From 938477682cd6212a88a67c31f46e46c205c7d989 Mon Sep 17 00:00:00 2001
From: Sergey Matveev <stargrave@stargrave.org>
Date: Sat, 18 Nov 2017 23:07:12 +0300
Subject: [PATCH] Recipient in encrypted packet is needed for future changes

---
 VERSION                                       |  2 +-
 doc/news.ru.texi                              |  7 ++-
 doc/news.texi                                 |  3 ++
 doc/pkt.texi                                  | 27 ++++------
 src/cypherpunks.ru/nncp/cmd/nncp-pkt/main.go  |  6 +--
 src/cypherpunks.ru/nncp/cmd/nncp-xfer/main.go |  2 +-
 src/cypherpunks.ru/nncp/jobs.go               |  2 +-
 src/cypherpunks.ru/nncp/pkt.go                | 54 ++++++++++---------
 8 files changed, 55 insertions(+), 48 deletions(-)

diff --git a/VERSION b/VERSION
index f304084..d3827e7 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.13
+1.0
diff --git a/doc/news.ru.texi b/doc/news.ru.texi
index 5c5ee0d..6d83db8 100644
--- a/doc/news.ru.texi
+++ b/doc/news.ru.texi
@@ -1,10 +1,13 @@
 @node Новости
 @section Новости
 
-@node Релиз 0.13
-@subsection Релиз 0.13
+@node Релиз 1.0
+@subsection Релиз 1.0
 @itemize
 @item
+@strong{Несовместимое} изменение формата зашифрованных пакетов. Работа
+со старыми версиями не поддерживается.
+@item
 В команде @command{nncp-call} разрешается иметь только одного
 обработчика контрольной суммы в фоне. Это полезно когда тысячи маленьких
 входящих пакетов могут создать много горутин.
diff --git a/doc/news.texi b/doc/news.texi
index d673d80..e03a11c 100644
--- a/doc/news.texi
+++ b/doc/news.texi
@@ -7,6 +7,9 @@ See also this page @ref{Новости, on russian}.
 @section Release 0.13
 @itemize
 @item
+@strong{Incompatible} encrypted packet format changes. Older versions
+are not supported.
+@item
 Single background checksum verifier worker is allowed in
 @command{nncp-call}. This is helpful when thousands of small inbound
 packets could create many goroutines.
diff --git a/doc/pkt.texi b/doc/pkt.texi
index 4549505..c010399 100644
--- a/doc/pkt.texi
+++ b/doc/pkt.texi
@@ -70,13 +70,13 @@ Each encrypted packet has the following header:
 @verbatim
   +------------ HEADER -------------+   +-------- ENCRYPTED --------+
  /                                   \ /                             \
-+-------------------------------------+------------+----...-----------+------+
-| MAGIC | NICE | SENDER | EPUB | SIGN | SIZE | MAC | CIPHERTEXT | MAC | JUNK |
-+------------------------------/------\------------+----...-----------+------+
-                              /        \
-               +-------------------------------------+
-               | MAGIC | NICE | RCPT | SENDER | EPUB |
-               +-------------------------------------+
++--------------------------------------------+------------+----...-----------+------+
+| MAGIC | NICE | SENDER | RCPT | EPUB | SIGN | SIZE | MAC | CIPHERTEXT | MAC | JUNK |
++-------------------------------------/------\------------+----...-----------+------+
+                                     /        \
+                      +-------------------------------------+
+                      | MAGIC | NICE | SENDER | RCPT | EPUB |
+                      +-------------------------------------+
 @end verbatim
 
 @multitable @columnfractions 0.2 0.3 0.5
@@ -90,6 +90,9 @@ Each encrypted packet has the following header:
 @item Sender @tab
     32-byte, fixed length opaque data @tab
     Sender node's id
+@item Recipient @tab
+    32-byte, fixed length opaque data @tab
+    Recipient node's id
 @item Exchange public key @tab
     32-byte, fixed length opaque data @tab
     Ephemeral curve25519 public key
@@ -98,15 +101,7 @@ Each encrypted packet has the following header:
     ed25519 signature for that packet's header
 @end multitable
 
-Signature is calculated over the following structure:
-
-@itemize
-@item Magic number
-@item Niceness
-@item Recipient (32-byte recipient node's id)
-@item Sender
-@item Exchange public key
-@end itemize
+Signature is calculated over all previous fields.
 
 All following encryption is done using
 @url{https://www.schneier.com/academic/twofish/, Twofish} algorithm with
diff --git a/src/cypherpunks.ru/nncp/cmd/nncp-pkt/main.go b/src/cypherpunks.ru/nncp/cmd/nncp-pkt/main.go
index 93759b6..170b9e1 100644
--- a/src/cypherpunks.ru/nncp/cmd/nncp-pkt/main.go
+++ b/src/cypherpunks.ru/nncp/cmd/nncp-pkt/main.go
@@ -112,7 +112,7 @@ func main() {
 	}
 	var pktEnc nncp.PktEnc
 	_, err = xdr.Unmarshal(bytes.NewReader(beginning), &pktEnc)
-	if err == nil && pktEnc.Magic == nncp.MagicNNCPEv1 {
+	if err == nil && pktEnc.Magic == nncp.MagicNNCPEv2 {
 		if *dump {
 			cfgRaw, err := ioutil.ReadFile(nncp.CfgPathFromEnv(cfgPath))
 			if err != nil {
@@ -143,8 +143,8 @@ func main() {
 			return
 		}
 		fmt.Printf(
-			"Packet type: encrypted\nNiceness: %d\nSender: %s\n",
-			pktEnc.Nice, pktEnc.Sender,
+			"Packet type: encrypted\nNiceness: %d\nSender: %s\nRecipient: %s\n",
+			pktEnc.Nice, pktEnc.Sender, pktEnc.Recipient,
 		)
 		return
 	}
diff --git a/src/cypherpunks.ru/nncp/cmd/nncp-xfer/main.go b/src/cypherpunks.ru/nncp/cmd/nncp-xfer/main.go
index bcd7625..5abac1f 100644
--- a/src/cypherpunks.ru/nncp/cmd/nncp-xfer/main.go
+++ b/src/cypherpunks.ru/nncp/cmd/nncp-xfer/main.go
@@ -174,7 +174,7 @@ func main() {
 			}
 			var pktEnc nncp.PktEnc
 			_, err = xdr.Unmarshal(fd, &pktEnc)
-			if err != nil || pktEnc.Magic != nncp.MagicNNCPEv1 {
+			if err != nil || pktEnc.Magic != nncp.MagicNNCPEv2 {
 				ctx.LogD("nncp-xfer", sds, "is not a packet")
 				fd.Close()
 				continue
diff --git a/src/cypherpunks.ru/nncp/jobs.go b/src/cypherpunks.ru/nncp/jobs.go
index 1f3afd1..4a59db0 100644
--- a/src/cypherpunks.ru/nncp/jobs.go
+++ b/src/cypherpunks.ru/nncp/jobs.go
@@ -64,7 +64,7 @@ func (ctx *Ctx) Jobs(nodeId *NodeId, xx TRxTx) chan Job {
 				continue
 			}
 			var pktEnc PktEnc
-			if _, err = xdr.Unmarshal(fd, &pktEnc); err != nil || pktEnc.Magic != MagicNNCPEv1 {
+			if _, err = xdr.Unmarshal(fd, &pktEnc); err != nil || pktEnc.Magic != MagicNNCPEv2 {
 				fd.Close()
 				continue
 			}
diff --git a/src/cypherpunks.ru/nncp/pkt.go b/src/cypherpunks.ru/nncp/pkt.go
index b35f83e..fa46282 100644
--- a/src/cypherpunks.ru/nncp/pkt.go
+++ b/src/cypherpunks.ru/nncp/pkt.go
@@ -53,7 +53,7 @@ const (
 
 var (
 	MagicNNCPPv1 [8]byte = [8]byte{'N', 'N', 'C', 'P', 'P', 0, 0, 1}
-	MagicNNCPEv1 [8]byte = [8]byte{'N', 'N', 'C', 'P', 'E', 0, 0, 1}
+	MagicNNCPEv2 [8]byte = [8]byte{'N', 'N', 'C', 'P', 'E', 0, 0, 2}
 	BadMagic     error   = errors.New("Unknown magic number")
 	BadPktType   error   = errors.New("Unknown packet type")
 
@@ -71,17 +71,18 @@ type Pkt struct {
 type PktTbs struct {
 	Magic     [8]byte
 	Nice      uint8
-	Recipient *NodeId
 	Sender    *NodeId
+	Recipient *NodeId
 	ExchPub   *[32]byte
 }
 
 type PktEnc struct {
-	Magic   [8]byte
-	Nice    uint8
-	Sender  *NodeId
-	ExchPub *[32]byte
-	Sign    *[ed25519.SignatureSize]byte
+	Magic     [8]byte
+	Nice      uint8
+	Sender    *NodeId
+	Recipient *NodeId
+	ExchPub   *[32]byte
+	Sign      *[ed25519.SignatureSize]byte
 }
 
 func init() {
@@ -102,11 +103,12 @@ func init() {
 		panic(err)
 	}
 	pktEnc := PktEnc{
-		Magic:   MagicNNCPEv1,
-		Nice:    123,
-		Sender:  dummyId,
-		ExchPub: new([32]byte),
-		Sign:    new([ed25519.SignatureSize]byte),
+		Magic:     MagicNNCPEv2,
+		Nice:      123,
+		Sender:    dummyId,
+		Recipient: dummyId,
+		ExchPub:   new([32]byte),
+		Sign:      new([ed25519.SignatureSize]byte),
 	}
 	n, err = xdr.Marshal(&buf, pktEnc)
 	if err != nil {
@@ -157,10 +159,10 @@ func PktEncWrite(our *NodeOur, their *Node, pkt *Pkt, nice uint8, size, padSize
 		return err
 	}
 	tbs := PktTbs{
-		Magic:     MagicNNCPEv1,
+		Magic:     MagicNNCPEv2,
 		Nice:      nice,
-		Recipient: their.Id,
 		Sender:    our.Id,
+		Recipient: their.Id,
 		ExchPub:   pubEph,
 	}
 	var tbsBuf bytes.Buffer
@@ -170,18 +172,19 @@ func PktEncWrite(our *NodeOur, their *Node, pkt *Pkt, nice uint8, size, padSize
 	signature := new([ed25519.SignatureSize]byte)
 	copy(signature[:], ed25519.Sign(our.SignPrv, tbsBuf.Bytes()))
 	pktEnc := PktEnc{
-		Magic:   MagicNNCPEv1,
-		Nice:    nice,
-		Sender:  our.Id,
-		ExchPub: pubEph,
-		Sign:    signature,
+		Magic:     MagicNNCPEv2,
+		Nice:      nice,
+		Sender:    our.Id,
+		Recipient: their.Id,
+		ExchPub:   pubEph,
+		Sign:      signature,
 	}
 	if _, err = xdr.Marshal(out, &pktEnc); err != nil {
 		return err
 	}
 	sharedKey := new([32]byte)
 	curve25519.ScalarMult(sharedKey, prvEph, their.ExchPub)
-	kdf := hkdf.New(blake256, sharedKey[:], nil, MagicNNCPEv1[:])
+	kdf := hkdf.New(blake256, sharedKey[:], nil, MagicNNCPEv2[:])
 
 	keyEnc := make([]byte, 32)
 	if _, err = io.ReadFull(kdf, keyEnc); err != nil {
@@ -257,10 +260,10 @@ func PktEncWrite(our *NodeOur, their *Node, pkt *Pkt, nice uint8, size, padSize
 
 func TbsVerify(our *NodeOur, their *Node, pktEnc *PktEnc) (bool, error) {
 	tbs := PktTbs{
-		Magic:     MagicNNCPEv1,
+		Magic:     MagicNNCPEv2,
 		Nice:      pktEnc.Nice,
-		Recipient: our.Id,
 		Sender:    their.Id,
+		Recipient: our.Id,
 		ExchPub:   pktEnc.ExchPub,
 	}
 	var tbsBuf bytes.Buffer
@@ -276,13 +279,16 @@ func PktEncRead(our *NodeOur, nodes map[NodeId]*Node, data io.Reader, out io.Wri
 	if err != nil {
 		return nil, 0, err
 	}
-	if pktEnc.Magic != MagicNNCPEv1 {
+	if pktEnc.Magic != MagicNNCPEv2 {
 		return nil, 0, BadMagic
 	}
 	their, known := nodes[*pktEnc.Sender]
 	if !known {
 		return nil, 0, errors.New("Unknown sender")
 	}
+	if *pktEnc.Recipient != *our.Id {
+		return nil, 0, errors.New("Invalid recipient")
+	}
 	verified, err := TbsVerify(our, their, &pktEnc)
 	if err != nil {
 		return nil, 0, err
@@ -292,7 +298,7 @@ func PktEncRead(our *NodeOur, nodes map[NodeId]*Node, data io.Reader, out io.Wri
 	}
 	sharedKey := new([32]byte)
 	curve25519.ScalarMult(sharedKey, our.ExchPrv, pktEnc.ExchPub)
-	kdf := hkdf.New(blake256, sharedKey[:], nil, MagicNNCPEv1[:])
+	kdf := hkdf.New(blake256, sharedKey[:], nil, MagicNNCPEv2[:])
 
 	keyEnc := make([]byte, 32)
 	if _, err = io.ReadFull(kdf, keyEnc); err != nil {
-- 
2.44.0