Browse Source

MixHash for SSU2 long header

pull/1742/head
orignal 3 years ago
parent
commit
a152f36894
  1. 10
      libi2pd/Crypto.cpp
  2. 1
      libi2pd/Crypto.h
  3. 51
      libi2pd/SSU2.cpp

10
libi2pd/Crypto.cpp

@ -1305,6 +1305,16 @@ namespace crypto @@ -1305,6 +1305,16 @@ namespace crypto
SHA256_Final (m_H, &ctx);
}
void NoiseSymmetricState::MixHash (const std::vector<std::pair<uint8_t *, size_t> >& bufs)
{
SHA256_CTX ctx;
SHA256_Init (&ctx);
SHA256_Update (&ctx, m_H, 32);
for (const auto& it: bufs)
SHA256_Update (&ctx, it.first, it.second);
SHA256_Final (m_H, &ctx);
}
void NoiseSymmetricState::MixKey (const uint8_t * sharedSecret)
{
HKDF (m_CK, sharedSecret, 32, "", m_CK);

1
libi2pd/Crypto.h

@ -317,6 +317,7 @@ namespace crypto @@ -317,6 +317,7 @@ namespace crypto
uint8_t m_H[32] /*h*/, m_CK[64] /*[ck, k]*/;
void MixHash (const uint8_t * buf, size_t len);
void MixHash (const std::vector<std::pair<uint8_t *, size_t> >& bufs);
void MixKey (const uint8_t * sharedSecret);
};

51
libi2pd/SSU2.cpp

@ -59,15 +59,15 @@ namespace transport @@ -59,15 +59,15 @@ namespace transport
memset (header.h.h2.h.packetNum, 0, 4);
header.h.h2.h.type = eSSU2SessionRequest;
header.h.h2.h.flags[0] = 2; // ver
header.h.h2.h.flags[1] = 2; // netID TODO:
header.h.h2.h.flags[1] = (uint8_t)i2p::context.GetNetID (); // netID
header.h.h2.h.flags[2] = 0; // flag
RAND_bytes ((uint8_t *)&m_SourceConnID, 8);
memcpy (headerX, &m_SourceConnID, 8); // source id
memset (headerX + 8, 0, 8); // token
RAND_bytes (headerX + 8, 8); // token
memcpy (headerX + 16, m_EphemeralKeys->GetPublicKey (), 32); // X
m_Server.AddPendingOutgoingSession (boost::asio::ip::udp::endpoint (m_Address->host, m_Address->port), shared_from_this ());
// KDF for session request
m_NoiseState->MixHash (header.buf, 16); // h = SHA256(h || header) TODO: long header
m_NoiseState->MixHash ({ {header.buf, 16}, {headerX, 16} }); // h = SHA256(h || header)
m_NoiseState->MixHash (m_EphemeralKeys->GetPublicKey (), 32); // h = SHA256(h || aepk);
uint8_t sharedSecret[32];
m_EphemeralKeys->Agree (m_Address->s, sharedSecret);
@ -79,6 +79,7 @@ namespace transport @@ -79,6 +79,7 @@ namespace transport
header.ll[1] ^= CreateHeaderMask (m_Address->i, payload + (payloadSize - 12));
i2p::crypto::ChaCha20 (headerX, 48, m_Address->i, nonce, headerX);
payloadSize += 16;
m_NoiseState->MixHash (payload, 32); // h = SHA256(h || 32 byte encrypted payload from Session Request) for SessionCreated
// send
m_Server.Send (header.buf, 16, headerX, 48, payload, payloadSize, boost::asio::ip::udp::endpoint (m_Address->host, m_Address->port));
}
@ -87,12 +88,13 @@ namespace transport @@ -87,12 +88,13 @@ namespace transport
{
// we are Bob
m_SourceConnID = connID;
Header2 h2;
memcpy (h2.buf, buf, 8);
h2.ll ^= CreateHeaderMask (i2p::context.GetSSU2IntroKey (), buf + (len - 12));
if (h2.h.type != eSSU2SessionRequest)
Header header;
header.h.connID = connID;
memcpy (header.h.h2.buf, buf, 8);
header.h.h2.ll ^= CreateHeaderMask (i2p::context.GetSSU2IntroKey (), buf + (len - 12));
if (header.h.h2.h.type != eSSU2SessionRequest)
{
LogPrint (eLogWarning, "SSU2: Unexpected message type ", (int)h2.h.type);
LogPrint (eLogWarning, "SSU2: Unexpected message type ", (int)header.h.h2.h.type);
return;
}
const uint8_t nonce[12] = {0};
@ -100,7 +102,7 @@ namespace transport @@ -100,7 +102,7 @@ namespace transport
i2p::crypto::ChaCha20 (buf + 16, 48, i2p::context.GetSSU2IntroKey (), nonce, headerX);
memcpy (&m_DestConnID, headerX, 8);
// KDF for session request
//m_NoiseState->MixHash (header.buf, 16); // h = SHA256(h || header) TODO: long header
m_NoiseState->MixHash ( { {header.buf, 16}, {headerX, 16} } ); // h = SHA256(h || header)
m_NoiseState->MixHash (headerX + 16, 32); // h = SHA256(h || aepk);
uint8_t sharedSecret[32];
i2p::context.GetSSU2StaticKeys ().Agree (headerX + 16, sharedSecret);
@ -120,16 +122,37 @@ namespace transport @@ -120,16 +122,37 @@ namespace transport
bool SSU2Session::ProcessSessionCreated (uint8_t * buf, size_t len)
{
// we are Alice
Header2 h2;
memcpy (h2.buf, buf, 8);
Header header;
header.h.connID = m_SourceConnID;
memcpy (header.h.h2.buf, buf, 8);
uint8_t kh2[32];
i2p::crypto::HKDF (m_NoiseState->m_CK, nullptr, 0, "SessCreateHeader", kh2, 32); // k_header_2 = HKDF(chainKey, ZEROLEN, "SessCreateHeader", 32)
h2.ll ^= CreateHeaderMask (kh2, buf + (len - 12));
if (h2.h.type != eSSU2SessionCreated)
header.h.h2.ll ^= CreateHeaderMask (kh2, buf + (len - 12));
if (header.h.h2.h.type != eSSU2SessionCreated)
{
LogPrint (eLogWarning, "SSU2: Unexpected message type ", (int)header.h.h2.h.type);
return false;
}
const uint8_t nonce[12] = {0};
uint8_t headerX[48];
i2p::crypto::ChaCha20 (buf + 16, 48, kh2, nonce, headerX);
// KDF for SessionCreated
m_NoiseState->MixHash ( { {header.buf, 16}, {headerX, 16} } ); // h = SHA256(h || header)
m_NoiseState->MixHash (headerX + 16, 32); // h = SHA256(h || bepk);
uint8_t sharedSecret[32];
m_EphemeralKeys->Agree (headerX + 16, sharedSecret);
m_NoiseState->MixKey (sharedSecret);
// decrypt
uint8_t * payload = buf + 64;
if (!i2p::crypto::AEADChaCha20Poly1305 (payload, len - 80, m_NoiseState->m_H, 32, m_NoiseState->m_CK + 32, nonce, payload, len - 80, false))
{
LogPrint (eLogWarning, "SSU2: Unexpected message type ", (int)h2.h.type);
LogPrint (eLogWarning, "SSU2: SessionCreated AEAD verification failed ");
return false;
}
// process payload
m_Server.AddSession (m_SourceConnID, shared_from_this ());
return true;
}

Loading…
Cancel
Save