| 1 | /* Magic numbers used within secnet */ |
| 2 | /* |
| 3 | * This file is part of secnet. |
| 4 | * See README for full list of copyright holders. |
| 5 | * |
| 6 | * secnet is free software; you can redistribute it and/or modify it |
| 7 | * under the terms of the GNU General Public License as published by |
| 8 | * the Free Software Foundation; either version 3 of the License, or |
| 9 | * (at your option) any later version. |
| 10 | * |
| 11 | * secnet is distributed in the hope that it will be useful, but |
| 12 | * WITHOUT ANY WARRANTY; without even the implied warranty of |
| 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 14 | * General Public License for more details. |
| 15 | * |
| 16 | * You should have received a copy of the GNU General Public License |
| 17 | * version 3 along with secnet; if not, see |
| 18 | * https://www.gnu.org/licenses/gpl.html. |
| 19 | */ |
| 20 | |
| 21 | #ifndef magic_h |
| 22 | #define magic_h |
| 23 | |
| 24 | /* Encode a pair of 16 bit major and minor codes as a single 32-bit label. |
| 25 | * The encoding is strange for historical reasons. Suppose that the nibbles |
| 26 | * of the major number are (from high to low) a, b, c, d, and the minor |
| 27 | * number has nibbles w, x, y, z. (Here, a, b, c, d are variables, not hex |
| 28 | * digits.) We scramble them to form a message label as follows. |
| 29 | * |
| 30 | * 0 d 0 d 0 d 0 d |
| 31 | * 0 0 0 a b c 0 0 |
| 32 | * z 0 0 0 0 0 z 0 |
| 33 | * w x y 0 0 0 0 0 |
| 34 | * --------------- |
| 35 | * f g h i j k l m |
| 36 | * |
| 37 | * and calculate the nibbles f, g, ..., m of the message label (higher |
| 38 | * significance on the left) by XORing the columns. It can be shown that |
| 39 | * this is invertible using linear algebra in GF(16), but it's easier to |
| 40 | * notice that d = m, z = l, c = k XOR d, b = j, a = i XOR d, y = h, |
| 41 | * x = g XOR d, and w = f XOR z. |
| 42 | * |
| 43 | * Encoding in the forward direction, from a major/minor pair to a label, is |
| 44 | * (almost?) always done on constants, so its performance is fairly |
| 45 | * unimportant. There is a compatibility constraint on the patterns produced |
| 46 | * with a = b = c = w = x = y = 0. Subject to that, I wanted to find an |
| 47 | * invertible GF(16)-linear transformation which would let me recover the |
| 48 | * major and minor numbers with relatively little calculation. |
| 49 | */ |
| 50 | |
/*
 * MSGCODE(major, minor): build the 32-bit message label for a 16-bit
 * major/minor pair.  The terms below are the rows of the diagram in the
 * comment above; rows share nibble positions (7, 6, 4 and 2), which is
 * why they are combined with XOR rather than OR.
 *
 * Both arguments are expanded more than once, so pass expressions without
 * side effects.  The expansion casts to uint32_t and this header includes
 * nothing itself, so <stdint.h> must already be in scope wherever the
 * macro is used.
 */
#define MSGCODE(major, minor)                                           \
    (/* minor nibbles w, x, y -> label nibbles 7, 6, 5 */               \
     (((uint32_t)(minor) & 0xfff0u) << 16) ^                            \
     /* minor nibble z -> label nibbles 7 and 1 */                      \
     (((uint32_t)(minor) & 0xfu) << 28) ^                               \
     (((uint32_t)(minor) & 0xfu) << 4) ^                                \
     /* major nibbles a, b, c -> label nibbles 4, 3, 2 */               \
     (((uint32_t)(major) & 0xfff0u) << 4) ^                             \
     /* major nibble d -> label nibbles 6, 4, 2 and 0 */                \
     (((uint32_t)(major) & 0xfu) << 24) ^                               \
     (((uint32_t)(major) & 0xfu) << 16) ^                               \
     (((uint32_t)(major) & 0xfu) << 8) ^                                \
     (((uint32_t)(major) & 0xfu) << 0))
| 60 | |
/*
 * Recover the 16-bit major and minor codes from a 32-bit message label
 * (the inverse of MSGCODE).  Writing the label's nibbles as
 * f g h i j k l m, most significant first:
 *
 *   major = (i^m)  j     (k^m)  m
 *   minor = (f^l)  (g^m)  h     l
 *
 * Neither macro validates anything.  The encoding is invertible, so every
 * 32-bit value decodes to some major/minor pair; a label taken from a
 * received packet still has to be matched against the LABEL_* values the
 * receiver actually handles before it is acted on.
 *
 * The argument is expanded several times; pass a side-effect-free
 * expression.
 */
#define MSGMAJOR(label)                                                 \
    (/* label nibbles i, j, k -> major nibbles 3, 2, 1 */               \
     (((uint32_t)(label) & 0x000fff00u) >> 4) ^                         \
     /* m cancels the d folded into i and k, and is major nibble 0 */   \
     (((uint32_t)(label) & 0xfu) << 12) ^                               \
     (((uint32_t)(label) & 0xfu) << 4) ^                                \
     (((uint32_t)(label) & 0xfu) << 0))
#define MSGMINOR(label)                                                 \
    (/* label nibbles f, g, h -> minor nibbles 3, 2, 1 */               \
     (((uint32_t)(label) & 0xfff00000u) >> 16) ^                        \
     /* l (which is z) -> minor nibble 0 */                             \
     (((uint32_t)(label) & 0xf0u) >> 4) ^                               \
     /* l cancels the z folded into f, m cancels the d folded into g */ \
     (((uint32_t)(label) & 0xffu) << 8))
| 71 | |
/*
 * Message labels.  The value in each trailing comment is the 32-bit
 * result of MSGCODE for that major/minor pair, worked out from the macro
 * definition; it is what to look for when reading a label out of a raw
 * packet.
 *
 * LABEL_MSG0 is the odd one out: its major code is 0x2020 rather than a
 * small integer, so it does not follow the 0x0N0N0N0N pattern of the
 * other minor-0 labels.
 */
#define LABEL_NAK     MSGCODE(0, 0)       /* 0x00000000 */
#define LABEL_MSG0    MSGCODE(0x2020, 0)  /* 0x00020200 (!) */
#define LABEL_MSG1    MSGCODE(1, 0)       /* 0x01010101 */
#define LABEL_MSG2    MSGCODE(2, 0)       /* 0x02020202 */
#define LABEL_MSG3    MSGCODE(3, 0)       /* 0x03030303 */
#define LABEL_MSG3BIS MSGCODE(3, 1)       /* 0x13030313 */
#define LABEL_MSG3TER MSGCODE(3, 2)       /* 0x23030323 */
#define LABEL_MSG4    MSGCODE(4, 0)       /* 0x04040404 */
#define LABEL_MSG5    MSGCODE(5, 0)       /* 0x05050505 */
#define LABEL_MSG6    MSGCODE(6, 0)       /* 0x06060606 */
#define LABEL_MSG7    MSGCODE(7, 0)       /* 0x07070707 */
#define LABEL_MSG8    MSGCODE(8, 0)       /* 0x08080808 */
#define LABEL_MSG9    MSGCODE(9, 0)       /* 0x09090909 */
#define LABEL_PROD    MSGCODE(10, 0)      /* 0x0a0a0a0a */
| 86 | |
| 87 | /* |
| 88 | * The capability mask is a set of bits, one for each optional feature |
| 89 | * supported. The capability numbers for transforms are set in the |
| 90 | * configuration (and should correspond between the two sites), although |
| 91 | * there are sensible defaults. |
| 92 | * |
| 93 | * Advertising a nonzero capability mask promises that the receiver |
| 94 | * understands LABEL_MSG3BIS messages, which contain an additional byte |
| 95 | * specifying the transform capability number actually chosen by the MSG3 |
| 96 | * sender. |
| 97 | * |
| 98 | * Aside from that, an empty bitmask is treated the same as |
| 99 | * 1u<<CAPAB_BIT_ANCIENTTRANSFORM |
| 100 | */ |
| 101 | |
/*
 * Fields of the 32-bit capability bitmap.  Bits not named here are unused.
 *
 * With a 32-bit int, the first two constants have type int, while
 * 0x80000000 does not fit in int and is therefore unsigned.  Convert to
 * uint32_t before complementing or shifting any of them.
 *
 * NOTE(review): CAPAB_INEXPLICIT_TRANSFORM_MASK covers bits 0..15, which
 * includes the CAPAB_EXPLICIT_TRANSFORM_DH bit (bit 15).  Confirm that
 * the overlap is intended by the code that tests these masks.
 */

/* DH group implicit */
#define CAPAB_INEXPLICIT_TRANSFORM_MASK 0x0000ffff

/* Explicit xform and DH; same bit as CAPAB_BIT_EXPLICIT_TRANSFORM_DH */
#define CAPAB_EXPLICIT_TRANSFORM_DH     0x00008000

/* mobile site has MSG1 priority; this is bit 31, the top bit */
#define CAPAB_PRIORITY_MOBILE           0x80000000
| 107 | |
/*
 * Bit indices into the capability bitmap; index 0 is the least
 * significant bit.  Indices 13 and 14 have no name in this header.
 */

/* Inclusive range 0..7.  Presumably the capability numbers assigned in
 * the configuration -- confirm against the config parser. */
#define CAPAB_BIT_USER_MIN               0
#define CAPAB_BIT_USER_MAX               7

/* Built-in capabilities with fixed indices. */
#define CAPAB_BIT_SERPENT256CBC          8
#define CAPAB_BIT_EAXSERPENT             9
#define CAPAB_BIT_TRADZP                10
#define CAPAB_BIT_X25519                11
#define CAPAB_BIT_X448                  12

/* Index of the bit whose mask is CAPAB_EXPLICIT_TRANSFORM_DH (0x00008000). */
#define CAPAB_BIT_EXPLICIT_TRANSFORM_DH 15

/* Highest index in the 32-bit bitmap. */
#define CAPAB_BIT_MAX                   31

/*
 * The transform assumed when a peer advertises an empty bitmask (see the
 * capability-mask comment above), so this is the fallback whenever no
 * capability bits arrive.
 * NOTE(review): the negotiation code is not in this header; confirm there
 * that the advertised mask is covered by the handshake's integrity checks,
 * so that the fallback is chosen only when the peer really sent no bits.
 */
#define CAPAB_BIT_ANCIENTTRANSFORM CAPAB_BIT_SERPENT256CBC
| 120 | |
| 121 | #endif /* magic_h */ |