chiark / gitweb /
server/peer.c, server/keyset.c: Fix key renegotiation behaviour.
[tripe] / server / keyexch.c
CommitLineData
410c8acf 1/* -*-c-*-
2 *
410c8acf 3 * Key exchange protocol
4 *
5 * (c) 2001 Straylight/Edgeware
6 */
7
e04c2d50 8/*----- Licensing notice --------------------------------------------------*
410c8acf 9 *
10 * This file is part of Trivial IP Encryption (TrIPE).
11 *
12 * TrIPE is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
e04c2d50 16 *
410c8acf 17 * TrIPE is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
e04c2d50 21 *
410c8acf 22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 */
26
410c8acf 27/*----- Header files ------------------------------------------------------*/
28
29#include "tripe.h"
30
737cc271 31/*----- Brief protocol overview -------------------------------------------*
32 *
33 * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
34 * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
35 * application of the symmetric packet protocol to a message; let
36 * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
37 * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
38 * be Bob's public key.
39 *
40 * At the beginning of the session, Alice chooses
41 *
42 * %$\rho_A \inr \{0, \ldots q - 1\}$%
43 *
44 * We also have:
45 *
46 * %$r_A = g^{\rho_A}$% Alice's challenge
47 * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
9317aa92 48 * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
e04c2d50 49 * Alice's challenge check value
737cc271 50 * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
51 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
e04c2d50 52 * Alice and Bob's shared secret key
737cc271 53 * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
e04c2d50 54 * Alice's switch request value
737cc271 55 * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
e04c2d50 56 * Alice's switch confirm value
737cc271 57 *
58 * The messages are then:
59 *
60 * %$\cookie{kx-pre-challenge}, r_A$%
61 * Initial greeting. In state @KXS_CHAL@.
62 *
737cc271 63 * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
64 * Here's a full challenge for you to answer.
65 *
28461f0e 66 * %$\cookie{kx-reply}, r_A, c_B, v_A, E_K(r_B^\alpha))$%
737cc271 67 * Challenge accpeted: here's the answer. Commit to my challenge. Move
68 * to @KXS_COMMIT@.
69 *
3cdc3f3a 70 * %$\cookie{kx-switch-rq}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
737cc271 71 * Reply received: here's my reply. Committed; send data; move to
72 * @KXS_SWITCH@.
73 *
74 * %$\cookie{kx-switch-ok}, E_K(u_A))$%
75 * Switch received. Committed; send data; move to @KXS_SWITCH@.
e04c2d50 76 */
737cc271 77
410c8acf 78/*----- Tunable parameters ------------------------------------------------*/
79
56516aeb 80#define T_VALID SEC(20) /* Challenge validity period */
2de0ad0f 81#define T_RETRY SEC(10) /* Challenge retransmit interval */
410c8acf 82
3cdc3f3a 83#define VALIDP(kx, now) ((now) < (kx)->t_valid)
84
85/*----- Static tables -----------------------------------------------------*/
86
87static const char *const pkname[] = {
c3c51798 88 "pre-challenge", "challenge", "reply", "switch-rq", "switch-ok"
3cdc3f3a 89};
0617b6e7 90
91/*----- Various utilities -------------------------------------------------*/
410c8acf 92
52c03a2a 93/* --- @hashge@ --- *
410c8acf 94 *
b5c45da1 95 * Arguments: @ghash *h@ = pointer to hash context
52c03a2a 96 * @ge *x@ = pointer to group element
410c8acf 97 *
98 * Returns: ---
99 *
52c03a2a 100 * Use: Adds the hash of a group element to the context. Corrupts
101 * @buf_t@.
410c8acf 102 */
103
b5c45da1 104static void hashge(ghash *h, ge *x)
410c8acf 105{
106 buf b;
0617b6e7 107 buf_init(&b, buf_t, sizeof(buf_t));
52c03a2a 108 G_TOBUF(gg, &b, x);
410c8acf 109 assert(BOK(&b));
b5c45da1 110 GH_HASH(h, BBASE(&b), BLEN(&b));
410c8acf 111}
112
de7bd20b 113/* --- @mpmask@ --- *
5d418e24 114 *
de7bd20b
MW
115 * Arguments: @buf *b@ = output buffer
116 * @mp *x@ = the plaintext integer
117 * @size_t n@ = the expected size of the plaintext
5d418e24 118 * @const octet *k@ = pointer to key material
de7bd20b 119 * @size_t ksz@ = size of the key
5d418e24 120 *
de7bd20b 121 * Returns: Pointer to the output.
5d418e24 122 *
de7bd20b
MW
123 * Use: Masks a multiprecision integer: returns %$x \xor H(k)$%, so
124 * it's a random oracle thing rather than an encryption thing.
5d418e24 125 */
126
de7bd20b 127static octet *mpmask(buf *b, mp *x, size_t n, const octet *k, size_t ksz)
5d418e24 128{
b5c45da1 129 gcipher *mgf;
de7bd20b 130 octet *p;
5d418e24 131
de7bd20b
MW
132 if ((p = buf_get(b, n)) == 0)
133 return (0);
134 mgf = GC_INIT(algs.mgf, k, ksz);
135 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
136 trace(T_CRYPTO, "masking index = %s", mpstr(x));
137 trace_block(T_CRYPTO, "masking key", k, ksz);
138 }))
139 mp_storeb(x, buf_t, n);
140 GC_ENCRYPT(mgf, buf_t, p, n);
141 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
142 trace_block(T_CRYPTO, "index plaintext", buf_t, n);
143 trace_block(T_CRYPTO, "masked ciphertext", p, n);
144 }))
b5c45da1 145 GC_DESTROY(mgf);
de7bd20b 146 return (p);
b5c45da1 147}
148
de7bd20b
MW
149/* --- @mpunmask@ --- *
150 *
151 * Arguments: @mp *d@ = the output integer
152 * @const octet *p@ = pointer to the ciphertext
153 * @size_t n@ = the size of the ciphertext
154 * @const octet *k@ = pointer to key material
155 * @size_t ksz@ = size of the key
156 *
157 * Returns: The decrypted integer, or null.
158 *
159 * Use: Unmasks a multiprecision integer.
160 */
161
162static mp *mpunmask(mp *d, const octet *p, size_t n,
163 const octet *k, size_t ksz)
b5c45da1 164{
165 gcipher *mgf;
166
de7bd20b
MW
167 mgf = GC_INIT(algs.mgf, k, ksz);
168 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
169 trace_block(T_CRYPTO, "unmasking key", k, ksz);
170 trace_block(T_CRYPTO, "masked ciphertext", p, n);
171 }))
172 GC_DECRYPT(mgf, p, buf_t, n);
173 d = mp_loadb(d, buf_t, n);
174 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
175 trace_block(T_CRYPTO, "index plaintext", buf_t, n);
176 trace(T_CRYPTO, "unmasked index = %s", mpstr(d));
177 }))
b5c45da1 178 GC_DESTROY(mgf);
de7bd20b
MW
179 return (d);
180}
181
182/* --- @hashcheck@ --- *
183 *
184 * Arguments: @ge *kpub@ = sender's public key
185 * @ge *cc@ = receiver's challenge
186 * @ge *c@ = sender's challenge
187 * @ge *y@ = reply to sender's challenge
188 *
189 * Returns: Pointer to the hash value (in @buf_t@)
190 *
191 * Use: Computes the check-value hash, used to mask or unmask
192 * indices to prove the validity of challenges. This computes
193 * the masking key used in challenge check values. This is
194 * really the heart of the whole thing, since it ensures that
195 * the index can be recovered from the history of hashing
196 * queries, which gives us (a) a proof that the authentication
197 * process is zero-knowledge, and (b) a proof that the whole
198 * key-exchange is deniable.
199 */
200
201static const octet *hashcheck(ge *kpub, ge *cc, ge *c, ge *y)
202{
203 ghash *h = GH_INIT(algs.h);
204
205 HASH_STRING(h, "tripe-expected-reply");
206 hashge(h, kpub);
207 hashge(h, cc);
208 hashge(h, c);
209 hashge(h, y);
210 GH_DONE(h, buf_t);
211 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
212 trace(T_CRYPTO, "computing challenge check hash");
213 trace(T_CRYPTO, "public key = %s", gestr(gg, kpub));
214 trace(T_CRYPTO, "receiver challenge = %s", gestr(gg, cc));
215 trace(T_CRYPTO, "sender challenge = %s", gestr(gg, c));
216 trace(T_CRYPTO, "sender reply = %s", gestr(gg, y));
217 trace_block(T_CRYPTO, "hash output", buf_t, algs.hashsz);
218 }))
219 GH_DESTROY(h);
220 return (buf_t);
221}
222
223/* --- @sendchallenge@ --- *
224 *
225 * Arguments: @keyexch *kx@ = pointer to key exchange block
226 * @buf *b@ = output buffer for challenge
227 * @ge *c@ = peer's actual challenge
228 * @const octet *hc@ = peer's challenge cookie
229 *
230 * Returns: ---
231 *
232 * Use: Writes a full challenge to the message buffer.
233 */
234
235static void sendchallenge(keyexch *kx, buf *b, ge *c, const octet *hc)
236{
237 G_TOBUF(gg, b, kx->c);
238 buf_put(b, hc, algs.hashsz);
239 mpmask(b, kx->alpha, indexsz,
240 hashcheck(kpub, c, kx->c, kx->rx), algs.hashsz);
5d418e24 241}
242
410c8acf 243/* --- @timer@ --- *
244 *
245 * Arguments: @struct timeval *tv@ = the current time
246 * @void *v@ = pointer to key exchange context
247 *
248 * Returns: ---
249 *
250 * Use: Acts when the key exchange timer goes off.
251 */
252
253static void timer(struct timeval *tv, void *v)
254{
255 keyexch *kx = v;
256 kx->f &= ~KXF_TIMER;
257 T( trace(T_KEYEXCH, "keyexch: timer has popped"); )
de014da6 258 kx_start(kx, 0);
410c8acf 259}
260
261/* --- @settimer@ --- *
262 *
263 * Arguments: @keyexch *kx@ = pointer to key exchange context
264 * @time_t t@ = when to set the timer for
265 *
266 * Returns: ---
267 *
268 * Use: Sets the timer for the next key exchange attempt.
269 */
270
271static void settimer(keyexch *kx, time_t t)
272{
273 struct timeval tv;
274 if (kx->f & KXF_TIMER)
275 sel_rmtimer(&kx->t);
276 tv.tv_sec = t;
277 tv.tv_usec = 0;
278 sel_addtimer(&sel, &kx->t, &tv, timer, kx);
279 kx->f |= KXF_TIMER;
280}
281
0617b6e7 282/*----- Challenge management ----------------------------------------------*/
283
284/* --- Notes on challenge management --- *
410c8acf 285 *
0617b6e7 286 * We may get multiple different replies to our key exchange; some will be
287 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
288 * received will be added to the table and given a full response. After
289 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
290 * our existing challenge, followed by a hash of the sender's challenge. We
291 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
292 * properly-formed cookies are assigned a table slot: if none is spare, a
293 * used slot is randomly selected and destroyed. A cookie always receives a
294 * full reply.
295 */
296
297/* --- @kxc_destroy@ --- *
298 *
299 * Arguments: @kxchal *kxc@ = pointer to the challenge block
410c8acf 300 *
301 * Returns: ---
302 *
0617b6e7 303 * Use: Disposes of a challenge block.
410c8acf 304 */
305
0617b6e7 306static void kxc_destroy(kxchal *kxc)
410c8acf 307{
0617b6e7 308 if (kxc->f & KXF_TIMER)
309 sel_rmtimer(&kxc->t);
52c03a2a 310 G_DESTROY(gg, kxc->c);
de7bd20b 311 G_DESTROY(gg, kxc->r);
0617b6e7 312 ks_drop(kxc->ks);
313 DESTROY(kxc);
314}
410c8acf 315
0617b6e7 316/* --- @kxc_stoptimer@ --- *
317 *
318 * Arguments: @kxchal *kxc@ = pointer to the challenge block
319 *
320 * Returns: ---
321 *
322 * Use: Stops the challenge's retry timer from sending messages.
323 * Useful when the state machine is in the endgame of the
324 * exchange.
325 */
410c8acf 326
0617b6e7 327static void kxc_stoptimer(kxchal *kxc)
328{
329 if (kxc->f & KXF_TIMER)
330 sel_rmtimer(&kxc->t);
2de0ad0f 331 kxc->f &= ~KXF_TIMER;
0617b6e7 332}
410c8acf 333
0617b6e7 334/* --- @kxc_new@ --- *
335 *
336 * Arguments: @keyexch *kx@ = pointer to key exchange block
0617b6e7 337 *
338 * Returns: A pointer to the challenge block.
339 *
340 * Use: Returns a pointer to a new challenge block to fill in.
341 */
410c8acf 342
0617b6e7 343static kxchal *kxc_new(keyexch *kx)
344{
345 kxchal *kxc;
346 unsigned i;
347
348 /* --- If we're over reply threshold, discard one at random --- */
349
350 if (kx->nr < KX_NCHAL)
351 i = kx->nr++;
352 else {
353 i = rand_global.ops->range(&rand_global, KX_NCHAL);
354 kxc_destroy(kx->r[i]);
410c8acf 355 }
356
0617b6e7 357 /* --- Fill in the new structure --- */
410c8acf 358
0617b6e7 359 kxc = CREATE(kxchal);
52c03a2a 360 kxc->c = G_CREATE(gg);
de7bd20b 361 kxc->r = G_CREATE(gg);
0617b6e7 362 kxc->ks = 0;
363 kxc->kx = kx;
364 kxc->f = 0;
365 kx->r[i] = kxc;
366 return (kxc);
367}
410c8acf 368
0617b6e7 369/* --- @kxc_bychal@ --- *
370 *
371 * Arguments: @keyexch *kx@ = pointer to key exchange block
52c03a2a 372 * @ge *c@ = challenge from remote host
0617b6e7 373 *
374 * Returns: Pointer to the challenge block, or null.
375 *
376 * Use: Finds a challenge block, given its challenge.
377 */
378
52c03a2a 379static kxchal *kxc_bychal(keyexch *kx, ge *c)
0617b6e7 380{
381 unsigned i;
382
383 for (i = 0; i < kx->nr; i++) {
52c03a2a 384 if (G_EQ(gg, c, kx->r[i]->c))
0617b6e7 385 return (kx->r[i]);
386 }
387 return (0);
388}
389
390/* --- @kxc_byhc@ --- *
391 *
392 * Arguments: @keyexch *kx@ = pointer to key exchange block
393 * @const octet *hc@ = challenge hash from remote host
394 *
395 * Returns: Pointer to the challenge block, or null.
396 *
397 * Use: Finds a challenge block, given a hash of its challenge.
398 */
410c8acf 399
0617b6e7 400static kxchal *kxc_byhc(keyexch *kx, const octet *hc)
401{
402 unsigned i;
403
404 for (i = 0; i < kx->nr; i++) {
b5c45da1 405 if (memcmp(hc, kx->r[i]->hc, algs.hashsz) == 0)
0617b6e7 406 return (kx->r[i]);
410c8acf 407 }
0617b6e7 408 return (0);
409}
410
411/* --- @kxc_answer@ --- *
412 *
413 * Arguments: @keyexch *kx@ = pointer to key exchange block
414 * @kxchal *kxc@ = pointer to challenge block
415 *
416 * Returns: ---
417 *
418 * Use: Sends a reply to the remote host, according to the data in
419 * this challenge block.
420 */
421
422static void kxc_answer(keyexch *kx, kxchal *kxc);
423
424static void kxc_timer(struct timeval *tv, void *v)
425{
426 kxchal *kxc = v;
427 kxc->f &= ~KXF_TIMER;
428 kxc_answer(kxc->kx, kxc);
429}
430
431static void kxc_answer(keyexch *kx, kxchal *kxc)
432{
433 stats *st = p_stats(kx->p);
de7bd20b 434 buf *b = p_txstart(kx->p, MSG_KEYEXCH | KX_REPLY);
0617b6e7 435 struct timeval tv;
436 buf bb;
437
438 /* --- Build the reply packet --- */
439
de7bd20b
MW
440 T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
441 sendchallenge(kx, b, kxc->c, kxc->hc);
442 buf_init(&bb, buf_i, sizeof(buf_i));
443 G_TORAW(gg, &bb, kxc->r);
444 buf_flip(&bb);
445 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
0617b6e7 446
447 /* --- Update the statistics --- */
448
449 if (BOK(b)) {
450 st->n_kxout++;
451 st->sz_kxout += BLEN(b);
452 p_txend(kx->p);
453 }
454
455 /* --- Schedule another resend --- */
456
457 if (kxc->f & KXF_TIMER)
458 sel_rmtimer(&kxc->t);
459 gettimeofday(&tv, 0);
460 tv.tv_sec += T_RETRY;
461 sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc);
462 kxc->f |= KXF_TIMER;
463}
464
465/*----- Individual message handlers ---------------------------------------*/
466
de7bd20b 467/* --- @doprechallenge@ --- *
0617b6e7 468 *
de7bd20b
MW
469 * Arguments: @keyexch *kx@ = pointer to key exchange block
470 * @buf *b@ = buffer containing the packet
0617b6e7 471 *
de7bd20b 472 * Returns: Zero if OK, nonzero of the packet was rejected.
0617b6e7 473 *
de7bd20b 474 * Use: Processes a pre-challenge message.
0617b6e7 475 */
476
de7bd20b 477static int doprechallenge(keyexch *kx, buf *b)
0617b6e7 478{
de7bd20b
MW
479 stats *st = p_stats(kx->p);
480 ge *c = G_CREATE(gg);
b5c45da1 481 ghash *h;
0617b6e7 482
de7bd20b
MW
483 /* --- Ensure that we're in a sensible state --- */
484
485 if (kx->s != KXS_CHAL) {
486 a_warn("KX", "?PEER", kx->p, "unexpected", "pre-challenge", A_END);
487 goto bad;
488 }
489
490 /* --- Unpack the packet --- */
491
492 if (G_FROMBUF(gg, b, c) || BLEFT(b))
493 goto bad;
b5c45da1 494
0617b6e7 495 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
de7bd20b 496 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
0617b6e7 497 }))
de7bd20b
MW
498
499 /* --- Send out a full challenge by return --- */
500
501 b = p_txstart(kx->p, MSG_KEYEXCH | KX_CHAL);
502 h = GH_INIT(algs.h);
503 HASH_STRING(h, "tripe-cookie");
504 hashge(h, c);
505 sendchallenge(kx, b, c, GH_DONE(h, 0));
b5c45da1 506 GH_DESTROY(h);
de7bd20b
MW
507 st->n_kxout++;
508 st->sz_kxout += BLEN(b);
509 p_txend(kx->p);
510
511 /* --- Done --- */
512
513 G_DESTROY(gg, c);
514 return (0);
515
516bad:
517 if (c) G_DESTROY(gg, c);
518 return (-1);
0617b6e7 519}
520
de7bd20b 521/* --- @respond@ --- *
0617b6e7 522 *
523 * Arguments: @keyexch *kx@ = pointer to key exchange block
de7bd20b 524 * @unsigned msg@ = message code for this packet
0617b6e7 525 * @buf *b@ = buffer containing the packet
526 *
de7bd20b 527 * Returns: Key-exchange challenge block, or null.
0617b6e7 528 *
de7bd20b
MW
529 * Use: Computes a response for the given challenge, entering it into
530 * a challenge block and so on.
0617b6e7 531 */
532
de7bd20b 533static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
0617b6e7 534{
52c03a2a 535 ge *c = G_CREATE(gg);
de7bd20b
MW
536 ge *r = G_CREATE(gg);
537 ge *cc = G_CREATE(gg);
538 const octet *hc, *ck;
539 size_t x, y, z;
540 mp *cv = 0;
0617b6e7 541 kxchal *kxc;
de7bd20b
MW
542 ghash *h = 0;
543 buf bb;
544 int ok;
0617b6e7 545
546 /* --- Unpack the packet --- */
547
52c03a2a 548 if (G_FROMBUF(gg, b, c) ||
de7bd20b
MW
549 (hc = buf_get(b, algs.hashsz)) == 0 ||
550 (ck = buf_get(b, indexsz)) == 0) {
f43df819 551 a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
0617b6e7 552 goto bad;
553 }
0617b6e7 554 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
52c03a2a 555 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
de7bd20b
MW
556 trace_block(T_CRYPTO, "crypto: cookie", hc, algs.hashsz);
557 trace_block(T_CRYPTO, "crypto: check-value", ck, indexsz);
0617b6e7 558 }))
559
0617b6e7 560 /* --- Discard a packet with an invalid cookie --- */
561
b5c45da1 562 if (hc && memcmp(hc, kx->hc, algs.hashsz) != 0) {
5ac9463b 563 a_warn("KX", "?PEER", kx->p, "incorrect", "cookie", A_END);
0617b6e7 564 goto bad;
565 }
566
de7bd20b
MW
567 /* --- Recover the check value and verify it --- *
568 *
569 * To avoid recomputation on replays, we store a hash of the `right'
570 * value. The `correct' value is unique, so this is right.
410c8acf 571 *
de7bd20b 572 * This will also find a challenge block and, if necessary, populate it.
410c8acf 573 */
574
de7bd20b
MW
575 if ((kxc = kxc_bychal(kx, c)) != 0) {
576 h = GH_INIT(algs.h);
577 HASH_STRING(h, "tripe-check-hash");
578 GH_HASH(h, ck, indexsz);
579 ok = !memcmp(kxc->ck, GH_DONE(h, 0), algs.hashsz);
580 GH_DESTROY(h);
581 if (!ok) goto badcheck;
582 } else {
583
584 /* --- Compute the reply, and check the magic --- */
585
586 G_EXP(gg, r, c, kpriv);
587 cv = mpunmask(MP_NEW, ck, indexsz,
588 hashcheck(kx->kpub, kx->c, c, r), algs.hashsz);
589 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
590 trace(T_CRYPTO, "crypto: computed reply = %s", gestr(gg, r));
591 trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv));
592 }))
593 if (MP_CMP(cv, >, gg->r) ||
594 (G_EXP(gg, cc, gg->g, cv), !G_EQ(gg, c, cc)))
595 goto badcheck;
596
597 /* --- Fill in a new challenge block --- */
e04c2d50 598
de7bd20b 599 kxc = kxc_new(kx);
52c03a2a 600 G_COPY(gg, kxc->c, c);
de7bd20b 601 G_COPY(gg, kxc->r, r);
0617b6e7 602
de7bd20b
MW
603 h = GH_INIT(algs.h);
604 HASH_STRING(h, "tripe-check-hash");
605 GH_HASH(h, ck, indexsz);
5fb10b44 606 GH_DONE(h, kxc->ck);
de7bd20b 607 GH_DESTROY(h);
0617b6e7 608
b5c45da1 609 h = GH_INIT(algs.h);
610 HASH_STRING(h, "tripe-cookie");
611 hashge(h, kxc->c);
612 GH_DONE(h, kxc->hc);
613 GH_DESTROY(h);
614
615 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
616 trace_block(T_CRYPTO, "crypto: computed cookie", kxc->hc, algs.hashsz);
617 }))
0617b6e7 618
0617b6e7 619 /* --- Work out the shared key --- */
620
52c03a2a 621 G_EXP(gg, r, c, kx->alpha);
b5c45da1 622 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
623 trace(T_CRYPTO, "crypto: shared secret = %s", gestr(gg, r));
624 }))
0617b6e7 625
626 /* --- Compute the switch messages --- */
627
b5c45da1 628 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
629 hashge(h, kx->c); hashge(h, kxc->c);
630 GH_DONE(h, kxc->hswrq_out); GH_DESTROY(h);
631 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
632 hashge(h, kx->c); hashge(h, kxc->c);
633 GH_DONE(h, kxc->hswok_out); GH_DESTROY(h);
0617b6e7 634
b5c45da1 635 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
636 hashge(h, kxc->c); hashge(h, kx->c);
637 GH_DONE(h, kxc->hswrq_in); GH_DESTROY(h);
638 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
639 hashge(h, kxc->c); hashge(h, kx->c);
640 GH_DONE(h, kxc->hswok_in); GH_DESTROY(h);
0617b6e7 641
642 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
0617b6e7 643 trace_block(T_CRYPTO, "crypto: outbound switch request",
b5c45da1 644 kxc->hswrq_out, algs.hashsz);
0617b6e7 645 trace_block(T_CRYPTO, "crypto: outbound switch confirm",
b5c45da1 646 kxc->hswok_out, algs.hashsz);
0617b6e7 647 trace_block(T_CRYPTO, "crypto: inbound switch request",
b5c45da1 648 kxc->hswrq_in, algs.hashsz);
0617b6e7 649 trace_block(T_CRYPTO, "crypto: inbound switch confirm",
b5c45da1 650 kxc->hswok_in, algs.hashsz);
0617b6e7 651 }))
652
653 /* --- Create a new symmetric keyset --- */
654
de7bd20b
MW
655 buf_init(&bb, buf_o, sizeof(buf_o));
656 G_TOBUF(gg, &bb, kx->c); x = BLEN(&bb);
657 G_TOBUF(gg, &bb, kxc->c); y = BLEN(&bb);
658 G_TOBUF(gg, &bb, r); z = BLEN(&bb);
659 assert(BOK(&bb));
0617b6e7 660
de7bd20b 661 kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p);
410c8acf 662 }
663
de7bd20b
MW
664 G_DESTROY(gg, c);
665 G_DESTROY(gg, cc);
666 G_DESTROY(gg, r);
667 mp_drop(cv);
668 return (kxc);
410c8acf 669
de7bd20b
MW
670badcheck:
671 a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
672 goto bad;
673bad:
674 G_DESTROY(gg, c);
675 G_DESTROY(gg, cc);
676 G_DESTROY(gg, r);
677 mp_drop(cv);
e04c2d50 678 return (0);
de7bd20b 679}
0617b6e7 680
de7bd20b
MW
681/* --- @dochallenge@ --- *
682 *
683 * Arguments: @keyexch *kx@ = pointer to key exchange block
684 * @unsigned msg@ = message code for the packet
685 * @buf *b@ = buffer containing the packet
686 *
687 * Returns: Zero if OK, nonzero if the packet was rejected.
688 *
689 * Use: Processes a packet containing a challenge.
690 */
0617b6e7 691
de7bd20b
MW
692static int dochallenge(keyexch *kx, buf *b)
693{
694 kxchal *kxc;
0617b6e7 695
de7bd20b
MW
696 if (kx->s != KXS_CHAL) {
697 a_warn("KX", "?PEER", kx->p, "unexpected", "challenge", A_END);
698 goto bad;
699 }
700 if ((kxc = respond(kx, KX_CHAL, b)) == 0)
701 goto bad;
702 if (BLEFT(b)) {
703 a_warn("KX", "?PEER", kx->p, "invalid", "challenge", A_END);
704 goto bad;
705 }
706 kxc_answer(kx, kxc);
0617b6e7 707 return (0);
708
709bad:
0617b6e7 710 return (-1);
410c8acf 711}
712
0617b6e7 713/* --- @resend@ --- *
410c8acf 714 *
715 * Arguments: @keyexch *kx@ = pointer to key exchange context
410c8acf 716 *
717 * Returns: ---
718 *
0617b6e7 719 * Use: Sends the next message for a key exchange.
410c8acf 720 */
721
0617b6e7 722static void resend(keyexch *kx)
410c8acf 723{
0617b6e7 724 kxchal *kxc;
725 buf bb;
726 stats *st = p_stats(kx->p);
410c8acf 727 buf *b;
728
0617b6e7 729 switch (kx->s) {
730 case KXS_CHAL:
00e64b67 731 T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'",
732 p_name(kx->p)); )
0617b6e7 733 b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL);
52c03a2a 734 G_TOBUF(gg, b, kx->c);
0617b6e7 735 break;
736 case KXS_COMMIT:
00e64b67 737 T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'",
738 p_name(kx->p)); )
0617b6e7 739 kxc = kx->r[0];
740 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH);
b5c45da1 741 buf_put(b, kx->hc, algs.hashsz);
742 buf_put(b, kxc->hc, algs.hashsz);
0617b6e7 743 buf_init(&bb, buf_i, sizeof(buf_i));
de7bd20b 744 G_TORAW(gg, &bb, kxc->r);
b5c45da1 745 buf_put(&bb, kxc->hswrq_out, algs.hashsz);
0617b6e7 746 buf_flip(&bb);
7ed14135 747 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCH, &bb, b);
0617b6e7 748 break;
749 case KXS_SWITCH:
00e64b67 750 T( trace(T_KEYEXCH, "keyexch: sending switch confirmation to `%s'",
0617b6e7 751 p_name(kx->p)); )
752 kxc = kx->r[0];
753 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK);
754 buf_init(&bb, buf_i, sizeof(buf_i));
b5c45da1 755 buf_put(&bb, kxc->hswok_out, algs.hashsz);
0617b6e7 756 buf_flip(&bb);
7ed14135 757 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, &bb, b);
0617b6e7 758 break;
759 default:
760 abort();
410c8acf 761 }
0617b6e7 762
763 if (BOK(b)) {
764 st->n_kxout++;
765 st->sz_kxout += BLEN(b);
766 p_txend(kx->p);
767 }
768
769 if (kx->s < KXS_SWITCH)
770 settimer(kx, time(0) + T_RETRY);
410c8acf 771}
772
de7bd20b 773/* --- @decryptrest@ --- *
0617b6e7 774 *
775 * Arguments: @keyexch *kx@ = pointer to key exchange context
de7bd20b
MW
776 * @kxchal *kxc@ = pointer to challenge block
777 * @unsigned msg@ = type of incoming message
0617b6e7 778 * @buf *b@ = encrypted remainder of the packet
779 *
de7bd20b 780 * Returns: Zero if OK, nonzero on some kind of error.
0617b6e7 781 *
de7bd20b
MW
782 * Use: Decrypts the remainder of the packet, and points @b@ at the
783 * recovered plaintext.
0617b6e7 784 */
785
de7bd20b 786static int decryptrest(keyexch *kx, kxchal *kxc, unsigned msg, buf *b)
410c8acf 787{
0617b6e7 788 buf bb;
0617b6e7 789
de7bd20b
MW
790 buf_init(&bb, buf_o, sizeof(buf_o));
791 if (ks_decrypt(kxc->ks, MSG_KEYEXCH | msg, b, &bb)) {
792 a_warn("KX", "?PEER", kx->p, "decrypt-failed", "%s", pkname[msg], A_END);
793 return (-1);
0617b6e7 794 }
de7bd20b
MW
795 buf_init(b, BBASE(&bb), BLEN(&bb));
796 return (0);
797}
410c8acf 798
de7bd20b
MW
799/* --- @checkresponse@ --- *
800 *
801 * Arguments: @keyexch *kx@ = pointer to key exchange context
802 * @unsigned msg@ = type of incoming message
803 * @buf *b@ = decrypted remainder of the packet
804 *
805 * Returns: Zero if OK, nonzero on some kind of error.
806 *
807 * Use: Checks a reply or switch packet, ensuring that its response
808 * is correct.
809 */
0617b6e7 810
de7bd20b
MW
811static int checkresponse(keyexch *kx, unsigned msg, buf *b)
812{
813 ge *r = G_CREATE(gg);
0617b6e7 814
5251b2e9 815 if (G_FROMRAW(gg, b, r)) {
de7bd20b 816 a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
0617b6e7 817 goto bad;
818 }
819 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
52c03a2a 820 trace(T_CRYPTO, "crypto: reply = %s", gestr(gg, r));
0617b6e7 821 }))
52c03a2a 822 if (!G_EQ(gg, r, kx->rx)) {
de7bd20b 823 a_warn("KX", "?PEER", kx->p, "incorrect", "response", A_END);
0617b6e7 824 goto bad;
825 }
826
52c03a2a 827 G_DESTROY(gg, r);
de7bd20b 828 return (0);
0617b6e7 829
830bad:
de7bd20b
MW
831 G_DESTROY(gg, r);
832 return (-1);
410c8acf 833}
834
0617b6e7 835/* --- @commit@ --- *
410c8acf 836 *
837 * Arguments: @keyexch *kx@ = pointer to key exchange context
0617b6e7 838 * @kxchal *kxc@ = pointer to challenge to commit to
410c8acf 839 *
840 * Returns: ---
841 *
0617b6e7 842 * Use: Commits to a particular challenge as being the `right' one,
843 * since a reply has arrived for it.
410c8acf 844 */
845
0617b6e7 846static void commit(keyexch *kx, kxchal *kxc)
410c8acf 847{
0617b6e7 848 unsigned i;
410c8acf 849
0617b6e7 850 for (i = 0; i < kx->nr; i++) {
851 if (kx->r[i] != kxc)
852 kxc_destroy(kx->r[i]);
853 }
854 kx->r[0] = kxc;
855 kx->nr = 1;
856 kxc_stoptimer(kxc);
e04c2d50 857 ksl_link(kx->ks, kxc->ks);
410c8acf 858}
859
0617b6e7 860/* --- @doreply@ --- *
410c8acf 861 *
862 * Arguments: @keyexch *kx@ = pointer to key exchange context
0617b6e7 863 * @buf *b@ = buffer containing packet
410c8acf 864 *
0617b6e7 865 * Returns: Zero if OK, nonzero if the packet was rejected.
410c8acf 866 *
0617b6e7 867 * Use: Handles a reply packet. This doesn't handle the various
868 * switch packets: they're rather too different.
410c8acf 869 */
870
0617b6e7 871static int doreply(keyexch *kx, buf *b)
410c8acf 872{
0617b6e7 873 kxchal *kxc;
874
875 if (kx->s != KXS_CHAL && kx->s != KXS_COMMIT) {
f43df819 876 a_warn("KX", "?PEER", kx->p, "unexpected", "reply", A_END);
0617b6e7 877 goto bad;
878 }
de7bd20b
MW
879 if ((kxc = respond(kx, KX_REPLY, b)) == 0 ||
880 decryptrest(kx, kxc, KX_REPLY, b) ||
881 checkresponse(kx, KX_REPLY, b))
0617b6e7 882 goto bad;
883 if (BLEFT(b)) {
f43df819 884 a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
0617b6e7 885 goto bad;
e04c2d50 886 }
0617b6e7 887 if (kx->s == KXS_CHAL) {
888 commit(kx, kxc);
889 kx->s = KXS_COMMIT;
890 }
891 resend(kx);
892 return (0);
893
894bad:
895 return (-1);
410c8acf 896}
897
3cdc3f3a 898/* --- @kxfinish@ --- *
899 *
900 * Arguments: @keyexch *kx@ = pointer to key exchange block
901 *
902 * Returns: ---
903 *
904 * Use: Sets everything up following a successful key exchange.
905 */
906
907static void kxfinish(keyexch *kx)
908{
909 kxchal *kxc = kx->r[0];
910 ks_activate(kxc->ks);
911 settimer(kx, ks_tregen(kxc->ks));
912 kx->s = KXS_SWITCH;
f43df819 913 a_notify("KXDONE", "?PEER", kx->p, A_END);
3cdc3f3a 914 p_stats(kx->p)->t_kx = time(0);
915}
916
0617b6e7 917/* --- @doswitch@ --- *
410c8acf 918 *
0617b6e7 919 * Arguments: @keyexch *kx@ = pointer to key exchange block
920 * @buf *b@ = pointer to buffer containing packet
410c8acf 921 *
0617b6e7 922 * Returns: Zero if OK, nonzero if the packet was rejected.
410c8acf 923 *
0617b6e7 924 * Use: Handles a reply with a switch request bolted onto it.
410c8acf 925 */
926
0617b6e7 927static int doswitch(keyexch *kx, buf *b)
410c8acf 928{
0617b6e7 929 const octet *hc_in, *hc_out, *hswrq;
930 kxchal *kxc;
410c8acf 931
b5c45da1 932 if ((hc_in = buf_get(b, algs.hashsz)) == 0 ||
933 (hc_out = buf_get(b, algs.hashsz)) == 0) {
f43df819 934 a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
0617b6e7 935 goto bad;
410c8acf 936 }
de7bd20b
MW
937 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
938 trace_block(T_CRYPTO, "crypto: challenge", hc_in, algs.hashsz);
939 trace_block(T_CRYPTO, "crypto: cookie", hc_out, algs.hashsz);
940 }))
941 if ((kxc = kxc_byhc(kx, hc_in)) == 0 ||
942 memcmp(hc_out, kx->hc, algs.hashsz) != 0) {
943 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
944 goto bad;
945 }
946 if (decryptrest(kx, kxc, KX_SWITCH, b) ||
947 checkresponse(kx, KX_SWITCH, b))
0617b6e7 948 goto bad;
b5c45da1 949 if ((hswrq = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
5ac9463b 950 a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
0617b6e7 951 goto bad;
952 }
953 IF_TRACING(T_KEYEXCH, {
b5c45da1 954 trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, algs.hashsz);
0617b6e7 955 })
b5c45da1 956 if (memcmp(hswrq, kxc->hswrq_in, algs.hashsz) != 0) {
f43df819 957 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
0617b6e7 958 goto bad;
959 }
de7bd20b
MW
960 if (kx->s == KXS_CHAL)
961 commit(kx, kxc);
962 if (kx->s < KXS_SWITCH)
963 kxfinish(kx);
0617b6e7 964 resend(kx);
965 return (0);
966
967bad:
968 return (-1);
410c8acf 969}
970
0617b6e7 971/* --- @doswitchok@ --- *
972 *
973 * Arguments: @keyexch *kx@ = pointer to key exchange block
974 * @buf *b@ = pointer to buffer containing packet
975 *
976 * Returns: Zero if OK, nonzero if the packet was rejected.
977 *
978 * Use: Handles a reply with a switch request bolted onto it.
979 */
980
981static int doswitchok(keyexch *kx, buf *b)
410c8acf 982{
0617b6e7 983 const octet *hswok;
984 kxchal *kxc;
985 buf bb;
410c8acf 986
0617b6e7 987 if (kx->s < KXS_COMMIT) {
f43df819 988 a_warn("KX", "?PEER", kx->p, "unexpected", "switch-ok", A_END);
0617b6e7 989 goto bad;
410c8acf 990 }
0617b6e7 991 kxc = kx->r[0];
992 buf_init(&bb, buf_o, sizeof(buf_o));
de7bd20b 993 if (decryptrest(kx, kxc, KX_SWITCHOK, b))
0617b6e7 994 goto bad;
b5c45da1 995 if ((hswok = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
5ac9463b 996 a_warn("KX", "?PEER", kx->p, "invalid", "switch-ok", A_END);
0617b6e7 997 goto bad;
998 }
999 IF_TRACING(T_KEYEXCH, {
b5c45da1 1000 trace_block(T_CRYPTO, "crypto: switch confirmation hash",
1001 hswok, algs.hashsz);
0617b6e7 1002 })
b5c45da1 1003 if (memcmp(hswok, kxc->hswok_in, algs.hashsz) != 0) {
f43df819 1004 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-ok", A_END);
0617b6e7 1005 goto bad;
1006 }
3cdc3f3a 1007 if (kx->s < KXS_SWITCH)
1008 kxfinish(kx);
0617b6e7 1009 return (0);
1010
1011bad:
e04c2d50 1012 return (-1);
0617b6e7 1013}
1014
1015/*----- Main code ---------------------------------------------------------*/
1016
1017/* --- @stop@ --- *
1018 *
1019 * Arguments: @keyexch *kx@ = pointer to key exchange context
1020 *
1021 * Returns: ---
1022 *
1023 * Use: Stops a key exchange dead in its tracks. Throws away all of
1024 * the context information. The context is left in an
1025 * inconsistent state. The only functions which understand this
1026 * state are @kx_free@ and @kx_init@ (which cause it internally
1027 * it), and @start@ (which expects it to be the prevailing
1028 * state).
1029 */
1030
1031static void stop(keyexch *kx)
1032{
1033 unsigned i;
1034
00e64b67 1035 if (kx->f & KXF_DEAD)
1036 return;
1037
0617b6e7 1038 if (kx->f & KXF_TIMER)
1039 sel_rmtimer(&kx->t);
1040 for (i = 0; i < kx->nr; i++)
1041 kxc_destroy(kx->r[i]);
1042 mp_drop(kx->alpha);
52c03a2a 1043 G_DESTROY(gg, kx->c);
1044 G_DESTROY(gg, kx->rx);
00e64b67 1045 kx->t_valid = 0;
1046 kx->f |= KXF_DEAD;
1047 kx->f &= ~KXF_TIMER;
0617b6e7 1048}
1049
1050/* --- @start@ --- *
1051 *
1052 * Arguments: @keyexch *kx@ = pointer to key exchange context
1053 * @time_t now@ = the current time
1054 *
1055 * Returns: ---
1056 *
1057 * Use: Starts a new key exchange with the peer. The context must be
1058 * in the bizarre state left by @stop@ or @kx_init@.
1059 */
1060
1061static void start(keyexch *kx, time_t now)
1062{
b5c45da1 1063 ghash *h;
0617b6e7 1064
00e64b67 1065 assert(kx->f & KXF_DEAD);
1066
010e6f63 1067 kx->f &= ~(KXF_DEAD | KXF_CORK);
0617b6e7 1068 kx->nr = 0;
52c03a2a 1069 kx->alpha = mprand_range(MP_NEW, gg->r, &rand_global, 0);
1070 kx->c = G_CREATE(gg); G_EXP(gg, kx->c, gg->g, kx->alpha);
1071 kx->rx = G_CREATE(gg); G_EXP(gg, kx->rx, kx->kpub, kx->alpha);
0617b6e7 1072 kx->s = KXS_CHAL;
1073 kx->t_valid = now + T_VALID;
1074
b5c45da1 1075 h = GH_INIT(algs.h);
1076 HASH_STRING(h, "tripe-cookie");
1077 hashge(h, kx->c);
1078 GH_DONE(h, kx->hc);
1079 GH_DESTROY(h);
0617b6e7 1080
1081 IF_TRACING(T_KEYEXCH, {
1082 trace(T_KEYEXCH, "keyexch: creating new challenge");
1083 IF_TRACING(T_CRYPTO, {
1084 trace(T_CRYPTO, "crypto: secret = %s", mpstr(kx->alpha));
52c03a2a 1085 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, kx->c));
1086 trace(T_CRYPTO, "crypto: expected response = %s", gestr(gg, kx->rx));
b5c45da1 1087 trace_block(T_CRYPTO, "crypto: challenge cookie", kx->hc, algs.hashsz);
0617b6e7 1088 })
1089 })
410c8acf 1090}
1091
00e64b67 1092/* --- @checkpub@ --- *
1093 *
1094 * Arguments: @keyexch *kx@ = pointer to key exchange context
1095 *
1096 * Returns: Zero if OK, nonzero if the peer's public key has expired.
1097 *
1098 * Use: Deactivates the key-exchange until the peer acquires a new
1099 * public key.
1100 */
1101
1102static int checkpub(keyexch *kx)
1103{
1104 time_t now;
1105 if (kx->f & KXF_DEAD)
1106 return (-1);
1107 now = time(0);
1108 if (KEY_EXPIRED(now, kx->texp_kpub)) {
1109 stop(kx);
f43df819 1110 a_warn("KX", "?PEER", kx->p, "public-key-expired", A_END);
52c03a2a 1111 G_COPY(gg, kx->kpub, gg->i);
00e64b67 1112 kx->f &= ~KXF_PUBKEY;
1113 return (-1);
1114 }
1115 return (0);
1116}
1117
0617b6e7 1118/* --- @kx_start@ --- *
410c8acf 1119 *
1120 * Arguments: @keyexch *kx@ = pointer to key exchange context
de014da6 1121 * @int forcep@ = nonzero to ignore the quiet timer
410c8acf 1122 *
1123 * Returns: ---
1124 *
0617b6e7 1125 * Use: Stimulates a key exchange. If a key exchage is in progress,
1126 * a new challenge is sent (unless the quiet timer forbids
1127 * this); if no exchange is in progress, one is commenced.
410c8acf 1128 */
1129
de014da6 1130void kx_start(keyexch *kx, int forcep)
410c8acf 1131{
1132 time_t now = time(0);
410c8acf 1133
00e64b67 1134 if (checkpub(kx))
1135 return;
de014da6 1136 if (forcep || !VALIDP(kx, now)) {
0617b6e7 1137 stop(kx);
1138 start(kx, now);
f43df819 1139 a_notify("KXSTART", "?PEER", kx->p, A_END);
410c8acf 1140 }
0617b6e7 1141 resend(kx);
1142}
1143
1144/* --- @kx_message@ --- *
1145 *
1146 * Arguments: @keyexch *kx@ = pointer to key exchange context
1147 * @unsigned msg@ = the message code
1148 * @buf *b@ = pointer to buffer containing the packet
1149 *
1150 * Returns: ---
1151 *
1152 * Use: Reads a packet containing key exchange messages and handles
1153 * it.
1154 */
1155
1156void kx_message(keyexch *kx, unsigned msg, buf *b)
1157{
1158 time_t now = time(0);
1159 stats *st = p_stats(kx->p);
1160 size_t sz = BSZ(b);
1161 int rc;
1162
010e6f63
MW
1163 if (kx->f & KXF_CORK) {
1164 start(kx, now);
1165 settimer(kx, now + T_RETRY);
1166 a_notify("KXSTART", A_END);
1167 }
1168
00e64b67 1169 if (checkpub(kx))
1170 return;
1171
3cdc3f3a 1172 if (!VALIDP(kx, now)) {
0617b6e7 1173 stop(kx);
1174 start(kx, now);
410c8acf 1175 }
0617b6e7 1176 T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'",
1177 msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); )
1178
1179 switch (msg) {
1180 case KX_PRECHAL:
de7bd20b
MW
1181 rc = doprechallenge(kx, b);
1182 break;
0617b6e7 1183 case KX_CHAL:
de7bd20b 1184 rc = dochallenge(kx, b);
0617b6e7 1185 break;
1186 case KX_REPLY:
1187 rc = doreply(kx, b);
1188 break;
1189 case KX_SWITCH:
1190 rc = doswitch(kx, b);
1191 break;
1192 case KX_SWITCHOK:
1193 rc = doswitchok(kx, b);
1194 break;
1195 default:
f43df819 1196 a_warn("KX", "?PEER", kx->p, "unknown-message", "0x%02x", msg, A_END);
0617b6e7 1197 rc = -1;
1198 break;
410c8acf 1199 }
410c8acf 1200
0617b6e7 1201 if (rc)
1202 st->n_reject++;
1203 else {
1204 st->n_kxin++;
1205 st->sz_kxin += sz;
1206 }
410c8acf 1207}
1208
1209/* --- @kx_free@ --- *
1210 *
1211 * Arguments: @keyexch *kx@ = pointer to key exchange context
1212 *
1213 * Returns: ---
1214 *
1215 * Use: Frees everything in a key exchange context.
1216 */
1217
1218void kx_free(keyexch *kx)
1219{
0617b6e7 1220 stop(kx);
52c03a2a 1221 G_DESTROY(gg, kx->kpub);
410c8acf 1222}
1223
1224/* --- @kx_newkeys@ --- *
1225 *
1226 * Arguments: @keyexch *kx@ = pointer to key exchange context
1227 *
1228 * Returns: ---
1229 *
1230 * Use: Informs the key exchange module that its keys may have
1231 * changed. If fetching the new keys fails, the peer will be
1232 * destroyed, we log messages and struggle along with the old
1233 * keys.
1234 */
1235
1236void kx_newkeys(keyexch *kx)
1237{
52c03a2a 1238 if (km_getpubkey(p_name(kx->p), kx->kpub, &kx->texp_kpub))
410c8acf 1239 return;
00e64b67 1240 kx->f |= KXF_PUBKEY;
1241 if ((kx->f & KXF_DEAD) || kx->s != KXS_SWITCH) {
410c8acf 1242 T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'",
1243 p_name(kx->p)); )
00e64b67 1244 stop(kx);
1245 start(kx, time(0));
1246 resend(kx);
410c8acf 1247 }
1248}
1249
1250/* --- @kx_init@ --- *
1251 *
1252 * Arguments: @keyexch *kx@ = pointer to key exchange context
1253 * @peer *p@ = pointer to peer context
1254 * @keyset **ks@ = pointer to keyset list
010e6f63 1255 * @unsigned f@ = various useful flags
410c8acf 1256 *
1257 * Returns: Zero if OK, nonzero if it failed.
1258 *
1259 * Use: Initializes a key exchange module. The module currently
1260 * contains no keys, and will attempt to initiate a key
1261 * exchange.
1262 */
1263
010e6f63 1264int kx_init(keyexch *kx, peer *p, keyset **ks, unsigned f)
410c8acf 1265{
1266 kx->ks = ks;
1267 kx->p = p;
52c03a2a 1268 kx->kpub = G_CREATE(gg);
1269 if (km_getpubkey(p_name(p), kx->kpub, &kx->texp_kpub)) {
1270 G_DESTROY(gg, kx->kpub);
410c8acf 1271 return (-1);
52c03a2a 1272 }
010e6f63
MW
1273 kx->f = KXF_DEAD | KXF_PUBKEY | f;
1274 if (!(kx->f & KXF_CORK)) {
1275 start(kx, time(0));
1276 resend(kx);
1277 /* Don't notify here: the ADD message hasn't gone out yet. */
1278 }
410c8acf 1279 return (0);
1280}
1281
1282/*----- That's all, folks -------------------------------------------------*/