2 This file is part of GNUnet.
3 Copyright (C) 2013, 2017 GNUnet e.V.
5 GNUnet is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published
7 by the Free Software Foundation; either version 3, or (at your
8 option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with GNUnet; see the file COPYING. If not, write to the
17 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
18 Boston, MA 02110-1301, USA.
21 * @file cadet/gnunet-service-cadet-new_tunnels.c
22 * @brief Information we track per tunnel.
23 * @author Bartlomiej Polot
24 * @author Christian Grothoff
27 * - proper connection evaluation during connection management:
28 * + consider quality (or quality spread?) of current connection set
29 * when deciding how often to do maintenance
30 * + interact with PEER to drive DHT GET/PUT operations based
31 * on how much we like our connections
34 #include "gnunet_util_lib.h"
35 #include "gnunet_statistics_service.h"
36 #include "gnunet_signatures.h"
37 #include "gnunet-service-cadet-new.h"
38 #include "cadet_protocol.h"
39 #include "gnunet-service-cadet-new_channel.h"
40 #include "gnunet-service-cadet-new_connection.h"
41 #include "gnunet-service-cadet-new_tunnels.h"
42 #include "gnunet-service-cadet-new_peer.h"
43 #include "gnunet-service-cadet-new_paths.h"
46 #define LOG(level, ...) GNUNET_log_from(level,"cadet-tun",__VA_ARGS__)
49 * How often do we try to decrypt payload with unverified key
50 * material? Used to limit CPU increase upon receiving bogus
53 #define MAX_UNVERIFIED_ATTEMPTS 16
56 * How long do we wait until tearing down an idle tunnel?
58 #define IDLE_DESTROY_DELAY GNUNET_TIME_relative_multiply(GNUNET_TIME_UNIT_SECONDS, 90)
61 * How long do we wait initially before retransmitting the KX?
62 * TODO: replace by 2 RTT if/once we have connection-level RTT data!
64 #define INITIAL_KX_RETRY_DELAY GNUNET_TIME_relative_multiply(GNUNET_TIME_UNIT_MILLISECONDS, 250)
67 * Maximum number of skipped keys we keep in memory per tunnel.
69 #define MAX_SKIPPED_KEYS 64
72 * Maximum number of keys (and thus ratchet steps) we are willing to
73 * skip before we decide this is either a bogus packet or a DoS-attempt.
75 #define MAX_KEY_GAP 256
79 * Struct to old keys for skipped messages while advancing the Axolotl ratchet.
81 struct CadetTunnelSkippedKey
86 struct CadetTunnelSkippedKey *next;
91 struct CadetTunnelSkippedKey *prev;
94 * When was this key stored (for timeout).
96 struct GNUNET_TIME_Absolute timestamp;
101 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
106 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
109 * Key number for a given HK.
116 * Axolotl data, according to https://github.com/trevp/axolotl/wiki .
118 struct CadetTunnelAxolotl
121 * A (double linked) list of stored message keys and associated header keys
122 * for "skipped" messages, i.e. messages that have not been
123 * received despite the reception of more recent messages, (head).
125 struct CadetTunnelSkippedKey *skipped_head;
128 * Skipped messages' keys DLL, tail.
130 struct CadetTunnelSkippedKey *skipped_tail;
133 * 32-byte root key which gets updated by DH ratchet.
135 struct GNUNET_CRYPTO_SymmetricSessionKey RK;
138 * 32-byte header key (currently used for sending).
140 struct GNUNET_CRYPTO_SymmetricSessionKey HKs;
143 * 32-byte header key (currently used for receiving)
145 struct GNUNET_CRYPTO_SymmetricSessionKey HKr;
148 * 32-byte next header key (for sending), used once the
149 * ratchet advances. We are sure that the sender has this
150 * key as well only after @e ratchet_allowed is #GNUNET_YES.
152 struct GNUNET_CRYPTO_SymmetricSessionKey NHKs;
155 * 32-byte next header key (for receiving). To be tried
156 * when decrypting with @e HKr fails and thus the sender
157 * may have advanced the ratchet.
159 struct GNUNET_CRYPTO_SymmetricSessionKey NHKr;
162 * 32-byte chain keys (used for forward-secrecy) for
163 * sending messages. Updated for every message.
165 struct GNUNET_CRYPTO_SymmetricSessionKey CKs;
168 * 32-byte chain keys (used for forward-secrecy) for
169 * receiving messages. Updated for every message. If
170 * messages are skipped, the respective derived MKs
171 * (and the current @HKr) are kept in the @e skipped_head DLL.
173 struct GNUNET_CRYPTO_SymmetricSessionKey CKr;
176 * ECDH for key exchange (A0 / B0).
178 struct GNUNET_CRYPTO_EcdhePrivateKey kx_0;
181 * ECDH Ratchet key (our private key in the current DH).
183 struct GNUNET_CRYPTO_EcdhePrivateKey DHRs;
186 * ECDH Ratchet key (other peer's public key in the current DH).
188 struct GNUNET_CRYPTO_EcdhePublicKey DHRr;
191 * Time when the current ratchet expires and a new one is triggered
192 * (if @e ratchet_allowed is #GNUNET_YES).
194 struct GNUNET_TIME_Absolute ratchet_expiration;
197 * Number of elements in @a skipped_head <-> @a skipped_tail.
199 unsigned int skipped;
202 * Message number (reset to 0 with each new ratchet, next message to send).
207 * Message number (reset to 0 with each new ratchet, next message to recv).
212 * Previous message numbers (# of msgs sent under prev ratchet)
217 * True (#GNUNET_YES) if we have to send a new ratchet key in next msg.
222 * True (#GNUNET_YES) if we have received a message from the
223 * other peer that uses the keys from our last ratchet step.
224 * This implies that we are again allowed to advance the ratchet,
225 * otherwise we have to wait until the other peer sees our current
226 * ephemeral key and advances first.
228 * #GNUNET_NO if we have advanced the ratched but lack any evidence
229 * that the other peer has noticed this.
234 * Number of messages recieved since our last ratchet advance.
236 * If this counter = 0, we cannot send a new ratchet key in the next
239 * If this counter > 0, we could (but don't have to) send a new key.
241 * Once the @e ratchet_counter is larger than
242 * #ratchet_messages (or @e ratchet_expiration time has past), and
243 * @e ratchet_allowed is #GNUNET_YES, we advance the ratchet.
245 unsigned int ratchet_counter;
251 * Struct used to save messages in a non-ready tunnel to send once connected.
253 struct CadetTunnelQueueEntry
256 * We are entries in a DLL
258 struct CadetTunnelQueueEntry *next;
261 * We are entries in a DLL
263 struct CadetTunnelQueueEntry *prev;
266 * Tunnel these messages belong in.
268 struct CadetTunnel *t;
271 * Continuation to call once sent (on the channel layer).
273 GCT_SendContinuation cont;
276 * Closure for @c cont.
281 * Envelope of message to send follows.
283 struct GNUNET_MQ_Envelope *env;
286 * Where to put the connection identifier into the payload
287 * of the message in @e env once we have it?
289 struct GNUNET_CADET_ConnectionTunnelIdentifier *cid;
294 * Struct containing all information regarding a tunnel to a peer.
299 * Destination of the tunnel.
301 struct CadetPeer *destination;
304 * Peer's ephemeral key, to recreate @c e_key and @c d_key when own
305 * ephemeral key changes.
307 struct GNUNET_CRYPTO_EcdhePublicKey peers_ephemeral_key;
310 * Encryption ("our") key. It is only "confirmed" if kx_ctx is NULL.
312 struct GNUNET_CRYPTO_SymmetricSessionKey e_key;
315 * Decryption ("their") key. It is only "confirmed" if kx_ctx is NULL.
317 struct GNUNET_CRYPTO_SymmetricSessionKey d_key;
322 struct CadetTunnelAxolotl ax;
325 * Unverified Axolotl info, used only if we got a fresh KX (not a
326 * KX_AUTH) while our end of the tunnel was still up. In this case,
327 * we keep the fresh KX around but do not put it into action until
328 * we got encrypted payload that assures us of the authenticity of
331 struct CadetTunnelAxolotl *unverified_ax;
334 * Task scheduled if there are no more channels using the tunnel.
336 struct GNUNET_SCHEDULER_Task *destroy_task;
339 * Task to trim connections if too many are present.
341 struct GNUNET_SCHEDULER_Task *maintain_connections_task;
344 * Task to send messages from queue (if possible).
346 struct GNUNET_SCHEDULER_Task *send_task;
349 * Task to trigger KX.
351 struct GNUNET_SCHEDULER_Task *kx_task;
354 * Tokenizer for decrypted messages.
356 struct GNUNET_MessageStreamTokenizer *mst;
359 * Dispatcher for decrypted messages only (do NOT use for sending!).
361 struct GNUNET_MQ_Handle *mq;
364 * DLL of ready connections that are actively used to reach the destination peer.
366 struct CadetTConnection *connection_ready_head;
369 * DLL of ready connections that are actively used to reach the destination peer.
371 struct CadetTConnection *connection_ready_tail;
374 * DLL of connections that we maintain that might be used to reach the destination peer.
376 struct CadetTConnection *connection_busy_head;
379 * DLL of connections that we maintain that might be used to reach the destination peer.
381 struct CadetTConnection *connection_busy_tail;
384 * Channels inside this tunnel. Maps
385 * `struct GNUNET_CADET_ChannelTunnelNumber` to a `struct CadetChannel`.
387 struct GNUNET_CONTAINER_MultiHashMap32 *channels;
390 * Channel ID for the next created channel in this tunnel.
392 struct GNUNET_CADET_ChannelTunnelNumber next_ctn;
395 * Queued messages, to transmit once tunnel gets connected.
397 struct CadetTunnelQueueEntry *tq_head;
400 * Queued messages, to transmit once tunnel gets connected.
402 struct CadetTunnelQueueEntry *tq_tail;
405 * Identification of the connection from which we are currently processing
406 * a message. Only valid (non-NULL) during #handle_decrypted() and the
407 * handle-*()-functions called from our @e mq during that function.
409 struct CadetTConnection *current_ct;
412 * How long do we wait until we retry the KX?
414 struct GNUNET_TIME_Relative kx_retry_delay;
417 * When do we try the next KX?
419 struct GNUNET_TIME_Absolute next_kx_attempt;
422 * Number of connections in the @e connection_ready_head DLL.
424 unsigned int num_ready_connections;
427 * Number of connections in the @e connection_busy_head DLL.
429 unsigned int num_busy_connections;
432 * How often have we tried and failed to decrypt a message using
433 * the unverified KX material from @e unverified_ax? Used to
434 * stop trying after #MAX_UNVERIFIED_ATTEMPTS.
436 unsigned int unverified_attempts;
439 * Number of entries in the @e tq_head DLL.
444 * State of the tunnel encryption.
446 enum CadetTunnelEState estate;
449 * Force triggering KX_AUTH independent of @e estate.
451 int kx_auth_requested;
457 * Connection @a ct is now unready, clear it's ready flag
458 * and move it from the ready DLL to the busy DLL.
460 * @param ct connection to move to unready status
463 mark_connection_unready (struct CadetTConnection *ct)
465 struct CadetTunnel *t = ct->t;
467 GNUNET_assert (GNUNET_YES == ct->is_ready);
468 GNUNET_CONTAINER_DLL_remove (t->connection_ready_head,
469 t->connection_ready_tail,
471 GNUNET_assert (0 < t->num_ready_connections);
472 t->num_ready_connections--;
473 ct->is_ready = GNUNET_NO;
474 GNUNET_CONTAINER_DLL_insert (t->connection_busy_head,
475 t->connection_busy_tail,
477 t->num_busy_connections++;
482 * Get the static string for the peer this tunnel is directed.
486 * @return Static string the destination peer's ID.
489 GCT_2s (const struct CadetTunnel *t)
494 return "Tunnel(NULL)";
495 GNUNET_snprintf (buf,
498 GNUNET_i2s (GCP_get_id (t->destination)));
504 * Get string description for tunnel encryption state.
506 * @param es Tunnel state.
508 * @return String representation.
511 estate2s (enum CadetTunnelEState es)
517 case CADET_TUNNEL_KEY_UNINITIALIZED:
518 return "CADET_TUNNEL_KEY_UNINITIALIZED";
519 case CADET_TUNNEL_KEY_AX_RECV:
520 return "CADET_TUNNEL_KEY_AX_RECV";
521 case CADET_TUNNEL_KEY_AX_SENT:
522 return "CADET_TUNNEL_KEY_AX_SENT";
523 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
524 return "CADET_TUNNEL_KEY_AX_SENT_AND_RECV";
525 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
526 return "CADET_TUNNEL_KEY_AX_AUTH_SENT";
527 case CADET_TUNNEL_KEY_OK:
528 return "CADET_TUNNEL_KEY_OK";
530 GNUNET_snprintf (buf,
532 "%u (UNKNOWN STATE)",
540 * Return the peer to which this tunnel goes.
543 * @return the destination of the tunnel
546 GCT_get_destination (struct CadetTunnel *t)
548 return t->destination;
553 * Count channels of a tunnel.
555 * @param t Tunnel on which to count.
557 * @return Number of channels.
560 GCT_count_channels (struct CadetTunnel *t)
562 return GNUNET_CONTAINER_multihashmap32_size (t->channels);
567 * Lookup a channel by its @a ctn.
569 * @param t tunnel to look in
570 * @param ctn number of channel to find
571 * @return NULL if channel does not exist
573 struct CadetChannel *
574 lookup_channel (struct CadetTunnel *t,
575 struct GNUNET_CADET_ChannelTunnelNumber ctn)
577 return GNUNET_CONTAINER_multihashmap32_get (t->channels,
583 * Count all created connections of a tunnel. Not necessarily ready connections!
585 * @param t Tunnel on which to count.
587 * @return Number of connections created, either being established or ready.
590 GCT_count_any_connections (const struct CadetTunnel *t)
592 return t->num_ready_connections + t->num_busy_connections;
597 * Find first connection that is ready in the list of
598 * our connections. Picks ready connections round-robin.
600 * @param t tunnel to search
601 * @return NULL if we have no connection that is ready
603 static struct CadetTConnection *
604 get_ready_connection (struct CadetTunnel *t)
606 return t->connection_ready_head;
611 * Get the encryption state of a tunnel.
615 * @return Tunnel's encryption state.
617 enum CadetTunnelEState
618 GCT_get_estate (struct CadetTunnel *t)
625 * Called when either we have a new connection, or a new message in the
626 * queue, or some existing connection has transmission capacity. Looks
627 * at our message queue and if there is a message, picks a connection
630 * @param cls the `struct CadetTunnel` to process messages on
633 trigger_transmissions (void *cls);
636 /* ************************************** start core crypto ***************************** */
640 * Create a new Axolotl ephemeral (ratchet) key.
642 * @param ax key material to update
645 new_ephemeral (struct CadetTunnelAxolotl *ax)
647 LOG (GNUNET_ERROR_TYPE_DEBUG,
648 "Creating new ephemeral ratchet key (DHRs)\n");
649 GNUNET_assert (GNUNET_OK ==
650 GNUNET_CRYPTO_ecdhe_key_create2 (&ax->DHRs));
657 * @param plaintext Content to HMAC.
658 * @param size Size of @c plaintext.
659 * @param iv Initialization vector for the message.
660 * @param key Key to use.
661 * @param hmac[out] Destination to store the HMAC.
664 t_hmac (const void *plaintext,
667 const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
668 struct GNUNET_ShortHashCode *hmac)
670 static const char ctx[] = "cadet authentication key";
671 struct GNUNET_CRYPTO_AuthKey auth_key;
672 struct GNUNET_HashCode hash;
674 GNUNET_CRYPTO_hmac_derive_key (&auth_key,
680 /* Two step: GNUNET_ShortHash is only 256 bits,
681 GNUNET_HashCode is 512, so we truncate. */
682 GNUNET_CRYPTO_hmac (&auth_key,
695 * @param key Key to use.
696 * @param[out] hash Resulting HMAC.
697 * @param source Source key material (data to HMAC).
698 * @param len Length of @a source.
701 t_ax_hmac_hash (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
702 struct GNUNET_HashCode *hash,
706 static const char ctx[] = "axolotl HMAC-HASH";
707 struct GNUNET_CRYPTO_AuthKey auth_key;
709 GNUNET_CRYPTO_hmac_derive_key (&auth_key,
713 GNUNET_CRYPTO_hmac (&auth_key,
721 * Derive a symmetric encryption key from an HMAC-HASH.
723 * @param key Key to use for the HMAC.
724 * @param[out] out Key to generate.
725 * @param source Source key material (data to HMAC).
726 * @param len Length of @a source.
729 t_hmac_derive_key (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
730 struct GNUNET_CRYPTO_SymmetricSessionKey *out,
734 static const char ctx[] = "axolotl derive key";
735 struct GNUNET_HashCode h;
741 GNUNET_CRYPTO_kdf (out, sizeof (*out),
749 * Encrypt data with the axolotl tunnel key.
751 * @param ax key material to use.
752 * @param dst Destination with @a size bytes for the encrypted data.
753 * @param src Source of the plaintext. Can overlap with @c dst, must contain @a size bytes
754 * @param size Size of the buffers at @a src and @a dst
757 t_ax_encrypt (struct CadetTunnelAxolotl *ax,
762 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
763 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
766 ax->ratchet_counter++;
767 if ( (GNUNET_YES == ax->ratchet_allowed) &&
768 ( (ratchet_messages <= ax->ratchet_counter) ||
769 (0 == GNUNET_TIME_absolute_get_remaining (ax->ratchet_expiration).rel_value_us)) )
771 ax->ratchet_flag = GNUNET_YES;
773 if (GNUNET_YES == ax->ratchet_flag)
775 /* Advance ratchet */
776 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3];
777 struct GNUNET_HashCode dh;
778 struct GNUNET_HashCode hmac;
779 static const char ctx[] = "axolotl ratchet";
784 /* RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) ) */
785 GNUNET_CRYPTO_ecc_ecdh (&ax->DHRs,
788 t_ax_hmac_hash (&ax->RK,
792 GNUNET_CRYPTO_kdf (keys, sizeof (keys),
794 &hmac, sizeof (hmac),
802 ax->ratchet_flag = GNUNET_NO;
803 ax->ratchet_allowed = GNUNET_NO;
804 ax->ratchet_counter = 0;
805 ax->ratchet_expiration
806 = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(),
810 t_hmac_derive_key (&ax->CKs,
814 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
819 out_size = GNUNET_CRYPTO_symmetric_encrypt (src,
824 GNUNET_assert (size == out_size);
825 t_hmac_derive_key (&ax->CKs,
833 * Decrypt data with the axolotl tunnel key.
835 * @param ax key material to use.
836 * @param dst Destination for the decrypted data, must contain @a size bytes.
837 * @param src Source of the ciphertext. Can overlap with @c dst, must contain @a size bytes.
838 * @param size Size of the @a src and @a dst buffers
841 t_ax_decrypt (struct CadetTunnelAxolotl *ax,
846 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
847 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
850 t_hmac_derive_key (&ax->CKr,
854 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
858 GNUNET_assert (size >= sizeof (struct GNUNET_MessageHeader));
859 out_size = GNUNET_CRYPTO_symmetric_decrypt (src,
864 GNUNET_assert (out_size == size);
865 t_hmac_derive_key (&ax->CKr,
873 * Encrypt header with the axolotl header key.
875 * @param ax key material to use.
876 * @param[in|out] msg Message whose header to encrypt.
879 t_h_encrypt (struct CadetTunnelAxolotl *ax,
880 struct GNUNET_CADET_TunnelEncryptedMessage *msg)
882 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
885 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
889 out_size = GNUNET_CRYPTO_symmetric_encrypt (&msg->ax_header,
890 sizeof (struct GNUNET_CADET_AxHeader),
894 GNUNET_assert (sizeof (struct GNUNET_CADET_AxHeader) == out_size);
899 * Decrypt header with the current axolotl header key.
901 * @param ax key material to use.
902 * @param src Message whose header to decrypt.
903 * @param dst Where to decrypt header to.
906 t_h_decrypt (struct CadetTunnelAxolotl *ax,
907 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
908 struct GNUNET_CADET_TunnelEncryptedMessage *dst)
910 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
913 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
917 out_size = GNUNET_CRYPTO_symmetric_decrypt (&src->ax_header.Ns,
918 sizeof (struct GNUNET_CADET_AxHeader),
922 GNUNET_assert (sizeof (struct GNUNET_CADET_AxHeader) == out_size);
927 * Delete a key from the list of skipped keys.
929 * @param ax key material to delete @a key from.
930 * @param key Key to delete.
933 delete_skipped_key (struct CadetTunnelAxolotl *ax,
934 struct CadetTunnelSkippedKey *key)
936 GNUNET_CONTAINER_DLL_remove (ax->skipped_head,
945 * Decrypt and verify data with the appropriate tunnel key and verify that the
946 * data has not been altered since it was sent by the remote peer.
948 * @param ax key material to use.
949 * @param dst Destination for the plaintext.
950 * @param src Source of the message. Can overlap with @c dst.
951 * @param size Size of the message.
952 * @return Size of the decrypted data, -1 if an error was encountered.
955 try_old_ax_keys (struct CadetTunnelAxolotl *ax,
957 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
960 struct CadetTunnelSkippedKey *key;
961 struct GNUNET_ShortHashCode *hmac;
962 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
963 struct GNUNET_CADET_TunnelEncryptedMessage plaintext_header;
964 struct GNUNET_CRYPTO_SymmetricSessionKey *valid_HK;
970 LOG (GNUNET_ERROR_TYPE_DEBUG,
971 "Trying skipped keys\n");
972 hmac = &plaintext_header.hmac;
973 esize = size - sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
975 /* Find a correct Header Key */
977 for (key = ax->skipped_head; NULL != key; key = key->next)
979 t_hmac (&src->ax_header,
980 sizeof (struct GNUNET_CADET_AxHeader) + esize,
984 if (0 == memcmp (hmac,
995 /* Should've been checked in -cadet_connection.c handle_cadet_encrypted. */
996 GNUNET_assert (size > sizeof (struct GNUNET_CADET_TunnelEncryptedMessage));
997 len = size - sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
998 GNUNET_assert (len >= sizeof (struct GNUNET_MessageHeader));
1000 /* Decrypt header */
1001 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
1005 res = GNUNET_CRYPTO_symmetric_decrypt (&src->ax_header.Ns,
1006 sizeof (struct GNUNET_CADET_AxHeader),
1009 &plaintext_header.ax_header.Ns);
1010 GNUNET_assert (sizeof (struct GNUNET_CADET_AxHeader) == res);
1012 /* Find the correct message key */
1013 N = ntohl (plaintext_header.ax_header.Ns);
1014 while ( (NULL != key) &&
1017 if ( (NULL == key) ||
1018 (0 != memcmp (&key->HK,
1020 sizeof (*valid_HK))) )
1023 /* Decrypt payload */
1024 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
1029 res = GNUNET_CRYPTO_symmetric_decrypt (&src[1],
1034 delete_skipped_key (ax,
1041 * Delete a key from the list of skipped keys.
1043 * @param ax key material to delete from.
1044 * @param HKr Header Key to use.
1047 store_skipped_key (struct CadetTunnelAxolotl *ax,
1048 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr)
1050 struct CadetTunnelSkippedKey *key;
1052 key = GNUNET_new (struct CadetTunnelSkippedKey);
1053 key->timestamp = GNUNET_TIME_absolute_get ();
1056 t_hmac_derive_key (&ax->CKr,
1060 t_hmac_derive_key (&ax->CKr,
1064 GNUNET_CONTAINER_DLL_insert (ax->skipped_head,
1073 * Stage skipped AX keys and calculate the message key.
1074 * Stores each HK and MK for skipped messages.
1076 * @param ax key material to use
1077 * @param HKr Header key.
1078 * @param Np Received meesage number.
1079 * @return #GNUNET_OK if keys were stored.
1080 * #GNUNET_SYSERR if an error ocurred (@a Np not expected).
1083 store_ax_keys (struct CadetTunnelAxolotl *ax,
1084 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr,
1090 LOG (GNUNET_ERROR_TYPE_DEBUG,
1091 "Storing skipped keys [%u, %u)\n",
1094 if (MAX_KEY_GAP < gap)
1096 /* Avoid DoS (forcing peer to do more than #MAX_KEY_GAP HMAC operations) */
1097 /* TODO: start new key exchange on return */
1098 GNUNET_break_op (0);
1099 LOG (GNUNET_ERROR_TYPE_WARNING,
1100 "Got message %u, expected %u+\n",
1103 return GNUNET_SYSERR;
1107 /* Delayed message: don't store keys, flag to try old keys. */
1108 return GNUNET_SYSERR;
1112 store_skipped_key (ax,
1115 while (ax->skipped > MAX_SKIPPED_KEYS)
1116 delete_skipped_key (ax,
1123 * Decrypt and verify data with the appropriate tunnel key and verify that the
1124 * data has not been altered since it was sent by the remote peer.
1126 * @param ax key material to use
1127 * @param dst Destination for the plaintext.
1128 * @param src Source of the message. Can overlap with @c dst.
1129 * @param size Size of the message.
1130 * @return Size of the decrypted data, -1 if an error was encountered.
1133 t_ax_decrypt_and_validate (struct CadetTunnelAxolotl *ax,
1135 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
1138 struct GNUNET_ShortHashCode msg_hmac;
1139 struct GNUNET_HashCode hmac;
1140 struct GNUNET_CADET_TunnelEncryptedMessage plaintext_header;
1143 size_t esize; /* Size of encryped payload */
1145 esize = size - sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
1147 /* Try current HK */
1148 t_hmac (&src->ax_header,
1149 sizeof (struct GNUNET_CADET_AxHeader) + esize,
1152 if (0 != memcmp (&msg_hmac,
1156 static const char ctx[] = "axolotl ratchet";
1157 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3]; /* RKp, NHKp, CKp */
1158 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
1159 struct GNUNET_HashCode dh;
1160 struct GNUNET_CRYPTO_EcdhePublicKey *DHRp;
1163 t_hmac (&src->ax_header,
1164 sizeof (struct GNUNET_CADET_AxHeader) + esize,
1168 if (0 != memcmp (&msg_hmac,
1172 /* Try the skipped keys, if that fails, we're out of luck. */
1173 return try_old_ax_keys (ax,
1183 Np = ntohl (plaintext_header.ax_header.Ns);
1184 PNp = ntohl (plaintext_header.ax_header.PNs);
1185 DHRp = &plaintext_header.ax_header.DHRs;
1190 /* RKp, NHKp, CKp = KDF (HMAC-HASH (RK, DH (DHRp, DHRs))) */
1191 GNUNET_CRYPTO_ecc_ecdh (&ax->DHRs,
1194 t_ax_hmac_hash (&ax->RK,
1197 GNUNET_CRYPTO_kdf (keys, sizeof (keys),
1199 &hmac, sizeof (hmac),
1202 /* Commit "purported" keys */
1208 ax->ratchet_allowed = GNUNET_YES;
1215 Np = ntohl (plaintext_header.ax_header.Ns);
1216 PNp = ntohl (plaintext_header.ax_header.PNs);
1218 if ( (Np != ax->Nr) &&
1219 (GNUNET_OK != store_ax_keys (ax,
1223 /* Try the skipped keys, if that fails, we're out of luck. */
1224 return try_old_ax_keys (ax,
1240 * Our tunnel became ready for the first time, notify channels
1241 * that have been waiting.
1243 * @param cls our tunnel, not used
1244 * @param key unique ID of the channel, not used
1245 * @param value the `struct CadetChannel` to notify
1246 * @return #GNUNET_OK (continue to iterate)
1249 notify_tunnel_up_cb (void *cls,
1253 struct CadetChannel *ch = value;
1255 GCCH_tunnel_up (ch);
1261 * Change the tunnel encryption state.
1262 * If the encryption state changes to OK, stop the rekey task.
1264 * @param t Tunnel whose encryption state to change, or NULL.
1265 * @param state New encryption state.
1268 GCT_change_estate (struct CadetTunnel *t,
1269 enum CadetTunnelEState state)
1271 enum CadetTunnelEState old = t->estate;
1274 LOG (GNUNET_ERROR_TYPE_DEBUG,
1275 "%s estate changed from %s to %s\n",
1280 if ( (CADET_TUNNEL_KEY_OK != old) &&
1281 (CADET_TUNNEL_KEY_OK == t->estate) )
1283 if (NULL != t->kx_task)
1285 GNUNET_SCHEDULER_cancel (t->kx_task);
1288 /* notify all channels that have been waiting */
1289 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
1290 ¬ify_tunnel_up_cb,
1292 if (NULL != t->send_task)
1293 GNUNET_SCHEDULER_cancel (t->send_task);
1294 t->send_task = GNUNET_SCHEDULER_add_now (&trigger_transmissions,
1301 * Send a KX message.
1303 * @param t tunnel on which to send the KX_AUTH
1304 * @param ct Tunnel and connection on which to send the KX_AUTH, NULL if
1305 * we are to find one that is ready.
1306 * @param ax axolotl key context to use
1309 send_kx (struct CadetTunnel *t,
1310 struct CadetTConnection *ct,
1311 struct CadetTunnelAxolotl *ax)
1313 struct CadetConnection *cc;
1314 struct GNUNET_MQ_Envelope *env;
1315 struct GNUNET_CADET_TunnelKeyExchangeMessage *msg;
1316 enum GNUNET_CADET_KX_Flags flags;
1319 ct = get_ready_connection (t);
1322 LOG (GNUNET_ERROR_TYPE_DEBUG,
1323 "Wanted to send %s in state %s, but no connection is ready, deferring\n",
1325 estate2s (t->estate));
1326 t->next_kx_attempt = GNUNET_TIME_absolute_get ();
1330 LOG (GNUNET_ERROR_TYPE_DEBUG,
1331 "Sending KX on %s via %s in state %s\n",
1334 estate2s (t->estate));
1335 env = GNUNET_MQ_msg (msg,
1336 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX);
1337 flags = GNUNET_CADET_KX_FLAG_FORCE_REPLY; /* always for KX */
1338 msg->flags = htonl (flags);
1339 msg->cid = *GCC_get_id (cc);
1340 GNUNET_CRYPTO_ecdhe_key_get_public (&ax->kx_0,
1341 &msg->ephemeral_key);
1342 GNUNET_CRYPTO_ecdhe_key_get_public (&ax->DHRs,
1344 mark_connection_unready (ct);
1345 t->kx_retry_delay = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay);
1346 t->next_kx_attempt = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay);
1347 if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
1348 GCT_change_estate (t,
1349 CADET_TUNNEL_KEY_AX_SENT);
1350 else if (CADET_TUNNEL_KEY_AX_RECV == t->estate)
1351 GCT_change_estate (t,
1352 CADET_TUNNEL_KEY_AX_SENT_AND_RECV);
1359 * Send a KX_AUTH message.
1361 * @param t tunnel on which to send the KX_AUTH
1362 * @param ct Tunnel and connection on which to send the KX_AUTH, NULL if
1363 * we are to find one that is ready.
1364 * @param ax axolotl key context to use
1365 * @param force_reply Force the other peer to reply with a KX_AUTH message
1366 * (set if we would like to transmit right now, but cannot)
1369 send_kx_auth (struct CadetTunnel *t,
1370 struct CadetTConnection *ct,
1371 struct CadetTunnelAxolotl *ax,
1374 struct CadetConnection *cc;
1375 struct GNUNET_MQ_Envelope *env;
1376 struct GNUNET_CADET_TunnelKeyExchangeAuthMessage *msg;
1377 enum GNUNET_CADET_KX_Flags flags;
1379 if ( (NULL == ct) ||
1380 (GNUNET_NO == ct->is_ready) )
1381 ct = get_ready_connection (t);
1384 LOG (GNUNET_ERROR_TYPE_DEBUG,
1385 "Wanted to send KX_AUTH on %s, but no connection is ready, deferring\n",
1387 t->next_kx_attempt = GNUNET_TIME_absolute_get ();
1388 t->kx_auth_requested = GNUNET_YES; /* queue KX_AUTH independent of estate */
1391 t->kx_auth_requested = GNUNET_NO; /* clear flag */
1393 LOG (GNUNET_ERROR_TYPE_DEBUG,
1394 "Sending KX_AUTH on %s using %s\n",
1398 env = GNUNET_MQ_msg (msg,
1399 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX_AUTH);
1400 flags = GNUNET_CADET_KX_FLAG_NONE;
1401 if (GNUNET_YES == force_reply)
1402 flags |= GNUNET_CADET_KX_FLAG_FORCE_REPLY;
1403 msg->kx.flags = htonl (flags);
1404 msg->kx.cid = *GCC_get_id (cc);
1405 GNUNET_CRYPTO_ecdhe_key_get_public (&ax->kx_0,
1406 &msg->kx.ephemeral_key);
1407 GNUNET_CRYPTO_ecdhe_key_get_public (&ax->DHRs,
1408 &msg->kx.ratchet_key);
1409 /* Compute authenticator (this is the main difference to #send_kx()) */
1410 GNUNET_CRYPTO_hash (&ax->RK,
1414 /* Compute when to be triggered again; actual job will
1415 be scheduled via #connection_ready_cb() */
1417 = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay);
1419 = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay);
1421 /* Send via cc, mark it as unready */
1422 mark_connection_unready (ct);
1424 /* Update state machine, unless we are already OK */
1425 if (CADET_TUNNEL_KEY_OK != t->estate)
1426 GCT_change_estate (t,
1427 CADET_TUNNEL_KEY_AX_AUTH_SENT);
1435 * Cleanup state used by @a ax.
1437 * @param ax state to free, but not memory of @a ax itself
1440 cleanup_ax (struct CadetTunnelAxolotl *ax)
1442 while (NULL != ax->skipped_head)
1443 delete_skipped_key (ax,
1445 GNUNET_assert (0 == ax->skipped);
1446 GNUNET_CRYPTO_ecdhe_key_clear (&ax->kx_0);
1447 GNUNET_CRYPTO_ecdhe_key_clear (&ax->DHRs);
1452 * Update our Axolotl key state based on the KX data we received.
1453 * Computes the new chain keys, and root keys, etc, and also checks
1454 * wether this is a replay of the current chain.
1456 * @param[in|out] axolotl chain key state to recompute
1457 * @param pid peer identity of the other peer
1458 * @param ephemeral_key ephemeral public key of the other peer
1459 * @param ratchet_key senders next ephemeral public key
1460 * @return #GNUNET_OK on success, #GNUNET_NO if the resulting
1461 * root key is already in @a ax and thus the KX is useless;
1462 * #GNUNET_SYSERR on hard errors (i.e. @a pid is #my_full_id)
1465 update_ax_by_kx (struct CadetTunnelAxolotl *ax,
1466 const struct GNUNET_PeerIdentity *pid,
1467 const struct GNUNET_CRYPTO_EcdhePublicKey *ephemeral_key,
1468 const struct GNUNET_CRYPTO_EcdhePublicKey *ratchet_key)
1470 struct GNUNET_HashCode key_material[3];
1471 struct GNUNET_CRYPTO_SymmetricSessionKey keys[5];
1472 const char salt[] = "CADET Axolotl salt";
1475 if (0 > GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
1477 am_I_alice = GNUNET_YES;
1478 else if (0 < GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
1480 am_I_alice = GNUNET_NO;
1483 GNUNET_break_op (0);
1484 return GNUNET_SYSERR;
1487 if (0 == memcmp (&ax->DHRr,
1489 sizeof (*ratchet_key)))
1491 LOG (GNUNET_ERROR_TYPE_DEBUG,
1492 "Ratchet key already known. Ignoring KX.\n");
1496 ax->DHRr = *ratchet_key;
1499 if (GNUNET_YES == am_I_alice)
1501 GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* A */
1502 ephemeral_key, /* B0 */
1507 GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* B0 */
1508 &pid->public_key, /* A */
1513 if (GNUNET_YES == am_I_alice)
1515 GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* A0 */
1516 &pid->public_key, /* B */
1521 GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* A */
1522 ephemeral_key, /* B0 */
1529 /* (This is the triple-DH, we could probably safely skip this,
1530 as A0/B0 are already in the key material.) */
1531 GNUNET_CRYPTO_ecc_ecdh (&ax->kx_0, /* A0 or B0 */
1532 ephemeral_key, /* B0 or A0 */
1536 GNUNET_CRYPTO_kdf (keys, sizeof (keys),
1537 salt, sizeof (salt),
1538 &key_material, sizeof (key_material),
1541 if (0 == memcmp (&ax->RK,
1545 LOG (GNUNET_ERROR_TYPE_DEBUG,
1546 "Root key of handshake already known. Ignoring KX.\n");
1551 if (GNUNET_YES == am_I_alice)
1557 ax->ratchet_flag = GNUNET_YES;
1565 ax->ratchet_flag = GNUNET_NO;
1566 ax->ratchet_expiration
1567 = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(),
1575 * Try to redo the KX or KX_AUTH handshake, if we can.
1577 * @param cls the `struct CadetTunnel` to do KX for.
1580 retry_kx (void *cls)
1582 struct CadetTunnel *t = cls;
1583 struct CadetTunnelAxolotl *ax;
1586 LOG (GNUNET_ERROR_TYPE_DEBUG,
1587 "Trying to make KX progress on %s in state %s\n",
1589 estate2s (t->estate));
1592 case CADET_TUNNEL_KEY_UNINITIALIZED: /* first attempt */
1593 case CADET_TUNNEL_KEY_AX_SENT: /* trying again */
1598 case CADET_TUNNEL_KEY_AX_RECV:
1599 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
1600 /* We are responding, so only require reply
1601 if WE have a channel waiting. */
1602 if (NULL != t->unverified_ax)
1604 /* Send AX_AUTH so we might get this one verified */
1605 ax = t->unverified_ax;
1609 /* How can this be? */
1616 (0 == GCT_count_channels (t))
1620 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
1621 /* We are responding, so only require reply
1622 if WE have a channel waiting. */
1623 if (NULL != t->unverified_ax)
1625 /* Send AX_AUTH so we might get this one verified */
1626 ax = t->unverified_ax;
1630 /* How can this be? */
1637 (0 == GCT_count_channels (t))
1641 case CADET_TUNNEL_KEY_OK:
1642 /* Must have been the *other* peer asking us to
1643 respond with a KX_AUTH. */
1644 if (NULL != t->unverified_ax)
1646 /* Sending AX_AUTH in response to AX so we might get this one verified */
1647 ax = t->unverified_ax;
1651 /* Sending AX_AUTH in response to AX_AUTH */
1664 * Handle KX message that lacks authentication (and which will thus
1665 * only be considered authenticated after we respond with our own
1666 * KX_AUTH and finally successfully decrypt payload).
1668 * @param ct connection/tunnel combo that received encrypted message
1669 * @param msg the key exchange message
1672 GCT_handle_kx (struct CadetTConnection *ct,
1673 const struct GNUNET_CADET_TunnelKeyExchangeMessage *msg)
1675 struct CadetTunnel *t = ct->t;
1676 struct CadetTunnelAxolotl *ax;
1680 memcmp (&t->ax.DHRr,
1682 sizeof (msg->ratchet_key)))
1684 LOG (GNUNET_ERROR_TYPE_DEBUG,
1685 "Got duplicate KX. Firing back KX_AUTH.\n");
1693 /* We only keep ONE unverified KX around, so if there is an existing one,
1695 if (NULL != t->unverified_ax)
1698 memcmp (&t->unverified_ax->DHRr,
1700 sizeof (msg->ratchet_key)))
1702 LOG (GNUNET_ERROR_TYPE_DEBUG,
1703 "Got duplicate unverified KX on %s. Fire back KX_AUTH again.\n",
1711 LOG (GNUNET_ERROR_TYPE_DEBUG,
1712 "Dropping old unverified KX state. Got a fresh KX for %s.\n",
1714 memset (t->unverified_ax,
1716 sizeof (struct CadetTunnelAxolotl));
1717 t->unverified_ax->DHRs = t->ax.DHRs;
1718 t->unverified_ax->kx_0 = t->ax.kx_0;
1722 LOG (GNUNET_ERROR_TYPE_DEBUG,
1723 "Creating fresh unverified KX for %s.\n",
1725 t->unverified_ax = GNUNET_new (struct CadetTunnelAxolotl);
1726 t->unverified_ax->DHRs = t->ax.DHRs;
1727 t->unverified_ax->kx_0 = t->ax.kx_0;
1729 /* Set as the 'current' RK/DHRr the one we are currently using,
1730 so that the duplicate-detection logic of
1731 #update_ax_by_kx can work. */
1732 t->unverified_ax->RK = t->ax.RK;
1733 t->unverified_ax->DHRr = t->ax.DHRr;
1734 t->unverified_attempts = 0;
1735 ax = t->unverified_ax;
1737 /* Update 'ax' by the new key material */
1738 ret = update_ax_by_kx (ax,
1739 GCP_get_id (t->destination),
1740 &msg->ephemeral_key,
1742 GNUNET_break (GNUNET_SYSERR != ret);
1743 if (GNUNET_OK != ret)
1744 return; /* duplicate KX, nothing to do */
1746 /* move ahead in our state machine */
1747 if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
1748 GCT_change_estate (t,
1749 CADET_TUNNEL_KEY_AX_RECV);
1750 else if (CADET_TUNNEL_KEY_AX_SENT == t->estate)
1751 GCT_change_estate (t,
1752 CADET_TUNNEL_KEY_AX_SENT_AND_RECV);
1754 /* KX is still not done, try again our end. */
1755 if (CADET_TUNNEL_KEY_OK != t->estate)
1757 if (NULL != t->kx_task)
1758 GNUNET_SCHEDULER_cancel (t->kx_task);
1760 = GNUNET_SCHEDULER_add_now (&retry_kx,
1767 * Handle KX_AUTH message.
1769 * @param ct connection/tunnel combo that received encrypted message
1770 * @param msg the key exchange message
1773 GCT_handle_kx_auth (struct CadetTConnection *ct,
1774 const struct GNUNET_CADET_TunnelKeyExchangeAuthMessage *msg)
1776 struct CadetTunnel *t = ct->t;
1777 struct CadetTunnelAxolotl ax_tmp;
1778 struct GNUNET_HashCode kx_auth;
1781 if ( (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate) ||
1782 (CADET_TUNNEL_KEY_AX_RECV == t->estate) )
1784 /* Confusing, we got a KX_AUTH before we even send our own
1785 KX. This should not happen. We'll send our own KX ASAP anyway,
1786 so let's ignore this here. */
1787 GNUNET_break_op (0);
1790 LOG (GNUNET_ERROR_TYPE_DEBUG,
1791 "Handling KX_AUTH message for %s\n",
1794 /* We do everything in ax_tmp until we've checked the authentication
1795 so we don't clobber anything we care about by accident. */
1798 /* Update 'ax' by the new key material */
1799 ret = update_ax_by_kx (&ax_tmp,
1800 GCP_get_id (t->destination),
1801 &msg->kx.ephemeral_key,
1802 &msg->kx.ratchet_key);
1803 if (GNUNET_OK != ret)
1805 if (GNUNET_NO == ret)
1806 GNUNET_STATISTICS_update (stats,
1807 "# redundant KX_AUTH received",
1811 GNUNET_break (0); /* connect to self!? */
1814 GNUNET_CRYPTO_hash (&ax_tmp.RK,
1817 if (0 != memcmp (&kx_auth,
1821 /* This KX_AUTH is not using the latest KX/KX_AUTH data
1822 we transmitted to the sender, refuse it, try KX again. */
1823 GNUNET_STATISTICS_update (stats,
1824 "# KX_AUTH not using our last KX received (auth failure)",
1832 /* Yep, we're good. */
1834 if (NULL != t->unverified_ax)
1836 /* We got some "stale" KX before, drop that. */
1837 cleanup_ax (t->unverified_ax);
1838 GNUNET_free (t->unverified_ax);
1839 t->unverified_ax = NULL;
1842 /* move ahead in our state machine */
1845 case CADET_TUNNEL_KEY_UNINITIALIZED:
1846 case CADET_TUNNEL_KEY_AX_RECV:
1847 /* Checked above, this is impossible. */
1850 case CADET_TUNNEL_KEY_AX_SENT: /* This is the normal case */
1851 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV: /* both peers started KX */
1852 case CADET_TUNNEL_KEY_AX_AUTH_SENT: /* both peers now did KX_AUTH */
1853 GCT_change_estate (t,
1854 CADET_TUNNEL_KEY_OK);
1856 case CADET_TUNNEL_KEY_OK:
1857 /* Did not expect another KX_AUTH, but so what, still acceptable.
1858 Nothing to do here. */
1865 /* ************************************** end core crypto ***************************** */
1869 * Compute the next free channel tunnel number for this tunnel.
1871 * @param t the tunnel
1872 * @return unused number that can uniquely identify a channel in the tunnel
1874 static struct GNUNET_CADET_ChannelTunnelNumber
1875 get_next_free_ctn (struct CadetTunnel *t)
1877 #define HIGH_BIT 0x8000000
1878 struct GNUNET_CADET_ChannelTunnelNumber ret;
1883 cmp = GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
1884 GCP_get_id (GCT_get_destination (t)));
1890 GNUNET_assert (0); // loopback must never go here!
1891 ctn = ntohl (t->next_ctn.cn);
1893 GNUNET_CONTAINER_multihashmap32_get (t->channels,
1896 ctn = ((ctn + 1) & (~ HIGH_BIT));
1898 t->next_ctn.cn = htonl ((ctn + 1) & (~ HIGH_BIT));
1899 ret.cn = htonl (ctn | highbit);
1905 * Add a channel to a tunnel, and notify channel that we are ready
1906 * for transmission if we are already up. Otherwise that notification
1907 * will be done later in #notify_tunnel_up_cb().
1911 * @return unique number identifying @a ch within @a t
1913 struct GNUNET_CADET_ChannelTunnelNumber
1914 GCT_add_channel (struct CadetTunnel *t,
1915 struct CadetChannel *ch)
1917 struct GNUNET_CADET_ChannelTunnelNumber ctn;
1919 ctn = get_next_free_ctn (t);
1920 if (NULL != t->destroy_task)
1922 GNUNET_SCHEDULER_cancel (t->destroy_task);
1923 t->destroy_task = NULL;
1925 GNUNET_assert (GNUNET_YES ==
1926 GNUNET_CONTAINER_multihashmap32_put (t->channels,
1929 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
1930 LOG (GNUNET_ERROR_TYPE_DEBUG,
1931 "Adding %s to %s\n",
1936 case CADET_TUNNEL_KEY_UNINITIALIZED:
1937 /* waiting for connection to start KX */
1939 case CADET_TUNNEL_KEY_AX_RECV:
1940 case CADET_TUNNEL_KEY_AX_SENT:
1941 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
1942 /* we're currently waiting for KX to complete */
1944 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
1945 /* waiting for OTHER peer to send us data,
1946 we might need to prompt more aggressively! */
1947 if (NULL == t->kx_task)
1949 = GNUNET_SCHEDULER_add_at (t->next_kx_attempt,
1953 case CADET_TUNNEL_KEY_OK:
1954 /* We are ready. Tell the new channel that we are up. */
1955 GCCH_tunnel_up (ch);
1963 * We lost a connection, remove it from our list and clean up
1964 * the connection object itself.
1966 * @param ct binding of connection to tunnel of the connection that was lost.
1969 GCT_connection_lost (struct CadetTConnection *ct)
1971 struct CadetTunnel *t = ct->t;
1973 if (GNUNET_YES == ct->is_ready)
1974 GNUNET_CONTAINER_DLL_remove (t->connection_ready_head,
1975 t->connection_ready_tail,
1978 GNUNET_CONTAINER_DLL_remove (t->connection_busy_head,
1979 t->connection_busy_tail,
1986 * Clean up connection @a ct of a tunnel.
1988 * @param cls the `struct CadetTunnel`
1989 * @param ct connection to clean up
1992 destroy_t_connection (void *cls,
1993 struct CadetTConnection *ct)
1995 struct CadetTunnel *t = cls;
1996 struct CadetConnection *cc = ct->cc;
1998 GNUNET_assert (ct->t == t);
1999 GCT_connection_lost (ct);
2000 GCC_destroy_without_tunnel (cc);
2005 * This tunnel is no longer used, destroy it.
2007 * @param cls the idle tunnel
2010 destroy_tunnel (void *cls)
2012 struct CadetTunnel *t = cls;
2013 struct CadetTunnelQueueEntry *tq;
2015 t->destroy_task = NULL;
2016 LOG (GNUNET_ERROR_TYPE_DEBUG,
2017 "Destroying idle %s\n",
2019 GNUNET_assert (0 == GCT_count_channels (t));
2020 GCT_iterate_connections (t,
2021 &destroy_t_connection,
2023 GNUNET_assert (NULL == t->connection_ready_head);
2024 GNUNET_assert (NULL == t->connection_busy_head);
2025 while (NULL != (tq = t->tq_head))
2027 if (NULL != tq->cont)
2028 tq->cont (tq->cont_cls,
2030 GCT_send_cancel (tq);
2032 GCP_drop_tunnel (t->destination,
2034 GNUNET_CONTAINER_multihashmap32_destroy (t->channels);
2035 if (NULL != t->maintain_connections_task)
2037 GNUNET_SCHEDULER_cancel (t->maintain_connections_task);
2038 t->maintain_connections_task = NULL;
2040 if (NULL != t->send_task)
2042 GNUNET_SCHEDULER_cancel (t->send_task);
2043 t->send_task = NULL;
2045 if (NULL != t->kx_task)
2047 GNUNET_SCHEDULER_cancel (t->kx_task);
2050 GNUNET_MST_destroy (t->mst);
2051 GNUNET_MQ_destroy (t->mq);
2052 if (NULL != t->unverified_ax)
2054 cleanup_ax (t->unverified_ax);
2055 GNUNET_free (t->unverified_ax);
2057 cleanup_ax (&t->ax);
2058 GNUNET_assert (NULL == t->destroy_task);
2064 * Remove a channel from a tunnel.
2068 * @param ctn unique number identifying @a ch within @a t
2071 GCT_remove_channel (struct CadetTunnel *t,
2072 struct CadetChannel *ch,
2073 struct GNUNET_CADET_ChannelTunnelNumber ctn)
2075 LOG (GNUNET_ERROR_TYPE_DEBUG,
2076 "Removing %s from %s\n",
2079 GNUNET_assert (GNUNET_YES ==
2080 GNUNET_CONTAINER_multihashmap32_remove (t->channels,
2084 GCT_count_channels (t)) &&
2085 (NULL == t->destroy_task) )
2088 = GNUNET_SCHEDULER_add_delayed (IDLE_DESTROY_DELAY,
2096 * Destroy remaining channels during shutdown.
2098 * @param cls the `struct CadetTunnel` of the channel
2099 * @param key key of the channel
2100 * @param value the `struct CadetChannel`
2101 * @return #GNUNET_OK (continue to iterate)
2104 destroy_remaining_channels (void *cls,
2108 struct CadetChannel *ch = value;
2110 GCCH_handle_remote_destroy (ch,
2117 * Destroys the tunnel @a t now, without delay. Used during shutdown.
2119 * @param t tunnel to destroy
2122 GCT_destroy_tunnel_now (struct CadetTunnel *t)
2124 GNUNET_assert (GNUNET_YES == shutting_down);
2125 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
2126 &destroy_remaining_channels,
2129 GCT_count_channels (t));
2130 if (NULL != t->destroy_task)
2132 GNUNET_SCHEDULER_cancel (t->destroy_task);
2133 t->destroy_task = NULL;
2140 * Send normal payload from queue in @a t via connection @a ct.
2141 * Does nothing if our payload queue is empty.
2143 * @param t tunnel to send data from
2144 * @param ct connection to use for transmission (is ready)
2147 try_send_normal_payload (struct CadetTunnel *t,
2148 struct CadetTConnection *ct)
2150 struct CadetTunnelQueueEntry *tq;
2152 GNUNET_assert (GNUNET_YES == ct->is_ready);
2156 /* no messages pending right now */
2157 LOG (GNUNET_ERROR_TYPE_DEBUG,
2158 "Not sending payload of %s on ready %s (nothing pending)\n",
2163 /* ready to send message 'tq' on tunnel 'ct' */
2164 GNUNET_assert (t == tq->t);
2165 GNUNET_CONTAINER_DLL_remove (t->tq_head,
2168 if (NULL != tq->cid)
2169 *tq->cid = *GCC_get_id (ct->cc);
2170 mark_connection_unready (ct);
2171 LOG (GNUNET_ERROR_TYPE_DEBUG,
2172 "Sending payload of %s on %s\n",
2175 GCC_transmit (ct->cc,
2177 if (NULL != tq->cont)
2178 tq->cont (tq->cont_cls,
2179 GCC_get_id (ct->cc));
2185 * A connection is @a is_ready for transmission. Looks at our message
2186 * queue and if there is a message, sends it out via the connection.
2188 * @param cls the `struct CadetTConnection` that is @a is_ready
2189 * @param is_ready #GNUNET_YES if connection are now ready,
2190 * #GNUNET_NO if connection are no longer ready
2193 connection_ready_cb (void *cls,
2196 struct CadetTConnection *ct = cls;
2197 struct CadetTunnel *t = ct->t;
2199 if (GNUNET_NO == is_ready)
2201 LOG (GNUNET_ERROR_TYPE_DEBUG,
2202 "%s no longer ready for %s\n",
2205 mark_connection_unready (ct);
2208 GNUNET_assert (GNUNET_NO == ct->is_ready);
2209 GNUNET_CONTAINER_DLL_remove (t->connection_busy_head,
2210 t->connection_busy_tail,
2212 GNUNET_assert (0 < t->num_busy_connections);
2213 t->num_busy_connections--;
2214 ct->is_ready = GNUNET_YES;
2215 GNUNET_CONTAINER_DLL_insert_tail (t->connection_ready_head,
2216 t->connection_ready_tail,
2218 t->num_ready_connections++;
2220 LOG (GNUNET_ERROR_TYPE_DEBUG,
2221 "%s now ready for %s in state %s\n",
2224 estate2s (t->estate));
2227 case CADET_TUNNEL_KEY_UNINITIALIZED:
2228 /* Do not begin KX if WE have no channels waiting! */
2229 if (0 == GCT_count_channels (t))
2231 /* We are uninitialized, just transmit immediately,
2232 without undue delay. */
2233 if (NULL != t->kx_task)
2235 GNUNET_SCHEDULER_cancel (t->kx_task);
2242 case CADET_TUNNEL_KEY_AX_RECV:
2243 case CADET_TUNNEL_KEY_AX_SENT:
2244 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
2245 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
2246 /* we're currently waiting for KX to complete, schedule job */
2247 if (NULL == t->kx_task)
2249 = GNUNET_SCHEDULER_add_at (t->next_kx_attempt,
2253 case CADET_TUNNEL_KEY_OK:
2254 if (GNUNET_YES == t->kx_auth_requested)
2256 if (NULL != t->kx_task)
2258 GNUNET_SCHEDULER_cancel (t->kx_task);
2267 try_send_normal_payload (t,
2275 * Called when either we have a new connection, or a new message in the
2276 * queue, or some existing connection has transmission capacity. Looks
2277 * at our message queue and if there is a message, picks a connection
2280 * @param cls the `struct CadetTunnel` to process messages on
2283 trigger_transmissions (void *cls)
2285 struct CadetTunnel *t = cls;
2286 struct CadetTConnection *ct;
2288 t->send_task = NULL;
2289 if (NULL == t->tq_head)
2290 return; /* no messages pending right now */
2291 ct = get_ready_connection (t);
2293 return; /* no connections ready */
2294 try_send_normal_payload (t,
2300 * Closure for #evaluate_connection. Used to assemble summary information
2301 * about the existing connections so we can evaluate a new path.
2303 struct EvaluationSummary
2307 * Minimum length of any of our connections, `UINT_MAX` if we have none.
2309 unsigned int min_length;
2312 * Maximum length of any of our connections, 0 if we have none.
2314 unsigned int max_length;
2317 * Minimum desirability of any of our connections, UINT64_MAX if we have none.
2319 GNUNET_CONTAINER_HeapCostType min_desire;
2322 * Maximum desirability of any of our connections, 0 if we have none.
2324 GNUNET_CONTAINER_HeapCostType max_desire;
2327 * Path we are comparing against for #evaluate_connection, can be NULL.
2329 struct CadetPeerPath *path;
2332 * Connection deemed the "worst" so far encountered by #evaluate_connection,
2333 * NULL if we did not yet encounter any connections.
2335 struct CadetTConnection *worst;
2338 * Numeric score of @e worst, only set if @e worst is non-NULL.
2343 * Set to #GNUNET_YES if we have a connection over @e path already.
2351 * Evaluate a connection, updating our summary information in @a cls about
2352 * what kinds of connections we have.
2354 * @param cls the `struct EvaluationSummary *` to update
2355 * @param ct a connection to include in the summary
2358 evaluate_connection (void *cls,
2359 struct CadetTConnection *ct)
2361 struct EvaluationSummary *es = cls;
2362 struct CadetConnection *cc = ct->cc;
2363 struct CadetPeerPath *ps = GCC_get_path (cc);
2364 const struct CadetConnectionMetrics *metrics;
2365 GNUNET_CONTAINER_HeapCostType ct_desirability;
2366 struct GNUNET_TIME_Relative uptime;
2367 struct GNUNET_TIME_Relative last_use;
2370 double success_rate;
2374 LOG (GNUNET_ERROR_TYPE_DEBUG,
2375 "Ignoring duplicate path %s.\n",
2376 GCPP_2s (es->path));
2377 es->duplicate = GNUNET_YES;
2380 ct_desirability = GCPP_get_desirability (ps);
2381 ct_length = GCPP_get_length (ps);
2382 metrics = GCC_get_metrics (cc);
2383 uptime = GNUNET_TIME_absolute_get_duration (metrics->age);
2384 last_use = GNUNET_TIME_absolute_get_duration (metrics->last_use);
2385 /* We add 1.0 here to avoid division by zero. */
2386 success_rate = (metrics->num_acked_transmissions + 1.0) / (metrics->num_successes + 1.0);
2389 + 100.0 / (1.0 + ct_length) /* longer paths = better */
2390 + sqrt (uptime.rel_value_us / 60000000LL) /* larger uptime = better */
2391 - last_use.rel_value_us / 1000L; /* longer idle = worse */
2392 score *= success_rate; /* weigh overall by success rate */
2394 if ( (NULL == es->worst) ||
2395 (score < es->worst_score) )
2398 es->worst_score = score;
2400 es->min_length = GNUNET_MIN (es->min_length,
2402 es->max_length = GNUNET_MAX (es->max_length,
2404 es->min_desire = GNUNET_MIN (es->min_desire,
2406 es->max_desire = GNUNET_MAX (es->max_desire,
2412 * Consider using the path @a p for the tunnel @a t.
2413 * The tunnel destination is at offset @a off in path @a p.
2415 * @param cls our tunnel
2416 * @param path a path to our destination
2417 * @param off offset of the destination on path @a path
2418 * @return #GNUNET_YES (should keep iterating)
2421 consider_path_cb (void *cls,
2422 struct CadetPeerPath *path,
2425 struct CadetTunnel *t = cls;
2426 struct EvaluationSummary es;
2427 struct CadetTConnection *ct;
2429 GNUNET_assert (off < GCPP_get_length (path));
2430 es.min_length = UINT_MAX;
2433 es.min_desire = UINT64_MAX;
2435 es.duplicate = GNUNET_NO;
2438 /* Compute evaluation summary over existing connections. */
2439 GCT_iterate_connections (t,
2440 &evaluate_connection,
2442 if (GNUNET_YES == es.duplicate)
2445 /* FIXME: not sure we should really just count
2446 'num_connections' here, as they may all have
2447 consistently failed to connect. */
2449 /* We iterate by increasing path length; if we have enough paths and
2450 this one is more than twice as long than what we are currently
2451 using, then ignore all of these super-long ones! */
2452 if ( (GCT_count_any_connections (t) > DESIRED_CONNECTIONS_PER_TUNNEL) &&
2453 (es.min_length * 2 < off) &&
2454 (es.max_length < off) )
2456 LOG (GNUNET_ERROR_TYPE_DEBUG,
2457 "Ignoring paths of length %u, they are way too long.\n",
2461 /* If we have enough paths and this one looks no better, ignore it. */
2462 if ( (GCT_count_any_connections (t) >= DESIRED_CONNECTIONS_PER_TUNNEL) &&
2463 (es.min_length < GCPP_get_length (path)) &&
2464 (es.min_desire > GCPP_get_desirability (path)) &&
2465 (es.max_length < off) )
2467 LOG (GNUNET_ERROR_TYPE_DEBUG,
2468 "Ignoring path (%u/%llu) to %s, got something better already.\n",
2469 GCPP_get_length (path),
2470 (unsigned long long) GCPP_get_desirability (path),
2471 GCP_2s (t->destination));
2475 /* Path is interesting (better by some metric, or we don't have
2476 enough paths yet). */
2477 ct = GNUNET_new (struct CadetTConnection);
2478 ct->created = GNUNET_TIME_absolute_get ();
2480 ct->cc = GCC_create (t->destination,
2483 GNUNET_CADET_OPTION_DEFAULT, /* FIXME: set based on what channels want/need! */
2485 &connection_ready_cb,
2488 /* FIXME: schedule job to kill connection (and path?) if it takes
2489 too long to get ready! (And track performance data on how long
2490 other connections took with the tunnel!)
2491 => Note: to be done within 'connection'-logic! */
2492 GNUNET_CONTAINER_DLL_insert (t->connection_busy_head,
2493 t->connection_busy_tail,
2495 t->num_busy_connections++;
2496 LOG (GNUNET_ERROR_TYPE_DEBUG,
2497 "Found interesting path %s for %s, created %s\n",
2506 * Function called to maintain the connections underlying our tunnel.
2507 * Tries to maintain (incl. tear down) connections for the tunnel, and
2508 * if there is a significant change, may trigger transmissions.
2510 * Basically, needs to check if there are connections that perform
2511 * badly, and if so eventually kill them and trigger a replacement.
2512 * The strategy is to open one more connection than
2513 * #DESIRED_CONNECTIONS_PER_TUNNEL, and then periodically kick out the
2514 * least-performing one, and then inquire for new ones.
2516 * @param cls the `struct CadetTunnel`
2519 maintain_connections_cb (void *cls)
2521 struct CadetTunnel *t = cls;
2522 struct GNUNET_TIME_Relative delay;
2523 struct EvaluationSummary es;
2525 t->maintain_connections_task = NULL;
2526 LOG (GNUNET_ERROR_TYPE_DEBUG,
2527 "Performing connection maintenance for %s.\n",
2530 es.min_length = UINT_MAX;
2533 es.min_desire = UINT64_MAX;
2536 es.duplicate = GNUNET_NO;
2537 GCT_iterate_connections (t,
2538 &evaluate_connection,
2540 if ( (NULL != es.worst) &&
2541 (GCT_count_any_connections (t) > DESIRED_CONNECTIONS_PER_TUNNEL) )
2543 /* Clear out worst-performing connection 'es.worst'. */
2544 destroy_t_connection (t,
2548 /* Consider additional paths */
2549 (void) GCP_iterate_paths (t->destination,
2553 /* FIXME: calculate when to try again based on how well we are doing;
2554 in particular, if we have to few connections, we might be able
2555 to do without this (as PATHS should tell us whenever a new path
2556 is available instantly; however, need to make sure this job is
2557 restarted after that happens).
2558 Furthermore, if the paths we do know are in a reasonably narrow
2559 quality band and are plentyful, we might also consider us stabilized
2560 and then reduce the frequency accordingly. */
2561 delay = GNUNET_TIME_UNIT_MINUTES;
2562 t->maintain_connections_task
2563 = GNUNET_SCHEDULER_add_delayed (delay,
2564 &maintain_connections_cb,
2570 * Consider using the path @a p for the tunnel @a t.
2571 * The tunnel destination is at offset @a off in path @a p.
2573 * @param cls our tunnel
2574 * @param path a path to our destination
2575 * @param off offset of the destination on path @a path
2578 GCT_consider_path (struct CadetTunnel *t,
2579 struct CadetPeerPath *p,
2582 LOG (GNUNET_ERROR_TYPE_DEBUG,
2583 "Considering %s for %s\n",
2586 (void) consider_path_cb (t,
2593 * We got a keepalive. Track in statistics.
2595 * @param cls the `struct CadetTunnel` for which we decrypted the message
2596 * @param msg the message we received on the tunnel
2599 handle_plaintext_keepalive (void *cls,
2600 const struct GNUNET_MessageHeader *msg)
2602 struct CadetTunnel *t = cls;
2604 LOG (GNUNET_ERROR_TYPE_DEBUG,
2605 "Received KEEPALIVE on %s\n",
2607 GNUNET_STATISTICS_update (stats,
2608 "# keepalives received",
2615 * Check that @a msg is well-formed.
2617 * @param cls the `struct CadetTunnel` for which we decrypted the message
2618 * @param msg the message we received on the tunnel
2619 * @return #GNUNET_OK (any variable-size payload goes)
2622 check_plaintext_data (void *cls,
2623 const struct GNUNET_CADET_ChannelAppDataMessage *msg)
2630 * We received payload data for a channel. Locate the channel
2631 * and process the data, or return an error if the channel is unknown.
2633 * @param cls the `struct CadetTunnel` for which we decrypted the message
2634 * @param msg the message we received on the tunnel
2637 handle_plaintext_data (void *cls,
2638 const struct GNUNET_CADET_ChannelAppDataMessage *msg)
2640 struct CadetTunnel *t = cls;
2641 struct CadetChannel *ch;
2643 ch = lookup_channel (t,
2647 /* We don't know about such a channel, might have been destroyed on our
2648 end in the meantime, or never existed. Send back a DESTROY. */
2649 LOG (GNUNET_ERROR_TYPE_DEBUG,
2650 "Received %u bytes of application data for unknown channel %u, sending DESTROY\n",
2651 (unsigned int) (ntohs (msg->header.size) - sizeof (*msg)),
2652 ntohl (msg->ctn.cn));
2653 GCT_send_channel_destroy (t,
2657 GCCH_handle_channel_plaintext_data (ch,
2658 GCC_get_id (t->current_ct->cc),
2664 * We received an acknowledgement for data we sent on a channel.
2665 * Locate the channel and process it, or return an error if the
2666 * channel is unknown.
2668 * @param cls the `struct CadetTunnel` for which we decrypted the message
2669 * @param ack the message we received on the tunnel
2672 handle_plaintext_data_ack (void *cls,
2673 const struct GNUNET_CADET_ChannelDataAckMessage *ack)
2675 struct CadetTunnel *t = cls;
2676 struct CadetChannel *ch;
2678 ch = lookup_channel (t,
2682 /* We don't know about such a channel, might have been destroyed on our
2683 end in the meantime, or never existed. Send back a DESTROY. */
2684 LOG (GNUNET_ERROR_TYPE_DEBUG,
2685 "Received DATA_ACK for unknown channel %u, sending DESTROY\n",
2686 ntohl (ack->ctn.cn));
2687 GCT_send_channel_destroy (t,
2691 GCCH_handle_channel_plaintext_data_ack (ch,
2692 GCC_get_id (t->current_ct->cc),
2698 * We have received a request to open a channel to a port from
2699 * another peer. Creates the incoming channel.
2701 * @param cls the `struct CadetTunnel` for which we decrypted the message
2702 * @param copen the message we received on the tunnel
2705 handle_plaintext_channel_open (void *cls,
2706 const struct GNUNET_CADET_ChannelOpenMessage *copen)
2708 struct CadetTunnel *t = cls;
2709 struct CadetChannel *ch;
2711 ch = GNUNET_CONTAINER_multihashmap32_get (t->channels,
2712 ntohl (copen->ctn.cn));
2715 LOG (GNUNET_ERROR_TYPE_DEBUG,
2716 "Received duplicate channel CHANNEL_OPEN on port %s from %s (%s), resending ACK\n",
2717 GNUNET_h2s (&copen->port),
2720 GCCH_handle_duplicate_open (ch,
2721 GCC_get_id (t->current_ct->cc));
2724 LOG (GNUNET_ERROR_TYPE_DEBUG,
2725 "Received CHANNEL_OPEN on port %s from %s\n",
2726 GNUNET_h2s (&copen->port),
2728 ch = GCCH_channel_incoming_new (t,
2731 ntohl (copen->opt));
2732 if (NULL != t->destroy_task)
2734 GNUNET_SCHEDULER_cancel (t->destroy_task);
2735 t->destroy_task = NULL;
2737 GNUNET_assert (GNUNET_OK ==
2738 GNUNET_CONTAINER_multihashmap32_put (t->channels,
2739 ntohl (copen->ctn.cn),
2741 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
2746 * Send a DESTROY message via the tunnel.
2748 * @param t the tunnel to transmit over
2749 * @param ctn ID of the channel to destroy
2752 GCT_send_channel_destroy (struct CadetTunnel *t,
2753 struct GNUNET_CADET_ChannelTunnelNumber ctn)
2755 struct GNUNET_CADET_ChannelManageMessage msg;
2757 LOG (GNUNET_ERROR_TYPE_DEBUG,
2758 "Sending DESTORY message for channel ID %u\n",
2760 msg.header.size = htons (sizeof (msg));
2761 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY);
2762 msg.reserved = htonl (0);
2772 * We have received confirmation from the target peer that the
2773 * given channel could be established (the port is open).
2776 * @param cls the `struct CadetTunnel` for which we decrypted the message
2777 * @param cm the message we received on the tunnel
2780 handle_plaintext_channel_open_ack (void *cls,
2781 const struct GNUNET_CADET_ChannelManageMessage *cm)
2783 struct CadetTunnel *t = cls;
2784 struct CadetChannel *ch;
2786 ch = lookup_channel (t,
2790 /* We don't know about such a channel, might have been destroyed on our
2791 end in the meantime, or never existed. Send back a DESTROY. */
2792 LOG (GNUNET_ERROR_TYPE_DEBUG,
2793 "Received channel OPEN_ACK for unknown channel %u, sending DESTROY\n",
2794 ntohl (cm->ctn.cn));
2795 GCT_send_channel_destroy (t,
2799 LOG (GNUNET_ERROR_TYPE_DEBUG,
2800 "Received channel OPEN_ACK on channel %s from %s\n",
2803 GCCH_handle_channel_open_ack (ch,
2804 GCC_get_id (t->current_ct->cc));
2809 * We received a message saying that a channel should be destroyed.
2810 * Pass it on to the correct channel.
2812 * @param cls the `struct CadetTunnel` for which we decrypted the message
2813 * @param cm the message we received on the tunnel
2816 handle_plaintext_channel_destroy (void *cls,
2817 const struct GNUNET_CADET_ChannelManageMessage *cm)
2819 struct CadetTunnel *t = cls;
2820 struct CadetChannel *ch;
2822 ch = lookup_channel (t,
2826 /* We don't know about such a channel, might have been destroyed on our
2827 end in the meantime, or never existed. */
2828 LOG (GNUNET_ERROR_TYPE_DEBUG,
2829 "Received channel DESTORY for unknown channel %u. Ignoring.\n",
2830 ntohl (cm->ctn.cn));
2833 LOG (GNUNET_ERROR_TYPE_DEBUG,
2834 "Received channel DESTROY on %s from %s\n",
2837 GCCH_handle_remote_destroy (ch,
2838 GCC_get_id (t->current_ct->cc));
2843 * Handles a message we decrypted, by injecting it into
2844 * our message queue (which will do the dispatching).
2846 * @param cls the `struct CadetTunnel` that got the message
2847 * @param msg the message
2848 * @return #GNUNET_OK (continue to process)
2851 handle_decrypted (void *cls,
2852 const struct GNUNET_MessageHeader *msg)
2854 struct CadetTunnel *t = cls;
2856 GNUNET_assert (NULL != t->current_ct);
2857 GNUNET_MQ_inject_message (t->mq,
2864 * Function called if we had an error processing
2865 * an incoming decrypted message.
2867 * @param cls the `struct CadetTunnel`
2868 * @param error error code
2871 decrypted_error_cb (void *cls,
2872 enum GNUNET_MQ_Error error)
2874 GNUNET_break_op (0);
2879 * Create a tunnel to @a destionation. Must only be called
2880 * from within #GCP_get_tunnel().
2882 * @param destination where to create the tunnel to
2883 * @return new tunnel to @a destination
2885 struct CadetTunnel *
2886 GCT_create_tunnel (struct CadetPeer *destination)
2888 struct CadetTunnel *t = GNUNET_new (struct CadetTunnel);
2889 struct GNUNET_MQ_MessageHandler handlers[] = {
2890 GNUNET_MQ_hd_fixed_size (plaintext_keepalive,
2891 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_KEEPALIVE,
2892 struct GNUNET_MessageHeader,
2894 GNUNET_MQ_hd_var_size (plaintext_data,
2895 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_APP_DATA,
2896 struct GNUNET_CADET_ChannelAppDataMessage,
2898 GNUNET_MQ_hd_fixed_size (plaintext_data_ack,
2899 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_APP_DATA_ACK,
2900 struct GNUNET_CADET_ChannelDataAckMessage,
2902 GNUNET_MQ_hd_fixed_size (plaintext_channel_open,
2903 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN,
2904 struct GNUNET_CADET_ChannelOpenMessage,
2906 GNUNET_MQ_hd_fixed_size (plaintext_channel_open_ack,
2907 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN_ACK,
2908 struct GNUNET_CADET_ChannelManageMessage,
2910 GNUNET_MQ_hd_fixed_size (plaintext_channel_destroy,
2911 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY,
2912 struct GNUNET_CADET_ChannelManageMessage,
2914 GNUNET_MQ_handler_end ()
2917 t->kx_retry_delay = INITIAL_KX_RETRY_DELAY;
2918 new_ephemeral (&t->ax);
2919 GNUNET_assert (GNUNET_OK ==
2920 GNUNET_CRYPTO_ecdhe_key_create2 (&t->ax.kx_0));
2921 t->destination = destination;
2922 t->channels = GNUNET_CONTAINER_multihashmap32_create (8);
2923 t->maintain_connections_task
2924 = GNUNET_SCHEDULER_add_now (&maintain_connections_cb,
2926 t->mq = GNUNET_MQ_queue_for_callbacks (NULL,
2931 &decrypted_error_cb,
2933 t->mst = GNUNET_MST_create (&handle_decrypted,
2940 * Add a @a connection to the @a tunnel.
2943 * @param cid connection identifer to use for the connection
2944 * @param options options for the connection
2945 * @param path path to use for the connection
2946 * @return #GNUNET_OK on success,
2947 * #GNUNET_SYSERR on failure (duplicate connection)
2950 GCT_add_inbound_connection (struct CadetTunnel *t,
2951 const struct GNUNET_CADET_ConnectionTunnelIdentifier *cid,
2952 enum GNUNET_CADET_ChannelOption options,
2953 struct CadetPeerPath *path)
2955 struct CadetTConnection *ct;
2957 ct = GNUNET_new (struct CadetTConnection);
2958 ct->created = GNUNET_TIME_absolute_get ();
2960 ct->cc = GCC_create_inbound (t->destination,
2965 &connection_ready_cb,
2969 LOG (GNUNET_ERROR_TYPE_DEBUG,
2970 "%s refused inbound %s (duplicate)\n",
2974 return GNUNET_SYSERR;
2976 /* FIXME: schedule job to kill connection (and path?) if it takes
2977 too long to get ready! (And track performance data on how long
2978 other connections took with the tunnel!)
2979 => Note: to be done within 'connection'-logic! */
2980 GNUNET_CONTAINER_DLL_insert (t->connection_busy_head,
2981 t->connection_busy_tail,
2983 t->num_busy_connections++;
2984 LOG (GNUNET_ERROR_TYPE_DEBUG,
2993 * Handle encrypted message.
2995 * @param ct connection/tunnel combo that received encrypted message
2996 * @param msg the encrypted message to decrypt
2999 GCT_handle_encrypted (struct CadetTConnection *ct,
3000 const struct GNUNET_CADET_TunnelEncryptedMessage *msg)
3002 struct CadetTunnel *t = ct->t;
3003 uint16_t size = ntohs (msg->header.size);
3004 char cbuf [size] GNUNET_ALIGN;
3005 ssize_t decrypted_size;
3007 LOG (GNUNET_ERROR_TYPE_DEBUG,
3008 "%s received %u bytes of encrypted data in state %d\n",
3010 (unsigned int) size,
3015 case CADET_TUNNEL_KEY_UNINITIALIZED:
3016 case CADET_TUNNEL_KEY_AX_RECV:
3017 /* We did not even SEND our KX, how can the other peer
3018 send us encrypted data? Must have been that we went
3019 down and the other peer still things we are up.
3020 Let's send it KX back. */
3021 GNUNET_STATISTICS_update (stats,
3022 "# received encrypted without any KX",
3025 if (NULL != t->kx_task)
3027 GNUNET_SCHEDULER_cancel (t->kx_task);
3034 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
3035 /* We send KX, and other peer send KX to us at the same time.
3036 Neither KX is AUTH'ed, so let's try KX_AUTH this time. */
3037 GNUNET_STATISTICS_update (stats,
3038 "# received encrypted without KX_AUTH",
3041 if (NULL != t->kx_task)
3043 GNUNET_SCHEDULER_cancel (t->kx_task);
3051 case CADET_TUNNEL_KEY_AX_SENT:
3052 /* We did not get the KX of the other peer, but that
3053 might have been lost. Send our KX again immediately. */
3054 GNUNET_STATISTICS_update (stats,
3055 "# received encrypted without KX",
3058 if (NULL != t->kx_task)
3060 GNUNET_SCHEDULER_cancel (t->kx_task);
3067 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
3068 /* Great, first payload, we might graduate to OK! */
3069 case CADET_TUNNEL_KEY_OK:
3070 /* We are up and running, all good. */
3074 GNUNET_STATISTICS_update (stats,
3075 "# received encrypted",
3078 decrypted_size = -1;
3079 if (CADET_TUNNEL_KEY_OK == t->estate)
3081 /* We have well-established key material available,
3082 try that. (This is the common case.) */
3083 decrypted_size = t_ax_decrypt_and_validate (&t->ax,
3089 if ( (-1 == decrypted_size) &&
3090 (NULL != t->unverified_ax) )
3092 /* We have un-authenticated KX material available. We should try
3093 this as a back-up option, in case the sender crashed and
3095 decrypted_size = t_ax_decrypt_and_validate (t->unverified_ax,
3099 if (-1 != decrypted_size)
3101 /* It worked! Treat this as authentication of the AX data! */
3102 cleanup_ax (&t->ax);
3103 t->ax = *t->unverified_ax;
3104 GNUNET_free (t->unverified_ax);
3105 t->unverified_ax = NULL;
3107 if (CADET_TUNNEL_KEY_AX_AUTH_SENT == t->estate)
3109 /* First time it worked, move tunnel into production! */
3110 GCT_change_estate (t,
3111 CADET_TUNNEL_KEY_OK);
3112 if (NULL != t->send_task)
3113 GNUNET_SCHEDULER_cancel (t->send_task);
3114 t->send_task = GNUNET_SCHEDULER_add_now (&trigger_transmissions,
3118 if (NULL != t->unverified_ax)
3120 /* We had unverified KX material that was useless; so increment
3121 counter and eventually move to ignore it. Note that we even do
3122 this increment if we successfully decrypted with the old KX
3123 material and thus didn't even both with the new one. This is
3124 the ideal case, as a malicious injection of bogus KX data
3125 basically only causes us to increment a counter a few times. */
3126 t->unverified_attempts++;
3127 LOG (GNUNET_ERROR_TYPE_DEBUG,
3128 "Failed to decrypt message with unverified KX data %u times\n",
3129 t->unverified_attempts);
3130 if (t->unverified_attempts > MAX_UNVERIFIED_ATTEMPTS)
3132 cleanup_ax (t->unverified_ax);
3133 GNUNET_free (t->unverified_ax);
3134 t->unverified_ax = NULL;
3138 if (-1 == decrypted_size)
3140 /* Decryption failed for good, complain. */
3141 LOG (GNUNET_ERROR_TYPE_WARNING,
3142 "%s failed to decrypt and validate encrypted data, retrying KX\n",
3144 GNUNET_STATISTICS_update (stats,
3145 "# unable to decrypt",
3148 if (NULL != t->kx_task)
3150 GNUNET_SCHEDULER_cancel (t->kx_task);
3159 /* The MST will ultimately call #handle_decrypted() on each message. */
3161 GNUNET_break_op (GNUNET_OK ==
3162 GNUNET_MST_from_buffer (t->mst,
3167 t->current_ct = NULL;
3172 * Sends an already built message on a tunnel, encrypting it and
3173 * choosing the best connection if not provided.
3175 * @param message Message to send. Function modifies it.
3176 * @param t Tunnel on which this message is transmitted.
3177 * @param cont Continuation to call once message is really sent.
3178 * @param cont_cls Closure for @c cont.
3179 * @return Handle to cancel message
3181 struct CadetTunnelQueueEntry *
3182 GCT_send (struct CadetTunnel *t,
3183 const struct GNUNET_MessageHeader *message,
3184 GCT_SendContinuation cont,
3187 struct CadetTunnelQueueEntry *tq;
3188 uint16_t payload_size;
3189 struct GNUNET_MQ_Envelope *env;
3190 struct GNUNET_CADET_TunnelEncryptedMessage *ax_msg;
3192 if (CADET_TUNNEL_KEY_OK != t->estate)
3197 payload_size = ntohs (message->size);
3198 LOG (GNUNET_ERROR_TYPE_DEBUG,
3199 "Encrypting %u bytes for %s\n",
3200 (unsigned int) payload_size,
3202 env = GNUNET_MQ_msg_extra (ax_msg,
3204 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_ENCRYPTED);
3205 t_ax_encrypt (&t->ax,
3209 ax_msg->ax_header.Ns = htonl (t->ax.Ns++);
3210 ax_msg->ax_header.PNs = htonl (t->ax.PNs);
3211 /* FIXME: we should do this once, not once per message;
3212 this is a point multiplication, and DHRs does not
3213 change all the time. */
3214 GNUNET_CRYPTO_ecdhe_key_get_public (&t->ax.DHRs,
3215 &ax_msg->ax_header.DHRs);
3216 t_h_encrypt (&t->ax,
3218 t_hmac (&ax_msg->ax_header,
3219 sizeof (struct GNUNET_CADET_AxHeader) + payload_size,
3224 tq = GNUNET_malloc (sizeof (*tq));
3227 tq->cid = &ax_msg->cid; /* will initialize 'ax_msg->cid' once we know the connection */
3229 tq->cont_cls = cont_cls;
3230 GNUNET_CONTAINER_DLL_insert_tail (t->tq_head,
3233 if (NULL != t->send_task)
3234 GNUNET_SCHEDULER_cancel (t->send_task);
3236 = GNUNET_SCHEDULER_add_now (&trigger_transmissions,
3243 * Cancel a previously sent message while it's in the queue.
3245 * ONLY can be called before the continuation given to the send
3246 * function is called. Once the continuation is called, the message is
3247 * no longer in the queue!
3249 * @param tq Handle to the queue entry to cancel.
3252 GCT_send_cancel (struct CadetTunnelQueueEntry *tq)
3254 struct CadetTunnel *t = tq->t;
3256 GNUNET_CONTAINER_DLL_remove (t->tq_head,
3259 GNUNET_MQ_discard (tq->env);
3265 * Iterate over all connections of a tunnel.
3267 * @param t Tunnel whose connections to iterate.
3268 * @param iter Iterator.
3269 * @param iter_cls Closure for @c iter.
3272 GCT_iterate_connections (struct CadetTunnel *t,
3273 GCT_ConnectionIterator iter,
3276 struct CadetTConnection *n;
3277 for (struct CadetTConnection *ct = t->connection_ready_head;
3285 for (struct CadetTConnection *ct = t->connection_busy_head;
3297 * Closure for #iterate_channels_cb.
3304 GCT_ChannelIterator iter;
3307 * Closure for @e iter.
3314 * Helper function for #GCT_iterate_channels.
3316 * @param cls the `struct ChanIterCls`
3318 * @param value a `struct CadetChannel`
3319 * @return #GNUNET_OK
3322 iterate_channels_cb (void *cls,
3326 struct ChanIterCls *ctx = cls;
3327 struct CadetChannel *ch = value;
3329 ctx->iter (ctx->iter_cls,
3336 * Iterate over all channels of a tunnel.
3338 * @param t Tunnel whose channels to iterate.
3339 * @param iter Iterator.
3340 * @param iter_cls Closure for @c iter.
3343 GCT_iterate_channels (struct CadetTunnel *t,
3344 GCT_ChannelIterator iter,
3347 struct ChanIterCls ctx;
3350 ctx.iter_cls = iter_cls;
3351 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
3352 &iterate_channels_cb,
3359 * Call #GCCH_debug() on a channel.
3361 * @param cls points to the log level to use
3363 * @param value the `struct CadetChannel` to dump
3364 * @return #GNUNET_OK (continue iteration)
3367 debug_channel (void *cls,
3371 const enum GNUNET_ErrorType *level = cls;
3372 struct CadetChannel *ch = value;
3374 GCCH_debug (ch, *level);
3379 #define LOG2(level, ...) GNUNET_log_from_nocheck(level,"cadet-tun",__VA_ARGS__)
3383 * Log all possible info about the tunnel state.
3385 * @param t Tunnel to debug.
3386 * @param level Debug level to use.
3389 GCT_debug (const struct CadetTunnel *t,
3390 enum GNUNET_ErrorType level)
3392 struct CadetTConnection *iter_c;
3395 do_log = GNUNET_get_log_call_status (level & (~GNUNET_ERROR_TYPE_BULK),
3397 __FILE__, __FUNCTION__, __LINE__);
3402 "TTT TUNNEL TOWARDS %s in estate %s tq_len: %u #cons: %u\n",
3404 estate2s (t->estate),
3406 GCT_count_any_connections (t));
3409 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
3413 "TTT connections:\n");
3414 for (iter_c = t->connection_ready_head; NULL != iter_c; iter_c = iter_c->next)
3415 GCC_debug (iter_c->cc,
3417 for (iter_c = t->connection_busy_head; NULL != iter_c; iter_c = iter_c->next)
3418 GCC_debug (iter_c->cc,
3422 "TTT TUNNEL END\n");
3426 /* end of gnunet-service-cadet-new_tunnels.c */