1 /* site.c - manage communication with a remote network site */
3 /* The 'site' code doesn't know anything about the structure of the
4 packets it's transmitting. In fact, under the new netlink
5 configuration scheme it doesn't need to know anything at all about
6 IP addresses, except how to contact its peer. This means it could
7 potentially be used to tunnel other protocols too (IPv6, IPX, plain
8 old Ethernet frames) if appropriate netlink code can be written
9 (and that ought not to be too hard, eg. using the TUN/TAP device to
10 pretend to be an Ethernet interface). */
12 /* At some point in the future the netlink code will be asked for
13 configuration information to go in the PING/PONG packets at the end
14 of the key exchange. */
21 #include <sys/socket.h>
25 #include "unaligned.h"
28 #define SETUP_BUFFER_LEN 2048
30 #define DEFAULT_KEY_LIFETIME (3600*1000) /* [ms] */
31 #define DEFAULT_KEY_RENEGOTIATE_GAP (5*60*1000) /* [ms] */
32 #define DEFAULT_SETUP_RETRIES 5
33 #define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
34 #define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
36 #define DEFAULT_MOBILE_KEY_LIFETIME (2*24*3600*1000) /* [ms] */
37 #define DEFAULT_MOBILE_KEY_RENEGOTIATE_GAP (12*3600*1000) /* [ms] */
38 #define DEFAULT_MOBILE_SETUP_RETRIES 30
39 #define DEFAULT_MOBILE_SETUP_RETRY_INTERVAL (1*1000) /* [ms] */
40 #define DEFAULT_MOBILE_WAIT_TIME (10*1000) /* [ms] */
42 #define DEFAULT_MOBILE_PEER_EXPIRY (2*60) /* [s] */
43 #define DEFAULT_MOBILE_PEERS_MAX 3 /* send at most this many copies (default) */
45 /* Each site can be in one of several possible states. */
48 SITE_STOP - nothing is allowed to happen; tunnel is down;
49 all session keys have been erased
50 -> SITE_RUN upon external instruction
51 SITE_RUN - site up, maybe with valid key
52 -> SITE_RESOLVE upon outgoing packet and no valid key
53 we start name resolution for the other end of the tunnel
54 -> SITE_SENTMSG2 upon valid incoming message 1 and suitable time
55 we send an appropriate message 2
56 SITE_RESOLVE - waiting for name resolution
57 -> SITE_SENTMSG1 upon successful resolution
58 we send an appropriate message 1
59 -> SITE_SENTMSG2 upon valid incoming message 1 (then abort resolution)
60 we abort resolution and
61 -> SITE_WAIT on timeout or resolution failure
63 -> SITE_SENTMSG2 upon valid incoming message 1 from higher priority end
64 -> SITE_SENTMSG3 upon valid incoming message 2
65 -> SITE_WAIT on timeout
67 -> SITE_SENTMSG4 upon valid incoming message 3
68 -> SITE_WAIT on timeout
70 -> SITE_SENTMSG5 upon valid incoming message 4
71 -> SITE_WAIT on timeout
73 -> SITE_RUN upon valid incoming message 5
74 -> SITE_WAIT on timeout
76 -> SITE_RUN upon valid incoming message 6
77 -> SITE_WAIT on timeout
78 SITE_WAIT - failed to establish key; do nothing for a while
79 -> SITE_RUN on timeout
84 #define SITE_RESOLVE 2
85 #define SITE_SENTMSG1 3
86 #define SITE_SENTMSG2 4
87 #define SITE_SENTMSG3 5
88 #define SITE_SENTMSG4 6
89 #define SITE_SENTMSG5 7
92 int32_t site_max_start_pad = 4*4;
94 static cstring_t state_name(uint32_t state)
97 case 0: return "STOP";
99 case 2: return "RESOLVE";
100 case 3: return "SENTMSG1";
101 case 4: return "SENTMSG2";
102 case 5: return "SENTMSG3";
103 case 6: return "SENTMSG4";
104 case 7: return "SENTMSG5";
105 case 8: return "WAIT";
106 default: return "*bad state*";
112 #define LOG_UNEXPECTED 0x00000001
113 #define LOG_SETUP_INIT 0x00000002
114 #define LOG_SETUP_TIMEOUT 0x00000004
115 #define LOG_ACTIVATE_KEY 0x00000008
116 #define LOG_TIMEOUT_KEY 0x00000010
117 #define LOG_SEC 0x00000020
118 #define LOG_STATE 0x00000040
119 #define LOG_DROP 0x00000080
120 #define LOG_DUMP 0x00000100
121 #define LOG_ERROR 0x00000400
122 #define LOG_PEER_ADDRS 0x00000800
124 static struct flagstr log_event_table[]={
125 { "unexpected", LOG_UNEXPECTED },
126 { "setup-init", LOG_SETUP_INIT },
127 { "setup-timeout", LOG_SETUP_TIMEOUT },
128 { "activate-key", LOG_ACTIVATE_KEY },
129 { "timeout-key", LOG_TIMEOUT_KEY },
130 { "security", LOG_SEC },
131 { "state-change", LOG_STATE },
132 { "packet-drop", LOG_DROP },
133 { "dump-packets", LOG_DUMP },
134 { "errors", LOG_ERROR },
135 { "peer-addrs", LOG_PEER_ADDRS },
136 { "default", LOG_SETUP_INIT|LOG_SETUP_TIMEOUT|
137 LOG_ACTIVATE_KEY|LOG_TIMEOUT_KEY|LOG_SEC|LOG_ERROR },
138 { "all", 0xffffffff },
143 /***** TRANSPORT PEERS declarations *****/
145 /* Details of "mobile peer" semantics:
147 - We record mobile_peers_max peer address/port numbers ("peers")
148 for key setup, and separately mobile_peers_max for data
149 transfer. If these lists fill up, we retain the newest peers.
150 (For non-mobile peers we only record one of each.)
152 - Outgoing packets are sent to every recorded peer in the
155 - Data transfer peers are straightforward: whenever we successfully
156 process a data packet, we record the peer. Also, whenever we
157 successfully complete a key setup, we merge the key setup
158 peers into the data transfer peers.
160 (For "non-mobile" peers we simply copy the peer used for
161 successful key setup, and don't change the peer otherwise.)
163 - Key setup peers are slightly more complicated.
165 Whenever we receive and successfully process a key exchange
166 packet, we record the peer.
168 Whenever we try to initiate a key setup, we copy the list of data
169 transfer peers and use it for key setup. But we also look to see
170 if the config supplies an address and port number and if so we
171 add that as a key setup peer (possibly evicting one of the data
172 transfer peers we just copied).
174 (For "non-mobile" peers, if we if we have a configured peer
175 address and port, we always use that; otherwise if we have a
176 current data peer address we use that; otherwise we do not
177 attempt to initiate a key setup for lack of a peer address.)
179 "Record the peer" means
180 1. expire any peers last seen >120s ("mobile-peer-expiry") ago
181 2. add the peer of the just received packet to the applicable list
182 (possibly evicting older entries)
183 NB that we do not expire peers until an incoming packet arrives.
187 #define MAX_MOBILE_PEERS_MAX 5 /* send at most this many copies, compiled max */
191 struct comm_addr addr;
195 /* configuration information */
196 /* runtime information */
198 transport_peer peers[MAX_MOBILE_PEERS_MAX];
201 static void transport_peers_clear(struct site *st, transport_peers *peers);
202 static int transport_peers_valid(transport_peers *peers);
203 static void transport_peers_copy(struct site *st, transport_peers *dst,
204 const transport_peers *src);
206 static void transport_setup_msgok(struct site *st, const struct comm_addr *a);
207 static void transport_data_msgok(struct site *st, const struct comm_addr *a);
208 static bool_t transport_compute_setupinit_peers(struct site *st,
209 const struct comm_addr *configured_addr /* 0 if none or not found */,
210 const struct comm_addr *incoming_packet_addr /* 0 if none */);
211 static void transport_resolve_complete(struct site *st,
212 const struct comm_addr *a);
213 static void transport_resolve_complete_tardy(struct site *st,
214 const struct comm_addr *ca_use);
215 static void transport_record_peer(struct site *st, transport_peers *peers,
216 const struct comm_addr *addr, const char *m);
218 static void transport_xmit(struct site *st, transport_peers *peers,
219 struct buffer_if *buf, bool_t candebug);
221 /***** END of transport peers declarations *****/
225 struct transform_inst_if *transform;
226 uint64_t key_timeout; /* End of life of current key */
227 uint32_t remote_session_id;
233 /* configuration information */
236 bool_t local_mobile, peer_mobile; /* Mobile client support */
237 int32_t transport_peers_max;
238 string_t tunname; /* localname<->remotename by default, used in logs */
239 string_t address; /* DNS name for bootstrapping, optional */
240 int remoteport; /* Port for bootstrapping, optional */
242 struct netlink_if *netlink;
243 struct comm_if **comms;
245 struct resolver_if *resolver;
247 struct random_if *random;
248 struct rsaprivkey_if *privkey;
249 struct rsapubkey_if *pubkey;
250 struct transform_if **transforms;
253 struct hash_if *hash;
255 uint32_t index; /* Index of this site */
256 uint32_t local_capabilities;
257 int32_t setup_retries; /* How many times to send setup packets */
258 int32_t setup_retry_interval; /* Initial timeout for setup packets */
259 int32_t wait_timeout; /* How long to wait if setup unsuccessful */
260 int32_t mobile_peer_expiry; /* How long to remember 2ary addresses */
261 int32_t key_lifetime; /* How long a key lasts once set up */
262 int32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
263 after this time, initiate a new
266 bool_t setup_priority; /* Do we have precedence if both sites emit
267 message 1 simultaneously? */
270 /* runtime information */
272 uint64_t now; /* Most recently seen time */
273 bool_t allow_send_prod;
276 /* The currently established session */
277 struct data_key current;
278 struct data_key auxiliary_key;
279 bool_t auxiliary_is_new;
280 uint64_t renegotiate_key_time; /* When we can negotiate a new key */
281 uint64_t auxiliary_renegotiate_key_time;
282 transport_peers peers; /* Current address(es) of peer for data traffic */
284 /* The current key setup protocol exchange. We can only be
285 involved in one of these at a time. There's a potential for
286 denial of service here (the attacker keeps sending a setup
287 packet; we keep trying to continue the exchange, and have to
288 timeout before we can listen for another setup packet); perhaps
289 we should keep a list of 'bad' sources for setup packets. */
290 uint32_t remote_capabilities;
291 uint16_t remote_adv_mtu;
292 struct transform_if *chosen_transform;
293 uint32_t setup_session_id;
294 transport_peers setup_peers;
295 uint8_t localN[NONCELEN]; /* Nonces for key exchange */
296 uint8_t remoteN[NONCELEN];
297 struct buffer_if buffer; /* Current outgoing key exchange packet */
298 struct buffer_if scratch;
299 int32_t retries; /* Number of retries remaining */
300 uint64_t timeout; /* Timeout for current state */
302 uint8_t *sharedsecret;
303 uint32_t sharedsecretlen, sharedsecretallocd;
304 struct transform_inst_if *new_transform; /* For key setup/verify */
307 static uint32_t event_log_priority(struct site *st, uint32_t event)
309 if (!(event&st->log_events))
312 case LOG_UNEXPECTED: return M_INFO;
313 case LOG_SETUP_INIT: return M_INFO;
314 case LOG_SETUP_TIMEOUT: return M_NOTICE;
315 case LOG_ACTIVATE_KEY: return M_INFO;
316 case LOG_TIMEOUT_KEY: return M_INFO;
317 case LOG_SEC: return M_SECURITY;
318 case LOG_STATE: return M_DEBUG;
319 case LOG_DROP: return M_DEBUG;
320 case LOG_DUMP: return M_DEBUG;
321 case LOG_ERROR: return M_ERR;
322 case LOG_PEER_ADDRS: return M_DEBUG;
323 default: return M_ERR;
327 static void vslog(struct site *st, uint32_t event, cstring_t msg, va_list ap)
329 static void vslog(struct site *st, uint32_t event, cstring_t msg, va_list ap)
333 class=event_log_priority(st, event);
335 slilog_part(st->log,class,"%s: ",st->tunname);
336 vslilog_part(st->log,class,msg,ap);
337 slilog_part(st->log,class,"\n");
341 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
343 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
347 vslog(st,event,msg,ap);
351 static void logtimeout(struct site *st, const char *fmt, ...)
353 static void logtimeout(struct site *st, const char *fmt, ...)
355 uint32_t class=event_log_priority(st,LOG_SETUP_TIMEOUT);
362 slilog_part(st->log,class,"%s: ",st->tunname);
363 vslilog_part(st->log,class,fmt,ap);
367 for (i=0, delim=" (tried ";
368 i<st->setup_peers.npeers;
370 transport_peer *peer=&st->setup_peers.peers[i];
371 const char *s=comm_addr_to_string(&peer->addr);
372 slilog_part(st->log,class,"%s%s",delim,s);
375 slilog_part(st->log,class,")\n");
379 static void set_link_quality(struct site *st);
380 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel);
381 static void delete_one_key(struct site *st, struct data_key *key,
382 const char *reason /* may be 0 meaning don't log*/,
383 const char *which /* ignored if !reasonn */,
384 uint32_t loglevel /* ignored if !reasonn */);
385 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
386 const struct comm_addr *prod_hint);
387 static void enter_state_run(struct site *st);
388 static bool_t enter_state_resolve(struct site *st);
389 static bool_t enter_new_state(struct site *st,uint32_t next);
390 static void enter_state_wait(struct site *st);
391 static void activate_new_key(struct site *st);
393 static bool_t is_transform_valid(struct transform_inst_if *transform)
395 return transform && transform->valid(transform->st);
398 static bool_t current_valid(struct site *st)
400 return is_transform_valid(st->current.transform);
403 #define DEFINE_CALL_TRANSFORM(fwdrev) \
404 static int call_transform_##fwdrev(struct site *st, \
405 struct transform_inst_if *transform, \
406 struct buffer_if *buf, \
407 const char **errmsg) \
409 if (!is_transform_valid(transform)) { \
410 *errmsg="transform not set up"; \
413 return transform->fwdrev(transform->st,buf,errmsg); \
416 DEFINE_CALL_TRANSFORM(forwards)
417 DEFINE_CALL_TRANSFORM(reverse)
419 static void dispose_transform(struct transform_inst_if **transform_var)
421 struct transform_inst_if *transform=*transform_var;
423 transform->delkey(transform->st);
424 transform->destroy(transform->st);
429 #define CHECK_AVAIL(b,l) do { if ((b)->size<(l)) return False; } while(0)
430 #define CHECK_EMPTY(b) do { if ((b)->size!=0) return False; } while(0)
431 #define CHECK_TYPE(b,t) do { uint32_t type; \
432 CHECK_AVAIL((b),4); \
433 type=buf_unprepend_uint32((b)); \
434 if (type!=(t)) return False; } while(0)
436 static _Bool type_is_msg34(uint32_t type)
439 type == LABEL_MSG3 ||
440 type == LABEL_MSG3BIS ||
447 struct buffer_if extrainfo;
454 struct parsedname remote;
455 struct parsedname local;
456 uint32_t remote_capabilities;
458 int capab_transformnum;
468 static void set_new_transform(struct site *st, char *pk)
470 /* Make room for the shared key */
471 st->sharedsecretlen=st->chosen_transform->keylen?:st->dh->ceil_len;
472 assert(st->sharedsecretlen);
473 if (st->sharedsecretlen > st->sharedsecretallocd) {
474 st->sharedsecretallocd=st->sharedsecretlen;
475 st->sharedsecret=realloc(st->sharedsecret,st->sharedsecretallocd);
477 if (!st->sharedsecret) fatal_perror("site:sharedsecret");
479 /* Generate the shared key */
480 st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,pk,
481 st->sharedsecret,st->sharedsecretlen);
483 /* Set up the transform */
484 struct transform_if *generator=st->chosen_transform;
485 struct transform_inst_if *generated=generator->create(generator->st);
486 generated->setkey(generated->st,st->sharedsecret,
487 st->sharedsecretlen,st->setup_priority);
488 dispose_transform(&st->new_transform);
489 st->new_transform=generated;
491 slog(st,LOG_SETUP_INIT,"key exchange negotiated transform"
492 " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")",
493 st->chosen_transform->capab_transformnum,
494 st->local_capabilities, st->remote_capabilities);
498 int32_t lenpos, afternul;
500 static void append_string_xinfo_start(struct buffer_if *buf,
501 struct xinfoadd *xia,
503 /* Helps construct one of the names with additional info as found
504 * in MSG1..4. Call this function first, then append all the
505 * desired extra info (not including the nul byte) to the buffer,
506 * then call append_string_xinfo_done. */
508 xia->lenpos = buf->size;
509 buf_append_string(buf,str);
510 buf_append_uint8(buf,0);
511 xia->afternul = buf->size;
513 static void append_string_xinfo_done(struct buffer_if *buf,
514 struct xinfoadd *xia)
516 /* we just need to adjust the string length */
517 if (buf->size == xia->afternul) {
518 /* no extra info, strip the nul too */
519 buf_unappend_uint8(buf);
521 put_uint16(buf->start+xia->lenpos, buf->size-(xia->lenpos+2));
525 /* Build any of msg1 to msg4. msg5 and msg6 are built from the inside
526 out using a transform of config data supplied by netlink */
527 static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what)
533 st->retries=st->setup_retries;
534 BUF_ALLOC(&st->buffer,what);
535 buffer_init(&st->buffer,0);
536 buf_append_uint32(&st->buffer,
537 (type==LABEL_MSG1?0:st->setup_session_id));
538 buf_append_uint32(&st->buffer,st->index);
539 buf_append_uint32(&st->buffer,type);
542 append_string_xinfo_start(&st->buffer,&xia,st->localname);
543 if ((st->local_capabilities & CAPAB_EARLY) || (type != LABEL_MSG1)) {
544 buf_append_uint32(&st->buffer,st->local_capabilities);
546 if (type_is_msg34(type)) {
547 buf_append_uint16(&st->buffer,st->mtu_target);
549 append_string_xinfo_done(&st->buffer,&xia);
551 buf_append_string(&st->buffer,st->remotename);
552 memcpy(buf_append(&st->buffer,NONCELEN),st->localN,NONCELEN);
553 if (type==LABEL_MSG1) return True;
554 memcpy(buf_append(&st->buffer,NONCELEN),st->remoteN,NONCELEN);
555 if (type==LABEL_MSG2) return True;
557 if (hacky_par_mid_failnow()) return False;
559 if (type==LABEL_MSG3BIS)
560 buf_append_uint8(&st->buffer,st->chosen_transform->capab_transformnum);
562 dhpub=st->dh->makepublic(st->dh->st,st->dhsecret,st->dh->len);
563 buf_append_string(&st->buffer,dhpub);
565 hash=safe_malloc(st->hash->len, "generate_msg");
566 hst=st->hash->init();
567 st->hash->update(hst,st->buffer.start,st->buffer.size);
568 st->hash->final(hst,hash);
569 sig=st->privkey->sign(st->privkey->st,hash,st->hash->len);
570 buf_append_string(&st->buffer,sig);
576 static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm)
579 nm->len=buf_unprepend_uint16(msg);
580 CHECK_AVAIL(msg,nm->len);
581 nm->name=buf_unprepend(msg,nm->len);
582 uint8_t *nul=memchr(nm->name,0,nm->len);
584 buffer_readonly_view(&nm->extrainfo,0,0);
586 buffer_readonly_view(&nm->extrainfo, nul+1, msg->start-(nul+1));
587 nm->len=nul-nm->name;
592 static bool_t unpick_msg(struct site *st, uint32_t type,
593 struct buffer_if *msg, struct msg *m)
595 m->capab_transformnum=-1;
596 m->hashstart=msg->start;
598 m->dest=buf_unprepend_uint32(msg);
600 m->source=buf_unprepend_uint32(msg);
601 CHECK_TYPE(msg,type);
602 if (!unpick_name(msg,&m->remote)) return False;
603 m->remote_capabilities=0;
605 if (m->remote.extrainfo.size) {
606 CHECK_AVAIL(&m->remote.extrainfo,4);
607 m->remote_capabilities=buf_unprepend_uint32(&m->remote.extrainfo);
609 if (type_is_msg34(type) && m->remote.extrainfo.size) {
610 CHECK_AVAIL(&m->remote.extrainfo,2);
611 m->remote_mtu=buf_unprepend_uint16(&m->remote.extrainfo);
613 if (!unpick_name(msg,&m->local)) return False;
614 if (type==LABEL_PROD) {
618 CHECK_AVAIL(msg,NONCELEN);
619 m->nR=buf_unprepend(msg,NONCELEN);
620 if (type==LABEL_MSG1) {
624 CHECK_AVAIL(msg,NONCELEN);
625 m->nL=buf_unprepend(msg,NONCELEN);
626 if (type==LABEL_MSG2) {
630 if (type==LABEL_MSG3BIS) {
632 m->capab_transformnum = buf_unprepend_uint8(msg);
634 m->capab_transformnum = CAPAB_TRANSFORMNUM_ANCIENT;
637 m->pklen=buf_unprepend_uint16(msg);
638 CHECK_AVAIL(msg,m->pklen);
639 m->pk=buf_unprepend(msg,m->pklen);
640 m->hashlen=msg->start-m->hashstart;
642 m->siglen=buf_unprepend_uint16(msg);
643 CHECK_AVAIL(msg,m->siglen);
644 m->sig=buf_unprepend(msg,m->siglen);
649 static bool_t name_matches(const struct parsedname *nm, const char *expected)
651 int expected_len=strlen(expected);
653 nm->len == expected_len &&
654 !memcmp(nm->name, expected, expected_len);
657 static bool_t check_msg(struct site *st, uint32_t type, struct msg *m,
660 if (type==LABEL_MSG1) return True;
662 /* Check that the site names and our nonce have been sent
663 back correctly, and then store our peer's nonce. */
664 if (!name_matches(&m->remote,st->remotename)) {
665 *error="wrong remote site name";
668 if (!name_matches(&m->local,st->localname)) {
669 *error="wrong local site name";
672 if (memcmp(m->nL,st->localN,NONCELEN)!=0) {
673 *error="wrong locally-generated nonce";
676 if (type==LABEL_MSG2) return True;
677 if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) {
678 *error="wrong remotely-generated nonce";
681 /* MSG3 has complicated rules about capabilities, which are
682 * handled in process_msg3. */
683 if (type==LABEL_MSG3 || type==LABEL_MSG3BIS) return True;
684 if (m->remote_capabilities!=st->remote_capabilities) {
685 *error="remote capabilities changed";
688 if (type==LABEL_MSG4) return True;
689 *error="unknown message type";
693 static bool_t generate_msg1(struct site *st)
695 st->random->generate(st->random->st,NONCELEN,st->localN);
696 return generate_msg(st,LABEL_MSG1,"site:MSG1");
699 static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
700 const struct comm_addr *src, struct msg *m)
702 /* We've already determined we're in an appropriate state to
703 process an incoming MSG1, and that the MSG1 has correct values
706 st->setup_session_id=m->source;
707 st->remote_capabilities=m->remote_capabilities;
708 memcpy(st->remoteN,m->nR,NONCELEN);
712 static bool_t generate_msg2(struct site *st)
714 st->random->generate(st->random->st,NONCELEN,st->localN);
715 return generate_msg(st,LABEL_MSG2,"site:MSG2");
718 static bool_t process_msg2(struct site *st, struct buffer_if *msg2,
719 const struct comm_addr *src)
724 if (!unpick_msg(st,LABEL_MSG2,msg2,&m)) return False;
725 if (!check_msg(st,LABEL_MSG2,&m,&err)) {
726 slog(st,LOG_SEC,"msg2: %s",err);
729 st->setup_session_id=m.source;
730 st->remote_capabilities=m.remote_capabilities;
732 /* Select the transform to use */
734 uint32_t remote_transforms = st->remote_capabilities & CAPAB_TRANSFORM_MASK;
735 if (!remote_transforms)
736 /* old secnets only had this one transform */
737 remote_transforms = 1UL << CAPAB_TRANSFORMNUM_ANCIENT;
739 struct transform_if *ti;
741 for (i=0; i<st->ntransforms; i++) {
742 ti=st->transforms[i];
743 if ((1UL << ti->capab_transformnum) & remote_transforms)
744 goto transform_found;
746 slog(st,LOG_ERROR,"no transforms in common"
747 " (us %#"PRIx32"; them: %#"PRIx32")",
748 st->local_capabilities & CAPAB_TRANSFORM_MASK,
752 st->chosen_transform=ti;
754 memcpy(st->remoteN,m.nR,NONCELEN);
758 static bool_t generate_msg3(struct site *st)
760 /* Now we have our nonce and their nonce. Think of a secret key,
761 and create message number 3. */
762 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
763 return generate_msg(st,
764 (st->remote_capabilities & CAPAB_TRANSFORM_MASK
765 ? LABEL_MSG3BIS : LABEL_MSG3),
769 static bool_t process_msg3_msg4(struct site *st, struct msg *m)
774 /* Check signature and store g^x mod m */
775 hash=safe_malloc(st->hash->len, "process_msg3_msg4");
776 hst=st->hash->init();
777 st->hash->update(hst,m->hashstart,m->hashlen);
778 st->hash->final(hst,hash);
779 /* Terminate signature with a '0' - cheating, but should be ok */
781 if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m->sig)) {
782 slog(st,LOG_SEC,"msg3/msg4 signature failed check!");
788 st->remote_adv_mtu=m->remote_mtu;
793 static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
794 const struct comm_addr *src, uint32_t msgtype)
799 assert(msgtype==LABEL_MSG3 || msgtype==LABEL_MSG3BIS);
801 if (!unpick_msg(st,msgtype,msg3,&m)) return False;
802 if (!check_msg(st,msgtype,&m,&err)) {
803 slog(st,LOG_SEC,"msg3: %s",err);
806 uint32_t capab_adv_late = m.remote_capabilities
807 & ~st->remote_capabilities & CAPAB_EARLY;
808 if (capab_adv_late) {
809 slog(st,LOG_SEC,"msg3 impermissibly adds early capability flag(s)"
810 " %#"PRIx32" (was %#"PRIx32", now %#"PRIx32")",
811 capab_adv_late, st->remote_capabilities, m.remote_capabilities);
814 st->remote_capabilities|=m.remote_capabilities;
816 struct transform_if *ti;
818 for (i=0; i<st->ntransforms; i++) {
819 ti=st->transforms[i];
820 if (ti->capab_transformnum == m.capab_transformnum)
821 goto transform_found;
823 slog(st,LOG_SEC,"peer chose unknown-to-us transform %d!",
824 m.capab_transformnum);
827 st->chosen_transform=ti;
829 if (!process_msg3_msg4(st,&m))
832 /* Terminate their DH public key with a '0' */
834 /* Invent our DH secret key */
835 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
837 /* Generate the shared key and set up the transform */
838 set_new_transform(st,m.pk);
843 static bool_t generate_msg4(struct site *st)
845 /* We have both nonces, their public key and our private key. Generate
846 our public key, sign it and send it to them. */
847 return generate_msg(st,LABEL_MSG4,"site:MSG4");
850 static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
851 const struct comm_addr *src)
856 if (!unpick_msg(st,LABEL_MSG4,msg4,&m)) return False;
857 if (!check_msg(st,LABEL_MSG4,&m,&err)) {
858 slog(st,LOG_SEC,"msg4: %s",err);
862 if (!process_msg3_msg4(st,&m))
865 /* Terminate their DH public key with a '0' */
868 /* Generate the shared key and set up the transform */
869 set_new_transform(st,m.pk);
880 static bool_t unpick_msg0(struct site *st, struct buffer_if *msg0,
884 m->dest=buf_unprepend_uint32(msg0);
886 m->source=buf_unprepend_uint32(msg0);
888 m->type=buf_unprepend_uint32(msg0);
890 /* Leaves transformed part of buffer untouched */
893 static bool_t generate_msg5(struct site *st)
895 cstring_t transform_err;
897 BUF_ALLOC(&st->buffer,"site:MSG5");
898 /* We are going to add four words to the message */
899 buffer_init(&st->buffer,calculate_max_start_pad());
900 /* Give the netlink code an opportunity to put its own stuff in the
901 message (configuration information, etc.) */
902 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
903 if (call_transform_forwards(st,st->new_transform,
904 &st->buffer,&transform_err))
906 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
907 buf_prepend_uint32(&st->buffer,st->index);
908 buf_prepend_uint32(&st->buffer,st->setup_session_id);
910 st->retries=st->setup_retries;
914 static bool_t process_msg5(struct site *st, struct buffer_if *msg5,
915 const struct comm_addr *src,
916 struct transform_inst_if *transform)
919 cstring_t transform_err;
921 if (!unpick_msg0(st,msg5,&m)) return False;
923 if (call_transform_reverse(st,transform,msg5,&transform_err)) {
924 /* There's a problem */
925 slog(st,LOG_SEC,"process_msg5: transform: %s",transform_err);
928 /* Buffer should now contain untransformed PING packet data */
930 if (buf_unprepend_uint32(msg5)!=LABEL_MSG5) {
931 slog(st,LOG_SEC,"MSG5/PING packet contained wrong label");
934 /* Older versions of secnet used to write some config data here
935 * which we ignore. So we don't CHECK_EMPTY */
939 static void create_msg6(struct site *st, struct transform_inst_if *transform,
942 cstring_t transform_err;
944 BUF_ALLOC(&st->buffer,"site:MSG6");
945 /* We are going to add four words to the message */
946 buffer_init(&st->buffer,calculate_max_start_pad());
947 /* Give the netlink code an opportunity to put its own stuff in the
948 message (configuration information, etc.) */
949 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
950 int problem = call_transform_forwards(st,transform,
951 &st->buffer,&transform_err);
953 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
954 buf_prepend_uint32(&st->buffer,st->index);
955 buf_prepend_uint32(&st->buffer,session_id);
958 static bool_t generate_msg6(struct site *st)
960 if (!is_transform_valid(st->new_transform))
962 create_msg6(st,st->new_transform,st->setup_session_id);
963 st->retries=1; /* Peer will retransmit MSG5 if this packet gets lost */
967 static bool_t process_msg6(struct site *st, struct buffer_if *msg6,
968 const struct comm_addr *src)
971 cstring_t transform_err;
973 if (!unpick_msg0(st,msg6,&m)) return False;
975 if (call_transform_reverse(st,st->new_transform,msg6,&transform_err)) {
976 /* There's a problem */
977 slog(st,LOG_SEC,"process_msg6: transform: %s",transform_err);
980 /* Buffer should now contain untransformed PING packet data */
982 if (buf_unprepend_uint32(msg6)!=LABEL_MSG6) {
983 slog(st,LOG_SEC,"MSG6/PONG packet contained invalid data");
986 /* Older versions of secnet used to write some config data here
987 * which we ignore. So we don't CHECK_EMPTY */
991 static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0,
992 const struct comm_addr *src)
994 cstring_t transform_err, auxkey_err, newkey_err="n/a";
998 if (!unpick_msg0(st,msg0,&m)) return False;
1000 /* Keep a copy so we can try decrypting it with multiple keys */
1001 buffer_copy(&st->scratch, msg0);
1003 problem = call_transform_reverse(st,st->current.transform,
1004 msg0,&transform_err);
1006 if (!st->auxiliary_is_new)
1007 delete_one_key(st,&st->auxiliary_key,
1008 "peer has used new key","auxiliary key",LOG_SEC);
1014 buffer_copy(msg0, &st->scratch);
1015 problem = call_transform_reverse(st,st->auxiliary_key.transform,
1018 slog(st,LOG_DROP,"processing packet which uses auxiliary key");
1019 if (st->auxiliary_is_new) {
1020 /* We previously timed out in state SENTMSG5 but it turns
1021 * out that our peer did in fact get our MSG5 and is
1022 * using the new key. So we should switch to it too. */
1023 /* This is a bit like activate_new_key. */
1026 st->current=st->auxiliary_key;
1027 st->auxiliary_key=t;
1029 delete_one_key(st,&st->auxiliary_key,"peer has used new key",
1030 "previous key",LOG_SEC);
1031 st->auxiliary_is_new=0;
1032 st->renegotiate_key_time=st->auxiliary_renegotiate_key_time;
1039 if (st->state==SITE_SENTMSG5) {
1040 buffer_copy(msg0, &st->scratch);
1041 problem = call_transform_reverse(st,st->new_transform,
1044 /* It looks like we didn't get the peer's MSG6 */
1045 /* This is like a cut-down enter_new_state(SITE_RUN) */
1046 slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)");
1047 BUF_FREE(&st->buffer);
1049 activate_new_key(st);
1050 return True; /* do process the data in this packet */
1056 slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)",
1057 transform_err,auxkey_err,newkey_err);
1058 initiate_key_setup(st,"incoming message would not decrypt",0);
1059 send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt");
1063 slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err);
1067 static bool_t process_msg0(struct site *st, struct buffer_if *msg0,
1068 const struct comm_addr *src)
1072 if (!decrypt_msg0(st,msg0,src))
1075 CHECK_AVAIL(msg0,4);
1076 type=buf_unprepend_uint32(msg0);
1079 /* We must forget about the current session. */
1080 delete_keys(st,"request from peer",LOG_SEC);
1083 /* Deliver to netlink layer */
1084 st->netlink->deliver(st->netlink->st,msg0);
1085 transport_data_msgok(st,src);
1086 /* See whether we should start negotiating a new key */
1087 if (st->now > st->renegotiate_key_time)
1088 initiate_key_setup(st,"incoming packet in renegotiation window",0);
1091 slog(st,LOG_SEC,"incoming encrypted message of type %08x "
1098 static void dump_packet(struct site *st, struct buffer_if *buf,
1099 const struct comm_addr *addr, bool_t incoming)
1101 uint32_t dest=get_uint32(buf->start);
1102 uint32_t source=get_uint32(buf->start+4);
1103 uint32_t msgtype=get_uint32(buf->start+8);
1105 if (st->log_events & LOG_DUMP)
1106 slilog(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x:",
1107 st->tunname,incoming?"incoming":"outgoing",
1108 dest,source,msgtype);
1111 static uint32_t site_status(void *st)
1116 static bool_t send_msg(struct site *st)
1118 if (st->retries>0) {
1119 transport_xmit(st, &st->setup_peers, &st->buffer, True);
1120 st->timeout=st->now+st->setup_retry_interval;
1123 } else if (st->state==SITE_SENTMSG5) {
1124 logtimeout(st,"timed out sending MSG5, stashing new key");
1125 /* We stash the key we have produced, in case it turns out that
1126 * our peer did see our MSG5 after all and starts using it. */
1127 /* This is a bit like some of activate_new_key */
1128 struct transform_inst_if *t;
1129 t=st->auxiliary_key.transform;
1130 st->auxiliary_key.transform=st->new_transform;
1131 st->new_transform=t;
1132 dispose_transform(&st->new_transform);
1134 st->auxiliary_is_new=1;
1135 st->auxiliary_key.key_timeout=st->now+st->key_lifetime;
1136 st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time;
1137 st->auxiliary_key.remote_session_id=st->setup_session_id;
1139 enter_state_wait(st);
1142 logtimeout(st,"timed out sending key setup packet "
1143 "(in state %s)",state_name(st->state));
1144 enter_state_wait(st);
1149 static void site_resolve_callback(void *sst, struct in_addr *address)
1151 struct site *st=sst;
1152 struct comm_addr ca_buf, *ca_use;
1154 st->resolving=False;
1158 ca_buf.comm=st->comms[0];
1159 ca_buf.sin.sin_family=AF_INET;
1160 ca_buf.sin.sin_port=htons(st->remoteport);
1161 ca_buf.sin.sin_addr=*address;
1163 slog(st,LOG_STATE,"resolution of %s completed: %s",
1164 st->address, comm_addr_to_string(ca_use));;
1166 slog(st,LOG_ERROR,"resolution of %s failed",st->address);
1170 switch (st->state) {
1172 if (transport_compute_setupinit_peers(st,ca_use,0)) {
1173 enter_new_state(st,SITE_SENTMSG1);
1175 /* Can't figure out who to try to to talk to */
1176 slog(st,LOG_SETUP_INIT,
1177 "key exchange failed: cannot find peer address");
1178 enter_state_run(st);
1181 case SITE_SENTMSG1: case SITE_SENTMSG2:
1182 case SITE_SENTMSG3: case SITE_SENTMSG4:
1185 /* We start using the address immediately for data too.
1186 * It's best to store it in st->peers now because we might
1187 * go via SENTMSG5, WAIT, and a MSG0, straight into using
1188 * the new key (without updating the data peer addrs). */
1189 transport_resolve_complete(st,ca_use);
1190 } else if (st->local_mobile) {
1191 /* We can't let this rest because we may have a peer
1192 * address which will break in the future. */
1193 slog(st,LOG_SETUP_INIT,"resolution of %s failed: "
1194 "abandoning key exchange",st->address);
1195 enter_state_wait(st);
1197 slog(st,LOG_SETUP_INIT,"resolution of %s failed: "
1198 " continuing to use source address of peer's packets"
1199 " for key exchange and ultimately data",
1205 slog(st,LOG_SETUP_INIT,"resolution of %s completed tardily,"
1206 " updating peer address(es)",st->address);
1207 transport_resolve_complete_tardy(st,ca_use);
1208 } else if (st->local_mobile) {
1209 /* Not very good. We should queue (another) renegotiation
1210 * so that we can update the peer address. */
1211 st->key_renegotiate_time=st->now+st->wait_timeout;
1213 slog(st,LOG_SETUP_INIT,"resolution of %s failed: "
1214 " continuing to use source address of peer's packets",
1225 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
1226 const struct comm_addr *prod_hint)
1228 /* Reentrancy hazard: can call enter_new_state/enter_state_* */
1229 if (st->state!=SITE_RUN) return False;
1230 slog(st,LOG_SETUP_INIT,"initiating key exchange (%s)",reason);
1232 slog(st,LOG_SETUP_INIT,"resolving peer address");
1233 return enter_state_resolve(st);
1234 } else if (transport_compute_setupinit_peers(st,0,prod_hint)) {
1235 return enter_new_state(st,SITE_SENTMSG1);
1237 slog(st,LOG_SETUP_INIT,"key exchange failed: no address for peer");
1241 static void activate_new_key(struct site *st)
1243 struct transform_inst_if *t;
1245 /* We have three transform instances, which we swap between old,
1247 t=st->auxiliary_key.transform;
1248 st->auxiliary_key.transform=st->current.transform;
1249 st->current.transform=st->new_transform;
1250 st->new_transform=t;
1251 dispose_transform(&st->new_transform);
1254 st->auxiliary_is_new=0;
1255 st->auxiliary_key.key_timeout=st->current.key_timeout;
1256 st->current.key_timeout=st->now+st->key_lifetime;
1257 st->renegotiate_key_time=st->now+st->key_renegotiate_time;
1258 transport_peers_copy(st,&st->peers,&st->setup_peers);
1259 st->current.remote_session_id=st->setup_session_id;
1261 /* Compute the inter-site MTU. This is min( our_mtu, their_mtu ).
1262 * But their mtu be unspecified, in which case we just use ours. */
1263 uint32_t intersite_mtu=
1264 MIN(st->mtu_target, st->remote_adv_mtu ?: ~(uint32_t)0);
1265 st->netlink->set_mtu(st->netlink->st,intersite_mtu);
1267 slog(st,LOG_ACTIVATE_KEY,"new key activated"
1268 " (mtu ours=%"PRId32" theirs=%"PRId32" intersite=%"PRId32")",
1269 st->mtu_target, st->remote_adv_mtu, intersite_mtu);
1270 enter_state_run(st);
1273 static void delete_one_key(struct site *st, struct data_key *key,
1274 cstring_t reason, cstring_t which, uint32_t loglevel)
1276 if (!is_transform_valid(key->transform)) return;
1277 if (reason) slog(st,loglevel,"%s deleted (%s)",which,reason);
1278 dispose_transform(&key->transform);
1282 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel)
1284 if (current_valid(st)) {
1285 slog(st,loglevel,"session closed (%s)",reason);
1287 delete_one_key(st,&st->current,0,0,0);
1288 set_link_quality(st);
1290 delete_one_key(st,&st->auxiliary_key,0,0,0);
1293 static void state_assert(struct site *st, bool_t ok)
1295 if (!ok) fatal("site:state_assert");
1298 static void enter_state_stop(struct site *st)
1300 st->state=SITE_STOP;
1302 delete_keys(st,"entering state STOP",LOG_TIMEOUT_KEY);
1303 dispose_transform(&st->new_transform);
1306 static void set_link_quality(struct site *st)
1309 if (current_valid(st))
1310 quality=LINK_QUALITY_UP;
1311 else if (st->state==SITE_WAIT || st->state==SITE_STOP)
1312 quality=LINK_QUALITY_DOWN;
1313 else if (st->address)
1314 quality=LINK_QUALITY_DOWN_CURRENT_ADDRESS;
1315 else if (transport_peers_valid(&st->peers))
1316 quality=LINK_QUALITY_DOWN_STALE_ADDRESS;
1318 quality=LINK_QUALITY_DOWN;
1320 st->netlink->set_quality(st->netlink->st,quality);
1323 static void enter_state_run(struct site *st)
1325 slog(st,LOG_STATE,"entering state RUN");
1329 st->setup_session_id=0;
1330 transport_peers_clear(st,&st->setup_peers);
1331 memset(st->localN,0,NONCELEN);
1332 memset(st->remoteN,0,NONCELEN);
1333 dispose_transform(&st->new_transform);
1334 memset(st->dhsecret,0,st->dh->len);
1335 memset(st->sharedsecret,0,st->sharedsecretlen);
1336 set_link_quality(st);
1339 static bool_t ensure_resolving(struct site *st)
1341 /* Reentrancy hazard: may call site_resolve_callback and hence
1342 * enter_new_state, enter_state_* and generate_msg*. */
1346 assert(st->address);
1348 /* resolver->request might reentrantly call site_resolve_callback
1349 * which will clear st->resolving, so we need to set it beforehand
1350 * rather than afterwards; also, it might return False, in which
1351 * case we have to clear ->resolving again. */
1353 bool_t ok = st->resolver->request(st->resolver->st,st->address,
1354 site_resolve_callback,st);
1356 st->resolving=False;
1361 static bool_t enter_state_resolve(struct site *st)
1363 /* Reentrancy hazard! See ensure_resolving. */
1364 state_assert(st,st->state==SITE_RUN);
1365 slog(st,LOG_STATE,"entering state RESOLVE");
1366 st->state=SITE_RESOLVE;
1367 return ensure_resolving(st);
1370 static bool_t enter_new_state(struct site *st, uint32_t next)
1372 bool_t (*gen)(struct site *st);
1375 slog(st,LOG_STATE,"entering state %s",state_name(next));
1378 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE);
1382 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1383 st->state==SITE_SENTMSG1 || st->state==SITE_WAIT);
1387 state_assert(st,st->state==SITE_SENTMSG1);
1388 BUF_FREE(&st->buffer);
1392 state_assert(st,st->state==SITE_SENTMSG2);
1393 BUF_FREE(&st->buffer);
1397 state_assert(st,st->state==SITE_SENTMSG3);
1398 BUF_FREE(&st->buffer);
1402 state_assert(st,st->state==SITE_SENTMSG4);
1403 BUF_FREE(&st->buffer);
1408 fatal("enter_new_state(%s): invalid new state",state_name(next));
1412 if (hacky_par_start_failnow()) return False;
1414 r= gen(st) && send_msg(st);
1417 st->setup_retries, st->setup_retry_interval,
1422 if (next==SITE_RUN) {
1423 BUF_FREE(&st->buffer); /* Never reused */
1424 st->timeout=0; /* Never retransmit */
1425 activate_new_key(st);
1429 slog(st,LOG_ERROR,"error entering state %s",state_name(next));
1430 st->buffer.free=False; /* Unconditionally use the buffer; it may be
1431 in either state, and enter_state_wait() will
1433 enter_state_wait(st);
1437 /* msg7 tells our peer that we're about to forget our key */
1438 static bool_t send_msg7(struct site *st, cstring_t reason)
1440 cstring_t transform_err;
1442 if (current_valid(st) && st->buffer.free
1443 && transport_peers_valid(&st->peers)) {
1444 BUF_ALLOC(&st->buffer,"site:MSG7");
1445 buffer_init(&st->buffer,calculate_max_start_pad());
1446 buf_append_uint32(&st->buffer,LABEL_MSG7);
1447 buf_append_string(&st->buffer,reason);
1448 if (call_transform_forwards(st, st->current.transform,
1449 &st->buffer, &transform_err))
1451 buf_prepend_uint32(&st->buffer,LABEL_MSG0);
1452 buf_prepend_uint32(&st->buffer,st->index);
1453 buf_prepend_uint32(&st->buffer,st->current.remote_session_id);
1454 transport_xmit(st,&st->peers,&st->buffer,True);
1455 BUF_FREE(&st->buffer);
1462 /* We go into this state if our peer becomes uncommunicative. Similar to
1463 the "stop" state, we forget all session keys for a while, before
1464 re-entering the "run" state. */
1465 static void enter_state_wait(struct site *st)
1467 slog(st,LOG_STATE,"entering state WAIT");
1468 st->timeout=st->now+st->wait_timeout;
1469 st->state=SITE_WAIT;
1470 set_link_quality(st);
1471 BUF_FREE(&st->buffer); /* will have had an outgoing packet in it */
1472 /* XXX Erase keys etc. */
1475 static void generate_prod(struct site *st, struct buffer_if *buf)
1478 buf_append_uint32(buf,0);
1479 buf_append_uint32(buf,0);
1480 buf_append_uint32(buf,LABEL_PROD);
1481 buf_append_string(buf,st->localname);
1482 buf_append_string(buf,st->remotename);
1485 static void generate_send_prod(struct site *st,
1486 const struct comm_addr *source)
1488 if (!st->allow_send_prod) return; /* too soon */
1489 if (!(st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1490 st->state==SITE_WAIT)) return; /* we'd ignore peer's MSG1 */
1492 slog(st,LOG_SETUP_INIT,"prodding peer for key exchange");
1493 st->allow_send_prod=0;
1494 generate_prod(st,&st->scratch);
1495 dump_packet(st,&st->scratch,source,False);
1496 source->comm->sendmsg(source->comm->st, &st->scratch, source);
1499 static inline void site_settimeout(uint64_t timeout, int *timeout_io)
1502 int64_t offset=timeout-*now;
1503 if (offset<0) offset=0;
1504 if (offset>INT_MAX) offset=INT_MAX;
1505 if (*timeout_io<0 || offset<*timeout_io)
1510 static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io,
1513 struct site *st=sst;
1515 *nfds_io=0; /* We don't use any file descriptors */
1518 /* Work out when our next timeout is. The earlier of 'timeout' or
1519 'current.key_timeout'. A stored value of '0' indicates no timeout
1521 site_settimeout(st->timeout, timeout_io);
1522 site_settimeout(st->current.key_timeout, timeout_io);
1523 site_settimeout(st->auxiliary_key.key_timeout, timeout_io);
1525 return 0; /* success */
1528 static void check_expiry(struct site *st, struct data_key *key,
1531 if (key->key_timeout && *now>key->key_timeout) {
1532 delete_one_key(st,key,"maximum life exceeded",which,LOG_TIMEOUT_KEY);
1536 /* NB site_afterpoll will be called before site_beforepoll is ever called */
1537 static void site_afterpoll(void *sst, struct pollfd *fds, int nfds)
1539 struct site *st=sst;
1542 if (st->timeout && *now>st->timeout) {
1544 if (st->state>=SITE_SENTMSG1 && st->state<=SITE_SENTMSG5) {
1545 if (!hacky_par_start_failnow())
1547 } else if (st->state==SITE_WAIT) {
1548 enter_state_run(st);
1550 slog(st,LOG_ERROR,"site_afterpoll: unexpected timeout, state=%d",
1554 check_expiry(st,&st->current,"current key");
1555 check_expiry(st,&st->auxiliary_key,"auxiliary key");
1558 /* This function is called by the netlink device to deliver packets
1559 intended for the remote network. The packet is in "raw" wire
1560 format, but is guaranteed to be word-aligned. */
1561 static void site_outgoing(void *sst, struct buffer_if *buf)
1563 struct site *st=sst;
1564 cstring_t transform_err;
1566 if (st->state==SITE_STOP) {
1571 st->allow_send_prod=1;
1573 /* In all other states we consider delivering the packet if we have
1574 a valid key and a valid address to send it to. */
1575 if (current_valid(st) && transport_peers_valid(&st->peers)) {
1576 /* Transform it and send it */
1578 buf_prepend_uint32(buf,LABEL_MSG9);
1579 if (call_transform_forwards(st, st->current.transform,
1580 buf, &transform_err))
1582 buf_prepend_uint32(buf,LABEL_MSG0);
1583 buf_prepend_uint32(buf,st->index);
1584 buf_prepend_uint32(buf,st->current.remote_session_id);
1585 transport_xmit(st,&st->peers,buf,False);
1592 slog(st,LOG_DROP,"discarding outgoing packet of size %d",buf->size);
1594 initiate_key_setup(st,"outgoing packet",0);
1597 static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in,
1598 uint32_t type, struct msg *m)
1599 /* For packets which are identified by the local and remote names.
1600 * If it has our name and our peer's name in it it's for us. */
1602 struct buffer_if buf[1];
1603 buffer_readonly_clone(buf,buf_in);
1604 return unpick_msg(st,type,buf,m)
1605 && name_matches(&m->remote,st->remotename)
1606 && name_matches(&m->local,st->localname);
1609 /* This function is called by the communication device to deliver
1610 packets from our peers.
1611 It should return True if the packet is recognised as being for
1612 this current site instance (and should therefore not be processed
1613 by other sites), even if the packet was otherwise ignored. */
1614 static bool_t site_incoming(void *sst, struct buffer_if *buf,
1615 const struct comm_addr *source)
1617 struct site *st=sst;
1619 if (buf->size < 12) return False;
1621 uint32_t dest=get_uint32(buf->start);
1622 uint32_t msgtype=get_uint32(buf->start+8);
1623 struct msg named_msg;
1625 if (msgtype==LABEL_MSG1) {
1626 if (!named_for_us(st,buf,msgtype,&named_msg))
1628 /* It's a MSG1 addressed to us. Decide what to do about it. */
1629 dump_packet(st,buf,source,True);
1630 if (st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1631 st->state==SITE_WAIT) {
1632 /* We should definitely process it */
1633 transport_compute_setupinit_peers(st,0,source);
1634 if (process_msg1(st,buf,source,&named_msg)) {
1635 slog(st,LOG_SETUP_INIT,"key setup initiated by peer");
1636 bool_t entered=enter_new_state(st,SITE_SENTMSG2);
1637 if (entered && st->address && st->local_mobile)
1638 /* We must do this as the very last thing, because
1639 the resolver callback might reenter us. */
1640 ensure_resolving(st);
1642 slog(st,LOG_ERROR,"failed to process incoming msg1");
1646 } else if (st->state==SITE_SENTMSG1) {
1647 /* We've just sent a message 1! They may have crossed on
1648 the wire. If we have priority then we ignore the
1649 incoming one, otherwise we process it as usual. */
1650 if (st->setup_priority) {
1652 slog(st,LOG_DUMP,"crossed msg1s; we are higher "
1653 "priority => ignore incoming msg1");
1656 slog(st,LOG_DUMP,"crossed msg1s; we are lower "
1657 "priority => use incoming msg1");
1658 if (process_msg1(st,buf,source,&named_msg)) {
1659 BUF_FREE(&st->buffer); /* Free our old message 1 */
1660 transport_setup_msgok(st,source);
1661 enter_new_state(st,SITE_SENTMSG2);
1663 slog(st,LOG_ERROR,"failed to process an incoming "
1664 "crossed msg1 (we have low priority)");
1670 /* The message 1 was received at an unexpected stage of the
1671 key setup. XXX POLICY - what do we do? */
1672 slog(st,LOG_UNEXPECTED,"unexpected incoming message 1");
1676 if (msgtype==LABEL_PROD) {
1677 if (!named_for_us(st,buf,msgtype,&named_msg))
1679 dump_packet(st,buf,source,True);
1680 if (st->state!=SITE_RUN) {
1681 slog(st,LOG_DROP,"ignoring PROD when not in state RUN");
1682 } else if (current_valid(st)) {
1683 slog(st,LOG_DROP,"ignoring PROD when we think we have a key");
1685 initiate_key_setup(st,"peer sent PROD packet",source);
1690 if (dest==st->index) {
1691 /* Explicitly addressed to us */
1692 if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True);
1695 /* If the source is our current peer then initiate a key setup,
1696 because our peer's forgotten the key */
1697 if (get_uint32(buf->start+4)==st->current.remote_session_id) {
1699 initiated = initiate_key_setup(st,"received a NAK",source);
1700 if (!initiated) generate_send_prod(st,source);
1702 slog(st,LOG_SEC,"bad incoming NAK");
1706 process_msg0(st,buf,source);
1709 /* Setup packet: should not have been explicitly addressed
1711 slog(st,LOG_SEC,"incoming explicitly addressed msg1");
1714 /* Setup packet: expected only in state SENTMSG1 */
1715 if (st->state!=SITE_SENTMSG1) {
1716 slog(st,LOG_UNEXPECTED,"unexpected MSG2");
1717 } else if (process_msg2(st,buf,source)) {
1718 transport_setup_msgok(st,source);
1719 enter_new_state(st,SITE_SENTMSG3);
1721 slog(st,LOG_SEC,"invalid MSG2");
1726 /* Setup packet: expected only in state SENTMSG2 */
1727 if (st->state!=SITE_SENTMSG2) {
1728 slog(st,LOG_UNEXPECTED,"unexpected MSG3");
1729 } else if (process_msg3(st,buf,source,msgtype)) {
1730 transport_setup_msgok(st,source);
1731 enter_new_state(st,SITE_SENTMSG4);
1733 slog(st,LOG_SEC,"invalid MSG3");
1737 /* Setup packet: expected only in state SENTMSG3 */
1738 if (st->state!=SITE_SENTMSG3) {
1739 slog(st,LOG_UNEXPECTED,"unexpected MSG4");
1740 } else if (process_msg4(st,buf,source)) {
1741 transport_setup_msgok(st,source);
1742 enter_new_state(st,SITE_SENTMSG5);
1744 slog(st,LOG_SEC,"invalid MSG4");
1748 /* Setup packet: expected only in state SENTMSG4 */
1749 /* (may turn up in state RUN if our return MSG6 was lost
1750 and the new key has already been activated. In that
1751 case we discard it. The peer will realise that we
1752 are using the new key when they see our data packets.
1753 Until then the peer's data packets to us get discarded. */
1754 if (st->state==SITE_SENTMSG4) {
1755 if (process_msg5(st,buf,source,st->new_transform)) {
1756 transport_setup_msgok(st,source);
1757 enter_new_state(st,SITE_RUN);
1759 slog(st,LOG_SEC,"invalid MSG5");
1761 } else if (st->state==SITE_RUN) {
1762 if (process_msg5(st,buf,source,st->current.transform)) {
1763 slog(st,LOG_DROP,"got MSG5, retransmitting MSG6");
1764 transport_setup_msgok(st,source);
1765 create_msg6(st,st->current.transform,
1766 st->current.remote_session_id);
1767 transport_xmit(st,&st->peers,&st->buffer,True);
1768 BUF_FREE(&st->buffer);
1770 slog(st,LOG_SEC,"invalid MSG5 (in state RUN)");
1773 slog(st,LOG_UNEXPECTED,"unexpected MSG5");
1777 /* Setup packet: expected only in state SENTMSG5 */
1778 if (st->state!=SITE_SENTMSG5) {
1779 slog(st,LOG_UNEXPECTED,"unexpected MSG6");
1780 } else if (process_msg6(st,buf,source)) {
1781 BUF_FREE(&st->buffer); /* Free message 5 */
1782 transport_setup_msgok(st,source);
1783 activate_new_key(st);
1785 slog(st,LOG_SEC,"invalid MSG6");
1789 slog(st,LOG_SEC,"received message of unknown type 0x%08x",
1800 static void site_control(void *vst, bool_t run)
1802 struct site *st=vst;
1803 if (run) enter_state_run(st);
1804 else enter_state_stop(st);
1807 static void site_phase_hook(void *sst, uint32_t newphase)
1809 struct site *st=sst;
1811 /* The program is shutting down; tell our peer */
1812 send_msg7(st,"shutting down");
1815 static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
1818 static uint32_t index_sequence;
1824 st=safe_malloc(sizeof(*st),"site_apply");
1826 st->cl.description="site";
1827 st->cl.type=CL_SITE;
1829 st->cl.interface=&st->ops;
1831 st->ops.control=site_control;
1832 st->ops.status=site_status;
1834 /* First parameter must be a dict */
1835 item=list_elem(args,0);
1836 if (!item || item->type!=t_dict)
1837 cfgfatal(loc,"site","parameter must be a dictionary\n");
1839 dict=item->data.dict;
1840 st->localname=dict_read_string(dict, "local-name", True, "site", loc);
1841 st->remotename=dict_read_string(dict, "name", True, "site", loc);
1843 st->peer_mobile=dict_read_bool(dict,"mobile",False,"site",loc,False);
1845 dict_read_bool(dict,"local-mobile",False,"site",loc,False);
1847 /* Sanity check (which also allows the 'sites' file to include
1848 site() closures for all sites including our own): refuse to
1849 talk to ourselves */
1850 if (strcmp(st->localname,st->remotename)==0) {
1851 Message(M_DEBUG,"site %s: local-name==name -> ignoring this site\n",
1853 if (st->peer_mobile != st->local_mobile)
1854 cfgfatal(loc,"site","site %s's peer-mobile=%d"
1855 " but our local-mobile=%d\n",
1856 st->localname, st->peer_mobile, st->local_mobile);
1860 if (st->peer_mobile && st->local_mobile) {
1861 Message(M_WARNING,"site %s: site is mobile but so are we"
1862 " -> ignoring this site\n", st->remotename);
1867 assert(index_sequence < 0xffffffffUL);
1868 st->index = ++index_sequence;
1869 st->local_capabilities = 0;
1870 st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc);
1872 #define GET_CLOSURE_LIST(dictkey,things,nthings,CL_TYPE) do{ \
1873 list_t *things##_cfg=dict_lookup(dict,dictkey); \
1874 if (!things##_cfg) \
1875 cfgfatal(loc,"site","closure list \"%s\" not found\n",dictkey); \
1876 st->nthings=list_length(things##_cfg); \
1877 st->things=safe_malloc_ary(sizeof(*st->things),st->nthings,dictkey "s"); \
1878 assert(st->nthings); \
1879 for (i=0; i<st->nthings; i++) { \
1880 item_t *item=list_elem(things##_cfg,i); \
1881 if (item->type!=t_closure) \
1882 cfgfatal(loc,"site","%s is not a closure\n",dictkey); \
1883 closure_t *cl=item->data.closure; \
1884 if (cl->type!=CL_TYPE) \
1885 cfgfatal(loc,"site","%s closure wrong type\n",dictkey); \
1886 st->things[i]=cl->interface; \
1890 GET_CLOSURE_LIST("comm",comms,ncomms,CL_COMM);
1892 st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc);
1893 st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc);
1894 st->random=find_cl_if(dict,"random",CL_RANDOMSRC,True,"site",loc);
1896 st->privkey=find_cl_if(dict,"local-key",CL_RSAPRIVKEY,True,"site",loc);
1897 st->address=dict_read_string(dict, "address", False, "site", loc);
1899 st->remoteport=dict_read_number(dict,"port",True,"site",loc,0);
1900 else st->remoteport=0;
1901 st->pubkey=find_cl_if(dict,"key",CL_RSAPUBKEY,True,"site",loc);
1903 GET_CLOSURE_LIST("transform",transforms,ntransforms,CL_TRANSFORM);
1905 st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
1906 st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
1908 #define DEFAULT(D) (st->peer_mobile || st->local_mobile \
1909 ? DEFAULT_MOBILE_##D : DEFAULT_##D)
1910 #define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
1912 st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
1913 st->setup_retries= CFG_NUMBER("setup-retries", SETUP_RETRIES);
1914 st->setup_retry_interval= CFG_NUMBER("setup-timeout", SETUP_RETRY_INTERVAL);
1915 st->wait_timeout= CFG_NUMBER("wait-time", WAIT_TIME);
1916 st->mtu_target= dict_read_number(dict,"mtu-target",False,"site",loc,0);
1918 st->mobile_peer_expiry= dict_read_number(
1919 dict,"mobile-peer-expiry",False,"site",loc,DEFAULT_MOBILE_PEER_EXPIRY);
1921 st->transport_peers_max= !st->peer_mobile ? 1 : dict_read_number(
1922 dict,"mobile-peers-max",False,"site",loc,DEFAULT_MOBILE_PEERS_MAX);
1923 if (st->transport_peers_max<1 ||
1924 st->transport_peers_max>=MAX_MOBILE_PEERS_MAX) {
1925 cfgfatal(loc,"site","mobile-peers-max must be in range 1.."
1926 STRING(MAX_MOBILE_PEERS_MAX) "\n");
1929 if (st->key_lifetime < DEFAULT(KEY_RENEGOTIATE_GAP)*2)
1930 st->key_renegotiate_time=st->key_lifetime/2;
1932 st->key_renegotiate_time=st->key_lifetime-DEFAULT(KEY_RENEGOTIATE_GAP);
1933 st->key_renegotiate_time=dict_read_number(
1934 dict,"renegotiate-time",False,"site",loc,st->key_renegotiate_time);
1935 if (st->key_renegotiate_time > st->key_lifetime) {
1936 cfgfatal(loc,"site",
1937 "renegotiate-time must be less than key-lifetime\n");
1940 st->log_events=string_list_to_word(dict_lookup(dict,"log-events"),
1941 log_event_table,"site");
1943 st->resolving=False;
1944 st->allow_send_prod=0;
1946 st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5,
1948 sprintf(st->tunname,"%s<->%s",st->localname,st->remotename);
1950 /* The information we expect to see in incoming messages of type 1 */
1951 /* fixme: lots of unchecked overflows here, but the results are only
1952 corrupted packets rather than undefined behaviour */
1953 st->setup_priority=(strcmp(st->localname,st->remotename)>0);
1955 buffer_new(&st->buffer,SETUP_BUFFER_LEN);
1957 buffer_new(&st->scratch,SETUP_BUFFER_LEN);
1958 BUF_ALLOC(&st->scratch,"site:scratch");
1960 /* We are interested in poll(), but only for timeouts. We don't have
1961 any fds of our own. */
1962 register_for_poll(st, site_beforepoll, site_afterpoll, 0, "site");
1965 st->remote_capabilities=0;
1966 st->chosen_transform=0;
1967 st->current.key_timeout=0;
1968 st->auxiliary_key.key_timeout=0;
1969 transport_peers_clear(st,&st->peers);
1970 transport_peers_clear(st,&st->setup_peers);
1971 /* XXX mlock these */
1972 st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret");
1973 st->sharedsecretlen=st->sharedsecretallocd=0;
1976 for (i=0; i<st->ntransforms; i++) {
1977 struct transform_if *ti=st->transforms[i];
1978 uint32_t capbit = 1UL << ti->capab_transformnum;
1979 if (st->local_capabilities & capbit)
1980 slog(st,LOG_ERROR,"transformnum capability bit"
1981 " %d (%#"PRIx32") reused", ti->capab_transformnum, capbit);
1982 st->local_capabilities |= capbit;
1985 /* We need to register the remote networks with the netlink device */
1986 uint32_t netlink_mtu; /* local virtual interface mtu */
1987 st->netlink->reg(st->netlink->st, site_outgoing, st, &netlink_mtu);
1988 if (!st->mtu_target)
1989 st->mtu_target=netlink_mtu;
1991 for (i=0; i<st->ncomms; i++)
1992 st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming);
1994 st->current.transform=0;
1995 st->auxiliary_key.transform=0;
1996 st->new_transform=0;
1997 st->auxiliary_is_new=0;
1999 enter_state_stop(st);
2001 add_hook(PHASE_SHUTDOWN,site_phase_hook,st);
2003 return new_closure(&st->cl);
2006 void site_module(dict_t *dict)
2008 add_closure(dict,"site",site_apply);
2012 /***** TRANSPORT PEERS definitions *****/
2014 static void transport_peers_debug(struct site *st, transport_peers *dst,
2015 const char *didwhat,
2016 int nargs, const struct comm_addr *args,
2021 if (!(st->log_events & LOG_PEER_ADDRS))
2022 return; /* an optimisation */
2024 slog(st, LOG_PEER_ADDRS, "peers (%s) %s nargs=%d => npeers=%d",
2025 (dst==&st->peers ? "data" :
2026 dst==&st->setup_peers ? "setup" : "UNKNOWN"),
2027 didwhat, nargs, dst->npeers);
2029 for (i=0, argp=(void*)args;
2031 i++, (argp+=stride?stride:sizeof(*args))) {
2032 const struct comm_addr *ca=(void*)argp;
2033 slog(st, LOG_PEER_ADDRS, " args: addrs[%d]=%s",
2034 i, comm_addr_to_string(ca));
2036 for (i=0; i<dst->npeers; i++) {
2037 struct timeval diff;
2038 timersub(tv_now,&dst->peers[i].last,&diff);
2039 const struct comm_addr *ca=&dst->peers[i].addr;
2040 slog(st, LOG_PEER_ADDRS, " peers: addrs[%d]=%s T-%ld.%06ld",
2041 i, comm_addr_to_string(ca),
2042 (unsigned long)diff.tv_sec, (unsigned long)diff.tv_usec);
2046 static int transport_peer_compar(const void *av, const void *bv) {
2047 const transport_peer *a=av;
2048 const transport_peer *b=bv;
2049 /* put most recent first in the array */
2050 if (timercmp(&a->last, &b->last, <)) return +1;
2051 if (timercmp(&a->last, &b->last, >)) return -11;
2055 static void transport_peers_expire(struct site *st, transport_peers *peers) {
2056 /* peers must be sorted first */
2057 int previous_peers=peers->npeers;
2058 struct timeval oldest;
2059 oldest.tv_sec = tv_now->tv_sec - st->mobile_peer_expiry;
2060 oldest.tv_usec = tv_now->tv_usec;
2061 while (peers->npeers>1 &&
2062 timercmp(&peers->peers[peers->npeers-1].last, &oldest, <))
2064 if (peers->npeers != previous_peers)
2065 transport_peers_debug(st,peers,"expire", 0,0,0);
2068 static void transport_record_peer(struct site *st, transport_peers *peers,
2069 const struct comm_addr *addr, const char *m) {
2070 int slot, changed=0;
2072 for (slot=0; slot<peers->npeers; slot++)
2073 if (!memcmp(&peers->peers[slot].addr, addr, sizeof(*addr)))
2077 if (peers->npeers==st->transport_peers_max)
2078 slot=st->transport_peers_max-1;
2080 slot=peers->npeers++;
2083 peers->peers[slot].addr=*addr;
2084 peers->peers[slot].last=*tv_now;
2086 if (peers->npeers>1)
2087 qsort(peers->peers, peers->npeers,
2088 sizeof(*peers->peers), transport_peer_compar);
2090 if (changed || peers->npeers!=1)
2091 transport_peers_debug(st,peers,m, 1,addr,0);
2092 transport_peers_expire(st, peers);
2095 static bool_t transport_compute_setupinit_peers(struct site *st,
2096 const struct comm_addr *configured_addr /* 0 if none or not found */,
2097 const struct comm_addr *incoming_packet_addr /* 0 if none */) {
2099 if (!configured_addr && !incoming_packet_addr &&
2100 !transport_peers_valid(&st->peers))
2103 slog(st,LOG_SETUP_INIT,
2104 "using:%s%s %d old peer address(es)",
2105 configured_addr ? " configured address;" : "",
2106 incoming_packet_addr ? " incoming packet address;" : "",
2109 /* Non-mobile peers have st->peers.npeers==0 or ==1, since they
2110 * have transport_peers_max==1. The effect is that this code
2111 * always uses the configured address if supplied, or otherwise
2112 * the address of the incoming PROD, or the existing data peer if
2113 * one exists; this is as desired. */
2115 transport_peers_copy(st,&st->setup_peers,&st->peers);
2117 if (incoming_packet_addr)
2118 transport_record_peer(st,&st->setup_peers,incoming_packet_addr,
2121 if (configured_addr)
2122 transport_record_peer(st,&st->setup_peers,configured_addr,"setupinit");
2124 assert(transport_peers_valid(&st->setup_peers));
2128 static void transport_setup_msgok(struct site *st, const struct comm_addr *a) {
2129 if (st->peer_mobile)
2130 transport_record_peer(st,&st->setup_peers,a,"setupmsg");
2132 static void transport_data_msgok(struct site *st, const struct comm_addr *a) {
2133 if (st->peer_mobile)
2134 transport_record_peer(st,&st->peers,a,"datamsg");
2137 static int transport_peers_valid(transport_peers *peers) {
2138 return peers->npeers;
2140 static void transport_peers_clear(struct site *st, transport_peers *peers) {
2142 transport_peers_debug(st,peers,"clear",0,0,0);
2144 static void transport_peers_copy(struct site *st, transport_peers *dst,
2145 const transport_peers *src) {
2146 dst->npeers=src->npeers;
2147 memcpy(dst->peers, src->peers, sizeof(*dst->peers) * dst->npeers);
2148 transport_peers_debug(st,dst,"copy",
2149 src->npeers, &src->peers->addr, sizeof(*src->peers));
2152 static void transport_resolve_complete(struct site *st,
2153 const struct comm_addr *ca_use) {
2154 transport_record_peer(st,&st->peers,ca_use,"resolved data");
2155 transport_record_peer(st,&st->setup_peers,ca_use,"resolved setup");
2158 static void transport_resolve_complete_tardy(struct site *st,
2159 const struct comm_addr *ca_use) {
2160 transport_record_peer(st,&st->peers,ca_use,"resolved tardily");
2163 void transport_xmit(struct site *st, transport_peers *peers,
2164 struct buffer_if *buf, bool_t candebug) {
2166 transport_peers_expire(st, peers);
2167 for (slot=0; slot<peers->npeers; slot++) {
2168 transport_peer *peer=&peers->peers[slot];
2170 dump_packet(st, buf, &peer->addr, False);
2171 peer->addr.comm->sendmsg(peer->addr.comm->st, buf, &peer->addr);
2175 /***** END of transport peers declarations *****/