X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=site.c;h=37968896ccb50f1d07370a7ff582d1697a158327;hb=1b8af2f7f86131a5364f2270865895ea597c591e;hp=bdc948a06dac5c896fb4fba3a1490ff140249a24;hpb=52ba8d4ede86d35c68fa4674c457df835be935e8;p=secnet.git
diff --git a/site.c b/site.c
index bdc948a..3796889 100644
--- a/site.c
+++ b/site.c
@@ -396,15 +396,23 @@ static uint32_t event_log_priority(struct site *st, uint32_t event)
     }
 }
 
+static uint32_t slog_start(struct site *st, uint32_t event)
+{
+    uint32_t class=event_log_priority(st, event);
+    if (class) {
+        slilog_part(st->log,class,"%s: ",st->tunname);
+    }
+    return class;
+}
+
 static void vslog(struct site *st, uint32_t event, cstring_t msg, va_list ap)
 FORMAT(printf,3,0);
 static void vslog(struct site *st, uint32_t event, cstring_t msg, va_list ap)
 {
     uint32_t class;
 
-    class=event_log_priority(st, event);
+    class=slog_start(st,event);
     if (class) {
-        slilog_part(st->log,class,"%s: ",st->tunname);
         vslilog_part(st->log,class,msg,ap);
         slilog_part(st->log,class,"\n");
     }
@@ -615,7 +623,9 @@ static void append_string_xinfo_done(struct buffer_if *buf,
 
 /* Build any of msg1 to msg4. msg5 and msg6 are built from the inside
    out using a transform of config data supplied by netlink */
-static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what)
+static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what,
+                           const struct msg *prompt
+                           /* may be 0 for MSG1 */)
 {
     string_t dhpub;
     unsigned minor;
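Review bot: The comment `/* may be 0 for MSG1 */` on generate_msg's new prompt parameter is narrower than the callers this commit introduces: generate_msg2 passes an argument named prompt_may_be_null, and enter_new_state documents its own prompt as possibly 0, which suggests a null prompt can reach generate_msg for MSG2 as well. The body of generate_msg is outside the hunk, so whether it dereferences prompt unconditionally cannot be seen here; if it does, MSG2 generation with a null prompt would fault. Suggest widening the comment to `/* may be 0 for MSG1 and MSG2 */` and confirming that every use of prompt in the body is guarded by a null check.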
@@ -796,10 +806,16 @@ static bool_t check_msg(struct site *st, uint32_t type, struct msg *m,
     return False;
 }
 
-static bool_t generate_msg1(struct site *st)
+static bool_t kex_init(struct site *st)
 {
     st->random->generate(st->random->st,NONCELEN,st->localN);
-    return generate_msg(st,LABEL_MSG1,"site:MSG1");
+    return True;
+}
+
+static bool_t generate_msg1(struct site *st, const struct msg *prompt_maybe_0)
+{
+    return
+        generate_msg(st,LABEL_MSG1,"site:MSG1",prompt_maybe_0);
 }
 
 static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
@@ -816,10 +832,11 @@ static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
     return True;
 }
 
-static bool_t generate_msg2(struct site *st)
+static bool_t generate_msg2(struct site *st,
+                            const struct msg *prompt_may_be_null)
 {
-    st->random->generate(st->random->st,NONCELEN,st->localN);
-    return generate_msg(st,LABEL_MSG2,"site:MSG2");
+    return
+        generate_msg(st,LABEL_MSG2,"site:MSG2",prompt_may_be_null);
 }
 
 static bool_t process_msg2(struct site *st, struct buffer_if *msg2,
@@ -869,7 +886,7 @@ kind##_found: \
     return True;
 }
 
-static bool_t generate_msg3(struct site *st)
+static bool_t generate_msg3(struct site *st, const struct msg *prompt)
 {
     /* Now we have our nonce and their nonce. Think of a secret key, and
        create message number 3. */
@@ -878,7 +895,7 @@ static bool_t generate_msg3(struct site *st)
                         (st->remote_capabilities & CAPAB_TRANSFORM_MASK)
                         ? LABEL_MSG3BIS : LABEL_MSG3,
-                        "site:MSG3");
+                        "site:MSG3",prompt);
 }
 
 static bool_t process_msg3_msg4(struct site *st, struct msg *m)
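Review bot: Refreshing st->localN (the local nonce, per the msg3 comment below) now happens only in kex_init rather than inside generate_msg1 and generate_msg2 (the removal from generate_msg2 is the second hunk on this line), so a fresh nonce per key exchange depends on every caller of those generators going through the enter_new_state cases that call kex_init first; any other present or future call site would reuse the previous nonce. kex_init also always returns True, so its bool_t result cannot currently signal anything and the `if (!kex_init(st)) return False;` checks in enter_new_state are an extension point rather than a live guard. A comment on kex_init would make the ordering contract explicit: `/* Must run before generate_msg1/generate_msg2: refreshes the local nonce st->localN */`.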
@@ -964,11 +981,11 @@ kind##_found: \
     return True;
 }
 
-static bool_t generate_msg4(struct site *st)
+static bool_t generate_msg4(struct site *st, const struct msg *prompt)
 {
     /* We have both nonces, their public key and our private key. Generate
        our public key, sign it and send it to them. */
-    return generate_msg(st,LABEL_MSG4,"site:MSG4");
+    return generate_msg(st,LABEL_MSG4,"site:MSG4",prompt);
 }
 
 static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
@@ -1014,7 +1031,7 @@ static bool_t unpick_msg0(struct site *st, struct buffer_if *msg0,
     /* Leaves transformed part of buffer untouched */
 }
 
-static bool_t generate_msg5(struct site *st)
+static bool_t generate_msg5(struct site *st, const struct msg *prompt)
 {
     cstring_t transform_err;
 
@@ -1080,7 +1097,7 @@ static void create_msg6(struct site *st, struct transform_inst_if *transform,
     buf_prepend_uint32(&st->buffer,session_id);
 }
 
-static bool_t generate_msg6(struct site *st)
+static bool_t generate_msg6(struct site *st, const struct msg *prompt)
 {
     if (!is_transform_valid(st->new_transform))
         return False;
@@ -1575,19 +1592,21 @@ static bool_t enter_new_state(struct site *st, uint32_t next,
                               const struct msg *prompt
                               /* may be 0 for SENTMSG1 */)
 {
-    bool_t (*gen)(struct site *st, struct msg *prompt);
+    bool_t (*gen)(struct site *st, const struct msg *prompt);
     int r;
 
     slog(st,LOG_STATE,"entering state %s",state_name(next));
     switch(next) {
     case SITE_SENTMSG1:
         state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE);
+        if (!kex_init(st)) return False;
         gen=generate_msg1;
         st->msg1_crossed_logged = False;
         break;
     case SITE_SENTMSG2:
         state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE ||
                      st->state==SITE_SENTMSG1 || st->state==SITE_WAIT);
+        if (!kex_init(st)) return False;
         gen=generate_msg2;
         break;
     case SITE_SENTMSG3:
@@ -1618,7 +1637,7 @@ static bool_t enter_new_state(struct site *st, uint32_t next,
 
     if (hacky_par_start_failnow()) return False;
 
-    r= gen(st) && send_msg(st);
+    r= gen(st,prompt) && send_msg(st);
 
     hacky_par_end(&r,
                   st->setup_retries, st->setup_retry_interval,
@@ -1802,15 +1821,31 @@ static void site_outgoing(void *sst, struct buffer_if *buf)
 }
 
 static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in,
-                           uint32_t type, struct msg *m)
+                           uint32_t type, struct msg *m,
+                           struct priomsg *whynot)
     /* For packets which are identified by the local and remote names.
      * If it has our name and our peer's name in it it's for us. */
 {
     struct buffer_if buf[1];
     buffer_readonly_clone(buf,buf_in);
-    return unpick_msg(st,type,buf,m)
-        && name_matches(&m->remote,st->remotename)
-        && name_matches(&m->local,st->localname);
+
+    if (!unpick_msg(st,type,buf,m)) {
+        priomsg_update_fixed(whynot, comm_notify_whynot_unpick, "malformed");
+        return False;
+    }
+#define NAME_MATCHES(lr) \
+    if (!name_matches(&m->lr, st->lr##name)) { \
+        if (priomsg_update_fixed(whynot, comm_notify_whynot_name_##lr, \
+                                 "unknown " #lr " name: ")) { \
+            truncmsg_add_packet_string(&whynot->m, m->lr.len, m->lr.name); \
+        } \
+        return False; \
+    }
+    NAME_MATCHES(remote);
+    NAME_MATCHES(local );
+#undef NAME_MATCHES
+
+    return True;
 }
 
 static bool_t we_have_priority(struct site *st, const struct msg *m) {
@@ -1831,7 +1866,7 @@ static bool_t setup_late_msg_ok(struct site *st,
      * late. Maybe they came via a different path. All we do is make
      * a note of the sending address, iff they look like they are part
      * of the current key setup attempt. */
-    if (!named_for_us(st,buf_in,msgtype,m))
+    if (!named_for_us(st,buf_in,msgtype,m,0))
         /* named_for_us calls unpick_msg which gets the nonces */
         return False;
     if (!consttime_memeq(m->nR,st->remoteN,NONCELEN) ||
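Review bot: named_for_us is now called with whynot==0 from setup_late_msg_ok (the third hunk on this line), so priomsg_update_fixed must both tolerate a null priomsg and return False for it, otherwise the `truncmsg_add_packet_string(&whynot->m, ...)` inside NAME_MATCHES dereferences the null pointer; neither helper is visible here, so this needs confirming. The peer-supplied name bytes (`m->lr.name`, length `m->lr.len`) are appended to the reason text, so truncmsg_add_packet_string must also bound the length and neutralise non-printable bytes before the text reaches a log line. A comment on the new parameter would record the contract: `struct priomsg *whynot /* may be 0 */`. As a matter of style, NAME_MATCHES hides a `return False` inside a statement-like macro; two explicit `if` blocks would read more plainly than a macro defined and undefined mid-function.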
@@ -1848,7 +1883,8 @@ static bool_t setup_late_msg_ok(struct site *st,
    this current site instance (and should therefore not be processed
    by other sites), even if the packet was otherwise ignored. */
 static bool_t site_incoming(void *sst, struct buffer_if *buf,
-                            const struct comm_addr *source)
+                            const struct comm_addr *source,
+                            struct priomsg *whynot)
 {
     struct site *st=sst;
 
@@ -1860,7 +1896,7 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf,
     /* initialised by named_for_us, or process_msgN for N!=1 */
 
     if (msgtype==LABEL_MSG1) {
-        if (!named_for_us(st,buf,msgtype,&msg))
+        if (!named_for_us(st,buf,msgtype,&msg,whynot))
             return False;
         /* It's a MSG1 addressed to us. Decide what to do about it. */
         dump_packet(st,buf,source,True,True);
@@ -1924,7 +1960,7 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf,
         return True;
     }
     if (msgtype==LABEL_PROD) {
-        if (!named_for_us(st,buf,msgtype,&msg))
+        if (!named_for_us(st,buf,msgtype,&msg,whynot))
             return False;
         dump_packet(st,buf,source,True,True);
         if (st->state!=SITE_RUN) {
@@ -2053,6 +2089,8 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf,
         return True;
     }
 
+    priomsg_update_fixed(whynot, comm_notify_whynot_general,
+                         "not MSG1 or PROD; unknown dest index");
     return False;
 }
 
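Review bot: The reason `not MSG1 or PROD; unknown dest index` is recorded only on the final return False of site_incoming; the two named_for_us failures in the earlier hunks do set whynot, but the rest of the function between the hunks is outside this view, so any other `return False` path there may leave whynot untouched and the caller would then report whichever reason was recorded previously. Worth checking each of those paths, or recording a generic reason once near the top of site_incoming and letting the specific paths override it. The call here is unconditional, which is consistent with whynot being non-null for the site_incoming callback, in contrast to the 0 passed from setup_late_msg_ok; a comment on the parameter, `struct priomsg *whynot /* never 0 here */`, would make that asymmetry explicit if it is intended.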