merge bitcoin#29431: disconnection scenarios during v2 handshake

This commit is contained in:
Kittywhiskers Van Gogh 2024-01-30 19:27:21 +05:30
parent cc6b88ee37
commit 4735b82979
No known key found for this signature in database
GPG Key ID: 30CD0C065E5C4AAD
9 changed files with 201 additions and 107 deletions

View File

@ -2401,7 +2401,11 @@ bool CConnman::InactivityCheck(const CNode& node) const
}
if (!node.fSuccessfullyConnected) {
if (node.m_transport->GetInfo().transport_type == TransportProtocolType::DETECTING) {
LogPrint(BCLog::NET, "V2 handshake timeout peer=%d\n", node.GetId());
} else {
LogPrint(BCLog::NET, "version handshake timeout peer=%d\n", node.GetId());
}
return true;
}

View File

@ -1,91 +0,0 @@
#!/usr/bin/env python3
# Copyright (c) 2022 The Bitcoin Core developers
# Distributed under the MIT software license, see the accompanying
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
import random
from test_framework.test_framework import BitcoinTestFramework
from test_framework.crypto.ellswift import ellswift_create
from test_framework.util import random_bytes
from test_framework.p2p import P2PInterface
from test_framework.v2_p2p import EncryptedP2PState
class TestEncryptedP2PState(EncryptedP2PState):
""" Modify v2 P2P protocol functions for testing that "The responder waits until one byte is received which does
not match the 16 bytes consisting of the network magic followed by "version\x00\x00\x00\x00\x00"." (see BIP 324)
- if `send_net_magic` is True, send first 4 bytes of ellswift (match network magic) else send remaining 60 bytes
- `can_data_be_received` is a variable used to assert if data is received on recvbuf.
- v2 TestNode shouldn't respond back if we send V1_PREFIX and data shouldn't be received on recvbuf.
This state is represented using `can_data_be_received` = False.
- v2 TestNode responds back when mismatch from V1_PREFIX happens and data can be received on recvbuf.
This state is represented using `can_data_be_received` = True.
"""
def __init__(self):
super().__init__(initiating=True, net='regtest')
self.send_net_magic = True
self.can_data_be_received = False
def initiate_v2_handshake(self, garbage_len=random.randrange(4096)):
"""Initiator begins the v2 handshake by sending its ellswift bytes and garbage.
Here, the 64 bytes ellswift is assumed to have it's 4 bytes match network magic bytes. It is sent in 2 phases:
1. when `send_network_magic` = True, send first 4 bytes of ellswift (matches network magic bytes)
2. when `send_network_magic` = False, send remaining 60 bytes of ellswift
"""
if self.send_net_magic:
self.privkey_ours, self.ellswift_ours = ellswift_create()
self.sent_garbage = random_bytes(garbage_len)
self.send_net_magic = False
return b"\xfc\xc1\xb7\xdc"
else:
self.can_data_be_received = True
return self.ellswift_ours[4:] + self.sent_garbage
class PeerEarlyKey(P2PInterface):
"""Custom implementation of P2PInterface which uses modified v2 P2P protocol functions for testing purposes."""
def __init__(self):
super().__init__()
self.v2_state = None
self.connection_opened = False
def connection_made(self, transport):
"""64 bytes ellswift is sent in 2 parts during `initial_v2_handshake()`"""
self.v2_state = TestEncryptedP2PState()
super().connection_made(transport)
def data_received(self, t):
# check that data can be received on recvbuf only when mismatch from V1_PREFIX happens (send_net_magic = False)
assert self.v2_state.can_data_be_received and not self.v2_state.send_net_magic
def on_open(self):
self.connection_opened = True
class P2PEarlyKey(BitcoinTestFramework):
def set_test_params(self):
self.num_nodes = 1
self.disable_mocktime = True
self.extra_args = [["-v2transport=1", "-peertimeout=3"]]
def run_test(self):
self.log.info('Sending ellswift bytes in parts to ensure that response from responder is received only when')
self.log.info('ellswift bytes have a mismatch from the 16 bytes(network magic followed by "version\\x00\\x00\\x00\\x00\\x00")')
node0 = self.nodes[0]
self.log.info('Sending first 4 bytes of ellswift which match network magic')
self.log.info('If a response is received, assertion failure would happen in our custom data_received() function')
# send happens in `initiate_v2_handshake()` in `connection_made()`
peer1 = node0.add_p2p_connection(PeerEarlyKey(), wait_for_verack=False, send_version=False, supports_v2_p2p=True, wait_for_v2_handshake=False)
self.wait_until(lambda: peer1.connection_opened)
self.log.info('Sending remaining ellswift and garbage which are different from V1_PREFIX. Since a response is')
self.log.info('expected now, our custom data_received() function wouldn\'t result in assertion failure')
ellswift_and_garbage_data = peer1.v2_state.initiate_v2_handshake()
peer1.send_raw_message(ellswift_and_garbage_data)
peer1.wait_for_disconnect(timeout=5)
self.log.info('successful disconnection when MITM happens in the key exchange phase')
if __name__ == '__main__':
P2PEarlyKey().main()

View File

@ -0,0 +1,178 @@
#!/usr/bin/env python3
# Copyright (c) 2022 The Bitcoin Core developers
# Distributed under the MIT software license, see the accompanying
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
import random
from enum import Enum
from test_framework.messages import MAGIC_BYTES
from test_framework.util import random_bytes
from test_framework.p2p import P2PInterface
from test_framework.test_framework import BitcoinTestFramework
from test_framework.util import random_bitflip
from test_framework.v2_p2p import (
EncryptedP2PState,
MAX_GARBAGE_LEN,
)
class TestType(Enum):
""" Scenarios to be tested:
1. EARLY_KEY_RESPONSE - The responder needs to wait until one byte is received which does not match the 16 bytes
consisting of network magic followed by "version\x00\x00\x00\x00\x00" before sending out its ellswift + garbage bytes
2. EXCESS_GARBAGE - Disconnection happens when > MAX_GARBAGE_LEN bytes garbage is sent
3. WRONG_GARBAGE_TERMINATOR - Disconnection happens when incorrect garbage terminator is sent
4. WRONG_GARBAGE - Disconnection happens when garbage bytes that is sent is different from what the peer receives
5. SEND_NO_AAD - Disconnection happens when AAD of first encrypted packet after the garbage terminator is not filled
6. SEND_NON_EMPTY_VERSION_PACKET - non-empty version packet is simply ignored
"""
EARLY_KEY_RESPONSE = 0
EXCESS_GARBAGE = 1
WRONG_GARBAGE_TERMINATOR = 2
WRONG_GARBAGE = 3
SEND_NO_AAD = 4
SEND_NON_EMPTY_VERSION_PACKET = 5
class EarlyKeyResponseState(EncryptedP2PState):
""" Modify v2 P2P protocol functions for testing EARLY_KEY_RESPONSE scenario"""
def __init__(self, initiating, net):
super().__init__(initiating=initiating, net=net)
self.can_data_be_received = False # variable used to assert if data is received on recvbuf.
def initiate_v2_handshake(self):
"""Send ellswift and garbage bytes in 2 parts when TestType = (EARLY_KEY_RESPONSE)"""
self.generate_keypair_and_garbage()
return b""
class ExcessGarbageState(EncryptedP2PState):
"""Generate > MAX_GARBAGE_LEN garbage bytes"""
def generate_keypair_and_garbage(self):
garbage_len = MAX_GARBAGE_LEN + random.randrange(1, MAX_GARBAGE_LEN + 1)
return super().generate_keypair_and_garbage(garbage_len)
class WrongGarbageTerminatorState(EncryptedP2PState):
"""Add option for sending wrong garbage terminator"""
def generate_keypair_and_garbage(self):
garbage_len = random.randrange(MAX_GARBAGE_LEN//2)
return super().generate_keypair_and_garbage(garbage_len)
def complete_handshake(self, response):
length, handshake_bytes = super().complete_handshake(response)
# first 16 bytes returned by complete_handshake() is the garbage terminator
wrong_garbage_terminator = random_bitflip(handshake_bytes[:16])
return length, wrong_garbage_terminator + handshake_bytes[16:]
class WrongGarbageState(EncryptedP2PState):
"""Generate tampered garbage bytes"""
def generate_keypair_and_garbage(self):
garbage_len = random.randrange(1, MAX_GARBAGE_LEN)
ellswift_garbage_bytes = super().generate_keypair_and_garbage(garbage_len)
# assume that garbage bytes sent to TestNode were tampered with
return ellswift_garbage_bytes[:64] + random_bitflip(ellswift_garbage_bytes[64:])
class NoAADState(EncryptedP2PState):
"""Add option for not filling first encrypted packet after garbage terminator with AAD"""
def generate_keypair_and_garbage(self):
garbage_len = random.randrange(1, MAX_GARBAGE_LEN)
return super().generate_keypair_and_garbage(garbage_len)
def complete_handshake(self, response):
self.sent_garbage = b'' # do not authenticate the garbage which is sent
return super().complete_handshake(response)
class NonEmptyVersionPacketState(EncryptedP2PState):
""""Add option for sending non-empty transport version packet."""
def complete_handshake(self, response):
self.transport_version = random_bytes(5)
return super().complete_handshake(response)
class MisbehavingV2Peer(P2PInterface):
"""Custom implementation of P2PInterface which uses modified v2 P2P protocol functions for testing purposes."""
def __init__(self, test_type):
super().__init__()
self.test_type = test_type
def connection_made(self, transport):
if self.test_type == TestType.EARLY_KEY_RESPONSE:
self.v2_state = EarlyKeyResponseState(initiating=True, net='regtest')
elif self.test_type == TestType.EXCESS_GARBAGE:
self.v2_state = ExcessGarbageState(initiating=True, net='regtest')
elif self.test_type == TestType.WRONG_GARBAGE_TERMINATOR:
self.v2_state = WrongGarbageTerminatorState(initiating=True, net='regtest')
elif self.test_type == TestType.WRONG_GARBAGE:
self.v2_state = WrongGarbageState(initiating=True, net='regtest')
elif self.test_type == TestType.SEND_NO_AAD:
self.v2_state = NoAADState(initiating=True, net='regtest')
elif TestType.SEND_NON_EMPTY_VERSION_PACKET:
self.v2_state = NonEmptyVersionPacketState(initiating=True, net='regtest')
super().connection_made(transport)
def data_received(self, t):
if self.test_type == TestType.EARLY_KEY_RESPONSE:
# check that data can be received on recvbuf only when mismatch from V1_PREFIX happens
assert self.v2_state.can_data_be_received
else:
super().data_received(t)
class EncryptedP2PMisbehaving(BitcoinTestFramework):
def set_test_params(self):
self.num_nodes = 1
self.disable_mocktime = True
self.extra_args = [["-v2transport=1", "-peertimeout=3"]]
def run_test(self):
self.test_earlykeyresponse()
self.test_v2disconnection()
def test_earlykeyresponse(self):
self.log.info('Sending ellswift bytes in parts to ensure that response from responder is received only when')
self.log.info('ellswift bytes have a mismatch from the 16 bytes(network magic followed by "version\\x00\\x00\\x00\\x00\\x00")')
node0 = self.nodes[0]
self.log.info('Sending first 4 bytes of ellswift which match network magic')
self.log.info('If a response is received, assertion failure would happen in our custom data_received() function')
peer1 = node0.add_p2p_connection(MisbehavingV2Peer(TestType.EARLY_KEY_RESPONSE), wait_for_verack=False, send_version=False, supports_v2_p2p=True, wait_for_v2_handshake=False)
peer1.send_raw_message(MAGIC_BYTES['regtest'])
self.log.info('Sending remaining ellswift and garbage which are different from V1_PREFIX. Since a response is')
self.log.info('expected now, our custom data_received() function wouldn\'t result in assertion failure')
peer1.v2_state.can_data_be_received = True
peer1.send_raw_message(peer1.v2_state.ellswift_ours[4:] + peer1.v2_state.sent_garbage)
with node0.assert_debug_log(['V2 handshake timeout peer=0']):
peer1.wait_for_disconnect(timeout=5)
self.log.info('successful disconnection since modified ellswift was sent as response')
def test_v2disconnection(self):
# test v2 disconnection scenarios
node0 = self.nodes[0]
expected_debug_message = [
[], # EARLY_KEY_RESPONSE
["V2 transport error: missing garbage terminator, peer=1"], # EXCESS_GARBAGE
["V2 handshake timeout peer=2"], # WRONG_GARBAGE_TERMINATOR
["V2 transport error: packet decryption failure"], # WRONG_GARBAGE
["V2 transport error: packet decryption failure"], # SEND_NO_AAD
[], # SEND_NON_EMPTY_VERSION_PACKET
]
for test_type in TestType:
if test_type == TestType.EARLY_KEY_RESPONSE:
continue
elif test_type == TestType.SEND_NON_EMPTY_VERSION_PACKET:
node0.add_p2p_connection(MisbehavingV2Peer(test_type), wait_for_verack=True, send_version=True, supports_v2_p2p=True)
self.log.info(f"No disconnection for {test_type.name}")
else:
with node0.assert_debug_log(expected_debug_message[test_type.value], timeout=5):
peer = node0.add_p2p_connection(MisbehavingV2Peer(test_type), wait_for_verack=False, send_version=False, supports_v2_p2p=True, expect_success=False)
peer.wait_for_disconnect()
self.log.info(f"Expected disconnection for {test_type.name}")
if __name__ == '__main__':
EncryptedP2PMisbehaving().main()

View File

@ -14,6 +14,7 @@ import random
import unittest
from test_framework.crypto import secp256k1
from test_framework.util import random_bitflip
# Order of the secp256k1 curve
ORDER = secp256k1.GE.ORDER
@ -289,11 +290,6 @@ def sign_schnorr(key, msg, aux=None, flip_p=False, flip_r=False):
class TestFrameworkKey(unittest.TestCase):
def test_ecdsa_and_schnorr(self):
"""Test the Python ECDSA and Schnorr implementations."""
def random_bitflip(sig):
sig = list(sig)
sig[random.randrange(len(sig))] ^= (1 << (random.randrange(8)))
return bytes(sig)
byte_arrays = [generate_privkey() for _ in range(3)] + [v.to_bytes(32, 'big') for v in [0, ORDER - 1, ORDER, 2**256 - 1]]
keys = {}
for privkey_bytes in byte_arrays: # build array of key/pubkey pairs

View File

@ -249,6 +249,7 @@ class P2PConnection(asyncio.Protocol):
# send the initial handshake immediately
if self.supports_v2_p2p and self.v2_state.initiating and not self.v2_state.tried_v2_handshake:
send_handshake_bytes = self.v2_state.initiate_v2_handshake()
logger.debug(f"sending {len(self.v2_state.sent_garbage)} bytes of garbage data")
self.send_raw_message(send_handshake_bytes)
# if v2 connection, send `on_connection_send_msg` after initial v2 handshake.
# if reconnection situation, send `on_connection_send_msg` after version message is received in `on_version()`.
@ -289,6 +290,7 @@ class P2PConnection(asyncio.Protocol):
self.v2_state = None
return
elif send_handshake_bytes:
logger.debug(f"sending {len(self.v2_state.sent_garbage)} bytes of garbage data")
self.send_raw_message(send_handshake_bytes)
elif send_handshake_bytes == b"":
return # only after send_handshake_bytes are sent can `complete_handshake()` be done

View File

@ -632,7 +632,7 @@ class TestNode():
assert_msg += "with expected error " + expected_msg
self._raise_assertion_error(assert_msg)
def add_p2p_connection(self, p2p_conn, *, wait_for_verack=True, send_version=True, supports_v2_p2p=None, wait_for_v2_handshake=True, **kwargs):
def add_p2p_connection(self, p2p_conn, *, wait_for_verack=True, send_version=True, supports_v2_p2p=None, wait_for_v2_handshake=True, expect_success=True, **kwargs):
"""Add an inbound p2p connection to the node.
This method adds the p2p connection to the self.p2ps list and also
@ -652,7 +652,6 @@ class TestNode():
if supports_v2_p2p is None:
supports_v2_p2p = self.use_v2transport
p2p_conn.p2p_connected_to_node = True
if self.use_v2transport:
kwargs['services'] = kwargs.get('services', P2P_SERVICES) | NODE_P2P_V2
@ -660,6 +659,8 @@ class TestNode():
p2p_conn.peer_connect(**kwargs, send_version=send_version, net=self.chain, timeout_factor=self.timeout_factor, supports_v2_p2p=supports_v2_p2p)()
self.p2ps.append(p2p_conn)
if not expect_success:
return p2p_conn
p2p_conn.wait_until(lambda: p2p_conn.is_connected, check_connected=False)
if supports_v2_p2p and wait_for_v2_handshake:
p2p_conn.wait_until(lambda: p2p_conn.v2_state.tried_v2_handshake)

View File

@ -219,6 +219,12 @@ def str_to_b64str(string):
return b64encode(string.encode('utf-8')).decode('ascii')
def random_bitflip(data):
data = list(data)
data[random.randrange(len(data))] ^= (1 << (random.randrange(8)))
return bytes(data)
def satoshi_round(amount):
return Decimal(amount).quantize(Decimal('0.00000001'), rounding=ROUND_DOWN)

View File

@ -4,7 +4,6 @@
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
"""Class for v2 P2P protocol (see BIP 324)"""
import logging
import random
from .crypto.bip324_cipher import FSChaCha20Poly1305
@ -15,14 +14,12 @@ from .key import TaggedHash
from .messages import MAGIC_BYTES
from .util import random_bytes
logger = logging.getLogger("TestFramework.v2_p2p")
CHACHA20POLY1305_EXPANSION = 16
HEADER_LEN = 1
IGNORE_BIT_POS = 7
LENGTH_FIELD_LEN = 3
MAX_GARBAGE_LEN = 4095
TRANSPORT_VERSION = b''
SHORTID = {
1: b"addr",
@ -136,6 +133,7 @@ class EncryptedP2PState:
# has been decrypted. set to -1 if decryption hasn't been done yet.
self.contents_len = -1
self.found_garbage_terminator = False
self.transport_version = b''
@staticmethod
def v2_ecdh(priv, ellswift_theirs, ellswift_ours, initiating):
@ -152,12 +150,12 @@ class EncryptedP2PState:
# Responding, place their public key encoding first.
return TaggedHash("bip324_ellswift_xonly_ecdh", ellswift_theirs + ellswift_ours + ecdh_point_x32)
def generate_keypair_and_garbage(self):
def generate_keypair_and_garbage(self, garbage_len=None):
"""Generates ellswift keypair and 4095 bytes garbage at max"""
self.privkey_ours, self.ellswift_ours = ellswift_create()
if garbage_len is None:
garbage_len = random.randrange(MAX_GARBAGE_LEN + 1)
self.sent_garbage = random_bytes(garbage_len)
logger.debug(f"sending {garbage_len} bytes of garbage data")
return self.ellswift_ours + self.sent_garbage
def initiate_v2_handshake(self):
@ -213,7 +211,7 @@ class EncryptedP2PState:
msg_to_send += self.v2_enc_packet(decoy_content_len * b'\x00', aad=aad, ignore=True)
aad = b''
# Send version packet.
msg_to_send += self.v2_enc_packet(TRANSPORT_VERSION, aad=aad)
msg_to_send += self.v2_enc_packet(self.transport_version, aad=aad)
return 64 - len(self.received_prefix), msg_to_send
def authenticate_handshake(self, response):

View File

@ -245,7 +245,7 @@ BASE_SCRIPTS = [
'p2p_invalid_tx.py --v2transport',
'p2p_v2_transport.py',
'p2p_v2_encrypted.py',
'p2p_v2_earlykeyresponse.py',
'p2p_v2_misbehaving.py',
'feature_assumevalid.py',
'example_test.py',
'wallet_txn_doublespend.py --legacy-wallet',