-/* -*-c-*-
- *
- * $Id$
- *
- * Key exchange protocol
- *
- * (c) 2001 Straylight/Edgeware
- */
-
-/*----- Licensing notice --------------------------------------------------*
- *
- * This file is part of Trivial IP Encryption (TrIPE).
- *
- * TrIPE is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * TrIPE is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with TrIPE; if not, write to the Free Software Foundation,
- * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- */
-
-/*----- Header files ------------------------------------------------------*/
-
-#include "tripe.h"
-
-/*----- Brief protocol overview -------------------------------------------*
- *
- * Let %$G$% be a cyclic group; let %$g$% be a generator of %$G$%, and let
- * %$q$% be the order of %$G$%; for a key %$K$%, let %$E_K(\cdot)$% denote
- * application of the symmetric packet protocol to a message; let
- * %$H(\cdot)$% be the random oracle. Let $\alpha \inr \{0,\ldots,q - 1\}$%
- * be Alice's private key; let %$a = g^\alpha$% be her public key; let %$b$%
- * be Bob's public key.
- *
- * At the beginning of the session, Alice chooses
- *
- * %$\rho_A \inr \{0, \ldots q - 1\}$%
- *
- * We also have:
- *
- * %$r_A = g^{\rho_A}$% Alice's challenge
- * %$c_A = H(\cookie{cookie}, r_A)$% Alice's cookie
- * %$v_A = \rho_A \xor H(\cookie{expected-reply}, a, r_A, r_B, b^{\rho_A})$%
- * Alice's challenge check value
- * %$r_B^\alpha = a^{\rho_B}$% Alice's reply
- * %$K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}$%
- * Alice and Bob's shared secret key
- * %$w_A = H(\cookie{switch-request}, c_A, c_B)$%
- * Alice's switch request value
- * %$u_A = H(\cookie{switch-confirm}, c_A, c_B)$%
- * Alice's switch confirm value
- *
- * The messages are then:
- *
- * %$\cookie{kx-pre-challenge}, r_A$%
- * Initial greeting. In state @KXS_CHAL@.
- *
- * %$\cookie{kx-challenge}, r_A, c_B, v_A$%
- * Here's a full challenge for you to answer.
- *
- * %$\cookie{kx-reply}, r_A, c_B, v_A, E_K(r_B^\alpha))$%
- * Challenge accpeted: here's the answer. Commit to my challenge. Move
- * to @KXS_COMMIT@.
- *
- * %$\cookie{kx-switch-rq}, c_A, c_B, E_K(r_B^\alpha, w_A))$%
- * Reply received: here's my reply. Committed; send data; move to
- * @KXS_SWITCH@.
- *
- * %$\cookie{kx-switch-ok}, E_K(u_A))$%
- * Switch received. Committed; send data; move to @KXS_SWITCH@.
- */
-
-/*----- Tunable parameters ------------------------------------------------*/
-
-#define T_VALID MIN(2) /* Challenge validity period */
-#define T_RETRY SEC(10) /* Challenge retransmit interval */
-
-#define VALIDP(kx, now) ((now) < (kx)->t_valid)
-
-/*----- Static tables -----------------------------------------------------*/
-
-static const char *const pkname[] = {
- "pre-challenge", "cookie", "challenge",
- "reply", "switch-rq", "switch-ok"
-};
-
-/*----- Various utilities -------------------------------------------------*/
-
-/* --- @hashge@ --- *
- *
- * Arguments: @ghash *h@ = pointer to hash context
- * @ge *x@ = pointer to group element
- *
- * Returns: ---
- *
- * Use: Adds the hash of a group element to the context. Corrupts
- * @buf_t@.
- */
-
-static void hashge(ghash *h, ge *x)
-{
- buf b;
- buf_init(&b, buf_t, sizeof(buf_t));
- G_TOBUF(gg, &b, x);
- assert(BOK(&b));
- GH_HASH(h, BBASE(&b), BLEN(&b));
-}
-
-/* --- @mpmask@ --- *
- *
- * Arguments: @buf *b@ = output buffer
- * @mp *x@ = the plaintext integer
- * @size_t n@ = the expected size of the plaintext
- * @const octet *k@ = pointer to key material
- * @size_t ksz@ = size of the key
- *
- * Returns: Pointer to the output.
- *
- * Use: Masks a multiprecision integer: returns %$x \xor H(k)$%, so
- * it's a random oracle thing rather than an encryption thing.
- */
-
-static octet *mpmask(buf *b, mp *x, size_t n, const octet *k, size_t ksz)
-{
- gcipher *mgf;
- octet *p;
-
- if ((p = buf_get(b, n)) == 0)
- return (0);
- mgf = GC_INIT(algs.mgf, k, ksz);
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace(T_CRYPTO, "masking index = %s", mpstr(x));
- trace_block(T_CRYPTO, "masking key", k, ksz);
- }))
- mp_storeb(x, buf_t, n);
- GC_ENCRYPT(mgf, buf_t, p, n);
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace_block(T_CRYPTO, "index plaintext", buf_t, n);
- trace_block(T_CRYPTO, "masked ciphertext", p, n);
- }))
- GC_DESTROY(mgf);
- return (p);
-}
-
-/* --- @mpunmask@ --- *
- *
- * Arguments: @mp *d@ = the output integer
- * @const octet *p@ = pointer to the ciphertext
- * @size_t n@ = the size of the ciphertext
- * @const octet *k@ = pointer to key material
- * @size_t ksz@ = size of the key
- *
- * Returns: The decrypted integer, or null.
- *
- * Use: Unmasks a multiprecision integer.
- */
-
-static mp *mpunmask(mp *d, const octet *p, size_t n,
- const octet *k, size_t ksz)
-{
- gcipher *mgf;
-
- mgf = GC_INIT(algs.mgf, k, ksz);
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace_block(T_CRYPTO, "unmasking key", k, ksz);
- trace_block(T_CRYPTO, "masked ciphertext", p, n);
- }))
- GC_DECRYPT(mgf, p, buf_t, n);
- d = mp_loadb(d, buf_t, n);
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace_block(T_CRYPTO, "index plaintext", buf_t, n);
- trace(T_CRYPTO, "unmasked index = %s", mpstr(d));
- }))
- GC_DESTROY(mgf);
- return (d);
-}
-
-/* --- @hashcheck@ --- *
- *
- * Arguments: @ge *kpub@ = sender's public key
- * @ge *cc@ = receiver's challenge
- * @ge *c@ = sender's challenge
- * @ge *y@ = reply to sender's challenge
- *
- * Returns: Pointer to the hash value (in @buf_t@)
- *
- * Use: Computes the check-value hash, used to mask or unmask
- * indices to prove the validity of challenges. This computes
- * the masking key used in challenge check values. This is
- * really the heart of the whole thing, since it ensures that
- * the index can be recovered from the history of hashing
- * queries, which gives us (a) a proof that the authentication
- * process is zero-knowledge, and (b) a proof that the whole
- * key-exchange is deniable.
- */
-
-static const octet *hashcheck(ge *kpub, ge *cc, ge *c, ge *y)
-{
- ghash *h = GH_INIT(algs.h);
-
- HASH_STRING(h, "tripe-expected-reply");
- hashge(h, kpub);
- hashge(h, cc);
- hashge(h, c);
- hashge(h, y);
- GH_DONE(h, buf_t);
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace(T_CRYPTO, "computing challenge check hash");
- trace(T_CRYPTO, "public key = %s", gestr(gg, kpub));
- trace(T_CRYPTO, "receiver challenge = %s", gestr(gg, cc));
- trace(T_CRYPTO, "sender challenge = %s", gestr(gg, c));
- trace(T_CRYPTO, "sender reply = %s", gestr(gg, y));
- trace_block(T_CRYPTO, "hash output", buf_t, algs.hashsz);
- }))
- GH_DESTROY(h);
- return (buf_t);
-}
-
-/* --- @sendchallenge@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange block
- * @buf *b@ = output buffer for challenge
- * @ge *c@ = peer's actual challenge
- * @const octet *hc@ = peer's challenge cookie
- *
- * Returns: ---
- *
- * Use: Writes a full challenge to the message buffer.
- */
-
-static void sendchallenge(keyexch *kx, buf *b, ge *c, const octet *hc)
-{
- G_TOBUF(gg, b, kx->c);
- buf_put(b, hc, algs.hashsz);
- mpmask(b, kx->alpha, indexsz,
- hashcheck(kpub, c, kx->c, kx->rx), algs.hashsz);
-}
-
-/* --- @timer@ --- *
- *
- * Arguments: @struct timeval *tv@ = the current time
- * @void *v@ = pointer to key exchange context
- *
- * Returns: ---
- *
- * Use: Acts when the key exchange timer goes off.
- */
-
-static void timer(struct timeval *tv, void *v)
-{
- keyexch *kx = v;
- kx->f &= ~KXF_TIMER;
- T( trace(T_KEYEXCH, "keyexch: timer has popped"); )
- kx_start(kx, 0);
-}
-
-/* --- @settimer@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- * @time_t t@ = when to set the timer for
- *
- * Returns: ---
- *
- * Use: Sets the timer for the next key exchange attempt.
- */
-
-static void settimer(keyexch *kx, time_t t)
-{
- struct timeval tv;
- if (kx->f & KXF_TIMER)
- sel_rmtimer(&kx->t);
- tv.tv_sec = t;
- tv.tv_usec = 0;
- sel_addtimer(&sel, &kx->t, &tv, timer, kx);
- kx->f |= KXF_TIMER;
-}
-
-/*----- Challenge management ----------------------------------------------*/
-
-/* --- Notes on challenge management --- *
- *
- * We may get multiple different replies to our key exchange; some will be
- * correct, some inserted by attackers. Up until @KX_THRESH@, all challenges
- * received will be added to the table and given a full response. After
- * @KX_THRESH@ distinct challenges are received, we return only a `cookie':
- * our existing challenge, followed by a hash of the sender's challenge. We
- * do %%\emph{not}%% give a bare challenge a reply slot at this stage. All
- * properly-formed cookies are assigned a table slot: if none is spare, a
- * used slot is randomly selected and destroyed. A cookie always receives a
- * full reply.
- */
-
-/* --- @kxc_destroy@ --- *
- *
- * Arguments: @kxchal *kxc@ = pointer to the challenge block
- *
- * Returns: ---
- *
- * Use: Disposes of a challenge block.
- */
-
-static void kxc_destroy(kxchal *kxc)
-{
- if (kxc->f & KXF_TIMER)
- sel_rmtimer(&kxc->t);
- G_DESTROY(gg, kxc->c);
- G_DESTROY(gg, kxc->r);
- ks_drop(kxc->ks);
- DESTROY(kxc);
-}
-
-/* --- @kxc_stoptimer@ --- *
- *
- * Arguments: @kxchal *kxc@ = pointer to the challenge block
- *
- * Returns: ---
- *
- * Use: Stops the challenge's retry timer from sending messages.
- * Useful when the state machine is in the endgame of the
- * exchange.
- */
-
-static void kxc_stoptimer(kxchal *kxc)
-{
- if (kxc->f & KXF_TIMER)
- sel_rmtimer(&kxc->t);
- kxc->f &= ~KXF_TIMER;
-}
-
-/* --- @kxc_new@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange block
- *
- * Returns: A pointer to the challenge block.
- *
- * Use: Returns a pointer to a new challenge block to fill in.
- */
-
-static kxchal *kxc_new(keyexch *kx)
-{
- kxchal *kxc;
- unsigned i;
-
- /* --- If we're over reply threshold, discard one at random --- */
-
- if (kx->nr < KX_NCHAL)
- i = kx->nr++;
- else {
- i = rand_global.ops->range(&rand_global, KX_NCHAL);
- kxc_destroy(kx->r[i]);
- }
-
- /* --- Fill in the new structure --- */
-
- kxc = CREATE(kxchal);
- kxc->c = G_CREATE(gg);
- kxc->r = G_CREATE(gg);
- kxc->ks = 0;
- kxc->kx = kx;
- kxc->f = 0;
- kx->r[i] = kxc;
- return (kxc);
-}
-
-/* --- @kxc_bychal@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange block
- * @ge *c@ = challenge from remote host
- *
- * Returns: Pointer to the challenge block, or null.
- *
- * Use: Finds a challenge block, given its challenge.
- */
-
-static kxchal *kxc_bychal(keyexch *kx, ge *c)
-{
- unsigned i;
-
- for (i = 0; i < kx->nr; i++) {
- if (G_EQ(gg, c, kx->r[i]->c))
- return (kx->r[i]);
- }
- return (0);
-}
-
-/* --- @kxc_byhc@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange block
- * @const octet *hc@ = challenge hash from remote host
- *
- * Returns: Pointer to the challenge block, or null.
- *
- * Use: Finds a challenge block, given a hash of its challenge.
- */
-
-static kxchal *kxc_byhc(keyexch *kx, const octet *hc)
-{
- unsigned i;
-
- for (i = 0; i < kx->nr; i++) {
- if (memcmp(hc, kx->r[i]->hc, algs.hashsz) == 0)
- return (kx->r[i]);
- }
- return (0);
-}
-
-/* --- @kxc_answer@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange block
- * @kxchal *kxc@ = pointer to challenge block
- *
- * Returns: ---
- *
- * Use: Sends a reply to the remote host, according to the data in
- * this challenge block.
- */
-
-static void kxc_answer(keyexch *kx, kxchal *kxc);
-
-static void kxc_timer(struct timeval *tv, void *v)
-{
- kxchal *kxc = v;
- kxc->f &= ~KXF_TIMER;
- kxc_answer(kxc->kx, kxc);
-}
-
-static void kxc_answer(keyexch *kx, kxchal *kxc)
-{
- stats *st = p_stats(kx->p);
- buf *b = p_txstart(kx->p, MSG_KEYEXCH | KX_REPLY);
- struct timeval tv;
- buf bb;
-
- /* --- Build the reply packet --- */
-
- T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
- sendchallenge(kx, b, kxc->c, kxc->hc);
- buf_init(&bb, buf_i, sizeof(buf_i));
- G_TORAW(gg, &bb, kxc->r);
- buf_flip(&bb);
- ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
-
- /* --- Update the statistics --- */
-
- if (BOK(b)) {
- st->n_kxout++;
- st->sz_kxout += BLEN(b);
- p_txend(kx->p);
- }
-
- /* --- Schedule another resend --- */
-
- if (kxc->f & KXF_TIMER)
- sel_rmtimer(&kxc->t);
- gettimeofday(&tv, 0);
- tv.tv_sec += T_RETRY;
- sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc);
- kxc->f |= KXF_TIMER;
-}
-
-/*----- Individual message handlers ---------------------------------------*/
-
-/* --- @doprechallenge@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange block
- * @buf *b@ = buffer containing the packet
- *
- * Returns: Zero if OK, nonzero of the packet was rejected.
- *
- * Use: Processes a pre-challenge message.
- */
-
-static int doprechallenge(keyexch *kx, buf *b)
-{
- stats *st = p_stats(kx->p);
- ge *c = G_CREATE(gg);
- ghash *h;
-
- /* --- Ensure that we're in a sensible state --- */
-
- if (kx->s != KXS_CHAL) {
- a_warn("KX", "?PEER", kx->p, "unexpected", "pre-challenge", A_END);
- goto bad;
- }
-
- /* --- Unpack the packet --- */
-
- if (G_FROMBUF(gg, b, c) || BLEFT(b))
- goto bad;
-
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
- }))
-
- /* --- Send out a full challenge by return --- */
-
- b = p_txstart(kx->p, MSG_KEYEXCH | KX_CHAL);
- h = GH_INIT(algs.h);
- HASH_STRING(h, "tripe-cookie");
- hashge(h, c);
- sendchallenge(kx, b, c, GH_DONE(h, 0));
- GH_DESTROY(h);
- st->n_kxout++;
- st->sz_kxout += BLEN(b);
- p_txend(kx->p);
-
- /* --- Done --- */
-
- G_DESTROY(gg, c);
- return (0);
-
-bad:
- if (c) G_DESTROY(gg, c);
- return (-1);
-}
-
-/* --- @respond@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange block
- * @unsigned msg@ = message code for this packet
- * @buf *b@ = buffer containing the packet
- *
- * Returns: Key-exchange challenge block, or null.
- *
- * Use: Computes a response for the given challenge, entering it into
- * a challenge block and so on.
- */
-
-static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
-{
- ge *c = G_CREATE(gg);
- ge *r = G_CREATE(gg);
- ge *cc = G_CREATE(gg);
- const octet *hc, *ck;
- size_t x, y, z;
- mp *cv = 0;
- kxchal *kxc;
- ghash *h = 0;
- buf bb;
- int ok;
-
- /* --- Unpack the packet --- */
-
- if (G_FROMBUF(gg, b, c) ||
- (hc = buf_get(b, algs.hashsz)) == 0 ||
- (ck = buf_get(b, indexsz)) == 0) {
- a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
- goto bad;
- }
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
- trace_block(T_CRYPTO, "crypto: cookie", hc, algs.hashsz);
- trace_block(T_CRYPTO, "crypto: check-value", ck, indexsz);
- }))
-
- /* --- Discard a packet with an invalid cookie --- */
-
- if (hc && memcmp(hc, kx->hc, algs.hashsz) != 0) {
- a_warn("KX", "?PEER", "incorrect", "cookie", A_END);
- goto bad;
- }
-
- /* --- Recover the check value and verify it --- *
- *
- * To avoid recomputation on replays, we store a hash of the `right'
- * value. The `correct' value is unique, so this is right.
- *
- * This will also find a challenge block and, if necessary, populate it.
- */
-
- if ((kxc = kxc_bychal(kx, c)) != 0) {
- h = GH_INIT(algs.h);
- HASH_STRING(h, "tripe-check-hash");
- GH_HASH(h, ck, indexsz);
- ok = !memcmp(kxc->ck, GH_DONE(h, 0), algs.hashsz);
- GH_DESTROY(h);
- if (!ok) goto badcheck;
- } else {
-
- /* --- Compute the reply, and check the magic --- */
-
- G_EXP(gg, r, c, kpriv);
- cv = mpunmask(MP_NEW, ck, indexsz,
- hashcheck(kx->kpub, kx->c, c, r), algs.hashsz);
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace(T_CRYPTO, "crypto: computed reply = %s", gestr(gg, r));
- trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv));
- }))
- if (MP_CMP(cv, >, gg->r) ||
- (G_EXP(gg, cc, gg->g, cv), !G_EQ(gg, c, cc)))
- goto badcheck;
-
- /* --- Fill in a new challenge block --- */
-
- kxc = kxc_new(kx);
- G_COPY(gg, kxc->c, c);
- G_COPY(gg, kxc->r, r);
-
- h = GH_INIT(algs.h);
- HASH_STRING(h, "tripe-check-hash");
- GH_HASH(h, ck, indexsz);
- GH_DONE(h, kxc->hc);
- GH_DESTROY(h);
-
- h = GH_INIT(algs.h);
- HASH_STRING(h, "tripe-cookie");
- hashge(h, kxc->c);
- GH_DONE(h, kxc->hc);
- GH_DESTROY(h);
-
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace_block(T_CRYPTO, "crypto: computed cookie", kxc->hc, algs.hashsz);
- }))
-
- /* --- Work out the shared key --- */
-
- G_EXP(gg, r, c, kx->alpha);
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace(T_CRYPTO, "crypto: shared secret = %s", gestr(gg, r));
- }))
-
- /* --- Compute the switch messages --- */
-
- h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
- hashge(h, kx->c); hashge(h, kxc->c);
- GH_DONE(h, kxc->hswrq_out); GH_DESTROY(h);
- h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
- hashge(h, kx->c); hashge(h, kxc->c);
- GH_DONE(h, kxc->hswok_out); GH_DESTROY(h);
-
- h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
- hashge(h, kxc->c); hashge(h, kx->c);
- GH_DONE(h, kxc->hswrq_in); GH_DESTROY(h);
- h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
- hashge(h, kxc->c); hashge(h, kx->c);
- GH_DONE(h, kxc->hswok_in); GH_DESTROY(h);
-
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace_block(T_CRYPTO, "crypto: outbound switch request",
- kxc->hswrq_out, algs.hashsz);
- trace_block(T_CRYPTO, "crypto: outbound switch confirm",
- kxc->hswok_out, algs.hashsz);
- trace_block(T_CRYPTO, "crypto: inbound switch request",
- kxc->hswrq_in, algs.hashsz);
- trace_block(T_CRYPTO, "crypto: inbound switch confirm",
- kxc->hswok_in, algs.hashsz);
- }))
-
- /* --- Create a new symmetric keyset --- */
-
- buf_init(&bb, buf_o, sizeof(buf_o));
- G_TOBUF(gg, &bb, kx->c); x = BLEN(&bb);
- G_TOBUF(gg, &bb, kxc->c); y = BLEN(&bb);
- G_TOBUF(gg, &bb, r); z = BLEN(&bb);
- assert(BOK(&bb));
-
- kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p);
- }
-
- G_DESTROY(gg, c);
- G_DESTROY(gg, cc);
- G_DESTROY(gg, r);
- mp_drop(cv);
- return (kxc);
-
-badcheck:
- a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
- goto bad;
-bad:
- G_DESTROY(gg, c);
- G_DESTROY(gg, cc);
- G_DESTROY(gg, r);
- mp_drop(cv);
- return (0);
-}
-
-/* --- @dochallenge@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange block
- * @unsigned msg@ = message code for the packet
- * @buf *b@ = buffer containing the packet
- *
- * Returns: Zero if OK, nonzero if the packet was rejected.
- *
- * Use: Processes a packet containing a challenge.
- */
-
-static int dochallenge(keyexch *kx, buf *b)
-{
- kxchal *kxc;
-
- if (kx->s != KXS_CHAL) {
- a_warn("KX", "?PEER", kx->p, "unexpected", "challenge", A_END);
- goto bad;
- }
- if ((kxc = respond(kx, KX_CHAL, b)) == 0)
- goto bad;
- if (BLEFT(b)) {
- a_warn("KX", "?PEER", kx->p, "invalid", "challenge", A_END);
- goto bad;
- }
- kxc_answer(kx, kxc);
- return (0);
-
-bad:
- return (-1);
-}
-
-/* --- @resend@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- *
- * Returns: ---
- *
- * Use: Sends the next message for a key exchange.
- */
-
-static void resend(keyexch *kx)
-{
- kxchal *kxc;
- buf bb;
- stats *st = p_stats(kx->p);
- buf *b;
-
- switch (kx->s) {
- case KXS_CHAL:
- T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'",
- p_name(kx->p)); )
- b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL);
- G_TOBUF(gg, b, kx->c);
- break;
- case KXS_COMMIT:
- T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'",
- p_name(kx->p)); )
- kxc = kx->r[0];
- b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH);
- buf_put(b, kx->hc, algs.hashsz);
- buf_put(b, kxc->hc, algs.hashsz);
- buf_init(&bb, buf_i, sizeof(buf_i));
- G_TORAW(gg, &bb, kxc->r);
- buf_put(&bb, kxc->hswrq_out, algs.hashsz);
- buf_flip(&bb);
- ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCH, &bb, b);
- break;
- case KXS_SWITCH:
- T( trace(T_KEYEXCH, "keyexch: sending switch confirmation to `%s'",
- p_name(kx->p)); )
- kxc = kx->r[0];
- b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK);
- buf_init(&bb, buf_i, sizeof(buf_i));
- buf_put(&bb, kxc->hswok_out, algs.hashsz);
- buf_flip(&bb);
- ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, &bb, b);
- break;
- default:
- abort();
- }
-
- if (BOK(b)) {
- st->n_kxout++;
- st->sz_kxout += BLEN(b);
- p_txend(kx->p);
- }
-
- if (kx->s < KXS_SWITCH)
- settimer(kx, time(0) + T_RETRY);
-}
-
-/* --- @decryptrest@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- * @kxchal *kxc@ = pointer to challenge block
- * @unsigned msg@ = type of incoming message
- * @buf *b@ = encrypted remainder of the packet
- *
- * Returns: Zero if OK, nonzero on some kind of error.
- *
- * Use: Decrypts the remainder of the packet, and points @b@ at the
- * recovered plaintext.
- */
-
-static int decryptrest(keyexch *kx, kxchal *kxc, unsigned msg, buf *b)
-{
- buf bb;
-
- buf_init(&bb, buf_o, sizeof(buf_o));
- if (ks_decrypt(kxc->ks, MSG_KEYEXCH | msg, b, &bb)) {
- a_warn("KX", "?PEER", kx->p, "decrypt-failed", "%s", pkname[msg], A_END);
- return (-1);
- }
- buf_init(b, BBASE(&bb), BLEN(&bb));
- return (0);
-}
-
-/* --- @checkresponse@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- * @unsigned msg@ = type of incoming message
- * @buf *b@ = decrypted remainder of the packet
- *
- * Returns: Zero if OK, nonzero on some kind of error.
- *
- * Use: Checks a reply or switch packet, ensuring that its response
- * is correct.
- */
-
-static int checkresponse(keyexch *kx, unsigned msg, buf *b)
-{
- ge *r = G_CREATE(gg);
-
- if (G_FROMRAW(gg, b, r)) {
- a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
- goto bad;
- }
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace(T_CRYPTO, "crypto: reply = %s", gestr(gg, r));
- }))
- if (!G_EQ(gg, r, kx->rx)) {
- a_warn("KX", "?PEER", kx->p, "incorrect", "response", A_END);
- goto bad;
- }
-
- G_DESTROY(gg, r);
- return (0);
-
-bad:
- G_DESTROY(gg, r);
- return (-1);
-}
-
-/* --- @commit@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- * @kxchal *kxc@ = pointer to challenge to commit to
- *
- * Returns: ---
- *
- * Use: Commits to a particular challenge as being the `right' one,
- * since a reply has arrived for it.
- */
-
-static void commit(keyexch *kx, kxchal *kxc)
-{
- unsigned i;
-
- for (i = 0; i < kx->nr; i++) {
- if (kx->r[i] != kxc)
- kxc_destroy(kx->r[i]);
- }
- kx->r[0] = kxc;
- kx->nr = 1;
- kxc_stoptimer(kxc);
- ksl_link(kx->ks, kxc->ks);
-}
-
-/* --- @doreply@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- * @buf *b@ = buffer containing packet
- *
- * Returns: Zero if OK, nonzero if the packet was rejected.
- *
- * Use: Handles a reply packet. This doesn't handle the various
- * switch packets: they're rather too different.
- */
-
-static int doreply(keyexch *kx, buf *b)
-{
- kxchal *kxc;
-
- if (kx->s != KXS_CHAL && kx->s != KXS_COMMIT) {
- a_warn("KX", "?PEER", kx->p, "unexpected", "reply", A_END);
- goto bad;
- }
- if ((kxc = respond(kx, KX_REPLY, b)) == 0 ||
- decryptrest(kx, kxc, KX_REPLY, b) ||
- checkresponse(kx, KX_REPLY, b))
- goto bad;
- if (BLEFT(b)) {
- a_warn("KX", "?PEER", kx->p, "invalid", "reply", A_END);
- goto bad;
- }
- if (kx->s == KXS_CHAL) {
- commit(kx, kxc);
- kx->s = KXS_COMMIT;
- }
- resend(kx);
- return (0);
-
-bad:
- return (-1);
-}
-
-/* --- @kxfinish@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange block
- *
- * Returns: ---
- *
- * Use: Sets everything up following a successful key exchange.
- */
-
-static void kxfinish(keyexch *kx)
-{
- kxchal *kxc = kx->r[0];
- ks_activate(kxc->ks);
- settimer(kx, ks_tregen(kxc->ks));
- kx->s = KXS_SWITCH;
- a_notify("KXDONE", "?PEER", kx->p, A_END);
- p_stats(kx->p)->t_kx = time(0);
-}
-
-/* --- @doswitch@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange block
- * @buf *b@ = pointer to buffer containing packet
- *
- * Returns: Zero if OK, nonzero if the packet was rejected.
- *
- * Use: Handles a reply with a switch request bolted onto it.
- */
-
-static int doswitch(keyexch *kx, buf *b)
-{
- const octet *hc_in, *hc_out, *hswrq;
- kxchal *kxc;
-
- if ((hc_in = buf_get(b, algs.hashsz)) == 0 ||
- (hc_out = buf_get(b, algs.hashsz)) == 0) {
- a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
- goto bad;
- }
- IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
- trace_block(T_CRYPTO, "crypto: challenge", hc_in, algs.hashsz);
- trace_block(T_CRYPTO, "crypto: cookie", hc_out, algs.hashsz);
- }))
- if ((kxc = kxc_byhc(kx, hc_in)) == 0 ||
- memcmp(hc_out, kx->hc, algs.hashsz) != 0) {
- a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
- goto bad;
- }
- if (decryptrest(kx, kxc, KX_SWITCH, b) ||
- checkresponse(kx, KX_SWITCH, b))
- goto bad;
- if ((hswrq = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
- a_warn("KX", "?PEER", "invalid", "switch-rq", A_END);
- goto bad;
- }
- IF_TRACING(T_KEYEXCH, {
- trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, algs.hashsz);
- })
- if (memcmp(hswrq, kxc->hswrq_in, algs.hashsz) != 0) {
- a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
- goto bad;
- }
- if (kx->s == KXS_CHAL)
- commit(kx, kxc);
- if (kx->s < KXS_SWITCH)
- kxfinish(kx);
- resend(kx);
- return (0);
-
-bad:
- return (-1);
-}
-
-/* --- @doswitchok@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange block
- * @buf *b@ = pointer to buffer containing packet
- *
- * Returns: Zero if OK, nonzero if the packet was rejected.
- *
- * Use: Handles a reply with a switch request bolted onto it.
- */
-
-static int doswitchok(keyexch *kx, buf *b)
-{
- const octet *hswok;
- kxchal *kxc;
- buf bb;
-
- if (kx->s < KXS_COMMIT) {
- a_warn("KX", "?PEER", kx->p, "unexpected", "switch-ok", A_END);
- goto bad;
- }
- kxc = kx->r[0];
- buf_init(&bb, buf_o, sizeof(buf_o));
- if (decryptrest(kx, kxc, KX_SWITCHOK, b))
- goto bad;
- if ((hswok = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
- a_warn("KX", "?PEER", "invalid", "switch-ok", A_END);
- goto bad;
- }
- IF_TRACING(T_KEYEXCH, {
- trace_block(T_CRYPTO, "crypto: switch confirmation hash",
- hswok, algs.hashsz);
- })
- if (memcmp(hswok, kxc->hswok_in, algs.hashsz) != 0) {
- a_warn("KX", "?PEER", kx->p, "incorrect", "switch-ok", A_END);
- goto bad;
- }
- if (kx->s < KXS_SWITCH)
- kxfinish(kx);
- return (0);
-
-bad:
- return (-1);
-}
-
-/*----- Main code ---------------------------------------------------------*/
-
-/* --- @stop@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- *
- * Returns: ---
- *
- * Use: Stops a key exchange dead in its tracks. Throws away all of
- * the context information. The context is left in an
- * inconsistent state. The only functions which understand this
- * state are @kx_free@ and @kx_init@ (which cause it internally
- * it), and @start@ (which expects it to be the prevailing
- * state).
- */
-
-static void stop(keyexch *kx)
-{
- unsigned i;
-
- if (kx->f & KXF_DEAD)
- return;
-
- if (kx->f & KXF_TIMER)
- sel_rmtimer(&kx->t);
- for (i = 0; i < kx->nr; i++)
- kxc_destroy(kx->r[i]);
- mp_drop(kx->alpha);
- G_DESTROY(gg, kx->c);
- G_DESTROY(gg, kx->rx);
- kx->t_valid = 0;
- kx->f |= KXF_DEAD;
- kx->f &= ~KXF_TIMER;
-}
-
-/* --- @start@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- * @time_t now@ = the current time
- *
- * Returns: ---
- *
- * Use: Starts a new key exchange with the peer. The context must be
- * in the bizarre state left by @stop@ or @kx_init@.
- */
-
-static void start(keyexch *kx, time_t now)
-{
- ghash *h;
-
- assert(kx->f & KXF_DEAD);
-
- kx->f &= ~KXF_DEAD;
- kx->nr = 0;
- kx->alpha = mprand_range(MP_NEW, gg->r, &rand_global, 0);
- kx->c = G_CREATE(gg); G_EXP(gg, kx->c, gg->g, kx->alpha);
- kx->rx = G_CREATE(gg); G_EXP(gg, kx->rx, kx->kpub, kx->alpha);
- kx->s = KXS_CHAL;
- kx->t_valid = now + T_VALID;
-
- h = GH_INIT(algs.h);
- HASH_STRING(h, "tripe-cookie");
- hashge(h, kx->c);
- GH_DONE(h, kx->hc);
- GH_DESTROY(h);
-
- IF_TRACING(T_KEYEXCH, {
- trace(T_KEYEXCH, "keyexch: creating new challenge");
- IF_TRACING(T_CRYPTO, {
- trace(T_CRYPTO, "crypto: secret = %s", mpstr(kx->alpha));
- trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, kx->c));
- trace(T_CRYPTO, "crypto: expected response = %s", gestr(gg, kx->rx));
- trace_block(T_CRYPTO, "crypto: challenge cookie", kx->hc, algs.hashsz);
- })
- })
-}
-
-/* --- @checkpub@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- *
- * Returns: Zero if OK, nonzero if the peer's public key has expired.
- *
- * Use: Deactivates the key-exchange until the peer acquires a new
- * public key.
- */
-
-static int checkpub(keyexch *kx)
-{
- time_t now;
- if (kx->f & KXF_DEAD)
- return (-1);
- now = time(0);
- if (KEY_EXPIRED(now, kx->texp_kpub)) {
- stop(kx);
- a_warn("KX", "?PEER", kx->p, "public-key-expired", A_END);
- G_COPY(gg, kx->kpub, gg->i);
- kx->f &= ~KXF_PUBKEY;
- return (-1);
- }
- return (0);
-}
-
-/* --- @kx_start@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- * @int forcep@ = nonzero to ignore the quiet timer
- *
- * Returns: ---
- *
- * Use: Stimulates a key exchange. If a key exchage is in progress,
- * a new challenge is sent (unless the quiet timer forbids
- * this); if no exchange is in progress, one is commenced.
- */
-
-void kx_start(keyexch *kx, int forcep)
-{
- time_t now = time(0);
-
- if (checkpub(kx))
- return;
- if (forcep || !VALIDP(kx, now)) {
- stop(kx);
- start(kx, now);
- a_notify("KXSTART", "?PEER", kx->p, A_END);
- }
- resend(kx);
-}
-
-/* --- @kx_message@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- * @unsigned msg@ = the message code
- * @buf *b@ = pointer to buffer containing the packet
- *
- * Returns: ---
- *
- * Use: Reads a packet containing key exchange messages and handles
- * it.
- */
-
-void kx_message(keyexch *kx, unsigned msg, buf *b)
-{
- time_t now = time(0);
- stats *st = p_stats(kx->p);
- size_t sz = BSZ(b);
- int rc;
-
- if (checkpub(kx))
- return;
-
- if (!VALIDP(kx, now)) {
- stop(kx);
- start(kx, now);
- }
-
- T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'",
- msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); )
-
- switch (msg) {
- case KX_PRECHAL:
- rc = doprechallenge(kx, b);
- break;
- case KX_CHAL:
- rc = dochallenge(kx, b);
- break;
- case KX_REPLY:
- rc = doreply(kx, b);
- break;
- case KX_SWITCH:
- rc = doswitch(kx, b);
- break;
- case KX_SWITCHOK:
- rc = doswitchok(kx, b);
- break;
- default:
- a_warn("KX", "?PEER", kx->p, "unknown-message", "0x%02x", msg, A_END);
- rc = -1;
- break;
- }
-
- if (rc)
- st->n_reject++;
- else {
- st->n_kxin++;
- st->sz_kxin += sz;
- }
-}
-
-/* --- @kx_free@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- *
- * Returns: ---
- *
- * Use: Frees everything in a key exchange context.
- */
-
-void kx_free(keyexch *kx)
-{
- stop(kx);
- G_DESTROY(gg, kx->kpub);
-}
-
-/* --- @kx_newkeys@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- *
- * Returns: ---
- *
- * Use: Informs the key exchange module that its keys may have
- * changed. If fetching the new keys fails, the peer will be
- * destroyed, we log messages and struggle along with the old
- * keys.
- */
-
-void kx_newkeys(keyexch *kx)
-{
- if (km_getpubkey(p_name(kx->p), kx->kpub, &kx->texp_kpub))
- return;
- kx->f |= KXF_PUBKEY;
- if ((kx->f & KXF_DEAD) || kx->s != KXS_SWITCH) {
- T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'",
- p_name(kx->p)); )
- stop(kx);
- start(kx, time(0));
- resend(kx);
- }
-}
-
-/* --- @kx_init@ --- *
- *
- * Arguments: @keyexch *kx@ = pointer to key exchange context
- * @peer *p@ = pointer to peer context
- * @keyset **ks@ = pointer to keyset list
- *
- * Returns: Zero if OK, nonzero if it failed.
- *
- * Use: Initializes a key exchange module. The module currently
- * contains no keys, and will attempt to initiate a key
- * exchange.
- */
-
-int kx_init(keyexch *kx, peer *p, keyset **ks)
-{
- kx->ks = ks;
- kx->p = p;
- kx->kpub = G_CREATE(gg);
- if (km_getpubkey(p_name(p), kx->kpub, &kx->texp_kpub)) {
- G_DESTROY(gg, kx->kpub);
- return (-1);
- }
- kx->f = KXF_DEAD | KXF_PUBKEY;
- start(kx, time(0));
- resend(kx);
- /* Don't notify here: the ADD message hasn't gone out yet. */
- return (0);
-}
-
-/*----- That's all, folks -------------------------------------------------*/
~mdw / tripe / blobdiff