2020-01-15 21:13:43 +01:00
# include <string.h>
# include <openssl/sha.h>
# include "Log.h"
# include "Crypto.h"
# include "Elligator.h"
# include "Tag.h"
# include "I2PEndian.h"
2020-01-23 20:26:40 +01:00
# include "Timestamp.h"
2020-03-08 23:13:41 +01:00
# include "Tunnel.h"
# include "TunnelPool.h"
2020-01-15 21:13:43 +01:00
# include "ECIESX25519AEADRatchetSession.h"
namespace i2p
{
namespace garlic
{
2020-01-20 21:17:38 +01:00
void RatchetTagSet : : DHInitialize ( const uint8_t * rootKey , const uint8_t * k )
{
// DH_INITIALIZE(rootKey, k)
uint8_t keydata [ 64 ] ;
i2p : : crypto : : HKDF ( rootKey , k , 32 , " KDFDHRatchetStep " , keydata ) ; // keydata = HKDF(rootKey, k, "KDFDHRatchetStep", 64)
// nextRootKey = keydata[0:31]
2020-01-21 20:40:23 +01:00
i2p : : crypto : : HKDF ( keydata + 32 , nullptr , 0 , " TagAndKeyGenKeys " , m_KeyData . buf ) ;
// [sessTag_ck, symmKey_ck] = HKDF(keydata[32:63], ZEROLEN, "TagAndKeyGenKeys", 64)
2020-02-09 03:51:02 +01:00
memcpy ( m_SymmKeyCK , m_KeyData . buf + 32 , 32 ) ;
m_NextSymmKeyIndex = 0 ;
2020-01-20 21:17:38 +01:00
}
void RatchetTagSet : : NextSessionTagRatchet ( )
{
2020-01-21 20:40:23 +01:00
i2p : : crypto : : HKDF ( m_KeyData . GetSessTagCK ( ) , nullptr , 0 , " STInitialization " , m_KeyData . buf ) ; // [sessTag_ck, sesstag_constant] = HKDF(sessTag_ck, ZEROLEN, "STInitialization", 64)
memcpy ( m_SessTagConstant , m_KeyData . GetSessTagConstant ( ) , 32 ) ;
2020-02-05 21:48:51 +01:00
m_NextIndex = 0 ;
2020-01-20 21:17:38 +01:00
}
2020-01-21 20:40:23 +01:00
uint64_t RatchetTagSet : : GetNextSessionTag ( )
2020-01-20 21:17:38 +01:00
{
2020-02-09 03:51:02 +01:00
i2p : : crypto : : HKDF ( m_KeyData . GetSessTagCK ( ) , m_SessTagConstant , 32 , " SessionTagKeyGen " , m_KeyData . buf ) ; // [sessTag_ck, tag] = HKDF(sessTag_chainkey, SESSTAG_CONSTANT, "SessionTagKeyGen", 64)
2020-02-05 21:48:51 +01:00
m_NextIndex + + ;
2020-03-27 00:03:38 +01:00
if ( m_NextIndex > = 65535 ) m_NextIndex = 0 ; // TODO: dirty hack, should create new tagset
2020-01-21 20:40:23 +01:00
return m_KeyData . GetTag ( ) ;
2020-01-20 21:17:38 +01:00
}
2020-03-08 00:46:40 +01:00
void RatchetTagSet : : GetSymmKey ( int index , uint8_t * key )
2020-02-09 03:51:02 +01:00
{
2020-03-08 00:46:40 +01:00
if ( m_NextSymmKeyIndex > 0 & & index > = m_NextSymmKeyIndex )
2020-02-09 03:51:02 +01:00
{
2020-03-08 00:46:40 +01:00
auto num = index + 1 - m_NextSymmKeyIndex ;
for ( int i = 0 ; i < num ; i + + )
i2p : : crypto : : HKDF ( m_CurrentSymmKeyCK , nullptr , 0 , " SymmetricRatchet " , m_CurrentSymmKeyCK ) ;
m_NextSymmKeyIndex + = num ;
memcpy ( key , m_CurrentSymmKeyCK + 32 , 32 ) ;
2020-02-09 03:51:02 +01:00
}
else
2020-03-08 00:46:40 +01:00
CalculateSymmKeyCK ( index , key ) ;
2020-02-09 03:51:02 +01:00
}
2020-01-20 21:17:38 +01:00
2020-03-08 00:46:40 +01:00
void RatchetTagSet : : CalculateSymmKeyCK ( int index , uint8_t * key )
2020-02-09 03:51:02 +01:00
{
2020-03-08 00:46:40 +01:00
// TODO: store intermediate keys
uint8_t currentSymmKeyCK [ 64 ] ;
i2p : : crypto : : HKDF ( m_SymmKeyCK , nullptr , 0 , " SymmetricRatchet " , currentSymmKeyCK ) ; // keydata_0 = HKDF(symmKey_ck, SYMMKEY_CONSTANT, "SymmetricRatchet", 64)
2020-02-09 03:51:02 +01:00
for ( int i = 0 ; i < index ; i + + )
2020-03-08 00:46:40 +01:00
i2p : : crypto : : HKDF ( currentSymmKeyCK , nullptr , 0 , " SymmetricRatchet " , currentSymmKeyCK ) ; // keydata_n = HKDF(symmKey_chainKey_(n-1), SYMMKEY_CONSTANT, "SymmetricRatchet", 64)
memcpy ( key , currentSymmKeyCK + 32 , 32 ) ;
2020-02-09 03:51:02 +01:00
}
2020-01-16 20:59:19 +01:00
ECIESX25519AEADRatchetSession : : ECIESX25519AEADRatchetSession ( GarlicDestination * owner ) :
GarlicRoutingSession ( owner , true )
2020-01-15 21:13:43 +01:00
{
2020-01-23 03:42:30 +01:00
ResetKeys ( ) ;
2020-01-15 21:13:43 +01:00
}
ECIESX25519AEADRatchetSession : : ~ ECIESX25519AEADRatchetSession ( )
{
}
2020-01-23 03:42:30 +01:00
void ECIESX25519AEADRatchetSession : : ResetKeys ( )
{
// TODO : use precalculated hashes
static const char protocolName [ 41 ] = " Noise_IKelg2+hs2_25519_ChaChaPoly_SHA256 " ; // 40 bytes
SHA256 ( ( const uint8_t * ) protocolName , 40 , m_H ) ;
memcpy ( m_CK , m_H , 32 ) ;
SHA256 ( m_H , 32 , m_H ) ;
}
2020-01-15 21:13:43 +01:00
void ECIESX25519AEADRatchetSession : : MixHash ( const uint8_t * buf , size_t len )
{
SHA256_CTX ctx ;
SHA256_Init ( & ctx ) ;
SHA256_Update ( & ctx , m_H , 32 ) ;
SHA256_Update ( & ctx , buf , len ) ;
SHA256_Final ( m_H , & ctx ) ;
}
2020-01-17 20:11:15 +01:00
2020-02-05 21:48:51 +01:00
void ECIESX25519AEADRatchetSession : : CreateNonce ( uint64_t seqn , uint8_t * nonce )
{
memset ( nonce , 0 , 4 ) ;
htole64buf ( nonce + 4 , seqn ) ;
}
2020-01-21 18:19:20 +01:00
bool ECIESX25519AEADRatchetSession : : GenerateEphemeralKeysAndEncode ( uint8_t * buf )
{
2020-01-21 20:40:23 +01:00
for ( int i = 0 ; i < 10 ; i + + )
2020-01-21 18:19:20 +01:00
{
m_EphemeralKeys . GenerateKeys ( ) ;
if ( i2p : : crypto : : GetElligator ( ) - > Encode ( m_EphemeralKeys . GetPublicKey ( ) , buf ) )
return true ; // success
}
return false ;
}
2020-01-21 20:40:23 +01:00
uint64_t ECIESX25519AEADRatchetSession : : CreateNewSessionTag ( ) const
{
uint8_t tagsetKey [ 32 ] ;
i2p : : crypto : : HKDF ( m_CK , nullptr , 0 , " SessionReplyTags " , tagsetKey , 32 ) ; // tagsetKey = HKDF(chainKey, ZEROLEN, "SessionReplyTags", 32)
// Session Tag Ratchet
RatchetTagSet tagsetNsr ;
tagsetNsr . DHInitialize ( m_CK , tagsetKey ) ; // tagset_nsr = DH_INITIALIZE(chainKey, tagsetKey)
tagsetNsr . NextSessionTagRatchet ( ) ;
return tagsetNsr . GetNextSessionTag ( ) ;
}
2020-02-03 22:21:07 +01:00
bool ECIESX25519AEADRatchetSession : : HandleNewIncomingSession ( const uint8_t * buf , size_t len )
2020-01-15 21:13:43 +01:00
{
2020-01-16 20:59:19 +01:00
if ( ! GetOwner ( ) ) return false ;
2020-01-15 21:13:43 +01:00
// we are Bob
// KDF1
2020-03-19 23:33:42 +01:00
MixHash ( GetOwner ( ) - > GetEncryptionPublicKey ( i2p : : data : : CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RARCHET ) , 32 ) ; // h = SHA256(h || bpk)
2020-01-30 03:57:10 +01:00
if ( ! i2p : : crypto : : GetElligator ( ) - > Decode ( buf , m_Aepk ) )
2020-01-15 21:13:43 +01:00
{
LogPrint ( eLogError , " Garlic: Can't decode elligator " ) ;
return false ;
}
buf + = 32 ; len - = 32 ;
2020-01-30 03:57:10 +01:00
MixHash ( m_Aepk , 32 ) ; // h = SHA256(h || aepk)
2020-01-15 21:13:43 +01:00
2020-01-17 01:33:00 +01:00
uint8_t sharedSecret [ 32 ] ;
2020-03-31 23:35:51 +02:00
GetOwner ( ) - > Decrypt ( m_Aepk , sharedSecret , nullptr , i2p : : data : : CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RARCHET ) ; // x25519(bsk, aepk)
2020-01-17 01:33:00 +01:00
i2p : : crypto : : HKDF ( m_CK , sharedSecret , 32 , " " , m_CK ) ; // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
2020-01-15 21:13:43 +01:00
// decrypt flags/static
uint8_t nonce [ 12 ] , fs [ 32 ] ;
2020-02-05 21:48:51 +01:00
CreateNonce ( 0 , nonce ) ;
2020-01-17 01:33:00 +01:00
if ( ! i2p : : crypto : : AEADChaCha20Poly1305 ( buf , 32 , m_H , 32 , m_CK + 32 , nonce , fs , 32 , false ) ) // decrypt
2020-01-15 21:13:43 +01:00
{
LogPrint ( eLogWarning , " Garlic: Flags/static section AEAD verification failed " ) ;
return false ;
}
MixHash ( buf , 48 ) ; // h = SHA256(h || ciphertext)
buf + = 48 ; len - = 48 ; // 32 data + 16 poly
// decrypt payload
std : : vector < uint8_t > payload ( len - 16 ) ;
// KDF2 for payload
bool isStatic = ! i2p : : data : : Tag < 32 > ( fs ) . IsZero ( ) ;
if ( isStatic )
{
// static key, fs is apk
2020-01-17 01:33:00 +01:00
memcpy ( m_RemoteStaticKey , fs , 32 ) ;
2020-03-31 23:35:51 +02:00
GetOwner ( ) - > Decrypt ( fs , sharedSecret , nullptr , i2p : : data : : CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RARCHET ) ; // x25519(bsk, apk)
2020-01-17 01:33:00 +01:00
i2p : : crypto : : HKDF ( m_CK , sharedSecret , 32 , " " , m_CK ) ; // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
2020-01-15 21:13:43 +01:00
}
else // all zeros flags
2020-02-05 21:48:51 +01:00
CreateNonce ( 1 , nonce ) ;
2020-01-17 01:33:00 +01:00
if ( ! i2p : : crypto : : AEADChaCha20Poly1305 ( buf , len - 16 , m_H , 32 , m_CK + 32 , nonce , payload . data ( ) , len - 16 , false ) ) // decrypt
2020-01-15 21:13:43 +01:00
{
LogPrint ( eLogWarning , " Garlic: Payload section AEAD verification failed " ) ;
return false ;
}
if ( isStatic ) MixHash ( buf , len ) ; // h = SHA256(h || ciphertext)
2020-01-17 17:21:41 +01:00
m_State = eSessionStateNewSessionReceived ;
2020-01-29 18:54:26 +01:00
GetOwner ( ) - > AddECIESx25519Session ( m_RemoteStaticKey , shared_from_this ( ) ) ;
2020-01-17 17:21:41 +01:00
2020-02-03 22:21:07 +01:00
HandlePayload ( payload . data ( ) , len - 16 ) ;
2020-01-15 21:13:43 +01:00
return true ;
}
2020-03-27 00:03:38 +01:00
void ECIESX25519AEADRatchetSession : : HandlePayload ( const uint8_t * buf , size_t len , int index )
2020-01-15 21:13:43 +01:00
{
size_t offset = 0 ;
while ( offset < len )
{
uint8_t blk = buf [ offset ] ;
offset + + ;
auto size = bufbe16toh ( buf + offset ) ;
offset + = 2 ;
LogPrint ( eLogDebug , " Garlic: Block type " , ( int ) blk , " of size " , size ) ;
if ( size > len )
{
LogPrint ( eLogError , " Garlic: Unexpected block length " , size ) ;
break ;
}
switch ( blk )
{
case eECIESx25519BlkGalicClove :
2020-02-03 22:21:07 +01:00
GetOwner ( ) - > HandleECIESx25519GarlicClove ( buf + offset , size ) ;
2020-01-15 21:13:43 +01:00
break ;
case eECIESx25519BlkDateTime :
LogPrint ( eLogDebug , " Garlic: datetime " ) ;
break ;
case eECIESx25519BlkOptions :
LogPrint ( eLogDebug , " Garlic: options " ) ;
break ;
case eECIESx25519BlkPadding :
2020-01-16 18:47:08 +01:00
LogPrint ( eLogDebug , " Garlic: padding " ) ;
2020-01-15 21:13:43 +01:00
break ;
2020-03-27 00:03:38 +01:00
case eECIESx25519BlkAckRequest :
{
LogPrint ( eLogDebug , " Garlic: ack request " ) ;
2020-03-31 23:35:51 +02:00
m_AckRequests . push_back ( { 0 , index } ) ; // TODO: use actual tagsetid
2020-03-27 00:03:38 +01:00
break ;
}
2020-01-15 21:13:43 +01:00
default :
LogPrint ( eLogWarning , " Garlic: Unknown block type " , ( int ) blk ) ;
}
offset + = size ;
}
}
2020-01-16 20:59:19 +01:00
2020-01-16 22:34:13 +01:00
bool ECIESX25519AEADRatchetSession : : NewOutgoingSessionMessage ( const uint8_t * payload , size_t len , uint8_t * out , size_t outLen )
2020-01-21 18:19:20 +01:00
{
2020-01-23 03:42:30 +01:00
ResetKeys ( ) ;
2020-01-17 01:33:00 +01:00
// we are Alice, bpk is m_RemoteStaticKey
2020-01-16 22:34:13 +01:00
size_t offset = 0 ;
2020-01-21 18:19:20 +01:00
if ( ! GenerateEphemeralKeysAndEncode ( out + offset ) )
2020-01-16 22:34:13 +01:00
{
LogPrint ( eLogError , " Garlic: Can't encode elligator " ) ;
return false ;
2020-01-22 17:27:47 +01:00
}
2020-01-16 22:34:13 +01:00
offset + = 32 ;
// KDF1
2020-01-17 01:33:00 +01:00
MixHash ( m_RemoteStaticKey , 32 ) ; // h = SHA256(h || bpk)
2020-01-22 17:27:47 +01:00
MixHash ( m_EphemeralKeys . GetPublicKey ( ) , 32 ) ; // h = SHA256(h || aepk)
2020-01-17 01:33:00 +01:00
uint8_t sharedSecret [ 32 ] ;
2020-01-22 01:13:23 +01:00
m_EphemeralKeys . Agree ( m_RemoteStaticKey , sharedSecret ) ; // x25519(aesk, bpk)
2020-01-17 01:33:00 +01:00
i2p : : crypto : : HKDF ( m_CK , sharedSecret , 32 , " " , m_CK ) ; // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
2020-01-16 22:34:13 +01:00
// encrypt static key section
uint8_t nonce [ 12 ] ;
2020-02-05 21:48:51 +01:00
CreateNonce ( 0 , nonce ) ;
2020-03-19 23:33:42 +01:00
if ( ! i2p : : crypto : : AEADChaCha20Poly1305 ( GetOwner ( ) - > GetEncryptionPublicKey ( i2p : : data : : CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RARCHET ) , 32 , m_H , 32 , m_CK + 32 , nonce , out + offset , 48 , true ) ) // encrypt
2020-01-16 22:34:13 +01:00
{
LogPrint ( eLogWarning , " Garlic: Static section AEAD encryption failed " ) ;
return false ;
}
MixHash ( out + offset , 48 ) ; // h = SHA256(h || ciphertext)
offset + = 48 ;
// KDF2
2020-03-31 23:35:51 +02:00
GetOwner ( ) - > Decrypt ( m_RemoteStaticKey , sharedSecret , nullptr , i2p : : data : : CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RARCHET ) ; // x25519 (ask, bpk)
2020-01-17 01:33:00 +01:00
i2p : : crypto : : HKDF ( m_CK , sharedSecret , 32 , " " , m_CK ) ; // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
// encrypt payload
if ( ! i2p : : crypto : : AEADChaCha20Poly1305 ( payload , len , m_H , 32 , m_CK + 32 , nonce , out + offset , len + 16 , true ) ) // encrypt
{
LogPrint ( eLogWarning , " Garlic: Payload section AEAD encryption failed " ) ;
return false ;
}
2020-01-30 03:57:10 +01:00
MixHash ( out + offset , len + 16 ) ; // h = SHA256(h || ciphertext)
2020-01-21 20:40:23 +01:00
2020-01-29 21:54:11 +01:00
m_State = eSessionStateNewSessionSent ;
2020-01-21 20:40:23 +01:00
if ( GetOwner ( ) )
2020-02-05 21:48:51 +01:00
GetOwner ( ) - > AddECIESx25519SessionTag ( 0 , CreateNewSessionTag ( ) , shared_from_this ( ) ) ;
2020-01-21 20:40:23 +01:00
2020-01-16 22:34:13 +01:00
return true ;
}
2020-01-17 20:11:15 +01:00
bool ECIESX25519AEADRatchetSession : : NewSessionReplyMessage ( const uint8_t * payload , size_t len , uint8_t * out , size_t outLen )
{
// we are Bob
2020-01-21 20:40:23 +01:00
uint64_t tag = CreateNewSessionTag ( ) ;
2020-01-17 20:11:15 +01:00
size_t offset = 0 ;
2020-01-21 20:40:23 +01:00
memcpy ( out + offset , & tag , 8 ) ;
2020-01-17 20:11:15 +01:00
offset + = 8 ;
2020-01-21 18:19:20 +01:00
if ( ! GenerateEphemeralKeysAndEncode ( out + offset ) ) // bepk
2020-01-17 20:11:15 +01:00
{
LogPrint ( eLogError , " Garlic: Can't encode elligator " ) ;
return false ;
2020-01-22 17:27:47 +01:00
}
2020-01-17 20:11:15 +01:00
offset + = 32 ;
// KDF for Reply Key Section
2020-01-21 20:40:23 +01:00
MixHash ( ( const uint8_t * ) & tag , 8 ) ; // h = SHA256(h || tag)
2020-01-22 17:27:47 +01:00
MixHash ( m_EphemeralKeys . GetPublicKey ( ) , 32 ) ; // h = SHA256(h || bepk)
2020-01-17 20:11:15 +01:00
uint8_t sharedSecret [ 32 ] ;
2020-01-30 03:57:10 +01:00
m_EphemeralKeys . Agree ( m_Aepk , sharedSecret ) ; // sharedSecret = x25519(besk, aepk)
2020-01-31 01:30:30 +01:00
i2p : : crypto : : HKDF ( m_CK , sharedSecret , 32 , " " , m_CK , 32 ) ; // chainKey = HKDF(chainKey, sharedSecret, "", 32)
m_EphemeralKeys . Agree ( m_RemoteStaticKey , sharedSecret ) ; // sharedSecret = x25519(besk, apk)
2020-01-17 20:11:15 +01:00
i2p : : crypto : : HKDF ( m_CK , sharedSecret , 32 , " " , m_CK ) ; // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
2020-01-31 01:30:30 +01:00
uint8_t nonce [ 12 ] ;
2020-02-05 21:48:51 +01:00
CreateNonce ( 0 , nonce ) ;
2020-01-17 20:11:15 +01:00
// calulate hash for zero length
if ( ! i2p : : crypto : : AEADChaCha20Poly1305 ( sharedSecret /* can be anything */ , 0 , m_H , 32 , m_CK + 32 , nonce , out + offset , 16 , true ) ) // encrypt, ciphertext = ENCRYPT(k, n, ZEROLEN, ad)
{
LogPrint ( eLogWarning , " Garlic: Reply key section AEAD encryption failed " ) ;
return false ;
}
MixHash ( out + offset , 16 ) ; // h = SHA256(h || ciphertext)
out + = 16 ;
// KDF for payload
2020-01-20 21:17:38 +01:00
uint8_t keydata [ 64 ] ;
i2p : : crypto : : HKDF ( m_CK , nullptr , 0 , " " , keydata ) ; // keydata = HKDF(chainKey, ZEROLEN, "", 64)
2020-02-09 03:51:02 +01:00
// k_ab = keydata[0:31], k_ba = keydata[32:63]
2020-02-03 22:21:07 +01:00
m_ReceiveTagset . DHInitialize ( m_CK , keydata ) ; // tagset_ab = DH_INITIALIZE(chainKey, k_ab)
m_ReceiveTagset . NextSessionTagRatchet ( ) ;
m_SendTagset . DHInitialize ( m_CK , keydata + 32 ) ; // tagset_ba = DH_INITIALIZE(chainKey, k_ba)
m_SendTagset . NextSessionTagRatchet ( ) ;
2020-02-09 23:19:42 +01:00
GenerateMoreReceiveTags ( GetOwner ( ) - > GetNumTags ( ) ) ;
2020-01-17 20:11:15 +01:00
i2p : : crypto : : HKDF ( keydata + 32 , nullptr , 0 , " AttachPayloadKDF " , keydata , 32 ) ; // k = HKDF(k_ba, ZEROLEN, "AttachPayloadKDF", 32)
// encrypt payload
if ( ! i2p : : crypto : : AEADChaCha20Poly1305 ( payload , len , m_H , 32 , keydata , nonce , out + offset , len + 16 , true ) ) // encrypt
{
LogPrint ( eLogWarning , " Garlic: Payload section AEAD encryption failed " ) ;
return false ;
}
2020-02-03 22:21:07 +01:00
m_State = eSessionStateEstablished ;
2020-02-09 23:19:42 +01:00
2020-01-17 20:11:15 +01:00
return true ;
}
2020-02-03 22:21:07 +01:00
bool ECIESX25519AEADRatchetSession : : HandleNewOutgoingSessionReply ( const uint8_t * buf , size_t len )
2020-01-21 20:40:23 +01:00
{
2020-01-29 18:54:26 +01:00
// we are Alice
2020-01-23 03:42:30 +01:00
LogPrint ( eLogDebug , " Garlic: reply received " ) ;
2020-01-29 18:54:26 +01:00
const uint8_t * tag = buf ;
buf + = 8 ; len - = 8 ; // tag
uint8_t bepk [ 32 ] ; // Bob's ephemeral key
if ( ! i2p : : crypto : : GetElligator ( ) - > Decode ( buf , bepk ) )
{
LogPrint ( eLogError , " Garlic: Can't decode elligator " ) ;
return false ;
}
buf + = 32 ; len - = 32 ;
// KDF for Reply Key Section
MixHash ( tag , 8 ) ; // h = SHA256(h || tag)
MixHash ( bepk , 32 ) ; // h = SHA256(h || bepk)
uint8_t sharedSecret [ 32 ] ;
m_EphemeralKeys . Agree ( bepk , sharedSecret ) ; // sharedSecret = x25519(aesk, bepk)
2020-01-31 01:30:30 +01:00
i2p : : crypto : : HKDF ( m_CK , sharedSecret , 32 , " " , m_CK , 32 ) ; // chainKey = HKDF(chainKey, sharedSecret, "", 32)
2020-03-31 23:35:51 +02:00
GetOwner ( ) - > Decrypt ( bepk , sharedSecret , nullptr , i2p : : data : : CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RARCHET ) ; // x25519 (ask, bepk)
2020-01-31 01:30:30 +01:00
i2p : : crypto : : HKDF ( m_CK , sharedSecret , 32 , " " , m_CK ) ; // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
uint8_t nonce [ 12 ] ;
2020-02-05 21:48:51 +01:00
CreateNonce ( 0 , nonce ) ;
2020-01-29 18:54:26 +01:00
// calulate hash for zero length
if ( ! i2p : : crypto : : AEADChaCha20Poly1305 ( buf , 0 , m_H , 32 , m_CK + 32 , nonce , sharedSecret /* can be anyting */ , 0 , false ) ) // decrypt, DECRYPT(k, n, ZEROLEN, ad) verification only
{
LogPrint ( eLogWarning , " Garlic: Reply key section AEAD decryption failed " ) ;
return false ;
}
MixHash ( buf , 16 ) ; // h = SHA256(h || ciphertext)
buf + = 16 ; len - = 16 ;
// KDF for payload
uint8_t keydata [ 64 ] ;
i2p : : crypto : : HKDF ( m_CK , nullptr , 0 , " " , keydata ) ; // keydata = HKDF(chainKey, ZEROLEN, "", 64)
2020-02-09 03:51:02 +01:00
// k_ab = keydata[0:31], k_ba = keydata[32:63]
2020-02-03 22:21:07 +01:00
m_SendTagset . DHInitialize ( m_CK , keydata ) ; // tagset_ab = DH_INITIALIZE(chainKey, k_ab)
m_SendTagset . NextSessionTagRatchet ( ) ;
m_ReceiveTagset . DHInitialize ( m_CK , keydata + 32 ) ; // tagset_ba = DH_INITIALIZE(chainKey, k_ba)
m_ReceiveTagset . NextSessionTagRatchet ( ) ;
2020-02-09 23:19:42 +01:00
GenerateMoreReceiveTags ( GetOwner ( ) - > GetNumTags ( ) ) ;
2020-01-29 18:54:26 +01:00
i2p : : crypto : : HKDF ( keydata + 32 , nullptr , 0 , " AttachPayloadKDF " , keydata , 32 ) ; // k = HKDF(k_ba, ZEROLEN, "AttachPayloadKDF", 32)
// decrypt payload
std : : vector < uint8_t > payload ( len - 16 ) ;
if ( ! i2p : : crypto : : AEADChaCha20Poly1305 ( buf , len - 16 , m_H , 32 , keydata , nonce , payload . data ( ) , len - 16 , false ) ) // decrypt
{
LogPrint ( eLogWarning , " Garlic: Payload section AEAD decryption failed " ) ;
return false ;
}
2020-02-03 22:21:07 +01:00
m_State = eSessionStateEstablished ;
2020-01-29 18:54:26 +01:00
GetOwner ( ) - > AddECIESx25519Session ( m_RemoteStaticKey , shared_from_this ( ) ) ;
2020-02-03 22:21:07 +01:00
HandlePayload ( payload . data ( ) , len - 16 ) ;
2020-01-29 18:54:26 +01:00
2020-01-21 20:40:23 +01:00
return true ;
}
2020-02-05 21:48:51 +01:00
bool ECIESX25519AEADRatchetSession : : NewExistingSessionMessage ( const uint8_t * payload , size_t len , uint8_t * out , size_t outLen )
2020-02-03 22:21:07 +01:00
{
uint8_t nonce [ 12 ] ;
2020-02-09 03:51:02 +01:00
auto index = m_SendTagset . GetNextIndex ( ) ;
CreateNonce ( index , nonce ) ; // tag's index
2020-02-05 21:48:51 +01:00
uint64_t tag = m_SendTagset . GetNextSessionTag ( ) ;
memcpy ( out , & tag , 8 ) ;
2020-02-03 22:21:07 +01:00
// ad = The session tag, 8 bytes
// ciphertext = ENCRYPT(k, n, payload, ad)
2020-03-08 00:46:40 +01:00
uint8_t key [ 32 ] ;
m_SendTagset . GetSymmKey ( index , key ) ;
if ( ! i2p : : crypto : : AEADChaCha20Poly1305 ( payload , len , out , 8 , key , nonce , out + 8 , outLen - 8 , true ) ) // encrypt
2020-02-05 21:48:51 +01:00
{
LogPrint ( eLogWarning , " Garlic: Payload section AEAD encryption failed " ) ;
return false ;
}
return true ;
}
bool ECIESX25519AEADRatchetSession : : HandleExistingSessionMessage ( const uint8_t * buf , size_t len , int index )
{
uint8_t nonce [ 12 ] ;
CreateNonce ( index , nonce ) ; // tag's index
2020-02-03 22:21:07 +01:00
len - = 8 ; // tag
std : : vector < uint8_t > payload ( len - 16 ) ;
2020-03-08 00:46:40 +01:00
uint8_t key [ 32 ] ;
m_ReceiveTagset . GetSymmKey ( index , key ) ;
if ( ! i2p : : crypto : : AEADChaCha20Poly1305 ( buf + 8 , len - 16 , buf , 8 , key , nonce , payload . data ( ) , len - 16 , false ) ) // decrypt
2020-02-03 22:21:07 +01:00
{
LogPrint ( eLogWarning , " Garlic: Payload section AEAD decryption failed " ) ;
return false ;
}
2020-03-27 00:03:38 +01:00
HandlePayload ( payload . data ( ) , len - 16 , index ) ;
2020-03-23 02:21:12 +01:00
if ( m_ReceiveTagset . GetNextIndex ( ) - index < = GetOwner ( ) - > GetNumTags ( ) * 2 / 3 )
2020-02-09 23:19:42 +01:00
GenerateMoreReceiveTags ( GetOwner ( ) - > GetNumTags ( ) ) ;
2020-02-03 22:21:07 +01:00
return true ;
}
bool ECIESX25519AEADRatchetSession : : HandleNextMessage ( const uint8_t * buf , size_t len , int index )
2020-01-29 21:54:11 +01:00
{
2020-02-20 21:44:09 +01:00
m_LastActivityTimestamp = i2p : : util : : GetSecondsSinceEpoch ( ) ;
2020-01-29 21:54:11 +01:00
switch ( m_State )
{
2020-02-03 22:21:07 +01:00
case eSessionStateEstablished :
return HandleExistingSessionMessage ( buf , len , index ) ;
2020-01-29 21:54:11 +01:00
case eSessionStateNew :
2020-02-03 22:21:07 +01:00
return HandleNewIncomingSession ( buf , len ) ;
2020-01-29 21:54:11 +01:00
case eSessionStateNewSessionSent :
2020-02-03 22:21:07 +01:00
return HandleNewOutgoingSessionReply ( buf , len ) ;
2020-01-29 21:54:11 +01:00
default :
return false ;
}
return true ;
}
2020-01-16 20:59:19 +01:00
std : : shared_ptr < I2NPMessage > ECIESX25519AEADRatchetSession : : WrapSingleMessage ( std : : shared_ptr < const I2NPMessage > msg )
2020-01-17 17:21:41 +01:00
{
auto m = NewI2NPMessage ( ) ;
m - > Align ( 12 ) ; // in order to get buf aligned to 16 (12 + 4)
uint8_t * buf = m - > GetPayload ( ) + 4 ; // 4 bytes for length
auto payload = CreatePayload ( msg ) ;
size_t len = payload . size ( ) ;
switch ( m_State )
{
2020-02-05 21:48:51 +01:00
case eSessionStateEstablished :
if ( ! NewExistingSessionMessage ( payload . data ( ) , payload . size ( ) , buf , m - > maxLen ) )
return nullptr ;
len + = 24 ;
break ;
2020-01-17 17:21:41 +01:00
case eSessionStateNew :
if ( ! NewOutgoingSessionMessage ( payload . data ( ) , payload . size ( ) , buf , m - > maxLen ) )
return nullptr ;
len + = 96 ;
break ;
2020-01-17 20:11:15 +01:00
case eSessionStateNewSessionReceived :
if ( ! NewSessionReplyMessage ( payload . data ( ) , payload . size ( ) , buf , m - > maxLen ) )
return nullptr ;
len + = 72 ;
break ;
2020-01-17 17:21:41 +01:00
default :
return nullptr ;
}
htobe32buf ( m - > GetPayload ( ) , len ) ;
m - > len + = len + 4 ;
m - > FillI2NPMessageHeader ( eI2NPGarlic ) ;
return m ;
2020-01-16 20:59:19 +01:00
}
2020-01-17 17:21:41 +01:00
std : : vector < uint8_t > ECIESX25519AEADRatchetSession : : CreatePayload ( std : : shared_ptr < const I2NPMessage > msg )
{
2020-03-08 23:13:41 +01:00
uint64_t ts = i2p : : util : : GetMillisecondsSinceEpoch ( ) ;
2020-01-23 20:26:40 +01:00
size_t payloadLen = 7 ; // datatime
2020-01-30 17:48:32 +01:00
if ( msg & & m_Destination )
payloadLen + = msg - > GetPayloadLength ( ) + 13 + 32 ;
2020-03-08 23:13:41 +01:00
auto leaseSet = ( GetLeaseSetUpdateStatus ( ) = = eLeaseSetUpdated ) ? CreateDatabaseStoreMsg ( GetOwner ( ) - > GetLeaseSet ( ) ) : nullptr ;
std : : shared_ptr < I2NPMessage > deliveryStatus ;
if ( leaseSet )
{
2020-01-23 20:26:40 +01:00
payloadLen + = leaseSet - > GetPayloadLength ( ) + 13 ;
2020-03-08 23:13:41 +01:00
deliveryStatus = CreateEncryptedDeliveryStatusMsg ( leaseSet - > GetMsgID ( ) ) ;
payloadLen + = deliveryStatus - > GetPayloadLength ( ) + 49 ;
if ( GetLeaseSetUpdateMsgID ( ) ) GetOwner ( ) - > RemoveDeliveryStatusSession ( GetLeaseSetUpdateMsgID ( ) ) ; // remove previous
SetLeaseSetUpdateStatus ( eLeaseSetSubmitted ) ;
SetLeaseSetUpdateMsgID ( leaseSet - > GetMsgID ( ) ) ;
SetLeaseSetSubmissionTime ( ts ) ;
2020-03-14 14:33:48 +01:00
GetOwner ( ) - > DeliveryStatusSent ( shared_from_this ( ) , leaseSet - > GetMsgID ( ) ) ;
2020-03-08 23:13:41 +01:00
}
2020-03-27 00:03:38 +01:00
if ( m_AckRequests . size ( ) > 0 )
payloadLen + = m_AckRequests . size ( ) * 4 + 3 ;
2020-01-23 20:26:40 +01:00
uint8_t paddingSize ;
RAND_bytes ( & paddingSize , 1 ) ;
paddingSize & = 0x0F ; paddingSize + + ; // 1 - 16
2020-01-30 01:27:38 +01:00
payloadLen + = paddingSize + 3 ;
2020-01-22 20:26:47 +01:00
std : : vector < uint8_t > v ( payloadLen ) ;
size_t offset = 0 ;
2020-01-23 20:26:40 +01:00
// DateTime
v [ offset ] = eECIESx25519BlkDateTime ; offset + + ;
htobe16buf ( v . data ( ) + offset , 4 ) ; offset + = 2 ;
2020-03-08 23:13:41 +01:00
htobe32buf ( v . data ( ) + offset , ts / 1000 ) ; offset + = 4 ; // in seconds
2020-01-23 20:26:40 +01:00
// LeaseSet
2020-01-22 20:26:47 +01:00
if ( leaseSet )
offset + = CreateGarlicClove ( leaseSet , v . data ( ) + offset , payloadLen - offset ) ;
2020-03-08 23:13:41 +01:00
// DeliveryStatus
if ( deliveryStatus )
offset + = CreateDeliveryStatusClove ( deliveryStatus , v . data ( ) + offset , payloadLen - offset ) ;
2020-01-23 20:26:40 +01:00
// msg
2020-01-30 17:48:32 +01:00
if ( msg & & m_Destination )
offset + = CreateGarlicClove ( msg , v . data ( ) + offset , payloadLen - offset , true ) ;
2020-03-27 00:03:38 +01:00
// ack
if ( m_AckRequests . size ( ) > 0 )
{
v [ offset ] = eECIESx25519BlkAck ; offset + + ;
htobe16buf ( v . data ( ) + offset , m_AckRequests . size ( ) * 4 ) ; offset + = 2 ;
for ( auto & it : m_AckRequests )
{
htobe16buf ( v . data ( ) + offset , it . first ) ; offset + = 2 ;
htobe16buf ( v . data ( ) + offset , it . second ) ; offset + = 2 ;
}
m_AckRequests . clear ( ) ;
}
2020-01-23 20:26:40 +01:00
// padding
v [ offset ] = eECIESx25519BlkPadding ; offset + + ;
htobe16buf ( v . data ( ) + offset , paddingSize ) ; offset + = 2 ;
2020-01-30 01:27:38 +01:00
memset ( v . data ( ) + offset , 0 , paddingSize ) ; offset + = paddingSize ;
2020-01-17 17:21:41 +01:00
return v ;
2020-01-22 20:26:47 +01:00
}
2020-01-30 17:48:32 +01:00
size_t ECIESX25519AEADRatchetSession : : CreateGarlicClove ( std : : shared_ptr < const I2NPMessage > msg , uint8_t * buf , size_t len , bool isDestination )
2020-01-22 20:26:47 +01:00
{
if ( ! msg ) return 0 ;
uint16_t cloveSize = msg - > GetPayloadLength ( ) + 9 + 1 ;
2020-01-30 17:48:32 +01:00
if ( isDestination ) cloveSize + = 32 ;
2020-01-22 20:26:47 +01:00
if ( ( int ) len < cloveSize + 3 ) return 0 ;
buf [ 0 ] = eECIESx25519BlkGalicClove ; // clove type
2020-01-30 17:48:32 +01:00
htobe16buf ( buf + 1 , cloveSize ) ; // size
buf + = 3 ;
if ( isDestination )
{
* buf = ( eGarlicDeliveryTypeDestination < < 5 ) ;
memcpy ( buf + 1 , * m_Destination , 32 ) ; buf + = 32 ;
}
else
* buf = 0 ;
buf + + ; // flag and delivery instructions
* buf = msg - > GetTypeID ( ) ; // I2NP msg type
htobe32buf ( buf + 1 , msg - > GetMsgID ( ) ) ; // msgID
htobe32buf ( buf + 5 , msg - > GetExpiration ( ) / 1000 ) ; // expiration in seconds
memcpy ( buf + 9 , msg - > GetPayload ( ) , msg - > GetPayloadLength ( ) ) ;
2020-01-22 20:26:47 +01:00
return cloveSize + 3 ;
2020-02-03 22:21:07 +01:00
}
2020-02-09 23:19:42 +01:00
2020-03-08 23:13:41 +01:00
size_t ECIESX25519AEADRatchetSession : : CreateDeliveryStatusClove ( std : : shared_ptr < const I2NPMessage > msg , uint8_t * buf , size_t len )
{
uint16_t cloveSize = msg - > GetPayloadLength ( ) + 9 + 37 /* delivery instruction */ ;
if ( ( int ) len < cloveSize + 3 ) return 0 ;
buf [ 0 ] = eECIESx25519BlkGalicClove ; // clove type
htobe16buf ( buf + 1 , cloveSize ) ; // size
buf + = 3 ;
if ( GetOwner ( ) )
{
auto inboundTunnel = GetOwner ( ) - > GetTunnelPool ( ) - > GetNextInboundTunnel ( ) ;
if ( inboundTunnel )
{
// delivery instructions
* buf = eGarlicDeliveryTypeTunnel < < 5 ; buf + + ; // delivery instructions flag tunnel
// hash and tunnelID sequence is reversed for Garlic
memcpy ( buf , inboundTunnel - > GetNextIdentHash ( ) , 32 ) ; buf + = 32 ; // To Hash
htobe32buf ( buf , inboundTunnel - > GetNextTunnelID ( ) ) ; buf + = 4 ; // tunnelID
}
else
{
LogPrint ( eLogError , " Garlic: No inbound tunnels in the pool for DeliveryStatus " ) ;
return 0 ;
}
2020-03-16 21:41:07 +01:00
* buf = msg - > GetTypeID ( ) ; // I2NP msg type
2020-03-08 23:13:41 +01:00
htobe32buf ( buf + 1 , msg - > GetMsgID ( ) ) ; // msgID
htobe32buf ( buf + 5 , msg - > GetExpiration ( ) / 1000 ) ; // expiration in seconds
memcpy ( buf + 9 , msg - > GetPayload ( ) , msg - > GetPayloadLength ( ) ) ;
}
else
return 0 ;
return cloveSize + 3 ;
}
2020-02-09 23:19:42 +01:00
void ECIESX25519AEADRatchetSession : : GenerateMoreReceiveTags ( int numTags )
{
for ( int i = 0 ; i < numTags ; i + + )
{
auto index = m_ReceiveTagset . GetNextIndex ( ) ;
uint64_t tag = m_ReceiveTagset . GetNextSessionTag ( ) ;
GetOwner ( ) - > AddECIESx25519SessionTag ( index , tag , shared_from_this ( ) ) ;
}
}
2020-03-14 21:35:34 +01:00
bool ECIESX25519AEADRatchetSession : : CheckExpired ( uint64_t ts )
{
CleanupUnconfirmedLeaseSet ( ts ) ;
return ts > m_LastActivityTimestamp + ECIESX25519_EXPIRATION_TIMEOUT ;
}
2020-01-15 21:13:43 +01:00
}
}