~mdw / tripe / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Expunge revision histories in files.
[tripe] / keyexch.c
CommitLineData
410c8acf 1/* -*-c-*-
2 *
b4e56668 3 * $Id: keyexch.c,v 1.12 2004/04/08 01:36:17 mdw Exp $
410c8acf 4 *
5 * Key exchange protocol
6 *
7 * (c) 2001 Straylight/Edgeware
8 */
9
10/*----- Licensing notice --------------------------------------------------*
11 *
12 * This file is part of Trivial IP Encryption (TrIPE).
13 *
14 * TrIPE is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
18 *
19 * TrIPE is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
23 *
24 * You should have received a copy of the GNU General Public License
25 * along with TrIPE; if not, write to the Free Software Foundation,
26 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 */
28
410c8acf 29/*----- Header files ------------------------------------------------------*/
30
31#include "tripe.h"
32
737cc271 33/*----- Brief protocol overview -------------------------------------------*
34 *
35 * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
36 * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
37 * application of the symmetric packet protocol to a message; let
38 * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
39 * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
40 * be Bob's public key.
41 *
42 * At the beginning of the session, Alice chooses
43 *
44 * %$\rho_A \inr \{0, \ldots q - 1\}$%
45 *
46 * We also have:
47 *
48 * %$r_A = g^{\rho_A}$% Alice's challenge
49 * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
50 * %$v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})$%
51 * Alice's challenge check value
52 * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
53 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
54 * Alice and Bob's shared secret key
55 * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
56 * Alice's switch request value
57 * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
58 * Alice's switch confirm value
59 *
60 * The messages are then:
61 *
62 * %$\cookie{kx-pre-challenge}, r_A$%
63 * Initial greeting. In state @KXS_CHAL@.
64 *
65 * %$\cookie{kx-cookie}, r_A, c_B$%
66 * My table is full but I got your message.
67 *
68 * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
69 * Here's a full challenge for you to answer.
70 *
71 * %$\cookie{kx-reply}, c_A, c_B, v_A, E_K(r_B^\alpha))$%
72 * Challenge accpeted: here's the answer. Commit to my challenge. Move
73 * to @KXS_COMMIT@.
74 *
75 * %$\cookie{kx-switch}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
76 * Reply received: here's my reply. Committed; send data; move to
77 * @KXS_SWITCH@.
78 *
79 * %$\cookie{kx-switch-ok}, E_K(u_A))$%
80 * Switch received. Committed; send data; move to @KXS_SWITCH@.
81 */
82
410c8acf 83/*----- Tunable parameters ------------------------------------------------*/
84
2de0ad0f 85#define T_VALID MIN(2) /* Challenge validity period */
86#define T_RETRY SEC(10) /* Challenge retransmit interval */
410c8acf 87
0617b6e7 88#define ISVALID(kx, now) ((now) < (kx)->t_valid)
89
90/*----- Various utilities -------------------------------------------------*/
410c8acf 91
52c03a2a 92/* --- @hashge@ --- *
410c8acf 93 *
0617b6e7 94 * Arguments: @HASH_CTX *r@ = pointer to hash context
52c03a2a 95 * @ge *x@ = pointer to group element
410c8acf 96 *
97 * Returns: ---
98 *
52c03a2a 99 * Use: Adds the hash of a group element to the context. Corrupts
100 * @buf_t@.
410c8acf 101 */
102
52c03a2a 103static void hashge(HASH_CTX *r, ge *x)
410c8acf 104{
105 buf b;
0617b6e7 106 buf_init(&b, buf_t, sizeof(buf_t));
52c03a2a 107 G_TOBUF(gg, &b, x);
410c8acf 108 assert(BOK(&b));
0617b6e7 109 HASH(r, BBASE(&b), BLEN(&b));
410c8acf 110}
111
5d418e24 112/* --- @mpcrypt@ --- *
113 *
114 * Arguments: @mp *d@ = the destination integer
115 * @mp *x@ = the plaintext/ciphertext integer
116 * @size_t sz@ = the expected size of the plaintext
117 * @const octet *k@ = pointer to key material
118 * @size_t ksz@ = size of the key
119 *
120 * Returns: The encrypted/decrypted integer.
121 *
52c03a2a 122 * Use: Encrypts (or decrypts) a multiprecision integer. In fact,
123 * the title is a bit of a misnomer: we actually compute
124 * %$x \xor H(k)$%, so it's a random oracle thing rather than an
125 * encryption thing.
5d418e24 126 */
127
128static mp *mpcrypt(mp *d, mp *x, size_t sz, const octet *k, size_t ksz)
129{
130 MGF_CTX m;
131
132 MGF_INIT(&m, k, ksz, 0);
133 mp_storeb(x, buf_t, sz);
134 MGF_CRYPT(&m, buf_t, buf_t, sz);
135 return (mp_loadb(d, buf_t, sz));
136}
137
410c8acf 138/* --- @timer@ --- *
139 *
140 * Arguments: @struct timeval *tv@ = the current time
141 * @void *v@ = pointer to key exchange context
142 *
143 * Returns: ---
144 *
145 * Use: Acts when the key exchange timer goes off.
146 */
147
148static void timer(struct timeval *tv, void *v)
149{
150 keyexch *kx = v;
151 kx->f &= ~KXF_TIMER;
152 T( trace(T_KEYEXCH, "keyexch: timer has popped"); )
153 kx_start(kx);
154}
155
156/* --- @settimer@ --- *
157 *
158 * Arguments: @keyexch *kx@ = pointer to key exchange context
159 * @time_t t@ = when to set the timer for
160 *
161 * Returns: ---
162 *
163 * Use: Sets the timer for the next key exchange attempt.
164 */
165
166static void settimer(keyexch *kx, time_t t)
167{
168 struct timeval tv;
169 if (kx->f & KXF_TIMER)
170 sel_rmtimer(&kx->t);
171 tv.tv_sec = t;
172 tv.tv_usec = 0;
173 sel_addtimer(&sel, &kx->t, &tv, timer, kx);
174 kx->f |= KXF_TIMER;
175}
176
0617b6e7 177/*----- Challenge management ----------------------------------------------*/
178
179/* --- Notes on challenge management --- *
410c8acf 180 *
0617b6e7 181 * We may get multiple different replies to our key exchange; some will be
182 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
183 * received will be added to the table and given a full response. After
184 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
185 * our existing challenge, followed by a hash of the sender's challenge. We
186 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
187 * properly-formed cookies are assigned a table slot: if none is spare, a
188 * used slot is randomly selected and destroyed. A cookie always receives a
189 * full reply.
190 */
191
192/* --- @kxc_destroy@ --- *
193 *
194 * Arguments: @kxchal *kxc@ = pointer to the challenge block
410c8acf 195 *
196 * Returns: ---
197 *
0617b6e7 198 * Use: Disposes of a challenge block.
410c8acf 199 */
200
0617b6e7 201static void kxc_destroy(kxchal *kxc)
410c8acf 202{
0617b6e7 203 if (kxc->f & KXF_TIMER)
204 sel_rmtimer(&kxc->t);
52c03a2a 205 G_DESTROY(gg, kxc->c);
206 if (kxc->r) G_DESTROY(gg, kxc->r);
5d418e24 207 mp_drop(kxc->ck);
0617b6e7 208 ks_drop(kxc->ks);
209 DESTROY(kxc);
210}
410c8acf 211
0617b6e7 212/* --- @kxc_stoptimer@ --- *
213 *
214 * Arguments: @kxchal *kxc@ = pointer to the challenge block
215 *
216 * Returns: ---
217 *
218 * Use: Stops the challenge's retry timer from sending messages.
219 * Useful when the state machine is in the endgame of the
220 * exchange.
221 */
410c8acf 222
0617b6e7 223static void kxc_stoptimer(kxchal *kxc)
224{
225 if (kxc->f & KXF_TIMER)
226 sel_rmtimer(&kxc->t);
2de0ad0f 227 kxc->f &= ~KXF_TIMER;
0617b6e7 228}
410c8acf 229
0617b6e7 230/* --- @kxc_new@ --- *
231 *
232 * Arguments: @keyexch *kx@ = pointer to key exchange block
0617b6e7 233 *
234 * Returns: A pointer to the challenge block.
235 *
236 * Use: Returns a pointer to a new challenge block to fill in.
237 */
410c8acf 238
0617b6e7 239static kxchal *kxc_new(keyexch *kx)
240{
241 kxchal *kxc;
242 unsigned i;
243
244 /* --- If we're over reply threshold, discard one at random --- */
245
246 if (kx->nr < KX_NCHAL)
247 i = kx->nr++;
248 else {
249 i = rand_global.ops->range(&rand_global, KX_NCHAL);
250 kxc_destroy(kx->r[i]);
410c8acf 251 }
252
0617b6e7 253 /* --- Fill in the new structure --- */
410c8acf 254
0617b6e7 255 kxc = CREATE(kxchal);
52c03a2a 256 kxc->c = G_CREATE(gg);
0617b6e7 257 kxc->r = 0;
52c03a2a 258 kxc->ck = MP_NEW;
0617b6e7 259 kxc->ks = 0;
260 kxc->kx = kx;
261 kxc->f = 0;
262 kx->r[i] = kxc;
263 return (kxc);
264}
410c8acf 265
0617b6e7 266/* --- @kxc_bychal@ --- *
267 *
268 * Arguments: @keyexch *kx@ = pointer to key exchange block
52c03a2a 269 * @ge *c@ = challenge from remote host
0617b6e7 270 *
271 * Returns: Pointer to the challenge block, or null.
272 *
273 * Use: Finds a challenge block, given its challenge.
274 */
275
52c03a2a 276static kxchal *kxc_bychal(keyexch *kx, ge *c)
0617b6e7 277{
278 unsigned i;
279
280 for (i = 0; i < kx->nr; i++) {
52c03a2a 281 if (G_EQ(gg, c, kx->r[i]->c))
0617b6e7 282 return (kx->r[i]);
283 }
284 return (0);
285}
286
287/* --- @kxc_byhc@ --- *
288 *
289 * Arguments: @keyexch *kx@ = pointer to key exchange block
290 * @const octet *hc@ = challenge hash from remote host
291 *
292 * Returns: Pointer to the challenge block, or null.
293 *
294 * Use: Finds a challenge block, given a hash of its challenge.
295 */
410c8acf 296
0617b6e7 297static kxchal *kxc_byhc(keyexch *kx, const octet *hc)
298{
299 unsigned i;
300
301 for (i = 0; i < kx->nr; i++) {
302 if (memcmp(hc, kx->r[i]->hc, HASHSZ) == 0)
303 return (kx->r[i]);
410c8acf 304 }
0617b6e7 305 return (0);
306}
307
308/* --- @kxc_answer@ --- *
309 *
310 * Arguments: @keyexch *kx@ = pointer to key exchange block
311 * @kxchal *kxc@ = pointer to challenge block
312 *
313 * Returns: ---
314 *
315 * Use: Sends a reply to the remote host, according to the data in
316 * this challenge block.
317 */
318
319static void kxc_answer(keyexch *kx, kxchal *kxc);
320
321static void kxc_timer(struct timeval *tv, void *v)
322{
323 kxchal *kxc = v;
324 kxc->f &= ~KXF_TIMER;
325 kxc_answer(kxc->kx, kxc);
326}
327
328static void kxc_answer(keyexch *kx, kxchal *kxc)
329{
330 stats *st = p_stats(kx->p);
331 buf *b = p_txstart(kx->p, MSG_KEYEXCH | (kxc->r ? KX_REPLY : KX_CHAL));
332 struct timeval tv;
333 buf bb;
334
335 /* --- Build the reply packet --- */
336
337 if (!kxc->r)
52c03a2a 338 G_TOBUF(gg, b, kx->c);
0617b6e7 339 else
340 buf_put(b, kx->hc, HASHSZ);
341 buf_put(b, kxc->hc, HASHSZ);
5d418e24 342 buf_putmp(b, kxc->ck);
0617b6e7 343
344 /* --- Maybe send an actual reply, if we have one --- */
410c8acf 345
0617b6e7 346 if (!kxc->r) {
347 T( trace(T_KEYEXCH, "keyexch: resending challenge to `%s'",
348 p_name(kx->p)); )
349 } else {
350 T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
351 buf_init(&bb, buf_i, sizeof(buf_i));
52c03a2a 352 G_TOBUF(gg, &bb, kxc->r);
0617b6e7 353 buf_flip(&bb);
7ed14135 354 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
0617b6e7 355 }
356
357 /* --- Update the statistics --- */
358
359 if (BOK(b)) {
360 st->n_kxout++;
361 st->sz_kxout += BLEN(b);
362 p_txend(kx->p);
363 }
364
365 /* --- Schedule another resend --- */
366
367 if (kxc->f & KXF_TIMER)
368 sel_rmtimer(&kxc->t);
369 gettimeofday(&tv, 0);
370 tv.tv_sec += T_RETRY;
371 sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc);
372 kxc->f |= KXF_TIMER;
373}
374
375/*----- Individual message handlers ---------------------------------------*/
376
377/* --- @getreply@ --- *
378 *
379 * Arguments: @keyexch *kx@ = pointer to key exchange context
52c03a2a 380 * @ge *c@ = a challenge
5d418e24 381 * @mp *ck@ = the supplied expected-reply check value
0617b6e7 382 *
383 * Returns: A pointer to the reply, or null if the reply-hash was wrong.
384 *
385 * Use: Computes replies to challenges.
386 */
387
52c03a2a 388static ge *getreply(keyexch *kx, ge *c, mp *ck)
0617b6e7 389{
52c03a2a 390 ge *r = G_CREATE(gg);
391 ge *y = G_CREATE(gg);
392 mp *a = MP_NEW;
0617b6e7 393 HASH_CTX h;
5d418e24 394 octet buf[HASHSZ];
395 int ok;
0617b6e7 396
52c03a2a 397 G_EXP(gg, r, c, kpriv);
0617b6e7 398 HASH_INIT(&h);
399 HASH_STRING(&h, "tripe-expected-reply");
52c03a2a 400 hashge(&h, c);
401 hashge(&h, kx->c);
402 hashge(&h, r);
0617b6e7 403 HASH_DONE(&h, buf);
5d418e24 404
52c03a2a 405 a = mpcrypt(MP_NEW, ck, mp_octets(gg->r), buf, sizeof(buf));
0617b6e7 406 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
52c03a2a 407 trace(T_CRYPTO, "crypto: computed reply = %s", gestr(gg, r));
0617b6e7 408 trace_block(T_CRYPTO, "crypto: computed reply hash", buf, HASHSZ);
5d418e24 409 trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(a));
0617b6e7 410 }))
52c03a2a 411 G_EXP(gg, y, gg->g, a);
412 ok = G_EQ(gg, y, c);
5d418e24 413 if (!ok) {
414 a_warn("invalid expected-reply check from `%s'", p_name(kx->p));
415 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
52c03a2a 416 trace(T_CRYPTO, "crypto: computed challenge = %s", gestr(gg, y));
5d418e24 417 }))
52c03a2a 418 G_DESTROY(gg, r);
419 r = 0;
0617b6e7 420 }
5d418e24 421 mp_drop(a);
52c03a2a 422 G_DESTROY(gg, y);
423 return (r);
0617b6e7 424}
425
426/* --- @dochallenge@ --- *
427 *
428 * Arguments: @keyexch *kx@ = pointer to key exchange block
429 * @unsigned msg@ = message code for the packet
430 * @buf *b@ = buffer containing the packet
431 *
432 * Returns: Zero if OK, nonzero if the packet was rejected.
433 *
434 * Use: Processes a packet containing a challenge.
435 */
436
437static int dochallenge(keyexch *kx, unsigned msg, buf *b)
438{
52c03a2a 439 ge *c = G_CREATE(gg);
440 mp *ck = MP_NEW;
5d418e24 441 const octet *hc = 0;
0617b6e7 442 kxchal *kxc;
443 HASH_CTX h;
5d418e24 444 octet buf[HASHSZ];
0617b6e7 445
446 /* --- Ensure that we're in a sensible state --- */
447
448 if (kx->s != KXS_CHAL) {
449 a_warn("unexpected challenge from `%s'", p_name(kx->p));
450 goto bad;
451 }
452
453 /* --- Unpack the packet --- */
454
52c03a2a 455 if (G_FROMBUF(gg, b, c) ||
0617b6e7 456 (msg >= KX_COOKIE && (hc = buf_get(b, HASHSZ)) == 0) ||
5d418e24 457 (msg >= KX_CHAL && (ck = buf_getmp(b)) == 0) ||
0617b6e7 458 BLEFT(b)) {
459 a_warn("malformed packet from `%s'", p_name(kx->p));
460 goto bad;
461 }
462
463 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
52c03a2a 464 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
0617b6e7 465 if (hc) trace_block(T_CRYPTO, "crypto: cookie", hc, HASHSZ);
5d418e24 466 if (ck) trace(T_CRYPTO, "crypto: check value = %s", mpstr(ck));
0617b6e7 467 }))
468
469 /* --- First, handle a bare challenge --- *
470 *
471 * If the table is heavily loaded, just emit a cookie and return.
472 */
473
474 if (!hc && kx->nr >= KX_THRESH) {
475 T( trace(T_KEYEXCH, "keyexch: too many challenges -- sending cookie"); )
476 b = p_txstart(kx->p, MSG_KEYEXCH | KX_COOKIE);
52c03a2a 477 G_TOBUF(gg, b, kx->c);
0617b6e7 478 HASH_INIT(&h);
479 HASH_STRING(&h, "tripe-cookie");
52c03a2a 480 hashge(&h, c);
0617b6e7 481 HASH_DONE(&h, buf_get(b, HASHSZ));
482 p_txend(kx->p);
483 goto tidy;
484 }
485
486 /* --- Discard a packet with an invalid cookie --- */
487
488 if (hc && memcmp(hc, kx->hc, HASHSZ) != 0) {
489 a_warn("incorrect cookie from `%s'", p_name(kx->p));
490 goto bad;
491 }
492
493 /* --- Find a challenge block for this packet --- *
410c8acf 494 *
0617b6e7 495 * If there isn't one already, create a new one.
410c8acf 496 */
497
0617b6e7 498 if ((kxc = kxc_bychal(kx, c)) == 0) {
499 size_t x, y, z;
52c03a2a 500 ge *r;
0617b6e7 501
502 /* --- Be careful here --- *
503 *
504 * If this is a full challenge, and it's the first time I've seen it, I
505 * want to be able to throw it away before committing a table entry to
506 * it.
507 */
508
5d418e24 509 if (!ck)
0617b6e7 510 kxc = kxc_new(kx);
511 else {
5d418e24 512 if ((r = getreply(kx, c, ck)) == 0)
0617b6e7 513 goto bad;
514 kxc = kxc_new(kx);
515 kxc->r = r;
410c8acf 516 }
52c03a2a 517 kxc->c = G_CREATE(gg);
518 G_COPY(gg, kxc->c, c);
0617b6e7 519
520 /* --- Work out the cookie for this challenge --- */
521
522 HASH_INIT(&h);
523 HASH_STRING(&h, "tripe-cookie");
52c03a2a 524 hashge(&h, kxc->c);
0617b6e7 525 HASH_DONE(&h, kxc->hc);
526
527 /* --- Compute the expected-reply hash --- */
528
529 HASH_INIT(&h);
530 HASH_STRING(&h, "tripe-expected-reply");
52c03a2a 531 hashge(&h, kx->c);
532 hashge(&h, kxc->c);
533 hashge(&h, kx->rx);
5d418e24 534 HASH_DONE(&h, buf);
52c03a2a 535 kxc->ck = mpcrypt(MP_NEW, kx->alpha, mp_octets(gg->r),
5d418e24 536 buf, sizeof(buf));
0617b6e7 537
538 /* --- Work out the shared key --- */
539
52c03a2a 540 r = G_CREATE(gg);
541 G_EXP(gg, r, c, kx->alpha);
0617b6e7 542
543 /* --- Compute the switch messages --- */
544
545 HASH_INIT(&h); HASH_STRING(&h, "tripe-switch-request");
52c03a2a 546 hashge(&h, kx->c); hashge(&h, kxc->c);
0617b6e7 547 HASH_DONE(&h, kxc->hswrq_out);
548 HASH_INIT(&h); HASH_STRING(&h, "tripe-switch-confirm");
52c03a2a 549 hashge(&h, kx->c); hashge(&h, kxc->c);
0617b6e7 550 HASH_DONE(&h, kxc->hswok_out);
551
552 HASH_INIT(&h); HASH_STRING(&h, "tripe-switch-request");
52c03a2a 553 hashge(&h, kxc->c); hashge(&h, kx->c);
0617b6e7 554 HASH_DONE(&h, kxc->hswrq_in);
555 HASH_INIT(&h); HASH_STRING(&h, "tripe-switch-confirm");
52c03a2a 556 hashge(&h, kxc->c); hashge(&h, kx->c);
0617b6e7 557 HASH_DONE(&h, kxc->hswok_in);
558
559 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
560 trace_block(T_CRYPTO, "crypto: computed cookie", kxc->hc, HASHSZ);
5d418e24 561 trace_block(T_CRYPTO, "crypto: expected-reply hash",
562 buf, HASHSZ);
563 trace(T_CRYPTO, "crypto: my reply check = %s", mpstr(kxc->ck));
52c03a2a 564 trace(T_CRYPTO, "crypto: shared secret = %s", gestr(gg, r));
0617b6e7 565 trace_block(T_CRYPTO, "crypto: outbound switch request",
566 kxc->hswrq_out, HASHSZ);
567 trace_block(T_CRYPTO, "crypto: outbound switch confirm",
568 kxc->hswok_out, HASHSZ);
569 trace_block(T_CRYPTO, "crypto: inbound switch request",
570 kxc->hswrq_in, HASHSZ);
571 trace_block(T_CRYPTO, "crypto: inbound switch confirm",
572 kxc->hswok_in, HASHSZ);
573 }))
574
575 /* --- Create a new symmetric keyset --- */
576
577 buf_init(b, buf_o, sizeof(buf_o));
52c03a2a 578 G_TOBUF(gg, b, kx->c); x = BLEN(b);
579 G_TOBUF(gg, b, kxc->c); y = BLEN(b);
580 G_TOBUF(gg, b, r); z = BLEN(b);
0617b6e7 581 assert(BOK(b));
582
9466fafa 583 kxc->ks = ks_gen(BBASE(b), x, y, z, kx->p);
52c03a2a 584 G_DESTROY(gg, r);
410c8acf 585 }
586
0617b6e7 587 /* --- Answer the challenge if we need to --- */
410c8acf 588
5d418e24 589 if (ck && !kxc->r) {
52c03a2a 590 ge *r;
5d418e24 591 if ((r = getreply(kx, c, ck)) == 0)
0617b6e7 592 goto bad;
593 kxc->r = r;
410c8acf 594 }
0617b6e7 595
596 kxc_answer(kx, kxc);
597
598 /* --- Tidy up and go home --- */
599
600tidy:
52c03a2a 601 G_DESTROY(gg, c);
5d418e24 602 mp_drop(ck);
0617b6e7 603 return (0);
604
605bad:
52c03a2a 606 G_DESTROY(gg, c);
5d418e24 607 mp_drop(ck);
0617b6e7 608 return (-1);
410c8acf 609}
610
0617b6e7 611/* --- @resend@ --- *
410c8acf 612 *
613 * Arguments: @keyexch *kx@ = pointer to key exchange context
410c8acf 614 *
615 * Returns: ---
616 *
0617b6e7 617 * Use: Sends the next message for a key exchange.
410c8acf 618 */
619
0617b6e7 620static void resend(keyexch *kx)
410c8acf 621{
0617b6e7 622 kxchal *kxc;
623 buf bb;
624 stats *st = p_stats(kx->p);
410c8acf 625 buf *b;
626
0617b6e7 627 switch (kx->s) {
628 case KXS_CHAL:
00e64b67 629 T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'",
630 p_name(kx->p)); )
0617b6e7 631 b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL);
52c03a2a 632 G_TOBUF(gg, b, kx->c);
0617b6e7 633 break;
634 case KXS_COMMIT:
00e64b67 635 T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'",
636 p_name(kx->p)); )
0617b6e7 637 kxc = kx->r[0];
638 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH);
639 buf_put(b, kx->hc, HASHSZ);
640 buf_put(b, kxc->hc, HASHSZ);
641 buf_init(&bb, buf_i, sizeof(buf_i));
52c03a2a 642 G_TOBUF(gg, &bb, kxc->r);
0617b6e7 643 buf_put(&bb, kxc->hswrq_out, HASHSZ);
644 buf_flip(&bb);
7ed14135 645 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCH, &bb, b);
0617b6e7 646 break;
647 case KXS_SWITCH:
00e64b67 648 T( trace(T_KEYEXCH, "keyexch: sending switch confirmation to `%s'",
0617b6e7 649 p_name(kx->p)); )
650 kxc = kx->r[0];
651 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK);
652 buf_init(&bb, buf_i, sizeof(buf_i));
653 buf_put(&bb, kxc->hswok_out, HASHSZ);
654 buf_flip(&bb);
7ed14135 655 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, &bb, b);
0617b6e7 656 break;
657 default:
658 abort();
410c8acf 659 }
0617b6e7 660
661 if (BOK(b)) {
662 st->n_kxout++;
663 st->sz_kxout += BLEN(b);
664 p_txend(kx->p);
665 }
666
667 if (kx->s < KXS_SWITCH)
668 settimer(kx, time(0) + T_RETRY);
410c8acf 669}
670
0617b6e7 671/* --- @matchreply@ --- *
672 *
673 * Arguments: @keyexch *kx@ = pointer to key exchange context
7ed14135 674 * @unsigned ty@ = type of incoming message
0617b6e7 675 * @const octet *hc_in@ = a hash of his challenge
676 * @const octet *hc_out@ = a hash of my challenge (cookie)
5d418e24 677 * @mp *ck@ = his expected-reply hash (optional)
0617b6e7 678 * @buf *b@ = encrypted remainder of the packet
679 *
680 * Returns: A pointer to the challenge block if OK, or null on failure.
681 *
682 * Use: Checks a reply or switch packet, ensuring that its contents
683 * are sensible and correct. If they are, @*b@ is set to point
684 * to the remainder of the encrypted data, and the correct
685 * challenge is returned.
686 */
687
7ed14135 688static kxchal *matchreply(keyexch *kx, unsigned ty, const octet *hc_in,
5d418e24 689 const octet *hc_out, mp *ck, buf *b)
410c8acf 690{
0617b6e7 691 kxchal *kxc;
692 buf bb;
52c03a2a 693 ge *r = 0;
0617b6e7 694
695 /* --- Check the plaintext portions of the data --- */
696
697 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
698 trace_block(T_CRYPTO, "crypto: challenge", hc_in, HASHSZ);
699 trace_block(T_CRYPTO, "crypto: cookie", hc_out, HASHSZ);
5d418e24 700 if (ck) trace(T_CRYPTO, "crypto: check value = %s", mpstr(ck));
0617b6e7 701 }))
702 if (memcmp(hc_out, kx->hc, HASHSZ) != 0) {
703 a_warn("incorrect cookie from `%s'", p_name(kx->p));
704 goto bad;
705 }
706 if ((kxc = kxc_byhc(kx, hc_in)) == 0) {
707 a_warn("received reply for unknown challenge from `%s'", p_name(kx->p));
708 goto bad;
709 }
410c8acf 710
0617b6e7 711 /* --- Maybe compute a reply for the challenge --- */
712
713 if (!kxc->r) {
5d418e24 714 if (!ck) {
0617b6e7 715 a_warn("unexpected switch request from `%s'", p_name(kx->p));
716 goto bad;
717 }
5d418e24 718 if ((r = getreply(kx, kxc->c, ck)) == 0)
0617b6e7 719 goto bad;
720 kxc->r = r;
721 r = 0;
722 }
723
724 /* --- Decrypt the rest of the packet --- */
725
726 buf_init(&bb, buf_o, sizeof(buf_o));
7ed14135 727 if (ks_decrypt(kxc->ks, ty, b, &bb)) {
0617b6e7 728 a_warn("failed to decrypt reply from `%s'", p_name(kx->p));
729 goto bad;
410c8acf 730 }
0617b6e7 731 buf_init(b, BBASE(&bb), BLEN(&bb));
52c03a2a 732 r = G_CREATE(gg);
733 if (G_FROMBUF(gg, b, r)) {
0617b6e7 734 a_warn("invalid reply packet from `%s'", p_name(kx->p));
735 goto bad;
736 }
737 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
52c03a2a 738 trace(T_CRYPTO, "crypto: reply = %s", gestr(gg, r));
0617b6e7 739 }))
52c03a2a 740 if (!G_EQ(gg, r, kx->rx)) {
0617b6e7 741 a_warn("incorrect reply from `%s'", p_name(kx->p));
742 goto bad;
743 }
744
745 /* --- Done --- */
746
52c03a2a 747 G_DESTROY(gg, r);
0617b6e7 748 return (kxc);
749
750bad:
52c03a2a 751 if (r) G_DESTROY(gg, r);
0617b6e7 752 return (0);
410c8acf 753}
754
0617b6e7 755/* --- @commit@ --- *
410c8acf 756 *
757 * Arguments: @keyexch *kx@ = pointer to key exchange context
0617b6e7 758 * @kxchal *kxc@ = pointer to challenge to commit to
410c8acf 759 *
760 * Returns: ---
761 *
0617b6e7 762 * Use: Commits to a particular challenge as being the `right' one,
763 * since a reply has arrived for it.
410c8acf 764 */
765
0617b6e7 766static void commit(keyexch *kx, kxchal *kxc)
410c8acf 767{
0617b6e7 768 unsigned i;
410c8acf 769
0617b6e7 770 for (i = 0; i < kx->nr; i++) {
771 if (kx->r[i] != kxc)
772 kxc_destroy(kx->r[i]);
773 }
774 kx->r[0] = kxc;
775 kx->nr = 1;
776 kxc_stoptimer(kxc);
777 ksl_link(kx->ks, kxc->ks);
410c8acf 778}
779
0617b6e7 780/* --- @doreply@ --- *
410c8acf 781 *
782 * Arguments: @keyexch *kx@ = pointer to key exchange context
0617b6e7 783 * @buf *b@ = buffer containing packet
410c8acf 784 *
0617b6e7 785 * Returns: Zero if OK, nonzero if the packet was rejected.
410c8acf 786 *
0617b6e7 787 * Use: Handles a reply packet. This doesn't handle the various
788 * switch packets: they're rather too different.
410c8acf 789 */
790
0617b6e7 791static int doreply(keyexch *kx, buf *b)
410c8acf 792{
5d418e24 793 const octet *hc_in, *hc_out;
794 mp *ck = 0;
0617b6e7 795 kxchal *kxc;
796
797 if (kx->s != KXS_CHAL && kx->s != KXS_COMMIT) {
798 a_warn("unexpected reply from `%s'", p_name(kx->p));
799 goto bad;
800 }
801 if ((hc_in = buf_get(b, HASHSZ)) == 0 ||
802 (hc_out = buf_get(b, HASHSZ)) == 0 ||
5d418e24 803 (ck = buf_getmp(b)) == 0) {
0617b6e7 804 a_warn("invalid reply packet from `%s'", p_name(kx->p));
805 goto bad;
806 }
7ed14135 807 if ((kxc = matchreply(kx, MSG_KEYEXCH | KX_REPLY,
808 hc_in, hc_out, ck, b)) == 0)
0617b6e7 809 goto bad;
810 if (BLEFT(b)) {
811 a_warn("invalid reply packet from `%s'", p_name(kx->p));
812 goto bad;
813 }
814 if (kx->s == KXS_CHAL) {
815 commit(kx, kxc);
816 kx->s = KXS_COMMIT;
817 }
818 resend(kx);
819 return (0);
820
821bad:
5d418e24 822 mp_drop(ck);
0617b6e7 823 return (-1);
410c8acf 824}
825
0617b6e7 826/* --- @doswitch@ --- *
410c8acf 827 *
0617b6e7 828 * Arguments: @keyexch *kx@ = pointer to key exchange block
829 * @buf *b@ = pointer to buffer containing packet
410c8acf 830 *
0617b6e7 831 * Returns: Zero if OK, nonzero if the packet was rejected.
410c8acf 832 *
0617b6e7 833 * Use: Handles a reply with a switch request bolted onto it.
410c8acf 834 */
835
0617b6e7 836static int doswitch(keyexch *kx, buf *b)
410c8acf 837{
0617b6e7 838 const octet *hc_in, *hc_out, *hswrq;
839 kxchal *kxc;
410c8acf 840
0617b6e7 841 if ((hc_in = buf_get(b, HASHSZ)) == 0 ||
842 (hc_out = buf_get(b, HASHSZ)) == 0) {
843 a_warn("invalid switch request from `%s'", p_name(kx->p));
844 goto bad;
410c8acf 845 }
7ed14135 846 if ((kxc = matchreply(kx, MSG_KEYEXCH | KX_SWITCH,
847 hc_in, hc_out, 0, b)) == 0)
0617b6e7 848 goto bad;
849 if ((hswrq = buf_get(b, HASHSZ)) == 0 || BLEFT(b)) {
850 a_warn("invalid switch request from `%s'", p_name(kx->p));
851 goto bad;
852 }
853 IF_TRACING(T_KEYEXCH, {
854 trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, HASHSZ);
855 })
856 if (memcmp(hswrq, kxc->hswrq_in, HASHSZ) != 0) {
857 a_warn("incorrect switch request hash from `%s'", p_name(kx->p));
858 goto bad;
859 }
860 switch (kx->s) {
861 case KXS_CHAL:
862 commit(kx, kxc);
863 case KXS_COMMIT:
864 ks_activate(kxc->ks);
865 settimer(kx, ks_tregen(kxc->ks));
866 kx->s = KXS_SWITCH;
867 break;
868 }
869 resend(kx);
870 return (0);
871
872bad:
873 return (-1);
410c8acf 874}
875
0617b6e7 876/* --- @doswitchok@ --- *
877 *
878 * Arguments: @keyexch *kx@ = pointer to key exchange block
879 * @buf *b@ = pointer to buffer containing packet
880 *
881 * Returns: Zero if OK, nonzero if the packet was rejected.
882 *
883 * Use: Handles a reply with a switch request bolted onto it.
884 */
885
886static int doswitchok(keyexch *kx, buf *b)
410c8acf 887{
0617b6e7 888 const octet *hswok;
889 kxchal *kxc;
890 buf bb;
410c8acf 891
0617b6e7 892 if (kx->s < KXS_COMMIT) {
893 a_warn("unexpected switch confirmation from `%s'", p_name(kx->p));
894 goto bad;
410c8acf 895 }
0617b6e7 896 kxc = kx->r[0];
897 buf_init(&bb, buf_o, sizeof(buf_o));
7ed14135 898 if (ks_decrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, b, &bb)) {
0617b6e7 899 a_warn("failed to decrypt switch confirmation from `%s'", p_name(kx->p));
900 goto bad;
901 }
902 buf_init(b, BBASE(&bb), BLEN(&bb));
903 if ((hswok = buf_get(b, HASHSZ)) == 0 || BLEFT(b)) {
904 a_warn("invalid switch confirmation from `%s'", p_name(kx->p));
905 goto bad;
906 }
907 IF_TRACING(T_KEYEXCH, {
908 trace_block(T_CRYPTO, "crypto: switch confirmation hash", hswok, HASHSZ);
909 })
910 if (memcmp(hswok, kxc->hswok_in, HASHSZ) != 0) {
911 a_warn("incorrect switch confirmation hash from `%s'", p_name(kx->p));
912 goto bad;
913 }
914 if (kx->s < KXS_SWITCH) {
915 ks_activate(kxc->ks);
916 settimer(kx, ks_tregen(kxc->ks));
917 kx->s = KXS_SWITCH;
918 }
919 return (0);
920
921bad:
922 return (-1);
923}
924
925/*----- Main code ---------------------------------------------------------*/
926
927/* --- @stop@ --- *
928 *
929 * Arguments: @keyexch *kx@ = pointer to key exchange context
930 *
931 * Returns: ---
932 *
933 * Use: Stops a key exchange dead in its tracks. Throws away all of
934 * the context information. The context is left in an
935 * inconsistent state. The only functions which understand this
936 * state are @kx_free@ and @kx_init@ (which cause it internally
937 * it), and @start@ (which expects it to be the prevailing
938 * state).
939 */
940
941static void stop(keyexch *kx)
942{
943 unsigned i;
944
00e64b67 945 if (kx->f & KXF_DEAD)
946 return;
947
0617b6e7 948 if (kx->f & KXF_TIMER)
949 sel_rmtimer(&kx->t);
950 for (i = 0; i < kx->nr; i++)
951 kxc_destroy(kx->r[i]);
952 mp_drop(kx->alpha);
52c03a2a 953 G_DESTROY(gg, kx->c);
954 G_DESTROY(gg, kx->rx);
00e64b67 955 kx->t_valid = 0;
956 kx->f |= KXF_DEAD;
957 kx->f &= ~KXF_TIMER;
0617b6e7 958}
959
960/* --- @start@ --- *
961 *
962 * Arguments: @keyexch *kx@ = pointer to key exchange context
963 * @time_t now@ = the current time
964 *
965 * Returns: ---
966 *
967 * Use: Starts a new key exchange with the peer. The context must be
968 * in the bizarre state left by @stop@ or @kx_init@.
969 */
970
971static void start(keyexch *kx, time_t now)
972{
973 HASH_CTX h;
974
00e64b67 975 assert(kx->f & KXF_DEAD);
976
977 kx->f &= ~KXF_DEAD;
0617b6e7 978 kx->nr = 0;
52c03a2a 979 kx->alpha = mprand_range(MP_NEW, gg->r, &rand_global, 0);
980 kx->c = G_CREATE(gg); G_EXP(gg, kx->c, gg->g, kx->alpha);
981 kx->rx = G_CREATE(gg); G_EXP(gg, kx->rx, kx->kpub, kx->alpha);
0617b6e7 982 kx->s = KXS_CHAL;
983 kx->t_valid = now + T_VALID;
984
985 HASH_INIT(&h);
986 HASH_STRING(&h, "tripe-cookie");
52c03a2a 987 hashge(&h, kx->c);
0617b6e7 988 HASH_DONE(&h, kx->hc);
989
990 IF_TRACING(T_KEYEXCH, {
991 trace(T_KEYEXCH, "keyexch: creating new challenge");
992 IF_TRACING(T_CRYPTO, {
993 trace(T_CRYPTO, "crypto: secret = %s", mpstr(kx->alpha));
52c03a2a 994 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, kx->c));
995 trace(T_CRYPTO, "crypto: expected response = %s", gestr(gg, kx->rx));
0617b6e7 996 trace_block(T_CRYPTO, "crypto: challenge cookie", kx->hc, HASHSZ);
997 })
998 })
410c8acf 999}
1000
00e64b67 1001/* --- @checkpub@ --- *
1002 *
1003 * Arguments: @keyexch *kx@ = pointer to key exchange context
1004 *
1005 * Returns: Zero if OK, nonzero if the peer's public key has expired.
1006 *
1007 * Use: Deactivates the key-exchange until the peer acquires a new
1008 * public key.
1009 */
1010
1011static int checkpub(keyexch *kx)
1012{
1013 time_t now;
1014 if (kx->f & KXF_DEAD)
1015 return (-1);
1016 now = time(0);
1017 if (KEY_EXPIRED(now, kx->texp_kpub)) {
1018 stop(kx);
1019 a_warn("public key for `%s' has expired", p_name(kx->p));
52c03a2a 1020 G_COPY(gg, kx->kpub, gg->i);
00e64b67 1021 kx->f &= ~KXF_PUBKEY;
1022 return (-1);
1023 }
1024 return (0);
1025}
1026
0617b6e7 1027/* --- @kx_start@ --- *
410c8acf 1028 *
1029 * Arguments: @keyexch *kx@ = pointer to key exchange context
410c8acf 1030 *
1031 * Returns: ---
1032 *
0617b6e7 1033 * Use: Stimulates a key exchange. If a key exchage is in progress,
1034 * a new challenge is sent (unless the quiet timer forbids
1035 * this); if no exchange is in progress, one is commenced.
410c8acf 1036 */
1037
0617b6e7 1038void kx_start(keyexch *kx)
410c8acf 1039{
1040 time_t now = time(0);
410c8acf 1041
00e64b67 1042 if (checkpub(kx))
1043 return;
0617b6e7 1044 if (!ISVALID(kx, now)) {
1045 stop(kx);
1046 start(kx, now);
410c8acf 1047 }
0617b6e7 1048 resend(kx);
1049}
1050
1051/* --- @kx_message@ --- *
1052 *
1053 * Arguments: @keyexch *kx@ = pointer to key exchange context
1054 * @unsigned msg@ = the message code
1055 * @buf *b@ = pointer to buffer containing the packet
1056 *
1057 * Returns: ---
1058 *
1059 * Use: Reads a packet containing key exchange messages and handles
1060 * it.
1061 */
1062
1063void kx_message(keyexch *kx, unsigned msg, buf *b)
1064{
1065 time_t now = time(0);
1066 stats *st = p_stats(kx->p);
1067 size_t sz = BSZ(b);
1068 int rc;
1069
1070#ifndef NTRACE
1071 static const char *const pkname[] = {
1072 "prechallenge", "cookie", "challenge",
1073 "reply", "switch request", "switch confirmation"
1074 };
1075#endif
1076
00e64b67 1077 if (checkpub(kx))
1078 return;
1079
0617b6e7 1080 if (!ISVALID(kx, now)) {
1081 stop(kx);
1082 start(kx, now);
410c8acf 1083 }
0617b6e7 1084
1085 T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'",
1086 msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); )
1087
1088 switch (msg) {
1089 case KX_PRECHAL:
1090 case KX_COOKIE:
1091 case KX_CHAL:
1092 rc = dochallenge(kx, msg, b);
1093 break;
1094 case KX_REPLY:
1095 rc = doreply(kx, b);
1096 break;
1097 case KX_SWITCH:
1098 rc = doswitch(kx, b);
1099 break;
1100 case KX_SWITCHOK:
1101 rc = doswitchok(kx, b);
1102 break;
1103 default:
1104 a_warn("unexpected key exchange message type %u from `%p'",
1105 p_name(kx->p));
1106 rc = -1;
1107 break;
410c8acf 1108 }
410c8acf 1109
0617b6e7 1110 if (rc)
1111 st->n_reject++;
1112 else {
1113 st->n_kxin++;
1114 st->sz_kxin += sz;
1115 }
410c8acf 1116}
1117
1118/* --- @kx_free@ --- *
1119 *
1120 * Arguments: @keyexch *kx@ = pointer to key exchange context
1121 *
1122 * Returns: ---
1123 *
1124 * Use: Frees everything in a key exchange context.
1125 */
1126
1127void kx_free(keyexch *kx)
1128{
0617b6e7 1129 stop(kx);
52c03a2a 1130 G_DESTROY(gg, kx->kpub);
410c8acf 1131}
1132
1133/* --- @kx_newkeys@ --- *
1134 *
1135 * Arguments: @keyexch *kx@ = pointer to key exchange context
1136 *
1137 * Returns: ---
1138 *
1139 * Use: Informs the key exchange module that its keys may have
1140 * changed. If fetching the new keys fails, the peer will be
1141 * destroyed, we log messages and struggle along with the old
1142 * keys.
1143 */
1144
1145void kx_newkeys(keyexch *kx)
1146{
52c03a2a 1147 if (km_getpubkey(p_name(kx->p), kx->kpub, &kx->texp_kpub))
410c8acf 1148 return;
00e64b67 1149 kx->f |= KXF_PUBKEY;
1150 if ((kx->f & KXF_DEAD) || kx->s != KXS_SWITCH) {
410c8acf 1151 T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'",
1152 p_name(kx->p)); )
00e64b67 1153 stop(kx);
1154 start(kx, time(0));
1155 resend(kx);
410c8acf 1156 }
1157}
1158
1159/* --- @kx_init@ --- *
1160 *
1161 * Arguments: @keyexch *kx@ = pointer to key exchange context
1162 * @peer *p@ = pointer to peer context
1163 * @keyset **ks@ = pointer to keyset list
1164 *
1165 * Returns: Zero if OK, nonzero if it failed.
1166 *
1167 * Use: Initializes a key exchange module. The module currently
1168 * contains no keys, and will attempt to initiate a key
1169 * exchange.
1170 */
1171
1172int kx_init(keyexch *kx, peer *p, keyset **ks)
1173{
1174 kx->ks = ks;
1175 kx->p = p;
52c03a2a 1176 kx->kpub = G_CREATE(gg);
1177 if (km_getpubkey(p_name(p), kx->kpub, &kx->texp_kpub)) {
1178 G_DESTROY(gg, kx->kpub);
410c8acf 1179 return (-1);
52c03a2a 1180 }
00e64b67 1181 kx->f = KXF_DEAD | KXF_PUBKEY;
0617b6e7 1182 start(kx, time(0));
1183 resend(kx);
410c8acf 1184 return (0);
1185}
1186
1187/*----- That's all, folks -------------------------------------------------*/
Trivial IP Encryption: a simple VPN