CryptoAuth.c 43 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158
  1. /* vim: set expandtab ts=4 sw=4: */
  2. /*
  3. * You may redistribute this program and/or modify it under the terms of
  4. * the GNU General Public License as published by the Free Software Foundation,
  5. * either version 3 of the License, or (at your option) any later version.
  6. *
  7. * This program is distributed in the hope that it will be useful,
  8. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. * GNU General Public License for more details.
  11. *
  12. * You should have received a copy of the GNU General Public License
  13. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  14. */
  15. #include "crypto/CryptoAuth_pvt.h"
  16. #include "crypto/AddressCalc.h"
  17. #include "crypto/ReplayProtector.h"
  18. #include "crypto/random/Random.h"
  19. #include "benc/Dict.h"
  20. #include "benc/List.h"
  21. #include "benc/String.h"
  22. #include "util/log/Log.h"
  23. #include "memory/Allocator.h"
  24. #include "util/Assert.h"
  25. #include "util/AddrTools.h"
  26. #include "util/Bits.h"
  27. #include "util/Defined.h"
  28. #include "util/Endian.h"
  29. #include "util/Hex.h"
  30. #include "util/events/Time.h"
  31. #include "wire/Error.h"
  32. #include "wire/Headers.h"
  33. #include "wire/Message.h"
  34. #include "crypto_box_curve25519xsalsa20poly1305.h"
  35. #include "crypto_hash_sha256.h"
  36. #include "crypto_scalarmult_curve25519.h"
  37. #include <stdint.h>
  38. #include <stdbool.h>
  39. #define USE_RES __attribute__ ((warn_unused_result))
  40. static inline void printHexKey(uint8_t output[65], uint8_t key[32])
  41. {
  42. if (key) {
  43. Hex_encode(output, 65, key, 32);
  44. } else {
  45. Bits_memcpyConst(output, "NULL", 5);
  46. }
  47. }
  48. static inline void printHexPubKey(uint8_t output[65], uint8_t privateKey[32])
  49. {
  50. if (privateKey) {
  51. uint8_t publicKey[32];
  52. crypto_scalarmult_curve25519_base(publicKey, privateKey);
  53. printHexKey(output, publicKey);
  54. } else {
  55. printHexKey(output, NULL);
  56. }
  57. }
  58. /**
  59. * Get a shared secret.
  60. *
  61. * @param outputSecret an array to place the shared secret in.
  62. * @param myPrivateKey
  63. * @param herPublicKey
  64. * @param logger
  65. * @param passwordHash a 32 byte value known to both ends, this must be provably pseudorandom
  66. * the first 32 bytes of a sha256 output from hashing a password is ok,
  67. * whatever she happens to send me in the Auth field is NOT ok.
  68. * If this field is null, the secret will be generated without the password.
  69. */
  70. static inline void getSharedSecret(uint8_t outputSecret[32],
  71. uint8_t myPrivateKey[32],
  72. uint8_t herPublicKey[32],
  73. uint8_t passwordHash[32],
  74. struct Log* logger)
  75. {
  76. if (passwordHash == NULL) {
  77. crypto_box_curve25519xsalsa20poly1305_beforenm(outputSecret, herPublicKey, myPrivateKey);
  78. } else {
  79. union {
  80. struct {
  81. uint8_t key[32];
  82. uint8_t passwd[32];
  83. } components;
  84. uint8_t bytes[64];
  85. } buff;
  86. crypto_scalarmult_curve25519(buff.components.key, myPrivateKey, herPublicKey);
  87. Bits_memcpyConst(buff.components.passwd, passwordHash, 32);
  88. crypto_hash_sha256(outputSecret, buff.bytes, 64);
  89. }
  90. if (Defined(Log_KEYS)) {
  91. uint8_t myPublicKeyHex[65];
  92. printHexPubKey(myPublicKeyHex, myPrivateKey);
  93. uint8_t herPublicKeyHex[65];
  94. printHexKey(herPublicKeyHex, herPublicKey);
  95. uint8_t passwordHashHex[65];
  96. printHexKey(passwordHashHex, passwordHash);
  97. uint8_t outputSecretHex[65] = "NULL";
  98. printHexKey(outputSecretHex, outputSecret);
  99. Log_keys(logger,
  100. "Generated a shared secret:\n"
  101. " myPublicKey=%s\n"
  102. " herPublicKey=%s\n"
  103. " passwordHash=%s\n"
  104. " outputSecret=%s\n",
  105. myPublicKeyHex, herPublicKeyHex, passwordHashHex, outputSecretHex);
  106. }
  107. }
  108. static inline void hashPassword_sha256(struct CryptoAuth_Auth* auth, const String* password)
  109. {
  110. uint8_t tempBuff[32];
  111. crypto_hash_sha256(auth->secret, (uint8_t*) password->bytes, password->len);
  112. crypto_hash_sha256(tempBuff, auth->secret, 32);
  113. Bits_memcpyConst(auth->challenge.bytes, tempBuff, CryptoHeader_Challenge_SIZE);
  114. CryptoHeader_setAuthChallengeDerivations(&auth->challenge, 0);
  115. auth->challenge.challenge.type = 1;
  116. }
  117. static inline uint8_t* hashPassword(struct CryptoAuth_Auth* auth,
  118. const String* password,
  119. const uint8_t authType)
  120. {
  121. switch (authType) {
  122. case 1:
  123. hashPassword_sha256(auth, password);
  124. break;
  125. default:
  126. Assert_true(!"Unsupported auth type.");
  127. };
  128. return auth->secret;
  129. }
  130. /**
  131. * Search the authorized passwords for one matching this auth header.
  132. *
  133. * @param auth the auth header.
  134. * @param context the CryptoAuth engine to search in.
  135. * @return an Auth struct with a if one is found, otherwise NULL.
  136. */
  137. static inline struct CryptoAuth_Auth* getAuth(union CryptoHeader_Challenge auth,
  138. struct CryptoAuth_pvt* context)
  139. {
  140. if (auth.challenge.type != 1) {
  141. return NULL;
  142. }
  143. for (uint32_t i = 0; i < context->passwordCount; i++) {
  144. if (Bits_memcmp(auth.bytes, &context->passwords[i], CryptoHeader_Challenge_KEYSIZE) == 0) {
  145. return &context->passwords[i];
  146. }
  147. }
  148. Log_debug(context->logger, "Got unrecognized auth, password count = [%d]",
  149. context->passwordCount);
  150. return NULL;
  151. }
  152. static inline void getPasswordHash_typeOne(uint8_t output[32],
  153. uint16_t derivations,
  154. struct CryptoAuth_Auth* auth)
  155. {
  156. Bits_memcpyConst(output, auth->secret, 32);
  157. if (derivations) {
  158. union {
  159. uint8_t bytes[2];
  160. uint8_t asShort;
  161. } deriv = { .asShort = derivations };
  162. output[0] ^= deriv.bytes[0];
  163. output[1] ^= deriv.bytes[1];
  164. crypto_hash_sha256(output, output, 32);
  165. }
  166. }
  167. static inline uint8_t* tryAuth(union CryptoHeader* cauth,
  168. uint8_t hashOutput[32],
  169. struct CryptoAuth_Session_pvt* session,
  170. struct CryptoAuth_Auth** retAuth)
  171. {
  172. struct CryptoAuth_Auth* auth = getAuth(cauth->handshake.auth, session->context);
  173. if (auth != NULL) {
  174. uint16_t deriv = CryptoHeader_getAuthChallengeDerivations(&cauth->handshake.auth);
  175. getPasswordHash_typeOne(hashOutput, deriv, auth);
  176. if (deriv == 0) {
  177. *retAuth = auth;
  178. }
  179. return hashOutput;
  180. }
  181. return NULL;
  182. }
  183. /**
  184. * Decrypt and authenticate.
  185. *
  186. * @param nonce a 24 byte number, may be random, cannot repeat.
  187. * @param msg a message to encipher and authenticate.
  188. * @param secret a shared secret.
  189. * @return 0 if decryption is succeddful, otherwise -1.
  190. */
  191. static inline USE_RES int decryptRndNonce(uint8_t nonce[24],
  192. struct Message* msg,
  193. uint8_t secret[32])
  194. {
  195. if (msg->length < 16) {
  196. return -1;
  197. }
  198. Assert_true(msg->padding >= 16);
  199. uint8_t* startAt = msg->bytes - 16;
  200. uint8_t paddingSpace[16];
  201. Bits_memcpyConst(paddingSpace, startAt, 16);
  202. Bits_memset(startAt, 0, 16);
  203. if (!Defined(NSA_APPROVED)) {
  204. if (crypto_box_curve25519xsalsa20poly1305_open_afternm(
  205. startAt, startAt, msg->length + 16, nonce, secret) != 0)
  206. {
  207. return -1;
  208. }
  209. }
  210. Bits_memcpyConst(startAt, paddingSpace, 16);
  211. Message_shift(msg, -16, NULL);
  212. return 0;
  213. }
  214. /**
  215. * Encrypt and authenticate.
  216. * Shifts the message by 16 bytes.
  217. *
  218. * @param nonce a 24 byte number, may be random, cannot repeat.
  219. * @param msg a message to encipher and authenticate.
  220. * @param secret a shared secret.
  221. */
  222. static inline void encryptRndNonce(uint8_t nonce[24],
  223. struct Message* msg,
  224. uint8_t secret[32])
  225. {
  226. Assert_true(msg->padding >= 32);
  227. uint8_t* startAt = msg->bytes - 32;
  228. // This function trashes 16 bytes of the padding so we will put it back
  229. uint8_t paddingSpace[16];
  230. Bits_memcpyConst(paddingSpace, startAt, 16);
  231. Bits_memset(startAt, 0, 32);
  232. if (!Defined(NSA_APPROVED)) {
  233. crypto_box_curve25519xsalsa20poly1305_afternm(
  234. startAt, startAt, msg->length + 32, nonce, secret);
  235. }
  236. Bits_memcpyConst(startAt, paddingSpace, 16);
  237. Message_shift(msg, 16, NULL);
  238. }
  239. /**
  240. * Decrypt a packet.
  241. *
  242. * @param nonce a counter.
  243. * @param msg the message to decrypt, decrypted in place.
  244. * @param secret the shared secret.
  245. * @param isInitiator true if we started the connection.
  246. */
  247. static inline USE_RES int decrypt(uint32_t nonce,
  248. struct Message* msg,
  249. uint8_t secret[32],
  250. bool isInitiator)
  251. {
  252. union {
  253. uint32_t ints[2];
  254. uint8_t bytes[24];
  255. } nonceAs = { .ints = {0, 0} };
  256. nonceAs.ints[!isInitiator] = Endian_hostToLittleEndian32(nonce);
  257. return decryptRndNonce(nonceAs.bytes, msg, secret);
  258. }
  259. /**
  260. * Encrypt a packet.
  261. *
  262. * @param nonce a counter.
  263. * @param msg the message to decrypt, decrypted in place.
  264. * @param secret the shared secret.
  265. * @param isInitiator true if we started the connection.
  266. */
  267. static inline void encrypt(uint32_t nonce,
  268. struct Message* msg,
  269. uint8_t secret[32],
  270. bool isInitiator)
  271. {
  272. union {
  273. uint32_t ints[2];
  274. uint8_t bytes[24];
  275. } nonceAs = { .ints = {0, 0} };
  276. nonceAs.ints[isInitiator] = Endian_hostToLittleEndian32(nonce);
  277. encryptRndNonce(nonceAs.bytes, msg, secret);
  278. }
  279. static inline bool knowHerKey(struct CryptoAuth_Session_pvt* session)
  280. {
  281. return !Bits_isZero(session->pub.herPublicKey, 32);
  282. }
  283. static void getIp6(struct CryptoAuth_Session_pvt* session, uint8_t* addr)
  284. {
  285. if (knowHerKey(session)) {
  286. uint8_t ip6[16];
  287. AddressCalc_addressForPublicKey(ip6, session->pub.herPublicKey);
  288. AddrTools_printIp(addr, ip6);
  289. }
  290. }
  291. #define cryptoAuthDebug(wrapper, format, ...) \
  292. { \
  293. uint8_t addr[40] = "unknown"; \
  294. getIp6((session), addr); \
  295. Log_debug((session)->context->logger, \
  296. "%p %s [%s]: " format, (void*)(session), (session)->name, addr, __VA_ARGS__); \
  297. }
  298. #define cryptoAuthDebug0(wrapper, format) \
  299. cryptoAuthDebug(session, format "%s", "")
  300. static void reset(struct CryptoAuth_Session_pvt* session)
  301. {
  302. session->nextNonce = 0;
  303. session->isInitiator = false;
  304. Bits_memset(session->ourTempPrivKey, 0, 32);
  305. Bits_memset(session->ourTempPubKey, 0, 32);
  306. Bits_memset(session->herTempPubKey, 0, 32);
  307. Bits_memset(session->sharedSecret, 0, 32);
  308. session->established = false;
  309. Bits_memset(&session->pub.replayProtector, 0, sizeof(struct ReplayProtector));
  310. }
  311. static void resetIfTimeout(struct CryptoAuth_Session_pvt* session)
  312. {
  313. if (session->nextNonce == 1) {
  314. // Lets not reset the session, we just sent one or more hello packets and
  315. // have not received a response, if they respond after we reset then we'll
  316. // be in a tough state.
  317. return;
  318. }
  319. uint64_t nowSecs = Time_currentTimeSeconds(session->context->eventBase);
  320. if (nowSecs - session->timeOfLastPacket > session->context->pub.resetAfterInactivitySeconds) {
  321. cryptoAuthDebug(session, "No traffic in [%d] seconds, resetting connection.",
  322. (int) (nowSecs - session->timeOfLastPacket));
  323. session->timeOfLastPacket = nowSecs;
  324. reset(session);
  325. }
  326. }
  327. static void encryptHandshake(struct Message* message,
  328. struct CryptoAuth_Session_pvt* session,
  329. int setupMessage)
  330. {
  331. Message_shift(message, sizeof(union CryptoHeader), NULL);
  332. union CryptoHeader* header = (union CryptoHeader*) message->bytes;
  333. // garbage the auth challenge and set the nonce which follows it
  334. Random_bytes(session->context->rand, (uint8_t*) &header->handshake.auth,
  335. sizeof(union CryptoHeader_Challenge) + 24);
  336. // set the permanent key
  337. Bits_memcpyConst(&header->handshake.publicKey, session->context->pub.publicKey, 32);
  338. Assert_true(knowHerKey(session));
  339. uint8_t calculatedIp6[16];
  340. AddressCalc_addressForPublicKey(calculatedIp6, session->pub.herPublicKey);
  341. if (!Bits_isZero(session->pub.herIp6, 16)) {
  342. // If someone starts a CA session and then discovers the key later and memcpy's it into the
  343. // result of getHerPublicKey() then we want to make sure they didn't memcpy in an invalid
  344. // key.
  345. Assert_true(!Bits_memcmp(session->pub.herIp6, calculatedIp6, 16));
  346. }
  347. // Password auth
  348. uint8_t* passwordHash = NULL;
  349. struct CryptoAuth_Auth auth;
  350. if (session->password != NULL) {
  351. passwordHash = hashPassword(&auth, session->password, session->authType);
  352. Bits_memcpyConst(header->handshake.auth.bytes,
  353. &auth.challenge,
  354. sizeof(union CryptoHeader_Challenge));
  355. }
  356. header->handshake.auth.challenge.type = session->authType;
  357. // Packet authentication option is deprecated, it must always be enabled.
  358. CryptoHeader_setPacketAuthRequired(&header->handshake.auth, 1);
  359. header->handshake.auth.challenge.additional = 0;
  360. // Set the session state
  361. header->nonce = Endian_hostToBigEndian32(session->nextNonce);
  362. if (session->nextNonce == 0 || session->nextNonce == 2) {
  363. // If we're sending a hello or a key
  364. // Here we make up a temp keypair
  365. Random_bytes(session->context->rand, session->ourTempPrivKey, 32);
  366. crypto_scalarmult_curve25519_base(session->ourTempPubKey, session->ourTempPrivKey);
  367. if (Defined(Log_KEYS)) {
  368. uint8_t tempPrivateKeyHex[65];
  369. Hex_encode(tempPrivateKeyHex, 65, session->ourTempPrivKey, 32);
  370. uint8_t tempPubKeyHex[65];
  371. Hex_encode(tempPubKeyHex, 65, session->ourTempPubKey, 32);
  372. Log_keys(session->context->logger, "Generating temporary keypair\n"
  373. " myTempPrivateKey=%s\n"
  374. " myTempPublicKey=%s\n",
  375. tempPrivateKeyHex, tempPubKeyHex);
  376. }
  377. }
  378. Bits_memcpyConst(header->handshake.encryptedTempKey, session->ourTempPubKey, 32);
  379. if (Defined(Log_KEYS)) {
  380. uint8_t tempKeyHex[65];
  381. Hex_encode(tempKeyHex, 65, header->handshake.encryptedTempKey, 32);
  382. Log_keys(session->context->logger,
  383. "Wrapping temp public key:\n"
  384. " %s\n",
  385. tempKeyHex);
  386. }
  387. cryptoAuthDebug(session, "Sending %s%s packet",
  388. ((session->nextNonce & 1) ? "repeat " : ""),
  389. ((session->nextNonce < 2) ? "hello" : "key"));
  390. uint8_t sharedSecret[32];
  391. if (session->nextNonce < 2) {
  392. getSharedSecret(sharedSecret,
  393. session->context->privateKey,
  394. session->pub.herPublicKey,
  395. passwordHash,
  396. session->context->logger);
  397. session->isInitiator = true;
  398. Assert_true(session->nextNonce <= 1);
  399. session->nextNonce = 1;
  400. } else {
  401. // Handshake2
  402. // herTempPubKey was set by decryptHandshake()
  403. Assert_ifParanoid(!Bits_isZero(session->herTempPubKey, 32));
  404. getSharedSecret(sharedSecret,
  405. session->context->privateKey,
  406. session->herTempPubKey,
  407. passwordHash,
  408. session->context->logger);
  409. Assert_true(session->nextNonce <= 3);
  410. session->nextNonce = 3;
  411. if (Defined(Log_KEYS)) {
  412. uint8_t tempKeyHex[65];
  413. Hex_encode(tempKeyHex, 65, session->herTempPubKey, 32);
  414. Log_keys(session->context->logger,
  415. "Using their temp public key:\n"
  416. " %s\n",
  417. tempKeyHex);
  418. }
  419. }
  420. // Shift message over the encryptedTempKey field.
  421. Message_shift(message, 32 - CryptoHeader_SIZE, NULL);
  422. encryptRndNonce(header->handshake.nonce, message, sharedSecret);
  423. if (Defined(Log_KEYS)) {
  424. uint8_t sharedSecretHex[65];
  425. printHexKey(sharedSecretHex, sharedSecret);
  426. uint8_t nonceHex[49];
  427. Hex_encode(nonceHex, 49, header->handshake.nonce, 24);
  428. uint8_t cipherHex[65];
  429. printHexKey(cipherHex, message->bytes);
  430. Log_keys(session->context->logger,
  431. "Encrypting message with:\n"
  432. " nonce: %s\n"
  433. " secret: %s\n"
  434. " cipher: %s\n",
  435. nonceHex, sharedSecretHex, cipherHex);
  436. }
  437. // Shift it back -- encryptRndNonce adds 16 bytes of authenticator.
  438. Message_shift(message, CryptoHeader_SIZE - 32 - 16, NULL);
  439. }
  440. /** @return 0 on success, -1 otherwise. */
  441. int CryptoAuth_encrypt(struct CryptoAuth_Session* sessionPub, struct Message* msg)
  442. {
  443. struct CryptoAuth_Session_pvt* session =
  444. Identity_check((struct CryptoAuth_Session_pvt*) sessionPub);
  445. // If there has been no incoming traffic for a while, reset the connection to state 0.
  446. // This will prevent "connection in bad state" situations from lasting forever.
  447. // this will reset the session if it has timed out.
  448. resetIfTimeout(session);
  449. // If the nonce wraps, start over.
  450. if (session->nextNonce >= 0xfffffff0) {
  451. reset(session);
  452. }
  453. Assert_true(!((uintptr_t)msg->bytes % 4) || !"alignment fault");
  454. // nextNonce 0: sending hello, we are initiating connection.
  455. // nextNonce 1: sending another hello, nothing received yet.
  456. // nextNonce 2: sending key, hello received.
  457. // nextNonce 3: sending key again, no data packet recieved yet.
  458. // nextNonce >3: handshake complete
  459. //
  460. // if it's a blind handshake, every message will be empty and nextNonce will remain
  461. // zero until the first message is received back.
  462. if (session->nextNonce < 5) {
  463. if (session->nextNonce < 4) {
  464. encryptHandshake(msg, session, 0);
  465. return 0;
  466. } else {
  467. cryptoAuthDebug0(session, "Doing final step to send message. nonce=4");
  468. Assert_ifParanoid(!Bits_isZero(session->ourTempPrivKey, 32));
  469. Assert_ifParanoid(!Bits_isZero(session->herTempPubKey, 32));
  470. getSharedSecret(session->sharedSecret,
  471. session->ourTempPrivKey,
  472. session->herTempPubKey,
  473. NULL,
  474. session->context->logger);
  475. }
  476. }
  477. Assert_true(msg->length > 0 && "Empty packet during handshake");
  478. Assert_true(msg->padding >= 36 || !"not enough padding");
  479. encrypt(session->nextNonce, msg, session->sharedSecret, session->isInitiator);
  480. Message_push32(msg, session->nextNonce, NULL);
  481. session->nextNonce++;
  482. return 0;
  483. }
  484. /** Call the external interface and tell it that a message has been received. */
  485. static inline void updateTime(struct CryptoAuth_Session_pvt* session, struct Message* message)
  486. {
  487. session->timeOfLastPacket = Time_currentTimeSeconds(session->context->eventBase);
  488. }
  489. static inline USE_RES bool decryptMessage(struct CryptoAuth_Session_pvt* session,
  490. uint32_t nonce,
  491. struct Message* content,
  492. uint8_t secret[32])
  493. {
  494. // Decrypt with authentication and replay prevention.
  495. if (decrypt(nonce, content, secret, session->isInitiator)) {
  496. cryptoAuthDebug0(session, "DROP authenticated decryption failed");
  497. return false;
  498. }
  499. if (!ReplayProtector_checkNonce(nonce, &session->pub.replayProtector)) {
  500. cryptoAuthDebug(session, "DROP nonce checking failed nonce=[%u]", nonce);
  501. return false;
  502. }
  503. return true;
  504. }
  505. static bool ip6MatchesKey(uint8_t ip6[16], uint8_t key[32])
  506. {
  507. uint8_t calculatedIp6[16];
  508. AddressCalc_addressForPublicKey(calculatedIp6, key);
  509. return !Bits_memcmp(ip6, calculatedIp6, 16);
  510. }
  511. static USE_RES int decryptHandshake(struct CryptoAuth_Session_pvt* session,
  512. const uint32_t nonce,
  513. struct Message* message,
  514. union CryptoHeader* header)
  515. {
  516. if (message->length < CryptoHeader_SIZE) {
  517. cryptoAuthDebug0(session, "DROP runt");
  518. return -1;
  519. }
  520. // handshake
  521. // nextNonce 0: recieving hello.
  522. // nextNonce 1: recieving key, we sent hello.
  523. // nextNonce 2: recieving first data packet or duplicate hello.
  524. // nextNonce 3: recieving first data packet.
  525. // nextNonce >3: handshake complete
  526. if (knowHerKey(session)) {
  527. if (Bits_memcmp(session->pub.herPublicKey, header->handshake.publicKey, 32)) {
  528. cryptoAuthDebug0(session, "DROP a packet with different public key than this session");
  529. return -1;
  530. }
  531. } else if (Bits_isZero(session->pub.herIp6, 16)) {
  532. // ok fallthrough
  533. } else if (!ip6MatchesKey(session->pub.herIp6, header->handshake.publicKey)) {
  534. cryptoAuthDebug0(session, "DROP packet with public key not matching ip6 for session");
  535. return -1;
  536. }
  537. String* user = NULL;
  538. struct CryptoAuth_Auth* auth = NULL;
  539. uint8_t passwordHashStore[32];
  540. uint8_t* passwordHash = tryAuth(header, passwordHashStore, session, &auth);
  541. uint8_t* restrictedToip6 = NULL;
  542. if (auth) {
  543. user = auth->user;
  544. if (auth->restrictedToip6) {
  545. restrictedToip6 = auth->restrictedToip6;
  546. if (!ip6MatchesKey(auth->restrictedToip6, header->handshake.publicKey)) {
  547. cryptoAuthDebug0(session, "DROP packet with key not matching restrictedToip6");
  548. return -1;
  549. }
  550. }
  551. }
  552. if (session->requireAuth && !user) {
  553. cryptoAuthDebug0(session, "DROP message because auth was not given");
  554. return -1;
  555. }
  556. if (passwordHash == NULL && header->handshake.auth.challenge.type != 0) {
  557. cryptoAuthDebug0(session, "DROP message with unrecognized authenticator");
  558. return -1;
  559. }
  560. // What the nextNonce will become if this packet is valid.
  561. uint32_t nextNonce;
  562. // The secret for decrypting this message.
  563. uint8_t sharedSecret[32];
  564. uint8_t* herPermKey = NULL;
  565. if (nonce < 2) {
  566. if (nonce == 0) {
  567. cryptoAuthDebug(session, "Received a hello packet, using auth: %d",
  568. (passwordHash != NULL));
  569. } else {
  570. cryptoAuthDebug0(session, "Received a repeat hello packet");
  571. }
  572. // Decrypt message with perminent keys.
  573. if (!knowHerKey(session) || session->nextNonce == 0) {
  574. herPermKey = header->handshake.publicKey;
  575. if (Defined(Log_DEBUG) && Bits_isZero(header->handshake.publicKey, 32)) {
  576. cryptoAuthDebug0(session, "Node sent public key of ZERO!");
  577. }
  578. } else {
  579. herPermKey = session->pub.herPublicKey;
  580. if (Bits_memcmp(header->handshake.publicKey, herPermKey, 32)) {
  581. cryptoAuthDebug0(session, "DROP packet contains different perminent key");
  582. return -1;
  583. }
  584. }
  585. getSharedSecret(sharedSecret,
  586. session->context->privateKey,
  587. herPermKey,
  588. passwordHash,
  589. session->context->logger);
  590. nextNonce = 2;
  591. } else {
  592. if (nonce == 2) {
  593. cryptoAuthDebug0(session, "Received a key packet");
  594. } else if (nonce == 3) {
  595. cryptoAuthDebug0(session, "Received a repeat key packet");
  596. } else {
  597. cryptoAuthDebug(session, "Received a packet of unknown type! nonce=%u", nonce);
  598. }
  599. if (Bits_memcmp(header->handshake.publicKey, session->pub.herPublicKey, 32)) {
  600. cryptoAuthDebug0(session, "DROP packet contains different perminent key");
  601. return -1;
  602. }
  603. if (!session->isInitiator) {
  604. cryptoAuthDebug0(session, "DROP a stray key packet");
  605. return -1;
  606. }
  607. // We sent the hello, this is a key
  608. getSharedSecret(sharedSecret,
  609. session->ourTempPrivKey,
  610. session->pub.herPublicKey,
  611. passwordHash,
  612. session->context->logger);
  613. nextNonce = 4;
  614. }
  615. // Shift it on top of the authenticator before the encrypted public key
  616. Message_shift(message, 48 - CryptoHeader_SIZE, NULL);
  617. if (Defined(Log_KEYS)) {
  618. uint8_t sharedSecretHex[65];
  619. printHexKey(sharedSecretHex, sharedSecret);
  620. uint8_t nonceHex[49];
  621. Hex_encode(nonceHex, 49, header->handshake.nonce, 24);
  622. uint8_t cipherHex[65];
  623. printHexKey(cipherHex, message->bytes);
  624. Log_keys(session->context->logger,
  625. "Decrypting message with:\n"
  626. " nonce: %s\n"
  627. " secret: %s\n"
  628. " cipher: %s\n",
  629. nonceHex, sharedSecretHex, cipherHex);
  630. }
  631. // Decrypt her temp public key and the message.
  632. if (decryptRndNonce(header->handshake.nonce, message, sharedSecret)) {
  633. // just in case
  634. Bits_memset(header, 0, CryptoHeader_SIZE);
  635. cryptoAuthDebug(session, "DROP message with nonce [%d], decryption failed", nonce);
  636. return -1;
  637. }
  638. if (Bits_isZero(header->handshake.encryptedTempKey, 32)) {
  639. // we need to reject 0 public keys outright because they will be confused with "unknown"
  640. return -1;
  641. }
  642. if (Defined(Log_KEYS)) {
  643. uint8_t tempKeyHex[65];
  644. Hex_encode(tempKeyHex, 65, header->handshake.encryptedTempKey, 32);
  645. Log_keys(session->context->logger,
  646. "Unwrapping temp public key:\n"
  647. " %s\n",
  648. tempKeyHex);
  649. }
  650. Message_shift(message, -32, NULL);
  651. // Post-decryption checking
  652. if (nonce == 0) {
  653. // A new hello packet
  654. if (!Bits_memcmp(session->herTempPubKey, header->handshake.encryptedTempKey, 32)) {
  655. // possible replay attack or duped packet
  656. cryptoAuthDebug0(session, "DROP dupe hello packet with same temp key");
  657. return -1;
  658. }
  659. } else if (nonce == 2 && session->nextNonce >= 4) {
  660. // we accept a new key packet and let it change the session since the other end might have
  661. // killed off the session while it was in the midst of setting up.
  662. if (!Bits_memcmp(session->herTempPubKey, header->handshake.encryptedTempKey, 32)) {
  663. Assert_true(!Bits_isZero(session->herTempPubKey, 32));
  664. cryptoAuthDebug0(session, "DROP dupe key packet with same temp key");
  665. return -1;
  666. }
  667. } else if (nonce == 3 && session->nextNonce >= 4) {
  668. // Got a repeat key packet, make sure the temp key is the same as the one we know.
  669. if (Bits_memcmp(session->herTempPubKey, header->handshake.encryptedTempKey, 32)) {
  670. Assert_true(!Bits_isZero(session->herTempPubKey, 32));
  671. cryptoAuthDebug0(session, "DROP repeat key packet with different temp key");
  672. return -1;
  673. }
  674. }
  675. // If Alice sent a hello packet then Bob sent a hello packet and they crossed on the wire,
  676. // somebody has to yield and the other has to stand firm otherwise they will either deadlock
  677. // each believing their hello packet is superior or they will livelock, each switching to the
  678. // other's session and never synchronizing.
  679. // In this event whoever has the lower permanent public key wins.
  680. // If we receive a (possibly repeat) key packet
  681. if (nextNonce == 4) {
  682. if (session->nextNonce <= 4) {
  683. // and have not yet begun sending "run" data
  684. Assert_true(session->nextNonce <= nextNonce);
  685. session->nextNonce = nextNonce;
  686. session->pub.userName = user;
  687. Bits_memcpyConst(session->herTempPubKey, header->handshake.encryptedTempKey, 32);
  688. } else {
  689. // It's a (possibly repeat) key packet and we have begun sending run data.
  690. // We will change the shared secret to the one specified in the new key packet but
  691. // intentionally avoid de-incrementing the nonce just in case
  692. getSharedSecret(session->sharedSecret,
  693. session->ourTempPrivKey,
  694. header->handshake.encryptedTempKey,
  695. NULL,
  696. session->context->logger);
  697. cryptoAuthDebug0(session, "New key packet but we are already sending data");
  698. }
  699. } else if (nextNonce != 2) {
  700. Assert_true(!"should never happen");
  701. } else if (!session->isInitiator || session->established) {
  702. // This is a hello packet and we are either in ESTABLISHED state or we are
  703. // not the initiator of the connection.
  704. // If the case is that we are in ESTABLISHED state, the other side tore down the session
  705. // and we have not so lets tear it down.
  706. // If we are not in ESTABLISHED state then we don't allow resetting of the session unless
  707. // they are the sender of the hello packet or their permanent public key is lower.
  708. // this is a tie-breaker in case hello packets cross on the wire.
  709. if (session->established) {
  710. reset(session);
  711. }
  712. // We got a (possibly repeat) hello packet and we have not sent any hello packet,
  713. // new session.
  714. if (session->nextNonce == 3) {
  715. // We sent a key packet so the next packet is a repeat key but we got another hello
  716. // We'll just keep steaming along sending repeat key packets
  717. nextNonce = 3;
  718. }
  719. Assert_true(session->nextNonce <= nextNonce);
  720. session->nextNonce = nextNonce;
  721. session->pub.userName = user;
  722. if (restrictedToip6) {
  723. Bits_memcpyConst(session->pub.herIp6, restrictedToip6, 16);
  724. }
  725. Bits_memcpyConst(session->herTempPubKey, header->handshake.encryptedTempKey, 32);
  726. } else if (Bits_memcmp(header->handshake.publicKey, session->context->pub.publicKey, 32) < 0) {
  727. // It's a hello and we are the initiator but their permant public key is numerically lower
  728. // than ours, this is so that in the event of two hello packets crossing on the wire, the
  729. // nodes will agree on who is the initiator.
  730. cryptoAuthDebug0(session, "Incoming hello from node with lower key, resetting");
  731. reset(session);
  732. Assert_true(session->nextNonce <= nextNonce);
  733. session->nextNonce = nextNonce;
  734. session->pub.userName = user;
  735. if (restrictedToip6) {
  736. Bits_memcpyConst(session->pub.herIp6, restrictedToip6, 16);
  737. }
  738. Bits_memcpyConst(session->herTempPubKey, header->handshake.encryptedTempKey, 32);
  739. } else {
  740. cryptoAuthDebug0(session, "Incoming hello from node with higher key, not resetting");
  741. }
  742. if (herPermKey && herPermKey != session->pub.herPublicKey) {
  743. Bits_memcpyConst(session->pub.herPublicKey, herPermKey, 32);
  744. }
  745. Bits_memset(&session->pub.replayProtector, 0, sizeof(struct ReplayProtector));
  746. return 0;
  747. }
  748. /** @return 0 on success, -1 otherwise. */
  749. int CryptoAuth_decrypt(struct CryptoAuth_Session* sessionPub, struct Message* msg)
  750. {
  751. struct CryptoAuth_Session_pvt* session =
  752. Identity_check((struct CryptoAuth_Session_pvt*) sessionPub);
  753. union CryptoHeader* header = (union CryptoHeader*) msg->bytes;
  754. if (msg->length < 20) {
  755. cryptoAuthDebug0(session, "DROP runt");
  756. return -1;
  757. }
  758. Assert_true(msg->padding >= 12 || "need at least 12 bytes of padding in incoming message");
  759. Assert_true(!((uintptr_t)msg->bytes % 4) || !"alignment fault");
  760. Assert_true(!(msg->capacity % 4) || !"length fault");
  761. Message_shift(msg, -4, NULL);
  762. uint32_t nonce = Endian_bigEndianToHost32(header->nonce);
  763. if (!session->established) {
  764. if (nonce > 3 && nonce != UINT32_MAX) {
  765. if (session->nextNonce < 3) {
  766. // This is impossible because we have not exchanged hello and key messages.
  767. cryptoAuthDebug0(session, "DROP Received a run message to an un-setup session");
  768. return -1;
  769. }
  770. cryptoAuthDebug(session, "Trying final handshake step, nonce=%u\n", nonce);
  771. uint8_t secret[32];
  772. Assert_ifParanoid(!Bits_isZero(session->ourTempPrivKey, 32));
  773. Assert_ifParanoid(!Bits_isZero(session->herTempPubKey, 32));
  774. getSharedSecret(secret,
  775. session->ourTempPrivKey,
  776. session->herTempPubKey,
  777. NULL,
  778. session->context->logger);
  779. // We'll optimistically advance the nextNonce value because decryptMessage()
  780. // passes the message on to the upper level and if this message causes a
  781. // response, we want the CA to be in ESTABLISHED state.
  782. // if the decryptMessage() call fails, we CryptoAuth_reset() it back.
  783. session->nextNonce += 3;
  784. if (decryptMessage(session, nonce, msg, secret)) {
  785. cryptoAuthDebug0(session, "Final handshake step succeeded");
  786. Bits_memcpyConst(session->sharedSecret, secret, 32);
  787. // Now we're in run mode, no more handshake packets will be accepted
  788. Bits_memset(session->ourTempPrivKey, 0, 32);
  789. Bits_memset(session->ourTempPubKey, 0, 32);
  790. Bits_memset(session->herTempPubKey, 0, 32);
  791. session->established = true;
  792. updateTime(session, msg);
  793. return 0;
  794. }
  795. reset(session);
  796. cryptoAuthDebug0(session, "DROP Final handshake step failed");
  797. return -1;
  798. }
  799. Message_shift(msg, 4, NULL);
  800. return decryptHandshake(session, nonce, msg, header);
  801. } else if (nonce > 3 && nonce != UINT32_MAX) {
  802. Assert_ifParanoid(!Bits_isZero(session->sharedSecret, 32));
  803. if (decryptMessage(session, nonce, msg, session->sharedSecret)) {
  804. updateTime(session, msg);
  805. return 0;
  806. } else {
  807. cryptoAuthDebug0(session, "DROP Failed to decrypt message");
  808. return -1;
  809. }
  810. } else if (nonce < 2) {
  811. cryptoAuthDebug(session, "hello packet during established session nonce=[%d]", nonce);
  812. Message_shift(msg, 4, NULL);
  813. return decryptHandshake(session, nonce, msg, header);
  814. } else {
  815. // setup keys are already zeroed, not much we can do here.
  816. cryptoAuthDebug(session, "DROP key packet during established session nonce=[%d]", nonce);
  817. return -1;
  818. }
  819. Assert_true(0);
  820. }
  821. /////////////////////////////////////////////////////////////////////////////////////////////////
  822. struct CryptoAuth* CryptoAuth_new(struct Allocator* allocator,
  823. const uint8_t* privateKey,
  824. struct EventBase* eventBase,
  825. struct Log* logger,
  826. struct Random* rand)
  827. {
  828. struct CryptoAuth_pvt* ca = Allocator_calloc(allocator, sizeof(struct CryptoAuth_pvt), 1);
  829. Identity_set(ca);
  830. ca->allocator = allocator;
  831. ca->passwords = Allocator_calloc(allocator, sizeof(struct CryptoAuth_Auth), 232);
  832. ca->passwordCount = 0;
  833. ca->passwordCapacity = 232;
  834. ca->eventBase = eventBase;
  835. ca->logger = logger;
  836. ca->pub.resetAfterInactivitySeconds = CryptoAuth_DEFAULT_RESET_AFTER_INACTIVITY_SECONDS;
  837. ca->rand = rand;
  838. if (privateKey != NULL) {
  839. Bits_memcpyConst(ca->privateKey, privateKey, 32);
  840. } else {
  841. Random_bytes(rand, ca->privateKey, 32);
  842. }
  843. crypto_scalarmult_curve25519_base(ca->pub.publicKey, ca->privateKey);
  844. if (Defined(Log_KEYS)) {
  845. uint8_t publicKeyHex[65];
  846. printHexKey(publicKeyHex, ca->pub.publicKey);
  847. uint8_t privateKeyHex[65];
  848. printHexKey(privateKeyHex, ca->privateKey);
  849. Log_keys(logger,
  850. "Initialized CryptoAuth:\n myPrivateKey=%s\n myPublicKey=%s\n",
  851. privateKeyHex,
  852. publicKeyHex);
  853. }
  854. return &ca->pub;
  855. }
  856. int32_t CryptoAuth_addUser(String* password,
  857. uint8_t authType,
  858. String* user,
  859. struct CryptoAuth* ca)
  860. {
  861. return CryptoAuth_addUser_ipv6(password, authType, user, NULL, ca);
  862. }
  863. int32_t CryptoAuth_addUser_ipv6(String* password,
  864. uint8_t authType,
  865. String* user,
  866. String* ipv6,
  867. struct CryptoAuth* ca)
  868. {
  869. struct CryptoAuth_pvt* context = Identity_check((struct CryptoAuth_pvt*) ca);
  870. if (authType != 1) {
  871. return CryptoAuth_addUser_INVALID_AUTHTYPE;
  872. }
  873. if (context->passwordCount == context->passwordCapacity) {
  874. // TODO(cjd): realloc password space and increase buffer.
  875. return CryptoAuth_addUser_OUT_OF_SPACE;
  876. }
  877. struct CryptoAuth_Auth a;
  878. hashPassword_sha256(&a, password);
  879. for (uint32_t i = 0; i < context->passwordCount; i++) {
  880. if (!Bits_memcmp(a.secret, context->passwords[i].secret, 32) ||
  881. String_equals(user, context->passwords[i].user)) {
  882. return CryptoAuth_addUser_DUPLICATE;
  883. }
  884. }
  885. a.user = String_new(user->bytes, context->allocator);
  886. if (ipv6) {
  887. a.restrictedToip6 = Allocator_malloc(context->allocator, 16);
  888. if (AddrTools_parseIp(a.restrictedToip6,ipv6->bytes) < 0) {
  889. Log_debug(context->logger, "Ipv6 parsing error!");
  890. return CryptoAuth_addUser_INVALID_IP;
  891. }
  892. } else {
  893. a.restrictedToip6 = NULL;
  894. }
  895. Bits_memcpyConst(&context->passwords[context->passwordCount],
  896. &a,
  897. sizeof(struct CryptoAuth_Auth));
  898. context->passwordCount++;
  899. return 0;
  900. }
  901. int CryptoAuth_removeUsers(struct CryptoAuth* context, String* user)
  902. {
  903. struct CryptoAuth_pvt* ctx = Identity_check((struct CryptoAuth_pvt*) context);
  904. if (!user) {
  905. int count = ctx->passwordCount;
  906. Log_debug(ctx->logger, "Flushing [%d] users", count);
  907. ctx->passwordCount = 0;
  908. return count;
  909. }
  910. int count = 0;
  911. int i = 0;
  912. while (i < (int)ctx->passwordCount) {
  913. if (String_equals(ctx->passwords[i].user, user)) {
  914. Bits_memcpyConst(&ctx->passwords[i],
  915. &ctx->passwords[ctx->passwordCount--],
  916. sizeof(struct CryptoAuth_Auth));
  917. count++;
  918. } else {
  919. i++;
  920. }
  921. }
  922. Log_debug(ctx->logger, "Removing [%d] user(s) identified by [%s]", count, user->bytes);
  923. return count;
  924. }
  925. List* CryptoAuth_getUsers(struct CryptoAuth* context, struct Allocator* alloc)
  926. {
  927. struct CryptoAuth_pvt* ctx = Identity_check((struct CryptoAuth_pvt*) context);
  928. uint32_t count = ctx->passwordCount;
  929. List* users = List_new(alloc);
  930. for (uint32_t i = 0; i < count; i++) {
  931. List_addString(users, String_clone(ctx->passwords[i].user, alloc), alloc);
  932. }
  933. return users;
  934. }
  935. struct CryptoAuth_Session* CryptoAuth_newSession(struct CryptoAuth* ca,
  936. struct Allocator* alloc,
  937. const uint8_t herPublicKey[32],
  938. const uint8_t herIp6[16],
  939. const bool requireAuth,
  940. char* name)
  941. {
  942. struct CryptoAuth_pvt* context = Identity_check((struct CryptoAuth_pvt*) ca);
  943. struct CryptoAuth_Session_pvt* session =
  944. Allocator_calloc(alloc, sizeof(struct CryptoAuth_Session_pvt), 1);
  945. Identity_set(session);
  946. session->context = context;
  947. session->requireAuth = requireAuth;
  948. session->name = name;
  949. session->timeOfLastPacket = Time_currentTimeSeconds(context->eventBase);
  950. session->alloc = alloc;
  951. if (herPublicKey != NULL) {
  952. Bits_memcpyConst(session->pub.herPublicKey, herPublicKey, 32);
  953. uint8_t calculatedIp6[16];
  954. AddressCalc_addressForPublicKey(calculatedIp6, herPublicKey);
  955. Bits_memcpyConst(session->pub.herIp6, calculatedIp6, 16);
  956. if (herIp6 != NULL) {
  957. Assert_true(!Bits_memcmp(calculatedIp6, herIp6, 16));
  958. }
  959. } else if (herIp6) {
  960. Bits_memcpyConst(session->pub.herIp6, herIp6, 16);
  961. }
  962. return &session->pub;
  963. }
  964. void CryptoAuth_setAuth(const String* password,
  965. const uint8_t authType,
  966. struct CryptoAuth_Session* caSession)
  967. {
  968. struct CryptoAuth_Session_pvt* session =
  969. Identity_check((struct CryptoAuth_Session_pvt*)caSession);
  970. if (!password && (session->password || session->authType)) {
  971. session->password = NULL;
  972. session->authType = 0;
  973. } else if (!session->password || !String_equals(session->password, password)) {
  974. session->password = String_clone(password, session->alloc);
  975. session->authType = authType;
  976. } else if (authType != session->authType) {
  977. session->authType = authType;
  978. } else {
  979. return;
  980. }
  981. reset(session);
  982. }
  983. int CryptoAuth_getState(struct CryptoAuth_Session* caSession)
  984. {
  985. struct CryptoAuth_Session_pvt* session =
  986. Identity_check((struct CryptoAuth_Session_pvt*)caSession);
  987. switch (session->nextNonce) {
  988. case 0:
  989. return CryptoAuth_NEW;
  990. case 1: // Sent a hello, waiting for the key
  991. return CryptoAuth_HANDSHAKE1;
  992. case 2: // Received a hello, sent a key packet.
  993. case 3: // Received a hello, sent multiple key packets.
  994. return CryptoAuth_HANDSHAKE2;
  995. case 4:
  996. // state 4 = waiting for first data packet to prove the handshake succeeded.
  997. // At this point you have sent a challenge and received a response so it is safe
  998. // to assume you are not being hit with replay packets.
  999. //
  1000. // Sent a hello, received one or more keys, waiting for data.
  1001. // In this state data packets will be sent but no data packets have yet been received.
  1002. return CryptoAuth_HANDSHAKE3;
  1003. default:
  1004. // Received data.
  1005. return (session->established) ? CryptoAuth_ESTABLISHED : CryptoAuth_HANDSHAKE3;
  1006. }
  1007. }
  1008. void CryptoAuth_resetIfTimeout(struct CryptoAuth_Session* caSession)
  1009. {
  1010. struct CryptoAuth_Session_pvt* session =
  1011. Identity_check((struct CryptoAuth_Session_pvt*)caSession);
  1012. resetIfTimeout(session);
  1013. }
  1014. void CryptoAuth_reset(struct CryptoAuth_Session* caSession)
  1015. {
  1016. struct CryptoAuth_Session_pvt* session =
  1017. Identity_check((struct CryptoAuth_Session_pvt*)caSession);
  1018. reset(session);
  1019. }
  1020. // For testing:
  1021. void CryptoAuth_encryptRndNonce(uint8_t nonce[24], struct Message* msg, uint8_t secret[32])
  1022. {
  1023. encryptRndNonce(nonce, msg, secret);
  1024. }
  1025. int CryptoAuth_decryptRndNonce(uint8_t nonce[24], struct Message* msg, uint8_t secret[32])
  1026. {
  1027. return decryptRndNonce(nonce, msg, secret);
  1028. }