Moved all CryptoAuth related headers into wire/CryptoHeader

admin/angel/Core.c

@@ -72,6 +72,7 @@
 #include "util/version/Version.h"
 #include "interface/SessionManager_admin.h"
 #include "wire/SwitchHeader.h"
+#include "wire/CryptoHeader.h"
 
 #include <crypto_scalarmult_curve25519.h>
 
@@ -104,9 +105,9 @@
     + 4 /* Nonce */ \
     + 16 /* Poly1305 authenticator */ \
     + SwitchHeader_SIZE \
-    + Headers_CryptoAuth_SIZE \
+    + CryptoHeader_SIZE \
     + Headers_IP6Header_SIZE \
-    + Headers_CryptoAuth_SIZE \
+    + CryptoHeader_SIZE \
 )
 
 /** The default MTU, assuming the external MTU is 1492 (common for PPPoE DSL) */
@@ -114,7 +115,7 @@
     1492 \
   - WORST_CASE_OVERHEAD \
   + Headers_IP6Header_SIZE /* The OS subtracts the IP6 header. */ \
-  + Headers_CryptoAuth_SIZE /* Linux won't let set the MTU below 1280.
+  + CryptoHeader_SIZE /* Linux won't let set the MTU below 1280.
   TODO(cjd): make sure we never hand off to a node for which the CA session is expired. */ \
 )
 

crypto/CryptoAuth.c

@@ -125,8 +125,8 @@ static inline void hashPassword_sha256(struct CryptoAuth_Auth* auth, const Strin
     uint8_t tempBuff[32];
     crypto_hash_sha256(auth->secret, (uint8_t*) password->bytes, password->len);
     crypto_hash_sha256(tempBuff, auth->secret, 32);
-    Bits_memcpyConst(auth->challenge.bytes, tempBuff, Headers_AuthChallenge_SIZE);
-    Headers_setAuthChallengeDerivations(&auth->challenge, 0);
+    Bits_memcpyConst(auth->challenge.bytes, tempBuff, CryptoHeader_Challenge_SIZE);
+    CryptoHeader_setAuthChallengeDerivations(&auth->challenge, 0);
     auth->challenge.challenge.type = 1;
 }
 
@@ -151,14 +151,14 @@ static inline uint8_t* hashPassword(struct CryptoAuth_Auth* auth,
  * @param context the CryptoAuth engine to search in.
  * @return an Auth struct with a if one is found, otherwise NULL.
  */
-static inline struct CryptoAuth_Auth* getAuth(union Headers_AuthChallenge auth,
+static inline struct CryptoAuth_Auth* getAuth(union CryptoHeader_Challenge auth,
                                               struct CryptoAuth_pvt* context)
 {
     if (auth.challenge.type != 1) {
         return NULL;
     }
     for (uint32_t i = 0; i < context->passwordCount; i++) {
-        if (Bits_memcmp(auth.bytes, &context->passwords[i], Headers_AuthChallenge_KEYSIZE) == 0) {
+        if (Bits_memcmp(auth.bytes, &context->passwords[i], CryptoHeader_Challenge_KEYSIZE) == 0) {
             return &context->passwords[i];
         }
     }
@@ -185,14 +185,14 @@ static inline void getPasswordHash_typeOne(uint8_t output[32],
     }
 }
 
-static inline uint8_t* tryAuth(union Headers_CryptoAuth* cauth,
+static inline uint8_t* tryAuth(union CryptoHeader* cauth,
                                uint8_t hashOutput[32],
                                struct CryptoAuth_Wrapper* wrapper,
                                struct CryptoAuth_Auth** retAuth)
 {
     struct CryptoAuth_Auth* auth = getAuth(cauth->handshake.auth, wrapper->context);
     if (auth != NULL) {
-        uint16_t deriv = Headers_getAuthChallengeDerivations(&cauth->handshake.auth);
+        uint16_t deriv = CryptoHeader_getAuthChallengeDerivations(&cauth->handshake.auth);
         getPasswordHash_typeOne(hashOutput, deriv, auth);
         if (deriv == 0) {
             *retAuth = auth;
@@ -305,7 +305,7 @@ static inline void encrypt(uint32_t nonce,
 
 static inline void setRequiredPadding(struct CryptoAuth_Wrapper* wrapper)
 {
-    uint32_t padding = (wrapper->nextNonce < 4) ? 36 : sizeof(union Headers_CryptoAuth) + 32;
+    uint32_t padding = (wrapper->nextNonce < 4) ? 36 : sizeof(union CryptoHeader) + 32;
     wrapper->externalInterface.requiredPadding =
         wrapper->wrappedInterface->requiredPadding + padding;
     wrapper->externalInterface.maxMessageLength =
@@ -357,10 +357,10 @@ static void reset(struct CryptoAuth_Wrapper* wrapper)
  */
 static uint8_t genReverseHandshake(struct Message* message,
                                    struct CryptoAuth_Wrapper* wrapper,
-                                   union Headers_CryptoAuth* header)
+                                   union CryptoHeader* header)
 {
     reset(wrapper);
-    Message_shift(message, -Headers_CryptoAuth_SIZE, NULL);
+    Message_shift(message, -CryptoHeader_SIZE, NULL);
 
     // Buffer the packet so it can be sent ASAP
     if (wrapper->bufferedMessage != NULL) {
@@ -375,17 +375,17 @@ static uint8_t genReverseHandshake(struct Message* message,
     wrapper->bufferedMessage = Message_clone(message, bmalloc);
     Assert_ifParanoid(wrapper->nextNonce == 0);
 
-    Message_shift(message, Headers_CryptoAuth_SIZE, NULL);
-    header = (union Headers_CryptoAuth*) message->bytes;
+    Message_shift(message, CryptoHeader_SIZE, NULL);
+    header = (union CryptoHeader*) message->bytes;
     header->nonce = UINT32_MAX;
-    message->length = Headers_CryptoAuth_SIZE;
+    message->length = CryptoHeader_SIZE;
 
     // sessionState must be 0, auth and 24 byte nonce are garbaged and public key is set
     // now garbage the authenticator and the encrypted key which are not used.
     Random_bytes(wrapper->context->rand, (uint8_t*) &header->handshake.authenticator, 48);
 
     // This is a special packet which the user should never see.
-    Headers_setSetupPacket(&header->handshake.auth, 1);
+    CryptoHeader_setSetupPacket(&header->handshake.auth, 1);
 
     return wrapper->wrappedInterface->sendMessage(message, wrapper->wrappedInterface);
 }
@@ -396,13 +396,13 @@ static uint8_t encryptHandshake(struct Message* message,
                                 struct CryptoAuth_Wrapper* wrapper,
                                 int setupMessage)
 {
-    Message_shift(message, sizeof(union Headers_CryptoAuth), NULL);
+    Message_shift(message, sizeof(union CryptoHeader), NULL);
 
-    union Headers_CryptoAuth* header = (union Headers_CryptoAuth*) message->bytes;
+    union CryptoHeader* header = (union CryptoHeader*) message->bytes;
 
     // garbage the auth challenge and set the nonce which follows it
     Random_bytes(wrapper->context->rand, (uint8_t*) &header->handshake.auth,
-                 sizeof(union Headers_AuthChallenge) + 24);
+                 sizeof(union CryptoHeader_Challenge) + 24);
 
     // set the permanent key
     Bits_memcpyConst(&header->handshake.publicKey, wrapper->context->pub.publicKey, 32);
@@ -456,15 +456,15 @@ static uint8_t encryptHandshake(struct Message* message,
         passwordHash = hashPassword(&auth, wrapper->password, wrapper->authType);
         Bits_memcpyConst(header->handshake.auth.bytes,
                          &auth.challenge,
-                         sizeof(union Headers_AuthChallenge));
+                         sizeof(union CryptoHeader_Challenge));
     }
     header->handshake.auth.challenge.type = wrapper->authType;
 
     // Packet authentication option is deprecated, it must always be enabled.
-    Headers_setPacketAuthRequired(&header->handshake.auth, 1);
+    CryptoHeader_setPacketAuthRequired(&header->handshake.auth, 1);
 
     // This is a special packet which the user should never see.
-    Headers_setSetupPacket(&header->handshake.auth, setupMessage);
+    CryptoHeader_setSetupPacket(&header->handshake.auth, setupMessage);
 
     // Set the session state
     uint32_t sessionState_be = Endian_hostToBigEndian32(wrapper->nextNonce);
@@ -539,7 +539,7 @@ static uint8_t encryptHandshake(struct Message* message,
     }
 
     // Shift message over the encryptedTempKey field.
-    Message_shift(message, 32 - Headers_CryptoAuth_SIZE, NULL);
+    Message_shift(message, 32 - CryptoHeader_SIZE, NULL);
 
     encryptRndNonce(header->handshake.nonce, message, sharedSecret);
 
@@ -559,7 +559,7 @@ static uint8_t encryptHandshake(struct Message* message,
     #endif
 
     // Shift it back -- encryptRndNonce adds 16 bytes of authenticator.
-    Message_shift(message, Headers_CryptoAuth_SIZE - 32 - 16, NULL);
+    Message_shift(message, CryptoHeader_SIZE - 32 - 16, NULL);
 
     return wrapper->wrappedInterface->sendMessage(message, wrapper->wrappedInterface);
 }
@@ -576,7 +576,7 @@ static inline uint8_t encryptMessage(struct Message* message,
 
     Message_shift(message, 4, NULL);
 
-    union Headers_CryptoAuth* header = (union Headers_CryptoAuth*) message->bytes;
+    union CryptoHeader* header = (union CryptoHeader*) message->bytes;
     header->nonce = Endian_hostToBigEndian32(wrapper->nextNonce);
     wrapper->nextNonce++;
 
@@ -665,9 +665,9 @@ static inline bool decryptMessage(struct CryptoAuth_Wrapper* wrapper,
 static uint8_t decryptHandshake(struct CryptoAuth_Wrapper* wrapper,
                                 const uint32_t nonce,
                                 struct Message* message,
-                                union Headers_CryptoAuth* header)
+                                union CryptoHeader* header)
 {
-    if (message->length < Headers_CryptoAuth_SIZE) {
+    if (message->length < CryptoHeader_SIZE) {
         cryptoAuthDebug0(wrapper, "DROP runt");
         return Error_UNDERSIZE_MESSAGE;
     }
@@ -701,7 +701,7 @@ static uint8_t decryptHandshake(struct CryptoAuth_Wrapper* wrapper,
         if (!knowHerKey(wrapper)) {
             Bits_memcpyConst(wrapper->herPerminentPubKey, header->handshake.publicKey, 32);
         }
-        Message_shift(message, -Headers_CryptoAuth_SIZE, NULL);
+        Message_shift(message, -CryptoHeader_SIZE, NULL);
         message->length = 0;
         reset(wrapper);
         wrapper->user = NULL;
@@ -791,7 +791,7 @@ static uint8_t decryptHandshake(struct CryptoAuth_Wrapper* wrapper,
     }
 
     // Shift it on top of the authenticator before the encrypted public key
-    Message_shift(message, 48 - Headers_CryptoAuth_SIZE, NULL);
+    Message_shift(message, 48 - CryptoHeader_SIZE, NULL);
 
     #ifdef Log_KEYS
         uint8_t sharedSecretHex[65];
@@ -811,7 +811,7 @@ static uint8_t decryptHandshake(struct CryptoAuth_Wrapper* wrapper,
     // Decrypt her temp public key and the message.
     if (decryptRndNonce(header->handshake.nonce, message, sharedSecret) != 0) {
         // just in case
-        Bits_memset(header, 0, Headers_CryptoAuth_SIZE);
+        Bits_memset(header, 0, CryptoHeader_SIZE);
         cryptoAuthDebug(wrapper, "DROP message with nonce [%d], decryption failed", nonce);
         return Error_AUTHENTICATION;
     }
@@ -947,7 +947,7 @@ static uint8_t decryptHandshake(struct CryptoAuth_Wrapper* wrapper,
         Allocator_free(bm->alloc);
     }
 
-    if (message->length == 0 && Headers_isSetupPacket(&header->handshake.auth)) {
+    if (message->length == 0 && CryptoHeader_isSetupPacket(&header->handshake.auth)) {
         return Error_NONE;
     }
 
@@ -962,7 +962,7 @@ static uint8_t receiveMessage(struct Message* received, struct Interface* interf
     struct CryptoAuth_Wrapper* wrapper =
         Identity_check((struct CryptoAuth_Wrapper*) interface->receiverContext);
 
-    union Headers_CryptoAuth* header = (union Headers_CryptoAuth*) received->bytes;
+    union CryptoHeader* header = (union CryptoHeader*) received->bytes;
 
     if (received->length < 20) {
         cryptoAuthDebug0(wrapper, "DROP runt");

crypto/CryptoAuth_pvt.h

@@ -21,14 +21,14 @@
 #include "util/log/Log.h"
 #include "memory/Allocator.h"
 #include "util/events/EventBase.h"
-#include "wire/Headers.h"
+#include "wire/CryptoHeader.h"
 #include "wire/Message.h"
 #include "util/Identity.h"
 
 #include <stdint.h>
 
 struct CryptoAuth_Auth {
-    union Headers_AuthChallenge challenge;
+    union CryptoHeader_Challenge challenge;
 
     uint8_t secret[32];
 

crypto/test/CryptoAuth_unit_test.c

@@ -145,11 +145,11 @@ static void testHello(uint8_t* password, uint8_t* expectedOutput)
     struct CryptoAuth_Wrapper* wrapper =
         setUp(NULL, (uint8_t*) "wxyzabcdefghijklmnopqrstuv987654", password, &outMessage);
 
-    uint8_t msgBuff[Headers_CryptoAuth_SIZE + 12];
+    uint8_t msgBuff[CryptoHeader_SIZE + 12];
     struct Message msg = {
         .length = 12,
-        .padding = Headers_CryptoAuth_SIZE,
-        .bytes = msgBuff + Headers_CryptoAuth_SIZE
+        .padding = CryptoHeader_SIZE,
+        .bytes = msgBuff + CryptoHeader_SIZE
     };
     Bits_memcpyConst(msg.bytes, hello, 12);
     CryptoAuth_encryptHandshake(&msg, wrapper, 0);
@@ -240,11 +240,11 @@ static void repeatHello()
     Bits_memcpyConst(wrapper.herPerminentPubKey, publicKey, 32);
 
     uint8_t* hello = (uint8_t*) "Hello World";
-    uint8_t msgBuff[Headers_CryptoAuth_SIZE + 12];
+    uint8_t msgBuff[CryptoHeader_SIZE + 12];
     struct Message msg = {
         .length = 12,
-        .padding = Headers_CryptoAuth_SIZE,
-        .bytes = msgBuff + Headers_CryptoAuth_SIZE
+        .padding = CryptoHeader_SIZE,
+        .bytes = msgBuff + CryptoHeader_SIZE
     };
     struct Message msg2;
     Bits_memcpyConst(&msg2, &msg, sizeof(struct Message));

net/Ducttape.c

@@ -41,6 +41,7 @@
 #include "wire/Control.h"
 #include "wire/Error.h"
 #include "wire/Headers.h"
+#include "wire/CryptoHeader.h"
 #include "wire/Ethernet.h"
 
 #include <stdint.h>
@@ -94,7 +95,7 @@ static inline uint8_t sendToRouter(struct Message* message,
         //Log_debug(context->logger, "Sending receive handle under CryptoAuth");
         Message_push(message, &session->receiveHandle_be, 4, NULL);
 
-        safeDistance += Headers_CryptoAuth_SIZE;
+        safeDistance += CryptoHeader_SIZE;
     } else {
         // 16 for the authenticator, 4 for the nonce and 4 for the handle
         safeDistance += 24;
@@ -537,9 +538,9 @@ static inline uint8_t incomingFromTun(struct Message* message,
     CryptoAuth_resetIfTimeout(session->internal);
     if (CryptoAuth_getState(session->internal) < CryptoAuth_HANDSHAKE3) {
         // shift, copy, shift because shifting asserts that there is enough buffer space.
-        Message_shift(message, Headers_CryptoAuth_SIZE + 4, NULL);
+        Message_shift(message, CryptoHeader_SIZE + 4, NULL);
         Bits_memcpyConst(message->bytes, header, Headers_IP6Header_SIZE);
-        Message_shift(message, -(Headers_IP6Header_SIZE + Headers_CryptoAuth_SIZE + 4), NULL);
+        Message_shift(message, -(Headers_IP6Header_SIZE + CryptoHeader_SIZE + 4), NULL);
         // now push the receive handle *under* the CA header.
         Message_push(message, &session->receiveHandle_be, 4, NULL);
         debugHandles0(context->logger, session, "layer3 sending start message");
@@ -1149,8 +1150,8 @@ static uint8_t incomingFromSwitch(struct Message* message, struct Interface* swi
         } else {
             Log_debug(context->logger, "Got message with unrecognized handle");
         }
-    } else if (message->length >= Headers_CryptoAuth_SIZE) {
-        union Headers_CryptoAuth* caHeader = (union Headers_CryptoAuth*) message->bytes;
+    } else if (message->length >= CryptoHeader_SIZE) {
+        union CryptoHeader* caHeader = (union CryptoHeader*) message->bytes;
         uint8_t ip6[16];
         uint8_t* herKey = caHeader->handshake.publicKey;
         AddressCalc_addressForPublicKey(ip6, herKey);

wire/CryptoHeader.h

@@ -0,0 +1,237 @@
+/* vim: set expandtab ts=4 sw=4: */
+/*
+ * You may redistribute this program and/or modify it under the terms of
+ * the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+#ifndef CryptoHeader_H
+#define CryptoHeader_H
+
+#include "util/Assert.h"
+#include "util/Endian.h"
+
+#include <stdint.h>
+
+/**
+ * Header for nodes authenticating to one another.
+ *
+ *                       1               2               3
+ *       0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *    0 |   Auth Type   |                                               |
+ *      +-+-+-+-+-+-+-+-+           Hash Code                           +
+ *    4 |                                                               |
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *    8 |A|        Derivations          |S|         Additional          |
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+ * If the 'A' bit is set, the packets in the connection are to be authenticated with Poly1305.
+ * The Auth Type and Hash Code combined make a lookup key which can be used to scan a hashtable
+ * to see if the given password is known. It can be thought of as the "username" although it is
+ * a derivative of the password.
+ * The number of derivations represents how many times the hash of the password has been hashed
+ * again. Assuming Alice and Bob have a secure shared secret and Bob and Charlie have a secure
+ * shared secret, Bob can provide Charlie with a hash of his password with Alice which will allow
+ * Charlie to then establish a secure connection with Alice, without relying exclusively on
+ * asymmetrical cryptography.
+ *
+ * If the packet has 0 length and the 'S' bit is set then the packet is only intended for helping
+ * to setup the Cryptoauth session and should be dropped rather than being passed to the user.
+ */
+union CryptoHeader_Challenge
+{
+    struct {
+        uint8_t type;
+        uint8_t lookup[7];
+
+        /**
+         * High 1 bit is whether to require poly1305 packet authentication.
+         * low 15 bits is number of derivations.
+         */
+        uint16_t requirePacketAuthAndDerivationCount;
+
+        uint16_t additional;
+    } challenge;
+    uint8_t bytes[12];
+    uint32_t ints[3];
+};
+/** Total size of the auth structure. */
+#define CryptoHeader_Challenge_SIZE 12
+Assert_compileTime(sizeof(union CryptoHeader_Challenge) == CryptoHeader_Challenge_SIZE);
+
+/** The number of bytes from the beginning which identify the auth for looking up the secret. */
+#define CryptoHeader_Challenge_KEYSIZE 8
+
+static inline int CryptoHeader_isSetupPacket(union CryptoHeader_Challenge* ac)
+{
+    return ac->challenge.additional & Endian_hostToBigEndian16(1<<15);
+}
+
+static inline void CryptoHeader_setPacketAuthRequired(union CryptoHeader_Challenge* ac,
+                                                 int require)
+{
+    if (require) {
+        ac->challenge.requirePacketAuthAndDerivationCount |=
+            Endian_hostToBigEndian16(1<<15);
+    } else {
+        ac->challenge.requirePacketAuthAndDerivationCount &=
+            Endian_hostToBigEndian16(~(1<<15));
+    }
+}
+
+static inline void CryptoHeader_setSetupPacket(union CryptoHeader_Challenge* ac, int empty)
+{
+    if (empty) {
+        ac->challenge.additional |= Endian_hostToBigEndian16(1<<15);
+    } else {
+        ac->challenge.additional &= Endian_hostToBigEndian16(~(1<<15));
+    }
+}
+
+static inline uint16_t CryptoHeader_getAuthChallengeDerivations(union CryptoHeader_Challenge* ac)
+{
+    return Endian_bigEndianToHost16(ac->challenge.requirePacketAuthAndDerivationCount)
+        & (((uint16_t)~0)>>1);
+}
+
+static inline void CryptoHeader_setAuthChallengeDerivations(union CryptoHeader_Challenge* ac,
+                                                            uint16_t derivations)
+{
+    ac->challenge.requirePacketAuthAndDerivationCount &=
+        Endian_hostToBigEndian16(1<<15);
+    ac->challenge.requirePacketAuthAndDerivationCount |=
+        Endian_hostToBigEndian16(derivations & ~(1<<15));
+}
+
+/**
+ * This is a handshake header packet, there are 2 required to begin an encrypted connection.
+ *
+ *                       1               2               3
+ *       0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *    0 |                         Session State                         |
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *    4 |                                                               |
+ *      +                                                               +
+ *    8 |                         Auth Challenge                        |
+ *      +                                                               +
+ *   12 |                                                               |
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   16 |                                                               |
+ *      +                                                               +
+ *   20 |                                                               |
+ *      +                                                               +
+ *   24 |                                                               |
+ *      +                         Random Nonce                          +
+ *   28 |                                                               |
+ *      +                                                               +
+ *   32 |                                                               |
+ *      +                                                               +
+ *   36 |                                                               |
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   40 |                                                               |
+ *      +                                                               +
+ *   44 |                                                               |
+ *      +                                                               +
+ *   48 |                                                               |
+ *      +                                                               +
+ *   52 |                                                               |
+ *      +                     Permanent Public Key                      +
+ *   56 |                                                               |
+ *      +                                                               +
+ *   60 |                                                               |
+ *      +                                                               +
+ *   64 |                                                               |
+ *      +                                                               +
+ *   68 |                                                               |
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   72 |                                                               |
+ *      +                                                               +
+ *   76 |                                                               |
+ *      +                     Poly1305 Authenticator                    +
+ *   80 |                                                               |
+ *      +                                                               +
+ *   84 |                                                               |
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   88 |                                                               |
+ *      +                                                               +
+ *   92 |                                                               |
+ *      +                                                               +
+ *   96 |                                                               |
+ *      +                                                               +
+ *  100 |                                                               |
+ *      +          Encrypted/Authenticated Temporary Public Key         +
+ *  104 |                                                               |
+ *      +                                                               +
+ *  108 |                                                               |
+ *      +                                                               +
+ *  112 |                                                               |
+ *      +                                                               +
+ *  116 |                                                               |
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *      |                                                               |
+ *      +        Variable Length Encrypted/Authenticated Content        +
+ *      |                                                               |
+ *
+ * If "Session State" is equal to the bitwise complement of zero, the sender is requesting
+ * that the recipient begin a connection with him, this is done in cases when the initiator
+ * of the connection does not know the key for the recipient. If the entire header is not
+ * present the recipient MUST drop the packet silently, the only field which is read in the
+ * packet is the "Permanent Public Key" field, all others SHOULD be ignored, specifically,
+ * content MUST not be passed on because it cannot be authenticated. The recipient of such a
+ * packet SHOULD send back a "hello" packet if there is no established connection.
+ * If there is already a connection over the interface, the recipient SHOULD NOT respond
+ * but MAY allow the connection to time out faster.
+ *
+ * If the "Session State" field is equal to the one or two, the packet is a "hello" packet.
+ * or a repeated hello packet. If no connection is present, one should be established and the
+ * recipient MAY send a "key" packet in response but it is RECOMMENDED that he wait until
+ * he has data to send first. A node who has sent a hello packet and gotten no response and
+ * now wishes to send more data MUST send that data as more (repeat) hello packets.
+ *
+ * If the "Session State" field is equal to two or three, the packet is a "key" packet.
+ * Key packets are responses to hello packets. Once a node receives a key packet it may begin
+ * sending data packets. A node who has received a hello packet, sent a key packet and gotten
+ * no further response who now wishes to send more data MUST send that data as more (repeat)
+ * key packets.
+ */
+union CryptoHeader
+{
+    uint32_t nonce;
+
+    struct {
+        /**
+         * Numbers one through three are interpreted as handshake packets, UINT32_MAX is
+         * a connectToMe packet and anything else is a nonce in a traffic packet.
+         */
+        uint32_t handshakeStage;
+
+        /** Used for authenticating routers to one another. */
+        union CryptoHeader_Challenge auth;
+
+        /** Random nonce for the handshake. */
+        uint8_t nonce[24];
+
+        /** This node's permanent public key. */
+        uint8_t publicKey[32];
+
+        /** This is filled in when the tempKey is encrypted. */
+        uint8_t authenticator[16];
+
+        /** The public key to use for this session, encrypted with the private key. */
+        uint8_t encryptedTempKey[32];
+    } handshake;
+};
+#define CryptoHeader_SIZE 120
+Assert_compileTime(sizeof(union CryptoHeader) == CryptoHeader_SIZE);
+
+
+#endif

wire/Headers.h

@@ -20,224 +20,6 @@
 
 #include <stdint.h>
 
-/**
- * Header for nodes authenticating to one another.
- *
- *                       1               2               3
- *       0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
- *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *    0 |   Auth Type   |                                               |
- *      +-+-+-+-+-+-+-+-+           Hash Code                           +
- *    4 |                                                               |
- *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *    8 |A|        Derivations          |S|         Additional          |
- *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *
- * If the 'A' bit is set, the packets in the connection are to be authenticated with Poly1305.
- * The Auth Type and Hash Code combined make a lookup key which can be used to scan a hashtable
- * to see if the given password is known. It can be thought of as the "username" although it is
- * a derivative of the password.
- * The number of derivations represents how many times the hash of the password has been hashed
- * again. Assuming Alice and Bob have a secure shared secret and Bob and Charlie have a secure
- * shared secret, Bob can provide Charlie with a hash of his password with Alice which will allow
- * Charlie to then establish a secure connection with Alice, without relying exclusively on
- * asymmetrical cryptography.
- *
- * If the packet has 0 length and the 'S' bit is set then the packet is only intended for helping
- * to setup the Cryptoauth session and should be dropped rather than being passed to the user.
- */
-union Headers_AuthChallenge
-{
-    struct {
-        uint8_t type;
-        uint8_t lookup[7];
-
-        /**
-         * High 1 bit is whether to require poly1305 packet authentication.
-         * low 15 bits is number of derivations.
-         */
-        uint16_t requirePacketAuthAndDerivationCount;
-
-        uint16_t additional;
-    } challenge;
-    uint8_t bytes[12];
-    uint32_t ints[3];
-};
-/** Total size of the auth structure. */
-#define Headers_AuthChallenge_SIZE 12
-Assert_compileTime(sizeof(union Headers_AuthChallenge) == Headers_AuthChallenge_SIZE);
-
-/** The number of bytes from the beginning which identify the auth for looking up the secret. */
-#define Headers_AuthChallenge_KEYSIZE 8
-
-static inline int Headers_isPacketAuthRequired(union Headers_AuthChallenge* ac)
-{
-    return ac->challenge.requirePacketAuthAndDerivationCount & Endian_hostToBigEndian16(1<<15);
-}
-
-static inline int Headers_isSetupPacket(union Headers_AuthChallenge* ac)
-{
-    return ac->challenge.additional & Endian_hostToBigEndian16(1<<15);
-}
-
-static inline void Headers_setPacketAuthRequired(union Headers_AuthChallenge* ac,
-                                                 int require)
-{
-    if (require) {
-        ac->challenge.requirePacketAuthAndDerivationCount |=
-            Endian_hostToBigEndian16(1<<15);
-    } else {
-        ac->challenge.requirePacketAuthAndDerivationCount &=
-            Endian_hostToBigEndian16(~(1<<15));
-    }
-}
-
-static inline void Headers_setSetupPacket(union Headers_AuthChallenge* ac, int empty)
-{
-    if (empty) {
-        ac->challenge.additional |= Endian_hostToBigEndian16(1<<15);
-    } else {
-        ac->challenge.additional &= Endian_hostToBigEndian16(~(1<<15));
-    }
-}
-
-static inline uint16_t Headers_getAuthChallengeDerivations(union Headers_AuthChallenge* ac)
-{
-    return Endian_hostToBigEndian16(ac->challenge.requirePacketAuthAndDerivationCount)
-        & (((uint16_t)~0)>>1);
-}
-
-static inline void Headers_setAuthChallengeDerivations(union Headers_AuthChallenge* ac,
-                                                       uint16_t derivations)
-{
-    ac->challenge.requirePacketAuthAndDerivationCount &=
-        Endian_hostToBigEndian16(1<<15);
-    ac->challenge.requirePacketAuthAndDerivationCount |=
-        Endian_hostToBigEndian16(derivations & ~(1<<15));
-}
-
-/**
- * This is a handshake header packet, there are 2 required to begin an encrypted connection.
- *
- *                       1               2               3
- *       0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
- *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *    0 |                         Session State                         |
- *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *    4 |                                                               |
- *      +                                                               +
- *    8 |                         Auth Challenge                        |
- *      +                                                               +
- *   12 |                                                               |
- *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *   16 |                                                               |
- *      +                                                               +
- *   20 |                                                               |
- *      +                                                               +
- *   24 |                                                               |
- *      +                         Random Nonce                          +
- *   28 |                                                               |
- *      +                                                               +
- *   32 |                                                               |
- *      +                                                               +
- *   36 |                                                               |
- *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *   40 |                                                               |
- *      +                                                               +
- *   44 |                                                               |
- *      +                                                               +
- *   48 |                                                               |
- *      +                                                               +
- *   52 |                                                               |
- *      +                     Permanent Public Key                      +
- *   56 |                                                               |
- *      +                                                               +
- *   60 |                                                               |
- *      +                                                               +
- *   64 |                                                               |
- *      +                                                               +
- *   68 |                                                               |
- *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *   72 |                                                               |
- *      +                                                               +
- *   76 |                                                               |
- *      +                     Poly1305 Authenticator                    +
- *   80 |                                                               |
- *      +                                                               +
- *   84 |                                                               |
- *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *   88 |                                                               |
- *      +                                                               +
- *   92 |                                                               |
- *      +                                                               +
- *   96 |                                                               |
- *      +                                                               +
- *  100 |                                                               |
- *      +          Encrypted/Authenticated Temporary Public Key         +
- *  104 |                                                               |
- *      +                                                               +
- *  108 |                                                               |
- *      +                                                               +
- *  112 |                                                               |
- *      +                                                               +
- *  116 |                                                               |
- *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *      |                                                               |
- *      +        Variable Length Encrypted/Authenticated Content        +
- *      |                                                               |
- *
- * If "Session State" is equal to the bitwise complement of zero, the sender is requesting
- * that the recipient begin a connection with him, this is done in cases when the initiator
- * of the connection does not know the key for the recipient. If the entire header is not
- * present the recipient MUST drop the packet silently, the only field which is read in the
- * packet is the "Permanent Public Key" field, all others SHOULD be ignored, specifically,
- * content MUST not be passed on because it cannot be authenticated. The recipient of such a
- * packet SHOULD send back a "hello" packet if there is no established connection.
- * If there is already a connection over the interface, the recipient SHOULD NOT respond
- * but MAY allow the connection to time out faster.
- *
- * If the "Session State" field is equal to the one or two, the packet is a "hello" packet.
- * or a repeated hello packet. If no connection is present, one should be established and the
- * recipient MAY send a "key" packet in response but it is RECOMMENDED that he wait until
- * he has data to send first. A node who has sent a hello packet and gotten no response and
- * now wishes to send more data MUST send that data as more (repeat) hello packets.
- *
- * If the "Session State" field is equal to two or three, the packet is a "key" packet.
- * Key packets are responses to hello packets. Once a node receives a key packet it may begin
- * sending data packets. A node who has received a hello packet, sent a key packet and gotten
- * no further response who now wishes to send more data MUST send that data as more (repeat)
- * key packets.
- */
-union Headers_CryptoAuth
-{
-    uint32_t nonce;
-
-    struct {
-        /**
-         * Numbers one through three are interpreted as handshake packets, UINT32_MAX is
-         * a connectToMe packet and anything else is a nonce in a traffic packet.
-         */
-        uint32_t handshakeStage;
-
-        /** Used for authenticating routers to one another. */
-        union Headers_AuthChallenge auth;
-
-        /** Random nonce for the handshake. */
-        uint8_t nonce[24];
-
-        /** This node's permanent public key. */
-        uint8_t publicKey[32];
-
-        /** This is filled in when the tempKey is encrypted. */
-        uint8_t authenticator[16];
-
-        /** The public key to use for this session, encrypted with the private key. */
-        uint8_t encryptedTempKey[32];
-    } handshake;
-};
-#define Headers_CryptoAuth_SIZE 120
-Assert_compileTime(sizeof(union Headers_CryptoAuth) == Headers_CryptoAuth_SIZE);
-
 struct Headers_IP6Header
 {
     uint16_t versionClassAndFlowLabel;