Merge pull request #20 from libp2p/new-handshake

implement the new handshake
libp2p · Apr 9, 2019 · 173abf7 · 173abf7
2 parents e31e5a8 + 2684cc1
commit 173abf7
Show file tree

Hide file tree

Showing 4 changed files with 299 additions and 76 deletions.
diff --git a/p2p/security/tls/crypto.go b/p2p/security/tls/crypto.go
@@ -1,21 +1,34 @@
 package libp2ptls
 
 import (
-	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
 	"errors"
 	"fmt"
 	"math/big"
 	"time"
 
+	"golang.org/x/sys/cpu"
+
+	crypto "github.com/libp2p/go-libp2p-crypto"
 	ic "github.com/libp2p/go-libp2p-crypto"
-	pb "github.com/libp2p/go-libp2p-crypto/pb"
 	peer "github.com/libp2p/go-libp2p-peer"
 )
 
-const certValidityPeriod = 180 * 24 * time.Hour
+const certValidityPeriod = 100 * 365 * 24 * time.Hour // ~100 years
+const certificatePrefix = "libp2p-tls-handshake:"
+
+var extensionID = getPrefixedExtensionID([]int{1, 1})
+
+type signedKey struct {
+	PubKey    []byte
+	Signature []byte
+}
 
 // Identity is used to secure connections
 type Identity struct {
@@ -24,22 +37,21 @@ type Identity struct {
 
 // NewIdentity creates a new identity
 func NewIdentity(privKey ic.PrivKey) (*Identity, error) {
-	key, cert, err := keyToCertificate(privKey)
+	cert, err := keyToCertificate(privKey)
 	if err != nil {
 		return nil, err
 	}
 	return &Identity{
 		config: tls.Config{
-			MinVersion:         tls.VersionTLS13,
-			InsecureSkipVerify: true, // This is not insecure here. We will verify the cert chain ourselves.
-			ClientAuth:         tls.RequireAnyClientCert,
-			Certificates: []tls.Certificate{{
-				Certificate: [][]byte{cert.Raw},
-				PrivateKey:  key,
-			}},
+			MinVersion:               tls.VersionTLS13,
+			PreferServerCipherSuites: preferServerCipherSuites(),
+			InsecureSkipVerify:       true, // This is not insecure here. We will verify the cert chain ourselves.
+			ClientAuth:               tls.RequireAnyClientCert,
+			Certificates:             []tls.Certificate{*cert},
 			VerifyPeerCertificate: func(_ [][]byte, _ [][]*x509.Certificate) error {
 				panic("tls config not specialized for peer")
 			},
+			SessionTicketsDisabled: true,
 		},
 	}, nil
 }
@@ -95,70 +107,117 @@ func getRemotePubKey(chain []*x509.Certificate) (ic.PubKey, error) {
 	if len(chain) != 1 {
 		return nil, errors.New("expected one certificates in the chain")
 	}
+	cert := chain[0]
 	pool := x509.NewCertPool()
-	pool.AddCert(chain[0])
-	if _, err := chain[0].Verify(x509.VerifyOptions{Roots: pool}); err != nil {
+	pool.AddCert(cert)
+	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
 		// If we return an x509 error here, it will be sent on the wire.
 		// Wrap the error to avoid that.
 		return nil, fmt.Errorf("certificate verification failed: %s", err)
 	}
-	remotePubKey, err := x509.MarshalPKIXPublicKey(chain[0].PublicKey)
+
+	var found bool
+	var keyExt pkix.Extension
+	// find the libp2p key extension, skipping all unknown extensions
+	for _, ext := range cert.Extensions {
+		if extensionIDEqual(ext.Id, extensionID) {
+			keyExt = ext
+			found = true
+			break
+		}
+	}
+	if !found {
+		return nil, errors.New("expected certificate to contain the key extension")
+	}
+	var sk signedKey
+	if _, err := asn1.Unmarshal(keyExt.Value, &sk); err != nil {
+		return nil, fmt.Errorf("unmarshalling signed certificate failed: %s", err)
+	}
+	pubKey, err := crypto.UnmarshalPublicKey(sk.PubKey)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshalling public key failed: %s", err)
+	}
+	certKeyPub, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
 	if err != nil {
 		return nil, err
 	}
-	switch chain[0].PublicKeyAlgorithm {
-	case x509.RSA:
-		return ic.UnmarshalRsaPublicKey(remotePubKey)
-	case x509.ECDSA:
-		return ic.UnmarshalECDSAPublicKey(remotePubKey)
-	default:
-		return nil, fmt.Errorf("unexpected public key algorithm: %d", chain[0].PublicKeyAlgorithm)
+	valid, err := pubKey.Verify(append([]byte(certificatePrefix), certKeyPub...), sk.Signature)
+	if err != nil {
+		return nil, fmt.Errorf("signature verification failed: %s", err)
 	}
+	if !valid {
+		return nil, errors.New("signature invalid")
+	}
+	return pubKey, nil
 }
 
-func keyToCertificate(sk ic.PrivKey) (crypto.PrivateKey, *x509.Certificate, error) {
-	sn, err := rand.Int(rand.Reader, big.NewInt(1<<62))
+func keyToCertificate(sk ic.PrivKey) (*tls.Certificate, error) {
+	certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
-		return nil, nil, err
-	}
-	tmpl := &x509.Certificate{
-		SerialNumber: sn,
-		NotBefore:    time.Now().Add(-24 * time.Hour),
-		NotAfter:     time.Now().Add(certValidityPeriod),
+		return nil, err
 	}
 
-	var privateKey crypto.PrivateKey
-	var publicKey crypto.PublicKey
-	raw, err := sk.Raw()
+	keyBytes, err := crypto.MarshalPublicKey(sk.GetPublic())
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
-	switch sk.Type() {
-	case pb.KeyType_RSA:
-		k, err := x509.ParsePKCS1PrivateKey(raw)
-		if err != nil {
-			return nil, nil, err
-		}
-		publicKey = &k.PublicKey
-		privateKey = k
-	case pb.KeyType_ECDSA:
-		k, err := x509.ParseECPrivateKey(raw)
-		if err != nil {
-			return nil, nil, err
-		}
-		publicKey = &k.PublicKey
-		privateKey = k
-	// TODO: add support for Ed25519
-	default:
-		return nil, nil, errors.New("unsupported key type for TLS")
+	certKeyPub, err := x509.MarshalPKIXPublicKey(certKey.Public())
+	if err != nil {
+		return nil, err
+	}
+	signature, err := sk.Sign(append([]byte(certificatePrefix), certKeyPub...))
+	if err != nil {
+		return nil, err
 	}
-	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, publicKey, privateKey)
+	value, err := asn1.Marshal(signedKey{
+		PubKey:    keyBytes,
+		Signature: signature,
+	})
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
-	cert, err := x509.ParseCertificate(certDER)
+
+	sn, err := rand.Int(rand.Reader, big.NewInt(1<<62))
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
-	return privateKey, cert, nil
+	tmpl := &x509.Certificate{
+		SerialNumber: sn,
+		NotBefore:    time.Time{},
+		NotAfter:     time.Now().Add(certValidityPeriod),
+		// after calling CreateCertificate, these will end up in Certificate.Extensions
+		ExtraExtensions: []pkix.Extension{
+			{Id: extensionID, Value: value},
+		},
+	}
+	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, certKey.Public(), certKey)
+	if err != nil {
+		return nil, err
+	}
+	return &tls.Certificate{
+		Certificate: [][]byte{certDER},
+		PrivateKey:  certKey,
+	}, nil
+}
+
+// We want nodes without AES hardware (e.g. ARM) support to always use ChaCha.
+// Only if both nodes have AES hardware support (e.g. x86), AES should be used.
+// x86->x86: AES, ARM->x86: ChaCha, x86->ARM: ChaCha and ARM->ARM: Chacha
+// This function returns true if we don't have AES hardware support, and false otherwise.
+// Thus, ARM servers will always use their own cipher suite preferences (ChaCha first),
+// and x86 servers will aways use the client's cipher suite preferences.
+func preferServerCipherSuites() bool {
+	// Copied from the Go TLS implementation.
+
+	// Check the cpu flags for each platform that has optimized GCM implementations.
+	// Worst case, these variables will just all be false.
+	var (
+		hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
+		hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
+		// Keep in sync with crypto/aes/cipher_s390x.go.
+		hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
+
+		hasGCMAsm = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
+	)
+	return !hasGCMAsm
 }
diff --git a/p2p/security/tls/extension.go b/p2p/security/tls/extension.go
@@ -0,0 +1,22 @@
+package libp2ptls
+
+var extensionPrefix = []int{1, 3, 6, 1, 4, 1, 53594}
+
+// getPrefixedExtensionID returns an Object Identifier
+// that can be used in x509 Certificates.
+func getPrefixedExtensionID(suffix []int) []int {
+	return append(extensionPrefix, suffix...)
+}
+
+// extensionIDEqual compares two extension IDs.
+func extensionIDEqual(a, b []int) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
diff --git a/p2p/security/tls/extension_test.go b/p2p/security/tls/extension_test.go
@@ -0,0 +1,19 @@
+package libp2ptls
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Extensions", func() {
+	It("generates a prefixed extension ID", func() {
+		Expect(getPrefixedExtensionID([]int{13, 37})).To(Equal([]int{1, 3, 6, 1, 4, 1, 53594, 13, 37}))
+	})
+
+	It("compares extension IDs", func() {
+		Expect(extensionIDEqual([]int{1, 2, 3, 4}, []int{1, 2, 3, 4})).To(BeTrue())
+		Expect(extensionIDEqual([]int{1, 2, 3, 4}, []int{1, 2, 3})).To(BeFalse())
+		Expect(extensionIDEqual([]int{1, 2, 3}, []int{1, 2, 3, 4})).To(BeFalse())
+		Expect(extensionIDEqual([]int{1, 2, 3, 4}, []int{4, 3, 2, 1})).To(BeFalse())
+	})
+})