#define SETUP_BUFFER_LEN 2048
-#define DEFAULT_KEY_LIFETIME 3600000 /* One hour */
-#define DEFAULT_KEY_RENEGOTIATE_GAP 300000 /* Five minutes */
+#define DEFAULT_KEY_LIFETIME (3600*1000) /* [ms] */
+#define DEFAULT_KEY_RENEGOTIATE_GAP (5*60*1000) /* [ms] */
#define DEFAULT_SETUP_RETRIES 5
-#define DEFAULT_SETUP_TIMEOUT 2000
-#define DEFAULT_WAIT_TIME 20000
+#define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
+#define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
/* Each site can be in one of several possible states. */
uint32_t index; /* Index of this site */
int32_t setup_retries; /* How many times to send setup packets */
- int32_t setup_timeout; /* Initial timeout for setup packets */
+ int32_t setup_retry_interval; /* Initial timeout for setup packets */
int32_t wait_timeout; /* How long to wait if setup unsuccessful */
int32_t key_lifetime; /* How long a key lasts once set up */
int32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
bool_t current_valid;
uint64_t current_key_timeout; /* End of life of current key */
uint64_t renegotiate_key_time; /* When we can negotiate a new key */
- struct sockaddr_in peer; /* Current address of peer */
+ struct comm_addr peer; /* Current address of peer */
bool_t peer_valid; /* Peer address becomes invalid when key times out,
but only if we have a DNS name for our peer */
timeout before we can listen for another setup packet); perhaps
we should keep a list of 'bad' sources for setup packets. */
uint32_t setup_session_id;
- struct sockaddr_in setup_peer;
+ struct comm_addr setup_peer;
uint8_t localN[NONCELEN]; /* Nonces for key exchange */
uint8_t remoteN[NONCELEN];
struct buffer_if buffer; /* Current outgoing key exchange packet */
}
static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
- struct sockaddr_in *src)
+ const struct comm_addr *src)
{
struct msg m;
}
static bool_t process_msg2(struct site *st, struct buffer_if *msg2,
- struct sockaddr_in *src)
+ const struct comm_addr *src)
{
struct msg m;
cstring_t err;
}
static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
- struct sockaddr_in *src)
+ const struct comm_addr *src)
{
struct msg m;
uint8_t *hash;
}
static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
- struct sockaddr_in *src)
+ const struct comm_addr *src)
{
struct msg m;
uint8_t *hash;
}
static bool_t process_msg5(struct site *st, struct buffer_if *msg5,
- struct sockaddr_in *src)
+ const struct comm_addr *src)
{
struct msg0 m;
cstring_t transform_err;
}
static bool_t process_msg6(struct site *st, struct buffer_if *msg6,
- struct sockaddr_in *src)
+ const struct comm_addr *src)
{
struct msg0 m;
cstring_t transform_err;
}
static bool_t process_msg0(struct site *st, struct buffer_if *msg0,
- struct sockaddr_in *src)
+ const struct comm_addr *src)
{
struct msg0 m;
cstring_t transform_err;
/* We must forget about the current session. */
delete_key(st,"request from peer",LOG_SEC);
return True;
- break;
case LABEL_MSG9:
/* Deliver to netlink layer */
st->netlink->deliver(st->netlink->st,msg0);
+ /* See whether we should start negotiating a new key */
+ if (st->now > st->renegotiate_key_time)
+ initiate_key_setup(st,"incoming packet in renegotiation window");
return True;
- break;
default:
slog(st,LOG_SEC,"incoming encrypted message of type %08x "
"(unknown)",type);
}
static void dump_packet(struct site *st, struct buffer_if *buf,
- struct sockaddr_in *addr, bool_t incoming)
+ const struct comm_addr *addr, bool_t incoming)
{
uint32_t dest=ntohl(*(uint32_t *)buf->start);
uint32_t source=ntohl(*(uint32_t *)(buf->start+4));
if (st->retries>0) {
dump_packet(st,&st->buffer,&st->setup_peer,False);
st->comm->sendmsg(st->comm->st,&st->buffer,&st->setup_peer);
- st->timeout=st->now+st->setup_timeout;
+ st->timeout=st->now+st->setup_retry_interval;
st->retries--;
return True;
} else {
}
if (address) {
memset(&st->setup_peer,0,sizeof(st->setup_peer));
- st->setup_peer.sin_family=AF_INET;
- st->setup_peer.sin_port=htons(st->remoteport);
- st->setup_peer.sin_addr=*address;
+ st->setup_peer.comm=st->comm;
+ st->setup_peer.sin.sin_family=AF_INET;
+ st->setup_peer.sin.sin_port=htons(st->remoteport);
+ st->setup_peer.sin.sin_addr=*address;
enter_new_state(st,SITE_SENTMSG1);
} else {
/* Resolution failed */
r= gen(st) && send_msg(st);
hacky_par_end(&r,
- st->setup_retries, st->setup_timeout,
+ st->setup_retries, st->setup_retry_interval,
send_msg, st);
if (r) {
buf_prepend_uint32(&st->buffer,LABEL_MSG0);
buf_prepend_uint32(&st->buffer,st->index);
buf_prepend_uint32(&st->buffer,st->remote_session_id);
+ dump_packet(st,&st->buffer,&st->peer,False);
st->comm->sendmsg(st->comm->st,&st->buffer,&st->peer);
BUF_FREE(&st->buffer);
return True;
st->comm->sendmsg(st->comm->st,buf,&st->peer);
}
BUF_FREE(buf);
- /* See whether we should start negotiating a new key */
- if (st->now > st->renegotiate_key_time)
- initiate_key_setup(st,"outgoing packet in renegotiation window");
return;
}
/* This function is called by the communication device to deliver
packets from our peers. */
static bool_t site_incoming(void *sst, struct buffer_if *buf,
- struct sockaddr_in *source)
+ const struct comm_addr *source)
{
struct site *st=sst;
uint32_t dest=ntohl(*(uint32_t *)buf->start);
st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
- st->key_lifetime=dict_read_number(
- dict,"key-lifetime",False,"site",loc,DEFAULT_KEY_LIFETIME);
- st->setup_retries=dict_read_number(
- dict,"setup-retries",False,"site",loc,DEFAULT_SETUP_RETRIES);
- st->setup_timeout=dict_read_number(
- dict,"setup-timeout",False,"site",loc,DEFAULT_SETUP_TIMEOUT);
- st->wait_timeout=dict_read_number(
- dict,"wait-time",False,"site",loc,DEFAULT_WAIT_TIME);
+#define DEFAULT(D) DEFAULT_##D
+#define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
+
+ st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
+ st->setup_retries= CFG_NUMBER("setup-retries", SETUP_RETRIES);
+ st->setup_retry_interval= CFG_NUMBER("setup-timeout", SETUP_RETRY_INTERVAL);
+ st->wait_timeout= CFG_NUMBER("wait-time", WAIT_TIME);
- if (st->key_lifetime < DEFAULT_KEY_RENEGOTIATE_GAP*2)
+ if (st->key_lifetime < DEFAULT(KEY_RENEGOTIATE_GAP)*2)
st->key_renegotiate_time=st->key_lifetime/2;
else
- st->key_renegotiate_time=st->key_lifetime-DEFAULT_KEY_RENEGOTIATE_GAP;
+ st->key_renegotiate_time=st->key_lifetime-DEFAULT(KEY_RENEGOTIATE_GAP);
st->key_renegotiate_time=dict_read_number(
dict,"renegotiate-time",False,"site",loc,st->key_renegotiate_time);
if (st->key_renegotiate_time > st->key_lifetime) {
~ian / secnet.git / blobdiff