/* -*-c-*-
*
- * $Id: tripe.h,v 1.16 2003/07/13 11:19:49 mdw Exp $
+ * $Id: tripe.h,v 1.19 2004/04/08 01:36:17 mdw Exp $
*
* Main header file for TrIPE
*
* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
-/*----- Revision history --------------------------------------------------*
- *
- * $Log: tripe.h,v $
- * Revision 1.16 2003/07/13 11:19:49 mdw
- * Incopatible protocol fix! Include message type code under MAC tag to prevent
- * cut-and-paste from key-exchange messages to general packet transport.
- *
- * Revision 1.15 2003/05/16 12:09:03 mdw
- * Allow binding to a chosen address.
- *
- * Revision 1.14 2003/04/06 10:36:33 mdw
- * Rearrange so as not to include Linux headers unless we need to.
- *
- * Revision 1.13 2003/04/06 10:26:35 mdw
- * Report peer name on decrypt errors.
- *
- * Revision 1.12 2003/04/06 10:25:17 mdw
- * Support Linux TUN/TAP device. Fix some bugs.
- *
- * Revision 1.11 2002/01/13 14:57:42 mdw
- * Fix crap typo.
- *
- * Revision 1.10 2002/01/13 14:54:58 mdw
- * Provide MGF macros.
- *
- * Revision 1.9 2001/06/22 19:40:36 mdw
- * Support expiry of other peers' public keys.
- *
- * Revision 1.8 2001/06/19 22:10:57 mdw
- * Some more constants for the algorithms. Document the packet format
- * change for non-malleability. Moved @buf@ definitions to separate header
- * file.
- *
- * Revision 1.7 2001/03/03 12:07:08 mdw
- * Rename word get and put functions now that there's 16-bit support.
- *
- * Revision 1.6 2001/02/19 19:11:09 mdw
- * Output buffering on admin connections.
- *
- * Revision 1.5 2001/02/16 21:41:43 mdw
- * Major changes. See source files for details.
- *
- * Revision 1.4 2001/02/05 19:56:37 mdw
- * Sequence number protection, and BSD tunnels.
- *
- * Revision 1.3 2001/02/04 01:17:55 mdw
- * Create a configuration header file to tidy up command lines.
- *
- * Revision 1.2 2001/02/03 22:40:29 mdw
- * Put timer information into the entropy pool when packets are received
- * and on similar events. Reseed the generator on the interval timer.
- *
- * Revision 1.1 2001/02/03 20:26:37 mdw
- * Initial checkin.
- *
- */
-
#ifndef TRIPE_H
#define TRIPE_H
#include <mLib/sub.h>
#include <mLib/trace.h>
+#include <catacomb/buf.h>
+
#include <catacomb/gcipher.h>
#include <catacomb/gmac.h>
#include <catacomb/grand.h>
#include <catacomb/rand.h>
#include <catacomb/mp.h>
-#include <catacomb/mpmont.h>
#include <catacomb/mprand.h>
#include <catacomb/dh.h>
+#include <catacomb/ec.h>
+#include <catacomb/ec-keys.h>
+#include <catacomb/group.h>
-#include "buf.h"
+#include "tripe-protocol.h"
#include "util.h"
#undef sun
#define PKBUFSZ 65536
-/*----- TrIPE protocol ----------------------------------------------------*/
-
-/* --- TrIPE message format --- *
- *
- * A packet begins with a single-byte message type. The top four bits are a
- * category code used to send the message to the right general place in the
- * code; the bottom bits identify the actual message type.
- */
-
-#define MSG_CATMASK 0xf0
-#define MSG_TYPEMASK 0x0f
-
-/* --- Encrypted message packets --- *
- *
- * Messages of category @MSG_PACKET@ contain encrypted network packets. The
- * message content is a symmetric-encrypted block (see below). Reception of
- * a packet encrypted under a new key implicitly permits that key to be used
- * to send further packets.
- *
- * The only packet type accepted is zero.
- *
- * Packets may be encrypted under any live keyset, but should use the most
- * recent one.
- */
-
-#define MSG_PACKET 0x00
-
-/* --- Key exchange packets --- */
-
-#define MSG_KEYEXCH 0x10
-
-#define KX_PRECHAL 0u
-#define KX_COOKIE 1u
-#define KX_CHAL 2u
-#define KX_REPLY 3u
-#define KX_SWITCH 4u
-#define KX_SWITCHOK 5u
-#define KX_NMSG 6u
-
-/* --- Symmetric encryption and keysets --- *
- *
- * Packets consist of an 80-bit MAC, a 32-bit sequence number, and the
- * encrypted payload.
- *
- * The plaintext is encrypted using Blowfish in CBC mode with ciphertext
- * stealing (as described in [Schneier]. The initialization vector is
- * selected randomly, and prepended to the actual ciphertext.
- *
- * The MAC is computed using the HMAC construction with RIPEMD160 over the
- * sequence number and the ciphertext (with IV); the first 80 bits of the
- * output are used. (This is the minimum allowed by the draft FIPS for HMAC,
- * and the recommended truncation.)
- *
- * A keyset consists of
- *
- * * an integrity (MAC) key;
- * * a confidentiality (encryption) key; and
- * * a sequence numbering space
- *
- * in each direction. The packets sent by a host encrypted under a
- * particular keyset are assigned consecutive sequence numbers starting from
- * zero. The receiving host must ensure that it only accepts each packet at
- * most once. It should maintain a window of sequence numbers: packets with
- * numbers beyond the end of the window are accepted and cause the window to
- * be advanced; packets with numbers before the start of the window are
- * rejected; packets with numbers which appear within the window are accepted
- * only if the number has not been seen before.
- *
- * When a host sends a @KX_SWITCH@ or @KX_SWITCHOK@ message, it installs the
- * newly-negotiated keyset in a `listen-only' state: it may not send a packet
- * encrypted under the keyset until either it has received a @KX_SWITCH@ or
- * @KX_SWITCHOK@ message, or a @MSG_PACKET@ encrypted under the keyset, from
- * its peer.
- */
-
/*----- Cipher selections -------------------------------------------------*/
#include <catacomb/blowfish.h>
typedef struct kxchal {
struct keyexch *kx; /* Pointer back to key exchange */
- mp *c; /* Responder's challenge */
- mp *r; /* My reply to the challenge */
+ ge *c; /* Responder's challenge */
+ ge *r; /* My reply to the challenge */
keyset *ks; /* Pointer to temporary keyset */
unsigned f; /* Various useful flags */
sel_timer t; /* Response timer for challenge */
unsigned f; /* Various useful flags */
unsigned s; /* Current state in exchange */
sel_timer t; /* Timer for next exchange */
- dh_pub kpub; /* Peer's public key */
+ ge *kpub; /* Peer's public key */
time_t texp_kpub; /* Expiry time for public key */
mp *alpha; /* My temporary secret */
- mp *c; /* My challenge */
- mp *rx; /* The expected response */
+ ge *c; /* My challenge */
+ ge *rx; /* The expected response */
unsigned nr; /* Number of extant responses */
time_t t_valid; /* When this exchange goes bad */
octet hc[HASHSZ]; /* Hash of my challenge */
/*----- Global variables --------------------------------------------------*/
extern sel_state sel; /* Global I/O event state */
-extern dh_priv kpriv; /* Our private key */
-extern mpmont mg; /* Montgomery context for DH group */
+extern group *gg; /* The group we work in */
+extern mp *kpriv; /* Our private key */
extern octet buf_i[PKBUFSZ], buf_o[PKBUFSZ], buf_t[PKBUFSZ];
#ifndef NTRACE
/* --- @km_getpubkey@ --- *
*
* Arguments: @const char *tag@ = public key tag to load
- * @dh_pub *kpub@ = where to put the public key
+ * @ge *kpub@ = where to put the public key
* @time_t *t_exp@ = where to put the expiry time
*
* Returns: Zero if OK, nonzero if it failed.
* Use: Fetches a public key from the keyring.
*/
-extern int km_getpubkey(const char */*tag*/, dh_pub */*kpub*/,
+extern int km_getpubkey(const char */*tag*/, ge */*kpub*/,
time_t */*t_exp*/);
/*----- Key exchange ------------------------------------------------------*/
extern const char *mpstr(mp */*m*/);
+/* --- @gestr@ --- *
+ *
+ * Arguments: @group *g@ = a group
+ * @ge *x@ = a group element
+ *
+ * Returns: A pointer to the element's textual representation.
+ *
+ * Use: Converts a group element to a string. Corrupts
+ * @buf_t@.
+ */
+
+extern const char *gestr(group */*g*/, ge */*x*/);
+
/* --- @timestr@ --- *
*
* Arguments: @time_t t@ = a time to convert
~mdw / tripe / blobdiff