p2p challenge and anti-spoof

Author: vans163

ex/lib/node/node_gen.ex

@@ -7,14 +7,16 @@ defmodule NodeGen do
 
   def init([ip_tuple, _port]) do
     ip = Tuple.to_list(ip_tuple) |> Enum.join(".")
-    NodePeers.seed(ip)
+    NodeANR.seed()
+    #NodePeers.seed(ip)
 
     state = %{
       ns: NodeState.init()
     }
 
     :erlang.send_after(1000, self(), :tick)
     :erlang.send_after(1000, self(), :tick_ping)
+    :erlang.send_after(1000, self(), :tick_anr)
     {:ok, state}
   end
 
@@ -36,6 +38,21 @@ defmodule NodeGen do
     end)
   end
 
+  def broadcast_check_anr(state) do
+    my_pk = Application.fetch_env!(:ama, :trainer_pk)
+    NodeANR.get_random_unverified(3)
+    |> Enum.filter(& elem(&1,0) != my_pk)
+    |> Enum.reduce(state, fn({pk, ip}, state)->
+      IO.inspect {:anr_check, ip}
+      challenge = :os.system_time(1)
+      :erlang.spawn(fn()->
+        msg = NodeProto.new_phone_who_dis(challenge)
+        send(get_socket_gen(), {:send_to_some, [ip], NodeProto.compress(msg)})
+      end)
+      put_in(state, [:ns, :challenges, pk], challenge)
+    end)
+  end
+
   def broadcast(:txpool, who, [txs_packed]) do
     :erlang.spawn(fn()->
       msg = NodeProto.txpool(txs_packed)
@@ -81,20 +98,28 @@ defmodule NodeGen do
   end
 
   def handle_info(msg, state) do
-    case msg do
+    state = case msg do
 
       :tick ->
         :erlang.send_after(1000, self(), :tick)
         tick()
+        state
 
       :tick_ping ->
         :erlang.send_after(500, self(), :tick_ping)
         broadcast_ping()
+        state
+
+      :tick_anr ->
+        :erlang.send_after(1000, self(), :tick_anr)
+        state = broadcast_check_anr(state)
+        state
 
       {:handle_sync, op, innerstate, args} ->
         #TODO: ns dropped
         innerstate = Map.put(innerstate, :ns, state.ns)
-        NodeState.handle(op, innerstate, args)
+        innerstate = NodeState.handle(op, innerstate, args)
+        Map.put(state, :ns, innerstate)
 
     end
     {:noreply, state}

ex/lib/node/node_gen_socket_gen.ex

@@ -58,26 +58,36 @@ defmodule NodeGenSocketGen do
     case msg do
       {:udp, _socket, ip, _inportno, data} ->
         #IO.puts IO.ANSI.red() <> inspect({:relay_from, ip, msg.op}) <> IO.ANSI.reset()
-
         :erlang.spawn(fn()->
           try do
           case NodeProto.unpack_message_v2(data) do
             %{error: :signature, shard_total: 1, pk: pk, version: version, signature: signature, payload: payload} ->
               if !BlsEx.verify?(pk, signature, Blake3.hash(pk<>payload), BLS12AggSig.dst_node()), do: throw(%{error: :invalid_signature})
+
               msg = payload
               |> NodeProto.deflate_decompress()
               |> :erlang.binary_to_term([:safe])
+
               peer_ip = Tuple.to_list(ip) |> Enum.join(".")
               peer = %{ip: peer_ip, signer: pk, version: version}
-              NodeState.handle(msg.op, %{peer: peer}, msg)
+
+              hasPermissionSlip = NodeANR.handshaked_and_valid_ip4(pk, peer_ip)
+              cond do
+                hasPermissionSlip -> NodeState.handle(msg.op, %{peer: peer}, msg)
+                msg.op in [:ping, :new_phone_who_dis, :what?] -> NodeState.handle(msg.op, %{peer: peer}, msg)
+                true -> nil
+              end
 
             %{error: :signature, pk: pk, signature: signature, ts_nano: ts_nano, shard_index: shard_index, shard_total: shard_total,
               version: version, original_size: original_size, payload: payload}
             ->
               peer_ip = Tuple.to_list(ip) |> Enum.join(".")
 
-              gen = NodeGen.get_reassembly_gen(pk, ts_nano)
-              send(gen, {:add_shard, {pk, ts_nano, shard_total}, {peer_ip, version, nil, signature, shard_index, original_size}, payload})
+              hasPermissionSlip = NodeANR.handshaked_and_valid_ip4(pk, peer_ip)
+              if hasPermissionSlip do
+                gen = NodeGen.get_reassembly_gen(pk, ts_nano)
+                send(gen, {:add_shard, {pk, ts_nano, shard_total}, {peer_ip, version, nil, signature, shard_index, original_size}, payload})
+              end
 
             %{error: :encrypted, shard_total: 1, pk: pk, version: version, ts_nano: ts_nano, payload: payload} ->
               shared_secret = NodePeers.get_shared_secret(pk)
@@ -92,20 +102,32 @@ defmodule NodeGenSocketGen do
 
               peer_ip = Tuple.to_list(ip) |> Enum.join(".")
               peer = %{ip: peer_ip, signer: pk, version: version}
-              NodeState.handle(msg.op, %{peer: peer}, msg)
+
+              hasPermissionSlip = NodeANR.handshaked_and_valid_ip4(pk, peer_ip)
+              cond do
+                hasPermissionSlip -> NodeState.handle(msg.op, %{peer: peer}, msg)
+                msg.op in [:ping, :new_phone_who_dis, :what?] -> NodeState.handle(msg.op, %{peer: peer}, msg)
+                true -> nil
+              end
+
 
             %{error: :encrypted, pk: pk, ts_nano: ts_nano, shard_index: shard_index, shard_total: shard_total,
               version: version, original_size: original_size, payload: payload} ->
-              shared_secret = NodePeers.get_shared_secret(pk)
-
               peer_ip = Tuple.to_list(ip) |> Enum.join(".")
-              gen = NodeGen.get_reassembly_gen(pk, ts_nano)
-              send(gen, {:add_shard, {pk, ts_nano, shard_total}, {peer_ip, version, shared_secret, nil, shard_index, original_size}, payload})
 
-            _ -> nil
+              hasPermissionSlip = NodeANR.handshaked_and_valid_ip4(pk, peer_ip)
+              if hasPermissionSlip do
+                shared_secret = NodePeers.get_shared_secret(pk)
+
+                gen = NodeGen.get_reassembly_gen(pk, ts_nano)
+                send(gen, {:add_shard, {pk, ts_nano, shard_total}, {peer_ip, version, shared_secret, nil, shard_index, original_size}, payload})
+              end
+
+            _data ->
+              nil
           end
           catch
-            _,_ -> nil
+            _e, _r -> nil
           end
         end)
 

ex/lib/node/node_peers.ex

@@ -1,11 +1,53 @@
 defmodule NodePeers do
+  def clear_stale() do
+    ts_m = :os.system_time(1000)
+
+    validators = Consensus.trainers_for_height(Consensus.chain_height()+1)
+    validator_anr_ips = NodeANR.by_pks_ip(validators)
+    validators_map = validators |> Enum.into(%{}, & {&1,true})
+
+    handshaked_ips = NodeANR.handshaked_pk_ip4() |> Enum.map(& elem(&1,1))
+
+    {cur_ips, cur_val_ips} = :ets.foldl(fn({key, v}, {acc, acc_vals})->
+      lp = v[:last_msg]
+      cond do
+        !lp -> :ets.insert(NODEPeers, {key, Map.put(v, :last_msg, ts_m)})
+        ts_m > lp + (1_000*60) -> :ets.delete(NODEPeers, key)
+        true -> nil
+      end
+      if validators_map[v[:pk]] do
+        {acc, acc_vals ++ [key]}
+      else
+        {acc ++ [key], acc_vals}
+      end
+    end, {[], []}, NODEPeers)
+
+    missing_vals = validator_anr_ips -- cur_val_ips
+    missing_ips = handshaked_ips -- cur_ips
+
+    max_peers = Application.fetch_env!(:ama, :max_peers)
+    add_size = max_peers - :ets.info(NODEPeers, :size) - length(cur_val_ips) - length(missing_vals)
+
+    missing_ips = Enum.take(Enum.shuffle(missing_ips), add_size)
+
+    Enum.each(missing_vals ++ missing_ips, fn(ip)->
+      :ets.insert(NODEPeers, {ip, %{ip: ip}})
+    end)
+  end
+
   def seed(my_ip) do
     seeds = Application.fetch_env!(:ama, :seednodes)
     nodes = Application.fetch_env!(:ama, :othernodes)
     filtered = Enum.uniq(seeds ++ nodes) -- [my_ip]
     Enum.each(filtered, fn(ip)->
       :ets.insert(NODEPeers, {ip, %{ip: ip, static: true}})
     end)
+
+    validators = Consensus.trainers_for_height(Consensus.chain_height()+1)
+    validators = NodeANR.by_pks_ip(validators)
+    Enum.each(validators, fn(ip)->
+      :ets.insert(NODEPeers, {ip, %{ip: ip}})
+    end)
   end
 
   def random(no) do
@@ -18,20 +60,6 @@ defmodule NodePeers do
     end
   end
 
-  def clear_stale() do
-    ts_m = :os.system_time(1000)
-    :ets.foldl(fn({key, v}, acc)->
-      lp = v[:last_msg]
-      #60 minutes
-      if !v[:static] and !!lp and ts_m > lp+(1_000*60*60) do
-        acc ++ [key]
-      else
-        acc
-      end
-    end, [], NODEPeers)
-    |> Enum.each(& :ets.delete(NODEPeers, &1))
-  end
-
   def all() do
     peers = :ets.tab2list(NODEPeers)
     |> Enum.map(& elem(&1,1))
@@ -91,7 +119,7 @@ defmodule NodePeers do
     cond do
       !peer[:pk] -> false
       Application.fetch_env!(:ama, :trainer_pk) == peer.pk -> true
-      !!lp and ts_m - lp <= 3_000 -> true
+      !!lp and ts_m - lp <= 6_000 -> true
       true -> false
     end
   end
@@ -109,6 +137,10 @@ defmodule NodePeers do
     |> List.first()
   end
 
+  def ips_by_pk(pk) do
+    :ets.select(NODEPeers, [{{:"$1", %{pk: pk}}, [], [:"$1"]}])
+  end
+
   def by_pk(pk) do
     ip = :ets.select(NODEPeers, [{{:"$1", %{pk: pk}}, [], [:"$1"]}])
     |> List.first()

ex/lib/node/node_state.ex

@@ -3,25 +3,62 @@ defmodule NodeState do
 
   def init() do
     %{
+      challenges: %{},
     }
   end
 
+  #TODO: anti local compute dos here
+  def handle(:new_phone_who_dis, istate, term) do
+    anr = NodeANR.verify_and_unpack(term.anr)
+    if !!anr and is_integer(term.challenge) and istate.peer.ip == anr.ip4 do
+      sk = Application.fetch_env!(:ama, :trainer_sk)
+      pk = Application.fetch_env!(:ama, :trainer_pk)
+      sig = BlsEx.sign!(sk, <<pk::binary, :erlang.integer_to_binary(term.challenge)::binary>>, BLS12AggSig.dst_anr_challenge())
+      send(NodeGen.get_socket_gen(), {:send_to_some, [istate.peer.ip], compress(NodeProto.what?(term.challenge, sig))})
+      send(NodeGen, {:handle_sync, :new_phone_who_dis_ns, istate, %{anr: anr}})
+    end
+  end
+  def handle(:new_phone_who_dis_ns, istate, term) do
+    NodeANR.insert(term.anr)
+    istate.ns
+  end
+
+  def handle(:what?, istate, term) do
+    anr = NodeANR.verify_and_unpack(term.anr)
+
+    #signed within 6 seconds
+    ts = :os.system_time(1)
+    delta = abs(ts - term.challenge)
+
+    if !!anr and istate.peer.ip == anr.ip4 and delta <= 6 do
+      challenge_bin = :erlang.integer_to_binary(term.challenge)
+      if BlsEx.verify?(anr.pk, term.signature, <<anr.pk::binary, challenge_bin::binary>>, BLS12AggSig.dst_anr_challenge()) do
+        send(NodeGen, {:handle_sync, :'what?_ns', istate, %{pk: anr.pk, anr: anr}})
+      end
+    end
+  end
+  def handle(:'what?_ns', istate, term) do
+    NodeANR.insert(term.anr)
+    NodeANR.set_handshaked(term.anr.pk)
+    istate.ns
+  end
+
   def handle(:ping, istate, term) do
     temporal = Entry.unpack(term.temporal)
     rooted = Entry.unpack(term.rooted)
     try do
       %{error: :ok, hash: hasht} = Entry.validate_signature(temporal.header, temporal.signature, temporal.header_unpacked.signer, temporal[:mask])
       %{error: :ok, hash: hashr} = Entry.validate_signature(rooted.header, rooted.signature, rooted.header_unpacked.signer, rooted[:mask])
 
+      hasPermissionSlip = NodeANR.handshaked_and_valid_ip4(istate.peer.signer, istate.peer.ip)
       :erlang.spawn(fn()->
-        #txs_packed = TXPool.random()
-        #txs_packed && send(NodeGen.get_socket_gen(), {:send_to_some, [istate.peer.ip], compress(NodeProto.txpool(txs_packed))})
-
-        rng_peers = NodePeers.random(6) |> Enum.map(& &1.ip)
-        if rng_peers != [], do: send(NodeGen.get_socket_gen(), {:send_to_some, [istate.peer.ip], compress(NodeProto.peers(rng_peers))})
+        if hasPermissionSlip do
+          anrs = NodeANR.get_random_verified(3)
+          if anrs != [], do: send(NodeGen.get_socket_gen(), {:send_to_some, [istate.peer.ip], compress(NodeProto.peers_v2(anrs))})
+        end
       end)
 
-      term = %{temporal: Map.put(temporal, :hash, hasht), rooted: Map.put(rooted, :hash, hashr), ts_m: term.ts_m}
+      term = %{temporal: Map.put(temporal, :hash, hasht), rooted: Map.put(rooted, :hash, hashr), ts_m: term.ts_m, hasPermissionSlip: hasPermissionSlip}
       send(NodeGen, {:handle_sync, :ping_ns, istate, term})
     catch
       e,{:badmatch, %{error: :wrong_epoch}} -> nil
@@ -30,23 +67,26 @@ defmodule NodeState do
   end
   def handle(:ping_ns, istate, term) do
     peer_ip = istate.peer.ip
-    peer = :ets.lookup_element(NODEPeers, peer_ip, 2, %{})
-    peer = Map.merge(peer, %{
-        ip: peer_ip,
-        pk: istate.peer.signer, version: istate.peer.version,
-        last_ping: :os.system_time(1000),
-        last_msg: :os.system_time(1000),
-        temporal: term.temporal, rooted: term.rooted,
-    })
-
-    peer = if !!peer[:shared_secret] do peer else
-      shared_key = BlsEx.get_shared_secret!(istate.peer.signer, Application.fetch_env!(:ama, :trainer_sk))
-      Map.put(peer, :shared_secret, shared_key)
-    end
 
-    :ets.insert(NODEPeers, {peer_ip, peer})
+    if term.hasPermissionSlip or (istate.peer.signer in Consensus.trainers_for_height(Consensus.chain_height())) do
+      peer = :ets.lookup_element(NODEPeers, peer_ip, 2, %{})
+      peer = Map.merge(peer, %{
+          ip: peer_ip,
+          pk: istate.peer.signer, version: istate.peer.version,
+          last_ping: :os.system_time(1000),
+          last_msg: :os.system_time(1000),
+          temporal: term.temporal, rooted: term.rooted,
+      })
+
+      peer = if !!peer[:shared_secret] do peer else
+        shared_key = BlsEx.get_shared_secret!(istate.peer.signer, Application.fetch_env!(:ama, :trainer_sk))
+        Map.put(peer, :shared_secret, shared_key)
+      end
+
+      :ets.insert(NODEPeers, {peer_ip, peer})
 
-    :erlang.spawn(fn()-> send(NodeGen.get_socket_gen(), {:send_to_some, [peer_ip], compress(NodeProto.pong(term.ts_m))}) end)
+      :erlang.spawn(fn()-> send(NodeGen.get_socket_gen(), {:send_to_some, [peer_ip], compress(NodeProto.pong(term.ts_m))}) end)
+    end
 
     istate.ns
   end
@@ -73,14 +113,15 @@ defmodule NodeState do
     TXPool.insert(good)
   end
 
-  def handle(:peers, istate, term) do
-    send(NodeGen, {:handle_sync, :peers_ns, istate, term})
+  def handle(:peers_v2, istate, term) do
+    anrs = Enum.map(term.anrs, & NodeANR.verify_and_unpack(&1))
+    |> Enum.filter(& &1)
+    term = %{anrs: anrs}
+    send(NodeGen, {:handle_sync, :peers_v2_ns, istate, term})
   end
-  def handle(:peers_ns, istate, term) do
-    Enum.each(term.ips, fn(peer_ip)->
-      peer = :ets.lookup_element(NODEPeers, peer_ip, 2, %{})
-      peer = Map.merge(peer, %{ip: peer_ip})
-      :ets.insert(NODEPeers, {peer_ip, peer})
+  def handle(:peers_v2_ns, istate, term) do
+    Enum.each(term.anrs, fn(anr)->
+      NodeANR.insert(anr)
     end)
     istate.ns
   end
@@ -93,10 +134,7 @@ defmodule NodeState do
       sol.epoch != Consensus.chain_epoch() ->
         #IO.inspect {:broadcasted_sol_invalid_epoch, sol.epoch, Consensus.chain_epoch()}
         nil
-      sol.epoch < 260 and !BIC.Sol.verify(term.sol) ->
-        IO.inspect {:peer_sent_invalid_sol, :TODO_block_malicious_peer}
-        nil
-      sol.epoch >= 260 and !BIC.Sol.verify(term.sol, %{vr_b3: :crypto.strong_rand_bytes(32)}) ->
+      !BIC.Sol.verify(term.sol, %{vr_b3: :crypto.strong_rand_bytes(32)}) ->
         IO.inspect {:peer_sent_invalid_sol, :TODO_block_malicious_peer}
         nil
       !BlsEx.verify?(sol.pk, sol.pop, sol.pk, BLS12AggSig.dst_pop()) ->