X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=secnet.git;a=blobdiff_plain;f=site.c;h=2e8335ae634bb297035f2761f0ec6a4ecb06810e;hp=a91c1be963567c2d732e22f8fa7e4e09a144e810;hb=1737eeef9bc4aec1b4d7baa220ce48238b498006;hpb=1d38856958136dc28a9d16f58a55f75867cdc57d diff --git a/site.c b/site.c index a91c1be..2e8335a 100644 --- a/site.c +++ b/site.c @@ -266,7 +266,10 @@ struct site { /* The currently established session */ struct data_key current; + struct data_key auxiliary_key; + bool_t auxiliary_is_new; uint64_t renegotiate_key_time; /* When we can negotiate a new key */ + uint64_t auxiliary_renegotiate_key_time; transport_peers peers; /* Current address(es) of peer for data traffic */ /* The current key setup protocol exchange. We can only be @@ -285,6 +288,7 @@ struct site { uint64_t timeout; /* Timeout for current state */ uint8_t *dhsecret; uint8_t *sharedsecret; + uint32_t sharedsecretlen; struct transform_inst_if *new_transform; /* For key setup/verify */ }; @@ -343,14 +347,19 @@ static bool_t current_valid(struct site *st) type=buf_unprepend_uint32((b)); \ if (type!=(t)) return False; } while(0) +struct parsedname { + int32_t len; + uint8_t *name; + int32_t extrainfo_len; + uint8_t *extrainfo; +}; + struct msg { uint8_t *hashstart; uint32_t dest; uint32_t source; - int32_t remlen; - uint8_t *remote; - int32_t loclen; - uint8_t *local; + struct parsedname remote; + struct parsedname local; uint8_t *nR; uint8_t *nL; int32_t pklen; @@ -398,6 +407,24 @@ static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what) return True; } +static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm) +{ + CHECK_AVAIL(msg,2); + nm->len=buf_unprepend_uint16(msg); + CHECK_AVAIL(msg,nm->len); + nm->name=buf_unprepend(msg,nm->len); + uint8_t *nul=memchr(nm->name,0,nm->len); + if (!nul) { + nm->extrainfo_len=0; + nm->extrainfo=0; + } else { + nm->extrainfo=nul+1; + nm->extrainfo_len=msg->start-nm->extrainfo; + nm->len=nul-nm->name; + } + return True; +} + static bool_t unpick_msg(struct site *st, uint32_t type, struct buffer_if *msg, struct msg *m) { @@ -407,14 +434,8 @@ static bool_t unpick_msg(struct site *st, uint32_t type, CHECK_AVAIL(msg,4); m->source=buf_unprepend_uint32(msg); CHECK_TYPE(msg,type); - CHECK_AVAIL(msg,2); - m->remlen=buf_unprepend_uint16(msg); - CHECK_AVAIL(msg,m->remlen); - m->remote=buf_unprepend(msg,m->remlen); - CHECK_AVAIL(msg,2); - m->loclen=buf_unprepend_uint16(msg); - CHECK_AVAIL(msg,m->loclen); - m->local=buf_unprepend(msg,m->loclen); + if (!unpick_name(msg,&m->remote)) return False; + if (!unpick_name(msg,&m->local)) return False; CHECK_AVAIL(msg,NONCELEN); m->nR=buf_unprepend(msg,NONCELEN); if (type==LABEL_MSG1) { @@ -440,6 +461,14 @@ static bool_t unpick_msg(struct site *st, uint32_t type, return True; } +static bool_t name_matches(const struct parsedname *nm, const char *expected) +{ + int expected_len=strlen(expected); + return + nm->len == expected_len && + !memcmp(nm->name, expected, expected_len); +} + static bool_t check_msg(struct site *st, uint32_t type, struct msg *m, cstring_t *error) { @@ -447,11 +476,11 @@ static bool_t check_msg(struct site *st, uint32_t type, struct msg *m, /* Check that the site names and our nonce have been sent back correctly, and then store our peer's nonce. */ - if (memcmp(m->remote,st->remotename,strlen(st->remotename)!=0)) { + if (!name_matches(&m->remote,st->remotename)) { *error="wrong remote site name"; return False; } - if (memcmp(m->local,st->localname,strlen(st->localname)!=0)) { + if (!name_matches(&m->local,st->localname)) { *error="wrong local site name"; return False; } @@ -460,7 +489,7 @@ static bool_t check_msg(struct site *st, uint32_t type, struct msg *m, return False; } if (type==LABEL_MSG2) return True; - if (memcmp(m->nR,st->remoteN,NONCELEN)!=0) { + if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) { *error="wrong remotely-generated nonce"; return False; } @@ -558,11 +587,11 @@ static bool_t process_msg3(struct site *st, struct buffer_if *msg3, /* Generate the shared key */ st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,m.pk, - st->sharedsecret,st->transform->keylen); + st->sharedsecret,st->sharedsecretlen); /* Set up the transform */ st->new_transform->setkey(st->new_transform->st,st->sharedsecret, - st->transform->keylen); + st->sharedsecretlen,st->setup_priority); return True; } @@ -606,10 +635,10 @@ static bool_t process_msg4(struct site *st, struct buffer_if *msg4, m.pk[m.pklen]=0; /* Generate the shared key */ st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,m.pk, - st->sharedsecret,st->transform->keylen); + st->sharedsecret,st->sharedsecretlen); /* Set up the transform */ st->new_transform->setkey(st->new_transform->st,st->sharedsecret, - st->transform->keylen); + st->sharedsecretlen,st->setup_priority); return True; } @@ -727,9 +756,10 @@ static bool_t process_msg6(struct site *st, struct buffer_if *msg6, return True; } -static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0) +static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0, + const struct comm_addr *src) { - cstring_t transform_err, newkey_err="n/a"; + cstring_t transform_err, auxkey_err, newkey_err="n/a"; struct msg0 m; uint32_t problem; @@ -740,17 +770,45 @@ static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0) problem = st->current.transform->reverse(st->current.transform->st, msg0,&transform_err); - if (!problem) return True; - - if (problem==2) { - slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err); - return False; + if (!problem) { + if (!st->auxiliary_is_new) + delete_one_key(st,&st->auxiliary_key, + "peer has used new key","auxiliary key",LOG_SEC); + return True; + } + if (problem==2) + goto skew; + + buffer_copy(msg0, &st->scratch); + problem = st->auxiliary_key.transform->reverse + (st->auxiliary_key.transform->st,msg0,&auxkey_err); + if (problem==0) { + slog(st,LOG_DROP,"processing packet which uses auxiliary key"); + if (st->auxiliary_is_new) { + /* We previously timed out in state SENTMSG5 but it turns + * out that our peer did in fact get our MSG5 and is + * using the new key. So we should switch to it too. */ + /* This is a bit like activate_new_key. */ + struct data_key t; + t=st->current; + st->current=st->auxiliary_key; + st->auxiliary_key=t; + + delete_one_key(st,&st->auxiliary_key,"peer has used new key", + "previous key",LOG_SEC); + st->auxiliary_is_new=0; + st->renegotiate_key_time=st->auxiliary_renegotiate_key_time; + } + return True; } + if (problem==2) + goto skew; if (st->state==SITE_SENTMSG5) { buffer_copy(msg0, &st->scratch); - if (!st->new_transform->reverse(st->new_transform->st, - msg0,&newkey_err)) { + problem = st->new_transform->reverse(st->new_transform->st, + msg0,&newkey_err); + if (!problem) { /* It looks like we didn't get the peer's MSG6 */ /* This is like a cut-down enter_new_state(SITE_RUN) */ slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)"); @@ -759,10 +817,18 @@ static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0) activate_new_key(st); return True; /* do process the data in this packet */ } + if (problem==2) + goto skew; } - slog(st,LOG_SEC,"transform: %s (new: %s)",transform_err,newkey_err); + slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)", + transform_err,auxkey_err,newkey_err); initiate_key_setup(st,"incoming message would not decrypt"); + send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt"); + return False; + + skew: + slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err); return False; } @@ -771,7 +837,7 @@ static bool_t process_msg0(struct site *st, struct buffer_if *msg0, { uint32_t type; - if (!decrypt_msg0(st,msg0)) + if (!decrypt_msg0(st,msg0,src)) return False; CHECK_AVAIL(msg0,4); @@ -822,6 +888,24 @@ static bool_t send_msg(struct site *st) st->timeout=st->now+st->setup_retry_interval; st->retries--; return True; + } else if (st->state==SITE_SENTMSG5) { + slog(st,LOG_SETUP_TIMEOUT,"timed out sending MSG5, stashing new key"); + /* We stash the key we have produced, in case it turns out that + * our peer did see our MSG5 after all and starts using it. */ + /* This is a bit like some of activate_new_key */ + struct transform_inst_if *t; + t=st->auxiliary_key.transform; + st->auxiliary_key.transform=st->new_transform; + st->new_transform=t; + + t->delkey(t->st); + st->auxiliary_is_new=1; + st->auxiliary_key.key_timeout=st->now+st->key_lifetime; + st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time; + st->auxiliary_key.remote_session_id=st->setup_session_id; + + enter_state_wait(st); + return False; } else { slog(st,LOG_SETUP_TIMEOUT,"timed out sending key setup packet " "(in state %s)",state_name(st->state)); @@ -877,14 +961,17 @@ static void activate_new_key(struct site *st) { struct transform_inst_if *t; - /* We have two transform instances, which we swap between active - and setup */ - t=st->current.transform; + /* We have three transform instances, which we swap between old, + active and setup */ + t=st->auxiliary_key.transform; + st->auxiliary_key.transform=st->current.transform; st->current.transform=st->new_transform; st->new_transform=t; t->delkey(t->st); st->timeout=0; + st->auxiliary_is_new=0; + st->auxiliary_key.key_timeout=st->current.key_timeout; st->current.key_timeout=st->now+st->key_lifetime; st->renegotiate_key_time=st->now+st->key_renegotiate_time; transport_peers_copy(st,&st->peers,&st->setup_peers); @@ -911,6 +998,7 @@ static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel) delete_one_key(st,&st->current,0,0,0); set_link_quality(st); } + delete_one_key(st,&st->auxiliary_key,0,0,0); } static void state_assert(struct site *st, bool_t ok) @@ -955,7 +1043,7 @@ static void enter_state_run(struct site *st) memset(st->remoteN,0,NONCELEN); st->new_transform->delkey(st->new_transform->st); memset(st->dhsecret,0,st->dh->len); - memset(st->sharedsecret,0,st->transform->keylen); + memset(st->sharedsecret,0,st->sharedsecretlen); set_link_quality(st); } @@ -1096,6 +1184,7 @@ static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io, active. */ site_settimeout(st->timeout, timeout_io); site_settimeout(st->current.key_timeout, timeout_io); + site_settimeout(st->auxiliary_key.key_timeout, timeout_io); return 0; /* success */ } @@ -1127,6 +1216,7 @@ static void site_afterpoll(void *sst, struct pollfd *fds, int nfds) } } check_expiry(st,&st->current,"current key"); + check_expiry(st,&st->auxiliary_key,"auxiliary key"); } /* This function is called by the netlink device to deliver packets @@ -1229,7 +1319,7 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf, uint32_t msgtype=ntohl(get_uint32(buf->start+8)); if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True); switch (msgtype) { - case 0: /* NAK */ + case LABEL_NAK: /* If the source is our current peer then initiate a key setup, because our peer's forgotten the key */ if (get_uint32(buf->start+4)==st->current.remote_session_id) { @@ -1496,11 +1586,13 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, st->timeout=0; st->current.key_timeout=0; + st->auxiliary_key.key_timeout=0; transport_peers_clear(st,&st->peers); transport_peers_clear(st,&st->setup_peers); /* XXX mlock these */ st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret"); - st->sharedsecret=safe_malloc(st->transform->keylen,"site:sharedsecret"); + st->sharedsecretlen=st->transform->keylen?:st->dh->ceil_len; + st->sharedsecret=safe_malloc(st->sharedsecretlen,"site:sharedsecret"); /* We need to compute some properties of our comms */ #define COMPUTE_WORST(pad) \ @@ -1523,7 +1615,9 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming); st->current.transform=st->transform->create(st->transform->st); + st->auxiliary_key.transform=st->transform->create(st->transform->st); st->new_transform=st->transform->create(st->transform->st); + st->auxiliary_is_new=0; enter_state_stop(st);