author | Christian Grothoff <christian@grothoff.org> | 2017-01-28 12:30:55 +0100 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2017-01-28 12:30:55 +0100 |
commit | 5f81f7047cbb8a682803709f4821f5492930dbb2 (patch) | |
tree | bb8496d066aec413c4a27a792f6cb4a34e6cc5b0 | |
parent | 58beb5ec4ca0dae1e9adc8617c9d69e5b558b9cc (diff) | |
download | gnunet-5f81f7047cbb8a682803709f4821f5492930dbb2.tar.gz gnunet-5f81f7047cbb8a682803709f4821f5492930dbb2.zip |
slightly better documentation for KX logic
-rw-r--r-- | src/cadet/gnunet-service-cadet-new_tunnels.c | 62 |
1 files changed, 43 insertions, 19 deletions
diff --git a/src/cadet/gnunet-service-cadet-new_tunnels.c b/src/cadet/gnunet-service-cadet-new_tunnels.c index 10ff2867d..ea8559eb4 100644 --- a/src/cadet/gnunet-service-cadet-new_tunnels.c +++ b/src/cadet/gnunet-service-cadet-new_tunnels.c | |||
@@ -133,32 +133,40 @@ struct CadetTunnelAxolotl | |||
133 | struct GNUNET_CRYPTO_SymmetricSessionKey RK; | 133 | struct GNUNET_CRYPTO_SymmetricSessionKey RK; |
134 | 134 | ||
135 | /** | 135 | /** |
136 | * 32-byte header key (send). | 136 | * 32-byte header key (currently used for sending). |
137 | */ | 137 | */ |
138 | struct GNUNET_CRYPTO_SymmetricSessionKey HKs; | 138 | struct GNUNET_CRYPTO_SymmetricSessionKey HKs; |
139 | 139 | ||
140 | /** | 140 | /** |
141 | * 32-byte header key (recv) | 141 | * 32-byte header key (currently used for receiving) |
142 | */ | 142 | */ |
143 | struct GNUNET_CRYPTO_SymmetricSessionKey HKr; | 143 | struct GNUNET_CRYPTO_SymmetricSessionKey HKr; |
144 | 144 | ||
145 | /** | 145 | /** |
146 | * 32-byte next header key (send). | 146 | * 32-byte next header key (for sending), used once the |
147 | * ratchet advances. We are sure that the sender has this | ||
148 | * key as well only after @e ratchet_allowed is #GNUNET_YES. | ||
147 | */ | 149 | */ |
148 | struct GNUNET_CRYPTO_SymmetricSessionKey NHKs; | 150 | struct GNUNET_CRYPTO_SymmetricSessionKey NHKs; |
149 | 151 | ||
150 | /** | 152 | /** |
151 | * 32-byte next header key (recv). | 153 | * 32-byte next header key (for receiving). To be tried |
154 | * when decrypting with @e HKr fails and thus the sender | ||
155 | * may have advanced the ratchet. | ||
152 | */ | 156 | */ |
153 | struct GNUNET_CRYPTO_SymmetricSessionKey NHKr; | 157 | struct GNUNET_CRYPTO_SymmetricSessionKey NHKr; |
154 | 158 | ||
155 | /** | 159 | /** |
156 | * 32-byte chain keys (used for forward-secrecy updating, send). | 160 | * 32-byte chain keys (used for forward-secrecy) for |
161 | * sending messages. Updated for every message. | ||
157 | */ | 162 | */ |
158 | struct GNUNET_CRYPTO_SymmetricSessionKey CKs; | 163 | struct GNUNET_CRYPTO_SymmetricSessionKey CKs; |
159 | 164 | ||
160 | /** | 165 | /** |
161 | * 32-byte chain keys (used for forward-secrecy updating, recv). | 166 | * 32-byte chain keys (used for forward-secrecy) for |
167 | * receiving messages. Updated for every message. If | ||
168 | * messages are skipped, the respective derived MKs | ||
169 | * (and the current @HKr) are kept in the @e skipped_head DLL. | ||
162 | */ | 170 | */ |
163 | struct GNUNET_CRYPTO_SymmetricSessionKey CKr; | 171 | struct GNUNET_CRYPTO_SymmetricSessionKey CKr; |
164 | 172 | ||
@@ -168,17 +176,18 @@ struct CadetTunnelAxolotl | |||
168 | struct GNUNET_CRYPTO_EcdhePrivateKey *kx_0; | 176 | struct GNUNET_CRYPTO_EcdhePrivateKey *kx_0; |
169 | 177 | ||
170 | /** | 178 | /** |
171 | * ECDH Ratchet key (send). | 179 | * ECDH Ratchet key (our private key in the current DH). |
172 | */ | 180 | */ |
173 | struct GNUNET_CRYPTO_EcdhePrivateKey *DHRs; | 181 | struct GNUNET_CRYPTO_EcdhePrivateKey *DHRs; |
174 | 182 | ||
175 | /** | 183 | /** |
176 | * ECDH Ratchet key (recv). | 184 | * ECDH Ratchet key (other peer's public key in the current DH). |
177 | */ | 185 | */ |
178 | struct GNUNET_CRYPTO_EcdhePublicKey DHRr; | 186 | struct GNUNET_CRYPTO_EcdhePublicKey DHRr; |
179 | 187 | ||
180 | /** | 188 | /** |
181 | * When does this ratchet expire and a new one is triggered. | 189 | * Time when the current ratchet expires and a new one is triggered |
190 | * (if @e ratchet_allowed is #GNUNET_YES). | ||
182 | */ | 191 | */ |
183 | struct GNUNET_TIME_Absolute ratchet_expiration; | 192 | struct GNUNET_TIME_Absolute ratchet_expiration; |
184 | 193 | ||
@@ -208,16 +217,28 @@ struct CadetTunnelAxolotl | |||
208 | int ratchet_flag; | 217 | int ratchet_flag; |
209 | 218 | ||
210 | /** | 219 | /** |
211 | * Number of messages recieved since our last ratchet advance. | 220 | * True (#GNUNET_YES) if we have received a message from the |
212 | * - If this counter = 0, we cannot send a new ratchet key in next msg. | 221 | * other peer that uses the keys from our last ratchet step. |
213 | * - If this counter > 0, we can (but don't yet have to) send a new key. | 222 | * This implies that we are again allowed to advance the ratchet, |
223 | * otherwise we have to wait until the other peer sees our current | ||
224 | * ephemeral key and advances first. | ||
225 | * | ||
226 | * #GNUNET_NO if we have advanced the ratched but lack any evidence | ||
227 | * that the other peer has noticed this. | ||
214 | */ | 228 | */ |
215 | unsigned int ratchet_allowed; | 229 | int ratchet_allowed; |
216 | 230 | ||
217 | /** | 231 | /** |
218 | * Number of messages recieved since our last ratchet advance. | 232 | * Number of messages recieved since our last ratchet advance. |
219 | * - If this counter = 0, we cannot send a new ratchet key in next msg. | 233 | * |
220 | * - If this counter > 0, we can (but don't yet have to) send a new key. | 234 | * If this counter = 0, we cannot send a new ratchet key in the next |
235 | * message. | ||
236 | * | ||
237 | * If this counter > 0, we could (but don't have to) send a new key. | ||
238 | * | ||
239 | * Once the @e ratchet_counter is larger than | ||
240 | * #ratchet_messages (or @e ratchet_expiration time has past), and | ||
241 | * @e ratchet_allowed is #GNUNET_YES, we advance the ratchet. | ||
221 | */ | 242 | */ |
222 | unsigned int ratchet_counter; | 243 | unsigned int ratchet_counter; |
223 | 244 | ||
@@ -629,7 +650,7 @@ t_hmac (const void *plaintext, | |||
629 | * Perform a HMAC. | 650 | * Perform a HMAC. |
630 | * | 651 | * |
631 | * @param key Key to use. | 652 | * @param key Key to use. |
632 | * @param hash[out] Resulting HMAC. | 653 | * @param[out] hash Resulting HMAC. |
633 | * @param source Source key material (data to HMAC). | 654 | * @param source Source key material (data to HMAC). |
634 | * @param len Length of @a source. | 655 | * @param len Length of @a source. |
635 | */ | 656 | */ |
@@ -809,7 +830,7 @@ t_ax_decrypt (struct CadetTunnelAxolotl *ax, | |||
809 | * Encrypt header with the axolotl header key. | 830 | * Encrypt header with the axolotl header key. |
810 | * | 831 | * |
811 | * @param ax key material to use. | 832 | * @param ax key material to use. |
812 | * @param msg Message whose header to encrypt. | 833 | * @param[in|out] msg Message whose header to encrypt. |
813 | */ | 834 | */ |
814 | static void | 835 | static void |
815 | t_h_encrypt (struct CadetTunnelAxolotl *ax, | 836 | t_h_encrypt (struct CadetTunnelAxolotl *ax, |
@@ -822,11 +843,11 @@ t_h_encrypt (struct CadetTunnelAxolotl *ax, | |||
822 | &ax->HKs, | 843 | &ax->HKs, |
823 | NULL, 0, | 844 | NULL, 0, |
824 | NULL); | 845 | NULL); |
825 | out_size = GNUNET_CRYPTO_symmetric_encrypt (&msg->ax_header.Ns, | 846 | out_size = GNUNET_CRYPTO_symmetric_encrypt (&msg->ax_header, |
826 | sizeof (struct GNUNET_CADET_AxHeader), | 847 | sizeof (struct GNUNET_CADET_AxHeader), |
827 | &ax->HKs, | 848 | &ax->HKs, |
828 | &iv, | 849 | &iv, |
829 | &msg->ax_header.Ns); | 850 | &msg->ax_header); |
830 | GNUNET_assert (sizeof (struct GNUNET_CADET_AxHeader) == out_size); | 851 | GNUNET_assert (sizeof (struct GNUNET_CADET_AxHeader) == out_size); |
831 | } | 852 | } |
832 | 853 | ||
@@ -2579,6 +2600,9 @@ GCT_send (struct CadetTunnel *t, | |||
2579 | payload_size); | 2600 | payload_size); |
2580 | ax_msg->ax_header.Ns = htonl (t->ax.Ns++); | 2601 | ax_msg->ax_header.Ns = htonl (t->ax.Ns++); |
2581 | ax_msg->ax_header.PNs = htonl (t->ax.PNs); | 2602 | ax_msg->ax_header.PNs = htonl (t->ax.PNs); |
2603 | /* FIXME: we should do this once, not once per message; | ||
2604 | this is a point multiplication, and DHRs does not | ||
2605 | change all the time. */ | ||
2582 | GNUNET_CRYPTO_ecdhe_key_get_public (t->ax.DHRs, | 2606 | GNUNET_CRYPTO_ecdhe_key_get_public (t->ax.DHRs, |
2583 | &ax_msg->ax_header.DHRs); | 2607 | &ax_msg->ax_header.DHRs); |
2584 | t_h_encrypt (&t->ax, | 2608 | t_h_encrypt (&t->ax, |