From: Christian Grothoff Date: Fri, 27 Jan 2017 13:30:52 +0000 (+0100) Subject: trying to make KX logic slightly more readable X-Git-Tag: taler-0.2.1~277^2 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=164e9747a9a90666c98d2dd31541bb11a3eee51d;p=oweals%2Fgnunet.git trying to make KX logic slightly more readable --- diff --git a/src/cadet/cadet_protocol.h b/src/cadet/cadet_protocol.h index 8fb260dfd..e2d6f9d0b 100644 --- a/src/cadet/cadet_protocol.h +++ b/src/cadet/cadet_protocol.h @@ -205,7 +205,9 @@ enum GNUNET_CADET_KX_Flags { struct GNUNET_CADET_TunnelKeyExchangeMessage { /** - * Type: #GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX. + * Type: #GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX or + * #GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX_AUTH as part + * of `struct GNUNET_CADET_TunnelKeyExchangeAuthMessage`. */ struct GNUNET_MessageHeader header; @@ -234,17 +236,57 @@ struct GNUNET_CADET_TunnelKeyExchangeMessage */ struct GNUNET_CRYPTO_EcdhePublicKey ratchet_key; -#ifdef NEW_CADET +}; + + +/** + * Message for a Key eXchange for a tunnel, with authentication. + * Used as a response to the initial KX as well as for rekeying. + */ +struct GNUNET_CADET_TunnelKeyExchangeAuthMessage +{ + /** - * Proof that sender could compute the 3-DH, in lieu of a signature. + * Message header with key material. */ - struct GNUNET_HashCode triple_dh_proof; -#endif + struct GNUNET_CADET_TunnelKeyExchangeMessage kx; + + /** + * KDF-proof that sender could compute the 3-DH, used in lieu of a + * signature or payload data. + */ + struct GNUNET_HashCode auth; + +}; + + +/** + * Encrypted axolotl header with numbers that identify which + * keys in which ratchet are to be used to decrypt the body. + */ +struct GNUNET_CADET_AxHeader +{ + + /** + * Number of messages sent with the current ratchet key. + */ + uint32_t Ns GNUNET_PACKED; + + /** + * Number of messages sent with the previous ratchet key. + */ + uint32_t PNs GNUNET_PACKED; + + /** + * Current ratchet key. + */ + struct GNUNET_CRYPTO_EcdhePublicKey DHRs; + }; /** - * Axolotl tunnel message. + * Axolotl-encrypted tunnel message with application payload. */ struct GNUNET_CADET_TunnelEncryptedMessage { @@ -277,8 +319,13 @@ struct GNUNET_CADET_TunnelEncryptedMessage */ struct GNUNET_ShortHashCode hmac; - /**************** AX_HEADER start ****************/ - + #if NEW_CADET + /** + * Axolotl-header that specifies which keys to use in which ratchet + * to decrypt the body that follows. + */ + struct GNUNET_CADET_AxHeader ax_header; +#else /** * Number of messages sent with the current ratchet key. */ @@ -293,9 +340,7 @@ struct GNUNET_CADET_TunnelEncryptedMessage * Current ratchet key. */ struct GNUNET_CRYPTO_EcdhePublicKey DHRs; - - /**************** AX_HEADER end ****************/ - +#endif /** * Encrypted content follows. */ diff --git a/src/cadet/gnunet-service-cadet-new_tunnels.c b/src/cadet/gnunet-service-cadet-new_tunnels.c index bd46dc151..020564d8e 100644 --- a/src/cadet/gnunet-service-cadet-new_tunnels.c +++ b/src/cadet/gnunet-service-cadet-new_tunnels.c @@ -25,9 +25,9 @@ * * FIXME: * - KX: + * + clean up KX logic, including adding sender authentication * + implement rekeying * + check KX estate machine -- make sure it is never stuck! - * + clean up KX logic, including adding sender authentication * - connection management * + properly (evaluate, kill old ones, search for new ones) * + when managing connections, distinguish those that @@ -55,14 +55,6 @@ */ #define IDLE_DESTROY_DELAY GNUNET_TIME_relative_multiply(GNUNET_TIME_UNIT_SECONDS, 90) -/** - * Yuck, replace by 'offsetof' expression? - * FIXME. - */ -#define AX_HEADER_SIZE (sizeof (uint32_t) * 2\ - + sizeof (struct GNUNET_CRYPTO_EcdhePublicKey)) - - /** * Maximum number of skipped keys we keep in memory per tunnel. */ @@ -600,7 +592,8 @@ t_hmac (const void *plaintext, key, sizeof (*key), ctx, sizeof (ctx), NULL); - /* Two step: CADET_Hash is only 256 bits, HashCode is 512. */ + /* Two step: GNUNET_ShortHash is only 256 bits, + GNUNET_HashCode is 512, so we truncate. */ GNUNET_CRYPTO_hmac (&auth_key, plaintext, size, @@ -814,12 +807,12 @@ t_h_encrypt (struct CadetTunnel *t, &ax->HKs, NULL, 0, NULL); - out_size = GNUNET_CRYPTO_symmetric_encrypt (&msg->Ns, - AX_HEADER_SIZE, + out_size = GNUNET_CRYPTO_symmetric_encrypt (&msg->ax_header.Ns, + sizeof (struct GNUNET_CADET_AxHeader), &ax->HKs, &iv, - &msg->Ns); - GNUNET_assert (AX_HEADER_SIZE == out_size); + &msg->ax_header.Ns); + GNUNET_assert (sizeof (struct GNUNET_CADET_AxHeader) == out_size); } @@ -844,12 +837,12 @@ t_h_decrypt (struct CadetTunnel *t, &ax->HKr, NULL, 0, NULL); - out_size = GNUNET_CRYPTO_symmetric_decrypt (&src->Ns, - AX_HEADER_SIZE, + out_size = GNUNET_CRYPTO_symmetric_decrypt (&src->ax_header.Ns, + sizeof (struct GNUNET_CADET_AxHeader), &ax->HKr, &iv, - &dst->Ns); - GNUNET_assert (AX_HEADER_SIZE == out_size); + &dst->ax_header.Ns); + GNUNET_assert (sizeof (struct GNUNET_CADET_AxHeader) == out_size); } @@ -906,8 +899,8 @@ try_old_ax_keys (struct CadetTunnel *t, valid_HK = NULL; for (key = t->ax.skipped_head; NULL != key; key = key->next) { - t_hmac (&src->Ns, - AX_HEADER_SIZE + esize, + t_hmac (&src->ax_header, + sizeof (struct GNUNET_CADET_AxHeader) + esize, 0, &key->HK, hmac); @@ -932,15 +925,15 @@ try_old_ax_keys (struct CadetTunnel *t, &key->HK, NULL, 0, NULL); - res = GNUNET_CRYPTO_symmetric_decrypt (&src->Ns, - AX_HEADER_SIZE, + res = GNUNET_CRYPTO_symmetric_decrypt (&src->ax_header.Ns, + sizeof (struct GNUNET_CADET_AxHeader), &key->HK, &iv, - &plaintext_header.Ns); - GNUNET_assert (AX_HEADER_SIZE == res); + &plaintext_header.ax_header.Ns); + GNUNET_assert (sizeof (struct GNUNET_CADET_AxHeader) == res); /* Find the correct message key */ - N = ntohl (plaintext_header.Ns); + N = ntohl (plaintext_header.ax_header.Ns); while ( (NULL != key) && (N != key->Kn) ) key = key->next; @@ -1077,8 +1070,8 @@ t_ax_decrypt_and_validate (struct CadetTunnel *t, ax = &t->ax; /* Try current HK */ - t_hmac (&src->Ns, - AX_HEADER_SIZE + esize, + t_hmac (&src->ax_header, + sizeof (struct GNUNET_CADET_AxHeader) + esize, 0, &ax->HKr, &msg_hmac); if (0 != memcmp (&msg_hmac, @@ -1092,8 +1085,8 @@ t_ax_decrypt_and_validate (struct CadetTunnel *t, struct GNUNET_CRYPTO_EcdhePublicKey *DHRp; /* Try Next HK */ - t_hmac (&src->Ns, - AX_HEADER_SIZE + esize, + t_hmac (&src->ax_header, + sizeof (struct GNUNET_CADET_AxHeader) + esize, 0, &ax->NHKr, &msg_hmac); @@ -1112,9 +1105,9 @@ t_ax_decrypt_and_validate (struct CadetTunnel *t, t_h_decrypt (t, src, &plaintext_header); - Np = ntohl (plaintext_header.Ns); - PNp = ntohl (plaintext_header.PNs); - DHRp = &plaintext_header.DHRs; + Np = ntohl (plaintext_header.ax_header.Ns); + PNp = ntohl (plaintext_header.ax_header.PNs); + DHRp = &plaintext_header.ax_header.DHRs; store_ax_keys (t, &HK, PNp); @@ -1144,8 +1137,8 @@ t_ax_decrypt_and_validate (struct CadetTunnel *t, t_h_decrypt (t, src, &plaintext_header); - Np = ntohl (plaintext_header.Ns); - PNp = ntohl (plaintext_header.PNs); + Np = ntohl (plaintext_header.ax_header.Ns); + PNp = ntohl (plaintext_header.ax_header.PNs); } if ( (Np != ax->Nr) && (GNUNET_OK != store_ax_keys (t, @@ -2473,14 +2466,14 @@ GCT_send (struct CadetTunnel *t, &ax_msg[1], message, payload_size); - ax_msg->Ns = htonl (t->ax.Ns++); - ax_msg->PNs = htonl (t->ax.PNs); + ax_msg->ax_header.Ns = htonl (t->ax.Ns++); + ax_msg->ax_header.PNs = htonl (t->ax.PNs); GNUNET_CRYPTO_ecdhe_key_get_public (t->ax.DHRs, - &ax_msg->DHRs); + &ax_msg->ax_header.DHRs); t_h_encrypt (t, ax_msg); - t_hmac (&ax_msg->Ns, - AX_HEADER_SIZE + payload_size, + t_hmac (&ax_msg->ax_header, + sizeof (struct GNUNET_CADET_AxHeader) + payload_size, 0, &t->ax.HKs, &ax_msg->hmac); diff --git a/src/include/gnunet_protocols.h b/src/include/gnunet_protocols.h index 4079aa0e4..1b6152206 100644 --- a/src/include/gnunet_protocols.h +++ b/src/include/gnunet_protocols.h @@ -2651,9 +2651,20 @@ extern "C" /** * Hop-by-hop, connection dependent ACK. + * + * @deprecated */ #define GNUNET_MESSAGE_TYPE_CADET_CONNECTION_HOP_BY_HOP_ENCRYPTED_ACK 1005 +/** + * We do not bother with ACKs for + * #GNUNET_MESSAGE_TYPE_CADET_TUNNEL_ENCRYPTED messages, but we instead + * poll for one if we got nothing for a while and start to be worried. + * + * @deprecated + */ +#define GNUNET_MESSAGE_TYPE_CADET_TUNNEL_ENCRYPTED_POLL 1006 + /** * Axolotl key exchange. */ @@ -2665,11 +2676,9 @@ extern "C" #define GNUNET_MESSAGE_TYPE_CADET_TUNNEL_ENCRYPTED 1008 /** - * We do not bother with ACKs for - * #GNUNET_MESSAGE_TYPE_CADET_TUNNEL_ENCRYPTED messages, but we instead - * poll for one if we got nothing for a while and start to be worried. + * Axolotl key exchange response with authentication. */ -#define GNUNET_MESSAGE_TYPE_CADET_TUNNEL_ENCRYPTED_POLL 1006 +#define GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX_AUTH 1009 @@ -2707,6 +2716,8 @@ extern "C" /** * Reject the creation of a channel + * + * @deprecated */ #define GNUNET_MESSAGE_TYPE_CADET_CHANNEL_OPEN_NACK_DEPRECATED 1016