/*
This file is part of GNUnet.
- (C) 2013 Christian Grothoff (and other contributing authors)
+ Copyright (C) 2013 Christian Grothoff (and other contributing authors)
GNUnet is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published
#define REKEY_WAIT GNUNET_TIME_relative_multiply(GNUNET_TIME_UNIT_SECONDS, 5)
-#define CONNECTIONS_PER_TUNNEL 3
-
#if !defined(GNUNET_CULL_LOGGING)
#define DUMP_KEYS_TO_STDERR GNUNET_YES
#else
#define DUMP_KEYS_TO_STDERR GNUNET_NO
#endif
+#define MAX_SKIPPED_KEYS 64
+#define MAX_KEY_GAP 256
+#define AX_HEADER_SIZE (sizeof (uint32_t) * 2\
+ + sizeof (struct GNUNET_CRYPTO_EcdhePublicKey))
+
+
/******************************************************************************/
/******************************** STRUCTS **********************************/
/******************************************************************************/
struct GNUNET_CRYPTO_SymmetricSessionKey d_key_old;
/**
- * Challenge to send in a ping and expect in the pong.
+ * Same as @c e_key_old, for the case of two simultaneous KX.
+ * This can happen if cadet decides to start a re-key while the peer has also
+ * started its re-key (due to network delay this is impossible to avoid).
+ * In this case, the key material generated with the peer's old ephemeral
+ * *might* (but doesn't have to) be incorrect.
+ * Since no more than two re-keys can happen simultaneously, this is enough.
+ */
+ struct GNUNET_CRYPTO_SymmetricSessionKey e_key_old2;
+
+ /**
+ * Same as @c d_key_old, for the case described in @c e_key_old2.
+ */
+ struct GNUNET_CRYPTO_SymmetricSessionKey d_key_old2;
+
+ /**
+ * Challenge to send and expect in the PONG.
*/
uint32_t challenge;
* Task for delayed destruction of the Key eXchange context, to allow delayed
* messages with the old key to be decrypted successfully.
*/
- GNUNET_SCHEDULER_TaskIdentifier finish_task;
+ struct GNUNET_SCHEDULER_Task *finish_task;
+};
+
+/**
+ * Encryption systems possible.
+ */
+enum CadetTunnelEncryption
+{
+ /**
+ * Default Axolotl system.
+ */
+ CADET_Axolotl,
+
+ /**
+ * Fallback OTR-style encryption.
+ */
+ CADET_OTR
+};
+
+/**
+ * Struct to old keys for skipped messages while advancing the Axolotl ratchet.
+ */
+struct CadetTunnelSkippedKey
+{
+ /**
+ * DLL next.
+ */
+ struct CadetTunnelSkippedKey *next;
+
+ /**
+ * DLL prev.
+ */
+ struct CadetTunnelSkippedKey *prev;
+
+ /**
+ * When was this key stored (for timeout).
+ */
+ struct GNUNET_TIME_Absolute timestamp;
+
+ /**
+ * Header key.
+ */
+ struct GNUNET_CRYPTO_SymmetricSessionKey HK;
+
+ /**
+ * Message key.
+ */
+ struct GNUNET_CRYPTO_SymmetricSessionKey MK;
+};
+
+
+/**
+ * Axolotl data, according to https://github.com/trevp/axolotl/wiki .
+ */
+struct CadetTunnelAxolotl
+{
+ /**
+ * A (double linked) list of stored message keys and associated header keys
+ * for "skipped" messages, i.e. messages that have not been
+ * received despite the reception of more recent messages, (head).
+ */
+ struct CadetTunnelSkippedKey *skipped_head;
+
+ /**
+ * Skipped messages' keys DLL, tail.
+ */
+ struct CadetTunnelSkippedKey *skipped_tail;
+
+ /**
+ * Elements in @a skipped_head <-> @a skipped_tail.
+ */
+ unsigned int skipped;
+
+ /**
+ * 32-byte root key which gets updated by DH ratchet.
+ */
+ struct GNUNET_CRYPTO_SymmetricSessionKey RK;
+
+ /**
+ * 32-byte header key (send).
+ */
+ struct GNUNET_CRYPTO_SymmetricSessionKey HKs;
+
+ /**
+ * 32-byte header key (recv)
+ */
+ struct GNUNET_CRYPTO_SymmetricSessionKey HKr;
+
+ /**
+ * 32-byte next header key (send).
+ */
+ struct GNUNET_CRYPTO_SymmetricSessionKey NHKs;
+
+ /**
+ * 32-byte next header key (recv).
+ */
+ struct GNUNET_CRYPTO_SymmetricSessionKey NHKr;
+
+ /**
+ * 32-byte chain keys (used for forward-secrecy updating, send).
+ */
+ struct GNUNET_CRYPTO_SymmetricSessionKey CKs;
+
+ /**
+ * 32-byte chain keys (used for forward-secrecy updating, recv).
+ */
+ struct GNUNET_CRYPTO_SymmetricSessionKey CKr;
+
+ /**
+ * ECDH for key exchange (A0 / B0).
+ */
+ struct GNUNET_CRYPTO_EcdhePrivateKey *kx_0;
+
+ /**
+ * ECDH Identity key (recv).
+ */
+ struct GNUNET_CRYPTO_EcdhePublicKey DHIr;
+
+ /**
+ * ECDH Ratchet key (send).
+ */
+ struct GNUNET_CRYPTO_EcdhePrivateKey *DHRs;
+
+ /**
+ * ECDH Ratchet key (recv).
+ */
+ struct GNUNET_CRYPTO_EcdhePublicKey DHRr;
+
+ /**
+ * Message number (reset to 0 with each new ratchet, next message to send).
+ */
+ uint32_t Ns;
+
+ /**
+ * Message number (reset to 0 with each new ratchet, next message to recv).
+ */
+ uint32_t Nr;
+
+ /**
+ * Previous message numbers (# of msgs sent under prev ratchet)
+ */
+ uint32_t PNs;
+
+ /**
+ * True (#GNUNET_YES) if we have to send a new ratchet key in next msg.
+ */
+ int ratchet_flag;
+
+ /**
+ * Number of messages recieved since our last ratchet advance.
+ * - If this counter = 0, we cannot send a new ratchet key in next msg.
+ * - If this counter > 0, we can (but don't yet have to) send a new key.
+ */
+ unsigned int ratchet_allowed;
+
+ /**
+ * Number of messages recieved since our last ratchet advance.
+ * - If this counter = 0, we cannot send a new ratchet key in next msg.
+ * - If this counter > 0, we can (but don't yet have to) send a new key.
+ */
+ unsigned int ratchet_counter;
+
+ /**
+ * When does this ratchet expire and a new one is triggered.
+ */
+ struct GNUNET_TIME_Absolute ratchet_expiration;
};
/**
*/
struct CadetTunnel
{
- /**
- * Endpoint of the tunnel.
- */
+ /**
+ * Endpoint of the tunnel.
+ */
struct CadetPeer *peer;
- /**
- * State of the tunnel connectivity.
- */
+ /**
+ * Type of encryption used in the tunnel.
+ */
+ enum CadetTunnelEncryption enc_type;
+
+ /**
+ * Axolotl info.
+ */
+ struct CadetTunnelAxolotl *ax;
+
+ /**
+ * State of the tunnel connectivity.
+ */
enum CadetTunnelCState cstate;
/**
/**
* Task to start the rekey process.
*/
- GNUNET_SCHEDULER_TaskIdentifier rekey_task;
+ struct GNUNET_SCHEDULER_Task * rekey_task;
/**
* Paths that are actively used to reach the destination peer.
/**
* Destroy flag: if true, destroy on last message.
*/
- GNUNET_SCHEDULER_TaskIdentifier destroy_task;
+ struct GNUNET_SCHEDULER_Task * destroy_task;
/**
* Queued messages, to transmit once tunnel gets connected.
/**
* Task to trim connections if too many are present.
*/
- GNUNET_SCHEDULER_TaskIdentifier trim_connections_task;
+ struct GNUNET_SCHEDULER_Task * trim_connections_task;
+
+ /**
+ * Ephemeral message in the queue (to avoid queueing more than one).
+ */
+ struct CadetConnectionQueue *ephm_h;
+
+ /**
+ * Pong message in the queue.
+ */
+ struct CadetConnectionQueue *pong_h;
};
};
+/**
+ * Cached Axolotl key with signature.
+ */
+struct CadetAxolotlSignedKey
+{
+ /**
+ * Information about what is being signed (@a permanent_key).
+ */
+ struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
+
+ /**
+ * Permanent public ECDH key.
+ */
+ struct GNUNET_CRYPTO_EcdhePublicKey permanent_key;
+
+ /**
+ * An EdDSA signature of the permanent ECDH key with the Peer's ID key.
+ */
+ struct GNUNET_CRYPTO_EddsaSignature signature;
+} GNUNET_PACKED;
+
+
/******************************************************************************/
/******************************* GLOBALS ***********************************/
/******************************************************************************/
static unsigned long long default_ttl;
/**
- * Own private key.
+ * Own Peer ID private key.
+ */
+const static struct GNUNET_CRYPTO_EddsaPrivateKey *id_key;
+
+
+/******************************** AXOLOTL ************************************/
+
+static struct GNUNET_CRYPTO_EcdhePrivateKey *ax_key;
+
+/**
+ * Own Axolotl permanent public key (cache).
+ */
+static struct CadetAxolotlSignedKey ax_identity;
+
+/**
+ * How many messages are needed to trigger a ratchet advance.
+ */
+static unsigned long long ratchet_messages;
+
+/**
+ * How long until we trigger a ratched advance.
*/
-const static struct GNUNET_CRYPTO_EddsaPrivateKey *my_private_key;
+static struct GNUNET_TIME_Relative ratchet_time;
+
+
+/******************************** OTR ***********************************/
/**
- * Own ephemeral private key.
+ * Own global OTR ephemeral private key.
*/
-static struct GNUNET_CRYPTO_EcdhePrivateKey *my_ephemeral_key;
+static struct GNUNET_CRYPTO_EcdhePrivateKey *otr_ephemeral_key;
/**
- * Cached message used to perform a key exchange.
+ * Cached message used to perform a OTR key exchange.
*/
-static struct GNUNET_CADET_KX_Ephemeral kx_msg;
+static struct GNUNET_CADET_KX_Ephemeral otr_kx_msg;
/**
- * Task to generate a new ephemeral key.
+ * Task to generate a new OTR ephemeral key.
*/
-static GNUNET_SCHEDULER_TaskIdentifier rekey_task;
+static struct GNUNET_SCHEDULER_Task *rekey_task;
/**
- * Rekey period.
+ * OTR Rekey period.
*/
static struct GNUNET_TIME_Relative rekey_period;
+
/******************************************************************************/
/******************************** STATIC ***********************************/
/******************************************************************************/
*
* @return Size of the part of the ephemeral key message that must be signed.
*/
-size_t
+static size_t
ephemeral_purpose_size (void)
{
return sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
}
+/**
+ * Ephemeral key message purpose size.
+ *
+ * @return Size of the part of the ephemeral key message that must be signed.
+ */
+static size_t
+ax_purpose_size (void)
+{
+ return sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
+ sizeof (struct GNUNET_CRYPTO_EcdhePublicKey);
+}
+
+
/**
* Size of the encrypted part of a ping message.
*
* @return Size of the encrypted part of a ping message.
*/
-size_t
+static size_t
ping_encryption_size (void)
{
- return sizeof (struct GNUNET_PeerIdentity) + sizeof (uint32_t);
+ return sizeof (uint32_t);
}
{
int fwd;
- /* If channel is outgoing, is origin in the FWD direction and fwd is YES */
- fwd = GCCH_is_origin (tch->ch, GNUNET_YES);
+ /* If channel is incoming, is terminal in the FWD direction and fwd is YES */
+ fwd = GCCH_is_terminal (tch->ch, GNUNET_YES);
return GCCH_get_buffer (tch->ch, fwd);
}
const struct GNUNET_CRYPTO_SymmetricSessionKey *key;
if (NULL != t->kx_ctx
- && GNUNET_SCHEDULER_NO_TASK == t->kx_ctx->finish_task)
+ && NULL == t->kx_ctx->finish_task)
{
struct GNUNET_TIME_Relative age;
struct GNUNET_HashCode hash;
#if DUMP_KEYS_TO_STDERR
- LOG (GNUNET_ERROR_TYPE_INFO, " HMAC with key %s\n",
+ LOG (GNUNET_ERROR_TYPE_INFO, " HMAC %u bytes with key %s\n", size,
GNUNET_h2s ((struct GNUNET_HashCode *) key));
#endif
GNUNET_CRYPTO_hmac_derive_key (&auth_key, key,
/**
- * Decrypt and verify data with the appropriate tunnel key.
+ * Perform a HMAC.
*
* @param key Key to use.
- * @param dst Destination for the plaintext.
- * @param src Source of the encrypted data. Can overlap with @c dst.
- * @param size Size of the encrypted data.
- * @param iv Initialization Vector to use.
- *
- * @return Size of the decrypted data, -1 if an error was encountered.
+ * @param hash[out] Resulting HMAC.
+ * @param source Source key material (data to HMAC).
+ * @param len Length of @a source.
*/
-static int
-decrypt (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
- void *dst, const void *src, size_t size, uint32_t iv)
+static void
+t_ax_hmac_hash (struct GNUNET_CRYPTO_SymmetricSessionKey *key,
+ struct GNUNET_HashCode *hash,
+ void *source, unsigned int len)
{
- struct GNUNET_CRYPTO_SymmetricInitializationVector siv;
- size_t out_size;
+ static const char ctx[] = "axolotl HMAC-HASH";
+ struct GNUNET_CRYPTO_AuthKey auth_key;
- LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt start\n");
- LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt iv\n");
- GNUNET_CRYPTO_symmetric_derive_iv (&siv, key, &iv, sizeof (iv), NULL);
- LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt iv done\n");
- out_size = GNUNET_CRYPTO_symmetric_decrypt (src, size, key, &siv, dst);
- LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt end\n");
+ GNUNET_CRYPTO_hmac_derive_key (&auth_key, key,
+ ctx, sizeof (ctx),
+ NULL);
+ GNUNET_CRYPTO_hmac (&auth_key, source, len, hash);
+}
- return out_size;
+
+/**
+ * Derive a key from a HMAC-HASH.
+ *
+ * @param key Key to use for the HMAC.
+ * @param out Key to generate.
+ * @param source Source key material (data to HMAC).
+ * @param len Length of @a source.
+ */
+static void
+t_hmac_derive_key (struct GNUNET_CRYPTO_SymmetricSessionKey *key,
+ struct GNUNET_CRYPTO_SymmetricSessionKey *out,
+ void *source, unsigned int len)
+{
+ static const char ctx[] = "axolotl derive key";
+ struct GNUNET_HashCode h;
+
+ t_ax_hmac_hash (key, &h, source, len);
+ GNUNET_CRYPTO_kdf (out, sizeof (*out), ctx, sizeof (ctx),
+ &h, sizeof (h), NULL);
}
/**
- * Decrypt and verify data with the most recent tunnel key.
+ * Encrypt data with the axolotl tunnel key.
*
* @param t Tunnel whose key to use.
- * @param dst Destination for the plaintext.
- * @param src Source of the encrypted data. Can overlap with @c dst.
- * @param size Size of the encrypted data.
- * @param iv Initialization Vector to use.
+ * @param dst Destination for the encrypted data.
+ * @param src Source of the plaintext. Can overlap with @c dst.
+ * @param size Size of the plaintext.
*
- * @return Size of the decrypted data, -1 if an error was encountered.
+ * @return Size of the encrypted data.
*/
static int
-t_decrypt (struct CadetTunnel *t, void *dst, const void *src,
- size_t size, uint32_t iv)
+t_ax_encrypt (struct CadetTunnel *t, void *dst, const void *src, size_t size)
{
+ struct GNUNET_CRYPTO_SymmetricSessionKey MK;
+ struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
+ struct CadetTunnelAxolotl *ax;
size_t out_size;
-#if DUMP_KEYS_TO_STDERR
- LOG (GNUNET_ERROR_TYPE_DEBUG, " t_decrypt with %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
-#endif
- if (t->estate == CADET_TUNNEL_KEY_UNINITIALIZED)
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_encrypt start\n");
+
+ ax = t->ax;
+
+ ax->ratchet_counter++;
+ if (GNUNET_YES == ax->ratchet_allowed
+ && (ratchet_messages <= ax->ratchet_counter
+ || 0 == GNUNET_TIME_absolute_get_remaining (ax->ratchet_expiration).rel_value_us))
{
- GNUNET_STATISTICS_update (stats, "# non decryptable data", 1, GNUNET_NO);
- LOG (GNUNET_ERROR_TYPE_WARNING,
- "got data on %s without a valid key\n",
- GCT_2s (t));
- GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
- return -1;
+ ax->ratchet_flag = GNUNET_YES;
}
- out_size = decrypt (&t->d_key, dst, src, size, iv);
+ if (GNUNET_YES == ax->ratchet_flag)
+ {
+ /* Advance ratchet */
+ struct GNUNET_CRYPTO_SymmetricSessionKey keys[3];
+ struct GNUNET_HashCode dh;
+ struct GNUNET_HashCode hmac;
+ static const char ctx[] = "axolotl ratchet";
+
+ ax->DHRs = GNUNET_CRYPTO_ecdhe_key_create ();
+ ax->HKs = ax->NHKs;
+
+ /* RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) ) */
+ GNUNET_CRYPTO_ecc_ecdh (ax->DHRs, &ax->DHRr, &dh);
+ t_ax_hmac_hash (&ax->RK, &hmac, &dh, sizeof (dh));
+ GNUNET_CRYPTO_kdf (keys, sizeof (keys), ctx, sizeof (ctx),
+ &hmac, sizeof (hmac), NULL);
+ ax->RK = keys[0];
+ ax->NHKs = keys[1];
+ ax->CKs = keys[2];
+
+ ax->PNs = ax->Ns;
+ ax->Ns = 0;
+ ax->ratchet_flag = GNUNET_NO;
+ ax->ratchet_allowed = GNUNET_NO;
+ ax->ratchet_counter = 0;
+ ax->ratchet_expiration =
+ GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(), ratchet_time);
+ }
+
+ t_hmac_derive_key (&ax->CKs, &MK, "0", 1);
+ GNUNET_CRYPTO_symmetric_derive_iv (&iv, &MK, NULL, 0, NULL);
+
+ #if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_INFO, " CKs: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->CKs));
+ LOG (GNUNET_ERROR_TYPE_INFO, " AX_ENC with key %u: %s\n", ax->Ns,
+ GNUNET_h2s ((struct GNUNET_HashCode *) &MK));
+ #endif
+
+ out_size = GNUNET_CRYPTO_symmetric_encrypt (src, size, &MK, &iv, dst);
+
+ t_hmac_derive_key (&ax->CKs, &ax->CKs, "1", 1);
+
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_encrypt end\n");
return out_size;
}
/**
- * Decrypt and verify data with the appropriate tunnel key and verify that the
- * data has not been altered since it was sent by the remote peer.
+ * Decrypt data with the axolotl tunnel key.
*
* @param t Tunnel whose key to use.
- * @param dst Destination for the plaintext.
- * @param src Source of the encrypted data. Can overlap with @c dst.
- * @param size Size of the encrypted data.
- * @param iv Initialization Vector to use.
- * @param msg_hmac HMAC of the message, cannot be NULL.
+ * @param dst Destination for the decrypted data.
+ * @param src Source of the ciphertext. Can overlap with @c dst.
+ * @param size Size of the ciphertext.
*
- * @return Size of the decrypted data, -1 if an error was encountered.
+ * @return Size of the decrypted data.
*/
static int
-t_decrypt_and_validate (struct CadetTunnel *t,
- void *dst, const void *src,
- size_t size, uint32_t iv,
- const struct GNUNET_CADET_Hash *msg_hmac)
+t_ax_decrypt (struct CadetTunnel *t, void *dst, const void *src, size_t size)
{
- struct GNUNET_CRYPTO_SymmetricSessionKey *key;
- struct GNUNET_CADET_Hash hmac;
- int decrypted_size;
+ struct GNUNET_CRYPTO_SymmetricSessionKey MK;
+ struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
+ struct CadetTunnelAxolotl *ax;
+ size_t out_size;
- /* Try primary (newest) key */
- key = &t->d_key;
- decrypted_size = decrypt (key, dst, src, size, iv);
- t_hmac (src, size, iv, key, &hmac);
- if (0 == memcmp (msg_hmac, &hmac, sizeof (hmac)))
- return decrypted_size;
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_decrypt start\n");
- /* If no key exchange is going on, we just failed */
- if (NULL == t->kx_ctx)
- {
- GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
- "Failed checksum validation on tunnel %s with no KX\n",
- GCT_2s (t));
- GNUNET_STATISTICS_update (stats, "# wrong HMAC", 1, GNUNET_NO);
- return -1;
+ ax = t->ax;
+
+ t_hmac_derive_key (&ax->CKr, &MK, "0", 1);
+ GNUNET_CRYPTO_symmetric_derive_iv (&iv, &MK, NULL, 0, NULL);
+
+ #if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_INFO, " CKr: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->CKr));
+ LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC with key %u: %s\n", ax->Nr,
+ GNUNET_h2s ((struct GNUNET_HashCode *) &MK));
+ #endif
+
+ GNUNET_assert (size >= sizeof (struct GNUNET_MessageHeader));
+ out_size = GNUNET_CRYPTO_symmetric_decrypt (src, size, &MK, &iv, dst);
+ GNUNET_assert (out_size == size);
+
+ t_hmac_derive_key (&ax->CKr, &ax->CKr, "1", 1);
+
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_decrypt end\n");
+
+ return out_size;
+}
+
+
+/**
+ * Encrypt header with the axolotl header key.
+ *
+ * @param t Tunnel whose key to use.
+ * @param msg Message whose header to encrypt.
+ */
+static void
+t_h_encrypt (struct CadetTunnel *t, struct GNUNET_CADET_AX *msg)
+{
+ struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
+ struct CadetTunnelAxolotl *ax;
+ size_t out_size;
+
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_h_encrypt start\n");
+
+ ax = t->ax;
+ GNUNET_CRYPTO_symmetric_derive_iv (&iv, &ax->HKs, NULL, 0, NULL);
+
+ #if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_INFO, " AX_ENC_H with key %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->HKs));
+ #endif
+
+ out_size = GNUNET_CRYPTO_symmetric_encrypt (&msg->Ns, AX_HEADER_SIZE,
+ &ax->HKs, &iv, &msg->Ns);
+
+ GNUNET_assert (AX_HEADER_SIZE == out_size);
+
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_encrypt end\n");
+}
+
+
+/**
+ * Decrypt header with the current axolotl header key.
+ *
+ * @param t Tunnel whose current ax HK to use.
+ * @param src Message whose header to decrypt.
+ * @param dst Where to decrypt header to.
+ */
+static void
+t_h_decrypt (struct CadetTunnel *t, const struct GNUNET_CADET_AX *src,
+ struct GNUNET_CADET_AX *dst)
+{
+ struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
+ struct CadetTunnelAxolotl *ax;
+ size_t out_size;
+
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_h_decrypt start\n");
+
+ ax = t->ax;
+ GNUNET_CRYPTO_symmetric_derive_iv (&iv, &ax->HKr, NULL, 0, NULL);
+
+ #if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC_H with key %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->HKr));
+ #endif
+
+ out_size = GNUNET_CRYPTO_symmetric_decrypt (&src->Ns, AX_HEADER_SIZE,
+ &ax->HKr, &iv, &dst->Ns);
+
+ GNUNET_assert (AX_HEADER_SIZE == out_size);
+
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_ax_decrypt end\n");
+}
+
+
+/**
+ * Decrypt and verify data with the appropriate tunnel key.
+ *
+ * @param key Key to use.
+ * @param dst Destination for the plaintext.
+ * @param src Source of the encrypted data. Can overlap with @c dst.
+ * @param size Size of the encrypted data.
+ * @param iv Initialization Vector to use.
+ *
+ * @return Size of the decrypted data, -1 if an error was encountered.
+ */
+static int
+decrypt (const struct GNUNET_CRYPTO_SymmetricSessionKey *key,
+ void *dst, const void *src, size_t size, uint32_t iv)
+{
+ struct GNUNET_CRYPTO_SymmetricInitializationVector siv;
+ size_t out_size;
+
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt start\n");
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt iv\n");
+ GNUNET_CRYPTO_symmetric_derive_iv (&siv, key, &iv, sizeof (iv), NULL);
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt iv done\n");
+ out_size = GNUNET_CRYPTO_symmetric_decrypt (src, size, key, &siv, dst);
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " decrypt end\n");
+
+ return out_size;
+}
+
+
+/**
+ * Decrypt and verify data with the most recent tunnel key.
+ *
+ * @param t Tunnel whose key to use.
+ * @param dst Destination for the plaintext.
+ * @param src Source of the encrypted data. Can overlap with @c dst.
+ * @param size Size of the encrypted data.
+ * @param iv Initialization Vector to use.
+ *
+ * @return Size of the decrypted data, -1 if an error was encountered.
+ */
+static int
+t_decrypt (struct CadetTunnel *t, void *dst, const void *src,
+ size_t size, uint32_t iv)
+{
+ size_t out_size;
+
+#if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " t_decrypt with %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
+#endif
+ if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
+ {
+ GNUNET_STATISTICS_update (stats, "# non decryptable data", 1, GNUNET_NO);
+ LOG (GNUNET_ERROR_TYPE_WARNING,
+ "got data on %s without a valid key\n",
+ GCT_2s (t));
+ GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
+ return -1;
}
- /* Try secondary (from previous KX period) key */
+ out_size = decrypt (&t->d_key, dst, src, size, iv);
+
+ return out_size;
+}
+
+
+/**
+ * Decrypt and verify data with the appropriate tunnel key and verify that the
+ * data has not been altered since it was sent by the remote peer.
+ *
+ * @param t Tunnel whose key to use.
+ * @param dst Destination for the plaintext.
+ * @param src Source of the encrypted data. Can overlap with @c dst.
+ * @param size Size of the encrypted data.
+ * @param iv Initialization Vector to use.
+ * @param msg_hmac HMAC of the message, cannot be NULL.
+ *
+ * @return Size of the decrypted data, -1 if an error was encountered.
+ */
+static int
+t_decrypt_and_validate (struct CadetTunnel *t,
+ void *dst, const void *src,
+ size_t size, uint32_t iv,
+ const struct GNUNET_CADET_Hash *msg_hmac)
+{
+ struct GNUNET_CRYPTO_SymmetricSessionKey *key;
+ struct GNUNET_CADET_Hash hmac;
+ int decrypted_size;
+
+ /* Try primary (newest) key */
+ key = &t->d_key;
+ decrypted_size = decrypt (key, dst, src, size, iv);
+ t_hmac (src, size, iv, key, &hmac);
+ if (0 == memcmp (msg_hmac, &hmac, sizeof (hmac)))
+ return decrypted_size;
+
+ /* If no key exchange is going on, we just failed. */
+ if (NULL == t->kx_ctx)
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Failed checksum validation on tunnel %s with no KX\n",
+ GCT_2s (t));
+ GNUNET_STATISTICS_update (stats, "# wrong HMAC no KX", 1, GNUNET_NO);
+ return -1;
+ }
+
+ /* Try secondary key, from previous KX period. */
key = &t->kx_ctx->d_key_old;
decrypted_size = decrypt (key, dst, src, size, iv);
t_hmac (src, size, iv, key, &hmac);
if (0 == memcmp (msg_hmac, &hmac, sizeof (hmac)))
return decrypted_size;
- GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ /* Hail Mary, try tertiary, key, in case of parallel re-keys. */
+ key = &t->kx_ctx->d_key_old2;
+ decrypted_size = decrypt (key, dst, src, size, iv);
+ t_hmac (src, size, iv, key, &hmac);
+ if (0 == memcmp (msg_hmac, &hmac, sizeof (hmac)))
+ return decrypted_size;
+
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Failed checksum validation on tunnel %s with KX\n",
GCT_2s (t));
- GNUNET_STATISTICS_update (stats, "# wrong HMAC", 1, GNUNET_NO);
+ GNUNET_STATISTICS_update (stats, "# wrong HMAC with KX", 1, GNUNET_NO);
return -1;
}
+/**
+ * Decrypt and verify data with the appropriate tunnel key and verify that the
+ * data has not been altered since it was sent by the remote peer.
+ *
+ * @param t Tunnel whose key to use.
+ * @param dst Destination for the plaintext.
+ * @param src Source of the message. Can overlap with @c dst.
+ * @param size Size of the message.
+ *
+ * @return Size of the decrypted data, -1 if an error was encountered.
+ */
+static int
+try_old_ax_keys (struct CadetTunnel *t, struct GNUNET_CADET_AX *dst,
+ const struct GNUNET_CADET_AX *src, size_t size)
+{
+ struct CadetTunnelSkippedKey *key;
+ struct GNUNET_CADET_Hash hmac;
+ struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
+ size_t res;
+ size_t len;
+
+
+ for (key = t->ax->skipped_head; NULL != key; key = key->next)
+ {
+ t_hmac (&src->Ns, AX_HEADER_SIZE, 0, &key->HK, &hmac);
+ if (0 != memcmp (&hmac, &src->hmac, sizeof (hmac)))
+ break;
+ }
+ if (NULL == key)
+ return -1;
+
+ #if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_INFO, " AX_DEC with skipped key %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &key->MK));
+ #endif
+
+ GNUNET_assert (size > sizeof (struct GNUNET_CADET_AX));
+ len = size - sizeof (struct GNUNET_CADET_AX);
+ GNUNET_CRYPTO_symmetric_derive_iv (&iv, &key->MK, NULL, 0, NULL);
+ res = GNUNET_CRYPTO_symmetric_decrypt (&src[1], len, &key->MK, &iv, &dst[1]);
+
+ GNUNET_CONTAINER_DLL_remove (t->ax->skipped_head, t->ax->skipped_tail, key);
+ t->ax->skipped--;
+ GNUNET_free (key);
+
+ return res;
+}
+
+
+/**
+ * Delete a key from the list of skipped keys.
+ *
+ * @param t Tunnel to delete from.
+ * @param HKr Header Key to use.
+ */
+static void
+store_skipped_key (struct CadetTunnel *t,
+ const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr)
+{
+ struct CadetTunnelSkippedKey *key;
+
+ key = GNUNET_new (struct CadetTunnelSkippedKey);
+ key->timestamp = GNUNET_TIME_absolute_get ();
+ t_hmac_derive_key (&t->ax->CKr, &key->MK, "0", 1);
+ #if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_INFO, " storing MK for Nr %u: %s\n",
+ t->ax->Nr, GNUNET_h2s ((struct GNUNET_HashCode *) &key->MK));
+ LOG (GNUNET_ERROR_TYPE_INFO, " for CKr: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->ax->CKr));
+ #endif
+ t_hmac_derive_key (&t->ax->CKr, &t->ax->CKr, "1", 1);
+ GNUNET_CONTAINER_DLL_insert (t->ax->skipped_head, t->ax->skipped_tail, key);
+ t->ax->Nr++;
+ t->ax->skipped++;
+}
+
+
+/**
+ * Delete a key from the list of skipped keys.
+ *
+ * @param t Tunnel to delete from.
+ * @param key Key to delete.
+ */
+static void
+delete_skipped_key (struct CadetTunnel *t, struct CadetTunnelSkippedKey *key)
+{
+ GNUNET_CONTAINER_DLL_remove (t->ax->skipped_head, t->ax->skipped_tail, key);
+ GNUNET_free (key);
+ t->ax->skipped--;
+}
+
+
+/**
+ * Stage skipped AX keys and calculate the message key.
+ *
+ * Stores each HK and MK for skipped messages.
+ *
+ * @param t Tunnel where to stage the keys.
+ * @param HKr Header key.
+ * @param Np Received meesage number.
+ */
+static void
+store_ax_keys (struct CadetTunnel *t,
+ const struct GNUNET_CRYPTO_SymmetricSessionKey *HKr,
+ uint32_t Np)
+{
+ int gap;
+
+ gap = Np - t->ax->Nr;
+ if (MAX_KEY_GAP < gap || 0 > gap)
+ {
+ /* Avoid DoS (forcing peer to do 2*33 chain HMAC operations) */
+ /* TODO: start new key exchange on return */
+ GNUNET_break_op (0);
+ return;
+ }
+
+ while (t->ax->Nr < Np)
+ store_skipped_key (t, HKr);
+
+ while (t->ax->skipped > MAX_SKIPPED_KEYS)
+ delete_skipped_key (t, t->ax->skipped_tail);
+}
+
+
+/**
+ * Decrypt and verify data with the appropriate tunnel key and verify that the
+ * data has not been altered since it was sent by the remote peer.
+ *
+ * @param t Tunnel whose key to use.
+ * @param dst Destination for the plaintext.
+ * @param src Source of the message. Can overlap with @c dst.
+ * @param size Size of the message.
+ *
+ * @return Size of the decrypted data, -1 if an error was encountered.
+ */
+static int
+t_ax_decrypt_and_validate (struct CadetTunnel *t, void *dst,
+ const struct GNUNET_CADET_AX *src, size_t size)
+{
+ struct CadetTunnelAxolotl *ax;
+ struct GNUNET_CADET_Hash msg_hmac;
+ struct GNUNET_HashCode hmac;
+ struct GNUNET_CADET_AX *dstmsg;
+ uint32_t Np;
+ uint32_t PNp;
+ size_t esize;
+ size_t osize;
+
+ ax = t->ax;
+ dstmsg = dst;
+ esize = size - sizeof (struct GNUNET_CADET_AX);
+
+ if (NULL == ax)
+ return -1;
+
+ /* Try current HK */
+ t_hmac (&src->Ns, AX_HEADER_SIZE + esize, 0, &ax->HKr, &msg_hmac);
+ if (0 != memcmp (&msg_hmac, &src->hmac, sizeof (msg_hmac)))
+ {
+ static const char ctx[] = "axolotl ratchet";
+ struct GNUNET_CRYPTO_SymmetricSessionKey keys[3]; /* RKp, NHKp, CKp */
+ struct GNUNET_CRYPTO_SymmetricSessionKey HK;
+ struct GNUNET_HashCode dh;
+ struct GNUNET_CRYPTO_EcdhePublicKey *DHRp;
+
+ /* Try Next HK */
+ t_hmac (&src->Ns, AX_HEADER_SIZE + esize, 0, &ax->NHKr, &msg_hmac);
+ if (0 != memcmp (&msg_hmac, &src->hmac, sizeof (msg_hmac)))
+ {
+ /* Try the skipped keys, if that fails, we're out of luck. */
+ return try_old_ax_keys (t, dst, src, size);
+ }
+ LOG (GNUNET_ERROR_TYPE_INFO, "next HK\n");
+
+ HK = ax->HKr;
+ ax->HKr = ax->NHKr;
+ t_h_decrypt (t, src, dstmsg);
+ Np = ntohl (dstmsg->Ns);
+ PNp = ntohl (dstmsg->PNs);
+ DHRp = &dstmsg->DHRs;
+ store_ax_keys (t, &HK, PNp);
+
+ /* RKp, NHKp, CKp = KDF (HMAC-HASH (RK, DH (DHRp, DHRs))) */
+ GNUNET_CRYPTO_ecc_ecdh (ax->DHRs, DHRp, &dh);
+ t_ax_hmac_hash (&ax->RK, &hmac, &dh, sizeof (dh));
+ GNUNET_CRYPTO_kdf (keys, sizeof (keys), ctx, sizeof (ctx),
+ &hmac, sizeof (hmac), NULL);
+
+ /* Commit "purported" keys */
+ ax->RK = keys[0];
+ ax->NHKr = keys[1];
+ ax->CKr = keys[2];
+ ax->DHRr = *DHRp;
+ ax->Nr = 0;
+ ax->ratchet_allowed = GNUNET_YES;
+ }
+ else
+ {
+ LOG (GNUNET_ERROR_TYPE_DEBUG, "current HK\n");
+ t_h_decrypt (t, src, dstmsg);
+ Np = ntohl (dstmsg->Ns);
+ PNp = ntohl (dstmsg->PNs);
+ }
+
+ if (Np > ax->Nr)
+ store_ax_keys (t, &ax->HKr, Np);
+
+ ax->Nr = Np + 1;
+
+ osize = t_ax_decrypt (t, dst, &src[1], esize);
+ if (osize != esize)
+ {
+ GNUNET_break_op (0);
+ return -1;
+ }
+
+ return osize;
+}
+
+
/**
* Create key material by doing ECDH on the local and remote ephemeral keys.
*
* @param key_material Where to store the key material.
- * @param ephemeral_key Peer's public ephemeral key.
+ * @param ephemeral Peer's public ephemeral key.
+ *
+ * @return GNUNET_OK if it went fine, GNUNET_SYSERR otherwise.
*/
-void
-derive_key_material (struct GNUNET_HashCode *key_material,
- const struct GNUNET_CRYPTO_EcdhePublicKey *ephemeral_key)
+static int
+derive_otr_key_material (struct GNUNET_HashCode *key_material,
+ const struct GNUNET_CRYPTO_EcdhePublicKey *ephemeral)
{
if (GNUNET_OK !=
- GNUNET_CRYPTO_ecc_ecdh (my_ephemeral_key,
- ephemeral_key,
- key_material))
+ GNUNET_CRYPTO_ecc_ecdh (otr_ephemeral_key, ephemeral, key_material))
{
GNUNET_break (0);
+ return GNUNET_SYSERR;
}
+ return GNUNET_OK;
}
}
+/**
+ * Derive the tunnel's keys using our own and the peer's ephemeral keys.
+ *
+ * @param t Tunnel for which to create the keys.
+ *
+ * @return GNUNET_OK if successful, GNUNET_SYSERR otherwise.
+ */
+static int
+create_otr_keys (struct CadetTunnel *t)
+{
+ struct GNUNET_HashCode km;
+
+ if (GNUNET_OK != derive_otr_key_material (&km, &t->peers_ephemeral_key))
+ return GNUNET_SYSERR;
+ derive_symmertic (&t->e_key, &my_full_id, GCP_get_id (t->peer), &km);
+ derive_symmertic (&t->d_key, GCP_get_id (t->peer), &my_full_id, &km);
+ #if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_INFO, "ME: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &otr_kx_msg.ephemeral_key));
+ LOG (GNUNET_ERROR_TYPE_INFO, "PE: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
+ LOG (GNUNET_ERROR_TYPE_INFO, "KM: %s\n", GNUNET_h2s (&km));
+ LOG (GNUNET_ERROR_TYPE_INFO, "EK: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->e_key));
+ LOG (GNUNET_ERROR_TYPE_INFO, "DK: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
+ #endif
+ return GNUNET_OK;
+}
+
+
/**
* Create a new Key eXchange context for the tunnel.
*
- * If context exists, just cancels the finish_task, does not create new nonce.
- * Otherwise copies the keys, timestamps the KX and creates a new nonce.
+ * If the old keys were verified, keep them for old traffic. Create a new KX
+ * timestamp and a new nonce.
*
* @param t Tunnel for which to create the KX ctx.
+ *
+ * @return GNUNET_OK if successful, GNUNET_SYSERR otherwise.
*/
-static void
+static int
create_kx_ctx (struct CadetTunnel *t)
{
LOG (GNUNET_ERROR_TYPE_INFO, " new kx ctx for %s\n", GCT_2s (t));
if (NULL != t->kx_ctx)
{
- if (GNUNET_SCHEDULER_NO_TASK != t->kx_ctx->finish_task)
+ if (NULL != t->kx_ctx->finish_task)
{
LOG (GNUNET_ERROR_TYPE_INFO, " resetting exisiting finish task\n");
GNUNET_SCHEDULER_cancel (t->kx_ctx->finish_task);
- t->kx_ctx->finish_task = GNUNET_SCHEDULER_NO_TASK;
+ t->kx_ctx->finish_task = NULL;
}
- return;
+ }
+ else
+ {
+ t->kx_ctx = GNUNET_new (struct CadetTunnelKXCtx);
+ t->kx_ctx->challenge = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE,
+ UINT32_MAX);
}
- t->kx_ctx = GNUNET_new (struct CadetTunnelKXCtx);
- t->kx_ctx->challenge = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE,
- UINT32_MAX);
- t->kx_ctx->d_key_old = t->d_key;
- t->kx_ctx->e_key_old = t->e_key;
+ if (CADET_TUNNEL_KEY_OK == t->estate)
+ {
+ LOG (GNUNET_ERROR_TYPE_INFO, " backing up keys\n");
+ t->kx_ctx->d_key_old = t->d_key;
+ t->kx_ctx->e_key_old = t->e_key;
+ }
+ else
+ LOG (GNUNET_ERROR_TYPE_INFO, " old keys not valid, not saving\n");
t->kx_ctx->rekey_start_time = GNUNET_TIME_absolute_get ();
+ return create_otr_keys (t);
}
{
struct GNUNET_TIME_Relative delay;
- if (NULL == t->kx_ctx || GNUNET_SCHEDULER_NO_TASK != t->kx_ctx->finish_task)
+ if (NULL == t->kx_ctx || NULL != t->kx_ctx->finish_task)
return;
if (is_key_null (&t->kx_ctx->e_key_old))
}
-/**
- * Derive the tunnel's keys using our own and the peer's ephemeral keys.
- *
- * @param t Tunnel for which to create the keys.
- */
-static void
-create_keys (struct CadetTunnel *t)
-{
- struct GNUNET_HashCode km;
-
- derive_key_material (&km, &t->peers_ephemeral_key);
- derive_symmertic (&t->e_key, &my_full_id, GCP_get_id (t->peer), &km);
- derive_symmertic (&t->d_key, GCP_get_id (t->peer), &my_full_id, &km);
-#if DUMP_KEYS_TO_STDERR
- LOG (GNUNET_ERROR_TYPE_INFO, "ME: %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &kx_msg.ephemeral_key));
- LOG (GNUNET_ERROR_TYPE_INFO, "PE: %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
- LOG (GNUNET_ERROR_TYPE_INFO, "KM: %s\n", GNUNET_h2s (&km));
- LOG (GNUNET_ERROR_TYPE_INFO, "EK: %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->e_key));
- LOG (GNUNET_ERROR_TYPE_INFO, "DK: %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
-#endif
-}
-
/**
* Pick a connection on which send the next data message.
LOG (GNUNET_ERROR_TYPE_DEBUG, "queue data on Tunnel %s\n", GCT_2s (t));
- if (GNUNET_YES == is_ready (t))
- {
- GNUNET_break (0);
- return NULL;
- }
+ GNUNET_assert (GNUNET_NO == is_ready (t));
tqd = GNUNET_malloc (sizeof (struct CadetTunnelDelayed) + size);
int force, GCT_sent cont, void *cont_cls,
struct CadetTunnelQueue *existing_q)
{
+ struct GNUNET_MessageHeader *msg;
+ struct GNUNET_CADET_Encrypted *otr_msg;
+ struct GNUNET_CADET_AX *ax_msg;
struct CadetTunnelQueue *tq;
- struct GNUNET_CADET_Encrypted *msg;
size_t size = ntohs (message->size);
- char cbuf[sizeof (struct GNUNET_CADET_Encrypted) + size];
+ const uint16_t max_overhead = sizeof (struct GNUNET_CADET_Encrypted)
+ + sizeof (struct GNUNET_CADET_AX);
+ char cbuf[max_overhead + size];
+ size_t esize;
uint32_t mid;
uint32_t iv;
uint16_t type;
GNUNET_assert (GNUNET_NO == GCT_is_loopback (t));
- iv = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
- msg = (struct GNUNET_CADET_Encrypted *) cbuf;
- msg->header.type = htons (GNUNET_MESSAGE_TYPE_CADET_ENCRYPTED);
- msg->iv = iv;
- GNUNET_assert (t_encrypt (t, &msg[1], message, size, iv, GNUNET_NO) == size);
- t_hmac (&msg[1], size, iv, select_key (t), &msg->hmac);
- msg->header.size = htons (sizeof (struct GNUNET_CADET_Encrypted) + size);
+ if (CADET_Axolotl == t->enc_type)
+ {
+ ax_msg = (struct GNUNET_CADET_AX *) cbuf;
+ msg = &ax_msg->header;
+ msg->size = htons (sizeof (struct GNUNET_CADET_AX) + size);
+ msg->type = htons (GNUNET_MESSAGE_TYPE_CADET_AX);
+ ax_msg->reserved = 0;
+ esize = t_ax_encrypt (t, &ax_msg[1], message, size);
+ ax_msg->Ns = htonl (t->ax->Ns++);
+ ax_msg->PNs = htonl (t->ax->PNs);
+ GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->DHRs, &ax_msg->DHRs);
+ t_h_encrypt (t, ax_msg);
+ t_hmac (&ax_msg->Ns, AX_HEADER_SIZE + esize, 0, &t->ax->HKs, &ax_msg->hmac);
+ }
+ else
+ {
+ otr_msg = (struct GNUNET_CADET_Encrypted *) cbuf;
+ msg = &otr_msg->header;
+ iv = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
+ otr_msg->iv = iv;
+ esize = t_encrypt (t, &otr_msg[1], message, size, iv, GNUNET_NO);
+ t_hmac (&otr_msg[1], size, iv, select_key (t), &otr_msg->hmac);
+ msg->size = htons (sizeof (struct GNUNET_CADET_Encrypted) + size);
+ msg->type = htons (GNUNET_MESSAGE_TYPE_CADET_ENCRYPTED);
+ otr_msg->ttl = htonl (default_ttl);
+ }
+ GNUNET_assert (esize == size);
if (NULL == c)
c = tunnel_get_connection (t);
if (NULL == c)
{
/* Why is tunnel 'ready'? Should have been queued! */
- if (GNUNET_SCHEDULER_NO_TASK != t->destroy_task)
+ if (NULL != t->destroy_task)
{
GNUNET_break (0);
GCT_debug (t, GNUNET_ERROR_TYPE_WARNING);
case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY:
case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_ACK:
case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_NACK:
- msg->cid = *GCC_get_id (c);
- msg->ttl = htonl (default_ttl);
break;
default:
GNUNET_break (0);
if (NULL == cont)
{
- GNUNET_break (NULL == GCC_send_prebuilt_message (&msg->header, type, mid, c,
- fwd, force, NULL, NULL));
+ GNUNET_break (NULL == GCC_send_prebuilt_message (msg, type,
+ mid, c, fwd, force, NULL, NULL));
return NULL;
}
if (NULL == existing_q)
tq = existing_q;
tq->tqd = NULL;
}
- tq->cq = GCC_send_prebuilt_message (&msg->header, type, mid, c, fwd, force,
+ tq->cq = GCC_send_prebuilt_message (msg, type, mid, c, fwd, force,
&tun_message_sent, tq);
GNUNET_assert (NULL != tq->cq);
tq->cont = cont;
struct CadetTunnelDelayed *next;
unsigned int room;
- LOG (GNUNET_ERROR_TYPE_DEBUG,
- "GCT_send_queued_data on tunnel %s\n",
- GCT_2s (t));
+ LOG (GNUNET_ERROR_TYPE_INFO, "Send queued data, tunnel %s\n", GCT_2s (t));
if (GCT_is_loopback (t))
{
}
+/**
+ * @brief Resend the AX KX until we complete the handshake.
+ *
+ * @param cls Closure (tunnel).
+ * @param tc Task context.
+ */
+static void
+ax_kx_resend (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
+{
+ struct CadetTunnel *t = cls;
+
+ t->rekey_task = NULL;
+
+ if (0 != (tc->reason & GNUNET_SCHEDULER_REASON_SHUTDOWN))
+ return;
+
+ if (CADET_TUNNEL_KEY_OK == t->estate)
+ return;
+
+ GCT_send_ax_kx (t, GNUNET_YES);
+}
+
+
+/**
+ * Callback called when a queued message is sent.
+ *
+ * @param cls Closure.
+ * @param c Connection this message was on.
+ * @param type Type of message sent.
+ * @param fwd Was this a FWD going message?
+ * @param size Size of the message.
+ */
+static void
+ephm_sent (void *cls,
+ struct CadetConnection *c,
+ struct CadetConnectionQueue *q,
+ uint16_t type, int fwd, size_t size)
+{
+ struct CadetTunnel *t = cls;
+ LOG (GNUNET_ERROR_TYPE_DEBUG, "ephemeral sent %s\n", GC_m2s (type));
+
+ t->ephm_h = NULL;
+
+ if (CADET_TUNNEL_KEY_OK == t->estate)
+ return;
+
+ if (CADET_Axolotl == t->enc_type && CADET_TUNNEL_KEY_OK != t->estate)
+ {
+ if (NULL != t->rekey_task)
+ {
+ GNUNET_break (0);
+ GNUNET_SCHEDULER_cancel (t->rekey_task);
+ }
+ t->rekey_task = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS,
+ &ax_kx_resend, t);
+ }
+}
+
+
+/**
+ * Callback called when a queued message is sent.
+ *
+ * @param cls Closure.
+ * @param c Connection this message was on.
+ * @param type Type of message sent.
+ * @param fwd Was this a FWD going message?
+ * @param size Size of the message.
+ */
+static void
+pong_sent (void *cls,
+ struct CadetConnection *c,
+ struct CadetConnectionQueue *q,
+ uint16_t type, int fwd, size_t size)
+{
+ struct CadetTunnel *t = cls;
+ LOG (GNUNET_ERROR_TYPE_DEBUG, "pong_sent %s\n", GC_m2s (type));
+
+ t->pong_h = NULL;
+}
+
+
/**
* Sends key exchange message on a tunnel, choosing the best connection.
* Should not be called on loopback tunnels.
*
* @param t Tunnel on which this message is transmitted.
* @param message Message to send. Function modifies it.
+ *
+ * @return Handle to the message in the connection queue.
*/
-static void
+static struct CadetConnectionQueue *
send_kx (struct CadetTunnel *t,
const struct GNUNET_MessageHeader *message)
{
char cbuf[sizeof (struct GNUNET_CADET_KX) + size];
uint16_t type;
int fwd;
+ GCC_sent cont;
LOG (GNUNET_ERROR_TYPE_DEBUG, "GMT KX on Tunnel %s\n", GCT_2s (t));
/* Avoid loopback. */
if (GCT_is_loopback (t))
{
- LOG (GNUNET_ERROR_TYPE_DEBUG, " loopback!\n");
GNUNET_break (0);
- return;
+ return NULL;
}
type = ntohs (message->type);
- /* Even if tunnel is being destroyed, send anyway.
+ /* Even if tunnel is "being destroyed", send anyway.
* Could be a response to a rekey initiated by remote peer,
* who is trying to create a new channel!
*/
/* Must have a connection, or be looking for one. */
if (NULL == t->connection_head)
{
+ LOG (GNUNET_ERROR_TYPE_DEBUG, "%s with no connection\n", GC_m2s (type));
if (CADET_TUNNEL_SEARCHING != t->cstate)
{
- LOG (GNUNET_ERROR_TYPE_ERROR, "\n\n\n");
GNUNET_break (0);
- LOG (GNUNET_ERROR_TYPE_ERROR, "no connection, sending %s\n", GC_m2s (type));
GCT_debug (t, GNUNET_ERROR_TYPE_ERROR);
GCP_debug (t->peer, GNUNET_ERROR_TYPE_ERROR);
- LOG (GNUNET_ERROR_TYPE_ERROR, "\n\n\n");
}
- return;
+ return NULL;
}
msg = (struct GNUNET_CADET_KX *) cbuf;
c = tunnel_get_connection (t);
if (NULL == c)
{
- if (GNUNET_SCHEDULER_NO_TASK == t->destroy_task
- && CADET_TUNNEL_READY == t->cstate)
+ if (NULL == t->destroy_task && CADET_TUNNEL_READY == t->cstate)
{
GNUNET_break (0);
GCT_debug (t, GNUNET_ERROR_TYPE_ERROR);
}
- return;
+ return NULL;
}
switch (type)
{
case GNUNET_MESSAGE_TYPE_CADET_KX_EPHEMERAL:
- case GNUNET_MESSAGE_TYPE_CADET_KX_PING:
+ case GNUNET_MESSAGE_TYPE_CADET_AX_KX:
+ GNUNET_assert (NULL == t->ephm_h);
+ cont = &ephm_sent;
+ break;
case GNUNET_MESSAGE_TYPE_CADET_KX_PONG:
- memcpy (&msg[1], message, size);
+ GNUNET_assert (NULL == t->pong_h);
+ cont = &pong_sent;
break;
+
default:
- LOG (GNUNET_ERROR_TYPE_DEBUG, "unkown type %s\n",
- GC_m2s (type));
- GNUNET_break (0);
+ LOG (GNUNET_ERROR_TYPE_DEBUG, "unkown type %s\n", GC_m2s (type));
+ GNUNET_assert (0);
}
+ memcpy (&msg[1], message, size);
+
+ fwd = GCC_is_origin (c, GNUNET_YES);
- fwd = GCC_is_origin (t->connection_head->c, GNUNET_YES);
- /* TODO save handle and cancel in case of a unneeded retransmission */
- GNUNET_assert (NULL == GCC_send_prebuilt_message (&msg->header, type, 0, c,
- fwd, GNUNET_YES,
- NULL, NULL));
+ return GCC_send_prebuilt_message (&msg->header, type, 0, c,
+ fwd, GNUNET_YES,
+ cont, t);
}
send_ephemeral (struct CadetTunnel *t)
{
LOG (GNUNET_ERROR_TYPE_INFO, "===> EPHM for %s\n", GCT_2s (t));
+ if (NULL != t->ephm_h)
+ {
+ LOG (GNUNET_ERROR_TYPE_INFO, " already queued\n");
+ return;
+ }
- kx_msg.sender_status = htonl (t->estate);
- send_kx (t, &kx_msg.header);
-}
-
-/**
- * Send a ping message on a tunnel.
- *
- * @param t Tunnel on which to send the ping.
- */
-static void
-send_ping (struct CadetTunnel *t)
-{
- struct GNUNET_CADET_KX_Ping msg;
-
- LOG (GNUNET_ERROR_TYPE_INFO, "===> PING for %s\n", GCT_2s (t));
- msg.header.size = htons (sizeof (msg));
- msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_KX_PING);
- msg.iv = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
- msg.target = *GCP_get_id (t->peer);
- msg.nonce = t->kx_ctx->challenge;
-
- LOG (GNUNET_ERROR_TYPE_DEBUG, " sending %u\n", msg.nonce);
- LOG (GNUNET_ERROR_TYPE_DEBUG, " towards %s\n", GNUNET_i2s (&msg.target));
- t_encrypt (t, &msg.target, &msg.target,
- ping_encryption_size(), msg.iv, GNUNET_YES);
- LOG (GNUNET_ERROR_TYPE_DEBUG, " e sending %u\n", msg.nonce);
- LOG (GNUNET_ERROR_TYPE_DEBUG, " e towards %s\n", GNUNET_i2s (&msg.target));
-
- send_kx (t, &msg.header);
+ otr_kx_msg.sender_status = htonl (t->estate);
+ otr_kx_msg.iv = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
+ otr_kx_msg.nonce = t->kx_ctx->challenge;
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " send nonce c %u\n", otr_kx_msg.nonce);
+ t_encrypt (t, &otr_kx_msg.nonce, &otr_kx_msg.nonce,
+ ping_encryption_size(), otr_kx_msg.iv, GNUNET_YES);
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " send nonce e %u\n", otr_kx_msg.nonce);
+ t->ephm_h = send_kx (t, &otr_kx_msg.header);
}
struct GNUNET_CADET_KX_Pong msg;
LOG (GNUNET_ERROR_TYPE_INFO, "===> PONG for %s\n", GCT_2s (t));
+ if (NULL != t->pong_h)
+ {
+ LOG (GNUNET_ERROR_TYPE_INFO, " already queued\n");
+ return;
+ }
msg.header.size = htons (sizeof (msg));
msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_KX_PONG);
msg.iv = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
sizeof (msg.nonce), msg.iv, GNUNET_YES);
LOG (GNUNET_ERROR_TYPE_DEBUG, " e sending %u\n", msg.nonce);
- send_kx (t, &msg.header);
+ t->pong_h = send_kx (t, &msg.header);
}
{
struct CadetTunnel *t = cls;
- t->rekey_task = GNUNET_SCHEDULER_NO_TASK;
+ t->rekey_task = NULL;
LOG (GNUNET_ERROR_TYPE_INFO, "Re-key Tunnel %s\n", GCT_2s (t));
if (NULL != tc && 0 != (GNUNET_SCHEDULER_REASON_SHUTDOWN & tc->reason))
return;
- create_kx_ctx (t);
-
- if (NULL == t->kx_ctx)
- {
- create_keys (t);
- }
- else
- {
- struct GNUNET_TIME_Relative duration;
+ GNUNET_assert (NULL != t->kx_ctx);
+ struct GNUNET_TIME_Relative duration;
- duration = GNUNET_TIME_absolute_get_duration (t->kx_ctx->rekey_start_time);
- LOG (GNUNET_ERROR_TYPE_DEBUG, " kx started %s ago\n",
- GNUNET_STRINGS_relative_time_to_string (duration, GNUNET_YES));
+ duration = GNUNET_TIME_absolute_get_duration (t->kx_ctx->rekey_start_time);
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " kx started %s ago\n",
+ GNUNET_STRINGS_relative_time_to_string (duration, GNUNET_YES));
- // FIXME make duration of old keys configurable
- if (duration.rel_value_us >= GNUNET_TIME_UNIT_MINUTES.rel_value_us)
- {
- memset (&t->kx_ctx->d_key_old, 0, sizeof (t->kx_ctx->d_key_old));
- memset (&t->kx_ctx->e_key_old, 0, sizeof (t->kx_ctx->e_key_old));
- }
+ // FIXME make duration of old keys configurable
+ if (duration.rel_value_us >= GNUNET_TIME_UNIT_MINUTES.rel_value_us)
+ {
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " deleting old keys\n");
+ memset (&t->kx_ctx->d_key_old, 0, sizeof (t->kx_ctx->d_key_old));
+ memset (&t->kx_ctx->e_key_old, 0, sizeof (t->kx_ctx->e_key_old));
}
send_ephemeral (t);
switch (t->estate)
{
case CADET_TUNNEL_KEY_UNINITIALIZED:
- t->estate = CADET_TUNNEL_KEY_SENT;
+ GCT_change_estate (t, CADET_TUNNEL_KEY_SENT);
break;
+
case CADET_TUNNEL_KEY_SENT:
break;
+
case CADET_TUNNEL_KEY_OK:
- t->estate = CADET_TUNNEL_KEY_REKEY;
- /* fall-thru */
+ /* Inconsistent!
+ * - state should have changed during rekey_iterator
+ * - task should have been canceled at pong_handle
+ */
+ GNUNET_break (0);
+ GCT_change_estate (t, CADET_TUNNEL_KEY_REKEY);
+ break;
+
case CADET_TUNNEL_KEY_PING:
case CADET_TUNNEL_KEY_REKEY:
- send_ping (t);
break;
+
default:
LOG (GNUNET_ERROR_TYPE_DEBUG, "Unexpected state %u\n", t->estate);
}
long n = (long) cls;
uint32_t r;
- if (GNUNET_SCHEDULER_NO_TASK != t->rekey_task)
+ if (NULL != t->rekey_task)
return GNUNET_YES;
if (GNUNET_YES == GCT_is_loopback (t))
return GNUNET_YES;
+ if (CADET_OTR != t->enc_type)
+ return GNUNET_YES;
+
r = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, (uint32_t) n * 100);
delay = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS, r);
t->rekey_task = GNUNET_SCHEDULER_add_delayed (delay, &rekey_tunnel, t);
+ if (GNUNET_OK == create_kx_ctx (t))
+ GCT_change_estate (t, CADET_TUNNEL_KEY_REKEY);
+ else
+ {
+ GNUNET_break (0);
+ // FIXME restart kx
+ }
return GNUNET_YES;
}
* @param tc TaskContext.
*/
static void
-rekey (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
+global_otr_rekey (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
{
struct GNUNET_TIME_Absolute time;
long n;
- rekey_task = GNUNET_SCHEDULER_NO_TASK;
+ rekey_task = NULL;
if (0 != (GNUNET_SCHEDULER_REASON_SHUTDOWN & tc->reason))
return;
- GNUNET_free_non_null (my_ephemeral_key);
- my_ephemeral_key = GNUNET_CRYPTO_ecdhe_key_create ();
+ GNUNET_free_non_null (otr_ephemeral_key);
+ otr_ephemeral_key = GNUNET_CRYPTO_ecdhe_key_create ();
time = GNUNET_TIME_absolute_get ();
- kx_msg.creation_time = GNUNET_TIME_absolute_hton (time);
+ otr_kx_msg.creation_time = GNUNET_TIME_absolute_hton (time);
time = GNUNET_TIME_absolute_add (time, rekey_period);
time = GNUNET_TIME_absolute_add (time, GNUNET_TIME_UNIT_MINUTES);
- kx_msg.expiration_time = GNUNET_TIME_absolute_hton (time);
- GNUNET_CRYPTO_ecdhe_key_get_public (my_ephemeral_key, &kx_msg.ephemeral_key);
+ otr_kx_msg.expiration_time = GNUNET_TIME_absolute_hton (time);
+ GNUNET_CRYPTO_ecdhe_key_get_public (otr_ephemeral_key, &otr_kx_msg.ephemeral_key);
+ LOG (GNUNET_ERROR_TYPE_INFO, "GLOBAL OTR RE-KEY, NEW EPHM: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &otr_kx_msg.ephemeral_key));
GNUNET_assert (GNUNET_OK ==
- GNUNET_CRYPTO_eddsa_sign (my_private_key,
- &kx_msg.purpose,
- &kx_msg.signature));
+ GNUNET_CRYPTO_eddsa_sign (id_key,
+ &otr_kx_msg.purpose,
+ &otr_kx_msg.signature));
n = (long) GNUNET_CONTAINER_multipeermap_size (tunnels);
GNUNET_CONTAINER_multipeermap_iterate (tunnels, &rekey_iterator, (void *) n);
- rekey_task = GNUNET_SCHEDULER_add_delayed (rekey_period, &rekey, NULL);
+ rekey_task = GNUNET_SCHEDULER_add_delayed (rekey_period,
+ &global_otr_rekey, NULL);
}
}
+/**
+ * Create a new Axolotl ephemeral (ratchet) key.
+ *
+ * @param t Tunnel.
+ */
+static void
+new_ephemeral (struct CadetTunnel *t)
+{
+ GNUNET_free_non_null (t->ax->DHRs);
+ t->ax->DHRs = GNUNET_CRYPTO_ecdhe_key_create();
+}
+
+
+/**
+ * Free Axolotl data.
+ *
+ * @param t Tunnel.
+ */
+static void
+destroy_ax (struct CadetTunnel *t)
+{
+ if (NULL == t->ax)
+ return;
+
+ GNUNET_free_non_null (t->ax->DHRs);
+ GNUNET_free_non_null (t->ax->kx_0);
+
+ GNUNET_free (t->ax);
+ t->ax = NULL;
+
+ if (NULL != t->rekey_task)
+ {
+ GNUNET_SCHEDULER_cancel (t->rekey_task);
+ t->rekey_task = NULL;
+ }
+ if (NULL != t->ephm_h)
+ {
+ GCC_cancel (t->ephm_h);
+ t->ephm_h = NULL;
+ }
+}
+
+
+
/**
* The peer's ephemeral key has changed: update the symmetrical keys.
*
return;
}
- create_kx_ctx (t);
+ /* If we get a proper OTR-style ephemeral, fallback to old crypto. */
+ if (NULL != t->ax)
+ {
+ destroy_ax (t);
+ t->enc_type = CADET_OTR;
+ if (NULL != t->rekey_task)
+ GNUNET_SCHEDULER_cancel (t->rekey_task);
+ if (GNUNET_OK != create_kx_ctx (t))
+ {
+ // FIXME restart kx
+ GNUNET_break (0);
+ return;
+ }
+ rekey_tunnel (t, NULL);
+ GNUNET_STATISTICS_update (stats, "# otr-downgrades", -1, GNUNET_NO);
+ }
+
+ /**
+ * If the key is different from what we know, derive the new E/D keys.
+ * Else destroy the rekey ctx (duplicate EPHM after successful KX).
+ */
if (0 != memcmp (&t->peers_ephemeral_key, &msg->ephemeral_key,
sizeof (msg->ephemeral_key)))
{
+ #if DUMP_KEYS_TO_STDERR
+ LOG (GNUNET_ERROR_TYPE_INFO, "OLD: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
+ LOG (GNUNET_ERROR_TYPE_INFO, "NEW: %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &msg->ephemeral_key));
+ #endif
t->peers_ephemeral_key = msg->ephemeral_key;
- create_keys (t);
+
+ if (GNUNET_OK != create_kx_ctx (t))
+ {
+ // FIXME restart kx
+ GNUNET_break (0);
+ return;
+ }
+
if (CADET_TUNNEL_KEY_OK == t->estate)
{
- t->estate = CADET_TUNNEL_KEY_REKEY;
+ GCT_change_estate (t, CADET_TUNNEL_KEY_REKEY);
}
- if (GNUNET_SCHEDULER_NO_TASK != t->rekey_task)
+ if (NULL != t->rekey_task)
GNUNET_SCHEDULER_cancel (t->rekey_task);
t->rekey_task = GNUNET_SCHEDULER_add_now (rekey_tunnel, t);
}
- else if (CADET_TUNNEL_KEY_OK == t->estate)
- {
- destroy_kx_ctx (t);
- }
if (CADET_TUNNEL_KEY_SENT == t->estate)
{
- LOG (GNUNET_ERROR_TYPE_DEBUG, " our key was sent, sending ping\n");
- send_ping (t);
- t->estate = CADET_TUNNEL_KEY_PING;
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " our key was sent, sending challenge\n");
+ send_ephemeral (t);
+ GCT_change_estate (t, CADET_TUNNEL_KEY_PING);
}
-}
-
-
-/**
- * Peer wants to check our symmetrical keys by sending an encrypted challenge.
- * Answer with by retransmitting the challenge with the "opposite" key.
- *
- * @param t Tunnel this message came on.
- * @param msg Key eXchange Ping message.
- */
-static void
-handle_ping (struct CadetTunnel *t,
- const struct GNUNET_CADET_KX_Ping *msg)
-{
- struct GNUNET_CADET_KX_Ping res;
- if (ntohs (msg->header.size) != sizeof (res))
+ if (CADET_TUNNEL_KEY_UNINITIALIZED != ntohl(msg->sender_status))
{
- GNUNET_break_op (0);
- return;
- }
+ uint32_t nonce;
- LOG (GNUNET_ERROR_TYPE_INFO, "<=== PING for %s\n", GCT_2s (t));
- t_decrypt (t, &res.target, &msg->target, ping_encryption_size (), msg->iv);
- if (0 != memcmp (&my_full_id, &res.target, sizeof (my_full_id)))
- {
- /* probably peer hasn't got our new EPHM yet and derived the wrong keys */
- GNUNET_STATISTICS_update (stats, "# malformed PINGs", 1, GNUNET_NO);
- LOG (GNUNET_ERROR_TYPE_INFO, " malformed PING on %s\n", GCT_2s (t));
- LOG (GNUNET_ERROR_TYPE_DEBUG, " e got %u\n", msg->nonce);
- LOG (GNUNET_ERROR_TYPE_DEBUG, " e towards %s\n", GNUNET_i2s (&msg->target));
- LOG (GNUNET_ERROR_TYPE_DEBUG, " got %u\n", res.nonce);
- LOG (GNUNET_ERROR_TYPE_DEBUG, " towards %s\n", GNUNET_i2s (&res.target));
- create_kx_ctx (t);
- send_ephemeral (t);
- send_ping (t);
- return;
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " recv nonce e %u\n", msg->nonce);
+ t_decrypt (t, &nonce, &msg->nonce, ping_encryption_size (), msg->iv);
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " recv nonce c %u\n", nonce);
+ send_pong (t, nonce);
}
-
- send_pong (t, res.nonce);
}
* @param msg Key eXchange Pong message.
*/
static void
-handle_pong (struct CadetTunnel *t,
- const struct GNUNET_CADET_KX_Pong *msg)
+handle_pong (struct CadetTunnel *t, const struct GNUNET_CADET_KX_Pong *msg)
{
uint32_t challenge;
LOG (GNUNET_ERROR_TYPE_INFO, "<=== PONG for %s\n", GCT_2s (t));
- if (GNUNET_SCHEDULER_NO_TASK == t->rekey_task)
+ if (NULL == t->rekey_task)
{
GNUNET_STATISTICS_update (stats, "# duplicate PONG messages", 1, GNUNET_NO);
return;
}
- t_decrypt (t, &challenge, &msg->nonce, sizeof (uint32_t), msg->iv);
+ if (NULL == t->kx_ctx)
+ {
+ GNUNET_STATISTICS_update (stats, "# stray PONG messages", 1, GNUNET_NO);
+ return;
+ }
+ t_decrypt (t, &challenge, &msg->nonce, sizeof (uint32_t), msg->iv);
if (challenge != t->kx_ctx->challenge)
{
LOG (GNUNET_ERROR_TYPE_WARNING, "Wrong PONG challenge on %s\n", GCT_2s (t));
LOG (GNUNET_ERROR_TYPE_DEBUG, "PONG: %u (e: %u). Expected: %u.\n",
challenge, msg->nonce, t->kx_ctx->challenge);
send_ephemeral (t);
- send_ping (t);
return;
}
GNUNET_SCHEDULER_cancel (t->rekey_task);
- t->rekey_task = GNUNET_SCHEDULER_NO_TASK;
+ t->rekey_task = NULL;
/* Don't free the old keys right away, but after a delay.
* Rationale: the KX could have happened over a very fast connection,
}
+/**
+ * Handle Axolotl handshake.
+ *
+ * @param t Tunnel this message came on.
+ * @param msg Key eXchange Pong message.
+ */
+static void
+handle_kx_ax (struct CadetTunnel *t, const struct GNUNET_CADET_AX_KX *msg)
+{
+ struct CadetTunnelAxolotl *ax;
+ struct GNUNET_HashCode key_material[3];
+ struct GNUNET_CRYPTO_SymmetricSessionKey keys[5];
+ const struct GNUNET_CRYPTO_EcdhePublicKey *pub;
+ const struct GNUNET_CRYPTO_EcdhePrivateKey *priv;
+ const char salt[] = "CADET Axolotl salt";
+ const struct GNUNET_PeerIdentity *pid;
+ int am_I_alice;
+
+ LOG (GNUNET_ERROR_TYPE_INFO, "<=== AX_KX on %s\n", GCT_2s (t));
+
+ if (NULL == t->ax)
+ {
+ /* Something is wrong if ax is NULL. Whose fault it is? */
+ GNUNET_break_op (CADET_OTR == t->enc_type);
+ GNUNET_break (CADET_Axolotl == t->enc_type);
+ return;
+ }
+
+ if (GNUNET_OK != GCP_check_key (t->peer, &msg->permanent_key,
+ &msg->purpose, &msg->signature))
+ {
+ GNUNET_break_op (0);
+ return;
+ }
+
+ pid = GCT_get_destination (t);
+ if (0 > GNUNET_CRYPTO_cmp_peer_identity (&my_full_id, pid))
+ am_I_alice = GNUNET_YES;
+ else if (0 < GNUNET_CRYPTO_cmp_peer_identity (&my_full_id, pid))
+ am_I_alice = GNUNET_NO;
+ else
+ {
+ GNUNET_break_op (0);
+ return;
+ }
+
+ if (GNUNET_YES == ntohl (msg->force_reply))
+ GCT_send_ax_kx (t, GNUNET_NO);
+
+ if (CADET_TUNNEL_KEY_OK == t->estate)
+ return;
+
+ LOG (GNUNET_ERROR_TYPE_INFO, " is Alice? %s\n", am_I_alice ? "YES" : "NO");
+
+ ax = t->ax;
+ ax->DHRr = msg->ratchet_key;
+ ax->DHIr = msg->permanent_key;
+
+ /* ECDH A B0 */
+ if (GNUNET_YES == am_I_alice)
+ {
+ priv = ax_key; /* A */
+ pub = &msg->ephemeral_key; /* B0 */
+ }
+ else
+ {
+ priv = ax->kx_0; /* B0 */
+ pub = &ax->DHIr; /* A */
+ }
+ GNUNET_CRYPTO_ecc_ecdh (priv, pub, &key_material[0]);
+
+ /* ECDH A0 B */
+ if (GNUNET_YES == am_I_alice)
+ {
+ priv = ax->kx_0; /* A0 */
+ pub = &ax->DHIr; /* B */
+ }
+ else
+ {
+ priv = ax_key; /* B */
+ pub = &msg->ephemeral_key; /* A0 */
+ }
+ GNUNET_CRYPTO_ecc_ecdh (priv, pub, &key_material[1]);
+
+ /* ECDH A0 B0*/
+ priv = ax->kx_0; /* A0 or B0 */
+ pub = &msg->ephemeral_key; /* B0 or A0 */
+ GNUNET_CRYPTO_ecc_ecdh (priv, pub, &key_material[2]);
+
+ #if DUMP_KEYS_TO_STDERR
+ {
+ unsigned int i;
+ for (i = 0; i < 3; i++)
+ LOG (GNUNET_ERROR_TYPE_INFO, "km[%u]: %s\n",
+ i, GNUNET_h2s (&key_material[i]));
+ }
+ #endif
+
+ /* KDF */
+ GNUNET_CRYPTO_kdf (keys, sizeof (keys),
+ salt, sizeof (salt),
+ &key_material, sizeof (key_material), NULL);
+
+ ax->RK = keys[0];
+ if (GNUNET_YES == am_I_alice)
+ {
+ ax->HKr = keys[1];
+ ax->NHKs = keys[2];
+ ax->NHKr = keys[3];
+ ax->CKr = keys[4];
+ ax->ratchet_flag = GNUNET_YES;
+ }
+ else
+ {
+ ax->HKs = keys[1];
+ ax->NHKr = keys[2];
+ ax->NHKs = keys[3];
+ ax->CKs = keys[4];
+ ax->ratchet_flag = GNUNET_NO;
+ ax->ratchet_allowed = GNUNET_NO;
+ ax->ratchet_counter = 0;
+ ax->ratchet_expiration =
+ GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(), ratchet_time);
+ }
+ GCT_change_estate (t, CADET_TUNNEL_KEY_OK);
+}
+
+
/**
* Demultiplex by message type and call appropriate handler for a message
* towards a channel of a local tunnel.
break;
case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_CREATE:
- handle_ch_create (t,
- (struct GNUNET_CADET_ChannelCreate *) msgh);
+ handle_ch_create (t, (struct GNUNET_CADET_ChannelCreate *) msgh);
break;
case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_NACK:
- handle_ch_nack (t,
- (struct GNUNET_CADET_ChannelManage *) msgh);
+ handle_ch_nack (t, (struct GNUNET_CADET_ChannelManage *) msgh);
break;
case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_ACK:
- handle_ch_ack (t,
- (struct GNUNET_CADET_ChannelManage *) msgh,
- fwd);
+ handle_ch_ack (t, (struct GNUNET_CADET_ChannelManage *) msgh, fwd);
break;
case GNUNET_MESSAGE_TYPE_CADET_CHANNEL_DESTROY:
- handle_ch_destroy (t,
- (struct GNUNET_CADET_ChannelManage *) msgh,
- fwd);
+ handle_ch_destroy (t, (struct GNUNET_CADET_ChannelManage *) msgh, fwd);
break;
default:
/******************************************************************************/
/******************************** API ***********************************/
/******************************************************************************/
-
/**
- * Decrypt and demultiplex by message type. Call appropriate handler
- * for every message.
+ * Decrypt old format and demultiplex by message type. Call appropriate handler
+ * for a message towards a channel of a local tunnel.
*
* @param t Tunnel this message came on.
- * @param msg Encrypted message.
+ * @param msg Message header.
*/
void
GCT_handle_encrypted (struct CadetTunnel *t,
- const struct GNUNET_CADET_Encrypted *msg)
+ const struct GNUNET_MessageHeader *msg)
{
- size_t size = ntohs (msg->header.size);
- size_t payload_size = size - sizeof (struct GNUNET_CADET_Encrypted);
+ uint16_t size = ntohs (msg->size);
+ char cbuf [size];
+ size_t payload_size;
int decrypted_size;
- char cbuf [payload_size];
+ uint16_t type;
struct GNUNET_MessageHeader *msgh;
unsigned int off;
- decrypted_size = t_decrypt_and_validate (t, cbuf, &msg[1], payload_size,
- msg->iv, &msg->hmac);
+ type = ntohs (msg->type);
+ if (GNUNET_MESSAGE_TYPE_CADET_ENCRYPTED == type)
+ {
+ const struct GNUNET_CADET_Encrypted *emsg;
+
+ emsg = (struct GNUNET_CADET_Encrypted *) msg;
+ payload_size = size - sizeof (struct GNUNET_CADET_Encrypted);
+ decrypted_size = t_decrypt_and_validate (t, cbuf, &emsg[1], payload_size,
+ emsg->iv, &emsg->hmac);
+ }
+ else if (GNUNET_MESSAGE_TYPE_CADET_AX == type)
+ {
+ const struct GNUNET_CADET_AX *emsg;
+
+ emsg = (struct GNUNET_CADET_AX *) msg;
+ decrypted_size = t_ax_decrypt_and_validate (t, cbuf, emsg, size);
+ }
if (-1 == decrypted_size)
{
uint16_t type;
type = ntohs (message->type);
- LOG (GNUNET_ERROR_TYPE_DEBUG, "kx message received\n", type);
+ LOG (GNUNET_ERROR_TYPE_DEBUG, "kx message received: %s\n", GC_m2s (type));
switch (type)
{
case GNUNET_MESSAGE_TYPE_CADET_KX_EPHEMERAL:
- handle_ephemeral (t, (struct GNUNET_CADET_KX_Ephemeral *) message);
+ handle_ephemeral (t, (const struct GNUNET_CADET_KX_Ephemeral *) message);
break;
- case GNUNET_MESSAGE_TYPE_CADET_KX_PING:
- handle_ping (t, (struct GNUNET_CADET_KX_Ping *) message);
+ case GNUNET_MESSAGE_TYPE_CADET_KX_PONG:
+ handle_pong (t, (const struct GNUNET_CADET_KX_Pong *) message);
break;
- case GNUNET_MESSAGE_TYPE_CADET_KX_PONG:
- handle_pong (t, (struct GNUNET_CADET_KX_Pong *) message);
+ case GNUNET_MESSAGE_TYPE_CADET_AX_KX:
+ handle_kx_ax (t, (const struct GNUNET_CADET_AX_KX *) message);
break;
default:
GNUNET_break_op (0);
- LOG (GNUNET_ERROR_TYPE_DEBUG, "kx message not known (%u)\n", type);
+ LOG (GNUNET_ERROR_TYPE_WARNING, "kx message %s unknown\n", GC_m2s (type));
}
}
-
/**
* Initialize the tunnel subsystem.
*
LOG (GNUNET_ERROR_TYPE_DEBUG, "init\n");
- expected_overhead =
- sizeof (struct GNUNET_CADET_Encrypted) + sizeof (struct GNUNET_CADET_Data);
+ expected_overhead = 0;
+ expected_overhead += sizeof (struct GNUNET_CADET_Encrypted);
+ expected_overhead += sizeof (struct GNUNET_CADET_Data);
+ expected_overhead += sizeof (struct GNUNET_CADET_ACK);
GNUNET_assert (GNUNET_CONSTANTS_CADET_P2P_OVERHEAD == expected_overhead);
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_number (c, "CADET", "DEFAULT_TTL",
&default_ttl))
{
- GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_WARNING,
+ GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_DEBUG,
"CADET", "DEFAULT_TTL", "USING DEFAULT");
default_ttl = 64;
}
{
rekey_period = GNUNET_TIME_UNIT_DAYS;
}
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_number (c, "CADET", "RATCHET_MESSAGES",
+ &ratchet_messages))
+ {
+ GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_WARNING,
+ "CADET", "RATCHET_MESSAGES", "USING DEFAULT");
+ ratchet_messages = 64;
+ }
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_time (c, "CADET", "RATCHET_TIME",
+ &ratchet_time))
+ {
+ GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_WARNING,
+ "CADET", "RATCHET_TIME", "USING DEFAULT");
+ ratchet_time = GNUNET_TIME_UNIT_HOURS;
+ }
+
- my_private_key = key;
- kx_msg.header.size = htons (sizeof (kx_msg));
- kx_msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_KX_EPHEMERAL);
- kx_msg.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CADET_KX);
- kx_msg.purpose.size = htonl (ephemeral_purpose_size ());
- kx_msg.origin_identity = my_full_id;
- rekey_task = GNUNET_SCHEDULER_add_now (&rekey, NULL);
+ id_key = key;
+
+ otr_kx_msg.header.size = htons (sizeof (otr_kx_msg));
+ otr_kx_msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_KX_EPHEMERAL);
+ otr_kx_msg.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CADET_KX);
+ otr_kx_msg.purpose.size = htonl (ephemeral_purpose_size ());
+ otr_kx_msg.origin_identity = my_full_id;
+ rekey_task = GNUNET_SCHEDULER_add_now (&global_otr_rekey, NULL);
+
+ ax_key = GNUNET_CRYPTO_ecdhe_key_create ();
+ GNUNET_CRYPTO_ecdhe_key_get_public (ax_key, &ax_identity.permanent_key);
+ ax_identity.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CADET_AXKX);
+ ax_identity.purpose.size = htonl (ax_purpose_size ());
+ GNUNET_assert (GNUNET_OK ==
+ GNUNET_CRYPTO_eddsa_sign (id_key,
+ &ax_identity.purpose,
+ &ax_identity.signature));
tunnels = GNUNET_CONTAINER_multipeermap_create (128, GNUNET_YES);
}
void
GCT_shutdown (void)
{
- if (GNUNET_SCHEDULER_NO_TASK != rekey_task)
+ if (NULL != rekey_task)
{
GNUNET_SCHEDULER_cancel (rekey_task);
- rekey_task = GNUNET_SCHEDULER_NO_TASK;
+ rekey_task = NULL;
}
GNUNET_CONTAINER_multipeermap_iterate (tunnels, &destroy_iterator, NULL);
GNUNET_CONTAINER_multipeermap_destroy (tunnels);
+ GNUNET_free (ax_key);
}
GNUNET_free (t);
return NULL;
}
+ t->ax = GNUNET_new (struct CadetTunnelAxolotl);
+ new_ephemeral (t);
+ t->ax->kx_0 = GNUNET_CRYPTO_ecdhe_key_create ();
return t;
}
}
else if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
{
- LOG (GNUNET_ERROR_TYPE_DEBUG, " cstate triggered rekey\n");
- if (GNUNET_SCHEDULER_NO_TASK != t->rekey_task)
- GNUNET_SCHEDULER_cancel (t->rekey_task);
- rekey_tunnel (t, NULL);
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " cstate triggered kx\n");
+ GCT_send_ax_kx (t, GNUNET_NO);
+ }
+ else
+ {
+ LOG (GNUNET_ERROR_TYPE_DEBUG, "estate %s\n", estate2s (t->estate));
}
}
t->cstate = cstate;
}
}
+
/**
* Change the tunnel encryption state.
*
- * @param t Tunnel whose encryption state to change.
+ * @param t Tunnel whose encryption state to change, or NULL.
* @param state New encryption state.
*/
void
GCT_change_estate (struct CadetTunnel* t, enum CadetTunnelEState state)
{
+ enum CadetTunnelEState old;
+
if (NULL == t)
return;
- LOG (GNUNET_ERROR_TYPE_DEBUG,
- "Tunnel %s estate was %s\n",
+
+ old = t->estate;
+ t->estate = state;
+ LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s estate was %s\n",
+ GCP_2s (t->peer), estate2s (old));
+ LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s estate is now %s\n",
GCP_2s (t->peer), estate2s (t->estate));
- LOG (GNUNET_ERROR_TYPE_DEBUG,
- "Tunnel %s estate is now %s\n",
- GCP_2s (t->peer), estate2s (state));
+
+ /* Send queued data if enc state changes to OK */
if (myid != GCP_get_short_id (t->peer) &&
- CADET_TUNNEL_KEY_OK != t->estate && CADET_TUNNEL_KEY_OK == state)
+ CADET_TUNNEL_KEY_OK != old && CADET_TUNNEL_KEY_OK == t->estate)
{
- t->estate = state;
send_queued_data (t);
- return;
}
- t->estate = state;
}
{
struct CadetTunnel *t = cls;
- t->trim_connections_task = GNUNET_SCHEDULER_NO_TASK;
+ t->trim_connections_task = NULL;
if (0 != (tc->reason & GNUNET_SCHEDULER_REASON_SHUTDOWN))
return;
for (c = iter = t->connection_head; NULL != iter; iter = iter->next)
{
- if ((NULL == c || iter->created.abs_value_us > c->created.abs_value_us)
+ if ((iter->created.abs_value_us > c->created.abs_value_us)
&& GNUNET_NO == GCC_is_direct (iter->c))
{
c = iter;
GNUNET_CONTAINER_DLL_insert (t->connection_head, t->connection_tail, aux);
if (CADET_TUNNEL_SEARCHING == t->cstate)
- GCT_change_estate (t, CADET_TUNNEL_WAITING);
+ GCT_change_cstate (t, CADET_TUNNEL_WAITING);
- if (GNUNET_SCHEDULER_NO_TASK != t->trim_connections_task)
+ if (NULL != t->trim_connections_task)
t->trim_connections_task = GNUNET_SCHEDULER_add_now (&trim_connections, t);
}
conns = GCT_count_connections (t);
if (0 == conns
- && GNUNET_SCHEDULER_NO_TASK == t->destroy_task
+ && NULL == t->destroy_task
&& CADET_TUNNEL_SHUTDOWN != t->cstate
&& GNUNET_NO == shutting_down)
{
/* Start new connections if needed */
if (CONNECTIONS_PER_TUNNEL > conns
- && GNUNET_SCHEDULER_NO_TASK == t->destroy_task
+ && NULL == t->destroy_task
&& CADET_TUNNEL_SHUTDOWN != t->cstate
&& GNUNET_NO == shutting_down)
{
LOG (GNUNET_ERROR_TYPE_DEBUG, " adding %p to %p\n", aux, t->channel_head);
GNUNET_CONTAINER_DLL_insert_tail (t->channel_head, t->channel_tail, aux);
- if (GNUNET_SCHEDULER_NO_TASK != t->destroy_task)
+ if (NULL != t->destroy_task)
{
GNUNET_SCHEDULER_cancel (t->destroy_task);
- t->destroy_task = GNUNET_SCHEDULER_NO_TASK;
+ t->destroy_task = NULL;
LOG (GNUNET_ERROR_TYPE_DEBUG, " undo destroy!\n");
}
}
"Tunnel at %p should have been freed by GCT_shutdown\n", t);
return;
}
- t->destroy_task = GNUNET_SCHEDULER_NO_TASK;
+ t->destroy_task = NULL;
t->cstate = CADET_TUNNEL_SHUTDOWN;
for (iter = t->connection_head; NULL != iter; iter = iter->next)
if (GNUNET_YES == shutting_down)
return; /* Will be destroyed immediately anyway */
- if (GNUNET_SCHEDULER_NO_TASK != t->destroy_task)
+ if (NULL != t->destroy_task)
{
LOG (GNUNET_ERROR_TYPE_WARNING,
"Tunnel %s is already scheduled for destruction. Tunnel debug dump:\n",
return;
}
- LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s empty: destroying scheduled\n",
+ LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s empty: scheduling destruction\n",
GCT_2s (t));
// FIXME make delay a config option
t->destroy_task = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_MINUTES,
&delayed_destroy, t);
- LOG (GNUNET_ERROR_TYPE_DEBUG, "Scheduled destroy of %p as %llX\n",
+ LOG (GNUNET_ERROR_TYPE_DEBUG, "Scheduled destroy of %p as %llu\n",
t, t->destroy_task);
}
GCT_destroy_if_empty (struct CadetTunnel *t)
{
LOG (GNUNET_ERROR_TYPE_DEBUG, "Tunnel %s destroy if empty\n", GCT_2s (t));
- if (1 < GCT_count_channels (t))
+ if (0 < GCT_count_channels (t))
return;
GCT_destroy_empty (t);
/* Should only happen on shutdown, but it's ok. */
}
- if (GNUNET_SCHEDULER_NO_TASK != t->destroy_task)
+ if (NULL != t->destroy_task)
{
LOG (GNUNET_ERROR_TYPE_DEBUG, "cancelling dest: %llX\n", t->destroy_task);
GNUNET_SCHEDULER_cancel (t->destroy_task);
- t->destroy_task = GNUNET_SCHEDULER_NO_TASK;
+ t->destroy_task = NULL;
}
- if (GNUNET_SCHEDULER_NO_TASK != t->trim_connections_task)
+ if (NULL != t->trim_connections_task)
{
LOG (GNUNET_ERROR_TYPE_DEBUG, "cancelling trim: %llX\n",
t->trim_connections_task);
GNUNET_SCHEDULER_cancel (t->trim_connections_task);
- t->trim_connections_task = GNUNET_SCHEDULER_NO_TASK;
+ t->trim_connections_task = NULL;
}
GNUNET_STATISTICS_update (stats, "# tunnels", -1, GNUNET_NO);
GCP_set_tunnel (t->peer, NULL);
- if (GNUNET_SCHEDULER_NO_TASK != t->rekey_task)
+ if (NULL != t->rekey_task)
{
GNUNET_SCHEDULER_cancel (t->rekey_task);
- t->rekey_task = GNUNET_SCHEDULER_NO_TASK;
+ t->rekey_task = NULL;
}
if (NULL != t->kx_ctx)
{
- if (GNUNET_SCHEDULER_NO_TASK != t->kx_ctx->finish_task)
+ if (NULL != t->kx_ctx->finish_task)
GNUNET_SCHEDULER_cancel (t->kx_ctx->finish_task);
GNUNET_free (t->kx_ctx);
}
+
+ if (NULL != t->ax)
+ destroy_ax (t);
+
GNUNET_free (t);
}
return 0;
for (count = 0, iter = t->connection_head; NULL != iter; iter = iter->next)
- if (CADET_CONNECTION_DESTROYED != GCC_get_state (iter->c))
+ if (CADET_CONNECTION_READY == GCC_get_state (iter->c))
count++;
return count;
{
if (NULL == t)
{
- GNUNET_assert (0);
+ GNUNET_break (0);
return (enum CadetTunnelEState) -1;
}
return t->estate;
if (NULL == t->channel_head)
{
/* Probably getting buffer for a channel create/handshake. */
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " no channels, allow max\n");
return 64;
}
return;
}
+ if (CADET_TUNNEL_READY != t->cstate)
+ return;
+
buffer = GCT_get_channels_buffer (t);
LOG (GNUNET_ERROR_TYPE_DEBUG, " buffer %u\n", buffer);
/* Make sure there is no overflow */
if (allowed > buffer)
- {
return;
- }
/* Authorize connections to send more data */
- to_allow = buffer; /* - allowed; */
+ to_allow = buffer - allowed;
for (iter = t->connection_head;
NULL != iter && to_allow > 0;
iter = iter->next)
{
- allow_per_connection = to_allow/cs;
- to_allow -= allow_per_connection;
- cs--;
- if (get_connection_allowed (iter) > 64 / 3)
+ if (CADET_CONNECTION_READY != GCC_get_state (iter->c)
+ || get_connection_allowed (iter) > 64 / 3)
{
continue;
}
+ allow_per_connection = to_allow/cs;
+ to_allow -= allow_per_connection;
+ cs--;
GCC_allow (iter->c, allow_per_connection,
GCC_is_origin (iter->c, GNUNET_NO));
}
- GNUNET_break (to_allow == 0); //FIXME tripped
+ if (0 != to_allow)
+ {
+ /* Since we don't allow if it's allowed to send 64/3, this can happen. */
+ LOG (GNUNET_ERROR_TYPE_DEBUG, " reminding to_allow: %u\n", to_allow);
+ }
}
return send_prebuilt_message (message, t, c, force, cont, cont_cls, NULL);
}
+
+/**
+ * Send an Axolotl KX message.
+ *
+ * @param t Tunnel on which to send it.
+ * @param force_reply Force the other peer to reply with a KX message.
+ */
+void
+GCT_send_ax_kx (struct CadetTunnel *t, int force_reply)
+{
+ struct GNUNET_CADET_AX_KX msg;
+
+ LOG (GNUNET_ERROR_TYPE_INFO, "===> AX_KX for %s\n", GCT_2s (t));
+ if (NULL != t->ephm_h)
+ {
+ LOG (GNUNET_ERROR_TYPE_INFO, " already queued\n");
+ return;
+ }
+
+ msg.header.size = htons (sizeof (msg));
+ msg.header.type = htons (GNUNET_MESSAGE_TYPE_CADET_AX_KX);
+ msg.force_reply = htonl (force_reply);
+ msg.permanent_key = ax_identity.permanent_key;
+ msg.purpose = ax_identity.purpose;
+ msg.signature = ax_identity.signature;
+ GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->kx_0, &msg.ephemeral_key);
+ GNUNET_CRYPTO_ecdhe_key_get_public (t->ax->DHRs, &msg.ratchet_key);
+
+ t->ephm_h = send_kx (t, &msg.header);
+ if (CADET_TUNNEL_KEY_OK != t->estate)
+ GCT_change_estate (t, CADET_TUNNEL_KEY_SENT);
+}
+
+
/**
* Sends an already built and encrypted message on a tunnel, choosing the best
* connection. Useful for re-queueing messages queued on a destroyed connection.
struct CadetTConnection *iter;
for (iter = t->connection_head; NULL != iter; iter = iter->next)
- if (GCC_get_path (iter->c) == p)
+ if (path_equivalent (GCC_get_path (iter->c), p))
return GNUNET_YES;
return GNUNET_NO;
/***************************** INFO/DEBUG *******************************/
/******************************************************************************/
+static void
+ax_debug (const struct CadetTunnelAxolotl *ax, enum GNUNET_ErrorType level)
+{
+ struct GNUNET_CRYPTO_EcdhePublicKey pub;
+ struct CadetTunnelSkippedKey *iter;
+
+
+ LOG2 (level, "TTT RK\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->RK));
+
+ LOG2 (level, "TTT HKs\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->HKs));
+ LOG2 (level, "TTT HKr\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->HKr));
+ LOG2 (level, "TTT NHKs\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->NHKs));
+ LOG2 (level, "TTT NHKr\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->NHKr));
+
+ LOG2 (level, "TTT CKs\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->CKs));
+ LOG2 (level, "TTT CKr\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->CKr));
+
+ GNUNET_CRYPTO_ecdhe_key_get_public (ax_key, &pub);
+ LOG2 (level, "TTT DHIs\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &pub));
+ LOG2 (level, "TTT DHIr\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->DHIr));
+ GNUNET_CRYPTO_ecdhe_key_get_public (ax->DHRs, &pub);
+ LOG2 (level, "TTT DHRs\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &pub));
+ LOG2 (level, "TTT DHRr\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &ax->DHRr));
+
+ LOG2 (level, "TTT Nr\t %u\tNs\t%u\n", ax->Nr, ax->Ns);
+ LOG2 (level, "TTT PNs\t %u\tSkipped\t%u\n", ax->PNs, ax->skipped);
+ LOG2 (level, "TTT Ratchet\t%u\n", ax->ratchet_flag);
+
+ for (iter = ax->skipped_head; NULL != iter; iter = iter->next)
+ {
+ LOG2 (level, "TTT HK\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &iter->HK));
+ LOG2 (level, "TTT MK\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &iter->MK));
+ }
+}
+
/**
* Log all possible info about the tunnel state.
*
LOG2 (level, "TTT kx_ctx %p, rekey_task %u, finish task %u\n",
t->kx_ctx, t->rekey_task, t->kx_ctx ? t->kx_ctx->finish_task : 0);
#if DUMP_KEYS_TO_STDERR
- LOG2 (level, "TTT my EPHM\t %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &kx_msg.ephemeral_key));
- LOG2 (level, "TTT peers EPHM:\t %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
- LOG2 (level, "TTT ENC key:\t %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->e_key));
- LOG2 (level, "TTT DEC key:\t %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
- if (t->kx_ctx)
- {
- LOG2 (level, "TTT OLD ENC key:\t %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->kx_ctx->e_key_old));
- LOG2 (level, "TTT OLD DEC key:\t %s\n",
- GNUNET_h2s ((struct GNUNET_HashCode *) &t->kx_ctx->d_key_old));
+ if (CADET_Axolotl == t->enc_type)
+ {
+ ax_debug (t->ax, level);
+ }
+ else
+ {
+ LOG2 (level, "TTT my EPHM\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &otr_kx_msg.ephemeral_key));
+ LOG2 (level, "TTT peers EPHM:\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->peers_ephemeral_key));
+ LOG2 (level, "TTT ENC key:\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->e_key));
+ LOG2 (level, "TTT DEC key:\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->d_key));
+ if (t->kx_ctx)
+ {
+ LOG2 (level, "TTT OLD ENC key:\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->kx_ctx->e_key_old));
+ LOG2 (level, "TTT OLD DEC key:\t %s\n",
+ GNUNET_h2s ((struct GNUNET_HashCode *) &t->kx_ctx->d_key_old));
+ }
}
#endif
LOG2 (level, "TTT tq_head %p, tq_tail %p\n", t->tq_head, t->tq_tail);