X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?a=blobdiff_plain;f=site.c;h=5d2f519e482b8bbcc0fc299a33f3d40a10569a23;hb=4bc0381500403be5f3e40bc39f65a2d8fb75cf19;hp=e37c73bee2728f8b3dbe336beedefac8f871f20d;hpb=ee7555831b2219ee5febaf63c2a69189d58664cd;p=secnet.git diff --git a/site.c b/site.c index e37c73b..5d2f519 100644 --- a/site.c +++ b/site.c @@ -711,6 +711,8 @@ static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what, return False; privkey_found: + slog(st,LOG_SIGKEYS,"using private key #%d " SIGKEYID_PR_FMT, + ki, SIGKEYID_PR_VAL(prompt->pubkeys_accepted[ki])); buf_append_uint8(&st->buffer,ki); } @@ -903,7 +905,7 @@ static void peerkeys_maybe_incorporate(struct site *st, const char *file, int logcl_enoent) { struct peer_keyset *atsuffix= - keyset_load(file,&st->scratch,st->log,logcl_enoent); + keyset_load(file,&st->scratch,st->log,logcl_enoent,st->defhash); if (!atsuffix) return; if (st->peerkeys_current && @@ -929,118 +931,6 @@ static void peerkeys_maybe_incorporate(struct site *st, const char *file, static void peerkeys_check_for_update(struct site *st) { - /* peerkeys files - * - * live file, loaded on startup, updated by secnet - * (only). * in-memory peerkeys_current is kept - * synced with this file - * - * ~update update file from config manager, checked before - * every key exchange. config manager must rename - * this file into place; it will be renamed and - * then removed by secnet. - * - * ~proc update file being processed by secnet. - * only secnet may write or remove. - * - * ~incoming update file from peer, being received by secnet - * may be incomplete, unverified, or even malicious - * only secnet may write or remove. - * - * ~tmp update file from config manager, only mss may - * write or rename - * - * secnet discards updates that are not more recent than (by - * serial) the live file. But it may not process updates - * immediately. - * - * The implied keyset to be used is MAX(live, proc, update). - * - * secnet does: - * check live vs proc, either mv proc live or rm proc - * if proc doesn't exist, mv update proc - * - * make-secnet-sites does: - * write: rename something onto update - * read: read update,proc,live in that order and take max - * - * We support only one concurrent secnet, one concurrent - * writing make-secnet-sites, and any number of readers. - * We want to maintain a live file at all times as that - * is what secnet actually reads at startup and uses. - * - * Proof that this is sound: - * Let us regard update,proc,live as i=0,1,2 - * Files contain public key sets and are manipulated as - * a whole, and we may regard key sets with the same - * serial as equivalent. - * We talk below about reading as if it were atomic. - * Actually the atomic operation is open(2); the - * reading gets whatever that name refers to. So - * we can model this as an atomic read. - * secnet eventually moves all data into the live file - * or deletes it, so there should be no indefinitely - * stale data; informally this means we can disregard - * the possibility of very old serials and regard - * serials as fully ordered. (We don't bother with - * a formal proof of this property.) - * Consequently we will only think about the serial - * and not the contents. We treat absent files as - * minimal (we will write -1 for convenience although - * we don't mean a numerical value). We write S(i). - * - * Invariant 1 for secnet's transformations is as follows: - * Each file S(i) is only reduced (to S'(i)) if for some j S'(j) - * >= S(i), with S'(j) either being >= S(i) beforehand, or - * updated atomically together with S(i). - * - * Proof of invariant 1 for the secnet operations: - * (a) check live vs proc, proc>live, mv: - * j=2, i=1; S'(i)=-1, so S(i) is being reduced. S'(j) is - * equal to S(i), and the rename is atomic [1], so S'(j) and - * S'(i) are updated simultaneously. S(j) is being - * increased. (There are no hazards from concurrent writers; - * only we ourselves (secnet) write to live or proc.) - * (b) check live vs proc, proc<=live, rm: - * j=2, i=1; S'(i)=-1, so S(i) is being reduced. But - * S(j) is >= $(i) throughout. (Again, no concurrent - * writer hazards.) - * (c) mv update proc (when proc does not exist): - * j=1, i=0; S(i) is being reduced to -1. But simultaneously - * S(j) is being increased to the old S(i). Our precondition - * (proc not existing) is not subject to a concurrent writer - * hazards because only we write to proc; our action is - * atomic and takes whatever update is available (if any). - * - * Proof of soundness for the mss reading operation: - * Let M be MAX(\forall S) at the point where mss reads update. - * Invariant 2: when mss reads S(k), MAX(K, S(k)..S(2)) >= M, - * where K is the max S it has seen so far. Clearly this is - * true for k=0 (with K==-1). secnet's operations never break - * this invariant because if any S() is reduced, another one - * counted must be increased. mss's step operation - * updates K with S(k), so MAX(K', S(k+1)..)=MAX(K, S(k)..), - * and updates k to k+1, preserving the invariant. - * At the end we have k=3 and K=>M. Since secnet never - * invents serials, K=M in the absence of an mss update - * with a bigger S. - * - * Consideration of the mss update operation: - * Successive serials from sites file updates etc. are supposed - * to be increasing. When this is true, M is increased. A - * concurrent reading mss which makes its first read after the - * update will get the new data (by the proofs above). This - * seems to be the required property. - * - * QED. - * - * [1] From "Base Specifications issue 7", - * 2.9.7 Thread Interactions with Regular File Operations - * All of the following functions shall be atomic with respect to - * each other in the effects specified in POSIX.1-2017 when they - * operate on regular files or symbolic links: - * ... rename ... open ... - */ if (!st->peerkeys_path) return; pathprefix_template_setsuffix(&st->peerkeys_tmpl,"~proc"); @@ -1200,9 +1090,14 @@ static bool_t process_msg3_msg4(struct site *st, struct msg *m) if (!pubkey->check(pubkey->st, m->hashstart,m->hashlen, &m->sig)) { - slog(st,LOG_SEC,"msg3/msg4 signature failed check!"); + slog(st,LOG_SEC,"msg3/msg4 signature failed check!" + " (key #%d " SIGKEYID_PR_FMT ")", + ki, SIGKEYID_PR_VAL(&st->peerkeys_kex->keys[ki].id)); return False; } + slog(st,LOG_SIGKEYS,"verified peer signature with key #%d " + SIGKEYID_PR_FMT, ki, + SIGKEYID_PR_VAL(&st->peerkeys_kex->keys[ki].id)); st->remote_adv_mtu=m->remote_mtu; @@ -2547,7 +2442,8 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, pathprefix_template_init(&st->peerkeys_tmpl,st->peerkeys_path, PEERKEYS_SUFFIX_MAXLEN + 1 /* nul */); st->peerkeys_current=keyset_load(st->peerkeys_path, - &st->scratch,st->log,M_ERR); + &st->scratch,st->log,M_ERR, + st->defhash); if (fixed_pubkey) { fixed_pubkey->dispose(fixed_pubkey->st); }