2021-05-23 19:42:26 +00:00
|
|
|
package core
|
2018-06-09 23:44:59 +00:00
|
|
|
|
|
|
|
// This file contains the version metadata struct
|
2019-11-29 09:45:02 +00:00
|
|
|
// Used in the initial connection setup and key exchange
|
2018-06-09 23:44:59 +00:00
|
|
|
// Some of this could arguably go in wire.go instead
|
|
|
|
|
2023-03-18 12:14:32 +00:00
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"crypto/ed25519"
|
|
|
|
"encoding/binary"
|
2023-06-18 19:28:14 +00:00
|
|
|
"io"
|
2023-10-09 15:44:07 +00:00
|
|
|
|
|
|
|
"golang.org/x/crypto/blake2b"
|
2023-03-18 12:14:32 +00:00
|
|
|
)
|
2018-12-15 02:49:18 +00:00
|
|
|
|
2018-06-10 23:03:28 +00:00
|
|
|
// This is the version-specific metadata exchanged at the start of a connection.
|
2019-11-29 09:45:02 +00:00
|
|
|
// It must always begin with the 4 bytes "meta" and a wire formatted uint64 major version number.
|
|
|
|
// The current version also includes a minor version number, and the box/sig/link keys that need to be exchanged to open a connection.
|
2018-06-09 23:44:59 +00:00
|
|
|
type version_metadata struct {
|
2023-03-18 12:14:32 +00:00
|
|
|
majorVer uint16
|
|
|
|
minorVer uint16
|
|
|
|
publicKey ed25519.PublicKey
|
|
|
|
priority uint8
|
2018-06-09 23:44:59 +00:00
|
|
|
}
|
|
|
|
|
2023-03-18 12:14:32 +00:00
|
|
|
const (
|
|
|
|
ProtocolVersionMajor uint16 = 0
|
|
|
|
ProtocolVersionMinor uint16 = 5
|
|
|
|
)
|
|
|
|
|
2023-10-09 15:44:07 +00:00
|
|
|
// Once a major/minor version is released, it is not safe to change any of these
|
|
|
|
// (including their ordering), it is only safe to add new ones.
|
2023-03-18 12:14:32 +00:00
|
|
|
const (
|
|
|
|
metaVersionMajor uint16 = iota // uint16
|
|
|
|
metaVersionMinor // uint16
|
|
|
|
metaPublicKey // [32]byte
|
|
|
|
metaPriority // uint8
|
|
|
|
)
|
|
|
|
|
2024-08-01 20:53:48 +00:00
|
|
|
type handshakeError string
|
|
|
|
|
|
|
|
func (e handshakeError) Error() string { return string(e) }
|
|
|
|
|
|
|
|
const ErrHandshakeInvalidPreamble = handshakeError("invalid handshake, remote side is not Yggdrasil")
|
|
|
|
const ErrHandshakeInvalidLength = handshakeError("invalid handshake length, possible version mismatch")
|
|
|
|
const ErrHandshakeInvalidPassword = handshakeError("invalid password supplied, check your config")
|
|
|
|
const ErrHandshakeHashFailure = handshakeError("invalid hash length")
|
|
|
|
const ErrHandshakeIncorrectPassword = handshakeError("password does not match remote side")
|
|
|
|
|
2018-06-10 23:03:28 +00:00
|
|
|
// Gets a base metadata with no keys set, but with the correct version numbers.
|
2018-06-09 23:44:59 +00:00
|
|
|
func version_getBaseMetadata() version_metadata {
|
|
|
|
return version_metadata{
|
2023-03-18 12:14:32 +00:00
|
|
|
majorVer: ProtocolVersionMajor,
|
|
|
|
minorVer: ProtocolVersionMinor,
|
2018-06-09 23:44:59 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-06-10 23:03:28 +00:00
|
|
|
// Encodes version metadata into its wire format.
|
2023-10-09 15:44:07 +00:00
|
|
|
func (m *version_metadata) encode(privateKey ed25519.PrivateKey, password []byte) ([]byte, error) {
|
2023-03-18 12:14:32 +00:00
|
|
|
bs := make([]byte, 0, 64)
|
|
|
|
bs = append(bs, 'm', 'e', 't', 'a')
|
2023-06-18 19:28:14 +00:00
|
|
|
bs = append(bs, 0, 0) // Remaining message length
|
2023-03-18 12:14:32 +00:00
|
|
|
|
|
|
|
bs = binary.BigEndian.AppendUint16(bs, metaVersionMajor)
|
|
|
|
bs = binary.BigEndian.AppendUint16(bs, 2)
|
|
|
|
bs = binary.BigEndian.AppendUint16(bs, m.majorVer)
|
|
|
|
|
|
|
|
bs = binary.BigEndian.AppendUint16(bs, metaVersionMinor)
|
|
|
|
bs = binary.BigEndian.AppendUint16(bs, 2)
|
|
|
|
bs = binary.BigEndian.AppendUint16(bs, m.minorVer)
|
|
|
|
|
|
|
|
bs = binary.BigEndian.AppendUint16(bs, metaPublicKey)
|
|
|
|
bs = binary.BigEndian.AppendUint16(bs, ed25519.PublicKeySize)
|
|
|
|
bs = append(bs, m.publicKey[:]...)
|
|
|
|
|
|
|
|
bs = binary.BigEndian.AppendUint16(bs, metaPriority)
|
|
|
|
bs = binary.BigEndian.AppendUint16(bs, 1)
|
|
|
|
bs = append(bs, m.priority)
|
|
|
|
|
2023-10-09 15:44:07 +00:00
|
|
|
hasher, err := blake2b.New512(password)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
n, err := hasher.Write(m.publicKey)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if n != ed25519.PublicKeySize {
|
2024-08-01 20:53:48 +00:00
|
|
|
return nil, ErrHandshakeHashFailure
|
2023-10-09 15:44:07 +00:00
|
|
|
}
|
|
|
|
hash := hasher.Sum(nil)
|
|
|
|
bs = append(bs, ed25519.Sign(privateKey, hash)...)
|
|
|
|
|
2023-06-18 19:28:14 +00:00
|
|
|
binary.BigEndian.PutUint16(bs[4:6], uint16(len(bs)-6))
|
2023-10-09 15:44:07 +00:00
|
|
|
return bs, nil
|
2018-06-09 23:44:59 +00:00
|
|
|
}
|
|
|
|
|
2018-06-10 23:03:28 +00:00
|
|
|
// Decodes version metadata from its wire format into the struct.
|
2023-11-04 17:57:04 +00:00
|
|
|
func (m *version_metadata) decode(r io.Reader, password []byte) error {
|
2023-06-18 19:28:14 +00:00
|
|
|
bh := [6]byte{}
|
|
|
|
if _, err := io.ReadFull(r, bh[:]); err != nil {
|
2023-11-04 17:57:04 +00:00
|
|
|
return err
|
2023-06-18 19:28:14 +00:00
|
|
|
}
|
2023-03-18 12:14:32 +00:00
|
|
|
meta := [4]byte{'m', 'e', 't', 'a'}
|
2023-06-18 19:28:14 +00:00
|
|
|
if !bytes.Equal(bh[:4], meta[:]) {
|
2024-08-01 20:53:48 +00:00
|
|
|
return ErrHandshakeInvalidPreamble
|
2023-06-18 19:28:14 +00:00
|
|
|
}
|
2023-11-04 17:57:04 +00:00
|
|
|
hl := binary.BigEndian.Uint16(bh[4:6])
|
|
|
|
if hl < ed25519.SignatureSize {
|
2024-08-01 20:53:48 +00:00
|
|
|
return ErrHandshakeInvalidLength
|
2018-06-09 23:44:59 +00:00
|
|
|
}
|
2023-11-04 17:57:04 +00:00
|
|
|
bs := make([]byte, hl)
|
|
|
|
if _, err := io.ReadFull(r, bs); err != nil {
|
|
|
|
return err
|
2023-10-12 18:12:17 +00:00
|
|
|
}
|
2023-10-09 15:44:07 +00:00
|
|
|
sig := bs[len(bs)-ed25519.SignatureSize:]
|
|
|
|
bs = bs[:len(bs)-ed25519.SignatureSize]
|
|
|
|
|
2023-06-18 19:28:14 +00:00
|
|
|
for len(bs) >= 4 {
|
2023-03-18 12:14:32 +00:00
|
|
|
op := binary.BigEndian.Uint16(bs[:2])
|
|
|
|
oplen := binary.BigEndian.Uint16(bs[2:4])
|
|
|
|
if bs = bs[4:]; len(bs) < int(oplen) {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
switch op {
|
|
|
|
case metaVersionMajor:
|
|
|
|
m.majorVer = binary.BigEndian.Uint16(bs[:2])
|
|
|
|
|
|
|
|
case metaVersionMinor:
|
|
|
|
m.minorVer = binary.BigEndian.Uint16(bs[:2])
|
|
|
|
|
|
|
|
case metaPublicKey:
|
|
|
|
m.publicKey = make(ed25519.PublicKey, ed25519.PublicKeySize)
|
|
|
|
copy(m.publicKey, bs[:ed25519.PublicKeySize])
|
|
|
|
|
|
|
|
case metaPriority:
|
|
|
|
m.priority = bs[0]
|
|
|
|
}
|
|
|
|
bs = bs[oplen:]
|
|
|
|
}
|
2023-10-09 15:44:07 +00:00
|
|
|
|
|
|
|
hasher, err := blake2b.New512(password)
|
|
|
|
if err != nil {
|
2024-08-01 20:53:48 +00:00
|
|
|
return ErrHandshakeInvalidPassword
|
2023-10-09 15:44:07 +00:00
|
|
|
}
|
|
|
|
n, err := hasher.Write(m.publicKey)
|
|
|
|
if err != nil || n != ed25519.PublicKeySize {
|
2024-08-01 20:53:48 +00:00
|
|
|
return ErrHandshakeHashFailure
|
2023-10-09 15:44:07 +00:00
|
|
|
}
|
|
|
|
hash := hasher.Sum(nil)
|
2023-11-04 17:57:04 +00:00
|
|
|
if !ed25519.Verify(m.publicKey, hash, sig) {
|
2024-08-01 20:53:48 +00:00
|
|
|
return ErrHandshakeIncorrectPassword
|
2023-11-04 17:57:04 +00:00
|
|
|
}
|
|
|
|
return nil
|
2018-06-09 23:44:59 +00:00
|
|
|
}
|
|
|
|
|
2018-06-10 23:03:28 +00:00
|
|
|
// Checks that the "meta" bytes and the version numbers are the expected values.
|
2018-06-09 23:44:59 +00:00
|
|
|
func (m *version_metadata) check() bool {
|
2023-03-18 12:14:32 +00:00
|
|
|
switch {
|
|
|
|
case m.majorVer != ProtocolVersionMajor:
|
|
|
|
return false
|
|
|
|
case m.minorVer != ProtocolVersionMinor:
|
|
|
|
return false
|
|
|
|
case len(m.publicKey) != ed25519.PublicKeySize:
|
|
|
|
return false
|
|
|
|
default:
|
|
|
|
return true
|
|
|
|
}
|
2018-06-09 23:44:59 +00:00
|
|
|
}
|