5 * Key exchange protocol
7 * (c) 2001 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Trivial IP Encryption (TrIPE).
14 * TrIPE is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * TrIPE is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with TrIPE; if not, write to the Free Software Foundation,
26 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 /*----- Header files ------------------------------------------------------*/
33 /*----- Brief protocol overview -------------------------------------------*
35 * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
36 * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
37 * application of the symmetric packet protocol to a message; let
38 * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
39 * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
40 * be Bob's public key.
42 * At the beginning of the session, Alice chooses
44 * %$\rho_A \inr \{0, \ldots q - 1\}$%
48 * %$r_A = g^{\rho_A}$% Alice's challenge
49 * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
50 * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
51 * Alice's challenge check value
52 * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
53 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
54 * Alice and Bob's shared secret key
55 * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
56 * Alice's switch request value
57 * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
58 * Alice's switch confirm value
60 * The messages are then:
62 * %$\cookie{kx-pre-challenge}, r_A$%
63 * Initial greeting. In state @KXS_CHAL@.
65 * %$\cookie{kx-cookie}, r_A, c_B$%
66 * My table is full but I got your message.
68 * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
69 * Here's a full challenge for you to answer.
71 * %$\cookie{kx-reply}, c_A, c_B, v_A, E_K(r_B^\alpha))$%
72 * Challenge accpeted: here's the answer. Commit to my challenge. Move
75 * %$\cookie{kx-switch-rq}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
76 * Reply received: here's my reply. Committed; send data; move to
79 * %$\cookie{kx-switch-ok}, E_K(u_A))$%
80 * Switch received. Committed; send data; move to @KXS_SWITCH@.
83 /*----- Tunable parameters ------------------------------------------------*/
85 #define T_VALID MIN(2) /* Challenge validity period */
86 #define T_RETRY SEC(10) /* Challenge retransmit interval */
88 #define VALIDP(kx, now) ((now) < (kx)->t_valid)
90 /*----- Static tables -----------------------------------------------------*/
92 static const char *const pkname[] = {
93 "pre-challenge", "cookie", "challenge",
94 "reply", "switch-rq", "switch-ok"
97 /*----- Various utilities -------------------------------------------------*/
101 * Arguments: @ghash *h@ = pointer to hash context
102 * @ge *x@ = pointer to group element
106 * Use: Adds the hash of a group element to the context. Corrupts
110 static void hashge(ghash *h, ge *x)
113 buf_init(&b, buf_t, sizeof(buf_t));
116 GH_HASH(h, BBASE(&b), BLEN(&b));
119 /* --- @mpencrypt@, @mpdecrypt@ --- *
121 * Arguments: @mp *d@ = the destination integer
122 * @mp *x@ = the plaintext/ciphertext integer
123 * @size_t sz@ = the expected size of the plaintext
124 * @const octet *k@ = pointer to key material
126 * Returns: The encrypted/decrypted integer.
128 * Use: Encrypts (or decrypts) a multiprecision integer. In fact,
129 * the title is a bit of a misnomer: we actually compute
130 * %$x \xor H(k)$%, so it's a random oracle thing rather than an
134 static mp *mpencrypt(mp *d, mp *x, size_t sz, const octet *k)
138 mgf = GC_INIT(algs.mgf, k, algs.hashsz);
139 mp_storeb(x, buf_t, sz);
140 GC_ENCRYPT(mgf, buf_t, buf_t, sz);
142 return (mp_loadb(d, buf_t, sz));
145 static mp *mpdecrypt(mp *d, mp *x, size_t sz, const octet *k)
149 mgf = GC_INIT(algs.mgf, k, algs.hashsz);
150 mp_storeb(x, buf_t, sz);
151 GC_DECRYPT(mgf, buf_t, buf_t, sz);
153 return (mp_loadb(d, buf_t, sz));
158 * Arguments: @struct timeval *tv@ = the current time
159 * @void *v@ = pointer to key exchange context
163 * Use: Acts when the key exchange timer goes off.
166 static void timer(struct timeval *tv, void *v)
170 T( trace(T_KEYEXCH, "keyexch: timer has popped"); )
174 /* --- @settimer@ --- *
176 * Arguments: @keyexch *kx@ = pointer to key exchange context
177 * @time_t t@ = when to set the timer for
181 * Use: Sets the timer for the next key exchange attempt.
184 static void settimer(keyexch *kx, time_t t)
187 if (kx->f & KXF_TIMER)
191 sel_addtimer(&sel, &kx->t, &tv, timer, kx);
195 /*----- Challenge management ----------------------------------------------*/
197 /* --- Notes on challenge management --- *
199 * We may get multiple different replies to our key exchange; some will be
200 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
201 * received will be added to the table and given a full response. After
202 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
203 * our existing challenge, followed by a hash of the sender's challenge. We
204 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
205 * properly-formed cookies are assigned a table slot: if none is spare, a
206 * used slot is randomly selected and destroyed. A cookie always receives a
210 /* --- @kxc_destroy@ --- *
212 * Arguments: @kxchal *kxc@ = pointer to the challenge block
216 * Use: Disposes of a challenge block.
219 static void kxc_destroy(kxchal *kxc)
221 if (kxc->f & KXF_TIMER)
222 sel_rmtimer(&kxc->t);
223 G_DESTROY(gg, kxc->c);
224 if (kxc->r) G_DESTROY(gg, kxc->r);
230 /* --- @kxc_stoptimer@ --- *
232 * Arguments: @kxchal *kxc@ = pointer to the challenge block
236 * Use: Stops the challenge's retry timer from sending messages.
237 * Useful when the state machine is in the endgame of the
241 static void kxc_stoptimer(kxchal *kxc)
243 if (kxc->f & KXF_TIMER)
244 sel_rmtimer(&kxc->t);
245 kxc->f &= ~KXF_TIMER;
248 /* --- @kxc_new@ --- *
250 * Arguments: @keyexch *kx@ = pointer to key exchange block
252 * Returns: A pointer to the challenge block.
254 * Use: Returns a pointer to a new challenge block to fill in.
257 static kxchal *kxc_new(keyexch *kx)
262 /* --- If we're over reply threshold, discard one at random --- */
264 if (kx->nr < KX_NCHAL)
267 i = rand_global.ops->range(&rand_global, KX_NCHAL);
268 kxc_destroy(kx->r[i]);
271 /* --- Fill in the new structure --- */
273 kxc = CREATE(kxchal);
274 kxc->c = G_CREATE(gg);
284 /* --- @kxc_bychal@ --- *
286 * Arguments: @keyexch *kx@ = pointer to key exchange block
287 * @ge *c@ = challenge from remote host
289 * Returns: Pointer to the challenge block, or null.
291 * Use: Finds a challenge block, given its challenge.
294 static kxchal *kxc_bychal(keyexch *kx, ge *c)
298 for (i = 0; i < kx->nr; i++) {
299 if (G_EQ(gg, c, kx->r[i]->c))
305 /* --- @kxc_byhc@ --- *
307 * Arguments: @keyexch *kx@ = pointer to key exchange block
308 * @const octet *hc@ = challenge hash from remote host
310 * Returns: Pointer to the challenge block, or null.
312 * Use: Finds a challenge block, given a hash of its challenge.
315 static kxchal *kxc_byhc(keyexch *kx, const octet *hc)
319 for (i = 0; i < kx->nr; i++) {
320 if (memcmp(hc, kx->r[i]->hc, algs.hashsz) == 0)
326 /* --- @kxc_answer@ --- *
328 * Arguments: @keyexch *kx@ = pointer to key exchange block
329 * @kxchal *kxc@ = pointer to challenge block
333 * Use: Sends a reply to the remote host, according to the data in
334 * this challenge block.
337 static void kxc_answer(keyexch *kx, kxchal *kxc);
339 static void kxc_timer(struct timeval *tv, void *v)
342 kxc->f &= ~KXF_TIMER;
343 kxc_answer(kxc->kx, kxc);
346 static void kxc_answer(keyexch *kx, kxchal *kxc)
348 stats *st = p_stats(kx->p);
349 buf *b = p_txstart(kx->p, MSG_KEYEXCH | (kxc->r ? KX_REPLY : KX_CHAL));
353 /* --- Build the reply packet --- */
356 G_TOBUF(gg, b, kx->c);
358 buf_put(b, kx->hc, algs.hashsz);
359 buf_put(b, kxc->hc, algs.hashsz);
360 buf_putmp(b, kxc->ck);
362 /* --- Maybe send an actual reply, if we have one --- */
365 T( trace(T_KEYEXCH, "keyexch: resending challenge to `%s'",
368 T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
369 buf_init(&bb, buf_i, sizeof(buf_i));
370 G_TORAW(gg, &bb, kxc->r);
372 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
375 /* --- Update the statistics --- */
379 st->sz_kxout += BLEN(b);
383 /* --- Schedule another resend --- */
385 if (kxc->f & KXF_TIMER)
386 sel_rmtimer(&kxc->t);
387 gettimeofday(&tv, 0);
388 tv.tv_sec += T_RETRY;
389 sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc);
393 /*----- Individual message handlers ---------------------------------------*/
395 /* --- @getreply@ --- *
397 * Arguments: @keyexch *kx@ = pointer to key exchange context
398 * @ge *c@ = a challenge
399 * @mp *ck@ = the supplied expected-reply check value
401 * Returns: A pointer to the reply, or null if the reply-hash was wrong.
403 * Use: Computes replies to challenges.
406 static ge *getreply(keyexch *kx, ge *c, mp *ck)
408 ge *r = G_CREATE(gg);
409 ge *y = G_CREATE(gg);
415 G_EXP(gg, r, c, kpriv);
417 HASH_STRING(h, "tripe-expected-reply");
424 a = mpdecrypt(MP_NEW, ck, mp_octets(gg->r), hh);
425 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
426 trace(T_CRYPTO, "crypto: computed reply = %s", gestr(gg, r));
427 trace_block(T_CRYPTO, "crypto: computed reply hash", hh, algs.hashsz);
428 trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(a));
431 if (MP_CMP(a, >=, gg->r))
434 G_EXP(gg, y, gg->g, a);
438 a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
439 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
440 trace(T_CRYPTO, "crypto: computed challenge = %s", gestr(gg, y));
450 /* --- @dochallenge@ --- *
452 * Arguments: @keyexch *kx@ = pointer to key exchange block
453 * @unsigned msg@ = message code for the packet
454 * @buf *b@ = buffer containing the packet
456 * Returns: Zero if OK, nonzero if the packet was rejected.
458 * Use: Processes a packet containing a challenge.
461 static int dochallenge(keyexch *kx, unsigned msg, buf *b)
463 ge *c = G_CREATE(gg);
469 /* --- Ensure that we're in a sensible state --- */
471 if (kx->s != KXS_CHAL) {
472 a_warn("KX", "?PEER", kx->p, "unexpected", "%s", pkname[msg], A_END);
476 /* --- Unpack the packet --- */
478 if (G_FROMBUF(gg, b, c) ||
479 (msg >= KX_COOKIE && (hc = buf_get(b, algs.hashsz)) == 0) ||
480 (msg >= KX_CHAL && (ck = buf_getmp(b)) == 0) ||
482 a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
486 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
487 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
488 if (hc) trace_block(T_CRYPTO, "crypto: cookie", hc, algs.hashsz);
489 if (ck) trace(T_CRYPTO, "crypto: check value = %s", mpstr(ck));
492 /* --- First, handle a bare challenge --- *
494 * If the table is heavily loaded, just emit a cookie and return.
497 if (!hc && kx->nr >= KX_THRESH) {
498 T( trace(T_KEYEXCH, "keyexch: too many challenges -- sending cookie"); )
499 a_warn("KX", "?PEER", p_name, "sending-cookie", A_END);
500 b = p_txstart(kx->p, MSG_KEYEXCH | KX_COOKIE);
501 G_TOBUF(gg, b, kx->c);
503 HASH_STRING(h, "tripe-cookie");
505 GH_DONE(h, buf_get(b, algs.hashsz));
511 /* --- Discard a packet with an invalid cookie --- */
513 if (hc && memcmp(hc, kx->hc, algs.hashsz) != 0) {
514 a_warn("KX", "?PEER", "incorrect", "cookie", A_END);
518 /* --- Find a challenge block for this packet --- *
520 * If there isn't one already, create a new one.
523 if ((kxc = kxc_bychal(kx, c)) == 0) {
527 /* --- Be careful here --- *
529 * If this is a full challenge, and it's the first time I've seen it, I
530 * want to be able to throw it away before committing a table entry to
537 if ((r = getreply(kx, c, ck)) == 0)
542 kxc->c = G_CREATE(gg);
543 G_COPY(gg, kxc->c, c);
545 /* --- Work out the cookie for this challenge --- */
548 HASH_STRING(h, "tripe-cookie");
553 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
554 trace_block(T_CRYPTO, "crypto: computed cookie", kxc->hc, algs.hashsz);
557 /* --- Compute the expected-reply hash --- */
560 HASH_STRING(h, "tripe-expected-reply");
566 kxc->ck = mpencrypt(MP_NEW, kx->alpha, mp_octets(gg->r), hc);
567 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
568 trace_block(T_CRYPTO, "crypto: expected-reply hash", hc, algs.hashsz);
569 trace(T_CRYPTO, "crypto: my reply check = %s", mpstr(kxc->ck));
573 /* --- Work out the shared key --- */
576 G_EXP(gg, r, c, kx->alpha);
577 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
578 trace(T_CRYPTO, "crypto: shared secret = %s", gestr(gg, r));
581 /* --- Compute the switch messages --- */
583 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
584 hashge(h, kx->c); hashge(h, kxc->c);
585 GH_DONE(h, kxc->hswrq_out); GH_DESTROY(h);
586 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
587 hashge(h, kx->c); hashge(h, kxc->c);
588 GH_DONE(h, kxc->hswok_out); GH_DESTROY(h);
590 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
591 hashge(h, kxc->c); hashge(h, kx->c);
592 GH_DONE(h, kxc->hswrq_in); GH_DESTROY(h);
593 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
594 hashge(h, kxc->c); hashge(h, kx->c);
595 GH_DONE(h, kxc->hswok_in); GH_DESTROY(h);
597 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
598 trace_block(T_CRYPTO, "crypto: outbound switch request",
599 kxc->hswrq_out, algs.hashsz);
600 trace_block(T_CRYPTO, "crypto: outbound switch confirm",
601 kxc->hswok_out, algs.hashsz);
602 trace_block(T_CRYPTO, "crypto: inbound switch request",
603 kxc->hswrq_in, algs.hashsz);
604 trace_block(T_CRYPTO, "crypto: inbound switch confirm",
605 kxc->hswok_in, algs.hashsz);
608 /* --- Create a new symmetric keyset --- */
610 buf_init(b, buf_o, sizeof(buf_o));
611 G_TOBUF(gg, b, kx->c); x = BLEN(b);
612 G_TOBUF(gg, b, kxc->c); y = BLEN(b);
613 G_TOBUF(gg, b, r); z = BLEN(b);
616 kxc->ks = ks_gen(BBASE(b), x, y, z, kx->p);
620 /* --- Answer the challenge if we need to --- */
624 if ((r = getreply(kx, c, ck)) == 0)
631 /* --- Tidy up and go home --- */
644 /* --- @resend@ --- *
646 * Arguments: @keyexch *kx@ = pointer to key exchange context
650 * Use: Sends the next message for a key exchange.
653 static void resend(keyexch *kx)
657 stats *st = p_stats(kx->p);
662 T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'",
664 b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL);
665 G_TOBUF(gg, b, kx->c);
668 T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'",
671 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH);
672 buf_put(b, kx->hc, algs.hashsz);
673 buf_put(b, kxc->hc, algs.hashsz);
674 buf_init(&bb, buf_i, sizeof(buf_i));
675 G_TOBUF(gg, &bb, kxc->r);
676 buf_put(&bb, kxc->hswrq_out, algs.hashsz);
678 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCH, &bb, b);
681 T( trace(T_KEYEXCH, "keyexch: sending switch confirmation to `%s'",
684 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK);
685 buf_init(&bb, buf_i, sizeof(buf_i));
686 buf_put(&bb, kxc->hswok_out, algs.hashsz);
688 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, &bb, b);
696 st->sz_kxout += BLEN(b);
700 if (kx->s < KXS_SWITCH)
701 settimer(kx, time(0) + T_RETRY);
704 /* --- @matchreply@ --- *
706 * Arguments: @keyexch *kx@ = pointer to key exchange context
707 * @unsigned ty@ = type of incoming message
708 * @const octet *hc_in@ = a hash of his challenge
709 * @const octet *hc_out@ = a hash of my challenge (cookie)
710 * @mp *ck@ = his expected-reply hash (optional)
711 * @buf *b@ = encrypted remainder of the packet
713 * Returns: A pointer to the challenge block if OK, or null on failure.
715 * Use: Checks a reply or switch packet, ensuring that its contents
716 * are sensible and correct. If they are, @*b@ is set to point
717 * to the remainder of the encrypted data, and the correct
718 * challenge is returned.
721 static kxchal *matchreply(keyexch *kx, unsigned ty, const octet *hc_in,
722 const octet *hc_out, mp *ck, buf *b)
728 /* --- Check the plaintext portions of the data --- */
730 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
731 trace_block(T_CRYPTO, "crypto: challenge", hc_in, algs.hashsz);
732 trace_block(T_CRYPTO, "crypto: cookie", hc_out, algs.hashsz);
733 if (ck) trace(T_CRYPTO, "crypto: check value = %s", mpstr(ck));
735 if (memcmp(hc_out, kx->hc, algs.hashsz) != 0) {
736 a_warn("KX", "?PEER", kx->p, "incorrect", "cookie", A_END);
739 if ((kxc = kxc_byhc(kx, hc_in)) == 0) {
740 a_warn("KX", "?PEER", kx->p, "unknown-challenge", A_END);
744 /* --- Maybe compute a reply for the challenge --- */
748 a_warn("KX", "?PEER", kx->p, "unexpected", "switch-rq", A_END);
751 if ((r = getreply(kx, kxc->c, ck)) == 0)
757 /* --- Decrypt the rest of the packet --- */
759 buf_init(&bb, buf_o, sizeof(buf_o));
760 if (ks_decrypt(kxc->ks, ty, b, &bb)) {
761 a_warn("KX", "?PEER", kx->p, "decrypt-failed", "reply", A_END);
764 buf_init(b, BBASE(&bb), BLEN(&bb));
766 if (G_FROMRAW(gg, b, r)) {
767 a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
770 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
771 trace(T_CRYPTO, "crypto: reply = %s", gestr(gg, r));
773 if (!G_EQ(gg, r, kx->rx)) {
774 a_warn("KX", "?PEER", kx->p, "incorrect", "reply", A_END);
784 if (r) G_DESTROY(gg, r);
788 /* --- @commit@ --- *
790 * Arguments: @keyexch *kx@ = pointer to key exchange context
791 * @kxchal *kxc@ = pointer to challenge to commit to
795 * Use: Commits to a particular challenge as being the `right' one,
796 * since a reply has arrived for it.
799 static void commit(keyexch *kx, kxchal *kxc)
803 for (i = 0; i < kx->nr; i++) {
805 kxc_destroy(kx->r[i]);
810 ksl_link(kx->ks, kxc->ks);
813 /* --- @doreply@ --- *
815 * Arguments: @keyexch *kx@ = pointer to key exchange context
816 * @buf *b@ = buffer containing packet
818 * Returns: Zero if OK, nonzero if the packet was rejected.
820 * Use: Handles a reply packet. This doesn't handle the various
821 * switch packets: they're rather too different.
824 static int doreply(keyexch *kx, buf *b)
826 const octet *hc_in, *hc_out;
830 if (kx->s != KXS_CHAL && kx->s != KXS_COMMIT) {
831 a_warn("KX", "?PEER", kx->p, "unexpected", "reply", A_END);
834 if ((hc_in = buf_get(b, algs.hashsz)) == 0 ||
835 (hc_out = buf_get(b, algs.hashsz)) == 0 ||
836 (ck = buf_getmp(b)) == 0) {
837 a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
840 if ((kxc = matchreply(kx, MSG_KEYEXCH | KX_REPLY,
841 hc_in, hc_out, ck, b)) == 0)
844 a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
847 if (kx->s == KXS_CHAL) {
859 /* --- @kxfinish@ --- *
861 * Arguments: @keyexch *kx@ = pointer to key exchange block
865 * Use: Sets everything up following a successful key exchange.
868 static void kxfinish(keyexch *kx)
870 kxchal *kxc = kx->r[0];
871 ks_activate(kxc->ks);
872 settimer(kx, ks_tregen(kxc->ks));
874 a_notify("KXDONE", "?PEER", kx->p, A_END);
875 p_stats(kx->p)->t_kx = time(0);
878 /* --- @doswitch@ --- *
880 * Arguments: @keyexch *kx@ = pointer to key exchange block
881 * @buf *b@ = pointer to buffer containing packet
883 * Returns: Zero if OK, nonzero if the packet was rejected.
885 * Use: Handles a reply with a switch request bolted onto it.
888 static int doswitch(keyexch *kx, buf *b)
890 const octet *hc_in, *hc_out, *hswrq;
893 if ((hc_in = buf_get(b, algs.hashsz)) == 0 ||
894 (hc_out = buf_get(b, algs.hashsz)) == 0) {
895 a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
898 if ((kxc = matchreply(kx, MSG_KEYEXCH | KX_SWITCH,
899 hc_in, hc_out, 0, b)) == 0)
901 if ((hswrq = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
902 a_warn("KX", "?PEER", "invalid", "switch-rq", A_END);
905 IF_TRACING(T_KEYEXCH, {
906 trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, algs.hashsz);
908 if (memcmp(hswrq, kxc->hswrq_in, algs.hashsz) != 0) {
909 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
926 /* --- @doswitchok@ --- *
928 * Arguments: @keyexch *kx@ = pointer to key exchange block
929 * @buf *b@ = pointer to buffer containing packet
931 * Returns: Zero if OK, nonzero if the packet was rejected.
933 * Use: Handles a reply with a switch request bolted onto it.
936 static int doswitchok(keyexch *kx, buf *b)
942 if (kx->s < KXS_COMMIT) {
943 a_warn("KX", "?PEER", kx->p, "unexpected", "switch-ok", A_END);
947 buf_init(&bb, buf_o, sizeof(buf_o));
948 if (ks_decrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, b, &bb)) {
949 a_warn("KX", "?PEER", kx->p, "decrypt-failed", "switch-ok", A_END);
952 buf_init(b, BBASE(&bb), BLEN(&bb));
953 if ((hswok = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
954 a_warn("KX", "?PEER", "invalid", "switch-ok", A_END);
957 IF_TRACING(T_KEYEXCH, {
958 trace_block(T_CRYPTO, "crypto: switch confirmation hash",
961 if (memcmp(hswok, kxc->hswok_in, algs.hashsz) != 0) {
962 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-ok", A_END);
965 if (kx->s < KXS_SWITCH)
973 /*----- Main code ---------------------------------------------------------*/
977 * Arguments: @keyexch *kx@ = pointer to key exchange context
981 * Use: Stops a key exchange dead in its tracks. Throws away all of
982 * the context information. The context is left in an
983 * inconsistent state. The only functions which understand this
984 * state are @kx_free@ and @kx_init@ (which cause it internally
985 * it), and @start@ (which expects it to be the prevailing
989 static void stop(keyexch *kx)
993 if (kx->f & KXF_DEAD)
996 if (kx->f & KXF_TIMER)
998 for (i = 0; i < kx->nr; i++)
999 kxc_destroy(kx->r[i]);
1001 G_DESTROY(gg, kx->c);
1002 G_DESTROY(gg, kx->rx);
1005 kx->f &= ~KXF_TIMER;
1008 /* --- @start@ --- *
1010 * Arguments: @keyexch *kx@ = pointer to key exchange context
1011 * @time_t now@ = the current time
1015 * Use: Starts a new key exchange with the peer. The context must be
1016 * in the bizarre state left by @stop@ or @kx_init@.
1019 static void start(keyexch *kx, time_t now)
1023 assert(kx->f & KXF_DEAD);
1027 kx->alpha = mprand_range(MP_NEW, gg->r, &rand_global, 0);
1028 kx->c = G_CREATE(gg); G_EXP(gg, kx->c, gg->g, kx->alpha);
1029 kx->rx = G_CREATE(gg); G_EXP(gg, kx->rx, kx->kpub, kx->alpha);
1031 kx->t_valid = now + T_VALID;
1033 h = GH_INIT(algs.h);
1034 HASH_STRING(h, "tripe-cookie");
1039 IF_TRACING(T_KEYEXCH, {
1040 trace(T_KEYEXCH, "keyexch: creating new challenge");
1041 IF_TRACING(T_CRYPTO, {
1042 trace(T_CRYPTO, "crypto: secret = %s", mpstr(kx->alpha));
1043 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, kx->c));
1044 trace(T_CRYPTO, "crypto: expected response = %s", gestr(gg, kx->rx));
1045 trace_block(T_CRYPTO, "crypto: challenge cookie", kx->hc, algs.hashsz);
1050 /* --- @checkpub@ --- *
1052 * Arguments: @keyexch *kx@ = pointer to key exchange context
1054 * Returns: Zero if OK, nonzero if the peer's public key has expired.
1056 * Use: Deactivates the key-exchange until the peer acquires a new
1060 static int checkpub(keyexch *kx)
1063 if (kx->f & KXF_DEAD)
1066 if (KEY_EXPIRED(now, kx->texp_kpub)) {
1068 a_warn("KX", "?PEER", kx->p, "public-key-expired", A_END);
1069 G_COPY(gg, kx->kpub, gg->i);
1070 kx->f &= ~KXF_PUBKEY;
1076 /* --- @kx_start@ --- *
1078 * Arguments: @keyexch *kx@ = pointer to key exchange context
1079 * @int forcep@ = nonzero to ignore the quiet timer
1083 * Use: Stimulates a key exchange. If a key exchage is in progress,
1084 * a new challenge is sent (unless the quiet timer forbids
1085 * this); if no exchange is in progress, one is commenced.
1088 void kx_start(keyexch *kx, int forcep)
1090 time_t now = time(0);
1094 if (forcep || !VALIDP(kx, now)) {
1097 a_notify("KXSTART", "?PEER", kx->p, A_END);
1102 /* --- @kx_message@ --- *
1104 * Arguments: @keyexch *kx@ = pointer to key exchange context
1105 * @unsigned msg@ = the message code
1106 * @buf *b@ = pointer to buffer containing the packet
1110 * Use: Reads a packet containing key exchange messages and handles
1114 void kx_message(keyexch *kx, unsigned msg, buf *b)
1116 time_t now = time(0);
1117 stats *st = p_stats(kx->p);
1124 if (!VALIDP(kx, now)) {
1129 T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'",
1130 msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); )
1136 rc = dochallenge(kx, msg, b);
1139 rc = doreply(kx, b);
1142 rc = doswitch(kx, b);
1145 rc = doswitchok(kx, b);
1148 a_warn("KX", "?PEER", kx->p, "unknown-message", "0x%02x", msg, A_END);
1161 /* --- @kx_free@ --- *
1163 * Arguments: @keyexch *kx@ = pointer to key exchange context
1167 * Use: Frees everything in a key exchange context.
1170 void kx_free(keyexch *kx)
1173 G_DESTROY(gg, kx->kpub);
1176 /* --- @kx_newkeys@ --- *
1178 * Arguments: @keyexch *kx@ = pointer to key exchange context
1182 * Use: Informs the key exchange module that its keys may have
1183 * changed. If fetching the new keys fails, the peer will be
1184 * destroyed, we log messages and struggle along with the old
1188 void kx_newkeys(keyexch *kx)
1190 if (km_getpubkey(p_name(kx->p), kx->kpub, &kx->texp_kpub))
1192 kx->f |= KXF_PUBKEY;
1193 if ((kx->f & KXF_DEAD) || kx->s != KXS_SWITCH) {
1194 T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'",
1202 /* --- @kx_init@ --- *
1204 * Arguments: @keyexch *kx@ = pointer to key exchange context
1205 * @peer *p@ = pointer to peer context
1206 * @keyset **ks@ = pointer to keyset list
1208 * Returns: Zero if OK, nonzero if it failed.
1210 * Use: Initializes a key exchange module. The module currently
1211 * contains no keys, and will attempt to initiate a key
1215 int kx_init(keyexch *kx, peer *p, keyset **ks)
1219 kx->kpub = G_CREATE(gg);
1220 if (km_getpubkey(p_name(p), kx->kpub, &kx->texp_kpub)) {
1221 G_DESTROY(gg, kx->kpub);
1224 kx->f = KXF_DEAD | KXF_PUBKEY;
1227 /* Don't notify here: the ADD message hasn't gone out yet. */
1231 /*----- That's all, folks -------------------------------------------------*/