diff options
| author | Christian Grothoff <christian@grothoff.org> | 2018-05-16 21:36:22 +0200 |
|---|---|---|
| committer | Christian Grothoff <christian@grothoff.org> | 2018-05-16 21:36:38 +0200 |
| commit | da393a04d06d488bc3b424a8baa24676b53e6352 (patch) | |
| tree | 1791dfd7a18919c065f0b945c65dd62d1a7727bf /src/cadet | |
| parent | 215e607f63847c77bd26d4c97eae8c7d6ca7f4a0 (diff) | |
| download | gnunet-da393a04d06d488bc3b424a8baa24676b53e6352.tar.gz gnunet-da393a04d06d488bc3b424a8baa24676b53e6352.zip | |
log key material hashes
Diffstat (limited to 'src/cadet')
| -rw-r--r-- | src/cadet/gnunet-service-cadet_tunnels.c | 461 |
1 files changed, 245 insertions, 216 deletions
diff --git a/src/cadet/gnunet-service-cadet_tunnels.c b/src/cadet/gnunet-service-cadet_tunnels.c index 97c50dc90..6b4bda08d 100644 --- a/src/cadet/gnunet-service-cadet_tunnels.c +++ b/src/cadet/gnunet-service-cadet_tunnels.c | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | /* | 1 | /* |
| 2 | This file is part of GNUnet. | 2 | This file is part of GNUnet. |
| 3 | Copyright (C) 2013, 2017 GNUnet e.V. | 3 | Copyright (C) 2013, 2017, 2018 GNUnet e.V. |
| 4 | 4 | ||
| 5 | GNUnet is free software; you can redistribute it and/or modify | 5 | GNUnet is free software; you can redistribute it and/or modify |
| 6 | it under the terms of the GNU General Public License as published | 6 | it under the terms of the GNU General Public License as published |
| @@ -1337,11 +1337,6 @@ send_kx (struct CadetTunnel *t, | |||
| 1337 | return; | 1337 | return; |
| 1338 | } | 1338 | } |
| 1339 | cc = ct->cc; | 1339 | cc = ct->cc; |
| 1340 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
| 1341 | "Sending KX on %s via %s in state %s\n", | ||
| 1342 | GCT_2s (t), | ||
| 1343 | GCC_2s (cc), | ||
| 1344 | estate2s (t->estate)); | ||
| 1345 | env = GNUNET_MQ_msg (msg, | 1340 | env = GNUNET_MQ_msg (msg, |
| 1346 | GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX); | 1341 | GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX); |
| 1347 | flags = GNUNET_CADET_KX_FLAG_FORCE_REPLY; /* always for KX */ | 1342 | flags = GNUNET_CADET_KX_FLAG_FORCE_REPLY; /* always for KX */ |
| @@ -1351,6 +1346,13 @@ send_kx (struct CadetTunnel *t, | |||
| 1351 | &msg->ephemeral_key); | 1346 | &msg->ephemeral_key); |
| 1352 | GNUNET_CRYPTO_ecdhe_key_get_public (&ax->DHRs, | 1347 | GNUNET_CRYPTO_ecdhe_key_get_public (&ax->DHRs, |
| 1353 | &msg->ratchet_key); | 1348 | &msg->ratchet_key); |
| 1349 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
| 1350 | "Sending KX with E=%s and R=%s on %s via %s in state %s\n", | ||
| 1351 | GNUNET_e2s (&msg->ephemeral_key), | ||
| 1352 | GNUNET_e2s2 (&msg->ratchet_key), | ||
| 1353 | GCT_2s (t), | ||
| 1354 | GCC_2s (cc), | ||
| 1355 | estate2s (t->estate)); | ||
| 1354 | mark_connection_unready (ct); | 1356 | mark_connection_unready (ct); |
| 1355 | t->kx_retry_delay = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay); | 1357 | t->kx_retry_delay = GNUNET_TIME_STD_BACKOFF (t->kx_retry_delay); |
| 1356 | t->next_kx_attempt = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay); | 1358 | t->next_kx_attempt = GNUNET_TIME_relative_to_absolute (t->kx_retry_delay); |
| @@ -1404,11 +1406,6 @@ send_kx_auth (struct CadetTunnel *t, | |||
| 1404 | } | 1406 | } |
| 1405 | t->kx_auth_requested = GNUNET_NO; /* clear flag */ | 1407 | t->kx_auth_requested = GNUNET_NO; /* clear flag */ |
| 1406 | cc = ct->cc; | 1408 | cc = ct->cc; |
| 1407 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
| 1408 | "Sending KX_AUTH on %s using %s\n", | ||
| 1409 | GCT_2s (t), | ||
| 1410 | GCC_2s (ct->cc)); | ||
| 1411 | |||
| 1412 | env = GNUNET_MQ_msg (msg, | 1409 | env = GNUNET_MQ_msg (msg, |
| 1413 | GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX_AUTH); | 1410 | GNUNET_MESSAGE_TYPE_CADET_TUNNEL_KX_AUTH); |
| 1414 | flags = GNUNET_CADET_KX_FLAG_NONE; | 1411 | flags = GNUNET_CADET_KX_FLAG_NONE; |
| @@ -1424,6 +1421,17 @@ send_kx_auth (struct CadetTunnel *t, | |||
| 1424 | GNUNET_CRYPTO_hash (&ax->RK, | 1421 | GNUNET_CRYPTO_hash (&ax->RK, |
| 1425 | sizeof (ax->RK), | 1422 | sizeof (ax->RK), |
| 1426 | &msg->auth); | 1423 | &msg->auth); |
| 1424 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
| 1425 | "Sending KX_AUTH with E=%s and R=%s and A=%s on %s using %s\n", | ||
| 1426 | GNUNET_e2s (&msg->kx.ephemeral_key), | ||
| 1427 | GNUNET_e2s2 (&msg->kx.ratchet_key), | ||
| 1428 | GNUNET_h2s (&msg->auth), | ||
| 1429 | GCT_2s (t), | ||
| 1430 | GCC_2s (ct->cc)); | ||
| 1431 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
| 1432 | "... this is in response to foreign E=%s and R=%s\n", | ||
| 1433 | GNUNET_e2s2 (&ax->last_ephemeral), | ||
| 1434 | GNUNET_e2s (&ax->DHRr)); | ||
| 1427 | 1435 | ||
| 1428 | /* Compute when to be triggered again; actual job will | 1436 | /* Compute when to be triggered again; actual job will |
| 1429 | be scheduled via #connection_ready_cb() */ | 1437 | be scheduled via #connection_ready_cb() */ |
| @@ -1496,53 +1504,53 @@ update_ax_by_kx (struct CadetTunnelAxolotl *ax, | |||
| 1496 | pid)) | 1504 | pid)) |
| 1497 | am_I_alice = GNUNET_NO; | 1505 | am_I_alice = GNUNET_NO; |
| 1498 | else | 1506 | else |
| 1499 | { | 1507 | { |
| 1500 | GNUNET_break_op (0); | 1508 | GNUNET_break_op (0); |
| 1501 | return GNUNET_SYSERR; | 1509 | return GNUNET_SYSERR; |
| 1502 | } | 1510 | } |
| 1503 | 1511 | ||
| 1504 | if (0 == memcmp (&ax->DHRr, | 1512 | if (0 == memcmp (&ax->DHRr, |
| 1505 | ratchet_key, | 1513 | ratchet_key, |
| 1506 | sizeof (*ratchet_key))) | 1514 | sizeof (*ratchet_key))) |
| 1507 | { | 1515 | { |
| 1508 | GNUNET_STATISTICS_update (stats, | 1516 | GNUNET_STATISTICS_update (stats, |
| 1509 | "# Ratchet key already known", | 1517 | "# Ratchet key already known", |
| 1510 | 1, | 1518 | 1, |
| 1511 | GNUNET_NO); | 1519 | GNUNET_NO); |
| 1512 | LOG (GNUNET_ERROR_TYPE_DEBUG, | 1520 | LOG (GNUNET_ERROR_TYPE_DEBUG, |
| 1513 | "Ratchet key already known. Ignoring KX.\n"); | 1521 | "Ratchet key already known. Ignoring KX.\n"); |
| 1514 | return GNUNET_NO; | 1522 | return GNUNET_NO; |
| 1515 | } | 1523 | } |
| 1516 | 1524 | ||
| 1517 | ax->DHRr = *ratchet_key; | 1525 | ax->DHRr = *ratchet_key; |
| 1518 | ax->last_ephemeral = *ephemeral_key; | 1526 | ax->last_ephemeral = *ephemeral_key; |
| 1519 | /* ECDH A B0 */ | 1527 | /* ECDH A B0 */ |
| 1520 | if (GNUNET_YES == am_I_alice) | 1528 | if (GNUNET_YES == am_I_alice) |
| 1521 | { | 1529 | { |
| 1522 | GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* A */ | 1530 | GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* A */ |
| 1523 | ephemeral_key, /* B0 */ | 1531 | ephemeral_key, /* B0 */ |
| 1524 | &key_material[0]); | 1532 | &key_material[0]); |
| 1525 | } | 1533 | } |
| 1526 | else | 1534 | else |
| 1527 | { | 1535 | { |
| 1528 | GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* B0 */ | 1536 | GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* B0 */ |
| 1529 | &pid->public_key, /* A */ | 1537 | &pid->public_key, /* A */ |
| 1530 | &key_material[0]); | 1538 | &key_material[0]); |
| 1531 | } | 1539 | } |
| 1532 | 1540 | ||
| 1533 | /* ECDH A0 B */ | 1541 | /* ECDH A0 B */ |
| 1534 | if (GNUNET_YES == am_I_alice) | 1542 | if (GNUNET_YES == am_I_alice) |
| 1535 | { | 1543 | { |
| 1536 | GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* A0 */ | 1544 | GNUNET_CRYPTO_ecdh_eddsa (&ax->kx_0, /* A0 */ |
| 1537 | &pid->public_key, /* B */ | 1545 | &pid->public_key, /* B */ |
| 1538 | &key_material[1]); | 1546 | &key_material[1]); |
| 1539 | } | 1547 | } |
| 1540 | else | 1548 | else |
| 1541 | { | 1549 | { |
| 1542 | GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* A */ | 1550 | GNUNET_CRYPTO_eddsa_ecdh (my_private_key, /* A */ |
| 1543 | ephemeral_key, /* B0 */ | 1551 | ephemeral_key, /* B0 */ |
| 1544 | &key_material[1]); | 1552 | &key_material[1]); |
| 1545 | } | 1553 | } |
| 1546 | 1554 | ||
| 1547 | /* ECDH A0 B0 */ | 1555 | /* ECDH A0 B0 */ |
| 1548 | GNUNET_CRYPTO_ecc_ecdh (&ax->kx_0, /* A0 or B0 */ | 1556 | GNUNET_CRYPTO_ecc_ecdh (&ax->kx_0, /* A0 or B0 */ |
| @@ -1558,36 +1566,36 @@ update_ax_by_kx (struct CadetTunnelAxolotl *ax, | |||
| 1558 | if (0 == memcmp (&ax->RK, | 1566 | if (0 == memcmp (&ax->RK, |
| 1559 | &keys[0], | 1567 | &keys[0], |
| 1560 | sizeof (ax->RK))) | 1568 | sizeof (ax->RK))) |
| 1561 | { | 1569 | { |
| 1562 | LOG (GNUNET_ERROR_TYPE_DEBUG, | 1570 | LOG (GNUNET_ERROR_TYPE_DEBUG, |
| 1563 | "Root key of handshake already known. Ignoring KX.\n"); | 1571 | "Root key of handshake already known. Ignoring KX.\n"); |
| 1564 | GNUNET_STATISTICS_update (stats, | 1572 | GNUNET_STATISTICS_update (stats, |
| 1565 | "# Root key already known", | 1573 | "# Root key already known", |
| 1566 | 1, | 1574 | 1, |
| 1567 | GNUNET_NO); | 1575 | GNUNET_NO); |
| 1568 | return GNUNET_NO; | 1576 | return GNUNET_NO; |
| 1569 | } | 1577 | } |
| 1570 | 1578 | ||
| 1571 | ax->RK = keys[0]; | 1579 | ax->RK = keys[0]; |
| 1572 | if (GNUNET_YES == am_I_alice) | 1580 | if (GNUNET_YES == am_I_alice) |
| 1573 | { | 1581 | { |
| 1574 | ax->HKr = keys[1]; | 1582 | ax->HKr = keys[1]; |
| 1575 | ax->NHKs = keys[2]; | 1583 | ax->NHKs = keys[2]; |
| 1576 | ax->NHKr = keys[3]; | 1584 | ax->NHKr = keys[3]; |
| 1577 | ax->CKr = keys[4]; | 1585 | ax->CKr = keys[4]; |
| 1578 | ax->ratchet_flag = GNUNET_YES; | 1586 | ax->ratchet_flag = GNUNET_YES; |
| 1579 | } | 1587 | } |
| 1580 | else | 1588 | else |
| 1581 | { | 1589 | { |
| 1582 | ax->HKs = keys[1]; | 1590 | ax->HKs = keys[1]; |
| 1583 | ax->NHKr = keys[2]; | 1591 | ax->NHKr = keys[2]; |
| 1584 | ax->NHKs = keys[3]; | 1592 | ax->NHKs = keys[3]; |
| 1585 | ax->CKs = keys[4]; | 1593 | ax->CKs = keys[4]; |
| 1586 | ax->ratchet_flag = GNUNET_NO; | 1594 | ax->ratchet_flag = GNUNET_NO; |
| 1587 | ax->ratchet_expiration | 1595 | ax->ratchet_expiration |
| 1588 | = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(), | 1596 | = GNUNET_TIME_absolute_add (GNUNET_TIME_absolute_get(), |
| 1589 | ratchet_time); | 1597 | ratchet_time); |
| 1590 | } | 1598 | } |
| 1591 | return GNUNET_OK; | 1599 | return GNUNET_OK; |
| 1592 | } | 1600 | } |
| 1593 | 1601 | ||
| @@ -1609,75 +1617,75 @@ retry_kx (void *cls) | |||
| 1609 | GCT_2s (t), | 1617 | GCT_2s (t), |
| 1610 | estate2s (t->estate)); | 1618 | estate2s (t->estate)); |
| 1611 | switch (t->estate) | 1619 | switch (t->estate) |
| 1612 | { | ||
| 1613 | case CADET_TUNNEL_KEY_UNINITIALIZED: /* first attempt */ | ||
| 1614 | case CADET_TUNNEL_KEY_AX_SENT: /* trying again */ | ||
| 1615 | send_kx (t, | ||
| 1616 | NULL, | ||
| 1617 | &t->ax); | ||
| 1618 | break; | ||
| 1619 | case CADET_TUNNEL_KEY_AX_RECV: | ||
| 1620 | case CADET_TUNNEL_KEY_AX_SENT_AND_RECV: | ||
| 1621 | /* We are responding, so only require reply | ||
| 1622 | if WE have a channel waiting. */ | ||
| 1623 | if (NULL != t->unverified_ax) | ||
| 1624 | { | ||
| 1625 | /* Send AX_AUTH so we might get this one verified */ | ||
| 1626 | ax = t->unverified_ax; | ||
| 1627 | } | ||
| 1628 | else | ||
| 1629 | { | ||
| 1630 | /* How can this be? */ | ||
| 1631 | GNUNET_break (0); | ||
| 1632 | ax = &t->ax; | ||
| 1633 | } | ||
| 1634 | send_kx_auth (t, | ||
| 1635 | NULL, | ||
| 1636 | ax, | ||
| 1637 | (0 == GCT_count_channels (t)) | ||
| 1638 | ? GNUNET_NO | ||
| 1639 | : GNUNET_YES); | ||
| 1640 | break; | ||
| 1641 | case CADET_TUNNEL_KEY_AX_AUTH_SENT: | ||
| 1642 | /* We are responding, so only require reply | ||
| 1643 | if WE have a channel waiting. */ | ||
| 1644 | if (NULL != t->unverified_ax) | ||
| 1645 | { | ||
| 1646 | /* Send AX_AUTH so we might get this one verified */ | ||
| 1647 | ax = t->unverified_ax; | ||
| 1648 | } | ||
| 1649 | else | ||
| 1650 | { | ||
| 1651 | /* How can this be? */ | ||
| 1652 | GNUNET_break (0); | ||
| 1653 | ax = &t->ax; | ||
| 1654 | } | ||
| 1655 | send_kx_auth (t, | ||
| 1656 | NULL, | ||
| 1657 | ax, | ||
| 1658 | (0 == GCT_count_channels (t)) | ||
| 1659 | ? GNUNET_NO | ||
| 1660 | : GNUNET_YES); | ||
| 1661 | break; | ||
| 1662 | case CADET_TUNNEL_KEY_OK: | ||
| 1663 | /* Must have been the *other* peer asking us to | ||
| 1664 | respond with a KX_AUTH. */ | ||
| 1665 | if (NULL != t->unverified_ax) | ||
| 1666 | { | 1620 | { |
| 1667 | /* Sending AX_AUTH in response to AX so we might get this one verified */ | 1621 | case CADET_TUNNEL_KEY_UNINITIALIZED: /* first attempt */ |
| 1668 | ax = t->unverified_ax; | 1622 | case CADET_TUNNEL_KEY_AX_SENT: /* trying again */ |
| 1669 | } | 1623 | send_kx (t, |
| 1670 | else | 1624 | NULL, |
| 1671 | { | 1625 | &t->ax); |
| 1672 | /* Sending AX_AUTH in response to AX_AUTH */ | 1626 | break; |
| 1673 | ax = &t->ax; | 1627 | case CADET_TUNNEL_KEY_AX_RECV: |
| 1628 | case CADET_TUNNEL_KEY_AX_SENT_AND_RECV: | ||
| 1629 | /* We are responding, so only require reply | ||
| 1630 | if WE have a channel waiting. */ | ||
| 1631 | if (NULL != t->unverified_ax) | ||
| 1632 | { | ||
| 1633 | /* Send AX_AUTH so we might get this one verified */ | ||
| 1634 | ax = t->unverified_ax; | ||
| 1635 | } | ||
| 1636 | else | ||
| 1637 | { | ||
| 1638 | /* How can this be? */ | ||
| 1639 | GNUNET_break (0); | ||
| 1640 | ax = &t->ax; | ||
| 1641 | } | ||
| 1642 | send_kx_auth (t, | ||
| 1643 | NULL, | ||
| 1644 | ax, | ||
| 1645 | (0 == GCT_count_channels (t)) | ||
| 1646 | ? GNUNET_NO | ||
| 1647 | : GNUNET_YES); | ||
| 1648 | break; | ||
| 1649 | case CADET_TUNNEL_KEY_AX_AUTH_SENT: | ||
| 1650 | /* We are responding, so only require reply | ||
| 1651 | if WE have a channel waiting. */ | ||
| 1652 | if (NULL != t->unverified_ax) | ||
| 1653 | { | ||
| 1654 | /* Send AX_AUTH so we might get this one verified */ | ||
| 1655 | ax = t->unverified_ax; | ||
| 1656 | } | ||
| 1657 | else | ||
| 1658 | { | ||
| 1659 | /* How can this be? */ | ||
| 1660 | GNUNET_break (0); | ||
| 1661 | ax = &t->ax; | ||
| 1662 | } | ||
| 1663 | send_kx_auth (t, | ||
| 1664 | NULL, | ||
| 1665 | ax, | ||
| 1666 | (0 == GCT_count_channels (t)) | ||
| 1667 | ? GNUNET_NO | ||
| 1668 | : GNUNET_YES); | ||
| 1669 | break; | ||
| 1670 | case CADET_TUNNEL_KEY_OK: | ||
| 1671 | /* Must have been the *other* peer asking us to | ||
| 1672 | respond with a KX_AUTH. */ | ||
| 1673 | if (NULL != t->unverified_ax) | ||
| 1674 | { | ||
| 1675 | /* Sending AX_AUTH in response to AX so we might get this one verified */ | ||
| 1676 | ax = t->unverified_ax; | ||
| 1677 | } | ||
| 1678 | else | ||
| 1679 | { | ||
| 1680 | /* Sending AX_AUTH in response to AX_AUTH */ | ||
| 1681 | ax = &t->ax; | ||
| 1682 | } | ||
| 1683 | send_kx_auth (t, | ||
| 1684 | NULL, | ||
| 1685 | ax, | ||
| 1686 | GNUNET_NO); | ||
| 1687 | break; | ||
| 1674 | } | 1688 | } |
| 1675 | send_kx_auth (t, | ||
| 1676 | NULL, | ||
| 1677 | ax, | ||
| 1678 | GNUNET_NO); | ||
| 1679 | break; | ||
| 1680 | } | ||
| 1681 | } | 1689 | } |
| 1682 | 1690 | ||
| 1683 | 1691 | ||
| @@ -1711,75 +1719,75 @@ GCT_handle_kx (struct CadetTConnection *ct, | |||
| 1711 | &msg->ephemeral_key, | 1719 | &msg->ephemeral_key, |
| 1712 | sizeof (msg->ephemeral_key))) ) | 1720 | sizeof (msg->ephemeral_key))) ) |
| 1713 | 1721 | ||
| 1714 | { | ||
| 1715 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
| 1716 | "Got duplicate KX. Firing back KX_AUTH.\n"); | ||
| 1717 | GNUNET_STATISTICS_update (stats, | ||
| 1718 | "# Duplicate KX received", | ||
| 1719 | 1, | ||
| 1720 | GNUNET_NO); | ||
| 1721 | send_kx_auth (t, | ||
| 1722 | ct, | ||
| 1723 | &t->ax, | ||
| 1724 | GNUNET_NO); | ||
| 1725 | return; | ||
| 1726 | } | ||
| 1727 | #endif | ||
| 1728 | /* We only keep ONE unverified KX around, so if there is an existing one, | ||
| 1729 | clean it up. */ | ||
| 1730 | if (NULL != t->unverified_ax) | ||
| 1731 | { | ||
| 1732 | if ( (0 == | ||
| 1733 | memcmp (&t->unverified_ax->DHRr, | ||
| 1734 | &msg->ratchet_key, | ||
| 1735 | sizeof (msg->ratchet_key))) && | ||
| 1736 | (0 == | ||
| 1737 | memcmp (&t->unverified_ax->last_ephemeral, | ||
| 1738 | &msg->ephemeral_key, | ||
| 1739 | sizeof (msg->ephemeral_key))) ) | ||
| 1740 | { | 1722 | { |
| 1741 | LOG (GNUNET_ERROR_TYPE_DEBUG, | 1723 | LOG (GNUNET_ERROR_TYPE_DEBUG, |
| 1742 | "Got duplicate unverified KX on %s. Fire back KX_AUTH again.\n", | 1724 | "Got duplicate KX. Firing back KX_AUTH.\n"); |
| 1743 | GCT_2s (t)); | ||
| 1744 | GNUNET_STATISTICS_update (stats, | 1725 | GNUNET_STATISTICS_update (stats, |
| 1745 | "# Duplicate unverified KX received", | 1726 | "# Duplicate KX received", |
| 1746 | 1, | 1727 | 1, |
| 1747 | GNUNET_NO); | 1728 | GNUNET_NO); |
| 1748 | #if 1 | ||
| 1749 | send_kx_auth (t, | 1729 | send_kx_auth (t, |
| 1750 | ct, | 1730 | ct, |
| 1751 | t->unverified_ax, | 1731 | &t->ax, |
| 1752 | GNUNET_NO); | 1732 | GNUNET_NO); |
| 1753 | return; | 1733 | return; |
| 1734 | } | ||
| 1735 | #endif | ||
| 1736 | /* We only keep ONE unverified KX around, so if there is an existing one, | ||
| 1737 | clean it up. */ | ||
| 1738 | if (NULL != t->unverified_ax) | ||
| 1739 | { | ||
| 1740 | if ( (0 == | ||
| 1741 | memcmp (&t->unverified_ax->DHRr, | ||
| 1742 | &msg->ratchet_key, | ||
| 1743 | sizeof (msg->ratchet_key))) && | ||
| 1744 | (0 == | ||
| 1745 | memcmp (&t->unverified_ax->last_ephemeral, | ||
| 1746 | &msg->ephemeral_key, | ||
| 1747 | sizeof (msg->ephemeral_key))) ) | ||
| 1748 | { | ||
| 1749 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
| 1750 | "Got duplicate unverified KX on %s. Fire back KX_AUTH again.\n", | ||
| 1751 | GCT_2s (t)); | ||
| 1752 | GNUNET_STATISTICS_update (stats, | ||
| 1753 | "# Duplicate unverified KX received", | ||
| 1754 | 1, | ||
| 1755 | GNUNET_NO); | ||
| 1756 | #if 1 | ||
| 1757 | send_kx_auth (t, | ||
| 1758 | ct, | ||
| 1759 | t->unverified_ax, | ||
| 1760 | GNUNET_NO); | ||
| 1761 | return; | ||
| 1754 | #endif | 1762 | #endif |
| 1763 | } | ||
| 1764 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
| 1765 | "Dropping old unverified KX state. Got a fresh KX for %s.\n", | ||
| 1766 | GCT_2s (t)); | ||
| 1767 | GNUNET_STATISTICS_update (stats, | ||
| 1768 | "# Unverified KX dropped for fresh KX", | ||
| 1769 | 1, | ||
| 1770 | GNUNET_NO); | ||
| 1771 | GNUNET_break (NULL == t->unverified_ax->skipped_head); | ||
| 1772 | memset (t->unverified_ax, | ||
| 1773 | 0, | ||
| 1774 | sizeof (struct CadetTunnelAxolotl)); | ||
| 1775 | t->unverified_ax->DHRs = t->ax.DHRs; | ||
| 1776 | t->unverified_ax->kx_0 = t->ax.kx_0; | ||
| 1755 | } | 1777 | } |
| 1756 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
| 1757 | "Dropping old unverified KX state. Got a fresh KX for %s.\n", | ||
| 1758 | GCT_2s (t)); | ||
| 1759 | GNUNET_STATISTICS_update (stats, | ||
| 1760 | "# Unverified KX dropped for fresh KX", | ||
| 1761 | 1, | ||
| 1762 | GNUNET_NO); | ||
| 1763 | GNUNET_break (NULL == t->unverified_ax->skipped_head); | ||
| 1764 | memset (t->unverified_ax, | ||
| 1765 | 0, | ||
| 1766 | sizeof (struct CadetTunnelAxolotl)); | ||
| 1767 | t->unverified_ax->DHRs = t->ax.DHRs; | ||
| 1768 | t->unverified_ax->kx_0 = t->ax.kx_0; | ||
| 1769 | } | ||
| 1770 | else | 1778 | else |
| 1771 | { | 1779 | { |
| 1772 | LOG (GNUNET_ERROR_TYPE_DEBUG, | 1780 | LOG (GNUNET_ERROR_TYPE_DEBUG, |
| 1773 | "Creating fresh unverified KX for %s.\n", | 1781 | "Creating fresh unverified KX for %s.\n", |
| 1774 | GCT_2s (t)); | 1782 | GCT_2s (t)); |
| 1775 | GNUNET_STATISTICS_update (stats, | 1783 | GNUNET_STATISTICS_update (stats, |
| 1776 | "# Fresh KX setup", | 1784 | "# Fresh KX setup", |
| 1777 | 1, | 1785 | 1, |
| 1778 | GNUNET_NO); | 1786 | GNUNET_NO); |
| 1779 | t->unverified_ax = GNUNET_new (struct CadetTunnelAxolotl); | 1787 | t->unverified_ax = GNUNET_new (struct CadetTunnelAxolotl); |
| 1780 | t->unverified_ax->DHRs = t->ax.DHRs; | 1788 | t->unverified_ax->DHRs = t->ax.DHRs; |
| 1781 | t->unverified_ax->kx_0 = t->ax.kx_0; | 1789 | t->unverified_ax->kx_0 = t->ax.kx_0; |
| 1782 | } | 1790 | } |
| 1783 | /* Set as the 'current' RK/DHRr the one we are currently using, | 1791 | /* Set as the 'current' RK/DHRr the one we are currently using, |
| 1784 | so that the duplicate-detection logic of | 1792 | so that the duplicate-detection logic of |
| 1785 | #update_ax_by_kx can work. */ | 1793 | #update_ax_by_kx can work. */ |
| @@ -1795,13 +1803,13 @@ GCT_handle_kx (struct CadetTConnection *ct, | |||
| 1795 | &msg->ratchet_key); | 1803 | &msg->ratchet_key); |
| 1796 | GNUNET_break (GNUNET_SYSERR != ret); | 1804 | GNUNET_break (GNUNET_SYSERR != ret); |
| 1797 | if (GNUNET_OK != ret) | 1805 | if (GNUNET_OK != ret) |
| 1798 | { | 1806 | { |
| 1799 | GNUNET_STATISTICS_update (stats, | 1807 | GNUNET_STATISTICS_update (stats, |
| 1800 | "# Useless KX", | 1808 | "# Useless KX", |
| 1801 | 1, | 1809 | 1, |
| 1802 | GNUNET_NO); | 1810 | GNUNET_NO); |
| 1803 | return; /* duplicate KX, nothing to do */ | 1811 | return; /* duplicate KX, nothing to do */ |
| 1804 | } | 1812 | } |
| 1805 | /* move ahead in our state machine */ | 1813 | /* move ahead in our state machine */ |
| 1806 | if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate) | 1814 | if (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate) |
| 1807 | GCT_change_estate (t, | 1815 | GCT_change_estate (t, |
| @@ -1812,13 +1820,13 @@ GCT_handle_kx (struct CadetTConnection *ct, | |||
| 1812 | 1820 | ||
| 1813 | /* KX is still not done, try again our end. */ | 1821 | /* KX is still not done, try again our end. */ |
| 1814 | if (CADET_TUNNEL_KEY_OK != t->estate) | 1822 | if (CADET_TUNNEL_KEY_OK != t->estate) |
| 1815 | { | 1823 | { |
| 1816 | if (NULL != t->kx_task) | 1824 | if (NULL != t->kx_task) |
| 1817 | GNUNET_SCHEDULER_cancel (t->kx_task); | 1825 | GNUNET_SCHEDULER_cancel (t->kx_task); |
| 1818 | t->kx_task | 1826 | t->kx_task |
| 1819 | = GNUNET_SCHEDULER_add_now (&retry_kx, | 1827 | = GNUNET_SCHEDULER_add_now (&retry_kx, |
| 1820 | t); | 1828 | t); |
| 1821 | } | 1829 | } |
| 1822 | } | 1830 | } |
| 1823 | 1831 | ||
| 1824 | 1832 | ||
| @@ -1843,16 +1851,33 @@ GCT_handle_kx_auth (struct CadetTConnection *ct, | |||
| 1843 | GNUNET_NO); | 1851 | GNUNET_NO); |
| 1844 | if ( (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate) || | 1852 | if ( (CADET_TUNNEL_KEY_UNINITIALIZED == t->estate) || |
| 1845 | (CADET_TUNNEL_KEY_AX_RECV == t->estate) ) | 1853 | (CADET_TUNNEL_KEY_AX_RECV == t->estate) ) |
| 1854 | { | ||
| 1855 | /* Confusing, we got a KX_AUTH before we even send our own | ||
| 1856 | KX. This should not happen. We'll send our own KX ASAP anyway, | ||
| 1857 | so let's ignore this here. */ | ||
| 1858 | GNUNET_break_op (0); | ||
| 1859 | return; | ||
| 1860 | } | ||
| 1861 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
| 1862 | "Handling KX_AUTH message for %s with E=%s and R=%s and A=%s\n", | ||
| 1863 | GCT_2s (t), | ||
| 1864 | GNUNET_e2s (&msg->kx.ephemeral_key), | ||
| 1865 | GNUNET_e2s2 (&msg->kx.ratchet_key), | ||
| 1866 | GNUNET_h2s (&msg->auth)); | ||
| 1846 | { | 1867 | { |
| 1847 | /* Confusing, we got a KX_AUTH before we even send our own | 1868 | struct GNUNET_CRYPTO_EcdhePublicKey ephemeral_key; |
| 1848 | KX. This should not happen. We'll send our own KX ASAP anyway, | 1869 | struct GNUNET_CRYPTO_EcdhePublicKey ratchet_key; |
| 1849 | so let's ignore this here. */ | 1870 | |
| 1850 | GNUNET_break_op (0); | 1871 | GNUNET_CRYPTO_ecdhe_key_get_public (&t->ax.kx_0, |
| 1851 | return; | 1872 | &ephemeral_key); |
| 1873 | GNUNET_CRYPTO_ecdhe_key_get_public (&t->ax.DHRs, | ||
| 1874 | &ratchet_key); | ||
| 1875 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
| 1876 | "... my E=%s and R=%s\n", | ||
| 1877 | GNUNET_e2s2 (&ephemeral_key), | ||
| 1878 | GNUNET_e2s (&ratchet_key)); | ||
| 1852 | } | 1879 | } |
| 1853 | LOG (GNUNET_ERROR_TYPE_DEBUG, | 1880 | |
| 1854 | "Handling KX_AUTH message for %s\n", | ||
| 1855 | GCT_2s (t)); | ||
| 1856 | 1881 | ||
| 1857 | /* We do everything in ax_tmp until we've checked the authentication | 1882 | /* We do everything in ax_tmp until we've checked the authentication |
| 1858 | so we don't clobber anything we care about by accident. */ | 1883 | so we don't clobber anything we care about by accident. */ |
| @@ -1887,6 +1912,10 @@ GCT_handle_kx_auth (struct CadetTConnection *ct, | |||
| 1887 | "# KX_AUTH not using our last KX received (auth failure)", | 1912 | "# KX_AUTH not using our last KX received (auth failure)", |
| 1888 | 1, | 1913 | 1, |
| 1889 | GNUNET_NO); | 1914 | GNUNET_NO); |
| 1915 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
| 1916 | "AUTH missmatch: got %s, expected %s\n", | ||
| 1917 | GNUNET_h2s (&msg->auth), | ||
| 1918 | GNUNET_h2s2 (&kx_auth)); | ||
| 1890 | send_kx (t, | 1919 | send_kx (t, |
| 1891 | ct, | 1920 | ct, |
| 1892 | &t->ax); | 1921 | &t->ax); |