2 This file is part of GNUnet.
3 Copyright (C) 2013 Christian Grothoff (and other contributing authors)
5 GNUnet is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published
7 by the Free Software Foundation; either version 3, or (at your
8 option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with GNUnet; see the file COPYING. If not, write to the
17 Free Software Foundation, Inc., 59 Temple Place - Suite 330,
18 Boston, MA 02111-1307, USA.
22 #include "gnunet_util_lib.h"
24 #include "gnunet_signatures.h"
25 #include "gnunet_statistics_service.h"
27 #include "cadet_protocol.h"
28 #include "cadet_path.h"
30 #include "gnunet-service-cadet_tunnel.h"
31 #include "gnunet-service-cadet_connection.h"
32 #include "gnunet-service-cadet_channel.h"
33 #include "gnunet-service-cadet_peer.h"
35 #define LOG(level, ...) GNUNET_log_from(level,"cadet-tun",__VA_ARGS__)
36 #define LOG2(level, ...) GNUNET_log_from_nocheck(level,"cadet-tun",__VA_ARGS__)
38 #define REKEY_WAIT GNUNET_TIME_relative_multiply(GNUNET_TIME_UNIT_SECONDS, 5)
40 #if !defined(GNUNET_CULL_LOGGING)
41 #define DUMP_KEYS_TO_STDERR GNUNET_YES
43 #define DUMP_KEYS_TO_STDERR GNUNET_NO
46 #define MAX_SKIPPED_KEYS 64
47 #define MAX_KEY_GAP 256
48 #define AX_HEADER_SIZE (sizeof (uint32_t) * 2\
49 + sizeof (struct GNUNET_CRYPTO_EcdhePublicKey))
52 /******************************************************************************/
53 /******************************** STRUCTS **********************************/
54 /******************************************************************************/
58 struct CadetTChannel *next;
59 struct CadetTChannel *prev;
60 struct CadetChannel *ch;
65 * Connection list and metadata.
67 struct CadetTConnection
72 struct CadetTConnection *next;
77 struct CadetTConnection *prev;
82 struct CadetConnection *c;
85 * Creation time, to keep oldest connection alive.
87 struct GNUNET_TIME_Absolute created;
90 * Connection throughput, to keep fastest connection alive.
96 * Structure used during a Key eXchange.
98 struct CadetTunnelKXCtx
101 * Encryption ("our") old "confirmed" key, for encrypting traffic sent by us
102 * end before the key exchange is finished or times out.
104 struct GNUNET_CRYPTO_SymmetricSessionKey e_key_old;
107 * Decryption ("their") old "confirmed" key, for decrypting traffic sent by
108 * the other end before the key exchange started.
110 struct GNUNET_CRYPTO_SymmetricSessionKey d_key_old;
113 * Same as @c e_key_old, for the case of two simultaneous KX.
114 * This can happen if cadet decides to start a re-key while the peer has also
115 * started its re-key (due to network delay this is impossible to avoid).
116 * In this case, the key material generated with the peer's old ephemeral
117 * *might* (but doesn't have to) be incorrect.
118 * Since no more than two re-keys can happen simultaneously, this is enough.
120 struct GNUNET_CRYPTO_SymmetricSessionKey e_key_old2;
123 * Same as @c d_key_old, for the case described in @c e_key_old2.
125 struct GNUNET_CRYPTO_SymmetricSessionKey d_key_old2;
128 * Challenge to send and expect in the PONG.
133 * When the rekey started. One minute after this the new key will be used.
135 struct GNUNET_TIME_Absolute rekey_start_time;
138 * Task for delayed destruction of the Key eXchange context, to allow delayed
139 * messages with the old key to be decrypted successfully.
141 struct GNUNET_SCHEDULER_Task *finish_task;
145 * Encryption systems possible.
147 enum CadetTunnelEncryption
150 * Default Axolotl system.
155 * Fallback OTR-style encryption.
161 * Struct to old keys for skipped messages while advancing the Axolotl ratchet.
163 struct CadetTunnelSkippedKey
168 struct CadetTunnelSkippedKey *next;
173 struct CadetTunnelSkippedKey *prev;
176 * When was this key stored (for timeout).
178 struct GNUNET_TIME_Absolute timestamp;
183 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
188 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
193 * Axolotl data, according to https://github.com/trevp/axolotl/wiki .
195 struct CadetTunnelAxolotl
198 * A (double linked) list of stored message keys and associated header keys
199 * for "skipped" messages, i.e. messages that have not been
200 * received despite the reception of more recent messages, (head).
202 struct CadetTunnelSkippedKey *skipped_head;
205 * Skipped messages' keys DLL, tail.
207 struct CadetTunnelSkippedKey *skipped_tail;
210 * Elements in @a skipped_head <-> @a skipped_tail.
212 unsigned int skipped;
215 * 32-byte root key which gets updated by DH ratchet.
217 struct GNUNET_CRYPTO_SymmetricSessionKey RK;
220 * 32-byte header key (send).
222 struct GNUNET_CRYPTO_SymmetricSessionKey HKs;
225 * 32-byte header key (recv)
227 struct GNUNET_CRYPTO_SymmetricSessionKey HKr;
230 * 32-byte next header key (send).
232 struct GNUNET_CRYPTO_SymmetricSessionKey NHKs;
235 * 32-byte next header key (recv).
237 struct GNUNET_CRYPTO_SymmetricSessionKey NHKr;
240 * 32-byte chain keys (used for forward-secrecy updating, send).
242 struct GNUNET_CRYPTO_SymmetricSessionKey CKs;
245 * 32-byte chain keys (used for forward-secrecy updating, recv).
247 struct GNUNET_CRYPTO_SymmetricSessionKey CKr;
250 * ECDH for key exchange (A0 / B0).
252 struct GNUNET_CRYPTO_EcdhePrivateKey *kx_0;
255 * ECDH Identity key (recv).
257 struct GNUNET_CRYPTO_EcdhePublicKey DHIr;
260 * ECDH Ratchet key (send).
262 struct GNUNET_CRYPTO_EcdhePrivateKey *DHRs;
265 * ECDH Ratchet key (recv).
267 struct GNUNET_CRYPTO_EcdhePublicKey DHRr;
270 * Message number (reset to 0 with each new ratchet, next message to send).
275 * Message number (reset to 0 with each new ratchet, next message to recv).
280 * Previous message numbers (# of msgs sent under prev ratchet)
285 * True (#GNUNET_YES) if we have to send a new ratchet key in next msg.
290 * Number of messages recieved since our last ratchet advance.
291 * - If this counter = 0, we cannot send a new ratchet key in next msg.
292 * - If this counter > 0, we can (but don't yet have to) send a new key.
294 unsigned int ratchet_allowed;
297 * Number of messages recieved since our last ratchet advance.
298 * - If this counter = 0, we cannot send a new ratchet key in next msg.
299 * - If this counter > 0, we can (but don't yet have to) send a new key.
301 unsigned int ratchet_counter;
304 * When does this ratchet expire and a new one is triggered.
306 struct GNUNET_TIME_Absolute ratchet_expiration;
310 * Struct containing all information regarding a tunnel to a peer.
315 * Endpoint of the tunnel.
317 struct CadetPeer *peer;
320 * Type of encryption used in the tunnel.
322 enum CadetTunnelEncryption enc_type;
327 struct CadetTunnelAxolotl *ax;
330 * State of the tunnel connectivity.
332 enum CadetTunnelCState cstate;
335 * State of the tunnel encryption.
337 enum CadetTunnelEState estate;
340 * Key eXchange context.
342 struct CadetTunnelKXCtx *kx_ctx;
345 * Peer's ephemeral key, to recreate @c e_key and @c d_key when own ephemeral
348 struct GNUNET_CRYPTO_EcdhePublicKey peers_ephemeral_key;
351 * Encryption ("our") key. It is only "confirmed" if kx_ctx is NULL.
353 struct GNUNET_CRYPTO_SymmetricSessionKey e_key;
356 * Decryption ("their") key. It is only "confirmed" if kx_ctx is NULL.
358 struct GNUNET_CRYPTO_SymmetricSessionKey d_key;
361 * Task to start the rekey process.
363 struct GNUNET_SCHEDULER_Task * rekey_task;
366 * Paths that are actively used to reach the destination peer.
368 struct CadetTConnection *connection_head;
369 struct CadetTConnection *connection_tail;
372 * Next connection number.
377 * Channels inside this tunnel.
379 struct CadetTChannel *channel_head;
380 struct CadetTChannel *channel_tail;
383 * Channel ID for the next created channel.
385 CADET_ChannelNumber next_chid;
388 * Destroy flag: if true, destroy on last message.
390 struct GNUNET_SCHEDULER_Task * destroy_task;
393 * Queued messages, to transmit once tunnel gets connected.
395 struct CadetTunnelDelayed *tq_head;
396 struct CadetTunnelDelayed *tq_tail;
399 * Task to trim connections if too many are present.
401 struct GNUNET_SCHEDULER_Task * trim_connections_task;
404 * Ephemeral message in the queue (to avoid queueing more than one).
406 struct CadetConnectionQueue *ephm_h;
409 * Pong message in the queue.
411 struct CadetConnectionQueue *pong_h;
416 * Struct used to save messages in a non-ready tunnel to send once connected.
418 struct CadetTunnelDelayed
423 struct CadetTunnelDelayed *next;
424 struct CadetTunnelDelayed *prev;
429 struct CadetTunnel *t;
432 * Tunnel queue given to the channel to cancel request. Update on send_queued.
434 struct CadetTunnelQueue *tq;
439 /* struct GNUNET_MessageHeader *msg; */
444 * Handle for messages queued but not yet sent.
446 struct CadetTunnelQueue
449 * Connection queue handle, to cancel if necessary.
451 struct CadetConnectionQueue *cq;
454 * Handle in case message hasn't been given to a connection yet.
456 struct CadetTunnelDelayed *tqd;
459 * Continuation to call once sent.
464 * Closure for @c cont.
471 * Cached Axolotl key with signature.
473 struct CadetAxolotlSignedKey
476 * Information about what is being signed (@a permanent_key).
478 struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
481 * Permanent public ECDH key.
483 struct GNUNET_CRYPTO_EcdhePublicKey permanent_key;
486 * An EdDSA signature of the permanent ECDH key with the Peer's ID key.
488 struct GNUNET_CRYPTO_EddsaSignature signature;
492 /******************************************************************************/
493 /******************************* GLOBALS ***********************************/
494 /******************************************************************************/
497 * Global handle to the statistics service.
499 extern struct GNUNET_STATISTICS_Handle *stats;
502 * Local peer own ID (memory efficient handle).
504 extern GNUNET_PEER_Id myid;
507 * Local peer own ID (full value).
509 extern struct GNUNET_PeerIdentity my_full_id;
513 * Don't try to recover tunnels if shutting down.
515 extern int shutting_down;
519 * Set of all tunnels, in order to trigger a new exchange on rekey.
520 * Indexed by peer's ID.
522 static struct GNUNET_CONTAINER_MultiPeerMap *tunnels;
525 * Default TTL for payload packets.
527 static unsigned long long default_ttl;
530 * Own Peer ID private key.
532 const static struct GNUNET_CRYPTO_EddsaPrivateKey *id_key;
535 /******************************** AXOLOTL ************************************/
537 static struct GNUNET_CRYPTO_EcdhePrivateKey *ax_key;
540 * Own Axolotl permanent public key (cache).
542 static struct CadetAxolotlSignedKey ax_identity;
545 * How many messages are needed to trigger a ratchet advance.
547 static unsigned long long ratchet_messages;
550 * How long until we trigger a ratched advance.
552 static struct GNUNET_TIME_Relative ratchet_time;
555 /******************************** OTR ***********************************/
558 * Own global OTR ephemeral private key.
560 static struct GNUNET_CRYPTO_EcdhePrivateKey *otr_ephemeral_key;
563 * Cached message used to perform a OTR key exchange.
565 static struct GNUNET_CADET_KX_Ephemeral otr_kx_msg;
568 * Task to generate a new OTR ephemeral key.
570 static struct GNUNET_SCHEDULER_Task *rekey_task;
575 static struct GNUNET_TIME_Relative rekey_period;
578 /******************************************************************************/
579 /******************************** STATIC ***********************************/
580 /******************************************************************************/
583 * Get string description for tunnel connectivity state.
585 * @param cs Tunnel state.
587 * @return String representation.
590 cstate2s (enum CadetTunnelCState cs)
596 case CADET_TUNNEL_NEW:
597 return "CADET_TUNNEL_NEW";
598 case CADET_TUNNEL_SEARCHING:
599 return "CADET_TUNNEL_SEARCHING";
600 case CADET_TUNNEL_WAITING:
601 return "CADET_TUNNEL_WAITING";
602 case CADET_TUNNEL_READY:
603 return "CADET_TUNNEL_READY";
604 case CADET_TUNNEL_SHUTDOWN:
605 return "CADET_TUNNEL_SHUTDOWN";
607 SPRINTF (buf, "%u (UNKNOWN STATE)", cs);
615 * Get string description for tunnel encryption state.
617 * @param es Tunnel state.
619 * @return String representation.
622 estate2s (enum CadetTunnelEState es)
628 case CADET_TUNNEL_KEY_UNINITIALIZED:
629 return "CADET_TUNNEL_KEY_UNINITIALIZED";
630 case CADET_TUNNEL_KEY_SENT:
631 return "CADET_TUNNEL_KEY_SENT";
632 case CADET_TUNNEL_KEY_PING:
633 return "CADET_TUNNEL_KEY_PING";
634 case CADET_TUNNEL_KEY_OK:
635 return "CADET_TUNNEL_KEY_OK";
636 case CADET_TUNNEL_KEY_REKEY:
637 return "CADET_TUNNEL_KEY_REKEY";
639 SPRINTF (buf, "%u (UNKNOWN STATE)", es);
647 * @brief Check if tunnel is ready to send traffic.
649 * Tunnel must be connected and with encryption correctly set up.
651 * @param t Tunnel to check.
653 * @return #GNUNET_YES if ready, #GNUNET_NO otherwise
656 is_ready (struct CadetTunnel *t)
660 GCT_debug (t, GNUNET_ERROR_TYPE_DEBUG);
661 ready = CADET_TUNNEL_READY == t->cstate
662 && (CADET_TUNNEL_KEY_OK == t->estate
663 || CADET_TUNNEL_KEY_REKEY == t->estate);
664 ready = ready || GCT_is_loopback (t);
670 * Check if a key is invalid (NULL pointer or all 0)
672 * @param key Key to check.
674 * @return #GNUNET_YES if key is null, #GNUNET_NO if exists and is not 0.
677 is_key_null (struct GNUNET_CRYPTO_SymmetricSessionKey *key)
679 struct GNUNET_CRYPTO_SymmetricSessionKey null_key;
684 memset (&null_key, 0, sizeof (null_key));
685 if (0 == memcmp (key, &null_key, sizeof (null_key)))
692 * Ephemeral key message purpose size.
694 * @return Size of the part of the ephemeral key message that must be signed.
697 ephemeral_purpose_size (void)
699 return sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
700 sizeof (struct GNUNET_TIME_AbsoluteNBO) +
701 sizeof (struct GNUNET_TIME_AbsoluteNBO) +
702 sizeof (struct GNUNET_CRYPTO_EcdhePublicKey) +
703 sizeof (struct GNUNET_PeerIdentity);
708 * Ephemeral key message purpose size.
710 * @return Size of the part of the ephemeral key message that must be signed.
713 ax_purpose_size (void)
715 return sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
716 sizeof (struct GNUNET_CRYPTO_EcdhePublicKey);
721 * Size of the encrypted part of a ping message.
723 * @return Size of the encrypted part of a ping message.
726 ping_encryption_size (void)
728 return sizeof (uint32_t);
733 * Get the channel's buffer. ONLY FOR NON-LOOPBACK CHANNELS!!
735 * @param tch Tunnel's channel handle.
737 * @return Amount of messages the channel can still buffer towards the client.
740 get_channel_buffer (const struct CadetTChannel *tch)
744 /* If channel is incoming, is terminal in the FWD direction and fwd is YES */
745 fwd = GCCH_is_terminal (tch->ch, GNUNET_YES);
747 return GCCH_get_buffer (tch->ch, fwd);
752 * Get the channel's allowance status.
754 * @param tch Tunnel's channel handle.
756 * @return #GNUNET_YES if we allowed the client to send data to us.
759 get_channel_allowed (const struct CadetTChannel *tch)
763 /* If channel is outgoing, is origin in the FWD direction and fwd is YES */
764 fwd = GCCH_is_origin (tch->ch, GNUNET_YES);
766 return GCCH_get_allowed (tch->ch, fwd);
771 * Get the connection's buffer.
773 * @param tc Tunnel's connection handle.
775 * @return Amount of messages the connection can still buffer.
778 get_connection_buffer (const struct CadetTConnection *tc)
782 /* If connection is outgoing, is origin in the FWD direction and fwd is YES */
783 fwd = GCC_is_origin (tc->c, GNUNET_YES);
785 return GCC_get_buffer (tc->c, fwd);
790 * Get the connection's allowance.
792 * @param tc Tunnel's connection handle.
794 * @return Amount of messages we have allowed the next peer to send us.
797 get_connection_allowed (const struct CadetTConnection *tc)
801 /* If connection is outgoing, is origin in the FWD direction and fwd is YES */
802 fwd = GCC_is_origin (tc->c, GNUNET_YES);
804 return GCC_get_allowed (tc->c, fwd);
809 * Check that a ephemeral key message s well formed and correctly signed.
811 * @param t Tunnel on which the message came.
812 * @param msg The ephemeral key message.
814 * @return GNUNET_OK if message is fine, GNUNET_SYSERR otherwise.
817 check_ephemeral (struct CadetTunnel *t,
818 const struct GNUNET_CADET_KX_Ephemeral *msg)
820 /* Check message size */
821 if (ntohs (msg->header.size) != sizeof (struct GNUNET_CADET_KX_Ephemeral))
822 return GNUNET_SYSERR;
824 /* Check signature size */
825 if (ntohl (msg->purpose.size) != ephemeral_purpose_size ())
826 return GNUNET_SYSERR;
829 if (0 != memcmp (&msg->origin_identity,
830 GCP_get_id (t->peer),
831 sizeof (struct GNUNET_PeerIdentity)))
832 return GNUNET_SYSERR;
834 /* Check signature */
836 GNUNET_CRYPTO_eddsa_verify (GNUNET_SIGNATURE_PURPOSE_CADET_KX,
839 &msg->origin_identity.public_key))
840 return GNUNET_SYSERR;
847 * Select the best key to use for encryption (send), based on KX status.
849 * Normally, return the current key. If there is a KX in progress and the old
850 * key is fresh enough, return the old key.
852 * @param t Tunnel to choose the key from.
854 * @return The optimal key to encrypt/hmac outgoing traffic.
856 static const struct GNUNET_CRYPTO_SymmetricSessionKey *
857 select_key (const struct CadetTunnel *t)
859 const struct GNUNET_CRYPTO_SymmetricSessionKey *key;
861 if (NULL != t->kx_ctx
862 && NULL == t->kx_ctx->finish_task)
864 struct GNUNET_TIME_Relative age;
866 age = GNUNET_TIME_absolute_get_duration (t->kx_ctx->rekey_start_time);
867 LOG (GNUNET_ERROR_TYPE_DEBUG,
868 " key exchange in progress, started %s ago\n",
869 GNUNET_STRINGS_relative_time_to_string (age, GNUNET_YES));
870 // FIXME make duration of old keys configurable
871 if (age.rel_value_us < GNUNET_TIME_UNIT_MINUTES.rel_value_us)
873 LOG (GNUNET_ERROR_TYPE_DEBUG, " using old key\n");
874 key = &t->kx_ctx->e_key_old;
878 LOG (GNUNET_ERROR_TYPE_DEBUG, " using new key (old key too old)\n");
884 LOG (GNUNET_ERROR_TYPE_DEBUG, " no KX: using current key\n");
894 * @param plaintext Content to HMAC.
895 * @param size Size of @c plaintext.
896 * @param iv Initialization vector for the message.
897 * @param key Key to use.
898 * @param hmac[out] Destination to store the HMAC.
901 t_hmac (const void *plaintext, size_t size,
902 uint32_t iv, const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
903 struct GNUNET_CADET_Hash *hmac)
905 static const char ctx[] = "cadet authentication key";
906 struct GNUNET_CRYPTO_AuthKey auth_key;
907 struct GNUNET_HashCode hash;
909 #if DUMP_KEYS_TO_STDERR
910 LOG (GNUNET_ERROR_TYPE_INFO, " HMAC %u bytes with key %s\n", size,
911 GNUNET_h2s ((struct GNUNET_HashCode *) key));
913 GNUNET_CRYPTO_hmac_derive_key (&auth_key, key,
918 /* Two step: CADET_Hash is only 256 bits, HashCode is 512. */
919 GNUNET_CRYPTO_hmac (&auth_key, plaintext, size, &hash);
920 memcpy (hmac, &hash, sizeof (*hmac));
925 * Encrypt daforce_newest_keyta with the tunnel key.
927 * @param t Tunnel whose key to use.
928 * @param dst Destination for the encrypted data.
929 * @param src Source of the plaintext. Can overlap with @c dst.
930 * @param size Size of the plaintext.
931 * @param iv Initialization Vector to use.
932 * @param force_newest_key Force the use of the newest key, otherwise
933 * CADET will use the old key when allowed.
934 * This can happen in the case when a KX is going on
935 * and the old one hasn't expired.
938 t_encrypt (struct CadetTunnel *t, void *dst, const void *src,
939 size_t size, uint32_t iv, int force_newest_key)
941 struct GNUNET_CRYPTO_SymmetricInitializationVector siv;
942 const struct GNUNET_CRYPTO_SymmetricSessionKey *key;
945 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_encrypt start\n");
947 key = GNUNET_YES == force_newest_key ? &t->e_key : select_key (t);
948 #if DUMP_KEYS_TO_STDERR
949 LOG (GNUNET_ERROR_TYPE_INFO, " ENC with key %s\n",
950 GNUNET_h2s ((struct GNUNET_HashCode *) key));
952 GNUNET_CRYPTO_symmetric_derive_iv (&siv, key, &iv, sizeof (iv), NULL);
953 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_encrypt IV derived\n");
954 out_size = GNUNET_CRYPTO_symmetric_encrypt (src, size, key, &siv, dst);
955 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_encrypt end\n");
964 * @param key Key to use.
965 * @param hash[out] Resulting HMAC.
966 * @param source Source key material (data to HMAC).
967 * @param len Length of @a source.
970 t_ax_hmac_hash (struct GNUNET_CRYPTO_SymmetricSessionKey *key,
971 struct GNUNET_HashCode *hash,
972 void *source, unsigned int len)
974 static const char ctx[] = "axolotl HMAC-HASH";
975 struct GNUNET_CRYPTO_AuthKey auth_key;
977 GNUNET_CRYPTO_hmac_derive_key (&auth_key, key,
980 GNUNET_CRYPTO_hmac (&auth_key, source, len, hash);
985 * Derive a key from a HMAC-HASH.
987 * @param key Key to use for the HMAC.
988 * @param out Key to generate.
989 * @param source Source key material (data to HMAC).
990 * @param len Length of @a source.
993 t_hmac_derive_key (struct GNUNET_CRYPTO_SymmetricSessionKey *key,
994 struct GNUNET_CRYPTO_SymmetricSessionKey *out,
995 void *source, unsigned int len)
997 static const char ctx[] = "axolotl derive key";
998 struct GNUNET_HashCode h;
1000 t_ax_hmac_hash (key, &h, source, len);
1001 GNUNET_CRYPTO_kdf (out, sizeof (*out), ctx, sizeof (ctx),
1002 &h, sizeof (h), NULL);
1007 * Encrypt data with the axolotl tunnel key.
1009 * @param t Tunnel whose key to use.
1010 * @param dst Destination for the encrypted data.
1011 * @param src Source of the plaintext. Can overlap with @c dst.
1012 * @param size Size of the plaintext.
1014 * @return Size of the encrypted data.
1017 t_ax_encrypt (struct CadetTunnel *t, void *dst, const void *src, size_t size)
1019 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
1020 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
1021 struct CadetTunnelAxolotl *ax;
1024 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_encrypt start\n");
1028 ax->ratchet_counter++;
1029 if (GNUNET_YES == ax->ratchet_allowed
1030 && (ratchet_messages <= ax->ratchet_counter
1031 || 0 == GNUNET_TIME_absolute_get_remaining (ax->ratchet_expiration).rel_value_us))
1033 ax->ratchet_flag = GNUNET_YES;
1036 if (GNUNET_YES == ax->ratchet_flag)
1038 /* Advance ratchet */
1039 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3];
1040 struct GNUNET_HashCode dh;
1041 struct GNUNET_HashCode hmac;
1042 static const char ctx[] = "axolotl ratchet";
1044 ax->DHRs = GNUNET_CRYPTO_ecdhe_key_create ();
1047 /* RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) ) */
1048 GNUNET_CRYPTO_ecc_ecdh (ax->DHRs, &ax->DHRr, &dh);
1049 t_ax_hmac_hash (&ax->RK, &hmac, &dh, sizeof (dh));
1050 GNUNET_CRYPTO_kdf (keys, sizeof (keys), ctx, sizeof (ctx),
1051 &hmac, sizeof (hmac), NULL);
1058 ax->ratchet_flag = GNUNET_NO;
1059 ax->ratchet_allowed = GNUNET_NO;
1060 ax->ratchet_counter = 0;
1061 ax->ratchet_expiration =
1062 GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(), ratchet_time);
1065 t_hmac_derive_key (&ax->CKs, &MK, "0", 1);
1066 GNUNET_CRYPTO_symmetric_derive_iv (&iv, &MK, NULL, 0, NULL);
1068 #if DUMP_KEYS_TO_STDERR
1069 LOG (GNUNET_ERROR_TYPE_INFO, " CKs: %s\n",
1070 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->CKs));
1071 LOG (GNUNET_ERROR_TYPE_INFO, " AX_ENC with key %u: %s\n", ax->Ns,
1072 GNUNET_h2s ((struct GNUNET_HashCode *) &MK));
1075 out_size = GNUNET_CRYPTO_symmetric_encrypt (src, size, &MK, &iv, dst);
1077 t_hmac_derive_key (&ax->CKs, &ax->CKs, "1", 1);
1079 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_encrypt end\n");
1086 * Decrypt data with the axolotl tunnel key.
1088 * @param t Tunnel whose key to use.
1089 * @param dst Destination for the decrypted data.
1090 * @param src Source of the ciphertext. Can overlap with @c dst.
1091 * @param size Size of the ciphertext.
1093 * @return Size of the decrypted data.
1096 t_ax_decrypt (struct CadetTunnel *t, void *dst, const void *src, size_t size)
1098 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
1099 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
1100 struct CadetTunnelAxolotl *ax;
1103 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_decrypt start\n");
1107 t_hmac_derive_key (&ax->CKr, &MK, "0", 1);
1108 GNUNET_CRYPTO_symmetric_derive_iv (&iv, &MK, NULL, 0, NULL);
1110 #if DUMP_KEYS_TO_STDERR
1111 LOG (GNUNET_ERROR_TYPE_INFO, " CKr: %s\n",
1112 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->CKr));
1113 LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC with key %u: %s\n", ax->Nr,
1114 GNUNET_h2s ((struct GNUNET_HashCode *) &MK));
1117 GNUNET_assert (size >= sizeof (struct GNUNET_MessageHeader));
1118 out_size = GNUNET_CRYPTO_symmetric_decrypt (src, size, &MK, &iv, dst);
1119 GNUNET_assert (out_size == size);
1121 t_hmac_derive_key (&ax->CKr, &ax->CKr, "1", 1);
1123 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_decrypt end\n");
1130 * Encrypt header with the axolotl header key.
1132 * @param t Tunnel whose key to use.
1133 * @param msg Message whose header to encrypt.
1136 t_h_encrypt (struct CadetTunnel *t, struct GNUNET_CADET_AX *msg)
1138 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
1139 struct CadetTunnelAxolotl *ax;
1142 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_h_encrypt start\n");
1145 GNUNET_CRYPTO_symmetric_derive_iv (&iv, &ax->HKs, NULL, 0, NULL);
1147 #if DUMP_KEYS_TO_STDERR
1148 LOG (GNUNET_ERROR_TYPE_INFO, " AX_ENC_H with key %s\n",
1149 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->HKs));
1152 out_size = GNUNET_CRYPTO_symmetric_encrypt (&msg->Ns, AX_HEADER_SIZE,
1153 &ax->HKs, &iv, &msg->Ns);
1155 GNUNET_assert (AX_HEADER_SIZE == out_size);
1157 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_encrypt end\n");
1162 * Decrypt header with the current axolotl header key.
1164 * @param t Tunnel whose current ax HK to use.
1165 * @param src Message whose header to decrypt.
1166 * @param dst Where to decrypt header to.
1169 t_h_decrypt (struct CadetTunnel *t, const struct GNUNET_CADET_AX *src,
1170 struct GNUNET_CADET_AX *dst)
1172 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
1173 struct CadetTunnelAxolotl *ax;
1176 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_h_decrypt start\n");
1179 GNUNET_CRYPTO_symmetric_derive_iv (&iv, &ax->HKr, NULL, 0, NULL);
1181 #if DUMP_KEYS_TO_STDERR
1182 LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC_H with key %s\n",
1183 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->HKr));
1186 out_size = GNUNET_CRYPTO_symmetric_decrypt (&src->Ns, AX_HEADER_SIZE,
1187 &ax->HKr, &iv, &dst->Ns);
1189 GNUNET_assert (AX_HEADER_SIZE == out_size);
1191 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_decrypt end\n");
1196 * Decrypt and verify data with the appropriate tunnel key.
1198 * @param key Key to use.
1199 * @param dst Destination for the plaintext.
1200 * @param src Source of the encrypted data. Can overlap with @c dst.
1201 * @param size Size of the encrypted data.
1202 * @param iv Initialization Vector to use.
1204 * @return Size of the decrypted data, -1 if an error was encountered.
1207 decrypt (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
1208 void *dst, const void *src, size_t size, uint32_t iv)
1210 struct GNUNET_CRYPTO_SymmetricInitializationVector siv;
1213 LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt start\n");
1214 LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt iv\n");
1215 GNUNET_CRYPTO_symmetric_derive_iv (&siv, key, &iv, sizeof (iv), NULL);
1216 LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt iv done\n");
1217 out_size = GNUNET_CRYPTO_symmetric_decrypt (src, size, key, &siv, dst);
1218 LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt end\n");
1225 * Decrypt and verify data with the most recent tunnel key.
1227 * @param t Tunnel whose key to use.
1228 * @param dst Destination for the plaintext.
1229 * @param src Source of the encrypted data. Can overlap with @c dst.
1230 * @param size Size of the encrypted data.
1231 * @param iv Initialization Vector to use.
1233 * @return Size of the decrypted data, -1 if an error was encountered.
1236 t_decrypt (struct CadetTunnel *t, void *dst, const void *src,
1237 size_t size, uint32_t iv)
1241 #if DUMP_KEYS_TO_STDERR
1242 LOG (GNUNET_ERROR_TYPE_DEBUG, " t_decrypt with %s\n",
1243 GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
1245 if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
1247 GNUNET_STATISTICS_update (stats, "# non decryptable data", 1, GNUNET_NO);
1248 LOG (GNUNET_ERROR_TYPE_WARNING,
1249 "got data on %s without a valid key\n",
1251 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
1255 out_size = decrypt (&t->d_key, dst, src, size, iv);
1262 * Decrypt and verify data with the appropriate tunnel key and verify that the
1263 * data has not been altered since it was sent by the remote peer.
1265 * @param t Tunnel whose key to use.
1266 * @param dst Destination for the plaintext.
1267 * @param src Source of the encrypted data. Can overlap with @c dst.
1268 * @param size Size of the encrypted data.
1269 * @param iv Initialization Vector to use.
1270 * @param msg_hmac HMAC of the message, cannot be NULL.
1272 * @return Size of the decrypted data, -1 if an error was encountered.
1275 t_decrypt_and_validate (struct CadetTunnel *t,
1276 void *dst, const void *src,
1277 size_t size, uint32_t iv,
1278 const struct GNUNET_CADET_Hash *msg_hmac)
1280 struct GNUNET_CRYPTO_SymmetricSessionKey *key;
1281 struct GNUNET_CADET_Hash hmac;
1284 /* Try primary (newest) key */
1286 decrypted_size = decrypt (key, dst, src, size, iv);
1287 t_hmac (src, size, iv, key, &hmac);
1288 if (0 == memcmp (msg_hmac, &hmac, sizeof (hmac)))
1289 return decrypted_size;
1291 /* If no key exchange is going on, we just failed. */
1292 if (NULL == t->kx_ctx)
1294 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1295 "Failed checksum validation on tunnel %s with no KX\n",
1297 GNUNET_STATISTICS_update (stats, "# wrong HMAC no KX", 1, GNUNET_NO);
1301 /* Try secondary key, from previous KX period. */
1302 key = &t->kx_ctx->d_key_old;
1303 decrypted_size = decrypt (key, dst, src, size, iv);
1304 t_hmac (src, size, iv, key, &hmac);
1305 if (0 == memcmp (msg_hmac, &hmac, sizeof (hmac)))
1306 return decrypted_size;
1308 /* Hail Mary, try tertiary, key, in case of parallel re-keys. */
1309 key = &t->kx_ctx->d_key_old2;
1310 decrypted_size = decrypt (key, dst, src, size, iv);
1311 t_hmac (src, size, iv, key, &hmac);
1312 if (0 == memcmp (msg_hmac, &hmac, sizeof (hmac)))
1313 return decrypted_size;
1315 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1316 "Failed checksum validation on tunnel %s with KX\n",
1318 GNUNET_STATISTICS_update (stats, "# wrong HMAC with KX", 1, GNUNET_NO);
1324 * Decrypt and verify data with the appropriate tunnel key and verify that the
1325 * data has not been altered since it was sent by the remote peer.
1327 * @param t Tunnel whose key to use.
1328 * @param dst Destination for the plaintext.
1329 * @param src Source of the message. Can overlap with @c dst.
1330 * @param size Size of the message.
1332 * @return Size of the decrypted data, -1 if an error was encountered.
1335 try_old_ax_keys (struct CadetTunnel *t, struct GNUNET_CADET_AX *dst,
1336 const struct GNUNET_CADET_AX *src, size_t size)
1338 struct CadetTunnelSkippedKey *key;
1339 struct GNUNET_CADET_Hash hmac;
1340 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
1345 for (key = t->ax->skipped_head; NULL != key; key = key->next)
1347 t_hmac (&src->Ns, AX_HEADER_SIZE, 0, &key->HK, &hmac);
1348 if (0 != memcmp (&hmac, &src->hmac, sizeof (hmac)))
1354 #if DUMP_KEYS_TO_STDERR
1355 LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC with skipped key %s\n",
1356 GNUNET_h2s ((struct GNUNET_HashCode *) &key->MK));
1359 GNUNET_assert (size > sizeof (struct GNUNET_CADET_AX));
1360 len = size - sizeof (struct GNUNET_CADET_AX);
1361 GNUNET_CRYPTO_symmetric_derive_iv (&iv, &key->MK, NULL, 0, NULL);
1362 res = GNUNET_CRYPTO_symmetric_decrypt (&src[1], len, &key->MK, &iv, &dst[1]);
1364 GNUNET_CONTAINER_DLL_remove (t->ax->skipped_head, t->ax->skipped_tail, key);
1373 * Delete a key from the list of skipped keys.
1375 * @param t Tunnel to delete from.
1376 * @param HKr Header Key to use.
1379 store_skipped_key (struct CadetTunnel *t,
1380 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr)
1382 struct CadetTunnelSkippedKey *key;
1384 key = GNUNET_new (struct CadetTunnelSkippedKey);
1385 key->timestamp = GNUNET_TIME_absolute_get ();
1386 t_hmac_derive_key (&t->ax->CKr, &key->MK, "0", 1);
1387 #if DUMP_KEYS_TO_STDERR
1388 LOG (GNUNET_ERROR_TYPE_INFO, " storing MK for Nr %u: %s\n",
1389 t->ax->Nr, GNUNET_h2s ((struct GNUNET_HashCode *) &key->MK));
1390 LOG (GNUNET_ERROR_TYPE_INFO, " for CKr: %s\n",
1391 GNUNET_h2s ((struct GNUNET_HashCode *) &t->ax->CKr));
1393 t_hmac_derive_key (&t->ax->CKr, &t->ax->CKr, "1", 1);
1394 GNUNET_CONTAINER_DLL_insert (t->ax->skipped_head, t->ax->skipped_tail, key);
1401 * Delete a key from the list of skipped keys.
1403 * @param t Tunnel to delete from.
1404 * @param key Key to delete.
1407 delete_skipped_key (struct CadetTunnel *t, struct CadetTunnelSkippedKey *key)
1409 GNUNET_CONTAINER_DLL_remove (t->ax->skipped_head, t->ax->skipped_tail, key);
1416 * Stage skipped AX keys and calculate the message key.
1418 * Stores each HK and MK for skipped messages.
1420 * @param t Tunnel where to stage the keys.
1421 * @param HKr Header key.
1422 * @param Np Received meesage number.
1425 store_ax_keys (struct CadetTunnel *t,
1426 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr,
1431 gap = Np - t->ax->Nr;
1432 if (MAX_KEY_GAP < gap || 0 > gap)
1434 /* Avoid DoS (forcing peer to do 2*33 chain HMAC operations) */
1435 /* TODO: start new key exchange on return */
1436 GNUNET_break_op (0);
1440 while (t->ax->Nr < Np)
1441 store_skipped_key (t, HKr);
1443 while (t->ax->skipped > MAX_SKIPPED_KEYS)
1444 delete_skipped_key (t, t->ax->skipped_tail);
1449 * Decrypt and verify data with the appropriate tunnel key and verify that the
1450 * data has not been altered since it was sent by the remote peer.
1452 * @param t Tunnel whose key to use.
1453 * @param dst Destination for the plaintext.
1454 * @param src Source of the message. Can overlap with @c dst.
1455 * @param size Size of the message.
1457 * @return Size of the decrypted data, -1 if an error was encountered.
1460 t_ax_decrypt_and_validate (struct CadetTunnel *t, void *dst,
1461 const struct GNUNET_CADET_AX *src, size_t size)
1463 struct CadetTunnelAxolotl *ax;
1464 struct GNUNET_CADET_Hash msg_hmac;
1465 struct GNUNET_HashCode hmac;
1466 struct GNUNET_CADET_AX *dstmsg;
1474 esize = size - sizeof (struct GNUNET_CADET_AX);
1479 /* Try current HK */
1480 t_hmac (&src->Ns, AX_HEADER_SIZE + esize, 0, &ax->HKr, &msg_hmac);
1481 if (0 != memcmp (&msg_hmac, &src->hmac, sizeof (msg_hmac)))
1483 static const char ctx[] = "axolotl ratchet";
1484 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3]; /* RKp, NHKp, CKp */
1485 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
1486 struct GNUNET_HashCode dh;
1487 struct GNUNET_CRYPTO_EcdhePublicKey *DHRp;
1490 t_hmac (&src->Ns, AX_HEADER_SIZE + esize, 0, &ax->NHKr, &msg_hmac);
1491 if (0 != memcmp (&msg_hmac, &src->hmac, sizeof (msg_hmac)))
1493 /* Try the skipped keys, if that fails, we're out of luck. */
1494 return try_old_ax_keys (t, dst, src, size);
1496 LOG (GNUNET_ERROR_TYPE_INFO, "next HK\n");
1500 t_h_decrypt (t, src, dstmsg);
1501 Np = ntohl (dstmsg->Ns);
1502 PNp = ntohl (dstmsg->PNs);
1503 DHRp = &dstmsg->DHRs;
1504 store_ax_keys (t, &HK, PNp);
1506 /* RKp, NHKp, CKp = KDF (HMAC-HASH (RK, DH (DHRp, DHRs))) */
1507 GNUNET_CRYPTO_ecc_ecdh (ax->DHRs, DHRp, &dh);
1508 t_ax_hmac_hash (&ax->RK, &hmac, &dh, sizeof (dh));
1509 GNUNET_CRYPTO_kdf (keys, sizeof (keys), ctx, sizeof (ctx),
1510 &hmac, sizeof (hmac), NULL);
1512 /* Commit "purported" keys */
1518 ax->ratchet_allowed = GNUNET_YES;
1522 LOG (GNUNET_ERROR_TYPE_DEBUG, "current HK\n");
1523 t_h_decrypt (t, src, dstmsg);
1524 Np = ntohl (dstmsg->Ns);
1525 PNp = ntohl (dstmsg->PNs);
1529 store_ax_keys (t, &ax->HKr, Np);
1533 osize = t_ax_decrypt (t, dst, &src[1], esize);
1536 GNUNET_break_op (0);
1545 * Create key material by doing ECDH on the local and remote ephemeral keys.
1547 * @param key_material Where to store the key material.
1548 * @param ephemeral Peer's public ephemeral key.
1550 * @return GNUNET_OK if it went fine, GNUNET_SYSERR otherwise.
1553 derive_otr_key_material (struct GNUNET_HashCode *key_material,
1554 const struct GNUNET_CRYPTO_EcdhePublicKey *ephemeral)
1557 GNUNET_CRYPTO_ecc_ecdh (otr_ephemeral_key, ephemeral, key_material))
1560 return GNUNET_SYSERR;
1567 * Create a symmetic key from the identities of both ends and the key material
1570 * @param key Destination for the generated key.
1571 * @param sender ID of the peer that will encrypt with @c key.
1572 * @param receiver ID of the peer that will decrypt with @c key.
1573 * @param key_material Hash created with ECDH with the ephemeral keys.
1576 derive_symmertic (struct GNUNET_CRYPTO_SymmetricSessionKey *key,
1577 const struct GNUNET_PeerIdentity *sender,
1578 const struct GNUNET_PeerIdentity *receiver,
1579 const struct GNUNET_HashCode *key_material)
1581 const char salt[] = "CADET kx salt";
1583 GNUNET_CRYPTO_kdf (key, sizeof (struct GNUNET_CRYPTO_SymmetricSessionKey),
1584 salt, sizeof (salt),
1585 key_material, sizeof (struct GNUNET_HashCode),
1586 sender, sizeof (struct GNUNET_PeerIdentity),
1587 receiver, sizeof (struct GNUNET_PeerIdentity),
1593 * Derive the tunnel's keys using our own and the peer's ephemeral keys.
1595 * @param t Tunnel for which to create the keys.
1597 * @return GNUNET_OK if successful, GNUNET_SYSERR otherwise.
1600 create_otr_keys (struct CadetTunnel *t)
1602 struct GNUNET_HashCode km;
1604 if (GNUNET_OK != derive_otr_key_material (&km, &t->peers_ephemeral_key))
1605 return GNUNET_SYSERR;
1606 derive_symmertic (&t->e_key, &my_full_id, GCP_get_id (t->peer), &km);
1607 derive_symmertic (&t->d_key, GCP_get_id (t->peer), &my_full_id, &km);
1608 #if DUMP_KEYS_TO_STDERR
1609 LOG (GNUNET_ERROR_TYPE_INFO, "ME: %s\n",
1610 GNUNET_h2s ((struct GNUNET_HashCode *) &otr_kx_msg.ephemeral_key));
1611 LOG (GNUNET_ERROR_TYPE_INFO, "PE: %s\n",
1612 GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
1613 LOG (GNUNET_ERROR_TYPE_INFO, "KM: %s\n", GNUNET_h2s (&km));
1614 LOG (GNUNET_ERROR_TYPE_INFO, "EK: %s\n",
1615 GNUNET_h2s ((struct GNUNET_HashCode *) &t->e_key));
1616 LOG (GNUNET_ERROR_TYPE_INFO, "DK: %s\n",
1617 GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
1624 * Create a new Key eXchange context for the tunnel.
1626 * If the old keys were verified, keep them for old traffic. Create a new KX
1627 * timestamp and a new nonce.
1629 * @param t Tunnel for which to create the KX ctx.
1631 * @return GNUNET_OK if successful, GNUNET_SYSERR otherwise.
1634 create_kx_ctx (struct CadetTunnel *t)
1636 LOG (GNUNET_ERROR_TYPE_INFO, " new kx ctx for %s\n", GCT_2s (t));
1638 if (NULL != t->kx_ctx)
1640 if (NULL != t->kx_ctx->finish_task)
1642 LOG (GNUNET_ERROR_TYPE_INFO, " resetting exisiting finish task\n");
1643 GNUNET_SCHEDULER_cancel (t->kx_ctx->finish_task);
1644 t->kx_ctx->finish_task = NULL;
1649 t->kx_ctx = GNUNET_new (struct CadetTunnelKXCtx);
1650 t->kx_ctx->challenge = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE,
1654 if (CADET_TUNNEL_KEY_OK == t->estate)
1656 LOG (GNUNET_ERROR_TYPE_INFO, " backing up keys\n");
1657 t->kx_ctx->d_key_old = t->d_key;
1658 t->kx_ctx->e_key_old = t->e_key;
1661 LOG (GNUNET_ERROR_TYPE_INFO, " old keys not valid, not saving\n");
1662 t->kx_ctx->rekey_start_time = GNUNET_TIME_absolute_get ();
1663 return create_otr_keys (t);
1668 * @brief Finish the Key eXchange and destroy the old keys.
1670 * @param cls Closure (Tunnel for which to finish the KX).
1671 * @param tc Task context.
1674 finish_kx (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
1676 struct CadetTunnel *t = cls;
1678 LOG (GNUNET_ERROR_TYPE_INFO, "finish KX for %s\n", GCT_2s (t));
1680 if (0 != (tc->reason & GNUNET_SCHEDULER_REASON_SHUTDOWN))
1682 LOG (GNUNET_ERROR_TYPE_INFO, " shutdown\n");
1686 GNUNET_free (t->kx_ctx);
1692 * Destroy a Key eXchange context for the tunnel. This function only schedules
1693 * the destruction, the freeing of the memory (and clearing of old key material)
1694 * happens after a delay!
1696 * @param t Tunnel whose KX ctx to destroy.
1699 destroy_kx_ctx (struct CadetTunnel *t)
1701 struct GNUNET_TIME_Relative delay;
1703 if (NULL == t->kx_ctx || NULL != t->kx_ctx->finish_task)
1706 if (is_key_null (&t->kx_ctx->e_key_old))
1708 t->kx_ctx->finish_task = GNUNET_SCHEDULER_add_now (finish_kx, t);
1712 delay = GNUNET_TIME_relative_divide (rekey_period, 4);
1713 delay = GNUNET_TIME_relative_min (delay, GNUNET_TIME_UNIT_MINUTES);
1715 t->kx_ctx->finish_task = GNUNET_SCHEDULER_add_delayed (delay, finish_kx, t);
1721 * Pick a connection on which send the next data message.
1723 * @param t Tunnel on which to send the message.
1725 * @return The connection on which to send the next message.
1727 static struct CadetConnection *
1728 tunnel_get_connection (struct CadetTunnel *t)
1730 struct CadetTConnection *iter;
1731 struct CadetConnection *best;
1733 unsigned int lowest_q;
1735 LOG (GNUNET_ERROR_TYPE_DEBUG, "tunnel_get_connection %s\n", GCT_2s (t));
1737 lowest_q = UINT_MAX;
1738 for (iter = t->connection_head; NULL != iter; iter = iter->next)
1740 LOG (GNUNET_ERROR_TYPE_DEBUG, " connection %s: %u\n",
1741 GCC_2s (iter->c), GCC_get_state (iter->c));
1742 if (CADET_CONNECTION_READY == GCC_get_state (iter->c))
1744 qn = GCC_get_qn (iter->c, GCC_is_origin (iter->c, GNUNET_YES));
1745 LOG (GNUNET_ERROR_TYPE_DEBUG, " q_n %u, \n", qn);
1753 LOG (GNUNET_ERROR_TYPE_DEBUG, " selected: connection %s\n", GCC_2s (best));
1759 * Callback called when a queued message is sent.
1761 * Calculates the average time and connection packet tracking.
1763 * @param cls Closure (TunnelQueue handle).
1764 * @param c Connection this message was on.
1765 * @param q Connection queue handle (unused).
1766 * @param type Type of message sent.
1767 * @param fwd Was this a FWD going message?
1768 * @param size Size of the message.
1771 tun_message_sent (void *cls,
1772 struct CadetConnection *c,
1773 struct CadetConnectionQueue *q,
1774 uint16_t type, int fwd, size_t size)
1776 struct CadetTunnelQueue *qt = cls;
1777 struct CadetTunnel *t;
1779 LOG (GNUNET_ERROR_TYPE_DEBUG, "tun_message_sent\n");
1781 GNUNET_assert (NULL != qt->cont);
1782 t = NULL == c ? NULL : GCC_get_tunnel (c);
1783 qt->cont (qt->cont_cls, t, qt, type, size);
1789 count_queued_data (const struct CadetTunnel *t)
1791 struct CadetTunnelDelayed *iter;
1794 for (count = 0, iter = t->tq_head; iter != NULL; iter = iter->next)
1801 * Delete a queued message: either was sent or the channel was destroyed
1802 * before the tunnel's key exchange had a chance to finish.
1804 * @param tqd Delayed queue handle.
1807 unqueue_data (struct CadetTunnelDelayed *tqd)
1809 GNUNET_CONTAINER_DLL_remove (tqd->t->tq_head, tqd->t->tq_tail, tqd);
1815 * Cache a message to be sent once tunnel is online.
1817 * @param t Tunnel to hold the message.
1818 * @param msg Message itself (copy will be made).
1820 static struct CadetTunnelDelayed *
1821 queue_data (struct CadetTunnel *t, const struct GNUNET_MessageHeader *msg)
1823 struct CadetTunnelDelayed *tqd;
1824 uint16_t size = ntohs (msg->size);
1826 LOG (GNUNET_ERROR_TYPE_DEBUG, "queue data on Tunnel %s\n", GCT_2s (t));
1828 GNUNET_assert (GNUNET_NO == is_ready (t));
1830 tqd = GNUNET_malloc (sizeof (struct CadetTunnelDelayed) + size);
1833 memcpy (&tqd[1], msg, size);
1834 GNUNET_CONTAINER_DLL_insert_tail (t->tq_head, t->tq_tail, tqd);
1840 * Sends an already built message on a tunnel, encrypting it and
1841 * choosing the best connection.
1843 * @param message Message to send. Function modifies it.
1844 * @param t Tunnel on which this message is transmitted.
1845 * @param c Connection to use (autoselect if NULL).
1846 * @param force Force the tunnel to take the message (buffer overfill).
1847 * @param cont Continuation to call once message is really sent.
1848 * @param cont_cls Closure for @c cont.
1849 * @param existing_q In case this a transmission of previously queued data,
1850 * this should be TunnelQueue given to the client.
1853 * @return Handle to cancel message.
1854 * NULL if @c cont is NULL or an error happens and message is dropped.
1856 static struct CadetTunnelQueue *
1857 send_prebuilt_message (const struct GNUNET_MessageHeader *message,
1858 struct CadetTunnel *t, struct CadetConnection *c,
1859 int force, GCT_sent cont, void *cont_cls,
1860 struct CadetTunnelQueue *existing_q)
1862 struct GNUNET_MessageHeader *msg;
1863 struct GNUNET_CADET_Encrypted *otr_msg;
1864 struct GNUNET_CADET_AX *ax_msg;
1865 struct CadetTunnelQueue *tq;
1866 size_t size = ntohs (message->size);
1867 const uint16_t max_overhead = sizeof (struct GNUNET_CADET_Encrypted)
1868 + sizeof (struct GNUNET_CADET_AX);
1869 char cbuf[max_overhead + size];
1876 LOG (GNUNET_ERROR_TYPE_DEBUG, "GMT Send on Tunnel %s\n", GCT_2s (t));
1878 if (GNUNET_NO == is_ready (t))
1880 struct CadetTunnelDelayed *tqd;
1881 /* A non null existing_q indicates sending of queued data.
1882 * Should only happen after tunnel becomes ready.
1884 GNUNET_assert (NULL == existing_q);
1885 tqd = queue_data (t, message);
1888 tq = GNUNET_new (struct CadetTunnelQueue);
1892 tq->cont_cls = cont_cls;
1896 GNUNET_assert (GNUNET_NO == GCT_is_loopback (t));
1898 if (CADET_Axolotl == t->enc_type)
1900 ax_msg = (struct GNUNET_CADET_AX *) cbuf;
1901 msg = &ax_msg->header;
1902 msg->size = htons (sizeof (struct GNUNET_CADET_AX) + size);
1903 msg->type = htons (GNUNET_MESSAGE_TYPE_CADET_AX);
1904 ax_msg->reserved = 0;
1905 esize = t_ax_encrypt (t, &ax_msg[1], message, size);
1906 ax_msg->Ns = htonl (t->ax->Ns++);
1907 ax_msg->PNs = htonl (t->ax->PNs);
1908 GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->DHRs, &ax_msg->DHRs);
1909 t_h_encrypt (t, ax_msg);
1910 t_hmac (&ax_msg->Ns, AX_HEADER_SIZE + esize, 0, &t->ax->HKs, &ax_msg->hmac);
1914 otr_msg = (struct GNUNET_CADET_Encrypted *) cbuf;
1915 msg = &otr_msg->header;
1916 iv = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
1918 esize = t_encrypt (t, &otr_msg[1], message, size, iv, GNUNET_NO);
1919 t_hmac (&otr_msg[1], size, iv, select_key (t), &otr_msg->hmac);
1920 msg->size = htons (sizeof (struct GNUNET_CADET_Encrypted) + size);
1921 msg->type = htons (GNUNET_MESSAGE_TYPE_CADET_ENCRYPTED);
1922 otr_msg->ttl = htonl (default_ttl);
1924 GNUNET_assert (esize == size);
1927 c = tunnel_get_connection (t);
1930 /* Why is tunnel 'ready'? Should have been queued! */
1931 if (NULL != t->destroy_task)
1934 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
1936 return NULL; /* Drop... */
1940 type = ntohs (message->type);
1943 case GNUNET_MESSAGE_TYPE_CADET_DATA:
1944 case GNUNET_MESSAGE_TYPE_CADET_DATA_ACK:
1945 if (GNUNET_MESSAGE_TYPE_CADET_DATA == type)
1946 mid = ntohl (((struct GNUNET_CADET_Data *) message)->mid);
1948 mid = ntohl (((struct GNUNET_CADET_DataACK *) message)->mid);
1950 case GNUNET_MESSAGE_TYPE_CADET_KEEPALIVE:
1951 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_CREATE:
1952 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY:
1953 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_ACK:
1954 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_NACK:
1958 LOG (GNUNET_ERROR_TYPE_ERROR, "type %s not valid\n", GC_m2s (type));
1960 LOG (GNUNET_ERROR_TYPE_DEBUG, "type %s\n", GC_m2s (type));
1962 fwd = GCC_is_origin (c, GNUNET_YES);
1966 GNUNET_break (NULL == GCC_send_prebuilt_message (msg, type,
1967 mid, c, fwd, force, NULL, NULL));
1970 if (NULL == existing_q)
1972 tq = GNUNET_new (struct CadetTunnelQueue); /* FIXME valgrind: leak*/
1979 tq->cq = GCC_send_prebuilt_message (msg, type, mid, c, fwd, force,
1980 &tun_message_sent, tq);
1981 GNUNET_assert (NULL != tq->cq);
1983 tq->cont_cls = cont_cls;
1990 * Send all cached messages that we can, tunnel is online.
1992 * @param t Tunnel that holds the messages. Cannot be loopback.
1995 send_queued_data (struct CadetTunnel *t)
1997 struct CadetTunnelDelayed *tqd;
1998 struct CadetTunnelDelayed *next;
2001 LOG (GNUNET_ERROR_TYPE_INFO, "Send queued data, tunnel %s\n", GCT_2s (t));
2003 if (GCT_is_loopback (t))
2009 if (GNUNET_NO == is_ready (t))
2011 LOG (GNUNET_ERROR_TYPE_DEBUG, " not ready yet: %s/%s\n",
2012 estate2s (t->estate), cstate2s (t->cstate));
2016 room = GCT_get_connections_buffer (t);
2017 LOG (GNUNET_ERROR_TYPE_DEBUG, " buffer space: %u\n", room);
2018 LOG (GNUNET_ERROR_TYPE_DEBUG, " tq head: %p\n", t->tq_head);
2019 for (tqd = t->tq_head; NULL != tqd && room > 0; tqd = next)
2021 LOG (GNUNET_ERROR_TYPE_DEBUG, " sending queued data\n");
2024 send_prebuilt_message ((struct GNUNET_MessageHeader *) &tqd[1],
2025 tqd->t, NULL, GNUNET_YES,
2026 NULL != tqd->tq ? tqd->tq->cont : NULL,
2027 NULL != tqd->tq ? tqd->tq->cont_cls : NULL,
2031 LOG (GNUNET_ERROR_TYPE_DEBUG, "GCT_send_queued_data end\n", GCP_2s (t->peer));
2036 * @brief Resend the AX KX until we complete the handshake.
2038 * @param cls Closure (tunnel).
2039 * @param tc Task context.
2042 ax_kx_resend (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
2044 struct CadetTunnel *t = cls;
2046 t->rekey_task = NULL;
2048 if (0 != (tc->reason & GNUNET_SCHEDULER_REASON_SHUTDOWN))
2051 if (CADET_TUNNEL_KEY_OK == t->estate)
2054 GCT_send_ax_kx (t, GNUNET_YES);
2059 * Callback called when a queued message is sent.
2061 * @param cls Closure.
2062 * @param c Connection this message was on.
2063 * @param type Type of message sent.
2064 * @param fwd Was this a FWD going message?
2065 * @param size Size of the message.
2068 ephm_sent (void *cls,
2069 struct CadetConnection *c,
2070 struct CadetConnectionQueue *q,
2071 uint16_t type, int fwd, size_t size)
2073 struct CadetTunnel *t = cls;
2074 LOG (GNUNET_ERROR_TYPE_DEBUG, "ephemeral sent %s\n", GC_m2s (type));
2078 if (CADET_TUNNEL_KEY_OK == t->estate)
2081 if (CADET_Axolotl == t->enc_type && CADET_TUNNEL_KEY_OK != t->estate)
2083 if (NULL != t->rekey_task)
2086 GNUNET_SCHEDULER_cancel (t->rekey_task);
2088 t->rekey_task = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS,
2095 * Callback called when a queued message is sent.
2097 * @param cls Closure.
2098 * @param c Connection this message was on.
2099 * @param type Type of message sent.
2100 * @param fwd Was this a FWD going message?
2101 * @param size Size of the message.
2104 pong_sent (void *cls,
2105 struct CadetConnection *c,
2106 struct CadetConnectionQueue *q,
2107 uint16_t type, int fwd, size_t size)
2109 struct CadetTunnel *t = cls;
2110 LOG (GNUNET_ERROR_TYPE_DEBUG, "pong_sent %s\n", GC_m2s (type));
2117 * Sends key exchange message on a tunnel, choosing the best connection.
2118 * Should not be called on loopback tunnels.
2120 * @param t Tunnel on which this message is transmitted.
2121 * @param message Message to send. Function modifies it.
2123 * @return Handle to the message in the connection queue.
2125 static struct CadetConnectionQueue *
2126 send_kx (struct CadetTunnel *t,
2127 const struct GNUNET_MessageHeader *message)
2129 struct CadetConnection *c;
2130 struct GNUNET_CADET_KX *msg;
2131 size_t size = ntohs (message->size);
2132 char cbuf[sizeof (struct GNUNET_CADET_KX) + size];
2137 LOG (GNUNET_ERROR_TYPE_DEBUG, "GMT KX on Tunnel %s\n", GCT_2s (t));
2139 /* Avoid loopback. */
2140 if (GCT_is_loopback (t))
2145 type = ntohs (message->type);
2147 /* Even if tunnel is "being destroyed", send anyway.
2148 * Could be a response to a rekey initiated by remote peer,
2149 * who is trying to create a new channel!
2152 /* Must have a connection, or be looking for one. */
2153 if (NULL == t->connection_head)
2155 LOG (GNUNET_ERROR_TYPE_DEBUG, "%s with no connection\n", GC_m2s (type));
2156 if (CADET_TUNNEL_SEARCHING != t->cstate)
2159 GCT_debug (t, GNUNET_ERROR_TYPE_ERROR);
2160 GCP_debug (t->peer, GNUNET_ERROR_TYPE_ERROR);
2165 msg = (struct GNUNET_CADET_KX *) cbuf;
2166 msg->header.type = htons (GNUNET_MESSAGE_TYPE_CADET_KX);
2167 msg->header.size = htons (sizeof (struct GNUNET_CADET_KX) + size);
2168 c = tunnel_get_connection (t);
2171 if (NULL == t->destroy_task && CADET_TUNNEL_READY == t->cstate)
2174 GCT_debug (t, GNUNET_ERROR_TYPE_ERROR);
2180 case GNUNET_MESSAGE_TYPE_CADET_KX_EPHEMERAL:
2181 case GNUNET_MESSAGE_TYPE_CADET_AX_KX:
2182 GNUNET_assert (NULL == t->ephm_h);
2185 case GNUNET_MESSAGE_TYPE_CADET_KX_PONG:
2186 GNUNET_assert (NULL == t->pong_h);
2191 LOG (GNUNET_ERROR_TYPE_DEBUG, "unkown type %s\n", GC_m2s (type));
2194 memcpy (&msg[1], message, size);
2196 fwd = GCC_is_origin (c, GNUNET_YES);
2198 return GCC_send_prebuilt_message (&msg->header, type, 0, c,
2205 * Send the ephemeral key on a tunnel.
2207 * @param t Tunnel on which to send the key.
2210 send_ephemeral (struct CadetTunnel *t)
2212 LOG (GNUNET_ERROR_TYPE_INFO, "===> EPHM for %s\n", GCT_2s (t));
2213 if (NULL != t->ephm_h)
2215 LOG (GNUNET_ERROR_TYPE_INFO, " already queued\n");
2219 otr_kx_msg.sender_status = htonl (t->estate);
2220 otr_kx_msg.iv = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
2221 otr_kx_msg.nonce = t->kx_ctx->challenge;
2222 LOG (GNUNET_ERROR_TYPE_DEBUG, " send nonce c %u\n", otr_kx_msg.nonce);
2223 t_encrypt (t, &otr_kx_msg.nonce, &otr_kx_msg.nonce,
2224 ping_encryption_size(), otr_kx_msg.iv, GNUNET_YES);
2225 LOG (GNUNET_ERROR_TYPE_DEBUG, " send nonce e %u\n", otr_kx_msg.nonce);
2226 t->ephm_h = send_kx (t, &otr_kx_msg.header);
2231 * Send a pong message on a tunnel.
2233 * @param t Tunnel on which to send the pong.
2234 * @param challenge Value sent in the ping that we have to send back.
2237 send_pong (struct CadetTunnel *t, uint32_t challenge)
2239 struct GNUNET_CADET_KX_Pong msg;
2241 LOG (GNUNET_ERROR_TYPE_INFO, "===> PONG for %s\n", GCT_2s (t));
2242 if (NULL != t->pong_h)
2244 LOG (GNUNET_ERROR_TYPE_INFO, " already queued\n");
2247 msg.header.size = htons (sizeof (msg));
2248 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_KX_PONG);
2249 msg.iv = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
2250 msg.nonce = challenge;
2251 LOG (GNUNET_ERROR_TYPE_DEBUG, " sending %u\n", msg.nonce);
2252 t_encrypt (t, &msg.nonce, &msg.nonce,
2253 sizeof (msg.nonce), msg.iv, GNUNET_YES);
2254 LOG (GNUNET_ERROR_TYPE_DEBUG, " e sending %u\n", msg.nonce);
2256 t->pong_h = send_kx (t, &msg.header);
2261 * Initiate a rekey with the remote peer.
2263 * @param cls Closure (tunnel).
2264 * @param tc TaskContext.
2267 rekey_tunnel (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
2269 struct CadetTunnel *t = cls;
2271 t->rekey_task = NULL;
2273 LOG (GNUNET_ERROR_TYPE_INFO, "Re-key Tunnel %s\n", GCT_2s (t));
2274 if (NULL != tc && 0 != (GNUNET_SCHEDULER_REASON_SHUTDOWN & tc->reason))
2277 GNUNET_assert (NULL != t->kx_ctx);
2278 struct GNUNET_TIME_Relative duration;
2280 duration = GNUNET_TIME_absolute_get_duration (t->kx_ctx->rekey_start_time);
2281 LOG (GNUNET_ERROR_TYPE_DEBUG, " kx started %s ago\n",
2282 GNUNET_STRINGS_relative_time_to_string (duration, GNUNET_YES));
2284 // FIXME make duration of old keys configurable
2285 if (duration.rel_value_us >= GNUNET_TIME_UNIT_MINUTES.rel_value_us)
2287 LOG (GNUNET_ERROR_TYPE_DEBUG, " deleting old keys\n");
2288 memset (&t->kx_ctx->d_key_old, 0, sizeof (t->kx_ctx->d_key_old));
2289 memset (&t->kx_ctx->e_key_old, 0, sizeof (t->kx_ctx->e_key_old));
2296 case CADET_TUNNEL_KEY_UNINITIALIZED:
2297 GCT_change_estate (t, CADET_TUNNEL_KEY_SENT);
2300 case CADET_TUNNEL_KEY_SENT:
2303 case CADET_TUNNEL_KEY_OK:
2305 * - state should have changed during rekey_iterator
2306 * - task should have been canceled at pong_handle
2309 GCT_change_estate (t, CADET_TUNNEL_KEY_REKEY);
2312 case CADET_TUNNEL_KEY_PING:
2313 case CADET_TUNNEL_KEY_REKEY:
2317 LOG (GNUNET_ERROR_TYPE_DEBUG, "Unexpected state %u\n", t->estate);
2320 // FIXME exponential backoff
2321 struct GNUNET_TIME_Relative delay;
2323 delay = GNUNET_TIME_relative_divide (rekey_period, 16);
2324 delay = GNUNET_TIME_relative_min (delay, REKEY_WAIT);
2325 LOG (GNUNET_ERROR_TYPE_DEBUG, " next call in %s\n",
2326 GNUNET_STRINGS_relative_time_to_string (delay, GNUNET_YES));
2327 t->rekey_task = GNUNET_SCHEDULER_add_delayed (delay, &rekey_tunnel, t);
2332 * Our ephemeral key has changed, create new session key on all tunnels.
2334 * Each tunnel will start the Key Exchange with a random delay between
2335 * 0 and number_of_tunnels*100 milliseconds, so there are 10 key exchanges
2336 * per second, on average.
2338 * @param cls Closure (size of the hashmap).
2339 * @param key Current public key.
2340 * @param value Value in the hash map (tunnel).
2342 * @return #GNUNET_YES, so we should continue to iterate,
2345 rekey_iterator (void *cls,
2346 const struct GNUNET_PeerIdentity *key,
2349 struct CadetTunnel *t = value;
2350 struct GNUNET_TIME_Relative delay;
2351 long n = (long) cls;
2354 if (NULL != t->rekey_task)
2357 if (GNUNET_YES == GCT_is_loopback (t))
2360 if (CADET_OTR != t->enc_type)
2363 r = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, (uint32_t) n * 100);
2364 delay = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS, r);
2365 t->rekey_task = GNUNET_SCHEDULER_add_delayed (delay, &rekey_tunnel, t);
2366 if (GNUNET_OK == create_kx_ctx (t))
2367 GCT_change_estate (t, CADET_TUNNEL_KEY_REKEY);
2379 * Create a new ephemeral key and key message, schedule next rekeying.
2381 * @param cls Closure (unused).
2382 * @param tc TaskContext.
2385 global_otr_rekey (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
2387 struct GNUNET_TIME_Absolute time;
2392 if (0 != (GNUNET_SCHEDULER_REASON_SHUTDOWN & tc->reason))
2395 GNUNET_free_non_null (otr_ephemeral_key);
2396 otr_ephemeral_key = GNUNET_CRYPTO_ecdhe_key_create ();
2398 time = GNUNET_TIME_absolute_get ();
2399 otr_kx_msg.creation_time = GNUNET_TIME_absolute_hton (time);
2400 time = GNUNET_TIME_absolute_add (time, rekey_period);
2401 time = GNUNET_TIME_absolute_add (time, GNUNET_TIME_UNIT_MINUTES);
2402 otr_kx_msg.expiration_time = GNUNET_TIME_absolute_hton (time);
2403 GNUNET_CRYPTO_ecdhe_key_get_public (otr_ephemeral_key, &otr_kx_msg.ephemeral_key);
2404 LOG (GNUNET_ERROR_TYPE_INFO, "GLOBAL OTR RE-KEY, NEW EPHM: %s\n",
2405 GNUNET_h2s ((struct GNUNET_HashCode *) &otr_kx_msg.ephemeral_key));
2407 GNUNET_assert (GNUNET_OK ==
2408 GNUNET_CRYPTO_eddsa_sign (id_key,
2409 &otr_kx_msg.purpose,
2410 &otr_kx_msg.signature));
2412 n = (long) GNUNET_CONTAINER_multipeermap_size (tunnels);
2413 GNUNET_CONTAINER_multipeermap_iterate (tunnels, &rekey_iterator, (void *) n);
2415 rekey_task = GNUNET_SCHEDULER_add_delayed (rekey_period,
2416 &global_otr_rekey, NULL);
2421 * Called only on shutdown, destroy every tunnel.
2423 * @param cls Closure (unused).
2424 * @param key Current public key.
2425 * @param value Value in the hash map (tunnel).
2427 * @return #GNUNET_YES, so we should continue to iterate,
2430 destroy_iterator (void *cls,
2431 const struct GNUNET_PeerIdentity *key,
2434 struct CadetTunnel *t = value;
2436 LOG (GNUNET_ERROR_TYPE_DEBUG, "GCT_shutdown destroying tunnel at %p\n", t);
2443 * Notify remote peer that we don't know a channel he is talking about,
2444 * probably CHANNEL_DESTROY was missed.
2446 * @param t Tunnel on which to notify.
2447 * @param gid ID of the channel.
2450 send_channel_destroy (struct CadetTunnel *t, unsigned int gid)
2452 struct GNUNET_CADET_ChannelManage msg;
2454 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY);
2455 msg.header.size = htons (sizeof (msg));
2456 msg.chid = htonl (gid);
2458 LOG (GNUNET_ERROR_TYPE_DEBUG,
2459 "WARNING destroying unknown channel %u on tunnel %s\n",
2461 send_prebuilt_message (&msg.header, t, NULL, GNUNET_YES, NULL, NULL, NULL);
2466 * Demultiplex data per channel and call appropriate channel handler.
2468 * @param t Tunnel on which the data came.
2469 * @param msg Data message.
2470 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
2471 * #GNUNET_YES if message is FWD on the respective channel (loopback)
2472 * #GNUNET_NO if message is BCK on the respective channel (loopback)
2473 * #GNUNET_SYSERR if message on a one-ended channel (remote)
2476 handle_data (struct CadetTunnel *t,
2477 const struct GNUNET_CADET_Data *msg,
2480 struct CadetChannel *ch;
2484 size = ntohs (msg->header.size);
2486 sizeof (struct GNUNET_CADET_Data) +
2487 sizeof (struct GNUNET_MessageHeader))
2492 LOG (GNUNET_ERROR_TYPE_DEBUG, " payload of type %s\n",
2493 GC_m2s (ntohs (msg[1].header.type)));
2496 ch = GCT_get_channel (t, ntohl (msg->chid));
2499 GNUNET_STATISTICS_update (stats, "# data on unknown channel",
2501 LOG (GNUNET_ERROR_TYPE_DEBUG, "WARNING channel 0x%X unknown\n",
2503 send_channel_destroy (t, ntohl (msg->chid));
2507 GCCH_handle_data (ch, msg, fwd);
2512 * Demultiplex data ACKs per channel and update appropriate channel buffer info.
2514 * @param t Tunnel on which the DATA ACK came.
2515 * @param msg DATA ACK message.
2516 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
2517 * #GNUNET_YES if message is FWD on the respective channel (loopback)
2518 * #GNUNET_NO if message is BCK on the respective channel (loopback)
2519 * #GNUNET_SYSERR if message on a one-ended channel (remote)
2522 handle_data_ack (struct CadetTunnel *t,
2523 const struct GNUNET_CADET_DataACK *msg,
2526 struct CadetChannel *ch;
2530 size = ntohs (msg->header.size);
2531 if (size != sizeof (struct GNUNET_CADET_DataACK))
2538 ch = GCT_get_channel (t, ntohl (msg->chid));
2541 GNUNET_STATISTICS_update (stats, "# data ack on unknown channel",
2543 LOG (GNUNET_ERROR_TYPE_DEBUG, "WARNING channel %u unknown\n",
2548 GCCH_handle_data_ack (ch, msg, fwd);
2553 * Handle channel create.
2555 * @param t Tunnel on which the data came.
2556 * @param msg Data message.
2559 handle_ch_create (struct CadetTunnel *t,
2560 const struct GNUNET_CADET_ChannelCreate *msg)
2562 struct CadetChannel *ch;
2566 size = ntohs (msg->header.size);
2567 if (size != sizeof (struct GNUNET_CADET_ChannelCreate))
2574 ch = GCT_get_channel (t, ntohl (msg->chid));
2575 if (NULL != ch && ! GCT_is_loopback (t))
2577 /* Probably a retransmission, safe to ignore */
2578 LOG (GNUNET_ERROR_TYPE_DEBUG, " already exists...\n");
2580 ch = GCCH_handle_create (t, msg);
2582 GCT_add_channel (t, ch);
2588 * Handle channel NACK: check correctness and call channel handler for NACKs.
2590 * @param t Tunnel on which the NACK came.
2591 * @param msg NACK message.
2594 handle_ch_nack (struct CadetTunnel *t,
2595 const struct GNUNET_CADET_ChannelManage *msg)
2597 struct CadetChannel *ch;
2601 size = ntohs (msg->header.size);
2602 if (size != sizeof (struct GNUNET_CADET_ChannelManage))
2609 ch = GCT_get_channel (t, ntohl (msg->chid));
2612 GNUNET_STATISTICS_update (stats, "# channel NACK on unknown channel",
2614 LOG (GNUNET_ERROR_TYPE_DEBUG, "WARNING channel %u unknown\n",
2619 GCCH_handle_nack (ch);
2624 * Handle a CHANNEL ACK (SYNACK/ACK).
2626 * @param t Tunnel on which the CHANNEL ACK came.
2627 * @param msg CHANNEL ACK message.
2628 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
2629 * #GNUNET_YES if message is FWD on the respective channel (loopback)
2630 * #GNUNET_NO if message is BCK on the respective channel (loopback)
2631 * #GNUNET_SYSERR if message on a one-ended channel (remote)
2634 handle_ch_ack (struct CadetTunnel *t,
2635 const struct GNUNET_CADET_ChannelManage *msg,
2638 struct CadetChannel *ch;
2642 size = ntohs (msg->header.size);
2643 if (size != sizeof (struct GNUNET_CADET_ChannelManage))
2650 ch = GCT_get_channel (t, ntohl (msg->chid));
2653 GNUNET_STATISTICS_update (stats, "# channel ack on unknown channel",
2655 LOG (GNUNET_ERROR_TYPE_DEBUG, "WARNING channel %u unknown\n",
2660 GCCH_handle_ack (ch, msg, fwd);
2665 * Handle a channel destruction message.
2667 * @param t Tunnel on which the message came.
2668 * @param msg Channel destroy message.
2669 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
2670 * #GNUNET_YES if message is FWD on the respective channel (loopback)
2671 * #GNUNET_NO if message is BCK on the respective channel (loopback)
2672 * #GNUNET_SYSERR if message on a one-ended channel (remote)
2675 handle_ch_destroy (struct CadetTunnel *t,
2676 const struct GNUNET_CADET_ChannelManage *msg,
2679 struct CadetChannel *ch;
2683 size = ntohs (msg->header.size);
2684 if (size != sizeof (struct GNUNET_CADET_ChannelManage))
2691 ch = GCT_get_channel (t, ntohl (msg->chid));
2694 /* Probably a retransmission, safe to ignore */
2698 GCCH_handle_destroy (ch, msg, fwd);
2703 * Create a new Axolotl ephemeral (ratchet) key.
2708 new_ephemeral (struct CadetTunnel *t)
2710 GNUNET_free_non_null (t->ax->DHRs);
2711 t->ax->DHRs = GNUNET_CRYPTO_ecdhe_key_create();
2716 * Free Axolotl data.
2721 destroy_ax (struct CadetTunnel *t)
2726 GNUNET_free_non_null (t->ax->DHRs);
2727 GNUNET_free_non_null (t->ax->kx_0);
2729 GNUNET_free (t->ax);
2732 if (NULL != t->rekey_task)
2734 GNUNET_SCHEDULER_cancel (t->rekey_task);
2735 t->rekey_task = NULL;
2737 if (NULL != t->ephm_h)
2739 GCC_cancel (t->ephm_h);
2747 * The peer's ephemeral key has changed: update the symmetrical keys.
2749 * @param t Tunnel this message came on.
2750 * @param msg Key eXchange message.
2753 handle_ephemeral (struct CadetTunnel *t,
2754 const struct GNUNET_CADET_KX_Ephemeral *msg)
2756 LOG (GNUNET_ERROR_TYPE_INFO, "<=== EPHM for %s\n", GCT_2s (t));
2758 if (GNUNET_OK != check_ephemeral (t, msg))
2760 GNUNET_break_op (0);
2764 /* If we get a proper OTR-style ephemeral, fallback to old crypto. */
2768 t->enc_type = CADET_OTR;
2769 if (NULL != t->rekey_task)
2770 GNUNET_SCHEDULER_cancel (t->rekey_task);
2771 if (GNUNET_OK != create_kx_ctx (t))
2777 rekey_tunnel (t, NULL);
2778 GNUNET_STATISTICS_update (stats, "# otr-downgrades", -1, GNUNET_NO);
2782 * If the key is different from what we know, derive the new E/D keys.
2783 * Else destroy the rekey ctx (duplicate EPHM after successful KX).
2785 if (0 != memcmp (&t->peers_ephemeral_key, &msg->ephemeral_key,
2786 sizeof (msg->ephemeral_key)))
2788 #if DUMP_KEYS_TO_STDERR
2789 LOG (GNUNET_ERROR_TYPE_INFO, "OLD: %s\n",
2790 GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
2791 LOG (GNUNET_ERROR_TYPE_INFO, "NEW: %s\n",
2792 GNUNET_h2s ((struct GNUNET_HashCode *) &msg->ephemeral_key));
2794 t->peers_ephemeral_key = msg->ephemeral_key;
2796 if (GNUNET_OK != create_kx_ctx (t))
2803 if (CADET_TUNNEL_KEY_OK == t->estate)
2805 GCT_change_estate (t, CADET_TUNNEL_KEY_REKEY);
2807 if (NULL != t->rekey_task)
2808 GNUNET_SCHEDULER_cancel (t->rekey_task);
2809 t->rekey_task = GNUNET_SCHEDULER_add_now (rekey_tunnel, t);
2811 if (CADET_TUNNEL_KEY_SENT == t->estate)
2813 LOG (GNUNET_ERROR_TYPE_DEBUG, " our key was sent, sending challenge\n");
2815 GCT_change_estate (t, CADET_TUNNEL_KEY_PING);
2818 if (CADET_TUNNEL_KEY_UNINITIALIZED != ntohl(msg->sender_status))
2822 LOG (GNUNET_ERROR_TYPE_DEBUG, " recv nonce e %u\n", msg->nonce);
2823 t_decrypt (t, &nonce, &msg->nonce, ping_encryption_size (), msg->iv);
2824 LOG (GNUNET_ERROR_TYPE_DEBUG, " recv nonce c %u\n", nonce);
2825 send_pong (t, nonce);
2831 * Peer has answer to our challenge.
2832 * If answer is successful, consider the key exchange finished and clean
2833 * up all related state.
2835 * @param t Tunnel this message came on.
2836 * @param msg Key eXchange Pong message.
2839 handle_pong (struct CadetTunnel *t, const struct GNUNET_CADET_KX_Pong *msg)
2843 LOG (GNUNET_ERROR_TYPE_INFO, "<=== PONG for %s\n", GCT_2s (t));
2844 if (NULL == t->rekey_task)
2846 GNUNET_STATISTICS_update (stats, "# duplicate PONG messages", 1, GNUNET_NO);
2849 if (NULL == t->kx_ctx)
2851 GNUNET_STATISTICS_update (stats, "# stray PONG messages", 1, GNUNET_NO);
2855 t_decrypt (t, &challenge, &msg->nonce, sizeof (uint32_t), msg->iv);
2856 if (challenge != t->kx_ctx->challenge)
2858 LOG (GNUNET_ERROR_TYPE_WARNING, "Wrong PONG challenge on %s\n", GCT_2s (t));
2859 LOG (GNUNET_ERROR_TYPE_DEBUG, "PONG: %u (e: %u). Expected: %u.\n",
2860 challenge, msg->nonce, t->kx_ctx->challenge);
2864 GNUNET_SCHEDULER_cancel (t->rekey_task);
2865 t->rekey_task = NULL;
2867 /* Don't free the old keys right away, but after a delay.
2868 * Rationale: the KX could have happened over a very fast connection,
2869 * with payload traffic still signed with the old key stuck in a slower
2871 * Don't keep the keys longer than 1/4 the rekey period, and no longer than
2875 GCT_change_estate (t, CADET_TUNNEL_KEY_OK);
2880 * Handle Axolotl handshake.
2882 * @param t Tunnel this message came on.
2883 * @param msg Key eXchange Pong message.
2886 handle_kx_ax (struct CadetTunnel *t, const struct GNUNET_CADET_AX_KX *msg)
2888 struct CadetTunnelAxolotl *ax;
2889 struct GNUNET_HashCode key_material[3];
2890 struct GNUNET_CRYPTO_SymmetricSessionKey keys[5];
2891 const struct GNUNET_CRYPTO_EcdhePublicKey *pub;
2892 const struct GNUNET_CRYPTO_EcdhePrivateKey *priv;
2893 const char salt[] = "CADET Axolotl salt";
2894 const struct GNUNET_PeerIdentity *pid;
2897 LOG (GNUNET_ERROR_TYPE_INFO, "<=== AX_KX on %s\n", GCT_2s (t));
2901 /* Something is wrong if ax is NULL. Whose fault it is? */
2902 GNUNET_break_op (CADET_OTR == t->enc_type);
2903 GNUNET_break (CADET_Axolotl == t->enc_type);
2907 if (GNUNET_OK != GCP_check_key (t->peer, &msg->permanent_key,
2908 &msg->purpose, &msg->signature))
2910 GNUNET_break_op (0);
2914 pid = GCT_get_destination (t);
2915 if (0 > GNUNET_CRYPTO_cmp_peer_identity (&my_full_id, pid))
2916 am_I_alice = GNUNET_YES;
2917 else if (0 < GNUNET_CRYPTO_cmp_peer_identity (&my_full_id, pid))
2918 am_I_alice = GNUNET_NO;
2921 GNUNET_break_op (0);
2925 if (GNUNET_YES == ntohl (msg->force_reply))
2926 GCT_send_ax_kx (t, GNUNET_NO);
2928 if (CADET_TUNNEL_KEY_OK == t->estate)
2931 LOG (GNUNET_ERROR_TYPE_INFO, " is Alice? %s\n", am_I_alice ? "YES" : "NO");
2934 ax->DHRr = msg->ratchet_key;
2935 ax->DHIr = msg->permanent_key;
2938 if (GNUNET_YES == am_I_alice)
2940 priv = ax_key; /* A */
2941 pub = &msg->ephemeral_key; /* B0 */
2945 priv = ax->kx_0; /* B0 */
2946 pub = &ax->DHIr; /* A */
2948 GNUNET_CRYPTO_ecc_ecdh (priv, pub, &key_material[0]);
2951 if (GNUNET_YES == am_I_alice)
2953 priv = ax->kx_0; /* A0 */
2954 pub = &ax->DHIr; /* B */
2958 priv = ax_key; /* B */
2959 pub = &msg->ephemeral_key; /* A0 */
2961 GNUNET_CRYPTO_ecc_ecdh (priv, pub, &key_material[1]);
2964 priv = ax->kx_0; /* A0 or B0 */
2965 pub = &msg->ephemeral_key; /* B0 or A0 */
2966 GNUNET_CRYPTO_ecc_ecdh (priv, pub, &key_material[2]);
2968 #if DUMP_KEYS_TO_STDERR
2971 for (i = 0; i < 3; i++)
2972 LOG (GNUNET_ERROR_TYPE_INFO, "km[%u]: %s\n",
2973 i, GNUNET_h2s (&key_material[i]));
2978 GNUNET_CRYPTO_kdf (keys, sizeof (keys),
2979 salt, sizeof (salt),
2980 &key_material, sizeof (key_material), NULL);
2983 if (GNUNET_YES == am_I_alice)
2989 ax->ratchet_flag = GNUNET_YES;
2997 ax->ratchet_flag = GNUNET_NO;
2998 ax->ratchet_allowed = GNUNET_NO;
2999 ax->ratchet_counter = 0;
3000 ax->ratchet_expiration =
3001 GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(), ratchet_time);
3003 GCT_change_estate (t, CADET_TUNNEL_KEY_OK);
3008 * Demultiplex by message type and call appropriate handler for a message
3009 * towards a channel of a local tunnel.
3011 * @param t Tunnel this message came on.
3012 * @param msgh Message header.
3013 * @param fwd Is this message fwd? This only is meaningful in loopback channels.
3014 * #GNUNET_YES if message is FWD on the respective channel (loopback)
3015 * #GNUNET_NO if message is BCK on the respective channel (loopback)
3016 * #GNUNET_SYSERR if message on a one-ended channel (remote)
3019 handle_decrypted (struct CadetTunnel *t,
3020 const struct GNUNET_MessageHeader *msgh,
3025 type = ntohs (msgh->type);
3026 LOG (GNUNET_ERROR_TYPE_INFO, "<=== %s on %s\n", GC_m2s (type), GCT_2s (t));
3030 case GNUNET_MESSAGE_TYPE_CADET_KEEPALIVE:
3031 /* Do nothing, connection aleady got updated. */
3032 GNUNET_STATISTICS_update (stats, "# keepalives received", 1, GNUNET_NO);
3035 case GNUNET_MESSAGE_TYPE_CADET_DATA:
3036 /* Don't send hop ACK, wait for client to ACK */
3037 handle_data (t, (struct GNUNET_CADET_Data *) msgh, fwd);
3040 case GNUNET_MESSAGE_TYPE_CADET_DATA_ACK:
3041 handle_data_ack (t, (struct GNUNET_CADET_DataACK *) msgh, fwd);
3044 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_CREATE:
3045 handle_ch_create (t, (struct GNUNET_CADET_ChannelCreate *) msgh);
3048 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_NACK:
3049 handle_ch_nack (t, (struct GNUNET_CADET_ChannelManage *) msgh);
3052 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_ACK:
3053 handle_ch_ack (t, (struct GNUNET_CADET_ChannelManage *) msgh, fwd);
3056 case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY:
3057 handle_ch_destroy (t, (struct GNUNET_CADET_ChannelManage *) msgh, fwd);
3061 GNUNET_break_op (0);
3062 LOG (GNUNET_ERROR_TYPE_WARNING,
3063 "end-to-end message not known (%u)\n",
3064 ntohs (msgh->type));
3065 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
3069 /******************************************************************************/
3070 /******************************** API ***********************************/
3071 /******************************************************************************/
3073 * Decrypt old format and demultiplex by message type. Call appropriate handler
3074 * for a message towards a channel of a local tunnel.
3076 * @param t Tunnel this message came on.
3077 * @param msg Message header.
3080 GCT_handle_encrypted (struct CadetTunnel *t,
3081 const struct GNUNET_MessageHeader *msg)
3083 uint16_t size = ntohs (msg->size);
3085 size_t payload_size;
3088 struct GNUNET_MessageHeader *msgh;
3091 type = ntohs (msg->type);
3092 if (GNUNET_MESSAGE_TYPE_CADET_ENCRYPTED == type)
3094 const struct GNUNET_CADET_Encrypted *emsg;
3096 emsg = (struct GNUNET_CADET_Encrypted *) msg;
3097 payload_size = size - sizeof (struct GNUNET_CADET_Encrypted);
3098 decrypted_size = t_decrypt_and_validate (t, cbuf, &emsg[1], payload_size,
3099 emsg->iv, &emsg->hmac);
3101 else if (GNUNET_MESSAGE_TYPE_CADET_AX == type)
3103 const struct GNUNET_CADET_AX *emsg;
3105 emsg = (struct GNUNET_CADET_AX *) msg;
3106 decrypted_size = t_ax_decrypt_and_validate (t, cbuf, emsg, size);
3109 if (-1 == decrypted_size)
3111 GNUNET_break_op (0);
3116 while (off < decrypted_size)
3120 msgh = (struct GNUNET_MessageHeader *) &cbuf[off];
3121 msize = ntohs (msgh->size);
3122 if (msize < sizeof (struct GNUNET_MessageHeader))
3124 GNUNET_break_op (0);
3127 handle_decrypted (t, msgh, GNUNET_SYSERR);
3134 * Demultiplex an encapsulated KX message by message type.
3136 * @param t Tunnel on which the message came.
3137 * @param message Payload of KX message.
3140 GCT_handle_kx (struct CadetTunnel *t,
3141 const struct GNUNET_MessageHeader *message)
3145 type = ntohs (message->type);
3146 LOG (GNUNET_ERROR_TYPE_DEBUG, "kx message received: %s\n", GC_m2s (type));
3149 case GNUNET_MESSAGE_TYPE_CADET_KX_EPHEMERAL:
3150 handle_ephemeral (t, (const struct GNUNET_CADET_KX_Ephemeral *) message);
3153 case GNUNET_MESSAGE_TYPE_CADET_KX_PONG:
3154 handle_pong (t, (const struct GNUNET_CADET_KX_Pong *) message);
3157 case GNUNET_MESSAGE_TYPE_CADET_AX_KX:
3158 handle_kx_ax (t, (const struct GNUNET_CADET_AX_KX *) message);
3162 GNUNET_break_op (0);
3163 LOG (GNUNET_ERROR_TYPE_WARNING, "kx message %s unknown\n", GC_m2s (type));
3168 * Initialize the tunnel subsystem.
3170 * @param c Configuration handle.
3171 * @param key ECC private key, to derive all other keys and do crypto.
3174 GCT_init (const struct GNUNET_CONFIGURATION_Handle *c,
3175 const struct GNUNET_CRYPTO_EddsaPrivateKey *key)
3177 int expected_overhead;
3179 LOG (GNUNET_ERROR_TYPE_DEBUG, "init\n");
3181 expected_overhead = 0;
3182 expected_overhead += sizeof (struct GNUNET_CADET_Encrypted);
3183 expected_overhead += sizeof (struct GNUNET_CADET_Data);
3184 expected_overhead += sizeof (struct GNUNET_CADET_ACK);
3185 GNUNET_assert (GNUNET_CONSTANTS_CADET_P2P_OVERHEAD == expected_overhead);
3188 GNUNET_CONFIGURATION_get_value_number (c, "CADET", "DEFAULT_TTL",
3191 GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_DEBUG,
3192 "CADET", "DEFAULT_TTL", "USING DEFAULT");
3196 GNUNET_CONFIGURATION_get_value_time (c, "CADET", "REKEY_PERIOD",
3199 rekey_period = GNUNET_TIME_UNIT_DAYS;
3202 GNUNET_CONFIGURATION_get_value_number (c, "CADET", "RATCHET_MESSAGES",
3205 GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_WARNING,
3206 "CADET", "RATCHET_MESSAGES", "USING DEFAULT");
3207 ratchet_messages = 64;
3210 GNUNET_CONFIGURATION_get_value_time (c, "CADET", "RATCHET_TIME",
3213 GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_WARNING,
3214 "CADET", "RATCHET_TIME", "USING DEFAULT");
3215 ratchet_time = GNUNET_TIME_UNIT_HOURS;
3221 otr_kx_msg.header.size = htons (sizeof (otr_kx_msg));
3222 otr_kx_msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_KX_EPHEMERAL);
3223 otr_kx_msg.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CADET_KX);
3224 otr_kx_msg.purpose.size = htonl (ephemeral_purpose_size ());
3225 otr_kx_msg.origin_identity = my_full_id;
3226 rekey_task = GNUNET_SCHEDULER_add_now (&global_otr_rekey, NULL);
3228 ax_key = GNUNET_CRYPTO_ecdhe_key_create ();
3229 GNUNET_CRYPTO_ecdhe_key_get_public (ax_key, &ax_identity.permanent_key);
3230 ax_identity.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CADET_AXKX);
3231 ax_identity.purpose.size = htonl (ax_purpose_size ());
3232 GNUNET_assert (GNUNET_OK ==
3233 GNUNET_CRYPTO_eddsa_sign (id_key,
3234 &ax_identity.purpose,
3235 &ax_identity.signature));
3237 tunnels = GNUNET_CONTAINER_multipeermap_create (128, GNUNET_YES);
3242 * Shut down the tunnel subsystem.
3247 if (NULL != rekey_task)
3249 GNUNET_SCHEDULER_cancel (rekey_task);
3252 GNUNET_CONTAINER_multipeermap_iterate (tunnels, &destroy_iterator, NULL);
3253 GNUNET_CONTAINER_multipeermap_destroy (tunnels);
3254 GNUNET_free (ax_key);
3261 * @param destination Peer this tunnel is towards.
3263 struct CadetTunnel *
3264 GCT_new (struct CadetPeer *destination)
3266 struct CadetTunnel *t;
3268 t = GNUNET_new (struct CadetTunnel);
3270 t->peer = destination;
3273 GNUNET_CONTAINER_multipeermap_put (tunnels, GCP_get_id (destination), t,
3274 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_FAST))
3280 t->ax = GNUNET_new (struct CadetTunnelAxolotl);
3282 t->ax->kx_0 = GNUNET_CRYPTO_ecdhe_key_create ();
3288 * Change the tunnel's connection state.
3290 * @param t Tunnel whose connection state to change.
3291 * @param cstate New connection state.
3294 GCT_change_cstate (struct CadetTunnel* t, enum CadetTunnelCState cstate)
3298 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s cstate %s => %s\n",
3299 GCP_2s (t->peer), cstate2s (t->cstate), cstate2s (cstate));
3300 if (myid != GCP_get_short_id (t->peer) &&
3301 CADET_TUNNEL_READY != t->cstate &&
3302 CADET_TUNNEL_READY == cstate)
3305 if (CADET_TUNNEL_KEY_OK == t->estate)
3307 LOG (GNUNET_ERROR_TYPE_DEBUG, " cstate triggered send queued data\n");
3308 send_queued_data (t);
3310 else if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
3312 LOG (GNUNET_ERROR_TYPE_DEBUG, " cstate triggered kx\n");
3313 GCT_send_ax_kx (t, GNUNET_NO);
3317 LOG (GNUNET_ERROR_TYPE_DEBUG, "estate %s\n", estate2s (t->estate));
3322 if (CADET_TUNNEL_READY == cstate
3323 && CONNECTIONS_PER_TUNNEL <= GCT_count_connections (t))
3325 LOG (GNUNET_ERROR_TYPE_DEBUG, " cstate triggered stop dht\n");
3326 GCP_stop_search (t->peer);
3332 * Change the tunnel encryption state.
3334 * @param t Tunnel whose encryption state to change, or NULL.
3335 * @param state New encryption state.
3338 GCT_change_estate (struct CadetTunnel* t, enum CadetTunnelEState state)
3340 enum CadetTunnelEState old;
3347 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s estate was %s\n",
3348 GCP_2s (t->peer), estate2s (old));
3349 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s estate is now %s\n",
3350 GCP_2s (t->peer), estate2s (t->estate));
3352 /* Send queued data if enc state changes to OK */
3353 if (myid != GCP_get_short_id (t->peer) &&
3354 CADET_TUNNEL_KEY_OK != old && CADET_TUNNEL_KEY_OK == t->estate)
3356 send_queued_data (t);
3362 * @brief Check if tunnel has too many connections, and remove one if necessary.
3364 * Currently this means the newest connection, unless it is a direct one.
3365 * Implemented as a task to avoid freeing a connection that is in the middle
3366 * of being created/processed.
3368 * @param cls Closure (Tunnel to check).
3369 * @param tc Task context.
3372 trim_connections (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
3374 struct CadetTunnel *t = cls;
3376 t->trim_connections_task = NULL;
3378 if (0 != (tc->reason & GNUNET_SCHEDULER_REASON_SHUTDOWN))
3381 if (GCT_count_connections (t) > 2 * CONNECTIONS_PER_TUNNEL)
3383 struct CadetTConnection *iter;
3384 struct CadetTConnection *c;
3386 for (c = iter = t->connection_head; NULL != iter; iter = iter->next)
3388 if ((iter->created.abs_value_us > c->created.abs_value_us)
3389 && GNUNET_NO == GCC_is_direct (iter->c))
3396 LOG (GNUNET_ERROR_TYPE_DEBUG, "Too many connections on tunnel %s\n",
3398 LOG (GNUNET_ERROR_TYPE_DEBUG, "Destroying connection %s\n",
3411 * Add a connection to a tunnel.
3414 * @param c Connection.
3417 GCT_add_connection (struct CadetTunnel *t, struct CadetConnection *c)
3419 struct CadetTConnection *aux;
3421 GNUNET_assert (NULL != c);
3423 LOG (GNUNET_ERROR_TYPE_DEBUG, "add connection %s\n", GCC_2s (c));
3424 LOG (GNUNET_ERROR_TYPE_DEBUG, " to tunnel %s\n", GCT_2s (t));
3425 for (aux = t->connection_head; aux != NULL; aux = aux->next)
3429 aux = GNUNET_new (struct CadetTConnection);
3431 aux->created = GNUNET_TIME_absolute_get ();
3433 GNUNET_CONTAINER_DLL_insert (t->connection_head, t->connection_tail, aux);
3435 if (CADET_TUNNEL_SEARCHING == t->cstate)
3436 GCT_change_cstate (t, CADET_TUNNEL_WAITING);
3438 if (NULL != t->trim_connections_task)
3439 t->trim_connections_task = GNUNET_SCHEDULER_add_now (&trim_connections, t);
3444 * Remove a connection from a tunnel.
3447 * @param c Connection.
3450 GCT_remove_connection (struct CadetTunnel *t,
3451 struct CadetConnection *c)
3453 struct CadetTConnection *aux;
3454 struct CadetTConnection *next;
3457 LOG (GNUNET_ERROR_TYPE_DEBUG, "Removing connection %s from tunnel %s\n",
3458 GCC_2s (c), GCT_2s (t));
3459 for (aux = t->connection_head; aux != NULL; aux = next)
3464 GNUNET_CONTAINER_DLL_remove (t->connection_head, t->connection_tail, aux);
3469 conns = GCT_count_connections (t);
3471 && NULL == t->destroy_task
3472 && CADET_TUNNEL_SHUTDOWN != t->cstate
3473 && GNUNET_NO == shutting_down)
3475 if (0 == GCT_count_any_connections (t))
3476 GCT_change_cstate (t, CADET_TUNNEL_SEARCHING);
3478 GCT_change_cstate (t, CADET_TUNNEL_WAITING);
3481 /* Start new connections if needed */
3482 if (CONNECTIONS_PER_TUNNEL > conns
3483 && NULL == t->destroy_task
3484 && CADET_TUNNEL_SHUTDOWN != t->cstate
3485 && GNUNET_NO == shutting_down)
3487 LOG (GNUNET_ERROR_TYPE_DEBUG, " too few connections, getting new ones\n");
3488 GCP_connect (t->peer); /* Will change cstate to WAITING when possible */
3492 /* If not marked as ready, no change is needed */
3493 if (CADET_TUNNEL_READY != t->cstate)
3496 /* Check if any connection is ready to maintain cstate */
3497 for (aux = t->connection_head; aux != NULL; aux = aux->next)
3498 if (CADET_CONNECTION_READY == GCC_get_state (aux->c))
3504 * Add a channel to a tunnel.
3507 * @param ch Channel.
3510 GCT_add_channel (struct CadetTunnel *t, struct CadetChannel *ch)
3512 struct CadetTChannel *aux;
3514 GNUNET_assert (NULL != ch);
3516 LOG (GNUNET_ERROR_TYPE_DEBUG, "Adding channel %p to tunnel %p\n", ch, t);
3518 for (aux = t->channel_head; aux != NULL; aux = aux->next)
3520 LOG (GNUNET_ERROR_TYPE_DEBUG, " already there %p\n", aux->ch);
3525 aux = GNUNET_new (struct CadetTChannel);
3527 LOG (GNUNET_ERROR_TYPE_DEBUG, " adding %p to %p\n", aux, t->channel_head);
3528 GNUNET_CONTAINER_DLL_insert_tail (t->channel_head, t->channel_tail, aux);
3530 if (NULL != t->destroy_task)
3532 GNUNET_SCHEDULER_cancel (t->destroy_task);
3533 t->destroy_task = NULL;
3534 LOG (GNUNET_ERROR_TYPE_DEBUG, " undo destroy!\n");
3540 * Remove a channel from a tunnel.
3543 * @param ch Channel.
3546 GCT_remove_channel (struct CadetTunnel *t, struct CadetChannel *ch)
3548 struct CadetTChannel *aux;
3550 LOG (GNUNET_ERROR_TYPE_DEBUG, "Removing channel %p from tunnel %p\n", ch, t);
3551 for (aux = t->channel_head; aux != NULL; aux = aux->next)
3555 LOG (GNUNET_ERROR_TYPE_DEBUG, " found! %s\n", GCCH_2s (ch));
3556 GNUNET_CONTAINER_DLL_remove (t->channel_head, t->channel_tail, aux);
3565 * Search for a channel by global ID.
3567 * @param t Tunnel containing the channel.
3568 * @param chid Public channel number.
3570 * @return channel handler, NULL if doesn't exist
3572 struct CadetChannel *
3573 GCT_get_channel (struct CadetTunnel *t, CADET_ChannelNumber chid)
3575 struct CadetTChannel *iter;
3580 for (iter = t->channel_head; NULL != iter; iter = iter->next)
3582 if (GCCH_get_id (iter->ch) == chid)
3586 return NULL == iter ? NULL : iter->ch;
3591 * @brief Destroy a tunnel and free all resources.
3593 * Should only be called a while after the tunnel has been marked as destroyed,
3594 * in case there is a new channel added to the same peer shortly after marking
3595 * the tunnel. This way we avoid a new public key handshake.
3597 * @param cls Closure (tunnel to destroy).
3598 * @param tc Task context.
3601 delayed_destroy (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
3603 struct CadetTunnel *t = cls;
3604 struct CadetTConnection *iter;
3606 LOG (GNUNET_ERROR_TYPE_DEBUG, "delayed destroying tunnel %p\n", t);
3607 if (0 != (GNUNET_SCHEDULER_REASON_SHUTDOWN & tc->reason))
3609 LOG (GNUNET_ERROR_TYPE_WARNING,
3610 "Not destroying tunnel, due to shutdown. "
3611 "Tunnel at %p should have been freed by GCT_shutdown\n", t);
3614 t->destroy_task = NULL;
3615 t->cstate = CADET_TUNNEL_SHUTDOWN;
3617 for (iter = t->connection_head; NULL != iter; iter = iter->next)
3619 GCC_send_destroy (iter->c);
3626 * Tunnel is empty: destroy it.
3628 * Notifies all connections about the destruction.
3630 * @param t Tunnel to destroy.
3633 GCT_destroy_empty (struct CadetTunnel *t)
3635 if (GNUNET_YES == shutting_down)
3636 return; /* Will be destroyed immediately anyway */
3638 if (NULL != t->destroy_task)
3640 LOG (GNUNET_ERROR_TYPE_WARNING,
3641 "Tunnel %s is already scheduled for destruction. Tunnel debug dump:\n",
3643 GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
3645 /* should never happen, tunnel can only become empty once, and the
3646 * task identifier should be NO_TASK (cleaned when the tunnel was created
3647 * or became un-empty)
3652 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s empty: scheduling destruction\n",
3655 // FIXME make delay a config option
3656 t->destroy_task = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_MINUTES,
3657 &delayed_destroy, t);
3658 LOG (GNUNET_ERROR_TYPE_DEBUG, "Scheduled destroy of %p as %llu\n",
3659 t, t->destroy_task);
3664 * Destroy tunnel if empty (no more channels).
3666 * @param t Tunnel to destroy if empty.
3669 GCT_destroy_if_empty (struct CadetTunnel *t)
3671 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s destroy if empty\n", GCT_2s (t));
3672 if (0 < GCT_count_channels (t))
3675 GCT_destroy_empty (t);
3680 * Destroy the tunnel.
3682 * This function does not generate any warning traffic to clients or peers.
3685 * Cancel messages belonging to this tunnel queued to neighbors.
3686 * Free any allocated resources linked to the tunnel.
3688 * @param t The tunnel to destroy.
3691 GCT_destroy (struct CadetTunnel *t)
3693 struct CadetTConnection *iter_c;
3694 struct CadetTConnection *next_c;
3695 struct CadetTChannel *iter_ch;
3696 struct CadetTChannel *next_ch;
3701 LOG (GNUNET_ERROR_TYPE_DEBUG, "destroying tunnel %s\n", GCP_2s (t->peer));
3703 GNUNET_break (GNUNET_YES ==
3704 GNUNET_CONTAINER_multipeermap_remove (tunnels,
3705 GCP_get_id (t->peer), t));
3707 for (iter_c = t->connection_head; NULL != iter_c; iter_c = next_c)
3709 next_c = iter_c->next;
3710 GCC_destroy (iter_c->c);
3712 for (iter_ch = t->channel_head; NULL != iter_ch; iter_ch = next_ch)
3714 next_ch = iter_ch->next;
3715 GCCH_destroy (iter_ch->ch);
3716 /* Should only happen on shutdown, but it's ok. */
3719 if (NULL != t->destroy_task)
3721 LOG (GNUNET_ERROR_TYPE_DEBUG, "cancelling dest: %llX\n", t->destroy_task);
3722 GNUNET_SCHEDULER_cancel (t->destroy_task);
3723 t->destroy_task = NULL;
3726 if (NULL != t->trim_connections_task)
3728 LOG (GNUNET_ERROR_TYPE_DEBUG, "cancelling trim: %llX\n",
3729 t->trim_connections_task);
3730 GNUNET_SCHEDULER_cancel (t->trim_connections_task);
3731 t->trim_connections_task = NULL;
3734 GNUNET_STATISTICS_update (stats, "# tunnels", -1, GNUNET_NO);
3735 GCP_set_tunnel (t->peer, NULL);
3737 if (NULL != t->rekey_task)
3739 GNUNET_SCHEDULER_cancel (t->rekey_task);
3740 t->rekey_task = NULL;
3742 if (NULL != t->kx_ctx)
3744 if (NULL != t->kx_ctx->finish_task)
3745 GNUNET_SCHEDULER_cancel (t->kx_ctx->finish_task);
3746 GNUNET_free (t->kx_ctx);
3757 * @brief Use the given path for the tunnel.
3758 * Update the next and prev hops (and RCs).
3759 * (Re)start the path refresh in case the tunnel is locally owned.
3761 * @param t Tunnel to update.
3762 * @param p Path to use.
3764 * @return Connection created.
3766 struct CadetConnection *
3767 GCT_use_path (struct CadetTunnel *t, struct CadetPeerPath *p)
3769 struct CadetConnection *c;
3770 struct GNUNET_CADET_Hash cid;
3771 unsigned int own_pos;
3773 if (NULL == t || NULL == p)
3779 if (CADET_TUNNEL_SHUTDOWN == t->cstate)
3785 for (own_pos = 0; own_pos < p->length; own_pos++)
3787 if (p->peers[own_pos] == myid)
3790 if (own_pos >= p->length)
3792 GNUNET_break_op (0);
3796 GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE, &cid, sizeof (cid));
3797 c = GCC_new (&cid, t, p, own_pos);
3800 /* Path was flawed */
3803 GCT_add_connection (t, c);
3809 * Count all created connections of a tunnel. Not necessarily ready connections!
3811 * @param t Tunnel on which to count.
3813 * @return Number of connections created, either being established or ready.
3816 GCT_count_any_connections (struct CadetTunnel *t)
3818 struct CadetTConnection *iter;
3824 for (count = 0, iter = t->connection_head; NULL != iter; iter = iter->next)
3832 * Count established (ready) connections of a tunnel.
3834 * @param t Tunnel on which to count.
3836 * @return Number of connections.
3839 GCT_count_connections (struct CadetTunnel *t)
3841 struct CadetTConnection *iter;
3847 for (count = 0, iter = t->connection_head; NULL != iter; iter = iter->next)
3848 if (CADET_CONNECTION_READY == GCC_get_state (iter->c))
3856 * Count channels of a tunnel.
3858 * @param t Tunnel on which to count.
3860 * @return Number of channels.
3863 GCT_count_channels (struct CadetTunnel *t)
3865 struct CadetTChannel *iter;
3868 for (count = 0, iter = t->channel_head;
3870 iter = iter->next, count++) /* skip */;
3877 * Get the connectivity state of a tunnel.
3881 * @return Tunnel's connectivity state.
3883 enum CadetTunnelCState
3884 GCT_get_cstate (struct CadetTunnel *t)
3889 return (enum CadetTunnelCState) -1;
3896 * Get the encryption state of a tunnel.
3900 * @return Tunnel's encryption state.
3902 enum CadetTunnelEState
3903 GCT_get_estate (struct CadetTunnel *t)
3908 return (enum CadetTunnelEState) -1;
3914 * Get the maximum buffer space for a tunnel towards a local client.
3918 * @return Biggest buffer space offered by any channel in the tunnel.
3921 GCT_get_channels_buffer (struct CadetTunnel *t)
3923 struct CadetTChannel *iter;
3924 unsigned int buffer;
3925 unsigned int ch_buf;
3927 if (NULL == t->channel_head)
3929 /* Probably getting buffer for a channel create/handshake. */
3930 LOG (GNUNET_ERROR_TYPE_DEBUG, " no channels, allow max\n");
3935 for (iter = t->channel_head; NULL != iter; iter = iter->next)
3937 ch_buf = get_channel_buffer (iter);
3938 if (ch_buf > buffer)
3946 * Get the total buffer space for a tunnel for P2P traffic.
3950 * @return Buffer space offered by all connections in the tunnel.
3953 GCT_get_connections_buffer (struct CadetTunnel *t)
3955 struct CadetTConnection *iter;
3956 unsigned int buffer;
3958 if (GNUNET_NO == is_ready (t))
3960 if (count_queued_data (t) > 3)
3967 for (iter = t->connection_head; NULL != iter; iter = iter->next)
3969 if (GCC_get_state (iter->c) != CADET_CONNECTION_READY)
3973 buffer += get_connection_buffer (iter);
3981 * Get the tunnel's destination.
3985 * @return ID of the destination peer.
3987 const struct GNUNET_PeerIdentity *
3988 GCT_get_destination (struct CadetTunnel *t)
3990 return GCP_get_id (t->peer);
3995 * Get the tunnel's next free global channel ID.
3999 * @return GID of a channel free to use.
4002 GCT_get_next_chid (struct CadetTunnel *t)
4004 CADET_ChannelNumber chid;
4005 CADET_ChannelNumber mask;
4008 /* Set bit 30 depending on the ID relationship. Bit 31 is always 0 for GID.
4009 * If our ID is bigger or loopback tunnel, start at 0, bit 30 = 0
4010 * If peer's ID is bigger, start at 0x4... bit 30 = 1
4012 result = GNUNET_CRYPTO_cmp_peer_identity (&my_full_id, GCP_get_id (t->peer));
4017 t->next_chid |= mask;
4019 while (NULL != GCT_get_channel (t, t->next_chid))
4021 LOG (GNUNET_ERROR_TYPE_DEBUG, "Channel %u exists...\n", t->next_chid);
4022 t->next_chid = (t->next_chid + 1) & ~GNUNET_CADET_LOCAL_CHANNEL_ID_CLI;
4023 t->next_chid |= mask;
4025 chid = t->next_chid;
4026 t->next_chid = (t->next_chid + 1) & ~GNUNET_CADET_LOCAL_CHANNEL_ID_CLI;
4027 t->next_chid |= mask;
4034 * Send ACK on one or more channels due to buffer in connections.
4036 * @param t Channel which has some free buffer space.
4039 GCT_unchoke_channels (struct CadetTunnel *t)
4041 struct CadetTChannel *iter;
4042 unsigned int buffer;
4043 unsigned int channels = GCT_count_channels (t);
4044 unsigned int choked_n;
4045 struct CadetChannel *choked[channels];
4047 LOG (GNUNET_ERROR_TYPE_DEBUG, "GCT_unchoke_channels on %s\n", GCT_2s (t));
4048 LOG (GNUNET_ERROR_TYPE_DEBUG, " head: %p\n", t->channel_head);
4049 if (NULL != t->channel_head)
4050 LOG (GNUNET_ERROR_TYPE_DEBUG, " head ch: %p\n", t->channel_head->ch);
4052 /* Get buffer space */
4053 buffer = GCT_get_connections_buffer (t);
4059 /* Count and remember choked channels */
4061 for (iter = t->channel_head; NULL != iter; iter = iter->next)
4063 if (GNUNET_NO == get_channel_allowed (iter))
4065 choked[choked_n++] = iter->ch;
4069 /* Unchoke random channels */
4070 while (0 < buffer && 0 < choked_n)
4072 unsigned int r = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK,
4074 GCCH_allow_client (choked[r], GCCH_is_origin (choked[r], GNUNET_YES));
4077 choked[r] = choked[choked_n];
4083 * Send ACK on one or more connections due to buffer space to the client.
4085 * Iterates all connections of the tunnel and sends ACKs appropriately.
4090 GCT_send_connection_acks (struct CadetTunnel *t)
4092 struct CadetTConnection *iter;
4095 uint32_t allow_per_connection;
4097 unsigned int buffer;
4099 LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel send connection ACKs on %s\n",
4108 if (CADET_TUNNEL_READY != t->cstate)
4111 buffer = GCT_get_channels_buffer (t);
4112 LOG (GNUNET_ERROR_TYPE_DEBUG, " buffer %u\n", buffer);
4114 /* Count connections, how many messages are already allowed */
4115 cs = GCT_count_connections (t);
4116 for (allowed = 0, iter = t->connection_head; NULL != iter; iter = iter->next)
4118 allowed += get_connection_allowed (iter);
4120 LOG (GNUNET_ERROR_TYPE_DEBUG, " allowed %u\n", allowed);
4122 /* Make sure there is no overflow */
4123 if (allowed > buffer)
4126 /* Authorize connections to send more data */
4127 to_allow = buffer - allowed;
4129 for (iter = t->connection_head;
4130 NULL != iter && to_allow > 0;
4133 if (CADET_CONNECTION_READY != GCC_get_state (iter->c)
4134 || get_connection_allowed (iter) > 64 / 3)
4138 allow_per_connection = to_allow/cs;
4139 to_allow -= allow_per_connection;
4141 GCC_allow (iter->c, allow_per_connection,
4142 GCC_is_origin (iter->c, GNUNET_NO));
4147 /* Since we don't allow if it's allowed to send 64/3, this can happen. */
4148 LOG (GNUNET_ERROR_TYPE_DEBUG, " reminding to_allow: %u\n", to_allow);
4154 * Cancel a previously sent message while it's in the queue.
4156 * ONLY can be called before the continuation given to the send function
4157 * is called. Once the continuation is called, the message is no longer in the
4160 * @param q Handle to the queue.
4163 GCT_cancel (struct CadetTunnelQueue *q)
4168 /* tun_message_sent() will be called and free q */
4170 else if (NULL != q->tqd)
4172 unqueue_data (q->tqd);
4174 if (NULL != q->cont)
4175 q->cont (q->cont_cls, NULL, q, 0, 0);
4186 * Sends an already built message on a tunnel, encrypting it and
4187 * choosing the best connection if not provided.
4189 * @param message Message to send. Function modifies it.
4190 * @param t Tunnel on which this message is transmitted.
4191 * @param c Connection to use (autoselect if NULL).
4192 * @param force Force the tunnel to take the message (buffer overfill).
4193 * @param cont Continuation to call once message is really sent.
4194 * @param cont_cls Closure for @c cont.
4196 * @return Handle to cancel message. NULL if @c cont is NULL.
4198 struct CadetTunnelQueue *
4199 GCT_send_prebuilt_message (const struct GNUNET_MessageHeader *message,
4200 struct CadetTunnel *t, struct CadetConnection *c,
4201 int force, GCT_sent cont, void *cont_cls)
4203 return send_prebuilt_message (message, t, c, force, cont, cont_cls, NULL);
4208 * Send an Axolotl KX message.
4210 * @param t Tunnel on which to send it.
4211 * @param force_reply Force the other peer to reply with a KX message.
4214 GCT_send_ax_kx (struct CadetTunnel *t, int force_reply)
4216 struct GNUNET_CADET_AX_KX msg;
4218 LOG (GNUNET_ERROR_TYPE_INFO, "===> AX_KX for %s\n", GCT_2s (t));
4219 if (NULL != t->ephm_h)
4221 LOG (GNUNET_ERROR_TYPE_INFO, " already queued\n");
4225 msg.header.size = htons (sizeof (msg));
4226 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_AX_KX);
4227 msg.force_reply = htonl (force_reply);
4228 msg.permanent_key = ax_identity.permanent_key;
4229 msg.purpose = ax_identity.purpose;
4230 msg.signature = ax_identity.signature;
4231 GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->kx_0, &msg.ephemeral_key);
4232 GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->DHRs, &msg.ratchet_key);
4234 t->ephm_h = send_kx (t, &msg.header);
4235 if (CADET_TUNNEL_KEY_OK != t->estate)
4236 GCT_change_estate (t, CADET_TUNNEL_KEY_SENT);
4241 * Sends an already built and encrypted message on a tunnel, choosing the best
4242 * connection. Useful for re-queueing messages queued on a destroyed connection.
4244 * @param message Message to send. Function modifies it.
4245 * @param t Tunnel on which this message is transmitted.
4248 GCT_resend_message (const struct GNUNET_MessageHeader *message,
4249 struct CadetTunnel *t)
4251 struct CadetConnection *c;
4254 c = tunnel_get_connection (t);
4257 /* TODO queue in tunnel, marked as encrypted */
4258 LOG (GNUNET_ERROR_TYPE_DEBUG, "No connection available, dropping.\n");
4261 fwd = GCC_is_origin (c, GNUNET_YES);
4262 GNUNET_break (NULL == GCC_send_prebuilt_message (message, 0, 0, c, fwd,
4263 GNUNET_YES, NULL, NULL));
4268 * Is the tunnel directed towards the local peer?
4272 * @return #GNUNET_YES if it is loopback.
4275 GCT_is_loopback (const struct CadetTunnel *t)
4277 return (myid == GCP_get_short_id (t->peer));
4282 * Is the tunnel this path already?
4287 * @return #GNUNET_YES a connection uses this path.
4290 GCT_is_path_used (const struct CadetTunnel *t, const struct CadetPeerPath *p)
4292 struct CadetTConnection *iter;
4294 for (iter = t->connection_head; NULL != iter; iter = iter->next)
4295 if (path_equivalent (GCC_get_path (iter->c), p))
4303 * Get a cost of a path for a tunnel considering existing connections.
4306 * @param path Candidate path.
4308 * @return Cost of the path (path length + number of overlapping nodes)
4311 GCT_get_path_cost (const struct CadetTunnel *t,
4312 const struct CadetPeerPath *path)
4314 struct CadetTConnection *iter;
4315 const struct CadetPeerPath *aux;
4316 unsigned int overlap;
4324 GNUNET_assert (NULL != t);
4326 for (i = 0; i < path->length; i++)
4328 for (iter = t->connection_head; NULL != iter; iter = iter->next)
4330 aux = GCC_get_path (iter->c);
4334 for (j = 0; j < aux->length; j++)
4336 if (path->peers[i] == aux->peers[j])
4344 return path->length + overlap;
4349 * Get the static string for the peer this tunnel is directed.
4353 * @return Static string the destination peer's ID.
4356 GCT_2s (const struct CadetTunnel *t)
4361 return GCP_2s (t->peer);
4365 /******************************************************************************/
4366 /***************************** INFO/DEBUG *******************************/
4367 /******************************************************************************/
4370 ax_debug (const struct CadetTunnelAxolotl *ax, enum GNUNET_ErrorType level)
4372 struct GNUNET_CRYPTO_EcdhePublicKey pub;
4373 struct CadetTunnelSkippedKey *iter;
4376 LOG2 (level, "TTT RK\t %s\n",
4377 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->RK));
4379 LOG2 (level, "TTT HKs\t %s\n",
4380 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->HKs));
4381 LOG2 (level, "TTT HKr\t %s\n",
4382 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->HKr));
4383 LOG2 (level, "TTT NHKs\t %s\n",
4384 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->NHKs));
4385 LOG2 (level, "TTT NHKr\t %s\n",
4386 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->NHKr));
4388 LOG2 (level, "TTT CKs\t %s\n",
4389 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->CKs));
4390 LOG2 (level, "TTT CKr\t %s\n",
4391 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->CKr));
4393 GNUNET_CRYPTO_ecdhe_key_get_public (ax_key, &pub);
4394 LOG2 (level, "TTT DHIs\t %s\n",
4395 GNUNET_h2s ((struct GNUNET_HashCode *) &pub));
4396 LOG2 (level, "TTT DHIr\t %s\n",
4397 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->DHIr));
4398 GNUNET_CRYPTO_ecdhe_key_get_public (ax->DHRs, &pub);
4399 LOG2 (level, "TTT DHRs\t %s\n",
4400 GNUNET_h2s ((struct GNUNET_HashCode *) &pub));
4401 LOG2 (level, "TTT DHRr\t %s\n",
4402 GNUNET_h2s ((struct GNUNET_HashCode *) &ax->DHRr));
4404 LOG2 (level, "TTT Nr\t %u\tNs\t%u\n", ax->Nr, ax->Ns);
4405 LOG2 (level, "TTT PNs\t %u\tSkipped\t%u\n", ax->PNs, ax->skipped);
4406 LOG2 (level, "TTT Ratchet\t%u\n", ax->ratchet_flag);
4408 for (iter = ax->skipped_head; NULL != iter; iter = iter->next)
4410 LOG2 (level, "TTT HK\t %s\n",
4411 GNUNET_h2s ((struct GNUNET_HashCode *) &iter->HK));
4412 LOG2 (level, "TTT MK\t %s\n",
4413 GNUNET_h2s ((struct GNUNET_HashCode *) &iter->MK));
4418 * Log all possible info about the tunnel state.
4420 * @param t Tunnel to debug.
4421 * @param level Debug level to use.
4424 GCT_debug (const struct CadetTunnel *t, enum GNUNET_ErrorType level)
4426 struct CadetTChannel *iterch;
4427 struct CadetTConnection *iterc;
4430 do_log = GNUNET_get_log_call_status (level & (~GNUNET_ERROR_TYPE_BULK),
4432 __FILE__, __FUNCTION__, __LINE__);
4436 LOG2 (level, "TTT DEBUG TUNNEL TOWARDS %s\n", GCT_2s (t));
4437 LOG2 (level, "TTT cstate %s, estate %s\n",
4438 cstate2s (t->cstate), estate2s (t->estate));
4439 LOG2 (level, "TTT kx_ctx %p, rekey_task %u, finish task %u\n",
4440 t->kx_ctx, t->rekey_task, t->kx_ctx ? t->kx_ctx->finish_task : 0);
4441 #if DUMP_KEYS_TO_STDERR
4442 if (CADET_Axolotl == t->enc_type)
4444 ax_debug (t->ax, level);
4448 LOG2 (level, "TTT my EPHM\t %s\n",
4449 GNUNET_h2s ((struct GNUNET_HashCode *) &otr_kx_msg.ephemeral_key));
4450 LOG2 (level, "TTT peers EPHM:\t %s\n",
4451 GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
4452 LOG2 (level, "TTT ENC key:\t %s\n",
4453 GNUNET_h2s ((struct GNUNET_HashCode *) &t->e_key));
4454 LOG2 (level, "TTT DEC key:\t %s\n",
4455 GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
4458 LOG2 (level, "TTT OLD ENC key:\t %s\n",
4459 GNUNET_h2s ((struct GNUNET_HashCode *) &t->kx_ctx->e_key_old));
4460 LOG2 (level, "TTT OLD DEC key:\t %s\n",
4461 GNUNET_h2s ((struct GNUNET_HashCode *) &t->kx_ctx->d_key_old));
4465 LOG2 (level, "TTT tq_head %p, tq_tail %p\n", t->tq_head, t->tq_tail);
4466 LOG2 (level, "TTT destroy %u\n", t->destroy_task);
4468 LOG2 (level, "TTT channels:\n");
4469 for (iterch = t->channel_head; NULL != iterch; iterch = iterch->next)
4471 LOG2 (level, "TTT - %s\n", GCCH_2s (iterch->ch));
4474 LOG2 (level, "TTT connections:\n");
4475 for (iterc = t->connection_head; NULL != iterc; iterc = iterc->next)
4477 GCC_debug (iterc->c, level);
4480 LOG2 (level, "TTT DEBUG TUNNEL END\n");
4485 * Iterate all tunnels.
4487 * @param iter Iterator.
4488 * @param cls Closure for @c iter.
4491 GCT_iterate_all (GNUNET_CONTAINER_PeerMapIterator iter, void *cls)
4493 GNUNET_CONTAINER_multipeermap_iterate (tunnels, iter, cls);
4498 * Count all tunnels.
4500 * @return Number of tunnels to remote peers kept by this peer.
4503 GCT_count_all (void)
4505 return GNUNET_CONTAINER_multipeermap_size (tunnels);
4510 * Iterate all connections of a tunnel.
4512 * @param t Tunnel whose connections to iterate.
4513 * @param iter Iterator.
4514 * @param cls Closure for @c iter.
4517 GCT_iterate_connections (struct CadetTunnel *t, GCT_conn_iter iter, void *cls)
4519 struct CadetTConnection *ct;
4521 for (ct = t->connection_head; NULL != ct; ct = ct->next)
4527 * Iterate all channels of a tunnel.
4529 * @param t Tunnel whose channels to iterate.
4530 * @param iter Iterator.
4531 * @param cls Closure for @c iter.
4534 GCT_iterate_channels (struct CadetTunnel *t, GCT_chan_iter iter, void *cls)
4536 struct CadetTChannel *cht;
4538 for (cht = t->channel_head; NULL != cht; cht = cht->next)
4539 iter (cls, cht->ch);