Support ECDH key exchange.
REQ_KEY requests have an extra field indicating key exchange version. If it is present and > 0, the sender supports ECDH. If the receiver also does, then it will generate a new keypair and sends the public key in a ANS_KEY request with "ECDH:" prefixed. The ans_key_h() function will compute the shared secret, which, at the moment,is used as is to set the cipher and HMAC keys. However, this must be changed to use a proper KDF. In the future, the ECDH key exchange must also be signed.
This commit is contained in:
Guus Sliepen
parent
ee8a214318
commit
8dfa072733
3 changed files with 122 additions and 14 deletions
|
|
@ -25,6 +25,7 @@
|
|||
#include "cipher.h"
|
||||
#include "connection.h"
|
||||
#include "digest.h"
|
||||
#include "ecdh.h"
|
||||
#include "subnet.h"
|
||||
|
||||
typedef struct node_status_t {
|
||||
|
|
@ -34,7 +35,8 @@ typedef struct node_status_t {
|
|||
unsigned int visited:1; /* 1 if this node has been visited by one of the graph algorithms */
|
||||
unsigned int reachable:1; /* 1 if this node is reachable in the graph */
|
||||
unsigned int indirect:1; /* 1 if this node is not directly reachable by us */
|
||||
unsigned int unused:26;
|
||||
unsigned int ecdh:1; /* 1 if this node supports ECDH key exchange */
|
||||
unsigned int unused:25;
|
||||
} node_status_t;
|
||||
|
||||
typedef struct node_t {
|
||||
|
|
@ -47,6 +49,8 @@ typedef struct node_t {
|
|||
node_status_t status;
|
||||
time_t last_req_key;
|
||||
|
||||
ecdh_t ecdh; /* State for ECDH key exchange */
|
||||
|
||||
cipher_t incipher; /* Cipher for UDP packets */
|
||||
digest_t indigest; /* Digest for UDP packets */
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue