5 * Key exchange protocol
7 * (c) 2001 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Trivial IP Encryption (TrIPE).
14 * TrIPE is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * TrIPE is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with TrIPE; if not, write to the Free Software Foundation,
26 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 /*----- Header files ------------------------------------------------------*/
33 /*----- Brief protocol overview -------------------------------------------*
35 * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
36 * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
37 * application of the symmetric packet protocol to a message; let
38 * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
39 * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
40 * be Bob's public key.
42 * At the beginning of the session, Alice chooses
44 * %$\rho_A \inr \{0, \ldots q - 1\}$%
48 * %$r_A = g^{\rho_A}$% Alice's challenge
49 * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
50 * %$v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})$%
51 * Alice's challenge check value
52 * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
53 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
54 * Alice and Bob's shared secret key
55 * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
56 * Alice's switch request value
57 * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
58 * Alice's switch confirm value
60 * The messages are then:
62 * %$\cookie{kx-pre-challenge}, r_A$%
63 * Initial greeting. In state @KXS_CHAL@.
65 * %$\cookie{kx-cookie}, r_A, c_B$%
66 * My table is full but I got your message.
68 * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
69 * Here's a full challenge for you to answer.
71 * %$\cookie{kx-reply}, c_A, c_B, v_A, E_K(r_B^\alpha))$%
72 * Challenge accpeted: here's the answer. Commit to my challenge. Move
75 * %$\cookie{kx-switch-rq}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
76 * Reply received: here's my reply. Committed; send data; move to
79 * %$\cookie{kx-switch-ok}, E_K(u_A))$%
80 * Switch received. Committed; send data; move to @KXS_SWITCH@.
83 /*----- Tunable parameters ------------------------------------------------*/
85 #define T_VALID MIN(2) /* Challenge validity period */
86 #define T_RETRY SEC(10) /* Challenge retransmit interval */
88 #define VALIDP(kx, now) ((now) < (kx)->t_valid)
90 /*----- Static tables -----------------------------------------------------*/
92 static const char *const pkname
[] = {
93 "pre-challenge", "cookie", "challenge",
94 "reply", "switch-rq", "switch-ok"
97 /*----- Various utilities -------------------------------------------------*/
101 * Arguments: @ghash *h@ = pointer to hash context
102 * @ge *x@ = pointer to group element
106 * Use: Adds the hash of a group element to the context. Corrupts
110 static void hashge(ghash
*h
, ge
*x
)
113 buf_init(&b
, buf_t
, sizeof(buf_t
));
116 GH_HASH(h
, BBASE(&b
), BLEN(&b
));
119 /* --- @mpencrypt@, @mpdecrypt@ --- *
121 * Arguments: @mp *d@ = the destination integer
122 * @mp *x@ = the plaintext/ciphertext integer
123 * @size_t sz@ = the expected size of the plaintext
124 * @const octet *k@ = pointer to key material
126 * Returns: The encrypted/decrypted integer.
128 * Use: Encrypts (or decrypts) a multiprecision integer. In fact,
129 * the title is a bit of a misnomer: we actually compute
130 * %$x \xor H(k)$%, so it's a random oracle thing rather than an
134 static mp
*mpencrypt(mp
*d
, mp
*x
, size_t sz
, const octet
*k
)
138 mgf
= GC_INIT(algs
.mgf
, k
, algs
.hashsz
);
139 mp_storeb(x
, buf_t
, sz
);
140 GC_ENCRYPT(mgf
, buf_t
, buf_t
, sz
);
142 return (mp_loadb(d
, buf_t
, sz
));
145 static mp
*mpdecrypt(mp
*d
, mp
*x
, size_t sz
, const octet
*k
)
149 mgf
= GC_INIT(algs
.mgf
, k
, algs
.hashsz
);
150 mp_storeb(x
, buf_t
, sz
);
151 GC_DECRYPT(mgf
, buf_t
, buf_t
, sz
);
153 return (mp_loadb(d
, buf_t
, sz
));
158 * Arguments: @struct timeval *tv@ = the current time
159 * @void *v@ = pointer to key exchange context
163 * Use: Acts when the key exchange timer goes off.
166 static void timer(struct timeval
*tv
, void *v
)
170 T( trace(T_KEYEXCH
, "keyexch: timer has popped"); )
174 /* --- @settimer@ --- *
176 * Arguments: @keyexch *kx@ = pointer to key exchange context
177 * @time_t t@ = when to set the timer for
181 * Use: Sets the timer for the next key exchange attempt.
184 static void settimer(keyexch
*kx
, time_t t
)
187 if (kx
->f
& KXF_TIMER
)
191 sel_addtimer(&sel
, &kx
->t
, &tv
, timer
, kx
);
195 /*----- Challenge management ----------------------------------------------*/
197 /* --- Notes on challenge management --- *
199 * We may get multiple different replies to our key exchange; some will be
200 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
201 * received will be added to the table and given a full response. After
202 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
203 * our existing challenge, followed by a hash of the sender's challenge. We
204 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
205 * properly-formed cookies are assigned a table slot: if none is spare, a
206 * used slot is randomly selected and destroyed. A cookie always receives a
210 /* --- @kxc_destroy@ --- *
212 * Arguments: @kxchal *kxc@ = pointer to the challenge block
216 * Use: Disposes of a challenge block.
219 static void kxc_destroy(kxchal
*kxc
)
221 if (kxc
->f
& KXF_TIMER
)
222 sel_rmtimer(&kxc
->t
);
223 G_DESTROY(gg
, kxc
->c
);
224 if (kxc
->r
) G_DESTROY(gg
, kxc
->r
);
230 /* --- @kxc_stoptimer@ --- *
232 * Arguments: @kxchal *kxc@ = pointer to the challenge block
236 * Use: Stops the challenge's retry timer from sending messages.
237 * Useful when the state machine is in the endgame of the
241 static void kxc_stoptimer(kxchal
*kxc
)
243 if (kxc
->f
& KXF_TIMER
)
244 sel_rmtimer(&kxc
->t
);
245 kxc
->f
&= ~KXF_TIMER
;
248 /* --- @kxc_new@ --- *
250 * Arguments: @keyexch *kx@ = pointer to key exchange block
252 * Returns: A pointer to the challenge block.
254 * Use: Returns a pointer to a new challenge block to fill in.
257 static kxchal
*kxc_new(keyexch
*kx
)
262 /* --- If we're over reply threshold, discard one at random --- */
264 if (kx
->nr
< KX_NCHAL
)
267 i
= rand_global
.ops
->range(&rand_global
, KX_NCHAL
);
268 kxc_destroy(kx
->r
[i
]);
271 /* --- Fill in the new structure --- */
273 kxc
= CREATE(kxchal
);
274 kxc
->c
= G_CREATE(gg
);
284 /* --- @kxc_bychal@ --- *
286 * Arguments: @keyexch *kx@ = pointer to key exchange block
287 * @ge *c@ = challenge from remote host
289 * Returns: Pointer to the challenge block, or null.
291 * Use: Finds a challenge block, given its challenge.
294 static kxchal
*kxc_bychal(keyexch
*kx
, ge
*c
)
298 for (i
= 0; i
< kx
->nr
; i
++) {
299 if (G_EQ(gg
, c
, kx
->r
[i
]->c
))
305 /* --- @kxc_byhc@ --- *
307 * Arguments: @keyexch *kx@ = pointer to key exchange block
308 * @const octet *hc@ = challenge hash from remote host
310 * Returns: Pointer to the challenge block, or null.
312 * Use: Finds a challenge block, given a hash of its challenge.
315 static kxchal
*kxc_byhc(keyexch
*kx
, const octet
*hc
)
319 for (i
= 0; i
< kx
->nr
; i
++) {
320 if (memcmp(hc
, kx
->r
[i
]->hc
, algs
.hashsz
) == 0)
326 /* --- @kxc_answer@ --- *
328 * Arguments: @keyexch *kx@ = pointer to key exchange block
329 * @kxchal *kxc@ = pointer to challenge block
333 * Use: Sends a reply to the remote host, according to the data in
334 * this challenge block.
337 static void kxc_answer(keyexch
*kx
, kxchal
*kxc
);
339 static void kxc_timer(struct timeval
*tv
, void *v
)
342 kxc
->f
&= ~KXF_TIMER
;
343 kxc_answer(kxc
->kx
, kxc
);
346 static void kxc_answer(keyexch
*kx
, kxchal
*kxc
)
348 stats
*st
= p_stats(kx
->p
);
349 buf
*b
= p_txstart(kx
->p
, MSG_KEYEXCH
| (kxc
->r ? KX_REPLY
: KX_CHAL
));
353 /* --- Build the reply packet --- */
356 G_TOBUF(gg
, b
, kx
->c
);
358 buf_put(b
, kx
->hc
, algs
.hashsz
);
359 buf_put(b
, kxc
->hc
, algs
.hashsz
);
360 buf_putmp(b
, kxc
->ck
);
362 /* --- Maybe send an actual reply, if we have one --- */
365 T( trace(T_KEYEXCH
, "keyexch: resending challenge to `%s'",
368 T( trace(T_KEYEXCH
, "keyexch: sending reply to `%s'", p_name(kx
->p
)); )
369 buf_init(&bb
, buf_i
, sizeof(buf_i
));
370 G_TOBUF(gg
, &bb
, kxc
->r
);
372 ks_encrypt(kxc
->ks
, MSG_KEYEXCH
| KX_REPLY
, &bb
, b
);
375 /* --- Update the statistics --- */
379 st
->sz_kxout
+= BLEN(b
);
383 /* --- Schedule another resend --- */
385 if (kxc
->f
& KXF_TIMER
)
386 sel_rmtimer(&kxc
->t
);
387 gettimeofday(&tv
, 0);
388 tv
.tv_sec
+= T_RETRY
;
389 sel_addtimer(&sel
, &kxc
->t
, &tv
, kxc_timer
, kxc
);
393 /*----- Individual message handlers ---------------------------------------*/
395 /* --- @getreply@ --- *
397 * Arguments: @keyexch *kx@ = pointer to key exchange context
398 * @ge *c@ = a challenge
399 * @mp *ck@ = the supplied expected-reply check value
401 * Returns: A pointer to the reply, or null if the reply-hash was wrong.
403 * Use: Computes replies to challenges.
406 static ge
*getreply(keyexch
*kx
, ge
*c
, mp
*ck
)
408 ge
*r
= G_CREATE(gg
);
409 ge
*y
= G_CREATE(gg
);
415 G_EXP(gg
, r
, c
, kpriv
);
417 HASH_STRING(h
, "tripe-expected-reply");
423 a
= mpdecrypt(MP_NEW
, ck
, mp_octets(gg
->r
), hh
);
424 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
425 trace(T_CRYPTO
, "crypto: computed reply = %s", gestr(gg
, r
));
426 trace_block(T_CRYPTO
, "crypto: computed reply hash", hh
, algs
.hashsz
);
427 trace(T_CRYPTO
, "crypto: recovered log = %s", mpstr(a
));
430 G_EXP(gg
, y
, gg
->g
, a
);
433 a_warn("KX", "?PEER", kx
->p
, "bad-expected-reply-log", A_END
);
434 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
435 trace(T_CRYPTO
, "crypto: computed challenge = %s", gestr(gg
, y
));
445 /* --- @dochallenge@ --- *
447 * Arguments: @keyexch *kx@ = pointer to key exchange block
448 * @unsigned msg@ = message code for the packet
449 * @buf *b@ = buffer containing the packet
451 * Returns: Zero if OK, nonzero if the packet was rejected.
453 * Use: Processes a packet containing a challenge.
456 static int dochallenge(keyexch
*kx
, unsigned msg
, buf
*b
)
458 ge
*c
= G_CREATE(gg
);
464 /* --- Ensure that we're in a sensible state --- */
466 if (kx
->s
!= KXS_CHAL
) {
467 a_warn("KX", "?PEER", kx
->p
, "unexpected", "%s", pkname
[msg
], A_END
);
471 /* --- Unpack the packet --- */
473 if (G_FROMBUF(gg
, b
, c
) ||
474 (msg
>= KX_COOKIE
&& (hc
= buf_get(b
, algs
.hashsz
)) == 0) ||
475 (msg
>= KX_CHAL
&& (ck
= buf_getmp(b
)) == 0) ||
477 a_warn("KX", "?PEER", kx
->p
, "invalid", "%s", pkname
[msg
], A_END
);
481 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
482 trace(T_CRYPTO
, "crypto: challenge = %s", gestr(gg
, c
));
483 if (hc
) trace_block(T_CRYPTO
, "crypto: cookie", hc
, algs
.hashsz
);
484 if (ck
) trace(T_CRYPTO
, "crypto: check value = %s", mpstr(ck
));
487 /* --- First, handle a bare challenge --- *
489 * If the table is heavily loaded, just emit a cookie and return.
492 if (!hc
&& kx
->nr
>= KX_THRESH
) {
493 T( trace(T_KEYEXCH
, "keyexch: too many challenges -- sending cookie"); )
494 a_warn("KX", "?PEER", p_name
, "sending-cookie", A_END
);
495 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_COOKIE
);
496 G_TOBUF(gg
, b
, kx
->c
);
498 HASH_STRING(h
, "tripe-cookie");
500 GH_DONE(h
, buf_get(b
, algs
.hashsz
));
506 /* --- Discard a packet with an invalid cookie --- */
508 if (hc
&& memcmp(hc
, kx
->hc
, algs
.hashsz
) != 0) {
509 a_warn("KX", "?PEER", "incorrect", "cookie", A_END
);
513 /* --- Find a challenge block for this packet --- *
515 * If there isn't one already, create a new one.
518 if ((kxc
= kxc_bychal(kx
, c
)) == 0) {
522 /* --- Be careful here --- *
524 * If this is a full challenge, and it's the first time I've seen it, I
525 * want to be able to throw it away before committing a table entry to
532 if ((r
= getreply(kx
, c
, ck
)) == 0)
537 kxc
->c
= G_CREATE(gg
);
538 G_COPY(gg
, kxc
->c
, c
);
540 /* --- Work out the cookie for this challenge --- */
543 HASH_STRING(h
, "tripe-cookie");
548 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
549 trace_block(T_CRYPTO
, "crypto: computed cookie", kxc
->hc
, algs
.hashsz
);
552 /* --- Compute the expected-reply hash --- */
555 HASH_STRING(h
, "tripe-expected-reply");
560 kxc
->ck
= mpencrypt(MP_NEW
, kx
->alpha
, mp_octets(gg
->r
), hc
);
561 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
562 trace_block(T_CRYPTO
, "crypto: expected-reply hash", hc
, algs
.hashsz
);
563 trace(T_CRYPTO
, "crypto: my reply check = %s", mpstr(kxc
->ck
));
567 /* --- Work out the shared key --- */
570 G_EXP(gg
, r
, c
, kx
->alpha
);
571 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
572 trace(T_CRYPTO
, "crypto: shared secret = %s", gestr(gg
, r
));
575 /* --- Compute the switch messages --- */
577 h
= GH_INIT(algs
.h
); HASH_STRING(h
, "tripe-switch-request");
578 hashge(h
, kx
->c
); hashge(h
, kxc
->c
);
579 GH_DONE(h
, kxc
->hswrq_out
); GH_DESTROY(h
);
580 h
= GH_INIT(algs
.h
); HASH_STRING(h
, "tripe-switch-confirm");
581 hashge(h
, kx
->c
); hashge(h
, kxc
->c
);
582 GH_DONE(h
, kxc
->hswok_out
); GH_DESTROY(h
);
584 h
= GH_INIT(algs
.h
); HASH_STRING(h
, "tripe-switch-request");
585 hashge(h
, kxc
->c
); hashge(h
, kx
->c
);
586 GH_DONE(h
, kxc
->hswrq_in
); GH_DESTROY(h
);
587 h
= GH_INIT(algs
.h
); HASH_STRING(h
, "tripe-switch-confirm");
588 hashge(h
, kxc
->c
); hashge(h
, kx
->c
);
589 GH_DONE(h
, kxc
->hswok_in
); GH_DESTROY(h
);
591 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
592 trace_block(T_CRYPTO
, "crypto: outbound switch request",
593 kxc
->hswrq_out
, algs
.hashsz
);
594 trace_block(T_CRYPTO
, "crypto: outbound switch confirm",
595 kxc
->hswok_out
, algs
.hashsz
);
596 trace_block(T_CRYPTO
, "crypto: inbound switch request",
597 kxc
->hswrq_in
, algs
.hashsz
);
598 trace_block(T_CRYPTO
, "crypto: inbound switch confirm",
599 kxc
->hswok_in
, algs
.hashsz
);
602 /* --- Create a new symmetric keyset --- */
604 buf_init(b
, buf_o
, sizeof(buf_o
));
605 G_TOBUF(gg
, b
, kx
->c
); x
= BLEN(b
);
606 G_TOBUF(gg
, b
, kxc
->c
); y
= BLEN(b
);
607 G_TOBUF(gg
, b
, r
); z
= BLEN(b
);
610 kxc
->ks
= ks_gen(BBASE(b
), x
, y
, z
, kx
->p
);
614 /* --- Answer the challenge if we need to --- */
618 if ((r
= getreply(kx
, c
, ck
)) == 0)
625 /* --- Tidy up and go home --- */
638 /* --- @resend@ --- *
640 * Arguments: @keyexch *kx@ = pointer to key exchange context
644 * Use: Sends the next message for a key exchange.
647 static void resend(keyexch
*kx
)
651 stats
*st
= p_stats(kx
->p
);
656 T( trace(T_KEYEXCH
, "keyexch: sending prechallenge to `%s'",
658 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_PRECHAL
);
659 G_TOBUF(gg
, b
, kx
->c
);
662 T( trace(T_KEYEXCH
, "keyexch: sending switch request to `%s'",
665 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_SWITCH
);
666 buf_put(b
, kx
->hc
, algs
.hashsz
);
667 buf_put(b
, kxc
->hc
, algs
.hashsz
);
668 buf_init(&bb
, buf_i
, sizeof(buf_i
));
669 G_TOBUF(gg
, &bb
, kxc
->r
);
670 buf_put(&bb
, kxc
->hswrq_out
, algs
.hashsz
);
672 ks_encrypt(kxc
->ks
, MSG_KEYEXCH
| KX_SWITCH
, &bb
, b
);
675 T( trace(T_KEYEXCH
, "keyexch: sending switch confirmation to `%s'",
678 b
= p_txstart(kx
->p
, MSG_KEYEXCH
| KX_SWITCHOK
);
679 buf_init(&bb
, buf_i
, sizeof(buf_i
));
680 buf_put(&bb
, kxc
->hswok_out
, algs
.hashsz
);
682 ks_encrypt(kxc
->ks
, MSG_KEYEXCH
| KX_SWITCHOK
, &bb
, b
);
690 st
->sz_kxout
+= BLEN(b
);
694 if (kx
->s
< KXS_SWITCH
)
695 settimer(kx
, time(0) + T_RETRY
);
698 /* --- @matchreply@ --- *
700 * Arguments: @keyexch *kx@ = pointer to key exchange context
701 * @unsigned ty@ = type of incoming message
702 * @const octet *hc_in@ = a hash of his challenge
703 * @const octet *hc_out@ = a hash of my challenge (cookie)
704 * @mp *ck@ = his expected-reply hash (optional)
705 * @buf *b@ = encrypted remainder of the packet
707 * Returns: A pointer to the challenge block if OK, or null on failure.
709 * Use: Checks a reply or switch packet, ensuring that its contents
710 * are sensible and correct. If they are, @*b@ is set to point
711 * to the remainder of the encrypted data, and the correct
712 * challenge is returned.
715 static kxchal
*matchreply(keyexch
*kx
, unsigned ty
, const octet
*hc_in
,
716 const octet
*hc_out
, mp
*ck
, buf
*b
)
722 /* --- Check the plaintext portions of the data --- */
724 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
725 trace_block(T_CRYPTO
, "crypto: challenge", hc_in
, algs
.hashsz
);
726 trace_block(T_CRYPTO
, "crypto: cookie", hc_out
, algs
.hashsz
);
727 if (ck
) trace(T_CRYPTO
, "crypto: check value = %s", mpstr(ck
));
729 if (memcmp(hc_out
, kx
->hc
, algs
.hashsz
) != 0) {
730 a_warn("KX", "?PEER", kx
->p
, "incorrect", "cookie", A_END
);
733 if ((kxc
= kxc_byhc(kx
, hc_in
)) == 0) {
734 a_warn("KX", "?PEER", kx
->p
, "unknown-challenge", A_END
);
738 /* --- Maybe compute a reply for the challenge --- */
742 a_warn("KX", "?PEER", kx
->p
, "unexpected", "switch-rq", A_END
);
745 if ((r
= getreply(kx
, kxc
->c
, ck
)) == 0)
751 /* --- Decrypt the rest of the packet --- */
753 buf_init(&bb
, buf_o
, sizeof(buf_o
));
754 if (ks_decrypt(kxc
->ks
, ty
, b
, &bb
)) {
755 a_warn("KX", "?PEER", kx
->p
, "decrypt-failed", "reply", A_END
);
758 buf_init(b
, BBASE(&bb
), BLEN(&bb
));
760 if (G_FROMBUF(gg
, b
, r
)) {
761 a_warn("KX", "?PEER", kx
->p
, "invalid", "reply", A_END
);
764 IF_TRACING(T_KEYEXCH
, IF_TRACING(T_CRYPTO
, {
765 trace(T_CRYPTO
, "crypto: reply = %s", gestr(gg
, r
));
767 if (!G_EQ(gg
, r
, kx
->rx
)) {
768 a_warn("KX", "?PEER", kx
->p
, "incorrect", "reply", A_END
);
778 if (r
) G_DESTROY(gg
, r
);
782 /* --- @commit@ --- *
784 * Arguments: @keyexch *kx@ = pointer to key exchange context
785 * @kxchal *kxc@ = pointer to challenge to commit to
789 * Use: Commits to a particular challenge as being the `right' one,
790 * since a reply has arrived for it.
793 static void commit(keyexch
*kx
, kxchal
*kxc
)
797 for (i
= 0; i
< kx
->nr
; i
++) {
799 kxc_destroy(kx
->r
[i
]);
804 ksl_link(kx
->ks
, kxc
->ks
);
807 /* --- @doreply@ --- *
809 * Arguments: @keyexch *kx@ = pointer to key exchange context
810 * @buf *b@ = buffer containing packet
812 * Returns: Zero if OK, nonzero if the packet was rejected.
814 * Use: Handles a reply packet. This doesn't handle the various
815 * switch packets: they're rather too different.
818 static int doreply(keyexch
*kx
, buf
*b
)
820 const octet
*hc_in
, *hc_out
;
824 if (kx
->s
!= KXS_CHAL
&& kx
->s
!= KXS_COMMIT
) {
825 a_warn("KX", "?PEER", kx
->p
, "unexpected", "reply", A_END
);
828 if ((hc_in
= buf_get(b
, algs
.hashsz
)) == 0 ||
829 (hc_out
= buf_get(b
, algs
.hashsz
)) == 0 ||
830 (ck
= buf_getmp(b
)) == 0) {
831 a_warn("KX", "?PEER", kx
->p
, "invalid", "reply", A_END
);
834 if ((kxc
= matchreply(kx
, MSG_KEYEXCH
| KX_REPLY
,
835 hc_in
, hc_out
, ck
, b
)) == 0)
838 a_warn("KX", "?PEER", kx
->p
, "invalid", "reply", A_END
);
841 if (kx
->s
== KXS_CHAL
) {
853 /* --- @kxfinish@ --- *
855 * Arguments: @keyexch *kx@ = pointer to key exchange block
859 * Use: Sets everything up following a successful key exchange.
862 static void kxfinish(keyexch
*kx
)
864 kxchal
*kxc
= kx
->r
[0];
865 ks_activate(kxc
->ks
);
866 settimer(kx
, ks_tregen(kxc
->ks
));
868 a_notify("KXDONE", "?PEER", kx
->p
, A_END
);
869 p_stats(kx
->p
)->t_kx
= time(0);
872 /* --- @doswitch@ --- *
874 * Arguments: @keyexch *kx@ = pointer to key exchange block
875 * @buf *b@ = pointer to buffer containing packet
877 * Returns: Zero if OK, nonzero if the packet was rejected.
879 * Use: Handles a reply with a switch request bolted onto it.
882 static int doswitch(keyexch
*kx
, buf
*b
)
884 const octet
*hc_in
, *hc_out
, *hswrq
;
887 if ((hc_in
= buf_get(b
, algs
.hashsz
)) == 0 ||
888 (hc_out
= buf_get(b
, algs
.hashsz
)) == 0) {
889 a_warn("KX", "?PEER", kx
->p
, "invalid", "switch-rq", A_END
);
892 if ((kxc
= matchreply(kx
, MSG_KEYEXCH
| KX_SWITCH
,
893 hc_in
, hc_out
, 0, b
)) == 0)
895 if ((hswrq
= buf_get(b
, algs
.hashsz
)) == 0 || BLEFT(b
)) {
896 a_warn("KX", "?PEER", "invalid", "switch-rq", A_END
);
899 IF_TRACING(T_KEYEXCH
, {
900 trace_block(T_CRYPTO
, "crypto: switch request hash", hswrq
, algs
.hashsz
);
902 if (memcmp(hswrq
, kxc
->hswrq_in
, algs
.hashsz
) != 0) {
903 a_warn("KX", "?PEER", kx
->p
, "incorrect", "switch-rq", A_END
);
920 /* --- @doswitchok@ --- *
922 * Arguments: @keyexch *kx@ = pointer to key exchange block
923 * @buf *b@ = pointer to buffer containing packet
925 * Returns: Zero if OK, nonzero if the packet was rejected.
927 * Use: Handles a reply with a switch request bolted onto it.
930 static int doswitchok(keyexch
*kx
, buf
*b
)
936 if (kx
->s
< KXS_COMMIT
) {
937 a_warn("KX", "?PEER", kx
->p
, "unexpected", "switch-ok", A_END
);
941 buf_init(&bb
, buf_o
, sizeof(buf_o
));
942 if (ks_decrypt(kxc
->ks
, MSG_KEYEXCH
| KX_SWITCHOK
, b
, &bb
)) {
943 a_warn("KX", "?PEER", kx
->p
, "decrypt-failed", "switch-ok", A_END
);
946 buf_init(b
, BBASE(&bb
), BLEN(&bb
));
947 if ((hswok
= buf_get(b
, algs
.hashsz
)) == 0 || BLEFT(b
)) {
948 a_warn("KX", "?PEER", "invalid", "switch-ok", A_END
);
951 IF_TRACING(T_KEYEXCH
, {
952 trace_block(T_CRYPTO
, "crypto: switch confirmation hash",
955 if (memcmp(hswok
, kxc
->hswok_in
, algs
.hashsz
) != 0) {
956 a_warn("KX", "?PEER", kx
->p
, "incorrect", "switch-ok", A_END
);
959 if (kx
->s
< KXS_SWITCH
)
967 /*----- Main code ---------------------------------------------------------*/
971 * Arguments: @keyexch *kx@ = pointer to key exchange context
975 * Use: Stops a key exchange dead in its tracks. Throws away all of
976 * the context information. The context is left in an
977 * inconsistent state. The only functions which understand this
978 * state are @kx_free@ and @kx_init@ (which cause it internally
979 * it), and @start@ (which expects it to be the prevailing
983 static void stop(keyexch
*kx
)
987 if (kx
->f
& KXF_DEAD
)
990 if (kx
->f
& KXF_TIMER
)
992 for (i
= 0; i
< kx
->nr
; i
++)
993 kxc_destroy(kx
->r
[i
]);
995 G_DESTROY(gg
, kx
->c
);
996 G_DESTROY(gg
, kx
->rx
);
1002 /* --- @start@ --- *
1004 * Arguments: @keyexch *kx@ = pointer to key exchange context
1005 * @time_t now@ = the current time
1009 * Use: Starts a new key exchange with the peer. The context must be
1010 * in the bizarre state left by @stop@ or @kx_init@.
1013 static void start(keyexch
*kx
, time_t now
)
1017 assert(kx
->f
& KXF_DEAD
);
1021 kx
->alpha
= mprand_range(MP_NEW
, gg
->r
, &rand_global
, 0);
1022 kx
->c
= G_CREATE(gg
); G_EXP(gg
, kx
->c
, gg
->g
, kx
->alpha
);
1023 kx
->rx
= G_CREATE(gg
); G_EXP(gg
, kx
->rx
, kx
->kpub
, kx
->alpha
);
1025 kx
->t_valid
= now
+ T_VALID
;
1027 h
= GH_INIT(algs
.h
);
1028 HASH_STRING(h
, "tripe-cookie");
1033 IF_TRACING(T_KEYEXCH
, {
1034 trace(T_KEYEXCH
, "keyexch: creating new challenge");
1035 IF_TRACING(T_CRYPTO
, {
1036 trace(T_CRYPTO
, "crypto: secret = %s", mpstr(kx
->alpha
));
1037 trace(T_CRYPTO
, "crypto: challenge = %s", gestr(gg
, kx
->c
));
1038 trace(T_CRYPTO
, "crypto: expected response = %s", gestr(gg
, kx
->rx
));
1039 trace_block(T_CRYPTO
, "crypto: challenge cookie", kx
->hc
, algs
.hashsz
);
1044 /* --- @checkpub@ --- *
1046 * Arguments: @keyexch *kx@ = pointer to key exchange context
1048 * Returns: Zero if OK, nonzero if the peer's public key has expired.
1050 * Use: Deactivates the key-exchange until the peer acquires a new
1054 static int checkpub(keyexch
*kx
)
1057 if (kx
->f
& KXF_DEAD
)
1060 if (KEY_EXPIRED(now
, kx
->texp_kpub
)) {
1062 a_warn("KX", "?PEER", kx
->p
, "public-key-expired", A_END
);
1063 G_COPY(gg
, kx
->kpub
, gg
->i
);
1064 kx
->f
&= ~KXF_PUBKEY
;
1070 /* --- @kx_start@ --- *
1072 * Arguments: @keyexch *kx@ = pointer to key exchange context
1073 * @int forcep@ = nonzero to ignore the quiet timer
1077 * Use: Stimulates a key exchange. If a key exchage is in progress,
1078 * a new challenge is sent (unless the quiet timer forbids
1079 * this); if no exchange is in progress, one is commenced.
1082 void kx_start(keyexch
*kx
, int forcep
)
1084 time_t now
= time(0);
1088 if (forcep
|| !VALIDP(kx
, now
)) {
1091 a_notify("KXSTART", "?PEER", kx
->p
, A_END
);
1096 /* --- @kx_message@ --- *
1098 * Arguments: @keyexch *kx@ = pointer to key exchange context
1099 * @unsigned msg@ = the message code
1100 * @buf *b@ = pointer to buffer containing the packet
1104 * Use: Reads a packet containing key exchange messages and handles
1108 void kx_message(keyexch
*kx
, unsigned msg
, buf
*b
)
1110 time_t now
= time(0);
1111 stats
*st
= p_stats(kx
->p
);
1118 if (!VALIDP(kx
, now
)) {
1123 T( trace(T_KEYEXCH
, "keyexch: processing %s packet from `%s'",
1124 msg
< KX_NMSG ? pkname
[msg
] : "unknown", p_name(kx
->p
)); )
1130 rc
= dochallenge(kx
, msg
, b
);
1133 rc
= doreply(kx
, b
);
1136 rc
= doswitch(kx
, b
);
1139 rc
= doswitchok(kx
, b
);
1142 a_warn("KX", "?PEER", kx
->p
, "unknown-message", "0x%02x", msg
, A_END
);
1155 /* --- @kx_free@ --- *
1157 * Arguments: @keyexch *kx@ = pointer to key exchange context
1161 * Use: Frees everything in a key exchange context.
1164 void kx_free(keyexch
*kx
)
1167 G_DESTROY(gg
, kx
->kpub
);
1170 /* --- @kx_newkeys@ --- *
1172 * Arguments: @keyexch *kx@ = pointer to key exchange context
1176 * Use: Informs the key exchange module that its keys may have
1177 * changed. If fetching the new keys fails, the peer will be
1178 * destroyed, we log messages and struggle along with the old
1182 void kx_newkeys(keyexch
*kx
)
1184 if (km_getpubkey(p_name(kx
->p
), kx
->kpub
, &kx
->texp_kpub
))
1186 kx
->f
|= KXF_PUBKEY
;
1187 if ((kx
->f
& KXF_DEAD
) || kx
->s
!= KXS_SWITCH
) {
1188 T( trace(T_KEYEXCH
, "keyexch: restarting key negotiation with `%s'",
1196 /* --- @kx_init@ --- *
1198 * Arguments: @keyexch *kx@ = pointer to key exchange context
1199 * @peer *p@ = pointer to peer context
1200 * @keyset **ks@ = pointer to keyset list
1202 * Returns: Zero if OK, nonzero if it failed.
1204 * Use: Initializes a key exchange module. The module currently
1205 * contains no keys, and will attempt to initiate a key
1209 int kx_init(keyexch
*kx
, peer
*p
, keyset
**ks
)
1213 kx
->kpub
= G_CREATE(gg
);
1214 if (km_getpubkey(p_name(p
), kx
->kpub
, &kx
->texp_kpub
)) {
1215 G_DESTROY(gg
, kx
->kpub
);
1218 kx
->f
= KXF_DEAD
| KXF_PUBKEY
;
1221 /* Don't notify here: the ADD message hasn't gone out yet. */
1225 /*----- That's all, folks -------------------------------------------------*/