2 This file is part of GNUnet.
3 (C) 2009, 2010, 2011 Christian Grothoff (and other contributing authors)
5 GNUnet is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published
7 by the Free Software Foundation; either version 3, or (at your
8 option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with GNUnet; see the file COPYING. If not, write to the
17 Free Software Foundation, Inc., 59 Temple Place - Suite 330,
18 Boston, MA 02111-1307, USA.
22 * @file core/gnunet-service-core_kx.c
23 * @brief code for managing the key exchange (SET_KEY, PING, PONG) with other peers
24 * @author Christian Grothoff
27 #include "gnunet-service-core_kx.h"
28 #include "gnunet-service-core.h"
29 #include "gnunet-service-core_clients.h"
30 #include "gnunet-service-core_neighbours.h"
31 #include "gnunet-service-core_sessions.h"
32 #include "gnunet_statistics_service.h"
33 #include "gnunet_peerinfo_service.h"
34 #include "gnunet_hello_lib.h"
35 #include "gnunet_constants.h"
36 #include "gnunet_signatures.h"
37 #include "gnunet_protocols.h"
41 * How long do we wait for SET_KEY confirmation initially?
43 #define INITIAL_SET_KEY_RETRY_FREQUENCY GNUNET_TIME_relative_multiply (MAX_SET_KEY_DELAY, 1)
46 * What is the minimum frequency for a PING message?
48 #define MIN_PING_FREQUENCY GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 5)
51 * What is the maximum age of a message for us to consider processing
52 * it? Note that this looks at the timestamp used by the other peer,
53 * so clock skew between machines does come into play here. So this
54 * should be picked high enough so that a little bit of clock skew
55 * does not prevent peers from connecting to us.
57 #define MAX_MESSAGE_AGE GNUNET_TIME_UNIT_DAYS
60 * What is the maximum delay for a SET_KEY message?
62 #define MAX_SET_KEY_DELAY GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 10)
65 GNUNET_NETWORK_STRUCT_BEGIN
68 * We're sending an (encrypted) PING to the other peer to check if he
69 * can decrypt. The other peer should respond with a PONG with the
70 * same content, except this time encrypted with the receiver's key.
75 * Message type is CORE_PING.
77 struct GNUNET_MessageHeader header;
82 uint32_t iv_seed GNUNET_PACKED;
85 * Intended target of the PING, used primarily to check
86 * that decryption actually worked.
88 struct GNUNET_PeerIdentity target;
91 * Random number chosen to make reply harder.
93 uint32_t challenge GNUNET_PACKED;
98 * Response to a PING. Includes data from the original PING.
103 * Message type is CORE_PONG.
105 struct GNUNET_MessageHeader header;
110 uint32_t iv_seed GNUNET_PACKED;
113 * Random number to make faking the reply harder. Must be
114 * first field after header (this is where we start to encrypt!).
116 uint32_t challenge GNUNET_PACKED;
119 * Reserved, always 'GNUNET_BANDWIDTH_VALUE_MAX'.
121 struct GNUNET_BANDWIDTH_Value32NBO reserved;
124 * Intended target of the PING, used primarily to check
125 * that decryption actually worked.
127 struct GNUNET_PeerIdentity target;
132 * Message transmitted to set (or update) a session key.
138 * Message type is either CORE_SET_KEY.
140 struct GNUNET_MessageHeader header;
143 * Status of the sender (should be in "enum PeerStateMachine"), nbo.
145 int32_t sender_status GNUNET_PACKED;
148 * Purpose of the signature, will be
149 * GNUNET_SIGNATURE_PURPOSE_SET_KEY.
151 struct GNUNET_CRYPTO_RsaSignaturePurpose purpose;
154 * At what time was this key created?
156 struct GNUNET_TIME_AbsoluteNBO creation_time;
159 * The encrypted session key.
161 struct GNUNET_CRYPTO_RsaEncryptedData encrypted_key;
164 * Who is the intended recipient?
166 struct GNUNET_PeerIdentity target;
169 * Signature of the stuff above (starting at purpose).
171 struct GNUNET_CRYPTO_RsaSignature signature;
177 * Encapsulation for encrypted messages exchanged between
178 * peers. Followed by the actual encrypted data.
180 struct EncryptedMessage
183 * Message type is either CORE_ENCRYPTED_MESSAGE.
185 struct GNUNET_MessageHeader header;
188 * Random value used for IV generation.
190 uint32_t iv_seed GNUNET_PACKED;
193 * MAC of the encrypted message (starting at 'sequence_number'),
194 * used to verify message integrity. Everything after this value
195 * (excluding this value itself) will be encrypted and authenticated.
196 * ENCRYPTED_HEADER_SIZE must be set to the offset of the *next* field.
198 GNUNET_HashCode hmac;
201 * Sequence number, in network byte order. This field
202 * must be the first encrypted/decrypted field
204 uint32_t sequence_number GNUNET_PACKED;
207 * Reserved, always 'GNUNET_BANDWIDTH_VALUE_MAX'.
209 struct GNUNET_BANDWIDTH_Value32NBO reserved;
212 * Timestamp. Used to prevent reply of ancient messages
213 * (recent messages are caught with the sequence number).
215 struct GNUNET_TIME_AbsoluteNBO timestamp;
218 GNUNET_NETWORK_STRUCT_END
220 * Number of bytes (at the beginning) of "struct EncryptedMessage"
221 * that are NOT encrypted.
223 #define ENCRYPTED_HEADER_SIZE (offsetof(struct EncryptedMessage, sequence_number))
227 * State machine for our P2P encryption handshake. Everyone starts in
228 * "DOWN", if we receive the other peer's key (other peer initiated)
229 * we start in state RECEIVED (since we will immediately send our
230 * own); otherwise we start in SENT. If we get back a PONG from
231 * within either state, we move up to CONFIRMED (the PONG will always
232 * be sent back encrypted with the key we sent to the other peer).
242 * We've sent our session key.
247 * We've received the other peers session key.
249 KX_STATE_KEY_RECEIVED,
252 * The other peer has confirmed our session key with a message
253 * encrypted with his session key (which we got). Key exchange
261 * Information about the status of a key exchange with another peer.
263 struct GSC_KeyExchangeInfo
266 * Identity of the peer.
268 struct GNUNET_PeerIdentity peer;
271 * SetKeyMessage to transmit (initialized the first
272 * time our status goes past 'KX_STATE_KEY_SENT').
274 struct SetKeyMessage skm;
277 * PING message we transmit to the other peer.
279 struct PingMessage ping;
282 * SetKeyMessage we received and did not process yet.
284 struct SetKeyMessage *skm_received;
287 * PING message we received from the other peer and
288 * did not process yet (or NULL).
290 struct PingMessage *ping_received;
293 * PONG message we received from the other peer and
294 * did not process yet (or NULL).
296 struct PongMessage *pong_received;
299 * Encrypted message we received from the other peer and
300 * did not process yet (or NULL).
302 struct EncryptedMessage *emsg_received;
305 * Non-NULL if we are currently looking up HELLOs for this peer.
308 struct GNUNET_PEERINFO_IteratorContext *pitr;
311 * Public key of the neighbour, NULL if we don't have it yet.
313 struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded *public_key;
316 * We received a PONG message before we got the "public_key"
317 * (or the SET_KEY). We keep it here until we have a key
318 * to decrypt it. NULL if no PONG is pending.
320 struct PongMessage *pending_pong;
323 * Key we use to encrypt our messages for the other peer
324 * (initialized by us when we do the handshake).
326 struct GNUNET_CRYPTO_AesSessionKey encrypt_key;
329 * Key we use to decrypt messages from the other peer
330 * (given to us by the other peer during the handshake).
332 struct GNUNET_CRYPTO_AesSessionKey decrypt_key;
335 * At what time did we generate our encryption key?
337 struct GNUNET_TIME_Absolute encrypt_key_created;
340 * At what time did the other peer generate the decryption key?
342 struct GNUNET_TIME_Absolute decrypt_key_created;
345 * When should the session time out (if there are no PONGs)?
347 struct GNUNET_TIME_Absolute timeout;
350 * At what frequency are we currently re-trying SET_KEY messages?
352 struct GNUNET_TIME_Relative set_key_retry_frequency;
355 * ID of task used for re-trying SET_KEY and PING message.
357 GNUNET_SCHEDULER_TaskIdentifier retry_set_key_task;
360 * ID of task used for sending keep-alive pings.
362 GNUNET_SCHEDULER_TaskIdentifier keep_alive_task;
365 * Bit map indicating which of the 32 sequence numbers before the last
366 * were received (good for accepting out-of-order packets and
367 * estimating reliability of the connection)
369 unsigned int last_packets_bitmap;
372 * last sequence number received on this connection (highest)
374 uint32_t last_sequence_number_received;
377 * last sequence number transmitted
379 uint32_t last_sequence_number_sent;
382 * What was our PING challenge number (for this peer)?
384 uint32_t ping_challenge;
387 * What is our connection status?
389 enum KxStateMachine status;
396 * Handle to peerinfo service.
398 static struct GNUNET_PEERINFO_Handle *peerinfo;
403 static struct GNUNET_CRYPTO_RsaPrivateKey *my_private_key;
408 static struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded my_public_key;
411 * Our message stream tokenizer (for encrypted payload).
413 static struct GNUNET_SERVER_MessageStreamTokenizer *mst;
418 * Derive an authentication key from "set key" information
421 derive_auth_key (struct GNUNET_CRYPTO_AuthKey *akey,
422 const struct GNUNET_CRYPTO_AesSessionKey *skey, uint32_t seed,
423 struct GNUNET_TIME_Absolute creation_time)
425 static const char ctx[] = "authentication key";
426 struct GNUNET_TIME_AbsoluteNBO ctbe;
429 ctbe = GNUNET_TIME_absolute_hton (creation_time);
430 GNUNET_CRYPTO_hmac_derive_key (akey, skey, &seed, sizeof (seed), &skey->key,
431 sizeof (skey->key), &ctbe, sizeof (ctbe), ctx,
437 * Derive an IV from packet information
440 derive_iv (struct GNUNET_CRYPTO_AesInitializationVector *iv,
441 const struct GNUNET_CRYPTO_AesSessionKey *skey, uint32_t seed,
442 const struct GNUNET_PeerIdentity *identity)
444 static const char ctx[] = "initialization vector";
446 GNUNET_CRYPTO_aes_derive_iv (iv, skey, &seed, sizeof (seed),
447 &identity->hashPubKey.bits,
448 sizeof (identity->hashPubKey.bits), ctx,
453 * Derive an IV from pong packet information
456 derive_pong_iv (struct GNUNET_CRYPTO_AesInitializationVector *iv,
457 const struct GNUNET_CRYPTO_AesSessionKey *skey, uint32_t seed,
458 uint32_t challenge, const struct GNUNET_PeerIdentity *identity)
460 static const char ctx[] = "pong initialization vector";
462 GNUNET_CRYPTO_aes_derive_iv (iv, skey, &seed, sizeof (seed),
463 &identity->hashPubKey.bits,
464 sizeof (identity->hashPubKey.bits), &challenge,
465 sizeof (challenge), ctx, sizeof (ctx), NULL);
470 * Encrypt size bytes from in and write the result to out. Use the
471 * key for outbound traffic of the given neighbour.
473 * @param kx key information context
474 * @param iv initialization vector to use
475 * @param in ciphertext
476 * @param out plaintext
477 * @param size size of in/out
478 * @return GNUNET_OK on success
481 do_encrypt (struct GSC_KeyExchangeInfo *kx,
482 const struct GNUNET_CRYPTO_AesInitializationVector *iv,
483 const void *in, void *out, size_t size)
485 if (size != (uint16_t) size)
490 GNUNET_assert (size ==
491 GNUNET_CRYPTO_aes_encrypt (in, (uint16_t) size,
492 &kx->encrypt_key, iv, out));
493 GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# bytes encrypted"), size,
496 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
497 "Encrypted %u bytes for `%4s' using key %u, IV %u\n",
498 (unsigned int) size, GNUNET_i2s (&kx->peer),
499 (unsigned int) kx->encrypt_key.crc32, GNUNET_CRYPTO_crc32_n (iv,
510 * Decrypt size bytes from in and write the result to out. Use the
511 * key for inbound traffic of the given neighbour. This function does
512 * NOT do any integrity-checks on the result.
514 * @param kx key information context
515 * @param iv initialization vector to use
516 * @param in ciphertext
517 * @param out plaintext
518 * @param size size of in/out
519 * @return GNUNET_OK on success
522 do_decrypt (struct GSC_KeyExchangeInfo *kx,
523 const struct GNUNET_CRYPTO_AesInitializationVector *iv,
524 const void *in, void *out, size_t size)
526 if (size != (uint16_t) size)
531 if ((kx->status != KX_STATE_KEY_RECEIVED) && (kx->status != KX_STATE_UP))
534 return GNUNET_SYSERR;
537 GNUNET_CRYPTO_aes_decrypt (in, (uint16_t) size, &kx->decrypt_key, iv,
541 return GNUNET_SYSERR;
543 GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# bytes decrypted"), size,
546 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
547 "Decrypted %u bytes from `%4s' using key %u, IV %u\n",
548 (unsigned int) size, GNUNET_i2s (&kx->peer),
549 (unsigned int) kx->decrypt_key.crc32, GNUNET_CRYPTO_crc32_n (iv,
558 * Send our key (and encrypted PING) to the other peer.
560 * @param kx key exchange context
563 send_key (struct GSC_KeyExchangeInfo *kx);
567 * Task that will retry "send_key" if our previous attempt failed.
569 * @param cls our 'struct GSC_KeyExchangeInfo'
570 * @param tc scheduler context
573 set_key_retry_task (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
575 struct GSC_KeyExchangeInfo *kx = cls;
577 kx->retry_set_key_task = GNUNET_SCHEDULER_NO_TASK;
578 kx->set_key_retry_frequency =
579 GNUNET_TIME_relative_multiply (kx->set_key_retry_frequency, 2);
585 * PEERINFO is giving us a HELLO for a peer. Add the public key to
586 * the neighbour's struct and continue with the key exchange. Or, if
587 * we did not get a HELLO, just do nothing.
589 * @param cls the 'struct GSC_KeyExchangeInfo' to retry sending the key for
590 * @param peer the peer for which this is the HELLO
591 * @param hello HELLO message of that peer
592 * @param err_msg NULL if successful, otherwise contains error message
595 process_hello (void *cls, const struct GNUNET_PeerIdentity *peer,
596 const struct GNUNET_HELLO_Message *hello, const char *err_msg)
598 struct GSC_KeyExchangeInfo *kx = cls;
599 struct SetKeyMessage *skm;
603 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
604 _("Error in communication with PEERINFO service\n"));
606 if (GNUNET_SCHEDULER_NO_TASK != kx->retry_set_key_task)
607 GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
608 kx->retry_set_key_task =
609 GNUNET_SCHEDULER_add_delayed (kx->set_key_retry_frequency,
610 &set_key_retry_task, kx);
616 if (kx->public_key != NULL)
617 return; /* done here */
619 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
620 "Failed to obtain public key for peer `%4s', delaying processing of SET_KEY\n",
621 GNUNET_i2s (&kx->peer));
623 GNUNET_STATISTICS_update (GSC_stats,
625 ("# Delayed connecting due to lack of public key"),
627 if (GNUNET_SCHEDULER_NO_TASK != kx->retry_set_key_task)
628 GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
629 kx->retry_set_key_task =
630 GNUNET_SCHEDULER_add_delayed (kx->set_key_retry_frequency,
631 &set_key_retry_task, kx);
634 if (kx->public_key != NULL)
636 /* already have public key, why are we here? */
640 GNUNET_assert (GNUNET_SCHEDULER_NO_TASK == kx->retry_set_key_task);
642 GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded));
643 if (GNUNET_OK != GNUNET_HELLO_get_key (hello, kx->public_key))
646 GNUNET_free (kx->public_key);
647 kx->public_key = NULL;
651 if (NULL != kx->skm_received)
653 skm = kx->skm_received;
654 kx->skm_received = NULL;
655 GSC_KX_handle_set_key (kx, &skm->header);
662 * Start the key exchange with the given peer.
664 * @param pid identity of the peer to do a key exchange with
665 * @return key exchange information context
667 struct GSC_KeyExchangeInfo *
668 GSC_KX_start (const struct GNUNET_PeerIdentity *pid)
670 struct GSC_KeyExchangeInfo *kx;
673 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Initiating key exchange with `%s'\n",
676 GNUNET_STATISTICS_update (GSC_stats,
677 gettext_noop ("# key exchanges initiated"), 1,
679 kx = GNUNET_malloc (sizeof (struct GSC_KeyExchangeInfo));
681 kx->set_key_retry_frequency = INITIAL_SET_KEY_RETRY_FREQUENCY;
683 GNUNET_PEERINFO_iterate (peerinfo, pid,
684 GNUNET_TIME_UNIT_FOREVER_REL /* timeout? */ ,
691 * Stop key exchange with the given peer. Clean up key material.
693 * @param kx key exchange to stop
696 GSC_KX_stop (struct GSC_KeyExchangeInfo *kx)
698 GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# key exchanges stopped"),
700 if (kx->pitr != NULL)
702 GNUNET_PEERINFO_iterate_cancel (kx->pitr);
705 if (kx->retry_set_key_task != GNUNET_SCHEDULER_NO_TASK)
707 GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
708 kx->retry_set_key_task = GNUNET_SCHEDULER_NO_TASK;
710 if (kx->keep_alive_task != GNUNET_SCHEDULER_NO_TASK)
712 GNUNET_SCHEDULER_cancel (kx->keep_alive_task);
713 kx->keep_alive_task = GNUNET_SCHEDULER_NO_TASK;
715 GNUNET_free_non_null (kx->skm_received);
716 GNUNET_free_non_null (kx->ping_received);
717 GNUNET_free_non_null (kx->pong_received);
718 GNUNET_free_non_null (kx->emsg_received);
719 GNUNET_free_non_null (kx->public_key);
725 * We received a SET_KEY message. Validate and update
726 * our key material and status.
728 * @param kx key exchange status for the corresponding peer
729 * @param msg the set key message we received
732 GSC_KX_handle_set_key (struct GSC_KeyExchangeInfo *kx,
733 const struct GNUNET_MessageHeader *msg)
735 const struct SetKeyMessage *m;
736 struct GNUNET_TIME_Absolute t;
737 struct GNUNET_CRYPTO_AesSessionKey k;
738 struct PingMessage *ping;
739 struct PongMessage *pong;
740 enum KxStateMachine sender_status;
743 size = ntohs (msg->size);
744 if (size != sizeof (struct SetKeyMessage))
749 m = (const struct SetKeyMessage *) msg;
750 GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# session keys received"),
754 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
755 "Core service receives `%s' request from `%4s'.\n", "SET_KEY",
756 GNUNET_i2s (&kx->peer));
758 if (kx->public_key == NULL)
760 GNUNET_free_non_null (kx->skm_received);
761 kx->skm_received = (struct SetKeyMessage *) GNUNET_copy_message (msg);
765 memcmp (&m->target, &GSC_my_identity,
766 sizeof (struct GNUNET_PeerIdentity)))
768 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
769 _("`%s' is for `%s', not for me. Ignoring.\n"), "SET_KEY",
770 GNUNET_i2s (&m->target));
773 if ((ntohl (m->purpose.size) !=
774 sizeof (struct GNUNET_CRYPTO_RsaSignaturePurpose) +
775 sizeof (struct GNUNET_TIME_AbsoluteNBO) +
776 sizeof (struct GNUNET_CRYPTO_RsaEncryptedData) +
777 sizeof (struct GNUNET_PeerIdentity)) ||
779 GNUNET_CRYPTO_rsa_verify (GNUNET_SIGNATURE_PURPOSE_SET_KEY, &m->purpose,
780 &m->signature, kx->public_key)))
782 /* invalid signature */
786 t = GNUNET_TIME_absolute_ntoh (m->creation_time);
787 if (((kx->status == KX_STATE_KEY_RECEIVED) || (kx->status == KX_STATE_UP)) &&
788 (t.abs_value < kx->decrypt_key_created.abs_value))
790 /* this could rarely happen due to massive re-ordering of
791 * messages on the network level, but is most likely either
792 * a bug or some adversary messing with us. Report. */
796 if ((GNUNET_CRYPTO_rsa_decrypt
797 (my_private_key, &m->encrypted_key, &k,
798 sizeof (struct GNUNET_CRYPTO_AesSessionKey)) !=
799 sizeof (struct GNUNET_CRYPTO_AesSessionKey)) ||
800 (GNUNET_OK != GNUNET_CRYPTO_aes_check_session_key (&k)))
802 /* failed to decrypt !? */
806 GNUNET_STATISTICS_update (GSC_stats,
807 gettext_noop ("# SET_KEY messages decrypted"), 1,
810 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Received SET_KEY from `%s'\n",
811 GNUNET_i2s (&kx->peer));
814 if (kx->decrypt_key_created.abs_value != t.abs_value)
816 /* fresh key, reset sequence numbers */
817 kx->last_sequence_number_received = 0;
818 kx->last_packets_bitmap = 0;
819 kx->decrypt_key_created = t;
821 sender_status = (enum KxStateMachine) ntohl (m->sender_status);
826 kx->status = KX_STATE_KEY_RECEIVED;
827 /* we're not up, so we are already doing 'send_key' */
829 case KX_STATE_KEY_SENT:
830 kx->status = KX_STATE_KEY_RECEIVED;
831 /* we're not up, so we are already doing 'send_key' */
833 case KX_STATE_KEY_RECEIVED:
834 /* we're not up, so we are already doing 'send_key' */
837 if ((sender_status == KX_STATE_DOWN) ||
838 (sender_status == KX_STATE_KEY_SENT))
839 send_key (kx); /* we are up, but other peer is not! */
845 if (kx->ping_received != NULL)
847 ping = kx->ping_received;
848 kx->ping_received = NULL;
849 GSC_KX_handle_ping (kx, &ping->header);
852 if (kx->pong_received != NULL)
854 pong = kx->pong_received;
855 kx->pong_received = NULL;
856 GSC_KX_handle_pong (kx, &pong->header);
863 * We received a PING message. Validate and transmit
866 * @param kx key exchange status for the corresponding peer
867 * @param msg the encrypted PING message itself
870 GSC_KX_handle_ping (struct GSC_KeyExchangeInfo *kx,
871 const struct GNUNET_MessageHeader *msg)
873 const struct PingMessage *m;
874 struct PingMessage t;
875 struct PongMessage tx;
876 struct PongMessage tp;
877 struct GNUNET_CRYPTO_AesInitializationVector iv;
880 msize = ntohs (msg->size);
881 if (msize != sizeof (struct PingMessage))
886 GNUNET_STATISTICS_update (GSC_stats,
887 gettext_noop ("# PING messages received"), 1,
889 if ((kx->status != KX_STATE_KEY_RECEIVED) && (kx->status != KX_STATE_UP))
892 GNUNET_free_non_null (kx->ping_received);
893 kx->ping_received = (struct PingMessage *) GNUNET_copy_message (msg);
896 m = (const struct PingMessage *) msg;
898 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
899 "Core service receives `%s' request from `%4s'.\n", "PING",
900 GNUNET_i2s (&kx->peer));
902 derive_iv (&iv, &kx->decrypt_key, m->iv_seed, &GSC_my_identity);
904 do_decrypt (kx, &iv, &m->target, &t.target,
905 sizeof (struct PingMessage) - ((void *) &m->target -
912 memcmp (&t.target, &GSC_my_identity, sizeof (struct GNUNET_PeerIdentity)))
917 GNUNET_snprintf (sender, sizeof (sender), "%8s", GNUNET_i2s (&kx->peer));
918 GNUNET_snprintf (peer, sizeof (peer), "%8s", GNUNET_i2s (&t.target));
919 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
921 ("Received PING from `%s' for different identity: I am `%s', PONG identity: `%s'\n"),
922 sender, GNUNET_i2s (&GSC_my_identity), peer);
927 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Received PING from `%s'\n",
928 GNUNET_i2s (&kx->peer));
931 tx.reserved = GNUNET_BANDWIDTH_VALUE_MAX;
932 tx.challenge = t.challenge;
933 tx.target = t.target;
934 tp.header.type = htons (GNUNET_MESSAGE_TYPE_CORE_PONG);
935 tp.header.size = htons (sizeof (struct PongMessage));
937 GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
938 derive_pong_iv (&iv, &kx->encrypt_key, tp.iv_seed, t.challenge, &kx->peer);
939 do_encrypt (kx, &iv, &tx.challenge, &tp.challenge,
940 sizeof (struct PongMessage) - ((void *) &tp.challenge -
942 GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# PONG messages created"),
944 GSC_NEIGHBOURS_transmit (&kx->peer, &tp.header,
945 GNUNET_TIME_UNIT_FOREVER_REL /* FIXME: timeout */ );
950 * Create a fresh SET KEY message for transmission to the other peer.
951 * Also creates a new key.
953 * @param kx key exchange context to create SET KEY message for
956 setup_fresh_setkey (struct GSC_KeyExchangeInfo *kx)
958 struct SetKeyMessage *skm;
960 GNUNET_CRYPTO_aes_create_session_key (&kx->encrypt_key);
961 kx->encrypt_key_created = GNUNET_TIME_absolute_get ();
963 skm->header.size = htons (sizeof (struct SetKeyMessage));
964 skm->header.type = htons (GNUNET_MESSAGE_TYPE_CORE_SET_KEY);
966 htonl (sizeof (struct GNUNET_CRYPTO_RsaSignaturePurpose) +
967 sizeof (struct GNUNET_TIME_AbsoluteNBO) +
968 sizeof (struct GNUNET_CRYPTO_RsaEncryptedData) +
969 sizeof (struct GNUNET_PeerIdentity));
970 skm->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SET_KEY);
971 skm->creation_time = GNUNET_TIME_absolute_hton (kx->encrypt_key_created);
972 skm->target = kx->peer;
973 GNUNET_assert (GNUNET_OK ==
974 GNUNET_CRYPTO_rsa_encrypt (&kx->encrypt_key,
976 GNUNET_CRYPTO_AesSessionKey),
978 &skm->encrypted_key));
979 GNUNET_assert (GNUNET_OK ==
980 GNUNET_CRYPTO_rsa_sign (my_private_key, &skm->purpose,
986 * Create a fresh PING message for transmission to the other peer.
988 * @param kx key exchange context to create PING for
991 setup_fresh_ping (struct GSC_KeyExchangeInfo *kx)
993 struct PingMessage pp;
994 struct PingMessage *pm;
995 struct GNUNET_CRYPTO_AesInitializationVector iv;
998 pm->header.size = htons (sizeof (struct PingMessage));
999 pm->header.type = htons (GNUNET_MESSAGE_TYPE_CORE_PING);
1001 GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
1002 derive_iv (&iv, &kx->encrypt_key, pm->iv_seed, &kx->peer);
1003 pp.challenge = kx->ping_challenge;
1004 pp.target = kx->peer;
1005 do_encrypt (kx, &iv, &pp.target, &pm->target,
1006 sizeof (struct PingMessage) - ((void *) &pm->target -
1012 * Task triggered when a neighbour entry is about to time out
1013 * (and we should prevent this by sending a PING).
1015 * @param cls the 'struct GSC_KeyExchangeInfo'
1016 * @param tc scheduler context (not used)
1019 send_keep_alive (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
1021 struct GSC_KeyExchangeInfo *kx = cls;
1022 struct GNUNET_TIME_Relative retry;
1023 struct GNUNET_TIME_Relative left;
1025 kx->keep_alive_task = GNUNET_SCHEDULER_NO_TASK;
1026 left = GNUNET_TIME_absolute_get_remaining (kx->timeout);
1027 if (left.rel_value == 0)
1029 GNUNET_STATISTICS_update (GSC_stats,
1030 gettext_noop ("# sessions terminated by timeout"),
1032 GSC_SESSIONS_end (&kx->peer);
1033 kx->status = KX_STATE_DOWN;
1037 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Sending KEEPALIVE to `%s'\n",
1038 GNUNET_i2s (&kx->peer));
1040 GNUNET_STATISTICS_update (GSC_stats,
1041 gettext_noop ("# keepalive messages sent"), 1,
1043 setup_fresh_ping (kx);
1044 GSC_NEIGHBOURS_transmit (&kx->peer, &kx->ping.header,
1045 kx->set_key_retry_frequency);
1047 GNUNET_TIME_relative_max (GNUNET_TIME_relative_divide (left, 2),
1048 MIN_PING_FREQUENCY);
1049 kx->keep_alive_task =
1050 GNUNET_SCHEDULER_add_delayed (retry, &send_keep_alive, kx);
1055 * We've seen a valid message from the other peer.
1056 * Update the time when the session would time out
1057 * and delay sending our keep alive message further.
1059 * @param kx key exchange where we saw activity
1062 update_timeout (struct GSC_KeyExchangeInfo *kx)
1065 GNUNET_TIME_relative_to_absolute
1066 (GNUNET_CONSTANTS_IDLE_CONNECTION_TIMEOUT);
1067 if (kx->keep_alive_task != GNUNET_SCHEDULER_NO_TASK)
1068 GNUNET_SCHEDULER_cancel (kx->keep_alive_task);
1069 kx->keep_alive_task =
1070 GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_relative_divide
1071 (GNUNET_CONSTANTS_IDLE_CONNECTION_TIMEOUT,
1072 2), &send_keep_alive, kx);
1077 * We received a PONG message. Validate and update our status.
1079 * @param kx key exchange context for the the PONG
1080 * @param msg the encrypted PONG message itself
1083 GSC_KX_handle_pong (struct GSC_KeyExchangeInfo *kx,
1084 const struct GNUNET_MessageHeader *msg)
1086 const struct PongMessage *m;
1087 struct PongMessage t;
1088 struct EncryptedMessage *emsg;
1089 struct GNUNET_CRYPTO_AesInitializationVector iv;
1092 msize = ntohs (msg->size);
1093 if (msize != sizeof (struct PongMessage))
1095 GNUNET_break_op (0);
1098 GNUNET_STATISTICS_update (GSC_stats,
1099 gettext_noop ("# PONG messages received"), 1,
1101 if ((kx->status != KX_STATE_KEY_RECEIVED) && (kx->status != KX_STATE_UP))
1103 if (kx->status == KX_STATE_KEY_SENT)
1105 GNUNET_free_non_null (kx->pong_received);
1106 kx->pong_received = (struct PongMessage *) GNUNET_copy_message (msg);
1110 m = (const struct PongMessage *) msg;
1112 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1113 "Core service receives `%s' response from `%4s'.\n", "PONG",
1114 GNUNET_i2s (&kx->peer));
1116 /* mark as garbage, just to be sure */
1117 memset (&t, 255, sizeof (t));
1118 derive_pong_iv (&iv, &kx->decrypt_key, m->iv_seed, kx->ping_challenge,
1121 do_decrypt (kx, &iv, &m->challenge, &t.challenge,
1122 sizeof (struct PongMessage) - ((void *) &m->challenge -
1125 GNUNET_break_op (0);
1128 GNUNET_STATISTICS_update (GSC_stats,
1129 gettext_noop ("# PONG messages decrypted"), 1,
1131 if ((0 != memcmp (&t.target, &kx->peer, sizeof (struct GNUNET_PeerIdentity)))
1132 || (kx->ping_challenge != t.challenge))
1134 /* PONG malformed */
1136 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1137 "Received malformed `%s' wanted sender `%4s' with challenge %u\n",
1138 "PONG", GNUNET_i2s (&kx->peer),
1139 (unsigned int) kx->ping_challenge);
1140 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1141 "Received malformed `%s' received from `%4s' with challenge %u\n",
1142 "PONG", GNUNET_i2s (&t.target), (unsigned int) t.challenge);
1147 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Received PONG from `%s'\n",
1148 GNUNET_i2s (&kx->peer));
1153 GNUNET_break (0); /* should be impossible */
1155 case KX_STATE_KEY_SENT:
1156 GNUNET_break (0); /* should be impossible */
1158 case KX_STATE_KEY_RECEIVED:
1159 GNUNET_STATISTICS_update (GSC_stats,
1161 ("# session keys confirmed via PONG"), 1,
1163 kx->status = KX_STATE_UP;
1164 GSC_SESSIONS_create (&kx->peer, kx);
1165 if (GNUNET_SCHEDULER_NO_TASK != kx->retry_set_key_task)
1167 GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
1168 kx->retry_set_key_task = GNUNET_SCHEDULER_NO_TASK;
1170 GNUNET_assert (kx->keep_alive_task == GNUNET_SCHEDULER_NO_TASK);
1171 if (kx->emsg_received != NULL)
1173 emsg = kx->emsg_received;
1174 kx->emsg_received = NULL;
1175 GSC_KX_handle_encrypted_message (kx, &emsg->header, NULL,
1176 0 /* FIXME: ATSI */ );
1179 update_timeout (kx);
1182 update_timeout (kx);
1192 * Send our key (and encrypted PING) to the other peer.
1194 * @param kx key exchange context
1197 send_key (struct GSC_KeyExchangeInfo *kx)
1199 GNUNET_assert (kx->retry_set_key_task == GNUNET_SCHEDULER_NO_TASK);
1200 if (KX_STATE_UP == kx->status)
1201 return; /* nothing to do */
1202 if (kx->public_key == NULL)
1204 /* lookup public key, then try again */
1206 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1207 "Trying to obtain public key for `%s'\n",
1208 GNUNET_i2s (&kx->peer));
1211 GNUNET_PEERINFO_iterate (peerinfo, &kx->peer,
1212 GNUNET_TIME_UNIT_FOREVER_REL /* timeout? */ ,
1213 &process_hello, kx);
1221 kx->status = KX_STATE_KEY_SENT;
1222 /* setup SET KEY message */
1223 setup_fresh_setkey (kx);
1224 setup_fresh_ping (kx);
1225 GNUNET_STATISTICS_update (GSC_stats,
1227 ("# SET_KEY and PING messages created"), 1,
1230 case KX_STATE_KEY_SENT:
1232 case KX_STATE_KEY_RECEIVED:
1242 /* always update sender status in SET KEY message */
1243 kx->skm.sender_status = htonl ((int32_t) kx->status);
1245 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Sending SET_KEY and PING to `%s'\n",
1246 GNUNET_i2s (&kx->peer));
1248 GSC_NEIGHBOURS_transmit (&kx->peer, &kx->skm.header,
1249 kx->set_key_retry_frequency);
1250 GSC_NEIGHBOURS_transmit (&kx->peer, &kx->ping.header,
1251 kx->set_key_retry_frequency);
1252 kx->retry_set_key_task =
1253 GNUNET_SCHEDULER_add_delayed (kx->set_key_retry_frequency,
1254 &set_key_retry_task, kx);
1259 * Encrypt and transmit a message with the given payload.
1261 * @param kx key exchange context
1262 * @param payload payload of the message
1263 * @param payload_size number of bytes in 'payload'
1266 GSC_KX_encrypt_and_transmit (struct GSC_KeyExchangeInfo *kx,
1267 const void *payload, size_t payload_size)
1269 size_t used = payload_size + sizeof (struct EncryptedMessage);
1270 char pbuf[used]; /* plaintext */
1271 char cbuf[used]; /* ciphertext */
1272 struct EncryptedMessage *em; /* encrypted message */
1273 struct EncryptedMessage *ph; /* plaintext header */
1274 struct GNUNET_CRYPTO_AesInitializationVector iv;
1275 struct GNUNET_CRYPTO_AuthKey auth_key;
1277 ph = (struct EncryptedMessage *) pbuf;
1279 htonl (GNUNET_CRYPTO_random_u32
1280 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX));
1281 ph->sequence_number = htonl (++kx->last_sequence_number_sent);
1282 ph->reserved = GNUNET_BANDWIDTH_VALUE_MAX;
1283 ph->timestamp = GNUNET_TIME_absolute_hton (GNUNET_TIME_absolute_get ());
1284 memcpy (&ph[1], payload, payload_size);
1286 em = (struct EncryptedMessage *) cbuf;
1287 em->header.size = htons (used);
1288 em->header.type = htons (GNUNET_MESSAGE_TYPE_CORE_ENCRYPTED_MESSAGE);
1289 em->iv_seed = ph->iv_seed;
1290 derive_iv (&iv, &kx->encrypt_key, ph->iv_seed, &kx->peer);
1291 GNUNET_assert (GNUNET_OK ==
1292 do_encrypt (kx, &iv, &ph->sequence_number,
1293 &em->sequence_number,
1294 used - ENCRYPTED_HEADER_SIZE));
1296 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Encrypted %u bytes for %s\n",
1297 used - ENCRYPTED_HEADER_SIZE, GNUNET_i2s (&kx->peer));
1299 derive_auth_key (&auth_key, &kx->encrypt_key, ph->iv_seed,
1300 kx->encrypt_key_created);
1301 GNUNET_CRYPTO_hmac (&auth_key, &em->sequence_number,
1302 used - ENCRYPTED_HEADER_SIZE, &em->hmac);
1303 GSC_NEIGHBOURS_transmit (&kx->peer, &em->header,
1304 GNUNET_TIME_UNIT_FOREVER_REL);
1309 * Closure for 'deliver_message'
1311 struct DeliverMessageContext
1315 * Performance information for the connection.
1317 const struct GNUNET_ATS_Information *atsi;
1320 * Sender of the message.
1322 const struct GNUNET_PeerIdentity *peer;
1325 * Number of entries in 'atsi' array.
1327 uint32_t atsi_count;
1332 * We received an encrypted message. Decrypt, validate and
1333 * pass on to the appropriate clients.
1335 * @param kx key exchange context for encrypting the message
1336 * @param msg encrypted message
1337 * @param atsi performance data
1338 * @param atsi_count number of entries in ats (excluding 0-termination)
1341 GSC_KX_handle_encrypted_message (struct GSC_KeyExchangeInfo *kx,
1342 const struct GNUNET_MessageHeader *msg,
1343 const struct GNUNET_ATS_Information *atsi,
1344 uint32_t atsi_count)
1346 const struct EncryptedMessage *m;
1347 struct EncryptedMessage *pt; /* plaintext */
1350 struct GNUNET_TIME_Absolute t;
1351 struct GNUNET_CRYPTO_AesInitializationVector iv;
1352 struct GNUNET_CRYPTO_AuthKey auth_key;
1353 struct DeliverMessageContext dmc;
1354 uint16_t size = ntohs (msg->size);
1358 sizeof (struct EncryptedMessage) + sizeof (struct GNUNET_MessageHeader))
1360 GNUNET_break_op (0);
1363 m = (const struct EncryptedMessage *) msg;
1364 if ((kx->status != KX_STATE_KEY_RECEIVED) && (kx->status != KX_STATE_UP))
1366 GNUNET_STATISTICS_update (GSC_stats,
1368 ("# failed to decrypt message (no session key)"),
1372 if (kx->status == KX_STATE_KEY_RECEIVED)
1375 GNUNET_free_non_null (kx->ping_received);
1376 kx->emsg_received = (struct EncryptedMessage *) GNUNET_copy_message (msg);
1380 derive_auth_key (&auth_key, &kx->decrypt_key, m->iv_seed,
1381 kx->decrypt_key_created);
1382 GNUNET_CRYPTO_hmac (&auth_key, &m->sequence_number,
1383 size - ENCRYPTED_HEADER_SIZE, &ph);
1384 if (0 != memcmp (&ph, &m->hmac, sizeof (GNUNET_HashCode)))
1386 /* checksum failed */
1387 GNUNET_break_op (0);
1390 derive_iv (&iv, &kx->decrypt_key, m->iv_seed, &GSC_my_identity);
1393 do_decrypt (kx, &iv, &m->sequence_number, &buf[ENCRYPTED_HEADER_SIZE],
1394 size - ENCRYPTED_HEADER_SIZE))
1397 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Decrypted %u bytes from %s\n",
1398 size - ENCRYPTED_HEADER_SIZE, GNUNET_i2s (&kx->peer));
1400 pt = (struct EncryptedMessage *) buf;
1402 /* validate sequence number */
1403 snum = ntohl (pt->sequence_number);
1404 if (kx->last_sequence_number_received == snum)
1406 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1407 "Received duplicate message, ignoring.\n");
1408 /* duplicate, ignore */
1409 GNUNET_STATISTICS_update (GSC_stats,
1410 gettext_noop ("# bytes dropped (duplicates)"),
1414 if ((kx->last_sequence_number_received > snum) &&
1415 (kx->last_sequence_number_received - snum > 32))
1417 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1418 "Received ancient out of sequence message, ignoring.\n");
1419 /* ancient out of sequence, ignore */
1420 GNUNET_STATISTICS_update (GSC_stats,
1422 ("# bytes dropped (out of sequence)"), size,
1426 if (kx->last_sequence_number_received > snum)
1428 unsigned int rotbit = 1 << (kx->last_sequence_number_received - snum - 1);
1430 if ((kx->last_packets_bitmap & rotbit) != 0)
1432 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1433 "Received duplicate message, ignoring.\n");
1434 GNUNET_STATISTICS_update (GSC_stats,
1435 gettext_noop ("# bytes dropped (duplicates)"),
1437 /* duplicate, ignore */
1440 kx->last_packets_bitmap |= rotbit;
1442 if (kx->last_sequence_number_received < snum)
1444 unsigned int shift = (snum - kx->last_sequence_number_received);
1446 if (shift >= 8 * sizeof (kx->last_packets_bitmap))
1447 kx->last_packets_bitmap = 0;
1449 kx->last_packets_bitmap <<= shift;
1450 kx->last_sequence_number_received = snum;
1453 /* check timestamp */
1454 t = GNUNET_TIME_absolute_ntoh (pt->timestamp);
1455 if (GNUNET_TIME_absolute_get_duration (t).rel_value >
1456 MAX_MESSAGE_AGE.rel_value)
1458 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1459 _("Message received far too old (%llu ms). Content ignored.\n"),
1460 GNUNET_TIME_absolute_get_duration (t).rel_value);
1461 GNUNET_STATISTICS_update (GSC_stats,
1463 ("# bytes dropped (ancient message)"), size,
1468 /* process decrypted message(s) */
1469 update_timeout (kx);
1470 GNUNET_STATISTICS_update (GSC_stats,
1471 gettext_noop ("# bytes of payload decrypted"),
1472 size - sizeof (struct EncryptedMessage), GNUNET_NO);
1474 dmc.atsi_count = atsi_count;
1475 dmc.peer = &kx->peer;
1477 GNUNET_SERVER_mst_receive (mst, &dmc,
1478 &buf[sizeof (struct EncryptedMessage)],
1479 size - sizeof (struct EncryptedMessage),
1480 GNUNET_YES, GNUNET_NO))
1481 GNUNET_break_op (0);
1486 * Deliver P2P message to interested clients.
1487 * Invokes send twice, once for clients that want the full message, and once
1488 * for clients that only want the header
1490 * @param cls always NULL
1491 * @param client who sent us the message (struct GSC_KeyExchangeInfo)
1492 * @param m the message
1495 deliver_message (void *cls, void *client, const struct GNUNET_MessageHeader *m)
1497 struct DeliverMessageContext *dmc = client;
1499 switch (ntohs (m->type))
1501 case GNUNET_MESSAGE_TYPE_CORE_BINARY_TYPE_MAP:
1502 case GNUNET_MESSAGE_TYPE_CORE_COMPRESSED_TYPE_MAP:
1503 GSC_SESSIONS_set_typemap (dmc->peer, m);
1506 GSC_CLIENTS_deliver_message (dmc->peer, dmc->atsi, dmc->atsi_count, m,
1508 GNUNET_CORE_OPTION_SEND_FULL_INBOUND);
1509 GSC_CLIENTS_deliver_message (dmc->peer, dmc->atsi, dmc->atsi_count, m,
1510 sizeof (struct GNUNET_MessageHeader),
1511 GNUNET_CORE_OPTION_SEND_HDR_INBOUND);
1517 * Initialize KX subsystem.
1519 * @return GNUNET_OK on success, GNUNET_SYSERR on failure
1527 GNUNET_CONFIGURATION_get_value_filename (GSC_cfg, "GNUNETD", "HOSTKEY",
1530 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1532 ("Core service is lacking HOSTKEY configuration setting. Exiting.\n"));
1533 return GNUNET_SYSERR;
1535 my_private_key = GNUNET_CRYPTO_rsa_key_create_from_file (keyfile);
1536 GNUNET_free (keyfile);
1537 if (my_private_key == NULL)
1539 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1540 _("Core service could not access hostkey. Exiting.\n"));
1541 return GNUNET_SYSERR;
1543 GNUNET_CRYPTO_rsa_key_get_public (my_private_key, &my_public_key);
1544 GNUNET_CRYPTO_hash (&my_public_key, sizeof (my_public_key),
1545 &GSC_my_identity.hashPubKey);
1546 peerinfo = GNUNET_PEERINFO_connect (GSC_cfg);
1547 if (NULL == peerinfo)
1549 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1550 _("Could not access PEERINFO service. Exiting.\n"));
1551 GNUNET_CRYPTO_rsa_key_free (my_private_key);
1552 my_private_key = NULL;
1553 return GNUNET_SYSERR;
1555 mst = GNUNET_SERVER_mst_create (&deliver_message, NULL);
1561 * Shutdown KX subsystem.
1566 if (my_private_key != NULL)
1568 GNUNET_CRYPTO_rsa_key_free (my_private_key);
1569 my_private_key = NULL;
1571 if (peerinfo != NULL)
1573 GNUNET_PEERINFO_disconnect (peerinfo);
1578 GNUNET_SERVER_mst_destroy (mst);
1583 /* end of gnunet-service-core_kx.c */