X-Git-Url: https://git.distorted.org.uk/~mdw/secnet/blobdiff_plain/02b0959b82910224e40025e06c01b59b65340c93..ddc1d9e0ad064de11d8bd735f7c86ab56555330e:/site.c diff --git a/site.c b/site.c index 4358cad..8fa4c11 100644 --- a/site.c +++ b/site.c @@ -267,7 +267,9 @@ struct site { /* The currently established session */ struct data_key current; struct data_key auxiliary_key; + bool_t auxiliary_is_new; uint64_t renegotiate_key_time; /* When we can negotiate a new key */ + uint64_t auxiliary_renegotiate_key_time; transport_peers peers; /* Current address(es) of peer for data traffic */ /* The current key setup protocol exchange. We can only be @@ -286,6 +288,7 @@ struct site { uint64_t timeout; /* Timeout for current state */ uint8_t *dhsecret; uint8_t *sharedsecret; + uint32_t sharedsecretlen; struct transform_inst_if *new_transform; /* For key setup/verify */ }; @@ -461,7 +464,7 @@ static bool_t check_msg(struct site *st, uint32_t type, struct msg *m, return False; } if (type==LABEL_MSG2) return True; - if (memcmp(m->nR,st->remoteN,NONCELEN)!=0) { + if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) { *error="wrong remotely-generated nonce"; return False; } @@ -559,11 +562,11 @@ static bool_t process_msg3(struct site *st, struct buffer_if *msg3, /* Generate the shared key */ st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,m.pk, - st->sharedsecret,st->transform->keylen); + st->sharedsecret,st->sharedsecretlen); /* Set up the transform */ st->new_transform->setkey(st->new_transform->st,st->sharedsecret, - st->transform->keylen); + st->sharedsecretlen,st->setup_priority); return True; } @@ -607,10 +610,10 @@ static bool_t process_msg4(struct site *st, struct buffer_if *msg4, m.pk[m.pklen]=0; /* Generate the shared key */ st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,m.pk, - st->sharedsecret,st->transform->keylen); + st->sharedsecret,st->sharedsecretlen); /* Set up the transform */ st->new_transform->setkey(st->new_transform->st,st->sharedsecret, - st->transform->keylen); + st->sharedsecretlen,st->setup_priority); return True; } @@ -728,7 +731,8 @@ static bool_t process_msg6(struct site *st, struct buffer_if *msg6, return True; } -static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0) +static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0, + const struct comm_addr *src) { cstring_t transform_err, auxkey_err, newkey_err="n/a"; struct msg0 m; @@ -742,28 +746,44 @@ static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0) problem = st->current.transform->reverse(st->current.transform->st, msg0,&transform_err); if (!problem) { - delete_one_key(st,&st->auxiliary_key, - "peer has used new key","auxiliary key",LOG_SEC); + if (!st->auxiliary_is_new) + delete_one_key(st,&st->auxiliary_key, + "peer has used new key","auxiliary key",LOG_SEC); return True; } - - if (problem==2) { - slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err); - return False; - } + if (problem==2) + goto skew; buffer_copy(msg0, &st->scratch); problem = st->auxiliary_key.transform->reverse (st->auxiliary_key.transform->st,msg0,&auxkey_err); if (problem==0) { slog(st,LOG_DROP,"processing packet which uses auxiliary key"); + if (st->auxiliary_is_new) { + /* We previously timed out in state SENTMSG5 but it turns + * out that our peer did in fact get our MSG5 and is + * using the new key. So we should switch to it too. */ + /* This is a bit like activate_new_key. */ + struct data_key t; + t=st->current; + st->current=st->auxiliary_key; + st->auxiliary_key=t; + + delete_one_key(st,&st->auxiliary_key,"peer has used new key", + "previous key",LOG_SEC); + st->auxiliary_is_new=0; + st->renegotiate_key_time=st->auxiliary_renegotiate_key_time; + } return True; } + if (problem==2) + goto skew; if (st->state==SITE_SENTMSG5) { buffer_copy(msg0, &st->scratch); - if (!st->new_transform->reverse(st->new_transform->st, - msg0,&newkey_err)) { + problem = st->new_transform->reverse(st->new_transform->st, + msg0,&newkey_err); + if (!problem) { /* It looks like we didn't get the peer's MSG6 */ /* This is like a cut-down enter_new_state(SITE_RUN) */ slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)"); @@ -772,11 +792,18 @@ static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0) activate_new_key(st); return True; /* do process the data in this packet */ } + if (problem==2) + goto skew; } slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)", transform_err,auxkey_err,newkey_err); initiate_key_setup(st,"incoming message would not decrypt"); + send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt"); + return False; + + skew: + slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err); return False; } @@ -785,7 +812,7 @@ static bool_t process_msg0(struct site *st, struct buffer_if *msg0, { uint32_t type; - if (!decrypt_msg0(st,msg0)) + if (!decrypt_msg0(st,msg0,src)) return False; CHECK_AVAIL(msg0,4); @@ -836,6 +863,24 @@ static bool_t send_msg(struct site *st) st->timeout=st->now+st->setup_retry_interval; st->retries--; return True; + } else if (st->state==SITE_SENTMSG5) { + slog(st,LOG_SETUP_TIMEOUT,"timed out sending MSG5, stashing new key"); + /* We stash the key we have produced, in case it turns out that + * our peer did see our MSG5 after all and starts using it. */ + /* This is a bit like some of activate_new_key */ + struct transform_inst_if *t; + t=st->auxiliary_key.transform; + st->auxiliary_key.transform=st->new_transform; + st->new_transform=t; + + t->delkey(t->st); + st->auxiliary_is_new=1; + st->auxiliary_key.key_timeout=st->now+st->key_lifetime; + st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time; + st->auxiliary_key.remote_session_id=st->setup_session_id; + + enter_state_wait(st); + return False; } else { slog(st,LOG_SETUP_TIMEOUT,"timed out sending key setup packet " "(in state %s)",state_name(st->state)); @@ -900,6 +945,7 @@ static void activate_new_key(struct site *st) t->delkey(t->st); st->timeout=0; + st->auxiliary_is_new=0; st->auxiliary_key.key_timeout=st->current.key_timeout; st->current.key_timeout=st->now+st->key_lifetime; st->renegotiate_key_time=st->now+st->key_renegotiate_time; @@ -972,7 +1018,7 @@ static void enter_state_run(struct site *st) memset(st->remoteN,0,NONCELEN); st->new_transform->delkey(st->new_transform->st); memset(st->dhsecret,0,st->dh->len); - memset(st->sharedsecret,0,st->transform->keylen); + memset(st->sharedsecret,0,st->sharedsecretlen); set_link_quality(st); } @@ -1248,7 +1294,7 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf, uint32_t msgtype=ntohl(get_uint32(buf->start+8)); if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True); switch (msgtype) { - case 0: /* NAK */ + case LABEL_NAK: /* If the source is our current peer then initiate a key setup, because our peer's forgotten the key */ if (get_uint32(buf->start+4)==st->current.remote_session_id) { @@ -1520,7 +1566,8 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, transport_peers_clear(st,&st->setup_peers); /* XXX mlock these */ st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret"); - st->sharedsecret=safe_malloc(st->transform->keylen,"site:sharedsecret"); + st->sharedsecretlen=st->transform->keylen?:st->dh->ceil_len; + st->sharedsecret=safe_malloc(st->sharedsecretlen,"site:sharedsecret"); /* We need to compute some properties of our comms */ #define COMPUTE_WORST(pad) \ @@ -1545,6 +1592,7 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, st->current.transform=st->transform->create(st->transform->st); st->auxiliary_key.transform=st->transform->create(st->transform->st); st->new_transform=st->transform->create(st->transform->st); + st->auxiliary_is_new=0; enter_state_stop(st);