decrypt garlic on ECIES router

4 years ago · 6362a7bba5
parent 1740715c00
commit 6362a7bba5
3 changed files with 24 additions and 21 deletions
--- a/libi2pd/ECIESX25519AEADRatchetSession.cpp
+++ b/libi2pd/ECIESX25519AEADRatchetSession.cpp
@ -176,15 +176,6 @@ namespace garlic
 		memcpy (m_H, hh, 32);
 	}

-	void ECIESX25519AEADRatchetSession::MixHash (const uint8_t * buf, size_t len)
-	{
-		SHA256_CTX ctx;
-		SHA256_Init (&ctx);
-		SHA256_Update (&ctx, m_H, 32);
-		SHA256_Update (&ctx, buf, len);
-		SHA256_Final (m_H, &ctx);
-	}
-
 	void ECIESX25519AEADRatchetSession::CreateNonce (uint64_t seqn, uint8_t * nonce)
 	{
 		memset (nonce, 0, 4);
@ -257,7 +248,7 @@ namespace garlic

 		uint8_t sharedSecret[32];
 		GetOwner ()->Decrypt (m_Aepk, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RATCHET); // x25519(bsk, aepk)
-		i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK); // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
+		MixKey (sharedSecret);

 		// decrypt flags/static
 		uint8_t nonce[12], fs[32];
@ -277,7 +268,7 @@ namespace garlic
 			// static key, fs is apk
 			memcpy (m_RemoteStaticKey, fs, 32);
 			GetOwner ()->Decrypt (fs, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RATCHET); // x25519(bsk, apk)
-			i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK); // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
+			MixKey (sharedSecret);
 		}
 		else // all zeros flags
 			CreateNonce (1, nonce);
@ -289,10 +280,13 @@ namespace garlic
 			LogPrint (eLogWarning, "Garlic: Payload section AEAD verification failed");
 			return false;
 		}
-		if (isStatic) MixHash (buf, len); // h = SHA256(h || ciphertext)
+		
 		m_State = eSessionStateNewSessionReceived;
-		GetOwner ()->AddECIESx25519Session (m_RemoteStaticKey, shared_from_this ());
-
+		if (isStatic) 
+		{	
+			MixHash (buf, len); // h = SHA256(h || ciphertext)
+			GetOwner ()->AddECIESx25519Session (m_RemoteStaticKey, shared_from_this ());
+		}	
 		HandlePayload (payload.data (), len - 16, nullptr, 0);

 		return true;
@ -469,7 +463,7 @@ namespace garlic
 		MixHash (m_EphemeralKeys->GetPublicKey (), 32); // h = SHA256(h || aepk)
 		uint8_t sharedSecret[32];
 		m_EphemeralKeys->Agree (m_RemoteStaticKey, sharedSecret); // x25519(aesk, bpk)
-		i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK); // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
+		MixKey (sharedSecret);
 		// encrypt static key section
 		uint8_t nonce[12];
 		CreateNonce (0, nonce);
@ -482,7 +476,7 @@ namespace garlic
 		offset += 48;
 		// KDF2
 		GetOwner ()->Decrypt (m_RemoteStaticKey, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RATCHET); // x25519 (ask, bpk)
-		i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK); // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
+		MixKey (sharedSecret); 
 		// encrypt payload
 		if (!i2p::crypto::AEADChaCha20Poly1305 (payload, len, m_H, 32, m_CK + 32, nonce, out + offset, len + 16, true)) // encrypt
 		{
@ -520,9 +514,9 @@ namespace garlic
 		MixHash (m_EphemeralKeys->GetPublicKey (), 32); // h = SHA256(h || bepk)
 		uint8_t sharedSecret[32];
 		m_EphemeralKeys->Agree (m_Aepk, sharedSecret); // sharedSecret = x25519(besk, aepk)
-		i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK, 32); // chainKey = HKDF(chainKey, sharedSecret, "", 32)
+		MixKey (sharedSecret);
 		m_EphemeralKeys->Agree (m_RemoteStaticKey, sharedSecret); // sharedSecret = x25519(besk, apk)
-		i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK); // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
+		MixKey (sharedSecret);
 		uint8_t nonce[12];
 		CreateNonce (0, nonce);
 		// calculate hash for zero length
@ -607,9 +601,9 @@ namespace garlic
 		{
 			// only fist time, we assume ephemeral keys the same
 			m_EphemeralKeys->Agree (bepk, sharedSecret); // sharedSecret = x25519(aesk, bepk)
-			i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK, 32); // chainKey = HKDF(chainKey, sharedSecret, "", 32)
+			MixKey (sharedSecret);
 			GetOwner ()->Decrypt (bepk, sharedSecret, nullptr, i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD_RATCHET); // x25519 (ask, bepk)
-			i2p::crypto::HKDF (m_CK, sharedSecret, 32, "", m_CK); // [chainKey, key] = HKDF(chainKey, sharedSecret, "", 64)
+			MixKey (sharedSecret);
 		}
 		uint8_t nonce[12];
 		CreateNonce (0, nonce);
--- a/libi2pd/RouterContext.cpp
+++ b/libi2pd/RouterContext.cpp
@ -653,6 +653,15 @@ namespace i2p
 		i2p::HandleI2NPMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf, len)));
 	}

+	bool RouterContext::HandleCloveI2NPMessage (I2NPMessageType typeID, const uint8_t * payload, size_t len) 
+	{ 
+		auto msg = CreateI2NPMessage (typeID, payload, len);
+		if (!msg) return false;
+		i2p::HandleI2NPMessage (msg);
+		return true; 
+	} 
+
+		
 	void RouterContext::ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg)
 	{
 		std::unique_lock<std::mutex> l(m_GarlicMutex);
--- a/libi2pd/RouterContext.h
+++ b/libi2pd/RouterContext.h
@ -135,7 +135,7 @@ namespace i2p

 			// implements GarlicDestination
 			void HandleI2NPMessage (const uint8_t * buf, size_t len);
-			bool HandleCloveI2NPMessage (I2NPMessageType typeID, const uint8_t * payload, size_t len) { return false; }; // not implemented
+			bool HandleCloveI2NPMessage (I2NPMessageType typeID, const uint8_t * payload, size_t len);

 		private: