From a112c3a1edd8d1115ff2be3aea260a28a660c2ea Mon Sep 17 00:00:00 2001
From: zzz <zzz@i2pmail.org>
Date: Wed, 14 Dec 2022 14:15:56 -0500
Subject: [PATCH] SSU2: Consolidate dup encrypt header keys in IES2/OES2

---
 .../transport/udp/InboundEstablishState2.java | 16 ++++++++-------
 .../udp/OutboundEstablishState2.java          | 20 +++++++++----------
 2 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java b/router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java
index acc7cb83bf..1c7fae5497 100644
--- a/router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java
+++ b/router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java
@@ -48,7 +48,6 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
     private final long _token;
     private final HandshakeState _handshakeState;
     private byte[] _sendHeaderEncryptKey1;
-    private final byte[] _rcvHeaderEncryptKey1;
     private byte[] _sendHeaderEncryptKey2;
     private byte[] _rcvHeaderEncryptKey2;
     private byte[] _sessCrForReTX;
@@ -86,7 +85,6 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
                                                   transport.getSSU2StaticPubKey(), 0);
         byte[] introKey = transport.getSSU2StaticIntroKey();
         _sendHeaderEncryptKey1 = introKey;
-        _rcvHeaderEncryptKey1 = introKey;
         //_sendHeaderEncryptKey2 set below
         //_rcvHeaderEncryptKey2 set below
         int off = pkt.getOffset();
@@ -104,7 +102,7 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
             _currentState = InboundState.IB_STATE_TOKEN_REQUEST_RECEIVED;
             // decrypt in-place
             ChaChaPolyCipherState chacha = new ChaChaPolyCipherState();
-            chacha.initializeKey(_rcvHeaderEncryptKey1, 0);
+            chacha.initializeKey(introKey, 0);
             long n = DataHelper.fromLong(data, off + PKT_NUM_OFFSET, 4);
             chacha.setNonce(n);
             chacha.decryptWithAd(data, off, LONG_HEADER_SIZE,
@@ -119,6 +117,7 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
         } else if (type == SESSION_REQUEST_FLAG_BYTE &&
                    (token == 0 ||
                     (ENFORCE_TOKEN && !_transport.getEstablisher().isInboundTokenValid(_remoteHostId, token)))) {
+            // i2pd thru 0.9.55 ignores zero token + termination in retry
             if (_log.shouldInfo())
                 _log.info("Invalid token " + token + " in session request from: " + _aliceSocketAddress);
             if (token == 0)
@@ -178,7 +177,7 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
         }
         packetReceived();
         if (_log.shouldDebug())
-            _log.debug("New " + this);
+            _log.debug("New req type " + type + " len " + len + " on " + this);
     }
 
     @Override
@@ -428,8 +427,8 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
     }
 
     public void gotTermination(int reason, long count) {
-        if (_log.shouldInfo())
-            _log.info("Got TERMINATION block, reason: " + reason + " count: " + count);
+        if (_log.shouldWarn())
+            _log.warn("Got TERMINATION block, reason: " + reason + " count: " + count + " on " + this);
         // this sets the state to FAILED
         fail();
         _transport.getEstablisher().receiveSessionDestroy(_remoteHostId);
@@ -479,7 +478,7 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
     }
     public HandshakeState getHandshakeState() { return _handshakeState; }
     public byte[] getSendHeaderEncryptKey1() { return _sendHeaderEncryptKey1; }
-    public byte[] getRcvHeaderEncryptKey1() { return _rcvHeaderEncryptKey1; }
+    public byte[] getRcvHeaderEncryptKey1() { return _transport.getSSU2StaticIntroKey(); }
     public byte[] getSendHeaderEncryptKey2() { return _sendHeaderEncryptKey2; }
     public synchronized byte[] getRcvHeaderEncryptKey2() { return _rcvHeaderEncryptKey2; }
     public InetSocketAddress getSentAddress() { return _aliceSocketAddress; }
@@ -574,6 +573,8 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
             if (_log.shouldWarn())
                 _log.warn("Got retx token request on: " + this);
             // Est. mgr will resend retry and call retryPacketSent()
+            // Note that Java I2P < 0.9.57 doesn't handle retransmitted retries correctly,
+            // so this won't work for them
             long now = _context.clock().now();
             // rate limit
             _nextSend = Math.max(now, _lastSend + 750);
@@ -912,6 +913,7 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
         buf.append(" lifetime: ").append(DataHelper.formatDuration(getLifetime()));
         buf.append(" Rcv ID: ").append(_rcvConnID);
         buf.append(" Send ID: ").append(_sendConnID);
+        buf.append(" Token: ").append(_token);
         if (_sentRelayTag > 0)
             buf.append(" RelayTag: ").append(_sentRelayTag);
         buf.append(' ').append(_currentState);
diff --git a/router/java/src/net/i2p/router/transport/udp/OutboundEstablishState2.java b/router/java/src/net/i2p/router/transport/udp/OutboundEstablishState2.java
index ada2b9eba7..a741daea0b 100644
--- a/router/java/src/net/i2p/router/transport/udp/OutboundEstablishState2.java
+++ b/router/java/src/net/i2p/router/transport/udp/OutboundEstablishState2.java
@@ -49,8 +49,8 @@ class OutboundEstablishState2 extends OutboundEstablishState implements SSU2Payl
     private final Map<Hash, IntroState> _introducers;
     private long _token;
     private HandshakeState _handshakeState;
-    private final byte[] _sendHeaderEncryptKey1;
-    private final byte[] _rcvHeaderEncryptKey1;
+    // Bob's intro key, same for send and receive
+    private final byte[] _headerEncryptKey1;
     private byte[] _sendHeaderEncryptKey2;
     private byte[] _rcvHeaderEncryptKey2;
     private final byte[] _rcvRetryHeaderEncryptKey2;
@@ -211,8 +211,7 @@ class OutboundEstablishState2 extends OutboundEstablishState implements SSU2Payl
         _rcvConnID = rcid;
 
         byte[] ik = introKey.getData();
-        _sendHeaderEncryptKey1 = ik;
-        _rcvHeaderEncryptKey1 = ik;
+        _headerEncryptKey1 = ik;
         _sendHeaderEncryptKey2 = ik;
         //_rcvHeaderEncryptKey2 will be set after the Session Request message is created
         _rcvRetryHeaderEncryptKey2 = ik;
@@ -343,7 +342,7 @@ class OutboundEstablishState2 extends OutboundEstablishState implements SSU2Payl
 
     public void gotTermination(int reason, long count) {
         if (_log.shouldWarn())
-            _log.warn("Got TERMINATION block, reason: " + reason + " count: " + count);
+            _log.warn("Got TERMINATION block, reason: " + reason + " count: " + count + " on " + this);
         // this sets the state to FAILED
         fail();
         _transport.getEstablisher().receiveSessionDestroy(_remoteHostId, this);
@@ -450,8 +449,8 @@ class OutboundEstablishState2 extends OutboundEstablishState implements SSU2Payl
         return _transport.getEstablisher().getInboundToken(_remoteHostId);
     }
     public HandshakeState getHandshakeState() { return _handshakeState; }
-    public byte[] getSendHeaderEncryptKey1() { return _sendHeaderEncryptKey1; }
-    public byte[] getRcvHeaderEncryptKey1() { return _rcvHeaderEncryptKey1; }
+    public byte[] getSendHeaderEncryptKey1() { return _headerEncryptKey1; }
+    public byte[] getRcvHeaderEncryptKey1() { return _headerEncryptKey1; }
     public byte[] getSendHeaderEncryptKey2() { return _sendHeaderEncryptKey2; }
     /**
      *  @return null before Session Request is sent (i.e. we sent a Token Request first)
@@ -509,7 +508,7 @@ class OutboundEstablishState2 extends OutboundEstablishState implements SSU2Payl
             _token = token;
         _timeReceived = 0;
         ChaChaPolyCipherState chacha = new ChaChaPolyCipherState();
-        chacha.initializeKey(_rcvHeaderEncryptKey1, 0);
+        chacha.initializeKey(_headerEncryptKey1, 0);
         long n = DataHelper.fromLong(data, off + PKT_NUM_OFFSET, 4);
         chacha.setNonce(n);
         try {
@@ -536,7 +535,7 @@ class OutboundEstablishState2 extends OutboundEstablishState implements SSU2Payl
             throw new GeneralSecurityException("Skew exceeded in Retry: " + _skew);
         createNewState(_routerAddress);
         if (_log.shouldDebug())
-            _log.debug("Received a retry on " + this);
+            _log.debug("Received a retry token " + token + " on " + this);
         _currentState = OutboundState.OB_STATE_RETRY_RECEIVED;
     }
 
@@ -718,7 +717,7 @@ class OutboundEstablishState2 extends OutboundEstablishState implements SSU2Payl
                                      _remotePeer.calculateHash(),
                                      false, _rtt, sender, rcvr,
                                      _sendConnID, _rcvConnID,
-                                     _sendHeaderEncryptKey1, h_ab, h_ba);
+                                     _headerEncryptKey1, h_ab, h_ba);
             _currentState = OutboundState.OB_STATE_CONFIRMED_COMPLETELY;
             _pstate.confirmedPacketsSent(_sessConfForReTX);
             // PS2.super adds CLOCK_SKEW_FUDGE that doesn't apply here
@@ -806,6 +805,7 @@ class OutboundEstablishState2 extends OutboundEstablishState implements SSU2Payl
                " lifetime: " + DataHelper.formatDuration(getLifetime()) +
                " Rcv ID: " + _rcvConnID +
                " Send ID: " + _sendConnID +
+               " Token: " + _token +
                ' ' + _currentState +
                (_introducers != null ? (" Introducers: " + _introducers.toString()) : "");
     }