X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?a=blobdiff_plain;f=site.c;h=72cee24fc8d094d791a5ed8dab4b17ae71224671;hb=503cd8a1792a51fea0cb1d474e646cb6978633ff;hp=640ca68ba57ebb4ef4aa18ee0d4ee0939e142507;hpb=9a9fc107975ef7a673856cdf0fda6e157f2227b3;p=secnet.git diff --git a/site.c b/site.c index 640ca68..72cee24 100644 --- a/site.c +++ b/site.c @@ -662,10 +662,7 @@ static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what, struct xinfoadd xia; append_string_xinfo_start(&st->buffer,&xia,st->localname); - if ((st->local_capabilities & st->early_capabilities) || - (type != LABEL_MSG1)) { - buf_append_uint32(&st->buffer,st->local_capabilities); - } + buf_append_uint32(&st->buffer,st->local_capabilities); if (type_is_msg34(type)) { buf_append_uint16(&st->buffer,st->mtu_target); } @@ -710,6 +707,8 @@ static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what, return False; privkey_found: + slog(st,LOG_SIGKEYS,"using private key #%d " SIGKEYID_PR_FMT, + ki, SIGKEYID_PR_VAL(prompt->pubkeys_accepted[ki])); buf_append_uint8(&st->buffer,ki); } @@ -928,24 +927,6 @@ static void peerkeys_maybe_incorporate(struct site *st, const char *file, static void peerkeys_check_for_update(struct site *st) { - /* peerkeys files - * - * live file, loaded on startup, updated by secnet - * (only). * in-memory peerkeys_current is kept - * synced with this file - * - * ~update update file from config manager, checked before - * every key exchange. config manager must rename - * this file into place; it will be renamed and - * then removed by secnet. - * - * ~proc update file being processed by secnet. - * only secnet may write or remove. - * - * ~incoming update file from peer, being received by secnet - * may be incomplete, unverified, or even malicious - * only secnet may write or remove. - */ if (!st->peerkeys_path) return; pathprefix_template_setsuffix(&st->peerkeys_tmpl,"~proc"); @@ -973,7 +954,7 @@ static void peerkeys_check_for_update(struct site *st) int r=rename(inputp,oursp); if (r) { - slog(st,LOG_ERROR,"failed to claim key update file %s as %s: %s\n", + slog(st,LOG_ERROR,"failed to claim key update file %s as %s: %s", inputp,oursp,strerror(errno)); return; } @@ -1105,9 +1086,14 @@ static bool_t process_msg3_msg4(struct site *st, struct msg *m) if (!pubkey->check(pubkey->st, m->hashstart,m->hashlen, &m->sig)) { - slog(st,LOG_SEC,"msg3/msg4 signature failed check!"); + slog(st,LOG_SEC,"msg3/msg4 signature failed check!" + " (key #%d " SIGKEYID_PR_FMT ")", + ki, SIGKEYID_PR_VAL(&st->peerkeys_kex->keys[ki].id)); return False; } + slog(st,LOG_SIGKEYS,"verified peer signature with key #%d " + SIGKEYID_PR_FMT, ki, + SIGKEYID_PR_VAL(&st->peerkeys_kex->keys[ki].id)); st->remote_adv_mtu=m->remote_mtu; @@ -2328,17 +2314,6 @@ static void site_childpersist_clearkeys(void *sst, uint32_t newphase) crypto operations, but that's a task for another day. */ } -static void setup_sethash(struct site *st, dict_t *dict, - struct hash_if **hash, struct cloc loc, - sig_sethash_fn *sethash, void *sigkey_st) { - if (!*hash) *hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc); - sethash(sigkey_st,*hash); -} -#define SETUP_SETHASH(k) do{ \ - if ((k)->sethash) \ - setup_sethash(st,dict, &hash,loc, (k)->sethash,(k)->st); \ -}while(0) - static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, list_t *args) { @@ -2367,9 +2342,19 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, cfgfatal(loc,"site","parameter must be a dictionary\n"); dict=item->data.dict; + st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc); + st->log_events=string_list_to_word(dict_lookup(dict,"log-events"), + log_event_table,"site"); + st->localname=dict_read_string(dict, "local-name", True, "site", loc); st->remotename=dict_read_string(dict, "name", True, "site", loc); + st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5, + "site_apply"); + sprintf(st->tunname,"%s<->%s",st->localname,st->remotename); + + /* Now slog is working */ + st->keepalive=dict_read_bool(dict,"keepalive",False,"site",loc,False); st->peer_mobile=dict_read_bool(dict,"mobile",False,"site",loc,False); @@ -2431,16 +2416,12 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, } st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc); - st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc); st->random=find_cl_if(dict,"random",CL_RANDOMSRC,True,"site",loc); - struct hash_if *hash=0; - st->privkeys=find_cl_if(dict,"key-cache",CL_PRIVCACHE,False,"site",loc); if (!st->privkeys) { st->privkey_fixed= find_cl_if(dict,"local-key",CL_SIGPRIVKEY,True,"site",loc); - SETUP_SETHASH(st->privkey_fixed); } struct sigpubkey_if *fixed_pubkey @@ -2457,7 +2438,6 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, } } else { assert(fixed_pubkey); - SETUP_SETHASH(fixed_pubkey); NEW(st->peerkeys_current); st->peerkeys_current->refcount=1; st->peerkeys_current->nkeys=1; @@ -2510,16 +2490,9 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, "renegotiate-time must be less than key-lifetime\n"); } - st->log_events=string_list_to_word(dict_lookup(dict,"log-events"), - log_event_table,"site"); - st->resolving_count=0; st->allow_send_prod=0; - st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5, - "site_apply"); - sprintf(st->tunname,"%s<->%s",st->localname,st->remotename); - /* The information we expect to see in incoming messages of type 1 */ /* fixme: lots of unchecked overflows here, but the results are only corrupted packets rather than undefined behaviour */ @@ -2626,6 +2599,8 @@ static void transport_peers_debug(struct site *st, transport_peers *dst, static void transport_peers_expire(struct site *st, transport_peers *peers) { /* peers must be sorted first */ + if (st->local_mobile) return; + int previous_peers=peers->npeers; struct timeval oldest; oldest.tv_sec = tv_now->tv_sec - st->mobile_peer_expiry;