[tripe] / server / keyexch.c

/* -*-c-*-
 *
 * Key exchange protocol
 *
 * (c) 2001 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Trivial IP Encryption (TrIPE).
 *
 * TrIPE is free software: you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 3 of the License, or (at your
 * option) any later version.
 *
 * TrIPE is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with TrIPE.  If not, see <https://www.gnu.org/licenses/>.
 */

/*----- Header files ------------------------------------------------------*/

#include "tripe.h"

/*----- Brief protocol overview -------------------------------------------*
 *
 * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
 * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
 * application of the symmetric packet protocol to a message; let
 * %$H(\cdot)$% be the random oracle.  Let $\alpha \inr \{0,\ldots,q - 1\}$%
 * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
 * be Bob's public key.
 *
 * At the beginning of the session, Alice chooses
 *
 *   %$\rho_A \inr \{0, \ldots q - 1\}$%
 *
 * We also have:
 *
 * %$r_A = g^{\rho_A}$%			Alice's challenge
 * %$c_A = H(\cookie{cookie}, r_A)$%	Alice's cookie
 * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
 *					Alice's challenge check value
 * %$r_B^\alpha = a^{\rho_B}$%		Alice's reply
 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
 *					Alice and Bob's shared secret key
 * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
 *					Alice's switch request value
 * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
 *					Alice's switch confirm value
 *
 * The messages are then:
 *
 * %$\cookie{kx-pre-challenge}, r_A$%
 *	Initial greeting.  In state @KXS_CHAL@.
 *
 * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
 *	Here's a full challenge for you to answer.
 *
 * %$\cookie{kx-reply}, r_A, c_B, v_A, E_K(r_B^\alpha))$%
 *	Challenge accpeted: here's the answer.  Commit to my challenge.  Move
 *	to @KXS_COMMIT@.
 *
 * %$\cookie{kx-switch-rq}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
 *	Reply received: here's my reply.  Committed; send data; move to
 *	@KXS_SWITCH@.
 *
 * %$\cookie{kx-switch-ok}, E_K(u_A))$%
 *	Switch received.  Committed; send data; move to @KXS_SWITCH@.
 *
 * %$\cookie{kx-token-request}, u, E_L(n)$%
 *	%$L = H(u, u^\alpha)$%, and %$n$% is a string of the form
 *	`[PEER.]KEYTAG'.  Expect %$\cookie{kx-token}$% by return.
 *
 * %$\cookie{kx-token}, v, E_{L'}(t)$%
 *	%$L' = H(v, v^\alpha)$%, and %$t$% is a token associated with %$n$%
 *	(see %$\cookie{kx-token-request}$% above).
 *
 * %$\cookie{kx-knock}, u, E_L(n, t), r_A$%
 *	%$L$%, %$n$% and %$t$% are as %$\cookie{kx-token}$% and
 *	%$\cookie{kx-token-request}$%; %$r_A$% is as in
 *	%$\cookie{kx-pre-challenge}$%.  If the token %$t$% doesn't match
 *	%$n$%, then warn and discard.  If a peer named PEER (or KEYTAG)
 *	exists then proceed as for %$\cookie{kx-pre-challenge}$%.  Otherwise
 *	issue a notification `NOTE KNOCK PEER ADDR...' and discard.
 */

/*----- Static tables -----------------------------------------------------*/

static const char *const pkname[] = {
  "pre-challenge", "challenge", "reply", "switch-rq", "switch-ok",
  "token-rq", "token", "knock"
};

/*----- Various utilities -------------------------------------------------*/

/* --- @VALIDP@ --- *
 *
 * Arguments:	@const keyexch *kx@ = key exchange state
 *		@time_t now@ = current time in seconds
 *
 * Returns:	Whether the challenge in the key-exchange state is still
 *		valid or should be regenerated.
 */

#define VALIDP(kx, now) ((now) < (kx)->t_valid)

/* --- @hashge@ --- *
 *
 * Arguments:	@ghash *h@ = pointer to hash context
 *		@const dhgrp *g@ = pointer to group
 *		@const dhge *Y@ = pointer to group element
 *
 * Returns:	---
 *
 * Use:		Adds the hash of a group element to the context.  Corrupts
 *		@buf_t@.
 */

static void hashge(ghash *h, const dhgrp *g, const dhge *Y)
{
  buf b;

  buf_init(&b, buf_t, sizeof(buf_t));
  g->ops->stge(g, &b, Y, DHFMT_HASH);
  assert(BOK(&b));
  GH_HASH(h, BBASE(&b), BLEN(&b));
}

/* --- @mpmask@ --- *
 *
 * Arguments:	@buf *b@ = output buffer
 *		@const dhgrp *g@ = the group
 *		@const dhsc *x@ = the plaintext scalar
 *		@size_t n@ = the expected size of the plaintext
 *		@gcipher *mgfc@ = mask-generating function to use
 *		@const octet *k@ = pointer to key material
 *		@size_t ksz@ = size of the key
 *
 * Returns:	---
 *
 * Use:		Masks a scalar: returns %$x \xor H(k)$%, so it's a random
 *		oracle thing rather than an encryption thing.  Breaks the
 *		output buffer on error.
 */

static void mpmask(buf *b, const dhgrp *g, const dhsc *x, size_t n,
		   const gccipher *mgfc, const octet *k, size_t ksz)
{
  gcipher *mgf;
  octet *p;

  if ((p = buf_get(b, n)) == 0) return;
  mgf = GC_INIT(mgfc, k, ksz);
  IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
    trace(T_CRYPTO, "crypto: masking scalar = %s", g->ops->scstr(g, x));
    trace_block(T_CRYPTO, "crypto: masking key", k, ksz);
  }))
  if (g->ops->stsc(g, buf_t, n, x)) { buf_break(b); return; }
  GC_ENCRYPT(mgf, buf_t, p, n);
  IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
    trace_block(T_CRYPTO, "crypto: scalar plaintext", buf_t, n);
    trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n);
  }))
  GC_DESTROY(mgf);
}

/* --- @mpunmask@ --- *
 *
 * Arguments:	@const dhgrp *g@ = the group
 *		@const octet *p@ = pointer to the ciphertext
 *		@size_t n@ = the size of the ciphertext
 *		@gcipher *mgfc@ = mask-generating function to use
 *		@const octet *k@ = pointer to key material
 *		@size_t ksz@ = size of the key
 *
 * Returns:	The decrypted scalar, or null.
 *
 * Use:		Unmasks a scalar.
 */

static dhsc *mpunmask(const dhgrp *g, const octet *p, size_t n,
		      const gccipher *mgfc, const octet *k, size_t ksz)
{
  gcipher *mgf;
  dhsc *x;

  mgf = GC_INIT(mgfc, k, ksz);
  IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
    trace_block(T_CRYPTO, "crypto: unmasking key", k, ksz);
    trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n);
  }))
  GC_DECRYPT(mgf, p, buf_t, n);
  x = g->ops->ldsc(g, buf_t, n);
  IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
    trace_block(T_CRYPTO, "crypto: scalar plaintext", buf_t, n);
    trace(T_CRYPTO, "crypto: unmasked scalar = %s",
	  x ? g->ops->scstr(g, x) : "<failed>");
  }))
  GC_DESTROY(mgf);
  return (x);
}

/* --- @hashcheck@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key-exchange block
 *		@const dhge *K@ = sender's public key
 *		@const dhge *CC@ = receiver's challenge
 *		@const dhge *C@ = sender's challenge
 *		@const dhge *Y@ = reply to sender's challenge
 *
 * Returns:	Pointer to the hash value (in @buf_t@)
 *
 * Use:		Computes the check-value hash, used to mask or unmask
 *		indices to prove the validity of challenges.  This computes
 *		the masking key used in challenge check values.  This is
 *		really the heart of the whole thing, since it ensures that
 *		the scalar can be recovered from the history of hashing
 *		queries, which gives us (a) a proof that the authentication
 *		process is zero-knowledge, and (b) a proof that the whole
 *		key-exchange is deniable.
 */

static const octet *hashcheck(keyexch *kx, const dhge *K,
			      const dhge *CC, const dhge *C, const dhge *Y)
{
  ghash *h = GH_INIT(kx->kpriv->algs.h);
  const dhgrp *g = kx->kpriv->grp;

  HASH_STRING(h, "tripe-expected-reply");
  hashge(h, g, K);
  hashge(h, g, CC);
  hashge(h, g, C);
  hashge(h, g, Y);
  GH_DONE(h, buf_t);
  IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
    trace(T_CRYPTO, "crypto: computing challenge check hash");
    trace(T_CRYPTO, "crypto: public key = %s", g->ops->gestr(g, K));
    trace(T_CRYPTO, "crypto: receiver challenge = %s", g->ops->gestr(g, CC));
    trace(T_CRYPTO, "crypto: sender challenge = %s", g->ops->gestr(g, C));
    trace(T_CRYPTO, "crypto: sender reply = %s", g->ops->gestr(g, Y));
    trace_block(T_CRYPTO, "crypto: hash output", buf_t, kx->kpriv->algs.hashsz);
  }))
  GH_DESTROY(h);
  return (buf_t);
}

/* --- @sendchallenge@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange block
 *		@buf *b@ = output buffer for challenge
 *		@const dhge *C@ = peer's actual challenge
 *		@const octet *hc@ = peer's challenge cookie
 *
 * Returns:	---
 *
 * Use:		Writes a full challenge to the message buffer.
 */

static void sendchallenge(keyexch *kx, buf *b,
			  const dhge *C, const octet *hc)
{
  const dhgrp *g = kx->kpriv->grp;
  g->ops->stge(g, b, kx->C, DHFMT_VAR);
  buf_put(b, hc, kx->kpriv->algs.hashsz);
  mpmask(b, g, kx->a, g->scsz, kx->kpriv->algs.mgf,
	 hashcheck(kx, kx->kpriv->K, C, kx->C, kx->RX),
	 kx->kpriv->algs.hashsz);
}

/* --- @timer@ --- *
 *
 * Arguments:	@struct timeval *tv@ = the current time
 *		@void *v@ = pointer to key exchange context
 *
 * Returns:	---
 *
 * Use:		Acts when the key exchange timer goes off.
 */

static void timer(struct timeval *tv, void *v)
{
  keyexch *kx = v;
  kx->f &= ~KXF_TIMER;
  T( trace(T_KEYEXCH, "keyexch: timer has popped"); )
  kx_start(kx, 0);
}

/* --- @settimer@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *		@struct timeval *tv@ = when to set the timer for
 *
 * Returns:	---
 *
 * Use:		Sets the timer for the next key exchange attempt.
 */

static void settimer(keyexch *kx, struct timeval *tv)
{
  if (kx->f & KXF_TIMER) sel_rmtimer(&kx->t);
  sel_addtimer(&sel, &kx->t, tv, timer, kx);
  kx->f |= KXF_TIMER;
}

/* --- @f2tv@ --- *
 *
 * Arguments:	@struct timeval *tv@ = where to write the timeval
 *		@double t@ = a time as a floating point number
 *
 * Returns:	---
 *
 * Use:		Converts a floating-point time into a timeval.
 */

static void f2tv(struct timeval *tv, double t)
{
  tv->tv_sec = t;
  tv->tv_usec = (t - tv->tv_sec)*MILLION;
}

/* --- @wobble@ --- *
 *
 * Arguments:	@double t@ = a time interval
 *
 * Returns:	The same time interval, with a random error applied.
 */

static double wobble(double t)
{
  uint32 r = rand_global.ops->word(&rand_global);
  double w = (r/F_2P32) - 0.5;
  return (t + t*w*T_WOBBLE);
}

/* --- @rs_time@ --- *
 *
 * Arguments:	@retry *rs@ = current retry state
 *		@struct timeval *tv@ = where to write the result
 *		@const struct timeval *now@ = current time, or null
 *
 * Returns:	---
 *
 * Use:		Computes a time at which to retry sending a key-exchange
 *		packet.  This algorithm is subject to change, but it's
 *		currently a capped exponential backoff, slightly randomized
 *		to try to keep clients from hammering a server that's only
 *		just woken up.
 *
 *		If @now@ is null then the function works out the time for
 *		itself.
 */

static void rs_time(retry *rs, struct timeval *tv, const struct timeval *now)
{
  double t;
  struct timeval rtv;

  if (!rs->t)
    t = SEC(2);
  else {
    t = (rs->t * 5)/4;
    if (t > MIN(5)) t = MIN(5);
  }
  rs->t = t;

  if (!now) {
    now = tv;
    gettimeofday(tv, 0);
  }
  f2tv(&rtv, wobble(t));
  TV_ADD(tv, now, &rtv);
}

/* --- @retry_reset@ --- *
 *
 * Arguments:	@retry *rs@ = retry state
 *
 * Returns:	--
 *
 * Use:		Resets a retry state to indicate that progress has been
 *		made.  Also useful for initializing the state in the first
 *		place.
 */

static void rs_reset(retry *rs) { rs->t = 0; }

/* --- @notice_message@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key-exchange block
 *
 * Returns:	Zero if OK; @-1@ if the public key is in a bad state.
 *
 * Use:		Updates the key-exchange state following a received message.
 *		Specifically, if there's no currently active key-exchange in
 *		progress, and we're not in the cooling-off period, then
 *		commence a new one; reset the retry timers; and if we're
 *		corked then pop the cork so that we can reply.
 */

static int checkpub(keyexch *kx);
static void stop(keyexch *kx);
static void start(keyexch *kx, time_t now);

static int notice_message(keyexch *kx)
{
  struct timeval now, tv;

  gettimeofday(&now, 0);
  rs_reset(&kx->rs);
  if (kx->f & KXF_CORK) {
    start(kx, now.tv_sec);
    rs_time(&kx->rs, &tv, &now);
    settimer(kx, &tv);
    a_notify("KXSTART", "?PEER", kx->p, A_END);
  }
  if (checkpub(kx)) return (-1);
  if (!VALIDP(kx, now.tv_sec)) {
    stop(kx);
    start(kx, now.tv_sec);
  }
  return (0);
}

/* --- @update_stats_tx@, @update_stats_rx@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key-exchange block
 *		@int ok@ = nonzero if the message was valid (for @rx@)
 *		@size_t sz@ = size of sent message
 *
 * Returns:	---
 *
 * Use:		Records that a key-exchange message was sent to, or received
 *		from, the peer.
 */

static void update_stats_tx(keyexch *kx, size_t sz)
  { stats *st = p_stats(kx->p); st->n_kxout++; st->sz_kxout += sz; }

static void update_stats_rx(keyexch *kx, int ok, size_t sz)
{
  stats *st = p_stats(kx->p);

  if (!ok) st->n_reject++;
  else { st->n_kxin++; st->sz_kxin += sz; }
}

/*----- Challenge management ----------------------------------------------*/

/* --- Notes on challenge management --- *
 *
 * We may get multiple different replies to our key exchange; some will be
 * correct, some inserted by attackers.  Up until @KX_THRESH@, all challenges
 * received will be added to the table and given a full response.  After
 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
 * our existing challenge, followed by a hash of the sender's challenge.  We
 * do %%\emph{not}%% give a bare challenge a reply slot at this stage.  All
 * properly-formed cookies are assigned a table slot: if none is spare, a
 * used slot is randomly selected and destroyed.  A cookie always receives a
 * full reply.
 */

/* --- @kxc_destroy@ --- *
 *
 * Arguments:	@kxchal *kxc@ = pointer to the challenge block
 *
 * Returns:	---
 *
 * Use:		Disposes of a challenge block.
 */

static void kxc_destroy(kxchal *kxc)
{
  const dhgrp *g = kxc->kx->kpriv->grp;
  if (kxc->f & KXF_TIMER)
    sel_rmtimer(&kxc->t);
  g->ops->freege(g, kxc->C);
  g->ops->freege(g, kxc->R);
  ks_drop(kxc->ks);
  DESTROY(kxc);
}

/* --- @kxc_stoptimer@ --- *
 *
 * Arguments:	@kxchal *kxc@ = pointer to the challenge block
 *
 * Returns:	---
 *
 * Use:		Stops the challenge's retry timer from sending messages.
 *		Useful when the state machine is in the endgame of the
 *		exchange.
 */

static void kxc_stoptimer(kxchal *kxc)
{
  if (kxc->f & KXF_TIMER)
    sel_rmtimer(&kxc->t);
  kxc->f &= ~KXF_TIMER;
}

/* --- @kxc_new@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange block
 *
 * Returns:	A pointer to the challenge block.
 *
 * Use:		Returns a pointer to a new challenge block to fill in.
 *		In particular, the @c@ and @r@ members are left
 *		uninitialized.
 */

static kxchal *kxc_new(keyexch *kx)
{
  kxchal *kxc;
  unsigned i;

  /* --- If we're over reply threshold, discard one at random --- */

  if (kx->nr < KX_NCHAL)
    i = kx->nr++;
  else {
    i = rand_global.ops->range(&rand_global, KX_NCHAL);
    kxc_destroy(kx->r[i]);
  }

  /* --- Fill in the new structure --- */

  kxc = CREATE(kxchal);
  kxc->ks = 0;
  kxc->kx = kx;
  kxc->f = 0;
  kx->r[i] = kxc;
  rs_reset(&kxc->rs);
  return (kxc);
}

/* --- @kxc_bychal@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange block
 *		@const dhge *C@ = challenge from remote host
 *
 * Returns:	Pointer to the challenge block, or null.
 *
 * Use:		Finds a challenge block, given its challenge.
 */

static kxchal *kxc_bychal(keyexch *kx, const dhge *C)
{
  const dhgrp *g = kx->kpriv->grp;
  unsigned i;

  for (i = 0; i < kx->nr; i++) {
    if (g->ops->eq(g, C, kx->r[i]->C))
      return (kx->r[i]);
  }
  return (0);
}

/* --- @kxc_byhc@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange block
 *		@const octet *hc@ = challenge hash from remote host
 *
 * Returns:	Pointer to the challenge block, or null.
 *
 * Use:		Finds a challenge block, given a hash of its challenge.
 */

static kxchal *kxc_byhc(keyexch *kx, const octet *hc)
{
  unsigned i;

  for (i = 0; i < kx->nr; i++) {
    if (memcmp(hc, kx->r[i]->hc, kx->kpriv->algs.hashsz) == 0)
      return (kx->r[i]);
  }
  return (0);
}

/* --- @kxc_answer@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange block
 *		@kxchal *kxc@ = pointer to challenge block
 *
 * Returns:	---
 *
 * Use:		Sends a reply to the remote host, according to the data in
 *		this challenge block.
 */

static void kxc_answer(keyexch *kx, kxchal *kxc);

static void kxc_timer(struct timeval *tv, void *v)
{
  kxchal *kxc = v;
  kxc->f &= ~KXF_TIMER;
  kxc_answer(kxc->kx, kxc);
}

static void kxc_answer(keyexch *kx, kxchal *kxc)
{
  buf *b = p_txstart(kx->p, MSG_KEYEXCH | KX_REPLY);
  const dhgrp *g = kx->kpriv->grp;
  struct timeval tv;
  buf bb;

  /* --- Build the reply packet --- */

  T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
  sendchallenge(kx, b, kxc->C, kxc->hc);
  buf_init(&bb, buf_i, sizeof(buf_i));
  g->ops->stge(g, &bb, kxc->R, DHFMT_STD);
  buf_flip(&bb);
  ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);

  /* --- Update the statistics --- */

  if (BOK(b)) {
    update_stats_tx(kx, BLEN(b));
    p_txend(kx->p);
  }

  /* --- Schedule another resend --- */

  if (kxc->f & KXF_TIMER)
    sel_rmtimer(&kxc->t);
  gettimeofday(&tv, 0);
  rs_time(&kxc->rs, &tv, &tv);
  sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc);
  kxc->f |= KXF_TIMER;
}

/*----- Individual message handlers ---------------------------------------*/

static ratelim unauth_limit;

/* --- @dotokenrq@ --- *
 *
 * Arguments:	@const addr *a@ = sender's address
 *		@buf *b@ = buffer containing the packet
 *
 * Returns:	---
 *
 * Use:		Processes a token-request message.
 */

static void dotokenrq(const addr *a, buf *b)
{
  uint32 id;
  kdata *kpriv = 0, *kpub = 0;
  char *pname;
  const char *tag;
  size_t sz;
  buf bb, bbb;

  /* --- Check if we're in danger of overloading --- */

  if (ratelim_withdraw(&unauth_limit, 1)) goto done;

  /* --- Start building the reply --- */

  buf_init(&bbb, buf_o, sizeof(buf_o));
  buf_putu8(&bbb, MSG_KEYEXCH | KX_TOKEN);

  /* --- Fetch and copy the challenge string --- */

  if (buf_getbuf16(b, &bb)) goto done;
  buf_putmem16(&bbb, BBASE(&bb), BSZ(&bb));

  /* --- Make our own challenge for the response --- */

  buf_init(&bb, buf_t, sizeof(buf_t));
  c_new(0, 0, &bb); assert(BOK(&bb)); buf_putbuf16(&bbb, &bb);

  /* --- Figure out which private key I'm supposed to use --- */

  if (buf_getu32(b, &id)) goto done;
  if ((kpriv = km_findprivbyid(id)) == 0) goto done;

  /* --- Decrypt the message --- */

  buf_init(&bb, buf_t, sizeof(buf_t));
  if (ies_decrypt(kpriv, MSG_KEYEXCH | KX_TOKENRQ, b, &bb) || BLEFT(b))
    goto done;

  /* --- Parse the token request and find the sender's public key --- */

  assert(BOK(&bb)); buf_flip(&bb);
  if ((pname = buf_getmem16(&bb, &sz)) == 0 || memchr(pname, 0, sz))
    goto done;
  assert(sz < sizeof(buf_t) - ((const octet *)pname - buf_t));
  pname[sz] = 0;
  if ((tag = strchr(pname, '.')) != 0) tag++;
  else tag = pname;
  if ((kpub = km_findpub(tag)) == 0) goto done;

  /* --- Build and encrypt the token --- */

  buf_init(&bb, buf_i, sizeof(buf_i));
  c_new(pname, sz, &bb);
  assert(BOK(&bb)); buf_flip(&bb);
  if (ies_encrypt(kpub, MSG_KEYEXCH | KX_TOKEN, &bb, &bbb)) goto done;
  assert(BOK(&bbb));

  /* --- Send the response -- or at least give it a try --- */

  p_txaddr(a, BBASE(&bbb), BLEN(&bbb));

  /* --- All done --- */

done:
  if (kpriv) km_unref(kpriv);
  if (kpub) km_unref(kpub);
}

/* --- @dotoken@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange block
 *		@buf *b@ = buffer containing the packet
 *
 * Returns:	Zero if OK, nonzero of the packet was rejected.
 *
 * Use:		Processes a token message.
 */

static int dotoken(keyexch *kx, buf *b)
{
  buf bb;
  buf *bbb;
  const dhgrp *g = kx->kpriv->grp;
  octet *p;
  size_t sz;

  /* --- Make sure this is a sensible message to have received --- */

  if (!kx->p->spec.knock) return (-1);

  /* --- First, collect and verify our challenge --- */

  if (buf_getbuf16(b, &bb) || c_check(0, 0, &bb) || BLEFT(&bb)) return (-1);

  /* --- Start building the knock message from here --- */

  bbb = p_txstart(kx->p, MSG_KEYEXCH | KX_KNOCK);

  /* --- Copy the peer's challenge --- */

  if (buf_getbuf16(b, &bb)) return (-1);
  buf_putmem16(bbb, BBASE(&bb), BSZ(&bb));

  /* --- Add the key indicator --- */

  buf_putu32(bbb, kx->kpub->id);

  /* --- Building the knock payload --- */

  buf_init(&bb, buf_t, sizeof(buf_t));
  buf_putstr16(&bb, kx->p->spec.knock);
  sz = BLEN(&bb)%64; if (sz) sz = 64 - sz;
  if (ies_decrypt(kx->kpriv, MSG_KEYEXCH | KX_TOKEN, b, &bb)) return (-1);
  p = buf_get(&bb, sz); assert(p); memset(p, 0, sz);
  assert(BOK(&bb)); buf_flip(&bb);
  if (ies_encrypt(kx->kpub, MSG_KEYEXCH | KX_KNOCK, &bb, bbb)) return (-1);

  /* --- Finally, the pre-challenge group element --- */

  g->ops->stge(g, bbb, kx->C, DHFMT_VAR);

  /* --- And we're done --- */

  if (BBAD(bbb)) return (-1);
  update_stats_tx(kx, BLEN(bbb));
  p_txend(kx->p);
  return (0);
}

/* --- @doprechallenge@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange block
 *		@buf *b@ = buffer containing the packet
 *
 * Returns:	Zero if OK, nonzero of the packet was rejected.
 *
 * Use:		Processes a pre-challenge message.
 */

static int doprechallenge(keyexch *kx, buf *b)
{
  const dhgrp *g = kx->kpriv->grp;
  dhge *C = 0;
  ghash *h;

  /* --- Ensure that we're in a sensible state --- */

  if (kx->s != KXS_CHAL) {
    a_warn("KX", "?PEER", kx->p, "unexpected", "pre-challenge", A_END);
    goto bad;
  }

  /* --- Unpack the packet --- */

  if ((C = g->ops->ldge(g, b, DHFMT_VAR)) == 0 || BLEFT(b))
    goto bad;

  IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
    trace(T_CRYPTO, "crypto: challenge = %s", g->ops->gestr(g, C));
  }))

  /* --- Send out a full challenge by return --- */

  b = p_txstart(kx->p, MSG_KEYEXCH | KX_CHAL);
  h = GH_INIT(kx->kpriv->algs.h);
  HASH_STRING(h, "tripe-cookie");
  hashge(h, g, C);
  sendchallenge(kx, b, C, GH_DONE(h, 0));
  GH_DESTROY(h);
  update_stats_tx(kx, BLEN(b));
  p_txend(kx->p);

  /* --- Done --- */

  g->ops->freege(g, C);
  return (0);

bad:
  if (C) g->ops->freege(g, C);
  return (-1);
}

/* --- @doknock@ --- *
 *
 * Arguments:	@const addr *a@ = sender's address
 *		@buf *b@ = buffer containing the packet
 *
 * Returns:	---
 *
 * Use:		Processes a knock message.
 */

static void doknock(const addr *a, buf *b)
{
  keyexch *kx;
  peer *p;
  uint32 id;
  kdata *kpriv = 0;
  char *pname;
  size_t sz, msgsz = BLEN(b);
  buf bb;
  int rc;

  /* --- Read and check the challenge --- */

  buf_getbuf16(b, &bb);
  if (c_check(0, 0, &bb)) goto done;

  /* --- Figure out which private key I'm supposed to use --- */

  if (buf_getu32(b, &id)) goto done;
  if ((kpriv = km_findprivbyid(id)) == 0) goto done;

  /* --- Decrypt and check the peer's name against the token --- */

  buf_init(&bb, buf_t, sizeof(buf_t));
  if (ies_decrypt(kpriv, MSG_KEYEXCH | KX_KNOCK, b, &bb)) goto done;
  assert(BOK(&bb)); buf_flip(&bb);
  if ((pname = buf_getmem16(&bb, &sz)) == 0 ||
      memchr(pname, 0, sz) ||
      c_check(pname, sz, &bb))
    goto done;
  assert(sz < sizeof(buf_t) - ((const octet *)pname - buf_t));
  pname[sz] = 0;

  /* --- If we can't find the peer, then issue a notification --- */

  if ((p = p_find(pname)) == 0) {
    a_notify("KNOCK", "%s", pname, "?ADDR", a, A_END);
    goto done;
  }

  /* --- Update the peer's address --- */

  kx = &p->kx;
  p_updateaddr(kx->p, a);

  /* --- Now treat the remainder of the message as a pre-challenge --- */

  notice_message(kx);
  rc = doprechallenge(kx, b);
  update_stats_rx(kx, !rc, msgsz);

  /* --- All done: clean up --- */

done:
  if (kpriv) km_unref(kpriv);
}

/* --- @respond@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange block
 *		@unsigned msg@ = message code for this packet
 *		@buf *b@ = buffer containing the packet
 *
 * Returns:	Key-exchange challenge block, or null.
 *
 * Use:		Computes a response for the given challenge, entering it into
 *		a challenge block and so on.
 */

static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
{
  const dhgrp *g = kx->kpriv->grp;
  const algswitch *algs = &kx->kpriv->algs;
  size_t ixsz = g->scsz;
  dhge *C = 0;
  dhge *R = 0;
  dhge *CC = 0;
  deriveargs a;
  const octet *hc, *ck;
  dhsc *c = 0;
  kxchal *kxc;
  ghash *h = 0;
  buf bb;
  int ok;

  /* --- Unpack the packet --- */

  if ((C = g->ops->ldge(g, b, DHFMT_VAR)) == 0 ||
      (hc = buf_get(b, algs->hashsz)) == 0 ||
      (ck = buf_get(b, ixsz)) == 0) {
    a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
    goto bad;
  }
  IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
    trace(T_CRYPTO, "crypto: challenge = %s", g->ops->gestr(g, C));
    trace_block(T_CRYPTO, "crypto: cookie", hc, algs->hashsz);
    trace_block(T_CRYPTO, "crypto: check-value", ck, ixsz);
  }))

  /* --- Discard a packet with an invalid cookie --- */

  if (hc && memcmp(hc, kx->hc, algs->hashsz) != 0) {
    a_warn("KX", "?PEER", kx->p, "incorrect", "cookie", A_END);
    goto bad;
  }

  /* --- Recover the check value and verify it --- *
   *
   * To avoid recomputation on replays, we store a hash of the `right'
   * value.  The `correct' value is unique, so this is right.
   *
   * This will also find a challenge block and, if necessary, populate it.
   */

  if ((kxc = kxc_bychal(kx, C)) != 0) {
    h = GH_INIT(algs->h);
    HASH_STRING(h, "tripe-check-hash");
    GH_HASH(h, ck, ixsz);
    ok = !memcmp(kxc->ck, GH_DONE(h, 0), algs->hashsz);
    GH_DESTROY(h);
    if (!ok) goto badcheck;
  } else {

    /* --- Compute the reply, and check the magic --- */

    R = g->ops->mul(g, kx->kpriv->k, C);
    if ((c = mpunmask(g, ck, ixsz, algs->mgf,
		      hashcheck(kx, kx->kpub->K, kx->C, C, R),
		      algs->hashsz)) == 0)
      goto badcheck;
    IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
      trace(T_CRYPTO, "crypto: computed reply = %s", g->ops->gestr(g, R));
      trace(T_CRYPTO, "crypto: recovered log = %s", g->ops->scstr(g, c));
    }))
    CC = g->ops->mul(g, c, 0);
    if (!g->ops->eq(g, CC, C)) goto badcheck;

    /* --- Fill in a new challenge block --- */

    kxc = kxc_new(kx);
    kxc->C = C; C = 0;
    kxc->R = R; R = 0;

    h = GH_INIT(algs->h); HASH_STRING(h, "tripe-check-hash");
    GH_HASH(h, ck, ixsz);
    GH_DONE(h, kxc->ck); GH_DESTROY(h);

    h = GH_INIT(algs->h); HASH_STRING(h, "tripe-cookie");
    hashge(h, g, kxc->C);
    GH_DONE(h, kxc->hc); GH_DESTROY(h);

    IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
      trace_block(T_CRYPTO, "crypto: computed cookie",
		  kxc->hc, algs->hashsz);
    }))

    /* --- Work out the shared key --- */

    R = g->ops->mul(g, kx->a, kxc->C);
    IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
      trace(T_CRYPTO, "crypto: shared secret = %s", g->ops->gestr(g, R));
    }))

    /* --- Compute the switch messages --- */

    h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-request");
    hashge(h, g, kx->C); hashge(h, g, kxc->C);
    GH_DONE(h, kxc->hswrq_out); GH_DESTROY(h);
    h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-confirm");
    hashge(h, g, kx->C); hashge(h, g, kxc->C);
    GH_DONE(h, kxc->hswok_out); GH_DESTROY(h);

    h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-request");
    hashge(h, g, kxc->C); hashge(h, g, kx->C);
    GH_DONE(h, kxc->hswrq_in); GH_DESTROY(h);
    h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-confirm");
    hashge(h, g, kxc->C); hashge(h, g, kx->C);
    GH_DONE(h, kxc->hswok_in); GH_DESTROY(h);

    IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
      trace_block(T_CRYPTO, "crypto: outbound switch request",
		  kxc->hswrq_out, algs->hashsz);
      trace_block(T_CRYPTO, "crypto: outbound switch confirm",
		  kxc->hswok_out, algs->hashsz);
      trace_block(T_CRYPTO, "crypto: inbound switch request",
		  kxc->hswrq_in, algs->hashsz);
      trace_block(T_CRYPTO, "crypto: inbound switch confirm",
		  kxc->hswok_in, algs->hashsz);
    }))

    /* --- Create a new symmetric keyset --- */

    buf_init(&bb, buf_o, sizeof(buf_o)); a.k = BBASE(&bb);
    g->ops->stge(g, &bb, kx->C, DHFMT_HASH); a.x = BLEN(&bb);
    g->ops->stge(g, &bb, kxc->C, DHFMT_HASH); a.y = BLEN(&bb);
    g->ops->stge(g, &bb, R, DHFMT_HASH); a.z = BLEN(&bb);
    assert(BOK(&bb));

    kxc->ks = ks_gen(&a, kx->p);
  }

  if (C) g->ops->freege(g, C);
  if (CC) g->ops->freege(g, CC);
  if (R) g->ops->freege(g, R);
  if (c) g->ops->freesc(g, c);
  return (kxc);

badcheck:
  a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
  goto bad;
bad:
  if (C) g->ops->freege(g, C);
  if (CC) g->ops->freege(g, CC);
  if (R) g->ops->freege(g, R);
  if (c) g->ops->freesc(g, c);
  return (0);
}

/* --- @dochallenge@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange block
 *		@unsigned msg@ = message code for the packet
 *		@buf *b@ = buffer containing the packet
 *
 * Returns:	Zero if OK, nonzero if the packet was rejected.
 *
 * Use:		Processes a packet containing a challenge.
 */

static int dochallenge(keyexch *kx, buf *b)
{
  kxchal *kxc;

  if (kx->s != KXS_CHAL) {
    a_warn("KX", "?PEER", kx->p, "unexpected", "challenge", A_END);
    goto bad;
  }
  if ((kxc = respond(kx, KX_CHAL, b)) == 0)
    goto bad;
  if (BLEFT(b)) {
    a_warn("KX", "?PEER", kx->p, "invalid", "challenge", A_END);
    goto bad;
  }
  kxc_answer(kx, kxc);
  return (0);

bad:
  return (-1);
}

/* --- @resend@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *
 * Returns:	---
 *
 * Use:		Sends the next message for a key exchange.
 */

static void resend(keyexch *kx)
{
  kxchal *kxc;
  buf bb;
  struct timeval tv;
  const dhgrp *g = kx->kpriv->grp;
  octet *p;
  size_t sz;
  buf *b;

  switch (kx->s) {
    case KXS_CHAL:
      if (!kx->p->spec.knock) {
	T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'",
		 p_name(kx->p)); )
	b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL);
	g->ops->stge(g, b, kx->C, DHFMT_VAR);
      } else {
	T( trace(T_KEYEXCH, "keyexch: sending token-request to `%s'",
		 p_name(kx->p)); )
	b = p_txstart(kx->p, MSG_KEYEXCH | KX_TOKENRQ);

	buf_init(&bb, buf_t, sizeof(buf_t));
	c_new(0, 0, &bb); assert(BOK(&bb)); buf_putbuf16(b, &bb);

	buf_putu32(b, kx->kpub->id);

	buf_init(&bb, buf_t, sizeof(buf_t));
	buf_putstr16(&bb, kx->p->spec.knock);
	sz = BLEN(&bb)%64; if (sz) sz = 64 - sz;
	p = buf_get(&bb, sz); assert(p); memset(p, 0, sz);
	assert(BOK(&bb)); buf_flip(&bb);
	if (ies_encrypt(kx->kpub, MSG_KEYEXCH | KX_TOKENRQ, &bb, b))
	  buf_break(b);
      }
      break;
    case KXS_COMMIT:
      T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'",
	       p_name(kx->p)); )
      kxc = kx->r[0];
      b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH);
      buf_put(b, kx->hc, kx->kpriv->algs.hashsz);
      buf_put(b, kxc->hc, kx->kpriv->algs.hashsz);
      buf_init(&bb, buf_i, sizeof(buf_i));
      g->ops->stge(g, &bb, kxc->R, DHFMT_STD);
      buf_put(&bb, kxc->hswrq_out, kx->kpriv->algs.hashsz);
      buf_flip(&bb);
      ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCH, &bb, b);
      break;
    case KXS_SWITCH:
      T( trace(T_KEYEXCH, "keyexch: sending switch confirmation to `%s'",
	       p_name(kx->p)); )
      kxc = kx->r[0];
      b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK);
      buf_init(&bb, buf_i, sizeof(buf_i));
      buf_put(&bb, kxc->hswok_out, kx->kpriv->algs.hashsz);
      buf_flip(&bb);
      ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, &bb, b);
      break;
    default:
      abort();
  }

  if (BOK(b)) {
    update_stats_tx(kx, BLEN(b));
    p_txend(kx->p);
  }

  if (kx->s < KXS_SWITCH) {
    rs_time(&kx->rs, &tv, 0);
    settimer(kx, &tv);
  }
}

/* --- @decryptrest@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *		@kxchal *kxc@ = pointer to challenge block
 *		@unsigned msg@ = type of incoming message
 *		@buf *b@ = encrypted remainder of the packet
 *
 * Returns:	Zero if OK, nonzero on some kind of error.
 *
 * Use:		Decrypts the remainder of the packet, and points @b@ at the
 *		recovered plaintext.
 */

static int decryptrest(keyexch *kx, kxchal *kxc, unsigned msg, buf *b)
{
  buf bb;

  buf_init(&bb, buf_o, sizeof(buf_o));
  if (ks_decrypt(kxc->ks, MSG_KEYEXCH | msg, b, &bb)) {
    a_warn("KX", "?PEER", kx->p, "decrypt-failed", "%s", pkname[msg], A_END);
    return (-1);
  }
  if (!BOK(&bb)) return (-1);
  buf_init(b, BBASE(&bb), BLEN(&bb));
  return (0);
}

/* --- @checkresponse@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *		@unsigned msg@ = type of incoming message
 *		@buf *b@ = decrypted remainder of the packet
 *
 * Returns:	Zero if OK, nonzero on some kind of error.
 *
 * Use:		Checks a reply or switch packet, ensuring that its response
 *		is correct.
 */

static int checkresponse(keyexch *kx, unsigned msg, buf *b)
{
  const dhgrp *g = kx->kpriv->grp;
  dhge *R;

  if ((R = g->ops->ldge(g, b, DHFMT_STD)) == 0) {
    a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
    goto bad;
  }
  IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
    trace(T_CRYPTO, "crypto: reply = %s", g->ops->gestr(g, R));
  }))
  if (!g->ops->eq(g, R, kx->RX)) {
    a_warn("KX", "?PEER", kx->p, "incorrect", "response", A_END);
    goto bad;
  }

  g->ops->freege(g, R);
  return (0);

bad:
  if (R) g->ops->freege(g, R);
  return (-1);
}

/* --- @commit@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *		@kxchal *kxc@ = pointer to challenge to commit to
 *
 * Returns:	---
 *
 * Use:		Commits to a particular challenge as being the `right' one,
 *		since a reply has arrived for it.
 */

static void commit(keyexch *kx, kxchal *kxc)
{
  unsigned i;

  for (i = 0; i < kx->nr; i++) {
    if (kx->r[i] != kxc)
      kxc_destroy(kx->r[i]);
  }
  kx->r[0] = kxc;
  kx->nr = 1;
  kxc_stoptimer(kxc);
  ksl_link(kx->ks, kxc->ks);
}

/* --- @doreply@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *		@buf *b@ = buffer containing packet
 *
 * Returns:	Zero if OK, nonzero if the packet was rejected.
 *
 * Use:		Handles a reply packet.  This doesn't handle the various
 *		switch packets: they're rather too different.
 */

static int doreply(keyexch *kx, buf *b)
{
  kxchal *kxc;

  if (kx->s != KXS_CHAL && kx->s != KXS_COMMIT) {
    a_warn("KX", "?PEER", kx->p, "unexpected", "reply", A_END);
    goto bad;
  }
  if ((kxc = respond(kx, KX_REPLY, b)) == 0 ||
      decryptrest(kx, kxc, KX_REPLY, b) ||
      checkresponse(kx, KX_REPLY, b))
    goto bad;
  if (BLEFT(b)) {
    a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
    goto bad;
  }
  if (kx->s == KXS_CHAL) {
    commit(kx, kxc);
    kx->s = KXS_COMMIT;
  }
  resend(kx);
  return (0);

bad:
  return (-1);
}

/* --- @kxfinish@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange block
 *
 * Returns:	---
 *
 * Use:		Sets everything up following a successful key exchange.
 */

static void kxfinish(keyexch *kx)
{
  kxchal *kxc = kx->r[0];
  struct timeval now, tv;

  ks_activate(kxc->ks);
  gettimeofday(&now, 0);
  f2tv(&tv, wobble(T_REGEN));
  TV_ADD(&tv, &now, &tv);
  settimer(kx, &tv);
  kx->s = KXS_SWITCH;
  a_notify("KXDONE", "?PEER", kx->p, A_END);
  p_stats(kx->p)->t_kx = time(0);
}

/* --- @doswitch@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange block
 *		@buf *b@ = pointer to buffer containing packet
 *
 * Returns:	Zero if OK, nonzero if the packet was rejected.
 *
 * Use:		Handles a reply with a switch request bolted onto it.
 */

static int doswitch(keyexch *kx, buf *b)
{
  size_t hsz = kx->kpriv->algs.hashsz;
  const octet *hc_in, *hc_out, *hswrq;
  kxchal *kxc;

  if ((hc_in = buf_get(b, hsz)) == 0 ||
      (hc_out = buf_get(b, hsz)) == 0) {
    a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
    goto bad;
  }
  IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
    trace_block(T_CRYPTO, "crypto: challenge", hc_in, hsz);
    trace_block(T_CRYPTO, "crypto: cookie", hc_out, hsz);
  }))
  if ((kxc = kxc_byhc(kx, hc_in)) == 0 ||
      memcmp(hc_out, kx->hc, hsz) != 0) {
    a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
    goto bad;
  }
  if (decryptrest(kx, kxc, KX_SWITCH, b) ||
      checkresponse(kx, KX_SWITCH, b))
    goto bad;
  if ((hswrq = buf_get(b, hsz)) == 0 || BLEFT(b)) {
    a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
    goto bad;
  }
  IF_TRACING(T_KEYEXCH, {
    trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, hsz);
  })
  if (memcmp(hswrq, kxc->hswrq_in, hsz) != 0) {
    a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
    goto bad;
  }
  if (kx->s == KXS_CHAL)
    commit(kx, kxc);
  if (kx->s < KXS_SWITCH)
    kxfinish(kx);
  resend(kx);
  return (0);

bad:
  return (-1);
}

/* --- @doswitchok@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange block
 *		@buf *b@ = pointer to buffer containing packet
 *
 * Returns:	Zero if OK, nonzero if the packet was rejected.
 *
 * Use:		Handles a reply with a switch request bolted onto it.
 */

static int doswitchok(keyexch *kx, buf *b)
{
  size_t hsz = kx->kpriv->algs.hashsz;
  const octet *hswok;
  kxchal *kxc;
  buf bb;

  if (kx->s < KXS_COMMIT) {
    a_warn("KX", "?PEER", kx->p, "unexpected", "switch-ok", A_END);
    goto bad;
  }
  kxc = kx->r[0];
  buf_init(&bb, buf_o, sizeof(buf_o));
  if (decryptrest(kx, kxc, KX_SWITCHOK, b))
    goto bad;
  if ((hswok = buf_get(b, hsz)) == 0 || BLEFT(b)) {
    a_warn("KX", "?PEER", kx->p, "invalid", "switch-ok", A_END);
    goto bad;
  }
  IF_TRACING(T_KEYEXCH, {
    trace_block(T_CRYPTO, "crypto: switch confirmation hash",
		hswok, hsz);
  })
  if (memcmp(hswok, kxc->hswok_in, hsz) != 0) {
    a_warn("KX", "?PEER", kx->p, "incorrect", "switch-ok", A_END);
    goto bad;
  }
  if (kx->s < KXS_SWITCH)
    kxfinish(kx);
  return (0);

bad:
  return (-1);
}

/*----- Main code ---------------------------------------------------------*/

/* --- @stop@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *
 * Returns:	---
 *
 * Use:		Stops a key exchange dead in its tracks.  Throws away all of
 *		the context information.  The context is left in an
 *		inconsistent state.  The only functions which understand this
 *		state are @kx_free@ and @kx_init@ (which cause it internally
 *		it), and @start@ (which expects it to be the prevailing
 *		state).
 */

static void stop(keyexch *kx)
{
  const dhgrp *g = kx->kpriv->grp;
  unsigned i;

  if (kx->f & KXF_DEAD)
    return;

  if (kx->f & KXF_TIMER)
    sel_rmtimer(&kx->t);
  for (i = 0; i < kx->nr; i++)
    kxc_destroy(kx->r[i]);
  g->ops->freesc(g, kx->a);
  g->ops->freege(g, kx->C);
  g->ops->freege(g, kx->RX);
  kx->t_valid = 0;
  kx->f |= KXF_DEAD;
  kx->f &= ~KXF_TIMER;
}

/* --- @start@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *		@time_t now@ = the current time
 *
 * Returns:	---
 *
 * Use:		Starts a new key exchange with the peer.  The context must be
 *		in the bizarre state left by @stop@ or @kx_init@.
 */

static void start(keyexch *kx, time_t now)
{
  algswitch *algs = &kx->kpriv->algs;
  const dhgrp *g = kx->kpriv->grp;
  ghash *h;

  assert(kx->f & KXF_DEAD);

  kx->f &= ~(KXF_DEAD | KXF_CORK);
  kx->nr = 0;
  kx->a = g->ops->randsc(g);
  kx->C = g->ops->mul(g, kx->a, 0);
  kx->RX = g->ops->mul(g, kx->a, kx->kpub->K);
  kx->s = KXS_CHAL;
  kx->t_valid = now + T_VALID;

  h = GH_INIT(algs->h);
  HASH_STRING(h, "tripe-cookie");
  hashge(h, g, kx->C);
  GH_DONE(h, kx->hc);
  GH_DESTROY(h);

  IF_TRACING(T_KEYEXCH, {
    trace(T_KEYEXCH, "keyexch: creating new challenge");
    IF_TRACING(T_CRYPTO, {
      trace(T_CRYPTO, "crypto: secret = %s", g->ops->scstr(g, kx->a));
      trace(T_CRYPTO, "crypto: challenge = %s", g->ops->gestr(g, kx->C));
      trace(T_CRYPTO, "crypto: expected response = %s",
	    g->ops->gestr(g, kx->RX));
      trace_block(T_CRYPTO, "crypto: challenge cookie",
		  kx->hc, algs->hashsz);
    })
  })
}

/* --- @checkpub@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *
 * Returns:	Zero if OK, nonzero if the peer's public key has expired.
 *
 * Use:		Deactivates the key-exchange until the peer acquires a new
 *		public key.
 */

static int checkpub(keyexch *kx)
{
  time_t now;
  unsigned f = 0;

  if (kx->f & KXF_DEAD)
    return (-1);
  now = time(0);
  if (KEY_EXPIRED(now, kx->kpriv->t_exp)) f |= 1;
  if (KEY_EXPIRED(now, kx->kpub->t_exp)) f |= 2;
  if (f) {
    stop(kx);
    if (f & 1) a_warn("KX", "?PEER", kx->p, "private-key-expired", A_END);
    if (f & 2) a_warn("KX", "?PEER", kx->p, "public-key-expired", A_END);
    kx->f &= ~KXF_PUBKEY;
    return (-1);
  }
  return (0);
}

/* --- @kx_start@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *		@int forcep@ = nonzero to ignore the quiet timer
 *
 * Returns:	---
 *
 * Use:		Stimulates a key exchange.  If a key exchage is in progress,
 *		a new challenge is sent (unless the quiet timer forbids
 *		this); if no exchange is in progress, one is commenced.
 */

void kx_start(keyexch *kx, int forcep)
{
  time_t now = time(0);

  if (checkpub(kx))
    return;
  if (forcep || !VALIDP(kx, now)) {
    stop(kx);
    start(kx, now);
    a_notify("KXSTART", "?PEER", kx->p, A_END);
  }
  resend(kx);
}

/* --- @kx_message@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *		@const addr *a@ = sender's IP address and port
 *		@unsigned msg@ = the message code
 *		@buf *b@ = pointer to buffer containing the packet
 *
 * Returns:	Nonzero if the sender's address was unknown.
 *
 * Use:		Reads a packet containing key exchange messages and handles
 *		it.
 */

int kx_message(keyexch *kx, const addr *a, unsigned msg, buf *b)
{
  size_t sz = BSZ(b);
  int rc;

  T( trace(T_KEYEXCH, "keyexch: processing %s packet from %c%s%c",
	   msg < KX_NMSG ? pkname[msg] : "unknown",
	   kx ? '`' : '<', kx ? p_name(kx->p) : "nil", kx ? '\'' : '>'); )

  switch (msg) {
    case KX_TOKENRQ: dotokenrq(a, b); return (0);
    case KX_KNOCK: doknock(a, b); return (0);
  }

  if (!kx) return (-1);
  if (notice_message(kx)) return (0);

  switch (msg) {
    case KX_TOKEN: rc = dotoken(kx, b); break;
    case KX_PRECHAL: rc = doprechallenge(kx, b); break;
    case KX_CHAL: rc = dochallenge(kx, b); break;
    case KX_REPLY: rc = doreply(kx, b); break;
    case KX_SWITCH: rc = doswitch(kx, b); break;
    case KX_SWITCHOK: rc = doswitchok(kx, b); break;
    default:
      a_warn("KX", "?PEER", kx->p, "unknown-message", "0x%02x", msg, A_END);
      rc = -1;
      break;
  }

  update_stats_rx(kx, !rc, sz);
  return (0);
}

/* --- @kx_free@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *
 * Returns:	---
 *
 * Use:		Frees everything in a key exchange context.
 */

void kx_free(keyexch *kx)
{
  stop(kx);
  km_unref(kx->kpub);
  km_unref(kx->kpriv);
}

/* --- @kx_newkeys@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *
 * Returns:	---
 *
 * Use:		Informs the key exchange module that its keys may have
 *		changed.  If fetching the new keys fails, the peer will be
 *		destroyed, we log messages and struggle along with the old
 *		keys.
 */

void kx_newkeys(keyexch *kx)
{
  kdata *kpriv, *kpub;
  unsigned i;
  int switchp;
  time_t now = time(0);

  T( trace(T_KEYEXCH, "keyexch: checking new keys for `%s'",
	   p_name(kx->p)); )

  /* --- Find out whether we can use new keys --- *
   *
   * Try each available combination of new and old, public and private,
   * except both old (which is status quo anyway).  The selection is encoded
   * in @i@, with bit 0 for the private key and bit 1 for public key; a set
   * bit means to use the old value, and a clear bit means to use the new
   * one.
   *
   * This means that we currently prefer `old private and new public' over
   * `new private and old public'.  I'm not sure which way round this should
   * actually be.
   */

  for (i = 0; i < 3; i++) {

    /* --- Select the keys we're going to examine --- *
     *
     * If we're meant to have a new key and don't, then skip this
     * combination.
     */

    T( trace(T_KEYEXCH, "keyexch: checking %s private, %s public",
	     i & 1 ? "old" : "new", i & 2 ? "old" : "new"); )

    if (i & 1) kpriv = kx->kpriv;
    else if (kx->kpriv->kn->kd != kx->kpriv) kpriv = kx->kpriv->kn->kd;
    else {
      T( trace(T_KEYEXCH, "keyexch: private key unchanged, skipping"); )
      continue;
    }

    if (i & 2) kpub = kx->kpub;
    else if (kx->kpub->kn->kd != kx->kpub) kpub = kx->kpub->kn->kd;
    else {
      T( trace(T_KEYEXCH, "keyexch: public key unchanged, skipping"); )
      continue;
    }

    /* --- Skip if either key is expired --- *
     *
     * We're not going to get far with expired keys, and this simplifies the
     * logic below.
     */

    if (KEY_EXPIRED(now, kx->kpriv->t_exp) ||
	KEY_EXPIRED(now, kx->kpub->t_exp)) {
      T( trace(T_KEYEXCH, "keyexch: %s expired, skipping",
	       !KEY_EXPIRED(now, kx->kpriv->t_exp) ? "public key" :
	       !KEY_EXPIRED(now, kx->kpub->t_exp) ? "private key" :
	       "both keys"); )
      continue;
    }

    /* --- If the groups don't match then we can't use this pair --- */

    if (!km_samealgsp(kpriv, kpub)) {
      T( trace(T_KEYEXCH, "keyexch: peer `%s' group mismatch; "
	       "%s priv `%s' and %s pub `%s'", p_name(kx->p),
	       i & 1 ? "old" : "new", km_tag(kx->kpriv),
	       i & 2 ? "old" : "new", km_tag(kx->kpub)); )
      continue;
    }
    goto newkeys;
  }
  T( trace(T_KEYEXCH, "keyexch: peer `%s' continuing with old keys",
	   p_name(kx->p)); )
  return;

  /* --- We've chosen new keys --- *
   *
   * Switch the new ones into place.  Neither of the keys we're switching to
   * is expired (we checked that above), so we should just crank everything
   * up.
   *
   * A complication arises: we don't really want to force a new key exchange
   * unless we have to.  If the group is unchanged, and we're currently
   * running OK, then we should just let things lie.
   */

newkeys:
  switchp = ((kx->f & KXF_DEAD) ||
	     kx->s != KXS_SWITCH ||
	     kpriv->grp->ops != kx->kpriv->grp->ops ||
	     !kpriv->grp->ops->samegrpp(kpriv->grp, kx->kpriv->grp));

  T( trace(T_KEYEXCH, "keyexch: peer `%s' adopting "
	   "%s priv `%s' and %s pub `%s'; %sforcing exchange", p_name(kx->p),
	   i & 1 ? "old" : "new", km_tag(kx->kpriv),
	   i & 2 ? "old" : "new", km_tag(kx->kpub),
	   switchp ? "" : "not "); )

  if (switchp) stop(kx);
  km_ref(kpriv); km_unref(kx->kpriv); kx->kpriv = kpriv;
  km_ref(kpub);  km_unref(kx->kpub);  kx->kpub  = kpub;
  kx->f |= KXF_PUBKEY;
  if (switchp) {
    T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'",
	     p_name(kx->p)); )
    start(kx, time(0));
    resend(kx);
  }
}

/* --- @kx_setup@ --- *
 *
 * Arguments:	@keyexch *kx@ = pointer to key exchange context
 *		@peer *p@ = pointer to peer context
 *		@keyset **ks@ = pointer to keyset list
 *		@unsigned f@ = various useful flags
 *
 * Returns:	Zero if OK, nonzero if it failed.
 *
 * Use:		Initializes a key exchange module.  The module currently
 *		contains no keys, and will attempt to initiate a key
 *		exchange.
 */

int kx_setup(keyexch *kx, peer *p, keyset **ks, unsigned f)
{
  if ((kx->kpriv = km_findpriv(p_privtag(p))) == 0) goto fail_0;
  if ((kx->kpub = km_findpub(p_tag(p))) == 0) goto fail_1;
  if (!km_samealgsp(kx->kpriv, kx->kpub)) {
    a_warn("KX", "?PEER", p, "group-mismatch",
	   "local-private-key", "%s", p_privtag(p),
	   "peer-public-key", "%s", p_tag(p),
	   A_END);
    goto fail_2;
  }

  kx->ks = ks;
  kx->p = p;
  kx->f = KXF_DEAD | KXF_PUBKEY | f;
  rs_reset(&kx->rs);
  if (!(kx->f & KXF_CORK)) {
    start(kx, time(0));
    resend(kx);
    /* Don't notify here: the ADD message hasn't gone out yet. */
  }
  return (0);

fail_2:
  km_unref(kx->kpub);
fail_1:
  km_unref(kx->kpriv);
fail_0:
  return (-1);
}

/* --- @kx_init@ --- *
 *
 * Arguments:	---
 *
 * Returns:	---
 *
 * Use:		Initializes the key-exchange logic.
 */

void kx_init(void)
  { ratelim_init(&unauth_limit, 20, 500); }

/*----- That's all, folks -------------------------------------------------*/