tomato/docs/Tox_middle_level_network_protocol.txt

The TCP client and TCP server part are in a state that can be considered 
feature complete. Why doesn't Tox support TCP yet even if those parts are 
complete?

The answer is that a way to ensure a smooth switchover between the TCP and UDP 
needs to be added. If Tox first connects to the other user using TCP but then, 
due to pure chance, manages to connect using the faster direct UDP connection, 
Tox must switch seamlessly from the TCP to the UDP connection without there 
being any data loss or the other user going offline and then back online. The 
transition must be seamless whatever both connected users are doing - be it 
transferring files or simply chatting together.

Possible evil/bad or simply TCP relays going offline must not impact the 
connection between both clients.

Typically, Tox will use more than one TCP relay to connect to other peers for 
maximum connection stability, which means there must be a way for Tox to take 
advantage of multiple relays in a way that the user will never be aware of, if one
of them goes offline/tries to slow down the connection/decides to corrupt 
packets/etc.

To accomplish this, Tox needs something between the low level protocol (TCP) and 
high level Tox messaging protocol; hence the name middle level.

The plan is to move some functionality from lossless_UDP to a higher level: 
more specifically, the functionality for detecting which packets a peer is 
missing, and the ability to request and send them again. Lossless UDP uses plain 
text packets to request missing packets from the other peer, while Tox is 
currently designed to kill the connection if any packet tampering is detected. 
This works very well when connecting directly with someone because if the 
attacker can modify packets, it means he can kill your connection anyway. With 
TCP relays, however, that is not the case. As such the packets used to request 
missing packets must be encrypted. If it is detected that a packet has been 
tampered, the connection must stay intact while the evil relay must be 
disconnected from and replaced with a good relay; the behavior must be the same 
as if the relay had just suddenly gone offline. Of course, something to protect 
from evil "friends" framing relays must also be implemented.

Detailed implementation details:

cookie request packet:
[uint8_t 24][Sender's DHT Public key (32 bytes)][Random nonce (24 
bytes)][Encrypted message containing: [Sender's real public key (32 
bytes)][padding (32 bytes)][uint64_t number (must be sent 
back untouched in cookie response)]]
Encrypted message is encrypted with sender's DHT private key, receiver's DHT
public key and the nonce.

cookie response packet:
[uint8_t 25][Random nonce (24 bytes)][Encrypted message containing: 
[Cookie][uint64_t number (that was sent in the request)]]
Encrypted message is encrypted with sender's DHT private key, receiver's DHT
public key and the nonce.

The Cookie should be basically:
[nonce][encrypted data:[uint64_t time][Sender's real public key (32 
bytes)][Sender's DHT public key (32 bytes)]]

Handshake packet:
[uint8_t 26][Cookie][nonce][Encrypted message containing: [random 24 bytes base 
nonce][session public key of the peer (32 bytes)][sha512 hash of the entire 
Cookie sitting outside the encrypted part][Other Cookie (used by the other to 
respond to the handshake packet)]]

The handshake packet is encrypted using the real private key of the sender, the 
real public key of the receiver and the nonce.


Alice wants to connect to Bob:

Alice sends a cookie request packet to Bob and gets a cookie response back.

Alice then generates a nonce and a temporary public/private keypair.

Alice then takes that nonce and just generated private key, the obtained 
cookie, creates a new cookie and puts them in a handshake packet, which she 
sends to Bob.

Bob gets the handshake packet, accepts the connection request, then generates a 
nonce and a temporary public/private keypair and sends a handshake packet back 
with this just generated information and with the cookie field being the Other 
Cookie contained in the received handshake.

Both then use these temporary keys to generate the session key, with which every 
data packet sent and received will be encrypted and decrypted. The nonce sent 
in the handshake will be used to encrypt the first data packet sent, the nonce 
+ 1 for the second, the nonce + 2 for the third, and so on.

Data packets:

[uint8_t 27][uint16_t (in network byte order) the last 2 bytes of the nonce 
used to encrypt this][encrypted with the session key and a nonce:[plain data]]

Plain data in the data packets:

[uint32_t our recvbuffers buffer_start, (highest packet number handled + 
1)][uint32_t packet number if lossless, our sendbuffer buffer_end if 
lossy][data]

data ids:
0: padding (skipped until we hit a non zero (data id) byte)
1: packet request packet (lossy packet)
2: connection kill packet (lossy packet) (tells the other that the connection is over)
...
16+: reserved for Messenger usage (lossless packets).
192+: reserved for Messenger usage (lossy packets).
255: reserved for Messenger usage (lossless packet)

packet request packet: [uint8_t (1)][uint8_t num][uint8_t num][uint8_t 
num]...[uint8_t num]

The list of nums are a list of packet numbers the other is requesting.
In order to get the real packet numbers from this list, take the recvbuffers buffer_start
from the packet, subtract 1 from it and put it in packet_num, then start from the
beginning of the num list: if num is zero, add 255 to packet_num, then do the
next num. If num isn't zero, add its value to packet_num, note that the other
has requested we send this packet again to them, then continue to the next num in
the list.