chiark / gitweb /
server/tun-slip.c: Fix signed/unsigned char mismatch.
[tripe] / server / keyexch.c
CommitLineData
410c8acf 1/* -*-c-*-
2 *
410c8acf 3 * Key exchange protocol
4 *
5 * (c) 2001 Straylight/Edgeware
6 */
7
e04c2d50 8/*----- Licensing notice --------------------------------------------------*
410c8acf 9 *
10 * This file is part of Trivial IP Encryption (TrIPE).
11 *
12 * TrIPE is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
e04c2d50 16 *
410c8acf 17 * TrIPE is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
e04c2d50 21 *
410c8acf 22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 */
26
410c8acf 27/*----- Header files ------------------------------------------------------*/
28
29#include "tripe.h"
30
737cc271 31/*----- Brief protocol overview -------------------------------------------*
32 *
33 * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
34 * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
35 * application of the symmetric packet protocol to a message; let
36 * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
37 * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
38 * be Bob's public key.
39 *
40 * At the beginning of the session, Alice chooses
41 *
42 * %$\rho_A \inr \{0, \ldots q - 1\}$%
43 *
44 * We also have:
45 *
46 * %$r_A = g^{\rho_A}$% Alice's challenge
47 * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
9317aa92 48 * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
e04c2d50 49 * Alice's challenge check value
737cc271 50 * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
51 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
e04c2d50 52 * Alice and Bob's shared secret key
737cc271 53 * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
e04c2d50 54 * Alice's switch request value
737cc271 55 * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
e04c2d50 56 * Alice's switch confirm value
737cc271 57 *
58 * The messages are then:
59 *
60 * %$\cookie{kx-pre-challenge}, r_A$%
61 * Initial greeting. In state @KXS_CHAL@.
62 *
737cc271 63 * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
64 * Here's a full challenge for you to answer.
65 *
28461f0e 66 * %$\cookie{kx-reply}, r_A, c_B, v_A, E_K(r_B^\alpha))$%
737cc271 67 * Challenge accpeted: here's the answer. Commit to my challenge. Move
68 * to @KXS_COMMIT@.
69 *
3cdc3f3a 70 * %$\cookie{kx-switch-rq}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
737cc271 71 * Reply received: here's my reply. Committed; send data; move to
72 * @KXS_SWITCH@.
73 *
74 * %$\cookie{kx-switch-ok}, E_K(u_A))$%
75 * Switch received. Committed; send data; move to @KXS_SWITCH@.
e04c2d50 76 */
737cc271 77
3cdc3f3a 78/*----- Static tables -----------------------------------------------------*/
79
80static const char *const pkname[] = {
c3c51798 81 "pre-challenge", "challenge", "reply", "switch-rq", "switch-ok"
3cdc3f3a 82};
0617b6e7 83
84/*----- Various utilities -------------------------------------------------*/
410c8acf 85
e9fac70c
MW
86/* --- @VALIDP@ --- *
87 *
88 * Arguments: @const keyexch *kx@ = key exchange state
89 * @time_t now@ = current time in seconds
90 *
91 * Returns: Whether the challenge in the key-exchange state is still
92 * valid or should be regenerated.
93 */
94
95#define VALIDP(kx, now) ((now) < (kx)->t_valid)
96
52c03a2a 97/* --- @hashge@ --- *
410c8acf 98 *
b5c45da1 99 * Arguments: @ghash *h@ = pointer to hash context
35c8b547 100 * @group *g@ = pointer to group
52c03a2a 101 * @ge *x@ = pointer to group element
410c8acf 102 *
103 * Returns: ---
104 *
52c03a2a 105 * Use: Adds the hash of a group element to the context. Corrupts
106 * @buf_t@.
410c8acf 107 */
108
35c8b547 109static void hashge(ghash *h, group *g, ge *x)
410c8acf 110{
111 buf b;
35c8b547 112
0617b6e7 113 buf_init(&b, buf_t, sizeof(buf_t));
35c8b547 114 G_TOBUF(g, &b, x);
410c8acf 115 assert(BOK(&b));
b5c45da1 116 GH_HASH(h, BBASE(&b), BLEN(&b));
410c8acf 117}
118
de7bd20b 119/* --- @mpmask@ --- *
5d418e24 120 *
de7bd20b
MW
121 * Arguments: @buf *b@ = output buffer
122 * @mp *x@ = the plaintext integer
123 * @size_t n@ = the expected size of the plaintext
35c8b547 124 * @gcipher *mgfc@ = mask-generating function to use
5d418e24 125 * @const octet *k@ = pointer to key material
de7bd20b 126 * @size_t ksz@ = size of the key
5d418e24 127 *
de7bd20b 128 * Returns: Pointer to the output.
5d418e24 129 *
de7bd20b
MW
130 * Use: Masks a multiprecision integer: returns %$x \xor H(k)$%, so
131 * it's a random oracle thing rather than an encryption thing.
5d418e24 132 */
133
35c8b547
MW
134static octet *mpmask(buf *b, mp *x, size_t n,
135 const gccipher *mgfc, const octet *k, size_t ksz)
5d418e24 136{
b5c45da1 137 gcipher *mgf;
de7bd20b 138 octet *p;
5d418e24 139
de7bd20b
MW
140 if ((p = buf_get(b, n)) == 0)
141 return (0);
35c8b547 142 mgf = GC_INIT(mgfc, k, ksz);
de7bd20b 143 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
61682d34
MW
144 trace(T_CRYPTO, "crypto: masking index = %s", mpstr(x));
145 trace_block(T_CRYPTO, "crypto: masking key", k, ksz);
de7bd20b
MW
146 }))
147 mp_storeb(x, buf_t, n);
148 GC_ENCRYPT(mgf, buf_t, p, n);
149 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
61682d34
MW
150 trace_block(T_CRYPTO, "crypto: index plaintext", buf_t, n);
151 trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n);
de7bd20b 152 }))
b5c45da1 153 GC_DESTROY(mgf);
de7bd20b 154 return (p);
b5c45da1 155}
156
de7bd20b
MW
157/* --- @mpunmask@ --- *
158 *
159 * Arguments: @mp *d@ = the output integer
160 * @const octet *p@ = pointer to the ciphertext
161 * @size_t n@ = the size of the ciphertext
35c8b547 162 * @gcipher *mgfc@ = mask-generating function to use
de7bd20b
MW
163 * @const octet *k@ = pointer to key material
164 * @size_t ksz@ = size of the key
165 *
166 * Returns: The decrypted integer, or null.
167 *
168 * Use: Unmasks a multiprecision integer.
169 */
170
171static mp *mpunmask(mp *d, const octet *p, size_t n,
35c8b547 172 const gccipher *mgfc, const octet *k, size_t ksz)
b5c45da1 173{
174 gcipher *mgf;
175
35c8b547 176 mgf = GC_INIT(mgfc, k, ksz);
de7bd20b 177 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
61682d34
MW
178 trace_block(T_CRYPTO, "crypto: unmasking key", k, ksz);
179 trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n);
de7bd20b
MW
180 }))
181 GC_DECRYPT(mgf, p, buf_t, n);
182 d = mp_loadb(d, buf_t, n);
183 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
61682d34
MW
184 trace_block(T_CRYPTO, "crypto: index plaintext", buf_t, n);
185 trace(T_CRYPTO, "crypto: unmasked index = %s", mpstr(d));
de7bd20b 186 }))
b5c45da1 187 GC_DESTROY(mgf);
de7bd20b
MW
188 return (d);
189}
190
191/* --- @hashcheck@ --- *
192 *
35c8b547
MW
193 * Arguments: @keyexch *kx@ = pointer to key-exchange block
194 * @ge *kpub@ = sender's public key
de7bd20b
MW
195 * @ge *cc@ = receiver's challenge
196 * @ge *c@ = sender's challenge
197 * @ge *y@ = reply to sender's challenge
198 *
199 * Returns: Pointer to the hash value (in @buf_t@)
200 *
201 * Use: Computes the check-value hash, used to mask or unmask
202 * indices to prove the validity of challenges. This computes
203 * the masking key used in challenge check values. This is
204 * really the heart of the whole thing, since it ensures that
205 * the index can be recovered from the history of hashing
206 * queries, which gives us (a) a proof that the authentication
207 * process is zero-knowledge, and (b) a proof that the whole
208 * key-exchange is deniable.
209 */
210
35c8b547 211static const octet *hashcheck(keyexch *kx, ge *kpub, ge *cc, ge *c, ge *y)
de7bd20b 212{
35c8b547
MW
213 ghash *h = GH_INIT(kx->kpriv->algs.h);
214 group *g = kx->kpriv->g;
de7bd20b
MW
215
216 HASH_STRING(h, "tripe-expected-reply");
35c8b547
MW
217 hashge(h, g, kpub);
218 hashge(h, g, cc);
219 hashge(h, g, c);
220 hashge(h, g, y);
de7bd20b
MW
221 GH_DONE(h, buf_t);
222 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
61682d34 223 trace(T_CRYPTO, "crypto: computing challenge check hash");
35c8b547
MW
224 trace(T_CRYPTO, "crypto: public key = %s", gestr(g, kpub));
225 trace(T_CRYPTO, "crypto: receiver challenge = %s", gestr(g, cc));
226 trace(T_CRYPTO, "crypto: sender challenge = %s", gestr(g, c));
227 trace(T_CRYPTO, "crypto: sender reply = %s", gestr(g, y));
228 trace_block(T_CRYPTO, "crypto: hash output", buf_t, kx->kpriv->algs.hashsz);
de7bd20b
MW
229 }))
230 GH_DESTROY(h);
231 return (buf_t);
232}
233
234/* --- @sendchallenge@ --- *
235 *
236 * Arguments: @keyexch *kx@ = pointer to key exchange block
237 * @buf *b@ = output buffer for challenge
238 * @ge *c@ = peer's actual challenge
239 * @const octet *hc@ = peer's challenge cookie
240 *
241 * Returns: ---
242 *
243 * Use: Writes a full challenge to the message buffer.
244 */
245
246static void sendchallenge(keyexch *kx, buf *b, ge *c, const octet *hc)
247{
35c8b547
MW
248 G_TOBUF(kx->kpriv->g, b, kx->c);
249 buf_put(b, hc, kx->kpriv->algs.hashsz);
250 mpmask(b, kx->alpha, kx->kpriv->indexsz, kx->kpriv->algs.mgf,
251 hashcheck(kx, kx->kpriv->kpub, c, kx->c, kx->rx),
252 kx->kpriv->algs.hashsz);
5d418e24 253}
254
410c8acf 255/* --- @timer@ --- *
256 *
257 * Arguments: @struct timeval *tv@ = the current time
258 * @void *v@ = pointer to key exchange context
259 *
260 * Returns: ---
261 *
262 * Use: Acts when the key exchange timer goes off.
263 */
264
265static void timer(struct timeval *tv, void *v)
266{
267 keyexch *kx = v;
268 kx->f &= ~KXF_TIMER;
269 T( trace(T_KEYEXCH, "keyexch: timer has popped"); )
de014da6 270 kx_start(kx, 0);
410c8acf 271}
272
273/* --- @settimer@ --- *
274 *
275 * Arguments: @keyexch *kx@ = pointer to key exchange context
ff143952 276 * @struct timeval *tv@ = when to set the timer for
410c8acf 277 *
278 * Returns: ---
279 *
280 * Use: Sets the timer for the next key exchange attempt.
281 */
282
ff143952 283static void settimer(keyexch *kx, struct timeval *tv)
410c8acf 284{
ff143952
MW
285 if (kx->f & KXF_TIMER) sel_rmtimer(&kx->t);
286 sel_addtimer(&sel, &kx->t, tv, timer, kx);
410c8acf 287 kx->f |= KXF_TIMER;
288}
289
a06d57a3
MW
290/* --- @f2tv@ --- *
291 *
292 * Arguments: @struct timeval *tv@ = where to write the timeval
293 * @double t@ = a time as a floating point number
294 *
295 * Returns: ---
296 *
297 * Use: Converts a floating-point time into a timeval.
298 */
299
300static void f2tv(struct timeval *tv, double t)
301{
302 tv->tv_sec = t;
303 tv->tv_usec = (t - tv->tv_sec)*MILLION;
304}
305
306/* --- @wobble@ --- *
307 *
308 * Arguments: @double t@ = a time interval
309 *
310 * Returns: The same time interval, with a random error applied.
311 */
312
313static double wobble(double t)
314{
315 uint32 r = rand_global.ops->word(&rand_global);
316 double w = (r/F_2P32) - 0.5;
317 return (t + t*w*T_WOBBLE);
318}
319
320/* --- @rs_time@ --- *
321 *
322 * Arguments: @retry *rs@ = current retry state
323 * @struct timeval *tv@ = where to write the result
324 * @const struct timeval *now@ = current time, or null
325 *
326 * Returns: ---
327 *
328 * Use: Computes a time at which to retry sending a key-exchange
329 * packet. This algorithm is subject to change, but it's
330 * currently a capped exponential backoff, slightly randomized
331 * to try to keep clients from hammering a server that's only
332 * just woken up.
333 *
334 * If @now@ is null then the function works out the time for
335 * itself.
336 */
337
338static void rs_time(retry *rs, struct timeval *tv, const struct timeval *now)
339{
340 double t;
341 struct timeval rtv;
342
343 if (!rs->t)
344 t = SEC(2);
345 else {
346 t = (rs->t * 5)/4;
347 if (t > MIN(5)) t = MIN(5);
348 }
349 rs->t = t;
350
351 if (!now) {
352 now = tv;
353 gettimeofday(tv, 0);
354 }
355 f2tv(&rtv, wobble(t));
356 TV_ADD(tv, now, &rtv);
357}
358
359/* --- @retry_reset@ --- *
360 *
361 * Arguments: @retry *rs@ = retry state
362 *
363 * Returns: --
364 *
365 * Use: Resets a retry state to indicate that progress has been
366 * made. Also useful for initializing the state in the first
367 * place.
368 */
369
370static void rs_reset(retry *rs) { rs->t = 0; }
371
0617b6e7 372/*----- Challenge management ----------------------------------------------*/
373
374/* --- Notes on challenge management --- *
410c8acf 375 *
0617b6e7 376 * We may get multiple different replies to our key exchange; some will be
377 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
378 * received will be added to the table and given a full response. After
379 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
380 * our existing challenge, followed by a hash of the sender's challenge. We
381 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
382 * properly-formed cookies are assigned a table slot: if none is spare, a
383 * used slot is randomly selected and destroyed. A cookie always receives a
384 * full reply.
385 */
386
387/* --- @kxc_destroy@ --- *
388 *
389 * Arguments: @kxchal *kxc@ = pointer to the challenge block
410c8acf 390 *
391 * Returns: ---
392 *
0617b6e7 393 * Use: Disposes of a challenge block.
410c8acf 394 */
395
0617b6e7 396static void kxc_destroy(kxchal *kxc)
410c8acf 397{
0617b6e7 398 if (kxc->f & KXF_TIMER)
399 sel_rmtimer(&kxc->t);
35c8b547
MW
400 G_DESTROY(kxc->kx->kpriv->g, kxc->c);
401 G_DESTROY(kxc->kx->kpriv->g, kxc->r);
0617b6e7 402 ks_drop(kxc->ks);
403 DESTROY(kxc);
404}
410c8acf 405
0617b6e7 406/* --- @kxc_stoptimer@ --- *
407 *
408 * Arguments: @kxchal *kxc@ = pointer to the challenge block
409 *
410 * Returns: ---
411 *
412 * Use: Stops the challenge's retry timer from sending messages.
413 * Useful when the state machine is in the endgame of the
414 * exchange.
415 */
410c8acf 416
0617b6e7 417static void kxc_stoptimer(kxchal *kxc)
418{
419 if (kxc->f & KXF_TIMER)
420 sel_rmtimer(&kxc->t);
2de0ad0f 421 kxc->f &= ~KXF_TIMER;
0617b6e7 422}
410c8acf 423
0617b6e7 424/* --- @kxc_new@ --- *
425 *
426 * Arguments: @keyexch *kx@ = pointer to key exchange block
0617b6e7 427 *
428 * Returns: A pointer to the challenge block.
429 *
430 * Use: Returns a pointer to a new challenge block to fill in.
431 */
410c8acf 432
0617b6e7 433static kxchal *kxc_new(keyexch *kx)
434{
435 kxchal *kxc;
436 unsigned i;
437
438 /* --- If we're over reply threshold, discard one at random --- */
439
440 if (kx->nr < KX_NCHAL)
441 i = kx->nr++;
442 else {
443 i = rand_global.ops->range(&rand_global, KX_NCHAL);
444 kxc_destroy(kx->r[i]);
410c8acf 445 }
446
0617b6e7 447 /* --- Fill in the new structure --- */
410c8acf 448
0617b6e7 449 kxc = CREATE(kxchal);
35c8b547
MW
450 kxc->c = G_CREATE(kx->kpriv->g);
451 kxc->r = G_CREATE(kx->kpriv->g);
0617b6e7 452 kxc->ks = 0;
453 kxc->kx = kx;
454 kxc->f = 0;
455 kx->r[i] = kxc;
a06d57a3 456 rs_reset(&kxc->rs);
0617b6e7 457 return (kxc);
458}
410c8acf 459
0617b6e7 460/* --- @kxc_bychal@ --- *
461 *
462 * Arguments: @keyexch *kx@ = pointer to key exchange block
52c03a2a 463 * @ge *c@ = challenge from remote host
0617b6e7 464 *
465 * Returns: Pointer to the challenge block, or null.
466 *
467 * Use: Finds a challenge block, given its challenge.
468 */
469
52c03a2a 470static kxchal *kxc_bychal(keyexch *kx, ge *c)
0617b6e7 471{
472 unsigned i;
473
474 for (i = 0; i < kx->nr; i++) {
35c8b547 475 if (G_EQ(kx->kpriv->g, c, kx->r[i]->c))
0617b6e7 476 return (kx->r[i]);
477 }
478 return (0);
479}
480
481/* --- @kxc_byhc@ --- *
482 *
483 * Arguments: @keyexch *kx@ = pointer to key exchange block
484 * @const octet *hc@ = challenge hash from remote host
485 *
486 * Returns: Pointer to the challenge block, or null.
487 *
488 * Use: Finds a challenge block, given a hash of its challenge.
489 */
410c8acf 490
0617b6e7 491static kxchal *kxc_byhc(keyexch *kx, const octet *hc)
492{
493 unsigned i;
494
495 for (i = 0; i < kx->nr; i++) {
35c8b547 496 if (memcmp(hc, kx->r[i]->hc, kx->kpriv->algs.hashsz) == 0)
0617b6e7 497 return (kx->r[i]);
410c8acf 498 }
0617b6e7 499 return (0);
500}
501
502/* --- @kxc_answer@ --- *
503 *
504 * Arguments: @keyexch *kx@ = pointer to key exchange block
505 * @kxchal *kxc@ = pointer to challenge block
506 *
507 * Returns: ---
508 *
509 * Use: Sends a reply to the remote host, according to the data in
510 * this challenge block.
511 */
512
513static void kxc_answer(keyexch *kx, kxchal *kxc);
514
515static void kxc_timer(struct timeval *tv, void *v)
516{
517 kxchal *kxc = v;
518 kxc->f &= ~KXF_TIMER;
519 kxc_answer(kxc->kx, kxc);
520}
521
522static void kxc_answer(keyexch *kx, kxchal *kxc)
523{
524 stats *st = p_stats(kx->p);
de7bd20b 525 buf *b = p_txstart(kx->p, MSG_KEYEXCH | KX_REPLY);
0617b6e7 526 struct timeval tv;
527 buf bb;
528
529 /* --- Build the reply packet --- */
530
de7bd20b
MW
531 T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
532 sendchallenge(kx, b, kxc->c, kxc->hc);
533 buf_init(&bb, buf_i, sizeof(buf_i));
35c8b547 534 G_TORAW(kx->kpriv->g, &bb, kxc->r);
de7bd20b
MW
535 buf_flip(&bb);
536 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
0617b6e7 537
538 /* --- Update the statistics --- */
539
540 if (BOK(b)) {
541 st->n_kxout++;
542 st->sz_kxout += BLEN(b);
543 p_txend(kx->p);
544 }
545
546 /* --- Schedule another resend --- */
547
548 if (kxc->f & KXF_TIMER)
549 sel_rmtimer(&kxc->t);
550 gettimeofday(&tv, 0);
a06d57a3 551 rs_time(&kxc->rs, &tv, &tv);
0617b6e7 552 sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc);
553 kxc->f |= KXF_TIMER;
554}
555
556/*----- Individual message handlers ---------------------------------------*/
557
de7bd20b 558/* --- @doprechallenge@ --- *
0617b6e7 559 *
de7bd20b
MW
560 * Arguments: @keyexch *kx@ = pointer to key exchange block
561 * @buf *b@ = buffer containing the packet
0617b6e7 562 *
de7bd20b 563 * Returns: Zero if OK, nonzero of the packet was rejected.
0617b6e7 564 *
de7bd20b 565 * Use: Processes a pre-challenge message.
0617b6e7 566 */
567
de7bd20b 568static int doprechallenge(keyexch *kx, buf *b)
0617b6e7 569{
de7bd20b 570 stats *st = p_stats(kx->p);
35c8b547 571 ge *c = G_CREATE(kx->kpriv->g);
b5c45da1 572 ghash *h;
0617b6e7 573
de7bd20b
MW
574 /* --- Ensure that we're in a sensible state --- */
575
576 if (kx->s != KXS_CHAL) {
577 a_warn("KX", "?PEER", kx->p, "unexpected", "pre-challenge", A_END);
578 goto bad;
579 }
580
581 /* --- Unpack the packet --- */
582
35c8b547 583 if (G_FROMBUF(kx->kpriv->g, b, c) || BLEFT(b))
de7bd20b 584 goto bad;
b5c45da1 585
0617b6e7 586 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
35c8b547 587 trace(T_CRYPTO, "crypto: challenge = %s", gestr(kx->kpriv->g, c));
0617b6e7 588 }))
de7bd20b
MW
589
590 /* --- Send out a full challenge by return --- */
591
592 b = p_txstart(kx->p, MSG_KEYEXCH | KX_CHAL);
35c8b547 593 h = GH_INIT(kx->kpriv->algs.h);
de7bd20b 594 HASH_STRING(h, "tripe-cookie");
35c8b547 595 hashge(h, kx->kpriv->g, c);
de7bd20b 596 sendchallenge(kx, b, c, GH_DONE(h, 0));
b5c45da1 597 GH_DESTROY(h);
de7bd20b
MW
598 st->n_kxout++;
599 st->sz_kxout += BLEN(b);
600 p_txend(kx->p);
601
602 /* --- Done --- */
603
35c8b547 604 G_DESTROY(kx->kpriv->g, c);
de7bd20b
MW
605 return (0);
606
607bad:
35c8b547 608 if (c) G_DESTROY(kx->kpriv->g, c);
de7bd20b 609 return (-1);
0617b6e7 610}
611
de7bd20b 612/* --- @respond@ --- *
0617b6e7 613 *
614 * Arguments: @keyexch *kx@ = pointer to key exchange block
de7bd20b 615 * @unsigned msg@ = message code for this packet
0617b6e7 616 * @buf *b@ = buffer containing the packet
617 *
de7bd20b 618 * Returns: Key-exchange challenge block, or null.
0617b6e7 619 *
de7bd20b
MW
620 * Use: Computes a response for the given challenge, entering it into
621 * a challenge block and so on.
0617b6e7 622 */
623
de7bd20b 624static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
0617b6e7 625{
35c8b547
MW
626 group *g = kx->kpriv->g;
627 const algswitch *algs = &kx->kpriv->algs;
628 size_t ixsz = kx->kpriv->indexsz;
629 ge *c = G_CREATE(g);
630 ge *r = G_CREATE(g);
631 ge *cc = G_CREATE(g);
de7bd20b
MW
632 const octet *hc, *ck;
633 size_t x, y, z;
634 mp *cv = 0;
0617b6e7 635 kxchal *kxc;
de7bd20b
MW
636 ghash *h = 0;
637 buf bb;
638 int ok;
0617b6e7 639
640 /* --- Unpack the packet --- */
641
35c8b547
MW
642 if (G_FROMBUF(g, b, c) ||
643 (hc = buf_get(b, algs->hashsz)) == 0 ||
644 (ck = buf_get(b, ixsz)) == 0) {
f43df819 645 a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
0617b6e7 646 goto bad;
647 }
0617b6e7 648 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
35c8b547
MW
649 trace(T_CRYPTO, "crypto: challenge = %s", gestr(g, c));
650 trace_block(T_CRYPTO, "crypto: cookie", hc, algs->hashsz);
651 trace_block(T_CRYPTO, "crypto: check-value", ck, ixsz);
0617b6e7 652 }))
653
0617b6e7 654 /* --- Discard a packet with an invalid cookie --- */
655
35c8b547 656 if (hc && memcmp(hc, kx->hc, algs->hashsz) != 0) {
5ac9463b 657 a_warn("KX", "?PEER", kx->p, "incorrect", "cookie", A_END);
0617b6e7 658 goto bad;
659 }
660
de7bd20b
MW
661 /* --- Recover the check value and verify it --- *
662 *
663 * To avoid recomputation on replays, we store a hash of the `right'
664 * value. The `correct' value is unique, so this is right.
410c8acf 665 *
de7bd20b 666 * This will also find a challenge block and, if necessary, populate it.
410c8acf 667 */
668
de7bd20b 669 if ((kxc = kxc_bychal(kx, c)) != 0) {
35c8b547 670 h = GH_INIT(algs->h);
de7bd20b 671 HASH_STRING(h, "tripe-check-hash");
35c8b547
MW
672 GH_HASH(h, ck, ixsz);
673 ok = !memcmp(kxc->ck, GH_DONE(h, 0), algs->hashsz);
de7bd20b
MW
674 GH_DESTROY(h);
675 if (!ok) goto badcheck;
676 } else {
677
678 /* --- Compute the reply, and check the magic --- */
679
35c8b547
MW
680 G_EXP(g, r, c, kx->kpriv->kpriv);
681 cv = mpunmask(MP_NEW, ck, ixsz, algs->mgf,
682 hashcheck(kx, kx->kpub->kpub, kx->c, c, r),
683 algs->hashsz);
de7bd20b 684 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
35c8b547 685 trace(T_CRYPTO, "crypto: computed reply = %s", gestr(g, r));
de7bd20b
MW
686 trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv));
687 }))
35c8b547
MW
688 if (MP_CMP(cv, >, g->r) ||
689 (G_EXP(g, cc, g->g, cv),
690 !G_EQ(g, c, cc)))
de7bd20b
MW
691 goto badcheck;
692
693 /* --- Fill in a new challenge block --- */
e04c2d50 694
de7bd20b 695 kxc = kxc_new(kx);
35c8b547
MW
696 G_COPY(g, kxc->c, c);
697 G_COPY(g, kxc->r, r);
0617b6e7 698
35c8b547
MW
699 h = GH_INIT(algs->h); HASH_STRING(h, "tripe-check-hash");
700 GH_HASH(h, ck, ixsz);
701 GH_DONE(h, kxc->ck); GH_DESTROY(h);
0617b6e7 702
35c8b547
MW
703 h = GH_INIT(algs->h); HASH_STRING(h, "tripe-cookie");
704 hashge(h, g, kxc->c);
705 GH_DONE(h, kxc->hc); GH_DESTROY(h);
b5c45da1 706
707 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
35c8b547
MW
708 trace_block(T_CRYPTO, "crypto: computed cookie",
709 kxc->hc, algs->hashsz);
b5c45da1 710 }))
0617b6e7 711
0617b6e7 712 /* --- Work out the shared key --- */
713
35c8b547 714 G_EXP(g, r, c, kx->alpha);
b5c45da1 715 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
35c8b547 716 trace(T_CRYPTO, "crypto: shared secret = %s", gestr(g, r));
b5c45da1 717 }))
0617b6e7 718
719 /* --- Compute the switch messages --- */
720
35c8b547
MW
721 h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-request");
722 hashge(h, g, kx->c); hashge(h, g, kxc->c);
b5c45da1 723 GH_DONE(h, kxc->hswrq_out); GH_DESTROY(h);
35c8b547
MW
724 h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-confirm");
725 hashge(h, g, kx->c); hashge(h, g, kxc->c);
b5c45da1 726 GH_DONE(h, kxc->hswok_out); GH_DESTROY(h);
0617b6e7 727
35c8b547
MW
728 h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-request");
729 hashge(h, g, kxc->c); hashge(h, g, kx->c);
b5c45da1 730 GH_DONE(h, kxc->hswrq_in); GH_DESTROY(h);
35c8b547
MW
731 h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-confirm");
732 hashge(h, g, kxc->c); hashge(h, g, kx->c);
b5c45da1 733 GH_DONE(h, kxc->hswok_in); GH_DESTROY(h);
0617b6e7 734
735 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
0617b6e7 736 trace_block(T_CRYPTO, "crypto: outbound switch request",
35c8b547 737 kxc->hswrq_out, algs->hashsz);
0617b6e7 738 trace_block(T_CRYPTO, "crypto: outbound switch confirm",
35c8b547 739 kxc->hswok_out, algs->hashsz);
0617b6e7 740 trace_block(T_CRYPTO, "crypto: inbound switch request",
35c8b547 741 kxc->hswrq_in, algs->hashsz);
0617b6e7 742 trace_block(T_CRYPTO, "crypto: inbound switch confirm",
35c8b547 743 kxc->hswok_in, algs->hashsz);
0617b6e7 744 }))
745
746 /* --- Create a new symmetric keyset --- */
747
de7bd20b 748 buf_init(&bb, buf_o, sizeof(buf_o));
35c8b547
MW
749 G_TOBUF(g, &bb, kx->c); x = BLEN(&bb);
750 G_TOBUF(g, &bb, kxc->c); y = BLEN(&bb);
751 G_TOBUF(g, &bb, r); z = BLEN(&bb);
de7bd20b 752 assert(BOK(&bb));
0617b6e7 753
de7bd20b 754 kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p);
410c8acf 755 }
756
35c8b547
MW
757 G_DESTROY(g, c);
758 G_DESTROY(g, cc);
759 G_DESTROY(g, r);
de7bd20b
MW
760 mp_drop(cv);
761 return (kxc);
410c8acf 762
de7bd20b
MW
763badcheck:
764 a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
765 goto bad;
766bad:
35c8b547
MW
767 G_DESTROY(g, c);
768 G_DESTROY(g, cc);
769 G_DESTROY(g, r);
de7bd20b 770 mp_drop(cv);
e04c2d50 771 return (0);
de7bd20b 772}
0617b6e7 773
de7bd20b
MW
774/* --- @dochallenge@ --- *
775 *
776 * Arguments: @keyexch *kx@ = pointer to key exchange block
777 * @unsigned msg@ = message code for the packet
778 * @buf *b@ = buffer containing the packet
779 *
780 * Returns: Zero if OK, nonzero if the packet was rejected.
781 *
782 * Use: Processes a packet containing a challenge.
783 */
0617b6e7 784
de7bd20b
MW
785static int dochallenge(keyexch *kx, buf *b)
786{
787 kxchal *kxc;
0617b6e7 788
de7bd20b
MW
789 if (kx->s != KXS_CHAL) {
790 a_warn("KX", "?PEER", kx->p, "unexpected", "challenge", A_END);
791 goto bad;
792 }
793 if ((kxc = respond(kx, KX_CHAL, b)) == 0)
794 goto bad;
795 if (BLEFT(b)) {
796 a_warn("KX", "?PEER", kx->p, "invalid", "challenge", A_END);
797 goto bad;
798 }
799 kxc_answer(kx, kxc);
0617b6e7 800 return (0);
801
802bad:
0617b6e7 803 return (-1);
410c8acf 804}
805
0617b6e7 806/* --- @resend@ --- *
410c8acf 807 *
808 * Arguments: @keyexch *kx@ = pointer to key exchange context
410c8acf 809 *
810 * Returns: ---
811 *
0617b6e7 812 * Use: Sends the next message for a key exchange.
410c8acf 813 */
814
0617b6e7 815static void resend(keyexch *kx)
410c8acf 816{
0617b6e7 817 kxchal *kxc;
818 buf bb;
819 stats *st = p_stats(kx->p);
ff143952 820 struct timeval tv;
410c8acf 821 buf *b;
822
0617b6e7 823 switch (kx->s) {
824 case KXS_CHAL:
00e64b67 825 T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'",
826 p_name(kx->p)); )
0617b6e7 827 b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL);
35c8b547 828 G_TOBUF(kx->kpriv->g, b, kx->c);
0617b6e7 829 break;
830 case KXS_COMMIT:
00e64b67 831 T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'",
832 p_name(kx->p)); )
0617b6e7 833 kxc = kx->r[0];
834 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH);
35c8b547
MW
835 buf_put(b, kx->hc, kx->kpriv->algs.hashsz);
836 buf_put(b, kxc->hc, kx->kpriv->algs.hashsz);
0617b6e7 837 buf_init(&bb, buf_i, sizeof(buf_i));
35c8b547
MW
838 G_TORAW(kx->kpriv->g, &bb, kxc->r);
839 buf_put(&bb, kxc->hswrq_out, kx->kpriv->algs.hashsz);
0617b6e7 840 buf_flip(&bb);
7ed14135 841 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCH, &bb, b);
0617b6e7 842 break;
843 case KXS_SWITCH:
00e64b67 844 T( trace(T_KEYEXCH, "keyexch: sending switch confirmation to `%s'",
0617b6e7 845 p_name(kx->p)); )
846 kxc = kx->r[0];
847 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK);
848 buf_init(&bb, buf_i, sizeof(buf_i));
35c8b547 849 buf_put(&bb, kxc->hswok_out, kx->kpriv->algs.hashsz);
0617b6e7 850 buf_flip(&bb);
7ed14135 851 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, &bb, b);
0617b6e7 852 break;
853 default:
854 abort();
410c8acf 855 }
0617b6e7 856
857 if (BOK(b)) {
858 st->n_kxout++;
859 st->sz_kxout += BLEN(b);
860 p_txend(kx->p);
861 }
862
ff143952 863 if (kx->s < KXS_SWITCH) {
a06d57a3 864 rs_time(&kx->rs, &tv, 0);
ff143952
MW
865 settimer(kx, &tv);
866 }
410c8acf 867}
868
de7bd20b 869/* --- @decryptrest@ --- *
0617b6e7 870 *
871 * Arguments: @keyexch *kx@ = pointer to key exchange context
de7bd20b
MW
872 * @kxchal *kxc@ = pointer to challenge block
873 * @unsigned msg@ = type of incoming message
0617b6e7 874 * @buf *b@ = encrypted remainder of the packet
875 *
de7bd20b 876 * Returns: Zero if OK, nonzero on some kind of error.
0617b6e7 877 *
de7bd20b
MW
878 * Use: Decrypts the remainder of the packet, and points @b@ at the
879 * recovered plaintext.
0617b6e7 880 */
881
de7bd20b 882static int decryptrest(keyexch *kx, kxchal *kxc, unsigned msg, buf *b)
410c8acf 883{
0617b6e7 884 buf bb;
0617b6e7 885
de7bd20b
MW
886 buf_init(&bb, buf_o, sizeof(buf_o));
887 if (ks_decrypt(kxc->ks, MSG_KEYEXCH | msg, b, &bb)) {
888 a_warn("KX", "?PEER", kx->p, "decrypt-failed", "%s", pkname[msg], A_END);
889 return (-1);
0617b6e7 890 }
12a26b8b 891 if (!BOK(&bb)) return (-1);
de7bd20b
MW
892 buf_init(b, BBASE(&bb), BLEN(&bb));
893 return (0);
894}
410c8acf 895
de7bd20b
MW
896/* --- @checkresponse@ --- *
897 *
898 * Arguments: @keyexch *kx@ = pointer to key exchange context
899 * @unsigned msg@ = type of incoming message
900 * @buf *b@ = decrypted remainder of the packet
901 *
902 * Returns: Zero if OK, nonzero on some kind of error.
903 *
904 * Use: Checks a reply or switch packet, ensuring that its response
905 * is correct.
906 */
0617b6e7 907
de7bd20b
MW
908static int checkresponse(keyexch *kx, unsigned msg, buf *b)
909{
35c8b547
MW
910 group *g = kx->kpriv->g;
911 ge *r = G_CREATE(g);
0617b6e7 912
35c8b547 913 if (G_FROMRAW(g, b, r)) {
de7bd20b 914 a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
0617b6e7 915 goto bad;
916 }
917 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
35c8b547 918 trace(T_CRYPTO, "crypto: reply = %s", gestr(g, r));
0617b6e7 919 }))
35c8b547 920 if (!G_EQ(g, r, kx->rx)) {
de7bd20b 921 a_warn("KX", "?PEER", kx->p, "incorrect", "response", A_END);
0617b6e7 922 goto bad;
923 }
924
35c8b547 925 G_DESTROY(g, r);
de7bd20b 926 return (0);
0617b6e7 927
928bad:
35c8b547 929 G_DESTROY(g, r);
de7bd20b 930 return (-1);
410c8acf 931}
932
0617b6e7 933/* --- @commit@ --- *
410c8acf 934 *
935 * Arguments: @keyexch *kx@ = pointer to key exchange context
0617b6e7 936 * @kxchal *kxc@ = pointer to challenge to commit to
410c8acf 937 *
938 * Returns: ---
939 *
0617b6e7 940 * Use: Commits to a particular challenge as being the `right' one,
941 * since a reply has arrived for it.
410c8acf 942 */
943
0617b6e7 944static void commit(keyexch *kx, kxchal *kxc)
410c8acf 945{
0617b6e7 946 unsigned i;
410c8acf 947
0617b6e7 948 for (i = 0; i < kx->nr; i++) {
949 if (kx->r[i] != kxc)
950 kxc_destroy(kx->r[i]);
951 }
952 kx->r[0] = kxc;
953 kx->nr = 1;
954 kxc_stoptimer(kxc);
e04c2d50 955 ksl_link(kx->ks, kxc->ks);
410c8acf 956}
957
0617b6e7 958/* --- @doreply@ --- *
410c8acf 959 *
960 * Arguments: @keyexch *kx@ = pointer to key exchange context
0617b6e7 961 * @buf *b@ = buffer containing packet
410c8acf 962 *
0617b6e7 963 * Returns: Zero if OK, nonzero if the packet was rejected.
410c8acf 964 *
0617b6e7 965 * Use: Handles a reply packet. This doesn't handle the various
966 * switch packets: they're rather too different.
410c8acf 967 */
968
0617b6e7 969static int doreply(keyexch *kx, buf *b)
410c8acf 970{
0617b6e7 971 kxchal *kxc;
972
973 if (kx->s != KXS_CHAL && kx->s != KXS_COMMIT) {
f43df819 974 a_warn("KX", "?PEER", kx->p, "unexpected", "reply", A_END);
0617b6e7 975 goto bad;
976 }
de7bd20b
MW
977 if ((kxc = respond(kx, KX_REPLY, b)) == 0 ||
978 decryptrest(kx, kxc, KX_REPLY, b) ||
979 checkresponse(kx, KX_REPLY, b))
0617b6e7 980 goto bad;
981 if (BLEFT(b)) {
f43df819 982 a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
0617b6e7 983 goto bad;
e04c2d50 984 }
0617b6e7 985 if (kx->s == KXS_CHAL) {
986 commit(kx, kxc);
987 kx->s = KXS_COMMIT;
988 }
989 resend(kx);
990 return (0);
991
992bad:
993 return (-1);
410c8acf 994}
995
3cdc3f3a 996/* --- @kxfinish@ --- *
997 *
998 * Arguments: @keyexch *kx@ = pointer to key exchange block
999 *
1000 * Returns: ---
1001 *
1002 * Use: Sets everything up following a successful key exchange.
1003 */
1004
1005static void kxfinish(keyexch *kx)
1006{
1007 kxchal *kxc = kx->r[0];
a06d57a3 1008 struct timeval now, tv;
ff143952 1009
3cdc3f3a 1010 ks_activate(kxc->ks);
a06d57a3
MW
1011 gettimeofday(&now, 0);
1012 f2tv(&tv, wobble(T_REGEN));
1013 TV_ADD(&tv, &now, &tv);
ff143952 1014 settimer(kx, &tv);
3cdc3f3a 1015 kx->s = KXS_SWITCH;
f43df819 1016 a_notify("KXDONE", "?PEER", kx->p, A_END);
3cdc3f3a 1017 p_stats(kx->p)->t_kx = time(0);
1018}
1019
0617b6e7 1020/* --- @doswitch@ --- *
410c8acf 1021 *
0617b6e7 1022 * Arguments: @keyexch *kx@ = pointer to key exchange block
1023 * @buf *b@ = pointer to buffer containing packet
410c8acf 1024 *
0617b6e7 1025 * Returns: Zero if OK, nonzero if the packet was rejected.
410c8acf 1026 *
0617b6e7 1027 * Use: Handles a reply with a switch request bolted onto it.
410c8acf 1028 */
1029
0617b6e7 1030static int doswitch(keyexch *kx, buf *b)
410c8acf 1031{
35c8b547 1032 size_t hsz = kx->kpriv->algs.hashsz;
0617b6e7 1033 const octet *hc_in, *hc_out, *hswrq;
1034 kxchal *kxc;
410c8acf 1035
35c8b547
MW
1036 if ((hc_in = buf_get(b, hsz)) == 0 ||
1037 (hc_out = buf_get(b, hsz)) == 0) {
f43df819 1038 a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
0617b6e7 1039 goto bad;
410c8acf 1040 }
de7bd20b 1041 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
35c8b547
MW
1042 trace_block(T_CRYPTO, "crypto: challenge", hc_in, hsz);
1043 trace_block(T_CRYPTO, "crypto: cookie", hc_out, hsz);
de7bd20b
MW
1044 }))
1045 if ((kxc = kxc_byhc(kx, hc_in)) == 0 ||
35c8b547 1046 memcmp(hc_out, kx->hc, hsz) != 0) {
de7bd20b
MW
1047 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
1048 goto bad;
1049 }
1050 if (decryptrest(kx, kxc, KX_SWITCH, b) ||
1051 checkresponse(kx, KX_SWITCH, b))
0617b6e7 1052 goto bad;
35c8b547 1053 if ((hswrq = buf_get(b, hsz)) == 0 || BLEFT(b)) {
5ac9463b 1054 a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
0617b6e7 1055 goto bad;
1056 }
1057 IF_TRACING(T_KEYEXCH, {
35c8b547 1058 trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, hsz);
0617b6e7 1059 })
35c8b547 1060 if (memcmp(hswrq, kxc->hswrq_in, hsz) != 0) {
f43df819 1061 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
0617b6e7 1062 goto bad;
1063 }
de7bd20b
MW
1064 if (kx->s == KXS_CHAL)
1065 commit(kx, kxc);
1066 if (kx->s < KXS_SWITCH)
1067 kxfinish(kx);
0617b6e7 1068 resend(kx);
1069 return (0);
1070
1071bad:
1072 return (-1);
410c8acf 1073}
1074
0617b6e7 1075/* --- @doswitchok@ --- *
1076 *
1077 * Arguments: @keyexch *kx@ = pointer to key exchange block
1078 * @buf *b@ = pointer to buffer containing packet
1079 *
1080 * Returns: Zero if OK, nonzero if the packet was rejected.
1081 *
1082 * Use: Handles a reply with a switch request bolted onto it.
1083 */
1084
1085static int doswitchok(keyexch *kx, buf *b)
410c8acf 1086{
35c8b547 1087 size_t hsz = kx->kpriv->algs.hashsz;
0617b6e7 1088 const octet *hswok;
1089 kxchal *kxc;
1090 buf bb;
410c8acf 1091
0617b6e7 1092 if (kx->s < KXS_COMMIT) {
f43df819 1093 a_warn("KX", "?PEER", kx->p, "unexpected", "switch-ok", A_END);
0617b6e7 1094 goto bad;
410c8acf 1095 }
0617b6e7 1096 kxc = kx->r[0];
1097 buf_init(&bb, buf_o, sizeof(buf_o));
de7bd20b 1098 if (decryptrest(kx, kxc, KX_SWITCHOK, b))
0617b6e7 1099 goto bad;
35c8b547 1100 if ((hswok = buf_get(b, hsz)) == 0 || BLEFT(b)) {
5ac9463b 1101 a_warn("KX", "?PEER", kx->p, "invalid", "switch-ok", A_END);
0617b6e7 1102 goto bad;
1103 }
1104 IF_TRACING(T_KEYEXCH, {
b5c45da1 1105 trace_block(T_CRYPTO, "crypto: switch confirmation hash",
35c8b547 1106 hswok, hsz);
0617b6e7 1107 })
35c8b547 1108 if (memcmp(hswok, kxc->hswok_in, hsz) != 0) {
f43df819 1109 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-ok", A_END);
0617b6e7 1110 goto bad;
1111 }
3cdc3f3a 1112 if (kx->s < KXS_SWITCH)
1113 kxfinish(kx);
0617b6e7 1114 return (0);
1115
1116bad:
e04c2d50 1117 return (-1);
0617b6e7 1118}
1119
1120/*----- Main code ---------------------------------------------------------*/
1121
1122/* --- @stop@ --- *
1123 *
1124 * Arguments: @keyexch *kx@ = pointer to key exchange context
1125 *
1126 * Returns: ---
1127 *
1128 * Use: Stops a key exchange dead in its tracks. Throws away all of
1129 * the context information. The context is left in an
1130 * inconsistent state. The only functions which understand this
1131 * state are @kx_free@ and @kx_init@ (which cause it internally
1132 * it), and @start@ (which expects it to be the prevailing
1133 * state).
1134 */
1135
1136static void stop(keyexch *kx)
1137{
1138 unsigned i;
1139
00e64b67 1140 if (kx->f & KXF_DEAD)
1141 return;
1142
0617b6e7 1143 if (kx->f & KXF_TIMER)
1144 sel_rmtimer(&kx->t);
1145 for (i = 0; i < kx->nr; i++)
1146 kxc_destroy(kx->r[i]);
1147 mp_drop(kx->alpha);
35c8b547
MW
1148 G_DESTROY(kx->kpriv->g, kx->c);
1149 G_DESTROY(kx->kpriv->g, kx->rx);
00e64b67 1150 kx->t_valid = 0;
1151 kx->f |= KXF_DEAD;
1152 kx->f &= ~KXF_TIMER;
0617b6e7 1153}
1154
1155/* --- @start@ --- *
1156 *
1157 * Arguments: @keyexch *kx@ = pointer to key exchange context
1158 * @time_t now@ = the current time
1159 *
1160 * Returns: ---
1161 *
1162 * Use: Starts a new key exchange with the peer. The context must be
1163 * in the bizarre state left by @stop@ or @kx_init@.
1164 */
1165
1166static void start(keyexch *kx, time_t now)
1167{
35c8b547
MW
1168 algswitch *algs = &kx->kpriv->algs;
1169 group *g = kx->kpriv->g;
b5c45da1 1170 ghash *h;
0617b6e7 1171
00e64b67 1172 assert(kx->f & KXF_DEAD);
1173
010e6f63 1174 kx->f &= ~(KXF_DEAD | KXF_CORK);
0617b6e7 1175 kx->nr = 0;
35c8b547
MW
1176 kx->alpha = mprand_range(MP_NEW, g->r, &rand_global, 0);
1177 kx->c = G_CREATE(g); G_EXP(g, kx->c, g->g, kx->alpha);
1178 kx->rx = G_CREATE(g); G_EXP(g, kx->rx, kx->kpub->kpub, kx->alpha);
0617b6e7 1179 kx->s = KXS_CHAL;
1180 kx->t_valid = now + T_VALID;
1181
35c8b547 1182 h = GH_INIT(algs->h);
b5c45da1 1183 HASH_STRING(h, "tripe-cookie");
35c8b547 1184 hashge(h, g, kx->c);
b5c45da1 1185 GH_DONE(h, kx->hc);
1186 GH_DESTROY(h);
0617b6e7 1187
1188 IF_TRACING(T_KEYEXCH, {
1189 trace(T_KEYEXCH, "keyexch: creating new challenge");
1190 IF_TRACING(T_CRYPTO, {
1191 trace(T_CRYPTO, "crypto: secret = %s", mpstr(kx->alpha));
35c8b547
MW
1192 trace(T_CRYPTO, "crypto: challenge = %s", gestr(g, kx->c));
1193 trace(T_CRYPTO, "crypto: expected response = %s", gestr(g, kx->rx));
1194 trace_block(T_CRYPTO, "crypto: challenge cookie",
1195 kx->hc, algs->hashsz);
0617b6e7 1196 })
1197 })
410c8acf 1198}
1199
00e64b67 1200/* --- @checkpub@ --- *
1201 *
1202 * Arguments: @keyexch *kx@ = pointer to key exchange context
1203 *
1204 * Returns: Zero if OK, nonzero if the peer's public key has expired.
1205 *
1206 * Use: Deactivates the key-exchange until the peer acquires a new
1207 * public key.
1208 */
1209
1210static int checkpub(keyexch *kx)
1211{
1212 time_t now;
35c8b547
MW
1213 unsigned f = 0;
1214
00e64b67 1215 if (kx->f & KXF_DEAD)
1216 return (-1);
1217 now = time(0);
35c8b547
MW
1218 if (KEY_EXPIRED(now, kx->kpriv->t_exp)) f |= 1;
1219 if (KEY_EXPIRED(now, kx->kpub->t_exp)) f |= 2;
1220 if (f) {
00e64b67 1221 stop(kx);
35c8b547
MW
1222 if (f & 1) a_warn("KX", "?PEER", kx->p, "private-key-expired", A_END);
1223 if (f & 2) a_warn("KX", "?PEER", kx->p, "public-key-expired", A_END);
00e64b67 1224 kx->f &= ~KXF_PUBKEY;
1225 return (-1);
1226 }
1227 return (0);
1228}
1229
0617b6e7 1230/* --- @kx_start@ --- *
410c8acf 1231 *
1232 * Arguments: @keyexch *kx@ = pointer to key exchange context
de014da6 1233 * @int forcep@ = nonzero to ignore the quiet timer
410c8acf 1234 *
1235 * Returns: ---
1236 *
0617b6e7 1237 * Use: Stimulates a key exchange. If a key exchage is in progress,
1238 * a new challenge is sent (unless the quiet timer forbids
1239 * this); if no exchange is in progress, one is commenced.
410c8acf 1240 */
1241
de014da6 1242void kx_start(keyexch *kx, int forcep)
410c8acf 1243{
1244 time_t now = time(0);
410c8acf 1245
00e64b67 1246 if (checkpub(kx))
1247 return;
de014da6 1248 if (forcep || !VALIDP(kx, now)) {
0617b6e7 1249 stop(kx);
1250 start(kx, now);
f43df819 1251 a_notify("KXSTART", "?PEER", kx->p, A_END);
410c8acf 1252 }
0617b6e7 1253 resend(kx);
1254}
1255
1256/* --- @kx_message@ --- *
1257 *
1258 * Arguments: @keyexch *kx@ = pointer to key exchange context
1259 * @unsigned msg@ = the message code
1260 * @buf *b@ = pointer to buffer containing the packet
1261 *
1262 * Returns: ---
1263 *
1264 * Use: Reads a packet containing key exchange messages and handles
1265 * it.
1266 */
1267
1268void kx_message(keyexch *kx, unsigned msg, buf *b)
1269{
ff143952 1270 struct timeval now, tv;
0617b6e7 1271 stats *st = p_stats(kx->p);
1272 size_t sz = BSZ(b);
1273 int rc;
1274
ff143952 1275 gettimeofday(&now, 0);
a06d57a3 1276 rs_reset(&kx->rs);
010e6f63 1277 if (kx->f & KXF_CORK) {
ff143952 1278 start(kx, now.tv_sec);
a06d57a3 1279 rs_time(&kx->rs, &tv, &now);
ff143952 1280 settimer(kx, &tv);
010e6f63
MW
1281 a_notify("KXSTART", A_END);
1282 }
1283
00e64b67 1284 if (checkpub(kx))
1285 return;
1286
ff143952 1287 if (!VALIDP(kx, now.tv_sec)) {
0617b6e7 1288 stop(kx);
ff143952 1289 start(kx, now.tv_sec);
410c8acf 1290 }
0617b6e7 1291 T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'",
1292 msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); )
1293
1294 switch (msg) {
1295 case KX_PRECHAL:
de7bd20b
MW
1296 rc = doprechallenge(kx, b);
1297 break;
0617b6e7 1298 case KX_CHAL:
de7bd20b 1299 rc = dochallenge(kx, b);
0617b6e7 1300 break;
1301 case KX_REPLY:
1302 rc = doreply(kx, b);
1303 break;
1304 case KX_SWITCH:
1305 rc = doswitch(kx, b);
1306 break;
1307 case KX_SWITCHOK:
1308 rc = doswitchok(kx, b);
1309 break;
1310 default:
f43df819 1311 a_warn("KX", "?PEER", kx->p, "unknown-message", "0x%02x", msg, A_END);
0617b6e7 1312 rc = -1;
1313 break;
410c8acf 1314 }
410c8acf 1315
0617b6e7 1316 if (rc)
1317 st->n_reject++;
1318 else {
1319 st->n_kxin++;
1320 st->sz_kxin += sz;
1321 }
410c8acf 1322}
1323
1324/* --- @kx_free@ --- *
1325 *
1326 * Arguments: @keyexch *kx@ = pointer to key exchange context
1327 *
1328 * Returns: ---
1329 *
1330 * Use: Frees everything in a key exchange context.
1331 */
1332
1333void kx_free(keyexch *kx)
1334{
0617b6e7 1335 stop(kx);
35c8b547
MW
1336 km_unref(kx->kpub);
1337 km_unref(kx->kpriv);
410c8acf 1338}
1339
1340/* --- @kx_newkeys@ --- *
1341 *
1342 * Arguments: @keyexch *kx@ = pointer to key exchange context
1343 *
1344 * Returns: ---
1345 *
1346 * Use: Informs the key exchange module that its keys may have
1347 * changed. If fetching the new keys fails, the peer will be
1348 * destroyed, we log messages and struggle along with the old
1349 * keys.
1350 */
1351
1352void kx_newkeys(keyexch *kx)
1353{
35c8b547
MW
1354 kdata *kpriv, *kpub;
1355 unsigned i;
1356 int switchp;
1357 time_t now = time(0);
1358
1359 T( trace(T_KEYEXCH, "keyexch: checking new keys for `%s'",
1360 p_name(kx->p)); )
1361
1362 /* --- Find out whether we can use new keys --- *
1363 *
1364 * Try each available combination of new and old, public and private,
1365 * except both old (which is status quo anyway). The selection is encoded
1366 * in @i@, with bit 0 for the private key and bit 1 for public key; a set
1367 * bit means to use the old value, and a clear bit means to use the new
1368 * one.
1369 *
1370 * This means that we currently prefer `old private and new public' over
1371 * `new private and old public'. I'm not sure which way round this should
1372 * actually be.
1373 */
1374
1375 for (i = 0; i < 3; i++) {
1376
1377 /* --- Select the keys we're going to examine --- *
1378 *
1379 * If we're meant to have a new key and don't, then skip this
1380 * combination.
1381 */
1382
1383 T( trace(T_KEYEXCH, "keyexch: checking %s private, %s public",
1384 i & 1 ? "old" : "new", i & 2 ? "old" : "new"); )
1385
1386 if (i & 1) kpriv = kx->kpriv;
1387 else if (kx->kpriv->kn->kd != kx->kpriv) kpriv = kx->kpriv->kn->kd;
1388 else {
1389 T( trace(T_KEYEXCH, "keyexch: private key unchanged, skipping"); )
1390 continue;
1391 }
1392
1393 if (i & 2) kpub = kx->kpub;
1394 else if (kx->kpub->kn->kd != kx->kpub) kpub = kx->kpub->kn->kd;
1395 else {
1396 T( trace(T_KEYEXCH, "keyexch: public key unchanged, skipping"); )
1397 continue;
1398 }
1399
1400 /* --- Skip if either key is expired --- *
1401 *
1402 * We're not going to get far with expired keys, and this simplifies the
1403 * logic below.
1404 */
1405
1406 if (KEY_EXPIRED(now, kx->kpriv->t_exp) ||
1407 KEY_EXPIRED(now, kx->kpub->t_exp)) {
1408 T( trace(T_KEYEXCH, "keyexch: %s expired, skipping",
1409 !KEY_EXPIRED(now, kx->kpriv->t_exp) ? "public key" :
1410 !KEY_EXPIRED(now, kx->kpub->t_exp) ? "private key" :
1411 "both keys"); )
1412 continue;
1413 }
1414
1415 /* --- If the groups don't match then we can't use this pair --- */
1416
1417 if (!km_samealgsp(kpriv, kpub)) {
1418 T( trace(T_KEYEXCH, "keyexch: peer `%s' group mismatch; "
1419 "%s priv `%s' and %s pub `%s'", p_name(kx->p),
1420 i & 1 ? "old" : "new", km_tag(kx->kpriv),
1421 i & 2 ? "old" : "new", km_tag(kx->kpub)); )
1422 continue;
1423 }
1424 goto newkeys;
1425 }
1426 T( trace(T_KEYEXCH, "keyexch: peer `%s' continuing with old keys",
1427 p_name(kx->p)); )
1428 return;
1429
1430 /* --- We've chosen new keys --- *
1431 *
1432 * Switch the new ones into place. Neither of the keys we're switching to
1433 * is expired (we checked that above), so we should just crank everything
1434 * up.
1435 *
1436 * A complication arises: we don't really want to force a new key exchange
1437 * unless we have to. If the group is unchanged, and we're currently
1438 * running OK, then we should just let things lie.
1439 */
1440
1441newkeys:
1442 switchp = ((kx->f & KXF_DEAD) ||
1443 kx->s != KXS_SWITCH ||
1444 !group_samep(kx->kpriv->g, kpriv->g));
1445
1446 T( trace(T_KEYEXCH, "keyexch: peer `%s' adopting "
1447 "%s priv `%s' and %s pub `%s'; %sforcing exchange", p_name(kx->p),
1448 i & 1 ? "old" : "new", km_tag(kx->kpriv),
1449 i & 2 ? "old" : "new", km_tag(kx->kpub),
1450 switchp ? "" : "not "); )
1451
1452 if (switchp) stop(kx);
1453 km_ref(kpriv); km_unref(kx->kpriv); kx->kpriv = kpriv;
1454 km_ref(kpub); km_unref(kx->kpub); kx->kpub = kpub;
00e64b67 1455 kx->f |= KXF_PUBKEY;
35c8b547 1456 if (switchp) {
410c8acf 1457 T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'",
1458 p_name(kx->p)); )
00e64b67 1459 start(kx, time(0));
1460 resend(kx);
410c8acf 1461 }
1462}
1463
1464/* --- @kx_init@ --- *
1465 *
1466 * Arguments: @keyexch *kx@ = pointer to key exchange context
1467 * @peer *p@ = pointer to peer context
1468 * @keyset **ks@ = pointer to keyset list
010e6f63 1469 * @unsigned f@ = various useful flags
410c8acf 1470 *
1471 * Returns: Zero if OK, nonzero if it failed.
1472 *
1473 * Use: Initializes a key exchange module. The module currently
1474 * contains no keys, and will attempt to initiate a key
1475 * exchange.
1476 */
1477
010e6f63 1478int kx_init(keyexch *kx, peer *p, keyset **ks, unsigned f)
410c8acf 1479{
fe2a5dcf 1480 if ((kx->kpriv = km_findpriv(p_privtag(p))) == 0) goto fail_0;
35c8b547 1481 if ((kx->kpub = km_findpub(p_tag(p))) == 0) goto fail_1;
fe2a5dcf
MW
1482 if (!group_samep(kx->kpriv->g, kx->kpub->g)) {
1483 a_warn("KX", "?PEER", kx->p, "group-mismatch",
1484 "local-private-key", "%s", p_privtag(p),
35c8b547
MW
1485 "peer-public-key", "%s", p_tag(p),
1486 A_END);
1487 goto fail_2;
1488 }
1489
410c8acf 1490 kx->ks = ks;
1491 kx->p = p;
010e6f63 1492 kx->f = KXF_DEAD | KXF_PUBKEY | f;
a06d57a3 1493 rs_reset(&kx->rs);
010e6f63
MW
1494 if (!(kx->f & KXF_CORK)) {
1495 start(kx, time(0));
1496 resend(kx);
1497 /* Don't notify here: the ADD message hasn't gone out yet. */
1498 }
410c8acf 1499 return (0);
35c8b547
MW
1500
1501fail_2:
1502 km_unref(kx->kpub);
1503fail_1:
1504 km_unref(kx->kpriv);
1505fail_0:
1506 return (-1);
410c8acf 1507}
1508
1509/*----- That's all, folks -------------------------------------------------*/