1 /* site.c - manage communication with a remote network site */
3 /* The 'site' code doesn't know anything about the structure of the
4 packets it's transmitting. In fact, under the new netlink
5 configuration scheme it doesn't need to know anything at all about
6 IP addresses, except how to contact its peer. This means it could
7 potentially be used to tunnel other protocols too (IPv6, IPX, plain
8 old Ethernet frames) if appropriate netlink code can be written
9 (and that ought not to be too hard, eg. using the TUN/TAP device to
10 pretend to be an Ethernet interface). */
12 /* At some point in the future the netlink code will be asked for
13 configuration information to go in the PING/PONG packets at the end
14 of the key exchange. */
21 #include <sys/socket.h>
25 #include "unaligned.h"
28 #define SETUP_BUFFER_LEN 2048
30 #define DEFAULT_KEY_LIFETIME (3600*1000) /* [ms] */
31 #define DEFAULT_KEY_RENEGOTIATE_GAP (5*60*1000) /* [ms] */
32 #define DEFAULT_SETUP_RETRIES 5
33 #define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
34 #define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
36 #define DEFAULT_MOBILE_KEY_LIFETIME (2*24*3600*1000) /* [ms] */
37 #define DEFAULT_MOBILE_KEY_RENEGOTIATE_GAP (12*3600*1000) /* [ms] */
38 #define DEFAULT_MOBILE_SETUP_RETRIES 30
39 #define DEFAULT_MOBILE_SETUP_RETRY_INTERVAL (1*1000) /* [ms] */
40 #define DEFAULT_MOBILE_WAIT_TIME (10*1000) /* [ms] */
42 #define DEFAULT_MOBILE_PEER_EXPIRY (2*60) /* [s] */
43 #define DEFAULT_MOBILE_PEERS_MAX 3 /* send at most this many copies (default) */
45 /* Each site can be in one of several possible states. */
48 SITE_STOP - nothing is allowed to happen; tunnel is down;
49 all session keys have been erased
50 -> SITE_RUN upon external instruction
51 SITE_RUN - site up, maybe with valid key
52 -> SITE_RESOLVE upon outgoing packet and no valid key
53 we start name resolution for the other end of the tunnel
54 -> SITE_SENTMSG2 upon valid incoming message 1 and suitable time
55 we send an appropriate message 2
56 SITE_RESOLVE - waiting for name resolution
57 -> SITE_SENTMSG1 upon successful resolution
58 we send an appropriate message 1
59 -> SITE_SENTMSG2 upon valid incoming message 1 (then abort resolution)
60 we abort resolution and
61 -> SITE_WAIT on timeout or resolution failure
63 -> SITE_SENTMSG2 upon valid incoming message 1 from higher priority end
64 -> SITE_SENTMSG3 upon valid incoming message 2
65 -> SITE_WAIT on timeout
67 -> SITE_SENTMSG4 upon valid incoming message 3
68 -> SITE_WAIT on timeout
70 -> SITE_SENTMSG5 upon valid incoming message 4
71 -> SITE_WAIT on timeout
73 -> SITE_RUN upon valid incoming message 5
74 -> SITE_WAIT on timeout
76 -> SITE_RUN upon valid incoming message 6
77 -> SITE_WAIT on timeout
78 SITE_WAIT - failed to establish key; do nothing for a while
79 -> SITE_RUN on timeout
84 #define SITE_RESOLVE 2
85 #define SITE_SENTMSG1 3
86 #define SITE_SENTMSG2 4
87 #define SITE_SENTMSG3 5
88 #define SITE_SENTMSG4 6
89 #define SITE_SENTMSG5 7
92 static cstring_t state_name(uint32_t state)
95 case 0: return "STOP";
97 case 2: return "RESOLVE";
98 case 3: return "SENTMSG1";
99 case 4: return "SENTMSG2";
100 case 5: return "SENTMSG3";
101 case 6: return "SENTMSG4";
102 case 7: return "SENTMSG5";
103 case 8: return "WAIT";
104 default: return "*bad state*";
110 #define LOG_UNEXPECTED 0x00000001
111 #define LOG_SETUP_INIT 0x00000002
112 #define LOG_SETUP_TIMEOUT 0x00000004
113 #define LOG_ACTIVATE_KEY 0x00000008
114 #define LOG_TIMEOUT_KEY 0x00000010
115 #define LOG_SEC 0x00000020
116 #define LOG_STATE 0x00000040
117 #define LOG_DROP 0x00000080
118 #define LOG_DUMP 0x00000100
119 #define LOG_ERROR 0x00000400
120 #define LOG_PEER_ADDRS 0x00000800
122 static struct flagstr log_event_table[]={
123 { "unexpected", LOG_UNEXPECTED },
124 { "setup-init", LOG_SETUP_INIT },
125 { "setup-timeout", LOG_SETUP_TIMEOUT },
126 { "activate-key", LOG_ACTIVATE_KEY },
127 { "timeout-key", LOG_TIMEOUT_KEY },
128 { "security", LOG_SEC },
129 { "state-change", LOG_STATE },
130 { "packet-drop", LOG_DROP },
131 { "dump-packets", LOG_DUMP },
132 { "errors", LOG_ERROR },
133 { "peer-addrs", LOG_PEER_ADDRS },
134 { "default", LOG_SETUP_INIT|LOG_SETUP_TIMEOUT|
135 LOG_ACTIVATE_KEY|LOG_TIMEOUT_KEY|LOG_SEC|LOG_ERROR },
136 { "all", 0xffffffff },
141 /***** TRANSPORT PEERS declarations *****/
143 /* Details of "mobile peer" semantics:
145 - We record mobile_peers_max peer address/port numbers ("peers")
146 for key setup, and separately mobile_peers_max for data
147 transfer. If these lists fill up, we retain the newest peers.
148 (For non-mobile peers we only record one of each.)
150 - Outgoing packets are sent to every recorded peer in the
153 - Data transfer peers are straightforward: whenever we successfully
154 process a data packet, we record the peer. Also, whenever we
155 successfully complete a key setup, we merge the key setup
156 peers into the data transfer peers.
158 (For "non-mobile" peers we simply copy the peer used for
159 successful key setup, and don't change the peer otherwise.)
161 - Key setup peers are slightly more complicated.
163 Whenever we receive and successfully process a key exchange
164 packet, we record the peer.
166 Whenever we try to initiate a key setup, we copy the list of data
167 transfer peers and use it for key setup. But we also look to see
168 if the config supplies an address and port number and if so we
169 add that as a key setup peer (possibly evicting one of the data
170 transfer peers we just copied).
172 (For "non-mobile" peers, if we if we have a configured peer
173 address and port, we always use that; otherwise if we have a
174 current data peer address we use that; otherwise we do not
175 attempt to initiate a key setup for lack of a peer address.)
177 "Record the peer" means
178 1. expire any peers last seen >120s ("mobile-peer-expiry") ago
179 2. add the peer of the just received packet to the applicable list
180 (possibly evicting older entries)
181 NB that we do not expire peers until an incoming packet arrives.
185 #define MAX_MOBILE_PEERS_MAX 5 /* send at most this many copies, compiled max */
189 struct comm_addr addr;
193 /* configuration information */
194 /* runtime information */
196 transport_peer peers[MAX_MOBILE_PEERS_MAX];
199 static void transport_peers_clear(struct site *st, transport_peers *peers);
200 static int transport_peers_valid(transport_peers *peers);
201 static void transport_peers_copy(struct site *st, transport_peers *dst,
202 const transport_peers *src);
204 static void transport_setup_msgok(struct site *st, const struct comm_addr *a);
205 static void transport_data_msgok(struct site *st, const struct comm_addr *a);
206 static bool_t transport_compute_setupinit_peers(struct site *st,
207 const struct comm_addr *configured_addr /* 0 if none or not found */);
208 static void transport_record_peer(struct site *st, transport_peers *peers,
209 const struct comm_addr *addr, const char *m);
211 static void transport_xmit(struct site *st, transport_peers *peers,
212 struct buffer_if *buf, bool_t candebug);
214 /***** END of transport peers declarations *****/
218 struct transform_inst_if *transform;
219 uint64_t key_timeout; /* End of life of current key */
220 uint32_t remote_session_id;
226 /* configuration information */
229 bool_t peer_mobile; /* Mobile client support */
230 int32_t transport_peers_max;
231 string_t tunname; /* localname<->remotename by default, used in logs */
232 string_t address; /* DNS name for bootstrapping, optional */
233 int remoteport; /* Port for bootstrapping, optional */
234 struct netlink_if *netlink;
235 struct comm_if **comms;
237 struct resolver_if *resolver;
239 struct random_if *random;
240 struct rsaprivkey_if *privkey;
241 struct rsapubkey_if *pubkey;
242 struct transform_if **transforms;
245 struct hash_if *hash;
247 uint32_t index; /* Index of this site */
248 uint32_t local_capabilities;
249 int32_t setup_retries; /* How many times to send setup packets */
250 int32_t setup_retry_interval; /* Initial timeout for setup packets */
251 int32_t wait_timeout; /* How long to wait if setup unsuccessful */
252 int32_t mobile_peer_expiry; /* How long to remember 2ary addresses */
253 int32_t key_lifetime; /* How long a key lasts once set up */
254 int32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
255 after this time, initiate a new
258 bool_t setup_priority; /* Do we have precedence if both sites emit
259 message 1 simultaneously? */
262 /* runtime information */
264 uint64_t now; /* Most recently seen time */
266 /* The currently established session */
267 struct data_key current;
268 struct data_key auxiliary_key;
269 bool_t auxiliary_is_new;
270 uint64_t renegotiate_key_time; /* When we can negotiate a new key */
271 uint64_t auxiliary_renegotiate_key_time;
272 transport_peers peers; /* Current address(es) of peer for data traffic */
274 /* The current key setup protocol exchange. We can only be
275 involved in one of these at a time. There's a potential for
276 denial of service here (the attacker keeps sending a setup
277 packet; we keep trying to continue the exchange, and have to
278 timeout before we can listen for another setup packet); perhaps
279 we should keep a list of 'bad' sources for setup packets. */
280 uint32_t remote_capabilities;
281 struct transform_if *chosen_transform;
282 uint32_t setup_session_id;
283 transport_peers setup_peers;
284 uint8_t localN[NONCELEN]; /* Nonces for key exchange */
285 uint8_t remoteN[NONCELEN];
286 struct buffer_if buffer; /* Current outgoing key exchange packet */
287 struct buffer_if scratch;
288 int32_t retries; /* Number of retries remaining */
289 uint64_t timeout; /* Timeout for current state */
291 uint8_t *sharedsecret;
292 uint32_t sharedsecretlen, sharedsecretallocd;
293 struct transform_inst_if *new_transform; /* For key setup/verify */
296 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
304 if (event&st->log_events) {
306 case LOG_UNEXPECTED: class=M_INFO; break;
307 case LOG_SETUP_INIT: class=M_INFO; break;
308 case LOG_SETUP_TIMEOUT: class=M_NOTICE; break;
309 case LOG_ACTIVATE_KEY: class=M_INFO; break;
310 case LOG_TIMEOUT_KEY: class=M_INFO; break;
311 case LOG_SEC: class=M_SECURITY; break;
312 case LOG_STATE: class=M_DEBUG; break;
313 case LOG_DROP: class=M_DEBUG; break;
314 case LOG_DUMP: class=M_DEBUG; break;
315 case LOG_ERROR: class=M_ERR; break;
316 case LOG_PEER_ADDRS: class=M_DEBUG; break;
317 default: class=M_ERR; break;
320 vsnprintf(buf,sizeof(buf),msg,ap);
321 st->log->log(st->log->st,class,"%s: %s",st->tunname,buf);
326 static void set_link_quality(struct site *st);
327 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel);
328 static void delete_one_key(struct site *st, struct data_key *key,
329 const char *reason /* may be 0 meaning don't log*/,
330 const char *which /* ignored if !reasonn */,
331 uint32_t loglevel /* ignored if !reasonn */);
332 static bool_t initiate_key_setup(struct site *st, cstring_t reason);
333 static void enter_state_run(struct site *st);
334 static bool_t enter_state_resolve(struct site *st);
335 static bool_t enter_new_state(struct site *st,uint32_t next);
336 static void enter_state_wait(struct site *st);
337 static void activate_new_key(struct site *st);
339 static bool_t is_transform_valid(struct transform_inst_if *transform)
341 return transform && transform->valid(transform->st);
344 static bool_t current_valid(struct site *st)
346 return is_transform_valid(st->current.transform);
349 #define DEFINE_CALL_TRANSFORM(fwdrev) \
350 static int call_transform_##fwdrev(struct site *st, \
351 struct transform_inst_if *transform, \
352 struct buffer_if *buf, \
353 const char **errmsg) \
355 if (!is_transform_valid(transform)) { \
356 *errmsg="transform not set up"; \
359 return transform->fwdrev(transform->st,buf,errmsg); \
362 DEFINE_CALL_TRANSFORM(forwards)
363 DEFINE_CALL_TRANSFORM(reverse)
365 static void dispose_transform(struct transform_inst_if **transform_var)
367 struct transform_inst_if *transform=*transform_var;
369 transform->delkey(transform->st);
370 transform->destroy(transform->st);
375 #define CHECK_AVAIL(b,l) do { if ((b)->size<(l)) return False; } while(0)
376 #define CHECK_EMPTY(b) do { if ((b)->size!=0) return False; } while(0)
377 #define CHECK_TYPE(b,t) do { uint32_t type; \
378 CHECK_AVAIL((b),4); \
379 type=buf_unprepend_uint32((b)); \
380 if (type!=(t)) return False; } while(0)
385 struct buffer_if extrainfo;
392 struct parsedname remote;
393 struct parsedname local;
394 uint32_t remote_capabilities;
395 int capab_transformnum;
405 static void set_new_transform(struct site *st, char *pk)
407 /* Make room for the shared key */
408 st->sharedsecretlen=st->chosen_transform->keylen?:st->dh->ceil_len;
409 assert(st->sharedsecretlen);
410 if (st->sharedsecretlen > st->sharedsecretallocd) {
411 st->sharedsecretallocd=st->sharedsecretlen;
412 st->sharedsecret=realloc(st->sharedsecret,st->sharedsecretallocd);
414 if (!st->sharedsecret) fatal_perror("site:sharedsecret");
416 /* Generate the shared key */
417 st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,pk,
418 st->sharedsecret,st->sharedsecretlen);
420 /* Set up the transform */
421 struct transform_if *generator=st->chosen_transform;
422 struct transform_inst_if *generated=generator->create(generator->st);
423 generated->setkey(generated->st,st->sharedsecret,
424 st->sharedsecretlen,st->setup_priority);
425 dispose_transform(&st->new_transform);
426 st->new_transform=generated;
428 slog(st,LOG_SETUP_INIT,"key exchange negotiated transform"
429 " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")",
430 st->chosen_transform->capab_transformnum,
431 st->local_capabilities, st->remote_capabilities);
435 int32_t lenpos, afternul;
437 static void append_string_xinfo_start(struct buffer_if *buf,
438 struct xinfoadd *xia,
440 /* Helps construct one of the names with additional info as found
441 * in MSG1..4. Call this function first, then append all the
442 * desired extra info (not including the nul byte) to the buffer,
443 * then call append_string_xinfo_done. */
445 xia->lenpos = buf->size;
446 buf_append_string(buf,str);
447 buf_append_uint8(buf,0);
448 xia->afternul = buf->size;
450 static void append_string_xinfo_done(struct buffer_if *buf,
451 struct xinfoadd *xia)
453 /* we just need to adjust the string length */
454 if (buf->size == xia->afternul) {
455 /* no extra info, strip the nul too */
456 buf_unappend_uint8(buf);
458 put_uint16(buf->start+xia->lenpos, buf->size-(xia->lenpos+2));
462 /* Build any of msg1 to msg4. msg5 and msg6 are built from the inside
463 out using a transform of config data supplied by netlink */
464 static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what)
470 st->retries=st->setup_retries;
471 BUF_ALLOC(&st->buffer,what);
472 buffer_init(&st->buffer,0);
473 buf_append_uint32(&st->buffer,
474 (type==LABEL_MSG1?0:st->setup_session_id));
475 buf_append_uint32(&st->buffer,st->index);
476 buf_append_uint32(&st->buffer,type);
479 append_string_xinfo_start(&st->buffer,&xia,st->localname);
480 if ((st->local_capabilities & CAPAB_EARLY) || (type != LABEL_MSG1)) {
481 buf_append_uint32(&st->buffer,st->local_capabilities);
483 append_string_xinfo_done(&st->buffer,&xia);
485 buf_append_string(&st->buffer,st->remotename);
486 memcpy(buf_append(&st->buffer,NONCELEN),st->localN,NONCELEN);
487 if (type==LABEL_MSG1) return True;
488 memcpy(buf_append(&st->buffer,NONCELEN),st->remoteN,NONCELEN);
489 if (type==LABEL_MSG2) return True;
491 if (hacky_par_mid_failnow()) return False;
493 if (type==LABEL_MSG3BIS)
494 buf_append_uint8(&st->buffer,st->chosen_transform->capab_transformnum);
496 dhpub=st->dh->makepublic(st->dh->st,st->dhsecret,st->dh->len);
497 buf_append_string(&st->buffer,dhpub);
499 hash=safe_malloc(st->hash->len, "generate_msg");
500 hst=st->hash->init();
501 st->hash->update(hst,st->buffer.start,st->buffer.size);
502 st->hash->final(hst,hash);
503 sig=st->privkey->sign(st->privkey->st,hash,st->hash->len);
504 buf_append_string(&st->buffer,sig);
510 static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm)
513 nm->len=buf_unprepend_uint16(msg);
514 CHECK_AVAIL(msg,nm->len);
515 nm->name=buf_unprepend(msg,nm->len);
516 uint8_t *nul=memchr(nm->name,0,nm->len);
518 buffer_readonly_view(&nm->extrainfo,0,0);
520 buffer_readonly_view(&nm->extrainfo, nul+1, msg->start-(nul+1));
521 nm->len=nul-nm->name;
526 static bool_t unpick_msg(struct site *st, uint32_t type,
527 struct buffer_if *msg, struct msg *m)
529 m->capab_transformnum=-1;
530 m->hashstart=msg->start;
532 m->dest=buf_unprepend_uint32(msg);
534 m->source=buf_unprepend_uint32(msg);
535 CHECK_TYPE(msg,type);
536 if (!unpick_name(msg,&m->remote)) return False;
537 m->remote_capabilities=0;
538 if (m->remote.extrainfo.size) {
539 CHECK_AVAIL(&m->remote.extrainfo,4);
540 m->remote_capabilities=buf_unprepend_uint32(&m->remote.extrainfo);
542 if (!unpick_name(msg,&m->local)) return False;
543 CHECK_AVAIL(msg,NONCELEN);
544 m->nR=buf_unprepend(msg,NONCELEN);
545 if (type==LABEL_MSG1) {
549 CHECK_AVAIL(msg,NONCELEN);
550 m->nL=buf_unprepend(msg,NONCELEN);
551 if (type==LABEL_MSG2) {
555 if (type==LABEL_MSG3BIS) {
557 m->capab_transformnum = buf_unprepend_uint8(msg);
559 m->capab_transformnum = CAPAB_TRANSFORMNUM_ANCIENT;
562 m->pklen=buf_unprepend_uint16(msg);
563 CHECK_AVAIL(msg,m->pklen);
564 m->pk=buf_unprepend(msg,m->pklen);
565 m->hashlen=msg->start-m->hashstart;
567 m->siglen=buf_unprepend_uint16(msg);
568 CHECK_AVAIL(msg,m->siglen);
569 m->sig=buf_unprepend(msg,m->siglen);
574 static bool_t name_matches(const struct parsedname *nm, const char *expected)
576 int expected_len=strlen(expected);
578 nm->len == expected_len &&
579 !memcmp(nm->name, expected, expected_len);
582 static bool_t check_msg(struct site *st, uint32_t type, struct msg *m,
585 if (type==LABEL_MSG1) return True;
587 /* Check that the site names and our nonce have been sent
588 back correctly, and then store our peer's nonce. */
589 if (!name_matches(&m->remote,st->remotename)) {
590 *error="wrong remote site name";
593 if (!name_matches(&m->local,st->localname)) {
594 *error="wrong local site name";
597 if (memcmp(m->nL,st->localN,NONCELEN)!=0) {
598 *error="wrong locally-generated nonce";
601 if (type==LABEL_MSG2) return True;
602 if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) {
603 *error="wrong remotely-generated nonce";
606 /* MSG3 has complicated rules about capabilities, which are
607 * handled in process_msg3. */
608 if (type==LABEL_MSG3 || type==LABEL_MSG3BIS) return True;
609 if (m->remote_capabilities!=st->remote_capabilities) {
610 *error="remote capabilities changed";
613 if (type==LABEL_MSG4) return True;
614 *error="unknown message type";
618 static bool_t generate_msg1(struct site *st)
620 st->random->generate(st->random->st,NONCELEN,st->localN);
621 return generate_msg(st,LABEL_MSG1,"site:MSG1");
624 static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
625 const struct comm_addr *src, struct msg *m)
627 /* We've already determined we're in an appropriate state to
628 process an incoming MSG1, and that the MSG1 has correct values
631 transport_record_peer(st,&st->setup_peers,src,"msg1");
632 st->setup_session_id=m->source;
633 st->remote_capabilities=m->remote_capabilities;
634 memcpy(st->remoteN,m->nR,NONCELEN);
638 static bool_t generate_msg2(struct site *st)
640 st->random->generate(st->random->st,NONCELEN,st->localN);
641 return generate_msg(st,LABEL_MSG2,"site:MSG2");
644 static bool_t process_msg2(struct site *st, struct buffer_if *msg2,
645 const struct comm_addr *src)
650 if (!unpick_msg(st,LABEL_MSG2,msg2,&m)) return False;
651 if (!check_msg(st,LABEL_MSG2,&m,&err)) {
652 slog(st,LOG_SEC,"msg2: %s",err);
655 st->setup_session_id=m.source;
656 st->remote_capabilities=m.remote_capabilities;
658 /* Select the transform to use */
660 uint32_t remote_transforms = st->remote_capabilities & CAPAB_TRANSFORM_MASK;
661 if (!remote_transforms)
662 /* old secnets only had this one transform */
663 remote_transforms = 1UL << CAPAB_TRANSFORMNUM_ANCIENT;
665 struct transform_if *ti;
667 for (i=0; i<st->ntransforms; i++) {
668 ti=st->transforms[i];
669 if ((1UL << ti->capab_transformnum) & remote_transforms)
670 goto transform_found;
672 slog(st,LOG_ERROR,"no transforms in common"
673 " (us %#"PRIx32"; them: %#"PRIx32")",
674 st->local_capabilities & CAPAB_TRANSFORM_MASK,
678 st->chosen_transform=ti;
680 memcpy(st->remoteN,m.nR,NONCELEN);
684 static bool_t generate_msg3(struct site *st)
686 /* Now we have our nonce and their nonce. Think of a secret key,
687 and create message number 3. */
688 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
689 return generate_msg(st,
690 (st->remote_capabilities & CAPAB_TRANSFORM_MASK
691 ? LABEL_MSG3BIS : LABEL_MSG3),
695 static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
696 const struct comm_addr *src, uint32_t msgtype)
703 assert(msgtype==LABEL_MSG3 || msgtype==LABEL_MSG3BIS);
705 if (!unpick_msg(st,msgtype,msg3,&m)) return False;
706 if (!check_msg(st,msgtype,&m,&err)) {
707 slog(st,LOG_SEC,"msg3: %s",err);
710 uint32_t capab_adv_late = m.remote_capabilities
711 & ~st->remote_capabilities & CAPAB_EARLY;
712 if (capab_adv_late) {
713 slog(st,LOG_SEC,"msg3 impermissibly adds early capability flag(s)"
714 " %#"PRIx32" (was %#"PRIx32", now %#"PRIx32")",
715 capab_adv_late, st->remote_capabilities, m.remote_capabilities);
718 st->remote_capabilities|=m.remote_capabilities;
720 struct transform_if *ti;
722 for (i=0; i<st->ntransforms; i++) {
723 ti=st->transforms[i];
724 if (ti->capab_transformnum == m.capab_transformnum)
725 goto transform_found;
727 slog(st,LOG_SEC,"peer chose unknown-to-us transform %d!",
728 m.capab_transformnum);
731 st->chosen_transform=ti;
733 /* Check signature and store g^x mod m */
734 hash=safe_malloc(st->hash->len, "process_msg3");
735 hst=st->hash->init();
736 st->hash->update(hst,m.hashstart,m.hashlen);
737 st->hash->final(hst,hash);
738 /* Terminate signature with a '0' - cheating, but should be ok */
740 if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m.sig)) {
741 slog(st,LOG_SEC,"msg3 signature failed check!");
747 /* Terminate their DH public key with a '0' */
749 /* Invent our DH secret key */
750 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
752 /* Generate the shared key and set up the transform */
753 set_new_transform(st,m.pk);
758 static bool_t generate_msg4(struct site *st)
760 /* We have both nonces, their public key and our private key. Generate
761 our public key, sign it and send it to them. */
762 return generate_msg(st,LABEL_MSG4,"site:MSG4");
765 static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
766 const struct comm_addr *src)
773 if (!unpick_msg(st,LABEL_MSG4,msg4,&m)) return False;
774 if (!check_msg(st,LABEL_MSG4,&m,&err)) {
775 slog(st,LOG_SEC,"msg4: %s",err);
779 /* Check signature and store g^x mod m */
780 hash=safe_malloc(st->hash->len, "process_msg4");
781 hst=st->hash->init();
782 st->hash->update(hst,m.hashstart,m.hashlen);
783 st->hash->final(hst,hash);
784 /* Terminate signature with a '0' - cheating, but should be ok */
786 if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m.sig)) {
787 slog(st,LOG_SEC,"msg4 signature failed check!");
793 /* Terminate their DH public key with a '0' */
796 /* Generate the shared key and set up the transform */
797 set_new_transform(st,m.pk);
808 static bool_t unpick_msg0(struct site *st, struct buffer_if *msg0,
812 m->dest=buf_unprepend_uint32(msg0);
814 m->source=buf_unprepend_uint32(msg0);
816 m->type=buf_unprepend_uint32(msg0);
818 /* Leaves transformed part of buffer untouched */
821 static bool_t generate_msg5(struct site *st)
823 cstring_t transform_err;
825 BUF_ALLOC(&st->buffer,"site:MSG5");
826 /* We are going to add four words to the message */
827 buffer_init(&st->buffer,st->new_transform->max_start_pad+(4*4));
828 /* Give the netlink code an opportunity to put its own stuff in the
829 message (configuration information, etc.) */
830 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
831 if (call_transform_forwards(st,st->new_transform,
832 &st->buffer,&transform_err))
834 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
835 buf_prepend_uint32(&st->buffer,st->index);
836 buf_prepend_uint32(&st->buffer,st->setup_session_id);
838 st->retries=st->setup_retries;
842 static bool_t process_msg5(struct site *st, struct buffer_if *msg5,
843 const struct comm_addr *src,
844 struct transform_inst_if *transform)
847 cstring_t transform_err;
849 if (!unpick_msg0(st,msg5,&m)) return False;
851 if (call_transform_reverse(st,transform,msg5,&transform_err)) {
852 /* There's a problem */
853 slog(st,LOG_SEC,"process_msg5: transform: %s",transform_err);
856 /* Buffer should now contain untransformed PING packet data */
858 if (buf_unprepend_uint32(msg5)!=LABEL_MSG5) {
859 slog(st,LOG_SEC,"MSG5/PING packet contained wrong label");
862 /* Older versions of secnet used to write some config data here
863 * which we ignore. So we don't CHECK_EMPTY */
867 static void create_msg6(struct site *st, struct transform_inst_if *transform,
870 cstring_t transform_err;
872 BUF_ALLOC(&st->buffer,"site:MSG6");
873 /* We are going to add four words to the message */
874 buffer_init(&st->buffer,transform->max_start_pad+(4*4));
875 /* Give the netlink code an opportunity to put its own stuff in the
876 message (configuration information, etc.) */
877 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
878 int problem = call_transform_forwards(st,transform,
879 &st->buffer,&transform_err);
881 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
882 buf_prepend_uint32(&st->buffer,st->index);
883 buf_prepend_uint32(&st->buffer,session_id);
886 static bool_t generate_msg6(struct site *st)
888 if (!is_transform_valid(st->new_transform))
890 create_msg6(st,st->new_transform,st->setup_session_id);
891 st->retries=1; /* Peer will retransmit MSG5 if this packet gets lost */
895 static bool_t process_msg6(struct site *st, struct buffer_if *msg6,
896 const struct comm_addr *src)
899 cstring_t transform_err;
901 if (!unpick_msg0(st,msg6,&m)) return False;
903 if (call_transform_reverse(st,st->new_transform,msg6,&transform_err)) {
904 /* There's a problem */
905 slog(st,LOG_SEC,"process_msg6: transform: %s",transform_err);
908 /* Buffer should now contain untransformed PING packet data */
910 if (buf_unprepend_uint32(msg6)!=LABEL_MSG6) {
911 slog(st,LOG_SEC,"MSG6/PONG packet contained invalid data");
914 /* Older versions of secnet used to write some config data here
915 * which we ignore. So we don't CHECK_EMPTY */
919 static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0,
920 const struct comm_addr *src)
922 cstring_t transform_err, auxkey_err, newkey_err="n/a";
926 if (!unpick_msg0(st,msg0,&m)) return False;
928 /* Keep a copy so we can try decrypting it with multiple keys */
929 buffer_copy(&st->scratch, msg0);
931 problem = call_transform_reverse(st,st->current.transform,
932 msg0,&transform_err);
934 if (!st->auxiliary_is_new)
935 delete_one_key(st,&st->auxiliary_key,
936 "peer has used new key","auxiliary key",LOG_SEC);
942 buffer_copy(msg0, &st->scratch);
943 problem = call_transform_reverse(st,st->auxiliary_key.transform,
946 slog(st,LOG_DROP,"processing packet which uses auxiliary key");
947 if (st->auxiliary_is_new) {
948 /* We previously timed out in state SENTMSG5 but it turns
949 * out that our peer did in fact get our MSG5 and is
950 * using the new key. So we should switch to it too. */
951 /* This is a bit like activate_new_key. */
954 st->current=st->auxiliary_key;
957 delete_one_key(st,&st->auxiliary_key,"peer has used new key",
958 "previous key",LOG_SEC);
959 st->auxiliary_is_new=0;
960 st->renegotiate_key_time=st->auxiliary_renegotiate_key_time;
967 if (st->state==SITE_SENTMSG5) {
968 buffer_copy(msg0, &st->scratch);
969 problem = call_transform_reverse(st,st->new_transform,
972 /* It looks like we didn't get the peer's MSG6 */
973 /* This is like a cut-down enter_new_state(SITE_RUN) */
974 slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)");
975 BUF_FREE(&st->buffer);
977 activate_new_key(st);
978 return True; /* do process the data in this packet */
984 slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)",
985 transform_err,auxkey_err,newkey_err);
986 initiate_key_setup(st,"incoming message would not decrypt");
987 send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt");
991 slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err);
995 static bool_t process_msg0(struct site *st, struct buffer_if *msg0,
996 const struct comm_addr *src)
1000 if (!decrypt_msg0(st,msg0,src))
1003 CHECK_AVAIL(msg0,4);
1004 type=buf_unprepend_uint32(msg0);
1007 /* We must forget about the current session. */
1008 delete_keys(st,"request from peer",LOG_SEC);
1011 /* Deliver to netlink layer */
1012 st->netlink->deliver(st->netlink->st,msg0);
1013 transport_data_msgok(st,src);
1014 /* See whether we should start negotiating a new key */
1015 if (st->now > st->renegotiate_key_time)
1016 initiate_key_setup(st,"incoming packet in renegotiation window");
1019 slog(st,LOG_SEC,"incoming encrypted message of type %08x "
1026 static void dump_packet(struct site *st, struct buffer_if *buf,
1027 const struct comm_addr *addr, bool_t incoming)
1029 uint32_t dest=get_uint32(buf->start);
1030 uint32_t source=get_uint32(buf->start+4);
1031 uint32_t msgtype=get_uint32(buf->start+8);
1033 if (st->log_events & LOG_DUMP)
1034 slilog(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x:",
1035 st->tunname,incoming?"incoming":"outgoing",
1036 dest,source,msgtype);
1039 static uint32_t site_status(void *st)
1044 static bool_t send_msg(struct site *st)
1046 if (st->retries>0) {
1047 transport_xmit(st, &st->setup_peers, &st->buffer, True);
1048 st->timeout=st->now+st->setup_retry_interval;
1051 } else if (st->state==SITE_SENTMSG5) {
1052 slog(st,LOG_SETUP_TIMEOUT,"timed out sending MSG5, stashing new key");
1053 /* We stash the key we have produced, in case it turns out that
1054 * our peer did see our MSG5 after all and starts using it. */
1055 /* This is a bit like some of activate_new_key */
1056 struct transform_inst_if *t;
1057 t=st->auxiliary_key.transform;
1058 st->auxiliary_key.transform=st->new_transform;
1059 st->new_transform=t;
1060 dispose_transform(&st->new_transform);
1062 st->auxiliary_is_new=1;
1063 st->auxiliary_key.key_timeout=st->now+st->key_lifetime;
1064 st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time;
1065 st->auxiliary_key.remote_session_id=st->setup_session_id;
1067 enter_state_wait(st);
1070 slog(st,LOG_SETUP_TIMEOUT,"timed out sending key setup packet "
1071 "(in state %s)",state_name(st->state));
1072 enter_state_wait(st);
1077 static void site_resolve_callback(void *sst, struct in_addr *address)
1079 struct site *st=sst;
1080 struct comm_addr ca_buf, *ca_use;
1082 if (st->state!=SITE_RESOLVE) {
1083 slog(st,LOG_UNEXPECTED,"site_resolve_callback called unexpectedly");
1088 ca_buf.comm=st->comms[0];
1089 ca_buf.sin.sin_family=AF_INET;
1090 ca_buf.sin.sin_port=htons(st->remoteport);
1091 ca_buf.sin.sin_addr=*address;
1094 slog(st,LOG_ERROR,"resolution of %s failed",st->address);
1097 if (transport_compute_setupinit_peers(st,ca_use)) {
1098 enter_new_state(st,SITE_SENTMSG1);
1100 /* Can't figure out who to try to to talk to */
1101 slog(st,LOG_SETUP_INIT,"key exchange failed: cannot find peer address");
1102 enter_state_run(st);
1106 static bool_t initiate_key_setup(struct site *st, cstring_t reason)
1108 if (st->state!=SITE_RUN) return False;
1109 slog(st,LOG_SETUP_INIT,"initiating key exchange (%s)",reason);
1111 slog(st,LOG_SETUP_INIT,"resolving peer address");
1112 return enter_state_resolve(st);
1113 } else if (transport_compute_setupinit_peers(st,0)) {
1114 return enter_new_state(st,SITE_SENTMSG1);
1116 slog(st,LOG_SETUP_INIT,"key exchange failed: no address for peer");
1120 static void activate_new_key(struct site *st)
1122 struct transform_inst_if *t;
1124 /* We have three transform instances, which we swap between old,
1126 t=st->auxiliary_key.transform;
1127 st->auxiliary_key.transform=st->current.transform;
1128 st->current.transform=st->new_transform;
1129 st->new_transform=t;
1130 dispose_transform(&st->new_transform);
1133 st->auxiliary_is_new=0;
1134 st->auxiliary_key.key_timeout=st->current.key_timeout;
1135 st->current.key_timeout=st->now+st->key_lifetime;
1136 st->renegotiate_key_time=st->now+st->key_renegotiate_time;
1137 transport_peers_copy(st,&st->peers,&st->setup_peers);
1138 st->current.remote_session_id=st->setup_session_id;
1140 slog(st,LOG_ACTIVATE_KEY,"new key activated");
1141 enter_state_run(st);
1144 static void delete_one_key(struct site *st, struct data_key *key,
1145 cstring_t reason, cstring_t which, uint32_t loglevel)
1147 if (!is_transform_valid(key->transform)) return;
1148 if (reason) slog(st,loglevel,"%s deleted (%s)",which,reason);
1149 dispose_transform(&key->transform);
1153 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel)
1155 if (current_valid(st)) {
1156 slog(st,loglevel,"session closed (%s)",reason);
1158 delete_one_key(st,&st->current,0,0,0);
1159 set_link_quality(st);
1161 delete_one_key(st,&st->auxiliary_key,0,0,0);
1164 static void state_assert(struct site *st, bool_t ok)
1166 if (!ok) fatal("site:state_assert");
1169 static void enter_state_stop(struct site *st)
1171 st->state=SITE_STOP;
1173 delete_keys(st,"entering state STOP",LOG_TIMEOUT_KEY);
1174 dispose_transform(&st->new_transform);
1177 static void set_link_quality(struct site *st)
1180 if (current_valid(st))
1181 quality=LINK_QUALITY_UP;
1182 else if (st->state==SITE_WAIT || st->state==SITE_STOP)
1183 quality=LINK_QUALITY_DOWN;
1184 else if (st->address)
1185 quality=LINK_QUALITY_DOWN_CURRENT_ADDRESS;
1186 else if (transport_peers_valid(&st->peers))
1187 quality=LINK_QUALITY_DOWN_STALE_ADDRESS;
1189 quality=LINK_QUALITY_DOWN;
1191 st->netlink->set_quality(st->netlink->st,quality);
1194 static void enter_state_run(struct site *st)
1196 slog(st,LOG_STATE,"entering state RUN");
1200 st->setup_session_id=0;
1201 transport_peers_clear(st,&st->setup_peers);
1202 memset(st->localN,0,NONCELEN);
1203 memset(st->remoteN,0,NONCELEN);
1204 dispose_transform(&st->new_transform);
1205 memset(st->dhsecret,0,st->dh->len);
1206 memset(st->sharedsecret,0,st->sharedsecretlen);
1207 set_link_quality(st);
1210 static bool_t enter_state_resolve(struct site *st)
1212 state_assert(st,st->state==SITE_RUN);
1213 slog(st,LOG_STATE,"entering state RESOLVE");
1214 st->state=SITE_RESOLVE;
1215 st->resolver->request(st->resolver->st,st->address,
1216 site_resolve_callback,st);
1220 static bool_t enter_new_state(struct site *st, uint32_t next)
1222 bool_t (*gen)(struct site *st);
1225 slog(st,LOG_STATE,"entering state %s",state_name(next));
1228 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE);
1232 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1233 st->state==SITE_SENTMSG1 || st->state==SITE_WAIT);
1237 state_assert(st,st->state==SITE_SENTMSG1);
1238 BUF_FREE(&st->buffer);
1242 state_assert(st,st->state==SITE_SENTMSG2);
1243 BUF_FREE(&st->buffer);
1247 state_assert(st,st->state==SITE_SENTMSG3);
1248 BUF_FREE(&st->buffer);
1252 state_assert(st,st->state==SITE_SENTMSG4);
1253 BUF_FREE(&st->buffer);
1258 fatal("enter_new_state(%s): invalid new state",state_name(next));
1262 if (hacky_par_start_failnow()) return False;
1264 r= gen(st) && send_msg(st);
1267 st->setup_retries, st->setup_retry_interval,
1272 if (next==SITE_RUN) {
1273 BUF_FREE(&st->buffer); /* Never reused */
1274 st->timeout=0; /* Never retransmit */
1275 activate_new_key(st);
1279 slog(st,LOG_ERROR,"error entering state %s",state_name(next));
1280 st->buffer.free=False; /* Unconditionally use the buffer; it may be
1281 in either state, and enter_state_wait() will
1283 enter_state_wait(st);
1287 /* msg7 tells our peer that we're about to forget our key */
1288 static bool_t send_msg7(struct site *st, cstring_t reason)
1290 cstring_t transform_err;
1292 if (current_valid(st) && st->buffer.free
1293 && transport_peers_valid(&st->peers)) {
1294 BUF_ALLOC(&st->buffer,"site:MSG7");
1295 buffer_init(&st->buffer,st->current.transform->max_start_pad+(4*3));
1296 buf_append_uint32(&st->buffer,LABEL_MSG7);
1297 buf_append_string(&st->buffer,reason);
1298 if (call_transform_forwards(st, st->current.transform,
1299 &st->buffer, &transform_err))
1301 buf_prepend_uint32(&st->buffer,LABEL_MSG0);
1302 buf_prepend_uint32(&st->buffer,st->index);
1303 buf_prepend_uint32(&st->buffer,st->current.remote_session_id);
1304 transport_xmit(st,&st->peers,&st->buffer,True);
1305 BUF_FREE(&st->buffer);
1312 /* We go into this state if our peer becomes uncommunicative. Similar to
1313 the "stop" state, we forget all session keys for a while, before
1314 re-entering the "run" state. */
1315 static void enter_state_wait(struct site *st)
1317 slog(st,LOG_STATE,"entering state WAIT");
1318 st->timeout=st->now+st->wait_timeout;
1319 st->state=SITE_WAIT;
1320 set_link_quality(st);
1321 BUF_FREE(&st->buffer); /* will have had an outgoing packet in it */
1322 /* XXX Erase keys etc. */
1325 static inline void site_settimeout(uint64_t timeout, int *timeout_io)
1328 int64_t offset=timeout-*now;
1329 if (offset<0) offset=0;
1330 if (offset>INT_MAX) offset=INT_MAX;
1331 if (*timeout_io<0 || offset<*timeout_io)
1336 static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io,
1339 struct site *st=sst;
1341 *nfds_io=0; /* We don't use any file descriptors */
1344 /* Work out when our next timeout is. The earlier of 'timeout' or
1345 'current.key_timeout'. A stored value of '0' indicates no timeout
1347 site_settimeout(st->timeout, timeout_io);
1348 site_settimeout(st->current.key_timeout, timeout_io);
1349 site_settimeout(st->auxiliary_key.key_timeout, timeout_io);
1351 return 0; /* success */
1354 static void check_expiry(struct site *st, struct data_key *key,
1357 if (key->key_timeout && *now>key->key_timeout) {
1358 delete_one_key(st,key,"maximum life exceeded",which,LOG_TIMEOUT_KEY);
1362 /* NB site_afterpoll will be called before site_beforepoll is ever called */
1363 static void site_afterpoll(void *sst, struct pollfd *fds, int nfds)
1365 struct site *st=sst;
1368 if (st->timeout && *now>st->timeout) {
1370 if (st->state>=SITE_SENTMSG1 && st->state<=SITE_SENTMSG5) {
1371 if (!hacky_par_start_failnow())
1373 } else if (st->state==SITE_WAIT) {
1374 enter_state_run(st);
1376 slog(st,LOG_ERROR,"site_afterpoll: unexpected timeout, state=%d",
1380 check_expiry(st,&st->current,"current key");
1381 check_expiry(st,&st->auxiliary_key,"auxiliary key");
1384 /* This function is called by the netlink device to deliver packets
1385 intended for the remote network. The packet is in "raw" wire
1386 format, but is guaranteed to be word-aligned. */
1387 static void site_outgoing(void *sst, struct buffer_if *buf)
1389 struct site *st=sst;
1390 cstring_t transform_err;
1392 if (st->state==SITE_STOP) {
1397 /* In all other states we consider delivering the packet if we have
1398 a valid key and a valid address to send it to. */
1399 if (current_valid(st) && transport_peers_valid(&st->peers)) {
1400 /* Transform it and send it */
1402 buf_prepend_uint32(buf,LABEL_MSG9);
1403 if (call_transform_forwards(st, st->current.transform,
1404 buf, &transform_err))
1406 buf_prepend_uint32(buf,LABEL_MSG0);
1407 buf_prepend_uint32(buf,st->index);
1408 buf_prepend_uint32(buf,st->current.remote_session_id);
1409 transport_xmit(st,&st->peers,buf,False);
1416 slog(st,LOG_DROP,"discarding outgoing packet of size %d",buf->size);
1418 initiate_key_setup(st,"outgoing packet");
1421 static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in,
1422 uint32_t type, struct msg *m)
1423 /* For packets which are identified by the local and remote names.
1424 * If it has our name and our peer's name in it it's for us. */
1426 struct buffer_if buf[1];
1427 buffer_readonly_clone(buf,buf_in);
1428 return unpick_msg(st,type,buf,m)
1429 && name_matches(&m->remote,st->remotename)
1430 && name_matches(&m->local,st->localname);
1433 /* This function is called by the communication device to deliver
1434 packets from our peers. */
1435 static bool_t site_incoming(void *sst, struct buffer_if *buf,
1436 const struct comm_addr *source)
1438 struct site *st=sst;
1440 if (buf->size < 12) return False;
1442 uint32_t dest=get_uint32(buf->start);
1443 uint32_t msgtype=get_uint32(buf->start+8);
1444 struct msg named_msg;
1446 if (msgtype==LABEL_MSG1) {
1447 if (!named_for_us(st,buf,msgtype,&named_msg))
1449 /* It's a MSG1 addressed to us. Decide what to do about it. */
1450 dump_packet(st,buf,source,True);
1451 if (st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1452 st->state==SITE_WAIT) {
1453 /* We should definitely process it */
1454 if (process_msg1(st,buf,source,&named_msg)) {
1455 slog(st,LOG_SETUP_INIT,"key setup initiated by peer");
1456 enter_new_state(st,SITE_SENTMSG2);
1458 slog(st,LOG_ERROR,"failed to process incoming msg1");
1462 } else if (st->state==SITE_SENTMSG1) {
1463 /* We've just sent a message 1! They may have crossed on
1464 the wire. If we have priority then we ignore the
1465 incoming one, otherwise we process it as usual. */
1466 if (st->setup_priority) {
1468 slog(st,LOG_DUMP,"crossed msg1s; we are higher "
1469 "priority => ignore incoming msg1");
1472 slog(st,LOG_DUMP,"crossed msg1s; we are lower "
1473 "priority => use incoming msg1");
1474 if (process_msg1(st,buf,source,&named_msg)) {
1475 BUF_FREE(&st->buffer); /* Free our old message 1 */
1476 enter_new_state(st,SITE_SENTMSG2);
1478 slog(st,LOG_ERROR,"failed to process an incoming "
1479 "crossed msg1 (we have low priority)");
1485 /* The message 1 was received at an unexpected stage of the
1486 key setup. XXX POLICY - what do we do? */
1487 slog(st,LOG_UNEXPECTED,"unexpected incoming message 1");
1491 if (dest==st->index) {
1492 /* Explicitly addressed to us */
1493 if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True);
1496 /* If the source is our current peer then initiate a key setup,
1497 because our peer's forgotten the key */
1498 if (get_uint32(buf->start+4)==st->current.remote_session_id) {
1499 initiate_key_setup(st,"received a NAK");
1501 slog(st,LOG_SEC,"bad incoming NAK");
1505 process_msg0(st,buf,source);
1508 /* Setup packet: should not have been explicitly addressed
1510 slog(st,LOG_SEC,"incoming explicitly addressed msg1");
1513 /* Setup packet: expected only in state SENTMSG1 */
1514 if (st->state!=SITE_SENTMSG1) {
1515 slog(st,LOG_UNEXPECTED,"unexpected MSG2");
1516 } else if (process_msg2(st,buf,source)) {
1517 transport_setup_msgok(st,source);
1518 enter_new_state(st,SITE_SENTMSG3);
1520 slog(st,LOG_SEC,"invalid MSG2");
1525 /* Setup packet: expected only in state SENTMSG2 */
1526 if (st->state!=SITE_SENTMSG2) {
1527 slog(st,LOG_UNEXPECTED,"unexpected MSG3");
1528 } else if (process_msg3(st,buf,source,msgtype)) {
1529 transport_setup_msgok(st,source);
1530 enter_new_state(st,SITE_SENTMSG4);
1532 slog(st,LOG_SEC,"invalid MSG3");
1536 /* Setup packet: expected only in state SENTMSG3 */
1537 if (st->state!=SITE_SENTMSG3) {
1538 slog(st,LOG_UNEXPECTED,"unexpected MSG4");
1539 } else if (process_msg4(st,buf,source)) {
1540 transport_setup_msgok(st,source);
1541 enter_new_state(st,SITE_SENTMSG5);
1543 slog(st,LOG_SEC,"invalid MSG4");
1547 /* Setup packet: expected only in state SENTMSG4 */
1548 /* (may turn up in state RUN if our return MSG6 was lost
1549 and the new key has already been activated. In that
1550 case we discard it. The peer will realise that we
1551 are using the new key when they see our data packets.
1552 Until then the peer's data packets to us get discarded. */
1553 if (st->state==SITE_SENTMSG4) {
1554 if (process_msg5(st,buf,source,st->new_transform)) {
1555 transport_setup_msgok(st,source);
1556 enter_new_state(st,SITE_RUN);
1558 slog(st,LOG_SEC,"invalid MSG5");
1560 } else if (st->state==SITE_RUN) {
1561 if (process_msg5(st,buf,source,st->current.transform)) {
1562 slog(st,LOG_DROP,"got MSG5, retransmitting MSG6");
1563 transport_setup_msgok(st,source);
1564 create_msg6(st,st->current.transform,
1565 st->current.remote_session_id);
1566 transport_xmit(st,&st->peers,&st->buffer,True);
1567 BUF_FREE(&st->buffer);
1569 slog(st,LOG_SEC,"invalid MSG5 (in state RUN)");
1572 slog(st,LOG_UNEXPECTED,"unexpected MSG5");
1576 /* Setup packet: expected only in state SENTMSG5 */
1577 if (st->state!=SITE_SENTMSG5) {
1578 slog(st,LOG_UNEXPECTED,"unexpected MSG6");
1579 } else if (process_msg6(st,buf,source)) {
1580 BUF_FREE(&st->buffer); /* Free message 5 */
1581 transport_setup_msgok(st,source);
1582 activate_new_key(st);
1584 slog(st,LOG_SEC,"invalid MSG6");
1588 slog(st,LOG_SEC,"received message of unknown type 0x%08x",
1599 static void site_control(void *vst, bool_t run)
1601 struct site *st=vst;
1602 if (run) enter_state_run(st);
1603 else enter_state_stop(st);
1606 static void site_phase_hook(void *sst, uint32_t newphase)
1608 struct site *st=sst;
1610 /* The program is shutting down; tell our peer */
1611 send_msg7(st,"shutting down");
1614 static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
1617 static uint32_t index_sequence;
1623 st=safe_malloc(sizeof(*st),"site_apply");
1625 st->cl.description="site";
1626 st->cl.type=CL_SITE;
1628 st->cl.interface=&st->ops;
1630 st->ops.control=site_control;
1631 st->ops.status=site_status;
1633 /* First parameter must be a dict */
1634 item=list_elem(args,0);
1635 if (!item || item->type!=t_dict)
1636 cfgfatal(loc,"site","parameter must be a dictionary\n");
1638 dict=item->data.dict;
1639 st->localname=dict_read_string(dict, "local-name", True, "site", loc);
1640 st->remotename=dict_read_string(dict, "name", True, "site", loc);
1642 st->peer_mobile=dict_read_bool(dict,"mobile",False,"site",loc,False);
1643 bool_t local_mobile=
1644 dict_read_bool(dict,"local-mobile",False,"site",loc,False);
1646 /* Sanity check (which also allows the 'sites' file to include
1647 site() closures for all sites including our own): refuse to
1648 talk to ourselves */
1649 if (strcmp(st->localname,st->remotename)==0) {
1650 Message(M_DEBUG,"site %s: local-name==name -> ignoring this site\n",
1652 if (st->peer_mobile != local_mobile)
1653 cfgfatal(loc,"site","site %s's peer-mobile=%d"
1654 " but our local-mobile=%d\n",
1655 st->localname, st->peer_mobile, local_mobile);
1659 if (st->peer_mobile && local_mobile) {
1660 Message(M_WARNING,"site %s: site is mobile but so are we"
1661 " -> ignoring this site\n", st->remotename);
1666 assert(index_sequence < 0xffffffffUL);
1667 st->index = ++index_sequence;
1668 st->local_capabilities = 0;
1669 st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc);
1671 #define GET_CLOSURE_LIST(dictkey,things,nthings,CL_TYPE) do{ \
1672 list_t *things##_cfg=dict_lookup(dict,dictkey); \
1673 if (!things##_cfg) \
1674 cfgfatal(loc,"site","closure list \"%s\" not found\n",dictkey); \
1675 st->nthings=list_length(things##_cfg); \
1676 st->things=safe_malloc_ary(sizeof(*st->things),st->nthings,dictkey "s"); \
1677 assert(st->nthings); \
1678 for (i=0; i<st->nthings; i++) { \
1679 item_t *item=list_elem(things##_cfg,i); \
1680 if (item->type!=t_closure) \
1681 cfgfatal(loc,"site","%s is not a closure\n",dictkey); \
1682 closure_t *cl=item->data.closure; \
1683 if (cl->type!=CL_TYPE) \
1684 cfgfatal(loc,"site","%s closure wrong type\n",dictkey); \
1685 st->things[i]=cl->interface; \
1689 GET_CLOSURE_LIST("comm",comms,ncomms,CL_COMM);
1691 st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc);
1692 st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc);
1693 st->random=find_cl_if(dict,"random",CL_RANDOMSRC,True,"site",loc);
1695 st->privkey=find_cl_if(dict,"local-key",CL_RSAPRIVKEY,True,"site",loc);
1696 st->address=dict_read_string(dict, "address", False, "site", loc);
1698 st->remoteport=dict_read_number(dict,"port",True,"site",loc,0);
1699 else st->remoteport=0;
1700 st->pubkey=find_cl_if(dict,"key",CL_RSAPUBKEY,True,"site",loc);
1702 GET_CLOSURE_LIST("transform",transforms,ntransforms,CL_TRANSFORM);
1704 st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
1705 st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
1707 #define DEFAULT(D) (st->peer_mobile || local_mobile \
1708 ? DEFAULT_MOBILE_##D : DEFAULT_##D)
1709 #define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
1711 st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
1712 st->setup_retries= CFG_NUMBER("setup-retries", SETUP_RETRIES);
1713 st->setup_retry_interval= CFG_NUMBER("setup-timeout", SETUP_RETRY_INTERVAL);
1714 st->wait_timeout= CFG_NUMBER("wait-time", WAIT_TIME);
1716 st->mobile_peer_expiry= dict_read_number(
1717 dict,"mobile-peer-expiry",False,"site",loc,DEFAULT_MOBILE_PEER_EXPIRY);
1719 st->transport_peers_max= !st->peer_mobile ? 1 : dict_read_number(
1720 dict,"mobile-peers-max",False,"site",loc,DEFAULT_MOBILE_PEERS_MAX);
1721 if (st->transport_peers_max<1 ||
1722 st->transport_peers_max>=MAX_MOBILE_PEERS_MAX) {
1723 cfgfatal(loc,"site","mobile-peers-max must be in range 1.."
1724 STRING(MAX_MOBILE_PEERS_MAX) "\n");
1727 if (st->key_lifetime < DEFAULT(KEY_RENEGOTIATE_GAP)*2)
1728 st->key_renegotiate_time=st->key_lifetime/2;
1730 st->key_renegotiate_time=st->key_lifetime-DEFAULT(KEY_RENEGOTIATE_GAP);
1731 st->key_renegotiate_time=dict_read_number(
1732 dict,"renegotiate-time",False,"site",loc,st->key_renegotiate_time);
1733 if (st->key_renegotiate_time > st->key_lifetime) {
1734 cfgfatal(loc,"site",
1735 "renegotiate-time must be less than key-lifetime\n");
1738 st->log_events=string_list_to_word(dict_lookup(dict,"log-events"),
1739 log_event_table,"site");
1741 st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5,
1743 sprintf(st->tunname,"%s<->%s",st->localname,st->remotename);
1745 /* The information we expect to see in incoming messages of type 1 */
1746 /* fixme: lots of unchecked overflows here, but the results are only
1747 corrupted packets rather than undefined behaviour */
1748 st->setup_priority=(strcmp(st->localname,st->remotename)>0);
1750 buffer_new(&st->buffer,SETUP_BUFFER_LEN);
1752 buffer_new(&st->scratch,0);
1753 BUF_ALLOC(&st->scratch,"site:scratch");
1755 /* We are interested in poll(), but only for timeouts. We don't have
1756 any fds of our own. */
1757 register_for_poll(st, site_beforepoll, site_afterpoll, 0, "site");
1760 st->remote_capabilities=0;
1761 st->chosen_transform=0;
1762 st->current.key_timeout=0;
1763 st->auxiliary_key.key_timeout=0;
1764 transport_peers_clear(st,&st->peers);
1765 transport_peers_clear(st,&st->setup_peers);
1766 /* XXX mlock these */
1767 st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret");
1768 st->sharedsecretlen=st->sharedsecretallocd=0;
1771 /* We need to compute some properties of our comms and transports */
1772 #define COMPUTE_WORST(things,pad) \
1773 int things##_worst_##pad=0; \
1774 for (i=0; i<st->n##things; i++) { \
1775 int thispad=st->things[i]->pad; \
1776 if (thispad > things##_worst_##pad) \
1777 things##_worst_##pad=thispad; \
1779 COMPUTE_WORST(comms,min_start_pad)
1780 COMPUTE_WORST(transforms,max_start_pad)
1782 for (i=0; i<st->ntransforms; i++) {
1783 struct transform_if *ti=st->transforms[i];
1784 uint32_t capbit = 1UL << ti->capab_transformnum;
1785 if (st->local_capabilities & capbit)
1786 slog(st,LOG_ERROR,"transformnum capability bit"
1787 " %d (%#"PRIx32") reused", ti->capab_transformnum, capbit);
1788 st->local_capabilities |= capbit;
1791 /* We need to register the remote networks with the netlink device */
1792 st->netlink->reg(st->netlink->st, site_outgoing, st,
1793 transforms_worst_max_start_pad+(4*4)+
1794 comms_worst_min_start_pad);
1796 for (i=0; i<st->ncomms; i++)
1797 st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming);
1799 st->current.transform=0;
1800 st->auxiliary_key.transform=0;
1801 st->new_transform=0;
1802 st->auxiliary_is_new=0;
1804 enter_state_stop(st);
1806 add_hook(PHASE_SHUTDOWN,site_phase_hook,st);
1808 return new_closure(&st->cl);
1811 void site_module(dict_t *dict)
1813 add_closure(dict,"site",site_apply);
1817 /***** TRANSPORT PEERS definitions *****/
1819 static void transport_peers_debug(struct site *st, transport_peers *dst,
1820 const char *didwhat,
1821 int nargs, const struct comm_addr *args,
1826 if (!(st->log_events & LOG_PEER_ADDRS))
1827 return; /* an optimisation */
1829 slog(st, LOG_PEER_ADDRS, "peers (%s) %s nargs=%d => npeers=%d",
1830 (dst==&st->peers ? "data" :
1831 dst==&st->setup_peers ? "setup" : "UNKNOWN"),
1832 didwhat, nargs, dst->npeers);
1834 for (i=0, argp=(void*)args;
1836 i++, (argp+=stride?stride:sizeof(*args))) {
1837 const struct comm_addr *ca=(void*)argp;
1838 slog(st, LOG_PEER_ADDRS, " args: addrs[%d]=%s",
1839 i, ca->comm->addr_to_string(ca->comm->st,ca));
1841 for (i=0; i<dst->npeers; i++) {
1842 struct timeval diff;
1843 timersub(tv_now,&dst->peers[i].last,&diff);
1844 const struct comm_addr *ca=&dst->peers[i].addr;
1845 slog(st, LOG_PEER_ADDRS, " peers: addrs[%d]=%s T-%ld.%06ld",
1846 i, ca->comm->addr_to_string(ca->comm->st,ca),
1847 (unsigned long)diff.tv_sec, (unsigned long)diff.tv_usec);
1851 static int transport_peer_compar(const void *av, const void *bv) {
1852 const transport_peer *a=av;
1853 const transport_peer *b=bv;
1854 /* put most recent first in the array */
1855 if (timercmp(&a->last, &b->last, <)) return +1;
1856 if (timercmp(&a->last, &b->last, >)) return -11;
1860 static void transport_peers_expire(struct site *st, transport_peers *peers) {
1861 /* peers must be sorted first */
1862 int previous_peers=peers->npeers;
1863 struct timeval oldest;
1864 oldest.tv_sec = tv_now->tv_sec - st->mobile_peer_expiry;
1865 oldest.tv_usec = tv_now->tv_usec;
1866 while (peers->npeers>1 &&
1867 timercmp(&peers->peers[peers->npeers-1].last, &oldest, <))
1869 if (peers->npeers != previous_peers)
1870 transport_peers_debug(st,peers,"expire", 0,0,0);
1873 static void transport_record_peer(struct site *st, transport_peers *peers,
1874 const struct comm_addr *addr, const char *m) {
1875 int slot, changed=0;
1877 for (slot=0; slot<peers->npeers; slot++)
1878 if (!memcmp(&peers->peers[slot].addr, addr, sizeof(*addr)))
1882 if (peers->npeers==st->transport_peers_max)
1883 slot=st->transport_peers_max;
1885 slot=peers->npeers++;
1888 peers->peers[slot].addr=*addr;
1889 peers->peers[slot].last=*tv_now;
1891 if (peers->npeers>1)
1892 qsort(peers->peers, peers->npeers,
1893 sizeof(*peers->peers), transport_peer_compar);
1895 if (changed || peers->npeers!=1)
1896 transport_peers_debug(st,peers,m, 1,addr,0);
1897 transport_peers_expire(st, peers);
1900 static bool_t transport_compute_setupinit_peers(struct site *st,
1901 const struct comm_addr *configured_addr /* 0 if none or not found */) {
1903 if (!configured_addr && !transport_peers_valid(&st->peers))
1906 slog(st,LOG_SETUP_INIT,
1907 (!configured_addr ? "using only %d old peer address(es)"
1908 : "using configured address, and/or perhaps %d old peer address(es)"),
1911 /* Non-mobile peers havve st->peers.npeers==0 or ==1, since they
1912 * have transport_peers_max==1. The effect is that this code
1913 * always uses the configured address if supplied, or otherwise
1914 * the existing data peer if one exists; this is as desired. */
1916 transport_peers_copy(st,&st->setup_peers,&st->peers);
1918 if (configured_addr)
1919 transport_record_peer(st,&st->setup_peers,configured_addr,"setupinit");
1921 assert(transport_peers_valid(&st->setup_peers));
1925 static void transport_setup_msgok(struct site *st, const struct comm_addr *a) {
1926 if (st->peer_mobile)
1927 transport_record_peer(st,&st->setup_peers,a,"setupmsg");
1929 static void transport_data_msgok(struct site *st, const struct comm_addr *a) {
1930 if (st->peer_mobile)
1931 transport_record_peer(st,&st->peers,a,"datamsg");
1934 static int transport_peers_valid(transport_peers *peers) {
1935 return peers->npeers;
1937 static void transport_peers_clear(struct site *st, transport_peers *peers) {
1939 transport_peers_debug(st,peers,"clear",0,0,0);
1941 static void transport_peers_copy(struct site *st, transport_peers *dst,
1942 const transport_peers *src) {
1943 dst->npeers=src->npeers;
1944 memcpy(dst->peers, src->peers, sizeof(*dst->peers) * dst->npeers);
1945 transport_peers_debug(st,dst,"copy",
1946 src->npeers, &src->peers->addr, sizeof(*src->peers));
1949 void transport_xmit(struct site *st, transport_peers *peers,
1950 struct buffer_if *buf, bool_t candebug) {
1952 transport_peers_expire(st, peers);
1953 for (slot=0; slot<peers->npeers; slot++) {
1954 transport_peer *peer=&peers->peers[slot];
1956 dump_packet(st, buf, &peer->addr, False);
1957 peer->addr.comm->sendmsg(peer->addr.comm->st, buf, &peer->addr);
1961 /***** END of transport peers declarations *****/
~ian / secnet.git / blob