|
|
@ -176,15 +176,6 @@ namespace garlic |
|
|
|
memcpy (m_H, hh, 32); |
|
|
|
memcpy (m_H, hh, 32); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
void ECIESX25519AEADRatchetSession::MixHash (const uint8_t * buf, size_t len) |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
SHA256_CTX ctx; |
|
|
|
|
|
|
|
SHA256_Init (&ctx); |
|
|
|
|
|
|
|
SHA256_Update (&ctx, m_H, 32); |
|
|
|
|
|
|
|
SHA256_Update (&ctx, buf, len); |
|
|
|
|
|
|
|
SHA256_Final (m_H, &ctx); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void ECIESX25519AEADRatchetSession::CreateNonce (uint64_t seqn, uint8_t * nonce) |
|
|
|
void ECIESX25519AEADRatchetSession::CreateNonce (uint64_t seqn, uint8_t * nonce) |
|
|
|
{ |
|
|
|
{ |
|
|
|
memset (nonce, 0, 4); |
|
|
|
memset (nonce, 0, 4); |
|
|
@ -257,7 +248,7 @@ namespace garlic |
|
|
|
|
|
|
|
|
|
|
|
uint8_t sharedSecret[32]; |
|
|
|
uint8_t sharedSecret[32]; |
|
|
|
GetOwner ()->Decrypt (m_Aepk, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RATCHET); // x25519(bsk, aepk)
|
|
|
|
GetOwner ()->Decrypt (m_Aepk, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RATCHET); // x25519(bsk, aepk)
|
|
|
|
i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK); // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
|
|
|
|
MixKey (sharedSecret); |
|
|
|
|
|
|
|
|
|
|
|
// decrypt flags/static
|
|
|
|
// decrypt flags/static
|
|
|
|
uint8_t nonce[12], fs[32]; |
|
|
|
uint8_t nonce[12], fs[32]; |
|
|
@ -277,7 +268,7 @@ namespace garlic |
|
|
|
// static key, fs is apk
|
|
|
|
// static key, fs is apk
|
|
|
|
memcpy (m_RemoteStaticKey, fs, 32); |
|
|
|
memcpy (m_RemoteStaticKey, fs, 32); |
|
|
|
GetOwner ()->Decrypt (fs, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RATCHET); // x25519(bsk, apk)
|
|
|
|
GetOwner ()->Decrypt (fs, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RATCHET); // x25519(bsk, apk)
|
|
|
|
i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK); // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
|
|
|
|
MixKey (sharedSecret); |
|
|
|
} |
|
|
|
} |
|
|
|
else // all zeros flags
|
|
|
|
else // all zeros flags
|
|
|
|
CreateNonce (1, nonce); |
|
|
|
CreateNonce (1, nonce); |
|
|
@ -289,10 +280,13 @@ namespace garlic |
|
|
|
LogPrint (eLogWarning, "Garlic: Payload section AEAD verification failed"); |
|
|
|
LogPrint (eLogWarning, "Garlic: Payload section AEAD verification failed"); |
|
|
|
return false; |
|
|
|
return false; |
|
|
|
} |
|
|
|
} |
|
|
|
if (isStatic) MixHash (buf, len); // h = SHA256(h || ciphertext)
|
|
|
|
|
|
|
|
m_State = eSessionStateNewSessionReceived; |
|
|
|
m_State = eSessionStateNewSessionReceived; |
|
|
|
GetOwner ()->AddECIESx25519Session (m_RemoteStaticKey, shared_from_this ()); |
|
|
|
if (isStatic) |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
MixHash (buf, len); // h = SHA256(h || ciphertext)
|
|
|
|
|
|
|
|
GetOwner ()->AddECIESx25519Session (m_RemoteStaticKey, shared_from_this ()); |
|
|
|
|
|
|
|
} |
|
|
|
HandlePayload (payload.data (), len - 16, nullptr, 0); |
|
|
|
HandlePayload (payload.data (), len - 16, nullptr, 0); |
|
|
|
|
|
|
|
|
|
|
|
return true; |
|
|
|
return true; |
|
|
@ -469,7 +463,7 @@ namespace garlic |
|
|
|
MixHash (m_EphemeralKeys->GetPublicKey (), 32); // h = SHA256(h || aepk)
|
|
|
|
MixHash (m_EphemeralKeys->GetPublicKey (), 32); // h = SHA256(h || aepk)
|
|
|
|
uint8_t sharedSecret[32]; |
|
|
|
uint8_t sharedSecret[32]; |
|
|
|
m_EphemeralKeys->Agree (m_RemoteStaticKey, sharedSecret); // x25519(aesk, bpk)
|
|
|
|
m_EphemeralKeys->Agree (m_RemoteStaticKey, sharedSecret); // x25519(aesk, bpk)
|
|
|
|
i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK); // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
|
|
|
|
MixKey (sharedSecret); |
|
|
|
// encrypt static key section
|
|
|
|
// encrypt static key section
|
|
|
|
uint8_t nonce[12]; |
|
|
|
uint8_t nonce[12]; |
|
|
|
CreateNonce (0, nonce); |
|
|
|
CreateNonce (0, nonce); |
|
|
@ -482,7 +476,7 @@ namespace garlic |
|
|
|
offset += 48; |
|
|
|
offset += 48; |
|
|
|
// KDF2
|
|
|
|
// KDF2
|
|
|
|
GetOwner ()->Decrypt (m_RemoteStaticKey, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RATCHET); // x25519 (ask, bpk)
|
|
|
|
GetOwner ()->Decrypt (m_RemoteStaticKey, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RATCHET); // x25519 (ask, bpk)
|
|
|
|
i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK); // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
|
|
|
|
MixKey (sharedSecret); |
|
|
|
// encrypt payload
|
|
|
|
// encrypt payload
|
|
|
|
if (!i2p::crypto::AEADChaCha20Poly1305 (payload, len, m_H, 32, m_CK + 32, nonce, out + offset, len + 16, true)) // encrypt
|
|
|
|
if (!i2p::crypto::AEADChaCha20Poly1305 (payload, len, m_H, 32, m_CK + 32, nonce, out + offset, len + 16, true)) // encrypt
|
|
|
|
{ |
|
|
|
{ |
|
|
@ -520,9 +514,9 @@ namespace garlic |
|
|
|
MixHash (m_EphemeralKeys->GetPublicKey (), 32); // h = SHA256(h || bepk)
|
|
|
|
MixHash (m_EphemeralKeys->GetPublicKey (), 32); // h = SHA256(h || bepk)
|
|
|
|
uint8_t sharedSecret[32]; |
|
|
|
uint8_t sharedSecret[32]; |
|
|
|
m_EphemeralKeys->Agree (m_Aepk, sharedSecret); // sharedSecret = x25519(besk, aepk)
|
|
|
|
m_EphemeralKeys->Agree (m_Aepk, sharedSecret); // sharedSecret = x25519(besk, aepk)
|
|
|
|
i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK, 32); // chainKey = HKDF(chainKey, sharedSecret, "", 32)
|
|
|
|
MixKey (sharedSecret); |
|
|
|
m_EphemeralKeys->Agree (m_RemoteStaticKey, sharedSecret); // sharedSecret = x25519(besk, apk)
|
|
|
|
m_EphemeralKeys->Agree (m_RemoteStaticKey, sharedSecret); // sharedSecret = x25519(besk, apk)
|
|
|
|
i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK); // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
|
|
|
|
MixKey (sharedSecret); |
|
|
|
uint8_t nonce[12]; |
|
|
|
uint8_t nonce[12]; |
|
|
|
CreateNonce (0, nonce); |
|
|
|
CreateNonce (0, nonce); |
|
|
|
// calculate hash for zero length
|
|
|
|
// calculate hash for zero length
|
|
|
@ -607,9 +601,9 @@ namespace garlic |
|
|
|
{ |
|
|
|
{ |
|
|
|
// only fist time, we assume ephemeral keys the same
|
|
|
|
// only fist time, we assume ephemeral keys the same
|
|
|
|
m_EphemeralKeys->Agree (bepk, sharedSecret); // sharedSecret = x25519(aesk, bepk)
|
|
|
|
m_EphemeralKeys->Agree (bepk, sharedSecret); // sharedSecret = x25519(aesk, bepk)
|
|
|
|
i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK, 32); // chainKey = HKDF(chainKey, sharedSecret, "", 32)
|
|
|
|
MixKey (sharedSecret); |
|
|
|
GetOwner ()->Decrypt (bepk, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RATCHET); // x25519 (ask, bepk)
|
|
|
|
GetOwner ()->Decrypt (bepk, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RATCHET); // x25519 (ask, bepk)
|
|
|
|
i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK); // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
|
|
|
|
MixKey (sharedSecret); |
|
|
|
} |
|
|
|
} |
|
|
|
uint8_t nonce[12]; |
|
|
|
uint8_t nonce[12]; |
|
|
|
CreateNonce (0, nonce); |
|
|
|
CreateNonce (0, nonce); |
|
|
|