mirror of
https://github.com/PurpleI2P/i2pd
synced 2024-11-10 00:00:29 +03:00
293 lines
8.8 KiB
C++
293 lines
8.8 KiB
C++
#include <openssl/rand.h>
|
|
#include <openssl/sha.h>
|
|
#include <openssl/hmac.h>
|
|
#include <stdlib.h>
|
|
#include <vector>
|
|
#include "Log.h"
|
|
#include "I2PEndian.h"
|
|
#include "Crypto.h"
|
|
#include "Ed25519.h"
|
|
#include "NTCP2.h"
|
|
|
|
namespace i2p
|
|
{
|
|
namespace transport
|
|
{
|
|
NTCP2Session::NTCP2Session (NTCP2Server& server, std::shared_ptr<const i2p::data::RouterInfo> in_RemoteRouter):
|
|
TransportSession (in_RemoteRouter, 30),
|
|
m_Server (server), m_Socket (m_Server.GetService ()),
|
|
m_IsEstablished (false), m_IsTerminated (false),
|
|
m_SessionRequestBuffer (nullptr), m_SessionCreatedBuffer (nullptr)
|
|
{
|
|
auto addr = in_RemoteRouter->GetNTCPAddress ();
|
|
if (addr->ntcp2)
|
|
{
|
|
memcpy (m_RemoteStaticKey, addr->ntcp2->staticKey, 32);
|
|
memcpy (m_IV, addr->ntcp2->iv, 16);
|
|
}
|
|
else
|
|
LogPrint (eLogWarning, "NTCP2: Missing NTCP2 parameters");
|
|
}
|
|
|
|
NTCP2Session::~NTCP2Session ()
|
|
{
|
|
delete[] m_SessionRequestBuffer;
|
|
delete[] m_SessionCreatedBuffer;
|
|
}
|
|
|
|
void NTCP2Session::Terminate ()
|
|
{
|
|
if (!m_IsTerminated)
|
|
{
|
|
m_IsTerminated = true;
|
|
m_IsEstablished = false;
|
|
m_Socket.close ();
|
|
LogPrint (eLogDebug, "NTCP2: session terminated");
|
|
}
|
|
}
|
|
|
|
void NTCP2Session::Done ()
|
|
{
|
|
m_Server.GetService ().post (std::bind (&NTCP2Session::Terminate, shared_from_this ()));
|
|
}
|
|
|
|
void NTCP2Session::KeyDerivationFunction1 (const uint8_t * rs, const uint8_t * pub, uint8_t * derived)
|
|
{
|
|
static const char protocolName[] = "Noise_XK_25519_ChaChaPoly_SHA256"; // 32 bytes
|
|
uint8_t h[64];
|
|
memcpy (m_CK, protocolName, 32);
|
|
SHA256 ((const uint8_t *)protocolName, 32, h);
|
|
// h = SHA256(h || rs)
|
|
memcpy (h + 32, rs, 32);
|
|
SHA256 (h, 64, h);
|
|
// h = SHA256(h || pub)
|
|
memcpy (h + 32, pub, 32);
|
|
SHA256 (h, 64, m_H);
|
|
// x25519 between rs and priv
|
|
uint8_t inputKeyMaterial[32];
|
|
BN_CTX * ctx = BN_CTX_new ();
|
|
i2p::crypto::GetEd25519 ()->ScalarMul (rs, m_ExpandedPrivateKey, inputKeyMaterial, ctx); // rs*priv
|
|
BN_CTX_free (ctx);
|
|
// temp_key = HMAC-SHA256(ck, input_key_material)
|
|
uint8_t tempKey[32]; unsigned int len;
|
|
HMAC(EVP_sha256(), m_CK, 32, inputKeyMaterial, 32, tempKey, &len);
|
|
// ck = HMAC-SHA256(temp_key, byte(0x01))
|
|
inputKeyMaterial[0] = 1;
|
|
HMAC(EVP_sha256(), tempKey, 32, inputKeyMaterial, 1, m_CK, &len);
|
|
// derived = HMAC-SHA256(temp_key, ck || byte(0x02))
|
|
m_CK[32] = 2;
|
|
HMAC(EVP_sha256(), tempKey, 32, m_CK, 33, derived, &len);
|
|
}
|
|
|
|
void NTCP2Session::KeyDerivationFunction2 (const uint8_t * pub, const uint8_t * sessionRequest, size_t sessionRequestLen, uint8_t * derived)
|
|
{
|
|
uint8_t h[64];
|
|
memcpy (h, m_H, 32);
|
|
memcpy (h + 32, sessionRequest + 32, 32); // encrypted payload
|
|
SHA256 (h, 64, h);
|
|
int paddingLength = sessionRequestLen - 64;
|
|
if (paddingLength > 0)
|
|
{
|
|
std::vector<uint8_t> h1(paddingLength + 32);
|
|
memcpy (h1.data (), h, 32);
|
|
memcpy (h1.data () + 32, sessionRequest + 64, paddingLength);
|
|
SHA256 (h1.data (), paddingLength + 32, h);
|
|
}
|
|
memcpy (h + 32, pub, 32);
|
|
SHA256 (h, 64, m_H);
|
|
|
|
// x25519 between remote pub and priv
|
|
uint8_t inputKeyMaterial[32];
|
|
BN_CTX * ctx = BN_CTX_new ();
|
|
i2p::crypto::GetEd25519 ()->ScalarMul (pub, m_ExpandedPrivateKey, inputKeyMaterial, ctx);
|
|
BN_CTX_free (ctx);
|
|
// temp_key = HMAC-SHA256(ck, input_key_material)
|
|
uint8_t tempKey[32]; unsigned int len;
|
|
HMAC(EVP_sha256(), m_CK, 32, inputKeyMaterial, 32, tempKey, &len);
|
|
// ck = HMAC-SHA256(temp_key, byte(0x01))
|
|
inputKeyMaterial[0] = 1;
|
|
HMAC(EVP_sha256(), tempKey, 32, inputKeyMaterial, 1, m_CK, &len);
|
|
// derived = HMAC-SHA256(temp_key, ck || byte(0x02))
|
|
m_CK[32] = 2;
|
|
HMAC(EVP_sha256(), tempKey, 32, m_CK, 33, derived, &len);
|
|
}
|
|
|
|
void NTCP2Session::CreateEphemeralKey (uint8_t * pub)
|
|
{
|
|
uint8_t key[32];
|
|
RAND_bytes (key, 32);
|
|
i2p::crypto::Ed25519::ExpandPrivateKey (key, m_ExpandedPrivateKey);
|
|
BN_CTX * ctx = BN_CTX_new ();
|
|
i2p::crypto::GetEd25519 ()->ScalarMulB (m_ExpandedPrivateKey, pub, ctx);
|
|
BN_CTX_free (ctx);
|
|
}
|
|
|
|
void NTCP2Session::SendSessionRequest ()
|
|
{
|
|
// create buffer and fill padding
|
|
auto paddingLength = rand () % (287 - 64); // message length doesn't exceed 287 bytes
|
|
m_SessionRequestBufferLen = paddingLength + 64;
|
|
m_SessionRequestBuffer = new uint8_t[m_SessionRequestBufferLen];
|
|
RAND_bytes (m_SessionRequestBuffer + 64, paddingLength);
|
|
// generate key pair (X)
|
|
uint8_t x[32];
|
|
CreateEphemeralKey (x);
|
|
// encrypt X
|
|
i2p::crypto::CBCEncryption encryption;
|
|
encryption.SetKey (GetRemoteIdentity ()->GetIdentHash ());
|
|
encryption.SetIV (m_IV);
|
|
encryption.Encrypt (x, 32, m_SessionRequestBuffer);
|
|
encryption.GetIV (m_IV); // save IV for SessionCreated
|
|
// encryption key for next block
|
|
uint8_t key[32];
|
|
KeyDerivationFunction1 (m_RemoteStaticKey, x, key);
|
|
// fill options
|
|
uint8_t options[32]; // actual options size is 16 bytes
|
|
memset (options, 0, 16);
|
|
htobe16buf (options, 2); // ver
|
|
htobe16buf (options + 2, paddingLength); // padLen
|
|
htobe16buf (options + 4, 550); // m3p2Len TODO:
|
|
// 2 bytes reserved
|
|
htobe32buf (options + 8, i2p::util::GetSecondsSinceEpoch ()); // tsA
|
|
// 4 bytes reserved
|
|
// sign and encrypt options, use m_H as AD
|
|
uint8_t nonce[12];
|
|
memset (nonce, 0, 12); // set nonce to zero
|
|
i2p::crypto::AEADChaCha20Poly1305 (options, 16, m_H, 32, key, nonce, m_SessionRequestBuffer + 32, 32, true); // encrypt
|
|
// send message
|
|
boost::asio::async_write (m_Socket, boost::asio::buffer (m_SessionRequestBuffer, m_SessionRequestBufferLen), boost::asio::transfer_all (),
|
|
std::bind(&NTCP2Session::HandleSessionRequestSent, shared_from_this (), std::placeholders::_1, std::placeholders::_2));
|
|
}
|
|
|
|
void NTCP2Session::HandleSessionRequestSent (const boost::system::error_code& ecode, std::size_t bytes_transferred)
|
|
{
|
|
(void) bytes_transferred;
|
|
if (ecode)
|
|
{
|
|
LogPrint (eLogWarning, "NTCP2: couldn't send SessionRequest message: ", ecode.message ());
|
|
Terminate ();
|
|
}
|
|
else
|
|
{
|
|
m_SessionCreatedBuffer = new uint8_t[287]; // TODO: determine actual max size
|
|
// we receive first 56 bytes (32 Y, and 24 ChaCha/Poly frame) first
|
|
boost::asio::async_read (m_Socket, boost::asio::buffer(m_SessionCreatedBuffer, 56), boost::asio::transfer_all (),
|
|
std::bind(&NTCP2Session::HandleSessionCreatedReceived, shared_from_this (), std::placeholders::_1, std::placeholders::_2));
|
|
}
|
|
}
|
|
|
|
void NTCP2Session::HandleSessionCreatedReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred)
|
|
{
|
|
if (ecode)
|
|
{
|
|
LogPrint (eLogWarning, "NTCP2: SessionCreated read error: ", ecode.message ());
|
|
Terminate ();
|
|
}
|
|
else
|
|
{
|
|
LogPrint (eLogInfo, "NTCP2: SessionCreated received ", bytes_transferred);
|
|
uint8_t y[32];
|
|
// decrypt Y
|
|
i2p::crypto::CBCDecryption decryption;
|
|
decryption.SetKey (GetRemoteIdentity ()->GetIdentHash ());
|
|
decryption.SetIV (m_IV);
|
|
decryption.Decrypt (m_SessionCreatedBuffer, 32, y);
|
|
// decryption key for next block
|
|
uint8_t key[32];
|
|
KeyDerivationFunction2 (y, m_SessionRequestBuffer, m_SessionRequestBufferLen, key);
|
|
// decrypt and verify MAC
|
|
uint8_t payload[8];
|
|
uint8_t nonce[12];
|
|
memset (nonce, 0, 12); // set nonce to zero
|
|
if (i2p::crypto::AEADChaCha20Poly1305 (m_SessionCreatedBuffer + 32, 8, m_H, 32, key, nonce, payload, 8, false)) // decrypt
|
|
{
|
|
// TODO:
|
|
}
|
|
else
|
|
{
|
|
LogPrint (eLogWarning, "NTCP2: SessionCreated MAC verification failed ");
|
|
Terminate ();
|
|
}
|
|
}
|
|
}
|
|
|
|
void NTCP2Session::ClientLogin ()
|
|
{
|
|
SendSessionRequest ();
|
|
}
|
|
|
|
NTCP2Server::NTCP2Server ():
|
|
m_IsRunning (false), m_Thread (nullptr), m_Work (m_Service)
|
|
{
|
|
}
|
|
|
|
NTCP2Server::~NTCP2Server ()
|
|
{
|
|
Stop ();
|
|
}
|
|
|
|
void NTCP2Server::Start ()
|
|
{
|
|
if (!m_IsRunning)
|
|
{
|
|
m_IsRunning = true;
|
|
m_Thread = new std::thread (std::bind (&NTCP2Server::Run, this));
|
|
}
|
|
}
|
|
|
|
void NTCP2Server::Stop ()
|
|
{
|
|
if (m_IsRunning)
|
|
{
|
|
m_IsRunning = false;
|
|
m_Service.stop ();
|
|
if (m_Thread)
|
|
{
|
|
m_Thread->join ();
|
|
delete m_Thread;
|
|
m_Thread = nullptr;
|
|
}
|
|
}
|
|
}
|
|
|
|
void NTCP2Server::Run ()
|
|
{
|
|
while (m_IsRunning)
|
|
{
|
|
try
|
|
{
|
|
m_Service.run ();
|
|
}
|
|
catch (std::exception& ex)
|
|
{
|
|
LogPrint (eLogError, "NTCP2: runtime exception: ", ex.what ());
|
|
}
|
|
}
|
|
}
|
|
|
|
void NTCP2Server::Connect(const boost::asio::ip::address & address, uint16_t port, std::shared_ptr<NTCP2Session> conn)
|
|
{
|
|
LogPrint (eLogDebug, "NTCP2: Connecting to ", address ,":", port);
|
|
m_Service.post([this, address, port, conn]()
|
|
{
|
|
conn->GetSocket ().async_connect (boost::asio::ip::tcp::endpoint (address, port), std::bind (&NTCP2Server::HandleConnect, this, std::placeholders::_1, conn));
|
|
});
|
|
}
|
|
|
|
void NTCP2Server::HandleConnect (const boost::system::error_code& ecode, std::shared_ptr<NTCP2Session> conn)
|
|
{
|
|
if (ecode)
|
|
{
|
|
LogPrint (eLogInfo, "NTCP2: Connect error ", ecode.message ());
|
|
conn->Terminate ();
|
|
}
|
|
else
|
|
{
|
|
LogPrint (eLogDebug, "NTCP2: Connected to ", conn->GetSocket ().remote_endpoint ());
|
|
conn->ClientLogin ();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|