X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/53a941d3f97a50964587c6e9533b1e43e74a57a8..8187950bc47575533beff8a9492c1c2f5e08cba3:/server/keyexch.c diff --git a/server/keyexch.c b/server/keyexch.c index df70774d..d26ac787 100644 --- a/server/keyexch.c +++ b/server/keyexch.c @@ -75,25 +75,29 @@ * Switch received. Committed; send data; move to @KXS_SWITCH@. */ -/*----- Tunable parameters ------------------------------------------------*/ - -#define T_VALID MIN(2) /* Challenge validity period */ -#define T_RETRY SEC(10) /* Challenge retransmit interval */ - -#define VALIDP(kx, now) ((now) < (kx)->t_valid) - /*----- Static tables -----------------------------------------------------*/ static const char *const pkname[] = { - "pre-challenge", "cookie", "challenge", - "reply", "switch-rq", "switch-ok" + "pre-challenge", "challenge", "reply", "switch-rq", "switch-ok" }; /*----- Various utilities -------------------------------------------------*/ +/* --- @VALIDP@ --- * + * + * Arguments: @const keyexch *kx@ = key exchange state + * @time_t now@ = current time in seconds + * + * Returns: Whether the challenge in the key-exchange state is still + * valid or should be regenerated. + */ + +#define VALIDP(kx, now) ((now) < (kx)->t_valid) + /* --- @hashge@ --- * * * Arguments: @ghash *h@ = pointer to hash context + * @group *g@ = pointer to group * @ge *x@ = pointer to group element * * Returns: --- @@ -102,11 +106,12 @@ static const char *const pkname[] = { * @buf_t@. */ -static void hashge(ghash *h, ge *x) +static void hashge(ghash *h, group *g, ge *x) { buf b; + buf_init(&b, buf_t, sizeof(buf_t)); - G_TOBUF(gg, &b, x); + G_TOBUF(g, &b, x); assert(BOK(&b)); GH_HASH(h, BBASE(&b), BLEN(&b)); } @@ -116,6 +121,7 @@ static void hashge(ghash *h, ge *x) * Arguments: @buf *b@ = output buffer * @mp *x@ = the plaintext integer * @size_t n@ = the expected size of the plaintext + * @gcipher *mgfc@ = mask-generating function to use * @const octet *k@ = pointer to key material * @size_t ksz@ = size of the key * @@ -125,23 +131,24 @@ static void hashge(ghash *h, ge *x) * it's a random oracle thing rather than an encryption thing. */ -static octet *mpmask(buf *b, mp *x, size_t n, const octet *k, size_t ksz) +static octet *mpmask(buf *b, mp *x, size_t n, + const gccipher *mgfc, const octet *k, size_t ksz) { gcipher *mgf; octet *p; if ((p = buf_get(b, n)) == 0) return (0); - mgf = GC_INIT(algs.mgf, k, ksz); + mgf = GC_INIT(mgfc, k, ksz); IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { - trace(T_CRYPTO, "masking index = %s", mpstr(x)); - trace_block(T_CRYPTO, "masking key", k, ksz); + trace(T_CRYPTO, "crypto: masking index = %s", mpstr(x)); + trace_block(T_CRYPTO, "crypto: masking key", k, ksz); })) mp_storeb(x, buf_t, n); GC_ENCRYPT(mgf, buf_t, p, n); IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { - trace_block(T_CRYPTO, "index plaintext", buf_t, n); - trace_block(T_CRYPTO, "masked ciphertext", p, n); + trace_block(T_CRYPTO, "crypto: index plaintext", buf_t, n); + trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n); })) GC_DESTROY(mgf); return (p); @@ -152,6 +159,7 @@ static octet *mpmask(buf *b, mp *x, size_t n, const octet *k, size_t ksz) * Arguments: @mp *d@ = the output integer * @const octet *p@ = pointer to the ciphertext * @size_t n@ = the size of the ciphertext + * @gcipher *mgfc@ = mask-generating function to use * @const octet *k@ = pointer to key material * @size_t ksz@ = size of the key * @@ -161,20 +169,20 @@ static octet *mpmask(buf *b, mp *x, size_t n, const octet *k, size_t ksz) */ static mp *mpunmask(mp *d, const octet *p, size_t n, - const octet *k, size_t ksz) + const gccipher *mgfc, const octet *k, size_t ksz) { gcipher *mgf; - mgf = GC_INIT(algs.mgf, k, ksz); + mgf = GC_INIT(mgfc, k, ksz); IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { - trace_block(T_CRYPTO, "unmasking key", k, ksz); - trace_block(T_CRYPTO, "masked ciphertext", p, n); + trace_block(T_CRYPTO, "crypto: unmasking key", k, ksz); + trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n); })) GC_DECRYPT(mgf, p, buf_t, n); d = mp_loadb(d, buf_t, n); IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { - trace_block(T_CRYPTO, "index plaintext", buf_t, n); - trace(T_CRYPTO, "unmasked index = %s", mpstr(d)); + trace_block(T_CRYPTO, "crypto: index plaintext", buf_t, n); + trace(T_CRYPTO, "crypto: unmasked index = %s", mpstr(d)); })) GC_DESTROY(mgf); return (d); @@ -182,7 +190,8 @@ static mp *mpunmask(mp *d, const octet *p, size_t n, /* --- @hashcheck@ --- * * - * Arguments: @ge *kpub@ = sender's public key + * Arguments: @keyexch *kx@ = pointer to key-exchange block + * @ge *kpub@ = sender's public key * @ge *cc@ = receiver's challenge * @ge *c@ = sender's challenge * @ge *y@ = reply to sender's challenge @@ -199,23 +208,24 @@ static mp *mpunmask(mp *d, const octet *p, size_t n, * key-exchange is deniable. */ -static const octet *hashcheck(ge *kpub, ge *cc, ge *c, ge *y) +static const octet *hashcheck(keyexch *kx, ge *kpub, ge *cc, ge *c, ge *y) { - ghash *h = GH_INIT(algs.h); + ghash *h = GH_INIT(kx->kpriv->algs.h); + group *g = kx->kpriv->g; HASH_STRING(h, "tripe-expected-reply"); - hashge(h, kpub); - hashge(h, cc); - hashge(h, c); - hashge(h, y); + hashge(h, g, kpub); + hashge(h, g, cc); + hashge(h, g, c); + hashge(h, g, y); GH_DONE(h, buf_t); IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { - trace(T_CRYPTO, "computing challenge check hash"); - trace(T_CRYPTO, "public key = %s", gestr(gg, kpub)); - trace(T_CRYPTO, "receiver challenge = %s", gestr(gg, cc)); - trace(T_CRYPTO, "sender challenge = %s", gestr(gg, c)); - trace(T_CRYPTO, "sender reply = %s", gestr(gg, y)); - trace_block(T_CRYPTO, "hash output", buf_t, algs.hashsz); + trace(T_CRYPTO, "crypto: computing challenge check hash"); + trace(T_CRYPTO, "crypto: public key = %s", gestr(g, kpub)); + trace(T_CRYPTO, "crypto: receiver challenge = %s", gestr(g, cc)); + trace(T_CRYPTO, "crypto: sender challenge = %s", gestr(g, c)); + trace(T_CRYPTO, "crypto: sender reply = %s", gestr(g, y)); + trace_block(T_CRYPTO, "crypto: hash output", buf_t, kx->kpriv->algs.hashsz); })) GH_DESTROY(h); return (buf_t); @@ -235,10 +245,11 @@ static const octet *hashcheck(ge *kpub, ge *cc, ge *c, ge *y) static void sendchallenge(keyexch *kx, buf *b, ge *c, const octet *hc) { - G_TOBUF(gg, b, kx->c); - buf_put(b, hc, algs.hashsz); - mpmask(b, kx->alpha, indexsz, - hashcheck(kpub, c, kx->c, kx->rx), algs.hashsz); + G_TOBUF(kx->kpriv->g, b, kx->c); + buf_put(b, hc, kx->kpriv->algs.hashsz); + mpmask(b, kx->alpha, kx->kpriv->indexsz, kx->kpriv->algs.mgf, + hashcheck(kx, kx->kpriv->kpub, c, kx->c, kx->rx), + kx->kpriv->algs.hashsz); } /* --- @timer@ --- * @@ -262,24 +273,102 @@ static void timer(struct timeval *tv, void *v) /* --- @settimer@ --- * * * Arguments: @keyexch *kx@ = pointer to key exchange context - * @time_t t@ = when to set the timer for + * @struct timeval *tv@ = when to set the timer for * * Returns: --- * * Use: Sets the timer for the next key exchange attempt. */ -static void settimer(keyexch *kx, time_t t) +static void settimer(keyexch *kx, struct timeval *tv) { - struct timeval tv; - if (kx->f & KXF_TIMER) - sel_rmtimer(&kx->t); - tv.tv_sec = t; - tv.tv_usec = 0; - sel_addtimer(&sel, &kx->t, &tv, timer, kx); + if (kx->f & KXF_TIMER) sel_rmtimer(&kx->t); + sel_addtimer(&sel, &kx->t, tv, timer, kx); kx->f |= KXF_TIMER; } +/* --- @f2tv@ --- * + * + * Arguments: @struct timeval *tv@ = where to write the timeval + * @double t@ = a time as a floating point number + * + * Returns: --- + * + * Use: Converts a floating-point time into a timeval. + */ + +static void f2tv(struct timeval *tv, double t) +{ + tv->tv_sec = t; + tv->tv_usec = (t - tv->tv_sec)*MILLION; +} + +/* --- @wobble@ --- * + * + * Arguments: @double t@ = a time interval + * + * Returns: The same time interval, with a random error applied. + */ + +static double wobble(double t) +{ + uint32 r = rand_global.ops->word(&rand_global); + double w = (r/F_2P32) - 0.5; + return (t + t*w*T_WOBBLE); +} + +/* --- @rs_time@ --- * + * + * Arguments: @retry *rs@ = current retry state + * @struct timeval *tv@ = where to write the result + * @const struct timeval *now@ = current time, or null + * + * Returns: --- + * + * Use: Computes a time at which to retry sending a key-exchange + * packet. This algorithm is subject to change, but it's + * currently a capped exponential backoff, slightly randomized + * to try to keep clients from hammering a server that's only + * just woken up. + * + * If @now@ is null then the function works out the time for + * itself. + */ + +static void rs_time(retry *rs, struct timeval *tv, const struct timeval *now) +{ + double t; + struct timeval rtv; + + if (!rs->t) + t = SEC(2); + else { + t = (rs->t * 5)/4; + if (t > MIN(5)) t = MIN(5); + } + rs->t = t; + + if (!now) { + now = tv; + gettimeofday(tv, 0); + } + f2tv(&rtv, wobble(t)); + TV_ADD(tv, now, &rtv); +} + +/* --- @retry_reset@ --- * + * + * Arguments: @retry *rs@ = retry state + * + * Returns: -- + * + * Use: Resets a retry state to indicate that progress has been + * made. Also useful for initializing the state in the first + * place. + */ + +static void rs_reset(retry *rs) { rs->t = 0; } + /*----- Challenge management ----------------------------------------------*/ /* --- Notes on challenge management --- * @@ -308,8 +397,8 @@ static void kxc_destroy(kxchal *kxc) { if (kxc->f & KXF_TIMER) sel_rmtimer(&kxc->t); - G_DESTROY(gg, kxc->c); - G_DESTROY(gg, kxc->r); + G_DESTROY(kxc->kx->kpriv->g, kxc->c); + G_DESTROY(kxc->kx->kpriv->g, kxc->r); ks_drop(kxc->ks); DESTROY(kxc); } @@ -358,12 +447,13 @@ static kxchal *kxc_new(keyexch *kx) /* --- Fill in the new structure --- */ kxc = CREATE(kxchal); - kxc->c = G_CREATE(gg); - kxc->r = G_CREATE(gg); + kxc->c = G_CREATE(kx->kpriv->g); + kxc->r = G_CREATE(kx->kpriv->g); kxc->ks = 0; kxc->kx = kx; kxc->f = 0; kx->r[i] = kxc; + rs_reset(&kxc->rs); return (kxc); } @@ -382,7 +472,7 @@ static kxchal *kxc_bychal(keyexch *kx, ge *c) unsigned i; for (i = 0; i < kx->nr; i++) { - if (G_EQ(gg, c, kx->r[i]->c)) + if (G_EQ(kx->kpriv->g, c, kx->r[i]->c)) return (kx->r[i]); } return (0); @@ -403,7 +493,7 @@ static kxchal *kxc_byhc(keyexch *kx, const octet *hc) unsigned i; for (i = 0; i < kx->nr; i++) { - if (memcmp(hc, kx->r[i]->hc, algs.hashsz) == 0) + if (memcmp(hc, kx->r[i]->hc, kx->kpriv->algs.hashsz) == 0) return (kx->r[i]); } return (0); @@ -441,7 +531,7 @@ static void kxc_answer(keyexch *kx, kxchal *kxc) T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); ) sendchallenge(kx, b, kxc->c, kxc->hc); buf_init(&bb, buf_i, sizeof(buf_i)); - G_TORAW(gg, &bb, kxc->r); + G_TORAW(kx->kpriv->g, &bb, kxc->r); buf_flip(&bb); ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b); @@ -458,7 +548,7 @@ static void kxc_answer(keyexch *kx, kxchal *kxc) if (kxc->f & KXF_TIMER) sel_rmtimer(&kxc->t); gettimeofday(&tv, 0); - tv.tv_sec += T_RETRY; + rs_time(&kxc->rs, &tv, &tv); sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc); kxc->f |= KXF_TIMER; } @@ -478,7 +568,7 @@ static void kxc_answer(keyexch *kx, kxchal *kxc) static int doprechallenge(keyexch *kx, buf *b) { stats *st = p_stats(kx->p); - ge *c = G_CREATE(gg); + ge *c = G_CREATE(kx->kpriv->g); ghash *h; /* --- Ensure that we're in a sensible state --- */ @@ -490,19 +580,19 @@ static int doprechallenge(keyexch *kx, buf *b) /* --- Unpack the packet --- */ - if (G_FROMBUF(gg, b, c) || BLEFT(b)) + if (G_FROMBUF(kx->kpriv->g, b, c) || BLEFT(b)) goto bad; IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { - trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c)); + trace(T_CRYPTO, "crypto: challenge = %s", gestr(kx->kpriv->g, c)); })) /* --- Send out a full challenge by return --- */ b = p_txstart(kx->p, MSG_KEYEXCH | KX_CHAL); - h = GH_INIT(algs.h); + h = GH_INIT(kx->kpriv->algs.h); HASH_STRING(h, "tripe-cookie"); - hashge(h, c); + hashge(h, kx->kpriv->g, c); sendchallenge(kx, b, c, GH_DONE(h, 0)); GH_DESTROY(h); st->n_kxout++; @@ -511,11 +601,11 @@ static int doprechallenge(keyexch *kx, buf *b) /* --- Done --- */ - G_DESTROY(gg, c); + G_DESTROY(kx->kpriv->g, c); return (0); bad: - if (c) G_DESTROY(gg, c); + if (c) G_DESTROY(kx->kpriv->g, c); return (-1); } @@ -533,9 +623,12 @@ bad: static kxchal *respond(keyexch *kx, unsigned msg, buf *b) { - ge *c = G_CREATE(gg); - ge *r = G_CREATE(gg); - ge *cc = G_CREATE(gg); + group *g = kx->kpriv->g; + const algswitch *algs = &kx->kpriv->algs; + size_t ixsz = kx->kpriv->indexsz; + ge *c = G_CREATE(g); + ge *r = G_CREATE(g); + ge *cc = G_CREATE(g); const octet *hc, *ck; size_t x, y, z; mp *cv = 0; @@ -546,21 +639,21 @@ static kxchal *respond(keyexch *kx, unsigned msg, buf *b) /* --- Unpack the packet --- */ - if (G_FROMBUF(gg, b, c) || - (hc = buf_get(b, algs.hashsz)) == 0 || - (ck = buf_get(b, indexsz)) == 0) { + if (G_FROMBUF(g, b, c) || + (hc = buf_get(b, algs->hashsz)) == 0 || + (ck = buf_get(b, ixsz)) == 0) { a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END); goto bad; } IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { - trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c)); - trace_block(T_CRYPTO, "crypto: cookie", hc, algs.hashsz); - trace_block(T_CRYPTO, "crypto: check-value", ck, indexsz); + trace(T_CRYPTO, "crypto: challenge = %s", gestr(g, c)); + trace_block(T_CRYPTO, "crypto: cookie", hc, algs->hashsz); + trace_block(T_CRYPTO, "crypto: check-value", ck, ixsz); })) /* --- Discard a packet with an invalid cookie --- */ - if (hc && memcmp(hc, kx->hc, algs.hashsz) != 0) { + if (hc && memcmp(hc, kx->hc, algs->hashsz) != 0) { a_warn("KX", "?PEER", kx->p, "incorrect", "cookie", A_END); goto bad; } @@ -574,97 +667,96 @@ static kxchal *respond(keyexch *kx, unsigned msg, buf *b) */ if ((kxc = kxc_bychal(kx, c)) != 0) { - h = GH_INIT(algs.h); + h = GH_INIT(algs->h); HASH_STRING(h, "tripe-check-hash"); - GH_HASH(h, ck, indexsz); - ok = !memcmp(kxc->ck, GH_DONE(h, 0), algs.hashsz); + GH_HASH(h, ck, ixsz); + ok = !memcmp(kxc->ck, GH_DONE(h, 0), algs->hashsz); GH_DESTROY(h); if (!ok) goto badcheck; } else { /* --- Compute the reply, and check the magic --- */ - G_EXP(gg, r, c, kpriv); - cv = mpunmask(MP_NEW, ck, indexsz, - hashcheck(kx->kpub, kx->c, c, r), algs.hashsz); + G_EXP(g, r, c, kx->kpriv->kpriv); + cv = mpunmask(MP_NEW, ck, ixsz, algs->mgf, + hashcheck(kx, kx->kpub->kpub, kx->c, c, r), + algs->hashsz); IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { - trace(T_CRYPTO, "crypto: computed reply = %s", gestr(gg, r)); + trace(T_CRYPTO, "crypto: computed reply = %s", gestr(g, r)); trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv)); })) - if (MP_CMP(cv, >, gg->r) || - (G_EXP(gg, cc, gg->g, cv), !G_EQ(gg, c, cc))) + if (MP_CMP(cv, >, g->r) || + (G_EXP(g, cc, g->g, cv), + !G_EQ(g, c, cc))) goto badcheck; /* --- Fill in a new challenge block --- */ kxc = kxc_new(kx); - G_COPY(gg, kxc->c, c); - G_COPY(gg, kxc->r, r); + G_COPY(g, kxc->c, c); + G_COPY(g, kxc->r, r); - h = GH_INIT(algs.h); - HASH_STRING(h, "tripe-check-hash"); - GH_HASH(h, ck, indexsz); - GH_DONE(h, kxc->hc); - GH_DESTROY(h); + h = GH_INIT(algs->h); HASH_STRING(h, "tripe-check-hash"); + GH_HASH(h, ck, ixsz); + GH_DONE(h, kxc->ck); GH_DESTROY(h); - h = GH_INIT(algs.h); - HASH_STRING(h, "tripe-cookie"); - hashge(h, kxc->c); - GH_DONE(h, kxc->hc); - GH_DESTROY(h); + h = GH_INIT(algs->h); HASH_STRING(h, "tripe-cookie"); + hashge(h, g, kxc->c); + GH_DONE(h, kxc->hc); GH_DESTROY(h); IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { - trace_block(T_CRYPTO, "crypto: computed cookie", kxc->hc, algs.hashsz); + trace_block(T_CRYPTO, "crypto: computed cookie", + kxc->hc, algs->hashsz); })) /* --- Work out the shared key --- */ - G_EXP(gg, r, c, kx->alpha); + G_EXP(g, r, c, kx->alpha); IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { - trace(T_CRYPTO, "crypto: shared secret = %s", gestr(gg, r)); + trace(T_CRYPTO, "crypto: shared secret = %s", gestr(g, r)); })) /* --- Compute the switch messages --- */ - h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request"); - hashge(h, kx->c); hashge(h, kxc->c); + h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-request"); + hashge(h, g, kx->c); hashge(h, g, kxc->c); GH_DONE(h, kxc->hswrq_out); GH_DESTROY(h); - h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm"); - hashge(h, kx->c); hashge(h, kxc->c); + h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-confirm"); + hashge(h, g, kx->c); hashge(h, g, kxc->c); GH_DONE(h, kxc->hswok_out); GH_DESTROY(h); - h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request"); - hashge(h, kxc->c); hashge(h, kx->c); + h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-request"); + hashge(h, g, kxc->c); hashge(h, g, kx->c); GH_DONE(h, kxc->hswrq_in); GH_DESTROY(h); - h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm"); - hashge(h, kxc->c); hashge(h, kx->c); + h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-confirm"); + hashge(h, g, kxc->c); hashge(h, g, kx->c); GH_DONE(h, kxc->hswok_in); GH_DESTROY(h); IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { trace_block(T_CRYPTO, "crypto: outbound switch request", - kxc->hswrq_out, algs.hashsz); + kxc->hswrq_out, algs->hashsz); trace_block(T_CRYPTO, "crypto: outbound switch confirm", - kxc->hswok_out, algs.hashsz); + kxc->hswok_out, algs->hashsz); trace_block(T_CRYPTO, "crypto: inbound switch request", - kxc->hswrq_in, algs.hashsz); + kxc->hswrq_in, algs->hashsz); trace_block(T_CRYPTO, "crypto: inbound switch confirm", - kxc->hswok_in, algs.hashsz); + kxc->hswok_in, algs->hashsz); })) /* --- Create a new symmetric keyset --- */ buf_init(&bb, buf_o, sizeof(buf_o)); - G_TOBUF(gg, &bb, kx->c); x = BLEN(&bb); - G_TOBUF(gg, &bb, kxc->c); y = BLEN(&bb); - G_TOBUF(gg, &bb, r); z = BLEN(&bb); + G_TOBUF(g, &bb, kx->c); x = BLEN(&bb); + G_TOBUF(g, &bb, kxc->c); y = BLEN(&bb); + G_TOBUF(g, &bb, r); z = BLEN(&bb); assert(BOK(&bb)); kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p); } - G_DESTROY(gg, c); - G_DESTROY(gg, cc); - G_DESTROY(gg, r); + G_DESTROY(g, c); + G_DESTROY(g, cc); + G_DESTROY(g, r); mp_drop(cv); return (kxc); @@ -672,9 +764,9 @@ badcheck: a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END); goto bad; bad: - G_DESTROY(gg, c); - G_DESTROY(gg, cc); - G_DESTROY(gg, r); + G_DESTROY(g, c); + G_DESTROY(g, cc); + G_DESTROY(g, r); mp_drop(cv); return (0); } @@ -725,6 +817,7 @@ static void resend(keyexch *kx) kxchal *kxc; buf bb; stats *st = p_stats(kx->p); + struct timeval tv; buf *b; switch (kx->s) { @@ -732,18 +825,18 @@ static void resend(keyexch *kx) T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'", p_name(kx->p)); ) b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL); - G_TOBUF(gg, b, kx->c); + G_TOBUF(kx->kpriv->g, b, kx->c); break; case KXS_COMMIT: T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'", p_name(kx->p)); ) kxc = kx->r[0]; b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH); - buf_put(b, kx->hc, algs.hashsz); - buf_put(b, kxc->hc, algs.hashsz); + buf_put(b, kx->hc, kx->kpriv->algs.hashsz); + buf_put(b, kxc->hc, kx->kpriv->algs.hashsz); buf_init(&bb, buf_i, sizeof(buf_i)); - G_TORAW(gg, &bb, kxc->r); - buf_put(&bb, kxc->hswrq_out, algs.hashsz); + G_TORAW(kx->kpriv->g, &bb, kxc->r); + buf_put(&bb, kxc->hswrq_out, kx->kpriv->algs.hashsz); buf_flip(&bb); ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCH, &bb, b); break; @@ -753,7 +846,7 @@ static void resend(keyexch *kx) kxc = kx->r[0]; b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK); buf_init(&bb, buf_i, sizeof(buf_i)); - buf_put(&bb, kxc->hswok_out, algs.hashsz); + buf_put(&bb, kxc->hswok_out, kx->kpriv->algs.hashsz); buf_flip(&bb); ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, &bb, b); break; @@ -767,8 +860,10 @@ static void resend(keyexch *kx) p_txend(kx->p); } - if (kx->s < KXS_SWITCH) - settimer(kx, time(0) + T_RETRY); + if (kx->s < KXS_SWITCH) { + rs_time(&kx->rs, &tv, 0); + settimer(kx, &tv); + } } /* --- @decryptrest@ --- * @@ -793,6 +888,7 @@ static int decryptrest(keyexch *kx, kxchal *kxc, unsigned msg, buf *b) a_warn("KX", "?PEER", kx->p, "decrypt-failed", "%s", pkname[msg], A_END); return (-1); } + if (!BOK(&bb)) return (-1); buf_init(b, BBASE(&bb), BLEN(&bb)); return (0); } @@ -811,25 +907,26 @@ static int decryptrest(keyexch *kx, kxchal *kxc, unsigned msg, buf *b) static int checkresponse(keyexch *kx, unsigned msg, buf *b) { - ge *r = G_CREATE(gg); + group *g = kx->kpriv->g; + ge *r = G_CREATE(g); - if (G_FROMRAW(gg, b, r)) { + if (G_FROMRAW(g, b, r)) { a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END); goto bad; } IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { - trace(T_CRYPTO, "crypto: reply = %s", gestr(gg, r)); + trace(T_CRYPTO, "crypto: reply = %s", gestr(g, r)); })) - if (!G_EQ(gg, r, kx->rx)) { + if (!G_EQ(g, r, kx->rx)) { a_warn("KX", "?PEER", kx->p, "incorrect", "response", A_END); goto bad; } - G_DESTROY(gg, r); + G_DESTROY(g, r); return (0); bad: - G_DESTROY(gg, r); + G_DESTROY(g, r); return (-1); } @@ -908,8 +1005,13 @@ bad: static void kxfinish(keyexch *kx) { kxchal *kxc = kx->r[0]; + struct timeval now, tv; + ks_activate(kxc->ks); - settimer(kx, ks_tregen(kxc->ks)); + gettimeofday(&now, 0); + f2tv(&tv, wobble(T_REGEN)); + TV_ADD(&tv, &now, &tv); + settimer(kx, &tv); kx->s = KXS_SWITCH; a_notify("KXDONE", "?PEER", kx->p, A_END); p_stats(kx->p)->t_kx = time(0); @@ -927,34 +1029,35 @@ static void kxfinish(keyexch *kx) static int doswitch(keyexch *kx, buf *b) { + size_t hsz = kx->kpriv->algs.hashsz; const octet *hc_in, *hc_out, *hswrq; kxchal *kxc; - if ((hc_in = buf_get(b, algs.hashsz)) == 0 || - (hc_out = buf_get(b, algs.hashsz)) == 0) { + if ((hc_in = buf_get(b, hsz)) == 0 || + (hc_out = buf_get(b, hsz)) == 0) { a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END); goto bad; } IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, { - trace_block(T_CRYPTO, "crypto: challenge", hc_in, algs.hashsz); - trace_block(T_CRYPTO, "crypto: cookie", hc_out, algs.hashsz); + trace_block(T_CRYPTO, "crypto: challenge", hc_in, hsz); + trace_block(T_CRYPTO, "crypto: cookie", hc_out, hsz); })) if ((kxc = kxc_byhc(kx, hc_in)) == 0 || - memcmp(hc_out, kx->hc, algs.hashsz) != 0) { + memcmp(hc_out, kx->hc, hsz) != 0) { a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END); goto bad; } if (decryptrest(kx, kxc, KX_SWITCH, b) || checkresponse(kx, KX_SWITCH, b)) goto bad; - if ((hswrq = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) { + if ((hswrq = buf_get(b, hsz)) == 0 || BLEFT(b)) { a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END); goto bad; } IF_TRACING(T_KEYEXCH, { - trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, algs.hashsz); + trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, hsz); }) - if (memcmp(hswrq, kxc->hswrq_in, algs.hashsz) != 0) { + if (memcmp(hswrq, kxc->hswrq_in, hsz) != 0) { a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END); goto bad; } @@ -981,6 +1084,7 @@ bad: static int doswitchok(keyexch *kx, buf *b) { + size_t hsz = kx->kpriv->algs.hashsz; const octet *hswok; kxchal *kxc; buf bb; @@ -993,15 +1097,15 @@ static int doswitchok(keyexch *kx, buf *b) buf_init(&bb, buf_o, sizeof(buf_o)); if (decryptrest(kx, kxc, KX_SWITCHOK, b)) goto bad; - if ((hswok = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) { + if ((hswok = buf_get(b, hsz)) == 0 || BLEFT(b)) { a_warn("KX", "?PEER", kx->p, "invalid", "switch-ok", A_END); goto bad; } IF_TRACING(T_KEYEXCH, { trace_block(T_CRYPTO, "crypto: switch confirmation hash", - hswok, algs.hashsz); + hswok, hsz); }) - if (memcmp(hswok, kxc->hswok_in, algs.hashsz) != 0) { + if (memcmp(hswok, kxc->hswok_in, hsz) != 0) { a_warn("KX", "?PEER", kx->p, "incorrect", "switch-ok", A_END); goto bad; } @@ -1041,8 +1145,8 @@ static void stop(keyexch *kx) for (i = 0; i < kx->nr; i++) kxc_destroy(kx->r[i]); mp_drop(kx->alpha); - G_DESTROY(gg, kx->c); - G_DESTROY(gg, kx->rx); + G_DESTROY(kx->kpriv->g, kx->c); + G_DESTROY(kx->kpriv->g, kx->rx); kx->t_valid = 0; kx->f |= KXF_DEAD; kx->f &= ~KXF_TIMER; @@ -1061,21 +1165,23 @@ static void stop(keyexch *kx) static void start(keyexch *kx, time_t now) { + algswitch *algs = &kx->kpriv->algs; + group *g = kx->kpriv->g; ghash *h; assert(kx->f & KXF_DEAD); - kx->f &= ~KXF_DEAD; + kx->f &= ~(KXF_DEAD | KXF_CORK); kx->nr = 0; - kx->alpha = mprand_range(MP_NEW, gg->r, &rand_global, 0); - kx->c = G_CREATE(gg); G_EXP(gg, kx->c, gg->g, kx->alpha); - kx->rx = G_CREATE(gg); G_EXP(gg, kx->rx, kx->kpub, kx->alpha); + kx->alpha = mprand_range(MP_NEW, g->r, &rand_global, 0); + kx->c = G_CREATE(g); G_EXP(g, kx->c, g->g, kx->alpha); + kx->rx = G_CREATE(g); G_EXP(g, kx->rx, kx->kpub->kpub, kx->alpha); kx->s = KXS_CHAL; kx->t_valid = now + T_VALID; - h = GH_INIT(algs.h); + h = GH_INIT(algs->h); HASH_STRING(h, "tripe-cookie"); - hashge(h, kx->c); + hashge(h, g, kx->c); GH_DONE(h, kx->hc); GH_DESTROY(h); @@ -1083,9 +1189,10 @@ static void start(keyexch *kx, time_t now) trace(T_KEYEXCH, "keyexch: creating new challenge"); IF_TRACING(T_CRYPTO, { trace(T_CRYPTO, "crypto: secret = %s", mpstr(kx->alpha)); - trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, kx->c)); - trace(T_CRYPTO, "crypto: expected response = %s", gestr(gg, kx->rx)); - trace_block(T_CRYPTO, "crypto: challenge cookie", kx->hc, algs.hashsz); + trace(T_CRYPTO, "crypto: challenge = %s", gestr(g, kx->c)); + trace(T_CRYPTO, "crypto: expected response = %s", gestr(g, kx->rx)); + trace_block(T_CRYPTO, "crypto: challenge cookie", + kx->hc, algs->hashsz); }) }) } @@ -1103,13 +1210,17 @@ static void start(keyexch *kx, time_t now) static int checkpub(keyexch *kx) { time_t now; + unsigned f = 0; + if (kx->f & KXF_DEAD) return (-1); now = time(0); - if (KEY_EXPIRED(now, kx->texp_kpub)) { + if (KEY_EXPIRED(now, kx->kpriv->t_exp)) f |= 1; + if (KEY_EXPIRED(now, kx->kpub->t_exp)) f |= 2; + if (f) { stop(kx); - a_warn("KX", "?PEER", kx->p, "public-key-expired", A_END); - G_COPY(gg, kx->kpub, gg->i); + if (f & 1) a_warn("KX", "?PEER", kx->p, "private-key-expired", A_END); + if (f & 2) a_warn("KX", "?PEER", kx->p, "public-key-expired", A_END); kx->f &= ~KXF_PUBKEY; return (-1); } @@ -1156,19 +1267,27 @@ void kx_start(keyexch *kx, int forcep) void kx_message(keyexch *kx, unsigned msg, buf *b) { - time_t now = time(0); + struct timeval now, tv; stats *st = p_stats(kx->p); size_t sz = BSZ(b); int rc; + gettimeofday(&now, 0); + rs_reset(&kx->rs); + if (kx->f & KXF_CORK) { + start(kx, now.tv_sec); + rs_time(&kx->rs, &tv, &now); + settimer(kx, &tv); + a_notify("KXSTART", A_END); + } + if (checkpub(kx)) return; - if (!VALIDP(kx, now)) { + if (!VALIDP(kx, now.tv_sec)) { stop(kx); - start(kx, now); + start(kx, now.tv_sec); } - T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'", msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); ) @@ -1214,7 +1333,8 @@ void kx_message(keyexch *kx, unsigned msg, buf *b) void kx_free(keyexch *kx) { stop(kx); - G_DESTROY(gg, kx->kpub); + km_unref(kx->kpub); + km_unref(kx->kpriv); } /* --- @kx_newkeys@ --- * @@ -1231,13 +1351,111 @@ void kx_free(keyexch *kx) void kx_newkeys(keyexch *kx) { - if (km_getpubkey(p_name(kx->p), kx->kpub, &kx->texp_kpub)) - return; + kdata *kpriv, *kpub; + unsigned i; + int switchp; + time_t now = time(0); + + T( trace(T_KEYEXCH, "keyexch: checking new keys for `%s'", + p_name(kx->p)); ) + + /* --- Find out whether we can use new keys --- * + * + * Try each available combination of new and old, public and private, + * except both old (which is status quo anyway). The selection is encoded + * in @i@, with bit 0 for the private key and bit 1 for public key; a set + * bit means to use the old value, and a clear bit means to use the new + * one. + * + * This means that we currently prefer `old private and new public' over + * `new private and old public'. I'm not sure which way round this should + * actually be. + */ + + for (i = 0; i < 3; i++) { + + /* --- Select the keys we're going to examine --- * + * + * If we're meant to have a new key and don't, then skip this + * combination. + */ + + T( trace(T_KEYEXCH, "keyexch: checking %s private, %s public", + i & 1 ? "old" : "new", i & 2 ? "old" : "new"); ) + + if (i & 1) kpriv = kx->kpriv; + else if (kx->kpriv->kn->kd != kx->kpriv) kpriv = kx->kpriv->kn->kd; + else { + T( trace(T_KEYEXCH, "keyexch: private key unchanged, skipping"); ) + continue; + } + + if (i & 2) kpub = kx->kpub; + else if (kx->kpub->kn->kd != kx->kpub) kpub = kx->kpub->kn->kd; + else { + T( trace(T_KEYEXCH, "keyexch: public key unchanged, skipping"); ) + continue; + } + + /* --- Skip if either key is expired --- * + * + * We're not going to get far with expired keys, and this simplifies the + * logic below. + */ + + if (KEY_EXPIRED(now, kx->kpriv->t_exp) || + KEY_EXPIRED(now, kx->kpub->t_exp)) { + T( trace(T_KEYEXCH, "keyexch: %s expired, skipping", + !KEY_EXPIRED(now, kx->kpriv->t_exp) ? "public key" : + !KEY_EXPIRED(now, kx->kpub->t_exp) ? "private key" : + "both keys"); ) + continue; + } + + /* --- If the groups don't match then we can't use this pair --- */ + + if (!km_samealgsp(kpriv, kpub)) { + T( trace(T_KEYEXCH, "keyexch: peer `%s' group mismatch; " + "%s priv `%s' and %s pub `%s'", p_name(kx->p), + i & 1 ? "old" : "new", km_tag(kx->kpriv), + i & 2 ? "old" : "new", km_tag(kx->kpub)); ) + continue; + } + goto newkeys; + } + T( trace(T_KEYEXCH, "keyexch: peer `%s' continuing with old keys", + p_name(kx->p)); ) + return; + + /* --- We've chosen new keys --- * + * + * Switch the new ones into place. Neither of the keys we're switching to + * is expired (we checked that above), so we should just crank everything + * up. + * + * A complication arises: we don't really want to force a new key exchange + * unless we have to. If the group is unchanged, and we're currently + * running OK, then we should just let things lie. + */ + +newkeys: + switchp = ((kx->f & KXF_DEAD) || + kx->s != KXS_SWITCH || + !group_samep(kx->kpriv->g, kpriv->g)); + + T( trace(T_KEYEXCH, "keyexch: peer `%s' adopting " + "%s priv `%s' and %s pub `%s'; %sforcing exchange", p_name(kx->p), + i & 1 ? "old" : "new", km_tag(kx->kpriv), + i & 2 ? "old" : "new", km_tag(kx->kpub), + switchp ? "" : "not "); ) + + if (switchp) stop(kx); + km_ref(kpriv); km_unref(kx->kpriv); kx->kpriv = kpriv; + km_ref(kpub); km_unref(kx->kpub); kx->kpub = kpub; kx->f |= KXF_PUBKEY; - if ((kx->f & KXF_DEAD) || kx->s != KXS_SWITCH) { + if (switchp) { T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'", p_name(kx->p)); ) - stop(kx); start(kx, time(0)); resend(kx); } @@ -1248,6 +1466,7 @@ void kx_newkeys(keyexch *kx) * Arguments: @keyexch *kx@ = pointer to key exchange context * @peer *p@ = pointer to peer context * @keyset **ks@ = pointer to keyset list + * @unsigned f@ = various useful flags * * Returns: Zero if OK, nonzero if it failed. * @@ -1256,20 +1475,35 @@ void kx_newkeys(keyexch *kx) * exchange. */ -int kx_init(keyexch *kx, peer *p, keyset **ks) +int kx_init(keyexch *kx, peer *p, keyset **ks, unsigned f) { + if ((kx->kpriv = km_findpriv(p_privtag(p))) == 0) goto fail_0; + if ((kx->kpub = km_findpub(p_tag(p))) == 0) goto fail_1; + if (!group_samep(kx->kpriv->g, kx->kpub->g)) { + a_warn("KX", "?PEER", kx->p, "group-mismatch", + "local-private-key", "%s", p_privtag(p), + "peer-public-key", "%s", p_tag(p), + A_END); + goto fail_2; + } + kx->ks = ks; kx->p = p; - kx->kpub = G_CREATE(gg); - if (km_getpubkey(p_name(p), kx->kpub, &kx->texp_kpub)) { - G_DESTROY(gg, kx->kpub); - return (-1); + kx->f = KXF_DEAD | KXF_PUBKEY | f; + rs_reset(&kx->rs); + if (!(kx->f & KXF_CORK)) { + start(kx, time(0)); + resend(kx); + /* Don't notify here: the ADD message hasn't gone out yet. */ } - kx->f = KXF_DEAD | KXF_PUBKEY; - start(kx, time(0)); - resend(kx); - /* Don't notify here: the ADD message hasn't gone out yet. */ return (0); + +fail_2: + km_unref(kx->kpub); +fail_1: + km_unref(kx->kpriv); +fail_0: + return (-1); } /*----- That's all, folks -------------------------------------------------*/