X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=blobdiff_plain;f=site.c;h=49e04cfb31481110b6ab46b07d9104491976c231;hp=0e2c43a2ce215720603ae084669ba66ead51a004;hb=30834eab2fc4a8d2063025948dc575682844ddbc;hpb=4ac8a7d28bb43e846430ae4c46fe83109c1161bf

diff --git a/site.c b/site.c
index 0e2c43a..49e04cf 100644
--- a/site.c
+++ b/site.c
@@ -207,7 +207,11 @@ static void transport_setup_msgok(struct site *st, const struct comm_addr *a);
 static void transport_data_msgok(struct site *st, const struct comm_addr *a);
 static bool_t transport_compute_setupinit_peers(struct site *st,
         const struct comm_addr *configured_addr /* 0 if none or not found */,
-        const struct comm_addr *prod_hint_addr /* 0 if none */);
+        const struct comm_addr *incoming_packet_addr /* 0 if none */);
+static void transport_resolve_complete(struct site *st,
+                                      const struct comm_addr *a);
+static void transport_resolve_complete_tardy(struct site *st,
+					     const struct comm_addr *ca_use);
 static void transport_record_peer(struct site *st, transport_peers *peers,
 				  const struct comm_addr *addr, const char *m);
 
@@ -699,7 +703,6 @@ static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
        process an incoming MSG1, and that the MSG1 has correct values
        of A and B. */
 
-    transport_record_peer(st,&st->setup_peers,src,"msg1");
     st->setup_session_id=m->source;
     st->remote_capabilities=m->remote_capabilities;
     memcpy(st->remoteN,m->nR,NONCELEN);
@@ -1150,10 +1153,6 @@ static void site_resolve_callback(void *sst, struct in_addr *address)
 
     st->resolving=False;
 
-    if (st->state!=SITE_RESOLVE) {
-	slog(st,LOG_UNEXPECTED,"site_resolve_callback called unexpectedly");
-	return;
-    }
     if (address) {
 	FILLZERO(ca_buf);
 	ca_buf.comm=st->comms[0];
@@ -1167,12 +1166,59 @@ static void site_resolve_callback(void *sst, struct in_addr *address)
 	slog(st,LOG_ERROR,"resolution of %s failed",st->address);
 	ca_use=0;
     }
-    if (transport_compute_setupinit_peers(st,ca_use,0)) {
-	enter_new_state(st,SITE_SENTMSG1);
-    } else {
-	/* Can't figure out who to try to to talk to */
-	slog(st,LOG_SETUP_INIT,"key exchange failed: cannot find peer address");
-	enter_state_run(st);
+
+    switch (st->state) {
+    case SITE_RESOLVE:
+        if (transport_compute_setupinit_peers(st,ca_use,0)) {
+	    enter_new_state(st,SITE_SENTMSG1);
+	} else {
+	    /* Can't figure out who to try to to talk to */
+	    slog(st,LOG_SETUP_INIT,
+		 "key exchange failed: cannot find peer address");
+	    enter_state_run(st);
+	}
+	break;
+    case SITE_SENTMSG1: case SITE_SENTMSG2:
+    case SITE_SENTMSG3: case SITE_SENTMSG4:
+    case SITE_SENTMSG5:
+	if (ca_use) {
+	    /* We start using the address immediately for data too.
+	     * It's best to store it in st->peers now because we might
+	     * go via SENTMSG5, WAIT, and a MSG0, straight into using
+	     * the new key (without updating the data peer addrs). */
+	    transport_resolve_complete(st,ca_use);
+	} else if (st->local_mobile) {
+	    /* We can't let this rest because we may have a peer
+	     * address which will break in the future. */
+	    slog(st,LOG_SETUP_INIT,"resolution of %s failed: "
+		 "abandoning key exchange",st->address);
+	    enter_state_wait(st);
+	} else {
+	    slog(st,LOG_SETUP_INIT,"resolution of %s failed: "
+		 " continuing to use source address of peer's packets"
+		 " for key exchange and ultimately data",
+		 st->address);
+	}
+	break;
+    case SITE_RUN:
+	if (ca_use) {
+	    slog(st,LOG_SETUP_INIT,"resolution of %s completed tardily,"
+		 " updating peer address(es)",st->address);
+	    transport_resolve_complete_tardy(st,ca_use);
+	} else if (st->local_mobile) {
+	    /* Not very good.  We should queue (another) renegotiation
+	     * so that we can update the peer address. */
+	    st->key_renegotiate_time=st->now+st->wait_timeout;
+	} else {
+	    slog(st,LOG_SETUP_INIT,"resolution of %s failed: "
+		 " continuing to use source address of peer's packets",
+		 st->address);
+	}
+	break;
+    case SITE_WAIT:
+    case SITE_STOP:
+	/* oh well */
+	break;
     }
 }
 
@@ -1584,9 +1630,14 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf,
 	if (st->state==SITE_RUN || st->state==SITE_RESOLVE ||
 	    st->state==SITE_WAIT) {
 	    /* We should definitely process it */
+	    transport_compute_setupinit_peers(st,0,source);
 	    if (process_msg1(st,buf,source,&named_msg)) {
 		slog(st,LOG_SETUP_INIT,"key setup initiated by peer");
-		enter_new_state(st,SITE_SENTMSG2);
+		bool_t entered=enter_new_state(st,SITE_SENTMSG2);
+		if (entered && st->address && st->local_mobile)
+		    /* We must do this as the very last thing, because
+		       the resolver callback might reenter us. */
+		    ensure_resolving(st);
 	    } else {
 		slog(st,LOG_ERROR,"failed to process incoming msg1");
 	    }
@@ -1606,6 +1657,7 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf,
 		     "priority => use incoming msg1");
 		if (process_msg1(st,buf,source,&named_msg)) {
 		    BUF_FREE(&st->buffer); /* Free our old message 1 */
+		    transport_setup_msgok(st,source);
 		    enter_new_state(st,SITE_SENTMSG2);
 		} else {
 		    slog(st,LOG_ERROR,"failed to process an incoming "
@@ -2042,16 +2094,16 @@ static void transport_record_peer(struct site *st, transport_peers *peers,
 
 static bool_t transport_compute_setupinit_peers(struct site *st,
         const struct comm_addr *configured_addr /* 0 if none or not found */,
-        const struct comm_addr *prod_hint_addr /* 0 if none */) {
+        const struct comm_addr *incoming_packet_addr /* 0 if none */) {
 
-    if (!configured_addr && !prod_hint_addr &&
+    if (!configured_addr && !incoming_packet_addr &&
 	!transport_peers_valid(&st->peers))
 	return False;
 
     slog(st,LOG_SETUP_INIT,
 	 "using:%s%s %d old peer address(es)",
 	 configured_addr ? " configured address;" : "",
-	 prod_hint_addr ? " PROD hint address;" : "",
+	 incoming_packet_addr ? " incoming packet address;" : "",
 	 st->peers.npeers);
 
     /* Non-mobile peers have st->peers.npeers==0 or ==1, since they
@@ -2062,8 +2114,9 @@ static bool_t transport_compute_setupinit_peers(struct site *st,
 
     transport_peers_copy(st,&st->setup_peers,&st->peers);
 
-    if (prod_hint_addr)
-	transport_record_peer(st,&st->setup_peers,prod_hint_addr,"prod");
+    if (incoming_packet_addr)
+	transport_record_peer(st,&st->setup_peers,incoming_packet_addr,
+			      "incoming");
 
     if (configured_addr)
 	transport_record_peer(st,&st->setup_peers,configured_addr,"setupinit");
@@ -2096,6 +2149,17 @@ static void transport_peers_copy(struct site *st, transport_peers *dst,
 			  src->npeers, &src->peers->addr, sizeof(*src->peers));
 }
 
+static void transport_resolve_complete(struct site *st,
+				       const struct comm_addr *ca_use) {
+    transport_record_peer(st,&st->peers,ca_use,"resolved data");
+    transport_record_peer(st,&st->setup_peers,ca_use,"resolved setup");
+}
+
+static void transport_resolve_complete_tardy(struct site *st,
+					     const struct comm_addr *ca_use) {
+    transport_record_peer(st,&st->peers,ca_use,"resolved tardily");
+}
+
 void transport_xmit(struct site *st, transport_peers *peers,
 		    struct buffer_if *buf, bool_t candebug) {
     int slot;