2 This file is part of GNUnet.
3 Copyright (C) 2013, 2017, 2018 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 SPDX-License-Identifier: AGPL3.0-or-later
21 * @file cadet/gnunet-service-cadet_tunnels.c
22 * @brief Information we track per tunnel.
23 * @author Bartlomiej Polot
24 * @author Christian Grothoff
27 * - proper connection evaluation during connection management:
28 * + consider quality (or quality spread?) of current connection set
29 * when deciding how often to do maintenance
30 * + interact with PEER to drive DHT GET/PUT operations based
31 * on how much we like our connections
34 #include "gnunet_util_lib.h"
35 #include "gnunet_statistics_service.h"
36 #include "gnunet_signatures.h"
37 #include "cadet_protocol.h"
38 #include "gnunet-service-cadet_channel.h"
39 #include "gnunet-service-cadet_connection.h"
40 #include "gnunet-service-cadet_tunnels.h"
41 #include "gnunet-service-cadet_peer.h"
42 #include "gnunet-service-cadet_paths.h"
45 #define LOG(level, ...) GNUNET_log_from (level, "cadet-tun", __VA_ARGS__)
48 * How often do we try to decrypt payload with unverified key
49 * material? Used to limit CPU increase upon receiving bogus
52 #define MAX_UNVERIFIED_ATTEMPTS 16
55 * How long do we wait until tearing down an idle tunnel?
57 #define IDLE_DESTROY_DELAY GNUNET_TIME_relative_multiply ( \
58 GNUNET_TIME_UNIT_SECONDS, 90)
61 * How long do we wait initially before retransmitting the KX?
62 * TODO: replace by 2 RTT if/once we have connection-level RTT data!
64 #define INITIAL_KX_RETRY_DELAY GNUNET_TIME_relative_multiply ( \
65 GNUNET_TIME_UNIT_MILLISECONDS, 250)
68 * Maximum number of skipped keys we keep in memory per tunnel.
70 #define MAX_SKIPPED_KEYS 64
73 * Maximum number of keys (and thus ratchet steps) we are willing to
74 * skip before we decide this is either a bogus packet or a DoS-attempt.
76 #define MAX_KEY_GAP 256
80 * Struct to old keys for skipped messages while advancing the Axolotl ratchet.
82 struct CadetTunnelSkippedKey
87 struct CadetTunnelSkippedKey *next;
92 struct CadetTunnelSkippedKey *prev;
95 * When was this key stored (for timeout).
97 struct GNUNET_TIME_Absolute timestamp;
102 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
107 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
110 * Key number for a given HK.
117 * Axolotl data, according to https://github.com/trevp/axolotl/wiki .
119 struct CadetTunnelAxolotl
122 * A (double linked) list of stored message keys and associated header keys
123 * for "skipped" messages, i.e. messages that have not been
124 * received despite the reception of more recent messages, (head).
126 struct CadetTunnelSkippedKey *skipped_head;
129 * Skipped messages' keys DLL, tail.
131 struct CadetTunnelSkippedKey *skipped_tail;
134 * 32-byte root key which gets updated by DH ratchet.
136 struct GNUNET_CRYPTO_SymmetricSessionKey RK;
139 * 32-byte header key (currently used for sending).
141 struct GNUNET_CRYPTO_SymmetricSessionKey HKs;
144 * 32-byte header key (currently used for receiving)
146 struct GNUNET_CRYPTO_SymmetricSessionKey HKr;
149 * 32-byte next header key (for sending), used once the
150 * ratchet advances. We are sure that the sender has this
151 * key as well only after @e ratchet_allowed is #GNUNET_YES.
153 struct GNUNET_CRYPTO_SymmetricSessionKey NHKs;
156 * 32-byte next header key (for receiving). To be tried
157 * when decrypting with @e HKr fails and thus the sender
158 * may have advanced the ratchet.
160 struct GNUNET_CRYPTO_SymmetricSessionKey NHKr;
163 * 32-byte chain keys (used for forward-secrecy) for
164 * sending messages. Updated for every message.
166 struct GNUNET_CRYPTO_SymmetricSessionKey CKs;
169 * 32-byte chain keys (used for forward-secrecy) for
170 * receiving messages. Updated for every message. If
171 * messages are skipped, the respective derived MKs
172 * (and the current @HKr) are kept in the @e skipped_head DLL.
174 struct GNUNET_CRYPTO_SymmetricSessionKey CKr;
177 * ECDH for key exchange (A0 / B0).
179 struct GNUNET_CRYPTO_EcdhePrivateKey kx_0;
182 * ECDH Ratchet key (our private key in the current DH).
184 struct GNUNET_CRYPTO_EcdhePrivateKey DHRs;
187 * ECDH Ratchet key (other peer's public key in the current DH).
189 struct GNUNET_CRYPTO_EcdhePublicKey DHRr;
192 * Last ephemeral public key received from the other peer,
193 * for duplicate detection.
195 struct GNUNET_CRYPTO_EcdhePublicKey last_ephemeral;
198 * Time when the current ratchet expires and a new one is triggered
199 * (if @e ratchet_allowed is #GNUNET_YES).
201 struct GNUNET_TIME_Absolute ratchet_expiration;
204 * Number of elements in @a skipped_head <-> @a skipped_tail.
206 unsigned int skipped;
209 * Message number (reset to 0 with each new ratchet, next message to send).
214 * Message number (reset to 0 with each new ratchet, next message to recv).
219 * Previous message numbers (# of msgs sent under prev ratchet)
224 * True (#GNUNET_YES) if we have to send a new ratchet key in next msg.
229 * True (#GNUNET_YES) if we have received a message from the
230 * other peer that uses the keys from our last ratchet step.
231 * This implies that we are again allowed to advance the ratchet,
232 * otherwise we have to wait until the other peer sees our current
233 * ephemeral key and advances first.
235 * #GNUNET_NO if we have advanced the ratched but lack any evidence
236 * that the other peer has noticed this.
241 * Number of messages recieved since our last ratchet advance.
243 * If this counter = 0, we cannot send a new ratchet key in the next
246 * If this counter > 0, we could (but don't have to) send a new key.
248 * Once the @e ratchet_counter is larger than
249 * #ratchet_messages (or @e ratchet_expiration time has past), and
250 * @e ratchet_allowed is #GNUNET_YES, we advance the ratchet.
252 unsigned int ratchet_counter;
257 * Struct used to save messages in a non-ready tunnel to send once connected.
259 struct CadetTunnelQueueEntry
262 * We are entries in a DLL
264 struct CadetTunnelQueueEntry *next;
267 * We are entries in a DLL
269 struct CadetTunnelQueueEntry *prev;
272 * Tunnel these messages belong in.
274 struct CadetTunnel *t;
277 * Continuation to call once sent (on the channel layer).
279 GCT_SendContinuation cont;
282 * Closure for @c cont.
287 * Envelope of message to send follows.
289 struct GNUNET_MQ_Envelope *env;
292 * Where to put the connection identifier into the payload
293 * of the message in @e env once we have it?
295 struct GNUNET_CADET_ConnectionTunnelIdentifier *cid;
300 * Struct containing all information regarding a tunnel to a peer.
305 * Destination of the tunnel.
307 struct CadetPeer *destination;
310 * Peer's ephemeral key, to recreate @c e_key and @c d_key when own
311 * ephemeral key changes.
313 struct GNUNET_CRYPTO_EcdhePublicKey peers_ephemeral_key;
316 * Encryption ("our") key. It is only "confirmed" if kx_ctx is NULL.
318 struct GNUNET_CRYPTO_SymmetricSessionKey e_key;
321 * Decryption ("their") key. It is only "confirmed" if kx_ctx is NULL.
323 struct GNUNET_CRYPTO_SymmetricSessionKey d_key;
328 struct CadetTunnelAxolotl ax;
331 * Unverified Axolotl info, used only if we got a fresh KX (not a
332 * KX_AUTH) while our end of the tunnel was still up. In this case,
333 * we keep the fresh KX around but do not put it into action until
334 * we got encrypted payload that assures us of the authenticity of
337 struct CadetTunnelAxolotl *unverified_ax;
340 * Task scheduled if there are no more channels using the tunnel.
342 struct GNUNET_SCHEDULER_Task *destroy_task;
345 * Task to trim connections if too many are present.
347 struct GNUNET_SCHEDULER_Task *maintain_connections_task;
350 * Task to send messages from queue (if possible).
352 struct GNUNET_SCHEDULER_Task *send_task;
355 * Task to trigger KX.
357 struct GNUNET_SCHEDULER_Task *kx_task;
360 * Tokenizer for decrypted messages.
362 struct GNUNET_MessageStreamTokenizer *mst;
365 * Dispatcher for decrypted messages only (do NOT use for sending!).
367 struct GNUNET_MQ_Handle *mq;
370 * DLL of ready connections that are actively used to reach the destination peer.
372 struct CadetTConnection *connection_ready_head;
375 * DLL of ready connections that are actively used to reach the destination peer.
377 struct CadetTConnection *connection_ready_tail;
380 * DLL of connections that we maintain that might be used to reach the destination peer.
382 struct CadetTConnection *connection_busy_head;
385 * DLL of connections that we maintain that might be used to reach the destination peer.
387 struct CadetTConnection *connection_busy_tail;
390 * Channels inside this tunnel. Maps
391 * `struct GNUNET_CADET_ChannelTunnelNumber` to a `struct CadetChannel`.
393 struct GNUNET_CONTAINER_MultiHashMap32 *channels;
396 * Channel ID for the next created channel in this tunnel.
398 struct GNUNET_CADET_ChannelTunnelNumber next_ctn;
401 * Queued messages, to transmit once tunnel gets connected.
403 struct CadetTunnelQueueEntry *tq_head;
406 * Queued messages, to transmit once tunnel gets connected.
408 struct CadetTunnelQueueEntry *tq_tail;
411 * Identification of the connection from which we are currently processing
412 * a message. Only valid (non-NULL) during #handle_decrypted() and the
413 * handle-*()-functions called from our @e mq during that function.
415 struct CadetTConnection *current_ct;
418 * How long do we wait until we retry the KX?
420 struct GNUNET_TIME_Relative kx_retry_delay;
423 * When do we try the next KX?
425 struct GNUNET_TIME_Absolute next_kx_attempt;
428 * Number of connections in the @e connection_ready_head DLL.
430 unsigned int num_ready_connections;
433 * Number of connections in the @e connection_busy_head DLL.
435 unsigned int num_busy_connections;
438 * How often have we tried and failed to decrypt a message using
439 * the unverified KX material from @e unverified_ax? Used to
440 * stop trying after #MAX_UNVERIFIED_ATTEMPTS.
442 unsigned int unverified_attempts;
445 * Number of entries in the @e tq_head DLL.
450 * State of the tunnel encryption.
452 enum CadetTunnelEState estate;
455 * Force triggering KX_AUTH independent of @e estate.
457 int kx_auth_requested;
462 * Am I Alice or Betty (some call her Bob), or talking to myself?
464 * @param other the other peer
465 * @return #GNUNET_YES for Alice, #GNUNET_NO for Betty, #GNUNET_SYSERR if talking to myself
468 alice_or_betty (const struct GNUNET_PeerIdentity *other)
470 if (0 > GNUNET_memcmp (&my_full_id,
473 else if (0 < GNUNET_memcmp (&my_full_id,
479 return GNUNET_SYSERR;
485 * Connection @a ct is now unready, clear it's ready flag
486 * and move it from the ready DLL to the busy DLL.
488 * @param ct connection to move to unready status
491 mark_connection_unready (struct CadetTConnection *ct)
493 struct CadetTunnel *t = ct->t;
495 GNUNET_assert (GNUNET_YES == ct->is_ready);
496 GNUNET_CONTAINER_DLL_remove (t->connection_ready_head,
497 t->connection_ready_tail,
499 GNUNET_assert (0 < t->num_ready_connections);
500 t->num_ready_connections--;
501 ct->is_ready = GNUNET_NO;
502 GNUNET_CONTAINER_DLL_insert (t->connection_busy_head,
503 t->connection_busy_tail,
505 t->num_busy_connections++;
510 * Get the static string for the peer this tunnel is directed.
514 * @return Static string the destination peer's ID.
517 GCT_2s (const struct CadetTunnel *t)
522 return "Tunnel(NULL)";
523 GNUNET_snprintf (buf,
526 GNUNET_i2s (GCP_get_id (t->destination)));
532 * Get string description for tunnel encryption state.
534 * @param es Tunnel state.
536 * @return String representation.
539 estate2s (enum CadetTunnelEState es)
545 case CADET_TUNNEL_KEY_UNINITIALIZED:
546 return "CADET_TUNNEL_KEY_UNINITIALIZED";
547 case CADET_TUNNEL_KEY_AX_RECV:
548 return "CADET_TUNNEL_KEY_AX_RECV";
549 case CADET_TUNNEL_KEY_AX_SENT:
550 return "CADET_TUNNEL_KEY_AX_SENT";
551 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
552 return "CADET_TUNNEL_KEY_AX_SENT_AND_RECV";
553 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
554 return "CADET_TUNNEL_KEY_AX_AUTH_SENT";
555 case CADET_TUNNEL_KEY_OK:
556 return "CADET_TUNNEL_KEY_OK";
558 GNUNET_snprintf (buf,
560 "%u (UNKNOWN STATE)",
567 * Return the peer to which this tunnel goes.
570 * @return the destination of the tunnel
573 GCT_get_destination (struct CadetTunnel *t)
575 return t->destination;
580 * Count channels of a tunnel.
582 * @param t Tunnel on which to count.
584 * @return Number of channels.
587 GCT_count_channels (struct CadetTunnel *t)
589 return GNUNET_CONTAINER_multihashmap32_size (t->channels);
594 * Lookup a channel by its @a ctn.
596 * @param t tunnel to look in
597 * @param ctn number of channel to find
598 * @return NULL if channel does not exist
600 struct CadetChannel *
601 lookup_channel (struct CadetTunnel *t,
602 struct GNUNET_CADET_ChannelTunnelNumber ctn)
604 return GNUNET_CONTAINER_multihashmap32_get (t->channels,
610 * Count all created connections of a tunnel. Not necessarily ready connections!
612 * @param t Tunnel on which to count.
614 * @return Number of connections created, either being established or ready.
617 GCT_count_any_connections (const struct CadetTunnel *t)
619 return t->num_ready_connections + t->num_busy_connections;
624 * Find first connection that is ready in the list of
625 * our connections. Picks ready connections round-robin.
627 * @param t tunnel to search
628 * @return NULL if we have no connection that is ready
630 static struct CadetTConnection *
631 get_ready_connection (struct CadetTunnel *t)
633 struct CadetTConnection *hd = t->connection_ready_head;
635 GNUNET_assert ((NULL == hd) ||
636 (GNUNET_YES == hd->is_ready));
642 * Get the encryption state of a tunnel.
646 * @return Tunnel's encryption state.
648 enum CadetTunnelEState
649 GCT_get_estate (struct CadetTunnel *t)
656 * Called when either we have a new connection, or a new message in the
657 * queue, or some existing connection has transmission capacity. Looks
658 * at our message queue and if there is a message, picks a connection
661 * @param cls the `struct CadetTunnel` to process messages on
664 trigger_transmissions (void *cls);
667 /* ************************************** start core crypto ***************************** */
671 * Create a new Axolotl ephemeral (ratchet) key.
673 * @param ax key material to update
676 new_ephemeral (struct CadetTunnelAxolotl *ax)
678 LOG (GNUNET_ERROR_TYPE_DEBUG,
679 "Creating new ephemeral ratchet key (DHRs)\n");
680 GNUNET_assert (GNUNET_OK ==
681 GNUNET_CRYPTO_ecdhe_key_create2 (&ax->DHRs));
688 * @param plaintext Content to HMAC.
689 * @param size Size of @c plaintext.
690 * @param iv Initialization vector for the message.
691 * @param key Key to use.
692 * @param hmac[out] Destination to store the HMAC.
695 t_hmac (const void *plaintext,
698 const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
699 struct GNUNET_ShortHashCode *hmac)
701 static const char ctx[] = "cadet authentication key";
702 struct GNUNET_CRYPTO_AuthKey auth_key;
703 struct GNUNET_HashCode hash;
705 GNUNET_CRYPTO_hmac_derive_key (&auth_key,
711 /* Two step: GNUNET_ShortHash is only 256 bits,
712 GNUNET_HashCode is 512, so we truncate. */
713 GNUNET_CRYPTO_hmac (&auth_key,
726 * @param key Key to use.
727 * @param[out] hash Resulting HMAC.
728 * @param source Source key material (data to HMAC).
729 * @param len Length of @a source.
732 t_ax_hmac_hash (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
733 struct GNUNET_HashCode *hash,
737 static const char ctx[] = "axolotl HMAC-HASH";
738 struct GNUNET_CRYPTO_AuthKey auth_key;
740 GNUNET_CRYPTO_hmac_derive_key (&auth_key,
744 GNUNET_CRYPTO_hmac (&auth_key,
752 * Derive a symmetric encryption key from an HMAC-HASH.
754 * @param key Key to use for the HMAC.
755 * @param[out] out Key to generate.
756 * @param source Source key material (data to HMAC).
757 * @param len Length of @a source.
760 t_hmac_derive_key (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
761 struct GNUNET_CRYPTO_SymmetricSessionKey *out,
765 static const char ctx[] = "axolotl derive key";
766 struct GNUNET_HashCode h;
772 GNUNET_CRYPTO_kdf (out, sizeof(*out),
780 * Encrypt data with the axolotl tunnel key.
782 * @param ax key material to use.
783 * @param dst Destination with @a size bytes for the encrypted data.
784 * @param src Source of the plaintext. Can overlap with @c dst, must contain @a size bytes
785 * @param size Size of the buffers at @a src and @a dst
788 t_ax_encrypt (struct CadetTunnelAxolotl *ax,
793 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
794 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
797 ax->ratchet_counter++;
798 if ((GNUNET_YES == ax->ratchet_allowed) &&
799 ((ratchet_messages <= ax->ratchet_counter) ||
800 (0 == GNUNET_TIME_absolute_get_remaining (
801 ax->ratchet_expiration).rel_value_us)))
803 ax->ratchet_flag = GNUNET_YES;
805 if (GNUNET_YES == ax->ratchet_flag)
807 /* Advance ratchet */
808 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3];
809 struct GNUNET_HashCode dh;
810 struct GNUNET_HashCode hmac;
811 static const char ctx[] = "axolotl ratchet";
816 /* RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) ) */
817 GNUNET_CRYPTO_ecc_ecdh (&ax->DHRs,
820 t_ax_hmac_hash (&ax->RK,
824 GNUNET_CRYPTO_kdf (keys, sizeof(keys),
834 ax->ratchet_flag = GNUNET_NO;
835 ax->ratchet_allowed = GNUNET_NO;
836 ax->ratchet_counter = 0;
837 ax->ratchet_expiration
838 = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get (),
842 t_hmac_derive_key (&ax->CKs,
846 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
851 out_size = GNUNET_CRYPTO_symmetric_encrypt (src,
856 GNUNET_assert (size == out_size);
857 t_hmac_derive_key (&ax->CKs,
865 * Decrypt data with the axolotl tunnel key.
867 * @param ax key material to use.
868 * @param dst Destination for the decrypted data, must contain @a size bytes.
869 * @param src Source of the ciphertext. Can overlap with @c dst, must contain @a size bytes.
870 * @param size Size of the @a src and @a dst buffers
873 t_ax_decrypt (struct CadetTunnelAxolotl *ax,
878 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
879 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
882 t_hmac_derive_key (&ax->CKr,
886 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
890 GNUNET_assert (size >= sizeof(struct GNUNET_MessageHeader));
891 out_size = GNUNET_CRYPTO_symmetric_decrypt (src,
896 GNUNET_assert (out_size == size);
897 t_hmac_derive_key (&ax->CKr,
905 * Encrypt header with the axolotl header key.
907 * @param ax key material to use.
908 * @param[in|out] msg Message whose header to encrypt.
911 t_h_encrypt (struct CadetTunnelAxolotl *ax,
912 struct GNUNET_CADET_TunnelEncryptedMessage *msg)
914 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
917 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
921 out_size = GNUNET_CRYPTO_symmetric_encrypt (&msg->ax_header,
923 GNUNET_CADET_AxHeader),
927 GNUNET_assert (sizeof(struct GNUNET_CADET_AxHeader) == out_size);
932 * Decrypt header with the current axolotl header key.
934 * @param ax key material to use.
935 * @param src Message whose header to decrypt.
936 * @param dst Where to decrypt header to.
939 t_h_decrypt (struct CadetTunnelAxolotl *ax,
940 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
941 struct GNUNET_CADET_TunnelEncryptedMessage *dst)
943 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
946 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
950 out_size = GNUNET_CRYPTO_symmetric_decrypt (&src->ax_header.Ns,
952 GNUNET_CADET_AxHeader),
956 GNUNET_assert (sizeof(struct GNUNET_CADET_AxHeader) == out_size);
961 * Delete a key from the list of skipped keys.
963 * @param ax key material to delete @a key from.
964 * @param key Key to delete.
967 delete_skipped_key (struct CadetTunnelAxolotl *ax,
968 struct CadetTunnelSkippedKey *key)
970 GNUNET_CONTAINER_DLL_remove (ax->skipped_head,
979 * Decrypt and verify data with the appropriate tunnel key and verify that the
980 * data has not been altered since it was sent by the remote peer.
982 * @param ax key material to use.
983 * @param dst Destination for the plaintext.
984 * @param src Source of the message. Can overlap with @c dst.
985 * @param size Size of the message.
986 * @return Size of the decrypted data, -1 if an error was encountered.
989 try_old_ax_keys (struct CadetTunnelAxolotl *ax,
991 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
994 struct CadetTunnelSkippedKey *key;
995 struct GNUNET_ShortHashCode *hmac;
996 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
997 struct GNUNET_CADET_TunnelEncryptedMessage plaintext_header;
998 struct GNUNET_CRYPTO_SymmetricSessionKey *valid_HK;
1004 LOG (GNUNET_ERROR_TYPE_DEBUG,
1005 "Trying skipped keys\n");
1006 hmac = &plaintext_header.hmac;
1007 esize = size - sizeof(struct GNUNET_CADET_TunnelEncryptedMessage);
1009 /* Find a correct Header Key */
1011 for (key = ax->skipped_head; NULL != key; key = key->next)
1013 t_hmac (&src->ax_header,
1014 sizeof(struct GNUNET_CADET_AxHeader) + esize,
1018 if (0 == GNUNET_memcmp (hmac,
1021 valid_HK = &key->HK;
1028 /* Should've been checked in -cadet_connection.c handle_cadet_encrypted. */
1029 GNUNET_assert (size > sizeof(struct GNUNET_CADET_TunnelEncryptedMessage));
1030 len = size - sizeof(struct GNUNET_CADET_TunnelEncryptedMessage);
1031 GNUNET_assert (len >= sizeof(struct GNUNET_MessageHeader));
1033 /* Decrypt header */
1034 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
1038 res = GNUNET_CRYPTO_symmetric_decrypt (&src->ax_header.Ns,
1039 sizeof(struct GNUNET_CADET_AxHeader),
1042 &plaintext_header.ax_header.Ns);
1043 GNUNET_assert (sizeof(struct GNUNET_CADET_AxHeader) == res);
1045 /* Find the correct message key */
1046 N = ntohl (plaintext_header.ax_header.Ns);
1047 while ((NULL != key) &&
1050 if ((NULL == key) ||
1051 (0 != GNUNET_memcmp (&key->HK,
1055 /* Decrypt payload */
1056 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
1061 res = GNUNET_CRYPTO_symmetric_decrypt (&src[1],
1066 delete_skipped_key (ax,
1073 * Delete a key from the list of skipped keys.
1075 * @param ax key material to delete from.
1076 * @param HKr Header Key to use.
1079 store_skipped_key (struct CadetTunnelAxolotl *ax,
1080 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr)
1082 struct CadetTunnelSkippedKey *key;
1084 key = GNUNET_new (struct CadetTunnelSkippedKey);
1085 key->timestamp = GNUNET_TIME_absolute_get ();
1088 t_hmac_derive_key (&ax->CKr,
1092 t_hmac_derive_key (&ax->CKr,
1096 GNUNET_CONTAINER_DLL_insert (ax->skipped_head,
1105 * Stage skipped AX keys and calculate the message key.
1106 * Stores each HK and MK for skipped messages.
1108 * @param ax key material to use
1109 * @param HKr Header key.
1110 * @param Np Received meesage number.
1111 * @return #GNUNET_OK if keys were stored.
1112 * #GNUNET_SYSERR if an error ocurred (@a Np not expected).
1115 store_ax_keys (struct CadetTunnelAxolotl *ax,
1116 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr,
1122 LOG (GNUNET_ERROR_TYPE_DEBUG,
1123 "Storing skipped keys [%u, %u)\n",
1126 if (MAX_KEY_GAP < gap)
1128 /* Avoid DoS (forcing peer to do more than #MAX_KEY_GAP HMAC operations) */
1129 /* TODO: start new key exchange on return */
1130 GNUNET_break_op (0);
1131 LOG (GNUNET_ERROR_TYPE_WARNING,
1132 "Got message %u, expected %u+\n",
1135 return GNUNET_SYSERR;
1139 /* Delayed message: don't store keys, flag to try old keys. */
1140 return GNUNET_SYSERR;
1144 store_skipped_key (ax,
1147 while (ax->skipped > MAX_SKIPPED_KEYS)
1148 delete_skipped_key (ax,
1155 * Decrypt and verify data with the appropriate tunnel key and verify that the
1156 * data has not been altered since it was sent by the remote peer.
1158 * @param ax key material to use
1159 * @param dst Destination for the plaintext.
1160 * @param src Source of the message. Can overlap with @c dst.
1161 * @param size Size of the message.
1162 * @return Size of the decrypted data, -1 if an error was encountered.
1165 t_ax_decrypt_and_validate (struct CadetTunnelAxolotl *ax,
1168 GNUNET_CADET_TunnelEncryptedMessage *src,
1171 struct GNUNET_ShortHashCode msg_hmac;
1172 struct GNUNET_HashCode hmac;
1173 struct GNUNET_CADET_TunnelEncryptedMessage plaintext_header;
1176 size_t esize; /* Size of encryped payload */
1178 esize = size - sizeof(struct GNUNET_CADET_TunnelEncryptedMessage);
1180 /* Try current HK */
1181 t_hmac (&src->ax_header,
1182 sizeof(struct GNUNET_CADET_AxHeader) + esize,
1185 if (0 != GNUNET_memcmp (&msg_hmac,
1188 static const char ctx[] = "axolotl ratchet";
1189 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3]; /* RKp, NHKp, CKp */
1190 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
1191 struct GNUNET_HashCode dh;
1192 struct GNUNET_CRYPTO_EcdhePublicKey *DHRp;
1195 t_hmac (&src->ax_header,
1196 sizeof(struct GNUNET_CADET_AxHeader) + esize,
1200 if (0 != GNUNET_memcmp (&msg_hmac,
1203 /* Try the skipped keys, if that fails, we're out of luck. */
1204 return try_old_ax_keys (ax,
1214 Np = ntohl (plaintext_header.ax_header.Ns);
1215 PNp = ntohl (plaintext_header.ax_header.PNs);
1216 DHRp = &plaintext_header.ax_header.DHRs;
1221 /* RKp, NHKp, CKp = KDF (HMAC-HASH (RK, DH (DHRp, DHRs))) */
1222 GNUNET_CRYPTO_ecc_ecdh (&ax->DHRs,
1225 t_ax_hmac_hash (&ax->RK,
1228 GNUNET_CRYPTO_kdf (keys, sizeof(keys),
1230 &hmac, sizeof(hmac),
1233 /* Commit "purported" keys */
1239 ax->ratchet_allowed = GNUNET_YES;
1246 Np = ntohl (plaintext_header.ax_header.Ns);
1247 PNp = ntohl (plaintext_header.ax_header.PNs);
1249 if ((Np != ax->Nr) &&
1250 (GNUNET_OK != store_ax_keys (ax,
1254 /* Try the skipped keys, if that fails, we're out of luck. */
1255 return try_old_ax_keys (ax,
1271 * Our tunnel became ready for the first time, notify channels
1272 * that have been waiting.
1274 * @param cls our tunnel, not used
1275 * @param key unique ID of the channel, not used
1276 * @param value the `struct CadetChannel` to notify
1277 * @return #GNUNET_OK (continue to iterate)
1280 notify_tunnel_up_cb (void *cls,
1284 struct CadetChannel *ch = value;
1286 GCCH_tunnel_up (ch);
1292 * Change the tunnel encryption state.
1293 * If the encryption state changes to OK, stop the rekey task.
1295 * @param t Tunnel whose encryption state to change, or NULL.
1296 * @param state New encryption state.
1299 GCT_change_estate (struct CadetTunnel *t,
1300 enum CadetTunnelEState state)
1302 enum CadetTunnelEState old = t->estate;
1305 LOG (GNUNET_ERROR_TYPE_DEBUG,
1306 "%s estate changed from %s to %s\n",
1311 if ((CADET_TUNNEL_KEY_OK != old) &&
1312 (CADET_TUNNEL_KEY_OK == t->estate))
1314 if (NULL != t->kx_task)
1316 GNUNET_SCHEDULER_cancel (t->kx_task);
1319 /* notify all channels that have been waiting */
1320 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
1321 ¬ify_tunnel_up_cb,
1323 if (NULL != t->send_task)
1324 GNUNET_SCHEDULER_cancel (t->send_task);
1325 t->send_task = GNUNET_SCHEDULER_add_now (&trigger_transmissions,
1332 * Send a KX message.
1334 * @param t tunnel on which to send the KX_AUTH
1335 * @param ct Tunnel and connection on which to send the KX_AUTH, NULL if
1336 * we are to find one that is ready.
1337 * @param ax axolotl key context to use
1340 send_kx (struct CadetTunnel *t,
1341 struct CadetTConnection *ct,
1342 struct CadetTunnelAxolotl *ax)
1344 struct CadetConnection *cc;
1345 struct GNUNET_MQ_Envelope *env;
1346 struct GNUNET_CADET_TunnelKeyExchangeMessage *msg;
1347 enum GNUNET_CADET_KX_Flags flags;
1349 if (GNUNET_YES != alice_or_betty (GCP_get_id (t->destination)))
1350 return; /* only Alice may send KX */
1352 (GNUNET_NO == ct->is_ready))
1353 ct = get_ready_connection (t);
1356 LOG (GNUNET_ERROR_TYPE_DEBUG,
1357 "Wanted to send %s in state %s, but no connection is ready, deferring\n",
1359 estate2s (t->estate));
1360 t->next_kx_attempt = GNUNET_TIME_absolute_get ();
1364 env = GNUNET_MQ_msg (msg,
1365 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX);
1366 flags = GNUNET_CADET_KX_FLAG_FORCE_REPLY; /* always for KX */
1367 msg->flags = htonl (flags);
1368 msg->cid = *GCC_get_id (cc);
1369 GNUNET_CRYPTO_ecdhe_key_get_public (&ax->kx_0,
1370 &msg->ephemeral_key);
1372 msg->ephemeral_key_XXX = ax->kx_0;
1373 msg->private_key_XXX = *my_private_key;
1375 LOG (GNUNET_ERROR_TYPE_DEBUG,
1376 "Sending KX message to %s with ephemeral %s on CID %s\n",
1378 GNUNET_e2s (&msg->ephemeral_key),
1379 GNUNET_sh2s (&msg->cid.connection_of_tunnel));
1380 GNUNET_CRYPTO_ecdhe_key_get_public (&ax->DHRs,
1382 mark_connection_unready (ct);
1383 t->kx_retry_delay = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay);
1384 t->next_kx_attempt = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay);
1385 if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
1386 GCT_change_estate (t,
1387 CADET_TUNNEL_KEY_AX_SENT);
1388 else if (CADET_TUNNEL_KEY_AX_RECV == t->estate)
1389 GCT_change_estate (t,
1390 CADET_TUNNEL_KEY_AX_SENT_AND_RECV);
1393 GNUNET_STATISTICS_update (stats,
1401 * Send a KX_AUTH message.
1403 * @param t tunnel on which to send the KX_AUTH
1404 * @param ct Tunnel and connection on which to send the KX_AUTH, NULL if
1405 * we are to find one that is ready.
1406 * @param ax axolotl key context to use
1407 * @param force_reply Force the other peer to reply with a KX_AUTH message
1408 * (set if we would like to transmit right now, but cannot)
1411 send_kx_auth (struct CadetTunnel *t,
1412 struct CadetTConnection *ct,
1413 struct CadetTunnelAxolotl *ax,
1416 struct CadetConnection *cc;
1417 struct GNUNET_MQ_Envelope *env;
1418 struct GNUNET_CADET_TunnelKeyExchangeAuthMessage *msg;
1419 enum GNUNET_CADET_KX_Flags flags;
1422 (GNUNET_NO == ct->is_ready))
1423 ct = get_ready_connection (t);
1426 LOG (GNUNET_ERROR_TYPE_DEBUG,
1427 "Wanted to send KX_AUTH on %s, but no connection is ready, deferring\n",
1429 t->next_kx_attempt = GNUNET_TIME_absolute_get ();
1430 t->kx_auth_requested = GNUNET_YES; /* queue KX_AUTH independent of estate */
1433 t->kx_auth_requested = GNUNET_NO; /* clear flag */
1435 env = GNUNET_MQ_msg (msg,
1436 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX_AUTH);
1437 flags = GNUNET_CADET_KX_FLAG_NONE;
1438 if (GNUNET_YES == force_reply)
1439 flags |= GNUNET_CADET_KX_FLAG_FORCE_REPLY;
1440 msg->kx.flags = htonl (flags);
1441 msg->kx.cid = *GCC_get_id (cc);
1442 GNUNET_CRYPTO_ecdhe_key_get_public (&ax->kx_0,
1443 &msg->kx.ephemeral_key);
1444 GNUNET_CRYPTO_ecdhe_key_get_public (&ax->DHRs,
1445 &msg->kx.ratchet_key);
1447 msg->kx.ephemeral_key_XXX = ax->kx_0;
1448 msg->kx.private_key_XXX = *my_private_key;
1449 msg->r_ephemeral_key_XXX = ax->last_ephemeral;
1451 LOG (GNUNET_ERROR_TYPE_DEBUG,
1452 "Sending KX_AUTH message to %s with ephemeral %s on CID %s\n",
1454 GNUNET_e2s (&msg->kx.ephemeral_key),
1455 GNUNET_sh2s (&msg->kx.cid.connection_of_tunnel));
1457 /* Compute authenticator (this is the main difference to #send_kx()) */
1458 GNUNET_CRYPTO_hash (&ax->RK,
1461 /* Compute when to be triggered again; actual job will
1462 be scheduled via #connection_ready_cb() */
1464 = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay);
1466 = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay);
1468 /* Send via cc, mark it as unready */
1469 mark_connection_unready (ct);
1471 /* Update state machine, unless we are already OK */
1472 if (CADET_TUNNEL_KEY_OK != t->estate)
1473 GCT_change_estate (t,
1474 CADET_TUNNEL_KEY_AX_AUTH_SENT);
1477 GNUNET_STATISTICS_update (stats,
1478 "# KX_AUTH transmitted",
1485 * Cleanup state used by @a ax.
1487 * @param ax state to free, but not memory of @a ax itself
1490 cleanup_ax (struct CadetTunnelAxolotl *ax)
1492 while (NULL != ax->skipped_head)
1493 delete_skipped_key (ax,
1495 GNUNET_assert (0 == ax->skipped);
1496 GNUNET_CRYPTO_ecdhe_key_clear (&ax->kx_0);
1497 GNUNET_CRYPTO_ecdhe_key_clear (&ax->DHRs);
1502 * Update our Axolotl key state based on the KX data we received.
1503 * Computes the new chain keys, and root keys, etc, and also checks
1504 * whether this is a replay of the current chain.
1506 * @param[in|out] axolotl chain key state to recompute
1507 * @param pid peer identity of the other peer
1508 * @param ephemeral_key ephemeral public key of the other peer
1509 * @param ratchet_key senders next ephemeral public key
1510 * @return #GNUNET_OK on success, #GNUNET_NO if the resulting
1511 * root key is already in @a ax and thus the KX is useless;
1512 * #GNUNET_SYSERR on hard errors (i.e. @a pid is #my_full_id)
1515 update_ax_by_kx (struct CadetTunnelAxolotl *ax,
1516 const struct GNUNET_PeerIdentity *pid,
1517 const struct GNUNET_CRYPTO_EcdhePublicKey *ephemeral_key,
1518 const struct GNUNET_CRYPTO_EcdhePublicKey *ratchet_key)
1520 struct GNUNET_HashCode key_material[3];
1521 struct GNUNET_CRYPTO_SymmetricSessionKey keys[5];
1522 const char salt[] = "CADET Axolotl salt";
1525 if (GNUNET_SYSERR == (am_I_alice = alice_or_betty (pid)))
1527 GNUNET_break_op (0);
1528 return GNUNET_SYSERR;
1530 if (0 == GNUNET_memcmp (&ax->DHRr,
1533 GNUNET_STATISTICS_update (stats,
1534 "# Ratchet key already known",
1537 LOG (GNUNET_ERROR_TYPE_DEBUG,
1538 "Ratchet key already known. Ignoring KX.\n");
1542 ax->DHRr = *ratchet_key;
1543 ax->last_ephemeral = *ephemeral_key;
1545 if (GNUNET_YES == am_I_alice)
1547 GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* a */
1548 ephemeral_key, /* B0 */
1553 GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* b0 */
1554 &pid->public_key, /* A */
1558 if (GNUNET_YES == am_I_alice)
1560 GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* a0 */
1561 &pid->public_key, /* B */
1566 GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* b */
1567 ephemeral_key, /* A0 */
1572 GNUNET_CRYPTO_ecc_ecdh (&ax->kx_0, /* a0 or b0 */
1573 ephemeral_key, /* B0 or A0 */
1576 GNUNET_CRYPTO_kdf (keys, sizeof(keys),
1578 &key_material, sizeof(key_material),
1581 if (0 == memcmp (&ax->RK,
1585 LOG (GNUNET_ERROR_TYPE_DEBUG,
1586 "Root key already known. Ignoring KX.\n");
1587 GNUNET_STATISTICS_update (stats,
1588 "# Root key already known",
1595 if (GNUNET_YES == am_I_alice)
1601 ax->ratchet_flag = GNUNET_YES;
1609 ax->ratchet_flag = GNUNET_NO;
1610 ax->ratchet_expiration
1611 = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get (),
1619 * Try to redo the KX or KX_AUTH handshake, if we can.
1621 * @param cls the `struct CadetTunnel` to do KX for.
1624 retry_kx (void *cls)
1626 struct CadetTunnel *t = cls;
1627 struct CadetTunnelAxolotl *ax;
1630 LOG (GNUNET_ERROR_TYPE_DEBUG,
1631 "Trying to make KX progress on %s in state %s\n",
1633 estate2s (t->estate));
1636 case CADET_TUNNEL_KEY_UNINITIALIZED: /* first attempt */
1637 case CADET_TUNNEL_KEY_AX_SENT: /* trying again */
1643 case CADET_TUNNEL_KEY_AX_RECV:
1644 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
1645 /* We are responding, so only require reply
1646 if WE have a channel waiting. */
1647 if (NULL != t->unverified_ax)
1649 /* Send AX_AUTH so we might get this one verified */
1650 ax = t->unverified_ax;
1654 /* How can this be? */
1661 (0 == GCT_count_channels (t))
1666 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
1667 /* We are responding, so only require reply
1668 if WE have a channel waiting. */
1669 if (NULL != t->unverified_ax)
1671 /* Send AX_AUTH so we might get this one verified */
1672 ax = t->unverified_ax;
1676 /* How can this be? */
1683 (0 == GCT_count_channels (t))
1688 case CADET_TUNNEL_KEY_OK:
1689 /* Must have been the *other* peer asking us to
1690 respond with a KX_AUTH. */
1691 if (NULL != t->unverified_ax)
1693 /* Sending AX_AUTH in response to AX so we might get this one verified */
1694 ax = t->unverified_ax;
1698 /* Sending AX_AUTH in response to AX_AUTH */
1711 * Handle KX message that lacks authentication (and which will thus
1712 * only be considered authenticated after we respond with our own
1713 * KX_AUTH and finally successfully decrypt payload).
1715 * @param ct connection/tunnel combo that received encrypted message
1716 * @param msg the key exchange message
1719 GCT_handle_kx (struct CadetTConnection *ct,
1720 const struct GNUNET_CADET_TunnelKeyExchangeMessage *msg)
1722 struct CadetTunnel *t = ct->t;
1725 GNUNET_STATISTICS_update (stats,
1730 alice_or_betty (GCP_get_id (t->destination)))
1732 /* Betty/Bob is not allowed to send KX! */
1733 GNUNET_break_op (0);
1736 LOG (GNUNET_ERROR_TYPE_DEBUG,
1737 "Received KX message from %s with ephemeral %s from %s on connection %s\n",
1739 GNUNET_e2s (&msg->ephemeral_key),
1740 GNUNET_i2s (GCP_get_id (t->destination)),
1744 memcmp (&t->ax.DHRr,
1746 sizeof(msg->ratchet_key))) &&
1748 memcmp (&t->ax.last_ephemeral,
1749 &msg->ephemeral_key,
1750 sizeof(msg->ephemeral_key))))
1753 GNUNET_STATISTICS_update (stats,
1754 "# Duplicate KX received",
1764 /* We only keep ONE unverified KX around, so if there is an existing one,
1766 if (NULL != t->unverified_ax)
1769 memcmp (&t->unverified_ax->DHRr,
1771 sizeof(msg->ratchet_key))) &&
1773 memcmp (&t->unverified_ax->last_ephemeral,
1774 &msg->ephemeral_key,
1775 sizeof(msg->ephemeral_key))))
1777 GNUNET_STATISTICS_update (stats,
1778 "# Duplicate unverified KX received",
1789 LOG (GNUNET_ERROR_TYPE_DEBUG,
1790 "Dropping old unverified KX state.\n");
1791 GNUNET_STATISTICS_update (stats,
1792 "# Unverified KX dropped for fresh KX",
1795 GNUNET_break (NULL == t->unverified_ax->skipped_head);
1796 memset (t->unverified_ax,
1798 sizeof(struct CadetTunnelAxolotl));
1802 LOG (GNUNET_ERROR_TYPE_DEBUG,
1803 "Creating fresh unverified KX for %s\n",
1805 GNUNET_STATISTICS_update (stats,
1809 t->unverified_ax = GNUNET_new (struct CadetTunnelAxolotl);
1811 /* Set as the 'current' RK/DHRr the one we are currently using,
1812 so that the duplicate-detection logic of
1813 #update_ax_by_kx can work. */
1814 t->unverified_ax->RK = t->ax.RK;
1815 t->unverified_ax->DHRr = t->ax.DHRr;
1816 t->unverified_ax->DHRs = t->ax.DHRs;
1817 t->unverified_ax->kx_0 = t->ax.kx_0;
1818 t->unverified_attempts = 0;
1820 /* Update 'ax' by the new key material */
1821 ret = update_ax_by_kx (t->unverified_ax,
1822 GCP_get_id (t->destination),
1823 &msg->ephemeral_key,
1825 GNUNET_break (GNUNET_SYSERR != ret);
1826 if (GNUNET_OK != ret)
1828 GNUNET_STATISTICS_update (stats,
1832 return; /* duplicate KX, nothing to do */
1834 /* move ahead in our state machine */
1835 if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
1836 GCT_change_estate (t,
1837 CADET_TUNNEL_KEY_AX_RECV);
1838 else if (CADET_TUNNEL_KEY_AX_SENT == t->estate)
1839 GCT_change_estate (t,
1840 CADET_TUNNEL_KEY_AX_SENT_AND_RECV);
1842 /* KX is still not done, try again our end. */
1843 if (CADET_TUNNEL_KEY_OK != t->estate)
1845 if (NULL != t->kx_task)
1846 GNUNET_SCHEDULER_cancel (t->kx_task);
1848 = GNUNET_SCHEDULER_add_now (&retry_kx,
1856 check_ee (const struct GNUNET_CRYPTO_EcdhePrivateKey *e1,
1857 const struct GNUNET_CRYPTO_EcdhePrivateKey *e2)
1859 struct GNUNET_CRYPTO_EcdhePublicKey p1;
1860 struct GNUNET_CRYPTO_EcdhePublicKey p2;
1861 struct GNUNET_HashCode hc1;
1862 struct GNUNET_HashCode hc2;
1864 GNUNET_CRYPTO_ecdhe_key_get_public (e1,
1866 GNUNET_CRYPTO_ecdhe_key_get_public (e2,
1868 GNUNET_assert (GNUNET_OK ==
1869 GNUNET_CRYPTO_ecc_ecdh (e1,
1872 GNUNET_assert (GNUNET_OK ==
1873 GNUNET_CRYPTO_ecc_ecdh (e2,
1876 GNUNET_break (0 == GNUNET_memcmp (&hc1,
1882 check_ed (const struct GNUNET_CRYPTO_EcdhePrivateKey *e1,
1883 const struct GNUNET_CRYPTO_EddsaPrivateKey *e2)
1885 struct GNUNET_CRYPTO_EcdhePublicKey p1;
1886 struct GNUNET_CRYPTO_EddsaPublicKey p2;
1887 struct GNUNET_HashCode hc1;
1888 struct GNUNET_HashCode hc2;
1890 GNUNET_CRYPTO_ecdhe_key_get_public (e1,
1892 GNUNET_CRYPTO_eddsa_key_get_public (e2,
1894 GNUNET_assert (GNUNET_OK ==
1895 GNUNET_CRYPTO_ecdh_eddsa (e1,
1898 GNUNET_assert (GNUNET_OK ==
1899 GNUNET_CRYPTO_eddsa_ecdh (e2,
1902 GNUNET_break (0 == GNUNET_memcmp (&hc1,
1908 test_crypto_bug (const struct GNUNET_CRYPTO_EcdhePrivateKey *e1,
1909 const struct GNUNET_CRYPTO_EcdhePrivateKey *e2,
1910 const struct GNUNET_CRYPTO_EddsaPrivateKey *d1,
1911 const struct GNUNET_CRYPTO_EddsaPrivateKey *d2)
1923 * Handle KX_AUTH message.
1925 * @param ct connection/tunnel combo that received encrypted message
1926 * @param msg the key exchange message
1929 GCT_handle_kx_auth (struct CadetTConnection *ct,
1930 const struct GNUNET_CADET_TunnelKeyExchangeAuthMessage *msg)
1932 struct CadetTunnel *t = ct->t;
1933 struct CadetTunnelAxolotl ax_tmp;
1934 struct GNUNET_HashCode kx_auth;
1937 GNUNET_STATISTICS_update (stats,
1938 "# KX_AUTH received",
1941 if ((CADET_TUNNEL_KEY_UNINITIALIZED == t->estate) ||
1942 (CADET_TUNNEL_KEY_AX_RECV == t->estate))
1944 /* Confusing, we got a KX_AUTH before we even send our own
1945 KX. This should not happen. We'll send our own KX ASAP anyway,
1946 so let's ignore this here. */
1947 GNUNET_break_op (0);
1950 LOG (GNUNET_ERROR_TYPE_DEBUG,
1951 "Handling KX_AUTH message from %s with ephemeral %s\n",
1953 GNUNET_e2s (&msg->kx.ephemeral_key));
1954 /* We do everything in ax_tmp until we've checked the authentication
1955 so we don't clobber anything we care about by accident. */
1958 /* Update 'ax' by the new key material */
1959 ret = update_ax_by_kx (&ax_tmp,
1960 GCP_get_id (t->destination),
1961 &msg->kx.ephemeral_key,
1962 &msg->kx.ratchet_key);
1963 if (GNUNET_OK != ret)
1965 if (GNUNET_NO == ret)
1966 GNUNET_STATISTICS_update (stats,
1967 "# redundant KX_AUTH received",
1971 GNUNET_break (0); /* connect to self!? */
1974 GNUNET_CRYPTO_hash (&ax_tmp.RK,
1977 if (0 != GNUNET_memcmp (&kx_auth,
1980 /* This KX_AUTH is not using the latest KX/KX_AUTH data
1981 we transmitted to the sender, refuse it, try KX again. */
1982 GNUNET_STATISTICS_update (stats,
1983 "# KX_AUTH not using our last KX received (auth failure)",
1986 LOG (GNUNET_ERROR_TYPE_WARNING,
1987 "KX AUTH mismatch!\n");
1990 struct GNUNET_CRYPTO_EcdhePublicKey ephemeral_key;
1992 GNUNET_CRYPTO_ecdhe_key_get_public (&ax_tmp.kx_0,
1994 if (0 != GNUNET_memcmp (&ephemeral_key,
1995 &msg->r_ephemeral_key_XXX))
1997 LOG (GNUNET_ERROR_TYPE_WARNING,
1998 "My ephemeral is %s!\n",
1999 GNUNET_e2s (&ephemeral_key));
2000 LOG (GNUNET_ERROR_TYPE_WARNING,
2001 "Response is for ephemeral %s!\n",
2002 GNUNET_e2s (&msg->r_ephemeral_key_XXX));
2006 test_crypto_bug (&ax_tmp.kx_0,
2007 &msg->kx.ephemeral_key_XXX,
2009 &msg->kx.private_key_XXX);
2013 if (NULL == t->kx_task)
2015 = GNUNET_SCHEDULER_add_at (t->next_kx_attempt,
2020 /* Yep, we're good. */
2022 if (NULL != t->unverified_ax)
2024 /* We got some "stale" KX before, drop that. */
2025 cleanup_ax (t->unverified_ax);
2026 GNUNET_free (t->unverified_ax);
2027 t->unverified_ax = NULL;
2030 /* move ahead in our state machine */
2033 case CADET_TUNNEL_KEY_UNINITIALIZED:
2034 case CADET_TUNNEL_KEY_AX_RECV:
2035 /* Checked above, this is impossible. */
2039 case CADET_TUNNEL_KEY_AX_SENT: /* This is the normal case */
2040 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV: /* both peers started KX */
2041 case CADET_TUNNEL_KEY_AX_AUTH_SENT: /* both peers now did KX_AUTH */
2042 GCT_change_estate (t,
2043 CADET_TUNNEL_KEY_OK);
2046 case CADET_TUNNEL_KEY_OK:
2047 /* Did not expect another KX_AUTH, but so what, still acceptable.
2048 Nothing to do here. */
2051 if (0 != (GNUNET_CADET_KX_FLAG_FORCE_REPLY & ntohl (msg->kx.flags)))
2061 /* ************************************** end core crypto ***************************** */
2065 * Compute the next free channel tunnel number for this tunnel.
2067 * @param t the tunnel
2068 * @return unused number that can uniquely identify a channel in the tunnel
2070 static struct GNUNET_CADET_ChannelTunnelNumber
2071 get_next_free_ctn (struct CadetTunnel *t)
2073 #define HIGH_BIT 0x8000000
2074 struct GNUNET_CADET_ChannelTunnelNumber ret;
2079 cmp = GNUNET_memcmp (&my_full_id,
2080 GCP_get_id (GCT_get_destination (t)));
2086 GNUNET_assert (0); // loopback must never go here!
2087 ctn = ntohl (t->next_ctn.cn);
2089 GNUNET_CONTAINER_multihashmap32_get (t->channels,
2092 ctn = ((ctn + 1) & (~HIGH_BIT));
2094 t->next_ctn.cn = htonl ((ctn + 1) & (~HIGH_BIT));
2095 ret.cn = htonl (ctn | highbit);
2101 * Add a channel to a tunnel, and notify channel that we are ready
2102 * for transmission if we are already up. Otherwise that notification
2103 * will be done later in #notify_tunnel_up_cb().
2107 * @return unique number identifying @a ch within @a t
2109 struct GNUNET_CADET_ChannelTunnelNumber
2110 GCT_add_channel (struct CadetTunnel *t,
2111 struct CadetChannel *ch)
2113 struct GNUNET_CADET_ChannelTunnelNumber ctn;
2115 ctn = get_next_free_ctn (t);
2116 if (NULL != t->destroy_task)
2118 GNUNET_SCHEDULER_cancel (t->destroy_task);
2119 t->destroy_task = NULL;
2121 GNUNET_assert (GNUNET_YES ==
2122 GNUNET_CONTAINER_multihashmap32_put (t->channels,
2125 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
2126 LOG (GNUNET_ERROR_TYPE_DEBUG,
2127 "Adding %s to %s\n",
2132 case CADET_TUNNEL_KEY_UNINITIALIZED:
2133 /* waiting for connection to start KX */
2136 case CADET_TUNNEL_KEY_AX_RECV:
2137 case CADET_TUNNEL_KEY_AX_SENT:
2138 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
2139 /* we're currently waiting for KX to complete */
2142 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
2143 /* waiting for OTHER peer to send us data,
2144 we might need to prompt more aggressively! */
2145 if (NULL == t->kx_task)
2147 = GNUNET_SCHEDULER_add_at (t->next_kx_attempt,
2152 case CADET_TUNNEL_KEY_OK:
2153 /* We are ready. Tell the new channel that we are up. */
2154 GCCH_tunnel_up (ch);
2162 * We lost a connection, remove it from our list and clean up
2163 * the connection object itself.
2165 * @param ct binding of connection to tunnel of the connection that was lost.
2168 GCT_connection_lost (struct CadetTConnection *ct)
2170 struct CadetTunnel *t = ct->t;
2172 if (GNUNET_YES == ct->is_ready)
2174 GNUNET_CONTAINER_DLL_remove (t->connection_ready_head,
2175 t->connection_ready_tail,
2177 t->num_ready_connections--;
2181 GNUNET_CONTAINER_DLL_remove (t->connection_busy_head,
2182 t->connection_busy_tail,
2184 t->num_busy_connections--;
2191 * Clean up connection @a ct of a tunnel.
2193 * @param cls the `struct CadetTunnel`
2194 * @param ct connection to clean up
2197 destroy_t_connection (void *cls,
2198 struct CadetTConnection *ct)
2200 struct CadetTunnel *t = cls;
2201 struct CadetConnection *cc = ct->cc;
2203 GNUNET_assert (ct->t == t);
2204 GCT_connection_lost (ct);
2205 GCC_destroy_without_tunnel (cc);
2210 * This tunnel is no longer used, destroy it.
2212 * @param cls the idle tunnel
2215 destroy_tunnel (void *cls)
2217 struct CadetTunnel *t = cls;
2218 struct CadetTunnelQueueEntry *tq;
2220 t->destroy_task = NULL;
2221 LOG (GNUNET_ERROR_TYPE_DEBUG,
2222 "Destroying idle %s\n",
2224 GNUNET_assert (0 == GCT_count_channels (t));
2225 GCT_iterate_connections (t,
2226 &destroy_t_connection,
2228 GNUNET_assert (NULL == t->connection_ready_head);
2229 GNUNET_assert (NULL == t->connection_busy_head);
2230 while (NULL != (tq = t->tq_head))
2232 if (NULL != tq->cont)
2233 tq->cont (tq->cont_cls,
2235 GCT_send_cancel (tq);
2237 GCP_drop_tunnel (t->destination,
2239 GNUNET_CONTAINER_multihashmap32_destroy (t->channels);
2240 if (NULL != t->maintain_connections_task)
2242 GNUNET_SCHEDULER_cancel (t->maintain_connections_task);
2243 t->maintain_connections_task = NULL;
2245 if (NULL != t->send_task)
2247 GNUNET_SCHEDULER_cancel (t->send_task);
2248 t->send_task = NULL;
2250 if (NULL != t->kx_task)
2252 GNUNET_SCHEDULER_cancel (t->kx_task);
2255 GNUNET_MST_destroy (t->mst);
2256 GNUNET_MQ_destroy (t->mq);
2257 if (NULL != t->unverified_ax)
2259 cleanup_ax (t->unverified_ax);
2260 GNUNET_free (t->unverified_ax);
2262 cleanup_ax (&t->ax);
2263 GNUNET_assert (NULL == t->destroy_task);
2269 * Remove a channel from a tunnel.
2273 * @param ctn unique number identifying @a ch within @a t
2276 GCT_remove_channel (struct CadetTunnel *t,
2277 struct CadetChannel *ch,
2278 struct GNUNET_CADET_ChannelTunnelNumber ctn)
2280 LOG (GNUNET_ERROR_TYPE_DEBUG,
2281 "Removing %s from %s\n",
2284 GNUNET_assert (GNUNET_YES ==
2285 GNUNET_CONTAINER_multihashmap32_remove (t->channels,
2289 GCT_count_channels (t)) &&
2290 (NULL == t->destroy_task))
2293 = GNUNET_SCHEDULER_add_delayed (IDLE_DESTROY_DELAY,
2301 * Destroy remaining channels during shutdown.
2303 * @param cls the `struct CadetTunnel` of the channel
2304 * @param key key of the channel
2305 * @param value the `struct CadetChannel`
2306 * @return #GNUNET_OK (continue to iterate)
2309 destroy_remaining_channels (void *cls,
2313 struct CadetChannel *ch = value;
2315 GCCH_handle_remote_destroy (ch,
2322 * Destroys the tunnel @a t now, without delay. Used during shutdown.
2324 * @param t tunnel to destroy
2327 GCT_destroy_tunnel_now (struct CadetTunnel *t)
2329 GNUNET_assert (GNUNET_YES == shutting_down);
2330 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
2331 &destroy_remaining_channels,
2334 GCT_count_channels (t));
2335 if (NULL != t->destroy_task)
2337 GNUNET_SCHEDULER_cancel (t->destroy_task);
2338 t->destroy_task = NULL;
2345 * Send normal payload from queue in @a t via connection @a ct.
2346 * Does nothing if our payload queue is empty.
2348 * @param t tunnel to send data from
2349 * @param ct connection to use for transmission (is ready)
2352 try_send_normal_payload (struct CadetTunnel *t,
2353 struct CadetTConnection *ct)
2355 struct CadetTunnelQueueEntry *tq;
2357 GNUNET_assert (GNUNET_YES == ct->is_ready);
2361 /* no messages pending right now */
2362 LOG (GNUNET_ERROR_TYPE_DEBUG,
2363 "Not sending payload of %s on ready %s (nothing pending)\n",
2368 /* ready to send message 'tq' on tunnel 'ct' */
2369 GNUNET_assert (t == tq->t);
2370 GNUNET_CONTAINER_DLL_remove (t->tq_head,
2373 if (NULL != tq->cid)
2374 *tq->cid = *GCC_get_id (ct->cc);
2375 mark_connection_unready (ct);
2376 LOG (GNUNET_ERROR_TYPE_DEBUG,
2377 "Sending payload of %s on %s\n",
2380 GCC_transmit (ct->cc,
2382 if (NULL != tq->cont)
2383 tq->cont (tq->cont_cls,
2384 GCC_get_id (ct->cc));
2390 * A connection is @a is_ready for transmission. Looks at our message
2391 * queue and if there is a message, sends it out via the connection.
2393 * @param cls the `struct CadetTConnection` that is @a is_ready
2394 * @param is_ready #GNUNET_YES if connection are now ready,
2395 * #GNUNET_NO if connection are no longer ready
2398 connection_ready_cb (void *cls,
2401 struct CadetTConnection *ct = cls;
2402 struct CadetTunnel *t = ct->t;
2404 if (GNUNET_NO == is_ready)
2406 LOG (GNUNET_ERROR_TYPE_DEBUG,
2407 "%s no longer ready for %s\n",
2410 mark_connection_unready (ct);
2413 GNUNET_assert (GNUNET_NO == ct->is_ready);
2414 GNUNET_CONTAINER_DLL_remove (t->connection_busy_head,
2415 t->connection_busy_tail,
2417 GNUNET_assert (0 < t->num_busy_connections);
2418 t->num_busy_connections--;
2419 ct->is_ready = GNUNET_YES;
2420 GNUNET_CONTAINER_DLL_insert_tail (t->connection_ready_head,
2421 t->connection_ready_tail,
2423 t->num_ready_connections++;
2425 LOG (GNUNET_ERROR_TYPE_DEBUG,
2426 "%s now ready for %s in state %s\n",
2429 estate2s (t->estate));
2432 case CADET_TUNNEL_KEY_UNINITIALIZED:
2433 /* Do not begin KX if WE have no channels waiting! */
2434 if (0 != GNUNET_TIME_absolute_get_remaining (
2435 t->next_kx_attempt).rel_value_us)
2436 return; /* wait for timeout before retrying */
2437 /* We are uninitialized, just transmit immediately,
2438 without undue delay. */
2439 if (NULL != t->kx_task)
2441 GNUNET_SCHEDULER_cancel (t->kx_task);
2448 GCT_count_channels (t)) &&
2449 (NULL == t->destroy_task))
2452 = GNUNET_SCHEDULER_add_delayed (IDLE_DESTROY_DELAY,
2458 case CADET_TUNNEL_KEY_AX_RECV:
2459 case CADET_TUNNEL_KEY_AX_SENT:
2460 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
2461 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
2462 /* we're currently waiting for KX to complete, schedule job */
2463 if (NULL == t->kx_task)
2465 = GNUNET_SCHEDULER_add_at (t->next_kx_attempt,
2470 case CADET_TUNNEL_KEY_OK:
2471 if (GNUNET_YES == t->kx_auth_requested)
2473 if (0 != GNUNET_TIME_absolute_get_remaining (
2474 t->next_kx_attempt).rel_value_us)
2475 return; /* wait for timeout */
2476 if (NULL != t->kx_task)
2478 GNUNET_SCHEDULER_cancel (t->kx_task);
2487 try_send_normal_payload (t,
2495 * Called when either we have a new connection, or a new message in the
2496 * queue, or some existing connection has transmission capacity. Looks
2497 * at our message queue and if there is a message, picks a connection
2500 * @param cls the `struct CadetTunnel` to process messages on
2503 trigger_transmissions (void *cls)
2505 struct CadetTunnel *t = cls;
2506 struct CadetTConnection *ct;
2508 t->send_task = NULL;
2509 if (NULL == t->tq_head)
2510 return; /* no messages pending right now */
2511 ct = get_ready_connection (t);
2513 return; /* no connections ready */
2514 try_send_normal_payload (t,
2520 * Closure for #evaluate_connection. Used to assemble summary information
2521 * about the existing connections so we can evaluate a new path.
2523 struct EvaluationSummary
2526 * Minimum length of any of our connections, `UINT_MAX` if we have none.
2528 unsigned int min_length;
2531 * Maximum length of any of our connections, 0 if we have none.
2533 unsigned int max_length;
2536 * Minimum desirability of any of our connections, UINT64_MAX if we have none.
2538 GNUNET_CONTAINER_HeapCostType min_desire;
2541 * Maximum desirability of any of our connections, 0 if we have none.
2543 GNUNET_CONTAINER_HeapCostType max_desire;
2546 * Path we are comparing against for #evaluate_connection, can be NULL.
2548 struct CadetPeerPath *path;
2551 * Connection deemed the "worst" so far encountered by #evaluate_connection,
2552 * NULL if we did not yet encounter any connections.
2554 struct CadetTConnection *worst;
2557 * Numeric score of @e worst, only set if @e worst is non-NULL.
2562 * Set to #GNUNET_YES if we have a connection over @e path already.
2569 * Evaluate a connection, updating our summary information in @a cls about
2570 * what kinds of connections we have.
2572 * @param cls the `struct EvaluationSummary *` to update
2573 * @param ct a connection to include in the summary
2576 evaluate_connection (void *cls,
2577 struct CadetTConnection *ct)
2579 struct EvaluationSummary *es = cls;
2580 struct CadetConnection *cc = ct->cc;
2581 unsigned int ct_length;
2582 struct CadetPeerPath *ps;
2583 const struct CadetConnectionMetrics *metrics;
2584 GNUNET_CONTAINER_HeapCostType ct_desirability;
2585 struct GNUNET_TIME_Relative uptime;
2586 struct GNUNET_TIME_Relative last_use;
2588 double success_rate;
2590 ps = GCC_get_path (cc,
2592 LOG (GNUNET_ERROR_TYPE_DEBUG,
2593 "Evaluating path %s of existing %s\n",
2598 LOG (GNUNET_ERROR_TYPE_DEBUG,
2599 "Ignoring duplicate path %s.\n",
2600 GCPP_2s (es->path));
2601 es->duplicate = GNUNET_YES;
2604 if (NULL != es->path)
2606 int duplicate = GNUNET_YES;
2608 for (unsigned int i = 0; i < ct_length; i++)
2610 GNUNET_assert (GCPP_get_length (es->path) > i);
2611 if (GCPP_get_peer_at_offset (es->path,
2613 GCPP_get_peer_at_offset (ps,
2616 duplicate = GNUNET_NO;
2620 if (GNUNET_YES == duplicate)
2622 LOG (GNUNET_ERROR_TYPE_DEBUG,
2623 "Ignoring overlapping path %s.\n",
2624 GCPP_2s (es->path));
2625 es->duplicate = GNUNET_YES;
2630 LOG (GNUNET_ERROR_TYPE_DEBUG,
2631 "Known path %s differs from proposed path\n",
2636 ct_desirability = GCPP_get_desirability (ps);
2637 metrics = GCC_get_metrics (cc);
2638 uptime = GNUNET_TIME_absolute_get_duration (metrics->age);
2639 last_use = GNUNET_TIME_absolute_get_duration (metrics->last_use);
2640 /* We add 1.0 here to avoid division by zero. */
2641 success_rate = (metrics->num_acked_transmissions + 1.0)
2642 / (metrics->num_successes + 1.0);
2645 + 100.0 / (1.0 + ct_length) /* longer paths = better */
2646 + sqrt (uptime.rel_value_us / 60000000LL) /* larger uptime = better */
2647 - last_use.rel_value_us / 1000L; /* longer idle = worse */
2648 score *= success_rate; /* weigh overall by success rate */
2650 if ((NULL == es->worst) ||
2651 (score < es->worst_score))
2654 es->worst_score = score;
2656 es->min_length = GNUNET_MIN (es->min_length,
2658 es->max_length = GNUNET_MAX (es->max_length,
2660 es->min_desire = GNUNET_MIN (es->min_desire,
2662 es->max_desire = GNUNET_MAX (es->max_desire,
2668 * Consider using the path @a p for the tunnel @a t.
2669 * The tunnel destination is at offset @a off in path @a p.
2671 * @param cls our tunnel
2672 * @param path a path to our destination
2673 * @param off offset of the destination on path @a path
2674 * @return #GNUNET_YES (should keep iterating)
2677 consider_path_cb (void *cls,
2678 struct CadetPeerPath *path,
2681 struct CadetTunnel *t = cls;
2682 struct EvaluationSummary es;
2683 struct CadetTConnection *ct;
2685 GNUNET_assert (off < GCPP_get_length (path));
2686 GNUNET_assert (GCPP_get_peer_at_offset (path,
2687 off) == t->destination);
2688 es.min_length = UINT_MAX;
2691 es.min_desire = UINT64_MAX;
2693 es.duplicate = GNUNET_NO;
2696 /* Compute evaluation summary over existing connections. */
2697 LOG (GNUNET_ERROR_TYPE_DEBUG,
2698 "Evaluating proposed path %s for target %s\n",
2701 /* FIXME: suspect this does not ACTUALLY iterate
2702 over all existing paths, otherwise dup detection
2704 GCT_iterate_connections (t,
2705 &evaluate_connection,
2707 if (GNUNET_YES == es.duplicate)
2710 /* FIXME: not sure we should really just count
2711 'num_connections' here, as they may all have
2712 consistently failed to connect. */
2714 /* We iterate by increasing path length; if we have enough paths and
2715 this one is more than twice as long than what we are currently
2716 using, then ignore all of these super-long ones! */
2717 if ((GCT_count_any_connections (t) > DESIRED_CONNECTIONS_PER_TUNNEL) &&
2718 (es.min_length * 2 < off) &&
2719 (es.max_length < off))
2721 LOG (GNUNET_ERROR_TYPE_DEBUG,
2722 "Ignoring paths of length %u, they are way too long.\n",
2726 /* If we have enough paths and this one looks no better, ignore it. */
2727 if ((GCT_count_any_connections (t) >= DESIRED_CONNECTIONS_PER_TUNNEL) &&
2728 (es.min_length < GCPP_get_length (path)) &&
2729 (es.min_desire > GCPP_get_desirability (path)) &&
2730 (es.max_length < off))
2732 LOG (GNUNET_ERROR_TYPE_DEBUG,
2733 "Ignoring path (%u/%llu) to %s, got something better already.\n",
2734 GCPP_get_length (path),
2735 (unsigned long long) GCPP_get_desirability (path),
2736 GCP_2s (t->destination));
2740 /* Path is interesting (better by some metric, or we don't have
2741 enough paths yet). */
2742 ct = GNUNET_new (struct CadetTConnection);
2743 ct->created = GNUNET_TIME_absolute_get ();
2745 ct->cc = GCC_create (t->destination,
2749 &connection_ready_cb,
2752 /* FIXME: schedule job to kill connection (and path?) if it takes
2753 too long to get ready! (And track performance data on how long
2754 other connections took with the tunnel!)
2755 => Note: to be done within 'connection'-logic! */
2756 GNUNET_CONTAINER_DLL_insert (t->connection_busy_head,
2757 t->connection_busy_tail,
2759 t->num_busy_connections++;
2760 LOG (GNUNET_ERROR_TYPE_DEBUG,
2761 "Found interesting path %s for %s, created %s\n",
2770 * Function called to maintain the connections underlying our tunnel.
2771 * Tries to maintain (incl. tear down) connections for the tunnel, and
2772 * if there is a significant change, may trigger transmissions.
2774 * Basically, needs to check if there are connections that perform
2775 * badly, and if so eventually kill them and trigger a replacement.
2776 * The strategy is to open one more connection than
2777 * #DESIRED_CONNECTIONS_PER_TUNNEL, and then periodically kick out the
2778 * least-performing one, and then inquire for new ones.
2780 * @param cls the `struct CadetTunnel`
2783 maintain_connections_cb (void *cls)
2785 struct CadetTunnel *t = cls;
2786 struct GNUNET_TIME_Relative delay;
2787 struct EvaluationSummary es;
2789 t->maintain_connections_task = NULL;
2790 LOG (GNUNET_ERROR_TYPE_DEBUG,
2791 "Performing connection maintenance for %s.\n",
2794 es.min_length = UINT_MAX;
2797 es.min_desire = UINT64_MAX;
2800 es.duplicate = GNUNET_NO;
2801 GCT_iterate_connections (t,
2802 &evaluate_connection,
2804 if ((NULL != es.worst) &&
2805 (GCT_count_any_connections (t) > DESIRED_CONNECTIONS_PER_TUNNEL))
2807 /* Clear out worst-performing connection 'es.worst'. */
2808 destroy_t_connection (t,
2812 /* Consider additional paths */
2813 (void) GCP_iterate_paths (t->destination,
2817 /* FIXME: calculate when to try again based on how well we are doing;
2818 in particular, if we have to few connections, we might be able
2819 to do without this (as PATHS should tell us whenever a new path
2820 is available instantly; however, need to make sure this job is
2821 restarted after that happens).
2822 Furthermore, if the paths we do know are in a reasonably narrow
2823 quality band and are plentyful, we might also consider us stabilized
2824 and then reduce the frequency accordingly. */delay = GNUNET_TIME_UNIT_MINUTES;
2825 t->maintain_connections_task
2826 = GNUNET_SCHEDULER_add_delayed (delay,
2827 &maintain_connections_cb,
2833 * Consider using the path @a p for the tunnel @a t.
2834 * The tunnel destination is at offset @a off in path @a p.
2836 * @param cls our tunnel
2837 * @param path a path to our destination
2838 * @param off offset of the destination on path @a path
2841 GCT_consider_path (struct CadetTunnel *t,
2842 struct CadetPeerPath *p,
2845 LOG (GNUNET_ERROR_TYPE_DEBUG,
2846 "Considering %s for %s (offset %u)\n",
2850 (void) consider_path_cb (t,
2857 * We got a keepalive. Track in statistics.
2859 * @param cls the `struct CadetTunnel` for which we decrypted the message
2860 * @param msg the message we received on the tunnel
2863 handle_plaintext_keepalive (void *cls,
2864 const struct GNUNET_MessageHeader *msg)
2866 struct CadetTunnel *t = cls;
2868 LOG (GNUNET_ERROR_TYPE_DEBUG,
2869 "Received KEEPALIVE on %s\n",
2871 GNUNET_STATISTICS_update (stats,
2872 "# keepalives received",
2879 * Check that @a msg is well-formed.
2881 * @param cls the `struct CadetTunnel` for which we decrypted the message
2882 * @param msg the message we received on the tunnel
2883 * @return #GNUNET_OK (any variable-size payload goes)
2886 check_plaintext_data (void *cls,
2887 const struct GNUNET_CADET_ChannelAppDataMessage *msg)
2894 * We received payload data for a channel. Locate the channel
2895 * and process the data, or return an error if the channel is unknown.
2897 * @param cls the `struct CadetTunnel` for which we decrypted the message
2898 * @param msg the message we received on the tunnel
2901 handle_plaintext_data (void *cls,
2902 const struct GNUNET_CADET_ChannelAppDataMessage *msg)
2904 struct CadetTunnel *t = cls;
2905 struct CadetChannel *ch;
2907 ch = lookup_channel (t,
2911 /* We don't know about such a channel, might have been destroyed on our
2912 end in the meantime, or never existed. Send back a DESTROY. */
2913 LOG (GNUNET_ERROR_TYPE_DEBUG,
2914 "Received %u bytes of application data for unknown channel %u, sending DESTROY\n",
2915 (unsigned int) (ntohs (msg->header.size) - sizeof(*msg)),
2916 ntohl (msg->ctn.cn));
2917 GCT_send_channel_destroy (t,
2921 GCCH_handle_channel_plaintext_data (ch,
2922 GCC_get_id (t->current_ct->cc),
2928 * We received an acknowledgement for data we sent on a channel.
2929 * Locate the channel and process it, or return an error if the
2930 * channel is unknown.
2932 * @param cls the `struct CadetTunnel` for which we decrypted the message
2933 * @param ack the message we received on the tunnel
2936 handle_plaintext_data_ack (void *cls,
2937 const struct GNUNET_CADET_ChannelDataAckMessage *ack)
2939 struct CadetTunnel *t = cls;
2940 struct CadetChannel *ch;
2942 ch = lookup_channel (t,
2946 /* We don't know about such a channel, might have been destroyed on our
2947 end in the meantime, or never existed. Send back a DESTROY. */
2948 LOG (GNUNET_ERROR_TYPE_DEBUG,
2949 "Received DATA_ACK for unknown channel %u, sending DESTROY\n",
2950 ntohl (ack->ctn.cn));
2951 GCT_send_channel_destroy (t,
2955 GCCH_handle_channel_plaintext_data_ack (ch,
2956 GCC_get_id (t->current_ct->cc),
2962 * We have received a request to open a channel to a port from
2963 * another peer. Creates the incoming channel.
2965 * @param cls the `struct CadetTunnel` for which we decrypted the message
2966 * @param copen the message we received on the tunnel
2969 handle_plaintext_channel_open (void *cls,
2971 GNUNET_CADET_ChannelOpenMessage *copen)
2973 struct CadetTunnel *t = cls;
2974 struct CadetChannel *ch;
2976 ch = GNUNET_CONTAINER_multihashmap32_get (t->channels,
2977 ntohl (copen->ctn.cn));
2980 LOG (GNUNET_ERROR_TYPE_DEBUG,
2981 "Received duplicate channel CHANNEL_OPEN on h_port %s from %s (%s), resending ACK\n",
2982 GNUNET_h2s (&copen->h_port),
2985 GCCH_handle_duplicate_open (ch,
2986 GCC_get_id (t->current_ct->cc));
2989 LOG (GNUNET_ERROR_TYPE_DEBUG,
2990 "Received CHANNEL_OPEN on h_port %s from %s\n",
2991 GNUNET_h2s (&copen->h_port),
2993 ch = GCCH_channel_incoming_new (t,
2996 ntohl (copen->opt));
2997 if (NULL != t->destroy_task)
2999 GNUNET_SCHEDULER_cancel (t->destroy_task);
3000 t->destroy_task = NULL;
3002 GNUNET_assert (GNUNET_OK ==
3003 GNUNET_CONTAINER_multihashmap32_put (t->channels,
3004 ntohl (copen->ctn.cn),
3006 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
3011 * Send a DESTROY message via the tunnel.
3013 * @param t the tunnel to transmit over
3014 * @param ctn ID of the channel to destroy
3017 GCT_send_channel_destroy (struct CadetTunnel *t,
3018 struct GNUNET_CADET_ChannelTunnelNumber ctn)
3020 struct GNUNET_CADET_ChannelDestroyMessage msg;
3022 LOG (GNUNET_ERROR_TYPE_DEBUG,
3023 "Sending DESTORY message for channel ID %u\n",
3025 msg.header.size = htons (sizeof(msg));
3026 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY);
3027 msg.reserved = htonl (0);
3037 * We have received confirmation from the target peer that the
3038 * given channel could be established (the port is open).
3041 * @param cls the `struct CadetTunnel` for which we decrypted the message
3042 * @param cm the message we received on the tunnel
3045 handle_plaintext_channel_open_ack (void *cls,
3047 GNUNET_CADET_ChannelOpenAckMessage *cm)
3049 struct CadetTunnel *t = cls;
3050 struct CadetChannel *ch;
3052 ch = lookup_channel (t,
3056 /* We don't know about such a channel, might have been destroyed on our
3057 end in the meantime, or never existed. Send back a DESTROY. */
3058 LOG (GNUNET_ERROR_TYPE_DEBUG,
3059 "Received channel OPEN_ACK for unknown channel %u, sending DESTROY\n",
3060 ntohl (cm->ctn.cn));
3061 GCT_send_channel_destroy (t,
3065 LOG (GNUNET_ERROR_TYPE_DEBUG,
3066 "Received channel OPEN_ACK on channel %s from %s\n",
3069 GCCH_handle_channel_open_ack (ch,
3070 GCC_get_id (t->current_ct->cc),
3076 * We received a message saying that a channel should be destroyed.
3077 * Pass it on to the correct channel.
3079 * @param cls the `struct CadetTunnel` for which we decrypted the message
3080 * @param cm the message we received on the tunnel
3083 handle_plaintext_channel_destroy (void *cls,
3085 GNUNET_CADET_ChannelDestroyMessage *cm)
3087 struct CadetTunnel *t = cls;
3088 struct CadetChannel *ch;
3090 ch = lookup_channel (t,
3094 /* We don't know about such a channel, might have been destroyed on our
3095 end in the meantime, or never existed. */
3096 LOG (GNUNET_ERROR_TYPE_DEBUG,
3097 "Received channel DESTORY for unknown channel %u. Ignoring.\n",
3098 ntohl (cm->ctn.cn));
3101 LOG (GNUNET_ERROR_TYPE_DEBUG,
3102 "Received channel DESTROY on %s from %s\n",
3105 GCCH_handle_remote_destroy (ch,
3106 GCC_get_id (t->current_ct->cc));
3111 * Handles a message we decrypted, by injecting it into
3112 * our message queue (which will do the dispatching).
3114 * @param cls the `struct CadetTunnel` that got the message
3115 * @param msg the message
3116 * @return #GNUNET_OK on success (always)
3117 * #GNUNET_NO to stop further processing (no error)
3118 * #GNUNET_SYSERR to stop further processing with error
3121 handle_decrypted (void *cls,
3122 const struct GNUNET_MessageHeader *msg)
3124 struct CadetTunnel *t = cls;
3126 GNUNET_assert (NULL != t->current_ct);
3127 GNUNET_MQ_inject_message (t->mq,
3134 * Function called if we had an error processing
3135 * an incoming decrypted message.
3137 * @param cls the `struct CadetTunnel`
3138 * @param error error code
3141 decrypted_error_cb (void *cls,
3142 enum GNUNET_MQ_Error error)
3144 GNUNET_break_op (0);
3149 * Create a tunnel to @a destionation. Must only be called
3150 * from within #GCP_get_tunnel().
3152 * @param destination where to create the tunnel to
3153 * @return new tunnel to @a destination
3155 struct CadetTunnel *
3156 GCT_create_tunnel (struct CadetPeer *destination)
3158 struct CadetTunnel *t = GNUNET_new (struct CadetTunnel);
3159 struct GNUNET_MQ_MessageHandler handlers[] = {
3160 GNUNET_MQ_hd_fixed_size (plaintext_keepalive,
3161 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_KEEPALIVE,
3162 struct GNUNET_MessageHeader,
3164 GNUNET_MQ_hd_var_size (plaintext_data,
3165 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_APP_DATA,
3166 struct GNUNET_CADET_ChannelAppDataMessage,
3168 GNUNET_MQ_hd_fixed_size (plaintext_data_ack,
3169 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_APP_DATA_ACK,
3170 struct GNUNET_CADET_ChannelDataAckMessage,
3172 GNUNET_MQ_hd_fixed_size (plaintext_channel_open,
3173 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN,
3174 struct GNUNET_CADET_ChannelOpenMessage,
3176 GNUNET_MQ_hd_fixed_size (plaintext_channel_open_ack,
3177 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN_ACK,
3178 struct GNUNET_CADET_ChannelOpenAckMessage,
3180 GNUNET_MQ_hd_fixed_size (plaintext_channel_destroy,
3181 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY,
3182 struct GNUNET_CADET_ChannelDestroyMessage,
3184 GNUNET_MQ_handler_end ()
3187 t->kx_retry_delay = INITIAL_KX_RETRY_DELAY;
3188 new_ephemeral (&t->ax);
3189 GNUNET_assert (GNUNET_OK ==
3190 GNUNET_CRYPTO_ecdhe_key_create2 (&t->ax.kx_0));
3191 t->destination = destination;
3192 t->channels = GNUNET_CONTAINER_multihashmap32_create (8);
3193 t->maintain_connections_task
3194 = GNUNET_SCHEDULER_add_now (&maintain_connections_cb,
3196 t->mq = GNUNET_MQ_queue_for_callbacks (NULL,
3201 &decrypted_error_cb,
3203 t->mst = GNUNET_MST_create (&handle_decrypted,
3210 * Add a @a connection to the @a tunnel.
3213 * @param cid connection identifer to use for the connection
3214 * @param options options for the connection
3215 * @param path path to use for the connection
3216 * @return #GNUNET_OK on success,
3217 * #GNUNET_SYSERR on failure (duplicate connection)
3220 GCT_add_inbound_connection (struct CadetTunnel *t,
3222 GNUNET_CADET_ConnectionTunnelIdentifier *cid,
3223 struct CadetPeerPath *path)
3225 struct CadetTConnection *ct;
3227 ct = GNUNET_new (struct CadetTConnection);
3228 ct->created = GNUNET_TIME_absolute_get ();
3230 ct->cc = GCC_create_inbound (t->destination,
3234 &connection_ready_cb,
3238 LOG (GNUNET_ERROR_TYPE_DEBUG,
3239 "%s refused inbound %s (duplicate)\n",
3243 return GNUNET_SYSERR;
3245 /* FIXME: schedule job to kill connection (and path?) if it takes
3246 too long to get ready! (And track performance data on how long
3247 other connections took with the tunnel!)
3248 => Note: to be done within 'connection'-logic! */
3249 GNUNET_CONTAINER_DLL_insert (t->connection_busy_head,
3250 t->connection_busy_tail,
3252 t->num_busy_connections++;
3253 LOG (GNUNET_ERROR_TYPE_DEBUG,
3262 * Handle encrypted message.
3264 * @param ct connection/tunnel combo that received encrypted message
3265 * @param msg the encrypted message to decrypt
3268 GCT_handle_encrypted (struct CadetTConnection *ct,
3269 const struct GNUNET_CADET_TunnelEncryptedMessage *msg)
3271 struct CadetTunnel *t = ct->t;
3272 uint16_t size = ntohs (msg->header.size);
3273 char cbuf [size] GNUNET_ALIGN;
3274 ssize_t decrypted_size;
3276 LOG (GNUNET_ERROR_TYPE_DEBUG,
3277 "%s received %u bytes of encrypted data in state %d\n",
3279 (unsigned int) size,
3284 case CADET_TUNNEL_KEY_UNINITIALIZED:
3285 case CADET_TUNNEL_KEY_AX_RECV:
3286 /* We did not even SEND our KX, how can the other peer
3287 send us encrypted data? Must have been that we went
3288 down and the other peer still things we are up.
3289 Let's send it KX back. */
3290 GNUNET_STATISTICS_update (stats,
3291 "# received encrypted without any KX",
3294 if (NULL != t->kx_task)
3296 GNUNET_SCHEDULER_cancel (t->kx_task);
3304 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
3305 /* We send KX, and other peer send KX to us at the same time.
3306 Neither KX is AUTH'ed, so let's try KX_AUTH this time. */
3307 GNUNET_STATISTICS_update (stats,
3308 "# received encrypted without KX_AUTH",
3311 if (NULL != t->kx_task)
3313 GNUNET_SCHEDULER_cancel (t->kx_task);
3322 case CADET_TUNNEL_KEY_AX_SENT:
3323 /* We did not get the KX of the other peer, but that
3324 might have been lost. Send our KX again immediately. */
3325 GNUNET_STATISTICS_update (stats,
3326 "# received encrypted without KX",
3329 if (NULL != t->kx_task)
3331 GNUNET_SCHEDULER_cancel (t->kx_task);
3339 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
3340 /* Great, first payload, we might graduate to OK! */
3341 case CADET_TUNNEL_KEY_OK:
3342 /* We are up and running, all good. */
3346 decrypted_size = -1;
3347 if (CADET_TUNNEL_KEY_OK == t->estate)
3349 /* We have well-established key material available,
3350 try that. (This is the common case.) */
3351 decrypted_size = t_ax_decrypt_and_validate (&t->ax,
3357 if ((-1 == decrypted_size) &&
3358 (NULL != t->unverified_ax))
3360 /* We have un-authenticated KX material available. We should try
3361 this as a back-up option, in case the sender crashed and
3363 decrypted_size = t_ax_decrypt_and_validate (t->unverified_ax,
3367 if (-1 != decrypted_size)
3369 /* It worked! Treat this as authentication of the AX data! */
3370 cleanup_ax (&t->ax);
3371 t->ax = *t->unverified_ax;
3372 GNUNET_free (t->unverified_ax);
3373 t->unverified_ax = NULL;
3375 if (CADET_TUNNEL_KEY_AX_AUTH_SENT == t->estate)
3377 /* First time it worked, move tunnel into production! */
3378 GCT_change_estate (t,
3379 CADET_TUNNEL_KEY_OK);
3380 if (NULL != t->send_task)
3381 GNUNET_SCHEDULER_cancel (t->send_task);
3382 t->send_task = GNUNET_SCHEDULER_add_now (&trigger_transmissions,
3386 if (NULL != t->unverified_ax)
3388 /* We had unverified KX material that was useless; so increment
3389 counter and eventually move to ignore it. Note that we even do
3390 this increment if we successfully decrypted with the old KX
3391 material and thus didn't even both with the new one. This is
3392 the ideal case, as a malicious injection of bogus KX data
3393 basically only causes us to increment a counter a few times. */t->unverified_attempts++;
3394 LOG (GNUNET_ERROR_TYPE_DEBUG,
3395 "Failed to decrypt message with unverified KX data %u times\n",
3396 t->unverified_attempts);
3397 if (t->unverified_attempts > MAX_UNVERIFIED_ATTEMPTS)
3399 cleanup_ax (t->unverified_ax);
3400 GNUNET_free (t->unverified_ax);
3401 t->unverified_ax = NULL;
3405 if (-1 == decrypted_size)
3407 /* Decryption failed for good, complain. */
3408 LOG (GNUNET_ERROR_TYPE_WARNING,
3409 "%s failed to decrypt and validate encrypted data, retrying KX\n",
3411 GNUNET_STATISTICS_update (stats,
3412 "# unable to decrypt",
3415 if (NULL != t->kx_task)
3417 GNUNET_SCHEDULER_cancel (t->kx_task);
3425 GNUNET_STATISTICS_update (stats,
3426 "# decrypted bytes",
3430 /* The MST will ultimately call #handle_decrypted() on each message. */
3432 GNUNET_break_op (GNUNET_OK ==
3433 GNUNET_MST_from_buffer (t->mst,
3438 t->current_ct = NULL;
3443 * Sends an already built message on a tunnel, encrypting it and
3444 * choosing the best connection if not provided.
3446 * @param message Message to send. Function modifies it.
3447 * @param t Tunnel on which this message is transmitted.
3448 * @param cont Continuation to call once message is really sent.
3449 * @param cont_cls Closure for @c cont.
3450 * @return Handle to cancel message
3452 struct CadetTunnelQueueEntry *
3453 GCT_send (struct CadetTunnel *t,
3454 const struct GNUNET_MessageHeader *message,
3455 GCT_SendContinuation cont,
3458 struct CadetTunnelQueueEntry *tq;
3459 uint16_t payload_size;
3460 struct GNUNET_MQ_Envelope *env;
3461 struct GNUNET_CADET_TunnelEncryptedMessage *ax_msg;
3463 if (CADET_TUNNEL_KEY_OK != t->estate)
3468 payload_size = ntohs (message->size);
3469 LOG (GNUNET_ERROR_TYPE_DEBUG,
3470 "Encrypting %u bytes for %s\n",
3471 (unsigned int) payload_size,
3473 env = GNUNET_MQ_msg_extra (ax_msg,
3475 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_ENCRYPTED);
3476 t_ax_encrypt (&t->ax,
3480 GNUNET_STATISTICS_update (stats,
3481 "# encrypted bytes",
3484 ax_msg->ax_header.Ns = htonl (t->ax.Ns++);
3485 ax_msg->ax_header.PNs = htonl (t->ax.PNs);
3486 /* FIXME: we should do this once, not once per message;
3487 this is a point multiplication, and DHRs does not
3488 change all the time. */
3489 GNUNET_CRYPTO_ecdhe_key_get_public (&t->ax.DHRs,
3490 &ax_msg->ax_header.DHRs);
3491 t_h_encrypt (&t->ax,
3493 t_hmac (&ax_msg->ax_header,
3494 sizeof(struct GNUNET_CADET_AxHeader) + payload_size,
3499 tq = GNUNET_malloc (sizeof(*tq));
3502 tq->cid = &ax_msg->cid; /* will initialize 'ax_msg->cid' once we know the connection */
3504 tq->cont_cls = cont_cls;
3505 GNUNET_CONTAINER_DLL_insert_tail (t->tq_head,
3508 if (NULL != t->send_task)
3509 GNUNET_SCHEDULER_cancel (t->send_task);
3511 = GNUNET_SCHEDULER_add_now (&trigger_transmissions,
3518 * Cancel a previously sent message while it's in the queue.
3520 * ONLY can be called before the continuation given to the send
3521 * function is called. Once the continuation is called, the message is
3522 * no longer in the queue!
3524 * @param tq Handle to the queue entry to cancel.
3527 GCT_send_cancel (struct CadetTunnelQueueEntry *tq)
3529 struct CadetTunnel *t = tq->t;
3531 GNUNET_CONTAINER_DLL_remove (t->tq_head,
3534 GNUNET_MQ_discard (tq->env);
3540 * Iterate over all connections of a tunnel.
3542 * @param t Tunnel whose connections to iterate.
3543 * @param iter Iterator.
3544 * @param iter_cls Closure for @c iter.
3547 GCT_iterate_connections (struct CadetTunnel *t,
3548 GCT_ConnectionIterator iter,
3551 struct CadetTConnection *n;
3553 for (struct CadetTConnection *ct = t->connection_ready_head;
3561 for (struct CadetTConnection *ct = t->connection_busy_head;
3573 * Closure for #iterate_channels_cb.
3580 GCT_ChannelIterator iter;
3583 * Closure for @e iter.
3590 * Helper function for #GCT_iterate_channels.
3592 * @param cls the `struct ChanIterCls`
3594 * @param value a `struct CadetChannel`
3595 * @return #GNUNET_OK
3598 iterate_channels_cb (void *cls,
3602 struct ChanIterCls *ctx = cls;
3603 struct CadetChannel *ch = value;
3605 ctx->iter (ctx->iter_cls,
3612 * Iterate over all channels of a tunnel.
3614 * @param t Tunnel whose channels to iterate.
3615 * @param iter Iterator.
3616 * @param iter_cls Closure for @c iter.
3619 GCT_iterate_channels (struct CadetTunnel *t,
3620 GCT_ChannelIterator iter,
3623 struct ChanIterCls ctx;
3626 ctx.iter_cls = iter_cls;
3627 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
3628 &iterate_channels_cb,
3634 * Call #GCCH_debug() on a channel.
3636 * @param cls points to the log level to use
3638 * @param value the `struct CadetChannel` to dump
3639 * @return #GNUNET_OK (continue iteration)
3642 debug_channel (void *cls,
3646 const enum GNUNET_ErrorType *level = cls;
3647 struct CadetChannel *ch = value;
3649 GCCH_debug (ch, *level);
3654 #define LOG2(level, ...) GNUNET_log_from_nocheck (level, "cadet-tun", \
3659 * Log all possible info about the tunnel state.
3661 * @param t Tunnel to debug.
3662 * @param level Debug level to use.
3665 GCT_debug (const struct CadetTunnel *t,
3666 enum GNUNET_ErrorType level)
3668 #if ! defined(GNUNET_CULL_LOGGING)
3669 struct CadetTConnection *iter_c;
3672 do_log = GNUNET_get_log_call_status (level & (~GNUNET_ERROR_TYPE_BULK),
3674 __FILE__, __FUNCTION__, __LINE__);
3679 "TTT TUNNEL TOWARDS %s in estate %s tq_len: %u #cons: %u\n",
3681 estate2s (t->estate),
3683 GCT_count_any_connections (t));
3686 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
3690 "TTT connections:\n");
3691 for (iter_c = t->connection_ready_head; NULL != iter_c; iter_c = iter_c->next)
3692 GCC_debug (iter_c->cc,
3694 for (iter_c = t->connection_busy_head; NULL != iter_c; iter_c = iter_c->next)
3695 GCC_debug (iter_c->cc,
3699 "TTT TUNNEL END\n");
3704 /* end of gnunet-service-cadet_tunnels.c */