Commit Graph

40 Commits

Author SHA1 Message Date
Olaoluwa Osuntokun
94b10c6c06
Merge pull request #593 from AdamISZ/noise_tests
Add tests for key rotation from BOLT8 test vectors
2018-01-31 12:38:58 -08:00
Adam Gibson
a6c0ba0c35
Add tests for key rotation from BOLT8 test vectors
This adds a test of encryption/decryption of 1002 copies
of a message "hello" so as to test the test vectors in the
final section of BOLT 8 ("transport-message test").
It also corrects some typos in the preceding section of the
same function (TestBolt0008TestVectors).
2018-01-28 06:38:21 +01:00
Adam Gibson
cd7f40422f
Fix trivial comment errors in noise.go 2018-01-11 16:49:38 +02:00
Matt Drollette
adf0d98194 multi: fix several typos in godoc comments 2017-12-17 18:40:05 -08:00
Olaoluwa Osuntokun
b3000b621b
brontide: within tests, listen on localhost rather than all interfaces 2017-11-01 15:30:57 -07:00
Olaoluwa Osuntokun
eb84d34b8d
brontide: don't run tests that use establishTestConnection in parallel 2017-11-01 15:12:13 -07:00
Olaoluwa Osuntokun
6a42e9057d
brontide: ensure connections are closed after test completion 2017-11-01 13:55:49 -07:00
Olaoluwa Osuntokun
1899847823
brontide: make establishTestConnection full async
In this commit we modify the establishTestConnection() function that
each of the brontide unit tests utilize. Before this commit, we would
fully block on the Accept method of the listener. Since then it has
been observed, that at times if Accept blocks indefinitely, then the
entire test will fail after 10 minutes. To allow the test to return
early with a pertinent error, we’ll now make the entire test async, so
we can immediately return with an error if detected.
2017-11-01 13:28:29 -07:00
Olaoluwa Osuntokun
c64811a5f3
brontide: set read deadlines on socket during initial handshake
This commit fixes a lingering issue within lnd, which can cause a
server to freeze up, and not handle any incoming connections properly,
or cause clients to freeze and not return in a timely manner from a
failed connection attempt.

To avoid this, each time we need to read from the socket during the
initial brontide handshake, we add a 15 second read deadline. If we
don’t successfully read from the buffer during that time frame, then
the Read method will return a timeout error.

With this in place, we ensure that the main listener goroutine will
never be blocked waiting on a remote party to write ActOne.
2017-10-04 14:58:20 -07:00
Olaoluwa Osuntokun
91e14497bb
brontide: add a test case to exercise all BOLT-0008 test vectors 2017-08-01 17:18:05 -07:00
Olaoluwa Osuntokun
e375a308b9
brontide: add EphemeralGenerator as a functional arg to NewBrontideMachine
This commit modifies the NewBrontideMachine constructor to allow a
caller to specify exactly _how_ new ephemeral private keys for the
crypto handshake are generated. This allows callers a bit more
flexibility when using brontide, and also allows test cases to insert
specific public keys for use within the handshake.
2017-08-01 17:16:36 -07:00
Olaoluwa Osuntokun
2408a3ddcf
brontide: fix minor typo 2017-07-30 17:48:35 -07:00
Olaoluwa Osuntokun
e87cc29b36
brontide: add additional detail to handshake version error message
This commit adds some additional detail to the error message
encountered when the first byte of an act is an invalid handshake
version byte. This commit is meant to aid in tracking down a
re-occurring bug that has been encountered by early testers of the
software.
2017-07-30 17:48:29 -07:00
Olaoluwa Osuntokun
f7800709ba
lnwire: use %v instead of %x when printing length of oversized msg 2017-07-30 17:47:51 -07:00
Olaoluwa Osuntokun
1be4d67ce4
multi: run all test instances in parallel 2017-06-17 01:00:07 +02:00
Olaoluwa Osuntokun
994a3c10ca
brontide+lnwire: fix linter issues 2017-04-20 15:50:13 -07:00
Olaoluwa Osuntokun
38d3c72dc8
brontide: add new ReadMessage method to brontide.Conn
This commit adds a new message to the brontide.Conn struct which allows
callers to read an _entire_ message from the stream. As defined now,
brontide is a message crypto messaging protocol. Previously the only
method that allowed callers to read attempted to hide this feature with
a stream-like abstraction. However, having this as the sole interface
is at odds with the message oriented Lightning wire protocol, and isn’t
sufficient to allow parsing messages that have been padded as is
allowed by the protocol.

This new ReadNextMessage is intended to be used by higher level systems
which implement the Lightning p2p protocol.
2017-04-20 15:35:35 -07:00
Olaoluwa Osuntokun
6f2d3b3cc5
brontide: allocate max message buffer on the stack 2017-04-19 16:10:17 -07:00
Olaoluwa Osuntokun
6b3a258e86
multi: fix formatting issues in package README's 2017-03-27 16:25:25 -07:00
Olaoluwa Osuntokun
9234956a34
brontide: replace aead/chacha20 with x/crypto/chacha20poly1305
This commit replaces aead’s chacha20 library with the official golang
implementation. We should see a bit of a performance increase on amd64
as the assembly for the library uses the SIMD AVX2 instructions in the
inner loop. In the future assembly will be written for other platforms,
so we’ll see a performance increase across the board.

Fixes #146.
2017-03-15 19:03:24 -07:00
Olaoluwa Osuntokun
f217093c00
multi: replace usage of fastsha256 with crypto/sha256
This commit removes all instances of the fastsha256 library and
replaces it with the sha256 library in the standard library. This
change should see a number of performance improvements as the standard
library has highly optimized assembly instructions which use vectorized
instructions as the platform supports.
2017-03-15 18:56:41 -07:00
Andrey Samokhvalov
ee2379775c lnd: fix golint warning which requires to add additional comments 2017-03-13 16:30:23 -07:00
Andrey Samokhvalov
fd97a4bd19 lnd: partially fix golint warnings 2017-03-13 16:30:23 -07:00
Andrey Samokhvalov
8fb54782e2 lnd: fix gosimple warnings 2017-03-13 16:30:23 -07:00
Olaoluwa Osuntokun
fdaeab7c9b
brontide: refer directly to the curve object in btcec's global namespace
This commit modifies the `ecdh` function within the `brontide` package
to refer directly to the global curve params object in the `btcec`
package rather than reference it from the target public key. This
change fixes a class of panics that have been uncovered recently but
*doesn’t* yet fix the root cause.
2017-02-28 17:44:32 -06:00
Trevin Hofmann
a13ac90d46 multi: add link to LICENSE in README license badges (#100) 2017-01-12 16:31:08 -08:00
Olaoluwa Osuntokun
4ccdad0d66
multi: add README's for all sub-packages 2017-01-10 15:02:37 -08:00
Olaoluwa Osuntokun
bc885f5f27
brontide: modify key rotation to match test vectors in spec
This commit modifies our key rotation slightly to match the test
vectors within the BOLT08 specifications. Before this commit, we were
rotating one message before the rest of the implementers. This
implementation divergence was possibly due to the section of the spec
describing the rotations being a bit ambiguous.

A future PR to the lightning-rfc repo will make the spec more explicit
to avoid situations like this in the future.
2017-01-09 19:12:48 -08:00
Olaoluwa Osuntokun
d046efb502
brontide: exclude MAC length from cipher text packet length prefix
Pervasively we would include the length of the MAC in the length prefix
for cipher text packets. As a result, the MAC would eat into the total
payload size. To remedy this, we now exclude the MAC from the length
prefix for cipher text packets, and instead account for the length of
the MAC on the packet when reading messages.
2017-01-07 21:21:52 -08:00
Olaoluwa Osuntokun
ad180b4fba
brontide: fix bug in final sender/receiver key derivation
This commit fixes a bug in our key derivation for the final step of the
key exchange. In our code we were swapping the order of the salt and
input keying material to the HKDF function. This was triggered by the
argument order of the golang implementation we’re currently using, which has
the “secret” or IKM argument first, instead of second as defined within
rfc5869.

To fix this, we simply need to swap function arguments in two places:
within the split() function and during key rotation.

This bug was discovered by Rusty Russell, thanks!
2016-12-13 11:32:02 -08:00
Olaoluwa Osuntokun
61ddd48255
brontide: set the prologue value as specified within BOLT0008 2016-12-12 15:56:50 -08:00
Olaoluwa Osuntokun
b1d28426d5
brontide: properly pack nonce as 96-bit little endian value 2016-12-12 15:56:46 -08:00
Olaoluwa Osuntokun
fdb111e867
brontide: switch to using libsecp256k1's public ECDH API
This commit modifies the opening brontide handshake to use
libsecp256k1's public ECDH API throughout the handshake rather than the
current method which just returns the x-coordinate of the generated
point.

This change was made in order to align the current spec draft with the
aforementioned library since it’s very popular within the space and
strives to only expose safe API’s to end users.
2016-12-12 15:56:42 -08:00
Olaoluwa Osuntokun
60f66fe2d7
brontide: implement handshake versioning enforcement per the spec 2016-11-30 19:11:58 -08:00
Olaoluwa Osuntokun
75ea05aef6
brontide: the encrypted packet length is no longer the associated data
This commit modifies the current implementation to more closely match
what’s currently specified within the spec.

The encrypted+MAC’d packet length is no longer included as the
associated data for the encryption/decryption of transport messages.
This isn’t required as if an active attacker swaps out the encrypted
length in the byte string, the decryption+MAC check will simply fail as
the nonce won’t be in proper sequence.
2016-11-14 15:10:54 -08:00
Olaoluwa Osuntokun
ae84b6197b
brontide: implement cipher stream key rotation
This commit implements key rotation for brontide as-per the current
draft of the LN p2p crypto spec. Key rotation is currently performed
every 1000 messages encrypted/decrypted with a cipherState object. Key
rotation is performed by evaluating the HKDF (extracting exactly 64
bytes) with the current chaining key, and cipher key. The key rotation
is to be attempted after each nonce increment making implementation easy
as the current nonce value will already be within the local scope.
2016-11-10 17:29:13 -08:00
Olaoluwa Osuntokun
767c550d65
brontide: implement message chunking for the net.Conn implementation
This commit implements message chunking within the implementation of
net.Conn which implements our initial handshake, then uses the crypto
to read/write messages.

With this change it’s now possible to send message larger than 65535
bytes over a p2p crypto connection by properly chunking the messages on
the side of the connection that’s writing.
2016-11-07 19:45:06 -08:00
Olaoluwa Osuntokun
49f9f496fb
brontide: modify the max payload length to be 65535 bytes total
This commit modifies the current implementation of the p2p crypto
protocol to further constrain the max allowed payload size. With this
change we now use 16-bits (2-bytes) for the maximum payload length.
This change puts us closer to strict adherence of the Noise spec, and
simplifies the memory management w.r.t implementing the current version
of our scheme.

Note that this doesn’t restrict the size of messages that are able to
be sent over the wire within the LN p2p protocol. Larger messages can
safely be encapsulated within the crypt messages via fragmentation that
will take place if a larger message is detected.
2016-11-07 18:50:26 -08:00
Olaoluwa Osuntokun
9850e8667e
brontide: modify the Dial function to take a *lnwire.NetAddress 2016-10-26 19:04:27 -07:00
Olaoluwa Osuntokun
ab97d9693f
brontide: an authenticated key agreement protocol in three acts
This commit introduces Brontide: an authenticated key agreement
protocol in three acts. Brontide is the successor to lndc within lnd,
and ultimately within the greater Lightning Network. Brontide uses the
Noise_XK handshake for initial key agreement, then implements an AEAD
scheme which encrypts+authenticates both packets, and the lengths of
the packets on the wire. The initial authentication handshake preserves
the responder’s identity by never transmitting it to the initiator and
performing mutual authentication via an incremental Triple-DH based on
ECDH of secp256k1 and an HKDF which uses SHA-256.

Brontide isn’t yet integrated within the wider daemon. Full
integration will land in a future pull request.
2016-10-17 19:41:29 -07:00