|
|
|
|
@ -1,4 +1,4 @@
|
|
|
|
|
Wire Protocol (version 0)
|
|
|
|
|
Wire Protocol (version ½)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|
|
|
|
@ -7,53 +7,79 @@ document are to be interpreted as described in RFC 2119 [RFC2119].
|
|
|
|
|
|
|
|
|
|
LLARP supports by default an authenticated and framed transport over UTP [1]
|
|
|
|
|
|
|
|
|
|
1088 byte fragments are sent over UTP in an ordered fashion.
|
|
|
|
|
Handshake:
|
|
|
|
|
|
|
|
|
|
The each fragment has the following structure:
|
|
|
|
|
Alice establishes a UTP "connection" with Bob.
|
|
|
|
|
|
|
|
|
|
[ 32 bytes blake2 keyed hash of the following 1056 bytes ]
|
|
|
|
|
[ 24 bytes random nonce ]
|
|
|
|
|
[ 1032 bytes encrypted payload ]
|
|
|
|
|
Alice sends a LIM a_L encrpyted with the initial b_K key
|
|
|
|
|
|
|
|
|
|
the decrypted payload has the following structure:
|
|
|
|
|
if Bob accepts Alice's router, Bob replies with a LIM b_L encrpyted via the
|
|
|
|
|
initial a_K key.
|
|
|
|
|
|
|
|
|
|
[ big endian unsigned 32 bit flags (F) ]
|
|
|
|
|
[ big endian unsigned 32 bit fragment length (N) ]
|
|
|
|
|
[ N bytes of plaintext payload ]
|
|
|
|
|
next the session keys are generated via:
|
|
|
|
|
|
|
|
|
|
if F is non zero then more fragments for the current message being transmitted
|
|
|
|
|
are expected. If F is zero then this fragment is the last in the sequence.
|
|
|
|
|
a_h = HS(a_K + a_L.n)
|
|
|
|
|
b_h = HS(b_K + b_L.n)
|
|
|
|
|
a_K = TKE(A.p, B_a.e, sk, a_h)
|
|
|
|
|
b_K = TKE(A.p, B_a.e, sk, b_h)
|
|
|
|
|
|
|
|
|
|
On each fragment append the N bytes of payload to an internal buffer.
|
|
|
|
|
This internal buffer MUST NOT exceed 8192 bytes, the maximum size of an inter
|
|
|
|
|
node message.
|
|
|
|
|
A.tx_K = b_K
|
|
|
|
|
A.rx_K = a_K
|
|
|
|
|
B.tx_K = a_K
|
|
|
|
|
B.rx_K = B_K
|
|
|
|
|
|
|
|
|
|
When the last fragment in the sequence is reached the internal buffer is
|
|
|
|
|
processed as a link layer message (see proto_v0.txt)
|
|
|
|
|
the initial value of a_K is HS(A.k) and b_K is HS(B.k)
|
|
|
|
|
|
|
|
|
|
Handshake phase:
|
|
|
|
|
1128 byte fragments are sent over UTP in an ordered fashion.
|
|
|
|
|
|
|
|
|
|
Before data flows a protocol handshake must happen.
|
|
|
|
|
The each fragment F has the following structure:
|
|
|
|
|
|
|
|
|
|
The first message sent is a LIM (L) (see proto_v0.txt) by the connection initiator, Alice.
|
|
|
|
|
[ 32 bytes blake2 keyed hash of the following 1096 bytes (h)]
|
|
|
|
|
[ 32 bytes random nonce (n)]
|
|
|
|
|
[ 1064 bytes encrypted payload (p)]
|
|
|
|
|
|
|
|
|
|
The receiving end MUST verify the signatures of the LIM and RC.
|
|
|
|
|
If any verification fails at any phase the underlying UTP session MUST be reset.
|
|
|
|
|
the recipiant verifies F.h == MDS(F.n + F.p, rx_K) and the UTP session
|
|
|
|
|
is reset if verification fails.
|
|
|
|
|
|
|
|
|
|
Each side re-computes the session key.
|
|
|
|
|
the decrypted payload P has the following structure:
|
|
|
|
|
|
|
|
|
|
the session key kdf for K is:
|
|
|
|
|
[ 24 bytes random (A) ]
|
|
|
|
|
[ big endian unsigned 32 bit message id (I) ]
|
|
|
|
|
[ big endian unsigned 16 bit fragment length (N) ]
|
|
|
|
|
[ big endian unsigned 16 bit fragment remaining bytes (R) ]
|
|
|
|
|
[ N bytes of plaintext payload (X) ]
|
|
|
|
|
[ trailing bytes discarded ]
|
|
|
|
|
|
|
|
|
|
t_h = HS(K + L.n)
|
|
|
|
|
K = TKE(A.p, B_a.e, sk, t_h)
|
|
|
|
|
link layer messages fragmented and delievered in any order the sender chooses.
|
|
|
|
|
|
|
|
|
|
the initial value of K is HS(B.k)
|
|
|
|
|
recipaint ensures a buffer for message number P.I exists, allocating one if it
|
|
|
|
|
does not exist.
|
|
|
|
|
|
|
|
|
|
recipiant appends P.X to the end of the buffer for message P.I
|
|
|
|
|
|
|
|
|
|
if P.R is zero then message number P.I is completed and processed as a link
|
|
|
|
|
layer messages. otherwise the recipiant expects P.R additional bytes.
|
|
|
|
|
P.R's value MUST decrease by P.N in the next fragment sent.
|
|
|
|
|
|
|
|
|
|
message size MUST NOT exceed 8192 bytes.
|
|
|
|
|
|
|
|
|
|
if a message is not received in 2 seconds it is discarded and any further
|
|
|
|
|
fragments for the message are also discarded.
|
|
|
|
|
|
|
|
|
|
P.I MUST have the initial value 0
|
|
|
|
|
P.I MUST be incremeneted by 1 for each new messsage transmitted
|
|
|
|
|
P.I MAY wrap around back to 0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
after every fragment F the session key K is mutated via:
|
|
|
|
|
|
|
|
|
|
K = HS(K + P.A)
|
|
|
|
|
|
|
|
|
|
Periodically the connection initiator MUST renegotiate the session key by
|
|
|
|
|
sending a LIM after L.p milliseconds have elapsed.
|
|
|
|
|
|
|
|
|
|
If either party's RC changes while a connection is established they MUST
|
|
|
|
|
renegotioate the session keys to ensure the new RC is sent.
|
|
|
|
|
If the local RC changes while a connection is established they MUST
|
|
|
|
|
renegotioate the session keys by sending a LIM to ensure the new RC is sent.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
references:
|
|
|
|
|
|
Jeff Becker
6 years ago