i2pd/SSU.cpp

#include <string.h>
#include <boost/bind.hpp>
#include <cryptopp/dh.h>
#include <cryptopp/secblock.h>
#include "CryptoConst.h"
#include "Log.h"
#include "Timestamp.h"
#include "RouterContext.h"
#include "hmac.h"
#include "SSU.h"

namespace i2p
{
namespace ssu
{

	SSUSession::SSUSession (SSUServer * server, boost::asio::ip::udp::endpoint& remoteEndpoint,
		const i2p::data::RouterInfo * router): m_Server (server), m_RemoteEndpoint (remoteEndpoint), 
		m_RemoteRouter (router), m_State (eSessionStateUnknown)
	{
	}

	void SSUSession::CreateAESandMacKey (uint8_t * pubKey, uint8_t * aesKey, uint8_t * macKey)
	{
		CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
		CryptoPP::SecByteBlock secretKey(dh.AgreedValueLength());
		if (!dh.Agree (secretKey, i2p::context.GetPrivateKey (), pubKey))
		{    
		    LogPrint ("Couldn't create shared key");
			return;
		};

		if (secretKey[0] & 0x80)
		{
			aesKey[0] = 0;
			memcpy (aesKey + 1, secretKey, 31);
			memcpy (macKey, secretKey + 31, 32);
		}	
		else
		{	
			memcpy (aesKey, secretKey, 32);
			memcpy (macKey, secretKey + 32, 32);
		}
	}		

	void SSUSession::ProcessNextMessage (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint)
	{
		switch (m_State)
		{
			case eSessionStateConfirmedSent:
			case eSessionStateEstablished:
				// most common case
				ProcessMessage (buf, len);
			break;
			// establishing
			case eSessionStateUnknown:
				// session request
				ProcessSessionRequest (buf, len, senderEndpoint);
			break;
			case eSessionStateRequestSent:
				// session created
				ProcessSessionCreated (buf, len);
			break;
			case eSessionStateCreatedSent:
				// session confirmed
				ProcessSessionConfirmed (buf, len);
			break;
			case eSessionRelayRequestSent:
				// relay response
				ProcessRelayResponse (buf,len);
			break;
			case eSessionRelayResponseReceived:
				// HolePunch received
				LogPrint ("SSU HolePuch of ", len, " bytes received");
				m_State = eSessionStateEstablished;
				Established ();
			break;	
			case eSessionRelayRequestReceived:
				// HolePunch
				m_State = eSessionStateUnknown;
				Connect ();
			break;
			default:
				LogPrint ("SSU state not implemented yet");
		}
	}

	void SSUSession::ProcessMessage (uint8_t * buf, size_t len)
	{
		if (Validate (buf, len, m_MacKey))
		{
			Decrypt (buf, len, m_SessionKey);
			SSUHeader * header = (SSUHeader *)buf;
			uint8_t payloadType = header->flag >> 4;
			switch (payloadType)
			{
				case PAYLOAD_TYPE_DATA:
					LogPrint ("SSU data received");
					ProcessData (buf + sizeof (SSUHeader), len - sizeof (SSUHeader));
				break;
				case PAYLOAD_TYPE_TEST:
					LogPrint ("SSU test received");
				break;
				case PAYLOAD_TYPE_SESSION_DESTROYED:
				{
					LogPrint ("SSU session destroy received");
					if (m_Server)
						m_Server->DeleteSession (this); // delete this 
					break;
				}	
				case PAYLOAD_TYPE_RELAY_INTRO:
					LogPrint ("SSU relay intro received");
					// TODO:
				break;
				default:
					LogPrint ("Unexpected SSU payload type ", (int)payloadType);
			}
		}
		else
		{
			LogPrint ("MAC key failed. Trying intro key");	
			auto introKey = GetIntroKey ();
			if (introKey && Validate (buf, len, introKey))
			{
				Decrypt (buf, len, introKey);
				SSUHeader * header = (SSUHeader *)buf;
				LogPrint ("Unexpected SSU payload type ", (int)(header->flag >> 4));
				// TODO:
			}	
			else	
				LogPrint ("MAC verifcation failed");	
			m_State = eSessionStateUnknown;
		}
	}

	void SSUSession::ProcessSessionRequest (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint)
	{
		LogPrint ("Process session request");
		// use our intro key
		if (ProcessIntroKeyEncryptedMessage (PAYLOAD_TYPE_SESSION_REQUEST, buf, len))
		{
			m_State = eSessionStateRequestReceived;
			LogPrint ("Session request received");	
			m_RemoteEndpoint = senderEndpoint;
			SendSessionCreated (buf + sizeof (SSUHeader));
		}
	}

	void SSUSession::ProcessSessionCreated (uint8_t * buf, size_t len)
	{
		LogPrint ("Process session created");
		if (!m_RemoteRouter)
		{
			LogPrint ("Unsolicited session created message");
			return;
		}

		// use remote intro key
		if (ProcessIntroKeyEncryptedMessage (PAYLOAD_TYPE_SESSION_CREATED, buf, len))
		{
			m_State = eSessionStateCreatedReceived;
			LogPrint ("Session created received");	
			uint8_t signedData[532]; // x,y, our IP, our port, remote IP, remote port, relayTag, signed on time 
			uint8_t * payload = buf + sizeof (SSUHeader);
			uint8_t * y = payload;
			memcpy (signedData, i2p::context.GetRouterIdentity ().publicKey, 256); // x
			memcpy (signedData + 256, y, 256); // y
			payload += 256;
			payload += 1; // size, assume 4
			uint8_t * ourAddress = payload;
			boost::asio::ip::address_v4 ourIP (be32toh (*(uint32_t* )ourAddress));
			payload += 4; // address
			uint16_t ourPort = be16toh (*(uint16_t *)payload);
			payload += 2; // port
			memcpy (signedData + 512, ourAddress, 6); // our IP and port 
			LogPrint ("Our external address is ", ourIP.to_string (), ":", ourPort);
			i2p::context.UpdateAddress (ourIP.to_string ().c_str ());
			*(uint32_t *)(signedData + 518) = htobe32 (m_RemoteEndpoint.address ().to_v4 ().to_ulong ()); // remote IP
			*(uint16_t *)(signedData + 522) = htobe16 (m_RemoteEndpoint.port ()); // remote port
			memcpy (signedData + 524, payload, 8); // relayTag and signed on time 
			uint32_t relayTag = be32toh (*(uint32_t *)payload);
			payload += 4; // relayTag
			payload += 4; // signed on time
			// decrypt DSA signature
			m_Decryption.SetKeyWithIV (m_SessionKey, 32, ((SSUHeader *)buf)->iv);
			m_Decryption.ProcessData (payload, payload, 48);
			// verify
			CryptoPP::DSA::PublicKey pubKey;
			pubKey.Initialize (i2p::crypto::dsap, i2p::crypto::dsaq, i2p::crypto::dsag, CryptoPP::Integer (m_RemoteRouter->GetRouterIdentity ().signingKey, 128));
			CryptoPP::DSA::Verifier verifier (pubKey);
			if (!verifier.VerifyMessage (signedData, 532, payload, 40))
				LogPrint ("SSU signature verification failed");
			
			SendSessionConfirmed (y, ourAddress, relayTag);
		}
	}	

	void SSUSession::ProcessSessionConfirmed (uint8_t * buf, size_t len)
	{
		LogPrint ("Process session confirmed");
		if (Validate (buf, len, m_MacKey))
		{
			Decrypt (buf, len, m_SessionKey);
			SSUHeader * header = (SSUHeader *)buf;
			if ((header->flag >> 4) == PAYLOAD_TYPE_SESSION_CONFIRMED)
			{
				m_State = eSessionStateConfirmedReceived;
				LogPrint ("Session confirmed received");		
				m_State = eSessionStateEstablished;
				SendI2NPMessage (CreateDeliveryStatusMsg (0));
				Established ();
			}
			else
				LogPrint ("Unexpected payload type ", (int)(header->flag >> 4));	
		}
		else
			LogPrint ("MAC verifcation failed");	
	}

	void SSUSession::SendSessionRequest ()
	{
		auto introKey = GetIntroKey ();
		if (!introKey)
		{
			LogPrint ("SSU is not supported");
			return;
		}
	
		uint8_t buf[304 + 18]; // 304 bytes for ipv4 (320 for ipv6)
		uint8_t * payload = buf + sizeof (SSUHeader);
		memcpy (payload, i2p::context.GetRouterIdentity ().publicKey, 256);
		payload[256] = 4; // we assume ipv4
		*(uint32_t *)(payload + 257) =  htobe32 (m_RemoteEndpoint.address ().to_v4 ().to_ulong ()); 
		
		uint8_t iv[16];
		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
		rnd.GenerateBlock (iv, 16); // random iv
		FillHeaderAndEncrypt (PAYLOAD_TYPE_SESSION_REQUEST, buf, 304, introKey, iv, introKey);
		
		m_State = eSessionStateRequestSent;		
		m_Server->Send (buf, 304, m_RemoteEndpoint);
	}

	void SSUSession::SendRelayRequest (const i2p::data::RouterInfo::Introducer& introducer)
	{
		auto address = i2p::context.GetRouterInfo ().GetSSUAddress ();
		if (!address)
		{
			LogPrint ("SSU is not supported");
			return;
		}
	
		uint8_t buf[96 + 18]; 
		uint8_t * payload = buf + sizeof (SSUHeader);
		*(uint32_t *)payload = htobe32 (introducer.iTag);
		payload += 4;
		*payload = 0; // no address
		payload++;
		*(uint16_t *)payload = 0; // port = 0
		payload += 2;
		*payload = 0; // challenge
		payload++;	
		memcpy (payload, address->key, 32);
		payload += 32;
		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
		*(uint32_t *)payload = htobe32 (rnd.GenerateWord32 ()); // nonce	

		uint8_t iv[16];
		rnd.GenerateBlock (iv, 16); // random iv
		FillHeaderAndEncrypt (PAYLOAD_TYPE_RELAY_REQUEST, buf, 96, introducer.iKey, iv, introducer.iKey);
		m_State = eSessionRelayRequestSent;		
		m_Server->Send (buf, 96, m_RemoteEndpoint);
	}

	void SSUSession::SendSessionCreated (const uint8_t * x)
	{
		auto introKey = GetIntroKey ();
		auto address = i2p::context.GetRouterInfo ().GetSSUAddress ();
		if (!introKey || !address)
		{
			LogPrint ("SSU is not supported");
			return;
		}
		uint8_t signedData[532]; // x,y, remote IP, remote port, our IP, our port, relayTag, signed on time 
		memcpy (signedData, x, 256); // x

		uint8_t buf[368 + 18];	
		uint8_t * payload = buf + sizeof (SSUHeader);
		memcpy (payload, i2p::context.GetRouterIdentity ().publicKey, 256);
		memcpy (signedData + 256, payload, 256); // y
		payload += 256;
		*payload = 4; // we assume ipv4
		payload++;
		*(uint32_t *)(payload) = htobe32 (m_RemoteEndpoint.address ().to_v4 ().to_ulong ()); 
		payload += 4;
		*(uint16_t *)(payload) = htobe16 (m_RemoteEndpoint.port ());
		payload += 2;
		memcpy (signedData + 512, payload - 6, 6); // remote endpoint IP and port 
		*(uint32_t *)(signedData + 518) = htobe32 (address->host.to_v4 ().to_ulong ()); // our IP
		*(uint16_t *)(signedData + 522) = htobe16 (address->port); // our port
		*(uint32_t *)(payload) = 0; //  relay tag, always 0 for now
		payload += 4; 
		*(uint32_t *)(payload) = htobe32 (i2p::util::GetSecondsSinceEpoch ()); // signed on time
		payload += 4;
		memcpy (signedData + 524, payload - 8, 8); // relayTag and signed on time 
		i2p::context.Sign (signedData, 532, payload); // DSA signature
		// TODO: fill padding with random data	

		uint8_t iv[16];
		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
		rnd.GenerateBlock (iv, 16); // random iv
		// encrypt signature and 8 bytes padding with newly created session key	
		m_Encryption.SetKeyWithIV (m_SessionKey, 32, iv);
		m_Encryption.ProcessData (payload, payload, 48);

		// encrypt message with intro key
		FillHeaderAndEncrypt (PAYLOAD_TYPE_SESSION_CREATED, buf, 368, introKey, iv, introKey);
		m_State = eSessionStateCreatedSent;		
		m_Server->Send (buf, 368, m_RemoteEndpoint);
	}

	void SSUSession::SendSessionConfirmed (const uint8_t * y, const uint8_t * ourAddress, uint32_t relayTag)
	{
		uint8_t buf[480 + 18];
		uint8_t * payload = buf + sizeof (SSUHeader);
		*payload = 1; // 1 fragment
		payload++; // info
		size_t identLen = sizeof (i2p::context.GetRouterIdentity ()); // 387 bytes
		*(uint16_t *)(payload) =  htobe16 (identLen);
		payload += 2; // cursize
		memcpy (payload, (uint8_t *)&i2p::context.GetRouterIdentity (), identLen);
		payload += identLen;
		uint32_t signedOnTime = i2p::util::GetSecondsSinceEpoch ();
		*(uint32_t *)(payload) = htobe32 (signedOnTime); // signed on time
		payload += 4;
		size_t paddingSize = ((payload - buf) + 40)%16;
		if (paddingSize > 0) paddingSize = 16 - paddingSize;
		// TODO: fill padding	
		payload += paddingSize; // padding size

		// signature		
		uint8_t signedData[532]; // x,y, our IP, our port, remote IP, remote port, relayTag, our signed on time 
		memcpy (signedData, i2p::context.GetRouterIdentity ().publicKey, 256); // x
		memcpy (signedData + 256, y, 256); // y
		memcpy (signedData + 512, ourAddress, 6); // our address/port as seem by party
		*(uint32_t *)(signedData + 518) = htobe32 (m_RemoteEndpoint.address ().to_v4 ().to_ulong ()); // remote IP
		*(uint16_t *)(signedData + 522) = htobe16 (m_RemoteEndpoint.port ()); // remote port
		*(uint32_t *)(signedData + 524) = htobe32 (relayTag); // relay tag
		*(uint32_t *)(signedData + 528) = htobe32 (signedOnTime); // signed on time
		i2p::context.Sign (signedData, 532, payload); // DSA signature	

		uint8_t iv[16];
		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
		rnd.GenerateBlock (iv, 16); // random iv
		// encrypt message with session key
		FillHeaderAndEncrypt (PAYLOAD_TYPE_SESSION_CONFIRMED, buf, 480, m_SessionKey, iv, m_MacKey);
		m_State = eSessionStateConfirmedSent;	
		m_Server->Send (buf, 480, m_RemoteEndpoint);
	}

	void SSUSession::ProcessRelayResponse (uint8_t * buf, size_t len)
	{
		LogPrint ("Process relay response");
		auto address = i2p::context.GetRouterInfo ().GetSSUAddress ();
		if (!address)
		{
			LogPrint ("SSU is not supported");
			return;
		}

		if (Validate (buf, len, address->key))
		{
			Decrypt (buf, len, address->key);
			SSUHeader * header = (SSUHeader *)buf;
			if ((header->flag >> 4) == PAYLOAD_TYPE_RELAY_RESPONSE)
			{
				LogPrint ("Relay response received");		
				m_State = eSessionRelayRequestReceived;
				uint8_t * payload = buf + sizeof (SSUHeader);
				payload++;
				boost::asio::ip::address_v4 remoteIP (be32toh (*(uint32_t* )(payload)));
				payload += 4;
				uint16_t remotePort = be16toh (*(uint16_t *)(payload));
				payload += 2;
				boost::asio::ip::udp::endpoint newRemoteEndpoint(remoteIP, remotePort);
				m_Server->ReassignSession (m_RemoteEndpoint, newRemoteEndpoint);
				m_RemoteEndpoint = newRemoteEndpoint;	
				payload++;
				boost::asio::ip::address_v4 ourIP (be32toh (*(uint32_t* )(payload)));
				payload += 4;
				uint16_t ourPort = be16toh (*(uint16_t *)(payload));
				payload += 2;
				LogPrint ("Our external address is ", ourIP.to_string (), ":", ourPort);
				i2p::context.UpdateAddress (ourIP.to_string ().c_str ());
				m_State= eSessionRelayResponseReceived;
			}
			else
				LogPrint ("Unexpected payload type ", (int)(header->flag >> 4));
		}
	}

	bool SSUSession::ProcessIntroKeyEncryptedMessage (uint8_t expectedPayloadType, uint8_t * buf, size_t len)
	{
		auto introKey = GetIntroKey ();
		if (introKey)
		{
			// use intro key for verification and decryption
			if (Validate (buf, len, introKey))
			{
				Decrypt (buf, len, introKey);
				SSUHeader * header = (SSUHeader *)buf;
				if ((header->flag >> 4) == expectedPayloadType)
				{
					CreateAESandMacKey (buf + sizeof (SSUHeader), m_SessionKey, m_MacKey);	
					return true;				
				}
				else
					LogPrint ("Unexpected payload type ", (int)(header->flag >> 4));	
			}
			else
			{	
				LogPrint ("MAC verification failed");	
				Failed ();
			}	
		}
		else
			LogPrint ("SSU is not supported");
		return false;
	}	

	void SSUSession::FillHeaderAndEncrypt (uint8_t payloadType, uint8_t * buf, size_t len, 
		const uint8_t * aesKey, const uint8_t * iv, const uint8_t * macKey)
	{	
		if (len < sizeof (SSUHeader))
		{
			LogPrint ("Unexpected SSU packet length ", len);
			return;
		}
		SSUHeader * header = (SSUHeader *)buf;
		memcpy (header->iv, iv, 16);
		header->flag = payloadType << 4; // MSB is 0
		header->time = htobe32 (i2p::util::GetSecondsSinceEpoch ());
		uint8_t * encrypted = &header->flag;
		uint16_t encryptedLen = len - (encrypted - buf);
		m_Encryption.SetKeyWithIV (aesKey, 32, iv);
		m_Encryption.ProcessData (encrypted, encrypted, encryptedLen);
		// assume actual buffer size is 18 (16 + 2) bytes more
		memcpy (buf + len, iv, 16);
		*(uint16_t *)(buf + len + 16) = htobe16 (encryptedLen);
		i2p::crypto::HMACMD5Digest (encrypted, encryptedLen + 18, macKey, header->mac);
	}

	void SSUSession::Decrypt (uint8_t * buf, size_t len, const uint8_t * aesKey)
	{
		if (len < sizeof (SSUHeader))
		{
			LogPrint ("Unexpected SSU packet length ", len);
			return;
		}
		SSUHeader * header = (SSUHeader *)buf;
		uint8_t * encrypted = &header->flag;
		uint16_t encryptedLen = len - (encrypted - buf);	
		m_Decryption.SetKeyWithIV (aesKey, 32, header->iv);
		encryptedLen = (encryptedLen/16)*16; // make sure 16 bytes boundary
		m_Decryption.ProcessData (encrypted, encrypted, encryptedLen);
	}

	bool SSUSession::Validate (uint8_t * buf, size_t len, const uint8_t * macKey)
	{
		if (len < sizeof (SSUHeader))
		{
			LogPrint ("Unexpected SSU packet length ", len);
			return false;
		}
		SSUHeader * header = (SSUHeader *)buf;
		uint8_t * encrypted = &header->flag;
		uint16_t encryptedLen = len - (encrypted - buf);
		// assume actual buffer size is 18 (16 + 2) bytes more
		memcpy (buf + len, header->iv, 16);
		*(uint16_t *)(buf + len + 16) = htobe16 (encryptedLen);
		uint8_t digest[16];
		i2p::crypto::HMACMD5Digest (encrypted, encryptedLen + 18, macKey, digest);
		return !memcmp (header->mac, digest, 16);
	}

	void SSUSession::Connect ()
	{
		SendSessionRequest ();
	}

	void SSUSession::ConnectThroughIntroducer (const i2p::data::RouterInfo::Introducer& introducer)
	{	
		SendRelayRequest (introducer);
	}

	void SSUSession::Close ()
	{
		SendSesionDestroyed ();
		if (!m_DelayedMessages.empty ())
		{
			for (auto it :m_DelayedMessages)
				delete it;
			m_DelayedMessages.clear ();
		}	
	}	

	void SSUSession::Established ()
	{
		SendI2NPMessage (CreateDatabaseStoreMsg ());
		if (!m_DelayedMessages.empty ())
		{
			for (auto it :m_DelayedMessages)
				Send (it);
			m_DelayedMessages.clear ();
		}	
	}	

	void SSUSession::Failed ()
	{
		m_State = eSessionStateFailed;
		Close ();
		if (m_Server)
			m_Server->DeleteSession (this); // delete this 
	}	
	
	const uint8_t * SSUSession::GetIntroKey () const
	{
		if (m_RemoteRouter)
		{
			// we are client
			auto address = m_RemoteRouter->GetSSUAddress ();
			return address ? address->key : nullptr;
		}
		else
		{
			// we are server
			auto address = i2p::context.GetRouterInfo ().GetSSUAddress ();
			return address ? address->key : nullptr;
		}
	}	

	void SSUSession::SendI2NPMessage (I2NPMessage * msg)
	{
		if (msg)
		{	
			if (m_State == eSessionStateEstablished)
				Send (msg);
			else
				m_DelayedMessages.push_back (msg);
		}	
	}	
	
	void SSUSession::ProcessData (uint8_t * buf, size_t len)
	{
		//uint8_t * start = buf;
		uint8_t flag = *buf;
		buf++;
		LogPrint ("Process SSU data flags=", (int)flag);
		if (flag & DATA_FLAG_EXPLICIT_ACKS_INCLUDED)
		{
			// explicit ACKs
			uint8_t numAcks =*buf;
			buf++;
			// TODO: process ACKs
			buf += numAcks*4;
		}
		if (flag & DATA_FLAG_ACK_BITFIELDS_INCLUDED)
		{
			// explicit ACK bitfields
			uint8_t numBitfields =*buf;
			buf++;
			for (int i = 0; i < numBitfields; i++)
			{
				buf += 4; // msgID
				// TODO: process ACH bitfields
				while (*buf & 0x80) // not last
					buf++;
				buf++; // last byte
			}	
		}	
		uint8_t numFragments = *buf; // number of fragments
		buf++;
		for (int i = 0; i < numFragments; i++)
		{	
			uint32_t msgID = be32toh (*(uint32_t *)buf); // message ID
			buf += 4;
			uint8_t frag[4];
			frag[0] = 0;
			memcpy (frag + 1, buf, 3);
			buf += 3;
			uint32_t fragmentInfo = be32toh (*(uint32_t *)frag); // fragment info
			uint16_t fragmentSize = fragmentInfo & 0x1FFF; // bits 0 - 13
			bool isLast = fragmentInfo & 0x010000; // bit 16	
			uint8_t fragmentNum = fragmentInfo >> 17; // bits 23 - 17
			LogPrint ("SSU data fragment ", (int)fragmentNum, " of message ", msgID, " size=", (int)fragmentSize, isLast ? " last" : " non-last"); 		
			I2NPMessage * msg = nullptr;
			if (fragmentNum > 0) // follow-up fragment
			{
				auto it = m_IncomleteMessages.find (msgID);
				if (it != m_IncomleteMessages.end ())
				{
					msg = it->second;
					memcpy (msg->buf + msg->len, buf, fragmentSize);
					msg->len += fragmentSize;
				}
				else
					// TODO:
					LogPrint ("Unexpected follow-on fragment ", fragmentNum, " of message ", msgID);	
			}
			else // first fragment
			{
				msg = NewI2NPMessage ();
				memcpy (msg->GetSSUHeader (), buf, fragmentSize);
				msg->len += fragmentSize - sizeof (I2NPHeaderShort);
			}

			if (msg)
			{					
				if (!fragmentNum && !isLast)
					m_IncomleteMessages[msgID] = msg;
				if (isLast)
				{
					SendMsgAck (msgID);
					if (fragmentNum > 0)	
						m_IncomleteMessages.erase (msgID);
					msg->FromSSU (msgID);
					if (m_State == eSessionStateEstablished)
						i2p::HandleI2NPMessage (msg);
					else
					{
						// we expect DeliveryStatus
						if (msg->GetHeader ()->typeID == eI2NPDeliveryStatus)
						{
							LogPrint ("SSU session established");
							m_State = eSessionStateEstablished;
							Established ();
						}	
						else
							LogPrint ("SSU unexpected message ", (int)msg->GetHeader ()->typeID);
						DeleteI2NPMessage (msg);
					}	
				}
			}
			buf += fragmentSize;
		}	
	}

	void SSUSession::SendMsgAck (uint32_t msgID)
	{
		uint8_t buf[48 + 18]; // actual length is 44 = 37 + 7 but pad it to multiple of 16
		uint8_t iv[16];
		uint8_t * payload = buf + sizeof (SSUHeader);
		*payload = DATA_FLAG_EXPLICIT_ACKS_INCLUDED; // flag
		payload++;
		*payload = 1; // number of ACKs
		payload++;
		*(uint32_t *)(payload) = htobe32 (msgID); // msgID	
		payload += 4;
		*payload = 0; // number of fragments

		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
		rnd.GenerateBlock (iv, 16); // random iv
		// encrypt message with session key
		FillHeaderAndEncrypt (PAYLOAD_TYPE_DATA, buf, 48, m_SessionKey, iv, m_MacKey);
		m_Server->Send (buf, 48, m_RemoteEndpoint);
	}

	void SSUSession::SendSesionDestroyed ()
	{
		uint8_t buf[48 + 18], iv[16];
		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
		rnd.GenerateBlock (iv, 16); // random iv
		if (m_State == eSessionStateEstablished)
			// encrypt message with session key
			FillHeaderAndEncrypt (PAYLOAD_TYPE_SESSION_DESTROYED, buf, 48, m_SessionKey, iv, m_MacKey);
		else
		{
			auto introKey = GetIntroKey ();
			if (introKey)
				// encrypt message with intro key
				FillHeaderAndEncrypt (PAYLOAD_TYPE_SESSION_DESTROYED, buf, 48, introKey, iv, introKey);
			else
			{
				LogPrint ("SSU: can't send SessionDestroyed message");
				return;
			}
		}
		m_Server->Send (buf, 48, m_RemoteEndpoint);
	}	

	void SSUSession::Send (i2p::I2NPMessage * msg)
	{
		uint32_t msgID = htobe32 (msg->ToSSU ());
		size_t payloadSize = SSU_MTU - sizeof (SSUHeader) - 9; // 9  =  flag + #frg(1) + messageID(4) + frag info (3) 
		size_t len = msg->GetLength ();
		uint8_t * msgBuf = msg->GetSSUHeader ();

		uint32_t fragmentNum = 0;
		while (len > 0)
		{	
			uint8_t buf[SSU_MTU + 18], iv[16], * payload = buf + sizeof (SSUHeader);
			*payload = DATA_FLAG_WANT_REPLY; // for compatibility
			payload++;
			*payload = 1; // always 1 message fragment per message
			payload++;
			*(uint32_t *)payload = msgID;
			payload += 4;
			bool isLast = (len <= payloadSize);
			size_t size = isLast ? len : payloadSize;
			uint32_t fragmentInfo = (fragmentNum << 17);
			if (isLast)
				fragmentInfo |= 0x010000;
			
			fragmentInfo |= size;
			fragmentInfo = htobe32 (fragmentInfo);
			memcpy (payload, (uint8_t *)(&fragmentInfo) + 1, 3);
			payload += 3;
			memcpy (payload, msgBuf, size);
			
			size += payload - buf;
			if (size % 16) // make sure 16 bytes boundary
				size = (size/16 + 1)*16;
			
			CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
			rnd.GenerateBlock (iv, 16); // random iv
			// encrypt message with session key
			FillHeaderAndEncrypt (PAYLOAD_TYPE_DATA, buf, size, m_SessionKey, iv, m_MacKey);
			m_Server->Send (buf, size, m_RemoteEndpoint);

			if (!isLast)
			{	
				len -= payloadSize;
				msgBuf += payloadSize;
			}	
			else
				len = 0;
			fragmentNum++;
		}	
	}	
	
	SSUServer::SSUServer (boost::asio::io_service& service, int port):
		m_Endpoint (boost::asio::ip::udp::v4 (), port), m_Socket (service, m_Endpoint)
	{
		m_Socket.set_option (boost::asio::socket_base::receive_buffer_size (65535));
		m_Socket.set_option (boost::asio::socket_base::send_buffer_size (65535));
	}
	
	SSUServer::~SSUServer ()
	{
		for (auto it: m_Sessions)
			delete it.second;
	}

	void SSUServer::Start ()
	{
		Receive ();
	}

	void SSUServer::Stop ()
	{
		DeleteAllSessions ();
		m_Socket.close ();
	}

	void SSUServer::Send (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& to)
	{
		m_Socket.send_to (boost::asio::buffer (buf, len), to);
		LogPrint ("SSU sent ", len, " bytes");
	}	

	void SSUServer::Receive ()
	{
		m_Socket.async_receive_from (boost::asio::buffer (m_ReceiveBuffer, SSU_MTU), m_SenderEndpoint,
			boost::bind (&SSUServer::HandleReceivedFrom, this, boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred)); 
	}

	void SSUServer::HandleReceivedFrom (const boost::system::error_code& ecode, std::size_t bytes_transferred)
	{
		if (!ecode)
		{
			LogPrint ("SSU received ", bytes_transferred, " bytes");
			SSUSession * session = nullptr;
			auto it = m_Sessions.find (m_SenderEndpoint);
			if (it != m_Sessions.end ())
				session = it->second;
			if (!session)
			{
				session = new SSUSession (this, m_SenderEndpoint);
				m_Sessions[m_SenderEndpoint] = session;
				LogPrint ("New SSU session from ", m_SenderEndpoint.address ().to_string (), ":", m_SenderEndpoint.port (), " created");
			}
			session->ProcessNextMessage (m_ReceiveBuffer, bytes_transferred, m_SenderEndpoint);
			Receive ();
		}
		else
			LogPrint ("SSU receive error: ", ecode.message ());
	}

	SSUSession * SSUServer::FindSession (const i2p::data::RouterInfo * router)
	{
		if (!router) return nullptr;
		auto address = router->GetSSUAddress ();
		if (!address) return nullptr;
		auto it = m_Sessions.find (boost::asio::ip::udp::endpoint (address->host, address->port));
		if (it != m_Sessions.end ())
			return it->second;
		else
			return nullptr;
	}	
		
	SSUSession * SSUServer::GetSession (const i2p::data::RouterInfo * router)
	{
		SSUSession * session = nullptr;
		if (router)
		{
			auto address = router->GetSSUAddress ();
			if (address)
			{
				boost::asio::ip::udp::endpoint remoteEndpoint (address->host, address->port);
				auto it = m_Sessions.find (remoteEndpoint);
				if (it != m_Sessions.end ())
					session = it->second;
				else
				{
					// otherwise create new session					
					if (!router->UsesIntroducer ())
					{
						// connect directly
						session = new SSUSession (this, remoteEndpoint, router);
						m_Sessions[remoteEndpoint] = session;
						LogPrint ("New SSU session to [", router->GetIdentHashAbbreviation (), "] ",
							remoteEndpoint.address ().to_string (), ":", remoteEndpoint.port (), " created");
						session->Connect ();
					}
					else
					{
						// connect through introducer
						if (address->introducers.size () > 0)
						{
							auto& introducer = address->introducers[0]; // TODO:
							boost::asio::ip::udp::endpoint introducerEndpoint (introducer.iHost, introducer.iPort);
							session = new SSUSession (this, introducerEndpoint, router);
							m_Sessions[introducerEndpoint] = session;
							LogPrint ("New SSU session to [", router->GetIdentHashAbbreviation (), 
								"] through introducer ", introducerEndpoint.address ().to_string (), ":", introducerEndpoint.port ());
							session->ConnectThroughIntroducer (introducer);
						}
						else
							LogPrint ("Router is unreachable, but not introducers presentd. Ignored");
					}
				}
			}
			else
				LogPrint ("Router ", router->GetIdentHashAbbreviation (), " doesn't have SSU address");
		}
		return session;
	}

	void SSUServer::DeleteSession (SSUSession * session)
	{
		if (session)
		{
			session->Close ();
			m_Sessions.erase (session->GetRemoteEndpoint ());
			delete session;
		}	
	}	

	void SSUServer::DeleteAllSessions ()
	{
		for (auto it: m_Sessions)
		{
			it.second->Close ();
			delete it.second;			
		}	
		m_Sessions.clear ();
	}

	void SSUServer::ReassignSession (const boost::asio::ip::udp::endpoint& oldEndpoint, const boost::asio::ip::udp::endpoint& newEndpoint)
	{
		auto it = m_Sessions.find (oldEndpoint);
		if (it != m_Sessions.end ())
		{
			auto session = it->second;
			m_Sessions.erase (it);
			m_Sessions[newEndpoint] = session;
			LogPrint ("SSU session ressigned from ", oldEndpoint.address ().to_string (), ":", oldEndpoint.port (), 
				" to ", newEndpoint.address ().to_string (), ":", newEndpoint.port ());
		}						
	}	
}
}