sanitize KX logic by always having the same peer go first

author: Christian Grothoff <christian@grothoff.org> 2018-05-17 00:09:07 +0200
committer: Christian Grothoff <christian@grothoff.org> 2018-05-17 00:09:07 +0200
commit: 7cab5e7bd71c7f6e72833c12a4853db121dce581 (patch)
tree: 74170ed9c9e20744c0f883136ad2080fc3b197bd /src/cadet
parent: da393a04d06d488bc3b424a8baa24676b53e6352 (diff)
download: gnunet-7cab5e7bd71c7f6e72833c12a4853db121dce581.tar.gz
gnunet-7cab5e7bd71c7f6e72833c12a4853db121dce581.zip
1 files changed, 157 insertions, 184 deletions
diff --git a/src/cadet/gnunet-service-cadet_tunnels.c b/src/cadet/gnunet-service-cadet_tunnels.c
index 6b4bda08d..2565b8f18 100644
--- a/src/cadet/gnunet-service-cadet_tunnels.c
+++ b/src/cadet/gnunet-service-cadet_tunnels.c
@@ -459,6 +459,29 @@ struct CadetTunnel
 /**
+ * Am I Alice or Bob, or talking to myself?
+ *
+ * @param other the other peer
+ * @return #GNUNET_YES for Alice, #GNUNET_NO for Bob, #GNUNET_SYSERR if talking to myself
+ */
+static int
+alice_or_bob (const struct GNUNET_PeerIdentity *other)
+{
+  if (0 > GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
+                                           other))
+    return GNUNET_YES;
+  else if (0 < GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
+                                                other))
+    return GNUNET_NO;
+  else
+  {
+    GNUNET_break_op (0);
+    return GNUNET_SYSERR;
+  }
+}
+/**
 * Connection @a ct is now unready, clear it's ready flag
 * and move it from the ready DLL to the busy DLL.
 *
@@ -1324,6 +1347,8 @@ send_kx (struct CadetTunnel *t,
  struct GNUNET_CADET_TunnelKeyExchangeMessage *msg;
  enum GNUNET_CADET_KX_Flags flags;
+  if (GNUNET_YES != alice_or_bob (GCP_get_id (t->destination)))
+    return; /* only Alice may send KX */
  if ( (NULL == ct) ||
       (GNUNET_NO == ct->is_ready) )
    ct = get_ready_connection (t);
@@ -1346,13 +1371,6 @@ send_kx (struct CadetTunnel *t,
                                      &msg->ephemeral_key);
  GNUNET_CRYPTO_ecdhe_key_get_public (&ax->DHRs,
                                      &msg->ratchet_key);
-  LOG (GNUNET_ERROR_TYPE_DEBUG,
-       "Sending KX with E=%s and R=%s on %s via %s in state %s\n",
-       GNUNET_e2s (&msg->ephemeral_key),
-       GNUNET_e2s2 (&msg->ratchet_key),
-       GCT_2s (t),
-       GCC_2s (cc),
-       estate2s (t->estate));
  mark_connection_unready (ct);
  t->kx_retry_delay = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay);
  t->next_kx_attempt = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay);
@@ -1421,18 +1439,6 @@ send_kx_auth (struct CadetTunnel *t,
  GNUNET_CRYPTO_hash (&ax->RK,
                      sizeof (ax->RK),
                      &msg->auth);
-  LOG (GNUNET_ERROR_TYPE_DEBUG,
-       "Sending KX_AUTH with E=%s and R=%s and A=%s on %s using %s\n",
-       GNUNET_e2s (&msg->kx.ephemeral_key),
-       GNUNET_e2s2 (&msg->kx.ratchet_key),
-       GNUNET_h2s (&msg->auth),
-       GCT_2s (t),
-       GCC_2s (ct->cc));
-  LOG (GNUNET_ERROR_TYPE_DEBUG,
-       "... this is in response to foreign E=%s and R=%s\n",
-       GNUNET_e2s2 (&ax->last_ephemeral),
-       GNUNET_e2s (&ax->DHRr));
  /* Compute when to be triggered again; actual job will
     be scheduled via #connection_ready_cb() */
  t->kx_retry_delay
@@ -1497,66 +1503,57 @@ update_ax_by_kx (struct CadetTunnelAxolotl *ax,
  const char salt[] = "CADET Axolotl salt";
  int am_I_alice;
-  if (0 > GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
+  if (GNUNET_SYSERR == (am_I_alice = alice_or_bob (pid)))
-                                           pid))
+  {
-    am_I_alice = GNUNET_YES;
+    GNUNET_break_op (0);
-  else if (0 < GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
+    return GNUNET_SYSERR;
-                                                pid))
+  }
-    am_I_alice = GNUNET_NO;
-  else
-    {
-      GNUNET_break_op (0);
-      return GNUNET_SYSERR;
-    }
  if (0 == memcmp (&ax->DHRr,
                   ratchet_key,
                   sizeof (*ratchet_key)))
-    {
+  {
-      GNUNET_STATISTICS_update (stats,
+    GNUNET_STATISTICS_update (stats,
-                                "# Ratchet key already known",
+                              "# Ratchet key already known",
-                                1,
+                              1,
-                                GNUNET_NO);
+                              GNUNET_NO);
-      LOG (GNUNET_ERROR_TYPE_DEBUG,
+    LOG (GNUNET_ERROR_TYPE_DEBUG,
-           "Ratchet key already known. Ignoring KX.\n");
+         "Ratchet key already known. Ignoring KX.\n");
-      return GNUNET_NO;
+    return GNUNET_NO;
-    }
+  }
  ax->DHRr = *ratchet_key;
  ax->last_ephemeral = *ephemeral_key;
  /* ECDH A B0 */
  if (GNUNET_YES == am_I_alice)
-    {
+  {
-      GNUNET_CRYPTO_eddsa_ecdh (my_private_key,      /* A */
+    GNUNET_CRYPTO_eddsa_ecdh (my_private_key,      /* a */
-                                ephemeral_key,       /* B0 */
+                              ephemeral_key,       /* B0 */
-                                &key_material[0]);
+                              &key_material[0]);
-    }
+  }
  else
-    {
+  {
-      GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0,            /* B0 */
+    GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0,            /* b0 */
-                                &pid->public_key,     /* A */
+                              &pid->public_key,     /* A */
-                                &key_material[0]);
+                              &key_material[0]);
-    }
+  }
  /* ECDH A0 B */
  if (GNUNET_YES == am_I_alice)
-    {
+  {
-      GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0,            /* A0 */
+    GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0,            /* a0 */
-                                &pid->public_key,     /* B */
+                              &pid->public_key,     /* B */
-                                &key_material[1]);
+                              &key_material[1]);
-    }
+  }
  else
-    {
+  {
-      GNUNET_CRYPTO_eddsa_ecdh (my_private_key,      /* A */
+    GNUNET_CRYPTO_eddsa_ecdh (my_private_key,      /* b  */
-                                ephemeral_key,       /* B0 */
+                              ephemeral_key,       /* A0 */
-                                &key_material[1]);
+                              &key_material[1]);
-    }
+  }
  /* ECDH A0 B0 */
-  GNUNET_CRYPTO_ecc_ecdh (&ax->kx_0,             /* A0 or B0 */
+  GNUNET_CRYPTO_ecc_ecdh (&ax->kx_0,             /* a0 or b0 */
                          ephemeral_key,         /* B0 or A0 */
                          &key_material[2]);
  /* KDF */
  GNUNET_CRYPTO_kdf (keys, sizeof (keys),
                     salt, sizeof (salt),
@@ -1566,36 +1563,36 @@ update_ax_by_kx (struct CadetTunnelAxolotl *ax,
  if (0 == memcmp (&ax->RK,
                   &keys[0],
                   sizeof (ax->RK)))
-    {
+  {
-      LOG (GNUNET_ERROR_TYPE_DEBUG,
+    LOG (GNUNET_ERROR_TYPE_DEBUG,
-           "Root key of handshake already known. Ignoring KX.\n");
+         "Root key already known. Ignoring KX.\n");
-      GNUNET_STATISTICS_update (stats,
+    GNUNET_STATISTICS_update (stats,
-                                "# Root key already known",
+                              "# Root key already known",
-                                1,
+                              1,
-                                GNUNET_NO);
+                              GNUNET_NO);
-      return GNUNET_NO;
+    return GNUNET_NO;
-    }
+  }
  ax->RK = keys[0];
  if (GNUNET_YES == am_I_alice)
-    {
+  {
-      ax->HKr = keys[1];
+    ax->HKr = keys[1];
-      ax->NHKs = keys[2];
+    ax->NHKs = keys[2];
-      ax->NHKr = keys[3];
+    ax->NHKr = keys[3];
-      ax->CKr = keys[4];
+    ax->CKr = keys[4];
-      ax->ratchet_flag = GNUNET_YES;
+    ax->ratchet_flag = GNUNET_YES;
-    }
+  }
  else
-    {
+  {
-      ax->HKs = keys[1];
+    ax->HKs = keys[1];
-      ax->NHKr = keys[2];
+    ax->NHKr = keys[2];
-      ax->NHKs = keys[3];
+    ax->NHKs = keys[3];
-      ax->CKs = keys[4];
+    ax->CKs = keys[4];
-      ax->ratchet_flag = GNUNET_NO;
+    ax->ratchet_flag = GNUNET_NO;
-      ax->ratchet_expiration
+    ax->ratchet_expiration
-        = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(),
+      = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(),
-                                    ratchet_time);
+                                  ratchet_time);
-    }
+  }
  return GNUNET_OK;
 }
@@ -1702,13 +1699,18 @@ GCT_handle_kx (struct CadetTConnection *ct,
               const struct GNUNET_CADET_TunnelKeyExchangeMessage *msg)
 {
  struct CadetTunnel *t = ct->t;
-  struct CadetTunnelAxolotl *ax;
  int ret;
  GNUNET_STATISTICS_update (stats,
                            "# KX received",
                            1,
                            GNUNET_NO);
+  if (GNUNET_YES == alice_or_bob (GCP_get_id (t->destination)))
+  {
+    /* Bob is not allowed to send KX! */
+    GNUNET_break_op (0);
+    return;
+  }
 #if 1
  if ( (0 ==
        memcmp (&t->ax.DHRr,
@@ -1720,8 +1722,6 @@ GCT_handle_kx (struct CadetTConnection *ct,
                sizeof (msg->ephemeral_key))) )
    {
-      LOG (GNUNET_ERROR_TYPE_DEBUG,
-           "Got duplicate KX. Firing back KX_AUTH.\n");
      GNUNET_STATISTICS_update (stats,
                                "# Duplicate KX received",
                                1,
@@ -1736,80 +1736,73 @@ GCT_handle_kx (struct CadetTConnection *ct,
  /* We only keep ONE unverified KX around, so if there is an existing one,
     clean it up. */
  if (NULL != t->unverified_ax)
+  {
+    if ( (0 ==
+          memcmp (&t->unverified_ax->DHRr,
+                  &msg->ratchet_key,
+                  sizeof (msg->ratchet_key))) &&
+         (0 ==
+          memcmp (&t->unverified_ax->last_ephemeral,
+                  &msg->ephemeral_key,
+                  sizeof (msg->ephemeral_key))) )
    {
-      if ( (0 ==
-            memcmp (&t->unverified_ax->DHRr,
-                    &msg->ratchet_key,
-                    sizeof (msg->ratchet_key))) &&
-           (0 ==
-            memcmp (&t->unverified_ax->last_ephemeral,
-                    &msg->ephemeral_key,
-                    sizeof (msg->ephemeral_key))) )
-        {
-          LOG (GNUNET_ERROR_TYPE_DEBUG,
-               "Got duplicate unverified KX on %s. Fire back KX_AUTH again.\n",
-               GCT_2s (t));
-          GNUNET_STATISTICS_update (stats,
-                                    "# Duplicate unverified KX received",
-                                    1,
-                                    GNUNET_NO);
-#if 1
-          send_kx_auth (t,
-                        ct,
-                        t->unverified_ax,
-                        GNUNET_NO);
-          return;
-#endif
-        }
-      LOG (GNUNET_ERROR_TYPE_DEBUG,
-           "Dropping old unverified KX state. Got a fresh KX for %s.\n",
-           GCT_2s (t));
      GNUNET_STATISTICS_update (stats,
-                                "# Unverified KX dropped for fresh KX",
+                                "# Duplicate unverified KX received",
                                1,
                                GNUNET_NO);
-      GNUNET_break (NULL == t->unverified_ax->skipped_head);
+#if 1
-      memset (t->unverified_ax,
+      send_kx_auth (t,
-              0,
+                    ct,
-              sizeof (struct CadetTunnelAxolotl));
+                    t->unverified_ax,
-      t->unverified_ax->DHRs = t->ax.DHRs;
+                    GNUNET_NO);
-      t->unverified_ax->kx_0 = t->ax.kx_0;
+      return;
+#endif
    }
+    LOG (GNUNET_ERROR_TYPE_DEBUG,
+         "Dropping old unverified KX state.\n");
+    GNUNET_STATISTICS_update (stats,
+                              "# Unverified KX dropped for fresh KX",
+                              1,
+                              GNUNET_NO);
+    GNUNET_break (NULL == t->unverified_ax->skipped_head);
+    memset (t->unverified_ax,
+            0,
+            sizeof (struct CadetTunnelAxolotl));
+  }
  else
-    {
+  {
-      LOG (GNUNET_ERROR_TYPE_DEBUG,
+    LOG (GNUNET_ERROR_TYPE_DEBUG,
-           "Creating fresh unverified KX for %s.\n",
+         "Creating fresh unverified KX for %s\n",
-           GCT_2s (t));
+         GCT_2s (t));
-      GNUNET_STATISTICS_update (stats,
+    GNUNET_STATISTICS_update (stats,
-                                "# Fresh KX setup",
+                              "# Fresh KX setup",
-                                1,
+                              1,
-                                GNUNET_NO);
+                              GNUNET_NO);
-      t->unverified_ax = GNUNET_new (struct CadetTunnelAxolotl);
+    t->unverified_ax = GNUNET_new (struct CadetTunnelAxolotl);
-      t->unverified_ax->DHRs = t->ax.DHRs;
+  }
-      t->unverified_ax->kx_0 = t->ax.kx_0;
-    }
  /* Set as the 'current' RK/DHRr the one we are currently using,
     so that the duplicate-detection logic of
     #update_ax_by_kx can work. */
  t->unverified_ax->RK = t->ax.RK;
  t->unverified_ax->DHRr = t->ax.DHRr;
+  t->unverified_ax->DHRs = t->ax.DHRs;
+  t->unverified_ax->kx_0 = t->ax.kx_0;
  t->unverified_attempts = 0;
-  ax = t->unverified_ax;
  /* Update 'ax' by the new key material */
-  ret = update_ax_by_kx (ax,
+  ret = update_ax_by_kx (t->unverified_ax,
                         GCP_get_id (t->destination),
                         &msg->ephemeral_key,
                         &msg->ratchet_key);
  GNUNET_break (GNUNET_SYSERR != ret);
  if (GNUNET_OK != ret)
-    {
+  {
-      GNUNET_STATISTICS_update (stats,
+    GNUNET_STATISTICS_update (stats,
-                                "# Useless KX",
+                              "# Useless KX",
-                                1,
+                              1,
-                                GNUNET_NO);
+                              GNUNET_NO);
-      return; /* duplicate KX, nothing to do */
+    return; /* duplicate KX, nothing to do */
-    }
+  }
  /* move ahead in our state machine */
  if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
    GCT_change_estate (t,
@@ -1820,13 +1813,13 @@ GCT_handle_kx (struct CadetTConnection *ct,
  /* KX is still not done, try again our end. */
  if (CADET_TUNNEL_KEY_OK != t->estate)
-    {
+  {
-      if (NULL != t->kx_task)
+    if (NULL != t->kx_task)
-        GNUNET_SCHEDULER_cancel (t->kx_task);
+      GNUNET_SCHEDULER_cancel (t->kx_task);
-      t->kx_task
+    t->kx_task
-        = GNUNET_SCHEDULER_add_now (&retry_kx,
+      = GNUNET_SCHEDULER_add_now (&retry_kx,
-                                    t);
+                                  t);
-    }
+  }
 }
@@ -1851,34 +1844,16 @@ GCT_handle_kx_auth (struct CadetTConnection *ct,
                            GNUNET_NO);
  if ( (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate) ||
       (CADET_TUNNEL_KEY_AX_RECV == t->estate) )
-    {
-      /* Confusing, we got a KX_AUTH before we even send our own
-         KX. This should not happen. We'll send our own KX ASAP anyway,
-         so let's ignore this here. */
-      GNUNET_break_op (0);
-      return;
-    }
-  LOG (GNUNET_ERROR_TYPE_DEBUG,
-       "Handling KX_AUTH message for %s with E=%s and R=%s and A=%s\n",
-       GCT_2s (t),
-       GNUNET_e2s (&msg->kx.ephemeral_key),
-       GNUNET_e2s2 (&msg->kx.ratchet_key),
-       GNUNET_h2s (&msg->auth));
  {
-    struct GNUNET_CRYPTO_EcdhePublicKey ephemeral_key;
+    /* Confusing, we got a KX_AUTH before we even send our own
-    struct GNUNET_CRYPTO_EcdhePublicKey ratchet_key;
+       KX. This should not happen. We'll send our own KX ASAP anyway,
+       so let's ignore this here. */
-    GNUNET_CRYPTO_ecdhe_key_get_public (&t->ax.kx_0,
+    GNUNET_break_op (0);
-                                        &ephemeral_key);
+    return;
-    GNUNET_CRYPTO_ecdhe_key_get_public (&t->ax.DHRs,
-                                        &ratchet_key);
-    LOG (GNUNET_ERROR_TYPE_DEBUG,
-         "... my E=%s and R=%s\n",
-         GNUNET_e2s2 (&ephemeral_key),
-         GNUNET_e2s (&ratchet_key));
  }
+  LOG (GNUNET_ERROR_TYPE_DEBUG,
+       "Handling KX_AUTH message for %s\n",
+       GCT_2s (t));
  /* We do everything in ax_tmp until we've checked the authentication
     so we don't clobber anything we care about by accident. */
  ax_tmp = t->ax;
@@ -1912,10 +1887,8 @@ GCT_handle_kx_auth (struct CadetTConnection *ct,
                              "# KX_AUTH not using our last KX received (auth failure)",
                              1,
                              GNUNET_NO);
-    LOG (GNUNET_ERROR_TYPE_DEBUG,
+    LOG (GNUNET_ERROR_TYPE_WARNING,
-         "AUTH missmatch: got %s, expected %s\n",
+         "KX AUTH missmatch!\n");
-         GNUNET_h2s (&msg->auth),
-         GNUNET_h2s2 (&kx_auth));
    send_kx (t,
             ct,
             &t->ax);
author	Christian Grothoff <christian@grothoff.org>	2018-05-17 00:09:07 +0200
committer	Christian Grothoff <christian@grothoff.org>	2018-05-17 00:09:07 +0200
commit	7cab5e7bd71c7f6e72833c12a4853db121dce581 (patch)
tree	74170ed9c9e20744c0f883136ad2080fc3b197bd /src/cadet
parent	da393a04d06d488bc3b424a8baa24676b53e6352 (diff)
download	gnunet-7cab5e7bd71c7f6e72833c12a4853db121dce581.tar.gz gnunet-7cab5e7bd71c7f6e72833c12a4853db121dce581.zip

diff --git a/src/cadet/gnunet-service-cadet_tunnels.c b/src/cadet/gnunet-service-cadet_tunnels.c index 6b4bda08d..2565b8f18 100644 --- a/src/cadet/gnunet-service-cadet_tunnels.c +++ b/src/cadet/gnunet-service-cadet_tunnels.c
@@ -459,6 +459,29 @@ struct CadetTunnel
459		459
460		460
461	/**	461	/**
		462	* Am I Alice or Bob, or talking to myself?
		463	*
		464	* @param other the other peer
		465	* @return #GNUNET_YES for Alice, #GNUNET_NO for Bob, #GNUNET_SYSERR if talking to myself
		466	*/
		467	static int
		468	alice_or_bob (const struct GNUNET_PeerIdentity *other)
		469	{
		470	if (0 > GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
		471	other))
		472	return GNUNET_YES;
		473	else if (0 < GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,
		474	other))
		475	return GNUNET_NO;
		476	else
		477	{
		478	GNUNET_break_op (0);
		479	return GNUNET_SYSERR;
		480	}
		481	}
		482
		483
		484	/**
462	* Connection @a ct is now unready, clear it's ready flag	485	* Connection @a ct is now unready, clear it's ready flag
463	* and move it from the ready DLL to the busy DLL.	486	* and move it from the ready DLL to the busy DLL.
464	*	487	*
@@ -1324,6 +1347,8 @@ send_kx (struct CadetTunnel *t,
1324	struct GNUNET_CADET_TunnelKeyExchangeMessage *msg;	1347	struct GNUNET_CADET_TunnelKeyExchangeMessage *msg;
1325	enum GNUNET_CADET_KX_Flags flags;	1348	enum GNUNET_CADET_KX_Flags flags;
1326		1349
		1350	if (GNUNET_YES != alice_or_bob (GCP_get_id (t->destination)))
		1351	return; /* only Alice may send KX */
1327	if ( (NULL == ct) \|\|	1352	if ( (NULL == ct) \|\|
1328	(GNUNET_NO == ct->is_ready) )	1353	(GNUNET_NO == ct->is_ready) )
1329	ct = get_ready_connection (t);	1354	ct = get_ready_connection (t);
@@ -1346,13 +1371,6 @@ send_kx (struct CadetTunnel *t,
1346	&msg->ephemeral_key);	1371	&msg->ephemeral_key);
1347	GNUNET_CRYPTO_ecdhe_key_get_public (&ax->DHRs,	1372	GNUNET_CRYPTO_ecdhe_key_get_public (&ax->DHRs,
1348	&msg->ratchet_key);	1373	&msg->ratchet_key);
1349	LOG (GNUNET_ERROR_TYPE_DEBUG,
1350	"Sending KX with E=%s and R=%s on %s via %s in state %s\n",
1351	GNUNET_e2s (&msg->ephemeral_key),
1352	GNUNET_e2s2 (&msg->ratchet_key),
1353	GCT_2s (t),
1354	GCC_2s (cc),
1355	estate2s (t->estate));
1356	mark_connection_unready (ct);	1374	mark_connection_unready (ct);
1357	t->kx_retry_delay = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay);	1375	t->kx_retry_delay = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay);
1358	t->next_kx_attempt = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay);	1376	t->next_kx_attempt = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay);
@@ -1421,18 +1439,6 @@ send_kx_auth (struct CadetTunnel *t,
1421	GNUNET_CRYPTO_hash (&ax->RK,	1439	GNUNET_CRYPTO_hash (&ax->RK,
1422	sizeof (ax->RK),	1440	sizeof (ax->RK),
1423	&msg->auth);	1441	&msg->auth);
1424	LOG (GNUNET_ERROR_TYPE_DEBUG,
1425	"Sending KX_AUTH with E=%s and R=%s and A=%s on %s using %s\n",
1426	GNUNET_e2s (&msg->kx.ephemeral_key),
1427	GNUNET_e2s2 (&msg->kx.ratchet_key),
1428	GNUNET_h2s (&msg->auth),
1429	GCT_2s (t),
1430	GCC_2s (ct->cc));
1431	LOG (GNUNET_ERROR_TYPE_DEBUG,
1432	"... this is in response to foreign E=%s and R=%s\n",
1433	GNUNET_e2s2 (&ax->last_ephemeral),
1434	GNUNET_e2s (&ax->DHRr));
1435
1436	/* Compute when to be triggered again; actual job will	1442	/* Compute when to be triggered again; actual job will
1437	be scheduled via #connection_ready_cb() */	1443	be scheduled via #connection_ready_cb() */
1438	t->kx_retry_delay	1444	t->kx_retry_delay
@@ -1497,66 +1503,57 @@ update_ax_by_kx (struct CadetTunnelAxolotl *ax,
1497	const char salt[] = "CADET Axolotl salt";	1503	const char salt[] = "CADET Axolotl salt";
1498	int am_I_alice;	1504	int am_I_alice;
1499		1505
1500	if (0 > GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,	1506	if (GNUNET_SYSERR == (am_I_alice = alice_or_bob (pid)))
1501	pid))	1507	{
1502	am_I_alice = GNUNET_YES;	1508	GNUNET_break_op (0);
1503	else if (0 < GNUNET_CRYPTO_cmp_peer_identity (&my_full_id,	1509	return GNUNET_SYSERR;
1504	pid))	1510	}
1505	am_I_alice = GNUNET_NO;
1506	else
1507	{
1508	GNUNET_break_op (0);
1509	return GNUNET_SYSERR;
1510	}
1511
1512	if (0 == memcmp (&ax->DHRr,	1511	if (0 == memcmp (&ax->DHRr,
1513	ratchet_key,	1512	ratchet_key,
1514	sizeof (*ratchet_key)))	1513	sizeof (*ratchet_key)))
1515	{	1514	{
1516	GNUNET_STATISTICS_update (stats,	1515	GNUNET_STATISTICS_update (stats,
1517	"# Ratchet key already known",	1516	"# Ratchet key already known",
1518	1,	1517	1,
1519	GNUNET_NO);	1518	GNUNET_NO);
1520	LOG (GNUNET_ERROR_TYPE_DEBUG,	1519	LOG (GNUNET_ERROR_TYPE_DEBUG,
1521	"Ratchet key already known. Ignoring KX.\n");	1520	"Ratchet key already known. Ignoring KX.\n");
1522	return GNUNET_NO;	1521	return GNUNET_NO;
1523	}	1522	}
1524		1523
1525	ax->DHRr = *ratchet_key;	1524	ax->DHRr = *ratchet_key;
1526	ax->last_ephemeral = *ephemeral_key;	1525	ax->last_ephemeral = *ephemeral_key;
1527	/* ECDH A B0 */	1526	/* ECDH A B0 */
1528	if (GNUNET_YES == am_I_alice)	1527	if (GNUNET_YES == am_I_alice)
1529	{	1528	{
1530	GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* A */	1529	GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* a */
1531	ephemeral_key, /* B0 */	1530	ephemeral_key, /* B0 */
1532	&key_material[0]);	1531	&key_material[0]);
1533	}	1532	}
1534	else	1533	else
1535	{	1534	{
1536	GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* B0 */	1535	GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* b0 */
1537	&pid->public_key, /* A */	1536	&pid->public_key, /* A */
1538	&key_material[0]);	1537	&key_material[0]);
1539	}	1538	}
1540
1541	/* ECDH A0 B */	1539	/* ECDH A0 B */
1542	if (GNUNET_YES == am_I_alice)	1540	if (GNUNET_YES == am_I_alice)
1543	{	1541	{
1544	GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* A0 */	1542	GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* a0 */
1545	&pid->public_key, /* B */	1543	&pid->public_key, /* B */
1546	&key_material[1]);	1544	&key_material[1]);
1547	}	1545	}
1548	else	1546	else
1549	{	1547	{
1550	GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* A */	1548	GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* b */
1551	ephemeral_key, /* B0 */	1549	ephemeral_key, /* A0 */
1552	&key_material[1]);	1550	&key_material[1]);
1553	}	1551	}
1554		1552
1555	/* ECDH A0 B0 */	1553	/* ECDH A0 B0 */
1556	GNUNET_CRYPTO_ecc_ecdh (&ax->kx_0, /* A0 or B0 */	1554	GNUNET_CRYPTO_ecc_ecdh (&ax->kx_0, /* a0 or b0 */
1557	ephemeral_key, /* B0 or A0 */	1555	ephemeral_key, /* B0 or A0 */
1558	&key_material[2]);	1556	&key_material[2]);
1559
1560	/* KDF */	1557	/* KDF */
1561	GNUNET_CRYPTO_kdf (keys, sizeof (keys),	1558	GNUNET_CRYPTO_kdf (keys, sizeof (keys),
1562	salt, sizeof (salt),	1559	salt, sizeof (salt),
@@ -1566,36 +1563,36 @@ update_ax_by_kx (struct CadetTunnelAxolotl *ax,
1566	if (0 == memcmp (&ax->RK,	1563	if (0 == memcmp (&ax->RK,
1567	&keys[0],	1564	&keys[0],
1568	sizeof (ax->RK)))	1565	sizeof (ax->RK)))
1569	{	1566	{
1570	LOG (GNUNET_ERROR_TYPE_DEBUG,	1567	LOG (GNUNET_ERROR_TYPE_DEBUG,
1571	"Root key of handshake already known. Ignoring KX.\n");	1568	"Root key already known. Ignoring KX.\n");
1572	GNUNET_STATISTICS_update (stats,	1569	GNUNET_STATISTICS_update (stats,
1573	"# Root key already known",	1570	"# Root key already known",
1574	1,	1571	1,
1575	GNUNET_NO);	1572	GNUNET_NO);
1576	return GNUNET_NO;	1573	return GNUNET_NO;
1577	}	1574	}
1578		1575
1579	ax->RK = keys[0];	1576	ax->RK = keys[0];
1580	if (GNUNET_YES == am_I_alice)	1577	if (GNUNET_YES == am_I_alice)
1581	{	1578	{
1582	ax->HKr = keys[1];	1579	ax->HKr = keys[1];
1583	ax->NHKs = keys[2];	1580	ax->NHKs = keys[2];
1584	ax->NHKr = keys[3];	1581	ax->NHKr = keys[3];
1585	ax->CKr = keys[4];	1582	ax->CKr = keys[4];
1586	ax->ratchet_flag = GNUNET_YES;	1583	ax->ratchet_flag = GNUNET_YES;
1587	}	1584	}
1588	else	1585	else
1589	{	1586	{
1590	ax->HKs = keys[1];	1587	ax->HKs = keys[1];
1591	ax->NHKr = keys[2];	1588	ax->NHKr = keys[2];
1592	ax->NHKs = keys[3];	1589	ax->NHKs = keys[3];
1593	ax->CKs = keys[4];	1590	ax->CKs = keys[4];
1594	ax->ratchet_flag = GNUNET_NO;	1591	ax->ratchet_flag = GNUNET_NO;
1595	ax->ratchet_expiration	1592	ax->ratchet_expiration
1596	= GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(),	1593	= GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(),
1597	ratchet_time);	1594	ratchet_time);
1598	}	1595	}
1599	return GNUNET_OK;	1596	return GNUNET_OK;
1600	}	1597	}
1601		1598
@@ -1702,13 +1699,18 @@ GCT_handle_kx (struct CadetTConnection *ct,
1702	const struct GNUNET_CADET_TunnelKeyExchangeMessage *msg)	1699	const struct GNUNET_CADET_TunnelKeyExchangeMessage *msg)
1703	{	1700	{
1704	struct CadetTunnel *t = ct->t;	1701	struct CadetTunnel *t = ct->t;
1705	struct CadetTunnelAxolotl *ax;
1706	int ret;	1702	int ret;
1707		1703
1708	GNUNET_STATISTICS_update (stats,	1704	GNUNET_STATISTICS_update (stats,
1709	"# KX received",	1705	"# KX received",
1710	1,	1706	1,
1711	GNUNET_NO);	1707	GNUNET_NO);
		1708	if (GNUNET_YES == alice_or_bob (GCP_get_id (t->destination)))
		1709	{
		1710	/* Bob is not allowed to send KX! */
		1711	GNUNET_break_op (0);
		1712	return;
		1713	}
1712	#if 1	1714	#if 1
1713	if ( (0 ==	1715	if ( (0 ==
1714	memcmp (&t->ax.DHRr,	1716	memcmp (&t->ax.DHRr,
@@ -1720,8 +1722,6 @@ GCT_handle_kx (struct CadetTConnection *ct,
1720	sizeof (msg->ephemeral_key))) )	1722	sizeof (msg->ephemeral_key))) )
1721		1723
1722	{	1724	{
1723	LOG (GNUNET_ERROR_TYPE_DEBUG,
1724	"Got duplicate KX. Firing back KX_AUTH.\n");
1725	GNUNET_STATISTICS_update (stats,	1725	GNUNET_STATISTICS_update (stats,
1726	"# Duplicate KX received",	1726	"# Duplicate KX received",
1727	1,	1727	1,
@@ -1736,80 +1736,73 @@ GCT_handle_kx (struct CadetTConnection *ct,
1736	/* We only keep ONE unverified KX around, so if there is an existing one,	1736	/* We only keep ONE unverified KX around, so if there is an existing one,
1737	clean it up. */	1737	clean it up. */
1738	if (NULL != t->unverified_ax)	1738	if (NULL != t->unverified_ax)
		1739	{
		1740	if ( (0 ==
		1741	memcmp (&t->unverified_ax->DHRr,
		1742	&msg->ratchet_key,
		1743	sizeof (msg->ratchet_key))) &&
		1744	(0 ==
		1745	memcmp (&t->unverified_ax->last_ephemeral,
		1746	&msg->ephemeral_key,
		1747	sizeof (msg->ephemeral_key))) )
1739	{	1748	{
1740	if ( (0 ==
1741	memcmp (&t->unverified_ax->DHRr,
1742	&msg->ratchet_key,
1743	sizeof (msg->ratchet_key))) &&
1744	(0 ==
1745	memcmp (&t->unverified_ax->last_ephemeral,
1746	&msg->ephemeral_key,
1747	sizeof (msg->ephemeral_key))) )
1748	{
1749	LOG (GNUNET_ERROR_TYPE_DEBUG,
1750	"Got duplicate unverified KX on %s. Fire back KX_AUTH again.\n",
1751	GCT_2s (t));
1752	GNUNET_STATISTICS_update (stats,
1753	"# Duplicate unverified KX received",
1754	1,
1755	GNUNET_NO);
1756	#if 1
1757	send_kx_auth (t,
1758	ct,
1759	t->unverified_ax,
1760	GNUNET_NO);
1761	return;
1762	#endif
1763	}
1764	LOG (GNUNET_ERROR_TYPE_DEBUG,
1765	"Dropping old unverified KX state. Got a fresh KX for %s.\n",
1766	GCT_2s (t));
1767	GNUNET_STATISTICS_update (stats,	1749	GNUNET_STATISTICS_update (stats,
1768	"# Unverified KX dropped for fresh KX",	1750	"# Duplicate unverified KX received",
1769	1,	1751	1,
1770	GNUNET_NO);	1752	GNUNET_NO);
1771	GNUNET_break (NULL == t->unverified_ax->skipped_head);	1753	#if 1
1772	memset (t->unverified_ax,	1754	send_kx_auth (t,
1773	0,	1755	ct,
1774	sizeof (struct CadetTunnelAxolotl));	1756	t->unverified_ax,
1775	t->unverified_ax->DHRs = t->ax.DHRs;	1757	GNUNET_NO);
1776	t->unverified_ax->kx_0 = t->ax.kx_0;	1758	return;
		1759	#endif
1777	}	1760	}
		1761	LOG (GNUNET_ERROR_TYPE_DEBUG,
		1762	"Dropping old unverified KX state.\n");
		1763	GNUNET_STATISTICS_update (stats,
		1764	"# Unverified KX dropped for fresh KX",
		1765	1,
		1766	GNUNET_NO);
		1767	GNUNET_break (NULL == t->unverified_ax->skipped_head);
		1768	memset (t->unverified_ax,
		1769	0,
		1770	sizeof (struct CadetTunnelAxolotl));
		1771	}
1778	else	1772	else
1779	{	1773	{
1780	LOG (GNUNET_ERROR_TYPE_DEBUG,	1774	LOG (GNUNET_ERROR_TYPE_DEBUG,
1781	"Creating fresh unverified KX for %s.\n",	1775	"Creating fresh unverified KX for %s\n",
1782	GCT_2s (t));	1776	GCT_2s (t));
1783	GNUNET_STATISTICS_update (stats,	1777	GNUNET_STATISTICS_update (stats,
1784	"# Fresh KX setup",	1778	"# Fresh KX setup",
1785	1,	1779	1,
1786	GNUNET_NO);	1780	GNUNET_NO);
1787	t->unverified_ax = GNUNET_new (struct CadetTunnelAxolotl);	1781	t->unverified_ax = GNUNET_new (struct CadetTunnelAxolotl);
1788	t->unverified_ax->DHRs = t->ax.DHRs;	1782	}
1789	t->unverified_ax->kx_0 = t->ax.kx_0;
1790	}
1791	/* Set as the 'current' RK/DHRr the one we are currently using,	1783	/* Set as the 'current' RK/DHRr the one we are currently using,
1792	so that the duplicate-detection logic of	1784	so that the duplicate-detection logic of
1793	#update_ax_by_kx can work. */	1785	#update_ax_by_kx can work. */
1794	t->unverified_ax->RK = t->ax.RK;	1786	t->unverified_ax->RK = t->ax.RK;
1795	t->unverified_ax->DHRr = t->ax.DHRr;	1787	t->unverified_ax->DHRr = t->ax.DHRr;
		1788	t->unverified_ax->DHRs = t->ax.DHRs;
		1789	t->unverified_ax->kx_0 = t->ax.kx_0;
1796	t->unverified_attempts = 0;	1790	t->unverified_attempts = 0;
1797	ax = t->unverified_ax;
1798		1791
1799	/* Update 'ax' by the new key material */	1792	/* Update 'ax' by the new key material */
1800	ret = update_ax_by_kx (ax,	1793	ret = update_ax_by_kx (t->unverified_ax,
1801	GCP_get_id (t->destination),	1794	GCP_get_id (t->destination),
1802	&msg->ephemeral_key,	1795	&msg->ephemeral_key,
1803	&msg->ratchet_key);	1796	&msg->ratchet_key);
1804	GNUNET_break (GNUNET_SYSERR != ret);	1797	GNUNET_break (GNUNET_SYSERR != ret);
1805	if (GNUNET_OK != ret)	1798	if (GNUNET_OK != ret)
1806	{	1799	{
1807	GNUNET_STATISTICS_update (stats,	1800	GNUNET_STATISTICS_update (stats,
1808	"# Useless KX",	1801	"# Useless KX",
1809	1,	1802	1,
1810	GNUNET_NO);	1803	GNUNET_NO);
1811	return; /* duplicate KX, nothing to do */	1804	return; /* duplicate KX, nothing to do */
1812	}	1805	}
1813	/* move ahead in our state machine */	1806	/* move ahead in our state machine */
1814	if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)	1807	if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate)
1815	GCT_change_estate (t,	1808	GCT_change_estate (t,
@@ -1820,13 +1813,13 @@ GCT_handle_kx (struct CadetTConnection *ct,
1820		1813
1821	/* KX is still not done, try again our end. */	1814	/* KX is still not done, try again our end. */
1822	if (CADET_TUNNEL_KEY_OK != t->estate)	1815	if (CADET_TUNNEL_KEY_OK != t->estate)
1823	{	1816	{
1824	if (NULL != t->kx_task)	1817	if (NULL != t->kx_task)
1825	GNUNET_SCHEDULER_cancel (t->kx_task);	1818	GNUNET_SCHEDULER_cancel (t->kx_task);
1826	t->kx_task	1819	t->kx_task
1827	= GNUNET_SCHEDULER_add_now (&retry_kx,	1820	= GNUNET_SCHEDULER_add_now (&retry_kx,
1828	t);	1821	t);
1829	}	1822	}
1830	}	1823	}
1831		1824
1832		1825
@@ -1851,34 +1844,16 @@ GCT_handle_kx_auth (struct CadetTConnection *ct,
1851	GNUNET_NO);	1844	GNUNET_NO);
1852	if ( (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate) \|\|	1845	if ( (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate) \|\|
1853	(CADET_TUNNEL_KEY_AX_RECV == t->estate) )	1846	(CADET_TUNNEL_KEY_AX_RECV == t->estate) )
1854	{
1855	/* Confusing, we got a KX_AUTH before we even send our own
1856	KX. This should not happen. We'll send our own KX ASAP anyway,
1857	so let's ignore this here. */
1858	GNUNET_break_op (0);
1859	return;
1860	}
1861	LOG (GNUNET_ERROR_TYPE_DEBUG,
1862	"Handling KX_AUTH message for %s with E=%s and R=%s and A=%s\n",
1863	GCT_2s (t),
1864	GNUNET_e2s (&msg->kx.ephemeral_key),
1865	GNUNET_e2s2 (&msg->kx.ratchet_key),
1866	GNUNET_h2s (&msg->auth));
1867	{	1847	{
1868	struct GNUNET_CRYPTO_EcdhePublicKey ephemeral_key;	1848	/* Confusing, we got a KX_AUTH before we even send our own
1869	struct GNUNET_CRYPTO_EcdhePublicKey ratchet_key;	1849	KX. This should not happen. We'll send our own KX ASAP anyway,
1870		1850	so let's ignore this here. */
1871	GNUNET_CRYPTO_ecdhe_key_get_public (&t->ax.kx_0,	1851	GNUNET_break_op (0);
1872	&ephemeral_key);	1852	return;
1873	GNUNET_CRYPTO_ecdhe_key_get_public (&t->ax.DHRs,
1874	&ratchet_key);
1875	LOG (GNUNET_ERROR_TYPE_DEBUG,
1876	"... my E=%s and R=%s\n",
1877	GNUNET_e2s2 (&ephemeral_key),
1878	GNUNET_e2s (&ratchet_key));
1879	}	1853	}
1880		1854	LOG (GNUNET_ERROR_TYPE_DEBUG,
1881		1855	"Handling KX_AUTH message for %s\n",
		1856	GCT_2s (t));
1882	/* We do everything in ax_tmp until we've checked the authentication	1857	/* We do everything in ax_tmp until we've checked the authentication
1883	so we don't clobber anything we care about by accident. */	1858	so we don't clobber anything we care about by accident. */
1884	ax_tmp = t->ax;	1859	ax_tmp = t->ax;
@@ -1912,10 +1887,8 @@ GCT_handle_kx_auth (struct CadetTConnection *ct,
1912	"# KX_AUTH not using our last KX received (auth failure)",	1887	"# KX_AUTH not using our last KX received (auth failure)",
1913	1,	1888	1,
1914	GNUNET_NO);	1889	GNUNET_NO);
1915	LOG (GNUNET_ERROR_TYPE_DEBUG,	1890	LOG (GNUNET_ERROR_TYPE_WARNING,
1916	"AUTH missmatch: got %s, expected %s\n",	1891	"KX AUTH missmatch!\n");
1917	GNUNET_h2s (&msg->auth),
1918	GNUNET_h2s2 (&kx_auth));
1919	send_kx (t,	1892	send_kx (t,
1920	ct,	1893	ct,
1921	&t->ax);	1894	&t->ax);