From 383a9d7197f7a2c86d1f4267789ea3599314baf8 Mon Sep 17 00:00:00 2001 Message-Id: <383a9d7197f7a2c86d1f4267789ea3599314baf8.1715010048.git.mdw@distorted.org.uk> From: Mark Wooding Date: Sat, 20 Dec 2008 11:39:33 +0000 Subject: [PATCH] server/keyset.c, server/keymgmt.c: Variable data limits. Organization: Straylight/Edgeware From: Mark Wooding The old static data volume limit isn't acceptable when trying to keep up with LANs (e.g., wireless LANs) or other fast networks. This change configures a variable volume limit based on the width of the underlying block cipher. (That means it doesn't do anything sensible with stream ciphers, but as currently implemented in Catacomb they're a bad idea anyway.) --- server/keymgmt.c | 8 +++++++- server/keyset.c | 15 +++------------ server/tripe.h | 3 ++- 3 files changed, 12 insertions(+), 14 deletions(-) diff --git a/server/keymgmt.c b/server/keymgmt.c index 601f42ed..ce0d4561 100644 --- a/server/keymgmt.c +++ b/server/keymgmt.c @@ -247,7 +247,8 @@ static const char *algs_check(algswitch *a, const group *g) /* --- Derive the key sizes --- * * * Must ensure that we have non-empty keys. This isn't ideal, but it - * provides a handy sanity check. + * provides a handy sanity check. Also must be based on a 64- or 128-bit + * block cipher or we can't do the data expiry properly. */ a->hashsz = a->h->hashsz; @@ -256,6 +257,11 @@ static const char *algs_check(algswitch *a, const group *g) if ((a->mksz = keysz(a->hashsz, a->m->keysz)) == 0) return ("no key size found for MAC"); + /* --- Derive the data limit --- */ + + if (a->c->blksz < 16) a->expsz = MEG(64); + else a->expsz = MEG(2048); + /* --- Ensure that the tag size is sane --- */ if (a->tagsz > a->m->hashsz) return ("tag length too large"); diff --git a/server/keyset.c b/server/keyset.c index 9dd17fac..99fad2f5 100644 --- a/server/keyset.c +++ b/server/keyset.c 
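Review bot: The `blksz < 16` test in the new "Derive the data limit" block only selects a limit and never returns an error, although the comment added in the previous hunk says the cipher "must be based on a 64- or 128-bit block cipher". Every block size below 16 bytes gets the 64 MB limit, including whatever a stream cipher reports (the commit message concedes these are not handled sensibly), and a block narrower than 64 bits would get a limit that is too generous for it. Since algs_check already rejects bad configurations by returning a string, either reject too-narrow block sizes the same way or reword the comment to say the widths are assumed rather than checked. The rationale deleted from keyset.c also belongs next to the new constants, e.g. `/* 64-bit blocks: collision probability after 64 MB is below 2^-19; blocks of 128 bits or more get 2 GB */`. algs_check starts and ends outside the hunk.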
@@ -30,18 +30,8 @@ /*----- Tunable parameters ------------------------------------------------*/ -/* --- Note on size limits --- * - * - * For a 64-bit block cipher (e.g., Blowfish), the probability of a collision - * occurring after 32 MB is less than %$2^{-21}$%, and the probability of a - * collision occurring after 64 MB is less than %$2^{-19}$%. These could be - * adjusted dependent on the encryption scheme, but it's too much pain. - */ - #define T_EXP MIN(60) /* Expiry time for a key */ #define T_REGEN MIN(45) /* Regeneration time for a key */ -#define SZ_EXP MEG(64) /* Expiry data size for a key */ -#define SZ_REGEN MEG(32) /* Data size threshold for regen */ /*----- Handy macros ------------------------------------------------------*/ @@ -153,7 +143,7 @@ static int doencrypt(keyset *ks, unsigned ty, buf *b, buf *bb) nsz = osz - sz; else nsz = 0; - if (osz >= SZ_REGEN && nsz < SZ_REGEN) { + if (osz >= ks->sz_regen && ks->sz_regen > nsz) { T( trace(T_KEYSET, "keyset: keyset %u data regen limit exceeded -- " "forcing exchange", ks->seq); ) rc = KSERR_REGEN; @@ -357,7 +347,8 @@ keyset *ks_gen(const void *k, size_t x, size_t y, size_t z, peer *p) T( ks->seq = seq++; ) ks->ref = 1; ks->t_exp = now + T_EXP; - ks->sz_exp = SZ_EXP; + ks->sz_exp = algs.expsz; + ks->sz_regen = algs.expsz/2; ks->oseq = 0; seq_reset(&ks->iseq); ks->next = 0; diff --git a/server/tripe.h b/server/tripe.h index 47c8cf0f..71c6023e 100644 --- a/server/tripe.h +++ b/server/tripe.h @@ -144,6 +144,7 @@ typedef struct algswitch { const gcmac *m; /* Message authentication code */ size_t hashsz; /* Hash output size */ size_t tagsz; /* Length to truncate MAC tags */ + size_t expsz; /* Size of data to process */ size_t cksz, mksz; /* Key lengths for @c@ and @m@ */ } algswitch; 
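Review bot: The second operand of the rewritten regen test in doencrypt is flipped to `ks->sz_regen > nsz`, where the old line read `nsz < SZ_REGEN`. Keeping the variable on the left, `if (osz >= ks->sz_regen && nsz < ks->sz_regen) {`, makes the "counter crossed the threshold" reading obvious. doencrypt starts and ends outside the hunk.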
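Review bot: In ks_gen, `ks->sz_exp = algs.expsz;` and `ks->sz_regen = algs.expsz/2;` assign a `size_t` (declared in the tripe.h hunk that follows) to `unsigned long` fields. The conversion is implicit and would truncate on a platform where `size_t` is wider than `unsigned long` if a larger limit is ever configured. The current limits appear to fit, but declaring the member as `unsigned long expsz;` in `algswitch` keeps all three in one type. The `/2` also carries over the old 64 MB/32 MB ratio without saying so; a comment such as `/* regenerate once half the data budget is used */` would record the intent. ks_gen continues outside the hunk.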
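Review bot: The comment on the new `expsz` member, `/* Size of data to process */`, does not say that this is the per-keyset data volume limit that drives key expiry and regeneration. Wording such as `/* Data limit per keyset, from cipher block size */` would make the link to `ks->sz_exp` visible to someone reading the struct on its own.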
@@ -204,7 +205,7 @@ typedef struct keyset { unsigned ref; /* Reference count for keyset */ struct peer *p; /* Pointer to peer structure */ time_t t_exp; /* Expiry time for this keyset */ - unsigned long sz_exp; /* Data limit for the keyset */ + unsigned long sz_exp, sz_regen; /* Data limits for the keyset */ T( unsigned seq; ) /* Sequence number for tracing */ unsigned f; /* Various useful flags */ gcipher *cin, *cout; /* Keyset ciphers for encryption */ -- [mdw]
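Review bot: Folding `sz_regen` into the `sz_exp` declaration leaves one shared comment for two fields that play different roles. In the doencrypt hunk `sz_regen` is a fixed threshold compared against a byte count before and after each packet, while `sz_exp` presumably holds the remaining budget (the assignment that would confirm this is outside the visible lines). Separate declarations read better: `unsigned long sz_exp; /* Data limit for the keyset */` and `unsigned long sz_regen; /* Regeneration threshold */`.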