#define DUMP_KEYS_TO_STDERR GNUNET_NO
#endif
+#define MIN_TUNNEL_BUFFER 8
+#define MAX_TUNNEL_BUFFER 64
+#define MAX_SKIPPED_KEYS 64
+#define MAX_KEY_GAP 256
#define AX_HEADER_SIZE (sizeof (uint32_t) * 2\
+ sizeof (struct GNUNET_CRYPTO_EcdhePublicKey))
struct GNUNET_CRYPTO_SymmetricSessionKey MK;
};
+
/**
- * Axolotl data, according to @url https://github.com/trevp/axolotl/wiki .
+ * Axolotl data, according to https://github.com/trevp/axolotl/wiki .
*/
struct CadetTunnelAxolotl
{
/**
* A (double linked) list of stored message keys and associated header keys
- * for "skipped" messages, i.e. messages that have not bee*n
+ * for "skipped" messages, i.e. messages that have not been
* received despite the reception of more recent messages, (head).
*/
struct CadetTunnelSkippedKey *skipped_head;
/**
* Elements in @a skipped_head <-> @a skipped_tail.
*/
- uint skipped;
+ unsigned int skipped;
/**
* 32-byte root key which gets updated by DH ratchet.
*/
struct GNUNET_CRYPTO_EcdhePrivateKey *kx_0;
- /**
- * ECDH Identity key (recv).
- */
- struct GNUNET_CRYPTO_EcdhePublicKey DHIr;
-
/**
* ECDH Ratchet key (send).
*/
struct GNUNET_CRYPTO_EcdhePublicKey DHRr;
/**
- * Message number (reset to 0 with each new ratchet, send)
+ * Message number (reset to 0 with each new ratchet, next message to send).
*/
uint32_t Ns;
/**
- * Message numbers (reset to 0 with each new ratchet, recv)
+ * Message number (reset to 0 with each new ratchet, next message to recv).
*/
uint32_t Nr;
uint32_t PNs;
/**
- * True (#GNUNET_YES) if the party will send a new ratchet key in next msg.
+ * True (#GNUNET_YES) if we have to send a new ratchet key in next msg.
*/
int ratchet_flag;
+
+ /**
+ * Number of messages recieved since our last ratchet advance.
+ * - If this counter = 0, we cannot send a new ratchet key in next msg.
+ * - If this counter > 0, we can (but don't yet have to) send a new key.
+ */
+ unsigned int ratchet_allowed;
+
+ /**
+ * Number of messages recieved since our last ratchet advance.
+ * - If this counter = 0, we cannot send a new ratchet key in next msg.
+ * - If this counter > 0, we can (but don't yet have to) send a new key.
+ */
+ unsigned int ratchet_counter;
+
+ /**
+ * When does this ratchet expire and a new one is triggered.
+ */
+ struct GNUNET_TIME_Absolute ratchet_expiration;
};
/**
};
-/**
- * Cached Axolotl key with signature.
- */
-struct CadetAxolotlSignedKey
-{
- /**
- * Information about what is being signed (@a permanent_key).
- */
- struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
-
- /**
- * Permanent public ECDH key.
- */
- struct GNUNET_CRYPTO_EcdhePublicKey permanent_key;
-
- /**
- * An EdDSA signature of the permanent ECDH key with the Peer's ID key.
- */
- struct GNUNET_CRYPTO_EddsaSignature signature;
-} GNUNET_PACKED;
-
-
/******************************************************************************/
/******************************* GLOBALS ***********************************/
/******************************************************************************/
*/
static unsigned long long default_ttl;
-
/**
* Own Peer ID private key.
*/
const static struct GNUNET_CRYPTO_EddsaPrivateKey *id_key;
+
/******************************** AXOLOTL ************************************/
-static struct GNUNET_CRYPTO_EcdhePrivateKey *ax_key;
+/**
+ * How many messages are needed to trigger a ratchet advance.
+ */
+static unsigned long long ratchet_messages;
/**
- * Own Axolotl permanent public key (cache).
+ * How long until we trigger a ratched advance.
*/
-static struct CadetAxolotlSignedKey ax_identity;
+static struct GNUNET_TIME_Relative ratchet_time;
-/******************************** OTR ***********************************/
+/******************************** OTR ***********************************/
/**
* Own global OTR ephemeral private key.
{
int ready;
- GCT_debug (t, GNUNET_ERROR_TYPE_DEBUG);
ready = CADET_TUNNEL_READY == t->cstate
&& (CADET_TUNNEL_KEY_OK == t->estate
|| CADET_TUNNEL_KEY_REKEY == t->estate);
}
-/**
- * Ephemeral key message purpose size.
- *
- * @return Size of the part of the ephemeral key message that must be signed.
- */
-static size_t
-ax_purpose_size (void)
-{
- return sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
- sizeof (struct GNUNET_CRYPTO_EcdhePublicKey);
-}
-
-
/**
* Size of the encrypted part of a ping message.
*
* @param t Tunnel on which the message came.
* @param msg The ephemeral key message.
*
- * @return GNUNET_OK if message is fine, GNUNET_SYSERR otherwise.
+ * @return #GNUNET_OK if message is fine, #GNUNET_SYSERR otherwise.
*/
int
check_ephemeral (struct CadetTunnel *t,
struct GNUNET_HashCode hash;
#if DUMP_KEYS_TO_STDERR
- LOG (GNUNET_ERROR_TYPE_INFO, " HMAC with key %s\n",
+ LOG (GNUNET_ERROR_TYPE_INFO, " HMAC %u bytes with key %s\n", size,
GNUNET_h2s ((struct GNUNET_HashCode *) key));
#endif
GNUNET_CRYPTO_hmac_derive_key (&auth_key, key,
ax = t->ax;
+ ax->ratchet_counter++;
+ if (GNUNET_YES == ax->ratchet_allowed
+ && (ratchet_messages <= ax->ratchet_counter
+ || 0 == GNUNET_TIME_absolute_get_remaining (ax->ratchet_expiration).rel_value_us))
+ {
+ ax->ratchet_flag = GNUNET_YES;
+ }
+
if (GNUNET_YES == ax->ratchet_flag)
{
/* Advance ratchet */
ax->PNs = ax->Ns;
ax->Ns = 0;
ax->ratchet_flag = GNUNET_NO;
+ ax->ratchet_allowed = GNUNET_NO;
+ ax->ratchet_counter = 0;
+ ax->ratchet_expiration =
+ GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(), ratchet_time);
}
t_hmac_derive_key (&ax->CKs, &MK, "0", 1);
GNUNET_CRYPTO_symmetric_derive_iv (&iv, &MK, NULL, 0, NULL);
#if DUMP_KEYS_TO_STDERR
- LOG (GNUNET_ERROR_TYPE_INFO, " AX_ENC with key %s\n",
+ LOG (GNUNET_ERROR_TYPE_INFO, " CKs: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->CKs));
+ LOG (GNUNET_ERROR_TYPE_INFO, " AX_ENC with key %u: %s\n", ax->Ns,
GNUNET_h2s ((struct GNUNET_HashCode *) &MK));
#endif
}
+/**
+ * Decrypt data with the axolotl tunnel key.
+ *
+ * @param t Tunnel whose key to use.
+ * @param dst Destination for the decrypted data.
+ * @param src Source of the ciphertext. Can overlap with @c dst.
+ * @param size Size of the ciphertext.
+ *
+ * @return Size of the decrypted data.
+ */
+static int
+t_ax_decrypt (struct CadetTunnel *t, void *dst, const void *src, size_t size)
+{
+ struct GNUNET_CRYPTO_SymmetricSessionKey MK;
+ struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
+ struct CadetTunnelAxolotl *ax;
+ size_t out_size;
+
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_decrypt start\n");
+
+ ax = t->ax;
+
+ t_hmac_derive_key (&ax->CKr, &MK, "0", 1);
+ GNUNET_CRYPTO_symmetric_derive_iv (&iv, &MK, NULL, 0, NULL);
+
+ #if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_INFO, " CKr: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->CKr));
+ LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC with key %u: %s\n", ax->Nr,
+ GNUNET_h2s ((struct GNUNET_HashCode *) &MK));
+ #endif
+
+ GNUNET_assert (size >= sizeof (struct GNUNET_MessageHeader));
+ out_size = GNUNET_CRYPTO_symmetric_decrypt (src, size, &MK, &iv, dst);
+ GNUNET_assert (out_size == size);
+
+ t_hmac_derive_key (&ax->CKr, &ax->CKr, "1", 1);
+
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_decrypt end\n");
+
+ return out_size;
+}
+
+
/**
* Encrypt header with the axolotl header key.
*
}
+/**
+ * Decrypt header with the current axolotl header key.
+ *
+ * @param t Tunnel whose current ax HK to use.
+ * @param src Message whose header to decrypt.
+ * @param dst Where to decrypt header to.
+ */
+static void
+t_h_decrypt (struct CadetTunnel *t, const struct GNUNET_CADET_AX *src,
+ struct GNUNET_CADET_AX *dst)
+{
+ struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
+ struct CadetTunnelAxolotl *ax;
+ size_t out_size;
+
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_h_decrypt start\n");
+
+ ax = t->ax;
+ GNUNET_CRYPTO_symmetric_derive_iv (&iv, &ax->HKr, NULL, 0, NULL);
+
+ #if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC_H with key %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->HKr));
+ #endif
+
+ out_size = GNUNET_CRYPTO_symmetric_decrypt (&src->Ns, AX_HEADER_SIZE,
+ &ax->HKr, &iv, &dst->Ns);
+
+ GNUNET_assert (AX_HEADER_SIZE == out_size);
+
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_decrypt end\n");
+}
+
+
/**
* Decrypt and verify data with the appropriate tunnel key.
*
return -1;
}
+
/**
* Decrypt and verify data with the appropriate tunnel key and verify that the
* data has not been altered since it was sent by the remote peer.
*
* @param t Tunnel whose key to use.
* @param dst Destination for the plaintext.
- * @param src Source of the encrypted data. Can overlap with @c dst.
- * @param size Size of the encrypted data.
- * @param msg_hmac HMAC of the message, cannot be NULL.
+ * @param src Source of the message. Can overlap with @c dst.
+ * @param size Size of the message.
*
* @return Size of the decrypted data, -1 if an error was encountered.
*/
static int
-t_ax_decrypt_and_validate (struct CadetTunnel *t,
- void *dst, const void *src, size_t size,
- const struct GNUNET_CADET_Hash *msg_hmac)
+try_old_ax_keys (struct CadetTunnel *t, struct GNUNET_CADET_AX *dst,
+ const struct GNUNET_CADET_AX *src, size_t size)
+{
+ struct CadetTunnelSkippedKey *key;
+ struct GNUNET_CADET_Hash hmac;
+ struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
+ size_t res;
+ size_t len;
+
+
+ for (key = t->ax->skipped_head; NULL != key; key = key->next)
+ {
+ t_hmac (&src->Ns, AX_HEADER_SIZE, 0, &key->HK, &hmac);
+ if (0 != memcmp (&hmac, &src->hmac, sizeof (hmac)))
+ break;
+ }
+ if (NULL == key)
+ return -1;
+
+ #if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC with skipped key %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &key->MK));
+ #endif
+
+ GNUNET_assert (size > sizeof (struct GNUNET_CADET_AX));
+ len = size - sizeof (struct GNUNET_CADET_AX);
+ GNUNET_CRYPTO_symmetric_derive_iv (&iv, &key->MK, NULL, 0, NULL);
+ res = GNUNET_CRYPTO_symmetric_decrypt (&src[1], len, &key->MK, &iv, &dst[1]);
+
+ GNUNET_CONTAINER_DLL_remove (t->ax->skipped_head, t->ax->skipped_tail, key);
+ t->ax->skipped--;
+ GNUNET_free (key);
+
+ return res;
+}
+
+
+/**
+ * Delete a key from the list of skipped keys.
+ *
+ * @param t Tunnel to delete from.
+ * @param HKr Header Key to use.
+ */
+static void
+store_skipped_key (struct CadetTunnel *t,
+ const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr)
+{
+ struct CadetTunnelSkippedKey *key;
+
+ key = GNUNET_new (struct CadetTunnelSkippedKey);
+ key->timestamp = GNUNET_TIME_absolute_get ();
+ t_hmac_derive_key (&t->ax->CKr, &key->MK, "0", 1);
+ #if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_INFO, " storing MK for Nr %u: %s\n",
+ t->ax->Nr, GNUNET_h2s ((struct GNUNET_HashCode *) &key->MK));
+ LOG (GNUNET_ERROR_TYPE_INFO, " for CKr: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->ax->CKr));
+ #endif
+ t_hmac_derive_key (&t->ax->CKr, &t->ax->CKr, "1", 1);
+ GNUNET_CONTAINER_DLL_insert (t->ax->skipped_head, t->ax->skipped_tail, key);
+ t->ax->Nr++;
+ t->ax->skipped++;
+}
+
+
+/**
+ * Delete a key from the list of skipped keys.
+ *
+ * @param t Tunnel to delete from.
+ * @param key Key to delete.
+ */
+static void
+delete_skipped_key (struct CadetTunnel *t, struct CadetTunnelSkippedKey *key)
+{
+ GNUNET_CONTAINER_DLL_remove (t->ax->skipped_head, t->ax->skipped_tail, key);
+ GNUNET_free (key);
+ t->ax->skipped--;
+}
+
+
+/**
+ * Stage skipped AX keys and calculate the message key.
+ *
+ * Stores each HK and MK for skipped messages.
+ *
+ * @param t Tunnel where to stage the keys.
+ * @param HKr Header key.
+ * @param Np Received meesage number.
+ */
+static void
+store_ax_keys (struct CadetTunnel *t,
+ const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr,
+ uint32_t Np)
+{
+ int gap;
+
+ gap = Np - t->ax->Nr;
+ if (MAX_KEY_GAP < gap || 0 > gap)
+ {
+ /* Avoid DoS (forcing peer to do 2*33 chain HMAC operations) */
+ /* TODO: start new key exchange on return */
+ GNUNET_break_op (0);
+ return;
+ }
+
+ while (t->ax->Nr < Np)
+ store_skipped_key (t, HKr);
+
+ while (t->ax->skipped > MAX_SKIPPED_KEYS)
+ delete_skipped_key (t, t->ax->skipped_tail);
+}
+
+
+/**
+ * Decrypt and verify data with the appropriate tunnel key and verify that the
+ * data has not been altered since it was sent by the remote peer.
+ *
+ * @param t Tunnel whose key to use.
+ * @param dst Destination for the plaintext.
+ * @param src Source of the message. Can overlap with @c dst.
+ * @param size Size of the message.
+ *
+ * @return Size of the decrypted data, -1 if an error was encountered.
+ */
+static int
+t_ax_decrypt_and_validate (struct CadetTunnel *t, void *dst,
+ const struct GNUNET_CADET_AX *src, size_t size)
{
struct CadetTunnelAxolotl *ax;
+ struct GNUNET_CADET_Hash msg_hmac;
+ struct GNUNET_HashCode hmac;
+ struct GNUNET_CADET_AX *dstmsg;
+ uint32_t Np;
+ uint32_t PNp;
+ size_t esize;
+ size_t osize;
ax = t->ax;
+ dstmsg = dst;
+ esize = size - sizeof (struct GNUNET_CADET_AX);
if (NULL == ax)
return -1;
- /* */
- /* */
+ /* Try current HK */
+ t_hmac (&src->Ns, AX_HEADER_SIZE + esize, 0, &ax->HKr, &msg_hmac);
+ if (0 != memcmp (&msg_hmac, &src->hmac, sizeof (msg_hmac)))
+ {
+ static const char ctx[] = "axolotl ratchet";
+ struct GNUNET_CRYPTO_SymmetricSessionKey keys[3]; /* RKp, NHKp, CKp */
+ struct GNUNET_CRYPTO_SymmetricSessionKey HK;
+ struct GNUNET_HashCode dh;
+ struct GNUNET_CRYPTO_EcdhePublicKey *DHRp;
- GNUNET_break (0);
+ /* Try Next HK */
+ t_hmac (&src->Ns, AX_HEADER_SIZE + esize, 0, &ax->NHKr, &msg_hmac);
+ if (0 != memcmp (&msg_hmac, &src->hmac, sizeof (msg_hmac)))
+ {
+ /* Try the skipped keys, if that fails, we're out of luck. */
+ return try_old_ax_keys (t, dst, src, size);
+ }
+ LOG (GNUNET_ERROR_TYPE_INFO, "next HK\n");
+
+ HK = ax->HKr;
+ ax->HKr = ax->NHKr;
+ t_h_decrypt (t, src, dstmsg);
+ Np = ntohl (dstmsg->Ns);
+ PNp = ntohl (dstmsg->PNs);
+ DHRp = &dstmsg->DHRs;
+ store_ax_keys (t, &HK, PNp);
+
+ /* RKp, NHKp, CKp = KDF (HMAC-HASH (RK, DH (DHRp, DHRs))) */
+ GNUNET_CRYPTO_ecc_ecdh (ax->DHRs, DHRp, &dh);
+ t_ax_hmac_hash (&ax->RK, &hmac, &dh, sizeof (dh));
+ GNUNET_CRYPTO_kdf (keys, sizeof (keys), ctx, sizeof (ctx),
+ &hmac, sizeof (hmac), NULL);
- return 0;
+ /* Commit "purported" keys */
+ ax->RK = keys[0];
+ ax->NHKr = keys[1];
+ ax->CKr = keys[2];
+ ax->DHRr = *DHRp;
+ ax->Nr = 0;
+ ax->ratchet_allowed = GNUNET_YES;
+ }
+ else
+ {
+ LOG (GNUNET_ERROR_TYPE_DEBUG, "current HK\n");
+ t_h_decrypt (t, src, dstmsg);
+ Np = ntohl (dstmsg->Ns);
+ PNp = ntohl (dstmsg->PNs);
+ }
+
+ if (Np > ax->Nr)
+ store_ax_keys (t, &ax->HKr, Np);
+
+ ax->Nr = Np + 1;
+
+ osize = t_ax_decrypt (t, dst, &src[1], esize);
+ if (osize != esize)
+ {
+ GNUNET_break_op (0);
+ return -1;
+ }
+
+ return osize;
}
* Create key material by doing ECDH on the local and remote ephemeral keys.
*
* @param key_material Where to store the key material.
- * @param ephemeral_key Peer's public ephemeral key.
+ * @param ephemeral Peer's public ephemeral key.
+ *
+ * @return GNUNET_OK if it went fine, GNUNET_SYSERR otherwise.
*/
-void
-derive_key_material (struct GNUNET_HashCode *key_material,
- const struct GNUNET_CRYPTO_EcdhePublicKey *ephemeral_key)
+static int
+derive_otr_key_material (struct GNUNET_HashCode *key_material,
+ const struct GNUNET_CRYPTO_EcdhePublicKey *ephemeral)
{
if (GNUNET_OK !=
- GNUNET_CRYPTO_ecc_ecdh (otr_ephemeral_key,
- ephemeral_key,
- key_material))
+ GNUNET_CRYPTO_ecc_ecdh (otr_ephemeral_key, ephemeral, key_material))
{
GNUNET_break (0);
+ return GNUNET_SYSERR;
}
+ return GNUNET_OK;
}
* Derive the tunnel's keys using our own and the peer's ephemeral keys.
*
* @param t Tunnel for which to create the keys.
+ *
+ * @return GNUNET_OK if successful, GNUNET_SYSERR otherwise.
*/
-static void
-create_keys (struct CadetTunnel *t)
+static int
+create_otr_keys (struct CadetTunnel *t)
{
struct GNUNET_HashCode km;
- derive_key_material (&km, &t->peers_ephemeral_key);
+ if (GNUNET_OK != derive_otr_key_material (&km, &t->peers_ephemeral_key))
+ return GNUNET_SYSERR;
derive_symmertic (&t->e_key, &my_full_id, GCP_get_id (t->peer), &km);
derive_symmertic (&t->d_key, GCP_get_id (t->peer), &my_full_id, &km);
#if DUMP_KEYS_TO_STDERR
LOG (GNUNET_ERROR_TYPE_INFO, "DK: %s\n",
GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
#endif
+ return GNUNET_OK;
}
* timestamp and a new nonce.
*
* @param t Tunnel for which to create the KX ctx.
+ *
+ * @return GNUNET_OK if successful, GNUNET_SYSERR otherwise.
*/
-static void
+static int
create_kx_ctx (struct CadetTunnel *t)
{
LOG (GNUNET_ERROR_TYPE_INFO, " new kx ctx for %s\n", GCT_2s (t));
else
LOG (GNUNET_ERROR_TYPE_INFO, " old keys not valid, not saving\n");
t->kx_ctx->rekey_start_time = GNUNET_TIME_absolute_get ();
- create_keys (t);
+ return create_otr_keys (t);
}
LOG (GNUNET_ERROR_TYPE_DEBUG, "queue data on Tunnel %s\n", GCT_2s (t));
- if (GNUNET_YES == is_ready (t))
- {
- GNUNET_break (0);
- return NULL;
- }
+ GNUNET_assert (GNUNET_NO == is_ready (t));
tqd = GNUNET_malloc (sizeof (struct CadetTunnelDelayed) + size);
{
ax_msg = (struct GNUNET_CADET_AX *) cbuf;
msg = &ax_msg->header;
- msg->size = htons (sizeof (struct GNUNET_CADET_Encrypted) + size);
+ msg->size = htons (sizeof (struct GNUNET_CADET_AX) + size);
msg->type = htons (GNUNET_MESSAGE_TYPE_CADET_AX);
+ ax_msg->reserved = 0;
esize = t_ax_encrypt (t, &ax_msg[1], message, size);
ax_msg->Ns = htonl (t->ax->Ns++);
ax_msg->PNs = htonl (t->ax->PNs);
GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->DHRs, &ax_msg->DHRs);
t_h_encrypt (t, ax_msg);
- t_hmac (&ax_msg->Ns, AX_HEADER_SIZE, 0, &t->ax->HKs, &ax_msg->hmac);
+ t_hmac (&ax_msg->Ns, AX_HEADER_SIZE + esize, 0, &t->ax->HKs, &ax_msg->hmac);
}
else
{
t_hmac (&otr_msg[1], size, iv, select_key (t), &otr_msg->hmac);
msg->size = htons (sizeof (struct GNUNET_CADET_Encrypted) + size);
msg->type = htons (GNUNET_MESSAGE_TYPE_CADET_ENCRYPTED);
+ otr_msg->ttl = htonl (default_ttl);
}
GNUNET_assert (esize == size);
}
+/**
+ * @brief Resend the AX KX until we complete the handshake.
+ *
+ * @param cls Closure (tunnel).
+ * @param tc Task context.
+ */
+static void
+ax_kx_resend (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
+{
+ struct CadetTunnel *t = cls;
+
+ t->rekey_task = NULL;
+
+ if (0 != (tc->reason & GNUNET_SCHEDULER_REASON_SHUTDOWN))
+ return;
+
+ if (CADET_TUNNEL_KEY_OK == t->estate)
+ return;
+
+ GCT_send_ax_kx (t, GNUNET_YES);
+}
+
+
/**
* Callback called when a queued message is sent.
*
*/
static void
ephm_sent (void *cls,
- struct CadetConnection *c,
- struct CadetConnectionQueue *q,
- uint16_t type, int fwd, size_t size)
+ struct CadetConnection *c,
+ struct CadetConnectionQueue *q,
+ uint16_t type, int fwd, size_t size)
{
struct CadetTunnel *t = cls;
LOG (GNUNET_ERROR_TYPE_DEBUG, "ephemeral sent %s\n", GC_m2s (type));
+
t->ephm_h = NULL;
+
+ if (CADET_TUNNEL_KEY_OK == t->estate)
+ return;
+
+ if (CADET_Axolotl == t->enc_type && CADET_TUNNEL_KEY_OK != t->estate)
+ {
+ if (NULL != t->rekey_task)
+ {
+ GNUNET_break (0);
+ GNUNET_SCHEDULER_cancel (t->rekey_task);
+ }
+ t->rekey_task = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS,
+ &ax_kx_resend, t);
+ }
}
+
/**
* Callback called when a queued message is sent.
*
t->pong_h = NULL;
}
+
/**
* Sends key exchange message on a tunnel, choosing the best connection.
* Should not be called on loopback tunnels.
r = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, (uint32_t) n * 100);
delay = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS, r);
t->rekey_task = GNUNET_SCHEDULER_add_delayed (delay, &rekey_tunnel, t);
- create_kx_ctx (t);
- GCT_change_estate (t, CADET_TUNNEL_KEY_REKEY);
+ if (GNUNET_OK == create_kx_ctx (t))
+ GCT_change_estate (t, CADET_TUNNEL_KEY_REKEY);
+ else
+ {
+ GNUNET_break (0);
+ // FIXME restart kx
+ }
return GNUNET_YES;
}
GNUNET_free (t->ax);
t->ax = NULL;
-}
+ if (NULL != t->rekey_task)
+ {
+ GNUNET_SCHEDULER_cancel (t->rekey_task);
+ t->rekey_task = NULL;
+ }
+ if (NULL != t->ephm_h)
+ {
+ GCC_cancel (t->ephm_h);
+ t->ephm_h = NULL;
+ }
+}
/**
t->enc_type = CADET_OTR;
if (NULL != t->rekey_task)
GNUNET_SCHEDULER_cancel (t->rekey_task);
- create_kx_ctx (t);
+ if (GNUNET_OK != create_kx_ctx (t))
+ {
+ // FIXME restart kx
+ GNUNET_break (0);
+ return;
+ }
rekey_tunnel (t, NULL);
+ GNUNET_STATISTICS_update (stats, "# otr-downgrades", -1, GNUNET_NO);
}
/**
#endif
t->peers_ephemeral_key = msg->ephemeral_key;
- create_kx_ctx (t);
+ if (GNUNET_OK != create_kx_ctx (t))
+ {
+ // FIXME restart kx
+ GNUNET_break (0);
+ return;
+ }
if (CADET_TUNNEL_KEY_OK == t->estate)
{
* @param msg Key eXchange Pong message.
*/
static void
-handle_pong (struct CadetTunnel *t, const struct GNUNET_CADET_KX_Pong *msg)
+handle_pong (struct CadetTunnel *t,
+ const struct GNUNET_CADET_KX_Pong *msg)
{
uint32_t challenge;
struct CadetTunnelAxolotl *ax;
struct GNUNET_HashCode key_material[3];
struct GNUNET_CRYPTO_SymmetricSessionKey keys[5];
- const struct GNUNET_CRYPTO_EcdhePublicKey *pub;
- const struct GNUNET_CRYPTO_EcdhePrivateKey *priv;
const char salt[] = "CADET Axolotl salt";
const struct GNUNET_PeerIdentity *pid;
int am_I_alice;
return;
}
- if (GNUNET_OK != GCP_check_key (t->peer, &msg->permanent_key,
- &msg->purpose, &msg->signature))
- {
- GNUNET_break_op (0);
- return;
- }
-
pid = GCT_get_destination (t);
if (0 > GNUNET_CRYPTO_cmp_peer_identity (&my_full_id, pid))
am_I_alice = GNUNET_YES;
return;
}
+ if (GNUNET_CADET_AX_KX_FLAG_FORCE_REPLY ==
+ (GNUNET_CADET_AX_KX_FLAG_FORCE_REPLY & ntohl (msg->flags)))
+ GCT_send_ax_kx (t, GNUNET_NO);
+
+ if (CADET_TUNNEL_KEY_OK == t->estate)
+ return;
+
LOG (GNUNET_ERROR_TYPE_INFO, " is Alice? %s\n", am_I_alice ? "YES" : "NO");
ax = t->ax;
ax->DHRr = msg->ratchet_key;
- ax->DHIr = msg->permanent_key;
/* ECDH A B0 */
if (GNUNET_YES == am_I_alice)
{
- priv = ax_key; /* A */
- pub = &msg->ephemeral_key; /* B0 */
+ GNUNET_CRYPTO_eddsa_ecdh (id_key, /* A */
+ &msg->ephemeral_key, /* B0 */
+ &key_material[0]);
}
else
{
- priv = ax->kx_0; /* B0 */
- pub = &ax->DHIr; /* A */
+ GNUNET_CRYPTO_ecdh_eddsa (ax->kx_0, /* B0 */
+ &pid->public_key, /* A */
+ &key_material[0]);
}
- GNUNET_CRYPTO_ecc_ecdh (priv, pub, &key_material[0]);
/* ECDH A0 B */
if (GNUNET_YES == am_I_alice)
{
- priv = ax->kx_0; /* A0 */
- pub = &ax->DHIr; /* B */
+ GNUNET_CRYPTO_ecdh_eddsa (ax->kx_0, /* A0 */
+ &pid->public_key, /* B */
+ &key_material[1]);
}
else
{
- priv = ax_key; /* B */
- pub = &msg->ephemeral_key; /* A0 */
+ GNUNET_CRYPTO_eddsa_ecdh (id_key, /* A */
+ &msg->ephemeral_key, /* B0 */
+ &key_material[1]);
+
+
}
- GNUNET_CRYPTO_ecc_ecdh (priv, pub, &key_material[1]);
- /* ECDH A0 B0*/
- priv = ax->kx_0; /* A0 or B0 */
- pub = &msg->ephemeral_key; /* B0 or A0 */
- GNUNET_CRYPTO_ecc_ecdh (priv, pub, &key_material[2]);
+ /* ECDH A0 B0 */
+ /* (This is the triple-DH, we could probably safely skip this,
+ as A0/B0 are already in the key material.) */
+ GNUNET_CRYPTO_ecc_ecdh (ax->kx_0, /* A0 or B0 */
+ &msg->ephemeral_key, /* B0 or A0 */
+ &key_material[2]);
#if DUMP_KEYS_TO_STDERR
{
ax->NHKs = keys[3];
ax->CKs = keys[4];
ax->ratchet_flag = GNUNET_NO;
+ ax->ratchet_allowed = GNUNET_NO;
+ ax->ratchet_counter = 0;
+ ax->ratchet_expiration =
+ GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(), ratchet_time);
}
GCT_change_estate (t, CADET_TUNNEL_KEY_OK);
}
GCT_handle_encrypted (struct CadetTunnel *t,
const struct GNUNET_MessageHeader *msg)
{
- size_t size = ntohs (msg->size);
+ uint16_t size = ntohs (msg->size);
+ char cbuf [size];
size_t payload_size;
int decrypted_size;
- char cbuf [size];
- uint16_t type = ntohs (msg->type);
- struct GNUNET_MessageHeader *msgh;
+ uint16_t type;
+ const struct GNUNET_MessageHeader *msgh;
unsigned int off;
- if (GNUNET_MESSAGE_TYPE_CADET_ENCRYPTED == type)
+ type = ntohs (msg->type);
+ switch (type)
{
- const struct GNUNET_CADET_Encrypted *emsg;
+ case GNUNET_MESSAGE_TYPE_CADET_ENCRYPTED:
+ {
+ const struct GNUNET_CADET_Encrypted *emsg;
- emsg = (struct GNUNET_CADET_Encrypted *) msg;
- payload_size = size - sizeof (struct GNUNET_CADET_Encrypted);
- decrypted_size = t_decrypt_and_validate (t, cbuf, &emsg[1], payload_size,
- emsg->iv, &emsg->hmac);
- }
- else if (GNUNET_MESSAGE_TYPE_CADET_AX == type)
- {
- const struct GNUNET_CADET_AX *emsg;
+ emsg = (const struct GNUNET_CADET_Encrypted *) msg;
+ payload_size = size - sizeof (struct GNUNET_CADET_Encrypted);
+ decrypted_size = t_decrypt_and_validate (t, cbuf, &emsg[1], payload_size,
+ emsg->iv, &emsg->hmac);
+ }
+ break;
+ case GNUNET_MESSAGE_TYPE_CADET_AX:
+ {
+ const struct GNUNET_CADET_AX *emsg;
- emsg = (struct GNUNET_CADET_AX *) msg;
- payload_size = size - sizeof (struct GNUNET_CADET_AX);
- decrypted_size = t_ax_decrypt_and_validate (t, cbuf, &emsg[1],
- payload_size, &emsg->hmac);
+ emsg = (const struct GNUNET_CADET_AX *) msg;
+ decrypted_size = t_ax_decrypt_and_validate (t, cbuf, emsg, size);
+ }
+ break;
+ default:
+ GNUNET_break_op (0);
+ return;
}
-
if (-1 == decrypted_size)
{
GNUNET_break_op (0);
return;
}
+ /* FIXME: this is bad, as the structs returned from
+ this loop may be unaligned, see util's MST for
+ how to do this right. */
off = 0;
while (off < decrypted_size)
{
uint16_t msize;
- msgh = (struct GNUNET_MessageHeader *) &cbuf[off];
+ msgh = (const struct GNUNET_MessageHeader *) &cbuf[off];
msize = ntohs (msgh->size);
if (msize < sizeof (struct GNUNET_MessageHeader))
{
GNUNET_CONFIGURATION_get_value_number (c, "CADET", "DEFAULT_TTL",
&default_ttl))
{
- GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_WARNING,
+ GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_DEBUG,
"CADET", "DEFAULT_TTL", "USING DEFAULT");
default_ttl = 64;
}
{
rekey_period = GNUNET_TIME_UNIT_DAYS;
}
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_number (c, "CADET", "RATCHET_MESSAGES",
+ &ratchet_messages))
+ {
+ GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_WARNING,
+ "CADET", "RATCHET_MESSAGES", "USING DEFAULT");
+ ratchet_messages = 64;
+ }
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_time (c, "CADET", "RATCHET_TIME",
+ &ratchet_time))
+ {
+ GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_WARNING,
+ "CADET", "RATCHET_TIME", "USING DEFAULT");
+ ratchet_time = GNUNET_TIME_UNIT_HOURS;
+ }
+
id_key = key;
otr_kx_msg.purpose.size = htonl (ephemeral_purpose_size ());
otr_kx_msg.origin_identity = my_full_id;
rekey_task = GNUNET_SCHEDULER_add_now (&global_otr_rekey, NULL);
-
- ax_key = GNUNET_CRYPTO_ecdhe_key_create ();
- GNUNET_CRYPTO_ecdhe_key_get_public (ax_key, &ax_identity.permanent_key);
- ax_identity.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CADET_AXKX);
- ax_identity.purpose.size = htonl (ax_purpose_size ());
- GNUNET_assert (GNUNET_OK ==
- GNUNET_CRYPTO_eddsa_sign (id_key,
- &ax_identity.purpose,
- &ax_identity.signature));
-
tunnels = GNUNET_CONTAINER_multipeermap_create (128, GNUNET_YES);
}
}
GNUNET_CONTAINER_multipeermap_iterate (tunnels, &destroy_iterator, NULL);
GNUNET_CONTAINER_multipeermap_destroy (tunnels);
- GNUNET_free (ax_key);
}
else if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
{
LOG (GNUNET_ERROR_TYPE_DEBUG, " cstate triggered kx\n");
- GCT_send_ax_kx (t);
+ GCT_send_ax_kx (t, GNUNET_NO);
}
else
{
GNUNET_CONTAINER_multipeermap_remove (tunnels,
GCP_get_id (t->peer), t));
+ while (NULL != t->tq_head)
+ unqueue_data (t->tq_head);
+
for (iter_c = t->connection_head; NULL != iter_c; iter_c = next_c)
{
next_c = iter_c->next;
{
/* Probably getting buffer for a channel create/handshake. */
LOG (GNUNET_ERROR_TYPE_DEBUG, " no channels, allow max\n");
- return 64;
+ return MIN_TUNNEL_BUFFER;
}
buffer = 0;
if (ch_buf > buffer)
buffer = ch_buf;
}
+ if (MIN_TUNNEL_BUFFER > buffer)
+ return MIN_TUNNEL_BUFFER;
+
+ if (MAX_TUNNEL_BUFFER < buffer)
+ {
+ GNUNET_break (0);
+ return MAX_TUNNEL_BUFFER;
+ }
return buffer;
}
if (GNUNET_NO == is_ready (t))
{
- if (count_queued_data (t) > 3)
+ if (count_queued_data (t) >= 3)
return 0;
else
return 1;
if (NULL != t->channel_head)
LOG (GNUNET_ERROR_TYPE_DEBUG, " head ch: %p\n", t->channel_head->ch);
+ if (NULL != t->tq_head)
+ send_queued_data (t);
+
/* Get buffer space */
buffer = GCT_get_connections_buffer (t);
if (0 == buffer)
{
if (NULL != q->cq)
{
+ GNUNET_assert (NULL == q->tqd);
GCC_cancel (q->cq);
/* tun_message_sent() will be called and free q */
}
* Send an Axolotl KX message.
*
* @param t Tunnel on which to send it.
+ * @param force_reply Force the other peer to reply with a KX message.
*/
void
-GCT_send_ax_kx (struct CadetTunnel *t)
+GCT_send_ax_kx (struct CadetTunnel *t, int force_reply)
{
struct GNUNET_CADET_AX_KX msg;
+ enum GNUNET_CADET_AX_KX_Flags flags;
LOG (GNUNET_ERROR_TYPE_INFO, "===> AX_KX for %s\n", GCT_2s (t));
+ if (NULL != t->ephm_h)
+ {
+ LOG (GNUNET_ERROR_TYPE_INFO, " already queued\n");
+ return;
+ }
msg.header.size = htons (sizeof (msg));
msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_AX_KX);
- msg.permanent_key = ax_identity.permanent_key;
- msg.purpose = ax_identity.purpose;
- msg.signature = ax_identity.signature;
+ flags = GNUNET_CADET_AX_KX_FLAG_NONE;
+ if (force_reply)
+ flags |= GNUNET_CADET_AX_KX_FLAG_FORCE_REPLY;
+ msg.flags = htonl (flags);
GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->kx_0, &msg.ephemeral_key);
GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->DHRs, &msg.ratchet_key);
t->ephm_h = send_kx (t, &msg.header);
- GCT_change_estate (t, CADET_TUNNEL_KEY_SENT);
+ if (CADET_TUNNEL_KEY_OK != t->estate)
+ GCT_change_estate (t, CADET_TUNNEL_KEY_SENT);
}
/***************************** INFO/DEBUG *******************************/
/******************************************************************************/
+static void
+ax_debug (const struct CadetTunnelAxolotl *ax, enum GNUNET_ErrorType level)
+{
+ struct GNUNET_CRYPTO_EcdhePublicKey pub;
+ struct CadetTunnelSkippedKey *iter;
+
+
+ LOG2 (level, "TTT RK\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->RK));
+
+ LOG2 (level, "TTT HKs\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->HKs));
+ LOG2 (level, "TTT HKr\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->HKr));
+ LOG2 (level, "TTT NHKs\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->NHKs));
+ LOG2 (level, "TTT NHKr\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->NHKr));
+
+ LOG2 (level, "TTT CKs\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->CKs));
+ LOG2 (level, "TTT CKr\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->CKr));
+
+ GNUNET_CRYPTO_ecdhe_key_get_public (ax->DHRs, &pub);
+ LOG2 (level, "TTT DHRs\t %s\n",
+ GNUNET_i2s ((struct GNUNET_PeerIdentity *) &pub));
+ LOG2 (level, "TTT DHRr\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->DHRr));
+
+ LOG2 (level, "TTT Nr\t %u\tNs\t%u\n", ax->Nr, ax->Ns);
+ LOG2 (level, "TTT PNs\t %u\tSkipped\t%u\n", ax->PNs, ax->skipped);
+ LOG2 (level, "TTT Ratchet\t%u\n", ax->ratchet_flag);
+
+ for (iter = ax->skipped_head; NULL != iter; iter = iter->next)
+ {
+ LOG2 (level, "TTT HK\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &iter->HK));
+ LOG2 (level, "TTT MK\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &iter->MK));
+ }
+}
+
/**
* Log all possible info about the tunnel state.
*
LOG2 (level, "TTT kx_ctx %p, rekey_task %u, finish task %u\n",
t->kx_ctx, t->rekey_task, t->kx_ctx ? t->kx_ctx->finish_task : 0);
#if DUMP_KEYS_TO_STDERR
- LOG2 (level, "TTT my EPHM\t %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &otr_kx_msg.ephemeral_key));
- LOG2 (level, "TTT peers EPHM:\t %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
- LOG2 (level, "TTT ENC key:\t %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->e_key));
- LOG2 (level, "TTT DEC key:\t %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
- if (t->kx_ctx)
- {
- LOG2 (level, "TTT OLD ENC key:\t %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->kx_ctx->e_key_old));
- LOG2 (level, "TTT OLD DEC key:\t %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->kx_ctx->d_key_old));
+ if (CADET_Axolotl == t->enc_type)
+ {
+ ax_debug (t->ax, level);
+ }
+ else
+ {
+ LOG2 (level, "TTT my EPHM\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &otr_kx_msg.ephemeral_key));
+ LOG2 (level, "TTT peers EPHM:\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
+ LOG2 (level, "TTT ENC key:\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->e_key));
+ LOG2 (level, "TTT DEC key:\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
+ if (t->kx_ctx)
+ {
+ LOG2 (level, "TTT OLD ENC key:\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->kx_ctx->e_key_old));
+ LOG2 (level, "TTT OLD DEC key:\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->kx_ctx->d_key_old));
+ }
}
#endif
LOG2 (level, "TTT tq_head %p, tq_tail %p\n", t->tq_head, t->tq_tail);