ik functional w/ fallback from xx to ik

2019-08-24 09:32:50 -04:00 · 2019-08-24 09:32:50 -04:00 · 5c2c243998
parent 7823ac99c9
commit 5c2c243998
3 changed files with 84 additions and 41 deletions
--- a/p2p/security/noise/ik/IK.noise.go
+++ b/p2p/security/noise/ik/IK.noise.go
@ -151,19 +151,18 @@ func (mb *MessageBuffer) Encode0() []byte {
 	return enc
 }

-// Encodes a MessageBuffer from stage 1 and 2
-// func (mb *MessageBuffer) Encode1() []byte {
-// 	enc := []byte{}
+// Encodes a MessageBuffer from stage 1
+func (mb *MessageBuffer) Encode1() []byte {
+	enc := []byte{}

-// 	enc = append(enc, mb.ne[:]...)
-// 	enc = append(enc, mb.ns...)
-// 	enc = append(enc, mb.ciphertext...)
+	enc = append(enc, mb.ne[:]...)
+	enc = append(enc, mb.ciphertext...)

-// 	// log.Debug("XX_Encode1", "ne", mb.ne)
-// 	// log.Debug("XX_Encode1", "ns", mb.ns)
+	// log.Debug("XX_Encode1", "ne", mb.ne)
+	// log.Debug("XX_Encode1", "ns", mb.ns)

-// 	return enc
-// }
+	return enc
+}

 // Decodes initial message (stage 0) into MessageBuffer
 func Decode0(in []byte) (*MessageBuffer, error) {
@ -181,24 +180,24 @@ func Decode0(in []byte) (*MessageBuffer, error) {
 	return mb, nil
 }

-// Decodes messages at stage 1 or 2 into MessageBuffer
-// func Decode1(in []byte) (*MessageBuffer, error) {
-// 	if len(in) < 80 {
-// 		return nil, errors.New("cannot decode stage 1/2 MessageBuffer: length less than 96 bytes")
-// 	}
+// Decodes messages at stage 1 into MessageBuffer
+func Decode1(in []byte) (*MessageBuffer, error) {
+	if len(in) < 80 {
+		return nil, errors.New("cannot decode stage 1/2 MessageBuffer: length less than 96 bytes")
+	}

-// 	// log.Debug("XX_Decode1", "in", in)
-// 	// log.Debug("XX_Decode1", "ns", in[32:80])
+	// log.Debug("XX_Decode1", "in", in)
+	// log.Debug("XX_Decode1", "ns", in[32:80])

-// 	mb := new(MessageBuffer)
-// 	copy(mb.ne[:], in[:32])
-// 	mb.ns = in[32:80]
-// 	mb.ciphertext = in[80:]
-// 	// copy(mb.ns,)
-// 	// copy(mb.ciphertext,)
+	mb := new(MessageBuffer)
+	copy(mb.ne[:], in[:32])
+	//mb.ns = in[32:80]
+	mb.ciphertext = in[32:]
+	// copy(mb.ns,)
+	// copy(mb.ciphertext,)

-// 	return mb, nil
-// }
+	return mb, nil
+}

 func validatePublicKey(k []byte) bool {
 	forbiddenCurveValues := [12][]byte{
--- a/p2p/security/noise/ik_handshake.go
+++ b/p2p/security/noise/ik_handshake.go
@ -11,18 +11,18 @@ import (
 	pb "github.com/ChainSafe/go-libp2p-noise/pb"
 )

-func (s *secureSession) ik_sendHandshakeMessage(payload []byte) error {
+func (s *secureSession) ik_sendHandshakeMessage(payload []byte, initial_stage bool) error {
 	log.Debug("ik_sendHandshakeMessage", "initiator", s.initiator, "payload", payload, "payload len", len(payload))

 	// create send message w payload
 	var msgbuf ik.MessageBuffer
 	s.ik_ns, msgbuf = ik.SendMessage(s.ik_ns, payload)
 	var encMsgBuf []byte
-	//if initial_stage {
-	encMsgBuf = msgbuf.Encode0()
-	// } else {
-	// 	encMsgBuf = msgbuf.Encode1()
-	// }
+	if initial_stage {
+		encMsgBuf = msgbuf.Encode0()
+	} else {
+		encMsgBuf = msgbuf.Encode1()
+	}

 	log.Debug("ik_sendHandshakeMessage", "initiator", s.initiator, "msgbuf", msgbuf)
 	log.Debug("ik_sendHandshakeMessage", "initiator", s.initiator, "encMsgBuf", encMsgBuf, "ns_len", len(msgbuf.NS()), "enc_len", len(encMsgBuf))
@ -43,7 +43,7 @@ func (s *secureSession) ik_sendHandshakeMessage(payload []byte) error {
 	return nil
 }

-func (s *secureSession) ik_recvHandshakeMessage() (buf []byte, plaintext []byte, valid bool, err error) {
+func (s *secureSession) ik_recvHandshakeMessage(initial_stage bool) (buf []byte, plaintext []byte, valid bool, err error) {
 	l, err := s.ReadLength()
 	if err != nil {
 		return nil, nil, false, fmt.Errorf("read length fail: %s", err)
@ -57,11 +57,11 @@ func (s *secureSession) ik_recvHandshakeMessage() (buf []byte, plaintext []byte,
 	}

 	var msgbuf *ik.MessageBuffer
-	//if initial_stage {
-	msgbuf, err = ik.Decode0(buf)
-	// } else {
-	// 	msgbuf, err = ik.Decode1(buf)
-	// }
+	if initial_stage {
+		msgbuf, err = ik.Decode0(buf)
+	} else {
+		msgbuf, err = ik.Decode1(buf)
+	}

 	log.Debug("ik_recvHandshakeMessage", "initiator", s.initiator, "msgbuf", msgbuf, "buf len", len(buf))

@ -87,7 +87,7 @@ func (s *secureSession) runHandshake_ik(ctx context.Context, handshakeData []byt

 	if s.noisePrivateKey == [32]byte{} {
 		// generate local static noise key
-		kp = ik.GenerateKeypair()	
+		kp = ik.GenerateKeypair()
 		s.noisePrivateKey = kp.PrivKey()
 	} else {
 		pub := ik.GeneratePublicKey(s.noisePrivateKey)
@ -126,7 +126,7 @@ func (s *secureSession) runHandshake_ik(ctx context.Context, handshakeData []byt

 	if s.initiator {
 		// stage 0 //
-		err := s.ik_sendHandshakeMessage(payloadEnc)
+		err := s.ik_sendHandshakeMessage(payloadEnc, true)
 		if err != nil {
 			log.Error("stage 0 initiator send", "err", err)
 			return nil, fmt.Errorf("stage 0 initiator fail: %s", err)
@ -134,6 +134,42 @@ func (s *secureSession) runHandshake_ik(ctx context.Context, handshakeData []byt

 		// stage 1 //

+		// read message
+		buf, plaintext, valid, err := s.ik_recvHandshakeMessage(false)
+		if err != nil {
+			return buf, fmt.Errorf("stage 1 initiator fail: %s", err)
+		}
+
+		if !valid {
+			return buf, fmt.Errorf("stage 1 initiator validation fail")
+		}
+
+		// unmarshal payload
+		nhp := new(pb.NoiseHandshakePayload)
+		err = proto.Unmarshal(plaintext, nhp)
+		if err != nil {
+			return buf, fmt.Errorf("stage 1 initiator validation fail: cannot unmarshal payload")
+		}
+
+		// set remote libp2p public key
+		err = s.setRemotePeerInfo(nhp.GetLibp2PKey())
+		if err != nil {
+			log.Error("stage 1 initiator set remote peer info", "err", err)
+			return buf, fmt.Errorf("stage 1 initiator read remote libp2p key fail")
+		}
+
+		// assert that remote peer ID matches libp2p key
+		err = s.setRemotePeerID(s.RemotePublicKey())
+		if err != nil {
+			log.Error("stage 1 initiator set remote peer id", "err", err)
+		}
+
+		// verify payload is signed by libp2p key
+		err = s.verifyPayload(nhp, s.noiseStaticKeyCache[s.remotePeer])
+		if err != nil {
+			log.Error("stage 1 initiator verify payload", "err", err)
+		}
+
 	} else {
 		// stage 0 //

@ -155,7 +191,7 @@ func (s *secureSession) runHandshake_ik(ctx context.Context, handshakeData []byt
 			s.ik_ns, plaintext, valid = ik.RecvMessage(s.ik_ns, msgbuf)
 		} else {
 			// read message
-			buf, plaintext, valid, err = s.ik_recvHandshakeMessage()
+			buf, plaintext, valid, err = s.ik_recvHandshakeMessage(true)
 			if err != nil {
 				return buf, fmt.Errorf("stage 0 responder fail: %s", err)
 			}
@ -194,6 +230,14 @@ func (s *secureSession) runHandshake_ik(ctx context.Context, handshakeData []byt
 			log.Error("stage 1 responder verify payload", "err", err)
 		}

+		// stage 1 //
+
+		err := s.ik_sendHandshakeMessage(payloadEnc, false)
+		if err != nil {
+			log.Error("stage 1 responder send", "err", err)
+			return nil, fmt.Errorf("stage 1 responder fail: %s", err)
+		}
+
 	}

 	return nil, nil
--- a/p2p/security/noise/xx_handshake.go
+++ b/p2p/security/noise/xx_handshake.go
@ -88,7 +88,7 @@ func (s *secureSession) runHandshake_xx(ctx context.Context, fallback bool, msg
 	if s.noisePrivateKey == [32]byte{} {
 		// generate local static noise key
 		kp = xx.GenerateKeypair()
-		s.noisePrivateKey = kp.PrivKey()	
+		s.noisePrivateKey = kp.PrivKey()
 	} else {
 		pub := xx.GeneratePublicKey(s.noisePrivateKey)
 		kp = xx.NewKeypair(pub, s.noisePrivateKey)