3 * $Id: keyexch.c,v 1.8 2003/07/13 11:19:49 mdw Exp $
5 * Key exchange protocol
7 * (c) 2001 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Trivial IP Encryption (TrIPE).
14 * TrIPE is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * TrIPE is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with TrIPE; if not, write to the Free Software Foundation,
26 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 /*----- Revision history --------------------------------------------------*
32 * Revision 1.8 2003/07/13 11:19:49 mdw
33 * Incopatible protocol fix! Include message type code under MAC tag to prevent
34 * cut-and-paste from key-exchange messages to general packet transport.
36 * Revision 1.7 2003/05/17 11:01:28 mdw
37 * Handle flags on challenge timers correctly to prevent confusing the event
40 * Revision 1.6 2003/04/06 10:26:35 mdw
41 * Report peer name on decrypt errors.
43 * Revision 1.5 2002/01/13 14:54:40 mdw
44 * Patch up zero-knowledge property by passing an encrypted log with a
45 * challenge, so that the prover can verify that the challenge is good.
47 * Revision 1.4 2001/06/22 19:40:36 mdw
48 * Support expiry of other peers' public keys.
50 * Revision 1.3 2001/06/19 22:07:09 mdw
53 * Revision 1.2 2001/02/16 21:24:27 mdw
54 * Rewrite for new key exchange protocol.
56 * Revision 1.1 2001/02/03 20:26:37 mdw
61 /*----- Header files ------------------------------------------------------*/
65 /*----- Tunable parameters ------------------------------------------------*/
67 #define T_VALID MIN(2) /* Challenge validity period */
68 #define T_RETRY SEC(10) /* Challenge retransmit interval */
70 #define ISVALID(kx, now) ((now) < (kx)->t_valid)
72 /*----- Various utilities -------------------------------------------------*/
76 * Arguments: @HASH_CTX *r@ = pointer to hash context
77 * @mp *m@ = pointer to multiprecision integer
81 * Use: Adds the hash of a multiprecision integer to the context.
85 static void hashmp(HASH_CTX
*r
, mp
*m
)
88 buf_init(&b
, buf_t
, sizeof(buf_t
));
91 HASH(r
, BBASE(&b
), BLEN(&b
));
94 /* --- @mpcrypt@ --- *
96 * Arguments: @mp *d@ = the destination integer
97 * @mp *x@ = the plaintext/ciphertext integer
98 * @size_t sz@ = the expected size of the plaintext
99 * @const octet *k@ = pointer to key material
100 * @size_t ksz@ = size of the key
102 * Returns: The encrypted/decrypted integer.
104 * Use: Encrypts (or decrypts) a multiprecision integer using another
105 * multiprecision integer as the key. This is a slightly grotty
106 * way to do this, but it's easier than the alternatives.
109 static mp
*mpcrypt(mp
*d
, mp
*x
, size_t sz
, const octet
*k
, size_t ksz
)
113 MGF_INIT(&m
, k
, ksz
, 0);
114 mp_storeb(x
, buf_t
, sz
);
115 MGF_CRYPT(&m
, buf_t
, buf_t
, sz
);
116 return (mp_loadb(d
, buf_t
, sz
));
121 * Arguments: @struct timeval *tv@ = the current time
122 * @void *v@ = pointer to key exchange context
126 * Use: Acts when the key exchange timer goes off.
129 static void timer(struct timeval
*tv
, void *v
)
133 T( trace(T_KEYEXCH
, "keyexch: timer has popped"); )
137 /* --- @settimer@ --- *
139 * Arguments: @keyexch *kx@ = pointer to key exchange context
140 * @time_t t@ = when to set the timer for
144 * Use: Sets the timer for the next key exchange attempt.
147 static void settimer(keyexch
*kx
, time_t t
)
150 if (kx
->f
& KXF_TIMER
)
154 sel_addtimer(&sel
, &kx
->t
, &tv
, timer
, kx
);
158 /*----- Challenge management ----------------------------------------------*/
160 /* --- Notes on challenge management --- *
162 * We may get multiple different replies to our key exchange; some will be
163 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
164 * received will be added to the table and given a full response. After
165 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
166 * our existing challenge, followed by a hash of the sender's challenge. We
167 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
168 * properly-formed cookies are assigned a table slot: if none is spare, a
169 * used slot is randomly selected and destroyed. A cookie always receives a
173 /* --- @kxc_destroy@ --- *
175 * Arguments: @kxchal *kxc@ = pointer to the challenge block
179 * Use: Disposes of a challenge block.
182 static void kxc_destroy(kxchal
*kxc
)
184 if (kxc
->f
& KXF_TIMER
)
185 sel_rmtimer(&kxc
->t
);
193 /* --- @kxc_stoptimer@ --- *
195 * Arguments: @kxchal *kxc@ = pointer to the challenge block
199 * Use: Stops the challenge's retry timer from sending messages.
200 * Useful when the state machine is in the endgame of the
204 static void kxc_stoptimer(kxchal
*kxc
)
206 if (kxc
->f
& KXF_TIMER
)
207 sel_rmtimer(&kxc
->t
);
208 kxc
->f
&= ~KXF_TIMER
;
211 /* --- @kxc_new@ --- *
213 * Arguments: @keyexch *kx@ = pointer to key exchange block
215 * Returns: A pointer to the challenge block.
217 * Use: Returns a pointer to a new challenge block to fill in.
220 static kxchal
*kxc_new(keyexch
*kx
)
225 /* --- If we're over reply threshold, discard one at random --- */
227 if (kx
->nr
< KX_NCHAL
)
230 i
= rand_global
.ops
->range(&rand_global
, KX_NCHAL
);
231 kxc_destroy(kx
->r
[i
]);
234 /* --- Fill in the new structure --- */
236 kxc
= CREATE(kxchal
);
247 /* --- @kxc_bychal@ --- *
249 * Arguments: @keyexch *kx@ = pointer to key exchange block
250 * @mp *c@ = challenge from remote host
252 * Returns: Pointer to the challenge block, or null.
254 * Use: Finds a challenge block, given its challenge.
257 static kxchal
*kxc_bychal(keyexch
*kx
, mp
*c
)
261 for (i
= 0; i
< kx
->nr
; i
++) {
262 if (MP_EQ(c
, kx
->r
[i
]->c
))
268 /* --- @kxc_byhc@ --- *
270 * Arguments: @keyexch *kx@ = pointer to key exchange block
271 * @const octet *hc@ = challenge hash from remote host
273 * Returns: Pointer to the challenge block, or null.
275 * Use: Finds a challenge block, given a hash of its challenge.
278 static kxchal
*kxc_byhc(keyexch
*kx
, const octet
*hc
)
282 for (i
= 0; i
< kx
->nr
; i
++) {
283 if (memcmp(hc
, kx
->r
[i
]->hc
, HASHSZ
) == 0)
289 /* --- @kxc_answer@ --- *
291 * Arguments: @keyexch *kx@ = pointer to key exchange block
292 * @kxchal *kxc@ = pointer to challenge block
296 * Use: Sends a reply to the remote host, according to the data in
297 * this challenge block.
300 static void kxc_answer(keyexch
*kx
, kxchal
*kxc
);
302 static void kxc_timer(struct timeval
*tv
, void *v
)
305 kxc
->f
&= ~KXF_TIMER
;
306 kxc_answer(kxc
->kx
, kxc
);
309 static void kxc_answer(keyexch
*kx
, kxchal
*kxc
)
311 stats
*st
= p_stats(kx
->p
);
312 buf
*b
= p_txstart(kx
->p
, MSG_KEYEXCH
| (kxc
->r ? KX_REPLY
: KX_CHAL
));
316 /* --- Build the reply packet --- */
321 buf_put(b
, kx
->hc
, HASHSZ
);
322 buf_put(b
, kxc
->hc
, HASHSZ
);
323 buf_putmp(b
, kxc
->ck
);
325 /* --- Maybe send an actual reply, if we have one --- */
328 T( trace(T_KEYEXCH
, "keyexch: resending challenge to `%s'",
331 T( trace(T_KEYEXCH
, "keyexch: sending reply to `%s'", p_name(kx
->p
)); )
332 buf_init(&bb
, buf_i
, sizeof(buf_i
));
333 buf_putmp(&bb
, kxc
->r
);
335 ks_encrypt(kxc
->ks
, MSG_KEYEXCH
| KX_REPLY
, &bb
, b
);
338 /* --- Update the statistics --- */
342 st
->sz_kxout
+= BLEN(b
);
346 /* --- Schedule another resend --- */
348 if (kxc
->f
& KXF_TIMER
)
349 sel_rmtimer(&kxc
->t
);
350 gettimeofday(&tv
, 0);
351 tv
.tv_sec
+= T_RETRY
;
352 sel_addtimer(&sel
, &kxc
->t
, &tv
, kxc_timer
, kxc
);
356 /*----- Individual message handlers ---------------------------------------*/
358 /* --- @getreply@ --- *
360 * Arguments: @keyexch *kx@ = pointer to key exchange context
361 * @mp *c@ = a challenge
362 * @mp *ck@ = the supplied expected-reply check value
364 * Returns: A pointer to the reply, or null if the reply-hash was wrong.
366 * Use: Computes replies to challenges.
369 static mp
*getreply(keyexch
*kx
, mp
*c
, mp
*ck
)
371 mp
*r
= mpmont_exp(&mg
, MP_NEW
, c
, kpriv
.x
);
378 HASH_STRING(&h
, "tripe-expected-reply");
384 a
= mpcrypt(MP_NEW
, ck
, mp_octets(kpriv
.dp
.q
), buf
, sizeof(buf
));
385 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
386 trace(T_CRYPTO
, "crypto: computed reply = %s", mpstr(r
));
387 trace_block(T_CRYPTO
, "crypto: computed reply hash", buf
, HASHSZ
);
388 trace(T_CRYPTO
, "crypto: recovered log = %s", mpstr(a
));
390 a
= mpmont_exp(&mg
, a
, kpriv
.dp
.g
, a
);
393 a_warn("invalid expected-reply check from `%s'", p_name(kx
->p
));
394 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
395 trace(T_CRYPTO
, "crypto: computed challenge = %s", mpstr(a
));
403 /* --- @dochallenge@ --- *
405 * Arguments: @keyexch *kx@ = pointer to key exchange block
406 * @unsigned msg@ = message code for the packet
407 * @buf *b@ = buffer containing the packet
409 * Returns: Zero if OK, nonzero if the packet was rejected.
411 * Use: Processes a packet containing a challenge.
414 static int dochallenge(keyexch
*kx
, unsigned msg
, buf
*b
)
422 /* --- Ensure that we're in a sensible state --- */
424 if (kx
->s
!= KXS_CHAL
) {
425 a_warn("unexpected challenge from `%s'", p_name(kx
->p
));
429 /* --- Unpack the packet --- */
431 if ((c
= buf_getmp(b
)) == 0 ||
432 (msg
>= KX_COOKIE
&& (hc
= buf_get(b
, HASHSZ
)) == 0) ||
433 (msg
>= KX_CHAL
&& (ck
= buf_getmp(b
)) == 0) ||
435 a_warn("malformed packet from `%s'", p_name(kx
->p
));
439 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
440 trace(T_CRYPTO
, "crypto: challenge = %s", mpstr(c
));
441 if (hc
) trace_block(T_CRYPTO
, "crypto: cookie", hc
, HASHSZ
);
442 if (ck
) trace(T_CRYPTO
, "crypto: check value = %s", mpstr(ck
));
445 /* --- First, handle a bare challenge --- *
447 * If the table is heavily loaded, just emit a cookie and return.
450 if (!hc
&& kx
->nr
>= KX_THRESH
) {
451 T( trace(T_KEYEXCH
, "keyexch: too many challenges -- sending cookie"); )
452 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_COOKIE
);
455 HASH_STRING(&h
, "tripe-cookie");
457 HASH_DONE(&h
, buf_get(b
, HASHSZ
));
462 /* --- Discard a packet with an invalid cookie --- */
464 if (hc
&& memcmp(hc
, kx
->hc
, HASHSZ
) != 0) {
465 a_warn("incorrect cookie from `%s'", p_name(kx
->p
));
469 /* --- Find a challenge block for this packet --- *
471 * If there isn't one already, create a new one.
474 if ((kxc
= kxc_bychal(kx
, c
)) == 0) {
478 /* --- Be careful here --- *
480 * If this is a full challenge, and it's the first time I've seen it, I
481 * want to be able to throw it away before committing a table entry to
488 if ((r
= getreply(kx
, c
, ck
)) == 0)
495 /* --- Work out the cookie for this challenge --- */
498 HASH_STRING(&h
, "tripe-cookie");
500 HASH_DONE(&h
, kxc
->hc
);
502 /* --- Compute the expected-reply hash --- */
505 HASH_STRING(&h
, "tripe-expected-reply");
510 kxc
->ck
= mpcrypt(MP_NEW
, kx
->alpha
, mp_octets(kpriv
.dp
.q
),
513 /* --- Work out the shared key --- */
515 trace(T_CRYPTO
, "debug: c = %s", mpstr(c
));
516 trace(T_CRYPTO
, "debug: alpha = %s", mpstr(kx
->alpha
));
517 r
= mpmont_exp(&mg
, MP_NEW
, c
, kx
->alpha
);
518 trace(T_CRYPTO
, "debug: r = %s", mpstr(r
));
520 /* --- Compute the switch messages --- */
522 HASH_INIT(&h
); HASH_STRING(&h
, "tripe-switch-request");
523 hashmp(&h
, kx
->c
); hashmp(&h
, kxc
->c
);
524 HASH_DONE(&h
, kxc
->hswrq_out
);
525 HASH_INIT(&h
); HASH_STRING(&h
, "tripe-switch-confirm");
526 hashmp(&h
, kx
->c
); hashmp(&h
, kxc
->c
);
527 HASH_DONE(&h
, kxc
->hswok_out
);
529 HASH_INIT(&h
); HASH_STRING(&h
, "tripe-switch-request");
530 hashmp(&h
, kxc
->c
); hashmp(&h
, kx
->c
);
531 HASH_DONE(&h
, kxc
->hswrq_in
);
532 HASH_INIT(&h
); HASH_STRING(&h
, "tripe-switch-confirm");
533 hashmp(&h
, kxc
->c
); hashmp(&h
, kx
->c
);
534 HASH_DONE(&h
, kxc
->hswok_in
);
536 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
537 trace_block(T_CRYPTO
, "crypto: computed cookie", kxc
->hc
, HASHSZ
);
538 trace_block(T_CRYPTO
, "crypto: expected-reply hash",
540 trace(T_CRYPTO
, "crypto: my reply check = %s", mpstr(kxc
->ck
));
541 trace(T_CRYPTO
, "crypto: shared secret = %s", mpstr(r
));
542 trace_block(T_CRYPTO
, "crypto: outbound switch request",
543 kxc
->hswrq_out
, HASHSZ
);
544 trace_block(T_CRYPTO
, "crypto: outbound switch confirm",
545 kxc
->hswok_out
, HASHSZ
);
546 trace_block(T_CRYPTO
, "crypto: inbound switch request",
547 kxc
->hswrq_in
, HASHSZ
);
548 trace_block(T_CRYPTO
, "crypto: inbound switch confirm",
549 kxc
->hswok_in
, HASHSZ
);
552 /* --- Create a new symmetric keyset --- */
554 buf_init(b
, buf_o
, sizeof(buf_o
));
555 buf_putmp(b
, kx
->c
); x
= BLEN(b
);
556 buf_putmp(b
, kxc
->c
); y
= BLEN(b
);
557 buf_putmp(b
, r
); z
= BLEN(b
);
560 kxc
->ks
= ks_gen(BBASE(b
), x
, y
, z
, kx
->p
);
564 /* --- Answer the challenge if we need to --- */
568 if ((r
= getreply(kx
, c
, ck
)) == 0)
575 /* --- Tidy up and go home --- */
588 /* --- @resend@ --- *
590 * Arguments: @keyexch *kx@ = pointer to key exchange context
594 * Use: Sends the next message for a key exchange.
597 static void resend(keyexch
*kx
)
601 stats
*st
= p_stats(kx
->p
);
606 T( trace(T_KEYEXCH
, "keyexch: sending prechallenge to `%s'",
608 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_PRECHAL
);
612 T( trace(T_KEYEXCH
, "keyexch: sending switch request to `%s'",
615 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_SWITCH
);
616 buf_put(b
, kx
->hc
, HASHSZ
);
617 buf_put(b
, kxc
->hc
, HASHSZ
);
618 buf_init(&bb
, buf_i
, sizeof(buf_i
));
619 buf_putmp(&bb
, kxc
->r
);
620 buf_put(&bb
, kxc
->hswrq_out
, HASHSZ
);
622 ks_encrypt(kxc
->ks
, MSG_KEYEXCH
| KX_SWITCH
, &bb
, b
);
625 T( trace(T_KEYEXCH
, "keyexch: sending switch confirmation to `%s'",
628 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_SWITCHOK
);
629 buf_init(&bb
, buf_i
, sizeof(buf_i
));
630 buf_put(&bb
, kxc
->hswok_out
, HASHSZ
);
632 ks_encrypt(kxc
->ks
, MSG_KEYEXCH
| KX_SWITCHOK
, &bb
, b
);
640 st
->sz_kxout
+= BLEN(b
);
644 if (kx
->s
< KXS_SWITCH
)
645 settimer(kx
, time(0) + T_RETRY
);
648 /* --- @matchreply@ --- *
650 * Arguments: @keyexch *kx@ = pointer to key exchange context
651 * @unsigned ty@ = type of incoming message
652 * @const octet *hc_in@ = a hash of his challenge
653 * @const octet *hc_out@ = a hash of my challenge (cookie)
654 * @mp *ck@ = his expected-reply hash (optional)
655 * @buf *b@ = encrypted remainder of the packet
657 * Returns: A pointer to the challenge block if OK, or null on failure.
659 * Use: Checks a reply or switch packet, ensuring that its contents
660 * are sensible and correct. If they are, @*b@ is set to point
661 * to the remainder of the encrypted data, and the correct
662 * challenge is returned.
665 static kxchal
*matchreply(keyexch
*kx
, unsigned ty
, const octet
*hc_in
,
666 const octet
*hc_out
, mp
*ck
, buf
*b
)
672 /* --- Check the plaintext portions of the data --- */
674 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
675 trace_block(T_CRYPTO
, "crypto: challenge", hc_in
, HASHSZ
);
676 trace_block(T_CRYPTO
, "crypto: cookie", hc_out
, HASHSZ
);
677 if (ck
) trace(T_CRYPTO
, "crypto: check value = %s", mpstr(ck
));
679 if (memcmp(hc_out
, kx
->hc
, HASHSZ
) != 0) {
680 a_warn("incorrect cookie from `%s'", p_name(kx
->p
));
683 if ((kxc
= kxc_byhc(kx
, hc_in
)) == 0) {
684 a_warn("received reply for unknown challenge from `%s'", p_name(kx
->p
));
688 /* --- Maybe compute a reply for the challenge --- */
692 a_warn("unexpected switch request from `%s'", p_name(kx
->p
));
695 if ((r
= getreply(kx
, kxc
->c
, ck
)) == 0)
701 /* --- Decrypt the rest of the packet --- */
703 buf_init(&bb
, buf_o
, sizeof(buf_o
));
704 if (ks_decrypt(kxc
->ks
, ty
, b
, &bb
)) {
705 a_warn("failed to decrypt reply from `%s'", p_name(kx
->p
));
708 buf_init(b
, BBASE(&bb
), BLEN(&bb
));
709 if ((r
= buf_getmp(b
)) == 0) {
710 a_warn("invalid reply packet from `%s'", p_name(kx
->p
));
713 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
714 trace(T_CRYPTO
, "crypto: reply = %s", mpstr(r
));
716 if (!mp_eq(r
, kx
->rx
)) {
717 a_warn("incorrect reply from `%s'", p_name(kx
->p
));
731 /* --- @commit@ --- *
733 * Arguments: @keyexch *kx@ = pointer to key exchange context
734 * @kxchal *kxc@ = pointer to challenge to commit to
738 * Use: Commits to a particular challenge as being the `right' one,
739 * since a reply has arrived for it.
742 static void commit(keyexch
*kx
, kxchal
*kxc
)
746 for (i
= 0; i
< kx
->nr
; i
++) {
748 kxc_destroy(kx
->r
[i
]);
753 ksl_link(kx
->ks
, kxc
->ks
);
756 /* --- @doreply@ --- *
758 * Arguments: @keyexch *kx@ = pointer to key exchange context
759 * @buf *b@ = buffer containing packet
761 * Returns: Zero if OK, nonzero if the packet was rejected.
763 * Use: Handles a reply packet. This doesn't handle the various
764 * switch packets: they're rather too different.
767 static int doreply(keyexch
*kx
, buf
*b
)
769 const octet
*hc_in
, *hc_out
;
773 if (kx
->s
!= KXS_CHAL
&& kx
->s
!= KXS_COMMIT
) {
774 a_warn("unexpected reply from `%s'", p_name(kx
->p
));
777 if ((hc_in
= buf_get(b
, HASHSZ
)) == 0 ||
778 (hc_out
= buf_get(b
, HASHSZ
)) == 0 ||
779 (ck
= buf_getmp(b
)) == 0) {
780 a_warn("invalid reply packet from `%s'", p_name(kx
->p
));
783 if ((kxc
= matchreply(kx
, MSG_KEYEXCH
| KX_REPLY
,
784 hc_in
, hc_out
, ck
, b
)) == 0)
787 a_warn("invalid reply packet from `%s'", p_name(kx
->p
));
790 if (kx
->s
== KXS_CHAL
) {
802 /* --- @doswitch@ --- *
804 * Arguments: @keyexch *kx@ = pointer to key exchange block
805 * @buf *b@ = pointer to buffer containing packet
807 * Returns: Zero if OK, nonzero if the packet was rejected.
809 * Use: Handles a reply with a switch request bolted onto it.
812 static int doswitch(keyexch
*kx
, buf
*b
)
814 const octet
*hc_in
, *hc_out
, *hswrq
;
817 if ((hc_in
= buf_get(b
, HASHSZ
)) == 0 ||
818 (hc_out
= buf_get(b
, HASHSZ
)) == 0) {
819 a_warn("invalid switch request from `%s'", p_name(kx
->p
));
822 if ((kxc
= matchreply(kx
, MSG_KEYEXCH
| KX_SWITCH
,
823 hc_in
, hc_out
, 0, b
)) == 0)
825 if ((hswrq
= buf_get(b
, HASHSZ
)) == 0 || BLEFT(b
)) {
826 a_warn("invalid switch request from `%s'", p_name(kx
->p
));
829 IF_TRACING(T_KEYEXCH
, {
830 trace_block(T_CRYPTO
, "crypto: switch request hash", hswrq
, HASHSZ
);
832 if (memcmp(hswrq
, kxc
->hswrq_in
, HASHSZ
) != 0) {
833 a_warn("incorrect switch request hash from `%s'", p_name(kx
->p
));
840 ks_activate(kxc
->ks
);
841 settimer(kx
, ks_tregen(kxc
->ks
));
852 /* --- @doswitchok@ --- *
854 * Arguments: @keyexch *kx@ = pointer to key exchange block
855 * @buf *b@ = pointer to buffer containing packet
857 * Returns: Zero if OK, nonzero if the packet was rejected.
859 * Use: Handles a reply with a switch request bolted onto it.
862 static int doswitchok(keyexch
*kx
, buf
*b
)
868 if (kx
->s
< KXS_COMMIT
) {
869 a_warn("unexpected switch confirmation from `%s'", p_name(kx
->p
));
873 buf_init(&bb
, buf_o
, sizeof(buf_o
));
874 if (ks_decrypt(kxc
->ks
, MSG_KEYEXCH
| KX_SWITCHOK
, b
, &bb
)) {
875 a_warn("failed to decrypt switch confirmation from `%s'", p_name(kx
->p
));
878 buf_init(b
, BBASE(&bb
), BLEN(&bb
));
879 if ((hswok
= buf_get(b
, HASHSZ
)) == 0 || BLEFT(b
)) {
880 a_warn("invalid switch confirmation from `%s'", p_name(kx
->p
));
883 IF_TRACING(T_KEYEXCH
, {
884 trace_block(T_CRYPTO
, "crypto: switch confirmation hash", hswok
, HASHSZ
);
886 if (memcmp(hswok
, kxc
->hswok_in
, HASHSZ
) != 0) {
887 a_warn("incorrect switch confirmation hash from `%s'", p_name(kx
->p
));
890 if (kx
->s
< KXS_SWITCH
) {
891 ks_activate(kxc
->ks
);
892 settimer(kx
, ks_tregen(kxc
->ks
));
901 /*----- Main code ---------------------------------------------------------*/
905 * Arguments: @keyexch *kx@ = pointer to key exchange context
909 * Use: Stops a key exchange dead in its tracks. Throws away all of
910 * the context information. The context is left in an
911 * inconsistent state. The only functions which understand this
912 * state are @kx_free@ and @kx_init@ (which cause it internally
913 * it), and @start@ (which expects it to be the prevailing
917 static void stop(keyexch
*kx
)
921 if (kx
->f
& KXF_DEAD
)
924 if (kx
->f
& KXF_TIMER
)
926 for (i
= 0; i
< kx
->nr
; i
++)
927 kxc_destroy(kx
->r
[i
]);
938 * Arguments: @keyexch *kx@ = pointer to key exchange context
939 * @time_t now@ = the current time
943 * Use: Starts a new key exchange with the peer. The context must be
944 * in the bizarre state left by @stop@ or @kx_init@.
947 static void start(keyexch
*kx
, time_t now
)
951 assert(kx
->f
& KXF_DEAD
);
955 kx
->alpha
= mprand_range(MP_NEW
, kpriv
.dp
.q
, &rand_global
, 0);
956 kx
->c
= mpmont_exp(&mg
, MP_NEW
, kpriv
.dp
.g
, kx
->alpha
);
957 kx
->rx
= mpmont_exp(&mg
, MP_NEW
, kx
->kpub
.y
, kx
->alpha
);
959 kx
->t_valid
= now
+ T_VALID
;
962 HASH_STRING(&h
, "tripe-cookie");
964 HASH_DONE(&h
, kx
->hc
);
966 IF_TRACING(T_KEYEXCH
, {
967 trace(T_KEYEXCH
, "keyexch: creating new challenge");
968 IF_TRACING(T_CRYPTO
, {
969 trace(T_CRYPTO
, "crypto: secret = %s", mpstr(kx
->alpha
));
970 trace(T_CRYPTO
, "crypto: challenge = %s", mpstr(kx
->c
));
971 trace(T_CRYPTO
, "crypto: expected response = %s", mpstr(kx
->rx
));
972 trace_block(T_CRYPTO
, "crypto: challenge cookie", kx
->hc
, HASHSZ
);
977 /* --- @checkpub@ --- *
979 * Arguments: @keyexch *kx@ = pointer to key exchange context
981 * Returns: Zero if OK, nonzero if the peer's public key has expired.
983 * Use: Deactivates the key-exchange until the peer acquires a new
987 static int checkpub(keyexch
*kx
)
990 if (kx
->f
& KXF_DEAD
)
993 if (KEY_EXPIRED(now
, kx
->texp_kpub
)) {
995 a_warn("public key for `%s' has expired", p_name(kx
->p
));
996 dh_pubfree(&kx
->kpub
);
997 kx
->f
&= ~KXF_PUBKEY
;
1003 /* --- @kx_start@ --- *
1005 * Arguments: @keyexch *kx@ = pointer to key exchange context
1009 * Use: Stimulates a key exchange. If a key exchage is in progress,
1010 * a new challenge is sent (unless the quiet timer forbids
1011 * this); if no exchange is in progress, one is commenced.
1014 void kx_start(keyexch
*kx
)
1016 time_t now
= time(0);
1020 if (!ISVALID(kx
, now
)) {
1027 /* --- @kx_message@ --- *
1029 * Arguments: @keyexch *kx@ = pointer to key exchange context
1030 * @unsigned msg@ = the message code
1031 * @buf *b@ = pointer to buffer containing the packet
1035 * Use: Reads a packet containing key exchange messages and handles
1039 void kx_message(keyexch
*kx
, unsigned msg
, buf
*b
)
1041 time_t now
= time(0);
1042 stats
*st
= p_stats(kx
->p
);
1047 static const char *const pkname
[] = {
1048 "prechallenge", "cookie", "challenge",
1049 "reply", "switch request", "switch confirmation"
1056 if (!ISVALID(kx
, now
)) {
1061 T( trace(T_KEYEXCH
, "keyexch: processing %s packet from `%s'",
1062 msg
< KX_NMSG ? pkname
[msg
] : "unknown", p_name(kx
->p
)); )
1068 rc
= dochallenge(kx
, msg
, b
);
1071 rc
= doreply(kx
, b
);
1074 rc
= doswitch(kx
, b
);
1077 rc
= doswitchok(kx
, b
);
1080 a_warn("unexpected key exchange message type %u from `%p'",
1094 /* --- @kx_free@ --- *
1096 * Arguments: @keyexch *kx@ = pointer to key exchange context
1100 * Use: Frees everything in a key exchange context.
1103 void kx_free(keyexch
*kx
)
1106 if (kx
->f
& KXF_PUBKEY
)
1107 dh_pubfree(&kx
->kpub
);
1110 /* --- @kx_newkeys@ --- *
1112 * Arguments: @keyexch *kx@ = pointer to key exchange context
1116 * Use: Informs the key exchange module that its keys may have
1117 * changed. If fetching the new keys fails, the peer will be
1118 * destroyed, we log messages and struggle along with the old
1122 void kx_newkeys(keyexch
*kx
)
1126 if (km_getpubkey(p_name(kx
->p
), &dp
, &kx
->texp_kpub
))
1128 if (kx
->f
& KXF_PUBKEY
)
1129 dh_pubfree(&kx
->kpub
);
1131 kx
->f
|= KXF_PUBKEY
;
1132 if ((kx
->f
& KXF_DEAD
) || kx
->s
!= KXS_SWITCH
) {
1133 T( trace(T_KEYEXCH
, "keyexch: restarting key negotiation with `%s'",
1141 /* --- @kx_init@ --- *
1143 * Arguments: @keyexch *kx@ = pointer to key exchange context
1144 * @peer *p@ = pointer to peer context
1145 * @keyset **ks@ = pointer to keyset list
1147 * Returns: Zero if OK, nonzero if it failed.
1149 * Use: Initializes a key exchange module. The module currently
1150 * contains no keys, and will attempt to initiate a key
1154 int kx_init(keyexch
*kx
, peer
*p
, keyset
**ks
)
1158 if (km_getpubkey(p_name(p
), &kx
->kpub
, &kx
->texp_kpub
))
1160 kx
->f
= KXF_DEAD
| KXF_PUBKEY
;
1166 /*----- That's all, folks -------------------------------------------------*/