struct dh_if *dh;
struct hash_if *hash;
- uint32_t setup_retries; /* How many times to send setup packets */
- uint32_t setup_timeout; /* Initial timeout for setup packets */
- uint32_t wait_timeout; /* How long to wait if setup unsuccessful */
- uint32_t key_lifetime; /* How long a key lasts once set up */
- uint32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
+ int32_t setup_retries; /* How many times to send setup packets */
+ int32_t setup_timeout; /* Initial timeout for setup packets */
+ int32_t wait_timeout; /* How long to wait if setup unsuccessful */
+ int32_t key_lifetime; /* How long a key lasts once set up */
+ int32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
after this time, initiate a new
key exchange */
bool_t keepalive; /* Send keepalives to detect peer failure (not yet
implemented) */
uint8_t *setupsig; /* Expected signature of incoming MSG1 packets */
- uint32_t setupsiglen; /* Allows us to discard packets quickly if
- they are not for us */
+ int32_t setupsiglen; /* Allows us to discard packets quickly if
+ they are not for us */
bool_t setup_priority; /* Do we have precedence if both sites emit
message 1 simultaneously? */
uint32_t log_events;
uint8_t localN[NONCELEN]; /* Nonces for key exchange */
uint8_t remoteN[NONCELEN];
struct buffer_if buffer; /* Current outgoing key exchange packet */
- uint32_t retries; /* Number of retries remaining */
+ int32_t retries; /* Number of retries remaining */
uint64_t timeout; /* Timeout for current state */
uint8_t *dhsecret;
uint8_t *sharedsecret;
static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
{
va_list ap;
- uint8_t buf[240];
+ char buf[240];
uint32_t class;
va_start(ap,msg);
default: class=M_ERR; break;
}
- vsnprintf(buf,240,msg,ap);
+ vsnprintf(buf,sizeof(buf),msg,ap);
st->log->log(st->log->st,class,"%s: %s",st->tunname,buf);
}
va_end(ap);
uint8_t *hashstart;
uint32_t dest;
uint32_t source;
- uint32_t remlen;
+ int32_t remlen;
uint8_t *remote;
- uint32_t loclen;
+ int32_t loclen;
uint8_t *local;
uint8_t *nR;
uint8_t *nL;
- uint32_t pklen;
+ int32_t pklen;
uint8_t *pk;
- uint32_t hashlen;
- uint32_t siglen;
+ int32_t hashlen;
+ int32_t siglen;
uint8_t *sig;
};
uint32_t msgtype=ntohl(*(uint32_t *)(buf->start+8));
if (st->log_events & LOG_DUMP)
- log(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x:",
- st->tunname,incoming?"incoming":"outgoing",
- dest,source,msgtype);
+ slilog(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x:",
+ st->tunname,incoming?"incoming":"outgoing",
+ dest,source,msgtype);
}
static uint32_t site_status(void *st)
/* XXX Erase keys etc. */
}
-static inline void site_settimeout(uint64_t timeout, uint64_t *now,
- int *timeout_io)
+static inline void site_settimeout(uint64_t timeout, int *timeout_io)
{
if (timeout) {
- uint64_t offset=timeout-*now;
+ int64_t offset=timeout-*now;
+ if (offset<0) offset=0;
if (offset>INT_MAX) offset=INT_MAX;
if (*timeout_io<0 || offset<*timeout_io)
*timeout_io=offset;
}
static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io,
- int *timeout_io, const struct timeval *tv_now,
- uint64_t *now)
+ int *timeout_io)
{
struct site *st=sst;
/* Work out when our next timeout is. The earlier of 'timeout' or
'current_key_timeout'. A stored value of '0' indicates no timeout
active. */
- site_settimeout(st->timeout, now, timeout_io);
- site_settimeout(st->current_key_timeout, now, timeout_io);
+ site_settimeout(st->timeout, timeout_io);
+ site_settimeout(st->current_key_timeout, timeout_io);
return 0; /* success */
}
/* NB site_afterpoll will be called before site_beforepoll is ever called */
-static void site_afterpoll(void *sst, struct pollfd *fds, int nfds,
- const struct timeval *tv_now, uint64_t *now)
+static void site_afterpoll(void *sst, struct pollfd *fds, int nfds)
{
struct site *st=sst;
st->key_lifetime=dict_read_number(
dict,"key-lifetime",False,"site",loc,DEFAULT_KEY_LIFETIME);
- if (st->key_lifetime < DEFAULT_KEY_RENEGOTIATE_GAP)
- st->key_renegotiate_time=st->key_lifetime/2;
- else
- st->key_renegotiate_time=st->key_lifetime-DEFAULT_KEY_RENEGOTIATE_GAP;
st->setup_retries=dict_read_number(
dict,"setup-retries",False,"site",loc,DEFAULT_SETUP_RETRIES);
st->setup_timeout=dict_read_number(
dict,"setup-timeout",False,"site",loc,DEFAULT_SETUP_TIMEOUT);
st->wait_timeout=dict_read_number(
dict,"wait-time",False,"site",loc,DEFAULT_WAIT_TIME);
+
+ if (st->key_lifetime < DEFAULT_KEY_RENEGOTIATE_GAP*2)
+ st->key_renegotiate_time=st->key_lifetime/2;
+ else
+ st->key_renegotiate_time=st->key_lifetime-DEFAULT_KEY_RENEGOTIATE_GAP;
st->key_renegotiate_time=dict_read_number(
- dict,"renegotiate-time",False,"site",loc,st->key_lifetime);
+ dict,"renegotiate-time",False,"site",loc,st->key_renegotiate_time);
if (st->key_renegotiate_time > st->key_lifetime) {
cfgfatal(loc,"site",
"renegotiate-time must be less than key-lifetime\n");
sprintf(st->tunname,"%s<->%s",st->localname,st->remotename);
/* The information we expect to see in incoming messages of type 1 */
+ /* fixme: lots of unchecked overflows here, but the results are only
+ corrupted packets rather than undefined behaviour */
st->setupsiglen=strlen(st->remotename)+strlen(st->localname)+8;
st->setupsig=safe_malloc(st->setupsiglen,"site_apply");
put_uint32(st->setupsig+0,LABEL_MSG1);
return new_closure(&st->cl);
}
-init_module site_module;
void site_module(dict_t *dict)
{
add_closure(dict,"site",site_apply);
~ian / secnet.git / blobdiff