3 * $Id: keyexch.c,v 1.5 2002/01/13 14:54:40 mdw Exp $
5 * Key exchange protocol
7 * (c) 2001 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Trivial IP Encryption (TrIPE).
14 * TrIPE is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * TrIPE is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with TrIPE; if not, write to the Free Software Foundation,
26 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 /*----- Revision history --------------------------------------------------*
32 * Revision 1.5 2002/01/13 14:54:40 mdw
33 * Patch up zero-knowledge property by passing an encrypted log with a
34 * challenge, so that the prover can verify that the challenge is good.
36 * Revision 1.4 2001/06/22 19:40:36 mdw
37 * Support expiry of other peers' public keys.
39 * Revision 1.3 2001/06/19 22:07:09 mdw
42 * Revision 1.2 2001/02/16 21:24:27 mdw
43 * Rewrite for new key exchange protocol.
45 * Revision 1.1 2001/02/03 20:26:37 mdw
50 /*----- Header files ------------------------------------------------------*/
54 /*----- Tunable parameters ------------------------------------------------*/
56 #define T_VALID MIN(2)
57 #define T_RETRY SEC(10)
59 #define ISVALID(kx, now) ((now) < (kx)->t_valid)
61 /*----- Various utilities -------------------------------------------------*/
65 * Arguments: @HASH_CTX *r@ = pointer to hash context
66 * @mp *m@ = pointer to multiprecision integer
70 * Use: Adds the hash of a multiprecision integer to the context.
74 static void hashmp(HASH_CTX *r, mp *m)
77 buf_init(&b, buf_t, sizeof(buf_t));
80 HASH(r, BBASE(&b), BLEN(&b));
83 /* --- @mpcrypt@ --- *
85 * Arguments: @mp *d@ = the destination integer
86 * @mp *x@ = the plaintext/ciphertext integer
87 * @size_t sz@ = the expected size of the plaintext
88 * @const octet *k@ = pointer to key material
89 * @size_t ksz@ = size of the key
91 * Returns: The encrypted/decrypted integer.
93 * Use: Encrypts (or decrypts) a multiprecision integer using another
94 * multiprecision integer as the key. This is a slightly grotty
95 * way to do this, but it's easier than the alternatives.
98 static mp *mpcrypt(mp *d, mp *x, size_t sz, const octet *k, size_t ksz)
102 MGF_INIT(&m, k, ksz, 0);
103 mp_storeb(x, buf_t, sz);
104 MGF_CRYPT(&m, buf_t, buf_t, sz);
105 return (mp_loadb(d, buf_t, sz));
110 * Arguments: @struct timeval *tv@ = the current time
111 * @void *v@ = pointer to key exchange context
115 * Use: Acts when the key exchange timer goes off.
118 static void timer(struct timeval *tv, void *v)
122 T( trace(T_KEYEXCH, "keyexch: timer has popped"); )
126 /* --- @settimer@ --- *
128 * Arguments: @keyexch *kx@ = pointer to key exchange context
129 * @time_t t@ = when to set the timer for
133 * Use: Sets the timer for the next key exchange attempt.
136 static void settimer(keyexch *kx, time_t t)
139 if (kx->f & KXF_TIMER)
143 sel_addtimer(&sel, &kx->t, &tv, timer, kx);
147 /*----- Challenge management ----------------------------------------------*/
149 /* --- Notes on challenge management --- *
151 * We may get multiple different replies to our key exchange; some will be
152 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
153 * received will be added to the table and given a full response. After
154 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
155 * our existing challenge, followed by a hash of the sender's challenge. We
156 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
157 * properly-formed cookies are assigned a table slot: if none is spare, a
158 * used slot is randomly selected and destroyed. A cookie always receives a
162 /* --- @kxc_destroy@ --- *
164 * Arguments: @kxchal *kxc@ = pointer to the challenge block
168 * Use: Disposes of a challenge block.
171 static void kxc_destroy(kxchal *kxc)
173 if (kxc->f & KXF_TIMER)
174 sel_rmtimer(&kxc->t);
182 /* --- @kxc_stoptimer@ --- *
184 * Arguments: @kxchal *kxc@ = pointer to the challenge block
188 * Use: Stops the challenge's retry timer from sending messages.
189 * Useful when the state machine is in the endgame of the
193 static void kxc_stoptimer(kxchal *kxc)
195 if (kxc->f & KXF_TIMER)
196 sel_rmtimer(&kxc->t);
199 /* --- @kxc_new@ --- *
201 * Arguments: @keyexch *kx@ = pointer to key exchange block
203 * Returns: A pointer to the challenge block.
205 * Use: Returns a pointer to a new challenge block to fill in.
208 static kxchal *kxc_new(keyexch *kx)
213 /* --- If we're over reply threshold, discard one at random --- */
215 if (kx->nr < KX_NCHAL)
218 i = rand_global.ops->range(&rand_global, KX_NCHAL);
219 kxc_destroy(kx->r[i]);
222 /* --- Fill in the new structure --- */
224 kxc = CREATE(kxchal);
235 /* --- @kxc_bychal@ --- *
237 * Arguments: @keyexch *kx@ = pointer to key exchange block
238 * @mp *c@ = challenge from remote host
240 * Returns: Pointer to the challenge block, or null.
242 * Use: Finds a challenge block, given its challenge.
245 static kxchal *kxc_bychal(keyexch *kx, mp *c)
249 for (i = 0; i < kx->nr; i++) {
250 if (MP_EQ(c, kx->r[i]->c))
256 /* --- @kxc_byhc@ --- *
258 * Arguments: @keyexch *kx@ = pointer to key exchange block
259 * @const octet *hc@ = challenge hash from remote host
261 * Returns: Pointer to the challenge block, or null.
263 * Use: Finds a challenge block, given a hash of its challenge.
266 static kxchal *kxc_byhc(keyexch *kx, const octet *hc)
270 for (i = 0; i < kx->nr; i++) {
271 if (memcmp(hc, kx->r[i]->hc, HASHSZ) == 0)
277 /* --- @kxc_answer@ --- *
279 * Arguments: @keyexch *kx@ = pointer to key exchange block
280 * @kxchal *kxc@ = pointer to challenge block
284 * Use: Sends a reply to the remote host, according to the data in
285 * this challenge block.
288 static void kxc_answer(keyexch *kx, kxchal *kxc);
290 static void kxc_timer(struct timeval *tv, void *v)
293 kxc->f &= ~KXF_TIMER;
294 kxc_answer(kxc->kx, kxc);
297 static void kxc_answer(keyexch *kx, kxchal *kxc)
299 stats *st = p_stats(kx->p);
300 buf *b = p_txstart(kx->p, MSG_KEYEXCH | (kxc->r ? KX_REPLY : KX_CHAL));
304 /* --- Build the reply packet --- */
309 buf_put(b, kx->hc, HASHSZ);
310 buf_put(b, kxc->hc, HASHSZ);
311 buf_putmp(b, kxc->ck);
313 /* --- Maybe send an actual reply, if we have one --- */
316 T( trace(T_KEYEXCH, "keyexch: resending challenge to `%s'",
319 T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
320 buf_init(&bb, buf_i, sizeof(buf_i));
321 buf_putmp(&bb, kxc->r);
323 ks_encrypt(kxc->ks, &bb, b);
326 /* --- Update the statistics --- */
330 st->sz_kxout += BLEN(b);
334 /* --- Schedule another resend --- */
336 if (kxc->f & KXF_TIMER)
337 sel_rmtimer(&kxc->t);
338 gettimeofday(&tv, 0);
339 tv.tv_sec += T_RETRY;
340 sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc);
344 /*----- Individual message handlers ---------------------------------------*/
346 /* --- @getreply@ --- *
348 * Arguments: @keyexch *kx@ = pointer to key exchange context
349 * @mp *c@ = a challenge
350 * @mp *ck@ = the supplied expected-reply check value
352 * Returns: A pointer to the reply, or null if the reply-hash was wrong.
354 * Use: Computes replies to challenges.
357 static mp *getreply(keyexch *kx, mp *c, mp *ck)
359 mp *r = mpmont_exp(&mg, MP_NEW, c, kpriv.x);
366 HASH_STRING(&h, "tripe-expected-reply");
372 a = mpcrypt(MP_NEW, ck, mp_octets(kpriv.dp.q), buf, sizeof(buf));
373 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
374 trace(T_CRYPTO, "crypto: computed reply = %s", mpstr(r));
375 trace_block(T_CRYPTO, "crypto: computed reply hash", buf, HASHSZ);
376 trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(a));
378 a = mpmont_exp(&mg, a, kpriv.dp.g, a);
381 a_warn("invalid expected-reply check from `%s'", p_name(kx->p));
382 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
383 trace(T_CRYPTO, "crypto: computed challenge = %s", mpstr(a));
391 /* --- @dochallenge@ --- *
393 * Arguments: @keyexch *kx@ = pointer to key exchange block
394 * @unsigned msg@ = message code for the packet
395 * @buf *b@ = buffer containing the packet
397 * Returns: Zero if OK, nonzero if the packet was rejected.
399 * Use: Processes a packet containing a challenge.
402 static int dochallenge(keyexch *kx, unsigned msg, buf *b)
410 /* --- Ensure that we're in a sensible state --- */
412 if (kx->s != KXS_CHAL) {
413 a_warn("unexpected challenge from `%s'", p_name(kx->p));
417 /* --- Unpack the packet --- */
419 if ((c = buf_getmp(b)) == 0 ||
420 (msg >= KX_COOKIE && (hc = buf_get(b, HASHSZ)) == 0) ||
421 (msg >= KX_CHAL && (ck = buf_getmp(b)) == 0) ||
423 a_warn("malformed packet from `%s'", p_name(kx->p));
427 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
428 trace(T_CRYPTO, "crypto: challenge = %s", mpstr(c));
429 if (hc) trace_block(T_CRYPTO, "crypto: cookie", hc, HASHSZ);
430 if (ck) trace(T_CRYPTO, "crypto: check value = %s", mpstr(ck));
433 /* --- First, handle a bare challenge --- *
435 * If the table is heavily loaded, just emit a cookie and return.
438 if (!hc && kx->nr >= KX_THRESH) {
439 T( trace(T_KEYEXCH, "keyexch: too many challenges -- sending cookie"); )
440 b = p_txstart(kx->p, MSG_KEYEXCH | KX_COOKIE);
443 HASH_STRING(&h, "tripe-cookie");
445 HASH_DONE(&h, buf_get(b, HASHSZ));
450 /* --- Discard a packet with an invalid cookie --- */
452 if (hc && memcmp(hc, kx->hc, HASHSZ) != 0) {
453 a_warn("incorrect cookie from `%s'", p_name(kx->p));
457 /* --- Find a challenge block for this packet --- *
459 * If there isn't one already, create a new one.
462 if ((kxc = kxc_bychal(kx, c)) == 0) {
466 /* --- Be careful here --- *
468 * If this is a full challenge, and it's the first time I've seen it, I
469 * want to be able to throw it away before committing a table entry to
476 if ((r = getreply(kx, c, ck)) == 0)
483 /* --- Work out the cookie for this challenge --- */
486 HASH_STRING(&h, "tripe-cookie");
488 HASH_DONE(&h, kxc->hc);
490 /* --- Compute the expected-reply hash --- */
493 HASH_STRING(&h, "tripe-expected-reply");
498 kxc->ck = mpcrypt(MP_NEW, kx->alpha, mp_octets(kpriv.dp.q),
501 /* --- Work out the shared key --- */
503 trace(T_CRYPTO, "debug: c = %s", mpstr(c));
504 trace(T_CRYPTO, "debug: alpha = %s", mpstr(kx->alpha));
505 r = mpmont_exp(&mg, MP_NEW, c, kx->alpha);
506 trace(T_CRYPTO, "debug: r = %s", mpstr(r));
508 /* --- Compute the switch messages --- */
510 HASH_INIT(&h); HASH_STRING(&h, "tripe-switch-request");
511 hashmp(&h, kx->c); hashmp(&h, kxc->c);
512 HASH_DONE(&h, kxc->hswrq_out);
513 HASH_INIT(&h); HASH_STRING(&h, "tripe-switch-confirm");
514 hashmp(&h, kx->c); hashmp(&h, kxc->c);
515 HASH_DONE(&h, kxc->hswok_out);
517 HASH_INIT(&h); HASH_STRING(&h, "tripe-switch-request");
518 hashmp(&h, kxc->c); hashmp(&h, kx->c);
519 HASH_DONE(&h, kxc->hswrq_in);
520 HASH_INIT(&h); HASH_STRING(&h, "tripe-switch-confirm");
521 hashmp(&h, kxc->c); hashmp(&h, kx->c);
522 HASH_DONE(&h, kxc->hswok_in);
524 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
525 trace_block(T_CRYPTO, "crypto: computed cookie", kxc->hc, HASHSZ);
526 trace_block(T_CRYPTO, "crypto: expected-reply hash",
528 trace(T_CRYPTO, "crypto: my reply check = %s", mpstr(kxc->ck));
529 trace(T_CRYPTO, "crypto: shared secret = %s", mpstr(r));
530 trace_block(T_CRYPTO, "crypto: outbound switch request",
531 kxc->hswrq_out, HASHSZ);
532 trace_block(T_CRYPTO, "crypto: outbound switch confirm",
533 kxc->hswok_out, HASHSZ);
534 trace_block(T_CRYPTO, "crypto: inbound switch request",
535 kxc->hswrq_in, HASHSZ);
536 trace_block(T_CRYPTO, "crypto: inbound switch confirm",
537 kxc->hswok_in, HASHSZ);
540 /* --- Create a new symmetric keyset --- */
542 buf_init(b, buf_o, sizeof(buf_o));
543 buf_putmp(b, kx->c); x = BLEN(b);
544 buf_putmp(b, kxc->c); y = BLEN(b);
545 buf_putmp(b, r); z = BLEN(b);
548 kxc->ks = ks_gen(BBASE(b), x, y, z);
552 /* --- Answer the challenge if we need to --- */
556 if ((r = getreply(kx, c, ck)) == 0)
563 /* --- Tidy up and go home --- */
576 /* --- @resend@ --- *
578 * Arguments: @keyexch *kx@ = pointer to key exchange context
582 * Use: Sends the next message for a key exchange.
585 static void resend(keyexch *kx)
589 stats *st = p_stats(kx->p);
594 T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'",
596 b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL);
600 T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'",
603 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH);
604 buf_put(b, kx->hc, HASHSZ);
605 buf_put(b, kxc->hc, HASHSZ);
606 buf_init(&bb, buf_i, sizeof(buf_i));
607 buf_putmp(&bb, kxc->r);
608 buf_put(&bb, kxc->hswrq_out, HASHSZ);
610 ks_encrypt(kxc->ks, &bb, b);
613 T( trace(T_KEYEXCH, "keyexch: sending switch confirmation to `%s'",
616 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK);
617 buf_init(&bb, buf_i, sizeof(buf_i));
618 buf_put(&bb, kxc->hswok_out, HASHSZ);
620 ks_encrypt(kxc->ks, &bb, b);
628 st->sz_kxout += BLEN(b);
632 if (kx->s < KXS_SWITCH)
633 settimer(kx, time(0) + T_RETRY);
636 /* --- @matchreply@ --- *
638 * Arguments: @keyexch *kx@ = pointer to key exchange context
639 * @const octet *hc_in@ = a hash of his challenge
640 * @const octet *hc_out@ = a hash of my challenge (cookie)
641 * @mp *ck@ = his expected-reply hash (optional)
642 * @buf *b@ = encrypted remainder of the packet
644 * Returns: A pointer to the challenge block if OK, or null on failure.
646 * Use: Checks a reply or switch packet, ensuring that its contents
647 * are sensible and correct. If they are, @*b@ is set to point
648 * to the remainder of the encrypted data, and the correct
649 * challenge is returned.
652 static kxchal *matchreply(keyexch *kx, const octet *hc_in,
653 const octet *hc_out, mp *ck, buf *b)
659 /* --- Check the plaintext portions of the data --- */
661 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
662 trace_block(T_CRYPTO, "crypto: challenge", hc_in, HASHSZ);
663 trace_block(T_CRYPTO, "crypto: cookie", hc_out, HASHSZ);
664 if (ck) trace(T_CRYPTO, "crypto: check value = %s", mpstr(ck));
666 if (memcmp(hc_out, kx->hc, HASHSZ) != 0) {
667 a_warn("incorrect cookie from `%s'", p_name(kx->p));
670 if ((kxc = kxc_byhc(kx, hc_in)) == 0) {
671 a_warn("received reply for unknown challenge from `%s'", p_name(kx->p));
675 /* --- Maybe compute a reply for the challenge --- */
679 a_warn("unexpected switch request from `%s'", p_name(kx->p));
682 if ((r = getreply(kx, kxc->c, ck)) == 0)
688 /* --- Decrypt the rest of the packet --- */
690 buf_init(&bb, buf_o, sizeof(buf_o));
691 if (ks_decrypt(kxc->ks, b, &bb)) {
692 a_warn("failed to decrypt reply from `%s'", p_name(kx->p));
695 buf_init(b, BBASE(&bb), BLEN(&bb));
696 if ((r = buf_getmp(b)) == 0) {
697 a_warn("invalid reply packet from `%s'", p_name(kx->p));
700 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
701 trace(T_CRYPTO, "crypto: reply = %s", mpstr(r));
703 if (!mp_eq(r, kx->rx)) {
704 a_warn("incorrect reply from `%s'", p_name(kx->p));
718 /* --- @commit@ --- *
720 * Arguments: @keyexch *kx@ = pointer to key exchange context
721 * @kxchal *kxc@ = pointer to challenge to commit to
725 * Use: Commits to a particular challenge as being the `right' one,
726 * since a reply has arrived for it.
729 static void commit(keyexch *kx, kxchal *kxc)
733 for (i = 0; i < kx->nr; i++) {
735 kxc_destroy(kx->r[i]);
740 ksl_link(kx->ks, kxc->ks);
743 /* --- @doreply@ --- *
745 * Arguments: @keyexch *kx@ = pointer to key exchange context
746 * @buf *b@ = buffer containing packet
748 * Returns: Zero if OK, nonzero if the packet was rejected.
750 * Use: Handles a reply packet. This doesn't handle the various
751 * switch packets: they're rather too different.
754 static int doreply(keyexch *kx, buf *b)
756 const octet *hc_in, *hc_out;
760 if (kx->s != KXS_CHAL && kx->s != KXS_COMMIT) {
761 a_warn("unexpected reply from `%s'", p_name(kx->p));
764 if ((hc_in = buf_get(b, HASHSZ)) == 0 ||
765 (hc_out = buf_get(b, HASHSZ)) == 0 ||
766 (ck = buf_getmp(b)) == 0) {
767 a_warn("invalid reply packet from `%s'", p_name(kx->p));
770 if ((kxc = matchreply(kx, hc_in, hc_out, ck, b)) == 0)
773 a_warn("invalid reply packet from `%s'", p_name(kx->p));
776 if (kx->s == KXS_CHAL) {
788 /* --- @doswitch@ --- *
790 * Arguments: @keyexch *kx@ = pointer to key exchange block
791 * @buf *b@ = pointer to buffer containing packet
793 * Returns: Zero if OK, nonzero if the packet was rejected.
795 * Use: Handles a reply with a switch request bolted onto it.
798 static int doswitch(keyexch *kx, buf *b)
800 const octet *hc_in, *hc_out, *hswrq;
803 if ((hc_in = buf_get(b, HASHSZ)) == 0 ||
804 (hc_out = buf_get(b, HASHSZ)) == 0) {
805 a_warn("invalid switch request from `%s'", p_name(kx->p));
808 if ((kxc = matchreply(kx, hc_in, hc_out, 0, b)) == 0)
810 if ((hswrq = buf_get(b, HASHSZ)) == 0 || BLEFT(b)) {
811 a_warn("invalid switch request from `%s'", p_name(kx->p));
814 IF_TRACING(T_KEYEXCH, {
815 trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, HASHSZ);
817 if (memcmp(hswrq, kxc->hswrq_in, HASHSZ) != 0) {
818 a_warn("incorrect switch request hash from `%s'", p_name(kx->p));
825 ks_activate(kxc->ks);
826 settimer(kx, ks_tregen(kxc->ks));
837 /* --- @doswitchok@ --- *
839 * Arguments: @keyexch *kx@ = pointer to key exchange block
840 * @buf *b@ = pointer to buffer containing packet
842 * Returns: Zero if OK, nonzero if the packet was rejected.
844 * Use: Handles a reply with a switch request bolted onto it.
847 static int doswitchok(keyexch *kx, buf *b)
853 if (kx->s < KXS_COMMIT) {
854 a_warn("unexpected switch confirmation from `%s'", p_name(kx->p));
858 buf_init(&bb, buf_o, sizeof(buf_o));
859 if (ks_decrypt(kxc->ks, b, &bb)) {
860 a_warn("failed to decrypt switch confirmation from `%s'", p_name(kx->p));
863 buf_init(b, BBASE(&bb), BLEN(&bb));
864 if ((hswok = buf_get(b, HASHSZ)) == 0 || BLEFT(b)) {
865 a_warn("invalid switch confirmation from `%s'", p_name(kx->p));
868 IF_TRACING(T_KEYEXCH, {
869 trace_block(T_CRYPTO, "crypto: switch confirmation hash", hswok, HASHSZ);
871 if (memcmp(hswok, kxc->hswok_in, HASHSZ) != 0) {
872 a_warn("incorrect switch confirmation hash from `%s'", p_name(kx->p));
875 if (kx->s < KXS_SWITCH) {
876 ks_activate(kxc->ks);
877 settimer(kx, ks_tregen(kxc->ks));
886 /*----- Main code ---------------------------------------------------------*/
890 * Arguments: @keyexch *kx@ = pointer to key exchange context
894 * Use: Stops a key exchange dead in its tracks. Throws away all of
895 * the context information. The context is left in an
896 * inconsistent state. The only functions which understand this
897 * state are @kx_free@ and @kx_init@ (which cause it internally
898 * it), and @start@ (which expects it to be the prevailing
902 static void stop(keyexch *kx)
906 if (kx->f & KXF_DEAD)
909 if (kx->f & KXF_TIMER)
911 for (i = 0; i < kx->nr; i++)
912 kxc_destroy(kx->r[i]);
923 * Arguments: @keyexch *kx@ = pointer to key exchange context
924 * @time_t now@ = the current time
928 * Use: Starts a new key exchange with the peer. The context must be
929 * in the bizarre state left by @stop@ or @kx_init@.
932 static void start(keyexch *kx, time_t now)
936 assert(kx->f & KXF_DEAD);
940 kx->alpha = mprand_range(MP_NEW, kpriv.dp.q, &rand_global, 0);
941 kx->c = mpmont_exp(&mg, MP_NEW, kpriv.dp.g, kx->alpha);
942 kx->rx = mpmont_exp(&mg, MP_NEW, kx->kpub.y, kx->alpha);
944 kx->t_valid = now + T_VALID;
947 HASH_STRING(&h, "tripe-cookie");
949 HASH_DONE(&h, kx->hc);
951 IF_TRACING(T_KEYEXCH, {
952 trace(T_KEYEXCH, "keyexch: creating new challenge");
953 IF_TRACING(T_CRYPTO, {
954 trace(T_CRYPTO, "crypto: secret = %s", mpstr(kx->alpha));
955 trace(T_CRYPTO, "crypto: challenge = %s", mpstr(kx->c));
956 trace(T_CRYPTO, "crypto: expected response = %s", mpstr(kx->rx));
957 trace_block(T_CRYPTO, "crypto: challenge cookie", kx->hc, HASHSZ);
962 /* --- @checkpub@ --- *
964 * Arguments: @keyexch *kx@ = pointer to key exchange context
966 * Returns: Zero if OK, nonzero if the peer's public key has expired.
968 * Use: Deactivates the key-exchange until the peer acquires a new
972 static int checkpub(keyexch *kx)
975 if (kx->f & KXF_DEAD)
978 if (KEY_EXPIRED(now, kx->texp_kpub)) {
980 a_warn("public key for `%s' has expired", p_name(kx->p));
981 dh_pubfree(&kx->kpub);
982 kx->f &= ~KXF_PUBKEY;
988 /* --- @kx_start@ --- *
990 * Arguments: @keyexch *kx@ = pointer to key exchange context
994 * Use: Stimulates a key exchange. If a key exchage is in progress,
995 * a new challenge is sent (unless the quiet timer forbids
996 * this); if no exchange is in progress, one is commenced.
999 void kx_start(keyexch *kx)
1001 time_t now = time(0);
1005 if (!ISVALID(kx, now)) {
1012 /* --- @kx_message@ --- *
1014 * Arguments: @keyexch *kx@ = pointer to key exchange context
1015 * @unsigned msg@ = the message code
1016 * @buf *b@ = pointer to buffer containing the packet
1020 * Use: Reads a packet containing key exchange messages and handles
1024 void kx_message(keyexch *kx, unsigned msg, buf *b)
1026 time_t now = time(0);
1027 stats *st = p_stats(kx->p);
1032 static const char *const pkname[] = {
1033 "prechallenge", "cookie", "challenge",
1034 "reply", "switch request", "switch confirmation"
1041 if (!ISVALID(kx, now)) {
1046 T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'",
1047 msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); )
1053 rc = dochallenge(kx, msg, b);
1056 rc = doreply(kx, b);
1059 rc = doswitch(kx, b);
1062 rc = doswitchok(kx, b);
1065 a_warn("unexpected key exchange message type %u from `%p'",
1079 /* --- @kx_free@ --- *
1081 * Arguments: @keyexch *kx@ = pointer to key exchange context
1085 * Use: Frees everything in a key exchange context.
1088 void kx_free(keyexch *kx)
1091 if (kx->f & KXF_PUBKEY)
1092 dh_pubfree(&kx->kpub);
1095 /* --- @kx_newkeys@ --- *
1097 * Arguments: @keyexch *kx@ = pointer to key exchange context
1101 * Use: Informs the key exchange module that its keys may have
1102 * changed. If fetching the new keys fails, the peer will be
1103 * destroyed, we log messages and struggle along with the old
1107 void kx_newkeys(keyexch *kx)
1111 if (km_getpubkey(p_name(kx->p), &dp, &kx->texp_kpub))
1113 if (kx->f & KXF_PUBKEY)
1114 dh_pubfree(&kx->kpub);
1116 kx->f |= KXF_PUBKEY;
1117 if ((kx->f & KXF_DEAD) || kx->s != KXS_SWITCH) {
1118 T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'",
1126 /* --- @kx_init@ --- *
1128 * Arguments: @keyexch *kx@ = pointer to key exchange context
1129 * @peer *p@ = pointer to peer context
1130 * @keyset **ks@ = pointer to keyset list
1132 * Returns: Zero if OK, nonzero if it failed.
1134 * Use: Initializes a key exchange module. The module currently
1135 * contains no keys, and will attempt to initiate a key
1139 int kx_init(keyexch *kx, peer *p, keyset **ks)
1143 if (km_getpubkey(p_name(p), &kx->kpub, &kx->texp_kpub))
1145 kx->f = KXF_DEAD | KXF_PUBKEY;
1151 /*----- That's all, folks -------------------------------------------------*/