## Nim-LibP2P ## Copyright (c) 2020 Status Research & Development GmbH ## Licensed under either of ## * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE)) ## * MIT license ([LICENSE-MIT](LICENSE-MIT)) ## at your option. ## This file may not be copied, modified, or distributed except according to ## those terms. import chronos import chronicles import stew/[endians2, byteutils] import nimcrypto/[utils, sysrand, sha2, hmac] import ../../stream/lpstream import ../../peerid import ../../peerinfo import ../../protobuf/minprotobuf import ../../utility import ../../stream/lpstream import secure, ../../crypto/[crypto, chacha20poly1305, curve25519, hkdf], ../../stream/bufferstream logScope: topics = "noise" const # https://godoc.org/github.com/libp2p/go-libp2p-noise#pkg-constants NoiseCodec* = "/noise" PayloadString = "noise-libp2p-static-key:" ProtocolXXName = "Noise_XX_25519_ChaChaPoly_SHA256" # Empty is a special value which indicates k has not yet been initialized. EmptyKey: ChaChaPolyKey = [0.byte, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] NonceMax = uint64.high - 1 # max is reserved NoiseSize = 32 MaxPlainSize = int(uint16.high - NoiseSize - ChaChaPolyTag.len) type KeyPair = object privateKey: Curve25519Key publicKey: Curve25519Key # https://noiseprotocol.org/noise.html#the-cipherstate-object CipherState = object k: ChaChaPolyKey n: uint64 # https://noiseprotocol.org/noise.html#the-symmetricstate-object SymmetricState = object cs: CipherState ck: ChaChaPolyKey h: MDigest[256] # https://noiseprotocol.org/noise.html#the-handshakestate-object HandshakeState = object ss: SymmetricState s: KeyPair e: KeyPair rs: Curve25519Key re: Curve25519Key HandshakeResult = object cs1: CipherState cs2: CipherState remoteP2psecret: seq[byte] rs: Curve25519Key Noise* = ref object of Secure localPrivateKey: PrivateKey localPublicKey: PublicKey noisePrivateKey: Curve25519Key noisePublicKey: Curve25519Key commonPrologue: seq[byte] outgoing: bool NoiseConnection* = ref object of SecureConn readCs: CipherState writeCs: CipherState NoiseHandshakeError* = object of CatchableError NoiseDecryptTagError* = object of CatchableError NoiseOversizedPayloadError* = object of CatchableError NoiseNonceMaxError* = object of CatchableError # drop connection on purpose # Utility proc genKeyPair(): KeyPair = result.privateKey = Curve25519Key.random().tryGet() result.publicKey = result.privateKey.public() proc hashProtocol(name: string): MDigest[256] = # If protocol_name is less than or equal to HASHLEN bytes in length, # sets h equal to protocol_name with zero bytes appended to make HASHLEN bytes. # Otherwise sets h = HASH(protocol_name). if name.len <= 32: result.data[0..name.high] = name.toBytes else: result = sha256.digest(name) proc dh(priv: Curve25519Key, pub: Curve25519Key): Curve25519Key = Curve25519.mul(result, pub, priv) # Cipherstate proc hasKey(cs: CipherState): bool = cs.k != EmptyKey proc encryptWithAd(state: var CipherState, ad, data: openarray[byte]): seq[byte] = var tag: ChaChaPolyTag nonce: ChaChaPolyNonce np = cast[ptr uint64](addr nonce[4]) np[] = state.n result = @data ChaChaPoly.encrypt(state.k, nonce, tag, result, ad) inc state.n if state.n > NonceMax: raise newException(NoiseNonceMaxError, "Noise max nonce value reached") result &= tag trace "encryptWithAd", tag = byteutils.toHex(tag), data = result.shortLog, nonce = state.n - 1 proc decryptWithAd(state: var CipherState, ad, data: openarray[byte]): seq[byte] = var tagIn = data[^ChaChaPolyTag.len..data.high].intoChaChaPolyTag tagOut = tagIn nonce: ChaChaPolyNonce np = cast[ptr uint64](addr nonce[4]) np[] = state.n result = data[0..(data.high - ChaChaPolyTag.len)] ChaChaPoly.decrypt(state.k, nonce, tagOut, result, ad) trace "decryptWithAd", tagIn = tagIn.shortLog, tagOut = tagOut.shortLog, nonce = state.n if tagIn != tagOut: error "decryptWithAd failed", data = byteutils.toHex(data) raise newException(NoiseDecryptTagError, "decryptWithAd failed tag authentication.") inc state.n if state.n > NonceMax: raise newException(NoiseNonceMaxError, "Noise max nonce value reached") # Symmetricstate proc init(_: type[SymmetricState]): SymmetricState = result.h = ProtocolXXName.hashProtocol result.ck = result.h.data.intoChaChaPolyKey result.cs = CipherState(k: EmptyKey) proc mixKey(ss: var SymmetricState, ikm: ChaChaPolyKey) = var temp_keys: array[2, ChaChaPolyKey] sha256.hkdf(ss.ck, ikm, [], temp_keys) ss.ck = temp_keys[0] ss.cs = CipherState(k: temp_keys[1]) trace "mixKey", key = ss.cs.k.shortLog proc mixHash(ss: var SymmetricState; data: openarray[byte]) = var ctx: sha256 ctx.init() ctx.update(ss.h.data) ctx.update(data) ss.h = ctx.finish() trace "mixHash", hash = ss.h.data.shortLog # We might use this for other handshake patterns/tokens proc mixKeyAndHash(ss: var SymmetricState; ikm: openarray[byte]) {.used.} = var temp_keys: array[3, ChaChaPolyKey] sha256.hkdf(ss.ck, ikm, [], temp_keys) ss.ck = temp_keys[0] ss.mixHash(temp_keys[1]) ss.cs = CipherState(k: temp_keys[2]) proc encryptAndHash(ss: var SymmetricState, data: openarray[byte]): seq[byte] = # according to spec if key is empty leave plaintext if ss.cs.hasKey: result = ss.cs.encryptWithAd(ss.h.data, data) else: result = @data ss.mixHash(result) proc decryptAndHash(ss: var SymmetricState, data: openarray[byte]): seq[byte] = # according to spec if key is empty leave plaintext if ss.cs.hasKey: result = ss.cs.decryptWithAd(ss.h.data, data) else: result = @data ss.mixHash(data) proc split(ss: var SymmetricState): tuple[cs1, cs2: CipherState] = var temp_keys: array[2, ChaChaPolyKey] sha256.hkdf(ss.ck, [], [], temp_keys) return (CipherState(k: temp_keys[0]), CipherState(k: temp_keys[1])) proc init(_: type[HandshakeState]): HandshakeState = result.ss = SymmetricState.init() template write_e: untyped = trace "noise write e" # Sets e (which must be empty) to GENERATE_KEYPAIR(). Appends e.public_key to the buffer. Calls MixHash(e.public_key). hs.e = genKeyPair() msg &= hs.e.publicKey hs.ss.mixHash(hs.e.publicKey) template write_s: untyped = trace "noise write s" # Appends EncryptAndHash(s.public_key) to the buffer. msg &= hs.ss.encryptAndHash(hs.s.publicKey) template dh_ee: untyped = trace "noise dh ee" # Calls MixKey(DH(e, re)). hs.ss.mixKey(dh(hs.e.privateKey, hs.re)) template dh_es: untyped = trace "noise dh es" # Calls MixKey(DH(e, rs)) if initiator, MixKey(DH(s, re)) if responder. when initiator: hs.ss.mixKey(dh(hs.e.privateKey, hs.rs)) else: hs.ss.mixKey(dh(hs.s.privateKey, hs.re)) template dh_se: untyped = trace "noise dh se" # Calls MixKey(DH(s, re)) if initiator, MixKey(DH(e, rs)) if responder. when initiator: hs.ss.mixKey(dh(hs.s.privateKey, hs.re)) else: hs.ss.mixKey(dh(hs.e.privateKey, hs.rs)) # might be used for other token/handshakes template dh_ss: untyped {.used.} = trace "noise dh ss" # Calls MixKey(DH(s, rs)). hs.ss.mixKey(dh(hs.s.privateKey, hs.rs)) template read_e: untyped = trace "noise read e", size = msg.len if msg.len < Curve25519Key.len: raise newException(NoiseHandshakeError, "Noise E, expected more data") # Sets re (which must be empty) to the next DHLEN bytes from the message. Calls MixHash(re.public_key). hs.re[0..Curve25519Key.high] = msg[0..Curve25519Key.high] msg = msg[Curve25519Key.len..msg.high] hs.ss.mixHash(hs.re) template read_s: untyped = trace "noise read s", size = msg.len # Sets temp to the next DHLEN + 16 bytes of the message if HasKey() == True, or to the next DHLEN bytes otherwise. # Sets rs (which must be empty) to DecryptAndHash(temp). let temp = if hs.ss.cs.hasKey: if msg.len < Curve25519Key.len + ChaChaPolyTag.len: raise newException(NoiseHandshakeError, "Noise S, expected more data") msg[0..Curve25519Key.high + ChaChaPolyTag.len] else: if msg.len < Curve25519Key.len: raise newException(NoiseHandshakeError, "Noise S, expected more data") msg[0..Curve25519Key.high] msg = msg[temp.len..msg.high] let plain = hs.ss.decryptAndHash(temp) hs.rs[0..Curve25519Key.high] = plain proc receiveHSMessage(sconn: Connection): Future[seq[byte]] {.async.} = var besize: array[2, byte] await sconn.readExactly(addr besize[0], besize.len) let size = uint16.fromBytesBE(besize).int trace "receiveHSMessage", size var buffer = newSeq[byte](size) if buffer.len > 0: await sconn.readExactly(addr buffer[0], buffer.len) return buffer proc sendHSMessage(sconn: Connection; buf: seq[byte]) {.async.} = var lesize = buf.len.uint16 besize = lesize.toBytesBE outbuf = newSeqOfCap[byte](besize.len + buf.len) trace "sendHSMessage", size = lesize outbuf &= besize outbuf &= buf await sconn.write(outbuf) proc handshakeXXOutbound(p: Noise, conn: Connection, p2pProof: ProtoBuffer): Future[HandshakeResult] {.async.} = const initiator = true var hs = HandshakeState.init() p2psecret = p2pProof.buffer hs.ss.mixHash(p.commonPrologue) hs.s.privateKey = p.noisePrivateKey hs.s.publicKey = p.noisePublicKey # -> e var msg: seq[byte] write_e() # IK might use this btw! msg &= hs.ss.encryptAndHash(@[]) await conn.sendHSMessage(msg) # <- e, ee, s, es msg = await conn.receiveHSMessage() read_e() dh_ee() read_s() dh_es() let remoteP2psecret = hs.ss.decryptAndHash(msg) # -> s, se msg.setLen(0) write_s() dh_se() # last payload must follow the ecrypted way of sending msg &= hs.ss.encryptAndHash(p2psecret) await conn.sendHSMessage(msg) let (cs1, cs2) = hs.ss.split() return HandshakeResult(cs1: cs1, cs2: cs2, remoteP2psecret: remoteP2psecret, rs: hs.rs) proc handshakeXXInbound(p: Noise, conn: Connection, p2pProof: ProtoBuffer): Future[HandshakeResult] {.async.} = const initiator = false var hs = HandshakeState.init() p2psecret = p2pProof.buffer hs.ss.mixHash(p.commonPrologue) hs.s.privateKey = p.noisePrivateKey hs.s.publicKey = p.noisePublicKey # -> e var msg = await conn.receiveHSMessage() read_e() # we might use this early data one day, keeping it here for clarity let earlyData {.used.} = hs.ss.decryptAndHash(msg) # <- e, ee, s, es msg.setLen(0) write_e() dh_ee() write_s() dh_es() msg &= hs.ss.encryptAndHash(p2psecret) await conn.sendHSMessage(msg) # -> s, se msg = await conn.receiveHSMessage() read_s() dh_se() let remoteP2psecret = hs.ss.decryptAndHash(msg) let (cs1, cs2) = hs.ss.split() return HandshakeResult(cs1: cs1, cs2: cs2, remoteP2psecret: remoteP2psecret, rs: hs.rs) method readMessage*(sconn: NoiseConnection): Future[seq[byte]] {.async.} = while true: # Discard 0-length payloads var besize: array[2, byte] await sconn.stream.readExactly(addr besize[0], besize.len) let size = uint16.fromBytesBE(besize).int # Cannot overflow trace "receiveEncryptedMessage", size, peer = $sconn if size > 0: var buffer = newSeq[byte](size) await sconn.stream.readExactly(addr buffer[0], buffer.len) return sconn.readCs.decryptWithAd([], buffer) else: trace "Received 0-length message", conn = $sconn method write*(sconn: NoiseConnection, message: seq[byte]): Future[void] {.async.} = if message.len == 0: return var left = message.len offset = 0 while left > 0: let chunkSize = if left > MaxPlainSize: MaxPlainSize else: left cipher = sconn.writeCs.encryptWithAd([], message.toOpenArray(offset, offset + chunkSize - 1)) left = left - chunkSize offset = offset + chunkSize var lesize = cipher.len.uint16 besize = lesize.toBytesBE outbuf = newSeqOfCap[byte](cipher.len + 2) trace "sendEncryptedMessage", size = lesize, peer = $sconn, left, offset outbuf &= besize outbuf &= cipher await sconn.stream.write(outbuf) method handshake*(p: Noise, conn: Connection, initiator: bool): Future[SecureConn] {.async.} = trace "Starting Noise handshake", initiator, peer = $conn # https://github.com/libp2p/specs/tree/master/noise#libp2p-data-in-handshake-messages let signedPayload = p.localPrivateKey.sign( PayloadString.toBytes & p.noisePublicKey.getBytes).tryGet() var libp2pProof = initProtoBuffer() libp2pProof.write(initProtoField(1, p.localPublicKey.getBytes.tryGet())) libp2pProof.write(initProtoField(2, signedPayload.getBytes())) # data field also there but not used! libp2pProof.finish() let handshakeRes = if initiator: await handshakeXXOutbound(p, conn, libp2pProof) else: await handshakeXXInbound(p, conn, libp2pProof) var remoteProof = initProtoBuffer(handshakeRes.remoteP2psecret) remotePubKey: PublicKey remotePubKeyBytes: seq[byte] remoteSig: Signature remoteSigBytes: seq[byte] if remoteProof.getLengthValue(1, remotePubKeyBytes) <= 0: raise newException(NoiseHandshakeError, "Failed to deserialize remote public key bytes. (initiator: " & $initiator & ", peer: " & $conn.peerInfo.peerId & ")") if remoteProof.getLengthValue(2, remoteSigBytes) <= 0: raise newException(NoiseHandshakeError, "Failed to deserialize remote signature bytes. (initiator: " & $initiator & ", peer: " & $conn.peerInfo.peerId & ")") if not remotePubKey.init(remotePubKeyBytes): raise newException(NoiseHandshakeError, "Failed to decode remote public key. (initiator: " & $initiator & ", peer: " & $conn.peerInfo.peerId & ")") if not remoteSig.init(remoteSigBytes): raise newException(NoiseHandshakeError, "Failed to decode remote signature. (initiator: " & $initiator & ", peer: " & $conn.peerInfo.peerId & ")") let verifyPayload = PayloadString.toBytes & handshakeRes.rs.getBytes if not remoteSig.verify(verifyPayload, remotePubKey): raise newException(NoiseHandshakeError, "Noise handshake signature verify failed.") else: trace "Remote signature verified", peer = $conn if initiator and not isNil(conn.peerInfo): let pid = PeerID.init(remotePubKey) if not conn.peerInfo.peerId.validate(): raise newException(NoiseHandshakeError, "Failed to validate peerId.") if pid.isErr or pid.get() != conn.peerInfo.peerId: var failedKey: PublicKey discard extractPublicKey(conn.peerInfo.peerId, failedKey) debug "Noise handshake, peer infos don't match!", initiator, dealt_peer = $conn.peerInfo.id, dealt_key = $failedKey, received_peer = $pid, received_key = $remotePubKey raise newException(NoiseHandshakeError, "Noise handshake, peer infos don't match! " & $pid & " != " & $conn.peerInfo.peerId) var secure = NoiseConnection.init(conn, PeerInfo.init(remotePubKey), conn.observedAddr) if initiator: secure.readCs = handshakeRes.cs2 secure.writeCs = handshakeRes.cs1 else: secure.readCs = handshakeRes.cs1 secure.writeCs = handshakeRes.cs2 trace "Noise handshake completed!", initiator, peer = $secure.peerInfo return secure method init*(p: Noise) {.gcsafe.} = procCall Secure(p).init() p.codec = NoiseCodec proc newNoise*(privateKey: PrivateKey; outgoing: bool = true; commonPrologue: seq[byte] = @[]): Noise = new result result.outgoing = outgoing result.localPrivateKey = privateKey result.localPublicKey = privateKey.getKey().tryGet() result.noisePrivateKey = Curve25519Key.random().tryGet() result.noisePublicKey = result.noisePrivateKey.public() result.commonPrologue = commonPrologue result.init()