From 65a7ad467798161a10b53674f0c2f6c0c3994354 Mon Sep 17 00:00:00 2001
From: Marc Schoolderman
Date: Thu, 16 Nov 2023 18:08:04 +0100
Subject: [PATCH] make sure code is untouched in non-nts-pool mode

---
 ntp-proto/src/nts_record.rs | 33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/ntp-proto/src/nts_record.rs b/ntp-proto/src/nts_record.rs
index 36e89cc39..a976dd18f 100644
--- a/ntp-proto/src/nts_record.rs
+++ b/ntp-proto/src/nts_record.rs
@@ -229,7 +229,8 @@ impl NtsRecord {
 pub fn client_key_exchange_records_fixed(
 c2s: Vec,
 s2c: Vec,
- ) -> [NtsRecord; if cfg!(feature = "ntpv5") { 5 } else { 4 }] {
+ ) -> [NtsRecord; 3 + cfg!(feature = "ntpv5") as usize + cfg!(feature = "nts-pool") as usize]
+ {
 [
 #[cfg(feature = "ntpv5")]
 NtsRecord::DraftId {
@@ -249,6 +250,7 @@ impl NtsRecord {
 .map(|algorithm| *algorithm as u16)
 .collect(),
 },
+ #[cfg(feature = "nts-pool")]
 NtsRecord::FixedKeyRequest { c2s, s2c },
 NtsRecord::EndOfMessage,
 ]
@@ -1136,6 +1138,7 @@ struct ServerKeyExchangeData {
 struct KeyMethod {
 algorithm: AeadAlgorithm,
 /// By default, perform key extraction to acquire the c2s and s2c keys; otherwise, use the fixed keys.
+ #[cfg(feature = "nts-pool")]
 fixed_keys: Option,
 }
 
@@ -1173,13 +1176,11 @@ impl KeyExchangeServerDecoder {
 #[cfg(feature = "nts-pool")]
 let fixed_keys = state.fixed_key_request;
 
- #[cfg(not(feature = "nts-pool"))]
- let fixed_keys = None;
-
 let algorithm = state.algorithm;
 
 KeyMethod {
 algorithm,
+ #[cfg(feature = "nts-pool")]
 fixed_keys,
 }
 };
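Review bot: In a build without `nts-pool`, `client_key_exchange_records_fixed` still accepts `c2s` and `s2c` but, per the cfg added in the following hunk, emits no `FixedKeyRequest` record, so a caller's keys are silently discarded and the exchange falls back to TLS-extracted keys instead of failing at compile time; the unused parameters will also trip `unused_variables` under `-D warnings`. Since the function is meaningless without the feature, gate the whole item instead of only its return-type arithmetic: add `#[cfg(feature = "nts-pool")]` above `pub fn client_key_exchange_records_fixed(` and reduce the length to `4 + cfg!(feature = "ntpv5") as usize`. A one-line doc comment such as `/// Key-exchange request that asks the server to use the supplied c2s/s2c keys (requires the `nts-pool` feature).` would also make the feature dependency visible to callers. The function body continues past the end of this hunk.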
@@ -1397,30 +1398,33 @@ impl KeyExchangeServer {
 let protocol = result.protocol;
 let algorithm = key_method.algorithm;
 
- tracing::debug!(
- ?algorithm,
- "{}",
- if key_method.fixed_keys.is_none() {
- "selected AEAD algorithm for key extraction"
- } else {
- "using fixed keys with AEAD algorithm"
- }
- );
+ tracing::debug!(?algorithm, "selected AEAD algorithm",);
 
+ #[cfg(feature = "nts-pool")]
 let keys = if let Some(keys) = key_method.fixed_keys {
 if self.privileged_connection {
+ tracing::debug!("using fixed keys for AEAD algorithm");
 algorithm
 .try_into_nts_keys(keys)
 .ok_or(KeyExchangeError::InvalidFixedKeyLength)
 } else {
+ tracing::debug!("refused fixed key request due to improper authorization");
 Err(KeyExchangeError::UnrecognizedCriticalRecord)
 }
 } else {
+ tracing::debug!(
+ "using AEAD keys extracted from TLS connection"
+ );
 algorithm
 .extract_nts_keys(protocol, &self.tls_connection)
 .map_err(KeyExchangeError::Tls)
 };
 
+ #[cfg(not(feature = "nts-pool"))]
+ let keys = algorithm
+ .extract_nts_keys(protocol, &self.tls_connection)
+ .map_err(KeyExchangeError::Tls);
+
 let send_response = || -> Result<(), KeyExchangeError> {
 self.send_response(protocol, algorithm, keys?)
 .map_err(KeyExchangeError::Io)
@@ -1474,11 +1478,10 @@ impl KeyExchangeServer {
 .find(|&allowed_cert| allowed_cert == cert)
 })
 .is_some();
- #[cfg(not(feature = "nts-pool"))]
- let privileged_connection = false;
 
 Ok(Self {
 tls_connection,
+ #[cfg(feature = "nts-pool")]
 privileged_connection,
 decoder: Some(KeyExchangeServerDecoder::new()),
 keyset,
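Review bot: The refusal branch records an unprivileged connection asking the server to adopt client-supplied NTS keys only at `debug!` level, so this authorization failure leaves no trace in a normally configured log; it should be emitted at `warn!`, e.g. `tracing::warn!("refused fixed key request from unprivileged connection");`, with peer identity added if it is available in this method. Answering the peer with `UnrecognizedCriticalRecord` rather than a distinct error is fine, since it does not disclose whether fixed keys are supported at all. As a style point, the trailing comma in `tracing::debug!(?algorithm, "selected AEAD algorithm",);` is stray, and the three-line `tracing::debug!("using AEAD keys extracted from TLS connection");` would likely be collapsed by rustfmt. The enclosing method starts before this hunk and continues after it.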