nts: add support for encrypting cookies with AES-128-GCM-SIV

If AES-128-GCM-SIV is available on the server, use it for encryption of
cookies. This makes them shorter by 4 bytes due to shorter nonce and it
might also improve the server performance.

After server upgrade and restart with ntsdumpdir, the switch will happen
on the second rotation of the server key. Clients should accept shorter
cookies without restarting NTS-KE. The first response will have extra
padding in the authenticator field to make the length symmetric.

diff --git a/nts_ke_server.c b/nts_ke_server.c
index aadb15f88dcfd5555ca6b9eda32a70f0cd5e7ef9..2fd576d717c1b36904a2c6484df30aa2ce80d687 100644 (file)
--- a/nts_ke_server.c
+++ b/nts_ke_server.c
@@ -47,8 +47,7 @@
 
 #define SERVER_TIMEOUT 2.0
 
-#define SERVER_COOKIE_SIV AEAD_AES_SIV_CMAC_256
-#define SERVER_COOKIE_NONCE_LENGTH 16
+#define MAX_COOKIE_NONCE_LENGTH 16
 
 #define KEY_ID_INDEX_BITS 2
 #define MAX_SERVER_KEYS (1U << KEY_ID_INDEX_BITS)
@@ -61,17 +60,19 @@
 
 typedef struct {
   uint32_t key_id;
-  unsigned char nonce[SERVER_COOKIE_NONCE_LENGTH];
 } ServerCookieHeader;
 
 typedef struct {
   uint32_t id;
   unsigned char key[SIV_MAX_KEY_LENGTH];
+  SIV_Algorithm siv_algorithm;
   SIV_Instance siv;
+  int nonce_length;
 } ServerKey;
 
 typedef struct {
   uint32_t key_id;
+  uint32_t siv_algorithm;
   unsigned char key[SIV_MAX_KEY_LENGTH];
   IPAddr client_addr;
   uint16_t client_port;
@@ -148,6 +149,23 @@ handle_client(int sock_fd, IPSockAddr *addr)
 
 /* ================================================== */
 
+static void
+update_key_siv(ServerKey *key, SIV_Algorithm algorithm)
+{
+  if (!key->siv || key->siv_algorithm != algorithm) {
+    if (key->siv)
+      SIV_DestroyInstance(key->siv);
+    key->siv_algorithm = algorithm;
+    key->siv = SIV_CreateInstance(algorithm);
+    key->nonce_length = MIN(SIV_GetMaxNonceLength(key->siv), MAX_COOKIE_NONCE_LENGTH);
+  }
+
+  if (!key->siv || !SIV_SetKey(key->siv, key->key, SIV_GetKeyLength(key->siv_algorithm)))
+    LOG_FATAL("Could not set SIV key");
+}
+
+/* ================================================== */
+
 static void
 handle_helper_request(int fd, int event, void *arg)
 {
@@ -189,8 +207,7 @@ handle_helper_request(int fd, int event, void *arg)
   UTI_IPNetworkToHost(&req->client_addr, &client_addr.ip_addr);
   client_addr.port = ntohs(req->client_port);
 
-  if (!SIV_SetKey(key->siv, key->key, SIV_GetKeyLength(SERVER_COOKIE_SIV)))
-    LOG_FATAL("Could not set SIV key");
+  update_key_siv(key, ntohl(req->siv_algorithm));
 
   if (!handle_client(sock_fd, &client_addr)) {
     SCK_CloseSocket(sock_fd);
@@ -240,6 +257,7 @@ accept_connection(int listening_fd, int event, void *arg)
 
     /* Include the current server key and client address in the request */
     req.key_id = htonl(server_keys[current_server_key].id);
+    req.siv_algorithm = htonl(server_keys[current_server_key].siv_algorithm);
     assert(sizeof (req.key) == sizeof (server_keys[current_server_key].key));
     memcpy(req.key, server_keys[current_server_key].key, sizeof (req.key));
     UTI_IPHostToNetwork(&addr.ip_addr, &req.client_addr);
@@ -471,29 +489,37 @@ handle_message(void *arg)
 static void
 generate_key(int index)
 {
+  SIV_Algorithm algorithm;
   ServerKey *key;
   int key_length;
 
   if (index < 0 || index >= MAX_SERVER_KEYS)
     assert(0);
 
+  /* Prefer AES-128-GCM-SIV if available.  Note that if older keys loaded
+     from ntsdumpdir use a different algorithm, responding to NTP requests
+     with cookies encrypted with those keys will not work if the new algorithm
+     produces longer cookies (i.e. response would be longer than request).
+     Switching from AES-SIV-CMAC-256 to AES-128-GCM-SIV is ok. */
+  algorithm = SIV_GetKeyLength(AEAD_AES_128_GCM_SIV) > 0 ?
+              AEAD_AES_128_GCM_SIV : AEAD_AES_SIV_CMAC_256;
+
   key = &server_keys[index];
-  key_length = SIV_GetKeyLength(SERVER_COOKIE_SIV);
+
+  key_length = SIV_GetKeyLength(algorithm);
   if (key_length > sizeof (key->key))
     assert(0);
 
   UTI_GetRandomBytesUrandom(key->key, key_length);
-
-  if (!key->siv || !SIV_SetKey(key->siv, key->key, key_length))
-    LOG_FATAL("Could not set SIV key");
-
   UTI_GetRandomBytes(&key->id, sizeof (key->id));
 
   /* Encode the index in the lowest bits of the ID */
   key->id &= -1U << KEY_ID_INDEX_BITS;
   key->id |= index;
 
-  DEBUG_LOG("Generated server key %"PRIX32, key->id);
+  update_key_siv(key, algorithm);
+
+  DEBUG_LOG("Generated key %"PRIX32" (%d)", key->id, (int)key->siv_algorithm);
 
   last_server_key_ts = SCH_GetLastEventMonoTime();
 }
@@ -521,16 +547,18 @@ save_keys(void)
   if (!f)
     return;
 
-  key_length = SIV_GetKeyLength(SERVER_COOKIE_SIV);
+  key_length = SIV_GetKeyLength(server_keys[0].siv_algorithm);
   last_key_age = SCH_GetLastEventMonoTime() - last_server_key_ts;
 
-  if (fprintf(f, "%s%d %.1f\n", DUMP_IDENTIFIER, SERVER_COOKIE_SIV, last_key_age) < 0)
+  if (fprintf(f, "%s%d %.1f\n", DUMP_IDENTIFIER, (int)server_keys[0].siv_algorithm,
+              last_key_age) < 0)
     goto error;
 
   for (i = 0; i < MAX_SERVER_KEYS; i++) {
     index = (current_server_key + i + 1 + FUTURE_KEYS) % MAX_SERVER_KEYS;
 
     if (key_length > sizeof (server_keys[index].key) ||
+        server_keys[index].siv_algorithm != server_keys[0].siv_algorithm ||
         !UTI_BytesToHex(server_keys[index].key, key_length, buf, sizeof (buf)) ||
         fprintf(f, "%08"PRIX32" %s\n", server_keys[index].id, buf) < 0)
       goto error;
@@ -578,11 +606,11 @@ load_keys(void)
 
   if (!fgets(line, sizeof (line), f) || strcmp(line, DUMP_IDENTIFIER) != 0 ||
       !fgets(line, sizeof (line), f) || UTI_SplitString(line, words, MAX_WORDS) != 2 ||
-        sscanf(words[0], "%d", &algorithm) != 1 || algorithm != SERVER_COOKIE_SIV ||
+        sscanf(words[0], "%d", &algorithm) != 1 || SIV_GetKeyLength(algorithm) <= 0 ||
         sscanf(words[1], "%lf", &key_age) != 1)
     goto error;
 
-  key_length = SIV_GetKeyLength(SERVER_COOKIE_SIV);
+  key_length = SIV_GetKeyLength(algorithm);
   last_server_key_ts = SCH_GetLastEventMonoTime() - MAX(key_age, 0.0);
 
   for (i = 0; i < MAX_SERVER_KEYS && fgets(line, sizeof (line), f); i++) {
@@ -599,10 +627,9 @@ load_keys(void)
     assert(sizeof (server_keys[index].key) == sizeof (key));
     memcpy(server_keys[index].key, key, key_length);
 
-    if (!SIV_SetKey(server_keys[index].siv, server_keys[index].key, key_length))
-      LOG_FATAL("Could not set SIV key");
+    update_key_siv(&server_keys[index], algorithm);
 
-    DEBUG_LOG("Loaded key %"PRIX32, id);
+    DEBUG_LOG("Loaded key %"PRIX32" (%d)", id, (int)algorithm);
 
     current_server_key = (index + MAX_SERVER_KEYS - FUTURE_KEYS) % MAX_SERVER_KEYS;
   }
@@ -761,7 +788,7 @@ NKS_Initialise(void)
   /* Generate random keys, even if they will be replaced by reloaded keys,
      or unused (in the helper) */
   for (i = 0; i < MAX_SERVER_KEYS; i++) {
-    server_keys[i].siv = SIV_CreateInstance(SERVER_COOKIE_SIV);
+    server_keys[i].siv = NULL;
     generate_key(i);
   }
 
@@ -854,7 +881,7 @@ NKS_ReloadKeys(void)
 int
 NKS_GenerateCookie(NKE_Context *context, NKE_Cookie *cookie)
 {
-  unsigned char plaintext[2 * NKE_MAX_KEY_LENGTH], *ciphertext;
+  unsigned char *nonce, plaintext[2 * NKE_MAX_KEY_LENGTH], *ciphertext;
   int plaintext_length, tag_length;
   ServerCookieHeader *header;
   ServerKey *key;
@@ -879,7 +906,11 @@ NKS_GenerateCookie(NKE_Context *context, NKE_Cookie *cookie)
   header = (ServerCookieHeader *)cookie->cookie;
 
   header->key_id = htonl(key->id);
-  UTI_GetRandomBytes(header->nonce, sizeof (header->nonce));
+
+  nonce = cookie->cookie + sizeof (*header);
+  if (key->nonce_length > sizeof (cookie->cookie) - sizeof (*header))
+    assert(0);
+  UTI_GetRandomBytes(nonce, key->nonce_length);
 
   plaintext_length = context->c2s.length + context->s2c.length;
   assert(plaintext_length <= sizeof (plaintext));
@@ -887,11 +918,11 @@ NKS_GenerateCookie(NKE_Context *context, NKE_Cookie *cookie)
   memcpy(plaintext + context->c2s.length, context->s2c.key, context->s2c.length);
 
   tag_length = SIV_GetTagLength(key->siv);
-  cookie->length = sizeof (*header) + plaintext_length + tag_length;
+  cookie->length = sizeof (*header) + key->nonce_length + plaintext_length + tag_length;
   assert(cookie->length <= sizeof (cookie->cookie));
-  ciphertext = cookie->cookie + sizeof (*header);
+  ciphertext = cookie->cookie + sizeof (*header) + key->nonce_length;
 
-  if (!SIV_Encrypt(key->siv, header->nonce, sizeof (header->nonce),
+  if (!SIV_Encrypt(key->siv, nonce, key->nonce_length,
                    "", 0,
                    plaintext, plaintext_length,
                    ciphertext, plaintext_length + tag_length)) {
@@ -907,7 +938,7 @@ NKS_GenerateCookie(NKE_Context *context, NKE_Cookie *cookie)
 int
 NKS_DecodeCookie(NKE_Cookie *cookie, NKE_Context *context)
 {
-  unsigned char plaintext[2 * NKE_MAX_KEY_LENGTH], *ciphertext;
+  unsigned char *nonce, plaintext[2 * NKE_MAX_KEY_LENGTH], *ciphertext;
   int ciphertext_length, plaintext_length, tag_length;
   ServerCookieHeader *header;
   ServerKey *key;
@@ -924,8 +955,6 @@ NKS_DecodeCookie(NKE_Cookie *cookie, NKE_Context *context)
   }
 
   header = (ServerCookieHeader *)cookie->cookie;
-  ciphertext = cookie->cookie + sizeof (*header);
-  ciphertext_length = cookie->length - sizeof (*header);
 
   key_id = ntohl(header->key_id);
   key = &server_keys[key_id % MAX_SERVER_KEYS];
@@ -935,18 +964,23 @@ NKS_DecodeCookie(NKE_Cookie *cookie, NKE_Context *context)
   }
 
   tag_length = SIV_GetTagLength(key->siv);
-  if (tag_length >= ciphertext_length) {
+
+  if (cookie->length <= (int)sizeof (*header) + key->nonce_length + tag_length) {
     DEBUG_LOG("Invalid cookie length");
     return 0;
   }
 
+  nonce = cookie->cookie + sizeof (*header);
+  ciphertext = cookie->cookie + sizeof (*header) + key->nonce_length;
+  ciphertext_length = cookie->length - sizeof (*header) - key->nonce_length;
   plaintext_length = ciphertext_length - tag_length;
+
   if (plaintext_length > sizeof (plaintext) || plaintext_length % 2 != 0) {
     DEBUG_LOG("Invalid cookie length");
     return 0;
   }
 
-  if (!SIV_Decrypt(key->siv, header->nonce, sizeof (header->nonce),
+  if (!SIV_Decrypt(key->siv, nonce, key->nonce_length,
                    "", 0,
                    ciphertext, ciphertext_length,
                    plaintext, plaintext_length)) {