Update to support the latest discv5.1 specification

This commit is contained in:
kdeme 2020-10-05 13:51:26 +02:00 committed by zah
parent 820a73f96f
commit 17ef0b25e0
3 changed files with 326 additions and 302 deletions

View File

@ -8,17 +8,19 @@ export keys
{.push raises: [Defect].}
const
version: uint8 = 1
version: uint16 = 1
idNoncePrefix = "discovery-id-nonce"
idSignatureText = "discovery v5 identity proof"
keyAgreementPrefix = "discovery v5 key agreement"
protocolIdStr = "discv5 "
protocolIdStr = "discv5"
protocolId = toBytes(protocolIdStr)
gcmNonceSize* = 12
idNonceSize* = 32
idNonceSize* = 16
gcmTagSize* = 16
ivSize = 16
staticHeaderSize = protocolId.len + sizeof(NodeId) + 1 + 2
authdataHeadSize = 1 + gcmNonceSize + 1 + 1
ivSize* = 16
staticHeaderSize = protocolId.len + 2 + 2 + 1 + gcmNonceSize
authdataHeadSize = sizeof(NodeId) + 1 + 1
whoareyouSize = ivSize + staticHeaderSize + idNonceSize + 8
type
AESGCMNonce* = array[gcmNonceSize, byte]
@ -26,16 +28,17 @@ type
WhoareyouData* = object
requestNonce*: AESGCMNonce
idNonce*: IdNonce
idNonce*: IdNonce # TODO: This data is also available in challengeData
recordSeq*: uint64
challengeData*: seq[byte]
Challenge* = object
whoareyouData*: WhoareyouData
pubkey*: Option[PublicKey]
StaticHeader* = object
srcId: NodeId
flag: Flag
nonce: AESGCMNonce
authdataSize: uint16
HandshakeSecrets* = object
@ -52,13 +55,14 @@ type
of OrdinaryMessage:
messageOpt*: Option[Message]
requestNonce*: AESGCMNonce
srcId*: NodeId
of Whoareyou:
whoareyou*: WhoareyouData
of HandshakeMessage:
message*: Message # In a handshake we expect to always be able to decrypt
# TODO record or node immediately?
node*: Option[Node]
srcId*: NodeId
srcIdHs*: NodeId
Codec* = object
localNode*: Node
@ -79,21 +83,23 @@ proc mapErrTo[T, E](r: Result[T, E], v: static DecodeError):
DecodeResult[T] =
r.mapErr(proc (e: E): DecodeError = v)
proc idNonceHash(nonce, ephkey: openarray[byte]): MDigest[256] =
proc idNonceHash(challengeData, ephkey: openarray[byte], nodeId: NodeId):
MDigest[256] =
var ctx: sha256
ctx.init()
ctx.update(idNoncePrefix)
ctx.update(nonce)
ctx.update(idSignatureText)
ctx.update(challengeData)
ctx.update(ephkey)
ctx.update(nodeId.toByteArrayBE())
result = ctx.finish()
ctx.clear()
proc signIDNonce*(privKey: PrivateKey, idNonce, ephKey: openarray[byte]):
SignatureNR =
signNR(privKey, SkMessage(idNonceHash(idNonce, ephKey).data))
proc signIDNonce*(privKey: PrivateKey, challengeData,
ephKey: openarray[byte], nodeId: NodeId): SignatureNR =
signNR(privKey, SkMessage(idNonceHash(challengeData, ephKey, nodeId).data))
proc deriveKeys*(n1, n2: NodeID, priv: PrivateKey, pub: PublicKey,
idNonce: openarray[byte]): HandshakeSecrets =
challengeData: openarray[byte]): HandshakeSecrets =
let eph = ecdhRawFull(priv, pub)
var info = newSeqOfCap[byte](keyAgreementPrefix.len + 32 * 2)
@ -104,7 +110,9 @@ proc deriveKeys*(n1, n2: NodeID, priv: PrivateKey, pub: PublicKey,
var secrets: HandshakeSecrets
static: assert(sizeof(secrets) == aesKeySize * 2)
var res = cast[ptr UncheckedArray[byte]](addr secrets)
hkdf(sha256, eph.data, idNonce, info, toOpenArray(res, 0, sizeof(secrets) - 1))
hkdf(sha256, eph.data, challengeData, info,
toOpenArray(res, 0, sizeof(secrets) - 1))
secrets
proc encryptGCM*(key, nonce, pt, authData: openarray[byte]): seq[byte] =
@ -141,21 +149,29 @@ proc encryptHeader*(id: NodeId, iv, header: openarray[byte]): seq[byte] =
ectx.encrypt(header, result)
ectx.clear()
proc encodeStaticHeader*(srcId: NodeId, flag: Flag, authSize: int): seq[byte] =
proc hasHandshake*(c: Codec, key: HandShakeKey): bool =
c.handshakes.hasKey(key)
proc encodeStaticHeader*(flag: Flag, nonce: AESGCMNonce, authSize: int):
seq[byte] =
result.add(protocolId)
result.add(srcId.toByteArrayBE())
result.add(version.toBytesBE())
result.add(byte(flag))
result.add(nonce)
# TODO: assert on authSize of > 2^16?
result.add((uint16(authSize)).toBytesBE())
proc encodeMessagePacket*(rng: var BrHmacDrbgContext, c: var Codec,
toId: NodeID, toAddr: Address, message: openarray[byte]):
(seq[byte], AESGCMNonce) =
var authdata: AESGCMNonce
brHmacDrbgGenerate(rng, authdata) # Random AESGCM nonce
var nonce: AESGCMNonce
brHmacDrbgGenerate(rng, nonce) # Random AESGCM nonce
var iv: array[ivSize, byte]
brHmacDrbgGenerate(rng, iv) # Random IV
# static-header
let staticHeader = encodeStaticHeader(c.localNode.id, Flag.OrdinaryMessage,
let authdata = c.localNode.id.toByteArrayBE()
let staticHeader = encodeStaticHeader(Flag.OrdinaryMessage, nonce,
authdata.len())
# header = static-header || authdata
var header: seq[byte]
@ -166,20 +182,18 @@ proc encodeMessagePacket*(rng: var BrHmacDrbgContext, c: var Codec,
var messageEncrypted: seq[byte]
var writeKey, readKey: AesKey
if c.sessions.load(toId, toAddr, readKey, writeKey):
messageEncrypted = encryptGCM(writeKey, authdata, message, header)
messageEncrypted = encryptGCM(writeKey, nonce, message, @iv & header)
else:
# We might not have the node's keys if the handshake hasn't been performed
# yet. That's fine, we send a random-packet and we will be responded with
# a WHOAREYOU packet.
# TODO: What is minimum size of an encrypted message that we should provided
# here?
var randomData: array[44, byte]
# TODO Minumum packet size is 63, we have here 16 + 23 + 32 = 71, so in theory
# we don't need to add random data? But then how do we know if decryption
# fails. Empty message automatically means -> whoareyou?
var randomData: array[8, byte]
brHmacDrbgGenerate(rng, randomData)
messageEncrypted.add(randomData)
var iv: array[ivSize, byte]
brHmacDrbgGenerate(rng, iv) # Random IV
let maskedHeader = encryptHeader(toId, iv, header)
var packet: seq[byte]
@ -187,20 +201,22 @@ proc encodeMessagePacket*(rng: var BrHmacDrbgContext, c: var Codec,
packet.add(maskedHeader)
packet.add(messageEncrypted)
return (packet, authdata)
return (packet, nonce)
proc encodeWhoareyouPacket*(rng: var BrHmacDrbgContext, c: var Codec,
toId: NodeID, requestNonce: AESGCMNonce, idNonce: IdNonce, enrSeq: uint64):
seq[byte] =
toId: NodeID, toAddr: Address, requestNonce: AESGCMNonce, recordSeq: uint64,
pubkey: Option[PublicKey]): seq[byte] =
var idNonce: IdNonce
brHmacDrbgGenerate(rng, idNonce)
# authdata
var authdata: seq[byte]
authdata.add(requestNonce)
authdata.add(idNonce)
authdata.add(enrSeq.tobytesBE)
authdata.add(recordSeq.tobytesBE)
# static-header
let staticHeader = encodeStaticHeader(c.localNode.id, Flag.Whoareyou,
authdata.len()) # authdata will always be 52 bytes
let staticHeader = encodeStaticHeader(Flag.Whoareyou, requestNonce,
authdata.len())
# header = static-header || authdata
var header: seq[byte]
@ -216,50 +232,60 @@ proc encodeWhoareyouPacket*(rng: var BrHmacDrbgContext, c: var Codec,
packet.add(iv)
packet.add(maskedHeader)
let
whoareyouData = WhoareyouData(
requestNonce: requestNonce,
idNonce: idNonce,
recordSeq: recordSeq,
challengeData: @iv & header)
challenge = Challenge(whoareyouData: whoareyouData, pubkey: pubkey)
key = HandShakeKey(nodeId: toId, address: $toAddr)
c.handshakes[key] = challenge
return packet
proc encodeHandshakePacket*(rng: var BrHmacDrbgContext, c: var Codec,
toId: NodeID, toAddr: Address, message: openarray[byte], idNonce: IdNonce,
enrSeq: uint64, pubkey: PublicKey): seq[byte] =
toId: NodeID, toAddr: Address, message: openarray[byte],
whoareyouData: WhoareyouData, pubkey: PublicKey): seq[byte] =
var header: seq[byte]
var nonce: AESGCMNonce
brHmacDrbgGenerate(rng, nonce)
var iv: array[ivSize, byte]
brHmacDrbgGenerate(rng, iv) # Random IV
var authdata: seq[byte]
var authdataHead: seq[byte]
authdataHead.add(version)
authdataHead.add(nonce)
authdataHead.add(c.localNode.id.toByteArrayBE())
authdataHead.add(64'u8) # sig-size: 64
authdataHead.add(33'u8) # eph-key-size: 33
authdata.add(authdataHead)
let ephKeys = KeyPair.random(rng)
let signature = signIDNonce(c.privKey, idNonce,
ephKeys.pubkey.toRawCompressed())
let signature = signIDNonce(c.privKey, whoareyouData.challengeData,
ephKeys.pubkey.toRawCompressed(), toId)
authdata.add(signature.toRaw())
# compressed pub key format (33 bytes)
authdata.add(ephKeys.pubkey.toRawCompressed())
# Add ENR of sequence number is newer
if enrSeq < c.localNode.record.seqNum:
if whoareyouData.recordSeq < c.localNode.record.seqNum:
authdata.add(encode(c.localNode.record))
let secrets = deriveKeys(c.localNode.id, toId, ephKeys.seckey, pubkey,
idNonce)
whoareyouData.challengeData)
# Header
let staticHeader = encodeStaticHeader(c.localNode.id, Flag.HandshakeMessage,
let staticHeader = encodeStaticHeader(Flag.HandshakeMessage, nonce,
authdata.len())
header.add(staticHeader)
header.add(authdata)
c.sessions.store(toId, toAddr, secrets.readKey, secrets.writeKey)
let messageEncrypted = encryptGCM(secrets.writeKey, nonce, message, header)
var iv: array[ivSize, byte]
brHmacDrbgGenerate(rng, iv) # Random IV
let messageEncrypted = encryptGCM(secrets.writeKey, nonce, message, @iv & header)
let maskedHeader = encryptHeader(toId, iv, header)
@ -272,11 +298,8 @@ proc encodeHandshakePacket*(rng: var BrHmacDrbgContext, c: var Codec,
proc decodeHeader*(id: NodeId, iv, maskedHeader: openarray[byte]):
DecodeResult[(StaticHeader, seq[byte])] =
# Smallest header is staticHeader + gcm nonce for a ordinary message
let inputLen = maskedHeader.len
if inputLen < staticHeaderSize + gcmNonceSize:
return err(PacketError)
# No need to check staticHeader size as that is included in minimum packet
# size check in decodePacket
var ectx: CTR[aes128]
ectx.init(id.toByteArrayBE().toOpenArray(0, ivSize - 1), iv)
# Decrypt static-header part of the header
@ -287,15 +310,22 @@ proc decodeHeader*(id: NodeId, iv, maskedHeader: openarray[byte]):
if staticHeader.toOpenArray(0, protocolId.len - 1) != protocolId:
return err(PacketError)
let srcId = NodeId.fromBytesBE(staticHeader.toOpenArray(8, 39))
if staticHeader[40] < Flag.low.byte or staticHeader[40] > Flag.high.byte:
if uint16.fromBytesBE(staticHeader.toOpenArray(6, 7)) != version:
return err(PacketError)
let flag = cast[Flag](staticHeader[40])
let authdataSize = uint16.fromBytesBE(staticHeader.toOpenArray(41, 42))
if staticHeader[8] < Flag.low.byte or staticHeader[8] > Flag.high.byte:
return err(PacketError)
let flag = cast[Flag](staticHeader[8])
var nonce: AESGCMNonce
copyMem(addr nonce[0], unsafeAddr staticHeader[9], gcmNonceSize)
let authdataSize = uint16.fromBytesBE(staticHeader.toOpenArray(21,
staticHeader.high))
# Input should have minimum size of staticHeader + provided authdata size
if inputLen < staticHeaderSize + int(authdataSize):
# Can be larger as there can come a message after.
if maskedHeader.len < staticHeaderSize + int(authdataSize):
return err(PacketError)
var authdata = newSeq[byte](int(authdataSize))
@ -303,7 +333,7 @@ proc decodeHeader*(id: NodeId, iv, maskedHeader: openarray[byte]):
staticHeaderSize + int(authdataSize) - 1), authdata)
ectx.clear()
ok((StaticHeader(srcId: srcId, flag: flag, authdataSize: authdataSize),
ok((StaticHeader(authdataSize: authdataSize, flag: flag, nonce: nonce),
staticHeader & authdata))
proc decodeMessage*(body: openarray[byte]): DecodeResult[Message] =
@ -352,69 +382,65 @@ proc decodeMessage*(body: openarray[byte]): DecodeResult[Message] =
else:
err(PacketError)
proc decodeMessagePacket(c: var Codec, fromAddr: Address, srcId: NodeId,
ct, header: openArray[byte]): DecodeResult[Packet] =
# We now know the exact size that the header should be
if header.len != staticHeaderSize + gcmNonceSize:
return err(PacketError)
var nonce: AESGCMNonce
copyMem(addr nonce[0], unsafeAddr header[staticHeaderSize], gcmNonceSize)
var writeKey, readKey: AesKey
if not c.sessions.load(srcId, fromAddr, readKey, writeKey):
# Don't consider this an error, simply haven't done a handshake yet or
# the session got removed.
trace "Decrypting failed (no keys)"
return ok(Packet(flag: Flag.OrdinaryMessage, requestNonce: nonce,
srcId: srcId))
let pt = decryptGCM(readKey, nonce, ct, header)
if pt.isNone():
# Don't consider this an error, the session got probably removed at the
# peer's side.
trace "Decrypting failed (invalid keys)"
c.sessions.del(srcId, fromAddr)
return ok(Packet(flag: Flag.OrdinaryMessage, requestNonce: nonce,
srcId: srcId))
let message = ? decodeMessage(pt.get())
return ok(Packet(flag: Flag.OrdinaryMessage,
messageOpt: some(message), requestNonce: nonce, srcId: srcId))
proc decodeWhoareyouPacket(c: var Codec, srcId: NodeId,
authdata: openArray[byte]): DecodeResult[Packet] =
# We now know the exact size that the authdata should be
if authdata.len != gcmNonceSize + idNonceSize + sizeof(uint64):
proc decodeMessagePacket(c: var Codec, fromAddr: Address, nonce: AESGCMNonce,
iv, header, ct: openArray[byte]): DecodeResult[Packet] =
# We now know the exact size that the header should be
if header.len != staticHeaderSize + sizeof(NodeId):
return err(PacketError)
let srcId = NodeId.fromBytesBE(header.toOpenArray(staticHeaderSize,
header.high))
var writeKey, readKey: AesKey
if not c.sessions.load(srcId, fromAddr, readKey, writeKey):
# Don't consider this an error, simply haven't done a handshake yet or
# the session got removed.
trace "Decrypting failed (no keys)"
return ok(Packet(flag: Flag.OrdinaryMessage, requestNonce: nonce,
srcId: srcId))
let pt = decryptGCM(readKey, nonce, ct, @iv & @header)
if pt.isNone():
# Don't consider this an error, the session got probably removed at the
# peer's side.
trace "Decrypting failed (invalid keys)"
c.sessions.del(srcId, fromAddr)
return ok(Packet(flag: Flag.OrdinaryMessage, requestNonce: nonce,
srcId: srcId))
let message = ? decodeMessage(pt.get())
return ok(Packet(flag: Flag.OrdinaryMessage,
messageOpt: some(message), requestNonce: nonce, srcId: srcId))
proc decodeWhoareyouPacket(c: var Codec, nonce: AESGCMNonce,
iv, header: openArray[byte]): DecodeResult[Packet] =
# TODO improve this
let authdata = header[staticHeaderSize..header.high()]
# We now know the exact size that the authdata should be
if authdata.len != idNonceSize + sizeof(uint64):
return err(PacketError)
var requestNonce: AESGCMNonce
copyMem(addr requestNonce[0], unsafeAddr authdata[0], gcmNonceSize)
var idNonce: IdNonce
copyMem(addr idNonce[0], unsafeAddr authdata[gcmNonceSize], idNonceSize)
let whoareyou = WhoareyouData(requestNonce: requestNonce, idNonce: idNonce,
copyMem(addr idNonce[0], unsafeAddr authdata[0], idNonceSize)
let whoareyou = WhoareyouData(requestNonce: nonce, idNonce: idNonce,
recordSeq: uint64.fromBytesBE(
authdata.toOpenArray(gcmNonceSize + idNonceSize, authdata.high)))
authdata.toOpenArray(idNonceSize, authdata.high)),
challengeData: @iv & @header)
return ok(Packet(flag: Flag.Whoareyou, whoareyou: whoareyou,
srcId: srcId))
return ok(Packet(flag: Flag.Whoareyou, whoareyou: whoareyou))
proc decodeHandshakePacket(c: var Codec, fromAddr: Address, srcId: NodeId,
ct, header: openArray[byte]): DecodeResult[Packet] =
proc decodeHandshakePacket(c: var Codec, fromAddr: Address, nonce: AESGCMNonce,
iv, header, ct: openArray[byte]): DecodeResult[Packet] =
# Checking if there is enough data to decode authdata-head
if header.len <= staticHeaderSize + authdataHeadSize:
return err(PacketError)
# check version
let authData = header[staticHeaderSize..header.high()]
if uint8(authData[0]) != version:
return err(HandshakeError)
let
nonce = authdata[1..12]
sigSize = uint8(authdata[13])
ephKeySize = uint8(authdata[14])
authdata = header[staticHeaderSize..header.high()]
srcId = NodeId.fromBytesBE(authdata.toOpenArray(0, 31))
sigSize = uint8(authdata[32])
ephKeySize = uint8(authdata[33])
# If smaller, as it can be equal and bigger (in case it holds an enr)
if header.len < staticHeaderSize + authdataHeadSize + int(sigSize) + int(ephKeySize):
@ -469,17 +495,18 @@ proc decodeHandshakePacket(c: var Codec, fromAddr: Address, srcId: NodeId,
authdata.toOpenArray(authdataHeadSize,
authdataHeadSize + int(sigSize) - 1)).mapErrTo(HandshakeError)
let h = idNonceHash(challenge.whoareyouData.idNonce, ephKeyRaw)
let h = idNonceHash(challenge.whoareyouData.challengeData, ephKeyRaw,
c.localNode.id)
if not verify(sig, SkMessage(h.data), pubkey):
return err(HandshakeError)
# Do the key derivation step only after id-nonce-sig is verified!
var secrets = deriveKeys(srcId, c.localNode.id, c.privKey,
ephKey, challenge.whoareyouData.idNonce)
ephKey, challenge.whoareyouData.challengeData)
swap(secrets.readKey, secrets.writeKey)
let pt = decryptGCM(secrets.readKey, nonce, ct, header)
let pt = decryptGCM(secrets.readKey, nonce, ct, @iv & @header)
if pt.isNone():
c.sessions.del(srcId, fromAddr)
# Differently from an ordinary message, this is seen as an error as the
@ -490,20 +517,19 @@ proc decodeHandshakePacket(c: var Codec, fromAddr: Address, srcId: NodeId,
# Only store the session secrets in case decryption was successful and also
# in case the message can get decoded.
c.sessions.store(srcId, fromAddr, secrets.readKey,
secrets.writeKey)
c.sessions.store(srcId, fromAddr, secrets.readKey, secrets.writeKey)
return ok(Packet(flag: Flag.HandshakeMessage, message: message, srcId: srcId,
node: newNode))
return ok(Packet(flag: Flag.HandshakeMessage, message: message,
srcIdHs: srcId, node: newNode))
proc decodePacket*(c: var Codec, fromAddr: Address, input: openArray[byte]):
DecodeResult[Packet] =
## Decode a packet. This can be a regular packet or a packet in response to a
## WHOAREYOU packet. In case of the latter a `newNode` might be provided.
# TODO: First size check. Which size however?
# IVSize + staticHeaderSize + 12 + ...? What is minimum message size?
if input.len() <= ivSize + staticHeaderSize + gcmNonceSize:
# Smallest packet is Whoareyou packet so that is the minimum size
if input.len() < whoareyouSize:
return err(PacketError)
# TODO: Just pass in the full input? Makes more sense perhaps..
let (staticHeader, header) = ? decodeHeader(c.localNode.id,
input.toOpenArray(0, ivSize - 1), # IV
@ -513,18 +539,20 @@ proc decodePacket*(c: var Codec, fromAddr: Address, input: openArray[byte]):
case staticHeader.flag
of OrdinaryMessage:
# TODO: Extra size check on ct data?
return decodeMessagePacket(c, fromAddr, staticHeader.srcId,
input.toOpenArray(ivSize + header.len, input.high), header)
return decodeMessagePacket(c, fromAddr, staticHeader.nonce,
input.toOpenArray(0, ivSize - 1), header,
input.toOpenArray(ivSize + header.len, input.high))
of Whoareyou:
# Header size got checked in decode header
return decodeWhoareyouPacket(c, staticHeader.srcId,
header.toOpenArray(staticHeaderSize, header.high()))
return decodeWhoareyouPacket(c, staticHeader.nonce,
input.toOpenArray(0, ivSize - 1), header)
of HandshakeMessage:
# TODO: Extra size check on ct data?
return decodeHandshakePacket(c, fromAddr, staticHeader.srcId,
input.toOpenArray(ivSize + header.len, input.high), header)
return decodeHandshakePacket(c, fromAddr, staticHeader.nonce,
input.toOpenArray(0, ivSize - 1), header,
input.toOpenArray(ivSize + header.len, input.high))
proc init*(T: type RequestId, rng: var BrHmacDrbgContext): T =
var buf: array[sizeof(T), byte]

View File

@ -316,29 +316,21 @@ proc handleMessage(d: Protocol, srcId: NodeId, fromAddr: Address,
proc sendWhoareyou(d: Protocol, toId: NodeId, a: Address,
requestNonce: AESGCMNonce, node: Option[Node]) {.raises: [Exception].} =
var idNonce: IdNonce
brHmacDrbgGenerate(d.rng[], idNonce)
let key = HandShakeKey(nodeId: toId, address: $a)
if not d.codec.hasHandshake(key):
let
recordSeq = if node.isSome(): node.get().record.seqNum
else: 0
pubkey = if node.isSome(): some(node.get().pubkey)
else: none(PublicKey)
let
recordSeq = if node.isSome(): node.get().record.seqNum
else: 0
whoareyouData = WhoareyouData(requestNonce: requestNonce,
idNonce: idNonce, recordSeq: recordSeq)
pubkey = if node.isSome(): some(node.get().pubkey)
else: none(PublicKey)
challenge = Challenge(whoareyouData: whoareyouData, pubkey: pubkey)
key = HandShakeKey(nodeId: toId, address: $a)
if not d.codec.handshakes.hasKeyOrPut(key, challenge):
# TODO: raises: [Exception], but it shouldn't.
let data = encodeWhoareyouPacket(d.rng[], d.codec, toId, a, requestNonce,
recordSeq, pubkey)
sleepAsync(handshakeTimeout).addCallback() do(data: pointer):
# TODO: should we still provide cancellation in case handshake completes
# correctly?
d.codec.handshakes.del(key)
let data = encodeWhoareyouPacket(d.rng[], d.codec, toId,
requestNonce, idNonce, recordSeq)
d.send(a, data)
else:
debug "Node with this id already has ongoing handshake, ignoring packet"
@ -374,15 +366,14 @@ proc receive*(d: Protocol, a: Address, packet: openArray[byte]) {.gcsafe,
# This is a node we previously contacted and thus must have an address.
doAssert(toNode.address.isSome())
let data = encodeHandshakePacket(d.rng[], d.codec, toNode.id,
toNode.address.get(), pr.message, packet.whoareyou.idNonce,
packet.whoareyou.recordSeq, toNode.pubkey)
toNode.address.get(), pr.message, packet.whoareyou, toNode.pubkey)
d.send(toNode, data)
else:
debug "Timed out or unrequested Whoareyou packet"
of HandshakeMessage:
trace "Received handshake packet"
d.handleMessage(packet.srcId, a, packet.message)
d.handleMessage(packet.srcIdHs, a, packet.message)
# For a handshake message it is possible that we received an newer ENR.
# In that case we can add/update it to the routing table.
if packet.node.isSome():

View File

@ -4,12 +4,9 @@ import
eth/[rlp, keys],
eth/p2p/discoveryv5/[typesv1, encodingv1, enr, node, sessions]
# According to test vectors:
# https://github.com/ethereum/devp2p/blob/master/discv5/discv5-wire-test-vectors.md
let rng = newRng()
suite "Discovery v5 Protocol Message Encodings":
suite "Discovery v5.1 Protocol Message Encodings":
test "Ping Request":
var p: PingMessage
p.enrSeq = 1
@ -47,11 +44,13 @@ suite "Discovery v5 Protocol Message Encodings":
var reqId: RequestId = 1
check encodeMessage(p, reqId).toHex == "04f8f20101f8eef875b8401ce2991c64993d7c84c29a00bdc871917551c7d330fca2dd0d69c706596dc655448f030b98a77d4001fd46ae0112ce26d613c5a6a02a81a6223cd0c4edaa53280182696482763489736563703235366b31a103ca634cae0d49acb401d8a4c6b6fe8c55b70d115bf400769cc1400f3258cd3138f875b840d7f1c39e376297f81d7297758c64cb37dcc5c3beea9f57f7ce9695d7d5a67553417d719539d6ae4b445946de4d99e680eb8063f29485b555d45b7df16a1850130182696482763489736563703235366b31a1030e2cb74241c0c4fc8e8166f1a79a05d5b0dd95813a74b094529f317d5c39d235"
suite "Discovery v5 Cryptographic Primitives":
# According to test vectors:
# https://github.com/fjl/devp2p/blob/discv5-v1-update/discv5/discv5-wire-test-vectors.md#cryptographic-primitives
suite "Discovery v5.1 Cryptographic Primitives Test Vectors":
test "ECDH":
const
# input
publicKey = "0x9961e4c2356d61bedb83052c115d311acb3a96f5777296dcf297351130266231503061ac4aaee666073d7e5bc2c80c3f5c5b500c1cb5fd0a76abbb6b675ad157"
publicKey = "0x039961e4c2356d61bedb83052c115d311acb3a96f5777296dcf297351130266231"
secretKey = "0xfb757dc581730490a1d7a00deea65e9b1936924caaea8f44d476014856b68736"
# expected output
sharedSecret = "0x033b11a2a1f214567e1537ce5e509ffd9b21373247f2a3ff6841f4976f53165e7e"
@ -59,41 +58,51 @@ suite "Discovery v5 Cryptographic Primitives":
let
pub = PublicKey.fromHex(publicKey)[]
priv = PrivateKey.fromHex(secretKey)[]
let eph = ecdhRawFull(priv, pub)
eph = ecdhRawFull(priv, pub)
check:
eph.data == hexToSeqByte(sharedSecret)
test "Key Derivation":
# const
# # input
# secretKey = "0x02a77e3aa0c144ae7c0a3af73692b7d6e5b7a2fdc0eda16e8d5e6cb0d08e88dd04"
# nodeIdA = "0xa448f24c6d18e575453db13171562b71999873db5b286df957af199ec94617f7"
# nodeIdB = "0x885bba8dfeddd49855459df852ad5b63d13a3fae593f3f9fa7e317fd43651409"
# idNonce = "0x0101010101010101010101010101010101010101010101010101010101010101"
# # expected output
# initiatorKey = "0x238d8b50e4363cf603a48c6cc3542967"
# recipientKey = "0xbebc0183484f7e7ca2ac32e3d72c8891"
# authRespKey = "0xe987ad9e414d5b4f9bfe4ff1e52f2fae"
const
# input
ephemeralKey = "0xfb757dc581730490a1d7a00deea65e9b1936924caaea8f44d476014856b68736"
destPubkey = "0x0317931e6e0840220642f230037d285d122bc59063221ef3226b1f403ddc69ca91"
nodeIdA = "0xaaaa8419e9f49d0083561b48287df592939a8d19947d8c0ef88f2a4856a69fbb"
nodeIdB = "0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9"
challengeData = "0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000000"
# expected output
initiatorKey = "0xdccc82d81bd610f4f76d3ebe97a40571"
recipientKey = "0xac74bb8773749920b0d3a8881c173ec5"
# Code doesn't allow to start from shared `secretKey`, but only from the
# public and private key. Would require pulling `ecdhAgree` out of
# `deriveKeys`
skip()
let secrets = deriveKeys(
NodeId.fromHex(nodeIdA),
NodeId.fromHex(nodeIdB),
PrivateKey.fromHex(ephemeralKey)[],
PublicKey.fromHex(destPubkey)[],
hexToSeqByte(challengeData))
check:
secrets.writeKey == hexToByteArray[aesKeySize](initiatorKey)
secrets.readKey == hexToByteArray[aesKeySize](recipientKey)
test "Nonce Signing":
const
# input
idNonce = "0xa77e3aa0c144ae7c0a3af73692b7d6e5b7a2fdc0eda16e8d5e6cb0d08e88dd04"
ephemeralKey = "0x9961e4c2356d61bedb83052c115d311acb3a96f5777296dcf297351130266231503061ac4aaee666073d7e5bc2c80c3f5c5b500c1cb5fd0a76abbb6b675ad157"
localSecretKey = "0xfb757dc581730490a1d7a00deea65e9b1936924caaea8f44d476014856b68736"
staticKey = "0xfb757dc581730490a1d7a00deea65e9b1936924caaea8f44d476014856b68736"
challengeData = "0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000000"
ephemeralPubkey = "0x039961e4c2356d61bedb83052c115d311acb3a96f5777296dcf297351130266231"
nodeIdB = "0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9"
# expected output
idNonceSig = "0xc5036e702a79902ad8aa147dabfe3958b523fd6fa36cc78e2889b912d682d8d35fdea142e141f690736d86f50b39746ba2d2fc510b46f82ee08f08fd55d133a4"
idSignature = "0x94852a1e2318c4e5e9d422c98eaf19d1d90d876b29cd06ca7cb7546d0fff7b484fe86c09a064fe72bdbef73ba8e9c34df0cd2b53e9d65528c2c7f336d5dfc6e6"
let
privKey = PrivateKey.fromHex(localSecretKey)[]
signature = signIDNonce(privKey, hexToByteArray[idNonceSize](idNonce),
hexToByteArray[64](ephemeralKey))
check signature.toRaw() == hexToByteArray[64](idNonceSig)
privKey = PrivateKey.fromHex(staticKey)[]
signature = signIDNonce(
privKey,
hexToSeqByte(challengeData),
hexToSeqByte(ephemeralPubkey),
NodeId.fromHex(nodeIdB))
check signature.toRaw() == hexToByteArray[64](idSignature)
test "Encryption/Decryption":
const
@ -111,14 +120,9 @@ suite "Discovery v5 Cryptographic Primitives":
hexToByteArray[32](ad))
check encrypted == hexToSeqByte(messageCiphertext)
test "Authentication Header and Encrypted Message Generation":
# Can't work directly with the provided shared secret as keys are derived
# inside makeAuthHeader, and passed on one call up.
# The encryption of the auth-resp-pt uses one of these keys, as does the
# encryption of the message itself. So the whole test depends on this.
skip()
suite "Discovery v5.1 Test Vectors":
# According to test vectors:
# https://github.com/fjl/devp2p/blob/discv5-v1-update/discv5/discv5-wire-test-vectors.md#packet-encodings
suite "Discovery v5.1 Packet Encodings Test Vectors":
const
nodeAKey = "0xeef77acb6c6a6eebc5b363a475ac583ec7eccdb42b6481424c60f59aa326547f"
nodeBKey = "0x66fb62bfbd66b9177a138c1e5cddbe4f7c30c343e94e68df8769459cb1cde628"
@ -143,13 +147,45 @@ suite "Discovery v5.1 Test Vectors":
codecB = Codec(localNode: nodeB, privKey: privKeyB,
sessions: Sessions.init(5))
test "Ping Ordinary Message Packet":
const
readKey = "0x00000000000000000000000000000000"
pingReqId = 0x00000001'u64
pingEnrSeq = 2'u64
encodedPacket =
"00000000000000000000000000000000088b3d4342774649325f313964a39e55" &
"ea96c005ad52be8c7560413a7008f16c9e6d2f43bbea8814a546b7409ce783d3" &
"4c4f53245d08dab84102ed931f66d1492acb308fa1c6715b9d139b81acbdcc"
let dummyKey = "0x00000000000000000000000000000001" # of no importance
codecA.sessions.store(nodeB.id, nodeB.address.get(),
hexToByteArray[aesKeySize](dummyKey), hexToByteArray[aesKeySize](readKey))
codecB.sessions.store(nodeA.id, nodeA.address.get(),
hexToByteArray[aesKeySize](readKey), hexToByteArray[aesKeySize](dummyKey))
# Note: Noticed when comparing these test vectors that we encode reqId as
# integer while it seems the test vectors have it encoded as byte seq,
# meaning having potentially leading zeroes.
let decoded = codecB.decodePacket(nodeA.address.get(), hexToSeqByte(encodedPacket))
check:
decoded.isOK()
decoded.get().messageOpt.isSome()
decoded.get().messageOpt.get().reqId == pingReqId
decoded.get().messageOpt.get().kind == ping
decoded.get().messageOpt.get().ping.enrSeq == pingEnrSeq
test "Whoareyou Packet":
const
whoareyouChallengeData = "0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000000"
whoareyouRequestNonce = "0x0102030405060708090a0b0c"
whoareyouIdNonce = "0x0102030405060708090a0b0c0d0e0f1000000000000000000000000000000000"
whoareyouIdNonce = "0x0102030405060708090a0b0c0d0e0f10"
whoareyouEnrSeq = 0
encodedPacket = "0x00000000000000000000000000000000088b3d4342776668980a4adf72a8fcaa963f24b27a2f6bb44c7ed5ca10e87de130f94d2390b9853c3ecb9ad5e368892ec562137bf19c6d0a9191a5651c4f415117bdfa0c7ab86af62b7a9784eceb28008d03ede83bd1369631f9f3d8da0b45"
encodedPacket =
"00000000000000000000000000000000088b3d434277464933a1ccc59f5967ad" &
"1d6035f15e528627dde75cd68292f9e6c27d6b66c8100a873fcbaed4e16b8d"
let decoded = codecB.decodePacket(nodeA.address.get(),
hexToSeqByte(encodedPacket))
@ -160,59 +196,35 @@ suite "Discovery v5.1 Test Vectors":
decoded.get().whoareyou.requestNonce == hexToByteArray[gcmNonceSize](whoareyouRequestNonce)
decoded.get().whoareyou.idNonce == hexToByteArray[idNonceSize](whoareyouIdNonce)
decoded.get().whoareyou.recordSeq == whoareyouEnrSeq
test "Ping Ordinary Message Packet":
const
# nonce = "0xffffffffffffffffffffffff"
readKey = "0x00000000000000000000000000000000"
pingReqId = 0x00000001'u64
pingEnrSeq = 2'u64
encodedPacket = "00000000000000000000000000000000088b3d4342776668980a4adf72a8fcaa963f24b27a2f6bb44c7ed5ca10e87de130f94d2390b9853c3fcba22b1e9472d43c9ae48d04689eb84102ed931f66d180cbb4219f369a24f4e6b24d7bdc2a04"
let dummyKey = "0x00000000000000000000000000000001" # of no importance
codecA.sessions.store(nodeB.id, nodeB.address.get(),
hexToByteArray[aesKeySize](dummyKey), hexToByteArray[aesKeySize](readKey))
codecB.sessions.store(nodeA.id, nodeA.address.get(),
hexToByteArray[aesKeySize](readKey), hexToByteArray[aesKeySize](dummyKey))
# Note: Noticed when comparing these test vectors that we encode reqId as
# integer while it seems the test vectors have it encoded as byte seq,
# meaning having potentially heaving leading zeroes.
let decoded = codecB.decodePacket(nodeA.address.get(), hexToSeqByte(encodedPacket))
check:
decoded.isOK()
decoded.get().messageOpt.isSome()
decoded.get().messageOpt.get().reqId == pingReqId
decoded.get().messageOpt.get().kind == ping
decoded.get().messageOpt.get().ping.enrSeq == pingEnrSeq
decoded.get().whoareyou.challengeData == hexToSeqByte(whoareyouChallengeData)
test "Ping Handshake Message Packet":
const
# srcNodeId = "0xaaaa8419e9f49d0083561b48287df592939a8d19947d8c0ef88f2a4856a69fbb"
# destNodeId = "0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9"
# nonce = "0xffffffffffffffffffffffff"
# readKey = "0x4917330b5aeb51650213f90d5f253c45"
pingReqId = 0x00000001'u64
pingEnrSeq = 1'u64
#
# handshake inputs:
#
whoareyouChallengeData = "0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000001"
whoareyouRequestNonce = "0x0102030405060708090a0b0c"
whoareyouIdNonce = "0x0102030405060708090a0b0c0d0e0f1000000000000000000000000000000000"
whoareyouIdNonce = "0x0102030405060708090a0b0c0d0e0f10"
whoareyouEnrSeq = 1'u64
# ephemeralKey = "0x0288ef00023598499cb6c940146d050d2b1fb914198c327f76aad590bead68b6"
# ephemeralPubkey = "0x039a003ba6517b473fa0cd74aefe99dadfdb34627f90fec6362df85803908f53a5"
encodedPacket = "00000000000000000000000000000000088b3d4342776668980a4adf72a8fcaa963f24b27a2f6bb44c7ed5ca10e87de130f94d2390b9853c3dcbded51e9472d43c9ae48d04689ef4d3b340a9cb02d3f5cb5c73f266876372a497ef20dccc83eebcf61f61bc2bb13655118c2dddd4fa7f66210832e7c45c2af87b635121ae132057cce99aa7d2760b31390fea5142053c97feb5fc3f5d0ff3d71008a5b6724bbfc8c97746524e695129d2bd7fccc3d4569a69fd8a783849a117bd23ec5b5d02be0a0c57"
encodedPacket =
"00000000000000000000000000000000088b3d4342774649305f313964a39e55" &
"ea96c005ad521d8c7560413a7008f16c9e6d2f43bbea8814a546b7409ce783d3" &
"4c4f53245d08da4bb252012b2cba3f4f374a90a75cff91f142fa9be3e0a5f3ef" &
"268ccb9065aeecfd67a999e7fdc137e062b2ec4a0eb92947f0d9a74bfbf44dfb" &
"a776b21301f8b65efd5796706adff216ab862a9186875f9494150c4ae06fa4d1" &
"f0396c93f215fa4ef524f1eadf5f0f4126b79336671cbcf7a885b1f8bd2a5d83" &
"9cf8"
let
whoareyouData = WhoareyouData(
requestNonce: hexToByteArray[gcmNonceSize](whoareyouRequestNonce),
idNonce: hexToByteArray[idNonceSize](whoareyouIdNonce),
recordSeq: whoareyouEnrSeq)
recordSeq: whoareyouEnrSeq,
challengeData: hexToSeqByte(whoareyouChallengeData))
pubkey = some(privKeyA.toPublicKey())
challenge = Challenge(whoareyouData: whoareyouData, pubkey: pubkey)
key = HandShakeKey(nodeId: nodeA.id, address: $(nodeA.address.get()))
@ -222,43 +234,44 @@ suite "Discovery v5.1 Test Vectors":
let decoded = codecB.decodePacket(nodeA.address.get(),
hexToSeqByte(encodedPacket))
skip()
# TODO: This test fails at the deriveKeys step. The readkey is not the
# expected value of above. Hardcoding that values makes decryption work.
# TBI.
# check:
# decoded.isOk()
# decoded.get().message.reqId == pingReqId
# decoded.get().message.kind == ping
# decoded.get().message.ping.enrSeq == pingEnrSeq
# decoded.get().node.isNone()
check:
decoded.isOk()
decoded.get().message.reqId == pingReqId
decoded.get().message.kind == ping
decoded.get().message.ping.enrSeq == pingEnrSeq
decoded.get().node.isNone()
test "Ping Handshake Message Packet with ENR":
const
# srcNodeId = "0xaaaa8419e9f49d0083561b48287df592939a8d19947d8c0ef88f2a4856a69fbb"
# destNodeId = "0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9"
# nonce = "0xffffffffffffffffffffffff"
# readKey = "0x4917330b5aeb51650213f90d5f253c45"
pingReqId = 0x00000001'u64
pingEnrSeq = 1'u64
#
# handshake inputs:
#
whoareyouChallengeData = "0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000000"
whoareyouRequestNonce = "0x0102030405060708090a0b0c"
whoareyouIdNonce = "0x0102030405060708090a0b0c0d0e0f1000000000000000000000000000000000"
whoareyouIdNonce = "0x0102030405060708090a0b0c0d0e0f10"
whoareyouEnrSeq = 0'u64
# ephemeralKey = "0x0288ef00023598499cb6c940146d050d2b1fb914198c327f76aad590bead68b6"
# ephemeralPubkey = "0x039a003ba6517b473fa0cd74aefe99dadfdb34627f90fec6362df85803908f53a5"
encodedPacket = "00000000000000000000000000000000088b3d4342776668980a4adf72a8fcaa963f24b27a2f6bb44c7ed5ca10e87de130f94d2390b9853c3dcaa0d51e9472d43c9ae48d04689ef4d3d2602a5e89ac340f9e81e722b1d7dac2578d520dd5bc6dc1e38ad3ab33012be1a5d259267a0947bf242219834c5702d1c694c0ceb4a6a27b5d68bd2c2e32e6cb9696706adff216ab862a9186875f9494150c4ae06fa4d1f0396c93f215fa4ef52417d9c40a31564e8d5f31a7f08c38045ff5e30d9661838b1eabee9f1e561120bcc4d9f2f9c839152b4ab970e029b2395b97e8c3aa8d3b497ee98a15e865bcd34effa8b83eb6396bca60ad8f0bff1e047e278454bc2b3d6404c12106a9d0b6107fc2383976fc05fbda2c954d402c28c8fb53a2b3a4b111c286ba2ac4ff880168323c6e97b01dbcbeef4f234e5849f75ab007217c919820aaa1c8a7926d3625917fccc3d4569a69fd8aca026be87afab8e8e645d1ee888992"
encodedPacket =
"00000000000000000000000000000000088b3d4342774649305f313964a39e55" &
"ea96c005ad539c8c7560413a7008f16c9e6d2f43bbea8814a546b7409ce783d3" &
"4c4f53245d08da4bb23698868350aaad22e3ab8dd034f548a1c43cd246be9856" &
"2fafa0a1fa86d8e7a3b95ae78cc2b988ded6a5b59eb83ad58097252188b902b2" &
"1481e30e5e285f19735796706adff216ab862a9186875f9494150c4ae06fa4d1" &
"f0396c93f215fa4ef524e0ed04c3c21e39b1868e1ca8105e585ec17315e755e6" &
"cfc4dd6cb7fd8e1a1f55e49b4b5eb024221482105346f3c82b15fdaae36a3bb1" &
"2a494683b4a3c7f2ae41306252fed84785e2bbff3b022812d0882f06978df84a" &
"80d443972213342d04b9048fc3b1d5fcb1df0f822152eced6da4d3f6df27e70e" &
"4539717307a0208cd208d65093ccab5aa596a34d7511401987662d8cf62b1394" &
"71"
let
whoareyouData = WhoareyouData(
requestNonce: hexToByteArray[gcmNonceSize](whoareyouRequestNonce),
idNonce: hexToByteArray[idNonceSize](whoareyouIdNonce),
recordSeq: whoareyouEnrSeq)
recordSeq: whoareyouEnrSeq,
challengeData: hexToSeqByte(whoareyouChallengeData))
pubkey = none(PublicKey)
challenge = Challenge(whoareyouData: whoareyouData, pubkey: pubkey)
key = HandShakeKey(nodeId: nodeA.id, address: $(nodeA.address.get()))
@ -268,19 +281,14 @@ suite "Discovery v5.1 Test Vectors":
let decoded = codecB.decodePacket(nodeA.address.get(),
hexToSeqByte(encodedPacket))
skip()
# TODO: This test fails at the deriveKeys step. The readkey is not the
# expected value of above. Hardcoding that values makes decryption work.
# TBI.
check:
decoded.isOk()
decoded.get().message.reqId == pingReqId
decoded.get().message.kind == ping
decoded.get().message.ping.enrSeq == pingEnrSeq
decoded.get().node.isSome()
# check:
# decoded.isOk()
# decoded.get().message.reqId == pingReqId
# decoded.get().message.kind == ping
# decoded.get().message.ping.enrSeq == pingEnrSeq
# decoded.get().node.isSome()
suite "Discovery v5.1 Additional":
suite "Discovery v5.1 Additional Encode/Decode":
test "Encryption/Decryption":
let
encryptionKey = hexToByteArray[aesKeySize]("0x9f2d77db7004bf8a1a85107ac686990b")
@ -288,8 +296,9 @@ suite "Discovery v5.1 Additional":
ad = hexToByteArray[32]("0x93a7400fa0d6a694ebc24d5cf570f65d04215b6ac00757875e3f3a5f42107903")
pt = hexToSeqByte("0xa1")
let ct = encryptGCM(encryptionKey, nonce, pt, ad)
let decrypted = decryptGCM(encryptionKey, nonce, ct, ad)
let
ct = encryptGCM(encryptionKey, nonce, pt, ad)
decrypted = decryptGCM(encryptionKey, nonce, ct, ad)
check decrypted.get() == pt
@ -316,13 +325,15 @@ suite "Discovery v5.1 Additional":
check decryptGCM(encryptionKey, nonce, invalidCipher, ad).isNone()
test "Encrypt / Decrypt header":
var nonce: AESGCMNonce
brHmacDrbgGenerate(rng[], nonce)
let
privKey = PrivateKey.random(rng[])
nodeId = privKey.toPublicKey().toNodeId()
authdata = [byte 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]
staticHeader = encodeStaticHeader(nodeId, Flag.OrdinaryMessage,
authdata = newSeq[byte](32)
staticHeader = encodeStaticHeader(Flag.OrdinaryMessage, nonce,
authdata.len())
header = @staticHeader & @authdata
header = staticHeader & authdata
var iv: array[128 div 8, byte]
brHmacDrbgGenerate(rng[], iv)
@ -367,49 +378,47 @@ suite "Discovery v5.1 Additional":
decoded[].requestNonce == nonce
test "Encode / Decode Whoareyou Packet":
var
requestNonce: AESGCMNonce
idNonce: IdNonce
brHmacDrbgGenerate(rng[], idNonce)
var requestNonce: AESGCMNonce
brHmacDrbgGenerate(rng[], requestNonce)
let recordSeq = 0'u64
let data = encodeWhoareyouPacket(rng[], codecA, nodeB.id, requestNonce, idNonce,
recordSeq)
let data = encodeWhoareyouPacket(rng[], codecA, nodeB.id,
nodeB.address.get(), requestNonce, recordSeq, none(PublicKey))
let decoded = codecB.decodePacket(nodeA.address.get(), data)
let key = HandShakeKey(nodeId: nodeB.id, address: $nodeB.address.get())
var challenge: Challenge
check:
codecA.handshakes.pop(key, challenge)
decoded.isOk()
decoded[].flag == Flag.Whoareyou
decoded[].whoareyou.requestNonce == requestNonce
decoded[].whoareyou.idNonce == idNonce
decoded[].whoareyou.idNonce == challenge.whoareyouData.idNonce
decoded[].whoareyou.recordSeq == recordSeq
test "Encode / Decode Handshake Message Packet":
var
requestNonce: AESGCMNonce
idNonce: IdNonce
brHmacDrbgGenerate(rng[], idNonce)
var requestNonce: AESGCMNonce
brHmacDrbgGenerate(rng[], requestNonce)
let recordSeq = 1'u64
let
recordSeq = 1'u64
m = PingMessage(enrSeq: 0)
reqId = RequestId.init(rng[])
message = encodeMessage(m, reqId)
let
whoareyouData = WhoareyouData(
requestNonce: requestNonce,
idNonce: idNonce,
recordSeq: recordSeq)
pubkey = some(privKeyA.toPublicKey())
challenge = Challenge(whoareyouData: whoareyouData, pubkey: pubkey)
key = HandShakeKey(nodeId: nodeA.id, address: $(nodeA.address.get()))
check: not codecB.handshakes.hasKeyOrPut(key, challenge)
# Encode/decode whoareyou packet to get the handshake stored and the
# whoareyou data returned. It's either that or construct the header for the
# whoareyouData manually.
let
encodedDummy = encodeWhoareyouPacket(rng[], codecB, nodeA.id,
nodeA.address.get(), requestNonce, recordSeq, pubkey)
decodedDummy = codecA.decodePacket(nodeB.address.get(), encodedDummy)
let data = encodeHandshakePacket(rng[], codecA, nodeB.id,
nodeB.address.get(), message, idNonce, recordSeq, privKeyB.toPublicKey())
nodeB.address.get(), message, decodedDummy[].whoareyou,
privKeyB.toPublicKey())
let decoded = codecB.decodePacket(nodeA.address.get(), data)
@ -421,32 +430,28 @@ suite "Discovery v5.1 Additional":
decoded.get().node.isNone()
test "Encode / Decode Handshake Message Packet with ENR":
var
requestNonce: AESGCMNonce
idNonce: IdNonce
brHmacDrbgGenerate(rng[], idNonce)
var requestNonce: AESGCMNonce
brHmacDrbgGenerate(rng[], requestNonce)
let
recordSeq = 0'u64
m = PingMessage(enrSeq: 0)
reqId = RequestId.init(rng[])
message = encodeMessage(m, reqId)
whoareyouData = WhoareyouData(requestNonce: requestNonce,
idNonce: idNonce, recordSeq: recordSeq)
pubkey = none(PublicKey)
challenge = Challenge(whoareyouData: whoareyouData, pubkey: pubkey)
key = HandShakeKey(nodeId: nodeA.id, address: $(nodeA.address.get()))
# Need to manually add the handshake, which would normally be done when
# sending a whoareyou Packet.
check: not codecB.handshakes.hasKeyOrPut(key, challenge)
# Encode/decode whoareyou packet to get the handshake stored and the
# whoareyou data returned. It's either that or construct the header for the
# whoareyouData manually.
let
encodedDummy = encodeWhoareyouPacket(rng[], codecB, nodeA.id,
nodeA.address.get(), requestNonce, recordSeq, pubkey)
decodedDummy = codecA.decodePacket(nodeB.address.get(), encodedDummy)
let data = encodeHandshakePacket(rng[], codecA, nodeB.id,
nodeB.address.get(), message, idNonce, recordSeq, privKeyB.toPublicKey())
let encoded = encodeHandshakePacket(rng[], codecA, nodeB.id,
nodeB.address.get(), message, decodedDummy[].whoareyou,
privKeyB.toPublicKey())
let decoded = codecB.decodePacket(nodeA.address.get(), data)
let decoded = codecB.decodePacket(nodeA.address.get(), encoded)
check:
decoded.isOk()
@ -462,7 +467,7 @@ suite "Discovery v5.1 Additional":
reqId = RequestId.init(rng[])
message = encodeMessage(m, reqId)
# Need to manually add the secrets the normally get negotiated in the
# Need to manually add the secrets that normally get negotiated in the
# handshake packet.
var secrets: HandshakeSecrets
codecA.sessions.store(nodeB.id, nodeB.address.get(), secrets.readKey, secrets.writeKey)