p2p/discover: implement v5.1 wire protocol (#21647)

This change implements the Discovery v5.1 wire protocol and also adds an interactive test suite for this protocol.

p2p/discover: implement v5.1 wire protocol (#21647)
This change implements the Discovery v5.1 wire protocol and also adds an interactive test suite for this protocol.
524aaf5e · Felix Lange · GitHub · 4eb01b21 · 524aaf5e · 524aaf5e
Unverified Commit 524aaf5e authored Oct 14, 2020 by Felix Lange Committed by GitHub Oct 14, 2020
23 changed files
--- a/cmd/devp2p/README.md
+++ b/cmd/devp2p/README.md
+# The devp2p command
+
+The devp2p command line tool is a utility for low-level peer-to-peer debugging and
+protocol development purposes. It can do many things.
+
+### ENR Decoding
+
+Use `devp2p enrdump <base64>` to verify and display an Ethereum Node Record.
+
+### Node Key Management
+
+The `devp2p key ...` command family deals with node key files.
+
+Run `devp2p key generate mynode.key` to create a new node key in the `mynode.key` file.
+
+Run `devp2p key to-enode mynode.key -ip 127.0.0.1 -tcp 30303` to create an enode:// URL
+corresponding to the given node key and address information.
+
+### Maintaining DNS Discovery Node Lists
+
+The devp2p command can create and publish DNS discovery node lists.
+
+Run `devp2p dns sign <directory>` to update the signature of a DNS discovery tree.
+
+Run `devp2p dns sync <enrtree-URL>` to download a complete DNS discovery tree.
+
+Run `devp2p dns to-cloudflare <directory>` to publish a tree to CloudFlare DNS.
+
+Run `devp2p dns to-route53 <directory>` to publish a tree to Amazon Route53.
+
+You can find more information about these commands in the [DNS Discovery Setup Guide][dns-tutorial].
+
+### Discovery v4 Utilities
+
+The `devp2p discv4 ...` command family deals with the [Node Discovery v4][discv4]
+protocol.
+
+Run `devp2p discv4 ping <enode/ENR>` to ping a node.
+
+Run `devp2p discv4 resolve <enode/ENR>` to find the most recent node record of a node in
+the DHT.
+
+Run `devp2p discv4 crawl <nodes.json path>` to create or update a JSON node set.
+
+### Discovery v5 Utilities
+
+The `devp2p discv5 ...` command family deals with the [Node Discovery v5][discv5]
+protocol. This protocol is currently under active development.
+
+Run `devp2p discv5 ping <ENR>` to ping a node.
+
+Run `devp2p discv5 resolve <ENR>` to find the most recent node record of a node in
+the discv5 DHT.
+
+Run `devp2p discv5 listen` to run a Discovery v5 node.
+
+Run `devp2p discv5 crawl <nodes.json path>` to create or update a JSON node set containing
+discv5 nodes.
+
+### Discovery Test Suites
+
+The devp2p command also contains interactive test suites for Discovery v4 and Discovery
+v5.
+
+To run these tests against your implementation, you need to set up a networking
+environment where two separate UDP listening addresses are available on the same machine.
+The two listening addresses must also be routed such that they are able to reach the node
+you want to test.
+
+For example, if you want to run the test on your local host, and the node under test is
+also on the local host, you need to assign two IP addresses (or a larger range) to your
+loopback interface. On macOS, this can be done by executing the following command:
+
+    sudo ifconfig lo0 add 127.0.0.2
+
+You can now run either test suite as follows: Start the node under test first, ensuring
+that it won't talk to the Internet (i.e. disable bootstrapping). An easy way to prevent
+unintended connections to the global DHT is listening on `127.0.0.1`.
+
+Now get the ENR of your node and store it in the `NODE` environment variable.
+
+Start the test by running `devp2p discv5 test -listen1 127.0.0.1 -listen2 127.0.0.2 $NODE`.
+
+[dns-tutorial]: https://geth.ethereum.org/docs/developers/dns-discovery-setup
+[discv4]: https://github.com/ethereum/devp2p/tree/master/discv4.md
+[discv5]: https://github.com/ethereum/devp2p/tree/master/discv5/discv5.md
--- a/cmd/devp2p/discv4cmd.go
+++ b/cmd/devp2p/discv4cmd.go
@@ -286,7 +286,11 @@ func listen(ln *enode.LocalNode, addr string) *net.UDPConn {
 	}
 	usocket := socket.(*net.UDPConn)
 	uaddr := socket.LocalAddr().(*net.UDPAddr)
-	ln.SetFallbackIP(net.IP{127, 0, 0, 1})
+	if uaddr.IP.IsUnspecified() {
+		ln.SetFallbackIP(net.IP{127, 0, 0, 1})
+	} else {
+		ln.SetFallbackIP(uaddr.IP)
+	}
 	ln.SetFallbackUDP(uaddr.Port)
 	return usocket
 }
@@ -294,7 +298,11 @@ func listen(ln *enode.LocalNode, addr string) *net.UDPConn {
 func parseBootnodes(ctx *cli.Context) ([]*enode.Node, error) {
 	s := params.RinkebyBootnodes
 	if ctx.IsSet(bootnodesFlag.Name) {
-		s = strings.Split(ctx.String(bootnodesFlag.Name), ",")
+		input := ctx.String(bootnodesFlag.Name)
+		if input == "" {
+			return nil, nil
+		}
+		s = strings.Split(input, ",")
 	}
 	nodes := make([]*enode.Node, len(s))
 	var err error

--- a/cmd/devp2p/discv5cmd.go
+++ b/cmd/devp2p/discv5cmd.go
@@ -18,9 +18,13 @@ package main

 import (
 	"fmt"
+	"os"
 	"time"

+	"github.com/ethereum/go-ethereum/cmd/devp2p/internal/v5test"
 	"github.com/ethereum/go-ethereum/common"
+	"github.com/ethereum/go-ethereum/internal/utesting"
+	"github.com/ethereum/go-ethereum/log"
 	"github.com/ethereum/go-ethereum/p2p/discover"
 	"gopkg.in/urfave/cli.v1"
 )
@@ -33,6 +37,7 @@ var (
 			discv5PingCommand,
 			discv5ResolveCommand,
 			discv5CrawlCommand,
+			discv5TestCommand,
 			discv5ListenCommand,
 		},
 	}
@@ -53,6 +58,12 @@ var (
 		Action: discv5Crawl,
 		Flags:  []cli.Flag{bootnodesFlag, crawlTimeoutFlag},
 	}
+	discv5TestCommand = cli.Command{
+		Name:   "test",
+		Usage:  "Runs protocol tests against a node",
+		Action: discv5Test,
+		Flags:  []cli.Flag{testPatternFlag, testListen1Flag, testListen2Flag},
+	}
 	discv5ListenCommand = cli.Command{
 		Name:   "listen",
 		Usage:  "Runs a node",
@@ -103,6 +114,30 @@ func discv5Crawl(ctx *cli.Context) error {
 	return nil
 }

+func discv5Test(ctx *cli.Context) error {
+	// Disable logging unless explicitly enabled.
+	if !ctx.GlobalIsSet("verbosity") && !ctx.GlobalIsSet("vmodule") {
+		log.Root().SetHandler(log.DiscardHandler())
+	}
+
+	// Filter and run test cases.
+	suite := &v5test.Suite{
+		Dest:    getNodeArg(ctx),
+		Listen1: ctx.String(testListen1Flag.Name),
+		Listen2: ctx.String(testListen2Flag.Name),
+	}
+	tests := suite.AllTests()
+	if ctx.IsSet(testPatternFlag.Name) {
+		tests = utesting.MatchTests(tests, ctx.String(testPatternFlag.Name))
+	}
+	results := utesting.RunTests(tests, os.Stdout)
+	if fails := utesting.CountFailures(results); fails > 0 {
+		return fmt.Errorf("%v/%v tests passed.", len(tests)-fails, len(tests))
+	}
+	fmt.Printf("%v/%v passed\n", len(tests), len(tests))
+	return nil
+}
+
 func discv5Listen(ctx *cli.Context) error {
 	disc := startV5(ctx)
 	defer disc.Close()

--- a/cmd/devp2p/internal/v5test/discv5tests.go
+++ b/cmd/devp2p/internal/v5test/discv5tests.go
--- a/cmd/devp2p/internal/v5test/framework.go
+++ b/cmd/devp2p/internal/v5test/framework.go
+// Copyright 2020 The go-ethereum Authors
+// This file is part of go-ethereum.
+//
+// go-ethereum is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// go-ethereum is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with go-ethereum. If not, see <http://www.gnu.org/licenses/>.
+
+package v5test
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"encoding/binary"
+	"fmt"
+	"net"
+	"time"
+
+	"github.com/ethereum/go-ethereum/common/mclock"
+	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/ethereum/go-ethereum/p2p/discover/v5wire"
+	"github.com/ethereum/go-ethereum/p2p/enode"
+	"github.com/ethereum/go-ethereum/p2p/enr"
+)
+
+// readError represents an error during packet reading.
+// This exists to facilitate type-switching on the result of conn.read.
+type readError struct {
+	err error
+}
+
+func (p *readError) Kind() byte          { return 99 }
+func (p *readError) Name() string        { return fmt.Sprintf("error: %v", p.err) }
+func (p *readError) Error() string       { return p.err.Error() }
+func (p *readError) Unwrap() error       { return p.err }
+func (p *readError) RequestID() []byte   { return nil }
+func (p *readError) SetRequestID([]byte) {}
+
+// readErrorf creates a readError with the given text.
+func readErrorf(format string, args ...interface{}) *readError {
+	return &readError{fmt.Errorf(format, args...)}
+}
+
+// This is the response timeout used in tests.
+const waitTime = 300 * time.Millisecond
+
+// conn is a connection to the node under test.
+type conn struct {
+	localNode  *enode.LocalNode
+	localKey   *ecdsa.PrivateKey
+	remote     *enode.Node
+	remoteAddr *net.UDPAddr
+	listeners  []net.PacketConn
+
+	log           logger
+	codec         *v5wire.Codec
+	lastRequest   v5wire.Packet
+	lastChallenge *v5wire.Whoareyou
+	idCounter     uint32
+}
+
+type logger interface {
+	Logf(string, ...interface{})
+}
+
+// newConn sets up a connection to the given node.
+func newConn(dest *enode.Node, log logger) *conn {
+	key, err := crypto.GenerateKey()
+	if err != nil {
+		panic(err)
+	}
+	db, err := enode.OpenDB("")
+	if err != nil {
+		panic(err)
+	}
+	ln := enode.NewLocalNode(db, key)
+
+	return &conn{
+		localKey:   key,
+		localNode:  ln,
+		remote:     dest,
+		remoteAddr: &net.UDPAddr{IP: dest.IP(), Port: dest.UDP()},
+		codec:      v5wire.NewCodec(ln, key, mclock.System{}),
+		log:        log,
+	}
+}
+
+func (tc *conn) setEndpoint(c net.PacketConn) {
+	tc.localNode.SetStaticIP(laddr(c).IP)
+	tc.localNode.SetFallbackUDP(laddr(c).Port)
+}
+
+func (tc *conn) listen(ip string) net.PacketConn {
+	l, err := net.ListenPacket("udp", fmt.Sprintf("%v:0", ip))
+	if err != nil {
+		panic(err)
+	}
+	tc.listeners = append(tc.listeners, l)
+	return l
+}
+
+// close shuts down all listeners and the local node.
+func (tc *conn) close() {
+	for _, l := range tc.listeners {
+		l.Close()
+	}
+	tc.localNode.Database().Close()
+}
+
+// nextReqID creates a request id.
+func (tc *conn) nextReqID() []byte {
+	id := make([]byte, 4)
+	tc.idCounter++
+	binary.BigEndian.PutUint32(id, tc.idCounter)
+	return id
+}
+
+// reqresp performs a request/response interaction on the given connection.
+// The request is retried if a handshake is requested.
+func (tc *conn) reqresp(c net.PacketConn, req v5wire.Packet) v5wire.Packet {
+	reqnonce := tc.write(c, req, nil)
+	switch resp := tc.read(c).(type) {
+	case *v5wire.Whoareyou:
+		if resp.Nonce != reqnonce {
+			return readErrorf("wrong nonce %x in WHOAREYOU (want %x)", resp.Nonce[:], reqnonce[:])
+		}
+		resp.Node = tc.remote
+		tc.write(c, req, resp)
+		return tc.read(c)
+	default:
+		return resp
+	}
+}
+
+// findnode sends a FINDNODE request and waits for its responses.
+func (tc *conn) findnode(c net.PacketConn, dists []uint) ([]*enode.Node, error) {
+	var (
+		findnode = &v5wire.Findnode{ReqID: tc.nextReqID(), Distances: dists}
+		reqnonce = tc.write(c, findnode, nil)
+		first    = true
+		total    uint8
+		results  []*enode.Node
+	)
+	for n := 1; n > 0; {
+		switch resp := tc.read(c).(type) {
+		case *v5wire.Whoareyou:
+			// Handle handshake.
+			if resp.Nonce == reqnonce {
+				resp.Node = tc.remote
+				tc.write(c, findnode, resp)
+			} else {
+				return nil, fmt.Errorf("unexpected WHOAREYOU (nonce %x), waiting for NODES", resp.Nonce[:])
+			}
+		case *v5wire.Ping:
+			// Handle ping from remote.
+			tc.write(c, &v5wire.Pong{
+				ReqID:  resp.ReqID,
+				ENRSeq: tc.localNode.Seq(),
+			}, nil)
+		case *v5wire.Nodes:
+			// Got NODES! Check request ID.
+			if !bytes.Equal(resp.ReqID, findnode.ReqID) {
+				return nil, fmt.Errorf("NODES response has wrong request id %x", resp.ReqID)
+			}
+			// Check total count. It should be greater than one
+			// and needs to be the same across all responses.
+			if first {
+				if resp.Total == 0 || resp.Total > 6 {
+					return nil, fmt.Errorf("invalid NODES response 'total' %d (not in (0,7))", resp.Total)
+				}
+				total = resp.Total
+				n = int(total) - 1
+				first = false
+			} else {
+				n--
+				if resp.Total != total {
+					return nil, fmt.Errorf("invalid NODES response 'total' %d (!= %d)", resp.Total, total)
+				}
+			}
+			// Check nodes.
+			nodes, err := checkRecords(resp.Nodes)
+			if err != nil {
+				return nil, fmt.Errorf("invalid node in NODES response: %v", err)
+			}
+			results = append(results, nodes...)
+		default:
+			return nil, fmt.Errorf("expected NODES, got %v", resp)
+		}
+	}
+	return results, nil
+}
+
+// write sends a packet on the given connection.
+func (tc *conn) write(c net.PacketConn, p v5wire.Packet, challenge *v5wire.Whoareyou) v5wire.Nonce {
+	packet, nonce, err := tc.codec.Encode(tc.remote.ID(), tc.remoteAddr.String(), p, challenge)
+	if err != nil {
+		panic(fmt.Errorf("can't encode %v packet: %v", p.Name(), err))
+	}
+	if _, err := c.WriteTo(packet, tc.remoteAddr); err != nil {
+		tc.logf("Can't send %s: %v", p.Name(), err)
+	} else {
+		tc.logf(">> %s", p.Name())
+	}
+	return nonce
+}
+
+// read waits for an incoming packet on the given connection.
+func (tc *conn) read(c net.PacketConn) v5wire.Packet {
+	buf := make([]byte, 1280)
+	if err := c.SetReadDeadline(time.Now().Add(waitTime)); err != nil {
+		return &readError{err}
+	}
+	n, fromAddr, err := c.ReadFrom(buf)
+	if err != nil {
+		return &readError{err}
+	}
+	_, _, p, err := tc.codec.Decode(buf[:n], fromAddr.String())
+	if err != nil {
+		return &readError{err}
+	}
+	tc.logf("<< %s", p.Name())
+	return p
+}
+
+// logf prints to the test log.
+func (tc *conn) logf(format string, args ...interface{}) {
+	if tc.log != nil {
+		tc.log.Logf("(%s) %s", tc.localNode.ID().TerminalString(), fmt.Sprintf(format, args...))
+	}
+}
+
+func laddr(c net.PacketConn) *net.UDPAddr {
+	return c.LocalAddr().(*net.UDPAddr)
+}
+
+func checkRecords(records []*enr.Record) ([]*enode.Node, error) {
+	nodes := make([]*enode.Node, len(records))
+	for i := range records {
+		n, err := enode.New(enode.ValidSchemes, records[i])
+		if err != nil {
+			return nil, err
+		}
+		nodes[i] = n
+	}
+	return nodes, nil
+}
+
+func containsUint(ints []uint, x uint) bool {
+	for i := range ints {
+		if ints[i] == x {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/utesting/utesting.go
+++ b/internal/utesting/utesting.go
@@ -65,10 +65,17 @@ func MatchTests(tests []Test, expr string) []Test {
 func RunTests(tests []Test, report io.Writer) []Result {
 	results := make([]Result, len(tests))
 	for i, test := range tests {
+		var output io.Writer
+		buffer := new(bytes.Buffer)
+		output = buffer
+		if report != nil {
+			output = io.MultiWriter(buffer, report)
+		}
 		start := time.Now()
 		results[i].Name = test.Name
-		results[i].Failed, results[i].Output = Run(test)
+		results[i].Failed = run(test, output)
 		results[i].Duration = time.Since(start)
+		results[i].Output = buffer.String()
 		if report != nil {
 			printResult(results[i], report)
 		}
@@ -80,7 +87,6 @@ func printResult(r Result, w io.Writer) {
 	pd := r.Duration.Truncate(100 * time.Microsecond)
 	if r.Failed {
 		fmt.Fprintf(w, "-- FAIL %s (%v)\n", r.Name, pd)
-		fmt.Fprintln(w, r.Output)
 	} else {
 		fmt.Fprintf(w, "-- OK %s (%v)\n", r.Name, pd)
 	}
@@ -99,7 +105,13 @@ func CountFailures(rr []Result) int {

 // Run executes a single test.
 func Run(test Test) (bool, string) {
-	t := new(T)
+	output := new(bytes.Buffer)
+	failed := run(test, output)
+	return failed, output.String()
+}
+
+func run(test Test, output io.Writer) bool {
+	t := &T{output: output}
 	done := make(chan struct{})
 	go func() {
 		defer close(done)
@@ -114,7 +126,7 @@ func Run(test Test) (bool, string) {
 		test.Fn(t)
 	}()
 	<-done
-	return t.failed, t.output.String()
+	return t.failed
 }

 // T is the value given to the test function. The test can signal failures
@@ -122,7 +134,7 @@ func Run(test Test) (bool, string) {
 type T struct {
 	mu     sync.Mutex
 	failed bool
-	output bytes.Buffer
+	output io.Writer
 }

 // FailNow marks the test as having failed and stops its execution by calling
@@ -151,7 +163,7 @@ func (t *T) Failed() bool {
 func (t *T) Log(vs ...interface{}) {
 	t.mu.Lock()
 	defer t.mu.Unlock()
-	fmt.Fprintln(&t.output, vs...)
+	fmt.Fprintln(t.output, vs...)
 }

 // Logf formats its arguments according to the format, analogous to Printf, and records
@@ -162,7 +174,7 @@ func (t *T) Logf(format string, vs ...interface{}) {
 	if len(format) == 0 || format[len(format)-1] != '\n' {
 		format += "\n"
 	}
-	fmt.Fprintf(&t.output, format, vs...)
+	fmt.Fprintf(t.output, format, vs...)
 }

 // Error is equivalent to Log followed by Fail.

--- a/p2p/discover/node.go
+++ b/p2p/discover/node.go
@@ -46,7 +46,10 @@ func encodePubkey(key *ecdsa.PublicKey) encPubkey {
 	return e
 }

-func decodePubkey(curve elliptic.Curve, e encPubkey) (*ecdsa.PublicKey, error) {
+func decodePubkey(curve elliptic.Curve, e []byte) (*ecdsa.PublicKey, error) {
+	if len(e) != len(encPubkey{}) {
+		return nil, errors.New("wrong size public key data")
+	}
 	p := &ecdsa.PublicKey{Curve: curve, X: new(big.Int), Y: new(big.Int)}
 	half := len(e) / 2
 	p.X.SetBytes(e[:half])

--- a/p2p/discover/table_util_test.go
+++ b/p2p/discover/table_util_test.go
@@ -146,7 +146,6 @@ func (t *pingRecorder) updateRecord(n *enode.Node) {
 func (t *pingRecorder) Self() *enode.Node           { return nullNode }
 func (t *pingRecorder) lookupSelf() []*enode.Node   { return nil }
 func (t *pingRecorder) lookupRandom() []*enode.Node { return nil }
-func (t *pingRecorder) close()                      {}

 // ping simulates a ping request.
 func (t *pingRecorder) ping(n *enode.Node) (seq uint64, err error) {
@@ -188,15 +187,16 @@ func hasDuplicates(slice []*node) bool {
 	return false
 }

+// checkNodesEqual checks whether the two given node lists contain the same nodes.
 func checkNodesEqual(got, want []*enode.Node) error {
 	if len(got) == len(want) {
 		for i := range got {
 			if !nodeEqual(got[i], want[i]) {
 				goto NotEqual
 			}
-			return nil
 		}
 	}
+	return nil

 NotEqual:
 	output := new(bytes.Buffer)
@@ -227,6 +227,7 @@ func sortedByDistanceTo(distbase enode.ID, slice []*node) bool {
 	})
 }

+// hexEncPrivkey decodes h as a private key.
 func hexEncPrivkey(h string) *ecdsa.PrivateKey {
 	b, err := hex.DecodeString(h)
 	if err != nil {
@@ -239,6 +240,7 @@ func hexEncPrivkey(h string) *ecdsa.PrivateKey {
 	return key
 }

+// hexEncPubkey decodes h as a public key.
 func hexEncPubkey(h string) (ret encPubkey) {
 	b, err := hex.DecodeString(h)
 	if err != nil {

--- a/p2p/discover/v4_lookup_test.go
+++ b/p2p/discover/v4_lookup_test.go
@@ -34,7 +34,7 @@ func TestUDPv4_Lookup(t *testing.T) {
 	test := newUDPTest(t)

 	// Lookup on empty table returns no nodes.
-	targetKey, _ := decodePubkey(crypto.S256(), lookupTestnet.target)
+	targetKey, _ := decodePubkey(crypto.S256(), lookupTestnet.target[:])
 	if results := test.udp.LookupPubkey(targetKey); len(results) > 0 {
 		t.Fatalf("lookup on empty table returned %d results: %#v", len(results), results)
 	}
@@ -279,17 +279,21 @@ func (tn *preminedTestnet) nodesAtDistance(dist int) []v4wire.Node {
 	return result
 }

-func (tn *preminedTestnet) neighborsAtDistance(base *enode.Node, distance uint, elems int) []*enode.Node {
-	nodes := nodesByDistance{target: base.ID()}
+func (tn *preminedTestnet) neighborsAtDistances(base *enode.Node, distances []uint, elems int) []*enode.Node {
+	var result []*enode.Node
 	for d := range lookupTestnet.dists {
 		for i := range lookupTestnet.dists[d] {
 			n := lookupTestnet.node(d, i)
-			if uint(enode.LogDist(n.ID(), base.ID())) == distance {
-				nodes.push(wrapNode(n), elems)
+			d := enode.LogDist(base.ID(), n.ID())
+			if containsUint(uint(d), distances) {
+				result = append(result, n)
+				if len(result) >= elems {
+					return result
+				}
 			}
 		}
 	}
-	return unwrapNodes(nodes.entries)
+	return result
 }

 func (tn *preminedTestnet) closest(n int) (nodes []*enode.Node) {

--- a/p2p/discover/v5_encoding.go
+++ b/p2p/discover/v5_encoding.go
--- a/p2p/discover/v5_udp.go
+++ b/p2p/discover/v5_udp.go
--- a/p2p/discover/v5_udp_test.go
+++ b/p2p/discover/v5_udp_test.go
--- a/p2p/discover/v5wire/crypto.go
+++ b/p2p/discover/v5wire/crypto.go
+// Copyright 2020 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+package v5wire
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"errors"
+	"fmt"
+	"hash"
+
+	"github.com/ethereum/go-ethereum/common/math"
+	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/ethereum/go-ethereum/p2p/enode"
+	"golang.org/x/crypto/hkdf"
+)
+
+const (
+	// Encryption/authentication parameters.
+	aesKeySize   = 16
+	gcmNonceSize = 12
+)
+
+// Nonce represents a nonce used for AES/GCM.
+type Nonce [gcmNonceSize]byte
+
+// EncodePubkey encodes a public key.
+func EncodePubkey(key *ecdsa.PublicKey) []byte {
+	switch key.Curve {
+	case crypto.S256():
+		return crypto.CompressPubkey(key)
+	default:
+		panic("unsupported curve " + key.Curve.Params().Name + " in EncodePubkey")
+	}
+}
+
+// DecodePubkey decodes a public key in compressed format.
+func DecodePubkey(curve elliptic.Curve, e []byte) (*ecdsa.PublicKey, error) {
+	switch curve {
+	case crypto.S256():
+		if len(e) != 33 {
+			return nil, errors.New("wrong size public key data")
+		}
+		return crypto.DecompressPubkey(e)
+	default:
+		return nil, fmt.Errorf("unsupported curve %s in DecodePubkey", curve.Params().Name)
+	}
+}
+
+// idNonceHash computes the ID signature hash used in the handshake.
+func idNonceHash(h hash.Hash, challenge, ephkey []byte, destID enode.ID) []byte {
+	h.Reset()
+	h.Write([]byte("discovery v5 identity proof"))
+	h.Write(challenge)
+	h.Write(ephkey)
+	h.Write(destID[:])
+	return h.Sum(nil)
+}
+
+// makeIDSignature creates the ID nonce signature.
+func makeIDSignature(hash hash.Hash, key *ecdsa.PrivateKey, challenge, ephkey []byte, destID enode.ID) ([]byte, error) {
+	input := idNonceHash(hash, challenge, ephkey, destID)
+	switch key.Curve {
+	case crypto.S256():
+		idsig, err := crypto.Sign(input, key)
+		if err != nil {
+			return nil, err
+		}
+		return idsig[:len(idsig)-1], nil // remove recovery ID
+	default:
+		return nil, fmt.Errorf("unsupported curve %s", key.Curve.Params().Name)
+	}
+}
+
+// s256raw is an unparsed secp256k1 public key ENR entry.
+type s256raw []byte
+
+func (s256raw) ENRKey() string { return "secp256k1" }
+
+// verifyIDSignature checks that signature over idnonce was made by the given node.
+func verifyIDSignature(hash hash.Hash, sig []byte, n *enode.Node, challenge, ephkey []byte, destID enode.ID) error {
+	switch idscheme := n.Record().IdentityScheme(); idscheme {
+	case "v4":
+		var pubkey s256raw
+		if n.Load(&pubkey) != nil {
+			return errors.New("no secp256k1 public key in record")
+		}
+		input := idNonceHash(hash, challenge, ephkey, destID)
+		if !crypto.VerifySignature(pubkey, input, sig) {
+			return errInvalidNonceSig
+		}
+		return nil
+	default:
+		return fmt.Errorf("can't verify ID nonce signature against scheme %q", idscheme)
+	}
+}
+
+type hashFn func() hash.Hash
+
+// deriveKeys creates the session keys.
+func deriveKeys(hash hashFn, priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey, n1, n2 enode.ID, challenge []byte) *session {
+	const text = "discovery v5 key agreement"
+	var info = make([]byte, 0, len(text)+len(n1)+len(n2))
+	info = append(info, text...)
+	info = append(info, n1[:]...)
+	info = append(info, n2[:]...)
+
+	eph := ecdh(priv, pub)
+	if eph == nil {
+		return nil
+	}
+	kdf := hkdf.New(hash, eph, challenge, info)
+	sec := session{writeKey: make([]byte, aesKeySize), readKey: make([]byte, aesKeySize)}
+	kdf.Read(sec.writeKey)
+	kdf.Read(sec.readKey)
+	for i := range eph {
+		eph[i] = 0
+	}
+	return &sec
+}
+
+// ecdh creates a shared secret.
+func ecdh(privkey *ecdsa.PrivateKey, pubkey *ecdsa.PublicKey) []byte {
+	secX, secY := pubkey.ScalarMult(pubkey.X, pubkey.Y, privkey.D.Bytes())
+	if secX == nil {
+		return nil
+	}
+	sec := make([]byte, 33)
+	sec[0] = 0x02 | byte(secY.Bit(0))
+	math.ReadBits(secX, sec[1:])
+	return sec
+}
+
+// encryptGCM encrypts pt using AES-GCM with the given key and nonce. The ciphertext is
+// appended to dest, which must not overlap with plaintext. The resulting ciphertext is 16
+// bytes longer than plaintext because it contains an authentication tag.
+func encryptGCM(dest, key, nonce, plaintext, authData []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		panic(fmt.Errorf("can't create block cipher: %v", err))
+	}
+	aesgcm, err := cipher.NewGCMWithNonceSize(block, gcmNonceSize)
+	if err != nil {
+		panic(fmt.Errorf("can't create GCM: %v", err))
+	}
+	return aesgcm.Seal(dest, nonce, plaintext, authData), nil
+}
+
+// decryptGCM decrypts ct using AES-GCM with the given key and nonce.
+func decryptGCM(key, nonce, ct, authData []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, fmt.Errorf("can't create block cipher: %v", err)
+	}
+	if len(nonce) != gcmNonceSize {
+		return nil, fmt.Errorf("invalid GCM nonce size: %d", len(nonce))
+	}
+	aesgcm, err := cipher.NewGCMWithNonceSize(block, gcmNonceSize)
+	if err != nil {
+		return nil, fmt.Errorf("can't create GCM: %v", err)
+	}
+	pt := make([]byte, 0, len(ct))
+	return aesgcm.Open(pt, nonce, ct, authData)
+}
--- a/p2p/discover/v5wire/crypto_test.go
+++ b/p2p/discover/v5wire/crypto_test.go
+// Copyright 2020 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+package v5wire
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/sha256"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/ethereum/go-ethereum/common/hexutil"
+	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/ethereum/go-ethereum/p2p/enode"
+)
+
+func TestVector_ECDH(t *testing.T) {
+	var (
+		staticKey = hexPrivkey("0xfb757dc581730490a1d7a00deea65e9b1936924caaea8f44d476014856b68736")
+		publicKey = hexPubkey(crypto.S256(), "0x039961e4c2356d61bedb83052c115d311acb3a96f5777296dcf297351130266231")
+		want      = hexutil.MustDecode("0x033b11a2a1f214567e1537ce5e509ffd9b21373247f2a3ff6841f4976f53165e7e")
+	)
+	result := ecdh(staticKey, publicKey)
+	check(t, "shared-secret", result, want)
+}
+
+func TestVector_KDF(t *testing.T) {
+	var (
+		ephKey = hexPrivkey("0xfb757dc581730490a1d7a00deea65e9b1936924caaea8f44d476014856b68736")
+		cdata  = hexutil.MustDecode("0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000000")
+		net    = newHandshakeTest()
+	)
+	defer net.close()
+
+	destKey := &testKeyB.PublicKey
+	s := deriveKeys(sha256.New, ephKey, destKey, net.nodeA.id(), net.nodeB.id(), cdata)
+	t.Logf("ephemeral-key = %#x", ephKey.D)
+	t.Logf("dest-pubkey = %#x", EncodePubkey(destKey))
+	t.Logf("node-id-a = %#x", net.nodeA.id().Bytes())
+	t.Logf("node-id-b = %#x", net.nodeB.id().Bytes())
+	t.Logf("challenge-data = %#x", cdata)
+	check(t, "initiator-key", s.writeKey, hexutil.MustDecode("0xdccc82d81bd610f4f76d3ebe97a40571"))
+	check(t, "recipient-key", s.readKey, hexutil.MustDecode("0xac74bb8773749920b0d3a8881c173ec5"))
+}
+
+func TestVector_IDSignature(t *testing.T) {
+	var (
+		key    = hexPrivkey("0xfb757dc581730490a1d7a00deea65e9b1936924caaea8f44d476014856b68736")
+		destID = enode.HexID("0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9")
+		ephkey = hexutil.MustDecode("0x039961e4c2356d61bedb83052c115d311acb3a96f5777296dcf297351130266231")
+		cdata  = hexutil.MustDecode("0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000000")
+	)
+
+	sig, err := makeIDSignature(sha256.New(), key, cdata, ephkey, destID)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("static-key = %#x", key.D)
+	t.Logf("challenge-data = %#x", cdata)
+	t.Logf("ephemeral-pubkey = %#x", ephkey)
+	t.Logf("node-id-B = %#x", destID.Bytes())
+	expected := "0x94852a1e2318c4e5e9d422c98eaf19d1d90d876b29cd06ca7cb7546d0fff7b484fe86c09a064fe72bdbef73ba8e9c34df0cd2b53e9d65528c2c7f336d5dfc6e6"
+	check(t, "id-signature", sig, hexutil.MustDecode(expected))
+}
+
+func TestDeriveKeys(t *testing.T) {
+	t.Parallel()
+
+	var (
+		n1    = enode.ID{1}
+		n2    = enode.ID{2}
+		cdata = []byte{1, 2, 3, 4}
+	)
+	sec1 := deriveKeys(sha256.New, testKeyA, &testKeyB.PublicKey, n1, n2, cdata)
+	sec2 := deriveKeys(sha256.New, testKeyB, &testKeyA.PublicKey, n1, n2, cdata)
+	if sec1 == nil || sec2 == nil {
+		t.Fatal("key agreement failed")
+	}
+	if !reflect.DeepEqual(sec1, sec2) {
+		t.Fatalf("keys not equal:\n  %+v\n  %+v", sec1, sec2)
+	}
+}
+
+func check(t *testing.T, what string, x, y []byte) {
+	t.Helper()
+
+	if !bytes.Equal(x, y) {
+		t.Errorf("wrong %s: %#x != %#x", what, x, y)
+	} else {
+		t.Logf("%s = %#x", what, x)
+	}
+}
+
+func hexPrivkey(input string) *ecdsa.PrivateKey {
+	key, err := crypto.HexToECDSA(strings.TrimPrefix(input, "0x"))
+	if err != nil {
+		panic(err)
+	}
+	return key
+}
+
+func hexPubkey(curve elliptic.Curve, input string) *ecdsa.PublicKey {
+	key, err := DecodePubkey(curve, hexutil.MustDecode(input))
+	if err != nil {
+		panic(err)
+	}
+	return key
+}
--- a/p2p/discover/v5wire/encoding.go
+++ b/p2p/discover/v5wire/encoding.go
--- a/p2p/discover/v5_encoding_test.go
+++ b/p2p/discover/v5_encoding_test.go
--- a/p2p/discover/v5wire/msg.go
+++ b/p2p/discover/v5wire/msg.go
+// Copyright 2019 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+package v5wire
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/ethereum/go-ethereum/common/mclock"
+	"github.com/ethereum/go-ethereum/p2p/enode"
+	"github.com/ethereum/go-ethereum/p2p/enr"
+	"github.com/ethereum/go-ethereum/rlp"
+)
+
+// Packet is implemented by all message types.
+type Packet interface {
+	Name() string        // Name returns a string corresponding to the message type.
+	Kind() byte          // Kind returns the message type.
+	RequestID() []byte   // Returns the request ID.
+	SetRequestID([]byte) // Sets the request ID.
+}
+
+// Message types.
+const (
+	PingMsg byte = iota + 1
+	PongMsg
+	FindnodeMsg
+	NodesMsg
+	TalkRequestMsg
+	TalkResponseMsg
+	RequestTicketMsg
+	TicketMsg
+	RegtopicMsg
+	RegconfirmationMsg
+	TopicQueryMsg
+
+	UnknownPacket   = byte(255) // any non-decryptable packet
+	WhoareyouPacket = byte(254) // the WHOAREYOU packet
+)
+
+// Protocol messages.
+type (
+	// Unknown represents any packet that can't be decrypted.
+	Unknown struct {
+		Nonce Nonce
+	}
+
+	// WHOAREYOU contains the handshake challenge.
+	Whoareyou struct {
+		ChallengeData []byte   // Encoded challenge
+		Nonce         Nonce    // Nonce of request packet
+		IDNonce       [16]byte // Identity proof data
+		RecordSeq     uint64   // ENR sequence number of recipient
+
+		// Node is the locally known node record of recipient.
+		// This must be set by the caller of Encode.
+		Node *enode.Node
+
+		sent mclock.AbsTime // for handshake GC.
+	}
+
+	// PING is sent during liveness checks.
+	Ping struct {
+		ReqID  []byte
+		ENRSeq uint64
+	}
+
+	// PONG is the reply to PING.
+	Pong struct {
+		ReqID  []byte
+		ENRSeq uint64
+		ToIP   net.IP // These fields should mirror the UDP envelope address of the ping
+		ToPort uint16 // packet, which provides a way to discover the the external address (after NAT).
+	}
+
+	// FINDNODE is a query for nodes in the given bucket.
+	Findnode struct {
+		ReqID     []byte
+		Distances []uint
+	}
+
+	// NODES is the reply to FINDNODE and TOPICQUERY.
+	Nodes struct {
+		ReqID []byte
+		Total uint8
+		Nodes []*enr.Record
+	}
+
+	// TALKREQ is an application-level request.
+	TalkRequest struct {
+		ReqID    []byte
+		Protocol string
+		Message  []byte
+	}
+
+	// TALKRESP is the reply to TALKREQ.
+	TalkResponse struct {
+		ReqID   []byte
+		Message []byte
+	}
+
+	// REQUESTTICKET requests a ticket for a topic queue.
+	RequestTicket struct {
+		ReqID []byte
+		Topic []byte
+	}
+
+	// TICKET is the response to REQUESTTICKET.
+	Ticket struct {
+		ReqID  []byte
+		Ticket []byte
+	}
+
+	// REGTOPIC registers the sender in a topic queue using a ticket.
+	Regtopic struct {
+		ReqID  []byte
+		Ticket []byte
+		ENR    *enr.Record
+	}
+
+	// REGCONFIRMATION is the reply to REGTOPIC.
+	Regconfirmation struct {
+		ReqID      []byte
+		Registered bool
+	}
+
+	// TOPICQUERY asks for nodes with the given topic.
+	TopicQuery struct {
+		ReqID []byte
+		Topic []byte
+	}
+)
+
+// DecodeMessage decodes the message body of a packet.
+func DecodeMessage(ptype byte, body []byte) (Packet, error) {
+	var dec Packet
+	switch ptype {
+	case PingMsg:
+		dec = new(Ping)
+	case PongMsg:
+		dec = new(Pong)
+	case FindnodeMsg:
+		dec = new(Findnode)
+	case NodesMsg:
+		dec = new(Nodes)
+	case TalkRequestMsg:
+		dec = new(TalkRequest)
+	case TalkResponseMsg:
+		dec = new(TalkResponse)
+	case RequestTicketMsg:
+		dec = new(RequestTicket)
+	case TicketMsg:
+		dec = new(Ticket)
+	case RegtopicMsg:
+		dec = new(Regtopic)
+	case RegconfirmationMsg:
+		dec = new(Regconfirmation)
+	case TopicQueryMsg:
+		dec = new(TopicQuery)
+	default:
+		return nil, fmt.Errorf("unknown packet type %d", ptype)
+	}
+	if err := rlp.DecodeBytes(body, dec); err != nil {
+		return nil, err
+	}
+	if dec.RequestID() != nil && len(dec.RequestID()) > 8 {
+		return nil, ErrInvalidReqID
+	}
+	return dec, nil
+}
+
+func (*Whoareyou) Name() string        { return "WHOAREYOU/v5" }
+func (*Whoareyou) Kind() byte          { return WhoareyouPacket }
+func (*Whoareyou) RequestID() []byte   { return nil }
+func (*Whoareyou) SetRequestID([]byte) {}
+
+func (*Unknown) Name() string        { return "UNKNOWN/v5" }
+func (*Unknown) Kind() byte          { return UnknownPacket }
+func (*Unknown) RequestID() []byte   { return nil }
+func (*Unknown) SetRequestID([]byte) {}
+
+func (*Ping) Name() string             { return "PING/v5" }
+func (*Ping) Kind() byte               { return PingMsg }
+func (p *Ping) RequestID() []byte      { return p.ReqID }
+func (p *Ping) SetRequestID(id []byte) { p.ReqID = id }
+
+func (*Pong) Name() string             { return "PONG/v5" }
+func (*Pong) Kind() byte               { return PongMsg }
+func (p *Pong) RequestID() []byte      { return p.ReqID }
+func (p *Pong) SetRequestID(id []byte) { p.ReqID = id }
+
+func (*Findnode) Name() string             { return "FINDNODE/v5" }
+func (*Findnode) Kind() byte               { return FindnodeMsg }
+func (p *Findnode) RequestID() []byte      { return p.ReqID }
+func (p *Findnode) SetRequestID(id []byte) { p.ReqID = id }
+
+func (*Nodes) Name() string             { return "NODES/v5" }
+func (*Nodes) Kind() byte               { return NodesMsg }
+func (p *Nodes) RequestID() []byte      { return p.ReqID }
+func (p *Nodes) SetRequestID(id []byte) { p.ReqID = id }
+
+func (*TalkRequest) Name() string             { return "TALKREQ/v5" }
+func (*TalkRequest) Kind() byte               { return TalkRequestMsg }
+func (p *TalkRequest) RequestID() []byte      { return p.ReqID }
+func (p *TalkRequest) SetRequestID(id []byte) { p.ReqID = id }
+
+func (*TalkResponse) Name() string             { return "TALKRESP/v5" }
+func (*TalkResponse) Kind() byte               { return TalkResponseMsg }
+func (p *TalkResponse) RequestID() []byte      { return p.ReqID }
+func (p *TalkResponse) SetRequestID(id []byte) { p.ReqID = id }
+
+func (*RequestTicket) Name() string             { return "REQTICKET/v5" }
+func (*RequestTicket) Kind() byte               { return RequestTicketMsg }
+func (p *RequestTicket) RequestID() []byte      { return p.ReqID }
+func (p *RequestTicket) SetRequestID(id []byte) { p.ReqID = id }
+
+func (*Regtopic) Name() string             { return "REGTOPIC/v5" }
+func (*Regtopic) Kind() byte               { return RegtopicMsg }
+func (p *Regtopic) RequestID() []byte      { return p.ReqID }
+func (p *Regtopic) SetRequestID(id []byte) { p.ReqID = id }
+
+func (*Ticket) Name() string             { return "TICKET/v5" }
+func (*Ticket) Kind() byte               { return TicketMsg }
+func (p *Ticket) RequestID() []byte      { return p.ReqID }
+func (p *Ticket) SetRequestID(id []byte) { p.ReqID = id }
+
+func (*Regconfirmation) Name() string             { return "REGCONFIRMATION/v5" }
+func (*Regconfirmation) Kind() byte               { return RegconfirmationMsg }
+func (p *Regconfirmation) RequestID() []byte      { return p.ReqID }
+func (p *Regconfirmation) SetRequestID(id []byte) { p.ReqID = id }
+
+func (*TopicQuery) Name() string             { return "TOPICQUERY/v5" }
+func (*TopicQuery) Kind() byte               { return TopicQueryMsg }
+func (p *TopicQuery) RequestID() []byte      { return p.ReqID }
+func (p *TopicQuery) SetRequestID(id []byte) { p.ReqID = id }
--- a/p2p/discover/v5_session.go
+++ b/p2p/discover/v5_session.go
@@ -14,22 +14,33 @@
 // You should have received a copy of the GNU Lesser General Public License
 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.

-package discover
+package v5wire

 import (
+	"crypto/ecdsa"
 	crand "crypto/rand"
+	"encoding/binary"
+	"time"

 	"github.com/ethereum/go-ethereum/common/mclock"
+	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/ethereum/go-ethereum/p2p/enode"
 	"github.com/hashicorp/golang-lru/simplelru"
 )

-// The sessionCache keeps negotiated encryption keys and
+const handshakeTimeout = time.Second
+
+// The SessionCache keeps negotiated encryption keys and
 // state for in-progress handshakes in the Discovery v5 wire protocol.
-type sessionCache struct {
+type SessionCache struct {
 	sessions   *simplelru.LRU
-	handshakes map[sessionID]*whoareyouV5
+	handshakes map[sessionID]*Whoareyou
 	clock      mclock.Clock
+
+	// hooks for overriding randomness.
+	nonceGen        func(uint32) (Nonce, error)
+	maskingIVGen    func([]byte) error
+	ephemeralKeyGen func() (*ecdsa.PrivateKey, error)
 }

 // sessionID identifies a session or handshake.
@@ -45,27 +56,45 @@ type session struct {
 	nonceCounter uint32
 }

-func newSessionCache(maxItems int, clock mclock.Clock) *sessionCache {
+// keysFlipped returns a copy of s with the read and write keys flipped.
+func (s *session) keysFlipped() *session {
+	return &session{s.readKey, s.writeKey, s.nonceCounter}
+}
+
+func NewSessionCache(maxItems int, clock mclock.Clock) *SessionCache {
 	cache, err := simplelru.NewLRU(maxItems, nil)
 	if err != nil {
 		panic("can't create session cache")
 	}
-	return &sessionCache{
-		sessions:   cache,
-		handshakes: make(map[sessionID]*whoareyouV5),
-		clock:      clock,
+	return &SessionCache{
+		sessions:        cache,
+		handshakes:      make(map[sessionID]*Whoareyou),
+		clock:           clock,
+		nonceGen:        generateNonce,
+		maskingIVGen:    generateMaskingIV,
+		ephemeralKeyGen: crypto.GenerateKey,
 	}
 }

+func generateNonce(counter uint32) (n Nonce, err error) {
+	binary.BigEndian.PutUint32(n[:4], counter)
+	_, err = crand.Read(n[4:])
+	return n, err
+}
+
+func generateMaskingIV(buf []byte) error {
+	_, err := crand.Read(buf)
+	return err
+}
+
 // nextNonce creates a nonce for encrypting a message to the given session.
-func (sc *sessionCache) nextNonce(id enode.ID, addr string) []byte {
-	n := make([]byte, gcmNonceSize)
-	crand.Read(n)
-	return n
+func (sc *SessionCache) nextNonce(s *session) (Nonce, error) {
+	s.nonceCounter++
+	return sc.nonceGen(s.nonceCounter)
 }

 // session returns the current session for the given node, if any.
-func (sc *sessionCache) session(id enode.ID, addr string) *session {
+func (sc *SessionCache) session(id enode.ID, addr string) *session {
 	item, ok := sc.sessions.Get(sessionID{id, addr})
 	if !ok {
 		return nil
@@ -74,46 +103,36 @@ func (sc *sessionCache) session(id enode.ID, addr string) *session {
 }

 // readKey returns the current read key for the given node.
-func (sc *sessionCache) readKey(id enode.ID, addr string) []byte {
+func (sc *SessionCache) readKey(id enode.ID, addr string) []byte {
 	if s := sc.session(id, addr); s != nil {
 		return s.readKey
 	}
 	return nil
 }

-// writeKey returns the current read key for the given node.
-func (sc *sessionCache) writeKey(id enode.ID, addr string) []byte {
-	if s := sc.session(id, addr); s != nil {
-		return s.writeKey
-	}
-	return nil
-}
-
 // storeNewSession stores new encryption keys in the cache.
-func (sc *sessionCache) storeNewSession(id enode.ID, addr string, r, w []byte) {
-	sc.sessions.Add(sessionID{id, addr}, &session{
-		readKey: r, writeKey: w,
-	})
+func (sc *SessionCache) storeNewSession(id enode.ID, addr string, s *session) {
+	sc.sessions.Add(sessionID{id, addr}, s)
 }

 // getHandshake gets the handshake challenge we previously sent to the given remote node.
-func (sc *sessionCache) getHandshake(id enode.ID, addr string) *whoareyouV5 {
+func (sc *SessionCache) getHandshake(id enode.ID, addr string) *Whoareyou {
 	return sc.handshakes[sessionID{id, addr}]
 }

 // storeSentHandshake stores the handshake challenge sent to the given remote node.
-func (sc *sessionCache) storeSentHandshake(id enode.ID, addr string, challenge *whoareyouV5) {
+func (sc *SessionCache) storeSentHandshake(id enode.ID, addr string, challenge *Whoareyou) {
 	challenge.sent = sc.clock.Now()
 	sc.handshakes[sessionID{id, addr}] = challenge
 }

 // deleteHandshake deletes handshake data for the given node.
-func (sc *sessionCache) deleteHandshake(id enode.ID, addr string) {
+func (sc *SessionCache) deleteHandshake(id enode.ID, addr string) {
 	delete(sc.handshakes, sessionID{id, addr})
 }

 // handshakeGC deletes timed-out handshakes.
-func (sc *sessionCache) handshakeGC() {
+func (sc *SessionCache) handshakeGC() {
 	deadline := sc.clock.Now().Add(-handshakeTimeout)
 	for key, challenge := range sc.handshakes {
 		if challenge.sent < deadline {

--- a/p2p/discover/v5wire/testdata/v5.1-ping-handshake-enr.txt
+++ b/p2p/discover/v5wire/testdata/v5.1-ping-handshake-enr.txt
+# src-node-id = 0xaaaa8419e9f49d0083561b48287df592939a8d19947d8c0ef88f2a4856a69fbb
+# dest-node-id = 0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9
+# nonce = 0xffffffffffffffffffffffff
+# read-key = 0x53b1c075f41876423154e157470c2f48
+# ping.req-id = 0x00000001
+# ping.enr-seq = 1
+# 
+# handshake inputs:
+# 
+# whoareyou.challenge-data = 0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000000
+# whoareyou.request-nonce = 0x0102030405060708090a0b0c
+# whoareyou.id-nonce = 0x0102030405060708090a0b0c0d0e0f10
+# whoareyou.enr-seq = 0
+# ephemeral-key = 0x0288ef00023598499cb6c940146d050d2b1fb914198c327f76aad590bead68b6
+# ephemeral-pubkey = 0x039a003ba6517b473fa0cd74aefe99dadfdb34627f90fec6362df85803908f53a5
+
+00000000000000000000000000000000088b3d4342774649305f313964a39e55
+ea96c005ad539c8c7560413a7008f16c9e6d2f43bbea8814a546b7409ce783d3
+4c4f53245d08da4bb23698868350aaad22e3ab8dd034f548a1c43cd246be9856
+2fafa0a1fa86d8e7a3b95ae78cc2b988ded6a5b59eb83ad58097252188b902b2
+1481e30e5e285f19735796706adff216ab862a9186875f9494150c4ae06fa4d1
+f0396c93f215fa4ef524e0ed04c3c21e39b1868e1ca8105e585ec17315e755e6
+cfc4dd6cb7fd8e1a1f55e49b4b5eb024221482105346f3c82b15fdaae36a3bb1
+2a494683b4a3c7f2ae41306252fed84785e2bbff3b022812d0882f06978df84a
+80d443972213342d04b9048fc3b1d5fcb1df0f822152eced6da4d3f6df27e70e
+4539717307a0208cd208d65093ccab5aa596a34d7511401987662d8cf62b1394
+71
--- a/p2p/discover/v5wire/testdata/v5.1-ping-handshake.txt
+++ b/p2p/discover/v5wire/testdata/v5.1-ping-handshake.txt
+# src-node-id = 0xaaaa8419e9f49d0083561b48287df592939a8d19947d8c0ef88f2a4856a69fbb
+# dest-node-id = 0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9
+# nonce = 0xffffffffffffffffffffffff
+# read-key = 0x4f9fac6de7567d1e3b1241dffe90f662
+# ping.req-id = 0x00000001
+# ping.enr-seq = 1
+# 
+# handshake inputs:
+# 
+# whoareyou.challenge-data = 0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000001
+# whoareyou.request-nonce = 0x0102030405060708090a0b0c
+# whoareyou.id-nonce = 0x0102030405060708090a0b0c0d0e0f10
+# whoareyou.enr-seq = 1
+# ephemeral-key = 0x0288ef00023598499cb6c940146d050d2b1fb914198c327f76aad590bead68b6
+# ephemeral-pubkey = 0x039a003ba6517b473fa0cd74aefe99dadfdb34627f90fec6362df85803908f53a5
+
+00000000000000000000000000000000088b3d4342774649305f313964a39e55
+ea96c005ad521d8c7560413a7008f16c9e6d2f43bbea8814a546b7409ce783d3
+4c4f53245d08da4bb252012b2cba3f4f374a90a75cff91f142fa9be3e0a5f3ef
+268ccb9065aeecfd67a999e7fdc137e062b2ec4a0eb92947f0d9a74bfbf44dfb
+a776b21301f8b65efd5796706adff216ab862a9186875f9494150c4ae06fa4d1
+f0396c93f215fa4ef524f1eadf5f0f4126b79336671cbcf7a885b1f8bd2a5d83
+9cf8
--- a/p2p/discover/v5wire/testdata/v5.1-ping-message.txt
+++ b/p2p/discover/v5wire/testdata/v5.1-ping-message.txt
+# src-node-id = 0xaaaa8419e9f49d0083561b48287df592939a8d19947d8c0ef88f2a4856a69fbb
+# dest-node-id = 0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9
+# nonce = 0xffffffffffffffffffffffff
+# read-key = 0x00000000000000000000000000000000
+# ping.req-id = 0x00000001
+# ping.enr-seq = 2
+
+00000000000000000000000000000000088b3d4342774649325f313964a39e55
+ea96c005ad52be8c7560413a7008f16c9e6d2f43bbea8814a546b7409ce783d3
+4c4f53245d08dab84102ed931f66d1492acb308fa1c6715b9d139b81acbdcc
--- a/p2p/discover/v5wire/testdata/v5.1-whoareyou.txt
+++ b/p2p/discover/v5wire/testdata/v5.1-whoareyou.txt
+# src-node-id = 0xaaaa8419e9f49d0083561b48287df592939a8d19947d8c0ef88f2a4856a69fbb
+# dest-node-id = 0xbbbb9d047f0488c0b5a93c1c3f2d8bafc7c8ff337024a55434a0d0555de64db9
+# whoareyou.challenge-data = 0x000000000000000000000000000000006469736376350001010102030405060708090a0b0c00180102030405060708090a0b0c0d0e0f100000000000000000
+# whoareyou.request-nonce = 0x0102030405060708090a0b0c
+# whoareyou.id-nonce = 0x0102030405060708090a0b0c0d0e0f10
+# whoareyou.enr-seq = 0
+
+00000000000000000000000000000000088b3d434277464933a1ccc59f5967ad
+1d6035f15e528627dde75cd68292f9e6c27d6b66c8100a873fcbaed4e16b8d
--- a/p2p/netutil/error.go
+++ b/p2p/netutil/error.go