nim-eth/eth/p2p/discoveryv5/encoding.nim

402 lines
13 KiB
Nim
Raw Normal View History

import
std/[tables, options],
nimcrypto, stint, chronicles, stew/results, bearssl,
eth/[rlp, keys], types, node, enr, hkdf, sessions
2019-12-16 19:38:45 +00:00
export keys
{.push raises: [Defect].}
2019-12-16 19:38:45 +00:00
const
idNoncePrefix = "discovery-id-nonce"
keyAgreementPrefix = "discovery v5 key agreement"
2020-02-17 17:04:29 +00:00
authSchemeName* = "gcm"
gcmNonceSize* = 12
gcmTagSize* = 16
tagSize* = 32 ## size of the tag where each message (except whoareyou) starts
## with
2019-12-16 19:38:45 +00:00
type
PacketTag* = array[tagSize, byte]
AuthResponse* = object
version*: int
signature*: array[64, byte]
record*: Option[enr.Record]
2019-12-16 19:38:45 +00:00
Codec* = object
localNode*: Node
privKey*: PrivateKey
handshakes*: Table[HandShakeKey, Whoareyou]
sessions*: Sessions
2019-12-16 19:38:45 +00:00
HandshakeSecrets = object
writeKey: AesKey
readKey: AesKey
authRespKey: AesKey
2019-12-16 19:38:45 +00:00
2020-02-17 17:04:29 +00:00
AuthHeader* = object
auth*: AuthTag
idNonce*: IdNonce
2020-02-17 17:04:29 +00:00
scheme*: string
ephemeralKey*: array[64, byte]
response*: seq[byte]
2019-12-16 19:38:45 +00:00
DecodeError* = enum
2020-05-01 20:34:26 +00:00
HandshakeError = "discv5: handshake failed"
PacketError = "discv5: invalid packet"
DecryptError = "discv5: decryption failed"
2020-05-01 20:34:26 +00:00
UnsupportedMessage = "discv5: unsupported message"
DecodeResult*[T] = Result[T, DecodeError]
EncodeResult*[T] = Result[T, cstring]
proc mapErrTo[T, E](r: Result[T, E], v: static DecodeError):
2020-05-01 20:34:26 +00:00
DecodeResult[T] =
r.mapErr(proc (e: E): DecodeError = v)
2019-12-16 19:38:45 +00:00
2020-05-01 20:34:26 +00:00
proc idNonceHash(nonce, ephkey: openarray[byte]): MDigest[256] =
2019-12-16 19:38:45 +00:00
var ctx: sha256
ctx.init()
ctx.update(idNoncePrefix)
ctx.update(nonce)
ctx.update(ephkey)
result = ctx.finish()
ctx.clear()
2019-12-16 19:38:45 +00:00
proc signIDNonce*(privKey: PrivateKey, idNonce, ephKey: openarray[byte]):
SignatureNR =
signNR(privKey, SkMessage(idNonceHash(idNonce, ephKey).data))
2019-12-16 19:38:45 +00:00
proc deriveKeys(n1, n2: NodeID, priv: PrivateKey, pub: PublicKey,
idNonce: openarray[byte]): HandshakeSecrets =
let eph = ecdhRawFull(priv, pub)
2019-12-16 19:38:45 +00:00
var info = newSeqOfCap[byte](keyAgreementPrefix.len + 32 * 2)
2019-12-16 19:38:45 +00:00
for i, c in keyAgreementPrefix: info.add(byte(c))
info.add(n1.toByteArrayBE())
info.add(n2.toByteArrayBE())
var secrets: HandshakeSecrets
static: assert(sizeof(secrets) == aesKeySize * 3)
var res = cast[ptr UncheckedArray[byte]](addr secrets)
hkdf(sha256, eph.data, idNonce, info, toOpenArray(res, 0, sizeof(secrets) - 1))
secrets
2019-12-16 19:38:45 +00:00
2020-05-01 20:34:26 +00:00
proc encryptGCM*(key, nonce, pt, authData: openarray[byte]): seq[byte] =
2019-12-16 19:38:45 +00:00
var ectx: GCM[aes128]
ectx.init(key, nonce, authData)
result = newSeq[byte](pt.len + gcmTagSize)
ectx.encrypt(pt, result)
ectx.getTag(result.toOpenArray(pt.len, result.high))
ectx.clear()
proc encodeAuthHeader*(rng: var BrHmacDrbgContext,
c: Codec,
toId: NodeID,
nonce: array[gcmNonceSize, byte],
challenge: Whoareyou):
(seq[byte], HandshakeSecrets) =
## Encodes the auth-header, which is required for the packet in response to a
## WHOAREYOU packet. Requires the id-nonce and the enr-seq that were in the
## WHOAREYOU packet, and the public key of the node sending it.
2019-12-16 19:38:45 +00:00
var resp = AuthResponse(version: 5)
let ln = c.localNode
if challenge.recordSeq < ln.record.seqNum:
resp.record = some(ln.record)
else:
resp.record = none(enr.Record)
2019-12-16 19:38:45 +00:00
let ephKeys = KeyPair.random(rng)
let signature = signIDNonce(c.privKey, challenge.idNonce,
ephKeys.pubkey.toRaw)
resp.signature = signature.toRaw
2019-12-16 19:38:45 +00:00
# Calling `encodePacket` for handshake should always be with a challenge
# with the pubkey of the node we are targetting.
doAssert(challenge.pubKey.isSome())
let secrets = deriveKeys(ln.id, toId, ephKeys.seckey, challenge.pubKey.get(),
challenge.idNonce)
2019-12-16 19:38:45 +00:00
let respRlp = rlp.encode(resp)
var zeroNonce: array[gcmNonceSize, byte]
let respEnc = encryptGCM(secrets.authRespKey, zeroNonce, respRlp, [])
2019-12-16 19:38:45 +00:00
let header = AuthHeader(auth: nonce, idNonce: challenge.idNonce,
scheme: authSchemeName, ephemeralKey: ephKeys.pubkey.toRaw,
response: respEnc)
(rlp.encode(header), secrets)
2019-12-16 19:38:45 +00:00
2020-05-01 20:34:26 +00:00
proc `xor`[N: static[int], T](a, b: array[N, T]): array[N, T] =
2019-12-16 19:38:45 +00:00
for i in 0 .. a.high:
result[i] = a[i] xor b[i]
2020-05-01 20:34:26 +00:00
proc packetTag(destNode, srcNode: NodeID): PacketTag =
let
destId = destNode.toByteArrayBE()
srcId = srcNode.toByteArrayBE()
destidHash = sha256.digest(destId)
2019-12-16 19:38:45 +00:00
result = srcId xor destidHash.data
proc encodePacket*(
rng: var BrHmacDrbgContext,
c: var Codec,
toId: NodeID,
toAddr: Address,
message: openarray[byte],
challenge: Whoareyou):
(seq[byte], array[gcmNonceSize, byte]) =
## Encode a packet. This can be a regular packet or a packet in response to a
## WHOAREYOU packet. The latter is the case when the `challenge` parameter is
## provided.
2019-12-16 19:38:45 +00:00
var nonce: array[gcmNonceSize, byte]
brHmacDrbgGenerate(rng, nonce)
let tag = packetTag(toId, c.localNode.id)
var packet: seq[byte]
packet.add(tag)
2019-12-16 19:38:45 +00:00
if challenge.isNil:
# Message packet or random packet
let headEnc = rlp.encode(nonce)
packet.add(headEnc)
2019-12-16 19:38:45 +00:00
# TODO: Should we change API to get just the key we need?
var writeKey, readKey: AesKey
if c.sessions.load(toId, toAddr, readKey, writeKey):
packet.add(encryptGCM(writeKey, nonce, message, tag))
else:
# We might not have the node's keys if the handshake hasn't been performed
# yet. That's fine, we send a random-packet and we will be responded with
# a WHOAREYOU packet.
var randomData: array[44, byte]
brHmacDrbgGenerate(rng, randomData)
packet.add(randomData)
2019-12-16 19:38:45 +00:00
else:
# Handshake
let (headEnc, secrets) = encodeAuthHeader(rng, c, toId, nonce, challenge)
packet.add(headEnc)
2019-12-16 19:38:45 +00:00
c.sessions.store(toId, toAddr, secrets.readKey, secrets.writeKey)
2019-12-16 19:38:45 +00:00
packet.add(encryptGCM(secrets.writeKey, nonce, message, tag))
2019-12-16 19:38:45 +00:00
(packet, nonce)
2019-12-16 19:38:45 +00:00
proc decryptGCM*(key: AesKey, nonce, ct, authData: openarray[byte]):
Option[seq[byte]] =
if ct.len <= gcmTagSize:
debug "cipher is missing tag", len = ct.len
return
2019-12-16 19:38:45 +00:00
var dctx: GCM[aes128]
dctx.init(key, nonce, authData)
var res = newSeq[byte](ct.len - gcmTagSize)
2019-12-16 19:38:45 +00:00
var tag: array[gcmTagSize, byte]
dctx.decrypt(ct.toOpenArray(0, ct.high - gcmTagSize), res)
2019-12-16 19:38:45 +00:00
dctx.getTag(tag)
dctx.clear()
if tag != ct.toOpenArray(ct.len - gcmTagSize, ct.high):
return
return some(res)
2020-07-14 20:56:34 +00:00
proc decodeMessage*(body: openarray[byte]): DecodeResult[Message] =
## Decodes to the specific `Message` type.
2020-04-24 14:52:41 +00:00
if body.len < 1:
return err(PacketError)
2020-02-27 18:09:05 +00:00
if body[0] < MessageKind.low.byte or body[0] > MessageKind.high.byte:
2020-04-24 14:52:41 +00:00
return err(PacketError)
# This cast is covered by the above check (else we could get enum with invalid
# data!). However, can't we do this in a cleaner way?
let kind = cast[MessageKind](body[0])
var message = Message(kind: kind)
2020-04-24 14:52:41 +00:00
var rlp = rlpFromBytes(body.toOpenArray(1, body.high))
2020-02-27 18:09:05 +00:00
if rlp.enterList:
try:
message.reqId = rlp.read(RequestId)
except RlpError:
return err(PacketError)
2019-12-16 19:38:45 +00:00
proc decode[T](rlp: var Rlp, v: var T)
{.inline, nimcall, raises:[RlpError, ValueError, Defect].} =
2019-12-16 19:38:45 +00:00
for k, v in v.fieldPairs:
v = rlp.read(typeof(v))
try:
case kind
of unused: return err(PacketError)
of ping: rlp.decode(message.ping)
of pong: rlp.decode(message.pong)
of findNode: rlp.decode(message.findNode)
of nodes: rlp.decode(message.nodes)
of regtopic, ticket, regconfirmation, topicquery:
# TODO: Implement support for topic advertisement
return err(UnsupportedMessage)
except RlpError, ValueError:
return err(PacketError)
ok(message)
2019-12-16 19:38:45 +00:00
else:
err(PacketError)
2019-12-16 19:38:45 +00:00
proc decodeAuthResp*(c: Codec, fromId: NodeId, head: AuthHeader,
challenge: Whoareyou, newNode: var Node): DecodeResult[HandshakeSecrets] =
## Decrypts and decodes the auth-response, which is part of the auth-header.
## Requires the id-nonce from the WHOAREYOU packet that was send.
## newNode can be nil in case node was already known (no was ENR send).
2019-12-16 19:38:45 +00:00
if head.scheme != authSchemeName:
warn "Unknown auth scheme"
return err(HandshakeError)
2019-12-16 19:38:45 +00:00
let ephKey = ? PublicKey.fromRaw(head.ephemeralKey).mapErrTo(HandshakeError)
2019-12-16 19:38:45 +00:00
let secrets =
deriveKeys(fromId, c.localNode.id, c.privKey, ephKey, challenge.idNonce)
2019-12-16 19:38:45 +00:00
var zeroNonce: array[gcmNonceSize, byte]
let respData = decryptGCM(secrets.authRespKey, zeroNonce, head.response, [])
if respData.isNone():
return err(HandshakeError)
var authResp: AuthResponse
try:
# Signature check of record happens in decode.
authResp = rlp.decode(respData.get(), AuthResponse)
except RlpError, ValueError:
return err(HandshakeError)
2019-12-16 19:38:45 +00:00
var pubKey: PublicKey
if authResp.record.isSome():
# Node returned might not have an address or not a valid address.
newNode = ? newNode(authResp.record.get()).mapErrTo(HandshakeError)
if newNode.id != fromId:
return err(HandshakeError)
pubKey = newNode.pubKey
else:
if challenge.pubKey.isSome():
pubKey = challenge.pubKey.get()
else:
# We should have received a Record in this case.
return err(HandshakeError)
# Verify the id-nonce-sig
let sig = ? SignatureNR.fromRaw(authResp.signature).mapErrTo(HandshakeError)
let h = idNonceHash(head.idNonce, head.ephemeralKey)
if verify(sig, SkMessage(h.data), pubkey):
ok(secrets)
else:
err(HandshakeError)
2019-12-16 19:38:45 +00:00
proc decodePacket*(c: var Codec,
2020-02-22 18:49:14 +00:00
fromId: NodeID,
fromAddr: Address,
input: openArray[byte],
authTag: var AuthTag,
newNode: var Node): DecodeResult[Message] =
## Decode a packet. This can be a regular packet or a packet in response to a
## WHOAREYOU packet. In case of the latter a `newNode` might be provided.
var r = rlpFromBytes(input.toOpenArray(tagSize, input.high))
2019-12-16 19:38:45 +00:00
var auth: AuthHeader
var readKey: AesKey
2020-02-27 18:09:05 +00:00
logScope: sender = $fromAddr
2019-12-16 19:38:45 +00:00
if r.isList:
# Handshake - rlp list indicates auth-header
try:
auth = r.read(AuthHeader)
except RlpError:
return err(PacketError)
2019-12-16 19:38:45 +00:00
authTag = auth.auth
let key = HandShakeKey(nodeId: fromId, address: $fromAddr)
var challenge: Whoareyou
# Note: We remove (pop) the stored handshake data here on failure on purpose
# as mitigation for a DoS attack where an invalid handshake is send
# repeatedly, which causes the signature verification to be done until
# handshake timeout, in case the stored data is not removed at first fail.
# See also more info here: https://github.com/prysmaticlabs/prysm/issues/7346
#
# It should be noted though that this means that now it might be possible to
# drop a handshake on purpose by a malicious party. But only if that
# attacker manages to spoof the IP-address of a peer A, and manages to
# listen to traffic between peer A and B that are starting a handshake, and
# next manages to be faster in sending out the (invalid) handshake. And this
# for each attempt in order to deny the peers setting up a session.
# However, this looks like a much more difficult scenario to pull off than
# the more convenient DoS attack. The DoS attack might have less heavy
# consequences though.
if not c.handshakes.pop(key, challenge):
debug "Decoding failed (no previous stored handshake challenge)"
return err(HandshakeError)
2019-12-16 19:38:45 +00:00
if auth.idNonce != challenge.idNonce:
2020-02-22 18:49:14 +00:00
trace "Decoding failed (different nonce)"
return err(HandshakeError)
2019-12-16 19:38:45 +00:00
let secrets = c.decodeAuthResp(fromId, auth, challenge, newNode)
if secrets.isErr:
trace "Decoding failed (invalid auth response)"
return err(HandshakeError)
var sec = secrets[]
c.handshakes.del(key)
2019-12-16 19:38:45 +00:00
# Swap keys to match remote
swap(sec.readKey, sec.writeKey)
c.sessions.store(fromId, fromAddr, sec.readKey, sec.writeKey)
2019-12-16 19:38:45 +00:00
readKey = sec.readKey
else:
# Message packet or random packet - rlp bytes (size 12) indicates auth-tag
try:
authTag = r.read(AuthTag)
except RlpError:
return err(PacketError)
2019-12-16 19:38:45 +00:00
auth.auth = authTag
# TODO: Should we change API to get just the key we need?
var writeKey: AesKey
if not c.sessions.load(fromId, fromAddr, readKey, writeKey):
2020-02-22 18:49:14 +00:00
trace "Decoding failed (no keys)"
return err(DecryptError)
2019-12-16 19:38:45 +00:00
let headSize = tagSize + r.position
2019-12-16 19:38:45 +00:00
let message = decryptGCM(
readKey, auth.auth,
input.toOpenArray(headSize, input.high),
input.toOpenArray(0, tagSize - 1))
if message.isNone():
c.sessions.del(fromId, fromAddr)
return err(DecryptError)
decodeMessage(message.get())
2019-12-16 19:38:45 +00:00
proc init*(T: type RequestId, rng: var BrHmacDrbgContext): T =
var buf: array[sizeof(T), byte]
brHmacDrbgGenerate(rng, buf)
var id: T
copyMem(addr id, addr buf[0], sizeof(id))
id
2019-12-16 19:38:45 +00:00
2020-05-01 20:34:26 +00:00
proc numFields(T: typedesc): int =
2019-12-16 19:38:45 +00:00
for k, v in fieldPairs(default(T)): inc result
2020-05-01 20:34:26 +00:00
proc encodeMessage*[T: SomeMessage](p: T, reqId: RequestId): seq[byte] =
2019-12-16 19:38:45 +00:00
result = newSeqOfCap[byte](64)
result.add(messageKind(T).ord)
2019-12-16 19:38:45 +00:00
const sz = numFields(T)
var writer = initRlpList(sz + 1)
writer.append(reqId)
for k, v in fieldPairs(p):
writer.append(v)
result.add(writer.finish())