2 This file is part of GNUnet.
3 Copyright (C) 2013, 2017 GNUnet e.V.
5 GNUnet is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published
7 by the Free Software Foundation; either version 3, or (at your
8 option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with GNUnet; see the file COPYING. If not, write to the
17 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
18 Boston, MA 02110-1301, USA.
21 * @file cadet/gnunet-service-cadet_tunnel.c
22 * @brief logical links between CADET clients
23 * @author Bartlomiej Polot
26 #include "gnunet_util_lib.h"
27 #include "gnunet_signatures.h"
28 #include "gnunet_statistics_service.h"
29 #include "cadet_protocol.h"
30 #include "cadet_path.h"
31 #include "gnunet-service-cadet_tunnel.h"
32 #include "gnunet-service-cadet_connection.h"
33 #include "gnunet-service-cadet_channel.h"
34 #include "gnunet-service-cadet_peer.h"
36 #define LOG(level, ...) GNUNET_log_from(level,"cadet-tun",__VA_ARGS__)
37 #define LOG2(level, ...) GNUNET_log_from_nocheck(level,"cadet-tun",__VA_ARGS__)
39 #define REKEY_WAIT GNUNET_TIME_relative_multiply(GNUNET_TIME_UNIT_SECONDS, 5)
41 #if !defined(GNUNET_CULL_LOGGING)
42 #define DUMP_KEYS_TO_STDERR GNUNET_YES
44 #define DUMP_KEYS_TO_STDERR GNUNET_NO
47 #define MIN_TUNNEL_BUFFER 8
48 #define MAX_TUNNEL_BUFFER 64
49 #define MAX_SKIPPED_KEYS 64
50 #define MAX_KEY_GAP 256
51 #define AX_HEADER_SIZE (sizeof (uint32_t) * 2\
52 + sizeof (struct GNUNET_CRYPTO_EcdhePublicKey))
54 /******************************************************************************/
55 /******************************** STRUCTS **********************************/
56 /******************************************************************************/
60 struct CadetTChannel *next;
61 struct CadetTChannel *prev;
62 struct CadetChannel *ch;
67 * Entry in list of connections used by tunnel, with metadata.
69 struct CadetTConnection
74 struct CadetTConnection *next;
79 struct CadetTConnection *prev;
84 struct CadetConnection *c;
87 * Creation time, to keep oldest connection alive.
89 struct GNUNET_TIME_Absolute created;
92 * Connection throughput, to keep fastest connection alive.
99 * Struct to old keys for skipped messages while advancing the Axolotl ratchet.
101 struct CadetTunnelSkippedKey
106 struct CadetTunnelSkippedKey *next;
111 struct CadetTunnelSkippedKey *prev;
114 * When was this key stored (for timeout).
116 struct GNUNET_TIME_Absolute timestamp;
121 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
126 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
129 * Key number for a given HK.
136 * Axolotl data, according to https://github.com/trevp/axolotl/wiki .
138 struct CadetTunnelAxolotl
141 * A (double linked) list of stored message keys and associated header keys
142 * for "skipped" messages, i.e. messages that have not been
143 * received despite the reception of more recent messages, (head).
145 struct CadetTunnelSkippedKey *skipped_head;
148 * Skipped messages' keys DLL, tail.
150 struct CadetTunnelSkippedKey *skipped_tail;
153 * Elements in @a skipped_head <-> @a skipped_tail.
155 unsigned int skipped;
158 * 32-byte root key which gets updated by DH ratchet.
160 struct GNUNET_CRYPTO_SymmetricSessionKey RK;
163 * 32-byte header key (send).
165 struct GNUNET_CRYPTO_SymmetricSessionKey HKs;
168 * 32-byte header key (recv)
170 struct GNUNET_CRYPTO_SymmetricSessionKey HKr;
173 * 32-byte next header key (send).
175 struct GNUNET_CRYPTO_SymmetricSessionKey NHKs;
178 * 32-byte next header key (recv).
180 struct GNUNET_CRYPTO_SymmetricSessionKey NHKr;
183 * 32-byte chain keys (used for forward-secrecy updating, send).
185 struct GNUNET_CRYPTO_SymmetricSessionKey CKs;
188 * 32-byte chain keys (used for forward-secrecy updating, recv).
190 struct GNUNET_CRYPTO_SymmetricSessionKey CKr;
193 * ECDH for key exchange (A0 / B0).
195 struct GNUNET_CRYPTO_EcdhePrivateKey *kx_0;
198 * ECDH Ratchet key (send).
200 struct GNUNET_CRYPTO_EcdhePrivateKey *DHRs;
203 * ECDH Ratchet key (recv).
205 struct GNUNET_CRYPTO_EcdhePublicKey DHRr;
208 * Message number (reset to 0 with each new ratchet, next message to send).
213 * Message number (reset to 0 with each new ratchet, next message to recv).
218 * Previous message numbers (# of msgs sent under prev ratchet)
223 * True (#GNUNET_YES) if we have to send a new ratchet key in next msg.
228 * Number of messages recieved since our last ratchet advance.
229 * - If this counter = 0, we cannot send a new ratchet key in next msg.
230 * - If this counter > 0, we can (but don't yet have to) send a new key.
232 unsigned int ratchet_allowed;
235 * Number of messages recieved since our last ratchet advance.
236 * - If this counter = 0, we cannot send a new ratchet key in next msg.
237 * - If this counter > 0, we can (but don't yet have to) send a new key.
239 unsigned int ratchet_counter;
242 * When does this ratchet expire and a new one is triggered.
244 struct GNUNET_TIME_Absolute ratchet_expiration;
249 * Struct containing all information regarding a tunnel to a peer.
254 * Endpoint of the tunnel.
256 struct CadetPeer *peer;
261 struct CadetTunnelAxolotl *ax;
264 * State of the tunnel connectivity.
266 enum CadetTunnelCState cstate;
269 * State of the tunnel encryption.
271 enum CadetTunnelEState estate;
274 * Peer's ephemeral key, to recreate @c e_key and @c d_key when own ephemeral
277 struct GNUNET_CRYPTO_EcdhePublicKey peers_ephemeral_key;
280 * Encryption ("our") key. It is only "confirmed" if kx_ctx is NULL.
282 struct GNUNET_CRYPTO_SymmetricSessionKey e_key;
285 * Decryption ("their") key. It is only "confirmed" if kx_ctx is NULL.
287 struct GNUNET_CRYPTO_SymmetricSessionKey d_key;
290 * Task to start the rekey process.
292 struct GNUNET_SCHEDULER_Task *rekey_task;
295 * Paths that are actively used to reach the destination peer.
297 struct CadetTConnection *connection_head;
298 struct CadetTConnection *connection_tail;
301 * Next connection number.
306 * Channels inside this tunnel.
308 struct CadetTChannel *channel_head;
309 struct CadetTChannel *channel_tail;
312 * Channel ID for the next created channel.
314 struct GNUNET_CADET_ChannelTunnelNumber next_ctn;
317 * Destroy flag: if true, destroy on last message.
319 struct GNUNET_SCHEDULER_Task * destroy_task;
322 * Queued messages, to transmit once tunnel gets connected.
324 struct CadetTunnelDelayed *tq_head;
325 struct CadetTunnelDelayed *tq_tail;
328 * Task to trim connections if too many are present.
330 struct GNUNET_SCHEDULER_Task * trim_connections_task;
333 * Ephemeral message in the queue (to avoid queueing more than one).
335 struct CadetConnectionQueue *ephm_h;
338 * Pong message in the queue.
340 struct CadetConnectionQueue *pong_h;
345 * Struct used to save messages in a non-ready tunnel to send once connected.
347 struct CadetTunnelDelayed
352 struct CadetTunnelDelayed *next;
353 struct CadetTunnelDelayed *prev;
358 struct CadetTunnel *t;
361 * Tunnel queue given to the channel to cancel request. Update on send_queued.
363 struct CadetTunnelQueue *tq;
368 /* struct GNUNET_MessageHeader *msg; */
373 * Handle for messages queued but not yet sent.
375 struct CadetTunnelQueue
378 * Connection queue handle, to cancel if necessary.
380 struct CadetConnectionQueue *cq;
383 * Handle in case message hasn't been given to a connection yet.
385 struct CadetTunnelDelayed *tqd;
388 * Continuation to call once sent.
393 * Closure for @c cont.
399 /******************************************************************************/
400 /******************************* GLOBALS ***********************************/
401 /******************************************************************************/
404 * Global handle to the statistics service.
406 extern struct GNUNET_STATISTICS_Handle *stats;
409 * Local peer own ID (memory efficient handle).
411 extern GNUNET_PEER_Id myid;
414 * Local peer own ID (full value).
416 extern struct GNUNET_PeerIdentity my_full_id;
420 * Don't try to recover tunnels if shutting down.
422 extern int shutting_down;
426 * Set of all tunnels, in order to trigger a new exchange on rekey.
427 * Indexed by peer's ID.
429 static struct GNUNET_CONTAINER_MultiPeerMap *tunnels;
432 * Own Peer ID private key.
434 const static struct GNUNET_CRYPTO_EddsaPrivateKey *id_key;
437 /******************************** AXOLOTL ************************************/
440 * How many messages are needed to trigger a ratchet advance.
442 static unsigned long long ratchet_messages;
445 * How long until we trigger a ratched advance.
447 static struct GNUNET_TIME_Relative ratchet_time;
450 /******************************************************************************/
451 /******************************** STATIC ***********************************/
452 /******************************************************************************/
455 * Get string description for tunnel connectivity state.
457 * @param cs Tunnel state.
459 * @return String representation.
462 cstate2s (enum CadetTunnelCState cs)
468 case CADET_TUNNEL_NEW:
469 return "CADET_TUNNEL_NEW";
470 case CADET_TUNNEL_SEARCHING:
471 return "CADET_TUNNEL_SEARCHING";
472 case CADET_TUNNEL_WAITING:
473 return "CADET_TUNNEL_WAITING";
474 case CADET_TUNNEL_READY:
475 return "CADET_TUNNEL_READY";
476 case CADET_TUNNEL_SHUTDOWN:
477 return "CADET_TUNNEL_SHUTDOWN";
479 SPRINTF (buf, "%u (UNKNOWN STATE)", cs);
487 * Get string description for tunnel encryption state.
489 * @param es Tunnel state.
491 * @return String representation.
494 estate2s (enum CadetTunnelEState es)
500 case CADET_TUNNEL_KEY_UNINITIALIZED:
501 return "CADET_TUNNEL_KEY_UNINITIALIZED";
502 case CADET_TUNNEL_KEY_AX_SENT:
503 return "CADET_TUNNEL_KEY_AX_SENT";
504 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
505 return "CADET_TUNNEL_KEY_AX_AUTH_SENT";
506 case CADET_TUNNEL_KEY_OK:
507 return "CADET_TUNNEL_KEY_OK";
508 case CADET_TUNNEL_KEY_REKEY:
509 return "CADET_TUNNEL_KEY_REKEY";
511 SPRINTF (buf, "%u (UNKNOWN STATE)", es);
519 * @brief Check if tunnel is ready to send traffic.
521 * Tunnel must be connected and with encryption correctly set up.
523 * @param t Tunnel to check.
525 * @return #GNUNET_YES if ready, #GNUNET_NO otherwise
528 is_ready (struct CadetTunnel *t)
534 conn_ok = CADET_TUNNEL_READY == t->cstate;
535 enc_ok = CADET_TUNNEL_KEY_OK == t->estate
536 || CADET_TUNNEL_KEY_REKEY == t->estate
537 || CADET_TUNNEL_KEY_AX_AUTH_SENT == t->estate;
538 ready = conn_ok && enc_ok;
539 ready = ready || GCT_is_loopback (t);
545 * Get the channel's buffer. ONLY FOR NON-LOOPBACK CHANNELS!!
547 * @param tch Tunnel's channel handle.
549 * @return Amount of messages the channel can still buffer towards the client.
552 get_channel_buffer (const struct CadetTChannel *tch)
556 /* If channel is incoming, is terminal in the FWD direction and fwd is YES */
557 fwd = GCCH_is_terminal (tch->ch, GNUNET_YES);
559 return GCCH_get_buffer (tch->ch, fwd);
564 * Get the channel's allowance status.
566 * @param tch Tunnel's channel handle.
568 * @return #GNUNET_YES if we allowed the client to send data to us.
571 get_channel_allowed (const struct CadetTChannel *tch)
575 /* If channel is outgoing, is origin in the FWD direction and fwd is YES */
576 fwd = GCCH_is_origin (tch->ch, GNUNET_YES);
578 return GCCH_get_allowed (tch->ch, fwd);
583 * Get the connection's buffer.
585 * @param tc Tunnel's connection handle.
587 * @return Amount of messages the connection can still buffer.
590 get_connection_buffer (const struct CadetTConnection *tc)
594 /* If connection is outgoing, is origin in the FWD direction and fwd is YES */
595 fwd = GCC_is_origin (tc->c, GNUNET_YES);
597 return GCC_get_buffer (tc->c, fwd);
602 * Get the connection's allowance.
604 * @param tc Tunnel's connection handle.
606 * @return Amount of messages we have allowed the next peer to send us.
609 get_connection_allowed (const struct CadetTConnection *tc)
613 /* If connection is outgoing, is origin in the FWD direction and fwd is YES */
614 fwd = GCC_is_origin (tc->c, GNUNET_YES);
616 return GCC_get_allowed (tc->c, fwd);
621 * Create a new Axolotl ephemeral (ratchet) key.
626 new_ephemeral (struct CadetTunnel *t)
628 GNUNET_free_non_null (t->ax->DHRs);
629 t->ax->DHRs = GNUNET_CRYPTO_ecdhe_key_create();
630 #if DUMP_KEYS_TO_STDERR
632 struct GNUNET_CRYPTO_EcdhePublicKey pub;
633 GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->DHRs, &pub);
634 LOG (GNUNET_ERROR_TYPE_DEBUG, " new DHRs generated: pub %s\n",
635 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &pub));
644 * @param plaintext Content to HMAC.
645 * @param size Size of @c plaintext.
646 * @param iv Initialization vector for the message.
647 * @param key Key to use.
648 * @param hmac[out] Destination to store the HMAC.
651 t_hmac (const void *plaintext, size_t size,
652 uint32_t iv, const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
653 struct GNUNET_ShortHashCode *hmac)
655 static const char ctx[] = "cadet authentication key";
656 struct GNUNET_CRYPTO_AuthKey auth_key;
657 struct GNUNET_HashCode hash;
659 #if DUMP_KEYS_TO_STDERR
660 LOG (GNUNET_ERROR_TYPE_INFO, " HMAC %u bytes with key %s\n", size,
661 GNUNET_i2s ((struct GNUNET_PeerIdentity *) key));
663 GNUNET_CRYPTO_hmac_derive_key (&auth_key, key,
668 /* Two step: CADET_Hash is only 256 bits, HashCode is 512. */
669 GNUNET_CRYPTO_hmac (&auth_key, plaintext, size, &hash);
670 GNUNET_memcpy (hmac, &hash, sizeof (*hmac));
677 * @param key Key to use.
678 * @param hash[out] Resulting HMAC.
679 * @param source Source key material (data to HMAC).
680 * @param len Length of @a source.
683 t_ax_hmac_hash (struct GNUNET_CRYPTO_SymmetricSessionKey *key,
684 struct GNUNET_HashCode *hash,
685 void *source, unsigned int len)
687 static const char ctx[] = "axolotl HMAC-HASH";
688 struct GNUNET_CRYPTO_AuthKey auth_key;
690 GNUNET_CRYPTO_hmac_derive_key (&auth_key, key,
693 GNUNET_CRYPTO_hmac (&auth_key, source, len, hash);
698 * Derive a key from a HMAC-HASH.
700 * @param key Key to use for the HMAC.
701 * @param out Key to generate.
702 * @param source Source key material (data to HMAC).
703 * @param len Length of @a source.
706 t_hmac_derive_key (struct GNUNET_CRYPTO_SymmetricSessionKey *key,
707 struct GNUNET_CRYPTO_SymmetricSessionKey *out,
708 void *source, unsigned int len)
710 static const char ctx[] = "axolotl derive key";
711 struct GNUNET_HashCode h;
713 t_ax_hmac_hash (key, &h, source, len);
714 GNUNET_CRYPTO_kdf (out, sizeof (*out), ctx, sizeof (ctx),
715 &h, sizeof (h), NULL);
720 * Encrypt data with the axolotl tunnel key.
722 * @param t Tunnel whose key to use.
723 * @param dst Destination for the encrypted data.
724 * @param src Source of the plaintext. Can overlap with @c dst.
725 * @param size Size of the plaintext.
727 * @return Size of the encrypted data.
730 t_ax_encrypt (struct CadetTunnel *t, void *dst, const void *src, size_t size)
732 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
733 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
734 struct CadetTunnelAxolotl *ax;
740 ax->ratchet_counter++;
741 if (GNUNET_YES == ax->ratchet_allowed
742 && (ratchet_messages <= ax->ratchet_counter
743 || 0 == GNUNET_TIME_absolute_get_remaining (ax->ratchet_expiration).rel_value_us))
745 ax->ratchet_flag = GNUNET_YES;
748 if (GNUNET_YES == ax->ratchet_flag)
750 /* Advance ratchet */
751 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3];
752 struct GNUNET_HashCode dh;
753 struct GNUNET_HashCode hmac;
754 static const char ctx[] = "axolotl ratchet";
759 /* RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) ) */
760 GNUNET_CRYPTO_ecc_ecdh (ax->DHRs, &ax->DHRr, &dh);
761 t_ax_hmac_hash (&ax->RK, &hmac, &dh, sizeof (dh));
762 GNUNET_CRYPTO_kdf (keys, sizeof (keys), ctx, sizeof (ctx),
763 &hmac, sizeof (hmac), NULL);
770 ax->ratchet_flag = GNUNET_NO;
771 ax->ratchet_allowed = GNUNET_NO;
772 ax->ratchet_counter = 0;
773 ax->ratchet_expiration =
774 GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(), ratchet_time);
777 t_hmac_derive_key (&ax->CKs, &MK, "0", 1);
778 GNUNET_CRYPTO_symmetric_derive_iv (&iv, &MK, NULL, 0, NULL);
780 #if DUMP_KEYS_TO_STDERR
781 LOG (GNUNET_ERROR_TYPE_DEBUG, " CKs: %s\n",
782 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &ax->CKs));
783 LOG (GNUNET_ERROR_TYPE_INFO, " AX_ENC with key %u: %s\n", ax->Ns,
784 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &MK));
787 out_size = GNUNET_CRYPTO_symmetric_encrypt (src, size, &MK, &iv, dst);
788 t_hmac_derive_key (&ax->CKs, &ax->CKs, "1", 1);
797 * Decrypt data with the axolotl tunnel key.
799 * @param t Tunnel whose key to use.
800 * @param dst Destination for the decrypted data.
801 * @param src Source of the ciphertext. Can overlap with @c dst.
802 * @param size Size of the ciphertext.
804 * @return Size of the decrypted data.
807 t_ax_decrypt (struct CadetTunnel *t, void *dst, const void *src, size_t size)
809 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
810 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
811 struct CadetTunnelAxolotl *ax;
818 t_hmac_derive_key (&ax->CKr, &MK, "0", 1);
819 GNUNET_CRYPTO_symmetric_derive_iv (&iv, &MK, NULL, 0, NULL);
821 #if DUMP_KEYS_TO_STDERR
822 LOG (GNUNET_ERROR_TYPE_DEBUG, " CKr: %s\n",
823 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &ax->CKr));
824 LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC with key %u: %s\n", ax->Nr,
825 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &MK));
828 GNUNET_assert (size >= sizeof (struct GNUNET_MessageHeader));
829 out_size = GNUNET_CRYPTO_symmetric_decrypt (src, size, &MK, &iv, dst);
830 GNUNET_assert (out_size == size);
832 t_hmac_derive_key (&ax->CKr, &ax->CKr, "1", 1);
841 * Encrypt header with the axolotl header key.
843 * @param t Tunnel whose key to use.
844 * @param msg Message whose header to encrypt.
847 t_h_encrypt (struct CadetTunnel *t, struct GNUNET_CADET_TunnelEncryptedMessage *msg)
849 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
850 struct CadetTunnelAxolotl *ax;
855 GNUNET_CRYPTO_symmetric_derive_iv (&iv, &ax->HKs, NULL, 0, NULL);
857 #if DUMP_KEYS_TO_STDERR
858 LOG (GNUNET_ERROR_TYPE_INFO, " AX_ENC_H with key %s\n",
859 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &ax->HKs));
862 out_size = GNUNET_CRYPTO_symmetric_encrypt (&msg->Ns, AX_HEADER_SIZE,
863 &ax->HKs, &iv, &msg->Ns);
865 GNUNET_assert (AX_HEADER_SIZE == out_size);
871 * Decrypt header with the current axolotl header key.
873 * @param t Tunnel whose current ax HK to use.
874 * @param src Message whose header to decrypt.
875 * @param dst Where to decrypt header to.
878 t_h_decrypt (struct CadetTunnel *t, const struct GNUNET_CADET_TunnelEncryptedMessage *src,
879 struct GNUNET_CADET_TunnelEncryptedMessage *dst)
881 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
882 struct CadetTunnelAxolotl *ax;
888 GNUNET_CRYPTO_symmetric_derive_iv (&iv, &ax->HKr, NULL, 0, NULL);
890 #if DUMP_KEYS_TO_STDERR
891 LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC_H with key %s\n",
892 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &ax->HKr));
895 out_size = GNUNET_CRYPTO_symmetric_decrypt (&src->Ns, AX_HEADER_SIZE,
896 &ax->HKr, &iv, &dst->Ns);
898 GNUNET_assert (AX_HEADER_SIZE == out_size);
905 * Decrypt and verify data with the appropriate tunnel key and verify that the
906 * data has not been altered since it was sent by the remote peer.
908 * @param t Tunnel whose key to use.
909 * @param dst Destination for the plaintext.
910 * @param src Source of the message. Can overlap with @c dst.
911 * @param size Size of the message.
913 * @return Size of the decrypted data, -1 if an error was encountered.
916 try_old_ax_keys (struct CadetTunnel *t, void *dst,
917 const struct GNUNET_CADET_TunnelEncryptedMessage *src, size_t size)
919 struct CadetTunnelSkippedKey *key;
920 struct GNUNET_ShortHashCode *hmac;
921 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
922 struct GNUNET_CADET_TunnelEncryptedMessage plaintext_header;
923 struct GNUNET_CRYPTO_SymmetricSessionKey *valid_HK;
929 LOG (GNUNET_ERROR_TYPE_DEBUG, "Trying old keys\n");
930 hmac = &plaintext_header.hmac;
931 esize = size - sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
933 /* Find a correct Header Key */
934 for (key = t->ax->skipped_head; NULL != key; key = key->next)
936 #if DUMP_KEYS_TO_STDERR
937 LOG (GNUNET_ERROR_TYPE_DEBUG, " Trying hmac with key %s\n",
938 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &key->HK));
940 t_hmac (&src->Ns, AX_HEADER_SIZE + esize, 0, &key->HK, hmac);
941 if (0 == memcmp (hmac, &src->hmac, sizeof (*hmac)))
943 LOG (GNUNET_ERROR_TYPE_DEBUG, " hmac correct\n");
951 /* Should've been checked in -cadet_connection.c handle_cadet_encrypted. */
952 GNUNET_assert (size > sizeof (struct GNUNET_CADET_TunnelEncryptedMessage));
953 len = size - sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
954 GNUNET_assert (len >= sizeof (struct GNUNET_MessageHeader));
957 GNUNET_CRYPTO_symmetric_derive_iv (&iv, &key->HK, NULL, 0, NULL);
958 res = GNUNET_CRYPTO_symmetric_decrypt (&src->Ns, AX_HEADER_SIZE,
959 &key->HK, &iv, &plaintext_header.Ns);
960 GNUNET_assert (AX_HEADER_SIZE == res);
961 LOG (GNUNET_ERROR_TYPE_DEBUG, " Message %u, previous: %u\n",
962 ntohl (plaintext_header.Ns), ntohl (plaintext_header.PNs));
964 /* Find the correct Message Key */
965 N = ntohl (plaintext_header.Ns);
966 while (NULL != key && N != key->Kn)
968 if (NULL == key || 0 != memcmp (&key->HK, valid_HK, sizeof (*valid_HK)))
971 #if DUMP_KEYS_TO_STDERR
972 LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC_H with skipped key %s\n",
973 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &key->HK));
974 LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC with skipped key %u: %s\n",
975 key->Kn, GNUNET_i2s ((struct GNUNET_PeerIdentity *) &key->MK));
978 /* Decrypt payload */
979 GNUNET_CRYPTO_symmetric_derive_iv (&iv, &key->MK, NULL, 0, NULL);
980 res = GNUNET_CRYPTO_symmetric_decrypt (&src[1], len, &key->MK, &iv, dst);
983 GNUNET_CONTAINER_DLL_remove (t->ax->skipped_head, t->ax->skipped_tail, key);
985 GNUNET_free (key); /* GNUNET_free overwrites memory with 0xbaadf00d */
992 * Delete a key from the list of skipped keys.
994 * @param t Tunnel to delete from.
995 * @param HKr Header Key to use.
998 store_skipped_key (struct CadetTunnel *t,
999 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr)
1001 struct CadetTunnelSkippedKey *key;
1003 key = GNUNET_new (struct CadetTunnelSkippedKey);
1004 key->timestamp = GNUNET_TIME_absolute_get ();
1005 key->Kn = t->ax->Nr;
1006 key->HK = t->ax->HKr;
1007 t_hmac_derive_key (&t->ax->CKr, &key->MK, "0", 1);
1008 #if DUMP_KEYS_TO_STDERR
1009 LOG (GNUNET_ERROR_TYPE_DEBUG, " storing MK for Nr %u: %s\n",
1010 key->Kn, GNUNET_i2s ((struct GNUNET_PeerIdentity *) &key->MK));
1011 LOG (GNUNET_ERROR_TYPE_DEBUG, " for CKr: %s\n",
1012 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &t->ax->CKr));
1014 t_hmac_derive_key (&t->ax->CKr, &t->ax->CKr, "1", 1);
1015 GNUNET_CONTAINER_DLL_insert (t->ax->skipped_head, t->ax->skipped_tail, key);
1022 * Delete a key from the list of skipped keys.
1024 * @param t Tunnel to delete from.
1025 * @param key Key to delete.
1028 delete_skipped_key (struct CadetTunnel *t, struct CadetTunnelSkippedKey *key)
1030 GNUNET_CONTAINER_DLL_remove (t->ax->skipped_head, t->ax->skipped_tail, key);
1037 * Stage skipped AX keys and calculate the message key.
1039 * Stores each HK and MK for skipped messages.
1041 * @param t Tunnel where to stage the keys.
1042 * @param HKr Header key.
1043 * @param Np Received meesage number.
1045 * @return GNUNET_OK if keys were stored.
1046 * GNUNET_SYSERR if an error ocurred (Np not expected).
1049 store_ax_keys (struct CadetTunnel *t,
1050 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr,
1056 gap = Np - t->ax->Nr;
1057 LOG (GNUNET_ERROR_TYPE_INFO, "Storing keys [%u, %u)\n", t->ax->Nr, Np);
1058 if (MAX_KEY_GAP < gap)
1060 /* Avoid DoS (forcing peer to do 2*33 chain HMAC operations) */
1061 /* TODO: start new key exchange on return */
1062 GNUNET_break_op (0);
1063 LOG (GNUNET_ERROR_TYPE_WARNING, "Got message %u, expected %u+\n",
1065 return GNUNET_SYSERR;
1069 /* Delayed message: don't store keys, flag to try old keys. */
1070 return GNUNET_SYSERR;
1073 while (t->ax->Nr < Np)
1074 store_skipped_key (t, HKr);
1076 while (t->ax->skipped > MAX_SKIPPED_KEYS)
1077 delete_skipped_key (t, t->ax->skipped_tail);
1084 * Decrypt and verify data with the appropriate tunnel key and verify that the
1085 * data has not been altered since it was sent by the remote peer.
1087 * @param t Tunnel whose key to use.
1088 * @param dst Destination for the plaintext.
1089 * @param src Source of the message. Can overlap with @c dst.
1090 * @param size Size of the message.
1092 * @return Size of the decrypted data, -1 if an error was encountered.
1095 t_ax_decrypt_and_validate (struct CadetTunnel *t, void *dst,
1096 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
1099 struct CadetTunnelAxolotl *ax;
1100 struct GNUNET_ShortHashCode msg_hmac;
1101 struct GNUNET_HashCode hmac;
1102 struct GNUNET_CADET_TunnelEncryptedMessage plaintext_header;
1105 size_t esize; /* Size of encryped payload */
1106 size_t osize; /* Size of output (decrypted payload) */
1108 esize = size - sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
1113 /* Try current HK */
1114 t_hmac (&src->Ns, AX_HEADER_SIZE + esize, 0, &ax->HKr, &msg_hmac);
1115 if (0 != memcmp (&msg_hmac, &src->hmac, sizeof (msg_hmac)))
1117 static const char ctx[] = "axolotl ratchet";
1118 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3]; /* RKp, NHKp, CKp */
1119 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
1120 struct GNUNET_HashCode dh;
1121 struct GNUNET_CRYPTO_EcdhePublicKey *DHRp;
1124 LOG (GNUNET_ERROR_TYPE_DEBUG, " trying next HK\n");
1125 t_hmac (&src->Ns, AX_HEADER_SIZE + esize, 0, &ax->NHKr, &msg_hmac);
1126 if (0 != memcmp (&msg_hmac, &src->hmac, sizeof (msg_hmac)))
1128 /* Try the skipped keys, if that fails, we're out of luck. */
1129 return try_old_ax_keys (t, dst, src, size);
1131 LOG (GNUNET_ERROR_TYPE_INFO, "next HK worked\n");
1135 t_h_decrypt (t, src, &plaintext_header);
1136 Np = ntohl (plaintext_header.Ns);
1137 PNp = ntohl (plaintext_header.PNs);
1138 DHRp = &plaintext_header.DHRs;
1139 store_ax_keys (t, &HK, PNp);
1141 /* RKp, NHKp, CKp = KDF (HMAC-HASH (RK, DH (DHRp, DHRs))) */
1142 GNUNET_CRYPTO_ecc_ecdh (ax->DHRs, DHRp, &dh);
1143 t_ax_hmac_hash (&ax->RK, &hmac, &dh, sizeof (dh));
1144 GNUNET_CRYPTO_kdf (keys, sizeof (keys), ctx, sizeof (ctx),
1145 &hmac, sizeof (hmac), NULL);
1147 /* Commit "purported" keys */
1153 ax->ratchet_allowed = GNUNET_YES;
1157 LOG (GNUNET_ERROR_TYPE_DEBUG, "current HK\n");
1158 t_h_decrypt (t, src, &plaintext_header);
1159 Np = ntohl (plaintext_header.Ns);
1160 PNp = ntohl (plaintext_header.PNs);
1162 LOG (GNUNET_ERROR_TYPE_INFO, " got AX Nr %u\n", Np);
1164 if (GNUNET_OK != store_ax_keys (t, &ax->HKr, Np))
1165 /* Try the skipped keys, if that fails, we're out of luck. */
1166 return try_old_ax_keys (t, dst, src, size);
1168 osize = t_ax_decrypt (t, dst, &src[1], esize);
1173 GNUNET_break_op (0);
1182 * Pick a connection on which send the next data message.
1184 * @param t Tunnel on which to send the message.
1186 * @return The connection on which to send the next message.
1188 static struct CadetConnection *
1189 tunnel_get_connection (struct CadetTunnel *t)
1191 struct CadetTConnection *iter;
1192 struct CadetConnection *best;
1194 unsigned int lowest_q;
1196 LOG (GNUNET_ERROR_TYPE_DEBUG, "tunnel_get_connection %s\n", GCT_2s (t));
1198 lowest_q = UINT_MAX;
1199 for (iter = t->connection_head; NULL != iter; iter = iter->next)
1201 LOG (GNUNET_ERROR_TYPE_DEBUG, " connection %s: %u\n",
1202 GCC_2s (iter->c), GCC_get_state (iter->c));
1203 if (CADET_CONNECTION_READY == GCC_get_state (iter->c))
1205 qn = GCC_get_qn (iter->c, GCC_is_origin (iter->c, GNUNET_YES));
1206 LOG (GNUNET_ERROR_TYPE_DEBUG, " q_n %u, \n", qn);
1214 LOG (GNUNET_ERROR_TYPE_DEBUG, " selected: connection %s\n", GCC_2s (best));
1220 * Callback called when a queued message is sent.
1222 * Calculates the average time and connection packet tracking.
1224 * @param cls Closure (TunnelQueue handle).
1225 * @param c Connection this message was on.
1226 * @param q Connection queue handle (unused).
1227 * @param type Type of message sent.
1228 * @param fwd Was this a FWD going message?
1229 * @param size Size of the message.
1232 tun_message_sent (void *cls,
1233 struct CadetConnection *c,
1234 struct CadetConnectionQueue *q,
1235 uint16_t type, int fwd, size_t size)
1237 struct CadetTunnelQueue *qt = cls;
1238 struct CadetTunnel *t;
1240 LOG (GNUNET_ERROR_TYPE_DEBUG, "tun_message_sent\n");
1242 GNUNET_assert (NULL != qt->cont);
1243 t = NULL == c ? NULL : GCC_get_tunnel (c);
1244 qt->cont (qt->cont_cls, t, qt, type, size);
1250 count_queued_data (const struct CadetTunnel *t)
1252 struct CadetTunnelDelayed *iter;
1255 for (count = 0, iter = t->tq_head; iter != NULL; iter = iter->next)
1262 * Delete a queued message: either was sent or the channel was destroyed
1263 * before the tunnel's key exchange had a chance to finish.
1265 * @param tqd Delayed queue handle.
1268 unqueue_data (struct CadetTunnelDelayed *tqd)
1270 GNUNET_CONTAINER_DLL_remove (tqd->t->tq_head, tqd->t->tq_tail, tqd);
1276 * Cache a message to be sent once tunnel is online.
1278 * @param t Tunnel to hold the message.
1279 * @param msg Message itself (copy will be made).
1281 static struct CadetTunnelDelayed *
1282 queue_data (struct CadetTunnel *t, const struct GNUNET_MessageHeader *msg)
1284 struct CadetTunnelDelayed *tqd;
1285 uint16_t size = ntohs (msg->size);
1287 LOG (GNUNET_ERROR_TYPE_DEBUG, "queue data on Tunnel %s\n", GCT_2s (t));
1289 GNUNET_assert (GNUNET_NO == is_ready (t));
1291 tqd = GNUNET_malloc (sizeof (struct CadetTunnelDelayed) + size);
1294 GNUNET_memcpy (&tqd[1], msg, size);
1295 GNUNET_CONTAINER_DLL_insert_tail (t->tq_head, t->tq_tail, tqd);
1301 * Sends an already built message on a tunnel, encrypting it and
1302 * choosing the best connection.
1304 * @param message Message to send. Function modifies it.
1305 * @param t Tunnel on which this message is transmitted.
1306 * @param c Connection to use (autoselect if NULL).
1307 * @param force Force the tunnel to take the message (buffer overfill).
1308 * @param cont Continuation to call once message is really sent.
1309 * @param cont_cls Closure for @c cont.
1310 * @param existing_q In case this a transmission of previously queued data,
1311 * this should be TunnelQueue given to the client.
1313 * @return Handle to cancel message.
1314 * NULL if @c cont is NULL or an error happens and message is dropped.
1316 static struct CadetTunnelQueue *
1317 send_prebuilt_message (const struct GNUNET_MessageHeader *message,
1318 struct CadetTunnel *t,
1319 struct CadetConnection *c,
1323 struct CadetTunnelQueue *existing_q)
1325 struct GNUNET_MessageHeader *msg;
1326 struct GNUNET_CADET_TunnelEncryptedMessage *ax_msg;
1327 struct CadetTunnelQueue *tq;
1328 size_t size = ntohs (message->size);
1329 char cbuf[sizeof (struct GNUNET_CADET_TunnelEncryptedMessage) + size] GNUNET_ALIGN;
1334 LOG (GNUNET_ERROR_TYPE_DEBUG, "GMT Send on Tunnel %s\n", GCT_2s (t));
1336 if (GNUNET_NO == is_ready (t))
1338 struct CadetTunnelDelayed *tqd;
1339 /* A non null existing_q indicates sending of queued data.
1340 * Should only happen after tunnel becomes ready.
1342 GNUNET_assert (NULL == existing_q);
1343 tqd = queue_data (t, message);
1346 tq = GNUNET_new (struct CadetTunnelQueue);
1350 tq->cont_cls = cont_cls;
1354 GNUNET_assert (GNUNET_NO == GCT_is_loopback (t));
1356 ax_msg = (struct GNUNET_CADET_TunnelEncryptedMessage *) cbuf;
1357 msg = &ax_msg->header;
1358 msg->size = htons (sizeof (struct GNUNET_CADET_TunnelEncryptedMessage) + size);
1359 msg->type = htons (GNUNET_MESSAGE_TYPE_CADET_TUNNEL_ENCRYPTED);
1360 esize = t_ax_encrypt (t, &ax_msg[1], message, size);
1361 ax_msg->Ns = htonl (t->ax->Ns++);
1362 ax_msg->PNs = htonl (t->ax->PNs);
1363 GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->DHRs, &ax_msg->DHRs);
1364 t_h_encrypt (t, ax_msg);
1365 t_hmac (&ax_msg->Ns, AX_HEADER_SIZE + esize, 0, &t->ax->HKs, &ax_msg->hmac);
1366 GNUNET_assert (esize == size);
1369 c = tunnel_get_connection (t);
1372 /* Why is tunnel 'ready'? Should have been queued! */
1373 if (NULL != t->destroy_task)
1376 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
1378 return NULL; /* Drop... */
1380 fwd = GCC_is_origin (c, GNUNET_YES);
1381 ax_msg->cid = *GCC_get_id (c);
1382 ax_msg->cemi = GCC_get_pid (c, fwd);
1384 type = htons (message->type);
1385 LOG (GNUNET_ERROR_TYPE_DEBUG,
1386 "Sending message of type %s with CEMI %u and CID %s\n",
1388 htonl (ax_msg->cemi.pid),
1389 GNUNET_sh2s (&ax_msg->cid.connection_of_tunnel));
1393 (void) GCC_send_prebuilt_message (msg,
1401 if (NULL == existing_q)
1403 tq = GNUNET_new (struct CadetTunnelQueue); /* FIXME valgrind: leak*/
1411 tq->cont_cls = cont_cls;
1412 tq->cq = GCC_send_prebuilt_message (msg,
1418 &tun_message_sent, tq);
1419 GNUNET_assert (NULL != tq->cq);
1426 * Send all cached messages that we can, tunnel is online.
1428 * @param t Tunnel that holds the messages. Cannot be loopback.
1431 send_queued_data (struct CadetTunnel *t)
1433 struct CadetTunnelDelayed *tqd;
1434 struct CadetTunnelDelayed *next;
1437 LOG (GNUNET_ERROR_TYPE_INFO, "Send queued data, tunnel %s\n", GCT_2s (t));
1439 if (GCT_is_loopback (t))
1445 if (GNUNET_NO == is_ready (t))
1447 LOG (GNUNET_ERROR_TYPE_WARNING, " not ready yet: %s/%s\n",
1448 estate2s (t->estate), cstate2s (t->cstate));
1452 room = GCT_get_connections_buffer (t);
1453 LOG (GNUNET_ERROR_TYPE_DEBUG, " buffer space: %u\n", room);
1454 LOG (GNUNET_ERROR_TYPE_DEBUG, " tq head: %p\n", t->tq_head);
1455 for (tqd = t->tq_head; NULL != tqd && room > 0; tqd = next)
1457 LOG (GNUNET_ERROR_TYPE_DEBUG, " sending queued data\n");
1460 send_prebuilt_message ((struct GNUNET_MessageHeader *) &tqd[1],
1461 tqd->t, NULL, GNUNET_YES,
1462 NULL != tqd->tq ? tqd->tq->cont : NULL,
1463 NULL != tqd->tq ? tqd->tq->cont_cls : NULL,
1467 LOG (GNUNET_ERROR_TYPE_DEBUG, "GCT_send_queued_data end\n", GCP_2s (t->peer));
1472 * @brief Resend the KX until we complete the handshake.
1474 * @param cls Closure (tunnel).
1477 kx_resend (void *cls)
1479 struct CadetTunnel *t = cls;
1481 t->rekey_task = NULL;
1482 if (CADET_TUNNEL_KEY_OK == t->estate)
1484 /* Should have been canceled on estate change */
1489 GCT_send_kx (t, CADET_TUNNEL_KEY_AX_SENT >= t->estate);
1494 * Callback called when a queued message is sent.
1496 * @param cls Closure.
1497 * @param c Connection this message was on.
1498 * @param type Type of message sent.
1499 * @param fwd Was this a FWD going message?
1500 * @param size Size of the message.
1503 ephm_sent (void *cls,
1504 struct CadetConnection *c,
1505 struct CadetConnectionQueue *q,
1506 uint16_t type, int fwd, size_t size)
1508 struct CadetTunnel *t = cls;
1509 LOG (GNUNET_ERROR_TYPE_DEBUG, "ephemeral sent %s\n", GC_m2s (type));
1513 if (CADET_TUNNEL_KEY_OK == t->estate)
1516 if (NULL != t->rekey_task)
1519 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
1520 GNUNET_SCHEDULER_cancel (t->rekey_task);
1522 t->rekey_task = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS,
1529 * Called only on shutdown, destroy every tunnel.
1531 * @param cls Closure (unused).
1532 * @param key Current public key.
1533 * @param value Value in the hash map (tunnel).
1535 * @return #GNUNET_YES, so we should continue to iterate,
1538 destroy_iterator (void *cls,
1539 const struct GNUNET_PeerIdentity *key,
1542 struct CadetTunnel *t = value;
1544 LOG (GNUNET_ERROR_TYPE_DEBUG,
1545 "GCT_shutdown destroying tunnel at %p\n", t);
1552 * Notify remote peer that we don't know a channel he is talking about,
1553 * probably CHANNEL_DESTROY was missed.
1555 * @param t Tunnel on which to notify.
1556 * @param gid ID of the channel.
1559 send_channel_destroy (struct CadetTunnel *t,
1560 struct GNUNET_CADET_ChannelTunnelNumber gid)
1562 struct GNUNET_CADET_ChannelManageMessage msg;
1564 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY);
1565 msg.header.size = htons (sizeof (msg));
1568 LOG (GNUNET_ERROR_TYPE_DEBUG,
1569 "WARNING destroying unknown channel %u on tunnel %s\n",
1572 send_prebuilt_message (&msg.header, t, NULL, GNUNET_YES, NULL, NULL, NULL);
1577 * Demultiplex data per channel and call appropriate channel handler.
1579 * @param t Tunnel on which the data came.
1580 * @param msg Data message.
1581 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
1582 * #GNUNET_YES if message is FWD on the respective channel (loopback)
1583 * #GNUNET_NO if message is BCK on the respective channel (loopback)
1584 * #GNUNET_SYSERR if message on a one-ended channel (remote)
1587 handle_data (struct CadetTunnel *t,
1588 const struct GNUNET_CADET_ChannelAppDataMessage *msg,
1591 struct CadetChannel *ch;
1597 size = ntohs (msg->header.size);
1599 sizeof (struct GNUNET_CADET_ChannelAppDataMessage) +
1600 sizeof (struct GNUNET_MessageHeader))
1605 type = ntohs (msg[1].header.type);
1606 LOG (GNUNET_ERROR_TYPE_DEBUG, " payload of type %s\n", GC_m2s (type));
1607 SPRINTF (buf, "# received payload of type %hu", type);
1608 GNUNET_STATISTICS_update (stats, buf, 1, GNUNET_NO);
1612 ch = GCT_get_channel (t, msg->ctn);
1615 GNUNET_STATISTICS_update (stats,
1616 "# data on unknown channel",
1619 LOG (GNUNET_ERROR_TYPE_DEBUG,
1620 "channel 0x%X unknown\n",
1621 ntohl (msg->ctn.cn));
1622 send_channel_destroy (t, msg->ctn);
1626 GCCH_handle_data (ch, msg, fwd);
1631 * Demultiplex data ACKs per channel and update appropriate channel buffer info.
1633 * @param t Tunnel on which the DATA ACK came.
1634 * @param msg DATA ACK message.
1635 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
1636 * #GNUNET_YES if message is FWD on the respective channel (loopback)
1637 * #GNUNET_NO if message is BCK on the respective channel (loopback)
1638 * #GNUNET_SYSERR if message on a one-ended channel (remote)
1641 handle_data_ack (struct CadetTunnel *t,
1642 const struct GNUNET_CADET_ChannelDataAckMessage *msg,
1645 struct CadetChannel *ch;
1649 size = ntohs (msg->header.size);
1650 if (size != sizeof (struct GNUNET_CADET_ChannelDataAckMessage))
1657 ch = GCT_get_channel (t, msg->ctn);
1660 GNUNET_STATISTICS_update (stats, "# data ack on unknown channel",
1662 LOG (GNUNET_ERROR_TYPE_DEBUG, "WARNING channel %u unknown\n",
1663 ntohl (msg->ctn.cn));
1667 GCCH_handle_data_ack (ch, msg, fwd);
1672 * Handle channel create.
1674 * @param t Tunnel on which the message came.
1675 * @param msg ChannelCreate message.
1678 handle_ch_create (struct CadetTunnel *t,
1679 const struct GNUNET_CADET_ChannelOpenMessage *msg)
1681 struct CadetChannel *ch;
1685 size = ntohs (msg->header.size);
1686 if (size != sizeof (struct GNUNET_CADET_ChannelOpenMessage))
1688 GNUNET_break_op (0);
1693 ch = GCT_get_channel (t, msg->ctn);
1694 if (NULL != ch && ! GCT_is_loopback (t))
1696 /* Probably a retransmission, safe to ignore */
1697 LOG (GNUNET_ERROR_TYPE_DEBUG, " already exists...\n");
1699 ch = GCCH_handle_create (t, msg);
1701 GCT_add_channel (t, ch);
1707 * Handle channel NACK: check correctness and call channel handler for NACKs.
1709 * @param t Tunnel on which the NACK came.
1710 * @param msg NACK message.
1713 handle_ch_nack (struct CadetTunnel *t,
1714 const struct GNUNET_CADET_ChannelManageMessage *msg)
1716 struct CadetChannel *ch;
1720 size = ntohs (msg->header.size);
1721 if (size != sizeof (struct GNUNET_CADET_ChannelManageMessage))
1728 ch = GCT_get_channel (t, msg->ctn);
1731 GNUNET_STATISTICS_update (stats, "# channel NACK on unknown channel",
1733 LOG (GNUNET_ERROR_TYPE_DEBUG,
1734 "WARNING channel %u unknown\n",
1735 ntohl (msg->ctn.cn));
1739 GCCH_handle_nack (ch);
1744 * Handle a CHANNEL ACK (SYNACK/ACK).
1746 * @param t Tunnel on which the CHANNEL ACK came.
1747 * @param msg CHANNEL ACK message.
1748 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
1749 * #GNUNET_YES if message is FWD on the respective channel (loopback)
1750 * #GNUNET_NO if message is BCK on the respective channel (loopback)
1751 * #GNUNET_SYSERR if message on a one-ended channel (remote)
1754 handle_ch_ack (struct CadetTunnel *t,
1755 const struct GNUNET_CADET_ChannelManageMessage *msg,
1758 struct CadetChannel *ch;
1762 size = ntohs (msg->header.size);
1763 if (size != sizeof (struct GNUNET_CADET_ChannelManageMessage))
1770 ch = GCT_get_channel (t, msg->ctn);
1773 GNUNET_STATISTICS_update (stats,
1774 "# channel ack on unknown channel",
1777 LOG (GNUNET_ERROR_TYPE_DEBUG,
1778 "WARNING channel %u unknown\n",
1779 ntohl (msg->ctn.cn));
1783 GCCH_handle_ack (ch, msg, fwd);
1788 * Handle a channel destruction message.
1790 * @param t Tunnel on which the message came.
1791 * @param msg Channel destroy message.
1792 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
1793 * #GNUNET_YES if message is FWD on the respective channel (loopback)
1794 * #GNUNET_NO if message is BCK on the respective channel (loopback)
1795 * #GNUNET_SYSERR if message on a one-ended channel (remote)
1798 handle_ch_destroy (struct CadetTunnel *t,
1799 const struct GNUNET_CADET_ChannelManageMessage *msg,
1802 struct CadetChannel *ch;
1806 size = ntohs (msg->header.size);
1807 if (size != sizeof (struct GNUNET_CADET_ChannelManageMessage))
1814 ch = GCT_get_channel (t, msg->ctn);
1817 /* Probably a retransmission, safe to ignore */
1821 GCCH_handle_destroy (ch, msg, fwd);
1826 * Free Axolotl data.
1831 destroy_ax (struct CadetTunnel *t)
1836 GNUNET_free_non_null (t->ax->DHRs);
1837 GNUNET_free_non_null (t->ax->kx_0);
1838 while (NULL != t->ax->skipped_head)
1839 delete_skipped_key (t, t->ax->skipped_head);
1840 GNUNET_assert (0 == t->ax->skipped);
1842 GNUNET_free (t->ax);
1845 if (NULL != t->rekey_task)
1847 GNUNET_SCHEDULER_cancel (t->rekey_task);
1848 t->rekey_task = NULL;
1850 if (NULL != t->ephm_h)
1852 GCC_cancel (t->ephm_h);
1859 * Demultiplex by message type and call appropriate handler for a message
1860 * towards a channel of a local tunnel.
1862 * @param t Tunnel this message came on.
1863 * @param msgh Message header.
1864 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
1865 * #GNUNET_YES if message is FWD on the respective channel (loopback)
1866 * #GNUNET_NO if message is BCK on the respective channel (loopback)
1867 * #GNUNET_SYSERR if message on a one-ended channel (remote)
1870 handle_decrypted (struct CadetTunnel *t,
1871 const struct GNUNET_MessageHeader *msgh,
1877 type = ntohs (msgh->type);
1878 LOG (GNUNET_ERROR_TYPE_DEBUG, "<-- %s on %s\n", GC_m2s (type), GCT_2s (t));
1879 SPRINTF (buf, "# received encrypted of type %hu (%s)", type, GC_m2s (type));
1880 GNUNET_STATISTICS_update (stats, buf, 1, GNUNET_NO);
1884 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_KEEPALIVE:
1885 /* Do nothing, connection aleady got updated. */
1886 GNUNET_STATISTICS_update (stats, "# keepalives received", 1, GNUNET_NO);
1889 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_APP_DATA:
1890 /* Don't send hop ACK, wait for client to ACK */
1891 handle_data (t, (struct GNUNET_CADET_ChannelAppDataMessage *) msgh, fwd);
1894 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_APP_DATA_ACK:
1895 handle_data_ack (t, (struct GNUNET_CADET_ChannelDataAckMessage *) msgh, fwd);
1898 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN:
1899 handle_ch_create (t, (struct GNUNET_CADET_ChannelOpenMessage *) msgh);
1902 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN_NACK_DEPRECATED:
1903 handle_ch_nack (t, (struct GNUNET_CADET_ChannelManageMessage *) msgh);
1906 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN_ACK:
1907 handle_ch_ack (t, (struct GNUNET_CADET_ChannelManageMessage *) msgh, fwd);
1910 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY:
1911 handle_ch_destroy (t, (struct GNUNET_CADET_ChannelManageMessage *) msgh, fwd);
1915 GNUNET_break_op (0);
1916 LOG (GNUNET_ERROR_TYPE_WARNING,
1917 "end-to-end message not known (%u)\n",
1918 ntohs (msgh->type));
1919 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
1924 /******************************************************************************/
1925 /******************************** API ***********************************/
1926 /******************************************************************************/
1929 * Decrypt and process an encrypted message.
1931 * Calls the appropriate handler for a message in a channel of a local tunnel.
1933 * @param t Tunnel this message came on.
1934 * @param msg Message header.
1937 GCT_handle_encrypted (struct CadetTunnel *t,
1938 const struct GNUNET_CADET_TunnelEncryptedMessage *msg)
1940 uint16_t size = ntohs (msg->header.size);
1943 const struct GNUNET_MessageHeader *msgh;
1946 GNUNET_STATISTICS_update (stats, "# received encrypted", 1, GNUNET_NO);
1948 decrypted_size = t_ax_decrypt_and_validate (t, cbuf, msg, size);
1950 if (-1 == decrypted_size)
1952 GNUNET_STATISTICS_update (stats, "# unable to decrypt", 1, GNUNET_NO);
1953 if (CADET_TUNNEL_KEY_AX_AUTH_SENT <= t->estate)
1955 GNUNET_break_op (0);
1956 LOG (GNUNET_ERROR_TYPE_WARNING, "Wrong crypto, tunnel %s\n", GCT_2s (t));
1957 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
1961 GCT_change_estate (t, CADET_TUNNEL_KEY_OK);
1963 /* FIXME: this is bad, as the structs returned from
1964 this loop may be unaligned, see util's MST for
1965 how to do this right. */
1967 while (off + sizeof (struct GNUNET_MessageHeader) <= decrypted_size)
1971 msgh = (const struct GNUNET_MessageHeader *) &cbuf[off];
1972 msize = ntohs (msgh->size);
1973 if (msize < sizeof (struct GNUNET_MessageHeader))
1975 GNUNET_break_op (0);
1978 if (off + msize < decrypted_size)
1980 GNUNET_break_op (0);
1983 handle_decrypted (t, msgh, GNUNET_SYSERR);
1990 * Handle a Key eXchange message.
1992 * @param t Tunnel on which the message came.
1993 * @param msg KX message itself.
1996 GCT_handle_kx (struct CadetTunnel *t,
1997 const struct GNUNET_CADET_TunnelKeyExchangeMessage *msg)
1999 struct CadetTunnelAxolotl *ax;
2000 struct GNUNET_HashCode key_material[3];
2001 struct GNUNET_CRYPTO_SymmetricSessionKey keys[5];
2002 const char salt[] = "CADET Axolotl salt";
2003 const struct GNUNET_PeerIdentity *pid;
2008 LOG (GNUNET_ERROR_TYPE_INFO, "<== { KX} on %s\n", GCT_2s (t));
2012 /* Something is wrong if ax is NULL. Whose fault it is? */
2017 pid = GCT_get_destination (t);
2018 if (0 > GNUNET_CRYPTO_cmp_peer_identity (&my_full_id, pid))
2019 am_I_alice = GNUNET_YES;
2020 else if (0 < GNUNET_CRYPTO_cmp_peer_identity (&my_full_id, pid))
2021 am_I_alice = GNUNET_NO;
2024 GNUNET_break_op (0);
2028 if (0 != (GNUNET_CADET_KX_FLAG_FORCE_REPLY & ntohl (msg->flags)))
2030 if (NULL != t->rekey_task)
2032 GNUNET_SCHEDULER_cancel (t->rekey_task);
2033 t->rekey_task = NULL;
2035 GCT_send_kx (t, GNUNET_NO);
2038 if (0 == memcmp (&ax->DHRr, &msg->ratchet_key, sizeof(msg->ratchet_key)))
2040 LOG (GNUNET_ERROR_TYPE_INFO, " known ratchet key, exit\n");
2044 LOG (GNUNET_ERROR_TYPE_INFO, " is Alice? %s\n", am_I_alice ? "YES" : "NO");
2046 ax->DHRr = msg->ratchet_key;
2049 if (GNUNET_YES == am_I_alice)
2051 GNUNET_CRYPTO_eddsa_ecdh (id_key, /* A */
2052 &msg->ephemeral_key, /* B0 */
2057 GNUNET_CRYPTO_ecdh_eddsa (ax->kx_0, /* B0 */
2058 &pid->public_key, /* A */
2063 if (GNUNET_YES == am_I_alice)
2065 GNUNET_CRYPTO_ecdh_eddsa (ax->kx_0, /* A0 */
2066 &pid->public_key, /* B */
2071 GNUNET_CRYPTO_eddsa_ecdh (id_key, /* A */
2072 &msg->ephemeral_key, /* B0 */
2079 /* (This is the triple-DH, we could probably safely skip this,
2080 as A0/B0 are already in the key material.) */
2081 GNUNET_CRYPTO_ecc_ecdh (ax->kx_0, /* A0 or B0 */
2082 &msg->ephemeral_key, /* B0 or A0 */
2085 #if DUMP_KEYS_TO_STDERR
2088 for (i = 0; i < 3; i++)
2089 LOG (GNUNET_ERROR_TYPE_INFO, "km[%u]: %s\n",
2090 i, GNUNET_h2s (&key_material[i]));
2095 GNUNET_CRYPTO_kdf (keys, sizeof (keys),
2096 salt, sizeof (salt),
2097 &key_material, sizeof (key_material), NULL);
2099 if (0 == memcmp (&ax->RK, &keys[0], sizeof(ax->RK)))
2101 LOG (GNUNET_ERROR_TYPE_INFO, " known handshake key, exit\n");
2105 if (GNUNET_YES == am_I_alice)
2111 ax->ratchet_flag = GNUNET_YES;
2119 ax->ratchet_flag = GNUNET_NO;
2120 ax->ratchet_allowed = GNUNET_NO;
2121 ax->ratchet_counter = 0;
2122 ax->ratchet_expiration =
2123 GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(), ratchet_time);
2129 GCT_change_estate (t, CADET_TUNNEL_KEY_AX_AUTH_SENT);
2130 send_queued_data (t);
2136 * Initialize the tunnel subsystem.
2138 * @param c Configuration handle.
2139 * @param key ECC private key, to derive all other keys and do crypto.
2142 GCT_init (const struct GNUNET_CONFIGURATION_Handle *c,
2143 const struct GNUNET_CRYPTO_EddsaPrivateKey *key)
2145 unsigned int expected_overhead;
2147 LOG (GNUNET_ERROR_TYPE_DEBUG, "init\n");
2149 expected_overhead = 0;
2150 expected_overhead += sizeof (struct GNUNET_CADET_TunnelEncryptedMessage);
2151 expected_overhead += sizeof (struct GNUNET_CADET_ChannelAppDataMessage);
2152 expected_overhead += sizeof (struct GNUNET_CADET_ConnectionEncryptedAckMessage);
2153 GNUNET_assert (GNUNET_CONSTANTS_CADET_P2P_OVERHEAD == expected_overhead);
2156 GNUNET_CONFIGURATION_get_value_number (c,
2161 GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_WARNING,
2165 ratchet_messages = 64;
2168 GNUNET_CONFIGURATION_get_value_time (c,
2173 GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_WARNING,
2174 "CADET", "RATCHET_TIME", "USING DEFAULT");
2175 ratchet_time = GNUNET_TIME_UNIT_HOURS;
2180 tunnels = GNUNET_CONTAINER_multipeermap_create (128, GNUNET_YES);
2185 * Shut down the tunnel subsystem.
2190 LOG (GNUNET_ERROR_TYPE_DEBUG, "Shutting down tunnels\n");
2191 GNUNET_CONTAINER_multipeermap_iterate (tunnels, &destroy_iterator, NULL);
2192 GNUNET_CONTAINER_multipeermap_destroy (tunnels);
2199 * @param destination Peer this tunnel is towards.
2201 struct CadetTunnel *
2202 GCT_new (struct CadetPeer *destination)
2204 struct CadetTunnel *t;
2206 t = GNUNET_new (struct CadetTunnel);
2208 t->peer = destination;
2211 GNUNET_CONTAINER_multipeermap_put (tunnels, GCP_get_id (destination), t,
2212 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_FAST))
2218 t->ax = GNUNET_new (struct CadetTunnelAxolotl);
2220 t->ax->kx_0 = GNUNET_CRYPTO_ecdhe_key_create ();
2226 * Change the tunnel's connection state.
2228 * @param t Tunnel whose connection state to change.
2229 * @param cstate New connection state.
2232 GCT_change_cstate (struct CadetTunnel* t, enum CadetTunnelCState cstate)
2236 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s cstate %s => %s\n",
2237 GCP_2s (t->peer), cstate2s (t->cstate), cstate2s (cstate));
2238 if (myid != GCP_get_short_id (t->peer) &&
2239 CADET_TUNNEL_READY != t->cstate &&
2240 CADET_TUNNEL_READY == cstate)
2243 if (CADET_TUNNEL_KEY_OK == t->estate)
2245 LOG (GNUNET_ERROR_TYPE_DEBUG, " cstate triggered send queued data\n");
2246 send_queued_data (t);
2248 else if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
2250 LOG (GNUNET_ERROR_TYPE_DEBUG, " cstate triggered KX\n");
2251 GCT_send_kx (t, GNUNET_NO);
2255 LOG (GNUNET_ERROR_TYPE_DEBUG, "estate %s\n", estate2s (t->estate));
2260 if (CADET_TUNNEL_READY == cstate
2261 && CONNECTIONS_PER_TUNNEL <= GCT_count_connections (t))
2263 LOG (GNUNET_ERROR_TYPE_DEBUG, " cstate triggered stop dht\n");
2264 GCP_stop_search (t->peer);
2270 * Change the tunnel encryption state.
2272 * If the encryption state changes to OK, stop the rekey task.
2274 * @param t Tunnel whose encryption state to change, or NULL.
2275 * @param state New encryption state.
2278 GCT_change_estate (struct CadetTunnel* t, enum CadetTunnelEState state)
2280 enum CadetTunnelEState old;
2287 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s estate was %s\n",
2288 GCP_2s (t->peer), estate2s (old));
2289 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s estate is now %s\n",
2290 GCP_2s (t->peer), estate2s (t->estate));
2292 if (CADET_TUNNEL_KEY_OK != old && CADET_TUNNEL_KEY_OK == t->estate)
2294 if (NULL != t->rekey_task)
2296 GNUNET_SCHEDULER_cancel (t->rekey_task);
2297 t->rekey_task = NULL;
2299 /* Send queued data if tunnel is not loopback */
2300 if (myid != GCP_get_short_id (t->peer))
2301 send_queued_data (t);
2307 * @brief Check if tunnel has too many connections, and remove one if necessary.
2309 * Currently this means the newest connection, unless it is a direct one.
2310 * Implemented as a task to avoid freeing a connection that is in the middle
2311 * of being created/processed.
2313 * @param cls Closure (Tunnel to check).
2316 trim_connections (void *cls)
2318 struct CadetTunnel *t = cls;
2320 t->trim_connections_task = NULL;
2321 if (GCT_count_connections (t) > 2 * CONNECTIONS_PER_TUNNEL)
2323 struct CadetTConnection *iter;
2324 struct CadetTConnection *c;
2326 for (c = iter = t->connection_head; NULL != iter; iter = iter->next)
2328 if ((iter->created.abs_value_us > c->created.abs_value_us)
2329 && GNUNET_NO == GCC_is_direct (iter->c))
2336 LOG (GNUNET_ERROR_TYPE_DEBUG, "Too many connections on tunnel %s\n",
2338 LOG (GNUNET_ERROR_TYPE_DEBUG, "Destroying connection %s\n",
2351 * Add a connection to a tunnel.
2354 * @param c Connection.
2357 GCT_add_connection (struct CadetTunnel *t, struct CadetConnection *c)
2359 struct CadetTConnection *aux;
2361 GNUNET_assert (NULL != c);
2363 LOG (GNUNET_ERROR_TYPE_DEBUG, "add connection %s\n", GCC_2s (c));
2364 LOG (GNUNET_ERROR_TYPE_DEBUG, " to tunnel %s\n", GCT_2s (t));
2365 for (aux = t->connection_head; aux != NULL; aux = aux->next)
2369 aux = GNUNET_new (struct CadetTConnection);
2371 aux->created = GNUNET_TIME_absolute_get ();
2373 GNUNET_CONTAINER_DLL_insert (t->connection_head, t->connection_tail, aux);
2375 if (CADET_TUNNEL_SEARCHING == t->cstate)
2376 GCT_change_cstate (t, CADET_TUNNEL_WAITING);
2378 if (NULL != t->trim_connections_task)
2379 t->trim_connections_task = GNUNET_SCHEDULER_add_now (&trim_connections, t);
2384 * Remove a connection from a tunnel.
2387 * @param c Connection.
2390 GCT_remove_connection (struct CadetTunnel *t,
2391 struct CadetConnection *c)
2393 struct CadetTConnection *aux;
2394 struct CadetTConnection *next;
2397 LOG (GNUNET_ERROR_TYPE_DEBUG, "Removing connection %s from tunnel %s\n",
2398 GCC_2s (c), GCT_2s (t));
2399 for (aux = t->connection_head; aux != NULL; aux = next)
2404 GNUNET_CONTAINER_DLL_remove (t->connection_head, t->connection_tail, aux);
2409 conns = GCT_count_connections (t);
2411 && NULL == t->destroy_task
2412 && CADET_TUNNEL_SHUTDOWN != t->cstate
2413 && GNUNET_NO == shutting_down)
2415 if (0 == GCT_count_any_connections (t))
2416 GCT_change_cstate (t, CADET_TUNNEL_SEARCHING);
2418 GCT_change_cstate (t, CADET_TUNNEL_WAITING);
2421 /* Start new connections if needed */
2422 if (CONNECTIONS_PER_TUNNEL > conns
2423 && CADET_TUNNEL_SHUTDOWN != t->cstate
2424 && GNUNET_NO == shutting_down)
2426 LOG (GNUNET_ERROR_TYPE_DEBUG, " too few connections, getting new ones\n");
2427 GCP_connect (t->peer); /* Will change cstate to WAITING when possible */
2431 /* If not marked as ready, no change is needed */
2432 if (CADET_TUNNEL_READY != t->cstate)
2435 /* Check if any connection is ready to maintain cstate */
2436 for (aux = t->connection_head; aux != NULL; aux = aux->next)
2437 if (CADET_CONNECTION_READY == GCC_get_state (aux->c))
2443 * Add a channel to a tunnel.
2446 * @param ch Channel.
2449 GCT_add_channel (struct CadetTunnel *t,
2450 struct CadetChannel *ch)
2452 struct CadetTChannel *aux;
2454 GNUNET_assert (NULL != ch);
2456 LOG (GNUNET_ERROR_TYPE_DEBUG, "Adding channel %p to tunnel %p\n", ch, t);
2458 for (aux = t->channel_head; aux != NULL; aux = aux->next)
2460 LOG (GNUNET_ERROR_TYPE_DEBUG, " already there %p\n", aux->ch);
2465 aux = GNUNET_new (struct CadetTChannel);
2467 LOG (GNUNET_ERROR_TYPE_DEBUG,
2468 " adding %p to %p\n", aux, t->channel_head);
2469 GNUNET_CONTAINER_DLL_insert_tail (t->channel_head,
2473 if (NULL != t->destroy_task)
2475 GNUNET_SCHEDULER_cancel (t->destroy_task);
2476 t->destroy_task = NULL;
2477 LOG (GNUNET_ERROR_TYPE_DEBUG, " undo destroy!\n");
2483 * Remove a channel from a tunnel.
2486 * @param ch Channel.
2489 GCT_remove_channel (struct CadetTunnel *t, struct CadetChannel *ch)
2491 struct CadetTChannel *aux;
2493 LOG (GNUNET_ERROR_TYPE_DEBUG, "Removing channel %p from tunnel %p\n", ch, t);
2494 for (aux = t->channel_head; aux != NULL; aux = aux->next)
2498 LOG (GNUNET_ERROR_TYPE_DEBUG, " found! %s\n", GCCH_2s (ch));
2499 GNUNET_CONTAINER_DLL_remove (t->channel_head,
2510 * Search for a channel by global ID.
2512 * @param t Tunnel containing the channel.
2513 * @param ctn Public channel number.
2515 * @return channel handler, NULL if doesn't exist
2517 struct CadetChannel *
2518 GCT_get_channel (struct CadetTunnel *t,
2519 struct GNUNET_CADET_ChannelTunnelNumber ctn)
2521 struct CadetTChannel *iter;
2526 for (iter = t->channel_head; NULL != iter; iter = iter->next)
2528 if (GCCH_get_id (iter->ch).cn == ctn.cn)
2532 return NULL == iter ? NULL : iter->ch;
2537 * @brief Destroy a tunnel and free all resources.
2539 * Should only be called a while after the tunnel has been marked as destroyed,
2540 * in case there is a new channel added to the same peer shortly after marking
2541 * the tunnel. This way we avoid a new public key handshake.
2543 * @param cls Closure (tunnel to destroy).
2546 delayed_destroy (void *cls)
2548 struct CadetTunnel *t = cls;
2549 struct CadetTConnection *iter;
2551 t->destroy_task = NULL;
2552 LOG (GNUNET_ERROR_TYPE_DEBUG,
2553 "delayed destroying tunnel %p\n",
2555 t->cstate = CADET_TUNNEL_SHUTDOWN;
2556 for (iter = t->connection_head; NULL != iter; iter = iter->next)
2558 GCC_send_destroy (iter->c);
2565 * Tunnel is empty: destroy it.
2567 * Notifies all connections about the destruction.
2569 * @param t Tunnel to destroy.
2572 GCT_destroy_empty (struct CadetTunnel *t)
2574 if (GNUNET_YES == shutting_down)
2575 return; /* Will be destroyed immediately anyway */
2577 if (NULL != t->destroy_task)
2579 LOG (GNUNET_ERROR_TYPE_WARNING,
2580 "Tunnel %s is already scheduled for destruction. Tunnel debug dump:\n",
2582 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
2584 /* should never happen, tunnel can only become empty once, and the
2585 * task identifier should be NO_TASK (cleaned when the tunnel was created
2586 * or became un-empty)
2591 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s empty: scheduling destruction\n",
2594 // FIXME make delay a config option
2595 t->destroy_task = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_MINUTES,
2596 &delayed_destroy, t);
2597 LOG (GNUNET_ERROR_TYPE_DEBUG, "Scheduled destroy of %p as %p\n",
2598 t, t->destroy_task);
2603 * Destroy tunnel if empty (no more channels).
2605 * @param t Tunnel to destroy if empty.
2608 GCT_destroy_if_empty (struct CadetTunnel *t)
2610 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s destroy if empty\n", GCT_2s (t));
2611 if (0 < GCT_count_channels (t))
2614 GCT_destroy_empty (t);
2619 * Destroy the tunnel.
2621 * This function does not generate any warning traffic to clients or peers.
2624 * Cancel messages belonging to this tunnel queued to neighbors.
2625 * Free any allocated resources linked to the tunnel.
2627 * @param t The tunnel to destroy.
2630 GCT_destroy (struct CadetTunnel *t)
2632 struct CadetTConnection *iter_c;
2633 struct CadetTConnection *next_c;
2634 struct CadetTChannel *iter_ch;
2635 struct CadetTChannel *next_ch;
2636 unsigned int keepalives_queued;
2641 LOG (GNUNET_ERROR_TYPE_DEBUG,
2642 "destroying tunnel %s\n",
2644 GNUNET_break (GNUNET_YES ==
2645 GNUNET_CONTAINER_multipeermap_remove (tunnels,
2646 GCP_get_id (t->peer), t));
2648 for (iter_c = t->connection_head; NULL != iter_c; iter_c = next_c)
2650 next_c = iter_c->next;
2651 GCC_destroy (iter_c->c);
2653 for (iter_ch = t->channel_head; NULL != iter_ch; iter_ch = next_ch)
2655 next_ch = iter_ch->next;
2656 GCCH_destroy (iter_ch->ch);
2657 /* Should only happen on shutdown, but it's ok. */
2659 keepalives_queued = 0;
2660 while (NULL != t->tq_head)
2662 /* Should have been cleaned by destuction of channel. */
2663 struct GNUNET_MessageHeader *mh;
2666 mh = (struct GNUNET_MessageHeader *) &t->tq_head[1];
2667 type = ntohs (mh->type);
2668 if (0 == keepalives_queued && GNUNET_MESSAGE_TYPE_CADET_CHANNEL_KEEPALIVE == type)
2670 keepalives_queued = 1;
2671 LOG (GNUNET_ERROR_TYPE_DEBUG,
2672 "one keepalive left behind on tunnel shutdown\n");
2674 else if (GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY == type)
2676 LOG (GNUNET_ERROR_TYPE_WARNING,
2677 "tunnel destroyed before a CHANNEL_DESTROY was sent to peer\n");
2682 LOG (GNUNET_ERROR_TYPE_ERROR,
2683 "message left behind on tunnel shutdown: %s\n",
2686 unqueue_data (t->tq_head);
2690 if (NULL != t->destroy_task)
2692 LOG (GNUNET_ERROR_TYPE_DEBUG,
2693 "cancelling dest: %p\n",
2695 GNUNET_SCHEDULER_cancel (t->destroy_task);
2696 t->destroy_task = NULL;
2699 if (NULL != t->trim_connections_task)
2701 LOG (GNUNET_ERROR_TYPE_DEBUG, "cancelling trim: %p\n",
2702 t->trim_connections_task);
2703 GNUNET_SCHEDULER_cancel (t->trim_connections_task);
2704 t->trim_connections_task = NULL;
2707 GNUNET_STATISTICS_update (stats, "# tunnels", -1, GNUNET_NO);
2708 GCP_set_tunnel (t->peer, NULL);
2710 if (NULL != t->rekey_task)
2712 GNUNET_SCHEDULER_cancel (t->rekey_task);
2713 t->rekey_task = NULL;
2723 * @brief Use the given path for the tunnel.
2724 * Update the next and prev hops (and RCs).
2725 * (Re)start the path refresh in case the tunnel is locally owned.
2727 * @param t Tunnel to update.
2728 * @param p Path to use.
2730 * @return Connection created.
2732 struct CadetConnection *
2733 GCT_use_path (struct CadetTunnel *t, struct CadetPeerPath *path)
2735 struct CadetConnection *c;
2736 struct GNUNET_CADET_ConnectionTunnelIdentifier cid;
2737 unsigned int own_pos;
2739 if (NULL == t || NULL == path)
2745 if (CADET_TUNNEL_SHUTDOWN == t->cstate)
2751 for (own_pos = 0; own_pos < path->length; own_pos++)
2753 if (path->peers[own_pos] == myid)
2756 if (own_pos >= path->length)
2758 GNUNET_break_op (0);
2762 GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE, &cid, sizeof (cid));
2763 c = GCC_new (&cid, t, path, own_pos);
2766 /* Path was flawed */
2769 GCT_add_connection (t, c);
2775 * Count all created connections of a tunnel. Not necessarily ready connections!
2777 * @param t Tunnel on which to count.
2779 * @return Number of connections created, either being established or ready.
2782 GCT_count_any_connections (struct CadetTunnel *t)
2784 struct CadetTConnection *iter;
2790 for (count = 0, iter = t->connection_head; NULL != iter; iter = iter->next)
2798 * Count established (ready) connections of a tunnel.
2800 * @param t Tunnel on which to count.
2802 * @return Number of connections.
2805 GCT_count_connections (struct CadetTunnel *t)
2807 struct CadetTConnection *iter;
2813 for (count = 0, iter = t->connection_head; NULL != iter; iter = iter->next)
2814 if (CADET_CONNECTION_READY == GCC_get_state (iter->c))
2822 * Count channels of a tunnel.
2824 * @param t Tunnel on which to count.
2826 * @return Number of channels.
2829 GCT_count_channels (struct CadetTunnel *t)
2831 struct CadetTChannel *iter;
2834 for (count = 0, iter = t->channel_head;
2836 iter = iter->next, count++) /* skip */;
2843 * Get the connectivity state of a tunnel.
2847 * @return Tunnel's connectivity state.
2849 enum CadetTunnelCState
2850 GCT_get_cstate (struct CadetTunnel *t)
2855 return (enum CadetTunnelCState) -1;
2862 * Get the encryption state of a tunnel.
2866 * @return Tunnel's encryption state.
2868 enum CadetTunnelEState
2869 GCT_get_estate (struct CadetTunnel *t)
2874 return (enum CadetTunnelEState) -1;
2880 * Get the maximum buffer space for a tunnel towards a local client.
2884 * @return Biggest buffer space offered by any channel in the tunnel.
2887 GCT_get_channels_buffer (struct CadetTunnel *t)
2889 struct CadetTChannel *iter;
2890 unsigned int buffer;
2891 unsigned int ch_buf;
2893 if (NULL == t->channel_head)
2895 /* Probably getting buffer for a channel create/handshake. */
2896 LOG (GNUNET_ERROR_TYPE_DEBUG, " no channels, allow max\n");
2897 return MIN_TUNNEL_BUFFER;
2901 for (iter = t->channel_head; NULL != iter; iter = iter->next)
2903 ch_buf = get_channel_buffer (iter);
2904 if (ch_buf > buffer)
2907 if (MIN_TUNNEL_BUFFER > buffer)
2908 return MIN_TUNNEL_BUFFER;
2910 if (MAX_TUNNEL_BUFFER < buffer)
2913 return MAX_TUNNEL_BUFFER;
2920 * Get the total buffer space for a tunnel for P2P traffic.
2924 * @return Buffer space offered by all connections in the tunnel.
2927 GCT_get_connections_buffer (struct CadetTunnel *t)
2929 struct CadetTConnection *iter;
2930 unsigned int buffer;
2932 if (GNUNET_NO == is_ready (t))
2934 if (count_queued_data (t) >= 3)
2941 for (iter = t->connection_head; NULL != iter; iter = iter->next)
2943 if (GCC_get_state (iter->c) != CADET_CONNECTION_READY)
2947 buffer += get_connection_buffer (iter);
2955 * Get the tunnel's destination.
2959 * @return ID of the destination peer.
2961 const struct GNUNET_PeerIdentity *
2962 GCT_get_destination (struct CadetTunnel *t)
2964 return GCP_get_id (t->peer);
2969 * Get the tunnel's next free global channel ID.
2973 * @return GID of a channel free to use.
2975 struct GNUNET_CADET_ChannelTunnelNumber
2976 GCT_get_next_ctn (struct CadetTunnel *t)
2978 struct GNUNET_CADET_ChannelTunnelNumber ctn;
2979 struct GNUNET_CADET_ChannelTunnelNumber mask;
2982 /* Set bit 30 depending on the ID relationship. Bit 31 is always 0 for GID.
2983 * If our ID is bigger or loopback tunnel, start at 0, bit 30 = 0
2984 * If peer's ID is bigger, start at 0x4... bit 30 = 1
2986 result = GNUNET_CRYPTO_cmp_peer_identity (&my_full_id, GCP_get_id (t->peer));
2988 mask.cn = htonl (0x40000000);
2991 t->next_ctn.cn |= mask.cn;
2993 while (NULL != GCT_get_channel (t, t->next_ctn))
2995 LOG (GNUNET_ERROR_TYPE_DEBUG,
2996 "Channel %u exists...\n",
2998 t->next_ctn.cn = htonl ((ntohl (t->next_ctn.cn) + 1) & ~GNUNET_CADET_LOCAL_CHANNEL_ID_CLI);
2999 t->next_ctn.cn |= mask.cn;
3002 t->next_ctn.cn = (t->next_ctn.cn + 1) & ~GNUNET_CADET_LOCAL_CHANNEL_ID_CLI;
3003 t->next_ctn.cn |= mask.cn;
3010 * Send ACK on one or more channels due to buffer in connections.
3012 * @param t Channel which has some free buffer space.
3015 GCT_unchoke_channels (struct CadetTunnel *t)
3017 struct CadetTChannel *iter;
3018 unsigned int buffer;
3019 unsigned int channels = GCT_count_channels (t);
3020 unsigned int choked_n;
3021 struct CadetChannel *choked[channels];
3023 LOG (GNUNET_ERROR_TYPE_DEBUG, "GCT_unchoke_channels on %s\n", GCT_2s (t));
3024 LOG (GNUNET_ERROR_TYPE_DEBUG, " head: %p\n", t->channel_head);
3025 if (NULL != t->channel_head)
3026 LOG (GNUNET_ERROR_TYPE_DEBUG, " head ch: %p\n", t->channel_head->ch);
3028 if (NULL != t->tq_head)
3029 send_queued_data (t);
3031 /* Get buffer space */
3032 buffer = GCT_get_connections_buffer (t);
3038 /* Count and remember choked channels */
3040 for (iter = t->channel_head; NULL != iter; iter = iter->next)
3042 if (GNUNET_NO == get_channel_allowed (iter))
3044 choked[choked_n++] = iter->ch;
3048 /* Unchoke random channels */
3049 while (0 < buffer && 0 < choked_n)
3051 unsigned int r = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK,
3053 GCCH_allow_client (choked[r], GCCH_is_origin (choked[r], GNUNET_YES));
3056 choked[r] = choked[choked_n];
3062 * Send ACK on one or more connections due to buffer space to the client.
3064 * Iterates all connections of the tunnel and sends ACKs appropriately.
3069 GCT_send_connection_acks (struct CadetTunnel *t)
3071 struct CadetTConnection *iter;
3074 uint32_t allow_per_connection;
3076 unsigned int buffer;
3078 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel send connection ACKs on %s\n",
3087 if (CADET_TUNNEL_READY != t->cstate)
3090 buffer = GCT_get_channels_buffer (t);
3091 LOG (GNUNET_ERROR_TYPE_DEBUG, " buffer %u\n", buffer);
3093 /* Count connections, how many messages are already allowed */
3094 cs = GCT_count_connections (t);
3095 for (allowed = 0, iter = t->connection_head; NULL != iter; iter = iter->next)
3097 allowed += get_connection_allowed (iter);
3099 LOG (GNUNET_ERROR_TYPE_DEBUG, " allowed %u\n", allowed);
3101 /* Make sure there is no overflow */
3102 if (allowed > buffer)
3105 /* Authorize connections to send more data */
3106 to_allow = buffer - allowed;
3108 for (iter = t->connection_head;
3109 NULL != iter && to_allow > 0;
3112 if (CADET_CONNECTION_READY != GCC_get_state (iter->c)
3113 || get_connection_allowed (iter) > 64 / 3)
3117 GNUNET_assert(cs != 0);
3118 allow_per_connection = to_allow/cs;
3119 to_allow -= allow_per_connection;
3121 GCC_allow (iter->c, allow_per_connection,
3122 GCC_is_origin (iter->c, GNUNET_NO));
3127 /* Since we don't allow if it's allowed to send 64/3, this can happen. */
3128 LOG (GNUNET_ERROR_TYPE_DEBUG, " reminding to_allow: %u\n", to_allow);
3134 * Cancel a previously sent message while it's in the queue.
3136 * ONLY can be called before the continuation given to the send function
3137 * is called. Once the continuation is called, the message is no longer in the
3140 * @param q Handle to the queue.
3143 GCT_cancel (struct CadetTunnelQueue *q)
3147 GNUNET_assert (NULL == q->tqd);
3149 /* tun_message_sent() will be called and free q */
3151 else if (NULL != q->tqd)
3153 unqueue_data (q->tqd);
3155 if (NULL != q->cont)
3156 q->cont (q->cont_cls, NULL, q, 0, 0);
3167 * Check if the tunnel has queued traffic.
3169 * @param t Tunnel to check.
3171 * @return #GNUNET_YES if there is queued traffic
3172 * #GNUNET_NO otherwise
3175 GCT_has_queued_traffic (struct CadetTunnel *t)
3177 return (NULL != t->tq_head) ? GNUNET_YES : GNUNET_NO;
3182 * Sends an already built message on a tunnel, encrypting it and
3183 * choosing the best connection if not provided.
3185 * @param message Message to send. Function modifies it.
3186 * @param t Tunnel on which this message is transmitted.
3187 * @param c Connection to use (autoselect if NULL).
3188 * @param force Force the tunnel to take the message (buffer overfill).
3189 * @param cont Continuation to call once message is really sent.
3190 * @param cont_cls Closure for @c cont.
3192 * @return Handle to cancel message. NULL if @c cont is NULL.
3194 struct CadetTunnelQueue *
3195 GCT_send_prebuilt_message (const struct GNUNET_MessageHeader *message,
3196 struct CadetTunnel *t,
3197 struct CadetConnection *c,
3198 int force, GCT_sent cont, void *cont_cls)
3200 return send_prebuilt_message (message, t, c, force, cont, cont_cls, NULL);
3205 * Send a KX message.
3207 * @param t Tunnel on which to send it.
3208 * @param force_reply Force the other peer to reply with a KX message.
3211 GCT_send_kx (struct CadetTunnel *t, int force_reply)
3213 static struct CadetEncryptedMessageIdentifier zero;
3214 struct CadetConnection *c;
3215 struct GNUNET_CADET_TunnelKeyExchangeMessage msg;
3216 enum GNUNET_CADET_KX_Flags flags;
3218 LOG (GNUNET_ERROR_TYPE_INFO, "==> { KX} on %s\n", GCT_2s (t));
3219 if (NULL != t->ephm_h)
3221 LOG (GNUNET_ERROR_TYPE_INFO, " already queued, nop\n");
3224 GNUNET_assert (GNUNET_NO == GCT_is_loopback (t));
3226 c = tunnel_get_connection (t);
3229 if (NULL == t->destroy_task && CADET_TUNNEL_READY == t->cstate)
3232 GCT_debug (t, GNUNET_ERROR_TYPE_ERROR);
3237 msg.header.size = htons (sizeof (msg));
3238 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX);
3239 flags = GNUNET_CADET_KX_FLAG_NONE;
3240 if (GNUNET_YES == force_reply)
3241 flags |= GNUNET_CADET_KX_FLAG_FORCE_REPLY;
3242 msg.flags = htonl (flags);
3243 msg.cid = *GCC_get_id (c);
3244 GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->kx_0, &msg.ephemeral_key);
3245 GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->DHRs, &msg.ratchet_key);
3247 t->ephm_h = GCC_send_prebuilt_message (&msg.header,
3251 GCC_is_origin (c, GNUNET_YES),
3252 GNUNET_YES, &ephm_sent, t);
3253 if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
3254 GCT_change_estate (t, CADET_TUNNEL_KEY_AX_SENT);
3259 * Is the tunnel directed towards the local peer?
3263 * @return #GNUNET_YES if it is loopback.
3266 GCT_is_loopback (const struct CadetTunnel *t)
3268 return (myid == GCP_get_short_id (t->peer));
3273 * Is the tunnel this path already?
3278 * @return #GNUNET_YES a connection uses this path.
3281 GCT_is_path_used (const struct CadetTunnel *t, const struct CadetPeerPath *p)
3283 struct CadetTConnection *iter;
3285 for (iter = t->connection_head; NULL != iter; iter = iter->next)
3286 if (path_equivalent (GCC_get_path (iter->c), p))
3294 * Get a cost of a path for a tunnel considering existing connections.
3297 * @param path Candidate path.
3299 * @return Cost of the path (path length + number of overlapping nodes)
3302 GCT_get_path_cost (const struct CadetTunnel *t,
3303 const struct CadetPeerPath *path)
3305 struct CadetTConnection *iter;
3306 const struct CadetPeerPath *aux;
3307 unsigned int overlap;
3315 GNUNET_assert (NULL != t);
3317 for (i = 0; i < path->length; i++)
3319 for (iter = t->connection_head; NULL != iter; iter = iter->next)
3321 aux = GCC_get_path (iter->c);
3325 for (j = 0; j < aux->length; j++)
3327 if (path->peers[i] == aux->peers[j])
3335 return path->length + overlap;
3340 * Get the static string for the peer this tunnel is directed.
3344 * @return Static string the destination peer's ID.
3347 GCT_2s (const struct CadetTunnel *t)
3352 return GCP_2s (t->peer);
3356 /******************************************************************************/
3357 /***************************** INFO/DEBUG *******************************/
3358 /******************************************************************************/
3361 ax_debug (const struct CadetTunnelAxolotl *ax, enum GNUNET_ErrorType level)
3363 struct GNUNET_CRYPTO_EcdhePublicKey pub;
3364 struct CadetTunnelSkippedKey *iter;
3366 LOG2 (level, "TTT RK \t %s\n",
3367 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &ax->RK));
3369 LOG2 (level, "TTT HKs \t %s\n",
3370 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &ax->HKs));
3371 LOG2 (level, "TTT HKr \t %s\n",
3372 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &ax->HKr));
3373 LOG2 (level, "TTT NHKs\t %s\n",
3374 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &ax->NHKs));
3375 LOG2 (level, "TTT NHKr\t %s\n",
3376 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &ax->NHKr));
3378 LOG2 (level, "TTT CKs \t %s\n",
3379 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &ax->CKs));
3380 LOG2 (level, "TTT CKr \t %s\n",
3381 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &ax->CKr));
3383 GNUNET_CRYPTO_ecdhe_key_get_public (ax->DHRs, &pub);
3384 LOG2 (level, "TTT DHRs\t %s\n",
3385 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &pub));
3386 LOG2 (level, "TTT DHRr\t %s\n",
3387 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &ax->DHRr));
3389 LOG2 (level, "TTT Nr\t %u\tNs\t%u\n", ax->Nr, ax->Ns);
3390 LOG2 (level, "TTT PNs\t %u\tSkipped\t%u\n", ax->PNs, ax->skipped);
3391 LOG2 (level, "TTT Ratchet\t%u\n", ax->ratchet_flag);
3393 for (iter = ax->skipped_head; NULL != iter; iter = iter->next)
3395 LOG2 (level, "TTT HK\t %s\n",
3396 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &iter->HK));
3397 LOG2 (level, "TTT MK\t %s\n",
3398 GNUNET_i2s ((struct GNUNET_PeerIdentity *) &iter->MK));
3403 * Log all possible info about the tunnel state.
3405 * @param t Tunnel to debug.
3406 * @param level Debug level to use.
3409 GCT_debug (const struct CadetTunnel *t, enum GNUNET_ErrorType level)
3411 struct CadetTChannel *iter_ch;
3412 struct CadetTConnection *iter_c;
3415 do_log = GNUNET_get_log_call_status (level & (~GNUNET_ERROR_TYPE_BULK),
3417 __FILE__, __FUNCTION__, __LINE__);
3421 LOG2 (level, "TTT DEBUG TUNNEL TOWARDS %s\n", GCT_2s (t));
3422 LOG2 (level, "TTT cstate %s, estate %s\n",
3423 cstate2s (t->cstate), estate2s (t->estate));
3424 #if DUMP_KEYS_TO_STDERR
3425 ax_debug (t->ax, level);
3427 LOG2 (level, "TTT tq_head %p, tq_tail %p\n", t->tq_head, t->tq_tail);
3428 LOG2 (level, "TTT destroy %p\n", t->destroy_task);
3429 LOG2 (level, "TTT channels:\n");
3430 for (iter_ch = t->channel_head; NULL != iter_ch; iter_ch = iter_ch->next)
3432 GCCH_debug (iter_ch->ch, level);
3435 LOG2 (level, "TTT connections:\n");
3436 for (iter_c = t->connection_head; NULL != iter_c; iter_c = iter_c->next)
3438 GCC_debug (iter_c->c, level);
3441 LOG2 (level, "TTT DEBUG TUNNEL END\n");
3446 * Iterate all tunnels.
3448 * @param iter Iterator.
3449 * @param cls Closure for @c iter.
3452 GCT_iterate_all (GNUNET_CONTAINER_PeerMapIterator iter, void *cls)
3454 GNUNET_CONTAINER_multipeermap_iterate (tunnels, iter, cls);
3459 * Count all tunnels.
3461 * @return Number of tunnels to remote peers kept by this peer.
3464 GCT_count_all (void)
3466 return GNUNET_CONTAINER_multipeermap_size (tunnels);
3471 * Iterate all connections of a tunnel.
3473 * @param t Tunnel whose connections to iterate.
3474 * @param iter Iterator.
3475 * @param cls Closure for @c iter.
3478 GCT_iterate_connections (struct CadetTunnel *t, GCT_conn_iter iter, void *cls)
3480 struct CadetTConnection *ct;
3482 for (ct = t->connection_head; NULL != ct; ct = ct->next)
3488 * Iterate all channels of a tunnel.
3490 * @param t Tunnel whose channels to iterate.
3491 * @param iter Iterator.
3492 * @param cls Closure for @c iter.
3495 GCT_iterate_channels (struct CadetTunnel *t, GCT_chan_iter iter, void *cls)
3497 struct CadetTChannel *cht;
3499 for (cht = t->channel_head; NULL != cht; cht = cht->next)
3500 iter (cls, cht->ch);
projects / oweals / gnunet.git / blob