5 * Key exchange protocol
7 * (c) 2001 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Trivial IP Encryption (TrIPE).
14 * TrIPE is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * TrIPE is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with TrIPE; if not, write to the Free Software Foundation,
26 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 /*----- Header files ------------------------------------------------------*/
33 /*----- Brief protocol overview -------------------------------------------*
35 * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
36 * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
37 * application of the symmetric packet protocol to a message; let
38 * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
39 * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
40 * be Bob's public key.
42 * At the beginning of the session, Alice chooses
44 * %$\rho_A \inr \{0, \ldots q - 1\}$%
48 * %$r_A = g^{\rho_A}$% Alice's challenge
49 * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
50 * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
51 * Alice's challenge check value
52 * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
53 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
54 * Alice and Bob's shared secret key
55 * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
56 * Alice's switch request value
57 * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
58 * Alice's switch confirm value
60 * The messages are then:
62 * %$\cookie{kx-pre-challenge}, r_A$%
63 * Initial greeting. In state @KXS_CHAL@.
65 * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
66 * Here's a full challenge for you to answer.
68 * %$\cookie{kx-reply}, r_A, c_B, v_A, E_K(r_B^\alpha))$%
69 * Challenge accpeted: here's the answer. Commit to my challenge. Move
72 * %$\cookie{kx-switch-rq}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
73 * Reply received: here's my reply. Committed; send data; move to
76 * %$\cookie{kx-switch-ok}, E_K(u_A))$%
77 * Switch received. Committed; send data; move to @KXS_SWITCH@.
80 /*----- Tunable parameters ------------------------------------------------*/
82 #define T_VALID MIN(2) /* Challenge validity period */
83 #define T_RETRY SEC(10) /* Challenge retransmit interval */
85 #define VALIDP(kx, now) ((now) < (kx)->t_valid)
87 /*----- Static tables -----------------------------------------------------*/
89 static const char *const pkname
[] = {
90 "pre-challenge", "cookie", "challenge",
91 "reply", "switch-rq", "switch-ok"
94 /*----- Various utilities -------------------------------------------------*/
98 * Arguments: @ghash *h@ = pointer to hash context
99 * @ge *x@ = pointer to group element
103 * Use: Adds the hash of a group element to the context. Corrupts
107 static void hashge(ghash
*h
, ge
*x
)
110 buf_init(&b
, buf_t
, sizeof(buf_t
));
113 GH_HASH(h
, BBASE(&b
), BLEN(&b
));
116 /* --- @mpmask@ --- *
118 * Arguments: @buf *b@ = output buffer
119 * @mp *x@ = the plaintext integer
120 * @size_t n@ = the expected size of the plaintext
121 * @const octet *k@ = pointer to key material
122 * @size_t ksz@ = size of the key
124 * Returns: Pointer to the output.
126 * Use: Masks a multiprecision integer: returns %$x \xor H(k)$%, so
127 * it's a random oracle thing rather than an encryption thing.
130 static octet
*mpmask(buf
*b
, mp
*x
, size_t n
, const octet
*k
, size_t ksz
)
135 if ((p
= buf_get(b
, n
)) == 0)
137 mgf
= GC_INIT(algs
.mgf
, k
, ksz
);
138 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
139 trace(T_CRYPTO
, "masking index = %s", mpstr(x
));
140 trace_block(T_CRYPTO
, "masking key", k
, ksz
);
142 mp_storeb(x
, buf_t
, n
);
143 GC_ENCRYPT(mgf
, buf_t
, p
, n
);
144 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
145 trace_block(T_CRYPTO
, "index plaintext", buf_t
, n
);
146 trace_block(T_CRYPTO
, "masked ciphertext", p
, n
);
152 /* --- @mpunmask@ --- *
154 * Arguments: @mp *d@ = the output integer
155 * @const octet *p@ = pointer to the ciphertext
156 * @size_t n@ = the size of the ciphertext
157 * @const octet *k@ = pointer to key material
158 * @size_t ksz@ = size of the key
160 * Returns: The decrypted integer, or null.
162 * Use: Unmasks a multiprecision integer.
165 static mp
*mpunmask(mp
*d
, const octet
*p
, size_t n
,
166 const octet
*k
, size_t ksz
)
170 mgf
= GC_INIT(algs
.mgf
, k
, ksz
);
171 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
172 trace_block(T_CRYPTO
, "unmasking key", k
, ksz
);
173 trace_block(T_CRYPTO
, "masked ciphertext", p
, n
);
175 GC_DECRYPT(mgf
, p
, buf_t
, n
);
176 d
= mp_loadb(d
, buf_t
, n
);
177 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
178 trace_block(T_CRYPTO
, "index plaintext", buf_t
, n
);
179 trace(T_CRYPTO
, "unmasked index = %s", mpstr(d
));
185 /* --- @hashcheck@ --- *
187 * Arguments: @ge *kpub@ = sender's public key
188 * @ge *cc@ = receiver's challenge
189 * @ge *c@ = sender's challenge
190 * @ge *y@ = reply to sender's challenge
192 * Returns: Pointer to the hash value (in @buf_t@)
194 * Use: Computes the check-value hash, used to mask or unmask
195 * indices to prove the validity of challenges. This computes
196 * the masking key used in challenge check values. This is
197 * really the heart of the whole thing, since it ensures that
198 * the index can be recovered from the history of hashing
199 * queries, which gives us (a) a proof that the authentication
200 * process is zero-knowledge, and (b) a proof that the whole
201 * key-exchange is deniable.
204 static const octet
*hashcheck(ge
*kpub
, ge
*cc
, ge
*c
, ge
*y
)
206 ghash
*h
= GH_INIT(algs
.h
);
208 HASH_STRING(h
, "tripe-expected-reply");
214 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
215 trace(T_CRYPTO
, "computing challenge check hash");
216 trace(T_CRYPTO
, "public key = %s", gestr(gg
, kpub
));
217 trace(T_CRYPTO
, "receiver challenge = %s", gestr(gg
, cc
));
218 trace(T_CRYPTO
, "sender challenge = %s", gestr(gg
, c
));
219 trace(T_CRYPTO
, "sender reply = %s", gestr(gg
, y
));
220 trace_block(T_CRYPTO
, "hash output", buf_t
, algs
.hashsz
);
226 /* --- @sendchallenge@ --- *
228 * Arguments: @keyexch *kx@ = pointer to key exchange block
229 * @buf *b@ = output buffer for challenge
230 * @ge *c@ = peer's actual challenge
231 * @const octet *hc@ = peer's challenge cookie
235 * Use: Writes a full challenge to the message buffer.
238 static void sendchallenge(keyexch
*kx
, buf
*b
, ge
*c
, const octet
*hc
)
240 G_TOBUF(gg
, b
, kx
->c
);
241 buf_put(b
, hc
, algs
.hashsz
);
242 mpmask(b
, kx
->alpha
, indexsz
,
243 hashcheck(kpub
, c
, kx
->c
, kx
->rx
), algs
.hashsz
);
248 * Arguments: @struct timeval *tv@ = the current time
249 * @void *v@ = pointer to key exchange context
253 * Use: Acts when the key exchange timer goes off.
256 static void timer(struct timeval
*tv
, void *v
)
260 T( trace(T_KEYEXCH
, "keyexch: timer has popped"); )
264 /* --- @settimer@ --- *
266 * Arguments: @keyexch *kx@ = pointer to key exchange context
267 * @time_t t@ = when to set the timer for
271 * Use: Sets the timer for the next key exchange attempt.
274 static void settimer(keyexch
*kx
, time_t t
)
277 if (kx
->f
& KXF_TIMER
)
281 sel_addtimer(&sel
, &kx
->t
, &tv
, timer
, kx
);
285 /*----- Challenge management ----------------------------------------------*/
287 /* --- Notes on challenge management --- *
289 * We may get multiple different replies to our key exchange; some will be
290 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
291 * received will be added to the table and given a full response. After
292 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
293 * our existing challenge, followed by a hash of the sender's challenge. We
294 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
295 * properly-formed cookies are assigned a table slot: if none is spare, a
296 * used slot is randomly selected and destroyed. A cookie always receives a
300 /* --- @kxc_destroy@ --- *
302 * Arguments: @kxchal *kxc@ = pointer to the challenge block
306 * Use: Disposes of a challenge block.
309 static void kxc_destroy(kxchal
*kxc
)
311 if (kxc
->f
& KXF_TIMER
)
312 sel_rmtimer(&kxc
->t
);
313 G_DESTROY(gg
, kxc
->c
);
314 G_DESTROY(gg
, kxc
->r
);
319 /* --- @kxc_stoptimer@ --- *
321 * Arguments: @kxchal *kxc@ = pointer to the challenge block
325 * Use: Stops the challenge's retry timer from sending messages.
326 * Useful when the state machine is in the endgame of the
330 static void kxc_stoptimer(kxchal
*kxc
)
332 if (kxc
->f
& KXF_TIMER
)
333 sel_rmtimer(&kxc
->t
);
334 kxc
->f
&= ~KXF_TIMER
;
337 /* --- @kxc_new@ --- *
339 * Arguments: @keyexch *kx@ = pointer to key exchange block
341 * Returns: A pointer to the challenge block.
343 * Use: Returns a pointer to a new challenge block to fill in.
346 static kxchal
*kxc_new(keyexch
*kx
)
351 /* --- If we're over reply threshold, discard one at random --- */
353 if (kx
->nr
< KX_NCHAL
)
356 i
= rand_global
.ops
->range(&rand_global
, KX_NCHAL
);
357 kxc_destroy(kx
->r
[i
]);
360 /* --- Fill in the new structure --- */
362 kxc
= CREATE(kxchal
);
363 kxc
->c
= G_CREATE(gg
);
364 kxc
->r
= G_CREATE(gg
);
372 /* --- @kxc_bychal@ --- *
374 * Arguments: @keyexch *kx@ = pointer to key exchange block
375 * @ge *c@ = challenge from remote host
377 * Returns: Pointer to the challenge block, or null.
379 * Use: Finds a challenge block, given its challenge.
382 static kxchal
*kxc_bychal(keyexch
*kx
, ge
*c
)
386 for (i
= 0; i
< kx
->nr
; i
++) {
387 if (G_EQ(gg
, c
, kx
->r
[i
]->c
))
393 /* --- @kxc_byhc@ --- *
395 * Arguments: @keyexch *kx@ = pointer to key exchange block
396 * @const octet *hc@ = challenge hash from remote host
398 * Returns: Pointer to the challenge block, or null.
400 * Use: Finds a challenge block, given a hash of its challenge.
403 static kxchal
*kxc_byhc(keyexch
*kx
, const octet
*hc
)
407 for (i
= 0; i
< kx
->nr
; i
++) {
408 if (memcmp(hc
, kx
->r
[i
]->hc
, algs
.hashsz
) == 0)
414 /* --- @kxc_answer@ --- *
416 * Arguments: @keyexch *kx@ = pointer to key exchange block
417 * @kxchal *kxc@ = pointer to challenge block
421 * Use: Sends a reply to the remote host, according to the data in
422 * this challenge block.
425 static void kxc_answer(keyexch
*kx
, kxchal
*kxc
);
427 static void kxc_timer(struct timeval
*tv
, void *v
)
430 kxc
->f
&= ~KXF_TIMER
;
431 kxc_answer(kxc
->kx
, kxc
);
434 static void kxc_answer(keyexch
*kx
, kxchal
*kxc
)
436 stats
*st
= p_stats(kx
->p
);
437 buf
*b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_REPLY
);
441 /* --- Build the reply packet --- */
443 T( trace(T_KEYEXCH
, "keyexch: sending reply to `%s'", p_name(kx
->p
)); )
444 sendchallenge(kx
, b
, kxc
->c
, kxc
->hc
);
445 buf_init(&bb
, buf_i
, sizeof(buf_i
));
446 G_TORAW(gg
, &bb
, kxc
->r
);
448 ks_encrypt(kxc
->ks
, MSG_KEYEXCH
| KX_REPLY
, &bb
, b
);
450 /* --- Update the statistics --- */
454 st
->sz_kxout
+= BLEN(b
);
458 /* --- Schedule another resend --- */
460 if (kxc
->f
& KXF_TIMER
)
461 sel_rmtimer(&kxc
->t
);
462 gettimeofday(&tv
, 0);
463 tv
.tv_sec
+= T_RETRY
;
464 sel_addtimer(&sel
, &kxc
->t
, &tv
, kxc_timer
, kxc
);
468 /*----- Individual message handlers ---------------------------------------*/
470 /* --- @doprechallenge@ --- *
472 * Arguments: @keyexch *kx@ = pointer to key exchange block
473 * @buf *b@ = buffer containing the packet
475 * Returns: Zero if OK, nonzero of the packet was rejected.
477 * Use: Processes a pre-challenge message.
480 static int doprechallenge(keyexch
*kx
, buf
*b
)
482 stats
*st
= p_stats(kx
->p
);
483 ge
*c
= G_CREATE(gg
);
486 /* --- Ensure that we're in a sensible state --- */
488 if (kx
->s
!= KXS_CHAL
) {
489 a_warn("KX", "?PEER", kx
->p
, "unexpected", "pre-challenge", A_END
);
493 /* --- Unpack the packet --- */
495 if (G_FROMBUF(gg
, b
, c
) || BLEFT(b
))
498 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
499 trace(T_CRYPTO
, "crypto: challenge = %s", gestr(gg
, c
));
502 /* --- Send out a full challenge by return --- */
504 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_CHAL
);
506 HASH_STRING(h
, "tripe-cookie");
508 sendchallenge(kx
, b
, c
, GH_DONE(h
, 0));
511 st
->sz_kxout
+= BLEN(b
);
520 if (c
) G_DESTROY(gg
, c
);
524 /* --- @respond@ --- *
526 * Arguments: @keyexch *kx@ = pointer to key exchange block
527 * @unsigned msg@ = message code for this packet
528 * @buf *b@ = buffer containing the packet
530 * Returns: Key-exchange challenge block, or null.
532 * Use: Computes a response for the given challenge, entering it into
533 * a challenge block and so on.
536 static kxchal
*respond(keyexch
*kx
, unsigned msg
, buf
*b
)
538 ge
*c
= G_CREATE(gg
);
539 ge
*r
= G_CREATE(gg
);
540 ge
*cc
= G_CREATE(gg
);
541 const octet
*hc
, *ck
;
549 /* --- Unpack the packet --- */
551 if (G_FROMBUF(gg
, b
, c
) ||
552 (hc
= buf_get(b
, algs
.hashsz
)) == 0 ||
553 (ck
= buf_get(b
, indexsz
)) == 0) {
554 a_warn("KX", "?PEER", kx
->p
, "invalid", "%s", pkname
[msg
], A_END
);
557 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
558 trace(T_CRYPTO
, "crypto: challenge = %s", gestr(gg
, c
));
559 trace_block(T_CRYPTO
, "crypto: cookie", hc
, algs
.hashsz
);
560 trace_block(T_CRYPTO
, "crypto: check-value", ck
, indexsz
);
563 /* --- Discard a packet with an invalid cookie --- */
565 if (hc
&& memcmp(hc
, kx
->hc
, algs
.hashsz
) != 0) {
566 a_warn("KX", "?PEER", kx
->p
, "incorrect", "cookie", A_END
);
570 /* --- Recover the check value and verify it --- *
572 * To avoid recomputation on replays, we store a hash of the `right'
573 * value. The `correct' value is unique, so this is right.
575 * This will also find a challenge block and, if necessary, populate it.
578 if ((kxc
= kxc_bychal(kx
, c
)) != 0) {
580 HASH_STRING(h
, "tripe-check-hash");
581 GH_HASH(h
, ck
, indexsz
);
582 ok
= !memcmp(kxc
->ck
, GH_DONE(h
, 0), algs
.hashsz
);
584 if (!ok
) goto badcheck
;
587 /* --- Compute the reply, and check the magic --- */
589 G_EXP(gg
, r
, c
, kpriv
);
590 cv
= mpunmask(MP_NEW
, ck
, indexsz
,
591 hashcheck(kx
->kpub
, kx
->c
, c
, r
), algs
.hashsz
);
592 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
593 trace(T_CRYPTO
, "crypto: computed reply = %s", gestr(gg
, r
));
594 trace(T_CRYPTO
, "crypto: recovered log = %s", mpstr(cv
));
596 if (MP_CMP(cv
, >, gg
->r
) ||
597 (G_EXP(gg
, cc
, gg
->g
, cv
), !G_EQ(gg
, c
, cc
)))
600 /* --- Fill in a new challenge block --- */
603 G_COPY(gg
, kxc
->c
, c
);
604 G_COPY(gg
, kxc
->r
, r
);
607 HASH_STRING(h
, "tripe-check-hash");
608 GH_HASH(h
, ck
, indexsz
);
613 HASH_STRING(h
, "tripe-cookie");
618 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
619 trace_block(T_CRYPTO
, "crypto: computed cookie", kxc
->hc
, algs
.hashsz
);
622 /* --- Work out the shared key --- */
624 G_EXP(gg
, r
, c
, kx
->alpha
);
625 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
626 trace(T_CRYPTO
, "crypto: shared secret = %s", gestr(gg
, r
));
629 /* --- Compute the switch messages --- */
631 h
= GH_INIT(algs
.h
); HASH_STRING(h
, "tripe-switch-request");
632 hashge(h
, kx
->c
); hashge(h
, kxc
->c
);
633 GH_DONE(h
, kxc
->hswrq_out
); GH_DESTROY(h
);
634 h
= GH_INIT(algs
.h
); HASH_STRING(h
, "tripe-switch-confirm");
635 hashge(h
, kx
->c
); hashge(h
, kxc
->c
);
636 GH_DONE(h
, kxc
->hswok_out
); GH_DESTROY(h
);
638 h
= GH_INIT(algs
.h
); HASH_STRING(h
, "tripe-switch-request");
639 hashge(h
, kxc
->c
); hashge(h
, kx
->c
);
640 GH_DONE(h
, kxc
->hswrq_in
); GH_DESTROY(h
);
641 h
= GH_INIT(algs
.h
); HASH_STRING(h
, "tripe-switch-confirm");
642 hashge(h
, kxc
->c
); hashge(h
, kx
->c
);
643 GH_DONE(h
, kxc
->hswok_in
); GH_DESTROY(h
);
645 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
646 trace_block(T_CRYPTO
, "crypto: outbound switch request",
647 kxc
->hswrq_out
, algs
.hashsz
);
648 trace_block(T_CRYPTO
, "crypto: outbound switch confirm",
649 kxc
->hswok_out
, algs
.hashsz
);
650 trace_block(T_CRYPTO
, "crypto: inbound switch request",
651 kxc
->hswrq_in
, algs
.hashsz
);
652 trace_block(T_CRYPTO
, "crypto: inbound switch confirm",
653 kxc
->hswok_in
, algs
.hashsz
);
656 /* --- Create a new symmetric keyset --- */
658 buf_init(&bb
, buf_o
, sizeof(buf_o
));
659 G_TOBUF(gg
, &bb
, kx
->c
); x
= BLEN(&bb
);
660 G_TOBUF(gg
, &bb
, kxc
->c
); y
= BLEN(&bb
);
661 G_TOBUF(gg
, &bb
, r
); z
= BLEN(&bb
);
664 kxc
->ks
= ks_gen(BBASE(&bb
), x
, y
, z
, kx
->p
);
674 a_warn("KX", "?PEER", kx
->p
, "bad-expected-reply-log", A_END
);
684 /* --- @dochallenge@ --- *
686 * Arguments: @keyexch *kx@ = pointer to key exchange block
687 * @unsigned msg@ = message code for the packet
688 * @buf *b@ = buffer containing the packet
690 * Returns: Zero if OK, nonzero if the packet was rejected.
692 * Use: Processes a packet containing a challenge.
695 static int dochallenge(keyexch
*kx
, buf
*b
)
699 if (kx
->s
!= KXS_CHAL
) {
700 a_warn("KX", "?PEER", kx
->p
, "unexpected", "challenge", A_END
);
703 if ((kxc
= respond(kx
, KX_CHAL
, b
)) == 0)
706 a_warn("KX", "?PEER", kx
->p
, "invalid", "challenge", A_END
);
716 /* --- @resend@ --- *
718 * Arguments: @keyexch *kx@ = pointer to key exchange context
722 * Use: Sends the next message for a key exchange.
725 static void resend(keyexch
*kx
)
729 stats
*st
= p_stats(kx
->p
);
734 T( trace(T_KEYEXCH
, "keyexch: sending prechallenge to `%s'",
736 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_PRECHAL
);
737 G_TOBUF(gg
, b
, kx
->c
);
740 T( trace(T_KEYEXCH
, "keyexch: sending switch request to `%s'",
743 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_SWITCH
);
744 buf_put(b
, kx
->hc
, algs
.hashsz
);
745 buf_put(b
, kxc
->hc
, algs
.hashsz
);
746 buf_init(&bb
, buf_i
, sizeof(buf_i
));
747 G_TORAW(gg
, &bb
, kxc
->r
);
748 buf_put(&bb
, kxc
->hswrq_out
, algs
.hashsz
);
750 ks_encrypt(kxc
->ks
, MSG_KEYEXCH
| KX_SWITCH
, &bb
, b
);
753 T( trace(T_KEYEXCH
, "keyexch: sending switch confirmation to `%s'",
756 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_SWITCHOK
);
757 buf_init(&bb
, buf_i
, sizeof(buf_i
));
758 buf_put(&bb
, kxc
->hswok_out
, algs
.hashsz
);
760 ks_encrypt(kxc
->ks
, MSG_KEYEXCH
| KX_SWITCHOK
, &bb
, b
);
768 st
->sz_kxout
+= BLEN(b
);
772 if (kx
->s
< KXS_SWITCH
)
773 settimer(kx
, time(0) + T_RETRY
);
776 /* --- @decryptrest@ --- *
778 * Arguments: @keyexch *kx@ = pointer to key exchange context
779 * @kxchal *kxc@ = pointer to challenge block
780 * @unsigned msg@ = type of incoming message
781 * @buf *b@ = encrypted remainder of the packet
783 * Returns: Zero if OK, nonzero on some kind of error.
785 * Use: Decrypts the remainder of the packet, and points @b@ at the
786 * recovered plaintext.
789 static int decryptrest(keyexch
*kx
, kxchal
*kxc
, unsigned msg
, buf
*b
)
793 buf_init(&bb
, buf_o
, sizeof(buf_o
));
794 if (ks_decrypt(kxc
->ks
, MSG_KEYEXCH
| msg
, b
, &bb
)) {
795 a_warn("KX", "?PEER", kx
->p
, "decrypt-failed", "%s", pkname
[msg
], A_END
);
798 buf_init(b
, BBASE(&bb
), BLEN(&bb
));
802 /* --- @checkresponse@ --- *
804 * Arguments: @keyexch *kx@ = pointer to key exchange context
805 * @unsigned msg@ = type of incoming message
806 * @buf *b@ = decrypted remainder of the packet
808 * Returns: Zero if OK, nonzero on some kind of error.
810 * Use: Checks a reply or switch packet, ensuring that its response
814 static int checkresponse(keyexch
*kx
, unsigned msg
, buf
*b
)
816 ge
*r
= G_CREATE(gg
);
818 if (G_FROMRAW(gg
, b
, r
)) {
819 a_warn("KX", "?PEER", kx
->p
, "invalid", "%s", pkname
[msg
], A_END
);
822 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
823 trace(T_CRYPTO
, "crypto: reply = %s", gestr(gg
, r
));
825 if (!G_EQ(gg
, r
, kx
->rx
)) {
826 a_warn("KX", "?PEER", kx
->p
, "incorrect", "response", A_END
);
838 /* --- @commit@ --- *
840 * Arguments: @keyexch *kx@ = pointer to key exchange context
841 * @kxchal *kxc@ = pointer to challenge to commit to
845 * Use: Commits to a particular challenge as being the `right' one,
846 * since a reply has arrived for it.
849 static void commit(keyexch
*kx
, kxchal
*kxc
)
853 for (i
= 0; i
< kx
->nr
; i
++) {
855 kxc_destroy(kx
->r
[i
]);
860 ksl_link(kx
->ks
, kxc
->ks
);
863 /* --- @doreply@ --- *
865 * Arguments: @keyexch *kx@ = pointer to key exchange context
866 * @buf *b@ = buffer containing packet
868 * Returns: Zero if OK, nonzero if the packet was rejected.
870 * Use: Handles a reply packet. This doesn't handle the various
871 * switch packets: they're rather too different.
874 static int doreply(keyexch
*kx
, buf
*b
)
878 if (kx
->s
!= KXS_CHAL
&& kx
->s
!= KXS_COMMIT
) {
879 a_warn("KX", "?PEER", kx
->p
, "unexpected", "reply", A_END
);
882 if ((kxc
= respond(kx
, KX_REPLY
, b
)) == 0 ||
883 decryptrest(kx
, kxc
, KX_REPLY
, b
) ||
884 checkresponse(kx
, KX_REPLY
, b
))
887 a_warn("KX", "?PEER", kx
->p
, "invalid", "reply", A_END
);
890 if (kx
->s
== KXS_CHAL
) {
901 /* --- @kxfinish@ --- *
903 * Arguments: @keyexch *kx@ = pointer to key exchange block
907 * Use: Sets everything up following a successful key exchange.
910 static void kxfinish(keyexch
*kx
)
912 kxchal
*kxc
= kx
->r
[0];
913 ks_activate(kxc
->ks
);
914 settimer(kx
, ks_tregen(kxc
->ks
));
916 a_notify("KXDONE", "?PEER", kx
->p
, A_END
);
917 p_stats(kx
->p
)->t_kx
= time(0);
920 /* --- @doswitch@ --- *
922 * Arguments: @keyexch *kx@ = pointer to key exchange block
923 * @buf *b@ = pointer to buffer containing packet
925 * Returns: Zero if OK, nonzero if the packet was rejected.
927 * Use: Handles a reply with a switch request bolted onto it.
930 static int doswitch(keyexch
*kx
, buf
*b
)
932 const octet
*hc_in
, *hc_out
, *hswrq
;
935 if ((hc_in
= buf_get(b
, algs
.hashsz
)) == 0 ||
936 (hc_out
= buf_get(b
, algs
.hashsz
)) == 0) {
937 a_warn("KX", "?PEER", kx
->p
, "invalid", "switch-rq", A_END
);
940 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
941 trace_block(T_CRYPTO
, "crypto: challenge", hc_in
, algs
.hashsz
);
942 trace_block(T_CRYPTO
, "crypto: cookie", hc_out
, algs
.hashsz
);
944 if ((kxc
= kxc_byhc(kx
, hc_in
)) == 0 ||
945 memcmp(hc_out
, kx
->hc
, algs
.hashsz
) != 0) {
946 a_warn("KX", "?PEER", kx
->p
, "incorrect", "switch-rq", A_END
);
949 if (decryptrest(kx
, kxc
, KX_SWITCH
, b
) ||
950 checkresponse(kx
, KX_SWITCH
, b
))
952 if ((hswrq
= buf_get(b
, algs
.hashsz
)) == 0 || BLEFT(b
)) {
953 a_warn("KX", "?PEER", kx
->p
, "invalid", "switch-rq", A_END
);
956 IF_TRACING(T_KEYEXCH
, {
957 trace_block(T_CRYPTO
, "crypto: switch request hash", hswrq
, algs
.hashsz
);
959 if (memcmp(hswrq
, kxc
->hswrq_in
, algs
.hashsz
) != 0) {
960 a_warn("KX", "?PEER", kx
->p
, "incorrect", "switch-rq", A_END
);
963 if (kx
->s
== KXS_CHAL
)
965 if (kx
->s
< KXS_SWITCH
)
974 /* --- @doswitchok@ --- *
976 * Arguments: @keyexch *kx@ = pointer to key exchange block
977 * @buf *b@ = pointer to buffer containing packet
979 * Returns: Zero if OK, nonzero if the packet was rejected.
981 * Use: Handles a reply with a switch request bolted onto it.
984 static int doswitchok(keyexch
*kx
, buf
*b
)
990 if (kx
->s
< KXS_COMMIT
) {
991 a_warn("KX", "?PEER", kx
->p
, "unexpected", "switch-ok", A_END
);
995 buf_init(&bb
, buf_o
, sizeof(buf_o
));
996 if (decryptrest(kx
, kxc
, KX_SWITCHOK
, b
))
998 if ((hswok
= buf_get(b
, algs
.hashsz
)) == 0 || BLEFT(b
)) {
999 a_warn("KX", "?PEER", kx
->p
, "invalid", "switch-ok", A_END
);
1002 IF_TRACING(T_KEYEXCH
, {
1003 trace_block(T_CRYPTO
, "crypto: switch confirmation hash",
1004 hswok
, algs
.hashsz
);
1006 if (memcmp(hswok
, kxc
->hswok_in
, algs
.hashsz
) != 0) {
1007 a_warn("KX", "?PEER", kx
->p
, "incorrect", "switch-ok", A_END
);
1010 if (kx
->s
< KXS_SWITCH
)
1018 /*----- Main code ---------------------------------------------------------*/
1022 * Arguments: @keyexch *kx@ = pointer to key exchange context
1026 * Use: Stops a key exchange dead in its tracks. Throws away all of
1027 * the context information. The context is left in an
1028 * inconsistent state. The only functions which understand this
1029 * state are @kx_free@ and @kx_init@ (which cause it internally
1030 * it), and @start@ (which expects it to be the prevailing
1034 static void stop(keyexch
*kx
)
1038 if (kx
->f
& KXF_DEAD
)
1041 if (kx
->f
& KXF_TIMER
)
1042 sel_rmtimer(&kx
->t
);
1043 for (i
= 0; i
< kx
->nr
; i
++)
1044 kxc_destroy(kx
->r
[i
]);
1046 G_DESTROY(gg
, kx
->c
);
1047 G_DESTROY(gg
, kx
->rx
);
1050 kx
->f
&= ~KXF_TIMER
;
1053 /* --- @start@ --- *
1055 * Arguments: @keyexch *kx@ = pointer to key exchange context
1056 * @time_t now@ = the current time
1060 * Use: Starts a new key exchange with the peer. The context must be
1061 * in the bizarre state left by @stop@ or @kx_init@.
1064 static void start(keyexch
*kx
, time_t now
)
1068 assert(kx
->f
& KXF_DEAD
);
1072 kx
->alpha
= mprand_range(MP_NEW
, gg
->r
, &rand_global
, 0);
1073 kx
->c
= G_CREATE(gg
); G_EXP(gg
, kx
->c
, gg
->g
, kx
->alpha
);
1074 kx
->rx
= G_CREATE(gg
); G_EXP(gg
, kx
->rx
, kx
->kpub
, kx
->alpha
);
1076 kx
->t_valid
= now
+ T_VALID
;
1078 h
= GH_INIT(algs
.h
);
1079 HASH_STRING(h
, "tripe-cookie");
1084 IF_TRACING(T_KEYEXCH
, {
1085 trace(T_KEYEXCH
, "keyexch: creating new challenge");
1086 IF_TRACING(T_CRYPTO
, {
1087 trace(T_CRYPTO
, "crypto: secret = %s", mpstr(kx
->alpha
));
1088 trace(T_CRYPTO
, "crypto: challenge = %s", gestr(gg
, kx
->c
));
1089 trace(T_CRYPTO
, "crypto: expected response = %s", gestr(gg
, kx
->rx
));
1090 trace_block(T_CRYPTO
, "crypto: challenge cookie", kx
->hc
, algs
.hashsz
);
1095 /* --- @checkpub@ --- *
1097 * Arguments: @keyexch *kx@ = pointer to key exchange context
1099 * Returns: Zero if OK, nonzero if the peer's public key has expired.
1101 * Use: Deactivates the key-exchange until the peer acquires a new
1105 static int checkpub(keyexch
*kx
)
1108 if (kx
->f
& KXF_DEAD
)
1111 if (KEY_EXPIRED(now
, kx
->texp_kpub
)) {
1113 a_warn("KX", "?PEER", kx
->p
, "public-key-expired", A_END
);
1114 G_COPY(gg
, kx
->kpub
, gg
->i
);
1115 kx
->f
&= ~KXF_PUBKEY
;
1121 /* --- @kx_start@ --- *
1123 * Arguments: @keyexch *kx@ = pointer to key exchange context
1124 * @int forcep@ = nonzero to ignore the quiet timer
1128 * Use: Stimulates a key exchange. If a key exchage is in progress,
1129 * a new challenge is sent (unless the quiet timer forbids
1130 * this); if no exchange is in progress, one is commenced.
1133 void kx_start(keyexch
*kx
, int forcep
)
1135 time_t now
= time(0);
1139 if (forcep
|| !VALIDP(kx
, now
)) {
1142 a_notify("KXSTART", "?PEER", kx
->p
, A_END
);
1147 /* --- @kx_message@ --- *
1149 * Arguments: @keyexch *kx@ = pointer to key exchange context
1150 * @unsigned msg@ = the message code
1151 * @buf *b@ = pointer to buffer containing the packet
1155 * Use: Reads a packet containing key exchange messages and handles
1159 void kx_message(keyexch
*kx
, unsigned msg
, buf
*b
)
1161 time_t now
= time(0);
1162 stats
*st
= p_stats(kx
->p
);
1169 if (!VALIDP(kx
, now
)) {
1174 T( trace(T_KEYEXCH
, "keyexch: processing %s packet from `%s'",
1175 msg
< KX_NMSG ? pkname
[msg
] : "unknown", p_name(kx
->p
)); )
1179 rc
= doprechallenge(kx
, b
);
1182 rc
= dochallenge(kx
, b
);
1185 rc
= doreply(kx
, b
);
1188 rc
= doswitch(kx
, b
);
1191 rc
= doswitchok(kx
, b
);
1194 a_warn("KX", "?PEER", kx
->p
, "unknown-message", "0x%02x", msg
, A_END
);
1207 /* --- @kx_free@ --- *
1209 * Arguments: @keyexch *kx@ = pointer to key exchange context
1213 * Use: Frees everything in a key exchange context.
1216 void kx_free(keyexch
*kx
)
1219 G_DESTROY(gg
, kx
->kpub
);
1222 /* --- @kx_newkeys@ --- *
1224 * Arguments: @keyexch *kx@ = pointer to key exchange context
1228 * Use: Informs the key exchange module that its keys may have
1229 * changed. If fetching the new keys fails, the peer will be
1230 * destroyed, we log messages and struggle along with the old
1234 void kx_newkeys(keyexch
*kx
)
1236 if (km_getpubkey(p_name(kx
->p
), kx
->kpub
, &kx
->texp_kpub
))
1238 kx
->f
|= KXF_PUBKEY
;
1239 if ((kx
->f
& KXF_DEAD
) || kx
->s
!= KXS_SWITCH
) {
1240 T( trace(T_KEYEXCH
, "keyexch: restarting key negotiation with `%s'",
1248 /* --- @kx_init@ --- *
1250 * Arguments: @keyexch *kx@ = pointer to key exchange context
1251 * @peer *p@ = pointer to peer context
1252 * @keyset **ks@ = pointer to keyset list
1254 * Returns: Zero if OK, nonzero if it failed.
1256 * Use: Initializes a key exchange module. The module currently
1257 * contains no keys, and will attempt to initiate a key
1261 int kx_init(keyexch
*kx
, peer
*p
, keyset
**ks
)
1265 kx
->kpub
= G_CREATE(gg
);
1266 if (km_getpubkey(p_name(p
), kx
->kpub
, &kx
->texp_kpub
)) {
1267 G_DESTROY(gg
, kx
->kpub
);
1270 kx
->f
= KXF_DEAD
| KXF_PUBKEY
;
1273 /* Don't notify here: the ADD message hasn't gone out yet. */
1277 /*----- That's all, folks -------------------------------------------------*/