[freenet-dev] [freenet-cvs] r15523 - trunk/freenet/src/freenet/node

Matthew Toseland toad at amphibian.dyndns.org
Wed Oct 24 15:23:10 UTC 2007 

Comments below...

What exactly is this key for? I believe it is for round trip verification ... 
does resetting it have any impact on forward secrecy?

On Wednesday 24 October 2007 15:15, you wrote:
> Author: nextgens
> Date: 2007-10-24 14:15:17 +0000 (Wed, 24 Oct 2007)
> New Revision: 15523
> 
> Modified:
>    trunk/freenet/src/freenet/node/FNPPacketMangler.java
> Log:
> JFK: 
> 	Change the transient key on a regular basis (at least once every 30mins). 
We need it to be deterministic if we want to have a strict PFS interval.
> 
> Modified: trunk/freenet/src/freenet/node/FNPPacketMangler.java
> ===================================================================
> --- trunk/freenet/src/freenet/node/FNPPacketMangler.java	2007-10-24 09:53:20 
UTC (rev 15522)
> +++ trunk/freenet/src/freenet/node/FNPPacketMangler.java	2007-10-24 14:15:17 
UTC (rev 15523)
> -	// The following is used in the HMAC calculation of JFK message3 and 
message4
> +	/** The following is used in the HMAC calculation of JFK message3 and 
message4 */
>  	private static final byte[] JFK_PREFIX_INITIATOR, JFK_PREFIX_RESPONDER;
>  	static {
>  		byte[] I = null,R = null;
> @@ -103,6 +100,21 @@
>  	private static final int TRANSIENT_KEY_SIZE = HASH_LENGTH;
>  	/** The key used to authenticate the hmac */
>  	private final byte[] transientKey = new byte[TRANSIENT_KEY_SIZE];
> +	public static final int TRANSIENT_KEY_REKEYING_MIN_INTERVAL = 30*60*1000;
> +	/** The Runnable in charge of rekeying on a regular basis */
> +	private final Runnable transitentKeyRekeyer = new Runnable() {
> +		public void run() {
> +			resetTransientKey();
> +			
> +			try {
> +				// Ugly hack to let the node start up. When we are first
> +				// called in the constructor the ticker is not available!
> +				while(!node.isHasStarted())
> +					Thread.sleep(1000);
> +			} catch (InterruptedException e) {}
> +			node.getTicker().queueTimedJob(transitentKeyRekeyer, 
TRANSIENT_KEY_REKEYING_MIN_INTERVAL);
> +		}
> +	};

All you have to do is add a start() method to FNPPacketMangler, and have it 
called during the start() phase of the node (before PacketSender start). 
Include the initial scheduling of the above in that method.

>  	/** Minimum headers overhead */
>  	private static final int HEADERS_LENGTH_MINIMUM =
>  		4 + // sequence number
> @@ -139,7 +151,10 @@
>  		fullHeadersLengthMinimum = HEADERS_LENGTH_MINIMUM + 
sock.getHeadersLength();
>  		fullHeadersLengthOneMessage = HEADERS_LENGTH_ONE_MESSAGE + 
sock.getHeadersLength();
>  		logMINOR = Logger.shouldLog(Logger.MINOR, this);
> -		resetTransientKey();
> +		
> +		// Yeah there is a race condition... the key might be at 0 for a while...
> +		// but it will get reset soonish and current runs will be invalidated.
> +		node.executor.execute(transitentKeyRekeyer, "JFK transientRekeyer");
>  	}

Should be in start(), *not* in FNPPM.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://emu.freenetproject.org/pipermail/devl/attachments/20071024/81f73dec/attachment.pgp

More information about the Devl mailing list