*
* This file is part of Trivial IP Encryption (TrIPE).
*
- * TrIPE is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
+ * TrIPE is free software: you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 3 of the License, or (at your
+ * option) any later version.
*
- * TrIPE is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * TrIPE is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
*
* You should have received a copy of the GNU General Public License
- * along with TrIPE; if not, write to the Free Software Foundation,
- * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * along with TrIPE. If not, see <https://www.gnu.org/licenses/>.
*/
/*----- Header files ------------------------------------------------------*/
static void rs_reset(retry *rs) { rs->t = 0; }
+/* --- @notice_message@ --- *
+ *
+ * Arguments: @keyexch *kx@ = pointer to key-exchange block
+ *
+ * Returns: Zero if OK; @-1@ if the public key is in a bad state.
+ *
+ * Use: Updates the key-exchange state following a received message.
+ * Specifically, if there's no currently active key-exchange in
+ * progress, and we're not in the cooling-off period, then
+ * commence a new one; reset the retry timers; and if we're
+ * corked then pop the cork so that we can reply.
+ */
+
+static int checkpub(keyexch *kx);
+static void stop(keyexch *kx);
+static void start(keyexch *kx, time_t now);
+
+static int notice_message(keyexch *kx)
+{
+ struct timeval now, tv;
+
+ gettimeofday(&now, 0);
+ rs_reset(&kx->rs);
+ if (kx->f & KXF_CORK) {
+ start(kx, now.tv_sec);
+ rs_time(&kx->rs, &tv, &now);
+ settimer(kx, &tv);
+ a_notify("KXSTART", "?PEER", kx->p, A_END);
+ }
+ if (checkpub(kx)) return (-1);
+ if (!VALIDP(kx, now.tv_sec)) {
+ stop(kx);
+ start(kx, now.tv_sec);
+ }
+ return (0);
+}
+
+/* --- @update_stats_tx@, @update_stats_rx@ --- *
+ *
+ * Arguments: @keyexch *kx@ = pointer to key-exchange block
+ * @int ok@ = nonzero if the message was valid (for @rx@)
+ * @size_t sz@ = size of sent message
+ *
+ * Returns: ---
+ *
+ * Use: Records that a key-exchange message was sent to, or received
+ * from, the peer.
+ */
+
+static void update_stats_tx(keyexch *kx, size_t sz)
+ { stats *st = p_stats(kx->p); st->n_kxout++; st->sz_kxout += sz; }
+
+static void update_stats_rx(keyexch *kx, int ok, size_t sz)
+{
+ stats *st = p_stats(kx->p);
+
+ if (!ok) st->n_reject++;
+ else { st->n_kxin++; st->sz_kxin += sz; }
+}
+
/*----- Challenge management ----------------------------------------------*/
/* --- Notes on challenge management --- *
static void kxc_answer(keyexch *kx, kxchal *kxc)
{
- stats *st = p_stats(kx->p);
buf *b = p_txstart(kx->p, MSG_KEYEXCH | KX_REPLY);
const dhgrp *g = kx->kpriv->grp;
struct timeval tv;
/* --- Update the statistics --- */
if (BOK(b)) {
- st->n_kxout++;
- st->sz_kxout += BLEN(b);
+ update_stats_tx(kx, BLEN(b));
p_txend(kx->p);
}
static int doprechallenge(keyexch *kx, buf *b)
{
- stats *st = p_stats(kx->p);
const dhgrp *g = kx->kpriv->grp;
dhge *C = 0;
ghash *h;
hashge(h, g, C);
sendchallenge(kx, b, C, GH_DONE(h, 0));
GH_DESTROY(h);
- st->n_kxout++;
- st->sz_kxout += BLEN(b);
+ update_stats_tx(kx, BLEN(b));
p_txend(kx->p);
/* --- Done --- */
dhge *C = 0;
dhge *R = 0;
dhge *CC = 0;
+ deriveargs a;
const octet *hc, *ck;
- size_t x, y, z;
dhsc *c = 0;
kxchal *kxc;
ghash *h = 0;
/* --- Create a new symmetric keyset --- */
- buf_init(&bb, buf_o, sizeof(buf_o));
- g->ops->stge(g, &bb, kx->C, DHFMT_HASH); x = BLEN(&bb);
- g->ops->stge(g, &bb, kxc->C, DHFMT_HASH); y = BLEN(&bb);
- g->ops->stge(g, &bb, R, DHFMT_HASH); z = BLEN(&bb);
+ buf_init(&bb, buf_o, sizeof(buf_o)); a.k = BBASE(&bb);
+ g->ops->stge(g, &bb, kx->C, DHFMT_HASH); a.x = BLEN(&bb);
+ g->ops->stge(g, &bb, kxc->C, DHFMT_HASH); a.y = BLEN(&bb);
+ g->ops->stge(g, &bb, R, DHFMT_HASH); a.z = BLEN(&bb);
assert(BOK(&bb));
- kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p);
+ kxc->ks = ks_gen(&a, kx->p);
}
if (C) g->ops->freege(g, C);
{
kxchal *kxc;
buf bb;
- stats *st = p_stats(kx->p);
struct timeval tv;
const dhgrp *g = kx->kpriv->grp;
buf *b;
}
if (BOK(b)) {
- st->n_kxout++;
- st->sz_kxout += BLEN(b);
+ update_stats_tx(kx, BLEN(b));
p_txend(kx->p);
}
/* --- @kx_message@ --- *
*
* Arguments: @keyexch *kx@ = pointer to key exchange context
+ * @const addr *a@ = sender's IP address and port
* @unsigned msg@ = the message code
* @buf *b@ = pointer to buffer containing the packet
*
- * Returns: ---
+ * Returns: Nonzero if the sender's address was unknown.
*
* Use: Reads a packet containing key exchange messages and handles
* it.
*/
-void kx_message(keyexch *kx, unsigned msg, buf *b)
+int kx_message(keyexch *kx, const addr *a, unsigned msg, buf *b)
{
- struct timeval now, tv;
- stats *st = p_stats(kx->p);
size_t sz = BSZ(b);
int rc;
- gettimeofday(&now, 0);
- rs_reset(&kx->rs);
- if (kx->f & KXF_CORK) {
- start(kx, now.tv_sec);
- rs_time(&kx->rs, &tv, &now);
- settimer(kx, &tv);
- a_notify("KXSTART", "?PEER", kx->p, A_END);
- }
-
- if (checkpub(kx))
- return;
+ T( trace(T_KEYEXCH, "keyexch: processing %s packet from %c%s%c",
+ msg < KX_NMSG ? pkname[msg] : "unknown",
+ kx ? '`' : '<', kx ? p_name(kx->p) : "nil", kx ? '\'' : '>'); )
- if (!VALIDP(kx, now.tv_sec)) {
- stop(kx);
- start(kx, now.tv_sec);
- }
- T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'",
- msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); )
+ if (!kx) return (-1);
+ if (notice_message(kx)) return (0);
switch (msg) {
- case KX_PRECHAL:
- rc = doprechallenge(kx, b);
- break;
- case KX_CHAL:
- rc = dochallenge(kx, b);
- break;
- case KX_REPLY:
- rc = doreply(kx, b);
- break;
- case KX_SWITCH:
- rc = doswitch(kx, b);
- break;
- case KX_SWITCHOK:
- rc = doswitchok(kx, b);
- break;
+ case KX_PRECHAL: rc = doprechallenge(kx, b); break;
+ case KX_CHAL: rc = dochallenge(kx, b); break;
+ case KX_REPLY: rc = doreply(kx, b); break;
+ case KX_SWITCH: rc = doswitch(kx, b); break;
+ case KX_SWITCHOK: rc = doswitchok(kx, b); break;
default:
a_warn("KX", "?PEER", kx->p, "unknown-message", "0x%02x", msg, A_END);
rc = -1;
break;
}
- if (rc)
- st->n_reject++;
- else {
- st->n_kxin++;
- st->sz_kxin += sz;
- }
+ update_stats_rx(kx, !rc, sz);
+ return (0);
}
/* --- @kx_free@ --- *
}
}
-/* --- @kx_init@ --- *
+/* --- @kx_setup@ --- *
*
* Arguments: @keyexch *kx@ = pointer to key exchange context
* @peer *p@ = pointer to peer context
* exchange.
*/
-int kx_init(keyexch *kx, peer *p, keyset **ks, unsigned f)
+int kx_setup(keyexch *kx, peer *p, keyset **ks, unsigned f)
{
if ((kx->kpriv = km_findpriv(p_privtag(p))) == 0) goto fail_0;
if ((kx->kpub = km_findpub(p_tag(p))) == 0) goto fail_1;
~mdw / tripe / blobdiff