#include <mLib/versioncmp.h>
#include <catacomb/buf.h>
+#include <catacomb/ct.h>
#include <catacomb/gcipher.h>
#include <catacomb/gmac.h>
#define SEC(n) (n##u)
#define MIN(n) (n##u * 60u)
+#define F_2P32 (65536.0*65536.0)
#define MEG(n) (n##ul * 1024ul * 1024ul)
+/* --- Timing parameters --- */
+
+#define T_EXP MIN(60) /* Expiry time for a key */
+#define T_REGEN MIN(40) /* Regeneration time for a key */
+
+#define T_VALID SEC(20) /* Challenge validity period */
+#define T_RETRYMIN SEC(2) /* Minimum retry interval */
+#define T_RETRYMAX MIN(5) /* Maximum retry interval */
+#define T_RETRYGROW (5.0/4.0) /* Retry interval growth factor */
+
+#define T_WOBBLE (1.0/3.0) /* Relative timer randomness */
+
/* --- Other things --- */
#define PKBUFSZ 65536
/*----- Cipher selections -------------------------------------------------*/
-typedef struct algswitch {
- const gccipher *c; /* Symmetric encryption scheme */
+typedef struct keyset keyset;
+typedef struct algswitch algswitch;
+typedef struct admin admin;
+
+typedef struct bulkalgs {
+ const struct bulkops *ops;
+} bulkalgs;
+
+typedef struct bulkctx {
+ const struct bulkops *ops;
+} bulkctx;
+
+typedef struct bulkchal {
+ const struct bulkops *ops;
+ size_t tagsz;
+} bulkchal;
+
+struct rawkey;
+
+typedef struct bulkops {
+ const char *name;
+
+ bulkalgs *(*getalgs)(const algswitch */*asw*/, dstr */*e*/,
+ key_file */*kf*/, key */*k*/);
+ /* Determine algorithms to use and return a @bulkalgs@ object
+ * representing the decision. On error, write tokens to @e@ and
+ * return null.
+ */
+
+ T( void (*tracealgs)(const bulkalgs */*a*/); )
+ /* Write trace information about the algorithm selection. */
+
+ int (*checkalgs)(bulkalgs */*a*/, const algswitch */*asw*/, dstr */*e*/);
+ /* Check that the algorithms in @a@ and @asw@ are acceptable. On
+ * error, write tokens to @e@ and return @-1@; otherwise return zero.
+ */
+
+ int (*samealgsp)(const bulkalgs */*a*/, const bulkalgs */*aa*/);
+ /* If @a@ and @aa@ represent the same algorithm selection, return
+ * nonzero; if not, return zero.
+ */
+
+ void (*alginfo)(const bulkalgs */*a*/, admin */*adm*/);
+ /* Report on the algorithm selection to an admin client: call
+ * @a_info@ with appropriate key-value pairs.
+ */
+
+ size_t (*overhead)(const bulkalgs */*a*/);
+ /* Return the per-packet overhead of the bulk transform, in bytes. */
+
+ size_t (*expsz)(const bulkalgs */*a*/);
+ /* Return the total size limit for the bulk transform, in bytes,
+ * after which the keys must no longer be used.
+ */
+
+ bulkctx *(*genkeys)(const bulkalgs */*a*/, const struct rawkey */*rk*/);
+ /* Generate session keys and construct and return an appropriate
+ * context for using them, by calling @ks_derive@.
+ */
+
+ bulkchal *(*genchal)(const bulkalgs */*a*/);
+ /* Construct and return a challenge issuing and verification
+ * context with a fresh random key.
+ */
+
+ void (*freealgs)(bulkalgs */*a*/);
+ /* Release an algorithm selection object. (Associated bulk
+ * encryption contexts and challenge contexts may still exist and
+ * must remain valid.)
+ */
+
+ int (*encrypt)(bulkctx */*bc*/, unsigned /*ty*/,
+ buf */*b*/, buf */*bb*/, uint32 /*seq*/);
+ /* Encrypt the packet in @b@, with type @ty@ (which doesn't need
+ * encoding separately) and sequence number @seq@ (which must be
+ * recoverable by @decrypt@), and write the result to @bb@. On
+ * error, return a @KSERR_...@ code and/or break the output buffer.
+ */
+
+ int (*decrypt)(bulkctx */*bc*/, unsigned /*ty*/,
+ buf */*b*/, buf */*bb*/, uint32 */*seq*/);
+ /* Decrypt the packet in @b@, with type @ty@, writing the result to
+ * @bb@ and storing the incoming (claimed) sequence number in @seq@.
+ * On error, return a @KSERR_...@ code.
+ */
+
+ void (*freectx)(bulkctx */*a*/);
+ /* Release a bulk encryption context and the resources it holds. */
+
+ int (*chaltag)(bulkchal */*bc*/, const void */*m*/, size_t /*msz*/,
+ void */*t*/);
+ /* Calculate a tag for the challenge in @m@, @msz@, and write it to
+ * @t@. Return @-1@ on error, zero on success.
+ */
+
+ int (*chalvrf)(bulkchal */*bc*/, const void */*m*/, size_t /*msz*/,
+ const void */*t*/);
+ /* Check the tag @t@ on @m@, @msz@: return zero if the tag is OK,
+ * nonzero if it's bad.
+ */
+
+ void (*freechal)(bulkchal */*bc*/);
+ /* Release a challenge context and the resources it holds. */
+
+} bulkops;
+
+struct algswitch {
+ const gchash *h; size_t hashsz; /* Hash function */
const gccipher *mgf; /* Mask-generation function */
- const gchash *h; /* Hash function */
- const gcmac *m; /* Message authentication code */
- size_t hashsz; /* Hash output size */
- size_t tagsz; /* Length to truncate MAC tags */
- size_t expsz; /* Size of data to process */
- size_t cksz, mksz; /* Key lengths for @c@ and @m@ */
-} algswitch;
+ bulkalgs *bulk; /* Bulk crypto algorithms */
+};
typedef struct kdata {
unsigned ref; /* Reference counter */
#define HASH_STRING(h, s) GH_HASH((h), (s), sizeof(s))
+extern const bulkops bulktab[];
+
/*----- Data structures ---------------------------------------------------*/
/* --- Socket addresses --- *
* expiry.
*/
-typedef struct keyset {
+enum { DIR_IN, DIR_OUT, NDIR };
+
+struct keyset {
struct keyset *next; /* Next active keyset in the list */
unsigned ref; /* Reference count for keyset */
struct peer *p; /* Pointer to peer structure */
unsigned long sz_exp, sz_regen; /* Data limits for the keyset */
T( unsigned seq; ) /* Sequence number for tracing */
unsigned f; /* Various useful flags */
- gcipher *cin, *cout; /* Keyset ciphers for encryption */
- size_t tagsz; /* Length to truncate MAC tags */
- gmac *min, *mout; /* Keyset MACs for integrity */
+ bulkctx *bulk; /* Bulk crypto transform */
uint32 oseq; /* Outbound sequence number */
seqwin iseq; /* Inbound sequence number */
-} keyset;
+};
#define KSF_LISTEN 1u /* Don't encrypt packets yet */
#define KSF_LINK 2u /* Key is in a linked list */
* Clive Jones.
*/
+typedef struct retry {
+ double t; /* Current retry time */
+} retry;
+
#define KX_NCHAL 16u
typedef struct kxchal {
keyset *ks; /* Pointer to temporary keyset */
unsigned f; /* Various useful flags */
sel_timer t; /* Response timer for challenge */
+ retry rs; /* Retry state */
octet hc[MAXHASHSZ]; /* Hash of his challenge */
octet ck[MAXHASHSZ]; /* His magical check value */
octet hswrq_in[MAXHASHSZ]; /* Inbound switch request message */
unsigned f; /* Various useful flags */
unsigned s; /* Current state in exchange */
sel_timer t; /* Timer for next exchange */
+ retry rs; /* Retry state */
mp *alpha; /* My temporary secret */
ge *c; /* My challenge */
ge *rx; /* The expected response */
typedef struct peerspec {
char *name; /* Peer's name */
+ char *privtag; /* Private key tag */
char *tag; /* Public key tag */
const tunnel_ops *tops; /* Tunnel operations */
unsigned long t_ka; /* Keep alive interval */
admin_jobentry *v; /* And the big array of entries */
} admin_jobtable;
-typedef struct admin {
+struct admin {
struct admin *next, *prev; /* Links to next and previous */
unsigned f; /* Various useful flags */
unsigned ref; /* Reference counter */
admin_jobtable j; /* Table of outstanding jobs */
selbuf b; /* Line buffer for commands */
sel_file w; /* Selector for write buffering */
-} admin;
+};
#define AF_DEAD 1u /* Destroy this admin block */
#define AF_CLOSE 2u /* Client closed connection */
/*----- Other macros ------------------------------------------------------*/
-#define TIMER noise_timer(RAND_GLOBAL)
+#define QUICKRAND \
+ do { rand_quick(RAND_GLOBAL); noise_timer(RAND_GLOBAL); } while (0)
/*----- Key management ----------------------------------------------------*/
extern void ks_drop(keyset */*ks*/);
+/* --- @ks_derivekey@ --- *
+ *
+ * Arguments: @octet *k@ = pointer to an output buffer of at least
+ * @MAXHASHSZ@ bytes
+ * @size_t ksz@ = actual size wanted (for tracing)
+ * @const struct rawkey *rk@ = a raw key, as passed into
+ * @genkeys@
+ * @int dir@ = direction for the key (@DIR_IN@ or @DIR_OUT@)
+ * @const char *what@ = label for the key (input to derivation)
+ *
+ * Returns: ---
+ *
+ * Use: Derives a session key, for use on incoming or outgoing data.
+ * This function is part of a private protocol between @ks_gen@
+ * and the bulk crypto transform @genkeys@ operation.
+ */
+
+extern void ks_derivekey(octet */*k*/, size_t /*ksz*/,
+ const struct rawkey */*rk*/,
+ int /*dir*/, const char */*what*/);
+
/* --- @ks_gen@ --- *
*
* Arguments: @const void *k@ = pointer to key material
size_t /*x*/, size_t /*y*/, size_t /*z*/,
peer */*p*/);
-/* --- @ks_tregen@ --- *
- *
- * Arguments: @keyset *ks@ = pointer to a keyset
- *
- * Returns: The time at which moves ought to be made to replace this key.
- */
-
-extern time_t ks_tregen(keyset */*ks*/);
-
/* --- @ks_activate@ --- *
*
* Arguments: @keyset *ks@ = pointer to a keyset
* ought to be replaced' notification is only ever given once
* for each key. Also note that this call forces a keyset to be
* used even if it's marked as not for data output.
+ *
+ * The encryption transform is permitted to corrupt @buf_u@ for
+ * its own purposes. Neither the source nor destination should
+ * be within @buf_u@; and callers mustn't expect anything stored
+ * in @buf_u@ to still
*/
extern int ks_encrypt(keyset */*ks*/, unsigned /*ty*/,
* Use: Attempts to decrypt a message using a given key. Note that
* requesting decryption with a key directly won't clear a
* marking that it's not for encryption.
+ *
+ * The decryption transform is permitted to corrupt @buf_u@ for
+ * its own purposes. Neither the source nor destination should
+ * be within @buf_u@; and callers mustn't expect anything stored
+ * in @buf_u@ to still
*/
extern int ks_decrypt(keyset */*ks*/, unsigned /*ty*/,
*
* Arguments: @dstr *d@ = where to leave the formatted message
* @const char *fmt@ = pointer to format string
- * @va_list ap@ = arguments in list
+ * @va_list *ap@ = arguments in list
*
* Returns: ---
*
* * "[!]..." ... -- @dstr_putf@-like string as single token
*/
-extern void a_vformat(dstr */*d*/, const char */*fmt*/, va_list /*ap*/);
+extern void a_vformat(dstr */*d*/, const char */*fmt*/, va_list */*ap*/);
/* --- @a_format@ --- *
*
* presentation.
*/
-extern void a_format(dstr */*d*/, const char */*fmt*/, ...);
+extern void EXECL_LIKE(0) a_format(dstr */*d*/, const char */*fmt*/, ...);
+
+/* --- @a_info@ --- *
+ *
+ * Arguments: @admin *a@ = connection
+ * @const char *fmt@ = format string
+ * @...@ = other arguments
+ *
+ * Returns: ---
+ *
+ * Use: Report information to an admin client.
+ */
+
+extern void EXECL_LIKE(0) a_info(admin */*a*/, const char */*fmt*/, ...);
/* --- @a_warn@ --- *
*
* Use: Informs all admin connections of a warning.
*/
-extern void a_warn(const char */*fmt*/, ...);
+extern void EXECL_LIKE(0) a_warn(const char */*fmt*/, ...);
/* --- @a_notify@ --- *
*
* Use: Sends a notification to interested admin connections.
*/
-extern void a_notify(const char */*fmt*/, ...);
+extern void EXECL_LIKE(0) a_notify(const char */*fmt*/, ...);
/* --- @a_create@ --- *
*
* Use: Writes a trace message.
*/
-T( extern void ps_trace(unsigned /*mask*/, const char */*fmt*/, ...); )
+T( extern void PRINTF_LIKE(2, 3)
+ ps_trace(unsigned /*mask*/, const char */*fmt*/, ...); )
/* --- @ps_warn@ --- *
*
* Use: Writes a warning message.
*/
-extern void ps_warn(const char */*fmt*/, ...);
+extern void PRINTF_LIKE(1, 2) ps_warn(const char */*fmt*/, ...);
/* --- @ps_tunfd@ --- *
*
extern const char *p_tag(peer */*p*/);
+/* --- @p_privtag@ --- *
+ *
+ * Arguments: @peer *p@ = pointer to a peer block
+ *
+ * Returns: A pointer to the peer's private key tag.
+ */
+
+extern const char *p_privtag(peer */*p*/);
+
/* --- @p_spec@ --- *
*
* Arguments: @peer *p@ = pointer to a peer block