Browse Source

NTCP2 session establisher

pull/1212/head
orignal 7 years ago
parent
commit
6054bd6621
  1. 181
      libi2pd/NTCP2.cpp
  2. 27
      libi2pd/NTCP2.h

181
libi2pd/NTCP2.cpp

@ -15,50 +15,7 @@ namespace i2p @@ -15,50 +15,7 @@ namespace i2p
{
namespace transport
{
NTCP2Session::NTCP2Session (NTCP2Server& server, std::shared_ptr<const i2p::data::RouterInfo> in_RemoteRouter):
TransportSession (in_RemoteRouter, 30),
m_Server (server), m_Socket (m_Server.GetService ()),
m_IsEstablished (false), m_IsTerminated (false),
m_SessionRequestBuffer (nullptr), m_SessionCreatedBuffer (nullptr), m_SessionConfirmedBuffer (nullptr),
m_NextReceivedBuffer (nullptr), m_NextSendBuffer (nullptr),
m_ReceiveSequenceNumber (0), m_SendSequenceNumber (0)
{
auto addr = in_RemoteRouter->GetNTCPAddress ();
if (addr->ntcp2)
{
memcpy (m_RemoteStaticKey, addr->ntcp2->staticKey, 32);
memcpy (m_IV, addr->ntcp2->iv, 16);
}
else
LogPrint (eLogWarning, "NTCP2: Missing NTCP2 parameters");
}
NTCP2Session::~NTCP2Session ()
{
delete[] m_SessionRequestBuffer;
delete[] m_SessionCreatedBuffer;
delete[] m_SessionConfirmedBuffer;
delete[] m_NextReceivedBuffer;
delete[] m_NextSendBuffer;
}
void NTCP2Session::Terminate ()
{
if (!m_IsTerminated)
{
m_IsTerminated = true;
m_IsEstablished = false;
m_Socket.close ();
LogPrint (eLogDebug, "NTCP2: session terminated");
}
}
void NTCP2Session::Done ()
{
m_Server.GetService ().post (std::bind (&NTCP2Session::Terminate, shared_from_this ()));
}
void NTCP2Session::MixKey (const uint8_t * inputKeyMaterial, uint8_t * derived)
void NTCP2Establisher::MixKey (const uint8_t * inputKeyMaterial, uint8_t * derived)
{
// temp_key = HMAC-SHA256(ck, input_key_material)
uint8_t tempKey[32]; unsigned int len;
@ -71,13 +28,7 @@ namespace transport @@ -71,13 +28,7 @@ namespace transport
HMAC(EVP_sha256(), tempKey, 32, m_CK, 33, derived, &len);
}
void NTCP2Session::CreateNonce (uint64_t seqn, uint8_t * nonce)
{
memset (nonce, 0, 4);
htole64buf (nonce + 4, seqn);
}
void NTCP2Session::KeyDerivationFunction1 (const uint8_t * rs, const uint8_t * priv, const uint8_t * pub, uint8_t * derived)
void NTCP2Establisher::KeyDerivationFunction1 (const uint8_t * rs, const uint8_t * priv, const uint8_t * pub, uint8_t * derived)
{
static const uint8_t protocolNameHash[] =
{
@ -98,13 +49,11 @@ namespace transport @@ -98,13 +49,11 @@ namespace transport
SHA256 (h, 64, m_H);
// x25519 between rs and priv
uint8_t inputKeyMaterial[32];
BN_CTX * ctx = BN_CTX_new ();
i2p::crypto::GetEd25519 ()->ScalarMul (rs, priv, inputKeyMaterial, ctx); // rs*priv
BN_CTX_free (ctx);
i2p::crypto::GetEd25519 ()->ScalarMul (rs, priv, inputKeyMaterial, m_Ctx); // rs*priv
MixKey (inputKeyMaterial, derived);
}
void NTCP2Session::KeyDerivationFunction2 (const uint8_t * priv, const uint8_t * pub, const uint8_t * sessionRequest, size_t sessionRequestLen, uint8_t * derived)
void NTCP2Establisher::KeyDerivationFunction2 (const uint8_t * priv, const uint8_t * pub, const uint8_t * sessionRequest, size_t sessionRequestLen, uint8_t * derived)
{
uint8_t h[64];
memcpy (h, m_H, 32);
@ -123,25 +72,80 @@ namespace transport @@ -123,25 +72,80 @@ namespace transport
// x25519 between remote pub and priv
uint8_t inputKeyMaterial[32];
BN_CTX * ctx = BN_CTX_new ();
i2p::crypto::GetEd25519 ()->ScalarMul (pub, priv, inputKeyMaterial, ctx);
BN_CTX_free (ctx);
i2p::crypto::GetEd25519 ()->ScalarMul (pub, priv, inputKeyMaterial, m_Ctx);
MixKey (inputKeyMaterial, derived);
}
void NTCP2Establisher::CreateEphemeralKey (uint8_t * pub)
{
RAND_bytes (m_EphemeralPrivateKey, 32);
i2p::crypto::GetEd25519 ()->ScalarMulB (m_EphemeralPrivateKey, pub, m_Ctx);
}
NTCP2Session::NTCP2Session (NTCP2Server& server, std::shared_ptr<const i2p::data::RouterInfo> in_RemoteRouter):
TransportSession (in_RemoteRouter, 30),
m_Server (server), m_Socket (m_Server.GetService ()),
m_IsEstablished (false), m_IsTerminated (false),
m_SessionRequestBuffer (nullptr), m_SessionCreatedBuffer (nullptr), m_SessionConfirmedBuffer (nullptr),
m_NextReceivedBuffer (nullptr), m_NextSendBuffer (nullptr),
m_ReceiveSequenceNumber (0), m_SendSequenceNumber (0)
{
m_Establisher.reset (new NTCP2Establisher);
auto addr = in_RemoteRouter->GetNTCPAddress ();
if (addr->ntcp2)
{
memcpy (m_Establisher->m_RemoteStaticKey, addr->ntcp2->staticKey, 32);
memcpy (m_Establisher->m_IV, addr->ntcp2->iv, 16);
}
else
LogPrint (eLogWarning, "NTCP2: Missing NTCP2 parameters");
}
NTCP2Session::~NTCP2Session ()
{
delete[] m_SessionRequestBuffer;
delete[] m_SessionCreatedBuffer;
delete[] m_SessionConfirmedBuffer;
delete[] m_NextReceivedBuffer;
delete[] m_NextSendBuffer;
}
void NTCP2Session::Terminate ()
{
if (!m_IsTerminated)
{
m_IsTerminated = true;
m_IsEstablished = false;
m_Socket.close ();
LogPrint (eLogDebug, "NTCP2: session terminated");
}
}
void NTCP2Session::Done ()
{
m_Server.GetService ().post (std::bind (&NTCP2Session::Terminate, shared_from_this ()));
}
void NTCP2Session::CreateNonce (uint64_t seqn, uint8_t * nonce)
{
memset (nonce, 0, 4);
htole64buf (nonce + 4, seqn);
}
void NTCP2Session::KeyDerivationFunction3 (const uint8_t * staticPrivKey, uint8_t * derived)
{
uint8_t inputKeyMaterial[32];
BN_CTX * ctx = BN_CTX_new ();
i2p::crypto::GetEd25519 ()->ScalarMul (m_Y, staticPrivKey, inputKeyMaterial, ctx);
i2p::crypto::GetEd25519 ()->ScalarMul (m_Establisher->m_Y, staticPrivKey, inputKeyMaterial, ctx);
BN_CTX_free (ctx);
MixKey (inputKeyMaterial, derived);
m_Establisher->MixKey (inputKeyMaterial, derived);
}
void NTCP2Session::KeyDerivationFunctionDataPhase ()
{
uint8_t tempKey[32]; unsigned int len;
HMAC(EVP_sha256(), m_CK, 32, nullptr, 0, tempKey, &len); // temp_key = HMAC-SHA256(ck, zerolen)
HMAC(EVP_sha256(), m_Establisher->GetCK (), 32, nullptr, 0, tempKey, &len); // temp_key = HMAC-SHA256(ck, zerolen)
static uint8_t one[1] = { 1 };
HMAC(EVP_sha256(), tempKey, 32, one, 1, m_Kab, &len); // k_ab = HMAC-SHA256(temp_key, byte(0x01)).
m_Kab[32] = 2;
@ -149,7 +153,7 @@ namespace transport @@ -149,7 +153,7 @@ namespace transport
static uint8_t ask[4] = { 'a', 's', 'k', 1 }, master[32];
HMAC(EVP_sha256(), tempKey, 32, ask, 4, master, &len); // ask_master = HMAC-SHA256(temp_key, "ask" || byte(0x01))
uint8_t h[39];
memcpy (h, m_H, 32);
memcpy (h, m_Establisher->GetH (), 32);
memcpy (h + 32, "siphash", 7);
HMAC(EVP_sha256(), master, 32, h, 39, tempKey, &len); // temp_key = HMAC-SHA256(ask_master, h || "siphash")
HMAC(EVP_sha256(), tempKey, 32, one, 1, master, &len); // sip_master = HMAC-SHA256(temp_key, byte(0x01))
@ -159,13 +163,6 @@ namespace transport @@ -159,13 +163,6 @@ namespace transport
HMAC(EVP_sha256(), tempKey, 32, m_Sipkeysab, 33, m_Sipkeysba, &len); // sipkeys_ba = HMAC-SHA256(temp_key, sipkeys_ab || byte(0x02))
}
void NTCP2Session::CreateEphemeralKey (uint8_t * pub)
{
RAND_bytes (m_EphemeralPrivateKey, 32);
BN_CTX * ctx = BN_CTX_new ();
i2p::crypto::GetEd25519 ()->ScalarMulB (m_EphemeralPrivateKey, pub, ctx);
BN_CTX_free (ctx);
}
void NTCP2Session::SendSessionRequest ()
{
@ -176,16 +173,16 @@ namespace transport @@ -176,16 +173,16 @@ namespace transport
RAND_bytes (m_SessionRequestBuffer + 64, paddingLength);
// generate key pair (X)
uint8_t x[32];
CreateEphemeralKey (x);
m_Establisher->CreateEphemeralKey (x);
// encrypt X
i2p::crypto::CBCEncryption encryption;
encryption.SetKey (GetRemoteIdentity ()->GetIdentHash ());
encryption.SetIV (m_IV);
encryption.SetIV (m_Establisher->m_IV);
encryption.Encrypt (x, 32, m_SessionRequestBuffer);
encryption.GetIV (m_IV); // save IV for SessionCreated
encryption.GetIV (m_Establisher->m_IV); // save IV for SessionCreated
// encryption key for next block
uint8_t key[32];
KeyDerivationFunction1 (m_RemoteStaticKey, m_EphemeralPrivateKey, x, key);
m_Establisher->KeyDerivationFunction1 (m_Establisher->m_RemoteStaticKey, m_Establisher->m_EphemeralPrivateKey, x, key);
// fill options
uint8_t options[32]; // actual options size is 16 bytes
memset (options, 0, 16);
@ -198,7 +195,7 @@ namespace transport @@ -198,7 +195,7 @@ namespace transport
// sign and encrypt options, use m_H as AD
uint8_t nonce[12];
memset (nonce, 0, 12); // set nonce to zero
i2p::crypto::AEADChaCha20Poly1305 (options, 16, m_H, 32, key, nonce, m_SessionRequestBuffer + 32, 32, true); // encrypt
i2p::crypto::AEADChaCha20Poly1305 (options, 16, m_Establisher->GetH (), 32, key, nonce, m_SessionRequestBuffer + 32, 32, true); // encrypt
// send message
boost::asio::async_write (m_Socket, boost::asio::buffer (m_SessionRequestBuffer, m_SessionRequestBufferLen), boost::asio::transfer_all (),
std::bind(&NTCP2Session::HandleSessionRequestSent, shared_from_this (), std::placeholders::_1, std::placeholders::_2));
@ -235,15 +232,15 @@ namespace transport @@ -235,15 +232,15 @@ namespace transport
i2p::crypto::CBCDecryption decryption;
decryption.SetKey (i2p::context.GetIdentHash ());
decryption.SetIV (i2p::context.GetNTCP2IV ());
decryption.Decrypt (m_SessionRequestBuffer, 32, m_Y);
decryption.GetIV (m_IV); // save IV for SessionCreated
decryption.Decrypt (m_SessionRequestBuffer, 32, m_Establisher->m_Y);
decryption.GetIV (m_Establisher->m_IV); // save IV for SessionCreated
// decryption key for next block
uint8_t key[32];
KeyDerivationFunction1 (m_Y, i2p::context.GetNTCP2StaticPrivateKey (), m_Y, key);
m_Establisher->KeyDerivationFunction1 (m_Establisher->m_Y, i2p::context.GetNTCP2StaticPrivateKey (), m_Establisher->m_Y, key);
// verify MAC and decrypt options block (32 bytes), use m_H as AD
uint8_t nonce[12], options[16];
memset (nonce, 0, 12); // set nonce to zero
if (i2p::crypto::AEADChaCha20Poly1305 (m_SessionRequestBuffer + 32, 16, m_H, 32, key, nonce, options, 16, false)) // decrypt
if (i2p::crypto::AEADChaCha20Poly1305 (m_SessionRequestBuffer + 32, 16, m_Establisher->GetH (), 32, key, nonce, options, 16, false)) // decrypt
{
if (options[1] == 2)
{
@ -286,14 +283,14 @@ namespace transport @@ -286,14 +283,14 @@ namespace transport
m_SessionCreatedBuffer = new uint8_t[287]; // TODO: determine actual max size
// generate key pair (y)
uint8_t y[32];
CreateEphemeralKey (y);
m_Establisher->CreateEphemeralKey (y);
// encrypt Y
i2p::crypto::CBCEncryption encryption;
encryption.SetKey (i2p::context.GetIdentHash ());
encryption.SetIV (m_IV);
encryption.SetIV (m_Establisher->m_IV);
encryption.Encrypt (y, 32, m_SessionCreatedBuffer);
// encryption key for next block (m_K)
KeyDerivationFunction2 (m_EphemeralPrivateKey, m_Y, m_SessionRequestBuffer, m_SessionRequestBufferLen, m_K);
m_Establisher->KeyDerivationFunction2 (m_Establisher->m_EphemeralPrivateKey, m_Establisher->m_Y, m_SessionRequestBuffer, m_SessionRequestBufferLen, m_Establisher->m_K);
auto paddingLen = rand () % (287 - 64);
uint8_t options[16];
memset (options, 0, 16);
@ -302,7 +299,7 @@ namespace transport @@ -302,7 +299,7 @@ namespace transport
// sign and encrypt options, use m_H as AD
uint8_t nonce[12];
memset (nonce, 0, 12); // set nonce to zero
i2p::crypto::AEADChaCha20Poly1305 (options, 16, m_H, 32, m_K, nonce, m_SessionCreatedBuffer + 32, 32, true); // encrypt
i2p::crypto::AEADChaCha20Poly1305 (options, 16, m_Establisher->m_H, 32, m_Establisher->m_K, nonce, m_SessionCreatedBuffer + 32, 32, true); // encrypt
// fill padding
RAND_bytes (m_SessionCreatedBuffer + 56, paddingLen);
// send message
@ -324,15 +321,15 @@ namespace transport @@ -324,15 +321,15 @@ namespace transport
// decrypt Y
i2p::crypto::CBCDecryption decryption;
decryption.SetKey (GetRemoteIdentity ()->GetIdentHash ());
decryption.SetIV (m_IV);
decryption.Decrypt (m_SessionCreatedBuffer, 32, m_Y);
decryption.SetIV (m_Establisher->m_IV);
decryption.Decrypt (m_SessionCreatedBuffer, 32, m_Establisher->m_Y);
// decryption key for next block (m_K)
KeyDerivationFunction2 (m_EphemeralPrivateKey, m_Y, m_SessionRequestBuffer, m_SessionRequestBufferLen, m_K);
m_Establisher->KeyDerivationFunction2 (m_Establisher->m_EphemeralPrivateKey, m_Establisher->m_Y, m_SessionRequestBuffer, m_SessionRequestBufferLen, m_Establisher->m_K);
// decrypt and verify MAC
uint8_t payload[16];
uint8_t nonce[12];
memset (nonce, 0, 12); // set nonce to zero
if (i2p::crypto::AEADChaCha20Poly1305 (m_SessionCreatedBuffer + 32, 16, m_H, 32, m_K, nonce, payload, 16, false)) // decrypt
if (i2p::crypto::AEADChaCha20Poly1305 (m_SessionCreatedBuffer + 32, 16, m_Establisher->GetH (), 32, m_Establisher->m_K, nonce, payload, 16, false)) // decrypt
{
uint16_t paddingLen = bufbe16toh(payload + 2);
LogPrint (eLogDebug, "NTCP2: padding length ", paddingLen);
@ -372,7 +369,7 @@ namespace transport @@ -372,7 +369,7 @@ namespace transport
{
// update AD
uint8_t h[80];
memcpy (h, m_H, 32);
memcpy (h, m_Establisher->GetH (), 32);
memcpy (h + 32, m_SessionCreatedBuffer + 32, 32); // encrypted payload
SHA256 (h, 64, h);
int paddingLength = m_SessionCreatedBufferLen - 64;
@ -387,11 +384,11 @@ namespace transport @@ -387,11 +384,11 @@ namespace transport
m_SessionConfirmedBuffer = new uint8_t[2048]; // TODO: actual size
uint8_t nonce[12];
CreateNonce (1, nonce);
i2p::crypto::AEADChaCha20Poly1305 (i2p::context.GetNTCP2StaticPublicKey (), 32, h, 32, m_K, nonce, m_SessionConfirmedBuffer, 48, true); // encrypt
i2p::crypto::AEADChaCha20Poly1305 (i2p::context.GetNTCP2StaticPublicKey (), 32, h, 32, m_Establisher->m_K, nonce, m_SessionConfirmedBuffer, 48, true); // encrypt
// part 2
// update AD again
memcpy (h + 32, m_SessionConfirmedBuffer, 48);
SHA256 (h, 80, m_H);
SHA256 (h, 80, m_Establisher->m_H);
size_t m3p2Len = i2p::context.GetRouterInfo ().GetBufferLen () + 20;
std::vector<uint8_t> buf(m3p2Len - 16);
@ -402,11 +399,11 @@ namespace transport @@ -402,11 +399,11 @@ namespace transport
uint8_t key[32];
KeyDerivationFunction3 (i2p::context.GetNTCP2StaticPrivateKey (), key);
memset (nonce, 0, 12); // set nonce to 0 again
i2p::crypto::AEADChaCha20Poly1305 (buf.data (), m3p2Len - 16, m_H, 32, key, nonce, m_SessionConfirmedBuffer + 48, m3p2Len, true); // encrypt
i2p::crypto::AEADChaCha20Poly1305 (buf.data (), m3p2Len - 16, m_Establisher->GetH (), 32, key, nonce, m_SessionConfirmedBuffer + 48, m3p2Len, true); // encrypt
uint8_t tmp[48];
memcpy (tmp, m_SessionConfirmedBuffer, 48);
memcpy (m_SessionConfirmedBuffer + 16, m_H, 32); // h || ciphertext
SHA256 (m_SessionConfirmedBuffer + 16, m3p2Len + 32, m_H); //h = SHA256(h || ciphertext);
memcpy (m_SessionConfirmedBuffer + 16, m_Establisher->GetH (), 32); // h || ciphertext
SHA256 (m_SessionConfirmedBuffer + 16, m3p2Len + 32, m_Establisher->m_H); //h = SHA256(h || ciphertext);
memcpy (m_SessionConfirmedBuffer, tmp, 48);
// send message

27
libi2pd/NTCP2.h

@ -4,6 +4,7 @@ @@ -4,6 +4,7 @@
#include <inttypes.h>
#include <memory>
#include <thread>
#include <openssl/bn.h>
#include <boost/asio.hpp>
#include "RouterInfo.h"
#include "TransportSession.h"
@ -12,6 +13,25 @@ namespace i2p @@ -12,6 +13,25 @@ namespace i2p
{
namespace transport
{
struct NTCP2Establisher
{
NTCP2Establisher () { m_Ctx = BN_CTX_new (); };
~NTCP2Establisher () { BN_CTX_free (m_Ctx); };
const uint8_t * GetCK () const { return m_CK; };
const uint8_t * GetH () const { return m_H; };
void MixKey (const uint8_t * inputKeyMaterial, uint8_t * derived);
void KeyDerivationFunction1 (const uint8_t * rs, const uint8_t * priv, const uint8_t * pub, uint8_t * derived); // for SessionRequest
void KeyDerivationFunction2 (const uint8_t * priv, const uint8_t * pub, const uint8_t * sessionRequest, size_t sessionRequestLen, uint8_t * derived); // for SessionCreate
void CreateEphemeralKey (uint8_t * pub);
BN_CTX * m_Ctx;
uint8_t m_EphemeralPrivateKey[32]; // x25519
uint8_t m_RemoteStaticKey[32], m_IV[16], m_H[32] /*h*/, m_CK[33] /*ck*/, m_K[32] /* derived after SessionCreated */, m_Y[32] /* or X for Bob */;
};
class NTCP2Server;
class NTCP2Session: public TransportSession, public std::enable_shared_from_this<NTCP2Session>
{
@ -30,15 +50,11 @@ namespace transport @@ -30,15 +50,11 @@ namespace transport
private:
void MixKey (const uint8_t * inputKeyMaterial, uint8_t * derived);
void CreateNonce (uint64_t seqn, uint8_t * nonce);
void KeyDerivationFunction1 (const uint8_t * rs, const uint8_t * priv, const uint8_t * pub, uint8_t * derived); // for SessionRequest
void KeyDerivationFunction2 (const uint8_t * priv, const uint8_t * pub, const uint8_t * sessionRequest, size_t sessionRequestLen, uint8_t * derived); // for SessionCreate
void KeyDerivationFunction3 (const uint8_t * staticPrivKey, uint8_t * derived); // for SessionConfirmed part 2
void KeyDerivationFunctionDataPhase ();
// establish
void CreateEphemeralKey (uint8_t * pub);
void SendSessionRequest ();
void SendSessionCreated ();
void SendSessionConfirmed ();
@ -67,8 +83,7 @@ namespace transport @@ -67,8 +83,7 @@ namespace transport
boost::asio::ip::tcp::socket m_Socket;
bool m_IsEstablished, m_IsTerminated;
uint8_t m_EphemeralPrivateKey[32]; // x25519
uint8_t m_RemoteStaticKey[32], m_IV[16], m_H[32] /*h*/, m_CK[33] /*ck*/, m_K[32] /* derived after SessionCreated */, m_Y[32] /* or X for Bob */;
std::unique_ptr<NTCP2Establisher> m_Establisher;
uint8_t * m_SessionRequestBuffer, * m_SessionCreatedBuffer, * m_SessionConfirmedBuffer;
size_t m_SessionRequestBufferLen, m_SessionCreatedBufferLen;
// data phase

Loading…
Cancel
Save