github.com/SmartMeshFoundation/Spectrum@v0.0.0-20220621030607-452a266fee1e/p2p/rlpx.go (about)

     1  // Copyright 2015 The Spectrum Authors
     2  // This file is part of the Spectrum library.
     3  //
     4  // The Spectrum library is free software: you can redistribute it and/or modify
     5  // it under the terms of the GNU Lesser General Public License as published by
     6  // the Free Software Foundation, either version 3 of the License, or
     7  // (at your option) any later version.
     8  //
     9  // The Spectrum library is distributed in the hope that it will be useful,
    10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
    11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    12  // GNU Lesser General Public License for more details.
    13  //
    14  // You should have received a copy of the GNU Lesser General Public License
    15  // along with the Spectrum library. If not, see <http://www.gnu.org/licenses/>.
    16  
    17  package p2p
    18  
    19  import (
    20  	"bytes"
    21  	"crypto/aes"
    22  	"crypto/cipher"
    23  	"crypto/ecdsa"
    24  	"crypto/elliptic"
    25  	"crypto/hmac"
    26  	"crypto/rand"
    27  	"encoding/binary"
    28  	"errors"
    29  	"fmt"
    30  	"hash"
    31  	"io"
    32  	"io/ioutil"
    33  	mrand "math/rand"
    34  	"net"
    35  	"sync"
    36  	"time"
    37  
    38  	"github.com/SmartMeshFoundation/Spectrum/crypto"
    39  	"github.com/SmartMeshFoundation/Spectrum/crypto/ecies"
    40  	"github.com/SmartMeshFoundation/Spectrum/crypto/secp256k1"
    41  	"github.com/SmartMeshFoundation/Spectrum/crypto/sha3"
    42  	"github.com/SmartMeshFoundation/Spectrum/p2p/discover"
    43  	"github.com/SmartMeshFoundation/Spectrum/rlp"
    44  	"github.com/golang/snappy"
    45  )
    46  
    47  const (
    48  	maxUint24 = ^uint32(0) >> 8
    49  
    50  	sskLen = 16 // ecies.MaxSharedKeyLength(pubKey) / 2
    51  	sigLen = 65 // elliptic S256
    52  	pubLen = 64 // 512 bit pubkey in uncompressed representation without format byte
    53  	shaLen = 32 // hash length (for nonce etc)
    54  
    55  	authMsgLen  = sigLen + shaLen + pubLen + shaLen + 1
    56  	authRespLen = pubLen + shaLen + 1
    57  
    58  	eciesOverhead = 65 /* pubkey */ + 16 /* IV */ + 32 /* MAC */
    59  
    60  	encAuthMsgLen  = authMsgLen + eciesOverhead  // size of encrypted pre-EIP-8 initiator handshake
    61  	encAuthRespLen = authRespLen + eciesOverhead // size of encrypted pre-EIP-8 handshake reply
    62  
    63  	// total timeout for encryption handshake and protocol
    64  	// handshake in both directions.
    65  	handshakeTimeout = 5 * time.Second
    66  
    67  	// This is the timeout for sending the disconnect reason.
    68  	// This is shorter than the usual timeout because we don't want
    69  	// to wait if the connection is known to be bad anyway.
    70  	discWriteTimeout = 1 * time.Second
    71  )
    72  
    73  // errPlainMessageTooLarge is returned if a decompressed message length exceeds
    74  // the allowed 24 bits (i.e. length >= 16MB).
    75  var errPlainMessageTooLarge = errors.New("message length >= 16MB")
    76  
    77  // rlpx is the transport protocol used by actual (non-test) connections.
    78  // It wraps the frame encoder with locks and read/write deadlines.
    79  type rlpx struct {
    80  	fd net.Conn
    81  
    82  	rmu, wmu sync.Mutex
    83  	rw       *rlpxFrameRW
    84  }
    85  
    86  func newRLPX(fd net.Conn) transport {
    87  	fd.SetDeadline(time.Now().Add(handshakeTimeout))
    88  	return &rlpx{fd: fd}
    89  }
    90  
    91  func (t *rlpx) ReadMsg() (Msg, error) {
    92  	t.rmu.Lock()
    93  	defer t.rmu.Unlock()
    94  	t.fd.SetReadDeadline(time.Now().Add(frameReadTimeout))
    95  	return t.rw.ReadMsg()
    96  }
    97  
    98  func (t *rlpx) WriteMsg(msg Msg) error {
    99  	t.wmu.Lock()
   100  	defer t.wmu.Unlock()
   101  	t.fd.SetWriteDeadline(time.Now().Add(frameWriteTimeout))
   102  	return t.rw.WriteMsg(msg)
   103  }
   104  
   105  func (t *rlpx) close(err error) {
   106  	t.wmu.Lock()
   107  	defer t.wmu.Unlock()
   108  	// Tell the remote end why we're disconnecting if possible.
   109  	if t.rw != nil {
   110  		if r, ok := err.(DiscReason); ok && r != DiscNetworkError {
   111  			t.fd.SetWriteDeadline(time.Now().Add(discWriteTimeout))
   112  			SendItems(t.rw, discMsg, r)
   113  		}
   114  	}
   115  	t.fd.Close()
   116  }
   117  
   118  // doEncHandshake runs the protocol handshake using authenticated
   119  // messages. the protocol handshake is the first authenticated message
   120  // and also verifies whether the encryption handshake 'worked' and the
   121  // remote side actually provided the right public key.
   122  func (t *rlpx) doProtoHandshake(our *protoHandshake) (their *protoHandshake, err error) {
   123  	// Writing our handshake happens concurrently, we prefer
   124  	// returning the handshake read error. If the remote side
   125  	// disconnects us early with a valid reason, we should return it
   126  	// as the error so it can be tracked elsewhere.
   127  	werr := make(chan error, 1)
   128  	go func() { werr <- Send(t.rw, handshakeMsg, our) }()
   129  	if their, err = readProtocolHandshake(t.rw, our); err != nil {
   130  		<-werr // make sure the write terminates too
   131  		return nil, err
   132  	}
   133  	if err := <-werr; err != nil {
   134  		return nil, fmt.Errorf("write error: %v", err)
   135  	}
   136  	// If the protocol version supports Snappy encoding, upgrade immediately
   137  	t.rw.snappy = their.Version >= snappyProtocolVersion
   138  
   139  	return their, nil
   140  }
   141  
   142  func readProtocolHandshake(rw MsgReader, our *protoHandshake) (*protoHandshake, error) {
   143  	msg, err := rw.ReadMsg()
   144  	if err != nil {
   145  		return nil, err
   146  	}
   147  	if msg.Size > baseProtocolMaxMsgSize {
   148  		return nil, fmt.Errorf("message too big")
   149  	}
   150  	if msg.Code == discMsg {
   151  		// Disconnect before protocol handshake is valid according to the
   152  		// spec and we send it ourself if the posthanshake checks fail.
   153  		// We can't return the reason directly, though, because it is echoed
   154  		// back otherwise. Wrap it in a string instead.
   155  		var reason [1]DiscReason
   156  		rlp.Decode(msg.Payload, &reason)
   157  		return nil, reason[0]
   158  	}
   159  	if msg.Code != handshakeMsg {
   160  		return nil, fmt.Errorf("expected handshake, got %x", msg.Code)
   161  	}
   162  	var hs protoHandshake
   163  	if err := msg.Decode(&hs); err != nil {
   164  		return nil, err
   165  	}
   166  	if (hs.ID == discover.NodeID{}) {
   167  		return nil, DiscInvalidIdentity
   168  	}
   169  	return &hs, nil
   170  }
   171  
   172  func (t *rlpx) doEncHandshake(prv *ecdsa.PrivateKey, dial *discover.Node) (discover.NodeID, error) {
   173  	var (
   174  		sec secrets
   175  		err error
   176  	)
   177  	if dial == nil {
   178  		sec, err = receiverEncHandshake(t.fd, prv, nil)
   179  	} else {
   180  		sec, err = initiatorEncHandshake(t.fd, prv, dial.ID, nil)
   181  	}
   182  	if err != nil {
   183  		return discover.NodeID{}, err
   184  	}
   185  	t.wmu.Lock()
   186  	t.rw = newRLPXFrameRW(t.fd, sec)
   187  	t.wmu.Unlock()
   188  	return sec.RemoteID, nil
   189  }
   190  
   191  // encHandshake contains the state of the encryption handshake.
   192  type encHandshake struct {
   193  	initiator bool
   194  	remoteID  discover.NodeID
   195  
   196  	remotePub            *ecies.PublicKey  // remote-pubk
   197  	initNonce, respNonce []byte            // nonce
   198  	randomPrivKey        *ecies.PrivateKey // ecdhe-random
   199  	remoteRandomPub      *ecies.PublicKey  // ecdhe-random-pubk
   200  }
   201  
   202  // secrets represents the connection secrets
   203  // which are negotiated during the encryption handshake.
   204  type secrets struct {
   205  	RemoteID              discover.NodeID
   206  	AES, MAC              []byte
   207  	EgressMAC, IngressMAC hash.Hash
   208  	Token                 []byte
   209  }
   210  
   211  // RLPx v4 handshake auth (defined in EIP-8).
   212  type authMsgV4 struct {
   213  	gotPlain bool // whether read packet had plain format.
   214  
   215  	Signature       [sigLen]byte
   216  	InitiatorPubkey [pubLen]byte
   217  	Nonce           [shaLen]byte
   218  	Version         uint
   219  
   220  	// Ignore additional fields (forward-compatibility)
   221  	Rest []rlp.RawValue `rlp:"tail"`
   222  }
   223  
   224  // RLPx v4 handshake response (defined in EIP-8).
   225  type authRespV4 struct {
   226  	RandomPubkey [pubLen]byte
   227  	Nonce        [shaLen]byte
   228  	Version      uint
   229  
   230  	// Ignore additional fields (forward-compatibility)
   231  	Rest []rlp.RawValue `rlp:"tail"`
   232  }
   233  
   234  // secrets is called after the handshake is completed.
   235  // It extracts the connection secrets from the handshake values.
   236  func (h *encHandshake) secrets(auth, authResp []byte) (secrets, error) {
   237  	ecdheSecret, err := h.randomPrivKey.GenerateShared(h.remoteRandomPub, sskLen, sskLen)
   238  	if err != nil {
   239  		return secrets{}, err
   240  	}
   241  
   242  	// derive base secrets from ephemeral key agreement
   243  	sharedSecret := crypto.Keccak256(ecdheSecret, crypto.Keccak256(h.respNonce, h.initNonce))
   244  	aesSecret := crypto.Keccak256(ecdheSecret, sharedSecret)
   245  	s := secrets{
   246  		RemoteID: h.remoteID,
   247  		AES:      aesSecret,
   248  		MAC:      crypto.Keccak256(ecdheSecret, aesSecret),
   249  	}
   250  
   251  	// setup sha3 instances for the MACs
   252  	mac1 := sha3.NewKeccak256()
   253  	mac1.Write(xor(s.MAC, h.respNonce))
   254  	mac1.Write(auth)
   255  	mac2 := sha3.NewKeccak256()
   256  	mac2.Write(xor(s.MAC, h.initNonce))
   257  	mac2.Write(authResp)
   258  	if h.initiator {
   259  		s.EgressMAC, s.IngressMAC = mac1, mac2
   260  	} else {
   261  		s.EgressMAC, s.IngressMAC = mac2, mac1
   262  	}
   263  
   264  	return s, nil
   265  }
   266  
   267  // staticSharedSecret returns the static shared secret, the result
   268  // of key agreement between the local and remote static node key.
   269  func (h *encHandshake) staticSharedSecret(prv *ecdsa.PrivateKey) ([]byte, error) {
   270  	return ecies.ImportECDSA(prv).GenerateShared(h.remotePub, sskLen, sskLen)
   271  }
   272  
   273  // initiatorEncHandshake negotiates a session token on conn.
   274  // it should be called on the dialing side of the connection.
   275  //
   276  // prv is the local client's private key.
   277  func initiatorEncHandshake(conn io.ReadWriter, prv *ecdsa.PrivateKey, remoteID discover.NodeID, token []byte) (s secrets, err error) {
   278  	h := &encHandshake{initiator: true, remoteID: remoteID}
   279  	authMsg, err := h.makeAuthMsg(prv, token)
   280  	if err != nil {
   281  		return s, err
   282  	}
   283  	authPacket, err := sealEIP8(authMsg, h)
   284  	if err != nil {
   285  		return s, err
   286  	}
   287  	if _, err = conn.Write(authPacket); err != nil {
   288  		return s, err
   289  	}
   290  
   291  	authRespMsg := new(authRespV4)
   292  	authRespPacket, err := readHandshakeMsg(authRespMsg, encAuthRespLen, prv, conn)
   293  	if err != nil {
   294  		return s, err
   295  	}
   296  	if err := h.handleAuthResp(authRespMsg); err != nil {
   297  		return s, err
   298  	}
   299  	return h.secrets(authPacket, authRespPacket)
   300  }
   301  
   302  // makeAuthMsg creates the initiator handshake message.
   303  func (h *encHandshake) makeAuthMsg(prv *ecdsa.PrivateKey, token []byte) (*authMsgV4, error) {
   304  	rpub, err := h.remoteID.Pubkey()
   305  	if err != nil {
   306  		return nil, fmt.Errorf("bad remoteID: %v", err)
   307  	}
   308  	h.remotePub = ecies.ImportECDSAPublic(rpub)
   309  	// Generate random initiator nonce.
   310  	h.initNonce = make([]byte, shaLen)
   311  	if _, err := rand.Read(h.initNonce); err != nil {
   312  		return nil, err
   313  	}
   314  	// Generate random keypair to for ECDH.
   315  	h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, crypto.S256(), nil)
   316  	if err != nil {
   317  		return nil, err
   318  	}
   319  
   320  	// Sign known message: static-shared-secret ^ nonce
   321  	token, err = h.staticSharedSecret(prv)
   322  	if err != nil {
   323  		return nil, err
   324  	}
   325  	signed := xor(token, h.initNonce)
   326  	signature, err := crypto.Sign(signed, h.randomPrivKey.ExportECDSA())
   327  	if err != nil {
   328  		return nil, err
   329  	}
   330  
   331  	msg := new(authMsgV4)
   332  	copy(msg.Signature[:], signature)
   333  	copy(msg.InitiatorPubkey[:], crypto.FromECDSAPub(&prv.PublicKey)[1:])
   334  	copy(msg.Nonce[:], h.initNonce)
   335  	msg.Version = 4
   336  	return msg, nil
   337  }
   338  
   339  func (h *encHandshake) handleAuthResp(msg *authRespV4) (err error) {
   340  	h.respNonce = msg.Nonce[:]
   341  	h.remoteRandomPub, err = importPublicKey(msg.RandomPubkey[:])
   342  	return err
   343  }
   344  
   345  // receiverEncHandshake negotiates a session token on conn.
   346  // it should be called on the listening side of the connection.
   347  //
   348  // prv is the local client's private key.
   349  // token is the token from a previous session with this node.
   350  func receiverEncHandshake(conn io.ReadWriter, prv *ecdsa.PrivateKey, token []byte) (s secrets, err error) {
   351  	authMsg := new(authMsgV4)
   352  	authPacket, err := readHandshakeMsg(authMsg, encAuthMsgLen, prv, conn)
   353  	if err != nil {
   354  		return s, err
   355  	}
   356  	h := new(encHandshake)
   357  	if err := h.handleAuthMsg(authMsg, prv); err != nil {
   358  		return s, err
   359  	}
   360  
   361  	authRespMsg, err := h.makeAuthResp()
   362  	if err != nil {
   363  		return s, err
   364  	}
   365  	var authRespPacket []byte
   366  	if authMsg.gotPlain {
   367  		authRespPacket, err = authRespMsg.sealPlain(h)
   368  	} else {
   369  		authRespPacket, err = sealEIP8(authRespMsg, h)
   370  	}
   371  	if err != nil {
   372  		return s, err
   373  	}
   374  	if _, err = conn.Write(authRespPacket); err != nil {
   375  		return s, err
   376  	}
   377  	return h.secrets(authPacket, authRespPacket)
   378  }
   379  
   380  func (h *encHandshake) handleAuthMsg(msg *authMsgV4, prv *ecdsa.PrivateKey) error {
   381  	// Import the remote identity.
   382  	h.initNonce = msg.Nonce[:]
   383  	h.remoteID = msg.InitiatorPubkey
   384  	rpub, err := h.remoteID.Pubkey()
   385  	if err != nil {
   386  		return fmt.Errorf("bad remoteID: %#v", err)
   387  	}
   388  	h.remotePub = ecies.ImportECDSAPublic(rpub)
   389  
   390  	// Generate random keypair for ECDH.
   391  	// If a private key is already set, use it instead of generating one (for testing).
   392  	if h.randomPrivKey == nil {
   393  		h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, crypto.S256(), nil)
   394  		if err != nil {
   395  			return err
   396  		}
   397  	}
   398  
   399  	// Check the signature.
   400  	token, err := h.staticSharedSecret(prv)
   401  	if err != nil {
   402  		return err
   403  	}
   404  	signedMsg := xor(token, h.initNonce)
   405  	remoteRandomPub, err := secp256k1.RecoverPubkey(signedMsg, msg.Signature[:])
   406  	if err != nil {
   407  		return err
   408  	}
   409  	h.remoteRandomPub, _ = importPublicKey(remoteRandomPub)
   410  	return nil
   411  }
   412  
   413  func (h *encHandshake) makeAuthResp() (msg *authRespV4, err error) {
   414  	// Generate random nonce.
   415  	h.respNonce = make([]byte, shaLen)
   416  	if _, err = rand.Read(h.respNonce); err != nil {
   417  		return nil, err
   418  	}
   419  
   420  	msg = new(authRespV4)
   421  	copy(msg.Nonce[:], h.respNonce)
   422  	copy(msg.RandomPubkey[:], exportPubkey(&h.randomPrivKey.PublicKey))
   423  	msg.Version = 4
   424  	return msg, nil
   425  }
   426  
   427  func (msg *authMsgV4) sealPlain(h *encHandshake) ([]byte, error) {
   428  	buf := make([]byte, authMsgLen)
   429  	n := copy(buf, msg.Signature[:])
   430  	n += copy(buf[n:], crypto.Keccak256(exportPubkey(&h.randomPrivKey.PublicKey)))
   431  	n += copy(buf[n:], msg.InitiatorPubkey[:])
   432  	n += copy(buf[n:], msg.Nonce[:])
   433  	buf[n] = 0 // token-flag
   434  	return ecies.Encrypt(rand.Reader, h.remotePub, buf, nil, nil)
   435  }
   436  
   437  func (msg *authMsgV4) decodePlain(input []byte) {
   438  	n := copy(msg.Signature[:], input)
   439  	n += shaLen // skip sha3(initiator-ephemeral-pubk)
   440  	n += copy(msg.InitiatorPubkey[:], input[n:])
   441  	copy(msg.Nonce[:], input[n:])
   442  	msg.Version = 4
   443  	msg.gotPlain = true
   444  }
   445  
   446  func (msg *authRespV4) sealPlain(hs *encHandshake) ([]byte, error) {
   447  	buf := make([]byte, authRespLen)
   448  	n := copy(buf, msg.RandomPubkey[:])
   449  	copy(buf[n:], msg.Nonce[:])
   450  	return ecies.Encrypt(rand.Reader, hs.remotePub, buf, nil, nil)
   451  }
   452  
   453  func (msg *authRespV4) decodePlain(input []byte) {
   454  	n := copy(msg.RandomPubkey[:], input)
   455  	copy(msg.Nonce[:], input[n:])
   456  	msg.Version = 4
   457  }
   458  
   459  var padSpace = make([]byte, 300)
   460  
   461  func sealEIP8(msg interface{}, h *encHandshake) ([]byte, error) {
   462  	buf := new(bytes.Buffer)
   463  	if err := rlp.Encode(buf, msg); err != nil {
   464  		return nil, err
   465  	}
   466  	// pad with random amount of data. the amount needs to be at least 100 bytes to make
   467  	// the message distinguishable from pre-EIP-8 handshakes.
   468  	pad := padSpace[:mrand.Intn(len(padSpace)-100)+100]
   469  	buf.Write(pad)
   470  	prefix := make([]byte, 2)
   471  	binary.BigEndian.PutUint16(prefix, uint16(buf.Len()+eciesOverhead))
   472  
   473  	enc, err := ecies.Encrypt(rand.Reader, h.remotePub, buf.Bytes(), nil, prefix)
   474  	return append(prefix, enc...), err
   475  }
   476  
   477  type plainDecoder interface {
   478  	decodePlain([]byte)
   479  }
   480  
   481  func readHandshakeMsg(msg plainDecoder, plainSize int, prv *ecdsa.PrivateKey, r io.Reader) ([]byte, error) {
   482  	buf := make([]byte, plainSize)
   483  	if _, err := io.ReadFull(r, buf); err != nil {
   484  		return buf, err
   485  	}
   486  	// Attempt decoding pre-EIP-8 "plain" format.
   487  	key := ecies.ImportECDSA(prv)
   488  	if dec, err := key.Decrypt(rand.Reader, buf, nil, nil); err == nil {
   489  		msg.decodePlain(dec)
   490  		return buf, nil
   491  	}
   492  	// Could be EIP-8 format, try that.
   493  	prefix := buf[:2]
   494  	size := binary.BigEndian.Uint16(prefix)
   495  	if size < uint16(plainSize) {
   496  		return buf, fmt.Errorf("size underflow, need at least %d bytes", plainSize)
   497  	}
   498  	buf = append(buf, make([]byte, size-uint16(plainSize)+2)...)
   499  	if _, err := io.ReadFull(r, buf[plainSize:]); err != nil {
   500  		return buf, err
   501  	}
   502  	dec, err := key.Decrypt(rand.Reader, buf[2:], nil, prefix)
   503  	if err != nil {
   504  		return buf, err
   505  	}
   506  	// Can't use rlp.DecodeBytes here because it rejects
   507  	// trailing data (forward-compatibility).
   508  	s := rlp.NewStream(bytes.NewReader(dec), 0)
   509  	return buf, s.Decode(msg)
   510  }
   511  
   512  // importPublicKey unmarshals 512 bit public keys.
   513  func importPublicKey(pubKey []byte) (*ecies.PublicKey, error) {
   514  	var pubKey65 []byte
   515  	switch len(pubKey) {
   516  	case 64:
   517  		// add 'uncompressed key' flag
   518  		pubKey65 = append([]byte{0x04}, pubKey...)
   519  	case 65:
   520  		pubKey65 = pubKey
   521  	default:
   522  		return nil, fmt.Errorf("invalid public key length %v (expect 64/65)", len(pubKey))
   523  	}
   524  	// TODO: fewer pointless conversions
   525  	pub := crypto.ToECDSAPub(pubKey65)
   526  	if pub.X == nil {
   527  		return nil, fmt.Errorf("invalid public key")
   528  	}
   529  	return ecies.ImportECDSAPublic(pub), nil
   530  }
   531  
   532  func exportPubkey(pub *ecies.PublicKey) []byte {
   533  	if pub == nil {
   534  		panic("nil pubkey")
   535  	}
   536  	return elliptic.Marshal(pub.Curve, pub.X, pub.Y)[1:]
   537  }
   538  
   539  func xor(one, other []byte) (xor []byte) {
   540  	xor = make([]byte, len(one))
   541  	for i := 0; i < len(one); i++ {
   542  		xor[i] = one[i] ^ other[i]
   543  	}
   544  	return xor
   545  }
   546  
   547  var (
   548  	// this is used in place of actual frame header data.
   549  	// TODO: replace this when Msg contains the protocol type code.
   550  	zeroHeader = []byte{0xC2, 0x80, 0x80}
   551  	// sixteen zero bytes
   552  	zero16 = make([]byte, 16)
   553  )
   554  
   555  // rlpxFrameRW implements a simplified version of RLPx framing.
   556  // chunked messages are not supported and all headers are equal to
   557  // zeroHeader.
   558  //
   559  // rlpxFrameRW is not safe for concurrent use from multiple goroutines.
   560  type rlpxFrameRW struct {
   561  	conn io.ReadWriter
   562  	enc  cipher.Stream
   563  	dec  cipher.Stream
   564  
   565  	macCipher  cipher.Block
   566  	egressMAC  hash.Hash
   567  	ingressMAC hash.Hash
   568  
   569  	snappy bool
   570  }
   571  
   572  func newRLPXFrameRW(conn io.ReadWriter, s secrets) *rlpxFrameRW {
   573  	macc, err := aes.NewCipher(s.MAC)
   574  	if err != nil {
   575  		panic("invalid MAC secret: " + err.Error())
   576  	}
   577  	encc, err := aes.NewCipher(s.AES)
   578  	if err != nil {
   579  		panic("invalid AES secret: " + err.Error())
   580  	}
   581  	// we use an all-zeroes IV for AES because the key used
   582  	// for encryption is ephemeral.
   583  	iv := make([]byte, encc.BlockSize())
   584  	return &rlpxFrameRW{
   585  		conn:       conn,
   586  		enc:        cipher.NewCTR(encc, iv),
   587  		dec:        cipher.NewCTR(encc, iv),
   588  		macCipher:  macc,
   589  		egressMAC:  s.EgressMAC,
   590  		ingressMAC: s.IngressMAC,
   591  	}
   592  }
   593  
   594  func (rw *rlpxFrameRW) WriteMsg(msg Msg) error {
   595  	ptype, _ := rlp.EncodeToBytes(msg.Code)
   596  
   597  	// if snappy is enabled, compress message now
   598  	if rw.snappy {
   599  		if msg.Size > maxUint24 {
   600  			return errPlainMessageTooLarge
   601  		}
   602  		payload, _ := ioutil.ReadAll(msg.Payload)
   603  		payload = snappy.Encode(nil, payload)
   604  
   605  		msg.Payload = bytes.NewReader(payload)
   606  		msg.Size = uint32(len(payload))
   607  	}
   608  	// write header
   609  	headbuf := make([]byte, 32)
   610  	fsize := uint32(len(ptype)) + msg.Size
   611  	if fsize > maxUint24 {
   612  		return errors.New("message size overflows uint24")
   613  	}
   614  	putInt24(fsize, headbuf) // TODO: check overflow
   615  	copy(headbuf[3:], zeroHeader)
   616  	rw.enc.XORKeyStream(headbuf[:16], headbuf[:16]) // first half is now encrypted
   617  
   618  	// write header MAC
   619  	copy(headbuf[16:], updateMAC(rw.egressMAC, rw.macCipher, headbuf[:16]))
   620  	if _, err := rw.conn.Write(headbuf); err != nil {
   621  		return err
   622  	}
   623  
   624  	// write encrypted frame, updating the egress MAC hash with
   625  	// the data written to conn.
   626  	tee := cipher.StreamWriter{S: rw.enc, W: io.MultiWriter(rw.conn, rw.egressMAC)}
   627  	if _, err := tee.Write(ptype); err != nil {
   628  		return err
   629  	}
   630  	if _, err := io.Copy(tee, msg.Payload); err != nil {
   631  		return err
   632  	}
   633  	if padding := fsize % 16; padding > 0 {
   634  		if _, err := tee.Write(zero16[:16-padding]); err != nil {
   635  			return err
   636  		}
   637  	}
   638  
   639  	// write frame MAC. egress MAC hash is up to date because
   640  	// frame content was written to it as well.
   641  	fmacseed := rw.egressMAC.Sum(nil)
   642  	mac := updateMAC(rw.egressMAC, rw.macCipher, fmacseed)
   643  	_, err := rw.conn.Write(mac)
   644  	return err
   645  }
   646  
   647  func (rw *rlpxFrameRW) ReadMsg() (msg Msg, err error) {
   648  	// read the header
   649  	headbuf := make([]byte, 32)
   650  	if _, err := io.ReadFull(rw.conn, headbuf); err != nil {
   651  		return msg, err
   652  	}
   653  	// verify header mac
   654  	shouldMAC := updateMAC(rw.ingressMAC, rw.macCipher, headbuf[:16])
   655  	if !hmac.Equal(shouldMAC, headbuf[16:]) {
   656  		return msg, errors.New("bad header MAC")
   657  	}
   658  	rw.dec.XORKeyStream(headbuf[:16], headbuf[:16]) // first half is now decrypted
   659  	fsize := readInt24(headbuf)
   660  	// ignore protocol type for now
   661  
   662  	// read the frame content
   663  	var rsize = fsize // frame size rounded up to 16 byte boundary
   664  	if padding := fsize % 16; padding > 0 {
   665  		rsize += 16 - padding
   666  	}
   667  	framebuf := make([]byte, rsize)
   668  	if _, err := io.ReadFull(rw.conn, framebuf); err != nil {
   669  		return msg, err
   670  	}
   671  
   672  	// read and validate frame MAC. we can re-use headbuf for that.
   673  	rw.ingressMAC.Write(framebuf)
   674  	fmacseed := rw.ingressMAC.Sum(nil)
   675  	if _, err := io.ReadFull(rw.conn, headbuf[:16]); err != nil {
   676  		return msg, err
   677  	}
   678  	shouldMAC = updateMAC(rw.ingressMAC, rw.macCipher, fmacseed)
   679  	if !hmac.Equal(shouldMAC, headbuf[:16]) {
   680  		return msg, errors.New("bad frame MAC")
   681  	}
   682  
   683  	// decrypt frame content
   684  	rw.dec.XORKeyStream(framebuf, framebuf)
   685  
   686  	// decode message code
   687  	content := bytes.NewReader(framebuf[:fsize])
   688  	if err := rlp.Decode(content, &msg.Code); err != nil {
   689  		return msg, err
   690  	}
   691  	msg.Size = uint32(content.Len())
   692  	msg.Payload = content
   693  
   694  	// if snappy is enabled, verify and decompress message
   695  	if rw.snappy {
   696  		payload, err := ioutil.ReadAll(msg.Payload)
   697  		if err != nil {
   698  			return msg, err
   699  		}
   700  		size, err := snappy.DecodedLen(payload)
   701  		if err != nil {
   702  			return msg, err
   703  		}
   704  		if size > int(maxUint24) {
   705  			return msg, errPlainMessageTooLarge
   706  		}
   707  		payload, err = snappy.Decode(nil, payload)
   708  		if err != nil {
   709  			return msg, err
   710  		}
   711  		msg.Size, msg.Payload = uint32(size), bytes.NewReader(payload)
   712  	}
   713  	return msg, nil
   714  }
   715  
   716  // updateMAC reseeds the given hash with encrypted seed.
   717  // it returns the first 16 bytes of the hash sum after seeding.
   718  func updateMAC(mac hash.Hash, block cipher.Block, seed []byte) []byte {
   719  	aesbuf := make([]byte, aes.BlockSize)
   720  	block.Encrypt(aesbuf, mac.Sum(nil))
   721  	for i := range aesbuf {
   722  		aesbuf[i] ^= seed[i]
   723  	}
   724  	mac.Write(aesbuf)
   725  	return mac.Sum(nil)[:16]
   726  }
   727  
   728  func readInt24(b []byte) uint32 {
   729  	return uint32(b[2]) | uint32(b[1])<<8 | uint32(b[0])<<16
   730  }
   731  
   732  func putInt24(v uint32, b []byte) {
   733  	b[0] = byte(v >> 16)
   734  	b[1] = byte(v >> 8)
   735  	b[2] = byte(v)
   736  }