1 /* site.c - manage communication with a remote network site */
3 /* The 'site' code doesn't know anything about the structure of the
4 packets it's transmitting. In fact, under the new netlink
5 configuration scheme it doesn't need to know anything at all about
6 IP addresses, except how to contact its peer. This means it could
7 potentially be used to tunnel other protocols too (IPv6, IPX, plain
8 old Ethernet frames) if appropriate netlink code can be written
9 (and that ought not to be too hard, eg. using the TUN/TAP device to
10 pretend to be an Ethernet interface). */
12 /* At some point in the future the netlink code will be asked for
13 configuration information to go in the PING/PONG packets at the end
14 of the key exchange. */
21 #include <sys/socket.h>
25 #include "unaligned.h"
28 #define SETUP_BUFFER_LEN 2048
30 #define DEFAULT_KEY_LIFETIME (3600*1000) /* [ms] */
31 #define DEFAULT_KEY_RENEGOTIATE_GAP (5*60*1000) /* [ms] */
32 #define DEFAULT_SETUP_RETRIES 5
33 #define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
34 #define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
36 #define DEFAULT_MOBILE_KEY_LIFETIME (2*24*3600*1000) /* [ms] */
37 #define DEFAULT_MOBILE_KEY_RENEGOTIATE_GAP (12*3600*1000) /* [ms] */
38 #define DEFAULT_MOBILE_SETUP_RETRIES 30
39 #define DEFAULT_MOBILE_SETUP_RETRY_INTERVAL (1*1000) /* [ms] */
40 #define DEFAULT_MOBILE_WAIT_TIME (10*1000) /* [ms] */
42 #define DEFAULT_MOBILE_PEER_EXPIRY (2*60) /* [s] */
43 #define DEFAULT_MOBILE_PEERS_MAX 3 /* send at most this many copies (default) */
45 /* Each site can be in one of several possible states. */
48 SITE_STOP - nothing is allowed to happen; tunnel is down;
49 all session keys have been erased
50 -> SITE_RUN upon external instruction
51 SITE_RUN - site up, maybe with valid key
52 -> SITE_RESOLVE upon outgoing packet and no valid key
53 we start name resolution for the other end of the tunnel
54 -> SITE_SENTMSG2 upon valid incoming message 1 and suitable time
55 we send an appropriate message 2
56 SITE_RESOLVE - waiting for name resolution
57 -> SITE_SENTMSG1 upon successful resolution
58 we send an appropriate message 1
59 -> SITE_SENTMSG2 upon valid incoming message 1 (then abort resolution)
60 we abort resolution and
61 -> SITE_WAIT on timeout or resolution failure
63 -> SITE_SENTMSG2 upon valid incoming message 1 from higher priority end
64 -> SITE_SENTMSG3 upon valid incoming message 2
65 -> SITE_WAIT on timeout
67 -> SITE_SENTMSG4 upon valid incoming message 3
68 -> SITE_WAIT on timeout
70 -> SITE_SENTMSG5 upon valid incoming message 4
71 -> SITE_WAIT on timeout
73 -> SITE_RUN upon valid incoming message 5
74 -> SITE_WAIT on timeout
76 -> SITE_RUN upon valid incoming message 6
77 -> SITE_WAIT on timeout
78 SITE_WAIT - failed to establish key; do nothing for a while
79 -> SITE_RUN on timeout
84 #define SITE_RESOLVE 2
85 #define SITE_SENTMSG1 3
86 #define SITE_SENTMSG2 4
87 #define SITE_SENTMSG3 5
88 #define SITE_SENTMSG4 6
89 #define SITE_SENTMSG5 7
92 int32_t site_max_start_pad = 4*4;
94 static cstring_t state_name(uint32_t state)
97 case 0: return "STOP";
99 case 2: return "RESOLVE";
100 case 3: return "SENTMSG1";
101 case 4: return "SENTMSG2";
102 case 5: return "SENTMSG3";
103 case 6: return "SENTMSG4";
104 case 7: return "SENTMSG5";
105 case 8: return "WAIT";
106 default: return "*bad state*";
112 #define LOG_UNEXPECTED 0x00000001
113 #define LOG_SETUP_INIT 0x00000002
114 #define LOG_SETUP_TIMEOUT 0x00000004
115 #define LOG_ACTIVATE_KEY 0x00000008
116 #define LOG_TIMEOUT_KEY 0x00000010
117 #define LOG_SEC 0x00000020
118 #define LOG_STATE 0x00000040
119 #define LOG_DROP 0x00000080
120 #define LOG_DUMP 0x00000100
121 #define LOG_ERROR 0x00000400
122 #define LOG_PEER_ADDRS 0x00000800
124 static struct flagstr log_event_table[]={
125 { "unexpected", LOG_UNEXPECTED },
126 { "setup-init", LOG_SETUP_INIT },
127 { "setup-timeout", LOG_SETUP_TIMEOUT },
128 { "activate-key", LOG_ACTIVATE_KEY },
129 { "timeout-key", LOG_TIMEOUT_KEY },
130 { "security", LOG_SEC },
131 { "state-change", LOG_STATE },
132 { "packet-drop", LOG_DROP },
133 { "dump-packets", LOG_DUMP },
134 { "errors", LOG_ERROR },
135 { "peer-addrs", LOG_PEER_ADDRS },
136 { "default", LOG_SETUP_INIT|LOG_SETUP_TIMEOUT|
137 LOG_ACTIVATE_KEY|LOG_TIMEOUT_KEY|LOG_SEC|LOG_ERROR },
138 { "all", 0xffffffff },
143 /***** TRANSPORT PEERS declarations *****/
145 /* Details of "mobile peer" semantics:
147 - We record mobile_peers_max peer address/port numbers ("peers")
148 for key setup, and separately mobile_peers_max for data
149 transfer. If these lists fill up, we retain the newest peers.
150 (For non-mobile peers we only record one of each.)
152 - Outgoing packets are sent to every recorded peer in the
155 - Data transfer peers are straightforward: whenever we successfully
156 process a data packet, we record the peer. Also, whenever we
157 successfully complete a key setup, we merge the key setup
158 peers into the data transfer peers.
160 (For "non-mobile" peers we simply copy the peer used for
161 successful key setup, and don't change the peer otherwise.)
163 - Key setup peers are slightly more complicated.
165 Whenever we receive and successfully process a key exchange
166 packet, we record the peer.
168 Whenever we try to initiate a key setup, we copy the list of data
169 transfer peers and use it for key setup. But we also look to see
170 if the config supplies an address and port number and if so we
171 add that as a key setup peer (possibly evicting one of the data
172 transfer peers we just copied).
174 (For "non-mobile" peers, if we if we have a configured peer
175 address and port, we always use that; otherwise if we have a
176 current data peer address we use that; otherwise we do not
177 attempt to initiate a key setup for lack of a peer address.)
179 "Record the peer" means
180 1. expire any peers last seen >120s ("mobile-peer-expiry") ago
181 2. add the peer of the just received packet to the applicable list
182 (possibly evicting older entries)
183 NB that we do not expire peers until an incoming packet arrives.
187 #define MAX_MOBILE_PEERS_MAX 5 /* send at most this many copies, compiled max */
191 struct comm_addr addr;
195 /* configuration information */
196 /* runtime information */
198 transport_peer peers[MAX_MOBILE_PEERS_MAX];
201 static void transport_peers_clear(struct site *st, transport_peers *peers);
202 static int transport_peers_valid(transport_peers *peers);
203 static void transport_peers_copy(struct site *st, transport_peers *dst,
204 const transport_peers *src);
206 static void transport_setup_msgok(struct site *st, const struct comm_addr *a);
207 static void transport_data_msgok(struct site *st, const struct comm_addr *a);
208 static bool_t transport_compute_setupinit_peers(struct site *st,
209 const struct comm_addr *configured_addr /* 0 if none or not found */);
210 static void transport_record_peer(struct site *st, transport_peers *peers,
211 const struct comm_addr *addr, const char *m);
213 static void transport_xmit(struct site *st, transport_peers *peers,
214 struct buffer_if *buf, bool_t candebug);
216 /***** END of transport peers declarations *****/
220 struct transform_inst_if *transform;
221 uint64_t key_timeout; /* End of life of current key */
222 uint32_t remote_session_id;
228 /* configuration information */
231 bool_t peer_mobile; /* Mobile client support */
232 int32_t transport_peers_max;
233 string_t tunname; /* localname<->remotename by default, used in logs */
234 string_t address; /* DNS name for bootstrapping, optional */
235 int remoteport; /* Port for bootstrapping, optional */
236 struct netlink_if *netlink;
237 struct comm_if **comms;
239 struct resolver_if *resolver;
241 struct random_if *random;
242 struct rsaprivkey_if *privkey;
243 struct rsapubkey_if *pubkey;
244 struct transform_if **transforms;
247 struct hash_if *hash;
249 uint32_t index; /* Index of this site */
250 uint32_t local_capabilities;
251 int32_t setup_retries; /* How many times to send setup packets */
252 int32_t setup_retry_interval; /* Initial timeout for setup packets */
253 int32_t wait_timeout; /* How long to wait if setup unsuccessful */
254 int32_t mobile_peer_expiry; /* How long to remember 2ary addresses */
255 int32_t key_lifetime; /* How long a key lasts once set up */
256 int32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
257 after this time, initiate a new
260 bool_t setup_priority; /* Do we have precedence if both sites emit
261 message 1 simultaneously? */
264 /* runtime information */
266 uint64_t now; /* Most recently seen time */
268 /* The currently established session */
269 struct data_key current;
270 struct data_key auxiliary_key;
271 bool_t auxiliary_is_new;
272 uint64_t renegotiate_key_time; /* When we can negotiate a new key */
273 uint64_t auxiliary_renegotiate_key_time;
274 transport_peers peers; /* Current address(es) of peer for data traffic */
276 /* The current key setup protocol exchange. We can only be
277 involved in one of these at a time. There's a potential for
278 denial of service here (the attacker keeps sending a setup
279 packet; we keep trying to continue the exchange, and have to
280 timeout before we can listen for another setup packet); perhaps
281 we should keep a list of 'bad' sources for setup packets. */
282 uint32_t remote_capabilities;
283 struct transform_if *chosen_transform;
284 uint32_t setup_session_id;
285 transport_peers setup_peers;
286 uint8_t localN[NONCELEN]; /* Nonces for key exchange */
287 uint8_t remoteN[NONCELEN];
288 struct buffer_if buffer; /* Current outgoing key exchange packet */
289 struct buffer_if scratch;
290 int32_t retries; /* Number of retries remaining */
291 uint64_t timeout; /* Timeout for current state */
293 uint8_t *sharedsecret;
294 uint32_t sharedsecretlen, sharedsecretallocd;
295 struct transform_inst_if *new_transform; /* For key setup/verify */
298 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
300 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
308 if (event&st->log_events) {
310 case LOG_UNEXPECTED: class=M_INFO; break;
311 case LOG_SETUP_INIT: class=M_INFO; break;
312 case LOG_SETUP_TIMEOUT: class=M_NOTICE; break;
313 case LOG_ACTIVATE_KEY: class=M_INFO; break;
314 case LOG_TIMEOUT_KEY: class=M_INFO; break;
315 case LOG_SEC: class=M_SECURITY; break;
316 case LOG_STATE: class=M_DEBUG; break;
317 case LOG_DROP: class=M_DEBUG; break;
318 case LOG_DUMP: class=M_DEBUG; break;
319 case LOG_ERROR: class=M_ERR; break;
320 case LOG_PEER_ADDRS: class=M_DEBUG; break;
321 default: class=M_ERR; break;
324 vsnprintf(buf,sizeof(buf),msg,ap);
325 slilog(st->log,class,"%s: %s",st->tunname,buf);
330 static void set_link_quality(struct site *st);
331 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel);
332 static void delete_one_key(struct site *st, struct data_key *key,
333 const char *reason /* may be 0 meaning don't log*/,
334 const char *which /* ignored if !reasonn */,
335 uint32_t loglevel /* ignored if !reasonn */);
336 static bool_t initiate_key_setup(struct site *st, cstring_t reason);
337 static void enter_state_run(struct site *st);
338 static bool_t enter_state_resolve(struct site *st);
339 static bool_t enter_new_state(struct site *st,uint32_t next);
340 static void enter_state_wait(struct site *st);
341 static void activate_new_key(struct site *st);
343 static bool_t is_transform_valid(struct transform_inst_if *transform)
345 return transform && transform->valid(transform->st);
348 static bool_t current_valid(struct site *st)
350 return is_transform_valid(st->current.transform);
353 #define DEFINE_CALL_TRANSFORM(fwdrev) \
354 static int call_transform_##fwdrev(struct site *st, \
355 struct transform_inst_if *transform, \
356 struct buffer_if *buf, \
357 const char **errmsg) \
359 if (!is_transform_valid(transform)) { \
360 *errmsg="transform not set up"; \
363 return transform->fwdrev(transform->st,buf,errmsg); \
366 DEFINE_CALL_TRANSFORM(forwards)
367 DEFINE_CALL_TRANSFORM(reverse)
369 static void dispose_transform(struct transform_inst_if **transform_var)
371 struct transform_inst_if *transform=*transform_var;
373 transform->delkey(transform->st);
374 transform->destroy(transform->st);
379 #define CHECK_AVAIL(b,l) do { if ((b)->size<(l)) return False; } while(0)
380 #define CHECK_EMPTY(b) do { if ((b)->size!=0) return False; } while(0)
381 #define CHECK_TYPE(b,t) do { uint32_t type; \
382 CHECK_AVAIL((b),4); \
383 type=buf_unprepend_uint32((b)); \
384 if (type!=(t)) return False; } while(0)
389 struct buffer_if extrainfo;
396 struct parsedname remote;
397 struct parsedname local;
398 uint32_t remote_capabilities;
399 int capab_transformnum;
409 static void set_new_transform(struct site *st, char *pk)
411 /* Make room for the shared key */
412 st->sharedsecretlen=st->chosen_transform->keylen?:st->dh->ceil_len;
413 assert(st->sharedsecretlen);
414 if (st->sharedsecretlen > st->sharedsecretallocd) {
415 st->sharedsecretallocd=st->sharedsecretlen;
416 st->sharedsecret=realloc(st->sharedsecret,st->sharedsecretallocd);
418 if (!st->sharedsecret) fatal_perror("site:sharedsecret");
420 /* Generate the shared key */
421 st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,pk,
422 st->sharedsecret,st->sharedsecretlen);
424 /* Set up the transform */
425 struct transform_if *generator=st->chosen_transform;
426 struct transform_inst_if *generated=generator->create(generator->st);
427 generated->setkey(generated->st,st->sharedsecret,
428 st->sharedsecretlen,st->setup_priority);
429 dispose_transform(&st->new_transform);
430 st->new_transform=generated;
432 slog(st,LOG_SETUP_INIT,"key exchange negotiated transform"
433 " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")",
434 st->chosen_transform->capab_transformnum,
435 st->local_capabilities, st->remote_capabilities);
439 int32_t lenpos, afternul;
441 static void append_string_xinfo_start(struct buffer_if *buf,
442 struct xinfoadd *xia,
444 /* Helps construct one of the names with additional info as found
445 * in MSG1..4. Call this function first, then append all the
446 * desired extra info (not including the nul byte) to the buffer,
447 * then call append_string_xinfo_done. */
449 xia->lenpos = buf->size;
450 buf_append_string(buf,str);
451 buf_append_uint8(buf,0);
452 xia->afternul = buf->size;
454 static void append_string_xinfo_done(struct buffer_if *buf,
455 struct xinfoadd *xia)
457 /* we just need to adjust the string length */
458 if (buf->size == xia->afternul) {
459 /* no extra info, strip the nul too */
460 buf_unappend_uint8(buf);
462 put_uint16(buf->start+xia->lenpos, buf->size-(xia->lenpos+2));
466 /* Build any of msg1 to msg4. msg5 and msg6 are built from the inside
467 out using a transform of config data supplied by netlink */
468 static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what)
474 st->retries=st->setup_retries;
475 BUF_ALLOC(&st->buffer,what);
476 buffer_init(&st->buffer,0);
477 buf_append_uint32(&st->buffer,
478 (type==LABEL_MSG1?0:st->setup_session_id));
479 buf_append_uint32(&st->buffer,st->index);
480 buf_append_uint32(&st->buffer,type);
483 append_string_xinfo_start(&st->buffer,&xia,st->localname);
484 if ((st->local_capabilities & CAPAB_EARLY) || (type != LABEL_MSG1)) {
485 buf_append_uint32(&st->buffer,st->local_capabilities);
487 append_string_xinfo_done(&st->buffer,&xia);
489 buf_append_string(&st->buffer,st->remotename);
490 memcpy(buf_append(&st->buffer,NONCELEN),st->localN,NONCELEN);
491 if (type==LABEL_MSG1) return True;
492 memcpy(buf_append(&st->buffer,NONCELEN),st->remoteN,NONCELEN);
493 if (type==LABEL_MSG2) return True;
495 if (hacky_par_mid_failnow()) return False;
497 if (type==LABEL_MSG3BIS)
498 buf_append_uint8(&st->buffer,st->chosen_transform->capab_transformnum);
500 dhpub=st->dh->makepublic(st->dh->st,st->dhsecret,st->dh->len);
501 buf_append_string(&st->buffer,dhpub);
503 hash=safe_malloc(st->hash->len, "generate_msg");
504 hst=st->hash->init();
505 st->hash->update(hst,st->buffer.start,st->buffer.size);
506 st->hash->final(hst,hash);
507 sig=st->privkey->sign(st->privkey->st,hash,st->hash->len);
508 buf_append_string(&st->buffer,sig);
514 static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm)
517 nm->len=buf_unprepend_uint16(msg);
518 CHECK_AVAIL(msg,nm->len);
519 nm->name=buf_unprepend(msg,nm->len);
520 uint8_t *nul=memchr(nm->name,0,nm->len);
522 buffer_readonly_view(&nm->extrainfo,0,0);
524 buffer_readonly_view(&nm->extrainfo, nul+1, msg->start-(nul+1));
525 nm->len=nul-nm->name;
530 static bool_t unpick_msg(struct site *st, uint32_t type,
531 struct buffer_if *msg, struct msg *m)
533 m->capab_transformnum=-1;
534 m->hashstart=msg->start;
536 m->dest=buf_unprepend_uint32(msg);
538 m->source=buf_unprepend_uint32(msg);
539 CHECK_TYPE(msg,type);
540 if (!unpick_name(msg,&m->remote)) return False;
541 m->remote_capabilities=0;
542 if (m->remote.extrainfo.size) {
543 CHECK_AVAIL(&m->remote.extrainfo,4);
544 m->remote_capabilities=buf_unprepend_uint32(&m->remote.extrainfo);
546 if (!unpick_name(msg,&m->local)) return False;
547 CHECK_AVAIL(msg,NONCELEN);
548 m->nR=buf_unprepend(msg,NONCELEN);
549 if (type==LABEL_MSG1) {
553 CHECK_AVAIL(msg,NONCELEN);
554 m->nL=buf_unprepend(msg,NONCELEN);
555 if (type==LABEL_MSG2) {
559 if (type==LABEL_MSG3BIS) {
561 m->capab_transformnum = buf_unprepend_uint8(msg);
563 m->capab_transformnum = CAPAB_TRANSFORMNUM_ANCIENT;
566 m->pklen=buf_unprepend_uint16(msg);
567 CHECK_AVAIL(msg,m->pklen);
568 m->pk=buf_unprepend(msg,m->pklen);
569 m->hashlen=msg->start-m->hashstart;
571 m->siglen=buf_unprepend_uint16(msg);
572 CHECK_AVAIL(msg,m->siglen);
573 m->sig=buf_unprepend(msg,m->siglen);
578 static bool_t name_matches(const struct parsedname *nm, const char *expected)
580 int expected_len=strlen(expected);
582 nm->len == expected_len &&
583 !memcmp(nm->name, expected, expected_len);
586 static bool_t check_msg(struct site *st, uint32_t type, struct msg *m,
589 if (type==LABEL_MSG1) return True;
591 /* Check that the site names and our nonce have been sent
592 back correctly, and then store our peer's nonce. */
593 if (!name_matches(&m->remote,st->remotename)) {
594 *error="wrong remote site name";
597 if (!name_matches(&m->local,st->localname)) {
598 *error="wrong local site name";
601 if (memcmp(m->nL,st->localN,NONCELEN)!=0) {
602 *error="wrong locally-generated nonce";
605 if (type==LABEL_MSG2) return True;
606 if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) {
607 *error="wrong remotely-generated nonce";
610 /* MSG3 has complicated rules about capabilities, which are
611 * handled in process_msg3. */
612 if (type==LABEL_MSG3 || type==LABEL_MSG3BIS) return True;
613 if (m->remote_capabilities!=st->remote_capabilities) {
614 *error="remote capabilities changed";
617 if (type==LABEL_MSG4) return True;
618 *error="unknown message type";
622 static bool_t generate_msg1(struct site *st)
624 st->random->generate(st->random->st,NONCELEN,st->localN);
625 return generate_msg(st,LABEL_MSG1,"site:MSG1");
628 static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
629 const struct comm_addr *src, struct msg *m)
631 /* We've already determined we're in an appropriate state to
632 process an incoming MSG1, and that the MSG1 has correct values
635 transport_record_peer(st,&st->setup_peers,src,"msg1");
636 st->setup_session_id=m->source;
637 st->remote_capabilities=m->remote_capabilities;
638 memcpy(st->remoteN,m->nR,NONCELEN);
642 static bool_t generate_msg2(struct site *st)
644 st->random->generate(st->random->st,NONCELEN,st->localN);
645 return generate_msg(st,LABEL_MSG2,"site:MSG2");
648 static bool_t process_msg2(struct site *st, struct buffer_if *msg2,
649 const struct comm_addr *src)
654 if (!unpick_msg(st,LABEL_MSG2,msg2,&m)) return False;
655 if (!check_msg(st,LABEL_MSG2,&m,&err)) {
656 slog(st,LOG_SEC,"msg2: %s",err);
659 st->setup_session_id=m.source;
660 st->remote_capabilities=m.remote_capabilities;
662 /* Select the transform to use */
664 uint32_t remote_transforms = st->remote_capabilities & CAPAB_TRANSFORM_MASK;
665 if (!remote_transforms)
666 /* old secnets only had this one transform */
667 remote_transforms = 1UL << CAPAB_TRANSFORMNUM_ANCIENT;
669 struct transform_if *ti;
671 for (i=0; i<st->ntransforms; i++) {
672 ti=st->transforms[i];
673 if ((1UL << ti->capab_transformnum) & remote_transforms)
674 goto transform_found;
676 slog(st,LOG_ERROR,"no transforms in common"
677 " (us %#"PRIx32"; them: %#"PRIx32")",
678 st->local_capabilities & CAPAB_TRANSFORM_MASK,
682 st->chosen_transform=ti;
684 memcpy(st->remoteN,m.nR,NONCELEN);
688 static bool_t generate_msg3(struct site *st)
690 /* Now we have our nonce and their nonce. Think of a secret key,
691 and create message number 3. */
692 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
693 return generate_msg(st,
694 (st->remote_capabilities & CAPAB_TRANSFORM_MASK
695 ? LABEL_MSG3BIS : LABEL_MSG3),
699 static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
700 const struct comm_addr *src, uint32_t msgtype)
707 assert(msgtype==LABEL_MSG3 || msgtype==LABEL_MSG3BIS);
709 if (!unpick_msg(st,msgtype,msg3,&m)) return False;
710 if (!check_msg(st,msgtype,&m,&err)) {
711 slog(st,LOG_SEC,"msg3: %s",err);
714 uint32_t capab_adv_late = m.remote_capabilities
715 & ~st->remote_capabilities & CAPAB_EARLY;
716 if (capab_adv_late) {
717 slog(st,LOG_SEC,"msg3 impermissibly adds early capability flag(s)"
718 " %#"PRIx32" (was %#"PRIx32", now %#"PRIx32")",
719 capab_adv_late, st->remote_capabilities, m.remote_capabilities);
722 st->remote_capabilities|=m.remote_capabilities;
724 struct transform_if *ti;
726 for (i=0; i<st->ntransforms; i++) {
727 ti=st->transforms[i];
728 if (ti->capab_transformnum == m.capab_transformnum)
729 goto transform_found;
731 slog(st,LOG_SEC,"peer chose unknown-to-us transform %d!",
732 m.capab_transformnum);
735 st->chosen_transform=ti;
737 /* Check signature and store g^x mod m */
738 hash=safe_malloc(st->hash->len, "process_msg3");
739 hst=st->hash->init();
740 st->hash->update(hst,m.hashstart,m.hashlen);
741 st->hash->final(hst,hash);
742 /* Terminate signature with a '0' - cheating, but should be ok */
744 if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m.sig)) {
745 slog(st,LOG_SEC,"msg3 signature failed check!");
751 /* Terminate their DH public key with a '0' */
753 /* Invent our DH secret key */
754 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
756 /* Generate the shared key and set up the transform */
757 set_new_transform(st,m.pk);
762 static bool_t generate_msg4(struct site *st)
764 /* We have both nonces, their public key and our private key. Generate
765 our public key, sign it and send it to them. */
766 return generate_msg(st,LABEL_MSG4,"site:MSG4");
769 static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
770 const struct comm_addr *src)
777 if (!unpick_msg(st,LABEL_MSG4,msg4,&m)) return False;
778 if (!check_msg(st,LABEL_MSG4,&m,&err)) {
779 slog(st,LOG_SEC,"msg4: %s",err);
783 /* Check signature and store g^x mod m */
784 hash=safe_malloc(st->hash->len, "process_msg4");
785 hst=st->hash->init();
786 st->hash->update(hst,m.hashstart,m.hashlen);
787 st->hash->final(hst,hash);
788 /* Terminate signature with a '0' - cheating, but should be ok */
790 if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m.sig)) {
791 slog(st,LOG_SEC,"msg4 signature failed check!");
797 /* Terminate their DH public key with a '0' */
800 /* Generate the shared key and set up the transform */
801 set_new_transform(st,m.pk);
812 static bool_t unpick_msg0(struct site *st, struct buffer_if *msg0,
816 m->dest=buf_unprepend_uint32(msg0);
818 m->source=buf_unprepend_uint32(msg0);
820 m->type=buf_unprepend_uint32(msg0);
822 /* Leaves transformed part of buffer untouched */
825 static bool_t generate_msg5(struct site *st)
827 cstring_t transform_err;
829 BUF_ALLOC(&st->buffer,"site:MSG5");
830 /* We are going to add four words to the message */
831 buffer_init(&st->buffer,calculate_max_start_pad());
832 /* Give the netlink code an opportunity to put its own stuff in the
833 message (configuration information, etc.) */
834 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
835 if (call_transform_forwards(st,st->new_transform,
836 &st->buffer,&transform_err))
838 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
839 buf_prepend_uint32(&st->buffer,st->index);
840 buf_prepend_uint32(&st->buffer,st->setup_session_id);
842 st->retries=st->setup_retries;
846 static bool_t process_msg5(struct site *st, struct buffer_if *msg5,
847 const struct comm_addr *src,
848 struct transform_inst_if *transform)
851 cstring_t transform_err;
853 if (!unpick_msg0(st,msg5,&m)) return False;
855 if (call_transform_reverse(st,transform,msg5,&transform_err)) {
856 /* There's a problem */
857 slog(st,LOG_SEC,"process_msg5: transform: %s",transform_err);
860 /* Buffer should now contain untransformed PING packet data */
862 if (buf_unprepend_uint32(msg5)!=LABEL_MSG5) {
863 slog(st,LOG_SEC,"MSG5/PING packet contained wrong label");
866 /* Older versions of secnet used to write some config data here
867 * which we ignore. So we don't CHECK_EMPTY */
871 static void create_msg6(struct site *st, struct transform_inst_if *transform,
874 cstring_t transform_err;
876 BUF_ALLOC(&st->buffer,"site:MSG6");
877 /* We are going to add four words to the message */
878 buffer_init(&st->buffer,calculate_max_start_pad());
879 /* Give the netlink code an opportunity to put its own stuff in the
880 message (configuration information, etc.) */
881 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
882 int problem = call_transform_forwards(st,transform,
883 &st->buffer,&transform_err);
885 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
886 buf_prepend_uint32(&st->buffer,st->index);
887 buf_prepend_uint32(&st->buffer,session_id);
890 static bool_t generate_msg6(struct site *st)
892 if (!is_transform_valid(st->new_transform))
894 create_msg6(st,st->new_transform,st->setup_session_id);
895 st->retries=1; /* Peer will retransmit MSG5 if this packet gets lost */
899 static bool_t process_msg6(struct site *st, struct buffer_if *msg6,
900 const struct comm_addr *src)
903 cstring_t transform_err;
905 if (!unpick_msg0(st,msg6,&m)) return False;
907 if (call_transform_reverse(st,st->new_transform,msg6,&transform_err)) {
908 /* There's a problem */
909 slog(st,LOG_SEC,"process_msg6: transform: %s",transform_err);
912 /* Buffer should now contain untransformed PING packet data */
914 if (buf_unprepend_uint32(msg6)!=LABEL_MSG6) {
915 slog(st,LOG_SEC,"MSG6/PONG packet contained invalid data");
918 /* Older versions of secnet used to write some config data here
919 * which we ignore. So we don't CHECK_EMPTY */
923 static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0,
924 const struct comm_addr *src)
926 cstring_t transform_err, auxkey_err, newkey_err="n/a";
930 if (!unpick_msg0(st,msg0,&m)) return False;
932 /* Keep a copy so we can try decrypting it with multiple keys */
933 buffer_copy(&st->scratch, msg0);
935 problem = call_transform_reverse(st,st->current.transform,
936 msg0,&transform_err);
938 if (!st->auxiliary_is_new)
939 delete_one_key(st,&st->auxiliary_key,
940 "peer has used new key","auxiliary key",LOG_SEC);
946 buffer_copy(msg0, &st->scratch);
947 problem = call_transform_reverse(st,st->auxiliary_key.transform,
950 slog(st,LOG_DROP,"processing packet which uses auxiliary key");
951 if (st->auxiliary_is_new) {
952 /* We previously timed out in state SENTMSG5 but it turns
953 * out that our peer did in fact get our MSG5 and is
954 * using the new key. So we should switch to it too. */
955 /* This is a bit like activate_new_key. */
958 st->current=st->auxiliary_key;
961 delete_one_key(st,&st->auxiliary_key,"peer has used new key",
962 "previous key",LOG_SEC);
963 st->auxiliary_is_new=0;
964 st->renegotiate_key_time=st->auxiliary_renegotiate_key_time;
971 if (st->state==SITE_SENTMSG5) {
972 buffer_copy(msg0, &st->scratch);
973 problem = call_transform_reverse(st,st->new_transform,
976 /* It looks like we didn't get the peer's MSG6 */
977 /* This is like a cut-down enter_new_state(SITE_RUN) */
978 slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)");
979 BUF_FREE(&st->buffer);
981 activate_new_key(st);
982 return True; /* do process the data in this packet */
988 slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)",
989 transform_err,auxkey_err,newkey_err);
990 initiate_key_setup(st,"incoming message would not decrypt");
991 send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt");
995 slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err);
999 static bool_t process_msg0(struct site *st, struct buffer_if *msg0,
1000 const struct comm_addr *src)
1004 if (!decrypt_msg0(st,msg0,src))
1007 CHECK_AVAIL(msg0,4);
1008 type=buf_unprepend_uint32(msg0);
1011 /* We must forget about the current session. */
1012 delete_keys(st,"request from peer",LOG_SEC);
1015 /* Deliver to netlink layer */
1016 st->netlink->deliver(st->netlink->st,msg0);
1017 transport_data_msgok(st,src);
1018 /* See whether we should start negotiating a new key */
1019 if (st->now > st->renegotiate_key_time)
1020 initiate_key_setup(st,"incoming packet in renegotiation window");
1023 slog(st,LOG_SEC,"incoming encrypted message of type %08x "
1030 static void dump_packet(struct site *st, struct buffer_if *buf,
1031 const struct comm_addr *addr, bool_t incoming)
1033 uint32_t dest=get_uint32(buf->start);
1034 uint32_t source=get_uint32(buf->start+4);
1035 uint32_t msgtype=get_uint32(buf->start+8);
1037 if (st->log_events & LOG_DUMP)
1038 slilog(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x:",
1039 st->tunname,incoming?"incoming":"outgoing",
1040 dest,source,msgtype);
1043 static uint32_t site_status(void *st)
1048 static bool_t send_msg(struct site *st)
1050 if (st->retries>0) {
1051 transport_xmit(st, &st->setup_peers, &st->buffer, True);
1052 st->timeout=st->now+st->setup_retry_interval;
1055 } else if (st->state==SITE_SENTMSG5) {
1056 slog(st,LOG_SETUP_TIMEOUT,"timed out sending MSG5, stashing new key");
1057 /* We stash the key we have produced, in case it turns out that
1058 * our peer did see our MSG5 after all and starts using it. */
1059 /* This is a bit like some of activate_new_key */
1060 struct transform_inst_if *t;
1061 t=st->auxiliary_key.transform;
1062 st->auxiliary_key.transform=st->new_transform;
1063 st->new_transform=t;
1064 dispose_transform(&st->new_transform);
1066 st->auxiliary_is_new=1;
1067 st->auxiliary_key.key_timeout=st->now+st->key_lifetime;
1068 st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time;
1069 st->auxiliary_key.remote_session_id=st->setup_session_id;
1071 enter_state_wait(st);
1074 slog(st,LOG_SETUP_TIMEOUT,"timed out sending key setup packet "
1075 "(in state %s)",state_name(st->state));
1076 enter_state_wait(st);
1081 static void site_resolve_callback(void *sst, struct in_addr *address)
1083 struct site *st=sst;
1084 struct comm_addr ca_buf, *ca_use;
1086 if (st->state!=SITE_RESOLVE) {
1087 slog(st,LOG_UNEXPECTED,"site_resolve_callback called unexpectedly");
1092 ca_buf.comm=st->comms[0];
1093 ca_buf.sin.sin_family=AF_INET;
1094 ca_buf.sin.sin_port=htons(st->remoteport);
1095 ca_buf.sin.sin_addr=*address;
1098 slog(st,LOG_ERROR,"resolution of %s failed",st->address);
1101 if (transport_compute_setupinit_peers(st,ca_use)) {
1102 enter_new_state(st,SITE_SENTMSG1);
1104 /* Can't figure out who to try to to talk to */
1105 slog(st,LOG_SETUP_INIT,"key exchange failed: cannot find peer address");
1106 enter_state_run(st);
1110 static bool_t initiate_key_setup(struct site *st, cstring_t reason)
1112 if (st->state!=SITE_RUN) return False;
1113 slog(st,LOG_SETUP_INIT,"initiating key exchange (%s)",reason);
1115 slog(st,LOG_SETUP_INIT,"resolving peer address");
1116 return enter_state_resolve(st);
1117 } else if (transport_compute_setupinit_peers(st,0)) {
1118 return enter_new_state(st,SITE_SENTMSG1);
1120 slog(st,LOG_SETUP_INIT,"key exchange failed: no address for peer");
1124 static void activate_new_key(struct site *st)
1126 struct transform_inst_if *t;
1128 /* We have three transform instances, which we swap between old,
1130 t=st->auxiliary_key.transform;
1131 st->auxiliary_key.transform=st->current.transform;
1132 st->current.transform=st->new_transform;
1133 st->new_transform=t;
1134 dispose_transform(&st->new_transform);
1137 st->auxiliary_is_new=0;
1138 st->auxiliary_key.key_timeout=st->current.key_timeout;
1139 st->current.key_timeout=st->now+st->key_lifetime;
1140 st->renegotiate_key_time=st->now+st->key_renegotiate_time;
1141 transport_peers_copy(st,&st->peers,&st->setup_peers);
1142 st->current.remote_session_id=st->setup_session_id;
1144 slog(st,LOG_ACTIVATE_KEY,"new key activated");
1145 enter_state_run(st);
1148 static void delete_one_key(struct site *st, struct data_key *key,
1149 cstring_t reason, cstring_t which, uint32_t loglevel)
1151 if (!is_transform_valid(key->transform)) return;
1152 if (reason) slog(st,loglevel,"%s deleted (%s)",which,reason);
1153 dispose_transform(&key->transform);
1157 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel)
1159 if (current_valid(st)) {
1160 slog(st,loglevel,"session closed (%s)",reason);
1162 delete_one_key(st,&st->current,0,0,0);
1163 set_link_quality(st);
1165 delete_one_key(st,&st->auxiliary_key,0,0,0);
1168 static void state_assert(struct site *st, bool_t ok)
1170 if (!ok) fatal("site:state_assert");
1173 static void enter_state_stop(struct site *st)
1175 st->state=SITE_STOP;
1177 delete_keys(st,"entering state STOP",LOG_TIMEOUT_KEY);
1178 dispose_transform(&st->new_transform);
1181 static void set_link_quality(struct site *st)
1184 if (current_valid(st))
1185 quality=LINK_QUALITY_UP;
1186 else if (st->state==SITE_WAIT || st->state==SITE_STOP)
1187 quality=LINK_QUALITY_DOWN;
1188 else if (st->address)
1189 quality=LINK_QUALITY_DOWN_CURRENT_ADDRESS;
1190 else if (transport_peers_valid(&st->peers))
1191 quality=LINK_QUALITY_DOWN_STALE_ADDRESS;
1193 quality=LINK_QUALITY_DOWN;
1195 st->netlink->set_quality(st->netlink->st,quality);
1198 static void enter_state_run(struct site *st)
1200 slog(st,LOG_STATE,"entering state RUN");
1204 st->setup_session_id=0;
1205 transport_peers_clear(st,&st->setup_peers);
1206 memset(st->localN,0,NONCELEN);
1207 memset(st->remoteN,0,NONCELEN);
1208 dispose_transform(&st->new_transform);
1209 memset(st->dhsecret,0,st->dh->len);
1210 memset(st->sharedsecret,0,st->sharedsecretlen);
1211 set_link_quality(st);
1214 static bool_t enter_state_resolve(struct site *st)
1216 state_assert(st,st->state==SITE_RUN);
1217 slog(st,LOG_STATE,"entering state RESOLVE");
1218 st->state=SITE_RESOLVE;
1219 st->resolver->request(st->resolver->st,st->address,
1220 site_resolve_callback,st);
1224 static bool_t enter_new_state(struct site *st, uint32_t next)
1226 bool_t (*gen)(struct site *st);
1229 slog(st,LOG_STATE,"entering state %s",state_name(next));
1232 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE);
1236 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1237 st->state==SITE_SENTMSG1 || st->state==SITE_WAIT);
1241 state_assert(st,st->state==SITE_SENTMSG1);
1242 BUF_FREE(&st->buffer);
1246 state_assert(st,st->state==SITE_SENTMSG2);
1247 BUF_FREE(&st->buffer);
1251 state_assert(st,st->state==SITE_SENTMSG3);
1252 BUF_FREE(&st->buffer);
1256 state_assert(st,st->state==SITE_SENTMSG4);
1257 BUF_FREE(&st->buffer);
1262 fatal("enter_new_state(%s): invalid new state",state_name(next));
1266 if (hacky_par_start_failnow()) return False;
1268 r= gen(st) && send_msg(st);
1271 st->setup_retries, st->setup_retry_interval,
1276 if (next==SITE_RUN) {
1277 BUF_FREE(&st->buffer); /* Never reused */
1278 st->timeout=0; /* Never retransmit */
1279 activate_new_key(st);
1283 slog(st,LOG_ERROR,"error entering state %s",state_name(next));
1284 st->buffer.free=False; /* Unconditionally use the buffer; it may be
1285 in either state, and enter_state_wait() will
1287 enter_state_wait(st);
1291 /* msg7 tells our peer that we're about to forget our key */
1292 static bool_t send_msg7(struct site *st, cstring_t reason)
1294 cstring_t transform_err;
1296 if (current_valid(st) && st->buffer.free
1297 && transport_peers_valid(&st->peers)) {
1298 BUF_ALLOC(&st->buffer,"site:MSG7");
1299 buffer_init(&st->buffer,calculate_max_start_pad());
1300 buf_append_uint32(&st->buffer,LABEL_MSG7);
1301 buf_append_string(&st->buffer,reason);
1302 if (call_transform_forwards(st, st->current.transform,
1303 &st->buffer, &transform_err))
1305 buf_prepend_uint32(&st->buffer,LABEL_MSG0);
1306 buf_prepend_uint32(&st->buffer,st->index);
1307 buf_prepend_uint32(&st->buffer,st->current.remote_session_id);
1308 transport_xmit(st,&st->peers,&st->buffer,True);
1309 BUF_FREE(&st->buffer);
1316 /* We go into this state if our peer becomes uncommunicative. Similar to
1317 the "stop" state, we forget all session keys for a while, before
1318 re-entering the "run" state. */
1319 static void enter_state_wait(struct site *st)
1321 slog(st,LOG_STATE,"entering state WAIT");
1322 st->timeout=st->now+st->wait_timeout;
1323 st->state=SITE_WAIT;
1324 set_link_quality(st);
1325 BUF_FREE(&st->buffer); /* will have had an outgoing packet in it */
1326 /* XXX Erase keys etc. */
1329 static inline void site_settimeout(uint64_t timeout, int *timeout_io)
1332 int64_t offset=timeout-*now;
1333 if (offset<0) offset=0;
1334 if (offset>INT_MAX) offset=INT_MAX;
1335 if (*timeout_io<0 || offset<*timeout_io)
1340 static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io,
1343 struct site *st=sst;
1345 *nfds_io=0; /* We don't use any file descriptors */
1348 /* Work out when our next timeout is. The earlier of 'timeout' or
1349 'current.key_timeout'. A stored value of '0' indicates no timeout
1351 site_settimeout(st->timeout, timeout_io);
1352 site_settimeout(st->current.key_timeout, timeout_io);
1353 site_settimeout(st->auxiliary_key.key_timeout, timeout_io);
1355 return 0; /* success */
1358 static void check_expiry(struct site *st, struct data_key *key,
1361 if (key->key_timeout && *now>key->key_timeout) {
1362 delete_one_key(st,key,"maximum life exceeded",which,LOG_TIMEOUT_KEY);
1366 /* NB site_afterpoll will be called before site_beforepoll is ever called */
1367 static void site_afterpoll(void *sst, struct pollfd *fds, int nfds)
1369 struct site *st=sst;
1372 if (st->timeout && *now>st->timeout) {
1374 if (st->state>=SITE_SENTMSG1 && st->state<=SITE_SENTMSG5) {
1375 if (!hacky_par_start_failnow())
1377 } else if (st->state==SITE_WAIT) {
1378 enter_state_run(st);
1380 slog(st,LOG_ERROR,"site_afterpoll: unexpected timeout, state=%d",
1384 check_expiry(st,&st->current,"current key");
1385 check_expiry(st,&st->auxiliary_key,"auxiliary key");
1388 /* This function is called by the netlink device to deliver packets
1389 intended for the remote network. The packet is in "raw" wire
1390 format, but is guaranteed to be word-aligned. */
1391 static void site_outgoing(void *sst, struct buffer_if *buf)
1393 struct site *st=sst;
1394 cstring_t transform_err;
1396 if (st->state==SITE_STOP) {
1401 /* In all other states we consider delivering the packet if we have
1402 a valid key and a valid address to send it to. */
1403 if (current_valid(st) && transport_peers_valid(&st->peers)) {
1404 /* Transform it and send it */
1406 buf_prepend_uint32(buf,LABEL_MSG9);
1407 if (call_transform_forwards(st, st->current.transform,
1408 buf, &transform_err))
1410 buf_prepend_uint32(buf,LABEL_MSG0);
1411 buf_prepend_uint32(buf,st->index);
1412 buf_prepend_uint32(buf,st->current.remote_session_id);
1413 transport_xmit(st,&st->peers,buf,False);
1420 slog(st,LOG_DROP,"discarding outgoing packet of size %d",buf->size);
1422 initiate_key_setup(st,"outgoing packet");
1425 static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in,
1426 uint32_t type, struct msg *m)
1427 /* For packets which are identified by the local and remote names.
1428 * If it has our name and our peer's name in it it's for us. */
1430 struct buffer_if buf[1];
1431 buffer_readonly_clone(buf,buf_in);
1432 return unpick_msg(st,type,buf,m)
1433 && name_matches(&m->remote,st->remotename)
1434 && name_matches(&m->local,st->localname);
1437 /* This function is called by the communication device to deliver
1438 packets from our peers. */
1439 static bool_t site_incoming(void *sst, struct buffer_if *buf,
1440 const struct comm_addr *source)
1442 struct site *st=sst;
1444 if (buf->size < 12) return False;
1446 uint32_t dest=get_uint32(buf->start);
1447 uint32_t msgtype=get_uint32(buf->start+8);
1448 struct msg named_msg;
1450 if (msgtype==LABEL_MSG1) {
1451 if (!named_for_us(st,buf,msgtype,&named_msg))
1453 /* It's a MSG1 addressed to us. Decide what to do about it. */
1454 dump_packet(st,buf,source,True);
1455 if (st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1456 st->state==SITE_WAIT) {
1457 /* We should definitely process it */
1458 if (process_msg1(st,buf,source,&named_msg)) {
1459 slog(st,LOG_SETUP_INIT,"key setup initiated by peer");
1460 enter_new_state(st,SITE_SENTMSG2);
1462 slog(st,LOG_ERROR,"failed to process incoming msg1");
1466 } else if (st->state==SITE_SENTMSG1) {
1467 /* We've just sent a message 1! They may have crossed on
1468 the wire. If we have priority then we ignore the
1469 incoming one, otherwise we process it as usual. */
1470 if (st->setup_priority) {
1472 slog(st,LOG_DUMP,"crossed msg1s; we are higher "
1473 "priority => ignore incoming msg1");
1476 slog(st,LOG_DUMP,"crossed msg1s; we are lower "
1477 "priority => use incoming msg1");
1478 if (process_msg1(st,buf,source,&named_msg)) {
1479 BUF_FREE(&st->buffer); /* Free our old message 1 */
1480 enter_new_state(st,SITE_SENTMSG2);
1482 slog(st,LOG_ERROR,"failed to process an incoming "
1483 "crossed msg1 (we have low priority)");
1489 /* The message 1 was received at an unexpected stage of the
1490 key setup. XXX POLICY - what do we do? */
1491 slog(st,LOG_UNEXPECTED,"unexpected incoming message 1");
1495 if (dest==st->index) {
1496 /* Explicitly addressed to us */
1497 if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True);
1500 /* If the source is our current peer then initiate a key setup,
1501 because our peer's forgotten the key */
1502 if (get_uint32(buf->start+4)==st->current.remote_session_id) {
1503 initiate_key_setup(st,"received a NAK");
1505 slog(st,LOG_SEC,"bad incoming NAK");
1509 process_msg0(st,buf,source);
1512 /* Setup packet: should not have been explicitly addressed
1514 slog(st,LOG_SEC,"incoming explicitly addressed msg1");
1517 /* Setup packet: expected only in state SENTMSG1 */
1518 if (st->state!=SITE_SENTMSG1) {
1519 slog(st,LOG_UNEXPECTED,"unexpected MSG2");
1520 } else if (process_msg2(st,buf,source)) {
1521 transport_setup_msgok(st,source);
1522 enter_new_state(st,SITE_SENTMSG3);
1524 slog(st,LOG_SEC,"invalid MSG2");
1529 /* Setup packet: expected only in state SENTMSG2 */
1530 if (st->state!=SITE_SENTMSG2) {
1531 slog(st,LOG_UNEXPECTED,"unexpected MSG3");
1532 } else if (process_msg3(st,buf,source,msgtype)) {
1533 transport_setup_msgok(st,source);
1534 enter_new_state(st,SITE_SENTMSG4);
1536 slog(st,LOG_SEC,"invalid MSG3");
1540 /* Setup packet: expected only in state SENTMSG3 */
1541 if (st->state!=SITE_SENTMSG3) {
1542 slog(st,LOG_UNEXPECTED,"unexpected MSG4");
1543 } else if (process_msg4(st,buf,source)) {
1544 transport_setup_msgok(st,source);
1545 enter_new_state(st,SITE_SENTMSG5);
1547 slog(st,LOG_SEC,"invalid MSG4");
1551 /* Setup packet: expected only in state SENTMSG4 */
1552 /* (may turn up in state RUN if our return MSG6 was lost
1553 and the new key has already been activated. In that
1554 case we discard it. The peer will realise that we
1555 are using the new key when they see our data packets.
1556 Until then the peer's data packets to us get discarded. */
1557 if (st->state==SITE_SENTMSG4) {
1558 if (process_msg5(st,buf,source,st->new_transform)) {
1559 transport_setup_msgok(st,source);
1560 enter_new_state(st,SITE_RUN);
1562 slog(st,LOG_SEC,"invalid MSG5");
1564 } else if (st->state==SITE_RUN) {
1565 if (process_msg5(st,buf,source,st->current.transform)) {
1566 slog(st,LOG_DROP,"got MSG5, retransmitting MSG6");
1567 transport_setup_msgok(st,source);
1568 create_msg6(st,st->current.transform,
1569 st->current.remote_session_id);
1570 transport_xmit(st,&st->peers,&st->buffer,True);
1571 BUF_FREE(&st->buffer);
1573 slog(st,LOG_SEC,"invalid MSG5 (in state RUN)");
1576 slog(st,LOG_UNEXPECTED,"unexpected MSG5");
1580 /* Setup packet: expected only in state SENTMSG5 */
1581 if (st->state!=SITE_SENTMSG5) {
1582 slog(st,LOG_UNEXPECTED,"unexpected MSG6");
1583 } else if (process_msg6(st,buf,source)) {
1584 BUF_FREE(&st->buffer); /* Free message 5 */
1585 transport_setup_msgok(st,source);
1586 activate_new_key(st);
1588 slog(st,LOG_SEC,"invalid MSG6");
1592 slog(st,LOG_SEC,"received message of unknown type 0x%08x",
1603 static void site_control(void *vst, bool_t run)
1605 struct site *st=vst;
1606 if (run) enter_state_run(st);
1607 else enter_state_stop(st);
1610 static void site_phase_hook(void *sst, uint32_t newphase)
1612 struct site *st=sst;
1614 /* The program is shutting down; tell our peer */
1615 send_msg7(st,"shutting down");
1618 static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
1621 static uint32_t index_sequence;
1627 st=safe_malloc(sizeof(*st),"site_apply");
1629 st->cl.description="site";
1630 st->cl.type=CL_SITE;
1632 st->cl.interface=&st->ops;
1634 st->ops.control=site_control;
1635 st->ops.status=site_status;
1637 /* First parameter must be a dict */
1638 item=list_elem(args,0);
1639 if (!item || item->type!=t_dict)
1640 cfgfatal(loc,"site","parameter must be a dictionary\n");
1642 dict=item->data.dict;
1643 st->localname=dict_read_string(dict, "local-name", True, "site", loc);
1644 st->remotename=dict_read_string(dict, "name", True, "site", loc);
1646 st->peer_mobile=dict_read_bool(dict,"mobile",False,"site",loc,False);
1647 bool_t local_mobile=
1648 dict_read_bool(dict,"local-mobile",False,"site",loc,False);
1650 /* Sanity check (which also allows the 'sites' file to include
1651 site() closures for all sites including our own): refuse to
1652 talk to ourselves */
1653 if (strcmp(st->localname,st->remotename)==0) {
1654 Message(M_DEBUG,"site %s: local-name==name -> ignoring this site\n",
1656 if (st->peer_mobile != local_mobile)
1657 cfgfatal(loc,"site","site %s's peer-mobile=%d"
1658 " but our local-mobile=%d\n",
1659 st->localname, st->peer_mobile, local_mobile);
1663 if (st->peer_mobile && local_mobile) {
1664 Message(M_WARNING,"site %s: site is mobile but so are we"
1665 " -> ignoring this site\n", st->remotename);
1670 assert(index_sequence < 0xffffffffUL);
1671 st->index = ++index_sequence;
1672 st->local_capabilities = 0;
1673 st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc);
1675 #define GET_CLOSURE_LIST(dictkey,things,nthings,CL_TYPE) do{ \
1676 list_t *things##_cfg=dict_lookup(dict,dictkey); \
1677 if (!things##_cfg) \
1678 cfgfatal(loc,"site","closure list \"%s\" not found\n",dictkey); \
1679 st->nthings=list_length(things##_cfg); \
1680 st->things=safe_malloc_ary(sizeof(*st->things),st->nthings,dictkey "s"); \
1681 assert(st->nthings); \
1682 for (i=0; i<st->nthings; i++) { \
1683 item_t *item=list_elem(things##_cfg,i); \
1684 if (item->type!=t_closure) \
1685 cfgfatal(loc,"site","%s is not a closure\n",dictkey); \
1686 closure_t *cl=item->data.closure; \
1687 if (cl->type!=CL_TYPE) \
1688 cfgfatal(loc,"site","%s closure wrong type\n",dictkey); \
1689 st->things[i]=cl->interface; \
1693 GET_CLOSURE_LIST("comm",comms,ncomms,CL_COMM);
1695 st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc);
1696 st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc);
1697 st->random=find_cl_if(dict,"random",CL_RANDOMSRC,True,"site",loc);
1699 st->privkey=find_cl_if(dict,"local-key",CL_RSAPRIVKEY,True,"site",loc);
1700 st->address=dict_read_string(dict, "address", False, "site", loc);
1702 st->remoteport=dict_read_number(dict,"port",True,"site",loc,0);
1703 else st->remoteport=0;
1704 st->pubkey=find_cl_if(dict,"key",CL_RSAPUBKEY,True,"site",loc);
1706 GET_CLOSURE_LIST("transform",transforms,ntransforms,CL_TRANSFORM);
1708 st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
1709 st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
1711 #define DEFAULT(D) (st->peer_mobile || local_mobile \
1712 ? DEFAULT_MOBILE_##D : DEFAULT_##D)
1713 #define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
1715 st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
1716 st->setup_retries= CFG_NUMBER("setup-retries", SETUP_RETRIES);
1717 st->setup_retry_interval= CFG_NUMBER("setup-timeout", SETUP_RETRY_INTERVAL);
1718 st->wait_timeout= CFG_NUMBER("wait-time", WAIT_TIME);
1720 st->mobile_peer_expiry= dict_read_number(
1721 dict,"mobile-peer-expiry",False,"site",loc,DEFAULT_MOBILE_PEER_EXPIRY);
1723 st->transport_peers_max= !st->peer_mobile ? 1 : dict_read_number(
1724 dict,"mobile-peers-max",False,"site",loc,DEFAULT_MOBILE_PEERS_MAX);
1725 if (st->transport_peers_max<1 ||
1726 st->transport_peers_max>=MAX_MOBILE_PEERS_MAX) {
1727 cfgfatal(loc,"site","mobile-peers-max must be in range 1.."
1728 STRING(MAX_MOBILE_PEERS_MAX) "\n");
1731 if (st->key_lifetime < DEFAULT(KEY_RENEGOTIATE_GAP)*2)
1732 st->key_renegotiate_time=st->key_lifetime/2;
1734 st->key_renegotiate_time=st->key_lifetime-DEFAULT(KEY_RENEGOTIATE_GAP);
1735 st->key_renegotiate_time=dict_read_number(
1736 dict,"renegotiate-time",False,"site",loc,st->key_renegotiate_time);
1737 if (st->key_renegotiate_time > st->key_lifetime) {
1738 cfgfatal(loc,"site",
1739 "renegotiate-time must be less than key-lifetime\n");
1742 st->log_events=string_list_to_word(dict_lookup(dict,"log-events"),
1743 log_event_table,"site");
1745 st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5,
1747 sprintf(st->tunname,"%s<->%s",st->localname,st->remotename);
1749 /* The information we expect to see in incoming messages of type 1 */
1750 /* fixme: lots of unchecked overflows here, but the results are only
1751 corrupted packets rather than undefined behaviour */
1752 st->setup_priority=(strcmp(st->localname,st->remotename)>0);
1754 buffer_new(&st->buffer,SETUP_BUFFER_LEN);
1756 buffer_new(&st->scratch,0);
1757 BUF_ALLOC(&st->scratch,"site:scratch");
1759 /* We are interested in poll(), but only for timeouts. We don't have
1760 any fds of our own. */
1761 register_for_poll(st, site_beforepoll, site_afterpoll, 0, "site");
1764 st->remote_capabilities=0;
1765 st->chosen_transform=0;
1766 st->current.key_timeout=0;
1767 st->auxiliary_key.key_timeout=0;
1768 transport_peers_clear(st,&st->peers);
1769 transport_peers_clear(st,&st->setup_peers);
1770 /* XXX mlock these */
1771 st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret");
1772 st->sharedsecretlen=st->sharedsecretallocd=0;
1775 for (i=0; i<st->ntransforms; i++) {
1776 struct transform_if *ti=st->transforms[i];
1777 uint32_t capbit = 1UL << ti->capab_transformnum;
1778 if (st->local_capabilities & capbit)
1779 slog(st,LOG_ERROR,"transformnum capability bit"
1780 " %d (%#"PRIx32") reused", ti->capab_transformnum, capbit);
1781 st->local_capabilities |= capbit;
1784 /* We need to register the remote networks with the netlink device */
1785 st->netlink->reg(st->netlink->st, site_outgoing, st);
1787 for (i=0; i<st->ncomms; i++)
1788 st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming);
1790 st->current.transform=0;
1791 st->auxiliary_key.transform=0;
1792 st->new_transform=0;
1793 st->auxiliary_is_new=0;
1795 enter_state_stop(st);
1797 add_hook(PHASE_SHUTDOWN,site_phase_hook,st);
1799 return new_closure(&st->cl);
1802 void site_module(dict_t *dict)
1804 add_closure(dict,"site",site_apply);
1808 /***** TRANSPORT PEERS definitions *****/
1810 static void transport_peers_debug(struct site *st, transport_peers *dst,
1811 const char *didwhat,
1812 int nargs, const struct comm_addr *args,
1817 if (!(st->log_events & LOG_PEER_ADDRS))
1818 return; /* an optimisation */
1820 slog(st, LOG_PEER_ADDRS, "peers (%s) %s nargs=%d => npeers=%d",
1821 (dst==&st->peers ? "data" :
1822 dst==&st->setup_peers ? "setup" : "UNKNOWN"),
1823 didwhat, nargs, dst->npeers);
1825 for (i=0, argp=(void*)args;
1827 i++, (argp+=stride?stride:sizeof(*args))) {
1828 const struct comm_addr *ca=(void*)argp;
1829 slog(st, LOG_PEER_ADDRS, " args: addrs[%d]=%s",
1830 i, ca->comm->addr_to_string(ca->comm->st,ca));
1832 for (i=0; i<dst->npeers; i++) {
1833 struct timeval diff;
1834 timersub(tv_now,&dst->peers[i].last,&diff);
1835 const struct comm_addr *ca=&dst->peers[i].addr;
1836 slog(st, LOG_PEER_ADDRS, " peers: addrs[%d]=%s T-%ld.%06ld",
1837 i, ca->comm->addr_to_string(ca->comm->st,ca),
1838 (unsigned long)diff.tv_sec, (unsigned long)diff.tv_usec);
1842 static int transport_peer_compar(const void *av, const void *bv) {
1843 const transport_peer *a=av;
1844 const transport_peer *b=bv;
1845 /* put most recent first in the array */
1846 if (timercmp(&a->last, &b->last, <)) return +1;
1847 if (timercmp(&a->last, &b->last, >)) return -11;
1851 static void transport_peers_expire(struct site *st, transport_peers *peers) {
1852 /* peers must be sorted first */
1853 int previous_peers=peers->npeers;
1854 struct timeval oldest;
1855 oldest.tv_sec = tv_now->tv_sec - st->mobile_peer_expiry;
1856 oldest.tv_usec = tv_now->tv_usec;
1857 while (peers->npeers>1 &&
1858 timercmp(&peers->peers[peers->npeers-1].last, &oldest, <))
1860 if (peers->npeers != previous_peers)
1861 transport_peers_debug(st,peers,"expire", 0,0,0);
1864 static void transport_record_peer(struct site *st, transport_peers *peers,
1865 const struct comm_addr *addr, const char *m) {
1866 int slot, changed=0;
1868 for (slot=0; slot<peers->npeers; slot++)
1869 if (!memcmp(&peers->peers[slot].addr, addr, sizeof(*addr)))
1873 if (peers->npeers==st->transport_peers_max)
1874 slot=st->transport_peers_max;
1876 slot=peers->npeers++;
1879 peers->peers[slot].addr=*addr;
1880 peers->peers[slot].last=*tv_now;
1882 if (peers->npeers>1)
1883 qsort(peers->peers, peers->npeers,
1884 sizeof(*peers->peers), transport_peer_compar);
1886 if (changed || peers->npeers!=1)
1887 transport_peers_debug(st,peers,m, 1,addr,0);
1888 transport_peers_expire(st, peers);
1891 static bool_t transport_compute_setupinit_peers(struct site *st,
1892 const struct comm_addr *configured_addr /* 0 if none or not found */) {
1894 if (!configured_addr && !transport_peers_valid(&st->peers))
1897 slog(st,LOG_SETUP_INIT,
1898 (!configured_addr ? "using only %d old peer address(es)"
1899 : "using configured address, and/or perhaps %d old peer address(es)"),
1902 /* Non-mobile peers havve st->peers.npeers==0 or ==1, since they
1903 * have transport_peers_max==1. The effect is that this code
1904 * always uses the configured address if supplied, or otherwise
1905 * the existing data peer if one exists; this is as desired. */
1907 transport_peers_copy(st,&st->setup_peers,&st->peers);
1909 if (configured_addr)
1910 transport_record_peer(st,&st->setup_peers,configured_addr,"setupinit");
1912 assert(transport_peers_valid(&st->setup_peers));
1916 static void transport_setup_msgok(struct site *st, const struct comm_addr *a) {
1917 if (st->peer_mobile)
1918 transport_record_peer(st,&st->setup_peers,a,"setupmsg");
1920 static void transport_data_msgok(struct site *st, const struct comm_addr *a) {
1921 if (st->peer_mobile)
1922 transport_record_peer(st,&st->peers,a,"datamsg");
1925 static int transport_peers_valid(transport_peers *peers) {
1926 return peers->npeers;
1928 static void transport_peers_clear(struct site *st, transport_peers *peers) {
1930 transport_peers_debug(st,peers,"clear",0,0,0);
1932 static void transport_peers_copy(struct site *st, transport_peers *dst,
1933 const transport_peers *src) {
1934 dst->npeers=src->npeers;
1935 memcpy(dst->peers, src->peers, sizeof(*dst->peers) * dst->npeers);
1936 transport_peers_debug(st,dst,"copy",
1937 src->npeers, &src->peers->addr, sizeof(*src->peers));
1940 void transport_xmit(struct site *st, transport_peers *peers,
1941 struct buffer_if *buf, bool_t candebug) {
1943 transport_peers_expire(st, peers);
1944 for (slot=0; slot<peers->npeers; slot++) {
1945 transport_peer *peer=&peers->peers[slot];
1947 dump_packet(st, buf, &peer->addr, False);
1948 peer->addr.comm->sendmsg(peer->addr.comm->st, buf, &peer->addr);
1952 /***** END of transport peers declarations *****/