Browse Source

Initial revision.

Bernd Fix 3 years ago
81 changed files with 11790 additions and 2 deletions
  1. +4
  2. +32
  3. BIN
  4. BIN
  5. BIN
  6. BIN
  7. BIN
  8. BIN
  9. BIN
  10. BIN
  11. BIN
  12. BIN
  13. BIN
  14. BIN
  15. BIN
  16. BIN
  17. +262
  18. +38
  19. +58
  20. +306
  21. +33
  22. +19
  23. +68
  24. +103
  25. +22
  26. +16
  27. +2
  28. +12
  29. +7
  30. +47
  31. +4
  32. +31
  33. +63
  34. BIN
  35. BIN
  36. +25
  37. +505
  38. +717
  39. +87
  40. +4
  41. +59
  42. +46
  43. +115
  44. +37
  45. +93
  46. +8
  47. +20
  48. +65
  49. +834
  50. +39
  51. +23
  52. +73
  53. +1377
  54. +240
  55. +169
  56. +132
  57. +7
  58. +217
  59. +1422
  60. +1793
  61. +99
  62. +120
  63. +36
  64. +37
  65. +33
  66. +351
  67. +127
  68. +23
  69. +87
  70. +385
  71. +781
  72. +114
  73. +12
  74. +39
  75. +18
  76. +109
  77. +87
  78. +36
  79. +3
  80. +40
  81. +19

+ 4
- 0
.gitignore View File

@ -72,3 +72,7 @@
# Project-local glide cache, RE:

+ 32
- 2 View File

@ -1,3 +1,33 @@
# gnunet-specs
# GNUnet protocol specification
Implementation-agnostic specification of GNUnet P2P protocols
Author: Bernd Fix
All files are licensed under GNU AGPL-3.0.
## Documentation
* papers: 3rd party papers on GNUnet and crypto (mostly academic)
* raw: raw ASCII protocol definition
* reports: findings in the GNUnet source code
* specification: texinfo protocol definition
## Source code
All source code is written in Golang (version 1.10+) without additional
3rd party libraries (although some source code files from
[] are re-used).
### ./src/cmd folder
* vanityid: Compute GNUnet vanity peer id
* peer_mockup: Golang-based peer to test message exchange
### ./src/gnunet folder
Packages used to implement GNUnet protocols (currently only TRANSPORT)
GNUnet P2P protocol specification

doc/papers/LightSec14_Tolga_Acar.pdf View File

doc/papers/SCTP-Go.pdf View File

doc/papers/aff.pdf View File

doc/papers/anonymity.pdf View File

doc/papers/curve25519-20060209.pdf View File

doc/papers/ebe.pdf View File

doc/papers/ecrs.pdf View File

doc/papers/ed25519-20110926.pdf View File

doc/papers/gcrypt.pdf View File

doc/papers/nss2011.pdf View File

doc/papers/pwnat.pdf View File

doc/papers/slides-interim-2014-cfrg-1-3.pptx View File

doc/papers/transport.pdf View File

doc/papers/txirefcard-a4.pdf View File

+ 262
- 0
doc/raw/crypto.txt View File

@ -0,0 +1,262 @@
0. Intro
GNUnet makes use of various cryptographic mechanisms (signing, hashing,
encrypting, ...) in various different flavors. This section will shortly
explain these mechanisms:
0.1. Elliptic Curve Cryptography (ECC)
Signatures in GNUnet are based on EdDSA [1],[2]. EdDSA is a secure and
fast ECC signature scheme based on the twisted Edwards curve Ed25519. The
private key is a 32 byte seed value (which is used to derive an integer
'd'); the public key is the point '[d]B' where 'B' is the base point of
Used for: - long-term signing key
(persistent, public key is the peer ID)
- short-term signing key
(transient, valid for ~12h)
The key exchange scheme is based on ECDHE with Curve25519 key pairs.
Long-term signing key EdDSA
Short-term signing key ECDSA on Ed25519
Key for key exchange ECDHE on Curve25519
Session key(s) AES / Twofish
1. Initial setup
1.1. Long-term signing key
A peer generates a long-term signing key pair for the EdDSA signature
algorithm with the Ed25519 curve from a random seed. For further details
see the Ed25519 paper [1] and RFC 8032 [2].
1.2. PeerIdentity
The PeerIdentity is the public key of the long-term signing key of a
peer. A human-readable representation of the PeerIdentity is a custom
Base32 encoding of the public key (see A.1 for details)
2. Periodically
2.1. {REKEY_FREQUENCY: 12 hrs} Ephemeral key
A Peer generates an ephemeral signing key pair for the EdDSA signature
algorithm with the Ed25519 curve from a random seed. It creates a
"CORE_EPHEMERAL_KEY" message (see "CORE protocol") and signs it with the
long-term signing key created in step 1.1
This ephemeral key will be used with the ECDHE key exchange algorithm to
establish session keys for symmetrical encryption between the peers.
3. On demand
2.1. {on start-up, expiration or change of TRANSPORT protocols}
The peer constructs a new HELLO message for itself and puts it into the
DHT (see chapter "HELLO" protocol). A HELLO message contains the identity
of the peer and a list of available end-points where the peer accepts
connections from other peers. Each end-point defines an expiration date
(to handle cases where the globally-visible IP address of a peer changes
over time like for DSL clients). The HELLO in URI format looks like:
4. Establishing a channel to a target peer
4.1. Lookup HELLO of target peer
The peer looks up the HELLO for a target peer with a known peer identity
from either a local list of "known" peers with non-expired lifetime or
looks up the HELLO message of the target peer in the DHT (see chapter
"HELLO protocol"). It selects (one or more an end-points of the target
peer (see chapter "ATS") for a connection to the target.
4.2. Connecting to target end-point
The peer connects to the selected end-point(s) of the target peer thus
establishing a uni-directional (e.g. UDP) or bi-directional (e.g. TCP)
channel to the target.
In case of a uni-directional channel the target will try to establish
a back-channel to the peer as soon as it knows how to do so (usually
after step 4.3.1). For simplification we assume that a bi-directional
message exchange between peer and target exists.
4.3. HELLO protocol to negotiate session keys for transport
The peer
[5] Message exchange
(1) Services queue messages for a target peer
- message is processed immediately (if requested by service)
- (smaller) messages are bundled (max 64k total)
=> raw packet:
(2) raw packet is encrypted:
- AES-GCM (nonce, timestamp {obsolete in future version})
- Twofish
=> transport packet
[6] Transport
(1) TCP:
- direct message exchange (bi-directional)
(2) UDP:
Each UDP packet has the following structure:
- peerid of sender (32 bytes)
{ future extension:
- ephemeral key
- signature of payload (64 bytes)
- HMAC (32/64 bytes)
- payload (up to MTU-header size)
[A] Appendices
(1) Base32 conversion between binary data and string representation
A binary array of size m is viewed as a consecutive stream of bits from
left to right. Bytes are ordered with ascending address, while bits (in
a byte) are ordered MSB to LSB.
For encoding the stream is partitioned into 5-bit chunks; the last chunk
is right-padded with 0's if 8*m is not divisible by 5. Each chunk (value
between 0 and 31) is encoded into a character; the mapping for encoding
is the same as in [3].
For decoding each character is converted to a 5-bit chunk based on the
encoder mapping (with one addition: the character 'U' maps to the value
27). The chunks are concatenated to produce a bit stream to be stored
in the output array.
B. Crypto-related constants
B.1. Signature purpose
| Name | Value | Comment |
| SIG_TEST | 0 | Only used in test cases! |
| SIG_TRANSPORT_PONG_OWN | 1 | Signature for confirming that this peer uses a particular address. |
| SIG_TRANSPORT_DISCONNECT | 2 | Signature for confirming that this peer intends to disconnect. |
| SIG_REVOCATION | 3 | Signature for confirming a key revocation. |
| SIG_NAMESPACE_ADVERTISEMENT | 4 | Signature for a namespace/pseudonym advertisement. |
| SIG_PEER_PLACEMENT | 5 | Signature by which a peer affirms that it is providing a certain |
| | | bit of content (used in LOCation URIs). |
| SIG_FS_KBLOCK | 6 | Obsolete, legacy value. |
| SIG_FS_SBLOCK | 7 | Obsolete, legacy value. |
| SIG_FS_NBLOCK | 8 | Obsolete, legacy value. |
| SIG_FS_NBLOCK_KSIG | 9 | Obsolete, legacy value. |
| SIG_RESOLVER_RESPONSE | 10 | Signature of an DNS_Advertisement |
| SIG_DNS_RECORD | 11 | |
| SIG_CHAT_MESSAGE | 12 | Signature of a chat message. |
| SIG_CHAT_RECEIPT | 13 | Signature of confirmation receipt for a chat message. |
| SIG_NSE_SEND | 14 | Signature of a network size estimate message. |
| SIG_GNS_RECORD_SIGN | 15 | Signature of a gnunet naming system record block. |
| SIG_ECC_KEY | 16 | Purpose is to set a session key. |
| SIG__FS_UBLOCK | 17 | UBlock Signature, done using DSS, not ECC |
| SIG_REGEX_ACCEPT | 18 | Accept state in regex DFA. Peer affirms that it offers the |
| | | matching service. |
| SIG_MULTICAST_MESSAGE | 19 | Signature of a multicast message sent by the origin. |
| SIG_CONVERSATION_RING | 20 | Signature of a conversation ring. |
| SIG_SECRETSHARING_DKG1 | ? 22 | Signature for the first round of distributed key generation. |
| SIG_SECRETSHARING_DKG2 | ? 23 | Signature for the second round of distributed key generation. |
| SIG_SECRETSHARING_DECRYPTION | 23 | Signature for cooperative decryption. |
| SIG_MULTICAST_REQUEST | 24 | Signature of a multicast request sent by a member. |
| SIG_SENSOR_ANOMALY_REPORT | 25 | Signature for a sensor anomaly report message. |
| SIG_GNUID_TOKEN | 26 | Signature for a GNUid Token. |
| SIG_GNUID_TICKET | 27 | Signature for a GNUid Ticket. |
| SIG_CREDENTIAL | 28 | Signature for a GNUnet credential. |
[B] References

+ 38
- 0
doc/raw/protocols/core.txt View File

@ -0,0 +1,38 @@
1. CORE Protocol
A. Message Formats
+ Field | Size / type | Comment |
| size | 2 / uint16 (nbo) | Total length of message (incl. size) |
| type | 2 / uint16 (nbo) | Message type: CORE_EPHEMERAL_KEY (88) |
| sender_stat | 4 / uint32 (nbo) | enum PeerStateMachine |
| signature | 64 | EdDSA signature |
| sign_length | 4 / uint32 (nbo) | Length of signed block (incl. this) |
| purpose | 4 / uint32 (nbo) | Signature purpose (see chapter "CRYPTO") |
| create_time | 8 / uint64 (nbo) | Time of key creation. |
| expire_time | 8 / uint64 (nbo) | Time of key expiration. |
| eph_key | 32 | Ephemeral EdDSA public key |
| peerid | 32 | Peer identity (EdDSA public key) |

+ 58
- 0
doc/raw/protocols/hello.txt View File

@ -0,0 +1,58 @@
1. HELLO Protocol
The HELLO protocol (see chapter "HELLO Protocol" for details) is a plain-
text (unencrypted) message exchange to establish a secure (encrypted)
message exchange between the peers after a physical connection has been
4.3.1 The peer sends its HELLO message: This tells the target which
peer is connecting. The target retrieves the peer identity (thus
learning the long-term signature verification key (public EdDSA
key) and a list of available end-points for a possibly required
back-channel to the peer. If the target accepts the peer (not on
a black-list or filtered out) and the channel is uni-directional,
the target creates a back-channel to the peer. If the target
does not accept the peer and the channel is bi-directional, the
target resets the connection.
(5) peers exchange (unencrypted) and validate ephemeral keys and derive
a shared secret (ECDHE)
(6) the shared secret is used to derive (HKDF) two session keys for
AES-256 and Twofish
A. Message Formats
+ Field | Size / type | Comment |
| size | 2 / uint16 (nbo) | Total length of message (incl. size) |
| type | 2 / uint16 (nbo) | GNUnet message type = HELLO (17) |
| friend_only | 4 / uint32 (nbo) | = 1: do not gossip this HELLO |
| peerid | 32 | EdDSA public key (long-term) |
| addresses | variable | List of variable length addresses |
| transport | variable | Name of transport ('\0' terminated) |
| addr_size | 2 / uint16 (nbo) | Length of address |
| expire_on | 8 / uint64 (nbo) | UNIX timestamp |
| address | adr_size | Address (transport-dependend) |

+ 306
- 0
doc/raw/transport.txt View File

@ -0,0 +1,306 @@
1. Establishing a GNUnet session between two peers
A session between two GNUnet peers enables the exchange of P2P messages
between them. A session is a wrapper around two uni-directional channels
(A -> B, B -> A) that in theory can even utilize two distinct transport
mechanisms (e.g. UDP and HTTPS).
The most common (and reliable) transport mechanism is TCP/IP that has
the additional advantage of being bi-directional - it bundles channel
and back-channel into a single transport. The following sections will
describe how a TCP-based session between to peers A (initiator) and B
(target) is established.
After negotiating the session and a shared session key, the exchange of
messages between A and B will be encrypted with forward secrecy (see
chapter "Crypto" for more details).
1.1. Pre-Requisites
Each peer has a unique peer ID that is the public key of the long-term
EdDSA signing key (see chapter "Crypto" for details). It is represented
as a 32 byte binary.
Each peer also has a list of end-points that can be used by other peers
to connect to it. An end-point specifies the transport protocol (e.g.
TCP) and an address (e.g. an IPv4 or IPv6 address and a port). The
format of an address is of course dependent on the transport protocol;
an HTTPS transport for example requires an URL address.
We assume that the initiator A of a session knows how to connect to an
address on target B. The bootstrap is usually done by hard-coding a
single, reliable and available GNUnet peer identity and its addresses.
Every peer participating in the network will "learn" about more peers
and their addresses later in the process.
1.2. GNUnet message format
The communication between two peers is based on GNUnet messages. An
individual GNUnet message cannot exceed the size of 64kB; it has at
least a size of 4 bytes (just a header with an empty payload).
All GNUnet messages have a standard header of the following form:
| Field | Size / type | Comment |
| size | 2 / uint16 (nbo) | Total length of message (incl. size) |
| type | 2 / uint16 (nbo) | GNUnet message type |
The annotation "(nbo)" indicates "network-byte order"; integers of that
kind are stored in "big-endian" format (MSB first) in the message body.
The field types used in messages are mostly self-explanatory and are used
in nearly all programming languages. The following field types need an
string a sequence of 8-bit characters delimited by '\0'
(C/C++ character string)
time uint64 value of the number of microseconds since
midnight Jan 1st, 1970 (Unix epoch in usec)
address uint8 array of variable length (with no terminator)
The internal structure of an address depends on the
transport protocol used (TCP and UDP addresses for
example are composed of a 4 (IPv4) or 16 (IPv6) uint8
array followed by the port as uint16 (nbo)).
1.3. Establishing a session between peers (TCP connection)
Peer A (initiator) establishes a TCP connection to an address of peer B.
After the TCP/IP connection is built, peer A starts the message exchange
to establish a GNUnet session with the other peer.
1.3.1. Exchange TRANSPORT_TCP_WELCOME messages
Peer A sends a TRANSPORT_TCP_WELCOME message to peer B, so that peer B
can learn the peer identity of the initiating peer:
| Field | Size / type | Comment |
| size | 2 / uint16 (nbo) | Total length of message (incl. size) |
| type | 2 / uint16 (nbo) | TRANSPORT_TCP_WELCOME (61) |
| peer_id | 32 | Peer ID of sender (A) |
Peer B replies with a TRANSPORT_TCP_WELCOME message, so that peer A can
check it is talking to the correct target peer B (and terminate the TCP
connection if that is not the case).
Peer B can also send a TRANSPORT_SESSION_QUOTA message to inform peer A
about a the maximum bandwidth it has assigned to this session. Only rogue
peers ignore this request:
| Field | Size / type | Comment |
| size | 2 / uint16 (nbo) | Total length of message (incl. size) |
| quota | 4 / uint32 (nbo) | Assigned bandwith to session (B/s) |
Peer B can also send a TRANSPORT_SESSION_SYN message to
A --> B 00:24:00:3d:d3:b3:ac:f3:85:0e:cc:df:82:dd:fe:45
B --> A 00:24:00:3d:92:dc:bf:39:40:2d:c6:3c:97:a6:81:e0
B --> A 00:08:01:7b:ff:ff:ff:ff
= SessionQuotaMsg{4.000GB/s}
1.3.2. Send HELLO message
1.3.2. Send HELLO message
Peer A sends a HELLO message to peer B to announce its peer identity
and its list of available end-points (list of 0 or more HELLOADDR blocks):
| Field | Size / type | Comment |
| size | 2 / uint16 (nbo) | Total length of message (incl. size) |
| type | 2 / uint16 (nbo) | HELLO (17) |
| friend_only | 32 / uint32 (nbo) | =1: don't gossip HELLO |
| peer_id | 32 | Peer ID of sender |
| addr_list | * / []HELLOADDR | List of HELLO addresses (can be empty) |
The field 'friend_only' is either 0 (=NO) or 1 (=YES) and specifies if the
receiving peer may gossip this HELLO message to other peers (see section
"GOSSIP Protocol" for details).
As mentioned earlier, Peer B could build a separate back-channel to peer
A for a GNUnet connection although that is not necessary for our TCP
connection which is bi-directional. In this case (TCP), the HELLO message
may contain no end-point specifications (address_list is empty):
If the HELLO message contains HELLOADDR blocks, these have the following
| Field | Size / type | Comment |
| transport | * / string | Name of transport |
| addr_size | 2 / uint16 (nbo) | Size of address entry |
| expire_on | 8 / time (nbo) | Expiration date |
| address | * / address | Address specification (addr_size bytes) |
Peers should persistently store received HELLO messages (until the addresses
contained in it expire).
==> 00:3a:00:11:00:00:00:00:d3:b3:ac:f3:85:0e:cc:df
1.3.2. PING/PONG handshake
Peer A sends a TRANSPORT_PING message to Peer B:
| Field | Size / type | Comment |
| size | 2 / uint16 (nbo) | Total length of message (incl. size) |
| type | 2 / uint16 (nbo) | TRANSPORT_PING (372) |
| challenge | 4 / uint32 | Challenge code (to ensure fresh reply) |
| target_id | 32 | Peer ID of target peer |
| addr | * / address | Address on target peer |
==> 00:36:01:74:54:94:ab:a1:92:dc:bf:39:40:2d:c6:3c
<== SessionQuotaMsg{4.000GB/s}
<== SessionSyn{2018-07-11T12:26:56.000763Z}
==> SessionSynAck{2018-07-11T12:26:56.000763Z}
<== PongMsg{?,Address{tcp:},2712376404}
*** PONG signature verified
<== SessionAck{}
1.2. Peer B initiates a connection to Peer A
<== 00:24:00:3d:92:dc:bf:39:40:2d:c6:3c:97:a6:81:e0
==> 00:24:00:3d:d3:b3:ac:f3:85:0e:cc:df:82:dd:fe:45
<== 00:28:00:11:00:00:00:00:92:dc:bf:39:40:2d:c6:3c
<== PingMsg{TESTSWW51V6DZ0PXZS2G623HHH8TNSJJQYV31S8Q2DWXT0DWH5B0,Address{tcp:},279093666}
==> PongMsg{OK,Address{tcp:},279093666}
<== SessionQuotaMsg{4.000GB/s}
<== SessionSyn{2018-07-11T12:00:31.000255Z}
==> SessionSynAck{2018-07-11T12:00:31.000255Z}
<== SessionAck{}
*** CONNECTION etsablished with peer 'JBEBYEA05Q33S5X6G7GFSP3WEGBX78WCABYY0JDWT0E0M2WC098G'

+ 33
- 0
doc/reports/2018-07-07_SigPurpose.txt View File

@ -0,0 +1,33 @@
In ./src/include/gnunet_signature.h (lines 146-169) the following
constants are defined:
> /**
> * Signature of a conversation ring.
> */
> /**
> * Signature for the first round of distributed key generation.
> */
> /**
> * Signature for the second round of distributed key generation.
> */
> /**
> * Signature for cooperatice decryption.
> */
> /**
> * Signature of a multicast request sent by a member.
> */
The value "21" is missing and "23" is defined twice. Is that on purpose
(due to some history I don't know) or a bug?
Thanks, Bernd.

+ 19
- 0
doc/reports/2018-07-11_EdDSA.txt View File

@ -0,0 +1,19 @@
The EdDSA signature implementation in GNUnet calls the 'gcry_pk_sign
(&sig, msg, prv)' function not with the message itself, but with the
SHA512 hash value of the message.
Due to the intricities of EdDSA signing this is not necessary (hashing
is done in the sign function itself, as more than just the message is
hashed for this).
Although the GNUnet approach is not breaking things technically, it
produces unnecesary load: It is running an extra SHA512 - and because
the signed message is usually rather small (from what I have seen until
now the signed data is smaller than the 64 bytes of a SHA512 result),
the sign functions even needs to hash more data than necessary.
I guess that changing the sign/verify procedure would break
compatibility between new and old nodes and is therefore not feasable. I
just want to mention this in case a major version change is considered.
Thanks for your attention, Bernd.

+ 68
- 0
doc/reports/2018-07-12_ECDSA.txt View File

@ -0,0 +1,68 @@
The ECC crypto schemes (in ./src/util) have three different "mechanisms"
(two for signatures and one for ECDHE key exchange): EdDSA, ECDSA and ECDHE.
I am fine with EdDSA (except for minor irritations), but would like to
comment on the other two:
Good, but it is used with curve Ed25519. The problem is that ECDHE
requires scalar multiplication of a point on the curve (that is not the
base point!) - and that functionality is not available in many Ed25519
implementations - they often only provide sign/verify operations.
A more natural choice for me would be ECDHE with Curve25519.
Interestingly in ./src/include/gnunet_crypto_lib.h (line 248) I read:
> /**
> * Public ECC key (always for Curve25519) encoded in a format suitable
> * for network transmission and encryption (ECDH),
> * See
> */
> struct GNUNET_CRYPTO_EcdhePublicKey
So it looks like that was the initial intention here too: Using ECDHE
with Curve25519. Unfortunately this is not what is implemented (see
./src/util/crypto_ecc.c (line 563):
> if (0 != (rc = gcry_sexp_build (&s_keyparam, NULL,
> "(genkey(ecc(curve \"" CURVE "\")"
> "(flags eddsa no-keytest)))")))
Does libgcrypt support Curve25519? If it does, a change here would be
rather straight-forward. As only ephemeral keys are involved, no side
effects on persistent information is to be expected.
One last question: Is it correct that an ephemeral key for ECDHE has a
lifetime of ~12h? Will all sessions between two peers use the same
shared secret for the time the two 12h periods overlap (between 6h and 12h)?
I also have some problems with this one - and it is used everywhere in
GNUnet for (user) identities (although not by the crypto used for secure
message exchange in sessions).
AFAIK is the choice of curve for ECDSA limited (NIST curves basically).
I think that is one of the reason we have EdDSA in the first place. But
maybe I am wrong here...
In ./src/include/gnunet_crypto_lib.h (line 248) I read:
> /**
> * Public ECC key (always for Curve25519) encoded in a format suitable
> * for network transmission and ECDSA signatures.
> */
> struct GNUNET_CRYPTO_EcdsaPublicKey
Maybe this is just a copy&paste effect, but it seems that the original
intention was to use Curve25519 - as for ECDHE. Because ECDSA would
require not only scalar multiplication of a curve point but also point
addition, implementors will run into the same problems as with ECDHE
Changing the code to really use Curve25519 would ease the pain
significantly. But if someone asks me, I would replace ECDSA with EdDSA

+ 103
- 0
doc/reports/2018-07-13_ECDSA-2.txt View File

@ -0,0 +1,103 @@
On 07/13/2018 12:31 PM, Christian Grothoff wrote:
> On 07/13/2018 12:33 AM, Bernd Fix wrote:
>> ECDHE: ------ Good, but it is used with curve Ed25519. The problem
>> is that ECDHE requires scalar multiplication of a point on the
>> curve (that is not the base point!) - and that functionality is
>> not available in many Ed25519 implementations - they often only
>> provide sign/verify operations.
>> A more natural choice for me would be ECDHE with Curve25519.
> EdDSA here does not refer to the actual EdDSA signature algorithm,
> but to the point compression algorithm which should be used by
> libgcrypt (see page 37,
My point was that EdDSA (and the flag "eddsa" used with gcrypt) refers
to and enforces the Ed25519 curve. For implementations not using gcrypt
that can be a problem as ECDHE requires operations on the curve (scalar
multiplication of a arbitrary point) that a lot of libraries do not
support. But I understand why that is not an issue for GNUnet itself.
> Now, I can see why you might argue that the resulting point should
> be in X25519 format for Curve25519, that would seem to require the
> 0x40 byte to explicitly request the algorithm's native compression
> method to be used. I don't mind changing the point format for the
> ECDHE case to X25519 (at a point where we break compatibility).
As you said: X25519 is based on Curve25519, not Ed25519 (although there
is a bijective mapping between them). And yes, I would "add/strip" the
compression indicator for points when retrieving/storing keys (so public
keys remain 256 bits in size and cause no alignment issues). But this
approach seems void given your next statement:
> Well, there is one tricky bit with that I forgot to point out in my
> previous message: we do use (rarely) the same point/key for both
> ECDHE and EdDSA (specifically, in Taler). Hence, here it is
> relevant to have the same public key representation across both
> schemes.
This constraint of course make things trickier, because that means we
are stuck in using Ed25519 for ECDHE. A possible solution (again: not
for GNUnet itself, but for implementators in general) for using Ed25519
points with ECDHE is to use the bijective mapping between Ed25519 and
Curve25519 and to do the ECDHE on Curve25519. Not nice probably, but
that could work.
>> ECDSA: ------ I also have some problems with this one - and it is
>> used everywhere in GNUnet for (user) identities (although not by
>> the crypto used for secure message exchange in sessions).
>> AFAIK is the choice of curve for ECDSA limited (NIST curves
>> basically). I think that is one of the reason we have EdDSA in the
>> first place. But maybe I am wrong here...
> You are. You can use Curve25519 with ECDSA, and that is what we do in
> GNUnet. No NIST curves to be found.
Well, ECDSA in GNUnet is used with Ed25519 (and not Curve25519). Even
the gcrypt manual
"Here is an example on how to create a key using curve Ed25519 with the
ECDSA signature algorithm. Note that the use of ECDSA with that curve is
in general not recommended."
Yes, you *can* use ECDSA with Ed25519 (gcrypt implements it) or
Curve25519, but to my knowledge both curve types (Montgomery/twisted
Edwards) are not *recommended* for ECDSA, which was designed with
Weierstrass curves in mind (but I am not so deep into ECC that I can
recall the exact security considerations leading to that statement - or
do you consider that statement incorrect?)
>> Changing the code to really use Curve25519 would ease the pain
>> significantly. But if someone asks me, I would replace ECDSA with
>> EdDSA completely...
> Please note that this is not so easy: we use ECDSA specifically
> because the following holds (needed for GNS):
> Suppose A := aG. Let b := xa for some random x. Then B := xaG.
> Now, suppose I give you my public key A and x. Now I can sign
> something with xa as the private key, and you can verify the
> signature using xA.
> EdDSA applies h(ax) to the private key, and this hashing destroys the
> (otherwise) linear relationship as with
> A := h(a)G, b := xa and B := h(xa)G
> no longer allows for xA = B (and also not h(x)A = B).
> Doing GNS-crypto (which is what we do with identities) thus would
> require you to re-implement parts of EdDSA to get past the 'h'
> application. Doable, but messy. So please make sure that if you do
> try to change this, that the GNS crypto is still 'happy'.
Let's assume ECDSA is used with Curve25519 (ignoring my previous
arguments against this). For me it then looks like all requirements for
GNS-crypto are also satisfied. So are there any other arguments to at
least switch ECDSA from Ed25519 to Curve25519?

+ 22
- 0
doc/reports/2018-07-13_ECDSA-3.txt View File

@ -0,0 +1,22 @@
On 07/13/2018 04:50 PM, Christian Grothoff wrote:
> On 07/13/2018 06:39 PM, Bernd Fix wrote:
>> This constraint of course make things trickier, because that means we
>> are stuck in using Ed25519 for ECDHE. A possible solution (again: not
>> for GNUnet itself, but for implementators in general) for using Ed25519
>> points with ECDHE is to use the bijective mapping between Ed25519 and
>> Curve25519 and to do the ECDHE on Curve25519. Not nice probably, but
>> that could work.
> Well, there is another possibility: simply have *two* versions of
> ECDHE/X25519: one for Taler where we mix it with EdDSA, and another one
> for GNUnet core/cadet KX where we do not rely on this property.
And maybe even a third one: I stumbled across an approach to use
Curve25519 keypairs for both ECDH and Ed25519 signatures
Would that be feasible also for Taler? Since Taler (afaik) relies on
some GNUnet mechanisms, it seems preferable not to introduce YACS (Yet
Another Crypto Scheme)...

+ 16
- 0
doc/reports/2018-07-13_ECDSA.txt View File

@ -0,0 +1,16 @@
I think that most problems mentioned in my previous post originate in
the '#define CURVE "Ed25519"' statement at curve_ecc.c:37. All key
parameter definitions (EdDSA, ECDSA and ECDHE) use that value leading to
the described problems. I think that the curve key parameter needs to be
set individually for each purpose.
I have created a new branch "new_crypto" to collect the changes I see
fit for the EC crypto stuff. I hope to be able to push it later today
(if not, I will not be able to do so before next Wednesday).
As more changes in crypto are pending (iirc it was mentioned that the
timestamp will be removed from the HMAC computation), we could collect
these changes in that new branch.
Any suggestions or comments?

+ 2
- 0
doc/reports/pending View File

@ -0,0 +1,2 @@

+ 12
- 0
doc/specification/.gitignore View File

@ -0,0 +1,12 @@

+ 7
- 0
doc/specification/chapters/messages.texi View File

@ -0,0 +1,7 @@
@node Messages
@chapter Messages
@c *********************************************************************
@include chapters/messages/transport.texi
@c *********************************************************************

+ 47
- 0
doc/specification/chapters/messages/transport.texi View File

@ -0,0 +1,47 @@
@node Transport
@section Transport
@emph{Transport} in this chapter refers to the transport of GNUnet messages
as sent and received by the various subsystems of GNUnet (like DHT, NSE, FS,
GNS, ...) between peers in the P2P network. For the purpose of this chapter
such a message `M` is treated as a binary object of size `m` (in bytes).
Every node (peer) in GNUnet is identified by the hash codes of its public key.
@table @samp
@item StartMessage
Message from the transport service to the library asking to check if both
processes agree about this peers identity.
| msg_size | msg_type | options |
| |
+ +
| |
+ peer_identity +
| |
+ +
| |
@end example
@item @samp{msg_size}
uint16: size of the message = 40 bytes
@item @samp{msg_type}
@item @samp{peer_identity}
Identity we think we have. If it does not match, the receiver should
print out an error message and disconnect.
@end itemize
@end table

+ 4
- 0
doc/specification/chapters/overview.texi View File

@ -0,0 +1,4 @@
@node Overview
@chapter Overview

+ 31
- 0
doc/specification/chapters/services.texi View File

@ -0,0 +1,31 @@
@node Services
@chapter Services
A GNUnet instance running on one node is an assembly of services that exchange
messages (see Chapter "Messages" for details) -- among themselves and with
services running on other nodes.
GNUnet services on a node usually utilize other, more basic GNUnet services
to provide their functionality. The following graph shows the dependencies
and message channels between the most basic GNUnet services:
@float GNUnet services
@end float
@node Mandatory services for a GNUnet node
@section Mandatory services for a GNUnet node
The services marked with a background color in the above figure comprise the
smallest set of services a node must provide to be useful for the network --
even if it is only providing a simple DHT storage service. These mandatory
services are:
@c *********************************************************************
@include chapters/services/core.texi
@c *********************************************************************
@c *********************************************************************
@include chapters/services/transport.texi
@c *********************************************************************

+ 63
- 0
doc/specification/chapters/services/core.texi View File

@ -0,0 +1,63 @@
@subsection CORE
One of the most important services in GNUnet is the CORE service managing
connections and handling encryption between peers.
Every peer has a private (secret) key and an associated public key for the
Ed25519 signature scheme (see @url{}); this keypair
is usually created if a GNUnet instance is started for the first time. The
keypair is unique, so the Ed25519 public key (32 octets in standard compact
format) serves as a GNUnet @dfn{peer identity}.
A @dfn{connection} is a bi-directional channel suitable for message exchange
between two peers. The connection uses a specific transport method (e.g.
TCP/IP) available on both end-points. The TRANSPORT service is creating,
processing and dropping connections to other peers on behalf of CORE.
The CORE service will try to maintain a certain number of open connections to
other peers; this number depends on the estimated size (number of participants)
of the network as determined by the NSE service (Network Size Estimation). If
@math{s} is the size of the network, than the number of concurrent connections
is @math{ n = \lceil log_2\;s \rceil}.
To connect to the network, a peer needs to learn about the identities of other
peers on the network. This is done by providing a single (active) peer identity
(and its addresses) at start-up; in the course of exchanging messages with this
peer CORE will discover the identities of other nodes it can try connect to.
CORE will maintain a persistent database of node identities it has discovered
(and probably has been connected to).
A node publishes its identity and addresses (initially and in case of address
changes) in the DHT, so other nodes can look it up and connect to it if
desired. In the same way CORE uses the DHT to lookup addresses of peers (based
on their identity) it want to establish a connection with.
After a connection is established, the peers will start exchanging messages
over it.
Out-bound GNUnet messages (originating from local GNUnet services including
CORE itself) are queued for further processing. CORE decides if and when a message is to be sent to
another peer. Based on the maximum size of the out-bound transport packet (MTU, depends
on the transport method used), it can either bundle smaller GNUnet messages
into a single transport packet, or create a sequence of fragments from a single
GNUnet message, in case the GNUnet message is larger than a transport
packet. If the GNUnet message(s) do not fill a transport packet completely,
the transport packet is padded with random data to its maximum size. A
transport packet is than encrypted with a session key negotiated between the
two peers during the creation of a connection (see section on "Packet
encryption") before leaving the peer.
In-bound transport packets are first decrypted and than either split into
multiple GNUnet messages or defragmented (reassembled) in case of a large
GNUnet message. The received messages are either processed by CORE itself, are
forwarded to local GNUnet services or relayed to other peers. Messages that
cannot be handled (e.g. because a local service is temporarily unavailable)
are simply dropped.
@subsubsection Cryptographic operations
@subsubsection GNUnet Anonymization Protocol
The protocol governing this process is the GNUnet Anonymization Protocol (GAP)
(see @url{,,paper}).

doc/specification/chapters/services/services-01.dia View File

doc/specification/chapters/services/services-01.png View File

Before After
Width: 1878  |  Height: 2048  |  Size: 82 KiB

+ 25
- 0
doc/specification/chapters/services/transport.texi View File

@ -0,0 +1,25 @@
@subsection TRANSPORT
The TRANSPORT service handles all message exchanges between a local peer and
other peers on the network. It can -- depending on the computer hardware it
is running on -- support multiple transport methods between peers: TCP/IP,
UDP/IP, ICMP, HTTP, Bluetooth, WiFi and others.
Each transport method has its unique way of specifying a peer address; TCP/IP
expects an IP address and a port number, while HTTP expects an URL. So a
single peer can have multiple addresses (one for each available transport
method). CORE links all these addresses to one peer identity. While a peer
address can (and often do) change over time, the peer identity is fixed.
The TRANSPORT service establishes, maintains, processes and drops connections
with other peers on request of the CORE service. If a new connection to a peer
identity is requested, the ATS (Automatic Transport Selection) decides which
available transport method should be used. To improve performance and
reliability, multiple channels on different transport methods can be created
between two peers at the same time; the sender sends the next message on the
channel with the best throughput.
Connection requests from other peers can be filtered by the TRANSPORT service
(e.g. by implementing a black-list of banned peers), all other requests are
forwarded to the CORE service for validation and approval.

+ 505
- 0
doc/specification/fdl-1.3.texi View File

@ -0,0 +1,505 @@
@c The GNU Free Documentation License.
@center Version 1.3, 3 November 2008
@c This file is intended to be included within another document,
@c hence no sectioning command or @node.
Copyright @copyright{} 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
@end display
@enumerate 0
The purpose of this License is to make a manual, textbook, or other
functional and useful document @dfn{free} in the sense of freedom: to
assure everyone the effective freedom to copy and redistribute it,
with or without modifying it, either commercially or noncommercially.
Secondarily, this License preserves for the author and publisher a way
to get credit for their work, while not being considered responsible
for modifications made by others.
This License is a kind of ``copyleft'', which means that derivative
works of the document must themselves be free in the same sense. It
complements the GNU General Public License, which is a copyleft
license designed for free software.
We have designed this License in order to use it for manuals for free
software, because free software needs free documentation: a free
program should come with manuals providing the same freedoms that the
software does. But this License is not limited to software manuals;
it can be used for any textual work, regardless of subject matter or
whether it is published as a printed book. We recommend this License
principally for works whose purpose is instruction or reference.
This License applies to any manual or other work, in any medium, that
contains a notice placed by the copyright holder saying it can be
distributed under the terms of this License. Such a notice grants a
world-wide, royalty-free license, unlimited in duration, to use that
work under the conditions stated herein. The ``Document'', below,
refers to any such manual or work. Any member of the public is a
licensee, and is addressed as ``you''. You accept the license if you
copy, modify or distribute the work in a way requiring permission
under copyright law.
A ``Modified Version'' of the Document means any work containing the
Document or a portion of it, either copied verbatim, or with
modifications and/or translated into another language.
A ``Secondary Section'' is a named appendix or a front-matter section
of the Document that deals exclusively with the relationship of the
publishers or authors of the Document to the Document's overall
subject (or to related matters) and contains nothing that could fall
directly within that overall subject. (Thus, if the Document is in
part a textbook of mathematics, a Secondary Section may not explain
any mathematics.) The relationship could be a matter of historical
connection with the subject or with related matters, or of legal,
commercial, philosophical, ethical or political position regarding
The ``Invariant Sections'' are certain Secondary Sections whose titles
are designated, as being those of Invariant Sections, in the notice
that says that the Document is released under this License. If a
section does not fit the above definition of Secondary then it is not
allowed to be designated as Invariant. The Document may contain zero
Invariant Sections. If the Document does not identify any Invariant
Sections then there are none.
The ``Cover Texts'' are certain short passages of text that are listed,
as Front-Cover Texts or Back-Cover Texts, in the notice that says that
the Document is released under this License. A Front-Cover Text may
be at most 5 words, and a Back-Cover Text may be at most 25 words.
A ``Transparent'' copy of the Document means a machine-readable copy,
represented in a format whose specification is available to the
general public, that is suitable for revising the document
straightforwardly with generic text editors or (for images composed of
pixels) generic paint programs or (for drawings) some widely available
drawing editor, and that is suitable for input to text formatters or
for automatic translation to a variety of formats suitable for input
to text formatters. A copy made in an otherwise Transparent file
format whose markup, or absence of markup, has been arranged to thwart
or discourage subsequent modification by readers is not Transparent.
An image format is not Transparent if used for any substantial amount
of text. A copy that is not ``Transparent'' is called ``Opaque''.
Examples of suitable formats for Transparent copies include plain
ASCII without markup, Texinfo input format, La@TeX{} input
format, SGML or XML using a publicly available
DTD, and standard-conforming simple HTML,
PostScript or PDF designed for human modification. Examples
of transparent image formats include PNG, XCF and
JPG. Opaque formats include proprietary formats that can be
read and edited only by proprietary word processors, SGML or
XML for which the DTD and/or processing tools are
not generally available, and the machine-generated HTML,
PostScript or PDF produced by some word processors for
output purposes only.
The ``Title Page'' means, for a printed book, the title page itself,
plus such following pages as are needed to hold, legibly, the material
this License requires to appear in the title page. For works in
formats which do not have any title page as such, ``Title Page'' means
the text near the most prominent appearance of the work's title,
preceding the beginning of the body of the text.
The ``publisher'' means any person or entity that distributes copies
of the Document to the public.
A section ``Entitled XYZ'' means a named subunit of the Document whose
title either is precisely XYZ or contains XYZ in parentheses following
text that translates XYZ in another language. (Here XYZ stands for a
specific section name mentioned below, such as ``Acknowledgements'',
``Dedications'', ``Endorsements'', or ``History''.) To ``Preserve the Title''
of such a section when you modify the Document means that it remains a
section ``Entitled XYZ'' according to this definition.
The Document may include Warranty Disclaimers next to the notice which
states that this License applies to the Document. These Warranty
Disclaimers are considered to be included by reference in this
License, but only as regards disclaiming warranties: any other
implication that these Warranty Disclaimers may have is void and has
no effect on the meaning of this License.
You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the
copyright notices, and the license notice saying this License applies
to the Document are reproduced in all copies, and that you add no other
conditions whatsoever to those of this License. You may not use
technical measures to obstruct or control the reading or further
copying of the copies you make or distribute. However, you may accept
compensation in exchange for copies. If you distribute a large enough
number of copies you must also follow the conditions in section 3.
You may also lend copies, under the same conditions stated above, and
you may publicly display copies.
If you publish printed copies (or copies in media that commonly have
printed covers) of the Document, numbering more than 100, and the
Document's license notice requires Cover Texts, you must enclose the
copies in covers that carry, clearly and legibly, all these Cover
Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on
the back cover. Both covers must also clearly and legibly identify
you as the publisher of these copies. The front cover must present
the full title with all words of the title equally prominent and
visible. You may add other material on the covers in addition.
Copying with changes limited to the covers, as long as they preserve
the title of the Document and satisfy these conditions, can be treated
as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit
legibly, you should put the first ones listed (as many as fit
reasonably) on the actual cover, and continue the rest onto adjacent
If you publish or distribute Opaque copies of the Document numbering
more than 100, you must either include a machine-readable Transparent
copy along with each Opaque copy, or state in or with each Opaque copy
a computer-network location from which the general network-using
public has access to download using public-standard network protocols
a complete Transparent copy of the Document, free of added material.
If you use the latter option, you must take reasonably prudent steps,
when you begin distribution of Opaque copies in quantity, to ensure
that this Transparent copy will remain thus accessible at the stated
location until at least one year after the last time you distribute an
Opaque copy (directly or through your agents or retailers) of that
edition to the public.
It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give
them a chance to provide you with an updated version of the Document.
You may copy and distribute a Modified Version of the Document under
the conditions of sections 2 and 3 above, provided that you release
the Modified Version under precisely this License, with the Modified
Version filling the role of the Document, thus licensing distribution
and modification of the Modified Version to whoever possesses a copy
of it. In addition, you must do these things in the Modified Version:
@enumerate A
Use in the Title Page (and on the covers, if any) a title distinct
from that of the Document, and from those of previous versions
(which should, if there were any, be listed in the History section
of the Document). You may use the same title as a previous version
if the original publisher of that version gives permission.
List on the Title Page, as authors, one or more persons or entities
responsible for authorship of the modifications in the Modified
Version, together with at least five of the principal authors of the
Document (all of its principal authors, if it has fewer than five),
unless they release you from this requirement.
State on the Title page the name of the publisher of the
Modified Version, as the publisher.
Preserve all the copyright notices of the Document.
Add an appropriate copyright notice for your modifications
adjacent to the other copyright notices.
Include, immediately after the copyright notices, a license notice
giving the public permission to use the Modified Version under the
terms of this License, in the form shown in the Addendum below.
Preserve in that license notice the full lists of Invariant Sections
and required Cover Texts given in the Document's license notice.
Include an unaltered copy of this License.
Preserve the section Entitled ``History'', Preserve its Title, and add
to it an item stating at least the title, year, new authors, and
publisher of the Modified Version as given on the Title Page. If
there is no section Entitled ``History'' in the Document, create one
stating the title, year, authors, and publisher of the Document as
given on its Title Page, then add an item describing the Modified
Version as stated in the previous sentence.
Preserve the network location, if any, given in the Document for
public access to a Transparent copy of the Document, and likewise
the network locations given in the Document for previous versions
it was based on. These may be placed in the ``History'' section.
You may omit a network location for a work that was published at
least four years before the Document itself, or if the original
publisher of the version it refers to gives permission.
For any section Entitled ``Acknowledgements'' or ``Dedications'', Preserve
the Title of the section, and preserve in the section all the
substance and tone of each of the contributor acknowledgements and/or
dedications given therein.
Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers
or the equivalent are not considered part of the section titles.
Delete any section Entitled ``Endorsements''. Such a section
may not be included in the Modified Version.
Do not retitle any existing section to be Entitled ``Endorsements'' or
to conflict in title with any Invariant Section.
Preserve any Warranty Disclaimers.
@end enumerate
If the Modified Version includes new front-matter sections or
appendices that qualify as Secondary Sections and contain no material
copied from the Document, you may at your option designate some or all
of these sections as invariant. To do this, add their titles to the
list of Invariant Sections in the Modified Version's license notice.
These titles must be distinct from any other section titles.
You may add a section Entitled ``Endorsements'', provided it contains
nothing but endorsements of your Modified Version by various
parties---for example, statements of peer review or that the text has
been approved by an organization as the authoritative definition of a
You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list
of Cover Texts in the Modified Version. Only one passage of
Front-Cover Text and one of Back-Cover Text may be added by (or
through arrangements made by) any one entity. If the Document already
includes a cover text for the same cover, previously added by you or
by arrangement made by the same entity you are acting on behalf of,
you may not add another; but you may replace the old one, on explicit
permission from the previous publisher that added the old one.
The author(s) and publisher(s) of the Document do not by this License
give permission to use their names for publicity for or to assert or
imply endorsement of any Modified Version.
You may combine the Document with other documents released under this
License, under the terms defined in section 4 above for modified
versions, provided that you include in the combination all of the
Invariant Sections of all of the original documents, unmodified, and
list them all as Invariant Sections of your combined work in its
license notice, and that you preserve all their Warranty Disclaimers.
The combined work need only contain one copy of this License, and
multiple identical Invariant Sections may be replaced with a single
copy. If there are multiple Invariant Sections with the same name but
different contents, make the title of each such section unique by
adding at the end of it, in parentheses, the name of the original
author or publisher of that section if known, or else a unique number.
Make the same adjustment to the section titles in the list of
Invariant Sections in the license notice of the combined work.
In the combination, you must combine any sections Entitled ``History''
in the various original documents, forming one section Entitled
``History''; likewise combine any sections Entitled ``Acknowledgements'',
and any sections Entitled ``Dedications''. You must delete all
sections Entitled ``Endorsements.''
You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this
License in the various documents with a single copy that is included in
the collection, provided that you follow the rules of this License for
verbatim copying of each of the documents in all other respects.
You may extract a single document from such a collection, and distribute
it individually under this License, provided you insert a copy of this
License into the extracted document, and follow this License in all
other respects regarding verbatim copying of that document.
A compilation of the Document or its derivatives with other separate
and independent documents or works, in or on a volume of a storage or
distribution medium, is called an ``aggregate'' if the copyright
resulting from the compilation is not used to limit the legal rights
of the compilation's users beyond what the individual works permit.
When the Document is included in an aggregate, this License does not
apply to the other works in the aggregate which are not themselves
derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these
copies of the Document, then if the Document is less than one half of
the entire aggregate, the Document's Cover Texts may be placed on
covers that bracket the Document within the aggregate, or the
electronic equivalent of covers if the Document is in electronic form.
Otherwise they must appear on printed covers that bracket the whole
Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of section 4.
Replacing Invariant Sections with translations requires special
permission from their copyright holders, but you may include
translations of some or all Invariant Sections in addition to the
original versions of these Invariant Sections. You may include a
translation of this License, and all the license notices in the
Document, and any Warranty Disclaimers, provided that you also include
the original English version of this License and the original versions
of those notices and disclaimers. In case of a disagreement between
the translation and the original version of this License or a notice
or disclaimer, the original version will prevail.
If a section in the Document is Entitled ``Acknowledgements'',
``Dedications'', or ``History'', the requirement (section 4) to Preserve
its Title (section 1) will typically require changing the actual
You may not copy, modify, sublicense, or distribute the Document
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense, or distribute it is void, and
will automatically terminate your rights under this License.
However, if you cease all violation of this License, then your license
from a particular copyright holder is reinstated (a) provisionally,
unless and until the copyright holder explicitly and finally
terminates your license, and (b) permanently, if the copyright holder
fails to notify you of the violation by some reasonable means prior to
60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, receipt of a copy of some or all of the same material does
not give you any rights to use it.
The Free Software Foundation may publish new, revised versions
of the GNU Free Documentation License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns. See
Each version of the License is given a distinguishing version number.
If the Document specifies that a particular numbered version of this
License ``or any later version'' applies to it, you have the option of
following the terms and conditions either of that specified version or
of any later version that has been published (not as a draft) by the
Free Software Foundation. If the Document does not specify a version
number of this License, you may choose any version ever published (not
as a draft) by the Free Software Foundation. If the Document
specifies that a proxy can decide which future versions of this
License can be used, that proxy's public statement of acceptance of a
version permanently authorizes you to choose that version for the
``Massive Multiauthor Collaboration Site'' (or ``MMC Site'') means any
World Wide Web server that publishes copyrightable works and also
provides prominent facilities for anybody to edit those works. A
public wiki that anybody can edit is an example of such a server. A
``Massive Multiauthor Collaboration'' (or ``MMC'') contained in the
site means any set of copyrightable works thus published on the MMC
``CC-BY-SA'' means the Creative Commons Attribution-Share Alike 3.0
license published by Creative Commons Corporation, a not-for-profit
corporation with a principal place of business in San Francisco,
California, as well as future copyleft versions of that license
published by that same organization.
``Incorporate'' means to publish or republish a Document, in whole or
in part, as part of another Document.
An MMC is ``eligible for relicensing'' if it is licensed under this
License, and if all works that were first published under this License
somewhere other than this MMC, and subsequently incorporated in whole
or in part into the MMC, (1) had no cover texts or invariant sections,
and (2) were thus incorporated prior to November 1, 2008.
The operator of an MMC Site may republish an MMC contained in the site
under CC-BY-SA on the same site at any time before August 1, 2009,
provided the MMC is eligible for relicensing.
@end enumerate
@heading ADDENDUM: How to use this License for your documents
To use this License in a document you have written, include a copy of
the License in the document and put the following copyright and
license notices just after the title page:
Copyright (C) @var{year} @var{your name}.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is included in the section entitled ``GNU
Free Documentation License''.
@end group
@end smallexample
If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts,
replace the ``with@dots{}Texts.''@: line with this:
with the Invariant Sections being @var{list their titles}, with
the Front-Cover Texts being @var{list}, and with the Back-Cover Texts
being @var{list}.
@end group
@end smallexample
If you have Invariant Sections without Cover Texts, or some other
combination of the three, merge those two alternatives to suit the
If your document contains nontrivial examples of program code, we
recommend releasing these examples in parallel under your choice of
free software license, such as the GNU General Public License,
to permit their use in free software.
@c Local Variables:
@c ispell-local-pdict: "ispell-dict"
@c End:

+ 717
- 0
doc/specification/gpl-3.0.texi View File

@ -0,0 +1,717 @@
@c The GNU General Public License.
@center Version 3, 29 June 2007
@c This file is intended to be included within another document,
@c hence no sectioning command or @node.
Copyright @copyright{} 2007 Free Software Foundation, Inc. @url{}
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
@end display
@heading Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom
to share and change all versions of a program---to make sure it remains
free software for all its users. We, the Free Software Foundation,
use the GNU General Public License for most of our software; it
applies also to any other work released this way by its authors. You
can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you
have certain responsibilities if you distribute copies of the
software, or if you modify it: responsibilities to respect the freedom
of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too,
receive or can get the source code. And you must show them these
terms so they know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the
manufacturer can do so. This is fundamentally incompatible with the
aim of protecting users' freedom to change the software. The
systematic pattern of such abuse occurs in the area of products for
individuals to use, which is precisely where it is most unacceptable.
Therefore, we have designed this version of the GPL to prohibit the
practice for those products. If such problems arise substantially in
other domains, we stand ready to extend this provision to those
domains in future versions of the GPL, as needed to protect the
freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish
to avoid the special danger that patents applied to a free program
could make it effectively proprietary. To prevent this, the GPL
assures that patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
@enumerate 0
@item Definitions.
``This License'' refers to version 3 of the GNU General Public License.
``Copyright'' also means copyright-like laws that apply to other kinds
of works, such as semiconductor masks.
``The Program'' refers to any copyrightable work licensed under this
License. Each licensee is addressed as ``you''. ``Licensees'' and
``recipients'' may be individuals or organizations.
To ``modify'' a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of
an exact copy. The resulting work is called a ``modified version'' of
the earlier work or a work ``based on'' the earlier work.
A ``covered work'' means either the unmodified Program or a work based
on the Program.
To ``propagate'' a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To ``convey'' a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user
through a computer network, with no transfer of a copy, is not
An interactive user interface displays ``Appropriate Legal Notices'' to
the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
@item Source Code.
The ``source code'' for a work means the preferred form of the work for
making modifications to it. ``Object code'' means any non-source form
of a work.
A ``Standard Interface'' means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The ``System Libraries'' of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
``Major Component'', in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The ``Corresponding Source'' for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users can
regenerate automatically from other parts of the Corresponding Source.
The Corresponding Source for a work in source code form is that same
@item Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not convey,
without conditions so long as your license otherwise remains in force.
You may convey covered works to others for the sole purpose of having
them make modifications exclusively for you, or provide you with
facilities for running those works, provided that you comply with the
terms of this License in conveying all material for which you do not
control copyright. Those thus making or running the covered works for
you must do so exclusively on your behalf, under your direction and