handle follow-on NSR messages

libi2pd/ECIESX25519AEADRatchetSession.cpp

@@ -9,6 +9,7 @@
 #include <string.h>
 #include <openssl/sha.h>
 #include "Log.h"
+#include "util.h"
 #include "Crypto.h"
 #include "Elligator.h"
 #include "Tag.h"
@@ -619,18 +620,15 @@ namespace garlic
 		}
 		buf += 32; len -= 32;
 		// KDF for Reply Key Section
-		uint8_t h[32]; memcpy (h, m_H, 32); // save m_H
+		i2p::util::SaveStateHelper<i2p::crypto::NoiseSymmetricState> s(*this); // restore noise state on exit
 		MixHash (tag, 8); // h = SHA256(h || tag)
 		MixHash (bepk, 32); // h = SHA256(h || bepk)
 		uint8_t sharedSecret[32];
-		if (m_State == eSessionStateNewSessionSent)
-		{
-			// only fist time, we assume ephemeral keys the same
 		m_EphemeralKeys->Agree (bepk, sharedSecret); // sharedSecret = x25519(aesk, bepk)
 		MixKey (sharedSecret);
 		GetOwner ()->Decrypt (bepk, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD); // x25519 (ask, bepk)
 		MixKey (sharedSecret);
-		}
+
 		uint8_t nonce[12];
 		CreateNonce (0, nonce);
 		// calculate hash for zero length
@@ -646,6 +644,7 @@ namespace garlic
 		i2p::crypto::HKDF (m_CK, nullptr, 0, "", keydata); // keydata = HKDF(chainKey, ZEROLEN, "", 64)
 		if (m_State == eSessionStateNewSessionSent)
 		{
+			// only first time, then we keep using existing tagsets
 			// k_ab = keydata[0:31], k_ba = keydata[32:63]
 			m_SendTagset = std::make_shared<RatchetTagSet>(shared_from_this ());
 			m_SendTagset->DHInitialize (m_CK, keydata); // tagset_ab = DH_INITIALIZE(chainKey, k_ab)
@@ -667,11 +666,10 @@ namespace garlic
 		if (m_State == eSessionStateNewSessionSent)
 		{
 			m_State = eSessionStateEstablished;
-			m_EphemeralKeys = nullptr;
+			//m_EphemeralKeys = nullptr; // TODO: delete after a while
 			m_SessionCreatedTimestamp = i2p::util::GetSecondsSinceEpoch ();
 			GetOwner ()->AddECIESx25519Session (m_RemoteStaticKey, shared_from_this ());
 		}
-		memcpy (m_H, h, 32); // restore m_H
 		HandlePayload (buf, len - 16, nullptr, 0);
 
 		// we have received reply to NS with LeaseSet in it
@@ -762,12 +760,16 @@ namespace garlic
 				[[fallthrough]];
 #endif
 			case eSessionStateEstablished:
-				if (HandleExistingSessionMessage (buf, len, receiveTagset, index)) return true;
+				if (receiveTagset->IsNS ())
-				// check NSR just in case
+				{	
+					// our of sequence NSR 
 					LogPrint (eLogDebug, "Garlic: check for out of order NSR with index ", index);
 					if (receiveTagset->GetNextIndex () - index < ECIESX25519_NSR_NUM_GENERATED_TAGS/2)
 						GenerateMoreReceiveTags (receiveTagset, ECIESX25519_NSR_NUM_GENERATED_TAGS);
 					return HandleNewOutgoingSessionReply (buf, len);
+				}	
+				else
+					return HandleExistingSessionMessage (buf, len, receiveTagset, index);
 			case eSessionStateNew:
 				return HandleNewIncomingSession (buf, len);
 			case eSessionStateNewSessionSent:

libi2pd/ECIESX25519AEADRatchetSession.h

@@ -45,6 +45,7 @@ namespace garlic
 		public:
 
 			RatchetTagSet (std::shared_ptr<ECIESX25519AEADRatchetSession> session): m_Session (session) {};
+			virtual bool IsNS () const { return false; };
 			
 			void DHInitialize (const uint8_t * rootKey, const uint8_t * k);
 			void NextSessionTagRatchet ();
@@ -92,6 +93,8 @@ namespace garlic
 			NSRatchetTagSet (std::shared_ptr<ECIESX25519AEADRatchetSession> session):
 				RatchetTagSet (session), m_DummySession (session) {};
 
+			bool IsNS () const { return true; };
+			
 		private:
 
 			std::shared_ptr<ECIESX25519AEADRatchetSession> m_DummySession; // we need a strong pointer for NS

libi2pd/util.h

@@ -170,6 +170,20 @@ namespace util
 
 	void SetThreadName (const char *name);
 
+	template<typename T>
+	class SaveStateHelper
+	{
+		public:
+
+			SaveStateHelper (T& orig): m_Original (orig), m_Copy (orig) {};
+			~SaveStateHelper () { m_Original = m_Copy; };
+			
+		private:
+
+			T& m_Original;
+			T m_Copy;
+	};	
+	
 	namespace net
 	{
 		int GetMTU (const boost::asio::ip::address& localAddress);