2 This file is part of GNUnet.
3 Copyright (C) 2013 Christian Grothoff (and other contributing authors)
5 GNUnet is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published
7 by the Free Software Foundation; either version 3, or (at your
8 option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with GNUnet; see the file COPYING. If not, write to the
17 Free Software Foundation, Inc., 59 Temple Place - Suite 330,
18 Boston, MA 02111-1307, USA.
22 #include "gnunet_util_lib.h"
24 #include "gnunet_signatures.h"
25 #include "gnunet_statistics_service.h"
27 #include "cadet_protocol.h"
28 #include "cadet_path.h"
30 #include "gnunet-service-cadet_tunnel.h"
31 #include "gnunet-service-cadet_connection.h"
32 #include "gnunet-service-cadet_channel.h"
33 #include "gnunet-service-cadet_peer.h"
35 #define LOG(level, ...) GNUNET_log_from(level,"cadet-tun",__VA_ARGS__)
36 #define LOG2(level, ...) GNUNET_log_from_nocheck(level,"cadet-tun",__VA_ARGS__)
38 #define REKEY_WAIT GNUNET_TIME_relative_multiply(GNUNET_TIME_UNIT_SECONDS, 5)
40 #if !defined(GNUNET_CULL_LOGGING)
41 #define DUMP_KEYS_TO_STDERR GNUNET_YES
43 #define DUMP_KEYS_TO_STDERR GNUNET_NO
46 /******************************************************************************/
47 /******************************** STRUCTS **********************************/
48 /******************************************************************************/
52 struct CadetTChannel *next;
53 struct CadetTChannel *prev;
54 struct CadetChannel *ch;
59 * Connection list and metadata.
61 struct CadetTConnection
66 struct CadetTConnection *next;
71 struct CadetTConnection *prev;
76 struct CadetConnection *c;
79 * Creation time, to keep oldest connection alive.
81 struct GNUNET_TIME_Absolute created;
84 * Connection throughput, to keep fastest connection alive.
90 * Structure used during a Key eXchange.
92 struct CadetTunnelKXCtx
95 * Encryption ("our") old "confirmed" key, for encrypting traffic sent by us
96 * end before the key exchange is finished or times out.
98 struct GNUNET_CRYPTO_SymmetricSessionKey e_key_old;
101 * Decryption ("their") old "confirmed" key, for decrypting traffic sent by
102 * the other end before the key exchange started.
104 struct GNUNET_CRYPTO_SymmetricSessionKey d_key_old;
107 * Same as @c e_key_old, for the case of two simultaneous KX.
108 * This can happen if cadet decides to start a re-key while the peer has also
109 * started its re-key (due to network delay this is impossible to avoid).
110 * In this case, the key material generated with the peer's old ephemeral
111 * *might* (but doesn't have to) be incorrect.
112 * Since no more than two re-keys can happen simultaneously, this is enough.
114 struct GNUNET_CRYPTO_SymmetricSessionKey e_key_old2;
117 * Same as @c d_key_old, for the case described in @c e_key_old2.
119 struct GNUNET_CRYPTO_SymmetricSessionKey d_key_old2;
122 * Challenge to send and expect in the PONG.
127 * When the rekey started. One minute after this the new key will be used.
129 struct GNUNET_TIME_Absolute rekey_start_time;
132 * Task for delayed destruction of the Key eXchange context, to allow delayed
133 * messages with the old key to be decrypted successfully.
135 struct GNUNET_SCHEDULER_Task *finish_task;
139 * Encryption systems possible.
141 enum CadetTunnelEncryption
144 * Default Axolotl system.
149 * Fallback OTR-style encryption.
154 struct CadetTunnelSkippedKey
156 struct CadetTunnelSkippedKey *next;
157 struct CadetTunnelSkippedKey *prev;
159 struct GNUNET_TIME_Absolute timestamp;
161 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
162 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
166 * Axolotl data, according to https://github.com/trevp/axolotl/wiki
168 struct CadetTunnelAxolotl
171 * A (double linked) list of stored message keys and associated header keys
172 * for "skipped" messages, i.e. messages that have not bee*n
173 * received despite the reception of more recent messages, (head)/
175 struct CadetTunnelSkippedKey *skipped_head;
178 * Skipped messages' keys DLL, tail.
180 struct CadetTunnelSkippedKey *skipped_tail;
183 * Elements in @a skipped_head <-> @a skipped_tail.
188 * 32-byte root key which gets updated by DH ratchet
190 struct GNUNET_CRYPTO_SymmetricSessionKey RK;
193 * 32-byte header key (send)
195 struct GNUNET_CRYPTO_SymmetricSessionKey HKs;
198 * 32-byte header key (recv)
200 struct GNUNET_CRYPTO_SymmetricSessionKey HKr;
203 * 32-byte next header key (send)
205 struct GNUNET_CRYPTO_SymmetricSessionKey NHKs;
208 * 32-byte next header key (recv)
210 struct GNUNET_CRYPTO_SymmetricSessionKey NHKr;
213 * 32-byte chain keys (used for forward-secrecy updating, send)
215 struct GNUNET_CRYPTO_SymmetricSessionKey CKs;
218 * 32-byte chain keys (used for forward-secrecy updating, recv)
220 struct GNUNET_CRYPTO_SymmetricSessionKey CKr;
223 * ECDH for key exchange (A0 / B0)
225 struct GNUNET_CRYPTO_EcdhePrivateKey *kx_0;
228 * ECDH Ratchet key (send)
230 struct GNUNET_CRYPTO_EcdhePrivateKey *DHRs;
233 * ECDH Ratchet key (recv)
235 struct GNUNET_CRYPTO_EcdhePublicKey DHRr;
238 * Message number (reset to 0 with each new ratchet, send)
243 * Message numbers (reset to 0 with each new ratchet, recv)
248 * Previous message numbers (# of msgs sent under prev ratchet)
253 * True (#GNUNET_YES) if the party will send a new ratchet key in next msg.
259 * Struct containing all information regarding a tunnel to a peer.
264 * Endpoint of the tunnel.
266 struct CadetPeer *peer;
269 * Type of encryption used in the tunnel.
271 enum CadetTunnelEncryption enc_type;
276 struct CadetTunnelAxolotl *ax;
279 * State of the tunnel connectivity.
281 enum CadetTunnelCState cstate;
284 * State of the tunnel encryption.
286 enum CadetTunnelEState estate;
289 * Key eXchange context.
291 struct CadetTunnelKXCtx *kx_ctx;
294 * Peer's ephemeral key, to recreate @c e_key and @c d_key when own ephemeral
297 struct GNUNET_CRYPTO_EcdhePublicKey peers_ephemeral_key;
300 * Encryption ("our") key. It is only "confirmed" if kx_ctx is NULL.
302 struct GNUNET_CRYPTO_SymmetricSessionKey e_key;
305 * Decryption ("their") key. It is only "confirmed" if kx_ctx is NULL.
307 struct GNUNET_CRYPTO_SymmetricSessionKey d_key;
310 * Task to start the rekey process.
312 struct GNUNET_SCHEDULER_Task * rekey_task;
315 * Paths that are actively used to reach the destination peer.
317 struct CadetTConnection *connection_head;
318 struct CadetTConnection *connection_tail;
321 * Next connection number.
326 * Channels inside this tunnel.
328 struct CadetTChannel *channel_head;
329 struct CadetTChannel *channel_tail;
332 * Channel ID for the next created channel.
334 CADET_ChannelNumber next_chid;
337 * Destroy flag: if true, destroy on last message.
339 struct GNUNET_SCHEDULER_Task * destroy_task;
342 * Queued messages, to transmit once tunnel gets connected.
344 struct CadetTunnelDelayed *tq_head;
345 struct CadetTunnelDelayed *tq_tail;
348 * Task to trim connections if too many are present.
350 struct GNUNET_SCHEDULER_Task * trim_connections_task;
353 * Ephemeral message in the queue (to avoid queueing more than one).
355 struct CadetConnectionQueue *ephm_h;
358 * Pong message in the queue.
360 struct CadetConnectionQueue *pong_h;
365 * Struct used to save messages in a non-ready tunnel to send once connected.
367 struct CadetTunnelDelayed
372 struct CadetTunnelDelayed *next;
373 struct CadetTunnelDelayed *prev;
378 struct CadetTunnel *t;
381 * Tunnel queue given to the channel to cancel request. Update on send_queued.
383 struct CadetTunnelQueue *tq;
388 /* struct GNUNET_MessageHeader *msg; */
393 * Handle for messages queued but not yet sent.
395 struct CadetTunnelQueue
398 * Connection queue handle, to cancel if necessary.
400 struct CadetConnectionQueue *cq;
403 * Handle in case message hasn't been given to a connection yet.
405 struct CadetTunnelDelayed *tqd;
408 * Continuation to call once sent.
413 * Closure for @c cont.
420 * Cached Axolotl key with signature.
422 struct CadetAxolotlSignedKey
425 * Information about what is being signed (@a permanent_key).
427 struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
430 * Permanent public ECDH key.
432 struct GNUNET_CRYPTO_EcdhePublicKey permanent_key;
435 * An EdDSA signature of the permanent ECDH key with the Peer's ID key.
437 struct GNUNET_CRYPTO_EddsaSignature signature;
441 /******************************************************************************/
442 /******************************* GLOBALS ***********************************/
443 /******************************************************************************/
446 * Global handle to the statistics service.
448 extern struct GNUNET_STATISTICS_Handle *stats;
451 * Local peer own ID (memory efficient handle).
453 extern GNUNET_PEER_Id myid;
456 * Local peer own ID (full value).
458 extern struct GNUNET_PeerIdentity my_full_id;
462 * Don't try to recover tunnels if shutting down.
464 extern int shutting_down;
468 * Set of all tunnels, in order to trigger a new exchange on rekey.
469 * Indexed by peer's ID.
471 static struct GNUNET_CONTAINER_MultiPeerMap *tunnels;
474 * Default TTL for payload packets.
476 static unsigned long long default_ttl;
480 * Own Peer ID private key.
482 const static struct GNUNET_CRYPTO_EddsaPrivateKey *id_key;
484 /******************************** AXOLOTL ************************************/
486 static struct GNUNET_CRYPTO_EcdhePrivateKey *ax_key;
489 * Own Axolotl permanent public key (cache).
491 static struct CadetAxolotlSignedKey ax_identity;
493 /******************************** OTR ***********************************/
497 * Own global OTR ephemeral private key.
499 static struct GNUNET_CRYPTO_EcdhePrivateKey *otr_ephemeral_key;
502 * Cached message used to perform a OTR key exchange.
504 static struct GNUNET_CADET_KX_Ephemeral otr_kx_msg;
507 * Task to generate a new OTR ephemeral key.
509 static struct GNUNET_SCHEDULER_Task *rekey_task;
514 static struct GNUNET_TIME_Relative rekey_period;
517 /******************************************************************************/
518 /******************************** STATIC ***********************************/
519 /******************************************************************************/
522 * Get string description for tunnel connectivity state.
524 * @param cs Tunnel state.
526 * @return String representation.
529 cstate2s (enum CadetTunnelCState cs)
535 case CADET_TUNNEL_NEW:
536 return "CADET_TUNNEL_NEW";
537 case CADET_TUNNEL_SEARCHING:
538 return "CADET_TUNNEL_SEARCHING";
539 case CADET_TUNNEL_WAITING:
540 return "CADET_TUNNEL_WAITING";
541 case CADET_TUNNEL_READY:
542 return "CADET_TUNNEL_READY";
543 case CADET_TUNNEL_SHUTDOWN:
544 return "CADET_TUNNEL_SHUTDOWN";
546 SPRINTF (buf, "%u (UNKNOWN STATE)", cs);
554 * Get string description for tunnel encryption state.
556 * @param es Tunnel state.
558 * @return String representation.
561 estate2s (enum CadetTunnelEState es)
567 case CADET_TUNNEL_KEY_UNINITIALIZED:
568 return "CADET_TUNNEL_KEY_UNINITIALIZED";
569 case CADET_TUNNEL_KEY_SENT:
570 return "CADET_TUNNEL_KEY_SENT";
571 case CADET_TUNNEL_KEY_PING:
572 return "CADET_TUNNEL_KEY_PING";
573 case CADET_TUNNEL_KEY_OK:
574 return "CADET_TUNNEL_KEY_OK";
575 case CADET_TUNNEL_KEY_REKEY:
576 return "CADET_TUNNEL_KEY_REKEY";
578 SPRINTF (buf, "%u (UNKNOWN STATE)", es);
586 * @brief Check if tunnel is ready to send traffic.
588 * Tunnel must be connected and with encryption correctly set up.
590 * @param t Tunnel to check.
592 * @return #GNUNET_YES if ready, #GNUNET_NO otherwise
595 is_ready (struct CadetTunnel *t)
599 GCT_debug (t, GNUNET_ERROR_TYPE_DEBUG);
600 ready = CADET_TUNNEL_READY == t->cstate
601 && (CADET_TUNNEL_KEY_OK == t->estate
602 || CADET_TUNNEL_KEY_REKEY == t->estate);
603 ready = ready || GCT_is_loopback (t);
609 * Check if a key is invalid (NULL pointer or all 0)
611 * @param key Key to check.
613 * @return #GNUNET_YES if key is null, #GNUNET_NO if exists and is not 0.
616 is_key_null (struct GNUNET_CRYPTO_SymmetricSessionKey *key)
618 struct GNUNET_CRYPTO_SymmetricSessionKey null_key;
623 memset (&null_key, 0, sizeof (null_key));
624 if (0 == memcmp (key, &null_key, sizeof (null_key)))
631 * Ephemeral key message purpose size.
633 * @return Size of the part of the ephemeral key message that must be signed.
636 ephemeral_purpose_size (void)
638 return sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
639 sizeof (struct GNUNET_TIME_AbsoluteNBO) +
640 sizeof (struct GNUNET_TIME_AbsoluteNBO) +
641 sizeof (struct GNUNET_CRYPTO_EcdhePublicKey) +
642 sizeof (struct GNUNET_PeerIdentity);
647 * Ephemeral key message purpose size.
649 * @return Size of the part of the ephemeral key message that must be signed.
652 ax_purpose_size (void)
654 return sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
655 sizeof (struct GNUNET_CRYPTO_EcdhePublicKey);
660 * Size of the encrypted part of a ping message.
662 * @return Size of the encrypted part of a ping message.
665 ping_encryption_size (void)
667 return sizeof (uint32_t);
672 * Get the channel's buffer. ONLY FOR NON-LOOPBACK CHANNELS!!
674 * @param tch Tunnel's channel handle.
676 * @return Amount of messages the channel can still buffer towards the client.
679 get_channel_buffer (const struct CadetTChannel *tch)
683 /* If channel is incoming, is terminal in the FWD direction and fwd is YES */
684 fwd = GCCH_is_terminal (tch->ch, GNUNET_YES);
686 return GCCH_get_buffer (tch->ch, fwd);
691 * Get the channel's allowance status.
693 * @param tch Tunnel's channel handle.
695 * @return #GNUNET_YES if we allowed the client to send data to us.
698 get_channel_allowed (const struct CadetTChannel *tch)
702 /* If channel is outgoing, is origin in the FWD direction and fwd is YES */
703 fwd = GCCH_is_origin (tch->ch, GNUNET_YES);
705 return GCCH_get_allowed (tch->ch, fwd);
710 * Get the connection's buffer.
712 * @param tc Tunnel's connection handle.
714 * @return Amount of messages the connection can still buffer.
717 get_connection_buffer (const struct CadetTConnection *tc)
721 /* If connection is outgoing, is origin in the FWD direction and fwd is YES */
722 fwd = GCC_is_origin (tc->c, GNUNET_YES);
724 return GCC_get_buffer (tc->c, fwd);
729 * Get the connection's allowance.
731 * @param tc Tunnel's connection handle.
733 * @return Amount of messages we have allowed the next peer to send us.
736 get_connection_allowed (const struct CadetTConnection *tc)
740 /* If connection is outgoing, is origin in the FWD direction and fwd is YES */
741 fwd = GCC_is_origin (tc->c, GNUNET_YES);
743 return GCC_get_allowed (tc->c, fwd);
748 * Check that a ephemeral key message s well formed and correctly signed.
750 * @param t Tunnel on which the message came.
751 * @param msg The ephemeral key message.
753 * @return GNUNET_OK if message is fine, GNUNET_SYSERR otherwise.
756 check_ephemeral (struct CadetTunnel *t,
757 const struct GNUNET_CADET_KX_Ephemeral *msg)
759 /* Check message size */
760 if (ntohs (msg->header.size) != sizeof (struct GNUNET_CADET_KX_Ephemeral))
761 return GNUNET_SYSERR;
763 /* Check signature size */
764 if (ntohl (msg->purpose.size) != ephemeral_purpose_size ())
765 return GNUNET_SYSERR;
768 if (0 != memcmp (&msg->origin_identity,
769 GCP_get_id (t->peer),
770 sizeof (struct GNUNET_PeerIdentity)))
771 return GNUNET_SYSERR;
773 /* Check signature */
775 GNUNET_CRYPTO_eddsa_verify (GNUNET_SIGNATURE_PURPOSE_CADET_KX,
778 &msg->origin_identity.public_key))
779 return GNUNET_SYSERR;
786 * Select the best key to use for encryption (send), based on KX status.
788 * Normally, return the current key. If there is a KX in progress and the old
789 * key is fresh enough, return the old key.
791 * @param t Tunnel to choose the key from.
793 * @return The optimal key to encrypt/hmac outgoing traffic.
795 static const struct GNUNET_CRYPTO_SymmetricSessionKey *
796 select_key (const struct CadetTunnel *t)
798 const struct GNUNET_CRYPTO_SymmetricSessionKey *key;
800 if (NULL != t->kx_ctx
801 && NULL == t->kx_ctx->finish_task)
803 struct GNUNET_TIME_Relative age;
805 age = GNUNET_TIME_absolute_get_duration (t->kx_ctx->rekey_start_time);
806 LOG (GNUNET_ERROR_TYPE_DEBUG,
807 " key exchange in progress, started %s ago\n",
808 GNUNET_STRINGS_relative_time_to_string (age, GNUNET_YES));
809 // FIXME make duration of old keys configurable
810 if (age.rel_value_us < GNUNET_TIME_UNIT_MINUTES.rel_value_us)
812 LOG (GNUNET_ERROR_TYPE_DEBUG, " using old key\n");
813 key = &t->kx_ctx->e_key_old;
817 LOG (GNUNET_ERROR_TYPE_DEBUG, " using new key (old key too old)\n");
823 LOG (GNUNET_ERROR_TYPE_DEBUG, " no KX: using current key\n");
833 * @param plaintext Content to HMAC.
834 * @param size Size of @c plaintext.
835 * @param iv Initialization vector for the message.
836 * @param key Key to use.
837 * @param hmac[out] Destination to store the HMAC.
840 t_hmac (const void *plaintext, size_t size,
841 uint32_t iv, const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
842 struct GNUNET_CADET_Hash *hmac)
844 static const char ctx[] = "cadet authentication key";
845 struct GNUNET_CRYPTO_AuthKey auth_key;
846 struct GNUNET_HashCode hash;
848 #if DUMP_KEYS_TO_STDERR
849 LOG (GNUNET_ERROR_TYPE_INFO, " HMAC with key %s\n",
850 GNUNET_h2s ((struct GNUNET_HashCode *) key));
852 GNUNET_CRYPTO_hmac_derive_key (&auth_key, key,
857 /* Two step: CADET_Hash is only 256 bits, HashCode is 512. */
858 GNUNET_CRYPTO_hmac (&auth_key, plaintext, size, &hash);
859 memcpy (hmac, &hash, sizeof (*hmac));
864 * Encrypt daforce_newest_keyta with the tunnel key.
866 * @param t Tunnel whose key to use.
867 * @param dst Destination for the encrypted data.
868 * @param src Source of the plaintext. Can overlap with @c dst.
869 * @param size Size of the plaintext.
870 * @param iv Initialization Vector to use.
871 * @param force_newest_key Force the use of the newest key, otherwise
872 * CADET will use the old key when allowed.
873 * This can happen in the case when a KX is going on
874 * and the old one hasn't expired.
877 t_encrypt (struct CadetTunnel *t, void *dst, const void *src,
878 size_t size, uint32_t iv, int force_newest_key)
880 struct GNUNET_CRYPTO_SymmetricInitializationVector siv;
881 const struct GNUNET_CRYPTO_SymmetricSessionKey *key;
884 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_encrypt start\n");
886 key = GNUNET_YES == force_newest_key ? &t->e_key : select_key (t);
887 #if DUMP_KEYS_TO_STDERR
888 LOG (GNUNET_ERROR_TYPE_INFO, " ENC with key %s\n",
889 GNUNET_h2s ((struct GNUNET_HashCode *) key));
891 GNUNET_CRYPTO_symmetric_derive_iv (&siv, key, &iv, sizeof (iv), NULL);
892 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_encrypt IV derived\n");
893 out_size = GNUNET_CRYPTO_symmetric_encrypt (src, size, key, &siv, dst);
894 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_encrypt end\n");
901 * Generate a new key with a HMAC mechanism from the existing chain key.
903 * @param ax Axolotl context.
904 * @param key[out] Derived key.
905 * @param source Source key material (data to HMAC).
906 * @param len Length of @a source.
909 t_ax_hmac_hash (struct CadetTunnelAxolotl *ax,
910 struct GNUNET_CRYPTO_SymmetricSessionKey *key,
911 void *source, unsigned int len)
913 static const char ctx[] = "axolotl key derivation";
914 struct GNUNET_CRYPTO_AuthKey auth_key;
915 struct GNUNET_HashCode hash;
917 GNUNET_CRYPTO_hmac_derive_key (&auth_key, &ax->CKs,
920 GNUNET_CRYPTO_hmac (&auth_key, source, len, &hash);
921 GNUNET_CRYPTO_kdf (key, sizeof (*key),
923 &hash, sizeof (hash));
928 * Encrypt data with the tunnel key.
930 * @param t Tunnel whose key to use.
931 * @param dst Destination for the encrypted data.
932 * @param src Source of the plaintext. Can overlap with @c dst.
933 * @param size Size of the plaintext.
935 * @return Size of the encrypted data.
938 t_ax_encrypt (struct CadetTunnel *t, void *dst, const void *src, size_t size)
940 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
941 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
942 struct CadetTunnelAxolotl *ax;
945 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_encrypt start\n");
949 if (GNUNET_YES == ax->ratchet_flag)
951 /* Advance ratchet */
954 t_ax_hmac_hash (ax, &MK, "0", 1);
955 GNUNET_CRYPTO_symmetric_derive_iv (&iv, &MK, NULL, 0, NULL);
957 #if DUMP_KEYS_TO_STDERR
958 LOG (GNUNET_ERROR_TYPE_INFO, " ENC with key %s\n",
959 GNUNET_h2s ((struct GNUNET_HashCode *) &MK));
962 out_size = GNUNET_CRYPTO_symmetric_encrypt (src, size, &MK, &iv, dst);
964 t_ax_hmac_hash (ax, &ax->CKs, "1", 1);
966 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_encrypt end\n");
973 * Decrypt and verify data with the appropriate tunnel key.
975 * @param key Key to use.
976 * @param dst Destination for the plaintext.
977 * @param src Source of the encrypted data. Can overlap with @c dst.
978 * @param size Size of the encrypted data.
979 * @param iv Initialization Vector to use.
981 * @return Size of the decrypted data, -1 if an error was encountered.
984 decrypt (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
985 void *dst, const void *src, size_t size, uint32_t iv)
987 struct GNUNET_CRYPTO_SymmetricInitializationVector siv;
990 LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt start\n");
991 LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt iv\n");
992 GNUNET_CRYPTO_symmetric_derive_iv (&siv, key, &iv, sizeof (iv), NULL);
993 LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt iv done\n");
994 out_size = GNUNET_CRYPTO_symmetric_decrypt (src, size, key, &siv, dst);
995 LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt end\n");
1002 * Decrypt and verify data with the most recent tunnel key.
1004 * @param t Tunnel whose key to use.
1005 * @param dst Destination for the plaintext.
1006 * @param src Source of the encrypted data. Can overlap with @c dst.
1007 * @param size Size of the encrypted data.
1008 * @param iv Initialization Vector to use.
1010 * @return Size of the decrypted data, -1 if an error was encountered.
1013 t_decrypt (struct CadetTunnel *t, void *dst, const void *src,
1014 size_t size, uint32_t iv)
1018 #if DUMP_KEYS_TO_STDERR
1019 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_decrypt with %s\n",
1020 GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
1022 if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
1024 GNUNET_STATISTICS_update (stats, "# non decryptable data", 1, GNUNET_NO);
1025 LOG (GNUNET_ERROR_TYPE_WARNING,
1026 "got data on %s without a valid key\n",
1028 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
1032 out_size = decrypt (&t->d_key, dst, src, size, iv);
1039 * Decrypt and verify data with the appropriate tunnel key and verify that the
1040 * data has not been altered since it was sent by the remote peer.
1042 * @param t Tunnel whose key to use.
1043 * @param dst Destination for the plaintext.
1044 * @param src Source of the encrypted data. Can overlap with @c dst.
1045 * @param size Size of the encrypted data.
1046 * @param iv Initialization Vector to use.
1047 * @param msg_hmac HMAC of the message, cannot be NULL.
1049 * @return Size of the decrypted data, -1 if an error was encountered.
1052 t_decrypt_and_validate (struct CadetTunnel *t,
1053 void *dst, const void *src,
1054 size_t size, uint32_t iv,
1055 const struct GNUNET_CADET_Hash *msg_hmac)
1057 struct GNUNET_CRYPTO_SymmetricSessionKey *key;
1058 struct GNUNET_CADET_Hash hmac;
1061 /* Try primary (newest) key */
1063 decrypted_size = decrypt (key, dst, src, size, iv);
1064 t_hmac (src, size, iv, key, &hmac);
1065 if (0 == memcmp (msg_hmac, &hmac, sizeof (hmac)))
1066 return decrypted_size;
1068 /* If no key exchange is going on, we just failed. */
1069 if (NULL == t->kx_ctx)
1071 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1072 "Failed checksum validation on tunnel %s with no KX\n",
1074 GNUNET_STATISTICS_update (stats, "# wrong HMAC no KX", 1, GNUNET_NO);
1078 /* Try secondary key, from previous KX period. */
1079 key = &t->kx_ctx->d_key_old;
1080 decrypted_size = decrypt (key, dst, src, size, iv);
1081 t_hmac (src, size, iv, key, &hmac);
1082 if (0 == memcmp (msg_hmac, &hmac, sizeof (hmac)))
1083 return decrypted_size;
1085 /* Hail Mary, try tertiary, key, in case of parallel re-keys. */
1086 key = &t->kx_ctx->d_key_old2;
1087 decrypted_size = decrypt (key, dst, src, size, iv);
1088 t_hmac (src, size, iv, key, &hmac);
1089 if (0 == memcmp (msg_hmac, &hmac, sizeof (hmac)))
1090 return decrypted_size;
1092 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1093 "Failed checksum validation on tunnel %s with KX\n",
1095 GNUNET_STATISTICS_update (stats, "# wrong HMAC with KX", 1, GNUNET_NO);
1100 * Decrypt and verify data with the appropriate tunnel key and verify that the
1101 * data has not been altered since it was sent by the remote peer.
1103 * @param t Tunnel whose key to use.
1104 * @param dst Destination for the plaintext.
1105 * @param src Source of the encrypted data. Can overlap with @c dst.
1106 * @param size Size of the encrypted data.
1107 * @param msg_hmac HMAC of the message, cannot be NULL.
1109 * @return Size of the decrypted data, -1 if an error was encountered.
1112 t_ax_decrypt_and_validate (struct CadetTunnel *t,
1113 void *dst, const void *src, size_t size,
1114 const struct GNUNET_CADET_Hash *msg_hmac)
1116 struct CadetTunnelAxolotl *ax;
1131 * Create key material by doing ECDH on the local and remote ephemeral keys.
1133 * @param key_material Where to store the key material.
1134 * @param ephemeral_key Peer's public ephemeral key.
1137 derive_key_material (struct GNUNET_HashCode *key_material,
1138 const struct GNUNET_CRYPTO_EcdhePublicKey *ephemeral_key)
1141 GNUNET_CRYPTO_ecc_ecdh (otr_ephemeral_key,
1151 * Create a symmetic key from the identities of both ends and the key material
1154 * @param key Destination for the generated key.
1155 * @param sender ID of the peer that will encrypt with @c key.
1156 * @param receiver ID of the peer that will decrypt with @c key.
1157 * @param key_material Hash created with ECDH with the ephemeral keys.
1160 derive_symmertic (struct GNUNET_CRYPTO_SymmetricSessionKey *key,
1161 const struct GNUNET_PeerIdentity *sender,
1162 const struct GNUNET_PeerIdentity *receiver,
1163 const struct GNUNET_HashCode *key_material)
1165 const char salt[] = "CADET kx salt";
1167 GNUNET_CRYPTO_kdf (key, sizeof (struct GNUNET_CRYPTO_SymmetricSessionKey),
1168 salt, sizeof (salt),
1169 key_material, sizeof (struct GNUNET_HashCode),
1170 sender, sizeof (struct GNUNET_PeerIdentity),
1171 receiver, sizeof (struct GNUNET_PeerIdentity),
1177 * Derive the tunnel's keys using our own and the peer's ephemeral keys.
1179 * @param t Tunnel for which to create the keys.
1182 create_keys (struct CadetTunnel *t)
1184 struct GNUNET_HashCode km;
1186 derive_key_material (&km, &t->peers_ephemeral_key);
1187 derive_symmertic (&t->e_key, &my_full_id, GCP_get_id (t->peer), &km);
1188 derive_symmertic (&t->d_key, GCP_get_id (t->peer), &my_full_id, &km);
1189 #if DUMP_KEYS_TO_STDERR
1190 LOG (GNUNET_ERROR_TYPE_INFO, "ME: %s\n",
1191 GNUNET_h2s ((struct GNUNET_HashCode *) &otr_kx_msg.ephemeral_key));
1192 LOG (GNUNET_ERROR_TYPE_INFO, "PE: %s\n",
1193 GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
1194 LOG (GNUNET_ERROR_TYPE_INFO, "KM: %s\n", GNUNET_h2s (&km));
1195 LOG (GNUNET_ERROR_TYPE_INFO, "EK: %s\n",
1196 GNUNET_h2s ((struct GNUNET_HashCode *) &t->e_key));
1197 LOG (GNUNET_ERROR_TYPE_INFO, "DK: %s\n",
1198 GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
1204 * Create a new Key eXchange context for the tunnel.
1206 * If the old keys were verified, keep them for old traffic. Create a new KX
1207 * timestamp and a new nonce.
1209 * @param t Tunnel for which to create the KX ctx.
1212 create_kx_ctx (struct CadetTunnel *t)
1214 LOG (GNUNET_ERROR_TYPE_INFO, " new kx ctx for %s\n", GCT_2s (t));
1216 if (NULL != t->kx_ctx)
1218 if (NULL != t->kx_ctx->finish_task)
1220 LOG (GNUNET_ERROR_TYPE_INFO, " resetting exisiting finish task\n");
1221 GNUNET_SCHEDULER_cancel (t->kx_ctx->finish_task);
1222 t->kx_ctx->finish_task = NULL;
1227 t->kx_ctx = GNUNET_new (struct CadetTunnelKXCtx);
1228 t->kx_ctx->challenge = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE,
1232 if (CADET_TUNNEL_KEY_OK == t->estate)
1234 LOG (GNUNET_ERROR_TYPE_INFO, " backing up keys\n");
1235 t->kx_ctx->d_key_old = t->d_key;
1236 t->kx_ctx->e_key_old = t->e_key;
1239 LOG (GNUNET_ERROR_TYPE_INFO, " old keys not valid, not saving\n");
1240 t->kx_ctx->rekey_start_time = GNUNET_TIME_absolute_get ();
1246 * @brief Finish the Key eXchange and destroy the old keys.
1248 * @param cls Closure (Tunnel for which to finish the KX).
1249 * @param tc Task context.
1252 finish_kx (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
1254 struct CadetTunnel *t = cls;
1256 LOG (GNUNET_ERROR_TYPE_INFO, "finish KX for %s\n", GCT_2s (t));
1258 if (0 != (tc->reason & GNUNET_SCHEDULER_REASON_SHUTDOWN))
1260 LOG (GNUNET_ERROR_TYPE_INFO, " shutdown\n");
1264 GNUNET_free (t->kx_ctx);
1270 * Destroy a Key eXchange context for the tunnel. This function only schedules
1271 * the destruction, the freeing of the memory (and clearing of old key material)
1272 * happens after a delay!
1274 * @param t Tunnel whose KX ctx to destroy.
1277 destroy_kx_ctx (struct CadetTunnel *t)
1279 struct GNUNET_TIME_Relative delay;
1281 if (NULL == t->kx_ctx || NULL != t->kx_ctx->finish_task)
1284 if (is_key_null (&t->kx_ctx->e_key_old))
1286 t->kx_ctx->finish_task = GNUNET_SCHEDULER_add_now (finish_kx, t);
1290 delay = GNUNET_TIME_relative_divide (rekey_period, 4);
1291 delay = GNUNET_TIME_relative_min (delay, GNUNET_TIME_UNIT_MINUTES);
1293 t->kx_ctx->finish_task = GNUNET_SCHEDULER_add_delayed (delay, finish_kx, t);
1299 * Pick a connection on which send the next data message.
1301 * @param t Tunnel on which to send the message.
1303 * @return The connection on which to send the next message.
1305 static struct CadetConnection *
1306 tunnel_get_connection (struct CadetTunnel *t)
1308 struct CadetTConnection *iter;
1309 struct CadetConnection *best;
1311 unsigned int lowest_q;
1313 LOG (GNUNET_ERROR_TYPE_DEBUG, "tunnel_get_connection %s\n", GCT_2s (t));
1315 lowest_q = UINT_MAX;
1316 for (iter = t->connection_head; NULL != iter; iter = iter->next)
1318 LOG (GNUNET_ERROR_TYPE_DEBUG, " connection %s: %u\n",
1319 GCC_2s (iter->c), GCC_get_state (iter->c));
1320 if (CADET_CONNECTION_READY == GCC_get_state (iter->c))
1322 qn = GCC_get_qn (iter->c, GCC_is_origin (iter->c, GNUNET_YES));
1323 LOG (GNUNET_ERROR_TYPE_DEBUG, " q_n %u, \n", qn);
1331 LOG (GNUNET_ERROR_TYPE_DEBUG, " selected: connection %s\n", GCC_2s (best));
1337 * Callback called when a queued message is sent.
1339 * Calculates the average time and connection packet tracking.
1341 * @param cls Closure (TunnelQueue handle).
1342 * @param c Connection this message was on.
1343 * @param q Connection queue handle (unused).
1344 * @param type Type of message sent.
1345 * @param fwd Was this a FWD going message?
1346 * @param size Size of the message.
1349 tun_message_sent (void *cls,
1350 struct CadetConnection *c,
1351 struct CadetConnectionQueue *q,
1352 uint16_t type, int fwd, size_t size)
1354 struct CadetTunnelQueue *qt = cls;
1355 struct CadetTunnel *t;
1357 LOG (GNUNET_ERROR_TYPE_DEBUG, "tun_message_sent\n");
1359 GNUNET_assert (NULL != qt->cont);
1360 t = NULL == c ? NULL : GCC_get_tunnel (c);
1361 qt->cont (qt->cont_cls, t, qt, type, size);
1367 count_queued_data (const struct CadetTunnel *t)
1369 struct CadetTunnelDelayed *iter;
1372 for (count = 0, iter = t->tq_head; iter != NULL; iter = iter->next)
1379 * Delete a queued message: either was sent or the channel was destroyed
1380 * before the tunnel's key exchange had a chance to finish.
1382 * @param tqd Delayed queue handle.
1385 unqueue_data (struct CadetTunnelDelayed *tqd)
1387 GNUNET_CONTAINER_DLL_remove (tqd->t->tq_head, tqd->t->tq_tail, tqd);
1393 * Cache a message to be sent once tunnel is online.
1395 * @param t Tunnel to hold the message.
1396 * @param msg Message itself (copy will be made).
1398 static struct CadetTunnelDelayed *
1399 queue_data (struct CadetTunnel *t, const struct GNUNET_MessageHeader *msg)
1401 struct CadetTunnelDelayed *tqd;
1402 uint16_t size = ntohs (msg->size);
1404 LOG (GNUNET_ERROR_TYPE_DEBUG, "queue data on Tunnel %s\n", GCT_2s (t));
1406 if (GNUNET_YES == is_ready (t))
1412 tqd = GNUNET_malloc (sizeof (struct CadetTunnelDelayed) + size);
1415 memcpy (&tqd[1], msg, size);
1416 GNUNET_CONTAINER_DLL_insert_tail (t->tq_head, t->tq_tail, tqd);
1422 * Sends an already built message on a tunnel, encrypting it and
1423 * choosing the best connection.
1425 * @param message Message to send. Function modifies it.
1426 * @param t Tunnel on which this message is transmitted.
1427 * @param c Connection to use (autoselect if NULL).
1428 * @param force Force the tunnel to take the message (buffer overfill).
1429 * @param cont Continuation to call once message is really sent.
1430 * @param cont_cls Closure for @c cont.
1431 * @param existing_q In case this a transmission of previously queued data,
1432 * this should be TunnelQueue given to the client.
1435 * @return Handle to cancel message.
1436 * NULL if @c cont is NULL or an error happens and message is dropped.
1438 static struct CadetTunnelQueue *
1439 send_prebuilt_message (const struct GNUNET_MessageHeader *message,
1440 struct CadetTunnel *t, struct CadetConnection *c,
1441 int force, GCT_sent cont, void *cont_cls,
1442 struct CadetTunnelQueue *existing_q)
1444 struct CadetTunnelQueue *tq;
1445 struct GNUNET_CADET_Encrypted *msg;
1446 size_t size = ntohs (message->size);
1447 char cbuf[sizeof (struct GNUNET_CADET_Encrypted) + size];
1454 LOG (GNUNET_ERROR_TYPE_DEBUG, "GMT Send on Tunnel %s\n", GCT_2s (t));
1456 if (GNUNET_NO == is_ready (t))
1458 struct CadetTunnelDelayed *tqd;
1459 /* A non null existing_q indicates sending of queued data.
1460 * Should only happen after tunnel becomes ready.
1462 GNUNET_assert (NULL == existing_q);
1463 tqd = queue_data (t, message);
1466 tq = GNUNET_new (struct CadetTunnelQueue);
1470 tq->cont_cls = cont_cls;
1474 GNUNET_assert (GNUNET_NO == GCT_is_loopback (t));
1476 iv = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
1477 msg = (struct GNUNET_CADET_Encrypted *) cbuf;
1478 msg->header.type = htons (GNUNET_MESSAGE_TYPE_CADET_ENCRYPTED);
1481 if (CADET_Axolotl == t->enc_type)
1482 esize = t_ax_encrypt (t, &msg[1], message, size);
1484 esize = t_encrypt (t, &msg[1], message, size, iv, GNUNET_NO);
1485 GNUNET_assert (esize == size);
1486 t_hmac (&msg[1], size, iv, select_key (t), &msg->hmac);
1487 msg->header.size = htons (sizeof (struct GNUNET_CADET_Encrypted) + size);
1490 c = tunnel_get_connection (t);
1493 /* Why is tunnel 'ready'? Should have been queued! */
1494 if (NULL != t->destroy_task)
1497 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
1499 return NULL; /* Drop... */
1503 type = ntohs (message->type);
1506 case GNUNET_MESSAGE_TYPE_CADET_DATA:
1507 case GNUNET_MESSAGE_TYPE_CADET_DATA_ACK:
1508 if (GNUNET_MESSAGE_TYPE_CADET_DATA == type)
1509 mid = ntohl (((struct GNUNET_CADET_Data *) message)->mid);
1511 mid = ntohl (((struct GNUNET_CADET_DataACK *) message)->mid);
1513 case GNUNET_MESSAGE_TYPE_CADET_KEEPALIVE:
1514 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_CREATE:
1515 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY:
1516 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_ACK:
1517 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_NACK:
1518 msg->cid = *GCC_get_id (c);
1519 msg->ttl = htonl (default_ttl);
1523 LOG (GNUNET_ERROR_TYPE_ERROR, "type %s not valid\n", GC_m2s (type));
1525 LOG (GNUNET_ERROR_TYPE_DEBUG, "type %s\n", GC_m2s (type));
1527 fwd = GCC_is_origin (c, GNUNET_YES);
1531 GNUNET_break (NULL == GCC_send_prebuilt_message (&msg->header, type, mid, c,
1532 fwd, force, NULL, NULL));
1535 if (NULL == existing_q)
1537 tq = GNUNET_new (struct CadetTunnelQueue); /* FIXME valgrind: leak*/
1544 tq->cq = GCC_send_prebuilt_message (&msg->header, type, mid, c, fwd, force,
1545 &tun_message_sent, tq);
1546 GNUNET_assert (NULL != tq->cq);
1548 tq->cont_cls = cont_cls;
1555 * Send all cached messages that we can, tunnel is online.
1557 * @param t Tunnel that holds the messages. Cannot be loopback.
1560 send_queued_data (struct CadetTunnel *t)
1562 struct CadetTunnelDelayed *tqd;
1563 struct CadetTunnelDelayed *next;
1566 LOG (GNUNET_ERROR_TYPE_INFO, "Send queued data, tunnel %s\n", GCT_2s (t));
1568 if (GCT_is_loopback (t))
1574 if (GNUNET_NO == is_ready (t))
1576 LOG (GNUNET_ERROR_TYPE_DEBUG, " not ready yet: %s/%s\n",
1577 estate2s (t->estate), cstate2s (t->cstate));
1581 room = GCT_get_connections_buffer (t);
1582 LOG (GNUNET_ERROR_TYPE_DEBUG, " buffer space: %u\n", room);
1583 LOG (GNUNET_ERROR_TYPE_DEBUG, " tq head: %p\n", t->tq_head);
1584 for (tqd = t->tq_head; NULL != tqd && room > 0; tqd = next)
1586 LOG (GNUNET_ERROR_TYPE_DEBUG, " sending queued data\n");
1589 send_prebuilt_message ((struct GNUNET_MessageHeader *) &tqd[1],
1590 tqd->t, NULL, GNUNET_YES,
1591 NULL != tqd->tq ? tqd->tq->cont : NULL,
1592 NULL != tqd->tq ? tqd->tq->cont_cls : NULL,
1596 LOG (GNUNET_ERROR_TYPE_DEBUG, "GCT_send_queued_data end\n", GCP_2s (t->peer));
1601 * Callback called when a queued message is sent.
1603 * @param cls Closure.
1604 * @param c Connection this message was on.
1605 * @param type Type of message sent.
1606 * @param fwd Was this a FWD going message?
1607 * @param size Size of the message.
1610 ephm_sent (void *cls,
1611 struct CadetConnection *c,
1612 struct CadetConnectionQueue *q,
1613 uint16_t type, int fwd, size_t size)
1615 struct CadetTunnel *t = cls;
1616 LOG (GNUNET_ERROR_TYPE_DEBUG, "ephemeral sent %s\n", GC_m2s (type));
1621 * Callback called when a queued message is sent.
1623 * @param cls Closure.
1624 * @param c Connection this message was on.
1625 * @param type Type of message sent.
1626 * @param fwd Was this a FWD going message?
1627 * @param size Size of the message.
1630 pong_sent (void *cls,
1631 struct CadetConnection *c,
1632 struct CadetConnectionQueue *q,
1633 uint16_t type, int fwd, size_t size)
1635 struct CadetTunnel *t = cls;
1636 LOG (GNUNET_ERROR_TYPE_DEBUG, "pong_sent %s\n", GC_m2s (type));
1642 * Sends key exchange message on a tunnel, choosing the best connection.
1643 * Should not be called on loopback tunnels.
1645 * @param t Tunnel on which this message is transmitted.
1646 * @param message Message to send. Function modifies it.
1648 * @return Handle to the message in the connection queue.
1650 static struct CadetConnectionQueue *
1651 send_kx (struct CadetTunnel *t,
1652 const struct GNUNET_MessageHeader *message)
1654 struct CadetConnection *c;
1655 struct GNUNET_CADET_KX *msg;
1656 size_t size = ntohs (message->size);
1657 char cbuf[sizeof (struct GNUNET_CADET_KX) + size];
1662 LOG (GNUNET_ERROR_TYPE_DEBUG, "GMT KX on Tunnel %s\n", GCT_2s (t));
1664 /* Avoid loopback. */
1665 if (GCT_is_loopback (t))
1670 type = ntohs (message->type);
1672 /* Even if tunnel is "being destroyed", send anyway.
1673 * Could be a response to a rekey initiated by remote peer,
1674 * who is trying to create a new channel!
1677 /* Must have a connection, or be looking for one. */
1678 if (NULL == t->connection_head)
1680 LOG (GNUNET_ERROR_TYPE_DEBUG, "%s with no connection\n", GC_m2s (type));
1681 if (CADET_TUNNEL_SEARCHING != t->cstate)
1684 GCT_debug (t, GNUNET_ERROR_TYPE_ERROR);
1685 GCP_debug (t->peer, GNUNET_ERROR_TYPE_ERROR);
1690 msg = (struct GNUNET_CADET_KX *) cbuf;
1691 msg->header.type = htons (GNUNET_MESSAGE_TYPE_CADET_KX);
1692 msg->header.size = htons (sizeof (struct GNUNET_CADET_KX) + size);
1693 c = tunnel_get_connection (t);
1696 if (NULL == t->destroy_task && CADET_TUNNEL_READY == t->cstate)
1699 GCT_debug (t, GNUNET_ERROR_TYPE_ERROR);
1705 case GNUNET_MESSAGE_TYPE_CADET_KX_EPHEMERAL:
1706 case GNUNET_MESSAGE_TYPE_CADET_AX_KX:
1707 GNUNET_assert (NULL == t->ephm_h);
1710 case GNUNET_MESSAGE_TYPE_CADET_KX_PONG:
1711 GNUNET_assert (NULL == t->pong_h);
1716 LOG (GNUNET_ERROR_TYPE_DEBUG, "unkown type %s\n", GC_m2s (type));
1719 memcpy (&msg[1], message, size);
1721 fwd = GCC_is_origin (c, GNUNET_YES);
1723 return GCC_send_prebuilt_message (&msg->header, type, 0, c,
1730 * Send the ephemeral key on a tunnel.
1732 * @param t Tunnel on which to send the key.
1735 send_ephemeral (struct CadetTunnel *t)
1737 LOG (GNUNET_ERROR_TYPE_INFO, "===> EPHM for %s\n", GCT_2s (t));
1738 if (NULL != t->ephm_h)
1740 LOG (GNUNET_ERROR_TYPE_INFO, " already queued\n");
1744 otr_kx_msg.sender_status = htonl (t->estate);
1745 otr_kx_msg.iv = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
1746 otr_kx_msg.nonce = t->kx_ctx->challenge;
1747 LOG (GNUNET_ERROR_TYPE_DEBUG, " send nonce c %u\n", otr_kx_msg.nonce);
1748 t_encrypt (t, &otr_kx_msg.nonce, &otr_kx_msg.nonce,
1749 ping_encryption_size(), otr_kx_msg.iv, GNUNET_YES);
1750 LOG (GNUNET_ERROR_TYPE_DEBUG, " send nonce e %u\n", otr_kx_msg.nonce);
1751 t->ephm_h = send_kx (t, &otr_kx_msg.header);
1756 * Send a pong message on a tunnel.
1758 * @param t Tunnel on which to send the pong.
1759 * @param challenge Value sent in the ping that we have to send back.
1762 send_pong (struct CadetTunnel *t, uint32_t challenge)
1764 struct GNUNET_CADET_KX_Pong msg;
1766 LOG (GNUNET_ERROR_TYPE_INFO, "===> PONG for %s\n", GCT_2s (t));
1767 if (NULL != t->pong_h)
1769 LOG (GNUNET_ERROR_TYPE_INFO, " already queued\n");
1772 msg.header.size = htons (sizeof (msg));
1773 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_KX_PONG);
1774 msg.iv = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
1775 msg.nonce = challenge;
1776 LOG (GNUNET_ERROR_TYPE_DEBUG, " sending %u\n", msg.nonce);
1777 t_encrypt (t, &msg.nonce, &msg.nonce,
1778 sizeof (msg.nonce), msg.iv, GNUNET_YES);
1779 LOG (GNUNET_ERROR_TYPE_DEBUG, " e sending %u\n", msg.nonce);
1781 t->pong_h = send_kx (t, &msg.header);
1786 * Initiate a rekey with the remote peer.
1788 * @param cls Closure (tunnel).
1789 * @param tc TaskContext.
1792 rekey_tunnel (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
1794 struct CadetTunnel *t = cls;
1796 t->rekey_task = NULL;
1798 LOG (GNUNET_ERROR_TYPE_INFO, "Re-key Tunnel %s\n", GCT_2s (t));
1799 if (NULL != tc && 0 != (GNUNET_SCHEDULER_REASON_SHUTDOWN & tc->reason))
1802 GNUNET_assert (NULL != t->kx_ctx);
1803 struct GNUNET_TIME_Relative duration;
1805 duration = GNUNET_TIME_absolute_get_duration (t->kx_ctx->rekey_start_time);
1806 LOG (GNUNET_ERROR_TYPE_DEBUG, " kx started %s ago\n",
1807 GNUNET_STRINGS_relative_time_to_string (duration, GNUNET_YES));
1809 // FIXME make duration of old keys configurable
1810 if (duration.rel_value_us >= GNUNET_TIME_UNIT_MINUTES.rel_value_us)
1812 LOG (GNUNET_ERROR_TYPE_DEBUG, " deleting old keys\n");
1813 memset (&t->kx_ctx->d_key_old, 0, sizeof (t->kx_ctx->d_key_old));
1814 memset (&t->kx_ctx->e_key_old, 0, sizeof (t->kx_ctx->e_key_old));
1821 case CADET_TUNNEL_KEY_UNINITIALIZED:
1822 GCT_change_estate (t, CADET_TUNNEL_KEY_SENT);
1825 case CADET_TUNNEL_KEY_SENT:
1828 case CADET_TUNNEL_KEY_OK:
1830 * - state should have changed during rekey_iterator
1831 * - task should have been canceled at pong_handle
1834 GCT_change_estate (t, CADET_TUNNEL_KEY_REKEY);
1837 case CADET_TUNNEL_KEY_PING:
1838 case CADET_TUNNEL_KEY_REKEY:
1842 LOG (GNUNET_ERROR_TYPE_DEBUG, "Unexpected state %u\n", t->estate);
1845 // FIXME exponential backoff
1846 struct GNUNET_TIME_Relative delay;
1848 delay = GNUNET_TIME_relative_divide (rekey_period, 16);
1849 delay = GNUNET_TIME_relative_min (delay, REKEY_WAIT);
1850 LOG (GNUNET_ERROR_TYPE_DEBUG, " next call in %s\n",
1851 GNUNET_STRINGS_relative_time_to_string (delay, GNUNET_YES));
1852 t->rekey_task = GNUNET_SCHEDULER_add_delayed (delay, &rekey_tunnel, t);
1857 * Our ephemeral key has changed, create new session key on all tunnels.
1859 * Each tunnel will start the Key Exchange with a random delay between
1860 * 0 and number_of_tunnels*100 milliseconds, so there are 10 key exchanges
1861 * per second, on average.
1863 * @param cls Closure (size of the hashmap).
1864 * @param key Current public key.
1865 * @param value Value in the hash map (tunnel).
1867 * @return #GNUNET_YES, so we should continue to iterate,
1870 rekey_iterator (void *cls,
1871 const struct GNUNET_PeerIdentity *key,
1874 struct CadetTunnel *t = value;
1875 struct GNUNET_TIME_Relative delay;
1876 long n = (long) cls;
1879 if (NULL != t->rekey_task)
1882 if (GNUNET_YES == GCT_is_loopback (t))
1885 if (CADET_OTR != t->enc_type)
1888 r = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, (uint32_t) n * 100);
1889 delay = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS, r);
1890 t->rekey_task = GNUNET_SCHEDULER_add_delayed (delay, &rekey_tunnel, t);
1892 GCT_change_estate (t, CADET_TUNNEL_KEY_REKEY);
1899 * Create a new ephemeral key and key message, schedule next rekeying.
1901 * @param cls Closure (unused).
1902 * @param tc TaskContext.
1905 global_otr_rekey (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
1907 struct GNUNET_TIME_Absolute time;
1912 if (0 != (GNUNET_SCHEDULER_REASON_SHUTDOWN & tc->reason))
1915 GNUNET_free_non_null (otr_ephemeral_key);
1916 otr_ephemeral_key = GNUNET_CRYPTO_ecdhe_key_create ();
1918 time = GNUNET_TIME_absolute_get ();
1919 otr_kx_msg.creation_time = GNUNET_TIME_absolute_hton (time);
1920 time = GNUNET_TIME_absolute_add (time, rekey_period);
1921 time = GNUNET_TIME_absolute_add (time, GNUNET_TIME_UNIT_MINUTES);
1922 otr_kx_msg.expiration_time = GNUNET_TIME_absolute_hton (time);
1923 GNUNET_CRYPTO_ecdhe_key_get_public (otr_ephemeral_key, &otr_kx_msg.ephemeral_key);
1924 LOG (GNUNET_ERROR_TYPE_INFO, "GLOBAL OTR RE-KEY, NEW EPHM: %s\n",
1925 GNUNET_h2s ((struct GNUNET_HashCode *) &otr_kx_msg.ephemeral_key));
1927 GNUNET_assert (GNUNET_OK ==
1928 GNUNET_CRYPTO_eddsa_sign (id_key,
1929 &otr_kx_msg.purpose,
1930 &otr_kx_msg.signature));
1932 n = (long) GNUNET_CONTAINER_multipeermap_size (tunnels);
1933 GNUNET_CONTAINER_multipeermap_iterate (tunnels, &rekey_iterator, (void *) n);
1935 rekey_task = GNUNET_SCHEDULER_add_delayed (rekey_period,
1936 &global_otr_rekey, NULL);
1941 * Called only on shutdown, destroy every tunnel.
1943 * @param cls Closure (unused).
1944 * @param key Current public key.
1945 * @param value Value in the hash map (tunnel).
1947 * @return #GNUNET_YES, so we should continue to iterate,
1950 destroy_iterator (void *cls,
1951 const struct GNUNET_PeerIdentity *key,
1954 struct CadetTunnel *t = value;
1956 LOG (GNUNET_ERROR_TYPE_DEBUG, "GCT_shutdown destroying tunnel at %p\n", t);
1963 * Notify remote peer that we don't know a channel he is talking about,
1964 * probably CHANNEL_DESTROY was missed.
1966 * @param t Tunnel on which to notify.
1967 * @param gid ID of the channel.
1970 send_channel_destroy (struct CadetTunnel *t, unsigned int gid)
1972 struct GNUNET_CADET_ChannelManage msg;
1974 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY);
1975 msg.header.size = htons (sizeof (msg));
1976 msg.chid = htonl (gid);
1978 LOG (GNUNET_ERROR_TYPE_DEBUG,
1979 "WARNING destroying unknown channel %u on tunnel %s\n",
1981 send_prebuilt_message (&msg.header, t, NULL, GNUNET_YES, NULL, NULL, NULL);
1986 * Demultiplex data per channel and call appropriate channel handler.
1988 * @param t Tunnel on which the data came.
1989 * @param msg Data message.
1990 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
1991 * #GNUNET_YES if message is FWD on the respective channel (loopback)
1992 * #GNUNET_NO if message is BCK on the respective channel (loopback)
1993 * #GNUNET_SYSERR if message on a one-ended channel (remote)
1996 handle_data (struct CadetTunnel *t,
1997 const struct GNUNET_CADET_Data *msg,
2000 struct CadetChannel *ch;
2004 size = ntohs (msg->header.size);
2006 sizeof (struct GNUNET_CADET_Data) +
2007 sizeof (struct GNUNET_MessageHeader))
2012 LOG (GNUNET_ERROR_TYPE_DEBUG, " payload of type %s\n",
2013 GC_m2s (ntohs (msg[1].header.type)));
2016 ch = GCT_get_channel (t, ntohl (msg->chid));
2019 GNUNET_STATISTICS_update (stats, "# data on unknown channel",
2021 LOG (GNUNET_ERROR_TYPE_DEBUG, "WARNING channel 0x%X unknown\n",
2023 send_channel_destroy (t, ntohl (msg->chid));
2027 GCCH_handle_data (ch, msg, fwd);
2032 * Demultiplex data ACKs per channel and update appropriate channel buffer info.
2034 * @param t Tunnel on which the DATA ACK came.
2035 * @param msg DATA ACK message.
2036 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
2037 * #GNUNET_YES if message is FWD on the respective channel (loopback)
2038 * #GNUNET_NO if message is BCK on the respective channel (loopback)
2039 * #GNUNET_SYSERR if message on a one-ended channel (remote)
2042 handle_data_ack (struct CadetTunnel *t,
2043 const struct GNUNET_CADET_DataACK *msg,
2046 struct CadetChannel *ch;
2050 size = ntohs (msg->header.size);
2051 if (size != sizeof (struct GNUNET_CADET_DataACK))
2058 ch = GCT_get_channel (t, ntohl (msg->chid));
2061 GNUNET_STATISTICS_update (stats, "# data ack on unknown channel",
2063 LOG (GNUNET_ERROR_TYPE_DEBUG, "WARNING channel %u unknown\n",
2068 GCCH_handle_data_ack (ch, msg, fwd);
2073 * Handle channel create.
2075 * @param t Tunnel on which the data came.
2076 * @param msg Data message.
2079 handle_ch_create (struct CadetTunnel *t,
2080 const struct GNUNET_CADET_ChannelCreate *msg)
2082 struct CadetChannel *ch;
2086 size = ntohs (msg->header.size);
2087 if (size != sizeof (struct GNUNET_CADET_ChannelCreate))
2094 ch = GCT_get_channel (t, ntohl (msg->chid));
2095 if (NULL != ch && ! GCT_is_loopback (t))
2097 /* Probably a retransmission, safe to ignore */
2098 LOG (GNUNET_ERROR_TYPE_DEBUG, " already exists...\n");
2100 ch = GCCH_handle_create (t, msg);
2102 GCT_add_channel (t, ch);
2108 * Handle channel NACK: check correctness and call channel handler for NACKs.
2110 * @param t Tunnel on which the NACK came.
2111 * @param msg NACK message.
2114 handle_ch_nack (struct CadetTunnel *t,
2115 const struct GNUNET_CADET_ChannelManage *msg)
2117 struct CadetChannel *ch;
2121 size = ntohs (msg->header.size);
2122 if (size != sizeof (struct GNUNET_CADET_ChannelManage))
2129 ch = GCT_get_channel (t, ntohl (msg->chid));
2132 GNUNET_STATISTICS_update (stats, "# channel NACK on unknown channel",
2134 LOG (GNUNET_ERROR_TYPE_DEBUG, "WARNING channel %u unknown\n",
2139 GCCH_handle_nack (ch);
2144 * Handle a CHANNEL ACK (SYNACK/ACK).
2146 * @param t Tunnel on which the CHANNEL ACK came.
2147 * @param msg CHANNEL ACK message.
2148 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
2149 * #GNUNET_YES if message is FWD on the respective channel (loopback)
2150 * #GNUNET_NO if message is BCK on the respective channel (loopback)
2151 * #GNUNET_SYSERR if message on a one-ended channel (remote)
2154 handle_ch_ack (struct CadetTunnel *t,
2155 const struct GNUNET_CADET_ChannelManage *msg,
2158 struct CadetChannel *ch;
2162 size = ntohs (msg->header.size);
2163 if (size != sizeof (struct GNUNET_CADET_ChannelManage))
2170 ch = GCT_get_channel (t, ntohl (msg->chid));
2173 GNUNET_STATISTICS_update (stats, "# channel ack on unknown channel",
2175 LOG (GNUNET_ERROR_TYPE_DEBUG, "WARNING channel %u unknown\n",
2180 GCCH_handle_ack (ch, msg, fwd);
2185 * Handle a channel destruction message.
2187 * @param t Tunnel on which the message came.
2188 * @param msg Channel destroy message.
2189 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
2190 * #GNUNET_YES if message is FWD on the respective channel (loopback)
2191 * #GNUNET_NO if message is BCK on the respective channel (loopback)
2192 * #GNUNET_SYSERR if message on a one-ended channel (remote)
2195 handle_ch_destroy (struct CadetTunnel *t,
2196 const struct GNUNET_CADET_ChannelManage *msg,
2199 struct CadetChannel *ch;
2203 size = ntohs (msg->header.size);
2204 if (size != sizeof (struct GNUNET_CADET_ChannelManage))
2211 ch = GCT_get_channel (t, ntohl (msg->chid));
2214 /* Probably a retransmission, safe to ignore */
2218 GCCH_handle_destroy (ch, msg, fwd);
2223 * Create a new Axolotl ephemeral (ratchet) key.
2228 new_ephemeral (struct CadetTunnel *t)
2230 GNUNET_free_non_null (t->ax->DHRs);
2231 t->ax->DHRs = GNUNET_CRYPTO_ecdhe_key_create();
2236 * Free Axolotl data.
2241 destroy_ax (struct CadetTunnel *t)
2246 GNUNET_free_non_null (t->ax->DHRs);
2247 GNUNET_free_non_null (t->ax->kx_0);
2249 GNUNET_free (t->ax);
2256 * The peer's ephemeral key has changed: update the symmetrical keys.
2258 * @param t Tunnel this message came on.
2259 * @param msg Key eXchange message.
2262 handle_ephemeral (struct CadetTunnel *t,
2263 const struct GNUNET_CADET_KX_Ephemeral *msg)
2265 LOG (GNUNET_ERROR_TYPE_INFO, "<=== EPHM for %s\n", GCT_2s (t));
2267 if (GNUNET_OK != check_ephemeral (t, msg))
2269 GNUNET_break_op (0);
2273 /* If we get a proper OTR-style ephemeral, fallback to old crypto. */
2277 t->enc_type = CADET_OTR;
2278 if (NULL != t->rekey_task)
2279 GNUNET_SCHEDULER_cancel (t->rekey_task);
2281 rekey_tunnel (t, NULL);
2285 * If the key is different from what we know, derive the new E/D keys.
2286 * Else destroy the rekey ctx (duplicate EPHM after successful KX).
2288 if (0 != memcmp (&t->peers_ephemeral_key, &msg->ephemeral_key,
2289 sizeof (msg->ephemeral_key)))
2291 #if DUMP_KEYS_TO_STDERR
2292 LOG (GNUNET_ERROR_TYPE_INFO, "OLD: %s\n",
2293 GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
2294 LOG (GNUNET_ERROR_TYPE_INFO, "NEW: %s\n",
2295 GNUNET_h2s ((struct GNUNET_HashCode *) &msg->ephemeral_key));
2297 t->peers_ephemeral_key = msg->ephemeral_key;
2301 if (CADET_TUNNEL_KEY_OK == t->estate)
2303 GCT_change_estate (t, CADET_TUNNEL_KEY_REKEY);
2305 if (NULL != t->rekey_task)
2306 GNUNET_SCHEDULER_cancel (t->rekey_task);
2307 t->rekey_task = GNUNET_SCHEDULER_add_now (rekey_tunnel, t);
2309 if (CADET_TUNNEL_KEY_SENT == t->estate)
2311 LOG (GNUNET_ERROR_TYPE_DEBUG, " our key was sent, sending challenge\n");
2313 GCT_change_estate (t, CADET_TUNNEL_KEY_PING);
2316 if (CADET_TUNNEL_KEY_UNINITIALIZED != ntohl(msg->sender_status))
2320 LOG (GNUNET_ERROR_TYPE_DEBUG, " recv nonce e %u\n", msg->nonce);
2321 t_decrypt (t, &nonce, &msg->nonce, ping_encryption_size (), msg->iv);
2322 LOG (GNUNET_ERROR_TYPE_DEBUG, " recv nonce c %u\n", nonce);
2323 send_pong (t, nonce);
2329 * Peer has answer to our challenge.
2330 * If answer is successful, consider the key exchange finished and clean
2331 * up all related state.
2333 * @param t Tunnel this message came on.
2334 * @param msg Key eXchange Pong message.
2337 handle_pong (struct CadetTunnel *t, const struct GNUNET_CADET_KX_Pong *msg)
2341 LOG (GNUNET_ERROR_TYPE_INFO, "<=== PONG for %s\n", GCT_2s (t));
2342 if (NULL == t->rekey_task)
2344 GNUNET_STATISTICS_update (stats, "# duplicate PONG messages", 1, GNUNET_NO);
2347 if (NULL == t->kx_ctx)
2349 GNUNET_STATISTICS_update (stats, "# stray PONG messages", 1, GNUNET_NO);
2353 t_decrypt (t, &challenge, &msg->nonce, sizeof (uint32_t), msg->iv);
2354 if (challenge != t->kx_ctx->challenge)
2356 LOG (GNUNET_ERROR_TYPE_WARNING, "Wrong PONG challenge on %s\n", GCT_2s (t));
2357 LOG (GNUNET_ERROR_TYPE_DEBUG, "PONG: %u (e: %u). Expected: %u.\n",
2358 challenge, msg->nonce, t->kx_ctx->challenge);
2362 GNUNET_SCHEDULER_cancel (t->rekey_task);
2363 t->rekey_task = NULL;
2365 /* Don't free the old keys right away, but after a delay.
2366 * Rationale: the KX could have happened over a very fast connection,
2367 * with payload traffic still signed with the old key stuck in a slower
2369 * Don't keep the keys longer than 1/4 the rekey period, and no longer than
2373 GCT_change_estate (t, CADET_TUNNEL_KEY_OK);
2378 * Handle Axolotl handshake.
2380 * @param t Tunnel this message came on.
2381 * @param msg Key eXchange Pong message.
2384 handle_kx_ax (struct CadetTunnel *t, const struct GNUNET_CADET_AX_KX *msg)
2386 struct CadetTunnelAxolotl *ax;
2387 struct GNUNET_HashCode key_material[3];
2388 struct GNUNET_CRYPTO_SymmetricSessionKey keys[5];
2389 const struct GNUNET_CRYPTO_EcdhePublicKey *pub;
2390 const struct GNUNET_CRYPTO_EcdhePrivateKey *priv;
2391 const char salt[] = "CADET Axolotl salt";
2392 const struct GNUNET_PeerIdentity *pid;
2395 LOG (GNUNET_ERROR_TYPE_INFO, "<=== AX_KX on %s\n", GCT_2s (t));
2399 /* Something is wrong if ax is NULL. Whose fault it is? */
2400 GNUNET_break_op (CADET_OTR == t->enc_type);
2401 GNUNET_break (CADET_Axolotl == t->enc_type);
2405 if (GNUNET_OK != GCP_check_key (t->peer, &msg->permanent_key,
2406 &msg->purpose, &msg->signature))
2408 GNUNET_break_op (0);
2412 pid = GCT_get_destination (t);
2413 if (0 > GNUNET_CRYPTO_cmp_peer_identity (&my_full_id, pid))
2414 am_I_alice = GNUNET_YES;
2415 else if (0 < GNUNET_CRYPTO_cmp_peer_identity (&my_full_id, pid))
2416 am_I_alice = GNUNET_NO;
2419 GNUNET_break_op (0);
2423 LOG (GNUNET_ERROR_TYPE_INFO, " is Alice? %s\n", am_I_alice ? "YES" : "NO");
2426 ax->DHRr = msg->ratchet_key;
2429 if (GNUNET_YES == am_I_alice)
2431 priv = ax_key; /* A */
2432 pub = &msg->ephemeral_key; /* B0 */
2436 priv = ax->kx_0; /* B0 */
2437 pub = &msg->permanent_key; /* A */
2439 GNUNET_CRYPTO_ecc_ecdh (priv, pub, &key_material[0]);
2442 if (GNUNET_YES == am_I_alice)
2444 priv = ax->kx_0; /* A0 */
2445 pub = &msg->permanent_key; /* B */
2449 priv = ax_key; /* B */
2450 pub = &msg->ephemeral_key; /* A0 */
2452 GNUNET_CRYPTO_ecc_ecdh (priv, pub, &key_material[1]);
2455 priv = ax->kx_0; /* A0 or B0 */
2456 pub = &msg->ephemeral_key; /* B0 or A0 */
2457 GNUNET_CRYPTO_ecc_ecdh (priv, pub, &key_material[2]);
2459 #if DUMP_KEYS_TO_STDERR
2462 for (i = 0; i < 3; i++)
2463 LOG (GNUNET_ERROR_TYPE_INFO, "km[%u]: %s\n",
2464 i, GNUNET_h2s (&key_material[i]));
2469 GNUNET_CRYPTO_kdf (keys, sizeof (keys),
2470 salt, sizeof (salt),
2471 &key_material, sizeof (key_material), NULL);
2474 if (GNUNET_YES == am_I_alice)
2480 ax->ratchet_flag = GNUNET_YES;
2488 ax->ratchet_flag = GNUNET_NO;
2494 * Demultiplex by message type and call appropriate handler for a message
2495 * towards a channel of a local tunnel.
2497 * @param t Tunnel this message came on.
2498 * @param msgh Message header.
2499 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
2500 * #GNUNET_YES if message is FWD on the respective channel (loopback)
2501 * #GNUNET_NO if message is BCK on the respective channel (loopback)
2502 * #GNUNET_SYSERR if message on a one-ended channel (remote)
2505 handle_decrypted (struct CadetTunnel *t,
2506 const struct GNUNET_MessageHeader *msgh,
2511 type = ntohs (msgh->type);
2512 LOG (GNUNET_ERROR_TYPE_INFO, "<=== %s on %s\n", GC_m2s (type), GCT_2s (t));
2516 case GNUNET_MESSAGE_TYPE_CADET_KEEPALIVE:
2517 /* Do nothing, connection aleady got updated. */
2518 GNUNET_STATISTICS_update (stats, "# keepalives received", 1, GNUNET_NO);
2521 case GNUNET_MESSAGE_TYPE_CADET_DATA:
2522 /* Don't send hop ACK, wait for client to ACK */
2523 handle_data (t, (struct GNUNET_CADET_Data *) msgh, fwd);
2526 case GNUNET_MESSAGE_TYPE_CADET_DATA_ACK:
2527 handle_data_ack (t, (struct GNUNET_CADET_DataACK *) msgh, fwd);
2530 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_CREATE:
2531 handle_ch_create (t, (struct GNUNET_CADET_ChannelCreate *) msgh);
2534 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_NACK:
2535 handle_ch_nack (t, (struct GNUNET_CADET_ChannelManage *) msgh);
2538 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_ACK:
2539 handle_ch_ack (t, (struct GNUNET_CADET_ChannelManage *) msgh, fwd);
2542 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY:
2543 handle_ch_destroy (t, (struct GNUNET_CADET_ChannelManage *) msgh, fwd);
2547 GNUNET_break_op (0);
2548 LOG (GNUNET_ERROR_TYPE_WARNING,
2549 "end-to-end message not known (%u)\n",
2550 ntohs (msgh->type));
2551 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
2555 /******************************************************************************/
2556 /******************************** API ***********************************/
2557 /******************************************************************************/
2559 * Decrypt old format and demultiplex by message type. Call appropriate handler
2560 * for a message towards a channel of a local tunnel.
2562 * @param t Tunnel this message came on.
2563 * @param msg Message header.
2566 GCT_handle_encrypted (struct CadetTunnel *t,
2567 const struct GNUNET_MessageHeader *msg)
2569 size_t size = ntohs (msg->size);
2570 size_t payload_size;
2573 uint16_t type = ntohs (msg->type);
2574 struct GNUNET_MessageHeader *msgh;
2577 if (GNUNET_MESSAGE_TYPE_CADET_ENCRYPTED == type)
2579 const struct GNUNET_CADET_Encrypted *emsg;
2581 emsg = (struct GNUNET_CADET_Encrypted *) msg;
2582 payload_size = size - sizeof (struct GNUNET_CADET_Encrypted);
2583 decrypted_size = t_decrypt_and_validate (t, cbuf, &emsg[1], payload_size,
2584 emsg->iv, &emsg->hmac);
2586 else if (GNUNET_MESSAGE_TYPE_CADET_AX == type)
2588 const struct GNUNET_CADET_AX *emsg;
2590 emsg = (struct GNUNET_CADET_AX *) msg;
2591 payload_size = size - sizeof (struct GNUNET_CADET_AX);
2592 decrypted_size = t_ax_decrypt_and_validate (t, cbuf, &emsg[1],
2593 payload_size, &emsg->hmac);
2596 if (-1 == decrypted_size)
2598 GNUNET_break_op (0);
2603 while (off < decrypted_size)
2607 msgh = (struct GNUNET_MessageHeader *) &cbuf[off];
2608 msize = ntohs (msgh->size);
2609 if (msize < sizeof (struct GNUNET_MessageHeader))
2611 GNUNET_break_op (0);
2614 handle_decrypted (t, msgh, GNUNET_SYSERR);
2621 * Demultiplex an encapsulated KX message by message type.
2623 * @param t Tunnel on which the message came.
2624 * @param message Payload of KX message.
2627 GCT_handle_kx (struct CadetTunnel *t,
2628 const struct GNUNET_MessageHeader *message)
2632 type = ntohs (message->type);
2633 LOG (GNUNET_ERROR_TYPE_DEBUG, "kx message received: %s\n", GC_m2s (type));
2636 case GNUNET_MESSAGE_TYPE_CADET_KX_EPHEMERAL:
2637 handle_ephemeral (t, (const struct GNUNET_CADET_KX_Ephemeral *) message);
2640 case GNUNET_MESSAGE_TYPE_CADET_KX_PONG:
2641 handle_pong (t, (const struct GNUNET_CADET_KX_Pong *) message);
2644 case GNUNET_MESSAGE_TYPE_CADET_AX_KX:
2645 handle_kx_ax (t, (const struct GNUNET_CADET_AX_KX *) message);
2649 GNUNET_break_op (0);
2650 LOG (GNUNET_ERROR_TYPE_WARNING, "kx message %s unknown\n", GC_m2s (type));
2655 * Initialize the tunnel subsystem.
2657 * @param c Configuration handle.
2658 * @param key ECC private key, to derive all other keys and do crypto.
2661 GCT_init (const struct GNUNET_CONFIGURATION_Handle *c,
2662 const struct GNUNET_CRYPTO_EddsaPrivateKey *key)
2664 int expected_overhead;
2666 LOG (GNUNET_ERROR_TYPE_DEBUG, "init\n");
2668 expected_overhead = 0;
2669 expected_overhead += sizeof (struct GNUNET_CADET_Encrypted);
2670 expected_overhead += sizeof (struct GNUNET_CADET_Data);
2671 expected_overhead += sizeof (struct GNUNET_CADET_ACK);
2672 GNUNET_assert (GNUNET_CONSTANTS_CADET_P2P_OVERHEAD == expected_overhead);
2675 GNUNET_CONFIGURATION_get_value_number (c, "CADET", "DEFAULT_TTL",
2678 GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_WARNING,
2679 "CADET", "DEFAULT_TTL", "USING DEFAULT");
2683 GNUNET_CONFIGURATION_get_value_time (c, "CADET", "REKEY_PERIOD",
2686 rekey_period = GNUNET_TIME_UNIT_DAYS;
2691 otr_kx_msg.header.size = htons (sizeof (otr_kx_msg));
2692 otr_kx_msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_KX_EPHEMERAL);
2693 otr_kx_msg.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CADET_KX);
2694 otr_kx_msg.purpose.size = htonl (ephemeral_purpose_size ());
2695 otr_kx_msg.origin_identity = my_full_id;
2696 rekey_task = GNUNET_SCHEDULER_add_now (&global_otr_rekey, NULL);
2698 ax_key = GNUNET_CRYPTO_ecdhe_key_create ();
2699 GNUNET_CRYPTO_ecdhe_key_get_public (ax_key, &ax_identity.permanent_key);
2700 ax_identity.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CADET_AXKX);
2701 ax_identity.purpose.size = htonl (ax_purpose_size ());
2702 GNUNET_assert (GNUNET_OK ==
2703 GNUNET_CRYPTO_eddsa_sign (id_key,
2704 &ax_identity.purpose,
2705 &ax_identity.signature));
2707 tunnels = GNUNET_CONTAINER_multipeermap_create (128, GNUNET_YES);
2712 * Shut down the tunnel subsystem.
2717 if (NULL != rekey_task)
2719 GNUNET_SCHEDULER_cancel (rekey_task);
2722 GNUNET_CONTAINER_multipeermap_iterate (tunnels, &destroy_iterator, NULL);
2723 GNUNET_CONTAINER_multipeermap_destroy (tunnels);
2724 GNUNET_free (ax_key);
2731 * @param destination Peer this tunnel is towards.
2733 struct CadetTunnel *
2734 GCT_new (struct CadetPeer *destination)
2736 struct CadetTunnel *t;
2738 t = GNUNET_new (struct CadetTunnel);
2740 t->peer = destination;
2743 GNUNET_CONTAINER_multipeermap_put (tunnels, GCP_get_id (destination), t,
2744 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_FAST))
2750 t->ax = GNUNET_new (struct CadetTunnelAxolotl);
2752 t->ax->kx_0 = GNUNET_CRYPTO_ecdhe_key_create ();
2758 * Change the tunnel's connection state.
2760 * @param t Tunnel whose connection state to change.
2761 * @param cstate New connection state.
2764 GCT_change_cstate (struct CadetTunnel* t, enum CadetTunnelCState cstate)
2768 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s cstate %s => %s\n",
2769 GCP_2s (t->peer), cstate2s (t->cstate), cstate2s (cstate));
2770 if (myid != GCP_get_short_id (t->peer) &&
2771 CADET_TUNNEL_READY != t->cstate &&
2772 CADET_TUNNEL_READY == cstate)
2775 if (CADET_TUNNEL_KEY_OK == t->estate)
2777 LOG (GNUNET_ERROR_TYPE_DEBUG, " cstate triggered send queued data\n");
2778 send_queued_data (t);
2780 else if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
2782 LOG (GNUNET_ERROR_TYPE_DEBUG, " cstate triggered kx\n");
2787 LOG (GNUNET_ERROR_TYPE_DEBUG, "estate %s\n", estate2s (t->estate));
2792 if (CADET_TUNNEL_READY == cstate
2793 && CONNECTIONS_PER_TUNNEL <= GCT_count_connections (t))
2795 LOG (GNUNET_ERROR_TYPE_DEBUG, " cstate triggered stop dht\n");
2796 GCP_stop_search (t->peer);
2802 * Change the tunnel encryption state.
2804 * @param t Tunnel whose encryption state to change, or NULL.
2805 * @param state New encryption state.
2808 GCT_change_estate (struct CadetTunnel* t, enum CadetTunnelEState state)
2810 enum CadetTunnelEState old;
2817 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s estate was %s\n",
2818 GCP_2s (t->peer), estate2s (old));
2819 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s estate is now %s\n",
2820 GCP_2s (t->peer), estate2s (t->estate));
2822 /* Send queued data if enc state changes to OK */
2823 if (myid != GCP_get_short_id (t->peer) &&
2824 CADET_TUNNEL_KEY_OK != old && CADET_TUNNEL_KEY_OK == t->estate)
2826 send_queued_data (t);
2832 * @brief Check if tunnel has too many connections, and remove one if necessary.
2834 * Currently this means the newest connection, unless it is a direct one.
2835 * Implemented as a task to avoid freeing a connection that is in the middle
2836 * of being created/processed.
2838 * @param cls Closure (Tunnel to check).
2839 * @param tc Task context.
2842 trim_connections (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
2844 struct CadetTunnel *t = cls;
2846 t->trim_connections_task = NULL;
2848 if (0 != (tc->reason & GNUNET_SCHEDULER_REASON_SHUTDOWN))
2851 if (GCT_count_connections (t) > 2 * CONNECTIONS_PER_TUNNEL)
2853 struct CadetTConnection *iter;
2854 struct CadetTConnection *c;
2856 for (c = iter = t->connection_head; NULL != iter; iter = iter->next)
2858 if ((iter->created.abs_value_us > c->created.abs_value_us)
2859 && GNUNET_NO == GCC_is_direct (iter->c))
2866 LOG (GNUNET_ERROR_TYPE_DEBUG, "Too many connections on tunnel %s\n",
2868 LOG (GNUNET_ERROR_TYPE_DEBUG, "Destroying connection %s\n",
2881 * Add a connection to a tunnel.
2884 * @param c Connection.
2887 GCT_add_connection (struct CadetTunnel *t, struct CadetConnection *c)
2889 struct CadetTConnection *aux;
2891 GNUNET_assert (NULL != c);
2893 LOG (GNUNET_ERROR_TYPE_DEBUG, "add connection %s\n", GCC_2s (c));
2894 LOG (GNUNET_ERROR_TYPE_DEBUG, " to tunnel %s\n", GCT_2s (t));
2895 for (aux = t->connection_head; aux != NULL; aux = aux->next)
2899 aux = GNUNET_new (struct CadetTConnection);
2901 aux->created = GNUNET_TIME_absolute_get ();
2903 GNUNET_CONTAINER_DLL_insert (t->connection_head, t->connection_tail, aux);
2905 if (CADET_TUNNEL_SEARCHING == t->cstate)
2906 GCT_change_cstate (t, CADET_TUNNEL_WAITING);
2908 if (NULL != t->trim_connections_task)
2909 t->trim_connections_task = GNUNET_SCHEDULER_add_now (&trim_connections, t);
2914 * Remove a connection from a tunnel.
2917 * @param c Connection.
2920 GCT_remove_connection (struct CadetTunnel *t,
2921 struct CadetConnection *c)
2923 struct CadetTConnection *aux;
2924 struct CadetTConnection *next;
2927 LOG (GNUNET_ERROR_TYPE_DEBUG, "Removing connection %s from tunnel %s\n",
2928 GCC_2s (c), GCT_2s (t));
2929 for (aux = t->connection_head; aux != NULL; aux = next)
2934 GNUNET_CONTAINER_DLL_remove (t->connection_head, t->connection_tail, aux);
2939 conns = GCT_count_connections (t);
2941 && NULL == t->destroy_task
2942 && CADET_TUNNEL_SHUTDOWN != t->cstate
2943 && GNUNET_NO == shutting_down)
2945 if (0 == GCT_count_any_connections (t))
2946 GCT_change_cstate (t, CADET_TUNNEL_SEARCHING);
2948 GCT_change_cstate (t, CADET_TUNNEL_WAITING);
2951 /* Start new connections if needed */
2952 if (CONNECTIONS_PER_TUNNEL > conns
2953 && NULL == t->destroy_task
2954 && CADET_TUNNEL_SHUTDOWN != t->cstate
2955 && GNUNET_NO == shutting_down)
2957 LOG (GNUNET_ERROR_TYPE_DEBUG, " too few connections, getting new ones\n");
2958 GCP_connect (t->peer); /* Will change cstate to WAITING when possible */
2962 /* If not marked as ready, no change is needed */
2963 if (CADET_TUNNEL_READY != t->cstate)
2966 /* Check if any connection is ready to maintain cstate */
2967 for (aux = t->connection_head; aux != NULL; aux = aux->next)
2968 if (CADET_CONNECTION_READY == GCC_get_state (aux->c))
2974 * Add a channel to a tunnel.
2977 * @param ch Channel.
2980 GCT_add_channel (struct CadetTunnel *t, struct CadetChannel *ch)
2982 struct CadetTChannel *aux;
2984 GNUNET_assert (NULL != ch);
2986 LOG (GNUNET_ERROR_TYPE_DEBUG, "Adding channel %p to tunnel %p\n", ch, t);
2988 for (aux = t->channel_head; aux != NULL; aux = aux->next)
2990 LOG (GNUNET_ERROR_TYPE_DEBUG, " already there %p\n", aux->ch);
2995 aux = GNUNET_new (struct CadetTChannel);
2997 LOG (GNUNET_ERROR_TYPE_DEBUG, " adding %p to %p\n", aux, t->channel_head);
2998 GNUNET_CONTAINER_DLL_insert_tail (t->channel_head, t->channel_tail, aux);
3000 if (NULL != t->destroy_task)
3002 GNUNET_SCHEDULER_cancel (t->destroy_task);
3003 t->destroy_task = NULL;
3004 LOG (GNUNET_ERROR_TYPE_DEBUG, " undo destroy!\n");
3010 * Remove a channel from a tunnel.
3013 * @param ch Channel.
3016 GCT_remove_channel (struct CadetTunnel *t, struct CadetChannel *ch)
3018 struct CadetTChannel *aux;
3020 LOG (GNUNET_ERROR_TYPE_DEBUG, "Removing channel %p from tunnel %p\n", ch, t);
3021 for (aux = t->channel_head; aux != NULL; aux = aux->next)
3025 LOG (GNUNET_ERROR_TYPE_DEBUG, " found! %s\n", GCCH_2s (ch));
3026 GNUNET_CONTAINER_DLL_remove (t->channel_head, t->channel_tail, aux);
3035 * Search for a channel by global ID.
3037 * @param t Tunnel containing the channel.
3038 * @param chid Public channel number.
3040 * @return channel handler, NULL if doesn't exist
3042 struct CadetChannel *
3043 GCT_get_channel (struct CadetTunnel *t, CADET_ChannelNumber chid)
3045 struct CadetTChannel *iter;
3050 for (iter = t->channel_head; NULL != iter; iter = iter->next)
3052 if (GCCH_get_id (iter->ch) == chid)
3056 return NULL == iter ? NULL : iter->ch;
3061 * @brief Destroy a tunnel and free all resources.
3063 * Should only be called a while after the tunnel has been marked as destroyed,
3064 * in case there is a new channel added to the same peer shortly after marking
3065 * the tunnel. This way we avoid a new public key handshake.
3067 * @param cls Closure (tunnel to destroy).
3068 * @param tc Task context.
3071 delayed_destroy (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
3073 struct CadetTunnel *t = cls;
3074 struct CadetTConnection *iter;
3076 LOG (GNUNET_ERROR_TYPE_DEBUG, "delayed destroying tunnel %p\n", t);
3077 if (0 != (GNUNET_SCHEDULER_REASON_SHUTDOWN & tc->reason))
3079 LOG (GNUNET_ERROR_TYPE_WARNING,
3080 "Not destroying tunnel, due to shutdown. "
3081 "Tunnel at %p should have been freed by GCT_shutdown\n", t);
3084 t->destroy_task = NULL;
3085 t->cstate = CADET_TUNNEL_SHUTDOWN;
3087 for (iter = t->connection_head; NULL != iter; iter = iter->next)
3089 GCC_send_destroy (iter->c);
3096 * Tunnel is empty: destroy it.
3098 * Notifies all connections about the destruction.
3100 * @param t Tunnel to destroy.
3103 GCT_destroy_empty (struct CadetTunnel *t)
3105 if (GNUNET_YES == shutting_down)
3106 return; /* Will be destroyed immediately anyway */
3108 if (NULL != t->destroy_task)
3110 LOG (GNUNET_ERROR_TYPE_WARNING,
3111 "Tunnel %s is already scheduled for destruction. Tunnel debug dump:\n",
3113 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
3115 /* should never happen, tunnel can only become empty once, and the
3116 * task identifier should be NO_TASK (cleaned when the tunnel was created
3117 * or became un-empty)
3122 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s empty: scheduling destruction\n",
3125 // FIXME make delay a config option
3126 t->destroy_task = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_MINUTES,
3127 &delayed_destroy, t);
3128 LOG (GNUNET_ERROR_TYPE_DEBUG, "Scheduled destroy of %p as %llu\n",
3129 t, t->destroy_task);
3134 * Destroy tunnel if empty (no more channels).
3136 * @param t Tunnel to destroy if empty.
3139 GCT_destroy_if_empty (struct CadetTunnel *t)
3141 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s destroy if empty\n", GCT_2s (t));
3142 if (0 < GCT_count_channels (t))
3145 GCT_destroy_empty (t);
3150 * Destroy the tunnel.
3152 * This function does not generate any warning traffic to clients or peers.
3155 * Cancel messages belonging to this tunnel queued to neighbors.
3156 * Free any allocated resources linked to the tunnel.
3158 * @param t The tunnel to destroy.
3161 GCT_destroy (struct CadetTunnel *t)
3163 struct CadetTConnection *iter_c;
3164 struct CadetTConnection *next_c;
3165 struct CadetTChannel *iter_ch;
3166 struct CadetTChannel *next_ch;
3171 LOG (GNUNET_ERROR_TYPE_DEBUG, "destroying tunnel %s\n", GCP_2s (t->peer));
3173 GNUNET_break (GNUNET_YES ==
3174 GNUNET_CONTAINER_multipeermap_remove (tunnels,
3175 GCP_get_id (t->peer), t));
3177 for (iter_c = t->connection_head; NULL != iter_c; iter_c = next_c)
3179 next_c = iter_c->next;
3180 GCC_destroy (iter_c->c);
3182 for (iter_ch = t->channel_head; NULL != iter_ch; iter_ch = next_ch)
3184 next_ch = iter_ch->next;
3185 GCCH_destroy (iter_ch->ch);
3186 /* Should only happen on shutdown, but it's ok. */
3189 if (NULL != t->destroy_task)
3191 LOG (GNUNET_ERROR_TYPE_DEBUG, "cancelling dest: %llX\n", t->destroy_task);
3192 GNUNET_SCHEDULER_cancel (t->destroy_task);
3193 t->destroy_task = NULL;
3196 if (NULL != t->trim_connections_task)
3198 LOG (GNUNET_ERROR_TYPE_DEBUG, "cancelling trim: %llX\n",
3199 t->trim_connections_task);
3200 GNUNET_SCHEDULER_cancel (t->trim_connections_task);
3201 t->trim_connections_task = NULL;
3204 GNUNET_STATISTICS_update (stats, "# tunnels", -1, GNUNET_NO);
3205 GCP_set_tunnel (t->peer, NULL);
3207 if (NULL != t->rekey_task)
3209 GNUNET_SCHEDULER_cancel (t->rekey_task);
3210 t->rekey_task = NULL;
3212 if (NULL != t->kx_ctx)
3214 if (NULL != t->kx_ctx->finish_task)
3215 GNUNET_SCHEDULER_cancel (t->kx_ctx->finish_task);
3216 GNUNET_free (t->kx_ctx);
3227 * @brief Use the given path for the tunnel.
3228 * Update the next and prev hops (and RCs).
3229 * (Re)start the path refresh in case the tunnel is locally owned.
3231 * @param t Tunnel to update.
3232 * @param p Path to use.
3234 * @return Connection created.
3236 struct CadetConnection *
3237 GCT_use_path (struct CadetTunnel *t, struct CadetPeerPath *p)
3239 struct CadetConnection *c;
3240 struct GNUNET_CADET_Hash cid;
3241 unsigned int own_pos;
3243 if (NULL == t || NULL == p)
3249 if (CADET_TUNNEL_SHUTDOWN == t->cstate)
3255 for (own_pos = 0; own_pos < p->length; own_pos++)
3257 if (p->peers[own_pos] == myid)
3260 if (own_pos >= p->length)
3262 GNUNET_break_op (0);
3266 GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE, &cid, sizeof (cid));
3267 c = GCC_new (&cid, t, p, own_pos);
3270 /* Path was flawed */
3273 GCT_add_connection (t, c);
3279 * Count all created connections of a tunnel. Not necessarily ready connections!
3281 * @param t Tunnel on which to count.
3283 * @return Number of connections created, either being established or ready.
3286 GCT_count_any_connections (struct CadetTunnel *t)
3288 struct CadetTConnection *iter;
3294 for (count = 0, iter = t->connection_head; NULL != iter; iter = iter->next)
3302 * Count established (ready) connections of a tunnel.
3304 * @param t Tunnel on which to count.
3306 * @return Number of connections.
3309 GCT_count_connections (struct CadetTunnel *t)
3311 struct CadetTConnection *iter;
3317 for (count = 0, iter = t->connection_head; NULL != iter; iter = iter->next)
3318 if (CADET_CONNECTION_READY == GCC_get_state (iter->c))
3326 * Count channels of a tunnel.
3328 * @param t Tunnel on which to count.
3330 * @return Number of channels.
3333 GCT_count_channels (struct CadetTunnel *t)
3335 struct CadetTChannel *iter;
3338 for (count = 0, iter = t->channel_head;
3340 iter = iter->next, count++) /* skip */;
3347 * Get the connectivity state of a tunnel.
3351 * @return Tunnel's connectivity state.
3353 enum CadetTunnelCState
3354 GCT_get_cstate (struct CadetTunnel *t)
3359 return (enum CadetTunnelCState) -1;
3366 * Get the encryption state of a tunnel.
3370 * @return Tunnel's encryption state.
3372 enum CadetTunnelEState
3373 GCT_get_estate (struct CadetTunnel *t)
3378 return (enum CadetTunnelEState) -1;
3384 * Get the maximum buffer space for a tunnel towards a local client.
3388 * @return Biggest buffer space offered by any channel in the tunnel.
3391 GCT_get_channels_buffer (struct CadetTunnel *t)
3393 struct CadetTChannel *iter;
3394 unsigned int buffer;
3395 unsigned int ch_buf;
3397 if (NULL == t->channel_head)
3399 /* Probably getting buffer for a channel create/handshake. */
3400 LOG (GNUNET_ERROR_TYPE_DEBUG, " no channels, allow max\n");
3405 for (iter = t->channel_head; NULL != iter; iter = iter->next)
3407 ch_buf = get_channel_buffer (iter);
3408 if (ch_buf > buffer)
3416 * Get the total buffer space for a tunnel for P2P traffic.
3420 * @return Buffer space offered by all connections in the tunnel.
3423 GCT_get_connections_buffer (struct CadetTunnel *t)
3425 struct CadetTConnection *iter;
3426 unsigned int buffer;
3428 if (GNUNET_NO == is_ready (t))
3430 if (count_queued_data (t) > 3)
3437 for (iter = t->connection_head; NULL != iter; iter = iter->next)
3439 if (GCC_get_state (iter->c) != CADET_CONNECTION_READY)
3443 buffer += get_connection_buffer (iter);
3451 * Get the tunnel's destination.
3455 * @return ID of the destination peer.
3457 const struct GNUNET_PeerIdentity *
3458 GCT_get_destination (struct CadetTunnel *t)
3460 return GCP_get_id (t->peer);
3465 * Get the tunnel's next free global channel ID.
3469 * @return GID of a channel free to use.
3472 GCT_get_next_chid (struct CadetTunnel *t)
3474 CADET_ChannelNumber chid;
3475 CADET_ChannelNumber mask;
3478 /* Set bit 30 depending on the ID relationship. Bit 31 is always 0 for GID.
3479 * If our ID is bigger or loopback tunnel, start at 0, bit 30 = 0
3480 * If peer's ID is bigger, start at 0x4... bit 30 = 1
3482 result = GNUNET_CRYPTO_cmp_peer_identity (&my_full_id, GCP_get_id (t->peer));
3487 t->next_chid |= mask;
3489 while (NULL != GCT_get_channel (t, t->next_chid))
3491 LOG (GNUNET_ERROR_TYPE_DEBUG, "Channel %u exists...\n", t->next_chid);
3492 t->next_chid = (t->next_chid + 1) & ~GNUNET_CADET_LOCAL_CHANNEL_ID_CLI;
3493 t->next_chid |= mask;
3495 chid = t->next_chid;
3496 t->next_chid = (t->next_chid + 1) & ~GNUNET_CADET_LOCAL_CHANNEL_ID_CLI;
3497 t->next_chid |= mask;
3504 * Send ACK on one or more channels due to buffer in connections.
3506 * @param t Channel which has some free buffer space.
3509 GCT_unchoke_channels (struct CadetTunnel *t)
3511 struct CadetTChannel *iter;
3512 unsigned int buffer;
3513 unsigned int channels = GCT_count_channels (t);
3514 unsigned int choked_n;
3515 struct CadetChannel *choked[channels];
3517 LOG (GNUNET_ERROR_TYPE_DEBUG, "GCT_unchoke_channels on %s\n", GCT_2s (t));
3518 LOG (GNUNET_ERROR_TYPE_DEBUG, " head: %p\n", t->channel_head);
3519 if (NULL != t->channel_head)
3520 LOG (GNUNET_ERROR_TYPE_DEBUG, " head ch: %p\n", t->channel_head->ch);
3522 /* Get buffer space */
3523 buffer = GCT_get_connections_buffer (t);
3529 /* Count and remember choked channels */
3531 for (iter = t->channel_head; NULL != iter; iter = iter->next)
3533 if (GNUNET_NO == get_channel_allowed (iter))
3535 choked[choked_n++] = iter->ch;
3539 /* Unchoke random channels */
3540 while (0 < buffer && 0 < choked_n)
3542 unsigned int r = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK,
3544 GCCH_allow_client (choked[r], GCCH_is_origin (choked[r], GNUNET_YES));
3547 choked[r] = choked[choked_n];
3553 * Send ACK on one or more connections due to buffer space to the client.
3555 * Iterates all connections of the tunnel and sends ACKs appropriately.
3560 GCT_send_connection_acks (struct CadetTunnel *t)
3562 struct CadetTConnection *iter;
3565 uint32_t allow_per_connection;
3567 unsigned int buffer;
3569 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel send connection ACKs on %s\n",
3578 if (CADET_TUNNEL_READY != t->cstate)
3581 buffer = GCT_get_channels_buffer (t);
3582 LOG (GNUNET_ERROR_TYPE_DEBUG, " buffer %u\n", buffer);
3584 /* Count connections, how many messages are already allowed */
3585 cs = GCT_count_connections (t);
3586 for (allowed = 0, iter = t->connection_head; NULL != iter; iter = iter->next)
3588 allowed += get_connection_allowed (iter);
3590 LOG (GNUNET_ERROR_TYPE_DEBUG, " allowed %u\n", allowed);
3592 /* Make sure there is no overflow */
3593 if (allowed > buffer)
3596 /* Authorize connections to send more data */
3597 to_allow = buffer - allowed;
3599 for (iter = t->connection_head;
3600 NULL != iter && to_allow > 0;
3603 if (CADET_CONNECTION_READY != GCC_get_state (iter->c)
3604 || get_connection_allowed (iter) > 64 / 3)
3608 allow_per_connection = to_allow/cs;
3609 to_allow -= allow_per_connection;
3611 GCC_allow (iter->c, allow_per_connection,
3612 GCC_is_origin (iter->c, GNUNET_NO));
3617 /* Since we don't allow if it's allowed to send 64/3, this can happen. */
3618 LOG (GNUNET_ERROR_TYPE_DEBUG, " reminding to_allow: %u\n", to_allow);
3624 * Cancel a previously sent message while it's in the queue.
3626 * ONLY can be called before the continuation given to the send function
3627 * is called. Once the continuation is called, the message is no longer in the
3630 * @param q Handle to the queue.
3633 GCT_cancel (struct CadetTunnelQueue *q)
3638 /* tun_message_sent() will be called and free q */
3640 else if (NULL != q->tqd)
3642 unqueue_data (q->tqd);
3644 if (NULL != q->cont)
3645 q->cont (q->cont_cls, NULL, q, 0, 0);
3656 * Sends an already built message on a tunnel, encrypting it and
3657 * choosing the best connection if not provided.
3659 * @param message Message to send. Function modifies it.
3660 * @param t Tunnel on which this message is transmitted.
3661 * @param c Connection to use (autoselect if NULL).
3662 * @param force Force the tunnel to take the message (buffer overfill).
3663 * @param cont Continuation to call once message is really sent.
3664 * @param cont_cls Closure for @c cont.
3666 * @return Handle to cancel message. NULL if @c cont is NULL.
3668 struct CadetTunnelQueue *
3669 GCT_send_prebuilt_message (const struct GNUNET_MessageHeader *message,
3670 struct CadetTunnel *t, struct CadetConnection *c,
3671 int force, GCT_sent cont, void *cont_cls)
3673 return send_prebuilt_message (message, t, c, force, cont, cont_cls, NULL);
3678 * Send an Axolotl KX message.
3680 * @param t Tunnel on which to send it.
3683 GCT_send_ax_kx (struct CadetTunnel *t)
3685 struct GNUNET_CADET_AX_KX msg;
3687 LOG (GNUNET_ERROR_TYPE_INFO, "===> AX_KX for %s\n", GCT_2s (t));
3689 msg.header.size = htons (sizeof (msg));
3690 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_AX_KX);
3691 msg.permanent_key = ax_identity.permanent_key;
3692 msg.purpose = ax_identity.purpose;
3693 msg.signature = ax_identity.signature;
3694 GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->kx_0, &msg.ephemeral_key);
3695 GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->DHRs, &msg.ratchet_key);
3697 t->ephm_h = send_kx (t, &msg.header);
3702 * Sends an already built and encrypted message on a tunnel, choosing the best
3703 * connection. Useful for re-queueing messages queued on a destroyed connection.
3705 * @param message Message to send. Function modifies it.
3706 * @param t Tunnel on which this message is transmitted.
3709 GCT_resend_message (const struct GNUNET_MessageHeader *message,
3710 struct CadetTunnel *t)
3712 struct CadetConnection *c;
3715 c = tunnel_get_connection (t);
3718 /* TODO queue in tunnel, marked as encrypted */
3719 LOG (GNUNET_ERROR_TYPE_DEBUG, "No connection available, dropping.\n");
3722 fwd = GCC_is_origin (c, GNUNET_YES);
3723 GNUNET_break (NULL == GCC_send_prebuilt_message (message, 0, 0, c, fwd,
3724 GNUNET_YES, NULL, NULL));
3729 * Is the tunnel directed towards the local peer?
3733 * @return #GNUNET_YES if it is loopback.
3736 GCT_is_loopback (const struct CadetTunnel *t)
3738 return (myid == GCP_get_short_id (t->peer));
3743 * Is the tunnel this path already?
3748 * @return #GNUNET_YES a connection uses this path.
3751 GCT_is_path_used (const struct CadetTunnel *t, const struct CadetPeerPath *p)
3753 struct CadetTConnection *iter;
3755 for (iter = t->connection_head; NULL != iter; iter = iter->next)
3756 if (path_equivalent (GCC_get_path (iter->c), p))
3764 * Get a cost of a path for a tunnel considering existing connections.
3767 * @param path Candidate path.
3769 * @return Cost of the path (path length + number of overlapping nodes)
3772 GCT_get_path_cost (const struct CadetTunnel *t,
3773 const struct CadetPeerPath *path)
3775 struct CadetTConnection *iter;
3776 const struct CadetPeerPath *aux;
3777 unsigned int overlap;
3785 GNUNET_assert (NULL != t);
3787 for (i = 0; i < path->length; i++)
3789 for (iter = t->connection_head; NULL != iter; iter = iter->next)
3791 aux = GCC_get_path (iter->c);
3795 for (j = 0; j < aux->length; j++)
3797 if (path->peers[i] == aux->peers[j])
3805 return path->length + overlap;
3810 * Get the static string for the peer this tunnel is directed.
3814 * @return Static string the destination peer's ID.
3817 GCT_2s (const struct CadetTunnel *t)
3822 return GCP_2s (t->peer);
3826 /******************************************************************************/
3827 /***************************** INFO/DEBUG *******************************/
3828 /******************************************************************************/
3831 * Log all possible info about the tunnel state.
3833 * @param t Tunnel to debug.
3834 * @param level Debug level to use.
3837 GCT_debug (const struct CadetTunnel *t, enum GNUNET_ErrorType level)
3839 struct CadetTChannel *iterch;
3840 struct CadetTConnection *iterc;
3843 do_log = GNUNET_get_log_call_status (level & (~GNUNET_ERROR_TYPE_BULK),
3845 __FILE__, __FUNCTION__, __LINE__);
3849 LOG2 (level, "TTT DEBUG TUNNEL TOWARDS %s\n", GCT_2s (t));
3850 LOG2 (level, "TTT cstate %s, estate %s\n",
3851 cstate2s (t->cstate), estate2s (t->estate));
3852 LOG2 (level, "TTT kx_ctx %p, rekey_task %u, finish task %u\n",
3853 t->kx_ctx, t->rekey_task, t->kx_ctx ? t->kx_ctx->finish_task : 0);
3854 #if DUMP_KEYS_TO_STDERR
3855 LOG2 (level, "TTT my EPHM\t %s\n",
3856 GNUNET_h2s ((struct GNUNET_HashCode *) &otr_kx_msg.ephemeral_key));
3857 LOG2 (level, "TTT peers EPHM:\t %s\n",
3858 GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
3859 LOG2 (level, "TTT ENC key:\t %s\n",
3860 GNUNET_h2s ((struct GNUNET_HashCode *) &t->e_key));
3861 LOG2 (level, "TTT DEC key:\t %s\n",
3862 GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
3865 LOG2 (level, "TTT OLD ENC key:\t %s\n",
3866 GNUNET_h2s ((struct GNUNET_HashCode *) &t->kx_ctx->e_key_old));
3867 LOG2 (level, "TTT OLD DEC key:\t %s\n",
3868 GNUNET_h2s ((struct GNUNET_HashCode *) &t->kx_ctx->d_key_old));
3871 LOG2 (level, "TTT tq_head %p, tq_tail %p\n", t->tq_head, t->tq_tail);
3872 LOG2 (level, "TTT destroy %u\n", t->destroy_task);
3874 LOG2 (level, "TTT channels:\n");
3875 for (iterch = t->channel_head; NULL != iterch; iterch = iterch->next)
3877 LOG2 (level, "TTT - %s\n", GCCH_2s (iterch->ch));
3880 LOG2 (level, "TTT connections:\n");
3881 for (iterc = t->connection_head; NULL != iterc; iterc = iterc->next)
3883 GCC_debug (iterc->c, level);
3886 LOG2 (level, "TTT DEBUG TUNNEL END\n");
3891 * Iterate all tunnels.
3893 * @param iter Iterator.
3894 * @param cls Closure for @c iter.
3897 GCT_iterate_all (GNUNET_CONTAINER_PeerMapIterator iter, void *cls)
3899 GNUNET_CONTAINER_multipeermap_iterate (tunnels, iter, cls);
3904 * Count all tunnels.
3906 * @return Number of tunnels to remote peers kept by this peer.
3909 GCT_count_all (void)
3911 return GNUNET_CONTAINER_multipeermap_size (tunnels);
3916 * Iterate all connections of a tunnel.
3918 * @param t Tunnel whose connections to iterate.
3919 * @param iter Iterator.
3920 * @param cls Closure for @c iter.
3923 GCT_iterate_connections (struct CadetTunnel *t, GCT_conn_iter iter, void *cls)
3925 struct CadetTConnection *ct;
3927 for (ct = t->connection_head; NULL != ct; ct = ct->next)
3933 * Iterate all channels of a tunnel.
3935 * @param t Tunnel whose channels to iterate.
3936 * @param iter Iterator.
3937 * @param cls Closure for @c iter.
3940 GCT_iterate_channels (struct CadetTunnel *t, GCT_chan_iter iter, void *cls)
3942 struct CadetTChannel *cht;
3944 for (cht = t->channel_head; NULL != cht; cht = cht->next)
3945 iter (cls, cht->ch);