From ee845a176874127f02cf533d20138d5ac58d3483 Mon Sep 17 00:00:00 2001 From: Jacek Sieka Date: Sat, 2 Nov 2024 08:15:40 +0100 Subject: [PATCH] devp2p: drop pre-EIP8 support, fix snappy negotiation (#758) Support for previous versions was [removed](https://github.com/ethereum/go-ethereum/commit/7194c847b6e7f545f2aad57d8eae0a046e08d7a4) from geth in 2021 after other clients had migrated - should be safe to remove here also. * fix snappy detection - it should use the hello version, not the RLPx handshake * simplify generation of auth messages * pad 100-300 bytes like spec suggests TODO: error handling is all over the place - will be addressed in a follow-up PR --- eth/p2p/auth.nim | 520 ++++++++++++--------------------------- eth/p2p/rlpx.nim | 225 ++++++++--------- eth/p2p/rlpxcrypt.nim | 38 +-- tests/p2p/test_auth.nim | 277 ++------------------- tests/p2p/test_crypt.nim | 277 +++++++++------------ 5 files changed, 407 insertions(+), 930 deletions(-) diff --git a/eth/p2p/auth.nim b/eth/p2p/auth.nim index 2a97255..28f53c8 100644 --- a/eth/p2p/auth.nim +++ b/eth/p2p/auth.nim @@ -8,7 +8,10 @@ # MIT license (LICENSE-MIT) # -## This module implements Ethereum RLPx authentication +## This module implements Ethereum EIP-8 RLPx authentication - pre-EIP-8 +## messages are not supported +## https://github.com/ethereum/devp2p/blob/5713591d0366da78a913a811c7502d9ca91d29a8/rlpx.md#initial-handshake +## https://github.com/ethereum/EIPs/blob/b479473414cf94445b450c266a9dedc079a12158/EIPS/eip-8.md {.push raises: [].} @@ -25,79 +28,69 @@ export results type keccak256 = keccak.keccak256 const - SupportedRlpxVersion* = 4'u8 - # Auth message sizes + MsgLenLenEIP8* = 2 + ## auth-size = size of enc-auth-body, encoded as a big-endian 16-bit integer + ## ack-size = size of enc-ack-body, encoded as a big-endian 16-bit integer - # Pre EIP8 - PlainAuthMessageV4Length* = 194 - AuthMessageV4Length* = 307 + MinPadLenEIP8* = 100 + MaxPadLenEIP8* = 300 + ## Padding makes message length unpredictable which makes packet filtering + ## a tiny bit harder - although not necessary any more, we always add at + ## least 100 bytes of padding to make the message distinguishable from + ## pre-EIP8 and at most 200 to stay within recommendation - # EIP8 # signature + pubkey + nounce + version + rlp encoding overhead # 65 + 64 + 32 + 1 + 7 = 169 PlainAuthMessageEIP8Length = 169 - PlainAuthMessageMaxEIP8* = PlainAuthMessageEIP8Length + 255 # with padding + PlainAuthMessageMaxEIP8 = PlainAuthMessageEIP8Length + MaxPadLenEIP8 # Min. encrypted message + size prefix = 284 - AuthMessageEIP8Length* = PlainAuthMessageEIP8Length + eciesOverheadLength + 2 - AuthMessageMaxEIP8* = AuthMessageEIP8Length + 255 # with padding + AuthMessageEIP8Length* = + eciesEncryptedLength(PlainAuthMessageEIP8Length) + MsgLenLenEIP8 + AuthMessageMaxEIP8* = AuthMessageEIP8Length + MaxPadLenEIP8 + ## Minimal output buffer size to pass into `authMessage` # Ack message sizes - # Pre EIP8 - PlainAckMessageV4Length* = 97 - AckMessageV4Length* = 210 - - # EIP 8 # pubkey + nounce + version + rlp encoding overhead # 64 + 32 + 1 + 5 = 102 - PlainAckMessageEIP8Length* = 102 - PlainAckMessageMaxEIP8* = PlainAckMessageEIP8Length + 255 # with padding + PlainAckMessageEIP8Length = 102 + PlainAckMessageMaxEIP8 = PlainAckMessageEIP8Length + MaxPadLenEIP8 # Min. encrypted message + size prefix = 217 - AckMessageEIP8Length* = PlainAckMessageEIP8Length + eciesOverheadLength + 2 - AckMessageMaxEIP8* = AckMessageEIP8Length + 255 # with padding + AckMessageEIP8Length* = eciesEncryptedLength(PlainAckMessageMaxEIP8) + MsgLenLenEIP8 + AckMessageMaxEIP8* = AckMessageEIP8Length + MaxPadLenEIP8 + ## Minimal output buffer size to pass into `ackMessage` + + Vsn = [byte 4] + ## auth-vsn = 4 + ## ack-vsn = 4 type Nonce* = array[KeyLength, byte] - AuthMessageV4* {.packed.} = object - signature: array[RawSignatureSize, byte] - keyhash: array[keccak256.sizeDigest, byte] - pubkey: array[RawPublicKeySize, byte] - nonce: array[keccak256.sizeDigest, byte] - flag: byte - - AckMessageV4* {.packed.} = object - pubkey: array[RawPublicKeySize, byte] - nonce: array[keccak256.sizeDigest, byte] - flag: byte - HandshakeFlag* = enum - Initiator, ## `Handshake` owner is connection initiator - Responder, ## `Handshake` owner is connection responder - EIP8 ## Flag indicates that EIP-8 handshake is used + Initiator ## `Handshake` owner is connection initiator + Responder ## `Handshake` owner is connection responder AuthError* = enum - EcdhError = "auth: ECDH shared secret could not be calculated" - BufferOverrun = "auth: buffer overrun" - SignatureError = "auth: signature could not be obtained" - EciesError = "auth: ECIES encryption/decryption error" - InvalidPubKey = "auth: invalid public key" - InvalidAuth = "auth: invalid Authentication message" - InvalidAck = "auth: invalid Authentication ACK message" - RlpError = "auth: error while decoding RLP stream" + EcdhError = "auth: ECDH shared secret could not be calculated" + BufferOverrun = "auth: buffer overrun" + SignatureError = "auth: signature could not be obtained" + EciesError = "auth: ECIES encryption/decryption error" + InvalidPubKey = "auth: invalid public key" + InvalidAuth = "auth: invalid Authentication message" + InvalidAck = "auth: invalid Authentication ACK message" + RlpError = "auth: error while decoding RLP stream" IncompleteError = "auth: data incomplete" Handshake* = object - version*: uint8 ## protocol version - flags*: set[HandshakeFlag] ## handshake flags - host*: KeyPair ## host keypair - ephemeral*: KeyPair ## ephemeral host keypair - remoteHPubkey*: PublicKey ## remote host public key - remoteEPubkey*: PublicKey ## remote host ephemeral public key - initiatorNonce*: Nonce ## initiator nonce - responderNonce*: Nonce ## responder nonce - expectedLength*: int ## expected incoming message length + flags*: set[HandshakeFlag] ## handshake flags + host*: KeyPair ## host keypair + ephemeral*: KeyPair ## ephemeral host keypair + remoteHPubkey*: PublicKey ## remote host public key + remoteEPubkey*: PublicKey ## remote host ephemeral public key + initiatorNonce*: Nonce ## initiator nonce + responderNonce*: Nonce ## responder nonce ConnectionSecret* = object aesKey*: array[aes256.sizeKey, byte] @@ -111,291 +104,154 @@ template toa(a, b, c: untyped): untyped = toOpenArray((a), (b), (b) + (c) - 1) proc mapErrTo[T, E](r: Result[T, E], v: static AuthError): AuthResult[T] = - r.mapErr(proc (e: E): AuthError = v) + r.mapErr( + proc(e: E): AuthError = + v + ) proc init*( - T: type Handshake, rng: var HmacDrbgContext, host: KeyPair, - flags: set[HandshakeFlag] = {Initiator}, - version: uint8 = SupportedRlpxVersion): T = + T: type Handshake, + rng: var HmacDrbgContext, + host: KeyPair, + flags: set[HandshakeFlag], +): T = ## Create new `Handshake` object. var initiatorNonce: Nonce responderNonce: Nonce - expectedLength: int ephemeral = KeyPair.random(rng) if Initiator in flags: - expectedLength = AckMessageV4Length rng.generate(initiatorNonce) else: - expectedLength = AuthMessageV4Length rng.generate(responderNonce) return T( - version: version, flags: flags, host: host, ephemeral: ephemeral, initiatorNonce: initiatorNonce, responderNonce: responderNonce, - expectedLength: expectedLength ) -proc authMessagePreEIP8(h: var Handshake, - rng: var HmacDrbgContext, - pubkey: PublicKey, - output: var openArray[byte], - outlen: var int, - flag: byte = 0, - encrypt: bool = true): AuthResult[void] = - ## Create plain pre-EIP8 authentication message. - var - buffer: array[PlainAuthMessageV4Length, byte] - outlen = 0 - let header = cast[ptr AuthMessageV4](addr buffer[0]) +proc authMessage*( + h: var Handshake, + rng: var HmacDrbgContext, + pubkey: PublicKey, + output: var openArray[byte], +): AuthResult[int] = + ## Create EIP8 authentication message - returns length of encoded message + ## The output should be a buffer of AuthMessageMaxEIP8 bytes at least. + if len(output) < AuthMessageMaxEIP8: + return err(AuthError.BufferOverrun) - var secret = ecdhSharedSecret(h.host.seckey, pubkey) - secret.data = secret.data xor h.initiatorNonce - - let signature = sign(h.ephemeral.seckey, SkMessage(secret.data)) - secret.clear() - - h.remoteHPubkey = pubkey - header.signature = signature.toRaw() - header.keyhash = keccak256.digest(h.ephemeral.pubkey.toRaw()).data - header.pubkey = h.host.pubkey.toRaw() - header.nonce = h.initiatorNonce - header.flag = flag - if encrypt: - if len(output) < AuthMessageV4Length: - return err(AuthError.BufferOverrun) - if eciesEncrypt(rng, buffer, output, h.remoteHPubkey).isErr: - return err(AuthError.EciesError) - outlen = AuthMessageV4Length - else: - if len(output) < PlainAuthMessageV4Length: - return err(AuthError.BufferOverrun) - copyMem(addr output[0], addr buffer[0], PlainAuthMessageV4Length) - outlen = PlainAuthMessageV4Length - - ok() - -proc authMessageEIP8(h: var Handshake, - rng: var HmacDrbgContext, - pubkey: PublicKey, - output: var openArray[byte], - outlen: var int, - flag: byte = 0, - encrypt: bool = true): AuthResult[void] = - ## Create EIP8 authentication message. - var - buffer: array[PlainAuthMessageMaxEIP8, byte] - - doAssert(EIP8 in h.flags) - outlen = 0 - - var secret = ecdhSharedSecret(h.host.seckey, pubkey) - secret.data = secret.data xor h.initiatorNonce - - let signature = sign(h.ephemeral.seckey, SkMessage(secret.data)) - secret.clear() - - h.remoteHPubkey = pubkey - var payload = rlp.encodeList(signature.toRaw(), - h.host.pubkey.toRaw(), - h.initiatorNonce, - [byte(h.version)]) - doAssert(len(payload) == PlainAuthMessageEIP8Length) - let - pencsize = eciesEncryptedLength(len(payload)) - - var padsize = int(rng.generate(byte)) # aka rand(max) - while padsize <= (AuthMessageV4Length - (pencsize + 2)): + var padsize = int(rng.generate(byte)) + while padsize > (MaxPadLenEIP8 - MinPadLenEIP8): padsize = int(rng.generate(byte)) + padsize += MinPadLenEIP8 - # It is possible to make packet size constant by uncommenting this line - # padsize = 24 let + pencsize = eciesEncryptedLength(PlainAuthMessageEIP8Length) wosize = pencsize + padsize fullsize = wosize + 2 - rng.generate(toa(buffer, PlainAuthMessageEIP8Length, padsize)) - - if encrypt: - if len(output) < fullsize: - return err(AuthError.BufferOverrun) - - copyMem(addr buffer[0], addr payload[0], len(payload)) - - let wosizeBE = uint16(wosize).toBytesBE() - output[0..<2] = wosizeBE - if eciesEncrypt(rng, toa(buffer, 0, len(payload) + padsize), - toa(output, 2, wosize), pubkey, - toa(output, 0, 2)).isErr: - return err(AuthError.EciesError) - outlen = fullsize - else: - let plainsize = len(payload) + padsize - if len(output) < plainsize: - return err(AuthError.BufferOverrun) - copyMem(addr output[0], addr buffer[0], plainsize) - outlen = plainsize - - ok() - -proc ackMessagePreEIP8(h: var Handshake, - rng: var HmacDrbgContext, - output: var openArray[byte], - outlen: var int, - flag: byte = 0, - encrypt: bool = true): AuthResult[void] = - ## Create plain pre-EIP8 authentication ack message. - var buffer: array[PlainAckMessageV4Length, byte] - outlen = 0 - let header = cast[ptr AckMessageV4](addr buffer[0]) - header.pubkey = h.ephemeral.pubkey.toRaw() - header.nonce = h.responderNonce - header.flag = flag - if encrypt: - if len(output) < AckMessageV4Length: - return err(AuthError.BufferOverrun) - if eciesEncrypt(rng, buffer, output, h.remoteHPubkey).isErr: - return err(AuthError.EciesError) - outlen = AckMessageV4Length - else: - if len(output) < PlainAckMessageV4Length: - return err(AuthError.BufferOverrun) - copyMem(addr output[0], addr buffer[0], PlainAckMessageV4Length) - outlen = PlainAckMessageV4Length - - ok() - -proc ackMessageEIP8(h: var Handshake, - rng: var HmacDrbgContext, - output: var openArray[byte], - outlen: var int, - flag: byte = 0, - encrypt: bool = true): AuthResult[void] = - ## Create EIP8 authentication ack message. - var - buffer: array[PlainAckMessageMaxEIP8, byte] - padsize: array[1, byte] - doAssert(EIP8 in h.flags) - var payload = rlp.encodeList(h.ephemeral.pubkey.toRaw(), - h.responderNonce, - [byte(h.version)]) - doAssert(len(payload) == PlainAckMessageEIP8Length) - outlen = 0 - let pencsize = eciesEncryptedLength(len(payload)) - while true: - generate(rng, padsize) - if int(padsize[0]) > (AckMessageV4Length - (pencsize + 2)): - break - # It is possible to make packet size constant by uncommenting this line - # padsize = 0 - let wosize = pencsize + int(padsize[0]) - let fullsize = wosize + 2 - if int(padsize[0]) > 0: - rng.generate(toa(buffer, PlainAckMessageEIP8Length, int(padsize[0]))) - - copyMem(addr buffer[0], addr payload[0], len(payload)) - if encrypt: - if len(output) < fullsize: - return err(AuthError.BufferOverrun) - output[0..<2] = uint16(wosize).toBytesBE() - if eciesEncrypt(rng, toa(buffer, 0, len(payload) + int(padsize[0])), - toa(output, 2, wosize), h.remoteHPubkey, - toa(output, 0, 2)).isErr: - return err(AuthError.EciesError) - outlen = fullsize - else: - let plainsize = len(payload) + int(padsize[0]) - if len(output) < plainsize: - return err(AuthError.BufferOverrun) - copyMem(addr output[0], addr buffer[0], plainsize) - outlen = plainsize - - ok() - -template authSize*(h: Handshake, encrypt: bool = true): int = - ## Get number of bytes needed to store AuthMessage. - if EIP8 in h.flags: - if encrypt: (AuthMessageMaxEIP8) else: (PlainAuthMessageMaxEIP8) - else: - if encrypt: (AuthMessageV4Length) else: (PlainAuthMessageV4Length) - -template ackSize*(h: Handshake, encrypt: bool = true): int = - ## Get number of bytes needed to store AckMessage. - if EIP8 in h.flags: - if encrypt: (AckMessageMaxEIP8) else: (PlainAckMessageMaxEIP8) - else: - if encrypt: (AckMessageV4Length) else: (PlainAckMessageV4Length) - -proc authMessage*(h: var Handshake, rng: var HmacDrbgContext, - pubkey: PublicKey, - output: var openArray[byte], - outlen: var int, flag: byte = 0, - encrypt: bool = true): AuthResult[void] = - ## Create new AuthMessage for specified `pubkey` and store it inside - ## of `output`, size of generated AuthMessage will stored in `outlen`. - if EIP8 in h.flags: - authMessageEIP8(h, rng, pubkey, output, outlen, flag, encrypt) - else: - authMessagePreEIP8(h, rng, pubkey, output, outlen, flag, encrypt) - -proc ackMessage*(h: var Handshake, rng: var HmacDrbgContext, - output: var openArray[byte], - outlen: var int, flag: byte = 0, - encrypt: bool = true): AuthResult[void] = - ## Create new AckMessage and store it inside of `output`, size of generated - ## AckMessage will stored in `outlen`. - if EIP8 in h.flags: - ackMessageEIP8(h, rng, output, outlen, flag, encrypt) - else: - ackMessagePreEIP8(h, rng, output, outlen, flag, encrypt) - -proc decodeAuthMessageV4(h: var Handshake, m: openArray[byte]): AuthResult[void] = - ## Decodes V4 AuthMessage. - var - buffer: array[PlainAuthMessageV4Length, byte] - - doAssert(Responder in h.flags) - if eciesDecrypt(m, buffer, h.host.seckey).isErr: - return err(EciesError) - - let - header = cast[ptr AuthMessageV4](addr buffer[0]) - pubkey = ? PublicKey.fromRaw(header.pubkey).mapErrTo(InvalidPubKey) - signature = ? Signature.fromRaw(header.signature).mapErrTo(SignatureError) + doAssert fullsize <= len(output), "We checked against max possible length above" var secret = ecdhSharedSecret(h.host.seckey, pubkey) - secret.data = secret.data xor header.nonce + secret.data = secret.data xor h.initiatorNonce - var recovered = recover(signature, SkMessage(secret.data)) + let signature = sign(h.ephemeral.seckey, SkMessage(secret.data)) secret.clear() - h.remoteEPubkey = ? recovered.mapErrTo(SignatureError) - h.initiatorNonce = header.nonce h.remoteHPubkey = pubkey + var payload = + rlp.encodeList(signature.toRaw(), h.host.pubkey.toRaw(), h.initiatorNonce, Vsn) + doAssert(len(payload) == PlainAuthMessageEIP8Length) - ok() + var buffer {.noinit.}: array[PlainAuthMessageMaxEIP8, byte] + copyMem(addr buffer[0], addr payload[0], len(payload)) + rng.generate(toa(buffer, PlainAuthMessageEIP8Length, padsize)) -proc decodeAuthMessageEIP8(h: var Handshake, m: openArray[byte]): AuthResult[void] = + let wosizeBE = uint16(wosize).toBytesBE() + output[0 ..< 2] = wosizeBE + if eciesEncrypt( + rng, + toa(buffer, 0, len(payload) + padsize), + toa(output, 2, wosize), + pubkey, + toa(output, 0, 2), + ).isErr: + return err(AuthError.EciesError) + + ok(fullsize) + +proc ackMessage*( + h: var Handshake, rng: var HmacDrbgContext, output: var openArray[byte] +): AuthResult[int] = + ## Create EIP8 authentication ack message - returns length of encoded message + ## The output should be a buffer of AckMessageMaxEIP8 bytes at least. + if len(output) < AckMessageMaxEIP8: + return err(AuthError.BufferOverrun) + + var padsize = int(rng.generate(byte)) + while padsize > (MaxPadLenEIP8 - MinPadLenEIP8): + padsize = int(rng.generate(byte)) + padsize += MinPadLenEIP8 + + let + pencsize = eciesEncryptedLength(PlainAckMessageEIP8Length) + wosize = pencsize + padsize + fullsize = wosize + 2 + + doAssert fullsize <= len(output), "We checked against max possible length above" + + var + buffer: array[PlainAckMessageMaxEIP8, byte] + payload = rlp.encodeList(h.ephemeral.pubkey.toRaw(), h.responderNonce, Vsn) + doAssert(len(payload) == PlainAckMessageEIP8Length) + + copyMem(addr buffer[0], addr payload[0], PlainAckMessageEIP8Length) + rng.generate(toa(buffer, PlainAckMessageEIP8Length, padsize)) + + output[0 ..< MsgLenLenEIP8] = uint16(wosize).toBytesBE() + + if eciesEncrypt( + rng, + toa(buffer, 0, PlainAckMessageEIP8Length + padsize), + toa(output, MsgLenLenEIP8, wosize), + h.remoteHPubkey, + toa(output, 0, MsgLenLenEIP8), + ).isErr: + return err(AuthError.EciesError) + ok(fullsize) + +proc decodeMsgLen*(h: Handshake, input: openArray[byte]): AuthResult[int] = + if input.len < 2: + return err(AuthError.IncompleteError) + let len = int(uint16.fromBytesBE(input)) + 2 + if len < AuthMessageEIP8Length: + return err(AuthError.IncompleteError) + ok(len) + +proc decodeAuthMessage*(h: var Handshake, m: openArray[byte]): AuthResult[void] = ## Decodes EIP-8 AuthMessage. - let size = uint16.fromBytesBE(m) - h.expectedLength = 2 + int(size) + let + expectedLength = ?h.decodeMsgLen(m) + size = expectedLength - MsgLenLenEIP8 # Check if the prefixed size is => than the minimum - if h.expectedLength < AuthMessageEIP8Length: + if expectedLength < AuthMessageEIP8Length: return err(AuthError.IncompleteError) - if h.expectedLength > len(m): + if expectedLength > len(m): return err(AuthError.IncompleteError) - var buffer = newSeq[byte](eciesDecryptedLength(int(size))) + var buffer = newSeq[byte](eciesDecryptedLength(size)) if eciesDecrypt( - toa(m, 2, int(size)), buffer, h.host.seckey, toa(m, 0, 2)).isErr: + toa(m, MsgLenLenEIP8, int(size)), buffer, h.host.seckey, toa(m, 0, MsgLenLenEIP8) + ).isErr: return err(AuthError.EciesError) + try: var reader = rlpFromBytes(buffer) if not reader.isList() or reader.listLen() < 4: @@ -412,11 +268,9 @@ proc decodeAuthMessageEIP8(h: var Handshake, m: openArray[byte]): AuthResult[voi signatureBr = reader.listElem(0).toBytes() pubkeyBr = reader.listElem(1).toBytes() nonceBr = reader.listElem(2).toBytes() - versionBr = reader.listElem(3).toBytes() - let - signature = ? Signature.fromRaw(signatureBr).mapErrTo(SignatureError) - pubkey = ? PublicKey.fromRaw(pubkeyBr).mapErrTo(InvalidPubKey) + signature = ?Signature.fromRaw(signatureBr).mapErrTo(SignatureError) + pubkey = ?PublicKey.fromRaw(pubkeyBr).mapErrTo(InvalidPubKey) nonce = toArray(KeyLength, nonceBr) var secret = ecdhSharedSecret(h.host.seckey, pubkey) @@ -425,100 +279,52 @@ proc decodeAuthMessageEIP8(h: var Handshake, m: openArray[byte]): AuthResult[voi let recovered = recover(signature, SkMessage(secret.data)) secret.clear() - h.remoteEPubkey = ? recovered.mapErrTo(SignatureError) + h.remoteEPubkey = ?recovered.mapErrTo(SignatureError) h.initiatorNonce = nonce h.remoteHPubkey = pubkey - h.version = versionBr[0] ok() except CatchableError: err(AuthError.RlpError) -proc decodeAckMessageEIP8*(h: var Handshake, m: openArray[byte]): AuthResult[void] = +proc decodeAckMessage*(h: var Handshake, m: openArray[byte]): AuthResult[void] = ## Decodes EIP-8 AckMessage. - let size = uint16.fromBytesBE(m) - h.expectedLength = 2 + int(size) + let + expectedLength = ?h.decodeMsgLen(m) + size = expectedLength - MsgLenLenEIP8 # Check if the prefixed size is => than the minimum - if h.expectedLength < AckMessageEIP8Length: + if expectedLength > len(m): return err(AuthError.IncompleteError) - if h.expectedLength > len(m): - return err(AuthError.IncompleteError) - - var buffer = newSeq[byte](eciesDecryptedLength(int(size))) + var buffer = newSeq[byte](eciesDecryptedLength(size)) if eciesDecrypt( - toa(m, 2, int(size)), buffer, h.host.seckey, toa(m, 0, 2)).isErr: + toa(m, MsgLenLenEIP8, size), buffer, h.host.seckey, toa(m, 0, MsgLenLenEIP8) + ).isErr: return err(AuthError.EciesError) try: var reader = rlpFromBytes(buffer) + # The last element, the version, is ignored if not reader.isList() or reader.listLen() < 3: return err(AuthError.InvalidAck) if reader.listElem(0).blobLen != RawPublicKeySize: return err(AuthError.InvalidAck) if reader.listElem(1).blobLen != KeyLength: return err(AuthError.InvalidAck) - if reader.listElem(2).blobLen != 1: - return err(AuthError.InvalidAck) + let pubkeyBr = reader.listElem(0).toBytes() nonceBr = reader.listElem(1).toBytes() - versionBr = reader.listElem(2).toBytes() - h.remoteEPubkey = ? PublicKey.fromRaw(pubkeyBr).mapErrTo(InvalidPubKey) + h.remoteEPubkey = ?PublicKey.fromRaw(pubkeyBr).mapErrTo(InvalidPubKey) h.responderNonce = toArray(KeyLength, nonceBr) - h.version = versionBr[0] ok() except CatchableError: err(AuthError.RlpError) -proc decodeAckMessageV4(h: var Handshake, m: openArray[byte]): AuthResult[void] = - ## Decodes V4 AckMessage. - var - buffer: array[PlainAckMessageV4Length, byte] - doAssert(Initiator in h.flags) - - if eciesDecrypt(m, buffer, h.host.seckey).isErr: - return err(AuthError.EciesError) - var header = cast[ptr AckMessageV4](addr buffer[0]) - - h.remoteEPubkey = ? PublicKey.fromRaw(header.pubkey).mapErrTo(InvalidPubKey) - h.responderNonce = header.nonce - - ok() - -proc decodeAuthMessage*(h: var Handshake, input: openArray[byte]): AuthResult[void] = - ## Decodes AuthMessage from `input`. - # Using the smallest min. message length of the two types - if len(input) < AuthMessageEIP8Length: - return err(AuthError.IncompleteError) - - if len(input) == AuthMessageV4Length: - let res = h.decodeAuthMessageV4(input) - if res.isOk(): return res - - let res = h.decodeAuthMessageEIP8(input) - if res.isOk(): - h.flags.incl(EIP8) - res - -proc decodeAckMessage*(h: var Handshake, input: openArray[byte]): AuthResult[void] = - ## Decodes AckMessage from `input`. - # Using the smallest min. message length of the two types - if len(input) < AckMessageV4Length: - return err(AuthError.IncompleteError) - - if len(input) == AckMessageV4Length: - let res = h.decodeAckMessageV4(input) - if res.isOk(): return res - - let res = h.decodeAckMessageEIP8(input) - if res.isOk(): h.flags.incl(EIP8) - res - proc getSecrets*( - h: Handshake, authmsg: openArray[byte], - ackmsg: openArray[byte]): ConnectionSecret = + h: Handshake, authmsg: openArray[byte], ackmsg: openArray[byte] +): ConnectionSecret = ## Derive secrets from handshake `h` using encrypted AuthMessage `authmsg` and ## encrypted AckMessage `ackmsg`. var diff --git a/eth/p2p/rlpx.nim b/eth/p2p/rlpx.nim index c078169..a27571f 100644 --- a/eth/p2p/rlpx.nim +++ b/eth/p2p/rlpx.nim @@ -27,7 +27,7 @@ import std/[algorithm, deques, options, typetraits, os], stew/shims/macros, chronicles, nimcrypto/utils, chronos, metrics, - ".."/[rlp, common, async_utils], + ".."/[rlp, async_utils], ./private/p2p_types, "."/[kademlia, auth, rlpxcrypt, enode, p2p_protocol_dsl] # TODO: This doesn't get enabled currently in any of the builds, so we send a @@ -76,8 +76,6 @@ type DisconnectionReasonList = object value: DisconnectionReason - Address = enode.Address - proc read(rlp: var Rlp; T: type DisconnectionReasonList): T {.gcsafe, raises: [RlpError].} = ## Rlp mixin: `DisconnectionReasonList` parser @@ -108,7 +106,6 @@ proc read(rlp: var Rlp; T: type DisconnectionReasonList): T raise newException(RlpTypeMismatch, "Single entry list expected") - const devp2pVersion* = 4 maxMsgSize = 1024 * 1024 * 10 @@ -543,45 +540,37 @@ proc resolveResponseFuture(peer: Peer, msgId: uint64, msg: pointer, reqId: uint6 trace "late or dup RPLx reply ignored" - proc recvMsg*(peer: Peer): Future[tuple[msgId: uint64, msgData: Rlp]] {.async.} = ## This procs awaits the next complete RLPx message in the TCP stream var headerBytes: array[32, byte] await peer.transport.readExactly(addr headerBytes[0], 32) - var msgSize: int var msgHeader: RlpxHeader - if decryptHeaderAndGetMsgSize(peer.secretsState, - headerBytes, msgSize, msgHeader).isErr(): + let msgSize = decryptHeader( + peer.secretsState, headerBytes, msgHeader).valueOr: await peer.disconnectAndRaise(BreachOfProtocol, "Cannot decrypt RLPx frame header") + 0 # TODO raises analysis insufficient if msgSize > maxMsgSize: await peer.disconnectAndRaise(BreachOfProtocol, "RLPx message exceeds maximum size") let remainingBytes = encryptedLength(msgSize) - 32 - # TODO: Migrate this to a thread-local seq - # JACEK: - # or pass it in, allowing the caller to choose - they'll likely be in a - # better position to decide if buffer should be reused or not. this will - # also be useful for chunked messages where part of the buffer may have - # been processed and needs filling in var encryptedBytes = newSeq[byte](remainingBytes) await peer.transport.readExactly(addr encryptedBytes[0], len(encryptedBytes)) let decryptedMaxLength = decryptedLength(msgSize) var decryptedBytes = newSeq[byte](decryptedMaxLength) - decryptedBytesCount = 0 if decryptBody(peer.secretsState, encryptedBytes, msgSize, - decryptedBytes, decryptedBytesCount).isErr(): + decryptedBytes).isErr(): await peer.disconnectAndRaise(BreachOfProtocol, "Cannot decrypt RLPx frame body") - decryptedBytes.setLen(decryptedBytesCount) + decryptedBytes.setLen(msgSize) when useSnappy: if peer.snappyEnabled: @@ -1138,21 +1127,10 @@ template `^`(arr): auto = # variable as an open array arr.toOpenArray(0, `arr Len` - 1) -proc initSecretState(p: Peer, hs: Handshake, authMsg, ackMsg: openArray[byte]) = - var secrets = hs.getSecrets(authMsg, ackMsg) - initSecretState(secrets, p.secretsState) - burnMem(secrets) - -template setSnappySupport(peer: Peer, node: EthereumNode, handshake: Handshake) = +template setSnappySupport(peer: Peer, node: EthereumNode, hello: DevP2P.hello) = when useSnappy: peer.snappyEnabled = node.protocolVersion >= devp2pSnappyVersion.uint64 and - handshake.version >= devp2pSnappyVersion.uint64 - -template getVersion(handshake: Handshake): uint64 = - when useSnappy: - handshake.version - else: - devp2pVersion + hello.version >= devp2pSnappyVersion.uint64 template baseProtocolVersion(node: EthereumNode): untyped = when useSnappy: @@ -1160,13 +1138,6 @@ template baseProtocolVersion(node: EthereumNode): untyped = else: devp2pVersion -template baseProtocolVersion(peer: Peer): uint64 = - when useSnappy: - if peer.snappyEnabled: devp2pSnappyVersion - else: devp2pVersion - else: - devp2pVersion - type RlpxError* = enum TransportConnectError, @@ -1180,6 +1151,79 @@ type PeerDisconnectedError, TooManyPeersError +proc initiatorHandshake( + node: EthereumNode, transport: StreamTransport, pubkey: PublicKey +): Future[ConnectionSecret] {. + async: (raises: [CancelledError, TransportError, EthP2PError]) +.} = + # https://github.com/ethereum/devp2p/blob/5713591d0366da78a913a811c7502d9ca91d29a8/rlpx.md#initial-handshake + var + handshake = Handshake.init(node.rng[], node.keys, {Initiator}) + authMsg: array[AuthMessageMaxEIP8, byte] + + let + authMsgLen = handshake.authMessage(node.rng[], pubkey, authMsg).expect( + "No errors with correctly sized buffer" + ) + + writeRes = await transport.write(addr authMsg[0], authMsgLen) + if writeRes != authMsgLen: + raisePeerDisconnected("Unexpected disconnect while authenticating", TcpError) + + var ackMsg = newSeqOfCap[byte](1024) + ackMsg.setLen(MsgLenLenEIP8) + await transport.readExactly(addr ackMsg[0], len(ackMsg)) + + let ackMsgLen = handshake.decodeMsgLen(ackMsg).valueOr: + raise (ref MalformedMessageError)( + msg: "Could not decode handshake ack length: " & $error + ) + + ackMsg.setLen(ackMsgLen) + await transport.readExactly(addr ackMsg[MsgLenLenEIP8], ackMsgLen - MsgLenLenEIP8) + + handshake.decodeAckMessage(ackMsg).isOkOr: + raise (ref MalformedMessageError)(msg: "Could not decode handshake ack: " & $error) + + handshake.getSecrets(^authMsg, ackMsg) + +proc responderHandshake( + node: EthereumNode, transport: StreamTransport +): Future[(ConnectionSecret, PublicKey)] {. + async: (raises: [CancelledError, TransportError, EthP2PError]) +.} = + # https://github.com/ethereum/devp2p/blob/5713591d0366da78a913a811c7502d9ca91d29a8/rlpx.md#initial-handshake + var + handshake = Handshake.init(node.rng[], node.keys, {auth.Responder}) + authMsg = newSeqOfCap[byte](1024) + + authMsg.setLen(MsgLenLenEIP8) + await transport.readExactly(addr authMsg[0], len(authMsg)) + + let authMsgLen = handshake.decodeMsgLen(authMsg).valueOr: + raise (ref MalformedMessageError)( + msg: "Could not decode handshake auth length: " & $error + ) + + authMsg.setLen(authMsgLen) + await transport.readExactly(addr authMsg[MsgLenLenEIP8], authMsgLen - MsgLenLenEIP8) + + handshake.decodeAuthMessage(authMsg).isOkOr: + raise (ref MalformedMessageError)( + msg: "Could not decode handshake auth message: " & $error + ) + + var ackMsg: array[AckMessageMaxEIP8, byte] + let ackMsgLen = handshake.ackMessage(node.rng[], ackMsg).expect( + "no errors with correcly sized buffer" + ) + + var res = await transport.write(addr ackMsg[0], ackMsgLen) + if res != ackMsgLen: + raisePeerDisconnected("Unexpected disconnect while authenticating", TcpError) + + (handshake.getSecrets(authMsg, ^ackMsg), handshake.remoteHPubkey) + proc rlpxConnect*(node: EthereumNode, remote: Node): Future[Result[Peer, RlpxError]] {.async.} = # TODO: Should we not set some timeouts on the `connect` and `readExactly`s? @@ -1208,64 +1252,23 @@ proc rlpxConnect*(node: EthereumNode, remote: Node): trace "TCP connect with peer failed", err = $e.name, errMsg = $e.msg return err(TransportConnectError) - # RLPx initial handshake - var - handshake = Handshake.init( - node.rng[], node.keys, {Initiator, EIP8}, node.baseProtocolVersion) - authMsg: array[AuthMessageMaxEIP8, byte] - authMsgLen = 0 - # TODO: Rework this so we won't have to pass an array as parameter? - authMessage( - handshake, node.rng[], remote.node.pubkey, authMsg, authMsgLen).tryGet() - - let writeRes = - try: - await peer.transport.write(addr authMsg[0], authMsgLen) - except TransportError: - return err(RlpxHandshakeTransportError) - except CatchableError as e: # TODO: Only TransportErrors can occur? - raiseAssert($e.name & " " & $e.msg) - if writeRes != authMsgLen: - return err(RlpxHandshakeTransportError) - - let initialSize = handshake.expectedLength - var ackMsg = newSeqOfCap[byte](1024) - ackMsg.setLen(initialSize) - try: - await peer.transport.readExactly(addr ackMsg[0], len(ackMsg)) + let secrets = await node.initiatorHandshake(peer.transport, remote.node.pubkey) + initSecretState(secrets, peer.secretsState) except TransportError: return err(RlpxHandshakeTransportError) + except EthP2PError: + return err(RlpxHandshakeError) except CatchableError as e: raiseAssert($e.name & " " & $e.msg) - let res = handshake.decodeAckMessage(ackMsg) - if res.isErr and res.error == AuthError.IncompleteError: - ackMsg.setLen(handshake.expectedLength) - try: - await peer.transport.readExactly(addr ackMsg[initialSize], - len(ackMsg) - initialSize) - except TransportError: - return err(RlpxHandshakeTransportError) - except CatchableError as e: # TODO: Only TransportErrors can occur? - raiseAssert($e.name & " " & $e.msg) - - # TODO: Bullet 1 of https://github.com/status-im/nim-eth/issues/559 - let res = handshake.decodeAckMessage(ackMsg) - if res.isErr(): - trace "rlpxConnect handshake error", error = res.error - return err(RlpxHandshakeError) - - peer.setSnappySupport(node, handshake) - peer.initSecretState(handshake, ^authMsg, ackMsg) - logConnectedPeer peer # RLPx p2p capability handshake: After the initial handshake, both sides of # the connection must send either Hello or a Disconnect message. let sendHelloFut = peer.hello( - handshake.getVersion(), + node.baseProtocolVersion(), node.clientId, node.capabilities, uint(node.address.tcpPort), @@ -1304,6 +1307,8 @@ proc rlpxConnect*(node: EthereumNode, remote: Node): trace "Wrong devp2p identity in Hello message" return err(InvalidIdentityError) + peer.setSnappySupport(node, response) + trace "DevP2P handshake completed", peer = remote, clientId = response.clientId @@ -1338,56 +1343,17 @@ proc rlpxAccept*( initTracing(devp2pInfo, node.protocols) let peer = Peer(transport: transport, network: node) - var handshake = Handshake.init(node.rng[], node.keys, {auth.Responder}) var ok = false try: - let initialSize = handshake.expectedLength - var authMsg = newSeqOfCap[byte](1024) - - authMsg.setLen(initialSize) - # TODO: Should we not set some timeouts on these `readExactly`s? - await transport.readExactly(addr authMsg[0], len(authMsg)) - var ret = handshake.decodeAuthMessage(authMsg) - if ret.isErr and ret.error == AuthError.IncompleteError: - # Eip8 auth message is possible, but not likely - authMsg.setLen(handshake.expectedLength) - await transport.readExactly(addr authMsg[initialSize], - len(authMsg) - initialSize) - ret = handshake.decodeAuthMessage(authMsg) - - if ret.isErr(): - # It is likely that errors on the handshake Auth is just garbage arriving - # on the TCP port as it is the first data on the incoming connection, - # hence log them as trace. - trace "rlpxAccept handshake error", error = ret.error - if not isNil(peer.transport): - peer.transport.close() - - rlpx_accept_failure.inc() - rlpx_accept_failure.inc(labelValues = ["handshake_error"]) - return nil - - ret.get() - - peer.setSnappySupport(node, handshake) - handshake.version = uint8(peer.baseProtocolVersion) - - var ackMsg: array[AckMessageMaxEIP8, byte] - var ackMsgLen: int - handshake.ackMessage(node.rng[], ackMsg, ackMsgLen).tryGet() - var res = await transport.write(addr ackMsg[0], ackMsgLen) - if res != ackMsgLen: - raisePeerDisconnected("Unexpected disconnect while authenticating", - TcpError) - - peer.initSecretState(handshake, authMsg, ^ackMsg) + let (secrets, pubkey) = await node.responderHandshake(transport) + initSecretState(secrets, peer.secretsState) let listenPort = transport.localAddress().port logAcceptedPeer peer var sendHelloFut = peer.hello( - peer.baseProtocolVersion, + node.baseProtocolVersion(), node.clientId, node.capabilities, listenPort.uint, @@ -1400,14 +1366,15 @@ proc rlpxAccept*( trace "Received Hello", version=response.version, id=response.clientId - if not validatePubKeyInHello(response, handshake.remoteHPubkey): - trace "A Remote nodeId is not its public key" # XXX: Do we care? + if not validatePubKeyInHello(response, pubkey): + raise (ref MalformedMessageError)(msg: "Wrong pubkey in hello message") + + peer.setSnappySupport(node, response) let remote = transport.remoteAddress() let address = Address(ip: remote.address, tcpPort: remote.port, udpPort: remote.port) - peer.remote = newNode( - ENode(pubkey: handshake.remoteHPubkey, address: address)) + peer.remote = newNode(ENode(pubkey: pubkey, address: address)) trace "devp2p handshake completed", peer = peer.remote, clientId = response.clientId diff --git a/eth/p2p/rlpxcrypt.nim b/eth/p2p/rlpxcrypt.nim index aa793be..b50049f 100644 --- a/eth/p2p/rlpxcrypt.nim +++ b/eth/p2p/rlpxcrypt.nim @@ -61,8 +61,8 @@ proc sxor[T](a: var openArray[T], b: openArray[T]) {.inline.} = proc initSecretState*(secrets: ConnectionSecret, context: var SecretState) = ## Initialized `context` with values from `secrets`. - # FIXME: Yes, the encryption is insecure, - # see: https://github.com/ethereum/devp2p/issues/32 + # This scheme is insecure, see: + # https://github.com/ethereum/devp2p/issues/32 # https://github.com/ethereum/py-evm/blob/master/p2p/peer.py#L159-L160 var iv: array[context.aesenc.sizeBlock, byte] context.aesenc.init(secrets.aesKey, iv) @@ -132,8 +132,8 @@ proc encrypt*(c: var SecretState, header: openArray[byte], var frameMac = tmpmac.finish() tmpmac.clear() # return header_ciphertext + header_mac + frame_ciphertext + frame_mac - copyMem(addr output[headerMacPos], addr headerMac.data[0], RlpHeaderLength) - copyMem(addr output[frameMacPos], addr frameMac.data[0], RlpHeaderLength) + copyMem(addr output[headerMacPos], addr headerMac.data[0], RlpMacLength) + copyMem(addr output[frameMacPos], addr frameMac.data[0], RlpMacLength) ok() proc encryptMsg*(msg: openArray[byte], secrets: var SecretState): seq[byte] = @@ -160,7 +160,7 @@ proc getBodySize*(a: RlpxHeader): int = (int(a[0]) shl 16) or (int(a[1]) shl 8) or int(a[2]) proc decryptHeader*(c: var SecretState, data: openArray[byte], - output: var openArray[byte]): RlpxResult[void] = + output: var RlpxHeader): RlpxResult[int] = ## Decrypts header `data` using SecretState `c` context and store ## result into `output`. ## @@ -190,30 +190,14 @@ proc decryptHeader*(c: var SecretState, data: openArray[byte], let headerMacPos = RlpHeaderLength if not equalMem(cast[pointer](unsafeAddr data[headerMacPos]), cast[pointer](addr expectMac.data[0]), RlpMacLength): - result = err(IncorrectMac) + err(IncorrectMac) else: # return self.aes_dec.update(header_ciphertext) c.aesdec.decrypt(toa(data, 0, RlpHeaderLength), output) - result = ok() - -proc decryptHeaderAndGetMsgSize*(c: var SecretState, - encryptedHeader: openArray[byte], - outSize: var int, - outHeader: var RlpxHeader): RlpxResult[void] = - result = decryptHeader(c, encryptedHeader, outHeader) - if result.isOk(): - outSize = outHeader.getBodySize - -proc decryptHeaderAndGetMsgSize*(c: var SecretState, - encryptedHeader: openArray[byte], - outSize: var int): RlpxResult[void] = - var decryptedHeader: RlpxHeader - result = decryptHeader(c, encryptedHeader, decryptedHeader) - if result.isOk(): - outSize = decryptedHeader.getBodySize + ok(output.getBodySize()) proc decryptBody*(c: var SecretState, data: openArray[byte], bodysize: int, - output: var openArray[byte], outlen: var int): RlpxResult[void] = + output: var openArray[byte]): RlpxResult[void] = ## Decrypts body `data` using SecretState `c` context and store ## result into `output`. ## @@ -224,7 +208,6 @@ proc decryptBody*(c: var SecretState, data: openArray[byte], bodysize: int, var tmpmac: keccak256 aes: array[RlpHeaderLength, byte] - outlen = 0 let rsize = roundup16(bodysize) if len(data) < rsize + RlpMacLength: return err(IncompleteError) @@ -245,8 +228,7 @@ proc decryptBody*(c: var SecretState, data: openArray[byte], bodysize: int, let bodyMacPos = rsize if not equalMem(cast[pointer](unsafeAddr data[bodyMacPos]), cast[pointer](addr expectMac.data[0]), RlpMacLength): - result = err(IncorrectMac) + err(IncorrectMac) else: c.aesdec.decrypt(toa(data, 0, rsize), output) - outlen = bodysize - result = ok() + ok() diff --git a/tests/p2p/test_auth.nim b/tests/p2p/test_auth.nim index 80c7e2d..041817f 100644 --- a/tests/p2p/test_auth.nim +++ b/tests/p2p/test_auth.nim @@ -14,87 +14,6 @@ import nimcrypto/[utils, keccak], ../../eth/common/keys, ../../eth/p2p/auth -# This was generated by `print` actual auth message generated by -# https://github.com/ethereum/py-evm/blob/master/tests/p2p/test_auth.py -const pyevmAuth = """ - 22034ad2e7545e2b0bf02ecb1e40db478dfbbf7aeecc834aec2523eb2b7e74ee - 77ba40c70a83bfe9f2ab91f0131546dcf92c3ee8282d9907fee093017fd0302d - 0034fdb5419558137e0d44cd13d319afe5629eeccb47fd9dfe55cc6089426e46 - cc762dd8a0636e07a54b31169eba0c7a20a1ac1ef68596f1f283b5c676bae406 - 4abfcce24799d09f67e392632d3ffdc12e3d6430dcb0ea19c318343ffa7aae74 - d4cd26fecb93657d1cd9e9eaf4f8be720b56dd1d39f190c4e1c6b7ec66f077bb - 1100""" - -# This data comes from https://gist.github.com/fjl/3a78780d17c755d22df2 -const data = [ - ("initiator_private_key", - "5e173f6ac3c669587538e7727cf19b782a4f2fda07c1eaa662c593e5e85e3051"), - ("receiver_private_key", - "c45f950382d542169ea207959ee0220ec1491755abe405cd7498d6b16adb6df8"), - ("initiator_ephemeral_private_key", - "19c2185f4f40634926ebed3af09070ca9e029f2edd5fae6253074896205f5f6c"), - ("receiver_ephemeral_private_key", - "d25688cf0ab10afa1a0e2dba7853ed5f1e5bf1c631757ed4e103b593ff3f5620"), - ("auth_plaintext", - """884c36f7ae6b406637c1f61b2f57e1d2cab813d24c6559aaf843c3f48962f32f - 46662c066d39669b7b2e3ba14781477417600e7728399278b1b5d801a519aa57 - 0034fdb5419558137e0d44cd13d319afe5629eeccb47fd9dfe55cc6089426e46 - cc762dd8a0636e07a54b31169eba0c7a20a1ac1ef68596f1f283b5c676bae406 - 4abfcce24799d09f67e392632d3ffdc12e3d6430dcb0ea19c318343ffa7aae74 - d4cd26fecb93657d1cd9e9eaf4f8be720b56dd1d39f190c4e1c6b7ec66f077bb - 1100"""), - ("authresp_plaintext", - """802b052f8b066640bba94a4fc39d63815c377fced6fcb84d27f791c9921ddf3e - 9bf0108e298f490812847109cbd778fae393e80323fd643209841a3b7f110397 - f37ec61d84cea03dcc5e8385db93248584e8af4b4d1c832d8c7453c0089687a7 - 00"""), - ("auth_ciphertext", - """04a0274c5951e32132e7f088c9bdfdc76c9d91f0dc6078e848f8e3361193dbdc - 43b94351ea3d89e4ff33ddcefbc80070498824857f499656c4f79bbd97b6c51a - 514251d69fd1785ef8764bd1d262a883f780964cce6a14ff206daf1206aa073a - 2d35ce2697ebf3514225bef186631b2fd2316a4b7bcdefec8d75a1025ba2c540 - 4a34e7795e1dd4bc01c6113ece07b0df13b69d3ba654a36e35e69ff9d482d88d - 2f0228e7d96fe11dccbb465a1831c7d4ad3a026924b182fc2bdfe016a6944312 - 021da5cc459713b13b86a686cf34d6fe6615020e4acf26bf0d5b7579ba813e77 - 23eb95b3cef9942f01a58bd61baee7c9bdd438956b426a4ffe238e61746a8c93 - d5e10680617c82e48d706ac4953f5e1c4c4f7d013c87d34a06626f498f34576d - c017fdd3d581e83cfd26cf125b6d2bda1f1d56"""), - ("authresp_ciphertext", - """049934a7b2d7f9af8fd9db941d9da281ac9381b5740e1f64f7092f3588d4f87f - 5ce55191a6653e5e80c1c5dd538169aa123e70dc6ffc5af1827e546c0e958e42 - dad355bcc1fcb9cdf2cf47ff524d2ad98cbf275e661bf4cf00960e74b5956b79 - 9771334f426df007350b46049adb21a6e78ab1408d5e6ccde6fb5e69f0f4c92b - b9c725c02f99fa72b9cdc8dd53cff089e0e73317f61cc5abf6152513cb7d833f - 09d2851603919bf0fbe44d79a09245c6e8338eb502083dc84b846f2fee1cc310 - d2cc8b1b9334728f97220bb799376233e113"""), - ("ecdhe_shared_secret", - "e3f407f83fc012470c26a93fdff534100f2c6f736439ce0ca90e9914f7d1c381"), - ("initiator_nonce", - "cd26fecb93657d1cd9e9eaf4f8be720b56dd1d39f190c4e1c6b7ec66f077bb11"), - ("receiver_nonce", - "f37ec61d84cea03dcc5e8385db93248584e8af4b4d1c832d8c7453c0089687a7"), - ("aes_secret", - "c0458fa97a5230830e05f4f20b7c755c1d4e54b1ce5cf43260bb191eef4e418d"), - ("mac_secret", - "48c938884d5067a1598272fcddaa4b833cd5e7d92e8228c0ecdfabbe68aef7f1"), - ("token", - "3f9ec2592d1554852b1f54d228f042ed0a9310ea86d038dc2b401ba8cd7fdac4"), - ("initial_egress_MAC", - "09771e93b1a6109e97074cbe2d2b0cf3d3878efafe68f53c41bb60c0ec49097e"), - ("initial_ingress_MAC", - "75823d96e23136c89666ee025fb21a432be906512b3dd4a3049e898adb433847"), - ("initiator_hello_packet", - """6ef23fcf1cec7312df623f9ae701e63b550cdb8517fefd8dd398fc2acd1d935e - 6e0434a2b96769078477637347b7b01924fff9ff1c06df2f804df3b0402bbb9f - 87365b3c6856b45e1e2b6470986813c3816a71bff9d69dd297a5dbd935ab578f - 6e5d7e93e4506a44f307c332d95e8a4b102585fd8ef9fc9e3e055537a5cec2e9"""), - ("receiver_hello_packet", - """6ef23fcf1cec7312df623f9ae701e63be36a1cdd1b19179146019984f3625d4a - 6e0434a2b96769050577657247b7b02bc6c314470eca7e3ef650b98c83e9d7dd - 4830b3f718ff562349aead2530a8d28a8484604f92e5fced2c6183f304344ab0 - e7c301a0c05559f4c25db65e36820b4b909a226171a60ac6cb7beea09376d6d8""") -] - # These test vectors were copied from EIP8 specification # https://github.com/ethereum/EIPs/blob/master/EIPS/eip-8.md const eip8data = [ @@ -110,17 +29,6 @@ const eip8data = [ "7e968bba13b6c50e2c4cd7f241cc0d64d1ac25c7f5952df231ac6a2bda8ee5d6"), ("receiver_nonce", "559aead08264d5795d3909718cdd05abd49572e84fe55590eef31a88a08fdffd"), - ("auth_ciphertext_v4", - """048ca79ad18e4b0659fab4853fe5bc58eb83992980f4c9cc147d2aa31532efd29 - a3d3dc6a3d89eaf913150cfc777ce0ce4af2758bf4810235f6e6ceccfee1acc6b - 22c005e9e3a49d6448610a58e98744ba3ac0399e82692d67c1f58849050b3024e - 21a52c9d3b01d871ff5f210817912773e610443a9ef142e91cdba0bd77b5fdf07 - 69b05671fc35f83d83e4d3b0b000c6b2a1b1bba89e0fc51bf4e460df3105c444f - 14be226458940d6061c296350937ffd5e3acaceeaaefd3c6f74be8e23e0f45163 - cc7ebd76220f0128410fd05250273156d548a414444ae2f7dea4dfca2d43c057a - db701a715bf59f6fb66b2d1d20f2c703f851cbf5ac47396d9ca65b6260bd141ac - 4d53e2de585a73d1750780db4c9ee4cd4d225173a4592ee77e2bd94d0be3691f3 - b406f9bba9b591fc63facc016bfa8"""), ("auth_ciphertext_eip8", """01b304ab7578555167be8154d5cc456f567d5ba302662433674222360f08d5f15 34499d3678b513b0fca474f3a514b18e75683032eb63fccb16c156dc6eb2c0b15 @@ -151,14 +59,6 @@ const eip8data = [ f37407ac044b55be0908ecb94d4ed172ece66fd31bfdadf2b97a8bc690163ee11 f5b575a4b44e36e2bfb2f0fce91676fd64c7773bac6a003f481fddd0bae0a1f31 aa27504e2a533af4cef3b623f4791b2cca6d490"""), - ("authack_ciphertext_v4", - """049f8abcfa9c0dc65b982e98af921bc0ba6e4243169348a236abe9df5f93aa69d - 99cadddaa387662b0ff2c08e9006d5a11a278b1b3331e5aaabf0a32f01281b6f4 - ede0e09a2d5f585b26513cb794d9635a57563921c04a9090b4f14ee42be1a5461 - 049af4ea7a7f49bf4c97a352d39c8d02ee4acc416388c1c66cec761d2bc1c72da - 6ba143477f049c9d2dde846c252c111b904f630ac98e51609b3b1f58168ddca65 - 05b7196532e5f85b259a20c45e1979491683fee108e9660edbf38f3add489ae73 - e3dda2c71bd1497113d5c755e942d1"""), ("authack_ciphertext_eip8", """01ea0451958701280a56482929d3b0757da8f7fbe5286784beead59d95089c217 c9b917788989470b0e330cc6e4fb383c0340ed85fab836ec9fb8a49672712aeab @@ -204,12 +104,6 @@ const eip8data = [ let rng = newRng() -proc testValue(s: string): string = - for item in data: - if item[0] == s: - result = item[1] - break - proc testE8Value(s: string): string = for item in eip8data: if item[0] == s: @@ -217,118 +111,6 @@ proc testE8Value(s: string): string = break suite "Ethereum P2P handshake test suite": - block: - proc newTestHandshake(flags: set[HandshakeFlag]): Handshake = - if Initiator in flags: - let pk = PrivateKey.fromHex(testValue("initiator_private_key"))[] - result = Handshake.init(rng[], pk.toKeyPair(), flags) - - let epki = testValue("initiator_ephemeral_private_key") - result.ephemeral = PrivateKey.fromHex(epki)[].toKeyPair() - let nonce = fromHex(stripSpaces(testValue("initiator_nonce"))) - result.initiatorNonce[0..^1] = nonce[0..^1] - elif Responder in flags: - let pk = PrivateKey.fromHex(testValue("receiver_private_key"))[] - result = Handshake.init(rng[], pk.toKeyPair(), flags) - let epkr = testValue("receiver_ephemeral_private_key") - result.ephemeral = PrivateKey.fromHex(epkr)[].toKeyPair() - let nonce = fromHex(stripSpaces(testValue("receiver_nonce"))) - result.responderNonce[0..^1] = nonce[0..^1] - - test "Create plain auth message": - var initiator = newTestHandshake({Initiator}) - var responder = newTestHandshake({Responder}) - var m0 = newSeq[byte](initiator.authSize(false)) - var k0 = 0 - initiator.authMessage( - rng[], responder.host.pubkey, m0, k0, 0, false).expect("auth success") - var expect1 = fromHex(stripSpaces(testValue("auth_plaintext"))) - var expect2 = fromHex(stripSpaces(pyevmAuth)) - check: - m0[65..^1] == expect1[65..^1] - m0[0..^1] == expect2[0..^1] - - test "Auth message decoding": - var initiator = newTestHandshake({Initiator}) - var responder = newTestHandshake({Responder}) - var m0 = newSeq[byte](initiator.authSize()) - var k0 = 0 - let remoteEPubkey0 = initiator.ephemeral.pubkey - let remoteHPubkey0 = initiator.host.pubkey - - initiator.authMessage( - rng[], responder.host.pubkey, m0, k0).expect("auth success") - responder.decodeAuthMessage(m0).expect("decode success") - check: - responder.initiatorNonce[0..^1] == initiator.initiatorNonce[0..^1] - responder.remoteEPubkey == remoteEPubkey0 - responder.remoteHPubkey == remoteHPubkey0 - - test "ACK message expectation": - var initiator = newTestHandshake({Initiator}) - var responder = newTestHandshake({Responder}) - var m0 = newSeq[byte](initiator.authSize()) - var m1 = newSeq[byte](responder.ackSize(false)) - var k0 = 0 - var k1 = 0 - var expect0 = fromHex(stripSpaces(testValue("authresp_plaintext"))) - initiator.authMessage( - rng[], responder.host.pubkey, m0, k0).expect("auth success") - responder.decodeAuthMessage(m0).expect("decode success") - responder.ackMessage(rng[], m1, k1, 0, false).expect("ack success") - check: - m1 == expect0 - responder.initiatorNonce == initiator.initiatorNonce - - test "ACK message decoding": - var initiator = newTestHandshake({Initiator}) - var responder = newTestHandshake({Responder}) - var m0 = newSeq[byte](initiator.authSize()) - var m1 = newSeq[byte](responder.ackSize()) - var k0 = 0 - var k1 = 0 - - initiator.authMessage( - rng[], responder.host.pubkey, m0, k0).expect("auth success") - responder.decodeAuthMessage(m0).expect("decode success") - responder.ackMessage(rng[], m1, k1).expect("ack success") - initiator.decodeAckMessage(m1).expect("decode success") - let remoteEPubkey0 = responder.ephemeral.pubkey - let remoteHPubkey0 = responder.host.pubkey - check: - initiator.remoteEPubkey == remoteEPubkey0 - initiator.remoteHPubkey == remoteHPubkey0 - initiator.responderNonce == responder.responderNonce - - test "Check derived secrets": - var initiator = newTestHandshake({Initiator}) - var responder = newTestHandshake({Responder}) - var authm = fromHex(stripSpaces(testValue("auth_ciphertext"))) - var ackm = fromHex(stripSpaces(testValue("authresp_ciphertext"))) - var taes = fromHex(stripSpaces(testValue("aes_secret"))) - var tmac = fromHex(stripSpaces(testValue("mac_secret"))) - var temac = fromHex(stripSpaces(testValue("initial_egress_MAC"))) - var timac = fromHex(stripSpaces(testValue("initial_ingress_MAC"))) - - responder.decodeAuthMessage(authm).expect("decode success") - initiator.decodeAckMessage(ackm).expect("ack success") - var csecInitiator = initiator.getSecrets(authm, ackm) - var csecResponder = responder.getSecrets(authm, ackm) - check: - csecInitiator.aesKey == csecResponder.aesKey - csecInitiator.macKey == csecResponder.macKey - taes[0..^1] == csecInitiator.aesKey[0..^1] - tmac[0..^1] == csecInitiator.macKey[0..^1] - let iemac = csecInitiator.egressMac.finish() - let iimac = csecInitiator.ingressMac.finish() - let remac = csecResponder.egressMac.finish() - let rimac = csecResponder.ingressMac.finish() - check: - iemac.data[0..^1] == temac[0..^1] - iimac.data[0..^1] == timac[0..^1] - remac.data[0..^1] == timac[0..^1] - rimac.data[0..^1] == temac[0..^1] - block: proc newTestHandshake(flags: set[HandshakeFlag]): Handshake = if Initiator in flags: @@ -348,25 +130,6 @@ suite "Ethereum P2P handshake test suite": let nonce = fromHex(stripSpaces(testE8Value("receiver_nonce"))) result.responderNonce[0..^1] = nonce[0..^1] - test "AUTH/ACK v4 test vectors": # auth/ack v4 - var initiator = newTestHandshake({Initiator}) - var responder = newTestHandshake({Responder}) - var m0 = fromHex(stripSpaces(testE8Value("auth_ciphertext_v4"))) - responder.decodeAuthMessage(m0).expect("decode success") - check: - responder.initiatorNonce[0..^1] == initiator.initiatorNonce[0..^1] - let remoteEPubkey0 = initiator.ephemeral.pubkey - let remoteHPubkey0 = initiator.host.pubkey - check: - responder.remoteEPubkey == remoteEPubkey0 - responder.remoteHPubkey == remoteHPubkey0 - var m1 = fromHex(stripSpaces(testE8Value("authack_ciphertext_v4"))) - initiator.decodeAckMessage(m1).expect("decode success") - let remoteEPubkey1 = responder.ephemeral.pubkey - check: - initiator.remoteEPubkey == remoteEPubkey1 - initiator.responderNonce[0..^1] == responder.responderNonce[0..^1] - test "AUTH/ACK EIP-8 test vectors": var initiator = newTestHandshake({Initiator}) var responder = newTestHandshake({Responder}) @@ -390,8 +153,6 @@ suite "Ethereum P2P handshake test suite": var csecInitiator = initiator.getSecrets(m0, m1) var csecResponder = responder.getSecrets(m0, m1) check: - int(initiator.version) == 4 - int(responder.version) == 4 csecInitiator.aesKey == csecResponder.aesKey csecInitiator.macKey == csecResponder.macKey taes[0..^1] == csecInitiator.aesKey[0..^1] @@ -418,25 +179,21 @@ suite "Ethereum P2P handshake test suite": initiator.decodeAckMessage(m1).expect("decode success") let remoteEPubkey1 = responder.ephemeral.pubkey check: - int(initiator.version) == 57 - int(responder.version) == 56 initiator.remoteEPubkey == remoteEPubkey1 initiator.responderNonce[0..^1] == responder.responderNonce[0..^1] test "100 AUTH/ACK EIP-8 handshakes": for i in 1..100: - var initiator = newTestHandshake({Initiator, EIP8}) + var initiator = newTestHandshake({Initiator}) var responder = newTestHandshake({Responder}) - var m0 = newSeq[byte](initiator.authSize()) - var k0 = 0 - var k1 = 0 - initiator.authMessage( - rng[], responder.host.pubkey, m0, k0).expect("auth success") + var m0 = newSeq[byte](AuthMessageMaxEIP8) + let k0 = initiator.authMessage( + rng[], responder.host.pubkey, m0).expect("auth success") m0.setLen(k0) responder.decodeAuthMessage(m0).expect("decode success") - check (EIP8 in responder.flags) == true - var m1 = newSeq[byte](responder.ackSize()) - responder.ackMessage(rng[], m1, k1).expect("ack success") + + var m1 = newSeq[byte](AckMessageMaxEIP8) + let k1 = responder.ackMessage(rng[], m1).expect("ack success") m1.setLen(k1) initiator.decodeAckMessage(m1).expect("decode success") var csecInitiator = initiator.getSecrets(m0, m1) @@ -449,15 +206,13 @@ suite "Ethereum P2P handshake test suite": for i in 1..100: var initiator = newTestHandshake({Initiator}) var responder = newTestHandshake({Responder}) - var m0 = newSeq[byte](initiator.authSize()) - var k0 = 0 - var k1 = 0 - initiator.authMessage( - rng[], responder.host.pubkey, m0, k0).expect("auth success") + var m0 = newSeq[byte](AuthMessageMaxEIP8) + let k0 = initiator.authMessage( + rng[], responder.host.pubkey, m0).expect("auth success") m0.setLen(k0) responder.decodeAuthMessage(m0).expect("auth success") - var m1 = newSeq[byte](responder.ackSize()) - responder.ackMessage(rng[], m1, k1).expect("ack success") + var m1 = newSeq[byte](AckMessageMaxEIP8) + let k1 = responder.ackMessage(rng[], m1).expect("ack success") m1.setLen(k1) initiator.decodeAckMessage(m1).expect("ack success") @@ -507,10 +262,10 @@ suite "Ethereum P2P handshake test suite": res.error == AuthError.IncompleteError test "Invalid AckMessage - Minimum input size": - var initiator = newTestHandshake({Initiator, EIP8}) + var initiator = newTestHandshake({Initiator,}) # 1 byte short on minimum size - let m = newSeq[byte](AckMessageV4Length - 1) + let m = newSeq[byte](AckMessageEIP8Length - 1) let res = initiator.decodeAckMessage(m) check: @@ -518,7 +273,7 @@ suite "Ethereum P2P handshake test suite": res.error == AuthError.IncompleteError test "Invalid AckMessage - Minimum size prefix": - var initiator = newTestHandshake({Initiator, EIP8}) + var initiator = newTestHandshake({Initiator}) # Minimum size for EIP8 AckMessage var m = newSeq[byte](AckMessageEIP8Length) @@ -532,7 +287,7 @@ suite "Ethereum P2P handshake test suite": res.error == AuthError.IncompleteError test "Invalid AckMessage - Size prefix bigger than input": - var initiator = newTestHandshake({Initiator, EIP8}) + var initiator = newTestHandshake({Initiator}) # Minimum size for EIP8 AckMessage var m = newSeq[byte](AckMessageEIP8Length) diff --git a/tests/p2p/test_crypt.nim b/tests/p2p/test_crypt.nim index b630a28..6ec7b1b 100644 --- a/tests/p2p/test_crypt.nim +++ b/tests/p2p/test_crypt.nim @@ -11,176 +11,147 @@ import unittest2, - nimcrypto/[utils, sysrand], + nimcrypto/[utils, keccak, sysrand], ../../eth/common/keys, ../../eth/p2p/[auth, rlpxcrypt] -const data = [ - ("initiator_private_key", - "5e173f6ac3c669587538e7727cf19b782a4f2fda07c1eaa662c593e5e85e3051"), - ("receiver_private_key", - "c45f950382d542169ea207959ee0220ec1491755abe405cd7498d6b16adb6df8"), - ("initiator_ephemeral_private_key", - "19c2185f4f40634926ebed3af09070ca9e029f2edd5fae6253074896205f5f6c"), - ("receiver_ephemeral_private_key", - "d25688cf0ab10afa1a0e2dba7853ed5f1e5bf1c631757ed4e103b593ff3f5620"), - ("auth_plaintext", - """884c36f7ae6b406637c1f61b2f57e1d2cab813d24c6559aaf843c3f48962f32f - 46662c066d39669b7b2e3ba14781477417600e7728399278b1b5d801a519aa57 - 0034fdb5419558137e0d44cd13d319afe5629eeccb47fd9dfe55cc6089426e46 - cc762dd8a0636e07a54b31169eba0c7a20a1ac1ef68596f1f283b5c676bae406 - 4abfcce24799d09f67e392632d3ffdc12e3d6430dcb0ea19c318343ffa7aae74 - d4cd26fecb93657d1cd9e9eaf4f8be720b56dd1d39f190c4e1c6b7ec66f077bb - 1100"""), - ("authresp_plaintext", - """802b052f8b066640bba94a4fc39d63815c377fced6fcb84d27f791c9921ddf3e - 9bf0108e298f490812847109cbd778fae393e80323fd643209841a3b7f110397 - f37ec61d84cea03dcc5e8385db93248584e8af4b4d1c832d8c7453c0089687a7 - 00"""), - ("auth_ciphertext", - """04a0274c5951e32132e7f088c9bdfdc76c9d91f0dc6078e848f8e3361193dbdc - 43b94351ea3d89e4ff33ddcefbc80070498824857f499656c4f79bbd97b6c51a - 514251d69fd1785ef8764bd1d262a883f780964cce6a14ff206daf1206aa073a - 2d35ce2697ebf3514225bef186631b2fd2316a4b7bcdefec8d75a1025ba2c540 - 4a34e7795e1dd4bc01c6113ece07b0df13b69d3ba654a36e35e69ff9d482d88d - 2f0228e7d96fe11dccbb465a1831c7d4ad3a026924b182fc2bdfe016a6944312 - 021da5cc459713b13b86a686cf34d6fe6615020e4acf26bf0d5b7579ba813e77 - 23eb95b3cef9942f01a58bd61baee7c9bdd438956b426a4ffe238e61746a8c93 - d5e10680617c82e48d706ac4953f5e1c4c4f7d013c87d34a06626f498f34576d - c017fdd3d581e83cfd26cf125b6d2bda1f1d56"""), - ("authresp_ciphertext", - """049934a7b2d7f9af8fd9db941d9da281ac9381b5740e1f64f7092f3588d4f87f - 5ce55191a6653e5e80c1c5dd538169aa123e70dc6ffc5af1827e546c0e958e42 - dad355bcc1fcb9cdf2cf47ff524d2ad98cbf275e661bf4cf00960e74b5956b79 - 9771334f426df007350b46049adb21a6e78ab1408d5e6ccde6fb5e69f0f4c92b - b9c725c02f99fa72b9cdc8dd53cff089e0e73317f61cc5abf6152513cb7d833f - 09d2851603919bf0fbe44d79a09245c6e8338eb502083dc84b846f2fee1cc310 - d2cc8b1b9334728f97220bb799376233e113"""), - ("ecdhe_shared_secret", - "e3f407f83fc012470c26a93fdff534100f2c6f736439ce0ca90e9914f7d1c381"), - ("initiator_nonce", - "cd26fecb93657d1cd9e9eaf4f8be720b56dd1d39f190c4e1c6b7ec66f077bb11"), - ("receiver_nonce", - "f37ec61d84cea03dcc5e8385db93248584e8af4b4d1c832d8c7453c0089687a7"), - ("aes_secret", - "c0458fa97a5230830e05f4f20b7c755c1d4e54b1ce5cf43260bb191eef4e418d"), - ("mac_secret", - "48c938884d5067a1598272fcddaa4b833cd5e7d92e8228c0ecdfabbe68aef7f1"), - ("token", - "3f9ec2592d1554852b1f54d228f042ed0a9310ea86d038dc2b401ba8cd7fdac4"), - ("initial_egress_MAC", - "09771e93b1a6109e97074cbe2d2b0cf3d3878efafe68f53c41bb60c0ec49097e"), - ("initial_ingress_MAC", - "75823d96e23136c89666ee025fb21a432be906512b3dd4a3049e898adb433847"), - ("initiator_hello_packet", - """6ef23fcf1cec7312df623f9ae701e63b550cdb8517fefd8dd398fc2acd1d935e - 6e0434a2b96769078477637347b7b01924fff9ff1c06df2f804df3b0402bbb9f - 87365b3c6856b45e1e2b6470986813c3816a71bff9d69dd297a5dbd935ab578f - 6e5d7e93e4506a44f307c332d95e8a4b102585fd8ef9fc9e3e055537a5cec2e9"""), - ("receiver_hello_packet", - """6ef23fcf1cec7312df623f9ae701e63be36a1cdd1b19179146019984f3625d4a - 6e0434a2b96769050577657247b7b02bc6c314470eca7e3ef650b98c83e9d7dd - 4830b3f718ff562349aead2530a8d28a8484604f92e5fced2c6183f304344ab0 - e7c301a0c05559f4c25db65e36820b4b909a226171a60ac6cb7beea09376d6d8""") -] +# EIP-8 test case +# https://github.com/ethereum/EIPs/blob/master/EIPS/eip-8.md#rlpx-handshake + +const + staticKeyA = fromHex("49a7b37aa6f6645917e7b807e9d1c00d4fa71f18343b0d4122a4d2df64dd6fee") + staticKeyB = fromHex("b71c71a67e1177ad4e901695e1b4b9ee17ae16c6668d313eac2f96dbcda3f291") + ephemeralKeyA = fromHex("869d6ecf5211f1cc60418a13b9d870b22959d0c16f02bec714c960dd2298a32d") + ephemeralKeyB = fromHex("e238eb8e04fee6511ab04c6dd3c89ce097b11f25d584863ac2b6d5b35b1847e4") + nonceA = fromHex("7e968bba13b6c50e2c4cd7f241cc0d64d1ac25c7f5952df231ac6a2bda8ee5d6") + nonceB = fromHex("559aead08264d5795d3909718cdd05abd49572e84fe55590eef31a88a08fdffd") + + auth1 = fromHex(stripSpaces(""" + 048ca79ad18e4b0659fab4853fe5bc58eb83992980f4c9cc147d2aa31532efd29a3d3dc6a3d89eaf + 913150cfc777ce0ce4af2758bf4810235f6e6ceccfee1acc6b22c005e9e3a49d6448610a58e98744 + ba3ac0399e82692d67c1f58849050b3024e21a52c9d3b01d871ff5f210817912773e610443a9ef14 + 2e91cdba0bd77b5fdf0769b05671fc35f83d83e4d3b0b000c6b2a1b1bba89e0fc51bf4e460df3105 + c444f14be226458940d6061c296350937ffd5e3acaceeaaefd3c6f74be8e23e0f45163cc7ebd7622 + 0f0128410fd05250273156d548a414444ae2f7dea4dfca2d43c057adb701a715bf59f6fb66b2d1d2 + 0f2c703f851cbf5ac47396d9ca65b6260bd141ac4d53e2de585a73d1750780db4c9ee4cd4d225173 + a4592ee77e2bd94d0be3691f3b406f9bba9b591fc63facc016bfa8""")) + auth2 = fromHex(stripSpaces(""" + 01b304ab7578555167be8154d5cc456f567d5ba302662433674222360f08d5f1534499d3678b513b + 0fca474f3a514b18e75683032eb63fccb16c156dc6eb2c0b1593f0d84ac74f6e475f1b8d56116b84 + 9634a8c458705bf83a626ea0384d4d7341aae591fae42ce6bd5c850bfe0b999a694a49bbbaf3ef6c + da61110601d3b4c02ab6c30437257a6e0117792631a4b47c1d52fc0f8f89caadeb7d02770bf999cc + 147d2df3b62e1ffb2c9d8c125a3984865356266bca11ce7d3a688663a51d82defaa8aad69da39ab6 + d5470e81ec5f2a7a47fb865ff7cca21516f9299a07b1bc63ba56c7a1a892112841ca44b6e0034dee + 70c9adabc15d76a54f443593fafdc3b27af8059703f88928e199cb122362a4b35f62386da7caad09 + c001edaeb5f8a06d2b26fb6cb93c52a9fca51853b68193916982358fe1e5369e249875bb8d0d0ec3 + 6f917bc5e1eafd5896d46bd61ff23f1a863a8a8dcd54c7b109b771c8e61ec9c8908c733c0263440e + 2aa067241aaa433f0bb053c7b31a838504b148f570c0ad62837129e547678c5190341e4f1693956c + 3bf7678318e2d5b5340c9e488eefea198576344afbdf66db5f51204a6961a63ce072c8926c""")) + auth3 = fromHex(stripSpaces(""" + 01b8044c6c312173685d1edd268aa95e1d495474c6959bcdd10067ba4c9013df9e40ff45f5bfd6f7 + 2471f93a91b493f8e00abc4b80f682973de715d77ba3a005a242eb859f9a211d93a347fa64b597bf + 280a6b88e26299cf263b01b8dfdb712278464fd1c25840b995e84d367d743f66c0e54a586725b7bb + f12acca27170ae3283c1073adda4b6d79f27656993aefccf16e0d0409fe07db2dc398a1b7e8ee93b + cd181485fd332f381d6a050fba4c7641a5112ac1b0b61168d20f01b479e19adf7fdbfa0905f63352 + bfc7e23cf3357657455119d879c78d3cf8c8c06375f3f7d4861aa02a122467e069acaf513025ff19 + 6641f6d2810ce493f51bee9c966b15c5043505350392b57645385a18c78f14669cc4d960446c1757 + 1b7c5d725021babbcd786957f3d17089c084907bda22c2b2675b4378b114c601d858802a55345a15 + 116bc61da4193996187ed70d16730e9ae6b3bb8787ebcaea1871d850997ddc08b4f4ea668fbf3740 + 7ac044b55be0908ecb94d4ed172ece66fd31bfdadf2b97a8bc690163ee11f5b575a4b44e36e2bfb2 + f0fce91676fd64c7773bac6a003f481fddd0bae0a1f31aa27504e2a533af4cef3b623f4791b2cca6 + d490""")) + ack1 = fromHex(stripSpaces(""" + 049f8abcfa9c0dc65b982e98af921bc0ba6e4243169348a236abe9df5f93aa69d99cadddaa387662 + b0ff2c08e9006d5a11a278b1b3331e5aaabf0a32f01281b6f4ede0e09a2d5f585b26513cb794d963 + 5a57563921c04a9090b4f14ee42be1a5461049af4ea7a7f49bf4c97a352d39c8d02ee4acc416388c + 1c66cec761d2bc1c72da6ba143477f049c9d2dde846c252c111b904f630ac98e51609b3b1f58168d + dca6505b7196532e5f85b259a20c45e1979491683fee108e9660edbf38f3add489ae73e3dda2c71b + d1497113d5c755e942d1""")) + ack2 = fromHex(stripSpaces(""" + 01ea0451958701280a56482929d3b0757da8f7fbe5286784beead59d95089c217c9b917788989470 + b0e330cc6e4fb383c0340ed85fab836ec9fb8a49672712aeabbdfd1e837c1ff4cace34311cd7f4de + 05d59279e3524ab26ef753a0095637ac88f2b499b9914b5f64e143eae548a1066e14cd2f4bd7f814 + c4652f11b254f8a2d0191e2f5546fae6055694aed14d906df79ad3b407d94692694e259191cde171 + ad542fc588fa2b7333313d82a9f887332f1dfc36cea03f831cb9a23fea05b33deb999e85489e645f + 6aab1872475d488d7bd6c7c120caf28dbfc5d6833888155ed69d34dbdc39c1f299be1057810f34fb + e754d021bfca14dc989753d61c413d261934e1a9c67ee060a25eefb54e81a4d14baff922180c395d + 3f998d70f46f6b58306f969627ae364497e73fc27f6d17ae45a413d322cb8814276be6ddd13b885b + 201b943213656cde498fa0e9ddc8e0b8f8a53824fbd82254f3e2c17e8eaea009c38b4aa0a3f306e8 + 797db43c25d68e86f262e564086f59a2fc60511c42abfb3057c247a8a8fe4fb3ccbadde17514b7ac + 8000cdb6a912778426260c47f38919a91f25f4b5ffb455d6aaaf150f7e5529c100ce62d6d92826a7 + 1778d809bdf60232ae21ce8a437eca8223f45ac37f6487452ce626f549b3b5fdee26afd2072e4bc7 + 5833c2464c805246155289f4""")) + ack3 = fromHex(stripSpaces(""" + 01f004076e58aae772bb101ab1a8e64e01ee96e64857ce82b1113817c6cdd52c09d26f7b90981cd7 + ae835aeac72e1573b8a0225dd56d157a010846d888dac7464baf53f2ad4e3d584531fa203658fab0 + 3a06c9fd5e35737e417bc28c1cbf5e5dfc666de7090f69c3b29754725f84f75382891c561040ea1d + dc0d8f381ed1b9d0d4ad2a0ec021421d847820d6fa0ba66eaf58175f1b235e851c7e2124069fbc20 + 2888ddb3ac4d56bcbd1b9b7eab59e78f2e2d400905050f4a92dec1c4bdf797b3fc9b2f8e84a482f3 + d800386186712dae00d5c386ec9387a5e9c9a1aca5a573ca91082c7d68421f388e79127a5177d4f8 + 590237364fd348c9611fa39f78dcdceee3f390f07991b7b47e1daa3ebcb6ccc9607811cb17ce51f1 + c8c2c5098dbdd28fca547b3f58c01a424ac05f869f49c6a34672ea2cbbc558428aa1fe48bbfd6115 + 8b1b735a65d99f21e70dbc020bfdface9f724a0d1fb5895db971cc81aa7608baa0920abb0a565c9c + 436e2fd13323428296c86385f2384e408a31e104670df0791d93e743a3a5194ee6b076fb6323ca59 + 3011b7348c16cf58f66b9633906ba54a2ee803187344b394f75dd2e663a57b956cb830dd7a908d4f + 39a2336a61ef9fda549180d4ccde21514d117b6c6fd07a9102b5efe710a32af4eeacae2cb3b1dec0 + 35b9593b48b9d3ca4c13d245d5f04169b0b1""")) + + aesSecret2 = fromHex("80e8632c05fed6fc2a13b0f8d31a3cf645366239170ea067065aba8e28bac487") + macSecret2 = fromHex("2ea74ec5dae199227dff1af715362700e989d889d7a493cb0639691efb8e5f98") let rng = newRng() -proc testValue(s: string): string = - for item in data: - if item[0] == s: - result = item[1] - break - suite "Ethereum RLPx encryption/decryption test suite": proc newTestHandshake(flags: set[HandshakeFlag]): Handshake = if Initiator in flags: - let pk = PrivateKey.fromHex(testValue("initiator_private_key"))[] + let pk = PrivateKey.fromRaw(staticKeyA)[] result = Handshake.init(rng[], pk.toKeyPair(), flags) - let epki = testValue("initiator_ephemeral_private_key") - result.ephemeral = PrivateKey.fromHex(epki)[].toKeyPair() - let nonce = fromHex(stripSpaces(testValue("initiator_nonce"))) - result.initiatorNonce[0..^1] = nonce[0..^1] + result.ephemeral = PrivateKey.fromRaw(ephemeralKeyA)[].toKeyPair() + result.initiatorNonce[0..^1] = nonceA elif Responder in flags: - let pk = PrivateKey.fromHex(testValue("receiver_private_key"))[] + let pk = PrivateKey.fromRaw(staticKeyB)[] result = Handshake.init(rng[], pk.toKeyPair(), flags) - let epkr = testValue("receiver_ephemeral_private_key") - result.ephemeral = PrivateKey.fromHex(epkr)[].toKeyPair() - let nonce = fromHex(stripSpaces(testValue("receiver_nonce"))) - result.responderNonce[0..^1] = nonce[0..^1] + result.ephemeral = PrivateKey.fromRaw(ephemeralKeyB)[].toKeyPair() + result.responderNonce[0..^1] = nonceB - test "Encrypt/Decrypt Hello packet test vectors": + test "Fail on pre-EIP8 messages": var initiator = newTestHandshake({Initiator}) var responder = newTestHandshake({Responder}) - var authm = fromHex(stripSpaces(testValue("auth_ciphertext"))) - var ackm = fromHex(stripSpaces(testValue("authresp_ciphertext"))) - var stateInitiator0, stateInitiator1: SecretState - var stateResponder0, stateResponder1: SecretState - responder.decodeAuthMessage(authm).expect("success") - initiator.decodeAckMessage(ackm).expect("success") + check: responder.decodeAuthMessage(auth1).isErr() + check: initiator.decodeAckMessage(ack1).isErr() - var csecInitiator = initiator.getSecrets(authm, ackm) - var csecResponder = responder.getSecrets(authm, ackm) - initSecretState(csecInitiator, stateInitiator0) - initSecretState(csecResponder, stateResponder0) - initSecretState(csecInitiator, stateInitiator1) - initSecretState(csecResponder, stateResponder1) - var packet0 = testValue("initiator_hello_packet") - var initiatorHello = fromHex(stripSpaces(packet0)) - var packet1 = testValue("receiver_hello_packet") - var responderHello = fromHex(stripSpaces(packet1)) - var header: array[RlpHeaderLength, byte] + test "Correct shared EIP-8 secret": + var initiator = newTestHandshake({Initiator}) + var responder = newTestHandshake({Responder}) - block: - check stateResponder0.decryptHeader(toOpenArray(initiatorHello, 0, 31), - header).isOk() - let bodysize = getBodySize(header) - check bodysize == 79 - # we need body size to be rounded to 16 bytes boundary to properly - # encrypt/decrypt it. - var body = newSeq[byte](decryptedLength(bodysize)) - var decrsize = 0 - check: - stateResponder0.decryptBody( - toOpenArray(initiatorHello, 32, len(initiatorHello) - 1), - getBodySize(header), body, decrsize).isOk() - decrsize == 79 - body.setLen(decrsize) - var hello = newSeq[byte](encryptedLength(bodysize)) - check: - stateInitiator1.encrypt(header, body, hello).isOk() - hello == initiatorHello - block: - check stateInitiator0.decryptHeader(toOpenArray(responderHello, 0, 31), - header).isOk() - let bodysize = getBodySize(header) - check bodysize == 79 - # we need body size to be rounded to 16 bytes boundary to properly - # encrypt/decrypt it. - var body = newSeq[byte](decryptedLength(bodysize)) - var decrsize = 0 - check: - stateInitiator0.decryptBody( - toOpenArray(responderHello, 32, len(initiatorHello) - 1), - getBodySize(header), body, decrsize).isOk() - decrsize == 79 - body.setLen(decrsize) - var hello = newSeq[byte](encryptedLength(bodysize)) - check: - stateResponder1.encrypt(header, body, hello).isOk() - hello == responderHello + check: responder.decodeAuthMessage(auth2).isOk() + check: initiator.decodeAckMessage(ack2).isOk() + + var csecResponder = responder.getSecrets(auth2, ack2) + + check: + csecResponder.aesKey == aesSecret2 + csecResponder.macKey == macSecret2 + var tmpMac = csecResponder.ingressMac + tmpMac.update("foo".toOpenArrayByte(0, 2)) + check: + tmpMac.finish().data == fromHex("0c7ec6340062cc46f5e9f1e3cf86f8c8c403c5a0964f5df0ebd34a75ddc86db5") + + test "Can parse auth/ack with extra bytes": + var initiator = newTestHandshake({Initiator}) + var responder = newTestHandshake({Responder}) + check: responder.decodeAuthMessage(auth3).isOk() + check: initiator.decodeAckMessage(ack3).isOk() test "Continuous stream of different lengths (1000 times)": var initiator = newTestHandshake({Initiator}) var responder = newTestHandshake({Responder}) - var m0 = newSeq[byte](initiator.authSize()) - var k0 = 0 - var k1 = 0 - check initiator.authMessage(rng[], responder.host.pubkey, - m0, k0).isOk + var m0 = newSeq[byte](AuthMessageMaxEIP8) + let k0 = initiator.authMessage(rng[], responder.host.pubkey, + m0).expect("correct buf size") m0.setLen(k0) check responder.decodeAuthMessage(m0).isOk - var m1 = newSeq[byte](responder.ackSize()) - check responder.ackMessage(rng[], m1, k1).isOk + var m1 = newSeq[byte](AckMessageMaxEIP8) + let k1 = responder.ackMessage(rng[], m1).expect("correct buf size") m1.setLen(k1) check initiator.decodeAckMessage(m1).isOk @@ -210,13 +181,11 @@ suite "Ethereum RLPx encryption/decryption test suite": var length = getBodySize(rheader) check length == len(ibody) var rbody = newSeq[byte](decryptedLength(length)) - var decrsize = 0 check: stateResponder.decryptBody( toOpenArray(encrypted, 32, len(encrypted) - 1), - length, rbody, decrsize).isOk() - decrsize == length - rbody.setLen(decrsize) + length, rbody).isOk() + rbody.setLen(length) check: iheader == rheader ibody == rbody @@ -238,12 +207,10 @@ suite "Ethereum RLPx encryption/decryption test suite": var length = getBodySize(rheader) check length == len(ibody) var rbody = newSeq[byte](decryptedLength(length)) - var decrsize = 0 check: stateInitiator.decryptBody( toOpenArray(encrypted, 32, len(encrypted) - 1), - length, rbody, decrsize).isOk() - decrsize == length + length, rbody).isOk() rbody.setLen(length) check: iheader == rheader