Fix engine not starting on Windows if linked against SDL > 2.0.5
index 8428c6784c483e44e6070b286e334734e9490ec2..05d763d6cdc673f82603f4639549ccbe5f8ede87 100644 (file)
--- a/crypto.c
+++ b/crypto.c
@@ -7,16 +7,21 @@
 #include "libcurl.h"
 
 cvar_t crypto_developer = {CVAR_SAVE, "crypto_developer", "0", "print extra info about crypto handshake"};
+cvar_t crypto_aeslevel = {CVAR_SAVE, "crypto_aeslevel", "1", "whether to support AES encryption in authenticated connections (0 = no, 1 = supported, 2 = requested, 3 = required)"};
+
 cvar_t crypto_servercpupercent = {CVAR_SAVE, "crypto_servercpupercent", "10", "allowed crypto CPU load in percent for server operation (0 = no limit, faster)"};
 cvar_t crypto_servercpumaxtime = {CVAR_SAVE, "crypto_servercpumaxtime", "0.01", "maximum allowed crypto CPU time per frame (0 = no limit)"};
 cvar_t crypto_servercpudebug = {CVAR_SAVE, "crypto_servercpudebug", "0", "print statistics about time usage by crypto"};
 static double crypto_servercpu_accumulator = 0;
 static double crypto_servercpu_lastrealtime = 0;
-cvar_t crypto_aeslevel = {CVAR_SAVE, "crypto_aeslevel", "1", "whether to support AES encryption in authenticated connections (0 = no, 1 = supported, 2 = requested, 3 = required)"};
+
+extern cvar_t net_sourceaddresscheck;
+
 int crypto_keyfp_recommended_length;
 static const char *crypto_idstring = NULL;
 static char crypto_idstring_buf[512];
 
+
 #define PROTOCOL_D0_BLIND_ID FOURCC_D0PK
 #define PROTOCOL_VLEN (('v' << 0) | ('l' << 8) | ('e' << 16) | ('n' << 24))
 
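Review bot: `extern cvar_t net_sourceaddresscheck;` is declared directly in crypto.c, so the compiler cannot check the declaration against the cvar's definition. Declaring it in the header of the module that defines the cvar, and including that header here, would keep the two in sync. The cvar is used by the new source-address checks in Crypto_ClientParsePacket further down.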
@@ -489,6 +494,7 @@ typedef struct
        char challenge[2048];
        char wantserver_idfp[FP64_SIZE+1];
        qboolean wantserver_aes;
+       qboolean wantserver_issigned;
        int cdata_id;
 }
 crypto_data_t;
@@ -556,6 +562,7 @@ typedef struct crypto_storedhostkey_s
        int keyid;
        char idfp[FP64_SIZE+1];
        int aeslevel;
+       qboolean issigned;
 }
 crypto_storedhostkey_t;
 static crypto_storedhostkey_t *crypto_storedhostkey_hashtable[CRYPTO_HOSTKEY_HASHSIZE];
@@ -612,6 +619,7 @@ static void Crypto_StoreHostKey(lhnetaddress_t *peeraddress, const char *keystri
        int keyid;
        char idfp[FP64_SIZE+1];
        int aeslevel;
+       qboolean issigned;
 
        if(!d0_blind_id_dll)
                return;
@@ -626,10 +634,12 @@ static void Crypto_StoreHostKey(lhnetaddress_t *peeraddress, const char *keystri
                ++keystring;
 
        keyid = -1;
+       issigned = false;
        while(*keystring && keyid < 0)
        {
                // id@key
                const char *idstart, *idend, *keystart, *keyend;
+               qboolean thisissigned = true;
                ++keystring; // skip the space
                idstart = keystring;
                while(*keystring && *keystring != ' ' && *keystring != '@')
@@ -643,14 +653,23 @@ static void Crypto_StoreHostKey(lhnetaddress_t *peeraddress, const char *keystri
                        ++keystring;
                keyend = keystring;
 
+               if (keystart[0] == '~')
+               {
+                       thisissigned = false;
+                       ++keystart;
+               }
+
                if(idend - idstart == FP64_SIZE && keyend - keystart == FP64_SIZE)
                {
-                       for(keyid = MAX_PUBKEYS - 1; keyid >= 0; --keyid)
-                               if(pubkeys[keyid])
-                                       if(!memcmp(pubkeys_fp64[keyid], keystart, FP64_SIZE))
+                       int thiskeyid;
+                       for(thiskeyid = MAX_PUBKEYS - 1; thiskeyid >= 0; --thiskeyid)
+                               if(pubkeys[thiskeyid])
+                                       if(!memcmp(pubkeys_fp64[thiskeyid], keystart, FP64_SIZE))
                                        {
                                                memcpy(idfp, idstart, FP64_SIZE);
                                                idfp[FP64_SIZE] = 0;
+                                               keyid = thiskeyid;
+                                               issigned = thisissigned;
                                                break;
                                        }
                        // If this failed, keyid will be -1.
@@ -672,8 +691,11 @@ static void Crypto_StoreHostKey(lhnetaddress_t *peeraddress, const char *keystri
                                Con_Printf("Server %s tried to change the host key to a value not in the host cache. Connecting to it will fail. To accept the new host key, do crypto_hostkey_clear %s\n", buf, buf);
                        if(hk->aeslevel > aeslevel)
                                Con_Printf("Server %s tried to reduce encryption status, not accepted. Connecting to it will fail. To accept, do crypto_hostkey_clear %s\n", buf, buf);
+                       if(hk->issigned > issigned)
+                               Con_Printf("Server %s tried to reduce signature status, not accepted. Connecting to it will fail. To accept, do crypto_hostkey_clear %s\n", buf, buf);
                }
                hk->aeslevel = max(aeslevel, hk->aeslevel);
+               hk->issigned = issigned;
                return;
        }
 
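Review bot: The existing-entry branch overwrites the stored flag with `hk->issigned = issigned;` right after printing "tried to reduce signature status, not accepted", so the reduction is in fact stored, while `aeslevel` on the line above is kept with `max()`. Once the flag is cleared, the later `!status && CDATA->wantserver_issigned` check in Crypto_ClientParsePacket has nothing left to enforce for that host. Keeping the stronger value, `hk->issigned = hk->issigned || issigned;`, would match both the message and the aeslevel handling. The enclosing condition and the callers that reach this branch are outside the hunk, so confirm which key strings can arrive here.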
@@ -684,10 +706,11 @@ static void Crypto_StoreHostKey(lhnetaddress_t *peeraddress, const char *keystri
        memcpy(hk->idfp, idfp, FP64_SIZE+1);
        hk->next = crypto_storedhostkey_hashtable[hashindex];
        hk->aeslevel = aeslevel;
+       hk->issigned = issigned;
        crypto_storedhostkey_hashtable[hashindex] = hk;
 }
 
-qboolean Crypto_RetrieveHostKey(lhnetaddress_t *peeraddress, int *keyid, char *keyfp, size_t keyfplen, char *idfp, size_t idfplen, int *aeslevel)
+qboolean Crypto_RetrieveHostKey(lhnetaddress_t *peeraddress, int *keyid, char *keyfp, size_t keyfplen, char *idfp, size_t idfplen, int *aeslevel, qboolean *issigned)
 {
        char buf[128];
        int hashindex;
@@ -711,6 +734,8 @@ qboolean Crypto_RetrieveHostKey(lhnetaddress_t *peeraddress, int *keyid, char *k
                strlcpy(idfp, hk->idfp, idfplen);
        if(aeslevel)
                *aeslevel = hk->aeslevel;
+       if(issigned)
+               *issigned = hk->issigned;
 
        return true;
 }
@@ -793,6 +818,19 @@ static qboolean Crypto_SavePubKeyTextFile(int i)
        return true;
 }
 
+static void Crypto_BuildIdString(void)
+{
+       int i;
+       char vabuf[1024];
+
+       crypto_idstring = NULL;
+       dpsnprintf(crypto_idstring_buf, sizeof(crypto_idstring_buf), "%d", d0_rijndael_dll ? crypto_aeslevel.integer : 0);
+       for (i = 0; i < MAX_PUBKEYS; ++i)
+               if (pubkeys[i])
+                       strlcat(crypto_idstring_buf, va(vabuf, sizeof(vabuf), " %s@%s%s", pubkeys_priv_fp64[i], pubkeys_havesig[i] ? "" : "~", pubkeys_fp64[i]), sizeof(crypto_idstring_buf));
+       crypto_idstring = crypto_idstring_buf;
+}
+
 void Crypto_LoadKeys(void)
 {
        char buf[8192];
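Review bot: Crypto_BuildIdString appends an entry for every slot where `pubkeys[i]` is set, whereas the line removed from Crypto_LoadKeys only appended after the private ID had been verified and `pubkeys_havepriv[i]` set. Slots that hold only a public key would now be advertised with whatever `pubkeys_priv_fp64[i]` contains, presumably an empty ID, and they take room in the 512-byte `crypto_idstring_buf`, where `strlcat` truncates silently. Guarding the loop with `if (pubkeys[i] && pubkeys_havepriv[i])` would keep the earlier behaviour. A short comment giving the format, `// "<aeslevel> <idfp>@[~]<keyfp> ...", '~' marks a key without a valid signature`, would also help, since the parser documents it only as `id@key`.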
@@ -814,8 +852,6 @@ void Crypto_LoadKeys(void)
        //   PUBLIC KEYS to accept (including modulus)
        //   PRIVATE KEY of user
 
-       crypto_idstring = NULL;
-       dpsnprintf(crypto_idstring_buf, sizeof(crypto_idstring_buf), "%d", d0_rijndael_dll ? crypto_aeslevel.integer : 0);
        for(i = 0; i < MAX_PUBKEYS; ++i)
        {
                memset(pubkeys_fp64[i], 0, sizeof(pubkeys_fp64[i]));
@@ -845,12 +881,10 @@ void Crypto_LoadKeys(void)
                                                        if(qd0_blind_id_verify_private_id(pubkeys[i]) && qd0_blind_id_verify_public_id(pubkeys[i], &status))
                                                        {
                                                                pubkeys_havepriv[i] = true;
-                                                               strlcat(crypto_idstring_buf, va(vabuf, sizeof(vabuf), " %s@%s", pubkeys_priv_fp64[i], pubkeys_fp64[i]), sizeof(crypto_idstring_buf));
+                                                               pubkeys_havesig[i] = status;
 
                                                                // verify the key we just got (just in case)
-                                                               if(status)
-                                                                       pubkeys_havesig[i] = true;
-                                                               else
+                                                               if(!status)
                                                                        Con_Printf("NOTE: this ID has not yet been signed!\n");
 
                                                                Crypto_SavePubKeyTextFile(i);
@@ -879,9 +913,9 @@ void Crypto_LoadKeys(void)
                        }
                }
        }
-       crypto_idstring = crypto_idstring_buf;
 
        keygen_i = -1;
+       Crypto_BuildIdString();
        Crypto_BuildChallengeAppend();
 
        // find a good prefix length for all the keys we know (yes, algorithm is not perfect yet, may yield too long prefix length)
@@ -1153,6 +1187,8 @@ static void Crypto_KeyGen_Finished(int code, size_t length_received, unsigned ch
 
        Con_Printf("Saved to key_%d.d0si%s\n", keygen_i, sessionid.string);
 
+       Crypto_BuildIdString();
+
        keygen_i = -1;
        SV_UnlockThreadMutex();
 }
@@ -1691,12 +1727,12 @@ static int Crypto_ServerParsePacket_Internal(const char *data_in, size_t len_in,
                        return CRYPTO_NOMATCH; // will be later accepted if encryption was set up
                // validate the challenge
                for (i = 0;i < MAX_CHALLENGES;i++)
-                       if(challenge[i].time > 0)
-                               if (!LHNETADDRESS_Compare(peeraddress, &challenge[i].address) && !strcmp(challenge[i].string, s))
+                       if(challenges[i].time > 0)
+                               if (!LHNETADDRESS_Compare(peeraddress, &challenges[i].address) && !strcmp(challenges[i].string, s))
                                        break;
                // if the challenge is not recognized, drop the packet
                if (i == MAX_CHALLENGES) // challenge mismatch is silent
-                       return CRYPTO_DISCARD; // pre-challenge: rather be silent
+                       return Crypto_SoftServerError(data_out, len_out, "missing challenge in connect");
 
                crypto = Crypto_ServerFindInstance(peeraddress, false);
                if(!crypto || !crypto->authenticated)
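Review bot: The comments kept at `if (i == MAX_CHALLENGES) // challenge mismatch is silent` and "drop the packet" no longer describe the new line, which routes the mismatch through Crypto_SoftServerError. The message "missing challenge in connect" is also reported for a challenge that was present but not recognised. Suggest `"invalid challenge in connect"` to match the `d0pk\\0` hunk below, and updating or dropping the stale comment. All of the returns changed in this hunk and the next one are reached before the peer has proven anything. Crypto_SoftServerError is defined outside this page, so it should be confirmed to send no reply and to log only at developer level, as Crypto_SoftClientError does after this commit.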
@@ -1711,23 +1747,23 @@ static int Crypto_ServerParsePacket_Internal(const char *data_in, size_t len_in,
                id = (cnt ? atoi(cnt) : -1);
                cnt = InfoString_GetValue(string + 4, "cnt", infostringvalue, sizeof(infostringvalue));
                if(!cnt)
-                       return CRYPTO_DISCARD; // pre-challenge: rather be silent
+                       return Crypto_SoftServerError(data_out, len_out, "missing cnt in d0pk");
                GetUntilNul(&data_in, &len_in);
                if(!data_in)
-                       return CRYPTO_DISCARD; // pre-challenge: rather be silent
+                       return Crypto_SoftServerError(data_out, len_out, "missing appended data in d0pk");
                if(!strcmp(cnt, "0"))
                {
                        int i;
                        if (!(s = InfoString_GetValue(string + 4, "challenge", infostringvalue, sizeof(infostringvalue))))
-                               return CRYPTO_DISCARD; // pre-challenge: rather be silent
+                               return Crypto_SoftServerError(data_out, len_out, "missing challenge in d0pk\\0");
                        // validate the challenge
                        for (i = 0;i < MAX_CHALLENGES;i++)
-                               if(challenge[i].time > 0)
-                                       if (!LHNETADDRESS_Compare(peeraddress, &challenge[i].address) && !strcmp(challenge[i].string, s))
+                               if(challenges[i].time > 0)
+                                       if (!LHNETADDRESS_Compare(peeraddress, &challenges[i].address) && !strcmp(challenges[i].string, s))
                                                break;
                        // if the challenge is not recognized, drop the packet
-                       if (i == MAX_CHALLENGES) // challenge mismatch is silent
-                               return CRYPTO_DISCARD; // pre-challenge: rather be silent
+                       if (i == MAX_CHALLENGES)
+                               return Crypto_SoftServerError(data_out, len_out, "invalid challenge in d0pk\\0");
 
                        if (!(s = InfoString_GetValue(string + 4, "aeslevel", infostringvalue, sizeof(infostringvalue))))
                                aeslevel = 0; // not supported
@@ -1802,6 +1838,7 @@ static int Crypto_ServerParsePacket_Internal(const char *data_in, size_t len_in,
                                // I am the server, and my key is ok... so let's set server_keyfp and server_idfp
                                strlcpy(crypto->server_keyfp, pubkeys_fp64[CDATA->s], sizeof(crypto->server_keyfp));
                                strlcpy(crypto->server_idfp, pubkeys_priv_fp64[CDATA->s], sizeof(crypto->server_idfp));
+                               crypto->server_issigned = pubkeys_havesig[CDATA->s];
 
                                if(!CDATA->id)
                                        CDATA->id = qd0_blind_id_new();
@@ -1942,10 +1979,9 @@ static int Crypto_ServerParsePacket_Internal(const char *data_in, size_t len_in,
                                CLEAR_CDATA;
                                return Crypto_ServerError(data_out, len_out, "d0_blind_id_authenticate_with_private_id_verify failed (authentication error)", "Authentication error");
                        }
-                       if(status)
-                               strlcpy(crypto->client_keyfp, pubkeys_fp64[CDATA->c], sizeof(crypto->client_keyfp));
-                       else
-                               crypto->client_keyfp[0] = 0;
+                       strlcpy(crypto->client_keyfp, pubkeys_fp64[CDATA->c], sizeof(crypto->client_keyfp));
+                       crypto->client_issigned = status;
+
                        memset(crypto->client_idfp, 0, sizeof(crypto->client_idfp));
                        fpbuflen = FP64_SIZE;
                        if(!qd0_blind_id_fingerprint64_public_id(CDATA->id, crypto->client_idfp, &fpbuflen))
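Review bot: `crypto->client_keyfp` is now filled in even when `status` is false, so a non-empty `client_keyfp` no longer implies that the ID carries a valid signature for that key. The same change is made for `server_keyfp` in the client-side hunk at `-2428,10 +2475,15`. Any consumer outside this file that treated `client_keyfp[0]` as proof of a signed identity needs to test `client_issigned` as well; those consumers are not visible here. A comment at the assignment would make the new contract explicit, for example `// keyfp is set for unsigned IDs too; check client_issigned before trusting it`.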
@@ -2044,7 +2080,7 @@ static int Crypto_ClientError(char *data_out, size_t *len_out, const char *msg)
 static int Crypto_SoftClientError(char *data_out, size_t *len_out, const char *msg)
 {
        *len_out = 0;
-       Con_Printf("%s\n", msg);
+       Con_DPrintf("%s\n", msg);
        return CRYPTO_DISCARD;
 }
 
@@ -2068,7 +2104,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
        if (len_in == 6 && !memcmp(string, "accept", 6) && cls.connect_trying && d0_rijndael_dll)
        {
                int wantserverid = -1;
-               Crypto_RetrieveHostKey(&cls.connect_address, &wantserverid, NULL, 0, NULL, 0, NULL);
+               Crypto_RetrieveHostKey(&cls.connect_address, &wantserverid, NULL, 0, NULL, 0, NULL, NULL);
                if(!crypto || !crypto->authenticated) // we ALSO get here if we are using an encrypted connection, so let's rule this out
                {
                        if(wantserverid >= 0)
@@ -2081,7 +2117,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
        else if (len_in >= 1 && string[0] == 'j' && cls.connect_trying && d0_rijndael_dll)
        {
                int wantserverid = -1;
-               Crypto_RetrieveHostKey(&cls.connect_address, &wantserverid, NULL, 0, NULL, 0, NULL);
+               Crypto_RetrieveHostKey(&cls.connect_address, &wantserverid, NULL, 0, NULL, 0, NULL, NULL);
                //if(!crypto || !crypto->authenticated)
                {
                        if(wantserverid >= 0)
@@ -2096,14 +2132,14 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
                int wantserverid = -1;
 
                // these three are harmless
-               if(string[4] == CCREP_SERVER_INFO)
+               if((unsigned char) string[4] == CCREP_SERVER_INFO)
                        return CRYPTO_NOMATCH;
-               if(string[4] == CCREP_PLAYER_INFO)
+               if((unsigned char) string[4] == CCREP_PLAYER_INFO)
                        return CRYPTO_NOMATCH;
-               if(string[4] == CCREP_RULE_INFO)
+               if((unsigned char) string[4] == CCREP_RULE_INFO)
                        return CRYPTO_NOMATCH;
 
-               Crypto_RetrieveHostKey(&cls.connect_address, &wantserverid, NULL, 0, NULL, 0, NULL);
+               Crypto_RetrieveHostKey(&cls.connect_address, &wantserverid, NULL, 0, NULL, 0, NULL, NULL);
                //if(!crypto || !crypto->authenticated)
                {
                        if(wantserverid >= 0)
@@ -2152,11 +2188,16 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
                qboolean server_can_auth = true;
                char wantserver_idfp[FP64_SIZE+1];
                int wantserver_aeslevel = 0;
+               qboolean wantserver_issigned = false;
+
+               // Must check the source IP here, if we want to prevent other servers' replies from falsely advancing the crypto state, preventing successful connect to the real server.
+               if (net_sourceaddresscheck.integer && LHNETADDRESS_Compare(peeraddress, &cls.connect_address))
+                       return Crypto_SoftClientError(data_out, len_out, "challenge message from wrong server");
 
                // if we have a stored host key for the server, assume serverid to already be selected!
                // (the loop will refuse to overwrite this one then)
                wantserver_idfp[0] = 0;
-               Crypto_RetrieveHostKey(&cls.connect_address, &wantserverid, NULL, 0, wantserver_idfp, sizeof(wantserver_idfp), &wantserver_aeslevel);
+               Crypto_RetrieveHostKey(&cls.connect_address, &wantserverid, NULL, 0, wantserver_idfp, sizeof(wantserver_idfp), &wantserver_aeslevel, &wantserver_issigned);
                // requirement: wantserver_idfp is a full ID if wantserverid set
 
                // if we leave, we have to consider the connection
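Review bot: The source-address guard is written out twice, here and again in the `d0pk\\` branch further down, with only the message differing. A small static helper taking `peeraddress` and the message would keep the two copies from drifting. The guard is skipped when `net_sourceaddresscheck` is 0, and the `accept` and `j` branches earlier in this function look up the stored key for `cls.connect_address` without comparing `peeraddress`. Whether they need the same guard depends on code outside the hunks shown. The function body starts and ends outside this hunk.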
@@ -2169,7 +2210,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
                GetUntilNul(&data_in, &len_in);
                if(!data_in)
                        return (wantserverid >= 0) ? Crypto_ClientError(data_out, len_out, "Server tried an unauthenticated connection even though a host key is present") :
-                               (d0_rijndael_dll && crypto_aeslevel.integer >= 3) ? Crypto_ServerError(data_out, len_out, "This server requires encryption to be not required (crypto_aeslevel <= 2)", NULL) :
+                               (d0_rijndael_dll && crypto_aeslevel.integer >= 3) ? Crypto_ClientError(data_out, len_out, "This server requires encryption to be not required (crypto_aeslevel <= 2)") :
                                CRYPTO_NOMATCH;
 
                // FTEQW extension protocol
@@ -2205,7 +2246,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
 
                if(!vlen_blind_id_ptr)
                        return (wantserverid >= 0) ? Crypto_ClientError(data_out, len_out, "Server tried an unauthenticated connection even though authentication is required") :
-                               (d0_rijndael_dll && crypto_aeslevel.integer >= 3) ? Crypto_ServerError(data_out, len_out, "This server requires encryption to be not required (crypto_aeslevel <= 2)", NULL) :
+                               (d0_rijndael_dll && crypto_aeslevel.integer >= 3) ? Crypto_ClientError(data_out, len_out, "This server requires encryption to be not required (crypto_aeslevel <= 2)") :
                                CRYPTO_NOMATCH;
 
                data_in = vlen_blind_id_ptr;
@@ -2262,6 +2303,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
                        crypto->server_keyfp[0] = 0;
                        crypto->server_idfp[0] = 0;
                        memcpy(CDATA->wantserver_idfp, wantserver_idfp, sizeof(crypto->server_idfp));
+                       CDATA->wantserver_issigned = wantserver_issigned;
 
                        if(CDATA->wantserver_idfp[0]) // if we know a host key, honor its encryption setting
                        switch(bound(0, d0_rijndael_dll ? crypto_aeslevel.integer : 0, 3))
@@ -2269,7 +2311,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
                                default: // dummy, never happens, but to make gcc happy...
                                case 0:
                                        if(wantserver_aeslevel >= 3)
-                                               return Crypto_ServerError(data_out, len_out, "This server requires encryption to be not required (crypto_aeslevel <= 2)", NULL);
+                                               return Crypto_ClientError(data_out, len_out, "This server requires encryption to be not required (crypto_aeslevel <= 2)");
                                        CDATA->wantserver_aes = false;
                                        break;
                                case 1:
@@ -2280,7 +2322,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
                                        break;
                                case 3:
                                        if(wantserver_aeslevel <= 0)
-                                               return Crypto_ServerError(data_out, len_out, "This server requires encryption to be supported (crypto_aeslevel >= 1, and d0_rijndael library must be present)", NULL);
+                                               return Crypto_ClientError(data_out, len_out, "This server requires encryption to be supported (crypto_aeslevel >= 1, and d0_rijndael library must be present)");
                                        CDATA->wantserver_aes = true;
                                        break;
                        }
@@ -2296,6 +2338,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
                                // I am the client, and my key is ok... so let's set client_keyfp and client_idfp
                                strlcpy(crypto->client_keyfp, pubkeys_fp64[CDATA->c], sizeof(crypto->client_keyfp));
                                strlcpy(crypto->client_idfp, pubkeys_priv_fp64[CDATA->c], sizeof(crypto->client_idfp));
+                               crypto->client_issigned = pubkeys_havesig[CDATA->c];
                        }
 
                        if(serverid >= 0)
@@ -2339,7 +2382,6 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
                                data_out_p += *len_out;
                                *len_out = data_out_p - data_out;
                        }
-
                        return CRYPTO_DISCARD;
                }
                else
@@ -2347,7 +2389,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
                        if(wantserver_idfp[0]) // if we know a host key, honor its encryption setting
                        if(wantserver_aeslevel >= 3)
                                return Crypto_ClientError(data_out, len_out, "Server insists on encryption, but neither can authenticate to the other");
-                       return (d0_rijndael_dll && crypto_aeslevel.integer >= 3) ? Crypto_ServerError(data_out, len_out, "This server requires encryption to be not required (crypto_aeslevel <= 2)", NULL) :
+                       return (d0_rijndael_dll && crypto_aeslevel.integer >= 3) ? Crypto_ClientError(data_out, len_out, "This server requires encryption to be not required (crypto_aeslevel <= 2)") :
                                CRYPTO_NOMATCH;
                }
        }
@@ -2355,6 +2397,11 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
        {
                const char *cnt;
                int id;
+
+               // Must check the source IP here, if we want to prevent other servers' replies from falsely advancing the crypto state, preventing successful connect to the real server.
+               if (net_sourceaddresscheck.integer && LHNETADDRESS_Compare(peeraddress, &cls.connect_address))
+                       return Crypto_SoftClientError(data_out, len_out, "d0pk\\ message from wrong server");
+
                cnt = InfoString_GetValue(string + 4, "id", infostringvalue, sizeof(infostringvalue));
                id = (cnt ? atoi(cnt) : -1);
                cnt = InfoString_GetValue(string + 4, "cnt", infostringvalue, sizeof(infostringvalue));
@@ -2368,7 +2415,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
                {
                        if(id >= 0)
                                if(CDATA->cdata_id != id)
-                                       return Crypto_SoftServerError(data_out, len_out, va(vabuf, sizeof(vabuf), "Got d0pk\\id\\%d when expecting %d", id, CDATA->cdata_id));
+                                       return Crypto_SoftClientError(data_out, len_out, va(vabuf, sizeof(vabuf), "Got d0pk\\id\\%d when expecting %d", id, CDATA->cdata_id));
                        if(CDATA->next_step != 1)
                                return Crypto_SoftClientError(data_out, len_out, va(vabuf, sizeof(vabuf), "Got d0pk\\cnt\\%s when expecting %d", cnt, CDATA->next_step));
 
@@ -2417,7 +2464,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
 
                        if(id >= 0)
                                if(CDATA->cdata_id != id)
-                                       return Crypto_SoftServerError(data_out, len_out, va(vabuf, sizeof(vabuf), "Got d0pk\\id\\%d when expecting %d", id, CDATA->cdata_id));
+                                       return Crypto_SoftClientError(data_out, len_out, va(vabuf, sizeof(vabuf), "Got d0pk\\id\\%d when expecting %d", id, CDATA->cdata_id));
                        if(CDATA->next_step != 3)
                                return Crypto_SoftClientError(data_out, len_out, va(vabuf, sizeof(vabuf), "Got d0pk\\cnt\\%s when expecting %d", cnt, CDATA->next_step));
 
@@ -2428,10 +2475,15 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
                                CLEAR_CDATA;
                                return Crypto_ClientError(data_out, len_out, "d0_blind_id_authenticate_with_private_id_verify failed (server authentication error)");
                        }
-                       if(status)
-                               strlcpy(crypto->server_keyfp, pubkeys_fp64[CDATA->s], sizeof(crypto->server_keyfp));
-                       else
-                               crypto->server_keyfp[0] = 0;
+
+                       strlcpy(crypto->server_keyfp, pubkeys_fp64[CDATA->s], sizeof(crypto->server_keyfp));
+                       if (!status && CDATA->wantserver_issigned)
+                       {
+                               CLEAR_CDATA;
+                               return Crypto_ClientError(data_out, len_out, "Stored host key requires a valid signature, but server did not provide any");
+                       }
+                       crypto->server_issigned = status;
+
                        memset(crypto->server_idfp, 0, sizeof(crypto->server_idfp));
                        fpbuflen = FP64_SIZE;
                        if(!qd0_blind_id_fingerprint64_public_id(CDATA->id, crypto->server_idfp, &fpbuflen))
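Review bot: `crypto->server_keyfp` is written before the new `!status && CDATA->wantserver_issigned` rejection, so a handshake that is refused for a missing signature still leaves the key fingerprint in `crypto`. Moving the `strlcpy` below the check, next to `crypto->server_issigned = status;`, keeps the rejected path from touching connection state. Whether Crypto_ClientError or CLEAR_CDATA resets `crypto` is not visible in this hunk, so this may already be harmless.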
@@ -2453,7 +2505,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
                        }
 
                        // cache the server key
-                       Crypto_StoreHostKey(&cls.connect_address, va(vabuf, sizeof(vabuf), "%d %s@%s", crypto->use_aes ? 1 : 0, crypto->server_idfp, pubkeys_fp64[CDATA->s]), false);
+                       Crypto_StoreHostKey(&cls.connect_address, va(vabuf, sizeof(vabuf), "%d %s@%s%s", crypto->use_aes ? 1 : 0, crypto->server_idfp, crypto->server_issigned ? "" : "~", pubkeys_fp64[CDATA->s]), false);
 
                        if(CDATA->c >= 0)
                        {
@@ -2494,7 +2546,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
 
                        if(id >= 0)
                                if(CDATA->cdata_id != id)
-                                       return Crypto_SoftServerError(data_out, len_out, va(vabuf, sizeof(vabuf), "Got d0pk\\id\\%d when expecting %d", id, CDATA->cdata_id));
+                                       return Crypto_SoftClientError(data_out, len_out, va(vabuf, sizeof(vabuf), "Got d0pk\\id\\%d when expecting %d", id, CDATA->cdata_id));
                        if(CDATA->next_step != 5)
                                return Crypto_SoftClientError(data_out, len_out, va(vabuf, sizeof(vabuf), "Got d0pk\\cnt\\%s when expecting %d", cnt, CDATA->next_step));