2 This file is part of GNUnet.
3 Copyright (C) 2013, 2017, 2018 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 SPDX-License-Identifier: AGPL3.0-or-later
21 * @file cadet/gnunet-service-cadet_tunnels.c
22 * @brief Information we track per tunnel.
23 * @author Bartlomiej Polot
24 * @author Christian Grothoff
27 * - proper connection evaluation during connection management:
28 * + consider quality (or quality spread?) of current connection set
29 * when deciding how often to do maintenance
30 * + interact with PEER to drive DHT GET/PUT operations based
31 * on how much we like our connections
34 #include "gnunet_util_lib.h"
35 #include "gnunet_statistics_service.h"
36 #include "gnunet_signatures.h"
37 #include "cadet_protocol.h"
38 #include "gnunet-service-cadet_channel.h"
39 #include "gnunet-service-cadet_connection.h"
40 #include "gnunet-service-cadet_tunnels.h"
41 #include "gnunet-service-cadet_peer.h"
42 #include "gnunet-service-cadet_paths.h"
45 #define LOG(level, ...) GNUNET_log_from (level, "cadet-tun", __VA_ARGS__)
48 * How often do we try to decrypt payload with unverified key
49 * material? Used to limit CPU increase upon receiving bogus
52 #define MAX_UNVERIFIED_ATTEMPTS 16
55 * How long do we wait until tearing down an idle tunnel?
57 #define IDLE_DESTROY_DELAY GNUNET_TIME_relative_multiply ( \
58 GNUNET_TIME_UNIT_SECONDS, 90)
61 * How long do we wait initially before retransmitting the KX?
62 * TODO: replace by 2 RTT if/once we have connection-level RTT data!
64 #define INITIAL_KX_RETRY_DELAY GNUNET_TIME_relative_multiply ( \
65 GNUNET_TIME_UNIT_MILLISECONDS, 250)
68 * Maximum number of skipped keys we keep in memory per tunnel.
70 #define MAX_SKIPPED_KEYS 64
73 * Maximum number of keys (and thus ratchet steps) we are willing to
74 * skip before we decide this is either a bogus packet or a DoS-attempt.
76 #define MAX_KEY_GAP 256
80 * Struct to old keys for skipped messages while advancing the Axolotl ratchet.
82 struct CadetTunnelSkippedKey
87 struct CadetTunnelSkippedKey *next;
92 struct CadetTunnelSkippedKey *prev;
95 * When was this key stored (for timeout).
97 struct GNUNET_TIME_Absolute timestamp;
102 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
107 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
110 * Key number for a given HK.
117 * Axolotl data, according to https://github.com/trevp/axolotl/wiki .
119 struct CadetTunnelAxolotl
122 * A (double linked) list of stored message keys and associated header keys
123 * for "skipped" messages, i.e. messages that have not been
124 * received despite the reception of more recent messages, (head).
126 struct CadetTunnelSkippedKey *skipped_head;
129 * Skipped messages' keys DLL, tail.
131 struct CadetTunnelSkippedKey *skipped_tail;
134 * 32-byte root key which gets updated by DH ratchet.
136 struct GNUNET_CRYPTO_SymmetricSessionKey RK;
139 * 32-byte header key (currently used for sending).
141 struct GNUNET_CRYPTO_SymmetricSessionKey HKs;
144 * 32-byte header key (currently used for receiving)
146 struct GNUNET_CRYPTO_SymmetricSessionKey HKr;
149 * 32-byte next header key (for sending), used once the
150 * ratchet advances. We are sure that the sender has this
151 * key as well only after @e ratchet_allowed is #GNUNET_YES.
153 struct GNUNET_CRYPTO_SymmetricSessionKey NHKs;
156 * 32-byte next header key (for receiving). To be tried
157 * when decrypting with @e HKr fails and thus the sender
158 * may have advanced the ratchet.
160 struct GNUNET_CRYPTO_SymmetricSessionKey NHKr;
163 * 32-byte chain keys (used for forward-secrecy) for
164 * sending messages. Updated for every message.
166 struct GNUNET_CRYPTO_SymmetricSessionKey CKs;
169 * 32-byte chain keys (used for forward-secrecy) for
170 * receiving messages. Updated for every message. If
171 * messages are skipped, the respective derived MKs
172 * (and the current @HKr) are kept in the @e skipped_head DLL.
174 struct GNUNET_CRYPTO_SymmetricSessionKey CKr;
177 * ECDH for key exchange (A0 / B0).
179 struct GNUNET_CRYPTO_EcdhePrivateKey kx_0;
182 * ECDH Ratchet key (our private key in the current DH).
184 struct GNUNET_CRYPTO_EcdhePrivateKey DHRs;
187 * ECDH Ratchet key (other peer's public key in the current DH).
189 struct GNUNET_CRYPTO_EcdhePublicKey DHRr;
192 * Last ephemeral public key received from the other peer,
193 * for duplicate detection.
195 struct GNUNET_CRYPTO_EcdhePublicKey last_ephemeral;
198 * Time when the current ratchet expires and a new one is triggered
199 * (if @e ratchet_allowed is #GNUNET_YES).
201 struct GNUNET_TIME_Absolute ratchet_expiration;
204 * Number of elements in @a skipped_head <-> @a skipped_tail.
206 unsigned int skipped;
209 * Message number (reset to 0 with each new ratchet, next message to send).
214 * Message number (reset to 0 with each new ratchet, next message to recv).
219 * Previous message numbers (# of msgs sent under prev ratchet)
224 * True (#GNUNET_YES) if we have to send a new ratchet key in next msg.
229 * True (#GNUNET_YES) if we have received a message from the
230 * other peer that uses the keys from our last ratchet step.
231 * This implies that we are again allowed to advance the ratchet,
232 * otherwise we have to wait until the other peer sees our current
233 * ephemeral key and advances first.
235 * #GNUNET_NO if we have advanced the ratched but lack any evidence
236 * that the other peer has noticed this.
241 * Number of messages recieved since our last ratchet advance.
243 * If this counter = 0, we cannot send a new ratchet key in the next
246 * If this counter > 0, we could (but don't have to) send a new key.
248 * Once the @e ratchet_counter is larger than
249 * #ratchet_messages (or @e ratchet_expiration time has past), and
250 * @e ratchet_allowed is #GNUNET_YES, we advance the ratchet.
252 unsigned int ratchet_counter;
257 * Struct used to save messages in a non-ready tunnel to send once connected.
259 struct CadetTunnelQueueEntry
262 * We are entries in a DLL
264 struct CadetTunnelQueueEntry *next;
267 * We are entries in a DLL
269 struct CadetTunnelQueueEntry *prev;
272 * Tunnel these messages belong in.
274 struct CadetTunnel *t;
277 * Continuation to call once sent (on the channel layer).
279 GCT_SendContinuation cont;
282 * Closure for @c cont.
287 * Envelope of message to send follows.
289 struct GNUNET_MQ_Envelope *env;
292 * Where to put the connection identifier into the payload
293 * of the message in @e env once we have it?
295 struct GNUNET_CADET_ConnectionTunnelIdentifier *cid;
300 * Struct containing all information regarding a tunnel to a peer.
305 * Destination of the tunnel.
307 struct CadetPeer *destination;
310 * Peer's ephemeral key, to recreate @c e_key and @c d_key when own
311 * ephemeral key changes.
313 struct GNUNET_CRYPTO_EcdhePublicKey peers_ephemeral_key;
316 * Encryption ("our") key. It is only "confirmed" if kx_ctx is NULL.
318 struct GNUNET_CRYPTO_SymmetricSessionKey e_key;
321 * Decryption ("their") key. It is only "confirmed" if kx_ctx is NULL.
323 struct GNUNET_CRYPTO_SymmetricSessionKey d_key;
328 struct CadetTunnelAxolotl ax;
331 * Unverified Axolotl info, used only if we got a fresh KX (not a
332 * KX_AUTH) while our end of the tunnel was still up. In this case,
333 * we keep the fresh KX around but do not put it into action until
334 * we got encrypted payload that assures us of the authenticity of
337 struct CadetTunnelAxolotl *unverified_ax;
340 * Task scheduled if there are no more channels using the tunnel.
342 struct GNUNET_SCHEDULER_Task *destroy_task;
345 * Task to trim connections if too many are present.
347 struct GNUNET_SCHEDULER_Task *maintain_connections_task;
350 * Task to send messages from queue (if possible).
352 struct GNUNET_SCHEDULER_Task *send_task;
355 * Task to trigger KX.
357 struct GNUNET_SCHEDULER_Task *kx_task;
360 * Tokenizer for decrypted messages.
362 struct GNUNET_MessageStreamTokenizer *mst;
365 * Dispatcher for decrypted messages only (do NOT use for sending!).
367 struct GNUNET_MQ_Handle *mq;
370 * DLL of ready connections that are actively used to reach the destination peer.
372 struct CadetTConnection *connection_ready_head;
375 * DLL of ready connections that are actively used to reach the destination peer.
377 struct CadetTConnection *connection_ready_tail;
380 * DLL of connections that we maintain that might be used to reach the destination peer.
382 struct CadetTConnection *connection_busy_head;
385 * DLL of connections that we maintain that might be used to reach the destination peer.
387 struct CadetTConnection *connection_busy_tail;
390 * Channels inside this tunnel. Maps
391 * `struct GNUNET_CADET_ChannelTunnelNumber` to a `struct CadetChannel`.
393 struct GNUNET_CONTAINER_MultiHashMap32 *channels;
396 * Channel ID for the next created channel in this tunnel.
398 struct GNUNET_CADET_ChannelTunnelNumber next_ctn;
401 * Queued messages, to transmit once tunnel gets connected.
403 struct CadetTunnelQueueEntry *tq_head;
406 * Queued messages, to transmit once tunnel gets connected.
408 struct CadetTunnelQueueEntry *tq_tail;
411 * Identification of the connection from which we are currently processing
412 * a message. Only valid (non-NULL) during #handle_decrypted() and the
413 * handle-*()-functions called from our @e mq during that function.
415 struct CadetTConnection *current_ct;
418 * How long do we wait until we retry the KX?
420 struct GNUNET_TIME_Relative kx_retry_delay;
423 * When do we try the next KX?
425 struct GNUNET_TIME_Absolute next_kx_attempt;
428 * Number of connections in the @e connection_ready_head DLL.
430 unsigned int num_ready_connections;
433 * Number of connections in the @e connection_busy_head DLL.
435 unsigned int num_busy_connections;
438 * How often have we tried and failed to decrypt a message using
439 * the unverified KX material from @e unverified_ax? Used to
440 * stop trying after #MAX_UNVERIFIED_ATTEMPTS.
442 unsigned int unverified_attempts;
445 * Number of entries in the @e tq_head DLL.
450 * State of the tunnel encryption.
452 enum CadetTunnelEState estate;
455 * Force triggering KX_AUTH independent of @e estate.
457 int kx_auth_requested;
462 * Am I Alice or Betty (some call her Bob), or talking to myself?
464 * @param other the other peer
465 * @return #GNUNET_YES for Alice, #GNUNET_NO for Betty, #GNUNET_SYSERR if talking to myself
468 alice_or_betty (const struct GNUNET_PeerIdentity *other)
470 if (0 > GNUNET_memcmp (&my_full_id,
473 else if (0 < GNUNET_memcmp (&my_full_id,
479 return GNUNET_SYSERR;
485 * Connection @a ct is now unready, clear it's ready flag
486 * and move it from the ready DLL to the busy DLL.
488 * @param ct connection to move to unready status
491 mark_connection_unready (struct CadetTConnection *ct)
493 struct CadetTunnel *t = ct->t;
495 GNUNET_assert (GNUNET_YES == ct->is_ready);
496 GNUNET_CONTAINER_DLL_remove (t->connection_ready_head,
497 t->connection_ready_tail,
499 GNUNET_assert (0 < t->num_ready_connections);
500 t->num_ready_connections--;
501 ct->is_ready = GNUNET_NO;
502 GNUNET_CONTAINER_DLL_insert (t->connection_busy_head,
503 t->connection_busy_tail,
505 t->num_busy_connections++;
510 * Get the static string for the peer this tunnel is directed.
514 * @return Static string the destination peer's ID.
517 GCT_2s (const struct CadetTunnel *t)
522 return "Tunnel(NULL)";
523 GNUNET_snprintf (buf,
526 GNUNET_i2s (GCP_get_id (t->destination)));
532 * Get string description for tunnel encryption state.
534 * @param es Tunnel state.
536 * @return String representation.
539 estate2s (enum CadetTunnelEState es)
545 case CADET_TUNNEL_KEY_UNINITIALIZED:
546 return "CADET_TUNNEL_KEY_UNINITIALIZED";
548 case CADET_TUNNEL_KEY_AX_RECV:
549 return "CADET_TUNNEL_KEY_AX_RECV";
551 case CADET_TUNNEL_KEY_AX_SENT:
552 return "CADET_TUNNEL_KEY_AX_SENT";
554 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
555 return "CADET_TUNNEL_KEY_AX_SENT_AND_RECV";
557 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
558 return "CADET_TUNNEL_KEY_AX_AUTH_SENT";
560 case CADET_TUNNEL_KEY_OK:
561 return "CADET_TUNNEL_KEY_OK";
564 GNUNET_snprintf (buf,
566 "%u (UNKNOWN STATE)",
574 * Return the peer to which this tunnel goes.
577 * @return the destination of the tunnel
580 GCT_get_destination (struct CadetTunnel *t)
582 return t->destination;
587 * Count channels of a tunnel.
589 * @param t Tunnel on which to count.
591 * @return Number of channels.
594 GCT_count_channels (struct CadetTunnel *t)
596 return GNUNET_CONTAINER_multihashmap32_size (t->channels);
601 * Lookup a channel by its @a ctn.
603 * @param t tunnel to look in
604 * @param ctn number of channel to find
605 * @return NULL if channel does not exist
607 struct CadetChannel *
608 lookup_channel (struct CadetTunnel *t,
609 struct GNUNET_CADET_ChannelTunnelNumber ctn)
611 return GNUNET_CONTAINER_multihashmap32_get (t->channels,
617 * Count all created connections of a tunnel. Not necessarily ready connections!
619 * @param t Tunnel on which to count.
621 * @return Number of connections created, either being established or ready.
624 GCT_count_any_connections (const struct CadetTunnel *t)
626 return t->num_ready_connections + t->num_busy_connections;
631 * Find first connection that is ready in the list of
632 * our connections. Picks ready connections round-robin.
634 * @param t tunnel to search
635 * @return NULL if we have no connection that is ready
637 static struct CadetTConnection *
638 get_ready_connection (struct CadetTunnel *t)
640 struct CadetTConnection *hd = t->connection_ready_head;
642 GNUNET_assert ((NULL == hd) ||
643 (GNUNET_YES == hd->is_ready));
649 * Get the encryption state of a tunnel.
653 * @return Tunnel's encryption state.
655 enum CadetTunnelEState
656 GCT_get_estate (struct CadetTunnel *t)
663 * Called when either we have a new connection, or a new message in the
664 * queue, or some existing connection has transmission capacity. Looks
665 * at our message queue and if there is a message, picks a connection
668 * @param cls the `struct CadetTunnel` to process messages on
671 trigger_transmissions (void *cls);
674 /* ************************************** start core crypto ***************************** */
678 * Create a new Axolotl ephemeral (ratchet) key.
680 * @param ax key material to update
683 new_ephemeral (struct CadetTunnelAxolotl *ax)
685 LOG (GNUNET_ERROR_TYPE_DEBUG,
686 "Creating new ephemeral ratchet key (DHRs)\n");
687 GNUNET_assert (GNUNET_OK ==
688 GNUNET_CRYPTO_ecdhe_key_create2 (&ax->DHRs));
695 * @param plaintext Content to HMAC.
696 * @param size Size of @c plaintext.
697 * @param iv Initialization vector for the message.
698 * @param key Key to use.
699 * @param hmac[out] Destination to store the HMAC.
702 t_hmac (const void *plaintext,
705 const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
706 struct GNUNET_ShortHashCode *hmac)
708 static const char ctx[] = "cadet authentication key";
709 struct GNUNET_CRYPTO_AuthKey auth_key;
710 struct GNUNET_HashCode hash;
712 GNUNET_CRYPTO_hmac_derive_key (&auth_key,
718 /* Two step: GNUNET_ShortHash is only 256 bits,
719 GNUNET_HashCode is 512, so we truncate. */
720 GNUNET_CRYPTO_hmac (&auth_key,
733 * @param key Key to use.
734 * @param[out] hash Resulting HMAC.
735 * @param source Source key material (data to HMAC).
736 * @param len Length of @a source.
739 t_ax_hmac_hash (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
740 struct GNUNET_HashCode *hash,
744 static const char ctx[] = "axolotl HMAC-HASH";
745 struct GNUNET_CRYPTO_AuthKey auth_key;
747 GNUNET_CRYPTO_hmac_derive_key (&auth_key,
751 GNUNET_CRYPTO_hmac (&auth_key,
759 * Derive a symmetric encryption key from an HMAC-HASH.
761 * @param key Key to use for the HMAC.
762 * @param[out] out Key to generate.
763 * @param source Source key material (data to HMAC).
764 * @param len Length of @a source.
767 t_hmac_derive_key (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
768 struct GNUNET_CRYPTO_SymmetricSessionKey *out,
772 static const char ctx[] = "axolotl derive key";
773 struct GNUNET_HashCode h;
779 GNUNET_CRYPTO_kdf (out, sizeof(*out),
787 * Encrypt data with the axolotl tunnel key.
789 * @param ax key material to use.
790 * @param dst Destination with @a size bytes for the encrypted data.
791 * @param src Source of the plaintext. Can overlap with @c dst, must contain @a size bytes
792 * @param size Size of the buffers at @a src and @a dst
795 t_ax_encrypt (struct CadetTunnelAxolotl *ax,
800 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
801 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
804 ax->ratchet_counter++;
805 if ((GNUNET_YES == ax->ratchet_allowed) &&
806 ((ratchet_messages <= ax->ratchet_counter) ||
807 (0 == GNUNET_TIME_absolute_get_remaining (
808 ax->ratchet_expiration).rel_value_us)))
810 ax->ratchet_flag = GNUNET_YES;
812 if (GNUNET_YES == ax->ratchet_flag)
814 /* Advance ratchet */
815 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3];
816 struct GNUNET_HashCode dh;
817 struct GNUNET_HashCode hmac;
818 static const char ctx[] = "axolotl ratchet";
823 /* RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) ) */
824 GNUNET_CRYPTO_ecc_ecdh (&ax->DHRs,
827 t_ax_hmac_hash (&ax->RK,
831 GNUNET_CRYPTO_kdf (keys, sizeof(keys),
841 ax->ratchet_flag = GNUNET_NO;
842 ax->ratchet_allowed = GNUNET_NO;
843 ax->ratchet_counter = 0;
844 ax->ratchet_expiration
845 = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get (),
849 t_hmac_derive_key (&ax->CKs,
853 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
858 out_size = GNUNET_CRYPTO_symmetric_encrypt (src,
863 GNUNET_assert (size == out_size);
864 t_hmac_derive_key (&ax->CKs,
872 * Decrypt data with the axolotl tunnel key.
874 * @param ax key material to use.
875 * @param dst Destination for the decrypted data, must contain @a size bytes.
876 * @param src Source of the ciphertext. Can overlap with @c dst, must contain @a size bytes.
877 * @param size Size of the @a src and @a dst buffers
880 t_ax_decrypt (struct CadetTunnelAxolotl *ax,
885 struct GNUNET_CRYPTO_SymmetricSessionKey MK;
886 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
889 t_hmac_derive_key (&ax->CKr,
893 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
897 GNUNET_assert (size >= sizeof(struct GNUNET_MessageHeader));
898 out_size = GNUNET_CRYPTO_symmetric_decrypt (src,
903 GNUNET_assert (out_size == size);
904 t_hmac_derive_key (&ax->CKr,
912 * Encrypt header with the axolotl header key.
914 * @param ax key material to use.
915 * @param[in|out] msg Message whose header to encrypt.
918 t_h_encrypt (struct CadetTunnelAxolotl *ax,
919 struct GNUNET_CADET_TunnelEncryptedMessage *msg)
921 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
924 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
928 out_size = GNUNET_CRYPTO_symmetric_encrypt (&msg->ax_header,
930 GNUNET_CADET_AxHeader),
934 GNUNET_assert (sizeof(struct GNUNET_CADET_AxHeader) == out_size);
939 * Decrypt header with the current axolotl header key.
941 * @param ax key material to use.
942 * @param src Message whose header to decrypt.
943 * @param dst Where to decrypt header to.
946 t_h_decrypt (struct CadetTunnelAxolotl *ax,
947 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
948 struct GNUNET_CADET_TunnelEncryptedMessage *dst)
950 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
953 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
957 out_size = GNUNET_CRYPTO_symmetric_decrypt (&src->ax_header.Ns,
959 GNUNET_CADET_AxHeader),
963 GNUNET_assert (sizeof(struct GNUNET_CADET_AxHeader) == out_size);
968 * Delete a key from the list of skipped keys.
970 * @param ax key material to delete @a key from.
971 * @param key Key to delete.
974 delete_skipped_key (struct CadetTunnelAxolotl *ax,
975 struct CadetTunnelSkippedKey *key)
977 GNUNET_CONTAINER_DLL_remove (ax->skipped_head,
986 * Decrypt and verify data with the appropriate tunnel key and verify that the
987 * data has not been altered since it was sent by the remote peer.
989 * @param ax key material to use.
990 * @param dst Destination for the plaintext.
991 * @param src Source of the message. Can overlap with @c dst.
992 * @param size Size of the message.
993 * @return Size of the decrypted data, -1 if an error was encountered.
996 try_old_ax_keys (struct CadetTunnelAxolotl *ax,
998 const struct GNUNET_CADET_TunnelEncryptedMessage *src,
1001 struct CadetTunnelSkippedKey *key;
1002 struct GNUNET_ShortHashCode *hmac;
1003 struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
1004 struct GNUNET_CADET_TunnelEncryptedMessage plaintext_header;
1005 struct GNUNET_CRYPTO_SymmetricSessionKey *valid_HK;
1011 LOG (GNUNET_ERROR_TYPE_DEBUG,
1012 "Trying skipped keys\n");
1013 hmac = &plaintext_header.hmac;
1014 esize = size - sizeof(struct GNUNET_CADET_TunnelEncryptedMessage);
1016 /* Find a correct Header Key */
1018 for (key = ax->skipped_head; NULL != key; key = key->next)
1020 t_hmac (&src->ax_header,
1021 sizeof(struct GNUNET_CADET_AxHeader) + esize,
1025 if (0 == GNUNET_memcmp (hmac,
1028 valid_HK = &key->HK;
1035 /* Should've been checked in -cadet_connection.c handle_cadet_encrypted. */
1036 GNUNET_assert (size > sizeof(struct GNUNET_CADET_TunnelEncryptedMessage));
1037 len = size - sizeof(struct GNUNET_CADET_TunnelEncryptedMessage);
1038 GNUNET_assert (len >= sizeof(struct GNUNET_MessageHeader));
1040 /* Decrypt header */
1041 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
1045 res = GNUNET_CRYPTO_symmetric_decrypt (&src->ax_header.Ns,
1046 sizeof(struct GNUNET_CADET_AxHeader),
1049 &plaintext_header.ax_header.Ns);
1050 GNUNET_assert (sizeof(struct GNUNET_CADET_AxHeader) == res);
1052 /* Find the correct message key */
1053 N = ntohl (plaintext_header.ax_header.Ns);
1054 while ((NULL != key) &&
1057 if ((NULL == key) ||
1058 (0 != GNUNET_memcmp (&key->HK,
1062 /* Decrypt payload */
1063 GNUNET_CRYPTO_symmetric_derive_iv (&iv,
1068 res = GNUNET_CRYPTO_symmetric_decrypt (&src[1],
1073 delete_skipped_key (ax,
1080 * Delete a key from the list of skipped keys.
1082 * @param ax key material to delete from.
1083 * @param HKr Header Key to use.
1086 store_skipped_key (struct CadetTunnelAxolotl *ax,
1087 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr)
1089 struct CadetTunnelSkippedKey *key;
1091 key = GNUNET_new (struct CadetTunnelSkippedKey);
1092 key->timestamp = GNUNET_TIME_absolute_get ();
1095 t_hmac_derive_key (&ax->CKr,
1099 t_hmac_derive_key (&ax->CKr,
1103 GNUNET_CONTAINER_DLL_insert (ax->skipped_head,
1112 * Stage skipped AX keys and calculate the message key.
1113 * Stores each HK and MK for skipped messages.
1115 * @param ax key material to use
1116 * @param HKr Header key.
1117 * @param Np Received meesage number.
1118 * @return #GNUNET_OK if keys were stored.
1119 * #GNUNET_SYSERR if an error ocurred (@a Np not expected).
1122 store_ax_keys (struct CadetTunnelAxolotl *ax,
1123 const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr,
1129 LOG (GNUNET_ERROR_TYPE_DEBUG,
1130 "Storing skipped keys [%u, %u)\n",
1133 if (MAX_KEY_GAP < gap)
1135 /* Avoid DoS (forcing peer to do more than #MAX_KEY_GAP HMAC operations) */
1136 /* TODO: start new key exchange on return */
1137 GNUNET_break_op (0);
1138 LOG (GNUNET_ERROR_TYPE_WARNING,
1139 "Got message %u, expected %u+\n",
1142 return GNUNET_SYSERR;
1146 /* Delayed message: don't store keys, flag to try old keys. */
1147 return GNUNET_SYSERR;
1151 store_skipped_key (ax,
1154 while (ax->skipped > MAX_SKIPPED_KEYS)
1155 delete_skipped_key (ax,
1162 * Decrypt and verify data with the appropriate tunnel key and verify that the
1163 * data has not been altered since it was sent by the remote peer.
1165 * @param ax key material to use
1166 * @param dst Destination for the plaintext.
1167 * @param src Source of the message. Can overlap with @c dst.
1168 * @param size Size of the message.
1169 * @return Size of the decrypted data, -1 if an error was encountered.
1172 t_ax_decrypt_and_validate (struct CadetTunnelAxolotl *ax,
1175 GNUNET_CADET_TunnelEncryptedMessage *src,
1178 struct GNUNET_ShortHashCode msg_hmac;
1179 struct GNUNET_HashCode hmac;
1180 struct GNUNET_CADET_TunnelEncryptedMessage plaintext_header;
1183 size_t esize; /* Size of encryped payload */
1185 esize = size - sizeof(struct GNUNET_CADET_TunnelEncryptedMessage);
1187 /* Try current HK */
1188 t_hmac (&src->ax_header,
1189 sizeof(struct GNUNET_CADET_AxHeader) + esize,
1192 if (0 != GNUNET_memcmp (&msg_hmac,
1195 static const char ctx[] = "axolotl ratchet";
1196 struct GNUNET_CRYPTO_SymmetricSessionKey keys[3]; /* RKp, NHKp, CKp */
1197 struct GNUNET_CRYPTO_SymmetricSessionKey HK;
1198 struct GNUNET_HashCode dh;
1199 struct GNUNET_CRYPTO_EcdhePublicKey *DHRp;
1202 t_hmac (&src->ax_header,
1203 sizeof(struct GNUNET_CADET_AxHeader) + esize,
1207 if (0 != GNUNET_memcmp (&msg_hmac,
1210 /* Try the skipped keys, if that fails, we're out of luck. */
1211 return try_old_ax_keys (ax,
1221 Np = ntohl (plaintext_header.ax_header.Ns);
1222 PNp = ntohl (plaintext_header.ax_header.PNs);
1223 DHRp = &plaintext_header.ax_header.DHRs;
1228 /* RKp, NHKp, CKp = KDF (HMAC-HASH (RK, DH (DHRp, DHRs))) */
1229 GNUNET_CRYPTO_ecc_ecdh (&ax->DHRs,
1232 t_ax_hmac_hash (&ax->RK,
1235 GNUNET_CRYPTO_kdf (keys, sizeof(keys),
1237 &hmac, sizeof(hmac),
1240 /* Commit "purported" keys */
1246 ax->ratchet_allowed = GNUNET_YES;
1253 Np = ntohl (plaintext_header.ax_header.Ns);
1254 PNp = ntohl (plaintext_header.ax_header.PNs);
1256 if ((Np != ax->Nr) &&
1257 (GNUNET_OK != store_ax_keys (ax,
1261 /* Try the skipped keys, if that fails, we're out of luck. */
1262 return try_old_ax_keys (ax,
1278 * Our tunnel became ready for the first time, notify channels
1279 * that have been waiting.
1281 * @param cls our tunnel, not used
1282 * @param key unique ID of the channel, not used
1283 * @param value the `struct CadetChannel` to notify
1284 * @return #GNUNET_OK (continue to iterate)
1287 notify_tunnel_up_cb (void *cls,
1291 struct CadetChannel *ch = value;
1293 GCCH_tunnel_up (ch);
1299 * Change the tunnel encryption state.
1300 * If the encryption state changes to OK, stop the rekey task.
1302 * @param t Tunnel whose encryption state to change, or NULL.
1303 * @param state New encryption state.
1306 GCT_change_estate (struct CadetTunnel *t,
1307 enum CadetTunnelEState state)
1309 enum CadetTunnelEState old = t->estate;
1312 LOG (GNUNET_ERROR_TYPE_DEBUG,
1313 "%s estate changed from %s to %s\n",
1318 if ((CADET_TUNNEL_KEY_OK != old) &&
1319 (CADET_TUNNEL_KEY_OK == t->estate))
1321 if (NULL != t->kx_task)
1323 GNUNET_SCHEDULER_cancel (t->kx_task);
1326 /* notify all channels that have been waiting */
1327 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
1328 ¬ify_tunnel_up_cb,
1330 if (NULL != t->send_task)
1331 GNUNET_SCHEDULER_cancel (t->send_task);
1332 t->send_task = GNUNET_SCHEDULER_add_now (&trigger_transmissions,
1339 * Send a KX message.
1341 * @param t tunnel on which to send the KX_AUTH
1342 * @param ct Tunnel and connection on which to send the KX_AUTH, NULL if
1343 * we are to find one that is ready.
1344 * @param ax axolotl key context to use
1347 send_kx (struct CadetTunnel *t,
1348 struct CadetTConnection *ct,
1349 struct CadetTunnelAxolotl *ax)
1351 struct CadetConnection *cc;
1352 struct GNUNET_MQ_Envelope *env;
1353 struct GNUNET_CADET_TunnelKeyExchangeMessage *msg;
1354 enum GNUNET_CADET_KX_Flags flags;
1356 if (GNUNET_YES != alice_or_betty (GCP_get_id (t->destination)))
1357 return; /* only Alice may send KX */
1359 (GNUNET_NO == ct->is_ready))
1360 ct = get_ready_connection (t);
1363 LOG (GNUNET_ERROR_TYPE_DEBUG,
1364 "Wanted to send %s in state %s, but no connection is ready, deferring\n",
1366 estate2s (t->estate));
1367 t->next_kx_attempt = GNUNET_TIME_absolute_get ();
1371 env = GNUNET_MQ_msg (msg,
1372 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX);
1373 flags = GNUNET_CADET_KX_FLAG_FORCE_REPLY; /* always for KX */
1374 msg->flags = htonl (flags);
1375 msg->cid = *GCC_get_id (cc);
1376 GNUNET_CRYPTO_ecdhe_key_get_public (&ax->kx_0,
1377 &msg->ephemeral_key);
1379 msg->ephemeral_key_XXX = ax->kx_0;
1380 msg->private_key_XXX = *my_private_key;
1382 LOG (GNUNET_ERROR_TYPE_DEBUG,
1383 "Sending KX message to %s with ephemeral %s on CID %s\n",
1385 GNUNET_e2s (&msg->ephemeral_key),
1386 GNUNET_sh2s (&msg->cid.connection_of_tunnel));
1387 GNUNET_CRYPTO_ecdhe_key_get_public (&ax->DHRs,
1389 mark_connection_unready (ct);
1390 t->kx_retry_delay = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay);
1391 t->next_kx_attempt = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay);
1392 if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
1393 GCT_change_estate (t,
1394 CADET_TUNNEL_KEY_AX_SENT);
1395 else if (CADET_TUNNEL_KEY_AX_RECV == t->estate)
1396 GCT_change_estate (t,
1397 CADET_TUNNEL_KEY_AX_SENT_AND_RECV);
1400 GNUNET_STATISTICS_update (stats,
1408 * Send a KX_AUTH message.
1410 * @param t tunnel on which to send the KX_AUTH
1411 * @param ct Tunnel and connection on which to send the KX_AUTH, NULL if
1412 * we are to find one that is ready.
1413 * @param ax axolotl key context to use
1414 * @param force_reply Force the other peer to reply with a KX_AUTH message
1415 * (set if we would like to transmit right now, but cannot)
1418 send_kx_auth (struct CadetTunnel *t,
1419 struct CadetTConnection *ct,
1420 struct CadetTunnelAxolotl *ax,
1423 struct CadetConnection *cc;
1424 struct GNUNET_MQ_Envelope *env;
1425 struct GNUNET_CADET_TunnelKeyExchangeAuthMessage *msg;
1426 enum GNUNET_CADET_KX_Flags flags;
1429 (GNUNET_NO == ct->is_ready))
1430 ct = get_ready_connection (t);
1433 LOG (GNUNET_ERROR_TYPE_DEBUG,
1434 "Wanted to send KX_AUTH on %s, but no connection is ready, deferring\n",
1436 t->next_kx_attempt = GNUNET_TIME_absolute_get ();
1437 t->kx_auth_requested = GNUNET_YES; /* queue KX_AUTH independent of estate */
1440 t->kx_auth_requested = GNUNET_NO; /* clear flag */
1442 env = GNUNET_MQ_msg (msg,
1443 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX_AUTH);
1444 flags = GNUNET_CADET_KX_FLAG_NONE;
1445 if (GNUNET_YES == force_reply)
1446 flags |= GNUNET_CADET_KX_FLAG_FORCE_REPLY;
1447 msg->kx.flags = htonl (flags);
1448 msg->kx.cid = *GCC_get_id (cc);
1449 GNUNET_CRYPTO_ecdhe_key_get_public (&ax->kx_0,
1450 &msg->kx.ephemeral_key);
1451 GNUNET_CRYPTO_ecdhe_key_get_public (&ax->DHRs,
1452 &msg->kx.ratchet_key);
1454 msg->kx.ephemeral_key_XXX = ax->kx_0;
1455 msg->kx.private_key_XXX = *my_private_key;
1456 msg->r_ephemeral_key_XXX = ax->last_ephemeral;
1458 LOG (GNUNET_ERROR_TYPE_DEBUG,
1459 "Sending KX_AUTH message to %s with ephemeral %s on CID %s\n",
1461 GNUNET_e2s (&msg->kx.ephemeral_key),
1462 GNUNET_sh2s (&msg->kx.cid.connection_of_tunnel));
1464 /* Compute authenticator (this is the main difference to #send_kx()) */
1465 GNUNET_CRYPTO_hash (&ax->RK,
1468 /* Compute when to be triggered again; actual job will
1469 be scheduled via #connection_ready_cb() */
1471 = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay);
1473 = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay);
1475 /* Send via cc, mark it as unready */
1476 mark_connection_unready (ct);
1478 /* Update state machine, unless we are already OK */
1479 if (CADET_TUNNEL_KEY_OK != t->estate)
1480 GCT_change_estate (t,
1481 CADET_TUNNEL_KEY_AX_AUTH_SENT);
1484 GNUNET_STATISTICS_update (stats,
1485 "# KX_AUTH transmitted",
1492 * Cleanup state used by @a ax.
1494 * @param ax state to free, but not memory of @a ax itself
1497 cleanup_ax (struct CadetTunnelAxolotl *ax)
1499 while (NULL != ax->skipped_head)
1500 delete_skipped_key (ax,
1502 GNUNET_assert (0 == ax->skipped);
1503 GNUNET_CRYPTO_ecdhe_key_clear (&ax->kx_0);
1504 GNUNET_CRYPTO_ecdhe_key_clear (&ax->DHRs);
1509 * Update our Axolotl key state based on the KX data we received.
1510 * Computes the new chain keys, and root keys, etc, and also checks
1511 * wether this is a replay of the current chain.
1513 * @param[in|out] axolotl chain key state to recompute
1514 * @param pid peer identity of the other peer
1515 * @param ephemeral_key ephemeral public key of the other peer
1516 * @param ratchet_key senders next ephemeral public key
1517 * @return #GNUNET_OK on success, #GNUNET_NO if the resulting
1518 * root key is already in @a ax and thus the KX is useless;
1519 * #GNUNET_SYSERR on hard errors (i.e. @a pid is #my_full_id)
1522 update_ax_by_kx (struct CadetTunnelAxolotl *ax,
1523 const struct GNUNET_PeerIdentity *pid,
1524 const struct GNUNET_CRYPTO_EcdhePublicKey *ephemeral_key,
1525 const struct GNUNET_CRYPTO_EcdhePublicKey *ratchet_key)
1527 struct GNUNET_HashCode key_material[3];
1528 struct GNUNET_CRYPTO_SymmetricSessionKey keys[5];
1529 const char salt[] = "CADET Axolotl salt";
1532 if (GNUNET_SYSERR == (am_I_alice = alice_or_betty (pid)))
1534 GNUNET_break_op (0);
1535 return GNUNET_SYSERR;
1537 if (0 == GNUNET_memcmp (&ax->DHRr,
1540 GNUNET_STATISTICS_update (stats,
1541 "# Ratchet key already known",
1544 LOG (GNUNET_ERROR_TYPE_DEBUG,
1545 "Ratchet key already known. Ignoring KX.\n");
1549 ax->DHRr = *ratchet_key;
1550 ax->last_ephemeral = *ephemeral_key;
1552 if (GNUNET_YES == am_I_alice)
1554 GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* a */
1555 ephemeral_key, /* B0 */
1560 GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* b0 */
1561 &pid->public_key, /* A */
1565 if (GNUNET_YES == am_I_alice)
1567 GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* a0 */
1568 &pid->public_key, /* B */
1573 GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* b */
1574 ephemeral_key, /* A0 */
1579 GNUNET_CRYPTO_ecc_ecdh (&ax->kx_0, /* a0 or b0 */
1580 ephemeral_key, /* B0 or A0 */
1583 GNUNET_CRYPTO_kdf (keys, sizeof(keys),
1585 &key_material, sizeof(key_material),
1588 if (0 == memcmp (&ax->RK,
1592 LOG (GNUNET_ERROR_TYPE_DEBUG,
1593 "Root key already known. Ignoring KX.\n");
1594 GNUNET_STATISTICS_update (stats,
1595 "# Root key already known",
1602 if (GNUNET_YES == am_I_alice)
1608 ax->ratchet_flag = GNUNET_YES;
1616 ax->ratchet_flag = GNUNET_NO;
1617 ax->ratchet_expiration
1618 = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get (),
1626 * Try to redo the KX or KX_AUTH handshake, if we can.
1628 * @param cls the `struct CadetTunnel` to do KX for.
1631 retry_kx (void *cls)
1633 struct CadetTunnel *t = cls;
1634 struct CadetTunnelAxolotl *ax;
1637 LOG (GNUNET_ERROR_TYPE_DEBUG,
1638 "Trying to make KX progress on %s in state %s\n",
1640 estate2s (t->estate));
1643 case CADET_TUNNEL_KEY_UNINITIALIZED: /* first attempt */
1644 case CADET_TUNNEL_KEY_AX_SENT: /* trying again */
1650 case CADET_TUNNEL_KEY_AX_RECV:
1651 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
1652 /* We are responding, so only require reply
1653 if WE have a channel waiting. */
1654 if (NULL != t->unverified_ax)
1656 /* Send AX_AUTH so we might get this one verified */
1657 ax = t->unverified_ax;
1661 /* How can this be? */
1668 (0 == GCT_count_channels (t))
1673 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
1674 /* We are responding, so only require reply
1675 if WE have a channel waiting. */
1676 if (NULL != t->unverified_ax)
1678 /* Send AX_AUTH so we might get this one verified */
1679 ax = t->unverified_ax;
1683 /* How can this be? */
1690 (0 == GCT_count_channels (t))
1695 case CADET_TUNNEL_KEY_OK:
1696 /* Must have been the *other* peer asking us to
1697 respond with a KX_AUTH. */
1698 if (NULL != t->unverified_ax)
1700 /* Sending AX_AUTH in response to AX so we might get this one verified */
1701 ax = t->unverified_ax;
1705 /* Sending AX_AUTH in response to AX_AUTH */
1718 * Handle KX message that lacks authentication (and which will thus
1719 * only be considered authenticated after we respond with our own
1720 * KX_AUTH and finally successfully decrypt payload).
1722 * @param ct connection/tunnel combo that received encrypted message
1723 * @param msg the key exchange message
1726 GCT_handle_kx (struct CadetTConnection *ct,
1727 const struct GNUNET_CADET_TunnelKeyExchangeMessage *msg)
1729 struct CadetTunnel *t = ct->t;
1732 GNUNET_STATISTICS_update (stats,
1737 alice_or_betty (GCP_get_id (t->destination)))
1739 /* Betty/Bob is not allowed to send KX! */
1740 GNUNET_break_op (0);
1743 LOG (GNUNET_ERROR_TYPE_DEBUG,
1744 "Received KX message from %s with ephemeral %s from %s on connection %s\n",
1746 GNUNET_e2s (&msg->ephemeral_key),
1747 GNUNET_i2s (GCP_get_id (t->destination)),
1751 memcmp (&t->ax.DHRr,
1753 sizeof(msg->ratchet_key))) &&
1755 memcmp (&t->ax.last_ephemeral,
1756 &msg->ephemeral_key,
1757 sizeof(msg->ephemeral_key))))
1760 GNUNET_STATISTICS_update (stats,
1761 "# Duplicate KX received",
1771 /* We only keep ONE unverified KX around, so if there is an existing one,
1773 if (NULL != t->unverified_ax)
1776 memcmp (&t->unverified_ax->DHRr,
1778 sizeof(msg->ratchet_key))) &&
1780 memcmp (&t->unverified_ax->last_ephemeral,
1781 &msg->ephemeral_key,
1782 sizeof(msg->ephemeral_key))))
1784 GNUNET_STATISTICS_update (stats,
1785 "# Duplicate unverified KX received",
1796 LOG (GNUNET_ERROR_TYPE_DEBUG,
1797 "Dropping old unverified KX state.\n");
1798 GNUNET_STATISTICS_update (stats,
1799 "# Unverified KX dropped for fresh KX",
1802 GNUNET_break (NULL == t->unverified_ax->skipped_head);
1803 memset (t->unverified_ax,
1805 sizeof(struct CadetTunnelAxolotl));
1809 LOG (GNUNET_ERROR_TYPE_DEBUG,
1810 "Creating fresh unverified KX for %s\n",
1812 GNUNET_STATISTICS_update (stats,
1816 t->unverified_ax = GNUNET_new (struct CadetTunnelAxolotl);
1818 /* Set as the 'current' RK/DHRr the one we are currently using,
1819 so that the duplicate-detection logic of
1820 #update_ax_by_kx can work. */
1821 t->unverified_ax->RK = t->ax.RK;
1822 t->unverified_ax->DHRr = t->ax.DHRr;
1823 t->unverified_ax->DHRs = t->ax.DHRs;
1824 t->unverified_ax->kx_0 = t->ax.kx_0;
1825 t->unverified_attempts = 0;
1827 /* Update 'ax' by the new key material */
1828 ret = update_ax_by_kx (t->unverified_ax,
1829 GCP_get_id (t->destination),
1830 &msg->ephemeral_key,
1832 GNUNET_break (GNUNET_SYSERR != ret);
1833 if (GNUNET_OK != ret)
1835 GNUNET_STATISTICS_update (stats,
1839 return; /* duplicate KX, nothing to do */
1841 /* move ahead in our state machine */
1842 if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
1843 GCT_change_estate (t,
1844 CADET_TUNNEL_KEY_AX_RECV);
1845 else if (CADET_TUNNEL_KEY_AX_SENT == t->estate)
1846 GCT_change_estate (t,
1847 CADET_TUNNEL_KEY_AX_SENT_AND_RECV);
1849 /* KX is still not done, try again our end. */
1850 if (CADET_TUNNEL_KEY_OK != t->estate)
1852 if (NULL != t->kx_task)
1853 GNUNET_SCHEDULER_cancel (t->kx_task);
1855 = GNUNET_SCHEDULER_add_now (&retry_kx,
1863 check_ee (const struct GNUNET_CRYPTO_EcdhePrivateKey *e1,
1864 const struct GNUNET_CRYPTO_EcdhePrivateKey *e2)
1866 struct GNUNET_CRYPTO_EcdhePublicKey p1;
1867 struct GNUNET_CRYPTO_EcdhePublicKey p2;
1868 struct GNUNET_HashCode hc1;
1869 struct GNUNET_HashCode hc2;
1871 GNUNET_CRYPTO_ecdhe_key_get_public (e1,
1873 GNUNET_CRYPTO_ecdhe_key_get_public (e2,
1875 GNUNET_assert (GNUNET_OK ==
1876 GNUNET_CRYPTO_ecc_ecdh (e1,
1879 GNUNET_assert (GNUNET_OK ==
1880 GNUNET_CRYPTO_ecc_ecdh (e2,
1883 GNUNET_break (0 == GNUNET_memcmp (&hc1,
1889 check_ed (const struct GNUNET_CRYPTO_EcdhePrivateKey *e1,
1890 const struct GNUNET_CRYPTO_EddsaPrivateKey *e2)
1892 struct GNUNET_CRYPTO_EcdhePublicKey p1;
1893 struct GNUNET_CRYPTO_EddsaPublicKey p2;
1894 struct GNUNET_HashCode hc1;
1895 struct GNUNET_HashCode hc2;
1897 GNUNET_CRYPTO_ecdhe_key_get_public (e1,
1899 GNUNET_CRYPTO_eddsa_key_get_public (e2,
1901 GNUNET_assert (GNUNET_OK ==
1902 GNUNET_CRYPTO_ecdh_eddsa (e1,
1905 GNUNET_assert (GNUNET_OK ==
1906 GNUNET_CRYPTO_eddsa_ecdh (e2,
1909 GNUNET_break (0 == GNUNET_memcmp (&hc1,
1915 test_crypto_bug (const struct GNUNET_CRYPTO_EcdhePrivateKey *e1,
1916 const struct GNUNET_CRYPTO_EcdhePrivateKey *e2,
1917 const struct GNUNET_CRYPTO_EddsaPrivateKey *d1,
1918 const struct GNUNET_CRYPTO_EddsaPrivateKey *d2)
1930 * Handle KX_AUTH message.
1932 * @param ct connection/tunnel combo that received encrypted message
1933 * @param msg the key exchange message
1936 GCT_handle_kx_auth (struct CadetTConnection *ct,
1937 const struct GNUNET_CADET_TunnelKeyExchangeAuthMessage *msg)
1939 struct CadetTunnel *t = ct->t;
1940 struct CadetTunnelAxolotl ax_tmp;
1941 struct GNUNET_HashCode kx_auth;
1944 GNUNET_STATISTICS_update (stats,
1945 "# KX_AUTH received",
1948 if ((CADET_TUNNEL_KEY_UNINITIALIZED == t->estate) ||
1949 (CADET_TUNNEL_KEY_AX_RECV == t->estate))
1951 /* Confusing, we got a KX_AUTH before we even send our own
1952 KX. This should not happen. We'll send our own KX ASAP anyway,
1953 so let's ignore this here. */
1954 GNUNET_break_op (0);
1957 LOG (GNUNET_ERROR_TYPE_DEBUG,
1958 "Handling KX_AUTH message from %s with ephemeral %s\n",
1960 GNUNET_e2s (&msg->kx.ephemeral_key));
1961 /* We do everything in ax_tmp until we've checked the authentication
1962 so we don't clobber anything we care about by accident. */
1965 /* Update 'ax' by the new key material */
1966 ret = update_ax_by_kx (&ax_tmp,
1967 GCP_get_id (t->destination),
1968 &msg->kx.ephemeral_key,
1969 &msg->kx.ratchet_key);
1970 if (GNUNET_OK != ret)
1972 if (GNUNET_NO == ret)
1973 GNUNET_STATISTICS_update (stats,
1974 "# redundant KX_AUTH received",
1978 GNUNET_break (0); /* connect to self!? */
1981 GNUNET_CRYPTO_hash (&ax_tmp.RK,
1984 if (0 != GNUNET_memcmp (&kx_auth,
1987 /* This KX_AUTH is not using the latest KX/KX_AUTH data
1988 we transmitted to the sender, refuse it, try KX again. */
1989 GNUNET_STATISTICS_update (stats,
1990 "# KX_AUTH not using our last KX received (auth failure)",
1993 LOG (GNUNET_ERROR_TYPE_WARNING,
1994 "KX AUTH mismatch!\n");
1997 struct GNUNET_CRYPTO_EcdhePublicKey ephemeral_key;
1999 GNUNET_CRYPTO_ecdhe_key_get_public (&ax_tmp.kx_0,
2001 if (0 != GNUNET_memcmp (&ephemeral_key,
2002 &msg->r_ephemeral_key_XXX))
2004 LOG (GNUNET_ERROR_TYPE_WARNING,
2005 "My ephemeral is %s!\n",
2006 GNUNET_e2s (&ephemeral_key));
2007 LOG (GNUNET_ERROR_TYPE_WARNING,
2008 "Response is for ephemeral %s!\n",
2009 GNUNET_e2s (&msg->r_ephemeral_key_XXX));
2013 test_crypto_bug (&ax_tmp.kx_0,
2014 &msg->kx.ephemeral_key_XXX,
2016 &msg->kx.private_key_XXX);
2020 if (NULL == t->kx_task)
2022 = GNUNET_SCHEDULER_add_at (t->next_kx_attempt,
2027 /* Yep, we're good. */
2029 if (NULL != t->unverified_ax)
2031 /* We got some "stale" KX before, drop that. */
2032 cleanup_ax (t->unverified_ax);
2033 GNUNET_free (t->unverified_ax);
2034 t->unverified_ax = NULL;
2037 /* move ahead in our state machine */
2040 case CADET_TUNNEL_KEY_UNINITIALIZED:
2041 case CADET_TUNNEL_KEY_AX_RECV:
2042 /* Checked above, this is impossible. */
2046 case CADET_TUNNEL_KEY_AX_SENT: /* This is the normal case */
2047 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV: /* both peers started KX */
2048 case CADET_TUNNEL_KEY_AX_AUTH_SENT: /* both peers now did KX_AUTH */
2049 GCT_change_estate (t,
2050 CADET_TUNNEL_KEY_OK);
2053 case CADET_TUNNEL_KEY_OK:
2054 /* Did not expect another KX_AUTH, but so what, still acceptable.
2055 Nothing to do here. */
2058 if (0 != (GNUNET_CADET_KX_FLAG_FORCE_REPLY & ntohl (msg->kx.flags)))
2068 /* ************************************** end core crypto ***************************** */
2072 * Compute the next free channel tunnel number for this tunnel.
2074 * @param t the tunnel
2075 * @return unused number that can uniquely identify a channel in the tunnel
2077 static struct GNUNET_CADET_ChannelTunnelNumber
2078 get_next_free_ctn (struct CadetTunnel *t)
2080 #define HIGH_BIT 0x8000000
2081 struct GNUNET_CADET_ChannelTunnelNumber ret;
2086 cmp = GNUNET_memcmp (&my_full_id,
2087 GCP_get_id (GCT_get_destination (t)));
2093 GNUNET_assert (0); // loopback must never go here!
2094 ctn = ntohl (t->next_ctn.cn);
2096 GNUNET_CONTAINER_multihashmap32_get (t->channels,
2099 ctn = ((ctn + 1) & (~HIGH_BIT));
2101 t->next_ctn.cn = htonl ((ctn + 1) & (~HIGH_BIT));
2102 ret.cn = htonl (ctn | highbit);
2108 * Add a channel to a tunnel, and notify channel that we are ready
2109 * for transmission if we are already up. Otherwise that notification
2110 * will be done later in #notify_tunnel_up_cb().
2114 * @return unique number identifying @a ch within @a t
2116 struct GNUNET_CADET_ChannelTunnelNumber
2117 GCT_add_channel (struct CadetTunnel *t,
2118 struct CadetChannel *ch)
2120 struct GNUNET_CADET_ChannelTunnelNumber ctn;
2122 ctn = get_next_free_ctn (t);
2123 if (NULL != t->destroy_task)
2125 GNUNET_SCHEDULER_cancel (t->destroy_task);
2126 t->destroy_task = NULL;
2128 GNUNET_assert (GNUNET_YES ==
2129 GNUNET_CONTAINER_multihashmap32_put (t->channels,
2132 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
2133 LOG (GNUNET_ERROR_TYPE_DEBUG,
2134 "Adding %s to %s\n",
2139 case CADET_TUNNEL_KEY_UNINITIALIZED:
2140 /* waiting for connection to start KX */
2143 case CADET_TUNNEL_KEY_AX_RECV:
2144 case CADET_TUNNEL_KEY_AX_SENT:
2145 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
2146 /* we're currently waiting for KX to complete */
2149 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
2150 /* waiting for OTHER peer to send us data,
2151 we might need to prompt more aggressively! */
2152 if (NULL == t->kx_task)
2154 = GNUNET_SCHEDULER_add_at (t->next_kx_attempt,
2159 case CADET_TUNNEL_KEY_OK:
2160 /* We are ready. Tell the new channel that we are up. */
2161 GCCH_tunnel_up (ch);
2169 * We lost a connection, remove it from our list and clean up
2170 * the connection object itself.
2172 * @param ct binding of connection to tunnel of the connection that was lost.
2175 GCT_connection_lost (struct CadetTConnection *ct)
2177 struct CadetTunnel *t = ct->t;
2179 if (GNUNET_YES == ct->is_ready)
2181 GNUNET_CONTAINER_DLL_remove (t->connection_ready_head,
2182 t->connection_ready_tail,
2184 t->num_ready_connections--;
2188 GNUNET_CONTAINER_DLL_remove (t->connection_busy_head,
2189 t->connection_busy_tail,
2191 t->num_busy_connections--;
2198 * Clean up connection @a ct of a tunnel.
2200 * @param cls the `struct CadetTunnel`
2201 * @param ct connection to clean up
2204 destroy_t_connection (void *cls,
2205 struct CadetTConnection *ct)
2207 struct CadetTunnel *t = cls;
2208 struct CadetConnection *cc = ct->cc;
2210 GNUNET_assert (ct->t == t);
2211 GCT_connection_lost (ct);
2212 GCC_destroy_without_tunnel (cc);
2217 * This tunnel is no longer used, destroy it.
2219 * @param cls the idle tunnel
2222 destroy_tunnel (void *cls)
2224 struct CadetTunnel *t = cls;
2225 struct CadetTunnelQueueEntry *tq;
2227 t->destroy_task = NULL;
2228 LOG (GNUNET_ERROR_TYPE_DEBUG,
2229 "Destroying idle %s\n",
2231 GNUNET_assert (0 == GCT_count_channels (t));
2232 GCT_iterate_connections (t,
2233 &destroy_t_connection,
2235 GNUNET_assert (NULL == t->connection_ready_head);
2236 GNUNET_assert (NULL == t->connection_busy_head);
2237 while (NULL != (tq = t->tq_head))
2239 if (NULL != tq->cont)
2240 tq->cont (tq->cont_cls,
2242 GCT_send_cancel (tq);
2244 GCP_drop_tunnel (t->destination,
2246 GNUNET_CONTAINER_multihashmap32_destroy (t->channels);
2247 if (NULL != t->maintain_connections_task)
2249 GNUNET_SCHEDULER_cancel (t->maintain_connections_task);
2250 t->maintain_connections_task = NULL;
2252 if (NULL != t->send_task)
2254 GNUNET_SCHEDULER_cancel (t->send_task);
2255 t->send_task = NULL;
2257 if (NULL != t->kx_task)
2259 GNUNET_SCHEDULER_cancel (t->kx_task);
2262 GNUNET_MST_destroy (t->mst);
2263 GNUNET_MQ_destroy (t->mq);
2264 if (NULL != t->unverified_ax)
2266 cleanup_ax (t->unverified_ax);
2267 GNUNET_free (t->unverified_ax);
2269 cleanup_ax (&t->ax);
2270 GNUNET_assert (NULL == t->destroy_task);
2276 * Remove a channel from a tunnel.
2280 * @param ctn unique number identifying @a ch within @a t
2283 GCT_remove_channel (struct CadetTunnel *t,
2284 struct CadetChannel *ch,
2285 struct GNUNET_CADET_ChannelTunnelNumber ctn)
2287 LOG (GNUNET_ERROR_TYPE_DEBUG,
2288 "Removing %s from %s\n",
2291 GNUNET_assert (GNUNET_YES ==
2292 GNUNET_CONTAINER_multihashmap32_remove (t->channels,
2296 GCT_count_channels (t)) &&
2297 (NULL == t->destroy_task))
2300 = GNUNET_SCHEDULER_add_delayed (IDLE_DESTROY_DELAY,
2308 * Destroy remaining channels during shutdown.
2310 * @param cls the `struct CadetTunnel` of the channel
2311 * @param key key of the channel
2312 * @param value the `struct CadetChannel`
2313 * @return #GNUNET_OK (continue to iterate)
2316 destroy_remaining_channels (void *cls,
2320 struct CadetChannel *ch = value;
2322 GCCH_handle_remote_destroy (ch,
2329 * Destroys the tunnel @a t now, without delay. Used during shutdown.
2331 * @param t tunnel to destroy
2334 GCT_destroy_tunnel_now (struct CadetTunnel *t)
2336 GNUNET_assert (GNUNET_YES == shutting_down);
2337 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
2338 &destroy_remaining_channels,
2341 GCT_count_channels (t));
2342 if (NULL != t->destroy_task)
2344 GNUNET_SCHEDULER_cancel (t->destroy_task);
2345 t->destroy_task = NULL;
2352 * Send normal payload from queue in @a t via connection @a ct.
2353 * Does nothing if our payload queue is empty.
2355 * @param t tunnel to send data from
2356 * @param ct connection to use for transmission (is ready)
2359 try_send_normal_payload (struct CadetTunnel *t,
2360 struct CadetTConnection *ct)
2362 struct CadetTunnelQueueEntry *tq;
2364 GNUNET_assert (GNUNET_YES == ct->is_ready);
2368 /* no messages pending right now */
2369 LOG (GNUNET_ERROR_TYPE_DEBUG,
2370 "Not sending payload of %s on ready %s (nothing pending)\n",
2375 /* ready to send message 'tq' on tunnel 'ct' */
2376 GNUNET_assert (t == tq->t);
2377 GNUNET_CONTAINER_DLL_remove (t->tq_head,
2380 if (NULL != tq->cid)
2381 *tq->cid = *GCC_get_id (ct->cc);
2382 mark_connection_unready (ct);
2383 LOG (GNUNET_ERROR_TYPE_DEBUG,
2384 "Sending payload of %s on %s\n",
2387 GCC_transmit (ct->cc,
2389 if (NULL != tq->cont)
2390 tq->cont (tq->cont_cls,
2391 GCC_get_id (ct->cc));
2397 * A connection is @a is_ready for transmission. Looks at our message
2398 * queue and if there is a message, sends it out via the connection.
2400 * @param cls the `struct CadetTConnection` that is @a is_ready
2401 * @param is_ready #GNUNET_YES if connection are now ready,
2402 * #GNUNET_NO if connection are no longer ready
2405 connection_ready_cb (void *cls,
2408 struct CadetTConnection *ct = cls;
2409 struct CadetTunnel *t = ct->t;
2411 if (GNUNET_NO == is_ready)
2413 LOG (GNUNET_ERROR_TYPE_DEBUG,
2414 "%s no longer ready for %s\n",
2417 mark_connection_unready (ct);
2420 GNUNET_assert (GNUNET_NO == ct->is_ready);
2421 GNUNET_CONTAINER_DLL_remove (t->connection_busy_head,
2422 t->connection_busy_tail,
2424 GNUNET_assert (0 < t->num_busy_connections);
2425 t->num_busy_connections--;
2426 ct->is_ready = GNUNET_YES;
2427 GNUNET_CONTAINER_DLL_insert_tail (t->connection_ready_head,
2428 t->connection_ready_tail,
2430 t->num_ready_connections++;
2432 LOG (GNUNET_ERROR_TYPE_DEBUG,
2433 "%s now ready for %s in state %s\n",
2436 estate2s (t->estate));
2439 case CADET_TUNNEL_KEY_UNINITIALIZED:
2440 /* Do not begin KX if WE have no channels waiting! */
2441 if (0 != GNUNET_TIME_absolute_get_remaining (
2442 t->next_kx_attempt).rel_value_us)
2443 return; /* wait for timeout before retrying */
2444 /* We are uninitialized, just transmit immediately,
2445 without undue delay. */
2446 if (NULL != t->kx_task)
2448 GNUNET_SCHEDULER_cancel (t->kx_task);
2455 GCT_count_channels (t)) &&
2456 (NULL == t->destroy_task))
2459 = GNUNET_SCHEDULER_add_delayed (IDLE_DESTROY_DELAY,
2465 case CADET_TUNNEL_KEY_AX_RECV:
2466 case CADET_TUNNEL_KEY_AX_SENT:
2467 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
2468 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
2469 /* we're currently waiting for KX to complete, schedule job */
2470 if (NULL == t->kx_task)
2472 = GNUNET_SCHEDULER_add_at (t->next_kx_attempt,
2477 case CADET_TUNNEL_KEY_OK:
2478 if (GNUNET_YES == t->kx_auth_requested)
2480 if (0 != GNUNET_TIME_absolute_get_remaining (
2481 t->next_kx_attempt).rel_value_us)
2482 return; /* wait for timeout */
2483 if (NULL != t->kx_task)
2485 GNUNET_SCHEDULER_cancel (t->kx_task);
2494 try_send_normal_payload (t,
2502 * Called when either we have a new connection, or a new message in the
2503 * queue, or some existing connection has transmission capacity. Looks
2504 * at our message queue and if there is a message, picks a connection
2507 * @param cls the `struct CadetTunnel` to process messages on
2510 trigger_transmissions (void *cls)
2512 struct CadetTunnel *t = cls;
2513 struct CadetTConnection *ct;
2515 t->send_task = NULL;
2516 if (NULL == t->tq_head)
2517 return; /* no messages pending right now */
2518 ct = get_ready_connection (t);
2520 return; /* no connections ready */
2521 try_send_normal_payload (t,
2527 * Closure for #evaluate_connection. Used to assemble summary information
2528 * about the existing connections so we can evaluate a new path.
2530 struct EvaluationSummary
2533 * Minimum length of any of our connections, `UINT_MAX` if we have none.
2535 unsigned int min_length;
2538 * Maximum length of any of our connections, 0 if we have none.
2540 unsigned int max_length;
2543 * Minimum desirability of any of our connections, UINT64_MAX if we have none.
2545 GNUNET_CONTAINER_HeapCostType min_desire;
2548 * Maximum desirability of any of our connections, 0 if we have none.
2550 GNUNET_CONTAINER_HeapCostType max_desire;
2553 * Path we are comparing against for #evaluate_connection, can be NULL.
2555 struct CadetPeerPath *path;
2558 * Connection deemed the "worst" so far encountered by #evaluate_connection,
2559 * NULL if we did not yet encounter any connections.
2561 struct CadetTConnection *worst;
2564 * Numeric score of @e worst, only set if @e worst is non-NULL.
2569 * Set to #GNUNET_YES if we have a connection over @e path already.
2576 * Evaluate a connection, updating our summary information in @a cls about
2577 * what kinds of connections we have.
2579 * @param cls the `struct EvaluationSummary *` to update
2580 * @param ct a connection to include in the summary
2583 evaluate_connection (void *cls,
2584 struct CadetTConnection *ct)
2586 struct EvaluationSummary *es = cls;
2587 struct CadetConnection *cc = ct->cc;
2588 unsigned int ct_length;
2589 struct CadetPeerPath *ps;
2590 const struct CadetConnectionMetrics *metrics;
2591 GNUNET_CONTAINER_HeapCostType ct_desirability;
2592 struct GNUNET_TIME_Relative uptime;
2593 struct GNUNET_TIME_Relative last_use;
2595 double success_rate;
2597 ps = GCC_get_path (cc,
2599 LOG (GNUNET_ERROR_TYPE_DEBUG,
2600 "Evaluating path %s of existing %s\n",
2605 LOG (GNUNET_ERROR_TYPE_DEBUG,
2606 "Ignoring duplicate path %s.\n",
2607 GCPP_2s (es->path));
2608 es->duplicate = GNUNET_YES;
2611 if (NULL != es->path)
2613 int duplicate = GNUNET_YES;
2615 for (unsigned int i = 0; i < ct_length; i++)
2617 GNUNET_assert (GCPP_get_length (es->path) > i);
2618 if (GCPP_get_peer_at_offset (es->path,
2620 GCPP_get_peer_at_offset (ps,
2623 duplicate = GNUNET_NO;
2627 if (GNUNET_YES == duplicate)
2629 LOG (GNUNET_ERROR_TYPE_DEBUG,
2630 "Ignoring overlapping path %s.\n",
2631 GCPP_2s (es->path));
2632 es->duplicate = GNUNET_YES;
2637 LOG (GNUNET_ERROR_TYPE_DEBUG,
2638 "Known path %s differs from proposed path\n",
2643 ct_desirability = GCPP_get_desirability (ps);
2644 metrics = GCC_get_metrics (cc);
2645 uptime = GNUNET_TIME_absolute_get_duration (metrics->age);
2646 last_use = GNUNET_TIME_absolute_get_duration (metrics->last_use);
2647 /* We add 1.0 here to avoid division by zero. */
2648 success_rate = (metrics->num_acked_transmissions + 1.0)
2649 / (metrics->num_successes + 1.0);
2652 + 100.0 / (1.0 + ct_length) /* longer paths = better */
2653 + sqrt (uptime.rel_value_us / 60000000LL) /* larger uptime = better */
2654 - last_use.rel_value_us / 1000L; /* longer idle = worse */
2655 score *= success_rate; /* weigh overall by success rate */
2657 if ((NULL == es->worst) ||
2658 (score < es->worst_score))
2661 es->worst_score = score;
2663 es->min_length = GNUNET_MIN (es->min_length,
2665 es->max_length = GNUNET_MAX (es->max_length,
2667 es->min_desire = GNUNET_MIN (es->min_desire,
2669 es->max_desire = GNUNET_MAX (es->max_desire,
2675 * Consider using the path @a p for the tunnel @a t.
2676 * The tunnel destination is at offset @a off in path @a p.
2678 * @param cls our tunnel
2679 * @param path a path to our destination
2680 * @param off offset of the destination on path @a path
2681 * @return #GNUNET_YES (should keep iterating)
2684 consider_path_cb (void *cls,
2685 struct CadetPeerPath *path,
2688 struct CadetTunnel *t = cls;
2689 struct EvaluationSummary es;
2690 struct CadetTConnection *ct;
2692 GNUNET_assert (off < GCPP_get_length (path));
2693 GNUNET_assert (GCPP_get_peer_at_offset (path,
2694 off) == t->destination);
2695 es.min_length = UINT_MAX;
2698 es.min_desire = UINT64_MAX;
2700 es.duplicate = GNUNET_NO;
2703 /* Compute evaluation summary over existing connections. */
2704 LOG (GNUNET_ERROR_TYPE_DEBUG,
2705 "Evaluating proposed path %s for target %s\n",
2708 /* FIXME: suspect this does not ACTUALLY iterate
2709 over all existing paths, otherwise dup detection
2711 GCT_iterate_connections (t,
2712 &evaluate_connection,
2714 if (GNUNET_YES == es.duplicate)
2717 /* FIXME: not sure we should really just count
2718 'num_connections' here, as they may all have
2719 consistently failed to connect. */
2721 /* We iterate by increasing path length; if we have enough paths and
2722 this one is more than twice as long than what we are currently
2723 using, then ignore all of these super-long ones! */
2724 if ((GCT_count_any_connections (t) > DESIRED_CONNECTIONS_PER_TUNNEL) &&
2725 (es.min_length * 2 < off) &&
2726 (es.max_length < off))
2728 LOG (GNUNET_ERROR_TYPE_DEBUG,
2729 "Ignoring paths of length %u, they are way too long.\n",
2733 /* If we have enough paths and this one looks no better, ignore it. */
2734 if ((GCT_count_any_connections (t) >= DESIRED_CONNECTIONS_PER_TUNNEL) &&
2735 (es.min_length < GCPP_get_length (path)) &&
2736 (es.min_desire > GCPP_get_desirability (path)) &&
2737 (es.max_length < off))
2739 LOG (GNUNET_ERROR_TYPE_DEBUG,
2740 "Ignoring path (%u/%llu) to %s, got something better already.\n",
2741 GCPP_get_length (path),
2742 (unsigned long long) GCPP_get_desirability (path),
2743 GCP_2s (t->destination));
2747 /* Path is interesting (better by some metric, or we don't have
2748 enough paths yet). */
2749 ct = GNUNET_new (struct CadetTConnection);
2750 ct->created = GNUNET_TIME_absolute_get ();
2752 ct->cc = GCC_create (t->destination,
2756 &connection_ready_cb,
2759 /* FIXME: schedule job to kill connection (and path?) if it takes
2760 too long to get ready! (And track performance data on how long
2761 other connections took with the tunnel!)
2762 => Note: to be done within 'connection'-logic! */
2763 GNUNET_CONTAINER_DLL_insert (t->connection_busy_head,
2764 t->connection_busy_tail,
2766 t->num_busy_connections++;
2767 LOG (GNUNET_ERROR_TYPE_DEBUG,
2768 "Found interesting path %s for %s, created %s\n",
2777 * Function called to maintain the connections underlying our tunnel.
2778 * Tries to maintain (incl. tear down) connections for the tunnel, and
2779 * if there is a significant change, may trigger transmissions.
2781 * Basically, needs to check if there are connections that perform
2782 * badly, and if so eventually kill them and trigger a replacement.
2783 * The strategy is to open one more connection than
2784 * #DESIRED_CONNECTIONS_PER_TUNNEL, and then periodically kick out the
2785 * least-performing one, and then inquire for new ones.
2787 * @param cls the `struct CadetTunnel`
2790 maintain_connections_cb (void *cls)
2792 struct CadetTunnel *t = cls;
2793 struct GNUNET_TIME_Relative delay;
2794 struct EvaluationSummary es;
2796 t->maintain_connections_task = NULL;
2797 LOG (GNUNET_ERROR_TYPE_DEBUG,
2798 "Performing connection maintenance for %s.\n",
2801 es.min_length = UINT_MAX;
2804 es.min_desire = UINT64_MAX;
2807 es.duplicate = GNUNET_NO;
2808 GCT_iterate_connections (t,
2809 &evaluate_connection,
2811 if ((NULL != es.worst) &&
2812 (GCT_count_any_connections (t) > DESIRED_CONNECTIONS_PER_TUNNEL))
2814 /* Clear out worst-performing connection 'es.worst'. */
2815 destroy_t_connection (t,
2819 /* Consider additional paths */
2820 (void) GCP_iterate_paths (t->destination,
2824 /* FIXME: calculate when to try again based on how well we are doing;
2825 in particular, if we have to few connections, we might be able
2826 to do without this (as PATHS should tell us whenever a new path
2827 is available instantly; however, need to make sure this job is
2828 restarted after that happens).
2829 Furthermore, if the paths we do know are in a reasonably narrow
2830 quality band and are plentyful, we might also consider us stabilized
2831 and then reduce the frequency accordingly. */delay = GNUNET_TIME_UNIT_MINUTES;
2832 t->maintain_connections_task
2833 = GNUNET_SCHEDULER_add_delayed (delay,
2834 &maintain_connections_cb,
2840 * Consider using the path @a p for the tunnel @a t.
2841 * The tunnel destination is at offset @a off in path @a p.
2843 * @param cls our tunnel
2844 * @param path a path to our destination
2845 * @param off offset of the destination on path @a path
2848 GCT_consider_path (struct CadetTunnel *t,
2849 struct CadetPeerPath *p,
2852 LOG (GNUNET_ERROR_TYPE_DEBUG,
2853 "Considering %s for %s (offset %u)\n",
2857 (void) consider_path_cb (t,
2864 * We got a keepalive. Track in statistics.
2866 * @param cls the `struct CadetTunnel` for which we decrypted the message
2867 * @param msg the message we received on the tunnel
2870 handle_plaintext_keepalive (void *cls,
2871 const struct GNUNET_MessageHeader *msg)
2873 struct CadetTunnel *t = cls;
2875 LOG (GNUNET_ERROR_TYPE_DEBUG,
2876 "Received KEEPALIVE on %s\n",
2878 GNUNET_STATISTICS_update (stats,
2879 "# keepalives received",
2886 * Check that @a msg is well-formed.
2888 * @param cls the `struct CadetTunnel` for which we decrypted the message
2889 * @param msg the message we received on the tunnel
2890 * @return #GNUNET_OK (any variable-size payload goes)
2893 check_plaintext_data (void *cls,
2894 const struct GNUNET_CADET_ChannelAppDataMessage *msg)
2901 * We received payload data for a channel. Locate the channel
2902 * and process the data, or return an error if the channel is unknown.
2904 * @param cls the `struct CadetTunnel` for which we decrypted the message
2905 * @param msg the message we received on the tunnel
2908 handle_plaintext_data (void *cls,
2909 const struct GNUNET_CADET_ChannelAppDataMessage *msg)
2911 struct CadetTunnel *t = cls;
2912 struct CadetChannel *ch;
2914 ch = lookup_channel (t,
2918 /* We don't know about such a channel, might have been destroyed on our
2919 end in the meantime, or never existed. Send back a DESTROY. */
2920 LOG (GNUNET_ERROR_TYPE_DEBUG,
2921 "Received %u bytes of application data for unknown channel %u, sending DESTROY\n",
2922 (unsigned int) (ntohs (msg->header.size) - sizeof(*msg)),
2923 ntohl (msg->ctn.cn));
2924 GCT_send_channel_destroy (t,
2928 GCCH_handle_channel_plaintext_data (ch,
2929 GCC_get_id (t->current_ct->cc),
2935 * We received an acknowledgement for data we sent on a channel.
2936 * Locate the channel and process it, or return an error if the
2937 * channel is unknown.
2939 * @param cls the `struct CadetTunnel` for which we decrypted the message
2940 * @param ack the message we received on the tunnel
2943 handle_plaintext_data_ack (void *cls,
2944 const struct GNUNET_CADET_ChannelDataAckMessage *ack)
2946 struct CadetTunnel *t = cls;
2947 struct CadetChannel *ch;
2949 ch = lookup_channel (t,
2953 /* We don't know about such a channel, might have been destroyed on our
2954 end in the meantime, or never existed. Send back a DESTROY. */
2955 LOG (GNUNET_ERROR_TYPE_DEBUG,
2956 "Received DATA_ACK for unknown channel %u, sending DESTROY\n",
2957 ntohl (ack->ctn.cn));
2958 GCT_send_channel_destroy (t,
2962 GCCH_handle_channel_plaintext_data_ack (ch,
2963 GCC_get_id (t->current_ct->cc),
2969 * We have received a request to open a channel to a port from
2970 * another peer. Creates the incoming channel.
2972 * @param cls the `struct CadetTunnel` for which we decrypted the message
2973 * @param copen the message we received on the tunnel
2976 handle_plaintext_channel_open (void *cls,
2978 GNUNET_CADET_ChannelOpenMessage *copen)
2980 struct CadetTunnel *t = cls;
2981 struct CadetChannel *ch;
2983 ch = GNUNET_CONTAINER_multihashmap32_get (t->channels,
2984 ntohl (copen->ctn.cn));
2987 LOG (GNUNET_ERROR_TYPE_DEBUG,
2988 "Received duplicate channel CHANNEL_OPEN on h_port %s from %s (%s), resending ACK\n",
2989 GNUNET_h2s (&copen->h_port),
2992 GCCH_handle_duplicate_open (ch,
2993 GCC_get_id (t->current_ct->cc));
2996 LOG (GNUNET_ERROR_TYPE_DEBUG,
2997 "Received CHANNEL_OPEN on h_port %s from %s\n",
2998 GNUNET_h2s (&copen->h_port),
3000 ch = GCCH_channel_incoming_new (t,
3003 ntohl (copen->opt));
3004 if (NULL != t->destroy_task)
3006 GNUNET_SCHEDULER_cancel (t->destroy_task);
3007 t->destroy_task = NULL;
3009 GNUNET_assert (GNUNET_OK ==
3010 GNUNET_CONTAINER_multihashmap32_put (t->channels,
3011 ntohl (copen->ctn.cn),
3013 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
3018 * Send a DESTROY message via the tunnel.
3020 * @param t the tunnel to transmit over
3021 * @param ctn ID of the channel to destroy
3024 GCT_send_channel_destroy (struct CadetTunnel *t,
3025 struct GNUNET_CADET_ChannelTunnelNumber ctn)
3027 struct GNUNET_CADET_ChannelDestroyMessage msg;
3029 LOG (GNUNET_ERROR_TYPE_DEBUG,
3030 "Sending DESTORY message for channel ID %u\n",
3032 msg.header.size = htons (sizeof(msg));
3033 msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY);
3034 msg.reserved = htonl (0);
3044 * We have received confirmation from the target peer that the
3045 * given channel could be established (the port is open).
3048 * @param cls the `struct CadetTunnel` for which we decrypted the message
3049 * @param cm the message we received on the tunnel
3052 handle_plaintext_channel_open_ack (void *cls,
3054 GNUNET_CADET_ChannelOpenAckMessage *cm)
3056 struct CadetTunnel *t = cls;
3057 struct CadetChannel *ch;
3059 ch = lookup_channel (t,
3063 /* We don't know about such a channel, might have been destroyed on our
3064 end in the meantime, or never existed. Send back a DESTROY. */
3065 LOG (GNUNET_ERROR_TYPE_DEBUG,
3066 "Received channel OPEN_ACK for unknown channel %u, sending DESTROY\n",
3067 ntohl (cm->ctn.cn));
3068 GCT_send_channel_destroy (t,
3072 LOG (GNUNET_ERROR_TYPE_DEBUG,
3073 "Received channel OPEN_ACK on channel %s from %s\n",
3076 GCCH_handle_channel_open_ack (ch,
3077 GCC_get_id (t->current_ct->cc),
3083 * We received a message saying that a channel should be destroyed.
3084 * Pass it on to the correct channel.
3086 * @param cls the `struct CadetTunnel` for which we decrypted the message
3087 * @param cm the message we received on the tunnel
3090 handle_plaintext_channel_destroy (void *cls,
3092 GNUNET_CADET_ChannelDestroyMessage *cm)
3094 struct CadetTunnel *t = cls;
3095 struct CadetChannel *ch;
3097 ch = lookup_channel (t,
3101 /* We don't know about such a channel, might have been destroyed on our
3102 end in the meantime, or never existed. */
3103 LOG (GNUNET_ERROR_TYPE_DEBUG,
3104 "Received channel DESTORY for unknown channel %u. Ignoring.\n",
3105 ntohl (cm->ctn.cn));
3108 LOG (GNUNET_ERROR_TYPE_DEBUG,
3109 "Received channel DESTROY on %s from %s\n",
3112 GCCH_handle_remote_destroy (ch,
3113 GCC_get_id (t->current_ct->cc));
3118 * Handles a message we decrypted, by injecting it into
3119 * our message queue (which will do the dispatching).
3121 * @param cls the `struct CadetTunnel` that got the message
3122 * @param msg the message
3123 * @return #GNUNET_OK on success (always)
3124 * #GNUNET_NO to stop further processing (no error)
3125 * #GNUNET_SYSERR to stop further processing with error
3128 handle_decrypted (void *cls,
3129 const struct GNUNET_MessageHeader *msg)
3131 struct CadetTunnel *t = cls;
3133 GNUNET_assert (NULL != t->current_ct);
3134 GNUNET_MQ_inject_message (t->mq,
3141 * Function called if we had an error processing
3142 * an incoming decrypted message.
3144 * @param cls the `struct CadetTunnel`
3145 * @param error error code
3148 decrypted_error_cb (void *cls,
3149 enum GNUNET_MQ_Error error)
3151 GNUNET_break_op (0);
3156 * Create a tunnel to @a destionation. Must only be called
3157 * from within #GCP_get_tunnel().
3159 * @param destination where to create the tunnel to
3160 * @return new tunnel to @a destination
3162 struct CadetTunnel *
3163 GCT_create_tunnel (struct CadetPeer *destination)
3165 struct CadetTunnel *t = GNUNET_new (struct CadetTunnel);
3166 struct GNUNET_MQ_MessageHandler handlers[] = {
3167 GNUNET_MQ_hd_fixed_size (plaintext_keepalive,
3168 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_KEEPALIVE,
3169 struct GNUNET_MessageHeader,
3171 GNUNET_MQ_hd_var_size (plaintext_data,
3172 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_APP_DATA,
3173 struct GNUNET_CADET_ChannelAppDataMessage,
3175 GNUNET_MQ_hd_fixed_size (plaintext_data_ack,
3176 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_APP_DATA_ACK,
3177 struct GNUNET_CADET_ChannelDataAckMessage,
3179 GNUNET_MQ_hd_fixed_size (plaintext_channel_open,
3180 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN,
3181 struct GNUNET_CADET_ChannelOpenMessage,
3183 GNUNET_MQ_hd_fixed_size (plaintext_channel_open_ack,
3184 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN_ACK,
3185 struct GNUNET_CADET_ChannelOpenAckMessage,
3187 GNUNET_MQ_hd_fixed_size (plaintext_channel_destroy,
3188 GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY,
3189 struct GNUNET_CADET_ChannelDestroyMessage,
3191 GNUNET_MQ_handler_end ()
3194 t->kx_retry_delay = INITIAL_KX_RETRY_DELAY;
3195 new_ephemeral (&t->ax);
3196 GNUNET_assert (GNUNET_OK ==
3197 GNUNET_CRYPTO_ecdhe_key_create2 (&t->ax.kx_0));
3198 t->destination = destination;
3199 t->channels = GNUNET_CONTAINER_multihashmap32_create (8);
3200 t->maintain_connections_task
3201 = GNUNET_SCHEDULER_add_now (&maintain_connections_cb,
3203 t->mq = GNUNET_MQ_queue_for_callbacks (NULL,
3208 &decrypted_error_cb,
3210 t->mst = GNUNET_MST_create (&handle_decrypted,
3217 * Add a @a connection to the @a tunnel.
3220 * @param cid connection identifer to use for the connection
3221 * @param options options for the connection
3222 * @param path path to use for the connection
3223 * @return #GNUNET_OK on success,
3224 * #GNUNET_SYSERR on failure (duplicate connection)
3227 GCT_add_inbound_connection (struct CadetTunnel *t,
3229 GNUNET_CADET_ConnectionTunnelIdentifier *cid,
3230 struct CadetPeerPath *path)
3232 struct CadetTConnection *ct;
3234 ct = GNUNET_new (struct CadetTConnection);
3235 ct->created = GNUNET_TIME_absolute_get ();
3237 ct->cc = GCC_create_inbound (t->destination,
3241 &connection_ready_cb,
3245 LOG (GNUNET_ERROR_TYPE_DEBUG,
3246 "%s refused inbound %s (duplicate)\n",
3250 return GNUNET_SYSERR;
3252 /* FIXME: schedule job to kill connection (and path?) if it takes
3253 too long to get ready! (And track performance data on how long
3254 other connections took with the tunnel!)
3255 => Note: to be done within 'connection'-logic! */
3256 GNUNET_CONTAINER_DLL_insert (t->connection_busy_head,
3257 t->connection_busy_tail,
3259 t->num_busy_connections++;
3260 LOG (GNUNET_ERROR_TYPE_DEBUG,
3269 * Handle encrypted message.
3271 * @param ct connection/tunnel combo that received encrypted message
3272 * @param msg the encrypted message to decrypt
3275 GCT_handle_encrypted (struct CadetTConnection *ct,
3276 const struct GNUNET_CADET_TunnelEncryptedMessage *msg)
3278 struct CadetTunnel *t = ct->t;
3279 uint16_t size = ntohs (msg->header.size);
3280 char cbuf [size] GNUNET_ALIGN;
3281 ssize_t decrypted_size;
3283 LOG (GNUNET_ERROR_TYPE_DEBUG,
3284 "%s received %u bytes of encrypted data in state %d\n",
3286 (unsigned int) size,
3291 case CADET_TUNNEL_KEY_UNINITIALIZED:
3292 case CADET_TUNNEL_KEY_AX_RECV:
3293 /* We did not even SEND our KX, how can the other peer
3294 send us encrypted data? Must have been that we went
3295 down and the other peer still things we are up.
3296 Let's send it KX back. */
3297 GNUNET_STATISTICS_update (stats,
3298 "# received encrypted without any KX",
3301 if (NULL != t->kx_task)
3303 GNUNET_SCHEDULER_cancel (t->kx_task);
3311 case CADET_TUNNEL_KEY_AX_SENT_AND_RECV:
3312 /* We send KX, and other peer send KX to us at the same time.
3313 Neither KX is AUTH'ed, so let's try KX_AUTH this time. */
3314 GNUNET_STATISTICS_update (stats,
3315 "# received encrypted without KX_AUTH",
3318 if (NULL != t->kx_task)
3320 GNUNET_SCHEDULER_cancel (t->kx_task);
3329 case CADET_TUNNEL_KEY_AX_SENT:
3330 /* We did not get the KX of the other peer, but that
3331 might have been lost. Send our KX again immediately. */
3332 GNUNET_STATISTICS_update (stats,
3333 "# received encrypted without KX",
3336 if (NULL != t->kx_task)
3338 GNUNET_SCHEDULER_cancel (t->kx_task);
3346 case CADET_TUNNEL_KEY_AX_AUTH_SENT:
3347 /* Great, first payload, we might graduate to OK! */
3348 case CADET_TUNNEL_KEY_OK:
3349 /* We are up and running, all good. */
3353 decrypted_size = -1;
3354 if (CADET_TUNNEL_KEY_OK == t->estate)
3356 /* We have well-established key material available,
3357 try that. (This is the common case.) */
3358 decrypted_size = t_ax_decrypt_and_validate (&t->ax,
3364 if ((-1 == decrypted_size) &&
3365 (NULL != t->unverified_ax))
3367 /* We have un-authenticated KX material available. We should try
3368 this as a back-up option, in case the sender crashed and
3370 decrypted_size = t_ax_decrypt_and_validate (t->unverified_ax,
3374 if (-1 != decrypted_size)
3376 /* It worked! Treat this as authentication of the AX data! */
3377 cleanup_ax (&t->ax);
3378 t->ax = *t->unverified_ax;
3379 GNUNET_free (t->unverified_ax);
3380 t->unverified_ax = NULL;
3382 if (CADET_TUNNEL_KEY_AX_AUTH_SENT == t->estate)
3384 /* First time it worked, move tunnel into production! */
3385 GCT_change_estate (t,
3386 CADET_TUNNEL_KEY_OK);
3387 if (NULL != t->send_task)
3388 GNUNET_SCHEDULER_cancel (t->send_task);
3389 t->send_task = GNUNET_SCHEDULER_add_now (&trigger_transmissions,
3393 if (NULL != t->unverified_ax)
3395 /* We had unverified KX material that was useless; so increment
3396 counter and eventually move to ignore it. Note that we even do
3397 this increment if we successfully decrypted with the old KX
3398 material and thus didn't even both with the new one. This is
3399 the ideal case, as a malicious injection of bogus KX data
3400 basically only causes us to increment a counter a few times. */t->unverified_attempts++;
3401 LOG (GNUNET_ERROR_TYPE_DEBUG,
3402 "Failed to decrypt message with unverified KX data %u times\n",
3403 t->unverified_attempts);
3404 if (t->unverified_attempts > MAX_UNVERIFIED_ATTEMPTS)
3406 cleanup_ax (t->unverified_ax);
3407 GNUNET_free (t->unverified_ax);
3408 t->unverified_ax = NULL;
3412 if (-1 == decrypted_size)
3414 /* Decryption failed for good, complain. */
3415 LOG (GNUNET_ERROR_TYPE_WARNING,
3416 "%s failed to decrypt and validate encrypted data, retrying KX\n",
3418 GNUNET_STATISTICS_update (stats,
3419 "# unable to decrypt",
3422 if (NULL != t->kx_task)
3424 GNUNET_SCHEDULER_cancel (t->kx_task);
3432 GNUNET_STATISTICS_update (stats,
3433 "# decrypted bytes",
3437 /* The MST will ultimately call #handle_decrypted() on each message. */
3439 GNUNET_break_op (GNUNET_OK ==
3440 GNUNET_MST_from_buffer (t->mst,
3445 t->current_ct = NULL;
3450 * Sends an already built message on a tunnel, encrypting it and
3451 * choosing the best connection if not provided.
3453 * @param message Message to send. Function modifies it.
3454 * @param t Tunnel on which this message is transmitted.
3455 * @param cont Continuation to call once message is really sent.
3456 * @param cont_cls Closure for @c cont.
3457 * @return Handle to cancel message
3459 struct CadetTunnelQueueEntry *
3460 GCT_send (struct CadetTunnel *t,
3461 const struct GNUNET_MessageHeader *message,
3462 GCT_SendContinuation cont,
3465 struct CadetTunnelQueueEntry *tq;
3466 uint16_t payload_size;
3467 struct GNUNET_MQ_Envelope *env;
3468 struct GNUNET_CADET_TunnelEncryptedMessage *ax_msg;
3470 if (CADET_TUNNEL_KEY_OK != t->estate)
3475 payload_size = ntohs (message->size);
3476 LOG (GNUNET_ERROR_TYPE_DEBUG,
3477 "Encrypting %u bytes for %s\n",
3478 (unsigned int) payload_size,
3480 env = GNUNET_MQ_msg_extra (ax_msg,
3482 GNUNET_MESSAGE_TYPE_CADET_TUNNEL_ENCRYPTED);
3483 t_ax_encrypt (&t->ax,
3487 GNUNET_STATISTICS_update (stats,
3488 "# encrypted bytes",
3491 ax_msg->ax_header.Ns = htonl (t->ax.Ns++);
3492 ax_msg->ax_header.PNs = htonl (t->ax.PNs);
3493 /* FIXME: we should do this once, not once per message;
3494 this is a point multiplication, and DHRs does not
3495 change all the time. */
3496 GNUNET_CRYPTO_ecdhe_key_get_public (&t->ax.DHRs,
3497 &ax_msg->ax_header.DHRs);
3498 t_h_encrypt (&t->ax,
3500 t_hmac (&ax_msg->ax_header,
3501 sizeof(struct GNUNET_CADET_AxHeader) + payload_size,
3506 tq = GNUNET_malloc (sizeof(*tq));
3509 tq->cid = &ax_msg->cid; /* will initialize 'ax_msg->cid' once we know the connection */
3511 tq->cont_cls = cont_cls;
3512 GNUNET_CONTAINER_DLL_insert_tail (t->tq_head,
3515 if (NULL != t->send_task)
3516 GNUNET_SCHEDULER_cancel (t->send_task);
3518 = GNUNET_SCHEDULER_add_now (&trigger_transmissions,
3525 * Cancel a previously sent message while it's in the queue.
3527 * ONLY can be called before the continuation given to the send
3528 * function is called. Once the continuation is called, the message is
3529 * no longer in the queue!
3531 * @param tq Handle to the queue entry to cancel.
3534 GCT_send_cancel (struct CadetTunnelQueueEntry *tq)
3536 struct CadetTunnel *t = tq->t;
3538 GNUNET_CONTAINER_DLL_remove (t->tq_head,
3541 GNUNET_MQ_discard (tq->env);
3547 * Iterate over all connections of a tunnel.
3549 * @param t Tunnel whose connections to iterate.
3550 * @param iter Iterator.
3551 * @param iter_cls Closure for @c iter.
3554 GCT_iterate_connections (struct CadetTunnel *t,
3555 GCT_ConnectionIterator iter,
3558 struct CadetTConnection *n;
3560 for (struct CadetTConnection *ct = t->connection_ready_head;
3568 for (struct CadetTConnection *ct = t->connection_busy_head;
3580 * Closure for #iterate_channels_cb.
3587 GCT_ChannelIterator iter;
3590 * Closure for @e iter.
3597 * Helper function for #GCT_iterate_channels.
3599 * @param cls the `struct ChanIterCls`
3601 * @param value a `struct CadetChannel`
3602 * @return #GNUNET_OK
3605 iterate_channels_cb (void *cls,
3609 struct ChanIterCls *ctx = cls;
3610 struct CadetChannel *ch = value;
3612 ctx->iter (ctx->iter_cls,
3619 * Iterate over all channels of a tunnel.
3621 * @param t Tunnel whose channels to iterate.
3622 * @param iter Iterator.
3623 * @param iter_cls Closure for @c iter.
3626 GCT_iterate_channels (struct CadetTunnel *t,
3627 GCT_ChannelIterator iter,
3630 struct ChanIterCls ctx;
3633 ctx.iter_cls = iter_cls;
3634 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
3635 &iterate_channels_cb,
3641 * Call #GCCH_debug() on a channel.
3643 * @param cls points to the log level to use
3645 * @param value the `struct CadetChannel` to dump
3646 * @return #GNUNET_OK (continue iteration)
3649 debug_channel (void *cls,
3653 const enum GNUNET_ErrorType *level = cls;
3654 struct CadetChannel *ch = value;
3656 GCCH_debug (ch, *level);
3661 #define LOG2(level, ...) GNUNET_log_from_nocheck (level, "cadet-tun", \
3666 * Log all possible info about the tunnel state.
3668 * @param t Tunnel to debug.
3669 * @param level Debug level to use.
3672 GCT_debug (const struct CadetTunnel *t,
3673 enum GNUNET_ErrorType level)
3675 #if ! defined(GNUNET_CULL_LOGGING)
3676 struct CadetTConnection *iter_c;
3679 do_log = GNUNET_get_log_call_status (level & (~GNUNET_ERROR_TYPE_BULK),
3681 __FILE__, __FUNCTION__, __LINE__);
3686 "TTT TUNNEL TOWARDS %s in estate %s tq_len: %u #cons: %u\n",
3688 estate2s (t->estate),
3690 GCT_count_any_connections (t));
3693 GNUNET_CONTAINER_multihashmap32_iterate (t->channels,
3697 "TTT connections:\n");
3698 for (iter_c = t->connection_ready_head; NULL != iter_c; iter_c = iter_c->next)
3699 GCC_debug (iter_c->cc,
3701 for (iter_c = t->connection_busy_head; NULL != iter_c; iter_c = iter_c->next)
3702 GCC_debug (iter_c->cc,
3706 "TTT TUNNEL END\n");
3711 /* end of gnunet-service-cadet_tunnels.c */