/* The currently established session */
struct data_key current;
+ struct data_key auxiliary_key;
+ bool_t auxiliary_is_new;
uint64_t renegotiate_key_time; /* When we can negotiate a new key */
+ uint64_t auxiliary_renegotiate_key_time;
transport_peers peers; /* Current address(es) of peer for data traffic */
/* The current key setup protocol exchange. We can only be
uint64_t timeout; /* Timeout for current state */
uint8_t *dhsecret;
uint8_t *sharedsecret;
+ uint32_t sharedsecretlen;
struct transform_inst_if *new_transform; /* For key setup/verify */
};
return False;
}
if (type==LABEL_MSG2) return True;
- if (memcmp(m->nR,st->remoteN,NONCELEN)!=0) {
+ if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) {
*error="wrong remotely-generated nonce";
return False;
}
/* Generate the shared key */
st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,m.pk,
- st->sharedsecret,st->transform->keylen);
+ st->sharedsecret,st->sharedsecretlen);
/* Set up the transform */
st->new_transform->setkey(st->new_transform->st,st->sharedsecret,
- st->transform->keylen);
+ st->sharedsecretlen,st->setup_priority);
return True;
}
m.pk[m.pklen]=0;
/* Generate the shared key */
st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,m.pk,
- st->sharedsecret,st->transform->keylen);
+ st->sharedsecret,st->sharedsecretlen);
/* Set up the transform */
st->new_transform->setkey(st->new_transform->st,st->sharedsecret,
- st->transform->keylen);
+ st->sharedsecretlen,st->setup_priority);
return True;
}
return True;
}
-static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0)
+static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0,
+ const struct comm_addr *src)
{
- cstring_t transform_err, newkey_err="n/a";
+ cstring_t transform_err, auxkey_err, newkey_err="n/a";
struct msg0 m;
uint32_t problem;
problem = st->current.transform->reverse(st->current.transform->st,
msg0,&transform_err);
- if (!problem) return True;
-
- if (problem==2) {
- slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err);
- return False;
+ if (!problem) {
+ if (!st->auxiliary_is_new)
+ delete_one_key(st,&st->auxiliary_key,
+ "peer has used new key","auxiliary key",LOG_SEC);
+ return True;
+ }
+ if (problem==2)
+ goto skew;
+
+ buffer_copy(msg0, &st->scratch);
+ problem = st->auxiliary_key.transform->reverse
+ (st->auxiliary_key.transform->st,msg0,&auxkey_err);
+ if (problem==0) {
+ slog(st,LOG_DROP,"processing packet which uses auxiliary key");
+ if (st->auxiliary_is_new) {
+ /* We previously timed out in state SENTMSG5 but it turns
+ * out that our peer did in fact get our MSG5 and is
+ * using the new key. So we should switch to it too. */
+ /* This is a bit like activate_new_key. */
+ struct data_key t;
+ t=st->current;
+ st->current=st->auxiliary_key;
+ st->auxiliary_key=t;
+
+ delete_one_key(st,&st->auxiliary_key,"peer has used new key",
+ "previous key",LOG_SEC);
+ st->auxiliary_is_new=0;
+ st->renegotiate_key_time=st->auxiliary_renegotiate_key_time;
+ }
+ return True;
}
+ if (problem==2)
+ goto skew;
if (st->state==SITE_SENTMSG5) {
buffer_copy(msg0, &st->scratch);
- if (!st->new_transform->reverse(st->new_transform->st,
- msg0,&newkey_err)) {
+ problem = st->new_transform->reverse(st->new_transform->st,
+ msg0,&newkey_err);
+ if (!problem) {
/* It looks like we didn't get the peer's MSG6 */
/* This is like a cut-down enter_new_state(SITE_RUN) */
slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)");
activate_new_key(st);
return True; /* do process the data in this packet */
}
+ if (problem==2)
+ goto skew;
}
- slog(st,LOG_SEC,"transform: %s (new: %s)",transform_err,newkey_err);
+ slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)",
+ transform_err,auxkey_err,newkey_err);
initiate_key_setup(st,"incoming message would not decrypt");
+ send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt");
+ return False;
+
+ skew:
+ slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err);
return False;
}
{
uint32_t type;
- if (!decrypt_msg0(st,msg0))
+ if (!decrypt_msg0(st,msg0,src))
return False;
CHECK_AVAIL(msg0,4);
st->timeout=st->now+st->setup_retry_interval;
st->retries--;
return True;
+ } else if (st->state==SITE_SENTMSG5) {
+ slog(st,LOG_SETUP_TIMEOUT,"timed out sending MSG5, stashing new key");
+ /* We stash the key we have produced, in case it turns out that
+ * our peer did see our MSG5 after all and starts using it. */
+ /* This is a bit like some of activate_new_key */
+ struct transform_inst_if *t;
+ t=st->auxiliary_key.transform;
+ st->auxiliary_key.transform=st->new_transform;
+ st->new_transform=t;
+
+ t->delkey(t->st);
+ st->auxiliary_is_new=1;
+ st->auxiliary_key.key_timeout=st->now+st->key_lifetime;
+ st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time;
+ st->auxiliary_key.remote_session_id=st->setup_session_id;
+
+ enter_state_wait(st);
+ return False;
} else {
slog(st,LOG_SETUP_TIMEOUT,"timed out sending key setup packet "
"(in state %s)",state_name(st->state));
{
struct transform_inst_if *t;
- /* We have two transform instances, which we swap between active
- and setup */
- t=st->current.transform;
+ /* We have three transform instances, which we swap between old,
+ active and setup */
+ t=st->auxiliary_key.transform;
+ st->auxiliary_key.transform=st->current.transform;
st->current.transform=st->new_transform;
st->new_transform=t;
t->delkey(t->st);
st->timeout=0;
+ st->auxiliary_is_new=0;
+ st->auxiliary_key.key_timeout=st->current.key_timeout;
st->current.key_timeout=st->now+st->key_lifetime;
st->renegotiate_key_time=st->now+st->key_renegotiate_time;
transport_peers_copy(st,&st->peers,&st->setup_peers);
delete_one_key(st,&st->current,0,0,0);
set_link_quality(st);
}
+ delete_one_key(st,&st->auxiliary_key,0,0,0);
}
static void state_assert(struct site *st, bool_t ok)
memset(st->remoteN,0,NONCELEN);
st->new_transform->delkey(st->new_transform->st);
memset(st->dhsecret,0,st->dh->len);
- memset(st->sharedsecret,0,st->transform->keylen);
+ memset(st->sharedsecret,0,st->sharedsecretlen);
set_link_quality(st);
}
active. */
site_settimeout(st->timeout, timeout_io);
site_settimeout(st->current.key_timeout, timeout_io);
+ site_settimeout(st->auxiliary_key.key_timeout, timeout_io);
return 0; /* success */
}
}
}
check_expiry(st,&st->current,"current key");
+ check_expiry(st,&st->auxiliary_key,"auxiliary key");
}
/* This function is called by the netlink device to deliver packets
uint32_t msgtype=ntohl(get_uint32(buf->start+8));
if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True);
switch (msgtype) {
- case 0: /* NAK */
+ case LABEL_NAK:
/* If the source is our current peer then initiate a key setup,
because our peer's forgotten the key */
if (get_uint32(buf->start+4)==st->current.remote_session_id) {
st->timeout=0;
st->current.key_timeout=0;
+ st->auxiliary_key.key_timeout=0;
transport_peers_clear(st,&st->peers);
transport_peers_clear(st,&st->setup_peers);
/* XXX mlock these */
st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret");
- st->sharedsecret=safe_malloc(st->transform->keylen,"site:sharedsecret");
+ st->sharedsecretlen=st->transform->keylen?:st->dh->ceil_len;
+ st->sharedsecret=safe_malloc(st->sharedsecretlen,"site:sharedsecret");
/* We need to compute some properties of our comms */
#define COMPUTE_WORST(pad) \
st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming);
st->current.transform=st->transform->create(st->transform->st);
+ st->auxiliary_key.transform=st->transform->create(st->transform->st);
st->new_transform=st->transform->create(st->transform->st);
+ st->auxiliary_is_new=0;
enter_state_stop(st);