3 * $Id: keyexch.c,v 1.4 2001/06/22 19:40:36 mdw Exp $
5 * Key exchange protocol
7 * (c) 2001 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Trivial IP Encryption (TrIPE).
14 * TrIPE is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * TrIPE is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with TrIPE; if not, write to the Free Software Foundation,
26 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 /*----- Revision history --------------------------------------------------*
32 * Revision 1.4 2001/06/22 19:40:36 mdw
33 * Support expiry of other peers' public keys.
35 * Revision 1.3 2001/06/19 22:07:09 mdw
38 * Revision 1.2 2001/02/16 21:24:27 mdw
39 * Rewrite for new key exchange protocol.
41 * Revision 1.1 2001/02/03 20:26:37 mdw
46 /*----- Header files ------------------------------------------------------*/
50 /*----- Tunable parameters ------------------------------------------------*/
52 #define T_VALID MIN(2)
53 #define T_RETRY SEC(10)
55 #define ISVALID(kx, now) ((now) < (kx)->t_valid)
57 /*----- Various utilities -------------------------------------------------*/
61 * Arguments: @HASH_CTX *r@ = pointer to hash context
62 * @mp *m@ = pointer to multiprecision integer
66 * Use: Adds the hash of a multiprecision integer to the context.
70 static void hashmp(HASH_CTX
*r
, mp
*m
)
73 buf_init(&b
, buf_t
, sizeof(buf_t
));
76 HASH(r
, BBASE(&b
), BLEN(&b
));
81 * Arguments: @struct timeval *tv@ = the current time
82 * @void *v@ = pointer to key exchange context
86 * Use: Acts when the key exchange timer goes off.
89 static void timer(struct timeval
*tv
, void *v
)
93 T( trace(T_KEYEXCH
, "keyexch: timer has popped"); )
97 /* --- @settimer@ --- *
99 * Arguments: @keyexch *kx@ = pointer to key exchange context
100 * @time_t t@ = when to set the timer for
104 * Use: Sets the timer for the next key exchange attempt.
107 static void settimer(keyexch
*kx
, time_t t
)
110 if (kx
->f
& KXF_TIMER
)
114 sel_addtimer(&sel
, &kx
->t
, &tv
, timer
, kx
);
118 /*----- Challenge management ----------------------------------------------*/
120 /* --- Notes on challenge management --- *
122 * We may get multiple different replies to our key exchange; some will be
123 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
124 * received will be added to the table and given a full response. After
125 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
126 * our existing challenge, followed by a hash of the sender's challenge. We
127 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
128 * properly-formed cookies are assigned a table slot: if none is spare, a
129 * used slot is randomly selected and destroyed. A cookie always receives a
133 /* --- @kxc_destroy@ --- *
135 * Arguments: @kxchal *kxc@ = pointer to the challenge block
139 * Use: Disposes of a challenge block.
142 static void kxc_destroy(kxchal
*kxc
)
144 if (kxc
->f
& KXF_TIMER
)
145 sel_rmtimer(&kxc
->t
);
152 /* --- @kxc_stoptimer@ --- *
154 * Arguments: @kxchal *kxc@ = pointer to the challenge block
158 * Use: Stops the challenge's retry timer from sending messages.
159 * Useful when the state machine is in the endgame of the
163 static void kxc_stoptimer(kxchal
*kxc
)
165 if (kxc
->f
& KXF_TIMER
)
166 sel_rmtimer(&kxc
->t
);
169 /* --- @kxc_new@ --- *
171 * Arguments: @keyexch *kx@ = pointer to key exchange block
173 * Returns: A pointer to the challenge block.
175 * Use: Returns a pointer to a new challenge block to fill in.
178 static kxchal
*kxc_new(keyexch
*kx
)
183 /* --- If we're over reply threshold, discard one at random --- */
185 if (kx
->nr
< KX_NCHAL
)
188 i
= rand_global
.ops
->range(&rand_global
, KX_NCHAL
);
189 kxc_destroy(kx
->r
[i
]);
192 /* --- Fill in the new structure --- */
194 kxc
= CREATE(kxchal
);
204 /* --- @kxc_bychal@ --- *
206 * Arguments: @keyexch *kx@ = pointer to key exchange block
207 * @mp *c@ = challenge from remote host
209 * Returns: Pointer to the challenge block, or null.
211 * Use: Finds a challenge block, given its challenge.
214 static kxchal
*kxc_bychal(keyexch
*kx
, mp
*c
)
218 for (i
= 0; i
< kx
->nr
; i
++) {
219 if (MP_EQ(c
, kx
->r
[i
]->c
))
225 /* --- @kxc_byhc@ --- *
227 * Arguments: @keyexch *kx@ = pointer to key exchange block
228 * @const octet *hc@ = challenge hash from remote host
230 * Returns: Pointer to the challenge block, or null.
232 * Use: Finds a challenge block, given a hash of its challenge.
235 static kxchal
*kxc_byhc(keyexch
*kx
, const octet
*hc
)
239 for (i
= 0; i
< kx
->nr
; i
++) {
240 if (memcmp(hc
, kx
->r
[i
]->hc
, HASHSZ
) == 0)
246 /* --- @kxc_answer@ --- *
248 * Arguments: @keyexch *kx@ = pointer to key exchange block
249 * @kxchal *kxc@ = pointer to challenge block
253 * Use: Sends a reply to the remote host, according to the data in
254 * this challenge block.
257 static void kxc_answer(keyexch
*kx
, kxchal
*kxc
);
259 static void kxc_timer(struct timeval
*tv
, void *v
)
262 kxc
->f
&= ~KXF_TIMER
;
263 kxc_answer(kxc
->kx
, kxc
);
266 static void kxc_answer(keyexch
*kx
, kxchal
*kxc
)
268 stats
*st
= p_stats(kx
->p
);
269 buf
*b
= p_txstart(kx
->p
, MSG_KEYEXCH
| (kxc
->r ? KX_REPLY
: KX_CHAL
));
273 /* --- Build the reply packet --- */
278 buf_put(b
, kx
->hc
, HASHSZ
);
279 buf_put(b
, kxc
->hc
, HASHSZ
);
280 buf_put(b
, kxc
->hrx
, HASHSZ
);
282 /* --- Maybe send an actual reply, if we have one --- */
285 T( trace(T_KEYEXCH
, "keyexch: resending challenge to `%s'",
288 T( trace(T_KEYEXCH
, "keyexch: sending reply to `%s'", p_name(kx
->p
)); )
289 buf_init(&bb
, buf_i
, sizeof(buf_i
));
290 buf_putmp(&bb
, kxc
->r
);
292 ks_encrypt(kxc
->ks
, &bb
, b
);
295 /* --- Update the statistics --- */
299 st
->sz_kxout
+= BLEN(b
);
303 /* --- Schedule another resend --- */
305 if (kxc
->f
& KXF_TIMER
)
306 sel_rmtimer(&kxc
->t
);
307 gettimeofday(&tv
, 0);
308 tv
.tv_sec
+= T_RETRY
;
309 sel_addtimer(&sel
, &kxc
->t
, &tv
, kxc_timer
, kxc
);
313 /*----- Individual message handlers ---------------------------------------*/
315 /* --- @getreply@ --- *
317 * Arguments: @keyexch *kx@ = pointer to key exchange context
318 * @mp *c@ = a challenge
319 * @const octet *hrx@ = the supplied expected-reply hash
321 * Returns: A pointer to the reply, or null if the reply-hash was wrong.
323 * Use: Computes replies to challenges.
326 static mp
*getreply(keyexch
*kx
, mp
*c
, const octet
*hrx
)
328 mp
*r
= mpmont_exp(&mg
, MP_NEW
, c
, kpriv
.x
);
333 HASH_STRING(&h
, "tripe-expected-reply");
338 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
339 trace(T_CRYPTO
, "crypto: computed reply = %s", mpstr(r
));
340 trace_block(T_CRYPTO
, "crypto: computed reply hash", buf
, HASHSZ
);
342 if (memcmp(buf
, hrx
, HASHSZ
) != 0) {
343 a_warn("invalid expected-reply hash from `%s'", p_name(kx
->p
));
350 /* --- @dochallenge@ --- *
352 * Arguments: @keyexch *kx@ = pointer to key exchange block
353 * @unsigned msg@ = message code for the packet
354 * @buf *b@ = buffer containing the packet
356 * Returns: Zero if OK, nonzero if the packet was rejected.
358 * Use: Processes a packet containing a challenge.
361 static int dochallenge(keyexch
*kx
, unsigned msg
, buf
*b
)
364 const octet
*hc
= 0, *hrx
= 0;
368 /* --- Ensure that we're in a sensible state --- */
370 if (kx
->s
!= KXS_CHAL
) {
371 a_warn("unexpected challenge from `%s'", p_name(kx
->p
));
375 /* --- Unpack the packet --- */
377 if ((c
= buf_getmp(b
)) == 0 ||
378 (msg
>= KX_COOKIE
&& (hc
= buf_get(b
, HASHSZ
)) == 0) ||
379 (msg
>= KX_CHAL
&& (hrx
= buf_get(b
, HASHSZ
)) == 0) ||
381 a_warn("malformed packet from `%s'", p_name(kx
->p
));
385 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
386 trace(T_CRYPTO
, "crypto: challenge = %s", mpstr(c
));
387 if (hc
) trace_block(T_CRYPTO
, "crypto: cookie", hc
, HASHSZ
);
388 if (hrx
) trace_block(T_CRYPTO
, "crypto: response hash", hrx
, HASHSZ
);
391 /* --- First, handle a bare challenge --- *
393 * If the table is heavily loaded, just emit a cookie and return.
396 if (!hc
&& kx
->nr
>= KX_THRESH
) {
397 T( trace(T_KEYEXCH
, "keyexch: too many challenges -- sending cookie"); )
398 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_COOKIE
);
401 HASH_STRING(&h
, "tripe-cookie");
403 HASH_DONE(&h
, buf_get(b
, HASHSZ
));
408 /* --- Discard a packet with an invalid cookie --- */
410 if (hc
&& memcmp(hc
, kx
->hc
, HASHSZ
) != 0) {
411 a_warn("incorrect cookie from `%s'", p_name(kx
->p
));
415 /* --- Find a challenge block for this packet --- *
417 * If there isn't one already, create a new one.
420 if ((kxc
= kxc_bychal(kx
, c
)) == 0) {
424 /* --- Be careful here --- *
426 * If this is a full challenge, and it's the first time I've seen it, I
427 * want to be able to throw it away before committing a table entry to
434 if ((r
= getreply(kx
, c
, hrx
)) == 0)
441 /* --- Work out the cookie for this challenge --- */
444 HASH_STRING(&h
, "tripe-cookie");
446 HASH_DONE(&h
, kxc
->hc
);
448 /* --- Compute the expected-reply hash --- */
451 HASH_STRING(&h
, "tripe-expected-reply");
455 HASH_DONE(&h
, kxc
->hrx
);
457 /* --- Work out the shared key --- */
459 r
= mpmont_exp(&mg
, MP_NEW
, c
, kx
->alpha
);
461 /* --- Compute the switch messages --- */
463 HASH_INIT(&h
); HASH_STRING(&h
, "tripe-switch-request");
464 hashmp(&h
, kx
->c
); hashmp(&h
, kxc
->c
);
465 HASH_DONE(&h
, kxc
->hswrq_out
);
466 HASH_INIT(&h
); HASH_STRING(&h
, "tripe-switch-confirm");
467 hashmp(&h
, kx
->c
); hashmp(&h
, kxc
->c
);
468 HASH_DONE(&h
, kxc
->hswok_out
);
470 HASH_INIT(&h
); HASH_STRING(&h
, "tripe-switch-request");
471 hashmp(&h
, kxc
->c
); hashmp(&h
, kx
->c
);
472 HASH_DONE(&h
, kxc
->hswrq_in
);
473 HASH_INIT(&h
); HASH_STRING(&h
, "tripe-switch-confirm");
474 hashmp(&h
, kxc
->c
); hashmp(&h
, kx
->c
);
475 HASH_DONE(&h
, kxc
->hswok_in
);
477 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
478 trace_block(T_CRYPTO
, "crypto: computed cookie", kxc
->hc
, HASHSZ
);
479 trace_block(T_CRYPTO
, "crypto: my reply hash", kxc
->hrx
, HASHSZ
);
480 trace(T_CRYPTO
, "crypto: shared secret = %s", mpstr(r
));
481 trace_block(T_CRYPTO
, "crypto: outbound switch request",
482 kxc
->hswrq_out
, HASHSZ
);
483 trace_block(T_CRYPTO
, "crypto: outbound switch confirm",
484 kxc
->hswok_out
, HASHSZ
);
485 trace_block(T_CRYPTO
, "crypto: inbound switch request",
486 kxc
->hswrq_in
, HASHSZ
);
487 trace_block(T_CRYPTO
, "crypto: inbound switch confirm",
488 kxc
->hswok_in
, HASHSZ
);
491 /* --- Create a new symmetric keyset --- */
493 buf_init(b
, buf_o
, sizeof(buf_o
));
494 buf_putmp(b
, kx
->c
); x
= BLEN(b
);
495 buf_putmp(b
, kxc
->c
); y
= BLEN(b
);
496 buf_putmp(b
, r
); z
= BLEN(b
);
499 kxc
->ks
= ks_gen(BBASE(b
), x
, y
, z
);
503 /* --- Answer the challenge if we need to --- */
505 if (hrx
&& !kxc
->r
) {
507 if ((r
= getreply(kx
, c
, hrx
)) == 0)
514 /* --- Tidy up and go home --- */
525 /* --- @resend@ --- *
527 * Arguments: @keyexch *kx@ = pointer to key exchange context
531 * Use: Sends the next message for a key exchange.
534 static void resend(keyexch
*kx
)
538 stats
*st
= p_stats(kx
->p
);
543 T( trace(T_KEYEXCH
, "keyexch: sending prechallenge to `%s'",
545 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_PRECHAL
);
549 T( trace(T_KEYEXCH
, "keyexch: sending switch request to `%s'",
552 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_SWITCH
);
553 buf_put(b
, kx
->hc
, HASHSZ
);
554 buf_put(b
, kxc
->hc
, HASHSZ
);
555 buf_init(&bb
, buf_i
, sizeof(buf_i
));
556 buf_putmp(&bb
, kxc
->r
);
557 buf_put(&bb
, kxc
->hswrq_out
, HASHSZ
);
559 ks_encrypt(kxc
->ks
, &bb
, b
);
562 T( trace(T_KEYEXCH
, "keyexch: sending switch confirmation to `%s'",
565 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_SWITCHOK
);
566 buf_init(&bb
, buf_i
, sizeof(buf_i
));
567 buf_put(&bb
, kxc
->hswok_out
, HASHSZ
);
569 ks_encrypt(kxc
->ks
, &bb
, b
);
577 st
->sz_kxout
+= BLEN(b
);
581 if (kx
->s
< KXS_SWITCH
)
582 settimer(kx
, time(0) + T_RETRY
);
585 /* --- @matchreply@ --- *
587 * Arguments: @keyexch *kx@ = pointer to key exchange context
588 * @const octet *hc_in@ = a hash of his challenge
589 * @const octet *hc_out@ = a hash of my challenge (cookie)
590 * @const octet *krx@ = his expected-reply hash (optional)
591 * @buf *b@ = encrypted remainder of the packet
593 * Returns: A pointer to the challenge block if OK, or null on failure.
595 * Use: Checks a reply or switch packet, ensuring that its contents
596 * are sensible and correct. If they are, @*b@ is set to point
597 * to the remainder of the encrypted data, and the correct
598 * challenge is returned.
601 static kxchal
*matchreply(keyexch
*kx
, const octet
*hc_in
,
602 const octet
*hc_out
, const octet
*hrx
, buf
*b
)
608 /* --- Check the plaintext portions of the data --- */
610 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
611 trace_block(T_CRYPTO
, "crypto: challenge", hc_in
, HASHSZ
);
612 trace_block(T_CRYPTO
, "crypto: cookie", hc_out
, HASHSZ
);
613 if (hrx
) trace_block(T_CRYPTO
, "crypto: response hash", hrx
, HASHSZ
);
615 if (memcmp(hc_out
, kx
->hc
, HASHSZ
) != 0) {
616 a_warn("incorrect cookie from `%s'", p_name(kx
->p
));
619 if ((kxc
= kxc_byhc(kx
, hc_in
)) == 0) {
620 a_warn("received reply for unknown challenge from `%s'", p_name(kx
->p
));
624 /* --- Maybe compute a reply for the challenge --- */
628 a_warn("unexpected switch request from `%s'", p_name(kx
->p
));
631 if ((r
= getreply(kx
, kxc
->c
, hrx
)) == 0)
637 /* --- Decrypt the rest of the packet --- */
639 buf_init(&bb
, buf_o
, sizeof(buf_o
));
640 if (ks_decrypt(kxc
->ks
, b
, &bb
)) {
641 a_warn("failed to decrypt reply from `%s'", p_name(kx
->p
));
644 buf_init(b
, BBASE(&bb
), BLEN(&bb
));
645 if ((r
= buf_getmp(b
)) == 0) {
646 a_warn("invalid reply packet from `%s'", p_name(kx
->p
));
649 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
650 trace(T_CRYPTO
, "crypto: reply = %s", mpstr(r
));
652 if (!mp_eq(r
, kx
->rx
)) {
653 a_warn("incorrect reply from `%s'", p_name(kx
->p
));
667 /* --- @commit@ --- *
669 * Arguments: @keyexch *kx@ = pointer to key exchange context
670 * @kxchal *kxc@ = pointer to challenge to commit to
674 * Use: Commits to a particular challenge as being the `right' one,
675 * since a reply has arrived for it.
678 static void commit(keyexch
*kx
, kxchal
*kxc
)
682 for (i
= 0; i
< kx
->nr
; i
++) {
684 kxc_destroy(kx
->r
[i
]);
689 ksl_link(kx
->ks
, kxc
->ks
);
692 /* --- @doreply@ --- *
694 * Arguments: @keyexch *kx@ = pointer to key exchange context
695 * @buf *b@ = buffer containing packet
697 * Returns: Zero if OK, nonzero if the packet was rejected.
699 * Use: Handles a reply packet. This doesn't handle the various
700 * switch packets: they're rather too different.
703 static int doreply(keyexch
*kx
, buf
*b
)
705 const octet
*hc_in
, *hc_out
, *hrx
;
708 if (kx
->s
!= KXS_CHAL
&& kx
->s
!= KXS_COMMIT
) {
709 a_warn("unexpected reply from `%s'", p_name(kx
->p
));
712 if ((hc_in
= buf_get(b
, HASHSZ
)) == 0 ||
713 (hc_out
= buf_get(b
, HASHSZ
)) == 0 ||
714 (hrx
= buf_get(b
, HASHSZ
)) == 0) {
715 a_warn("invalid reply packet from `%s'", p_name(kx
->p
));
718 if ((kxc
= matchreply(kx
, hc_in
, hc_out
, hrx
, b
)) == 0)
721 a_warn("invalid reply packet from `%s'", p_name(kx
->p
));
724 if (kx
->s
== KXS_CHAL
) {
735 /* --- @doswitch@ --- *
737 * Arguments: @keyexch *kx@ = pointer to key exchange block
738 * @buf *b@ = pointer to buffer containing packet
740 * Returns: Zero if OK, nonzero if the packet was rejected.
742 * Use: Handles a reply with a switch request bolted onto it.
745 static int doswitch(keyexch
*kx
, buf
*b
)
747 const octet
*hc_in
, *hc_out
, *hswrq
;
750 if ((hc_in
= buf_get(b
, HASHSZ
)) == 0 ||
751 (hc_out
= buf_get(b
, HASHSZ
)) == 0) {
752 a_warn("invalid switch request from `%s'", p_name(kx
->p
));
755 if ((kxc
= matchreply(kx
, hc_in
, hc_out
, 0, b
)) == 0)
757 if ((hswrq
= buf_get(b
, HASHSZ
)) == 0 || BLEFT(b
)) {
758 a_warn("invalid switch request from `%s'", p_name(kx
->p
));
761 IF_TRACING(T_KEYEXCH
, {
762 trace_block(T_CRYPTO
, "crypto: switch request hash", hswrq
, HASHSZ
);
764 if (memcmp(hswrq
, kxc
->hswrq_in
, HASHSZ
) != 0) {
765 a_warn("incorrect switch request hash from `%s'", p_name(kx
->p
));
772 ks_activate(kxc
->ks
);
773 settimer(kx
, ks_tregen(kxc
->ks
));
784 /* --- @doswitchok@ --- *
786 * Arguments: @keyexch *kx@ = pointer to key exchange block
787 * @buf *b@ = pointer to buffer containing packet
789 * Returns: Zero if OK, nonzero if the packet was rejected.
791 * Use: Handles a reply with a switch request bolted onto it.
794 static int doswitchok(keyexch
*kx
, buf
*b
)
800 if (kx
->s
< KXS_COMMIT
) {
801 a_warn("unexpected switch confirmation from `%s'", p_name(kx
->p
));
805 buf_init(&bb
, buf_o
, sizeof(buf_o
));
806 if (ks_decrypt(kxc
->ks
, b
, &bb
)) {
807 a_warn("failed to decrypt switch confirmation from `%s'", p_name(kx
->p
));
810 buf_init(b
, BBASE(&bb
), BLEN(&bb
));
811 if ((hswok
= buf_get(b
, HASHSZ
)) == 0 || BLEFT(b
)) {
812 a_warn("invalid switch confirmation from `%s'", p_name(kx
->p
));
815 IF_TRACING(T_KEYEXCH
, {
816 trace_block(T_CRYPTO
, "crypto: switch confirmation hash", hswok
, HASHSZ
);
818 if (memcmp(hswok
, kxc
->hswok_in
, HASHSZ
) != 0) {
819 a_warn("incorrect switch confirmation hash from `%s'", p_name(kx
->p
));
822 if (kx
->s
< KXS_SWITCH
) {
823 ks_activate(kxc
->ks
);
824 settimer(kx
, ks_tregen(kxc
->ks
));
833 /*----- Main code ---------------------------------------------------------*/
837 * Arguments: @keyexch *kx@ = pointer to key exchange context
841 * Use: Stops a key exchange dead in its tracks. Throws away all of
842 * the context information. The context is left in an
843 * inconsistent state. The only functions which understand this
844 * state are @kx_free@ and @kx_init@ (which cause it internally
845 * it), and @start@ (which expects it to be the prevailing
849 static void stop(keyexch
*kx
)
853 if (kx
->f
& KXF_DEAD
)
856 if (kx
->f
& KXF_TIMER
)
858 for (i
= 0; i
< kx
->nr
; i
++)
859 kxc_destroy(kx
->r
[i
]);
870 * Arguments: @keyexch *kx@ = pointer to key exchange context
871 * @time_t now@ = the current time
875 * Use: Starts a new key exchange with the peer. The context must be
876 * in the bizarre state left by @stop@ or @kx_init@.
879 static void start(keyexch
*kx
, time_t now
)
883 assert(kx
->f
& KXF_DEAD
);
887 kx
->alpha
= mprand_range(MP_NEW
, kpriv
.dp
.q
, &rand_global
, 0);
888 kx
->c
= mpmont_exp(&mg
, MP_NEW
, kpriv
.dp
.g
, kx
->alpha
);
889 kx
->rx
= mpmont_exp(&mg
, MP_NEW
, kx
->kpub
.y
, kx
->alpha
);
891 kx
->t_valid
= now
+ T_VALID
;
894 HASH_STRING(&h
, "tripe-cookie");
896 HASH_DONE(&h
, kx
->hc
);
898 IF_TRACING(T_KEYEXCH
, {
899 trace(T_KEYEXCH
, "keyexch: creating new challenge");
900 IF_TRACING(T_CRYPTO
, {
901 trace(T_CRYPTO
, "crypto: secret = %s", mpstr(kx
->alpha
));
902 trace(T_CRYPTO
, "crypto: challenge = %s", mpstr(kx
->c
));
903 trace(T_CRYPTO
, "crypto: expected response = %s", mpstr(kx
->rx
));
904 trace_block(T_CRYPTO
, "crypto: challenge cookie", kx
->hc
, HASHSZ
);
909 /* --- @checkpub@ --- *
911 * Arguments: @keyexch *kx@ = pointer to key exchange context
913 * Returns: Zero if OK, nonzero if the peer's public key has expired.
915 * Use: Deactivates the key-exchange until the peer acquires a new
919 static int checkpub(keyexch
*kx
)
922 if (kx
->f
& KXF_DEAD
)
925 if (KEY_EXPIRED(now
, kx
->texp_kpub
)) {
927 a_warn("public key for `%s' has expired", p_name(kx
->p
));
928 dh_pubfree(&kx
->kpub
);
929 kx
->f
&= ~KXF_PUBKEY
;
935 /* --- @kx_start@ --- *
937 * Arguments: @keyexch *kx@ = pointer to key exchange context
941 * Use: Stimulates a key exchange. If a key exchage is in progress,
942 * a new challenge is sent (unless the quiet timer forbids
943 * this); if no exchange is in progress, one is commenced.
946 void kx_start(keyexch
*kx
)
948 time_t now
= time(0);
952 if (!ISVALID(kx
, now
)) {
959 /* --- @kx_message@ --- *
961 * Arguments: @keyexch *kx@ = pointer to key exchange context
962 * @unsigned msg@ = the message code
963 * @buf *b@ = pointer to buffer containing the packet
967 * Use: Reads a packet containing key exchange messages and handles
971 void kx_message(keyexch
*kx
, unsigned msg
, buf
*b
)
973 time_t now
= time(0);
974 stats
*st
= p_stats(kx
->p
);
979 static const char *const pkname
[] = {
980 "prechallenge", "cookie", "challenge",
981 "reply", "switch request", "switch confirmation"
988 if (!ISVALID(kx
, now
)) {
993 T( trace(T_KEYEXCH
, "keyexch: processing %s packet from `%s'",
994 msg
< KX_NMSG ? pkname
[msg
] : "unknown", p_name(kx
->p
)); )
1000 rc
= dochallenge(kx
, msg
, b
);
1003 rc
= doreply(kx
, b
);
1006 rc
= doswitch(kx
, b
);
1009 rc
= doswitchok(kx
, b
);
1012 a_warn("unexpected key exchange message type %u from `%p'",
1026 /* --- @kx_free@ --- *
1028 * Arguments: @keyexch *kx@ = pointer to key exchange context
1032 * Use: Frees everything in a key exchange context.
1035 void kx_free(keyexch
*kx
)
1038 if (kx
->f
& KXF_PUBKEY
)
1039 dh_pubfree(&kx
->kpub
);
1042 /* --- @kx_newkeys@ --- *
1044 * Arguments: @keyexch *kx@ = pointer to key exchange context
1048 * Use: Informs the key exchange module that its keys may have
1049 * changed. If fetching the new keys fails, the peer will be
1050 * destroyed, we log messages and struggle along with the old
1054 void kx_newkeys(keyexch
*kx
)
1058 if (km_getpubkey(p_name(kx
->p
), &dp
, &kx
->texp_kpub
))
1060 if (kx
->f
& KXF_PUBKEY
)
1061 dh_pubfree(&kx
->kpub
);
1063 kx
->f
|= KXF_PUBKEY
;
1064 if ((kx
->f
& KXF_DEAD
) || kx
->s
!= KXS_SWITCH
) {
1065 T( trace(T_KEYEXCH
, "keyexch: restarting key negotiation with `%s'",
1073 /* --- @kx_init@ --- *
1075 * Arguments: @keyexch *kx@ = pointer to key exchange context
1076 * @peer *p@ = pointer to peer context
1077 * @keyset **ks@ = pointer to keyset list
1079 * Returns: Zero if OK, nonzero if it failed.
1081 * Use: Initializes a key exchange module. The module currently
1082 * contains no keys, and will attempt to initiate a key
1086 int kx_init(keyexch
*kx
, peer
*p
, keyset
**ks
)
1090 if (km_getpubkey(p_name(p
), &kx
->kpub
, &kx
->texp_kpub
))
1092 kx
->f
= KXF_DEAD
| KXF_PUBKEY
;
1098 /*----- That's all, folks -------------------------------------------------*/