This commit fixes the timestamp issues in public key tests.

In order to do this, the ability to disable timestamp verification is
enabled. Furthermore, pubkey mode can be modified to decrypt topic
messages IF the client does not hold a public key for that identifier.

This option should be avoided where possible.

Author: diagprov

README.md

@@ -31,7 +31,8 @@ key management framework for MQTT and other publish-subscribe protocols.
                         const uint8_t *message,
                         size_t message_len,
                         const char *topic_name,
-                        e4storage *storage);` - this function takes a message 
+                        e4storage *storage,
+                        const uint32_t proto_opts);` - this function takes a message 
    to be protected and a "topic" for which it should be protected and returns 
    ciphertext that can be sent using your messaging layer.
  * `int e4c_unprotect_message(uint8_t *message,
@@ -40,7 +41,8 @@ key management framework for MQTT and other publish-subscribe protocols.
                           const uint8_t *ciphertext,
                           size_t ciphertext_len,
                           const char *topic_name,
-                          e4storage *storage);`
+                          e4storage *storage,
+                          const uint32_t proto_opts);`
     This function performs the reverse of the protect function. 
 
 We talk of message *protection* instead of just *encryption* because the 

include/e4/e4.h

@@ -95,6 +95,19 @@ struct _e4storage;
  defines. */
 typedef struct _e4storage e4storage;
 
+/* Options bits for e4c crypto functions: */
+
+/* Disable checks on message timestamp within acceptable window 
+ * Packet timestamps are still covered by authenticated encryption, 
+ * but older messages are allowed */
+#define E4_OPTION_IGNORE_TIMESTAMP         0x01
+/* Disable failure if we do not have a client public key to validate 
+ * signatures. Corrupt signatures will ALWAYS fail, this is only 
+ * for the case where too many clients exist for us to store all of 
+ * their keys. */
+#define E4_OPTION_IGNORE_MISSING_PUBKEY    0x02
+
+
 /* e4c_protect_message produces a protected message for onwards
    transmission. 
 
@@ -126,7 +139,8 @@ int e4c_protect_message(uint8_t *ciphertext,
                         const uint8_t *message,
                         size_t message_len,
                         const char *topic_name,
-                        e4storage *storage);
+                        e4storage *storage,
+                        const uint32_t proto_opts);
 
 /* e4c_unprotect_message retrieves and authenticates a message that was 
 encrypted by E4.
@@ -158,8 +172,8 @@ int e4c_unprotect_message(uint8_t *message,
                           const uint8_t *ciphertext,
                           size_t ciphertext_len,
                           const char *topic_name,
-                          e4storage *storage
-                          );
+                          e4storage *storage,
+                          const uint32_t proto_opts);
 
 
 /* the e4storage type pre-defined above implements these API calls */

src/e4pkcclient.c

@@ -47,7 +47,8 @@ int e4c_protect_message(uint8_t *cptr,
                         const uint8_t *mptr,
                         size_t mlen,
                         const char *topic,
-                        e4storage *storage)
+                        e4storage *storage,
+                        const uint32_t proto_opts)
 {
     int i = 0;
     size_t clen_siv = 0;
@@ -140,7 +141,8 @@ int e4c_unprotect_message(uint8_t *mptr,
                           const uint8_t *cptr,
                           size_t clen,
                           const char *topic,
-                          e4storage *storage)
+                          e4storage *storage,
+                          const uint32_t proto_opts)
 {
     uint8_t control = 0;
     int j = 0, r = 0;
@@ -152,9 +154,9 @@ int e4c_unprotect_message(uint8_t *mptr,
     size_t sivpayloadlen = 0;
 
 #ifndef __AVR__
-    /*uint64_t secs1970;
+    uint64_t secs1970;
 
-    secs1970 = (uint64_t)time(NULL); / this system has a RTC */
+    secs1970 = (uint64_t)time(NULL); /* this system has a RTC */
 #endif
 
     if (cptr == NULL ||
@@ -225,27 +227,31 @@ int e4c_unprotect_message(uint8_t *mptr,
         if (i >= 0)
         {
             e4c_getdevicekey(sender_pk, storage, i);
-        }
-        else
-        {
-            /* TODO: policies to not validate sigs if key not found
-               due to storage constraints.
-
-               NOTE: this MUST NOT be conflated with signature verif
-               failure. If signatures fail to verify we will _always_
-               reject the message.
-             */
-
-            return E4_ERROR_DEVICEPK_MISSING;
-        }
-
-        /* check signature attached to end */
-        signverifresult = ed25519_verify(&cptr[clen-E4_PK_EDDSA_SIG_LEN],
+        
+            /* check signature attached to end */
+            signverifresult = ed25519_verify(&cptr[clen-E4_PK_EDDSA_SIG_LEN],
                 cptr, clen-E4_PK_EDDSA_SIG_LEN, sender_pk);
 
-        if (signverifresult != 1)
+            if (signverifresult != 1)
+            {
+                return E4_ERROR_PK_SIGVERIF_FAILED;
+            }
+        }
+        else
         {
-            return E4_ERROR_PK_SIGVERIF_FAILED;
+            /* NOTE: given the limited storage capacity of 
+             * client devices, it might be acceptable to decrypt topic messages 
+             * even when we do not have the public key of the sending client.
+             * If E4_OPTION_IGNORE_MISSING_PUBKEY is set, the client has 
+             * asked for this behaviour. If not, we should return an error.
+             *
+             * THIS IS NOT THE SAME as disabling signature validation. IF we 
+             * have a key at all for a client, signature verification 
+             * must succeed. This option is a get-out for when we cannot 
+             * store keys due to storage constraints */
+            if ( !(proto_opts & E4_OPTION_IGNORE_MISSING_PUBKEY) ) {
+                return E4_ERROR_DEVICEPK_MISSING;
+            }
         }
 
         /* find the topic key and set it */
@@ -299,31 +305,33 @@ int e4c_unprotect_message(uint8_t *mptr,
 
 
     /* Since AVR has no real time clock, time is initially unknown. */
-    /*if (secs1970 < 946684800)
+    if (secs1970 < 946684800)
     {
-        /.* calibrate message if this is a control message 
+        /* calibrate message if this is a control message */ 
         if (control) {
             secs1970 = tstamp;
         }
     }
     else
     {
 
-        if (tstamp >= secs1970)
-        {
-            if (tstamp - secs1970 > E4C_TIME_FUTURE)
+        if (!(proto_opts & E4_OPTION_IGNORE_TIMESTAMP )) {   
+            if (tstamp >= secs1970)
             {
-                return E4_ERROR_TIMESTAMP_IN_FUTURE;
+                if (tstamp - secs1970 > E4C_TIME_FUTURE)
+                {
+                    return E4_ERROR_TIMESTAMP_IN_FUTURE;
+                }
             }
-        }
-        else
-        {
-            if (secs1970 - tstamp > E4C_TIME_TOO_OLD)
+            else
             {
-                return E4_ERROR_TIMESTAMP_TOO_OLD;
+                if (secs1970 - tstamp > E4C_TIME_TOO_OLD)
+                {
+                    return E4_ERROR_TIMESTAMP_TOO_OLD;
+                }
             }
         }
-    }*/
+    }
 
     /* if not control channel, we can exit now; no command to process. */
     if (!(control)) return E4_RESULT_OK;

src/e4symclient.c

@@ -43,7 +43,8 @@ int e4c_protect_message(uint8_t *cptr,
                         const uint8_t *mptr,
                         size_t mlen,
                         const char *topic,
-                        e4storage *storage)
+                        e4storage *storage,
+                        const uint32_t proto_opts)
 {
     int i = 0;
     uint8_t key[E4_KEY_LEN];
@@ -112,7 +113,8 @@ int e4c_unprotect_message(uint8_t *mptr,
                           const uint8_t *cptr,
                           size_t clen,
                           const char *topic,
-                          e4storage *storage)
+                          e4storage *storage,
+                          const uint32_t proto_opts)
 {
     uint8_t control = 0;
     int i = 0, j = 0, r = 0;
@@ -190,19 +192,20 @@ int e4c_unprotect_message(uint8_t *mptr,
     }
     else
     {
-
-        if (tstamp >= secs1970)
-        {
-            if (tstamp - secs1970 > E4C_TIME_FUTURE)
+        if (!(proto_opts & E4_OPTION_IGNORE_TIMESTAMP )) {   
+            if (tstamp >= secs1970)
             {
-                return E4_ERROR_TIMESTAMP_IN_FUTURE;
+                if (tstamp - secs1970 > E4C_TIME_FUTURE)
+                {
+                    return E4_ERROR_TIMESTAMP_IN_FUTURE;
+                }
             }
-        }
-        else
-        {
-            if (secs1970 - tstamp > E4C_TIME_TOO_OLD)
+            else
             {
-                return E4_ERROR_TIMESTAMP_TOO_OLD;
+                if (secs1970 - tstamp > E4C_TIME_TOO_OLD)
+                {
+                    return E4_ERROR_TIMESTAMP_TOO_OLD;
+                }
             }
         }
     }

test/pubkey/pubkey_e4cmd_test.c

@@ -102,7 +102,8 @@ int main(int argc, char** argv, char** envp) {
                           pkkat[i].cmd_resettopics,
                           pkkat[i].cmd_resettopics_len,
                           ctrltopic,
-                          &store);
+                          &store,
+                          E4_OPTION_IGNORE_TIMESTAMP);
 
         if ( e4retcode != E4_RESULT_OK_CONTROL ) {
             printf("Failed: e4c_unprotect_message returned error code other than 'this is a command'\n");
@@ -120,7 +121,8 @@ int main(int argc, char** argv, char** envp) {
                           pkkat[i].cmd_settopickey,
                           pkkat[i].cmd_settopickey_len,
                           ctrltopic,
-                          &store);
+                          &store,
+                          E4_OPTION_IGNORE_TIMESTAMP);
 
         if ( e4retcode != E4_RESULT_OK_CONTROL ) {
             printf("Failed: e4c_unprotect_message returned error code other than 'this is a command'\n");
@@ -138,7 +140,8 @@ int main(int argc, char** argv, char** envp) {
                           pkkat[i].cmd_removetopic,
                           pkkat[i].cmd_removetopic_len,
                           ctrltopic,
-                          &store);
+                          &store,
+                          E4_OPTION_IGNORE_TIMESTAMP);
 
         if ( e4retcode != E4_RESULT_OK_CONTROL ) {
             printf("Failed: e4c_unprotect_message returned error code other than 'this is a command'\n");
@@ -156,7 +159,8 @@ int main(int argc, char** argv, char** envp) {
                           pkkat[i].cmd_resetpubkeys,
                           pkkat[i].cmd_resetpubkeys_len,
                           ctrltopic,
-                          &store);
+                          &store,
+                          E4_OPTION_IGNORE_TIMESTAMP);
 
         if ( e4retcode != E4_RESULT_OK_CONTROL ) {
             printf("Failed: e4c_unprotect_message returned error code other than 'this is a command'\n");
@@ -174,7 +178,8 @@ int main(int argc, char** argv, char** envp) {
                           pkkat[i].cmd_setpubkey,
                           pkkat[i].cmd_setpubkey_len,
                           ctrltopic,
-                          &store);
+                          &store, 
+                          E4_OPTION_IGNORE_TIMESTAMP);
 
         if ( e4retcode != E4_RESULT_OK_CONTROL ) {
             printf("Failed: e4c_unprotect_message returned error code other than 'this is a command'\n");
@@ -192,7 +197,8 @@ int main(int argc, char** argv, char** envp) {
                           pkkat[i].cmd_removepubkey,
                           pkkat[i].cmd_removepubkey_len,
                           ctrltopic,
-                          &store);
+                          &store, 
+                          E4_OPTION_IGNORE_TIMESTAMP);
 
         if ( e4retcode != E4_RESULT_OK_CONTROL ) {
             printf("Failed: e4c_unprotect_message returned error code other than 'this is a command'\n");

test/symkey/symkey_file.c

@@ -146,7 +146,7 @@ int main(int argc, char** argv, char** envp) {
         }
 
         e4retcode = e4c_protect_message(ciphertext_buffer, PT_MAX+E4_MSGHDR_LEN, &ciphertext_len,
-            plaintext_buffer, PT_MAX, topicname, &store);
+            plaintext_buffer, PT_MAX, topicname, &store, 0);
 
         if (e4retcode != E4_RESULT_OK) {
             returncode = 12;
@@ -164,7 +164,7 @@ int main(int argc, char** argv, char** envp) {
            get rid of this functionality and leave it to the user. For now, 
            we fix it by passing the correct length of the recovered buffer. */
         e4retcode = e4c_unprotect_message(recovered_buffer, PT_MAX+1, &recovered_len,
-            ciphertext_buffer, PT_MAX+E4_MSGHDR_LEN, topicname, &store);
+            ciphertext_buffer, PT_MAX+E4_MSGHDR_LEN, topicname, &store, 0);
 
         if (e4retcode != E4_RESULT_OK) {
             returncode = 13;