chiark / gitweb /
~mdw / tripe / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
server/tests.at: Test key exchange and retransmit with a flaky network.
[tripe] / server / keyexch.c
CommitLineData
410c8acf 1/* -*-c-*-
410c8acf 2 *
3 * Key exchange protocol
4 *
5 * (c) 2001 Straylight/Edgeware
6 */
7
e04c2d50 8/*----- Licensing notice --------------------------------------------------*
410c8acf 9 *
10 * This file is part of Trivial IP Encryption (TrIPE).
11 *
12 * TrIPE is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
e04c2d50 16 *
410c8acf 17 * TrIPE is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
e04c2d50 21 *
410c8acf 22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 */
26
410c8acf 27/*----- Header files ------------------------------------------------------*/
28
29#include "tripe.h"
30
737cc271 31/*----- Brief protocol overview -------------------------------------------*
32 *
33 * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
34 * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
35 * application of the symmetric packet protocol to a message; let
36 * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
37 * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
38 * be Bob's public key.
39 *
40 * At the beginning of the session, Alice chooses
41 *
42 * %$\rho_A \inr \{0, \ldots q - 1\}$%
43 *
44 * We also have:
45 *
46 * %$r_A = g^{\rho_A}$% Alice's challenge
47 * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
9317aa92 48 * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
e04c2d50 49 * Alice's challenge check value
737cc271 50 * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
51 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
e04c2d50 52 * Alice and Bob's shared secret key
737cc271 53 * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
e04c2d50 54 * Alice's switch request value
737cc271 55 * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
e04c2d50 56 * Alice's switch confirm value
737cc271 57 *
58 * The messages are then:
59 *
60 * %$\cookie{kx-pre-challenge}, r_A$%
61 * Initial greeting. In state @KXS_CHAL@.
62 *
737cc271 63 * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
64 * Here's a full challenge for you to answer.
65 *
28461f0e 66 * %$\cookie{kx-reply}, r_A, c_B, v_A, E_K(r_B^\alpha))$%
737cc271 67 * Challenge accpeted: here's the answer. Commit to my challenge. Move
68 * to @KXS_COMMIT@.
69 *
3cdc3f3a 70 * %$\cookie{kx-switch-rq}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
737cc271 71 * Reply received: here's my reply. Committed; send data; move to
72 * @KXS_SWITCH@.
73 *
74 * %$\cookie{kx-switch-ok}, E_K(u_A))$%
75 * Switch received. Committed; send data; move to @KXS_SWITCH@.
e04c2d50 76 */
737cc271 77
3cdc3f3a 78/*----- Static tables -----------------------------------------------------*/
79
80static const char *const pkname[] = {
c3c51798 81 "pre-challenge", "challenge", "reply", "switch-rq", "switch-ok"
3cdc3f3a 82};
0617b6e7 83
84/*----- Various utilities -------------------------------------------------*/
410c8acf 85
e9fac70c
MW		 86/* --- @VALIDP@ --- *
87 *
88 * Arguments: @const keyexch *kx@ = key exchange state
89 * @time_t now@ = current time in seconds
90 *
91 * Returns: Whether the challenge in the key-exchange state is still
92 * valid or should be regenerated.
93 */
94
95#define VALIDP(kx, now) ((now) < (kx)->t_valid)
96
52c03a2a 97/* --- @hashge@ --- *
410c8acf 98 *
b5c45da1 99 * Arguments: @ghash *h@ = pointer to hash context
52c03a2a 100 * @ge *x@ = pointer to group element
410c8acf 101 *
102 * Returns: ---
103 *
52c03a2a 104 * Use: Adds the hash of a group element to the context. Corrupts
105 * @buf_t@.
410c8acf 106 */
107
b5c45da1 108static void hashge(ghash *h, ge *x)
410c8acf 109{
110 buf b;
0617b6e7 111 buf_init(&b, buf_t, sizeof(buf_t));
52c03a2a 112 G_TOBUF(gg, &b, x);
410c8acf 113 assert(BOK(&b));
b5c45da1 114 GH_HASH(h, BBASE(&b), BLEN(&b));
410c8acf 115}
116
de7bd20b 117/* --- @mpmask@ --- *
5d418e24 118 *
de7bd20b
MW		 119 * Arguments: @buf *b@ = output buffer
120 * @mp *x@ = the plaintext integer
121 * @size_t n@ = the expected size of the plaintext
5d418e24 122 * @const octet *k@ = pointer to key material
de7bd20b 123 * @size_t ksz@ = size of the key
5d418e24 124 *
de7bd20b 125 * Returns: Pointer to the output.
5d418e24 126 *
de7bd20b
MW		 127 * Use: Masks a multiprecision integer: returns %$x \xor H(k)$%, so
128 * it's a random oracle thing rather than an encryption thing.
5d418e24 129 */
130
de7bd20b 131static octet *mpmask(buf *b, mp *x, size_t n, const octet *k, size_t ksz)
5d418e24 132{
b5c45da1 133 gcipher *mgf;
de7bd20b 134 octet *p;
5d418e24 135
de7bd20b
MW		 136 if ((p = buf_get(b, n)) == 0)
137 return (0);
138 mgf = GC_INIT(algs.mgf, k, ksz);
139 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
140 trace(T_CRYPTO, "masking index = %s", mpstr(x));
141 trace_block(T_CRYPTO, "masking key", k, ksz);
142 }))
143 mp_storeb(x, buf_t, n);
144 GC_ENCRYPT(mgf, buf_t, p, n);
145 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
146 trace_block(T_CRYPTO, "index plaintext", buf_t, n);
147 trace_block(T_CRYPTO, "masked ciphertext", p, n);
148 }))
b5c45da1 149 GC_DESTROY(mgf);
de7bd20b 150 return (p);
b5c45da1 151}
152
de7bd20b
MW		 153/* --- @mpunmask@ --- *
154 *
155 * Arguments: @mp *d@ = the output integer
156 * @const octet *p@ = pointer to the ciphertext
157 * @size_t n@ = the size of the ciphertext
158 * @const octet *k@ = pointer to key material
159 * @size_t ksz@ = size of the key
160 *
161 * Returns: The decrypted integer, or null.
162 *
163 * Use: Unmasks a multiprecision integer.
164 */
165
166static mp *mpunmask(mp *d, const octet *p, size_t n,
167 const octet *k, size_t ksz)
b5c45da1 168{
169 gcipher *mgf;
170
de7bd20b
MW		 171 mgf = GC_INIT(algs.mgf, k, ksz);
172 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
173 trace_block(T_CRYPTO, "unmasking key", k, ksz);
174 trace_block(T_CRYPTO, "masked ciphertext", p, n);
175 }))
176 GC_DECRYPT(mgf, p, buf_t, n);
177 d = mp_loadb(d, buf_t, n);
178 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
179 trace_block(T_CRYPTO, "index plaintext", buf_t, n);
180 trace(T_CRYPTO, "unmasked index = %s", mpstr(d));
181 }))
b5c45da1 182 GC_DESTROY(mgf);
de7bd20b
MW		 183 return (d);
184}
185
186/* --- @hashcheck@ --- *
187 *
188 * Arguments: @ge *kpub@ = sender's public key
189 * @ge *cc@ = receiver's challenge
190 * @ge *c@ = sender's challenge
191 * @ge *y@ = reply to sender's challenge
192 *
193 * Returns: Pointer to the hash value (in @buf_t@)
194 *
195 * Use: Computes the check-value hash, used to mask or unmask
196 * indices to prove the validity of challenges. This computes
197 * the masking key used in challenge check values. This is
198 * really the heart of the whole thing, since it ensures that
199 * the index can be recovered from the history of hashing
200 * queries, which gives us (a) a proof that the authentication
201 * process is zero-knowledge, and (b) a proof that the whole
202 * key-exchange is deniable.
203 */
204
205static const octet *hashcheck(ge *kpub, ge *cc, ge *c, ge *y)
206{
207 ghash *h = GH_INIT(algs.h);
208
209 HASH_STRING(h, "tripe-expected-reply");
210 hashge(h, kpub);
211 hashge(h, cc);
212 hashge(h, c);
213 hashge(h, y);
214 GH_DONE(h, buf_t);
215 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
216 trace(T_CRYPTO, "computing challenge check hash");
217 trace(T_CRYPTO, "public key = %s", gestr(gg, kpub));
218 trace(T_CRYPTO, "receiver challenge = %s", gestr(gg, cc));
219 trace(T_CRYPTO, "sender challenge = %s", gestr(gg, c));
220 trace(T_CRYPTO, "sender reply = %s", gestr(gg, y));
221 trace_block(T_CRYPTO, "hash output", buf_t, algs.hashsz);
222 }))
223 GH_DESTROY(h);
224 return (buf_t);
225}
226
227/* --- @sendchallenge@ --- *
228 *
229 * Arguments: @keyexch *kx@ = pointer to key exchange block
230 * @buf *b@ = output buffer for challenge
231 * @ge *c@ = peer's actual challenge
232 * @const octet *hc@ = peer's challenge cookie
233 *
234 * Returns: ---
235 *
236 * Use: Writes a full challenge to the message buffer.
237 */
238
239static void sendchallenge(keyexch *kx, buf *b, ge *c, const octet *hc)
240{
241 G_TOBUF(gg, b, kx->c);
242 buf_put(b, hc, algs.hashsz);
243 mpmask(b, kx->alpha, indexsz,
244 hashcheck(kpub, c, kx->c, kx->rx), algs.hashsz);
5d418e24 245}
246
410c8acf 247/* --- @timer@ --- *
248 *
249 * Arguments: @struct timeval *tv@ = the current time
250 * @void *v@ = pointer to key exchange context
251 *
252 * Returns: ---
253 *
254 * Use: Acts when the key exchange timer goes off.
255 */
256
257static void timer(struct timeval *tv, void *v)
258{
259 keyexch *kx = v;
260 kx->f &= ~KXF_TIMER;
261 T( trace(T_KEYEXCH, "keyexch: timer has popped"); )
de014da6 262 kx_start(kx, 0);
410c8acf 263}
264
265/* --- @settimer@ --- *
266 *
267 * Arguments: @keyexch *kx@ = pointer to key exchange context
ff143952 268 * @struct timeval *tv@ = when to set the timer for
410c8acf 269 *
270 * Returns: ---
271 *
272 * Use: Sets the timer for the next key exchange attempt.
273 */
274
ff143952 275static void settimer(keyexch *kx, struct timeval *tv)
410c8acf 276{
ff143952
MW		 277 if (kx->f & KXF_TIMER) sel_rmtimer(&kx->t);
278 sel_addtimer(&sel, &kx->t, tv, timer, kx);
410c8acf 279 kx->f |= KXF_TIMER;
280}
281
a06d57a3
MW		 282/* --- @f2tv@ --- *
283 *
284 * Arguments: @struct timeval *tv@ = where to write the timeval
285 * @double t@ = a time as a floating point number
286 *
287 * Returns: ---
288 *
289 * Use: Converts a floating-point time into a timeval.
290 */
291
292static void f2tv(struct timeval *tv, double t)
293{
294 tv->tv_sec = t;
295 tv->tv_usec = (t - tv->tv_sec)*MILLION;
296}
297
298/* --- @wobble@ --- *
299 *
300 * Arguments: @double t@ = a time interval
301 *
302 * Returns: The same time interval, with a random error applied.
303 */
304
305static double wobble(double t)
306{
307 uint32 r = rand_global.ops->word(&rand_global);
308 double w = (r/F_2P32) - 0.5;
309 return (t + t*w*T_WOBBLE);
310}
311
312/* --- @rs_time@ --- *
313 *
314 * Arguments: @retry *rs@ = current retry state
315 * @struct timeval *tv@ = where to write the result
316 * @const struct timeval *now@ = current time, or null
317 *
318 * Returns: ---
319 *
320 * Use: Computes a time at which to retry sending a key-exchange
321 * packet. This algorithm is subject to change, but it's
322 * currently a capped exponential backoff, slightly randomized
323 * to try to keep clients from hammering a server that's only
324 * just woken up.
325 *
326 * If @now@ is null then the function works out the time for
327 * itself.
328 */
329
330static void rs_time(retry *rs, struct timeval *tv, const struct timeval *now)
331{
332 double t;
333 struct timeval rtv;
334
335 if (!rs->t)
336 t = SEC(2);
337 else {
338 t = (rs->t * 5)/4;
339 if (t > MIN(5)) t = MIN(5);
340 }
341 rs->t = t;
342
343 if (!now) {
344 now = tv;
345 gettimeofday(tv, 0);
346 }
347 f2tv(&rtv, wobble(t));
348 TV_ADD(tv, now, &rtv);
349}
350
351/* --- @retry_reset@ --- *
352 *
353 * Arguments: @retry *rs@ = retry state
354 *
355 * Returns: --
356 *
357 * Use: Resets a retry state to indicate that progress has been
358 * made. Also useful for initializing the state in the first
359 * place.
360 */
361
362static void rs_reset(retry *rs) { rs->t = 0; }
363
0617b6e7 364/*----- Challenge management ----------------------------------------------*/
365
366/* --- Notes on challenge management --- *
410c8acf 367 *
0617b6e7 368 * We may get multiple different replies to our key exchange; some will be
369 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
370 * received will be added to the table and given a full response. After
371 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
372 * our existing challenge, followed by a hash of the sender's challenge. We
373 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
374 * properly-formed cookies are assigned a table slot: if none is spare, a
375 * used slot is randomly selected and destroyed. A cookie always receives a
376 * full reply.
377 */
378
379/* --- @kxc_destroy@ --- *
380 *
381 * Arguments: @kxchal *kxc@ = pointer to the challenge block
410c8acf 382 *
383 * Returns: ---
384 *
0617b6e7 385 * Use: Disposes of a challenge block.
410c8acf 386 */
387
0617b6e7 388static void kxc_destroy(kxchal *kxc)
410c8acf 389{
0617b6e7 390 if (kxc->f & KXF_TIMER)
391 sel_rmtimer(&kxc->t);
52c03a2a 392 G_DESTROY(gg, kxc->c);
de7bd20b 393 G_DESTROY(gg, kxc->r);
0617b6e7 394 ks_drop(kxc->ks);
395 DESTROY(kxc);
396}
410c8acf 397
0617b6e7 398/* --- @kxc_stoptimer@ --- *
399 *
400 * Arguments: @kxchal *kxc@ = pointer to the challenge block
401 *
402 * Returns: ---
403 *
404 * Use: Stops the challenge's retry timer from sending messages.
405 * Useful when the state machine is in the endgame of the
406 * exchange.
407 */
410c8acf 408
0617b6e7 409static void kxc_stoptimer(kxchal *kxc)
410{
411 if (kxc->f & KXF_TIMER)
412 sel_rmtimer(&kxc->t);
2de0ad0f 413 kxc->f &= ~KXF_TIMER;
0617b6e7 414}
410c8acf 415
0617b6e7 416/* --- @kxc_new@ --- *
417 *
418 * Arguments: @keyexch *kx@ = pointer to key exchange block
0617b6e7 419 *
420 * Returns: A pointer to the challenge block.
421 *
422 * Use: Returns a pointer to a new challenge block to fill in.
423 */
410c8acf 424
0617b6e7 425static kxchal *kxc_new(keyexch *kx)
426{
427 kxchal *kxc;
428 unsigned i;
429
430 /* --- If we're over reply threshold, discard one at random --- */
431
432 if (kx->nr < KX_NCHAL)
433 i = kx->nr++;
434 else {
435 i = rand_global.ops->range(&rand_global, KX_NCHAL);
436 kxc_destroy(kx->r[i]);
410c8acf 437 }
438
0617b6e7 439 /* --- Fill in the new structure --- */
410c8acf 440
0617b6e7 441 kxc = CREATE(kxchal);
52c03a2a 442 kxc->c = G_CREATE(gg);
de7bd20b 443 kxc->r = G_CREATE(gg);
0617b6e7 444 kxc->ks = 0;
445 kxc->kx = kx;
446 kxc->f = 0;
447 kx->r[i] = kxc;
a06d57a3 448 rs_reset(&kxc->rs);
0617b6e7 449 return (kxc);
450}
410c8acf 451
0617b6e7 452/* --- @kxc_bychal@ --- *
453 *
454 * Arguments: @keyexch *kx@ = pointer to key exchange block
52c03a2a 455 * @ge *c@ = challenge from remote host
0617b6e7 456 *
457 * Returns: Pointer to the challenge block, or null.
458 *
459 * Use: Finds a challenge block, given its challenge.
460 */
461
52c03a2a 462static kxchal *kxc_bychal(keyexch *kx, ge *c)
0617b6e7 463{
464 unsigned i;
465
466 for (i = 0; i < kx->nr; i++) {
52c03a2a 467 if (G_EQ(gg, c, kx->r[i]->c))
0617b6e7 468 return (kx->r[i]);
469 }
470 return (0);
471}
472
473/* --- @kxc_byhc@ --- *
474 *
475 * Arguments: @keyexch *kx@ = pointer to key exchange block
476 * @const octet *hc@ = challenge hash from remote host
477 *
478 * Returns: Pointer to the challenge block, or null.
479 *
480 * Use: Finds a challenge block, given a hash of its challenge.
481 */
410c8acf 482
0617b6e7 483static kxchal *kxc_byhc(keyexch *kx, const octet *hc)
484{
485 unsigned i;
486
487 for (i = 0; i < kx->nr; i++) {
b5c45da1 488 if (memcmp(hc, kx->r[i]->hc, algs.hashsz) == 0)
0617b6e7 489 return (kx->r[i]);
410c8acf 490 }
0617b6e7 491 return (0);
492}
493
494/* --- @kxc_answer@ --- *
495 *
496 * Arguments: @keyexch *kx@ = pointer to key exchange block
497 * @kxchal *kxc@ = pointer to challenge block
498 *
499 * Returns: ---
500 *
501 * Use: Sends a reply to the remote host, according to the data in
502 * this challenge block.
503 */
504
505static void kxc_answer(keyexch *kx, kxchal *kxc);
506
507static void kxc_timer(struct timeval *tv, void *v)
508{
509 kxchal *kxc = v;
510 kxc->f &= ~KXF_TIMER;
511 kxc_answer(kxc->kx, kxc);
512}
513
514static void kxc_answer(keyexch *kx, kxchal *kxc)
515{
516 stats *st = p_stats(kx->p);
de7bd20b 517 buf *b = p_txstart(kx->p, MSG_KEYEXCH | KX_REPLY);
0617b6e7 518 struct timeval tv;
519 buf bb;
520
521 /* --- Build the reply packet --- */
522
de7bd20b
MW		 523 T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
524 sendchallenge(kx, b, kxc->c, kxc->hc);
525 buf_init(&bb, buf_i, sizeof(buf_i));
526 G_TORAW(gg, &bb, kxc->r);
527 buf_flip(&bb);
528 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
0617b6e7 529
530 /* --- Update the statistics --- */
531
532 if (BOK(b)) {
533 st->n_kxout++;
534 st->sz_kxout += BLEN(b);
535 p_txend(kx->p);
536 }
537
538 /* --- Schedule another resend --- */
539
540 if (kxc->f & KXF_TIMER)
541 sel_rmtimer(&kxc->t);
542 gettimeofday(&tv, 0);
a06d57a3 543 rs_time(&kxc->rs, &tv, &tv);
0617b6e7 544 sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc);
545 kxc->f |= KXF_TIMER;
546}
547
548/*----- Individual message handlers ---------------------------------------*/
549
de7bd20b 550/* --- @doprechallenge@ --- *
0617b6e7 551 *
de7bd20b
MW		 552 * Arguments: @keyexch *kx@ = pointer to key exchange block
553 * @buf *b@ = buffer containing the packet
0617b6e7 554 *
de7bd20b 555 * Returns: Zero if OK, nonzero of the packet was rejected.
0617b6e7 556 *
de7bd20b 557 * Use: Processes a pre-challenge message.
0617b6e7 558 */
559
de7bd20b 560static int doprechallenge(keyexch *kx, buf *b)
0617b6e7 561{
de7bd20b
MW		 562 stats *st = p_stats(kx->p);
563 ge *c = G_CREATE(gg);
b5c45da1 564 ghash *h;
0617b6e7 565
de7bd20b
MW		 566 /* --- Ensure that we're in a sensible state --- */
567
568 if (kx->s != KXS_CHAL) {
569 a_warn("KX", "?PEER", kx->p, "unexpected", "pre-challenge", A_END);
570 goto bad;
571 }
572
573 /* --- Unpack the packet --- */
574
575 if (G_FROMBUF(gg, b, c) || BLEFT(b))
576 goto bad;
b5c45da1 577
0617b6e7 578 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
de7bd20b 579 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
0617b6e7 580 }))
de7bd20b
MW		 581
582 /* --- Send out a full challenge by return --- */
583
584 b = p_txstart(kx->p, MSG_KEYEXCH | KX_CHAL);
585 h = GH_INIT(algs.h);
586 HASH_STRING(h, "tripe-cookie");
587 hashge(h, c);
588 sendchallenge(kx, b, c, GH_DONE(h, 0));
b5c45da1 589 GH_DESTROY(h);
de7bd20b
MW		 590 st->n_kxout++;
591 st->sz_kxout += BLEN(b);
592 p_txend(kx->p);
593
594 /* --- Done --- */
595
596 G_DESTROY(gg, c);
597 return (0);
598
599bad:
600 if (c) G_DESTROY(gg, c);
601 return (-1);
0617b6e7 602}
603
de7bd20b 604/* --- @respond@ --- *
0617b6e7 605 *
606 * Arguments: @keyexch *kx@ = pointer to key exchange block
de7bd20b 607 * @unsigned msg@ = message code for this packet
0617b6e7 608 * @buf *b@ = buffer containing the packet
609 *
de7bd20b 610 * Returns: Key-exchange challenge block, or null.
0617b6e7 611 *
de7bd20b
MW		 612 * Use: Computes a response for the given challenge, entering it into
613 * a challenge block and so on.
0617b6e7 614 */
615
de7bd20b 616static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
0617b6e7 617{
52c03a2a 618 ge *c = G_CREATE(gg);
de7bd20b
MW		 619 ge *r = G_CREATE(gg);
620 ge *cc = G_CREATE(gg);
621 const octet *hc, *ck;
622 size_t x, y, z;
623 mp *cv = 0;
0617b6e7 624 kxchal *kxc;
de7bd20b
MW		 625 ghash *h = 0;
626 buf bb;
627 int ok;
0617b6e7 628
629 /* --- Unpack the packet --- */
630
52c03a2a 631 if (G_FROMBUF(gg, b, c) ||
de7bd20b
MW		 632 (hc = buf_get(b, algs.hashsz)) == 0 ||
633 (ck = buf_get(b, indexsz)) == 0) {
f43df819 634 a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
0617b6e7 635 goto bad;
636 }
0617b6e7 637 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
52c03a2a 638 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
de7bd20b
MW		 639 trace_block(T_CRYPTO, "crypto: cookie", hc, algs.hashsz);
640 trace_block(T_CRYPTO, "crypto: check-value", ck, indexsz);
0617b6e7 641 }))
642
0617b6e7 643 /* --- Discard a packet with an invalid cookie --- */
644
b5c45da1 645 if (hc && memcmp(hc, kx->hc, algs.hashsz) != 0) {
5ac9463b 646 a_warn("KX", "?PEER", kx->p, "incorrect", "cookie", A_END);
0617b6e7 647 goto bad;
648 }
649
de7bd20b
MW		 650 /* --- Recover the check value and verify it --- *
651 *
652 * To avoid recomputation on replays, we store a hash of the `right'
653 * value. The `correct' value is unique, so this is right.
410c8acf 654 *
de7bd20b 655 * This will also find a challenge block and, if necessary, populate it.
410c8acf 656 */
657
de7bd20b
MW		 658 if ((kxc = kxc_bychal(kx, c)) != 0) {
659 h = GH_INIT(algs.h);
660 HASH_STRING(h, "tripe-check-hash");
661 GH_HASH(h, ck, indexsz);
662 ok = !memcmp(kxc->ck, GH_DONE(h, 0), algs.hashsz);
663 GH_DESTROY(h);
664 if (!ok) goto badcheck;
665 } else {
666
667 /* --- Compute the reply, and check the magic --- */
668
669 G_EXP(gg, r, c, kpriv);
670 cv = mpunmask(MP_NEW, ck, indexsz,
671 hashcheck(kx->kpub, kx->c, c, r), algs.hashsz);
672 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
673 trace(T_CRYPTO, "crypto: computed reply = %s", gestr(gg, r));
674 trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv));
675 }))
676 if (MP_CMP(cv, >, gg->r) ||
677 (G_EXP(gg, cc, gg->g, cv), !G_EQ(gg, c, cc)))
678 goto badcheck;
679
680 /* --- Fill in a new challenge block --- */
e04c2d50 681
de7bd20b 682 kxc = kxc_new(kx);
52c03a2a 683 G_COPY(gg, kxc->c, c);
de7bd20b 684 G_COPY(gg, kxc->r, r);
0617b6e7 685
de7bd20b
MW		 686 h = GH_INIT(algs.h);
687 HASH_STRING(h, "tripe-check-hash");
688 GH_HASH(h, ck, indexsz);
5fb10b44 689 GH_DONE(h, kxc->ck);
de7bd20b 690 GH_DESTROY(h);
0617b6e7 691
b5c45da1 692 h = GH_INIT(algs.h);
693 HASH_STRING(h, "tripe-cookie");
694 hashge(h, kxc->c);
695 GH_DONE(h, kxc->hc);
696 GH_DESTROY(h);
697
698 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
699 trace_block(T_CRYPTO, "crypto: computed cookie", kxc->hc, algs.hashsz);
700 }))
0617b6e7 701
0617b6e7 702 /* --- Work out the shared key --- */
703
52c03a2a 704 G_EXP(gg, r, c, kx->alpha);
b5c45da1 705 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
706 trace(T_CRYPTO, "crypto: shared secret = %s", gestr(gg, r));
707 }))
0617b6e7 708
709 /* --- Compute the switch messages --- */
710
b5c45da1 711 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
712 hashge(h, kx->c); hashge(h, kxc->c);
713 GH_DONE(h, kxc->hswrq_out); GH_DESTROY(h);
714 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
715 hashge(h, kx->c); hashge(h, kxc->c);
716 GH_DONE(h, kxc->hswok_out); GH_DESTROY(h);
0617b6e7 717
b5c45da1 718 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
719 hashge(h, kxc->c); hashge(h, kx->c);
720 GH_DONE(h, kxc->hswrq_in); GH_DESTROY(h);
721 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
722 hashge(h, kxc->c); hashge(h, kx->c);
723 GH_DONE(h, kxc->hswok_in); GH_DESTROY(h);
0617b6e7 724
725 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
0617b6e7 726 trace_block(T_CRYPTO, "crypto: outbound switch request",
b5c45da1 727 kxc->hswrq_out, algs.hashsz);
0617b6e7 728 trace_block(T_CRYPTO, "crypto: outbound switch confirm",
b5c45da1 729 kxc->hswok_out, algs.hashsz);
0617b6e7 730 trace_block(T_CRYPTO, "crypto: inbound switch request",
b5c45da1 731 kxc->hswrq_in, algs.hashsz);
0617b6e7 732 trace_block(T_CRYPTO, "crypto: inbound switch confirm",
b5c45da1 733 kxc->hswok_in, algs.hashsz);
0617b6e7 734 }))
735
736 /* --- Create a new symmetric keyset --- */
737
de7bd20b
MW		 738 buf_init(&bb, buf_o, sizeof(buf_o));
739 G_TOBUF(gg, &bb, kx->c); x = BLEN(&bb);
740 G_TOBUF(gg, &bb, kxc->c); y = BLEN(&bb);
741 G_TOBUF(gg, &bb, r); z = BLEN(&bb);
742 assert(BOK(&bb));
0617b6e7 743
de7bd20b 744 kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p);
410c8acf 745 }
746
de7bd20b
MW		 747 G_DESTROY(gg, c);
748 G_DESTROY(gg, cc);
749 G_DESTROY(gg, r);
750 mp_drop(cv);
751 return (kxc);
410c8acf 752
de7bd20b
MW		 753badcheck:
754 a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
755 goto bad;
756bad:
757 G_DESTROY(gg, c);
758 G_DESTROY(gg, cc);
759 G_DESTROY(gg, r);
760 mp_drop(cv);
e04c2d50 761 return (0);
de7bd20b 762}
0617b6e7 763
de7bd20b
MW		 764/* --- @dochallenge@ --- *
765 *
766 * Arguments: @keyexch *kx@ = pointer to key exchange block
767 * @unsigned msg@ = message code for the packet
768 * @buf *b@ = buffer containing the packet
769 *
770 * Returns: Zero if OK, nonzero if the packet was rejected.
771 *
772 * Use: Processes a packet containing a challenge.
773 */
0617b6e7 774
de7bd20b
MW		 775static int dochallenge(keyexch *kx, buf *b)
776{
777 kxchal *kxc;
0617b6e7 778
de7bd20b
MW		 779 if (kx->s != KXS_CHAL) {
780 a_warn("KX", "?PEER", kx->p, "unexpected", "challenge", A_END);
781 goto bad;
782 }
783 if ((kxc = respond(kx, KX_CHAL, b)) == 0)
784 goto bad;
785 if (BLEFT(b)) {
786 a_warn("KX", "?PEER", kx->p, "invalid", "challenge", A_END);
787 goto bad;
788 }
789 kxc_answer(kx, kxc);
0617b6e7 790 return (0);
791
792bad:
0617b6e7 793 return (-1);
410c8acf 794}
795
0617b6e7 796/* --- @resend@ --- *
410c8acf 797 *
798 * Arguments: @keyexch *kx@ = pointer to key exchange context
410c8acf 799 *
800 * Returns: ---
801 *
0617b6e7 802 * Use: Sends the next message for a key exchange.
410c8acf 803 */
804
0617b6e7 805static void resend(keyexch *kx)
410c8acf 806{
0617b6e7 807 kxchal *kxc;
808 buf bb;
809 stats *st = p_stats(kx->p);
ff143952 810 struct timeval tv;
410c8acf 811 buf *b;
812
0617b6e7 813 switch (kx->s) {
814 case KXS_CHAL:
00e64b67 815 T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'",
816 p_name(kx->p)); )
0617b6e7 817 b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL);
52c03a2a 818 G_TOBUF(gg, b, kx->c);
0617b6e7 819 break;
820 case KXS_COMMIT:
00e64b67 821 T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'",
822 p_name(kx->p)); )
0617b6e7 823 kxc = kx->r[0];
824 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH);
b5c45da1 825 buf_put(b, kx->hc, algs.hashsz);
826 buf_put(b, kxc->hc, algs.hashsz);
0617b6e7 827 buf_init(&bb, buf_i, sizeof(buf_i));
de7bd20b 828 G_TORAW(gg, &bb, kxc->r);
b5c45da1 829 buf_put(&bb, kxc->hswrq_out, algs.hashsz);
0617b6e7 830 buf_flip(&bb);
7ed14135 831 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCH, &bb, b);
0617b6e7 832 break;
833 case KXS_SWITCH:
00e64b67 834 T( trace(T_KEYEXCH, "keyexch: sending switch confirmation to `%s'",
0617b6e7 835 p_name(kx->p)); )
836 kxc = kx->r[0];
837 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK);
838 buf_init(&bb, buf_i, sizeof(buf_i));
b5c45da1 839 buf_put(&bb, kxc->hswok_out, algs.hashsz);
0617b6e7 840 buf_flip(&bb);
7ed14135 841 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, &bb, b);
0617b6e7 842 break;
843 default:
844 abort();
410c8acf 845 }
0617b6e7 846
847 if (BOK(b)) {
848 st->n_kxout++;
849 st->sz_kxout += BLEN(b);
850 p_txend(kx->p);
851 }
852
ff143952 853 if (kx->s < KXS_SWITCH) {
a06d57a3 854 rs_time(&kx->rs, &tv, 0);
ff143952
MW		 855 settimer(kx, &tv);
856 }
410c8acf 857}
858
de7bd20b 859/* --- @decryptrest@ --- *
0617b6e7 860 *
861 * Arguments: @keyexch *kx@ = pointer to key exchange context
de7bd20b
MW		 862 * @kxchal *kxc@ = pointer to challenge block
863 * @unsigned msg@ = type of incoming message
0617b6e7 864 * @buf *b@ = encrypted remainder of the packet
865 *
de7bd20b 866 * Returns: Zero if OK, nonzero on some kind of error.
0617b6e7 867 *
de7bd20b
MW		 868 * Use: Decrypts the remainder of the packet, and points @b@ at the
869 * recovered plaintext.
0617b6e7 870 */
871
de7bd20b 872static int decryptrest(keyexch *kx, kxchal *kxc, unsigned msg, buf *b)
410c8acf 873{
0617b6e7 874 buf bb;
0617b6e7 875
de7bd20b
MW		 876 buf_init(&bb, buf_o, sizeof(buf_o));
877 if (ks_decrypt(kxc->ks, MSG_KEYEXCH | msg, b, &bb)) {
878 a_warn("KX", "?PEER", kx->p, "decrypt-failed", "%s", pkname[msg], A_END);
879 return (-1);
0617b6e7 880 }
12a26b8b 881 if (!BOK(&bb)) return (-1);
de7bd20b
MW		 882 buf_init(b, BBASE(&bb), BLEN(&bb));
883 return (0);
884}
410c8acf 885
de7bd20b
MW		 886/* --- @checkresponse@ --- *
887 *
888 * Arguments: @keyexch *kx@ = pointer to key exchange context
889 * @unsigned msg@ = type of incoming message
890 * @buf *b@ = decrypted remainder of the packet
891 *
892 * Returns: Zero if OK, nonzero on some kind of error.
893 *
894 * Use: Checks a reply or switch packet, ensuring that its response
895 * is correct.
896 */
0617b6e7 897
de7bd20b
MW		 898static int checkresponse(keyexch *kx, unsigned msg, buf *b)
899{
900 ge *r = G_CREATE(gg);
0617b6e7 901
5251b2e9 902 if (G_FROMRAW(gg, b, r)) {
de7bd20b 903 a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
0617b6e7 904 goto bad;
905 }
906 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
52c03a2a 907 trace(T_CRYPTO, "crypto: reply = %s", gestr(gg, r));
0617b6e7 908 }))
52c03a2a 909 if (!G_EQ(gg, r, kx->rx)) {
de7bd20b 910 a_warn("KX", "?PEER", kx->p, "incorrect", "response", A_END);
0617b6e7 911 goto bad;
912 }
913
52c03a2a 914 G_DESTROY(gg, r);
de7bd20b 915 return (0);
0617b6e7 916
917bad:
de7bd20b
MW		 918 G_DESTROY(gg, r);
919 return (-1);
410c8acf 920}
921
0617b6e7 922/* --- @commit@ --- *
410c8acf 923 *
924 * Arguments: @keyexch *kx@ = pointer to key exchange context
0617b6e7 925 * @kxchal *kxc@ = pointer to challenge to commit to
410c8acf 926 *
927 * Returns: ---
928 *
0617b6e7 929 * Use: Commits to a particular challenge as being the `right' one,
930 * since a reply has arrived for it.
410c8acf 931 */
932
0617b6e7 933static void commit(keyexch *kx, kxchal *kxc)
410c8acf 934{
0617b6e7 935 unsigned i;
410c8acf 936
0617b6e7 937 for (i = 0; i < kx->nr; i++) {
938 if (kx->r[i] != kxc)
939 kxc_destroy(kx->r[i]);
940 }
941 kx->r[0] = kxc;
942 kx->nr = 1;
943 kxc_stoptimer(kxc);
e04c2d50 944 ksl_link(kx->ks, kxc->ks);
410c8acf 945}
946
0617b6e7 947/* --- @doreply@ --- *
410c8acf 948 *
949 * Arguments: @keyexch *kx@ = pointer to key exchange context
0617b6e7 950 * @buf *b@ = buffer containing packet
410c8acf 951 *
0617b6e7 952 * Returns: Zero if OK, nonzero if the packet was rejected.
410c8acf 953 *
0617b6e7 954 * Use: Handles a reply packet. This doesn't handle the various
955 * switch packets: they're rather too different.
410c8acf 956 */
957
0617b6e7 958static int doreply(keyexch *kx, buf *b)
410c8acf 959{
0617b6e7 960 kxchal *kxc;
961
962 if (kx->s != KXS_CHAL && kx->s != KXS_COMMIT) {
f43df819 963 a_warn("KX", "?PEER", kx->p, "unexpected", "reply", A_END);
0617b6e7 964 goto bad;
965 }
de7bd20b
MW		 966 if ((kxc = respond(kx, KX_REPLY, b)) == 0 ||
967 decryptrest(kx, kxc, KX_REPLY, b) ||
968 checkresponse(kx, KX_REPLY, b))
0617b6e7 969 goto bad;
970 if (BLEFT(b)) {
f43df819 971 a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
0617b6e7 972 goto bad;
e04c2d50 973 }
0617b6e7 974 if (kx->s == KXS_CHAL) {
975 commit(kx, kxc);
976 kx->s = KXS_COMMIT;
977 }
978 resend(kx);
979 return (0);
980
981bad:
982 return (-1);
410c8acf 983}
984
3cdc3f3a 985/* --- @kxfinish@ --- *
986 *
987 * Arguments: @keyexch *kx@ = pointer to key exchange block
988 *
989 * Returns: ---
990 *
991 * Use: Sets everything up following a successful key exchange.
992 */
993
994static void kxfinish(keyexch *kx)
995{
996 kxchal *kxc = kx->r[0];
a06d57a3 997 struct timeval now, tv;
ff143952 998
3cdc3f3a 999 ks_activate(kxc->ks);
a06d57a3
MW		 1000 gettimeofday(&now, 0);
1001 f2tv(&tv, wobble(T_REGEN));
1002 TV_ADD(&tv, &now, &tv);
ff143952 1003 settimer(kx, &tv);
3cdc3f3a 1004 kx->s = KXS_SWITCH;
f43df819 1005 a_notify("KXDONE", "?PEER", kx->p, A_END);
3cdc3f3a 1006 p_stats(kx->p)->t_kx = time(0);
1007}
1008
0617b6e7 1009/* --- @doswitch@ --- *
410c8acf 1010 *
0617b6e7 1011 * Arguments: @keyexch *kx@ = pointer to key exchange block
1012 * @buf *b@ = pointer to buffer containing packet
410c8acf 1013 *
0617b6e7 1014 * Returns: Zero if OK, nonzero if the packet was rejected.
410c8acf 1015 *
0617b6e7 1016 * Use: Handles a reply with a switch request bolted onto it.
410c8acf 1017 */
1018
0617b6e7 1019static int doswitch(keyexch *kx, buf *b)
410c8acf 1020{
0617b6e7 1021 const octet *hc_in, *hc_out, *hswrq;
1022 kxchal *kxc;
410c8acf 1023
b5c45da1 1024 if ((hc_in = buf_get(b, algs.hashsz)) == 0 ||
1025 (hc_out = buf_get(b, algs.hashsz)) == 0) {
f43df819 1026 a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
0617b6e7 1027 goto bad;
410c8acf 1028 }
de7bd20b
MW		 1029 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
1030 trace_block(T_CRYPTO, "crypto: challenge", hc_in, algs.hashsz);
1031 trace_block(T_CRYPTO, "crypto: cookie", hc_out, algs.hashsz);
1032 }))
1033 if ((kxc = kxc_byhc(kx, hc_in)) == 0 ||
1034 memcmp(hc_out, kx->hc, algs.hashsz) != 0) {
1035 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
1036 goto bad;
1037 }
1038 if (decryptrest(kx, kxc, KX_SWITCH, b) ||
1039 checkresponse(kx, KX_SWITCH, b))
0617b6e7 1040 goto bad;
b5c45da1 1041 if ((hswrq = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
5ac9463b 1042 a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
0617b6e7 1043 goto bad;
1044 }
1045 IF_TRACING(T_KEYEXCH, {
b5c45da1 1046 trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, algs.hashsz);
0617b6e7 1047 })
b5c45da1 1048 if (memcmp(hswrq, kxc->hswrq_in, algs.hashsz) != 0) {
f43df819 1049 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
0617b6e7 1050 goto bad;
1051 }
de7bd20b
MW		 1052 if (kx->s == KXS_CHAL)
1053 commit(kx, kxc);
1054 if (kx->s < KXS_SWITCH)
1055 kxfinish(kx);
0617b6e7 1056 resend(kx);
1057 return (0);
1058
1059bad:
1060 return (-1);
410c8acf 1061}
1062
0617b6e7 1063/* --- @doswitchok@ --- *
1064 *
1065 * Arguments: @keyexch *kx@ = pointer to key exchange block
1066 * @buf *b@ = pointer to buffer containing packet
1067 *
1068 * Returns: Zero if OK, nonzero if the packet was rejected.
1069 *
1070 * Use: Handles a reply with a switch request bolted onto it.
1071 */
1072
1073static int doswitchok(keyexch *kx, buf *b)
410c8acf 1074{
0617b6e7 1075 const octet *hswok;
1076 kxchal *kxc;
1077 buf bb;
410c8acf 1078
0617b6e7 1079 if (kx->s < KXS_COMMIT) {
f43df819 1080 a_warn("KX", "?PEER", kx->p, "unexpected", "switch-ok", A_END);
0617b6e7 1081 goto bad;
410c8acf 1082 }
0617b6e7 1083 kxc = kx->r[0];
1084 buf_init(&bb, buf_o, sizeof(buf_o));
de7bd20b 1085 if (decryptrest(kx, kxc, KX_SWITCHOK, b))
0617b6e7 1086 goto bad;
b5c45da1 1087 if ((hswok = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
5ac9463b 1088 a_warn("KX", "?PEER", kx->p, "invalid", "switch-ok", A_END);
0617b6e7 1089 goto bad;
1090 }
1091 IF_TRACING(T_KEYEXCH, {
b5c45da1 1092 trace_block(T_CRYPTO, "crypto: switch confirmation hash",
1093 hswok, algs.hashsz);
0617b6e7 1094 })
b5c45da1 1095 if (memcmp(hswok, kxc->hswok_in, algs.hashsz) != 0) {
f43df819 1096 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-ok", A_END);
0617b6e7 1097 goto bad;
1098 }
3cdc3f3a 1099 if (kx->s < KXS_SWITCH)
1100 kxfinish(kx);
0617b6e7 1101 return (0);
1102
1103bad:
e04c2d50 1104 return (-1);
0617b6e7 1105}
1106
1107/*----- Main code ---------------------------------------------------------*/
1108
1109/* --- @stop@ --- *
1110 *
1111 * Arguments: @keyexch *kx@ = pointer to key exchange context
1112 *
1113 * Returns: ---
1114 *
1115 * Use: Stops a key exchange dead in its tracks. Throws away all of
1116 * the context information. The context is left in an
1117 * inconsistent state. The only functions which understand this
1118 * state are @kx_free@ and @kx_init@ (which cause it internally
1119 * it), and @start@ (which expects it to be the prevailing
1120 * state).
1121 */
1122
1123static void stop(keyexch *kx)
1124{
1125 unsigned i;
1126
00e64b67 1127 if (kx->f & KXF_DEAD)
1128 return;
1129
0617b6e7 1130 if (kx->f & KXF_TIMER)
1131 sel_rmtimer(&kx->t);
1132 for (i = 0; i < kx->nr; i++)
1133 kxc_destroy(kx->r[i]);
1134 mp_drop(kx->alpha);
52c03a2a 1135 G_DESTROY(gg, kx->c);
1136 G_DESTROY(gg, kx->rx);
00e64b67 1137 kx->t_valid = 0;
1138 kx->f |= KXF_DEAD;
1139 kx->f &= ~KXF_TIMER;
0617b6e7 1140}
1141
1142/* --- @start@ --- *
1143 *
1144 * Arguments: @keyexch *kx@ = pointer to key exchange context
1145 * @time_t now@ = the current time
1146 *
1147 * Returns: ---
1148 *
1149 * Use: Starts a new key exchange with the peer. The context must be
1150 * in the bizarre state left by @stop@ or @kx_init@.
1151 */
1152
1153static void start(keyexch *kx, time_t now)
1154{
b5c45da1 1155 ghash *h;
0617b6e7 1156
00e64b67 1157 assert(kx->f & KXF_DEAD);
1158
010e6f63 1159 kx->f &= ~(KXF_DEAD | KXF_CORK);
0617b6e7 1160 kx->nr = 0;
52c03a2a 1161 kx->alpha = mprand_range(MP_NEW, gg->r, &rand_global, 0);
1162 kx->c = G_CREATE(gg); G_EXP(gg, kx->c, gg->g, kx->alpha);
1163 kx->rx = G_CREATE(gg); G_EXP(gg, kx->rx, kx->kpub, kx->alpha);
0617b6e7 1164 kx->s = KXS_CHAL;
1165 kx->t_valid = now + T_VALID;
1166
b5c45da1 1167 h = GH_INIT(algs.h);
1168 HASH_STRING(h, "tripe-cookie");
1169 hashge(h, kx->c);
1170 GH_DONE(h, kx->hc);
1171 GH_DESTROY(h);
0617b6e7 1172
1173 IF_TRACING(T_KEYEXCH, {
1174 trace(T_KEYEXCH, "keyexch: creating new challenge");
1175 IF_TRACING(T_CRYPTO, {
1176 trace(T_CRYPTO, "crypto: secret = %s", mpstr(kx->alpha));
52c03a2a 1177 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, kx->c));
1178 trace(T_CRYPTO, "crypto: expected response = %s", gestr(gg, kx->rx));
b5c45da1 1179 trace_block(T_CRYPTO, "crypto: challenge cookie", kx->hc, algs.hashsz);
0617b6e7 1180 })
1181 })
410c8acf 1182}
1183
00e64b67 1184/* --- @checkpub@ --- *
1185 *
1186 * Arguments: @keyexch *kx@ = pointer to key exchange context
1187 *
1188 * Returns: Zero if OK, nonzero if the peer's public key has expired.
1189 *
1190 * Use: Deactivates the key-exchange until the peer acquires a new
1191 * public key.
1192 */
1193
1194static int checkpub(keyexch *kx)
1195{
1196 time_t now;
1197 if (kx->f & KXF_DEAD)
1198 return (-1);
1199 now = time(0);
1200 if (KEY_EXPIRED(now, kx->texp_kpub)) {
1201 stop(kx);
f43df819 1202 a_warn("KX", "?PEER", kx->p, "public-key-expired", A_END);
52c03a2a 1203 G_COPY(gg, kx->kpub, gg->i);
00e64b67 1204 kx->f &= ~KXF_PUBKEY;
1205 return (-1);
1206 }
1207 return (0);
1208}
1209
0617b6e7 1210/* --- @kx_start@ --- *
410c8acf 1211 *
1212 * Arguments: @keyexch *kx@ = pointer to key exchange context
de014da6 1213 * @int forcep@ = nonzero to ignore the quiet timer
410c8acf 1214 *
1215 * Returns: ---
1216 *
0617b6e7 1217 * Use: Stimulates a key exchange. If a key exchage is in progress,
1218 * a new challenge is sent (unless the quiet timer forbids
1219 * this); if no exchange is in progress, one is commenced.
410c8acf 1220 */
1221
de014da6 1222void kx_start(keyexch *kx, int forcep)
410c8acf 1223{
1224 time_t now = time(0);
410c8acf 1225
00e64b67 1226 if (checkpub(kx))
1227 return;
de014da6 1228 if (forcep || !VALIDP(kx, now)) {
0617b6e7 1229 stop(kx);
1230 start(kx, now);
f43df819 1231 a_notify("KXSTART", "?PEER", kx->p, A_END);
410c8acf 1232 }
0617b6e7 1233 resend(kx);
1234}
1235
1236/* --- @kx_message@ --- *
1237 *
1238 * Arguments: @keyexch *kx@ = pointer to key exchange context
1239 * @unsigned msg@ = the message code
1240 * @buf *b@ = pointer to buffer containing the packet
1241 *
1242 * Returns: ---
1243 *
1244 * Use: Reads a packet containing key exchange messages and handles
1245 * it.
1246 */
1247
1248void kx_message(keyexch *kx, unsigned msg, buf *b)
1249{
ff143952 1250 struct timeval now, tv;
0617b6e7 1251 stats *st = p_stats(kx->p);
1252 size_t sz = BSZ(b);
1253 int rc;
1254
ff143952 1255 gettimeofday(&now, 0);
a06d57a3 1256 rs_reset(&kx->rs);
010e6f63 1257 if (kx->f & KXF_CORK) {
ff143952 1258 start(kx, now.tv_sec);
a06d57a3 1259 rs_time(&kx->rs, &tv, &now);
ff143952 1260 settimer(kx, &tv);
010e6f63
MW		 1261 a_notify("KXSTART", A_END);
1262 }
1263
00e64b67 1264 if (checkpub(kx))
1265 return;
1266
ff143952 1267 if (!VALIDP(kx, now.tv_sec)) {
0617b6e7 1268 stop(kx);
ff143952 1269 start(kx, now.tv_sec);
410c8acf 1270 }
0617b6e7 1271 T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'",
1272 msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); )
1273
1274 switch (msg) {
1275 case KX_PRECHAL:
de7bd20b
MW		 1276 rc = doprechallenge(kx, b);
1277 break;
0617b6e7 1278 case KX_CHAL:
de7bd20b 1279 rc = dochallenge(kx, b);
0617b6e7 1280 break;
1281 case KX_REPLY:
1282 rc = doreply(kx, b);
1283 break;
1284 case KX_SWITCH:
1285 rc = doswitch(kx, b);
1286 break;
1287 case KX_SWITCHOK:
1288 rc = doswitchok(kx, b);
1289 break;
1290 default:
f43df819 1291 a_warn("KX", "?PEER", kx->p, "unknown-message", "0x%02x", msg, A_END);
0617b6e7 1292 rc = -1;
1293 break;
410c8acf 1294 }
410c8acf 1295
0617b6e7 1296 if (rc)
1297 st->n_reject++;
1298 else {
1299 st->n_kxin++;
1300 st->sz_kxin += sz;
1301 }
410c8acf 1302}
1303
1304/* --- @kx_free@ --- *
1305 *
1306 * Arguments: @keyexch *kx@ = pointer to key exchange context
1307 *
1308 * Returns: ---
1309 *
1310 * Use: Frees everything in a key exchange context.
1311 */
1312
1313void kx_free(keyexch *kx)
1314{
0617b6e7 1315 stop(kx);
52c03a2a 1316 G_DESTROY(gg, kx->kpub);
410c8acf 1317}
1318
1319/* --- @kx_newkeys@ --- *
1320 *
1321 * Arguments: @keyexch *kx@ = pointer to key exchange context
1322 *
1323 * Returns: ---
1324 *
1325 * Use: Informs the key exchange module that its keys may have
1326 * changed. If fetching the new keys fails, the peer will be
1327 * destroyed, we log messages and struggle along with the old
1328 * keys.
1329 */
1330
1331void kx_newkeys(keyexch *kx)
1332{
48b84569 1333 if (km_getpubkey(p_tag(kx->p), kx->kpub, &kx->texp_kpub))
410c8acf 1334 return;
00e64b67 1335 kx->f |= KXF_PUBKEY;
1336 if ((kx->f & KXF_DEAD) || kx->s != KXS_SWITCH) {
410c8acf 1337 T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'",
1338 p_name(kx->p)); )
00e64b67 1339 stop(kx);
1340 start(kx, time(0));
1341 resend(kx);
410c8acf 1342 }
1343}
1344
1345/* --- @kx_init@ --- *
1346 *
1347 * Arguments: @keyexch *kx@ = pointer to key exchange context
1348 * @peer *p@ = pointer to peer context
1349 * @keyset **ks@ = pointer to keyset list
010e6f63 1350 * @unsigned f@ = various useful flags
410c8acf 1351 *
1352 * Returns: Zero if OK, nonzero if it failed.
1353 *
1354 * Use: Initializes a key exchange module. The module currently
1355 * contains no keys, and will attempt to initiate a key
1356 * exchange.
1357 */
1358
010e6f63 1359int kx_init(keyexch *kx, peer *p, keyset **ks, unsigned f)
410c8acf 1360{
1361 kx->ks = ks;
1362 kx->p = p;
52c03a2a 1363 kx->kpub = G_CREATE(gg);
48b84569 1364 if (km_getpubkey(p_tag(p), kx->kpub, &kx->texp_kpub)) {
52c03a2a 1365 G_DESTROY(gg, kx->kpub);
410c8acf 1366 return (-1);
52c03a2a 1367 }
010e6f63 1368 kx->f = KXF_DEAD | KXF_PUBKEY | f;
a06d57a3 1369 rs_reset(&kx->rs);
010e6f63
MW		 1370 if (!(kx->f & KXF_CORK)) {
1371 start(kx, time(0));
1372 resend(kx);
1373 /* Don't notify here: the ADD message hasn't gone out yet. */
1374 }
410c8acf 1375 return (0);
1376}
1377
1378/*----- That's all, folks -------------------------------------------------*/
Trivial IP Encryption: a simple VPN