2 This file is part of GNUnet.
3 Copyright (C) 2013, 2017 GNUnet e.V.
5 GNUnet is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published
7 by the Free Software Foundation; either version 3, or (at your
8 option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with GNUnet; see the file COPYING. If not, write to the
17 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
18 Boston, MA 02110-1301, USA.
21 * @file cadet/gnunet-service-cadet-new_tunnels.c
22 * @brief Information we track per tunnel.
23 * @author Bartlomiej Polot
24 * @author Christian Grothoff
27 * - check KX estate machine -- make sure it is never stuck!
28 * - clean up KX logic, including adding sender authentication
29 * - implement connection management (evaluate, kill old ones,
30 * search for new ones)
31 * - when managing connections, distinguish those that
32 * have (recently) had traffic from those that were
33 * never ready (or not recently)
36 #include "gnunet_util_lib.h"
37 #include "gnunet_statistics_service.h"
38 #include "gnunet_signatures.h"
39 #include "gnunet-service-cadet-new.h"
40 #include "cadet_protocol.h"
41 #include "gnunet-service-cadet-new_channel.h"
42 #include "gnunet-service-cadet-new_connection.h"
43 #include "gnunet-service-cadet-new_tunnels.h"
44 #include "gnunet-service-cadet-new_peer.h"
45 #include "gnunet-service-cadet-new_paths.h"
48 #define LOG(level, ...) GNUNET_log_from(level,"cadet-tun",__VA_ARGS__)
52 * How long do we wait until tearing down an idle tunnel?
54 #define IDLE_DESTROY_DELAY GNUNET_TIME_relative_multiply(GNUNET_TIME_UNIT_SECONDS, 90)
57 * Yuck, replace by 'offsetof' expression?
60 #define AX_HEADER_SIZE (sizeof (uint32_t) * 2\
61 + sizeof (struct GNUNET_CRYPTO_EcdhePublicKey))
65 * Maximum number of skipped keys we keep in memory per tunnel.
67 #define MAX_SKIPPED_KEYS 64
70 * Maximum number of keys (and thus ratchet steps) we are willing to
71 * skip before we decide this is either a bogus packet or a DoS-attempt.
73 #define MAX_KEY_GAP 256
77 * Struct to old keys for skipped messages while advancing the Axolotl ratchet.
79 struct CadetTunnelSkippedKey
84 struct CadetTunnelSkippedKey *next;
89 struct CadetTunnelSkippedKey *prev;
92 * When was this key stored (for timeout).
94 struct GNUNET_TIME_Absolute timestamp;
99 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
104 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
107 * Key number for a given HK.
114 * Axolotl data, according to https://github.com/trevp/axolotl/wiki .
116 struct CadetTunnelAxolotl
119 * A (double linked) list of stored message keys and associated header keys
120 * for "skipped" messages, i.e. messages that have not been
121 * received despite the reception of more recent messages, (head).
123 struct CadetTunnelSkippedKey *skipped_head;
126 * Skipped messages' keys DLL, tail.
128 struct CadetTunnelSkippedKey *skipped_tail;
131 * 32-byte root key which gets updated by DH ratchet.
133 struct GNUNET_CRYPTO_SymmetricSessionKey RK;
136 * 32-byte header key (send).
138 struct GNUNET_CRYPTO_SymmetricSessionKey HKs;
141 * 32-byte header key (recv)
143 struct GNUNET_CRYPTO_SymmetricSessionKey HKr;
146 * 32-byte next header key (send).
148 struct GNUNET_CRYPTO_SymmetricSessionKey NHKs;
151 * 32-byte next header key (recv).
153 struct GNUNET_CRYPTO_SymmetricSessionKey NHKr;
156 * 32-byte chain keys (used for forward-secrecy updating, send).
158 struct GNUNET_CRYPTO_SymmetricSessionKey CKs;
161 * 32-byte chain keys (used for forward-secrecy updating, recv).
163 struct GNUNET_CRYPTO_SymmetricSessionKey CKr;
166 * ECDH for key exchange (A0 / B0).
168 struct GNUNET_CRYPTO_EcdhePrivateKey *kx_0;
171 * ECDH Ratchet key (send).
173 struct GNUNET_CRYPTO_EcdhePrivateKey *DHRs;
176 * ECDH Ratchet key (recv).
178 struct GNUNET_CRYPTO_EcdhePublicKey DHRr;
181 * When does this ratchet expire and a new one is triggered.
183 struct GNUNET_TIME_Absolute ratchet_expiration;
186 * Number of elements in @a skipped_head <-> @a skipped_tail.
188 unsigned int skipped;
191 * Message number (reset to 0 with each new ratchet, next message to send).
196 * Message number (reset to 0 with each new ratchet, next message to recv).
201 * Previous message numbers (# of msgs sent under prev ratchet)
206 * True (#GNUNET_YES) if we have to send a new ratchet key in next msg.
211 * Number of messages recieved since our last ratchet advance.
212 * - If this counter = 0, we cannot send a new ratchet key in next msg.
213 * - If this counter > 0, we can (but don't yet have to) send a new key.
215 unsigned int ratchet_allowed;
218 * Number of messages recieved since our last ratchet advance.
219 * - If this counter = 0, we cannot send a new ratchet key in next msg.
220 * - If this counter > 0, we can (but don't yet have to) send a new key.
222 unsigned int ratchet_counter;
228 * Struct used to save messages in a non-ready tunnel to send once connected.
230 struct CadetTunnelQueueEntry
233 * We are entries in a DLL
235 struct CadetTunnelQueueEntry *next;
238 * We are entries in a DLL
240 struct CadetTunnelQueueEntry *prev;
243 * Tunnel these messages belong in.
245 struct CadetTunnel *t;
248 * Continuation to call once sent (on the channel layer).
250 GNUNET_SCHEDULER_TaskCallback cont;
253 * Closure for @c cont.
258 * Envelope of message to send follows.
260 struct GNUNET_MQ_Envelope *env;
263 * Where to put the connection identifier into the payload
264 * of the message in @e env once we have it?
266 struct GNUNET_CADET_ConnectionTunnelIdentifier *cid;
271 * Struct containing all information regarding a tunnel to a peer.
276 * Destination of the tunnel.
278 struct CadetPeer *destination;
281 * Peer's ephemeral key, to recreate @c e_key and @c d_key when own
282 * ephemeral key changes.
284 struct GNUNET_CRYPTO_EcdhePublicKey peers_ephemeral_key;
287 * Encryption ("our") key. It is only "confirmed" if kx_ctx is NULL.
289 struct GNUNET_CRYPTO_SymmetricSessionKey e_key;
292 * Decryption ("their") key. It is only "confirmed" if kx_ctx is NULL.
294 struct GNUNET_CRYPTO_SymmetricSessionKey d_key;
299 struct CadetTunnelAxolotl ax;
302 * Task scheduled if there are no more channels using the tunnel.
304 struct GNUNET_SCHEDULER_Task *destroy_task;
307 * Task to trim connections if too many are present.
309 struct GNUNET_SCHEDULER_Task *maintain_connections_task;
312 * Task to trigger KX.
314 struct GNUNET_SCHEDULER_Task *kx_task;
317 * Tokenizer for decrypted messages.
319 struct GNUNET_MessageStreamTokenizer *mst;
322 * Dispatcher for decrypted messages only (do NOT use for sending!).
324 struct GNUNET_MQ_Handle *mq;
327 * DLL of connections that are actively used to reach the destination peer.
329 struct CadetTConnection *connection_head;
332 * DLL of connections that are actively used to reach the destination peer.
334 struct CadetTConnection *connection_tail;
337 * Channels inside this tunnel. Maps
338 * `struct GNUNET_CADET_ChannelTunnelNumber` to a `struct CadetChannel`.
340 struct GNUNET_CONTAINER_MultiHashMap32 *channels;
343 * Channel ID for the next created channel in this tunnel.
345 struct GNUNET_CADET_ChannelTunnelNumber next_ctn;
348 * Queued messages, to transmit once tunnel gets connected.
350 struct CadetTunnelQueueEntry *tq_head;
353 * Queued messages, to transmit once tunnel gets connected.
355 struct CadetTunnelQueueEntry *tq_tail;
359 * Ephemeral message in the queue (to avoid queueing more than one).
361 struct CadetConnectionQueue *ephm_hKILL;
364 * Pong message in the queue.
366 struct CadetConnectionQueue *pong_hKILL;
369 * How long do we wait until we retry the KX?
371 struct GNUNET_TIME_Relative kx_retry_delay;
374 * When do we try the next KX?
376 struct GNUNET_TIME_Absolute next_kx_attempt;
379 * Number of connections in the @e connection_head DLL.
381 unsigned int num_connections;
384 * Number of entries in the @e tq_head DLL.
389 * State of the tunnel encryption.
391 enum CadetTunnelEState estate;
397 * Get the static string for the peer this tunnel is directed.
401 * @return Static string the destination peer's ID.
404 GCT_2s (const struct CadetTunnel *t)
411 GNUNET_snprintf (buf,
414 GCP_2s (t->destination));
420 * Get string description for tunnel encryption state.
422 * @param es Tunnel state.
424 * @return String representation.
427 estate2s (enum CadetTunnelEState es)
433 case CADET_TUNNEL_KEY_UNINITIALIZED:
434 return "CADET_TUNNEL_KEY_UNINITIALIZED";
435 case CADET_TUNNEL_KEY_SENT:
436 return "CADET_TUNNEL_KEY_SENT";
437 case CADET_TUNNEL_KEY_PING:
438 return "CADET_TUNNEL_KEY_PING";
439 case CADET_TUNNEL_KEY_OK:
440 return "CADET_TUNNEL_KEY_OK";
441 case CADET_TUNNEL_KEY_REKEY:
442 return "CADET_TUNNEL_KEY_REKEY";
444 SPRINTF (buf, "%u (UNKNOWN STATE)", es);
451 * Return the peer to which this tunnel goes.
454 * @return the destination of the tunnel
457 GCT_get_destination (struct CadetTunnel *t)
459 return t->destination;
464 * Count channels of a tunnel.
466 * @param t Tunnel on which to count.
468 * @return Number of channels.
471 GCT_count_channels (struct CadetTunnel *t)
473 return GNUNET_CONTAINER_multihashmap32_size (t->channels);
478 * Lookup a channel by its @a ctn.
480 * @param t tunnel to look in
481 * @param ctn number of channel to find
482 * @return NULL if channel does not exist
484 struct CadetChannel *
485 lookup_channel (struct CadetTunnel *t,
486 struct GNUNET_CADET_ChannelTunnelNumber ctn)
488 return GNUNET_CONTAINER_multihashmap32_get (t->channels,
494 * Count all created connections of a tunnel. Not necessarily ready connections!
496 * @param t Tunnel on which to count.
498 * @return Number of connections created, either being established or ready.
501 GCT_count_any_connections (struct CadetTunnel *t)
503 return t->num_connections;
508 * Find first connection that is ready in the list of
509 * our connections. Picks ready connections round-robin.
511 * @param t tunnel to search
512 * @return NULL if we have no connection that is ready
514 static struct CadetTConnection *
515 get_ready_connection (struct CadetTunnel *t)
517 for (struct CadetTConnection *pos = t->connection_head;
520 if (GNUNET_YES == pos->is_ready)
522 if (pos != t->connection_tail)
524 /* move 'pos' to the end, so we try other ready connections
525 first next time (round-robin, modulo availability) */
526 GNUNET_CONTAINER_DLL_remove (t->connection_head,
529 GNUNET_CONTAINER_DLL_insert_tail (t->connection_head,
540 * Get the encryption state of a tunnel.
544 * @return Tunnel's encryption state.
546 enum CadetTunnelEState
547 GCT_get_estate (struct CadetTunnel *t)
554 * Create a new Axolotl ephemeral (ratchet) key.
559 new_ephemeral (struct CadetTunnel *t)
561 GNUNET_free_non_null (t->ax.DHRs);
562 t->ax.DHRs = GNUNET_CRYPTO_ecdhe_key_create ();
568 * Called when either we have a new connection, or a new message in the
569 * queue, or some existing connection has transmission capacity. Looks
570 * at our message queue and if there is a message, picks a connection
573 * @param t tunnel to process messages on
576 trigger_transmissions (struct CadetTunnel *t);
579 /* ************************************** start core crypto ***************************** */
585 * @param plaintext Content to HMAC.
586 * @param size Size of @c plaintext.
587 * @param iv Initialization vector for the message.
588 * @param key Key to use.
589 * @param hmac[out] Destination to store the HMAC.
592 t_hmac (const void *plaintext,
595 const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
596 struct GNUNET_ShortHashCode *hmac)
598 static const char ctx[] = "cadet authentication key";
599 struct GNUNET_CRYPTO_AuthKey auth_key;
600 struct GNUNET_HashCode hash;
602 GNUNET_CRYPTO_hmac_derive_key (&auth_key,
608 /* Two step: CADET_Hash is only 256 bits, HashCode is 512. */
609 GNUNET_CRYPTO_hmac (&auth_key,
622 * @param key Key to use.
623 * @param hash[out] Resulting HMAC.
624 * @param source Source key material (data to HMAC).
625 * @param len Length of @a source.
628 t_ax_hmac_hash (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
629 struct GNUNET_HashCode *hash,
633 static const char ctx[] = "axolotl HMAC-HASH";
634 struct GNUNET_CRYPTO_AuthKey auth_key;
636 GNUNET_CRYPTO_hmac_derive_key (&auth_key,
640 GNUNET_CRYPTO_hmac (&auth_key,
648 * Derive a symmetric encryption key from an HMAC-HASH.
650 * @param key Key to use for the HMAC.
651 * @param[out] out Key to generate.
652 * @param source Source key material (data to HMAC).
653 * @param len Length of @a source.
656 t_hmac_derive_key (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
657 struct GNUNET_CRYPTO_SymmetricSessionKey *out,
661 static const char ctx[] = "axolotl derive key";
662 struct GNUNET_HashCode h;
668 GNUNET_CRYPTO_kdf (out, sizeof (*out),
676 * Encrypt data with the axolotl tunnel key.
678 * @param t Tunnel whose key to use.
679 * @param dst Destination with @a size bytes for the encrypted data.
680 * @param src Source of the plaintext. Can overlap with @c dst, must contain @a size bytes
681 * @param size Size of the buffers at @a src and @a dst
684 t_ax_encrypt (struct CadetTunnel *t,
689 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
690 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
691 struct CadetTunnelAxolotl *ax;
695 ax->ratchet_counter++;
696 if ( (GNUNET_YES == ax->ratchet_allowed) &&
697 ( (ratchet_messages <= ax->ratchet_counter) ||
698 (0 == GNUNET_TIME_absolute_get_remaining (ax->ratchet_expiration).rel_value_us)) )
700 ax->ratchet_flag = GNUNET_YES;
702 if (GNUNET_YES == ax->ratchet_flag)
704 /* Advance ratchet */
705 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3];
706 struct GNUNET_HashCode dh;
707 struct GNUNET_HashCode hmac;
708 static const char ctx[] = "axolotl ratchet";
713 /* RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) ) */
714 GNUNET_CRYPTO_ecc_ecdh (ax->DHRs,
717 t_ax_hmac_hash (&ax->RK,
721 GNUNET_CRYPTO_kdf (keys, sizeof (keys),
723 &hmac, sizeof (hmac),
731 ax->ratchet_flag = GNUNET_NO;
732 ax->ratchet_allowed = GNUNET_NO;
733 ax->ratchet_counter = 0;
734 ax->ratchet_expiration
735 = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(),
739 t_hmac_derive_key (&ax->CKs,
743 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
748 out_size = GNUNET_CRYPTO_symmetric_encrypt (src,
753 GNUNET_assert (size == out_size);
754 t_hmac_derive_key (&ax->CKs,
762 * Decrypt data with the axolotl tunnel key.
764 * @param t Tunnel whose key to use.
765 * @param dst Destination for the decrypted data, must contain @a size bytes.
766 * @param src Source of the ciphertext. Can overlap with @c dst, must contain @a size bytes.
767 * @param size Size of the @a src and @a dst buffers
770 t_ax_decrypt (struct CadetTunnel *t,
775 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
776 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
777 struct CadetTunnelAxolotl *ax;
781 t_hmac_derive_key (&ax->CKr,
785 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
789 GNUNET_assert (size >= sizeof (struct GNUNET_MessageHeader));
790 out_size = GNUNET_CRYPTO_symmetric_decrypt (src,
795 GNUNET_assert (out_size == size);
796 t_hmac_derive_key (&ax->CKr,
804 * Encrypt header with the axolotl header key.
806 * @param t Tunnel whose key to use.
807 * @param msg Message whose header to encrypt.
810 t_h_encrypt (struct CadetTunnel *t,
811 struct GNUNET_CADET_TunnelEncryptedMessage *msg)
813 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
814 struct CadetTunnelAxolotl *ax;
818 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
822 out_size = GNUNET_CRYPTO_symmetric_encrypt (&msg->Ns,
827 GNUNET_assert (AX_HEADER_SIZE == out_size);
832 * Decrypt header with the current axolotl header key.
834 * @param t Tunnel whose current ax HK to use.
835 * @param src Message whose header to decrypt.
836 * @param dst Where to decrypt header to.
839 t_h_decrypt (struct CadetTunnel *t,
840 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
841 struct GNUNET_CADET_TunnelEncryptedMessage *dst)
843 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
844 struct CadetTunnelAxolotl *ax;
848 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
852 out_size = GNUNET_CRYPTO_symmetric_decrypt (&src->Ns,
857 GNUNET_assert (AX_HEADER_SIZE == out_size);
862 * Delete a key from the list of skipped keys.
864 * @param t Tunnel to delete from.
865 * @param key Key to delete.
868 delete_skipped_key (struct CadetTunnel *t,
869 struct CadetTunnelSkippedKey *key)
871 GNUNET_CONTAINER_DLL_remove (t->ax.skipped_head,
880 * Decrypt and verify data with the appropriate tunnel key and verify that the
881 * data has not been altered since it was sent by the remote peer.
883 * @param t Tunnel whose key to use.
884 * @param dst Destination for the plaintext.
885 * @param src Source of the message. Can overlap with @c dst.
886 * @param size Size of the message.
887 * @return Size of the decrypted data, -1 if an error was encountered.
890 try_old_ax_keys (struct CadetTunnel *t,
892 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
895 struct CadetTunnelSkippedKey *key;
896 struct GNUNET_ShortHashCode *hmac;
897 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
898 struct GNUNET_CADET_TunnelEncryptedMessage plaintext_header;
899 struct GNUNET_CRYPTO_SymmetricSessionKey *valid_HK;
905 LOG (GNUNET_ERROR_TYPE_DEBUG,
906 "Trying skipped keys\n");
907 hmac = &plaintext_header.hmac;
908 esize = size - sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
910 /* Find a correct Header Key */
912 for (key = t->ax.skipped_head; NULL != key; key = key->next)
915 AX_HEADER_SIZE + esize,
919 if (0 == memcmp (hmac,
930 /* Should've been checked in -cadet_connection.c handle_cadet_encrypted. */
931 GNUNET_assert (size > sizeof (struct GNUNET_CADET_TunnelEncryptedMessage));
932 len = size - sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
933 GNUNET_assert (len >= sizeof (struct GNUNET_MessageHeader));
936 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
940 res = GNUNET_CRYPTO_symmetric_decrypt (&src->Ns,
944 &plaintext_header.Ns);
945 GNUNET_assert (AX_HEADER_SIZE == res);
947 /* Find the correct message key */
948 N = ntohl (plaintext_header.Ns);
949 while ( (NULL != key) &&
952 if ( (NULL == key) ||
953 (0 != memcmp (&key->HK,
955 sizeof (*valid_HK))) )
958 /* Decrypt payload */
959 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
964 res = GNUNET_CRYPTO_symmetric_decrypt (&src[1],
969 delete_skipped_key (t,
976 * Delete a key from the list of skipped keys.
978 * @param t Tunnel to delete from.
979 * @param HKr Header Key to use.
982 store_skipped_key (struct CadetTunnel *t,
983 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr)
985 struct CadetTunnelSkippedKey *key;
987 key = GNUNET_new (struct CadetTunnelSkippedKey);
988 key->timestamp = GNUNET_TIME_absolute_get ();
991 t_hmac_derive_key (&t->ax.CKr,
995 t_hmac_derive_key (&t->ax.CKr,
999 GNUNET_CONTAINER_DLL_insert (t->ax.skipped_head,
1008 * Stage skipped AX keys and calculate the message key.
1009 * Stores each HK and MK for skipped messages.
1011 * @param t Tunnel where to stage the keys.
1012 * @param HKr Header key.
1013 * @param Np Received meesage number.
1014 * @return #GNUNET_OK if keys were stored.
1015 * #GNUNET_SYSERR if an error ocurred (Np not expected).
1018 store_ax_keys (struct CadetTunnel *t,
1019 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr,
1024 gap = Np - t->ax.Nr;
1025 LOG (GNUNET_ERROR_TYPE_DEBUG,
1026 "Storing skipped keys [%u, %u)\n",
1029 if (MAX_KEY_GAP < gap)
1031 /* Avoid DoS (forcing peer to do 2^33 chain HMAC operations) */
1032 /* TODO: start new key exchange on return */
1033 GNUNET_break_op (0);
1034 LOG (GNUNET_ERROR_TYPE_WARNING,
1035 "Got message %u, expected %u+\n",
1038 return GNUNET_SYSERR;
1042 /* Delayed message: don't store keys, flag to try old keys. */
1043 return GNUNET_SYSERR;
1046 while (t->ax.Nr < Np)
1047 store_skipped_key (t,
1050 while (t->ax.skipped > MAX_SKIPPED_KEYS)
1051 delete_skipped_key (t,
1052 t->ax.skipped_tail);
1058 * Decrypt and verify data with the appropriate tunnel key and verify that the
1059 * data has not been altered since it was sent by the remote peer.
1061 * @param t Tunnel whose key to use.
1062 * @param dst Destination for the plaintext.
1063 * @param src Source of the message. Can overlap with @c dst.
1064 * @param size Size of the message.
1065 * @return Size of the decrypted data, -1 if an error was encountered.
1068 t_ax_decrypt_and_validate (struct CadetTunnel *t,
1070 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
1073 struct CadetTunnelAxolotl *ax;
1074 struct GNUNET_ShortHashCode msg_hmac;
1075 struct GNUNET_HashCode hmac;
1076 struct GNUNET_CADET_TunnelEncryptedMessage plaintext_header;
1079 size_t esize; /* Size of encryped payload */
1081 esize = size - sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
1084 /* Try current HK */
1086 AX_HEADER_SIZE + esize,
1089 if (0 != memcmp (&msg_hmac,
1093 static const char ctx[] = "axolotl ratchet";
1094 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3]; /* RKp, NHKp, CKp */
1095 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
1096 struct GNUNET_HashCode dh;
1097 struct GNUNET_CRYPTO_EcdhePublicKey *DHRp;
1101 AX_HEADER_SIZE + esize,
1105 if (0 != memcmp (&msg_hmac,
1109 /* Try the skipped keys, if that fails, we're out of luck. */
1110 return try_old_ax_keys (t,
1120 Np = ntohl (plaintext_header.Ns);
1121 PNp = ntohl (plaintext_header.PNs);
1122 DHRp = &plaintext_header.DHRs;
1127 /* RKp, NHKp, CKp = KDF (HMAC-HASH (RK, DH (DHRp, DHRs))) */
1128 GNUNET_CRYPTO_ecc_ecdh (ax->DHRs,
1131 t_ax_hmac_hash (&ax->RK,
1134 GNUNET_CRYPTO_kdf (keys, sizeof (keys),
1136 &hmac, sizeof (hmac),
1139 /* Commit "purported" keys */
1145 ax->ratchet_allowed = GNUNET_YES;
1152 Np = ntohl (plaintext_header.Ns);
1153 PNp = ntohl (plaintext_header.PNs);
1155 if ( (Np != ax->Nr) &&
1156 (GNUNET_OK != store_ax_keys (t,
1160 /* Try the skipped keys, if that fails, we're out of luck. */
1161 return try_old_ax_keys (t,
1177 * Our tunnel became ready for the first time, notify channels
1178 * that have been waiting.
1180 * @param cls our tunnel, not used
1181 * @param key unique ID of the channel, not used
1182 * @param value the `struct CadetChannel` to notify
1183 * @return #GNUNET_OK (continue to iterate)
1186 notify_tunnel_up_cb (void *cls,
1190 struct CadetChannel *ch = value;
1192 GCCH_tunnel_up (ch);
1198 * Change the tunnel encryption state.
1199 * If the encryption state changes to OK, stop the rekey task.
1201 * @param t Tunnel whose encryption state to change, or NULL.
1202 * @param state New encryption state.
1205 GCT_change_estate (struct CadetTunnel *t,
1206 enum CadetTunnelEState state)
1208 enum CadetTunnelEState old = t->estate;
1211 LOG (GNUNET_ERROR_TYPE_DEBUG,
1212 "Tunnel %s estate changed from %d to %d\n",
1217 if ( (CADET_TUNNEL_KEY_OK != old) &&
1218 (CADET_TUNNEL_KEY_OK == t->estate) )
1220 if (NULL != t->kx_task)
1222 GNUNET_SCHEDULER_cancel (t->kx_task);
1225 if (CADET_TUNNEL_KEY_REKEY != old)
1227 /* notify all channels that have been waiting */
1228 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
1229 ¬ify_tunnel_up_cb,
1233 /* FIXME: schedule rekey task! */
1239 * Send a KX message.
1241 * FIXME: does not take care of sender-authentication yet!
1243 * @param t Tunnel on which to send it.
1244 * @param force_reply Force the other peer to reply with a KX message.
1247 send_kx (struct CadetTunnel *t,
1250 struct CadetTunnelAxolotl *ax = &t->ax;
1251 struct CadetTConnection *ct;
1252 struct CadetConnection *cc;
1253 struct GNUNET_MQ_Envelope *env;
1254 struct GNUNET_CADET_TunnelKeyExchangeMessage *msg;
1255 enum GNUNET_CADET_KX_Flags flags;
1257 ct = get_ready_connection (t);
1260 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1261 "Wanted to send KX on tunnel %s, but no connection is ready, deferring\n",
1266 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1267 "Sending KX on tunnel %s using connection %s\n",
1271 // GNUNET_assert (GNUNET_NO == GCT_is_loopback (t));
1272 env = GNUNET_MQ_msg (msg,
1273 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX);
1274 flags = GNUNET_CADET_KX_FLAG_NONE;
1275 if (GNUNET_YES == force_reply)
1276 flags |= GNUNET_CADET_KX_FLAG_FORCE_REPLY;
1277 msg->flags = htonl (flags);
1278 msg->cid = *GCC_get_id (cc);
1279 GNUNET_CRYPTO_ecdhe_key_get_public (ax->kx_0,
1280 &msg->ephemeral_key);
1281 GNUNET_CRYPTO_ecdhe_key_get_public (ax->DHRs,
1285 t->kx_retry_delay = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay);
1286 t->next_kx_attempt = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay);
1287 if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
1288 GCT_change_estate (t,
1289 CADET_TUNNEL_KEY_SENT);
1294 * Handle KX message.
1296 * FIXME: sender-authentication in KX is missing!
1298 * @param ct connection/tunnel combo that received encrypted message
1299 * @param msg the key exchange message
1302 GCT_handle_kx (struct CadetTConnection *ct,
1303 const struct GNUNET_CADET_TunnelKeyExchangeMessage *msg)
1305 struct CadetTunnel *t = ct->t;
1306 struct CadetTunnelAxolotl *ax = &t->ax;
1307 struct GNUNET_HashCode key_material[3];
1308 struct GNUNET_CRYPTO_SymmetricSessionKey keys[5];
1309 const char salt[] = "CADET Axolotl salt";
1310 const struct GNUNET_PeerIdentity *pid;
1313 pid = GCP_get_id (t->destination);
1314 if (0 > GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
1316 am_I_alice = GNUNET_YES;
1317 else if (0 < GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
1319 am_I_alice = GNUNET_NO;
1322 GNUNET_break_op (0);
1326 if (0 != (GNUNET_CADET_KX_FLAG_FORCE_REPLY & ntohl (msg->flags)))
1328 if (NULL != t->kx_task)
1330 GNUNET_SCHEDULER_cancel (t->kx_task);
1337 if (0 == memcmp (&ax->DHRr,
1339 sizeof (msg->ratchet_key)))
1341 LOG (GNUNET_ERROR_TYPE_DEBUG,
1342 " known ratchet key, exit\n");
1346 ax->DHRr = msg->ratchet_key;
1349 if (GNUNET_YES == am_I_alice)
1351 GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* A */
1352 &msg->ephemeral_key, /* B0 */
1357 GNUNET_CRYPTO_ecdh_eddsa (ax->kx_0, /* B0 */
1358 &pid->public_key, /* A */
1363 if (GNUNET_YES == am_I_alice)
1365 GNUNET_CRYPTO_ecdh_eddsa (ax->kx_0, /* A0 */
1366 &pid->public_key, /* B */
1371 GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* A */
1372 &msg->ephemeral_key, /* B0 */
1379 /* (This is the triple-DH, we could probably safely skip this,
1380 as A0/B0 are already in the key material.) */
1381 GNUNET_CRYPTO_ecc_ecdh (ax->kx_0, /* A0 or B0 */
1382 &msg->ephemeral_key, /* B0 or A0 */
1386 GNUNET_CRYPTO_kdf (keys, sizeof (keys),
1387 salt, sizeof (salt),
1388 &key_material, sizeof (key_material),
1391 if (0 == memcmp (&ax->RK,
1395 LOG (GNUNET_ERROR_TYPE_INFO,
1396 " known handshake key, exit\n");
1399 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1400 "Handling KX message for tunnel %s\n",
1404 if (GNUNET_YES == am_I_alice)
1410 ax->ratchet_flag = GNUNET_YES;
1418 ax->ratchet_flag = GNUNET_NO;
1419 ax->ratchet_allowed = GNUNET_NO;
1420 ax->ratchet_counter = 0;
1421 ax->ratchet_expiration
1422 = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(),
1431 case CADET_TUNNEL_KEY_UNINITIALIZED:
1432 GCT_change_estate (t,
1433 CADET_TUNNEL_KEY_PING);
1435 case CADET_TUNNEL_KEY_SENT:
1436 /* Got a response to us sending our key; now
1437 we can start transmitting! */
1438 GCT_change_estate (t,
1439 CADET_TUNNEL_KEY_OK);
1440 trigger_transmissions (t);
1442 case CADET_TUNNEL_KEY_PING:
1443 /* Got a key yet again; need encrypted payload to advance */
1445 case CADET_TUNNEL_KEY_OK:
1446 /* Did not expect a key, but so what. */
1448 case CADET_TUNNEL_KEY_REKEY:
1449 /* Got a key yet again; need encrypted payload to advance */
1455 /* ************************************** end core crypto ***************************** */
1459 * Compute the next free channel tunnel number for this tunnel.
1461 * @param t the tunnel
1462 * @return unused number that can uniquely identify a channel in the tunnel
1464 static struct GNUNET_CADET_ChannelTunnelNumber
1465 get_next_free_ctn (struct CadetTunnel *t)
1467 struct GNUNET_CADET_ChannelTunnelNumber ret;
1470 /* FIXME: this logic does NOT prevent both ends of the
1471 channel from picking the same CTN!
1472 Need to reserve one bit of the CTN for the
1473 direction, i.e. which side established the connection! */
1474 ctn = ntohl (t->next_ctn.cn);
1476 GNUNET_CONTAINER_multihashmap32_get (t->channels,
1479 t->next_ctn.cn = htonl (ctn + 1);
1480 ret.cn = ntohl (ctn);
1486 * Add a channel to a tunnel, and notify channel that we are ready
1487 * for transmission if we are already up. Otherwise that notification
1488 * will be done later in #notify_tunnel_up_cb().
1492 * @return unique number identifying @a ch within @a t
1494 struct GNUNET_CADET_ChannelTunnelNumber
1495 GCT_add_channel (struct CadetTunnel *t,
1496 struct CadetChannel *ch)
1498 struct GNUNET_CADET_ChannelTunnelNumber ctn;
1500 ctn = get_next_free_ctn (t);
1501 GNUNET_assert (GNUNET_YES ==
1502 GNUNET_CONTAINER_multihashmap32_put (t->channels,
1505 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
1506 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1507 "Adding channel %s to tunnel %s\n",
1510 if ( (CADET_TUNNEL_KEY_OK == t->estate) ||
1511 (CADET_TUNNEL_KEY_REKEY == t->estate) )
1512 GCCH_tunnel_up (ch);
1518 * This tunnel is no longer used, destroy it.
1520 * @param cls the idle tunnel
1523 destroy_tunnel (void *cls)
1525 struct CadetTunnel *t = cls;
1526 struct CadetTConnection *ct;
1527 struct CadetTunnelQueueEntry *tq;
1529 t->destroy_task = NULL;
1530 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1531 "Destroying idle tunnel %s\n",
1533 GNUNET_assert (0 == GNUNET_CONTAINER_multihashmap32_size (t->channels));
1534 while (NULL != (ct = t->connection_head))
1536 GNUNET_assert (ct->t == t);
1537 GNUNET_CONTAINER_DLL_remove (t->connection_head,
1540 GCC_destroy (ct->cc);
1543 while (NULL != (tq = t->tq_head))
1544 GCT_send_cancel (tq);
1545 GCP_drop_tunnel (t->destination,
1547 GNUNET_CONTAINER_multihashmap32_destroy (t->channels);
1548 if (NULL != t->maintain_connections_task)
1550 GNUNET_SCHEDULER_cancel (t->maintain_connections_task);
1551 t->maintain_connections_task = NULL;
1553 GNUNET_MST_destroy (t->mst);
1554 GNUNET_MQ_destroy (t->mq);
1555 while (NULL != t->ax.skipped_head)
1556 delete_skipped_key (t,
1557 t->ax.skipped_head);
1558 GNUNET_assert (0 == t->ax.skipped);
1559 GNUNET_free_non_null (t->ax.kx_0);
1560 GNUNET_free_non_null (t->ax.DHRs);
1566 * Remove a channel from a tunnel.
1570 * @param ctn unique number identifying @a ch within @a t
1573 GCT_remove_channel (struct CadetTunnel *t,
1574 struct CadetChannel *ch,
1575 struct GNUNET_CADET_ChannelTunnelNumber ctn)
1577 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1578 "Removing channel %s from tunnel %s\n",
1581 GNUNET_assert (GNUNET_YES ==
1582 GNUNET_CONTAINER_multihashmap32_remove (t->channels,
1586 GNUNET_CONTAINER_multihashmap32_size (t->channels))
1588 t->destroy_task = GNUNET_SCHEDULER_add_delayed (IDLE_DESTROY_DELAY,
1596 * Destroys the tunnel @a t now, without delay. Used during shutdown.
1598 * @param t tunnel to destroy
1601 GCT_destroy_tunnel_now (struct CadetTunnel *t)
1604 GNUNET_CONTAINER_multihashmap32_size (t->channels));
1605 GNUNET_SCHEDULER_cancel (t->destroy_task);
1611 * It's been a while, we should try to redo the KX, if we can.
1613 * @param cls the `struct CadetTunnel` to do KX for.
1616 retry_kx (void *cls)
1618 struct CadetTunnel *t = cls;
1622 ( (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate) ||
1623 (CADET_TUNNEL_KEY_SENT == t->estate) )
1630 * Send normal payload from queue in @a t via connection @a ct.
1631 * Does nothing if our payload queue is empty.
1633 * @param t tunnel to send data from
1634 * @param ct connection to use for transmission (is ready)
1637 try_send_normal_payload (struct CadetTunnel *t,
1638 struct CadetTConnection *ct)
1640 struct CadetTunnelQueueEntry *tq;
1642 GNUNET_assert (GNUNET_YES == ct->is_ready);
1646 /* no messages pending right now */
1647 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1648 "Not sending payload of tunnel %s on ready connection %s (nothing pending)\n",
1653 /* ready to send message 'tq' on tunnel 'ct' */
1654 GNUNET_assert (t == tq->t);
1655 GNUNET_CONTAINER_DLL_remove (t->tq_head,
1658 if (NULL != tq->cid)
1659 *tq->cid = *GCC_get_id (ct->cc);
1660 ct->is_ready = GNUNET_NO;
1661 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1662 "Sending payload of tunnel %s on connection %s\n",
1665 GCC_transmit (ct->cc,
1667 if (NULL != tq->cont)
1668 tq->cont (tq->cont_cls);
1674 * A connection is @a is_ready for transmission. Looks at our message
1675 * queue and if there is a message, sends it out via the connection.
1677 * @param cls the `struct CadetTConnection` that is @a is_ready
1678 * @param is_ready #GNUNET_YES if connection are now ready,
1679 * #GNUNET_NO if connection are no longer ready
1682 connection_ready_cb (void *cls,
1685 struct CadetTConnection *ct = cls;
1686 struct CadetTunnel *t = ct->t;
1688 if (GNUNET_NO == is_ready)
1690 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1691 "Connection %s no longer ready for tunnel %s\n",
1694 ct->is_ready = GNUNET_NO;
1697 ct->is_ready = GNUNET_YES;
1698 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1699 "Connection %s now ready for tunnel %s in state %s\n",
1702 estate2s (t->estate));
1705 case CADET_TUNNEL_KEY_UNINITIALIZED:
1709 case CADET_TUNNEL_KEY_SENT:
1710 case CADET_TUNNEL_KEY_PING:
1711 /* opportunity to #retry_kx() starts now, schedule job */
1712 if (NULL == t->kx_task)
1715 = GNUNET_SCHEDULER_add_at (t->next_kx_attempt,
1720 case CADET_TUNNEL_KEY_OK:
1721 try_send_normal_payload (t,
1724 case CADET_TUNNEL_KEY_REKEY:
1727 t->estate = CADET_TUNNEL_KEY_OK;
1734 * Called when either we have a new connection, or a new message in the
1735 * queue, or some existing connection has transmission capacity. Looks
1736 * at our message queue and if there is a message, picks a connection
1739 * @param t tunnel to process messages on
1742 trigger_transmissions (struct CadetTunnel *t)
1744 struct CadetTConnection *ct;
1746 if (NULL == t->tq_head)
1747 return; /* no messages pending right now */
1748 ct = get_ready_connection (t);
1750 return; /* no connections ready */
1751 try_send_normal_payload (t,
1757 * Function called to maintain the connections underlying our tunnel.
1758 * Tries to maintain (incl. tear down) connections for the tunnel, and
1759 * if there is a significant change, may trigger transmissions.
1761 * Basically, needs to check if there are connections that perform
1762 * badly, and if so eventually kill them and trigger a replacement.
1763 * The strategy is to open one more connection than
1764 * #DESIRED_CONNECTIONS_PER_TUNNEL, and then periodically kick out the
1765 * least-performing one, and then inquire for new ones.
1767 * @param cls the `struct CadetTunnel`
1770 maintain_connections_cb (void *cls)
1772 struct CadetTunnel *t = cls;
1774 t->maintain_connections_task = NULL;
1775 GNUNET_break (0); // FIXME: implement!
1780 * Consider using the path @a p for the tunnel @a t.
1781 * The tunnel destination is at offset @a off in path @a p.
1783 * @param cls our tunnel
1784 * @param path a path to our destination
1785 * @param off offset of the destination on path @a path
1786 * @return #GNUNET_YES (should keep iterating)
1789 consider_path_cb (void *cls,
1790 struct CadetPeerPath *path,
1793 struct CadetTunnel *t = cls;
1794 unsigned int min_length = UINT_MAX;
1795 GNUNET_CONTAINER_HeapCostType max_desire = 0;
1796 struct CadetTConnection *ct;
1798 /* Check if we care about the new path. */
1799 for (ct = t->connection_head;
1803 struct CadetPeerPath *ps;
1805 ps = GCC_get_path (ct->cc);
1807 return GNUNET_YES; /* duplicate */
1808 min_length = GNUNET_MIN (min_length,
1809 GCPP_get_length (ps));
1810 max_desire = GNUNET_MAX (max_desire,
1811 GCPP_get_desirability (ps));
1814 /* FIXME: not sure we should really just count
1815 'num_connections' here, as they may all have
1816 consistently failed to connect. */
1818 /* We iterate by increasing path length; if we have enough paths and
1819 this one is more than twice as long than what we are currently
1820 using, then ignore all of these super-long ones! */
1821 if ( (t->num_connections > DESIRED_CONNECTIONS_PER_TUNNEL) &&
1822 (min_length * 2 < off) )
1824 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1825 "Ignoring paths of length %u, they are way too long.\n",
1829 /* If we have enough paths and this one looks no better, ignore it. */
1830 if ( (t->num_connections >= DESIRED_CONNECTIONS_PER_TUNNEL) &&
1831 (min_length < GCPP_get_length (path)) &&
1832 (max_desire > GCPP_get_desirability (path)) )
1834 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1835 "Ignoring path (%u/%llu) to %s, got something better already.\n",
1836 GCPP_get_length (path),
1837 (unsigned long long) GCPP_get_desirability (path),
1838 GCP_2s (t->destination));
1842 /* Path is interesting (better by some metric, or we don't have
1843 enough paths yet). */
1844 ct = GNUNET_new (struct CadetTConnection);
1845 ct->created = GNUNET_TIME_absolute_get ();
1847 ct->cc = GCC_create (t->destination,
1850 &connection_ready_cb,
1852 /* FIXME: schedule job to kill connection (and path?) if it takes
1853 too long to get ready! (And track performance data on how long
1854 other connections took with the tunnel!)
1855 => Note: to be done within 'connection'-logic! */
1856 GNUNET_CONTAINER_DLL_insert (t->connection_head,
1859 t->num_connections++;
1860 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1861 "Found interesting path %s for tunnel %s, created connection %s\n",
1870 * Consider using the path @a p for the tunnel @a t.
1871 * The tunnel destination is at offset @a off in path @a p.
1873 * @param cls our tunnel
1874 * @param path a path to our destination
1875 * @param off offset of the destination on path @a path
1878 GCT_consider_path (struct CadetTunnel *t,
1879 struct CadetPeerPath *p,
1882 (void) consider_path_cb (t,
1891 * @param cls the `struct CadetTunnel` for which we decrypted the message
1892 * @param msg the message we received on the tunnel
1895 handle_plaintext_keepalive (void *cls,
1896 const struct GNUNET_MessageHeader *msg)
1898 struct CadetTunnel *t = cls;
1900 GNUNET_break (0); // FIXME
1905 * Check that @a msg is well-formed.
1907 * @param cls the `struct CadetTunnel` for which we decrypted the message
1908 * @param msg the message we received on the tunnel
1909 * @return #GNUNET_OK (any variable-size payload goes)
1912 check_plaintext_data (void *cls,
1913 const struct GNUNET_CADET_ChannelAppDataMessage *msg)
1920 * We received payload data for a channel. Locate the channel
1921 * and process the data, or return an error if the channel is unknown.
1923 * @param cls the `struct CadetTunnel` for which we decrypted the message
1924 * @param msg the message we received on the tunnel
1927 handle_plaintext_data (void *cls,
1928 const struct GNUNET_CADET_ChannelAppDataMessage *msg)
1930 struct CadetTunnel *t = cls;
1931 struct CadetChannel *ch;
1933 ch = lookup_channel (t,
1937 /* We don't know about such a channel, might have been destroyed on our
1938 end in the meantime, or never existed. Send back a DESTROY. */
1939 LOG (GNUNET_ERROR_TYPE_DEBUG,
1940 "Receicved %u bytes of application data for unknown channel %u, sending DESTROY\n",
1941 (unsigned int) (ntohs (msg->header.size) - sizeof (*msg)),
1942 ntohl (msg->ctn.cn));
1943 GCT_send_channel_destroy (t,
1947 GCCH_handle_channel_plaintext_data (ch,
1953 * We received an acknowledgement for data we sent on a channel.
1954 * Locate the channel and process it, or return an error if the
1955 * channel is unknown.
1957 * @param cls the `struct CadetTunnel` for which we decrypted the message
1958 * @param ack the message we received on the tunnel
1961 handle_plaintext_data_ack (void *cls,
1962 const struct GNUNET_CADET_ChannelDataAckMessage *ack)
1964 struct CadetTunnel *t = cls;
1965 struct CadetChannel *ch;
1967 ch = lookup_channel (t,
1971 /* We don't know about such a channel, might have been destroyed on our
1972 end in the meantime, or never existed. Send back a DESTROY. */
1973 LOG (GNUNET_ERROR_TYPE_DEBUG,
1974 "Receicved DATA_ACK for unknown channel %u, sending DESTROY\n",
1975 ntohl (ack->ctn.cn));
1976 GCT_send_channel_destroy (t,
1980 GCCH_handle_channel_plaintext_data_ack (ch,
1986 * We have received a request to open a channel to a port from
1987 * another peer. Creates the incoming channel.
1989 * @param cls the `struct CadetTunnel` for which we decrypted the message
1990 * @param cc the message we received on the tunnel
1993 handle_plaintext_channel_open (void *cls,
1994 const struct GNUNET_CADET_ChannelOpenMessage *cc)
1996 struct CadetTunnel *t = cls;
1997 struct CadetChannel *ch;
1998 struct GNUNET_CADET_ChannelTunnelNumber ctn;
2000 LOG (GNUNET_ERROR_TYPE_DEBUG,
2001 "Receicved channel OPEN on port %s from peer %s\n",
2002 GNUNET_h2s (&cc->port),
2003 GCP_2s (GCT_get_destination (t)));
2004 ctn = get_next_free_ctn (t);
2005 ch = GCCH_channel_incoming_new (t,
2009 GNUNET_assert (GNUNET_OK ==
2010 GNUNET_CONTAINER_multihashmap32_put (t->channels,
2013 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
2018 * Send a DESTROY message via the tunnel.
2020 * @param t the tunnel to transmit over
2021 * @param ctn ID of the channel to destroy
2024 GCT_send_channel_destroy (struct CadetTunnel *t,
2025 struct GNUNET_CADET_ChannelTunnelNumber ctn)
2027 struct GNUNET_CADET_ChannelManageMessage msg;
2029 LOG (GNUNET_ERROR_TYPE_DEBUG,
2030 "Sending DESTORY message for channel ID %u\n",
2032 msg.header.size = htons (sizeof (msg));
2033 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY);
2034 msg.reserved = htonl (0);
2044 * We have received confirmation from the target peer that the
2045 * given channel could be established (the port is open).
2048 * @param cls the `struct CadetTunnel` for which we decrypted the message
2049 * @param cm the message we received on the tunnel
2052 handle_plaintext_channel_open_ack (void *cls,
2053 const struct GNUNET_CADET_ChannelManageMessage *cm)
2055 struct CadetTunnel *t = cls;
2056 struct CadetChannel *ch;
2058 ch = lookup_channel (t,
2062 /* We don't know about such a channel, might have been destroyed on our
2063 end in the meantime, or never existed. Send back a DESTROY. */
2064 LOG (GNUNET_ERROR_TYPE_DEBUG,
2065 "Received channel OPEN_ACK for unknown channel, sending DESTROY\n",
2067 GCT_send_channel_destroy (t,
2071 GCCH_handle_channel_open_ack (ch);
2076 * We received a message saying that a channel should be destroyed.
2077 * Pass it on to the correct channel.
2079 * @param cls the `struct CadetTunnel` for which we decrypted the message
2080 * @param cm the message we received on the tunnel
2083 handle_plaintext_channel_destroy (void *cls,
2084 const struct GNUNET_CADET_ChannelManageMessage *cm)
2086 struct CadetTunnel *t = cls;
2087 struct CadetChannel *ch;
2089 ch = lookup_channel (t,
2093 /* We don't know about such a channel, might have been destroyed on our
2094 end in the meantime, or never existed. */
2095 LOG (GNUNET_ERROR_TYPE_DEBUG,
2096 "Received channel DESTORY for unknown channel. Ignoring.\n",
2100 GCCH_handle_remote_destroy (ch);
2105 * Handles a message we decrypted, by injecting it into
2106 * our message queue (which will do the dispatching).
2108 * @param cls the `struct CadetTunnel` that got the message
2109 * @param msg the message
2110 * @return #GNUNET_OK (continue to process)
2113 handle_decrypted (void *cls,
2114 const struct GNUNET_MessageHeader *msg)
2116 struct CadetTunnel *t = cls;
2118 GNUNET_MQ_inject_message (t->mq,
2125 * Function called if we had an error processing
2126 * an incoming decrypted message.
2128 * @param cls the `struct CadetTunnel`
2129 * @param error error code
2132 decrypted_error_cb (void *cls,
2133 enum GNUNET_MQ_Error error)
2135 GNUNET_break_op (0);
2140 * Create a tunnel to @a destionation. Must only be called
2141 * from within #GCP_get_tunnel().
2143 * @param destination where to create the tunnel to
2144 * @return new tunnel to @a destination
2146 struct CadetTunnel *
2147 GCT_create_tunnel (struct CadetPeer *destination)
2149 struct GNUNET_MQ_MessageHandler handlers[] = {
2150 GNUNET_MQ_hd_fixed_size (plaintext_keepalive,
2151 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_KEEPALIVE,
2152 struct GNUNET_MessageHeader,
2154 GNUNET_MQ_hd_var_size (plaintext_data,
2155 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_APP_DATA,
2156 struct GNUNET_CADET_ChannelAppDataMessage,
2158 GNUNET_MQ_hd_fixed_size (plaintext_data_ack,
2159 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_APP_DATA_ACK,
2160 struct GNUNET_CADET_ChannelDataAckMessage,
2162 GNUNET_MQ_hd_fixed_size (plaintext_channel_open,
2163 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN,
2164 struct GNUNET_CADET_ChannelOpenMessage,
2166 GNUNET_MQ_hd_fixed_size (plaintext_channel_open_ack,
2167 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN_ACK,
2168 struct GNUNET_CADET_ChannelManageMessage,
2170 GNUNET_MQ_hd_fixed_size (plaintext_channel_destroy,
2171 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY,
2172 struct GNUNET_CADET_ChannelManageMessage,
2174 GNUNET_MQ_handler_end ()
2176 struct CadetTunnel *t;
2178 t = GNUNET_new (struct CadetTunnel);
2180 t->ax.kx_0 = GNUNET_CRYPTO_ecdhe_key_create ();
2181 t->destination = destination;
2182 t->channels = GNUNET_CONTAINER_multihashmap32_create (8);
2183 (void) GCP_iterate_paths (destination,
2186 t->maintain_connections_task
2187 = GNUNET_SCHEDULER_add_now (&maintain_connections_cb,
2189 t->mq = GNUNET_MQ_queue_for_callbacks (NULL,
2194 &decrypted_error_cb,
2196 t->mst = GNUNET_MST_create (&handle_decrypted,
2203 * Add a @a connection to the @a tunnel.
2206 * @param cid connection identifer to use for the connection
2207 * @param path path to use for the connection
2210 GCT_add_inbound_connection (struct CadetTunnel *t,
2211 const struct GNUNET_CADET_ConnectionTunnelIdentifier *cid,
2212 struct CadetPeerPath *path)
2214 struct CadetTConnection *ct;
2216 ct = GNUNET_new (struct CadetTConnection);
2217 ct->created = GNUNET_TIME_absolute_get ();
2219 ct->cc = GCC_create_inbound (t->destination,
2223 &connection_ready_cb,
2225 /* FIXME: schedule job to kill connection (and path?) if it takes
2226 too long to get ready! (And track performance data on how long
2227 other connections took with the tunnel!)
2228 => Note: to be done within 'connection'-logic! */
2229 GNUNET_CONTAINER_DLL_insert (t->connection_head,
2232 t->num_connections++;
2233 LOG (GNUNET_ERROR_TYPE_DEBUG,
2234 "Tunnel %s has new connection %s\n",
2241 * Handle encrypted message.
2243 * @param ct connection/tunnel combo that received encrypted message
2244 * @param msg the encrypted message to decrypt
2247 GCT_handle_encrypted (struct CadetTConnection *ct,
2248 const struct GNUNET_CADET_TunnelEncryptedMessage *msg)
2250 struct CadetTunnel *t = ct->t;
2251 uint16_t size = ntohs (msg->header.size);
2252 char cbuf [size] GNUNET_ALIGN;
2253 ssize_t decrypted_size;
2255 LOG (GNUNET_ERROR_TYPE_DEBUG,
2256 "Tunnel %s received %u bytes of encrypted data in state %d\n",
2258 (unsigned int) size,
2263 case CADET_TUNNEL_KEY_UNINITIALIZED:
2264 /* We did not even SEND our KX, how can the other peer
2265 send us encrypted data? */
2266 GNUNET_break_op (0);
2268 case CADET_TUNNEL_KEY_SENT:
2269 /* We did not get the KX of the other peer, but that
2270 might have been lost. Ask for KX again. */
2271 GNUNET_STATISTICS_update (stats,
2272 "# received encrypted without KX",
2275 if (NULL != t->kx_task)
2276 GNUNET_SCHEDULER_cancel (t->kx_task);
2277 t->kx_task = GNUNET_SCHEDULER_add_now (&retry_kx,
2280 case CADET_TUNNEL_KEY_PING:
2281 /* Great, first payload, we might graduate to OK */
2282 case CADET_TUNNEL_KEY_OK:
2283 case CADET_TUNNEL_KEY_REKEY:
2287 GNUNET_STATISTICS_update (stats,
2288 "# received encrypted",
2291 decrypted_size = t_ax_decrypt_and_validate (t,
2296 if (-1 == decrypted_size)
2298 GNUNET_break_op (0);
2299 LOG (GNUNET_ERROR_TYPE_WARNING,
2300 "Tunnel %s failed to decrypt and validate encrypted data\n",
2302 GNUNET_STATISTICS_update (stats,
2303 "# unable to decrypt",
2308 if (CADET_TUNNEL_KEY_PING == t->estate)
2310 GCT_change_estate (t,
2311 CADET_TUNNEL_KEY_OK);
2312 trigger_transmissions (t);
2314 /* The MST will ultimately call #handle_decrypted() on each message. */
2315 GNUNET_break_op (GNUNET_OK ==
2316 GNUNET_MST_from_buffer (t->mst,
2325 * Sends an already built message on a tunnel, encrypting it and
2326 * choosing the best connection if not provided.
2328 * @param message Message to send. Function modifies it.
2329 * @param t Tunnel on which this message is transmitted.
2330 * @param cont Continuation to call once message is really sent.
2331 * @param cont_cls Closure for @c cont.
2332 * @return Handle to cancel message. NULL if @c cont is NULL.
2334 struct CadetTunnelQueueEntry *
2335 GCT_send (struct CadetTunnel *t,
2336 const struct GNUNET_MessageHeader *message,
2337 GNUNET_SCHEDULER_TaskCallback cont,
2340 struct CadetTunnelQueueEntry *tq;
2341 uint16_t payload_size;
2342 struct GNUNET_MQ_Envelope *env;
2343 struct GNUNET_CADET_TunnelEncryptedMessage *ax_msg;
2345 payload_size = ntohs (message->size);
2346 LOG (GNUNET_ERROR_TYPE_DEBUG,
2347 "Encrypting %u bytes of for tunnel %s\n",
2348 (unsigned int) payload_size,
2350 env = GNUNET_MQ_msg_extra (ax_msg,
2352 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_ENCRYPTED);
2357 ax_msg->Ns = htonl (t->ax.Ns++);
2358 ax_msg->PNs = htonl (t->ax.PNs);
2359 GNUNET_CRYPTO_ecdhe_key_get_public (t->ax.DHRs,
2363 t_hmac (&ax_msg->Ns,
2364 AX_HEADER_SIZE + payload_size,
2369 tq = GNUNET_malloc (sizeof (*tq));
2372 tq->cid = &ax_msg->cid; /* will initialize 'ax_msg->cid' once we know the connection */
2374 tq->cont_cls = cont_cls;
2375 GNUNET_CONTAINER_DLL_insert_tail (t->tq_head,
2378 trigger_transmissions (t);
2384 * Cancel a previously sent message while it's in the queue.
2386 * ONLY can be called before the continuation given to the send
2387 * function is called. Once the continuation is called, the message is
2388 * no longer in the queue!
2390 * @param tq Handle to the queue entry to cancel.
2393 GCT_send_cancel (struct CadetTunnelQueueEntry *tq)
2395 struct CadetTunnel *t = tq->t;
2397 GNUNET_CONTAINER_DLL_remove (t->tq_head,
2400 GNUNET_MQ_discard (tq->env);
2406 * Iterate over all connections of a tunnel.
2408 * @param t Tunnel whose connections to iterate.
2409 * @param iter Iterator.
2410 * @param iter_cls Closure for @c iter.
2413 GCT_iterate_connections (struct CadetTunnel *t,
2414 GCT_ConnectionIterator iter,
2417 for (struct CadetTConnection *ct = t->connection_head;
2426 * Closure for #iterate_channels_cb.
2433 GCT_ChannelIterator iter;
2436 * Closure for @e iter.
2443 * Helper function for #GCT_iterate_channels.
2445 * @param cls the `struct ChanIterCls`
2447 * @param value a `struct CadetChannel`
2448 * @return #GNUNET_OK
2451 iterate_channels_cb (void *cls,
2455 struct ChanIterCls *ctx = cls;
2456 struct CadetChannel *ch = value;
2458 ctx->iter (ctx->iter_cls,
2465 * Iterate over all channels of a tunnel.
2467 * @param t Tunnel whose channels to iterate.
2468 * @param iter Iterator.
2469 * @param iter_cls Closure for @c iter.
2472 GCT_iterate_channels (struct CadetTunnel *t,
2473 GCT_ChannelIterator iter,
2476 struct ChanIterCls ctx;
2479 ctx.iter_cls = iter_cls;
2480 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
2481 &iterate_channels_cb,
2488 * Call #GCCH_debug() on a channel.
2490 * @param cls points to the log level to use
2492 * @param value the `struct CadetChannel` to dump
2493 * @return #GNUNET_OK (continue iteration)
2496 debug_channel (void *cls,
2500 const enum GNUNET_ErrorType *level = cls;
2501 struct CadetChannel *ch = value;
2503 GCCH_debug (ch, *level);
2508 #define LOG2(level, ...) GNUNET_log_from_nocheck(level,"cadet-tun",__VA_ARGS__)
2512 * Log all possible info about the tunnel state.
2514 * @param t Tunnel to debug.
2515 * @param level Debug level to use.
2518 GCT_debug (const struct CadetTunnel *t,
2519 enum GNUNET_ErrorType level)
2521 struct CadetTConnection *iter_c;
2524 do_log = GNUNET_get_log_call_status (level & (~GNUNET_ERROR_TYPE_BULK),
2526 __FILE__, __FUNCTION__, __LINE__);
2531 "TTT TUNNEL TOWARDS %s in estate %s tq_len: %u #cons: %u\n",
2533 estate2s (t->estate),
2535 t->num_connections);
2536 #if DUMP_KEYS_TO_STDERR
2537 ax_debug (t->ax, level);
2541 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
2545 "TTT connections:\n");
2546 for (iter_c = t->connection_head; NULL != iter_c; iter_c = iter_c->next)
2547 GCC_debug (iter_c->cc,
2551 "TTT TUNNEL END\n");
2555 /* end of gnunet-service-cadet-new_tunnels.c */