diff --git a/cmd/ethereum/flags.go b/cmd/ethereum/flags.go index f829744dc931..94aa765576b2 100644 --- a/cmd/ethereum/flags.go +++ b/cmd/ethereum/flags.go @@ -65,6 +65,7 @@ var ( SHH bool Dial bool PrintVersion bool + Encryption bool ) // flags specific to cli client @@ -115,6 +116,7 @@ func Init() { flag.BoolVar(&ShowGenesis, "genesis", false, "Dump the genesis block") flag.StringVar(&ImportChain, "chain", "", "Imports given chain") + flag.BoolVar(&Encryption, "crypto", false, "whether to use encryption (experimental, temporary)") flag.BoolVar(&Dump, "dump", false, "output the ethereum state in JSON format. Sub args [number, hash]") flag.StringVar(&DumpHash, "hash", "", "specify arg in hex") flag.IntVar(&DumpNumber, "number", -1, "specify arg in number") diff --git a/cmd/ethereum/main.go b/cmd/ethereum/main.go index b816c678e77a..2eec4695ffb2 100644 --- a/cmd/ethereum/main.go +++ b/cmd/ethereum/main.go @@ -75,6 +75,7 @@ func main() { KeyRing: KeyRing, Shh: SHH, Dial: Dial, + Encryption: Encryption, }) if err != nil { diff --git a/eth/backend.go b/eth/backend.go index c3c7d12878d4..4cbf30bbe377 100644 --- a/eth/backend.go +++ b/eth/backend.go @@ -36,8 +36,9 @@ type Config struct { NATType string PMPGateway string - Shh bool - Dial bool + Shh bool + Dial bool + Encryption bool KeyManager *crypto.KeyManager } @@ -107,7 +108,7 @@ func New(config *Config) (*Ethereum, error) { keyManager.Init(config.KeyRing, 0, false) // Create a new client id for this instance. This will help identifying the node on the network - clientId := p2p.NewSimpleClientIdentity(config.Name, config.Version, config.Identifier, keyManager.PublicKey()) + clientId := p2p.NewSimpleClientIdentity(config.Name, config.Version, config.Identifier, keyManager.PrivateKey(), keyManager.PublicKey()) saveProtocolVersion(db) //ethutil.Config.Db = db @@ -143,12 +144,13 @@ func New(config *Config) (*Ethereum, error) { fmt.Println(nat) eth.net = &p2p.Server{ - Identity: clientId, - MaxPeers: config.MaxPeers, - Protocols: protocols, - Blacklist: eth.blacklist, - NAT: p2p.UPNP(), - NoDial: !config.Dial, + Identity: clientId, + MaxPeers: config.MaxPeers, + Protocols: protocols, + Blacklist: eth.blacklist, + NAT: p2p.UPNP(), + NoDial: !config.Dial, + Encryption: config.Encryption, } if len(config.Port) > 0 { diff --git a/eth/protocol.go b/eth/protocol.go index 24a0f0a8e8d8..3ade8a2ec8bb 100644 --- a/eth/protocol.go +++ b/eth/protocol.go @@ -97,7 +97,7 @@ func runEthProtocol(txPool txPool, chainManager chainManager, blockPool blockPoo blockPool: blockPool, rw: rw, peer: peer, - id: fmt.Sprintf("%x", peer.Identity().Pubkey()[:8]), + id: fmt.Sprintf("%x", peer.PublicKey()[:8]), } err = self.handleStatus() if err == nil { diff --git a/p2p/client_identity.go b/p2p/client_identity.go index f15fd01bfc6d..db8cf9dec9c1 100644 --- a/p2p/client_identity.go +++ b/p2p/client_identity.go @@ -7,8 +7,9 @@ import ( // ClientIdentity represents the identity of a peer. type ClientIdentity interface { - String() string // human readable identity - Pubkey() []byte // 512-bit public key + String() string // human readable identity + PublicKey() []byte // 512-bit public key represented in 65 byte format as per golang/elliptic.Marshal, first byte encodes curve + PrivateKey() []byte // 256-bit private key } type SimpleClientIdentity struct { @@ -17,10 +18,11 @@ type SimpleClientIdentity struct { customIdentifier string os string implementation string + privkey []byte pubkey []byte } -func NewSimpleClientIdentity(clientIdentifier string, version string, customIdentifier string, pubkey []byte) *SimpleClientIdentity { +func NewSimpleClientIdentity(clientIdentifier string, version string, customIdentifier string, privkey []byte, pubkey []byte) *SimpleClientIdentity { clientIdentity := &SimpleClientIdentity{ clientIdentifier: clientIdentifier, version: version, @@ -28,6 +30,7 @@ func NewSimpleClientIdentity(clientIdentifier string, version string, customIden os: runtime.GOOS, implementation: runtime.Version(), pubkey: pubkey, + privkey: privkey, } return clientIdentity @@ -50,8 +53,12 @@ func (c *SimpleClientIdentity) String() string { c.implementation) } -func (c *SimpleClientIdentity) Pubkey() []byte { - return []byte(c.pubkey) +func (c *SimpleClientIdentity) PrivateKey() []byte { + return c.privkey +} + +func (c *SimpleClientIdentity) PublicKey() []byte { + return c.pubkey } func (c *SimpleClientIdentity) SetCustomIdentifier(customIdentifier string) { diff --git a/p2p/client_identity_test.go b/p2p/client_identity_test.go index 7248a7b1a7e2..9c15b8895c4f 100644 --- a/p2p/client_identity_test.go +++ b/p2p/client_identity_test.go @@ -1,13 +1,22 @@ package p2p import ( + "bytes" "fmt" "runtime" "testing" ) func TestClientIdentity(t *testing.T) { - clientIdentity := NewSimpleClientIdentity("Ethereum(G)", "0.5.16", "test", []byte("pubkey")) + clientIdentity := NewSimpleClientIdentity("Ethereum(G)", "0.5.16", "test", []byte("privkey"), []byte("pubkey")) + key := clientIdentity.PrivateKey() + if !bytes.Equal(key, []byte("privkey")) { + t.Errorf("Expected Privkey to be %x, got %x", key, []byte("privkey")) + } + key = clientIdentity.PublicKey() + if !bytes.Equal(key, []byte("pubkey")) { + t.Errorf("Expected Pubkey to be %x, got %x", key, []byte("pubkey")) + } clientString := clientIdentity.String() expected := fmt.Sprintf("Ethereum(G)/v0.5.16/test/%s/%s", runtime.GOOS, runtime.Version()) if clientString != expected { diff --git a/p2p/crypto.go b/p2p/crypto.go new file mode 100644 index 000000000000..c4bf4bcea590 --- /dev/null +++ b/p2p/crypto.go @@ -0,0 +1,402 @@ +package p2p + +import ( + "crypto/ecdsa" + "crypto/rand" + "fmt" + "io" + + "github.com/ethereum/go-ethereum/crypto" + "github.com/ethereum/go-ethereum/crypto/secp256k1" + ethlogger "github.com/ethereum/go-ethereum/logger" + "github.com/obscuren/ecies" +) + +var clogger = ethlogger.NewLogger("CRYPTOID") + +const ( + sskLen int = 16 // ecies.MaxSharedKeyLength(pubKey) / 2 + sigLen int = 65 // elliptic S256 + pubLen int = 64 // 512 bit pubkey in uncompressed representation without format byte + shaLen int = 32 // hash length (for nonce etc) + msgLen int = 194 // sigLen + shaLen + pubLen + shaLen + 1 = 194 + resLen int = 97 // pubLen + shaLen + 1 + iHSLen int = 307 // size of the final ECIES payload sent as initiator's handshake + rHSLen int = 210 // size of the final ECIES payload sent as receiver's handshake +) + +/* +cryptoId implements the crypto layer for the p2p networking +It is initialised on the node's own identity (which has access to the node's private key) and run separately on a peer connection to set up a secure session after a crypto handshake +After it performs a crypto handshake it returns +*/ +type cryptoId struct { + prvKey *ecdsa.PrivateKey + pubKey *ecdsa.PublicKey + pubKeyS []byte +} + +/* +newCryptoId(id ClientIdentity) initialises a crypto layer manager. This object has a short lifecycle when the peer connection starts. It is survived by a secretRW (an message read writer with encryption and authentication) if the crypto handshake is successful. +*/ +func newCryptoId(id ClientIdentity) (self *cryptoId, err error) { + // will be at server init + var prvKeyS []byte = id.PrivateKey() + if prvKeyS == nil { + err = fmt.Errorf("no private key for client") + return + } + // initialise ecies private key via importing keys (known via our own clientIdentity) + // the key format is what elliptic package is using: elliptic.Marshal(Curve, X, Y) + var prvKey = crypto.ToECDSA(prvKeyS) + if prvKey == nil { + err = fmt.Errorf("invalid private key for client") + return + } + self = &cryptoId{ + prvKey: prvKey, + // initialise public key from the imported private key + pubKey: &prvKey.PublicKey, + // to be created at server init shared between peers and sessions + // for reuse, call wth ReadAt, no reset seek needed + } + self.pubKeyS = id.PublicKey()[1:] + clogger.Debugf("initialise crypto for NodeId %v", hexkey(self.pubKeyS)) + clogger.Debugf("private-key %v\npublic key %v", hexkey(prvKeyS), hexkey(self.pubKeyS)) + return +} + +type hexkey []byte + +func (self hexkey) String() string { + return fmt.Sprintf("(%d) %x", len(self), []byte(self)) +} + +/* +NewSession is called when the peer connection starts to set up a secure session by performing a crypto handshake. + + connection is (a buffered) network connection. + + remotePublicKey is the remote peer's node Id. + + sessionToken is the token from the previous session with this same peer. Nil if no token is found. + + initiator is a boolean flag. True if the node represented by cryptoId is the initiator of the connection (ie., remote is an outbound peer reached by dialing out). False if the connection was established by accepting a call from the remote peer via a listener. + + It returns a secretRW which implements the MsgReadWriter interface. +*/ + +func (self *cryptoId) NewSession(r io.Reader, w io.Writer, remotePubKeyS []byte, sessionToken []byte, initiator bool) (token []byte, rw MsgReadWriter, err error) { + var auth, initNonce, recNonce []byte + var read int + var randomPrivKey *ecdsa.PrivateKey + var remoteRandomPubKey *ecdsa.PublicKey + clogger.Debugf("attempting session with %v", hexkey(remotePubKeyS)) + if initiator { + if auth, initNonce, randomPrivKey, _, err = self.startHandshake(remotePubKeyS, sessionToken); err != nil { + return + } + if sessionToken != nil { + clogger.Debugf("session-token: %v", hexkey(sessionToken)) + } + clogger.Debugf("initiator-nonce: %v", hexkey(initNonce)) + clogger.Debugf("initiator-random-private-key: %v", hexkey(crypto.FromECDSA(randomPrivKey))) + randomPublicKeyS, _ := ExportPublicKey(&randomPrivKey.PublicKey) + clogger.Debugf("initiator-random-public-key: %v", hexkey(randomPublicKeyS)) + + if _, err = w.Write(auth); err != nil { + return + } + clogger.Debugf("initiator handshake (sent to %v):\n%v", hexkey(remotePubKeyS), hexkey(auth)) + var response []byte = make([]byte, rHSLen) + if read, err = r.Read(response); err != nil || read == 0 { + return + } + if read != rHSLen { + err = fmt.Errorf("remote receiver's handshake has invalid length. expect %v, got %v", rHSLen, read) + return + } + // write out auth message + // wait for response, then call complete + if recNonce, remoteRandomPubKey, _, err = self.completeHandshake(response); err != nil { + return + } + clogger.Debugf("receiver-nonce: %v", hexkey(recNonce)) + remoteRandomPubKeyS, _ := ExportPublicKey(remoteRandomPubKey) + clogger.Debugf("receiver-random-public-key: %v", hexkey(remoteRandomPubKeyS)) + + } else { + auth = make([]byte, iHSLen) + clogger.Debugf("waiting for initiator handshake (from %v)", hexkey(remotePubKeyS)) + if read, err = r.Read(auth); err != nil { + return + } + if read != iHSLen { + err = fmt.Errorf("remote initiator's handshake has invalid length. expect %v, got %v", iHSLen, read) + return + } + clogger.Debugf("received initiator handshake (from %v):\n%v", hexkey(remotePubKeyS), hexkey(auth)) + // we are listening connection. we are responders in the handshake. + // Extract info from the authentication. The initiator starts by sending us a handshake that we need to respond to. + // so we read auth message first, then respond + var response []byte + if response, recNonce, initNonce, randomPrivKey, remoteRandomPubKey, err = self.respondToHandshake(auth, remotePubKeyS, sessionToken); err != nil { + return + } + clogger.Debugf("receiver-nonce: %v", hexkey(recNonce)) + clogger.Debugf("receiver-random-priv-key: %v", hexkey(crypto.FromECDSA(randomPrivKey))) + if _, err = w.Write(response); err != nil { + return + } + clogger.Debugf("receiver handshake (sent to %v):\n%v", hexkey(remotePubKeyS), hexkey(response)) + } + return self.newSession(r, w, initiator, initNonce, recNonce, auth, randomPrivKey, remoteRandomPubKey) +} + +/* +ImportPublicKey creates a 512 bit *ecsda.PublicKey from a byte slice. It accepts the simple 64 byte uncompressed format or the 65 byte format given by calling elliptic.Marshal on the EC point represented by the key. Any other length will result in an invalid public key error. +*/ +func ImportPublicKey(pubKey []byte) (pubKeyEC *ecdsa.PublicKey, err error) { + var pubKey65 []byte + switch len(pubKey) { + case 64: + pubKey65 = append([]byte{0x04}, pubKey...) + case 65: + pubKey65 = pubKey + default: + return nil, fmt.Errorf("invalid public key length %v (expect 64/65)", len(pubKey)) + } + return crypto.ToECDSAPub(pubKey65), nil +} + +/* +ExportPublicKey exports a *ecdsa.PublicKey into a byte slice using a simple 64-byte format. and is used for simple serialisation in network communication +*/ +func ExportPublicKey(pubKeyEC *ecdsa.PublicKey) (pubKey []byte, err error) { + if pubKeyEC == nil { + return nil, fmt.Errorf("no ECDSA public key given") + } + return crypto.FromECDSAPub(pubKeyEC)[1:], nil +} + +/* startHandshake is called by if the node is the initiator of the connection. + +The caller provides the public key of the peer as conjuctured from lookup based on IP:port, given as user input or proven by signatures. The caller must have access to persistant information about the peers, and pass the previous session token as an argument to cryptoId. + +The first return value is the auth message that is to be sent out to the remote receiver. +*/ +func (self *cryptoId) startHandshake(remotePubKeyS, sessionToken []byte) (auth []byte, initNonce []byte, randomPrvKey *ecdsa.PrivateKey, remotePubKey *ecdsa.PublicKey, err error) { + // session init, common to both parties + if remotePubKey, err = ImportPublicKey(remotePubKeyS); err != nil { + return + } + + var tokenFlag byte // = 0x00 + if sessionToken == nil { + // no session token found means we need to generate shared secret. + // ecies shared secret is used as initial session token for new peers + // generate shared key from prv and remote pubkey + if sessionToken, err = ecies.ImportECDSA(self.prvKey).GenerateShared(ecies.ImportECDSAPublic(remotePubKey), sskLen, sskLen); err != nil { + return + } + } else { + // for known peers, we use stored token from the previous session + tokenFlag = 0x01 + } + + //E(remote-pubk, S(ecdhe-random, ecdh-shared-secret^nonce) || H(ecdhe-random-pubk) || pubk || nonce || 0x0) + // E(remote-pubk, S(ecdhe-random, token^nonce) || H(ecdhe-random-pubk) || pubk || nonce || 0x1) + // allocate msgLen long message, + var msg []byte = make([]byte, msgLen) + initNonce = msg[msgLen-shaLen-1 : msgLen-1] + if _, err = rand.Read(initNonce); err != nil { + return + } + // create known message + // ecdh-shared-secret^nonce for new peers + // token^nonce for old peers + var sharedSecret = Xor(sessionToken, initNonce) + + // generate random keypair to use for signing + if randomPrvKey, err = crypto.GenerateKey(); err != nil { + return + } + // sign shared secret (message known to both parties): shared-secret + var signature []byte + // signature = sign(ecdhe-random, shared-secret) + // uses secp256k1.Sign + if signature, err = crypto.Sign(sharedSecret, randomPrvKey); err != nil { + return + } + + // message + // signed-shared-secret || H(ecdhe-random-pubk) || pubk || nonce || 0x0 + copy(msg, signature) // copy signed-shared-secret + // H(ecdhe-random-pubk) + var randomPubKey64 []byte + if randomPubKey64, err = ExportPublicKey(&randomPrvKey.PublicKey); err != nil { + return + } + copy(msg[sigLen:sigLen+shaLen], crypto.Sha3(randomPubKey64)) + // pubkey copied to the correct segment. + copy(msg[sigLen+shaLen:sigLen+shaLen+pubLen], self.pubKeyS) + // nonce is already in the slice + // stick tokenFlag byte to the end + msg[msgLen-1] = tokenFlag + + // encrypt using remote-pubk + // auth = eciesEncrypt(remote-pubk, msg) + + if auth, err = crypto.Encrypt(remotePubKey, msg); err != nil { + return + } + + return +} + +/* +respondToHandshake is called by peer if it accepted (but not initiated) the connection from the remote. It is passed the initiator handshake received, the public key and session token belonging to the remote initiator. + +The first return value is the authentication response (aka receiver handshake) that is to be sent to the remote initiator. +*/ +func (self *cryptoId) respondToHandshake(auth, remotePubKeyS, sessionToken []byte) (authResp []byte, respNonce []byte, initNonce []byte, randomPrivKey *ecdsa.PrivateKey, remoteRandomPubKey *ecdsa.PublicKey, err error) { + var msg []byte + var remotePubKey *ecdsa.PublicKey + if remotePubKey, err = ImportPublicKey(remotePubKeyS); err != nil { + return + } + + // they prove that msg is meant for me, + // I prove I possess private key if i can read it + if msg, err = crypto.Decrypt(self.prvKey, auth); err != nil { + return + } + + var tokenFlag byte + if sessionToken == nil { + // no session token found means we need to generate shared secret. + // ecies shared secret is used as initial session token for new peers + // generate shared key from prv and remote pubkey + if sessionToken, err = ecies.ImportECDSA(self.prvKey).GenerateShared(ecies.ImportECDSAPublic(remotePubKey), sskLen, sskLen); err != nil { + return + } + // tokenFlag = 0x00 // redundant + } else { + // for known peers, we use stored token from the previous session + tokenFlag = 0x01 + } + + // the initiator nonce is read off the end of the message + initNonce = msg[msgLen-shaLen-1 : msgLen-1] + // I prove that i own prv key (to derive shared secret, and read nonce off encrypted msg) and that I own shared secret + // they prove they own the private key belonging to ecdhe-random-pubk + // we can now reconstruct the signed message and recover the peers pubkey + var signedMsg = Xor(sessionToken, initNonce) + var remoteRandomPubKeyS []byte + if remoteRandomPubKeyS, err = secp256k1.RecoverPubkey(signedMsg, msg[:sigLen]); err != nil { + return + } + // convert to ECDSA standard + if remoteRandomPubKey, err = ImportPublicKey(remoteRandomPubKeyS); err != nil { + return + } + + // now we find ourselves a long task too, fill it random + var resp = make([]byte, resLen) + // generate shaLen long nonce + respNonce = resp[pubLen : pubLen+shaLen] + if _, err = rand.Read(respNonce); err != nil { + return + } + // generate random keypair for session + if randomPrivKey, err = crypto.GenerateKey(); err != nil { + return + } + // responder auth message + // E(remote-pubk, ecdhe-random-pubk || nonce || 0x0) + var randomPubKeyS []byte + if randomPubKeyS, err = ExportPublicKey(&randomPrivKey.PublicKey); err != nil { + return + } + copy(resp[:pubLen], randomPubKeyS) + // nonce is already in the slice + resp[resLen-1] = tokenFlag + + // encrypt using remote-pubk + // auth = eciesEncrypt(remote-pubk, msg) + // why not encrypt with ecdhe-random-remote + if authResp, err = crypto.Encrypt(remotePubKey, resp); err != nil { + return + } + return +} + +/* +completeHandshake is called when the initiator receives an authentication response (aka receiver handshake). It completes the handshake by reading off parameters the remote peer provides needed to set up the secure session +*/ +func (self *cryptoId) completeHandshake(auth []byte) (respNonce []byte, remoteRandomPubKey *ecdsa.PublicKey, tokenFlag bool, err error) { + var msg []byte + // they prove that msg is meant for me, + // I prove I possess private key if i can read it + if msg, err = crypto.Decrypt(self.prvKey, auth); err != nil { + return + } + + respNonce = msg[pubLen : pubLen+shaLen] + var remoteRandomPubKeyS = msg[:pubLen] + if remoteRandomPubKey, err = ImportPublicKey(remoteRandomPubKeyS); err != nil { + return + } + if msg[resLen-1] == 0x01 { + tokenFlag = true + } + return +} + +/* +newSession is called after the handshake is completed. The arguments are values negotiated in the handshake and the return value is a new session : a new session Token to be remembered for the next time we connect with this peer. And a MsgReadWriter that implements an encrypted and authenticated connection with key material obtained from the crypto handshake key exchange +*/ +func (self *cryptoId) newSession(r io.Reader, w io.Writer, initiator bool, initNonce, respNonce, auth []byte, privKey *ecdsa.PrivateKey, remoteRandomPubKey *ecdsa.PublicKey) (sessionToken []byte, rw MsgReadWriter, err error) { + // 3) Now we can trust ecdhe-random-pubk to derive new keys + //ecdhe-shared-secret = ecdh.agree(ecdhe-random, remote-ecdhe-random-pubk) + var dhSharedSecret []byte + pubKey := ecies.ImportECDSAPublic(remoteRandomPubKey) + if dhSharedSecret, err = ecies.ImportECDSA(privKey).GenerateShared(pubKey, sskLen, sskLen); err != nil { + return + } + // shared-secret = crypto.Sha3(ecdhe-shared-secret || crypto.Sha3(nonce || initiator-nonce)) + var sharedSecret = crypto.Sha3(append(dhSharedSecret, crypto.Sha3(append(respNonce, initNonce...))...)) + // token = crypto.Sha3(shared-secret) + sessionToken = crypto.Sha3(sharedSecret) + // aes-secret = crypto.Sha3(ecdhe-shared-secret || shared-secret) + var aesSecret = crypto.Sha3(append(dhSharedSecret, sharedSecret...)) + // # destroy shared-secret + // mac-secret = crypto.Sha3(ecdhe-shared-secret || aes-secret) + var macSecret = crypto.Sha3(append(dhSharedSecret, aesSecret...)) + // # destroy ecdhe-shared-secret + var egressMac, ingressMac []byte + if initiator { + egressMac = Xor(macSecret, respNonce) + ingressMac = Xor(macSecret, initNonce) + } else { + egressMac = Xor(macSecret, initNonce) + ingressMac = Xor(macSecret, respNonce) + } + clogger.Debugf("aes-secret: %v", hexkey(aesSecret)) + clogger.Debugf("mac-secret: %v", hexkey(macSecret)) + clogger.Debugf("egress-mac: %v", hexkey(egressMac)) + clogger.Debugf("ingress-mac: %v", hexkey(ingressMac)) + + rw, err = NewCryptoMsgRW(r, w, aesSecret, macSecret, egressMac, ingressMac) + return +} + +// TODO: optimisation +// should use cipher.xorBytes from crypto/cipher/xor.go for fast xor +func Xor(one, other []byte) (xor []byte) { + xor = make([]byte, len(one)) + for i := 0; i < len(one); i++ { + xor[i] = one[i] ^ other[i] + } + return +} diff --git a/p2p/crypto_test.go b/p2p/crypto_test.go new file mode 100644 index 000000000000..fd6b8aa2903e --- /dev/null +++ b/p2p/crypto_test.go @@ -0,0 +1,217 @@ +package p2p + +import ( + "bytes" + // "crypto/ecdsa" + // "crypto/elliptic" + // "crypto/rand" + "bufio" + "fmt" + "net" + "testing" + "time" + + "github.com/ethereum/go-ethereum/crypto" + "github.com/obscuren/ecies" +) + +func TestPublicKeyEncoding(t *testing.T) { + prv0, _ := crypto.GenerateKey() // = ecdsa.GenerateKey(crypto.S256(), rand.Reader) + pub0 := &prv0.PublicKey + pub0s := crypto.FromECDSAPub(pub0) + pub1, err := ImportPublicKey(pub0s) + if err != nil { + t.Errorf("%v", err) + } + eciesPub1 := ecies.ImportECDSAPublic(pub1) + if eciesPub1 == nil { + t.Errorf("invalid ecdsa public key") + } + pub1s, err := ExportPublicKey(pub1) + if err != nil { + t.Errorf("%v", err) + } + if len(pub1s) != 64 { + t.Errorf("wrong length expect 64, got", len(pub1s)) + } + pub2, err := ImportPublicKey(pub1s) + if err != nil { + t.Errorf("%v", err) + } + pub2s, err := ExportPublicKey(pub2) + if err != nil { + t.Errorf("%v", err) + } + if !bytes.Equal(pub1s, pub2s) { + t.Errorf("exports dont match") + } + pub2sEC := crypto.FromECDSAPub(pub2) + if !bytes.Equal(pub0s, pub2sEC) { + t.Errorf("exports dont match") + } +} + +func TestSharedSecret(t *testing.T) { + prv0, _ := crypto.GenerateKey() // = ecdsa.GenerateKey(crypto.S256(), rand.Reader) + pub0 := &prv0.PublicKey + prv1, _ := crypto.GenerateKey() + pub1 := &prv1.PublicKey + + ss0, err := ecies.ImportECDSA(prv0).GenerateShared(ecies.ImportECDSAPublic(pub1), sskLen, sskLen) + if err != nil { + return + } + ss1, err := ecies.ImportECDSA(prv1).GenerateShared(ecies.ImportECDSAPublic(pub0), sskLen, sskLen) + if err != nil { + return + } + t.Logf("Secret:\n%v %x\n%v %x", len(ss0), ss0, len(ss0), ss1) + if !bytes.Equal(ss0, ss1) { + t.Errorf("dont match :(") + } +} + +func TestCryptoHandshake(t *testing.T) { + var err error + var sessionToken []byte + prv0, _ := crypto.GenerateKey() // = ecdsa.GenerateKey(crypto.S256(), rand.Reader) + pub0 := &prv0.PublicKey + prv1, _ := crypto.GenerateKey() + pub1 := &prv1.PublicKey + + var initiator, receiver *cryptoId + if initiator, err = newCryptoId(&peerId{crypto.FromECDSA(prv0), crypto.FromECDSAPub(pub0)}); err != nil { + return + } + if receiver, err = newCryptoId(&peerId{crypto.FromECDSA(prv1), crypto.FromECDSAPub(pub1)}); err != nil { + return + } + + // simulate handshake by feeding output to input + // initiator sends handshake 'auth' + auth, initNonce, randomPrivKey, _, err := initiator.startHandshake(receiver.pubKeyS, sessionToken) + if err != nil { + t.Errorf("%v", err) + } + + // receiver reads auth and responds with response + response, remoteRecNonce, remoteInitNonce, remoteRandomPrivKey, remoteInitRandomPubKey, err := receiver.respondToHandshake(auth, crypto.FromECDSAPub(pub0), sessionToken) + if err != nil { + t.Errorf("%v", err) + } + + // initiator reads receiver's response and the key exchange completes + recNonce, remoteRandomPubKey, _, err := initiator.completeHandshake(response) + if err != nil { + t.Errorf("%v", err) + } + + conn0, conn1 := net.Pipe() + + // now both parties should have the same session parameters + initSessionToken, initRW, err := initiator.newSession(bufio.NewReader(conn0), conn0, true, initNonce, recNonce, auth, randomPrivKey, remoteRandomPubKey) + if err != nil { + t.Errorf("%v", err) + } + + recSessionToken, recRW, err := receiver.newSession(bufio.NewReader(conn1), conn1, false, remoteInitNonce, remoteRecNonce, auth, remoteRandomPrivKey, remoteInitRandomPubKey) + if err != nil { + t.Errorf("%v", err) + } + + fmt.Printf("\nauth (%v) %x\n\nresp (%v) %x\n\n", len(auth), auth, len(response), response) + + // fmt.Printf("\nauth %x\ninitNonce %x\nresponse%x\nremoteRecNonce %x\nremoteInitNonce %x\nremoteRandomPubKey %x\nrecNonce %x\nremoteInitRandomPubKey %x\ninitSessionToken %x\n\n", auth, initNonce, response, remoteRecNonce, remoteInitNonce, remoteRandomPubKey, recNonce, remoteInitRandomPubKey, initSessionToken) + + if !bytes.Equal(initNonce, remoteInitNonce) { + t.Errorf("nonces do not match") + } + if !bytes.Equal(recNonce, remoteRecNonce) { + t.Errorf("receiver nonces do not match") + } + if !bytes.Equal(initSessionToken, recSessionToken) { + t.Errorf("session tokens do not match") + } + + initSecretRW, ok := initRW.(*CryptoMsgRW) + if !ok { + t.Errorf("incorrect return type. expected *CryptoMsgRW, got %T", initRW) + } + recSecretRW, ok := recRW.(*CryptoMsgRW) + if !ok { + t.Errorf("incorrect return type. expected *CryptoMsgRW, got %T", recRW) + } + + // aesSecret, macSecret, egressMac, ingressMac + if !bytes.Equal(initSecretRW.aesSecret, recSecretRW.aesSecret) { + t.Errorf("AES secrets do not match") + } + if !bytes.Equal(initSecretRW.macSecret, recSecretRW.macSecret) { + t.Errorf("macSecrets do not match") + } + if !bytes.Equal(initSecretRW.egressMac, recSecretRW.ingressMac) { + t.Errorf("initiator's egressMac do not match receiver's ingressMac") + } + if !bytes.Equal(initSecretRW.ingressMac, recSecretRW.egressMac) { + t.Errorf("initiator's inressMac do not match receiver's egressMac") + } + +} + +func TestPeersHandshake(t *testing.T) { + defer testlog(t).detach() + var err error + // var sessionToken []byte + prv0, _ := crypto.GenerateKey() // = ecdsa.GenerateKey(crypto.S256(), rand.Reader) + pub0 := &prv0.PublicKey + prv1, _ := crypto.GenerateKey() + pub1 := &prv1.PublicKey + + prv0s := crypto.FromECDSA(prv0) + pub0s := crypto.FromECDSAPub(pub0) + prv1s := crypto.FromECDSA(prv1) + pub1s := crypto.FromECDSAPub(pub1) + + conn1, conn2 := net.Pipe() + initiator := newPeer(conn1, []Protocol{}, nil) + receiver := newPeer(conn2, []Protocol{}, nil) + initiator.dialAddr = &peerAddr{IP: net.ParseIP("1.2.3.4"), Port: 2222, Pubkey: pub1s[1:]} + initiator.ourID = &peerId{prv0s, pub0s} + + // this is cheating. identity of initiator/dialler not available to listener/receiver + // its public key should be looked up based on IP address + receiver.identity = initiator.ourID + receiver.ourID = &peerId{prv1s, pub1s} + + initiator.pubkeyHook = func(*peerAddr) error { return nil } + receiver.pubkeyHook = func(*peerAddr) error { return nil } + + initiator.CryptoType = EthCrypto + receiver.CryptoType = EthCrypto + errc0 := make(chan error, 1) + errc1 := make(chan error, 1) + go func() { + _, err := initiator.loop() + errc0 <- err + }() + go func() { + _, err := receiver.loop() + errc1 <- err + }() + ready := make(chan bool) + go func() { + <-initiator.cryptoReady + <-receiver.cryptoReady + close(ready) + }() + timeout := time.After(20 * time.Second) + select { + case <-ready: + case <-timeout: + t.Errorf("crypto handshake hanging for too long") + case err = <-errc0: + t.Errorf("peer 0 quit with error: %v", err) + case err = <-errc1: + t.Errorf("peer 1 quit with error: %v", err) + } +} diff --git a/p2p/encryption.go b/p2p/encryption.go new file mode 100644 index 000000000000..cfe69907fd64 --- /dev/null +++ b/p2p/encryption.go @@ -0,0 +1,142 @@ +package p2p + +import ( + "bytes" + "crypto/aes" + "crypto/cipher" + "crypto/hmac" + "crypto/sha256" + "encoding/binary" + "hash" + "io" + + "github.com/ethereum/go-ethereum/ethutil" + "github.com/ethereum/go-ethereum/rlp" +) + +/* +CryptoMsgRW implements MsgReadWriter a message read writer with encryption and authentication +it is initialised by cryptoId.NewSession() after a successful crypto handshake on the same IO +It uses the legacy devp2p packet structure (temporary) +*/ +type CryptoMsgRW struct { + r io.Reader + w io.Writer + aesSecret, macSecret []byte + egressMac, ingressMac []byte + ingress, egress hash.Hash + stream cipher.Stream +} + +func NewCryptoMsgRW(r io.Reader, w io.Writer, aesSecret, macSecret, egressMac, ingressMac []byte) (*CryptoMsgRW, error) { + self := &CryptoMsgRW{ + r: r, + w: w, + aesSecret: aesSecret, + macSecret: macSecret, + egressMac: egressMac, + ingressMac: ingressMac, + } + block, err := aes.NewCipher(aesSecret) + if err != nil { + return nil, err + } + self.stream = cipher.NewCTR(block, macSecret[:aes.BlockSize]) + self.egress = hmac.New(sha256.New, egressMac) + self.ingress = hmac.New(sha256.New, ingressMac) + return self, nil +} + +func (self *CryptoMsgRW) Decrypt(plaintext, ciphertext []byte) (err error) { + self.stream.XORKeyStream(plaintext, ciphertext) + self.ingress.Write(plaintext) + return +} + +func (self *CryptoMsgRW) Encrypt(ciphertext, plaintext []byte) (err error) { + self.stream.XORKeyStream(ciphertext, plaintext) + self.egress.Write(plaintext) + return +} + +func (self *CryptoMsgRW) WriteMsg(msg Msg) (err error) { + // TODO: handle case when Size + len(code) + len(listhdr) overflows uint32 + code := ethutil.Encode(uint32(msg.Code)) + listhdr := makeListHeader(msg.Size + uint32(len(code))) + payloadLen := uint32(len(listhdr)) + uint32(len(code)) + msg.Size + + start := make([]byte, 8) + copy(start, magicToken) + binary.BigEndian.PutUint32(start[4:], payloadLen) + if _, err = self.w.Write(start); err != nil { + return + } + listhdrLen := uint32(len(listhdr)) + codeLen := uint32(len(code)) + ciphertext := make([]byte, listhdrLen+codeLen+msg.Size) + plaintext := make([]byte, listhdrLen+codeLen+msg.Size) + copy(plaintext, listhdr) + copy(plaintext[listhdrLen:], code) + msg.Payload.Read(plaintext[listhdrLen+codeLen:]) + self.Encrypt(ciphertext, plaintext) + if _, err = self.w.Write(ciphertext); err != nil { + return + } + mac := self.egress.Sum(nil) + if _, err = self.w.Write(mac); err != nil { + return + } + + return +} + +func (self *CryptoMsgRW) ReadMsg() (msg Msg, err error) { + var size uint32 + if size, err = self.readHeader(); err != nil { + err = newPeerError(errRead, "%v", err) + return + } + // authenticate size + var payload rlp.ByteReader + if payload, err = self.readPayload(size); err != nil { + err = newPeerError(errRead, "%v", err) + return + } + return NewMsgFromRLP(size, payload) +} + +func (self *CryptoMsgRW) readHeader() (size uint32, err error) { + // read magic and payload size + start := make([]byte, 8) + if _, err = io.ReadFull(self.r, start); err != nil { + err = newPeerError(errRead, "%v", err) + return + } + if !bytes.HasPrefix(start, magicToken) { + err = newPeerError(errMagicTokenMismatch, "got %x, want %x", start[:4], magicToken) + return + } + // here we could deobfuscate and auth the header... + size = binary.BigEndian.Uint32(start[4:]) + // here more header type metainfo... + return +} + +func (self *CryptoMsgRW) readPayload(size uint32) (r rlp.ByteReader, err error) { + plaintext := make([]byte, size) + ciphertext := make([]byte, size) + self.r.Read(ciphertext) + self.Decrypt(plaintext, ciphertext) + mac := make([]byte, 32) + if _, err = self.r.Read(mac); err != nil { + err = newPeerError(errRead, "%v", err) + return + } + var expectedMac = self.ingress.Sum(nil) + if !hmac.Equal(expectedMac, mac) { + err = newPeerError(errAuthentication, "ingress incorrect:\nexp %v\ngot %v\n", hexkey(expectedMac), hexkey(mac)) + return + } + r = bytes.NewReader(plaintext) + return +} diff --git a/p2p/encryption_test.go b/p2p/encryption_test.go new file mode 100644 index 000000000000..20de23a23cf2 --- /dev/null +++ b/p2p/encryption_test.go @@ -0,0 +1,82 @@ +package p2p + +import ( + "bufio" + "bytes" + "crypto/rand" + "io" + "net" + "testing" +) + +func randomKey(i int) (key []byte) { + key = make([]byte, i) + if _, err := io.ReadFull(rand.Reader, key); err != nil { + panic(err) + } + return +} + +func TestEncryption(t *testing.T) { + var args [][]byte = make([][]byte, 4) + for i, _ := range args { + args[i] = randomKey(32) + } + var pubkey = randomKey(64) + + var caps []interface{} + for _, p := range []Cap{Cap{"bzz", 0}, Cap{"shh", 1}, Cap{"eth", 2}} { + caps = append(caps, p) + } + + var msg0 = NewMsg(handshakeMsg, + baseProtocolVersion, + "ethersphere", + caps, + 3301, + pubkey, + ) + + var hs handshake + + conn0, conn1 := net.Pipe() + rw0, err := NewCryptoMsgRW(bufio.NewReader(conn0), conn0, args[0], args[1], args[2], args[3]) + if err != nil { + return + } + messenger0 := NewMessenger(rw0) + + // note that args 3/2 swapped! ingress <-> egress MAC should reverse + rw1, err := NewCryptoMsgRW(bufio.NewReader(conn1), conn1, args[0], args[1], args[3], args[2]) + if err != nil { + return + } + messenger1 := NewMessenger(rw1) + + messenger0.WriteC() <- msg0 + + messenger1.ReadNextC() <- true + + var msg1 Msg + select { + case msg1 = <-messenger1.ReadC(): + + case err = <-messenger0.ErrorC(): + t.Errorf("unexpected error on initiator%v", err) + + case err = <-messenger1.ErrorC(): + t.Errorf("unexpected error on receiver %v", err) + } + + if err = msg1.Decode(&hs); err != nil { + t.Errorf("rlp decoding error: %v", err) + } + + if //!bytes.Equal(hs.ListenPort, 3301) || + hs.ID != "ethersphere" || + len(hs.Caps) != 3 || + !bytes.Equal(hs.PublicKey(), pubkey) { + t.Errorf("mismatch") + } + +} diff --git a/p2p/message.go b/p2p/message.go index daf2bf05c1c5..e4406adc39d6 100644 --- a/p2p/message.go +++ b/p2p/message.go @@ -2,12 +2,10 @@ package p2p import ( "bytes" - "encoding/binary" "errors" "fmt" "io" "io/ioutil" - "math/big" "sync/atomic" "github.com/ethereum/go-ethereum/ethutil" @@ -23,7 +21,7 @@ import ( // separate Msg with a bytes.Reader as Payload for each send. type Msg struct { Code uint64 - Size uint32 // size of the paylod + Size uint32 // size of the payload Payload io.Reader } @@ -36,6 +34,7 @@ func NewMsg(code uint64, params ...interface{}) Msg { return Msg{Code: code, Size: uint32(buf.Len()), Payload: buf} } +// this should probably use the new rlp encoding func encodePayload(params ...interface{}) []byte { buf := new(bytes.Buffer) for _, p := range params { @@ -66,6 +65,26 @@ func (msg Msg) Discard() error { return err } +func NewMsgFromRLP(size uint32, r rlp.ByteReader) (msg Msg, err error) { + // decode start of RLP message to get the message code + posr := &postrack{r, 0} + s := rlp.NewStream(posr) + if _, err := s.List(); err != nil { + return msg, err + } + code, err := s.Uint() + if err != nil { + return msg, err + } + payloadsize := size - posr.p + return Msg{code, payloadsize, io.LimitReader(r, int64(payloadsize))}, nil +} + +/* +MsgReadWriter is an interface for reading and writing messages +It is aware of message structure and knows how to encode/decode +*/ + type MsgReader interface { ReadMsg() (Msg, error) } @@ -84,89 +103,15 @@ type MsgReadWriter interface { MsgWriter } +// EncodeMsg should be explicit in the interface and should have the MsgWriter +// as receiver + // EncodeMsg writes an RLP-encoded message with the given code and // data elements. func EncodeMsg(w MsgWriter, code uint64, data ...interface{}) error { return w.WriteMsg(NewMsg(code, data...)) } -var magicToken = []byte{34, 64, 8, 145} - -func writeMsg(w io.Writer, msg Msg) error { - // TODO: handle case when Size + len(code) + len(listhdr) overflows uint32 - code := ethutil.Encode(uint32(msg.Code)) - listhdr := makeListHeader(msg.Size + uint32(len(code))) - payloadLen := uint32(len(listhdr)) + uint32(len(code)) + msg.Size - - start := make([]byte, 8) - copy(start, magicToken) - binary.BigEndian.PutUint32(start[4:], payloadLen) - - for _, b := range [][]byte{start, listhdr, code} { - if _, err := w.Write(b); err != nil { - return err - } - } - _, err := io.CopyN(w, msg.Payload, int64(msg.Size)) - return err -} - -func makeListHeader(length uint32) []byte { - if length < 56 { - return []byte{byte(length + 0xc0)} - } - enc := big.NewInt(int64(length)).Bytes() - lenb := byte(len(enc)) + 0xf7 - return append([]byte{lenb}, enc...) -} - -// readMsg reads a message header from r. -// It takes an rlp.ByteReader to ensure that the decoding doesn't buffer. -func readMsg(r rlp.ByteReader) (msg Msg, err error) { - // read magic and payload size - start := make([]byte, 8) - if _, err = io.ReadFull(r, start); err != nil { - return msg, newPeerError(errRead, "%v", err) - } - if !bytes.HasPrefix(start, magicToken) { - return msg, newPeerError(errMagicTokenMismatch, "got %x, want %x", start[:4], magicToken) - } - size := binary.BigEndian.Uint32(start[4:]) - - // decode start of RLP message to get the message code - posr := &postrack{r, 0} - s := rlp.NewStream(posr) - if _, err := s.List(); err != nil { - return msg, err - } - code, err := s.Uint() - if err != nil { - return msg, err - } - payloadsize := size - posr.p - return Msg{code, payloadsize, io.LimitReader(r, int64(payloadsize))}, nil -} - -// postrack wraps an rlp.ByteReader with a position counter. -type postrack struct { - r rlp.ByteReader - p uint32 -} - -func (r *postrack) Read(buf []byte) (int, error) { - n, err := r.r.Read(buf) - r.p += uint32(n) - return n, err -} - -func (r *postrack) ReadByte() (byte, error) { - b, err := r.r.ReadByte() - if err == nil { - r.p++ - } - return b, err -} - // MsgPipe creates a message pipe. Reads on one end are matched // with writes on the other. The pipe is full-duplex, both ends // implement MsgReadWriter. @@ -185,6 +130,19 @@ func MsgPipe() (*MsgPipeRW, *MsgPipeRW) { // pipe has been closed. var ErrPipeClosed = errors.New("p2p: read or write on closed message pipe") +// Close unblocks any pending ReadMsg and WriteMsg calls on both ends +// of the pipe. They will return ErrPipeClosed. Note that Close does +// not interrupt any reads from a message payload. +func (p *MsgPipeRW) Close() error { + if atomic.AddInt32(p.closed, 1) != 1 { + // someone else is already closing + atomic.StoreInt32(p.closed, 1) // avoid overflow + return nil + } + close(p.closing) + return nil +} + // MsgPipeRW is an endpoint of a MsgReadWriter pipe. type MsgPipeRW struct { w chan<- Msg @@ -224,15 +182,25 @@ func (p *MsgPipeRW) ReadMsg() (Msg, error) { return Msg{}, ErrPipeClosed } -// Close unblocks any pending ReadMsg and WriteMsg calls on both ends -// of the pipe. They will return ErrPipeClosed. Note that Close does -// not interrupt any reads from a message payload. -func (p *MsgPipeRW) Close() error { - if atomic.AddInt32(p.closed, 1) != 1 { - // someone else is already closing - atomic.StoreInt32(p.closed, 1) // avoid overflow - return nil +// eofSignal wraps a reader with eof signaling. the eof channel is +// closed when the wrapped reader returns an error or when count bytes +// have been read. +// +type eofSignal struct { + wrapped io.Reader + count int64 + eof chan<- struct{} +} + +// note: when using eofSignal to detect whether a message payload +// has been read, Read might not be called for zero sized messages. + +func (r *eofSignal) Read(buf []byte) (int, error) { + n, err := r.wrapped.Read(buf) + r.count -= int64(n) + if (err != nil || r.count <= 0) && r.eof != nil { + r.eof <- struct{}{} // tell Peer that msg has been consumed + r.eof = nil } - close(p.closing) - return nil + return n, err } diff --git a/p2p/message_test.go b/p2p/message_test.go index 5cde9abf5b21..34b30065f123 100644 --- a/p2p/message_test.go +++ b/p2p/message_test.go @@ -29,12 +29,13 @@ func TestNewMsg(t *testing.T) { func TestEncodeDecodeMsg(t *testing.T) { msg := NewMsg(3, 1, "000") buf := new(bytes.Buffer) - if err := writeMsg(buf, msg); err != nil { + rw, _ := NewMsgRW(buf, buf) + if err := rw.WriteMsg(msg); err != nil { t.Fatalf("encodeMsg error: %v", err) } // t.Logf("encoded: %x", buf.Bytes()) - decmsg, err := readMsg(buf) + decmsg, err := rw.ReadMsg() if err != nil { t.Fatalf("readMsg error: %v", err) } @@ -62,7 +63,9 @@ func TestEncodeDecodeMsg(t *testing.T) { func TestDecodeRealMsg(t *testing.T) { data := ethutil.Hex2Bytes("2240089100000080f87e8002b5457468657265756d282b2b292f5065657220536572766572204f6e652f76302e372e382f52656c656173652f4c696e75782f672b2bc082765fb84086dd80b7aefd6a6d2e3b93f4f300a86bfb6ef7bdc97cb03f793db6bb") - msg, err := readMsg(bytes.NewReader(data)) + buf := bytes.NewReader(data) + rw, _ := NewMsgRW(buf, nil) + msg, err := rw.ReadMsg() if err != nil { t.Fatalf("unexpected error: %v", err) } diff --git a/p2p/messenger.go b/p2p/messenger.go new file mode 100644 index 000000000000..2bed6228b393 --- /dev/null +++ b/p2p/messenger.go @@ -0,0 +1,226 @@ +package p2p + +import ( + "bytes" + "encoding/binary" + "io" + "math/big" + "time" + + "github.com/ethereum/go-ethereum/ethutil" + "github.com/ethereum/go-ethereum/rlp" +) + +const ( + // maximum amount of time allowed for reading a message + msgReadTimeout = 5 * time.Second + // maximum amount of time allowed for writing a message + msgWriteTimeout = 5 * time.Second + // messages smaller than this many bytes will be read at + // once before passing them to a protocol. + wholePayloadSize = 64 * 1024 +) + +var magicToken = []byte{34, 64, 8, 145} + +/* + A MsgChanReadWriter implementation will typically sit on a multiplexed peer connection and runs a single read and a write loop without need to use locking. + + It passes on incoming messages to its channel ReadC() + the peer runs a dispatch loop that figures out which protocol to forward the message to. + + The channel for outcgoing messages (WriteC) is simply shared between the individual MsgReadWriter instances for each protocol +*/ + +type MsgChanReadWriter interface { + ReadC() chan Msg + WriteC() chan Msg + ErrorC() chan error + ReadNextC() chan bool + Close() +} + +type Messenger struct { + in chan Msg + out chan Msg + errc chan error + unblock chan bool + rw MsgReadWriter +} + +/* +Messenger is a simple implementation of a read and write loop using a MsgReadWriter to encode/decode individual messages +This MsgReadWriter can implement parsing from/to any kind of packet structure and employ encryption and authentication +*/ +func NewMessenger(rw MsgReadWriter) *Messenger { + self := &Messenger{ + in: make(chan Msg), + out: make(chan Msg), + errc: make(chan error), + unblock: make(chan bool, 1), + rw: rw, + } + go self.readLoop() + go self.writeLoop() + return self +} + +func (self *Messenger) Close() { + close(self.unblock) + close(self.out) +} + +func (self *Messenger) ReadC() chan Msg { + return self.in +} + +func (self *Messenger) WriteC() chan Msg { + return self.out +} + +func (self *Messenger) ErrorC() chan error { + return self.errc +} + +// ReadNextC <- true must be called before the next read is attempted +func (self *Messenger) ReadNextC() chan bool { + return self.unblock +} + +func (self *Messenger) readLoop() { + for _ = range self.unblock { + if msg, err := self.rw.ReadMsg(); err != nil { + self.errc <- err + } else { + self.in <- msg + } + } + close(self.errc) +} + +func (self *Messenger) writeLoop() { + for msg := range self.out { + if err := self.rw.WriteMsg(msg); err != nil { + self.errc <- newPeerError(errWrite, "%v", err) + } + + } +} + +/* +MsgReadWriter is an interface for reading and writing messages +It is aware of message structure and knows how to encode/decode + +MsgRW is a simple encoder implementing MsgReadWriter +It complies with the legacy devp2p packet structure and no encryption or authentication +*/ +type MsgRW struct { + r rlp.ByteReader // this is implemented by bufio.ReadWriter + // r io.Reader + w io.Writer +} + +func NewMsgRW(r rlp.ByteReader, w io.Writer) (*MsgRW, error) { + return &MsgRW{ + r: r, + w: w, + }, nil +} + +func (self *MsgRW) WriteMsg(msg Msg) error { + + // TODO: handle case when Size + len(code) + len(listhdr) overflows uint32 + code := ethutil.Encode(uint32(msg.Code)) + listhdr := makeListHeader(msg.Size + uint32(len(code))) + payloadLen := uint32(len(listhdr)) + uint32(len(code)) + msg.Size + + start := make([]byte, 8) + copy(start, magicToken) + binary.BigEndian.PutUint32(start[4:], payloadLen) + + for _, b := range [][]byte{start, listhdr, code} { + if _, err := self.w.Write(b); err != nil { + return err + } + } + _, err := io.CopyN(self.w, msg.Payload, int64(msg.Size)) + return err +} + +func makeListHeader(length uint32) []byte { + if length < 56 { + return []byte{byte(length + 0xc0)} + } + enc := big.NewInt(int64(length)).Bytes() + lenb := byte(len(enc)) + 0xf7 + return append([]byte{lenb}, enc...) +} + +// readMsg reads a message header from r. +// It takes an rlp.ByteReader to ensure that the decoding doesn't buffer. +func (self *MsgRW) ReadMsg() (msg Msg, err error) { + + // read magic and payload size + start := make([]byte, 8) + if _, err = io.ReadFull(self.r, start); err != nil { + return msg, newPeerError(errRead, "%v", err) + } + + if !bytes.HasPrefix(start, magicToken) { + return msg, newPeerError(errMagicTokenMismatch, "got %x, want %x", start[:4], magicToken) + } + size := binary.BigEndian.Uint32(start[4:]) + return NewMsgFromRLP(size, self.r) +} + +// postrack wraps an rlp.ByteReader with a position counter. +type postrack struct { + r rlp.ByteReader + p uint32 +} + +func (r *postrack) Read(buf []byte) (int, error) { + n, err := r.r.Read(buf) + r.p += uint32(n) + return n, err +} + +func (r *postrack) ReadByte() (byte, error) { + b, err := r.r.ReadByte() + if err == nil { + r.p++ + } + return b, err +} + +// proto will embed the same writer channel as given to the readwriter +// in the legacy code it knows about the code offset +// no need to go through peer for writing , so do not need to embed peer as field +type proto struct { + name string + in, out chan Msg + maxcode, offset uint64 +} + +// WriteMsg proto implements MsgWriter interface +func (rw *proto) WriteMsg(msg Msg) error { + if msg.Code >= rw.maxcode { + return newPeerError(errInvalidMsgCode, "not handled") + } + msg.Code += rw.offset + rw.out <- msg + return nil +} + +func (rw *proto) EncodeMsg(code uint64, data ...interface{}) error { + return rw.WriteMsg(NewMsg(code, data...)) +} + +func (rw *proto) ReadMsg() (Msg, error) { + msg, ok := <-rw.in + if !ok { + return msg, io.EOF + } + msg.Code -= rw.offset + return msg, nil +} diff --git a/p2p/peer.go b/p2p/peer.go index 2380a3285b8d..473baf51358e 100644 --- a/p2p/peer.go +++ b/p2p/peer.go @@ -3,8 +3,8 @@ package p2p import ( "bufio" "bytes" + "crypto/rand" "fmt" - "io" "io/ioutil" "net" "sort" @@ -61,15 +61,14 @@ type Peer struct { listenAddr *peerAddr // what remote peer is listening on dialAddr *peerAddr // non-nil if dialing - // The mutex protects the connection - // so only one protocol can write at a time. - writeMu sync.Mutex - conn net.Conn - bufconn *bufio.ReadWriter + conn net.Conn + crw MsgChanReadWriter // These fields maintain the running protocols. protocols []Protocol - runBaseProtocol bool // for testing + runBaseProtocol bool // for testing + CryptoType CryptoType // + cryptoReady chan struct{} runlock sync.RWMutex // protects running running map[string]*proto @@ -108,26 +107,29 @@ func newServerPeer(server *Server, conn net.Conn, dialAddr *peerAddr) *Peer { p.otherPeers = server.Peers p.pubkeyHook = server.verifyPeer p.runBaseProtocol = true + if server.Encryption { + p.CryptoType = EthCrypto + } // laddr can be updated concurrently by NAT traversal. // newServerPeer must be called with the server lock held. if server.laddr != nil { - p.ourListenAddr = newPeerAddr(server.laddr, server.Identity.Pubkey()) + p.ourListenAddr = newPeerAddr(server.laddr, server.Identity.PublicKey()) } return p } func newPeer(conn net.Conn, protocols []Protocol, dialAddr *peerAddr) *Peer { p := &Peer{ - Logger: logger.NewLogger("P2P " + conn.RemoteAddr().String()), - conn: conn, - dialAddr: dialAddr, - bufconn: bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn)), - protocols: protocols, - running: make(map[string]*proto), - disc: make(chan DiscReason), - protoErr: make(chan error), - closed: make(chan struct{}), + Logger: logger.NewLogger("P2P " + conn.RemoteAddr().String()), + conn: conn, + dialAddr: dialAddr, + protocols: protocols, + running: make(map[string]*proto), + disc: make(chan DiscReason), + protoErr: make(chan error), + closed: make(chan struct{}), + cryptoReady: make(chan struct{}), } return p } @@ -141,6 +143,20 @@ func (p *Peer) Identity() ClientIdentity { return p.identity } +func (self *Peer) PublicKey() (pubkey []byte) { + self.infolock.Lock() + defer self.infolock.Unlock() + switch { + case self.identity != nil: + pubkey = self.identity.PublicKey()[1:] + case self.dialAddr != nil: + pubkey = self.dialAddr.Pubkey + case self.listenAddr != nil: + pubkey = self.listenAddr.Pubkey + } + return +} + // Caps returns the capabilities (supported subprotocols) of the remote peer. func (p *Peer) Caps() []Cap { p.infolock.Lock() @@ -186,16 +202,6 @@ func (p *Peer) String() string { return fmt.Sprintf("Peer(%p %v %s)", p, p.conn.RemoteAddr(), kind) } -const ( - // maximum amount of time allowed for reading a message - msgReadTimeout = 5 * time.Second - // maximum amount of time allowed for writing a message - msgWriteTimeout = 5 * time.Second - // messages smaller than this many bytes will be read at - // once before passing them to a protocol. - wholePayloadSize = 64 * 1024 -) - var ( inactivityTimeout = 2 * time.Second disconnectGracePeriod = 2 * time.Second @@ -207,13 +213,21 @@ func (p *Peer) loop() (reason DiscReason, err error) { defer close(p.closed) defer p.conn.Close() + if err = p.handleCryptoHandshake(); err != nil { + // from here on everything can be encrypted, authenticated + return DiscProtocolError, err // no graceful disconnect + } + defer p.crw.Close() + close(p.cryptoReady) + // read loop - readMsg := make(chan Msg) - readErr := make(chan error) - readNext := make(chan bool, 1) protoDone := make(chan struct{}, 1) - go p.readLoop(readMsg, readErr, readNext) - readNext <- true + + in := p.crw.ReadC() + errc := p.crw.ErrorC() + unblock := p.crw.ReadNextC() + + unblock <- true if p.runBaseProtocol { p.startBaseProtocol() @@ -222,7 +236,7 @@ func (p *Peer) loop() (reason DiscReason, err error) { loop: for { select { - case msg := <-readMsg: + case msg := <-in: // a new message has arrived. var wait bool if wait, err = p.dispatch(msg, protoDone); err != nil { @@ -232,19 +246,18 @@ loop: } if !wait { // Msg has already been read completely, continue with next message. - readNext <- true + unblock <- true } p.activity.Post(time.Now()) case <-protoDone: // protocol has consumed the message payload, // we can continue reading from the socket. - readNext <- true + unblock <- true - case err := <-readErr: - // read failed. there is no need to run the + case err := <-errc: + // read or write failed. there is no need to run the // polite disconnect sequence because the connection // is probably dead anyway. - // TODO: handle write errors as well return DiscNetworkError, err case err = <-p.protoErr: reason = discReasonForError(err) @@ -253,37 +266,13 @@ loop: break loop } } - - // wait for read loop to return. - close(readNext) - <-readErr // tell the remote end to disconnect - done := make(chan struct{}) - go func() { - p.conn.SetDeadline(time.Now().Add(disconnectGracePeriod)) - p.writeMsg(NewMsg(discMsg, reason), disconnectGracePeriod) - io.Copy(ioutil.Discard, p.conn) - close(done) - }() - select { - case <-done: - case <-time.After(disconnectGracePeriod): - } + p.writeProtoMsg("", NewMsg(discMsg, reason)) + // io.Copy(ioutil.Discard, p.conn)//?? + <-time.After(disconnectGracePeriod) return reason, err } -func (p *Peer) readLoop(msgc chan<- Msg, errc chan<- error, unblock <-chan bool) { - for _ = range unblock { - p.conn.SetReadDeadline(time.Now().Add(msgReadTimeout)) - if msg, err := readMsg(p.bufconn); err != nil { - errc <- err - } else { - msgc <- msg - } - } - close(errc) -} - func (p *Peer) dispatch(msg Msg, protoDone chan struct{}) (wait bool, err error) { proto, err := p.getProto(msg.Code) if err != nil { @@ -307,6 +296,70 @@ func (p *Peer) dispatch(msg Msg, protoDone chan struct{}) (wait bool, err error) return wait, nil } +type CryptoType byte + +const ( + NoCrypto CryptoType = iota + EthCrypto +) + +var cryptoType = map[CryptoType]string{ + NoCrypto: "no encryption", + EthCrypto: "AES256 CTR HMAC SHA256", +} + +func (self CryptoType) String() (s string) { + s = cryptoType[self] + if len(s) == 0 { + s = string([]byte{byte(self)}) + } + return +} + +func (p *Peer) handleCryptoHandshake() (err error) { + var crw MsgReadWriter + switch p.CryptoType { + case NoCrypto: + if crw, err = NewMsgRW(bufio.NewReader(p.conn), p.conn); err != nil { + return + } + p.Infof("insecure connection using no encryption/authentication") + + case EthCrypto: + // cryptoId is just created for the lifecycle of the handshake + // it is survived by an encrypted readwriter + var initiator bool + // TODO: this is clearly a placeholder until we figure how we store session Token + var sessionToken []byte + sessionToken = make([]byte, keyLen) + if _, err = rand.Read(sessionToken); err != nil { + return + } + if p.dialAddr != nil { // this should have its own method Outgoing() bool + initiator = true + } + // create crypto layer + // this could in principle run only once but maybe we want to allow + // identity switching + var crypto *cryptoId + if crypto, err = newCryptoId(p.ourID); err != nil { + return + } + // run on peer + // this bit handles the handshake and creates a secure communications channel with + if sessionToken, crw, err = crypto.NewSession(bufio.NewReader(p.conn), p.conn, p.PublicKey(), sessionToken, initiator); err != nil { + p.Errorf("unable to setup secure session: %v", err) + return + } + default: + err = fmt.Errorf("unrecognised crypto type %v", p.CryptoType) + p.Errorf("%v", err) + } + p.crw = NewMessenger(crw) + p.Infof("secure connection using %v", p.CryptoType) + return +} + func (p *Peer) startBaseProtocol() { p.runlock.Lock() defer p.runlock.Unlock() @@ -340,9 +393,9 @@ outer: func (p *Peer) startProto(offset uint64, impl Protocol) *proto { rw := &proto{ in: make(chan Msg), + out: p.crw.WriteC(), offset: offset, maxcode: impl.Length, - peer: p, } p.protoWG.Add(1) go func() { @@ -392,71 +445,5 @@ func (p *Peer) writeProtoMsg(protoName string, msg Msg) error { if !ok { return fmt.Errorf("protocol %s not handled by peer", protoName) } - if msg.Code >= proto.maxcode { - return newPeerError(errInvalidMsgCode, "code %x is out of range for protocol %q", msg.Code, protoName) - } - msg.Code += proto.offset - return p.writeMsg(msg, msgWriteTimeout) -} - -// writeMsg writes a message to the connection. -func (p *Peer) writeMsg(msg Msg, timeout time.Duration) error { - p.writeMu.Lock() - defer p.writeMu.Unlock() - p.conn.SetWriteDeadline(time.Now().Add(timeout)) - if err := writeMsg(p.bufconn, msg); err != nil { - return newPeerError(errWrite, "%v", err) - } - return p.bufconn.Flush() -} - -type proto struct { - name string - in chan Msg - maxcode, offset uint64 - peer *Peer -} - -func (rw *proto) WriteMsg(msg Msg) error { - if msg.Code >= rw.maxcode { - return newPeerError(errInvalidMsgCode, "not handled") - } - msg.Code += rw.offset - return rw.peer.writeMsg(msg, msgWriteTimeout) -} - -func (rw *proto) EncodeMsg(code uint64, data ...interface{}) error { - return rw.WriteMsg(NewMsg(code, data...)) -} - -func (rw *proto) ReadMsg() (Msg, error) { - msg, ok := <-rw.in - if !ok { - return msg, io.EOF - } - msg.Code -= rw.offset - return msg, nil -} - -// eofSignal wraps a reader with eof signaling. the eof channel is -// closed when the wrapped reader returns an error or when count bytes -// have been read. -// -type eofSignal struct { - wrapped io.Reader - count int64 - eof chan<- struct{} -} - -// note: when using eofSignal to detect whether a message payload -// has been read, Read might not be called for zero sized messages. - -func (r *eofSignal) Read(buf []byte) (int, error) { - n, err := r.wrapped.Read(buf) - r.count -= int64(n) - if (err != nil || r.count <= 0) && r.eof != nil { - r.eof <- struct{}{} // tell Peer that msg has been consumed - r.eof = nil - } - return n, err + return proto.WriteMsg(msg) } diff --git a/p2p/peer_error.go b/p2p/peer_error.go index 0eb7ec838d45..d67c42a36d2a 100644 --- a/p2p/peer_error.go +++ b/p2p/peer_error.go @@ -19,6 +19,8 @@ const ( errPingTimeout errInvalidNetworkId errInvalidProtocolVersion + errAuthentication + errEncryption ) var errorToString = map[int]string{ @@ -36,6 +38,8 @@ var errorToString = map[int]string{ errPingTimeout: "Ping timeout", errInvalidNetworkId: "Invalid network id", errInvalidProtocolVersion: "Invalid protocol version", + errAuthentication: "Authentication error", + errEncryption: "Encryption error", } type peerError struct { diff --git a/p2p/peer_test.go b/p2p/peer_test.go index 4ee88f112b0f..7419488accc3 100644 --- a/p2p/peer_test.go +++ b/p2p/peer_test.go @@ -38,6 +38,7 @@ func testPeer(protos []Protocol) (net.Conn, *Peer, <-chan error) { _, err := peer.loop() errc <- err }() + <-peer.cryptoReady return conn2, peer, errc } @@ -71,9 +72,11 @@ func TestPeerProtoReadMsg(t *testing.T) { net, peer, errc := testPeer([]Protocol{proto}) defer net.Close() + peer.startSubprotocols([]Cap{proto.cap()}) - writeMsg(net, NewMsg(18, 1, "000")) + rw, _ := NewMsgRW(nil, net) + rw.WriteMsg(NewMsg(18, 1, "000")) select { case <-done: case err := <-errc: @@ -107,9 +110,11 @@ func TestPeerProtoReadLargeMsg(t *testing.T) { net, peer, errc := testPeer([]Protocol{proto}) defer net.Close() - peer.startSubprotocols([]Cap{proto.cap()}) - writeMsg(net, NewMsg(18, make([]byte, msgsize))) + rw, _ := NewMsgRW(nil, net) + + peer.startSubprotocols([]Cap{proto.cap()}) + rw.WriteMsg(NewMsg(18, make([]byte, msgsize))) select { case <-done: case err := <-errc: @@ -137,10 +142,11 @@ func TestPeerProtoEncodeMsg(t *testing.T) { } net, peer, _ := testPeer([]Protocol{proto}) defer net.Close() - peer.startSubprotocols([]Cap{proto.cap()}) bufr := bufio.NewReader(net) - msg, err := readMsg(bufr) + rw, _ := NewMsgRW(bufr, nil) + peer.startSubprotocols([]Cap{proto.cap()}) + msg, err := rw.ReadMsg() if err != nil { t.Errorf("read error: %v", err) } @@ -177,7 +183,8 @@ func TestPeerWrite(t *testing.T) { read := make(chan struct{}) go func() { bufr := bufio.NewReader(net) - msg, err := readMsg(bufr) + rw, _ := NewMsgRW(bufr, nil) + msg, err := rw.ReadMsg() if err != nil { t.Errorf("read error: %v", err) } else if msg.Code != 16 { @@ -211,8 +218,9 @@ func TestPeerActivity(t *testing.T) { sub := peer.activity.Subscribe(time.Time{}) defer sub.Unsubscribe() + rw, _ := NewMsgRW(nil, net) for i := 0; i < 6; i++ { - writeMsg(net, NewMsg(16)) + rw.WriteMsg(NewMsg(16)) select { case <-sub.Chan(): case <-time.After(inactivityTimeout / 2): diff --git a/p2p/protocol.go b/p2p/protocol.go index 1d121a885579..3aa39ce9c820 100644 --- a/p2p/protocol.go +++ b/p2p/protocol.go @@ -60,10 +60,14 @@ type handshake struct { func (h *handshake) String() string { return h.ID } -func (h *handshake) Pubkey() []byte { +func (h *handshake) PublicKey() []byte { return h.NodeID } +func (h *handshake) PrivateKey() []byte { + return nil +} + // Cap is the structure of a peer capability. type Cap struct { Name string @@ -261,7 +265,7 @@ func (bp *baseProtocol) handshakeMsg() Msg { bp.peer.ourID.String(), caps, port, - bp.peer.ourID.Pubkey()[1:], + bp.peer.ourID.PublicKey()[1:], ) } diff --git a/p2p/protocol_test.go b/p2p/protocol_test.go index b1d10ac5360f..1cd72626d6f2 100644 --- a/p2p/protocol_test.go +++ b/p2p/protocol_test.go @@ -11,14 +11,14 @@ import ( ) type peerId struct { - pubkey []byte + privkey, pubkey []byte } func (self *peerId) String() string { - return fmt.Sprintf("test peer %x", self.Pubkey()[:4]) + return fmt.Sprintf("test peer %x", self.PublicKey()[:4]) } -func (self *peerId) Pubkey() (pubkey []byte) { +func (self *peerId) PublicKey() (pubkey []byte) { pubkey = self.pubkey if len(pubkey) == 0 { pubkey = crypto.GenerateNewKeyPair().PublicKey @@ -27,6 +27,15 @@ func (self *peerId) Pubkey() (pubkey []byte) { return } +func (self *peerId) PrivateKey() (privkey []byte) { + privkey = self.privkey + if len(privkey) == 0 { + privkey = crypto.GenerateNewKeyPair().PublicKey + self.privkey = privkey + } + return +} + func newTestPeer() (peer *Peer) { peer = NewPeer(&peerId{}, []Cap{}) peer.pubkeyHook = func(*peerAddr) error { return nil } diff --git a/p2p/server.go b/p2p/server.go index 4fd1f7d03423..a553862363ce 100644 --- a/p2p/server.go +++ b/p2p/server.go @@ -62,6 +62,9 @@ type Server struct { // If NoDial is true, the server will not dial any peers. NoDial bool + // whether or not use encryption + Encryption bool + // Hook for testing. This is useful because we can inhibit // the whole protocol stack. newPeerFunc peerFunc @@ -399,7 +402,7 @@ func (srv *Server) verifyPeer(addr *peerAddr) error { if srv.Blacklist.Exists(addr.Pubkey) { return errors.New("blacklisted") } - if bytes.Equal(srv.Identity.Pubkey()[1:], addr.Pubkey) { + if bytes.Equal(srv.Identity.PublicKey()[1:], addr.Pubkey) { return newPeerError(errPubkeyForbidden, "not allowed to connect to srv") } srv.lock.RLock() @@ -407,7 +410,7 @@ func (srv *Server) verifyPeer(addr *peerAddr) error { for _, peer := range srv.peers { if peer != nil { id := peer.Identity() - if id != nil && bytes.Equal(id.Pubkey(), addr.Pubkey) { + if id != nil && bytes.Equal(id.PublicKey(), addr.Pubkey) { return errors.New("already connected") } } diff --git a/p2p/server_test.go b/p2p/server_test.go index ceb89e3f7fb7..13753442448d 100644 --- a/p2p/server_test.go +++ b/p2p/server_test.go @@ -1,6 +1,7 @@ package p2p import ( + "bufio" "bytes" "io" "net" @@ -121,6 +122,8 @@ func TestServerBroadcast(t *testing.T) { var connected sync.WaitGroup srv := startTestServer(t, func(srv *Server, c net.Conn, dialAddr *peerAddr) *Peer { peer := newPeer(c, []Protocol{discard}, dialAddr) + rw, _ := NewMsgRW(bufio.NewReader(c), c) + peer.crw = NewMessenger(rw) peer.startSubprotocols([]Cap{discard.cap()}) connected.Done() return peer @@ -145,9 +148,10 @@ func TestServerBroadcast(t *testing.T) { // broadcast one message srv.Broadcast("discard", 0, "foo") - goldbuf := new(bytes.Buffer) - writeMsg(goldbuf, NewMsg(16, "foo")) - golden := goldbuf.Bytes() + buf := new(bytes.Buffer) + rw, _ := NewMsgRW(buf, buf) + rw.WriteMsg(NewMsg(16, "foo")) + golden := buf.Bytes() // check that the message has been written everywhere for i, conn := range conns {