X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?a=blobdiff_plain;f=site.c;h=a6fa9dafc2b13955b728932056fde6ea52f2ec3b;hb=136740e64e3fedcd725490c2f80d0906de515197;hp=4358cad32f3f102829675b6f70e6c238619659fa;hpb=02b0959b82910224e40025e06c01b59b65340c93;p=secnet.git

diff --git a/site.c b/site.c
index 4358cad..a6fa9da 100644
--- a/site.c
+++ b/site.c
@@ -267,7 +267,9 @@ struct site {
     /* The currently established session */
     struct data_key current;
     struct data_key auxiliary_key;
+    bool_t auxiliary_is_new;
     uint64_t renegotiate_key_time; /* When we can negotiate a new key */
+    uint64_t auxiliary_renegotiate_key_time;
     transport_peers peers; /* Current address(es) of peer for data traffic */
 
     /* The current key setup protocol exchange.  We can only be
@@ -286,6 +288,7 @@ struct site {
     uint64_t timeout; /* Timeout for current state */
     uint8_t *dhsecret;
     uint8_t *sharedsecret;
+    uint32_t sharedsecretlen;
     struct transform_inst_if *new_transform; /* For key setup/verify */
 };
 
@@ -461,7 +464,7 @@ static bool_t check_msg(struct site *st, uint32_t type, struct msg *m,
 	return False;
     }
     if (type==LABEL_MSG2) return True;
-    if (memcmp(m->nR,st->remoteN,NONCELEN)!=0) {
+    if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) {
 	*error="wrong remotely-generated nonce";
 	return False;
     }
@@ -559,11 +562,11 @@ static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
 
     /* Generate the shared key */
     st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,m.pk,
-		       st->sharedsecret,st->transform->keylen);
+		       st->sharedsecret,st->sharedsecretlen);
 
     /* Set up the transform */
     st->new_transform->setkey(st->new_transform->st,st->sharedsecret,
-			      st->transform->keylen);
+			      st->sharedsecretlen,st->setup_priority);
 
     return True;
 }
@@ -607,10 +610,10 @@ static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
     m.pk[m.pklen]=0;
     /* Generate the shared key */
     st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,m.pk,
-		       st->sharedsecret,st->transform->keylen);
+		       st->sharedsecret,st->sharedsecretlen);
     /* Set up the transform */
     st->new_transform->setkey(st->new_transform->st,st->sharedsecret,
-			      st->transform->keylen);
+			      st->sharedsecretlen,st->setup_priority);
 
     return True;
 }
@@ -742,8 +745,9 @@ static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0)
     problem = st->current.transform->reverse(st->current.transform->st,
 					     msg0,&transform_err);
     if (!problem) {
-	delete_one_key(st,&st->auxiliary_key,
-		       "peer has used new key","auxiliary key",LOG_SEC);
+	if (!st->auxiliary_is_new)
+	    delete_one_key(st,&st->auxiliary_key,
+			   "peer has used new key","auxiliary key",LOG_SEC);
 	return True;
     }
 
@@ -757,6 +761,21 @@ static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0)
 	(st->auxiliary_key.transform->st,msg0,&auxkey_err);
     if (problem==0) {
 	slog(st,LOG_DROP,"processing packet which uses auxiliary key");
+	if (st->auxiliary_is_new) {
+	    /* We previously timed out in state SENTMSG5 but it turns
+	     * out that our peer did in fact get our MSG5 and is
+	     * using the new key.  So we should switch to it too. */
+	    /* This is a bit like activate_new_key. */
+	    struct data_key t;
+	    t=st->current;
+	    st->current=st->auxiliary_key;
+	    st->auxiliary_key=t;
+
+	    delete_one_key(st,&st->auxiliary_key,"peer has used new key",
+			   "previous key",LOG_SEC);
+	    st->auxiliary_is_new=0;
+	    st->renegotiate_key_time=st->auxiliary_renegotiate_key_time;
+	}
 	return True;
     }
 
@@ -836,6 +855,24 @@ static bool_t send_msg(struct site *st)
 	st->timeout=st->now+st->setup_retry_interval;
 	st->retries--;
 	return True;
+    } else if (st->state==SITE_SENTMSG5) {
+	slog(st,LOG_SETUP_TIMEOUT,"timed out sending MSG5, stashing new key");
+	/* We stash the key we have produced, in case it turns out that
+	 * our peer did see our MSG5 after all and starts using it. */
+	/* This is a bit like some of activate_new_key */
+	struct transform_inst_if *t;
+	t=st->auxiliary_key.transform;
+	st->auxiliary_key.transform=st->new_transform;
+	st->new_transform=t;
+
+	t->delkey(t->st);
+	st->auxiliary_is_new=1;
+	st->auxiliary_key.key_timeout=st->now+st->key_lifetime;
+	st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time;
+	st->auxiliary_key.remote_session_id=st->setup_session_id;
+
+	enter_state_wait(st);
+	return False;
     } else {
 	slog(st,LOG_SETUP_TIMEOUT,"timed out sending key setup packet "
 	    "(in state %s)",state_name(st->state));
@@ -900,6 +937,7 @@ static void activate_new_key(struct site *st)
 
     t->delkey(t->st);
     st->timeout=0;
+    st->auxiliary_is_new=0;
     st->auxiliary_key.key_timeout=st->current.key_timeout;
     st->current.key_timeout=st->now+st->key_lifetime;
     st->renegotiate_key_time=st->now+st->key_renegotiate_time;
@@ -972,7 +1010,7 @@ static void enter_state_run(struct site *st)
     memset(st->remoteN,0,NONCELEN);
     st->new_transform->delkey(st->new_transform->st);
     memset(st->dhsecret,0,st->dh->len);
-    memset(st->sharedsecret,0,st->transform->keylen);
+    memset(st->sharedsecret,0,st->sharedsecretlen);
     set_link_quality(st);
 }
 
@@ -1248,7 +1286,7 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf,
 	uint32_t msgtype=ntohl(get_uint32(buf->start+8));
 	if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True);
 	switch (msgtype) {
-	case 0: /* NAK */
+	case LABEL_NAK:
 	    /* If the source is our current peer then initiate a key setup,
 	       because our peer's forgotten the key */
 	    if (get_uint32(buf->start+4)==st->current.remote_session_id) {
@@ -1520,7 +1558,8 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
     transport_peers_clear(st,&st->setup_peers);
     /* XXX mlock these */
     st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret");
-    st->sharedsecret=safe_malloc(st->transform->keylen,"site:sharedsecret");
+    st->sharedsecretlen=st->transform->keylen?:st->dh->ceil_len;
+    st->sharedsecret=safe_malloc(st->sharedsecretlen,"site:sharedsecret");
 
     /* We need to compute some properties of our comms */
 #define COMPUTE_WORST(pad)			\
@@ -1545,6 +1584,7 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
     st->current.transform=st->transform->create(st->transform->st);
     st->auxiliary_key.transform=st->transform->create(st->transform->st);
     st->new_transform=st->transform->create(st->transform->st);
+    st->auxiliary_is_new=0;
 
     enter_state_stop(st);