1
0

Version.h 22 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495
  1. /* vim: set expandtab ts=4 sw=4: */
  2. /*
  3. * You may redistribute this program and/or modify it under the terms of
  4. * the GNU General Public License as published by the Free Software Foundation,
  5. * either version 3 of the License, or (at your option) any later version.
  6. *
  7. * This program is distributed in the hope that it will be useful,
  8. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. * GNU General Public License for more details.
  11. *
  12. * You should have received a copy of the GNU General Public License
  13. * along with this program. If not, see <https://www.gnu.org/licenses/>.
  14. */
  15. #ifndef Version_H
  16. #define Version_H
  17. #include "util/Linker.h"
  18. Linker_require("util/version/Version.c")
  19. #include <stdint.h>
  20. /*
  21. * Cjdns Protocol Versions
  22. *
  23. * The first argument to Version_COMPAT is the new version, the second argument is a list of
  24. * older versions with which it is compatible. All versions are obviously assumed to be compatible
  25. * with themselves and any version which is compatible with the most recent version to date is
  26. * assumed to be compatible with all future versions.
  27. */
  28. #ifndef Version_COMPAT
  29. // defined otherwise in Version.c
  30. #define Version_COMPAT(one, twoRange)
  31. #endif
  32. /*
  33. * Version 0:
  34. * January 2012
  35. *
  36. * First version.
  37. */
  38. Version_COMPAT(0, ([]))
  39. /*
  40. * Version 1:
  41. * October 2012
  42. *
  43. * When you send someone a message through cjdns, it's encrypted.
  44. * When you send the first message to a router, it has a nice header on it which tells them your key
  45. * and allows them to establish a cryptographic session with you. For every message after that, they
  46. * need to remember that session and use it to decrypt the message.
  47. *
  48. * The way they remember which session a message is associated with is to look at the switching
  49. * label from that message and compare that with the label which was used when the first message was
  50. * sent (with the header).
  51. *
  52. * What I didn't think about at the time is that labels change. Nodes find a better path to a
  53. * destination and expect the same session to work. It would work if the other end knew which
  54. * session to use but it can't know, the label is different.
  55. *
  56. * This is a protocol bug.
  57. *
  58. * In my opinion, the best way to fix it is to send an additional header before the crypto nonce
  59. * which tells the foreign node who it came from. When the handshake message is sent, the node will
  60. * send a 4 byte integer which the other end will store. Every time the other end sends a
  61. * non-handshake message to this end, it will prepend that same integer to the encrypted message and
  62. * on recieving a message, a node will use that number to do a lookup of the correct session to use.
  63. * The number can be a pointer or index offset so this can be quite fast.
  64. * Integer 0xFFFFFFFF shall be reserved and handshake messages which contain this value must be
  65. * ignored or treated as protocol 0 messages.
  66. *
  67. * But this is a protocol break.
  68. *
  69. * If a node gets handed a number and doesn't know what to do with it, it will think it's a
  70. * CryptoAuth header and it will fail. New nodes would be able to try a message as the old form if
  71. * the new form doesn't work but old nodes will just fail if they are ever sent a message in the new
  72. * form.
  73. *
  74. * Proposed Solution:
  75. * A key will be sent in all findNodes responses in the router, this key will be "np" for nodes'
  76. * protocol (version).
  77. * It will contain a string representation of a list of the protocol version numbers for the nodes
  78. * which it is introducing. The numbers will all be the same number of bytes and the first byte will
  79. * give that number. The length of the string will always be equal to one, plus the number of nodes
  80. * times the value of the first byte.
  81. *
  82. * This example shows the p which would accompany a findNodes response containing 1 node with
  83. * protocol version zero and one node with protocol version 1.
  84. *
  85. * "np": "\x01\x00\x01"
  86. *
  87. * 2:np3:\x01\x00\x01
  88. *
  89. * This example shows the p which would accompany a findNodes response containing 1 node with
  90. * protocol version 300 and two nodes with protocol version 5.
  91. *
  92. * "np": "\x02\x01\x2c\x00\x05\x00\x05"
  93. *
  94. * 2:np7:\x02\x01\x2c\x00\x05\x00\x05
  95. *
  96. * All multi-byte numbers shall be encoded in big endian encoding.
  97. *
  98. * Each node will have an internal compatibility matrix giving protocol version numbers which
  99. * can communicate, a node shall not respond to a findNodes message with a response containing any
  100. * nodes which are known to be incompatible with the protocol version of the requesting node.
  101. * Versions which are beyond the highest version number in the compatability matrix will be assumed
  102. * to have the same compatability as the highest number in the table.
  103. *
  104. * All messages shall contain shall contain an "p" key as well but these will have a benc integer
  105. * representing the protocol version of the sending node.
  106. *
  107. * Change to the Ping switch control message:
  108. * New switch ping messages will all be 8 or more bytes long, they will begin with a magic field
  109. * and then a version number which is the version of the sending node.
  110. * The magic will be set to 0x09f91102 for all ping messages and to 0x9d74e35b in the response
  111. * messages (these numbers shall be big endian encoded). Following this number will be a 4 byte
  112. * field containing the protocol version. Nodes which only speak protocol version 0 will be
  113. * identifyable because they echo back 0x09f91102 rather than replacing it and they will be unlikely
  114. * to send a ping request whose content begins with 0x09f91102.
  115. *
  116. * Protocol1.1
  117. * In protocol0 there was a single pool of sessions shared between the outer and inner layer.
  118. * In protocol1 it was split because one pool needed to have handles and the other pool didn't.
  119. * The problem with this is communications do not necessarily travel back and forth along the
  120. * same path and protocol1 exhibited a pathology wherein one node was direct sending packets to
  121. * another while the other was routing the responses via an intermediary.
  122. * There were 2 CryptoAuth sessions between the two nodes and neither session was entering run
  123. * state. So protocol1 was broken and the new protocol1 (protocol1.1) sends session handles on top
  124. * of the CryptoAuth handshake headers even if the handshake is in the inner layer (under the Ipv6
  125. * header). It does not however send handles in the inner layer when the inner layer CryptoAuth
  126. * session is in HANDSHAKE3 state or above.
  127. * Protocol1.1 still identifies itself as Protocol1, it will not be able to communicate with
  128. * protocol0 in some circumstances. If it knows nothing about the other node and it forwards a
  129. * message via an intermediary, the message will be unreadable at the other end.
  130. *
  131. * Protocol1.2
  132. * Changes in protocol1.1 are reverted as a solution was found in the implementation.
  133. */
  134. Version_COMPAT(1, ([0]))
  135. /*
  136. * Version 2:
  137. * February 21, 2013
  138. *
  139. * Remove compatibility layer for communicating with version 0 nodes.
  140. *
  141. * August 22, 2014
  142. * The Version_2_COMPAT ifdefs were removed in e2a7ebc4d7c54b6b5fac2c0ba5c7882af8b238f2
  143. */
  144. Version_COMPAT(2, ([1]))
  145. /*
  146. * Version 3:
  147. * August 16, 2013
  148. *
  149. * In version 1, handles were introduced so that a session could be looked when a packet came in.
  150. * During the initiation of a session, the node's handle was placed before the CryptoAuth block
  151. * unless the message was a layer-3 (forwarded) message in which case it was at the beginning
  152. * inside of the innermost CryptoAuth block. This handle was transferred to the peer so they could
  153. * tell how *this* node identifies the session.
  154. *
  155. * When a layer-2 (non-forwarded) message was received which was *not* a session initiation packet,
  156. * the peer's handle was placed before the CryptoAuth block in order for the peer to be able to
  157. * lookup the session in their table.
  158. *
  159. * Unfortunately the handle outside of the CryptoAuth initiation block was not authenticated in any
  160. * way and a switch could alter it accidently or maliciously causing the wrong session identifier
  161. * to be stored leading to the session failing until it eventually times out.
  162. *
  163. * To fix this bug the handle attached to the initiation message has been moved into the CryptoAuth
  164. * block where it should have been in the first place. Obviously the peer's handle is still placed
  165. * outside of the CryptoAuth block so it can serve it's function.
  166. *
  167. * As of version 3, implementations must not send handles which are less than 4 so that when they
  168. * receive them back, they will not be confused with the initial 4 bytes of a CryptoAuth setup
  169. * packet which is not preceeded by a handle.
  170. */
  171. Version_COMPAT(3, ([1,2]))
  172. /*
  173. * Version 4:
  174. * August 27, 2013
  175. *
  176. * This version makes no protocol changes but fixes a nasty bug with forwarding which caused
  177. * messages to be forwarded to random nodes, updated to encourage nodes to forward via others
  178. * who do not have the bug.
  179. */
  180. Version_COMPAT(4, ([1,2,3]))
  181. /*
  182. * Version 5:
  183. * September 4, 2013
  184. *
  185. * This version introduces a new RPC call for getting directly connected peers from a node.
  186. * The new RPC call is called "gp" and it takes a target label called "tar" which must be an
  187. * 8 byte long benc string. It returns a list of peers exactly the same as a search but they
  188. * must all be direct peers and they are the peers whose labels have smallest XOR distance
  189. * from "tar".
  190. */
  191. Version_COMPAT(5, ([1,2,3,4]))
  192. /*
  193. * Version 6:
  194. * December 14, 2013
  195. *
  196. * Drop support for versions older than 5
  197. */
  198. Version_COMPAT(6, ([5]))
  199. /*
  200. * Version 7:
  201. * March 16, 2014
  202. *
  203. * A ceremonial version which has the pathfinder2 implemented.
  204. * this is still compatible with the same versions and doesn't expressly change the protocol
  205. * although it is nolonger able to communicate with *older* version 5 nodes which do not advertize
  206. * their encoding scheme.
  207. */
  208. Version_COMPAT(7, ([5,6]))
  209. /*
  210. * Version 8:
  211. * August 22, 2014
  212. *
  213. * Previous to version 8, switch headers had a "Type" field which indicated the data type.
  214. * The data type is now inferred from the content of the packet and in the case of need to send
  215. * a control (error) packet, the switch sends a "handle" which is set to 0xffffffff.
  216. * Also switches previous to v8 zeroed the priority field, now it is left untouched.
  217. */
  218. Version_COMPAT(8, ([5,6,7]))
  219. /*
  220. * Version 9:
  221. * September 12, 2014
  222. *
  223. * Version 8 was sending improper checksums on error frames, corrected in v9.
  224. */
  225. Version_COMPAT(9, ([5,6,7,8]))
  226. /*
  227. * Version 10:
  228. * September 18, 2014
  229. *
  230. * Drop support for pre-v7
  231. */
  232. Version_COMPAT(10, ([7,8,9]))
  233. /*
  234. * Version 11:
  235. * October 7, 2014
  236. *
  237. * New QoS system and changes to SwitchHeader structure, see SwitchHeader.h
  238. */
  239. Version_COMPAT(11, ([7,8,9,10]))
  240. /*
  241. * Version 12:
  242. * November 21, 2014
  243. *
  244. * New inter-router API "nh" which has same semantics as "fn" but gets the next hop in
  245. * a hypothetical packet forwarding operation.
  246. */
  247. Version_COMPAT(12, ([7,8,9,10,11]))
  248. /*
  249. * Version 13:
  250. * December 30, 2014
  251. *
  252. * 1. Drop nodes older than 12.
  253. *
  254. * 2. Change of ETHInterface protocol.
  255. * We determined that the ETHInterface frame format was not possible to evolve
  256. * so we determined to add the low 16 bits of the version number to the header.
  257. * This was brought about by a need to include the message length in the header
  258. * to fix ethernet cards which fail to strip the CRC from the received message.
  259. *
  260. * The beacon contains a version number so if an old node is beaconing then the
  261. * new node can still speak the old protocol. If the new node is beaconing and
  262. * an old node receives it and responds, it will fail as we have determined that
  263. * there is no reasonable way for the new node to determine that an old format
  264. * message is old. It will begin working again if the old node sends a beacon.
  265. */
  266. Version_COMPAT(13, ([12]))
  267. /*
  268. * Version 14:
  269. * January 23, 2014
  270. *
  271. * Cerimonial version 14 to indicate a bug-fix in the getPeers function which
  272. * previously returned the same list of peers every time. Furthermore the switch
  273. * pinger was fixed to set the labelShift field correctly, fixing a bug which
  274. * caused spurious loss of switch ping packets (culminating in peers "missing"
  275. * from the routing table).
  276. */
  277. Version_COMPAT(14, ([12,13]))
  278. /**
  279. * Version 15:
  280. * January 29, 2014
  281. *
  282. * Cerimonial version 15 to indicate a change in routing behavior, for each incoming
  283. * packet, remember the path it took, if no path to the return node is known,
  284. * use the path that the incoming packet took for the response.
  285. */
  286. Version_COMPAT(15, ([12,13,14]))
  287. /**
  288. * Version 16:
  289. * February 13, 2014
  290. *
  291. * Verschlumbesserung
  292. *
  293. * This version comprises a major refactoring both in the internal organizatin of and the behavior
  294. * of cjdns. First on the internal organization note, the file formerly known as Ducttape.c is no
  295. * more, it made cjdns when cjdns didn't work but now it's time has passed, long live Ducttape.
  296. * Ducttape has been broken up into a series of 5 modules, SwitchAdapter, ControlHandler,
  297. * SessionManager, UpperDistributor and TUNAdapter. Furthermore Interface.h has been removed and
  298. * replaced with Iface.h. Interface.h was "gendered", meaning the male side of one interface could
  299. * only be linked with the female side of the other, Iface is ungendered and is linked (potentially
  300. * to any other interface in the project) using Iface_plumb(). Furthermore Iface has been adapted
  301. * to facilitate manual tail-call optimization.
  302. *
  303. * A new protocol called PFChan seperates the Pathfinder from the (packet handling) core. The
  304. * pathfinder is nolonger required to answer any questions for the core synchronously and since it
  305. * now communicated using Message and Iface as opposed to function calls, it may be seperated into
  306. * an external process. Furthermore the EventEmitter (module to which the pathfinder connects) is
  307. * capable of accepting connections from multiple pathfinders, allowing advanced external
  308. * pathfinders to be developed outside of the main cjdns project.
  309. *
  310. * On the point of protocol, two new headers have been defined, one is sent over the wire to other
  311. * nodes and the other is merely internal protocol for communicating with the SessionManager.
  312. * DataHeader is a new header, sent over the wire between any two v16+ nodes, it replaces the faux
  313. * IPv6 headers which previously were sent over the wire. RouteHeader is used internally to tell
  314. * SessionManager where one wants the packet to go but is never seen on the wire. The final and
  315. * perhaps most significant change in this version is the loss of packet forwarding. No longer does
  316. * a v16 node attempt to forward a message to another node in case that it does not know a route to
  317. * the final destination instead it bufferes the packet and triggers a DHT search in the same way
  318. * that Ethernet buffers a frame and triggers an ARP request. This vastly simplifies the debugging
  319. * of weird routing behaviors.
  320. */
  321. Version_COMPAT(16, ([12,13,14,15]))
  322. /**
  323. * Version 17:
  324. * October 9, 2015
  325. *
  326. * Ouvrir le parapluie
  327. *
  328. * When a node connects to another node, before v17, the connection password is double-hashed and
  329. * sent while the password hash and a field called Derivations were hashed together (and then
  330. * hashed with the shared secret from Curve25519 crypto) so that theoretically the hash of the
  331. * password and a various value of Derivations could be passed to another node who could then
  332. * establish a more heavily secured session. After v17 Derivations now is meaningless and the
  333. * previously meaningless bit A which had been set in the CryptoHeader_Challenge is now cleared
  334. * (see CryptoHeader.h)
  335. *
  336. * Also v17 adds a new authType, authType 2 which is for logging in with name and password.
  337. * In pre-17 when a session setup packet is sent, the double-hash of the password is sent as a
  338. * key so that the server can lookup the correct password to test.
  339. * This means someone with the session setup packet could crack to find the actual password and
  340. * then connect to the server. The change introduces a "login" in addition to the password, this
  341. * instead is hashed and sent so if the attacker cracks the hash, they'll get the login and will
  342. * not be able to login to the server.
  343. */
  344. Version_COMPAT(17, ([16]))
  345. /**
  346. * Version 18:
  347. * May 13, 2016
  348. *
  349. * Rimpasto
  350. *
  351. * In early 2016 a fundimental flaw was discovered in the way in which the Pathfinder works.
  352. * This flaw was named The Drawbridge Bug. When a node starts, it populates it's switch table
  353. * in first-come-first-serve order. This is desired behavior, we must occasionally reshuffle
  354. * the switch table in order to avoid persistent holes in the table which cause unduly long
  355. * switch label directors.
  356. * Unfortunately when a node reshuffles it's switch table, this breaks labels which pass through
  357. * the node. More unfortunately, it is not always clear that they were broken. For instance:
  358. * A->B->C->D->E and C resets and now the same path goes A->B->C->X->Y, the traditional Pathfinder
  359. * would think that D->E is broken and might replace it with D->Y, which is an incorrect inference
  360. * but will work for making this particular path again - thus positively reinforcing the wrong
  361. * inferrence.
  362. * Furthermore this problem has caused the NodeStore to make conclusions which are provably
  363. * incorrect and this caused assertion failures which caused nodes to reset, causing more and more
  364. * reshuffling of switch tables and more and more crashes.
  365. * A secondary and more difficult problem is that the paths resolved by the DHT style routing
  366. * system are longer than they need to be because as the search wanders looking for a node which
  367. * knows the full path, so too does the traffic.
  368. * There exist many routing algorithms which are far more efficient and some are believed to scale
  369. * smoothly to millions of nodes but the routing table's resistance to poison is specific to cjdns
  370. * and other algorithms are mostly highly susceptable. A similar issue to poison-resiliance is that
  371. * cjdns nodes need not implement any highly complex behaviors in order to keep the network
  372. * functioning, they only answer a few simple questions such as "who do you know whose address is
  373. * numerically close to X" and "which of your peers has a path numerically close to Y". Most other
  374. * routing algorithms require complex implementations and even a small deviation in behavior on
  375. * one node could be disastrous.
  376. *
  377. * v18 Rimpasto is a rethink of the routing infrastructure. First we accept that the problem is
  378. * harder than it was intially thought to be. The old routing infrastructure is now optional and
  379. * is replaced by something known as subnode, subnode connects to what are called supernodes.
  380. * The supernode code is in a different codebase which is written in nodejs and is called cjdnsnode.
  381. * The subnode is mostly located in subnode directory in the project but it makes use of a few parts
  382. * of the old dht directory.
  383. * The subnode configuration contains a set of supernodes, not anyone can just start up a supernode
  384. * and use it to damage the network, subnodes need to trust a supernode in order to use it.
  385. * The subnode uses findNode and getPeers requests to find a path to a supernode and then it sends
  386. * a findPath query to the supernode in order to answer all of it's routing needs. The supernode
  387. * is expected to be able to construct a route label for the optimal path between any one of it's
  388. * clients and any other node in the network but how that is done is up to the supernode.
  389. * The subnode still answers all of the queries made by the old DHT based routing code but for
  390. * findNode queries, the subnode answers the query by requesting the information from the supernode,
  391. *
  392. * This version allows optional/experimental subnode using SUBNODE=1 in the build.
  393. */
  394. Version_COMPAT(18, ([16,17]))
  395. /**
  396. * Version 19:
  397. * February 21, 2017
  398. *
  399. * shibboleth
  400. *
  401. * This is a mostly cerimonial release, the supernode/subnode infrastructure is still not completely
  402. * ready. This release is largely cerimonial, there are no breaking changes to the protocol.
  403. * There have been improvements to the CryptoAuth handshake which should make it less likely that
  404. * the CryptoAuth session will go into a bad state and the nodes be unable to talk to eachother.
  405. */
  406. Version_COMPAT(19, ([16,17,18]))
  407. /**
  408. * Version 20:
  409. * March 16, 2017
  410. *
  411. * baratiner
  412. *
  413. * In this release the default behavior is to try to solicit supernodes by asking peers then to
  414. * attempt to announce to a supernode, however the old messages are still supported and they are
  415. * handled by the old nodestore. When something needs to be found, this version will use both the
  416. * old DHT and its supernode (if it has one) at the same time.
  417. */
  418. Version_COMPAT(20, ([16,17,18,19]))
  419. /**
  420. * Version 21:
  421. * June 23, 2020
  422. *
  423. * Disintermediated
  424. *
  425. * Changes to allow multiple peerings to the same node over different media. For example over
  426. * IPv4 and IPv6, or Ethernet and IPv4. To support this there is a new switch message called
  427. * RPATH which gets the reverse path for a connection. Perviously we used getpeers and then
  428. * found ourselves in the list, but since we may appear in the list multiple times, that is
  429. * nolonger acceptable.
  430. * Secondly, we changed the way announcements to the route server are filtered, filtering them
  431. * by label (actually peerNum) rather than by ipv6. This means the sync with snode is different.
  432. * Third, we added a new field "dnd" (do not disturb) to DHT messages, which indicates that our
  433. * DHT server is down and we would rather not be bothered with lots of find-node or get-peer
  434. * traffic. When running in SUBNODE mode, "dnd" is enabled.
  435. */
  436. Version_COMPAT(21, ([20]))
  437. /**
  438. * Version 22:
  439. * May 26, 2021
  440. *
  441. * Noisemaker
  442. *
  443. * When communicating with v22 or above, use a varient of NOISE protocol rather than the aging
  444. * CryptoAuth code.
  445. */
  446. Version_COMPAT(22, ([21,20]))
  447. /**
  448. * The current protocol version.
  449. */
  450. #define Version_CURRENT_PROTOCOL 22
  451. #define Version_21_COMPAT
  452. #define Version_20_COMPAT
  453. #define Version_MINIMUM_COMPATIBLE 20
  454. #define Version_DEFAULT_ASSUMPTION 20
  455. /**
  456. * Check the compatibility matrix and return whether two versions are compatible.
  457. * If a version is not listed on the table, the highest version on the table is
  458. * substituted for it but if the return value is yes, it is changed to maybe.
  459. *
  460. * @param version1 the first version
  461. * @param version2 the second version
  462. * @return 1 meaning compatible or 0 meaning incompatible.
  463. */
  464. int Version_isCompatible(uint32_t one, uint32_t two);
  465. #endif