1 /* site.c - manage communication with a remote network site */
4 * This file is part of secnet.
5 * See README for full list of copyright holders.
7 * secnet is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * secnet is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * version 3 along with secnet; if not, see
19 * https://www.gnu.org/licenses/gpl.html.
22 /* The 'site' code doesn't know anything about the structure of the
23 packets it's transmitting. In fact, under the new netlink
24 configuration scheme it doesn't need to know anything at all about
25 IP addresses, except how to contact its peer. This means it could
26 potentially be used to tunnel other protocols too (IPv6, IPX, plain
27 old Ethernet frames) if appropriate netlink code can be written
28 (and that ought not to be too hard, eg. using the TUN/TAP device to
29 pretend to be an Ethernet interface). */
31 /* At some point in the future the netlink code will be asked for
32 configuration information to go in the PING/PONG packets at the end
33 of the key exchange. */
40 #include <sys/socket.h>
44 #include "unaligned.h"
47 #define SETUP_BUFFER_LEN 2048
49 #define DEFAULT_KEY_LIFETIME (3600*1000) /* [ms] */
50 #define DEFAULT_KEY_RENEGOTIATE_GAP (5*60*1000) /* [ms] */
51 #define DEFAULT_SETUP_RETRIES 5
52 #define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
53 #define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
55 #define DEFAULT_MOBILE_KEY_LIFETIME (2*24*3600*1000) /* [ms] */
56 #define DEFAULT_MOBILE_KEY_RENEGOTIATE_GAP (12*3600*1000) /* [ms] */
57 #define DEFAULT_MOBILE_SETUP_RETRIES 30
58 #define DEFAULT_MOBILE_SETUP_RETRY_INTERVAL (1*1000) /* [ms] */
59 #define DEFAULT_MOBILE_WAIT_TIME (10*1000) /* [ms] */
61 #define DEFAULT_MOBILE_PEER_EXPIRY (2*60) /* [s] */
63 /* Each site can be in one of several possible states. */
66 SITE_STOP - nothing is allowed to happen; tunnel is down;
67 all session keys have been erased
68 -> SITE_RUN upon external instruction
69 SITE_RUN - site up, maybe with valid key
70 -> SITE_RESOLVE upon outgoing packet and no valid key
71 we start name resolution for the other end of the tunnel
72 -> SITE_SENTMSG2 upon valid incoming message 1 and suitable time
73 we send an appropriate message 2
74 SITE_RESOLVE - waiting for name resolution
75 -> SITE_SENTMSG1 upon successful resolution
76 we send an appropriate message 1
77 -> SITE_SENTMSG2 upon valid incoming message 1 (then abort resolution)
78 we abort resolution and
79 -> SITE_WAIT on timeout or resolution failure
81 -> SITE_SENTMSG2 upon valid incoming message 1 from higher priority end
82 -> SITE_SENTMSG3 upon valid incoming message 2
83 -> SITE_WAIT on timeout
85 -> SITE_SENTMSG4 upon valid incoming message 3
86 -> SITE_WAIT on timeout
88 -> SITE_SENTMSG5 upon valid incoming message 4
89 -> SITE_WAIT on timeout
91 -> SITE_RUN upon valid incoming message 5
92 -> SITE_WAIT on timeout
94 -> SITE_RUN upon valid incoming message 6
95 -> SITE_WAIT on timeout
96 SITE_WAIT - failed to establish key; do nothing for a while
97 -> SITE_RUN on timeout
102 #define SITE_RESOLVE 2
103 #define SITE_SENTMSG1 3
104 #define SITE_SENTMSG2 4
105 #define SITE_SENTMSG3 5
106 #define SITE_SENTMSG4 6
107 #define SITE_SENTMSG5 7
110 #define CASES_MSG3_KNOWN LABEL_MSG3: case LABEL_MSG3BIS
114 int32_t site_max_start_pad = 4*4;
116 static cstring_t state_name(uint32_t state)
119 case 0: return "STOP";
120 case 1: return "RUN";
121 case 2: return "RESOLVE";
122 case 3: return "SENTMSG1";
123 case 4: return "SENTMSG2";
124 case 5: return "SENTMSG3";
125 case 6: return "SENTMSG4";
126 case 7: return "SENTMSG5";
127 case 8: return "WAIT";
128 default: return "*bad state*";
134 #define LOG_UNEXPECTED 0x00000001
135 #define LOG_SETUP_INIT 0x00000002
136 #define LOG_SETUP_TIMEOUT 0x00000004
137 #define LOG_ACTIVATE_KEY 0x00000008
138 #define LOG_TIMEOUT_KEY 0x00000010
139 #define LOG_SEC 0x00000020
140 #define LOG_STATE 0x00000040
141 #define LOG_DROP 0x00000080
142 #define LOG_DUMP 0x00000100
143 #define LOG_ERROR 0x00000400
144 #define LOG_PEER_ADDRS 0x00000800
145 #define LOG_SIGKEYS 0x00001000
147 static struct flagstr log_event_table[]={
148 { "unexpected", LOG_UNEXPECTED },
149 { "setup-init", LOG_SETUP_INIT },
150 { "setup-timeout", LOG_SETUP_TIMEOUT },
151 { "activate-key", LOG_ACTIVATE_KEY },
152 { "timeout-key", LOG_TIMEOUT_KEY },
153 { "security", LOG_SEC },
154 { "state-change", LOG_STATE },
155 { "packet-drop", LOG_DROP },
156 { "dump-packets", LOG_DUMP },
157 { "errors", LOG_ERROR },
158 { "peer-addrs", LOG_PEER_ADDRS },
159 { "sigkeys", LOG_SIGKEYS },
160 { "default", LOG_SETUP_INIT|LOG_SETUP_TIMEOUT|
161 LOG_ACTIVATE_KEY|LOG_TIMEOUT_KEY|LOG_SEC|LOG_ERROR|LOG_SIGKEYS },
162 { "all", 0xffffffff },
167 /***** TRANSPORT PEERS declarations *****/
169 /* Details of "mobile peer" semantics:
171 - We use the same data structure for the different configurations,
172 but manage it with different algorithms.
174 - We record up to mobile_peers_max peer address/port numbers
175 ("peers") for key setup, and separately up to mobile_peers_max
178 - In general, we make a new set of addrs (see below) when we start
179 a new key exchange; the key setup addrs become the data transport
180 addrs when key setup complets.
182 If our peer is mobile:
184 - We send to all recent addresses of incoming packets, plus
185 initially all configured addresses (which we also expire).
187 - So, we record addrs of good incoming packets, as follows:
188 1. expire any peers last seen >120s ("mobile-peer-expiry") ago
189 2. add the peer of the just received packet to the applicable list
190 (possibly evicting the oldest entries to make room)
191 NB that we do not expire peers until an incoming packet arrives.
193 - If the peer has a configured address or name, we record them the
194 same way, but only as a result of our own initiation of key
195 setup. (We might evict some incoming packet addrs to make room.)
197 - The default number of addrs to keep is 3, or 4 if we have a
198 configured name or address. That's space for two configured
199 addresses (one IPv6 and one IPv4), plus two received addresses.
201 - Outgoing packets are sent to every recorded address in the
202 applicable list. Any unsupported[1] addresses are deleted from
203 the list right away. (This should only happen to configured
204 addresses, of course, but there is no need to check that.)
206 - When we successfully complete a key setup, we merge the key setup
207 peers into the data transfer peers.
209 [1] An unsupported address is one for whose AF we don't have a
210 socket (perhaps because we got EAFNOSUPPORT or some such) or for
211 which sendto gives ENETUNREACH.
213 If neither end is mobile:
215 - When peer initiated the key exchange, we use the incoming packet
218 - When we initiate the key exchange, we try configured addresses
219 until we get one which isn't unsupported then fixate on that.
221 - When we complete a key setup, we replace the data transport peers
222 with those from the key setup.
226 - We can't tell when local network setup changes so we can't cache
227 the unsupported addrs and completely remove the spurious calls to
228 sendto, but we can optimise things a bit by deprioritising addrs
229 which seem to be unsupported.
231 - Use only configured addresses. (Except, that if our peer
232 initiated a key exchange we use the incoming packet address until
233 our name resolution completes.)
235 - When we send a packet, try each address in turn; if addr
236 supported, put that address to the end of the list for future
237 packets, and go onto the next address.
239 - When we complete a key setup, we replace the data transport peers
240 with those from the key setup.
246 struct comm_addr addr;
250 /* configuration information */
251 /* runtime information */
253 transport_peer peers[MAX_PEER_ADDRS];
256 /* Basic operations on transport peer address sets */
257 static void transport_peers_clear(struct site *st, transport_peers *peers);
258 static int transport_peers_valid(transport_peers *peers);
259 static void transport_peers_copy(struct site *st, transport_peers *dst,
260 const transport_peers *src);
262 /* Record address of incoming setup packet; resp. data packet. */
263 static void transport_setup_msgok(struct site *st, const struct comm_addr *a);
264 static void transport_data_msgok(struct site *st, const struct comm_addr *a);
266 /* Initialise the setup addresses. Called before we send the first
267 * packet in a key exchange. If we are the initiator, as a result of
268 * resolve completing (or being determined not to be relevant) or an
269 * incoming PROD; if we are the responder, as a result of the MSG1. */
270 static bool_t transport_compute_setupinit_peers(struct site *st,
271 const struct comm_addr *configured_addrs /* 0 if none or not found */,
272 int n_configured_addrs /* 0 if none or not found */,
273 const struct comm_addr *incoming_packet_addr /* 0 if none */);
275 /* Called if we are the responder in a key setup, when the resolve
276 * completes. transport_compute_setupinit_peers will hvae been called
277 * earlier. If _complete is called, we are still doing the key setup
278 * (and we should use the new values for both the rest of the key
279 * setup and the ongoing data exchange); if _tardy is called, the key
280 * setup is done (either completed or not) and only the data peers are
282 static void transport_resolve_complete(struct site *st,
283 const struct comm_addr *addrs, int naddrs);
284 static void transport_resolve_complete_tardy(struct site *st,
285 const struct comm_addr *addrs, int naddrs);
287 static void transport_xmit(struct site *st, transport_peers *peers,
288 struct buffer_if *buf, bool_t candebug);
290 /***** END of transport peers declarations *****/
294 struct transform_inst_if *transform;
295 uint64_t key_timeout; /* End of life of current key */
296 uint32_t remote_session_id;
302 /* configuration information */
306 bool_t local_mobile, peer_mobile; /* Mobile client support */
307 int32_t transport_peers_max;
308 string_t tunname; /* localname<->remotename by default, used in logs */
309 cstring_t *addresses; /* DNS name or address(es) for bootstrapping, optional */
310 int remoteport; /* Port for bootstrapping, optional */
312 struct netlink_if *netlink;
313 struct comm_if **comms;
314 struct comm_clientinfo **commclientinfos;
316 struct resolver_if *resolver;
318 struct random_if *random;
319 struct sigprivkey_if *privkey;
320 struct sigpubkey_if *pubkey;
321 struct transform_if **transforms;
325 uint32_t index; /* Index of this site */
326 uint32_t early_capabilities;
327 uint32_t local_capabilities;
328 int32_t setup_retries; /* How many times to send setup packets */
329 int32_t setup_retry_interval; /* Initial timeout for setup packets */
330 int32_t wait_timeout_mean; /* How long to wait if setup unsuccessful */
331 int32_t mobile_peer_expiry; /* How long to remember 2ary addresses */
332 int32_t key_lifetime; /* How long a key lasts once set up */
333 int32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
334 after this time, initiate a new
337 bool_t our_name_later; /* our name > peer name */
340 /* runtime information */
342 uint64_t now; /* Most recently seen time */
343 bool_t allow_send_prod;
344 bool_t msg1_crossed_logged;
346 int resolving_n_results_all;
347 int resolving_n_results_stored;
348 struct comm_addr resolving_results[MAX_PEER_ADDRS];
350 /* The currently established session */
351 struct data_key current;
352 struct data_key auxiliary_key;
353 bool_t auxiliary_is_new;
354 uint64_t renegotiate_key_time; /* When we can negotiate a new key */
355 uint64_t auxiliary_renegotiate_key_time;
356 transport_peers peers; /* Current address(es) of peer for data traffic */
358 /* The current key setup protocol exchange. We can only be
359 involved in one of these at a time. There's a potential for
360 denial of service here (the attacker keeps sending a setup
361 packet; we keep trying to continue the exchange, and have to
362 timeout before we can listen for another setup packet); perhaps
363 we should keep a list of 'bad' sources for setup packets. */
364 uint32_t remote_capabilities;
365 uint16_t remote_adv_mtu;
366 struct transform_if *chosen_transform;
367 uint32_t setup_session_id;
368 transport_peers setup_peers;
369 uint8_t localN[NONCELEN]; /* Nonces for key exchange */
370 uint8_t remoteN[NONCELEN];
371 struct buffer_if buffer; /* Current outgoing key exchange packet */
372 struct buffer_if scratch;
373 int32_t retries; /* Number of retries remaining */
374 uint64_t timeout; /* Timeout for current state */
376 uint8_t *sharedsecret;
377 uint32_t sharedsecretlen, sharedsecretallocd;
378 struct transform_inst_if *new_transform; /* For key setup/verify */
381 static uint32_t event_log_priority(struct site *st, uint32_t event)
383 if (!(event&st->log_events))
386 case LOG_UNEXPECTED: return M_INFO;
387 case LOG_SETUP_INIT: return M_INFO;
388 case LOG_SETUP_TIMEOUT: return M_NOTICE;
389 case LOG_ACTIVATE_KEY: return M_INFO;
390 case LOG_TIMEOUT_KEY: return M_INFO;
391 case LOG_SEC: return M_SECURITY;
392 case LOG_STATE: return M_DEBUG;
393 case LOG_DROP: return M_DEBUG;
394 case LOG_DUMP: return M_DEBUG;
395 case LOG_ERROR: return M_ERR;
396 case LOG_PEER_ADDRS: return M_DEBUG;
397 case LOG_SIGKEYS: return M_INFO;
398 default: return M_ERR;
402 static uint32_t slog_start(struct site *st, uint32_t event)
404 uint32_t class=event_log_priority(st, event);
406 slilog_part(st->log,class,"%s: ",st->tunname);
411 static void vslog(struct site *st, uint32_t event, cstring_t msg, va_list ap)
413 static void vslog(struct site *st, uint32_t event, cstring_t msg, va_list ap)
417 class=slog_start(st,event);
419 vslilog_part(st->log,class,msg,ap);
420 slilog_part(st->log,class,"\n");
424 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
426 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
430 vslog(st,event,msg,ap);
434 static void logtimeout(struct site *st, const char *fmt, ...)
436 static void logtimeout(struct site *st, const char *fmt, ...)
438 uint32_t class=event_log_priority(st,LOG_SETUP_TIMEOUT);
445 slilog_part(st->log,class,"%s: ",st->tunname);
446 vslilog_part(st->log,class,fmt,ap);
450 for (i=0, delim=" (tried ";
451 i<st->setup_peers.npeers;
453 transport_peer *peer=&st->setup_peers.peers[i];
454 const char *s=comm_addr_to_string(&peer->addr);
455 slilog_part(st->log,class,"%s%s",delim,s);
458 slilog_part(st->log,class,")\n");
462 static void set_link_quality(struct site *st);
463 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel);
464 static void delete_one_key(struct site *st, struct data_key *key,
465 const char *reason /* may be 0 meaning don't log*/,
466 const char *which /* ignored if !reasonn */,
467 uint32_t loglevel /* ignored if !reasonn */);
468 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
469 const struct comm_addr *prod_hint);
470 static void enter_state_run(struct site *st);
471 static bool_t enter_state_resolve(struct site *st);
472 static void decrement_resolving_count(struct site *st, int by);
473 static bool_t enter_new_state(struct site *st,uint32_t next,
474 const struct msg *prompt
475 /* may be 0 for SENTMSG1 */);
476 static void enter_state_wait(struct site *st);
477 static void activate_new_key(struct site *st);
479 static bool_t is_transform_valid(struct transform_inst_if *transform)
481 return transform && transform->valid(transform->st);
484 static bool_t current_valid(struct site *st)
486 return is_transform_valid(st->current.transform);
489 #define DEFINE_CALL_TRANSFORM(fwdrev) \
490 static transform_apply_return \
491 call_transform_##fwdrev(struct site *st, \
492 struct transform_inst_if *transform, \
493 struct buffer_if *buf, \
494 const char **errmsg) \
496 if (!is_transform_valid(transform)) { \
497 *errmsg="transform not set up"; \
498 return transform_apply_err; \
500 return transform->fwdrev(transform->st,buf,errmsg); \
503 DEFINE_CALL_TRANSFORM(forwards)
504 DEFINE_CALL_TRANSFORM(reverse)
506 static void dispose_transform(struct transform_inst_if **transform_var)
508 struct transform_inst_if *transform=*transform_var;
510 transform->delkey(transform->st);
511 transform->destroy(transform->st);
516 #define CHECK_AVAIL(b,l) do { if ((b)->size<(l)) return False; } while(0)
517 #define CHECK_EMPTY(b) do { if ((b)->size!=0) return False; } while(0)
518 #define CHECK_TYPE(b,t) do { uint32_t type; \
519 CHECK_AVAIL((b),4); \
520 type=buf_unprepend_uint32((b)); \
521 if (type!=(t)) return False; } while(0)
523 static _Bool type_is_msg34(uint32_t type)
526 case CASES_MSG3_KNOWN: case LABEL_MSG4: return True;
527 default: return False;
534 struct buffer_if extrainfo;
541 struct parsedname remote;
542 struct parsedname local;
543 uint32_t remote_capabilities;
545 int capab_transformnum;
551 struct alg_msg_data sig;
554 static int32_t wait_timeout(struct site *st) {
555 int32_t t = st->wait_timeout_mean;
558 st->random->generate(st->random->st,sizeof(factor),&factor);
559 t += (t / 256) * factor;
564 static _Bool set_new_transform(struct site *st, char *pk)
568 /* Make room for the shared key */
569 st->sharedsecretlen=st->chosen_transform->keylen?:st->dh->ceil_len;
570 assert(st->sharedsecretlen);
571 if (st->sharedsecretlen > st->sharedsecretallocd) {
572 st->sharedsecretallocd=st->sharedsecretlen;
573 st->sharedsecret=safe_realloc_ary(st->sharedsecret,1,
574 st->sharedsecretallocd,
575 "site:sharedsecret");
578 /* Generate the shared key */
579 st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,pk,
580 st->sharedsecret,st->sharedsecretlen);
582 /* Set up the transform */
583 struct transform_if *generator=st->chosen_transform;
584 struct transform_inst_if *generated=generator->create(generator->st);
585 ok = generated->setkey(generated->st,st->sharedsecret,
586 st->sharedsecretlen,st->our_name_later);
588 dispose_transform(&st->new_transform);
589 if (!ok) return False;
590 st->new_transform=generated;
592 slog(st,LOG_SETUP_INIT,"key exchange negotiated transform"
593 " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")",
594 st->chosen_transform->capab_bit,
595 st->local_capabilities, st->remote_capabilities);
600 int32_t lenpos, afternul;
602 static void append_string_xinfo_start(struct buffer_if *buf,
603 struct xinfoadd *xia,
605 /* Helps construct one of the names with additional info as found
606 * in MSG1..4. Call this function first, then append all the
607 * desired extra info (not including the nul byte) to the buffer,
608 * then call append_string_xinfo_done. */
610 xia->lenpos = buf->size;
611 buf_append_string(buf,str);
612 buf_append_uint8(buf,0);
613 xia->afternul = buf->size;
615 static void append_string_xinfo_done(struct buffer_if *buf,
616 struct xinfoadd *xia)
618 /* we just need to adjust the string length */
619 if (buf->size == xia->afternul) {
620 /* no extra info, strip the nul too */
621 buf_unappend_uint8(buf);
623 put_uint16(buf->start+xia->lenpos, buf->size-(xia->lenpos+2));
627 /* Build any of msg1 to msg4. msg5 and msg6 are built from the inside
628 out using a transform of config data supplied by netlink */
629 static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what,
630 const struct msg *prompt
631 /* may be 0 for MSG1 */)
636 st->retries=st->setup_retries;
637 BUF_ALLOC(&st->buffer,what);
638 buffer_init(&st->buffer,0);
639 buf_append_uint32(&st->buffer,
640 (type==LABEL_MSG1?0:st->setup_session_id));
641 buf_append_uint32(&st->buffer,st->index);
642 buf_append_uint32(&st->buffer,type);
645 append_string_xinfo_start(&st->buffer,&xia,st->localname);
646 if ((st->local_capabilities & st->early_capabilities) ||
647 (type != LABEL_MSG1)) {
648 buf_append_uint32(&st->buffer,st->local_capabilities);
650 if (type_is_msg34(type)) {
651 buf_append_uint16(&st->buffer,st->mtu_target);
653 struct sigprivkey_if *privkey=st->privkey;
654 append_string_xinfo_done(&st->buffer,&xia);
656 buf_append_string(&st->buffer,st->remotename);
657 BUF_ADD_OBJ(append,&st->buffer,st->localN);
658 if (type==LABEL_MSG1) return True;
659 BUF_ADD_OBJ(append,&st->buffer,st->remoteN);
660 if (type==LABEL_MSG2) return True;
662 if (hacky_par_mid_failnow()) return False;
664 if (MSGMAJOR(type) == 3) do {
665 minor = MSGMINOR(type);
666 if (minor < 1) break;
667 buf_append_uint8(&st->buffer,st->chosen_transform->capab_bit);
670 dhpub=st->dh->makepublic(st->dh->st,st->dhsecret,st->dh->len);
671 buf_append_string(&st->buffer,dhpub);
674 bool_t ok=privkey->sign(privkey->st,
685 static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm)
688 nm->len=buf_unprepend_uint16(msg);
689 CHECK_AVAIL(msg,nm->len);
690 nm->name=buf_unprepend(msg,nm->len);
691 uint8_t *nul=memchr(nm->name,0,nm->len);
693 buffer_readonly_view(&nm->extrainfo,0,0);
695 buffer_readonly_view(&nm->extrainfo, nul+1, msg->start-(nul+1));
696 nm->len=nul-nm->name;
701 static bool_t unpick_msg(struct site *st, uint32_t type,
702 struct buffer_if *msg, struct msg *m)
706 m->capab_transformnum=-1;
707 m->hashstart=msg->start;
709 m->dest=buf_unprepend_uint32(msg);
711 m->source=buf_unprepend_uint32(msg);
712 CHECK_TYPE(msg,type);
713 if (!unpick_name(msg,&m->remote)) return False;
714 m->remote_capabilities=0;
716 if (m->remote.extrainfo.size) {
717 CHECK_AVAIL(&m->remote.extrainfo,4);
718 m->remote_capabilities=buf_unprepend_uint32(&m->remote.extrainfo);
720 if (type_is_msg34(type) && m->remote.extrainfo.size) {
721 CHECK_AVAIL(&m->remote.extrainfo,2);
722 m->remote_mtu=buf_unprepend_uint16(&m->remote.extrainfo);
724 if (!unpick_name(msg,&m->local)) return False;
725 if (type==LABEL_PROD) {
729 CHECK_AVAIL(msg,NONCELEN);
730 m->nR=buf_unprepend(msg,NONCELEN);
731 if (type==LABEL_MSG1) {
735 CHECK_AVAIL(msg,NONCELEN);
736 m->nL=buf_unprepend(msg,NONCELEN);
737 if (type==LABEL_MSG2) {
741 if (MSGMAJOR(type) == 3) do {
742 minor = MSGMINOR(type);
743 #define MAYBE_READ_CAP(minminor, kind, dflt) do { \
744 if (minor < (minminor)) \
745 m->capab_##kind##num = (dflt); \
747 CHECK_AVAIL(msg, 1); \
748 m->capab_##kind##num = buf_unprepend_uint8(msg); \
751 MAYBE_READ_CAP(1, transform, CAPAB_BIT_ANCIENTTRANSFORM);
752 #undef MAYBE_READ_CAP
755 m->pklen=buf_unprepend_uint16(msg);
756 CHECK_AVAIL(msg,m->pklen);
757 m->pk=buf_unprepend(msg,m->pklen);
758 m->hashlen=msg->start-m->hashstart;
759 struct sigpubkey_if *pubkey=st->pubkey;
761 if (!pubkey->unpick(pubkey->st,msg,&m->sig)) {
770 static bool_t name_matches(const struct parsedname *nm, const char *expected)
772 int expected_len=strlen(expected);
774 nm->len == expected_len &&
775 !memcmp(nm->name, expected, expected_len);
778 static bool_t check_msg(struct site *st, uint32_t type, struct msg *m,
781 if (type==LABEL_MSG1) return True;
783 /* Check that the site names and our nonce have been sent
784 back correctly, and then store our peer's nonce. */
785 if (!name_matches(&m->remote,st->remotename)) {
786 *error="wrong remote site name";
789 if (!name_matches(&m->local,st->localname)) {
790 *error="wrong local site name";
793 if (memcmp(m->nL,st->localN,NONCELEN)!=0) {
794 *error="wrong locally-generated nonce";
797 if (type==LABEL_MSG2) return True;
798 if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)) {
799 *error="wrong remotely-generated nonce";
802 /* MSG3 has complicated rules about capabilities, which are
803 * handled in process_msg3. */
804 if (MSGMAJOR(type) == 3) return True;
805 if (m->remote_capabilities!=st->remote_capabilities) {
806 *error="remote capabilities changed";
809 if (type==LABEL_MSG4) return True;
810 *error="unknown message type";
814 static bool_t kex_init(struct site *st)
816 st->random->generate(st->random->st,NONCELEN,st->localN);
820 static bool_t generate_msg1(struct site *st, const struct msg *prompt_maybe_0)
823 generate_msg(st,LABEL_MSG1,"site:MSG1",prompt_maybe_0);
826 static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
827 const struct comm_addr *src,
830 /* We've already determined we're in an appropriate state to
831 process an incoming MSG1, and that the MSG1 has correct values
834 st->setup_session_id=m->source;
835 st->remote_capabilities=m->remote_capabilities;
836 memcpy(st->remoteN,m->nR,NONCELEN);
840 static bool_t generate_msg2(struct site *st,
841 const struct msg *prompt_may_be_null)
844 generate_msg(st,LABEL_MSG2,"site:MSG2",prompt_may_be_null);
847 static bool_t process_msg2(struct site *st, struct buffer_if *msg2,
848 const struct comm_addr *src,
849 struct msg *m /* returned */)
853 if (!unpick_msg(st,LABEL_MSG2,msg2,m)) return False;
854 if (!check_msg(st,LABEL_MSG2,m,&err)) {
855 slog(st,LOG_SEC,"msg2: %s",err);
858 st->setup_session_id=m->source;
859 st->remote_capabilities=m->remote_capabilities;
861 /* Select the transform to use */
863 uint32_t remote_crypto_caps = st->remote_capabilities & CAPAB_TRANSFORM_MASK;
864 if (!remote_crypto_caps)
865 /* old secnets only had this one transform */
866 remote_crypto_caps = 1UL << CAPAB_BIT_ANCIENTTRANSFORM;
868 #define CHOOSE_CRYPTO(kind, whats) do { \
869 struct kind##_if *iface; \
870 uint32_t bit, ours = 0; \
872 for (i= 0; i < st->n##kind##s; i++) { \
873 iface=st->kind##s[i]; \
874 bit = 1UL << iface->capab_bit; \
875 if (bit & remote_crypto_caps) goto kind##_found; \
878 slog(st,LOG_ERROR,"no " whats " in common" \
879 " (us %#"PRIx32"; them: %#"PRIx32")", \
880 st->local_capabilities & ours, remote_crypto_caps); \
883 st->chosen_##kind = iface; \
886 CHOOSE_CRYPTO(transform, "transforms");
890 memcpy(st->remoteN,m->nR,NONCELEN);
894 static bool_t generate_msg3(struct site *st, const struct msg *prompt)
896 /* Now we have our nonce and their nonce. Think of a secret key,
897 and create message number 3. */
898 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
899 return generate_msg(st,
900 (st->remote_capabilities & CAPAB_TRANSFORM_MASK)
906 static bool_t process_msg3_msg4(struct site *st, struct msg *m)
908 struct sigpubkey_if *pubkey=st->pubkey;
910 /* Check signature and store g^x mod m */
911 if (!pubkey->check(pubkey->st,
912 m->hashstart,m->hashlen,
914 slog(st,LOG_SEC,"msg3/msg4 signature failed check!");
918 st->remote_adv_mtu=m->remote_mtu;
923 static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
924 const struct comm_addr *src, uint32_t msgtype,
925 struct msg *m /* returned */)
930 case CASES_MSG3_KNOWN: break;
934 if (!unpick_msg(st,msgtype,msg3,m)) return False;
935 if (!check_msg(st,msgtype,m,&err)) {
936 slog(st,LOG_SEC,"msg3: %s",err);
939 uint32_t capab_adv_late = m->remote_capabilities
940 & ~st->remote_capabilities & st->early_capabilities;
941 if (capab_adv_late) {
942 slog(st,LOG_SEC,"msg3 impermissibly adds early capability flag(s)"
943 " %#"PRIx32" (was %#"PRIx32", now %#"PRIx32")",
944 capab_adv_late, st->remote_capabilities, m->remote_capabilities);
948 #define CHOSE_CRYPTO(kind, what) do { \
949 struct kind##_if *iface; \
951 for (i=0; i<st->n##kind##s; i++) { \
952 iface=st->kind##s[i]; \
953 if (iface->capab_bit == m->capab_##kind##num) \
956 slog(st,LOG_SEC,"peer chose unknown-to-us " what " %d!", \
957 m->capab_##kind##num); \
960 st->chosen_##kind=iface; \
963 CHOSE_CRYPTO(transform, "transform");
967 if (!process_msg3_msg4(st,m))
970 /* Update our idea of the remote site's capabilities, now that we've
971 * verified that its message was authentic.
973 * Our previous idea of the remote site's capabilities came from the
974 * unauthenticated MSG1. We've already checked that this new message
975 * doesn't change any of the bits we relied upon in the past, but it may
976 * also have set additional capability bits. We simply throw those away
977 * now, and use the authentic capabilities from this MSG3. */
978 st->remote_capabilities=m->remote_capabilities;
980 /* Terminate their DH public key with a '0' */
982 /* Invent our DH secret key */
983 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
985 /* Generate the shared key and set up the transform */
986 if (!set_new_transform(st,m->pk)) return False;
991 static bool_t generate_msg4(struct site *st, const struct msg *prompt)
993 /* We have both nonces, their public key and our private key. Generate
994 our public key, sign it and send it to them. */
995 return generate_msg(st,LABEL_MSG4,"site:MSG4",prompt);
998 static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
999 const struct comm_addr *src,
1000 struct msg *m /* returned */)
1004 if (!unpick_msg(st,LABEL_MSG4,msg4,m)) return False;
1005 if (!check_msg(st,LABEL_MSG4,m,&err)) {
1006 slog(st,LOG_SEC,"msg4: %s",err);
1010 if (!process_msg3_msg4(st,m))
1013 /* Terminate their DH public key with a '0' */
1016 /* Generate the shared key and set up the transform */
1017 if (!set_new_transform(st,m->pk)) return False;
1028 static bool_t unpick_msg0(struct site *st, struct buffer_if *msg0,
1031 CHECK_AVAIL(msg0,4);
1032 m->dest=buf_unprepend_uint32(msg0);
1033 CHECK_AVAIL(msg0,4);
1034 m->source=buf_unprepend_uint32(msg0);
1035 CHECK_AVAIL(msg0,4);
1036 m->type=buf_unprepend_uint32(msg0);
1038 /* Leaves transformed part of buffer untouched */
1041 static bool_t generate_msg5(struct site *st, const struct msg *prompt)
1043 cstring_t transform_err;
1045 BUF_ALLOC(&st->buffer,"site:MSG5");
1046 /* We are going to add four words to the message */
1047 buffer_init(&st->buffer,calculate_max_start_pad());
1048 /* Give the netlink code an opportunity to put its own stuff in the
1049 message (configuration information, etc.) */
1050 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
1051 if (call_transform_forwards(st,st->new_transform,
1052 &st->buffer,&transform_err))
1054 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
1055 buf_prepend_uint32(&st->buffer,st->index);
1056 buf_prepend_uint32(&st->buffer,st->setup_session_id);
1058 st->retries=st->setup_retries;
1062 static bool_t process_msg5(struct site *st, struct buffer_if *msg5,
1063 const struct comm_addr *src,
1064 struct transform_inst_if *transform)
1067 cstring_t transform_err;
1069 if (!unpick_msg0(st,msg5,&m)) return False;
1071 if (call_transform_reverse(st,transform,msg5,&transform_err)) {
1072 /* There's a problem */
1073 slog(st,LOG_SEC,"process_msg5: transform: %s",transform_err);
1076 /* Buffer should now contain untransformed PING packet data */
1077 CHECK_AVAIL(msg5,4);
1078 if (buf_unprepend_uint32(msg5)!=LABEL_MSG5) {
1079 slog(st,LOG_SEC,"MSG5/PING packet contained wrong label");
1082 /* Older versions of secnet used to write some config data here
1083 * which we ignore. So we don't CHECK_EMPTY */
1087 static void create_msg6(struct site *st, struct transform_inst_if *transform,
1088 uint32_t session_id)
1090 cstring_t transform_err;
1092 BUF_ALLOC(&st->buffer,"site:MSG6");
1093 /* We are going to add four words to the message */
1094 buffer_init(&st->buffer,calculate_max_start_pad());
1095 /* Give the netlink code an opportunity to put its own stuff in the
1096 message (configuration information, etc.) */
1097 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
1098 transform_apply_return problem =
1099 call_transform_forwards(st,transform,
1100 &st->buffer,&transform_err);
1102 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
1103 buf_prepend_uint32(&st->buffer,st->index);
1104 buf_prepend_uint32(&st->buffer,session_id);
1107 static bool_t generate_msg6(struct site *st, const struct msg *prompt)
1109 if (!is_transform_valid(st->new_transform))
1111 create_msg6(st,st->new_transform,st->setup_session_id);
1112 st->retries=1; /* Peer will retransmit MSG5 if this packet gets lost */
1116 static bool_t process_msg6(struct site *st, struct buffer_if *msg6,
1117 const struct comm_addr *src)
1120 cstring_t transform_err;
1122 if (!unpick_msg0(st,msg6,&m)) return False;
1124 if (call_transform_reverse(st,st->new_transform,msg6,&transform_err)) {
1125 /* There's a problem */
1126 slog(st,LOG_SEC,"process_msg6: transform: %s",transform_err);
1129 /* Buffer should now contain untransformed PING packet data */
1130 CHECK_AVAIL(msg6,4);
1131 if (buf_unprepend_uint32(msg6)!=LABEL_MSG6) {
1132 slog(st,LOG_SEC,"MSG6/PONG packet contained invalid data");
1135 /* Older versions of secnet used to write some config data here
1136 * which we ignore. So we don't CHECK_EMPTY */
1140 static transform_apply_return
1141 decrypt_msg0(struct site *st, struct buffer_if *msg0,
1142 const struct comm_addr *src)
1144 cstring_t transform_err, auxkey_err, newkey_err="n/a";
1146 transform_apply_return problem;
1148 if (!unpick_msg0(st,msg0,&m)) return False;
1150 /* Keep a copy so we can try decrypting it with multiple keys */
1151 buffer_copy(&st->scratch, msg0);
1153 problem = call_transform_reverse(st,st->current.transform,
1154 msg0,&transform_err);
1156 if (!st->auxiliary_is_new)
1157 delete_one_key(st,&st->auxiliary_key,
1158 "peer has used new key","auxiliary key",LOG_SEC);
1161 if (transform_apply_return_badseq(problem))
1164 buffer_copy(msg0, &st->scratch);
1165 problem = call_transform_reverse(st,st->auxiliary_key.transform,
1168 slog(st,LOG_DROP,"processing packet which uses auxiliary key");
1169 if (st->auxiliary_is_new) {
1170 /* We previously timed out in state SENTMSG5 but it turns
1171 * out that our peer did in fact get our MSG5 and is
1172 * using the new key. So we should switch to it too. */
1173 /* This is a bit like activate_new_key. */
1176 st->current=st->auxiliary_key;
1177 st->auxiliary_key=t;
1179 delete_one_key(st,&st->auxiliary_key,"peer has used new key",
1180 "previous key",LOG_SEC);
1181 st->auxiliary_is_new=0;
1182 st->renegotiate_key_time=st->auxiliary_renegotiate_key_time;
1186 if (transform_apply_return_badseq(problem))
1189 if (st->state==SITE_SENTMSG5) {
1190 buffer_copy(msg0, &st->scratch);
1191 problem = call_transform_reverse(st,st->new_transform,
1194 /* It looks like we didn't get the peer's MSG6 */
1195 /* This is like a cut-down enter_new_state(SITE_RUN) */
1196 slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)");
1197 BUF_FREE(&st->buffer);
1199 activate_new_key(st);
1200 return 0; /* do process the data in this packet */
1202 if (transform_apply_return_badseq(problem))
1206 slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)",
1207 transform_err,auxkey_err,newkey_err);
1208 initiate_key_setup(st,"incoming message would not decrypt",0);
1209 send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt");
1214 slog(st,LOG_DROP,"transform: %s (bad seq.)",transform_err);
1219 static bool_t process_msg0(struct site *st, struct buffer_if *msg0,
1220 const struct comm_addr *src)
1223 transform_apply_return problem;
1225 problem = decrypt_msg0(st,msg0,src);
1226 if (problem==transform_apply_seqdupe) {
1227 /* We recently received another copy of this packet, maybe due
1228 * to polypath. That's not a problem; indeed, for the
1229 * purposes of transport address management it is a success.
1230 * But we don't want to process the packet. */
1231 transport_data_msgok(st,src);
1237 CHECK_AVAIL(msg0,4);
1238 type=buf_unprepend_uint32(msg0);
1241 /* We must forget about the current session. */
1242 delete_keys(st,"request from peer",LOG_SEC);
1243 /* probably, the peer is shutting down, and this is going to fail,
1244 * but we need to be trying to bring the link up again */
1246 initiate_key_setup(st,"peer requested key teardown",0);
1249 /* Deliver to netlink layer */
1250 st->netlink->deliver(st->netlink->st,msg0);
1251 transport_data_msgok(st,src);
1252 /* See whether we should start negotiating a new key */
1253 if (st->now > st->renegotiate_key_time)
1254 initiate_key_setup(st,"incoming packet in renegotiation window",0);
1257 slog(st,LOG_SEC,"incoming encrypted message of type %08x "
1264 static void dump_packet(struct site *st, struct buffer_if *buf,
1265 const struct comm_addr *addr, bool_t incoming,
1268 uint32_t dest=get_uint32(buf->start);
1269 uint32_t source=get_uint32(buf->start+4);
1270 uint32_t msgtype=get_uint32(buf->start+8);
1272 if (st->log_events & LOG_DUMP)
1273 slilog(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x: %s%s",
1274 st->tunname,incoming?"incoming":"outgoing",
1275 dest,source,msgtype,comm_addr_to_string(addr),
1279 static bool_t comm_addr_sendmsg(struct site *st,
1280 const struct comm_addr *dest,
1281 struct buffer_if *buf)
1284 struct comm_clientinfo *commclientinfo = 0;
1286 for (i=0; i < st->ncomms; i++) {
1287 if (st->comms[i] == dest->comm) {
1288 commclientinfo = st->commclientinfos[i];
1292 return dest->comm->sendmsg(dest->comm->st, buf, dest, commclientinfo);
1295 static uint32_t site_status(void *st)
1300 static bool_t send_msg(struct site *st)
1302 if (st->retries>0) {
1303 transport_xmit(st, &st->setup_peers, &st->buffer, True);
1304 st->timeout=st->now+st->setup_retry_interval;
1307 } else if (st->state==SITE_SENTMSG5) {
1308 logtimeout(st,"timed out sending MSG5, stashing new key");
1309 /* We stash the key we have produced, in case it turns out that
1310 * our peer did see our MSG5 after all and starts using it. */
1311 /* This is a bit like some of activate_new_key */
1312 struct transform_inst_if *t;
1313 t=st->auxiliary_key.transform;
1314 st->auxiliary_key.transform=st->new_transform;
1315 st->new_transform=t;
1316 dispose_transform(&st->new_transform);
1318 st->auxiliary_is_new=1;
1319 st->auxiliary_key.key_timeout=st->now+st->key_lifetime;
1320 st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time;
1321 st->auxiliary_key.remote_session_id=st->setup_session_id;
1323 enter_state_wait(st);
1326 logtimeout(st,"timed out sending key setup packet "
1327 "(in state %s)",state_name(st->state));
1328 enter_state_wait(st);
1333 static void site_resolve_callback(void *sst, const struct comm_addr *addrs,
1334 int stored_naddrs, int all_naddrs,
1335 const char *address, const char *failwhy)
1337 struct site *st=sst;
1339 if (!stored_naddrs) {
1340 slog(st,LOG_ERROR,"resolution of %s failed: %s",address,failwhy);
1342 slog(st,LOG_PEER_ADDRS,"resolution of %s completed, %d addrs, eg: %s",
1343 address, all_naddrs, comm_addr_to_string(&addrs[0]));;
1345 int space=st->transport_peers_max-st->resolving_n_results_stored;
1346 int n_tocopy=MIN(stored_naddrs,space);
1347 COPY_ARRAY(st->resolving_results + st->resolving_n_results_stored,
1350 st->resolving_n_results_stored += n_tocopy;
1351 st->resolving_n_results_all += all_naddrs;
1354 decrement_resolving_count(st,1);
1357 static void decrement_resolving_count(struct site *st, int by)
1359 assert(st->resolving_count>0);
1360 st->resolving_count-=by;
1362 if (st->resolving_count)
1365 /* OK, we are done with them all. Handle combined results. */
1367 const struct comm_addr *addrs=st->resolving_results;
1368 int naddrs=st->resolving_n_results_stored;
1369 assert(naddrs<=st->transport_peers_max);
1372 if (naddrs != st->resolving_n_results_all) {
1373 slog(st,LOG_SETUP_INIT,"resolution of supplied addresses/names"
1374 " yielded too many results (%d > %d), some ignored",
1375 st->resolving_n_results_all, naddrs);
1377 slog(st,LOG_STATE,"resolution completed, %d addrs, eg: %s",
1378 naddrs, iaddr_to_string(&addrs[0].ia));;
1381 switch (st->state) {
1383 if (transport_compute_setupinit_peers(st,addrs,naddrs,0)) {
1384 enter_new_state(st,SITE_SENTMSG1,0);
1386 /* Can't figure out who to try to to talk to */
1387 slog(st,LOG_SETUP_INIT,
1388 "key exchange failed: cannot find peer address");
1389 enter_state_run(st);
1392 case SITE_SENTMSG1: case SITE_SENTMSG2:
1393 case SITE_SENTMSG3: case SITE_SENTMSG4:
1396 /* We start using the address immediately for data too.
1397 * It's best to store it in st->peers now because we might
1398 * go via SENTMSG5, WAIT, and a MSG0, straight into using
1399 * the new key (without updating the data peer addrs). */
1400 transport_resolve_complete(st,addrs,naddrs);
1401 } else if (st->local_mobile) {
1402 /* We can't let this rest because we may have a peer
1403 * address which will break in the future. */
1404 slog(st,LOG_SETUP_INIT,"resolution failed: "
1405 "abandoning key exchange");
1406 enter_state_wait(st);
1408 slog(st,LOG_SETUP_INIT,"resolution failed: "
1409 " continuing to use source address of peer's packets"
1410 " for key exchange and ultimately data");
1415 slog(st,LOG_SETUP_INIT,"resolution completed tardily,"
1416 " updating peer address(es)");
1417 transport_resolve_complete_tardy(st,addrs,naddrs);
1418 } else if (st->local_mobile) {
1419 /* Not very good. We should queue (another) renegotiation
1420 * so that we can update the peer address. */
1421 st->key_renegotiate_time=st->now+wait_timeout(st);
1423 slog(st,LOG_SETUP_INIT,"resolution failed: "
1424 " continuing to use source address of peer's packets");
1434 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
1435 const struct comm_addr *prod_hint)
1437 /* Reentrancy hazard: can call enter_new_state/enter_state_* */
1438 if (st->state!=SITE_RUN) return False;
1439 slog(st,LOG_SETUP_INIT,"initiating key exchange (%s)",reason);
1440 if (st->addresses) {
1441 slog(st,LOG_SETUP_INIT,"resolving peer address(es)");
1442 return enter_state_resolve(st);
1443 } else if (transport_compute_setupinit_peers(st,0,0,prod_hint)) {
1444 return enter_new_state(st,SITE_SENTMSG1,0);
1446 slog(st,LOG_SETUP_INIT,"key exchange failed: no address for peer");
1450 static void activate_new_key(struct site *st)
1452 struct transform_inst_if *t;
1454 /* We have three transform instances, which we swap between old,
1456 t=st->auxiliary_key.transform;
1457 st->auxiliary_key.transform=st->current.transform;
1458 st->current.transform=st->new_transform;
1459 st->new_transform=t;
1460 dispose_transform(&st->new_transform);
1463 st->auxiliary_is_new=0;
1464 st->auxiliary_key.key_timeout=st->current.key_timeout;
1465 st->current.key_timeout=st->now+st->key_lifetime;
1466 st->renegotiate_key_time=st->now+st->key_renegotiate_time;
1467 transport_peers_copy(st,&st->peers,&st->setup_peers);
1468 st->current.remote_session_id=st->setup_session_id;
1470 /* Compute the inter-site MTU. This is min( our_mtu, their_mtu ).
1471 * But their mtu be unspecified, in which case we just use ours. */
1472 uint32_t intersite_mtu=
1473 MIN(st->mtu_target, st->remote_adv_mtu ?: ~(uint32_t)0);
1474 st->netlink->set_mtu(st->netlink->st,intersite_mtu);
1476 slog(st,LOG_ACTIVATE_KEY,"new key activated"
1477 " (mtu ours=%"PRId32" theirs=%"PRId32" intersite=%"PRId32")",
1478 st->mtu_target, st->remote_adv_mtu, intersite_mtu);
1479 enter_state_run(st);
1482 static void delete_one_key(struct site *st, struct data_key *key,
1483 cstring_t reason, cstring_t which, uint32_t loglevel)
1485 if (!is_transform_valid(key->transform)) return;
1486 if (reason) slog(st,loglevel,"%s deleted (%s)",which,reason);
1487 dispose_transform(&key->transform);
1491 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel)
1493 if (current_valid(st)) {
1494 slog(st,loglevel,"session closed (%s)",reason);
1496 delete_one_key(st,&st->current,0,0,0);
1497 set_link_quality(st);
1499 delete_one_key(st,&st->auxiliary_key,0,0,0);
1502 static void state_assert(struct site *st, bool_t ok)
1504 if (!ok) fatal("site:state_assert");
1507 static void enter_state_stop(struct site *st)
1509 st->state=SITE_STOP;
1511 delete_keys(st,"entering state STOP",LOG_TIMEOUT_KEY);
1512 dispose_transform(&st->new_transform);
1515 static void set_link_quality(struct site *st)
1518 if (current_valid(st))
1519 quality=LINK_QUALITY_UP;
1520 else if (st->state==SITE_WAIT || st->state==SITE_STOP)
1521 quality=LINK_QUALITY_DOWN;
1522 else if (st->addresses)
1523 quality=LINK_QUALITY_DOWN_CURRENT_ADDRESS;
1524 else if (transport_peers_valid(&st->peers))
1525 quality=LINK_QUALITY_DOWN_STALE_ADDRESS;
1527 quality=LINK_QUALITY_DOWN;
1529 st->netlink->set_quality(st->netlink->st,quality);
1532 static void enter_state_run(struct site *st)
1534 slog(st,LOG_STATE,"entering state RUN%s",
1535 current_valid(st) ? " (keyed)" : " (unkeyed)");
1539 st->setup_session_id=0;
1540 transport_peers_clear(st,&st->setup_peers);
1541 FILLZERO(st->localN);
1542 FILLZERO(st->remoteN);
1543 dispose_transform(&st->new_transform);
1544 memset(st->dhsecret,0,st->dh->len);
1545 if (st->sharedsecret) memset(st->sharedsecret,0,st->sharedsecretlen);
1546 set_link_quality(st);
1548 if (st->keepalive && !current_valid(st))
1549 initiate_key_setup(st, "keepalive", 0);
1552 static bool_t ensure_resolving(struct site *st)
1554 /* Reentrancy hazard: may call site_resolve_callback and hence
1555 * enter_new_state, enter_state_* and generate_msg*. */
1556 if (st->resolving_count)
1559 assert(st->addresses);
1561 /* resolver->request might reentrantly call site_resolve_callback
1562 * which will decrement st->resolving, so we need to increment it
1563 * twice beforehand to prevent decrement from thinking we're
1564 * finished, and decrement it ourselves. Alternatively if
1565 * everything fails then there are no callbacks due and we simply
1566 * set it to 0 and return false.. */
1567 st->resolving_n_results_stored=0;
1568 st->resolving_n_results_all=0;
1569 st->resolving_count+=2;
1570 const char **addrp=st->addresses;
1571 const char *address;
1573 for (; (address=*addrp++); ) {
1574 bool_t ok = st->resolver->request(st->resolver->st,address,
1575 st->remoteport,st->comms[0],
1576 site_resolve_callback,st);
1578 st->resolving_count++;
1582 st->resolving_count=0;
1585 decrement_resolving_count(st,2);
1589 static bool_t enter_state_resolve(struct site *st)
1591 /* Reentrancy hazard! See ensure_resolving. */
1592 state_assert(st,st->state==SITE_RUN);
1593 slog(st,LOG_STATE,"entering state RESOLVE");
1594 st->state=SITE_RESOLVE;
1595 return ensure_resolving(st);
1598 static bool_t enter_new_state(struct site *st, uint32_t next,
1599 const struct msg *prompt
1600 /* may be 0 for SENTMSG1 */)
1602 bool_t (*gen)(struct site *st, const struct msg *prompt);
1605 slog(st,LOG_STATE,"entering state %s",state_name(next));
1608 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE);
1609 if (!kex_init(st)) return False;
1611 st->msg1_crossed_logged = False;
1614 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1615 st->state==SITE_SENTMSG1 || st->state==SITE_WAIT);
1616 if (!kex_init(st)) return False;
1620 state_assert(st,st->state==SITE_SENTMSG1);
1621 BUF_FREE(&st->buffer);
1625 state_assert(st,st->state==SITE_SENTMSG2);
1626 BUF_FREE(&st->buffer);
1630 state_assert(st,st->state==SITE_SENTMSG3);
1631 BUF_FREE(&st->buffer);
1635 state_assert(st,st->state==SITE_SENTMSG4);
1636 BUF_FREE(&st->buffer);
1641 fatal("enter_new_state(%s): invalid new state",state_name(next));
1645 if (hacky_par_start_failnow()) return False;
1647 r= gen(st,prompt) && send_msg(st);
1650 st->setup_retries, st->setup_retry_interval,
1655 if (next==SITE_RUN) {
1656 BUF_FREE(&st->buffer); /* Never reused */
1657 st->timeout=0; /* Never retransmit */
1658 activate_new_key(st);
1662 slog(st,LOG_ERROR,"error entering state %s",state_name(next));
1663 st->buffer.free=False; /* Unconditionally use the buffer; it may be
1664 in either state, and enter_state_wait() will
1666 enter_state_wait(st);
1670 /* msg7 tells our peer that we're about to forget our key */
1671 static bool_t send_msg7(struct site *st, cstring_t reason)
1673 cstring_t transform_err;
1675 if (current_valid(st) && st->buffer.free
1676 && transport_peers_valid(&st->peers)) {
1677 BUF_ALLOC(&st->buffer,"site:MSG7");
1678 buffer_init(&st->buffer,calculate_max_start_pad());
1679 buf_append_uint32(&st->buffer,LABEL_MSG7);
1680 buf_append_string(&st->buffer,reason);
1681 if (call_transform_forwards(st, st->current.transform,
1682 &st->buffer, &transform_err))
1684 buf_prepend_uint32(&st->buffer,LABEL_MSG0);
1685 buf_prepend_uint32(&st->buffer,st->index);
1686 buf_prepend_uint32(&st->buffer,st->current.remote_session_id);
1687 transport_xmit(st,&st->peers,&st->buffer,True);
1688 BUF_FREE(&st->buffer);
1695 /* We go into this state if our peer becomes uncommunicative. Similar to
1696 the "stop" state, we forget all session keys for a while, before
1697 re-entering the "run" state. */
1698 static void enter_state_wait(struct site *st)
1700 slog(st,LOG_STATE,"entering state WAIT");
1701 st->timeout=st->now+wait_timeout(st);
1702 st->state=SITE_WAIT;
1703 set_link_quality(st);
1704 BUF_FREE(&st->buffer); /* will have had an outgoing packet in it */
1705 /* XXX Erase keys etc. */
1708 static void generate_prod(struct site *st, struct buffer_if *buf)
1711 buf_append_uint32(buf,0);
1712 buf_append_uint32(buf,0);
1713 buf_append_uint32(buf,LABEL_PROD);
1714 buf_append_string(buf,st->localname);
1715 buf_append_string(buf,st->remotename);
1718 static void generate_send_prod(struct site *st,
1719 const struct comm_addr *source)
1721 if (!st->allow_send_prod) return; /* too soon */
1722 if (!(st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1723 st->state==SITE_WAIT)) return; /* we'd ignore peer's MSG1 */
1725 slog(st,LOG_SETUP_INIT,"prodding peer for key exchange");
1726 st->allow_send_prod=0;
1727 generate_prod(st,&st->scratch);
1728 bool_t ok = comm_addr_sendmsg(st, source, &st->scratch);
1729 dump_packet(st,&st->scratch,source,False,ok);
1732 static inline void site_settimeout(uint64_t timeout, int *timeout_io)
1735 int64_t offset=timeout-*now;
1736 if (offset<0) offset=0;
1737 if (offset>INT_MAX) offset=INT_MAX;
1738 if (*timeout_io<0 || offset<*timeout_io)
1743 static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io,
1746 struct site *st=sst;
1748 BEFOREPOLL_WANT_FDS(0); /* We don't use any file descriptors */
1751 /* Work out when our next timeout is. The earlier of 'timeout' or
1752 'current.key_timeout'. A stored value of '0' indicates no timeout
1754 site_settimeout(st->timeout, timeout_io);
1755 site_settimeout(st->current.key_timeout, timeout_io);
1756 site_settimeout(st->auxiliary_key.key_timeout, timeout_io);
1758 return 0; /* success */
1761 static void check_expiry(struct site *st, struct data_key *key,
1764 if (key->key_timeout && *now>key->key_timeout) {
1765 delete_one_key(st,key,"maximum life exceeded",which,LOG_TIMEOUT_KEY);
1769 /* NB site_afterpoll will be called before site_beforepoll is ever called */
1770 static void site_afterpoll(void *sst, struct pollfd *fds, int nfds)
1772 struct site *st=sst;
1775 if (st->timeout && *now>st->timeout) {
1777 if (st->state>=SITE_SENTMSG1 && st->state<=SITE_SENTMSG5) {
1778 if (!hacky_par_start_failnow())
1780 } else if (st->state==SITE_WAIT) {
1781 enter_state_run(st);
1783 slog(st,LOG_ERROR,"site_afterpoll: unexpected timeout, state=%d",
1787 check_expiry(st,&st->current,"current key");
1788 check_expiry(st,&st->auxiliary_key,"auxiliary key");
1791 /* This function is called by the netlink device to deliver packets
1792 intended for the remote network. The packet is in "raw" wire
1793 format, but is guaranteed to be word-aligned. */
1794 static void site_outgoing(void *sst, struct buffer_if *buf)
1796 struct site *st=sst;
1797 cstring_t transform_err;
1799 if (st->state==SITE_STOP) {
1804 st->allow_send_prod=1;
1806 /* In all other states we consider delivering the packet if we have
1807 a valid key and a valid address to send it to. */
1808 if (current_valid(st) && transport_peers_valid(&st->peers)) {
1809 /* Transform it and send it */
1811 buf_prepend_uint32(buf,LABEL_MSG9);
1812 if (call_transform_forwards(st, st->current.transform,
1813 buf, &transform_err))
1815 buf_prepend_uint32(buf,LABEL_MSG0);
1816 buf_prepend_uint32(buf,st->index);
1817 buf_prepend_uint32(buf,st->current.remote_session_id);
1818 transport_xmit(st,&st->peers,buf,False);
1825 slog(st,LOG_DROP,"discarding outgoing packet of size %d",buf->size);
1827 initiate_key_setup(st,"outgoing packet",0);
1830 static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in,
1831 uint32_t type, struct msg *m,
1832 struct priomsg *whynot)
1833 /* For packets which are identified by the local and remote names.
1834 * If it has our name and our peer's name in it it's for us. */
1836 struct buffer_if buf[1];
1837 buffer_readonly_clone(buf,buf_in);
1839 if (!unpick_msg(st,type,buf,m)) {
1840 priomsg_update_fixed(whynot, comm_notify_whynot_unpick, "malformed");
1843 #define NAME_MATCHES(lr) \
1844 if (!name_matches(&m->lr, st->lr##name)) { \
1845 if (priomsg_update_fixed(whynot, comm_notify_whynot_name_##lr, \
1846 "unknown " #lr " name: ")) { \
1847 truncmsg_add_packet_string(&whynot->m, m->lr.len, m->lr.name); \
1851 NAME_MATCHES(remote);
1852 NAME_MATCHES(local );
1858 static bool_t we_have_priority(struct site *st, const struct msg *m) {
1859 if (st->local_capabilities & m->remote_capabilities &
1860 CAPAB_PRIORITY_MOBILE) {
1861 if (st->local_mobile) return True;
1862 if (st-> peer_mobile) return False;
1864 return st->our_name_later;
1867 static bool_t setup_late_msg_ok(struct site *st,
1868 const struct buffer_if *buf_in,
1870 const struct comm_addr *source,
1871 struct msg *m /* returned */) {
1872 /* For setup packets which seem from their type like they are
1873 * late. Maybe they came via a different path. All we do is make
1874 * a note of the sending address, iff they look like they are part
1875 * of the current key setup attempt. */
1876 if (!named_for_us(st,buf_in,msgtype,m,0))
1877 /* named_for_us calls unpick_msg which gets the nonces */
1879 if (!consttime_memeq(m->nR,st->remoteN,NONCELEN) ||
1880 !consttime_memeq(m->nL,st->localN, NONCELEN))
1881 /* spoof ? from stale run ? who knows */
1883 transport_setup_msgok(st,source);
1887 /* This function is called by the communication device to deliver
1888 packets from our peers.
1889 It should return True if the packet is recognised as being for
1890 this current site instance (and should therefore not be processed
1891 by other sites), even if the packet was otherwise ignored. */
1892 static bool_t site_incoming(void *sst, struct buffer_if *buf,
1893 const struct comm_addr *source,
1894 struct priomsg *whynot)
1896 struct site *st=sst;
1898 if (buf->size < 12) return False;
1900 uint32_t dest=get_uint32(buf->start);
1901 uint32_t msgtype=get_uint32(buf->start+8);
1903 /* initialised by named_for_us, or process_msgN for N!=1 */
1905 if (msgtype==LABEL_MSG1) {
1906 if (!named_for_us(st,buf,msgtype,&msg,whynot))
1908 /* It's a MSG1 addressed to us. Decide what to do about it. */
1909 dump_packet(st,buf,source,True,True);
1910 if (st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1911 st->state==SITE_WAIT) {
1912 /* We should definitely process it */
1913 transport_compute_setupinit_peers(st,0,0,source);
1914 if (process_msg1(st,buf,source,&msg)) {
1915 slog(st,LOG_SETUP_INIT,"key setup initiated by peer");
1916 bool_t entered=enter_new_state(st,SITE_SENTMSG2,&msg);
1917 if (entered && st->addresses && st->local_mobile)
1918 /* We must do this as the very last thing, because
1919 the resolver callback might reenter us. */
1920 ensure_resolving(st);
1922 slog(st,LOG_ERROR,"failed to process incoming msg1");
1926 } else if (st->state==SITE_SENTMSG1) {
1927 /* We've just sent a message 1! They may have crossed on
1928 the wire. If we have priority then we ignore the
1929 incoming one, otherwise we process it as usual. */
1930 if (we_have_priority(st,&msg)) {
1932 if (!st->msg1_crossed_logged++)
1933 slog(st,LOG_SETUP_INIT,"crossed msg1s; we are higher "
1934 "priority => ignore incoming msg1");
1937 slog(st,LOG_SETUP_INIT,"crossed msg1s; we are lower "
1938 "priority => use incoming msg1");
1939 if (process_msg1(st,buf,source,&msg)) {
1940 BUF_FREE(&st->buffer); /* Free our old message 1 */
1941 transport_setup_msgok(st,source);
1942 enter_new_state(st,SITE_SENTMSG2,&msg);
1944 slog(st,LOG_ERROR,"failed to process an incoming "
1945 "crossed msg1 (we have low priority)");
1950 } else if (st->state==SITE_SENTMSG2 ||
1951 st->state==SITE_SENTMSG4) {
1952 if (consttime_memeq(msg.nR,st->remoteN,NONCELEN)) {
1953 /* We are ahead in the protocol, but that msg1 had the
1954 * peer's nonce so presumably it is from this key
1955 * exchange run, via a slower route */
1956 transport_setup_msgok(st,source);
1958 slog(st,LOG_UNEXPECTED,"competing incoming message 1");
1963 /* The message 1 was received at an unexpected stage of the
1964 key setup. Well, they lost the race. */
1965 slog(st,LOG_UNEXPECTED,"unexpected incoming message 1");
1969 if (msgtype==LABEL_PROD) {
1970 if (!named_for_us(st,buf,msgtype,&msg,whynot))
1972 dump_packet(st,buf,source,True,True);
1973 if (st->state!=SITE_RUN) {
1974 slog(st,LOG_DROP,"ignoring PROD when not in state RUN");
1975 } else if (current_valid(st)) {
1976 slog(st,LOG_DROP,"ignoring PROD when we think we have a key");
1978 initiate_key_setup(st,"peer sent PROD packet",source);
1983 if (dest==st->index) {
1984 /* Explicitly addressed to us */
1985 if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True,True);
1988 /* If the source is our current peer then initiate a key setup,
1989 because our peer's forgotten the key */
1990 if (get_uint32(buf->start+4)==st->current.remote_session_id) {
1992 initiated = initiate_key_setup(st,"received a NAK",source);
1993 if (!initiated) generate_send_prod(st,source);
1995 slog(st,LOG_SEC,"bad incoming NAK");
1999 process_msg0(st,buf,source);
2002 /* Setup packet: should not have been explicitly addressed
2004 slog(st,LOG_SEC,"incoming explicitly addressed msg1");
2007 /* Setup packet: expected only in state SENTMSG1 */
2008 if (st->state!=SITE_SENTMSG1) {
2009 if ((st->state==SITE_SENTMSG3 ||
2010 st->state==SITE_SENTMSG5) &&
2011 setup_late_msg_ok(st,buf,msgtype,source,&msg))
2013 slog(st,LOG_UNEXPECTED,"unexpected MSG2");
2014 } else if (process_msg2(st,buf,source,&msg)) {
2015 transport_setup_msgok(st,source);
2016 enter_new_state(st,SITE_SENTMSG3,&msg);
2018 slog(st,LOG_SEC,"invalid MSG2");
2021 case CASES_MSG3_KNOWN:
2022 /* Setup packet: expected only in state SENTMSG2 */
2023 if (st->state!=SITE_SENTMSG2) {
2024 if ((st->state==SITE_SENTMSG4) &&
2025 setup_late_msg_ok(st,buf,msgtype,source,&msg))
2027 slog(st,LOG_UNEXPECTED,"unexpected MSG3");
2028 } else if (process_msg3(st,buf,source,msgtype,&msg)) {
2029 transport_setup_msgok(st,source);
2030 enter_new_state(st,SITE_SENTMSG4,&msg);
2032 slog(st,LOG_SEC,"invalid MSG3");
2036 /* Setup packet: expected only in state SENTMSG3 */
2037 if (st->state!=SITE_SENTMSG3) {
2038 if ((st->state==SITE_SENTMSG5) &&
2039 setup_late_msg_ok(st,buf,msgtype,source,&msg))
2041 slog(st,LOG_UNEXPECTED,"unexpected MSG4");
2042 } else if (process_msg4(st,buf,source,&msg)) {
2043 transport_setup_msgok(st,source);
2044 enter_new_state(st,SITE_SENTMSG5,&msg);
2046 slog(st,LOG_SEC,"invalid MSG4");
2050 /* Setup packet: expected only in state SENTMSG4 */
2051 /* (may turn up in state RUN if our return MSG6 was lost
2052 and the new key has already been activated. In that
2053 case we discard it. The peer will realise that we
2054 are using the new key when they see our data packets.
2055 Until then the peer's data packets to us get discarded. */
2056 if (st->state==SITE_SENTMSG4) {
2057 if (process_msg5(st,buf,source,st->new_transform)) {
2058 transport_setup_msgok(st,source);
2059 enter_new_state(st,SITE_RUN,&msg);
2061 slog(st,LOG_SEC,"invalid MSG5");
2063 } else if (st->state==SITE_RUN) {
2064 if (process_msg5(st,buf,source,st->current.transform)) {
2065 slog(st,LOG_DROP,"got MSG5, retransmitting MSG6");
2066 transport_setup_msgok(st,source);
2067 create_msg6(st,st->current.transform,
2068 st->current.remote_session_id);
2069 transport_xmit(st,&st->peers,&st->buffer,True);
2070 BUF_FREE(&st->buffer);
2072 slog(st,LOG_SEC,"invalid MSG5 (in state RUN)");
2075 slog(st,LOG_UNEXPECTED,"unexpected MSG5");
2079 /* Setup packet: expected only in state SENTMSG5 */
2080 if (st->state!=SITE_SENTMSG5) {
2081 slog(st,LOG_UNEXPECTED,"unexpected MSG6");
2082 } else if (process_msg6(st,buf,source)) {
2083 BUF_FREE(&st->buffer); /* Free message 5 */
2084 transport_setup_msgok(st,source);
2085 activate_new_key(st);
2087 slog(st,LOG_SEC,"invalid MSG6");
2091 slog(st,LOG_SEC,"received message of unknown type 0x%08x",
2099 priomsg_update_fixed(whynot, comm_notify_whynot_general,
2100 "not MSG1 or PROD; unknown dest index");
2104 static void site_control(void *vst, bool_t run)
2106 struct site *st=vst;
2107 if (run) enter_state_run(st);
2108 else enter_state_stop(st);
2111 static void site_phase_hook(void *sst, uint32_t newphase)
2113 struct site *st=sst;
2115 /* The program is shutting down; tell our peer */
2116 send_msg7(st,"shutting down");
2119 static void site_childpersist_clearkeys(void *sst, uint32_t newphase)
2121 struct site *st=sst;
2122 dispose_transform(&st->current.transform);
2123 dispose_transform(&st->auxiliary_key.transform);
2124 dispose_transform(&st->new_transform);
2125 /* Not much point overwiting the signing key, since we loaded it
2126 from disk, and it is only valid prospectively if at all,
2128 /* XXX it would be best to overwrite the DH state, because that
2129 _is_ relevant to forward secrecy. However we have no
2130 convenient interface for doing that and in practice gmp has
2131 probably dribbled droppings all over the malloc arena. A good
2132 way to fix this would be to have a privsep child for asymmetric
2133 crypto operations, but that's a task for another day. */
2136 static void setup_sethash(struct site *st, dict_t *dict,
2137 struct hash_if **hash, struct cloc loc,
2138 sig_sethash_fn *sethash, void *sigkey_st) {
2139 if (!*hash) *hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
2140 sethash(sigkey_st,*hash);
2142 #define SETUP_SETHASH(k) do{ \
2144 setup_sethash(st,dict, &hash,loc, (k)->sethash,(k)->st); \
2147 static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
2150 static uint32_t index_sequence;
2158 st->cl.description="site";
2159 st->cl.type=CL_SITE;
2161 st->cl.interface=&st->ops;
2163 st->ops.control=site_control;
2164 st->ops.status=site_status;
2166 /* First parameter must be a dict */
2167 item=list_elem(args,0);
2168 if (!item || item->type!=t_dict)
2169 cfgfatal(loc,"site","parameter must be a dictionary\n");
2171 dict=item->data.dict;
2172 st->localname=dict_read_string(dict, "local-name", True, "site", loc);
2173 st->remotename=dict_read_string(dict, "name", True, "site", loc);
2175 st->keepalive=dict_read_bool(dict,"keepalive",False,"site",loc,False);
2177 st->peer_mobile=dict_read_bool(dict,"mobile",False,"site",loc,False);
2179 dict_read_bool(dict,"local-mobile",False,"site",loc,False);
2181 /* Sanity check (which also allows the 'sites' file to include
2182 site() closures for all sites including our own): refuse to
2183 talk to ourselves */
2184 if (strcmp(st->localname,st->remotename)==0) {
2185 Message(M_DEBUG,"site %s: local-name==name -> ignoring this site\n",
2187 if (st->peer_mobile != st->local_mobile)
2188 cfgfatal(loc,"site","site %s's peer-mobile=%d"
2189 " but our local-mobile=%d\n",
2190 st->localname, st->peer_mobile, st->local_mobile);
2194 if (st->peer_mobile && st->local_mobile) {
2195 Message(M_WARNING,"site %s: site is mobile but so are we"
2196 " -> ignoring this site\n", st->remotename);
2201 assert(index_sequence < 0xffffffffUL);
2202 st->index = ++index_sequence;
2203 st->local_capabilities = 0;
2204 st->early_capabilities = CAPAB_PRIORITY_MOBILE;
2205 st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc);
2207 #define GET_CLOSURE_LIST(dictkey,things,nthings,CL_TYPE) do{ \
2208 list_t *things##_cfg=dict_lookup(dict,dictkey); \
2209 if (!things##_cfg) \
2210 cfgfatal(loc,"site","closure list \"%s\" not found\n",dictkey); \
2211 st->nthings=list_length(things##_cfg); \
2212 NEW_ARY(st->things,st->nthings); \
2213 assert(st->nthings); \
2214 for (i=0; i<st->nthings; i++) { \
2215 item_t *item=list_elem(things##_cfg,i); \
2216 if (item->type!=t_closure) \
2217 cfgfatal(loc,"site","%s is not a closure\n",dictkey); \
2218 closure_t *cl=item->data.closure; \
2219 if (cl->type!=CL_TYPE) \
2220 cfgfatal(loc,"site","%s closure wrong type\n",dictkey); \
2221 st->things[i]=cl->interface; \
2225 GET_CLOSURE_LIST("comm",comms,ncomms,CL_COMM);
2227 NEW_ARY(st->commclientinfos, st->ncomms);
2228 dict_t *comminfo = dict_read_dict(dict,"comm-info",False,"site",loc);
2229 for (i=0; i<st->ncomms; i++) {
2230 st->commclientinfos[i] =
2232 st->comms[i]->clientinfo(st->comms[i],comminfo,loc);
2235 st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc);
2236 st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc);
2237 st->random=find_cl_if(dict,"random",CL_RANDOMSRC,True,"site",loc);
2239 struct hash_if *hash=0;
2240 st->privkey=find_cl_if(dict,"local-key",CL_SIGPRIVKEY,True,"site",loc);
2241 st->addresses=dict_read_string_array(dict,"address",False,"site",loc,0);
2243 st->remoteport=dict_read_number(dict,"port",True,"site",loc,0);
2244 else st->remoteport=0;
2245 st->pubkey=find_cl_if(dict,"key",CL_SIGPUBKEY,True,"site",loc);
2247 GET_CLOSURE_LIST("transform",transforms,ntransforms,CL_TRANSFORM);
2249 st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
2251 SETUP_SETHASH(st->privkey);
2252 SETUP_SETHASH(st->pubkey);
2254 #define DEFAULT(D) (st->peer_mobile || st->local_mobile \
2255 ? DEFAULT_MOBILE_##D : DEFAULT_##D)
2256 #define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
2258 st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
2259 st->setup_retries= CFG_NUMBER("setup-retries", SETUP_RETRIES);
2260 st->setup_retry_interval= CFG_NUMBER("setup-timeout", SETUP_RETRY_INTERVAL);
2261 st->wait_timeout_mean= CFG_NUMBER("wait-time", WAIT_TIME);
2262 st->mtu_target= dict_read_number(dict,"mtu-target",False,"site",loc,0);
2264 st->mobile_peer_expiry= dict_read_number(
2265 dict,"mobile-peer-expiry",False,"site",loc,DEFAULT_MOBILE_PEER_EXPIRY);
2267 const char *peerskey= st->peer_mobile
2268 ? "mobile-peers-max" : "static-peers-max";
2269 st->transport_peers_max= dict_read_number(
2270 dict,peerskey,False,"site",loc, st->addresses ? 4 : 3);
2271 if (st->transport_peers_max<1 ||
2272 st->transport_peers_max>MAX_PEER_ADDRS) {
2273 cfgfatal(loc,"site", "%s must be in range 1.."
2274 STRING(MAX_PEER_ADDRS) "\n", peerskey);
2277 if (st->key_lifetime < DEFAULT(KEY_RENEGOTIATE_GAP)*2)
2278 st->key_renegotiate_time=st->key_lifetime/2;
2280 st->key_renegotiate_time=st->key_lifetime-DEFAULT(KEY_RENEGOTIATE_GAP);
2281 st->key_renegotiate_time=dict_read_number(
2282 dict,"renegotiate-time",False,"site",loc,st->key_renegotiate_time);
2283 if (st->key_renegotiate_time > st->key_lifetime) {
2284 cfgfatal(loc,"site",
2285 "renegotiate-time must be less than key-lifetime\n");
2288 st->log_events=string_list_to_word(dict_lookup(dict,"log-events"),
2289 log_event_table,"site");
2291 st->resolving_count=0;
2292 st->allow_send_prod=0;
2294 st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5,
2296 sprintf(st->tunname,"%s<->%s",st->localname,st->remotename);
2298 /* The information we expect to see in incoming messages of type 1 */
2299 /* fixme: lots of unchecked overflows here, but the results are only
2300 corrupted packets rather than undefined behaviour */
2301 st->our_name_later=(strcmp(st->localname,st->remotename)>0);
2303 buffer_new(&st->buffer,SETUP_BUFFER_LEN);
2305 buffer_new(&st->scratch,SETUP_BUFFER_LEN);
2306 BUF_ALLOC(&st->scratch,"site:scratch");
2308 /* We are interested in poll(), but only for timeouts. We don't have
2309 any fds of our own. */
2310 register_for_poll(st, site_beforepoll, site_afterpoll, "site");
2313 st->remote_capabilities=0;
2314 st->chosen_transform=0;
2315 st->current.key_timeout=0;
2316 st->auxiliary_key.key_timeout=0;
2317 transport_peers_clear(st,&st->peers);
2318 transport_peers_clear(st,&st->setup_peers);
2319 /* XXX mlock these */
2320 st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret");
2321 st->sharedsecretlen=st->sharedsecretallocd=0;
2324 #define SET_CAPBIT(bit) do { \
2325 uint32_t capflag = 1UL << (bit); \
2326 if (st->local_capabilities & capflag) \
2327 slog(st,LOG_ERROR,"capability bit" \
2328 " %d (%#"PRIx32") reused", (bit), capflag); \
2329 st->local_capabilities |= capflag; \
2332 for (i=0; i<st->ntransforms; i++)
2333 SET_CAPBIT(st->transforms[i]->capab_bit);
2337 if (st->local_mobile || st->peer_mobile)
2338 st->local_capabilities |= CAPAB_PRIORITY_MOBILE;
2340 /* We need to register the remote networks with the netlink device */
2341 uint32_t netlink_mtu; /* local virtual interface mtu */
2342 st->netlink->reg(st->netlink->st, site_outgoing, st, &netlink_mtu);
2343 if (!st->mtu_target)
2344 st->mtu_target=netlink_mtu;
2346 for (i=0; i<st->ncomms; i++)
2347 st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming);
2349 st->current.transform=0;
2350 st->auxiliary_key.transform=0;
2351 st->new_transform=0;
2352 st->auxiliary_is_new=0;
2354 enter_state_stop(st);
2356 add_hook(PHASE_SHUTDOWN,site_phase_hook,st);
2357 add_hook(PHASE_CHILDPERSIST,site_childpersist_clearkeys,st);
2359 return new_closure(&st->cl);
2362 void site_module(dict_t *dict)
2364 add_closure(dict,"site",site_apply);
2368 /***** TRANSPORT PEERS definitions *****/
2370 static void transport_peers_debug(struct site *st, transport_peers *dst,
2371 const char *didwhat,
2372 int nargs, const struct comm_addr *args,
2377 if (!(st->log_events & LOG_PEER_ADDRS))
2378 return; /* an optimisation */
2380 slog(st, LOG_PEER_ADDRS, "peers (%s) %s nargs=%d => npeers=%d",
2381 (dst==&st->peers ? "data" :
2382 dst==&st->setup_peers ? "setup" : "UNKNOWN"),
2383 didwhat, nargs, dst->npeers);
2385 for (i=0, argp=(void*)args;
2387 i++, (argp+=stride?stride:sizeof(*args))) {
2388 const struct comm_addr *ca=(void*)argp;
2389 slog(st, LOG_PEER_ADDRS, " args: addrs[%d]=%s",
2390 i, comm_addr_to_string(ca));
2392 for (i=0; i<dst->npeers; i++) {
2393 struct timeval diff;
2394 timersub(tv_now,&dst->peers[i].last,&diff);
2395 const struct comm_addr *ca=&dst->peers[i].addr;
2396 slog(st, LOG_PEER_ADDRS, " peers: addrs[%d]=%s T-%ld.%06ld",
2397 i, comm_addr_to_string(ca),
2398 (unsigned long)diff.tv_sec, (unsigned long)diff.tv_usec);
2402 static void transport_peers_expire(struct site *st, transport_peers *peers) {
2403 /* peers must be sorted first */
2404 int previous_peers=peers->npeers;
2405 struct timeval oldest;
2406 oldest.tv_sec = tv_now->tv_sec - st->mobile_peer_expiry;
2407 oldest.tv_usec = tv_now->tv_usec;
2408 while (peers->npeers>1 &&
2409 timercmp(&peers->peers[peers->npeers-1].last, &oldest, <))
2411 if (peers->npeers != previous_peers)
2412 transport_peers_debug(st,peers,"expire", 0,0,0);
2415 static bool_t transport_peer_record_one(struct site *st, transport_peers *peers,
2416 const struct comm_addr *ca,
2417 const struct timeval *tv) {
2418 /* returns false if output is full */
2421 if (peers->npeers >= st->transport_peers_max)
2424 for (search=0; search<peers->npeers; search++)
2425 if (comm_addr_equal(&peers->peers[search].addr, ca))
2428 peers->peers[peers->npeers].addr = *ca;
2429 peers->peers[peers->npeers].last = *tv;
2434 static void transport_record_peers(struct site *st, transport_peers *peers,
2435 const struct comm_addr *addrs, int naddrs,
2437 /* We add addrs into peers. The new entries end up at the front
2438 * and displace entries towards the end (perhaps even off the
2439 * end). Any existing matching entries are moved up to the front.
2441 * Caller must first call transport_peers_expire. */
2444 /* avoids debug for uninteresting updates */
2446 for (i=0; i<peers->npeers; i++) {
2447 if (comm_addr_equal(&addrs[0], &peers->peers[i].addr)) {
2448 memmove(peers->peers+1, peers->peers,
2449 sizeof(peers->peers[0]) * i);
2450 peers->peers[0].addr = addrs[0];
2451 peers->peers[0].last = *tv_now;
2457 int old_npeers=peers->npeers;
2458 transport_peer old_peers[old_npeers];
2459 COPY_ARRAY(old_peers,peers->peers,old_npeers);
2463 for (i=0; i<naddrs; i++) {
2464 if (!transport_peer_record_one(st,peers, &addrs[i], tv_now))
2467 for (i=0; i<old_npeers; i++) {
2468 const transport_peer *old=&old_peers[i];
2469 if (!transport_peer_record_one(st,peers, &old->addr, &old->last))
2473 transport_peers_debug(st,peers,m, naddrs,addrs,0);
2476 static void transport_expire_record_peers(struct site *st,
2477 transport_peers *peers,
2478 const struct comm_addr *addrs,
2479 int naddrs, const char *m) {
2480 /* Convenience function */
2481 transport_peers_expire(st,peers);
2482 transport_record_peers(st,peers,addrs,naddrs,m);
2485 static bool_t transport_compute_setupinit_peers(struct site *st,
2486 const struct comm_addr *configured_addrs /* 0 if none or not found */,
2487 int n_configured_addrs /* 0 if none or not found */,
2488 const struct comm_addr *incoming_packet_addr /* 0 if none */) {
2489 if (!n_configured_addrs && !incoming_packet_addr &&
2490 !transport_peers_valid(&st->peers))
2493 slog(st,LOG_SETUP_INIT,
2494 "using: %d configured addr(s);%s %d old peer addrs(es)",
2496 incoming_packet_addr ? " incoming packet address;" : "",
2499 /* Non-mobile peers try addresses until one is plausible. The
2500 * effect is that this code always tries first the configured
2501 * address if supplied, or otherwise the address of the incoming
2502 * PROD, or finally the existing data peer if one exists; this is
2505 transport_peers_copy(st,&st->setup_peers,&st->peers);
2506 transport_peers_expire(st,&st->setup_peers);
2508 if (incoming_packet_addr)
2509 transport_record_peers(st,&st->setup_peers,
2510 incoming_packet_addr,1, "incoming");
2512 if (n_configured_addrs)
2513 transport_record_peers(st,&st->setup_peers,
2514 configured_addrs,n_configured_addrs, "setupinit");
2516 assert(transport_peers_valid(&st->setup_peers));
2520 static void transport_setup_msgok(struct site *st, const struct comm_addr *a) {
2521 if (st->peer_mobile)
2522 transport_expire_record_peers(st,&st->setup_peers,a,1,"setupmsg");
2524 static void transport_data_msgok(struct site *st, const struct comm_addr *a) {
2525 if (st->peer_mobile)
2526 transport_expire_record_peers(st,&st->peers,a,1,"datamsg");
2529 static int transport_peers_valid(transport_peers *peers) {
2530 return peers->npeers;
2532 static void transport_peers_clear(struct site *st, transport_peers *peers) {
2534 transport_peers_debug(st,peers,"clear",0,0,0);
2536 static void transport_peers_copy(struct site *st, transport_peers *dst,
2537 const transport_peers *src) {
2538 dst->npeers=src->npeers;
2539 COPY_ARRAY(dst->peers, src->peers, dst->npeers);
2540 transport_peers_debug(st,dst,"copy",
2541 src->npeers, &src->peers->addr, sizeof(*src->peers));
2544 static void transport_resolve_complete(struct site *st,
2545 const struct comm_addr *addrs,
2547 transport_expire_record_peers(st,&st->peers,addrs,naddrs,
2549 transport_expire_record_peers(st,&st->setup_peers,addrs,naddrs,
2553 static void transport_resolve_complete_tardy(struct site *st,
2554 const struct comm_addr *addrs,
2556 transport_expire_record_peers(st,&st->peers,addrs,naddrs,
2557 "resolved tardily");
2560 static void transport_peers__copy_by_mask(transport_peer *out, int *nout_io,
2562 const transport_peers *inp) {
2563 /* out and in->peers may be the same region, or nonoverlapping */
2564 const transport_peer *in=inp->peers;
2566 for (slot=0; slot<inp->npeers; slot++) {
2567 if (!(mask & (1U << slot)))
2569 if (!(out==in && slot==*nout_io))
2570 COPY_OBJ(out[*nout_io], in[slot]);
2575 void transport_xmit(struct site *st, transport_peers *peers,
2576 struct buffer_if *buf, bool_t candebug) {
2578 transport_peers_expire(st, peers);
2579 unsigned failed=0; /* bitmask */
2580 assert(MAX_PEER_ADDRS < sizeof(unsigned)*CHAR_BIT);
2583 for (slot=0; slot<peers->npeers; slot++) {
2584 transport_peer *peer=&peers->peers[slot];
2585 bool_t ok = comm_addr_sendmsg(st, &peer->addr, buf);
2587 dump_packet(st, buf, &peer->addr, False, ok);
2589 failed |= 1U << slot;
2592 if (ok && !st->peer_mobile)
2595 /* Now we need to demote/delete failing addrs: if we are mobile we
2596 * merely demote them; otherwise we delete them. */
2597 if (st->local_mobile) {
2598 unsigned expected = ((1U << nfailed)-1) << (peers->npeers-nfailed);
2599 /* `expected' has all the failures at the end already */
2600 if (failed != expected) {
2602 transport_peer failedpeers[nfailed];
2603 transport_peers__copy_by_mask(failedpeers, &fslot, failed,peers);
2604 assert(fslot == nfailed);
2606 transport_peers__copy_by_mask(peers->peers,&wslot,~failed,peers);
2607 assert(wslot+nfailed == peers->npeers);
2608 COPY_ARRAY(peers->peers+wslot, failedpeers, nfailed);
2609 transport_peers_debug(st,peers,"mobile failure reorder",0,0,0);
2612 if (failed && peers->npeers > 1) {
2614 transport_peers__copy_by_mask(peers->peers,&wslot,~failed,peers);
2615 peers->npeers=wslot;
2616 transport_peers_debug(st,peers,"non-mobile failure cleanup",0,0,0);
2621 /***** END of transport peers declarations *****/