@verb{|N N C P P 0x00 0x00 0x03|}
@item Payload type @tab
unsigned integer @tab
- 0 (file), 1 (freq), 2 (exec), 3 (transition)
+ 0 (file), 1 (freq), 2 (exec), 3 (transition), 4 (exec-fat)
@item Niceness @tab
unsigned integer @tab
1-255, preferred packet @ref{Niceness, niceness} level
Path has fixed size because of hiding its actual length -- it is
valuable metadata. Payload is appended to the header -- it is not stored
-as XDR field, because most XDR libraries will store all that data in the
-memory.
+as XDR field, because XDR has no ability to pass more than 4 GiB of
+opaque data. Moreover most XDR libraries store fields in the memory in
+practice.
Depending on the packet's type, payload could store:
@item Destination path for freq
@item @url{https://facebook.github.io/zstd/, Zstandard} compressed exec body
@item Whole encrypted packet we need to relay on
+@item Uncompressed exec body
@end itemize
Also depending on packet's type, niceness level means:
@headitem @tab XDR type @tab Value
@item Magic number @tab
8-byte, fixed length opaque data @tab
- @verb{|N N C P E 0x00 0x00 0x04|}
+ @verb{|N N C P E 0x00 0x00 0x05|}
@item Niceness @tab
unsigned integer @tab
1-255, packet @ref{Niceness, niceness} level
Ephemeral curve25519 public key
@item Signature @tab
64-byte, fixed length opaque data @tab
- ed25519 signature for that packet's header
+ ed25519 signature for that packet's header over all previous fields.
@end multitable
-Signature is calculated over all previous fields.
-
All following encryption is done in AEAD mode using
@url{https://cr.yp.to/chacha.html, ChaCha20}-@url{https://en.wikipedia.org/wiki/Poly1305, Poly1305}
-algorithms. Data is splitted on 128 KiB blocks. Each block is encrypted with
-increasing nonce counter.
-
-Authenticated and encrypted size come after the header:
-
-@multitable @columnfractions 0.2 0.3 0.5
-@headitem @tab XDR type @tab Value
-@item Size @tab
- unsigned hyper integer @tab
- Payload size.
-@end multitable
+algorithms. Authenticated data is BLAKE3-256 hash of the unsigned
+portion of the header (the same data used in the signature). Size is
+XDR-encoded unsigned hyper integer, carrying the payload size, encrypted
+as a single AEAD-block (with the tag) independently from the following
+blocks. It is encoded with the zero nonce.
-Then comes the actual payload.
+Payload with possible padding is divided on 128 KiB blocks blocks. They
+are encrypted with the same authenticated data and increasing big-endian
+64-bit nonce, starting at 1.
Each node has static @strong{exchange} and @strong{signature} keypairs.
When node A want to send encrypted packet to node B, it:
@item takes remote node's exchange public key and performs
Diffie-Hellman computation on this remote static public key and
private ephemeral one
-@item derive the keys:
- @enumerate
- @item initialize @url{https://blake2.net/, BLAKE2Xb} XOF with
- derived ephemeral key and 96-byte output length
- @item feed @verb{|N N C P E 0x00 0x00 0x04|} magic number to XOF
- @item read 32-bytes of "size" AEAD encryption key
- @item read 32-bytes of payload AEAD encryption key
- @item optionally read 32-bytes pad generation key
- @end enumerate
+@item derives 32-bytes AEAD encryption key with BLAKE3 derivation
+ function. Source key is the derived ephemeral key. Context is
+ @verb{|N N C P E 0x00 0x00 0x05|} magic number
+@item calculates authenticated data: it is BLAKE3-256 hash of the
+ unsigned header (same used for signing)
@item encrypts size, appends its authenticated ciphertext to the header
-@item encrypts payload, appends its authenticated ciphertext
+ (with authenticated data, nonce=0)
+@item encrypts each payload block, appending its authenticated ciphertext
+ (with authenticated data, nonce starting at 1, increasing with each block)
@item possibly appends any kind of "junk" noise data to hide real
- payload's size from the adversary (generated using XOF with
- unlimited output length)
+ payload's size from the adversary (generated using BLAKE3 XOF, with
+ the key derived from the ephemeral one and context string of
+ @verb{|N N C P E 0x00 0x00 0x05 <SP> P A D|})
@end enumerate