Merge branch 'master' into noise-payloadV2

tests/v2/test_waku_noise.nim

@@ -2,27 +2,58 @@
 
 import
   testutils/unittests,
-  ../../waku/v2/protocol/waku_message,
+  std/random,
+  stew/byteutils,
   ../../waku/v2/protocol/waku_noise/noise,
-  ../../waku/v2/node/waku_payload,
+  ../test_helpers
-  ../test_helpers,
-  std/tables
 
 procSuite "Waku Noise":
   
+  # We initialize the RNG in test_helpers
   let rng = rng()
+  # We initialize the RNG in std/random
+  randomize()
 
-  test "Encrypt -> decrypt public keys":
+  test "ChaChaPoly Encryption/Decryption: random byte sequences":
+
+    let cipherState = randomChaChaPolyCipherState(rng[])
+
+    # We encrypt/decrypt random byte sequences
+    let
+      plaintext: seq[byte] = randomSeqByte(rng[], rand(1..128))
+      ciphertext: ChaChaPolyCiphertext = encrypt(cipherState, plaintext)
+      decryptedCiphertext: seq[byte] = decrypt(cipherState, ciphertext)
+
+    check: 
+      plaintext == decryptedCiphertext
+
+  test "ChaChaPoly Encryption/Decryption: random strings":
+
+    let cipherState = randomChaChaPolyCipherState(rng[])
+
+    # We encrypt/decrypt random strings
+    var plaintext: string
+    for _ in 1..rand(1..128):
+      add(plaintext, char(rand(int('A') .. int('z'))))
+
+    let
+      ciphertext: ChaChaPolyCiphertext = encrypt(cipherState, plaintext.toBytes())
+      decryptedCiphertext: seq[byte] = decrypt(cipherState, ciphertext)
+
+    check: 
+      plaintext.toBytes() == decryptedCiphertext
+
+  test "Encrypt and decrypt Noise public keys":
 
     let noisePublicKey: NoisePublicKey = genNoisePublicKey(rng[])
 
     let 
       cs: ChaChaPolyCipherState = randomChaChaPolyCipherState(rng[])
-      enc_pk: NoisePublicKey = encryptNoisePublicKey(cs, noisePublicKey)
+      encryptedPk: NoisePublicKey = encryptNoisePublicKey(cs, noisePublicKey)
-      dec_pk: NoisePublicKey = decryptNoisePublicKey(cs, enc_pk)
+      decryptedPk: NoisePublicKey = decryptNoisePublicKey(cs, encryptedPk)
 
     check: 
-      noisePublicKey == dec_pk
+      noisePublicKey == decryptedPk
 
   test "Decrypt unencrypted public key":
 
@@ -30,36 +61,37 @@ procSuite "Waku Noise":
 
     let 
       cs: ChaChaPolyCipherState = randomChaChaPolyCipherState(rng[])
-      dec_pk: NoisePublicKey = decryptNoisePublicKey(cs, noisePublicKey)
+      decryptedPk: NoisePublicKey = decryptNoisePublicKey(cs, noisePublicKey)
 
     check:
-      noisePublicKey == dec_pk
+      noisePublicKey == decryptedPk
 
-  test "Encrypt -> encrypt public keys":
+  test "Encrypt encrypted public key":
 
     let noisePublicKey: NoisePublicKey = genNoisePublicKey(rng[])
 
     let
       cs: ChaChaPolyCipherState = randomChaChaPolyCipherState(rng[])
-      enc_pk: NoisePublicKey = encryptNoisePublicKey(cs, noisePublicKey)
+      encryptedPk: NoisePublicKey = encryptNoisePublicKey(cs, noisePublicKey)
-      enc2_pk: NoisePublicKey = encryptNoisePublicKey(cs, enc_pk)
+      encryptedPk2: NoisePublicKey = encryptNoisePublicKey(cs, encryptedPk)
     
-    check enc_pk == enc2_pk
+    check:
+      encryptedPk == encryptedPk2
 
-  test "Encrypt -> decrypt -> decrypt public keys":
+  test "Encrypt, decrypt and decrypt public key":
 
     let noisePublicKey: NoisePublicKey = genNoisePublicKey(rng[])
 
     let
       cs: ChaChaPolyCipherState = randomChaChaPolyCipherState(rng[])
-      enc_pk: NoisePublicKey = encryptNoisePublicKey(cs, noisePublicKey)
+      encryptedPk: NoisePublicKey = encryptNoisePublicKey(cs, noisePublicKey)
-      dec_pk: NoisePublicKey = decryptNoisePublicKey(cs, enc_pk)
+      decryptedPk: NoisePublicKey = decryptNoisePublicKey(cs, encryptedPk)
-      dec2_pk: NoisePublicKey = decryptNoisePublicKey(cs, dec_pk)
+      decryptedPk2: NoisePublicKey = decryptNoisePublicKey(cs, decryptedPk)
 
     check: 
-      dec_pk == dec2_pk
+      decryptedPk == decryptedPk2
 
-  test "Serialize -> deserialize public keys (unencrypted)":
+  test "Serialize and deserialize unencrypted public key":
 
     let 
       noisePublicKey: NoisePublicKey = genNoisePublicKey(rng[])
@@ -69,19 +101,19 @@ procSuite "Waku Noise":
     check:
       noisePublicKey == deserializedNoisePublicKey
 
-  test "Encrypt -> serialize -> deserialize -> decrypt public keys":
+  test "Encrypt, serialize, deserialize and decrypt public key":
 
     let noisePublicKey: NoisePublicKey = genNoisePublicKey(rng[])
 
     let 
       cs: ChaChaPolyCipherState = randomChaChaPolyCipherState(rng[])
-      enc_pk: NoisePublicKey = encryptNoisePublicKey(cs, noisePublicKey)
+      encryptedPk: NoisePublicKey = encryptNoisePublicKey(cs, noisePublicKey)
-      serializedNoisePublicKey: seq[byte] = serializeNoisePublicKey(enc_pk)
+      serializedNoisePublicKey: seq[byte] = serializeNoisePublicKey(encryptedPk)
       deserializedNoisePublicKey: NoisePublicKey = intoNoisePublicKey(serializedNoisePublicKey)
-      dec_pk: NoisePublicKey = decryptNoisePublicKey(cs, deserializedNoisePublicKey)
+      decryptedPk: NoisePublicKey = decryptNoisePublicKey(cs, deserializedNoisePublicKey)
 
     check:
-      noisePublicKey == dec_pk
+      noisePublicKey == decryptedPk
 
   test "Encode/decode PayloadV2 to byte sequence":
 
@@ -120,4 +152,4 @@ procSuite "Waku Noise":
       decoded.isOk()
       decoded.get() == payload
 
-  #TODO: add encrypt payload with ChaChaPoly
+  #TODO: add encrypt payload with ChaChaPoly

waku/v2/protocol/waku_noise/noise.nim

@@ -24,153 +24,237 @@ import libp2p/errors
 import libp2p/crypto/[crypto, chacha20poly1305, curve25519]
 
 
-when defined(libp2p_dump):
-  import libp2p/debugutils
-
 logScope:
-  topics = "nim-waku noise"
+  topics = "wakunoise"
+
+#################################################################
+
+# Constants and data structures
 
 const
-  # Empty is a special value which indicates k has not yet been initialized.
+  # EmptyKey represents a non-initialized ChaChaPolyKey
   EmptyKey = default(ChaChaPolyKey)
-  NonceMax = uint64.high - 1 # max is reserved
+  # The maximum ChaChaPoly allowed nonce in Noise Handshakes
-  NoiseSize = 32
+  NonceMax = uint64.high - 1
-  MaxPlainSize = int(uint16.high - NoiseSize - ChaChaPolyTag.len)
-
 
 type
-  KeyPair* = object
+  # Default underlying elliptic curve arithmetic (useful for switching to multiple ECs)
-    privateKey: Curve25519Key
+  # Current default is Curve25519
-    publicKey: Curve25519Key
+  EllipticCurveKey = Curve25519Key
 
+  # An EllipticCurveKey (public, private) key pair
+  KeyPair* = object
+    privateKey: EllipticCurveKey
+    publicKey: EllipticCurveKey
+
+  # A Noise public key is a public key exchanged during Noise handshakes (no private part)
+  # This follows https://rfc.vac.dev/spec/35/#public-keys-serialization
+  # pk contains the X coordinate of the public key, if unencrypted (this implies flag = 0)
+  # or the encryption of the X coordinate concatenated with the authorization tag, if encrypted (this implies flag = 1)
   NoisePublicKey* = object
     flag: uint8
     pk: seq[byte]
 
+  # A ChaChaPoly ciphertext (data) + authorization tag (tag)
   ChaChaPolyCiphertext* = object
-    data: seq[byte]
+    data*: seq[byte]
-    tag: ChaChaPolyTag
+    tag*: ChaChaPolyTag
 
+  # A ChaChaPoly Cipher State containing key (k), nonce (nonce) and associated data (ad)
   ChaChaPolyCipherState* = object
-    k*: ChaChaPolyKey
+    k: ChaChaPolyKey
-    nonce*: ChaChaPolyNonce
+    nonce: ChaChaPolyNonce
-    ad*: seq[byte]
+    ad: seq[byte]
 
+  # Some useful error types
   NoiseError* = object of LPError
   NoiseHandshakeError* = object of NoiseError
+  NoiseEmptyChaChaPolyInput* = object of NoiseError
   NoiseDecryptTagError* = object of NoiseError
-  NoiseNonceMaxError* = object of NoiseError # drop connection on purpose
+  NoiseNonceMaxError* = object of NoiseError
   NoisePublicKeyError* = object of NoiseError
   NoiseMalformedHandshake* = object of NoiseError
 
 
+#################################################################
+
+# Utilities
+
+# Generates random byte sequences of given size
+proc randomSeqByte*(rng: var BrHmacDrbgContext, size: int): seq[byte] =
+  var output = newSeq[byte](size.uint32)
+  brHmacDrbgGenerate(rng, output)
+  return output
+
+# Generate random Curve25519 (public, private) key pairs
+proc genKeyPair*(rng: var BrHmacDrbgContext): KeyPair =
+  var keyPair: KeyPair
+  keyPair.privateKey = EllipticCurveKey.random(rng)
+  keyPair.publicKey = keyPair.privateKey.public()
+  return keyPair
+
 
 #################################################################
 
+# ChaChaPoly Symmetric Cipher
 
 # ChaChaPoly encryption
+# It takes a Cipher State (with key, nonce, and associated data) and encrypts a plaintext
+# The cipher state in not changed
 proc encrypt*(
     state: ChaChaPolyCipherState,
     plaintext: openArray[byte]): ChaChaPolyCiphertext
-    {.noinit, raises: [Defect].} =
+    {.noinit, raises: [Defect, NoiseEmptyChaChaPolyInput].} =
+  # If plaintext is empty, we raise an error
+  if plaintext == @[]:
+    raise newException(NoiseEmptyChaChaPolyInput, "Tried to encrypt empty plaintext")
+  var ciphertext: ChaChaPolyCiphertext
+  # Since ChaChaPoly's library "encrypt" primitive directly changes the input plaintext to the ciphertext,
+  # we copy the plaintext into the ciphertext variable and we pass the latter to encrypt
+  ciphertext.data.add plaintext
   #TODO: add padding
-  result.data.add plaintext
+  # ChaChaPoly.encrypt takes as input: the key (k), the nonce (nonce), a data structure for storing the computed authorization tag (tag), 
-  ChaChaPoly.encrypt(state.k, state.nonce, result.tag, result.data, state.ad)
+  # the plaintext (overwritten to ciphertext) (data), the associated data (ad)
+  ChaChaPoly.encrypt(state.k, state.nonce, ciphertext.tag, ciphertext.data, state.ad)
+  return ciphertext
 
+# ChaChaPoly decryption
+# It takes a Cipher State (with key, nonce, and associated data) and decrypts a ciphertext
+# The cipher state is not changed
 proc decrypt*(
     state: ChaChaPolyCipherState, 
     ciphertext: ChaChaPolyCiphertext): seq[byte]
-    {.raises: [Defect, NoiseDecryptTagError].} =
+    {.raises: [Defect, NoiseEmptyChaChaPolyInput, NoiseDecryptTagError].} =
+  # If ciphertext is empty, we raise an error
+  if ciphertext.data == @[]:
+    raise newException(NoiseEmptyChaChaPolyInput, "Tried to decrypt empty ciphertext")
   var
+    # The input authorization tag
     tagIn = ciphertext.tag
+    # The authorization tag computed during decryption
     tagOut: ChaChaPolyTag
-  result = ciphertext.data
+  # Since ChaChaPoly's library "decrypt" primitive directly changes the input ciphertext to the plaintext,
-  ChaChaPoly.decrypt(state.k, state.nonce, tagOut, result, state.ad)
+  # we copy the ciphertext into the plaintext variable and we pass the latter to decrypt
+  var plaintext = ciphertext.data
+  # ChaChaPoly.decrypt takes as input: the key (k), the nonce (nonce), a data structure for storing the computed authorization tag (tag), 
+  # the ciphertext (overwritten to plaintext) (data), the associated data (ad)
+  ChaChaPoly.decrypt(state.k, state.nonce, tagOut, plaintext, state.ad)
   #TODO: add unpadding
   trace "decrypt", tagIn = tagIn.shortLog, tagOut = tagOut.shortLog, nonce = state.nonce
+  # We check if the authorization tag computed while decrypting is the same as the input tag
   if tagIn != tagOut:
-    debug "decrypt failed", result = shortLog(result)
+    debug "decrypt failed", plaintext = shortLog(plaintext)
     raise newException(NoiseDecryptTagError, "decrypt tag authentication failed.")
+  return plaintext
 
-
+# Generates a random ChaChaPoly Cipher State for testing encryption/decryption
 proc randomChaChaPolyCipherState*(rng: var BrHmacDrbgContext): ChaChaPolyCipherState =
-  brHmacDrbgGenerate(rng, result.k)
+  var randomCipherState: ChaChaPolyCipherState
-  brHmacDrbgGenerate(rng, result.nonce)
+  brHmacDrbgGenerate(rng, randomCipherState.k)
-  result.ad = newSeq[byte](32)
+  brHmacDrbgGenerate(rng, randomCipherState.nonce)
-  brHmacDrbgGenerate(rng, result.ad)
+  randomCipherState.ad = newSeq[byte](32)
+  brHmacDrbgGenerate(rng, randomCipherState.ad)
+  return randomCipherState
 
 
 #################################################################
 
+# Noise Public keys 
 
-# Utility
+# Checks equality between two Noise public keys
-
-proc genKeyPair*(rng: var BrHmacDrbgContext): KeyPair =
-  result.privateKey = Curve25519Key.random(rng)
-  result.publicKey = result.privateKey.public()
-
-
-# Public keys serializations/encryption
-
 proc `==`(k1, k2: NoisePublicKey): bool =
-  result = (k1.flag == k2.flag) and (k1.pk == k2.pk)
+  return (k1.flag == k2.flag) and (k1.pk == k2.pk)
   
-
+# Converts a (public, private) Elliptic Curve keypair to an unencrypted Noise public key (only public part)
 proc keyPairToNoisePublicKey*(keyPair: KeyPair): NoisePublicKey =
-  result.flag = 0
+  var noisePublicKey: NoisePublicKey
-  result.pk = getBytes(keyPair.publicKey)
+  noisePublicKey.flag = 0
-
+  noisePublicKey.pk = getBytes(keyPair.publicKey)
+  return noisePublicKey
 
+# Generates a random Noise public key
 proc genNoisePublicKey*(rng: var BrHmacDrbgContext): NoisePublicKey =
+  var noisePublicKey: NoisePublicKey
+  # We generate a random key pair
   let keyPair: KeyPair = genKeyPair(rng)
-  result.flag = 0
+  # Since it is unencrypted, flag is 0
-  result.pk = getBytes(keyPair.publicKey)
+  noisePublicKey.flag = 0
+  # We copy the public X coordinate of the key pair to the output Noise public key
+  noisePublicKey.pk = getBytes(keyPair.publicKey)
+  return noisePublicKey
 
+# Converts a Noise public key to a stream of bytes as in 
+# https://rfc.vac.dev/spec/35/#public-keys-serialization
 proc serializeNoisePublicKey*(noisePublicKey: NoisePublicKey): seq[byte] =
-  result.add noisePublicKey.flag
+  var serializedNoisePublicKey: seq[byte]
-  result.add noisePublicKey.pk
+  # Public key is serialized as (flag || pk)
+  # Note that pk contains the X coordinate of the public key if unencrypted
+  # or the encryption concatenated with the authorization tag if encrypted 
+  serializedNoisePublicKey.add noisePublicKey.flag
+  serializedNoisePublicKey.add noisePublicKey.pk
+  return serializedNoisePublicKey
 
-proc intoNoisePublicKey*(serializedNoisePublicKey: seq[byte]): NoisePublicKey =
+# Converts a serialized Noise public key to a NoisePublicKey object as in
-  result.flag = serializedNoisePublicKey[0]
+# https://rfc.vac.dev/spec/35/#public-keys-serialization
-  assert result.flag == 0 or result.flag == 1
+proc intoNoisePublicKey*(serializedNoisePublicKey: seq[byte]): NoisePublicKey
-  result.pk = serializedNoisePublicKey[1..<serializedNoisePublicKey.len]
+  {.raises: [Defect, NoisePublicKeyError].} =
-
+  var noisePublicKey: NoisePublicKey
-# Public keys encryption/decryption
+  # We retrieve the encryption flag
+  noisePublicKey.flag = serializedNoisePublicKey[0]
+  # If not 0 or 1 we raise a new exception
+  if not (noisePublicKey.flag == 0 or noisePublicKey.flag == 1):
+    raise newException(NoisePublicKeyError, "Invalid flag in serialized public key")
+  # We set the remaining sequence to the pk value (this may be an encrypted or not encrypted X coordinate)
+  noisePublicKey.pk = serializedNoisePublicKey[1..<serializedNoisePublicKey.len]
+  return noisePublicKey
 
+# Encrypts a Noise public key using a ChaChaPoly Cipher State
 proc encryptNoisePublicKey*(cs: ChaChaPolyCipherState, noisePublicKey: NoisePublicKey): NoisePublicKey
-  {.raises: [Defect, NoiseNonceMaxError].} =
+  {.raises: [Defect, NoiseEmptyChaChaPolyInput, NoiseNonceMaxError].} =
+  var encryptedNoisePublicKey: NoisePublicKey
+  # We proceed with encryption only if 
+  # - a key is set in the cipher state 
+  # - the public key is unencrypted
   if cs.k != EmptyKey and noisePublicKey.flag == 0:
-    let enc_pk = encrypt(cs, noisePublicKey.pk)
+    let encPk = encrypt(cs, noisePublicKey.pk)
-    result.flag = 1
+    # We set the flag to 1, since encrypted
-    result.pk = enc_pk.data
+    encryptedNoisePublicKey.flag = 1
-    result.pk.add enc_pk.tag
+    # Authorization tag is appendend to the ciphertext
+    encryptedNoisePublicKey.pk = encPk.data
+    encryptedNoisePublicKey.pk.add encPk.tag
+  # Otherwise we return the public key as it is
   else:
-    result = noisePublicKey
+    encryptedNoisePublicKey = noisePublicKey
-
+  return encryptedNoisePublicKey
 
+# Decrypts a Noise public key using a ChaChaPoly Cipher State
 proc decryptNoisePublicKey*(cs: ChaChaPolyCipherState, noisePublicKey: NoisePublicKey): NoisePublicKey
-  {.raises: [Defect, NoiseDecryptTagError].} =
+  {.raises: [Defect, NoiseEmptyChaChaPolyInput, NoiseDecryptTagError].} =
+  var decryptedNoisePublicKey: NoisePublicKey
+  # We proceed with decryption only if 
+  # - a key is set in the cipher state 
+  # - the public key is encrypted
   if cs.k != EmptyKey and noisePublicKey.flag == 1:
-    #let ciphertext = ChaChaPolyCiphertext(data: noisePublicKey.pk, tag: noisePublicKey.pk_auth)
+    # Since the pk field would contain an encryption + tag, we retrieve the ciphertext length
-    let pk_len = noisePublicKey.pk.len - ChaChaPolyTag.len
+    let pkLen = noisePublicKey.pk.len - ChaChaPolyTag.len
-    let pk = noisePublicKey.pk[0..<pk_len]
+    # We isolate the ciphertext and the authorization tag
-    let pk_auth = intoChaChaPolyTag(noisePublicKey.pk[pk_len..<pk_len+ChaChaPolyTag.len])
+    let pk = noisePublicKey.pk[0..<pkLen]
-    let ciphertext = ChaChaPolyCiphertext(data: pk, tag: pk_auth) 
+    let pkAuth = intoChaChaPolyTag(noisePublicKey.pk[pkLen..<pkLen+ChaChaPolyTag.len])
-    result.pk = decrypt(cs, ciphertext)
+    # We convert it to a ChaChaPolyCiphertext
-    result.flag = 0
+    let ciphertext = ChaChaPolyCiphertext(data: pk, tag: pkAuth) 
+    # We run decryption and store its value to a non-encrypted Noise public key (flag = 0)
+    decryptedNoisePublicKey.pk = decrypt(cs, ciphertext)
+    decryptedNoisePublicKey.flag = 0
+  # Otherwise we return the public key as it is
   else:
-    if cs.k == EmptyKey:
+    decryptedNoisePublicKey = noisePublicKey
-      debug "No key in cipher state."
+  return decryptedNoisePublicKey
-    if noisePublicKey.flag == 0:
-      debug "Public key is not encrypted."
-    debug "Public key is left unchanged"
-    result = noisePublicKey
-
-
 
 
+#################################################################
 
 # Payload functions
+
 type
   PayloadV2* = object
     protocol_id: uint8
@@ -273,4 +357,4 @@ proc decodeV2*(payload: seq[byte]): Option[PayloadV2] =
   res.transport_message = payload[i..i+transport_message_len-1]
   i+=transport_message_len
 
-  return some(res)
+  return some(res)