3 * $Id: keyexch.c,v 1.11 2004/04/03 12:35:13 mdw Exp $
5 * Key exchange protocol
7 * (c) 2001 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Trivial IP Encryption (TrIPE).
14 * TrIPE is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * TrIPE is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with TrIPE; if not, write to the Free Software Foundation,
26 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 /*----- Revision history --------------------------------------------------*
32 * Revision 1.11 2004/04/03 12:35:13 mdw
33 * Support elliptic curve key exchange.
35 * Revision 1.10 2003/10/15 09:29:38 mdw
36 * Cosmetic fix to changelog comment.
38 * Revision 1.9 2003/07/13 11:53:14 mdw
39 * Add protocol commentary.
41 * Revision 1.8 2003/07/13 11:19:49 mdw
42 * Incompatible protocol fix! Include message type code under MAC tag to
43 * prevent cut-and-paste from key-exchange messages to general packet
46 * Revision 1.7 2003/05/17 11:01:28 mdw
47 * Handle flags on challenge timers correctly to prevent confusing the event
50 * Revision 1.6 2003/04/06 10:26:35 mdw
51 * Report peer name on decrypt errors.
53 * Revision 1.5 2002/01/13 14:54:40 mdw
54 * Patch up zero-knowledge property by passing an encrypted log with a
55 * challenge, so that the prover can verify that the challenge is good.
57 * Revision 1.4 2001/06/22 19:40:36 mdw
58 * Support expiry of other peers' public keys.
60 * Revision 1.3 2001/06/19 22:07:09 mdw
63 * Revision 1.2 2001/02/16 21:24:27 mdw
64 * Rewrite for new key exchange protocol.
66 * Revision 1.1 2001/02/03 20:26:37 mdw
71 /*----- Header files ------------------------------------------------------*/
75 /*----- Brief protocol overview -------------------------------------------*
77 * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
78 * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
79 * application of the symmetric packet protocol to a message; let
80 * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
81 * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
82 * be Bob's public key.
84 * At the beginning of the session, Alice chooses
86 * %$\rho_A \inr \{0, \ldots q - 1\}$%
90 * %$r_A = g^{\rho_A}$% Alice's challenge
91 * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
92 * %$v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})$%
93 * Alice's challenge check value
94 * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
95 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
96 * Alice and Bob's shared secret key
97 * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
98 * Alice's switch request value
99 * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
100 * Alice's switch confirm value
102 * The messages are then:
104 * %$\cookie{kx-pre-challenge}, r_A$%
105 * Initial greeting. In state @KXS_CHAL@.
107 * %$\cookie{kx-cookie}, r_A, c_B$%
108 * My table is full but I got your message.
110 * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
111 * Here's a full challenge for you to answer.
113 * %$\cookie{kx-reply}, c_A, c_B, v_A, E_K(r_B^\alpha))$%
114 * Challenge accpeted: here's the answer. Commit to my challenge. Move
117 * %$\cookie{kx-switch}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
118 * Reply received: here's my reply. Committed; send data; move to
121 * %$\cookie{kx-switch-ok}, E_K(u_A))$%
122 * Switch received. Committed; send data; move to @KXS_SWITCH@.
125 /*----- Tunable parameters ------------------------------------------------*/
127 #define T_VALID MIN(2) /* Challenge validity period */
128 #define T_RETRY SEC(10) /* Challenge retransmit interval */
130 #define ISVALID(kx, now) ((now) < (kx)->t_valid)
132 /*----- Various utilities -------------------------------------------------*/
134 /* --- @hashge@ --- *
136 * Arguments: @HASH_CTX *r@ = pointer to hash context
137 * @ge *x@ = pointer to group element
141 * Use: Adds the hash of a group element to the context. Corrupts
145 static void hashge(HASH_CTX *r, ge *x)
148 buf_init(&b, buf_t, sizeof(buf_t));
151 HASH(r, BBASE(&b), BLEN(&b));
154 /* --- @mpcrypt@ --- *
156 * Arguments: @mp *d@ = the destination integer
157 * @mp *x@ = the plaintext/ciphertext integer
158 * @size_t sz@ = the expected size of the plaintext
159 * @const octet *k@ = pointer to key material
160 * @size_t ksz@ = size of the key
162 * Returns: The encrypted/decrypted integer.
164 * Use: Encrypts (or decrypts) a multiprecision integer. In fact,
165 * the title is a bit of a misnomer: we actually compute
166 * %$x \xor H(k)$%, so it's a random oracle thing rather than an
170 static mp *mpcrypt(mp *d, mp *x, size_t sz, const octet *k, size_t ksz)
174 MGF_INIT(&m, k, ksz, 0);
175 mp_storeb(x, buf_t, sz);
176 MGF_CRYPT(&m, buf_t, buf_t, sz);
177 return (mp_loadb(d, buf_t, sz));
182 * Arguments: @struct timeval *tv@ = the current time
183 * @void *v@ = pointer to key exchange context
187 * Use: Acts when the key exchange timer goes off.
190 static void timer(struct timeval *tv, void *v)
194 T( trace(T_KEYEXCH, "keyexch: timer has popped"); )
198 /* --- @settimer@ --- *
200 * Arguments: @keyexch *kx@ = pointer to key exchange context
201 * @time_t t@ = when to set the timer for
205 * Use: Sets the timer for the next key exchange attempt.
208 static void settimer(keyexch *kx, time_t t)
211 if (kx->f & KXF_TIMER)
215 sel_addtimer(&sel, &kx->t, &tv, timer, kx);
219 /*----- Challenge management ----------------------------------------------*/
221 /* --- Notes on challenge management --- *
223 * We may get multiple different replies to our key exchange; some will be
224 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
225 * received will be added to the table and given a full response. After
226 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
227 * our existing challenge, followed by a hash of the sender's challenge. We
228 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
229 * properly-formed cookies are assigned a table slot: if none is spare, a
230 * used slot is randomly selected and destroyed. A cookie always receives a
234 /* --- @kxc_destroy@ --- *
236 * Arguments: @kxchal *kxc@ = pointer to the challenge block
240 * Use: Disposes of a challenge block.
243 static void kxc_destroy(kxchal *kxc)
245 if (kxc->f & KXF_TIMER)
246 sel_rmtimer(&kxc->t);
247 G_DESTROY(gg, kxc->c);
248 if (kxc->r) G_DESTROY(gg, kxc->r);
254 /* --- @kxc_stoptimer@ --- *
256 * Arguments: @kxchal *kxc@ = pointer to the challenge block
260 * Use: Stops the challenge's retry timer from sending messages.
261 * Useful when the state machine is in the endgame of the
265 static void kxc_stoptimer(kxchal *kxc)
267 if (kxc->f & KXF_TIMER)
268 sel_rmtimer(&kxc->t);
269 kxc->f &= ~KXF_TIMER;
272 /* --- @kxc_new@ --- *
274 * Arguments: @keyexch *kx@ = pointer to key exchange block
276 * Returns: A pointer to the challenge block.
278 * Use: Returns a pointer to a new challenge block to fill in.
281 static kxchal *kxc_new(keyexch *kx)
286 /* --- If we're over reply threshold, discard one at random --- */
288 if (kx->nr < KX_NCHAL)
291 i = rand_global.ops->range(&rand_global, KX_NCHAL);
292 kxc_destroy(kx->r[i]);
295 /* --- Fill in the new structure --- */
297 kxc = CREATE(kxchal);
298 kxc->c = G_CREATE(gg);
308 /* --- @kxc_bychal@ --- *
310 * Arguments: @keyexch *kx@ = pointer to key exchange block
311 * @ge *c@ = challenge from remote host
313 * Returns: Pointer to the challenge block, or null.
315 * Use: Finds a challenge block, given its challenge.
318 static kxchal *kxc_bychal(keyexch *kx, ge *c)
322 for (i = 0; i < kx->nr; i++) {
323 if (G_EQ(gg, c, kx->r[i]->c))
329 /* --- @kxc_byhc@ --- *
331 * Arguments: @keyexch *kx@ = pointer to key exchange block
332 * @const octet *hc@ = challenge hash from remote host
334 * Returns: Pointer to the challenge block, or null.
336 * Use: Finds a challenge block, given a hash of its challenge.
339 static kxchal *kxc_byhc(keyexch *kx, const octet *hc)
343 for (i = 0; i < kx->nr; i++) {
344 if (memcmp(hc, kx->r[i]->hc, HASHSZ) == 0)
350 /* --- @kxc_answer@ --- *
352 * Arguments: @keyexch *kx@ = pointer to key exchange block
353 * @kxchal *kxc@ = pointer to challenge block
357 * Use: Sends a reply to the remote host, according to the data in
358 * this challenge block.
361 static void kxc_answer(keyexch *kx, kxchal *kxc);
363 static void kxc_timer(struct timeval *tv, void *v)
366 kxc->f &= ~KXF_TIMER;
367 kxc_answer(kxc->kx, kxc);
370 static void kxc_answer(keyexch *kx, kxchal *kxc)
372 stats *st = p_stats(kx->p);
373 buf *b = p_txstart(kx->p, MSG_KEYEXCH | (kxc->r ? KX_REPLY : KX_CHAL));
377 /* --- Build the reply packet --- */
380 G_TOBUF(gg, b, kx->c);
382 buf_put(b, kx->hc, HASHSZ);
383 buf_put(b, kxc->hc, HASHSZ);
384 buf_putmp(b, kxc->ck);
386 /* --- Maybe send an actual reply, if we have one --- */
389 T( trace(T_KEYEXCH, "keyexch: resending challenge to `%s'",
392 T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
393 buf_init(&bb, buf_i, sizeof(buf_i));
394 G_TOBUF(gg, &bb, kxc->r);
396 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
399 /* --- Update the statistics --- */
403 st->sz_kxout += BLEN(b);
407 /* --- Schedule another resend --- */
409 if (kxc->f & KXF_TIMER)
410 sel_rmtimer(&kxc->t);
411 gettimeofday(&tv, 0);
412 tv.tv_sec += T_RETRY;
413 sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc);
417 /*----- Individual message handlers ---------------------------------------*/
419 /* --- @getreply@ --- *
421 * Arguments: @keyexch *kx@ = pointer to key exchange context
422 * @ge *c@ = a challenge
423 * @mp *ck@ = the supplied expected-reply check value
425 * Returns: A pointer to the reply, or null if the reply-hash was wrong.
427 * Use: Computes replies to challenges.
430 static ge *getreply(keyexch *kx, ge *c, mp *ck)
432 ge *r = G_CREATE(gg);
433 ge *y = G_CREATE(gg);
439 G_EXP(gg, r, c, kpriv);
441 HASH_STRING(&h, "tripe-expected-reply");
447 a = mpcrypt(MP_NEW, ck, mp_octets(gg->r), buf, sizeof(buf));
448 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
449 trace(T_CRYPTO, "crypto: computed reply = %s", gestr(gg, r));
450 trace_block(T_CRYPTO, "crypto: computed reply hash", buf, HASHSZ);
451 trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(a));
453 G_EXP(gg, y, gg->g, a);
456 a_warn("invalid expected-reply check from `%s'", p_name(kx->p));
457 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
458 trace(T_CRYPTO, "crypto: computed challenge = %s", gestr(gg, y));
468 /* --- @dochallenge@ --- *
470 * Arguments: @keyexch *kx@ = pointer to key exchange block
471 * @unsigned msg@ = message code for the packet
472 * @buf *b@ = buffer containing the packet
474 * Returns: Zero if OK, nonzero if the packet was rejected.
476 * Use: Processes a packet containing a challenge.
479 static int dochallenge(keyexch *kx, unsigned msg, buf *b)
481 ge *c = G_CREATE(gg);
488 /* --- Ensure that we're in a sensible state --- */
490 if (kx->s != KXS_CHAL) {
491 a_warn("unexpected challenge from `%s'", p_name(kx->p));
495 /* --- Unpack the packet --- */
497 if (G_FROMBUF(gg, b, c) ||
498 (msg >= KX_COOKIE && (hc = buf_get(b, HASHSZ)) == 0) ||
499 (msg >= KX_CHAL && (ck = buf_getmp(b)) == 0) ||
501 a_warn("malformed packet from `%s'", p_name(kx->p));
505 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
506 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
507 if (hc) trace_block(T_CRYPTO, "crypto: cookie", hc, HASHSZ);
508 if (ck) trace(T_CRYPTO, "crypto: check value = %s", mpstr(ck));
511 /* --- First, handle a bare challenge --- *
513 * If the table is heavily loaded, just emit a cookie and return.
516 if (!hc && kx->nr >= KX_THRESH) {
517 T( trace(T_KEYEXCH, "keyexch: too many challenges -- sending cookie"); )
518 b = p_txstart(kx->p, MSG_KEYEXCH | KX_COOKIE);
519 G_TOBUF(gg, b, kx->c);
521 HASH_STRING(&h, "tripe-cookie");
523 HASH_DONE(&h, buf_get(b, HASHSZ));
528 /* --- Discard a packet with an invalid cookie --- */
530 if (hc && memcmp(hc, kx->hc, HASHSZ) != 0) {
531 a_warn("incorrect cookie from `%s'", p_name(kx->p));
535 /* --- Find a challenge block for this packet --- *
537 * If there isn't one already, create a new one.
540 if ((kxc = kxc_bychal(kx, c)) == 0) {
544 /* --- Be careful here --- *
546 * If this is a full challenge, and it's the first time I've seen it, I
547 * want to be able to throw it away before committing a table entry to
554 if ((r = getreply(kx, c, ck)) == 0)
559 kxc->c = G_CREATE(gg);
560 G_COPY(gg, kxc->c, c);
562 /* --- Work out the cookie for this challenge --- */
565 HASH_STRING(&h, "tripe-cookie");
567 HASH_DONE(&h, kxc->hc);
569 /* --- Compute the expected-reply hash --- */
572 HASH_STRING(&h, "tripe-expected-reply");
577 kxc->ck = mpcrypt(MP_NEW, kx->alpha, mp_octets(gg->r),
580 /* --- Work out the shared key --- */
583 G_EXP(gg, r, c, kx->alpha);
585 /* --- Compute the switch messages --- */
587 HASH_INIT(&h); HASH_STRING(&h, "tripe-switch-request");
588 hashge(&h, kx->c); hashge(&h, kxc->c);
589 HASH_DONE(&h, kxc->hswrq_out);
590 HASH_INIT(&h); HASH_STRING(&h, "tripe-switch-confirm");
591 hashge(&h, kx->c); hashge(&h, kxc->c);
592 HASH_DONE(&h, kxc->hswok_out);
594 HASH_INIT(&h); HASH_STRING(&h, "tripe-switch-request");
595 hashge(&h, kxc->c); hashge(&h, kx->c);
596 HASH_DONE(&h, kxc->hswrq_in);
597 HASH_INIT(&h); HASH_STRING(&h, "tripe-switch-confirm");
598 hashge(&h, kxc->c); hashge(&h, kx->c);
599 HASH_DONE(&h, kxc->hswok_in);
601 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
602 trace_block(T_CRYPTO, "crypto: computed cookie", kxc->hc, HASHSZ);
603 trace_block(T_CRYPTO, "crypto: expected-reply hash",
605 trace(T_CRYPTO, "crypto: my reply check = %s", mpstr(kxc->ck));
606 trace(T_CRYPTO, "crypto: shared secret = %s", gestr(gg, r));
607 trace_block(T_CRYPTO, "crypto: outbound switch request",
608 kxc->hswrq_out, HASHSZ);
609 trace_block(T_CRYPTO, "crypto: outbound switch confirm",
610 kxc->hswok_out, HASHSZ);
611 trace_block(T_CRYPTO, "crypto: inbound switch request",
612 kxc->hswrq_in, HASHSZ);
613 trace_block(T_CRYPTO, "crypto: inbound switch confirm",
614 kxc->hswok_in, HASHSZ);
617 /* --- Create a new symmetric keyset --- */
619 buf_init(b, buf_o, sizeof(buf_o));
620 G_TOBUF(gg, b, kx->c); x = BLEN(b);
621 G_TOBUF(gg, b, kxc->c); y = BLEN(b);
622 G_TOBUF(gg, b, r); z = BLEN(b);
625 kxc->ks = ks_gen(BBASE(b), x, y, z, kx->p);
629 /* --- Answer the challenge if we need to --- */
633 if ((r = getreply(kx, c, ck)) == 0)
640 /* --- Tidy up and go home --- */
653 /* --- @resend@ --- *
655 * Arguments: @keyexch *kx@ = pointer to key exchange context
659 * Use: Sends the next message for a key exchange.
662 static void resend(keyexch *kx)
666 stats *st = p_stats(kx->p);
671 T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'",
673 b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL);
674 G_TOBUF(gg, b, kx->c);
677 T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'",
680 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH);
681 buf_put(b, kx->hc, HASHSZ);
682 buf_put(b, kxc->hc, HASHSZ);
683 buf_init(&bb, buf_i, sizeof(buf_i));
684 G_TOBUF(gg, &bb, kxc->r);
685 buf_put(&bb, kxc->hswrq_out, HASHSZ);
687 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCH, &bb, b);
690 T( trace(T_KEYEXCH, "keyexch: sending switch confirmation to `%s'",
693 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK);
694 buf_init(&bb, buf_i, sizeof(buf_i));
695 buf_put(&bb, kxc->hswok_out, HASHSZ);
697 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, &bb, b);
705 st->sz_kxout += BLEN(b);
709 if (kx->s < KXS_SWITCH)
710 settimer(kx, time(0) + T_RETRY);
713 /* --- @matchreply@ --- *
715 * Arguments: @keyexch *kx@ = pointer to key exchange context
716 * @unsigned ty@ = type of incoming message
717 * @const octet *hc_in@ = a hash of his challenge
718 * @const octet *hc_out@ = a hash of my challenge (cookie)
719 * @mp *ck@ = his expected-reply hash (optional)
720 * @buf *b@ = encrypted remainder of the packet
722 * Returns: A pointer to the challenge block if OK, or null on failure.
724 * Use: Checks a reply or switch packet, ensuring that its contents
725 * are sensible and correct. If they are, @*b@ is set to point
726 * to the remainder of the encrypted data, and the correct
727 * challenge is returned.
730 static kxchal *matchreply(keyexch *kx, unsigned ty, const octet *hc_in,
731 const octet *hc_out, mp *ck, buf *b)
737 /* --- Check the plaintext portions of the data --- */
739 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
740 trace_block(T_CRYPTO, "crypto: challenge", hc_in, HASHSZ);
741 trace_block(T_CRYPTO, "crypto: cookie", hc_out, HASHSZ);
742 if (ck) trace(T_CRYPTO, "crypto: check value = %s", mpstr(ck));
744 if (memcmp(hc_out, kx->hc, HASHSZ) != 0) {
745 a_warn("incorrect cookie from `%s'", p_name(kx->p));
748 if ((kxc = kxc_byhc(kx, hc_in)) == 0) {
749 a_warn("received reply for unknown challenge from `%s'", p_name(kx->p));
753 /* --- Maybe compute a reply for the challenge --- */
757 a_warn("unexpected switch request from `%s'", p_name(kx->p));
760 if ((r = getreply(kx, kxc->c, ck)) == 0)
766 /* --- Decrypt the rest of the packet --- */
768 buf_init(&bb, buf_o, sizeof(buf_o));
769 if (ks_decrypt(kxc->ks, ty, b, &bb)) {
770 a_warn("failed to decrypt reply from `%s'", p_name(kx->p));
773 buf_init(b, BBASE(&bb), BLEN(&bb));
775 if (G_FROMBUF(gg, b, r)) {
776 a_warn("invalid reply packet from `%s'", p_name(kx->p));
779 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
780 trace(T_CRYPTO, "crypto: reply = %s", gestr(gg, r));
782 if (!G_EQ(gg, r, kx->rx)) {
783 a_warn("incorrect reply from `%s'", p_name(kx->p));
793 if (r) G_DESTROY(gg, r);
797 /* --- @commit@ --- *
799 * Arguments: @keyexch *kx@ = pointer to key exchange context
800 * @kxchal *kxc@ = pointer to challenge to commit to
804 * Use: Commits to a particular challenge as being the `right' one,
805 * since a reply has arrived for it.
808 static void commit(keyexch *kx, kxchal *kxc)
812 for (i = 0; i < kx->nr; i++) {
814 kxc_destroy(kx->r[i]);
819 ksl_link(kx->ks, kxc->ks);
822 /* --- @doreply@ --- *
824 * Arguments: @keyexch *kx@ = pointer to key exchange context
825 * @buf *b@ = buffer containing packet
827 * Returns: Zero if OK, nonzero if the packet was rejected.
829 * Use: Handles a reply packet. This doesn't handle the various
830 * switch packets: they're rather too different.
833 static int doreply(keyexch *kx, buf *b)
835 const octet *hc_in, *hc_out;
839 if (kx->s != KXS_CHAL && kx->s != KXS_COMMIT) {
840 a_warn("unexpected reply from `%s'", p_name(kx->p));
843 if ((hc_in = buf_get(b, HASHSZ)) == 0 ||
844 (hc_out = buf_get(b, HASHSZ)) == 0 ||
845 (ck = buf_getmp(b)) == 0) {
846 a_warn("invalid reply packet from `%s'", p_name(kx->p));
849 if ((kxc = matchreply(kx, MSG_KEYEXCH | KX_REPLY,
850 hc_in, hc_out, ck, b)) == 0)
853 a_warn("invalid reply packet from `%s'", p_name(kx->p));
856 if (kx->s == KXS_CHAL) {
868 /* --- @doswitch@ --- *
870 * Arguments: @keyexch *kx@ = pointer to key exchange block
871 * @buf *b@ = pointer to buffer containing packet
873 * Returns: Zero if OK, nonzero if the packet was rejected.
875 * Use: Handles a reply with a switch request bolted onto it.
878 static int doswitch(keyexch *kx, buf *b)
880 const octet *hc_in, *hc_out, *hswrq;
883 if ((hc_in = buf_get(b, HASHSZ)) == 0 ||
884 (hc_out = buf_get(b, HASHSZ)) == 0) {
885 a_warn("invalid switch request from `%s'", p_name(kx->p));
888 if ((kxc = matchreply(kx, MSG_KEYEXCH | KX_SWITCH,
889 hc_in, hc_out, 0, b)) == 0)
891 if ((hswrq = buf_get(b, HASHSZ)) == 0 || BLEFT(b)) {
892 a_warn("invalid switch request from `%s'", p_name(kx->p));
895 IF_TRACING(T_KEYEXCH, {
896 trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, HASHSZ);
898 if (memcmp(hswrq, kxc->hswrq_in, HASHSZ) != 0) {
899 a_warn("incorrect switch request hash from `%s'", p_name(kx->p));
906 ks_activate(kxc->ks);
907 settimer(kx, ks_tregen(kxc->ks));
918 /* --- @doswitchok@ --- *
920 * Arguments: @keyexch *kx@ = pointer to key exchange block
921 * @buf *b@ = pointer to buffer containing packet
923 * Returns: Zero if OK, nonzero if the packet was rejected.
925 * Use: Handles a reply with a switch request bolted onto it.
928 static int doswitchok(keyexch *kx, buf *b)
934 if (kx->s < KXS_COMMIT) {
935 a_warn("unexpected switch confirmation from `%s'", p_name(kx->p));
939 buf_init(&bb, buf_o, sizeof(buf_o));
940 if (ks_decrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, b, &bb)) {
941 a_warn("failed to decrypt switch confirmation from `%s'", p_name(kx->p));
944 buf_init(b, BBASE(&bb), BLEN(&bb));
945 if ((hswok = buf_get(b, HASHSZ)) == 0 || BLEFT(b)) {
946 a_warn("invalid switch confirmation from `%s'", p_name(kx->p));
949 IF_TRACING(T_KEYEXCH, {
950 trace_block(T_CRYPTO, "crypto: switch confirmation hash", hswok, HASHSZ);
952 if (memcmp(hswok, kxc->hswok_in, HASHSZ) != 0) {
953 a_warn("incorrect switch confirmation hash from `%s'", p_name(kx->p));
956 if (kx->s < KXS_SWITCH) {
957 ks_activate(kxc->ks);
958 settimer(kx, ks_tregen(kxc->ks));
967 /*----- Main code ---------------------------------------------------------*/
971 * Arguments: @keyexch *kx@ = pointer to key exchange context
975 * Use: Stops a key exchange dead in its tracks. Throws away all of
976 * the context information. The context is left in an
977 * inconsistent state. The only functions which understand this
978 * state are @kx_free@ and @kx_init@ (which cause it internally
979 * it), and @start@ (which expects it to be the prevailing
983 static void stop(keyexch *kx)
987 if (kx->f & KXF_DEAD)
990 if (kx->f & KXF_TIMER)
992 for (i = 0; i < kx->nr; i++)
993 kxc_destroy(kx->r[i]);
995 G_DESTROY(gg, kx->c);
996 G_DESTROY(gg, kx->rx);
1002 /* --- @start@ --- *
1004 * Arguments: @keyexch *kx@ = pointer to key exchange context
1005 * @time_t now@ = the current time
1009 * Use: Starts a new key exchange with the peer. The context must be
1010 * in the bizarre state left by @stop@ or @kx_init@.
1013 static void start(keyexch *kx, time_t now)
1017 assert(kx->f & KXF_DEAD);
1021 kx->alpha = mprand_range(MP_NEW, gg->r, &rand_global, 0);
1022 kx->c = G_CREATE(gg); G_EXP(gg, kx->c, gg->g, kx->alpha);
1023 kx->rx = G_CREATE(gg); G_EXP(gg, kx->rx, kx->kpub, kx->alpha);
1025 kx->t_valid = now + T_VALID;
1028 HASH_STRING(&h, "tripe-cookie");
1030 HASH_DONE(&h, kx->hc);
1032 IF_TRACING(T_KEYEXCH, {
1033 trace(T_KEYEXCH, "keyexch: creating new challenge");
1034 IF_TRACING(T_CRYPTO, {
1035 trace(T_CRYPTO, "crypto: secret = %s", mpstr(kx->alpha));
1036 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, kx->c));
1037 trace(T_CRYPTO, "crypto: expected response = %s", gestr(gg, kx->rx));
1038 trace_block(T_CRYPTO, "crypto: challenge cookie", kx->hc, HASHSZ);
1043 /* --- @checkpub@ --- *
1045 * Arguments: @keyexch *kx@ = pointer to key exchange context
1047 * Returns: Zero if OK, nonzero if the peer's public key has expired.
1049 * Use: Deactivates the key-exchange until the peer acquires a new
1053 static int checkpub(keyexch *kx)
1056 if (kx->f & KXF_DEAD)
1059 if (KEY_EXPIRED(now, kx->texp_kpub)) {
1061 a_warn("public key for `%s' has expired", p_name(kx->p));
1062 G_COPY(gg, kx->kpub, gg->i);
1063 kx->f &= ~KXF_PUBKEY;
1069 /* --- @kx_start@ --- *
1071 * Arguments: @keyexch *kx@ = pointer to key exchange context
1075 * Use: Stimulates a key exchange. If a key exchage is in progress,
1076 * a new challenge is sent (unless the quiet timer forbids
1077 * this); if no exchange is in progress, one is commenced.
1080 void kx_start(keyexch *kx)
1082 time_t now = time(0);
1086 if (!ISVALID(kx, now)) {
1093 /* --- @kx_message@ --- *
1095 * Arguments: @keyexch *kx@ = pointer to key exchange context
1096 * @unsigned msg@ = the message code
1097 * @buf *b@ = pointer to buffer containing the packet
1101 * Use: Reads a packet containing key exchange messages and handles
1105 void kx_message(keyexch *kx, unsigned msg, buf *b)
1107 time_t now = time(0);
1108 stats *st = p_stats(kx->p);
1113 static const char *const pkname[] = {
1114 "prechallenge", "cookie", "challenge",
1115 "reply", "switch request", "switch confirmation"
1122 if (!ISVALID(kx, now)) {
1127 T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'",
1128 msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); )
1134 rc = dochallenge(kx, msg, b);
1137 rc = doreply(kx, b);
1140 rc = doswitch(kx, b);
1143 rc = doswitchok(kx, b);
1146 a_warn("unexpected key exchange message type %u from `%p'",
1160 /* --- @kx_free@ --- *
1162 * Arguments: @keyexch *kx@ = pointer to key exchange context
1166 * Use: Frees everything in a key exchange context.
1169 void kx_free(keyexch *kx)
1172 G_DESTROY(gg, kx->kpub);
1175 /* --- @kx_newkeys@ --- *
1177 * Arguments: @keyexch *kx@ = pointer to key exchange context
1181 * Use: Informs the key exchange module that its keys may have
1182 * changed. If fetching the new keys fails, the peer will be
1183 * destroyed, we log messages and struggle along with the old
1187 void kx_newkeys(keyexch *kx)
1189 if (km_getpubkey(p_name(kx->p), kx->kpub, &kx->texp_kpub))
1191 kx->f |= KXF_PUBKEY;
1192 if ((kx->f & KXF_DEAD) || kx->s != KXS_SWITCH) {
1193 T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'",
1201 /* --- @kx_init@ --- *
1203 * Arguments: @keyexch *kx@ = pointer to key exchange context
1204 * @peer *p@ = pointer to peer context
1205 * @keyset **ks@ = pointer to keyset list
1207 * Returns: Zero if OK, nonzero if it failed.
1209 * Use: Initializes a key exchange module. The module currently
1210 * contains no keys, and will attempt to initiate a key
1214 int kx_init(keyexch *kx, peer *p, keyset **ks)
1218 kx->kpub = G_CREATE(gg);
1219 if (km_getpubkey(p_name(p), kx->kpub, &kx->texp_kpub)) {
1220 G_DESTROY(gg, kx->kpub);
1223 kx->f = KXF_DEAD | KXF_PUBKEY;
1229 /*----- That's all, folks -------------------------------------------------*/