draft of secret_connection

2025-06-10 12:01:18 +00:00 · 2015-07-14 17:52:54 -07:00 · 2015-07-14 17:52:54 -07:00 · 402b3a3e52
commit 402b3a3e52
parent d91f073676
4 changed files with 345 additions and 5 deletions
--- a/account/priv_key.go
+++ b/account/priv_key.go
@ -2,6 +2,7 @@ package account

 import (
 	"github.com/tendermint/tendermint/Godeps/_workspace/src/github.com/tendermint/ed25519"
+	"github.com/tendermint/tendermint/Godeps/_workspace/src/github.com/tendermint/ed25519/extra25519"
 	"github.com/tendermint/tendermint/binary"
 	. "github.com/tendermint/tendermint/common"
 )
@ -37,12 +38,19 @@ func (privKey PrivKeyEd25519) Sign(msg []byte) Signature {
 	return SignatureEd25519(signatureBytes[:])
 }

-func (key PrivKeyEd25519) PubKey() PubKey {
-	keyBytes := new([64]byte)
-	copy(keyBytes[:], key[:])
-	return PubKeyEd25519(ed25519.MakePublicKey(keyBytes)[:])
+func (privKey PrivKeyEd25519) PubKey() PubKey {
+	privKeyBytes := new([64]byte)
+	copy(privKeyBytes[:], privKey[:])
+	return PubKeyEd25519(ed25519.MakePublicKey(privKeyBytes)[:])
 }

-func (key PrivKeyEd25519) String() string {
+func (privKey PrivKeyEd25519) ToCurve25519() *[32]byte {
+	keyEd25519, keyCurve25519 := new([64]byte), new([32]byte)
+	copy(keyEd25519[:], privKey)
+	extra25519.PrivateKeyToCurve25519(keyCurve25519, keyEd25519)
+	return keyCurve25519
+}
+
+func (privKey PrivKeyEd25519) String() string {
 	return Fmt("PrivKeyEd25519{*****}")
 }
--- a/account/pub_key.go
+++ b/account/pub_key.go
@ -3,6 +3,7 @@ package account
 import (
 	"errors"
 	"github.com/tendermint/tendermint/Godeps/_workspace/src/github.com/tendermint/ed25519"
+	"github.com/tendermint/tendermint/Godeps/_workspace/src/github.com/tendermint/ed25519/extra25519"
 	"github.com/tendermint/tendermint/binary"
 	. "github.com/tendermint/tendermint/common"
 )
@ -48,6 +49,18 @@ func (pubKey PubKeyEd25519) VerifyBytes(msg []byte, sig_ Signature) bool {
 	return ed25519.Verify(pubKeyBytes, msg, sigBytes)
 }

+// For use with golang/crypto/nacl/box
+// If error, returns nil.
+func (pubKey PubKeyEd25519) ToCurve25519() *[32]byte {
+	keyEd25519, keyCurve25519 := new([32]byte), new([32]byte)
+	copy(keyEd25519[:], pubKey)
+	ok := extra25519.PublicKeyToCurve25519(keyCurve25519, keyEd25519)
+	if !ok {
+		return nil
+	}
+	return keyCurve25519
+}
+
 func (pubKey PubKeyEd25519) ValidateBasic() error {
 	if len(pubKey) != ed25519.PublicKeySize {
 		return errors.New("Invalid PubKeyEd25519 key size")
--- a/p2p/peer.go
+++ b/p2p/peer.go
@ -23,6 +23,7 @@ type Peer struct {
 }

 // NOTE: blocking
+// Before creating a peer with newPeer(), perform a handshake on connection.
 func peerHandshake(conn net.Conn, ourNodeInfo *types.NodeInfo) (*types.NodeInfo, error) {
 	var peerNodeInfo = new(types.NodeInfo)
 	var wg sync.WaitGroup
@ -50,6 +51,7 @@ func peerHandshake(conn net.Conn, ourNodeInfo *types.NodeInfo) (*types.NodeInfo,
 	return peerNodeInfo, nil
 }

+// NOTE: call peerHandshake on conn before calling newPeer().
 func newPeer(conn net.Conn, peerNodeInfo *types.NodeInfo, outbound bool, reactorsByCh map[byte]Reactor, chDescs []*ChannelDescriptor, onPeerError func(*Peer, interface{})) *Peer {
 	var p *Peer
 	onReceive := func(chId byte, msgBytes []byte) {
--- a/p2p/secret_connection.go
+++ b/p2p/secret_connection.go
@ -0,0 +1,317 @@
+// Uses nacl's secret_box to encrypt a net.Conn.
+package p2p
+
+import (
+	"bytes"
+	crand "crypto/rand"
+	"crypto/sha256"
+	"encoding/binary"
+	"errors"
+	"io"
+	"net"
+	"sync"
+
+	"golang.org/x/crypto/nacl/box"
+	"golang.org/x/crypto/nacl/secretbox"
+	"golang.org/x/crypto/ripemd160"
+
+	acm "github.com/tendermint/tendermint/account"
+	bm "github.com/tendermint/tendermint/binary"
+)
+
+// 2 + 1024 == 1026 total frame size
+const dataLenSize = 2 // uint16 to describe the length, is <= dataMaxSize
+const dataMaxSize = 1024
+const totalFrameSize = dataMaxSize + dataLenSize
+
+type SecretConnection struct {
+	conn       net.Conn
+	recvBuffer []byte
+	recvNonce  *[24]byte
+	sendNonce  *[24]byte
+	remPubKey  acm.PubKeyEd25519
+	shrSecret  *[32]byte // shared secret
+}
+
+// If handshake error, will return nil.
+// Caller should call conn.Close()
+func secretHandshake(conn net.Conn, locPrivKey acm.PrivKeyEd25519) (*SecretConnection, error) {
+
+	locPubKey := locPrivKey.PubKey().(acm.PubKeyEd25519)
+
+	// Generate ephemeral keys for perfect forward secrecy.
+	locEphPub, locEphPriv := genEphKeys()
+
+	// Write local ephemeral pubkey and receive one too.
+	remEphPub, err := share32(conn, locEphPub)
+
+	// Compute common shared secret.
+	shrSecret := computeSharedSecret(remEphPub, locEphPriv)
+
+	// Sort by lexical order.
+	loEphPub, hiEphPub := sort32(locEphPub, remEphPub)
+
+	// Generate nonces to use for secretbox.
+	recvNonce, sendNonce := genNonces(loEphPub, hiEphPub, locEphPub == loEphPub)
+
+	// Generate common challenge to sign.
+	challenge := genChallenge(loEphPub, hiEphPub)
+
+	// Construct SecretConnection.
+	sc := &SecretConnection{
+		conn:       conn,
+		recvBuffer: nil,
+		recvNonce:  recvNonce,
+		sendNonce:  sendNonce,
+		remPubKey:  nil,
+		shrSecret:  shrSecret,
+	}
+
+	// Sign the challenge bytes for authentication.
+	locSignature := signChallenge(challenge, locPrivKey)
+
+	// Share (in secret) each other's pubkey & challenge signature
+	remPubKey, remSignature, err := shareAuthSignature(sc, locPubKey, locSignature)
+	if err != nil {
+		return nil, err
+	}
+	if !remPubKey.VerifyBytes(challenge[:], remSignature) {
+		return nil, errors.New("Challenge verification failed")
+	}
+
+	// We've authorized.
+	sc.remPubKey = remPubKey
+	return sc, nil
+}
+
+// CONTRACT: data smaller than dataMaxSize is read atomically.
+func (sc *SecretConnection) Write(data []byte) (n int, err error) {
+	for 0 < len(data) {
+		var frame []byte = make([]byte, totalFrameSize)
+		var chunk []byte
+		if dataMaxSize < len(data) {
+			chunk = data[:dataMaxSize]
+			data = data[dataMaxSize:]
+		} else {
+			chunk = data
+			data = nil
+		}
+		chunkLength := len(chunk)
+		binary.BigEndian.PutUint16(frame, uint16(chunkLength))
+		copy(frame[dataLenSize:], chunk)
+
+		// encrypt the frame
+		var sealedFrame = make([]byte, totalFrameSize+secretbox.Overhead)
+		secretbox.Seal(sealedFrame, frame, sc.sendNonce, sc.shrSecret)
+		incr2Nonce(sc.sendNonce)
+		// end encryption
+
+		_, err := sc.conn.Write(sealedFrame)
+		if err != nil {
+			return n, err
+		} else {
+			n += len(chunk)
+		}
+	}
+	return
+}
+
+// CONTRACT: data smaller than dataMaxSize is read atomically.
+func (sc *SecretConnection) Read(data []byte) (n int, err error) {
+	if 0 < len(sc.recvBuffer) {
+		n_ := copy(data, sc.recvBuffer)
+		sc.recvBuffer = sc.recvBuffer[n_:]
+		return
+	}
+
+	sealedFrame := make([]byte, totalFrameSize+secretbox.Overhead)
+	_, err = io.ReadFull(sc.conn, sealedFrame)
+	if err != nil {
+		return
+	}
+
+	// decrypt the frame
+	var frame = make([]byte, totalFrameSize)
+	_, ok := secretbox.Open(frame, sealedFrame, sc.recvNonce, sc.shrSecret)
+	if !ok {
+		return n, errors.New("Failed to decrypt SecretConnection")
+	}
+	incr2Nonce(sc.recvNonce)
+	// end decryption
+
+	var chunkLength = binary.BigEndian.Uint16(frame)
+	var chunk = frame[dataLenSize : dataLenSize+chunkLength]
+
+	n = copy(data, chunk)
+	sc.recvBuffer = chunk[n:]
+	return
+}
+
+func genEphKeys() (ephPub, ephPriv *[32]byte) {
+	var err error
+	ephPub, ephPriv, err = box.GenerateKey(crand.Reader)
+	if err != nil {
+		panic("Could not generate ephemeral keypairs")
+	}
+	return
+}
+
+func share32(conn net.Conn, sendBytes *[32]byte) (recvBytes *[32]byte, err error) {
+	var err1, err2 error
+	var wg sync.WaitGroup
+	wg.Add(2)
+
+	go func() {
+		defer wg.Done()
+		_, err1 = conn.Write(sendBytes[:])
+	}()
+
+	go func() {
+		defer wg.Done()
+		recvBytes = new([32]byte)
+		_, err2 = io.ReadFull(conn, recvBytes[:])
+	}()
+
+	wg.Wait()
+	if err1 != nil {
+		return nil, err1
+	}
+	if err2 != nil {
+		return nil, err2
+	}
+
+	return recvBytes, nil
+}
+
+func computeSharedSecret(remPubKey, locPrivKey *[32]byte) (shrSecret *[32]byte) {
+	shrSecret = new([32]byte)
+	box.Precompute(shrSecret, remPubKey, locPrivKey)
+	return
+}
+
+func sort32(foo, bar *[32]byte) (lo, hi *[32]byte) {
+	if bytes.Compare(foo[:], bar[:]) < 0 {
+		lo = foo
+		hi = bar
+	} else {
+		lo = bar
+		hi = foo
+	}
+	return
+}
+
+func genNonces(loPubKey, hiPubKey *[32]byte, locIsLo bool) (recvNonce, sendNonce *[24]byte) {
+	nonce1 := hash24(append(loPubKey[:], hiPubKey[:]...))
+	nonce2 := new([24]byte)
+	copy(nonce2[:], nonce1[:])
+	nonce2[len(nonce2)-1] ^= 0x01
+	if locIsLo {
+		recvNonce = nonce1
+		sendNonce = nonce2
+	} else {
+		recvNonce = nonce1
+		sendNonce = nonce2
+	}
+	return
+}
+
+func genChallenge(loPubKey, hiPubKey *[32]byte) (challenge *[32]byte) {
+	return hash32(append(loPubKey[:], hiPubKey[:]...))
+}
+
+func signChallenge(challenge *[32]byte, locPrivKey acm.PrivKeyEd25519) (signature acm.SignatureEd25519) {
+	signature = locPrivKey.Sign(challenge[:]).(acm.SignatureEd25519)
+	return
+}
+
+type authSigMessage struct {
+	Key acm.PubKeyEd25519
+	Sig acm.SignatureEd25519
+}
+
+func shareAuthSignature(sc *SecretConnection, pubKey acm.PubKeyEd25519, signature acm.SignatureEd25519) (acm.PubKeyEd25519, acm.SignatureEd25519, error) {
+	var recvMsg authSigMessage
+	var err1, err2 error
+	var wg sync.WaitGroup
+	wg.Add(2)
+
+	go func() {
+		defer wg.Done()
+		msgBytes := bm.BinaryBytes(authSigMessage{pubKey, signature})
+		_, err1 = sc.Write(msgBytes)
+	}()
+
+	go func() {
+		defer wg.Done()
+		// NOTE relies on atomicity of small data.
+		readBuffer := make([]byte, dataMaxSize)
+		_, err2 = sc.Read(readBuffer)
+		if err2 != nil {
+			return
+		}
+		n := int64(0) // not used.
+		recvMsg = bm.ReadBinary(authSigMessage{}, bytes.NewBuffer(readBuffer), &n, &err2).(authSigMessage)
+	}()
+
+	wg.Wait()
+	if err1 != nil {
+		return nil, nil, err1
+	}
+	if err2 != nil {
+		return nil, nil, err2
+	}
+
+	return recvMsg.Key, recvMsg.Sig, nil
+}
+
+func verifyChallengeSignature(challenge *[32]byte, remPubKey acm.PubKeyEd25519, remSignature acm.SignatureEd25519) bool {
+	return remPubKey.VerifyBytes(challenge[:], remSignature)
+}
+
+//--------------------------------------------------------------------------------
+
+// sha256
+func hash32(input []byte) (res *[32]byte) {
+	hasher := sha256.New()
+	hasher.Write(input) // does not error
+	resSlice := hasher.Sum(nil)
+	res = new([32]byte)
+	copy(res[:], resSlice)
+	return
+}
+
+// We only fill in the first 20 bytes with ripemd160
+func hash24(input []byte) (res *[24]byte) {
+	hasher := ripemd160.New()
+	hasher.Write(input) // does not error
+	resSlice := hasher.Sum(nil)
+	res = new([24]byte)
+	copy(res[:], resSlice)
+	return
+}
+
+// ripemd160
+func hash20(input []byte) (res *[20]byte) {
+	hasher := ripemd160.New()
+	hasher.Write(input) // does not error
+	resSlice := hasher.Sum(nil)
+	res = new([20]byte)
+	copy(res[:], resSlice)
+	return
+}
+
+// increment nonce big-endian by 2 with wraparound.
+func incr2Nonce(nonce *[24]byte) {
+	incrNonce(nonce)
+	incrNonce(nonce)
+}
+
+// increment nonce big-endian by 1 with wraparound.
+func incrNonce(nonce *[24]byte) {
+	for i := 23; 0 <= i; i-- {
+		nonce[i] += 1
+		if nonce[i] != 0 {
+			return
+		}
+	}
+}