devp2p: drop pre-EIP8 support, fix snappy negotiation (#758)

Support for previous versions was
[removed](7194c847b6)
from geth in 2021 after other clients had migrated - should be safe to
remove here also.

* fix snappy detection - it should use the hello version, not the RLPx
handshake
* simplify generation of auth messages
* pad 100-300 bytes like spec suggests

TODO: error handling is all over the place - will be addressed in a
follow-up PR

eth/p2p/auth.nim

@@ -8,7 +8,10 @@
 #            MIT license (LICENSE-MIT)
 #
 
-## This module implements Ethereum RLPx authentication
+## This module implements Ethereum EIP-8 RLPx authentication - pre-EIP-8
+## messages are not supported
+## https://github.com/ethereum/devp2p/blob/5713591d0366da78a913a811c7502d9ca91d29a8/rlpx.md#initial-handshake
+## https://github.com/ethereum/EIPs/blob/b479473414cf94445b450c266a9dedc079a12158/EIPS/eip-8.md
 
 {.push raises: [].}
 
@@ -25,57 +28,49 @@ export results
 type keccak256 = keccak.keccak256
 
 const
-  SupportedRlpxVersion* = 4'u8
-
   # Auth message sizes
+  MsgLenLenEIP8* = 2
+    ## auth-size = size of enc-auth-body, encoded as a big-endian 16-bit integer
+    ## ack-size = size of enc-ack-body, encoded as a big-endian 16-bit integer
 
-  # Pre EIP8
+  MinPadLenEIP8* = 100
-  PlainAuthMessageV4Length* = 194
+  MaxPadLenEIP8* = 300
-  AuthMessageV4Length* = 307
+    ## Padding makes message length unpredictable which makes packet filtering
+    ## a tiny bit harder - although not necessary any more, we always add at
+    ## least 100 bytes of padding to make the message distinguishable from
+    ## pre-EIP8 and at most 200 to stay within recommendation
 
-  # EIP8
   # signature + pubkey + nounce + version + rlp encoding overhead
   # 65 + 64 + 32 + 1 + 7 = 169
   PlainAuthMessageEIP8Length = 169
-  PlainAuthMessageMaxEIP8* = PlainAuthMessageEIP8Length + 255 # with padding
+  PlainAuthMessageMaxEIP8 = PlainAuthMessageEIP8Length + MaxPadLenEIP8
   # Min. encrypted message + size prefix = 284
-  AuthMessageEIP8Length* = PlainAuthMessageEIP8Length + eciesOverheadLength + 2
+  AuthMessageEIP8Length* =
-  AuthMessageMaxEIP8* = AuthMessageEIP8Length + 255 # with padding
+    eciesEncryptedLength(PlainAuthMessageEIP8Length) + MsgLenLenEIP8
+  AuthMessageMaxEIP8* = AuthMessageEIP8Length + MaxPadLenEIP8
+    ## Minimal output buffer size to pass into `authMessage`
 
   # Ack message sizes
 
-  # Pre EIP8
-  PlainAckMessageV4Length* = 97
-  AckMessageV4Length* = 210
-
-  # EIP 8
   # pubkey + nounce + version + rlp encoding overhead
   # 64 + 32 + 1 + 5 = 102
-  PlainAckMessageEIP8Length* = 102
+  PlainAckMessageEIP8Length = 102
-  PlainAckMessageMaxEIP8* = PlainAckMessageEIP8Length + 255 # with padding
+  PlainAckMessageMaxEIP8 = PlainAckMessageEIP8Length + MaxPadLenEIP8
   # Min. encrypted message + size prefix = 217
-  AckMessageEIP8Length* = PlainAckMessageEIP8Length + eciesOverheadLength + 2
+  AckMessageEIP8Length* = eciesEncryptedLength(PlainAckMessageMaxEIP8) + MsgLenLenEIP8
-  AckMessageMaxEIP8* = AckMessageEIP8Length + 255 # with padding
+  AckMessageMaxEIP8* = AckMessageEIP8Length + MaxPadLenEIP8
+    ## Minimal output buffer size to pass into `ackMessage`
+
+  Vsn = [byte 4]
+    ## auth-vsn = 4
+    ## ack-vsn = 4
 
 type
   Nonce* = array[KeyLength, byte]
 
-  AuthMessageV4* {.packed.} = object
-    signature: array[RawSignatureSize, byte]
-    keyhash: array[keccak256.sizeDigest, byte]
-    pubkey: array[RawPublicKeySize, byte]
-    nonce: array[keccak256.sizeDigest, byte]
-    flag: byte
-
-  AckMessageV4* {.packed.} = object
-    pubkey: array[RawPublicKeySize, byte]
-    nonce: array[keccak256.sizeDigest, byte]
-    flag: byte
-
   HandshakeFlag* = enum
-    Initiator,      ## `Handshake` owner is connection initiator
+    Initiator ## `Handshake` owner is connection initiator
-    Responder,      ## `Handshake` owner is connection responder
+    Responder ## `Handshake` owner is connection responder
-    EIP8            ## Flag indicates that EIP-8 handshake is used
 
   AuthError* = enum
     EcdhError = "auth: ECDH shared secret could not be calculated"
@@ -89,7 +84,6 @@ type
     IncompleteError = "auth: data incomplete"
 
   Handshake* = object
-    version*: uint8             ## protocol version
     flags*: set[HandshakeFlag] ## handshake flags
     host*: KeyPair ## host keypair
     ephemeral*: KeyPair ## ephemeral host keypair
@@ -97,7 +91,6 @@ type
     remoteEPubkey*: PublicKey ## remote host ephemeral public key
     initiatorNonce*: Nonce ## initiator nonce
     responderNonce*: Nonce ## responder nonce
-    expectedLength*: int        ## expected incoming message length
 
   ConnectionSecret* = object
     aesKey*: array[aes256.sizeKey, byte]
@@ -111,291 +104,154 @@ template toa(a, b, c: untyped): untyped =
   toOpenArray((a), (b), (b) + (c) - 1)
 
 proc mapErrTo[T, E](r: Result[T, E], v: static AuthError): AuthResult[T] =
-  r.mapErr(proc (e: E): AuthError = v)
+  r.mapErr(
+    proc(e: E): AuthError =
+      v
+  )
 
 proc init*(
-    T: type Handshake, rng: var HmacDrbgContext, host: KeyPair,
+    T: type Handshake,
-    flags: set[HandshakeFlag] = {Initiator},
+    rng: var HmacDrbgContext,
-    version: uint8 = SupportedRlpxVersion): T =
+    host: KeyPair,
+    flags: set[HandshakeFlag],
+): T =
   ## Create new `Handshake` object.
   var
     initiatorNonce: Nonce
     responderNonce: Nonce
-    expectedLength: int
     ephemeral = KeyPair.random(rng)
 
   if Initiator in flags:
-    expectedLength = AckMessageV4Length
     rng.generate(initiatorNonce)
   else:
-    expectedLength = AuthMessageV4Length
     rng.generate(responderNonce)
 
   return T(
-    version: version,
     flags: flags,
     host: host,
     ephemeral: ephemeral,
     initiatorNonce: initiatorNonce,
     responderNonce: responderNonce,
-    expectedLength: expectedLength
   )
 
-proc authMessagePreEIP8(h: var Handshake,
+proc authMessage*(
+    h: var Handshake,
     rng: var HmacDrbgContext,
     pubkey: PublicKey,
     output: var openArray[byte],
-                        outlen: var int,
+): AuthResult[int] =
-                        flag: byte = 0,
+  ## Create EIP8 authentication message - returns length of encoded message
-                        encrypt: bool = true): AuthResult[void] =
+  ## The output should be a buffer of AuthMessageMaxEIP8 bytes at least.
-  ## Create plain pre-EIP8 authentication message.
+  if len(output) < AuthMessageMaxEIP8:
-  var
-    buffer: array[PlainAuthMessageV4Length, byte]
-  outlen = 0
-  let header = cast[ptr AuthMessageV4](addr buffer[0])
-
-  var secret = ecdhSharedSecret(h.host.seckey, pubkey)
-  secret.data = secret.data xor h.initiatorNonce
-
-  let signature = sign(h.ephemeral.seckey, SkMessage(secret.data))
-  secret.clear()
-
-  h.remoteHPubkey = pubkey
-  header.signature = signature.toRaw()
-  header.keyhash = keccak256.digest(h.ephemeral.pubkey.toRaw()).data
-  header.pubkey = h.host.pubkey.toRaw()
-  header.nonce = h.initiatorNonce
-  header.flag = flag
-  if encrypt:
-    if len(output) < AuthMessageV4Length:
     return err(AuthError.BufferOverrun)
-    if eciesEncrypt(rng, buffer, output, h.remoteHPubkey).isErr:
-      return err(AuthError.EciesError)
-    outlen = AuthMessageV4Length
-  else:
-    if len(output) < PlainAuthMessageV4Length:
-      return err(AuthError.BufferOverrun)
-    copyMem(addr output[0], addr buffer[0], PlainAuthMessageV4Length)
-    outlen = PlainAuthMessageV4Length
 
-  ok()
+  var padsize = int(rng.generate(byte))
-
+  while padsize > (MaxPadLenEIP8 - MinPadLenEIP8):
-proc authMessageEIP8(h: var Handshake,
-                     rng: var HmacDrbgContext,
-                     pubkey: PublicKey,
-                     output: var openArray[byte],
-                     outlen: var int,
-                     flag: byte = 0,
-                     encrypt: bool = true): AuthResult[void] =
-  ## Create EIP8 authentication message.
-  var
-    buffer: array[PlainAuthMessageMaxEIP8, byte]
-
-  doAssert(EIP8 in h.flags)
-  outlen = 0
-
-  var secret = ecdhSharedSecret(h.host.seckey, pubkey)
-  secret.data = secret.data xor h.initiatorNonce
-
-  let signature = sign(h.ephemeral.seckey, SkMessage(secret.data))
-  secret.clear()
-
-  h.remoteHPubkey = pubkey
-  var payload = rlp.encodeList(signature.toRaw(),
-                               h.host.pubkey.toRaw(),
-                               h.initiatorNonce,
-                               [byte(h.version)])
-  doAssert(len(payload) == PlainAuthMessageEIP8Length)
-  let
-    pencsize = eciesEncryptedLength(len(payload))
-
-  var padsize = int(rng.generate(byte)) # aka rand(max)
-  while padsize <= (AuthMessageV4Length - (pencsize + 2)):
     padsize = int(rng.generate(byte))
+  padsize += MinPadLenEIP8
 
-  # It is possible to make packet size constant by uncommenting this line
-  # padsize = 24
   let
+    pencsize = eciesEncryptedLength(PlainAuthMessageEIP8Length)
     wosize = pencsize + padsize
     fullsize = wosize + 2
 
-  rng.generate(toa(buffer, PlainAuthMessageEIP8Length, padsize))
+  doAssert fullsize <= len(output), "We checked against max possible length above"
 
-  if encrypt:
+  var secret = ecdhSharedSecret(h.host.seckey, pubkey)
-    if len(output) < fullsize:
+  secret.data = secret.data xor h.initiatorNonce
-      return err(AuthError.BufferOverrun)
 
+  let signature = sign(h.ephemeral.seckey, SkMessage(secret.data))
+  secret.clear()
+
+  h.remoteHPubkey = pubkey
+  var payload =
+    rlp.encodeList(signature.toRaw(), h.host.pubkey.toRaw(), h.initiatorNonce, Vsn)
+  doAssert(len(payload) == PlainAuthMessageEIP8Length)
+
+  var buffer {.noinit.}: array[PlainAuthMessageMaxEIP8, byte]
   copyMem(addr buffer[0], addr payload[0], len(payload))
+  rng.generate(toa(buffer, PlainAuthMessageEIP8Length, padsize))
 
   let wosizeBE = uint16(wosize).toBytesBE()
   output[0 ..< 2] = wosizeBE
-    if eciesEncrypt(rng, toa(buffer, 0, len(payload) + padsize),
+  if eciesEncrypt(
-                    toa(output, 2, wosize), pubkey,
+    rng,
-                    toa(output, 0, 2)).isErr:
+    toa(buffer, 0, len(payload) + padsize),
+    toa(output, 2, wosize),
+    pubkey,
+    toa(output, 0, 2),
+  ).isErr:
     return err(AuthError.EciesError)
-    outlen = fullsize
+
-  else:
+  ok(fullsize)
-    let plainsize = len(payload) + padsize
+
-    if len(output) < plainsize:
+proc ackMessage*(
+    h: var Handshake, rng: var HmacDrbgContext, output: var openArray[byte]
+): AuthResult[int] =
+  ## Create EIP8 authentication ack message - returns length of encoded message
+  ## The output should be a buffer of AckMessageMaxEIP8 bytes at least.
+  if len(output) < AckMessageMaxEIP8:
     return err(AuthError.BufferOverrun)
-    copyMem(addr output[0], addr buffer[0], plainsize)
-    outlen = plainsize
 
-  ok()
+  var padsize = int(rng.generate(byte))
-
+  while padsize > (MaxPadLenEIP8 - MinPadLenEIP8):
-proc ackMessagePreEIP8(h: var Handshake,
+    padsize = int(rng.generate(byte))
-                       rng: var HmacDrbgContext,
+  padsize += MinPadLenEIP8
-                       output: var openArray[byte],
-                       outlen: var int,
-                       flag: byte = 0,
-                       encrypt: bool = true): AuthResult[void] =
-  ## Create plain pre-EIP8 authentication ack message.
-  var buffer: array[PlainAckMessageV4Length, byte]
-  outlen = 0
-  let header = cast[ptr AckMessageV4](addr buffer[0])
-  header.pubkey = h.ephemeral.pubkey.toRaw()
-  header.nonce = h.responderNonce
-  header.flag = flag
-  if encrypt:
-    if len(output) < AckMessageV4Length:
-      return err(AuthError.BufferOverrun)
-    if eciesEncrypt(rng, buffer, output, h.remoteHPubkey).isErr:
-      return err(AuthError.EciesError)
-    outlen = AckMessageV4Length
-  else:
-    if len(output) < PlainAckMessageV4Length:
-      return err(AuthError.BufferOverrun)
-    copyMem(addr output[0], addr buffer[0], PlainAckMessageV4Length)
-    outlen = PlainAckMessageV4Length
-
-  ok()
-
-proc ackMessageEIP8(h: var Handshake,
-                    rng: var HmacDrbgContext,
-                    output: var openArray[byte],
-                    outlen: var int,
-                    flag: byte = 0,
-                    encrypt: bool = true): AuthResult[void] =
-  ## Create EIP8 authentication ack message.
-  var
-    buffer: array[PlainAckMessageMaxEIP8, byte]
-    padsize: array[1, byte]
-  doAssert(EIP8 in h.flags)
-  var payload = rlp.encodeList(h.ephemeral.pubkey.toRaw(),
-                               h.responderNonce,
-                               [byte(h.version)])
-  doAssert(len(payload) == PlainAckMessageEIP8Length)
-  outlen = 0
-  let pencsize = eciesEncryptedLength(len(payload))
-  while true:
-    generate(rng, padsize)
-    if int(padsize[0]) > (AckMessageV4Length - (pencsize + 2)):
-      break
-  # It is possible to make packet size constant by uncommenting this line
-  # padsize = 0
-  let wosize = pencsize + int(padsize[0])
-  let fullsize = wosize + 2
-  if int(padsize[0]) > 0:
-    rng.generate(toa(buffer, PlainAckMessageEIP8Length, int(padsize[0])))
-
-  copyMem(addr buffer[0], addr payload[0], len(payload))
-  if encrypt:
-    if len(output) < fullsize:
-      return err(AuthError.BufferOverrun)
-    output[0..<2] = uint16(wosize).toBytesBE()
-    if eciesEncrypt(rng, toa(buffer, 0, len(payload) + int(padsize[0])),
-                    toa(output, 2, wosize), h.remoteHPubkey,
-                    toa(output, 0, 2)).isErr:
-      return err(AuthError.EciesError)
-    outlen = fullsize
-  else:
-    let plainsize = len(payload) + int(padsize[0])
-    if len(output) < plainsize:
-      return err(AuthError.BufferOverrun)
-    copyMem(addr output[0], addr buffer[0], plainsize)
-    outlen = plainsize
-
-  ok()
-
-template authSize*(h: Handshake, encrypt: bool = true): int =
-  ## Get number of bytes needed to store AuthMessage.
-  if EIP8 in h.flags:
-    if encrypt: (AuthMessageMaxEIP8) else: (PlainAuthMessageMaxEIP8)
-  else:
-    if encrypt: (AuthMessageV4Length) else: (PlainAuthMessageV4Length)
-
-template ackSize*(h: Handshake, encrypt: bool = true): int =
-  ## Get number of bytes needed to store AckMessage.
-  if EIP8 in h.flags:
-    if encrypt: (AckMessageMaxEIP8) else: (PlainAckMessageMaxEIP8)
-  else:
-    if encrypt: (AckMessageV4Length) else: (PlainAckMessageV4Length)
-
-proc authMessage*(h: var Handshake, rng: var HmacDrbgContext,
-                  pubkey: PublicKey,
-                  output: var openArray[byte],
-                  outlen: var int, flag: byte = 0,
-                  encrypt: bool = true): AuthResult[void] =
-  ## Create new AuthMessage for specified `pubkey` and store it inside
-  ## of `output`, size of generated AuthMessage will stored in `outlen`.
-  if EIP8 in h.flags:
-    authMessageEIP8(h, rng, pubkey, output, outlen, flag, encrypt)
-  else:
-    authMessagePreEIP8(h, rng, pubkey, output, outlen, flag, encrypt)
-
-proc ackMessage*(h: var Handshake, rng: var HmacDrbgContext,
-                 output: var openArray[byte],
-                 outlen: var int, flag: byte = 0,
-                 encrypt: bool = true): AuthResult[void] =
-  ## Create new AckMessage and store it inside of `output`, size of generated
-  ## AckMessage will stored in `outlen`.
-  if EIP8 in h.flags:
-    ackMessageEIP8(h, rng, output, outlen, flag, encrypt)
-  else:
-    ackMessagePreEIP8(h, rng, output, outlen, flag, encrypt)
-
-proc decodeAuthMessageV4(h: var Handshake, m: openArray[byte]): AuthResult[void] =
-  ## Decodes V4 AuthMessage.
-  var
-    buffer: array[PlainAuthMessageV4Length, byte]
-
-  doAssert(Responder in h.flags)
-  if eciesDecrypt(m, buffer, h.host.seckey).isErr:
-    return err(EciesError)
 
   let
-    header = cast[ptr AuthMessageV4](addr buffer[0])
+    pencsize = eciesEncryptedLength(PlainAckMessageEIP8Length)
-    pubkey = ? PublicKey.fromRaw(header.pubkey).mapErrTo(InvalidPubKey)
+    wosize = pencsize + padsize
-    signature = ? Signature.fromRaw(header.signature).mapErrTo(SignatureError)
+    fullsize = wosize + 2
 
-  var secret = ecdhSharedSecret(h.host.seckey, pubkey)
+  doAssert fullsize <= len(output), "We checked against max possible length above"
-  secret.data = secret.data xor header.nonce
 
-  var recovered = recover(signature, SkMessage(secret.data))
+  var
-  secret.clear()
+    buffer: array[PlainAckMessageMaxEIP8, byte]
+    payload = rlp.encodeList(h.ephemeral.pubkey.toRaw(), h.responderNonce, Vsn)
+  doAssert(len(payload) == PlainAckMessageEIP8Length)
 
-  h.remoteEPubkey = ? recovered.mapErrTo(SignatureError)
+  copyMem(addr buffer[0], addr payload[0], PlainAckMessageEIP8Length)
-  h.initiatorNonce = header.nonce
+  rng.generate(toa(buffer, PlainAckMessageEIP8Length, padsize))
-  h.remoteHPubkey = pubkey
 
-  ok()
+  output[0 ..< MsgLenLenEIP8] = uint16(wosize).toBytesBE()
 
-proc decodeAuthMessageEIP8(h: var Handshake, m: openArray[byte]): AuthResult[void] =
+  if eciesEncrypt(
+    rng,
+    toa(buffer, 0, PlainAckMessageEIP8Length + padsize),
+    toa(output, MsgLenLenEIP8, wosize),
+    h.remoteHPubkey,
+    toa(output, 0, MsgLenLenEIP8),
+  ).isErr:
+    return err(AuthError.EciesError)
+  ok(fullsize)
+
+proc decodeMsgLen*(h: Handshake, input: openArray[byte]): AuthResult[int] =
+  if input.len < 2:
+    return err(AuthError.IncompleteError)
+  let len = int(uint16.fromBytesBE(input)) + 2
+  if len < AuthMessageEIP8Length:
+    return err(AuthError.IncompleteError)
+  ok(len)
+
+proc decodeAuthMessage*(h: var Handshake, m: openArray[byte]): AuthResult[void] =
   ## Decodes EIP-8 AuthMessage.
-  let size = uint16.fromBytesBE(m)
+  let
-  h.expectedLength = 2 + int(size)
+    expectedLength = ?h.decodeMsgLen(m)
+    size = expectedLength - MsgLenLenEIP8
 
   # Check if the prefixed size is => than the minimum
-  if h.expectedLength < AuthMessageEIP8Length:
+  if expectedLength < AuthMessageEIP8Length:
     return err(AuthError.IncompleteError)
 
-  if h.expectedLength > len(m):
+  if expectedLength > len(m):
     return err(AuthError.IncompleteError)
 
-  var buffer = newSeq[byte](eciesDecryptedLength(int(size)))
+  var buffer = newSeq[byte](eciesDecryptedLength(size))
   if eciesDecrypt(
-      toa(m, 2, int(size)), buffer, h.host.seckey, toa(m, 0, 2)).isErr:
+    toa(m, MsgLenLenEIP8, int(size)), buffer, h.host.seckey, toa(m, 0, MsgLenLenEIP8)
+  ).isErr:
     return err(AuthError.EciesError)
+
   try:
     var reader = rlpFromBytes(buffer)
     if not reader.isList() or reader.listLen() < 4:
@@ -412,9 +268,7 @@ proc decodeAuthMessageEIP8(h: var Handshake, m: openArray[byte]): AuthResult[voi
       signatureBr = reader.listElem(0).toBytes()
       pubkeyBr = reader.listElem(1).toBytes()
       nonceBr = reader.listElem(2).toBytes()
-      versionBr = reader.listElem(3).toBytes()
 
-    let
       signature = ?Signature.fromRaw(signatureBr).mapErrTo(SignatureError)
       pubkey = ?PublicKey.fromRaw(pubkeyBr).mapErrTo(InvalidPubKey)
       nonce = toArray(KeyLength, nonceBr)
@@ -428,97 +282,49 @@ proc decodeAuthMessageEIP8(h: var Handshake, m: openArray[byte]): AuthResult[voi
     h.remoteEPubkey = ?recovered.mapErrTo(SignatureError)
     h.initiatorNonce = nonce
     h.remoteHPubkey = pubkey
-    h.version = versionBr[0]
     ok()
   except CatchableError:
     err(AuthError.RlpError)
 
-proc decodeAckMessageEIP8*(h: var Handshake, m: openArray[byte]): AuthResult[void] =
+proc decodeAckMessage*(h: var Handshake, m: openArray[byte]): AuthResult[void] =
   ## Decodes EIP-8 AckMessage.
-  let size = uint16.fromBytesBE(m)
+  let
-  h.expectedLength = 2 + int(size)
+    expectedLength = ?h.decodeMsgLen(m)
+    size = expectedLength - MsgLenLenEIP8
 
   # Check if the prefixed size is => than the minimum
-  if h.expectedLength < AckMessageEIP8Length:
+  if expectedLength > len(m):
     return err(AuthError.IncompleteError)
 
-  if h.expectedLength > len(m):
+  var buffer = newSeq[byte](eciesDecryptedLength(size))
-    return err(AuthError.IncompleteError)
-
-  var buffer = newSeq[byte](eciesDecryptedLength(int(size)))
   if eciesDecrypt(
-      toa(m, 2, int(size)), buffer, h.host.seckey, toa(m, 0, 2)).isErr:
+    toa(m, MsgLenLenEIP8, size), buffer, h.host.seckey, toa(m, 0, MsgLenLenEIP8)
+  ).isErr:
     return err(AuthError.EciesError)
   try:
     var reader = rlpFromBytes(buffer)
+    # The last element, the version, is ignored
     if not reader.isList() or reader.listLen() < 3:
       return err(AuthError.InvalidAck)
     if reader.listElem(0).blobLen != RawPublicKeySize:
       return err(AuthError.InvalidAck)
     if reader.listElem(1).blobLen != KeyLength:
       return err(AuthError.InvalidAck)
-    if reader.listElem(2).blobLen != 1:
+
-      return err(AuthError.InvalidAck)
     let
       pubkeyBr = reader.listElem(0).toBytes()
       nonceBr = reader.listElem(1).toBytes()
-      versionBr = reader.listElem(2).toBytes()
 
     h.remoteEPubkey = ?PublicKey.fromRaw(pubkeyBr).mapErrTo(InvalidPubKey)
     h.responderNonce = toArray(KeyLength, nonceBr)
-    h.version = versionBr[0]
 
     ok()
   except CatchableError:
     err(AuthError.RlpError)
 
-proc decodeAckMessageV4(h: var Handshake, m: openArray[byte]): AuthResult[void] =
-  ## Decodes V4 AckMessage.
-  var
-    buffer: array[PlainAckMessageV4Length, byte]
-  doAssert(Initiator in h.flags)
-
-  if eciesDecrypt(m, buffer, h.host.seckey).isErr:
-    return err(AuthError.EciesError)
-  var header = cast[ptr AckMessageV4](addr buffer[0])
-
-  h.remoteEPubkey = ? PublicKey.fromRaw(header.pubkey).mapErrTo(InvalidPubKey)
-  h.responderNonce = header.nonce
-
-  ok()
-
-proc decodeAuthMessage*(h: var Handshake, input: openArray[byte]): AuthResult[void] =
-  ## Decodes AuthMessage from `input`.
-  # Using the smallest min. message length of the two types
-  if len(input) < AuthMessageEIP8Length:
-    return err(AuthError.IncompleteError)
-
-  if len(input) == AuthMessageV4Length:
-    let res = h.decodeAuthMessageV4(input)
-    if res.isOk(): return res
-
-  let res = h.decodeAuthMessageEIP8(input)
-  if res.isOk():
-    h.flags.incl(EIP8)
-  res
-
-proc decodeAckMessage*(h: var Handshake, input: openArray[byte]): AuthResult[void] =
-  ## Decodes AckMessage from `input`.
-  # Using the smallest min. message length of the two types
-  if len(input) < AckMessageV4Length:
-    return err(AuthError.IncompleteError)
-
-  if len(input) == AckMessageV4Length:
-    let res = h.decodeAckMessageV4(input)
-    if res.isOk(): return res
-
-  let res = h.decodeAckMessageEIP8(input)
-  if res.isOk(): h.flags.incl(EIP8)
-  res
-
 proc getSecrets*(
-  h: Handshake, authmsg: openArray[byte],
+    h: Handshake, authmsg: openArray[byte], ackmsg: openArray[byte]
-  ackmsg: openArray[byte]): ConnectionSecret =
+): ConnectionSecret =
   ## Derive secrets from handshake `h` using encrypted AuthMessage `authmsg` and
   ## encrypted AckMessage `ackmsg`.
   var

eth/p2p/rlpx.nim

@@ -27,7 +27,7 @@
 import
   std/[algorithm, deques, options, typetraits, os],
   stew/shims/macros, chronicles, nimcrypto/utils, chronos, metrics,
-  ".."/[rlp, common, async_utils],
+  ".."/[rlp, async_utils],
   ./private/p2p_types, "."/[kademlia, auth, rlpxcrypt, enode, p2p_protocol_dsl]
 
 # TODO: This doesn't get enabled currently in any of the builds, so we send a
@@ -76,8 +76,6 @@ type
   DisconnectionReasonList = object
     value: DisconnectionReason
 
-  Address = enode.Address
-
 proc read(rlp: var Rlp; T: type DisconnectionReasonList): T
     {.gcsafe, raises: [RlpError].} =
   ## Rlp mixin: `DisconnectionReasonList` parser
@@ -108,7 +106,6 @@ proc read(rlp: var Rlp; T: type DisconnectionReasonList): T
 
   raise newException(RlpTypeMismatch, "Single entry list expected")
 
-
 const
   devp2pVersion* = 4
   maxMsgSize = 1024 * 1024 * 10
@@ -543,45 +540,37 @@ proc resolveResponseFuture(peer: Peer, msgId: uint64, msg: pointer, reqId: uint6
 
     trace "late or dup RPLx reply ignored"
 
-
 proc recvMsg*(peer: Peer): Future[tuple[msgId: uint64, msgData: Rlp]] {.async.} =
   ##  This procs awaits the next complete RLPx message in the TCP stream
 
   var headerBytes: array[32, byte]
   await peer.transport.readExactly(addr headerBytes[0], 32)
 
-  var msgSize: int
   var msgHeader: RlpxHeader
-  if decryptHeaderAndGetMsgSize(peer.secretsState,
+  let msgSize = decryptHeader(
-                                headerBytes, msgSize, msgHeader).isErr():
+      peer.secretsState, headerBytes, msgHeader).valueOr:
     await peer.disconnectAndRaise(BreachOfProtocol,
                                   "Cannot decrypt RLPx frame header")
+    0 # TODO raises analysis insufficient
 
   if msgSize > maxMsgSize:
     await peer.disconnectAndRaise(BreachOfProtocol,
                                   "RLPx message exceeds maximum size")
 
   let remainingBytes = encryptedLength(msgSize) - 32
-  # TODO: Migrate this to a thread-local seq
-  # JACEK:
-  #  or pass it in, allowing the caller to choose - they'll likely be in a
-  #  better position to decide if buffer should be reused or not. this will
-  #  also be useful for chunked messages where part of the buffer may have
-  #  been processed and needs filling in
   var encryptedBytes = newSeq[byte](remainingBytes)
   await peer.transport.readExactly(addr encryptedBytes[0], len(encryptedBytes))
 
   let decryptedMaxLength = decryptedLength(msgSize)
   var
     decryptedBytes = newSeq[byte](decryptedMaxLength)
-    decryptedBytesCount = 0
 
   if decryptBody(peer.secretsState, encryptedBytes, msgSize,
-                 decryptedBytes, decryptedBytesCount).isErr():
+                 decryptedBytes).isErr():
     await peer.disconnectAndRaise(BreachOfProtocol,
                                   "Cannot decrypt RLPx frame body")
 
-  decryptedBytes.setLen(decryptedBytesCount)
+  decryptedBytes.setLen(msgSize)
 
   when useSnappy:
     if peer.snappyEnabled:
@@ -1138,21 +1127,10 @@ template `^`(arr): auto =
   # variable as an open array
   arr.toOpenArray(0, `arr Len` - 1)
 
-proc initSecretState(p: Peer, hs: Handshake, authMsg, ackMsg: openArray[byte]) =
+template setSnappySupport(peer: Peer, node: EthereumNode, hello: DevP2P.hello) =
-  var secrets = hs.getSecrets(authMsg, ackMsg)
-  initSecretState(secrets, p.secretsState)
-  burnMem(secrets)
-
-template setSnappySupport(peer: Peer, node: EthereumNode, handshake: Handshake) =
   when useSnappy:
     peer.snappyEnabled = node.protocolVersion >= devp2pSnappyVersion.uint64 and
-                         handshake.version >= devp2pSnappyVersion.uint64
+                         hello.version >= devp2pSnappyVersion.uint64
-
-template getVersion(handshake: Handshake): uint64 =
-  when useSnappy:
-    handshake.version
-  else:
-    devp2pVersion
 
 template baseProtocolVersion(node: EthereumNode): untyped =
   when useSnappy:
@@ -1160,13 +1138,6 @@ template baseProtocolVersion(node: EthereumNode): untyped =
   else:
     devp2pVersion
 
-template baseProtocolVersion(peer: Peer): uint64 =
-  when useSnappy:
-    if peer.snappyEnabled: devp2pSnappyVersion
-    else: devp2pVersion
-  else:
-    devp2pVersion
-
 type
   RlpxError* = enum
     TransportConnectError,
@@ -1180,6 +1151,79 @@ type
     PeerDisconnectedError,
     TooManyPeersError
 
+proc initiatorHandshake(
+    node: EthereumNode, transport: StreamTransport, pubkey: PublicKey
+): Future[ConnectionSecret] {.
+    async: (raises: [CancelledError, TransportError, EthP2PError])
+.} =
+  # https://github.com/ethereum/devp2p/blob/5713591d0366da78a913a811c7502d9ca91d29a8/rlpx.md#initial-handshake
+  var
+    handshake = Handshake.init(node.rng[], node.keys, {Initiator})
+    authMsg: array[AuthMessageMaxEIP8, byte]
+
+  let
+    authMsgLen = handshake.authMessage(node.rng[], pubkey, authMsg).expect(
+        "No errors with correctly sized buffer"
+      )
+
+    writeRes = await transport.write(addr authMsg[0], authMsgLen)
+  if writeRes != authMsgLen:
+    raisePeerDisconnected("Unexpected disconnect while authenticating", TcpError)
+
+  var ackMsg = newSeqOfCap[byte](1024)
+  ackMsg.setLen(MsgLenLenEIP8)
+  await transport.readExactly(addr ackMsg[0], len(ackMsg))
+
+  let ackMsgLen = handshake.decodeMsgLen(ackMsg).valueOr:
+    raise (ref MalformedMessageError)(
+      msg: "Could not decode handshake ack length: " & $error
+    )
+
+  ackMsg.setLen(ackMsgLen)
+  await transport.readExactly(addr ackMsg[MsgLenLenEIP8], ackMsgLen - MsgLenLenEIP8)
+
+  handshake.decodeAckMessage(ackMsg).isOkOr:
+    raise (ref MalformedMessageError)(msg: "Could not decode handshake ack: " & $error)
+
+  handshake.getSecrets(^authMsg, ackMsg)
+
+proc responderHandshake(
+    node: EthereumNode, transport: StreamTransport
+): Future[(ConnectionSecret, PublicKey)] {.
+    async: (raises: [CancelledError, TransportError, EthP2PError])
+.} =
+  # https://github.com/ethereum/devp2p/blob/5713591d0366da78a913a811c7502d9ca91d29a8/rlpx.md#initial-handshake
+  var
+    handshake = Handshake.init(node.rng[], node.keys, {auth.Responder})
+    authMsg = newSeqOfCap[byte](1024)
+
+  authMsg.setLen(MsgLenLenEIP8)
+  await transport.readExactly(addr authMsg[0], len(authMsg))
+
+  let authMsgLen = handshake.decodeMsgLen(authMsg).valueOr:
+    raise (ref MalformedMessageError)(
+      msg: "Could not decode handshake auth length: " & $error
+    )
+
+  authMsg.setLen(authMsgLen)
+  await transport.readExactly(addr authMsg[MsgLenLenEIP8], authMsgLen - MsgLenLenEIP8)
+
+  handshake.decodeAuthMessage(authMsg).isOkOr:
+    raise (ref MalformedMessageError)(
+      msg: "Could not decode handshake auth message: " & $error
+    )
+
+  var ackMsg: array[AckMessageMaxEIP8, byte]
+  let ackMsgLen = handshake.ackMessage(node.rng[], ackMsg).expect(
+      "no errors with correcly sized buffer"
+    )
+
+  var res = await transport.write(addr ackMsg[0], ackMsgLen)
+  if res != ackMsgLen:
+    raisePeerDisconnected("Unexpected disconnect while authenticating", TcpError)
+
+  (handshake.getSecrets(authMsg, ^ackMsg), handshake.remoteHPubkey)
+
 proc rlpxConnect*(node: EthereumNode, remote: Node):
     Future[Result[Peer, RlpxError]] {.async.} =
   # TODO: Should we not set some timeouts on the `connect` and `readExactly`s?
@@ -1208,64 +1252,23 @@ proc rlpxConnect*(node: EthereumNode, remote: Node):
       trace "TCP connect with peer failed", err = $e.name, errMsg = $e.msg
       return err(TransportConnectError)
 
-  # RLPx initial handshake
-  var
-    handshake = Handshake.init(
-      node.rng[], node.keys, {Initiator, EIP8}, node.baseProtocolVersion)
-    authMsg: array[AuthMessageMaxEIP8, byte]
-    authMsgLen = 0
-  # TODO: Rework this so we won't have to pass an array as parameter?
-  authMessage(
-    handshake, node.rng[], remote.node.pubkey, authMsg, authMsgLen).tryGet()
-
-  let writeRes =
   try:
-      await peer.transport.write(addr authMsg[0], authMsgLen)
+    let secrets = await node.initiatorHandshake(peer.transport, remote.node.pubkey)
-    except TransportError:
+    initSecretState(secrets, peer.secretsState)
-      return err(RlpxHandshakeTransportError)
-    except CatchableError as e: # TODO: Only TransportErrors can occur?
-      raiseAssert($e.name & " " & $e.msg)
-  if writeRes != authMsgLen:
-    return err(RlpxHandshakeTransportError)
-
-  let initialSize = handshake.expectedLength
-  var ackMsg = newSeqOfCap[byte](1024)
-  ackMsg.setLen(initialSize)
-
-  try:
-    await peer.transport.readExactly(addr ackMsg[0], len(ackMsg))
   except TransportError:
     return err(RlpxHandshakeTransportError)
+  except EthP2PError:
+    return err(RlpxHandshakeError)
   except CatchableError as e:
     raiseAssert($e.name & " " & $e.msg)
 
-  let res = handshake.decodeAckMessage(ackMsg)
-  if res.isErr and res.error == AuthError.IncompleteError:
-    ackMsg.setLen(handshake.expectedLength)
-    try:
-      await peer.transport.readExactly(addr ackMsg[initialSize],
-                                         len(ackMsg) - initialSize)
-    except TransportError:
-      return err(RlpxHandshakeTransportError)
-    except CatchableError as e: # TODO: Only TransportErrors can occur?
-      raiseAssert($e.name & " " & $e.msg)
-
-    # TODO: Bullet 1 of https://github.com/status-im/nim-eth/issues/559
-    let res = handshake.decodeAckMessage(ackMsg)
-    if res.isErr():
-      trace "rlpxConnect handshake error", error = res.error
-      return err(RlpxHandshakeError)
-
-  peer.setSnappySupport(node, handshake)
-  peer.initSecretState(handshake, ^authMsg, ackMsg)
-
   logConnectedPeer peer
 
   # RLPx p2p capability handshake: After the initial handshake, both sides of
   # the connection must send either Hello or a Disconnect message.
   let
     sendHelloFut = peer.hello(
-      handshake.getVersion(),
+      node.baseProtocolVersion(),
       node.clientId,
       node.capabilities,
       uint(node.address.tcpPort),
@@ -1304,6 +1307,8 @@ proc rlpxConnect*(node: EthereumNode, remote: Node):
     trace "Wrong devp2p identity in Hello message"
     return err(InvalidIdentityError)
 
+  peer.setSnappySupport(node, response)
+
   trace "DevP2P handshake completed", peer = remote,
     clientId = response.clientId
 
@@ -1338,56 +1343,17 @@ proc rlpxAccept*(
   initTracing(devp2pInfo, node.protocols)
 
   let peer = Peer(transport: transport, network: node)
-  var handshake = Handshake.init(node.rng[], node.keys, {auth.Responder})
   var ok = false
   try:
-    let initialSize = handshake.expectedLength
+    let (secrets, pubkey) = await node.responderHandshake(transport)
-    var authMsg = newSeqOfCap[byte](1024)
+    initSecretState(secrets, peer.secretsState)
-
-    authMsg.setLen(initialSize)
-    # TODO: Should we not set some timeouts on these `readExactly`s?
-    await transport.readExactly(addr authMsg[0], len(authMsg))
-    var ret = handshake.decodeAuthMessage(authMsg)
-    if ret.isErr and ret.error == AuthError.IncompleteError:
-      # Eip8 auth message is possible, but not likely
-      authMsg.setLen(handshake.expectedLength)
-      await transport.readExactly(addr authMsg[initialSize],
-                                  len(authMsg) - initialSize)
-      ret = handshake.decodeAuthMessage(authMsg)
-
-    if ret.isErr():
-      # It is likely that errors on the handshake Auth is just garbage arriving
-      # on the TCP port as it is the first data on the incoming connection,
-      # hence log them as trace.
-      trace "rlpxAccept handshake error", error = ret.error
-      if not isNil(peer.transport):
-        peer.transport.close()
-
-      rlpx_accept_failure.inc()
-      rlpx_accept_failure.inc(labelValues = ["handshake_error"])
-      return nil
-
-    ret.get()
-
-    peer.setSnappySupport(node, handshake)
-    handshake.version = uint8(peer.baseProtocolVersion)
-
-    var ackMsg: array[AckMessageMaxEIP8, byte]
-    var ackMsgLen: int
-    handshake.ackMessage(node.rng[], ackMsg, ackMsgLen).tryGet()
-    var res = await transport.write(addr ackMsg[0], ackMsgLen)
-    if res != ackMsgLen:
-      raisePeerDisconnected("Unexpected disconnect while authenticating",
-                            TcpError)
-
-    peer.initSecretState(handshake, authMsg, ^ackMsg)
 
     let listenPort = transport.localAddress().port
 
     logAcceptedPeer peer
 
     var sendHelloFut = peer.hello(
-      peer.baseProtocolVersion,
+      node.baseProtocolVersion(),
       node.clientId,
       node.capabilities,
       listenPort.uint,
@@ -1400,14 +1366,15 @@ proc rlpxAccept*(
 
     trace "Received Hello", version=response.version, id=response.clientId
 
-    if not validatePubKeyInHello(response, handshake.remoteHPubkey):
+    if not validatePubKeyInHello(response, pubkey):
-      trace "A Remote nodeId is not its public key" # XXX: Do we care?
+      raise (ref MalformedMessageError)(msg: "Wrong pubkey in hello message")
+
+    peer.setSnappySupport(node, response)
 
     let remote = transport.remoteAddress()
     let address = Address(ip: remote.address, tcpPort: remote.port,
                           udpPort: remote.port)
-    peer.remote = newNode(
+    peer.remote = newNode(ENode(pubkey: pubkey, address: address))
-      ENode(pubkey: handshake.remoteHPubkey, address: address))
 
     trace "devp2p handshake completed", peer = peer.remote,
       clientId = response.clientId

eth/p2p/rlpxcrypt.nim

@@ -61,8 +61,8 @@ proc sxor[T](a: var openArray[T], b: openArray[T]) {.inline.} =
 proc initSecretState*(secrets: ConnectionSecret, context: var SecretState) =
   ## Initialized `context` with values from `secrets`.
 
-  # FIXME: Yes, the encryption is insecure,
+  # This scheme is insecure, see:
-  # see: https://github.com/ethereum/devp2p/issues/32
+  # https://github.com/ethereum/devp2p/issues/32
   # https://github.com/ethereum/py-evm/blob/master/p2p/peer.py#L159-L160
   var iv: array[context.aesenc.sizeBlock, byte]
   context.aesenc.init(secrets.aesKey, iv)
@@ -132,8 +132,8 @@ proc encrypt*(c: var SecretState, header: openArray[byte],
   var frameMac = tmpmac.finish()
   tmpmac.clear()
   # return header_ciphertext + header_mac + frame_ciphertext + frame_mac
-  copyMem(addr output[headerMacPos], addr headerMac.data[0], RlpHeaderLength)
+  copyMem(addr output[headerMacPos], addr headerMac.data[0], RlpMacLength)
-  copyMem(addr output[frameMacPos], addr frameMac.data[0], RlpHeaderLength)
+  copyMem(addr output[frameMacPos], addr frameMac.data[0], RlpMacLength)
   ok()
 
 proc encryptMsg*(msg: openArray[byte], secrets: var SecretState): seq[byte] =
@@ -160,7 +160,7 @@ proc getBodySize*(a: RlpxHeader): int =
   (int(a[0]) shl 16) or (int(a[1]) shl 8) or int(a[2])
 
 proc decryptHeader*(c: var SecretState, data: openArray[byte],
-                    output: var openArray[byte]): RlpxResult[void] =
+                    output: var RlpxHeader): RlpxResult[int] =
   ## Decrypts header `data` using SecretState `c` context and store
   ## result into `output`.
   ##
@@ -190,30 +190,14 @@ proc decryptHeader*(c: var SecretState, data: openArray[byte],
   let headerMacPos = RlpHeaderLength
   if not equalMem(cast[pointer](unsafeAddr data[headerMacPos]),
                   cast[pointer](addr expectMac.data[0]), RlpMacLength):
-    result = err(IncorrectMac)
+    err(IncorrectMac)
   else:
     # return self.aes_dec.update(header_ciphertext)
     c.aesdec.decrypt(toa(data, 0, RlpHeaderLength), output)
-    result = ok()
+    ok(output.getBodySize())
-
-proc decryptHeaderAndGetMsgSize*(c: var SecretState,
-                                 encryptedHeader: openArray[byte],
-                                 outSize: var int,
-                                 outHeader: var RlpxHeader): RlpxResult[void] =
-  result = decryptHeader(c, encryptedHeader, outHeader)
-  if result.isOk():
-    outSize = outHeader.getBodySize
-
-proc decryptHeaderAndGetMsgSize*(c: var SecretState,
-                                 encryptedHeader: openArray[byte],
-                                 outSize: var int): RlpxResult[void] =
-  var decryptedHeader: RlpxHeader
-  result = decryptHeader(c, encryptedHeader, decryptedHeader)
-  if result.isOk():
-    outSize = decryptedHeader.getBodySize
 
 proc decryptBody*(c: var SecretState, data: openArray[byte], bodysize: int,
-                  output: var openArray[byte], outlen: var int): RlpxResult[void] =
+                  output: var openArray[byte]): RlpxResult[void] =
   ## Decrypts body `data` using SecretState `c` context and store
   ## result into `output`.
   ##
@@ -224,7 +208,6 @@ proc decryptBody*(c: var SecretState, data: openArray[byte], bodysize: int,
   var
     tmpmac: keccak256
     aes: array[RlpHeaderLength, byte]
-  outlen = 0
   let rsize = roundup16(bodysize)
   if len(data) < rsize + RlpMacLength:
     return err(IncompleteError)
@@ -245,8 +228,7 @@ proc decryptBody*(c: var SecretState, data: openArray[byte], bodysize: int,
   let bodyMacPos = rsize
   if not equalMem(cast[pointer](unsafeAddr data[bodyMacPos]),
                   cast[pointer](addr expectMac.data[0]), RlpMacLength):
-    result = err(IncorrectMac)
+    err(IncorrectMac)
   else:
     c.aesdec.decrypt(toa(data, 0, rsize), output)
-    outlen = bodysize
+    ok()
-    result = ok()

tests/p2p/test_auth.nim

@@ -14,87 +14,6 @@ import
   nimcrypto/[utils, keccak],
   ../../eth/common/keys, ../../eth/p2p/auth
 
-# This was generated by `print` actual auth message generated by
-# https://github.com/ethereum/py-evm/blob/master/tests/p2p/test_auth.py
-const pyevmAuth = """
-  22034ad2e7545e2b0bf02ecb1e40db478dfbbf7aeecc834aec2523eb2b7e74ee
-  77ba40c70a83bfe9f2ab91f0131546dcf92c3ee8282d9907fee093017fd0302d
-  0034fdb5419558137e0d44cd13d319afe5629eeccb47fd9dfe55cc6089426e46
-  cc762dd8a0636e07a54b31169eba0c7a20a1ac1ef68596f1f283b5c676bae406
-  4abfcce24799d09f67e392632d3ffdc12e3d6430dcb0ea19c318343ffa7aae74
-  d4cd26fecb93657d1cd9e9eaf4f8be720b56dd1d39f190c4e1c6b7ec66f077bb
-  1100"""
-
-# This data comes from https://gist.github.com/fjl/3a78780d17c755d22df2
-const data = [
-  ("initiator_private_key",
-   "5e173f6ac3c669587538e7727cf19b782a4f2fda07c1eaa662c593e5e85e3051"),
-  ("receiver_private_key",
-   "c45f950382d542169ea207959ee0220ec1491755abe405cd7498d6b16adb6df8"),
-  ("initiator_ephemeral_private_key",
-   "19c2185f4f40634926ebed3af09070ca9e029f2edd5fae6253074896205f5f6c"),
-  ("receiver_ephemeral_private_key",
-   "d25688cf0ab10afa1a0e2dba7853ed5f1e5bf1c631757ed4e103b593ff3f5620"),
-  ("auth_plaintext",
-   """884c36f7ae6b406637c1f61b2f57e1d2cab813d24c6559aaf843c3f48962f32f
-      46662c066d39669b7b2e3ba14781477417600e7728399278b1b5d801a519aa57
-      0034fdb5419558137e0d44cd13d319afe5629eeccb47fd9dfe55cc6089426e46
-      cc762dd8a0636e07a54b31169eba0c7a20a1ac1ef68596f1f283b5c676bae406
-      4abfcce24799d09f67e392632d3ffdc12e3d6430dcb0ea19c318343ffa7aae74
-      d4cd26fecb93657d1cd9e9eaf4f8be720b56dd1d39f190c4e1c6b7ec66f077bb
-      1100"""),
-  ("authresp_plaintext",
-   """802b052f8b066640bba94a4fc39d63815c377fced6fcb84d27f791c9921ddf3e
-      9bf0108e298f490812847109cbd778fae393e80323fd643209841a3b7f110397
-      f37ec61d84cea03dcc5e8385db93248584e8af4b4d1c832d8c7453c0089687a7
-      00"""),
-  ("auth_ciphertext",
-   """04a0274c5951e32132e7f088c9bdfdc76c9d91f0dc6078e848f8e3361193dbdc
-      43b94351ea3d89e4ff33ddcefbc80070498824857f499656c4f79bbd97b6c51a
-      514251d69fd1785ef8764bd1d262a883f780964cce6a14ff206daf1206aa073a
-      2d35ce2697ebf3514225bef186631b2fd2316a4b7bcdefec8d75a1025ba2c540
-      4a34e7795e1dd4bc01c6113ece07b0df13b69d3ba654a36e35e69ff9d482d88d
-      2f0228e7d96fe11dccbb465a1831c7d4ad3a026924b182fc2bdfe016a6944312
-      021da5cc459713b13b86a686cf34d6fe6615020e4acf26bf0d5b7579ba813e77
-      23eb95b3cef9942f01a58bd61baee7c9bdd438956b426a4ffe238e61746a8c93
-      d5e10680617c82e48d706ac4953f5e1c4c4f7d013c87d34a06626f498f34576d
-      c017fdd3d581e83cfd26cf125b6d2bda1f1d56"""),
-  ("authresp_ciphertext",
-   """049934a7b2d7f9af8fd9db941d9da281ac9381b5740e1f64f7092f3588d4f87f
-      5ce55191a6653e5e80c1c5dd538169aa123e70dc6ffc5af1827e546c0e958e42
-      dad355bcc1fcb9cdf2cf47ff524d2ad98cbf275e661bf4cf00960e74b5956b79
-      9771334f426df007350b46049adb21a6e78ab1408d5e6ccde6fb5e69f0f4c92b
-      b9c725c02f99fa72b9cdc8dd53cff089e0e73317f61cc5abf6152513cb7d833f
-      09d2851603919bf0fbe44d79a09245c6e8338eb502083dc84b846f2fee1cc310
-      d2cc8b1b9334728f97220bb799376233e113"""),
-  ("ecdhe_shared_secret",
-   "e3f407f83fc012470c26a93fdff534100f2c6f736439ce0ca90e9914f7d1c381"),
-  ("initiator_nonce",
-   "cd26fecb93657d1cd9e9eaf4f8be720b56dd1d39f190c4e1c6b7ec66f077bb11"),
-  ("receiver_nonce",
-   "f37ec61d84cea03dcc5e8385db93248584e8af4b4d1c832d8c7453c0089687a7"),
-  ("aes_secret",
-   "c0458fa97a5230830e05f4f20b7c755c1d4e54b1ce5cf43260bb191eef4e418d"),
-  ("mac_secret",
-   "48c938884d5067a1598272fcddaa4b833cd5e7d92e8228c0ecdfabbe68aef7f1"),
-  ("token",
-   "3f9ec2592d1554852b1f54d228f042ed0a9310ea86d038dc2b401ba8cd7fdac4"),
-  ("initial_egress_MAC",
-   "09771e93b1a6109e97074cbe2d2b0cf3d3878efafe68f53c41bb60c0ec49097e"),
-  ("initial_ingress_MAC",
-   "75823d96e23136c89666ee025fb21a432be906512b3dd4a3049e898adb433847"),
-  ("initiator_hello_packet",
-   """6ef23fcf1cec7312df623f9ae701e63b550cdb8517fefd8dd398fc2acd1d935e
-      6e0434a2b96769078477637347b7b01924fff9ff1c06df2f804df3b0402bbb9f
-      87365b3c6856b45e1e2b6470986813c3816a71bff9d69dd297a5dbd935ab578f
-      6e5d7e93e4506a44f307c332d95e8a4b102585fd8ef9fc9e3e055537a5cec2e9"""),
-  ("receiver_hello_packet",
-   """6ef23fcf1cec7312df623f9ae701e63be36a1cdd1b19179146019984f3625d4a
-      6e0434a2b96769050577657247b7b02bc6c314470eca7e3ef650b98c83e9d7dd
-      4830b3f718ff562349aead2530a8d28a8484604f92e5fced2c6183f304344ab0
-      e7c301a0c05559f4c25db65e36820b4b909a226171a60ac6cb7beea09376d6d8""")
-]
-
 # These test vectors were copied from EIP8 specification
 # https://github.com/ethereum/EIPs/blob/master/EIPS/eip-8.md
 const eip8data = [
@@ -110,17 +29,6 @@ const eip8data = [
    "7e968bba13b6c50e2c4cd7f241cc0d64d1ac25c7f5952df231ac6a2bda8ee5d6"),
   ("receiver_nonce",
    "559aead08264d5795d3909718cdd05abd49572e84fe55590eef31a88a08fdffd"),
-  ("auth_ciphertext_v4",
-   """048ca79ad18e4b0659fab4853fe5bc58eb83992980f4c9cc147d2aa31532efd29
-      a3d3dc6a3d89eaf913150cfc777ce0ce4af2758bf4810235f6e6ceccfee1acc6b
-      22c005e9e3a49d6448610a58e98744ba3ac0399e82692d67c1f58849050b3024e
-      21a52c9d3b01d871ff5f210817912773e610443a9ef142e91cdba0bd77b5fdf07
-      69b05671fc35f83d83e4d3b0b000c6b2a1b1bba89e0fc51bf4e460df3105c444f
-      14be226458940d6061c296350937ffd5e3acaceeaaefd3c6f74be8e23e0f45163
-      cc7ebd76220f0128410fd05250273156d548a414444ae2f7dea4dfca2d43c057a
-      db701a715bf59f6fb66b2d1d20f2c703f851cbf5ac47396d9ca65b6260bd141ac
-      4d53e2de585a73d1750780db4c9ee4cd4d225173a4592ee77e2bd94d0be3691f3
-      b406f9bba9b591fc63facc016bfa8"""),
   ("auth_ciphertext_eip8",
    """01b304ab7578555167be8154d5cc456f567d5ba302662433674222360f08d5f15
       34499d3678b513b0fca474f3a514b18e75683032eb63fccb16c156dc6eb2c0b15
@@ -151,14 +59,6 @@ const eip8data = [
       f37407ac044b55be0908ecb94d4ed172ece66fd31bfdadf2b97a8bc690163ee11
       f5b575a4b44e36e2bfb2f0fce91676fd64c7773bac6a003f481fddd0bae0a1f31
       aa27504e2a533af4cef3b623f4791b2cca6d490"""),
-  ("authack_ciphertext_v4",
-   """049f8abcfa9c0dc65b982e98af921bc0ba6e4243169348a236abe9df5f93aa69d
-      99cadddaa387662b0ff2c08e9006d5a11a278b1b3331e5aaabf0a32f01281b6f4
-      ede0e09a2d5f585b26513cb794d9635a57563921c04a9090b4f14ee42be1a5461
-      049af4ea7a7f49bf4c97a352d39c8d02ee4acc416388c1c66cec761d2bc1c72da
-      6ba143477f049c9d2dde846c252c111b904f630ac98e51609b3b1f58168ddca65
-      05b7196532e5f85b259a20c45e1979491683fee108e9660edbf38f3add489ae73
-      e3dda2c71bd1497113d5c755e942d1"""),
   ("authack_ciphertext_eip8",
    """01ea0451958701280a56482929d3b0757da8f7fbe5286784beead59d95089c217
       c9b917788989470b0e330cc6e4fb383c0340ed85fab836ec9fb8a49672712aeab
@@ -204,12 +104,6 @@ const eip8data = [
 
 let rng = newRng()
 
-proc testValue(s: string): string =
-  for item in data:
-    if item[0] == s:
-      result = item[1]
-      break
-
 proc testE8Value(s: string): string =
   for item in eip8data:
     if item[0] == s:
@@ -217,118 +111,6 @@ proc testE8Value(s: string): string =
       break
 
 suite "Ethereum P2P handshake test suite":
-  block:
-    proc newTestHandshake(flags: set[HandshakeFlag]): Handshake =
-      if Initiator in flags:
-        let pk = PrivateKey.fromHex(testValue("initiator_private_key"))[]
-        result = Handshake.init(rng[], pk.toKeyPair(), flags)
-
-        let epki = testValue("initiator_ephemeral_private_key")
-        result.ephemeral = PrivateKey.fromHex(epki)[].toKeyPair()
-        let nonce = fromHex(stripSpaces(testValue("initiator_nonce")))
-        result.initiatorNonce[0..^1] = nonce[0..^1]
-      elif Responder in flags:
-        let pk = PrivateKey.fromHex(testValue("receiver_private_key"))[]
-        result = Handshake.init(rng[], pk.toKeyPair(), flags)
-        let epkr = testValue("receiver_ephemeral_private_key")
-        result.ephemeral = PrivateKey.fromHex(epkr)[].toKeyPair()
-        let nonce = fromHex(stripSpaces(testValue("receiver_nonce")))
-        result.responderNonce[0..^1] = nonce[0..^1]
-
-    test "Create plain auth message":
-      var initiator = newTestHandshake({Initiator})
-      var responder = newTestHandshake({Responder})
-      var m0 = newSeq[byte](initiator.authSize(false))
-      var k0 = 0
-      initiator.authMessage(
-        rng[], responder.host.pubkey, m0, k0, 0, false).expect("auth success")
-      var expect1 = fromHex(stripSpaces(testValue("auth_plaintext")))
-      var expect2 = fromHex(stripSpaces(pyevmAuth))
-      check:
-        m0[65..^1] == expect1[65..^1]
-        m0[0..^1] == expect2[0..^1]
-
-    test "Auth message decoding":
-      var initiator = newTestHandshake({Initiator})
-      var responder = newTestHandshake({Responder})
-      var m0 = newSeq[byte](initiator.authSize())
-      var k0 = 0
-      let remoteEPubkey0 = initiator.ephemeral.pubkey
-      let remoteHPubkey0 = initiator.host.pubkey
-
-      initiator.authMessage(
-        rng[], responder.host.pubkey, m0, k0).expect("auth success")
-      responder.decodeAuthMessage(m0).expect("decode success")
-      check:
-        responder.initiatorNonce[0..^1] == initiator.initiatorNonce[0..^1]
-        responder.remoteEPubkey == remoteEPubkey0
-        responder.remoteHPubkey == remoteHPubkey0
-
-    test "ACK message expectation":
-      var initiator = newTestHandshake({Initiator})
-      var responder = newTestHandshake({Responder})
-      var m0 = newSeq[byte](initiator.authSize())
-      var m1 = newSeq[byte](responder.ackSize(false))
-      var k0 = 0
-      var k1 = 0
-      var expect0 = fromHex(stripSpaces(testValue("authresp_plaintext")))
-      initiator.authMessage(
-        rng[], responder.host.pubkey, m0, k0).expect("auth success")
-      responder.decodeAuthMessage(m0).expect("decode success")
-      responder.ackMessage(rng[], m1, k1, 0, false).expect("ack success")
-      check:
-        m1 == expect0
-        responder.initiatorNonce == initiator.initiatorNonce
-
-    test "ACK message decoding":
-      var initiator = newTestHandshake({Initiator})
-      var responder = newTestHandshake({Responder})
-      var m0 = newSeq[byte](initiator.authSize())
-      var m1 = newSeq[byte](responder.ackSize())
-      var k0 = 0
-      var k1 = 0
-
-      initiator.authMessage(
-        rng[], responder.host.pubkey, m0, k0).expect("auth success")
-      responder.decodeAuthMessage(m0).expect("decode success")
-      responder.ackMessage(rng[], m1, k1).expect("ack success")
-      initiator.decodeAckMessage(m1).expect("decode success")
-      let remoteEPubkey0 = responder.ephemeral.pubkey
-      let remoteHPubkey0 = responder.host.pubkey
-      check:
-        initiator.remoteEPubkey == remoteEPubkey0
-        initiator.remoteHPubkey == remoteHPubkey0
-        initiator.responderNonce == responder.responderNonce
-
-    test "Check derived secrets":
-      var initiator = newTestHandshake({Initiator})
-      var responder = newTestHandshake({Responder})
-      var authm = fromHex(stripSpaces(testValue("auth_ciphertext")))
-      var ackm = fromHex(stripSpaces(testValue("authresp_ciphertext")))
-      var taes = fromHex(stripSpaces(testValue("aes_secret")))
-      var tmac = fromHex(stripSpaces(testValue("mac_secret")))
-      var temac = fromHex(stripSpaces(testValue("initial_egress_MAC")))
-      var timac = fromHex(stripSpaces(testValue("initial_ingress_MAC")))
-
-      responder.decodeAuthMessage(authm).expect("decode success")
-      initiator.decodeAckMessage(ackm).expect("ack success")
-      var csecInitiator = initiator.getSecrets(authm, ackm)
-      var csecResponder = responder.getSecrets(authm, ackm)
-      check:
-        csecInitiator.aesKey == csecResponder.aesKey
-        csecInitiator.macKey == csecResponder.macKey
-        taes[0..^1] == csecInitiator.aesKey[0..^1]
-        tmac[0..^1] == csecInitiator.macKey[0..^1]
-      let iemac = csecInitiator.egressMac.finish()
-      let iimac = csecInitiator.ingressMac.finish()
-      let remac = csecResponder.egressMac.finish()
-      let rimac = csecResponder.ingressMac.finish()
-      check:
-        iemac.data[0..^1] == temac[0..^1]
-        iimac.data[0..^1] == timac[0..^1]
-        remac.data[0..^1] == timac[0..^1]
-        rimac.data[0..^1] == temac[0..^1]
-
   block:
     proc newTestHandshake(flags: set[HandshakeFlag]): Handshake =
       if Initiator in flags:
@@ -348,25 +130,6 @@ suite "Ethereum P2P handshake test suite":
         let nonce = fromHex(stripSpaces(testE8Value("receiver_nonce")))
         result.responderNonce[0..^1] = nonce[0..^1]
 
-    test "AUTH/ACK v4 test vectors": # auth/ack v4
-      var initiator = newTestHandshake({Initiator})
-      var responder = newTestHandshake({Responder})
-      var m0 = fromHex(stripSpaces(testE8Value("auth_ciphertext_v4")))
-      responder.decodeAuthMessage(m0).expect("decode success")
-      check:
-        responder.initiatorNonce[0..^1] == initiator.initiatorNonce[0..^1]
-      let remoteEPubkey0 = initiator.ephemeral.pubkey
-      let remoteHPubkey0 = initiator.host.pubkey
-      check:
-        responder.remoteEPubkey == remoteEPubkey0
-        responder.remoteHPubkey == remoteHPubkey0
-      var m1 = fromHex(stripSpaces(testE8Value("authack_ciphertext_v4")))
-      initiator.decodeAckMessage(m1).expect("decode success")
-      let remoteEPubkey1 = responder.ephemeral.pubkey
-      check:
-        initiator.remoteEPubkey == remoteEPubkey1
-        initiator.responderNonce[0..^1] == responder.responderNonce[0..^1]
-
     test "AUTH/ACK EIP-8 test vectors":
       var initiator = newTestHandshake({Initiator})
       var responder = newTestHandshake({Responder})
@@ -390,8 +153,6 @@ suite "Ethereum P2P handshake test suite":
       var csecInitiator = initiator.getSecrets(m0, m1)
       var csecResponder = responder.getSecrets(m0, m1)
       check:
-        int(initiator.version) == 4
-        int(responder.version) == 4
         csecInitiator.aesKey == csecResponder.aesKey
         csecInitiator.macKey == csecResponder.macKey
         taes[0..^1] == csecInitiator.aesKey[0..^1]
@@ -418,25 +179,21 @@ suite "Ethereum P2P handshake test suite":
       initiator.decodeAckMessage(m1).expect("decode success")
       let remoteEPubkey1 = responder.ephemeral.pubkey
       check:
-        int(initiator.version) == 57
-        int(responder.version) == 56
         initiator.remoteEPubkey == remoteEPubkey1
         initiator.responderNonce[0..^1] == responder.responderNonce[0..^1]
 
     test "100 AUTH/ACK EIP-8 handshakes":
       for i in 1..100:
-        var initiator = newTestHandshake({Initiator, EIP8})
+        var initiator = newTestHandshake({Initiator})
         var responder = newTestHandshake({Responder})
-        var m0 = newSeq[byte](initiator.authSize())
+        var m0 = newSeq[byte](AuthMessageMaxEIP8)
-        var k0 = 0
+        let k0 = initiator.authMessage(
-        var k1 = 0
+          rng[], responder.host.pubkey, m0).expect("auth success")
-        initiator.authMessage(
-          rng[], responder.host.pubkey, m0, k0).expect("auth success")
         m0.setLen(k0)
         responder.decodeAuthMessage(m0).expect("decode success")
-        check (EIP8 in responder.flags) == true
+
-        var m1 = newSeq[byte](responder.ackSize())
+        var m1 = newSeq[byte](AckMessageMaxEIP8)
-        responder.ackMessage(rng[], m1, k1).expect("ack success")
+        let k1 = responder.ackMessage(rng[], m1).expect("ack success")
         m1.setLen(k1)
         initiator.decodeAckMessage(m1).expect("decode success")
         var csecInitiator = initiator.getSecrets(m0, m1)
@@ -449,15 +206,13 @@ suite "Ethereum P2P handshake test suite":
       for i in 1..100:
         var initiator = newTestHandshake({Initiator})
         var responder = newTestHandshake({Responder})
-        var m0 = newSeq[byte](initiator.authSize())
+        var m0 = newSeq[byte](AuthMessageMaxEIP8)
-        var k0 = 0
+        let k0 = initiator.authMessage(
-        var k1 = 0
+          rng[], responder.host.pubkey, m0).expect("auth success")
-        initiator.authMessage(
-          rng[], responder.host.pubkey, m0, k0).expect("auth success")
         m0.setLen(k0)
         responder.decodeAuthMessage(m0).expect("auth success")
-        var m1 = newSeq[byte](responder.ackSize())
+        var m1 = newSeq[byte](AckMessageMaxEIP8)
-        responder.ackMessage(rng[], m1, k1).expect("ack success")
+        let k1 = responder.ackMessage(rng[], m1).expect("ack success")
         m1.setLen(k1)
         initiator.decodeAckMessage(m1).expect("ack success")
 
@@ -507,10 +262,10 @@ suite "Ethereum P2P handshake test suite":
         res.error == AuthError.IncompleteError
 
     test "Invalid AckMessage - Minimum input size":
-      var initiator = newTestHandshake({Initiator, EIP8})
+      var initiator = newTestHandshake({Initiator,})
 
       # 1 byte short on minimum size
-      let m = newSeq[byte](AckMessageV4Length - 1)
+      let m = newSeq[byte](AckMessageEIP8Length - 1)
 
       let res = initiator.decodeAckMessage(m)
       check:
@@ -518,7 +273,7 @@ suite "Ethereum P2P handshake test suite":
         res.error == AuthError.IncompleteError
 
     test "Invalid AckMessage - Minimum size prefix":
-      var initiator = newTestHandshake({Initiator, EIP8})
+      var initiator = newTestHandshake({Initiator})
 
       # Minimum size for EIP8 AckMessage
       var m = newSeq[byte](AckMessageEIP8Length)
@@ -532,7 +287,7 @@ suite "Ethereum P2P handshake test suite":
         res.error == AuthError.IncompleteError
 
     test "Invalid AckMessage - Size prefix bigger than input":
-      var initiator = newTestHandshake({Initiator, EIP8})
+      var initiator = newTestHandshake({Initiator})
 
       # Minimum size for EIP8 AckMessage
       var m = newSeq[byte](AckMessageEIP8Length)

tests/p2p/test_crypt.nim

@@ -11,176 +11,147 @@
 
 import
   unittest2,
-  nimcrypto/[utils, sysrand],
+  nimcrypto/[utils, keccak, sysrand],
   ../../eth/common/keys, ../../eth/p2p/[auth, rlpxcrypt]
 
-const data = [
+# EIP-8 test case
-  ("initiator_private_key",
+# https://github.com/ethereum/EIPs/blob/master/EIPS/eip-8.md#rlpx-handshake
-   "5e173f6ac3c669587538e7727cf19b782a4f2fda07c1eaa662c593e5e85e3051"),
+
-  ("receiver_private_key",
+const
-   "c45f950382d542169ea207959ee0220ec1491755abe405cd7498d6b16adb6df8"),
+  staticKeyA = fromHex("49a7b37aa6f6645917e7b807e9d1c00d4fa71f18343b0d4122a4d2df64dd6fee")
-  ("initiator_ephemeral_private_key",
+  staticKeyB = fromHex("b71c71a67e1177ad4e901695e1b4b9ee17ae16c6668d313eac2f96dbcda3f291")
-   "19c2185f4f40634926ebed3af09070ca9e029f2edd5fae6253074896205f5f6c"),
+  ephemeralKeyA = fromHex("869d6ecf5211f1cc60418a13b9d870b22959d0c16f02bec714c960dd2298a32d")
-  ("receiver_ephemeral_private_key",
+  ephemeralKeyB = fromHex("e238eb8e04fee6511ab04c6dd3c89ce097b11f25d584863ac2b6d5b35b1847e4")
-   "d25688cf0ab10afa1a0e2dba7853ed5f1e5bf1c631757ed4e103b593ff3f5620"),
+  nonceA = fromHex("7e968bba13b6c50e2c4cd7f241cc0d64d1ac25c7f5952df231ac6a2bda8ee5d6")
-  ("auth_plaintext",
+  nonceB = fromHex("559aead08264d5795d3909718cdd05abd49572e84fe55590eef31a88a08fdffd")
-   """884c36f7ae6b406637c1f61b2f57e1d2cab813d24c6559aaf843c3f48962f32f
+
-      46662c066d39669b7b2e3ba14781477417600e7728399278b1b5d801a519aa57
+  auth1 = fromHex(stripSpaces("""
-      0034fdb5419558137e0d44cd13d319afe5629eeccb47fd9dfe55cc6089426e46
+    048ca79ad18e4b0659fab4853fe5bc58eb83992980f4c9cc147d2aa31532efd29a3d3dc6a3d89eaf
-      cc762dd8a0636e07a54b31169eba0c7a20a1ac1ef68596f1f283b5c676bae406
+    913150cfc777ce0ce4af2758bf4810235f6e6ceccfee1acc6b22c005e9e3a49d6448610a58e98744
-      4abfcce24799d09f67e392632d3ffdc12e3d6430dcb0ea19c318343ffa7aae74
+    ba3ac0399e82692d67c1f58849050b3024e21a52c9d3b01d871ff5f210817912773e610443a9ef14
-      d4cd26fecb93657d1cd9e9eaf4f8be720b56dd1d39f190c4e1c6b7ec66f077bb
+    2e91cdba0bd77b5fdf0769b05671fc35f83d83e4d3b0b000c6b2a1b1bba89e0fc51bf4e460df3105
-      1100"""),
+    c444f14be226458940d6061c296350937ffd5e3acaceeaaefd3c6f74be8e23e0f45163cc7ebd7622
-  ("authresp_plaintext",
+    0f0128410fd05250273156d548a414444ae2f7dea4dfca2d43c057adb701a715bf59f6fb66b2d1d2
-   """802b052f8b066640bba94a4fc39d63815c377fced6fcb84d27f791c9921ddf3e
+    0f2c703f851cbf5ac47396d9ca65b6260bd141ac4d53e2de585a73d1750780db4c9ee4cd4d225173
-      9bf0108e298f490812847109cbd778fae393e80323fd643209841a3b7f110397
+    a4592ee77e2bd94d0be3691f3b406f9bba9b591fc63facc016bfa8"""))
-      f37ec61d84cea03dcc5e8385db93248584e8af4b4d1c832d8c7453c0089687a7
+  auth2 = fromHex(stripSpaces("""
-      00"""),
+    01b304ab7578555167be8154d5cc456f567d5ba302662433674222360f08d5f1534499d3678b513b
-  ("auth_ciphertext",
+    0fca474f3a514b18e75683032eb63fccb16c156dc6eb2c0b1593f0d84ac74f6e475f1b8d56116b84
-   """04a0274c5951e32132e7f088c9bdfdc76c9d91f0dc6078e848f8e3361193dbdc
+    9634a8c458705bf83a626ea0384d4d7341aae591fae42ce6bd5c850bfe0b999a694a49bbbaf3ef6c
-      43b94351ea3d89e4ff33ddcefbc80070498824857f499656c4f79bbd97b6c51a
+    da61110601d3b4c02ab6c30437257a6e0117792631a4b47c1d52fc0f8f89caadeb7d02770bf999cc
-      514251d69fd1785ef8764bd1d262a883f780964cce6a14ff206daf1206aa073a
+    147d2df3b62e1ffb2c9d8c125a3984865356266bca11ce7d3a688663a51d82defaa8aad69da39ab6
-      2d35ce2697ebf3514225bef186631b2fd2316a4b7bcdefec8d75a1025ba2c540
+    d5470e81ec5f2a7a47fb865ff7cca21516f9299a07b1bc63ba56c7a1a892112841ca44b6e0034dee
-      4a34e7795e1dd4bc01c6113ece07b0df13b69d3ba654a36e35e69ff9d482d88d
+    70c9adabc15d76a54f443593fafdc3b27af8059703f88928e199cb122362a4b35f62386da7caad09
-      2f0228e7d96fe11dccbb465a1831c7d4ad3a026924b182fc2bdfe016a6944312
+    c001edaeb5f8a06d2b26fb6cb93c52a9fca51853b68193916982358fe1e5369e249875bb8d0d0ec3
-      021da5cc459713b13b86a686cf34d6fe6615020e4acf26bf0d5b7579ba813e77
+    6f917bc5e1eafd5896d46bd61ff23f1a863a8a8dcd54c7b109b771c8e61ec9c8908c733c0263440e
-      23eb95b3cef9942f01a58bd61baee7c9bdd438956b426a4ffe238e61746a8c93
+    2aa067241aaa433f0bb053c7b31a838504b148f570c0ad62837129e547678c5190341e4f1693956c
-      d5e10680617c82e48d706ac4953f5e1c4c4f7d013c87d34a06626f498f34576d
+    3bf7678318e2d5b5340c9e488eefea198576344afbdf66db5f51204a6961a63ce072c8926c"""))
-      c017fdd3d581e83cfd26cf125b6d2bda1f1d56"""),
+  auth3 = fromHex(stripSpaces("""
-  ("authresp_ciphertext",
+    01b8044c6c312173685d1edd268aa95e1d495474c6959bcdd10067ba4c9013df9e40ff45f5bfd6f7
-   """049934a7b2d7f9af8fd9db941d9da281ac9381b5740e1f64f7092f3588d4f87f
+    2471f93a91b493f8e00abc4b80f682973de715d77ba3a005a242eb859f9a211d93a347fa64b597bf
-      5ce55191a6653e5e80c1c5dd538169aa123e70dc6ffc5af1827e546c0e958e42
+    280a6b88e26299cf263b01b8dfdb712278464fd1c25840b995e84d367d743f66c0e54a586725b7bb
-      dad355bcc1fcb9cdf2cf47ff524d2ad98cbf275e661bf4cf00960e74b5956b79
+    f12acca27170ae3283c1073adda4b6d79f27656993aefccf16e0d0409fe07db2dc398a1b7e8ee93b
-      9771334f426df007350b46049adb21a6e78ab1408d5e6ccde6fb5e69f0f4c92b
+    cd181485fd332f381d6a050fba4c7641a5112ac1b0b61168d20f01b479e19adf7fdbfa0905f63352
-      b9c725c02f99fa72b9cdc8dd53cff089e0e73317f61cc5abf6152513cb7d833f
+    bfc7e23cf3357657455119d879c78d3cf8c8c06375f3f7d4861aa02a122467e069acaf513025ff19
-      09d2851603919bf0fbe44d79a09245c6e8338eb502083dc84b846f2fee1cc310
+    6641f6d2810ce493f51bee9c966b15c5043505350392b57645385a18c78f14669cc4d960446c1757
-      d2cc8b1b9334728f97220bb799376233e113"""),
+    1b7c5d725021babbcd786957f3d17089c084907bda22c2b2675b4378b114c601d858802a55345a15
-  ("ecdhe_shared_secret",
+    116bc61da4193996187ed70d16730e9ae6b3bb8787ebcaea1871d850997ddc08b4f4ea668fbf3740
-   "e3f407f83fc012470c26a93fdff534100f2c6f736439ce0ca90e9914f7d1c381"),
+    7ac044b55be0908ecb94d4ed172ece66fd31bfdadf2b97a8bc690163ee11f5b575a4b44e36e2bfb2
-  ("initiator_nonce",
+    f0fce91676fd64c7773bac6a003f481fddd0bae0a1f31aa27504e2a533af4cef3b623f4791b2cca6
-   "cd26fecb93657d1cd9e9eaf4f8be720b56dd1d39f190c4e1c6b7ec66f077bb11"),
+    d490"""))
-  ("receiver_nonce",
+  ack1 = fromHex(stripSpaces("""
-   "f37ec61d84cea03dcc5e8385db93248584e8af4b4d1c832d8c7453c0089687a7"),
+    049f8abcfa9c0dc65b982e98af921bc0ba6e4243169348a236abe9df5f93aa69d99cadddaa387662
-  ("aes_secret",
+    b0ff2c08e9006d5a11a278b1b3331e5aaabf0a32f01281b6f4ede0e09a2d5f585b26513cb794d963
-   "c0458fa97a5230830e05f4f20b7c755c1d4e54b1ce5cf43260bb191eef4e418d"),
+    5a57563921c04a9090b4f14ee42be1a5461049af4ea7a7f49bf4c97a352d39c8d02ee4acc416388c
-  ("mac_secret",
+    1c66cec761d2bc1c72da6ba143477f049c9d2dde846c252c111b904f630ac98e51609b3b1f58168d
-   "48c938884d5067a1598272fcddaa4b833cd5e7d92e8228c0ecdfabbe68aef7f1"),
+    dca6505b7196532e5f85b259a20c45e1979491683fee108e9660edbf38f3add489ae73e3dda2c71b
-  ("token",
+    d1497113d5c755e942d1"""))
-   "3f9ec2592d1554852b1f54d228f042ed0a9310ea86d038dc2b401ba8cd7fdac4"),
+  ack2 = fromHex(stripSpaces("""
-  ("initial_egress_MAC",
+    01ea0451958701280a56482929d3b0757da8f7fbe5286784beead59d95089c217c9b917788989470
-   "09771e93b1a6109e97074cbe2d2b0cf3d3878efafe68f53c41bb60c0ec49097e"),
+    b0e330cc6e4fb383c0340ed85fab836ec9fb8a49672712aeabbdfd1e837c1ff4cace34311cd7f4de
-  ("initial_ingress_MAC",
+    05d59279e3524ab26ef753a0095637ac88f2b499b9914b5f64e143eae548a1066e14cd2f4bd7f814
-   "75823d96e23136c89666ee025fb21a432be906512b3dd4a3049e898adb433847"),
+    c4652f11b254f8a2d0191e2f5546fae6055694aed14d906df79ad3b407d94692694e259191cde171
-  ("initiator_hello_packet",
+    ad542fc588fa2b7333313d82a9f887332f1dfc36cea03f831cb9a23fea05b33deb999e85489e645f
-   """6ef23fcf1cec7312df623f9ae701e63b550cdb8517fefd8dd398fc2acd1d935e
+    6aab1872475d488d7bd6c7c120caf28dbfc5d6833888155ed69d34dbdc39c1f299be1057810f34fb
-      6e0434a2b96769078477637347b7b01924fff9ff1c06df2f804df3b0402bbb9f
+    e754d021bfca14dc989753d61c413d261934e1a9c67ee060a25eefb54e81a4d14baff922180c395d
-      87365b3c6856b45e1e2b6470986813c3816a71bff9d69dd297a5dbd935ab578f
+    3f998d70f46f6b58306f969627ae364497e73fc27f6d17ae45a413d322cb8814276be6ddd13b885b
-      6e5d7e93e4506a44f307c332d95e8a4b102585fd8ef9fc9e3e055537a5cec2e9"""),
+    201b943213656cde498fa0e9ddc8e0b8f8a53824fbd82254f3e2c17e8eaea009c38b4aa0a3f306e8
-  ("receiver_hello_packet",
+    797db43c25d68e86f262e564086f59a2fc60511c42abfb3057c247a8a8fe4fb3ccbadde17514b7ac
-   """6ef23fcf1cec7312df623f9ae701e63be36a1cdd1b19179146019984f3625d4a
+    8000cdb6a912778426260c47f38919a91f25f4b5ffb455d6aaaf150f7e5529c100ce62d6d92826a7
-      6e0434a2b96769050577657247b7b02bc6c314470eca7e3ef650b98c83e9d7dd
+    1778d809bdf60232ae21ce8a437eca8223f45ac37f6487452ce626f549b3b5fdee26afd2072e4bc7
-      4830b3f718ff562349aead2530a8d28a8484604f92e5fced2c6183f304344ab0
+    5833c2464c805246155289f4"""))
-      e7c301a0c05559f4c25db65e36820b4b909a226171a60ac6cb7beea09376d6d8""")
+  ack3 = fromHex(stripSpaces("""
-]
+    01f004076e58aae772bb101ab1a8e64e01ee96e64857ce82b1113817c6cdd52c09d26f7b90981cd7
+    ae835aeac72e1573b8a0225dd56d157a010846d888dac7464baf53f2ad4e3d584531fa203658fab0
+    3a06c9fd5e35737e417bc28c1cbf5e5dfc666de7090f69c3b29754725f84f75382891c561040ea1d
+    dc0d8f381ed1b9d0d4ad2a0ec021421d847820d6fa0ba66eaf58175f1b235e851c7e2124069fbc20
+    2888ddb3ac4d56bcbd1b9b7eab59e78f2e2d400905050f4a92dec1c4bdf797b3fc9b2f8e84a482f3
+    d800386186712dae00d5c386ec9387a5e9c9a1aca5a573ca91082c7d68421f388e79127a5177d4f8
+    590237364fd348c9611fa39f78dcdceee3f390f07991b7b47e1daa3ebcb6ccc9607811cb17ce51f1
+    c8c2c5098dbdd28fca547b3f58c01a424ac05f869f49c6a34672ea2cbbc558428aa1fe48bbfd6115
+    8b1b735a65d99f21e70dbc020bfdface9f724a0d1fb5895db971cc81aa7608baa0920abb0a565c9c
+    436e2fd13323428296c86385f2384e408a31e104670df0791d93e743a3a5194ee6b076fb6323ca59
+    3011b7348c16cf58f66b9633906ba54a2ee803187344b394f75dd2e663a57b956cb830dd7a908d4f
+    39a2336a61ef9fda549180d4ccde21514d117b6c6fd07a9102b5efe710a32af4eeacae2cb3b1dec0
+    35b9593b48b9d3ca4c13d245d5f04169b0b1"""))
+
+  aesSecret2 = fromHex("80e8632c05fed6fc2a13b0f8d31a3cf645366239170ea067065aba8e28bac487")
+  macSecret2 = fromHex("2ea74ec5dae199227dff1af715362700e989d889d7a493cb0639691efb8e5f98")
 
 let rng = newRng()
 
-proc testValue(s: string): string =
-  for item in data:
-    if item[0] == s:
-      result = item[1]
-      break
-
 suite "Ethereum RLPx encryption/decryption test suite":
   proc newTestHandshake(flags: set[HandshakeFlag]): Handshake =
     if Initiator in flags:
-      let pk = PrivateKey.fromHex(testValue("initiator_private_key"))[]
+      let pk = PrivateKey.fromRaw(staticKeyA)[]
       result = Handshake.init(rng[], pk.toKeyPair(), flags)
-      let epki = testValue("initiator_ephemeral_private_key")
+      result.ephemeral = PrivateKey.fromRaw(ephemeralKeyA)[].toKeyPair()
-      result.ephemeral = PrivateKey.fromHex(epki)[].toKeyPair()
+      result.initiatorNonce[0..^1] = nonceA
-      let nonce = fromHex(stripSpaces(testValue("initiator_nonce")))
-      result.initiatorNonce[0..^1] = nonce[0..^1]
     elif Responder in flags:
-      let pk = PrivateKey.fromHex(testValue("receiver_private_key"))[]
+      let pk = PrivateKey.fromRaw(staticKeyB)[]
       result = Handshake.init(rng[], pk.toKeyPair(), flags)
-      let epkr = testValue("receiver_ephemeral_private_key")
+      result.ephemeral = PrivateKey.fromRaw(ephemeralKeyB)[].toKeyPair()
-      result.ephemeral = PrivateKey.fromHex(epkr)[].toKeyPair()
+      result.responderNonce[0..^1] = nonceB
-      let nonce = fromHex(stripSpaces(testValue("receiver_nonce")))
-      result.responderNonce[0..^1] = nonce[0..^1]
 
-  test "Encrypt/Decrypt Hello packet test vectors":
+  test "Fail on pre-EIP8 messages":
     var initiator = newTestHandshake({Initiator})
     var responder = newTestHandshake({Responder})
-    var authm = fromHex(stripSpaces(testValue("auth_ciphertext")))
+    check: responder.decodeAuthMessage(auth1).isErr()
-    var ackm = fromHex(stripSpaces(testValue("authresp_ciphertext")))
+    check: initiator.decodeAckMessage(ack1).isErr()
-    var stateInitiator0, stateInitiator1: SecretState
-    var stateResponder0, stateResponder1: SecretState
-    responder.decodeAuthMessage(authm).expect("success")
-    initiator.decodeAckMessage(ackm).expect("success")
 
-    var csecInitiator = initiator.getSecrets(authm, ackm)
+  test "Correct shared EIP-8 secret":
-    var csecResponder = responder.getSecrets(authm, ackm)
+    var initiator = newTestHandshake({Initiator})
-    initSecretState(csecInitiator, stateInitiator0)
+    var responder = newTestHandshake({Responder})
-    initSecretState(csecResponder, stateResponder0)
+
-    initSecretState(csecInitiator, stateInitiator1)
+    check: responder.decodeAuthMessage(auth2).isOk()
-    initSecretState(csecResponder, stateResponder1)
+    check: initiator.decodeAckMessage(ack2).isOk()
-    var packet0 = testValue("initiator_hello_packet")
+
-    var initiatorHello = fromHex(stripSpaces(packet0))
+    var csecResponder = responder.getSecrets(auth2, ack2)
-    var packet1 = testValue("receiver_hello_packet")
-    var responderHello = fromHex(stripSpaces(packet1))
-    var header: array[RlpHeaderLength, byte]
 
-    block:
-      check stateResponder0.decryptHeader(toOpenArray(initiatorHello, 0, 31),
-                                          header).isOk()
-      let bodysize = getBodySize(header)
-      check bodysize == 79
-      # we need body size to be rounded to 16 bytes boundary to properly
-      # encrypt/decrypt it.
-      var body = newSeq[byte](decryptedLength(bodysize))
-      var decrsize = 0
     check:
-        stateResponder0.decryptBody(
+      csecResponder.aesKey == aesSecret2
-          toOpenArray(initiatorHello, 32, len(initiatorHello) - 1),
+      csecResponder.macKey == macSecret2
-          getBodySize(header), body, decrsize).isOk()
+    var tmpMac = csecResponder.ingressMac
-        decrsize == 79
+    tmpMac.update("foo".toOpenArrayByte(0, 2))
-      body.setLen(decrsize)
-      var hello = newSeq[byte](encryptedLength(bodysize))
     check:
-        stateInitiator1.encrypt(header, body, hello).isOk()
+      tmpMac.finish().data == fromHex("0c7ec6340062cc46f5e9f1e3cf86f8c8c403c5a0964f5df0ebd34a75ddc86db5")
-        hello == initiatorHello
+
-    block:
+  test "Can parse auth/ack with extra bytes":
-      check stateInitiator0.decryptHeader(toOpenArray(responderHello, 0, 31),
+    var initiator = newTestHandshake({Initiator})
-                                          header).isOk()
+    var responder = newTestHandshake({Responder})
-      let bodysize = getBodySize(header)
+    check: responder.decodeAuthMessage(auth3).isOk()
-      check bodysize == 79
+    check: initiator.decodeAckMessage(ack3).isOk()
-      # we need body size to be rounded to 16 bytes boundary to properly
-      # encrypt/decrypt it.
-      var body = newSeq[byte](decryptedLength(bodysize))
-      var decrsize = 0
-      check:
-        stateInitiator0.decryptBody(
-          toOpenArray(responderHello, 32, len(initiatorHello) - 1),
-          getBodySize(header), body, decrsize).isOk()
-        decrsize == 79
-      body.setLen(decrsize)
-      var hello = newSeq[byte](encryptedLength(bodysize))
-      check:
-        stateResponder1.encrypt(header, body, hello).isOk()
-        hello == responderHello
 
   test "Continuous stream of different lengths (1000 times)":
     var initiator = newTestHandshake({Initiator})
     var responder = newTestHandshake({Responder})
-    var m0 = newSeq[byte](initiator.authSize())
+    var m0 = newSeq[byte](AuthMessageMaxEIP8)
-    var k0 = 0
+    let k0 = initiator.authMessage(rng[], responder.host.pubkey,
-    var k1 = 0
+                                m0).expect("correct buf size")
-    check initiator.authMessage(rng[], responder.host.pubkey,
-                                m0, k0).isOk
     m0.setLen(k0)
     check responder.decodeAuthMessage(m0).isOk
-    var m1 = newSeq[byte](responder.ackSize())
+    var m1 = newSeq[byte](AckMessageMaxEIP8)
-    check responder.ackMessage(rng[], m1, k1).isOk
+    let k1 = responder.ackMessage(rng[], m1).expect("correct buf size")
     m1.setLen(k1)
     check initiator.decodeAckMessage(m1).isOk
 
@@ -210,13 +181,11 @@ suite "Ethereum RLPx encryption/decryption test suite":
         var length = getBodySize(rheader)
         check length == len(ibody)
         var rbody = newSeq[byte](decryptedLength(length))
-        var decrsize = 0
         check:
           stateResponder.decryptBody(
             toOpenArray(encrypted, 32, len(encrypted) - 1),
-            length, rbody, decrsize).isOk()
+            length, rbody).isOk()
-          decrsize == length
+        rbody.setLen(length)
-        rbody.setLen(decrsize)
         check:
           iheader == rheader
           ibody == rbody
@@ -238,12 +207,10 @@ suite "Ethereum RLPx encryption/decryption test suite":
         var length = getBodySize(rheader)
         check length == len(ibody)
         var rbody = newSeq[byte](decryptedLength(length))
-        var decrsize = 0
         check:
           stateInitiator.decryptBody(
             toOpenArray(encrypted, 32, len(encrypted) - 1),
-            length, rbody, decrsize).isOk()
+            length, rbody).isOk()
-          decrsize == length
         rbody.setLen(length)
         check:
           iheader == rheader