~mdw / tripe / blame
| Commit | Line | Data |
|---|---|---|
| 165db1a8 | 1 | /* -*-c-*- |
| 2 | * | |
| 0ba8de86 | 3 | * $Id$ |
| 165db1a8 | 4 | * |
| 5 | * Protocol definition for TrIPE | |
| 6 | * | |
| 7 | * (c) 2003 Straylight/Edgeware | |
| 8 | */ | |
| 9 | ||
| e04c2d50 | 10 | /*----- Licensing notice --------------------------------------------------* |
| 165db1a8 | 11 | * |
| 12 | * This file is part of Trivial IP Encryption (TrIPE). | |
| 13 | * | |
| 14 | * TrIPE is free software; you can redistribute it and/or modify | |
| 15 | * it under the terms of the GNU General Public License as published by | |
| 16 | * the Free Software Foundation; either version 2 of the License, or | |
| 17 | * (at your option) any later version. | |
| e04c2d50 | 18 | * |
| 165db1a8 | 19 | * TrIPE is distributed in the hope that it will be useful, |
| 20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 22 | * GNU General Public License for more details. | |
| e04c2d50 | 23 | * |
| 165db1a8 | 24 | * You should have received a copy of the GNU General Public License |
| 25 | * along with TrIPE; if not, write to the Free Software Foundation, | |
| 26 | * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
| 27 | */ | |
| 28 | ||
| 165db1a8 | 29 | #ifndef TRIPE_PROTOCOL_H |
| 30 | #define TRIPE_PROTOCOL_H | |
| 31 | ||
| 32 | /*----- TrIPE protocol ----------------------------------------------------*/ | |
| 33 | ||
| 165efde7 MW |
34 | #define TRIPE_PORT 4070 /* Assigned by IANA */ |
| 35 | ||
| 165db1a8 | 36 | /* --- TrIPE message format --- * |
| 37 | * | |
| 38 | * A packet begins with a single-byte message type. The top four bits are a | |
| 39 | * category code used to send the message to the right general place in the | |
| 40 | * code; the bottom bits identify the actual message type. | |
| 41 | */ | |
| 42 | ||
| 43 | #define MSG_CATMASK 0xf0 | |
| 44 | #define MSG_TYPEMASK 0x0f | |
| 45 | ||
| 46 | /* --- Encrypted message packets --- * | |
| 47 | * | |
| 48 | * Messages of category @MSG_PACKET@ contain encrypted network packets. The | |
| 49 | * message content is a symmetric-encrypted block (see below). Reception of | |
| 50 | * a packet encrypted under a new key implicitly permits that key to be used | |
| 51 | * to send further packets. | |
| 52 | * | |
| 53 | * The only packet type accepted is zero. | |
| 54 | * | |
| 55 | * Packets may be encrypted under any live keyset, but should use the most | |
| 56 | * recent one. | |
| 57 | */ | |
| 58 | ||
| 59 | #define MSG_PACKET 0x00 | |
| 60 | ||
| 61 | /* --- Key exchange packets --- */ | |
| 62 | ||
| 63 | #define MSG_KEYEXCH 0x10 | |
| 64 | ||
| 65 | #define KX_PRECHAL 0u | |
| de7bd20b MW |
66 | #define KX_CHAL 1u |
| 67 | #define KX_REPLY 2u | |
| 68 | #define KX_SWITCH 3u | |
| 69 | #define KX_SWITCHOK 4u | |
| 70 | #define KX_NMSG 5u | |
| 165db1a8 | 71 | |
| 0ba8de86 | 72 | /* --- Miscellaneous packets --- */ |
| 73 | ||
| 74 | #define MSG_MISC 0x20 | |
| 75 | ||
| 76 | #define MISC_NOP 0u /* Do nothing; ignore me */ | |
| 77 | #define MISC_PING 1u /* Transport-level ping */ | |
| 78 | #define MISC_PONG 2u /* Transport-level ping response */ | |
| 79 | #define MISC_EPING 3u /* Encrypted ping */ | |
| 80 | #define MISC_EPONG 4u /* Encrypted ping response */ | |
| 37941236 | 81 | #define MISC_GREET 5u /* A greeting from a NATed peer */ |
| 0ba8de86 | 82 | |
| 165db1a8 | 83 | /* --- Symmetric encryption and keysets --- * |
| 84 | * | |
| 85 | * Packets consist of an 80-bit MAC, a 32-bit sequence number, and the | |
| 86 | * encrypted payload. | |
| 87 | * | |
| 88 | * The plaintext is encrypted using Blowfish in CBC mode with ciphertext | |
| 0ba8de86 | 89 | * stealing (as described in [Schneier]). The initialization vector is |
| 165db1a8 | 90 | * selected randomly, and prepended to the actual ciphertext. |
| 91 | * | |
| 92 | * The MAC is computed using the HMAC construction with RIPEMD160 over the | |
| 93 | * sequence number and the ciphertext (with IV); the first 80 bits of the | |
| 94 | * output are used. (This is the minimum allowed by the draft FIPS for HMAC, | |
| 95 | * and the recommended truncation.) | |
| 96 | * | |
| 97 | * A keyset consists of | |
| 98 | * | |
| 99 | * * an integrity (MAC) key; | |
| 100 | * * a confidentiality (encryption) key; and | |
| 101 | * * a sequence numbering space | |
| 102 | * | |
| 103 | * in each direction. The packets sent by a host encrypted under a | |
| 104 | * particular keyset are assigned consecutive sequence numbers starting from | |
| 105 | * zero. The receiving host must ensure that it only accepts each packet at | |
| 106 | * most once. It should maintain a window of sequence numbers: packets with | |
| 107 | * numbers beyond the end of the window are accepted and cause the window to | |
| 108 | * be advanced; packets with numbers before the start of the window are | |
| 109 | * rejected; packets with numbers which appear within the window are accepted | |
| 110 | * only if the number has not been seen before. | |
| 111 | * | |
| 112 | * When a host sends a @KX_SWITCH@ or @KX_SWITCHOK@ message, it installs the | |
| 113 | * newly-negotiated keyset in a `listen-only' state: it may not send a packet | |
| 114 | * encrypted under the keyset until either it has received a @KX_SWITCH@ or | |
| 115 | * @KX_SWITCHOK@ message, or a @MSG_PACKET@ encrypted under the keyset, from | |
| 116 | * its peer. | |
| 117 | */ | |
| 118 | ||
| 119 | /*----- That's all, folks -------------------------------------------------*/ | |
| 120 | ||
| 121 | #endif |