                    
                    
                        orignal
                    
                    
                        zzz don't take him seriously
                    
                
                
                    
                        orignal
                    
                    
                        just FYI
                    
                
                
                    
                        dr|z3d
                    
                    
                        who dat, orignal?
                    
                
                
                    
                        not_bob
                    
                    
                        2024 notbob stats are out for top 100 jumps, total jumps and hosts.txt grabs.
                    
                
                
                    
                        not_bob
                    
                    
                        You may or may not get it on my blog yet as they won't sinkl for another 45 min or so.
                    
                
                
                    
                        not_bob
                    
                    
                        sync.
                    
                
                
                    
                        dr|z3d
                    
                    
                        *thumbs up* not_bob_afk 
                    
                
                
                    
                        Over
                    
                    
                        dr|z3d: I am getting a "broken pipe" from time to time on my I2PSnark standalone that suddenly stops all ongoing torrents. Should I make an issue about it on your git and is there a way to restart torrents on error automatically?
                    
                
                
                    
                        zzz
                    
                    
                        spent another couple days banging my head trying to get dnscrypt working
                    
                
                
                    
                        zzz
                    
                    
                        I'm so so so stuck
                    
                
                
                    
                        zzz
                    
                    
                        I'm as stumped as I've been on anything in years
                    
                
                
                    
                        zzz
                    
                    
                        it's failing on the chacha/poly I'm sending
                    
                
                
                    
                        zzz
                    
                    
                        I've stuffed debugging into the Go server and verified it has the same key and nonce as I do
                    
                
                
                    
                        zzz
                    
                    
                        all the servers use the C libsodium lib
                    
                
                
                    
                        orignal
                    
                    
                        dr|z3d on i2p-dev
                    
                
                
                    
                        orignal
                    
                    
                        what is dnscrypt?
                    
                
                
                    
                        zzz
                    
                    
                        but our chacha/poly code must be standard because java talks to i2pd just fine
                    
                
                
                    
                        zzz
                    
                    
                        it's encrypted DNS over UDP. It's better than DoH and I'd like to switch to it
                    
                
                
                    
                        orignal
                    
                    
                        please explain what's the issue
                    
                
                
                    
                        orignal
                    
                    
                        who does encryption?
                    
                
                
                    
                        zzz
                    
                    
                        I'm following the spec and sending a query to a test server, but the poly1305 tag isn't right, the server fails to decrypt it
                    
                
                
                    
                        zzz
                    
                    
                        in this case, I'm the client, encrypting the request
                    
                
                
                    
                        orignal
                    
                    
                        tell me what you are doing and I will try using openssl
                    
                
                
                    
                        orignal
                    
                    
                        what server and what spec
                    
                
                
                    
                        zzz
                    
                    
                        thanks but it's kind of a complicated spec to implement
                    
                
                
                    
                        orignal
                    
                    
                        come on
                    
                
                
                
                    
                        zzz
                    
                    
                        not saying you can't do it, of course you can, but not asking you to do that work
                    
                
                
                    
                        dr|z3d
                    
                    
                        ***  chuckles. ***
                    
                
                
                    
                        dr|z3d
                    
                    
                        "come on!"
                    
                
                
                    
                        orignal
                    
                    
                        we want to try chacha/poly only
                    
                
                
                    
                        dr|z3d
                    
                    
                        sounds hugely frustrating, zzz.
                    
                
                
                    
                        dr|z3d
                    
                    
                        in other news, I should have a new hosts in last 24h count badge/bubble working.
                    
                
                
                    
                        zzz
                    
                    
                        it's the old DJB style with 8 byte counter and nonce, instead of 4/12, but it's really the same because it's only actually using 8 bytes of nonce
                    
                
                
                    
                        zzz
                    
                    
                        and the nonce for the first packet is all zeros so there's no endian issue either
                    
                
                
                    
                        zzz
                    
                    
                        I even tried flopping the endian of the key even though I'm sure it's right
                    
                
                
                    
                        dr|z3d
                    
                    
                        presumably you've tried padding to 12 bytes?
                    
                
                
                    
                        zzz
                    
                    
                        actually the java chacha/poly code is 8/8 even though our specs say 4/12
                    
                
                
                    
                        zzz
                    
                    
                        all our protocols say "12 byte nonce with the first 4 are zeros" so it's really the same thing
                    
                
                
                    
                        zzz
                    
                    
                        I never did any chacha/poly test vectors, never bothered, since we got NTCP2 working with i2pd I knew it was right
                    
                
                
                    
                        zzz
                    
                    
                        orignal did you ever do chacha/poly test vectors?
                    
                
                
                    
                        zzz
                    
                    
                        I did do a chacha-only test vector, just not the chacha/poly
                    
                
                
                
                    
                        zzz
                    
                    
                        thanks, maybe I'll add that
                    
                
                
                    
                        zzz
                    
                    
                        my chacha test vector is the same 'ladies and gentlemen' text
                    
                
                
                    
                        zzz
                    
                    
                        but ofc it has to work or everything would be broken
                    
                
                
                    
                        orignal
                    
                    
                        I took it from the RFC
                    
                
                
                    
                        zzz
                    
                    
                        yup
                    
                
                
                    
                        zzz
                    
                    
                                // vectors as in RFC 7539
                    
                
                
                    
                        zzz
                    
                    
                                byte[] plaintext = DataHelper.getASCII("Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it.");
                     
                
                
                    
                        zzz
                    
                    
                        good on you to write a test, I guess I was too lazy
                    
                
                
                    
                        orignal
                    
                    
                        because I had to make it work. I had psi's implementation of chacha20 and poly1305 only
                    
                
                
                    
                        orignal
                    
                    
                        and not AEAD
                    
                
                
                    
                        orignal
                    
                    
                        openssl was later
                    
                
                
                    
                        zzz
                    
                    
                        I really hate staring at DJB C code in libsodium/libnacl/etc it's so darn fugly
                    
                
                
                    
                        orignal
                    
                    
                        why libsodium? I doubt it's different than openssl
                    
                
                
                    
                        zzz
                    
                    
                        basically that's the way the spec is written and that's what all the server implementations out there use
                    
                
                
                    
                        zzz
                    
                    
                        11.  Authenticated Encryption And Key Exchange Algorithm
                    
                
                
                    
                        zzz
                    
                    
                           The Box-XChaChaPoly construction, and the way to use it described in
                    
                
                
                    
                        zzz
                    
                    
                           this section, must be referenced in certificates as version 2 of the
                    
                
                
                    
                        zzz
                    
                    
                           public-key authenticated encryption system.
                    
                
                
                    
                        zzz
                    
                    
                           The construction, originally implemented in the libsodium
                    
                
                
                    
                        zzz
                    
                    
                           cryptographic library and exposed under the name
                    
                
                
                    
                        zzz
                    
                    
                           "crypto_box_curve25519xchacha20poly1305", uses the Curve25119
                     
                
                
                    
                        zzz
                    
                    
                           elliptic curve in Montgomery form and the hchacha20 hash function for
                    
                
                
                    
                        zzz
                    
                    
                           key exchange, the XChaCha20 stream cipher, and Poly1305 for message
                    
                
                
                    
                        zzz
                    
                    
                           authentication.
                    
                
                
                    
                        orignal
                    
                    
                        what is xchacha20?
                    
                
                
                    
                        zzz
                    
                    
                        you do a X25519 DH, then hash it with HChaCha20, which is a little different than normal ChaCha20, and that hash is the key for regular chacha/poly
                    
                
                
                    
                        zzz
                    
                    
                        and I've verified that key matches in my client and the go server, and the initial nonce is all zeros
                    
                
                
                    
                        orignal
                    
                    
                        so what we do?
                    
                
                
                    
                        orignal
                    
                    
                        change nonces?
                    
                
                
                    
                        zzz
                    
                    
                        the only thing I can think of is to write a c test program using libsodium and put printf's into libsodium to print out the poly1305 key and the internal chacha state
                    
                
                
                    
                        orignal
                    
                    
                        do you know if this one exists in openssl?
                    
                
                
                    
                        orignal
                    
                    
                        you can try it from command line
                    
                
                
                    
                        zzz
                    
                    
                        don't know but the HChaCha20 part is a little obscure
                    
                
                
                    
                        dr|z3d
                    
                    
                        re new hosts badge:  cake.i2p/file/iDVIMulznC_pFQWvDfigIrM2Q9acHQGkUgRv43Coo_YdiNg6FDAS/newHosts.webp  
                    
                
                
                
                    
                        orignal
                    
                    
                        see what I do
                    
                
                
                    
                        orignal
                    
                    
                        EVP_EncryptInit_ex(m_Ctx, NULL, NULL, key, nonce);
                    
                
                
                    
                        orignal
                    
                    
                        maybe this line
                    
                
                
                    
                        zzz
                    
                    
                        here's the libsodium xchacha decrypt code where it's failing the poly tag
                    
                
                
                    
                        zzz
                    
                    
                            crypto_core_hchacha20(subkey, n, k, NULL);
                    
                
                
                    
                        zzz
                    
                    
                            crypto_stream_chacha20(block0, crypto_stream_chacha20_KEYBYTES,
                     
                
                
                    
                        zzz
                    
                    
                                                   n + 16, subkey);
                    
                
                
                    
                        zzz
                    
                    
                            if (crypto_onetimeauth_poly1305_verify(mac, c, clen, block0) != 0) {
                     
                
                
                    
                        zzz
                    
                    
                                sodium_memzero(subkey, sizeof subkey);
                    
                
                
                    
                        zzz
                    
                    
                                return -1;
                    
                
                
                    
                        zzz
                    
                    
                            }
                    
                
                
                    
                        dr|z3d
                    
                    
                        probably a bad idea, but what about a new server type that provides proxied dns.
                    
                
                
                    
                        zzz
                    
                    
                        yeah no
                    
                
                
                    
                        dr|z3d
                    
                    
                        similar to http proxy, so csv list of servers (b32s) can be specified.
                    
                
                
                    
                        zzz
                    
                    
                        we already do DoH which is fine
                    
                
                
                    
                        zzz
                    
                    
                        but there's more dnscrypt servers out there and it's a better protocol
                    
                
                
                    
                        dr|z3d
                    
                    
                        I'm thinking something which has a more general application than just looking up time server addresses.
                    
                
                
                    
                        zzz
                    
                    
                        and that application is... ?
                    
                
                
                    
                        dr|z3d
                    
                    
                        that application is providing a distributed dns server framework for anyone that wants to use i2p for lookups instead of their current provider.
                    
                
                
                    
                        zzz
                    
                    
                        just do DoH thru the outproxy?
                    
                
                
                    
                        dr|z3d
                    
                    
                        yeah, but then you're limited to outproxies. 
                    
                
                
                    
                        dr|z3d
                    
                    
                        there's probably a ton more people prepared to host a DNS server on the network than there are people prepared to run an outproxy 
                    
                
                
                    
                        zzz
                    
                    
                        we have more outproxies (2) than we do DNS server proxies (0)
                    
                
                
                    
                        dr|z3d
                    
                    
                        exactly.
                    
                
                
                    
                        dr|z3d
                    
                    
                        because we don't have a simple method for provisioning a dns server/client setup.
                    
                
                
                    
                        orignal
                    
                    
                        but where is ad?
                    
                
                
                    
                        zzz
                    
                    
                        there's no ad used
                    
                
                
                    
                        dr|z3d
                    
                    
                        also, last time I checked we had 3 outproxy services, unless something changed.
                    
                
                
                    
                        orignal
                    
                    
                        that's why
                    
                
                
                    
                        orignal
                    
                    
                        we always use with ad
                    
                
                
                    
                        dr|z3d
                    
                    
                        and, also, fyi, iirc acetone provides a dns proxy service.
                    
                
                
                    
                        zzz
                    
                    
                        not sure we always do, but my chacha/poly code supports NULL ad
                    
                
                
                    
                        orignal
                    
                    
                        it's just a tunnel
                    
                
                
                    
                        orignal
                    
                    
                        do you have their test vector?
                    
                
                
                    
                        orignal
                    
                    
                        e.g. correctly encrypted block
                    
                
                
                    
                        zzz
                    
                    
                        they have a HChaCha20 vector in the spec I linked, but that's it. I'm sure there's vectors for the full protocol somewhere but they aren't in the spec
                    
                
                
                    
                        orignal
                    
                    
                        can you just run it and save input and output?
                    
                
                
                    
                        zzz
                    
                    
                        they put the MAC before the data so I have to flop it around
                    
                
                
                    
                        dr|z3d
                    
                    
                        maybe off the mark, maybe not, zzz:  cake.i2p/view/AdKbXNnxJ9_4qr7yanWUR0OmuqjbrqUhh75UozWOu_tooWtaH1U7/AdKbXNnxJ9.txt  
                    
                
                
                    
                        orignal
                    
                    
                        not a problem I can do it with openssl
                    
                
                
                    
                        zzz
                    
                    
                        I have everything logged at every step, both in my code and in the Go server. What I don't have is logging inside the libsodium code
                    
                
                
                    
                        orignal
                    
                    
                        I mean log an input and encrypted output
                    
                
                
                    
                        zzz
                    
                    
                        yeah I have that
                    
                
                
                    
                        orignal
                    
                    
                        so you have proper test vectors
                    
                
                
                    
                        zzz
                    
                    
                        keys, DH, subkey, hchacha, plaintext, ciphertext, UDP packet, nonces, ...
                    
                
                
                    
                        zzz
                    
                    
                        no I don't have test vectors, just logs
                    
                
                
                    
                        orignal
                    
                    
                        yes, I mean you have the key, nonce, input
                    
                
                
                    
                        orignal
                    
                    
                        and correct output
                    
                
                
                    
                        zzz
                    
                    
                        I'll code up the chacha/poly test vectors and also try to decrypt what I encrypted just to double check
                    
                
                
                    
                        zzz
                    
                    
                        but I'm too cranky to do it now
                    
                
                
                    
                        orignal
                    
                    
                        I want to play with openssl to achieve the same result
                    
                
                
                    
                        dr|z3d
                    
                    
                        switch focus, find something else to do, then come back to it.
                    
                
                
                    
                        zzz
                    
                    
                        yup
                    
                
                
                    
                        dr|z3d
                    
                    
                        you want to look at my WIP new hosts counter code?
                    
                
                
                    
                        dr|z3d
                    
                    
                        or you could look at my WIP netdb search code for leasesets, probably a lot less challenging :)
                    
                
                
                    
                        zzz
                    
                    
                        FYI HChaCha20 hash is the same as ChaCha20 hash but without the final addition. It's the quarter rounds only
                    
                
                
                    
                        zzz
                    
                    
                        but then my eyes would be bleeding ((
                    
                
                
                    
                        orignal
                    
                    
                        strange
                    
                
                
                    
                        orignal
                    
                    
                        so they use non-standard chacha20?
                    
                
                
                    
                        zzz
                    
                    
                        no. chacha20 is standard, but they also use hchacha20 to generate a subkey to pass to chacha20
                    
                
                
                    
                        zzz
                    
                    
                        and also earlier in the KDF
                    
                
                
                    
                        zzz
                    
                    
                        well, it's the DJB 8/8 standard, not the RFC 4/12 standard, but that doesn't matter, they're using 8 byte nonces
                    
                
                
                    
                        zzz
                    
                    
                        so it's the same thing
                    
                
                
                    
                        zzz
                    
                    
                        the block counter isn't overflowing 256GB ))
                    
                
                
                    
                        orignal
                    
                    
                        so, just 8 bytes nonce and mac first?
                    
                
                
                    
                        zzz
                    
                    
                        yup but don't take my word for it, look at the spec, maybe I'm reading something wrong
                    
                
                
                    
                        zzz
                    
                    
                        crankiness over I guess, test vector passes (ofc)
                    
                
                
                    
                        zzz
                    
                    
                        Tag
                    
                
                
                    
                        zzz
                    
                    
                        00000072  1a e1 0b 59 4f 09 e2 6a  7e 90 2e cb d0 60 06 91  |...YO..j~....`..|
                    
                
                
                    
                        zzz
                    
                    
                        Plaintext
                    
                
                
                    
                        zzz
                    
                    
                        00000000  4c 61 64 69 65 73 20 61  6e 64 20 47 65 6e 74 6c  |Ladies and Gentl|
                    
                
                
                    
                        dr|z3d
                    
                    
                        smells like progress.
                    
                
                
                    
                        zzz
                    
                    
                        not really, we knew it worked
                    
                
                
                    
                        zzz
                    
                    
                        found the xchacha20-poly1305 test vectors in libsodium, let's see if those work
                    
                
                
                    
                        not_bob_afk
                    
                    
                        zzz: Jump stats for 2024 are out on my page,  notbob.i2p/cgi-bin/blog.cgi
                    
                
                
                    
                        zzz
                    
                    
                        cool. I might do mine, or might not
                    
                
                
                    
                        not_bob_afk
                    
                    
                        I did notice a major drop off in jumps.  But, a huge increase in requests for my hosts.txt files.
                    
                
                
                    
                        zzz
                    
                    
                        can't even get the simplest vector to work - input length 0
                    
                
                
                    
                        zzz
                    
                    
                        { "065ff46a9dddb1ab047ee5914d6d575a828b8cc1f454b24e8cd0f57efdc49a34", "f83262646ce01293b9923a65a073df78c54b2e799cd6c4e5", "", "4c72340416339dcdea01b760db5adaf7" }
                         
                
                
                    
                        zzz
                    
                    
                        key iv plaintext ciphertext
                    
                
                
                    
                        zzz
                    
                    
                        the way I read the spec is:
                    
                
                
                    
                        zzz
                    
                    
                        xchacha20poly1305(key, iv, in, out) {
                    
                
                
                    
                        zzz
                    
                    
                          subkey = hchacha20(key, iv[0:15];
                    
                
                
                    
                        zzz
                    
                    
                          chachapoly1305(subkey, iv[16:23], in, out);
                    
                
                
                    
                        zzz
                    
                    
                        }
                    
                
                
                    
                        orignal
                    
                    
                        which one is key?
                    
                
                
                    
                        zzz
                    
                    
                        key iv plaintext ciphertext
                    
                
                
                    
                        dr|z3d
                    
                    
                        ok, new hosts count badge implemented, for the dark theme only for now, flicker eliminated.
                    
                
                
                    
                        dr|z3d
                    
                    
                        the count will only display if you have the services section collapsed. new + dev build shortly.
                    
                
                
                    
                        orignal
                    
                    
                        failed too
                    
                
                
                    
                        zzz
                    
                    
                        hmph
                    
                
                
                    
                        zzz
                    
                    
                        here's what I got
                    
                
                
                    
                        zzz
                    
                    
                        key
                    
                
                
                    
                        zzz
                    
                    
                        00000000  06 5f f4 6a 9d dd b1 ab  04 7e e5 91 4d 6d 57 5a  |._.j.....~..MmWZ|
                    
                
                
                    
                        zzz
                    
                    
                        00000010  82 8b 8c c1 f4 54 b2 4e  8c d0 f5 7e fd c4 9a 34  |.....T.N...~...4|
                    
                
                
                    
                        zzz
                    
                    
                        iv
                    
                
                
                    
                        zzz
                    
                    
                        00000000  f8 32 62 64 6c e0 12 93  b9 92 3a 65 a0 73 df 78  |.2bdl.....:e.s.x|
                    
                
                
                    
                        zzz
                    
                    
                        00000010  c5 4b 2e 79 9c d6 c4 e5                           |.K.y....        |
                    
                
                
                    
                        zzz
                    
                    
                        chacha in
                    
                
                
                    
                        zzz
                    
                    
                        00000000                                                    |                |
                    
                
                
                    
                        zzz
                    
                    
                        subkey
                    
                
                
                    
                        zzz
                    
                    
                        00000000  5c 05 31 ca 5d 8c 83 31  24 97 94 ae 8b 14 fa 2e  |\.1.]..1$.......|
                    
                
                
                    
                        zzz
                    
                    
                        00000010  31 b5 40 71 fa c5 73 c5  43 be 30 57 a6 00 a2 fc  |1.@q..s.C.0W....|
                    
                
                
                    
                        zzz
                    
                    
                        chacha out (mac last)
                    
                
                
                    
                        zzz
                    
                    
                        00000000  f9 e2 83 14 af 09 d2 ce  f6 7c d1 69 0c 4b 1a 00  |.........|.i.K..|
                    
                
                
                    
                        zzz
                    
                    
                        chacha out (mac first)
                    
                
                
                    
                        zzz
                    
                    
                        00000000  f9 e2 83 14 af 09 d2 ce  f6 7c d1 69 0c 4b 1a 00  |.........|.i.K..|
                    
                
                
                    
                        zzz
                    
                    
                        EXPECTED:
                    
                
                
                    
                        zzz
                    
                    
                        00000000  4c 72 34 04 16 33 9d cd  ea 01 b7 60 db 5a da f7  |Lr4..3.....`.Z..|
                    
                
                
                    
                        orignal
                    
                    
                        let me print subkey
                    
                
                
                    
                        zzz
                    
                    
                        I know my subkey is right, because my hchacha20 vector from the spec passes, and it also matches the dnscrypt go subkey
                    
                
                
                    
                        orignal
                    
                    
                        my subkey is c7 22 55 41 56 2d 12 cf 52 ba 13 b6 b2 14 4d c0 3a b3 65 0f 03 1c 77 5a 07 e8 e4 4e 96 4a 80 78 
                    
                
                
                    
                        orignal
                    
                    
                        wait
                    
                
                
                    
                        orignal
                    
                    
                        for xchacha20
                    
                
                
                    
                        orignal
                    
                    
                        <zzz>   subkey = hchacha20(key, iv[0:15];
                    
                
                
                    
                        orignal
                    
                    
                        what do you encrypt here?
                    
                
                
                    
                        orignal
                    
                    
                        key is for key, 16 bytes for iv is iv
                    
                
                
                    
                        orignal
                    
                    
                        but what is data?
                    
                
                
                    
                        zzz
                    
                    
                        there is no data, it's not the full chacha20, it's just the 20 quarter rounds. no data
                    
                
                
                    
                        zzz
                    
                    
                            public static void hash(byte[] key, byte[] iv, int ivOffset,
                    
                
                
                    
                        zzz
                    
                    
                                                    byte[] out, int outOffset) {
                    
                
                
                    
                        zzz
                    
                    
                                int[] input = new int[16];
                    
                
                
                    
                        zzz
                    
                    
                                int[] output = new int[16];
                    
                
                
                    
                        zzz
                    
                    
                                ChaChaCore.initKey256(input, key, 0);
                    
                
                
                    
                        zzz
                    
                    
                                for (int i = 0; i < 4; i++) {
                    
                
                
                    
                        zzz
                    
                    
                                    input[12 + i] = (int) DataHelper.fromLongLE(iv, ivOffset + (4 * i), 4);
                    
                
                
                    
                        zzz
                    
                    
                                }
                    
                
                
                    
                        zzz
                    
                    
                                // no final addition
                    
                
                
                    
                        zzz
                    
                    
                                ChaChaCore.hhash(output, input);
                    
                
                
                    
                        zzz
                    
                    
                                for (int i = 0; i < 4; i++) {
                    
                
                
                    
                        zzz
                    
                    
                                    DataHelper.toLongLE(out, outOffset + (4 * i), 4, output[i] & 0xffffffffL);
                    
                
                
                    
                        zzz
                    
                    
                                }
                    
                
                
                    
                        zzz
                    
                    
                                for (int i = 0; i < 4; i++) {
                    
                
                
                    
                        zzz
                    
                    
                                    DataHelper.toLongLE(out, outOffset + 16 + (4 * i), 4, output[12 + i] & 0xffffffffL);
                    
                
                
                    
                        zzz
                    
                    
                                }
                    
                
                
                    
                        zzz
                    
                    
                            }
                    
                
                
                    
                        orignal
                    
                    
                        can I make one from regular chacha20?
                    
                
                
                    
                        zzz
                    
                    
                        you have to find the code that does all the quarter rounds, and then the final addition, and remove the final addition
                    
                
                
                    
                        zzz
                    
                    
                        public static void hhash(int[] output, int[] input)
                    
                
                
                    
                        zzz
                    
                    
                        {
                    
                
                
                    
                        zzz
                    
                    
                        int index;
                    
                
                
                    
                        zzz
                    
                    
                        // Copy the input to the output to start with.
                    
                
                
                    
                        zzz
                    
                    
                        System.arraycopy(input, 0, output, 0, 16);
                    
                
                
                    
                        zzz
                    
                    
                        // Perform the 20 ChaCha rounds in groups of two.
                    
                
                
                    
                        zzz
                    
                    
                        for (index = 0; index < 20; index += 2) {
                    
                
                
                    
                        zzz
                    
                    
                        // Column round.
                    
                
                
                    
                        zzz
                    
                    
                        quarterRound(output, 0, 4, 8,  12);
                    
                
                
                    
                        zzz
                    
                    
                        quarterRound(output, 1, 5, 9,  13);
                    
                
                
                    
                        zzz
                    
                    
                        quarterRound(output, 2, 6, 10, 14);
                    
                
                
                    
                        zzz
                    
                    
                        quarterRound(output, 3, 7, 11, 15);
                    
                
                
                    
                        zzz
                    
                    
                        // Diagonal round.
                    
                
                
                    
                        zzz
                    
                    
                        quarterRound(output, 0, 5, 10, 15);
                    
                
                
                    
                        zzz
                    
                    
                        quarterRound(output, 1, 6, 11, 12);
                    
                
                
                    
                        zzz
                    
                    
                        quarterRound(output, 2, 7, 8,  13);
                    
                
                
                    
                        zzz
                    
                    
                        quarterRound(output, 3, 4, 9,  14);
                    
                
                
                    
                        zzz
                    
                    
                        }
                    
                
                
                    
                        zzz
                    
                    
                                        // NO FINAL ADDITION HERE
                    
                
                
                    
                        zzz
                    
                    
                        }
                    
                
                
                    
                        orignal
                    
                    
                        I have such code 
                    
                
                
                    
                        orignal
                    
                    
                        though it could be done using openssl
                    
                
                
                    
                        zzz
                    
                    
                        ok. do the test vectors from the dnscrypt spec section 17.2
                    
                
                
                    
                        orignal
                    
                    
                        I will take old psi's code
                    
                
                
                    
                        orignal
                    
                    
                        np
                    
                
                
                    
                        orignal
                    
                    
                        but a little later
                    
                
                
                    
                        zzz
                    
                    
                        thx. it's basically just a HKDF
                    
                
                
                    
                        orignal
                    
                    
                        HKDF?
                    
                
                
                    
                        orignal
                    
                    
                        please tell me
                    
                
                
                    
                        zzz
                    
                    
                        hash-based key derivation function
                    
                
                
                    
                        zzz
                    
                    
                        take the key and hash it to create a subkey
                    
                
                
                    
                        orignal
                    
                    
                        HKDF is HMAC
                    
                
                
                    
                        zzz
                    
                    
                        yeah maybe not a great analogy
                    
                
                
                    
                        orignal
                    
                    
                        the problem is that own implementation is slow
                    
                
                
                    
                        orignal
                    
                    
                        openssl's chacha20 uses SSE
                    
                
                
                    
                        orignal
                    
                    
                        and assembly code
                    
                
                
                    
                        dr|z3d
                    
                    
                        you got it licked yet, zzz?
                    
                
                
                    
                        mareki2p
                    
                    
                        One problem with cryptography is that mathematicians like to have the opposite endianness of bits inside a byte than C-like languages have.