3 * Key exchange protocol
5 * (c) 2001 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Trivial IP Encryption (TrIPE).
12 * TrIPE is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * TrIPE is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /*----- Header files ------------------------------------------------------*/
31 /*----- Brief protocol overview -------------------------------------------*
33 * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
34 * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
35 * application of the symmetric packet protocol to a message; let
36 * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
37 * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
38 * be Bob's public key.
40 * At the beginning of the session, Alice chooses
42 * %$\rho_A \inr \{0, \ldots q - 1\}$%
46 * %$r_A = g^{\rho_A}$% Alice's challenge
47 * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
48 * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
49 * Alice's challenge check value
50 * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
51 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
52 * Alice and Bob's shared secret key
53 * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
54 * Alice's switch request value
55 * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
56 * Alice's switch confirm value
58 * The messages are then:
60 * %$\cookie{kx-pre-challenge}, r_A$%
61 * Initial greeting. In state @KXS_CHAL@.
63 * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
64 * Here's a full challenge for you to answer.
66 * %$\cookie{kx-reply}, r_A, c_B, v_A, E_K(r_B^\alpha))$%
67 * Challenge accpeted: here's the answer. Commit to my challenge. Move
70 * %$\cookie{kx-switch-rq}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
71 * Reply received: here's my reply. Committed; send data; move to
74 * %$\cookie{kx-switch-ok}, E_K(u_A))$%
75 * Switch received. Committed; send data; move to @KXS_SWITCH@.
78 /*----- Static tables -----------------------------------------------------*/
80 static const char *const pkname
[] = {
81 "pre-challenge", "challenge", "reply", "switch-rq", "switch-ok"
84 /*----- Various utilities -------------------------------------------------*/
88 * Arguments: @const keyexch *kx@ = key exchange state
89 * @time_t now@ = current time in seconds
91 * Returns: Whether the challenge in the key-exchange state is still
92 * valid or should be regenerated.
95 #define VALIDP(kx, now) ((now) < (kx)->t_valid)
99 * Arguments: @ghash *h@ = pointer to hash context
100 * @ge *x@ = pointer to group element
104 * Use: Adds the hash of a group element to the context. Corrupts
108 static void hashge(ghash
*h
, ge
*x
)
111 buf_init(&b
, buf_t
, sizeof(buf_t
));
114 GH_HASH(h
, BBASE(&b
), BLEN(&b
));
117 /* --- @mpmask@ --- *
119 * Arguments: @buf *b@ = output buffer
120 * @mp *x@ = the plaintext integer
121 * @size_t n@ = the expected size of the plaintext
122 * @const octet *k@ = pointer to key material
123 * @size_t ksz@ = size of the key
125 * Returns: Pointer to the output.
127 * Use: Masks a multiprecision integer: returns %$x \xor H(k)$%, so
128 * it's a random oracle thing rather than an encryption thing.
131 static octet
*mpmask(buf
*b
, mp
*x
, size_t n
, const octet
*k
, size_t ksz
)
136 if ((p
= buf_get(b
, n
)) == 0)
138 mgf
= GC_INIT(algs
.mgf
, k
, ksz
);
139 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
140 trace(T_CRYPTO
, "masking index = %s", mpstr(x
));
141 trace_block(T_CRYPTO
, "masking key", k
, ksz
);
143 mp_storeb(x
, buf_t
, n
);
144 GC_ENCRYPT(mgf
, buf_t
, p
, n
);
145 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
146 trace_block(T_CRYPTO
, "index plaintext", buf_t
, n
);
147 trace_block(T_CRYPTO
, "masked ciphertext", p
, n
);
153 /* --- @mpunmask@ --- *
155 * Arguments: @mp *d@ = the output integer
156 * @const octet *p@ = pointer to the ciphertext
157 * @size_t n@ = the size of the ciphertext
158 * @const octet *k@ = pointer to key material
159 * @size_t ksz@ = size of the key
161 * Returns: The decrypted integer, or null.
163 * Use: Unmasks a multiprecision integer.
166 static mp
*mpunmask(mp
*d
, const octet
*p
, size_t n
,
167 const octet
*k
, size_t ksz
)
171 mgf
= GC_INIT(algs
.mgf
, k
, ksz
);
172 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
173 trace_block(T_CRYPTO
, "unmasking key", k
, ksz
);
174 trace_block(T_CRYPTO
, "masked ciphertext", p
, n
);
176 GC_DECRYPT(mgf
, p
, buf_t
, n
);
177 d
= mp_loadb(d
, buf_t
, n
);
178 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
179 trace_block(T_CRYPTO
, "index plaintext", buf_t
, n
);
180 trace(T_CRYPTO
, "unmasked index = %s", mpstr(d
));
186 /* --- @hashcheck@ --- *
188 * Arguments: @ge *kpub@ = sender's public key
189 * @ge *cc@ = receiver's challenge
190 * @ge *c@ = sender's challenge
191 * @ge *y@ = reply to sender's challenge
193 * Returns: Pointer to the hash value (in @buf_t@)
195 * Use: Computes the check-value hash, used to mask or unmask
196 * indices to prove the validity of challenges. This computes
197 * the masking key used in challenge check values. This is
198 * really the heart of the whole thing, since it ensures that
199 * the index can be recovered from the history of hashing
200 * queries, which gives us (a) a proof that the authentication
201 * process is zero-knowledge, and (b) a proof that the whole
202 * key-exchange is deniable.
205 static const octet
*hashcheck(ge
*kpub
, ge
*cc
, ge
*c
, ge
*y
)
207 ghash
*h
= GH_INIT(algs
.h
);
209 HASH_STRING(h
, "tripe-expected-reply");
215 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
216 trace(T_CRYPTO
, "computing challenge check hash");
217 trace(T_CRYPTO
, "public key = %s", gestr(gg
, kpub
));
218 trace(T_CRYPTO
, "receiver challenge = %s", gestr(gg
, cc
));
219 trace(T_CRYPTO
, "sender challenge = %s", gestr(gg
, c
));
220 trace(T_CRYPTO
, "sender reply = %s", gestr(gg
, y
));
221 trace_block(T_CRYPTO
, "hash output", buf_t
, algs
.hashsz
);
227 /* --- @sendchallenge@ --- *
229 * Arguments: @keyexch *kx@ = pointer to key exchange block
230 * @buf *b@ = output buffer for challenge
231 * @ge *c@ = peer's actual challenge
232 * @const octet *hc@ = peer's challenge cookie
236 * Use: Writes a full challenge to the message buffer.
239 static void sendchallenge(keyexch
*kx
, buf
*b
, ge
*c
, const octet
*hc
)
241 G_TOBUF(gg
, b
, kx
->c
);
242 buf_put(b
, hc
, algs
.hashsz
);
243 mpmask(b
, kx
->alpha
, indexsz
,
244 hashcheck(kpub
, c
, kx
->c
, kx
->rx
), algs
.hashsz
);
249 * Arguments: @struct timeval *tv@ = the current time
250 * @void *v@ = pointer to key exchange context
254 * Use: Acts when the key exchange timer goes off.
257 static void timer(struct timeval
*tv
, void *v
)
261 T( trace(T_KEYEXCH
, "keyexch: timer has popped"); )
265 /* --- @settimer@ --- *
267 * Arguments: @keyexch *kx@ = pointer to key exchange context
268 * @struct timeval *tv@ = when to set the timer for
272 * Use: Sets the timer for the next key exchange attempt.
275 static void settimer(keyexch
*kx
, struct timeval
*tv
)
277 if (kx
->f
& KXF_TIMER
) sel_rmtimer(&kx
->t
);
278 sel_addtimer(&sel
, &kx
->t
, tv
, timer
, kx
);
284 * Arguments: @struct timeval *tv@ = where to write the timeval
285 * @double t@ = a time as a floating point number
289 * Use: Converts a floating-point time into a timeval.
292 static void f2tv(struct timeval
*tv
, double t
)
295 tv
->tv_usec
= (t
- tv
->tv_sec
)*MILLION
;
298 /* --- @wobble@ --- *
300 * Arguments: @double t@ = a time interval
302 * Returns: The same time interval, with a random error applied.
305 static double wobble(double t
)
307 uint32 r
= rand_global
.ops
->word(&rand_global
);
308 double w
= (r
/F_2P32
) - 0.5;
309 return (t
+ t
*w
*T_WOBBLE
);
312 /* --- @rs_time@ --- *
314 * Arguments: @retry *rs@ = current retry state
315 * @struct timeval *tv@ = where to write the result
316 * @const struct timeval *now@ = current time, or null
320 * Use: Computes a time at which to retry sending a key-exchange
321 * packet. This algorithm is subject to change, but it's
322 * currently a capped exponential backoff, slightly randomized
323 * to try to keep clients from hammering a server that's only
326 * If @now@ is null then the function works out the time for
330 static void rs_time(retry
*rs
, struct timeval
*tv
, const struct timeval
*now
)
339 if (t
> MIN(5)) t
= MIN(5);
347 f2tv(&rtv
, wobble(t
));
348 TV_ADD(tv
, now
, &rtv
);
351 /* --- @retry_reset@ --- *
353 * Arguments: @retry *rs@ = retry state
357 * Use: Resets a retry state to indicate that progress has been
358 * made. Also useful for initializing the state in the first
362 static void rs_reset(retry
*rs
) { rs
->t
= 0; }
364 /*----- Challenge management ----------------------------------------------*/
366 /* --- Notes on challenge management --- *
368 * We may get multiple different replies to our key exchange; some will be
369 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
370 * received will be added to the table and given a full response. After
371 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
372 * our existing challenge, followed by a hash of the sender's challenge. We
373 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
374 * properly-formed cookies are assigned a table slot: if none is spare, a
375 * used slot is randomly selected and destroyed. A cookie always receives a
379 /* --- @kxc_destroy@ --- *
381 * Arguments: @kxchal *kxc@ = pointer to the challenge block
385 * Use: Disposes of a challenge block.
388 static void kxc_destroy(kxchal
*kxc
)
390 if (kxc
->f
& KXF_TIMER
)
391 sel_rmtimer(&kxc
->t
);
392 G_DESTROY(gg
, kxc
->c
);
393 G_DESTROY(gg
, kxc
->r
);
398 /* --- @kxc_stoptimer@ --- *
400 * Arguments: @kxchal *kxc@ = pointer to the challenge block
404 * Use: Stops the challenge's retry timer from sending messages.
405 * Useful when the state machine is in the endgame of the
409 static void kxc_stoptimer(kxchal
*kxc
)
411 if (kxc
->f
& KXF_TIMER
)
412 sel_rmtimer(&kxc
->t
);
413 kxc
->f
&= ~KXF_TIMER
;
416 /* --- @kxc_new@ --- *
418 * Arguments: @keyexch *kx@ = pointer to key exchange block
420 * Returns: A pointer to the challenge block.
422 * Use: Returns a pointer to a new challenge block to fill in.
425 static kxchal
*kxc_new(keyexch
*kx
)
430 /* --- If we're over reply threshold, discard one at random --- */
432 if (kx
->nr
< KX_NCHAL
)
435 i
= rand_global
.ops
->range(&rand_global
, KX_NCHAL
);
436 kxc_destroy(kx
->r
[i
]);
439 /* --- Fill in the new structure --- */
441 kxc
= CREATE(kxchal
);
442 kxc
->c
= G_CREATE(gg
);
443 kxc
->r
= G_CREATE(gg
);
452 /* --- @kxc_bychal@ --- *
454 * Arguments: @keyexch *kx@ = pointer to key exchange block
455 * @ge *c@ = challenge from remote host
457 * Returns: Pointer to the challenge block, or null.
459 * Use: Finds a challenge block, given its challenge.
462 static kxchal
*kxc_bychal(keyexch
*kx
, ge
*c
)
466 for (i
= 0; i
< kx
->nr
; i
++) {
467 if (G_EQ(gg
, c
, kx
->r
[i
]->c
))
473 /* --- @kxc_byhc@ --- *
475 * Arguments: @keyexch *kx@ = pointer to key exchange block
476 * @const octet *hc@ = challenge hash from remote host
478 * Returns: Pointer to the challenge block, or null.
480 * Use: Finds a challenge block, given a hash of its challenge.
483 static kxchal
*kxc_byhc(keyexch
*kx
, const octet
*hc
)
487 for (i
= 0; i
< kx
->nr
; i
++) {
488 if (memcmp(hc
, kx
->r
[i
]->hc
, algs
.hashsz
) == 0)
494 /* --- @kxc_answer@ --- *
496 * Arguments: @keyexch *kx@ = pointer to key exchange block
497 * @kxchal *kxc@ = pointer to challenge block
501 * Use: Sends a reply to the remote host, according to the data in
502 * this challenge block.
505 static void kxc_answer(keyexch
*kx
, kxchal
*kxc
);
507 static void kxc_timer(struct timeval
*tv
, void *v
)
510 kxc
->f
&= ~KXF_TIMER
;
511 kxc_answer(kxc
->kx
, kxc
);
514 static void kxc_answer(keyexch
*kx
, kxchal
*kxc
)
516 stats
*st
= p_stats(kx
->p
);
517 buf
*b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_REPLY
);
521 /* --- Build the reply packet --- */
523 T( trace(T_KEYEXCH
, "keyexch: sending reply to `%s'", p_name(kx
->p
)); )
524 sendchallenge(kx
, b
, kxc
->c
, kxc
->hc
);
525 buf_init(&bb
, buf_i
, sizeof(buf_i
));
526 G_TORAW(gg
, &bb
, kxc
->r
);
528 ks_encrypt(kxc
->ks
, MSG_KEYEXCH
| KX_REPLY
, &bb
, b
);
530 /* --- Update the statistics --- */
534 st
->sz_kxout
+= BLEN(b
);
538 /* --- Schedule another resend --- */
540 if (kxc
->f
& KXF_TIMER
)
541 sel_rmtimer(&kxc
->t
);
542 gettimeofday(&tv
, 0);
543 rs_time(&kxc
->rs
, &tv
, &tv
);
544 sel_addtimer(&sel
, &kxc
->t
, &tv
, kxc_timer
, kxc
);
548 /*----- Individual message handlers ---------------------------------------*/
550 /* --- @doprechallenge@ --- *
552 * Arguments: @keyexch *kx@ = pointer to key exchange block
553 * @buf *b@ = buffer containing the packet
555 * Returns: Zero if OK, nonzero of the packet was rejected.
557 * Use: Processes a pre-challenge message.
560 static int doprechallenge(keyexch
*kx
, buf
*b
)
562 stats
*st
= p_stats(kx
->p
);
563 ge
*c
= G_CREATE(gg
);
566 /* --- Ensure that we're in a sensible state --- */
568 if (kx
->s
!= KXS_CHAL
) {
569 a_warn("KX", "?PEER", kx
->p
, "unexpected", "pre-challenge", A_END
);
573 /* --- Unpack the packet --- */
575 if (G_FROMBUF(gg
, b
, c
) || BLEFT(b
))
578 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
579 trace(T_CRYPTO
, "crypto: challenge = %s", gestr(gg
, c
));
582 /* --- Send out a full challenge by return --- */
584 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_CHAL
);
586 HASH_STRING(h
, "tripe-cookie");
588 sendchallenge(kx
, b
, c
, GH_DONE(h
, 0));
591 st
->sz_kxout
+= BLEN(b
);
600 if (c
) G_DESTROY(gg
, c
);
604 /* --- @respond@ --- *
606 * Arguments: @keyexch *kx@ = pointer to key exchange block
607 * @unsigned msg@ = message code for this packet
608 * @buf *b@ = buffer containing the packet
610 * Returns: Key-exchange challenge block, or null.
612 * Use: Computes a response for the given challenge, entering it into
613 * a challenge block and so on.
616 static kxchal
*respond(keyexch
*kx
, unsigned msg
, buf
*b
)
618 ge
*c
= G_CREATE(gg
);
619 ge
*r
= G_CREATE(gg
);
620 ge
*cc
= G_CREATE(gg
);
621 const octet
*hc
, *ck
;
629 /* --- Unpack the packet --- */
631 if (G_FROMBUF(gg
, b
, c
) ||
632 (hc
= buf_get(b
, algs
.hashsz
)) == 0 ||
633 (ck
= buf_get(b
, indexsz
)) == 0) {
634 a_warn("KX", "?PEER", kx
->p
, "invalid", "%s", pkname
[msg
], A_END
);
637 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
638 trace(T_CRYPTO
, "crypto: challenge = %s", gestr(gg
, c
));
639 trace_block(T_CRYPTO
, "crypto: cookie", hc
, algs
.hashsz
);
640 trace_block(T_CRYPTO
, "crypto: check-value", ck
, indexsz
);
643 /* --- Discard a packet with an invalid cookie --- */
645 if (hc
&& memcmp(hc
, kx
->hc
, algs
.hashsz
) != 0) {
646 a_warn("KX", "?PEER", kx
->p
, "incorrect", "cookie", A_END
);
650 /* --- Recover the check value and verify it --- *
652 * To avoid recomputation on replays, we store a hash of the `right'
653 * value. The `correct' value is unique, so this is right.
655 * This will also find a challenge block and, if necessary, populate it.
658 if ((kxc
= kxc_bychal(kx
, c
)) != 0) {
660 HASH_STRING(h
, "tripe-check-hash");
661 GH_HASH(h
, ck
, indexsz
);
662 ok
= !memcmp(kxc
->ck
, GH_DONE(h
, 0), algs
.hashsz
);
664 if (!ok
) goto badcheck
;
667 /* --- Compute the reply, and check the magic --- */
669 G_EXP(gg
, r
, c
, kpriv
);
670 cv
= mpunmask(MP_NEW
, ck
, indexsz
,
671 hashcheck(kx
->kpub
, kx
->c
, c
, r
), algs
.hashsz
);
672 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
673 trace(T_CRYPTO
, "crypto: computed reply = %s", gestr(gg
, r
));
674 trace(T_CRYPTO
, "crypto: recovered log = %s", mpstr(cv
));
676 if (MP_CMP(cv
, >, gg
->r
) ||
677 (G_EXP(gg
, cc
, gg
->g
, cv
), !G_EQ(gg
, c
, cc
)))
680 /* --- Fill in a new challenge block --- */
683 G_COPY(gg
, kxc
->c
, c
);
684 G_COPY(gg
, kxc
->r
, r
);
687 HASH_STRING(h
, "tripe-check-hash");
688 GH_HASH(h
, ck
, indexsz
);
693 HASH_STRING(h
, "tripe-cookie");
698 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
699 trace_block(T_CRYPTO
, "crypto: computed cookie", kxc
->hc
, algs
.hashsz
);
702 /* --- Work out the shared key --- */
704 G_EXP(gg
, r
, c
, kx
->alpha
);
705 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
706 trace(T_CRYPTO
, "crypto: shared secret = %s", gestr(gg
, r
));
709 /* --- Compute the switch messages --- */
711 h
= GH_INIT(algs
.h
); HASH_STRING(h
, "tripe-switch-request");
712 hashge(h
, kx
->c
); hashge(h
, kxc
->c
);
713 GH_DONE(h
, kxc
->hswrq_out
); GH_DESTROY(h
);
714 h
= GH_INIT(algs
.h
); HASH_STRING(h
, "tripe-switch-confirm");
715 hashge(h
, kx
->c
); hashge(h
, kxc
->c
);
716 GH_DONE(h
, kxc
->hswok_out
); GH_DESTROY(h
);
718 h
= GH_INIT(algs
.h
); HASH_STRING(h
, "tripe-switch-request");
719 hashge(h
, kxc
->c
); hashge(h
, kx
->c
);
720 GH_DONE(h
, kxc
->hswrq_in
); GH_DESTROY(h
);
721 h
= GH_INIT(algs
.h
); HASH_STRING(h
, "tripe-switch-confirm");
722 hashge(h
, kxc
->c
); hashge(h
, kx
->c
);
723 GH_DONE(h
, kxc
->hswok_in
); GH_DESTROY(h
);
725 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
726 trace_block(T_CRYPTO
, "crypto: outbound switch request",
727 kxc
->hswrq_out
, algs
.hashsz
);
728 trace_block(T_CRYPTO
, "crypto: outbound switch confirm",
729 kxc
->hswok_out
, algs
.hashsz
);
730 trace_block(T_CRYPTO
, "crypto: inbound switch request",
731 kxc
->hswrq_in
, algs
.hashsz
);
732 trace_block(T_CRYPTO
, "crypto: inbound switch confirm",
733 kxc
->hswok_in
, algs
.hashsz
);
736 /* --- Create a new symmetric keyset --- */
738 buf_init(&bb
, buf_o
, sizeof(buf_o
));
739 G_TOBUF(gg
, &bb
, kx
->c
); x
= BLEN(&bb
);
740 G_TOBUF(gg
, &bb
, kxc
->c
); y
= BLEN(&bb
);
741 G_TOBUF(gg
, &bb
, r
); z
= BLEN(&bb
);
744 kxc
->ks
= ks_gen(BBASE(&bb
), x
, y
, z
, kx
->p
);
754 a_warn("KX", "?PEER", kx
->p
, "bad-expected-reply-log", A_END
);
764 /* --- @dochallenge@ --- *
766 * Arguments: @keyexch *kx@ = pointer to key exchange block
767 * @unsigned msg@ = message code for the packet
768 * @buf *b@ = buffer containing the packet
770 * Returns: Zero if OK, nonzero if the packet was rejected.
772 * Use: Processes a packet containing a challenge.
775 static int dochallenge(keyexch
*kx
, buf
*b
)
779 if (kx
->s
!= KXS_CHAL
) {
780 a_warn("KX", "?PEER", kx
->p
, "unexpected", "challenge", A_END
);
783 if ((kxc
= respond(kx
, KX_CHAL
, b
)) == 0)
786 a_warn("KX", "?PEER", kx
->p
, "invalid", "challenge", A_END
);
796 /* --- @resend@ --- *
798 * Arguments: @keyexch *kx@ = pointer to key exchange context
802 * Use: Sends the next message for a key exchange.
805 static void resend(keyexch
*kx
)
809 stats
*st
= p_stats(kx
->p
);
815 T( trace(T_KEYEXCH
, "keyexch: sending prechallenge to `%s'",
817 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_PRECHAL
);
818 G_TOBUF(gg
, b
, kx
->c
);
821 T( trace(T_KEYEXCH
, "keyexch: sending switch request to `%s'",
824 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_SWITCH
);
825 buf_put(b
, kx
->hc
, algs
.hashsz
);
826 buf_put(b
, kxc
->hc
, algs
.hashsz
);
827 buf_init(&bb
, buf_i
, sizeof(buf_i
));
828 G_TORAW(gg
, &bb
, kxc
->r
);
829 buf_put(&bb
, kxc
->hswrq_out
, algs
.hashsz
);
831 ks_encrypt(kxc
->ks
, MSG_KEYEXCH
| KX_SWITCH
, &bb
, b
);
834 T( trace(T_KEYEXCH
, "keyexch: sending switch confirmation to `%s'",
837 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_SWITCHOK
);
838 buf_init(&bb
, buf_i
, sizeof(buf_i
));
839 buf_put(&bb
, kxc
->hswok_out
, algs
.hashsz
);
841 ks_encrypt(kxc
->ks
, MSG_KEYEXCH
| KX_SWITCHOK
, &bb
, b
);
849 st
->sz_kxout
+= BLEN(b
);
853 if (kx
->s
< KXS_SWITCH
) {
854 rs_time(&kx
->rs
, &tv
, 0);
859 /* --- @decryptrest@ --- *
861 * Arguments: @keyexch *kx@ = pointer to key exchange context
862 * @kxchal *kxc@ = pointer to challenge block
863 * @unsigned msg@ = type of incoming message
864 * @buf *b@ = encrypted remainder of the packet
866 * Returns: Zero if OK, nonzero on some kind of error.
868 * Use: Decrypts the remainder of the packet, and points @b@ at the
869 * recovered plaintext.
872 static int decryptrest(keyexch
*kx
, kxchal
*kxc
, unsigned msg
, buf
*b
)
876 buf_init(&bb
, buf_o
, sizeof(buf_o
));
877 if (ks_decrypt(kxc
->ks
, MSG_KEYEXCH
| msg
, b
, &bb
)) {
878 a_warn("KX", "?PEER", kx
->p
, "decrypt-failed", "%s", pkname
[msg
], A_END
);
881 if (!BOK(&bb
)) return (-1);
882 buf_init(b
, BBASE(&bb
), BLEN(&bb
));
886 /* --- @checkresponse@ --- *
888 * Arguments: @keyexch *kx@ = pointer to key exchange context
889 * @unsigned msg@ = type of incoming message
890 * @buf *b@ = decrypted remainder of the packet
892 * Returns: Zero if OK, nonzero on some kind of error.
894 * Use: Checks a reply or switch packet, ensuring that its response
898 static int checkresponse(keyexch
*kx
, unsigned msg
, buf
*b
)
900 ge
*r
= G_CREATE(gg
);
902 if (G_FROMRAW(gg
, b
, r
)) {
903 a_warn("KX", "?PEER", kx
->p
, "invalid", "%s", pkname
[msg
], A_END
);
906 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
907 trace(T_CRYPTO
, "crypto: reply = %s", gestr(gg
, r
));
909 if (!G_EQ(gg
, r
, kx
->rx
)) {
910 a_warn("KX", "?PEER", kx
->p
, "incorrect", "response", A_END
);
922 /* --- @commit@ --- *
924 * Arguments: @keyexch *kx@ = pointer to key exchange context
925 * @kxchal *kxc@ = pointer to challenge to commit to
929 * Use: Commits to a particular challenge as being the `right' one,
930 * since a reply has arrived for it.
933 static void commit(keyexch
*kx
, kxchal
*kxc
)
937 for (i
= 0; i
< kx
->nr
; i
++) {
939 kxc_destroy(kx
->r
[i
]);
944 ksl_link(kx
->ks
, kxc
->ks
);
947 /* --- @doreply@ --- *
949 * Arguments: @keyexch *kx@ = pointer to key exchange context
950 * @buf *b@ = buffer containing packet
952 * Returns: Zero if OK, nonzero if the packet was rejected.
954 * Use: Handles a reply packet. This doesn't handle the various
955 * switch packets: they're rather too different.
958 static int doreply(keyexch
*kx
, buf
*b
)
962 if (kx
->s
!= KXS_CHAL
&& kx
->s
!= KXS_COMMIT
) {
963 a_warn("KX", "?PEER", kx
->p
, "unexpected", "reply", A_END
);
966 if ((kxc
= respond(kx
, KX_REPLY
, b
)) == 0 ||
967 decryptrest(kx
, kxc
, KX_REPLY
, b
) ||
968 checkresponse(kx
, KX_REPLY
, b
))
971 a_warn("KX", "?PEER", kx
->p
, "invalid", "reply", A_END
);
974 if (kx
->s
== KXS_CHAL
) {
985 /* --- @kxfinish@ --- *
987 * Arguments: @keyexch *kx@ = pointer to key exchange block
991 * Use: Sets everything up following a successful key exchange.
994 static void kxfinish(keyexch
*kx
)
996 kxchal
*kxc
= kx
->r
[0];
997 struct timeval now
, tv
;
999 ks_activate(kxc
->ks
);
1000 gettimeofday(&now
, 0);
1001 f2tv(&tv
, wobble(T_REGEN
));
1002 TV_ADD(&tv
, &now
, &tv
);
1005 a_notify("KXDONE", "?PEER", kx
->p
, A_END
);
1006 p_stats(kx
->p
)->t_kx
= time(0);
1009 /* --- @doswitch@ --- *
1011 * Arguments: @keyexch *kx@ = pointer to key exchange block
1012 * @buf *b@ = pointer to buffer containing packet
1014 * Returns: Zero if OK, nonzero if the packet was rejected.
1016 * Use: Handles a reply with a switch request bolted onto it.
1019 static int doswitch(keyexch
*kx
, buf
*b
)
1021 const octet
*hc_in
, *hc_out
, *hswrq
;
1024 if ((hc_in
= buf_get(b
, algs
.hashsz
)) == 0 ||
1025 (hc_out
= buf_get(b
, algs
.hashsz
)) == 0) {
1026 a_warn("KX", "?PEER", kx
->p
, "invalid", "switch-rq", A_END
);
1029 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
1030 trace_block(T_CRYPTO
, "crypto: challenge", hc_in
, algs
.hashsz
);
1031 trace_block(T_CRYPTO
, "crypto: cookie", hc_out
, algs
.hashsz
);
1033 if ((kxc
= kxc_byhc(kx
, hc_in
)) == 0 ||
1034 memcmp(hc_out
, kx
->hc
, algs
.hashsz
) != 0) {
1035 a_warn("KX", "?PEER", kx
->p
, "incorrect", "switch-rq", A_END
);
1038 if (decryptrest(kx
, kxc
, KX_SWITCH
, b
) ||
1039 checkresponse(kx
, KX_SWITCH
, b
))
1041 if ((hswrq
= buf_get(b
, algs
.hashsz
)) == 0 || BLEFT(b
)) {
1042 a_warn("KX", "?PEER", kx
->p
, "invalid", "switch-rq", A_END
);
1045 IF_TRACING(T_KEYEXCH
, {
1046 trace_block(T_CRYPTO
, "crypto: switch request hash", hswrq
, algs
.hashsz
);
1048 if (memcmp(hswrq
, kxc
->hswrq_in
, algs
.hashsz
) != 0) {
1049 a_warn("KX", "?PEER", kx
->p
, "incorrect", "switch-rq", A_END
);
1052 if (kx
->s
== KXS_CHAL
)
1054 if (kx
->s
< KXS_SWITCH
)
1063 /* --- @doswitchok@ --- *
1065 * Arguments: @keyexch *kx@ = pointer to key exchange block
1066 * @buf *b@ = pointer to buffer containing packet
1068 * Returns: Zero if OK, nonzero if the packet was rejected.
1070 * Use: Handles a reply with a switch request bolted onto it.
1073 static int doswitchok(keyexch
*kx
, buf
*b
)
1079 if (kx
->s
< KXS_COMMIT
) {
1080 a_warn("KX", "?PEER", kx
->p
, "unexpected", "switch-ok", A_END
);
1084 buf_init(&bb
, buf_o
, sizeof(buf_o
));
1085 if (decryptrest(kx
, kxc
, KX_SWITCHOK
, b
))
1087 if ((hswok
= buf_get(b
, algs
.hashsz
)) == 0 || BLEFT(b
)) {
1088 a_warn("KX", "?PEER", kx
->p
, "invalid", "switch-ok", A_END
);
1091 IF_TRACING(T_KEYEXCH
, {
1092 trace_block(T_CRYPTO
, "crypto: switch confirmation hash",
1093 hswok
, algs
.hashsz
);
1095 if (memcmp(hswok
, kxc
->hswok_in
, algs
.hashsz
) != 0) {
1096 a_warn("KX", "?PEER", kx
->p
, "incorrect", "switch-ok", A_END
);
1099 if (kx
->s
< KXS_SWITCH
)
1107 /*----- Main code ---------------------------------------------------------*/
1111 * Arguments: @keyexch *kx@ = pointer to key exchange context
1115 * Use: Stops a key exchange dead in its tracks. Throws away all of
1116 * the context information. The context is left in an
1117 * inconsistent state. The only functions which understand this
1118 * state are @kx_free@ and @kx_init@ (which cause it internally
1119 * it), and @start@ (which expects it to be the prevailing
1123 static void stop(keyexch
*kx
)
1127 if (kx
->f
& KXF_DEAD
)
1130 if (kx
->f
& KXF_TIMER
)
1131 sel_rmtimer(&kx
->t
);
1132 for (i
= 0; i
< kx
->nr
; i
++)
1133 kxc_destroy(kx
->r
[i
]);
1135 G_DESTROY(gg
, kx
->c
);
1136 G_DESTROY(gg
, kx
->rx
);
1139 kx
->f
&= ~KXF_TIMER
;
1142 /* --- @start@ --- *
1144 * Arguments: @keyexch *kx@ = pointer to key exchange context
1145 * @time_t now@ = the current time
1149 * Use: Starts a new key exchange with the peer. The context must be
1150 * in the bizarre state left by @stop@ or @kx_init@.
1153 static void start(keyexch
*kx
, time_t now
)
1157 assert(kx
->f
& KXF_DEAD
);
1159 kx
->f
&= ~(KXF_DEAD
| KXF_CORK
);
1161 kx
->alpha
= mprand_range(MP_NEW
, gg
->r
, &rand_global
, 0);
1162 kx
->c
= G_CREATE(gg
); G_EXP(gg
, kx
->c
, gg
->g
, kx
->alpha
);
1163 kx
->rx
= G_CREATE(gg
); G_EXP(gg
, kx
->rx
, kx
->kpub
, kx
->alpha
);
1165 kx
->t_valid
= now
+ T_VALID
;
1167 h
= GH_INIT(algs
.h
);
1168 HASH_STRING(h
, "tripe-cookie");
1173 IF_TRACING(T_KEYEXCH
, {
1174 trace(T_KEYEXCH
, "keyexch: creating new challenge");
1175 IF_TRACING(T_CRYPTO
, {
1176 trace(T_CRYPTO
, "crypto: secret = %s", mpstr(kx
->alpha
));
1177 trace(T_CRYPTO
, "crypto: challenge = %s", gestr(gg
, kx
->c
));
1178 trace(T_CRYPTO
, "crypto: expected response = %s", gestr(gg
, kx
->rx
));
1179 trace_block(T_CRYPTO
, "crypto: challenge cookie", kx
->hc
, algs
.hashsz
);
1184 /* --- @checkpub@ --- *
1186 * Arguments: @keyexch *kx@ = pointer to key exchange context
1188 * Returns: Zero if OK, nonzero if the peer's public key has expired.
1190 * Use: Deactivates the key-exchange until the peer acquires a new
1194 static int checkpub(keyexch
*kx
)
1197 if (kx
->f
& KXF_DEAD
)
1200 if (KEY_EXPIRED(now
, kx
->texp_kpub
)) {
1202 a_warn("KX", "?PEER", kx
->p
, "public-key-expired", A_END
);
1203 G_COPY(gg
, kx
->kpub
, gg
->i
);
1204 kx
->f
&= ~KXF_PUBKEY
;
1210 /* --- @kx_start@ --- *
1212 * Arguments: @keyexch *kx@ = pointer to key exchange context
1213 * @int forcep@ = nonzero to ignore the quiet timer
1217 * Use: Stimulates a key exchange. If a key exchage is in progress,
1218 * a new challenge is sent (unless the quiet timer forbids
1219 * this); if no exchange is in progress, one is commenced.
1222 void kx_start(keyexch
*kx
, int forcep
)
1224 time_t now
= time(0);
1228 if (forcep
|| !VALIDP(kx
, now
)) {
1231 a_notify("KXSTART", "?PEER", kx
->p
, A_END
);
1236 /* --- @kx_message@ --- *
1238 * Arguments: @keyexch *kx@ = pointer to key exchange context
1239 * @unsigned msg@ = the message code
1240 * @buf *b@ = pointer to buffer containing the packet
1244 * Use: Reads a packet containing key exchange messages and handles
1248 void kx_message(keyexch
*kx
, unsigned msg
, buf
*b
)
1250 struct timeval now
, tv
;
1251 stats
*st
= p_stats(kx
->p
);
1255 gettimeofday(&now
, 0);
1257 if (kx
->f
& KXF_CORK
) {
1258 start(kx
, now
.tv_sec
);
1259 rs_time(&kx
->rs
, &tv
, &now
);
1261 a_notify("KXSTART", A_END
);
1267 if (!VALIDP(kx
, now
.tv_sec
)) {
1269 start(kx
, now
.tv_sec
);
1271 T( trace(T_KEYEXCH
, "keyexch: processing %s packet from `%s'",
1272 msg
< KX_NMSG ? pkname
[msg
] : "unknown", p_name(kx
->p
)); )
1276 rc
= doprechallenge(kx
, b
);
1279 rc
= dochallenge(kx
, b
);
1282 rc
= doreply(kx
, b
);
1285 rc
= doswitch(kx
, b
);
1288 rc
= doswitchok(kx
, b
);
1291 a_warn("KX", "?PEER", kx
->p
, "unknown-message", "0x%02x", msg
, A_END
);
1304 /* --- @kx_free@ --- *
1306 * Arguments: @keyexch *kx@ = pointer to key exchange context
1310 * Use: Frees everything in a key exchange context.
1313 void kx_free(keyexch
*kx
)
1316 G_DESTROY(gg
, kx
->kpub
);
1319 /* --- @kx_newkeys@ --- *
1321 * Arguments: @keyexch *kx@ = pointer to key exchange context
1325 * Use: Informs the key exchange module that its keys may have
1326 * changed. If fetching the new keys fails, the peer will be
1327 * destroyed, we log messages and struggle along with the old
1331 void kx_newkeys(keyexch
*kx
)
1333 if (km_getpubkey(p_tag(kx
->p
), kx
->kpub
, &kx
->texp_kpub
))
1335 kx
->f
|= KXF_PUBKEY
;
1336 if ((kx
->f
& KXF_DEAD
) || kx
->s
!= KXS_SWITCH
) {
1337 T( trace(T_KEYEXCH
, "keyexch: restarting key negotiation with `%s'",
1345 /* --- @kx_init@ --- *
1347 * Arguments: @keyexch *kx@ = pointer to key exchange context
1348 * @peer *p@ = pointer to peer context
1349 * @keyset **ks@ = pointer to keyset list
1350 * @unsigned f@ = various useful flags
1352 * Returns: Zero if OK, nonzero if it failed.
1354 * Use: Initializes a key exchange module. The module currently
1355 * contains no keys, and will attempt to initiate a key
1359 int kx_init(keyexch
*kx
, peer
*p
, keyset
**ks
, unsigned f
)
1363 kx
->kpub
= G_CREATE(gg
);
1364 if (km_getpubkey(p_tag(p
), kx
->kpub
, &kx
->texp_kpub
)) {
1365 G_DESTROY(gg
, kx
->kpub
);
1368 kx
->f
= KXF_DEAD
| KXF_PUBKEY
| f
;
1370 if (!(kx
->f
& KXF_CORK
)) {
1373 /* Don't notify here: the ADD message hasn't gone out yet. */
1378 /*----- That's all, folks -------------------------------------------------*/