Merge bitcoin#29431: test/BIP324: disconnection scenarios during v2 h…

…andshake

c9dacd9 test: Check that non empty version packet is ignored and no disconnection happens (stratospher)
997cc00 test: Check that disconnection happens when AAD isn't filled (stratospher)
b5e6238 test: Check that disconnection happens when garbage sent/received are different (stratospher)
ad1482d test: Check that disconnection happens when wrong garbage terminator is sent (stratospher)
e351576 test: Check that disconnection happens when >4095 garbage bytes is sent (stratospher)
e075fd1 test: Introduce test types and modify v2 handshake function accordingly (stratospher)
7d07daa log: Add V2 handshake timeout (stratospher)
d4a1da8 test: Make global TRANSPORT_VERSION variable an instance variable (stratospher)
c642b08 test: Log when the garbage is actually sent to transport layer (stratospher)
86cca2c test: Support disconnect waiting for add_p2p_connection (stratospher)
bf9669a test: Rename early key response test and move random_bitflip to util (stratospher)

Pull request description:

  Add tests for the following v2 handshake scenarios:
  1. Disconnection happens when > `MAX_GARBAGE_LEN` bytes garbage is sent
  2. Disconnection happens when incorrect garbage terminator is sent
  3. Disconnection happens when garbage bytes are tampered with
  4. Disconnection happens when AAD of first encrypted packet after the garbage terminator is not filled
  5. bitcoind ignores non-empty version packet and no disconnection happens

  All these tests require a modified v2 P2P class (different from `EncryptedP2PState` used in `v2_p2p.py`) to implement our custom handshake behaviour based on different scenarios and have been kept in a single test file (`test/functional/p2p_v2_misbehaving.py`). Shifted the test in `test/functional/p2p_v2_earlykeyresponse.py` which is of the same pattern to this file too.

ACKs for top commit:
  achow101:
    ACK c9dacd9
  mzumsande:
    ACK c9dacd9
  theStack:
    Code-review ACK c9dacd9

Tree-SHA512: 90df81f0c7f4ecf0a47762d290a618ded92cde9f83d3ef3cc70e1b005ecb16125ec39a9d80ce95f99e695d29abd63443240cb5490aa57c5bc8fa2e52149a0672

src/net.cpp

@@ -1983,7 +1983,11 @@ bool CConnman::InactivityCheck(const CNode& node) const
     }
 
     if (!node.fSuccessfullyConnected) {
-        LogPrint(BCLog::NET, "version handshake timeout peer=%d\n", node.GetId());
+        if (node.m_transport->GetInfo().transport_type == TransportProtocolType::DETECTING) {
+            LogPrint(BCLog::NET, "V2 handshake timeout peer=%d\n", node.GetId());
+        } else {
+            LogPrint(BCLog::NET, "version handshake timeout peer=%d\n", node.GetId());
+        }
         return true;
     }
 

test/functional/p2p_v2_misbehaving.py

@@ -0,0 +1,176 @@
+#!/usr/bin/env python3
+# Copyright (c) 2022 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+import random
+from enum import Enum
+
+from test_framework.messages import MAGIC_BYTES
+from test_framework.p2p import P2PInterface
+from test_framework.test_framework import BitcoinTestFramework
+from test_framework.util import random_bitflip
+from test_framework.v2_p2p import (
+    EncryptedP2PState,
+    MAX_GARBAGE_LEN,
+)
+
+
+class TestType(Enum):
+    """ Scenarios to be tested:
+
+    1. EARLY_KEY_RESPONSE - The responder needs to wait until one byte is received which does not match the 16 bytes
+    consisting of network magic followed by "version\x00\x00\x00\x00\x00" before sending out its ellswift + garbage bytes
+    2. EXCESS_GARBAGE - Disconnection happens when > MAX_GARBAGE_LEN bytes garbage is sent
+    3. WRONG_GARBAGE_TERMINATOR - Disconnection happens when incorrect garbage terminator is sent
+    4. WRONG_GARBAGE - Disconnection happens when garbage bytes that is sent is different from what the peer receives
+    5. SEND_NO_AAD - Disconnection happens when AAD of first encrypted packet after the garbage terminator is not filled
+    6. SEND_NON_EMPTY_VERSION_PACKET - non-empty version packet is simply ignored
+    """
+    EARLY_KEY_RESPONSE = 0
+    EXCESS_GARBAGE = 1
+    WRONG_GARBAGE_TERMINATOR = 2
+    WRONG_GARBAGE = 3
+    SEND_NO_AAD = 4
+    SEND_NON_EMPTY_VERSION_PACKET = 5
+
+
+class EarlyKeyResponseState(EncryptedP2PState):
+    """ Modify v2 P2P protocol functions for testing EARLY_KEY_RESPONSE scenario"""
+    def __init__(self, initiating, net):
+        super().__init__(initiating=initiating, net=net)
+        self.can_data_be_received = False  # variable used to assert if data is received on recvbuf.
+
+    def initiate_v2_handshake(self):
+        """Send ellswift and garbage bytes in 2 parts when TestType = (EARLY_KEY_RESPONSE)"""
+        self.generate_keypair_and_garbage()
+        return b""
+
+
+class ExcessGarbageState(EncryptedP2PState):
+    """Generate > MAX_GARBAGE_LEN garbage bytes"""
+    def generate_keypair_and_garbage(self):
+        garbage_len = MAX_GARBAGE_LEN + random.randrange(1, MAX_GARBAGE_LEN + 1)
+        return super().generate_keypair_and_garbage(garbage_len)
+
+
+class WrongGarbageTerminatorState(EncryptedP2PState):
+    """Add option for sending wrong garbage terminator"""
+    def generate_keypair_and_garbage(self):
+        garbage_len = random.randrange(MAX_GARBAGE_LEN//2)
+        return super().generate_keypair_and_garbage(garbage_len)
+
+    def complete_handshake(self, response):
+        length, handshake_bytes = super().complete_handshake(response)
+        # first 16 bytes returned by complete_handshake() is the garbage terminator
+        wrong_garbage_terminator = random_bitflip(handshake_bytes[:16])
+        return length, wrong_garbage_terminator + handshake_bytes[16:]
+
+
+class WrongGarbageState(EncryptedP2PState):
+    """Generate tampered garbage bytes"""
+    def generate_keypair_and_garbage(self):
+        garbage_len = random.randrange(1, MAX_GARBAGE_LEN)
+        ellswift_garbage_bytes = super().generate_keypair_and_garbage(garbage_len)
+        # assume that garbage bytes sent to TestNode were tampered with
+        return ellswift_garbage_bytes[:64] + random_bitflip(ellswift_garbage_bytes[64:])
+
+
+class NoAADState(EncryptedP2PState):
+    """Add option for not filling first encrypted packet after garbage terminator with AAD"""
+    def generate_keypair_and_garbage(self):
+        garbage_len = random.randrange(1, MAX_GARBAGE_LEN)
+        return super().generate_keypair_and_garbage(garbage_len)
+
+    def complete_handshake(self, response):
+        self.sent_garbage = b''  # do not authenticate the garbage which is sent
+        return super().complete_handshake(response)
+
+
+class NonEmptyVersionPacketState(EncryptedP2PState):
+    """"Add option for sending non-empty transport version packet."""
+    def complete_handshake(self, response):
+        self.transport_version = random.randbytes(5)
+        return super().complete_handshake(response)
+
+
+class MisbehavingV2Peer(P2PInterface):
+    """Custom implementation of P2PInterface which uses modified v2 P2P protocol functions for testing purposes."""
+    def __init__(self, test_type):
+        super().__init__()
+        self.test_type = test_type
+
+    def connection_made(self, transport):
+        if self.test_type == TestType.EARLY_KEY_RESPONSE:
+            self.v2_state = EarlyKeyResponseState(initiating=True, net='regtest')
+        elif self.test_type == TestType.EXCESS_GARBAGE:
+            self.v2_state = ExcessGarbageState(initiating=True, net='regtest')
+        elif self.test_type == TestType.WRONG_GARBAGE_TERMINATOR:
+            self.v2_state = WrongGarbageTerminatorState(initiating=True, net='regtest')
+        elif self.test_type == TestType.WRONG_GARBAGE:
+            self.v2_state = WrongGarbageState(initiating=True, net='regtest')
+        elif self.test_type == TestType.SEND_NO_AAD:
+            self.v2_state = NoAADState(initiating=True, net='regtest')
+        elif TestType.SEND_NON_EMPTY_VERSION_PACKET:
+            self.v2_state = NonEmptyVersionPacketState(initiating=True, net='regtest')
+        super().connection_made(transport)
+
+    def data_received(self, t):
+        if self.test_type == TestType.EARLY_KEY_RESPONSE:
+            # check that data can be received on recvbuf only when mismatch from V1_PREFIX happens
+            assert self.v2_state.can_data_be_received
+        else:
+            super().data_received(t)
+
+
+class EncryptedP2PMisbehaving(BitcoinTestFramework):
+    def set_test_params(self):
+        self.num_nodes = 1
+        self.extra_args = [["-v2transport=1", "-peertimeout=3"]]
+
+    def run_test(self):
+        self.test_earlykeyresponse()
+        self.test_v2disconnection()
+
+    def test_earlykeyresponse(self):
+        self.log.info('Sending ellswift bytes in parts to ensure that response from responder is received only when')
+        self.log.info('ellswift bytes have a mismatch from the 16 bytes(network magic followed by "version\\x00\\x00\\x00\\x00\\x00")')
+        node0 = self.nodes[0]
+        self.log.info('Sending first 4 bytes of ellswift which match network magic')
+        self.log.info('If a response is received, assertion failure would happen in our custom data_received() function')
+        peer1 = node0.add_p2p_connection(MisbehavingV2Peer(TestType.EARLY_KEY_RESPONSE), wait_for_verack=False, send_version=False, supports_v2_p2p=True, wait_for_v2_handshake=False)
+        peer1.send_raw_message(MAGIC_BYTES['regtest'])
+        self.log.info('Sending remaining ellswift and garbage which are different from V1_PREFIX. Since a response is')
+        self.log.info('expected now, our custom data_received() function wouldn\'t result in assertion failure')
+        peer1.v2_state.can_data_be_received = True
+        peer1.send_raw_message(peer1.v2_state.ellswift_ours[4:] + peer1.v2_state.sent_garbage)
+        with node0.assert_debug_log(['V2 handshake timeout peer=0']):
+            peer1.wait_for_disconnect(timeout=5)
+        self.log.info('successful disconnection since modified ellswift was sent as response')
+
+    def test_v2disconnection(self):
+        # test v2 disconnection scenarios
+        node0 = self.nodes[0]
+        expected_debug_message = [
+            [],  # EARLY_KEY_RESPONSE
+            ["V2 transport error: missing garbage terminator, peer=1"],  # EXCESS_GARBAGE
+            ["V2 handshake timeout peer=2"],  # WRONG_GARBAGE_TERMINATOR
+            ["V2 transport error: packet decryption failure"],  # WRONG_GARBAGE
+            ["V2 transport error: packet decryption failure"],  # SEND_NO_AAD
+            [],  # SEND_NON_EMPTY_VERSION_PACKET
+        ]
+        for test_type in TestType:
+            if test_type == TestType.EARLY_KEY_RESPONSE:
+                continue
+            elif test_type == TestType.SEND_NON_EMPTY_VERSION_PACKET:
+                node0.add_p2p_connection(MisbehavingV2Peer(test_type), wait_for_verack=True, send_version=True, supports_v2_p2p=True)
+                self.log.info(f"No disconnection for {test_type.name}")
+            else:
+                with node0.assert_debug_log(expected_debug_message[test_type.value], timeout=5):
+                    peer = node0.add_p2p_connection(MisbehavingV2Peer(test_type), wait_for_verack=False, send_version=False, supports_v2_p2p=True, expect_success=False)
+                    peer.wait_for_disconnect()
+                self.log.info(f"Expected disconnection for {test_type.name}")
+
+
+if __name__ == '__main__':
+    EncryptedP2PMisbehaving().main()

test/functional/test_framework/key.py

@@ -14,6 +14,7 @@
 import unittest
 
 from test_framework.crypto import secp256k1
+from test_framework.util import random_bitflip
 
 # Point with no known discrete log.
 H_POINT = "50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0"
@@ -292,11 +293,6 @@ def sign_schnorr(key, msg, aux=None, flip_p=False, flip_r=False):
 class TestFrameworkKey(unittest.TestCase):
     def test_ecdsa_and_schnorr(self):
         """Test the Python ECDSA and Schnorr implementations."""
-        def random_bitflip(sig):
-            sig = list(sig)
-            sig[random.randrange(len(sig))] ^= (1 << (random.randrange(8)))
-            return bytes(sig)
-
         byte_arrays = [generate_privkey() for _ in range(3)] + [v.to_bytes(32, 'big') for v in [0, ORDER - 1, ORDER, 2**256 - 1]]
         keys = {}
         for privkey_bytes in byte_arrays:  # build array of key/pubkey pairs

test/functional/test_framework/p2p.py

@@ -223,6 +223,7 @@ def connection_made(self, transport):
         # send the initial handshake immediately
         if self.supports_v2_p2p and self.v2_state.initiating and not self.v2_state.tried_v2_handshake:
             send_handshake_bytes = self.v2_state.initiate_v2_handshake()
+            logger.debug(f"sending {len(self.v2_state.sent_garbage)} bytes of garbage data")
             self.send_raw_message(send_handshake_bytes)
         # for v1 outbound connections, send version message immediately after opening
         # (for v2 outbound connections, send it after the initial v2 handshake)
@@ -262,6 +263,7 @@ def _on_data_v2_handshake(self):
                     self.v2_state = None
                     return
                 elif send_handshake_bytes:
+                    logger.debug(f"sending {len(self.v2_state.sent_garbage)} bytes of garbage data")
                     self.send_raw_message(send_handshake_bytes)
                 elif send_handshake_bytes == b"":
                     return  # only after send_handshake_bytes are sent can `complete_handshake()` be done

test/functional/test_framework/test_node.py

@@ -666,7 +666,7 @@ def assert_start_raises_init_error(self, extra_args=None, expected_msg=None, mat
                     assert_msg += "with expected error " + expected_msg
                 self._raise_assertion_error(assert_msg)
 
-    def add_p2p_connection(self, p2p_conn, *, wait_for_verack=True, send_version=True, supports_v2_p2p=None, wait_for_v2_handshake=True, **kwargs):
+    def add_p2p_connection(self, p2p_conn, *, wait_for_verack=True, send_version=True, supports_v2_p2p=None, wait_for_v2_handshake=True, expect_success=True, **kwargs):
         """Add an inbound p2p connection to the node.
 
         This method adds the p2p connection to the self.p2ps list and also
@@ -686,14 +686,15 @@ def add_p2p_connection(self, p2p_conn, *, wait_for_verack=True, send_version=Tru
         if supports_v2_p2p is None:
             supports_v2_p2p = self.use_v2transport
 
-
         p2p_conn.p2p_connected_to_node = True
         if self.use_v2transport:
             kwargs['services'] = kwargs.get('services', P2P_SERVICES) | NODE_P2P_V2
         supports_v2_p2p = self.use_v2transport and supports_v2_p2p
         p2p_conn.peer_connect(**kwargs, send_version=send_version, net=self.chain, timeout_factor=self.timeout_factor, supports_v2_p2p=supports_v2_p2p)()
 
         self.p2ps.append(p2p_conn)
+        if not expect_success:
+            return p2p_conn
         p2p_conn.wait_until(lambda: p2p_conn.is_connected, check_connected=False)
         if supports_v2_p2p and wait_for_v2_handshake:
             p2p_conn.wait_until(lambda: p2p_conn.v2_state.tried_v2_handshake)

test/functional/test_framework/util.py

@@ -14,6 +14,7 @@
 import os
 import pathlib
 import platform
+import random
 import re
 import time
 
@@ -247,6 +248,12 @@ def ceildiv(a, b):
     return -(-a // b)
 
 
+def random_bitflip(data):
+    data = list(data)
+    data[random.randrange(len(data))] ^= (1 << (random.randrange(8)))
+    return bytes(data)
+
+
 def get_fee(tx_size, feerate_btc_kvb):
     """Calculate the fee in BTC given a feerate is BTC/kvB. Reflects CFeeRate::GetFee"""
     feerate_sat_kvb = int(feerate_btc_kvb * Decimal(1e8)) # Fee in sat/kvb as an int to avoid float precision errors