From: Mark Wooding Date: Thu, 28 Apr 2022 15:22:01 +0000 (+0100) Subject: Merge remote-tracking branch 'origin/mdw/master.found-crybaby' X-Git-Url: https://git.distorted.org.uk/~mdw/tripe/commitdiff_plain/5891679d126ad426ed4250aeec75901bc854bf41?hp=65f2f4747511fb39ccb0c8893ccd728baceaf081 Merge remote-tracking branch 'origin/mdw/found-crybaby' * origin/mdw/master.found-crybaby: server/bulkcrypto.c: Document the procedures for producing challenges. server/chal.c: Add a missing blank line. server/tripe-admin.5.in: Place the blame correctly for a couple of errors. svc/connect.8.in: Fix message formatting. server/tripe-admin.5.in: Remove incorrect blame on Catacomb. server/tripe-admin.5.in: Improve some clumsy wording. server/tripe-admin.5.in: Add cross-reference for ECODE and MESSAGE. server/tripe-admin.5.in: Add missing origin-command notes to errors. server/tripe-admin.5.in: Use gender-neutral pronouns. server/bulkcrypto.c: Fix description comment for AEAD schemes. py/tripe.py.in: Raise an error if a command token contains a newline. --- diff --git a/py/tripe.py.in b/py/tripe.py.in index a9be6687..db194e29 100644 --- a/py/tripe.py.in +++ b/py/tripe.py.in @@ -446,6 +446,9 @@ class TripeCommand (object): def __init__(me, words): """Make a new command consisting of the given list of WORDS.""" + for word in words: + if '\n' in word: + raise TripeInternalError("command word contains newline") me.words = words class TripeSynchronousCommand (TripeCommand): diff --git a/server/bulkcrypto.c b/server/bulkcrypto.c index 4c6be323..f4d37c16 100644 --- a/server/bulkcrypto.c +++ b/server/bulkcrypto.c 
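Review bot: The new loop validates `words`, but `me.words = words` then keeps the caller's list by reference, so a word appended to that list after construction reaches the wire unchecked; unless callers depend on sharing the list, `me.words = list(words)` would close that gap. The error also gives no hint which token was bad, which matters because it is raised as an internal error rather than reported by the protocol: `raise TripeInternalError("command word contains newline: %r" % (word,))` would make the offending word visible. If any caller can pass a non-string in `words`, the `in` test raises TypeError before the intended error; the callers are not visible from this hunk. `__init__` is complete within the hunk.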
@@ -303,6 +303,14 @@ static void gencomp_freechal(bulkchal *bc) * * Decryption: checks the overall size, verifies the tag, then decrypts the * ciphertext and extracts the sequence number. + * + * Challenge tags are calculated by applying the MAC to the sequence number + * and message, concatenated as follows. + * + * +--------+---...---+ + * | seq | m | + * +--------+---...---+ + * 32 msz */ typedef struct v0_algs { @@ -538,6 +546,14 @@ static int v0_decrypt(bulkctx *bbc, unsigned ty, * | tag | seq | ciphertext | * +---...---+------+------...------+ * tagsz 32 sz + * + * Challenge tags are calculated by applying the MAC to the sequence number + * and message, concatenated as follows. + * + * +--------+---...---+ + * | seq | m | + * +--------+---...---+ + * 32 msz */ typedef struct iiv_algs { 
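Review bot: The new challenge-tag description in this hunk, and the identical one in the @@ -538 hunk that follows, say the MAC covers `seq` followed by the message, but neither states the byte order of the 32-bit `seq`, whereas the AEAD section later in the file spells out big-endian. If the generic-composition and IIV challenge code encode it the same way, one clause under each diagram such as `* (seq is a 32-bit big-endian integer)` would make the three descriptions consistent; the encoding code itself is not in this diff. Both hunks are comment-only, so no behaviour changes.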
@@ -816,17 +832,18 @@ static int iiv_decrypt(bulkctx *bbc, unsigned ty, /*----- The AEAD transform ------------------------------------------------* * - * This transform uses a general authenticated encryption scheme (the - * additional data isn't necessary). Good options include - * `chacha20-poly1305' or `rijndael-ocb3'. + * This transform uses a general authenticated encryption scheme. Processing + * additional authenticated data isn't needed for encrypting messages, but it + * is required for challenge generation. Good options include `chacha20- + * poly1305' or `rijndael-ocb3'; alas, `salsa20-naclbox' isn't acceptable. * * To be acceptable, the scheme must accept at least a 40-bit nonce. (All of - * Catacomb's current AEAD schemes are suitable.) The low 32 bits are the - * sequence number. The type is written to the next 8--32 bytes: if the - * nonce size is 64 bits or more (preferred, for compatibility reasons) then - * the type is written as 32 bits, and the remaining space is padded with - * zero bytes; otherwise, the type is right-aligned in the remaining space. - * Both fields are big-endian. + * Catacomb's current AEAD schemes are suitable in this respect.) The low 32 + * bits are the sequence number. The type is written to the next 8--32 + * bytes: if the nonce size is 64 bits or more (preferred, for compatibility + * reasons) then the type is written as 32 bits, and the remaining space is + * padded with zero bytes; otherwise, the type is right-aligned in the + * remaining space. Both fields are big-endian. * * +--------+--+ * | seq |ty| 
@@ -855,6 +872,14 @@ static int iiv_decrypt(bulkctx *bbc, unsigned ty, * +---...---+--------+------...------+ * tagsz 32 sz * + * Challenge tags are calculated by encrypting the message, using the + * sequence number as a nonce (as a big-endian integer, padding with leading + * zeroes as needed to fill the space), and discarding the ciphertext. + * + * +---...---+--------+ +-----...------+ + * | 0 | seq | | message | + * +---...---+--------+ +-----...------+ + * nsz - 32 32 msz */ #define AEAD_NONCEMAX 64 @@ -1207,6 +1232,21 @@ static int aead_decrypt(bulkctx *bbc, unsigned ty, * Note that there is no need to authenticate the type separately, since it * was used to select the cipher nonce, and hence the Poly1305 key. The * Poly1305 tag length is fixed. + * + * Challenge formation is rather tricky. We can't use Poly1305 directly + * because we need a random mask. So we proceed as follows. The challenge + * generator has a Salsa20 or ChaCha key. The sequence number is used as the + * Salsa20 message number/nonce, padded at the start with zeroes to form, + * effectively, a 64-bit big-endian integer. + * + * +--------+--------+ + * | 0 | seq | + * +--------+--------+ + * 32 32 + * + * 256 bits (32 bytes) of keystream are generated and used as a Poly1305 hash + * key r and mask s. These are then used to hash the message, and the + * resulting tag is the challenge. */ typedef struct naclbox_algs { diff --git a/server/chal.c b/server/chal.c index 68d7f048..0208e68f 100644 --- a/server/chal.c +++ b/server/chal.c @@ -47,6 +47,7 @@ static seqwin iseq; static void c_genkey(void) { bulkalgs *bulk = master->algs.bulk; + if (bchal && bchal->ops == bulk->ops && oseq < 0x07ffffff) return; if (bchal) bchal->ops->freechal(bchal); bchal = bulk->ops->genchal(bulk); diff --git a/server/tripe-admin.5.in b/server/tripe-admin.5.in index ba29f123..e637650a 100644 --- a/server/tripe-admin.5.in +++ b/server/tripe-admin.5.in 
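Review bot: The new paragraph in the @@ -855 hunk says a challenge tag is formed by encrypting the message and discarding the ciphertext, yet the rewritten header comment in the @@ -816 hunk above says processing additional authenticated data is required for challenge generation and rules out `salsa20-naclbox' on that basis. Those describe different constructions: encrypting the message as plaintext needs no AAD, while passing it as AAD with an empty plaintext does. One of the two should be corrected to match what the AEAD challenge code actually does, which is not visible in this diff; if the AAD path is the real one, the sentence could read `Challenge tags are calculated by authenticating the message as additional data, with an empty plaintext, using the sequence number as the nonce ...`, and the `message' box in the diagram would then be labelled as the AAD input.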
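Review bot: The added early return in `c_genkey` keeps the current challenge key whenever `oseq < 0x07ffffff`, but the constant is unexplained, so a reader cannot tell why the key is rotated before the 32-bit counter is exhausted or why this particular margin was chosen. A named constant with a why-comment would carry that, for example `#define CHAL_SEQ_ROLLOVER 0x07ffffff /* regenerate the challenge key well before the sequence space runs out */` (name illustrative), if that is indeed the intent. Whether the comparison behaves as intended also depends on the declared type of `oseq`, which is outside the hunk; if it is a signed type the comparison should be revisited. The rest of `c_genkey`, including wherever `oseq` is reset after `genchal`, lies outside the hunk.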
@@ -1064,7 +1064,9 @@ string was invalid. of arguments was wrong. .SP .BI "bad-time-spec " token -The +(For commands accepting a +.I time +argument.) The .I token is not a valid time interval specification. Acceptable time specifications are nonnegative integers followed optionally by @@ -1090,6 +1092,12 @@ An unknown watch option was requested. .BR DAEMON .) An error occurred during the attempt to become a daemon, as reported by .IR message . +See +.B WARNINGS +below for the meanings of +.I ecode +and +.IR message . .SP .BI "disabled-address-family " afam (For @@ -1133,6 +1141,8 @@ There is already a peer named .IR peer . .SP .B "ping-send-failed" +(For +.BR EPING .) The attempt to send a ping packet failed, probably due to lack of encryption keys. .SP @@ -1443,7 +1453,7 @@ command or in greeting packets. .SP .B "CHAL impossible-challenge" The server hasn't issued any challenges yet. Quite how anyone else -thought he could make one up is hard to imagine. +thought they could make one up is hard to imagine. .SP .B "CHAL incorrect-tag" Challenge received contained the wrong authentication data. It might be @@ -1506,8 +1516,9 @@ implementation of HMAC for the selected hash function .BI "KEYMGMT " which "-keyring " file " key " tag " unknown-bulk-transform " bulk The key specifies the use of an unknown bulk-crypto transform .IR bulk . -Maybe the key was generated wrongly, or maybe the version of Catacomb -installed is too old. +Maybe the key was generated wrongly, or maybe the version of +.BR tripe (8) +is too old. .SP .BI "KEYMGMT " which "-keyring " file " key " tag " unknown-cipher " cipher The key specifies the use of an unknown symmetric encryption algorithm 
@@ -1544,7 +1555,9 @@ version of Catacomb installed is too old. The key specifies the use of an unknown serialization format .I ser for hashing group elements. Maybe the key was generated wrongly, or -maybe the version of Catacomb installed is too old. +maybe the version of +.BR tripe (8) +is too old. .SP .BI "KEYMGMT " which "-keyring " file " key " tag " unsuitable-aead-cipher " cipher "no-aad" The key specifies the use of an authenticated encryption scheme @@ -1566,10 +1579,9 @@ use the .B naclbox bulk transform rather than .B aead -for these -(or switch to the IETF +for these, or switch to one of the IETF .IB cipher -poly1305 -schemes instead). +schemes instead. .SP .BI "KEYMGMT " which "-keyring " file " key " tag " unsuitable-aead-cipher " cipher "nonce-too-small" The key specifies the use of an authenticated encryption scheme diff --git a/svc/connect.8.in b/svc/connect.8.in index 1e4e2d25..abfefad4 100644 --- a/svc/connect.8.in +++ b/svc/connect.8.in @@ -810,7 +810,7 @@ consecutive attempts time out, the .B connect service will take further action. .SP -.B "USER connect reconnecting " peer +.BI "USER connect reconnecting " peer The dynamically connected .I peer seems to be unresponsive. The