chiark / gitweb /
server/{keyexch.c,keyset.c}: Move timing parameters to tripe.h.
[tripe] / server / keyexch.c
CommitLineData
410c8acf 1/* -*-c-*-
2 *
410c8acf 3 * Key exchange protocol
4 *
5 * (c) 2001 Straylight/Edgeware
6 */
7
e04c2d50 8/*----- Licensing notice --------------------------------------------------*
410c8acf 9 *
10 * This file is part of Trivial IP Encryption (TrIPE).
11 *
12 * TrIPE is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
e04c2d50 16 *
410c8acf 17 * TrIPE is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
e04c2d50 21 *
410c8acf 22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 */
26
410c8acf 27/*----- Header files ------------------------------------------------------*/
28
29#include "tripe.h"
30
737cc271 31/*----- Brief protocol overview -------------------------------------------*
32 *
33 * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
34 * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
35 * application of the symmetric packet protocol to a message; let
36 * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
37 * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
38 * be Bob's public key.
39 *
40 * At the beginning of the session, Alice chooses
41 *
42 * %$\rho_A \inr \{0, \ldots q - 1\}$%
43 *
44 * We also have:
45 *
46 * %$r_A = g^{\rho_A}$% Alice's challenge
47 * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
9317aa92 48 * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
e04c2d50 49 * Alice's challenge check value
737cc271 50 * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
51 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
e04c2d50 52 * Alice and Bob's shared secret key
737cc271 53 * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
e04c2d50 54 * Alice's switch request value
737cc271 55 * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
e04c2d50 56 * Alice's switch confirm value
737cc271 57 *
58 * The messages are then:
59 *
60 * %$\cookie{kx-pre-challenge}, r_A$%
61 * Initial greeting. In state @KXS_CHAL@.
62 *
737cc271 63 * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
64 * Here's a full challenge for you to answer.
65 *
28461f0e 66 * %$\cookie{kx-reply}, r_A, c_B, v_A, E_K(r_B^\alpha))$%
737cc271 67 * Challenge accpeted: here's the answer. Commit to my challenge. Move
68 * to @KXS_COMMIT@.
69 *
3cdc3f3a 70 * %$\cookie{kx-switch-rq}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
737cc271 71 * Reply received: here's my reply. Committed; send data; move to
72 * @KXS_SWITCH@.
73 *
74 * %$\cookie{kx-switch-ok}, E_K(u_A))$%
75 * Switch received. Committed; send data; move to @KXS_SWITCH@.
e04c2d50 76 */
737cc271 77
3cdc3f3a 78/*----- Static tables -----------------------------------------------------*/
79
80static const char *const pkname[] = {
c3c51798 81 "pre-challenge", "challenge", "reply", "switch-rq", "switch-ok"
3cdc3f3a 82};
0617b6e7 83
84/*----- Various utilities -------------------------------------------------*/
410c8acf 85
e9fac70c
MW
86/* --- @VALIDP@ --- *
87 *
88 * Arguments: @const keyexch *kx@ = key exchange state
89 * @time_t now@ = current time in seconds
90 *
91 * Returns: Whether the challenge in the key-exchange state is still
92 * valid or should be regenerated.
93 */
94
95#define VALIDP(kx, now) ((now) < (kx)->t_valid)
96
52c03a2a 97/* --- @hashge@ --- *
410c8acf 98 *
b5c45da1 99 * Arguments: @ghash *h@ = pointer to hash context
52c03a2a 100 * @ge *x@ = pointer to group element
410c8acf 101 *
102 * Returns: ---
103 *
52c03a2a 104 * Use: Adds the hash of a group element to the context. Corrupts
105 * @buf_t@.
410c8acf 106 */
107
b5c45da1 108static void hashge(ghash *h, ge *x)
410c8acf 109{
110 buf b;
0617b6e7 111 buf_init(&b, buf_t, sizeof(buf_t));
52c03a2a 112 G_TOBUF(gg, &b, x);
410c8acf 113 assert(BOK(&b));
b5c45da1 114 GH_HASH(h, BBASE(&b), BLEN(&b));
410c8acf 115}
116
de7bd20b 117/* --- @mpmask@ --- *
5d418e24 118 *
de7bd20b
MW
119 * Arguments: @buf *b@ = output buffer
120 * @mp *x@ = the plaintext integer
121 * @size_t n@ = the expected size of the plaintext
5d418e24 122 * @const octet *k@ = pointer to key material
de7bd20b 123 * @size_t ksz@ = size of the key
5d418e24 124 *
de7bd20b 125 * Returns: Pointer to the output.
5d418e24 126 *
de7bd20b
MW
127 * Use: Masks a multiprecision integer: returns %$x \xor H(k)$%, so
128 * it's a random oracle thing rather than an encryption thing.
5d418e24 129 */
130
de7bd20b 131static octet *mpmask(buf *b, mp *x, size_t n, const octet *k, size_t ksz)
5d418e24 132{
b5c45da1 133 gcipher *mgf;
de7bd20b 134 octet *p;
5d418e24 135
de7bd20b
MW
136 if ((p = buf_get(b, n)) == 0)
137 return (0);
138 mgf = GC_INIT(algs.mgf, k, ksz);
139 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
140 trace(T_CRYPTO, "masking index = %s", mpstr(x));
141 trace_block(T_CRYPTO, "masking key", k, ksz);
142 }))
143 mp_storeb(x, buf_t, n);
144 GC_ENCRYPT(mgf, buf_t, p, n);
145 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
146 trace_block(T_CRYPTO, "index plaintext", buf_t, n);
147 trace_block(T_CRYPTO, "masked ciphertext", p, n);
148 }))
b5c45da1 149 GC_DESTROY(mgf);
de7bd20b 150 return (p);
b5c45da1 151}
152
de7bd20b
MW
153/* --- @mpunmask@ --- *
154 *
155 * Arguments: @mp *d@ = the output integer
156 * @const octet *p@ = pointer to the ciphertext
157 * @size_t n@ = the size of the ciphertext
158 * @const octet *k@ = pointer to key material
159 * @size_t ksz@ = size of the key
160 *
161 * Returns: The decrypted integer, or null.
162 *
163 * Use: Unmasks a multiprecision integer.
164 */
165
166static mp *mpunmask(mp *d, const octet *p, size_t n,
167 const octet *k, size_t ksz)
b5c45da1 168{
169 gcipher *mgf;
170
de7bd20b
MW
171 mgf = GC_INIT(algs.mgf, k, ksz);
172 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
173 trace_block(T_CRYPTO, "unmasking key", k, ksz);
174 trace_block(T_CRYPTO, "masked ciphertext", p, n);
175 }))
176 GC_DECRYPT(mgf, p, buf_t, n);
177 d = mp_loadb(d, buf_t, n);
178 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
179 trace_block(T_CRYPTO, "index plaintext", buf_t, n);
180 trace(T_CRYPTO, "unmasked index = %s", mpstr(d));
181 }))
b5c45da1 182 GC_DESTROY(mgf);
de7bd20b
MW
183 return (d);
184}
185
186/* --- @hashcheck@ --- *
187 *
188 * Arguments: @ge *kpub@ = sender's public key
189 * @ge *cc@ = receiver's challenge
190 * @ge *c@ = sender's challenge
191 * @ge *y@ = reply to sender's challenge
192 *
193 * Returns: Pointer to the hash value (in @buf_t@)
194 *
195 * Use: Computes the check-value hash, used to mask or unmask
196 * indices to prove the validity of challenges. This computes
197 * the masking key used in challenge check values. This is
198 * really the heart of the whole thing, since it ensures that
199 * the index can be recovered from the history of hashing
200 * queries, which gives us (a) a proof that the authentication
201 * process is zero-knowledge, and (b) a proof that the whole
202 * key-exchange is deniable.
203 */
204
205static const octet *hashcheck(ge *kpub, ge *cc, ge *c, ge *y)
206{
207 ghash *h = GH_INIT(algs.h);
208
209 HASH_STRING(h, "tripe-expected-reply");
210 hashge(h, kpub);
211 hashge(h, cc);
212 hashge(h, c);
213 hashge(h, y);
214 GH_DONE(h, buf_t);
215 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
216 trace(T_CRYPTO, "computing challenge check hash");
217 trace(T_CRYPTO, "public key = %s", gestr(gg, kpub));
218 trace(T_CRYPTO, "receiver challenge = %s", gestr(gg, cc));
219 trace(T_CRYPTO, "sender challenge = %s", gestr(gg, c));
220 trace(T_CRYPTO, "sender reply = %s", gestr(gg, y));
221 trace_block(T_CRYPTO, "hash output", buf_t, algs.hashsz);
222 }))
223 GH_DESTROY(h);
224 return (buf_t);
225}
226
227/* --- @sendchallenge@ --- *
228 *
229 * Arguments: @keyexch *kx@ = pointer to key exchange block
230 * @buf *b@ = output buffer for challenge
231 * @ge *c@ = peer's actual challenge
232 * @const octet *hc@ = peer's challenge cookie
233 *
234 * Returns: ---
235 *
236 * Use: Writes a full challenge to the message buffer.
237 */
238
239static void sendchallenge(keyexch *kx, buf *b, ge *c, const octet *hc)
240{
241 G_TOBUF(gg, b, kx->c);
242 buf_put(b, hc, algs.hashsz);
243 mpmask(b, kx->alpha, indexsz,
244 hashcheck(kpub, c, kx->c, kx->rx), algs.hashsz);
5d418e24 245}
246
410c8acf 247/* --- @timer@ --- *
248 *
249 * Arguments: @struct timeval *tv@ = the current time
250 * @void *v@ = pointer to key exchange context
251 *
252 * Returns: ---
253 *
254 * Use: Acts when the key exchange timer goes off.
255 */
256
257static void timer(struct timeval *tv, void *v)
258{
259 keyexch *kx = v;
260 kx->f &= ~KXF_TIMER;
261 T( trace(T_KEYEXCH, "keyexch: timer has popped"); )
de014da6 262 kx_start(kx, 0);
410c8acf 263}
264
265/* --- @settimer@ --- *
266 *
267 * Arguments: @keyexch *kx@ = pointer to key exchange context
268 * @time_t t@ = when to set the timer for
269 *
270 * Returns: ---
271 *
272 * Use: Sets the timer for the next key exchange attempt.
273 */
274
275static void settimer(keyexch *kx, time_t t)
276{
277 struct timeval tv;
278 if (kx->f & KXF_TIMER)
279 sel_rmtimer(&kx->t);
280 tv.tv_sec = t;
281 tv.tv_usec = 0;
282 sel_addtimer(&sel, &kx->t, &tv, timer, kx);
283 kx->f |= KXF_TIMER;
284}
285
0617b6e7 286/*----- Challenge management ----------------------------------------------*/
287
288/* --- Notes on challenge management --- *
410c8acf 289 *
0617b6e7 290 * We may get multiple different replies to our key exchange; some will be
291 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
292 * received will be added to the table and given a full response. After
293 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
294 * our existing challenge, followed by a hash of the sender's challenge. We
295 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
296 * properly-formed cookies are assigned a table slot: if none is spare, a
297 * used slot is randomly selected and destroyed. A cookie always receives a
298 * full reply.
299 */
300
301/* --- @kxc_destroy@ --- *
302 *
303 * Arguments: @kxchal *kxc@ = pointer to the challenge block
410c8acf 304 *
305 * Returns: ---
306 *
0617b6e7 307 * Use: Disposes of a challenge block.
410c8acf 308 */
309
0617b6e7 310static void kxc_destroy(kxchal *kxc)
410c8acf 311{
0617b6e7 312 if (kxc->f & KXF_TIMER)
313 sel_rmtimer(&kxc->t);
52c03a2a 314 G_DESTROY(gg, kxc->c);
de7bd20b 315 G_DESTROY(gg, kxc->r);
0617b6e7 316 ks_drop(kxc->ks);
317 DESTROY(kxc);
318}
410c8acf 319
0617b6e7 320/* --- @kxc_stoptimer@ --- *
321 *
322 * Arguments: @kxchal *kxc@ = pointer to the challenge block
323 *
324 * Returns: ---
325 *
326 * Use: Stops the challenge's retry timer from sending messages.
327 * Useful when the state machine is in the endgame of the
328 * exchange.
329 */
410c8acf 330
0617b6e7 331static void kxc_stoptimer(kxchal *kxc)
332{
333 if (kxc->f & KXF_TIMER)
334 sel_rmtimer(&kxc->t);
2de0ad0f 335 kxc->f &= ~KXF_TIMER;
0617b6e7 336}
410c8acf 337
0617b6e7 338/* --- @kxc_new@ --- *
339 *
340 * Arguments: @keyexch *kx@ = pointer to key exchange block
0617b6e7 341 *
342 * Returns: A pointer to the challenge block.
343 *
344 * Use: Returns a pointer to a new challenge block to fill in.
345 */
410c8acf 346
0617b6e7 347static kxchal *kxc_new(keyexch *kx)
348{
349 kxchal *kxc;
350 unsigned i;
351
352 /* --- If we're over reply threshold, discard one at random --- */
353
354 if (kx->nr < KX_NCHAL)
355 i = kx->nr++;
356 else {
357 i = rand_global.ops->range(&rand_global, KX_NCHAL);
358 kxc_destroy(kx->r[i]);
410c8acf 359 }
360
0617b6e7 361 /* --- Fill in the new structure --- */
410c8acf 362
0617b6e7 363 kxc = CREATE(kxchal);
52c03a2a 364 kxc->c = G_CREATE(gg);
de7bd20b 365 kxc->r = G_CREATE(gg);
0617b6e7 366 kxc->ks = 0;
367 kxc->kx = kx;
368 kxc->f = 0;
369 kx->r[i] = kxc;
370 return (kxc);
371}
410c8acf 372
0617b6e7 373/* --- @kxc_bychal@ --- *
374 *
375 * Arguments: @keyexch *kx@ = pointer to key exchange block
52c03a2a 376 * @ge *c@ = challenge from remote host
0617b6e7 377 *
378 * Returns: Pointer to the challenge block, or null.
379 *
380 * Use: Finds a challenge block, given its challenge.
381 */
382
52c03a2a 383static kxchal *kxc_bychal(keyexch *kx, ge *c)
0617b6e7 384{
385 unsigned i;
386
387 for (i = 0; i < kx->nr; i++) {
52c03a2a 388 if (G_EQ(gg, c, kx->r[i]->c))
0617b6e7 389 return (kx->r[i]);
390 }
391 return (0);
392}
393
394/* --- @kxc_byhc@ --- *
395 *
396 * Arguments: @keyexch *kx@ = pointer to key exchange block
397 * @const octet *hc@ = challenge hash from remote host
398 *
399 * Returns: Pointer to the challenge block, or null.
400 *
401 * Use: Finds a challenge block, given a hash of its challenge.
402 */
410c8acf 403
0617b6e7 404static kxchal *kxc_byhc(keyexch *kx, const octet *hc)
405{
406 unsigned i;
407
408 for (i = 0; i < kx->nr; i++) {
b5c45da1 409 if (memcmp(hc, kx->r[i]->hc, algs.hashsz) == 0)
0617b6e7 410 return (kx->r[i]);
410c8acf 411 }
0617b6e7 412 return (0);
413}
414
415/* --- @kxc_answer@ --- *
416 *
417 * Arguments: @keyexch *kx@ = pointer to key exchange block
418 * @kxchal *kxc@ = pointer to challenge block
419 *
420 * Returns: ---
421 *
422 * Use: Sends a reply to the remote host, according to the data in
423 * this challenge block.
424 */
425
426static void kxc_answer(keyexch *kx, kxchal *kxc);
427
428static void kxc_timer(struct timeval *tv, void *v)
429{
430 kxchal *kxc = v;
431 kxc->f &= ~KXF_TIMER;
432 kxc_answer(kxc->kx, kxc);
433}
434
435static void kxc_answer(keyexch *kx, kxchal *kxc)
436{
437 stats *st = p_stats(kx->p);
de7bd20b 438 buf *b = p_txstart(kx->p, MSG_KEYEXCH | KX_REPLY);
0617b6e7 439 struct timeval tv;
440 buf bb;
441
442 /* --- Build the reply packet --- */
443
de7bd20b
MW
444 T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
445 sendchallenge(kx, b, kxc->c, kxc->hc);
446 buf_init(&bb, buf_i, sizeof(buf_i));
447 G_TORAW(gg, &bb, kxc->r);
448 buf_flip(&bb);
449 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
0617b6e7 450
451 /* --- Update the statistics --- */
452
453 if (BOK(b)) {
454 st->n_kxout++;
455 st->sz_kxout += BLEN(b);
456 p_txend(kx->p);
457 }
458
459 /* --- Schedule another resend --- */
460
461 if (kxc->f & KXF_TIMER)
462 sel_rmtimer(&kxc->t);
463 gettimeofday(&tv, 0);
464 tv.tv_sec += T_RETRY;
465 sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc);
466 kxc->f |= KXF_TIMER;
467}
468
469/*----- Individual message handlers ---------------------------------------*/
470
de7bd20b 471/* --- @doprechallenge@ --- *
0617b6e7 472 *
de7bd20b
MW
473 * Arguments: @keyexch *kx@ = pointer to key exchange block
474 * @buf *b@ = buffer containing the packet
0617b6e7 475 *
de7bd20b 476 * Returns: Zero if OK, nonzero of the packet was rejected.
0617b6e7 477 *
de7bd20b 478 * Use: Processes a pre-challenge message.
0617b6e7 479 */
480
de7bd20b 481static int doprechallenge(keyexch *kx, buf *b)
0617b6e7 482{
de7bd20b
MW
483 stats *st = p_stats(kx->p);
484 ge *c = G_CREATE(gg);
b5c45da1 485 ghash *h;
0617b6e7 486
de7bd20b
MW
487 /* --- Ensure that we're in a sensible state --- */
488
489 if (kx->s != KXS_CHAL) {
490 a_warn("KX", "?PEER", kx->p, "unexpected", "pre-challenge", A_END);
491 goto bad;
492 }
493
494 /* --- Unpack the packet --- */
495
496 if (G_FROMBUF(gg, b, c) || BLEFT(b))
497 goto bad;
b5c45da1 498
0617b6e7 499 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
de7bd20b 500 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
0617b6e7 501 }))
de7bd20b
MW
502
503 /* --- Send out a full challenge by return --- */
504
505 b = p_txstart(kx->p, MSG_KEYEXCH | KX_CHAL);
506 h = GH_INIT(algs.h);
507 HASH_STRING(h, "tripe-cookie");
508 hashge(h, c);
509 sendchallenge(kx, b, c, GH_DONE(h, 0));
b5c45da1 510 GH_DESTROY(h);
de7bd20b
MW
511 st->n_kxout++;
512 st->sz_kxout += BLEN(b);
513 p_txend(kx->p);
514
515 /* --- Done --- */
516
517 G_DESTROY(gg, c);
518 return (0);
519
520bad:
521 if (c) G_DESTROY(gg, c);
522 return (-1);
0617b6e7 523}
524
de7bd20b 525/* --- @respond@ --- *
0617b6e7 526 *
527 * Arguments: @keyexch *kx@ = pointer to key exchange block
de7bd20b 528 * @unsigned msg@ = message code for this packet
0617b6e7 529 * @buf *b@ = buffer containing the packet
530 *
de7bd20b 531 * Returns: Key-exchange challenge block, or null.
0617b6e7 532 *
de7bd20b
MW
533 * Use: Computes a response for the given challenge, entering it into
534 * a challenge block and so on.
0617b6e7 535 */
536
de7bd20b 537static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
0617b6e7 538{
52c03a2a 539 ge *c = G_CREATE(gg);
de7bd20b
MW
540 ge *r = G_CREATE(gg);
541 ge *cc = G_CREATE(gg);
542 const octet *hc, *ck;
543 size_t x, y, z;
544 mp *cv = 0;
0617b6e7 545 kxchal *kxc;
de7bd20b
MW
546 ghash *h = 0;
547 buf bb;
548 int ok;
0617b6e7 549
550 /* --- Unpack the packet --- */
551
52c03a2a 552 if (G_FROMBUF(gg, b, c) ||
de7bd20b
MW
553 (hc = buf_get(b, algs.hashsz)) == 0 ||
554 (ck = buf_get(b, indexsz)) == 0) {
f43df819 555 a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
0617b6e7 556 goto bad;
557 }
0617b6e7 558 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
52c03a2a 559 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
de7bd20b
MW
560 trace_block(T_CRYPTO, "crypto: cookie", hc, algs.hashsz);
561 trace_block(T_CRYPTO, "crypto: check-value", ck, indexsz);
0617b6e7 562 }))
563
0617b6e7 564 /* --- Discard a packet with an invalid cookie --- */
565
b5c45da1 566 if (hc && memcmp(hc, kx->hc, algs.hashsz) != 0) {
5ac9463b 567 a_warn("KX", "?PEER", kx->p, "incorrect", "cookie", A_END);
0617b6e7 568 goto bad;
569 }
570
de7bd20b
MW
571 /* --- Recover the check value and verify it --- *
572 *
573 * To avoid recomputation on replays, we store a hash of the `right'
574 * value. The `correct' value is unique, so this is right.
410c8acf 575 *
de7bd20b 576 * This will also find a challenge block and, if necessary, populate it.
410c8acf 577 */
578
de7bd20b
MW
579 if ((kxc = kxc_bychal(kx, c)) != 0) {
580 h = GH_INIT(algs.h);
581 HASH_STRING(h, "tripe-check-hash");
582 GH_HASH(h, ck, indexsz);
583 ok = !memcmp(kxc->ck, GH_DONE(h, 0), algs.hashsz);
584 GH_DESTROY(h);
585 if (!ok) goto badcheck;
586 } else {
587
588 /* --- Compute the reply, and check the magic --- */
589
590 G_EXP(gg, r, c, kpriv);
591 cv = mpunmask(MP_NEW, ck, indexsz,
592 hashcheck(kx->kpub, kx->c, c, r), algs.hashsz);
593 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
594 trace(T_CRYPTO, "crypto: computed reply = %s", gestr(gg, r));
595 trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv));
596 }))
597 if (MP_CMP(cv, >, gg->r) ||
598 (G_EXP(gg, cc, gg->g, cv), !G_EQ(gg, c, cc)))
599 goto badcheck;
600
601 /* --- Fill in a new challenge block --- */
e04c2d50 602
de7bd20b 603 kxc = kxc_new(kx);
52c03a2a 604 G_COPY(gg, kxc->c, c);
de7bd20b 605 G_COPY(gg, kxc->r, r);
0617b6e7 606
de7bd20b
MW
607 h = GH_INIT(algs.h);
608 HASH_STRING(h, "tripe-check-hash");
609 GH_HASH(h, ck, indexsz);
5fb10b44 610 GH_DONE(h, kxc->ck);
de7bd20b 611 GH_DESTROY(h);
0617b6e7 612
b5c45da1 613 h = GH_INIT(algs.h);
614 HASH_STRING(h, "tripe-cookie");
615 hashge(h, kxc->c);
616 GH_DONE(h, kxc->hc);
617 GH_DESTROY(h);
618
619 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
620 trace_block(T_CRYPTO, "crypto: computed cookie", kxc->hc, algs.hashsz);
621 }))
0617b6e7 622
0617b6e7 623 /* --- Work out the shared key --- */
624
52c03a2a 625 G_EXP(gg, r, c, kx->alpha);
b5c45da1 626 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
627 trace(T_CRYPTO, "crypto: shared secret = %s", gestr(gg, r));
628 }))
0617b6e7 629
630 /* --- Compute the switch messages --- */
631
b5c45da1 632 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
633 hashge(h, kx->c); hashge(h, kxc->c);
634 GH_DONE(h, kxc->hswrq_out); GH_DESTROY(h);
635 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
636 hashge(h, kx->c); hashge(h, kxc->c);
637 GH_DONE(h, kxc->hswok_out); GH_DESTROY(h);
0617b6e7 638
b5c45da1 639 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
640 hashge(h, kxc->c); hashge(h, kx->c);
641 GH_DONE(h, kxc->hswrq_in); GH_DESTROY(h);
642 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
643 hashge(h, kxc->c); hashge(h, kx->c);
644 GH_DONE(h, kxc->hswok_in); GH_DESTROY(h);
0617b6e7 645
646 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
0617b6e7 647 trace_block(T_CRYPTO, "crypto: outbound switch request",
b5c45da1 648 kxc->hswrq_out, algs.hashsz);
0617b6e7 649 trace_block(T_CRYPTO, "crypto: outbound switch confirm",
b5c45da1 650 kxc->hswok_out, algs.hashsz);
0617b6e7 651 trace_block(T_CRYPTO, "crypto: inbound switch request",
b5c45da1 652 kxc->hswrq_in, algs.hashsz);
0617b6e7 653 trace_block(T_CRYPTO, "crypto: inbound switch confirm",
b5c45da1 654 kxc->hswok_in, algs.hashsz);
0617b6e7 655 }))
656
657 /* --- Create a new symmetric keyset --- */
658
de7bd20b
MW
659 buf_init(&bb, buf_o, sizeof(buf_o));
660 G_TOBUF(gg, &bb, kx->c); x = BLEN(&bb);
661 G_TOBUF(gg, &bb, kxc->c); y = BLEN(&bb);
662 G_TOBUF(gg, &bb, r); z = BLEN(&bb);
663 assert(BOK(&bb));
0617b6e7 664
de7bd20b 665 kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p);
410c8acf 666 }
667
de7bd20b
MW
668 G_DESTROY(gg, c);
669 G_DESTROY(gg, cc);
670 G_DESTROY(gg, r);
671 mp_drop(cv);
672 return (kxc);
410c8acf 673
de7bd20b
MW
674badcheck:
675 a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
676 goto bad;
677bad:
678 G_DESTROY(gg, c);
679 G_DESTROY(gg, cc);
680 G_DESTROY(gg, r);
681 mp_drop(cv);
e04c2d50 682 return (0);
de7bd20b 683}
0617b6e7 684
de7bd20b
MW
685/* --- @dochallenge@ --- *
686 *
687 * Arguments: @keyexch *kx@ = pointer to key exchange block
688 * @unsigned msg@ = message code for the packet
689 * @buf *b@ = buffer containing the packet
690 *
691 * Returns: Zero if OK, nonzero if the packet was rejected.
692 *
693 * Use: Processes a packet containing a challenge.
694 */
0617b6e7 695
de7bd20b
MW
696static int dochallenge(keyexch *kx, buf *b)
697{
698 kxchal *kxc;
0617b6e7 699
de7bd20b
MW
700 if (kx->s != KXS_CHAL) {
701 a_warn("KX", "?PEER", kx->p, "unexpected", "challenge", A_END);
702 goto bad;
703 }
704 if ((kxc = respond(kx, KX_CHAL, b)) == 0)
705 goto bad;
706 if (BLEFT(b)) {
707 a_warn("KX", "?PEER", kx->p, "invalid", "challenge", A_END);
708 goto bad;
709 }
710 kxc_answer(kx, kxc);
0617b6e7 711 return (0);
712
713bad:
0617b6e7 714 return (-1);
410c8acf 715}
716
0617b6e7 717/* --- @resend@ --- *
410c8acf 718 *
719 * Arguments: @keyexch *kx@ = pointer to key exchange context
410c8acf 720 *
721 * Returns: ---
722 *
0617b6e7 723 * Use: Sends the next message for a key exchange.
410c8acf 724 */
725
0617b6e7 726static void resend(keyexch *kx)
410c8acf 727{
0617b6e7 728 kxchal *kxc;
729 buf bb;
730 stats *st = p_stats(kx->p);
410c8acf 731 buf *b;
732
0617b6e7 733 switch (kx->s) {
734 case KXS_CHAL:
00e64b67 735 T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'",
736 p_name(kx->p)); )
0617b6e7 737 b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL);
52c03a2a 738 G_TOBUF(gg, b, kx->c);
0617b6e7 739 break;
740 case KXS_COMMIT:
00e64b67 741 T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'",
742 p_name(kx->p)); )
0617b6e7 743 kxc = kx->r[0];
744 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH);
b5c45da1 745 buf_put(b, kx->hc, algs.hashsz);
746 buf_put(b, kxc->hc, algs.hashsz);
0617b6e7 747 buf_init(&bb, buf_i, sizeof(buf_i));
de7bd20b 748 G_TORAW(gg, &bb, kxc->r);
b5c45da1 749 buf_put(&bb, kxc->hswrq_out, algs.hashsz);
0617b6e7 750 buf_flip(&bb);
7ed14135 751 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCH, &bb, b);
0617b6e7 752 break;
753 case KXS_SWITCH:
00e64b67 754 T( trace(T_KEYEXCH, "keyexch: sending switch confirmation to `%s'",
0617b6e7 755 p_name(kx->p)); )
756 kxc = kx->r[0];
757 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK);
758 buf_init(&bb, buf_i, sizeof(buf_i));
b5c45da1 759 buf_put(&bb, kxc->hswok_out, algs.hashsz);
0617b6e7 760 buf_flip(&bb);
7ed14135 761 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, &bb, b);
0617b6e7 762 break;
763 default:
764 abort();
410c8acf 765 }
0617b6e7 766
767 if (BOK(b)) {
768 st->n_kxout++;
769 st->sz_kxout += BLEN(b);
770 p_txend(kx->p);
771 }
772
773 if (kx->s < KXS_SWITCH)
774 settimer(kx, time(0) + T_RETRY);
410c8acf 775}
776
de7bd20b 777/* --- @decryptrest@ --- *
0617b6e7 778 *
779 * Arguments: @keyexch *kx@ = pointer to key exchange context
de7bd20b
MW
780 * @kxchal *kxc@ = pointer to challenge block
781 * @unsigned msg@ = type of incoming message
0617b6e7 782 * @buf *b@ = encrypted remainder of the packet
783 *
de7bd20b 784 * Returns: Zero if OK, nonzero on some kind of error.
0617b6e7 785 *
de7bd20b
MW
786 * Use: Decrypts the remainder of the packet, and points @b@ at the
787 * recovered plaintext.
0617b6e7 788 */
789
de7bd20b 790static int decryptrest(keyexch *kx, kxchal *kxc, unsigned msg, buf *b)
410c8acf 791{
0617b6e7 792 buf bb;
0617b6e7 793
de7bd20b
MW
794 buf_init(&bb, buf_o, sizeof(buf_o));
795 if (ks_decrypt(kxc->ks, MSG_KEYEXCH | msg, b, &bb)) {
796 a_warn("KX", "?PEER", kx->p, "decrypt-failed", "%s", pkname[msg], A_END);
797 return (-1);
0617b6e7 798 }
12a26b8b 799 if (!BOK(&bb)) return (-1);
de7bd20b
MW
800 buf_init(b, BBASE(&bb), BLEN(&bb));
801 return (0);
802}
410c8acf 803
de7bd20b
MW
804/* --- @checkresponse@ --- *
805 *
806 * Arguments: @keyexch *kx@ = pointer to key exchange context
807 * @unsigned msg@ = type of incoming message
808 * @buf *b@ = decrypted remainder of the packet
809 *
810 * Returns: Zero if OK, nonzero on some kind of error.
811 *
812 * Use: Checks a reply or switch packet, ensuring that its response
813 * is correct.
814 */
0617b6e7 815
de7bd20b
MW
816static int checkresponse(keyexch *kx, unsigned msg, buf *b)
817{
818 ge *r = G_CREATE(gg);
0617b6e7 819
5251b2e9 820 if (G_FROMRAW(gg, b, r)) {
de7bd20b 821 a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
0617b6e7 822 goto bad;
823 }
824 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
52c03a2a 825 trace(T_CRYPTO, "crypto: reply = %s", gestr(gg, r));
0617b6e7 826 }))
52c03a2a 827 if (!G_EQ(gg, r, kx->rx)) {
de7bd20b 828 a_warn("KX", "?PEER", kx->p, "incorrect", "response", A_END);
0617b6e7 829 goto bad;
830 }
831
52c03a2a 832 G_DESTROY(gg, r);
de7bd20b 833 return (0);
0617b6e7 834
835bad:
de7bd20b
MW
836 G_DESTROY(gg, r);
837 return (-1);
410c8acf 838}
839
0617b6e7 840/* --- @commit@ --- *
410c8acf 841 *
842 * Arguments: @keyexch *kx@ = pointer to key exchange context
0617b6e7 843 * @kxchal *kxc@ = pointer to challenge to commit to
410c8acf 844 *
845 * Returns: ---
846 *
0617b6e7 847 * Use: Commits to a particular challenge as being the `right' one,
848 * since a reply has arrived for it.
410c8acf 849 */
850
0617b6e7 851static void commit(keyexch *kx, kxchal *kxc)
410c8acf 852{
0617b6e7 853 unsigned i;
410c8acf 854
0617b6e7 855 for (i = 0; i < kx->nr; i++) {
856 if (kx->r[i] != kxc)
857 kxc_destroy(kx->r[i]);
858 }
859 kx->r[0] = kxc;
860 kx->nr = 1;
861 kxc_stoptimer(kxc);
e04c2d50 862 ksl_link(kx->ks, kxc->ks);
410c8acf 863}
864
0617b6e7 865/* --- @doreply@ --- *
410c8acf 866 *
867 * Arguments: @keyexch *kx@ = pointer to key exchange context
0617b6e7 868 * @buf *b@ = buffer containing packet
410c8acf 869 *
0617b6e7 870 * Returns: Zero if OK, nonzero if the packet was rejected.
410c8acf 871 *
0617b6e7 872 * Use: Handles a reply packet. This doesn't handle the various
873 * switch packets: they're rather too different.
410c8acf 874 */
875
0617b6e7 876static int doreply(keyexch *kx, buf *b)
410c8acf 877{
0617b6e7 878 kxchal *kxc;
879
880 if (kx->s != KXS_CHAL && kx->s != KXS_COMMIT) {
f43df819 881 a_warn("KX", "?PEER", kx->p, "unexpected", "reply", A_END);
0617b6e7 882 goto bad;
883 }
de7bd20b
MW
884 if ((kxc = respond(kx, KX_REPLY, b)) == 0 ||
885 decryptrest(kx, kxc, KX_REPLY, b) ||
886 checkresponse(kx, KX_REPLY, b))
0617b6e7 887 goto bad;
888 if (BLEFT(b)) {
f43df819 889 a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
0617b6e7 890 goto bad;
e04c2d50 891 }
0617b6e7 892 if (kx->s == KXS_CHAL) {
893 commit(kx, kxc);
894 kx->s = KXS_COMMIT;
895 }
896 resend(kx);
897 return (0);
898
899bad:
900 return (-1);
410c8acf 901}
902
3cdc3f3a 903/* --- @kxfinish@ --- *
904 *
905 * Arguments: @keyexch *kx@ = pointer to key exchange block
906 *
907 * Returns: ---
908 *
909 * Use: Sets everything up following a successful key exchange.
910 */
911
912static void kxfinish(keyexch *kx)
913{
914 kxchal *kxc = kx->r[0];
915 ks_activate(kxc->ks);
916 settimer(kx, ks_tregen(kxc->ks));
917 kx->s = KXS_SWITCH;
f43df819 918 a_notify("KXDONE", "?PEER", kx->p, A_END);
3cdc3f3a 919 p_stats(kx->p)->t_kx = time(0);
920}
921
0617b6e7 922/* --- @doswitch@ --- *
410c8acf 923 *
0617b6e7 924 * Arguments: @keyexch *kx@ = pointer to key exchange block
925 * @buf *b@ = pointer to buffer containing packet
410c8acf 926 *
0617b6e7 927 * Returns: Zero if OK, nonzero if the packet was rejected.
410c8acf 928 *
0617b6e7 929 * Use: Handles a reply with a switch request bolted onto it.
410c8acf 930 */
931
0617b6e7 932static int doswitch(keyexch *kx, buf *b)
410c8acf 933{
0617b6e7 934 const octet *hc_in, *hc_out, *hswrq;
935 kxchal *kxc;
410c8acf 936
b5c45da1 937 if ((hc_in = buf_get(b, algs.hashsz)) == 0 ||
938 (hc_out = buf_get(b, algs.hashsz)) == 0) {
f43df819 939 a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
0617b6e7 940 goto bad;
410c8acf 941 }
de7bd20b
MW
942 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
943 trace_block(T_CRYPTO, "crypto: challenge", hc_in, algs.hashsz);
944 trace_block(T_CRYPTO, "crypto: cookie", hc_out, algs.hashsz);
945 }))
946 if ((kxc = kxc_byhc(kx, hc_in)) == 0 ||
947 memcmp(hc_out, kx->hc, algs.hashsz) != 0) {
948 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
949 goto bad;
950 }
951 if (decryptrest(kx, kxc, KX_SWITCH, b) ||
952 checkresponse(kx, KX_SWITCH, b))
0617b6e7 953 goto bad;
b5c45da1 954 if ((hswrq = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
5ac9463b 955 a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
0617b6e7 956 goto bad;
957 }
958 IF_TRACING(T_KEYEXCH, {
b5c45da1 959 trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, algs.hashsz);
0617b6e7 960 })
b5c45da1 961 if (memcmp(hswrq, kxc->hswrq_in, algs.hashsz) != 0) {
f43df819 962 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
0617b6e7 963 goto bad;
964 }
de7bd20b
MW
965 if (kx->s == KXS_CHAL)
966 commit(kx, kxc);
967 if (kx->s < KXS_SWITCH)
968 kxfinish(kx);
0617b6e7 969 resend(kx);
970 return (0);
971
972bad:
973 return (-1);
410c8acf 974}
975
0617b6e7 976/* --- @doswitchok@ --- *
977 *
978 * Arguments: @keyexch *kx@ = pointer to key exchange block
979 * @buf *b@ = pointer to buffer containing packet
980 *
981 * Returns: Zero if OK, nonzero if the packet was rejected.
982 *
983 * Use: Handles a reply with a switch request bolted onto it.
984 */
985
986static int doswitchok(keyexch *kx, buf *b)
410c8acf 987{
0617b6e7 988 const octet *hswok;
989 kxchal *kxc;
990 buf bb;
410c8acf 991
0617b6e7 992 if (kx->s < KXS_COMMIT) {
f43df819 993 a_warn("KX", "?PEER", kx->p, "unexpected", "switch-ok", A_END);
0617b6e7 994 goto bad;
410c8acf 995 }
0617b6e7 996 kxc = kx->r[0];
997 buf_init(&bb, buf_o, sizeof(buf_o));
de7bd20b 998 if (decryptrest(kx, kxc, KX_SWITCHOK, b))
0617b6e7 999 goto bad;
b5c45da1 1000 if ((hswok = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
5ac9463b 1001 a_warn("KX", "?PEER", kx->p, "invalid", "switch-ok", A_END);
0617b6e7 1002 goto bad;
1003 }
1004 IF_TRACING(T_KEYEXCH, {
b5c45da1 1005 trace_block(T_CRYPTO, "crypto: switch confirmation hash",
1006 hswok, algs.hashsz);
0617b6e7 1007 })
b5c45da1 1008 if (memcmp(hswok, kxc->hswok_in, algs.hashsz) != 0) {
f43df819 1009 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-ok", A_END);
0617b6e7 1010 goto bad;
1011 }
3cdc3f3a 1012 if (kx->s < KXS_SWITCH)
1013 kxfinish(kx);
0617b6e7 1014 return (0);
1015
1016bad:
e04c2d50 1017 return (-1);
0617b6e7 1018}
1019
1020/*----- Main code ---------------------------------------------------------*/
1021
1022/* --- @stop@ --- *
1023 *
1024 * Arguments: @keyexch *kx@ = pointer to key exchange context
1025 *
1026 * Returns: ---
1027 *
1028 * Use: Stops a key exchange dead in its tracks. Throws away all of
1029 * the context information. The context is left in an
1030 * inconsistent state. The only functions which understand this
1031 * state are @kx_free@ and @kx_init@ (which cause it internally
1032 * it), and @start@ (which expects it to be the prevailing
1033 * state).
1034 */
1035
1036static void stop(keyexch *kx)
1037{
1038 unsigned i;
1039
00e64b67 1040 if (kx->f & KXF_DEAD)
1041 return;
1042
0617b6e7 1043 if (kx->f & KXF_TIMER)
1044 sel_rmtimer(&kx->t);
1045 for (i = 0; i < kx->nr; i++)
1046 kxc_destroy(kx->r[i]);
1047 mp_drop(kx->alpha);
52c03a2a 1048 G_DESTROY(gg, kx->c);
1049 G_DESTROY(gg, kx->rx);
00e64b67 1050 kx->t_valid = 0;
1051 kx->f |= KXF_DEAD;
1052 kx->f &= ~KXF_TIMER;
0617b6e7 1053}
1054
1055/* --- @start@ --- *
1056 *
1057 * Arguments: @keyexch *kx@ = pointer to key exchange context
1058 * @time_t now@ = the current time
1059 *
1060 * Returns: ---
1061 *
1062 * Use: Starts a new key exchange with the peer. The context must be
1063 * in the bizarre state left by @stop@ or @kx_init@.
1064 */
1065
1066static void start(keyexch *kx, time_t now)
1067{
b5c45da1 1068 ghash *h;
0617b6e7 1069
00e64b67 1070 assert(kx->f & KXF_DEAD);
1071
010e6f63 1072 kx->f &= ~(KXF_DEAD | KXF_CORK);
0617b6e7 1073 kx->nr = 0;
52c03a2a 1074 kx->alpha = mprand_range(MP_NEW, gg->r, &rand_global, 0);
1075 kx->c = G_CREATE(gg); G_EXP(gg, kx->c, gg->g, kx->alpha);
1076 kx->rx = G_CREATE(gg); G_EXP(gg, kx->rx, kx->kpub, kx->alpha);
0617b6e7 1077 kx->s = KXS_CHAL;
1078 kx->t_valid = now + T_VALID;
1079
b5c45da1 1080 h = GH_INIT(algs.h);
1081 HASH_STRING(h, "tripe-cookie");
1082 hashge(h, kx->c);
1083 GH_DONE(h, kx->hc);
1084 GH_DESTROY(h);
0617b6e7 1085
1086 IF_TRACING(T_KEYEXCH, {
1087 trace(T_KEYEXCH, "keyexch: creating new challenge");
1088 IF_TRACING(T_CRYPTO, {
1089 trace(T_CRYPTO, "crypto: secret = %s", mpstr(kx->alpha));
52c03a2a 1090 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, kx->c));
1091 trace(T_CRYPTO, "crypto: expected response = %s", gestr(gg, kx->rx));
b5c45da1 1092 trace_block(T_CRYPTO, "crypto: challenge cookie", kx->hc, algs.hashsz);
0617b6e7 1093 })
1094 })
410c8acf 1095}
1096
00e64b67 1097/* --- @checkpub@ --- *
1098 *
1099 * Arguments: @keyexch *kx@ = pointer to key exchange context
1100 *
1101 * Returns: Zero if OK, nonzero if the peer's public key has expired.
1102 *
1103 * Use: Deactivates the key-exchange until the peer acquires a new
1104 * public key.
1105 */
1106
1107static int checkpub(keyexch *kx)
1108{
1109 time_t now;
1110 if (kx->f & KXF_DEAD)
1111 return (-1);
1112 now = time(0);
1113 if (KEY_EXPIRED(now, kx->texp_kpub)) {
1114 stop(kx);
f43df819 1115 a_warn("KX", "?PEER", kx->p, "public-key-expired", A_END);
52c03a2a 1116 G_COPY(gg, kx->kpub, gg->i);
00e64b67 1117 kx->f &= ~KXF_PUBKEY;
1118 return (-1);
1119 }
1120 return (0);
1121}
1122
0617b6e7 1123/* --- @kx_start@ --- *
410c8acf 1124 *
1125 * Arguments: @keyexch *kx@ = pointer to key exchange context
de014da6 1126 * @int forcep@ = nonzero to ignore the quiet timer
410c8acf 1127 *
1128 * Returns: ---
1129 *
0617b6e7 1130 * Use: Stimulates a key exchange. If a key exchage is in progress,
1131 * a new challenge is sent (unless the quiet timer forbids
1132 * this); if no exchange is in progress, one is commenced.
410c8acf 1133 */
1134
de014da6 1135void kx_start(keyexch *kx, int forcep)
410c8acf 1136{
1137 time_t now = time(0);
410c8acf 1138
00e64b67 1139 if (checkpub(kx))
1140 return;
de014da6 1141 if (forcep || !VALIDP(kx, now)) {
0617b6e7 1142 stop(kx);
1143 start(kx, now);
f43df819 1144 a_notify("KXSTART", "?PEER", kx->p, A_END);
410c8acf 1145 }
0617b6e7 1146 resend(kx);
1147}
1148
1149/* --- @kx_message@ --- *
1150 *
1151 * Arguments: @keyexch *kx@ = pointer to key exchange context
1152 * @unsigned msg@ = the message code
1153 * @buf *b@ = pointer to buffer containing the packet
1154 *
1155 * Returns: ---
1156 *
1157 * Use: Reads a packet containing key exchange messages and handles
1158 * it.
1159 */
1160
1161void kx_message(keyexch *kx, unsigned msg, buf *b)
1162{
1163 time_t now = time(0);
1164 stats *st = p_stats(kx->p);
1165 size_t sz = BSZ(b);
1166 int rc;
1167
010e6f63
MW
1168 if (kx->f & KXF_CORK) {
1169 start(kx, now);
1170 settimer(kx, now + T_RETRY);
1171 a_notify("KXSTART", A_END);
1172 }
1173
00e64b67 1174 if (checkpub(kx))
1175 return;
1176
3cdc3f3a 1177 if (!VALIDP(kx, now)) {
0617b6e7 1178 stop(kx);
1179 start(kx, now);
410c8acf 1180 }
0617b6e7 1181 T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'",
1182 msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); )
1183
1184 switch (msg) {
1185 case KX_PRECHAL:
de7bd20b
MW
1186 rc = doprechallenge(kx, b);
1187 break;
0617b6e7 1188 case KX_CHAL:
de7bd20b 1189 rc = dochallenge(kx, b);
0617b6e7 1190 break;
1191 case KX_REPLY:
1192 rc = doreply(kx, b);
1193 break;
1194 case KX_SWITCH:
1195 rc = doswitch(kx, b);
1196 break;
1197 case KX_SWITCHOK:
1198 rc = doswitchok(kx, b);
1199 break;
1200 default:
f43df819 1201 a_warn("KX", "?PEER", kx->p, "unknown-message", "0x%02x", msg, A_END);
0617b6e7 1202 rc = -1;
1203 break;
410c8acf 1204 }
410c8acf 1205
0617b6e7 1206 if (rc)
1207 st->n_reject++;
1208 else {
1209 st->n_kxin++;
1210 st->sz_kxin += sz;
1211 }
410c8acf 1212}
1213
1214/* --- @kx_free@ --- *
1215 *
1216 * Arguments: @keyexch *kx@ = pointer to key exchange context
1217 *
1218 * Returns: ---
1219 *
1220 * Use: Frees everything in a key exchange context.
1221 */
1222
1223void kx_free(keyexch *kx)
1224{
0617b6e7 1225 stop(kx);
52c03a2a 1226 G_DESTROY(gg, kx->kpub);
410c8acf 1227}
1228
1229/* --- @kx_newkeys@ --- *
1230 *
1231 * Arguments: @keyexch *kx@ = pointer to key exchange context
1232 *
1233 * Returns: ---
1234 *
1235 * Use: Informs the key exchange module that its keys may have
1236 * changed. If fetching the new keys fails, the peer will be
1237 * destroyed, we log messages and struggle along with the old
1238 * keys.
1239 */
1240
1241void kx_newkeys(keyexch *kx)
1242{
48b84569 1243 if (km_getpubkey(p_tag(kx->p), kx->kpub, &kx->texp_kpub))
410c8acf 1244 return;
00e64b67 1245 kx->f |= KXF_PUBKEY;
1246 if ((kx->f & KXF_DEAD) || kx->s != KXS_SWITCH) {
410c8acf 1247 T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'",
1248 p_name(kx->p)); )
00e64b67 1249 stop(kx);
1250 start(kx, time(0));
1251 resend(kx);
410c8acf 1252 }
1253}
1254
1255/* --- @kx_init@ --- *
1256 *
1257 * Arguments: @keyexch *kx@ = pointer to key exchange context
1258 * @peer *p@ = pointer to peer context
1259 * @keyset **ks@ = pointer to keyset list
010e6f63 1260 * @unsigned f@ = various useful flags
410c8acf 1261 *
1262 * Returns: Zero if OK, nonzero if it failed.
1263 *
1264 * Use: Initializes a key exchange module. The module currently
1265 * contains no keys, and will attempt to initiate a key
1266 * exchange.
1267 */
1268
010e6f63 1269int kx_init(keyexch *kx, peer *p, keyset **ks, unsigned f)
410c8acf 1270{
1271 kx->ks = ks;
1272 kx->p = p;
52c03a2a 1273 kx->kpub = G_CREATE(gg);
48b84569 1274 if (km_getpubkey(p_tag(p), kx->kpub, &kx->texp_kpub)) {
52c03a2a 1275 G_DESTROY(gg, kx->kpub);
410c8acf 1276 return (-1);
52c03a2a 1277 }
010e6f63
MW
1278 kx->f = KXF_DEAD | KXF_PUBKEY | f;
1279 if (!(kx->f & KXF_CORK)) {
1280 start(kx, time(0));
1281 resend(kx);
1282 /* Don't notify here: the ADD message hasn't gone out yet. */
1283 }
410c8acf 1284 return (0);
1285}
1286
1287/*----- That's all, folks -------------------------------------------------*/