forked from Green-Sky/tomato
121 lines
5.6 KiB
Plaintext
121 lines
5.6 KiB
Plaintext
|
The TCP client and TCP server part are in a state that can be considered
|
||
|
feature complete. Why doesn't Tox support TCP yet even if those parts are
|
||
|
complete?
|
||
|
|
||
|
The answer is that a way to ensure a smooth switchover between the TCP and UDP
|
||
|
needs to be added. If Tox first connects to the other user using TCP but then,
|
||
|
due to pure chance, manages to connect using the faster direct UDP connection,
|
||
|
Tox must switch seamlessly from the TCP to the UDP connection without there
|
||
|
being any data loss or the other user going offline and then back online. The
|
||
|
transition must be seamless whatever both connected users are doing - be it
|
||
|
transferring files or simply chatting together.
|
||
|
|
||
|
Possible evil/bad or simply TCP relays going offline must not impact the
|
||
|
connection between both clients.
|
||
|
|
||
|
Typically, Tox will use more than one TCP relay to connect to other peers for
|
||
|
maximum connection stability, which means there must be a way for Tox to take
|
||
|
advantage of multiple relays in a way that the user will never be aware of, if one
|
||
|
of them goes offline/tries to slow down the connection/decides to corrupt
|
||
|
packets/etc.
|
||
|
|
||
|
To accomplish this, Tox needs something between the low level protocol (TCP) and
|
||
|
high level Tox messaging protocol; hence the name middle level.
|
||
|
|
||
|
The plan is to move some functionality from lossless_UDP to a higher level:
|
||
|
more specifically, the functionality for detecting which packets a peer is
|
||
|
missing, and the ability to request and send them again. Lossless UDP uses plain
|
||
|
text packets to request missing packets from the other peer, while Tox is
|
||
|
currently designed to kill the connection if any packet tampering is detected.
|
||
|
This works very well when connecting directly with someone because if the
|
||
|
attacker can modify packets, it means he can kill your connection anyway. With
|
||
|
TCP relays, however, that is not the case. As such the packets used to request
|
||
|
missing packets must be encrypted. If it is detected that a packet has been
|
||
|
tampered, the connection must stay intact while the evil relay must be
|
||
|
disconnected from and replaced with a good relay; the behavior must be the same
|
||
|
as if the relay had just suddenly gone offline. Of course, something to protect
|
||
|
from evil "friends" framing relays must also be implemented.
|
||
|
|
||
|
Detailed implementation details:
|
||
|
|
||
|
cookie request packet:
|
||
|
[uint8_t 24][Sender's DHT Public key (32 bytes)][Random nonce (24
|
||
|
bytes)][Encrypted message containing: [Sender's real public key (32
|
||
|
bytes)][padding (32 bytes)][uint64_t number (must be sent
|
||
|
back untouched in cookie response)]]
|
||
|
Encrypted message is encrypted with sender's DHT private key, receiver's DHT
|
||
|
public key and the nonce.
|
||
|
|
||
|
cookie response packet:
|
||
|
[uint8_t 25][Random nonce (24 bytes)][Encrypted message containing:
|
||
|
[Cookie][uint64_t number (that was sent in the request)]]
|
||
|
Encrypted message is encrypted with sender's DHT private key, receiver's DHT
|
||
|
public key and the nonce.
|
||
|
|
||
|
The Cookie should be basically:
|
||
|
[nonce][encrypted data:[uint64_t time][Sender's real public key (32
|
||
|
bytes)][Sender's DHT public key (32 bytes)]]
|
||
|
|
||
|
Handshake packet:
|
||
|
[uint8_t 26][Cookie][nonce][Encrypted message containing: [random 24 bytes base
|
||
|
nonce][session public key of the peer (32 bytes)][sha512 hash of the entire
|
||
|
Cookie sitting outside the encrypted part][Other Cookie (used by the other to
|
||
|
respond to the handshake packet)]]
|
||
|
|
||
|
The handshake packet is encrypted using the real private key of the sender, the
|
||
|
real public key of the receiver and the nonce.
|
||
|
|
||
|
|
||
|
Alice wants to connect to Bob:
|
||
|
|
||
|
Alice sends a cookie request packet to Bob and gets a cookie response back.
|
||
|
|
||
|
Alice then generates a nonce and a temporary public/private keypair.
|
||
|
|
||
|
Alice then takes that nonce and just generated private key, the obtained
|
||
|
cookie, creates a new cookie and puts them in a handshake packet, which she
|
||
|
sends to Bob.
|
||
|
|
||
|
Bob gets the handshake packet, accepts the connection request, then generates a
|
||
|
nonce and a temporary public/private keypair and sends a handshake packet back
|
||
|
with this just generated information and with the cookie field being the Other
|
||
|
Cookie contained in the received handshake.
|
||
|
|
||
|
Both then use these temporary keys to generate the session key, with which every
|
||
|
data packet sent and received will be encrypted and decrypted. The nonce sent
|
||
|
in the handshake will be used to encrypt the first data packet sent, the nonce
|
||
|
+ 1 for the second, the nonce + 2 for the third, and so on.
|
||
|
|
||
|
Data packets:
|
||
|
|
||
|
[uint8_t 27][uint16_t (in network byte order) the last 2 bytes of the nonce
|
||
|
used to encrypt this][encrypted with the session key and a nonce:[plain data]]
|
||
|
|
||
|
Plain data in the data packets:
|
||
|
|
||
|
[uint32_t our recvbuffers buffer_start, (highest packet number handled +
|
||
|
1)][uint32_t packet number if lossless, our sendbuffer buffer_end if
|
||
|
lossy][data]
|
||
|
|
||
|
data ids:
|
||
|
0: padding (skipped until we hit a non zero (data id) byte)
|
||
|
1: packet request packet (lossy packet)
|
||
|
2: connection kill packet (lossy packet) (tells the other that the connection is over)
|
||
|
...
|
||
|
16+: reserved for Messenger usage (lossless packets).
|
||
|
192+: reserved for Messenger usage (lossy packets).
|
||
|
255: reserved for Messenger usage (lossless packet)
|
||
|
|
||
|
packet request packet: [uint8_t (1)][uint8_t num][uint8_t num][uint8_t
|
||
|
num]...[uint8_t num]
|
||
|
|
||
|
The list of nums are a list of packet numbers the other is requesting.
|
||
|
In order to get the real packet numbers from this list, take the recvbuffers buffer_start
|
||
|
from the packet, subtract 1 from it and put it in packet_num, then start from the
|
||
|
beginning of the num list: if num is zero, add 255 to packet_num, then do the
|
||
|
next num. If num isn't zero, add its value to packet_num, note that the other
|
||
|
has requested we send this packet again to them, then continue to the next num in
|
||
|
the list.
|
||
|
|
||
|
|