2 This file is part of GNUnet.
3 Copyright (C) 2013, 2017 GNUnet e.V.
5 GNUnet is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published
7 by the Free Software Foundation; either version 3, or (at your
8 option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with GNUnet; see the file COPYING. If not, write to the
17 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
18 Boston, MA 02110-1301, USA.
21 * @file cadet/gnunet-service-cadet-new_tunnels.c
22 * @brief Information we track per tunnel.
23 * @author Bartlomiej Polot
24 * @author Christian Grothoff
27 * - check KX estate machine -- make sure it is never stuck!
28 * - clean up KX logic, including adding sender authentication
29 * - implement connection management (evaluate, kill old ones,
30 * search for new ones)
31 * - when managing connections, distinguish those that
32 * have (recently) had traffic from those that were
33 * never ready (or not recently)
36 #include "gnunet_util_lib.h"
37 #include "gnunet_statistics_service.h"
38 #include "gnunet_signatures.h"
39 #include "gnunet-service-cadet-new.h"
40 #include "cadet_protocol.h"
41 #include "gnunet-service-cadet-new_channel.h"
42 #include "gnunet-service-cadet-new_connection.h"
43 #include "gnunet-service-cadet-new_tunnels.h"
44 #include "gnunet-service-cadet-new_peer.h"
45 #include "gnunet-service-cadet-new_paths.h"
48 #define LOG(level, ...) GNUNET_log_from(level,"cadet-tun",__VA_ARGS__)
52 * How long do we wait until tearing down an idle tunnel?
54 #define IDLE_DESTROY_DELAY GNUNET_TIME_relative_multiply(GNUNET_TIME_UNIT_SECONDS, 90)
57 * Yuck, replace by 'offsetof' expression?
60 #define AX_HEADER_SIZE (sizeof (uint32_t) * 2\
61 + sizeof (struct GNUNET_CRYPTO_EcdhePublicKey))
65 * Maximum number of skipped keys we keep in memory per tunnel.
67 #define MAX_SKIPPED_KEYS 64
70 * Maximum number of keys (and thus ratchet steps) we are willing to
71 * skip before we decide this is either a bogus packet or a DoS-attempt.
73 #define MAX_KEY_GAP 256
77 * Struct to old keys for skipped messages while advancing the Axolotl ratchet.
79 struct CadetTunnelSkippedKey
84 struct CadetTunnelSkippedKey *next;
89 struct CadetTunnelSkippedKey *prev;
92 * When was this key stored (for timeout).
94 struct GNUNET_TIME_Absolute timestamp;
99 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
104 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
107 * Key number for a given HK.
114 * Axolotl data, according to https://github.com/trevp/axolotl/wiki .
116 struct CadetTunnelAxolotl
119 * A (double linked) list of stored message keys and associated header keys
120 * for "skipped" messages, i.e. messages that have not been
121 * received despite the reception of more recent messages, (head).
123 struct CadetTunnelSkippedKey *skipped_head;
126 * Skipped messages' keys DLL, tail.
128 struct CadetTunnelSkippedKey *skipped_tail;
131 * 32-byte root key which gets updated by DH ratchet.
133 struct GNUNET_CRYPTO_SymmetricSessionKey RK;
136 * 32-byte header key (send).
138 struct GNUNET_CRYPTO_SymmetricSessionKey HKs;
141 * 32-byte header key (recv)
143 struct GNUNET_CRYPTO_SymmetricSessionKey HKr;
146 * 32-byte next header key (send).
148 struct GNUNET_CRYPTO_SymmetricSessionKey NHKs;
151 * 32-byte next header key (recv).
153 struct GNUNET_CRYPTO_SymmetricSessionKey NHKr;
156 * 32-byte chain keys (used for forward-secrecy updating, send).
158 struct GNUNET_CRYPTO_SymmetricSessionKey CKs;
161 * 32-byte chain keys (used for forward-secrecy updating, recv).
163 struct GNUNET_CRYPTO_SymmetricSessionKey CKr;
166 * ECDH for key exchange (A0 / B0).
168 struct GNUNET_CRYPTO_EcdhePrivateKey *kx_0;
171 * ECDH Ratchet key (send).
173 struct GNUNET_CRYPTO_EcdhePrivateKey *DHRs;
176 * ECDH Ratchet key (recv).
178 struct GNUNET_CRYPTO_EcdhePublicKey DHRr;
181 * When does this ratchet expire and a new one is triggered.
183 struct GNUNET_TIME_Absolute ratchet_expiration;
186 * Number of elements in @a skipped_head <-> @a skipped_tail.
188 unsigned int skipped;
191 * Message number (reset to 0 with each new ratchet, next message to send).
196 * Message number (reset to 0 with each new ratchet, next message to recv).
201 * Previous message numbers (# of msgs sent under prev ratchet)
206 * True (#GNUNET_YES) if we have to send a new ratchet key in next msg.
211 * Number of messages recieved since our last ratchet advance.
212 * - If this counter = 0, we cannot send a new ratchet key in next msg.
213 * - If this counter > 0, we can (but don't yet have to) send a new key.
215 unsigned int ratchet_allowed;
218 * Number of messages recieved since our last ratchet advance.
219 * - If this counter = 0, we cannot send a new ratchet key in next msg.
220 * - If this counter > 0, we can (but don't yet have to) send a new key.
222 unsigned int ratchet_counter;
228 * Struct used to save messages in a non-ready tunnel to send once connected.
230 struct CadetTunnelQueueEntry
233 * We are entries in a DLL
235 struct CadetTunnelQueueEntry *next;
238 * We are entries in a DLL
240 struct CadetTunnelQueueEntry *prev;
243 * Tunnel these messages belong in.
245 struct CadetTunnel *t;
248 * Continuation to call once sent (on the channel layer).
250 GNUNET_SCHEDULER_TaskCallback cont;
253 * Closure for @c cont.
258 * Envelope of message to send follows.
260 struct GNUNET_MQ_Envelope *env;
263 * Where to put the connection identifier into the payload
264 * of the message in @e env once we have it?
266 struct GNUNET_CADET_ConnectionTunnelIdentifier *cid;
271 * Struct containing all information regarding a tunnel to a peer.
276 * Destination of the tunnel.
278 struct CadetPeer *destination;
281 * Peer's ephemeral key, to recreate @c e_key and @c d_key when own
282 * ephemeral key changes.
284 struct GNUNET_CRYPTO_EcdhePublicKey peers_ephemeral_key;
287 * Encryption ("our") key. It is only "confirmed" if kx_ctx is NULL.
289 struct GNUNET_CRYPTO_SymmetricSessionKey e_key;
292 * Decryption ("their") key. It is only "confirmed" if kx_ctx is NULL.
294 struct GNUNET_CRYPTO_SymmetricSessionKey d_key;
299 struct CadetTunnelAxolotl ax;
302 * Task scheduled if there are no more channels using the tunnel.
304 struct GNUNET_SCHEDULER_Task *destroy_task;
307 * Task to trim connections if too many are present.
309 struct GNUNET_SCHEDULER_Task *maintain_connections_task;
312 * Task to trigger KX.
314 struct GNUNET_SCHEDULER_Task *kx_task;
317 * Tokenizer for decrypted messages.
319 struct GNUNET_MessageStreamTokenizer *mst;
322 * Dispatcher for decrypted messages only (do NOT use for sending!).
324 struct GNUNET_MQ_Handle *mq;
327 * DLL of connections that are actively used to reach the destination peer.
329 struct CadetTConnection *connection_head;
332 * DLL of connections that are actively used to reach the destination peer.
334 struct CadetTConnection *connection_tail;
337 * Channels inside this tunnel. Maps
338 * `struct GNUNET_CADET_ChannelTunnelNumber` to a `struct CadetChannel`.
340 struct GNUNET_CONTAINER_MultiHashMap32 *channels;
343 * Channel ID for the next created channel in this tunnel.
345 struct GNUNET_CADET_ChannelTunnelNumber next_ctn;
348 * Queued messages, to transmit once tunnel gets connected.
350 struct CadetTunnelQueueEntry *tq_head;
353 * Queued messages, to transmit once tunnel gets connected.
355 struct CadetTunnelQueueEntry *tq_tail;
359 * Ephemeral message in the queue (to avoid queueing more than one).
361 struct CadetConnectionQueue *ephm_hKILL;
364 * Pong message in the queue.
366 struct CadetConnectionQueue *pong_hKILL;
369 * How long do we wait until we retry the KX?
371 struct GNUNET_TIME_Relative kx_retry_delay;
374 * When do we try the next KX?
376 struct GNUNET_TIME_Absolute next_kx_attempt;
379 * Number of connections in the @e connection_head DLL.
381 unsigned int num_connections;
384 * Number of entries in the @e tq_head DLL.
389 * State of the tunnel encryption.
391 enum CadetTunnelEState estate;
397 * Get the static string for the peer this tunnel is directed.
401 * @return Static string the destination peer's ID.
404 GCT_2s (const struct CadetTunnel *t)
408 GNUNET_snprintf (buf,
411 GNUNET_i2s (GCP_get_id (t->destination)));
417 * Get string description for tunnel encryption state.
419 * @param es Tunnel state.
421 * @return String representation.
424 estate2s (enum CadetTunnelEState es)
430 case CADET_TUNNEL_KEY_UNINITIALIZED:
431 return "CADET_TUNNEL_KEY_UNINITIALIZED";
432 case CADET_TUNNEL_KEY_SENT:
433 return "CADET_TUNNEL_KEY_SENT";
434 case CADET_TUNNEL_KEY_PING:
435 return "CADET_TUNNEL_KEY_PING";
436 case CADET_TUNNEL_KEY_OK:
437 return "CADET_TUNNEL_KEY_OK";
438 case CADET_TUNNEL_KEY_REKEY:
439 return "CADET_TUNNEL_KEY_REKEY";
441 SPRINTF (buf, "%u (UNKNOWN STATE)", es);
448 * Return the peer to which this tunnel goes.
451 * @return the destination of the tunnel
454 GCT_get_destination (struct CadetTunnel *t)
456 return t->destination;
461 * Count channels of a tunnel.
463 * @param t Tunnel on which to count.
465 * @return Number of channels.
468 GCT_count_channels (struct CadetTunnel *t)
470 return GNUNET_CONTAINER_multihashmap32_size (t->channels);
475 * Lookup a channel by its @a ctn.
477 * @param t tunnel to look in
478 * @param ctn number of channel to find
479 * @return NULL if channel does not exist
481 struct CadetChannel *
482 lookup_channel (struct CadetTunnel *t,
483 struct GNUNET_CADET_ChannelTunnelNumber ctn)
485 return GNUNET_CONTAINER_multihashmap32_get (t->channels,
491 * Count all created connections of a tunnel. Not necessarily ready connections!
493 * @param t Tunnel on which to count.
495 * @return Number of connections created, either being established or ready.
498 GCT_count_any_connections (struct CadetTunnel *t)
500 return t->num_connections;
505 * Find first connection that is ready in the list of
506 * our connections. Picks ready connections round-robin.
508 * @param t tunnel to search
509 * @return NULL if we have no connection that is ready
511 static struct CadetTConnection *
512 get_ready_connection (struct CadetTunnel *t)
514 for (struct CadetTConnection *pos = t->connection_head;
517 if (GNUNET_YES == pos->is_ready)
519 if (pos != t->connection_tail)
521 /* move 'pos' to the end, so we try other ready connections
522 first next time (round-robin, modulo availability) */
523 GNUNET_CONTAINER_DLL_remove (t->connection_head,
526 GNUNET_CONTAINER_DLL_insert_tail (t->connection_head,
537 * Get the encryption state of a tunnel.
541 * @return Tunnel's encryption state.
543 enum CadetTunnelEState
544 GCT_get_estate (struct CadetTunnel *t)
551 * Create a new Axolotl ephemeral (ratchet) key.
556 new_ephemeral (struct CadetTunnel *t)
558 GNUNET_free_non_null (t->ax.DHRs);
559 t->ax.DHRs = GNUNET_CRYPTO_ecdhe_key_create ();
565 * Called when either we have a new connection, or a new message in the
566 * queue, or some existing connection has transmission capacity. Looks
567 * at our message queue and if there is a message, picks a connection
570 * @param t tunnel to process messages on
573 trigger_transmissions (struct CadetTunnel *t);
576 /* ************************************** start core crypto ***************************** */
582 * @param plaintext Content to HMAC.
583 * @param size Size of @c plaintext.
584 * @param iv Initialization vector for the message.
585 * @param key Key to use.
586 * @param hmac[out] Destination to store the HMAC.
589 t_hmac (const void *plaintext,
592 const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
593 struct GNUNET_ShortHashCode *hmac)
595 static const char ctx[] = "cadet authentication key";
596 struct GNUNET_CRYPTO_AuthKey auth_key;
597 struct GNUNET_HashCode hash;
599 GNUNET_CRYPTO_hmac_derive_key (&auth_key,
605 /* Two step: CADET_Hash is only 256 bits, HashCode is 512. */
606 GNUNET_CRYPTO_hmac (&auth_key,
619 * @param key Key to use.
620 * @param hash[out] Resulting HMAC.
621 * @param source Source key material (data to HMAC).
622 * @param len Length of @a source.
625 t_ax_hmac_hash (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
626 struct GNUNET_HashCode *hash,
630 static const char ctx[] = "axolotl HMAC-HASH";
631 struct GNUNET_CRYPTO_AuthKey auth_key;
633 GNUNET_CRYPTO_hmac_derive_key (&auth_key,
637 GNUNET_CRYPTO_hmac (&auth_key,
645 * Derive a symmetric encryption key from an HMAC-HASH.
647 * @param key Key to use for the HMAC.
648 * @param[out] out Key to generate.
649 * @param source Source key material (data to HMAC).
650 * @param len Length of @a source.
653 t_hmac_derive_key (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
654 struct GNUNET_CRYPTO_SymmetricSessionKey *out,
658 static const char ctx[] = "axolotl derive key";
659 struct GNUNET_HashCode h;
665 GNUNET_CRYPTO_kdf (out, sizeof (*out),
673 * Encrypt data with the axolotl tunnel key.
675 * @param t Tunnel whose key to use.
676 * @param dst Destination with @a size bytes for the encrypted data.
677 * @param src Source of the plaintext. Can overlap with @c dst, must contain @a size bytes
678 * @param size Size of the buffers at @a src and @a dst
681 t_ax_encrypt (struct CadetTunnel *t,
686 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
687 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
688 struct CadetTunnelAxolotl *ax;
692 ax->ratchet_counter++;
693 if ( (GNUNET_YES == ax->ratchet_allowed) &&
694 ( (ratchet_messages <= ax->ratchet_counter) ||
695 (0 == GNUNET_TIME_absolute_get_remaining (ax->ratchet_expiration).rel_value_us)) )
697 ax->ratchet_flag = GNUNET_YES;
699 if (GNUNET_YES == ax->ratchet_flag)
701 /* Advance ratchet */
702 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3];
703 struct GNUNET_HashCode dh;
704 struct GNUNET_HashCode hmac;
705 static const char ctx[] = "axolotl ratchet";
710 /* RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) ) */
711 GNUNET_CRYPTO_ecc_ecdh (ax->DHRs,
714 t_ax_hmac_hash (&ax->RK,
718 GNUNET_CRYPTO_kdf (keys, sizeof (keys),
720 &hmac, sizeof (hmac),
728 ax->ratchet_flag = GNUNET_NO;
729 ax->ratchet_allowed = GNUNET_NO;
730 ax->ratchet_counter = 0;
731 ax->ratchet_expiration
732 = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(),
736 t_hmac_derive_key (&ax->CKs,
740 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
745 out_size = GNUNET_CRYPTO_symmetric_encrypt (src,
750 GNUNET_assert (size == out_size);
751 t_hmac_derive_key (&ax->CKs,
759 * Decrypt data with the axolotl tunnel key.
761 * @param t Tunnel whose key to use.
762 * @param dst Destination for the decrypted data, must contain @a size bytes.
763 * @param src Source of the ciphertext. Can overlap with @c dst, must contain @a size bytes.
764 * @param size Size of the @a src and @a dst buffers
767 t_ax_decrypt (struct CadetTunnel *t,
772 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
773 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
774 struct CadetTunnelAxolotl *ax;
778 t_hmac_derive_key (&ax->CKr,
782 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
786 GNUNET_assert (size >= sizeof (struct GNUNET_MessageHeader));
787 out_size = GNUNET_CRYPTO_symmetric_decrypt (src,
792 GNUNET_assert (out_size == size);
793 t_hmac_derive_key (&ax->CKr,
801 * Encrypt header with the axolotl header key.
803 * @param t Tunnel whose key to use.
804 * @param msg Message whose header to encrypt.
807 t_h_encrypt (struct CadetTunnel *t,
808 struct GNUNET_CADET_TunnelEncryptedMessage *msg)
810 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
811 struct CadetTunnelAxolotl *ax;
815 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
819 out_size = GNUNET_CRYPTO_symmetric_encrypt (&msg->Ns,
824 GNUNET_assert (AX_HEADER_SIZE == out_size);
829 * Decrypt header with the current axolotl header key.
831 * @param t Tunnel whose current ax HK to use.
832 * @param src Message whose header to decrypt.
833 * @param dst Where to decrypt header to.
836 t_h_decrypt (struct CadetTunnel *t,
837 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
838 struct GNUNET_CADET_TunnelEncryptedMessage *dst)
840 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
841 struct CadetTunnelAxolotl *ax;
845 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
849 out_size = GNUNET_CRYPTO_symmetric_decrypt (&src->Ns,
854 GNUNET_assert (AX_HEADER_SIZE == out_size);
859 * Delete a key from the list of skipped keys.
861 * @param t Tunnel to delete from.
862 * @param key Key to delete.
865 delete_skipped_key (struct CadetTunnel *t,
866 struct CadetTunnelSkippedKey *key)
868 GNUNET_CONTAINER_DLL_remove (t->ax.skipped_head,
877 * Decrypt and verify data with the appropriate tunnel key and verify that the
878 * data has not been altered since it was sent by the remote peer.
880 * @param t Tunnel whose key to use.
881 * @param dst Destination for the plaintext.
882 * @param src Source of the message. Can overlap with @c dst.
883 * @param size Size of the message.
884 * @return Size of the decrypted data, -1 if an error was encountered.
887 try_old_ax_keys (struct CadetTunnel *t,
889 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
892 struct CadetTunnelSkippedKey *key;
893 struct GNUNET_ShortHashCode *hmac;
894 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
895 struct GNUNET_CADET_TunnelEncryptedMessage plaintext_header;
896 struct GNUNET_CRYPTO_SymmetricSessionKey *valid_HK;
902 LOG (GNUNET_ERROR_TYPE_DEBUG,
903 "Trying skipped keys\n");
904 hmac = &plaintext_header.hmac;
905 esize = size - sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
907 /* Find a correct Header Key */
909 for (key = t->ax.skipped_head; NULL != key; key = key->next)
912 AX_HEADER_SIZE + esize,
916 if (0 == memcmp (hmac,
927 /* Should've been checked in -cadet_connection.c handle_cadet_encrypted. */
928 GNUNET_assert (size > sizeof (struct GNUNET_CADET_TunnelEncryptedMessage));
929 len = size - sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
930 GNUNET_assert (len >= sizeof (struct GNUNET_MessageHeader));
933 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
937 res = GNUNET_CRYPTO_symmetric_decrypt (&src->Ns,
941 &plaintext_header.Ns);
942 GNUNET_assert (AX_HEADER_SIZE == res);
944 /* Find the correct message key */
945 N = ntohl (plaintext_header.Ns);
946 while ( (NULL != key) &&
949 if ( (NULL == key) ||
950 (0 != memcmp (&key->HK,
952 sizeof (*valid_HK))) )
955 /* Decrypt payload */
956 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
961 res = GNUNET_CRYPTO_symmetric_decrypt (&src[1],
966 delete_skipped_key (t,
973 * Delete a key from the list of skipped keys.
975 * @param t Tunnel to delete from.
976 * @param HKr Header Key to use.
979 store_skipped_key (struct CadetTunnel *t,
980 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr)
982 struct CadetTunnelSkippedKey *key;
984 key = GNUNET_new (struct CadetTunnelSkippedKey);
985 key->timestamp = GNUNET_TIME_absolute_get ();
988 t_hmac_derive_key (&t->ax.CKr,
992 t_hmac_derive_key (&t->ax.CKr,
996 GNUNET_CONTAINER_DLL_insert (t->ax.skipped_head,
1005 * Stage skipped AX keys and calculate the message key.
1006 * Stores each HK and MK for skipped messages.
1008 * @param t Tunnel where to stage the keys.
1009 * @param HKr Header key.
1010 * @param Np Received meesage number.
1011 * @return #GNUNET_OK if keys were stored.
1012 * #GNUNET_SYSERR if an error ocurred (Np not expected).
1015 store_ax_keys (struct CadetTunnel *t,
1016 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr,
1021 gap = Np - t->ax.Nr;
1022 LOG (GNUNET_ERROR_TYPE_DEBUG,
1023 "Storing skipped keys [%u, %u)\n",
1026 if (MAX_KEY_GAP < gap)
1028 /* Avoid DoS (forcing peer to do 2^33 chain HMAC operations) */
1029 /* TODO: start new key exchange on return */
1030 GNUNET_break_op (0);
1031 LOG (GNUNET_ERROR_TYPE_WARNING,
1032 "Got message %u, expected %u+\n",
1035 return GNUNET_SYSERR;
1039 /* Delayed message: don't store keys, flag to try old keys. */
1040 return GNUNET_SYSERR;
1043 while (t->ax.Nr < Np)
1044 store_skipped_key (t,
1047 while (t->ax.skipped > MAX_SKIPPED_KEYS)
1048 delete_skipped_key (t,
1049 t->ax.skipped_tail);
1055 * Decrypt and verify data with the appropriate tunnel key and verify that the
1056 * data has not been altered since it was sent by the remote peer.
1058 * @param t Tunnel whose key to use.
1059 * @param dst Destination for the plaintext.
1060 * @param src Source of the message. Can overlap with @c dst.
1061 * @param size Size of the message.
1062 * @return Size of the decrypted data, -1 if an error was encountered.
1065 t_ax_decrypt_and_validate (struct CadetTunnel *t,
1067 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
1070 struct CadetTunnelAxolotl *ax;
1071 struct GNUNET_ShortHashCode msg_hmac;
1072 struct GNUNET_HashCode hmac;
1073 struct GNUNET_CADET_TunnelEncryptedMessage plaintext_header;
1076 size_t esize; /* Size of encryped payload */
1078 esize = size - sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
1081 /* Try current HK */
1083 AX_HEADER_SIZE + esize,
1086 if (0 != memcmp (&msg_hmac,
1090 static const char ctx[] = "axolotl ratchet";
1091 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3]; /* RKp, NHKp, CKp */
1092 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
1093 struct GNUNET_HashCode dh;
1094 struct GNUNET_CRYPTO_EcdhePublicKey *DHRp;
1098 AX_HEADER_SIZE + esize,
1102 if (0 != memcmp (&msg_hmac,
1106 /* Try the skipped keys, if that fails, we're out of luck. */
1107 return try_old_ax_keys (t,
1117 Np = ntohl (plaintext_header.Ns);
1118 PNp = ntohl (plaintext_header.PNs);
1119 DHRp = &plaintext_header.DHRs;
1124 /* RKp, NHKp, CKp = KDF (HMAC-HASH (RK, DH (DHRp, DHRs))) */
1125 GNUNET_CRYPTO_ecc_ecdh (ax->DHRs,
1128 t_ax_hmac_hash (&ax->RK,
1131 GNUNET_CRYPTO_kdf (keys, sizeof (keys),
1133 &hmac, sizeof (hmac),
1136 /* Commit "purported" keys */
1142 ax->ratchet_allowed = GNUNET_YES;
1149 Np = ntohl (plaintext_header.Ns);
1150 PNp = ntohl (plaintext_header.PNs);
1152 if ( (Np != ax->Nr) &&
1153 (GNUNET_OK != store_ax_keys (t,
1157 /* Try the skipped keys, if that fails, we're out of luck. */
1158 return try_old_ax_keys (t,
1174 * Our tunnel became ready for the first time, notify channels
1175 * that have been waiting.
1177 * @param cls our tunnel, not used
1178 * @param key unique ID of the channel, not used
1179 * @param value the `struct CadetChannel` to notify
1180 * @return #GNUNET_OK (continue to iterate)
1183 notify_tunnel_up_cb (void *cls,
1187 struct CadetChannel *ch = value;
1189 GCCH_tunnel_up (ch);
1195 * Change the tunnel encryption state.
1196 * If the encryption state changes to OK, stop the rekey task.
1198 * @param t Tunnel whose encryption state to change, or NULL.
1199 * @param state New encryption state.
1202 GCT_change_estate (struct CadetTunnel *t,
1203 enum CadetTunnelEState state)
1205 enum CadetTunnelEState old = t->estate;
1208 LOG (GNUNET_ERROR_TYPE_DEBUG,
1209 "Tunnel %s estate changed from %d to %d\n",
1214 if ( (CADET_TUNNEL_KEY_OK != old) &&
1215 (CADET_TUNNEL_KEY_OK == t->estate) )
1217 if (NULL != t->kx_task)
1219 GNUNET_SCHEDULER_cancel (t->kx_task);
1222 if (CADET_TUNNEL_KEY_REKEY != old)
1224 /* notify all channels that have been waiting */
1225 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
1226 ¬ify_tunnel_up_cb,
1230 /* FIXME: schedule rekey task! */
1236 * Send a KX message.
1238 * FIXME: does not take care of sender-authentication yet!
1240 * @param t Tunnel on which to send it.
1241 * @param force_reply Force the other peer to reply with a KX message.
1244 send_kx (struct CadetTunnel *t,
1247 struct CadetTunnelAxolotl *ax = &t->ax;
1248 struct CadetTConnection *ct;
1249 struct CadetConnection *cc;
1250 struct GNUNET_MQ_Envelope *env;
1251 struct GNUNET_CADET_TunnelKeyExchangeMessage *msg;
1252 enum GNUNET_CADET_KX_Flags flags;
1254 ct = get_ready_connection (t);
1257 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1258 "Wanted to send KX on tunnel %s, but no connection is ready, deferring\n",
1263 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1264 "Sending KX on tunnel %s using connection %s\n",
1268 // GNUNET_assert (GNUNET_NO == GCT_is_loopback (t));
1269 env = GNUNET_MQ_msg (msg,
1270 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX);
1271 flags = GNUNET_CADET_KX_FLAG_NONE;
1272 if (GNUNET_YES == force_reply)
1273 flags |= GNUNET_CADET_KX_FLAG_FORCE_REPLY;
1274 msg->flags = htonl (flags);
1275 msg->cid = *GCC_get_id (cc);
1276 GNUNET_CRYPTO_ecdhe_key_get_public (ax->kx_0,
1277 &msg->ephemeral_key);
1278 GNUNET_CRYPTO_ecdhe_key_get_public (ax->DHRs,
1282 t->kx_retry_delay = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay);
1283 t->next_kx_attempt = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay);
1284 if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
1285 GCT_change_estate (t,
1286 CADET_TUNNEL_KEY_SENT);
1291 * Handle KX message.
1293 * FIXME: sender-authentication in KX is missing!
1295 * @param ct connection/tunnel combo that received encrypted message
1296 * @param msg the key exchange message
1299 GCT_handle_kx (struct CadetTConnection *ct,
1300 const struct GNUNET_CADET_TunnelKeyExchangeMessage *msg)
1302 struct CadetTunnel *t = ct->t;
1303 struct CadetTunnelAxolotl *ax = &t->ax;
1304 struct GNUNET_HashCode key_material[3];
1305 struct GNUNET_CRYPTO_SymmetricSessionKey keys[5];
1306 const char salt[] = "CADET Axolotl salt";
1307 const struct GNUNET_PeerIdentity *pid;
1310 pid = GCP_get_id (t->destination);
1311 if (0 > GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
1313 am_I_alice = GNUNET_YES;
1314 else if (0 < GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
1316 am_I_alice = GNUNET_NO;
1319 GNUNET_break_op (0);
1323 if (0 != (GNUNET_CADET_KX_FLAG_FORCE_REPLY & ntohl (msg->flags)))
1325 if (NULL != t->kx_task)
1327 GNUNET_SCHEDULER_cancel (t->kx_task);
1334 if (0 == memcmp (&ax->DHRr,
1336 sizeof (msg->ratchet_key)))
1338 LOG (GNUNET_ERROR_TYPE_DEBUG,
1339 " known ratchet key, exit\n");
1343 ax->DHRr = msg->ratchet_key;
1346 if (GNUNET_YES == am_I_alice)
1348 GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* A */
1349 &msg->ephemeral_key, /* B0 */
1354 GNUNET_CRYPTO_ecdh_eddsa (ax->kx_0, /* B0 */
1355 &pid->public_key, /* A */
1360 if (GNUNET_YES == am_I_alice)
1362 GNUNET_CRYPTO_ecdh_eddsa (ax->kx_0, /* A0 */
1363 &pid->public_key, /* B */
1368 GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* A */
1369 &msg->ephemeral_key, /* B0 */
1376 /* (This is the triple-DH, we could probably safely skip this,
1377 as A0/B0 are already in the key material.) */
1378 GNUNET_CRYPTO_ecc_ecdh (ax->kx_0, /* A0 or B0 */
1379 &msg->ephemeral_key, /* B0 or A0 */
1383 GNUNET_CRYPTO_kdf (keys, sizeof (keys),
1384 salt, sizeof (salt),
1385 &key_material, sizeof (key_material),
1388 if (0 == memcmp (&ax->RK,
1392 LOG (GNUNET_ERROR_TYPE_INFO,
1393 " known handshake key, exit\n");
1396 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1397 "Handling KX message for tunnel %s\n",
1401 if (GNUNET_YES == am_I_alice)
1407 ax->ratchet_flag = GNUNET_YES;
1415 ax->ratchet_flag = GNUNET_NO;
1416 ax->ratchet_allowed = GNUNET_NO;
1417 ax->ratchet_counter = 0;
1418 ax->ratchet_expiration
1419 = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(),
1428 case CADET_TUNNEL_KEY_UNINITIALIZED:
1429 GCT_change_estate (t,
1430 CADET_TUNNEL_KEY_PING);
1432 case CADET_TUNNEL_KEY_SENT:
1433 /* Got a response to us sending our key; now
1434 we can start transmitting! */
1435 GCT_change_estate (t,
1436 CADET_TUNNEL_KEY_OK);
1437 trigger_transmissions (t);
1439 case CADET_TUNNEL_KEY_PING:
1440 /* Got a key yet again; need encrypted payload to advance */
1442 case CADET_TUNNEL_KEY_OK:
1443 /* Did not expect a key, but so what. */
1445 case CADET_TUNNEL_KEY_REKEY:
1446 /* Got a key yet again; need encrypted payload to advance */
1452 /* ************************************** end core crypto ***************************** */
1456 * Compute the next free channel tunnel number for this tunnel.
1458 * @param t the tunnel
1459 * @return unused number that can uniquely identify a channel in the tunnel
1461 static struct GNUNET_CADET_ChannelTunnelNumber
1462 get_next_free_ctn (struct CadetTunnel *t)
1464 struct GNUNET_CADET_ChannelTunnelNumber ret;
1467 /* FIXME: this logic does NOT prevent both ends of the
1468 channel from picking the same CTN!
1469 Need to reserve one bit of the CTN for the
1470 direction, i.e. which side established the connection! */
1471 ctn = ntohl (t->next_ctn.cn);
1473 GNUNET_CONTAINER_multihashmap32_get (t->channels,
1476 t->next_ctn.cn = htonl (ctn + 1);
1477 ret.cn = ntohl (ctn);
1483 * Add a channel to a tunnel, and notify channel that we are ready
1484 * for transmission if we are already up. Otherwise that notification
1485 * will be done later in #notify_tunnel_up_cb().
1489 * @return unique number identifying @a ch within @a t
1491 struct GNUNET_CADET_ChannelTunnelNumber
1492 GCT_add_channel (struct CadetTunnel *t,
1493 struct CadetChannel *ch)
1495 struct GNUNET_CADET_ChannelTunnelNumber ctn;
1497 ctn = get_next_free_ctn (t);
1498 GNUNET_assert (GNUNET_YES ==
1499 GNUNET_CONTAINER_multihashmap32_put (t->channels,
1502 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
1503 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1504 "Adding channel %s to tunnel %s\n",
1507 if ( (CADET_TUNNEL_KEY_OK == t->estate) ||
1508 (CADET_TUNNEL_KEY_REKEY == t->estate) )
1509 GCCH_tunnel_up (ch);
1515 * This tunnel is no longer used, destroy it.
1517 * @param cls the idle tunnel
1520 destroy_tunnel (void *cls)
1522 struct CadetTunnel *t = cls;
1523 struct CadetTConnection *ct;
1524 struct CadetTunnelQueueEntry *tq;
1526 t->destroy_task = NULL;
1527 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1528 "Destroying idle tunnel %s\n",
1530 GNUNET_assert (0 == GNUNET_CONTAINER_multihashmap32_size (t->channels));
1531 while (NULL != (ct = t->connection_head))
1533 GNUNET_assert (ct->t == t);
1534 GNUNET_CONTAINER_DLL_remove (t->connection_head,
1537 GCC_destroy (ct->cc);
1540 while (NULL != (tq = t->tq_head))
1541 GCT_send_cancel (tq);
1542 GCP_drop_tunnel (t->destination,
1544 GNUNET_CONTAINER_multihashmap32_destroy (t->channels);
1545 if (NULL != t->maintain_connections_task)
1547 GNUNET_SCHEDULER_cancel (t->maintain_connections_task);
1548 t->maintain_connections_task = NULL;
1550 GNUNET_MST_destroy (t->mst);
1551 GNUNET_MQ_destroy (t->mq);
1552 while (NULL != t->ax.skipped_head)
1553 delete_skipped_key (t,
1554 t->ax.skipped_head);
1555 GNUNET_assert (0 == t->ax.skipped);
1556 GNUNET_free_non_null (t->ax.kx_0);
1557 GNUNET_free_non_null (t->ax.DHRs);
1563 * Remove a channel from a tunnel.
1567 * @param ctn unique number identifying @a ch within @a t
1570 GCT_remove_channel (struct CadetTunnel *t,
1571 struct CadetChannel *ch,
1572 struct GNUNET_CADET_ChannelTunnelNumber ctn)
1574 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1575 "Removing channel %s from tunnel %s\n",
1578 GNUNET_assert (GNUNET_YES ==
1579 GNUNET_CONTAINER_multihashmap32_remove (t->channels,
1583 GNUNET_CONTAINER_multihashmap32_size (t->channels))
1585 t->destroy_task = GNUNET_SCHEDULER_add_delayed (IDLE_DESTROY_DELAY,
1593 * Destroys the tunnel @a t now, without delay. Used during shutdown.
1595 * @param t tunnel to destroy
1598 GCT_destroy_tunnel_now (struct CadetTunnel *t)
1601 GNUNET_CONTAINER_multihashmap32_size (t->channels));
1602 GNUNET_SCHEDULER_cancel (t->destroy_task);
1608 * It's been a while, we should try to redo the KX, if we can.
1610 * @param cls the `struct CadetTunnel` to do KX for.
1613 retry_kx (void *cls)
1615 struct CadetTunnel *t = cls;
1619 ( (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate) ||
1620 (CADET_TUNNEL_KEY_SENT == t->estate) )
1627 * Send normal payload from queue in @a t via connection @a ct.
1628 * Does nothing if our payload queue is empty.
1630 * @param t tunnel to send data from
1631 * @param ct connection to use for transmission (is ready)
1634 try_send_normal_payload (struct CadetTunnel *t,
1635 struct CadetTConnection *ct)
1637 struct CadetTunnelQueueEntry *tq;
1639 GNUNET_assert (GNUNET_YES == ct->is_ready);
1643 /* no messages pending right now */
1644 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1645 "Not sending payload of tunnel %s on ready connection %s (nothing pending)\n",
1650 /* ready to send message 'tq' on tunnel 'ct' */
1651 GNUNET_assert (t == tq->t);
1652 GNUNET_CONTAINER_DLL_remove (t->tq_head,
1655 if (NULL != tq->cid)
1656 *tq->cid = *GCC_get_id (ct->cc);
1657 ct->is_ready = GNUNET_NO;
1658 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1659 "Sending payload of tunnel %s on connection %s\n",
1662 GCC_transmit (ct->cc,
1664 if (NULL != tq->cont)
1665 tq->cont (tq->cont_cls);
1671 * A connection is @a is_ready for transmission. Looks at our message
1672 * queue and if there is a message, sends it out via the connection.
1674 * @param cls the `struct CadetTConnection` that is @a is_ready
1675 * @param is_ready #GNUNET_YES if connection are now ready,
1676 * #GNUNET_NO if connection are no longer ready
1679 connection_ready_cb (void *cls,
1682 struct CadetTConnection *ct = cls;
1683 struct CadetTunnel *t = ct->t;
1685 if (GNUNET_NO == is_ready)
1687 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1688 "Connection %s no longer ready for tunnel %s\n",
1691 ct->is_ready = GNUNET_NO;
1694 ct->is_ready = GNUNET_YES;
1695 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1696 "Connection %s now ready for tunnel %s in state %s\n",
1699 estate2s (t->estate));
1702 case CADET_TUNNEL_KEY_UNINITIALIZED:
1706 case CADET_TUNNEL_KEY_SENT:
1707 case CADET_TUNNEL_KEY_PING:
1708 /* opportunity to #retry_kx() starts now, schedule job */
1709 if (NULL == t->kx_task)
1712 = GNUNET_SCHEDULER_add_at (t->next_kx_attempt,
1717 case CADET_TUNNEL_KEY_OK:
1718 try_send_normal_payload (t,
1721 case CADET_TUNNEL_KEY_REKEY:
1724 t->estate = CADET_TUNNEL_KEY_OK;
1731 * Called when either we have a new connection, or a new message in the
1732 * queue, or some existing connection has transmission capacity. Looks
1733 * at our message queue and if there is a message, picks a connection
1736 * @param t tunnel to process messages on
1739 trigger_transmissions (struct CadetTunnel *t)
1741 struct CadetTConnection *ct;
1743 if (NULL == t->tq_head)
1744 return; /* no messages pending right now */
1745 ct = get_ready_connection (t);
1747 return; /* no connections ready */
1748 try_send_normal_payload (t,
1754 * Function called to maintain the connections underlying our tunnel.
1755 * Tries to maintain (incl. tear down) connections for the tunnel, and
1756 * if there is a significant change, may trigger transmissions.
1758 * Basically, needs to check if there are connections that perform
1759 * badly, and if so eventually kill them and trigger a replacement.
1760 * The strategy is to open one more connection than
1761 * #DESIRED_CONNECTIONS_PER_TUNNEL, and then periodically kick out the
1762 * least-performing one, and then inquire for new ones.
1764 * @param cls the `struct CadetTunnel`
1767 maintain_connections_cb (void *cls)
1769 struct CadetTunnel *t = cls;
1771 t->maintain_connections_task = NULL;
1772 GNUNET_break (0); // FIXME: implement!
1777 * Consider using the path @a p for the tunnel @a t.
1778 * The tunnel destination is at offset @a off in path @a p.
1780 * @param cls our tunnel
1781 * @param path a path to our destination
1782 * @param off offset of the destination on path @a path
1783 * @return #GNUNET_YES (should keep iterating)
1786 consider_path_cb (void *cls,
1787 struct CadetPeerPath *path,
1790 struct CadetTunnel *t = cls;
1791 unsigned int min_length = UINT_MAX;
1792 GNUNET_CONTAINER_HeapCostType max_desire = 0;
1793 struct CadetTConnection *ct;
1795 /* Check if we care about the new path. */
1796 for (ct = t->connection_head;
1800 struct CadetPeerPath *ps;
1802 ps = GCC_get_path (ct->cc);
1804 return GNUNET_YES; /* duplicate */
1805 min_length = GNUNET_MIN (min_length,
1806 GCPP_get_length (ps));
1807 max_desire = GNUNET_MAX (max_desire,
1808 GCPP_get_desirability (ps));
1811 /* FIXME: not sure we should really just count
1812 'num_connections' here, as they may all have
1813 consistently failed to connect. */
1815 /* We iterate by increasing path length; if we have enough paths and
1816 this one is more than twice as long than what we are currently
1817 using, then ignore all of these super-long ones! */
1818 if ( (t->num_connections > DESIRED_CONNECTIONS_PER_TUNNEL) &&
1819 (min_length * 2 < off) )
1821 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1822 "Ignoring paths of length %u, they are way too long.\n",
1826 /* If we have enough paths and this one looks no better, ignore it. */
1827 if ( (t->num_connections >= DESIRED_CONNECTIONS_PER_TUNNEL) &&
1828 (min_length < GCPP_get_length (path)) &&
1829 (max_desire > GCPP_get_desirability (path)) )
1831 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1832 "Ignoring path (%u/%llu) to %s, got something better already.\n",
1833 GCPP_get_length (path),
1834 (unsigned long long) GCPP_get_desirability (path),
1835 GCP_2s (t->destination));
1839 /* Path is interesting (better by some metric, or we don't have
1840 enough paths yet). */
1841 ct = GNUNET_new (struct CadetTConnection);
1842 ct->created = GNUNET_TIME_absolute_get ();
1844 ct->cc = GCC_create (t->destination,
1847 &connection_ready_cb,
1849 /* FIXME: schedule job to kill connection (and path?) if it takes
1850 too long to get ready! (And track performance data on how long
1851 other connections took with the tunnel!)
1852 => Note: to be done within 'connection'-logic! */
1853 GNUNET_CONTAINER_DLL_insert (t->connection_head,
1856 t->num_connections++;
1857 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1858 "Found interesting path %s for tunnel %s, created connection %s\n",
1867 * Consider using the path @a p for the tunnel @a t.
1868 * The tunnel destination is at offset @a off in path @a p.
1870 * @param cls our tunnel
1871 * @param path a path to our destination
1872 * @param off offset of the destination on path @a path
1875 GCT_consider_path (struct CadetTunnel *t,
1876 struct CadetPeerPath *p,
1879 (void) consider_path_cb (t,
1888 * @param cls the `struct CadetTunnel` for which we decrypted the message
1889 * @param msg the message we received on the tunnel
1892 handle_plaintext_keepalive (void *cls,
1893 const struct GNUNET_MessageHeader *msg)
1895 struct CadetTunnel *t = cls;
1897 GNUNET_break (0); // FIXME
1902 * Check that @a msg is well-formed.
1904 * @param cls the `struct CadetTunnel` for which we decrypted the message
1905 * @param msg the message we received on the tunnel
1906 * @return #GNUNET_OK (any variable-size payload goes)
1909 check_plaintext_data (void *cls,
1910 const struct GNUNET_CADET_ChannelAppDataMessage *msg)
1917 * We received payload data for a channel. Locate the channel
1918 * and process the data, or return an error if the channel is unknown.
1920 * @param cls the `struct CadetTunnel` for which we decrypted the message
1921 * @param msg the message we received on the tunnel
1924 handle_plaintext_data (void *cls,
1925 const struct GNUNET_CADET_ChannelAppDataMessage *msg)
1927 struct CadetTunnel *t = cls;
1928 struct CadetChannel *ch;
1930 ch = lookup_channel (t,
1934 /* We don't know about such a channel, might have been destroyed on our
1935 end in the meantime, or never existed. Send back a DESTROY. */
1936 LOG (GNUNET_ERROR_TYPE_DEBUG,
1937 "Receicved %u bytes of application data for unknown channel %u, sending DESTROY\n",
1938 (unsigned int) (ntohs (msg->header.size) - sizeof (*msg)),
1939 ntohl (msg->ctn.cn));
1940 GCT_send_channel_destroy (t,
1944 GCCH_handle_channel_plaintext_data (ch,
1950 * We received an acknowledgement for data we sent on a channel.
1951 * Locate the channel and process it, or return an error if the
1952 * channel is unknown.
1954 * @param cls the `struct CadetTunnel` for which we decrypted the message
1955 * @param ack the message we received on the tunnel
1958 handle_plaintext_data_ack (void *cls,
1959 const struct GNUNET_CADET_ChannelDataAckMessage *ack)
1961 struct CadetTunnel *t = cls;
1962 struct CadetChannel *ch;
1964 ch = lookup_channel (t,
1968 /* We don't know about such a channel, might have been destroyed on our
1969 end in the meantime, or never existed. Send back a DESTROY. */
1970 LOG (GNUNET_ERROR_TYPE_DEBUG,
1971 "Receicved DATA_ACK for unknown channel %u, sending DESTROY\n",
1972 ntohl (ack->ctn.cn));
1973 GCT_send_channel_destroy (t,
1977 GCCH_handle_channel_plaintext_data_ack (ch,
1983 * We have received a request to open a channel to a port from
1984 * another peer. Creates the incoming channel.
1986 * @param cls the `struct CadetTunnel` for which we decrypted the message
1987 * @param cc the message we received on the tunnel
1990 handle_plaintext_channel_open (void *cls,
1991 const struct GNUNET_CADET_ChannelOpenMessage *cc)
1993 struct CadetTunnel *t = cls;
1994 struct CadetChannel *ch;
1995 struct GNUNET_CADET_ChannelTunnelNumber ctn;
1997 LOG (GNUNET_ERROR_TYPE_DEBUG,
1998 "Receicved channel OPEN on port %s from peer %s\n",
1999 GNUNET_h2s (&cc->port),
2000 GCP_2s (GCT_get_destination (t)));
2001 ctn = get_next_free_ctn (t);
2002 ch = GCCH_channel_incoming_new (t,
2006 GNUNET_assert (GNUNET_OK ==
2007 GNUNET_CONTAINER_multihashmap32_put (t->channels,
2010 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
2015 * Send a DESTROY message via the tunnel.
2017 * @param t the tunnel to transmit over
2018 * @param ctn ID of the channel to destroy
2021 GCT_send_channel_destroy (struct CadetTunnel *t,
2022 struct GNUNET_CADET_ChannelTunnelNumber ctn)
2024 struct GNUNET_CADET_ChannelManageMessage msg;
2026 LOG (GNUNET_ERROR_TYPE_DEBUG,
2027 "Sending DESTORY message for channel ID %u\n",
2029 msg.header.size = htons (sizeof (msg));
2030 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY);
2031 msg.reserved = htonl (0);
2041 * We have received confirmation from the target peer that the
2042 * given channel could be established (the port is open).
2045 * @param cls the `struct CadetTunnel` for which we decrypted the message
2046 * @param cm the message we received on the tunnel
2049 handle_plaintext_channel_open_ack (void *cls,
2050 const struct GNUNET_CADET_ChannelManageMessage *cm)
2052 struct CadetTunnel *t = cls;
2053 struct CadetChannel *ch;
2055 ch = lookup_channel (t,
2059 /* We don't know about such a channel, might have been destroyed on our
2060 end in the meantime, or never existed. Send back a DESTROY. */
2061 LOG (GNUNET_ERROR_TYPE_DEBUG,
2062 "Received channel OPEN_ACK for unknown channel, sending DESTROY\n",
2064 GCT_send_channel_destroy (t,
2068 GCCH_handle_channel_open_ack (ch);
2073 * We received a message saying that a channel should be destroyed.
2074 * Pass it on to the correct channel.
2076 * @param cls the `struct CadetTunnel` for which we decrypted the message
2077 * @param cm the message we received on the tunnel
2080 handle_plaintext_channel_destroy (void *cls,
2081 const struct GNUNET_CADET_ChannelManageMessage *cm)
2083 struct CadetTunnel *t = cls;
2084 struct CadetChannel *ch;
2086 ch = lookup_channel (t,
2090 /* We don't know about such a channel, might have been destroyed on our
2091 end in the meantime, or never existed. */
2092 LOG (GNUNET_ERROR_TYPE_DEBUG,
2093 "Received channel DESTORY for unknown channel. Ignoring.\n",
2097 GCCH_handle_remote_destroy (ch);
2102 * Handles a message we decrypted, by injecting it into
2103 * our message queue (which will do the dispatching).
2105 * @param cls the `struct CadetTunnel` that got the message
2106 * @param msg the message
2107 * @return #GNUNET_OK (continue to process)
2110 handle_decrypted (void *cls,
2111 const struct GNUNET_MessageHeader *msg)
2113 struct CadetTunnel *t = cls;
2115 GNUNET_MQ_inject_message (t->mq,
2122 * Function called if we had an error processing
2123 * an incoming decrypted message.
2125 * @param cls the `struct CadetTunnel`
2126 * @param error error code
2129 decrypted_error_cb (void *cls,
2130 enum GNUNET_MQ_Error error)
2132 GNUNET_break_op (0);
2137 * Create a tunnel to @a destionation. Must only be called
2138 * from within #GCP_get_tunnel().
2140 * @param destination where to create the tunnel to
2141 * @return new tunnel to @a destination
2143 struct CadetTunnel *
2144 GCT_create_tunnel (struct CadetPeer *destination)
2146 struct GNUNET_MQ_MessageHandler handlers[] = {
2147 GNUNET_MQ_hd_fixed_size (plaintext_keepalive,
2148 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_KEEPALIVE,
2149 struct GNUNET_MessageHeader,
2151 GNUNET_MQ_hd_var_size (plaintext_data,
2152 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_APP_DATA,
2153 struct GNUNET_CADET_ChannelAppDataMessage,
2155 GNUNET_MQ_hd_fixed_size (plaintext_data_ack,
2156 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_APP_DATA_ACK,
2157 struct GNUNET_CADET_ChannelDataAckMessage,
2159 GNUNET_MQ_hd_fixed_size (plaintext_channel_open,
2160 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN,
2161 struct GNUNET_CADET_ChannelOpenMessage,
2163 GNUNET_MQ_hd_fixed_size (plaintext_channel_open_ack,
2164 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN_ACK,
2165 struct GNUNET_CADET_ChannelManageMessage,
2167 GNUNET_MQ_hd_fixed_size (plaintext_channel_destroy,
2168 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY,
2169 struct GNUNET_CADET_ChannelManageMessage,
2171 GNUNET_MQ_handler_end ()
2173 struct CadetTunnel *t;
2175 t = GNUNET_new (struct CadetTunnel);
2177 t->ax.kx_0 = GNUNET_CRYPTO_ecdhe_key_create ();
2178 t->destination = destination;
2179 t->channels = GNUNET_CONTAINER_multihashmap32_create (8);
2180 (void) GCP_iterate_paths (destination,
2183 t->maintain_connections_task
2184 = GNUNET_SCHEDULER_add_now (&maintain_connections_cb,
2186 t->mq = GNUNET_MQ_queue_for_callbacks (NULL,
2191 &decrypted_error_cb,
2193 t->mst = GNUNET_MST_create (&handle_decrypted,
2200 * Add a @a connection to the @a tunnel.
2203 * @param cid connection identifer to use for the connection
2204 * @param path path to use for the connection
2207 GCT_add_inbound_connection (struct CadetTunnel *t,
2208 const struct GNUNET_CADET_ConnectionTunnelIdentifier *cid,
2209 struct CadetPeerPath *path)
2211 struct CadetTConnection *ct;
2213 ct = GNUNET_new (struct CadetTConnection);
2214 ct->created = GNUNET_TIME_absolute_get ();
2216 ct->cc = GCC_create_inbound (t->destination,
2220 &connection_ready_cb,
2222 /* FIXME: schedule job to kill connection (and path?) if it takes
2223 too long to get ready! (And track performance data on how long
2224 other connections took with the tunnel!)
2225 => Note: to be done within 'connection'-logic! */
2226 GNUNET_CONTAINER_DLL_insert (t->connection_head,
2229 t->num_connections++;
2230 LOG (GNUNET_ERROR_TYPE_DEBUG,
2231 "Tunnel %s has new connection %s\n",
2238 * Handle encrypted message.
2240 * @param ct connection/tunnel combo that received encrypted message
2241 * @param msg the encrypted message to decrypt
2244 GCT_handle_encrypted (struct CadetTConnection *ct,
2245 const struct GNUNET_CADET_TunnelEncryptedMessage *msg)
2247 struct CadetTunnel *t = ct->t;
2248 uint16_t size = ntohs (msg->header.size);
2249 char cbuf [size] GNUNET_ALIGN;
2250 ssize_t decrypted_size;
2252 LOG (GNUNET_ERROR_TYPE_DEBUG,
2253 "Tunnel %s received %u bytes of encrypted data in state %d\n",
2255 (unsigned int) size,
2260 case CADET_TUNNEL_KEY_UNINITIALIZED:
2261 /* We did not even SEND our KX, how can the other peer
2262 send us encrypted data? */
2263 GNUNET_break_op (0);
2265 case CADET_TUNNEL_KEY_SENT:
2266 /* We did not get the KX of the other peer, but that
2267 might have been lost. Ask for KX again. */
2268 GNUNET_STATISTICS_update (stats,
2269 "# received encrypted without KX",
2272 if (NULL != t->kx_task)
2273 GNUNET_SCHEDULER_cancel (t->kx_task);
2274 t->kx_task = GNUNET_SCHEDULER_add_now (&retry_kx,
2277 case CADET_TUNNEL_KEY_PING:
2278 /* Great, first payload, we might graduate to OK */
2279 case CADET_TUNNEL_KEY_OK:
2280 case CADET_TUNNEL_KEY_REKEY:
2284 GNUNET_STATISTICS_update (stats,
2285 "# received encrypted",
2288 decrypted_size = t_ax_decrypt_and_validate (t,
2293 if (-1 == decrypted_size)
2295 GNUNET_break_op (0);
2296 LOG (GNUNET_ERROR_TYPE_WARNING,
2297 "Tunnel %s failed to decrypt and validate encrypted data\n",
2299 GNUNET_STATISTICS_update (stats,
2300 "# unable to decrypt",
2305 if (CADET_TUNNEL_KEY_PING == t->estate)
2307 GCT_change_estate (t,
2308 CADET_TUNNEL_KEY_OK);
2309 trigger_transmissions (t);
2311 /* The MST will ultimately call #handle_decrypted() on each message. */
2312 GNUNET_break_op (GNUNET_OK ==
2313 GNUNET_MST_from_buffer (t->mst,
2322 * Sends an already built message on a tunnel, encrypting it and
2323 * choosing the best connection if not provided.
2325 * @param message Message to send. Function modifies it.
2326 * @param t Tunnel on which this message is transmitted.
2327 * @param cont Continuation to call once message is really sent.
2328 * @param cont_cls Closure for @c cont.
2329 * @return Handle to cancel message. NULL if @c cont is NULL.
2331 struct CadetTunnelQueueEntry *
2332 GCT_send (struct CadetTunnel *t,
2333 const struct GNUNET_MessageHeader *message,
2334 GNUNET_SCHEDULER_TaskCallback cont,
2337 struct CadetTunnelQueueEntry *tq;
2338 uint16_t payload_size;
2339 struct GNUNET_MQ_Envelope *env;
2340 struct GNUNET_CADET_TunnelEncryptedMessage *ax_msg;
2342 payload_size = ntohs (message->size);
2343 LOG (GNUNET_ERROR_TYPE_DEBUG,
2344 "Encrypting %u bytes of for tunnel %s\n",
2345 (unsigned int) payload_size,
2347 env = GNUNET_MQ_msg_extra (ax_msg,
2349 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_ENCRYPTED);
2354 ax_msg->Ns = htonl (t->ax.Ns++);
2355 ax_msg->PNs = htonl (t->ax.PNs);
2356 GNUNET_CRYPTO_ecdhe_key_get_public (t->ax.DHRs,
2360 t_hmac (&ax_msg->Ns,
2361 AX_HEADER_SIZE + payload_size,
2366 tq = GNUNET_malloc (sizeof (*tq));
2369 tq->cid = &ax_msg->cid; /* will initialize 'ax_msg->cid' once we know the connection */
2371 tq->cont_cls = cont_cls;
2372 GNUNET_CONTAINER_DLL_insert_tail (t->tq_head,
2375 trigger_transmissions (t);
2381 * Cancel a previously sent message while it's in the queue.
2383 * ONLY can be called before the continuation given to the send
2384 * function is called. Once the continuation is called, the message is
2385 * no longer in the queue!
2387 * @param tq Handle to the queue entry to cancel.
2390 GCT_send_cancel (struct CadetTunnelQueueEntry *tq)
2392 struct CadetTunnel *t = tq->t;
2394 GNUNET_CONTAINER_DLL_remove (t->tq_head,
2397 GNUNET_MQ_discard (tq->env);
2403 * Iterate over all connections of a tunnel.
2405 * @param t Tunnel whose connections to iterate.
2406 * @param iter Iterator.
2407 * @param iter_cls Closure for @c iter.
2410 GCT_iterate_connections (struct CadetTunnel *t,
2411 GCT_ConnectionIterator iter,
2414 for (struct CadetTConnection *ct = t->connection_head;
2423 * Closure for #iterate_channels_cb.
2430 GCT_ChannelIterator iter;
2433 * Closure for @e iter.
2440 * Helper function for #GCT_iterate_channels.
2442 * @param cls the `struct ChanIterCls`
2444 * @param value a `struct CadetChannel`
2445 * @return #GNUNET_OK
2448 iterate_channels_cb (void *cls,
2452 struct ChanIterCls *ctx = cls;
2453 struct CadetChannel *ch = value;
2455 ctx->iter (ctx->iter_cls,
2462 * Iterate over all channels of a tunnel.
2464 * @param t Tunnel whose channels to iterate.
2465 * @param iter Iterator.
2466 * @param iter_cls Closure for @c iter.
2469 GCT_iterate_channels (struct CadetTunnel *t,
2470 GCT_ChannelIterator iter,
2473 struct ChanIterCls ctx;
2476 ctx.iter_cls = iter_cls;
2477 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
2478 &iterate_channels_cb,
2485 * Call #GCCH_debug() on a channel.
2487 * @param cls points to the log level to use
2489 * @param value the `struct CadetChannel` to dump
2490 * @return #GNUNET_OK (continue iteration)
2493 debug_channel (void *cls,
2497 const enum GNUNET_ErrorType *level = cls;
2498 struct CadetChannel *ch = value;
2500 GCCH_debug (ch, *level);
2505 #define LOG2(level, ...) GNUNET_log_from_nocheck(level,"cadet-tun",__VA_ARGS__)
2509 * Log all possible info about the tunnel state.
2511 * @param t Tunnel to debug.
2512 * @param level Debug level to use.
2515 GCT_debug (const struct CadetTunnel *t,
2516 enum GNUNET_ErrorType level)
2518 struct CadetTConnection *iter_c;
2521 do_log = GNUNET_get_log_call_status (level & (~GNUNET_ERROR_TYPE_BULK),
2523 __FILE__, __FUNCTION__, __LINE__);
2528 "TTT TUNNEL TOWARDS %s in estate %s tq_len: %u #cons: %u\n",
2530 estate2s (t->estate),
2532 t->num_connections);
2533 #if DUMP_KEYS_TO_STDERR
2534 ax_debug (t->ax, level);
2538 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
2542 "TTT connections:\n");
2543 for (iter_c = t->connection_head; NULL != iter_c; iter_c = iter_c->next)
2544 GCC_debug (iter_c->cc,
2548 "TTT TUNNEL END\n");
2552 /* end of gnunet-service-cadet-new_tunnels.c */