@section Plain packet
Plain packet contains either the whole file, or file request (freq), or
-transition packet or email message. It is called "plain", because it
+transition packet or exec message. It is called "plain", because it
contains plaintext, but plain packets would never be stored on your hard
drive.
@verbatim
HEADER
-+-------------------------------+--...---+
-| MAGIC | TYPE | PATHLEN | PATH | PAYLOAD|
-+-------------------------------+--...---+
++--------------------------------------+--...---+
+| MAGIC | TYPE | NICE | PATHLEN | PATH | PAYLOAD|
++--------------------------------------+--...---+
@end verbatim
@multitable @columnfractions 0.2 0.3 0.5
@headitem @tab XDR type @tab Value
@item Magic number @tab
8-byte, fixed length opaque data @tab
- @verb{|N N C P P 0x00 0x00 0x01|}
+ @verb{|N N C P P 0x00 0x00 0x03|}
@item Payload type @tab
unsigned integer @tab
- 0 (file), 1 (freq), 2 (mail), 3 (transition)
+ 0 (file), 1 (freq), 2 (exec), 3 (transition)
+@item Niceness @tab
+ unsigned integer @tab
+ 1-255, preferred packet @ref{Niceness, niceness} level
@item Path length @tab
unsigned integer @tab
actual length of @emph{path} field's payload
@itemize
@item UTF-8 encoded destination path for file transfer
@item UTF-8 encoded source path for file request
- @item UTF-8 encoded, space separated, email recipients list
+ @item UTF-8 encoded, zero byte separated, exec's arguments
@item Node's id the transition packet must be relayed on
@end itemize
@end multitable
@itemize
@item File contents
@item Destination path for freq
-@item @url{http://zlib.net/, zlib} compressed email
+@item @url{https://facebook.github.io/zstd/, Zstandard} compressed exec body
@item Whole encrypted packet we need to relay on
@end itemize
+Also depending on packet's type, niceness level means:
+
+@itemize
+@item Preferable niceness level for files sent by freq
+@item @env{NNCP_NICE} variable's value passed during @ref{CfgExec} invocation.
+@end itemize
+
@node Encrypted
@section Encrypted packet
Each encrypted packet has the following header:
@verbatim
- +------------ HEADER --------------------+ +-------- ENCRYPTED --------+
- / \ / \
-+--------------------------------------------+------------+----...-----------+------+
-| MAGIC | NICE | SENDER | RCPT | EPUB | SIGN | SIZE | MAC | CIPHERTEXT | MAC | JUNK |
-+-------------------------------------/------\------------+----...-----------+------+
+ +------------ HEADER --------------------+ +------------- ENCRYPTED -------------+
+ / \ / \
++--------------------------------------------+------+---------+----------...---+------+
+| MAGIC | NICE | SENDER | RCPT | EPUB | SIGN | SIZE | BLOCK 0 | BLOCK 1 ... | JUNK |
++-------------------------------------/------\------+---------+----------...---+------+
/ \
+-------------------------------------+
| MAGIC | NICE | SENDER | RCPT | EPUB |
@headitem @tab XDR type @tab Value
@item Magic number @tab
8-byte, fixed length opaque data @tab
- @verb{|N N C P E 0x00 0x00 0x03|}
+ @verb{|N N C P E 0x00 0x00 0x04|}
@item Niceness @tab
unsigned integer @tab
1-255, packet @ref{Niceness, niceness} level
Signature is calculated over all previous fields.
-All following encryption is done using @url{https://cr.yp.to/chacha.html,
-ChaCha20} algorithm. Data is splitted on 128 KiB blocks. Each block is
-encrypted with increasing nonce counter. @url{https://blake2.net/,
-BLAKE2b-256} MAC is appended to the ciphertext.
+All following encryption is done in AEAD mode using
+@url{https://cr.yp.to/chacha.html, ChaCha20}-@url{https://en.wikipedia.org/wiki/Poly1305, Poly1305}
+algorithms. Data is splitted on 128 KiB blocks. Each block is encrypted with
+increasing nonce counter.
-After the headers comes an encrypted payload size and MAC of that size.
+Authenticated and encrypted size come after the header:
@multitable @columnfractions 0.2 0.3 0.5
@headitem @tab XDR type @tab Value
Payload size.
@end multitable
-Next comes the actual encrypted payload with corresponding MAC.
+Then comes the actual payload.
Each node has static @strong{exchange} and @strong{signature} keypairs.
When node A want to send encrypted packet to node B, it:
@item derive the keys:
@enumerate
@item initialize @url{https://blake2.net/, BLAKE2Xb} XOF with
- derived ephemeral key and 224-byte output length
- @item feed @verb{|N N C P E 0x00 0x00 0x03|} magic number to XOF
- @item read 32-bytes of "size" encryption key (for ChaCha20)
- @item read 64-bytes of "size" authentication key (for BLAKE2b-MAC)
- @item read 32-bytes of payload encryption key
- @item read 64-bytes of payload authentication key
- @item optionally read 32-bytes pad generation key (for ChaCha20)
+ derived ephemeral key and 96-byte output length
+ @item feed @verb{|N N C P E 0x00 0x00 0x04|} magic number to XOF
+ @item read 32-bytes of "size" AEAD encryption key
+ @item read 32-bytes of payload AEAD encryption key
+ @item optionally read 32-bytes pad generation key
@end enumerate
-@item encrypts size, appends its ciphertext to the header
-@item appends MAC tag over that ciphertext
-@item encrypts and appends payload ciphertext
-@item appends MAC tag over that payload ciphertext
+@item encrypts size, appends its authenticated ciphertext to the header
+@item encrypts payload, appends its authenticated ciphertext
@item possibly appends any kind of "junk" noise data to hide real
- payload's size from the adversary
+ payload's size from the adversary (generated using XOF with
+ unlimited output length)
@end enumerate