote's exchange");
|
2018-03-07 16:20:55 +01:00
|
|
|
return Err(err.into())
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let remote_exch = match protobuf_parse_from_bytes::<Exchange>(&raw) {
|
|
|
|
|
Ok(e) => e,
|
|
|
|
|
Err(err) => {
|
2018-05-17 15:14:13 +02:00
|
|
|
debug!("failed to parse remote's exchange protobuf ; {:?}", err);
|
2018-03-07 16:20:55 +01:00
|
|
|
return Err(SecioError::HandshakeParsingFailure);
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2018-05-17 15:14:13 +02:00
|
|
|
trace!("received and decoded the remote's exchange");
|
2018-03-07 16:20:55 +01:00
|
|
|
Ok((remote_exch, socket, context))
|
|
|
|
|
})
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// Check the validity of the remote's `Exchange`. This verifies that the remote was really
|
|
|
|
|
// the sender of its proposition, and that it is the owner of both its global and ephemeral
|
|
|
|
|
// keys.
|
|
|
|
|
.and_then(|(remote_exch, socket, context)| {
|
|
|
|
|
let mut data_to_verify = context.remote_proposition_bytes.clone();
|
|
|
|
|
data_to_verify.extend_from_slice(&context.local_proposition_bytes);
|
|
|
|
|
data_to_verify.extend_from_slice(remote_exch.get_epubkey());
|
|
|
|
|
|
2018-05-31 14:50:24 +02:00
|
|
|
match context.remote_public_key {
|
|
|
|
|
Some(SecioPublicKey::Rsa(ref remote_public_key)) => {
|
|
|
|
|
// TODO: The ring library doesn't like some stuff in our DER public key,
|
|
|
|
|
// therefore we scrap the first 24 bytes of the key. A proper fix would
|
|
|
|
|
// be to write a DER parser, but that's not trivial.
|
|
|
|
|
match signature_verify(&RSA_PKCS1_2048_8192_SHA256,
|
|
|
|
|
UntrustedInput::from(&remote_public_key[24..]),
|
|
|
|
|
UntrustedInput::from(&data_to_verify),
|
|
|
|
|
UntrustedInput::from(remote_exch.get_signature()))
|
|
|
|
|
{
|
|
|
|
|
Ok(()) => (),
|
|
|
|
|
Err(_) => {
|
|
|
|
|
debug!("failed to verify the remote's signature");
|
|
|
|
|
return Err(SecioError::SignatureVerificationFailed)
|
|
|
|
|
},
|
|
|
|
|
}
|
2018-03-07 16:20:55 +01:00
|
|
|
},
|
2018-05-31 14:50:24 +02:00
|
|
|
Some(SecioPublicKey::Ed25519(ref remote_public_key)) => {
|
|
|
|
|
match signature_verify(&ED25519,
|
|
|
|
|
UntrustedInput::from(remote_public_key),
|
|
|
|
|
UntrustedInput::from(&data_to_verify),
|
|
|
|
|
UntrustedInput::from(remote_exch.get_signature()))
|
|
|
|
|
{
|
|
|
|
|
Ok(()) => (),
|
|
|
|
|
Err(_) => {
|
|
|
|
|
debug!("failed to verify the remote's signature");
|
|
|
|
|
return Err(SecioError::SignatureVerificationFailed)
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
2018-06-20 09:47:43 +02:00
|
|
|
Some(SecioPublicKey::Secp256k1(ref remote_public_key)) => {
|
|
|
|
|
let data_to_verify = digest::digest(&digest::SHA256, &data_to_verify);
|
|
|
|
|
let message = secp256k1::Message::from_slice(data_to_verify.as_ref())
|
|
|
|
|
.expect("digest output length doesn't match secp256k1 input length");
|
|
|
|
|
let secp256k1 = secp256k1::Secp256k1::with_caps(secp256k1::ContextFlag::VerifyOnly);
|
|
|
|
|
let signature = secp256k1::Signature::from_der(&secp256k1, remote_exch.get_signature());
|
|
|
|
|
let remote_public_key = secp256k1::key::PublicKey::from_slice(&secp256k1, remote_public_key);
|
|
|
|
|
if let (Ok(signature), Ok(remote_public_key)) = (signature, remote_public_key) {
|
|
|
|
|
match secp256k1.verify(&message, &signature, &remote_public_key) {
|
|
|
|
|
Ok(()) => (),
|
|
|
|
|
Err(_) => {
|
|
|
|
|
debug!("failed to verify the remote's signature");
|
|
|
|
|
return Err(SecioError::SignatureVerificationFailed)
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
debug!("remote's secp256k1 signature has wrong format");
|
|
|
|
|
return Err(SecioError::SignatureVerificationFailed)
|
|
|
|
|
}
|
|
|
|
|
},
|
2018-05-31 14:50:24 +02:00
|
|
|
None => unreachable!("we store a Some in the remote public key before reaching \
|
|
|
|
|
this point")
|
|
|
|
|
};
|
2018-03-07 16:20:55 +01:00
|
|
|
|
2018-05-17 15:14:13 +02:00
|
|
|
trace!("successfully verified the remote's signature");
|
2018-03-07 16:20:55 +01:00
|
|
|
Ok((remote_exch, socket, context))
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// Generate a key from the local ephemeral private key and the remote ephemeral public key,
|
|
|
|
|
// derive from it a ciper key, an iv, and a hmac key, and build the encoder/decoder.
|
|
|
|
|
.and_then(|(remote_exch, socket, mut context)| {
|
|
|
|
|
let local_priv_key = context.local_tmp_priv_key.take()
|
|
|
|
|
.expect("we filled this Option earlier, and extract it now");
|
|
|
|
|
let codec = agreement::agree_ephemeral(local_priv_key,
|
|
|
|
|
&context.chosen_exchange.clone().unwrap(),
|
|
|
|
|
UntrustedInput::from(remote_exch.get_epubkey()),
|
|
|
|
|
SecioError::SecretGenerationFailed,
|
|
|
|
|
|key_material| {
|
|
|
|
|
let key = SigningKey::new(context.chosen_hash.unwrap(), key_material);
|
|
|
|
|
|
|
|
|
|
let chosen_cipher = context.chosen_cipher.unwrap();
|
|
|
|
|
let (cipher_key_size, iv_size) = match chosen_cipher {
|
|
|
|
|
KeySize::KeySize128 => (16, 16),
|
|
|
|
|
KeySize::KeySize256 => (32, 16),
|
|
|
|
|
_ => panic!()
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let mut longer_key = vec![0u8; 2 * (iv_size + cipher_key_size + 20)];
|
|
|
|
|
stretch_key(&key, &mut longer_key);
|
|
|
|
|
|
|
|
|
|
let (local_infos, remote_infos) = {
|
|
|
|
|
let (first_half, second_half) = longer_key.split_at(longer_key.len() / 2);
|
|
|
|
|
match context.hashes_ordering {
|
|
|
|
|
Ordering::Equal => panic!(),
|
|
|
|
|
Ordering::Less => (second_half, first_half),
|
|
|
|
|
Ordering::Greater => (first_half, second_half),
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let (encoding_cipher, encoding_hmac) = {
|
|
|
|
|
let (iv, rest) = local_infos.split_at(iv_size);
|
|
|
|
|
let (cipher_key, mac_key) = rest.split_at(cipher_key_size);
|
|
|
|
|
let hmac = SigningKey::new(&context.chosen_hash.clone().unwrap(), mac_key);
|
|
|
|
|
let cipher = ctr(chosen_cipher, cipher_key, iv);
|
|
|
|
|
(cipher, hmac)
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let (decoding_cipher, decoding_hmac) = {
|
|
|
|
|
let (iv, rest) = remote_infos.split_at(iv_size);
|
|
|
|
|
let (cipher_key, mac_key) = rest.split_at(cipher_key_size);
|
|
|
|
|
let hmac = VerificationKey::new(&context.chosen_hash.clone().unwrap(), mac_key);
|
|
|
|
|
let cipher = ctr(chosen_cipher, cipher_key, iv);
|
|
|
|
|
(cipher, hmac)
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
Ok(full_codec(socket, Box::new(encoding_cipher), encoding_hmac,
|
|
|
|
|
Box::new(decoding_cipher), decoding_hmac))
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
match codec {
|
|
|
|
|
Ok(c) => Ok((c, context)),
|
|
|
|
|
Err(err) => {
|
2018-05-17 15:14:13 +02:00
|
|
|
debug!("failed to generate shared secret with remote");
|
2018-03-07 16:20:55 +01:00
|
|
|
return Err(err);
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// We send back their nonce to check if the connection works.
|
|
|
|
|
.and_then(|(codec, mut context)| {
|
|
|
|
|
let remote_nonce = mem::replace(&mut context.remote_nonce, Vec::new());
|
2018-05-17 15:14:13 +02:00
|
|
|
trace!("checking encryption by sending back remote's nonce");
|
2018-03-07 16:20:55 +01:00
|
|
|
codec.send(BytesMut::from(remote_nonce))
|
|
|
|
|
.map(|s| (s, context))
|
|
|
|
|
.from_err()
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// Check that the received nonce is correct.
|
|
|
|
|
.and_then(|(codec, context)| {
|
|
|
|
|
codec.into_future()
|
|
|
|
|
.map_err(|(e, _)| e)
|
|
|
|
|
.and_then(move |(nonce, rest)| {
|
|
|
|
|
match nonce {
|
|
|
|
|
Some(ref n) if n == &context.local_nonce => {
|
2018-05-17 15:14:13 +02:00
|
|
|
trace!("secio handshake success");
|
2018-05-31 14:50:24 +02:00
|
|
|
Ok((rest, context.remote_public_key.expect("we stored a Some earlier")))
|
2018-03-07 16:20:55 +01:00
|
|
|
},
|
|
|
|
|
None => {
|
2018-05-17 15:14:13 +02:00
|
|
|
debug!("unexpected eof during nonce check");
|
2018-03-07 16:20:55 +01:00
|
|
|
Err(IoError::new(IoErrorKind::BrokenPipe, "unexpected eof").into())
|
|
|
|
|
},
|
|
|
|
|
_ => {
|
2018-05-17 15:14:13 +02:00
|
|
|
debug!("failed nonce verification with remote");
|
2018-03-07 16:20:55 +01:00
|
|
|
Err(SecioError::NonceVerificationFailed)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
Box::new(future)
|
2017-10-30 10:22:38 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Custom algorithm translated from reference implementations. Needs to be the same algorithm
|
|
|
|
|
// amongst all implementations.
|
|
|
|
|
fn stretch_key(key: &SigningKey, result: &mut [u8]) {
|
2018-03-07 16:20:55 +01:00
|
|
|
const SEED: &'static [u8] = b"key expansion";
|
2017-10-30 10:22:38 +01:00
|
|
|
|
2018-03-07 16:20:55 +01:00
|
|
|
let mut init_ctxt = SigningContext::with_key(key);
|
|
|
|
|
init_ctxt.update(SEED);
|
|
|
|
|
let mut a = init_ctxt.sign();
|
2017-10-30 10:22:38 +01:00
|
|
|
|
2018-03-07 16:20:55 +01:00
|
|
|
let mut j = 0;
|
|
|
|
|
while j < result.len() {
|
|
|
|
|
let mut context = SigningContext::with_key(key);
|
|
|
|
|
context.update(a.as_ref());
|
|
|
|
|
context.update(SEED);
|
|
|
|
|
let b = context.sign();
|
2017-10-30 10:22:38 +01:00
|
|
|
|
2018-03-07 16:20:55 +01:00
|
|
|
let todo = cmp::min(b.as_ref().len(), result.len() - j);
|
2017-10-30 10:22:38 +01:00
|
|
|
|
2018-03-07 16:20:55 +01:00
|
|
|
result[j..j + todo].copy_from_slice(&b.as_ref()[..todo]);
|
2017-10-30 10:22:38 +01:00
|
|
|
|
2018-03-07 16:20:55 +01:00
|
|
|
j += todo;
|
2017-10-30 10:22:38 +01:00
|
|
|
|
2018-03-07 16:20:55 +01:00
|
|
|
let mut context = SigningContext::with_key(key);
|
|
|
|
|
context.update(a.as_ref());
|
|
|
|
|
a = context.sign();
|
|
|
|
|
}
|
2017-10-30 10:22:38 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
|
mod tests {
|
2018-03-07 16:20:55 +01:00
|
|
|
extern crate tokio_core;
|
2018-05-14 15:55:16 +02:00
|
|
|
use self::tokio_core::net::TcpListener;
|
|
|
|
|
use self::tokio_core::net::TcpStream;
|
|
|
|
|
use self::tokio_core::reactor::Core;
|
2018-03-07 16:20:55 +01:00
|
|
|
use super::handshake;
|
|
|
|
|
use super::stretch_key;
|
|
|
|
|
use futures::Future;
|
|
|
|
|
use futures::Stream;
|
|
|
|
|
use ring::digest::SHA256;
|
|
|
|
|
use ring::hmac::SigningKey;
|
2018-05-31 14:50:24 +02:00
|
|
|
use SecioKeyPair;
|
2018-03-07 16:20:55 +01:00
|
|
|
|
|
|
|
|
#[test]
|
2018-05-31 14:50:24 +02:00
|
|
|
fn handshake_with_self_succeeds_rsa() {
|
|
|
|
|
let key1 = {
|
|
|
|
|
let private = include_bytes!("../tests/test-rsa-private-key.pk8");
|
|
|
|
|
let public = include_bytes!("../tests/test-rsa-public-key.der").to_vec();
|
|
|
|
|
SecioKeyPair::rsa_from_pkcs8(private, public).unwrap()
|
2018-03-07 16:20:55 +01:00
|
|
|
};
|
|
|
|
|
|
2018-05-31 14:50:24 +02:00
|
|
|
let key2 = {
|
|
|
|
|
let private = include_bytes!("../tests/test-rsa-private-key-2.pk8");
|
|
|
|
|
let public = include_bytes!("../tests/test-rsa-public-key-2.der").to_vec();
|
|
|
|
|
SecioKeyPair::rsa_from_pkcs8(private, public).unwrap()
|
2018-03-07 16:20:55 +01:00
|
|
|
};
|
2018-06-20 09:47:43 +02:00
|
|
|
|
|
|
|
|
handshake_with_self_succeeds(key1, key2);
|
|
|
|
|
}
|
2018-03-07 16:20:55 +01:00
|
|
|
|
2018-06-20 09:47:43 +02:00
|
|
|
#[test]
|
|
|
|
|
fn handshake_with_self_succeeds_ed25519() {
|
|
|
|
|
let key1 = SecioKeyPair::ed25519_generated().unwrap();
|
|
|
|
|
let key2 = SecioKeyPair::ed25519_generated().unwrap();
|
|
|
|
|
handshake_with_self_succeeds(key1, key2);
|
|
|
|
|
}
|
2018-03-07 16:20:55 +01:00
|
|
|
|
2018-06-20 09:47:43 +02:00
|
|
|
#[test]
|
|
|
|
|
fn handshake_with_self_succeeds_secp256k1() {
|
|
|
|
|
let key1 = {
|
|
|
|
|
let key = include_bytes!("../tests/test-secp256k1-private-key.der");
|
|
|
|
|
SecioKeyPair::secp256k1_from_der(&key[..]).unwrap()
|
|
|
|
|
};
|
2018-05-31 14:50:24 +02:00
|
|
|
|
2018-06-20 09:47:43 +02:00
|
|
|
let key2 = {
|
|
|
|
|
let key = include_bytes!("../tests/test-secp256k1-private-key-2.der");
|
|
|
|
|
SecioKeyPair::secp256k1_from_der(&key[..]).unwrap()
|
|
|
|
|
};
|
2018-05-31 14:50:24 +02:00
|
|
|
|
2018-06-20 09:47:43 +02:00
|
|
|
handshake_with_self_succeeds(key1, key2);
|
2018-05-31 14:50:24 +02:00
|
|
|
}
|
|
|
|
|
|
2018-06-20 09:47:43 +02:00
|
|
|
fn handshake_with_self_succeeds(key1: SecioKeyPair, key2: SecioKeyPair) {
|
2018-05-31 14:50:24 +02:00
|
|
|
let mut core = Core::new().unwrap();
|
|
|
|
|
|
|
|
|
|
let listener = TcpListener::bind(&"127.0.0.1:0".parse().unwrap(), &core.handle()).unwrap();
|
|
|
|
|
let listener_addr = listener.local_addr().unwrap();
|
|
|
|
|
|
|
|
|
|
let server = listener
|
|
|
|
|
.incoming()
|
|
|
|
|
.into_future()
|
|
|
|
|
.map_err(|(e, _)| e.into())
|
|
|
|
|
.and_then(move |(connec, _)| handshake(connec.unwrap().0, key1));
|
2018-03-07 16:20:55 +01:00
|
|
|
|
|
|
|
|
let client = TcpStream::connect(&listener_addr, &core.handle())
|
|
|
|
|
.map_err(|e| e.into())
|
2018-05-31 14:50:24 +02:00
|
|
|
.and_then(move |stream| handshake(stream, key2));
|
2018-03-07 16:20:55 +01:00
|
|
|
|
|
|
|
|
core.run(server.join(client)).unwrap();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
|
fn stretch() {
|
|
|
|
|
let mut output = [0u8; 32];
|
|
|
|
|
|
|
|
|
|
let key1 = SigningKey::new(&SHA256, &[]);
|
|
|
|
|
stretch_key(&key1, &mut output);
|
|
|
|
|
assert_eq!(
|
|
|
|
|
&output,
|
|
|
|
|
&[
|
|
|
|
|
103, 144, 60, 199, 85, 145, 239, 71, 79, 198, 85, 164, 32, 53, 143, 205, 50, 48,
|
|
|
|
|
153, 10, 37, 32, 85, 1, 226, 61, 193, 1, 154, 120, 207, 80,
|
|
|
|
|
]
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
let key2 = SigningKey::new(
|
|
|
|
|
&SHA256,
|
|
|
|
|
&[
|
|
|
|
|
157, 166, 80, 144, 77, 193, 198, 6, 23, 220, 87, 220, 191, 72, 168, 197, 54, 33,
|
|
|
|
|
219, 225, 84, 156, 165, 37, 149, 224, 244, 32, 170, 79, 125, 35, 171, 26, 178, 176,
|
|
|
|
|
92, 168, 22, 27, 205, 44, 229, 61, 152, 21, 222, 81, 241, 81, 116, 236, 74, 166,
|
|
|
|
|
89, 145, 5, 162, 108, 230, 55, 54, 9, 17,
|
|
|
|
|
],
|
|
|
|
|
);
|
|
|
|
|
stretch_key(&key2, &mut output);
|
|
|
|
|
assert_eq!(
|
|
|
|
|
&output,
|
|
|
|
|
&[
|
|
|
|
|
39, 151, 182, 63, 180, 175, 224, 139, 42, 131, 130, 116, 55, 146, 62, 31, 157, 95,
|
|
|
|
|
217, 15, 73, 81, 10, 83, 243, 141, 64, 227, 103, 144, 99, 121,
|
|
|
|
|
]
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
let key3 = SigningKey::new(
|
|
|
|
|
&SHA256,
|
|
|
|
|
&[
|
|
|
|
|
98, 219, 94, 104, 97, 70, 139, 13, 185, 110, 56, 36, 66, 3, 80, 224, 32, 205, 102,
|
|
|
|
|
170, 59, 32, 140, 245, 86, 102, 231, 68, 85, 249, 227, 243, 57, 53, 171, 36, 62,
|
|
|
|
|
225, 178, 74, 89, 142, 151, 94, 183, 231, 208, 166, 244, 130, 130, 209, 248, 65,
|
|
|
|
|
19, 48, 127, 127, 55, 82, 117, 154, 124, 108,
|
|
|
|
|
],
|
|
|
|
|
);
|
|
|
|
|
stretch_key(&key3, &mut output);
|
|
|
|
|
assert_eq!(
|
|
|
|
|
&output,
|
|
|
|
|
&[
|
|
|
|
|
28, 39, 158, 206, 164, 16, 211, 194, 99, 43, 208, 36, 24, 141, 90, 93, 157, 236,
|
|
|
|
|
238, 111, 170, 0, 60, 11, 49, 174, 177, 121, 30, 12, 182, 25,
|
|
|
|
|
]
|
|
|
|
|
);
|
|
|
|
|
}
|
2017-10-30 10:22:38 +01:00
|
|
|
}
|
