buffer_init(&st->buffer,st->transform->max_start_pad+(4*4));
/* Give the netlink code an opportunity to put its own stuff in the
message (configuration information, etc.) */
- st->netlink->output_config(st->netlink->st,&st->buffer);
buf_prepend_uint32(&st->buffer,LABEL_MSG5);
st->new_transform->forwards(st->new_transform->st,&st->buffer,
&transform_err);
slog(st,LOG_SEC,"MSG5/PING packet contained wrong label");
return False;
}
- if (!st->netlink->check_config(st->netlink->st,msg5)) {
- slog(st,LOG_SEC,"MSG5/PING packet contained bad netlink config");
- return False;
- }
- CHECK_EMPTY(msg5);
+ /* Older versions of secnet used to write some config data here
+ * which we ignore. So we don't CHECK_EMPTY */
return True;
}
buffer_init(&st->buffer,st->transform->max_start_pad+(4*4));
/* Give the netlink code an opportunity to put its own stuff in the
message (configuration information, etc.) */
- st->netlink->output_config(st->netlink->st,&st->buffer);
buf_prepend_uint32(&st->buffer,LABEL_MSG6);
st->new_transform->forwards(st->new_transform->st,&st->buffer,
&transform_err);
slog(st,LOG_SEC,"MSG6/PONG packet contained invalid data");
return False;
}
- if (!st->netlink->check_config(st->netlink->st,msg6)) {
- slog(st,LOG_SEC,"MSG6/PONG packet contained bad netlink config");
+ /* Older versions of secnet used to write some config data here
+ * which we ignore. So we don't CHECK_EMPTY */
+ return True;
+}
+
+static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0)
+{
+ cstring_t transform_err;
+ struct msg0 m;
+ uint32_t problem;
+
+ if (!unpick_msg0(st,msg0,&m)) return False;
+
+ problem = st->current_transform->reverse(st->current_transform->st,
+ msg0,&transform_err);
+ if (!problem) return True;
+
+ if (problem==2) {
+ slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err);
return False;
}
- CHECK_EMPTY(msg6);
- return True;
+
+ slog(st,LOG_SEC,"transform: %s",transform_err);
+ initiate_key_setup(st,"incoming message would not decrypt");
+ return False;
}
static bool_t process_msg0(struct site *st, struct buffer_if *msg0,
const struct comm_addr *src)
{
- struct msg0 m;
- cstring_t transform_err;
uint32_t type;
- if (!st->current_valid) {
- slog(st,LOG_DROP,"incoming message but no current key -> dropping");
- return initiate_key_setup(st,"incoming message but no current key");
- }
-
- if (!unpick_msg0(st,msg0,&m)) return False;
+ if (!decrypt_msg0(st,msg0))
+ return False;
- if (st->current_transform->reverse(st->current_transform->st,
- msg0,&transform_err)) {
- /* There's a problem */
- slog(st,LOG_SEC,"transform: %s",transform_err);
- return initiate_key_setup(st,"incoming message would not decrypt");
- }
CHECK_AVAIL(msg0,4);
type=buf_unprepend_uint32(msg0);
switch(type) {
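Review bot: decrypt_msg0 hands msg0 to `st->current_transform->reverse` without the `if (!st->current_valid)` guard that process_msg0 carried before this change, and the guard is not re-added in either function shown here. Unless the transform's reverse() itself rejects an unkeyed state, or the check was relocated in a hunk not shown, a packet arriving before any key is established now takes the LOG_SEC "transform: ..." path and calls into the transform's unkeyed state instead of the old LOG_DROP "no current key" path, which also turns an ordinary startup condition into a security-level log line. Restoring the guard at the top of decrypt_msg0, in the same initiate_key_setup-then-return-False shape the new failure branch uses, keeps the previous behaviour. The bare literal on the `problem==2` branch would read better as a named constant for the skew case.
```c
static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0)
{
    cstring_t transform_err;
    struct msg0 m;
    uint32_t problem;

    if (!st->current_valid) {
        slog(st,LOG_DROP,"incoming message but no current key -> dropping");
        initiate_key_setup(st,"incoming message but no current key");
        return False;
    }

    /* … unchanged: unpick_msg0, reverse() call and problem handling … */
```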
st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc);
list_t *comms_cfg=dict_lookup(dict,"comm");
- if (!comms_cfg) cfgfatal(loc,"site","closure list \"comm\" not found");
+ if (!comms_cfg) cfgfatal(loc,"site","closure list \"comm\" not found\n");
st->ncomms=list_length(comms_cfg);
st->comms=safe_malloc_ary(sizeof(*st->comms),st->ncomms,"comms");
assert(st->ncomms);
for (i=0; i<st->ncomms; i++) {
item_t *item=list_elem(comms_cfg,i);
- if (item->type!=t_closure) cfgfatal(loc,"site","comm is not a closure");
+ if (item->type!=t_closure)
+ cfgfatal(loc,"site","comm is not a closure\n");
closure_t *cl=item->data.closure;
- if (cl->type!=CL_COMM) cfgfatal(loc,"site","comm closure wrong type");
+ if (cl->type!=CL_COMM) cfgfatal(loc,"site","comm closure wrong type\n");
st->comms[i]=cl->interface;
}
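Review bot: An empty "comm" closure list still aborts through `assert(st->ncomms);` a few lines below the reformatted cfgfatal calls, so that configuration mistake is reported as an assertion failure rather than with the location-bearing message the neighbouring checks now emit. Replacing it with `if (!st->ncomms) cfgfatal(loc,"site","closure list \"comm\" is empty\n");` follows the trailing-newline convention this hunk introduces and gives the operator a usable diagnostic instead of a core dump. The enclosing function starts and ends outside the hunk.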
dst->npeers=src->npeers;
memcpy(dst->peers, src->peers, sizeof(*dst->peers) * dst->npeers);
transport_peers_debug(st,dst,"copy",
- src->npeers, &src->peers->addr, sizeof(src->peers));
+ src->npeers, &src->peers->addr, sizeof(*src->peers));
}
void transport_xmit(struct site *st, transport_peers *peers,