X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/5b9f3d3788bafcba79c893b1afc6a1c77bc77d20..4a3882945f605704ede113a9fe98cd19a92363a7:/server/servutil.c diff --git a/server/servutil.c b/server/servutil.c index f19ce531..703e448e 100644 --- a/server/servutil.c +++ b/server/servutil.c @@ -9,19 +9,18 @@ * * This file is part of Trivial IP Encryption (TrIPE). * - * TrIPE is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. + * TrIPE is free software: you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 3 of the License, or (at your + * option) any later version. * - * TrIPE is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. + * TrIPE is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. * * You should have received a copy of the GNU General Public License - * along with TrIPE; if not, write to the Free Software Foundation, - * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * along with TrIPE. If not, see . */ /*----- Header files ------------------------------------------------------*/ @@ -32,7 +31,232 @@ octet buf_i[PKBUFSZ], buf_o[PKBUFSZ], buf_t[PKBUFSZ], buf_u[PKBUFSZ]; -/*----- Main code ---------------------------------------------------------*/ +/*----- Sequence numbers --------------------------------------------------*/ + +/* --- @seq_reset@ --- * + * + * Arguments: @seqwin *s@ = sequence-checking window + * + * Returns: --- + * + * Use: Resets a sequence number window. + */ + +void seq_reset(seqwin *s) { s->seq = 0; s->win = 0; } + +/* --- @seq_check@ --- * + * + * Arguments: @seqwin *s@ = sequence-checking window + * @uint32 q@ = sequence number to check + * @const char *service@ = service to report message from + * + * Returns: Zero on success, nonzero if the sequence number was bad. + * + * Use: Checks a sequence number against the window, updating things + * as necessary. + */ + +int seq_check(seqwin *s, uint32 q, const char *service) +{ + uint32 qbit; + uint32 n; + + if (q < s->seq) { + a_warn(service, "replay", "old-sequence", A_END); + return (-1); + } + if (q >= s->seq + SEQ_WINSZ) { + n = q - (s->seq + SEQ_WINSZ - 1); + if (n < SEQ_WINSZ) + s->win >>= n; + else + s->win = 0; + s->seq += n; + } + qbit = 1 << (q - s->seq); + if (s->win & qbit) { + a_warn(service, "replay", "duplicated-sequence", A_END); + return (-1); + } + s->win |= qbit; + return (0); +} + +/*----- Rate limiting -----------------------------------------------------*/ + +/* --- @ratelim_init@ --- * + * + * Arguments: @ratelim *r@ = rate-limiting state to fill in + * @unsigned persec@ = credit to accumulate per second + * @unsigned max@ = maximum credit to retain + * + * Returns: --- + * + * Use: Initialize a rate-limiting state. + */ + +void ratelim_init(ratelim *r, unsigned persec, unsigned max) +{ + r->n = r->max = max; + r->persec = persec; + gettimeofday(&r->when, 0); +} + +/* --- @ratelim_withdraw@ --- * + * + * Arguments: @ratelim *r@ = rate-limiting state + * @unsigned n@ = credit to withdraw + * + * Returns: Zero if successful; @-1@ if there is unsufficient credit + * + * Use: Updates the state with any accumulated credit. Then, if + * there there are more than @n@ credits available, withdraw @n@ + * and return successfully; otherwise, report failure. + */ + +int ratelim_withdraw(ratelim *r, unsigned n) +{ + struct timeval now, delta; + unsigned long d; + + gettimeofday(&now, 0); + TV_SUB(&delta, &now, &r->when); + d = (unsigned long)r->persec*delta.tv_sec + + (unsigned long)r->persec*delta.tv_usec/MILLION; + if (d < r->max - r->n) r->n += d; + else r->n = r->max; + r->when = now; + + if (n > r->n) return (-1); + else { r->n -= n; return (0); } +} + +/*----- Crypto ------------------------------------------------------------*/ + +/* --- @ies_encrypt@ --- * + * + * Arguments: @kdata *kpub@ = recipient's public key + * @unsigned ty@ = message type octet + * @buf *b@ = input message buffer + * @buf *bb@ = output buffer for the ciphertext + * + * Returns: On error, returns a @KSERR_...@ code or breaks the buffer; + * on success, returns zero and the buffer is good. + * + * Use: Encrypts a message for a recipient, given their public key. + * This does not (by itself) provide forward secrecy or sender + * authenticity. The ciphertext is self-delimiting (unlike + * @ks_encrypt@). + */ + +int ies_encrypt(kdata *kpub, unsigned ty, buf *b, buf *bb) +{ + dhgrp *g = kpub->grp; + dhsc *u = g->ops->randsc(g); + dhge *U = g->ops->mul(g, u, 0), *Z = g->ops->mul(g, u, kpub->K); + bulkalgs *algs = kpub->algs.bulk; + octet *len; + bulkctx *bulk; + deriveargs a; + size_t n; + buf bk; + int rc = 0; + + IF_TRACING(T_CRYPTO, { + trace(T_CRYPTO, + "crypto: encrypting IES message (type 0x%02x) for recipient `%s'", + ty, kpub->tag); + trace_block(T_CRYPTO, "crypto: plaintext message", BCUR(b), BLEFT(b)); + }) + + a.hc = kpub->algs.h; a.what = "tripe:ecies-"; a.f = DF_OUT; + buf_init(&bk, buf_u, sizeof(buf_u)); a.k = BBASE(&bk); + g->ops->stge(g, &bk, U, DHFMT_HASH); a.x = a.y = BLEN(&bk); + g->ops->stge(g, &bk, Z, DHFMT_HASH); a.z = BLEN(&bk); + assert(BOK(&bk)); + T( trace_block(T_CRYPTO, "crypto: KEM clue", a.k, a.x); + trace_block(T_CRYPTO, "crypto: shared secret", a.k + a.y, a.z - a.y); ) + + len = BCUR(bb); buf_get(bb, 2); + bulk = algs->ops->genkeys(algs, &a); + bulk->ops = algs->ops; + g->ops->stge(g, bb, U, DHFMT_VAR); if (BBAD(bb)) goto end; + rc = bulk->ops->encrypt(bulk, ty, b, bb, 0); + if (rc || BBAD(bb)) goto end; + n = BCUR(bb) - len - 2; assert(n <= MASK16); STORE16(len, n); + +end: + bulk->ops->freectx(bulk); + g->ops->freesc(g, u); + g->ops->freege(g, U); + g->ops->freege(g, Z); + return (rc); +} + +/* --- @ies_decrypt@ --- * + * + * Arguments: @kdata *kpub@ = private key key + * @unsigned ty@ = message type octet + * @buf *b@ = input ciphertext buffer + * @buf *bb@ = output buffer for the message + * + * Returns: On error, returns a @KSERR_...@ code; on success, returns + * zero and the buffer is good. + * + * Use: Decrypts a message encrypted using @ies_encrypt@, given our + * private key. + */ + +int ies_decrypt(kdata *kpriv, unsigned ty, buf *b, buf *bb) +{ + dhgrp *g = kpriv->grp; + bulkalgs *algs = kpriv->algs.bulk; + bulkctx *bulk = 0; + T( const octet *m; ) + dhge *U = 0, *Z = 0; + deriveargs a; + uint32 seq; + buf bk, bc; + int rc; + + IF_TRACING(T_CRYPTO, { + trace(T_CRYPTO, + "crypto: decrypting IES message (type 0x%02x) to recipient `%s'", + ty, kpriv->tag); + trace_block(T_CRYPTO, "crypto: ciphertext message", BCUR(b), BLEFT(b)); + }) + + if (buf_getbuf16(b, &bc) || + (U = g->ops->ldge(g, &bc, DHFMT_VAR)) == 0 || + g->ops->checkge(g, U)) + { rc = KSERR_MALFORMED; goto end; } + Z = g->ops->mul(g, kpriv->k, U); + + a.hc = kpriv->algs.h; a.what = "tripe:ecies-"; a.f = DF_IN; + buf_init(&bk, buf_u, sizeof(buf_u)); a.k = BBASE(&bk); a.x = 0; + g->ops->stge(g, &bk, U, DHFMT_HASH); a.y = BLEN(&bk); + g->ops->stge(g, &bk, Z, DHFMT_HASH); a.z = BLEN(&bk); + T( trace_block(T_CRYPTO, "crypto: KEM clue", a.k + a.x, a.y - a.x); + trace_block(T_CRYPTO, "crypto: shared secret", a.k + a.y, a.z - a.y); ) + assert(BOK(&bk)); + + bulk = algs->ops->genkeys(algs, &a); + bulk->ops = algs->ops; + T( m = BCUR(bb); ) + rc = bulk->ops->decrypt(bulk, ty, &bc, bb, &seq); + if (rc) goto end; + if (seq) { rc = KSERR_SEQ; goto end; } + assert(BOK(bb)); + T( trace_block(T_CRYPTO, "crypto: decrypted message", m, BCUR(bb) - m); ) + +end: + if (bulk) bulk->ops->freectx(bulk); + g->ops->freege(g, U); + g->ops->freege(g, Z); + return (rc); +} + +/*----- Random odds and sods ----------------------------------------------*/ /* --- @timestr@ --- * * @@ -71,53 +295,76 @@ int mystrieq(const char *x, const char *y) } } -/* --- @seq_reset@ --- * +/*----- Address handling --------------------------------------------------*/ + +const struct addrfam aftab[] = { +#ifdef HAVE_LIBADNS +# define DEF(af, qf) { AF_##af, #af, adns_qf_##qf }, +#else +# define DEF(af, qf) { AF_##af, #af }, +#endif + ADDRFAM(DEF) +#undef DEF +}; + +/* --- @afix@ --- * * - * Arguments: @seqwin *s@ = sequence-checking window + * Arguments: @int af@ = an address family code * - * Returns: --- + * Returns: The index of the address family's record in @aftab@, or @-1@. + */ + +int afix(int af) +{ + int i; + + for (i = 0; i < NADDRFAM; i++) + if (af == aftab[i].af) return (i); + return (-1); +} + +/* --- @addrsz@ --- * * - * Use: Resets a sequence number window. + * Arguments: @const addr *a@ = a network address + * + * Returns: The size of the address, for passing into the sockets API. */ -void seq_reset(seqwin *s) { s->seq = 0; s->win = 0; } +socklen_t addrsz(const addr *a) +{ + switch (a->sa.sa_family) { + case AF_INET: return (sizeof(a->sin)); + case AF_INET6: return (sizeof(a->sin6)); + default: abort(); + } +} -/* --- @seq_check@ --- * +/* --- @getport@, @setport@ --- * * - * Arguments: @seqwin *s@ = sequence-checking window - * @uint32 q@ = sequence number to check - * @const char *service@ = service to report message from + * Arguments: @addr *a@ = a network address + * @unsigned port@ = port number to set * - * Returns: Zero on success, nonzero if the sequence number was bad. + * Returns: --- * - * Use: Checks a sequence number against the window, updating things - * as necessary. + * Use: Retrieves or sets the port number in an address structure. */ -int seq_check(seqwin *s, uint32 q, const char *service) +unsigned getport(addr *a) { - uint32 qbit; - uint32 n; - - if (q < s->seq) { - a_warn(service, "replay", "old-sequence", A_END); - return (-1); - } - if (q >= s->seq + SEQ_WINSZ) { - n = q - (s->seq + SEQ_WINSZ - 1); - if (n < SEQ_WINSZ) - s->win >>= n; - else - s->win = 0; - s->seq += n; + switch (a->sa.sa_family) { + case AF_INET: return (ntohs(a->sin.sin_port)); break; + case AF_INET6: return (ntohs(a->sin6.sin6_port)); break; + default: abort(); } - qbit = 1 << (q - s->seq); - if (s->win & qbit) { - a_warn(service, "replay", "duplicated-sequence", A_END); - return (-1); +} + +void setport(addr *a, unsigned port) +{ + switch (a->sa.sa_family) { + case AF_INET: a->sin.sin_port = htons(port); break; + case AF_INET6: a->sin6.sin6_port = htons(port); break; + default: abort(); } - s->win |= qbit; - return (0); } /*----- That's all, folks -------------------------------------------------*/