If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.
Conflicts
Reviewers, this pull request conflicts with the following ones:
#27534 (rpc: add ‘getnetmsgstats’, new rpc to view network message statistics by satsie)
#27530 (Remove now-unnecessary poll, fcntl includes from net(base).cpp by Empact)
#27479 (BIP324: ElligatorSwift integrations by sipa)
#27411 (p2p: Restrict self-advertisements with privacy networks to avoid fingerprinting by mzumsande)
#27407 (net, refactor: Privatise CNode send queue by dergoegge)
#27385 (net, refactor: extract Network and BIP155Network logic to node/network by jonatack)
#26684 (bench: add readblock benchmark by andrewtoth)
#26593 (tracing: Only prepare tracepoint arguments when actually tracing by 0xB10C)
#25572 (refactor: Introduce EvictionManager and use it for the inbound eviction logic by dergoegge)
#25268 (refactor: Introduce EvictionManager by dergoegge)
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
dhruv force-pushed
on Oct 10, 2021
dhruv
commented at 4:51 am on October 10, 2021:
contributor
DrahtBot added the label
Needs rebase
on Oct 21, 2021
dhruv force-pushed
on Oct 22, 2021
dhruv
commented at 6:24 pm on October 22, 2021:
contributor
Rebased. Ready for further review.
DrahtBot removed the label
Needs rebase
on Oct 22, 2021
in
src/net.cpp:776
in
a53a06cc75outdated
772+ if (m_hdr_pos < CHACHA20_POLY1305_AEAD_AAD_LEN) {
773+ return copy_bytes;
774+ }
775+
776+ // we got the AAD bytes at this point (3 bytes encrypted packet length)
777+ // we keep the sequence numbers unchanged at this point. Once the message is authenticated and decrypted, we increase the sequence numbers (or the aad_pos)
stratospher
commented at 4:44 am on November 5, 2021:
This comment can be removed since it’s related to the AEAD cipher suite implementation and doesn’t play a role here.
776+ // we got the AAD bytes at this point (3 bytes encrypted packet length)
777+ // we keep the sequence numbers unchanged at this point. Once the message is authenticated and decrypted, we increase the sequence numbers (or the aad_pos)
778+ m_message_size = m_aead->DecryptLength((const uint8_t*)vRecv.data());
779+
780+ // reject messages larger than MAX_SIZE
781+ if (m_message_size > MAX_SIZE) {
stratospher
commented at 4:51 am on November 5, 2021:
This will need to be updated to be consistent with the BIP since MAX_SIZE is 2^25 bytes.
882+ // message command without an assigned short-ID
883+ assert(msg.m_type.size() <= NET_P2P_V2_CMD_MAX_CHARS_SIZE);
884+ // encode as varstr, max 12 chars
885+ serialized_command_size = ::GetSerializeSize(msg.m_type, PROTOCOL_VERSION);
886+ }
887+ // prepare the packet length that will later be encrypted and part of the MAC (AD)
stratospher
commented at 5:34 am on November 5, 2021:
0 // prepare the packet length that will later be encrypted and part of the MAC (AAD)
905+ vector_writer << msg.m_type;
906+ }
907+
908+ // insert header directly into the CSerializedNetMsg data buffer (insert at begin)
909+ // TODO: if we refactor the ChaCha20Poly1350 crypt function to allow separate buffers for
910+ // the AD, payload and MAC, we could avoid a insert and thus a potential reallocation
stratospher
commented at 5:36 am on November 5, 2021:
0// the AAD, payload and MAC, we could avoid a insert and thus a potential reallocation
Well, so, the term “header” doesn’t really make sense without the context of which layer we are talking about. net covers both transport and p2p(application) layers to some degree. For the transport layer, perhaps the “header” is the encrypted length. For the application layer, the p2p message type is arguably part of the “header”. I updated the comment to be clear in a different way though.
in
src/net.cpp:908
in
a53a06cc75outdated
904+ // or the ASCII command string
905+ vector_writer << msg.m_type;
906+ }
907+
908+ // insert header directly into the CSerializedNetMsg data buffer (insert at begin)
909+ // TODO: if we refactor the ChaCha20Poly1350 crypt function to allow separate buffers for
stratospher
commented at 5:54 am on November 5, 2021:
0 // TODO: if we refactor the ChaCha20Poly1305 crypt function to allow separate buffers for
805+ return copy_bytes;
806+}
807+
808+std::optional<CNetMessage> V2TransportDeserializer::GetMessage(std::chrono::microseconds time, uint32_t& out_err_raw_size)
809+{
810+ // In v2, vRecv contains the encrypted payload plus the MAC tag (1+bytes serialized message command + ? bytes message payload + 16 byte mac tag)
stratospher
commented at 6:08 am on November 5, 2021:
0// In v2, vRecv contains the AAD, encrypted payload plus the MAC tag (3 byte AAD +1+bytes serialized message command +? bytes message payload +16 byte mac tag)
stratospher
commented at 6:38 am on November 5, 2021:
contributor
Concept ACKab5b49d. This PR nicely implements the v2 transport serialisation and deserialisation process.
4be7638
To introduce short-IDs, allNetMessageTypes[] is represented as a map and functions to convert short-ID to a message and vice versa are added. Verified that changes don’t need to be made to other files due to this commit.
a53a06c
The v2TransportDeserializer contains:
readHeader() : copies the header from msg_bytes to location in vRecv[] which is addressed by m_hdr_pos. After the entire header is read, it switches to read message data mode(m_in_data = true).
readData() : copies the data from msg_bytes to location in vRecv[] which is addressed by CHACHA20_POLY1305_AEAD_AAD_LEN + m_data_pos. vRecv[] is resized to at max 256 KiB forward if there’s no space to hold msg_bytes.
GetMessage() : performs decryption of vRecv[] and chops off the AAD and MAC tag if successful decryption occurs. It reads the first byte of the payload in size_or_shortid. If size_or_shortid is a number between 1 and 12, then it’s a string command and the next size_or_shortid bytes is read into command_name. If size_or_shortid is larger than 12, then it’s a Message-Type-ID and if it’s string mapping is found, it’s stored in command_name. Otherwise the size_or_shortid is appended with the prefix ‘unknown’ and stored in command_name. CNetMessage msg is constructed and returned.
The v2TransportSerializer contains:
prepareForTransport() : prepares the CSerializedNetMsg msg for serialisation. serialized_command_size is used to store the size of short id (1 byte) or the size of message command string if short id isn’t assigned. packet_length contains the length of the message type id and payload which is stored in a LE representation in serialized_header. The short id/ command string is also appended to it. serialized_header is then inserted into the beginning of msg buffer. Encryption is performed on msg and returns true when successful.
ryihan approved
dhruv force-pushed
on Nov 9, 2021
dhruv
commented at 0:28 am on November 9, 2021:
contributor
Rebased to bring in changes from #22735, and addressed comments from @stratospher (Thank you!). Ready for further review.
dhruv
commented at 11:29 pm on November 23, 2021:
contributor
Pushed changes to enforce connection termination upon finding an invalid mac tag. Ready for further review.
dhruv force-pushed
on Dec 5, 2021
dhruv
commented at 4:33 pm on December 5, 2021:
contributor
@stratospher found a couple crashing fuzz seeds. They were occurring because the fuzz test allowed for a mac_assist to be provided even if the length was not assisted. And when that happens, the test assertion for a valid mac tag would fail.
Rebased with master due to unrelated tests failing on CI.
Ready for further review.
in
src/protocol.cpp:49
in
6f819714a3outdated
45@@ -46,46 +46,44 @@ const char *CFCHECKPT="cfcheckpt";
46 const char *WTXIDRELAY="wtxidrelay";
47 } // namespace NetMsgType
4849-/** All known message types. Keep this in the same order as the list of
50+/** All known message types including the short-ID. Keep this in the same order as the list of
Nice suggestion. Done in #20962(where the commit belongs) and brought in here.
in
src/test/fuzz/p2p_v2_transport_serialization.cpp:28
in
6f819714a3outdated
23+ V2TransportSerializer serializer{k1, k2};
24+ FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
25+
26+ bool length_assist = fuzzed_data_provider.ConsumeBool();
27+
28+ // There is no sense is providing a mac assist if the length is incorrect.
I might be missing something, but, wouldn’t WriteLE32 here mean that the fourth byte (which is the first byte in the ciphertext payload) would be written over. Is there a way for me to use WriteLE32 only for 3 bytes?
I guess that is still deterministic, so the fuzz test would work, but I’m not sure if it will work against the fuzzing engine.
274+ * returns the short ID for a message type (if known) */
275+std::optional<uint8_t> GetShortIDFromMessageType(const std::string& message_type);
276+
277+/** returns the message type (string) from a short ID
278+ * returns an empty string if short ID has not been found */
279+bool GetMessageTypeFromShortID(const uint8_t shortID, std::string& message_type);
Would prefer to return a std::optional<std::string> instead of a separate bool and output argument (more symmetrical with GetShortIDFromMessageType as well).
This had been on my list for far too long. Thanks for the nudge. Done in #20962 and brought in here. (First commit is a separate PR #20962 and this PR builds on it).
in
src/crypto/chacha_poly_aead.h:99
in
6f819714a3outdated
152+ * (using the ChaCha20 stream keyed with K_2) and append it to the encrypted
153+ * length. Finally, calculate a MAC tag (using poly1305 key from stream keyed with K_1)
154+ * and append it.
155 */
156157+const int KEYSTREAM_SIZE = 4096;
Yes. It makes some of the invariants about msg below hold and that makes fuzz testing easier. The client of this function is expected to reject the message in this case.
DrahtBot added the label
Needs rebase
on Jan 24, 2022
dhruv force-pushed
on Jan 24, 2022
dhruv
commented at 7:41 pm on January 24, 2022:
contributor
Rebased. Ready for further review.
DrahtBot removed the label
Needs rebase
on Jan 24, 2022
DrahtBot added the label
Needs rebase
on Jan 31, 2022
dhruv force-pushed
on Feb 2, 2022
dhruv
commented at 2:49 am on February 2, 2022:
contributor
Rebased. Ready for further review.
git range-diff 02e1d8d06f a999f11 ed5f00d
DrahtBot removed the label
Needs rebase
on Feb 2, 2022
dhruv force-pushed
on Feb 10, 2022
dhruv
commented at 2:28 am on February 10, 2022:
contributor
Update to bring in #24253. Please review with: git range-diff 5e8e0b3d7f ed5f00d d7afc96
Ready for further review.
dhruv force-pushed
on Feb 23, 2022
dhruv
commented at 1:47 am on February 23, 2022:
contributor
Updated code due to bug found while fuzzing and testing a new BIP324 PR which is WIP. Please review diff with: git range-diff refs/heads/master d7afc96 HEAD
Ready for further review.
DrahtBot added the label
Needs rebase
on Mar 3, 2022
dhruv force-pushed
on Mar 10, 2022
DrahtBot removed the label
Needs rebase
on Mar 10, 2022
dhruv
commented at 1:00 am on March 11, 2022:
contributor
Rebased. Ready for further review.
dhruv force-pushed
on Mar 21, 2022
dhruv
commented at 8:13 pm on March 21, 2022:
contributor
DrahtBot added the label
Needs rebase
on Jul 20, 2022
dhruv force-pushed
on Jul 22, 2022
dhruv
commented at 1:54 pm on July 22, 2022:
contributor
Rebased. Ready for further review.
dhruv force-pushed
on Jul 22, 2022
dhruv
commented at 1:59 pm on July 22, 2022:
contributor
Amended a commit description to force push again as CI would not trigger. No code changes. Ready for further review.
DrahtBot removed the label
Needs rebase
on Jul 22, 2022
DrahtBot added the label
Needs rebase
on Aug 30, 2022
dhruv force-pushed
on Sep 11, 2022
dhruv
commented at 8:24 pm on September 11, 2022:
contributor
Modified code to bring in upstream interface changes from #25361 and exposed the BIP324CipherSuite AAD via the V2TransportSerializer and V2TransportDeserializerclasses to facilitate the authentication of the garbage bytes in the shapable handshake.
Ready for further review.
DrahtBot removed the label
Needs rebase
on Sep 11, 2022
DrahtBot added the label
Needs rebase
on Sep 25, 2022
dhruv force-pushed
on Sep 29, 2022
dhruv
commented at 4:38 am on September 29, 2022:
contributor
While implementing it, I found a bug in the arm of code that serialized/deserialized message types without assigned short ids. That branch of code was previously unexercised by any tests. This is no longer the case.
BIP324 Cipher Suite187761fc8a
Allow for RFC8439 AD in cipher suite interface8405856ed9
Merge branch 'bip324-cipher-suite' into bip324-net-v20c3c7ab105
Add BIP324 short-IDs to protocol.cpp
Co-authored-by: Jonas Schnelli <dev@jonasschnelli.ch>
9d9c46f702
Add BIP324 v2 transport serializer and deserializer
Co-authored-by: Jonas Schnelli <dev@jonasschnelli.ch>
c32329c47a
fuzz: Add fuzz test for v2 transport {de}serialization16eeb431eb
Expose BIP324CipherSuite AAD via transport classesf01955687f
dhruv force-pushed
on Mar 21, 2023
dhruv
commented at 4:01 am on March 21, 2023:
contributor
This is a metadata mirror of the GitHub repository
bitcoin/bitcoin.
This site is not affiliated with GitHub.
Content is generated from a GitHub metadata backup.
generated: 2024-12-18 18:12 UTC
This site is hosted by @0xB10C More mirrored repositories can be found on mirror.b10c.me