From 2bd7a92d20306a5ff99ebc069a634eb18f40b042 Mon Sep 17 00:00:00 2001
From: orignal <i2porignal@yandex.ru>
Date: Thu, 14 Jun 2018 15:29:36 -0400
Subject: [PATCH] send SessionConfirmed

---
 libi2pd/NTCP2.cpp | 128 ++++++++++++++++++++++++++++++++++++----------
 libi2pd/NTCP2.h   |  11 ++--
 2 files changed, 109 insertions(+), 30 deletions(-)

diff --git a/libi2pd/NTCP2.cpp b/libi2pd/NTCP2.cpp
index f2675276..2dd18960 100644
--- a/libi2pd/NTCP2.cpp
+++ b/libi2pd/NTCP2.cpp
@@ -17,7 +17,7 @@ namespace transport
 		TransportSession (in_RemoteRouter, 30), 
 		m_Server (server), m_Socket (m_Server.GetService ()), 
 		m_IsEstablished (false), m_IsTerminated (false),
-		m_SessionRequestBuffer (nullptr), m_SessionCreatedBuffer (nullptr)
+		m_SessionRequestBuffer (nullptr), m_SessionCreatedBuffer (nullptr), m_SessionConfirmedBuffer (nullptr)
 	{
 		auto addr = in_RemoteRouter->GetNTCPAddress ();
 		if (addr->ntcp2)
@@ -33,6 +33,7 @@ namespace transport
 	{
 		delete[] m_SessionRequestBuffer; 
 		delete[] m_SessionCreatedBuffer;
+		delete[] m_SessionConfirmedBuffer;
 	}
 
 	void NTCP2Session::Terminate ()
@@ -51,6 +52,19 @@ namespace transport
 		m_Server.GetService ().post (std::bind (&NTCP2Session::Terminate, shared_from_this ()));
 	}
 
+	void NTCP2Session::MixKey (const uint8_t * inputKeyMaterial, uint8_t * derived)
+	{
+		// temp_key = HMAC-SHA256(ck, input_key_material)
+		uint8_t tempKey[32]; unsigned int len;
+		HMAC(EVP_sha256(), m_CK, 32, inputKeyMaterial, 32, tempKey, &len); 	
+		// ck = HMAC-SHA256(temp_key, byte(0x01)) 
+		static uint8_t one[1] =  { 1 };
+		HMAC(EVP_sha256(), tempKey, 32, one, 1, m_CK, &len); 	
+		// derived = HMAC-SHA256(temp_key, ck || byte(0x02))
+		m_CK[32] = 2;
+		HMAC(EVP_sha256(), tempKey, 32, m_CK, 33, derived, &len); 	
+	}
+
 	void NTCP2Session::KeyDerivationFunction1 (const uint8_t * rs, const uint8_t * pub, uint8_t * derived)
 	{
 		static const char protocolName[] = "Noise_XK_25519_ChaChaPoly_SHA256"; // 32 bytes
@@ -68,15 +82,7 @@ namespace transport
 		BN_CTX * ctx = BN_CTX_new ();
 		i2p::crypto::GetEd25519 ()->ScalarMul (rs, m_ExpandedPrivateKey, inputKeyMaterial, ctx); // rs*priv
 		BN_CTX_free (ctx);
-		// temp_key = HMAC-SHA256(ck, input_key_material)
-		uint8_t tempKey[32]; unsigned int len;
-		HMAC(EVP_sha256(), m_CK, 32, inputKeyMaterial, 32, tempKey, &len); 	
-		// ck = HMAC-SHA256(temp_key, byte(0x01)) 
-		inputKeyMaterial[0] = 1;
-		HMAC(EVP_sha256(), tempKey, 32, inputKeyMaterial, 1, m_CK, &len); 	
-		// derived = HMAC-SHA256(temp_key, ck || byte(0x02))
-		m_CK[32] = 2;
-		HMAC(EVP_sha256(), tempKey, 32, m_CK, 33, derived, &len); 	
+		MixKey (inputKeyMaterial, derived);
 	}
 
 	void NTCP2Session::KeyDerivationFunction2 (const uint8_t * pub, const uint8_t * sessionRequest, size_t sessionRequestLen, uint8_t * derived)
@@ -101,15 +107,16 @@ namespace transport
 		BN_CTX * ctx = BN_CTX_new ();
 		i2p::crypto::GetEd25519 ()->ScalarMul (pub, m_ExpandedPrivateKey, inputKeyMaterial, ctx); 
 		BN_CTX_free (ctx);
-		// temp_key = HMAC-SHA256(ck, input_key_material)
-		uint8_t tempKey[32]; unsigned int len;
-		HMAC(EVP_sha256(), m_CK, 32, inputKeyMaterial, 32, tempKey, &len); 	
-		// ck = HMAC-SHA256(temp_key, byte(0x01)) 
-		inputKeyMaterial[0] = 1;
-		HMAC(EVP_sha256(), tempKey, 32, inputKeyMaterial, 1, m_CK, &len); 	
-		// derived = HMAC-SHA256(temp_key, ck || byte(0x02))
-		m_CK[32] = 2;
-		HMAC(EVP_sha256(), tempKey, 32, m_CK, 33, derived, &len); 
+		MixKey (inputKeyMaterial, derived);
+	}
+
+	void NTCP2Session::KeyDerivationFunction3 (const uint8_t * staticPrivKey, uint8_t * derived)
+	{
+		uint8_t inputKeyMaterial[32];
+		BN_CTX * ctx = BN_CTX_new ();
+		i2p::crypto::GetEd25519 ()->ScalarMul (m_Y, staticPrivKey, inputKeyMaterial, ctx); 
+		BN_CTX_free (ctx);
+		MixKey (inputKeyMaterial, derived);
 	}
 
 	void NTCP2Session::CreateEphemeralKey (uint8_t * pub)
@@ -185,23 +192,30 @@ namespace transport
 		}
 		else
 		{
-			LogPrint (eLogInfo, "NTCP2: SessionCreated received ", bytes_transferred);
-			uint8_t y[32];
+			LogPrint (eLogDebug, "NTCP2: SessionCreated received ", bytes_transferred);
+			m_SessionCreatedBufferLen = 56;
 			// decrypt Y
 			i2p::crypto::CBCDecryption decryption;
 			decryption.SetKey (GetRemoteIdentity ()->GetIdentHash ());
 			decryption.SetIV (m_IV);
-			decryption.Decrypt (m_SessionCreatedBuffer, 32, y);
-			// decryption key for next block
-			uint8_t key[32];
-			KeyDerivationFunction2 (y, m_SessionRequestBuffer, m_SessionRequestBufferLen, key);
+			decryption.Decrypt (m_SessionCreatedBuffer, 32, m_Y);
+			// decryption key for next block (m_K)
+			KeyDerivationFunction2 (m_Y, m_SessionRequestBuffer, m_SessionRequestBufferLen, m_K);
 			// decrypt and verify MAC
 			uint8_t payload[8];
 			uint8_t nonce[12];
 			memset (nonce, 0, 12); // set nonce to zero
-			if (i2p::crypto::AEADChaCha20Poly1305 (m_SessionCreatedBuffer + 32, 8, m_H, 32, key, nonce, payload, 8, false)) // decrypt
+			if (i2p::crypto::AEADChaCha20Poly1305 (m_SessionCreatedBuffer + 32, 8, m_H, 32, m_K, nonce, payload, 8, false)) // decrypt
 			{		
-				// TODO:
+				uint16_t paddingLen = bufbe16toh(payload);
+				LogPrint (eLogDebug, "NTCP2: padding length ", paddingLen);
+				if (paddingLen > 0)
+				{
+					boost::asio::async_read (m_Socket, boost::asio::buffer(m_SessionCreatedBuffer + 56, paddingLen), boost::asio::transfer_all (),
+						std::bind(&NTCP2Session::HandleSessionCreatedPaddingReceived, shared_from_this (), std::placeholders::_1, std::placeholders::_2));
+				}
+				else
+					SendSessionConfirmed ();
 			}
 			else
 			{	
@@ -211,6 +225,66 @@ namespace transport
 		}
 	}
 
+	void NTCP2Session::HandleSessionCreatedPaddingReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred)
+	{
+		if (ecode)
+		{
+			LogPrint (eLogWarning, "NTCP2: SessionCreated padding read error: ", ecode.message ());
+			Terminate ();
+		}
+		else
+		{
+			m_SessionCreatedBufferLen += bytes_transferred;
+			SendSessionConfirmed ();
+		}
+	}
+
+	void NTCP2Session::SendSessionConfirmed ()
+	{
+		// update AD
+		uint8_t h[80];
+		memcpy (h, m_H, 32);
+		memcpy (h + 32, m_SessionCreatedBuffer + 32, 24); // encrypted payload
+		SHA256 (h, 56, h); 
+		int paddingLength = m_SessionCreatedBufferLen - 56;
+		if (paddingLength > 0)
+		{
+			std::vector<uint8_t> h1(paddingLength + 32);
+			memcpy (h1.data (), h, 32);
+			memcpy (h1.data () + 32, m_SessionCreatedBuffer + 56, paddingLength);
+			SHA256 (h1.data (), paddingLength + 32, h); 
+		}	
+		// part1 48 bytes 
+		uint8_t s[32]; // public static
+		CreateEphemeralKey (s); // TODO: take it from RouterContext
+		m_SessionConfirmedBuffer = new uint8_t[2048]; // TODO: actual size
+		uint8_t nonce[12];
+		memset (nonce, 0, 4); htole64buf (nonce + 4, 1); // set nonce to 1
+		i2p::crypto::AEADChaCha20Poly1305 (s, 32, h, 32, m_K, nonce, m_SessionConfirmedBuffer, 48, true); // encrypt
+		// part 2
+		// update AD again
+		memcpy (h + 32, m_SessionConfirmedBuffer, 48);
+		SHA256 (h, 80, m_H); 			
+
+		size_t m3p2Len = 550; // TODO: actual size
+		uint8_t buf[550];
+		memset (buf, 0, m3p2Len - 16); // TODO: fill
+		uint8_t key[32];
+		KeyDerivationFunction3 (m_ExpandedPrivateKey, key); // TODO: take it from RouterContext
+		memset (nonce, 0, 12); // set nonce to 0 again
+		i2p::crypto::AEADChaCha20Poly1305 (buf, m3p2Len - 16, m_H, 32, key, nonce, m_SessionConfirmedBuffer + 48, m3p2Len, true); // encrypt
+
+		// send message
+		boost::asio::async_write (m_Socket, boost::asio::buffer (m_SessionConfirmedBuffer, m3p2Len + 48), boost::asio::transfer_all (),
+			std::bind(&NTCP2Session::HandleSessionConfirmedSent, shared_from_this (), std::placeholders::_1, std::placeholders::_2));
+	}
+
+	void NTCP2Session::HandleSessionConfirmedSent (const boost::system::error_code& ecode, std::size_t bytes_transferred)
+	{
+		LogPrint (eLogDebug, "NTCP2: SessionConfirmed sent");
+		Terminate (); // TODO
+	}
+
 	void NTCP2Session::ClientLogin ()
 	{
 		SendSessionRequest ();
diff --git a/libi2pd/NTCP2.h b/libi2pd/NTCP2.h
index b7e83f26..e9a170bd 100644
--- a/libi2pd/NTCP2.h
+++ b/libi2pd/NTCP2.h
@@ -29,14 +29,19 @@ namespace transport
 
 		private:
 
+			void MixKey (const uint8_t * inputKeyMaterial, uint8_t * derived);
 			void KeyDerivationFunction1 (const uint8_t * rs, const uint8_t * pub, uint8_t * derived); // for SessionRequest
 			void KeyDerivationFunction2 (const uint8_t * pub, const uint8_t * sessionRequest, size_t sessionRequestLen, uint8_t * derived); // for SessionCreate
+			void KeyDerivationFunction3 (const uint8_t * staticPrivKey, uint8_t * derived); // for SessionConfirmed part 2
 
 			void CreateEphemeralKey (uint8_t * pub);
 			void SendSessionRequest ();
+			void SendSessionConfirmed ();
 
 			void HandleSessionRequestSent (const boost::system::error_code& ecode, std::size_t bytes_transferred);
 			void HandleSessionCreatedReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred);
+			void HandleSessionCreatedPaddingReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred);
+			void HandleSessionConfirmedSent (const boost::system::error_code& ecode, std::size_t bytes_transferred);
 
 		private:
 
@@ -45,9 +50,9 @@ namespace transport
 			bool m_IsEstablished, m_IsTerminated;
 
 			uint8_t m_ExpandedPrivateKey[64]; // x25519 ephemeral key
-			uint8_t m_RemoteStaticKey[32], m_IV[16], m_H[32] /*h*/, m_CK[33] /*ck*/;
-			uint8_t * m_SessionRequestBuffer, * m_SessionCreatedBuffer;
-			size_t m_SessionRequestBufferLen;
+			uint8_t m_RemoteStaticKey[32], m_IV[16], m_H[32] /*h*/, m_CK[33] /*ck*/, m_K[32] /* derived after SessionCreated */, m_Y[32];
+			uint8_t * m_SessionRequestBuffer, * m_SessionCreatedBuffer, * m_SessionConfirmedBuffer;
+			size_t m_SessionRequestBufferLen, m_SessionCreatedBufferLen;
 	};
 
 	class NTCP2Server