github.hscsec.cn/scroll-tech/go-ethereum@v1.9.7/whisper/whisperv6/message.go (about) 1 // Copyright 2016 The go-ethereum Authors 2 // This file is part of the go-ethereum library. 3 // 4 // The go-ethereum library is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU Lesser General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // The go-ethereum library is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU Lesser General Public License for more details. 13 // 14 // You should have received a copy of the GNU Lesser General Public License 15 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 16 17 // Contains the Whisper protocol Message element. 18 19 package whisperv6 20 21 import ( 22 "crypto/aes" 23 "crypto/cipher" 24 "crypto/ecdsa" 25 crand "crypto/rand" 26 "encoding/binary" 27 "errors" 28 mrand "math/rand" 29 "strconv" 30 31 "github.com/ethereum/go-ethereum/common" 32 "github.com/ethereum/go-ethereum/crypto" 33 "github.com/ethereum/go-ethereum/crypto/ecies" 34 "github.com/ethereum/go-ethereum/log" 35 ) 36 37 // MessageParams specifies the exact way a message should be wrapped 38 // into an Envelope. 39 type MessageParams struct { 40 TTL uint32 41 Src *ecdsa.PrivateKey 42 Dst *ecdsa.PublicKey 43 KeySym []byte 44 Topic TopicType 45 WorkTime uint32 46 PoW float64 47 Payload []byte 48 Padding []byte 49 } 50 51 // SentMessage represents an end-user data packet to transmit through the 52 // Whisper protocol. These are wrapped into Envelopes that need not be 53 // understood by intermediate nodes, just forwarded. 54 type sentMessage struct { 55 Raw []byte 56 } 57 58 // ReceivedMessage represents a data packet to be received through the 59 // Whisper protocol and successfully decrypted. 60 type ReceivedMessage struct { 61 Raw []byte 62 63 Payload []byte 64 Padding []byte 65 Signature []byte 66 Salt []byte 67 68 PoW float64 // Proof of work as described in the Whisper spec 69 Sent uint32 // Time when the message was posted into the network 70 TTL uint32 // Maximum time to live allowed for the message 71 Src *ecdsa.PublicKey // Message recipient (identity used to decode the message) 72 Dst *ecdsa.PublicKey // Message recipient (identity used to decode the message) 73 Topic TopicType 74 75 SymKeyHash common.Hash // The Keccak256Hash of the key 76 EnvelopeHash common.Hash // Message envelope hash to act as a unique id 77 } 78 79 func isMessageSigned(flags byte) bool { 80 return (flags & signatureFlag) != 0 81 } 82 83 func (msg *ReceivedMessage) isSymmetricEncryption() bool { 84 return msg.SymKeyHash != common.Hash{} 85 } 86 87 func (msg *ReceivedMessage) isAsymmetricEncryption() bool { 88 return msg.Dst != nil 89 } 90 91 // NewSentMessage creates and initializes a non-signed, non-encrypted Whisper message. 92 func NewSentMessage(params *MessageParams) (*sentMessage, error) { 93 const payloadSizeFieldMaxSize = 4 94 msg := sentMessage{} 95 msg.Raw = make([]byte, 1, 96 flagsLength+payloadSizeFieldMaxSize+len(params.Payload)+len(params.Padding)+signatureLength+padSizeLimit) 97 msg.Raw[0] = 0 // set all the flags to zero 98 msg.addPayloadSizeField(params.Payload) 99 msg.Raw = append(msg.Raw, params.Payload...) 100 err := msg.appendPadding(params) 101 return &msg, err 102 } 103 104 // addPayloadSizeField appends the auxiliary field containing the size of payload 105 func (msg *sentMessage) addPayloadSizeField(payload []byte) { 106 fieldSize := getSizeOfPayloadSizeField(payload) 107 field := make([]byte, 4) 108 binary.LittleEndian.PutUint32(field, uint32(len(payload))) 109 field = field[:fieldSize] 110 msg.Raw = append(msg.Raw, field...) 111 msg.Raw[0] |= byte(fieldSize) 112 } 113 114 // getSizeOfPayloadSizeField returns the number of bytes necessary to encode the size of payload 115 func getSizeOfPayloadSizeField(payload []byte) int { 116 s := 1 117 for i := len(payload); i >= 256; i /= 256 { 118 s++ 119 } 120 return s 121 } 122 123 // appendPadding appends the padding specified in params. 124 // If no padding is provided in params, then random padding is generated. 125 func (msg *sentMessage) appendPadding(params *MessageParams) error { 126 if len(params.Padding) != 0 { 127 // padding data was provided by the Dapp, just use it as is 128 msg.Raw = append(msg.Raw, params.Padding...) 129 return nil 130 } 131 132 rawSize := flagsLength + getSizeOfPayloadSizeField(params.Payload) + len(params.Payload) 133 if params.Src != nil { 134 rawSize += signatureLength 135 } 136 odd := rawSize % padSizeLimit 137 paddingSize := padSizeLimit - odd 138 pad := make([]byte, paddingSize) 139 _, err := crand.Read(pad) 140 if err != nil { 141 return err 142 } 143 if !validateDataIntegrity(pad, paddingSize) { 144 return errors.New("failed to generate random padding of size " + strconv.Itoa(paddingSize)) 145 } 146 msg.Raw = append(msg.Raw, pad...) 147 return nil 148 } 149 150 // sign calculates and sets the cryptographic signature for the message, 151 // also setting the sign flag. 152 func (msg *sentMessage) sign(key *ecdsa.PrivateKey) error { 153 if isMessageSigned(msg.Raw[0]) { 154 // this should not happen, but no reason to panic 155 log.Error("failed to sign the message: already signed") 156 return nil 157 } 158 159 msg.Raw[0] |= signatureFlag // it is important to set this flag before signing 160 hash := crypto.Keccak256(msg.Raw) 161 signature, err := crypto.Sign(hash, key) 162 if err != nil { 163 msg.Raw[0] &= (0xFF ^ signatureFlag) // clear the flag 164 return err 165 } 166 msg.Raw = append(msg.Raw, signature...) 167 return nil 168 } 169 170 // encryptAsymmetric encrypts a message with a public key. 171 func (msg *sentMessage) encryptAsymmetric(key *ecdsa.PublicKey) error { 172 if !ValidatePublicKey(key) { 173 return errors.New("invalid public key provided for asymmetric encryption") 174 } 175 encrypted, err := ecies.Encrypt(crand.Reader, ecies.ImportECDSAPublic(key), msg.Raw, nil, nil) 176 if err == nil { 177 msg.Raw = encrypted 178 } 179 return err 180 } 181 182 // encryptSymmetric encrypts a message with a topic key, using AES-GCM-256. 183 // nonce size should be 12 bytes (see cipher.gcmStandardNonceSize). 184 func (msg *sentMessage) encryptSymmetric(key []byte) (err error) { 185 if !validateDataIntegrity(key, aesKeyLength) { 186 return errors.New("invalid key provided for symmetric encryption, size: " + strconv.Itoa(len(key))) 187 } 188 block, err := aes.NewCipher(key) 189 if err != nil { 190 return err 191 } 192 aesgcm, err := cipher.NewGCM(block) 193 if err != nil { 194 return err 195 } 196 salt, err := generateSecureRandomData(aesNonceLength) // never use more than 2^32 random nonces with a given key 197 if err != nil { 198 return err 199 } 200 encrypted := aesgcm.Seal(nil, salt, msg.Raw, nil) 201 msg.Raw = append(encrypted, salt...) 202 return nil 203 } 204 205 // generateSecureRandomData generates random data where extra security is required. 206 // The purpose of this function is to prevent some bugs in software or in hardware 207 // from delivering not-very-random data. This is especially useful for AES nonce, 208 // where true randomness does not really matter, but it is very important to have 209 // a unique nonce for every message. 210 func generateSecureRandomData(length int) ([]byte, error) { 211 x := make([]byte, length) 212 y := make([]byte, length) 213 res := make([]byte, length) 214 215 _, err := crand.Read(x) 216 if err != nil { 217 return nil, err 218 } else if !validateDataIntegrity(x, length) { 219 return nil, errors.New("crypto/rand failed to generate secure random data") 220 } 221 _, err = mrand.Read(y) 222 if err != nil { 223 return nil, err 224 } else if !validateDataIntegrity(y, length) { 225 return nil, errors.New("math/rand failed to generate secure random data") 226 } 227 for i := 0; i < length; i++ { 228 res[i] = x[i] ^ y[i] 229 } 230 if !validateDataIntegrity(res, length) { 231 return nil, errors.New("failed to generate secure random data") 232 } 233 return res, nil 234 } 235 236 // Wrap bundles the message into an Envelope to transmit over the network. 237 func (msg *sentMessage) Wrap(options *MessageParams) (envelope *Envelope, err error) { 238 if options.TTL == 0 { 239 options.TTL = DefaultTTL 240 } 241 if options.Src != nil { 242 if err = msg.sign(options.Src); err != nil { 243 return nil, err 244 } 245 } 246 if options.Dst != nil { 247 err = msg.encryptAsymmetric(options.Dst) 248 } else if options.KeySym != nil { 249 err = msg.encryptSymmetric(options.KeySym) 250 } else { 251 err = errors.New("unable to encrypt the message: neither symmetric nor assymmetric key provided") 252 } 253 if err != nil { 254 return nil, err 255 } 256 257 envelope = NewEnvelope(options.TTL, options.Topic, msg) 258 if err = envelope.Seal(options); err != nil { 259 return nil, err 260 } 261 return envelope, nil 262 } 263 264 // decryptSymmetric decrypts a message with a topic key, using AES-GCM-256. 265 // nonce size should be 12 bytes (see cipher.gcmStandardNonceSize). 266 func (msg *ReceivedMessage) decryptSymmetric(key []byte) error { 267 // symmetric messages are expected to contain the 12-byte nonce at the end of the payload 268 if len(msg.Raw) < aesNonceLength { 269 return errors.New("missing salt or invalid payload in symmetric message") 270 } 271 salt := msg.Raw[len(msg.Raw)-aesNonceLength:] 272 273 block, err := aes.NewCipher(key) 274 if err != nil { 275 return err 276 } 277 aesgcm, err := cipher.NewGCM(block) 278 if err != nil { 279 return err 280 } 281 decrypted, err := aesgcm.Open(nil, salt, msg.Raw[:len(msg.Raw)-aesNonceLength], nil) 282 if err != nil { 283 return err 284 } 285 msg.Raw = decrypted 286 msg.Salt = salt 287 return nil 288 } 289 290 // decryptAsymmetric decrypts an encrypted payload with a private key. 291 func (msg *ReceivedMessage) decryptAsymmetric(key *ecdsa.PrivateKey) error { 292 decrypted, err := ecies.ImportECDSA(key).Decrypt(msg.Raw, nil, nil) 293 if err == nil { 294 msg.Raw = decrypted 295 } 296 return err 297 } 298 299 // ValidateAndParse checks the message validity and extracts the fields in case of success. 300 func (msg *ReceivedMessage) ValidateAndParse() bool { 301 end := len(msg.Raw) 302 if end < 1 { 303 return false 304 } 305 306 if isMessageSigned(msg.Raw[0]) { 307 end -= signatureLength 308 if end <= 1 { 309 return false 310 } 311 msg.Signature = msg.Raw[end : end+signatureLength] 312 msg.Src = msg.SigToPubKey() 313 if msg.Src == nil { 314 return false 315 } 316 } 317 318 beg := 1 319 payloadSize := 0 320 sizeOfPayloadSizeField := int(msg.Raw[0] & SizeMask) // number of bytes indicating the size of payload 321 if sizeOfPayloadSizeField != 0 { 322 payloadSize = int(bytesToUintLittleEndian(msg.Raw[beg : beg+sizeOfPayloadSizeField])) 323 if payloadSize+1 > end { 324 return false 325 } 326 beg += sizeOfPayloadSizeField 327 msg.Payload = msg.Raw[beg : beg+payloadSize] 328 } 329 330 beg += payloadSize 331 msg.Padding = msg.Raw[beg:end] 332 return true 333 } 334 335 // SigToPubKey returns the public key associated to the message's 336 // signature. 337 func (msg *ReceivedMessage) SigToPubKey() *ecdsa.PublicKey { 338 defer func() { recover() }() // in case of invalid signature 339 340 pub, err := crypto.SigToPub(msg.hash(), msg.Signature) 341 if err != nil { 342 log.Error("failed to recover public key from signature", "err", err) 343 return nil 344 } 345 return pub 346 } 347 348 // hash calculates the SHA3 checksum of the message flags, payload size field, payload and padding. 349 func (msg *ReceivedMessage) hash() []byte { 350 if isMessageSigned(msg.Raw[0]) { 351 sz := len(msg.Raw) - signatureLength 352 return crypto.Keccak256(msg.Raw[:sz]) 353 } 354 return crypto.Keccak256(msg.Raw) 355 }