@@ -1190,8 +1190,8 @@ bool V2Transport::ProcessReceivedGarbageBytes() noexcept
11901190 if (m_recv_buffer.size () >= BIP324Cipher::GARBAGE_TERMINATOR_LEN) {
11911191 if (MakeByteSpan (m_recv_buffer).last (BIP324Cipher::GARBAGE_TERMINATOR_LEN) == m_cipher.GetReceiveGarbageTerminator ()) {
11921192 // Garbage terminator received. Store garbage to authenticate it as AAD later.
1193- m_recv_garbage = std::move (m_recv_buffer);
1194- m_recv_garbage .resize (m_recv_garbage .size () - BIP324Cipher::GARBAGE_TERMINATOR_LEN);
1193+ m_recv_aad = std::move (m_recv_buffer);
1194+ m_recv_aad .resize (m_recv_aad .size () - BIP324Cipher::GARBAGE_TERMINATOR_LEN);
11951195 m_recv_buffer.clear ();
11961196 SetReceiveState (RecvState::VERSION);
11971197 } else if (m_recv_buffer.size () == MAX_GARBAGE_LEN + BIP324Cipher::GARBAGE_TERMINATOR_LEN) {
@@ -1235,43 +1235,37 @@ bool V2Transport::ProcessReceivedPacketBytes() noexcept
12351235 // as GetMaxBytesToProcess only allows up to LENGTH_LEN into the buffer before that point.
12361236 m_recv_decode_buffer.resize (m_recv_len);
12371237 bool ignore{false };
1238- Span<const std::byte> aad;
1239- if (m_recv_state == RecvState::VERSION) aad = MakeByteSpan (m_recv_garbage);
12401238 bool ret = m_cipher.Decrypt (
12411239 /* input=*/ MakeByteSpan (m_recv_buffer).subspan (BIP324Cipher::LENGTH_LEN),
1242- /* aad=*/ aad ,
1240+ /* aad=*/ MakeByteSpan (m_recv_aad) ,
12431241 /* ignore=*/
12441242 /* contents=*/ MakeWritableByteSpan (m_recv_decode_buffer));
12451243 if (!ret) {
12461244 LogPrint (BCLog::NET, " V2 transport error: packet decryption failure (%u bytes), peer=%d\n "
12471245 return false ;
12481246 }
1247+ // We have decrypted a valid packet with the AAD we expected, so clear the expected AAD.
1248+ ClearShrink (m_recv_aad);
12491249 // Feed the last 4 bytes of the Poly1305 authentication tag (and its timing) into our RNG.
12501250 RandAddEvent (ReadLE32 (m_recv_buffer.data () + m_recv_buffer.size () - 4 ));
12511251
1252- // At this point we have a valid packet decrypted into m_recv_decode_buffer. Depending on
1253- // the current state, decide what to do with it.
1254- switch (m_recv_state ) {
1255- case RecvState::VERSION:
1256- if (!ignore) {
1252+ // At this point we have a valid packet decrypted into m_recv_decode_buffer. If it's not a
1253+ // decoy, which we simply ignore, use the current state to decide what to do with it.
1254+ if (!ignore ) {
1255+ switch (m_recv_state) {
1256+ case RecvState::VERSION:
12571257 // Version message received; transition to application phase. The contents is
12581258 // ignored, but can be used for future extensions.
12591259 SetReceiveState (RecvState::APP);
1260- }
1261- // We have decrypted one valid packet (which may or may not have been a decoy) with the
1262- // received garbage as AAD. We no longer need the received garbage and further packets
1263- // are expected to use the empty string as AAD.
1264- ClearShrink (m_recv_garbage);
1265- break ;
1266- case RecvState::APP:
1267- if (!ignore) {
1260+ break ;
1261+ case RecvState::APP:
12681262 // Application message decrypted correctly. It can be extracted using GetMessage().
12691263 SetReceiveState (RecvState::APP_READY);
1264+ break ;
1265+ default :
1266+ // Any other state is invalid (this function should not have been called).
1267+ Assume (false );
12701268 }
1271- break ;
1272- default :
1273- // Any other state is invalid (this function should not have been called).
1274- Assume (false );
12751269 }
12761270 // Wipe the receive buffer where the next packet will be received into.
12771271 ClearShrink (m_recv_buffer);
0 commit comments