mirror of https://github.com/status-im/nim-eth.git
Update to support the latest discv5.1 specification
This commit is contained in:
parent
820a73f96f
commit
17ef0b25e0
|
@ -8,17 +8,19 @@ export keys
|
|||
{.push raises: [Defect].}
|
||||
|
||||
const
|
||||
version: uint8 = 1
|
||||
version: uint16 = 1
|
||||
idNoncePrefix = "discovery-id-nonce"
|
||||
idSignatureText = "discovery v5 identity proof"
|
||||
keyAgreementPrefix = "discovery v5 key agreement"
|
||||
protocolIdStr = "discv5 "
|
||||
protocolIdStr = "discv5"
|
||||
protocolId = toBytes(protocolIdStr)
|
||||
gcmNonceSize* = 12
|
||||
idNonceSize* = 32
|
||||
idNonceSize* = 16
|
||||
gcmTagSize* = 16
|
||||
ivSize = 16
|
||||
staticHeaderSize = protocolId.len + sizeof(NodeId) + 1 + 2
|
||||
authdataHeadSize = 1 + gcmNonceSize + 1 + 1
|
||||
ivSize* = 16
|
||||
staticHeaderSize = protocolId.len + 2 + 2 + 1 + gcmNonceSize
|
||||
authdataHeadSize = sizeof(NodeId) + 1 + 1
|
||||
whoareyouSize = ivSize + staticHeaderSize + idNonceSize + 8
|
||||
|
||||
type
|
||||
AESGCMNonce* = array[gcmNonceSize, byte]
|
||||
|
@ -26,16 +28,17 @@ type
|
|||
|
||||
WhoareyouData* = object
|
||||
requestNonce*: AESGCMNonce
|
||||
idNonce*: IdNonce
|
||||
idNonce*: IdNonce # TODO: This data is also available in challengeData
|
||||
recordSeq*: uint64
|
||||
challengeData*: seq[byte]
|
||||
|
||||
Challenge* = object
|
||||
whoareyouData*: WhoareyouData
|
||||
pubkey*: Option[PublicKey]
|
||||
|
||||
StaticHeader* = object
|
||||
srcId: NodeId
|
||||
flag: Flag
|
||||
nonce: AESGCMNonce
|
||||
authdataSize: uint16
|
||||
|
||||
HandshakeSecrets* = object
|
||||
|
@ -52,13 +55,14 @@ type
|
|||
of OrdinaryMessage:
|
||||
messageOpt*: Option[Message]
|
||||
requestNonce*: AESGCMNonce
|
||||
srcId*: NodeId
|
||||
of Whoareyou:
|
||||
whoareyou*: WhoareyouData
|
||||
of HandshakeMessage:
|
||||
message*: Message # In a handshake we expect to always be able to decrypt
|
||||
# TODO record or node immediately?
|
||||
node*: Option[Node]
|
||||
srcId*: NodeId
|
||||
srcIdHs*: NodeId
|
||||
|
||||
Codec* = object
|
||||
localNode*: Node
|
||||
|
@ -79,21 +83,23 @@ proc mapErrTo[T, E](r: Result[T, E], v: static DecodeError):
|
|||
DecodeResult[T] =
|
||||
r.mapErr(proc (e: E): DecodeError = v)
|
||||
|
||||
proc idNonceHash(nonce, ephkey: openarray[byte]): MDigest[256] =
|
||||
proc idNonceHash(challengeData, ephkey: openarray[byte], nodeId: NodeId):
|
||||
MDigest[256] =
|
||||
var ctx: sha256
|
||||
ctx.init()
|
||||
ctx.update(idNoncePrefix)
|
||||
ctx.update(nonce)
|
||||
ctx.update(idSignatureText)
|
||||
ctx.update(challengeData)
|
||||
ctx.update(ephkey)
|
||||
ctx.update(nodeId.toByteArrayBE())
|
||||
result = ctx.finish()
|
||||
ctx.clear()
|
||||
|
||||
proc signIDNonce*(privKey: PrivateKey, idNonce, ephKey: openarray[byte]):
|
||||
SignatureNR =
|
||||
signNR(privKey, SkMessage(idNonceHash(idNonce, ephKey).data))
|
||||
proc signIDNonce*(privKey: PrivateKey, challengeData,
|
||||
ephKey: openarray[byte], nodeId: NodeId): SignatureNR =
|
||||
signNR(privKey, SkMessage(idNonceHash(challengeData, ephKey, nodeId).data))
|
||||
|
||||
proc deriveKeys*(n1, n2: NodeID, priv: PrivateKey, pub: PublicKey,
|
||||
idNonce: openarray[byte]): HandshakeSecrets =
|
||||
challengeData: openarray[byte]): HandshakeSecrets =
|
||||
let eph = ecdhRawFull(priv, pub)
|
||||
|
||||
var info = newSeqOfCap[byte](keyAgreementPrefix.len + 32 * 2)
|
||||
|
@ -104,7 +110,9 @@ proc deriveKeys*(n1, n2: NodeID, priv: PrivateKey, pub: PublicKey,
|
|||
var secrets: HandshakeSecrets
|
||||
static: assert(sizeof(secrets) == aesKeySize * 2)
|
||||
var res = cast[ptr UncheckedArray[byte]](addr secrets)
|
||||
hkdf(sha256, eph.data, idNonce, info, toOpenArray(res, 0, sizeof(secrets) - 1))
|
||||
|
||||
hkdf(sha256, eph.data, challengeData, info,
|
||||
toOpenArray(res, 0, sizeof(secrets) - 1))
|
||||
secrets
|
||||
|
||||
proc encryptGCM*(key, nonce, pt, authData: openarray[byte]): seq[byte] =
|
||||
|
@ -141,21 +149,29 @@ proc encryptHeader*(id: NodeId, iv, header: openarray[byte]): seq[byte] =
|
|||
ectx.encrypt(header, result)
|
||||
ectx.clear()
|
||||
|
||||
proc encodeStaticHeader*(srcId: NodeId, flag: Flag, authSize: int): seq[byte] =
|
||||
proc hasHandshake*(c: Codec, key: HandShakeKey): bool =
|
||||
c.handshakes.hasKey(key)
|
||||
|
||||
proc encodeStaticHeader*(flag: Flag, nonce: AESGCMNonce, authSize: int):
|
||||
seq[byte] =
|
||||
result.add(protocolId)
|
||||
result.add(srcId.toByteArrayBE())
|
||||
result.add(version.toBytesBE())
|
||||
result.add(byte(flag))
|
||||
result.add(nonce)
|
||||
# TODO: assert on authSize of > 2^16?
|
||||
result.add((uint16(authSize)).toBytesBE())
|
||||
|
||||
proc encodeMessagePacket*(rng: var BrHmacDrbgContext, c: var Codec,
|
||||
toId: NodeID, toAddr: Address, message: openarray[byte]):
|
||||
(seq[byte], AESGCMNonce) =
|
||||
var authdata: AESGCMNonce
|
||||
brHmacDrbgGenerate(rng, authdata) # Random AESGCM nonce
|
||||
var nonce: AESGCMNonce
|
||||
brHmacDrbgGenerate(rng, nonce) # Random AESGCM nonce
|
||||
var iv: array[ivSize, byte]
|
||||
brHmacDrbgGenerate(rng, iv) # Random IV
|
||||
|
||||
# static-header
|
||||
let staticHeader = encodeStaticHeader(c.localNode.id, Flag.OrdinaryMessage,
|
||||
let authdata = c.localNode.id.toByteArrayBE()
|
||||
let staticHeader = encodeStaticHeader(Flag.OrdinaryMessage, nonce,
|
||||
authdata.len())
|
||||
# header = static-header || authdata
|
||||
var header: seq[byte]
|
||||
|
@ -166,20 +182,18 @@ proc encodeMessagePacket*(rng: var BrHmacDrbgContext, c: var Codec,
|
|||
var messageEncrypted: seq[byte]
|
||||
var writeKey, readKey: AesKey
|
||||
if c.sessions.load(toId, toAddr, readKey, writeKey):
|
||||
messageEncrypted = encryptGCM(writeKey, authdata, message, header)
|
||||
messageEncrypted = encryptGCM(writeKey, nonce, message, @iv & header)
|
||||
else:
|
||||
# We might not have the node's keys if the handshake hasn't been performed
|
||||
# yet. That's fine, we send a random-packet and we will be responded with
|
||||
# a WHOAREYOU packet.
|
||||
# TODO: What is minimum size of an encrypted message that we should provided
|
||||
# here?
|
||||
var randomData: array[44, byte]
|
||||
# TODO Minumum packet size is 63, we have here 16 + 23 + 32 = 71, so in theory
|
||||
# we don't need to add random data? But then how do we know if decryption
|
||||
# fails. Empty message automatically means -> whoareyou?
|
||||
var randomData: array[8, byte]
|
||||
brHmacDrbgGenerate(rng, randomData)
|
||||
messageEncrypted.add(randomData)
|
||||
|
||||
var iv: array[ivSize, byte]
|
||||
brHmacDrbgGenerate(rng, iv) # Random IV
|
||||
|
||||
let maskedHeader = encryptHeader(toId, iv, header)
|
||||
|
||||
var packet: seq[byte]
|
||||
|
@ -187,20 +201,22 @@ proc encodeMessagePacket*(rng: var BrHmacDrbgContext, c: var Codec,
|
|||
packet.add(maskedHeader)
|
||||
packet.add(messageEncrypted)
|
||||
|
||||
return (packet, authdata)
|
||||
return (packet, nonce)
|
||||
|
||||
proc encodeWhoareyouPacket*(rng: var BrHmacDrbgContext, c: var Codec,
|
||||
toId: NodeID, requestNonce: AESGCMNonce, idNonce: IdNonce, enrSeq: uint64):
|
||||
seq[byte] =
|
||||
toId: NodeID, toAddr: Address, requestNonce: AESGCMNonce, recordSeq: uint64,
|
||||
pubkey: Option[PublicKey]): seq[byte] =
|
||||
var idNonce: IdNonce
|
||||
brHmacDrbgGenerate(rng, idNonce)
|
||||
|
||||
# authdata
|
||||
var authdata: seq[byte]
|
||||
authdata.add(requestNonce)
|
||||
authdata.add(idNonce)
|
||||
authdata.add(enrSeq.tobytesBE)
|
||||
authdata.add(recordSeq.tobytesBE)
|
||||
|
||||
# static-header
|
||||
let staticHeader = encodeStaticHeader(c.localNode.id, Flag.Whoareyou,
|
||||
authdata.len()) # authdata will always be 52 bytes
|
||||
let staticHeader = encodeStaticHeader(Flag.Whoareyou, requestNonce,
|
||||
authdata.len())
|
||||
|
||||
# header = static-header || authdata
|
||||
var header: seq[byte]
|
||||
|
@ -216,50 +232,60 @@ proc encodeWhoareyouPacket*(rng: var BrHmacDrbgContext, c: var Codec,
|
|||
packet.add(iv)
|
||||
packet.add(maskedHeader)
|
||||
|
||||
let
|
||||
whoareyouData = WhoareyouData(
|
||||
requestNonce: requestNonce,
|
||||
idNonce: idNonce,
|
||||
recordSeq: recordSeq,
|
||||
challengeData: @iv & header)
|
||||
challenge = Challenge(whoareyouData: whoareyouData, pubkey: pubkey)
|
||||
key = HandShakeKey(nodeId: toId, address: $toAddr)
|
||||
|
||||
c.handshakes[key] = challenge
|
||||
|
||||
return packet
|
||||
|
||||
proc encodeHandshakePacket*(rng: var BrHmacDrbgContext, c: var Codec,
|
||||
toId: NodeID, toAddr: Address, message: openarray[byte], idNonce: IdNonce,
|
||||
enrSeq: uint64, pubkey: PublicKey): seq[byte] =
|
||||
toId: NodeID, toAddr: Address, message: openarray[byte],
|
||||
whoareyouData: WhoareyouData, pubkey: PublicKey): seq[byte] =
|
||||
var header: seq[byte]
|
||||
var nonce: AESGCMNonce
|
||||
brHmacDrbgGenerate(rng, nonce)
|
||||
var iv: array[ivSize, byte]
|
||||
brHmacDrbgGenerate(rng, iv) # Random IV
|
||||
|
||||
var authdata: seq[byte]
|
||||
var authdataHead: seq[byte]
|
||||
authdataHead.add(version)
|
||||
authdataHead.add(nonce)
|
||||
|
||||
authdataHead.add(c.localNode.id.toByteArrayBE())
|
||||
authdataHead.add(64'u8) # sig-size: 64
|
||||
authdataHead.add(33'u8) # eph-key-size: 33
|
||||
authdata.add(authdataHead)
|
||||
|
||||
let ephKeys = KeyPair.random(rng)
|
||||
let signature = signIDNonce(c.privKey, idNonce,
|
||||
ephKeys.pubkey.toRawCompressed())
|
||||
let signature = signIDNonce(c.privKey, whoareyouData.challengeData,
|
||||
ephKeys.pubkey.toRawCompressed(), toId)
|
||||
|
||||
authdata.add(signature.toRaw())
|
||||
# compressed pub key format (33 bytes)
|
||||
authdata.add(ephKeys.pubkey.toRawCompressed())
|
||||
|
||||
# Add ENR of sequence number is newer
|
||||
if enrSeq < c.localNode.record.seqNum:
|
||||
if whoareyouData.recordSeq < c.localNode.record.seqNum:
|
||||
authdata.add(encode(c.localNode.record))
|
||||
|
||||
let secrets = deriveKeys(c.localNode.id, toId, ephKeys.seckey, pubkey,
|
||||
idNonce)
|
||||
whoareyouData.challengeData)
|
||||
|
||||
# Header
|
||||
let staticHeader = encodeStaticHeader(c.localNode.id, Flag.HandshakeMessage,
|
||||
let staticHeader = encodeStaticHeader(Flag.HandshakeMessage, nonce,
|
||||
authdata.len())
|
||||
|
||||
header.add(staticHeader)
|
||||
header.add(authdata)
|
||||
|
||||
c.sessions.store(toId, toAddr, secrets.readKey, secrets.writeKey)
|
||||
let messageEncrypted = encryptGCM(secrets.writeKey, nonce, message, header)
|
||||
|
||||
var iv: array[ivSize, byte]
|
||||
brHmacDrbgGenerate(rng, iv) # Random IV
|
||||
let messageEncrypted = encryptGCM(secrets.writeKey, nonce, message, @iv & header)
|
||||
|
||||
let maskedHeader = encryptHeader(toId, iv, header)
|
||||
|
||||
|
@ -272,11 +298,8 @@ proc encodeHandshakePacket*(rng: var BrHmacDrbgContext, c: var Codec,
|
|||
|
||||
proc decodeHeader*(id: NodeId, iv, maskedHeader: openarray[byte]):
|
||||
DecodeResult[(StaticHeader, seq[byte])] =
|
||||
# Smallest header is staticHeader + gcm nonce for a ordinary message
|
||||
let inputLen = maskedHeader.len
|
||||
if inputLen < staticHeaderSize + gcmNonceSize:
|
||||
return err(PacketError)
|
||||
|
||||
# No need to check staticHeader size as that is included in minimum packet
|
||||
# size check in decodePacket
|
||||
var ectx: CTR[aes128]
|
||||
ectx.init(id.toByteArrayBE().toOpenArray(0, ivSize - 1), iv)
|
||||
# Decrypt static-header part of the header
|
||||
|
@ -287,15 +310,22 @@ proc decodeHeader*(id: NodeId, iv, maskedHeader: openarray[byte]):
|
|||
if staticHeader.toOpenArray(0, protocolId.len - 1) != protocolId:
|
||||
return err(PacketError)
|
||||
|
||||
let srcId = NodeId.fromBytesBE(staticHeader.toOpenArray(8, 39))
|
||||
|
||||
if staticHeader[40] < Flag.low.byte or staticHeader[40] > Flag.high.byte:
|
||||
if uint16.fromBytesBE(staticHeader.toOpenArray(6, 7)) != version:
|
||||
return err(PacketError)
|
||||
let flag = cast[Flag](staticHeader[40])
|
||||
|
||||
let authdataSize = uint16.fromBytesBE(staticHeader.toOpenArray(41, 42))
|
||||
if staticHeader[8] < Flag.low.byte or staticHeader[8] > Flag.high.byte:
|
||||
return err(PacketError)
|
||||
let flag = cast[Flag](staticHeader[8])
|
||||
|
||||
var nonce: AESGCMNonce
|
||||
copyMem(addr nonce[0], unsafeAddr staticHeader[9], gcmNonceSize)
|
||||
|
||||
let authdataSize = uint16.fromBytesBE(staticHeader.toOpenArray(21,
|
||||
staticHeader.high))
|
||||
|
||||
# Input should have minimum size of staticHeader + provided authdata size
|
||||
if inputLen < staticHeaderSize + int(authdataSize):
|
||||
# Can be larger as there can come a message after.
|
||||
if maskedHeader.len < staticHeaderSize + int(authdataSize):
|
||||
return err(PacketError)
|
||||
|
||||
var authdata = newSeq[byte](int(authdataSize))
|
||||
|
@ -303,7 +333,7 @@ proc decodeHeader*(id: NodeId, iv, maskedHeader: openarray[byte]):
|
|||
staticHeaderSize + int(authdataSize) - 1), authdata)
|
||||
ectx.clear()
|
||||
|
||||
ok((StaticHeader(srcId: srcId, flag: flag, authdataSize: authdataSize),
|
||||
ok((StaticHeader(authdataSize: authdataSize, flag: flag, nonce: nonce),
|
||||
staticHeader & authdata))
|
||||
|
||||
proc decodeMessage*(body: openarray[byte]): DecodeResult[Message] =
|
||||
|
@ -352,69 +382,65 @@ proc decodeMessage*(body: openarray[byte]): DecodeResult[Message] =
|
|||
else:
|
||||
err(PacketError)
|
||||
|
||||
proc decodeMessagePacket(c: var Codec, fromAddr: Address, srcId: NodeId,
|
||||
ct, header: openArray[byte]): DecodeResult[Packet] =
|
||||
# We now know the exact size that the header should be
|
||||
if header.len != staticHeaderSize + gcmNonceSize:
|
||||
return err(PacketError)
|
||||
|
||||
var nonce: AESGCMNonce
|
||||
copyMem(addr nonce[0], unsafeAddr header[staticHeaderSize], gcmNonceSize)
|
||||
|
||||
var writeKey, readKey: AesKey
|
||||
if not c.sessions.load(srcId, fromAddr, readKey, writeKey):
|
||||
# Don't consider this an error, simply haven't done a handshake yet or
|
||||
# the session got removed.
|
||||
trace "Decrypting failed (no keys)"
|
||||
return ok(Packet(flag: Flag.OrdinaryMessage, requestNonce: nonce,
|
||||
srcId: srcId))
|
||||
|
||||
let pt = decryptGCM(readKey, nonce, ct, header)
|
||||
if pt.isNone():
|
||||
# Don't consider this an error, the session got probably removed at the
|
||||
# peer's side.
|
||||
trace "Decrypting failed (invalid keys)"
|
||||
c.sessions.del(srcId, fromAddr)
|
||||
return ok(Packet(flag: Flag.OrdinaryMessage, requestNonce: nonce,
|
||||
srcId: srcId))
|
||||
|
||||
let message = ? decodeMessage(pt.get())
|
||||
|
||||
return ok(Packet(flag: Flag.OrdinaryMessage,
|
||||
messageOpt: some(message), requestNonce: nonce, srcId: srcId))
|
||||
|
||||
proc decodeWhoareyouPacket(c: var Codec, srcId: NodeId,
|
||||
authdata: openArray[byte]): DecodeResult[Packet] =
|
||||
# We now know the exact size that the authdata should be
|
||||
if authdata.len != gcmNonceSize + idNonceSize + sizeof(uint64):
|
||||
proc decodeMessagePacket(c: var Codec, fromAddr: Address, nonce: AESGCMNonce,
|
||||
iv, header, ct: openArray[byte]): DecodeResult[Packet] =
|
||||
# We now know the exact size that the header should be
|
||||
if header.len != staticHeaderSize + sizeof(NodeId):
|
||||
return err(PacketError)
|
||||
|
||||
let srcId = NodeId.fromBytesBE(header.toOpenArray(staticHeaderSize,
|
||||
header.high))
|
||||
|
||||
var writeKey, readKey: AesKey
|
||||
if not c.sessions.load(srcId, fromAddr, readKey, writeKey):
|
||||
# Don't consider this an error, simply haven't done a handshake yet or
|
||||
# the session got removed.
|
||||
trace "Decrypting failed (no keys)"
|
||||
return ok(Packet(flag: Flag.OrdinaryMessage, requestNonce: nonce,
|
||||
srcId: srcId))
|
||||
|
||||
let pt = decryptGCM(readKey, nonce, ct, @iv & @header)
|
||||
if pt.isNone():
|
||||
# Don't consider this an error, the session got probably removed at the
|
||||
# peer's side.
|
||||
trace "Decrypting failed (invalid keys)"
|
||||
c.sessions.del(srcId, fromAddr)
|
||||
return ok(Packet(flag: Flag.OrdinaryMessage, requestNonce: nonce,
|
||||
srcId: srcId))
|
||||
|
||||
let message = ? decodeMessage(pt.get())
|
||||
|
||||
return ok(Packet(flag: Flag.OrdinaryMessage,
|
||||
messageOpt: some(message), requestNonce: nonce, srcId: srcId))
|
||||
|
||||
proc decodeWhoareyouPacket(c: var Codec, nonce: AESGCMNonce,
|
||||
iv, header: openArray[byte]): DecodeResult[Packet] =
|
||||
# TODO improve this
|
||||
let authdata = header[staticHeaderSize..header.high()]
|
||||
# We now know the exact size that the authdata should be
|
||||
if authdata.len != idNonceSize + sizeof(uint64):
|
||||
return err(PacketError)
|
||||
|
||||
var requestNonce: AESGCMNonce
|
||||
copyMem(addr requestNonce[0], unsafeAddr authdata[0], gcmNonceSize)
|
||||
var idNonce: IdNonce
|
||||
copyMem(addr idNonce[0], unsafeAddr authdata[gcmNonceSize], idNonceSize)
|
||||
let whoareyou = WhoareyouData(requestNonce: requestNonce, idNonce: idNonce,
|
||||
copyMem(addr idNonce[0], unsafeAddr authdata[0], idNonceSize)
|
||||
let whoareyou = WhoareyouData(requestNonce: nonce, idNonce: idNonce,
|
||||
recordSeq: uint64.fromBytesBE(
|
||||
authdata.toOpenArray(gcmNonceSize + idNonceSize, authdata.high)))
|
||||
authdata.toOpenArray(idNonceSize, authdata.high)),
|
||||
challengeData: @iv & @header)
|
||||
|
||||
return ok(Packet(flag: Flag.Whoareyou, whoareyou: whoareyou,
|
||||
srcId: srcId))
|
||||
return ok(Packet(flag: Flag.Whoareyou, whoareyou: whoareyou))
|
||||
|
||||
proc decodeHandshakePacket(c: var Codec, fromAddr: Address, srcId: NodeId,
|
||||
ct, header: openArray[byte]): DecodeResult[Packet] =
|
||||
proc decodeHandshakePacket(c: var Codec, fromAddr: Address, nonce: AESGCMNonce,
|
||||
iv, header, ct: openArray[byte]): DecodeResult[Packet] =
|
||||
# Checking if there is enough data to decode authdata-head
|
||||
if header.len <= staticHeaderSize + authdataHeadSize:
|
||||
return err(PacketError)
|
||||
|
||||
# check version
|
||||
let authData = header[staticHeaderSize..header.high()]
|
||||
if uint8(authData[0]) != version:
|
||||
return err(HandshakeError)
|
||||
|
||||
let
|
||||
nonce = authdata[1..12]
|
||||
sigSize = uint8(authdata[13])
|
||||
ephKeySize = uint8(authdata[14])
|
||||
authdata = header[staticHeaderSize..header.high()]
|
||||
srcId = NodeId.fromBytesBE(authdata.toOpenArray(0, 31))
|
||||
sigSize = uint8(authdata[32])
|
||||
ephKeySize = uint8(authdata[33])
|
||||
|
||||
# If smaller, as it can be equal and bigger (in case it holds an enr)
|
||||
if header.len < staticHeaderSize + authdataHeadSize + int(sigSize) + int(ephKeySize):
|
||||
|
@ -469,17 +495,18 @@ proc decodeHandshakePacket(c: var Codec, fromAddr: Address, srcId: NodeId,
|
|||
authdata.toOpenArray(authdataHeadSize,
|
||||
authdataHeadSize + int(sigSize) - 1)).mapErrTo(HandshakeError)
|
||||
|
||||
let h = idNonceHash(challenge.whoareyouData.idNonce, ephKeyRaw)
|
||||
let h = idNonceHash(challenge.whoareyouData.challengeData, ephKeyRaw,
|
||||
c.localNode.id)
|
||||
if not verify(sig, SkMessage(h.data), pubkey):
|
||||
return err(HandshakeError)
|
||||
|
||||
# Do the key derivation step only after id-nonce-sig is verified!
|
||||
var secrets = deriveKeys(srcId, c.localNode.id, c.privKey,
|
||||
ephKey, challenge.whoareyouData.idNonce)
|
||||
ephKey, challenge.whoareyouData.challengeData)
|
||||
|
||||
swap(secrets.readKey, secrets.writeKey)
|
||||
|
||||
let pt = decryptGCM(secrets.readKey, nonce, ct, header)
|
||||
let pt = decryptGCM(secrets.readKey, nonce, ct, @iv & @header)
|
||||
if pt.isNone():
|
||||
c.sessions.del(srcId, fromAddr)
|
||||
# Differently from an ordinary message, this is seen as an error as the
|
||||
|
@ -490,20 +517,19 @@ proc decodeHandshakePacket(c: var Codec, fromAddr: Address, srcId: NodeId,
|
|||
|
||||
# Only store the session secrets in case decryption was successful and also
|
||||
# in case the message can get decoded.
|
||||
c.sessions.store(srcId, fromAddr, secrets.readKey,
|
||||
secrets.writeKey)
|
||||
c.sessions.store(srcId, fromAddr, secrets.readKey, secrets.writeKey)
|
||||
|
||||
return ok(Packet(flag: Flag.HandshakeMessage, message: message, srcId: srcId,
|
||||
node: newNode))
|
||||
return ok(Packet(flag: Flag.HandshakeMessage, message: message,
|
||||
srcIdHs: srcId, node: newNode))
|
||||
|
||||
proc decodePacket*(c: var Codec, fromAddr: Address, input: openArray[byte]):
|
||||
DecodeResult[Packet] =
|
||||
## Decode a packet. This can be a regular packet or a packet in response to a
|
||||
## WHOAREYOU packet. In case of the latter a `newNode` might be provided.
|
||||
# TODO: First size check. Which size however?
|
||||
# IVSize + staticHeaderSize + 12 + ...? What is minimum message size?
|
||||
if input.len() <= ivSize + staticHeaderSize + gcmNonceSize:
|
||||
# Smallest packet is Whoareyou packet so that is the minimum size
|
||||
if input.len() < whoareyouSize:
|
||||
return err(PacketError)
|
||||
|
||||
# TODO: Just pass in the full input? Makes more sense perhaps..
|
||||
let (staticHeader, header) = ? decodeHeader(c.localNode.id,
|
||||
input.toOpenArray(0, ivSize - 1), # IV
|
||||
|
@ -513,18 +539,20 @@ proc decodePacket*(c: var Codec, fromAddr: Address, input: openArray[byte]):
|
|||
case staticHeader.flag
|
||||
of OrdinaryMessage:
|
||||
# TODO: Extra size check on ct data?
|
||||
return decodeMessagePacket(c, fromAddr, staticHeader.srcId,
|
||||
input.toOpenArray(ivSize + header.len, input.high), header)
|
||||
return decodeMessagePacket(c, fromAddr, staticHeader.nonce,
|
||||
input.toOpenArray(0, ivSize - 1), header,
|
||||
input.toOpenArray(ivSize + header.len, input.high))
|
||||
|
||||
of Whoareyou:
|
||||
# Header size got checked in decode header
|
||||
return decodeWhoareyouPacket(c, staticHeader.srcId,
|
||||
header.toOpenArray(staticHeaderSize, header.high()))
|
||||
return decodeWhoareyouPacket(c, staticHeader.nonce,
|
||||
input.toOpenArray(0, ivSize - 1), header)
|
||||
|
||||
of HandshakeMessage:
|
||||
# TODO: Extra size check on ct data?
|
||||
return decodeHandshakePacket(c, fromAddr, staticHeader.srcId,
|
||||
input.toOpenArray(ivSize + header.len, input.high), header)
|
||||
return decodeHandshakePacket(c, fromAddr, staticHeader.nonce,
|
||||
input.toOpenArray(0, ivSize - 1), header,
|
||||
input.toOpenArray(ivSize + header.len, input.high))
|
||||
|
||||
proc init*(T: type RequestId, rng: var BrHmacDrbgContext): T =
|
||||
var buf: array[sizeof(T), byte]
|
||||
|
|
|
@ -316,29 +316,21 @@ proc handleMessage(d: Protocol, srcId: NodeId, fromAddr: Address,
|
|||
|
||||
proc sendWhoareyou(d: Protocol, toId: NodeId, a: Address,
|
||||
requestNonce: AESGCMNonce, node: Option[Node]) {.raises: [Exception].} =
|
||||
var idNonce: IdNonce
|
||||
brHmacDrbgGenerate(d.rng[], idNonce)
|
||||
let key = HandShakeKey(nodeId: toId, address: $a)
|
||||
if not d.codec.hasHandshake(key):
|
||||
let
|
||||
recordSeq = if node.isSome(): node.get().record.seqNum
|
||||
else: 0
|
||||
pubkey = if node.isSome(): some(node.get().pubkey)
|
||||
else: none(PublicKey)
|
||||
|
||||
let
|
||||
recordSeq = if node.isSome(): node.get().record.seqNum
|
||||
else: 0
|
||||
whoareyouData = WhoareyouData(requestNonce: requestNonce,
|
||||
idNonce: idNonce, recordSeq: recordSeq)
|
||||
pubkey = if node.isSome(): some(node.get().pubkey)
|
||||
else: none(PublicKey)
|
||||
challenge = Challenge(whoareyouData: whoareyouData, pubkey: pubkey)
|
||||
key = HandShakeKey(nodeId: toId, address: $a)
|
||||
|
||||
if not d.codec.handshakes.hasKeyOrPut(key, challenge):
|
||||
# TODO: raises: [Exception], but it shouldn't.
|
||||
let data = encodeWhoareyouPacket(d.rng[], d.codec, toId, a, requestNonce,
|
||||
recordSeq, pubkey)
|
||||
sleepAsync(handshakeTimeout).addCallback() do(data: pointer):
|
||||
# TODO: should we still provide cancellation in case handshake completes
|
||||
# correctly?
|
||||
d.codec.handshakes.del(key)
|
||||
|
||||
let data = encodeWhoareyouPacket(d.rng[], d.codec, toId,
|
||||
requestNonce, idNonce, recordSeq)
|
||||
|
||||
d.send(a, data)
|
||||
else:
|
||||
debug "Node with this id already has ongoing handshake, ignoring packet"
|
||||
|
@ -374,15 +366,14 @@ proc receive*(d: Protocol, a: Address, packet: openArray[byte]) {.gcsafe,
|
|||
# This is a node we previously contacted and thus must have an address.
|
||||
doAssert(toNode.address.isSome())
|
||||
let data = encodeHandshakePacket(d.rng[], d.codec, toNode.id,
|
||||
toNode.address.get(), pr.message, packet.whoareyou.idNonce,
|
||||
packet.whoareyou.recordSeq, toNode.pubkey)
|
||||
toNode.address.get(), pr.message, packet.whoareyou, toNode.pubkey)
|
||||
|
||||
d.send(toNode, data)
|
||||
else:
|
||||
debug "Timed out or unrequested Whoareyou packet"
|
||||
of HandshakeMessage:
|
||||
trace "Received handshake packet"
|
||||
d.handleMessage(packet.srcId, a, packet.message)
|
||||
d.handleMessage(packet.srcIdHs, a, packet.message)
|
||||
# For a handshake message it is possible that we received an newer ENR.
|
||||
# In that case we can add/update it to the routing table.
|
||||
if packet.node.isSome():
|
||||
|
|
|
@ -4,12 +4,9 @@ import
|
|||
eth/[rlp, keys],
|
||||
eth/p2p/discoveryv5/[typesv1, encodingv1, enr, node, sessions]
|
||||
|
||||
# According to test vectors:
|
||||
# https://github.com/ethereum/devp2p/blob/master/discv5/discv5-wire-test-vectors.md
|
||||
|
||||
let rng = newRng()
|
||||
|
||||
suite "Discovery v5 Protocol Message Encodings":
|
||||
suite "Discovery v5.1 Protocol Message Encodings":
|
||||
test "Ping Request":
|
||||
var p: PingMessage
|
||||
p.enrSeq = 1
|
||||
|
@ -47,11 +44,13 @@ suite "Discovery v5 Protocol Message Encodings":
|
|||
var reqId: RequestId = 1
|
||||
check encodeMessage(p, reqId).toHex == "04f8f20101f8eef875b8401ce2991c64993d7c84c29a00bdc871917551c7d330fca2dd0d69c706596dc655448f030b98a77d4001fd46ae0112ce26d613c5a6a02a81a6223cd0c4edaa53280182696482763489736563703235366b31a103ca634cae0d49acb401d8a4c6b6fe8c55b70d115bf400769cc1400f3258cd3138f875b840d7f1c39e376297f81d7297758c64cb37dcc5c3beea9f57f7ce9695d7d5a67553417d719539d6ae4b445946de4d99e680eb8063f29485b555d45b7df16a1850130182696482763489736563703235366b31a1030e2cb74241c0c4fc8e8166f1a79a05d5b0dd95813a74b094529f317d5c39d235"
|
||||
|
||||
suite "Discovery v5 Cryptographic Primitives":
|
||||
# According to test vectors:
|
||||
# https://github.com/fjl/devp2p/blob/discv5-v1-update/discv5/discv5-wire-test-vectors.md#cryptographic-primitives
|
||||
suite "Discovery v5.1 Cryptographic Primitives Test Vectors":
|
||||
test "ECDH":
|
||||
const
|
||||
# input
|
||||
publicKey = "0x9961e4c2356d61bedb83052c115d311acb3a96f5777296dcf297351130266231503061ac4aaee666073d7e5bc2c80c3f5c5b500c1cb5fd0a76abbb6b675ad157"
|
||||
publicKey = "0x039961e4c2356d61bedb83052c115d311acb3a96f5777296dcf297351130266231"
|
||||
secretKey = "0xfb757dc581730490a1d7a00deea65e9b1936924caaea8f44d476014856b68736"
|
||||
# expected output
|
||||
sharedSecret = "0x033b11a2a1f214567e1537ce5e509ffd9b21373247f2a3ff6841f4976f53165e7e"
|
||||
|
@ -59,41 +58,51 @@ suite "Discovery v5 Cryptographic Primitives":
|
|||
let
|
||||
pub = PublicKey.fromHex(publicKey)[]
|
||||
priv = PrivateKey.fromHex(secretKey)[]
|
||||
let eph = ecdhRawFull(priv, pub)
|
||||
eph = ecdhRawFull(priv, pub)
|
||||
check:
|
||||
eph.data == hexToSeqByte(sharedSecret)
|
||||
|
||||
test "Key Derivation":
|
||||
# const
|
||||
# # input
|
||||
# secretKey = "0x02a77e3aa0c144ae7c0a3af73692b7d6e5b7a2fdc0eda16e8d5e6cb0d08e88dd04"
|
||||
# nodeIdA = "0xa448f24c6d18e575453db13171562b71999873db5b286df957af199ec94617f7"
|
||||
# nodeIdB = "0x885bba8dfeddd49855459df852ad5b63d13a3fae593f3f9fa7e317fd43651409"
|
||||
# idNonce = "0x0101010101010101010101010101010101010101010101010101010101010101"
|
||||
# # expected output
|
||||
# initiatorKey = "0x238d8b50e4363cf603a48c6cc3542967"
|
||||
# recipientKey = "0xbebc0183484f7e7ca2ac32e3d72c8891"
|
||||
# authRespKey = "0xe987ad9e414d5b4f9bfe4ff1e52f2fae"
|
||||
const
|
||||
# input
|
||||
ephemeralKey = "0xfb757dc581730490a1d7a00deea65e9b1936924caaea8f44d476014856b68736"
|
||||
destPubkey = "0x0317931e6e0840220642f230037d285d122bc59063221ef3226b1f403ddc69ca91"
|
||||
nodeIdA = "0xaaaa8419e9f49d0083561b48287df592939a8d19947d8c0ef88f2a4856a69fbb"
|
||||
nodeIdB = "0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9"
|
||||
challengeData = "0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000000"
|
||||
# expected output
|
||||
initiatorKey = "0xdccc82d81bd610f4f76d3ebe97a40571"
|
||||
recipientKey = "0xac74bb8773749920b0d3a8881c173ec5"
|
||||
|
||||
# Code doesn't allow to start from shared `secretKey`, but only from the
|
||||
# public and private key. Would require pulling `ecdhAgree` out of
|
||||
# `deriveKeys`
|
||||
skip()
|
||||
let secrets = deriveKeys(
|
||||
NodeId.fromHex(nodeIdA),
|
||||
NodeId.fromHex(nodeIdB),
|
||||
PrivateKey.fromHex(ephemeralKey)[],
|
||||
PublicKey.fromHex(destPubkey)[],
|
||||
hexToSeqByte(challengeData))
|
||||
|
||||
check:
|
||||
secrets.writeKey == hexToByteArray[aesKeySize](initiatorKey)
|
||||
secrets.readKey == hexToByteArray[aesKeySize](recipientKey)
|
||||
|
||||
test "Nonce Signing":
|
||||
const
|
||||
# input
|
||||
idNonce = "0xa77e3aa0c144ae7c0a3af73692b7d6e5b7a2fdc0eda16e8d5e6cb0d08e88dd04"
|
||||
ephemeralKey = "0x9961e4c2356d61bedb83052c115d311acb3a96f5777296dcf297351130266231503061ac4aaee666073d7e5bc2c80c3f5c5b500c1cb5fd0a76abbb6b675ad157"
|
||||
localSecretKey = "0xfb757dc581730490a1d7a00deea65e9b1936924caaea8f44d476014856b68736"
|
||||
staticKey = "0xfb757dc581730490a1d7a00deea65e9b1936924caaea8f44d476014856b68736"
|
||||
challengeData = "0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000000"
|
||||
ephemeralPubkey = "0x039961e4c2356d61bedb83052c115d311acb3a96f5777296dcf297351130266231"
|
||||
nodeIdB = "0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9"
|
||||
# expected output
|
||||
idNonceSig = "0xc5036e702a79902ad8aa147dabfe3958b523fd6fa36cc78e2889b912d682d8d35fdea142e141f690736d86f50b39746ba2d2fc510b46f82ee08f08fd55d133a4"
|
||||
idSignature = "0x94852a1e2318c4e5e9d422c98eaf19d1d90d876b29cd06ca7cb7546d0fff7b484fe86c09a064fe72bdbef73ba8e9c34df0cd2b53e9d65528c2c7f336d5dfc6e6"
|
||||
|
||||
let
|
||||
privKey = PrivateKey.fromHex(localSecretKey)[]
|
||||
signature = signIDNonce(privKey, hexToByteArray[idNonceSize](idNonce),
|
||||
hexToByteArray[64](ephemeralKey))
|
||||
check signature.toRaw() == hexToByteArray[64](idNonceSig)
|
||||
privKey = PrivateKey.fromHex(staticKey)[]
|
||||
signature = signIDNonce(
|
||||
privKey,
|
||||
hexToSeqByte(challengeData),
|
||||
hexToSeqByte(ephemeralPubkey),
|
||||
NodeId.fromHex(nodeIdB))
|
||||
check signature.toRaw() == hexToByteArray[64](idSignature)
|
||||
|
||||
test "Encryption/Decryption":
|
||||
const
|
||||
|
@ -111,14 +120,9 @@ suite "Discovery v5 Cryptographic Primitives":
|
|||
hexToByteArray[32](ad))
|
||||
check encrypted == hexToSeqByte(messageCiphertext)
|
||||
|
||||
test "Authentication Header and Encrypted Message Generation":
|
||||
# Can't work directly with the provided shared secret as keys are derived
|
||||
# inside makeAuthHeader, and passed on one call up.
|
||||
# The encryption of the auth-resp-pt uses one of these keys, as does the
|
||||
# encryption of the message itself. So the whole test depends on this.
|
||||
skip()
|
||||
|
||||
suite "Discovery v5.1 Test Vectors":
|
||||
# According to test vectors:
|
||||
# https://github.com/fjl/devp2p/blob/discv5-v1-update/discv5/discv5-wire-test-vectors.md#packet-encodings
|
||||
suite "Discovery v5.1 Packet Encodings Test Vectors":
|
||||
const
|
||||
nodeAKey = "0xeef77acb6c6a6eebc5b363a475ac583ec7eccdb42b6481424c60f59aa326547f"
|
||||
nodeBKey = "0x66fb62bfbd66b9177a138c1e5cddbe4f7c30c343e94e68df8769459cb1cde628"
|
||||
|
@ -143,13 +147,45 @@ suite "Discovery v5.1 Test Vectors":
|
|||
codecB = Codec(localNode: nodeB, privKey: privKeyB,
|
||||
sessions: Sessions.init(5))
|
||||
|
||||
test "Ping Ordinary Message Packet":
|
||||
const
|
||||
readKey = "0x00000000000000000000000000000000"
|
||||
pingReqId = 0x00000001'u64
|
||||
pingEnrSeq = 2'u64
|
||||
|
||||
encodedPacket =
|
||||
"00000000000000000000000000000000088b3d4342774649325f313964a39e55" &
|
||||
"ea96c005ad52be8c7560413a7008f16c9e6d2f43bbea8814a546b7409ce783d3" &
|
||||
"4c4f53245d08dab84102ed931f66d1492acb308fa1c6715b9d139b81acbdcc"
|
||||
|
||||
let dummyKey = "0x00000000000000000000000000000001" # of no importance
|
||||
codecA.sessions.store(nodeB.id, nodeB.address.get(),
|
||||
hexToByteArray[aesKeySize](dummyKey), hexToByteArray[aesKeySize](readKey))
|
||||
codecB.sessions.store(nodeA.id, nodeA.address.get(),
|
||||
hexToByteArray[aesKeySize](readKey), hexToByteArray[aesKeySize](dummyKey))
|
||||
|
||||
# Note: Noticed when comparing these test vectors that we encode reqId as
|
||||
# integer while it seems the test vectors have it encoded as byte seq,
|
||||
# meaning having potentially leading zeroes.
|
||||
|
||||
let decoded = codecB.decodePacket(nodeA.address.get(), hexToSeqByte(encodedPacket))
|
||||
check:
|
||||
decoded.isOK()
|
||||
decoded.get().messageOpt.isSome()
|
||||
decoded.get().messageOpt.get().reqId == pingReqId
|
||||
decoded.get().messageOpt.get().kind == ping
|
||||
decoded.get().messageOpt.get().ping.enrSeq == pingEnrSeq
|
||||
|
||||
test "Whoareyou Packet":
|
||||
const
|
||||
whoareyouChallengeData = "0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000000"
|
||||
whoareyouRequestNonce = "0x0102030405060708090a0b0c"
|
||||
whoareyouIdNonce = "0x0102030405060708090a0b0c0d0e0f1000000000000000000000000000000000"
|
||||
whoareyouIdNonce = "0x0102030405060708090a0b0c0d0e0f10"
|
||||
whoareyouEnrSeq = 0
|
||||
|
||||
encodedPacket = "0x00000000000000000000000000000000088b3d4342776668980a4adf72a8fcaa963f24b27a2f6bb44c7ed5ca10e87de130f94d2390b9853c3ecb9ad5e368892ec562137bf19c6d0a9191a5651c4f415117bdfa0c7ab86af62b7a9784eceb28008d03ede83bd1369631f9f3d8da0b45"
|
||||
encodedPacket =
|
||||
"00000000000000000000000000000000088b3d434277464933a1ccc59f5967ad" &
|
||||
"1d6035f15e528627dde75cd68292f9e6c27d6b66c8100a873fcbaed4e16b8d"
|
||||
|
||||
let decoded = codecB.decodePacket(nodeA.address.get(),
|
||||
hexToSeqByte(encodedPacket))
|
||||
|
@ -160,59 +196,35 @@ suite "Discovery v5.1 Test Vectors":
|
|||
decoded.get().whoareyou.requestNonce == hexToByteArray[gcmNonceSize](whoareyouRequestNonce)
|
||||
decoded.get().whoareyou.idNonce == hexToByteArray[idNonceSize](whoareyouIdNonce)
|
||||
decoded.get().whoareyou.recordSeq == whoareyouEnrSeq
|
||||
|
||||
test "Ping Ordinary Message Packet":
|
||||
const
|
||||
# nonce = "0xffffffffffffffffffffffff"
|
||||
readKey = "0x00000000000000000000000000000000"
|
||||
pingReqId = 0x00000001'u64
|
||||
pingEnrSeq = 2'u64
|
||||
|
||||
encodedPacket = "00000000000000000000000000000000088b3d4342776668980a4adf72a8fcaa963f24b27a2f6bb44c7ed5ca10e87de130f94d2390b9853c3fcba22b1e9472d43c9ae48d04689eb84102ed931f66d180cbb4219f369a24f4e6b24d7bdc2a04"
|
||||
|
||||
let dummyKey = "0x00000000000000000000000000000001" # of no importance
|
||||
codecA.sessions.store(nodeB.id, nodeB.address.get(),
|
||||
hexToByteArray[aesKeySize](dummyKey), hexToByteArray[aesKeySize](readKey))
|
||||
codecB.sessions.store(nodeA.id, nodeA.address.get(),
|
||||
hexToByteArray[aesKeySize](readKey), hexToByteArray[aesKeySize](dummyKey))
|
||||
|
||||
# Note: Noticed when comparing these test vectors that we encode reqId as
|
||||
# integer while it seems the test vectors have it encoded as byte seq,
|
||||
# meaning having potentially heaving leading zeroes.
|
||||
|
||||
let decoded = codecB.decodePacket(nodeA.address.get(), hexToSeqByte(encodedPacket))
|
||||
check:
|
||||
decoded.isOK()
|
||||
decoded.get().messageOpt.isSome()
|
||||
decoded.get().messageOpt.get().reqId == pingReqId
|
||||
decoded.get().messageOpt.get().kind == ping
|
||||
decoded.get().messageOpt.get().ping.enrSeq == pingEnrSeq
|
||||
decoded.get().whoareyou.challengeData == hexToSeqByte(whoareyouChallengeData)
|
||||
|
||||
test "Ping Handshake Message Packet":
|
||||
const
|
||||
# srcNodeId = "0xaaaa8419e9f49d0083561b48287df592939a8d19947d8c0ef88f2a4856a69fbb"
|
||||
# destNodeId = "0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9"
|
||||
# nonce = "0xffffffffffffffffffffffff"
|
||||
# readKey = "0x4917330b5aeb51650213f90d5f253c45"
|
||||
|
||||
pingReqId = 0x00000001'u64
|
||||
pingEnrSeq = 1'u64
|
||||
#
|
||||
# handshake inputs:
|
||||
#
|
||||
whoareyouChallengeData = "0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000001"
|
||||
whoareyouRequestNonce = "0x0102030405060708090a0b0c"
|
||||
whoareyouIdNonce = "0x0102030405060708090a0b0c0d0e0f1000000000000000000000000000000000"
|
||||
whoareyouIdNonce = "0x0102030405060708090a0b0c0d0e0f10"
|
||||
whoareyouEnrSeq = 1'u64
|
||||
# ephemeralKey = "0x0288ef00023598499cb6c940146d050d2b1fb914198c327f76aad590bead68b6"
|
||||
# ephemeralPubkey = "0x039a003ba6517b473fa0cd74aefe99dadfdb34627f90fec6362df85803908f53a5"
|
||||
|
||||
encodedPacket = "00000000000000000000000000000000088b3d4342776668980a4adf72a8fcaa963f24b27a2f6bb44c7ed5ca10e87de130f94d2390b9853c3dcbded51e9472d43c9ae48d04689ef4d3b340a9cb02d3f5cb5c73f266876372a497ef20dccc83eebcf61f61bc2bb13655118c2dddd4fa7f66210832e7c45c2af87b635121ae132057cce99aa7d2760b31390fea5142053c97feb5fc3f5d0ff3d71008a5b6724bbfc8c97746524e695129d2bd7fccc3d4569a69fd8a783849a117bd23ec5b5d02be0a0c57"
|
||||
encodedPacket =
|
||||
"00000000000000000000000000000000088b3d4342774649305f313964a39e55" &
|
||||
"ea96c005ad521d8c7560413a7008f16c9e6d2f43bbea8814a546b7409ce783d3" &
|
||||
"4c4f53245d08da4bb252012b2cba3f4f374a90a75cff91f142fa9be3e0a5f3ef" &
|
||||
"268ccb9065aeecfd67a999e7fdc137e062b2ec4a0eb92947f0d9a74bfbf44dfb" &
|
||||
"a776b21301f8b65efd5796706adff216ab862a9186875f9494150c4ae06fa4d1" &
|
||||
"f0396c93f215fa4ef524f1eadf5f0f4126b79336671cbcf7a885b1f8bd2a5d83" &
|
||||
"9cf8"
|
||||
|
||||
let
|
||||
whoareyouData = WhoareyouData(
|
||||
requestNonce: hexToByteArray[gcmNonceSize](whoareyouRequestNonce),
|
||||
idNonce: hexToByteArray[idNonceSize](whoareyouIdNonce),
|
||||
recordSeq: whoareyouEnrSeq)
|
||||
recordSeq: whoareyouEnrSeq,
|
||||
challengeData: hexToSeqByte(whoareyouChallengeData))
|
||||
pubkey = some(privKeyA.toPublicKey())
|
||||
challenge = Challenge(whoareyouData: whoareyouData, pubkey: pubkey)
|
||||
key = HandShakeKey(nodeId: nodeA.id, address: $(nodeA.address.get()))
|
||||
|
@ -222,43 +234,44 @@ suite "Discovery v5.1 Test Vectors":
|
|||
let decoded = codecB.decodePacket(nodeA.address.get(),
|
||||
hexToSeqByte(encodedPacket))
|
||||
|
||||
skip()
|
||||
# TODO: This test fails at the deriveKeys step. The readkey is not the
|
||||
# expected value of above. Hardcoding that values makes decryption work.
|
||||
# TBI.
|
||||
|
||||
# check:
|
||||
# decoded.isOk()
|
||||
# decoded.get().message.reqId == pingReqId
|
||||
# decoded.get().message.kind == ping
|
||||
# decoded.get().message.ping.enrSeq == pingEnrSeq
|
||||
# decoded.get().node.isNone()
|
||||
check:
|
||||
decoded.isOk()
|
||||
decoded.get().message.reqId == pingReqId
|
||||
decoded.get().message.kind == ping
|
||||
decoded.get().message.ping.enrSeq == pingEnrSeq
|
||||
decoded.get().node.isNone()
|
||||
|
||||
test "Ping Handshake Message Packet with ENR":
|
||||
const
|
||||
# srcNodeId = "0xaaaa8419e9f49d0083561b48287df592939a8d19947d8c0ef88f2a4856a69fbb"
|
||||
# destNodeId = "0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9"
|
||||
# nonce = "0xffffffffffffffffffffffff"
|
||||
# readKey = "0x4917330b5aeb51650213f90d5f253c45"
|
||||
|
||||
pingReqId = 0x00000001'u64
|
||||
pingEnrSeq = 1'u64
|
||||
#
|
||||
# handshake inputs:
|
||||
#
|
||||
whoareyouChallengeData = "0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000000"
|
||||
whoareyouRequestNonce = "0x0102030405060708090a0b0c"
|
||||
whoareyouIdNonce = "0x0102030405060708090a0b0c0d0e0f1000000000000000000000000000000000"
|
||||
whoareyouIdNonce = "0x0102030405060708090a0b0c0d0e0f10"
|
||||
whoareyouEnrSeq = 0'u64
|
||||
# ephemeralKey = "0x0288ef00023598499cb6c940146d050d2b1fb914198c327f76aad590bead68b6"
|
||||
# ephemeralPubkey = "0x039a003ba6517b473fa0cd74aefe99dadfdb34627f90fec6362df85803908f53a5"
|
||||
|
||||
encodedPacket = "00000000000000000000000000000000088b3d4342776668980a4adf72a8fcaa963f24b27a2f6bb44c7ed5ca10e87de130f94d2390b9853c3dcaa0d51e9472d43c9ae48d04689ef4d3d2602a5e89ac340f9e81e722b1d7dac2578d520dd5bc6dc1e38ad3ab33012be1a5d259267a0947bf242219834c5702d1c694c0ceb4a6a27b5d68bd2c2e32e6cb9696706adff216ab862a9186875f9494150c4ae06fa4d1f0396c93f215fa4ef52417d9c40a31564e8d5f31a7f08c38045ff5e30d9661838b1eabee9f1e561120bcc4d9f2f9c839152b4ab970e029b2395b97e8c3aa8d3b497ee98a15e865bcd34effa8b83eb6396bca60ad8f0bff1e047e278454bc2b3d6404c12106a9d0b6107fc2383976fc05fbda2c954d402c28c8fb53a2b3a4b111c286ba2ac4ff880168323c6e97b01dbcbeef4f234e5849f75ab007217c919820aaa1c8a7926d3625917fccc3d4569a69fd8aca026be87afab8e8e645d1ee888992"
|
||||
encodedPacket =
|
||||
"00000000000000000000000000000000088b3d4342774649305f313964a39e55" &
|
||||
"ea96c005ad539c8c7560413a7008f16c9e6d2f43bbea8814a546b7409ce783d3" &
|
||||
"4c4f53245d08da4bb23698868350aaad22e3ab8dd034f548a1c43cd246be9856" &
|
||||
"2fafa0a1fa86d8e7a3b95ae78cc2b988ded6a5b59eb83ad58097252188b902b2" &
|
||||
"1481e30e5e285f19735796706adff216ab862a9186875f9494150c4ae06fa4d1" &
|
||||
"f0396c93f215fa4ef524e0ed04c3c21e39b1868e1ca8105e585ec17315e755e6" &
|
||||
"cfc4dd6cb7fd8e1a1f55e49b4b5eb024221482105346f3c82b15fdaae36a3bb1" &
|
||||
"2a494683b4a3c7f2ae41306252fed84785e2bbff3b022812d0882f06978df84a" &
|
||||
"80d443972213342d04b9048fc3b1d5fcb1df0f822152eced6da4d3f6df27e70e" &
|
||||
"4539717307a0208cd208d65093ccab5aa596a34d7511401987662d8cf62b1394" &
|
||||
"71"
|
||||
|
||||
let
|
||||
whoareyouData = WhoareyouData(
|
||||
requestNonce: hexToByteArray[gcmNonceSize](whoareyouRequestNonce),
|
||||
idNonce: hexToByteArray[idNonceSize](whoareyouIdNonce),
|
||||
recordSeq: whoareyouEnrSeq)
|
||||
recordSeq: whoareyouEnrSeq,
|
||||
challengeData: hexToSeqByte(whoareyouChallengeData))
|
||||
pubkey = none(PublicKey)
|
||||
challenge = Challenge(whoareyouData: whoareyouData, pubkey: pubkey)
|
||||
key = HandShakeKey(nodeId: nodeA.id, address: $(nodeA.address.get()))
|
||||
|
@ -268,19 +281,14 @@ suite "Discovery v5.1 Test Vectors":
|
|||
let decoded = codecB.decodePacket(nodeA.address.get(),
|
||||
hexToSeqByte(encodedPacket))
|
||||
|
||||
skip()
|
||||
# TODO: This test fails at the deriveKeys step. The readkey is not the
|
||||
# expected value of above. Hardcoding that values makes decryption work.
|
||||
# TBI.
|
||||
check:
|
||||
decoded.isOk()
|
||||
decoded.get().message.reqId == pingReqId
|
||||
decoded.get().message.kind == ping
|
||||
decoded.get().message.ping.enrSeq == pingEnrSeq
|
||||
decoded.get().node.isSome()
|
||||
|
||||
# check:
|
||||
# decoded.isOk()
|
||||
# decoded.get().message.reqId == pingReqId
|
||||
# decoded.get().message.kind == ping
|
||||
# decoded.get().message.ping.enrSeq == pingEnrSeq
|
||||
# decoded.get().node.isSome()
|
||||
|
||||
suite "Discovery v5.1 Additional":
|
||||
suite "Discovery v5.1 Additional Encode/Decode":
|
||||
test "Encryption/Decryption":
|
||||
let
|
||||
encryptionKey = hexToByteArray[aesKeySize]("0x9f2d77db7004bf8a1a85107ac686990b")
|
||||
|
@ -288,8 +296,9 @@ suite "Discovery v5.1 Additional":
|
|||
ad = hexToByteArray[32]("0x93a7400fa0d6a694ebc24d5cf570f65d04215b6ac00757875e3f3a5f42107903")
|
||||
pt = hexToSeqByte("0xa1")
|
||||
|
||||
let ct = encryptGCM(encryptionKey, nonce, pt, ad)
|
||||
let decrypted = decryptGCM(encryptionKey, nonce, ct, ad)
|
||||
let
|
||||
ct = encryptGCM(encryptionKey, nonce, pt, ad)
|
||||
decrypted = decryptGCM(encryptionKey, nonce, ct, ad)
|
||||
|
||||
check decrypted.get() == pt
|
||||
|
||||
|
@ -316,13 +325,15 @@ suite "Discovery v5.1 Additional":
|
|||
check decryptGCM(encryptionKey, nonce, invalidCipher, ad).isNone()
|
||||
|
||||
test "Encrypt / Decrypt header":
|
||||
var nonce: AESGCMNonce
|
||||
brHmacDrbgGenerate(rng[], nonce)
|
||||
let
|
||||
privKey = PrivateKey.random(rng[])
|
||||
nodeId = privKey.toPublicKey().toNodeId()
|
||||
authdata = [byte 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]
|
||||
staticHeader = encodeStaticHeader(nodeId, Flag.OrdinaryMessage,
|
||||
authdata = newSeq[byte](32)
|
||||
staticHeader = encodeStaticHeader(Flag.OrdinaryMessage, nonce,
|
||||
authdata.len())
|
||||
header = @staticHeader & @authdata
|
||||
header = staticHeader & authdata
|
||||
|
||||
var iv: array[128 div 8, byte]
|
||||
brHmacDrbgGenerate(rng[], iv)
|
||||
|
@ -367,49 +378,47 @@ suite "Discovery v5.1 Additional":
|
|||
decoded[].requestNonce == nonce
|
||||
|
||||
test "Encode / Decode Whoareyou Packet":
|
||||
var
|
||||
requestNonce: AESGCMNonce
|
||||
idNonce: IdNonce
|
||||
brHmacDrbgGenerate(rng[], idNonce)
|
||||
var requestNonce: AESGCMNonce
|
||||
brHmacDrbgGenerate(rng[], requestNonce)
|
||||
let recordSeq = 0'u64
|
||||
|
||||
let data = encodeWhoareyouPacket(rng[], codecA, nodeB.id, requestNonce, idNonce,
|
||||
recordSeq)
|
||||
let data = encodeWhoareyouPacket(rng[], codecA, nodeB.id,
|
||||
nodeB.address.get(), requestNonce, recordSeq, none(PublicKey))
|
||||
|
||||
let decoded = codecB.decodePacket(nodeA.address.get(), data)
|
||||
|
||||
let key = HandShakeKey(nodeId: nodeB.id, address: $nodeB.address.get())
|
||||
var challenge: Challenge
|
||||
|
||||
check:
|
||||
codecA.handshakes.pop(key, challenge)
|
||||
decoded.isOk()
|
||||
decoded[].flag == Flag.Whoareyou
|
||||
decoded[].whoareyou.requestNonce == requestNonce
|
||||
decoded[].whoareyou.idNonce == idNonce
|
||||
decoded[].whoareyou.idNonce == challenge.whoareyouData.idNonce
|
||||
decoded[].whoareyou.recordSeq == recordSeq
|
||||
|
||||
test "Encode / Decode Handshake Message Packet":
|
||||
var
|
||||
requestNonce: AESGCMNonce
|
||||
idNonce: IdNonce
|
||||
brHmacDrbgGenerate(rng[], idNonce)
|
||||
var requestNonce: AESGCMNonce
|
||||
brHmacDrbgGenerate(rng[], requestNonce)
|
||||
let recordSeq = 1'u64
|
||||
|
||||
let
|
||||
recordSeq = 1'u64
|
||||
m = PingMessage(enrSeq: 0)
|
||||
reqId = RequestId.init(rng[])
|
||||
message = encodeMessage(m, reqId)
|
||||
let
|
||||
whoareyouData = WhoareyouData(
|
||||
requestNonce: requestNonce,
|
||||
idNonce: idNonce,
|
||||
recordSeq: recordSeq)
|
||||
pubkey = some(privKeyA.toPublicKey())
|
||||
challenge = Challenge(whoareyouData: whoareyouData, pubkey: pubkey)
|
||||
key = HandShakeKey(nodeId: nodeA.id, address: $(nodeA.address.get()))
|
||||
|
||||
check: not codecB.handshakes.hasKeyOrPut(key, challenge)
|
||||
# Encode/decode whoareyou packet to get the handshake stored and the
|
||||
# whoareyou data returned. It's either that or construct the header for the
|
||||
# whoareyouData manually.
|
||||
let
|
||||
encodedDummy = encodeWhoareyouPacket(rng[], codecB, nodeA.id,
|
||||
nodeA.address.get(), requestNonce, recordSeq, pubkey)
|
||||
decodedDummy = codecA.decodePacket(nodeB.address.get(), encodedDummy)
|
||||
|
||||
let data = encodeHandshakePacket(rng[], codecA, nodeB.id,
|
||||
nodeB.address.get(), message, idNonce, recordSeq, privKeyB.toPublicKey())
|
||||
nodeB.address.get(), message, decodedDummy[].whoareyou,
|
||||
privKeyB.toPublicKey())
|
||||
|
||||
let decoded = codecB.decodePacket(nodeA.address.get(), data)
|
||||
|
||||
|
@ -421,32 +430,28 @@ suite "Discovery v5.1 Additional":
|
|||
decoded.get().node.isNone()
|
||||
|
||||
test "Encode / Decode Handshake Message Packet with ENR":
|
||||
var
|
||||
requestNonce: AESGCMNonce
|
||||
idNonce: IdNonce
|
||||
brHmacDrbgGenerate(rng[], idNonce)
|
||||
var requestNonce: AESGCMNonce
|
||||
brHmacDrbgGenerate(rng[], requestNonce)
|
||||
let
|
||||
recordSeq = 0'u64
|
||||
|
||||
m = PingMessage(enrSeq: 0)
|
||||
reqId = RequestId.init(rng[])
|
||||
message = encodeMessage(m, reqId)
|
||||
|
||||
whoareyouData = WhoareyouData(requestNonce: requestNonce,
|
||||
idNonce: idNonce, recordSeq: recordSeq)
|
||||
pubkey = none(PublicKey)
|
||||
challenge = Challenge(whoareyouData: whoareyouData, pubkey: pubkey)
|
||||
key = HandShakeKey(nodeId: nodeA.id, address: $(nodeA.address.get()))
|
||||
|
||||
# Need to manually add the handshake, which would normally be done when
|
||||
# sending a whoareyou Packet.
|
||||
check: not codecB.handshakes.hasKeyOrPut(key, challenge)
|
||||
# Encode/decode whoareyou packet to get the handshake stored and the
|
||||
# whoareyou data returned. It's either that or construct the header for the
|
||||
# whoareyouData manually.
|
||||
let
|
||||
encodedDummy = encodeWhoareyouPacket(rng[], codecB, nodeA.id,
|
||||
nodeA.address.get(), requestNonce, recordSeq, pubkey)
|
||||
decodedDummy = codecA.decodePacket(nodeB.address.get(), encodedDummy)
|
||||
|
||||
let data = encodeHandshakePacket(rng[], codecA, nodeB.id,
|
||||
nodeB.address.get(), message, idNonce, recordSeq, privKeyB.toPublicKey())
|
||||
let encoded = encodeHandshakePacket(rng[], codecA, nodeB.id,
|
||||
nodeB.address.get(), message, decodedDummy[].whoareyou,
|
||||
privKeyB.toPublicKey())
|
||||
|
||||
let decoded = codecB.decodePacket(nodeA.address.get(), data)
|
||||
let decoded = codecB.decodePacket(nodeA.address.get(), encoded)
|
||||
|
||||
check:
|
||||
decoded.isOk()
|
||||
|
@ -462,7 +467,7 @@ suite "Discovery v5.1 Additional":
|
|||
reqId = RequestId.init(rng[])
|
||||
message = encodeMessage(m, reqId)
|
||||
|
||||
# Need to manually add the secrets the normally get negotiated in the
|
||||
# Need to manually add the secrets that normally get negotiated in the
|
||||
# handshake packet.
|
||||
var secrets: HandshakeSecrets
|
||||
codecA.sessions.store(nodeB.id, nodeB.address.get(), secrets.readKey, secrets.writeKey)
|
||||
|
|
Loading…
Reference in New Issue