From 32fc6482ccc3394f19a86b15ee920cbcffb92417 Mon Sep 17 00:00:00 2001
From: orignal <i2porignal@yandex.ru>
Date: Thu, 3 Dec 2020 17:58:37 -0500
Subject: [PATCH] moved Noise initializations to Crypto.cpp

---
 libi2pd/Crypto.cpp                        | 61 +++++++++++++++++++++++
 libi2pd/Crypto.h                          |  4 ++
 libi2pd/ECIESX25519AEADRatchetSession.cpp | 24 ++-------
 libi2pd/ECIESX25519AEADRatchetSession.h   |  1 -
 libi2pd/NTCP2.cpp                         | 18 +------
 libi2pd/RouterContext.cpp                 |  4 +-
 libi2pd/TunnelConfig.cpp                  | 15 +-----
 libi2pd/TunnelConfig.h                    |  2 -
 8 files changed, 71 insertions(+), 58 deletions(-)

diff --git a/libi2pd/Crypto.cpp b/libi2pd/Crypto.cpp
index 523828ce..6055f888 100644
--- a/libi2pd/Crypto.cpp
+++ b/libi2pd/Crypto.cpp
@@ -1316,6 +1316,8 @@ namespace crypto
 #endif
 	}
 
+// Noise
+	
 	void NoiseSymmetricState::MixHash (const uint8_t * buf, size_t len)
 	{
 		SHA256_CTX ctx;
@@ -1331,6 +1333,65 @@ namespace crypto
 		// new ck is m_CK[0:31], key is m_CK[32:63]
 	}
 
+	void InitNoiseNState (NoiseSymmetricState& state, const uint8_t * pub)
+	{
+		// pub is Bob's public static key
+		static const char protocolName[] = "Noise_N_25519_ChaChaPoly_SHA256"; // 31 chars
+		static const uint8_t hh[32] =
+		{
+			0x69, 0x4d, 0x52, 0x44, 0x5a, 0x27, 0xd9, 0xad, 0xfa, 0xd2, 0x9c, 0x76, 0x32, 0x39, 0x5d, 0xc1, 
+			0xe4, 0x35, 0x4c, 0x69, 0xb4, 0xf9, 0x2e, 0xac, 0x8a, 0x1e, 0xe4, 0x6a, 0x9e, 0xd2, 0x15, 0x54
+		}; // hh = SHA256(protocol_name || 0)
+		memcpy (state.m_CK, protocolName, 32);	// ck = protocol_name || 0
+		SHA256_CTX ctx;
+		SHA256_Init (&ctx);
+		SHA256_Update (&ctx, hh, 32);
+		SHA256_Update (&ctx, pub, 32);
+		SHA256_Final (state.m_H, &ctx); // h = MixHash(pub) = SHA256(hh || pub)
+	}	
+
+	void InitNoiseXKState (NoiseSymmetricState& state, const uint8_t * pub)
+	{
+		// pub is Bob's public static key
+		static const uint8_t protocolNameHash[] =
+		{
+			0x72, 0xe8, 0x42, 0xc5, 0x45, 0xe1, 0x80, 0x80, 0xd3, 0x9c, 0x44, 0x93, 0xbb, 0x91, 0xd7, 0xed,
+			0xf2, 0x28, 0x98, 0x17, 0x71, 0x21, 0x8c, 0x1f, 0x62, 0x4e, 0x20, 0x6f, 0x28, 0xd3, 0x2f, 0x71
+		}; // SHA256 ("Noise_XKaesobfse+hs2+hs3_25519_ChaChaPoly_SHA256")
+		static const uint8_t hh[32] =
+		{
+			0x49, 0xff, 0x48, 0x3f, 0xc4, 0x04, 0xb9, 0xb2, 0x6b, 0x11, 0x94, 0x36, 0x72, 0xff, 0x05, 0xb5,
+			0x61, 0x27, 0x03, 0x31, 0xba, 0x89, 0xb8, 0xfc, 0x33, 0x15, 0x93, 0x87, 0x57, 0xdd, 0x3d, 0x1e
+		}; // SHA256 (protocolNameHash)
+		memcpy (state.m_CK, protocolNameHash, 32);
+		SHA256_CTX ctx;
+		SHA256_Init (&ctx);
+		SHA256_Update (&ctx, hh, 32);
+		SHA256_Update (&ctx, pub, 32);
+		SHA256_Final (state.m_H, &ctx);  // h = MixHash(pub) = SHA256(hh || pub)
+	}	
+
+	void InitNoiseIKState (NoiseSymmetricState& state, const uint8_t * pub)
+	{
+		// pub is Bob's public static key
+		static const uint8_t protocolNameHash[32] =
+		{
+			0x4c, 0xaf, 0x11, 0xef, 0x2c, 0x8e, 0x36, 0x56, 0x4c, 0x53, 0xe8, 0x88, 0x85, 0x06, 0x4d, 0xba,
+			0xac, 0xbe, 0x00, 0x54, 0xad, 0x17, 0x8f, 0x80, 0x79, 0xa6, 0x46, 0x82, 0x7e, 0x6e, 0xe4, 0x0c
+		}; // SHA256("Noise_IKelg2+hs2_25519_ChaChaPoly_SHA256"), 40 bytes
+		static const uint8_t hh[32] =
+		{
+			0x9c, 0xcf, 0x85, 0x2c, 0xc9, 0x3b, 0xb9, 0x50, 0x44, 0x41, 0xe9, 0x50, 0xe0, 0x1d, 0x52, 0x32,
+			0x2e, 0x0d, 0x47, 0xad, 0xd1, 0xe9, 0xa5, 0x55, 0xf7, 0x55, 0xb5, 0x69, 0xae, 0x18, 0x3b, 0x5c
+		}; // SHA256 (protocolNameHash)
+		memcpy (state.m_CK, protocolNameHash, 32);
+		SHA256_CTX ctx;
+		SHA256_Init (&ctx);
+		SHA256_Update (&ctx, hh, 32);
+		SHA256_Update (&ctx, pub, 32);
+		SHA256_Final (state.m_H, &ctx);  // h = MixHash(pub) = SHA256(hh || pub)
+	}	
+	
 // init and terminate
 
 /*	std::vector <std::unique_ptr<std::mutex> > m_OpenSSLMutexes;
diff --git a/libi2pd/Crypto.h b/libi2pd/Crypto.h
index da7a4bf4..c63cc45e 100644
--- a/libi2pd/Crypto.h
+++ b/libi2pd/Crypto.h
@@ -318,6 +318,10 @@ namespace crypto
 		void MixKey (const uint8_t * sharedSecret);	
 	};
 
+	void InitNoiseNState (NoiseSymmetricState& state, const uint8_t * pub); // Noise_N (tunnels, router)
+	void InitNoiseXKState (NoiseSymmetricState& state, const uint8_t * pub); // Noise_XK (NTCP2)
+	void InitNoiseIKState (NoiseSymmetricState& state, const uint8_t * pub); // Noise_IK (ratchets)
+	
 // init and terminate
 	void InitCrypto (bool precomputation, bool aesni, bool avx, bool force);
 	void TerminateCrypto ();
diff --git a/libi2pd/ECIESX25519AEADRatchetSession.cpp b/libi2pd/ECIESX25519AEADRatchetSession.cpp
index 00efee48..b3b30a1b 100644
--- a/libi2pd/ECIESX25519AEADRatchetSession.cpp
+++ b/libi2pd/ECIESX25519AEADRatchetSession.cpp
@@ -153,29 +153,12 @@ namespace garlic
 		GarlicRoutingSession (owner, attachLeaseSet)
 	{
 		RAND_bytes (m_PaddingSizes, 32); m_NextPaddingSize = 0;
-		ResetKeys ();
 	}
 
 	ECIESX25519AEADRatchetSession::~ECIESX25519AEADRatchetSession ()
 	{
 	}
 
-	void ECIESX25519AEADRatchetSession::ResetKeys ()
-	{
-		static const uint8_t protocolNameHash[32] =
-		{
-			0x4c, 0xaf, 0x11, 0xef, 0x2c, 0x8e, 0x36, 0x56, 0x4c, 0x53, 0xe8, 0x88, 0x85, 0x06, 0x4d, 0xba,
-			0xac, 0xbe, 0x00, 0x54, 0xad, 0x17, 0x8f, 0x80, 0x79, 0xa6, 0x46, 0x82, 0x7e, 0x6e, 0xe4, 0x0c
-		}; // SHA256("Noise_IKelg2+hs2_25519_ChaChaPoly_SHA256"), 40 bytes
-		static const uint8_t hh[32] =
-		{
-			0x9c, 0xcf, 0x85, 0x2c, 0xc9, 0x3b, 0xb9, 0x50, 0x44, 0x41, 0xe9, 0x50, 0xe0, 0x1d, 0x52, 0x32,
-			0x2e, 0x0d, 0x47, 0xad, 0xd1, 0xe9, 0xa5, 0x55, 0xf7, 0x55, 0xb5, 0x69, 0xae, 0x18, 0x3b, 0x5c
-		}; // SHA256 (protocolNameHash)
-		memcpy (m_CK, protocolNameHash, 32);
-		memcpy (m_H, hh, 32);
-	}
-
 	void ECIESX25519AEADRatchetSession::CreateNonce (uint64_t seqn, uint8_t * nonce)
 	{
 		memset (nonce, 0, 4);
@@ -236,8 +219,8 @@ namespace garlic
 		if (!GetOwner ()) return false;
 		// we are Bob
 		// KDF1
-		MixHash (GetOwner ()->GetEncryptionPublicKey (i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD), 32); // h = SHA256(h || bpk)
-
+		i2p::crypto::InitNoiseIKState (*this, GetOwner ()->GetEncryptionPublicKey (i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD)); // bpk
+		
 		if (!i2p::crypto::GetElligator ()->Decode (buf, m_Aepk))
 		{
 			LogPrint (eLogError, "Garlic: Can't decode elligator");
@@ -448,7 +431,6 @@ namespace garlic
 
 	bool ECIESX25519AEADRatchetSession::NewOutgoingSessionMessage (const uint8_t * payload, size_t len, uint8_t * out, size_t outLen, bool isStatic)
 	{
-		ResetKeys ();
 		// we are Alice, bpk is m_RemoteStaticKey
 		size_t offset = 0;
 		if (!GenerateEphemeralKeysAndEncode (out + offset))
@@ -459,7 +441,7 @@ namespace garlic
 		offset += 32;
 
 		// KDF1
-		MixHash (m_RemoteStaticKey, 32); // h = SHA256(h || bpk)
+		i2p::crypto::InitNoiseIKState (*this, m_RemoteStaticKey); // bpk
 		MixHash (m_EphemeralKeys->GetPublicKey (), 32); // h = SHA256(h || aepk)
 		uint8_t sharedSecret[32];
 		m_EphemeralKeys->Agree (m_RemoteStaticKey, sharedSecret); // x25519(aesk, bpk)
diff --git a/libi2pd/ECIESX25519AEADRatchetSession.h b/libi2pd/ECIESX25519AEADRatchetSession.h
index 755531a3..e71d9782 100644
--- a/libi2pd/ECIESX25519AEADRatchetSession.h
+++ b/libi2pd/ECIESX25519AEADRatchetSession.h
@@ -178,7 +178,6 @@ namespace garlic
 
 		private:
 
-			void ResetKeys ();
 			void CreateNonce (uint64_t seqn, uint8_t * nonce);
 			bool GenerateEphemeralKeysAndEncode (uint8_t * buf); // buf is 32 bytes
 			std::shared_ptr<RatchetTagSet> CreateNewSessionTagset ();
diff --git a/libi2pd/NTCP2.cpp b/libi2pd/NTCP2.cpp
index bb54437e..1706399d 100644
--- a/libi2pd/NTCP2.cpp
+++ b/libi2pd/NTCP2.cpp
@@ -41,23 +41,7 @@ namespace transport
 
 	void NTCP2Establisher::KeyDerivationFunction1 (const uint8_t * pub, i2p::crypto::X25519Keys& priv, const uint8_t * rs, const uint8_t * epub)
 	{
-		static const uint8_t protocolNameHash[] =
-		{
-			0x72, 0xe8, 0x42, 0xc5, 0x45, 0xe1, 0x80, 0x80, 0xd3, 0x9c, 0x44, 0x93, 0xbb, 0x91, 0xd7, 0xed,
-			0xf2, 0x28, 0x98, 0x17, 0x71, 0x21, 0x8c, 0x1f, 0x62, 0x4e, 0x20, 0x6f, 0x28, 0xd3, 0x2f, 0x71
-		}; // SHA256 ("Noise_XKaesobfse+hs2+hs3_25519_ChaChaPoly_SHA256")
-		static const uint8_t hh[32] =
-		{
-			0x49, 0xff, 0x48, 0x3f, 0xc4, 0x04, 0xb9, 0xb2, 0x6b, 0x11, 0x94, 0x36, 0x72, 0xff, 0x05, 0xb5,
-			0x61, 0x27, 0x03, 0x31, 0xba, 0x89, 0xb8, 0xfc, 0x33, 0x15, 0x93, 0x87, 0x57, 0xdd, 0x3d, 0x1e
-		}; // SHA256 (protocolNameHash)
-		memcpy (m_CK, protocolNameHash, 32);
-		// h = SHA256(hh || rs)
-		SHA256_CTX ctx;
-		SHA256_Init (&ctx);
-		SHA256_Update (&ctx, hh, 32);
-		SHA256_Update (&ctx, rs, 32);
-		SHA256_Final (m_H, &ctx);
+		i2p::crypto::InitNoiseXKState (*this, rs);
 		// h = SHA256(h || epub)
 		MixHash (epub, 32);
 		// x25519 between pub and priv
diff --git a/libi2pd/RouterContext.cpp b/libi2pd/RouterContext.cpp
index cdab624c..3c066532 100644
--- a/libi2pd/RouterContext.cpp
+++ b/libi2pd/RouterContext.cpp
@@ -19,7 +19,6 @@
 #include "version.h"
 #include "Log.h"
 #include "Family.h"
-#include "TunnelConfig.h"
 #include "RouterContext.h"
 
 namespace i2p
@@ -45,8 +44,7 @@ namespace i2p
 		if (IsECIES ())
 		{	
 			auto initState = new i2p::crypto::NoiseSymmetricState ();
-			i2p::tunnel::InitBuildRequestRecordNoiseState (*initState);
-			initState->MixHash (GetIdentity ()->GetEncryptionPublicKey (), 32); // h = SHA256(h || hepk)
+			i2p::crypto::InitNoiseNState (*initState, GetIdentity ()->GetEncryptionPublicKey ());
 			m_InitialNoiseState.reset (initState);	
 		}	
 	}
diff --git a/libi2pd/TunnelConfig.cpp b/libi2pd/TunnelConfig.cpp
index a1b234a1..d43483c0 100644
--- a/libi2pd/TunnelConfig.cpp
+++ b/libi2pd/TunnelConfig.cpp
@@ -127,10 +127,9 @@ namespace tunnel
 	void TunnelHopConfig::EncryptECIES (std::shared_ptr<i2p::crypto::CryptoKeyEncryptor>& encryptor, 
 			const uint8_t * plainText, uint8_t * encrypted, BN_CTX * ctx)
 	{
-		InitBuildRequestRecordNoiseState (*this);
 		uint8_t hepk[32];
 		encryptor->Encrypt (nullptr, hepk, nullptr, false); 
-		MixHash (hepk, 32); // h = SHA256(h || hepk)
+		i2p::crypto::InitNoiseNState (*this, hepk);
 		auto ephemeralKeys = i2p::transport::transports.GetNextX25519KeysPair ();
 		memcpy (encrypted, ephemeralKeys->GetPublicKey (), 32);  
 		MixHash (encrypted, 32); // h = SHA256(h || sepk)
@@ -148,17 +147,5 @@ namespace tunnel
 		}	
 		MixHash (encrypted, ECIES_BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE + 16); // h = SHA256(h || ciphertext)
 	}	
-
-	void InitBuildRequestRecordNoiseState (i2p::crypto::NoiseSymmetricState& state)
-	{
-		static const char protocolName[] = "Noise_N_25519_ChaChaPoly_SHA256"; // 31 chars
-		static const uint8_t hh[32] =
-		{
-			0x69, 0x4d, 0x52, 0x44, 0x5a, 0x27, 0xd9, 0xad, 0xfa, 0xd2, 0x9c, 0x76, 0x32, 0x39, 0x5d, 0xc1, 
-			0xe4, 0x35, 0x4c, 0x69, 0xb4, 0xf9, 0x2e, 0xac, 0x8a, 0x1e, 0xe4, 0x6a, 0x9e, 0xd2, 0x15, 0x54
-		}; // SHA256 (protocol_name || 0)
-		memcpy (state.m_CK, protocolName, 32);	// ck = h = protocol_name || 0
-		memcpy (state.m_H, hh, 32); // h = SHA256(h)
-	}	
 }
 }
\ No newline at end of file
diff --git a/libi2pd/TunnelConfig.h b/libi2pd/TunnelConfig.h
index 9aed0d25..45693970 100644
--- a/libi2pd/TunnelConfig.h
+++ b/libi2pd/TunnelConfig.h
@@ -44,8 +44,6 @@ namespace tunnel
 		void EncryptECIES (std::shared_ptr<i2p::crypto::CryptoKeyEncryptor>& encryptor, 
 			const uint8_t * clearText, uint8_t * encrypted, BN_CTX * ctx);
 	};
-
-	void InitBuildRequestRecordNoiseState (i2p::crypto::NoiseSymmetricState& state);	
 	
 	class TunnelConfig
 	{