3 * Key exchange protocol
5 * (c) 2001 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Trivial IP Encryption (TrIPE).
12 * TrIPE is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * TrIPE is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /*----- Header files ------------------------------------------------------*/
31 /*----- Brief protocol overview -------------------------------------------*
33 * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
34 * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
35 * application of the symmetric packet protocol to a message; let
36 * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
37 * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
38 * be Bob's public key.
40 * At the beginning of the session, Alice chooses
42 * %$\rho_A \inr \{0, \ldots q - 1\}$%
46 * %$r_A = g^{\rho_A}$% Alice's challenge
47 * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
48 * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
49 * Alice's challenge check value
50 * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
51 * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
52 * Alice and Bob's shared secret key
53 * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
54 * Alice's switch request value
55 * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
56 * Alice's switch confirm value
58 * The messages are then:
60 * %$\cookie{kx-pre-challenge}, r_A$%
61 * Initial greeting. In state @KXS_CHAL@.
63 * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
64 * Here's a full challenge for you to answer.
66 * %$\cookie{kx-reply}, r_A, c_B, v_A, E_K(r_B^\alpha))$%
67 * Challenge accpeted: here's the answer. Commit to my challenge. Move
70 * %$\cookie{kx-switch-rq}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
71 * Reply received: here's my reply. Committed; send data; move to
74 * %$\cookie{kx-switch-ok}, E_K(u_A))$%
75 * Switch received. Committed; send data; move to @KXS_SWITCH@.
78 /*----- Tunable parameters ------------------------------------------------*/
80 #define T_VALID MIN(2) /* Challenge validity period */
81 #define T_RETRY SEC(10) /* Challenge retransmit interval */
83 #define VALIDP(kx, now) ((now) < (kx)->t_valid)
85 /*----- Static tables -----------------------------------------------------*/
87 static const char *const pkname[] = {
88 "pre-challenge", "cookie", "challenge",
89 "reply", "switch-rq", "switch-ok"
92 /*----- Various utilities -------------------------------------------------*/
96 * Arguments: @ghash *h@ = pointer to hash context
97 * @ge *x@ = pointer to group element
101 * Use: Adds the hash of a group element to the context. Corrupts
105 static void hashge(ghash *h, ge *x)
108 buf_init(&b, buf_t, sizeof(buf_t));
111 GH_HASH(h, BBASE(&b), BLEN(&b));
114 /* --- @mpmask@ --- *
116 * Arguments: @buf *b@ = output buffer
117 * @mp *x@ = the plaintext integer
118 * @size_t n@ = the expected size of the plaintext
119 * @const octet *k@ = pointer to key material
120 * @size_t ksz@ = size of the key
122 * Returns: Pointer to the output.
124 * Use: Masks a multiprecision integer: returns %$x \xor H(k)$%, so
125 * it's a random oracle thing rather than an encryption thing.
128 static octet *mpmask(buf *b, mp *x, size_t n, const octet *k, size_t ksz)
133 if ((p = buf_get(b, n)) == 0)
135 mgf = GC_INIT(algs.mgf, k, ksz);
136 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
137 trace(T_CRYPTO, "masking index = %s", mpstr(x));
138 trace_block(T_CRYPTO, "masking key", k, ksz);
140 mp_storeb(x, buf_t, n);
141 GC_ENCRYPT(mgf, buf_t, p, n);
142 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
143 trace_block(T_CRYPTO, "index plaintext", buf_t, n);
144 trace_block(T_CRYPTO, "masked ciphertext", p, n);
150 /* --- @mpunmask@ --- *
152 * Arguments: @mp *d@ = the output integer
153 * @const octet *p@ = pointer to the ciphertext
154 * @size_t n@ = the size of the ciphertext
155 * @const octet *k@ = pointer to key material
156 * @size_t ksz@ = size of the key
158 * Returns: The decrypted integer, or null.
160 * Use: Unmasks a multiprecision integer.
163 static mp *mpunmask(mp *d, const octet *p, size_t n,
164 const octet *k, size_t ksz)
168 mgf = GC_INIT(algs.mgf, k, ksz);
169 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
170 trace_block(T_CRYPTO, "unmasking key", k, ksz);
171 trace_block(T_CRYPTO, "masked ciphertext", p, n);
173 GC_DECRYPT(mgf, p, buf_t, n);
174 d = mp_loadb(d, buf_t, n);
175 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
176 trace_block(T_CRYPTO, "index plaintext", buf_t, n);
177 trace(T_CRYPTO, "unmasked index = %s", mpstr(d));
183 /* --- @hashcheck@ --- *
185 * Arguments: @ge *kpub@ = sender's public key
186 * @ge *cc@ = receiver's challenge
187 * @ge *c@ = sender's challenge
188 * @ge *y@ = reply to sender's challenge
190 * Returns: Pointer to the hash value (in @buf_t@)
192 * Use: Computes the check-value hash, used to mask or unmask
193 * indices to prove the validity of challenges. This computes
194 * the masking key used in challenge check values. This is
195 * really the heart of the whole thing, since it ensures that
196 * the index can be recovered from the history of hashing
197 * queries, which gives us (a) a proof that the authentication
198 * process is zero-knowledge, and (b) a proof that the whole
199 * key-exchange is deniable.
202 static const octet *hashcheck(ge *kpub, ge *cc, ge *c, ge *y)
204 ghash *h = GH_INIT(algs.h);
206 HASH_STRING(h, "tripe-expected-reply");
212 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
213 trace(T_CRYPTO, "computing challenge check hash");
214 trace(T_CRYPTO, "public key = %s", gestr(gg, kpub));
215 trace(T_CRYPTO, "receiver challenge = %s", gestr(gg, cc));
216 trace(T_CRYPTO, "sender challenge = %s", gestr(gg, c));
217 trace(T_CRYPTO, "sender reply = %s", gestr(gg, y));
218 trace_block(T_CRYPTO, "hash output", buf_t, algs.hashsz);
224 /* --- @sendchallenge@ --- *
226 * Arguments: @keyexch *kx@ = pointer to key exchange block
227 * @buf *b@ = output buffer for challenge
228 * @ge *c@ = peer's actual challenge
229 * @const octet *hc@ = peer's challenge cookie
233 * Use: Writes a full challenge to the message buffer.
236 static void sendchallenge(keyexch *kx, buf *b, ge *c, const octet *hc)
238 G_TOBUF(gg, b, kx->c);
239 buf_put(b, hc, algs.hashsz);
240 mpmask(b, kx->alpha, indexsz,
241 hashcheck(kpub, c, kx->c, kx->rx), algs.hashsz);
246 * Arguments: @struct timeval *tv@ = the current time
247 * @void *v@ = pointer to key exchange context
251 * Use: Acts when the key exchange timer goes off.
254 static void timer(struct timeval *tv, void *v)
258 T( trace(T_KEYEXCH, "keyexch: timer has popped"); )
262 /* --- @settimer@ --- *
264 * Arguments: @keyexch *kx@ = pointer to key exchange context
265 * @time_t t@ = when to set the timer for
269 * Use: Sets the timer for the next key exchange attempt.
272 static void settimer(keyexch *kx, time_t t)
275 if (kx->f & KXF_TIMER)
279 sel_addtimer(&sel, &kx->t, &tv, timer, kx);
283 /*----- Challenge management ----------------------------------------------*/
285 /* --- Notes on challenge management --- *
287 * We may get multiple different replies to our key exchange; some will be
288 * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
289 * received will be added to the table and given a full response. After
290 * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
291 * our existing challenge, followed by a hash of the sender's challenge. We
292 * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
293 * properly-formed cookies are assigned a table slot: if none is spare, a
294 * used slot is randomly selected and destroyed. A cookie always receives a
298 /* --- @kxc_destroy@ --- *
300 * Arguments: @kxchal *kxc@ = pointer to the challenge block
304 * Use: Disposes of a challenge block.
307 static void kxc_destroy(kxchal *kxc)
309 if (kxc->f & KXF_TIMER)
310 sel_rmtimer(&kxc->t);
311 G_DESTROY(gg, kxc->c);
312 G_DESTROY(gg, kxc->r);
317 /* --- @kxc_stoptimer@ --- *
319 * Arguments: @kxchal *kxc@ = pointer to the challenge block
323 * Use: Stops the challenge's retry timer from sending messages.
324 * Useful when the state machine is in the endgame of the
328 static void kxc_stoptimer(kxchal *kxc)
330 if (kxc->f & KXF_TIMER)
331 sel_rmtimer(&kxc->t);
332 kxc->f &= ~KXF_TIMER;
335 /* --- @kxc_new@ --- *
337 * Arguments: @keyexch *kx@ = pointer to key exchange block
339 * Returns: A pointer to the challenge block.
341 * Use: Returns a pointer to a new challenge block to fill in.
344 static kxchal *kxc_new(keyexch *kx)
349 /* --- If we're over reply threshold, discard one at random --- */
351 if (kx->nr < KX_NCHAL)
354 i = rand_global.ops->range(&rand_global, KX_NCHAL);
355 kxc_destroy(kx->r[i]);
358 /* --- Fill in the new structure --- */
360 kxc = CREATE(kxchal);
361 kxc->c = G_CREATE(gg);
362 kxc->r = G_CREATE(gg);
370 /* --- @kxc_bychal@ --- *
372 * Arguments: @keyexch *kx@ = pointer to key exchange block
373 * @ge *c@ = challenge from remote host
375 * Returns: Pointer to the challenge block, or null.
377 * Use: Finds a challenge block, given its challenge.
380 static kxchal *kxc_bychal(keyexch *kx, ge *c)
384 for (i = 0; i < kx->nr; i++) {
385 if (G_EQ(gg, c, kx->r[i]->c))
391 /* --- @kxc_byhc@ --- *
393 * Arguments: @keyexch *kx@ = pointer to key exchange block
394 * @const octet *hc@ = challenge hash from remote host
396 * Returns: Pointer to the challenge block, or null.
398 * Use: Finds a challenge block, given a hash of its challenge.
401 static kxchal *kxc_byhc(keyexch *kx, const octet *hc)
405 for (i = 0; i < kx->nr; i++) {
406 if (memcmp(hc, kx->r[i]->hc, algs.hashsz) == 0)
412 /* --- @kxc_answer@ --- *
414 * Arguments: @keyexch *kx@ = pointer to key exchange block
415 * @kxchal *kxc@ = pointer to challenge block
419 * Use: Sends a reply to the remote host, according to the data in
420 * this challenge block.
423 static void kxc_answer(keyexch *kx, kxchal *kxc);
425 static void kxc_timer(struct timeval *tv, void *v)
428 kxc->f &= ~KXF_TIMER;
429 kxc_answer(kxc->kx, kxc);
432 static void kxc_answer(keyexch *kx, kxchal *kxc)
434 stats *st = p_stats(kx->p);
435 buf *b = p_txstart(kx->p, MSG_KEYEXCH | KX_REPLY);
439 /* --- Build the reply packet --- */
441 T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
442 sendchallenge(kx, b, kxc->c, kxc->hc);
443 buf_init(&bb, buf_i, sizeof(buf_i));
444 G_TORAW(gg, &bb, kxc->r);
446 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
448 /* --- Update the statistics --- */
452 st->sz_kxout += BLEN(b);
456 /* --- Schedule another resend --- */
458 if (kxc->f & KXF_TIMER)
459 sel_rmtimer(&kxc->t);
460 gettimeofday(&tv, 0);
461 tv.tv_sec += T_RETRY;
462 sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc);
466 /*----- Individual message handlers ---------------------------------------*/
468 /* --- @doprechallenge@ --- *
470 * Arguments: @keyexch *kx@ = pointer to key exchange block
471 * @buf *b@ = buffer containing the packet
473 * Returns: Zero if OK, nonzero of the packet was rejected.
475 * Use: Processes a pre-challenge message.
478 static int doprechallenge(keyexch *kx, buf *b)
480 stats *st = p_stats(kx->p);
481 ge *c = G_CREATE(gg);
484 /* --- Ensure that we're in a sensible state --- */
486 if (kx->s != KXS_CHAL) {
487 a_warn("KX", "?PEER", kx->p, "unexpected", "pre-challenge", A_END);
491 /* --- Unpack the packet --- */
493 if (G_FROMBUF(gg, b, c) || BLEFT(b))
496 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
497 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
500 /* --- Send out a full challenge by return --- */
502 b = p_txstart(kx->p, MSG_KEYEXCH | KX_CHAL);
504 HASH_STRING(h, "tripe-cookie");
506 sendchallenge(kx, b, c, GH_DONE(h, 0));
509 st->sz_kxout += BLEN(b);
518 if (c) G_DESTROY(gg, c);
522 /* --- @respond@ --- *
524 * Arguments: @keyexch *kx@ = pointer to key exchange block
525 * @unsigned msg@ = message code for this packet
526 * @buf *b@ = buffer containing the packet
528 * Returns: Key-exchange challenge block, or null.
530 * Use: Computes a response for the given challenge, entering it into
531 * a challenge block and so on.
534 static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
536 ge *c = G_CREATE(gg);
537 ge *r = G_CREATE(gg);
538 ge *cc = G_CREATE(gg);
539 const octet *hc, *ck;
547 /* --- Unpack the packet --- */
549 if (G_FROMBUF(gg, b, c) ||
550 (hc = buf_get(b, algs.hashsz)) == 0 ||
551 (ck = buf_get(b, indexsz)) == 0) {
552 a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
555 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
556 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
557 trace_block(T_CRYPTO, "crypto: cookie", hc, algs.hashsz);
558 trace_block(T_CRYPTO, "crypto: check-value", ck, indexsz);
561 /* --- Discard a packet with an invalid cookie --- */
563 if (hc && memcmp(hc, kx->hc, algs.hashsz) != 0) {
564 a_warn("KX", "?PEER", kx->p, "incorrect", "cookie", A_END);
568 /* --- Recover the check value and verify it --- *
570 * To avoid recomputation on replays, we store a hash of the `right'
571 * value. The `correct' value is unique, so this is right.
573 * This will also find a challenge block and, if necessary, populate it.
576 if ((kxc = kxc_bychal(kx, c)) != 0) {
578 HASH_STRING(h, "tripe-check-hash");
579 GH_HASH(h, ck, indexsz);
580 ok = !memcmp(kxc->ck, GH_DONE(h, 0), algs.hashsz);
582 if (!ok) goto badcheck;
585 /* --- Compute the reply, and check the magic --- */
587 G_EXP(gg, r, c, kpriv);
588 cv = mpunmask(MP_NEW, ck, indexsz,
589 hashcheck(kx->kpub, kx->c, c, r), algs.hashsz);
590 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
591 trace(T_CRYPTO, "crypto: computed reply = %s", gestr(gg, r));
592 trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv));
594 if (MP_CMP(cv, >, gg->r) ||
595 (G_EXP(gg, cc, gg->g, cv), !G_EQ(gg, c, cc)))
598 /* --- Fill in a new challenge block --- */
601 G_COPY(gg, kxc->c, c);
602 G_COPY(gg, kxc->r, r);
605 HASH_STRING(h, "tripe-check-hash");
606 GH_HASH(h, ck, indexsz);
611 HASH_STRING(h, "tripe-cookie");
616 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
617 trace_block(T_CRYPTO, "crypto: computed cookie", kxc->hc, algs.hashsz);
620 /* --- Work out the shared key --- */
622 G_EXP(gg, r, c, kx->alpha);
623 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
624 trace(T_CRYPTO, "crypto: shared secret = %s", gestr(gg, r));
627 /* --- Compute the switch messages --- */
629 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
630 hashge(h, kx->c); hashge(h, kxc->c);
631 GH_DONE(h, kxc->hswrq_out); GH_DESTROY(h);
632 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
633 hashge(h, kx->c); hashge(h, kxc->c);
634 GH_DONE(h, kxc->hswok_out); GH_DESTROY(h);
636 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
637 hashge(h, kxc->c); hashge(h, kx->c);
638 GH_DONE(h, kxc->hswrq_in); GH_DESTROY(h);
639 h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
640 hashge(h, kxc->c); hashge(h, kx->c);
641 GH_DONE(h, kxc->hswok_in); GH_DESTROY(h);
643 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
644 trace_block(T_CRYPTO, "crypto: outbound switch request",
645 kxc->hswrq_out, algs.hashsz);
646 trace_block(T_CRYPTO, "crypto: outbound switch confirm",
647 kxc->hswok_out, algs.hashsz);
648 trace_block(T_CRYPTO, "crypto: inbound switch request",
649 kxc->hswrq_in, algs.hashsz);
650 trace_block(T_CRYPTO, "crypto: inbound switch confirm",
651 kxc->hswok_in, algs.hashsz);
654 /* --- Create a new symmetric keyset --- */
656 buf_init(&bb, buf_o, sizeof(buf_o));
657 G_TOBUF(gg, &bb, kx->c); x = BLEN(&bb);
658 G_TOBUF(gg, &bb, kxc->c); y = BLEN(&bb);
659 G_TOBUF(gg, &bb, r); z = BLEN(&bb);
662 kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p);
672 a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
682 /* --- @dochallenge@ --- *
684 * Arguments: @keyexch *kx@ = pointer to key exchange block
685 * @unsigned msg@ = message code for the packet
686 * @buf *b@ = buffer containing the packet
688 * Returns: Zero if OK, nonzero if the packet was rejected.
690 * Use: Processes a packet containing a challenge.
693 static int dochallenge(keyexch *kx, buf *b)
697 if (kx->s != KXS_CHAL) {
698 a_warn("KX", "?PEER", kx->p, "unexpected", "challenge", A_END);
701 if ((kxc = respond(kx, KX_CHAL, b)) == 0)
704 a_warn("KX", "?PEER", kx->p, "invalid", "challenge", A_END);
714 /* --- @resend@ --- *
716 * Arguments: @keyexch *kx@ = pointer to key exchange context
720 * Use: Sends the next message for a key exchange.
723 static void resend(keyexch *kx)
727 stats *st = p_stats(kx->p);
732 T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'",
734 b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL);
735 G_TOBUF(gg, b, kx->c);
738 T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'",
741 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH);
742 buf_put(b, kx->hc, algs.hashsz);
743 buf_put(b, kxc->hc, algs.hashsz);
744 buf_init(&bb, buf_i, sizeof(buf_i));
745 G_TORAW(gg, &bb, kxc->r);
746 buf_put(&bb, kxc->hswrq_out, algs.hashsz);
748 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCH, &bb, b);
751 T( trace(T_KEYEXCH, "keyexch: sending switch confirmation to `%s'",
754 b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK);
755 buf_init(&bb, buf_i, sizeof(buf_i));
756 buf_put(&bb, kxc->hswok_out, algs.hashsz);
758 ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, &bb, b);
766 st->sz_kxout += BLEN(b);
770 if (kx->s < KXS_SWITCH)
771 settimer(kx, time(0) + T_RETRY);
774 /* --- @decryptrest@ --- *
776 * Arguments: @keyexch *kx@ = pointer to key exchange context
777 * @kxchal *kxc@ = pointer to challenge block
778 * @unsigned msg@ = type of incoming message
779 * @buf *b@ = encrypted remainder of the packet
781 * Returns: Zero if OK, nonzero on some kind of error.
783 * Use: Decrypts the remainder of the packet, and points @b@ at the
784 * recovered plaintext.
787 static int decryptrest(keyexch *kx, kxchal *kxc, unsigned msg, buf *b)
791 buf_init(&bb, buf_o, sizeof(buf_o));
792 if (ks_decrypt(kxc->ks, MSG_KEYEXCH | msg, b, &bb)) {
793 a_warn("KX", "?PEER", kx->p, "decrypt-failed", "%s", pkname[msg], A_END);
796 buf_init(b, BBASE(&bb), BLEN(&bb));
800 /* --- @checkresponse@ --- *
802 * Arguments: @keyexch *kx@ = pointer to key exchange context
803 * @unsigned msg@ = type of incoming message
804 * @buf *b@ = decrypted remainder of the packet
806 * Returns: Zero if OK, nonzero on some kind of error.
808 * Use: Checks a reply or switch packet, ensuring that its response
812 static int checkresponse(keyexch *kx, unsigned msg, buf *b)
814 ge *r = G_CREATE(gg);
816 if (G_FROMRAW(gg, b, r)) {
817 a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
820 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
821 trace(T_CRYPTO, "crypto: reply = %s", gestr(gg, r));
823 if (!G_EQ(gg, r, kx->rx)) {
824 a_warn("KX", "?PEER", kx->p, "incorrect", "response", A_END);
836 /* --- @commit@ --- *
838 * Arguments: @keyexch *kx@ = pointer to key exchange context
839 * @kxchal *kxc@ = pointer to challenge to commit to
843 * Use: Commits to a particular challenge as being the `right' one,
844 * since a reply has arrived for it.
847 static void commit(keyexch *kx, kxchal *kxc)
851 for (i = 0; i < kx->nr; i++) {
853 kxc_destroy(kx->r[i]);
858 ksl_link(kx->ks, kxc->ks);
861 /* --- @doreply@ --- *
863 * Arguments: @keyexch *kx@ = pointer to key exchange context
864 * @buf *b@ = buffer containing packet
866 * Returns: Zero if OK, nonzero if the packet was rejected.
868 * Use: Handles a reply packet. This doesn't handle the various
869 * switch packets: they're rather too different.
872 static int doreply(keyexch *kx, buf *b)
876 if (kx->s != KXS_CHAL && kx->s != KXS_COMMIT) {
877 a_warn("KX", "?PEER", kx->p, "unexpected", "reply", A_END);
880 if ((kxc = respond(kx, KX_REPLY, b)) == 0 ||
881 decryptrest(kx, kxc, KX_REPLY, b) ||
882 checkresponse(kx, KX_REPLY, b))
885 a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
888 if (kx->s == KXS_CHAL) {
899 /* --- @kxfinish@ --- *
901 * Arguments: @keyexch *kx@ = pointer to key exchange block
905 * Use: Sets everything up following a successful key exchange.
908 static void kxfinish(keyexch *kx)
910 kxchal *kxc = kx->r[0];
911 ks_activate(kxc->ks);
912 settimer(kx, ks_tregen(kxc->ks));
914 a_notify("KXDONE", "?PEER", kx->p, A_END);
915 p_stats(kx->p)->t_kx = time(0);
918 /* --- @doswitch@ --- *
920 * Arguments: @keyexch *kx@ = pointer to key exchange block
921 * @buf *b@ = pointer to buffer containing packet
923 * Returns: Zero if OK, nonzero if the packet was rejected.
925 * Use: Handles a reply with a switch request bolted onto it.
928 static int doswitch(keyexch *kx, buf *b)
930 const octet *hc_in, *hc_out, *hswrq;
933 if ((hc_in = buf_get(b, algs.hashsz)) == 0 ||
934 (hc_out = buf_get(b, algs.hashsz)) == 0) {
935 a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
938 IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
939 trace_block(T_CRYPTO, "crypto: challenge", hc_in, algs.hashsz);
940 trace_block(T_CRYPTO, "crypto: cookie", hc_out, algs.hashsz);
942 if ((kxc = kxc_byhc(kx, hc_in)) == 0 ||
943 memcmp(hc_out, kx->hc, algs.hashsz) != 0) {
944 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
947 if (decryptrest(kx, kxc, KX_SWITCH, b) ||
948 checkresponse(kx, KX_SWITCH, b))
950 if ((hswrq = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
951 a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
954 IF_TRACING(T_KEYEXCH, {
955 trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, algs.hashsz);
957 if (memcmp(hswrq, kxc->hswrq_in, algs.hashsz) != 0) {
958 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
961 if (kx->s == KXS_CHAL)
963 if (kx->s < KXS_SWITCH)
972 /* --- @doswitchok@ --- *
974 * Arguments: @keyexch *kx@ = pointer to key exchange block
975 * @buf *b@ = pointer to buffer containing packet
977 * Returns: Zero if OK, nonzero if the packet was rejected.
979 * Use: Handles a reply with a switch request bolted onto it.
982 static int doswitchok(keyexch *kx, buf *b)
988 if (kx->s < KXS_COMMIT) {
989 a_warn("KX", "?PEER", kx->p, "unexpected", "switch-ok", A_END);
993 buf_init(&bb, buf_o, sizeof(buf_o));
994 if (decryptrest(kx, kxc, KX_SWITCHOK, b))
996 if ((hswok = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
997 a_warn("KX", "?PEER", kx->p, "invalid", "switch-ok", A_END);
1000 IF_TRACING(T_KEYEXCH, {
1001 trace_block(T_CRYPTO, "crypto: switch confirmation hash",
1002 hswok, algs.hashsz);
1004 if (memcmp(hswok, kxc->hswok_in, algs.hashsz) != 0) {
1005 a_warn("KX", "?PEER", kx->p, "incorrect", "switch-ok", A_END);
1008 if (kx->s < KXS_SWITCH)
1016 /*----- Main code ---------------------------------------------------------*/
1020 * Arguments: @keyexch *kx@ = pointer to key exchange context
1024 * Use: Stops a key exchange dead in its tracks. Throws away all of
1025 * the context information. The context is left in an
1026 * inconsistent state. The only functions which understand this
1027 * state are @kx_free@ and @kx_init@ (which cause it internally
1028 * it), and @start@ (which expects it to be the prevailing
1032 static void stop(keyexch *kx)
1036 if (kx->f & KXF_DEAD)
1039 if (kx->f & KXF_TIMER)
1040 sel_rmtimer(&kx->t);
1041 for (i = 0; i < kx->nr; i++)
1042 kxc_destroy(kx->r[i]);
1044 G_DESTROY(gg, kx->c);
1045 G_DESTROY(gg, kx->rx);
1048 kx->f &= ~KXF_TIMER;
1051 /* --- @start@ --- *
1053 * Arguments: @keyexch *kx@ = pointer to key exchange context
1054 * @time_t now@ = the current time
1058 * Use: Starts a new key exchange with the peer. The context must be
1059 * in the bizarre state left by @stop@ or @kx_init@.
1062 static void start(keyexch *kx, time_t now)
1066 assert(kx->f & KXF_DEAD);
1068 kx->f &= ~(KXF_DEAD | KXF_CORK);
1070 kx->alpha = mprand_range(MP_NEW, gg->r, &rand_global, 0);
1071 kx->c = G_CREATE(gg); G_EXP(gg, kx->c, gg->g, kx->alpha);
1072 kx->rx = G_CREATE(gg); G_EXP(gg, kx->rx, kx->kpub, kx->alpha);
1074 kx->t_valid = now + T_VALID;
1076 h = GH_INIT(algs.h);
1077 HASH_STRING(h, "tripe-cookie");
1082 IF_TRACING(T_KEYEXCH, {
1083 trace(T_KEYEXCH, "keyexch: creating new challenge");
1084 IF_TRACING(T_CRYPTO, {
1085 trace(T_CRYPTO, "crypto: secret = %s", mpstr(kx->alpha));
1086 trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, kx->c));
1087 trace(T_CRYPTO, "crypto: expected response = %s", gestr(gg, kx->rx));
1088 trace_block(T_CRYPTO, "crypto: challenge cookie", kx->hc, algs.hashsz);
1093 /* --- @checkpub@ --- *
1095 * Arguments: @keyexch *kx@ = pointer to key exchange context
1097 * Returns: Zero if OK, nonzero if the peer's public key has expired.
1099 * Use: Deactivates the key-exchange until the peer acquires a new
1103 static int checkpub(keyexch *kx)
1106 if (kx->f & KXF_DEAD)
1109 if (KEY_EXPIRED(now, kx->texp_kpub)) {
1111 a_warn("KX", "?PEER", kx->p, "public-key-expired", A_END);
1112 G_COPY(gg, kx->kpub, gg->i);
1113 kx->f &= ~KXF_PUBKEY;
1119 /* --- @kx_start@ --- *
1121 * Arguments: @keyexch *kx@ = pointer to key exchange context
1122 * @int forcep@ = nonzero to ignore the quiet timer
1126 * Use: Stimulates a key exchange. If a key exchage is in progress,
1127 * a new challenge is sent (unless the quiet timer forbids
1128 * this); if no exchange is in progress, one is commenced.
1131 void kx_start(keyexch *kx, int forcep)
1133 time_t now = time(0);
1137 if (forcep || !VALIDP(kx, now)) {
1140 a_notify("KXSTART", "?PEER", kx->p, A_END);
1145 /* --- @kx_message@ --- *
1147 * Arguments: @keyexch *kx@ = pointer to key exchange context
1148 * @unsigned msg@ = the message code
1149 * @buf *b@ = pointer to buffer containing the packet
1153 * Use: Reads a packet containing key exchange messages and handles
1157 void kx_message(keyexch *kx, unsigned msg, buf *b)
1159 time_t now = time(0);
1160 stats *st = p_stats(kx->p);
1164 if (kx->f & KXF_CORK) {
1166 settimer(kx, now + T_RETRY);
1167 a_notify("KXSTART", A_END);
1173 if (!VALIDP(kx, now)) {
1177 T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'",
1178 msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); )
1182 rc = doprechallenge(kx, b);
1185 rc = dochallenge(kx, b);
1188 rc = doreply(kx, b);
1191 rc = doswitch(kx, b);
1194 rc = doswitchok(kx, b);
1197 a_warn("KX", "?PEER", kx->p, "unknown-message", "0x%02x", msg, A_END);
1210 /* --- @kx_free@ --- *
1212 * Arguments: @keyexch *kx@ = pointer to key exchange context
1216 * Use: Frees everything in a key exchange context.
1219 void kx_free(keyexch *kx)
1222 G_DESTROY(gg, kx->kpub);
1225 /* --- @kx_newkeys@ --- *
1227 * Arguments: @keyexch *kx@ = pointer to key exchange context
1231 * Use: Informs the key exchange module that its keys may have
1232 * changed. If fetching the new keys fails, the peer will be
1233 * destroyed, we log messages and struggle along with the old
1237 void kx_newkeys(keyexch *kx)
1239 if (km_getpubkey(p_name(kx->p), kx->kpub, &kx->texp_kpub))
1241 kx->f |= KXF_PUBKEY;
1242 if ((kx->f & KXF_DEAD) || kx->s != KXS_SWITCH) {
1243 T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'",
1251 /* --- @kx_init@ --- *
1253 * Arguments: @keyexch *kx@ = pointer to key exchange context
1254 * @peer *p@ = pointer to peer context
1255 * @keyset **ks@ = pointer to keyset list
1256 * @unsigned f@ = various useful flags
1258 * Returns: Zero if OK, nonzero if it failed.
1260 * Use: Initializes a key exchange module. The module currently
1261 * contains no keys, and will attempt to initiate a key
1265 int kx_init(keyexch *kx, peer *p, keyset **ks, unsigned f)
1269 kx->kpub = G_CREATE(gg);
1270 if (km_getpubkey(p_name(p), kx->kpub, &kx->texp_kpub)) {
1271 G_DESTROY(gg, kx->kpub);
1274 kx->f = KXF_DEAD | KXF_PUBKEY | f;
1275 if (!(kx->f & KXF_CORK)) {
1278 /* Don't notify here: the ADD message hasn't gone out yet. */
1283 /*----- That's all, folks -------------------------------------------------*/