9 extern cvar_t crypto_developer;
10 extern cvar_t crypto_aeslevel;
11 #define ENCRYPTION_REQUIRED (crypto_aeslevel.integer >= 3)
13 extern int crypto_keyfp_recommended_length; // applies to LOCAL IDs, and to ALL keys
15 #define CRYPTO_HEADERSIZE 31
16 // AES case causes 16 to 31 bytes overhead
17 // SHA256 case causes 16 bytes overhead as we truncate to 128bit
24 unsigned char dhkey[DHKEY_SIZE]; // shared key, not NUL terminated
25 char client_idfp[FP64_SIZE+1];
26 char client_keyfp[FP64_SIZE+1];
27 qbool client_issigned;
28 char server_idfp[FP64_SIZE+1];
29 char server_keyfp[FP64_SIZE+1];
30 qbool server_issigned;
37 void Crypto_Init(void);
38 void Crypto_Init_Commands(void);
39 void Crypto_LoadKeys(void); // NOTE: when this is called, the SV_LockThreadMutex MUST be active
40 void Crypto_Shutdown(void);
41 qbool Crypto_Available(void);
42 void sha256(unsigned char *out, const unsigned char *in, int n); // may ONLY be called if Crypto_Available()
43 const void *Crypto_EncryptPacket(crypto_t *crypto, const void *data_src, size_t len_src, void *data_dst, size_t *len_dst, size_t len);
44 const void *Crypto_DecryptPacket(crypto_t *crypto, const void *data_src, size_t len_src, void *data_dst, size_t *len_dst, size_t len);
45 #define CRYPTO_NOMATCH 0 // process as usual (packet was not used)
46 #define CRYPTO_MATCH 1 // process as usual (packet was used)
47 #define CRYPTO_DISCARD 2 // discard this packet
48 #define CRYPTO_REPLACE 3 // make the buffer the current packet
49 int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out, size_t *len_out, lhnetaddress_t *peeraddress);
50 int Crypto_ServerParsePacket(const char *data_in, size_t len_in, char *data_out, size_t *len_out, lhnetaddress_t *peeraddress);
52 // if len_out is nonzero, the packet is to be sent to the client
54 qbool Crypto_ServerAppendToChallenge(const char *data_in, size_t len_in, char *data_out, size_t *len_out, size_t maxlen);
55 crypto_t *Crypto_ServerGetInstance(lhnetaddress_t *peeraddress);
56 qbool Crypto_FinishInstance(crypto_t *out, crypto_t *in); // also clears allocated memory, and frees the instance received by ServerGetInstance
57 const char *Crypto_GetInfoResponseDataString(void);
59 // retrieves a host key for an address (can be exposed to menuqc, or used by the engine to look up stored keys e.g. for server bookmarking)
60 // pointers may be NULL
61 qbool Crypto_RetrieveHostKey(lhnetaddress_t *peeraddress, int *keyid, char *keyfp, size_t keyfplen, char *idfp, size_t idfplen, int *aeslevel, qbool *issigned);
62 int Crypto_RetrieveLocalKey(int keyid, char *keyfp, size_t keyfplen, char *idfp, size_t idfplen, qbool *issigned); // return value: -1 if more to come, +1 if valid, 0 if end of list
64 size_t Crypto_SignData(const void *data, size_t datasize, int keyid, void *signed_data, size_t signed_size);
65 size_t Crypto_SignDataDetached(const void *data, size_t datasize, int keyid, void *signed_data, size_t signed_size);
72 // < accept (or: reject)
75 // < challenge SP <challenge> NUL vlen <size> d0pk <fingerprints I can auth to> NUL NUL <other fingerprints I accept>
78 // d0pk\cnt\0\challenge\<challenge>\aeslevel\<level> NUL <serverfp> NUL <clientfp>
80 // check if client would get accepted; if not, do "reject" now
81 // require non-control packets to be encrypted require non-control packets to be encrypted
82 // do not send anything yet do not send anything yet
83 // RESET to serverfp RESET to serverfp
84 // d0_blind_id_authenticate_with_private_id_start() = 1
85 // < d0pk\cnt\1\aes\<aesenabled> NUL *startdata*
86 // d0_blind_id_authenticate_with_private_id_challenge() = 1
87 // d0pk\cnt\2 NUL *challengedata* >
88 // d0_blind_id_authenticate_with_private_id_response() = 0
89 // < d0pk\cnt\3 NUL *responsedata*
90 // d0_blind_id_authenticate_with_private_id_verify() = 1
91 // store server's fingerprint NOW
92 // d0_blind_id_sessionkey_public_id() = 1 d0_blind_id_sessionkey_public_id() = 1
94 // IF clientfp AND NOT serverfp:
95 // RESET to clientfp RESET to clientfp
96 // d0_blind_id_authenticate_with_private_id_start() = 1
97 // d0pk\cnt\0\challenge\<challenge>\aeslevel\<level> NUL NUL <clientfp> NUL *startdata*
99 // check if client would get accepted; if not, do "reject" now
100 // require non-control packets to be encrypted require non-control packets to be encrypted
101 // d0_blind_id_authenticate_with_private_id_challenge() = 1
102 // < d0pk\cnt\5\aes\<aesenabled> NUL *challengedata*
104 // IF clientfp AND serverfp:
105 // RESET to clientfp RESET to clientfp
106 // d0_blind_id_authenticate_with_private_id_start() = 1
107 // d0pk\cnt\4 NUL *startdata* >
108 // d0_blind_id_authenticate_with_private_id_challenge() = 1
109 // < d0pk\cnt\5 NUL *challengedata*
112 // d0_blind_id_authenticate_with_private_id_response() = 0
113 // d0pk\cnt\6 NUL *responsedata* >
114 // d0_blind_id_authenticate_with_private_id_verify() = 1
115 // store client's fingerprint NOW
116 // d0_blind_id_sessionkey_public_id() = 1 d0_blind_id_sessionkey_public_id() = 1
117 // note: the ... is the "connect" message, except without the challenge. Reinterpret as regular connect message on server side
119 // enforce encrypted transmission (key is XOR of the two DH keys)
122 // < challenge (mere sync message)
125 // < accept (ALWAYS accept if connection is encrypted, ignore challenge as it had been checked before)
127 // commence with ingame protocol
131 // getchallenge NUL d0_blind_id: reply with challenge with added fingerprints
132 // cnt=0: IF server will auth, cnt=1, ELSE cnt=5
135 // cnt=6: send "challenge"
137 // challenge with added fingerprints: cnt=0; if client will auth but not server, append client auth start
139 // cnt=3: IF client will auth, cnt=4, ELSE rewrite as "challenge"
140 // cnt=5: cnt=6, server will continue by sending "challenge" (let's avoid sending two packets as response to one)
142 // accept empty "challenge", and challenge-less connect in case crypto protocol has executed and finished
143 // statusResponse and infoResponse get an added d0_blind_id key that lists
144 // the keys the server can auth with and to in key@ca SPACE key@ca notation
145 // any d0pk\ message has an appended "id" parameter; messages with an unexpected "id" are ignored to prevent errors from multiple concurrent auth runs
148 // comparison to OTR:
150 // - authentication: yes
151 // - deniability: no (attacker requires the temporary session key to prove you
152 // have sent a specific message, the private key itself does not suffice), no
153 // measures are taken to provide forgeability to even provide deniability
154 // against an attacker who knows the temporary session key, as using CTR mode
155 // for the encryption - which, together with deriving the MAC key from the
156 // encryption key, and MACing the ciphertexts instead of the plaintexts,
157 // would provide forgeability and thus deniability - requires longer
158 // encrypted packets and deniability was not a goal of this, as we may e.g.
159 // reserve the right to capture packet dumps + extra state info to prove a
160 // client/server has sent specific packets to prove cheating)
161 // - perfect forward secrecy: yes (session key is derived via DH key exchange)