123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669 |
- // Copyright 2015 The go-ethereum Authors
- // This file is part of the go-ethereum library.
- //
- // The go-ethereum library is free software: you can redistribute it and/or modify
- // it under the terms of the GNU Lesser General Public License as published by
- // the Free Software Foundation, either version 3 of the License, or
- // (at your option) any later version.
- //
- // The go-ethereum library is distributed in the hope that it will be useful,
- // but WITHOUT ANY WARRANTY; without even the implied warranty of
- // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- // GNU Lesser General Public License for more details.
- //
- // You should have received a copy of the GNU Lesser General Public License
- // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
- // Package rlpx implements the RLPx transport protocol.
- package rlpx
- import (
- "bytes"
- "crypto/aes"
- "crypto/cipher"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/hmac"
- "crypto/rand"
- "encoding/binary"
- "errors"
- "fmt"
- "hash"
- "io"
- mrand "math/rand"
- "net"
- "time"
- "github.com/ethereum/go-ethereum/crypto"
- "github.com/ethereum/go-ethereum/crypto/ecies"
- "github.com/ethereum/go-ethereum/rlp"
- "github.com/golang/snappy"
- "golang.org/x/crypto/sha3"
- )
- // Conn is an RLPx network connection. It wraps a low-level network connection. The
- // underlying connection should not be used for other activity when it is wrapped by Conn.
- //
- // Before sending messages, a handshake must be performed by calling the Handshake method.
- // This type is not generally safe for concurrent use, but reading and writing of messages
- // may happen concurrently after the handshake.
- type Conn struct {
- dialDest *ecdsa.PublicKey
- conn net.Conn
- handshake *handshakeState
- snappy bool
- }
- type handshakeState struct {
- enc cipher.Stream
- dec cipher.Stream
- macCipher cipher.Block
- egressMAC hash.Hash
- ingressMAC hash.Hash
- }
- // NewConn wraps the given network connection. If dialDest is non-nil, the connection
- // behaves as the initiator during the handshake.
- func NewConn(conn net.Conn, dialDest *ecdsa.PublicKey) *Conn {
- return &Conn{
- dialDest: dialDest,
- conn: conn,
- }
- }
- // SetSnappy enables or disables snappy compression of messages. This is usually called
- // after the devp2p Hello message exchange when the negotiated version indicates that
- // compression is available on both ends of the connection.
- func (c *Conn) SetSnappy(snappy bool) {
- c.snappy = snappy
- }
- // SetReadDeadline sets the deadline for all future read operations.
- func (c *Conn) SetReadDeadline(time time.Time) error {
- return c.conn.SetReadDeadline(time)
- }
- // SetWriteDeadline sets the deadline for all future write operations.
- func (c *Conn) SetWriteDeadline(time time.Time) error {
- return c.conn.SetWriteDeadline(time)
- }
- // SetDeadline sets the deadline for all future read and write operations.
- func (c *Conn) SetDeadline(time time.Time) error {
- return c.conn.SetDeadline(time)
- }
- // Read reads a message from the connection.
- func (c *Conn) Read() (code uint64, data []byte, wireSize int, err error) {
- if c.handshake == nil {
- panic("can't ReadMsg before handshake")
- }
- frame, err := c.handshake.readFrame(c.conn)
- if err != nil {
- return 0, nil, 0, err
- }
- code, data, err = rlp.SplitUint64(frame)
- if err != nil {
- return 0, nil, 0, fmt.Errorf("invalid message code: %v", err)
- }
- wireSize = len(data)
- // If snappy is enabled, verify and decompress message.
- if c.snappy {
- var actualSize int
- actualSize, err = snappy.DecodedLen(data)
- if err != nil {
- return code, nil, 0, err
- }
- if actualSize > maxUint24 {
- return code, nil, 0, errPlainMessageTooLarge
- }
- data, err = snappy.Decode(nil, data)
- }
- return code, data, wireSize, err
- }
- func (h *handshakeState) readFrame(conn io.Reader) ([]byte, error) {
- // read the header
- headbuf := make([]byte, 32)
- if _, err := io.ReadFull(conn, headbuf); err != nil {
- return nil, err
- }
- // verify header mac
- shouldMAC := updateMAC(h.ingressMAC, h.macCipher, headbuf[:16])
- if !hmac.Equal(shouldMAC, headbuf[16:]) {
- return nil, errors.New("bad header MAC")
- }
- h.dec.XORKeyStream(headbuf[:16], headbuf[:16]) // first half is now decrypted
- fsize := readInt24(headbuf)
- // ignore protocol type for now
- // read the frame content
- var rsize = fsize // frame size rounded up to 16 byte boundary
- if padding := fsize % 16; padding > 0 {
- rsize += 16 - padding
- }
- framebuf := make([]byte, rsize)
- if _, err := io.ReadFull(conn, framebuf); err != nil {
- return nil, err
- }
- // read and validate frame MAC. we can re-use headbuf for that.
- h.ingressMAC.Write(framebuf)
- fmacseed := h.ingressMAC.Sum(nil)
- if _, err := io.ReadFull(conn, headbuf[:16]); err != nil {
- return nil, err
- }
- shouldMAC = updateMAC(h.ingressMAC, h.macCipher, fmacseed)
- if !hmac.Equal(shouldMAC, headbuf[:16]) {
- return nil, errors.New("bad frame MAC")
- }
- // decrypt frame content
- h.dec.XORKeyStream(framebuf, framebuf)
- return framebuf[:fsize], nil
- }
- // Write writes a message to the connection.
- //
- // Write returns the written size of the message data. This may be less than or equal to
- // len(data) depending on whether snappy compression is enabled.
- func (c *Conn) Write(code uint64, data []byte) (uint32, error) {
- if c.handshake == nil {
- panic("can't WriteMsg before handshake")
- }
- if len(data) > maxUint24 {
- return 0, errPlainMessageTooLarge
- }
- if c.snappy {
- data = snappy.Encode(nil, data)
- }
- wireSize := uint32(len(data))
- err := c.handshake.writeFrame(c.conn, code, data)
- return wireSize, err
- }
- func (h *handshakeState) writeFrame(conn io.Writer, code uint64, data []byte) error {
- ptype, _ := rlp.EncodeToBytes(code)
- // write header
- headbuf := make([]byte, 32)
- fsize := len(ptype) + len(data)
- if fsize > maxUint24 {
- return errPlainMessageTooLarge
- }
- putInt24(uint32(fsize), headbuf)
- copy(headbuf[3:], zeroHeader)
- h.enc.XORKeyStream(headbuf[:16], headbuf[:16]) // first half is now encrypted
- // write header MAC
- copy(headbuf[16:], updateMAC(h.egressMAC, h.macCipher, headbuf[:16]))
- if _, err := conn.Write(headbuf); err != nil {
- return err
- }
- // write encrypted frame, updating the egress MAC hash with
- // the data written to conn.
- tee := cipher.StreamWriter{S: h.enc, W: io.MultiWriter(conn, h.egressMAC)}
- if _, err := tee.Write(ptype); err != nil {
- return err
- }
- if _, err := tee.Write(data); err != nil {
- return err
- }
- if padding := fsize % 16; padding > 0 {
- if _, err := tee.Write(zero16[:16-padding]); err != nil {
- return err
- }
- }
- // write frame MAC. egress MAC hash is up to date because
- // frame content was written to it as well.
- fmacseed := h.egressMAC.Sum(nil)
- mac := updateMAC(h.egressMAC, h.macCipher, fmacseed)
- _, err := conn.Write(mac)
- return err
- }
- func readInt24(b []byte) uint32 {
- return uint32(b[2]) | uint32(b[1])<<8 | uint32(b[0])<<16
- }
- func putInt24(v uint32, b []byte) {
- b[0] = byte(v >> 16)
- b[1] = byte(v >> 8)
- b[2] = byte(v)
- }
- // updateMAC reseeds the given hash with encrypted seed.
- // it returns the first 16 bytes of the hash sum after seeding.
- func updateMAC(mac hash.Hash, block cipher.Block, seed []byte) []byte {
- aesbuf := make([]byte, aes.BlockSize)
- block.Encrypt(aesbuf, mac.Sum(nil))
- for i := range aesbuf {
- aesbuf[i] ^= seed[i]
- }
- mac.Write(aesbuf)
- return mac.Sum(nil)[:16]
- }
- // Handshake performs the handshake. This must be called before any data is written
- // or read from the connection.
- func (c *Conn) Handshake(prv *ecdsa.PrivateKey) (*ecdsa.PublicKey, error) {
- var (
- sec Secrets
- err error
- )
- if c.dialDest != nil {
- sec, err = initiatorEncHandshake(c.conn, prv, c.dialDest)
- } else {
- sec, err = receiverEncHandshake(c.conn, prv)
- }
- if err != nil {
- return nil, err
- }
- c.InitWithSecrets(sec)
- return sec.remote, err
- }
- // InitWithSecrets injects connection secrets as if a handshake had
- // been performed. This cannot be called after the handshake.
- func (c *Conn) InitWithSecrets(sec Secrets) {
- if c.handshake != nil {
- panic("can't handshake twice")
- }
- macc, err := aes.NewCipher(sec.MAC)
- if err != nil {
- panic("invalid MAC secret: " + err.Error())
- }
- encc, err := aes.NewCipher(sec.AES)
- if err != nil {
- panic("invalid AES secret: " + err.Error())
- }
- // we use an all-zeroes IV for AES because the key used
- // for encryption is ephemeral.
- iv := make([]byte, encc.BlockSize())
- c.handshake = &handshakeState{
- enc: cipher.NewCTR(encc, iv),
- dec: cipher.NewCTR(encc, iv),
- macCipher: macc,
- egressMAC: sec.EgressMAC,
- ingressMAC: sec.IngressMAC,
- }
- }
- // Close closes the underlying network connection.
- func (c *Conn) Close() error {
- return c.conn.Close()
- }
- // Constants for the handshake.
- const (
- maxUint24 = int(^uint32(0) >> 8)
- sskLen = 16 // ecies.MaxSharedKeyLength(pubKey) / 2
- sigLen = crypto.SignatureLength // elliptic S256
- pubLen = 64 // 512 bit pubkey in uncompressed representation without format byte
- shaLen = 32 // hash length (for nonce etc)
- authMsgLen = sigLen + shaLen + pubLen + shaLen + 1
- authRespLen = pubLen + shaLen + 1
- eciesOverhead = 65 /* pubkey */ + 16 /* IV */ + 32 /* MAC */
- encAuthMsgLen = authMsgLen + eciesOverhead // size of encrypted pre-EIP-8 initiator handshake
- encAuthRespLen = authRespLen + eciesOverhead // size of encrypted pre-EIP-8 handshake reply
- )
- var (
- // this is used in place of actual frame header data.
- // TODO: replace this when Msg contains the protocol type code.
- zeroHeader = []byte{0xC2, 0x80, 0x80}
- // sixteen zero bytes
- zero16 = make([]byte, 16)
- // errPlainMessageTooLarge is returned if a decompressed message length exceeds
- // the allowed 24 bits (i.e. length >= 16MB).
- errPlainMessageTooLarge = errors.New("message length >= 16MB")
- )
- // Secrets represents the connection secrets which are negotiated during the handshake.
- type Secrets struct {
- AES, MAC []byte
- EgressMAC, IngressMAC hash.Hash
- remote *ecdsa.PublicKey
- }
- // encHandshake contains the state of the encryption handshake.
- type encHandshake struct {
- initiator bool
- remote *ecies.PublicKey // remote-pubk
- initNonce, respNonce []byte // nonce
- randomPrivKey *ecies.PrivateKey // ecdhe-random
- remoteRandomPub *ecies.PublicKey // ecdhe-random-pubk
- }
- // RLPx v4 handshake auth (defined in EIP-8).
- type authMsgV4 struct {
- gotPlain bool // whether read packet had plain format.
- Signature [sigLen]byte
- InitiatorPubkey [pubLen]byte
- Nonce [shaLen]byte
- Version uint
- // Ignore additional fields (forward-compatibility)
- Rest []rlp.RawValue `rlp:"tail"`
- }
- // RLPx v4 handshake response (defined in EIP-8).
- type authRespV4 struct {
- RandomPubkey [pubLen]byte
- Nonce [shaLen]byte
- Version uint
- // Ignore additional fields (forward-compatibility)
- Rest []rlp.RawValue `rlp:"tail"`
- }
- // receiverEncHandshake negotiates a session token on conn.
- // it should be called on the listening side of the connection.
- //
- // prv is the local client's private key.
- func receiverEncHandshake(conn io.ReadWriter, prv *ecdsa.PrivateKey) (s Secrets, err error) {
- authMsg := new(authMsgV4)
- authPacket, err := readHandshakeMsg(authMsg, encAuthMsgLen, prv, conn)
- if err != nil {
- return s, err
- }
- h := new(encHandshake)
- if err := h.handleAuthMsg(authMsg, prv); err != nil {
- return s, err
- }
- authRespMsg, err := h.makeAuthResp()
- if err != nil {
- return s, err
- }
- var authRespPacket []byte
- if authMsg.gotPlain {
- authRespPacket, err = authRespMsg.sealPlain(h)
- } else {
- authRespPacket, err = sealEIP8(authRespMsg, h)
- }
- if err != nil {
- return s, err
- }
- if _, err = conn.Write(authRespPacket); err != nil {
- return s, err
- }
- return h.secrets(authPacket, authRespPacket)
- }
- func (h *encHandshake) handleAuthMsg(msg *authMsgV4, prv *ecdsa.PrivateKey) error {
- // Import the remote identity.
- rpub, err := importPublicKey(msg.InitiatorPubkey[:])
- if err != nil {
- return err
- }
- h.initNonce = msg.Nonce[:]
- h.remote = rpub
- // Generate random keypair for ECDH.
- // If a private key is already set, use it instead of generating one (for testing).
- if h.randomPrivKey == nil {
- h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, crypto.S256(), nil)
- if err != nil {
- return err
- }
- }
- // Check the signature.
- token, err := h.staticSharedSecret(prv)
- if err != nil {
- return err
- }
- signedMsg := xor(token, h.initNonce)
- remoteRandomPub, err := crypto.Ecrecover(signedMsg, msg.Signature[:])
- if err != nil {
- return err
- }
- h.remoteRandomPub, _ = importPublicKey(remoteRandomPub)
- return nil
- }
- // secrets is called after the handshake is completed.
- // It extracts the connection secrets from the handshake values.
- func (h *encHandshake) secrets(auth, authResp []byte) (Secrets, error) {
- ecdheSecret, err := h.randomPrivKey.GenerateShared(h.remoteRandomPub, sskLen, sskLen)
- if err != nil {
- return Secrets{}, err
- }
- // derive base secrets from ephemeral key agreement
- sharedSecret := crypto.Keccak256(ecdheSecret, crypto.Keccak256(h.respNonce, h.initNonce))
- aesSecret := crypto.Keccak256(ecdheSecret, sharedSecret)
- s := Secrets{
- remote: h.remote.ExportECDSA(),
- AES: aesSecret,
- MAC: crypto.Keccak256(ecdheSecret, aesSecret),
- }
- // setup sha3 instances for the MACs
- mac1 := sha3.NewLegacyKeccak256()
- mac1.Write(xor(s.MAC, h.respNonce))
- mac1.Write(auth)
- mac2 := sha3.NewLegacyKeccak256()
- mac2.Write(xor(s.MAC, h.initNonce))
- mac2.Write(authResp)
- if h.initiator {
- s.EgressMAC, s.IngressMAC = mac1, mac2
- } else {
- s.EgressMAC, s.IngressMAC = mac2, mac1
- }
- return s, nil
- }
- // staticSharedSecret returns the static shared secret, the result
- // of key agreement between the local and remote static node key.
- func (h *encHandshake) staticSharedSecret(prv *ecdsa.PrivateKey) ([]byte, error) {
- return ecies.ImportECDSA(prv).GenerateShared(h.remote, sskLen, sskLen)
- }
- // initiatorEncHandshake negotiates a session token on conn.
- // it should be called on the dialing side of the connection.
- //
- // prv is the local client's private key.
- func initiatorEncHandshake(conn io.ReadWriter, prv *ecdsa.PrivateKey, remote *ecdsa.PublicKey) (s Secrets, err error) {
- h := &encHandshake{initiator: true, remote: ecies.ImportECDSAPublic(remote)}
- authMsg, err := h.makeAuthMsg(prv)
- if err != nil {
- return s, err
- }
- authPacket, err := sealEIP8(authMsg, h)
- if err != nil {
- return s, err
- }
- if _, err = conn.Write(authPacket); err != nil {
- return s, err
- }
- authRespMsg := new(authRespV4)
- authRespPacket, err := readHandshakeMsg(authRespMsg, encAuthRespLen, prv, conn)
- if err != nil {
- return s, err
- }
- if err := h.handleAuthResp(authRespMsg); err != nil {
- return s, err
- }
- return h.secrets(authPacket, authRespPacket)
- }
- // makeAuthMsg creates the initiator handshake message.
- func (h *encHandshake) makeAuthMsg(prv *ecdsa.PrivateKey) (*authMsgV4, error) {
- // Generate random initiator nonce.
- h.initNonce = make([]byte, shaLen)
- _, err := rand.Read(h.initNonce)
- if err != nil {
- return nil, err
- }
- // Generate random keypair to for ECDH.
- h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, crypto.S256(), nil)
- if err != nil {
- return nil, err
- }
- // Sign known message: static-shared-secret ^ nonce
- token, err := h.staticSharedSecret(prv)
- if err != nil {
- return nil, err
- }
- signed := xor(token, h.initNonce)
- signature, err := crypto.Sign(signed, h.randomPrivKey.ExportECDSA())
- if err != nil {
- return nil, err
- }
- msg := new(authMsgV4)
- copy(msg.Signature[:], signature)
- copy(msg.InitiatorPubkey[:], crypto.FromECDSAPub(&prv.PublicKey)[1:])
- copy(msg.Nonce[:], h.initNonce)
- msg.Version = 4
- return msg, nil
- }
- func (h *encHandshake) handleAuthResp(msg *authRespV4) (err error) {
- h.respNonce = msg.Nonce[:]
- h.remoteRandomPub, err = importPublicKey(msg.RandomPubkey[:])
- return err
- }
- func (h *encHandshake) makeAuthResp() (msg *authRespV4, err error) {
- // Generate random nonce.
- h.respNonce = make([]byte, shaLen)
- if _, err = rand.Read(h.respNonce); err != nil {
- return nil, err
- }
- msg = new(authRespV4)
- copy(msg.Nonce[:], h.respNonce)
- copy(msg.RandomPubkey[:], exportPubkey(&h.randomPrivKey.PublicKey))
- msg.Version = 4
- return msg, nil
- }
- func (msg *authMsgV4) decodePlain(input []byte) {
- n := copy(msg.Signature[:], input)
- n += shaLen // skip sha3(initiator-ephemeral-pubk)
- n += copy(msg.InitiatorPubkey[:], input[n:])
- copy(msg.Nonce[:], input[n:])
- msg.Version = 4
- msg.gotPlain = true
- }
- func (msg *authRespV4) sealPlain(hs *encHandshake) ([]byte, error) {
- buf := make([]byte, authRespLen)
- n := copy(buf, msg.RandomPubkey[:])
- copy(buf[n:], msg.Nonce[:])
- return ecies.Encrypt(rand.Reader, hs.remote, buf, nil, nil)
- }
- func (msg *authRespV4) decodePlain(input []byte) {
- n := copy(msg.RandomPubkey[:], input)
- copy(msg.Nonce[:], input[n:])
- msg.Version = 4
- }
- var padSpace = make([]byte, 300)
- func sealEIP8(msg interface{}, h *encHandshake) ([]byte, error) {
- buf := new(bytes.Buffer)
- if err := rlp.Encode(buf, msg); err != nil {
- return nil, err
- }
- // pad with random amount of data. the amount needs to be at least 100 bytes to make
- // the message distinguishable from pre-EIP-8 handshakes.
- pad := padSpace[:mrand.Intn(len(padSpace)-100)+100]
- buf.Write(pad)
- prefix := make([]byte, 2)
- binary.BigEndian.PutUint16(prefix, uint16(buf.Len()+eciesOverhead))
- enc, err := ecies.Encrypt(rand.Reader, h.remote, buf.Bytes(), nil, prefix)
- return append(prefix, enc...), err
- }
- type plainDecoder interface {
- decodePlain([]byte)
- }
- func readHandshakeMsg(msg plainDecoder, plainSize int, prv *ecdsa.PrivateKey, r io.Reader) ([]byte, error) {
- buf := make([]byte, plainSize)
- if _, err := io.ReadFull(r, buf); err != nil {
- return buf, err
- }
- // Attempt decoding pre-EIP-8 "plain" format.
- key := ecies.ImportECDSA(prv)
- if dec, err := key.Decrypt(buf, nil, nil); err == nil {
- msg.decodePlain(dec)
- return buf, nil
- }
- // Could be EIP-8 format, try that.
- prefix := buf[:2]
- size := binary.BigEndian.Uint16(prefix)
- if size < uint16(plainSize) {
- return buf, fmt.Errorf("size underflow, need at least %d bytes", plainSize)
- }
- buf = append(buf, make([]byte, size-uint16(plainSize)+2)...)
- if _, err := io.ReadFull(r, buf[plainSize:]); err != nil {
- return buf, err
- }
- dec, err := key.Decrypt(buf[2:], nil, prefix)
- if err != nil {
- return buf, err
- }
- // Can't use rlp.DecodeBytes here because it rejects
- // trailing data (forward-compatibility).
- s := rlp.NewStream(bytes.NewReader(dec), 0)
- return buf, s.Decode(msg)
- }
- // importPublicKey unmarshals 512 bit public keys.
- func importPublicKey(pubKey []byte) (*ecies.PublicKey, error) {
- var pubKey65 []byte
- switch len(pubKey) {
- case 64:
- // add 'uncompressed key' flag
- pubKey65 = append([]byte{0x04}, pubKey...)
- case 65:
- pubKey65 = pubKey
- default:
- return nil, fmt.Errorf("invalid public key length %v (expect 64/65)", len(pubKey))
- }
- // TODO: fewer pointless conversions
- pub, err := crypto.UnmarshalPubkey(pubKey65)
- if err != nil {
- return nil, err
- }
- return ecies.ImportECDSAPublic(pub), nil
- }
- func exportPubkey(pub *ecies.PublicKey) []byte {
- if pub == nil {
- panic("nil pubkey")
- }
- return elliptic.Marshal(pub.Curve, pub.X, pub.Y)[1:]
- }
- func xor(one, other []byte) (xor []byte) {
- xor = make([]byte, len(one))
- for i := 0; i < len(one); i++ {
- xor[i] = one[i] ^ other[i]
- }
- return xor
- }
|