/* vim: set expandtab ts=4 sw=4: */
/*
* You may redistribute this program and/or modify it under the terms of
* the GNU General Public License as published by the Free Software Foundation,
* either version 3 of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see .
*/
#ifndef CryptoHeader_H
#define CryptoHeader_H
#include "util/Assert.h"
#include "util/Endian.h"
#include
/**
* Header for nodes authenticating to one another.
*
* 1 2 3
* 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* 0 | Auth Type | |
* +-+-+-+-+-+-+-+-+ Hash Code +
* 4 | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* 8 |A| Derivations |S| Additional |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*
* If the 'A' bit is set, the packets in the connection are to be authenticated with Poly1305.
* The Auth Type and Hash Code combined make a lookup key which can be used to scan a hashtable
* to see if the given password is known. It can be thought of as the "username" although it is
* a derivative of the password.
* The number of derivations represents how many times the hash of the password has been hashed
* again. Assuming Alice and Bob have a secure shared secret and Bob and Charlie have a secure
* shared secret, Bob can provide Charlie with a hash of his password with Alice which will allow
* Charlie to then establish a secure connection with Alice, without relying exclusively on
* asymmetrical cryptography.
*
* If the packet has 0 length and the 'S' bit is set then the packet is only intended for helping
* to setup the Cryptoauth session and should be dropped rather than being passed to the user.
*/
union CryptoHeader_Challenge
{
struct {
uint8_t type;
uint8_t lookup[7];
/**
* High 1 bit is whether to require poly1305 packet authentication.
* low 15 bits is number of derivations.
*/
uint16_t requirePacketAuthAndDerivationCount;
uint16_t additional;
} challenge;
uint8_t bytes[12];
uint32_t ints[3];
};
/** Total size of the auth structure. */
#define CryptoHeader_Challenge_SIZE 12
Assert_compileTime(sizeof(union CryptoHeader_Challenge) == CryptoHeader_Challenge_SIZE);
/** The number of bytes from the beginning which identify the auth for looking up the secret. */
#define CryptoHeader_Challenge_KEYSIZE 8
static inline int CryptoHeader_isSetupPacket(union CryptoHeader_Challenge* ac)
{
return ac->challenge.additional & Endian_hostToBigEndian16(1<<15);
}
static inline void CryptoHeader_setPacketAuthRequired(union CryptoHeader_Challenge* ac,
int require)
{
if (require) {
ac->challenge.requirePacketAuthAndDerivationCount |=
Endian_hostToBigEndian16(1<<15);
} else {
ac->challenge.requirePacketAuthAndDerivationCount &=
Endian_hostToBigEndian16(~(1<<15));
}
}
static inline void CryptoHeader_setSetupPacket(union CryptoHeader_Challenge* ac, int empty)
{
if (empty) {
ac->challenge.additional |= Endian_hostToBigEndian16(1<<15);
} else {
ac->challenge.additional &= Endian_hostToBigEndian16(~(1<<15));
}
}
static inline uint16_t CryptoHeader_getAuthChallengeDerivations(union CryptoHeader_Challenge* ac)
{
return Endian_bigEndianToHost16(ac->challenge.requirePacketAuthAndDerivationCount)
& (((uint16_t)~0)>>1);
}
static inline void CryptoHeader_setAuthChallengeDerivations(union CryptoHeader_Challenge* ac,
uint16_t derivations)
{
ac->challenge.requirePacketAuthAndDerivationCount &=
Endian_hostToBigEndian16(1<<15);
ac->challenge.requirePacketAuthAndDerivationCount |=
Endian_hostToBigEndian16(derivations & ~(1<<15));
}
/**
* This is a handshake header packet, there are 2 required to begin an encrypted connection.
*
* 1 2 3
* 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* 0 | Session State |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* 4 | |
* + +
* 8 | Auth Challenge |
* + +
* 12 | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* 16 | |
* + +
* 20 | |
* + +
* 24 | |
* + Random Nonce +
* 28 | |
* + +
* 32 | |
* + +
* 36 | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* 40 | |
* + +
* 44 | |
* + +
* 48 | |
* + +
* 52 | |
* + Permanent Public Key +
* 56 | |
* + +
* 60 | |
* + +
* 64 | |
* + +
* 68 | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* 72 | |
* + +
* 76 | |
* + Poly1305 Authenticator +
* 80 | |
* + +
* 84 | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* 88 | |
* + +
* 92 | |
* + +
* 96 | |
* + +
* 100 | |
* + Encrypted/Authenticated Temporary Public Key +
* 104 | |
* + +
* 108 | |
* + +
* 112 | |
* + +
* 116 | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | |
* + Variable Length Encrypted/Authenticated Content +
* | |
*
* If "Session State" is equal to the bitwise complement of zero, the sender is requesting
* that the recipient begin a connection with him, this is done in cases when the initiator
* of the connection does not know the key for the recipient. If the entire header is not
* present the recipient MUST drop the packet silently, the only field which is read in the
* packet is the "Permanent Public Key" field, all others SHOULD be ignored, specifically,
* content MUST not be passed on because it cannot be authenticated. The recipient of such a
* packet SHOULD send back a "hello" packet if there is no established connection.
* If there is already a connection over the interface, the recipient SHOULD NOT respond
* but MAY allow the connection to time out faster.
*
* If the "Session State" field is equal to the one or two, the packet is a "hello" packet.
* or a repeated hello packet. If no connection is present, one should be established and the
* recipient MAY send a "key" packet in response but it is RECOMMENDED that he wait until
* he has data to send first. A node who has sent a hello packet and gotten no response and
* now wishes to send more data MUST send that data as more (repeat) hello packets.
*
* If the "Session State" field is equal to two or three, the packet is a "key" packet.
* Key packets are responses to hello packets. Once a node receives a key packet it may begin
* sending data packets. A node who has received a hello packet, sent a key packet and gotten
* no further response who now wishes to send more data MUST send that data as more (repeat)
* key packets.
*/
union CryptoHeader
{
uint32_t nonce;
struct {
/**
* Numbers one through three are interpreted as handshake packets, UINT32_MAX is
* a connectToMe packet and anything else is a nonce in a traffic packet.
*/
uint32_t handshakeStage;
/** Used for authenticating routers to one another. */
union CryptoHeader_Challenge auth;
/** Random nonce for the handshake. */
uint8_t nonce[24];
/** This node's permanent public key. */
uint8_t publicKey[32];
/** This is filled in when the tempKey is encrypted. */
uint8_t authenticator[16];
/** The public key to use for this session, encrypted with the private key. */
uint8_t encryptedTempKey[32];
} handshake;
};
#define CryptoHeader_SIZE 120
Assert_compileTime(sizeof(union CryptoHeader) == CryptoHeader_SIZE);
#endif