Commit Graph

42 Commits

Author SHA1 Message Date
Olaoluwa Osuntokun
8c6dbc9ffa
brontide: when decrypting re-use the allocated ciphertext buf
In this commit, we implement a simple optimization that dramatically
reduces the number of allocations we need to make when we decrypt a new
message. Before this commit, we would pass in a `nil` value to the
`Decrypt` method which meant that it would always allocate a new
buffers.

Rather than force this behavior, in this commit, we pass in the
ciphertext buffer (with a length of zero), such that the decryption
operation will simply copy the plaintext bytes over the cipher text in
place. This works as the cipher text is always larger than the
plaintext, since the plaintext doesn't have a MAC attached.

The amount the perf increase, amount of allocations, and amount of bytes
allocated are pretty nice:
```
benchmark                        old ns/op     new ns/op     delta
BenchmarkReadHeaderAndBody-8     88652         75896         -14.39%

benchmark                        old allocs     new allocs     delta
BenchmarkReadHeaderAndBody-8     6              4              -33.33%

benchmark                        old bytes     new bytes     delta
BenchmarkReadHeaderAndBody-8     65664         128           -99.81%
```

Here old is without this change, and new with it.
2021-08-27 16:57:12 -07:00
yyforyongyu
e06768e4eb
brontide: fix typo 2020-12-04 23:07:53 +08:00
Oliver Gugger
535a22c590
server+brontide: use ECDH interface for brontide handshake 2020-05-20 09:06:56 +02:00
Andras Banki-Horvath
556e3525ea misc: fix error formatting in multiple files 2020-04-24 19:15:08 +02:00
yyforyongyu
4be1a4d0ec multi: fix typos 2020-03-27 16:59:18 +08:00
nsa
7c316b9194
brontide: add SetCurveToNil function 2020-01-30 16:45:59 -05:00
Conner Fromknecht
e3728da478
brontide/noise_test: add TestFlush 2019-04-22 16:04:24 -07:00
Conner Fromknecht
73cf352daa
brontide/conn: migrate to WriteMessage + Flush
This commit modifies WriteMessage to only perform encryption on the
passed plaintext, and buffer the ciphertext within the connection
object. We then modify internal uses of WriteMessage to follow with a
call to Flush, which actually writes the message to the wire.
Additionally, since WriteMessage does not actually perform the write
itself, the io.Writer argument is removed from the function signature
and all call sites.
2019-04-22 16:03:56 -07:00
Conner Fromknecht
ed8fe4bc82
brontide/noise: add Flush method
This commit adds a Flush method to the brontide.Machine, which can write
out a buffered message to an io.Writer. This is a preliminary change
which will allow the encryption of the plaintext to be done in a
distinct method from actually writing the bytes to the wire.
2019-04-22 16:03:39 -07:00
Conner Fromknecht
93ce4a7575
brontide/noise: compose ReadMessage from ReadHeader+ReadBody 2019-02-21 20:11:05 -08:00
Conner Fromknecht
2900d8aff8
brontide/noise: take read buffers from pool, return w/ finalizer 2019-02-15 19:33:23 -08:00
Conner Fromknecht
04febab85c
brontide/noise: use static default ephemeral keygen closure 2019-02-15 18:13:43 -08:00
Conner Fromknecht
785740493e
brontide/noise: use statically allocated prologue 2019-02-15 18:13:34 -08:00
Olaoluwa Osuntokun
6f60f139f4 multi: switch over import paths from roasbeef/* to btcsuite/* 2018-07-13 17:05:39 -07:00
practicalswift
663c396235 multi: fix a-vs-an typos 2018-04-17 19:02:04 -07:00
Olaoluwa Osuntokun
406fdbbf64
brontide: increase timeout to 5s 2018-04-05 15:54:47 -07:00
Olaoluwa Osuntokun
d82f67cc1d
brontide: decrease handshake timeout to 1s 2018-04-02 15:56:47 -07:00
Olaoluwa Osuntokun
0c16ab6b32
brontide: reduce memory allocs by using static buf for next header+msg
In this commit, we reduce the total number of allocations that a
brontide session will incur over its lifetime. Profiling on one of my
nodes showed that we were generating a lot of garbage due to
re-creating a 65KB buffer to read the next message each time the
ReadMessage method was called.

To reduce the total number of memory allocations, we’ll now simply
re-use a buffer for both the cipher text header, and the cipher text
itself.
2018-02-24 19:30:45 -08:00
Adam Gibson
cd7f40422f
Fix trivial comment errors in noise.go 2018-01-11 16:49:38 +02:00
Matt Drollette
adf0d98194 multi: fix several typos in godoc comments 2017-12-17 18:40:05 -08:00
Olaoluwa Osuntokun
e375a308b9
brontide: add EphemeralGenerator as a functional arg to NewBrontideMachine
This commit modifies the NewBrontideMachine constructor to allow a
caller to specify exactly _how_ new ephemeral private keys for the
crypto handshake are generated. This allows callers a bit more
flexibility when using brontide, and also allow test cases to insert
specific public keys for use within the hand shake.
2017-08-01 17:16:36 -07:00
Olaoluwa Osuntokun
e87cc29b36
brontide: add additional detail to handshake version error message
This commit adds some additional detail to the error message
encountered when the first byte of an act is an invalid handshake
version byte. This commit is meant to aide in tracking down a
re-occurring bug that has been encountered by early testers of the
software.
2017-07-30 17:48:29 -07:00
Olaoluwa Osuntokun
f7800709ba
lnwire: use %v instead of %x when printing length of oversized msg 2017-07-30 17:47:51 -07:00
Olaoluwa Osuntokun
38d3c72dc8
brontide: add new ReadMessage method to brontide.Conn
This commit adds a new message to the brontide.Conn struct which allows
callers to read an _entire_ message from the stream. As defined now,
brontide is a message crypto messaging protocol. Previously the only
method that allowed callers to read attempted to hide this feature with
a stream-like abstraction. However, having this as the sole interface
is at odds with the message oriented Lightning wire protocol, and isn’t
sufficient to allow parsing messages that have been padded as is
allowed by the protocol.

This new ReadNextMessage is intended to be used by higher level systems
which implement the Lightning p2p protocol.
2017-04-20 15:35:35 -07:00
Olaoluwa Osuntokun
6f2d3b3cc5
brontide: allocate max message buffer on the stack 2017-04-19 16:10:17 -07:00
Olaoluwa Osuntokun
9234956a34
brontide: replace aead/chacha20 with x/crypto/chacha20poly1305
This commit replaces aead’s chacha20 library with the official golang
implementation. We should see a bit of a performance increase on amd64
as the assembly for the library uses the SIMD AVX2 instructions in the
inner loop. In the future assembly will be written for other platforms,
so we’ll see a performance increase across the board.

Fixes #146.
2017-03-15 19:03:24 -07:00
Olaoluwa Osuntokun
f217093c00
multi: replace usage of fastsha256 with crypto/sha256
This commit removes all instances of the fastsha256 library and
replaces it with the sha256 library in the standard library. This
change should see a number of performance improvements as the standard
library has highly optimized assembly instructions with use vectorized
instructions as the platform supports.
2017-03-15 18:56:41 -07:00
Andrey Samokhvalov
ee2379775c lnd: fix golint warning which requires to add additional comments 2017-03-13 16:30:23 -07:00
Andrey Samokhvalov
fd97a4bd19 lnd: partially fix golint warnings 2017-03-13 16:30:23 -07:00
Andrey Samokhvalov
8fb54782e2 lnd: fix gosimple warnings 2017-03-13 16:30:23 -07:00
Olaoluwa Osuntokun
fdaeab7c9b
brontide: refer directly to the curve object in btcec's global namespace
This commit modifies the `ecdh` function within the `brontide` package
to refer directly to the global curve params object in the `bcec`
package rather than reference it from the target public key. This
changes fixes a class of panics that have been uncovered recently but
*doesn’t* yet fix the root cause.
2017-02-28 17:44:32 -06:00
Olaoluwa Osuntokun
bc885f5f27
brontide: modify key rotation to match test vectors in spec
This commit modifies our key rotation slightly to match the test
vectors within the BOLT08 specifications. Before this commit, we were
rotating one message before the rest of the implementers. This
implementation divergence was possibly due to the section of the spec
describing the rotations being a bit ambiguous.

A future PR to the lightning-rfc repo will make the spec more explicit
to avoid situations like this in the future.
2017-01-09 19:12:48 -08:00
Olaoluwa Osuntokun
d046efb502
brontide: exclude MAC length from cipher text packet length prefix
Pervasively we would include the length of the MAC in the length prefix
for cipher text packets. As a result, the MAC would eat into the total
payload size. To remedy this, we now exclude the MAC from the length
prefix for cipher text packets, and instead account for the length of
the MAC on the packet when reading messages.
2017-01-07 21:21:52 -08:00
Olaoluwa Osuntokun
ad180b4fba
brontide: fix bug in final sender/receiver key derivation
This commit fixes a bug in our key derivation for the final step of the
key exchange. In our code we were swapping the order of the salt and
input keyeing material to the HKDF function. This was triggered by the
argument order of the golang implementation we’re currently using has
the “secret” of IKM argument first, instead of second as defined within
rfc5869.

To fix this, we simply need to swap function arguments in two places:
within the split() function and during key rotation.

This bug was discovered by Rusty Russell, thanks!
2016-12-13 11:32:02 -08:00
Olaoluwa Osuntokun
61ddd48255
brontide: set the prologue value as specified within BOLT0008 2016-12-12 15:56:50 -08:00
Olaoluwa Osuntokun
b1d28426d5
brontide: properly pack nonce as 96-bit little endian value 2016-12-12 15:56:46 -08:00
Olaoluwa Osuntokun
fdb111e867
brontide: switch to using libsecp256k1's public ECDH API
This commit modifies the opening brontide handshake to use
libsecp256k1's public ECDH API throughout the handshake rather than the
current method which just returns the x-coordinate of the generated
point.

This change was made in order to align the current spec draft with the
aforementioned library since it’s very popular within the pace and
strives to only expose safe API’s to end users.
2016-12-12 15:56:42 -08:00
Olaoluwa Osuntokun
60f66fe2d7
brontide: implement handshake versioning enforcement per the spec 2016-11-30 19:11:58 -08:00
Olaoluwa Osuntokun
75ea05aef6
brontide: the encrypted packet length is no longer the associated data
This commit modifies the current implementation to more closely match
what’s currently specified within the spec.

The encrypted+MAC’d packet length is no longer included as the
associated data for the encryption/decryption of transport messages.
This isn’t required as if an active attacker swaps out the encrypted
length in the byte string, the decryption+MAC check will simply fail as
the nonce won’t be in proper sequence.
2016-11-14 15:10:54 -08:00
Olaoluwa Osuntokun
ae84b6197b
brontide: implement cipher stream key rotation
This commit implements key rotation for brontide as-per the current
draft of the LN p2p crypto spec. Key rotation is currently performed
every 1000 messages encrypted/decrypted with a cipherState object. Key
rotation is performed by evaluating the HKDF (extracting exactly 64
bytes) with the current chaining key, and cipher key. The key rotation
is to attempted after each nonce increment making implementation easy
as the current nonce value will already be within the local scope.
2016-11-10 17:29:13 -08:00
Olaoluwa Osuntokun
49f9f496fb
brontide: modify the max payload length to be 65535 bytes total
This commit modifies the current implementation of the p2p crypto
protocol to further constrain the max allowed payload size. With this
change we now use 16-bits (2-bytes) for the maximum payload length.
This change puts us closer to strict adherence of the Noise spec, and
simplifies the memory management w.r.t implementing the current version
of our scheme.

Note that this doesn’t restrict the size of messages that are able to
be sent over the wire within the LN p2p protocol. Larger message can
safely be encapsulated within the crypt messages via fragmentation that
will detected take place if a larger message is detected.
2016-11-07 18:50:26 -08:00
Olaoluwa Osuntokun
ab97d9693f
brontide: an authenticated key agreement protocol in three acts
This commit introduces Brontide: an authenticated key agreement
protocol in three acts. Brontide is the successor to lndc within lnd,
and ultimately within the greater Lighting Network. Brontide uses the
Noise_XK handshake for initial key agreement, then implements an AEAD
scheme which encrypts+authenticates both packets, and the lengths of
the packets on the wire. The initial authentication handshake preserves
the responder’s identity by never transmitting it to the initiator and
performing mutual authentication via an incremental Triple-DH based on
ECDH of secp256k1 and an HKDF which uses SHA-256.

Bronzed isn’t yet integrated within the wider daemon yet. Full
integration will land in a future pull request.
2016-10-17 19:41:29 -07:00