[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] r26035 - in gnunet: . src/core src/hello src/include src/pe
From: |
gnunet |
Subject: |
[GNUnet-SVN] r26035 - in gnunet: . src/core src/hello src/include src/peerinfo-tool src/testing src/transport src/util |
Date: |
Tue, 5 Feb 2013 21:49:21 +0100 |
Author: grothoff
Date: 2013-02-05 21:49:21 +0100 (Tue, 05 Feb 2013)
New Revision: 26035
Added:
gnunet/README.1st
Modified:
gnunet/NEWS
gnunet/README
gnunet/src/core/Makefile.am
gnunet/src/core/gnunet-service-core.c
gnunet/src/core/gnunet-service-core_kx.c
gnunet/src/core/gnunet-service-core_kx.h
gnunet/src/core/gnunet-service-core_neighbours.c
gnunet/src/hello/gnunet-hello.c
gnunet/src/hello/hello.c
gnunet/src/hello/test_hello.c
gnunet/src/include/gnunet_crypto_lib.h
gnunet/src/include/gnunet_hello_lib.h
gnunet/src/include/gnunet_protocols.h
gnunet/src/include/gnunet_signatures.h
gnunet/src/include/gnunet_testing_lib.h
gnunet/src/peerinfo-tool/gnunet-peerinfo.c
gnunet/src/testing/gnunet-testing.c
gnunet/src/testing/testing.c
gnunet/src/transport/gnunet-service-transport.c
gnunet/src/transport/gnunet-service-transport.h
gnunet/src/transport/gnunet-service-transport_hello.c
gnunet/src/transport/gnunet-service-transport_hello.h
gnunet/src/transport/gnunet-service-transport_neighbours.c
gnunet/src/transport/gnunet-service-transport_validation.c
gnunet/src/transport/gnunet-service-transport_validation.h
gnunet/src/transport/test_plugin_transport.c
gnunet/src/util/crypto_aes.c
gnunet/src/util/crypto_hash.c
gnunet/src/util/gnunet-ecc.c
gnunet/src/util/gnunet-rsa.c
gnunet/src/util/test_crypto_aes.c
gnunet/src/util/test_crypto_aes_weak.c
Log:
switching to ECDHE cryptography f, implementation is incomplete and INSECURE,
do not use for anything but testing
Modified: gnunet/NEWS
===================================================================
--- gnunet/NEWS 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/NEWS 2013-02-05 20:49:21 UTC (rev 26035)
@@ -1 +1,12 @@
-See ChangeLog.
+======================================================================
+
+THIS SVN VERSION OF GNUNET IS INCOMPATIBLE TO ALL PREVIOUS RELEASES.
+WE ARE WORKING ON CHANGING FUNDAMENTAL PARTS OF THE CRYPTOGRAPHIC
+PARTS OF THE SYSTEM.
+
+THE CURRENT IMPLEMENTATION DOES NOT GIVE YOU ANY SECURITY (AS SOME
+CRYPTO IS DISABLED/INCOMPLETE) AND WILL LIKELY NOT BE COMPATIBLE WITH
+YESTERDAYS OR TOMORROWS VERSION. AS SUCH, DO NOT USE IT, OTHER THAN
+FOR DEVELOPMENT!
+
+=======================================================================
Modified: gnunet/README
===================================================================
--- gnunet/README 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/README 2013-02-05 20:49:21 UTC (rev 26035)
@@ -1,3 +1,16 @@
+======================================================================
+
+THIS SVN VERSION OF GNUNET IS INCOMPATIBLE TO ALL PREVIOUS RELEASES.
+WE ARE WORKING ON CHANGING FUNDAMENTAL PARTS OF THE CRYPTOGRAPHIC
+PARTS OF THE SYSTEM.
+
+THE CURRENT IMPLEMENTATION DOES NOT GIVE YOU ANY SECURITY (AS SOME
+CRYPTO IS DISABLED/INCOMPLETE) AND WILL LIKELY NOT BE COMPATIBLE WITH
+YESTERDAYS OR TOMORROWS VERSION. AS SUCH, DO NOT USE IT, OTHER THAN
+FOR DEVELOPMENT!
+
+=======================================================================
+
Welcome to GNUnet
Added: gnunet/README.1st
===================================================================
--- gnunet/README.1st (rev 0)
+++ gnunet/README.1st 2013-02-05 20:49:21 UTC (rev 26035)
@@ -0,0 +1,12 @@
+======================================================================
+
+THIS SVN VERSION OF GNUNET IS INCOMPATIBLE TO ALL PREVIOUS RELEASES.
+WE ARE WORKING ON CHANGING FUNDAMENTAL PARTS OF THE CRYPTOGRAPHIC
+PARTS OF THE SYSTEM.
+
+THE CURRENT IMPLEMENTATION DOES NOT GIVE YOU ANY SECURITY (AS SOME
+CRYPTO IS DISABLED/INCOMPLETE) AND WILL LIKELY NOT BE COMPATIBLE WITH
+YESTERDAYS OR TOMORROWS VERSION. AS SUCH, DO NOT USE IT, OTHER THAN
+FOR DEVELOPMENT!
+
+=======================================================================
Modified: gnunet/src/core/Makefile.am
===================================================================
--- gnunet/src/core/Makefile.am 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/src/core/Makefile.am 2013-02-05 20:49:21 UTC (rev 26035)
@@ -46,8 +46,6 @@
gnunet-service-core_sessions.c gnunet-service-core_sessions.h \
gnunet-service-core_typemap.c gnunet-service-core_typemap.h
gnunet_service_core_LDADD = \
- $(top_builddir)/src/hello/libgnunethello.la \
- $(top_builddir)/src/peerinfo/libgnunetpeerinfo.la \
$(top_builddir)/src/statistics/libgnunetstatistics.la \
$(top_builddir)/src/transport/libgnunettransport.la \
$(top_builddir)/src/util/libgnunetutil.la \
Modified: gnunet/src/core/gnunet-service-core.c
===================================================================
--- gnunet/src/core/gnunet-service-core.c 2013-02-05 20:48:40 UTC (rev
26034)
+++ gnunet/src/core/gnunet-service-core.c 2013-02-05 20:49:21 UTC (rev
26035)
@@ -56,7 +56,7 @@
/**
* Hostkey generation context
*/
-static struct GNUNET_CRYPTO_RsaKeyGenerationContext *keygen;
+static struct GNUNET_CRYPTO_EccKeyGenerationContext *keygen;
/**
@@ -72,7 +72,7 @@
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Core service shutting down.\n");
if (NULL != keygen)
{
- GNUNET_CRYPTO_rsa_key_create_stop (keygen);
+ GNUNET_CRYPTO_ecc_key_create_stop (keygen);
keygen = NULL;
}
GSC_CLIENTS_done ();
@@ -99,14 +99,14 @@
*/
static void
key_generation_cb (void *cls,
- struct GNUNET_CRYPTO_RsaPrivateKey *pk,
+ struct GNUNET_CRYPTO_EccPrivateKey *pk,
const char *emsg)
{
keygen = NULL;
if (NULL == pk)
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
- _("Failed to read hostkey: %s\n"),
+ _("Failed to read or generate private key: %s\n"),
emsg);
GNUNET_SCHEDULER_shutdown ();
return;
@@ -141,7 +141,7 @@
GSC_cfg = c;
GSC_server = server;
if (GNUNET_OK !=
- GNUNET_CONFIGURATION_get_value_filename (GSC_cfg, "GNUNETD", "HOSTKEY",
+ GNUNET_CONFIGURATION_get_value_filename (GSC_cfg, "PEER", "PRIVATE_KEY",
&keyfile))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
@@ -155,7 +155,7 @@
NULL);
GNUNET_SERVER_suspend (server);
GSC_TYPEMAP_init ();
- keygen = GNUNET_CRYPTO_rsa_key_create_start (keyfile, &key_generation_cb,
NULL);
+ keygen = GNUNET_CRYPTO_ecc_key_create_start (keyfile, &key_generation_cb,
NULL);
GNUNET_free (keyfile);
if (NULL == keygen)
{
Modified: gnunet/src/core/gnunet-service-core_kx.c
===================================================================
--- gnunet/src/core/gnunet-service-core_kx.c 2013-02-05 20:48:40 UTC (rev
26034)
+++ gnunet/src/core/gnunet-service-core_kx.c 2013-02-05 20:49:21 UTC (rev
26035)
@@ -30,8 +30,6 @@
#include "gnunet-service-core_neighbours.h"
#include "gnunet-service-core_sessions.h"
#include "gnunet_statistics_service.h"
-#include "gnunet_peerinfo_service.h"
-#include "gnunet_hello_lib.h"
#include "gnunet_constants.h"
#include "gnunet_signatures.h"
#include "gnunet_protocols.h"
@@ -39,14 +37,9 @@
/**
- * Set to GNUNET_YES to perform some slightly expensive internal invariant
checks.
- */
-#define EXTRA_CHECKS GNUNET_YES
-
-/**
* How long do we wait for SET_KEY confirmation initially?
*/
-#define INITIAL_SET_KEY_RETRY_FREQUENCY GNUNET_TIME_relative_multiply
(MAX_SET_KEY_DELAY, 1)
+#define INITIAL_SET_KEY_RETRY_FREQUENCY GNUNET_TIME_relative_multiply
(GNUNET_TIME_UNIT_SECONDS, 10)
/**
* What is the minimum frequency for a PING message?
@@ -56,8 +49,12 @@
/**
* How often do we rekey?
*/
-#define REKEY_FREQUENCY GNUNET_TIME_relative_multiply
(GNUNET_TIME_UNIT_MINUTES, 90)
+#define REKEY_FREQUENCY GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_HOURS,
12)
+/**
+ * What time difference do we tolerate?
+ */
+#define REKEY_TOLERANCE GNUNET_TIME_relative_multiply
(GNUNET_TIME_UNIT_MINUTES, 5)
/**
* What is the maximum age of a message for us to consider processing
@@ -68,14 +65,62 @@
*/
#define MAX_MESSAGE_AGE GNUNET_TIME_UNIT_DAYS
+
+
+GNUNET_NETWORK_STRUCT_BEGIN
+
/**
- * What is the maximum delay for a SET_KEY message?
+ * Message transmitted with the signed ephemeral key of a peer. The
+ * session key is then derived from the two ephemeral keys (ECDHE).
*/
-#define MAX_SET_KEY_DELAY GNUNET_TIME_relative_multiply
(GNUNET_TIME_UNIT_SECONDS, 10)
+struct EphemeralKeyMessage
+{
+ /**
+ * Message type is CORE_EPHEMERAL_KEY.
+ */
+ struct GNUNET_MessageHeader header;
-GNUNET_NETWORK_STRUCT_BEGIN
+ /**
+ * Status of the sender (should be in "enum PeerStateMachine"), nbo.
+ */
+ int32_t sender_status GNUNET_PACKED;
+ /**
+ * An ECC signature of the 'origin' asserting the validity of
+ * the given ephemeral key.
+ */
+ struct GNUNET_CRYPTO_EccSignature signature;
+
+ /**
+ * Information about what is being signed.
+ */
+ struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
+
+ /**
+ * At what time was this key created (beginning of validity).
+ */
+ struct GNUNET_TIME_AbsoluteNBO creation_time;
+
+ /**
+ * When does the given ephemeral key expire (end of validity).
+ */
+ struct GNUNET_TIME_AbsoluteNBO expiration_time;
+
+ /**
+ * Ephemeral public ECC key (always for NIST P-521) encoded in a format
suitable
+ * for network transmission as created using 'gcry_sexp_sprint'.
+ */
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded ephemeral_key;
+
+ /**
+ * Public key of the signing peer (persistent version, not the ephemeral
public key).
+ */
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded origin_public_key;
+
+};
+
+
/**
* We're sending an (encrypted) PING to the other peer to check if he
* can decrypt. The other peer should respond with a PONG with the
@@ -128,9 +173,9 @@
uint32_t challenge GNUNET_PACKED;
/**
- * Reserved, always 'GNUNET_BANDWIDTH_VALUE_MAX'.
+ * Reserved, always zero.
*/
- struct GNUNET_BANDWIDTH_Value32NBO reserved;
+ uint32_t reserved;
/**
* Intended target of the PING, used primarily to check
@@ -141,51 +186,6 @@
/**
- * Message transmitted to set (or update) a session key.
- */
-struct SetKeyMessage
-{
-
- /**
- * Message type is either CORE_SET_KEY.
- */
- struct GNUNET_MessageHeader header;
-
- /**
- * Status of the sender (should be in "enum PeerStateMachine"), nbo.
- */
- int32_t sender_status GNUNET_PACKED;
-
- /**
- * Purpose of the signature, will be
- * GNUNET_SIGNATURE_PURPOSE_SET_KEY.
- */
- struct GNUNET_CRYPTO_RsaSignaturePurpose purpose;
-
- /**
- * At what time was this key created?
- */
- struct GNUNET_TIME_AbsoluteNBO creation_time;
-
- /**
- * The encrypted session key.
- */
- struct GNUNET_CRYPTO_RsaEncryptedData encrypted_key;
-
- /**
- * Who is the intended recipient?
- */
- struct GNUNET_PeerIdentity target;
-
- /**
- * Signature of the stuff above (starting at purpose).
- */
- struct GNUNET_CRYPTO_RsaSignature signature;
-
-};
-
-
-/**
* Encapsulation for encrypted messages exchanged between
* peers. Followed by the actual encrypted data.
*/
@@ -216,9 +216,9 @@
uint32_t sequence_number GNUNET_PACKED;
/**
- * Reserved, always 'GNUNET_BANDWIDTH_VALUE_MAX'.
+ * Reserved, always zero.
*/
- struct GNUNET_BANDWIDTH_Value32NBO reserved;
+ uint32_t reserved;
/**
* Timestamp. Used to prevent reply of ancient messages
@@ -263,23 +263,18 @@
KX_STATE_KEY_RECEIVED,
/**
- * The other peer has confirmed our session key with a message
- * encrypted with his session key (which we got). Key exchange
- * is done.
+ * The other peer has confirmed our session key + PING with a PONG
+ * message encrypted with his session key (which we got). Key
+ * exchange is done.
*/
KX_STATE_UP,
/**
- * We're rekeying, so we have received the other peer's session
- * key, but he didn't get ours yet.
+ * We're rekeying, so we have sent the other peer our new ephemeral
+ * key, but we did not get a matching PONG yet.
*/
- KX_STATE_REKEY,
+ KX_STATE_REKEY_SENT
- /**
- * We're rekeying but have not yet received confirmation for our new
- * key from the other peer.
- */
- KX_STATE_REKEY_SENT
};
@@ -288,64 +283,28 @@
*/
struct GSC_KeyExchangeInfo
{
- /**
- * Identity of the peer.
- */
- struct GNUNET_PeerIdentity peer;
/**
- * SetKeyMessage to transmit (initialized the first
- * time our status goes past 'KX_STATE_KEY_SENT').
+ * DLL.
*/
- struct SetKeyMessage skm;
+ struct GSC_KeyExchangeInfo *next;
/**
- * PING message we transmit to the other peer.
+ * DLL.
*/
- struct PingMessage ping;
+ struct GSC_KeyExchangeInfo *prev;
/**
- * SetKeyMessage we received and did not process yet.
+ * Identity of the peer.
*/
- struct SetKeyMessage *skm_received;
+ struct GNUNET_PeerIdentity peer;
/**
- * PING message we received from the other peer and
- * did not process yet (or NULL).
+ * PING message we transmit to the other peer.
*/
- struct PingMessage *ping_received;
+ struct PingMessage ping;
/**
- * PONG message we received from the other peer and
- * did not process yet (or NULL).
- */
- struct PongMessage *pong_received;
-
- /**
- * Encrypted message we received from the other peer and
- * did not process yet (or NULL).
- */
- struct EncryptedMessage *emsg_received;
-
- /**
- * Non-NULL if we are currently looking up HELLOs for this peer.
- * for this peer.
- */
- struct GNUNET_PEERINFO_IteratorContext *pitr;
-
- /**
- * Public key of the neighbour, NULL if we don't have it yet.
- */
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded *public_key;
-
- /**
- * We received a PONG message before we got the "public_key"
- * (or the SET_KEY). We keep it here until we have a key
- * to decrypt it. NULL if no PONG is pending.
- */
- struct PongMessage *pending_pong;
-
- /**
* Key we use to encrypt our messages for the other peer
* (initialized by us when we do the handshake).
*/
@@ -358,14 +317,9 @@
struct GNUNET_CRYPTO_AesSessionKey decrypt_key;
/**
- * At what time did we generate our encryption key?
- */
- struct GNUNET_TIME_Absolute encrypt_key_created;
-
- /**
* At what time did the other peer generate the decryption key?
*/
- struct GNUNET_TIME_Absolute decrypt_key_created;
+ struct GNUNET_TIME_Absolute foreign_key_expires;
/**
* When should the session time out (if there are no PONGs)?
@@ -418,77 +372,62 @@
/**
- * Handle to peerinfo service.
+ * Our private key.
*/
-static struct GNUNET_PEERINFO_Handle *peerinfo;
+static struct GNUNET_CRYPTO_EccPrivateKey *my_private_key;
/**
- * Our private key.
+ * Our ephemeral private key.
*/
-static struct GNUNET_CRYPTO_RsaPrivateKey *my_private_key;
+static struct GNUNET_CRYPTO_EccPrivateKey *my_ephemeral_key;
/**
+ * Current message we send for a key exchange.
+ */
+static struct EphemeralKeyMessage current_ekm;
+
+/**
* Our public key.
*/
-static struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded my_public_key;
+static struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded my_public_key;
/**
* Our message stream tokenizer (for encrypted payload).
*/
static struct GNUNET_SERVER_MessageStreamTokenizer *mst;
+/**
+ * DLL head.
+ */
+static struct GSC_KeyExchangeInfo *kx_head;
-#if EXTRA_CHECKS
/**
- * Check internal invariants of the given KX record.
- *
- * @param kx record to check
- * @param file filename for error reporting
- * @param line line number for error reporting
+ * DLL tail.
+ */
+static struct GSC_KeyExchangeInfo *kx_tail;
+
+/**
+ * Task scheduled for periodic re-generation (and thus rekeying) of our
+ * ephemeral key.
*/
-static void
-check_kx_record (struct GSC_KeyExchangeInfo *kx,
- const char *file,
- int line)
-{
- struct GNUNET_HashCode hc;
+static GNUNET_SCHEDULER_TaskIdentifier rekey_task;
- if (NULL == kx->public_key)
- return;
- GNUNET_CRYPTO_hash (kx->public_key, sizeof (*kx->public_key), &hc);
- GNUNET_assert_at (0 == memcmp (&hc, &kx->peer, sizeof (struct
GNUNET_HashCode)), file, line);
-}
-
/**
- * Check internal invariants of the given KX record.
- *
- * @param kx record to check
- */
-#define CHECK_KX(kx) check_kx_record(kx, __FILE__, __LINE__)
-#else
-#define CHECK_KX(kx)
-#endif
-
-/**
* Derive an authentication key from "set key" information
*
* @param akey authentication key to derive
* @param skey session key to use
* @param seed seed to use
- * @param creation_time creation time to use
*/
static void
derive_auth_key (struct GNUNET_CRYPTO_AuthKey *akey,
- const struct GNUNET_CRYPTO_AesSessionKey *skey, uint32_t seed,
- struct GNUNET_TIME_Absolute creation_time)
+ const struct GNUNET_CRYPTO_AesSessionKey *skey, uint32_t seed)
{
static const char ctx[] = "authentication key";
- struct GNUNET_TIME_AbsoluteNBO ctbe;
- ctbe = GNUNET_TIME_absolute_hton (creation_time);
GNUNET_CRYPTO_hmac_derive_key (akey, skey, &seed, sizeof (seed), &skey->key,
- sizeof (skey->key), &ctbe, sizeof (ctbe), ctx,
+ sizeof (skey->key), ctx,
sizeof (ctx), NULL);
}
@@ -539,6 +478,31 @@
/**
+ * Derive an AES key from key material
+ *
+ * @param sender peer identity of the sender
+ * @param receiver peer identity of the sender
+ * @param key_material high entropy key material to use
+ * @param skey set to derived session key
+ */
+static void
+derive_aes_key (const struct GNUNET_PeerIdentity *sender,
+ const struct GNUNET_PeerIdentity *receiver,
+ const struct GNUNET_HashCode *key_material,
+ struct GNUNET_CRYPTO_AesSessionKey *skey)
+{
+ static const char ctx[] = "aes key generation vector";
+
+ GNUNET_CRYPTO_kdf (skey, sizeof (struct GNUNET_CRYPTO_AesSessionKey),
+ ctx, sizeof (ctx),
+ skey, sizeof (struct GNUNET_CRYPTO_AesSessionKey),
+ sender, sizeof (struct GNUNET_PeerIdentity),
+ receiver, sizeof (struct GNUNET_PeerIdentity),
+ NULL);
+}
+
+
+/**
* Encrypt size bytes from in and write the result to out. Use the
* key for outbound traffic of the given neighbour.
*
@@ -601,8 +565,7 @@
return GNUNET_NO;
}
if ( (kx->status != KX_STATE_KEY_RECEIVED) && (kx->status != KX_STATE_UP) &&
- (kx->status != KX_STATE_REKEY_SENT) &&
- (kx->status != KX_STATE_REKEY) )
+ (kx->status != KX_STATE_REKEY_SENT) )
{
GNUNET_break_op (0);
return GNUNET_SYSERR;
@@ -651,88 +614,34 @@
struct GSC_KeyExchangeInfo *kx = cls;
kx->retry_set_key_task = GNUNET_SCHEDULER_NO_TASK;
- kx->set_key_retry_frequency =
- GNUNET_TIME_relative_multiply (kx->set_key_retry_frequency, 2);
+ kx->set_key_retry_frequency = GNUNET_TIME_STD_BACKOFF
(kx->set_key_retry_frequency);
send_key (kx);
}
/**
- * PEERINFO is giving us a HELLO for a peer. Add the public key to
- * the neighbour's struct and continue with the key exchange. Or, if
- * we did not get a HELLO, just do nothing.
+ * Create a fresh PING message for transmission to the other peer.
*
- * @param cls the 'struct GSC_KeyExchangeInfo' to retry sending the key for
- * @param peer the peer for which this is the HELLO
- * @param hello HELLO message of that peer
- * @param err_msg NULL if successful, otherwise contains error message
+ * @param kx key exchange context to create PING for
*/
static void
-process_hello (void *cls, const struct GNUNET_PeerIdentity *peer,
- const struct GNUNET_HELLO_Message *hello, const char *err_msg)
+setup_fresh_ping (struct GSC_KeyExchangeInfo *kx)
{
- struct GSC_KeyExchangeInfo *kx = cls;
- struct SetKeyMessage *skm;
+ struct PingMessage pp;
+ struct PingMessage *pm;
+ struct GNUNET_CRYPTO_AesInitializationVector iv;
- CHECK_KX (kx);
- if (NULL != err_msg)
- {
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
- _("Error in communication with PEERINFO service\n"));
- kx->pitr = NULL;
- if (GNUNET_SCHEDULER_NO_TASK != kx->retry_set_key_task)
- GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
- kx->retry_set_key_task =
- GNUNET_SCHEDULER_add_delayed (kx->set_key_retry_frequency,
- &set_key_retry_task, kx);
- return;
- }
- if (NULL == peer)
- {
- kx->pitr = NULL;
- if (NULL != kx->public_key)
- return; /* done here */
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
- "Failed to obtain public key for peer `%4s', delaying
processing of SET_KEY\n",
- GNUNET_i2s (&kx->peer));
- GNUNET_STATISTICS_update (GSC_stats,
- gettext_noop
- ("# Delayed connecting due to lack of public
key"),
- 1, GNUNET_NO);
- if (GNUNET_SCHEDULER_NO_TASK != kx->retry_set_key_task)
- GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
- kx->retry_set_key_task =
- GNUNET_SCHEDULER_add_delayed (kx->set_key_retry_frequency,
- &set_key_retry_task, kx);
- return;
- }
- GNUNET_break (0 == memcmp (peer, &kx->peer, sizeof (struct
GNUNET_PeerIdentity)));
- if (NULL != kx->public_key)
- {
- /* already have public key, why are we here? */
- GNUNET_break (0);
- return;
- }
- GNUNET_assert (GNUNET_SCHEDULER_NO_TASK == kx->retry_set_key_task);
- kx->public_key =
- GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded));
- if (GNUNET_OK != GNUNET_HELLO_get_key (hello, kx->public_key))
- {
- GNUNET_break (0);
- GNUNET_free (kx->public_key);
- kx->public_key = NULL;
- CHECK_KX (kx);
- return;
- }
- CHECK_KX (kx);
- send_key (kx);
- if (NULL != kx->skm_received)
- {
- skm = kx->skm_received;
- kx->skm_received = NULL;
- GSC_KX_handle_set_key (kx, &skm->header);
- GNUNET_free (skm);
- }
+ pm = &kx->ping;
+ pm->header.size = htons (sizeof (struct PingMessage));
+ pm->header.type = htons (GNUNET_MESSAGE_TYPE_CORE_PING);
+ pm->iv_seed =
+ GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
+ derive_iv (&iv, &kx->encrypt_key, pm->iv_seed, &kx->peer);
+ pp.challenge = kx->ping_challenge;
+ pp.target = kx->peer;
+ do_encrypt (kx, &iv, &pp.target, &pm->target,
+ sizeof (struct PingMessage) - ((void *) &pm->target -
+ (void *) pm));
}
@@ -747,7 +656,8 @@
{
struct GSC_KeyExchangeInfo *kx;
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Initiating key exchange with `%s'\n",
+ GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+ "Initiating key exchange with `%s'\n",
GNUNET_i2s (pid));
GNUNET_STATISTICS_update (GSC_stats,
gettext_noop ("# key exchanges initiated"), 1,
@@ -755,11 +665,11 @@
kx = GNUNET_malloc (sizeof (struct GSC_KeyExchangeInfo));
kx->peer = *pid;
kx->set_key_retry_frequency = INITIAL_SET_KEY_RETRY_FREQUENCY;
- kx->pitr =
- GNUNET_PEERINFO_iterate (peerinfo, pid,
- GNUNET_TIME_UNIT_FOREVER_REL /* timeout? */ ,
- &process_hello, kx);
- CHECK_KX (kx);
+ GNUNET_CONTAINER_DLL_insert (kx_head,
+ kx_tail,
+ kx);
+ kx->status = KX_STATE_KEY_SENT;
+ send_key (kx);
return kx;
}
@@ -774,11 +684,6 @@
{
GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# key exchanges
stopped"),
1, GNUNET_NO);
- if (NULL != kx->pitr)
- {
- GNUNET_PEERINFO_iterate_cancel (kx->pitr);
- kx->pitr = NULL;
- }
if (kx->retry_set_key_task != GNUNET_SCHEDULER_NO_TASK)
{
GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
@@ -789,16 +694,26 @@
GNUNET_SCHEDULER_cancel (kx->keep_alive_task);
kx->keep_alive_task = GNUNET_SCHEDULER_NO_TASK;
}
- GNUNET_free_non_null (kx->skm_received);
- GNUNET_free_non_null (kx->ping_received);
- GNUNET_free_non_null (kx->pong_received);
- GNUNET_free_non_null (kx->emsg_received);
- GNUNET_free_non_null (kx->public_key);
+ GNUNET_CONTAINER_DLL_remove (kx_head,
+ kx_tail,
+ kx);
GNUNET_free (kx);
}
/**
+ * Send our PING to the other peer.
+ *
+ * @param kx key exchange context
+ */
+static void
+send_ping (struct GSC_KeyExchangeInfo *kx)
+{
+ GSC_NEIGHBOURS_transmit (&kx->peer, &kx->ping.header,
+ MIN_PING_FREQUENCY);
+}
+
+/**
* We received a SET_KEY message. Validate and update
* our key material and status.
*
@@ -806,146 +721,142 @@
* @param msg the set key message we received
*/
void
-GSC_KX_handle_set_key (struct GSC_KeyExchangeInfo *kx,
- const struct GNUNET_MessageHeader *msg)
+GSC_KX_handle_ephemeral_key (struct GSC_KeyExchangeInfo *kx,
+ const struct GNUNET_MessageHeader *msg)
{
- const struct SetKeyMessage *m;
- struct GNUNET_TIME_Absolute t;
- struct GNUNET_CRYPTO_AesSessionKey k;
- struct PingMessage *ping;
- struct PongMessage *pong;
- enum KxStateMachine sender_status;
+ const struct EphemeralKeyMessage *m;
+ struct GNUNET_TIME_Absolute start_t;
+ struct GNUNET_TIME_Absolute end_t;
+ struct GNUNET_TIME_Absolute now;
+ struct GNUNET_PeerIdentity signer_id;
+ enum KxStateMachine sender_status;
uint16_t size;
+ struct GNUNET_HashCode key_material;
- CHECK_KX (kx);
size = ntohs (msg->size);
- if (size != sizeof (struct SetKeyMessage))
+ if (sizeof (struct EphemeralKeyMessage) != size)
{
GNUNET_break_op (0);
return;
}
- m = (const struct SetKeyMessage *) msg;
- GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# session keys
received"),
+ m = (const struct EphemeralKeyMessage *) msg;
+ GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# ephemeral keys
received"),
1, GNUNET_NO);
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
- "Core service receives `%s' request from `%4s'.\n", "SET_KEY",
+ "Core service receives `%s' request from `%4s'.\n",
"EPHEMERAL_KEY",
GNUNET_i2s (&kx->peer));
- if (NULL == kx->public_key)
- {
- GNUNET_free_non_null (kx->skm_received);
- kx->skm_received = (struct SetKeyMessage *) GNUNET_copy_message (msg);
- return;
- }
+ GNUNET_CRYPTO_hash (&m->origin_public_key,
+ sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded),
+ &signer_id.hashPubKey);
if (0 !=
- memcmp (&m->target, &GSC_my_identity,
+ memcmp (&signer_id, &kx->peer,
sizeof (struct GNUNET_PeerIdentity)))
- {
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
- _("`%s' is for `%s', not for me. Ignoring.\n"), "SET_KEY",
- GNUNET_i2s (&m->target));
+ {
+ GNUNET_break_op (0);
return;
}
if ((ntohl (m->purpose.size) !=
- sizeof (struct GNUNET_CRYPTO_RsaSignaturePurpose) +
+ sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
sizeof (struct GNUNET_TIME_AbsoluteNBO) +
- sizeof (struct GNUNET_CRYPTO_RsaEncryptedData) +
- sizeof (struct GNUNET_PeerIdentity)) ||
+ sizeof (struct GNUNET_TIME_AbsoluteNBO) +
+ sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded) +
+ sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded)) ||
(GNUNET_OK !=
- GNUNET_CRYPTO_rsa_verify (GNUNET_SIGNATURE_PURPOSE_SET_KEY, &m->purpose,
- &m->signature, kx->public_key)))
+ GNUNET_CRYPTO_ecc_verify (GNUNET_SIGNATURE_PURPOSE_SET_ECC_KEY,
+ &m->purpose,
+ &m->signature, &m->origin_public_key)))
{
/* invalid signature */
- CHECK_KX (kx);
GNUNET_break_op (0);
return;
}
- t = GNUNET_TIME_absolute_ntoh (m->creation_time);
- if (((kx->status == KX_STATE_KEY_RECEIVED) || (kx->status == KX_STATE_UP)) &&
- (t.abs_value < kx->decrypt_key_created.abs_value))
+ start_t = GNUNET_TIME_absolute_ntoh (m->creation_time);
+ end_t = GNUNET_TIME_absolute_ntoh (m->expiration_time);
+ now = GNUNET_TIME_absolute_get ();
+ if ( (end_t.abs_value < GNUNET_TIME_absolute_subtract (now,
REKEY_TOLERANCE).abs_value) ||
+ (start_t.abs_value > GNUNET_TIME_absolute_add (now,
REKEY_TOLERANCE).abs_value) )
{
- /* this could rarely happen due to massive re-ordering of
- * messages on the network level, but is most likely either
- * a bug or some adversary messing with us. Report. */
- GNUNET_break_op (0);
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ _("Ephemeral key message rejected as its validity range does
not match our system time (%llu not in [%llu,%llu]).\n"),
+ now.abs_value,
+ start_t.abs_value,
+ end_t.abs_value);
return;
}
- if ((GNUNET_CRYPTO_rsa_decrypt
- (my_private_key, &m->encrypted_key, &k,
- sizeof (struct GNUNET_CRYPTO_AesSessionKey)) !=
- sizeof (struct GNUNET_CRYPTO_AesSessionKey)) ||
- (GNUNET_OK != GNUNET_CRYPTO_aes_check_session_key (&k)))
+ if (GNUNET_OK !=
+ GNUNET_CRYPTO_ecc_ecdh (my_ephemeral_key,
+ &m->ephemeral_key,
+ &key_material))
{
- /* failed to decrypt !? */
- GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
- "Invalid key %x decrypted by %s from message %u (origin: %s)\n",
- (unsigned int) GNUNET_CRYPTO_crc32_n (&k, sizeof (struct
GNUNET_CRYPTO_AesSessionKey)),
- GNUNET_i2s (&GSC_my_identity),
- (unsigned int) GNUNET_CRYPTO_crc32_n (&m->encrypted_key, sizeof
(struct GNUNET_CRYPTO_RsaEncryptedData)),
- GNUNET_h2s (&kx->peer.hashPubKey));
- GNUNET_break_op (0);
+ GNUNET_break (0);
return;
}
GNUNET_STATISTICS_update (GSC_stats,
- gettext_noop ("# SET_KEY messages decrypted"), 1,
+ gettext_noop ("# EPHEMERAL_KEY messages
decrypted"), 1,
GNUNET_NO);
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Received SET_KEY from `%s'\n",
- GNUNET_i2s (&kx->peer));
- kx->decrypt_key = k;
- if (kx->decrypt_key_created.abs_value != t.abs_value)
+ derive_aes_key (&GSC_my_identity,
+ &kx->peer,
+ &key_material,
+ &kx->encrypt_key);
+ derive_aes_key (&kx->peer,
+ &GSC_my_identity,
+ &key_material,
+ &kx->decrypt_key);
+ /* fresh key, reset sequence numbers */
+ kx->last_sequence_number_received = 0;
+ kx->last_packets_bitmap = 0;
+ kx->foreign_key_expires = end_t;
+ setup_fresh_ping (kx);
+
+ /* check if we still need to send the sender our key */
+ sender_status = (enum KxStateMachine) ntohl (m->sender_status);
+ switch (sender_status)
{
- /* fresh key, reset sequence numbers */
- kx->last_sequence_number_received = 0;
- kx->last_packets_bitmap = 0;
- kx->decrypt_key_created = t;
+ case KX_STATE_DOWN:
+ /* makes no sense, should be at least KX_STATE_KEY_SENT */
+ GNUNET_break_op (0);
+ break;
+ case KX_STATE_KEY_SENT:
+ send_key (kx);
+ break;
+ case KX_STATE_KEY_RECEIVED:
+ case KX_STATE_UP:
+ case KX_STATE_REKEY_SENT:
+ /* other peer already got our key */
+ break;
+ default:
+ GNUNET_break (0);
+ break;
}
- sender_status = (enum KxStateMachine) ntohl (m->sender_status);
+ /* check if we need to confirm everything is fine via PING + PONG */
switch (kx->status)
{
case KX_STATE_DOWN:
kx->status = KX_STATE_KEY_RECEIVED;
- /* we're not up, so we are already doing 'send_key' */
+ send_ping (kx);
break;
case KX_STATE_KEY_SENT:
kx->status = KX_STATE_KEY_RECEIVED;
- /* we're not up, so we are already doing 'send_key' */
+ send_ping (kx);
break;
case KX_STATE_KEY_RECEIVED:
- /* we're not up, so we are already doing 'send_key' */
+ send_ping (kx);
break;
case KX_STATE_UP:
- if ((sender_status == KX_STATE_DOWN) ||
- (sender_status == KX_STATE_KEY_SENT))
- send_key (kx); /* we are up, but other peer is not! */
+ kx->status = KX_STATE_KEY_RECEIVED;
+ /* we got a new key, need to reconfirm! */
+ send_ping (kx);
break;
- case KX_STATE_REKEY:
- if ((sender_status == KX_STATE_DOWN) ||
- (sender_status == KX_STATE_KEY_SENT))
- send_key (kx); /* we are up, but other peer is not! */
- break;
case KX_STATE_REKEY_SENT:
- if ((sender_status == KX_STATE_DOWN) ||
- (sender_status == KX_STATE_KEY_SENT))
- send_key (kx); /* we are up, but other peer is not! */
+ kx->status = KX_STATE_KEY_RECEIVED;
+ /* we got a new key, need to reconfirm! */
+ send_ping (kx);
break;
default:
GNUNET_break (0);
break;
}
- if (NULL != kx->ping_received)
- {
- ping = kx->ping_received;
- kx->ping_received = NULL;
- GSC_KX_handle_ping (kx, &ping->header);
- GNUNET_free (ping);
- }
- if (NULL != kx->pong_received)
- {
- pong = kx->pong_received;
- kx->pong_received = NULL;
- GSC_KX_handle_pong (kx, &pong->header);
- GNUNET_free (pong);
- }
}
@@ -976,12 +887,14 @@
GNUNET_STATISTICS_update (GSC_stats,
gettext_noop ("# PING messages received"), 1,
GNUNET_NO);
- if ((kx->status != KX_STATE_KEY_RECEIVED) && (kx->status != KX_STATE_UP) &&
- (kx->status != KX_STATE_REKEY_SENT))
+ if ( (kx->status != KX_STATE_KEY_RECEIVED) &&
+ (kx->status != KX_STATE_UP) &&
+ (kx->status != KX_STATE_REKEY_SENT))
{
- /* defer */
- GNUNET_free_non_null (kx->ping_received);
- kx->ping_received = (struct PingMessage *) GNUNET_copy_message (msg);
+ /* ignore */
+ GNUNET_STATISTICS_update (GSC_stats,
+ gettext_noop ("# PING messages dropped (out of
order)"), 1,
+ GNUNET_NO);
return;
}
m = (const struct PingMessage *) msg;
@@ -1012,10 +925,8 @@
GNUNET_break_op (0);
return;
}
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Received PING from `%s'\n",
- GNUNET_i2s (&kx->peer));
/* construct PONG */
- tx.reserved = GNUNET_BANDWIDTH_VALUE_MAX;
+ tx.reserved = 0;
tx.challenge = t.challenge;
tx.target = t.target;
tp.header.type = htons (GNUNET_MESSAGE_TYPE_CORE_PONG);
@@ -1034,76 +945,6 @@
/**
- * Create a fresh SET KEY message for transmission to the other peer.
- * Also creates a new key.
- *
- * @param kx key exchange context to create SET KEY message for
- */
-static void
-setup_fresh_setkey (struct GSC_KeyExchangeInfo *kx)
-{
- struct SetKeyMessage *skm;
-
- GNUNET_CRYPTO_aes_create_session_key (&kx->encrypt_key);
- kx->encrypt_key_created = GNUNET_TIME_absolute_get ();
- skm = &kx->skm;
- skm->header.size = htons (sizeof (struct SetKeyMessage));
- skm->header.type = htons (GNUNET_MESSAGE_TYPE_CORE_SET_KEY);
- skm->purpose.size =
- htonl (sizeof (struct GNUNET_CRYPTO_RsaSignaturePurpose) +
- sizeof (struct GNUNET_TIME_AbsoluteNBO) +
- sizeof (struct GNUNET_CRYPTO_RsaEncryptedData) +
- sizeof (struct GNUNET_PeerIdentity));
- skm->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SET_KEY);
- skm->creation_time = GNUNET_TIME_absolute_hton (kx->encrypt_key_created);
- skm->target = kx->peer;
- CHECK_KX (kx);
- GNUNET_assert (GNUNET_OK ==
- GNUNET_CRYPTO_rsa_encrypt (&kx->encrypt_key,
- sizeof (struct
-
GNUNET_CRYPTO_AesSessionKey),
- kx->public_key,
- &skm->encrypted_key));
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
- "Encrypting key %x for %s resulting in message %u (origin: %s)\n",
- (unsigned int) GNUNET_CRYPTO_crc32_n (&kx->encrypt_key, sizeof
(struct GNUNET_CRYPTO_AesSessionKey)),
- GNUNET_i2s (&kx->peer),
- (unsigned int) GNUNET_CRYPTO_crc32_n (&skm->encrypted_key, sizeof
(struct GNUNET_CRYPTO_RsaEncryptedData)),
- GNUNET_h2s (&GSC_my_identity.hashPubKey));
-
- GNUNET_assert (GNUNET_OK ==
- GNUNET_CRYPTO_rsa_sign (my_private_key, &skm->purpose,
- &skm->signature));
-}
-
-
-/**
- * Create a fresh PING message for transmission to the other peer.
- *
- * @param kx key exchange context to create PING for
- */
-static void
-setup_fresh_ping (struct GSC_KeyExchangeInfo *kx)
-{
- struct PingMessage pp;
- struct PingMessage *pm;
- struct GNUNET_CRYPTO_AesInitializationVector iv;
-
- pm = &kx->ping;
- pm->header.size = htons (sizeof (struct PingMessage));
- pm->header.type = htons (GNUNET_MESSAGE_TYPE_CORE_PING);
- pm->iv_seed =
- GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
- derive_iv (&iv, &kx->encrypt_key, pm->iv_seed, &kx->peer);
- pp.challenge = kx->ping_challenge;
- pp.target = kx->peer;
- do_encrypt (kx, &iv, &pp.target, &pm->target,
- sizeof (struct PingMessage) - ((void *) &pm->target -
- (void *) pm));
-}
-
-
-/**
* Task triggered when a neighbour entry is about to time out
* (and we should prevent this by sending a PING).
*
@@ -1125,7 +966,7 @@
gettext_noop ("# sessions terminated by
timeout"),
1, GNUNET_NO);
GSC_SESSIONS_end (&kx->peer);
- kx->status = KX_STATE_DOWN;
+ kx->status = KX_STATE_KEY_SENT;
send_key (kx);
return;
}
@@ -1168,49 +1009,6 @@
/**
- * Trigger rekeying event.
- *
- * @param cls the 'struct GSC_KeyExchangeInfo'
- * @param tc schedule context (unused)
- */
-static void
-trigger_rekey (void *cls,
- const struct GNUNET_SCHEDULER_TaskContext *tc)
-{
- struct GSC_KeyExchangeInfo *kx = cls;
-
- GNUNET_break (KX_STATE_UP == kx->status);
- kx->status = KX_STATE_REKEY;
- kx->set_key_retry_frequency = INITIAL_SET_KEY_RETRY_FREQUENCY;
- kx->retry_set_key_task =
- GNUNET_SCHEDULER_add_delayed (kx->set_key_retry_frequency,
- &set_key_retry_task, kx);
-}
-
-
-/**
- * Schedule rekey operation.
- *
- * @param kx key exchange to schedule rekey for
- */
-static void
-schedule_rekey (struct GSC_KeyExchangeInfo *kx)
-{
- struct GNUNET_TIME_Relative rdelay;
-
- if (GNUNET_SCHEDULER_NO_TASK != kx->retry_set_key_task)
- GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
- rdelay = REKEY_FREQUENCY;
- /* randomize rekey frequency by one minute to avoid synchronization */
- rdelay.rel_value += GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK,
- 60 * 1000);
- kx->retry_set_key_task = GNUNET_SCHEDULER_add_delayed (REKEY_FREQUENCY,
- &trigger_rekey,
- kx);
-}
-
-
-/**
* We received a PONG message. Validate and update our status.
*
* @param kx key exchange context for the the PONG
@@ -1222,7 +1020,6 @@
{
const struct PongMessage *m;
struct PongMessage t;
- struct EncryptedMessage *emsg;
struct GNUNET_CRYPTO_AesInitializationVector iv;
uint16_t msize;
@@ -1238,17 +1035,19 @@
switch (kx->status)
{
case KX_STATE_DOWN:
+ GNUNET_STATISTICS_update (GSC_stats,
+ gettext_noop ("# PONG messages dropped
(connection down)"), 1,
+ GNUNET_NO);
return;
case KX_STATE_KEY_SENT:
- GNUNET_free_non_null (kx->pong_received);
- kx->pong_received = (struct PongMessage *) GNUNET_copy_message (msg);
+ GNUNET_STATISTICS_update (GSC_stats,
+ gettext_noop ("# PONG messages dropped (out of
order)"), 1,
+ GNUNET_NO);
return;
case KX_STATE_KEY_RECEIVED:
break;
case KX_STATE_UP:
break;
- case KX_STATE_REKEY:
- break;
case KX_STATE_REKEY_SENT:
break;
default:
@@ -1289,13 +1088,19 @@
}
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Received PONG from `%s'\n",
GNUNET_i2s (&kx->peer));
+ /* no need to resend key any longer */
+ if (GNUNET_SCHEDULER_NO_TASK != kx->retry_set_key_task)
+ {
+ GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
+ kx->retry_set_key_task = GNUNET_SCHEDULER_NO_TASK;
+ }
switch (kx->status)
{
case KX_STATE_DOWN:
- GNUNET_break (0); /* should be impossible */
+ GNUNET_assert (0); /* should be impossible */
return;
case KX_STATE_KEY_SENT:
- GNUNET_break (0); /* should be impossible */
+ GNUNET_assert (0); /* should be impossible */
return;
case KX_STATE_KEY_RECEIVED:
GNUNET_STATISTICS_update (GSC_stats,
@@ -1304,32 +1109,22 @@
GNUNET_NO);
kx->status = KX_STATE_UP;
GSC_SESSIONS_create (&kx->peer, kx);
- CHECK_KX (kx);
- schedule_rekey (kx);
GNUNET_assert (GNUNET_SCHEDULER_NO_TASK == kx->keep_alive_task);
- if (NULL != kx->emsg_received)
- {
- emsg = kx->emsg_received;
- kx->emsg_received = NULL;
- GSC_KX_handle_encrypted_message (kx, &emsg->header, NULL,
- 0 /* FIXME: ATSI */ );
- GNUNET_free (emsg);
- }
update_timeout (kx);
break;
case KX_STATE_UP:
+ GNUNET_STATISTICS_update (GSC_stats,
+ gettext_noop
+ ("# timeouts prevented via PONG"), 1,
+ GNUNET_NO);
update_timeout (kx);
break;
- case KX_STATE_REKEY:
- update_timeout (kx);
- break;
case KX_STATE_REKEY_SENT:
GNUNET_STATISTICS_update (GSC_stats,
gettext_noop
("# rekey operations confirmed via PONG"), 1,
GNUNET_NO);
kx->status = KX_STATE_UP;
- schedule_rekey (kx);
update_timeout (kx);
break;
default:
@@ -1340,87 +1135,26 @@
/**
- * Send our key (and encrypted PING) to the other peer.
+ * Send our key to the other peer.
*
* @param kx key exchange context
*/
static void
send_key (struct GSC_KeyExchangeInfo *kx)
{
- CHECK_KX (kx);
if (GNUNET_SCHEDULER_NO_TASK != kx->retry_set_key_task)
{
GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
kx->retry_set_key_task = GNUNET_SCHEDULER_NO_TASK;
}
- if (KX_STATE_UP == kx->status)
- return; /* nothing to do */
- if (NULL == kx->public_key)
- {
- if (NULL != kx->pitr)
- return;
- /* lookup public key, then try again */
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
- "Trying to obtain public key for `%s'\n",
- GNUNET_i2s (&kx->peer));
- kx->pitr =
- GNUNET_PEERINFO_iterate (peerinfo, &kx->peer,
- GNUNET_TIME_UNIT_FOREVER_REL /* timeout? */ ,
- &process_hello, kx);
- return;
- }
-
- /* update status */
- switch (kx->status)
- {
- case KX_STATE_DOWN:
- kx->status = KX_STATE_KEY_SENT;
- /* setup SET KEY message */
- setup_fresh_setkey (kx);
- setup_fresh_ping (kx);
- GNUNET_STATISTICS_update (GSC_stats,
- gettext_noop
- ("# SET_KEY and PING messages created"), 1,
- GNUNET_NO);
- break;
- case KX_STATE_KEY_SENT:
- break;
- case KX_STATE_KEY_RECEIVED:
- break;
- case KX_STATE_UP:
- GNUNET_break (0);
- return;
- case KX_STATE_REKEY:
- kx->status = KX_STATE_REKEY_SENT;
- /* setup fresh SET KEY message */
- setup_fresh_setkey (kx);
- setup_fresh_ping (kx);
- GNUNET_STATISTICS_update (GSC_stats,
- gettext_noop
- ("# SET_KEY and PING messages created"), 1,
- GNUNET_NO);
- GNUNET_STATISTICS_update (GSC_stats,
- gettext_noop
- ("# REKEY operations performed"), 1,
- GNUNET_NO);
- break;
- case KX_STATE_REKEY_SENT:
- break;
- default:
- GNUNET_break (0);
- return;
- }
-
/* always update sender status in SET KEY message */
- /* Not sending rekey sent state to be compatible with GNUnet 0.9.2 */
- kx->skm.sender_status = htonl ((int32_t) ((kx->status ==
KX_STATE_REKEY_SENT) ?
- KX_STATE_KEY_RECEIVED :
kx->status));
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Sending SET_KEY and PING to `%s'\n",
- GNUNET_i2s (&kx->peer));
- GSC_NEIGHBOURS_transmit (&kx->peer, &kx->skm.header,
+ GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+ "Sending key to `%s' (my status: %d)\n",
+ GNUNET_i2s (&kx->peer),
+ kx->status);
+ current_ekm.sender_status = htonl ((int32_t) (kx->status));
+ GSC_NEIGHBOURS_transmit (&kx->peer, ¤t_ekm.header,
kx->set_key_retry_frequency);
- GSC_NEIGHBOURS_transmit (&kx->peer, &kx->ping.header,
- kx->set_key_retry_frequency);
kx->retry_set_key_task =
GNUNET_SCHEDULER_add_delayed (kx->set_key_retry_frequency,
&set_key_retry_task, kx);
@@ -1451,7 +1185,7 @@
htonl (GNUNET_CRYPTO_random_u32
(GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX));
ph->sequence_number = htonl (++kx->last_sequence_number_sent);
- ph->reserved = GNUNET_BANDWIDTH_VALUE_MAX;
+ ph->reserved = 0;
ph->timestamp = GNUNET_TIME_absolute_hton (GNUNET_TIME_absolute_get ());
memcpy (&ph[1], payload, payload_size);
@@ -1466,8 +1200,9 @@
used - ENCRYPTED_HEADER_SIZE));
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Encrypted %u bytes for %s\n",
used - ENCRYPTED_HEADER_SIZE, GNUNET_i2s (&kx->peer));
- derive_auth_key (&auth_key, &kx->encrypt_key, ph->iv_seed,
- kx->encrypt_key_created);
+ derive_auth_key (&auth_key,
+ &kx->encrypt_key,
+ ph->iv_seed);
GNUNET_CRYPTO_hmac (&auth_key, &em->sequence_number,
used - ENCRYPTED_HEADER_SIZE, &em->hmac);
GSC_NEIGHBOURS_transmit (&kx->peer, &em->header,
@@ -1531,31 +1266,35 @@
return;
}
m = (const struct EncryptedMessage *) msg;
- if ((kx->status != KX_STATE_KEY_RECEIVED) && (kx->status != KX_STATE_UP) &&
- (kx->status != KX_STATE_REKEY_SENT) )
+ if (kx->status != KX_STATE_UP)
{
GNUNET_STATISTICS_update (GSC_stats,
gettext_noop
- ("# failed to decrypt message (no session key)"),
+ ("# DATA message dropped (out of order)"),
1, GNUNET_NO);
return;
}
- if (KX_STATE_KEY_RECEIVED == kx->status)
+ if (0 == GNUNET_TIME_absolute_get_remaining
(kx->foreign_key_expires).rel_value)
{
- /* defer */
- GNUNET_free_non_null (kx->emsg_received);
- kx->emsg_received = (struct EncryptedMessage *) GNUNET_copy_message (msg);
+ kx->status = KX_STATE_KEY_SENT;
+ GNUNET_STATISTICS_update (GSC_stats,
+ gettext_noop
+ ("# DATA message dropped (session key expired)"),
+ 1, GNUNET_NO);
+ send_key (kx);
return;
}
+
/* validate hash */
- derive_auth_key (&auth_key, &kx->decrypt_key, m->iv_seed,
- kx->decrypt_key_created);
+ derive_auth_key (&auth_key, &kx->decrypt_key, m->iv_seed);
GNUNET_CRYPTO_hmac (&auth_key, &m->sequence_number,
size - ENCRYPTED_HEADER_SIZE, &ph);
if (0 != memcmp (&ph, &m->hmac, sizeof (struct GNUNET_HashCode)))
{
/* checksum failed */
- GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "Failed checksum validation for a
message from `%s'\n", GNUNET_i2s (&kx->peer));
+ GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+ "Failed checksum validation for a message from `%s'\n",
+ GNUNET_i2s (&kx->peer));
return;
}
derive_iv (&iv, &kx->decrypt_key, m->iv_seed, &GSC_my_identity);
@@ -1572,7 +1311,7 @@
snum = ntohl (pt->sequence_number);
if (kx->last_sequence_number_received == snum)
{
- GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+ GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
"Received duplicate message, ignoring.\n");
/* duplicate, ignore */
GNUNET_STATISTICS_update (GSC_stats,
@@ -1583,7 +1322,7 @@
if ((kx->last_sequence_number_received > snum) &&
(kx->last_sequence_number_received - snum > 32))
{
- GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+ GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
"Received ancient out of sequence message, ignoring.\n");
/* ancient out of sequence, ignore */
GNUNET_STATISTICS_update (GSC_stats,
@@ -1598,7 +1337,7 @@
if ((kx->last_packets_bitmap & rotbit) != 0)
{
- GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+ GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
"Received duplicate message, ignoring.\n");
GNUNET_STATISTICS_update (GSC_stats,
gettext_noop ("# bytes dropped (duplicates)"),
@@ -1624,8 +1363,8 @@
if (GNUNET_TIME_absolute_get_duration (t).rel_value >
MAX_MESSAGE_AGE.rel_value)
{
- GNUNET_log (GNUNET_ERROR_TYPE_INFO,
- _("Message received far too old (%s). Content ignored.\n"),
+ GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+ "Message received far too old (%s). Content ignored.\n",
GNUNET_STRINGS_relative_time_to_string
(GNUNET_TIME_absolute_get_duration (t), GNUNET_YES));
GNUNET_STATISTICS_update (GSC_stats,
gettext_noop
@@ -1684,28 +1423,89 @@
/**
+ * Setup the message that links the ephemeral key to our persistent
+ * public key and generate the appropriate signature.
+ */
+static void
+sign_ephemeral_key ()
+{
+ current_ekm.header.size = htons (sizeof (struct EphemeralKeyMessage));
+ current_ekm.header.type = htons (GNUNET_MESSAGE_TYPE_CORE_EPHEMERAL_KEY);
+ current_ekm.sender_status = 0; /* to be set later */
+ current_ekm.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_SET_ECC_KEY);
+ current_ekm.purpose.size = htonl (sizeof (struct
GNUNET_CRYPTO_EccSignaturePurpose) +
+ sizeof (struct GNUNET_TIME_AbsoluteNBO) +
+ sizeof (struct GNUNET_TIME_AbsoluteNBO) +
+ sizeof (struct
GNUNET_CRYPTO_EccPublicKeyBinaryEncoded) +
+ sizeof (struct
GNUNET_CRYPTO_EccPublicKeyBinaryEncoded));
+ current_ekm.creation_time = GNUNET_TIME_absolute_hton
(GNUNET_TIME_absolute_get ());
+ current_ekm.expiration_time = GNUNET_TIME_absolute_hton
(GNUNET_TIME_relative_to_absolute (GNUNET_TIME_relative_add (REKEY_FREQUENCY,
+
REKEY_TOLERANCE)));
+ GNUNET_CRYPTO_ecc_key_get_public (my_ephemeral_key,
+ ¤t_ekm.ephemeral_key);
+ current_ekm.origin_public_key = my_public_key;
+ GNUNET_assert (GNUNET_OK ==
+ GNUNET_CRYPTO_ecc_sign (my_private_key,
+ ¤t_ekm.purpose,
+ ¤t_ekm.signature));
+}
+
+
+/**
+ * Task run to trigger rekeying.
+ *
+ * @param cls closure, NULL
+ * @param tc scheduler context
+ */
+static void
+do_rekey (void *cls,
+ const struct GNUNET_SCHEDULER_TaskContext *tc)
+{
+ struct GSC_KeyExchangeInfo *pos;
+
+ rekey_task = GNUNET_SCHEDULER_add_delayed (REKEY_FREQUENCY,
+ &do_rekey,
+ NULL);
+ if (NULL != my_ephemeral_key)
+ GNUNET_CRYPTO_ecc_key_free (my_ephemeral_key);
+ my_ephemeral_key = GNUNET_CRYPTO_ecc_key_create ();
+ GNUNET_assert (NULL != my_ephemeral_key);
+ sign_ephemeral_key ();
+ for (pos = kx_head; NULL != pos; pos = pos->next)
+ {
+ pos->status = KX_STATE_REKEY_SENT;
+ send_key (pos);
+ }
+}
+
+
+/**
* Initialize KX subsystem.
*
* @param pk private key to use for the peer
* @return GNUNET_OK on success, GNUNET_SYSERR on failure
*/
int
-GSC_KX_init (struct GNUNET_CRYPTO_RsaPrivateKey *pk)
+GSC_KX_init (struct GNUNET_CRYPTO_EccPrivateKey *pk)
{
+ GNUNET_assert (NULL != pk);
my_private_key = pk;
- GNUNET_CRYPTO_rsa_key_get_public (my_private_key, &my_public_key);
+ GNUNET_CRYPTO_ecc_key_get_public (my_private_key, &my_public_key);
GNUNET_CRYPTO_hash (&my_public_key, sizeof (my_public_key),
&GSC_my_identity.hashPubKey);
- peerinfo = GNUNET_PEERINFO_connect (GSC_cfg);
- if (NULL == peerinfo)
+ my_ephemeral_key = GNUNET_CRYPTO_ecc_key_create ();
+ if (NULL == my_ephemeral_key)
{
- GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
- _("Could not access PEERINFO service. Exiting.\n"));
- GNUNET_CRYPTO_rsa_key_free (my_private_key);
+ GNUNET_break (0);
+ GNUNET_CRYPTO_ecc_key_free (my_private_key);
my_private_key = NULL;
return GNUNET_SYSERR;
}
+ sign_ephemeral_key ();
mst = GNUNET_SERVER_mst_create (&deliver_message, NULL);
+ rekey_task = GNUNET_SCHEDULER_add_delayed (REKEY_FREQUENCY,
+ &do_rekey,
+ NULL);
return GNUNET_OK;
}
@@ -1716,15 +1516,20 @@
void
GSC_KX_done ()
{
+ if (GNUNET_SCHEDULER_NO_TASK != rekey_task)
+ {
+ GNUNET_SCHEDULER_cancel (rekey_task);
+ rekey_task = GNUNET_SCHEDULER_NO_TASK;
+ }
if (NULL != my_private_key)
{
- GNUNET_CRYPTO_rsa_key_free (my_private_key);
+ GNUNET_CRYPTO_ecc_key_free (my_private_key);
my_private_key = NULL;
}
- if (NULL != peerinfo)
+ if (NULL != my_ephemeral_key)
{
- GNUNET_PEERINFO_disconnect (peerinfo);
- peerinfo = NULL;
+ GNUNET_CRYPTO_ecc_key_free (my_ephemeral_key);
+ my_ephemeral_key = NULL;
}
if (NULL != mst)
{
Modified: gnunet/src/core/gnunet-service-core_kx.h
===================================================================
--- gnunet/src/core/gnunet-service-core_kx.h 2013-02-05 20:48:40 UTC (rev
26034)
+++ gnunet/src/core/gnunet-service-core_kx.h 2013-02-05 20:49:21 UTC (rev
26035)
@@ -37,15 +37,15 @@
/**
- * We received a SET_KEY message. Validate and update
+ * We received a EPHEMERAL_KEY message. Validate and update
* our key material and status.
*
* @param kx key exchange status for the corresponding peer
* @param msg the set key message we received
*/
void
-GSC_KX_handle_set_key (struct GSC_KeyExchangeInfo *kx,
- const struct GNUNET_MessageHeader *msg);
+GSC_KX_handle_ephemeral_key (struct GSC_KeyExchangeInfo *kx,
+ const struct GNUNET_MessageHeader *msg);
/**
@@ -125,7 +125,7 @@
* @return GNUNET_OK on success, GNUNET_SYSERR on failure
*/
int
-GSC_KX_init (struct GNUNET_CRYPTO_RsaPrivateKey *pk);
+GSC_KX_init (struct GNUNET_CRYPTO_EccPrivateKey *pk);
/**
Modified: gnunet/src/core/gnunet-service-core_neighbours.c
===================================================================
--- gnunet/src/core/gnunet-service-core_neighbours.c 2013-02-05 20:48:40 UTC
(rev 26034)
+++ gnunet/src/core/gnunet-service-core_neighbours.c 2013-02-05 20:49:21 UTC
(rev 26035)
@@ -400,8 +400,8 @@
type = ntohs (message->type);
switch (type)
{
- case GNUNET_MESSAGE_TYPE_CORE_SET_KEY:
- GSC_KX_handle_set_key (n->kxinfo, message);
+ case GNUNET_MESSAGE_TYPE_CORE_EPHEMERAL_KEY:
+ GSC_KX_handle_ephemeral_key (n->kxinfo, message);
break;
case GNUNET_MESSAGE_TYPE_CORE_PING:
GSC_KX_handle_ping (n->kxinfo, message);
Modified: gnunet/src/hello/gnunet-hello.c
===================================================================
--- gnunet/src/hello/gnunet-hello.c 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/src/hello/gnunet-hello.c 2013-02-05 20:49:21 UTC (rev 26035)
@@ -107,7 +107,7 @@
struct GNUNET_DISK_FileHandle *fh;
struct GNUNET_HELLO_Message *orig;
struct GNUNET_HELLO_Message *result;
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded pk;
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded pk;
uint64_t fsize;
GNUNET_log_setup ("gnunet-hello", "INFO", NULL);
Modified: gnunet/src/hello/hello.c
===================================================================
--- gnunet/src/hello/hello.c 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/src/hello/hello.c 2013-02-05 20:49:21 UTC (rev 26035)
@@ -59,7 +59,7 @@
/**
* The public key of the peer.
*/
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded publicKey;
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded publicKey;
};
GNUNET_NETWORK_STRUCT_END
@@ -201,7 +201,7 @@
* @return the hello message
*/
struct GNUNET_HELLO_Message *
-GNUNET_HELLO_create (const struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded
+GNUNET_HELLO_create (const struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded
*publicKey,
GNUNET_HELLO_GenerateAddressListCallback addrgen,
void *addrgen_cls)
@@ -227,7 +227,7 @@
hello->header.type = htons (GNUNET_MESSAGE_TYPE_HELLO);
hello->header.size = htons (sizeof (struct GNUNET_HELLO_Message) + used);
memcpy (&hello->publicKey, publicKey,
- sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded));
+ sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded));
memcpy (&hello[1], buffer, used);
return hello;
}
@@ -274,7 +274,7 @@
wpos = 0;
woff = (ret != NULL) ? (char *) &ret[1] : NULL;
GNUNET_CRYPTO_hash (&msg->publicKey,
- sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded),
+ sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded),
&address.peer.hashPubKey);
while (insize > 0)
{
@@ -503,7 +503,7 @@
*/
int
GNUNET_HELLO_get_key (const struct GNUNET_HELLO_Message *hello,
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded
*publicKey)
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded
*publicKey)
{
uint16_t ret = ntohs (hello->header.size);
@@ -532,7 +532,7 @@
(ntohs (hello->header.type) != GNUNET_MESSAGE_TYPE_HELLO))
return GNUNET_SYSERR;
GNUNET_CRYPTO_hash (&hello->publicKey,
- sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded),
+ sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded),
&peer->hashPubKey);
return GNUNET_OK;
}
@@ -641,7 +641,7 @@
if (0 !=
memcmp (&h1->publicKey, &h2->publicKey,
- sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded)))
+ sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded)))
return GNUNET_TIME_UNIT_ZERO_ABS;
ec.expiration_limit = now;
ec.result = GNUNET_TIME_UNIT_FOREVER_ABS;
@@ -833,7 +833,7 @@
struct GNUNET_HELLO_ComposeUriContext ctx;
ctx.plugins_find = plugins_find;
- char *pkey = GNUNET_CRYPTO_rsa_public_key_to_string (&(hello->publicKey));
+ char *pkey = GNUNET_CRYPTO_ecc_public_key_to_string (&(hello->publicKey));
GNUNET_asprintf (&(ctx.uri),
"%s%s",
GNUNET_HELLO_URI_PREFIX,
@@ -1005,7 +1005,7 @@
*/
int
GNUNET_HELLO_parse_uri (const char *uri,
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded *pubkey,
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded *pubkey,
struct GNUNET_HELLO_Message **hello,
GNUNET_HELLO_TransportPluginsFind plugins_find)
{
Modified: gnunet/src/hello/test_hello.c
===================================================================
--- gnunet/src/hello/test_hello.c 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/src/hello/test_hello.c 2013-02-05 20:49:21 UTC (rev 26035)
@@ -93,8 +93,8 @@
struct GNUNET_HELLO_Message *msg1;
struct GNUNET_HELLO_Message *msg2;
struct GNUNET_HELLO_Message *msg3;
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded publicKey;
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded pk;
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded publicKey;
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded pk;
struct GNUNET_TIME_Absolute startup_time;
unsigned int i;
Modified: gnunet/src/include/gnunet_crypto_lib.h
===================================================================
--- gnunet/src/include/gnunet_crypto_lib.h 2013-02-05 20:48:40 UTC (rev
26034)
+++ gnunet/src/include/gnunet_crypto_lib.h 2013-02-05 20:49:21 UTC (rev
26035)
@@ -323,10 +323,6 @@
*/
unsigned char key[GNUNET_CRYPTO_AES_KEY_LENGTH];
- /**
- * checksum!
- */
- uint32_t crc32 GNUNET_PACKED;
};
GNUNET_NETWORK_STRUCT_END
@@ -451,17 +447,6 @@
/**
- * Check that a new session key is well-formed.
- *
- * @param key key to check
- * @return GNUNET_OK if the key is valid
- */
-int
-GNUNET_CRYPTO_aes_check_session_key (const struct GNUNET_CRYPTO_AesSessionKey
- *key);
-
-
-/**
* Encrypt a block with the public key of another
* host that uses the same cyper.
*
@@ -1199,7 +1184,7 @@
* @return string representing 'pub'
*/
char *
-GNUNET_CRYPTO_ecc_public_key_to_string (struct
GNUNET_CRYPTO_EccPublicKeyBinaryEncoded *pub);
+GNUNET_CRYPTO_ecc_public_key_to_string (const struct
GNUNET_CRYPTO_EccPublicKeyBinaryEncoded *pub);
/**
Modified: gnunet/src/include/gnunet_hello_lib.h
===================================================================
--- gnunet/src/include/gnunet_hello_lib.h 2013-02-05 20:48:40 UTC (rev
26034)
+++ gnunet/src/include/gnunet_hello_lib.h 2013-02-05 20:49:21 UTC (rev
26035)
@@ -183,7 +183,7 @@
* @return the hello message
*/
struct GNUNET_HELLO_Message *
-GNUNET_HELLO_create (const struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded
+GNUNET_HELLO_create (const struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded
*publicKey,
GNUNET_HELLO_GenerateAddressListCallback addrgen,
void *addrgen_cls);
@@ -310,7 +310,7 @@
*/
int
GNUNET_HELLO_get_key (const struct GNUNET_HELLO_Message *hello,
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded
*publicKey);
@@ -364,7 +364,7 @@
*/
int
GNUNET_HELLO_parse_uri (const char *uri,
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded *pubkey,
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded *pubkey,
struct GNUNET_HELLO_Message **hello,
GNUNET_HELLO_TransportPluginsFind plugins_find);
Modified: gnunet/src/include/gnunet_protocols.h
===================================================================
--- gnunet/src/include/gnunet_protocols.h 2013-02-05 20:48:40 UTC (rev
26034)
+++ gnunet/src/include/gnunet_protocols.h 2013-02-05 20:49:21 UTC (rev
26035)
@@ -313,11 +313,6 @@
#define GNUNET_MESSAGE_TYPE_CORE_PEER_CONNECTED 80
/**
- * Session key exchange between peers.
- */
-#define GNUNET_MESSAGE_TYPE_CORE_SET_KEY 81
-
-/**
* Encapsulation for an encrypted message between peers.
*/
#define GNUNET_MESSAGE_TYPE_CORE_ENCRYPTED_MESSAGE 82
@@ -347,6 +342,12 @@
*/
#define GNUNET_MESSAGE_TYPE_CORE_BINARY_TYPE_MAP 87
+/**
+ * Session key exchange between peers.
+ */
+#define GNUNET_MESSAGE_TYPE_CORE_EPHEMERAL_KEY 88
+
+
/*******************************************************************************
* DATASTORE message types
******************************************************************************/
Modified: gnunet/src/include/gnunet_signatures.h
===================================================================
--- gnunet/src/include/gnunet_signatures.h 2013-02-05 20:48:40 UTC (rev
26034)
+++ gnunet/src/include/gnunet_signatures.h 2013-02-05 20:49:21 UTC (rev
26035)
@@ -53,11 +53,6 @@
#define GNUNET_SIGNATURE_PURPOSE_TRANSPORT_DISCONNECT 2
/**
- * Purpose is to set a session key.
- */
-#define GNUNET_SIGNATURE_PURPOSE_SET_KEY 3
-
-/**
* Signature for a namespace/pseudonym advertisement (by
* the namespace owner).
*/
@@ -115,12 +110,18 @@
*/
#define GNUNET_SIGNATURE_PURPOSE_NSE_SEND 14
-
/**
* Signature of a gnunet naming system record block
*/
#define GNUNET_SIGNATURE_PURPOSE_GNS_RECORD_SIGN 15
+/**
+ * Purpose is to set a session key.
+ */
+#define GNUNET_SIGNATURE_PURPOSE_SET_ECC_KEY 16
+
+
+
#if 0 /* keep Emacsens' auto-indent happy */
{
#endif
Modified: gnunet/src/include/gnunet_testing_lib.h
===================================================================
--- gnunet/src/include/gnunet_testing_lib.h 2013-02-05 20:48:40 UTC (rev
26034)
+++ gnunet/src/include/gnunet_testing_lib.h 2013-02-05 20:49:21 UTC (rev
26035)
@@ -44,7 +44,13 @@
#endif
#endif
-#define GNUNET_TESTING_HOSTKEYFILESIZE 914
+/**
+ * Size of each hostkey in the hostkey file (in BYTES). This is the
+ * maximum length of the S-expressions generated by libgcrypt for the
+ * curves (rounded up to the next full KB to make IO nicer); it is NOT
+ * the number of bits in the key.
+ */
+#define GNUNET_TESTING_HOSTKEYFILESIZE 2048
/**
* Handle for a system on which GNUnet peers are executed;
@@ -138,7 +144,7 @@
* key; if NULL, GNUNET_SYSERR is returned immediately
* @return NULL on error (not enough keys)
*/
-struct GNUNET_CRYPTO_RsaPrivateKey *
+struct GNUNET_CRYPTO_EccPrivateKey *
GNUNET_TESTING_hostkey_get (const struct GNUNET_TESTING_System *system,
uint32_t key_number,
struct GNUNET_PeerIdentity *id);
Modified: gnunet/src/peerinfo-tool/gnunet-peerinfo.c
===================================================================
--- gnunet/src/peerinfo-tool/gnunet-peerinfo.c 2013-02-05 20:48:40 UTC (rev
26034)
+++ gnunet/src/peerinfo-tool/gnunet-peerinfo.c 2013-02-05 20:49:21 UTC (rev
26035)
@@ -167,7 +167,7 @@
/**
* My public key.
*/
-static struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded my_public_key;
+static struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded my_public_key;
/**
* Head of list of print contexts.
@@ -524,7 +524,7 @@
run (void *cls, char *const *args, const char *cfgfile,
const struct GNUNET_CONFIGURATION_Handle *c)
{
- struct GNUNET_CRYPTO_RsaPrivateKey *priv;
+ struct GNUNET_CRYPTO_EccPrivateKey *priv;
char *fn;
cfg = c;
@@ -551,22 +551,22 @@
{
/* load private key */
if (GNUNET_OK !=
- GNUNET_CONFIGURATION_get_value_filename (cfg, "GNUNETD", "HOSTKEY",
+ GNUNET_CONFIGURATION_get_value_filename (cfg, "PEER", "PRIVATE_KEY",
&fn))
{
FPRINTF (stderr, _("Could not find option `%s:%s' in configuration.\n"),
"GNUNETD", "HOSTKEYFILE");
return;
}
- if (NULL == (priv = GNUNET_CRYPTO_rsa_key_create_from_file (fn)))
+ if (NULL == (priv = GNUNET_CRYPTO_ecc_key_create_from_file (fn)))
{
FPRINTF (stderr, _("Loading hostkey from `%s' failed.\n"), fn);
GNUNET_free (fn);
return;
}
GNUNET_free (fn);
- GNUNET_CRYPTO_rsa_key_get_public (priv, &my_public_key);
- GNUNET_CRYPTO_rsa_key_free (priv);
+ GNUNET_CRYPTO_ecc_key_get_public (priv, &my_public_key);
+ GNUNET_CRYPTO_ecc_key_free (priv);
GNUNET_CRYPTO_hash (&my_public_key, sizeof (my_public_key),
&my_peer_identity.hashPubKey);
}
Modified: gnunet/src/testing/gnunet-testing.c
===================================================================
--- gnunet/src/testing/gnunet-testing.c 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/src/testing/gnunet-testing.c 2013-02-05 20:49:21 UTC (rev 26035)
@@ -28,7 +28,7 @@
#include "gnunet_testing_lib.h"
-#define HOSTKEYFILESIZE 914
+#define HOSTKEYFILESIZE 1024
/**
* Final status code.
@@ -119,11 +119,13 @@
static int
create_hostkeys (const unsigned int no)
{
+ static char pad[HOSTKEYFILESIZE];
struct GNUNET_TESTING_System *system;
struct GNUNET_PeerIdentity id;
struct GNUNET_DISK_FileHandle *fd;
- struct GNUNET_CRYPTO_RsaPrivateKey *pk;
- struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded *pkb;
+ struct GNUNET_CRYPTO_EccPrivateKey *pk;
+ struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded *pkb;
+ ssize_t ret;
system = GNUNET_TESTING_system_create ("testing", NULL, NULL);
pk = GNUNET_TESTING_hostkey_get (system, create_no, &id);
@@ -140,14 +142,20 @@
GNUNET_DISK_PERM_USER_READ |
GNUNET_DISK_PERM_USER_WRITE);
GNUNET_assert (fd != NULL);
- pkb = GNUNET_CRYPTO_rsa_encode_key (pk);
- GNUNET_assert (HOSTKEYFILESIZE ==
- GNUNET_DISK_file_write (fd, pkb, ntohs (pkb->len)));
+ pkb = GNUNET_CRYPTO_ecc_encode_key (pk);
+ ret = GNUNET_DISK_file_write (fd, pkb,
+ ntohs (pkb->size));
+ GNUNET_assert (ntohs (pkb->size) == ret);
+ GNUNET_assert (ntohs (pkb->size) < HOSTKEYFILESIZE);
+ GNUNET_assert (HOSTKEYFILESIZE - ret ==
+ GNUNET_DISK_file_write (fd, pad,
+ HOSTKEYFILESIZE - ret));
+
GNUNET_assert (GNUNET_OK == GNUNET_DISK_file_close (fd));
GNUNET_log_from (GNUNET_ERROR_TYPE_DEBUG, "transport-testing",
"Wrote hostkey to file: `%s'\n", create_hostkey);
GNUNET_free (pkb);
- GNUNET_CRYPTO_rsa_key_free (pk);
+ GNUNET_CRYPTO_ecc_key_free (pk);
GNUNET_TESTING_system_destroy (system, GNUNET_YES);
return 0;
}
Modified: gnunet/src/testing/testing.c
===================================================================
--- gnunet/src/testing/testing.c 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/src/testing/testing.c 2013-02-05 20:49:21 UTC (rev 26035)
@@ -202,7 +202,7 @@
GNUNET_assert (NULL == system->hostkeys_data);
data_dir = GNUNET_OS_installation_get_path (GNUNET_OS_IPK_DATADIR);
- GNUNET_asprintf (&filename, "%s/testing_hostkeys.dat", data_dir);
+ GNUNET_asprintf (&filename, "%s/testing_hostkeys.ecc", data_dir);
GNUNET_free (data_dir);
if (GNUNET_YES != GNUNET_DISK_file_test (filename))
@@ -525,13 +525,13 @@
* key; if NULL, GNUNET_SYSERR is returned immediately
* @return NULL on error (not enough keys)
*/
-struct GNUNET_CRYPTO_RsaPrivateKey *
+struct GNUNET_CRYPTO_EccPrivateKey *
GNUNET_TESTING_hostkey_get (const struct GNUNET_TESTING_System *system,
uint32_t key_number,
struct GNUNET_PeerIdentity *id)
{
- struct GNUNET_CRYPTO_RsaPrivateKey *private_key;
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded public_key;
+ struct GNUNET_CRYPTO_EccPrivateKey *private_key;
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded public_key;
if ((NULL == id) || (NULL == system->hostkeys_data))
return NULL;
@@ -541,7 +541,7 @@
_("Key number %u does not exist\n"), key_number);
return NULL;
}
- private_key = GNUNET_CRYPTO_rsa_decode_key (system->hostkeys_data +
+ private_key = GNUNET_CRYPTO_ecc_decode_key (system->hostkeys_data +
(key_number *
GNUNET_TESTING_HOSTKEYFILESIZE),
GNUNET_TESTING_HOSTKEYFILESIZE);
@@ -551,9 +551,9 @@
_("Error while decoding key %u\n"), key_number);
return NULL;
}
- GNUNET_CRYPTO_rsa_key_get_public (private_key, &public_key);
+ GNUNET_CRYPTO_ecc_key_get_public (private_key, &public_key);
GNUNET_CRYPTO_hash (&public_key,
- sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded),
+ sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded),
&(id->hashPubKey));
return private_key;
}
@@ -855,7 +855,7 @@
char *config_filename;
char *libexec_binary;
char *emsg_;
- struct GNUNET_CRYPTO_RsaPrivateKey *pk;
+ struct GNUNET_CRYPTO_EccPrivateKey *pk;
if (NULL != emsg)
*emsg = NULL;
@@ -897,12 +897,13 @@
return NULL;
}
if (NULL != pk)
- GNUNET_CRYPTO_rsa_key_free (pk);
+ GNUNET_CRYPTO_ecc_key_free (pk);
GNUNET_assert (GNUNET_OK ==
GNUNET_CONFIGURATION_get_value_string (cfg, "PATHS",
"SERVICEHOME",
&service_home));
- GNUNET_snprintf (hostkey_filename, sizeof (hostkey_filename), "%s/.hostkey",
+ /* FIXME: might be better to evaluate actual configuration option here... */
+ GNUNET_snprintf (hostkey_filename, sizeof (hostkey_filename),
"%s/private.ecc",
service_home);
GNUNET_free (service_home);
fd = GNUNET_DISK_file_open (hostkey_filename,
@@ -978,7 +979,7 @@
GNUNET_TESTING_peer_get_identity (const struct GNUNET_TESTING_Peer *peer,
struct GNUNET_PeerIdentity *id)
{
- GNUNET_CRYPTO_rsa_key_free (GNUNET_TESTING_hostkey_get (peer->system,
+ GNUNET_CRYPTO_ecc_key_free (GNUNET_TESTING_hostkey_get (peer->system,
peer->key_number,
id));
}
Modified: gnunet/src/transport/gnunet-service-transport.c
===================================================================
--- gnunet/src/transport/gnunet-service-transport.c 2013-02-05 20:48:40 UTC
(rev 26034)
+++ gnunet/src/transport/gnunet-service-transport.c 2013-02-05 20:49:21 UTC
(rev 26035)
@@ -65,7 +65,7 @@
/**
* Hostkey generation context
*/
-struct GNUNET_CRYPTO_RsaKeyGenerationContext *GST_keygen;
+struct GNUNET_CRYPTO_EccKeyGenerationContext *GST_keygen;
/**
* Handle to our service's server.
@@ -75,12 +75,12 @@
/**
* Our public key.
*/
-struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded GST_my_public_key;
+struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded GST_my_public_key;
/**
* Our private key.
*/
-struct GNUNET_CRYPTO_RsaPrivateKey *GST_my_private_key;
+struct GNUNET_CRYPTO_EccPrivateKey *GST_my_private_key;
/**
* ATS handle.
@@ -557,7 +557,7 @@
{
if (NULL != GST_keygen)
{
- GNUNET_CRYPTO_rsa_key_create_stop (GST_keygen);
+ GNUNET_CRYPTO_ecc_key_create_stop (GST_keygen);
GST_keygen = NULL;
}
GST_neighbours_stop ();
@@ -583,7 +583,7 @@
}
if (NULL != GST_my_private_key)
{
- GNUNET_CRYPTO_rsa_key_free (GST_my_private_key);
+ GNUNET_CRYPTO_ecc_key_free (GST_my_private_key);
GST_my_private_key = NULL;
}
GST_server = NULL;
@@ -599,10 +599,9 @@
*/
static void
key_generation_cb (void *cls,
- struct GNUNET_CRYPTO_RsaPrivateKey *pk,
+ struct GNUNET_CRYPTO_EccPrivateKey *pk,
const char *emsg)
{
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded tmp;
long long unsigned int max_fd_cfg;
int max_fd_rlimit;
int max_fd;
@@ -627,14 +626,10 @@
return;
}
GST_peerinfo = GNUNET_PEERINFO_connect (GST_cfg);
- memset (&GST_my_public_key, '\0', sizeof (GST_my_public_key));
- memset (&tmp, '\0', sizeof (tmp));
- GNUNET_CRYPTO_rsa_key_get_public (GST_my_private_key, &GST_my_public_key);
+ GNUNET_CRYPTO_ecc_key_get_public (GST_my_private_key, &GST_my_public_key);
GNUNET_CRYPTO_hash (&GST_my_public_key, sizeof (GST_my_public_key),
&GST_my_identity.hashPubKey);
-
GNUNET_assert (NULL != GST_my_private_key);
- GNUNET_assert (0 != memcmp (&GST_my_public_key, &tmp, sizeof
(GST_my_public_key)));
GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_FOREVER_REL, &shutdown_task,
NULL);
@@ -712,7 +707,7 @@
/* setup globals */
GST_cfg = c;
if (GNUNET_OK !=
- GNUNET_CONFIGURATION_get_value_filename (c, "GNUNETD", "HOSTKEY",
+ GNUNET_CONFIGURATION_get_value_filename (c, "PEER", "PRIVATE_KEY",
&keyfile))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
@@ -729,7 +724,7 @@
}
GST_server = server;
GNUNET_SERVER_suspend (server);
- GST_keygen = GNUNET_CRYPTO_rsa_key_create_start (keyfile,
&key_generation_cb, NULL);
+ GST_keygen = GNUNET_CRYPTO_ecc_key_create_start (keyfile,
&key_generation_cb, NULL);
GNUNET_free (keyfile);
if (NULL == GST_keygen)
{
Modified: gnunet/src/transport/gnunet-service-transport.h
===================================================================
--- gnunet/src/transport/gnunet-service-transport.h 2013-02-05 20:48:40 UTC
(rev 26034)
+++ gnunet/src/transport/gnunet-service-transport.h 2013-02-05 20:49:21 UTC
(rev 26035)
@@ -55,12 +55,12 @@
/**
* Our public key.
*/
-extern struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded GST_my_public_key;
+extern struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded GST_my_public_key;
/**
* Our private key.
*/
-extern struct GNUNET_CRYPTO_RsaPrivateKey *GST_my_private_key;
+extern struct GNUNET_CRYPTO_EccPrivateKey *GST_my_private_key;
/**
* ATS handle.
Modified: gnunet/src/transport/gnunet-service-transport_hello.c
===================================================================
--- gnunet/src/transport/gnunet-service-transport_hello.c 2013-02-05
20:48:40 UTC (rev 26034)
+++ gnunet/src/transport/gnunet-service-transport_hello.c 2013-02-05
20:49:21 UTC (rev 26035)
@@ -74,7 +74,7 @@
/**
* Signature for a 'struct TransportPongMessage' for this address.
*/
- struct GNUNET_CRYPTO_RsaSignature pong_signature;
+ struct GNUNET_CRYPTO_EccSignature pong_signature;
};
@@ -299,7 +299,7 @@
*/
int
GST_hello_test_address (const struct GNUNET_HELLO_Address *address,
- struct GNUNET_CRYPTO_RsaSignature **sig,
+ struct GNUNET_CRYPTO_EccSignature **sig,
struct GNUNET_TIME_Absolute **sig_expiration)
{
struct OwnAddressList *al;
Modified: gnunet/src/transport/gnunet-service-transport_hello.h
===================================================================
--- gnunet/src/transport/gnunet-service-transport_hello.h 2013-02-05
20:48:40 UTC (rev 26034)
+++ gnunet/src/transport/gnunet-service-transport_hello.h 2013-02-05
20:49:21 UTC (rev 26035)
@@ -92,7 +92,7 @@
*/
int
GST_hello_test_address (const struct GNUNET_HELLO_Address *address,
- struct GNUNET_CRYPTO_RsaSignature **sig,
+ struct GNUNET_CRYPTO_EccSignature **sig,
struct GNUNET_TIME_Absolute **sig_expiration);
Modified: gnunet/src/transport/gnunet-service-transport_neighbours.c
===================================================================
--- gnunet/src/transport/gnunet-service-transport_neighbours.c 2013-02-05
20:48:40 UTC (rev 26034)
+++ gnunet/src/transport/gnunet-service-transport_neighbours.c 2013-02-05
20:49:21 UTC (rev 26035)
@@ -318,7 +318,7 @@
* Purpose of the signature. Extends over the timestamp.
* Purpose should be GNUNET_SIGNATURE_PURPOSE_TRANSPORT_DISCONNECT.
*/
- struct GNUNET_CRYPTO_RsaSignaturePurpose purpose;
+ struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
/**
* Absolute time at the sender. Only the most recent connect
@@ -329,14 +329,14 @@
/**
* Public key of the sender.
*/
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded public_key;
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded public_key;
/**
* Signature of the peer that sends us the disconnect. Only
* valid if the timestamp is AFTER the timestamp from the
* corresponding 'CONNECT' message.
*/
- struct GNUNET_CRYPTO_RsaSignature signature;
+ struct GNUNET_CRYPTO_EccSignature signature;
};
@@ -1205,8 +1205,8 @@
htons (GNUNET_MESSAGE_TYPE_TRANSPORT_SESSION_DISCONNECT);
disconnect_msg.reserved = htonl (0);
disconnect_msg.purpose.size =
- htonl (sizeof (struct GNUNET_CRYPTO_RsaSignaturePurpose) +
- sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded) +
+ htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
+ sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded) +
sizeof (struct GNUNET_TIME_AbsoluteNBO));
disconnect_msg.purpose.purpose =
htonl (GNUNET_MESSAGE_TYPE_TRANSPORT_SESSION_DISCONNECT);
@@ -1214,7 +1214,7 @@
GNUNET_TIME_absolute_hton (GNUNET_TIME_absolute_get ());
disconnect_msg.public_key = GST_my_public_key;
GNUNET_assert (GNUNET_OK ==
- GNUNET_CRYPTO_rsa_sign (GST_my_private_key,
+ GNUNET_CRYPTO_ecc_sign (GST_my_private_key,
&disconnect_msg.purpose,
&disconnect_msg.signature));
@@ -3195,7 +3195,7 @@
return;
}
GNUNET_CRYPTO_hash (&sdm->public_key,
- sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded),
+ sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded),
&hc);
if (0 != memcmp (peer, &hc, sizeof (struct GNUNET_PeerIdentity)))
{
@@ -3203,15 +3203,15 @@
return;
}
if (ntohl (sdm->purpose.size) !=
- sizeof (struct GNUNET_CRYPTO_RsaSignaturePurpose) +
- sizeof (struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded) +
+ sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
+ sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded) +
sizeof (struct GNUNET_TIME_AbsoluteNBO))
{
GNUNET_break_op (0);
return;
}
if (GNUNET_OK !=
- GNUNET_CRYPTO_rsa_verify
+ GNUNET_CRYPTO_ecc_verify
(GNUNET_MESSAGE_TYPE_TRANSPORT_SESSION_DISCONNECT, &sdm->purpose,
&sdm->signature, &sdm->public_key))
{
Modified: gnunet/src/transport/gnunet-service-transport_validation.c
===================================================================
--- gnunet/src/transport/gnunet-service-transport_validation.c 2013-02-05
20:48:40 UTC (rev 26034)
+++ gnunet/src/transport/gnunet-service-transport_validation.c 2013-02-05
20:49:21 UTC (rev 26035)
@@ -149,13 +149,13 @@
/**
* Signature.
*/
- struct GNUNET_CRYPTO_RsaSignature signature;
+ struct GNUNET_CRYPTO_EccSignature signature;
/**
* GNUNET_SIGNATURE_PURPOSE_TRANSPORT_PONG_OWN to confirm that this is a
* plausible address for the signing peer.
*/
- struct GNUNET_CRYPTO_RsaSignaturePurpose purpose;
+ struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
/**
* When does this signature expire?
@@ -190,7 +190,7 @@
/**
* Public key of the peer.
*/
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded public_key;
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded public_key;
/**
* The identity of the peer. FIXME: duplicated (also in 'address')
@@ -636,7 +636,7 @@
* if we don't have an existing entry and no public key was given
*/
static struct ValidationEntry *
-find_validation_entry (const struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded
+find_validation_entry (const struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded
*public_key, const struct GNUNET_HELLO_Address *address)
{
struct ValidationEntryMatchContext vemc;
@@ -688,7 +688,7 @@
const struct GNUNET_HELLO_Message *hello = cls;
struct ValidationEntry *ve;
struct GNUNET_PeerIdentity pid;
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded public_key;
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded public_key;
if (GNUNET_TIME_absolute_get_remaining (expiration).rel_value == 0)
return GNUNET_OK; /* expired */
@@ -789,7 +789,7 @@
*/
static void
multicast_pong (void *cls,
- const struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded
+ const struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded
*public_key, struct GNUNET_TIME_Absolute valid_until,
struct GNUNET_TIME_Absolute validation_block,
const struct GNUNET_HELLO_Address *address)
@@ -835,7 +835,7 @@
const struct TransportPingMessage *ping;
struct TransportPongMessage *pong;
struct GNUNET_TRANSPORT_PluginFunctions *papi;
- struct GNUNET_CRYPTO_RsaSignature *sig_cache;
+ struct GNUNET_CRYPTO_EccSignature *sig_cache;
struct GNUNET_TIME_Absolute *sig_cache_exp;
const char *addr;
const char *addrend;
@@ -931,7 +931,7 @@
{
addrend = NULL; /* make gcc happy */
slen = 0;
- static struct GNUNET_CRYPTO_RsaSignature no_address_signature;
+ static struct GNUNET_CRYPTO_EccSignature no_address_signature;
static struct GNUNET_TIME_Absolute no_address_signature_expiration;
sig_cache = &no_address_signature;
@@ -951,7 +951,7 @@
htons (sizeof (struct TransportPongMessage) + alen + slen);
pong->header.type = htons (GNUNET_MESSAGE_TYPE_TRANSPORT_PONG);
pong->purpose.size =
- htonl (sizeof (struct GNUNET_CRYPTO_RsaSignaturePurpose) +
+ htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
sizeof (uint32_t) + sizeof (struct GNUNET_TIME_AbsoluteNBO) +
alen + slen);
pong->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_TRANSPORT_PONG_OWN);
@@ -981,7 +981,7 @@
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Creating buggy PONG signature to
indicate ownership.\n");
pong->expiration = GNUNET_TIME_absolute_hton
(GNUNET_TIME_relative_to_absolute (PONG_SIGNATURE_LIFETIME));
GNUNET_assert (GNUNET_OK ==
- GNUNET_CRYPTO_rsa_sign (GST_my_private_key, &pong->purpose,
+ GNUNET_CRYPTO_ecc_sign (GST_my_private_key, &pong->purpose,
&pong->signature));
}
else
@@ -1001,7 +1001,7 @@
*sig_cache_exp = GNUNET_TIME_relative_to_absolute
(PONG_SIGNATURE_LIFETIME);
pong->expiration = GNUNET_TIME_absolute_hton (*sig_cache_exp);
GNUNET_assert (GNUNET_OK ==
- GNUNET_CRYPTO_rsa_sign (GST_my_private_key,
&pong->purpose,
+ GNUNET_CRYPTO_ecc_sign (GST_my_private_key,
&pong->purpose,
sig_cache));
}
else
@@ -1080,7 +1080,7 @@
/**
* Public key of the peer whose address is being validated.
*/
- struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded public_key;
+ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded public_key;
};
@@ -1197,7 +1197,7 @@
}
if (GNUNET_OK !=
- GNUNET_CRYPTO_rsa_verify (GNUNET_SIGNATURE_PURPOSE_TRANSPORT_PONG_OWN,
+ GNUNET_CRYPTO_ecc_verify (GNUNET_SIGNATURE_PURPOSE_TRANSPORT_PONG_OWN,
&pong->purpose, &pong->signature,
&ve->public_key))
{
Modified: gnunet/src/transport/gnunet-service-transport_validation.h
===================================================================
--- gnunet/src/transport/gnunet-service-transport_validation.h 2013-02-05
20:48:40 UTC (rev 26034)
+++ gnunet/src/transport/gnunet-service-transport_validation.h 2013-02-05
20:49:21 UTC (rev 26035)
@@ -134,7 +134,7 @@
*/
typedef void (*GST_ValidationAddressCallback) (void *cls,
const struct
-
GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded
+
GNUNET_CRYPTO_EccPublicKeyBinaryEncoded
* public_key,
struct GNUNET_TIME_Absolute
valid_until,
Modified: gnunet/src/transport/test_plugin_transport.c
===================================================================
--- gnunet/src/transport/test_plugin_transport.c 2013-02-05 20:48:40 UTC
(rev 26034)
+++ gnunet/src/transport/test_plugin_transport.c 2013-02-05 20:49:21 UTC
(rev 26035)
@@ -43,12 +43,12 @@
#define WAIT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 5)
#define TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 30)
-#define HOSTKEY_FILE "test_plugin_hostkey"
+#define HOSTKEY_FILE "test_plugin_hostkey.ecc"
/**
* Our public key.
*/
-static struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded my_public_key;
+static struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded my_public_key;
/**
* Our identity.
@@ -58,7 +58,7 @@
/**
* Our private key.
*/
-static struct GNUNET_CRYPTO_RsaPrivateKey *my_private_key;
+static struct GNUNET_CRYPTO_EccPrivateKey *my_private_key;
/**
* Our configuration.
@@ -533,7 +533,7 @@
"NEIGHBOUR_LIMIT",
&tneigh)) ||
(GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (c,
- "GNUNETD",
"HOSTKEY",
+ "PEER",
"PRIVATE_KEY",
&keyfile)))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
@@ -576,7 +576,7 @@
max_connect_per_transport = (uint32_t) tneigh;
- my_private_key = GNUNET_CRYPTO_rsa_key_create_from_file (keyfile);
+ my_private_key = GNUNET_CRYPTO_ecc_key_create_from_file (keyfile);
GNUNET_free (keyfile);
if (NULL == my_private_key)
{
@@ -585,7 +585,7 @@
end_badly_now ();
return;
}
- GNUNET_CRYPTO_rsa_key_get_public (my_private_key, &my_public_key);
+ GNUNET_CRYPTO_ecc_key_get_public (my_private_key, &my_public_key);
GNUNET_CRYPTO_hash (&my_public_key, sizeof (my_public_key),
&my_identity.hashPubKey);
Modified: gnunet/src/util/crypto_aes.c
===================================================================
--- gnunet/src/util/crypto_aes.c 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/src/util/crypto_aes.c 2013-02-05 20:49:21 UTC (rev 26035)
@@ -42,33 +42,10 @@
{
gcry_randomize (&key->key[0], GNUNET_CRYPTO_AES_KEY_LENGTH,
GCRY_STRONG_RANDOM);
- key->crc32 =
- htonl (GNUNET_CRYPTO_crc32_n (key, GNUNET_CRYPTO_AES_KEY_LENGTH));
}
/**
- * Check that a new session key is well-formed.
- *
- * @return GNUNET_OK if the key is valid
- */
-int
-GNUNET_CRYPTO_aes_check_session_key (const struct GNUNET_CRYPTO_AesSessionKey
- *key)
-{
- uint32_t crc;
-
- crc = GNUNET_CRYPTO_crc32_n (key, GNUNET_CRYPTO_AES_KEY_LENGTH);
- if (ntohl (key->crc32) != crc)
- {
- GNUNET_break_op (0);
- return GNUNET_SYSERR;
- }
- return GNUNET_OK;
-}
-
-
-/**
* Initialize AES cipher.
*
* @param handle handle to initialize
@@ -85,12 +62,6 @@
{
int rc;
- if (GNUNET_OK !=
- GNUNET_CRYPTO_aes_check_session_key (sessionkey))
- {
- GNUNET_break (0);
- return GNUNET_SYSERR;
- }
GNUNET_assert (0 ==
gcry_cipher_open (handle, GCRY_CIPHER_AES256,
GCRY_CIPHER_MODE_CFB, 0));
Modified: gnunet/src/util/crypto_hash.c
===================================================================
--- gnunet/src/util/crypto_hash.c 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/src/util/crypto_hash.c 2013-02-05 20:49:21 UTC (rev 26035)
@@ -419,8 +419,6 @@
GNUNET_CRYPTO_AES_KEY_LENGTH +
sizeof (struct GNUNET_CRYPTO_AesInitializationVector));
memcpy (skey, hc, GNUNET_CRYPTO_AES_KEY_LENGTH);
- skey->crc32 =
- htonl (GNUNET_CRYPTO_crc32_n (skey, GNUNET_CRYPTO_AES_KEY_LENGTH));
memcpy (iv, &((char *) hc)[GNUNET_CRYPTO_AES_KEY_LENGTH],
sizeof (struct GNUNET_CRYPTO_AesInitializationVector));
}
Modified: gnunet/src/util/gnunet-ecc.c
===================================================================
--- gnunet/src/util/gnunet-ecc.c 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/src/util/gnunet-ecc.c 2013-02-05 20:49:21 UTC (rev 26035)
@@ -65,38 +65,12 @@
/**
- * Create a new private key. Caller must free return value.
- *
- * @return fresh private key
- */
-static struct GNUNET_CRYPTO_EccPrivateKey *
-ecc_key_create ()
-{
- struct GNUNET_CRYPTO_EccPrivateKey *ret;
- gcry_sexp_t s_key;
- gcry_sexp_t s_keyparam;
-
- GNUNET_assert (0 ==
- gcry_sexp_build (&s_keyparam, NULL,
- "(genkey(ecc(nbits %d)(ecc-use-e 3:257)))",
- 2048));
- GNUNET_assert (0 == gcry_pk_genkey (&s_key, s_keyparam));
- gcry_sexp_release (s_keyparam);
-#if EXTRA_CHECKS
- GNUNET_assert (0 == gcry_pk_testkey (s_key));
-#endif
- ret = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccPrivateKey));
- ret->sexp = s_key;
- return ret;
-}
-
-
-/**
* Create a flat file with a large number of key pairs for testing.
*/
static void
create_keys (const char *fn)
{
+ static char pad[GNUNET_TESTING_HOSTKEYFILESIZE];
FILE *f;
struct GNUNET_CRYPTO_EccPrivateKey *pk;
struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded *enc;
@@ -116,28 +90,34 @@
{
fprintf (stderr,
".");
- if (NULL == (pk = ecc_key_create ()))
+ if (NULL == (pk = GNUNET_CRYPTO_ecc_key_create ()))
{
GNUNET_break (0);
break;
}
enc = GNUNET_CRYPTO_ecc_encode_key (pk);
- if (htons (enc->size) != fwrite (enc, 1, htons (enc->size), f))
- {
- fprintf (stderr,
- _("\nFailed to write to `%s': %s\n"),
- fn,
- STRERROR (errno));
- GNUNET_CRYPTO_ecc_key_free (pk);
- GNUNET_free (enc);
- break;
- }
+ GNUNET_assert (ntohs (enc->size) <= GNUNET_TESTING_HOSTKEYFILESIZE);
+ if ( (ntohs (enc->size) != fwrite (enc, 1, ntohs (enc->size), f)) ||
+ (GNUNET_TESTING_HOSTKEYFILESIZE - ntohs (enc->size)
+ != fwrite (pad, 1, GNUNET_TESTING_HOSTKEYFILESIZE - ntohs
(enc->size), f)) )
+ {
+ fprintf (stderr,
+ _("\nFailed to write to `%s': %s\n"),
+ fn,
+ STRERROR (errno));
+ GNUNET_CRYPTO_ecc_key_free (pk);
+ GNUNET_free (enc);
+ break;
+ }
GNUNET_CRYPTO_ecc_key_free (pk);
GNUNET_free (enc);
}
- if (0 == make_keys)
+ if (UINT_MAX == make_keys)
fprintf (stderr,
- _("Finished!\n"));
+ _("\nFinished!\n"));
+ else
+ fprintf (stderr,
+ _("\nError, %u keys not generated\n"), make_keys);
fclose (f);
}
Modified: gnunet/src/util/gnunet-rsa.c
===================================================================
--- gnunet/src/util/gnunet-rsa.c 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/src/util/gnunet-rsa.c 2013-02-05 20:49:21 UTC (rev 26035)
@@ -25,7 +25,6 @@
*/
#include "platform.h"
#include "gnunet_util_lib.h"
-#include "gnunet_testing_lib.h"
#include <gcrypt.h>
@@ -49,109 +48,8 @@
*/
static int weak_random;
-/**
- * Option set to create a bunch of keys at once.
- */
-static unsigned int make_keys;
/**
- * The private information of an RSA key pair.
- * NOTE: this must match the definition in crypto_ksk.c and crypto_rsa.c!
- */
-struct GNUNET_CRYPTO_RsaPrivateKey
-{
- gcry_sexp_t sexp;
-};
-
-
-/**
- * Create a new private key. Caller must free return value.
- *
- * @return fresh private key
- */
-static struct GNUNET_CRYPTO_RsaPrivateKey *
-rsa_key_create ()
-{
- struct GNUNET_CRYPTO_RsaPrivateKey *ret;
- gcry_sexp_t s_key;
- gcry_sexp_t s_keyparam;
-
- GNUNET_assert (0 ==
- gcry_sexp_build (&s_keyparam, NULL,
- "(genkey(rsa(nbits %d)(rsa-use-e 3:257)))",
- 2048));
- GNUNET_assert (0 == gcry_pk_genkey (&s_key, s_keyparam));
- gcry_sexp_release (s_keyparam);
-#if EXTRA_CHECKS
- GNUNET_assert (0 == gcry_pk_testkey (s_key));
-#endif
- ret = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_RsaPrivateKey));
- ret->sexp = s_key;
- return ret;
-}
-
-
-/**
- * Create a flat file with a large number of key pairs for testing.
- */
-static void
-create_keys (const char *fn)
-{
- FILE *f;
- struct GNUNET_CRYPTO_RsaPrivateKey *pk;
- struct GNUNET_CRYPTO_RsaPrivateKeyBinaryEncoded *enc;
-
- if (NULL == (f = fopen (fn, "w+")))
- {
- fprintf (stderr,
- _("Failed to open `%s': %s\n"),
- fn,
- STRERROR (errno));
- return;
- }
- fprintf (stderr,
- _("Generating %u keys, please wait"),
- make_keys);
- while (0 < make_keys--)
- {
- fprintf (stderr,
- ".");
- if (NULL == (pk = rsa_key_create ()))
- {
- GNUNET_break (0);
- break;
- }
- enc = GNUNET_CRYPTO_rsa_encode_key (pk);
- if (GNUNET_TESTING_HOSTKEYFILESIZE != htons (enc->len))
- {
- /* sometimes we get a different key length because 'd' or 'u' start
- with leading bits; skip those... */
- GNUNET_CRYPTO_rsa_key_free (pk);
- GNUNET_free (enc);
- make_keys++;
- continue;
- }
- if (htons (enc->len) != fwrite (enc, 1, htons (enc->len), f))
- {
- fprintf (stderr,
- _("\nFailed to write to `%s': %s\n"),
- fn,
- STRERROR (errno));
- GNUNET_CRYPTO_rsa_key_free (pk);
- GNUNET_free (enc);
- break;
- }
- GNUNET_CRYPTO_rsa_key_free (pk);
- GNUNET_free (enc);
- }
- if (0 == make_keys)
- fprintf (stderr,
- _("Finished!\n"));
- fclose (f);
-}
-
-
-/**
* Main function that will be run by the scheduler.
*
* @param cls closure
@@ -174,11 +72,6 @@
}
if (0 != weak_random)
GNUNET_CRYPTO_random_disable_entropy_gathering ();
- if (make_keys > 0)
- {
- create_keys (args[0]);
- return;
- }
pk = GNUNET_CRYPTO_rsa_key_create_from_file (args[0]);
if (NULL == pk)
return;
@@ -225,9 +118,6 @@
main (int argc, char *const*argv)
{
static const struct GNUNET_GETOPT_CommandLineOption options[] = {
- { 'g', "generate-keys", "COUNT",
- gettext_noop ("create COUNT public-private key pairs (for testing)"),
- 1, &GNUNET_GETOPT_set_uint, &make_keys },
{ 'p', "print-public-key", NULL,
gettext_noop ("print the public key in ASCII format"),
0, &GNUNET_GETOPT_set_one, &print_public_key },
Modified: gnunet/src/util/test_crypto_aes.c
===================================================================
--- gnunet/src/util/test_crypto_aes.c 2013-02-05 20:48:40 UTC (rev 26034)
+++ gnunet/src/util/test_crypto_aes.c 2013-02-05 20:49:21 UTC (rev 26035)
@@ -95,18 +95,7 @@
ret = 0;
memcpy (key.key, raw_key, GNUNET_CRYPTO_AES_KEY_LENGTH);
- key.crc32 =
- htonl (GNUNET_CRYPTO_crc32_n (&key, GNUNET_CRYPTO_AES_KEY_LENGTH));
- if (ntohl (key.crc32) != (unsigned int) 38125195LL)
- {
- printf ("Static key has different CRC: %u - %u\n", ntohl (key.crc32),
- key.crc32);
-
- ret = 1;
- goto error;
- }
-
if (GNUNET_CRYPTO_AES_KEY_LENGTH !=
GNUNET_CRYPTO_aes_encrypt (plain, GNUNET_CRYPTO_AES_KEY_LENGTH, &key,
(const struct
Modified: gnunet/src/util/test_crypto_aes_weak.c
===================================================================
--- gnunet/src/util/test_crypto_aes_weak.c 2013-02-05 20:48:40 UTC (rev
26034)
+++ gnunet/src/util/test_crypto_aes_weak.c 2013-02-05 20:49:21 UTC (rev
26035)
@@ -91,9 +91,6 @@
weak_key.key[30] = (char) (0xaa);
weak_key.key[31] = (char) (0xaa);
/* memset(&weak_key, 0, 32); */
- weak_key.crc32 =
- htonl (GNUNET_CRYPTO_crc32_n (&weak_key, GNUNET_CRYPTO_AES_KEY_LENGTH));
-
size =
GNUNET_CRYPTO_aes_encrypt (WEAK_KEY_TESTSTRING,
strlen (WEAK_KEY_TESTSTRING) + 1, &weak_key,
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [GNUnet-SVN] r26035 - in gnunet: . src/core src/hello src/include src/peerinfo-tool src/testing src/transport src/util,
gnunet <=