diff --git a/p2p/client_identity.go b/p2p/client_identity.go index f15fd01bfc6d..ef01f1ad7827 100644 --- a/p2p/client_identity.go +++ b/p2p/client_identity.go @@ -17,6 +17,7 @@ type SimpleClientIdentity struct { customIdentifier string os string implementation string + privkey []byte pubkey []byte } @@ -50,8 +51,12 @@ func (c *SimpleClientIdentity) String() string { c.implementation) } +func (c *SimpleClientIdentity) Privkey() []byte { + return c.privkey +} + func (c *SimpleClientIdentity) Pubkey() []byte { - return []byte(c.pubkey) + return c.pubkey } func (c *SimpleClientIdentity) SetCustomIdentifier(customIdentifier string) { diff --git a/p2p/client_identity_test.go b/p2p/client_identity_test.go index 7248a7b1a7e2..7b62f05ef02e 100644 --- a/p2p/client_identity_test.go +++ b/p2p/client_identity_test.go @@ -1,6 +1,7 @@ package p2p import ( + "bytes" "fmt" "runtime" "testing" @@ -8,6 +9,10 @@ import ( func TestClientIdentity(t *testing.T) { clientIdentity := NewSimpleClientIdentity("Ethereum(G)", "0.5.16", "test", []byte("pubkey")) + key := clientIdentity.Pubkey() + if !bytes.Equal(key, []byte("pubkey")) { + t.Errorf("Expected Pubkey to be %x, got %x", key, []byte("pubkey")) + } clientString := clientIdentity.String() expected := fmt.Sprintf("Ethereum(G)/v0.5.16/test/%s/%s", runtime.GOOS, runtime.Version()) if clientString != expected { diff --git a/p2p/crypto.go b/p2p/crypto.go new file mode 100644 index 000000000000..cb0534cba092 --- /dev/null +++ b/p2p/crypto.go @@ -0,0 +1,404 @@ +package p2p + +import ( + // "binary" + "crypto/ecdsa" + "crypto/rand" + "fmt" + "io" + + "github.com/ethereum/go-ethereum/crypto" + "github.com/ethereum/go-ethereum/crypto/secp256k1" + ethlogger "github.com/ethereum/go-ethereum/logger" + "github.com/obscuren/ecies" +) + +var clogger = ethlogger.NewLogger("CRYPTOID") + +const ( + sskLen int = 16 // ecies.MaxSharedKeyLength(pubKey) / 2 + sigLen int = 65 // elliptic S256 + pubLen int = 64 // 512 bit pubkey in uncompressed representation without format byte + shaLen int = 32 // hash length (for nonce etc) + msgLen int = 194 // sigLen + shaLen + pubLen + shaLen + 1 = 194 + resLen int = 97 // pubLen + shaLen + 1 + iHSLen int = 307 // size of the final ECIES payload sent as initiator's handshake + rHSLen int = 210 // size of the final ECIES payload sent as receiver's handshake +) + +// secretRW implements a message read writer with encryption and authentication +// it is initialised by cryptoId.Run() after a successful crypto handshake +// aesSecret, macSecret, egressMac, ingress +type secretRW struct { + aesSecret, macSecret, egressMac, ingressMac []byte +} + +type hexkey []byte + +func (self hexkey) String() string { + return fmt.Sprintf("(%d) %x", len(self), []byte(self)) +} + +var nonceF = func(b []byte) (n int, err error) { + return rand.Read(b) +} + +var step = 0 +var detnonceF = func(b []byte) (n int, err error) { + step++ + copy(b, crypto.Sha3([]byte("privacy"+string(step)))) + fmt.Printf("detkey %v: %v\n", step, hexkey(b)) + return +} + +var keyF = func() (priv *ecdsa.PrivateKey, err error) { + priv, err = ecdsa.GenerateKey(crypto.S256(), rand.Reader) + if err != nil { + return + } + return +} + +var detkeyF = func() (priv *ecdsa.PrivateKey, err error) { + s := make([]byte, 32) + detnonceF(s) + priv = crypto.ToECDSA(s) + return +} + +/* +NewSecureSession(connection, privateKey, remotePublicKey, sessionToken, initiator) is called when the peer connection starts to set up a secure session by performing a crypto handshake. + + connection is (a buffered) network connection. + + privateKey is the local client's private key (*ecdsa.PrivateKey) + + remotePublicKey is the remote peer's node Id ([]byte) + + sessionToken is the token from the previous session with this same peer. Nil if no token is found. + + initiator is a boolean flag. True if the node is the initiator of the connection (ie., remote is an outbound peer reached by dialing out). False if the connection was established by accepting a call from the remote peer via a listener. + + It returns a secretRW which implements the MsgReadWriter interface. +*/ +func NewSecureSession(conn io.ReadWriter, prvKey *ecdsa.PrivateKey, remotePubKeyS []byte, sessionToken []byte, initiator bool) (token []byte, rw *secretRW, err error) { + var auth, initNonce, recNonce []byte + var read int + var randomPrivKey *ecdsa.PrivateKey + var remoteRandomPubKey *ecdsa.PublicKey + clogger.Debugf("attempting session with %v", hexkey(remotePubKeyS)) + if initiator { + if auth, initNonce, randomPrivKey, _, err = startHandshake(prvKey, remotePubKeyS, sessionToken); err != nil { + return + } + if sessionToken != nil { + clogger.Debugf("session-token: %v", hexkey(sessionToken)) + } + clogger.Debugf("initiator-nonce: %v", hexkey(initNonce)) + clogger.Debugf("initiator-random-private-key: %v", hexkey(crypto.FromECDSA(randomPrivKey))) + randomPublicKeyS, _ := ExportPublicKey(&randomPrivKey.PublicKey) + clogger.Debugf("initiator-random-public-key: %v", hexkey(randomPublicKeyS)) + + if _, err = conn.Write(auth); err != nil { + return + } + clogger.Debugf("initiator handshake (sent to %v):\n%v", hexkey(remotePubKeyS), hexkey(auth)) + var response []byte = make([]byte, rHSLen) + if read, err = conn.Read(response); err != nil || read == 0 { + return + } + if read != rHSLen { + err = fmt.Errorf("remote receiver's handshake has invalid length. expect %v, got %v", rHSLen, read) + return + } + // write out auth message + // wait for response, then call complete + if recNonce, remoteRandomPubKey, _, err = completeHandshake(response, prvKey); err != nil { + return + } + clogger.Debugf("receiver-nonce: %v", hexkey(recNonce)) + remoteRandomPubKeyS, _ := ExportPublicKey(remoteRandomPubKey) + clogger.Debugf("receiver-random-public-key: %v", hexkey(remoteRandomPubKeyS)) + + } else { + auth = make([]byte, iHSLen) + clogger.Debugf("waiting for initiator handshake (from %v)", hexkey(remotePubKeyS)) + if read, err = conn.Read(auth); err != nil { + return + } + if read != iHSLen { + err = fmt.Errorf("remote initiator's handshake has invalid length. expect %v, got %v", iHSLen, read) + return + } + clogger.Debugf("received initiator handshake (from %v):\n%v", hexkey(remotePubKeyS), hexkey(auth)) + // we are listening connection. we are responders in the handshake. + // Extract info from the authentication. The initiator starts by sending us a handshake that we need to respond to. + // so we read auth message first, then respond + var response []byte + if response, recNonce, initNonce, randomPrivKey, remoteRandomPubKey, err = respondToHandshake(auth, prvKey, remotePubKeyS, sessionToken); err != nil { + return + } + clogger.Debugf("receiver-nonce: %v", hexkey(recNonce)) + clogger.Debugf("receiver-random-priv-key: %v", hexkey(crypto.FromECDSA(randomPrivKey))) + if _, err = conn.Write(response); err != nil { + return + } + clogger.Debugf("receiver handshake (sent to %v):\n%v", hexkey(remotePubKeyS), hexkey(response)) + } + return newSession(initiator, initNonce, recNonce, auth, randomPrivKey, remoteRandomPubKey) +} + +/* +ImportPublicKey creates a 512 bit *ecsda.PublicKey from a byte slice. It accepts the simple 64 byte uncompressed format or the 65 byte format given by calling elliptic.Marshal on the EC point represented by the key. Any other length will result in an invalid public key error. +*/ +func ImportPublicKey(pubKey []byte) (pubKeyEC *ecdsa.PublicKey, err error) { + var pubKey65 []byte + switch len(pubKey) { + case 64: + pubKey65 = append([]byte{0x04}, pubKey...) + case 65: + pubKey65 = pubKey + default: + return nil, fmt.Errorf("invalid public key length %v (expect 64/65)", len(pubKey)) + } + return crypto.ToECDSAPub(pubKey65), nil +} + +/* +ExportPublicKey exports a *ecdsa.PublicKey into a byte slice using a simple 64-byte format. and is used for simple serialisation in network communication +*/ +func ExportPublicKey(pubKeyEC *ecdsa.PublicKey) (pubKey []byte, err error) { + if pubKeyEC == nil { + return nil, fmt.Errorf("no ECDSA public key given") + } + return crypto.FromECDSAPub(pubKeyEC)[1:], nil +} + +/* startHandshake is called by if the node is the initiator of the connection. + +The caller provides the public key of the peer as conjuctured from lookup based on IP:port, given as user input or proven by signatures. The caller must have access to persistant information about the peers, and pass the previous session token as an argument to cryptoId. + +The first return value is the auth message that is to be sent out to the remote receiver. +*/ +func startHandshake(prvKey *ecdsa.PrivateKey, remotePubKeyS, sessionToken []byte) (auth []byte, initNonce []byte, randomPrvKey *ecdsa.PrivateKey, remotePubKey *ecdsa.PublicKey, err error) { + // session init, common to both parties + if remotePubKey, err = ImportPublicKey(remotePubKeyS); err != nil { + return + } + + var tokenFlag byte // = 0x00 + if sessionToken == nil { + // no session token found means we need to generate shared secret. + // ecies shared secret is used as initial session token for new peers + // generate shared key from prv and remote pubkey + if sessionToken, err = ecies.ImportECDSA(prvKey).GenerateShared(ecies.ImportECDSAPublic(remotePubKey), sskLen, sskLen); err != nil { + return + } + // tokenFlag = 0x00 // redundant + } else { + // for known peers, we use stored token from the previous session + tokenFlag = 0x01 + } + + //E(remote-pubk, S(ecdhe-random, ecdh-shared-secret^nonce) || H(ecdhe-random-pubk) || pubk || nonce || 0x0) + // E(remote-pubk, S(ecdhe-random, token^nonce) || H(ecdhe-random-pubk) || pubk || nonce || 0x1) + // allocate msgLen long message, + var msg []byte = make([]byte, msgLen) + initNonce = msg[msgLen-shaLen-1 : msgLen-1] + fmt.Printf("init-nonce: ") + if _, err = nonceF(initNonce); err != nil { + return + } + // create known message + // ecdh-shared-secret^nonce for new peers + // token^nonce for old peers + var sharedSecret = Xor(sessionToken, initNonce) + + // generate random keypair to use for signing + fmt.Printf("init-random-ecdhe-private-key: ") + if randomPrvKey, err = keyF(); err != nil { + return + } + // sign shared secret (message known to both parties): shared-secret + var signature []byte + // signature = sign(ecdhe-random, shared-secret) + // uses secp256k1.Sign + if signature, err = crypto.Sign(sharedSecret, randomPrvKey); err != nil { + return + } + + // message + // signed-shared-secret || H(ecdhe-random-pubk) || pubk || nonce || 0x0 + copy(msg, signature) // copy signed-shared-secret + // H(ecdhe-random-pubk) + var randomPubKey64 []byte + if randomPubKey64, err = ExportPublicKey(&randomPrvKey.PublicKey); err != nil { + return + } + var pubKey64 []byte + if pubKey64, err = ExportPublicKey(&prvKey.PublicKey); err != nil { + return + } + copy(msg[sigLen:sigLen+shaLen], crypto.Sha3(randomPubKey64)) + // pubkey copied to the correct segment. + copy(msg[sigLen+shaLen:sigLen+shaLen+pubLen], pubKey64) + // nonce is already in the slice + // stick tokenFlag byte to the end + msg[msgLen-1] = tokenFlag + + // encrypt using remote-pubk + // auth = eciesEncrypt(remote-pubk, msg) + + if auth, err = crypto.Encrypt(remotePubKey, msg); err != nil { + return + } + + return +} + +/* +respondToHandshake is called by peer if it accepted (but not initiated) the connection from the remote. It is passed the initiator handshake received, the public key and session token belonging to the remote initiator. + +The first return value is the authentication response (aka receiver handshake) that is to be sent to the remote initiator. +*/ +func respondToHandshake(auth []byte, prvKey *ecdsa.PrivateKey, remotePubKeyS, sessionToken []byte) (authResp []byte, respNonce []byte, initNonce []byte, randomPrivKey *ecdsa.PrivateKey, remoteRandomPubKey *ecdsa.PublicKey, err error) { + var msg []byte + var remotePubKey *ecdsa.PublicKey + if remotePubKey, err = ImportPublicKey(remotePubKeyS); err != nil { + return + } + + // they prove that msg is meant for me, + // I prove I possess private key if i can read it + if msg, err = crypto.Decrypt(prvKey, auth); err != nil { + return + } + + var tokenFlag byte + if sessionToken == nil { + // no session token found means we need to generate shared secret. + // ecies shared secret is used as initial session token for new peers + // generate shared key from prv and remote pubkey + if sessionToken, err = ecies.ImportECDSA(prvKey).GenerateShared(ecies.ImportECDSAPublic(remotePubKey), sskLen, sskLen); err != nil { + return + } + // tokenFlag = 0x00 // redundant + } else { + // for known peers, we use stored token from the previous session + tokenFlag = 0x01 + } + + // the initiator nonce is read off the end of the message + initNonce = msg[msgLen-shaLen-1 : msgLen-1] + // I prove that i own prv key (to derive shared secret, and read nonce off encrypted msg) and that I own shared secret + // they prove they own the private key belonging to ecdhe-random-pubk + // we can now reconstruct the signed message and recover the peers pubkey + var signedMsg = Xor(sessionToken, initNonce) + var remoteRandomPubKeyS []byte + if remoteRandomPubKeyS, err = secp256k1.RecoverPubkey(signedMsg, msg[:sigLen]); err != nil { + return + } + // convert to ECDSA standard + if remoteRandomPubKey, err = ImportPublicKey(remoteRandomPubKeyS); err != nil { + return + } + + // now we find ourselves a long task too, fill it random + var resp = make([]byte, resLen) + // generate shaLen long nonce + respNonce = resp[pubLen : pubLen+shaLen] + fmt.Printf("rec-nonce: ") + if _, err = nonceF(respNonce); err != nil { + return + } + // generate random keypair for session + fmt.Printf("rec-random-ecdhe-private-key: ") + if randomPrivKey, err = keyF(); err != nil { + return + } + // responder auth message + // E(remote-pubk, ecdhe-random-pubk || nonce || 0x0) + var randomPubKeyS []byte + if randomPubKeyS, err = ExportPublicKey(&randomPrivKey.PublicKey); err != nil { + return + } + copy(resp[:pubLen], randomPubKeyS) + // nonce is already in the slice + resp[resLen-1] = tokenFlag + + // encrypt using remote-pubk + // auth = eciesEncrypt(remote-pubk, msg) + // why not encrypt with ecdhe-random-remote + if authResp, err = crypto.Encrypt(remotePubKey, resp); err != nil { + return + } + return +} + +/* +completeHandshake is called when the initiator receives an authentication response (aka receiver handshake). It completes the handshake by reading off parameters the remote peer provides needed to set up the secure session +*/ +func completeHandshake(auth []byte, prvKey *ecdsa.PrivateKey) (respNonce []byte, remoteRandomPubKey *ecdsa.PublicKey, tokenFlag bool, err error) { + var msg []byte + // they prove that msg is meant for me, + // I prove I possess private key if i can read it + if msg, err = crypto.Decrypt(prvKey, auth); err != nil { + return + } + + respNonce = msg[pubLen : pubLen+shaLen] + var remoteRandomPubKeyS = msg[:pubLen] + if remoteRandomPubKey, err = ImportPublicKey(remoteRandomPubKeyS); err != nil { + return + } + if msg[resLen-1] == 0x01 { + tokenFlag = true + } + return +} + +/* +newSession is called after the handshake is completed. The arguments are values negotiated in the handshake and the return value is a new session : a new session Token to be remembered for the next time we connect with this peer. And a MsgReadWriter that implements an encrypted and authenticated connection with key material obtained from the crypto handshake key exchange +*/ +func newSession(initiator bool, initNonce, respNonce, auth []byte, privKey *ecdsa.PrivateKey, remoteRandomPubKey *ecdsa.PublicKey) (sessionToken []byte, rw *secretRW, err error) { + // 3) Now we can trust ecdhe-random-pubk to derive new keys + //ecdhe-shared-secret = ecdh.agree(ecdhe-random, remote-ecdhe-random-pubk) + var dhSharedSecret []byte + pubKey := ecies.ImportECDSAPublic(remoteRandomPubKey) + if dhSharedSecret, err = ecies.ImportECDSA(privKey).GenerateShared(pubKey, sskLen, sskLen); err != nil { + return + } + var sharedSecret = crypto.Sha3(append(dhSharedSecret, crypto.Sha3(append(respNonce, initNonce...))...)) + sessionToken = crypto.Sha3(sharedSecret) + var aesSecret = crypto.Sha3(append(dhSharedSecret, sharedSecret...)) + var macSecret = crypto.Sha3(append(dhSharedSecret, aesSecret...)) + var egressMac, ingressMac []byte + if initiator { + egressMac = Xor(macSecret, respNonce) + ingressMac = Xor(macSecret, initNonce) + } else { + egressMac = Xor(macSecret, initNonce) + ingressMac = Xor(macSecret, respNonce) + } + rw = &secretRW{ + aesSecret: aesSecret, + macSecret: macSecret, + egressMac: egressMac, + ingressMac: ingressMac, + } + clogger.Debugf("aes-secret: %v", hexkey(aesSecret)) + clogger.Debugf("mac-secret: %v", hexkey(macSecret)) + clogger.Debugf("egress-mac: %v", hexkey(egressMac)) + clogger.Debugf("ingress-mac: %v", hexkey(ingressMac)) + return +} + +// TODO: optimisation +// should use cipher.xorBytes from crypto/cipher/xor.go for fast xor +func Xor(one, other []byte) (xor []byte) { + xor = make([]byte, len(one)) + for i := 0; i < len(one); i++ { + xor[i] = one[i] ^ other[i] + } + return +} diff --git a/p2p/crypto_test.go b/p2p/crypto_test.go new file mode 100644 index 000000000000..a4bf14ba64da --- /dev/null +++ b/p2p/crypto_test.go @@ -0,0 +1,248 @@ +package p2p + +import ( + "bytes" + "crypto/ecdsa" + "fmt" + "net" + "testing" + "time" + + "github.com/ethereum/go-ethereum/crypto" + "github.com/obscuren/ecies" +) + +func TestPublicKeyEncoding(t *testing.T) { + prv0, _ := crypto.GenerateKey() // = ecdsa.GenerateKey(crypto.S256(), rand.Reader) + pub0 := &prv0.PublicKey + pub0s := crypto.FromECDSAPub(pub0) + pub1, err := ImportPublicKey(pub0s) + if err != nil { + t.Errorf("%v", err) + } + eciesPub1 := ecies.ImportECDSAPublic(pub1) + if eciesPub1 == nil { + t.Errorf("invalid ecdsa public key") + } + pub1s, err := ExportPublicKey(pub1) + if err != nil { + t.Errorf("%v", err) + } + if len(pub1s) != 64 { + t.Errorf("wrong length expect 64, got", len(pub1s)) + } + pub2, err := ImportPublicKey(pub1s) + if err != nil { + t.Errorf("%v", err) + } + pub2s, err := ExportPublicKey(pub2) + if err != nil { + t.Errorf("%v", err) + } + if !bytes.Equal(pub1s, pub2s) { + t.Errorf("exports dont match") + } + pub2sEC := crypto.FromECDSAPub(pub2) + if !bytes.Equal(pub0s, pub2sEC) { + t.Errorf("exports dont match") + } +} + +func TestSharedSecret(t *testing.T) { + prv0, _ := crypto.GenerateKey() // = ecdsa.GenerateKey(crypto.S256(), rand.Reader) + pub0 := &prv0.PublicKey + prv1, _ := crypto.GenerateKey() + pub1 := &prv1.PublicKey + + ss0, err := ecies.ImportECDSA(prv0).GenerateShared(ecies.ImportECDSAPublic(pub1), sskLen, sskLen) + if err != nil { + return + } + ss1, err := ecies.ImportECDSA(prv1).GenerateShared(ecies.ImportECDSAPublic(pub0), sskLen, sskLen) + if err != nil { + return + } + t.Logf("Secret:\n%v %x\n%v %x", len(ss0), ss0, len(ss0), ss1) + if !bytes.Equal(ss0, ss1) { + t.Errorf("dont match :(") + } +} + +func TestCryptoHandshake(t *testing.T) { + testCryptoHandshakeWithGen(false, t) +} + +func TestTokenCryptoHandshake(t *testing.T) { + testCryptoHandshakeWithGen(true, t) +} + +func TestDetCryptoHandshake(t *testing.T) { + defer testlog(t).detach() + tmpkeyF := keyF + keyF = detkeyF + tmpnonceF := nonceF + nonceF = detnonceF + testCryptoHandshakeWithGen(false, t) + keyF = tmpkeyF + nonceF = tmpnonceF +} + +func TestDetTokenCryptoHandshake(t *testing.T) { + defer testlog(t).detach() + tmpkeyF := keyF + keyF = detkeyF + tmpnonceF := nonceF + nonceF = detnonceF + testCryptoHandshakeWithGen(true, t) + keyF = tmpkeyF + nonceF = tmpnonceF +} + +func testCryptoHandshakeWithGen(token bool, t *testing.T) { + fmt.Printf("init-private-key: ") + prv0, err := keyF() + if err != nil { + t.Errorf("%v", err) + return + } + fmt.Printf("rec-private-key: ") + prv1, err := keyF() + if err != nil { + t.Errorf("%v", err) + return + } + var nonce []byte + if token { + fmt.Printf("session-token: ") + nonce = make([]byte, shaLen) + nonceF(nonce) + } + testCryptoHandshake(prv0, prv1, nonce, t) +} + +func testCryptoHandshake(prv0, prv1 *ecdsa.PrivateKey, sessionToken []byte, t *testing.T) { + var err error + pub0 := &prv0.PublicKey + pub1 := &prv1.PublicKey + + pub0s := crypto.FromECDSAPub(pub0) + pub1s := crypto.FromECDSAPub(pub1) + + // simulate handshake by feeding output to input + // initiator sends handshake 'auth' + auth, initNonce, randomPrivKey, _, err := startHandshake(prv0, pub1s, sessionToken) + if err != nil { + t.Errorf("%v", err) + } + fmt.Printf("-> %v\n", hexkey(auth)) + + // receiver reads auth and responds with response + response, remoteRecNonce, remoteInitNonce, remoteRandomPrivKey, remoteInitRandomPubKey, err := respondToHandshake(auth, prv1, pub0s, sessionToken) + if err != nil { + t.Errorf("%v", err) + } + fmt.Printf("<- %v\n", hexkey(response)) + + // initiator reads receiver's response and the key exchange completes + recNonce, remoteRandomPubKey, _, err := completeHandshake(response, prv0) + if err != nil { + t.Errorf("%v", err) + } + + // now both parties should have the same session parameters + initSessionToken, initSecretRW, err := newSession(true, initNonce, recNonce, auth, randomPrivKey, remoteRandomPubKey) + if err != nil { + t.Errorf("%v", err) + } + + recSessionToken, recSecretRW, err := newSession(false, remoteInitNonce, remoteRecNonce, auth, remoteRandomPrivKey, remoteInitRandomPubKey) + if err != nil { + t.Errorf("%v", err) + } + + // fmt.Printf("\nauth (%v) %x\n\nresp (%v) %x\n\n", len(auth), auth, len(response), response) + + // fmt.Printf("\nauth %x\ninitNonce %x\nresponse%x\nremoteRecNonce %x\nremoteInitNonce %x\nremoteRandomPubKey %x\nrecNonce %x\nremoteInitRandomPubKey %x\ninitSessionToken %x\n\n", auth, initNonce, response, remoteRecNonce, remoteInitNonce, remoteRandomPubKey, recNonce, remoteInitRandomPubKey, initSessionToken) + + if !bytes.Equal(initNonce, remoteInitNonce) { + t.Errorf("nonces do not match") + } + if !bytes.Equal(recNonce, remoteRecNonce) { + t.Errorf("receiver nonces do not match") + } + if !bytes.Equal(initSessionToken, recSessionToken) { + t.Errorf("session tokens do not match") + } + // aesSecret, macSecret, egressMac, ingressMac + if !bytes.Equal(initSecretRW.aesSecret, recSecretRW.aesSecret) { + t.Errorf("AES secrets do not match") + } + if !bytes.Equal(initSecretRW.macSecret, recSecretRW.macSecret) { + t.Errorf("macSecrets do not match") + } + if !bytes.Equal(initSecretRW.egressMac, recSecretRW.ingressMac) { + t.Errorf("initiator's egressMac do not match receiver's ingressMac") + } + if !bytes.Equal(initSecretRW.ingressMac, recSecretRW.egressMac) { + t.Errorf("initiator's inressMac do not match receiver's egressMac") + } + +} + +func TestPeersHandshake(t *testing.T) { + defer testlog(t).detach() + var err error + // var sessionToken []byte + prv0, _ := crypto.GenerateKey() // = ecdsa.GenerateKey(crypto.S256(), rand.Reader) + pub0 := &prv0.PublicKey + prv1, _ := crypto.GenerateKey() + pub1 := &prv1.PublicKey + + prv0s := crypto.FromECDSA(prv0) + pub0s := crypto.FromECDSAPub(pub0) + prv1s := crypto.FromECDSA(prv1) + pub1s := crypto.FromECDSAPub(pub1) + + conn1, conn2 := net.Pipe() + initiator := newPeer(conn1, []Protocol{}, nil) + receiver := newPeer(conn2, []Protocol{}, nil) + initiator.dialAddr = &peerAddr{IP: net.ParseIP("1.2.3.4"), Port: 2222, Pubkey: pub1s[1:]} + initiator.privateKey = prv0s + + // this is cheating. identity of initiator/dialler not available to listener/receiver + // its public key should be looked up based on IP address + receiver.identity = &peerId{nil, pub0s} + receiver.privateKey = prv1s + + initiator.pubkeyHook = func(*peerAddr) error { return nil } + receiver.pubkeyHook = func(*peerAddr) error { return nil } + + initiator.cryptoHandshake = true + receiver.cryptoHandshake = true + errc0 := make(chan error, 1) + errc1 := make(chan error, 1) + go func() { + _, err := initiator.loop() + errc0 <- err + }() + go func() { + _, err := receiver.loop() + errc1 <- err + }() + ready := make(chan bool) + go func() { + <-initiator.cryptoReady + <-receiver.cryptoReady + close(ready) + }() + timeout := time.After(10 * time.Second) + select { + case <-ready: + case <-timeout: + t.Errorf("crypto handshake hanging for too long") + case err = <-errc0: + t.Errorf("peer 0 quit with error: %v", err) + case err = <-errc1: + t.Errorf("peer 1 quit with error: %v", err) + } +} diff --git a/p2p/peer.go b/p2p/peer.go index 2380a3285b8d..e82bca222b6d 100644 --- a/p2p/peer.go +++ b/p2p/peer.go @@ -3,6 +3,8 @@ package p2p import ( "bufio" "bytes" + "crypto/ecdsa" + "crypto/rand" "fmt" "io" "io/ioutil" @@ -11,6 +13,8 @@ import ( "sync" "time" + "github.com/ethereum/go-ethereum/crypto" + "github.com/ethereum/go-ethereum/event" "github.com/ethereum/go-ethereum/logger" ) @@ -70,6 +74,9 @@ type Peer struct { // These fields maintain the running protocols. protocols []Protocol runBaseProtocol bool // for testing + cryptoHandshake bool // for testing + cryptoReady chan struct{} + privateKey []byte runlock sync.RWMutex // protects running running map[string]*proto @@ -119,15 +126,16 @@ func newServerPeer(server *Server, conn net.Conn, dialAddr *peerAddr) *Peer { func newPeer(conn net.Conn, protocols []Protocol, dialAddr *peerAddr) *Peer { p := &Peer{ - Logger: logger.NewLogger("P2P " + conn.RemoteAddr().String()), - conn: conn, - dialAddr: dialAddr, - bufconn: bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn)), - protocols: protocols, - running: make(map[string]*proto), - disc: make(chan DiscReason), - protoErr: make(chan error), - closed: make(chan struct{}), + Logger: logger.NewLogger("P2P " + conn.RemoteAddr().String()), + conn: conn, + dialAddr: dialAddr, + bufconn: bufio.NewReadWriter(bufio.NewReader(conn), bufio.NewWriter(conn)), + protocols: protocols, + running: make(map[string]*proto), + disc: make(chan DiscReason), + protoErr: make(chan error), + closed: make(chan struct{}), + cryptoReady: make(chan struct{}), } return p } @@ -141,6 +149,20 @@ func (p *Peer) Identity() ClientIdentity { return p.identity } +func (self *Peer) Pubkey() (pubkey []byte) { + self.infolock.Lock() + defer self.infolock.Unlock() + switch { + case self.identity != nil: + pubkey = self.identity.Pubkey()[1:] + case self.dialAddr != nil: + pubkey = self.dialAddr.Pubkey + case self.listenAddr != nil: + pubkey = self.listenAddr.Pubkey + } + return +} + // Caps returns the capabilities (supported subprotocols) of the remote peer. func (p *Peer) Caps() []Cap { p.infolock.Lock() @@ -207,14 +229,25 @@ func (p *Peer) loop() (reason DiscReason, err error) { defer close(p.closed) defer p.conn.Close() + var readLoop func(chan<- Msg, chan<- error, <-chan bool) + if p.cryptoHandshake { + if readLoop, err = p.handleCryptoHandshake(); err != nil { + // from here on everything can be encrypted, authenticated + return DiscProtocolError, err // no graceful disconnect + } + } else { + readLoop = p.readLoop + } + // read loop readMsg := make(chan Msg) readErr := make(chan error) readNext := make(chan bool, 1) protoDone := make(chan struct{}, 1) - go p.readLoop(readMsg, readErr, readNext) + go readLoop(readMsg, readErr, readNext) readNext <- true + close(p.cryptoReady) if p.runBaseProtocol { p.startBaseProtocol() } @@ -307,6 +340,47 @@ func (p *Peer) dispatch(msg Msg, protoDone chan struct{}) (wait bool, err error) return wait, nil } +type readLoop func(chan<- Msg, chan<- error, <-chan bool) + +func (p *Peer) PrivateKey() (prv *ecdsa.PrivateKey, err error) { + if prv = crypto.ToECDSA(p.privateKey); prv == nil { + err = fmt.Errorf("invalid private key") + } + return +} + +func (p *Peer) handleCryptoHandshake() (loop readLoop, err error) { + // cryptoId is just created for the lifecycle of the handshake + // it is survived by an encrypted readwriter + var initiator bool + var sessionToken []byte + sessionToken = make([]byte, shaLen) + if _, err = rand.Read(sessionToken); err != nil { + return + } + if p.dialAddr != nil { // this should have its own method Outgoing() bool + initiator = true + } + + // run on peer + // this bit handles the handshake and creates a secure communications channel with + // var rw *secretRW + var prvKey *ecdsa.PrivateKey + if prvKey, err = p.PrivateKey(); err != nil { + err = fmt.Errorf("unable to access private key for client: %v", err) + return + } + // initialise a new secure session + if sessionToken, _, err = NewSecureSession(p.conn, prvKey, p.Pubkey(), sessionToken, initiator); err != nil { + p.Debugf("unable to setup secure session: %v", err) + return + } + loop = func(msg chan<- Msg, err chan<- error, next <-chan bool) { + // this is the readloop :) + } + return +} + func (p *Peer) startBaseProtocol() { p.runlock.Lock() defer p.runlock.Unlock() diff --git a/p2p/protocol.go b/p2p/protocol.go index 1d121a885579..62ada929d70c 100644 --- a/p2p/protocol.go +++ b/p2p/protocol.go @@ -64,6 +64,10 @@ func (h *handshake) Pubkey() []byte { return h.NodeID } +func (h *handshake) PrivKey() []byte { + return nil +} + // Cap is the structure of a peer capability. type Cap struct { Name string diff --git a/p2p/protocol_test.go b/p2p/protocol_test.go index b1d10ac5360f..6804a9d40bf4 100644 --- a/p2p/protocol_test.go +++ b/p2p/protocol_test.go @@ -11,7 +11,7 @@ import ( ) type peerId struct { - pubkey []byte + privKey, pubkey []byte } func (self *peerId) String() string { @@ -27,6 +27,15 @@ func (self *peerId) Pubkey() (pubkey []byte) { return } +func (self *peerId) PrivKey() (privKey []byte) { + privKey = self.privKey + if len(privKey) == 0 { + privKey = crypto.GenerateNewKeyPair().PublicKey + self.privKey = privKey + } + return +} + func newTestPeer() (peer *Peer) { peer = NewPeer(&peerId{}, []Cap{}) peer.pubkeyHook = func(*peerAddr) error { return nil }