1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
The TCP client and TCP server part are in a state that can be considered
feature complete. Why doesn't Tox support TCP yet even if those parts are
complete?
The answer is that a way to ensure a smooth switchover between the TCP and UDP
needs to be added. If Tox first connects to the other user using TCP but then,
due to pure chance, manages to connect using the faster direct UDP connection,
Tox must switch seamlessly from the TCP to the UDP connection without there
being any data loss or the other user going offline and then back online. The
transition must be seamless whatever both connected users are doing - be it
transferring files or simply chatting together.
Possible evil/bad or simply TCP relays going offline must not impact the
connection between both clients.
Typically, Tox will use more than one TCP relay to connect to other peers for
maximum connection stability, which means there must be a way for Tox to take
advantage of multiple relays in a way that the user will never be aware of, if one
of them goes offline/tries to slow down the connection/decides to corrupt
packets/etc.
To accomplish this, Tox needs something between the low level protocol (TCP) and
high level Tox messaging protocol; hence the name middle level.
The plan is to move some functionality from lossless_UDP to a higher level:
more specifically, the functionality for detecting which packets a peer is
missing, and the ability to request and send them again. Lossless UDP uses plain
text packets to request missing packets from the other peer, while Tox is
currently designed to kill the connection if any packet tampering is detected.
This works very well when connecting directly with someone because if the
attacker can modify packets, it means he can kill your connection anyway. With
TCP relays, however, that is not the case. As such the packets used to request
missing packets must be encrypted. If it is detected that a packet has been
tampered, the connection must stay intact while the evil relay must be
disconnected from and replaced with a good relay; the behavior must be the same
as if the relay had just suddenly gone offline. Of course, something to protect
from evil "friends" framing relays must also be implemented.
Detailed implementation details:
cookie request packet:
[uint8_t 24][Sender's DHT Public key (32 bytes)][Random nonce (24
bytes)][Encrypted message containing: [Sender's real public key (32
bytes)][padding (32 bytes)][uint64_t number (must be sent
back untouched in cookie response)]]
Encrypted message is encrypted with sender's DHT private key, receiver's DHT
public key and the nonce.
cookie response packet:
[uint8_t 25][Random nonce (24 bytes)][Encrypted message containing:
[Cookie][uint64_t number (that was sent in the request)]]
Encrypted message is encrypted with sender's DHT private key, receiver's DHT
public key and the nonce.
The Cookie should be basically:
[nonce][encrypted data:[uint64_t time][Sender's real public key (32
bytes)][Sender's DHT public key (32 bytes)]]
Handshake packet:
[uint8_t 26][Cookie][nonce][Encrypted message containing: [random 24 bytes base
nonce][session public key of the peer (32 bytes)][sha512 hash of the entire
Cookie sitting outside the encrypted part][Other Cookie (used by the other to
respond to the handshake packet)]]
The handshake packet is encrypted using the real private key of the sender, the
real public key of the receiver and the nonce.
Alice wants to connect to Bob:
Alice sends a cookie request packet to Bob and gets a cookie response back.
Alice then generates a nonce and a temporary public/private keypair.
Alice then takes that nonce and just generated private key, the obtained
cookie, creates a new cookie and puts them in a handshake packet, which she
sends to Bob.
Bob gets the handshake packet, accepts the connection request, then generates a
nonce and a temporary public/private keypair and sends a handshake packet back
with this just generated information and with the cookie field being the Other
Cookie contained in the received handshake.
Both then use these temporary keys to generate the session key, with which every
data packet sent and received will be encrypted and decrypted. The nonce sent
in the handshake will be used to encrypt the first data packet sent, the nonce
+ 1 for the second, the nonce + 2 for the third, and so on.
Data packets:
[uint8_t 27][uint16_t (in network byte order) the last 2 bytes of the nonce
used to encrypt this][encrypted with the session key and a nonce:[plain data]]
Plain data in the data packets:
[uint32_t our recvbuffers buffer_start, (highest packet number handled +
1)][uint32_t packet number if lossless, our sendbuffer buffer_end if
lossy][data]
data ids:
0: padding (skipped until we hit a non zero (data id) byte)
1: packet request packet (lossy packet)
2: connection kill packet (lossy packet) (tells the other that the connection is over)
...
16+: reserved for Messenger usage (lossless packets).
192+: reserved for Messenger usage (lossy packets).
255: reserved for Messenger usage (lossless packet)
packet request packet: [uint8_t (1)][uint8_t num][uint8_t num][uint8_t
num]...[uint8_t num]
The list of nums are a list of packet numbers the other is requesting.
In order to get the real packet numbers from this list, take the recvbuffers buffer_start
from the packet, subtract 1 from it and put it in packet_num, then start from the
beginning of the num list: if num is zero, add 255 to packet_num, then do the
next num. If num isn't zero, add its value to packet_num, note that the other
has requested we send this packet again to them, then continue to the next num in
the list.
|