1 /* site.c - manage communication with a remote network site */
3 /* The 'site' code doesn't know anything about the structure of the
4 packets it's transmitting. In fact, under the new netlink
5 configuration scheme it doesn't need to know anything at all about
6 IP addresses, except how to contact its peer. This means it could
7 potentially be used to tunnel other protocols too (IPv6, IPX, plain
8 old Ethernet frames) if appropriate netlink code can be written
9 (and that ought not to be too hard, eg. using the TUN/TAP device to
10 pretend to be an Ethernet interface). */
12 /* At some point in the future the netlink code will be asked for
13 configuration information to go in the PING/PONG packets at the end
14 of the key exchange. */
21 #include <sys/socket.h>
25 #include "unaligned.h"
28 #define SETUP_BUFFER_LEN 2048
30 #define DEFAULT_KEY_LIFETIME (3600*1000) /* [ms] */
31 #define DEFAULT_KEY_RENEGOTIATE_GAP (5*60*1000) /* [ms] */
32 #define DEFAULT_SETUP_RETRIES 5
33 #define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
34 #define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
36 #define DEFAULT_MOBILE_KEY_LIFETIME (2*24*3600*1000) /* [ms] */
37 #define DEFAULT_MOBILE_KEY_RENEGOTIATE_GAP (12*3600*1000) /* [ms] */
38 #define DEFAULT_MOBILE_SETUP_RETRIES 30
39 #define DEFAULT_MOBILE_SETUP_RETRY_INTERVAL (1*1000) /* [ms] */
40 #define DEFAULT_MOBILE_WAIT_TIME (10*1000) /* [ms] */
42 #define DEFAULT_MOBILE_PEER_EXPIRY (2*60) /* [s] */
43 #define DEFAULT_MOBILE_PEERS_MAX 3 /* send at most this many copies (default) */
45 /* Each site can be in one of several possible states. */
48 SITE_STOP - nothing is allowed to happen; tunnel is down;
49 all session keys have been erased
50 -> SITE_RUN upon external instruction
51 SITE_RUN - site up, maybe with valid key
52 -> SITE_RESOLVE upon outgoing packet and no valid key
53 we start name resolution for the other end of the tunnel
54 -> SITE_SENTMSG2 upon valid incoming message 1 and suitable time
55 we send an appropriate message 2
56 SITE_RESOLVE - waiting for name resolution
57 -> SITE_SENTMSG1 upon successful resolution
58 we send an appropriate message 1
59 -> SITE_SENTMSG2 upon valid incoming message 1 (then abort resolution)
60 we abort resolution and
61 -> SITE_WAIT on timeout or resolution failure
63 -> SITE_SENTMSG2 upon valid incoming message 1 from higher priority end
64 -> SITE_SENTMSG3 upon valid incoming message 2
65 -> SITE_WAIT on timeout
67 -> SITE_SENTMSG4 upon valid incoming message 3
68 -> SITE_WAIT on timeout
70 -> SITE_SENTMSG5 upon valid incoming message 4
71 -> SITE_WAIT on timeout
73 -> SITE_RUN upon valid incoming message 5
74 -> SITE_WAIT on timeout
76 -> SITE_RUN upon valid incoming message 6
77 -> SITE_WAIT on timeout
78 SITE_WAIT - failed to establish key; do nothing for a while
79 -> SITE_RUN on timeout
84 #define SITE_RESOLVE 2
85 #define SITE_SENTMSG1 3
86 #define SITE_SENTMSG2 4
87 #define SITE_SENTMSG3 5
88 #define SITE_SENTMSG4 6
89 #define SITE_SENTMSG5 7
92 int32_t site_max_start_pad = 4*4;
94 static cstring_t state_name(uint32_t state)
97 case 0: return "STOP";
99 case 2: return "RESOLVE";
100 case 3: return "SENTMSG1";
101 case 4: return "SENTMSG2";
102 case 5: return "SENTMSG3";
103 case 6: return "SENTMSG4";
104 case 7: return "SENTMSG5";
105 case 8: return "WAIT";
106 default: return "*bad state*";
112 #define LOG_UNEXPECTED 0x00000001
113 #define LOG_SETUP_INIT 0x00000002
114 #define LOG_SETUP_TIMEOUT 0x00000004
115 #define LOG_ACTIVATE_KEY 0x00000008
116 #define LOG_TIMEOUT_KEY 0x00000010
117 #define LOG_SEC 0x00000020
118 #define LOG_STATE 0x00000040
119 #define LOG_DROP 0x00000080
120 #define LOG_DUMP 0x00000100
121 #define LOG_ERROR 0x00000400
122 #define LOG_PEER_ADDRS 0x00000800
124 static struct flagstr log_event_table[]={
125 { "unexpected", LOG_UNEXPECTED },
126 { "setup-init", LOG_SETUP_INIT },
127 { "setup-timeout", LOG_SETUP_TIMEOUT },
128 { "activate-key", LOG_ACTIVATE_KEY },
129 { "timeout-key", LOG_TIMEOUT_KEY },
130 { "security", LOG_SEC },
131 { "state-change", LOG_STATE },
132 { "packet-drop", LOG_DROP },
133 { "dump-packets", LOG_DUMP },
134 { "errors", LOG_ERROR },
135 { "peer-addrs", LOG_PEER_ADDRS },
136 { "default", LOG_SETUP_INIT|LOG_SETUP_TIMEOUT|
137 LOG_ACTIVATE_KEY|LOG_TIMEOUT_KEY|LOG_SEC|LOG_ERROR },
138 { "all", 0xffffffff },
143 /***** TRANSPORT PEERS declarations *****/
145 /* Details of "mobile peer" semantics:
147 - We record mobile_peers_max peer address/port numbers ("peers")
148 for key setup, and separately mobile_peers_max for data
149 transfer. If these lists fill up, we retain the newest peers.
150 (For non-mobile peers we only record one of each.)
152 - Outgoing packets are sent to every recorded peer in the
155 - Data transfer peers are straightforward: whenever we successfully
156 process a data packet, we record the peer. Also, whenever we
157 successfully complete a key setup, we merge the key setup
158 peers into the data transfer peers.
160 (For "non-mobile" peers we simply copy the peer used for
161 successful key setup, and don't change the peer otherwise.)
163 - Key setup peers are slightly more complicated.
165 Whenever we receive and successfully process a key exchange
166 packet, we record the peer.
168 Whenever we try to initiate a key setup, we copy the list of data
169 transfer peers and use it for key setup. But we also look to see
170 if the config supplies an address and port number and if so we
171 add that as a key setup peer (possibly evicting one of the data
172 transfer peers we just copied).
174 (For "non-mobile" peers, if we if we have a configured peer
175 address and port, we always use that; otherwise if we have a
176 current data peer address we use that; otherwise we do not
177 attempt to initiate a key setup for lack of a peer address.)
179 "Record the peer" means
180 1. expire any peers last seen >120s ("mobile-peer-expiry") ago
181 2. add the peer of the just received packet to the applicable list
182 (possibly evicting older entries)
183 NB that we do not expire peers until an incoming packet arrives.
187 #define MAX_MOBILE_PEERS_MAX 5 /* send at most this many copies, compiled max */
191 struct comm_addr addr;
195 /* configuration information */
196 /* runtime information */
198 transport_peer peers[MAX_MOBILE_PEERS_MAX];
201 static void transport_peers_clear(struct site *st, transport_peers *peers);
202 static int transport_peers_valid(transport_peers *peers);
203 static void transport_peers_copy(struct site *st, transport_peers *dst,
204 const transport_peers *src);
206 static void transport_setup_msgok(struct site *st, const struct comm_addr *a);
207 static void transport_data_msgok(struct site *st, const struct comm_addr *a);
208 static bool_t transport_compute_setupinit_peers(struct site *st,
209 const struct comm_addr *configured_addr /* 0 if none or not found */,
210 const struct comm_addr *prod_hint_addr /* 0 if none */);
211 static void transport_record_peer(struct site *st, transport_peers *peers,
212 const struct comm_addr *addr, const char *m);
214 static void transport_xmit(struct site *st, transport_peers *peers,
215 struct buffer_if *buf, bool_t candebug);
217 /***** END of transport peers declarations *****/
221 struct transform_inst_if *transform;
222 uint64_t key_timeout; /* End of life of current key */
223 uint32_t remote_session_id;
229 /* configuration information */
232 bool_t peer_mobile; /* Mobile client support */
233 int32_t transport_peers_max;
234 string_t tunname; /* localname<->remotename by default, used in logs */
235 string_t address; /* DNS name for bootstrapping, optional */
236 int remoteport; /* Port for bootstrapping, optional */
238 struct netlink_if *netlink;
239 struct comm_if **comms;
241 struct resolver_if *resolver;
243 struct random_if *random;
244 struct rsaprivkey_if *privkey;
245 struct rsapubkey_if *pubkey;
246 struct transform_if **transforms;
249 struct hash_if *hash;
251 uint32_t index; /* Index of this site */
252 uint32_t local_capabilities;
253 int32_t setup_retries; /* How many times to send setup packets */
254 int32_t setup_retry_interval; /* Initial timeout for setup packets */
255 int32_t wait_timeout; /* How long to wait if setup unsuccessful */
256 int32_t mobile_peer_expiry; /* How long to remember 2ary addresses */
257 int32_t key_lifetime; /* How long a key lasts once set up */
258 int32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
259 after this time, initiate a new
262 bool_t setup_priority; /* Do we have precedence if both sites emit
263 message 1 simultaneously? */
266 /* runtime information */
268 uint64_t now; /* Most recently seen time */
269 bool_t allow_send_prod;
271 /* The currently established session */
272 struct data_key current;
273 struct data_key auxiliary_key;
274 bool_t auxiliary_is_new;
275 uint64_t renegotiate_key_time; /* When we can negotiate a new key */
276 uint64_t auxiliary_renegotiate_key_time;
277 transport_peers peers; /* Current address(es) of peer for data traffic */
279 /* The current key setup protocol exchange. We can only be
280 involved in one of these at a time. There's a potential for
281 denial of service here (the attacker keeps sending a setup
282 packet; we keep trying to continue the exchange, and have to
283 timeout before we can listen for another setup packet); perhaps
284 we should keep a list of 'bad' sources for setup packets. */
285 uint32_t remote_capabilities;
286 uint16_t remote_adv_mtu;
287 struct transform_if *chosen_transform;
288 uint32_t setup_session_id;
289 transport_peers setup_peers;
290 uint8_t localN[NONCELEN]; /* Nonces for key exchange */
291 uint8_t remoteN[NONCELEN];
292 struct buffer_if buffer; /* Current outgoing key exchange packet */
293 struct buffer_if scratch;
294 int32_t retries; /* Number of retries remaining */
295 uint64_t timeout; /* Timeout for current state */
297 uint8_t *sharedsecret;
298 uint32_t sharedsecretlen, sharedsecretallocd;
299 struct transform_inst_if *new_transform; /* For key setup/verify */
302 static uint32_t event_log_priority(struct site *st, uint32_t event)
304 if (!(event&st->log_events))
307 case LOG_UNEXPECTED: return M_INFO;
308 case LOG_SETUP_INIT: return M_INFO;
309 case LOG_SETUP_TIMEOUT: return M_NOTICE;
310 case LOG_ACTIVATE_KEY: return M_INFO;
311 case LOG_TIMEOUT_KEY: return M_INFO;
312 case LOG_SEC: return M_SECURITY;
313 case LOG_STATE: return M_DEBUG;
314 case LOG_DROP: return M_DEBUG;
315 case LOG_DUMP: return M_DEBUG;
316 case LOG_ERROR: return M_ERR;
317 case LOG_PEER_ADDRS: return M_DEBUG;
318 default: return M_ERR;
322 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
324 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
329 class=event_log_priority(st, event);
332 slilog_part(st->log,class,"%s: ",st->tunname);
333 vslilog_part(st->log,class,msg,ap);
334 slilog_part(st->log,class,"\n");
339 static void set_link_quality(struct site *st);
340 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel);
341 static void delete_one_key(struct site *st, struct data_key *key,
342 const char *reason /* may be 0 meaning don't log*/,
343 const char *which /* ignored if !reasonn */,
344 uint32_t loglevel /* ignored if !reasonn */);
345 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
346 const struct comm_addr *prod_hint);
347 static void enter_state_run(struct site *st);
348 static bool_t enter_state_resolve(struct site *st);
349 static bool_t enter_new_state(struct site *st,uint32_t next);
350 static void enter_state_wait(struct site *st);
351 static void activate_new_key(struct site *st);
353 static bool_t is_transform_valid(struct transform_inst_if *transform)
355 return transform && transform->valid(transform->st);
358 static bool_t current_valid(struct site *st)
360 return is_transform_valid(st->current.transform);
363 #define DEFINE_CALL_TRANSFORM(fwdrev) \
364 static int call_transform_##fwdrev(struct site *st, \
365 struct transform_inst_if *transform, \
366 struct buffer_if *buf, \
367 const char **errmsg) \
369 if (!is_transform_valid(transform)) { \
370 *errmsg="transform not set up"; \
373 return transform->fwdrev(transform->st,buf,errmsg); \
376 DEFINE_CALL_TRANSFORM(forwards)
377 DEFINE_CALL_TRANSFORM(reverse)
379 static void dispose_transform(struct transform_inst_if **transform_var)
381 struct transform_inst_if *transform=*transform_var;
383 transform->delkey(transform->st);
384 transform->destroy(transform->st);
389 #define CHECK_AVAIL(b,l) do { if ((b)->size<(l)) return False; } while(0)
390 #define CHECK_EMPTY(b) do { if ((b)->size!=0) return False; } while(0)
391 #define CHECK_TYPE(b,t) do { uint32_t type; \
392 CHECK_AVAIL((b),4); \
393 type=buf_unprepend_uint32((b)); \
394 if (type!=(t)) return False; } while(0)
396 static _Bool type_is_msg34(uint32_t type)
399 type == LABEL_MSG3 ||
400 type == LABEL_MSG3BIS ||
407 struct buffer_if extrainfo;
414 struct parsedname remote;
415 struct parsedname local;
416 uint32_t remote_capabilities;
418 int capab_transformnum;
428 static void set_new_transform(struct site *st, char *pk)
430 /* Make room for the shared key */
431 st->sharedsecretlen=st->chosen_transform->keylen?:st->dh->ceil_len;
432 assert(st->sharedsecretlen);
433 if (st->sharedsecretlen > st->sharedsecretallocd) {
434 st->sharedsecretallocd=st->sharedsecretlen;
435 st->sharedsecret=realloc(st->sharedsecret,st->sharedsecretallocd);
437 if (!st->sharedsecret) fatal_perror("site:sharedsecret");
439 /* Generate the shared key */
440 st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,pk,
441 st->sharedsecret,st->sharedsecretlen);
443 /* Set up the transform */
444 struct transform_if *generator=st->chosen_transform;
445 struct transform_inst_if *generated=generator->create(generator->st);
446 generated->setkey(generated->st,st->sharedsecret,
447 st->sharedsecretlen,st->setup_priority);
448 dispose_transform(&st->new_transform);
449 st->new_transform=generated;
451 slog(st,LOG_SETUP_INIT,"key exchange negotiated transform"
452 " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")",
453 st->chosen_transform->capab_transformnum,
454 st->local_capabilities, st->remote_capabilities);
458 int32_t lenpos, afternul;
460 static void append_string_xinfo_start(struct buffer_if *buf,
461 struct xinfoadd *xia,
463 /* Helps construct one of the names with additional info as found
464 * in MSG1..4. Call this function first, then append all the
465 * desired extra info (not including the nul byte) to the buffer,
466 * then call append_string_xinfo_done. */
468 xia->lenpos = buf->size;
469 buf_append_string(buf,str);
470 buf_append_uint8(buf,0);
471 xia->afternul = buf->size;
473 static void append_string_xinfo_done(struct buffer_if *buf,
474 struct xinfoadd *xia)
476 /* we just need to adjust the string length */
477 if (buf->size == xia->afternul) {
478 /* no extra info, strip the nul too */
479 buf_unappend_uint8(buf);
481 put_uint16(buf->start+xia->lenpos, buf->size-(xia->lenpos+2));
485 /* Build any of msg1 to msg4. msg5 and msg6 are built from the inside
486 out using a transform of config data supplied by netlink */
487 static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what)
493 st->retries=st->setup_retries;
494 BUF_ALLOC(&st->buffer,what);
495 buffer_init(&st->buffer,0);
496 buf_append_uint32(&st->buffer,
497 (type==LABEL_MSG1?0:st->setup_session_id));
498 buf_append_uint32(&st->buffer,st->index);
499 buf_append_uint32(&st->buffer,type);
502 append_string_xinfo_start(&st->buffer,&xia,st->localname);
503 if ((st->local_capabilities & CAPAB_EARLY) || (type != LABEL_MSG1)) {
504 buf_append_uint32(&st->buffer,st->local_capabilities);
506 if (type_is_msg34(type)) {
507 buf_append_uint16(&st->buffer,st->mtu_target);
509 append_string_xinfo_done(&st->buffer,&xia);
511 buf_append_string(&st->buffer,st->remotename);
512 memcpy(buf_append(&st->buffer,NONCELEN),st->localN,NONCELEN);
513 if (type==LABEL_MSG1) return True;
514 memcpy(buf_append(&st->buffer,NONCELEN),st->remoteN,NONCELEN);
515 if (type==LABEL_MSG2) return True;
517 if (hacky_par_mid_failnow()) return False;
519 if (type==LABEL_MSG3BIS)
520 buf_append_uint8(&st->buffer,st->chosen_transform->capab_transformnum);
522 dhpub=st->dh->makepublic(st->dh->st,st->dhsecret,st->dh->len);
523 buf_append_string(&st->buffer,dhpub);
525 hash=safe_malloc(st->hash->len, "generate_msg");
526 hst=st->hash->init();
527 st->hash->update(hst,st->buffer.start,st->buffer.size);
528 st->hash->final(hst,hash);
529 sig=st->privkey->sign(st->privkey->st,hash,st->hash->len);
530 buf_append_string(&st->buffer,sig);
536 static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm)
539 nm->len=buf_unprepend_uint16(msg);
540 CHECK_AVAIL(msg,nm->len);
541 nm->name=buf_unprepend(msg,nm->len);
542 uint8_t *nul=memchr(nm->name,0,nm->len);
544 buffer_readonly_view(&nm->extrainfo,0,0);
546 buffer_readonly_view(&nm->extrainfo, nul+1, msg->start-(nul+1));
547 nm->len=nul-nm->name;
552 static bool_t unpick_msg(struct site *st, uint32_t type,
553 struct buffer_if *msg, struct msg *m)
555 m->capab_transformnum=-1;
556 m->hashstart=msg->start;
558 m->dest=buf_unprepend_uint32(msg);
560 m->source=buf_unprepend_uint32(msg);
561 CHECK_TYPE(msg,type);
562 if (!unpick_name(msg,&m->remote)) return False;
563 m->remote_capabilities=0;
565 if (m->remote.extrainfo.size) {
566 CHECK_AVAIL(&m->remote.extrainfo,4);
567 m->remote_capabilities=buf_unprepend_uint32(&m->remote.extrainfo);
569 if (type_is_msg34(type) && m->remote.extrainfo.size) {
570 CHECK_AVAIL(&m->remote.extrainfo,2);
571 m->remote_mtu=buf_unprepend_uint16(&m->remote.extrainfo);
573 if (!unpick_name(msg,&m->local)) return False;
574 if (type==LABEL_PROD) {
578 CHECK_AVAIL(msg,NONCELEN);
579 m->nR=buf_unprepend(msg,NONCELEN);
580 if (type==LABEL_MSG1) {
584 CHECK_AVAIL(msg,NONCELEN);
585 m->nL=buf_unprepend(msg,NONCELEN);
586 if (type==LABEL_MSG2) {
590 if (type==LABEL_MSG3BIS) {
592 m->capab_transformnum = buf_unprepend_uint8(msg);
594 m->capab_transformnum = CAPAB_TRANSFORMNUM_ANCIENT;
597 m->pklen=buf_unprepend_uint16(msg);
598 CHECK_AVAIL(msg,m->pklen);
599 m->pk=buf_unprepend(msg,m->pklen);
600 m->hashlen=msg->start-m->hashstart;
602 m->siglen=buf_unprepend_uint16(msg);
603 CHECK_AVAIL(msg,m->siglen);
604 m->sig=buf_unprepend(msg,m->siglen);
609 static bool_t name_matches(const struct parsedname *nm, const char *expected)
611 int expected_len=strlen(expected);
613 nm->len == expected_len &&
614 !memcmp(nm->name, expected, expected_len);
617 static bool_t check_msg(struct site *st, uint32_t type, struct msg *m,
620 if (type==LABEL_MSG1) return True;
622 /* Check that the site names and our nonce have been sent
623 back correctly, and then store our peer's nonce. */
624 if (!name_matches(&m->remote,st->remotename)) {
625 *error="wrong remote site name";
628 if (!name_matches(&m->local,st->localname)) {
629 *error="wrong local site name";
632 if (memcmp(m->nL,st->localN,NONCELEN)!=0) {
633 *error="wrong locally-generated nonce";
636 if (type==LABEL_MSG2) return True;
637 if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) {
638 *error="wrong remotely-generated nonce";
641 /* MSG3 has complicated rules about capabilities, which are
642 * handled in process_msg3. */
643 if (type==LABEL_MSG3 || type==LABEL_MSG3BIS) return True;
644 if (m->remote_capabilities!=st->remote_capabilities) {
645 *error="remote capabilities changed";
648 if (type==LABEL_MSG4) return True;
649 *error="unknown message type";
653 static bool_t generate_msg1(struct site *st)
655 st->random->generate(st->random->st,NONCELEN,st->localN);
656 return generate_msg(st,LABEL_MSG1,"site:MSG1");
659 static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
660 const struct comm_addr *src, struct msg *m)
662 /* We've already determined we're in an appropriate state to
663 process an incoming MSG1, and that the MSG1 has correct values
666 transport_record_peer(st,&st->setup_peers,src,"msg1");
667 st->setup_session_id=m->source;
668 st->remote_capabilities=m->remote_capabilities;
669 memcpy(st->remoteN,m->nR,NONCELEN);
673 static bool_t generate_msg2(struct site *st)
675 st->random->generate(st->random->st,NONCELEN,st->localN);
676 return generate_msg(st,LABEL_MSG2,"site:MSG2");
679 static bool_t process_msg2(struct site *st, struct buffer_if *msg2,
680 const struct comm_addr *src)
685 if (!unpick_msg(st,LABEL_MSG2,msg2,&m)) return False;
686 if (!check_msg(st,LABEL_MSG2,&m,&err)) {
687 slog(st,LOG_SEC,"msg2: %s",err);
690 st->setup_session_id=m.source;
691 st->remote_capabilities=m.remote_capabilities;
693 /* Select the transform to use */
695 uint32_t remote_transforms = st->remote_capabilities & CAPAB_TRANSFORM_MASK;
696 if (!remote_transforms)
697 /* old secnets only had this one transform */
698 remote_transforms = 1UL << CAPAB_TRANSFORMNUM_ANCIENT;
700 struct transform_if *ti;
702 for (i=0; i<st->ntransforms; i++) {
703 ti=st->transforms[i];
704 if ((1UL << ti->capab_transformnum) & remote_transforms)
705 goto transform_found;
707 slog(st,LOG_ERROR,"no transforms in common"
708 " (us %#"PRIx32"; them: %#"PRIx32")",
709 st->local_capabilities & CAPAB_TRANSFORM_MASK,
713 st->chosen_transform=ti;
715 memcpy(st->remoteN,m.nR,NONCELEN);
719 static bool_t generate_msg3(struct site *st)
721 /* Now we have our nonce and their nonce. Think of a secret key,
722 and create message number 3. */
723 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
724 return generate_msg(st,
725 (st->remote_capabilities & CAPAB_TRANSFORM_MASK
726 ? LABEL_MSG3BIS : LABEL_MSG3),
730 static bool_t process_msg3_msg4(struct site *st, struct msg *m)
735 /* Check signature and store g^x mod m */
736 hash=safe_malloc(st->hash->len, "process_msg3_msg4");
737 hst=st->hash->init();
738 st->hash->update(hst,m->hashstart,m->hashlen);
739 st->hash->final(hst,hash);
740 /* Terminate signature with a '0' - cheating, but should be ok */
742 if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m->sig)) {
743 slog(st,LOG_SEC,"msg3/msg4 signature failed check!");
749 st->remote_adv_mtu=m->remote_mtu;
754 static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
755 const struct comm_addr *src, uint32_t msgtype)
760 assert(msgtype==LABEL_MSG3 || msgtype==LABEL_MSG3BIS);
762 if (!unpick_msg(st,msgtype,msg3,&m)) return False;
763 if (!check_msg(st,msgtype,&m,&err)) {
764 slog(st,LOG_SEC,"msg3: %s",err);
767 uint32_t capab_adv_late = m.remote_capabilities
768 & ~st->remote_capabilities & CAPAB_EARLY;
769 if (capab_adv_late) {
770 slog(st,LOG_SEC,"msg3 impermissibly adds early capability flag(s)"
771 " %#"PRIx32" (was %#"PRIx32", now %#"PRIx32")",
772 capab_adv_late, st->remote_capabilities, m.remote_capabilities);
775 st->remote_capabilities|=m.remote_capabilities;
777 struct transform_if *ti;
779 for (i=0; i<st->ntransforms; i++) {
780 ti=st->transforms[i];
781 if (ti->capab_transformnum == m.capab_transformnum)
782 goto transform_found;
784 slog(st,LOG_SEC,"peer chose unknown-to-us transform %d!",
785 m.capab_transformnum);
788 st->chosen_transform=ti;
790 if (!process_msg3_msg4(st,&m))
793 /* Terminate their DH public key with a '0' */
795 /* Invent our DH secret key */
796 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
798 /* Generate the shared key and set up the transform */
799 set_new_transform(st,m.pk);
804 static bool_t generate_msg4(struct site *st)
806 /* We have both nonces, their public key and our private key. Generate
807 our public key, sign it and send it to them. */
808 return generate_msg(st,LABEL_MSG4,"site:MSG4");
811 static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
812 const struct comm_addr *src)
817 if (!unpick_msg(st,LABEL_MSG4,msg4,&m)) return False;
818 if (!check_msg(st,LABEL_MSG4,&m,&err)) {
819 slog(st,LOG_SEC,"msg4: %s",err);
823 if (!process_msg3_msg4(st,&m))
826 /* Terminate their DH public key with a '0' */
829 /* Generate the shared key and set up the transform */
830 set_new_transform(st,m.pk);
841 static bool_t unpick_msg0(struct site *st, struct buffer_if *msg0,
845 m->dest=buf_unprepend_uint32(msg0);
847 m->source=buf_unprepend_uint32(msg0);
849 m->type=buf_unprepend_uint32(msg0);
851 /* Leaves transformed part of buffer untouched */
854 static bool_t generate_msg5(struct site *st)
856 cstring_t transform_err;
858 BUF_ALLOC(&st->buffer,"site:MSG5");
859 /* We are going to add four words to the message */
860 buffer_init(&st->buffer,calculate_max_start_pad());
861 /* Give the netlink code an opportunity to put its own stuff in the
862 message (configuration information, etc.) */
863 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
864 if (call_transform_forwards(st,st->new_transform,
865 &st->buffer,&transform_err))
867 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
868 buf_prepend_uint32(&st->buffer,st->index);
869 buf_prepend_uint32(&st->buffer,st->setup_session_id);
871 st->retries=st->setup_retries;
875 static bool_t process_msg5(struct site *st, struct buffer_if *msg5,
876 const struct comm_addr *src,
877 struct transform_inst_if *transform)
880 cstring_t transform_err;
882 if (!unpick_msg0(st,msg5,&m)) return False;
884 if (call_transform_reverse(st,transform,msg5,&transform_err)) {
885 /* There's a problem */
886 slog(st,LOG_SEC,"process_msg5: transform: %s",transform_err);
889 /* Buffer should now contain untransformed PING packet data */
891 if (buf_unprepend_uint32(msg5)!=LABEL_MSG5) {
892 slog(st,LOG_SEC,"MSG5/PING packet contained wrong label");
895 /* Older versions of secnet used to write some config data here
896 * which we ignore. So we don't CHECK_EMPTY */
900 static void create_msg6(struct site *st, struct transform_inst_if *transform,
903 cstring_t transform_err;
905 BUF_ALLOC(&st->buffer,"site:MSG6");
906 /* We are going to add four words to the message */
907 buffer_init(&st->buffer,calculate_max_start_pad());
908 /* Give the netlink code an opportunity to put its own stuff in the
909 message (configuration information, etc.) */
910 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
911 int problem = call_transform_forwards(st,transform,
912 &st->buffer,&transform_err);
914 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
915 buf_prepend_uint32(&st->buffer,st->index);
916 buf_prepend_uint32(&st->buffer,session_id);
919 static bool_t generate_msg6(struct site *st)
921 if (!is_transform_valid(st->new_transform))
923 create_msg6(st,st->new_transform,st->setup_session_id);
924 st->retries=1; /* Peer will retransmit MSG5 if this packet gets lost */
928 static bool_t process_msg6(struct site *st, struct buffer_if *msg6,
929 const struct comm_addr *src)
932 cstring_t transform_err;
934 if (!unpick_msg0(st,msg6,&m)) return False;
936 if (call_transform_reverse(st,st->new_transform,msg6,&transform_err)) {
937 /* There's a problem */
938 slog(st,LOG_SEC,"process_msg6: transform: %s",transform_err);
941 /* Buffer should now contain untransformed PING packet data */
943 if (buf_unprepend_uint32(msg6)!=LABEL_MSG6) {
944 slog(st,LOG_SEC,"MSG6/PONG packet contained invalid data");
947 /* Older versions of secnet used to write some config data here
948 * which we ignore. So we don't CHECK_EMPTY */
952 static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0,
953 const struct comm_addr *src)
955 cstring_t transform_err, auxkey_err, newkey_err="n/a";
959 if (!unpick_msg0(st,msg0,&m)) return False;
961 /* Keep a copy so we can try decrypting it with multiple keys */
962 buffer_copy(&st->scratch, msg0);
964 problem = call_transform_reverse(st,st->current.transform,
965 msg0,&transform_err);
967 if (!st->auxiliary_is_new)
968 delete_one_key(st,&st->auxiliary_key,
969 "peer has used new key","auxiliary key",LOG_SEC);
975 buffer_copy(msg0, &st->scratch);
976 problem = call_transform_reverse(st,st->auxiliary_key.transform,
979 slog(st,LOG_DROP,"processing packet which uses auxiliary key");
980 if (st->auxiliary_is_new) {
981 /* We previously timed out in state SENTMSG5 but it turns
982 * out that our peer did in fact get our MSG5 and is
983 * using the new key. So we should switch to it too. */
984 /* This is a bit like activate_new_key. */
987 st->current=st->auxiliary_key;
990 delete_one_key(st,&st->auxiliary_key,"peer has used new key",
991 "previous key",LOG_SEC);
992 st->auxiliary_is_new=0;
993 st->renegotiate_key_time=st->auxiliary_renegotiate_key_time;
1000 if (st->state==SITE_SENTMSG5) {
1001 buffer_copy(msg0, &st->scratch);
1002 problem = call_transform_reverse(st,st->new_transform,
1005 /* It looks like we didn't get the peer's MSG6 */
1006 /* This is like a cut-down enter_new_state(SITE_RUN) */
1007 slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)");
1008 BUF_FREE(&st->buffer);
1010 activate_new_key(st);
1011 return True; /* do process the data in this packet */
1017 slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)",
1018 transform_err,auxkey_err,newkey_err);
1019 initiate_key_setup(st,"incoming message would not decrypt",0);
1020 send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt");
1024 slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err);
1028 static bool_t process_msg0(struct site *st, struct buffer_if *msg0,
1029 const struct comm_addr *src)
1033 if (!decrypt_msg0(st,msg0,src))
1036 CHECK_AVAIL(msg0,4);
1037 type=buf_unprepend_uint32(msg0);
1040 /* We must forget about the current session. */
1041 delete_keys(st,"request from peer",LOG_SEC);
1044 /* Deliver to netlink layer */
1045 st->netlink->deliver(st->netlink->st,msg0);
1046 transport_data_msgok(st,src);
1047 /* See whether we should start negotiating a new key */
1048 if (st->now > st->renegotiate_key_time)
1049 initiate_key_setup(st,"incoming packet in renegotiation window",0);
1052 slog(st,LOG_SEC,"incoming encrypted message of type %08x "
1059 static void dump_packet(struct site *st, struct buffer_if *buf,
1060 const struct comm_addr *addr, bool_t incoming)
1062 uint32_t dest=get_uint32(buf->start);
1063 uint32_t source=get_uint32(buf->start+4);
1064 uint32_t msgtype=get_uint32(buf->start+8);
1066 if (st->log_events & LOG_DUMP)
1067 slilog(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x:",
1068 st->tunname,incoming?"incoming":"outgoing",
1069 dest,source,msgtype);
1072 static uint32_t site_status(void *st)
1077 static bool_t send_msg(struct site *st)
1079 if (st->retries>0) {
1080 transport_xmit(st, &st->setup_peers, &st->buffer, True);
1081 st->timeout=st->now+st->setup_retry_interval;
1084 } else if (st->state==SITE_SENTMSG5) {
1085 slog(st,LOG_SETUP_TIMEOUT,"timed out sending MSG5, stashing new key");
1086 /* We stash the key we have produced, in case it turns out that
1087 * our peer did see our MSG5 after all and starts using it. */
1088 /* This is a bit like some of activate_new_key */
1089 struct transform_inst_if *t;
1090 t=st->auxiliary_key.transform;
1091 st->auxiliary_key.transform=st->new_transform;
1092 st->new_transform=t;
1093 dispose_transform(&st->new_transform);
1095 st->auxiliary_is_new=1;
1096 st->auxiliary_key.key_timeout=st->now+st->key_lifetime;
1097 st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time;
1098 st->auxiliary_key.remote_session_id=st->setup_session_id;
1100 enter_state_wait(st);
1103 slog(st,LOG_SETUP_TIMEOUT,"timed out sending key setup packet "
1104 "(in state %s)",state_name(st->state));
1105 enter_state_wait(st);
1110 static void site_resolve_callback(void *sst, struct in_addr *address)
1112 struct site *st=sst;
1113 struct comm_addr ca_buf, *ca_use;
1115 if (st->state!=SITE_RESOLVE) {
1116 slog(st,LOG_UNEXPECTED,"site_resolve_callback called unexpectedly");
1121 ca_buf.comm=st->comms[0];
1122 ca_buf.sin.sin_family=AF_INET;
1123 ca_buf.sin.sin_port=htons(st->remoteport);
1124 ca_buf.sin.sin_addr=*address;
1127 slog(st,LOG_ERROR,"resolution of %s failed",st->address);
1130 if (transport_compute_setupinit_peers(st,ca_use,0)) {
1131 enter_new_state(st,SITE_SENTMSG1);
1133 /* Can't figure out who to try to to talk to */
1134 slog(st,LOG_SETUP_INIT,"key exchange failed: cannot find peer address");
1135 enter_state_run(st);
1139 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
1140 const struct comm_addr *prod_hint)
1142 if (st->state!=SITE_RUN) return False;
1143 slog(st,LOG_SETUP_INIT,"initiating key exchange (%s)",reason);
1145 slog(st,LOG_SETUP_INIT,"resolving peer address");
1146 return enter_state_resolve(st);
1147 } else if (transport_compute_setupinit_peers(st,0,prod_hint)) {
1148 return enter_new_state(st,SITE_SENTMSG1);
1150 slog(st,LOG_SETUP_INIT,"key exchange failed: no address for peer");
1154 static void activate_new_key(struct site *st)
1156 struct transform_inst_if *t;
1158 /* We have three transform instances, which we swap between old,
1160 t=st->auxiliary_key.transform;
1161 st->auxiliary_key.transform=st->current.transform;
1162 st->current.transform=st->new_transform;
1163 st->new_transform=t;
1164 dispose_transform(&st->new_transform);
1167 st->auxiliary_is_new=0;
1168 st->auxiliary_key.key_timeout=st->current.key_timeout;
1169 st->current.key_timeout=st->now+st->key_lifetime;
1170 st->renegotiate_key_time=st->now+st->key_renegotiate_time;
1171 transport_peers_copy(st,&st->peers,&st->setup_peers);
1172 st->current.remote_session_id=st->setup_session_id;
1174 /* Compute the inter-site MTU. This is min( our_mtu, their_mtu ).
1175 * But their mtu be unspecified, in which case we just use ours. */
1176 uint32_t intersite_mtu=
1177 MIN(st->mtu_target, st->remote_adv_mtu ?: ~(uint32_t)0);
1178 st->netlink->set_mtu(st->netlink->st,intersite_mtu);
1180 slog(st,LOG_ACTIVATE_KEY,"new key activated"
1181 " (mtu ours=%"PRId32" theirs=%"PRId32" intersite=%"PRId32")",
1182 st->mtu_target, st->remote_adv_mtu, intersite_mtu);
1183 enter_state_run(st);
1186 static void delete_one_key(struct site *st, struct data_key *key,
1187 cstring_t reason, cstring_t which, uint32_t loglevel)
1189 if (!is_transform_valid(key->transform)) return;
1190 if (reason) slog(st,loglevel,"%s deleted (%s)",which,reason);
1191 dispose_transform(&key->transform);
1195 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel)
1197 if (current_valid(st)) {
1198 slog(st,loglevel,"session closed (%s)",reason);
1200 delete_one_key(st,&st->current,0,0,0);
1201 set_link_quality(st);
1203 delete_one_key(st,&st->auxiliary_key,0,0,0);
1206 static void state_assert(struct site *st, bool_t ok)
1208 if (!ok) fatal("site:state_assert");
1211 static void enter_state_stop(struct site *st)
1213 st->state=SITE_STOP;
1215 delete_keys(st,"entering state STOP",LOG_TIMEOUT_KEY);
1216 dispose_transform(&st->new_transform);
1219 static void set_link_quality(struct site *st)
1222 if (current_valid(st))
1223 quality=LINK_QUALITY_UP;
1224 else if (st->state==SITE_WAIT || st->state==SITE_STOP)
1225 quality=LINK_QUALITY_DOWN;
1226 else if (st->address)
1227 quality=LINK_QUALITY_DOWN_CURRENT_ADDRESS;
1228 else if (transport_peers_valid(&st->peers))
1229 quality=LINK_QUALITY_DOWN_STALE_ADDRESS;
1231 quality=LINK_QUALITY_DOWN;
1233 st->netlink->set_quality(st->netlink->st,quality);
1236 static void enter_state_run(struct site *st)
1238 slog(st,LOG_STATE,"entering state RUN");
1242 st->setup_session_id=0;
1243 transport_peers_clear(st,&st->setup_peers);
1244 memset(st->localN,0,NONCELEN);
1245 memset(st->remoteN,0,NONCELEN);
1246 dispose_transform(&st->new_transform);
1247 memset(st->dhsecret,0,st->dh->len);
1248 memset(st->sharedsecret,0,st->sharedsecretlen);
1249 set_link_quality(st);
1252 static bool_t enter_state_resolve(struct site *st)
1254 state_assert(st,st->state==SITE_RUN);
1255 slog(st,LOG_STATE,"entering state RESOLVE");
1256 st->state=SITE_RESOLVE;
1257 st->resolver->request(st->resolver->st,st->address,
1258 site_resolve_callback,st);
1262 static bool_t enter_new_state(struct site *st, uint32_t next)
1264 bool_t (*gen)(struct site *st);
1267 slog(st,LOG_STATE,"entering state %s",state_name(next));
1270 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE);
1274 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1275 st->state==SITE_SENTMSG1 || st->state==SITE_WAIT);
1279 state_assert(st,st->state==SITE_SENTMSG1);
1280 BUF_FREE(&st->buffer);
1284 state_assert(st,st->state==SITE_SENTMSG2);
1285 BUF_FREE(&st->buffer);
1289 state_assert(st,st->state==SITE_SENTMSG3);
1290 BUF_FREE(&st->buffer);
1294 state_assert(st,st->state==SITE_SENTMSG4);
1295 BUF_FREE(&st->buffer);
1300 fatal("enter_new_state(%s): invalid new state",state_name(next));
1304 if (hacky_par_start_failnow()) return False;
1306 r= gen(st) && send_msg(st);
1309 st->setup_retries, st->setup_retry_interval,
1314 if (next==SITE_RUN) {
1315 BUF_FREE(&st->buffer); /* Never reused */
1316 st->timeout=0; /* Never retransmit */
1317 activate_new_key(st);
1321 slog(st,LOG_ERROR,"error entering state %s",state_name(next));
1322 st->buffer.free=False; /* Unconditionally use the buffer; it may be
1323 in either state, and enter_state_wait() will
1325 enter_state_wait(st);
1329 /* msg7 tells our peer that we're about to forget our key */
1330 static bool_t send_msg7(struct site *st, cstring_t reason)
1332 cstring_t transform_err;
1334 if (current_valid(st) && st->buffer.free
1335 && transport_peers_valid(&st->peers)) {
1336 BUF_ALLOC(&st->buffer,"site:MSG7");
1337 buffer_init(&st->buffer,calculate_max_start_pad());
1338 buf_append_uint32(&st->buffer,LABEL_MSG7);
1339 buf_append_string(&st->buffer,reason);
1340 if (call_transform_forwards(st, st->current.transform,
1341 &st->buffer, &transform_err))
1343 buf_prepend_uint32(&st->buffer,LABEL_MSG0);
1344 buf_prepend_uint32(&st->buffer,st->index);
1345 buf_prepend_uint32(&st->buffer,st->current.remote_session_id);
1346 transport_xmit(st,&st->peers,&st->buffer,True);
1347 BUF_FREE(&st->buffer);
1354 /* We go into this state if our peer becomes uncommunicative. Similar to
1355 the "stop" state, we forget all session keys for a while, before
1356 re-entering the "run" state. */
1357 static void enter_state_wait(struct site *st)
1359 slog(st,LOG_STATE,"entering state WAIT");
1360 st->timeout=st->now+st->wait_timeout;
1361 st->state=SITE_WAIT;
1362 set_link_quality(st);
1363 BUF_FREE(&st->buffer); /* will have had an outgoing packet in it */
1364 /* XXX Erase keys etc. */
1367 static void generate_prod(struct site *st, struct buffer_if *buf)
1370 buf_append_uint32(buf,0);
1371 buf_append_uint32(buf,0);
1372 buf_append_uint32(buf,LABEL_PROD);
1373 buf_append_string(buf,st->localname);
1374 buf_append_string(buf,st->remotename);
1377 static void generate_send_prod(struct site *st,
1378 const struct comm_addr *source)
1380 if (!st->allow_send_prod) return; /* too soon */
1381 if (!(st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1382 st->state==SITE_WAIT)) return; /* we'd ignore peer's MSG1 */
1384 slog(st,LOG_SETUP_INIT,"prodding peer for key exchange");
1385 st->allow_send_prod=0;
1386 generate_prod(st,&st->scratch);
1387 dump_packet(st,&st->scratch,source,False);
1388 source->comm->sendmsg(source->comm->st, &st->scratch, source);
1391 static inline void site_settimeout(uint64_t timeout, int *timeout_io)
1394 int64_t offset=timeout-*now;
1395 if (offset<0) offset=0;
1396 if (offset>INT_MAX) offset=INT_MAX;
1397 if (*timeout_io<0 || offset<*timeout_io)
1402 static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io,
1405 struct site *st=sst;
1407 *nfds_io=0; /* We don't use any file descriptors */
1410 /* Work out when our next timeout is. The earlier of 'timeout' or
1411 'current.key_timeout'. A stored value of '0' indicates no timeout
1413 site_settimeout(st->timeout, timeout_io);
1414 site_settimeout(st->current.key_timeout, timeout_io);
1415 site_settimeout(st->auxiliary_key.key_timeout, timeout_io);
1417 return 0; /* success */
1420 static void check_expiry(struct site *st, struct data_key *key,
1423 if (key->key_timeout && *now>key->key_timeout) {
1424 delete_one_key(st,key,"maximum life exceeded",which,LOG_TIMEOUT_KEY);
1428 /* NB site_afterpoll will be called before site_beforepoll is ever called */
1429 static void site_afterpoll(void *sst, struct pollfd *fds, int nfds)
1431 struct site *st=sst;
1434 if (st->timeout && *now>st->timeout) {
1436 if (st->state>=SITE_SENTMSG1 && st->state<=SITE_SENTMSG5) {
1437 if (!hacky_par_start_failnow())
1439 } else if (st->state==SITE_WAIT) {
1440 enter_state_run(st);
1442 slog(st,LOG_ERROR,"site_afterpoll: unexpected timeout, state=%d",
1446 check_expiry(st,&st->current,"current key");
1447 check_expiry(st,&st->auxiliary_key,"auxiliary key");
1450 /* This function is called by the netlink device to deliver packets
1451 intended for the remote network. The packet is in "raw" wire
1452 format, but is guaranteed to be word-aligned. */
1453 static void site_outgoing(void *sst, struct buffer_if *buf)
1455 struct site *st=sst;
1456 cstring_t transform_err;
1458 if (st->state==SITE_STOP) {
1463 st->allow_send_prod=1;
1465 /* In all other states we consider delivering the packet if we have
1466 a valid key and a valid address to send it to. */
1467 if (current_valid(st) && transport_peers_valid(&st->peers)) {
1468 /* Transform it and send it */
1470 buf_prepend_uint32(buf,LABEL_MSG9);
1471 if (call_transform_forwards(st, st->current.transform,
1472 buf, &transform_err))
1474 buf_prepend_uint32(buf,LABEL_MSG0);
1475 buf_prepend_uint32(buf,st->index);
1476 buf_prepend_uint32(buf,st->current.remote_session_id);
1477 transport_xmit(st,&st->peers,buf,False);
1484 slog(st,LOG_DROP,"discarding outgoing packet of size %d",buf->size);
1486 initiate_key_setup(st,"outgoing packet",0);
1489 static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in,
1490 uint32_t type, struct msg *m)
1491 /* For packets which are identified by the local and remote names.
1492 * If it has our name and our peer's name in it it's for us. */
1494 struct buffer_if buf[1];
1495 buffer_readonly_clone(buf,buf_in);
1496 return unpick_msg(st,type,buf,m)
1497 && name_matches(&m->remote,st->remotename)
1498 && name_matches(&m->local,st->localname);
1501 /* This function is called by the communication device to deliver
1502 packets from our peers.
1503 It should return True if the packet is recognised as being for
1504 this current site instance (and should therefore not be processed
1505 by other sites), even if the packet was otherwise ignored. */
1506 static bool_t site_incoming(void *sst, struct buffer_if *buf,
1507 const struct comm_addr *source)
1509 struct site *st=sst;
1511 if (buf->size < 12) return False;
1513 uint32_t dest=get_uint32(buf->start);
1514 uint32_t msgtype=get_uint32(buf->start+8);
1515 struct msg named_msg;
1517 if (msgtype==LABEL_MSG1) {
1518 if (!named_for_us(st,buf,msgtype,&named_msg))
1520 /* It's a MSG1 addressed to us. Decide what to do about it. */
1521 dump_packet(st,buf,source,True);
1522 if (st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1523 st->state==SITE_WAIT) {
1524 /* We should definitely process it */
1525 if (process_msg1(st,buf,source,&named_msg)) {
1526 slog(st,LOG_SETUP_INIT,"key setup initiated by peer");
1527 enter_new_state(st,SITE_SENTMSG2);
1529 slog(st,LOG_ERROR,"failed to process incoming msg1");
1533 } else if (st->state==SITE_SENTMSG1) {
1534 /* We've just sent a message 1! They may have crossed on
1535 the wire. If we have priority then we ignore the
1536 incoming one, otherwise we process it as usual. */
1537 if (st->setup_priority) {
1539 slog(st,LOG_DUMP,"crossed msg1s; we are higher "
1540 "priority => ignore incoming msg1");
1543 slog(st,LOG_DUMP,"crossed msg1s; we are lower "
1544 "priority => use incoming msg1");
1545 if (process_msg1(st,buf,source,&named_msg)) {
1546 BUF_FREE(&st->buffer); /* Free our old message 1 */
1547 enter_new_state(st,SITE_SENTMSG2);
1549 slog(st,LOG_ERROR,"failed to process an incoming "
1550 "crossed msg1 (we have low priority)");
1556 /* The message 1 was received at an unexpected stage of the
1557 key setup. XXX POLICY - what do we do? */
1558 slog(st,LOG_UNEXPECTED,"unexpected incoming message 1");
1562 if (msgtype==LABEL_PROD) {
1563 if (!named_for_us(st,buf,msgtype,&named_msg))
1565 dump_packet(st,buf,source,True);
1566 if (st->state!=SITE_RUN) {
1567 slog(st,LOG_DROP,"ignoring PROD when not in state RUN");
1568 } else if (current_valid(st)) {
1569 slog(st,LOG_DROP,"ignoring PROD when we think we have a key");
1571 initiate_key_setup(st,"peer sent PROD packet",source);
1576 if (dest==st->index) {
1577 /* Explicitly addressed to us */
1578 if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True);
1581 /* If the source is our current peer then initiate a key setup,
1582 because our peer's forgotten the key */
1583 if (get_uint32(buf->start+4)==st->current.remote_session_id) {
1585 initiated = initiate_key_setup(st,"received a NAK",0);
1586 if (!initiated) generate_send_prod(st,source);
1588 slog(st,LOG_SEC,"bad incoming NAK");
1592 process_msg0(st,buf,source);
1595 /* Setup packet: should not have been explicitly addressed
1597 slog(st,LOG_SEC,"incoming explicitly addressed msg1");
1600 /* Setup packet: expected only in state SENTMSG1 */
1601 if (st->state!=SITE_SENTMSG1) {
1602 slog(st,LOG_UNEXPECTED,"unexpected MSG2");
1603 } else if (process_msg2(st,buf,source)) {
1604 transport_setup_msgok(st,source);
1605 enter_new_state(st,SITE_SENTMSG3);
1607 slog(st,LOG_SEC,"invalid MSG2");
1612 /* Setup packet: expected only in state SENTMSG2 */
1613 if (st->state!=SITE_SENTMSG2) {
1614 slog(st,LOG_UNEXPECTED,"unexpected MSG3");
1615 } else if (process_msg3(st,buf,source,msgtype)) {
1616 transport_setup_msgok(st,source);
1617 enter_new_state(st,SITE_SENTMSG4);
1619 slog(st,LOG_SEC,"invalid MSG3");
1623 /* Setup packet: expected only in state SENTMSG3 */
1624 if (st->state!=SITE_SENTMSG3) {
1625 slog(st,LOG_UNEXPECTED,"unexpected MSG4");
1626 } else if (process_msg4(st,buf,source)) {
1627 transport_setup_msgok(st,source);
1628 enter_new_state(st,SITE_SENTMSG5);
1630 slog(st,LOG_SEC,"invalid MSG4");
1634 /* Setup packet: expected only in state SENTMSG4 */
1635 /* (may turn up in state RUN if our return MSG6 was lost
1636 and the new key has already been activated. In that
1637 case we discard it. The peer will realise that we
1638 are using the new key when they see our data packets.
1639 Until then the peer's data packets to us get discarded. */
1640 if (st->state==SITE_SENTMSG4) {
1641 if (process_msg5(st,buf,source,st->new_transform)) {
1642 transport_setup_msgok(st,source);
1643 enter_new_state(st,SITE_RUN);
1645 slog(st,LOG_SEC,"invalid MSG5");
1647 } else if (st->state==SITE_RUN) {
1648 if (process_msg5(st,buf,source,st->current.transform)) {
1649 slog(st,LOG_DROP,"got MSG5, retransmitting MSG6");
1650 transport_setup_msgok(st,source);
1651 create_msg6(st,st->current.transform,
1652 st->current.remote_session_id);
1653 transport_xmit(st,&st->peers,&st->buffer,True);
1654 BUF_FREE(&st->buffer);
1656 slog(st,LOG_SEC,"invalid MSG5 (in state RUN)");
1659 slog(st,LOG_UNEXPECTED,"unexpected MSG5");
1663 /* Setup packet: expected only in state SENTMSG5 */
1664 if (st->state!=SITE_SENTMSG5) {
1665 slog(st,LOG_UNEXPECTED,"unexpected MSG6");
1666 } else if (process_msg6(st,buf,source)) {
1667 BUF_FREE(&st->buffer); /* Free message 5 */
1668 transport_setup_msgok(st,source);
1669 activate_new_key(st);
1671 slog(st,LOG_SEC,"invalid MSG6");
1675 slog(st,LOG_SEC,"received message of unknown type 0x%08x",
1686 static void site_control(void *vst, bool_t run)
1688 struct site *st=vst;
1689 if (run) enter_state_run(st);
1690 else enter_state_stop(st);
1693 static void site_phase_hook(void *sst, uint32_t newphase)
1695 struct site *st=sst;
1697 /* The program is shutting down; tell our peer */
1698 send_msg7(st,"shutting down");
1701 static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
1704 static uint32_t index_sequence;
1710 st=safe_malloc(sizeof(*st),"site_apply");
1712 st->cl.description="site";
1713 st->cl.type=CL_SITE;
1715 st->cl.interface=&st->ops;
1717 st->ops.control=site_control;
1718 st->ops.status=site_status;
1720 /* First parameter must be a dict */
1721 item=list_elem(args,0);
1722 if (!item || item->type!=t_dict)
1723 cfgfatal(loc,"site","parameter must be a dictionary\n");
1725 dict=item->data.dict;
1726 st->localname=dict_read_string(dict, "local-name", True, "site", loc);
1727 st->remotename=dict_read_string(dict, "name", True, "site", loc);
1729 st->peer_mobile=dict_read_bool(dict,"mobile",False,"site",loc,False);
1730 bool_t local_mobile=
1731 dict_read_bool(dict,"local-mobile",False,"site",loc,False);
1733 /* Sanity check (which also allows the 'sites' file to include
1734 site() closures for all sites including our own): refuse to
1735 talk to ourselves */
1736 if (strcmp(st->localname,st->remotename)==0) {
1737 Message(M_DEBUG,"site %s: local-name==name -> ignoring this site\n",
1739 if (st->peer_mobile != local_mobile)
1740 cfgfatal(loc,"site","site %s's peer-mobile=%d"
1741 " but our local-mobile=%d\n",
1742 st->localname, st->peer_mobile, local_mobile);
1746 if (st->peer_mobile && local_mobile) {
1747 Message(M_WARNING,"site %s: site is mobile but so are we"
1748 " -> ignoring this site\n", st->remotename);
1753 assert(index_sequence < 0xffffffffUL);
1754 st->index = ++index_sequence;
1755 st->local_capabilities = 0;
1756 st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc);
1758 #define GET_CLOSURE_LIST(dictkey,things,nthings,CL_TYPE) do{ \
1759 list_t *things##_cfg=dict_lookup(dict,dictkey); \
1760 if (!things##_cfg) \
1761 cfgfatal(loc,"site","closure list \"%s\" not found\n",dictkey); \
1762 st->nthings=list_length(things##_cfg); \
1763 st->things=safe_malloc_ary(sizeof(*st->things),st->nthings,dictkey "s"); \
1764 assert(st->nthings); \
1765 for (i=0; i<st->nthings; i++) { \
1766 item_t *item=list_elem(things##_cfg,i); \
1767 if (item->type!=t_closure) \
1768 cfgfatal(loc,"site","%s is not a closure\n",dictkey); \
1769 closure_t *cl=item->data.closure; \
1770 if (cl->type!=CL_TYPE) \
1771 cfgfatal(loc,"site","%s closure wrong type\n",dictkey); \
1772 st->things[i]=cl->interface; \
1776 GET_CLOSURE_LIST("comm",comms,ncomms,CL_COMM);
1778 st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc);
1779 st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc);
1780 st->random=find_cl_if(dict,"random",CL_RANDOMSRC,True,"site",loc);
1782 st->privkey=find_cl_if(dict,"local-key",CL_RSAPRIVKEY,True,"site",loc);
1783 st->address=dict_read_string(dict, "address", False, "site", loc);
1785 st->remoteport=dict_read_number(dict,"port",True,"site",loc,0);
1786 else st->remoteport=0;
1787 st->pubkey=find_cl_if(dict,"key",CL_RSAPUBKEY,True,"site",loc);
1789 GET_CLOSURE_LIST("transform",transforms,ntransforms,CL_TRANSFORM);
1791 st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
1792 st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
1794 #define DEFAULT(D) (st->peer_mobile || local_mobile \
1795 ? DEFAULT_MOBILE_##D : DEFAULT_##D)
1796 #define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
1798 st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
1799 st->setup_retries= CFG_NUMBER("setup-retries", SETUP_RETRIES);
1800 st->setup_retry_interval= CFG_NUMBER("setup-timeout", SETUP_RETRY_INTERVAL);
1801 st->wait_timeout= CFG_NUMBER("wait-time", WAIT_TIME);
1802 st->mtu_target= dict_read_number(dict,"mtu-target",False,"site",loc,0);
1804 st->mobile_peer_expiry= dict_read_number(
1805 dict,"mobile-peer-expiry",False,"site",loc,DEFAULT_MOBILE_PEER_EXPIRY);
1807 st->transport_peers_max= !st->peer_mobile ? 1 : dict_read_number(
1808 dict,"mobile-peers-max",False,"site",loc,DEFAULT_MOBILE_PEERS_MAX);
1809 if (st->transport_peers_max<1 ||
1810 st->transport_peers_max>=MAX_MOBILE_PEERS_MAX) {
1811 cfgfatal(loc,"site","mobile-peers-max must be in range 1.."
1812 STRING(MAX_MOBILE_PEERS_MAX) "\n");
1815 if (st->key_lifetime < DEFAULT(KEY_RENEGOTIATE_GAP)*2)
1816 st->key_renegotiate_time=st->key_lifetime/2;
1818 st->key_renegotiate_time=st->key_lifetime-DEFAULT(KEY_RENEGOTIATE_GAP);
1819 st->key_renegotiate_time=dict_read_number(
1820 dict,"renegotiate-time",False,"site",loc,st->key_renegotiate_time);
1821 if (st->key_renegotiate_time > st->key_lifetime) {
1822 cfgfatal(loc,"site",
1823 "renegotiate-time must be less than key-lifetime\n");
1826 st->log_events=string_list_to_word(dict_lookup(dict,"log-events"),
1827 log_event_table,"site");
1829 st->allow_send_prod=0;
1831 st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5,
1833 sprintf(st->tunname,"%s<->%s",st->localname,st->remotename);
1835 /* The information we expect to see in incoming messages of type 1 */
1836 /* fixme: lots of unchecked overflows here, but the results are only
1837 corrupted packets rather than undefined behaviour */
1838 st->setup_priority=(strcmp(st->localname,st->remotename)>0);
1840 buffer_new(&st->buffer,SETUP_BUFFER_LEN);
1842 buffer_new(&st->scratch,SETUP_BUFFER_LEN);
1843 BUF_ALLOC(&st->scratch,"site:scratch");
1845 /* We are interested in poll(), but only for timeouts. We don't have
1846 any fds of our own. */
1847 register_for_poll(st, site_beforepoll, site_afterpoll, 0, "site");
1850 st->remote_capabilities=0;
1851 st->chosen_transform=0;
1852 st->current.key_timeout=0;
1853 st->auxiliary_key.key_timeout=0;
1854 transport_peers_clear(st,&st->peers);
1855 transport_peers_clear(st,&st->setup_peers);
1856 /* XXX mlock these */
1857 st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret");
1858 st->sharedsecretlen=st->sharedsecretallocd=0;
1861 for (i=0; i<st->ntransforms; i++) {
1862 struct transform_if *ti=st->transforms[i];
1863 uint32_t capbit = 1UL << ti->capab_transformnum;
1864 if (st->local_capabilities & capbit)
1865 slog(st,LOG_ERROR,"transformnum capability bit"
1866 " %d (%#"PRIx32") reused", ti->capab_transformnum, capbit);
1867 st->local_capabilities |= capbit;
1870 /* We need to register the remote networks with the netlink device */
1871 uint32_t netlink_mtu; /* local virtual interface mtu */
1872 st->netlink->reg(st->netlink->st, site_outgoing, st, &netlink_mtu);
1873 if (!st->mtu_target)
1874 st->mtu_target=netlink_mtu;
1876 for (i=0; i<st->ncomms; i++)
1877 st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming);
1879 st->current.transform=0;
1880 st->auxiliary_key.transform=0;
1881 st->new_transform=0;
1882 st->auxiliary_is_new=0;
1884 enter_state_stop(st);
1886 add_hook(PHASE_SHUTDOWN,site_phase_hook,st);
1888 return new_closure(&st->cl);
1891 void site_module(dict_t *dict)
1893 add_closure(dict,"site",site_apply);
1897 /***** TRANSPORT PEERS definitions *****/
1899 static void transport_peers_debug(struct site *st, transport_peers *dst,
1900 const char *didwhat,
1901 int nargs, const struct comm_addr *args,
1906 if (!(st->log_events & LOG_PEER_ADDRS))
1907 return; /* an optimisation */
1909 slog(st, LOG_PEER_ADDRS, "peers (%s) %s nargs=%d => npeers=%d",
1910 (dst==&st->peers ? "data" :
1911 dst==&st->setup_peers ? "setup" : "UNKNOWN"),
1912 didwhat, nargs, dst->npeers);
1914 for (i=0, argp=(void*)args;
1916 i++, (argp+=stride?stride:sizeof(*args))) {
1917 const struct comm_addr *ca=(void*)argp;
1918 slog(st, LOG_PEER_ADDRS, " args: addrs[%d]=%s",
1919 i, ca->comm->addr_to_string(ca->comm->st,ca));
1921 for (i=0; i<dst->npeers; i++) {
1922 struct timeval diff;
1923 timersub(tv_now,&dst->peers[i].last,&diff);
1924 const struct comm_addr *ca=&dst->peers[i].addr;
1925 slog(st, LOG_PEER_ADDRS, " peers: addrs[%d]=%s T-%ld.%06ld",
1926 i, ca->comm->addr_to_string(ca->comm->st,ca),
1927 (unsigned long)diff.tv_sec, (unsigned long)diff.tv_usec);
1931 static int transport_peer_compar(const void *av, const void *bv) {
1932 const transport_peer *a=av;
1933 const transport_peer *b=bv;
1934 /* put most recent first in the array */
1935 if (timercmp(&a->last, &b->last, <)) return +1;
1936 if (timercmp(&a->last, &b->last, >)) return -11;
1940 static void transport_peers_expire(struct site *st, transport_peers *peers) {
1941 /* peers must be sorted first */
1942 int previous_peers=peers->npeers;
1943 struct timeval oldest;
1944 oldest.tv_sec = tv_now->tv_sec - st->mobile_peer_expiry;
1945 oldest.tv_usec = tv_now->tv_usec;
1946 while (peers->npeers>1 &&
1947 timercmp(&peers->peers[peers->npeers-1].last, &oldest, <))
1949 if (peers->npeers != previous_peers)
1950 transport_peers_debug(st,peers,"expire", 0,0,0);
1953 static void transport_record_peer(struct site *st, transport_peers *peers,
1954 const struct comm_addr *addr, const char *m) {
1955 int slot, changed=0;
1957 for (slot=0; slot<peers->npeers; slot++)
1958 if (!memcmp(&peers->peers[slot].addr, addr, sizeof(*addr)))
1962 if (peers->npeers==st->transport_peers_max)
1963 slot=st->transport_peers_max-1;
1965 slot=peers->npeers++;
1968 peers->peers[slot].addr=*addr;
1969 peers->peers[slot].last=*tv_now;
1971 if (peers->npeers>1)
1972 qsort(peers->peers, peers->npeers,
1973 sizeof(*peers->peers), transport_peer_compar);
1975 if (changed || peers->npeers!=1)
1976 transport_peers_debug(st,peers,m, 1,addr,0);
1977 transport_peers_expire(st, peers);
1980 static bool_t transport_compute_setupinit_peers(struct site *st,
1981 const struct comm_addr *configured_addr /* 0 if none or not found */,
1982 const struct comm_addr *prod_hint_addr /* 0 if none */) {
1984 if (!configured_addr && !prod_hint_addr &&
1985 !transport_peers_valid(&st->peers))
1988 slog(st,LOG_SETUP_INIT,
1989 "using:%s%s %d old peer address(es)",
1990 configured_addr ? " configured address;" : "",
1991 prod_hint_addr ? " PROD hint address;" : "",
1994 /* Non-mobile peers havve st->peers.npeers==0 or ==1, since they
1995 * have transport_peers_max==1. The effect is that this code
1996 * always uses the configured address if supplied, or otherwise
1997 * the address of the incoming PROD, or the existing data peer if
1998 * one exists; this is as desired. */
2000 transport_peers_copy(st,&st->setup_peers,&st->peers);
2003 transport_record_peer(st,&st->setup_peers,prod_hint_addr,"prod");
2005 if (configured_addr)
2006 transport_record_peer(st,&st->setup_peers,configured_addr,"setupinit");
2008 assert(transport_peers_valid(&st->setup_peers));
2012 static void transport_setup_msgok(struct site *st, const struct comm_addr *a) {
2013 if (st->peer_mobile)
2014 transport_record_peer(st,&st->setup_peers,a,"setupmsg");
2016 static void transport_data_msgok(struct site *st, const struct comm_addr *a) {
2017 if (st->peer_mobile)
2018 transport_record_peer(st,&st->peers,a,"datamsg");
2021 static int transport_peers_valid(transport_peers *peers) {
2022 return peers->npeers;
2024 static void transport_peers_clear(struct site *st, transport_peers *peers) {
2026 transport_peers_debug(st,peers,"clear",0,0,0);
2028 static void transport_peers_copy(struct site *st, transport_peers *dst,
2029 const transport_peers *src) {
2030 dst->npeers=src->npeers;
2031 memcpy(dst->peers, src->peers, sizeof(*dst->peers) * dst->npeers);
2032 transport_peers_debug(st,dst,"copy",
2033 src->npeers, &src->peers->addr, sizeof(*src->peers));
2036 void transport_xmit(struct site *st, transport_peers *peers,
2037 struct buffer_if *buf, bool_t candebug) {
2039 transport_peers_expire(st, peers);
2040 for (slot=0; slot<peers->npeers; slot++) {
2041 transport_peer *peer=&peers->peers[slot];
2043 dump_packet(st, buf, &peer->addr, False);
2044 peer->addr.comm->sendmsg(peer->addr.comm->st, buf, &peer->addr);
2048 /***** END of transport peers declarations *****/