1 /* site.c - manage communication with a remote network site */
3 /* The 'site' code doesn't know anything about the structure of the
4 packets it's transmitting. In fact, under the new netlink
5 configuration scheme it doesn't need to know anything at all about
6 IP addresses, except how to contact its peer. This means it could
7 potentially be used to tunnel other protocols too (IPv6, IPX, plain
8 old Ethernet frames) if appropriate netlink code can be written
9 (and that ought not to be too hard, eg. using the TUN/TAP device to
10 pretend to be an Ethernet interface). */
12 /* At some point in the future the netlink code will be asked for
13 configuration information to go in the PING/PONG packets at the end
14 of the key exchange. */
21 #include <sys/socket.h>
25 #include "unaligned.h"
28 #define SETUP_BUFFER_LEN 2048
30 #define DEFAULT_KEY_LIFETIME (3600*1000) /* [ms] */
31 #define DEFAULT_KEY_RENEGOTIATE_GAP (5*60*1000) /* [ms] */
32 #define DEFAULT_SETUP_RETRIES 5
33 #define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
34 #define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
36 #define DEFAULT_MOBILE_KEY_LIFETIME (2*24*3600*1000) /* [ms] */
37 #define DEFAULT_MOBILE_KEY_RENEGOTIATE_GAP (12*3600*1000) /* [ms] */
38 #define DEFAULT_MOBILE_SETUP_RETRIES 30
39 #define DEFAULT_MOBILE_SETUP_RETRY_INTERVAL (1*1000) /* [ms] */
40 #define DEFAULT_MOBILE_WAIT_TIME (10*1000) /* [ms] */
42 #define DEFAULT_MOBILE_PEER_EXPIRY (2*60) /* [s] */
43 #define DEFAULT_MOBILE_PEERS_MAX 3 /* send at most this many copies (default) */
45 /* Each site can be in one of several possible states. */
48 SITE_STOP - nothing is allowed to happen; tunnel is down;
49 all session keys have been erased
50 -> SITE_RUN upon external instruction
51 SITE_RUN - site up, maybe with valid key
52 -> SITE_RESOLVE upon outgoing packet and no valid key
53 we start name resolution for the other end of the tunnel
54 -> SITE_SENTMSG2 upon valid incoming message 1 and suitable time
55 we send an appropriate message 2
56 SITE_RESOLVE - waiting for name resolution
57 -> SITE_SENTMSG1 upon successful resolution
58 we send an appropriate message 1
59 -> SITE_SENTMSG2 upon valid incoming message 1 (then abort resolution)
60 we abort resolution and
61 -> SITE_WAIT on timeout or resolution failure
63 -> SITE_SENTMSG2 upon valid incoming message 1 from higher priority end
64 -> SITE_SENTMSG3 upon valid incoming message 2
65 -> SITE_WAIT on timeout
67 -> SITE_SENTMSG4 upon valid incoming message 3
68 -> SITE_WAIT on timeout
70 -> SITE_SENTMSG5 upon valid incoming message 4
71 -> SITE_WAIT on timeout
73 -> SITE_RUN upon valid incoming message 5
74 -> SITE_WAIT on timeout
76 -> SITE_RUN upon valid incoming message 6
77 -> SITE_WAIT on timeout
78 SITE_WAIT - failed to establish key; do nothing for a while
79 -> SITE_RUN on timeout
84 #define SITE_RESOLVE 2
85 #define SITE_SENTMSG1 3
86 #define SITE_SENTMSG2 4
87 #define SITE_SENTMSG3 5
88 #define SITE_SENTMSG4 6
89 #define SITE_SENTMSG5 7
92 static cstring_t state_name(uint32_t state)
95 case 0: return "STOP";
97 case 2: return "RESOLVE";
98 case 3: return "SENTMSG1";
99 case 4: return "SENTMSG2";
100 case 5: return "SENTMSG3";
101 case 6: return "SENTMSG4";
102 case 7: return "SENTMSG5";
103 case 8: return "WAIT";
104 default: return "*bad state*";
110 #define LOG_UNEXPECTED 0x00000001
111 #define LOG_SETUP_INIT 0x00000002
112 #define LOG_SETUP_TIMEOUT 0x00000004
113 #define LOG_ACTIVATE_KEY 0x00000008
114 #define LOG_TIMEOUT_KEY 0x00000010
115 #define LOG_SEC 0x00000020
116 #define LOG_STATE 0x00000040
117 #define LOG_DROP 0x00000080
118 #define LOG_DUMP 0x00000100
119 #define LOG_ERROR 0x00000400
120 #define LOG_PEER_ADDRS 0x00000800
122 static struct flagstr log_event_table[]={
123 { "unexpected", LOG_UNEXPECTED },
124 { "setup-init", LOG_SETUP_INIT },
125 { "setup-timeout", LOG_SETUP_TIMEOUT },
126 { "activate-key", LOG_ACTIVATE_KEY },
127 { "timeout-key", LOG_TIMEOUT_KEY },
128 { "security", LOG_SEC },
129 { "state-change", LOG_STATE },
130 { "packet-drop", LOG_DROP },
131 { "dump-packets", LOG_DUMP },
132 { "errors", LOG_ERROR },
133 { "peer-addrs", LOG_PEER_ADDRS },
134 { "default", LOG_SETUP_INIT|LOG_SETUP_TIMEOUT|
135 LOG_ACTIVATE_KEY|LOG_TIMEOUT_KEY|LOG_SEC|LOG_ERROR },
136 { "all", 0xffffffff },
141 /***** TRANSPORT PEERS declarations *****/
143 /* Details of "mobile peer" semantics:
145 - We record mobile_peers_max peer address/port numbers ("peers")
146 for key setup, and separately mobile_peers_max for data
147 transfer. If these lists fill up, we retain the newest peers.
148 (For non-mobile peers we only record one of each.)
150 - Outgoing packets are sent to every recorded peer in the
153 - Data transfer peers are straightforward: whenever we successfully
154 process a data packet, we record the peer. Also, whenever we
155 successfully complete a key setup, we merge the key setup
156 peers into the data transfer peers.
158 (For "non-mobile" peers we simply copy the peer used for
159 successful key setup, and don't change the peer otherwise.)
161 - Key setup peers are slightly more complicated.
163 Whenever we receive and successfully process a key exchange
164 packet, we record the peer.
166 Whenever we try to initiate a key setup, we copy the list of data
167 transfer peers and use it for key setup. But we also look to see
168 if the config supplies an address and port number and if so we
169 add that as a key setup peer (possibly evicting one of the data
170 transfer peers we just copied).
172 (For "non-mobile" peers, if we if we have a configured peer
173 address and port, we always use that; otherwise if we have a
174 current data peer address we use that; otherwise we do not
175 attempt to initiate a key setup for lack of a peer address.)
177 "Record the peer" means
178 1. expire any peers last seen >120s ("mobile-peer-expiry") ago
179 2. add the peer of the just received packet to the applicable list
180 (possibly evicting older entries)
181 NB that we do not expire peers until an incoming packet arrives.
185 #define MAX_MOBILE_PEERS_MAX 5 /* send at most this many copies, compiled max */
189 struct comm_addr addr;
193 /* configuration information */
194 /* runtime information */
196 transport_peer peers[MAX_MOBILE_PEERS_MAX];
199 static void transport_peers_clear(struct site *st, transport_peers *peers);
200 static int transport_peers_valid(transport_peers *peers);
201 static void transport_peers_copy(struct site *st, transport_peers *dst,
202 const transport_peers *src);
204 static void transport_setup_msgok(struct site *st, const struct comm_addr *a);
205 static void transport_data_msgok(struct site *st, const struct comm_addr *a);
206 static bool_t transport_compute_setupinit_peers(struct site *st,
207 const struct comm_addr *configured_addr /* 0 if none or not found */);
208 static void transport_record_peer(struct site *st, transport_peers *peers,
209 const struct comm_addr *addr, const char *m);
211 static void transport_xmit(struct site *st, transport_peers *peers,
212 struct buffer_if *buf, bool_t candebug);
214 /***** END of transport peers declarations *****/
218 struct transform_inst_if *transform;
219 uint64_t key_timeout; /* End of life of current key */
220 uint32_t remote_session_id;
226 /* configuration information */
229 bool_t peer_mobile; /* Mobile client support */
230 int32_t transport_peers_max;
231 string_t tunname; /* localname<->remotename by default, used in logs */
232 string_t address; /* DNS name for bootstrapping, optional */
233 int remoteport; /* Port for bootstrapping, optional */
234 struct netlink_if *netlink;
235 struct comm_if **comms;
237 struct resolver_if *resolver;
239 struct random_if *random;
240 struct rsaprivkey_if *privkey;
241 struct rsapubkey_if *pubkey;
242 struct transform_if **transforms;
245 struct hash_if *hash;
247 uint32_t index; /* Index of this site */
248 uint32_t local_capabilities;
249 int32_t setup_retries; /* How many times to send setup packets */
250 int32_t setup_retry_interval; /* Initial timeout for setup packets */
251 int32_t wait_timeout; /* How long to wait if setup unsuccessful */
252 int32_t mobile_peer_expiry; /* How long to remember 2ary addresses */
253 int32_t key_lifetime; /* How long a key lasts once set up */
254 int32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
255 after this time, initiate a new
258 bool_t setup_priority; /* Do we have precedence if both sites emit
259 message 1 simultaneously? */
262 /* runtime information */
264 uint64_t now; /* Most recently seen time */
266 /* The currently established session */
267 struct data_key current;
268 struct data_key auxiliary_key;
269 bool_t auxiliary_is_new;
270 uint64_t renegotiate_key_time; /* When we can negotiate a new key */
271 uint64_t auxiliary_renegotiate_key_time;
272 transport_peers peers; /* Current address(es) of peer for data traffic */
274 /* The current key setup protocol exchange. We can only be
275 involved in one of these at a time. There's a potential for
276 denial of service here (the attacker keeps sending a setup
277 packet; we keep trying to continue the exchange, and have to
278 timeout before we can listen for another setup packet); perhaps
279 we should keep a list of 'bad' sources for setup packets. */
280 uint32_t remote_capabilities;
281 struct transform_if *chosen_transform;
282 uint32_t setup_session_id;
283 transport_peers setup_peers;
284 uint8_t localN[NONCELEN]; /* Nonces for key exchange */
285 uint8_t remoteN[NONCELEN];
286 struct buffer_if buffer; /* Current outgoing key exchange packet */
287 struct buffer_if scratch;
288 int32_t retries; /* Number of retries remaining */
289 uint64_t timeout; /* Timeout for current state */
291 uint8_t *sharedsecret;
292 uint32_t sharedsecretlen, sharedsecretallocd;
293 struct transform_inst_if *new_transform; /* For key setup/verify */
296 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
298 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
306 if (event&st->log_events) {
308 case LOG_UNEXPECTED: class=M_INFO; break;
309 case LOG_SETUP_INIT: class=M_INFO; break;
310 case LOG_SETUP_TIMEOUT: class=M_NOTICE; break;
311 case LOG_ACTIVATE_KEY: class=M_INFO; break;
312 case LOG_TIMEOUT_KEY: class=M_INFO; break;
313 case LOG_SEC: class=M_SECURITY; break;
314 case LOG_STATE: class=M_DEBUG; break;
315 case LOG_DROP: class=M_DEBUG; break;
316 case LOG_DUMP: class=M_DEBUG; break;
317 case LOG_ERROR: class=M_ERR; break;
318 case LOG_PEER_ADDRS: class=M_DEBUG; break;
319 default: class=M_ERR; break;
322 vsnprintf(buf,sizeof(buf),msg,ap);
323 slilog(st->log,class,"%s: %s",st->tunname,buf);
328 static void set_link_quality(struct site *st);
329 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel);
330 static void delete_one_key(struct site *st, struct data_key *key,
331 const char *reason /* may be 0 meaning don't log*/,
332 const char *which /* ignored if !reasonn */,
333 uint32_t loglevel /* ignored if !reasonn */);
334 static bool_t initiate_key_setup(struct site *st, cstring_t reason);
335 static void enter_state_run(struct site *st);
336 static bool_t enter_state_resolve(struct site *st);
337 static bool_t enter_new_state(struct site *st,uint32_t next);
338 static void enter_state_wait(struct site *st);
339 static void activate_new_key(struct site *st);
341 static bool_t is_transform_valid(struct transform_inst_if *transform)
343 return transform && transform->valid(transform->st);
346 static bool_t current_valid(struct site *st)
348 return is_transform_valid(st->current.transform);
351 #define DEFINE_CALL_TRANSFORM(fwdrev) \
352 static int call_transform_##fwdrev(struct site *st, \
353 struct transform_inst_if *transform, \
354 struct buffer_if *buf, \
355 const char **errmsg) \
357 if (!is_transform_valid(transform)) { \
358 *errmsg="transform not set up"; \
361 return transform->fwdrev(transform->st,buf,errmsg); \
364 DEFINE_CALL_TRANSFORM(forwards)
365 DEFINE_CALL_TRANSFORM(reverse)
367 static void dispose_transform(struct transform_inst_if **transform_var)
369 struct transform_inst_if *transform=*transform_var;
371 transform->delkey(transform->st);
372 transform->destroy(transform->st);
377 #define CHECK_AVAIL(b,l) do { if ((b)->size<(l)) return False; } while(0)
378 #define CHECK_EMPTY(b) do { if ((b)->size!=0) return False; } while(0)
379 #define CHECK_TYPE(b,t) do { uint32_t type; \
380 CHECK_AVAIL((b),4); \
381 type=buf_unprepend_uint32((b)); \
382 if (type!=(t)) return False; } while(0)
387 struct buffer_if extrainfo;
394 struct parsedname remote;
395 struct parsedname local;
396 uint32_t remote_capabilities;
397 int capab_transformnum;
407 static void set_new_transform(struct site *st, char *pk)
409 /* Make room for the shared key */
410 st->sharedsecretlen=st->chosen_transform->keylen?:st->dh->ceil_len;
411 assert(st->sharedsecretlen);
412 if (st->sharedsecretlen > st->sharedsecretallocd) {
413 st->sharedsecretallocd=st->sharedsecretlen;
414 st->sharedsecret=realloc(st->sharedsecret,st->sharedsecretallocd);
416 if (!st->sharedsecret) fatal_perror("site:sharedsecret");
418 /* Generate the shared key */
419 st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,pk,
420 st->sharedsecret,st->sharedsecretlen);
422 /* Set up the transform */
423 struct transform_if *generator=st->chosen_transform;
424 struct transform_inst_if *generated=generator->create(generator->st);
425 generated->setkey(generated->st,st->sharedsecret,
426 st->sharedsecretlen,st->setup_priority);
427 dispose_transform(&st->new_transform);
428 st->new_transform=generated;
430 slog(st,LOG_SETUP_INIT,"key exchange negotiated transform"
431 " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")",
432 st->chosen_transform->capab_transformnum,
433 st->local_capabilities, st->remote_capabilities);
437 int32_t lenpos, afternul;
439 static void append_string_xinfo_start(struct buffer_if *buf,
440 struct xinfoadd *xia,
442 /* Helps construct one of the names with additional info as found
443 * in MSG1..4. Call this function first, then append all the
444 * desired extra info (not including the nul byte) to the buffer,
445 * then call append_string_xinfo_done. */
447 xia->lenpos = buf->size;
448 buf_append_string(buf,str);
449 buf_append_uint8(buf,0);
450 xia->afternul = buf->size;
452 static void append_string_xinfo_done(struct buffer_if *buf,
453 struct xinfoadd *xia)
455 /* we just need to adjust the string length */
456 if (buf->size == xia->afternul) {
457 /* no extra info, strip the nul too */
458 buf_unappend_uint8(buf);
460 put_uint16(buf->start+xia->lenpos, buf->size-(xia->lenpos+2));
464 /* Build any of msg1 to msg4. msg5 and msg6 are built from the inside
465 out using a transform of config data supplied by netlink */
466 static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what)
472 st->retries=st->setup_retries;
473 BUF_ALLOC(&st->buffer,what);
474 buffer_init(&st->buffer,0);
475 buf_append_uint32(&st->buffer,
476 (type==LABEL_MSG1?0:st->setup_session_id));
477 buf_append_uint32(&st->buffer,st->index);
478 buf_append_uint32(&st->buffer,type);
481 append_string_xinfo_start(&st->buffer,&xia,st->localname);
482 if ((st->local_capabilities & CAPAB_EARLY) || (type != LABEL_MSG1)) {
483 buf_append_uint32(&st->buffer,st->local_capabilities);
485 append_string_xinfo_done(&st->buffer,&xia);
487 buf_append_string(&st->buffer,st->remotename);
488 memcpy(buf_append(&st->buffer,NONCELEN),st->localN,NONCELEN);
489 if (type==LABEL_MSG1) return True;
490 memcpy(buf_append(&st->buffer,NONCELEN),st->remoteN,NONCELEN);
491 if (type==LABEL_MSG2) return True;
493 if (hacky_par_mid_failnow()) return False;
495 if (type==LABEL_MSG3BIS)
496 buf_append_uint8(&st->buffer,st->chosen_transform->capab_transformnum);
498 dhpub=st->dh->makepublic(st->dh->st,st->dhsecret,st->dh->len);
499 buf_append_string(&st->buffer,dhpub);
501 hash=safe_malloc(st->hash->len, "generate_msg");
502 hst=st->hash->init();
503 st->hash->update(hst,st->buffer.start,st->buffer.size);
504 st->hash->final(hst,hash);
505 sig=st->privkey->sign(st->privkey->st,hash,st->hash->len);
506 buf_append_string(&st->buffer,sig);
512 static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm)
515 nm->len=buf_unprepend_uint16(msg);
516 CHECK_AVAIL(msg,nm->len);
517 nm->name=buf_unprepend(msg,nm->len);
518 uint8_t *nul=memchr(nm->name,0,nm->len);
520 buffer_readonly_view(&nm->extrainfo,0,0);
522 buffer_readonly_view(&nm->extrainfo, nul+1, msg->start-(nul+1));
523 nm->len=nul-nm->name;
528 static bool_t unpick_msg(struct site *st, uint32_t type,
529 struct buffer_if *msg, struct msg *m)
531 m->capab_transformnum=-1;
532 m->hashstart=msg->start;
534 m->dest=buf_unprepend_uint32(msg);
536 m->source=buf_unprepend_uint32(msg);
537 CHECK_TYPE(msg,type);
538 if (!unpick_name(msg,&m->remote)) return False;
539 m->remote_capabilities=0;
540 if (m->remote.extrainfo.size) {
541 CHECK_AVAIL(&m->remote.extrainfo,4);
542 m->remote_capabilities=buf_unprepend_uint32(&m->remote.extrainfo);
544 if (!unpick_name(msg,&m->local)) return False;
545 CHECK_AVAIL(msg,NONCELEN);
546 m->nR=buf_unprepend(msg,NONCELEN);
547 if (type==LABEL_MSG1) {
551 CHECK_AVAIL(msg,NONCELEN);
552 m->nL=buf_unprepend(msg,NONCELEN);
553 if (type==LABEL_MSG2) {
557 if (type==LABEL_MSG3BIS) {
559 m->capab_transformnum = buf_unprepend_uint8(msg);
561 m->capab_transformnum = CAPAB_TRANSFORMNUM_ANCIENT;
564 m->pklen=buf_unprepend_uint16(msg);
565 CHECK_AVAIL(msg,m->pklen);
566 m->pk=buf_unprepend(msg,m->pklen);
567 m->hashlen=msg->start-m->hashstart;
569 m->siglen=buf_unprepend_uint16(msg);
570 CHECK_AVAIL(msg,m->siglen);
571 m->sig=buf_unprepend(msg,m->siglen);
576 static bool_t name_matches(const struct parsedname *nm, const char *expected)
578 int expected_len=strlen(expected);
580 nm->len == expected_len &&
581 !memcmp(nm->name, expected, expected_len);
584 static bool_t check_msg(struct site *st, uint32_t type, struct msg *m,
587 if (type==LABEL_MSG1) return True;
589 /* Check that the site names and our nonce have been sent
590 back correctly, and then store our peer's nonce. */
591 if (!name_matches(&m->remote,st->remotename)) {
592 *error="wrong remote site name";
595 if (!name_matches(&m->local,st->localname)) {
596 *error="wrong local site name";
599 if (memcmp(m->nL,st->localN,NONCELEN)!=0) {
600 *error="wrong locally-generated nonce";
603 if (type==LABEL_MSG2) return True;
604 if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) {
605 *error="wrong remotely-generated nonce";
608 /* MSG3 has complicated rules about capabilities, which are
609 * handled in process_msg3. */
610 if (type==LABEL_MSG3 || type==LABEL_MSG3BIS) return True;
611 if (m->remote_capabilities!=st->remote_capabilities) {
612 *error="remote capabilities changed";
615 if (type==LABEL_MSG4) return True;
616 *error="unknown message type";
620 static bool_t generate_msg1(struct site *st)
622 st->random->generate(st->random->st,NONCELEN,st->localN);
623 return generate_msg(st,LABEL_MSG1,"site:MSG1");
626 static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
627 const struct comm_addr *src, struct msg *m)
629 /* We've already determined we're in an appropriate state to
630 process an incoming MSG1, and that the MSG1 has correct values
633 transport_record_peer(st,&st->setup_peers,src,"msg1");
634 st->setup_session_id=m->source;
635 st->remote_capabilities=m->remote_capabilities;
636 memcpy(st->remoteN,m->nR,NONCELEN);
640 static bool_t generate_msg2(struct site *st)
642 st->random->generate(st->random->st,NONCELEN,st->localN);
643 return generate_msg(st,LABEL_MSG2,"site:MSG2");
646 static bool_t process_msg2(struct site *st, struct buffer_if *msg2,
647 const struct comm_addr *src)
652 if (!unpick_msg(st,LABEL_MSG2,msg2,&m)) return False;
653 if (!check_msg(st,LABEL_MSG2,&m,&err)) {
654 slog(st,LOG_SEC,"msg2: %s",err);
657 st->setup_session_id=m.source;
658 st->remote_capabilities=m.remote_capabilities;
660 /* Select the transform to use */
662 uint32_t remote_transforms = st->remote_capabilities & CAPAB_TRANSFORM_MASK;
663 if (!remote_transforms)
664 /* old secnets only had this one transform */
665 remote_transforms = 1UL << CAPAB_TRANSFORMNUM_ANCIENT;
667 struct transform_if *ti;
669 for (i=0; i<st->ntransforms; i++) {
670 ti=st->transforms[i];
671 if ((1UL << ti->capab_transformnum) & remote_transforms)
672 goto transform_found;
674 slog(st,LOG_ERROR,"no transforms in common"
675 " (us %#"PRIx32"; them: %#"PRIx32")",
676 st->local_capabilities & CAPAB_TRANSFORM_MASK,
680 st->chosen_transform=ti;
682 memcpy(st->remoteN,m.nR,NONCELEN);
686 static bool_t generate_msg3(struct site *st)
688 /* Now we have our nonce and their nonce. Think of a secret key,
689 and create message number 3. */
690 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
691 return generate_msg(st,
692 (st->remote_capabilities & CAPAB_TRANSFORM_MASK
693 ? LABEL_MSG3BIS : LABEL_MSG3),
697 static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
698 const struct comm_addr *src, uint32_t msgtype)
705 assert(msgtype==LABEL_MSG3 || msgtype==LABEL_MSG3BIS);
707 if (!unpick_msg(st,msgtype,msg3,&m)) return False;
708 if (!check_msg(st,msgtype,&m,&err)) {
709 slog(st,LOG_SEC,"msg3: %s",err);
712 uint32_t capab_adv_late = m.remote_capabilities
713 & ~st->remote_capabilities & CAPAB_EARLY;
714 if (capab_adv_late) {
715 slog(st,LOG_SEC,"msg3 impermissibly adds early capability flag(s)"
716 " %#"PRIx32" (was %#"PRIx32", now %#"PRIx32")",
717 capab_adv_late, st->remote_capabilities, m.remote_capabilities);
720 st->remote_capabilities|=m.remote_capabilities;
722 struct transform_if *ti;
724 for (i=0; i<st->ntransforms; i++) {
725 ti=st->transforms[i];
726 if (ti->capab_transformnum == m.capab_transformnum)
727 goto transform_found;
729 slog(st,LOG_SEC,"peer chose unknown-to-us transform %d!",
730 m.capab_transformnum);
733 st->chosen_transform=ti;
735 /* Check signature and store g^x mod m */
736 hash=safe_malloc(st->hash->len, "process_msg3");
737 hst=st->hash->init();
738 st->hash->update(hst,m.hashstart,m.hashlen);
739 st->hash->final(hst,hash);
740 /* Terminate signature with a '0' - cheating, but should be ok */
742 if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m.sig)) {
743 slog(st,LOG_SEC,"msg3 signature failed check!");
749 /* Terminate their DH public key with a '0' */
751 /* Invent our DH secret key */
752 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
754 /* Generate the shared key and set up the transform */
755 set_new_transform(st,m.pk);
760 static bool_t generate_msg4(struct site *st)
762 /* We have both nonces, their public key and our private key. Generate
763 our public key, sign it and send it to them. */
764 return generate_msg(st,LABEL_MSG4,"site:MSG4");
767 static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
768 const struct comm_addr *src)
775 if (!unpick_msg(st,LABEL_MSG4,msg4,&m)) return False;
776 if (!check_msg(st,LABEL_MSG4,&m,&err)) {
777 slog(st,LOG_SEC,"msg4: %s",err);
781 /* Check signature and store g^x mod m */
782 hash=safe_malloc(st->hash->len, "process_msg4");
783 hst=st->hash->init();
784 st->hash->update(hst,m.hashstart,m.hashlen);
785 st->hash->final(hst,hash);
786 /* Terminate signature with a '0' - cheating, but should be ok */
788 if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m.sig)) {
789 slog(st,LOG_SEC,"msg4 signature failed check!");
795 /* Terminate their DH public key with a '0' */
798 /* Generate the shared key and set up the transform */
799 set_new_transform(st,m.pk);
810 static bool_t unpick_msg0(struct site *st, struct buffer_if *msg0,
814 m->dest=buf_unprepend_uint32(msg0);
816 m->source=buf_unprepend_uint32(msg0);
818 m->type=buf_unprepend_uint32(msg0);
820 /* Leaves transformed part of buffer untouched */
823 static bool_t generate_msg5(struct site *st)
825 cstring_t transform_err;
827 BUF_ALLOC(&st->buffer,"site:MSG5");
828 /* We are going to add four words to the message */
829 buffer_init(&st->buffer,st->new_transform->max_start_pad+(4*4));
830 /* Give the netlink code an opportunity to put its own stuff in the
831 message (configuration information, etc.) */
832 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
833 if (call_transform_forwards(st,st->new_transform,
834 &st->buffer,&transform_err))
836 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
837 buf_prepend_uint32(&st->buffer,st->index);
838 buf_prepend_uint32(&st->buffer,st->setup_session_id);
840 st->retries=st->setup_retries;
844 static bool_t process_msg5(struct site *st, struct buffer_if *msg5,
845 const struct comm_addr *src,
846 struct transform_inst_if *transform)
849 cstring_t transform_err;
851 if (!unpick_msg0(st,msg5,&m)) return False;
853 if (call_transform_reverse(st,transform,msg5,&transform_err)) {
854 /* There's a problem */
855 slog(st,LOG_SEC,"process_msg5: transform: %s",transform_err);
858 /* Buffer should now contain untransformed PING packet data */
860 if (buf_unprepend_uint32(msg5)!=LABEL_MSG5) {
861 slog(st,LOG_SEC,"MSG5/PING packet contained wrong label");
864 /* Older versions of secnet used to write some config data here
865 * which we ignore. So we don't CHECK_EMPTY */
869 static void create_msg6(struct site *st, struct transform_inst_if *transform,
872 cstring_t transform_err;
874 BUF_ALLOC(&st->buffer,"site:MSG6");
875 /* We are going to add four words to the message */
876 buffer_init(&st->buffer,transform->max_start_pad+(4*4));
877 /* Give the netlink code an opportunity to put its own stuff in the
878 message (configuration information, etc.) */
879 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
880 int problem = call_transform_forwards(st,transform,
881 &st->buffer,&transform_err);
883 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
884 buf_prepend_uint32(&st->buffer,st->index);
885 buf_prepend_uint32(&st->buffer,session_id);
888 static bool_t generate_msg6(struct site *st)
890 if (!is_transform_valid(st->new_transform))
892 create_msg6(st,st->new_transform,st->setup_session_id);
893 st->retries=1; /* Peer will retransmit MSG5 if this packet gets lost */
897 static bool_t process_msg6(struct site *st, struct buffer_if *msg6,
898 const struct comm_addr *src)
901 cstring_t transform_err;
903 if (!unpick_msg0(st,msg6,&m)) return False;
905 if (call_transform_reverse(st,st->new_transform,msg6,&transform_err)) {
906 /* There's a problem */
907 slog(st,LOG_SEC,"process_msg6: transform: %s",transform_err);
910 /* Buffer should now contain untransformed PING packet data */
912 if (buf_unprepend_uint32(msg6)!=LABEL_MSG6) {
913 slog(st,LOG_SEC,"MSG6/PONG packet contained invalid data");
916 /* Older versions of secnet used to write some config data here
917 * which we ignore. So we don't CHECK_EMPTY */
921 static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0,
922 const struct comm_addr *src)
924 cstring_t transform_err, auxkey_err, newkey_err="n/a";
928 if (!unpick_msg0(st,msg0,&m)) return False;
930 /* Keep a copy so we can try decrypting it with multiple keys */
931 buffer_copy(&st->scratch, msg0);
933 problem = call_transform_reverse(st,st->current.transform,
934 msg0,&transform_err);
936 if (!st->auxiliary_is_new)
937 delete_one_key(st,&st->auxiliary_key,
938 "peer has used new key","auxiliary key",LOG_SEC);
944 buffer_copy(msg0, &st->scratch);
945 problem = call_transform_reverse(st,st->auxiliary_key.transform,
948 slog(st,LOG_DROP,"processing packet which uses auxiliary key");
949 if (st->auxiliary_is_new) {
950 /* We previously timed out in state SENTMSG5 but it turns
951 * out that our peer did in fact get our MSG5 and is
952 * using the new key. So we should switch to it too. */
953 /* This is a bit like activate_new_key. */
956 st->current=st->auxiliary_key;
959 delete_one_key(st,&st->auxiliary_key,"peer has used new key",
960 "previous key",LOG_SEC);
961 st->auxiliary_is_new=0;
962 st->renegotiate_key_time=st->auxiliary_renegotiate_key_time;
969 if (st->state==SITE_SENTMSG5) {
970 buffer_copy(msg0, &st->scratch);
971 problem = call_transform_reverse(st,st->new_transform,
974 /* It looks like we didn't get the peer's MSG6 */
975 /* This is like a cut-down enter_new_state(SITE_RUN) */
976 slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)");
977 BUF_FREE(&st->buffer);
979 activate_new_key(st);
980 return True; /* do process the data in this packet */
986 slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)",
987 transform_err,auxkey_err,newkey_err);
988 initiate_key_setup(st,"incoming message would not decrypt");
989 send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt");
993 slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err);
997 static bool_t process_msg0(struct site *st, struct buffer_if *msg0,
998 const struct comm_addr *src)
1002 if (!decrypt_msg0(st,msg0,src))
1005 CHECK_AVAIL(msg0,4);
1006 type=buf_unprepend_uint32(msg0);
1009 /* We must forget about the current session. */
1010 delete_keys(st,"request from peer",LOG_SEC);
1013 /* Deliver to netlink layer */
1014 st->netlink->deliver(st->netlink->st,msg0);
1015 transport_data_msgok(st,src);
1016 /* See whether we should start negotiating a new key */
1017 if (st->now > st->renegotiate_key_time)
1018 initiate_key_setup(st,"incoming packet in renegotiation window");
1021 slog(st,LOG_SEC,"incoming encrypted message of type %08x "
1028 static void dump_packet(struct site *st, struct buffer_if *buf,
1029 const struct comm_addr *addr, bool_t incoming)
1031 uint32_t dest=get_uint32(buf->start);
1032 uint32_t source=get_uint32(buf->start+4);
1033 uint32_t msgtype=get_uint32(buf->start+8);
1035 if (st->log_events & LOG_DUMP)
1036 slilog(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x:",
1037 st->tunname,incoming?"incoming":"outgoing",
1038 dest,source,msgtype);
1041 static uint32_t site_status(void *st)
1046 static bool_t send_msg(struct site *st)
1048 if (st->retries>0) {
1049 transport_xmit(st, &st->setup_peers, &st->buffer, True);
1050 st->timeout=st->now+st->setup_retry_interval;
1053 } else if (st->state==SITE_SENTMSG5) {
1054 slog(st,LOG_SETUP_TIMEOUT,"timed out sending MSG5, stashing new key");
1055 /* We stash the key we have produced, in case it turns out that
1056 * our peer did see our MSG5 after all and starts using it. */
1057 /* This is a bit like some of activate_new_key */
1058 struct transform_inst_if *t;
1059 t=st->auxiliary_key.transform;
1060 st->auxiliary_key.transform=st->new_transform;
1061 st->new_transform=t;
1062 dispose_transform(&st->new_transform);
1064 st->auxiliary_is_new=1;
1065 st->auxiliary_key.key_timeout=st->now+st->key_lifetime;
1066 st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time;
1067 st->auxiliary_key.remote_session_id=st->setup_session_id;
1069 enter_state_wait(st);
1072 slog(st,LOG_SETUP_TIMEOUT,"timed out sending key setup packet "
1073 "(in state %s)",state_name(st->state));
1074 enter_state_wait(st);
1079 static void site_resolve_callback(void *sst, struct in_addr *address)
1081 struct site *st=sst;
1082 struct comm_addr ca_buf, *ca_use;
1084 if (st->state!=SITE_RESOLVE) {
1085 slog(st,LOG_UNEXPECTED,"site_resolve_callback called unexpectedly");
1090 ca_buf.comm=st->comms[0];
1091 ca_buf.sin.sin_family=AF_INET;
1092 ca_buf.sin.sin_port=htons(st->remoteport);
1093 ca_buf.sin.sin_addr=*address;
1096 slog(st,LOG_ERROR,"resolution of %s failed",st->address);
1099 if (transport_compute_setupinit_peers(st,ca_use)) {
1100 enter_new_state(st,SITE_SENTMSG1);
1102 /* Can't figure out who to try to to talk to */
1103 slog(st,LOG_SETUP_INIT,"key exchange failed: cannot find peer address");
1104 enter_state_run(st);
1108 static bool_t initiate_key_setup(struct site *st, cstring_t reason)
1110 if (st->state!=SITE_RUN) return False;
1111 slog(st,LOG_SETUP_INIT,"initiating key exchange (%s)",reason);
1113 slog(st,LOG_SETUP_INIT,"resolving peer address");
1114 return enter_state_resolve(st);
1115 } else if (transport_compute_setupinit_peers(st,0)) {
1116 return enter_new_state(st,SITE_SENTMSG1);
1118 slog(st,LOG_SETUP_INIT,"key exchange failed: no address for peer");
1122 static void activate_new_key(struct site *st)
1124 struct transform_inst_if *t;
1126 /* We have three transform instances, which we swap between old,
1128 t=st->auxiliary_key.transform;
1129 st->auxiliary_key.transform=st->current.transform;
1130 st->current.transform=st->new_transform;
1131 st->new_transform=t;
1132 dispose_transform(&st->new_transform);
1135 st->auxiliary_is_new=0;
1136 st->auxiliary_key.key_timeout=st->current.key_timeout;
1137 st->current.key_timeout=st->now+st->key_lifetime;
1138 st->renegotiate_key_time=st->now+st->key_renegotiate_time;
1139 transport_peers_copy(st,&st->peers,&st->setup_peers);
1140 st->current.remote_session_id=st->setup_session_id;
1142 slog(st,LOG_ACTIVATE_KEY,"new key activated");
1143 enter_state_run(st);
1146 static void delete_one_key(struct site *st, struct data_key *key,
1147 cstring_t reason, cstring_t which, uint32_t loglevel)
1149 if (!is_transform_valid(key->transform)) return;
1150 if (reason) slog(st,loglevel,"%s deleted (%s)",which,reason);
1151 dispose_transform(&key->transform);
1155 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel)
1157 if (current_valid(st)) {
1158 slog(st,loglevel,"session closed (%s)",reason);
1160 delete_one_key(st,&st->current,0,0,0);
1161 set_link_quality(st);
1163 delete_one_key(st,&st->auxiliary_key,0,0,0);
1166 static void state_assert(struct site *st, bool_t ok)
1168 if (!ok) fatal("site:state_assert");
1171 static void enter_state_stop(struct site *st)
1173 st->state=SITE_STOP;
1175 delete_keys(st,"entering state STOP",LOG_TIMEOUT_KEY);
1176 dispose_transform(&st->new_transform);
1179 static void set_link_quality(struct site *st)
1182 if (current_valid(st))
1183 quality=LINK_QUALITY_UP;
1184 else if (st->state==SITE_WAIT || st->state==SITE_STOP)
1185 quality=LINK_QUALITY_DOWN;
1186 else if (st->address)
1187 quality=LINK_QUALITY_DOWN_CURRENT_ADDRESS;
1188 else if (transport_peers_valid(&st->peers))
1189 quality=LINK_QUALITY_DOWN_STALE_ADDRESS;
1191 quality=LINK_QUALITY_DOWN;
1193 st->netlink->set_quality(st->netlink->st,quality);
1196 static void enter_state_run(struct site *st)
1198 slog(st,LOG_STATE,"entering state RUN");
1202 st->setup_session_id=0;
1203 transport_peers_clear(st,&st->setup_peers);
1204 memset(st->localN,0,NONCELEN);
1205 memset(st->remoteN,0,NONCELEN);
1206 dispose_transform(&st->new_transform);
1207 memset(st->dhsecret,0,st->dh->len);
1208 memset(st->sharedsecret,0,st->sharedsecretlen);
1209 set_link_quality(st);
1212 static bool_t enter_state_resolve(struct site *st)
1214 state_assert(st,st->state==SITE_RUN);
1215 slog(st,LOG_STATE,"entering state RESOLVE");
1216 st->state=SITE_RESOLVE;
1217 st->resolver->request(st->resolver->st,st->address,
1218 site_resolve_callback,st);
1222 static bool_t enter_new_state(struct site *st, uint32_t next)
1224 bool_t (*gen)(struct site *st);
1227 slog(st,LOG_STATE,"entering state %s",state_name(next));
1230 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE);
1234 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1235 st->state==SITE_SENTMSG1 || st->state==SITE_WAIT);
1239 state_assert(st,st->state==SITE_SENTMSG1);
1240 BUF_FREE(&st->buffer);
1244 state_assert(st,st->state==SITE_SENTMSG2);
1245 BUF_FREE(&st->buffer);
1249 state_assert(st,st->state==SITE_SENTMSG3);
1250 BUF_FREE(&st->buffer);
1254 state_assert(st,st->state==SITE_SENTMSG4);
1255 BUF_FREE(&st->buffer);
1260 fatal("enter_new_state(%s): invalid new state",state_name(next));
1264 if (hacky_par_start_failnow()) return False;
1266 r= gen(st) && send_msg(st);
1269 st->setup_retries, st->setup_retry_interval,
1274 if (next==SITE_RUN) {
1275 BUF_FREE(&st->buffer); /* Never reused */
1276 st->timeout=0; /* Never retransmit */
1277 activate_new_key(st);
1281 slog(st,LOG_ERROR,"error entering state %s",state_name(next));
1282 st->buffer.free=False; /* Unconditionally use the buffer; it may be
1283 in either state, and enter_state_wait() will
1285 enter_state_wait(st);
1289 /* msg7 tells our peer that we're about to forget our key */
1290 static bool_t send_msg7(struct site *st, cstring_t reason)
1292 cstring_t transform_err;
1294 if (current_valid(st) && st->buffer.free
1295 && transport_peers_valid(&st->peers)) {
1296 BUF_ALLOC(&st->buffer,"site:MSG7");
1297 buffer_init(&st->buffer,st->current.transform->max_start_pad+(4*3));
1298 buf_append_uint32(&st->buffer,LABEL_MSG7);
1299 buf_append_string(&st->buffer,reason);
1300 if (call_transform_forwards(st, st->current.transform,
1301 &st->buffer, &transform_err))
1303 buf_prepend_uint32(&st->buffer,LABEL_MSG0);
1304 buf_prepend_uint32(&st->buffer,st->index);
1305 buf_prepend_uint32(&st->buffer,st->current.remote_session_id);
1306 transport_xmit(st,&st->peers,&st->buffer,True);
1307 BUF_FREE(&st->buffer);
1314 /* We go into this state if our peer becomes uncommunicative. Similar to
1315 the "stop" state, we forget all session keys for a while, before
1316 re-entering the "run" state. */
1317 static void enter_state_wait(struct site *st)
1319 slog(st,LOG_STATE,"entering state WAIT");
1320 st->timeout=st->now+st->wait_timeout;
1321 st->state=SITE_WAIT;
1322 set_link_quality(st);
1323 BUF_FREE(&st->buffer); /* will have had an outgoing packet in it */
1324 /* XXX Erase keys etc. */
1327 static inline void site_settimeout(uint64_t timeout, int *timeout_io)
1330 int64_t offset=timeout-*now;
1331 if (offset<0) offset=0;
1332 if (offset>INT_MAX) offset=INT_MAX;
1333 if (*timeout_io<0 || offset<*timeout_io)
1338 static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io,
1341 struct site *st=sst;
1343 *nfds_io=0; /* We don't use any file descriptors */
1346 /* Work out when our next timeout is. The earlier of 'timeout' or
1347 'current.key_timeout'. A stored value of '0' indicates no timeout
1349 site_settimeout(st->timeout, timeout_io);
1350 site_settimeout(st->current.key_timeout, timeout_io);
1351 site_settimeout(st->auxiliary_key.key_timeout, timeout_io);
1353 return 0; /* success */
1356 static void check_expiry(struct site *st, struct data_key *key,
1359 if (key->key_timeout && *now>key->key_timeout) {
1360 delete_one_key(st,key,"maximum life exceeded",which,LOG_TIMEOUT_KEY);
1364 /* NB site_afterpoll will be called before site_beforepoll is ever called */
1365 static void site_afterpoll(void *sst, struct pollfd *fds, int nfds)
1367 struct site *st=sst;
1370 if (st->timeout && *now>st->timeout) {
1372 if (st->state>=SITE_SENTMSG1 && st->state<=SITE_SENTMSG5) {
1373 if (!hacky_par_start_failnow())
1375 } else if (st->state==SITE_WAIT) {
1376 enter_state_run(st);
1378 slog(st,LOG_ERROR,"site_afterpoll: unexpected timeout, state=%d",
1382 check_expiry(st,&st->current,"current key");
1383 check_expiry(st,&st->auxiliary_key,"auxiliary key");
1386 /* This function is called by the netlink device to deliver packets
1387 intended for the remote network. The packet is in "raw" wire
1388 format, but is guaranteed to be word-aligned. */
1389 static void site_outgoing(void *sst, struct buffer_if *buf)
1391 struct site *st=sst;
1392 cstring_t transform_err;
1394 if (st->state==SITE_STOP) {
1399 /* In all other states we consider delivering the packet if we have
1400 a valid key and a valid address to send it to. */
1401 if (current_valid(st) && transport_peers_valid(&st->peers)) {
1402 /* Transform it and send it */
1404 buf_prepend_uint32(buf,LABEL_MSG9);
1405 if (call_transform_forwards(st, st->current.transform,
1406 buf, &transform_err))
1408 buf_prepend_uint32(buf,LABEL_MSG0);
1409 buf_prepend_uint32(buf,st->index);
1410 buf_prepend_uint32(buf,st->current.remote_session_id);
1411 transport_xmit(st,&st->peers,buf,False);
1418 slog(st,LOG_DROP,"discarding outgoing packet of size %d",buf->size);
1420 initiate_key_setup(st,"outgoing packet");
1423 static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in,
1424 uint32_t type, struct msg *m)
1425 /* For packets which are identified by the local and remote names.
1426 * If it has our name and our peer's name in it it's for us. */
1428 struct buffer_if buf[1];
1429 buffer_readonly_clone(buf,buf_in);
1430 return unpick_msg(st,type,buf,m)
1431 && name_matches(&m->remote,st->remotename)
1432 && name_matches(&m->local,st->localname);
1435 /* This function is called by the communication device to deliver
1436 packets from our peers. */
1437 static bool_t site_incoming(void *sst, struct buffer_if *buf,
1438 const struct comm_addr *source)
1440 struct site *st=sst;
1442 if (buf->size < 12) return False;
1444 uint32_t dest=get_uint32(buf->start);
1445 uint32_t msgtype=get_uint32(buf->start+8);
1446 struct msg named_msg;
1448 if (msgtype==LABEL_MSG1) {
1449 if (!named_for_us(st,buf,msgtype,&named_msg))
1451 /* It's a MSG1 addressed to us. Decide what to do about it. */
1452 dump_packet(st,buf,source,True);
1453 if (st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1454 st->state==SITE_WAIT) {
1455 /* We should definitely process it */
1456 if (process_msg1(st,buf,source,&named_msg)) {
1457 slog(st,LOG_SETUP_INIT,"key setup initiated by peer");
1458 enter_new_state(st,SITE_SENTMSG2);
1460 slog(st,LOG_ERROR,"failed to process incoming msg1");
1464 } else if (st->state==SITE_SENTMSG1) {
1465 /* We've just sent a message 1! They may have crossed on
1466 the wire. If we have priority then we ignore the
1467 incoming one, otherwise we process it as usual. */
1468 if (st->setup_priority) {
1470 slog(st,LOG_DUMP,"crossed msg1s; we are higher "
1471 "priority => ignore incoming msg1");
1474 slog(st,LOG_DUMP,"crossed msg1s; we are lower "
1475 "priority => use incoming msg1");
1476 if (process_msg1(st,buf,source,&named_msg)) {
1477 BUF_FREE(&st->buffer); /* Free our old message 1 */
1478 enter_new_state(st,SITE_SENTMSG2);
1480 slog(st,LOG_ERROR,"failed to process an incoming "
1481 "crossed msg1 (we have low priority)");
1487 /* The message 1 was received at an unexpected stage of the
1488 key setup. XXX POLICY - what do we do? */
1489 slog(st,LOG_UNEXPECTED,"unexpected incoming message 1");
1493 if (dest==st->index) {
1494 /* Explicitly addressed to us */
1495 if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True);
1498 /* If the source is our current peer then initiate a key setup,
1499 because our peer's forgotten the key */
1500 if (get_uint32(buf->start+4)==st->current.remote_session_id) {
1501 initiate_key_setup(st,"received a NAK");
1503 slog(st,LOG_SEC,"bad incoming NAK");
1507 process_msg0(st,buf,source);
1510 /* Setup packet: should not have been explicitly addressed
1512 slog(st,LOG_SEC,"incoming explicitly addressed msg1");
1515 /* Setup packet: expected only in state SENTMSG1 */
1516 if (st->state!=SITE_SENTMSG1) {
1517 slog(st,LOG_UNEXPECTED,"unexpected MSG2");
1518 } else if (process_msg2(st,buf,source)) {
1519 transport_setup_msgok(st,source);
1520 enter_new_state(st,SITE_SENTMSG3);
1522 slog(st,LOG_SEC,"invalid MSG2");
1527 /* Setup packet: expected only in state SENTMSG2 */
1528 if (st->state!=SITE_SENTMSG2) {
1529 slog(st,LOG_UNEXPECTED,"unexpected MSG3");
1530 } else if (process_msg3(st,buf,source,msgtype)) {
1531 transport_setup_msgok(st,source);
1532 enter_new_state(st,SITE_SENTMSG4);
1534 slog(st,LOG_SEC,"invalid MSG3");
1538 /* Setup packet: expected only in state SENTMSG3 */
1539 if (st->state!=SITE_SENTMSG3) {
1540 slog(st,LOG_UNEXPECTED,"unexpected MSG4");
1541 } else if (process_msg4(st,buf,source)) {
1542 transport_setup_msgok(st,source);
1543 enter_new_state(st,SITE_SENTMSG5);
1545 slog(st,LOG_SEC,"invalid MSG4");
1549 /* Setup packet: expected only in state SENTMSG4 */
1550 /* (may turn up in state RUN if our return MSG6 was lost
1551 and the new key has already been activated. In that
1552 case we discard it. The peer will realise that we
1553 are using the new key when they see our data packets.
1554 Until then the peer's data packets to us get discarded. */
1555 if (st->state==SITE_SENTMSG4) {
1556 if (process_msg5(st,buf,source,st->new_transform)) {
1557 transport_setup_msgok(st,source);
1558 enter_new_state(st,SITE_RUN);
1560 slog(st,LOG_SEC,"invalid MSG5");
1562 } else if (st->state==SITE_RUN) {
1563 if (process_msg5(st,buf,source,st->current.transform)) {
1564 slog(st,LOG_DROP,"got MSG5, retransmitting MSG6");
1565 transport_setup_msgok(st,source);
1566 create_msg6(st,st->current.transform,
1567 st->current.remote_session_id);
1568 transport_xmit(st,&st->peers,&st->buffer,True);
1569 BUF_FREE(&st->buffer);
1571 slog(st,LOG_SEC,"invalid MSG5 (in state RUN)");
1574 slog(st,LOG_UNEXPECTED,"unexpected MSG5");
1578 /* Setup packet: expected only in state SENTMSG5 */
1579 if (st->state!=SITE_SENTMSG5) {
1580 slog(st,LOG_UNEXPECTED,"unexpected MSG6");
1581 } else if (process_msg6(st,buf,source)) {
1582 BUF_FREE(&st->buffer); /* Free message 5 */
1583 transport_setup_msgok(st,source);
1584 activate_new_key(st);
1586 slog(st,LOG_SEC,"invalid MSG6");
1590 slog(st,LOG_SEC,"received message of unknown type 0x%08x",
1601 static void site_control(void *vst, bool_t run)
1603 struct site *st=vst;
1604 if (run) enter_state_run(st);
1605 else enter_state_stop(st);
1608 static void site_phase_hook(void *sst, uint32_t newphase)
1610 struct site *st=sst;
1612 /* The program is shutting down; tell our peer */
1613 send_msg7(st,"shutting down");
1616 static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
1619 static uint32_t index_sequence;
1625 st=safe_malloc(sizeof(*st),"site_apply");
1627 st->cl.description="site";
1628 st->cl.type=CL_SITE;
1630 st->cl.interface=&st->ops;
1632 st->ops.control=site_control;
1633 st->ops.status=site_status;
1635 /* First parameter must be a dict */
1636 item=list_elem(args,0);
1637 if (!item || item->type!=t_dict)
1638 cfgfatal(loc,"site","parameter must be a dictionary\n");
1640 dict=item->data.dict;
1641 st->localname=dict_read_string(dict, "local-name", True, "site", loc);
1642 st->remotename=dict_read_string(dict, "name", True, "site", loc);
1644 st->peer_mobile=dict_read_bool(dict,"mobile",False,"site",loc,False);
1645 bool_t local_mobile=
1646 dict_read_bool(dict,"local-mobile",False,"site",loc,False);
1648 /* Sanity check (which also allows the 'sites' file to include
1649 site() closures for all sites including our own): refuse to
1650 talk to ourselves */
1651 if (strcmp(st->localname,st->remotename)==0) {
1652 Message(M_DEBUG,"site %s: local-name==name -> ignoring this site\n",
1654 if (st->peer_mobile != local_mobile)
1655 cfgfatal(loc,"site","site %s's peer-mobile=%d"
1656 " but our local-mobile=%d\n",
1657 st->localname, st->peer_mobile, local_mobile);
1661 if (st->peer_mobile && local_mobile) {
1662 Message(M_WARNING,"site %s: site is mobile but so are we"
1663 " -> ignoring this site\n", st->remotename);
1668 assert(index_sequence < 0xffffffffUL);
1669 st->index = ++index_sequence;
1670 st->local_capabilities = 0;
1671 st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc);
1673 #define GET_CLOSURE_LIST(dictkey,things,nthings,CL_TYPE) do{ \
1674 list_t *things##_cfg=dict_lookup(dict,dictkey); \
1675 if (!things##_cfg) \
1676 cfgfatal(loc,"site","closure list \"%s\" not found\n",dictkey); \
1677 st->nthings=list_length(things##_cfg); \
1678 st->things=safe_malloc_ary(sizeof(*st->things),st->nthings,dictkey "s"); \
1679 assert(st->nthings); \
1680 for (i=0; i<st->nthings; i++) { \
1681 item_t *item=list_elem(things##_cfg,i); \
1682 if (item->type!=t_closure) \
1683 cfgfatal(loc,"site","%s is not a closure\n",dictkey); \
1684 closure_t *cl=item->data.closure; \
1685 if (cl->type!=CL_TYPE) \
1686 cfgfatal(loc,"site","%s closure wrong type\n",dictkey); \
1687 st->things[i]=cl->interface; \
1691 GET_CLOSURE_LIST("comm",comms,ncomms,CL_COMM);
1693 st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc);
1694 st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc);
1695 st->random=find_cl_if(dict,"random",CL_RANDOMSRC,True,"site",loc);
1697 st->privkey=find_cl_if(dict,"local-key",CL_RSAPRIVKEY,True,"site",loc);
1698 st->address=dict_read_string(dict, "address", False, "site", loc);
1700 st->remoteport=dict_read_number(dict,"port",True,"site",loc,0);
1701 else st->remoteport=0;
1702 st->pubkey=find_cl_if(dict,"key",CL_RSAPUBKEY,True,"site",loc);
1704 GET_CLOSURE_LIST("transform",transforms,ntransforms,CL_TRANSFORM);
1706 st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
1707 st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
1709 #define DEFAULT(D) (st->peer_mobile || local_mobile \
1710 ? DEFAULT_MOBILE_##D : DEFAULT_##D)
1711 #define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
1713 st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
1714 st->setup_retries= CFG_NUMBER("setup-retries", SETUP_RETRIES);
1715 st->setup_retry_interval= CFG_NUMBER("setup-timeout", SETUP_RETRY_INTERVAL);
1716 st->wait_timeout= CFG_NUMBER("wait-time", WAIT_TIME);
1718 st->mobile_peer_expiry= dict_read_number(
1719 dict,"mobile-peer-expiry",False,"site",loc,DEFAULT_MOBILE_PEER_EXPIRY);
1721 st->transport_peers_max= !st->peer_mobile ? 1 : dict_read_number(
1722 dict,"mobile-peers-max",False,"site",loc,DEFAULT_MOBILE_PEERS_MAX);
1723 if (st->transport_peers_max<1 ||
1724 st->transport_peers_max>=MAX_MOBILE_PEERS_MAX) {
1725 cfgfatal(loc,"site","mobile-peers-max must be in range 1.."
1726 STRING(MAX_MOBILE_PEERS_MAX) "\n");
1729 if (st->key_lifetime < DEFAULT(KEY_RENEGOTIATE_GAP)*2)
1730 st->key_renegotiate_time=st->key_lifetime/2;
1732 st->key_renegotiate_time=st->key_lifetime-DEFAULT(KEY_RENEGOTIATE_GAP);
1733 st->key_renegotiate_time=dict_read_number(
1734 dict,"renegotiate-time",False,"site",loc,st->key_renegotiate_time);
1735 if (st->key_renegotiate_time > st->key_lifetime) {
1736 cfgfatal(loc,"site",
1737 "renegotiate-time must be less than key-lifetime\n");
1740 st->log_events=string_list_to_word(dict_lookup(dict,"log-events"),
1741 log_event_table,"site");
1743 st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5,
1745 sprintf(st->tunname,"%s<->%s",st->localname,st->remotename);
1747 /* The information we expect to see in incoming messages of type 1 */
1748 /* fixme: lots of unchecked overflows here, but the results are only
1749 corrupted packets rather than undefined behaviour */
1750 st->setup_priority=(strcmp(st->localname,st->remotename)>0);
1752 buffer_new(&st->buffer,SETUP_BUFFER_LEN);
1754 buffer_new(&st->scratch,0);
1755 BUF_ALLOC(&st->scratch,"site:scratch");
1757 /* We are interested in poll(), but only for timeouts. We don't have
1758 any fds of our own. */
1759 register_for_poll(st, site_beforepoll, site_afterpoll, 0, "site");
1762 st->remote_capabilities=0;
1763 st->chosen_transform=0;
1764 st->current.key_timeout=0;
1765 st->auxiliary_key.key_timeout=0;
1766 transport_peers_clear(st,&st->peers);
1767 transport_peers_clear(st,&st->setup_peers);
1768 /* XXX mlock these */
1769 st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret");
1770 st->sharedsecretlen=st->sharedsecretallocd=0;
1773 /* We need to compute some properties of our comms and transports */
1774 #define COMPUTE_WORST(things,pad) \
1775 int things##_worst_##pad=0; \
1776 for (i=0; i<st->n##things; i++) { \
1777 int thispad=st->things[i]->pad; \
1778 if (thispad > things##_worst_##pad) \
1779 things##_worst_##pad=thispad; \
1781 COMPUTE_WORST(comms,min_start_pad)
1782 COMPUTE_WORST(transforms,max_start_pad)
1784 for (i=0; i<st->ntransforms; i++) {
1785 struct transform_if *ti=st->transforms[i];
1786 uint32_t capbit = 1UL << ti->capab_transformnum;
1787 if (st->local_capabilities & capbit)
1788 slog(st,LOG_ERROR,"transformnum capability bit"
1789 " %d (%#"PRIx32") reused", ti->capab_transformnum, capbit);
1790 st->local_capabilities |= capbit;
1793 /* We need to register the remote networks with the netlink device */
1794 st->netlink->reg(st->netlink->st, site_outgoing, st,
1795 transforms_worst_max_start_pad+(4*4)+
1796 comms_worst_min_start_pad);
1798 for (i=0; i<st->ncomms; i++)
1799 st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming);
1801 st->current.transform=0;
1802 st->auxiliary_key.transform=0;
1803 st->new_transform=0;
1804 st->auxiliary_is_new=0;
1806 enter_state_stop(st);
1808 add_hook(PHASE_SHUTDOWN,site_phase_hook,st);
1810 return new_closure(&st->cl);
1813 void site_module(dict_t *dict)
1815 add_closure(dict,"site",site_apply);
1819 /***** TRANSPORT PEERS definitions *****/
1821 static void transport_peers_debug(struct site *st, transport_peers *dst,
1822 const char *didwhat,
1823 int nargs, const struct comm_addr *args,
1828 if (!(st->log_events & LOG_PEER_ADDRS))
1829 return; /* an optimisation */
1831 slog(st, LOG_PEER_ADDRS, "peers (%s) %s nargs=%d => npeers=%d",
1832 (dst==&st->peers ? "data" :
1833 dst==&st->setup_peers ? "setup" : "UNKNOWN"),
1834 didwhat, nargs, dst->npeers);
1836 for (i=0, argp=(void*)args;
1838 i++, (argp+=stride?stride:sizeof(*args))) {
1839 const struct comm_addr *ca=(void*)argp;
1840 slog(st, LOG_PEER_ADDRS, " args: addrs[%d]=%s",
1841 i, ca->comm->addr_to_string(ca->comm->st,ca));
1843 for (i=0; i<dst->npeers; i++) {
1844 struct timeval diff;
1845 timersub(tv_now,&dst->peers[i].last,&diff);
1846 const struct comm_addr *ca=&dst->peers[i].addr;
1847 slog(st, LOG_PEER_ADDRS, " peers: addrs[%d]=%s T-%ld.%06ld",
1848 i, ca->comm->addr_to_string(ca->comm->st,ca),
1849 (unsigned long)diff.tv_sec, (unsigned long)diff.tv_usec);
1853 static int transport_peer_compar(const void *av, const void *bv) {
1854 const transport_peer *a=av;
1855 const transport_peer *b=bv;
1856 /* put most recent first in the array */
1857 if (timercmp(&a->last, &b->last, <)) return +1;
1858 if (timercmp(&a->last, &b->last, >)) return -11;
1862 static void transport_peers_expire(struct site *st, transport_peers *peers) {
1863 /* peers must be sorted first */
1864 int previous_peers=peers->npeers;
1865 struct timeval oldest;
1866 oldest.tv_sec = tv_now->tv_sec - st->mobile_peer_expiry;
1867 oldest.tv_usec = tv_now->tv_usec;
1868 while (peers->npeers>1 &&
1869 timercmp(&peers->peers[peers->npeers-1].last, &oldest, <))
1871 if (peers->npeers != previous_peers)
1872 transport_peers_debug(st,peers,"expire", 0,0,0);
1875 static void transport_record_peer(struct site *st, transport_peers *peers,
1876 const struct comm_addr *addr, const char *m) {
1877 int slot, changed=0;
1879 for (slot=0; slot<peers->npeers; slot++)
1880 if (!memcmp(&peers->peers[slot].addr, addr, sizeof(*addr)))
1884 if (peers->npeers==st->transport_peers_max)
1885 slot=st->transport_peers_max;
1887 slot=peers->npeers++;
1890 peers->peers[slot].addr=*addr;
1891 peers->peers[slot].last=*tv_now;
1893 if (peers->npeers>1)
1894 qsort(peers->peers, peers->npeers,
1895 sizeof(*peers->peers), transport_peer_compar);
1897 if (changed || peers->npeers!=1)
1898 transport_peers_debug(st,peers,m, 1,addr,0);
1899 transport_peers_expire(st, peers);
1902 static bool_t transport_compute_setupinit_peers(struct site *st,
1903 const struct comm_addr *configured_addr /* 0 if none or not found */) {
1905 if (!configured_addr && !transport_peers_valid(&st->peers))
1908 slog(st,LOG_SETUP_INIT,
1909 (!configured_addr ? "using only %d old peer address(es)"
1910 : "using configured address, and/or perhaps %d old peer address(es)"),
1913 /* Non-mobile peers havve st->peers.npeers==0 or ==1, since they
1914 * have transport_peers_max==1. The effect is that this code
1915 * always uses the configured address if supplied, or otherwise
1916 * the existing data peer if one exists; this is as desired. */
1918 transport_peers_copy(st,&st->setup_peers,&st->peers);
1920 if (configured_addr)
1921 transport_record_peer(st,&st->setup_peers,configured_addr,"setupinit");
1923 assert(transport_peers_valid(&st->setup_peers));
1927 static void transport_setup_msgok(struct site *st, const struct comm_addr *a) {
1928 if (st->peer_mobile)
1929 transport_record_peer(st,&st->setup_peers,a,"setupmsg");
1931 static void transport_data_msgok(struct site *st, const struct comm_addr *a) {
1932 if (st->peer_mobile)
1933 transport_record_peer(st,&st->peers,a,"datamsg");
1936 static int transport_peers_valid(transport_peers *peers) {
1937 return peers->npeers;
1939 static void transport_peers_clear(struct site *st, transport_peers *peers) {
1941 transport_peers_debug(st,peers,"clear",0,0,0);
1943 static void transport_peers_copy(struct site *st, transport_peers *dst,
1944 const transport_peers *src) {
1945 dst->npeers=src->npeers;
1946 memcpy(dst->peers, src->peers, sizeof(*dst->peers) * dst->npeers);
1947 transport_peers_debug(st,dst,"copy",
1948 src->npeers, &src->peers->addr, sizeof(*src->peers));
1951 void transport_xmit(struct site *st, transport_peers *peers,
1952 struct buffer_if *buf, bool_t candebug) {
1954 transport_peers_expire(st, peers);
1955 for (slot=0; slot<peers->npeers; slot++) {
1956 transport_peer *peer=&peers->peers[slot];
1958 dump_packet(st, buf, &peer->addr, False);
1959 peer->addr.comm->sendmsg(peer->addr.comm->st, buf, &peer->addr);
1963 /***** END of transport peers declarations *****/