
UFTP - Encrypted UDP based FTP with multicast


1. Introduction

A UFTP session consists of 3 main phases: The Announce/Register phase, the
File Transfer phase, and the Completion/Confirmation phase.  The File Transfer
phase additionally consists of the File Info phase and the Data Transfer phase
for each file sent.

The Announce/Register phase sets up the multicast file transfer session and
negotiates all encryption parameters.  The server sends out an announcement
over a public multicast address which the clients are expected to be listening
on.  All subsequent messages from the server go over a private multicast
address specified in the announcement.  Allowed clients send a registration to
respond to the announcement.  The server will then send either a confirmation
message if encryption is disabled, or the encryption keys for the
session if encryption is enabled.  If the client receives the encryption keys,
it sends an acknowledgment back to the server.

The File Transfer phase starts with the File Info phase for the first file to
send.  The server sends a message describing the file in question.  Besides
the name and size of the file, this message describes how the file will be
broken down.  A file is divided into a number of blocks, and these blocks are
grouped into sections.  A block is a piece of the file that is sent in a
single packet.  A section is a grouping of blocks that can be sent together
before the server needs to request feedback from the clients.  The total
number of blocks and sections is included in this message.

Continuing the File Transfer phase is the Data Transfer phase for the first
file.  Data packets, each of which is a block, are sent by the server at a
rate specified by the user. Because UDP does not guarantee that packets will
arrive in order, each block is numbered so the client can properly reassemble
the file.  When the server finishes a section, it send a message to the
clients requesting status.  The clients then send back a status message
containing the list of NAKs (negative acknowledgments) for the blocks in that
section.  Once all sections have been sent, if the server has received a
non-zero number of NAKs from any client, the server will begin a second pass of
the data, this time only sending the packets that were NAKed.  The server will
continue with subsequent passes of the data until all clients have either
received the file or have timed out while the server was waiting for a status
message.  When a client has received the entire file, it sends a completion
message in response to the next status request.
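The section/NAK/pass loop just described, as an added simulation that is not part of the UFTP code or this document: one server, one client, a file split into numbered blocks and fixed-size sections, and a constructed packet-loss pattern keyed by pass number. The helper names and the loss model are this example's own assumptions.

```python
# Added example (not UFTP project code): a small simulation of the
# section / NAK / pass loop described above, for one server and one client.
# The packet-loss pattern is constructed; nothing here touches the network.


def split_sections(block_count, section_size):
    """Group block numbers 0..block_count-1 into sections of section_size blocks."""
    return [list(range(start, min(start + section_size, block_count)))
            for start in range(0, block_count, section_size)]


def run_transfer(block_count, section_size, drops, max_passes=10):
    """Run passes of the data until the client holds every block.

    drops maps a pass number (1-based) to the set of block numbers the
    network loses during that pass.  Returns (passes_used, nak_history)
    where nak_history[p][s] is the NAK list the client reported for
    section s after pass p+1.  Raises RuntimeError when max_passes is
    exhausted, standing in for the server's status-wait timeout.
    """
    sections = split_sections(block_count, section_size)
    received = set()
    outstanding = set(range(block_count))   # first pass sends every block
    nak_history = []
    for pass_no in range(1, max_passes + 1):
        lost = drops.get(pass_no, set())
        naks_this_pass = []
        for section in sections:
            # Server sends only the blocks still outstanding in this section;
            # each block is its own numbered packet, so arrival order is irrelevant.
            for block in section:
                if block in outstanding and block not in lost:
                    received.add(block)
            # DONE -> STATUS: client NAKs every block of the section it lacks.
            naks_this_pass.append([b for b in section if b not in received])
        nak_history.append(naks_this_pass)
        outstanding = {b for naks in naks_this_pass for b in naks}
        if not outstanding:
            return pass_no, nak_history   # client answers the next DONE with COMPLETE
    raise RuntimeError("client never received all blocks within max_passes")


if __name__ == "__main__":
    passes, history = run_transfer(10, 4, {1: {2, 5, 9}, 2: {5}})
    print("passes:", passes)
    for p, naks in enumerate(history, 1):
        print(" pass", p, "NAKs per section:", naks)
```

With ten blocks in sections of four and blocks 2, 5 and 9 lost on the first pass and block 5 lost again on the second, the transfer completes on the third pass; a block that is lost on every pass ends in the timeout branch.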

The File Info phase and the Data Transfer phase are then repeated for each
file to be sent during the session.

The Completion/Confirmation phase shuts down the session between the server
and clients.  It starts with a message from the server indicating the end of
the session.  The clients then respond with a completion message, and the
server responds to each completion with a confirmation message.


2. Definitions

Server: A process run on demand that sends one or more files.

Client: Daemon process that receives files.

Public multicast address: A multicast address that a client or proxy expects
    to receive announcements from a server on.

Private multicast address: Specified by the server when a session is
    initiated.  All traffic from the server other than announcements are
    sent to this address.

Proxy: Daemon process that relays UFTP traffic between servers and clients.

Server proxy: A proxy, typically local to a server, that forms the upstream
    end of a multicast tunnel.  It listens on the public multicast address
    (and private multicast address when specified) and forwards downstream
    packets to a specific address downstream.  Upstream packets are forwarded
    back where the announcement originated from.

Client proxy: A proxy, typically local to one or more clients, that forms the
    downstream end of a multicast tunnel.  It receives unicast data from one
    or more server proxies and forwards downstream traffic to the multicast
    address specified in the packet header.  Upstream traffic from clients
    is gathered and forwarded back where the announcement came from as an
    aggregated response.

Response proxy: A proxy that functions as a response aggregator in situations
    where the server has direct multicast accessibility to clients but the
    number of clients is too high for the server to handle itself.  It
    listens on the public multicast address (and private multicast address
    when specified), but does not forward packets from the server since those
    packets reach clients directly.  It does however send some messages
    directly to clients in the process of establishing encryption keys.
    Upstream traffic from clients is gathered and forwarded back where the
    announcement came from as an aggregated response.  Clients in this
    environment are configured to send all responses to a specific response
    proxy.  Messages sent directly from response proxies to clients use
    multicast (either the primary public address, or the private address,
    depending on the message).

Block: A piece of a file to be sent in a single packet.

Section: A grouping of blocks.  A section of blocks is the most the server can
    send before requesting status from a client.  A client can send back a
    single status message to represent the NAKs for an entire section.


3. Encryption Setup

The encryption protocol borrows from TLS (RFC5246), DTLS (RFC4347) and
MIKEY (RFC3830).  Due to the large amount of traffic that may be generated
while communicating with a large number of clients, the required messages are
made as small as possible and integrated into the original UFTP messaging
structure to minimize the amount of traffic in the setup phase.

Valid block encryption algorithms are DES-CBC, 3 key Triple DES-CBC,
AES-128-CBC, and AES-256-CBC.  While AES is more secure and therefore
preferred, DES and Triple DES are supported for environments where AES is
not available.

For the block encryption algorithm chosen, there are:

encryption_key_length
IV_length

For each message to be encrypted, an IV must be generated as follows:

For a 128-bit IV:

IV = S XOR (group_ID + IP + T)

For a 64-bit IV:

IV = S XOR (group_ID + IP) XOR T

where group_ID is the group ID, T is the 64-bit UNIX timestamp (32-bit seconds
followed by 32-bit microseconds since the UNIX epoch of 1/1/1970 00:00:00 UTC),
IP is the IP address of the message sender, and S is a salt of size IV_length,
derived below.
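The two IV formulas above, carried out in code as an added example (not code from the UFTP project or this document). It reads "+" as byte concatenation, as the handshake hashes in this section do, takes the sender address as IPv4 (the header's Source Address field is 32 bits), and uses a constructed salt and timestamp; the function names are this example's own.

```python
import struct


def ip_to_bytes(ip):
    """IPv4 dotted-quad string to its 4 network-order bytes (IPv4 assumed,
    matching the 32-bit Source Address field of the UFTP header)."""
    return bytes(int(octet) for octet in ip.split("."))


def uftp_iv(salt, group_id, sender_ip, t_sec, t_usec):
    """Derive the IV for one message from the salt S and the message's
    group ID, sender IP and 64-bit timestamp, per the formulas above.

    salt          -- S, IV_length (8 or 16) bytes taken from the key block
    group_id      -- 32-bit group ID from the UFTP header
    sender_ip     -- the address placed in srcaddr, as a dotted-quad string
    t_sec, t_usec -- the timestamp carried in the ENCRYPTED message
    """
    gid = struct.pack(">I", group_id)
    ip = ip_to_bytes(sender_ip)
    t = struct.pack(">II", t_sec, t_usec)          # 32-bit seconds, 32-bit usec
    if len(salt) == 16:                            # AES: IV = S XOR (group_ID + IP + T)
        material = gid + ip + t
    elif len(salt) == 8:                           # DES/3DES: IV = S XOR (group_ID + IP) XOR T
        material = bytes(a ^ b for a, b in zip(gid + ip, t))
    else:
        raise ValueError("salt must be IV_length bytes: 8 or 16")
    return bytes(s ^ m for s, m in zip(salt, material))


def iv_is_fresh(seen, iv):
    """Record an IV and report whether it was already used under this salt.
    CBC IVs must not repeat under one key, so a sender that stamps two
    messages with the same microsecond would reuse an IV; a check like this
    makes that failure visible during testing."""
    if iv in seen:
        return False
    seen.add(iv)
    return True


if __name__ == "__main__":
    # constructed sample values: salt 00..0f, group ID 0x01020304, sender 10.0.0.1
    salt = bytes(range(16))
    print(uftp_iv(salt, 0x01020304, "10.0.0.1", 0x10, 0x20).hex())
    print(uftp_iv(bytes(range(8)), 0x01020304, "10.0.0.1", 0x10, 0x20).hex())
```

Note that everything in the IV other than S travels in the clear, so the secrecy of the IV rests on the salt; what the timestamp contributes is uniqueness across the messages one sender encrypts under the same key.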

Valid hash algorithms are SHA-1, and SHA-256.  While SHA-256 is preferred,
SHA-1 is supported for environments where SHA-256 is not available.

For the hash algorithm chosen, there is:

hash_length

The server has the option to use either a symmetric key HMAC or RSA signatures
for authentication of encrypted messages.  HMAC is smaller and faster, while
RSA protects against attacks from within the group.  When using RSA signatures,
to maintain identical block sizes between FILESEG and STATUS messages, all
clients MUST use a key the same length as the server.  Clients may maintain
multiple private keys of differing lengths to accommodate different servers.

In the ANNOUNCE message, the server sends a random number and its RSA public
key.  The random number is 32 bytes, with the first 4 being the current time
in the standard UNIX time format, and the remaining 28 generated by a secure
random number generator.  Each client then sends in the REGISTER its own random
number, constructed identically to the server's, and a 48 byte premaster secret
key encrypted with the server's public key.  The premaster secret consists of 1
byte for the client's version and the remaining 47 chosen by a secure random
number generator.  The client may also send a CLIENT_KEY message at this time.
This message is required if the server requests either RSA signatures or
simply to authenticate the client.  This message also contains a signature
(using the client's RSA key) of the hash of:

group ID + private address + server random + client random + premaster secret

The server and each client calculates a 48 byte master secret as follows:

master_secret = PRF(pre_master_secret, "master secret",
                          server_random + client_random)[0-47]

When SHA-1 is the selected hash, the pseudo-random function (PRF) is as defined
in TLS 1.1 (RFC4346) which uses a SHA1/MD5 combination.  Otherwise, the
pseudo-random function (PRF) is as defined in TLS 1.2 (RFC5246) using the
server selected hash function.

Using the master secret, a key block is generated:

key_block = PRF(master_secret, "key expansion",
                      server_random +
                      client_random);

From the key block, the first hash_length bytes comprise the HMAC key,
the next encryption_key_length bytes comprise the session key, and the
next IV_length bytes comprise the salt from which session IVs are derived.
Currently, the HMAC key based on the master secret between the server and a
particular client is not used, but the key material is generated anyway to be
consistent with key expansion of the group key and as a hedge in case it could
be used in a future release.

After receiving the REGISTER the server sends a KEYINFO message containing
the group master key encrypted with the session key for the client, along
with a 64-bit UNIX timestamp.  A KEYINFO can contain the group key encrypted
multiple times, with each one encrypted with a different client's session
key and grouped with the IP address of the client.  The group master key
is chosen by the server.  It is 48 bytes, with the first byte being the
server version and the remaining 47 bytes chosen by a secure random number
generator.  To save bandwidth, only the 47 random bytes are encrypted.  Given
the block size of the supported ciphers of 8 or 16, this results in the
encrypted key being 48 bytes (instead of 64, if 48 bytes were encrypted).  The
other byte can be derived from the version of the KEYINFO message.

From the group master key, a key block is generated as follows:

key_block = PRF(group_master, "key expansion", server_random);

From the key block, the first hash_length bytes comprise the group HMAC key,
the next encryption_key_length bytes comprise the group session key, and the
next IV_length bytes comprise the salt from which group session IVs are
derived.
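The derivations above (master secret, per-client key block, group key block) carried through with Python's standard library, as an added example that is not code from the UFTP project or this document. The PRF follows RFC 5246 section 5 for the SHA-256 case and the RFC 4346 MD5/SHA-1 split for the SHA-1 case, as the text specifies; the defaults assume AES-128-CBC (16-byte key and IV), and the function names, the dictionary layout and the random values are this example's own.

```python
import hashlib
import hmac
import os


def p_hash(secret, seed, length, hash_name):
    """P_hash from RFC 5246 section 5, expanded to `length` bytes."""
    digestmod = getattr(hashlib, hash_name)
    out = b""
    a = seed                                                # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digestmod).digest()         # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digestmod).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret, label, seed, length, hash_name="sha256"):
    """The PRF choice described above: the TLS 1.1 MD5/SHA-1 split when SHA-1
    is the selected hash, otherwise the TLS 1.2 PRF with the selected hash."""
    label_seed = label.encode("ascii") + seed
    if hash_name == "sha1":
        half = (len(secret) + 1) // 2          # RFC 4346: S1 = first half, S2 = last half
        s1, s2 = secret[:half], secret[-half:]
        md5_part = p_hash(s1, label_seed, length, "md5")
        sha_part = p_hash(s2, label_seed, length, "sha1")
        return bytes(x ^ y for x, y in zip(md5_part, sha_part))
    return p_hash(secret, label_seed, length, hash_name)


def split_key_block(key_block, hash_len, key_len, iv_len):
    """HMAC key, then session key, then IV salt, in that order."""
    return {
        "hmac_key": key_block[:hash_len],
        "session_key": key_block[hash_len:hash_len + key_len],
        "salt": key_block[hash_len + key_len:hash_len + key_len + iv_len],
    }


def derive_client_keys(premaster, server_random, client_random,
                       hash_name="sha256", key_len=16, iv_len=16):
    """Per-client material: the 48-byte master secret, then the key block
    expanded from it with server_random + client_random as the seed."""
    hash_len = hashlib.new(hash_name).digest_size
    randoms = server_random + client_random
    master_secret = prf(premaster, "master secret", randoms, 48, hash_name)
    key_block = prf(master_secret, "key expansion", randoms,
                    hash_len + key_len + iv_len, hash_name)
    keys = split_key_block(key_block, hash_len, key_len, iv_len)
    keys["master_secret"] = master_secret
    return keys


def derive_group_keys(group_master, server_random,
                      hash_name="sha256", key_len=16, iv_len=16):
    """Group material: the key block is expanded from the group master key
    with only the server random as the seed."""
    hash_len = hashlib.new(hash_name).digest_size
    key_block = prf(group_master, "key expansion", server_random,
                    hash_len + key_len + iv_len, hash_name)
    return split_key_block(key_block, hash_len, key_len, iv_len)


def make_secret(version_byte):
    """A 48-byte premaster or group master: 1 version byte + 47 random bytes."""
    return bytes([version_byte]) + os.urandom(47)


if __name__ == "__main__":
    # constructed sample randoms (the 4-byte time prefix is omitted here)
    server_random = os.urandom(32)
    client_random = os.urandom(32)
    client = derive_client_keys(make_secret(0x30), server_random, client_random)
    group = derive_group_keys(make_secret(0x30), server_random)
    print("client session key:", client["session_key"].hex())
    print("group HMAC key:    ", group["hmac_key"].hex())
```

Because the per-client key block depends on both randoms while the group key block depends only on the server random, two clients of one session derive different session keys for their KEYINFO but the same group session key and group HMAC key once they decrypt the group master.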

Upon receiving the KEYINFO message, the client responds with an INFO_ACK
message.  This message contains a 12 byte verify_data field constructed as
follows:

PRF(group_master, "client finished", Hash(handshake_values))[0-11]

Where Hash is the server selected hash function and handshake_values is:

group ID + private address + server random + client random +
    premaster secret + [ client_key_exponent + client_key_modulus ] +
    group_master

where client_key_exponent and client_key_modulus are the components of the
client's RSA public key, if a CLIENT_KEY message was sent.

All subsequent messages after a KEYINFO from either client or server are
encrypted using the group session key, and the whole UDP packet is signed with
either the group HMAC key or the sender's RSA key, depending on what the
server selects.  Each of these messages also contains the 64-bit UNIX timestamp
used to generate the IV for that message.  The IP address used to generate the
IV should be the same one placed in the srcaddr field.  Clients receiving a
KEYINFO message also use the IP address from srcaddr.

A server proxy may choose to dynamically determine its destination client
proxy.  It does this by means of authenticated heartbeat messages.  The server
proxy specifies the public key fingerprint of the client proxy it wishes to
send to.  This is useful when the client proxy is NATed and its IP address
cannot be determined ahead of time, and may in fact change on the fly.

When a server proxy in this mode receives an HB_REQ message, it responds with
an HB_RESP message containing a flag indicating that authentication is
required along with a randomly chosen nonce value.  The client proxy is then
expected to sign the nonce with its private key and send back the nonce, the
signed nonce, and its public key in another HB_REQ message.  When the server
proxy receives this message, it first checks the plaintext nonce to see if it
matches the last nonce it sent out.  If so, it verifies the client proxy's
public key fingerprint then verifies the signature.  If these checks all pass,
the server uses the incoming address of the HB_REQ as its downstream address,
and sends back an HB_RESP indicating successful authentication.  At this time
the server will randomly select a new nonce so the old one is not reused.  If
any of the checks fail, the server proxy sends back an HB_RESP message
indicating failed authentication, and the current destination remains
unchanged.  Any future HB_REQ messages the server proxy gets from the
established downstream client proxy are automatically accepted.  Only when the
IP/port does not match will the server proxy issue a challenge.
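The server-proxy side of the heartbeat challenge described above, as an added example that is not code from the UFTP project or this document. Only the state handling is the point: which HB_REQs get challenged, why a stale nonce is rejected, and why the nonce is rotated after success. The RSA signature and fingerprint operations are injected as callables, and the toy_* functions that stand in for them here use an HMAC over a shared secret purely so the block runs without a crypto library; the class and function names are this example's own.

```python
import hashlib
import hmac
import os


# Stand-ins for the RSA operations so the state logic below runs without a
# crypto library.  A real server proxy verifies an RSA signature over the
# nonce with the client proxy's public key; here "pubkey" is a shared secret
# and the "signature" is an HMAC tag.  Only the challenge/response handling
# is what this example demonstrates.
def toy_sign(pubkey, nonce):
    return hmac.new(pubkey, nonce, hashlib.sha256).digest()


def toy_verify(pubkey, nonce, sig):
    return hmac.compare_digest(toy_sign(pubkey, nonce), sig)


def toy_fingerprint(pubkey):
    return hashlib.sha256(pubkey).digest()


class ServerProxyHeartbeat:
    """Server-proxy side of the HB_REQ/HB_RESP exchange described above.

    expected_fp -- fingerprint of the client proxy this server proxy is
                   configured to send to
    verify_sig(pubkey, nonce, sig) -> bool and fingerprint(pubkey) -> bytes
    are injected so the logic is independent of the key library in use.
    """

    def __init__(self, expected_fp, verify_sig, fingerprint):
        self.expected_fp = expected_fp
        self.verify_sig = verify_sig
        self.fingerprint = fingerprint
        self.downstream = None            # (ip, port) of the authenticated client proxy
        self.nonce = os.urandom(16)       # current challenge value

    def handle_hb_req(self, addr, nonce=None, sig=None, pubkey=None):
        """Process one HB_REQ from addr.  Returns the HB_RESP to send as
        (status, nonce): status is 'ok', 'auth_required' or 'fail'."""
        if addr == self.downstream:
            return "ok", None             # established downstream: no challenge
        if nonce is None:
            return "auth_required", self.nonce   # unknown address: challenge it
        if nonce != self.nonce:
            return "fail", None           # stale or replayed nonce
        if pubkey is None or self.fingerprint(pubkey) != self.expected_fp:
            return "fail", None           # not the configured client proxy
        if sig is None or not self.verify_sig(pubkey, nonce, sig):
            return "fail", None           # signature does not verify
        self.downstream = addr            # HB_REQ source becomes the destination
        self.nonce = os.urandom(16)       # rotate so the signed value cannot be replayed
        return "ok", None


if __name__ == "__main__":
    key = b"constructed-client-proxy-key"          # stand-in for the client proxy's key pair
    hb = ServerProxyHeartbeat(toy_fingerprint(key), toy_verify, toy_fingerprint)
    addr = ("203.0.113.7", 1044)                   # constructed NATed address
    status, nonce = hb.handle_hb_req(addr)
    print("first HB_REQ:", status)
    status, _ = hb.handle_hb_req(addr, nonce=nonce, sig=toy_sign(key, nonce), pubkey=key)
    print("signed HB_REQ:", status, "downstream now", hb.downstream)
```

Two details carry the replay protection: a response is only compared against the single nonce currently outstanding, and that nonce is replaced the moment a response is accepted, so a captured signed nonce presented later from another address fails the first comparison and leaves the downstream address unchanged.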

4. Messages

4.1 Message Flow

While it would save one round trip to send a KEYINFO and FILEINFO together
with encryption enabled and only one file to send, keeping them separate
prevents eavesdroppers from determining information about the encrypted
stream, such as the number of files being sent.  See section 3.2 for more
details.

4.1.1 Announce/Register phase with encryption:

4.1.1.1 Without proxies

Server           Client
------           ------
ANNOUNCE  --->
          <---   REGISTER
          <---   CLIENT_KEY (optional)
KEYINFO   --->
          <---   INFO_ACK

4.1.1.2 With server/client proxies

Server           Server Proxy    Client Proxy         Client
------           ------------    ------------         ------
ANNOUNCE   --->           --->                 --->
                                               <---   REGISTER
                                               <---   CLIENT_KEY (optional)
           <---           <---   REGISTER
           <---           <---   CLIENT_KEY (optional)
KEYINFO    --->           --->
           <---           <---   INFO_ACK
REG_CONF   --->           --->
                                 KEYINFO       --->
                                               <---   INFO_ACK

4.1.1.3 With response proxy

Server           Response Proxy        Client
------           --------------        ------
ANNOUNCE   --->
           ------------------------>
                                <---   REGISTER
                                <---   CLIENT_KEY (optional)
           <---  REGISTER
           <---  CLIENT_KEY (optional)
KEYINFO    --->
           <---  INFO_ACK
REG_CONF   --->
                 KEYINFO         --->
                                 <---   INFO_ACK

4.1.2 Announce/Register phase without encryption

4.1.2.1 Without proxies

Server           Client
------           ------
ANNOUNCE  --->
          <---   REGISTER
REG_CONF  --->

4.1.2.2 With server/client proxies

Server           Server Proxy    Client Proxy         Client
------           ------------    ------------         ------
ANNOUNCE   --->           --->                 --->
                                               <---   REGISTER
           <---           <---   REGISTER
REG_CONF   --->           --->                 --->

4.1.2.3 With response proxy

Server           Response Proxy        Client
------           --------------        ------
ANNOUNCE   --->
           ------------------------>
                                <---   REGISTER
           <---  REGISTER
REG_CONF   --->
           ------------------------>

4.1.3 File Transfer phase:

Server           Client
------           ------
FILEINFO  --->
                 (either)
          <---   INFO_ACK
                 (or)
          <---   COMPLETE
FILESEG   --->
...
...
DONE      --->
                 (either)
          <---   STATUS
                 (or)
          <---   COMPLETE
...

4.1.4 Completion/Confirmation phase:

Server            Client
------            ------
DONE       --->
           <---   COMPLETE
DONE_CONF  --->

4.2 Message Details

All messages start with the UFTP header, followed by a message
specific header.  With the exception of an ENCRYPTED message, each message
header starts with an 8 bit function number.  This allows for determining
the message type of a decrypted message, so the message type is not
revealed in the UFTP header.


4.2.1 UFTP header

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    UFTP ID    |   Function    |         Block Size            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            Group ID                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Source Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Destination Address                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

UFTP ID: 8 bits
    Defines the version number of the protocol.  Currently 0x30.

Function: 8 bits
    The message number of the contained message.  If the message is
    encrypted, this always specifies the message number for ENCRYPTED.

Block Size: 16 bits
    The size of the entire UFTP packet in bytes, excluding this header
    (must be a multiple of 4).

Group ID: 32 bits
    A unique identifier for the current session.

Source Address: 32 bits
    The IP address of the sender.  For a server, this is the designated
    outgoing multicast address.  For a client or proxy, this is either the
    IP that matches an IP listed in an ANNOUNCE or the IP of the first
    non-loopback address.

Destination Address: 32 bits
    The IP address that this message is ultimately destined for.


4.2.2 ENCRYPTED

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Timestamp_seconds                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Timestamp_microseconds                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Signature length        |         Payload Length        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Signature                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Encrypted Payload                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


Specifies an encrypted message.  Contains a signature followed by the
encrypted message payload (which is one of the messages below).  The signature
is either an HMAC using the group key or an RSA signature using the sender's
RSA key over the whole UFTP message, depending on the signature type chosen
by the server.

Timestamp_seconds: 32 bits
    The current time expressed as seconds since the UNIX epoch of
    1/1/1970 00:00:00 UTC.

Timestamp_microseconds: 32 bits
    The microsecond portion of the current time.  This field and the above
    field are used in the calculation of the symmetric key IV for the
    encrypted payload.

Signature length: 16 bits
    The length of the signature in bytes (must be a multiple of 4).

Payload length: 16 bits
    The length of the encrypted payload in bytes (must be a multiple of 4).

Signature: varies
    The signature for this message.  It applies to the entire UFTP packet,
    including the UFTP header.  May be either an HMAC using the group hmac
    key or an RSA signature using the sender's RSA private key.

Encrypted Payload: varies
    The encrypted message, encrypted with the group symmetric key.
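The UFTP header and ENCRYPTED message framing above, built and parsed with HMAC verification, as an added example that is not code from the UFTP project or this document. It assumes the HMAC is computed with the Signature field zero-filled (the page says only that the signature covers the whole packet including the header), uses a placeholder for the ENCRYPTED function number (the real value is in section 4.3, which is not on this page), and takes the payload as already encrypted; the function names are this example's own.

```python
import hashlib
import hmac
import struct

UFTP_ID = 0x30              # protocol version given in the UFTP header description
FUNC_ENCRYPTED = 0xFF       # PLACEHOLDER: the real message number is in section 4.3
HDR_FMT = ">BBHIII"         # UFTP ID, Function, Block Size, Group ID, Src, Dst
ENC_FMT = ">IIHH"           # Timestamp_seconds, Timestamp_microseconds, Sig len, Payload len
HDR_LEN = struct.calcsize(HDR_FMT)   # 16
ENC_LEN = struct.calcsize(ENC_FMT)   # 12


def ip_to_int(ip):
    return struct.unpack(">I", bytes(int(o) for o in ip.split(".")))[0]


def int_to_ip(n):
    return ".".join(str(b) for b in struct.pack(">I", n))


def build_encrypted(hmac_key, group_id, src_ip, dst_ip, t_sec, t_usec,
                    ciphertext, hash_name="sha256"):
    """Frame an already-encrypted payload as UFTP header + ENCRYPTED message
    and sign the whole packet with the group HMAC key.  The HMAC is computed
    over the packet with the Signature field zero-filled (assumption)."""
    if len(ciphertext) % 4:
        raise ValueError("payload length must be a multiple of 4")
    sig_len = hashlib.new(hash_name).digest_size           # 32 (SHA-256) or 20 (SHA-1)
    block_size = ENC_LEN + sig_len + len(ciphertext)       # everything after the UFTP header
    hdr = struct.pack(HDR_FMT, UFTP_ID, FUNC_ENCRYPTED, block_size, group_id,
                      ip_to_int(src_ip), ip_to_int(dst_ip))
    enc = struct.pack(ENC_FMT, t_sec, t_usec, sig_len, len(ciphertext))
    unsigned = hdr + enc + bytes(sig_len) + ciphertext
    sig = hmac.new(hmac_key, unsigned, hash_name).digest()
    return hdr + enc + sig + ciphertext


def parse_encrypted(hmac_key, packet, hash_name="sha256"):
    """Check every length field and the HMAC before returning any field;
    raises ValueError on anything that does not add up.  Returns the header
    fields, the timestamp (needed for the IV) and the still-encrypted payload."""
    if len(packet) < HDR_LEN + ENC_LEN:
        raise ValueError("packet too short")
    uftp_id, func, block_size, group_id, src, dst = struct.unpack(HDR_FMT, packet[:HDR_LEN])
    if uftp_id != UFTP_ID:
        raise ValueError("unknown UFTP ID 0x%02x" % uftp_id)
    if func != FUNC_ENCRYPTED:
        raise ValueError("not an ENCRYPTED message")
    if block_size != len(packet) - HDR_LEN or block_size % 4:
        raise ValueError("Block Size disagrees with packet length")
    t_sec, t_usec, sig_len, pay_len = struct.unpack(ENC_FMT, packet[HDR_LEN:HDR_LEN + ENC_LEN])
    if sig_len % 4 or pay_len % 4 or HDR_LEN + ENC_LEN + sig_len + pay_len != len(packet):
        raise ValueError("signature/payload lengths do not add up")
    sig_start = HDR_LEN + ENC_LEN
    sig = packet[sig_start:sig_start + sig_len]
    payload = packet[sig_start + sig_len:]
    unsigned = packet[:sig_start] + bytes(sig_len) + payload
    expected = hmac.new(hmac_key, unsigned, hash_name).digest()
    if not hmac.compare_digest(sig, expected):          # constant-time comparison
        raise ValueError("HMAC verification failed")
    return {"group_id": group_id, "src": int_to_ip(src), "dst": int_to_ip(dst),
            "timestamp": (t_sec, t_usec), "payload": payload}


if __name__ == "__main__":
    key = bytes(range(32))                                  # constructed group HMAC key
    pkt = build_encrypted(key, 0xDEADBEEF, "10.0.0.2", "239.1.1.1", 1000, 5, bytes(range(16)))
    print(len(pkt), "bytes:", pkt.hex())
    print(parse_encrypted(key, pkt))
```

The parser deliberately refuses to hand back the payload until the HMAC has been checked, and the Block Size check ties the header to the actual datagram length, so a truncated or padded packet is dropped before any decryption is attempted.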


4.2.3 ANNOUNCE

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |     Flags     |      Destination Count        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Announce Interval        |        Status Interval        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Register Interval        |         Done Interval         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Announce Time |  Status Time  |            MTU                |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Private Multicast Address                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Client     |   Signature   |     Hash      |     Key       |
   | Authorization |     Type      |     Type      |     Type      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Public Key Modulus Length   |          Reserved             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Public Key Exponent                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                                                               +
   |                                                               |
   +                                                               +
   |                     Server Random Number                      |
   +                                                               +
   |                                                               |
   +                                                               +
   |                                                               |
   +                                                               +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Public Key Modulus                       |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   |                      Client IP Address                        |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   :                             ....                              :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by the server to initiate a file transfer.  Contains basic info needed by
clients to initiate a session.  For closed group membership, the list of
allowed clients is specified.  Multiple messages may be sent to accommodate the
full list of clients.  This message goes over the public multicast address.
All subsequent server messages go over the private multicast address.  If the
server needs to resend this message under closed group membership, only
clients that did not respond are listed.

Function: 8 bits
    The message number for this message.  Always 1.

Flags: 8 bits
    0x01 - RESTART
        If set, this indicates that the session represented by this ANNOUNCE
        is a restart of a prior session.
    All other bits should be set to 0.

Destination Count: 16 bits
    The number of client IP addresses listed in this message.  With open group
    membership, this is always zero.  With closed group membership, this is
    always non-zero.

Announce Interval: 16 bits
    The number of milliseconds the server will wait before retransmitting an
    ANNOUNCE, REG_CONF, KEYINFO, or FILEINFO.

Status Interval: 16 bits
    The number of milliseconds the server will wait before retransmitting
    a DONE.

Register Interval: 16 bits
    The number of milliseconds the client should wait before retransmitting
    a REGISTER.

Done Interval: 16 bits
    The number of milliseconds the client should wait before retransmitting
    a COMPLETE when expecting a DONE_CONF.

Announce Time: 8 bits
    The number of seconds the server may wait for a REGISTER or INFO_ACK in
    the Announce/Register phase or an INFO_ACK in the File Info phase before
    continuing to the next phase.

Status Time: 8 bits
    The number of seconds the server may wait after sending one or more DONE
    messages before giving up on any clients that haven't sent a STATUS or
    COMPLETE and continuing with the Data Transfer phase.

MTU: 16 bits
    The total size of the IP message to send as specified by the server.
    This includes the IP and UDP headers as well as the UFTP message.  Note
    that this does not account for the existence of IP header options, so
    when it's expected that IP header options may be added, this value should
    be set slightly lower than the path MTU to avoid IP packet fragmentation.

Client Authorization: 8 bits
    Specifies whether the client should send a CLIENT_KEY message in addition
    to a REGISTER when responding.  Valid values are 1 for true, 0 for false.

Signature Type: 8 bits
    Specifies the signature type number of the signature to use on encrypted
    messages.  See section 4.3 for the list of valid values.

Hash Type: 8 bits
    Specifies the hash type number of the hashing algorithm to use for HMAC
    signatures and key derivation.  See section 4.3 for the list of valid
    values.

Key Type: 8 bits
    Specifies the key type number of the symmetric encryption algorithm to
    use.  See section 4.3 for the list of valid values.

Public Key Modulus Length: 16 bits
    The length in bytes of the server's RSA public key modulus.

Reserved: 8 bits
    Reserved for future use and should be set to 0.

Public Key Exponent: 32 bits
    The public key exponent of the server's RSA public key.

Server Random Number: 256 bits
    A 32-byte random number chosen by the server used to derive the master
    secret key between the server and each client.

Public Key Modulus: varies
    The public key modulus of the server's RSA public key.

Client IP Address: 32 bits each
    The IP address of one or more clients that are allowed to join under
    closed group membership.
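The ANNOUNCE layout above, serialised and parsed with its two variable-length trailers (modulus, then the client IP list) and the closed-group membership decision a client makes on receipt, as an added example that is not code from the UFTP project or this document. The field order follows the diagram, including the 16-bit Reserved slot shown beside the modulus length; the Signature/Hash/Key Type numbers and interval values in the sample are constructed placeholders (section 4.3, which defines them, is not on this page); the function names and dictionary keys are this example's own.

```python
import os
import struct
import time

# Fixed 64-byte part of ANNOUNCE, in diagram order: Function, Flags, Dest Count,
# Announce/Status/Register/Done Interval, Announce Time, Status Time, MTU,
# Private Multicast Address, Client Auth, Sig Type, Hash Type, Key Type,
# Modulus Length, Reserved (16 bits in the diagram), Exponent, Server Random.
ANNOUNCE_FIXED_FMT = ">BBHHHHHBBHIBBBBHHI32s"
ANNOUNCE_FIXED_LEN = struct.calcsize(ANNOUNCE_FIXED_FMT)
FUNC_ANNOUNCE = 1
FLAG_RESTART = 0x01


def ip_to_int(ip):
    return struct.unpack(">I", bytes(int(o) for o in ip.split(".")))[0]


def int_to_ip(n):
    return ".".join(str(b) for b in struct.pack(">I", n))


def make_random():
    """32-byte random: 4 bytes of UNIX time followed by 28 random bytes."""
    return struct.pack(">I", int(time.time())) + os.urandom(28)


def build_announce(fields, server_random, modulus, client_ips, restart=False):
    """Serialise an ANNOUNCE body (everything after the UFTP header).
    An empty client_ips list means open group membership."""
    if len(server_random) != 32:
        raise ValueError("server random must be 32 bytes")
    fixed = struct.pack(
        ANNOUNCE_FIXED_FMT, FUNC_ANNOUNCE, FLAG_RESTART if restart else 0,
        len(client_ips), fields["announce_interval"], fields["status_interval"],
        fields["register_interval"], fields["done_interval"], fields["announce_time"],
        fields["status_time"], fields["mtu"], ip_to_int(fields["private_mcast"]),
        fields["client_auth"], fields["sig_type"], fields["hash_type"], fields["key_type"],
        len(modulus), 0, fields["exponent"], server_random)
    return fixed + modulus + b"".join(struct.pack(">I", ip_to_int(ip)) for ip in client_ips)


def parse_announce(body):
    """Parse an ANNOUNCE body, checking that the two variable-length trailers
    account for exactly the remaining bytes.  Raises ValueError otherwise."""
    if len(body) < ANNOUNCE_FIXED_LEN:
        raise ValueError("ANNOUNCE too short")
    (func, flags, dest_count, ann_int, stat_int, reg_int, done_int, ann_time,
     stat_time, mtu, priv, client_auth, sig_type, hash_type, key_type, mod_len,
     _reserved, exponent, server_random) = struct.unpack(ANNOUNCE_FIXED_FMT,
                                                         body[:ANNOUNCE_FIXED_LEN])
    if func != FUNC_ANNOUNCE:
        raise ValueError("not an ANNOUNCE")
    if len(body) != ANNOUNCE_FIXED_LEN + mod_len + 4 * dest_count:
        raise ValueError("modulus length and destination count do not match body")
    modulus = body[ANNOUNCE_FIXED_LEN:ANNOUNCE_FIXED_LEN + mod_len]
    ip_data = body[ANNOUNCE_FIXED_LEN + mod_len:]
    client_ips = [int_to_ip(n) for (n,) in struct.iter_unpack(">I", ip_data)]
    return {"restart": bool(flags & FLAG_RESTART), "dest_count": dest_count,
            "announce_interval": ann_int, "status_interval": stat_int,
            "register_interval": reg_int, "done_interval": done_int,
            "announce_time": ann_time, "status_time": stat_time, "mtu": mtu,
            "private_mcast": int_to_ip(priv), "client_auth": client_auth,
            "sig_type": sig_type, "hash_type": hash_type, "key_type": key_type,
            "exponent": exponent, "server_random": server_random,
            "modulus": modulus, "client_ips": client_ips}


def client_should_register(ann, my_ip):
    """Open group (Destination Count 0): any listening client may respond.
    Closed group: only a client whose address is listed."""
    return ann["dest_count"] == 0 or my_ip in ann["client_ips"]


if __name__ == "__main__":
    # constructed sample values; sig/hash/key type numbers are placeholders
    sample = dict(announce_interval=1000, status_interval=500, register_interval=1000,
                  done_interval=500, announce_time=10, status_time=10, mtu=1500,
                  private_mcast="239.192.1.1", client_auth=0, sig_type=1, hash_type=2,
                  key_type=3, exponent=65537)
    msg = build_announce(sample, make_random(), bytes(128), ["10.0.0.5", "10.0.0.6"])
    ann = parse_announce(msg)
    print(len(msg), "bytes; listed clients:", ann["client_ips"])
    print("10.0.0.9 may register:", client_should_register(ann, "10.0.0.9"))
```

A client that is not listed under closed membership should simply stay silent rather than register; the length check in parse_announce is what keeps a short or padded list from being misread as a different set of addresses.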


4.2.4 REGISTER

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |                  Reserved                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Destination Count       |  Encrypted Premaster Length   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                                                               +
   |                                                               |
   +                                                               +
   |                     Client Random Number                      |
   +                                                               +
   |                                                               |
   +                                                               +
   |                                                               |
   +                                                               +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Encrypted Premaster Secret                  |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   |                      Client IP Address                        |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   :                             ....                              :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by the client to acknowledge receipt of an ANNOUNCE.  If encryption is
requested, also contains a random number and a premaster secret key encrypted
with the server's public RSA key.

Function: 8 bits
    The message number for this message.  Always 2.

Reserved: 24 bits
    Reserved for future use and should be set to 0.

Destination Count: 16 bits
    The number of client IP addresses listed in this message.  For a client,
    this should always be zero.

Encrypted Premaster Length: 16 bits
    The length of the encrypted premaster secret key.

Client Random Number: 256 bits
    A 32-byte random number chosen by the client used to derive the master
    secret key between the server and each client.

Encrypted Premaster Secret: varies
    The premaster secret key selected by the client, encrypted with the
    server's RSA public key.

Client IP Address: 32 bits each
    The IP address of one or more clients that a proxy received a REGISTER
    from and is now relaying to the server.


4.2.5 CLIENT_KEY

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |                  Reserved                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Public Key Modulus Length   |   Signed Verify Data Length   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Public Key Exponent                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Public Key Modulus                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Signed Verify Data                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by the client if the server requests client authentication, or if the
server requests RSA signatures instead of HMAC.

Function: 8 bits
    The message number for this message.  Always 3.

Reserved: 24 bits
    Reserved for future use and should be set to 0.

Public Key Modulus Length: 16 bits
    The length in bytes of the client's RSA public key modulus.

Signed Verify Data Length: 16 bits
    The length in bytes of the signed verify data field.

Public Key Exponent: 32 bits
    The public key exponent of the client's RSA public key.

Public Key Modulus: varies
    The public key modulus of the client's RSA public key.

Signed Verify Data: varies
    The signature from the client's RSA private key of verification data
    based on the hash of the cryptographic parameters exchanged to this point.


4.2.6 REG_CONF

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |    Reserved   |       Destination Count       |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   |                      Client IP Address                        |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   :                             ....                              :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by the server in response to a REGISTER if there is no encryption.
Contains a list of clients that the server received a REGISTER for, and
multiple messages may be sent to accommodate the full list of clients.  Also
sent if the REGISTER came from a proxy.  This allows proxies to confirm
registrations when encryption is enabled.  The server will not resend this
message for a given client unless it receives an extra REGISTER from that
client.

Function: 8 bits
    The message number for this message.  Always 4.

Reserved: 8 bits
    Reserved for future use and should be set to 0.

Destination Count: 16 bits
    The number of client IP addresses listed in this message.

Client IP Address: 32 bits each
    The IP address of one or more clients that the server received a
    REGISTER for.


4.2.7 KEYINFO

            0                   1                   2                   3
            0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           |    Function   |    Reserved   |  Destination  |Encrypted Group|
           |               |               |     Count     | Master Length |
           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           |                       Timestamp_seconds                       |
           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           |                     Timestamp_microseconds                    |
           +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 encrypted |                      Client IP Address                        |
   key 1   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           |                                                               |
           +                                                               +
           |                                                               |
           +                                                               +
           |                                                               |
           +                                                               +
           |                                                               |
           +                                                               +
           |                                                               |
           +                                                               +
           |                    Encrypted Group Master                     |
           +                                                               +
           |                                                               |
           +                                                               +
           |                                                               |
           +                                                               +
           |                                                               |
           +                                                               +
           |                                                               |
           +                                                               +
           |                                                               |
           +                                                               +
           |                                                               |
           +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 encrypted |                      Client IP Address                        |
   key 2   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           :                             ....                              :
           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by the server in response to a REGISTER if encryption is enabled.
Contains the list of clients that the server received a REGISTER for, and
multiple messages may be sent to accommodate the full list of clients.  If the
server needs to resend this message, only clients that did not respond are
listed.  Also, for each listed client, it contains the group master key
encrypted with the master secret key negotiated with that client.  If a
REGISTER is received from a proxy, KEYINFO gets sent directly to the proxy,
not the clients it serves.

Function: 8 bits
    The message number for this message.  Always 6.

Reserved: 8 bits
    Reserved for future use and should be set to 0.

Destination Count: 8 bits
    The number of encrypted key messages listed in this message.

Encrypted Group Master Length: 8 bits
    The length of the encrypted group master key in each encrypted key
    message.  Should always be 48.

Timestamp_seconds: 32 bits
    The current time expressed as seconds since the UNIX epoch of
    1/1/1970 00:00:00 UTC.

Timestamp_microseconds: 32 bits
    The microsecond portion of the current time.  This field and the above
    field are used in the calculation of the symmetric key IV for the
    encrypted group master key for each listed client.

Client IP Address: 32 bits each
    The IP address of one or more clients that the server received a
    REGISTER for.

Encrypted Group Master: 384 bits each
    The last 47 bytes of the 48 byte group master secret, encrypted using the
    master symmetric key for the prior listed client.


4.2.8 FILEINFO

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |   File Type   |            File ID            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          Total Blocks                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Total Sections       |       Destination Count       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           File Size                           |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           File Name                           |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   |                      Client IP Address                        |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   :                             ....                              :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by the server to give information on a particular file being sent.
Contains the list of currently active clients, and multiple messages may be
sent to accommodate the full list of clients.  If the server needs to resend
this message, only clients that did not respond are listed.  If encryption
is enabled, this message is encrypted and embedded within an ENCRYPTED message.

Function: 8 bits
    The message number for this message.  Always 5.

File Type: 8 bits
    Specifies the type of file being sent (regular file, directory, or
    symbolic link).  See section 4.3 for the list of valid values.

File ID: 16 bits
    The identifier of the current file.  Chosen by the server sequentially
    starting at 1.

Total Blocks: 32 bits
    The number of blocks the file is broken up into.

Total Sections: 16 bits
    The number of sections the blocks are grouped into.

Destination Count: 16 bits
    The number of client IP addresses listed in this message.

File Size: 64 bits
    The size of the file to send in bytes.

File Name: 300 bytes
    The path name of the file to send.  A slash (/) is used as a directory
    separator.  The file gets created with this path in the client's
    destination directory.

Client IP Address: 32 bits each
    The IP address of one or more active clients.
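The following Python is an added example for this page, not code from the UFTP project. It covers the FILEINFO header, the Client IP Address trailer that FILEINFO shares with REG_CONF, DONE, DONE_CONF and the proxy-relayed messages (Destination Count must match the bytes present before any address is read), and the file-name check that produces the COMP_STAT_REJECTED status described in section 4.2.14. The destination-directory policy (relative names only, no empty, `.` or `..` components, normalised result must stay under the directory) is this example's assumption about what counts as a "pathname or filename issue"; the sample values are constructed.

```python
import ipaddress
import posixpath
import struct

FILEINFO = 5                                                          # section 4.3.1
FILE_TYPES = {0: "regular file", 1: "directory", 2: "symbolic link"}  # section 4.3.6
COMP_STAT_NORMAL, COMP_STAT_REJECTED = 0, 3                           # section 4.3.7

# Fixed part: Function, File Type, File ID, Total Blocks, Total Sections,
# Destination Count, File Size, File Name (300 bytes) = 320 bytes
_HDR = struct.Struct("!BBHIHHQ300s")


class MalformedMessage(ValueError):
    """Raised when a datagram does not match the FILEINFO layout."""


def parse_client_list(trailer: bytes, count: int) -> list:
    """Decode a Client IP Address trailer. Destination Count is checked against
    the bytes actually present before any address is read."""
    if len(trailer) != 4 * count:
        raise MalformedMessage(f"Destination Count {count} vs {len(trailer)} trailer bytes")
    return [str(ipaddress.IPv4Address(trailer[i:i + 4])) for i in range(0, len(trailer), 4)]


def build_fileinfo(file_type, file_id, total_blocks, total_sections,
                   file_size, file_name, clients) -> bytes:
    """Server side: serialise a FILEINFO for the given active client list."""
    raw = file_name.encode("utf-8")
    if len(raw) >= 300:
        raise ValueError("File Name must fit in 300 bytes with a NUL terminator")
    hdr = _HDR.pack(FILEINFO, file_type, file_id, total_blocks, total_sections,
                    len(clients), file_size, raw)          # 300s pads with NULs
    return hdr + b"".join(ipaddress.IPv4Address(c).packed for c in clients)


def parse_fileinfo(datagram: bytes) -> dict:
    """Client side: validate framing and decode the header fields."""
    if len(datagram) < _HDR.size:
        raise MalformedMessage("datagram shorter than the FILEINFO header")
    func, ftype, file_id, blocks, sections, count, size, raw_name = _HDR.unpack_from(datagram)
    if func != FILEINFO:
        raise MalformedMessage(f"function {func} is not FILEINFO ({FILEINFO})")
    if ftype not in FILE_TYPES:
        raise MalformedMessage(f"unknown File Type {ftype}")
    if file_id == 0:
        raise MalformedMessage("File IDs start at 1; 0 is reserved for end of session")
    try:
        name = raw_name.split(b"\0", 1)[0].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise MalformedMessage("File Name is not valid UTF-8") from exc
    return {"file_type": FILE_TYPES[ftype], "file_id": file_id, "total_blocks": blocks,
            "total_sections": sections, "file_size": size, "file_name": name,
            "clients": parse_client_list(datagram[_HDR.size:], count)}


def resolve_destination(dest_dir: str, file_name: str):
    """Return the path the file will be created at, or None if it must be
    rejected. The name is server-supplied, so the client accepts only relative
    names whose components are ordinary names and whose normalised form still
    lies under dest_dir (this example's policy, not spelled out by the spec)."""
    if not file_name or file_name.startswith("/"):
        return None
    if any(part in ("", ".", "..") for part in file_name.split("/")):
        return None
    root = posixpath.normpath(dest_dir)
    prefix = root if root.endswith("/") else root + "/"
    target = posixpath.normpath(posixpath.join(root, file_name))
    return target if target.startswith(prefix) else None


def completion_status(dest_dir: str, info: dict) -> int:
    """Status byte the client would put in its COMPLETE (section 4.2.14) for a
    non-sync-mode transfer: REJECTED for a bad name, otherwise NORMAL."""
    if resolve_destination(dest_dir, info["file_name"]) is None:
        return COMP_STAT_REJECTED
    return COMP_STAT_NORMAL


if __name__ == "__main__":
    # Constructed sample: one regular file announced to two clients.
    wire = build_fileinfo(0, 1, 4, 1, 4000, "docs/readme.txt", ["10.1.2.3", "10.1.2.4"])
    info = parse_fileinfo(wire)
    print(info["file_name"], info["clients"],
          resolve_destination("/var/uftp/in", info["file_name"]))
```

`resolve_destination` works on the POSIX form of the path regardless of host platform because the spec fixes the slash as the separator; a client running elsewhere would convert the accepted relative name to its native form only after this check passes.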


4.2.9 INFO_ACK

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |     Flags     |            File ID            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Destination Count       |            Reserved           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                          Verify Data                          |
   +                                                               +
   |                                                               |
   +                                                               +
   |                                                               |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   |                      Client IP Address                        |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   :                             ....                              :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by the client in response to a KEYINFO or a FILEINFO.  If sent in response
to KEYINFO, contains verification data based on the hash of the cryptographic
parameters exchanged to this point.  If sent in response to a FILEINFO,
contains the file ID.  If encryption is enabled, this message is encrypted
and embedded within an ENCRYPTED message.

Function: 8 bits
    The message number for this message.  Always 7.

Flags: 8 bits
    0x01 - PARTIAL
        If set, this indicates that the client partially received the
        indicated file on a prior run.  Valid only in response to a FILEINFO.
    All other bits should be set to 0.

File ID: 16 bits
    If sent in response to a FILEINFO, the identifier of the current file.
    If sent in response to a KEYINFO, 0.

Destination Count: 16 bits
    The number of client IP addresses listed in this message.

Reserved: 16 bits
    Reserved for future use and should be set to 0.

Client IP Address: 32 bits each
    The IP address of one or more clients that a proxy received an INFO_ACK
    from and is now relaying to the server.


4.2.10 FILESEG

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |    Reserved   |            File ID            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Pass     |    Reserved   |            Section            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          Block Number                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by the server, and contains a block of data following this header.  If
encryption is enabled, this message is encrypted and embedded within an
ENCRYPTED message.

Function: 8 bits
    The message number for this message.  Always 8.

Reserved: 8 bits
    Reserved for future use and should be set to 0.

File ID: 16 bits
    The identifier of the current file.

Pass: 8 bits
    The pass number that the server is currently on.

Section: 16 bits
    The section number for this block.

Block Number: 32 bits
    The number of this block.


4.2.11 DONE

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |     Pass      |            Section            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            File ID            |       Destination Count       |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   |                      Client IP Address                        |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   :                             ....                              :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by the server at the end of a section to request NAKs.  Contains the list
of clients that the server needs status for, and multiple messages may be
sent to accommodate the full list of clients.  If the server needs to resend
this message, only clients that did not respond are listed.  If encryption
is enabled, this message is encrypted and embedded within an ENCRYPTED message.

Function: 8 bits
    The message number for this message.  Always 9.

Pass: 8 bits
    The pass number that the server is currently on.

Section: 16 bits
    The section number that this DONE refers to.

File ID: 16 bits
    The identifier of the current file.  If zero, indicates the beginning of
    the Completion/Confirmation phase to end the session.

Destination Count: 16 bits
    The number of client IP addresses listed in this message.

Client IP Address: 32 bits each
    The IP address of one or more clients the server needs status for.


4.2.12 STATUS

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |   Reserved    |            File ID            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Pass     |  Seq Number   |            Section            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           NAK Count                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by the client in response to a DONE message.  If encryption is enabled,
this message is encrypted and embedded within an ENCRYPTED message.

Function: 8 bits
    The message number for this message.  Always 10.

Reserved: 8 bits
    Reserved for future use and should be set to 0.

File ID: 16 bits
    The identifier of the current file.

Pass: 8 bits
    The pass number that the server is currently on.

Seq Number: 8 bits
    A sequence number matching this STATUS to a PRSTATUS.

Section: 16 bits
    The section number that the NAKs in this message apply to.

NAK Count: 32 bits
    The total number of NAKs contained in this message.  If zero, this message
    contains only this header.  If non-zero, contains a bitmask of the NAKs
    for the given section, and this bitmask is the size of a block.
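Both sides of the NAK bitmask, as an added Python example written for this page rather than code from the UFTP project: the client builds a STATUS from the set of blocks it received in the section (header only when nothing is missing, otherwise a bitmask exactly one block long), and the server checks the framing, cross-checks NAK Count against the set bits, and unions the NAKs from all clients into the retransmit list for the next pass. The bit order within the bitmask (bit 0 of byte 0 is the first block of the section) and the 16-byte block size of the sample are assumptions; the real block size is negotiated elsewhere in the protocol, not in STATUS.

```python
import struct

STATUS = 10   # section 4.3.1

# Function, Reserved, File ID, Pass, Seq Number, Section, NAK Count = 12 bytes
_HDR = struct.Struct("!BxHBBHI")


class MalformedMessage(ValueError):
    """Raised when a datagram does not match the STATUS layout."""


def build_status(file_id, pass_no, seq, section, received, blocks_in_section, block_size):
    """Client side: the STATUS sent after DONE for one section.

    `received` holds the 0-based indexes, within this section, of the blocks
    that arrived. With nothing missing the message is the header alone;
    otherwise it carries a bitmask exactly one block long. Bit order
    (bit 0 of byte 0 = first block of the section) is an assumption here.
    """
    if blocks_in_section > block_size * 8:
        raise ValueError("section has more blocks than the bitmask has bits")
    missing = [i for i in range(blocks_in_section) if i not in received]
    if not missing:
        return _HDR.pack(STATUS, file_id, pass_no, seq, section, 0)
    bitmap = bytearray(block_size)
    for i in missing:
        bitmap[i // 8] |= 1 << (i % 8)
    return _HDR.pack(STATUS, file_id, pass_no, seq, section, len(missing)) + bytes(bitmap)


def parse_status(datagram, block_size):
    """Server side: return (header fields, missing block indexes)."""
    if len(datagram) < _HDR.size:
        raise MalformedMessage("datagram shorter than the STATUS header")
    func, file_id, pass_no, seq, section, nak_count = _HDR.unpack_from(datagram)
    if func != STATUS:
        raise MalformedMessage(f"function {func} is not STATUS ({STATUS})")
    fields = {"file_id": file_id, "pass": pass_no, "seq": seq,
              "section": section, "nak_count": nak_count}
    if nak_count == 0:
        if len(datagram) != _HDR.size:
            raise MalformedMessage("NAK Count is 0 but a payload is present")
        return fields, []
    if len(datagram) != _HDR.size + block_size:
        raise MalformedMessage("NAK bitmask must be exactly one block long")
    bitmap = datagram[_HDR.size:]
    missing = [i for i in range(block_size * 8) if bitmap[i // 8] >> (i % 8) & 1]
    if len(missing) != nak_count:
        # A count that disagrees with the bitmask is a malformed message;
        # neither value is trusted over the other.
        raise MalformedMessage(f"NAK Count {nak_count} but {len(missing)} bits set")
    return fields, missing


def is_rejected(datagram, block_size) -> bool:
    """True if the parser refuses the datagram (helper for tests and demos)."""
    try:
        parse_status(datagram, block_size)
    except MalformedMessage:
        return True
    return False


def retransmit_list(statuses, block_size):
    """Union of the NAKs from every client's STATUS for one file and section:
    the blocks the server has to resend in the next pass."""
    key, need = None, set()
    for datagram in statuses:
        fields, missing = parse_status(datagram, block_size)
        this = (fields["file_id"], fields["section"])
        if key not in (None, this):
            raise ValueError("STATUS messages refer to different files or sections")
        key = this
        need.update(missing)
    return sorted(need)


if __name__ == "__main__":
    # Constructed sample: 16-byte blocks, so 128 blocks per section.
    got = set(range(128)) - {3, 17, 100}
    print(parse_status(build_status(7, 1, 0, 2, got, 128, 16), 16))
```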


4.2.13 PRSTATUS

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |    Reserved   |            File ID            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Pass     |  Seq Number   |            Section            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Destination Count       |            Reserved           |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   |                      Client IP Address                        |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   :                             ....                              :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by a client proxy along with a STATUS message.  Contains the list of
clients the most recent STATUS applies to.  If encryption is enabled, this
message is encrypted and embedded within an ENCRYPTED message.

Function: 8 bits
    The message number for this message.  Always 11.

Reserved: 8 bits
    Reserved for future use and should be set to 0.

File ID: 16 bits
    The identifier of the current file.

Pass: 8 bits
    The pass number that the server is currently on.

Seq Number: 8 bits
    A sequence number matching this PRSTATUS to a STATUS.

Section: 16 bits
    The section number of the STATUS this message accompanies.

Destination Count: 16 bits
    The number of client IP addresses listed in this message.

Reserved: 16 bits
    Reserved for future use and should be set to 0.

Client IP Address: 32 bits each
    The IP address of one or more clients that a proxy received a STATUS
    from and is now relaying to the server.


4.2.14 COMPLETE

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |     Status    |            File ID            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Destination Count       |            Reserved           |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   |                      Client IP Address                        |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   :                             ....                              :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by the client in response to a DONE message when the client has received
the whole file.  May also be sent in response to a FILEINFO if the session
is a restart session and the client received the whole file on a prior
attempt.  If encryption is enabled, this message is encrypted and
embedded within an ENCRYPTED message.  If the file ID is 0, indicating the end
of the session, all files and directories sent during the session are moved
from the client's temp directory to the destination directory, if a temp
directory was specified.  Files within directories are moved as part of the
containing directory.

Function: 8 bits
    The message number for this message.  Always 12.

Status: 8 bits
    Specifies the status of the COMPLETE message.  When in sync mode, a status
    of COMP_STAT_NORMAL specifies that the file was a new file copied over,
    a status of COMP_STAT_SKIPPED specifies that the file was skipped because
    the incoming file was older, and a status of COMP_STAT_OVERWRITE specifies
    that the file overwrote an existing file.  When not in sync mode, the
    status is set to COMP_STAT_NORMAL if the file was sent successfully.  If
    the client rejects the file due to a pathname or filename issue,
    regardless of sync mode, the status is set to COMP_STAT_REJECTED.

File ID: 16 bits
    The identifier of the current file.

Destination Count: 16 bits
    The number of client IP addresses listed in this message.

Reserved: 16 bits
    Reserved for future use and should be set to 0.

Client IP Address: 32 bits each
    The IP address of one or more clients that a proxy received a COMPLETE
    from and is now relaying to the server.


4.2.15 DONE_CONF

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |    Reserved   |            File ID            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Destination Count       |            Reserved           |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   |                      Client IP Address                        |
   +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   :                             ....                              :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by the server in response to a COMPLETE message at the end of a session.
Contains the list of clients that have completed.  Multiple messages may be
sent to accommodate the full list of clients.  The server will not resend this
message for a given client unless it receives an extra COMPLETE from that
client.  If encryption is enabled, this message is encrypted and embedded
within an ENCRYPTED message.

Function: 8 bits
    The message number for this message.  Always 13.

Reserved: 8 bits
    Reserved for future use and should be set to 0.

File ID: 16 bits
    The identifier of the current file.  TODO: remove this field, not needed.

Destination Count: 16 bits
    The number of client IP addresses listed in this message.

Reserved: 16 bits
    Reserved for future use and should be set to 0.

Client IP Address: 32 bits each
    The IP address of one or more clients that the server received a
    COMPLETE for.


4.2.16 ABORT

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |     Flags     |            Reserved           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             Host                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            Message                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by either a client or server when an error condition occurs.  This
message may or may not be encrypted, depending on whether or not the group
master key has been negotiated.

Function: 8 bits
    The message number for this message.  Always 99.

Flags: 8 bits
    0x01 - CURRENT_FILE
        Applies only if sent to a client, and only if the Host field is zero.
        If set, specifies that all clients not actively working on the
        current file must abort.  Clients that finished the current file do
        NOT abort and may receive the next file in the session.
    All other bits should be set to 0.

Reserved: 16 bits
    Reserved for future use and should be set to 0.

Host: 32 bits
    If sent by the server, specifies the client the server wishes to abort, or
    zero to specify that all clients must abort.  If sent by a client, this
    is set to zero.  If sent by a proxy on behalf of a client, it is set to
    the IP of the client that is aborting.  If sent by a proxy on its own
    behalf, it is set to zero.

Message: 300 bytes
    Descriptive text stating the reason for the abort.


4.2.17 HB_REQ

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |                  Reserved                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Public Key Modulus Length   |      Signed Nonce Length      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             Nonce                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Public Key Exponent                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Public Key Modulus                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Signed Nonce                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by a proxy (usually a client proxy) to an upstream proxy for the purpose
of opening up a hole in a firewall that the upstream proxy can send through,
and revealing the proxy's NATed IP to the upstream proxy so the upstream
proxy knows where to send other requests.

Function: 8 bits
    The message number for this message.  Always 14.

Reserved: 24 bits
    Reserved for future use and should be set to 0.

Public Key Modulus Length: 16 bits
    The length in bytes of the proxy's RSA public key modulus.

Signed Nonce Length: 16 bits
    The length in bytes of the signed nonce field.

Nonce: 32 bits
    The value received from a previous HB_RESP that is to be signed.

Public Key Exponent: 32 bits
    The public key exponent of the proxy's RSA public key.

Public Key Modulus: varies
    The public key modulus of the proxy's RSA public key.

Signed Nonce: varies
    The signature from the proxy's RSA private key of the specified nonce.


4.2.18 HB_RESP

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   | Authenticated |           Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             Nonce                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by a proxy in response to an HB_REQ message.

Function: 8 bits
    The message number for this message.  Always 15.

Authenticated: 8 bits
    Specifies the status of the HB_REQ this message is responding to.  A value
    of HB_AUTH_OK means authentication succeeded or was not required.  A value
    of HB_AUTH_CHALLENGE means expected authentication info was not specified.
    A value of HB_AUTH_FAILED means the given authentication info was invalid.

Reserved: 16 bits
    Reserved for future use and should be set to 0.

Nonce: 32 bits
    When Authenticated = HB_AUTH_CHALLENGE, the nonce value that is expected
    to be signed in an authenticated HB_REQ.
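The challenge sequence that HB_REQ and HB_RESP describe, with both proxies' messages, as an added Python example written for this page (not the UFTP project's code): the downstream proxy sends a plain HB_REQ, the upstream proxy answers HB_AUTH_CHALLENGE with a fresh nonce, the downstream proxy signs that nonce with its RSA private key and resends, and the upstream proxy checks that the nonce is the one it issued (and consumes it, so a captured signed request cannot be replayed), that the key is one it accepts, and that the signature verifies. The toy textbook RSA, signing SHA-256 of the big-endian nonce, the zero-length encoding of an unauthenticated HB_REQ, and the allow-list of accepted keys are all this example's assumptions; the spec fixes only the message layouts and the three Authenticated codes.

```python
import hashlib
import random
import secrets
import struct

HB_REQ, HB_RESP = 14, 15                                  # section 4.3.1
HB_AUTH_FAILED, HB_AUTH_OK, HB_AUTH_CHALLENGE = 0, 1, 2   # section 4.3.5
_REQ = struct.Struct("!B3xHHII")   # Function, Reserved(24), Mod Len, Sig Len, Nonce, Exponent
_RESP = struct.Struct("!BBxxI")    # Function, Authenticated, Reserved(16), Nonce

# Toy textbook RSA so the exchange runs offline (no padding, short keys,
# home-grown primality test): fit for this demonstration only.
def _probable_prime(n, rounds=20):
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                      # Miller-Rabin; n is large and odd
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def gen_keypair(bits=192):
    """Return (n, e, d); a 384-bit n is larger than any SHA-256 digest."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        if p != q and (p - 1) % e and (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _digest(nonce):
    return int.from_bytes(hashlib.sha256(struct.pack("!I", nonce)).digest(), "big")

def sign_nonce(nonce, key):
    n, _, d = key
    return pow(_digest(nonce), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def verify_nonce(nonce, sig, modulus, exponent):
    n = int.from_bytes(modulus, "big")
    return n > 1 and pow(int.from_bytes(sig, "big"), exponent, n) == _digest(nonce)

def build_hb_req(key=None, nonce=0):
    """No key: unauthenticated HB_REQ with zero-length key and signature
    fields (this example's assumption). With a key: the signed answer."""
    if key is None:
        return _REQ.pack(HB_REQ, 0, 0, 0, 0)
    n, e, _ = key
    mod, sig = n.to_bytes((n.bit_length() + 7) // 8, "big"), sign_nonce(nonce, key)
    return _REQ.pack(HB_REQ, len(mod), len(sig), nonce, e) + mod + sig

def parse_hb_req(datagram):
    if len(datagram) < _REQ.size:
        raise ValueError("datagram shorter than the HB_REQ header")
    func, mlen, slen, nonce, exp = _REQ.unpack_from(datagram)
    if func != HB_REQ or len(datagram) != _REQ.size + mlen + slen:
        raise ValueError("bad HB_REQ framing")
    return nonce, exp, datagram[_REQ.size:_REQ.size + mlen], datagram[_REQ.size + mlen:]

class UpstreamProxy:
    """Upstream side. `allowed` is the set of (modulus bytes, exponent) pairs
    it accepts (an allow-list is this example's assumption); None means
    authentication is not required."""

    def __init__(self, allowed=None):
        self.allowed = allowed
        self.pending = {}                          # peer -> outstanding nonce

    def handle(self, peer, datagram):
        nonce, exp, mod, sig = parse_hb_req(datagram)
        if self.allowed is None:
            return _RESP.pack(HB_RESP, HB_AUTH_OK, 0)
        if not sig:                                # no auth info: issue a challenge
            self.pending[peer] = secrets.randbits(32)
            return _RESP.pack(HB_RESP, HB_AUTH_CHALLENGE, self.pending[peer])
        expected = self.pending.pop(peer, None)    # each nonce is single use
        ok = (expected is not None and nonce == expected
              and (mod, exp) in self.allowed and verify_nonce(nonce, sig, mod, exp))
        return _RESP.pack(HB_RESP, HB_AUTH_OK if ok else HB_AUTH_FAILED, 0)

def run_exchange(key, upstream, peer):
    """Client-proxy side: plain HB_REQ first, signed answer if challenged.
    Returns the Authenticated codes received, in order."""
    _, code, nonce = _RESP.unpack(upstream.handle(peer, build_hb_req()))
    codes = [code]
    if code == HB_AUTH_CHALLENGE:
        codes.append(_RESP.unpack(upstream.handle(peer, build_hb_req(key, nonce)))[1])
    return codes
```

Popping the nonce before verification is deliberate: a failed attempt invalidates the challenge, so the requester has to start over with a fresh HB_REQ rather than retry signatures against the same nonce.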


4.2.19 KEY_REQ

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |                  Reserved                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by a client to a response proxy to solicit a PROXY_KEY message.  The
client will send this message once every 5 seconds until it gets a valid
response.

Function: 8 bits
    The message number for this message.  Always 16.

Reserved: 24 bits
    Reserved for future use and should be set to 0.


4.2.20 PROXY_KEY

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Function   |                  Reserved                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Public Key Modulus Length   |      Signed Nonce Length      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             Nonce                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Public Key Exponent                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Public Key Modulus                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Signed Nonce                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sent by a response proxy to clients for the purpose of supplying its RSA public
key.  When a client gets an ANNOUNCE directly from a server, it contains
the server's RSA public key.  The client can then use the proxy's key to
encrypt the premaster secret in the REGISTER instead of the server's key.
This message gets sent out on the first specified public multicast address
so all downstream clients can read it.  To avoid a denial of service attack,
the proxy will not send this message more than once every 5 seconds.

Function: 8 bits
    The message number for this message.  Always 17.

Reserved: 24 bits
    Reserved for future use and should be set to 0.

Public Key Modulus Length: 16 bits
    The length in bytes of the proxy's RSA public key modulus.

Signed Nonce Length: 16 bits
    The length in bytes of the signed nonce field.

Nonce: 32 bits
    A randomly chosen value that will be signed by the proxy's RSA private key.

Public Key Exponent: 32 bits
    The public key exponent of the proxy's RSA public key.

Public Key Modulus: varies
    The public key modulus of the proxy's RSA public key.

Signed Nonce: varies
    The signature from the proxy's RSA private key of the specified nonce.


4.3 Message Constants

4.3.1 Message type numbers

ANNOUNCE        1
REGISTER        2
CLIENT_KEY      3
REG_CONF        4
FILEINFO        5
KEYINFO         6
INFO_ACK        7
FILESEG         8
DONE            9
STATUS          10
PRSTATUS        11
COMPLETE        12
DONE_CONF       13
HB_REQ          14
HB_RESP         15
KEY_REQ         16
PROXY_KEY       17
ENCRYPTED       80
ABORT           99

4.3.2 Key type numbers

None            0
DES             1
Triple DES      2
AES 128         3
AES 256         4

4.3.3 Hash type numbers

None            0
MD5             1
SHA-1           2
SHA-256         3

4.3.4 Signature type numbers

None            0
HMAC            1
RSA             2

4.3.5 Heartbeat authentication codes

HB_AUTH_FAILED     0
HB_AUTH_OK         1
HB_AUTH_CHALLENGE  2

4.3.6 File types

Regular file    0
Directory       1
Symbolic Link   2

4.3.7 Completion status

COMP_STAT_NORMAL     0
COMP_STAT_SKIPPED    1
COMP_STAT_OVERWRITE  2
COMP_STAT_REJECTED   3
