1 /* site.c - manage communication with a remote network site */
3 /* The 'site' code doesn't know anything about the structure of the
4 packets it's transmitting. In fact, under the new netlink
5 configuration scheme it doesn't need to know anything at all about
6 IP addresses, except how to contact its peer. This means it could
7 potentially be used to tunnel other protocols too (IPv6, IPX, plain
8 old Ethernet frames) if appropriate netlink code can be written
9 (and that ought not to be too hard, eg. using the TUN/TAP device to
10 pretend to be an Ethernet interface). */
12 /* At some point in the future the netlink code will be asked for
13 configuration information to go in the PING/PONG packets at the end
14 of the key exchange. */
21 #include <sys/socket.h>
25 #include "unaligned.h"
28 #define SETUP_BUFFER_LEN 2048
30 #define DEFAULT_KEY_LIFETIME (3600*1000) /* [ms] */
31 #define DEFAULT_KEY_RENEGOTIATE_GAP (5*60*1000) /* [ms] */
32 #define DEFAULT_SETUP_RETRIES 5
33 #define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
34 #define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
36 #define DEFAULT_MOBILE_KEY_LIFETIME (2*24*3600*1000) /* [ms] */
37 #define DEFAULT_MOBILE_KEY_RENEGOTIATE_GAP (12*3600*1000) /* [ms] */
38 #define DEFAULT_MOBILE_SETUP_RETRIES 30
39 #define DEFAULT_MOBILE_SETUP_RETRY_INTERVAL (1*1000) /* [ms] */
40 #define DEFAULT_MOBILE_WAIT_TIME (10*1000) /* [ms] */
42 #define DEFAULT_MOBILE_PEER_EXPIRY (2*60) /* [s] */
43 #define DEFAULT_MOBILE_PEERS_MAX 3 /* send at most this many copies (default) */
45 /* Each site can be in one of several possible states. */
48 SITE_STOP - nothing is allowed to happen; tunnel is down;
49 all session keys have been erased
50 -> SITE_RUN upon external instruction
51 SITE_RUN - site up, maybe with valid key
52 -> SITE_RESOLVE upon outgoing packet and no valid key
53 we start name resolution for the other end of the tunnel
54 -> SITE_SENTMSG2 upon valid incoming message 1 and suitable time
55 we send an appropriate message 2
56 SITE_RESOLVE - waiting for name resolution
57 -> SITE_SENTMSG1 upon successful resolution
58 we send an appropriate message 1
59 -> SITE_SENTMSG2 upon valid incoming message 1 (then abort resolution)
60 we abort resolution and
61 -> SITE_WAIT on timeout or resolution failure
63 -> SITE_SENTMSG2 upon valid incoming message 1 from higher priority end
64 -> SITE_SENTMSG3 upon valid incoming message 2
65 -> SITE_WAIT on timeout
67 -> SITE_SENTMSG4 upon valid incoming message 3
68 -> SITE_WAIT on timeout
70 -> SITE_SENTMSG5 upon valid incoming message 4
71 -> SITE_WAIT on timeout
73 -> SITE_RUN upon valid incoming message 5
74 -> SITE_WAIT on timeout
76 -> SITE_RUN upon valid incoming message 6
77 -> SITE_WAIT on timeout
78 SITE_WAIT - failed to establish key; do nothing for a while
79 -> SITE_RUN on timeout
84 #define SITE_RESOLVE 2
85 #define SITE_SENTMSG1 3
86 #define SITE_SENTMSG2 4
87 #define SITE_SENTMSG3 5
88 #define SITE_SENTMSG4 6
89 #define SITE_SENTMSG5 7
92 int32_t site_max_start_pad = 4*4;
94 static cstring_t state_name(uint32_t state)
97 case 0: return "STOP";
99 case 2: return "RESOLVE";
100 case 3: return "SENTMSG1";
101 case 4: return "SENTMSG2";
102 case 5: return "SENTMSG3";
103 case 6: return "SENTMSG4";
104 case 7: return "SENTMSG5";
105 case 8: return "WAIT";
106 default: return "*bad state*";
112 #define LOG_UNEXPECTED 0x00000001
113 #define LOG_SETUP_INIT 0x00000002
114 #define LOG_SETUP_TIMEOUT 0x00000004
115 #define LOG_ACTIVATE_KEY 0x00000008
116 #define LOG_TIMEOUT_KEY 0x00000010
117 #define LOG_SEC 0x00000020
118 #define LOG_STATE 0x00000040
119 #define LOG_DROP 0x00000080
120 #define LOG_DUMP 0x00000100
121 #define LOG_ERROR 0x00000400
122 #define LOG_PEER_ADDRS 0x00000800
124 static struct flagstr log_event_table[]={
125 { "unexpected", LOG_UNEXPECTED },
126 { "setup-init", LOG_SETUP_INIT },
127 { "setup-timeout", LOG_SETUP_TIMEOUT },
128 { "activate-key", LOG_ACTIVATE_KEY },
129 { "timeout-key", LOG_TIMEOUT_KEY },
130 { "security", LOG_SEC },
131 { "state-change", LOG_STATE },
132 { "packet-drop", LOG_DROP },
133 { "dump-packets", LOG_DUMP },
134 { "errors", LOG_ERROR },
135 { "peer-addrs", LOG_PEER_ADDRS },
136 { "default", LOG_SETUP_INIT|LOG_SETUP_TIMEOUT|
137 LOG_ACTIVATE_KEY|LOG_TIMEOUT_KEY|LOG_SEC|LOG_ERROR },
138 { "all", 0xffffffff },
143 /***** TRANSPORT PEERS declarations *****/
145 /* Details of "mobile peer" semantics:
147 - We record mobile_peers_max peer address/port numbers ("peers")
148 for key setup, and separately mobile_peers_max for data
149 transfer. If these lists fill up, we retain the newest peers.
150 (For non-mobile peers we only record one of each.)
152 - Outgoing packets are sent to every recorded peer in the
155 - Data transfer peers are straightforward: whenever we successfully
156 process a data packet, we record the peer. Also, whenever we
157 successfully complete a key setup, we merge the key setup
158 peers into the data transfer peers.
160 (For "non-mobile" peers we simply copy the peer used for
161 successful key setup, and don't change the peer otherwise.)
163 - Key setup peers are slightly more complicated.
165 Whenever we receive and successfully process a key exchange
166 packet, we record the peer.
168 Whenever we try to initiate a key setup, we copy the list of data
169 transfer peers and use it for key setup. But we also look to see
170 if the config supplies an address and port number and if so we
171 add that as a key setup peer (possibly evicting one of the data
172 transfer peers we just copied).
174 (For "non-mobile" peers, if we if we have a configured peer
175 address and port, we always use that; otherwise if we have a
176 current data peer address we use that; otherwise we do not
177 attempt to initiate a key setup for lack of a peer address.)
179 "Record the peer" means
180 1. expire any peers last seen >120s ("mobile-peer-expiry") ago
181 2. add the peer of the just received packet to the applicable list
182 (possibly evicting older entries)
183 NB that we do not expire peers until an incoming packet arrives.
187 #define MAX_MOBILE_PEERS_MAX 5 /* send at most this many copies, compiled max */
191 struct comm_addr addr;
195 /* configuration information */
196 /* runtime information */
198 transport_peer peers[MAX_MOBILE_PEERS_MAX];
201 static void transport_peers_clear(struct site *st, transport_peers *peers);
202 static int transport_peers_valid(transport_peers *peers);
203 static void transport_peers_copy(struct site *st, transport_peers *dst,
204 const transport_peers *src);
206 static void transport_setup_msgok(struct site *st, const struct comm_addr *a);
207 static void transport_data_msgok(struct site *st, const struct comm_addr *a);
208 static bool_t transport_compute_setupinit_peers(struct site *st,
209 const struct comm_addr *configured_addr /* 0 if none or not found */,
210 const struct comm_addr *prod_hint_addr /* 0 if none */);
211 static void transport_record_peer(struct site *st, transport_peers *peers,
212 const struct comm_addr *addr, const char *m);
214 static void transport_xmit(struct site *st, transport_peers *peers,
215 struct buffer_if *buf, bool_t candebug);
217 /***** END of transport peers declarations *****/
221 struct transform_inst_if *transform;
222 uint64_t key_timeout; /* End of life of current key */
223 uint32_t remote_session_id;
229 /* configuration information */
232 bool_t peer_mobile; /* Mobile client support */
233 int32_t transport_peers_max;
234 string_t tunname; /* localname<->remotename by default, used in logs */
235 string_t address; /* DNS name for bootstrapping, optional */
236 int remoteport; /* Port for bootstrapping, optional */
238 struct netlink_if *netlink;
239 struct comm_if **comms;
241 struct resolver_if *resolver;
243 struct random_if *random;
244 struct rsaprivkey_if *privkey;
245 struct rsapubkey_if *pubkey;
246 struct transform_if **transforms;
249 struct hash_if *hash;
251 uint32_t index; /* Index of this site */
252 uint32_t local_capabilities;
253 int32_t setup_retries; /* How many times to send setup packets */
254 int32_t setup_retry_interval; /* Initial timeout for setup packets */
255 int32_t wait_timeout; /* How long to wait if setup unsuccessful */
256 int32_t mobile_peer_expiry; /* How long to remember 2ary addresses */
257 int32_t key_lifetime; /* How long a key lasts once set up */
258 int32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
259 after this time, initiate a new
262 bool_t setup_priority; /* Do we have precedence if both sites emit
263 message 1 simultaneously? */
266 /* runtime information */
268 uint64_t now; /* Most recently seen time */
269 bool_t allow_send_prod;
271 /* The currently established session */
272 struct data_key current;
273 struct data_key auxiliary_key;
274 bool_t auxiliary_is_new;
275 uint64_t renegotiate_key_time; /* When we can negotiate a new key */
276 uint64_t auxiliary_renegotiate_key_time;
277 transport_peers peers; /* Current address(es) of peer for data traffic */
279 /* The current key setup protocol exchange. We can only be
280 involved in one of these at a time. There's a potential for
281 denial of service here (the attacker keeps sending a setup
282 packet; we keep trying to continue the exchange, and have to
283 timeout before we can listen for another setup packet); perhaps
284 we should keep a list of 'bad' sources for setup packets. */
285 uint32_t remote_capabilities;
286 uint16_t remote_adv_mtu;
287 struct transform_if *chosen_transform;
288 uint32_t setup_session_id;
289 transport_peers setup_peers;
290 uint8_t localN[NONCELEN]; /* Nonces for key exchange */
291 uint8_t remoteN[NONCELEN];
292 struct buffer_if buffer; /* Current outgoing key exchange packet */
293 struct buffer_if scratch;
294 int32_t retries; /* Number of retries remaining */
295 uint64_t timeout; /* Timeout for current state */
297 uint8_t *sharedsecret;
298 uint32_t sharedsecretlen, sharedsecretallocd;
299 struct transform_inst_if *new_transform; /* For key setup/verify */
302 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
304 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
312 if (event&st->log_events) {
314 case LOG_UNEXPECTED: class=M_INFO; break;
315 case LOG_SETUP_INIT: class=M_INFO; break;
316 case LOG_SETUP_TIMEOUT: class=M_NOTICE; break;
317 case LOG_ACTIVATE_KEY: class=M_INFO; break;
318 case LOG_TIMEOUT_KEY: class=M_INFO; break;
319 case LOG_SEC: class=M_SECURITY; break;
320 case LOG_STATE: class=M_DEBUG; break;
321 case LOG_DROP: class=M_DEBUG; break;
322 case LOG_DUMP: class=M_DEBUG; break;
323 case LOG_ERROR: class=M_ERR; break;
324 case LOG_PEER_ADDRS: class=M_DEBUG; break;
325 default: class=M_ERR; break;
328 vsnprintf(buf,sizeof(buf),msg,ap);
329 slilog(st->log,class,"%s: %s",st->tunname,buf);
334 static void set_link_quality(struct site *st);
335 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel);
336 static void delete_one_key(struct site *st, struct data_key *key,
337 const char *reason /* may be 0 meaning don't log*/,
338 const char *which /* ignored if !reasonn */,
339 uint32_t loglevel /* ignored if !reasonn */);
340 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
341 const struct comm_addr *prod_hint);
342 static void enter_state_run(struct site *st);
343 static bool_t enter_state_resolve(struct site *st);
344 static bool_t enter_new_state(struct site *st,uint32_t next);
345 static void enter_state_wait(struct site *st);
346 static void activate_new_key(struct site *st);
348 static bool_t is_transform_valid(struct transform_inst_if *transform)
350 return transform && transform->valid(transform->st);
353 static bool_t current_valid(struct site *st)
355 return is_transform_valid(st->current.transform);
358 #define DEFINE_CALL_TRANSFORM(fwdrev) \
359 static int call_transform_##fwdrev(struct site *st, \
360 struct transform_inst_if *transform, \
361 struct buffer_if *buf, \
362 const char **errmsg) \
364 if (!is_transform_valid(transform)) { \
365 *errmsg="transform not set up"; \
368 return transform->fwdrev(transform->st,buf,errmsg); \
371 DEFINE_CALL_TRANSFORM(forwards)
372 DEFINE_CALL_TRANSFORM(reverse)
374 static void dispose_transform(struct transform_inst_if **transform_var)
376 struct transform_inst_if *transform=*transform_var;
378 transform->delkey(transform->st);
379 transform->destroy(transform->st);
384 #define CHECK_AVAIL(b,l) do { if ((b)->size<(l)) return False; } while(0)
385 #define CHECK_EMPTY(b) do { if ((b)->size!=0) return False; } while(0)
386 #define CHECK_TYPE(b,t) do { uint32_t type; \
387 CHECK_AVAIL((b),4); \
388 type=buf_unprepend_uint32((b)); \
389 if (type!=(t)) return False; } while(0)
391 static _Bool type_is_msg34(uint32_t type)
394 type == LABEL_MSG3 ||
395 type == LABEL_MSG3BIS ||
402 struct buffer_if extrainfo;
409 struct parsedname remote;
410 struct parsedname local;
411 uint32_t remote_capabilities;
413 int capab_transformnum;
423 static void set_new_transform(struct site *st, char *pk)
425 /* Make room for the shared key */
426 st->sharedsecretlen=st->chosen_transform->keylen?:st->dh->ceil_len;
427 assert(st->sharedsecretlen);
428 if (st->sharedsecretlen > st->sharedsecretallocd) {
429 st->sharedsecretallocd=st->sharedsecretlen;
430 st->sharedsecret=realloc(st->sharedsecret,st->sharedsecretallocd);
432 if (!st->sharedsecret) fatal_perror("site:sharedsecret");
434 /* Generate the shared key */
435 st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,pk,
436 st->sharedsecret,st->sharedsecretlen);
438 /* Set up the transform */
439 struct transform_if *generator=st->chosen_transform;
440 struct transform_inst_if *generated=generator->create(generator->st);
441 generated->setkey(generated->st,st->sharedsecret,
442 st->sharedsecretlen,st->setup_priority);
443 dispose_transform(&st->new_transform);
444 st->new_transform=generated;
446 slog(st,LOG_SETUP_INIT,"key exchange negotiated transform"
447 " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")",
448 st->chosen_transform->capab_transformnum,
449 st->local_capabilities, st->remote_capabilities);
453 int32_t lenpos, afternul;
455 static void append_string_xinfo_start(struct buffer_if *buf,
456 struct xinfoadd *xia,
458 /* Helps construct one of the names with additional info as found
459 * in MSG1..4. Call this function first, then append all the
460 * desired extra info (not including the nul byte) to the buffer,
461 * then call append_string_xinfo_done. */
463 xia->lenpos = buf->size;
464 buf_append_string(buf,str);
465 buf_append_uint8(buf,0);
466 xia->afternul = buf->size;
468 static void append_string_xinfo_done(struct buffer_if *buf,
469 struct xinfoadd *xia)
471 /* we just need to adjust the string length */
472 if (buf->size == xia->afternul) {
473 /* no extra info, strip the nul too */
474 buf_unappend_uint8(buf);
476 put_uint16(buf->start+xia->lenpos, buf->size-(xia->lenpos+2));
480 /* Build any of msg1 to msg4. msg5 and msg6 are built from the inside
481 out using a transform of config data supplied by netlink */
482 static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what)
488 st->retries=st->setup_retries;
489 BUF_ALLOC(&st->buffer,what);
490 buffer_init(&st->buffer,0);
491 buf_append_uint32(&st->buffer,
492 (type==LABEL_MSG1?0:st->setup_session_id));
493 buf_append_uint32(&st->buffer,st->index);
494 buf_append_uint32(&st->buffer,type);
497 append_string_xinfo_start(&st->buffer,&xia,st->localname);
498 if ((st->local_capabilities & CAPAB_EARLY) || (type != LABEL_MSG1)) {
499 buf_append_uint32(&st->buffer,st->local_capabilities);
501 if (type_is_msg34(type)) {
502 buf_append_uint16(&st->buffer,st->mtu_target);
504 append_string_xinfo_done(&st->buffer,&xia);
506 buf_append_string(&st->buffer,st->remotename);
507 memcpy(buf_append(&st->buffer,NONCELEN),st->localN,NONCELEN);
508 if (type==LABEL_MSG1) return True;
509 memcpy(buf_append(&st->buffer,NONCELEN),st->remoteN,NONCELEN);
510 if (type==LABEL_MSG2) return True;
512 if (hacky_par_mid_failnow()) return False;
514 if (type==LABEL_MSG3BIS)
515 buf_append_uint8(&st->buffer,st->chosen_transform->capab_transformnum);
517 dhpub=st->dh->makepublic(st->dh->st,st->dhsecret,st->dh->len);
518 buf_append_string(&st->buffer,dhpub);
520 hash=safe_malloc(st->hash->len, "generate_msg");
521 hst=st->hash->init();
522 st->hash->update(hst,st->buffer.start,st->buffer.size);
523 st->hash->final(hst,hash);
524 sig=st->privkey->sign(st->privkey->st,hash,st->hash->len);
525 buf_append_string(&st->buffer,sig);
531 static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm)
534 nm->len=buf_unprepend_uint16(msg);
535 CHECK_AVAIL(msg,nm->len);
536 nm->name=buf_unprepend(msg,nm->len);
537 uint8_t *nul=memchr(nm->name,0,nm->len);
539 buffer_readonly_view(&nm->extrainfo,0,0);
541 buffer_readonly_view(&nm->extrainfo, nul+1, msg->start-(nul+1));
542 nm->len=nul-nm->name;
547 static bool_t unpick_msg(struct site *st, uint32_t type,
548 struct buffer_if *msg, struct msg *m)
550 m->capab_transformnum=-1;
551 m->hashstart=msg->start;
553 m->dest=buf_unprepend_uint32(msg);
555 m->source=buf_unprepend_uint32(msg);
556 CHECK_TYPE(msg,type);
557 if (!unpick_name(msg,&m->remote)) return False;
558 m->remote_capabilities=0;
560 if (m->remote.extrainfo.size) {
561 CHECK_AVAIL(&m->remote.extrainfo,4);
562 m->remote_capabilities=buf_unprepend_uint32(&m->remote.extrainfo);
564 if (type_is_msg34(type) && m->remote.extrainfo.size) {
565 CHECK_AVAIL(&m->remote.extrainfo,2);
566 m->remote_mtu=buf_unprepend_uint16(&m->remote.extrainfo);
568 if (!unpick_name(msg,&m->local)) return False;
569 if (type==LABEL_PROD) {
573 CHECK_AVAIL(msg,NONCELEN);
574 m->nR=buf_unprepend(msg,NONCELEN);
575 if (type==LABEL_MSG1) {
579 CHECK_AVAIL(msg,NONCELEN);
580 m->nL=buf_unprepend(msg,NONCELEN);
581 if (type==LABEL_MSG2) {
585 if (type==LABEL_MSG3BIS) {
587 m->capab_transformnum = buf_unprepend_uint8(msg);
589 m->capab_transformnum = CAPAB_TRANSFORMNUM_ANCIENT;
592 m->pklen=buf_unprepend_uint16(msg);
593 CHECK_AVAIL(msg,m->pklen);
594 m->pk=buf_unprepend(msg,m->pklen);
595 m->hashlen=msg->start-m->hashstart;
597 m->siglen=buf_unprepend_uint16(msg);
598 CHECK_AVAIL(msg,m->siglen);
599 m->sig=buf_unprepend(msg,m->siglen);
604 static bool_t name_matches(const struct parsedname *nm, const char *expected)
606 int expected_len=strlen(expected);
608 nm->len == expected_len &&
609 !memcmp(nm->name, expected, expected_len);
612 static bool_t check_msg(struct site *st, uint32_t type, struct msg *m,
615 if (type==LABEL_MSG1) return True;
617 /* Check that the site names and our nonce have been sent
618 back correctly, and then store our peer's nonce. */
619 if (!name_matches(&m->remote,st->remotename)) {
620 *error="wrong remote site name";
623 if (!name_matches(&m->local,st->localname)) {
624 *error="wrong local site name";
627 if (memcmp(m->nL,st->localN,NONCELEN)!=0) {
628 *error="wrong locally-generated nonce";
631 if (type==LABEL_MSG2) return True;
632 if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) {
633 *error="wrong remotely-generated nonce";
636 /* MSG3 has complicated rules about capabilities, which are
637 * handled in process_msg3. */
638 if (type==LABEL_MSG3 || type==LABEL_MSG3BIS) return True;
639 if (m->remote_capabilities!=st->remote_capabilities) {
640 *error="remote capabilities changed";
643 if (type==LABEL_MSG4) return True;
644 *error="unknown message type";
648 static bool_t generate_msg1(struct site *st)
650 st->random->generate(st->random->st,NONCELEN,st->localN);
651 return generate_msg(st,LABEL_MSG1,"site:MSG1");
654 static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
655 const struct comm_addr *src, struct msg *m)
657 /* We've already determined we're in an appropriate state to
658 process an incoming MSG1, and that the MSG1 has correct values
661 transport_record_peer(st,&st->setup_peers,src,"msg1");
662 st->setup_session_id=m->source;
663 st->remote_capabilities=m->remote_capabilities;
664 memcpy(st->remoteN,m->nR,NONCELEN);
668 static bool_t generate_msg2(struct site *st)
670 st->random->generate(st->random->st,NONCELEN,st->localN);
671 return generate_msg(st,LABEL_MSG2,"site:MSG2");
674 static bool_t process_msg2(struct site *st, struct buffer_if *msg2,
675 const struct comm_addr *src)
680 if (!unpick_msg(st,LABEL_MSG2,msg2,&m)) return False;
681 if (!check_msg(st,LABEL_MSG2,&m,&err)) {
682 slog(st,LOG_SEC,"msg2: %s",err);
685 st->setup_session_id=m.source;
686 st->remote_capabilities=m.remote_capabilities;
688 /* Select the transform to use */
690 uint32_t remote_transforms = st->remote_capabilities & CAPAB_TRANSFORM_MASK;
691 if (!remote_transforms)
692 /* old secnets only had this one transform */
693 remote_transforms = 1UL << CAPAB_TRANSFORMNUM_ANCIENT;
695 struct transform_if *ti;
697 for (i=0; i<st->ntransforms; i++) {
698 ti=st->transforms[i];
699 if ((1UL << ti->capab_transformnum) & remote_transforms)
700 goto transform_found;
702 slog(st,LOG_ERROR,"no transforms in common"
703 " (us %#"PRIx32"; them: %#"PRIx32")",
704 st->local_capabilities & CAPAB_TRANSFORM_MASK,
708 st->chosen_transform=ti;
710 memcpy(st->remoteN,m.nR,NONCELEN);
714 static bool_t generate_msg3(struct site *st)
716 /* Now we have our nonce and their nonce. Think of a secret key,
717 and create message number 3. */
718 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
719 return generate_msg(st,
720 (st->remote_capabilities & CAPAB_TRANSFORM_MASK
721 ? LABEL_MSG3BIS : LABEL_MSG3),
725 static bool_t process_msg3_msg4(struct site *st, struct msg *m)
730 /* Check signature and store g^x mod m */
731 hash=safe_malloc(st->hash->len, "process_msg3_msg4");
732 hst=st->hash->init();
733 st->hash->update(hst,m->hashstart,m->hashlen);
734 st->hash->final(hst,hash);
735 /* Terminate signature with a '0' - cheating, but should be ok */
737 if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m->sig)) {
738 slog(st,LOG_SEC,"msg3/msg4 signature failed check!");
744 st->remote_adv_mtu=m->remote_mtu;
749 static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
750 const struct comm_addr *src, uint32_t msgtype)
755 assert(msgtype==LABEL_MSG3 || msgtype==LABEL_MSG3BIS);
757 if (!unpick_msg(st,msgtype,msg3,&m)) return False;
758 if (!check_msg(st,msgtype,&m,&err)) {
759 slog(st,LOG_SEC,"msg3: %s",err);
762 uint32_t capab_adv_late = m.remote_capabilities
763 & ~st->remote_capabilities & CAPAB_EARLY;
764 if (capab_adv_late) {
765 slog(st,LOG_SEC,"msg3 impermissibly adds early capability flag(s)"
766 " %#"PRIx32" (was %#"PRIx32", now %#"PRIx32")",
767 capab_adv_late, st->remote_capabilities, m.remote_capabilities);
770 st->remote_capabilities|=m.remote_capabilities;
772 struct transform_if *ti;
774 for (i=0; i<st->ntransforms; i++) {
775 ti=st->transforms[i];
776 if (ti->capab_transformnum == m.capab_transformnum)
777 goto transform_found;
779 slog(st,LOG_SEC,"peer chose unknown-to-us transform %d!",
780 m.capab_transformnum);
783 st->chosen_transform=ti;
785 if (!process_msg3_msg4(st,&m))
788 /* Terminate their DH public key with a '0' */
790 /* Invent our DH secret key */
791 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
793 /* Generate the shared key and set up the transform */
794 set_new_transform(st,m.pk);
799 static bool_t generate_msg4(struct site *st)
801 /* We have both nonces, their public key and our private key. Generate
802 our public key, sign it and send it to them. */
803 return generate_msg(st,LABEL_MSG4,"site:MSG4");
806 static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
807 const struct comm_addr *src)
812 if (!unpick_msg(st,LABEL_MSG4,msg4,&m)) return False;
813 if (!check_msg(st,LABEL_MSG4,&m,&err)) {
814 slog(st,LOG_SEC,"msg4: %s",err);
818 if (!process_msg3_msg4(st,&m))
821 /* Terminate their DH public key with a '0' */
824 /* Generate the shared key and set up the transform */
825 set_new_transform(st,m.pk);
836 static bool_t unpick_msg0(struct site *st, struct buffer_if *msg0,
840 m->dest=buf_unprepend_uint32(msg0);
842 m->source=buf_unprepend_uint32(msg0);
844 m->type=buf_unprepend_uint32(msg0);
846 /* Leaves transformed part of buffer untouched */
849 static bool_t generate_msg5(struct site *st)
851 cstring_t transform_err;
853 BUF_ALLOC(&st->buffer,"site:MSG5");
854 /* We are going to add four words to the message */
855 buffer_init(&st->buffer,calculate_max_start_pad());
856 /* Give the netlink code an opportunity to put its own stuff in the
857 message (configuration information, etc.) */
858 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
859 if (call_transform_forwards(st,st->new_transform,
860 &st->buffer,&transform_err))
862 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
863 buf_prepend_uint32(&st->buffer,st->index);
864 buf_prepend_uint32(&st->buffer,st->setup_session_id);
866 st->retries=st->setup_retries;
870 static bool_t process_msg5(struct site *st, struct buffer_if *msg5,
871 const struct comm_addr *src,
872 struct transform_inst_if *transform)
875 cstring_t transform_err;
877 if (!unpick_msg0(st,msg5,&m)) return False;
879 if (call_transform_reverse(st,transform,msg5,&transform_err)) {
880 /* There's a problem */
881 slog(st,LOG_SEC,"process_msg5: transform: %s",transform_err);
884 /* Buffer should now contain untransformed PING packet data */
886 if (buf_unprepend_uint32(msg5)!=LABEL_MSG5) {
887 slog(st,LOG_SEC,"MSG5/PING packet contained wrong label");
890 /* Older versions of secnet used to write some config data here
891 * which we ignore. So we don't CHECK_EMPTY */
895 static void create_msg6(struct site *st, struct transform_inst_if *transform,
898 cstring_t transform_err;
900 BUF_ALLOC(&st->buffer,"site:MSG6");
901 /* We are going to add four words to the message */
902 buffer_init(&st->buffer,calculate_max_start_pad());
903 /* Give the netlink code an opportunity to put its own stuff in the
904 message (configuration information, etc.) */
905 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
906 int problem = call_transform_forwards(st,transform,
907 &st->buffer,&transform_err);
909 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
910 buf_prepend_uint32(&st->buffer,st->index);
911 buf_prepend_uint32(&st->buffer,session_id);
914 static bool_t generate_msg6(struct site *st)
916 if (!is_transform_valid(st->new_transform))
918 create_msg6(st,st->new_transform,st->setup_session_id);
919 st->retries=1; /* Peer will retransmit MSG5 if this packet gets lost */
923 static bool_t process_msg6(struct site *st, struct buffer_if *msg6,
924 const struct comm_addr *src)
927 cstring_t transform_err;
929 if (!unpick_msg0(st,msg6,&m)) return False;
931 if (call_transform_reverse(st,st->new_transform,msg6,&transform_err)) {
932 /* There's a problem */
933 slog(st,LOG_SEC,"process_msg6: transform: %s",transform_err);
936 /* Buffer should now contain untransformed PING packet data */
938 if (buf_unprepend_uint32(msg6)!=LABEL_MSG6) {
939 slog(st,LOG_SEC,"MSG6/PONG packet contained invalid data");
942 /* Older versions of secnet used to write some config data here
943 * which we ignore. So we don't CHECK_EMPTY */
947 static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0,
948 const struct comm_addr *src)
950 cstring_t transform_err, auxkey_err, newkey_err="n/a";
954 if (!unpick_msg0(st,msg0,&m)) return False;
956 /* Keep a copy so we can try decrypting it with multiple keys */
957 buffer_copy(&st->scratch, msg0);
959 problem = call_transform_reverse(st,st->current.transform,
960 msg0,&transform_err);
962 if (!st->auxiliary_is_new)
963 delete_one_key(st,&st->auxiliary_key,
964 "peer has used new key","auxiliary key",LOG_SEC);
970 buffer_copy(msg0, &st->scratch);
971 problem = call_transform_reverse(st,st->auxiliary_key.transform,
974 slog(st,LOG_DROP,"processing packet which uses auxiliary key");
975 if (st->auxiliary_is_new) {
976 /* We previously timed out in state SENTMSG5 but it turns
977 * out that our peer did in fact get our MSG5 and is
978 * using the new key. So we should switch to it too. */
979 /* This is a bit like activate_new_key. */
982 st->current=st->auxiliary_key;
985 delete_one_key(st,&st->auxiliary_key,"peer has used new key",
986 "previous key",LOG_SEC);
987 st->auxiliary_is_new=0;
988 st->renegotiate_key_time=st->auxiliary_renegotiate_key_time;
995 if (st->state==SITE_SENTMSG5) {
996 buffer_copy(msg0, &st->scratch);
997 problem = call_transform_reverse(st,st->new_transform,
1000 /* It looks like we didn't get the peer's MSG6 */
1001 /* This is like a cut-down enter_new_state(SITE_RUN) */
1002 slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)");
1003 BUF_FREE(&st->buffer);
1005 activate_new_key(st);
1006 return True; /* do process the data in this packet */
1012 slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)",
1013 transform_err,auxkey_err,newkey_err);
1014 initiate_key_setup(st,"incoming message would not decrypt",0);
1015 send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt");
1019 slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err);
1023 static bool_t process_msg0(struct site *st, struct buffer_if *msg0,
1024 const struct comm_addr *src)
1028 if (!decrypt_msg0(st,msg0,src))
1031 CHECK_AVAIL(msg0,4);
1032 type=buf_unprepend_uint32(msg0);
1035 /* We must forget about the current session. */
1036 delete_keys(st,"request from peer",LOG_SEC);
1039 /* Deliver to netlink layer */
1040 st->netlink->deliver(st->netlink->st,msg0);
1041 transport_data_msgok(st,src);
1042 /* See whether we should start negotiating a new key */
1043 if (st->now > st->renegotiate_key_time)
1044 initiate_key_setup(st,"incoming packet in renegotiation window",0);
1047 slog(st,LOG_SEC,"incoming encrypted message of type %08x "
1054 static void dump_packet(struct site *st, struct buffer_if *buf,
1055 const struct comm_addr *addr, bool_t incoming)
1057 uint32_t dest=get_uint32(buf->start);
1058 uint32_t source=get_uint32(buf->start+4);
1059 uint32_t msgtype=get_uint32(buf->start+8);
1061 if (st->log_events & LOG_DUMP)
1062 slilog(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x:",
1063 st->tunname,incoming?"incoming":"outgoing",
1064 dest,source,msgtype);
1067 static uint32_t site_status(void *st)
1072 static bool_t send_msg(struct site *st)
1074 if (st->retries>0) {
1075 transport_xmit(st, &st->setup_peers, &st->buffer, True);
1076 st->timeout=st->now+st->setup_retry_interval;
1079 } else if (st->state==SITE_SENTMSG5) {
1080 slog(st,LOG_SETUP_TIMEOUT,"timed out sending MSG5, stashing new key");
1081 /* We stash the key we have produced, in case it turns out that
1082 * our peer did see our MSG5 after all and starts using it. */
1083 /* This is a bit like some of activate_new_key */
1084 struct transform_inst_if *t;
1085 t=st->auxiliary_key.transform;
1086 st->auxiliary_key.transform=st->new_transform;
1087 st->new_transform=t;
1088 dispose_transform(&st->new_transform);
1090 st->auxiliary_is_new=1;
1091 st->auxiliary_key.key_timeout=st->now+st->key_lifetime;
1092 st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time;
1093 st->auxiliary_key.remote_session_id=st->setup_session_id;
1095 enter_state_wait(st);
1098 slog(st,LOG_SETUP_TIMEOUT,"timed out sending key setup packet "
1099 "(in state %s)",state_name(st->state));
1100 enter_state_wait(st);
1105 static void site_resolve_callback(void *sst, struct in_addr *address)
1107 struct site *st=sst;
1108 struct comm_addr ca_buf, *ca_use;
1110 if (st->state!=SITE_RESOLVE) {
1111 slog(st,LOG_UNEXPECTED,"site_resolve_callback called unexpectedly");
1116 ca_buf.comm=st->comms[0];
1117 ca_buf.sin.sin_family=AF_INET;
1118 ca_buf.sin.sin_port=htons(st->remoteport);
1119 ca_buf.sin.sin_addr=*address;
1122 slog(st,LOG_ERROR,"resolution of %s failed",st->address);
1125 if (transport_compute_setupinit_peers(st,ca_use,0)) {
1126 enter_new_state(st,SITE_SENTMSG1);
1128 /* Can't figure out who to try to to talk to */
1129 slog(st,LOG_SETUP_INIT,"key exchange failed: cannot find peer address");
1130 enter_state_run(st);
1134 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
1135 const struct comm_addr *prod_hint)
1137 if (st->state!=SITE_RUN) return False;
1138 slog(st,LOG_SETUP_INIT,"initiating key exchange (%s)",reason);
1140 slog(st,LOG_SETUP_INIT,"resolving peer address");
1141 return enter_state_resolve(st);
1142 } else if (transport_compute_setupinit_peers(st,0,prod_hint)) {
1143 return enter_new_state(st,SITE_SENTMSG1);
1145 slog(st,LOG_SETUP_INIT,"key exchange failed: no address for peer");
1149 static void activate_new_key(struct site *st)
1151 struct transform_inst_if *t;
1153 /* We have three transform instances, which we swap between old,
1155 t=st->auxiliary_key.transform;
1156 st->auxiliary_key.transform=st->current.transform;
1157 st->current.transform=st->new_transform;
1158 st->new_transform=t;
1159 dispose_transform(&st->new_transform);
1162 st->auxiliary_is_new=0;
1163 st->auxiliary_key.key_timeout=st->current.key_timeout;
1164 st->current.key_timeout=st->now+st->key_lifetime;
1165 st->renegotiate_key_time=st->now+st->key_renegotiate_time;
1166 transport_peers_copy(st,&st->peers,&st->setup_peers);
1167 st->current.remote_session_id=st->setup_session_id;
1169 /* Compute the inter-site MTU. This is min( our_mtu, their_mtu ).
1170 * But their mtu be unspecified, in which case we just use ours. */
1171 uint32_t intersite_mtu=
1172 MIN(st->mtu_target, st->remote_adv_mtu ?: ~(uint32_t)0);
1173 st->netlink->set_mtu(st->netlink->st,intersite_mtu);
1175 slog(st,LOG_ACTIVATE_KEY,"new key activated"
1176 " (mtu ours=%"PRId32" theirs=%"PRId32" intersite=%"PRId32")",
1177 st->mtu_target, st->remote_adv_mtu, intersite_mtu);
1178 enter_state_run(st);
1181 static void delete_one_key(struct site *st, struct data_key *key,
1182 cstring_t reason, cstring_t which, uint32_t loglevel)
1184 if (!is_transform_valid(key->transform)) return;
1185 if (reason) slog(st,loglevel,"%s deleted (%s)",which,reason);
1186 dispose_transform(&key->transform);
1190 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel)
1192 if (current_valid(st)) {
1193 slog(st,loglevel,"session closed (%s)",reason);
1195 delete_one_key(st,&st->current,0,0,0);
1196 set_link_quality(st);
1198 delete_one_key(st,&st->auxiliary_key,0,0,0);
1201 static void state_assert(struct site *st, bool_t ok)
1203 if (!ok) fatal("site:state_assert");
1206 static void enter_state_stop(struct site *st)
1208 st->state=SITE_STOP;
1210 delete_keys(st,"entering state STOP",LOG_TIMEOUT_KEY);
1211 dispose_transform(&st->new_transform);
1214 static void set_link_quality(struct site *st)
1217 if (current_valid(st))
1218 quality=LINK_QUALITY_UP;
1219 else if (st->state==SITE_WAIT || st->state==SITE_STOP)
1220 quality=LINK_QUALITY_DOWN;
1221 else if (st->address)
1222 quality=LINK_QUALITY_DOWN_CURRENT_ADDRESS;
1223 else if (transport_peers_valid(&st->peers))
1224 quality=LINK_QUALITY_DOWN_STALE_ADDRESS;
1226 quality=LINK_QUALITY_DOWN;
1228 st->netlink->set_quality(st->netlink->st,quality);
1231 static void enter_state_run(struct site *st)
1233 slog(st,LOG_STATE,"entering state RUN");
1237 st->setup_session_id=0;
1238 transport_peers_clear(st,&st->setup_peers);
1239 memset(st->localN,0,NONCELEN);
1240 memset(st->remoteN,0,NONCELEN);
1241 dispose_transform(&st->new_transform);
1242 memset(st->dhsecret,0,st->dh->len);
1243 memset(st->sharedsecret,0,st->sharedsecretlen);
1244 set_link_quality(st);
1247 static bool_t enter_state_resolve(struct site *st)
1249 state_assert(st,st->state==SITE_RUN);
1250 slog(st,LOG_STATE,"entering state RESOLVE");
1251 st->state=SITE_RESOLVE;
1252 st->resolver->request(st->resolver->st,st->address,
1253 site_resolve_callback,st);
1257 static bool_t enter_new_state(struct site *st, uint32_t next)
1259 bool_t (*gen)(struct site *st);
1262 slog(st,LOG_STATE,"entering state %s",state_name(next));
1265 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE);
1269 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1270 st->state==SITE_SENTMSG1 || st->state==SITE_WAIT);
1274 state_assert(st,st->state==SITE_SENTMSG1);
1275 BUF_FREE(&st->buffer);
1279 state_assert(st,st->state==SITE_SENTMSG2);
1280 BUF_FREE(&st->buffer);
1284 state_assert(st,st->state==SITE_SENTMSG3);
1285 BUF_FREE(&st->buffer);
1289 state_assert(st,st->state==SITE_SENTMSG4);
1290 BUF_FREE(&st->buffer);
1295 fatal("enter_new_state(%s): invalid new state",state_name(next));
1299 if (hacky_par_start_failnow()) return False;
1301 r= gen(st) && send_msg(st);
1304 st->setup_retries, st->setup_retry_interval,
1309 if (next==SITE_RUN) {
1310 BUF_FREE(&st->buffer); /* Never reused */
1311 st->timeout=0; /* Never retransmit */
1312 activate_new_key(st);
1316 slog(st,LOG_ERROR,"error entering state %s",state_name(next));
1317 st->buffer.free=False; /* Unconditionally use the buffer; it may be
1318 in either state, and enter_state_wait() will
1320 enter_state_wait(st);
1324 /* msg7 tells our peer that we're about to forget our key */
1325 static bool_t send_msg7(struct site *st, cstring_t reason)
1327 cstring_t transform_err;
1329 if (current_valid(st) && st->buffer.free
1330 && transport_peers_valid(&st->peers)) {
1331 BUF_ALLOC(&st->buffer,"site:MSG7");
1332 buffer_init(&st->buffer,calculate_max_start_pad());
1333 buf_append_uint32(&st->buffer,LABEL_MSG7);
1334 buf_append_string(&st->buffer,reason);
1335 if (call_transform_forwards(st, st->current.transform,
1336 &st->buffer, &transform_err))
1338 buf_prepend_uint32(&st->buffer,LABEL_MSG0);
1339 buf_prepend_uint32(&st->buffer,st->index);
1340 buf_prepend_uint32(&st->buffer,st->current.remote_session_id);
1341 transport_xmit(st,&st->peers,&st->buffer,True);
1342 BUF_FREE(&st->buffer);
1349 /* We go into this state if our peer becomes uncommunicative. Similar to
1350 the "stop" state, we forget all session keys for a while, before
1351 re-entering the "run" state. */
1352 static void enter_state_wait(struct site *st)
1354 slog(st,LOG_STATE,"entering state WAIT");
1355 st->timeout=st->now+st->wait_timeout;
1356 st->state=SITE_WAIT;
1357 set_link_quality(st);
1358 BUF_FREE(&st->buffer); /* will have had an outgoing packet in it */
1359 /* XXX Erase keys etc. */
1362 static void generate_prod(struct site *st, struct buffer_if *buf)
1365 buf_append_uint32(buf,0);
1366 buf_append_uint32(buf,0);
1367 buf_append_uint32(buf,LABEL_PROD);
1368 buf_append_string(buf,st->localname);
1369 buf_append_string(buf,st->remotename);
1372 static void generate_send_prod(struct site *st,
1373 const struct comm_addr *source)
1375 if (!st->allow_send_prod) return; /* too soon */
1376 if (!(st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1377 st->state==SITE_WAIT)) return; /* we'd ignore peer's MSG1 */
1379 slog(st,LOG_SETUP_INIT,"prodding peer for key exchange");
1380 st->allow_send_prod=0;
1381 generate_prod(st,&st->scratch);
1382 dump_packet(st,&st->scratch,source,False);
1383 source->comm->sendmsg(source->comm->st, &st->scratch, source);
1386 static inline void site_settimeout(uint64_t timeout, int *timeout_io)
1389 int64_t offset=timeout-*now;
1390 if (offset<0) offset=0;
1391 if (offset>INT_MAX) offset=INT_MAX;
1392 if (*timeout_io<0 || offset<*timeout_io)
1397 static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io,
1400 struct site *st=sst;
1402 *nfds_io=0; /* We don't use any file descriptors */
1405 /* Work out when our next timeout is. The earlier of 'timeout' or
1406 'current.key_timeout'. A stored value of '0' indicates no timeout
1408 site_settimeout(st->timeout, timeout_io);
1409 site_settimeout(st->current.key_timeout, timeout_io);
1410 site_settimeout(st->auxiliary_key.key_timeout, timeout_io);
1412 return 0; /* success */
1415 static void check_expiry(struct site *st, struct data_key *key,
1418 if (key->key_timeout && *now>key->key_timeout) {
1419 delete_one_key(st,key,"maximum life exceeded",which,LOG_TIMEOUT_KEY);
1423 /* NB site_afterpoll will be called before site_beforepoll is ever called */
1424 static void site_afterpoll(void *sst, struct pollfd *fds, int nfds)
1426 struct site *st=sst;
1429 if (st->timeout && *now>st->timeout) {
1431 if (st->state>=SITE_SENTMSG1 && st->state<=SITE_SENTMSG5) {
1432 if (!hacky_par_start_failnow())
1434 } else if (st->state==SITE_WAIT) {
1435 enter_state_run(st);
1437 slog(st,LOG_ERROR,"site_afterpoll: unexpected timeout, state=%d",
1441 check_expiry(st,&st->current,"current key");
1442 check_expiry(st,&st->auxiliary_key,"auxiliary key");
1445 /* This function is called by the netlink device to deliver packets
1446 intended for the remote network. The packet is in "raw" wire
1447 format, but is guaranteed to be word-aligned. */
1448 static void site_outgoing(void *sst, struct buffer_if *buf)
1450 struct site *st=sst;
1451 cstring_t transform_err;
1453 if (st->state==SITE_STOP) {
1458 st->allow_send_prod=1;
1460 /* In all other states we consider delivering the packet if we have
1461 a valid key and a valid address to send it to. */
1462 if (current_valid(st) && transport_peers_valid(&st->peers)) {
1463 /* Transform it and send it */
1465 buf_prepend_uint32(buf,LABEL_MSG9);
1466 if (call_transform_forwards(st, st->current.transform,
1467 buf, &transform_err))
1469 buf_prepend_uint32(buf,LABEL_MSG0);
1470 buf_prepend_uint32(buf,st->index);
1471 buf_prepend_uint32(buf,st->current.remote_session_id);
1472 transport_xmit(st,&st->peers,buf,False);
1479 slog(st,LOG_DROP,"discarding outgoing packet of size %d",buf->size);
1481 initiate_key_setup(st,"outgoing packet",0);
1484 static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in,
1485 uint32_t type, struct msg *m)
1486 /* For packets which are identified by the local and remote names.
1487 * If it has our name and our peer's name in it it's for us. */
1489 struct buffer_if buf[1];
1490 buffer_readonly_clone(buf,buf_in);
1491 return unpick_msg(st,type,buf,m)
1492 && name_matches(&m->remote,st->remotename)
1493 && name_matches(&m->local,st->localname);
1496 /* This function is called by the communication device to deliver
1497 packets from our peers.
1498 It should return True if the packet is recognised as being for
1499 this current site instance (and should therefore not be processed
1500 by other sites), even if the packet was otherwise ignored. */
1501 static bool_t site_incoming(void *sst, struct buffer_if *buf,
1502 const struct comm_addr *source)
1504 struct site *st=sst;
1506 if (buf->size < 12) return False;
1508 uint32_t dest=get_uint32(buf->start);
1509 uint32_t msgtype=get_uint32(buf->start+8);
1510 struct msg named_msg;
1512 if (msgtype==LABEL_MSG1) {
1513 if (!named_for_us(st,buf,msgtype,&named_msg))
1515 /* It's a MSG1 addressed to us. Decide what to do about it. */
1516 dump_packet(st,buf,source,True);
1517 if (st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1518 st->state==SITE_WAIT) {
1519 /* We should definitely process it */
1520 if (process_msg1(st,buf,source,&named_msg)) {
1521 slog(st,LOG_SETUP_INIT,"key setup initiated by peer");
1522 enter_new_state(st,SITE_SENTMSG2);
1524 slog(st,LOG_ERROR,"failed to process incoming msg1");
1528 } else if (st->state==SITE_SENTMSG1) {
1529 /* We've just sent a message 1! They may have crossed on
1530 the wire. If we have priority then we ignore the
1531 incoming one, otherwise we process it as usual. */
1532 if (st->setup_priority) {
1534 slog(st,LOG_DUMP,"crossed msg1s; we are higher "
1535 "priority => ignore incoming msg1");
1538 slog(st,LOG_DUMP,"crossed msg1s; we are lower "
1539 "priority => use incoming msg1");
1540 if (process_msg1(st,buf,source,&named_msg)) {
1541 BUF_FREE(&st->buffer); /* Free our old message 1 */
1542 enter_new_state(st,SITE_SENTMSG2);
1544 slog(st,LOG_ERROR,"failed to process an incoming "
1545 "crossed msg1 (we have low priority)");
1551 /* The message 1 was received at an unexpected stage of the
1552 key setup. XXX POLICY - what do we do? */
1553 slog(st,LOG_UNEXPECTED,"unexpected incoming message 1");
1557 if (msgtype==LABEL_PROD) {
1558 if (!named_for_us(st,buf,msgtype,&named_msg))
1560 dump_packet(st,buf,source,True);
1561 if (st->state!=SITE_RUN) {
1562 slog(st,LOG_DROP,"ignoring PROD when not in state RUN");
1563 } else if (current_valid(st)) {
1564 slog(st,LOG_DROP,"ignoring PROD when we think we have a key");
1566 initiate_key_setup(st,"peer sent PROD packet",source);
1571 if (dest==st->index) {
1572 /* Explicitly addressed to us */
1573 if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True);
1576 /* If the source is our current peer then initiate a key setup,
1577 because our peer's forgotten the key */
1578 if (get_uint32(buf->start+4)==st->current.remote_session_id) {
1580 initiated = initiate_key_setup(st,"received a NAK",0);
1581 if (!initiated) generate_send_prod(st,source);
1583 slog(st,LOG_SEC,"bad incoming NAK");
1587 process_msg0(st,buf,source);
1590 /* Setup packet: should not have been explicitly addressed
1592 slog(st,LOG_SEC,"incoming explicitly addressed msg1");
1595 /* Setup packet: expected only in state SENTMSG1 */
1596 if (st->state!=SITE_SENTMSG1) {
1597 slog(st,LOG_UNEXPECTED,"unexpected MSG2");
1598 } else if (process_msg2(st,buf,source)) {
1599 transport_setup_msgok(st,source);
1600 enter_new_state(st,SITE_SENTMSG3);
1602 slog(st,LOG_SEC,"invalid MSG2");
1607 /* Setup packet: expected only in state SENTMSG2 */
1608 if (st->state!=SITE_SENTMSG2) {
1609 slog(st,LOG_UNEXPECTED,"unexpected MSG3");
1610 } else if (process_msg3(st,buf,source,msgtype)) {
1611 transport_setup_msgok(st,source);
1612 enter_new_state(st,SITE_SENTMSG4);
1614 slog(st,LOG_SEC,"invalid MSG3");
1618 /* Setup packet: expected only in state SENTMSG3 */
1619 if (st->state!=SITE_SENTMSG3) {
1620 slog(st,LOG_UNEXPECTED,"unexpected MSG4");
1621 } else if (process_msg4(st,buf,source)) {
1622 transport_setup_msgok(st,source);
1623 enter_new_state(st,SITE_SENTMSG5);
1625 slog(st,LOG_SEC,"invalid MSG4");
1629 /* Setup packet: expected only in state SENTMSG4 */
1630 /* (may turn up in state RUN if our return MSG6 was lost
1631 and the new key has already been activated. In that
1632 case we discard it. The peer will realise that we
1633 are using the new key when they see our data packets.
1634 Until then the peer's data packets to us get discarded. */
1635 if (st->state==SITE_SENTMSG4) {
1636 if (process_msg5(st,buf,source,st->new_transform)) {
1637 transport_setup_msgok(st,source);
1638 enter_new_state(st,SITE_RUN);
1640 slog(st,LOG_SEC,"invalid MSG5");
1642 } else if (st->state==SITE_RUN) {
1643 if (process_msg5(st,buf,source,st->current.transform)) {
1644 slog(st,LOG_DROP,"got MSG5, retransmitting MSG6");
1645 transport_setup_msgok(st,source);
1646 create_msg6(st,st->current.transform,
1647 st->current.remote_session_id);
1648 transport_xmit(st,&st->peers,&st->buffer,True);
1649 BUF_FREE(&st->buffer);
1651 slog(st,LOG_SEC,"invalid MSG5 (in state RUN)");
1654 slog(st,LOG_UNEXPECTED,"unexpected MSG5");
1658 /* Setup packet: expected only in state SENTMSG5 */
1659 if (st->state!=SITE_SENTMSG5) {
1660 slog(st,LOG_UNEXPECTED,"unexpected MSG6");
1661 } else if (process_msg6(st,buf,source)) {
1662 BUF_FREE(&st->buffer); /* Free message 5 */
1663 transport_setup_msgok(st,source);
1664 activate_new_key(st);
1666 slog(st,LOG_SEC,"invalid MSG6");
1670 slog(st,LOG_SEC,"received message of unknown type 0x%08x",
1681 static void site_control(void *vst, bool_t run)
1683 struct site *st=vst;
1684 if (run) enter_state_run(st);
1685 else enter_state_stop(st);
1688 static void site_phase_hook(void *sst, uint32_t newphase)
1690 struct site *st=sst;
1692 /* The program is shutting down; tell our peer */
1693 send_msg7(st,"shutting down");
1696 static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
1699 static uint32_t index_sequence;
1705 st=safe_malloc(sizeof(*st),"site_apply");
1707 st->cl.description="site";
1708 st->cl.type=CL_SITE;
1710 st->cl.interface=&st->ops;
1712 st->ops.control=site_control;
1713 st->ops.status=site_status;
1715 /* First parameter must be a dict */
1716 item=list_elem(args,0);
1717 if (!item || item->type!=t_dict)
1718 cfgfatal(loc,"site","parameter must be a dictionary\n");
1720 dict=item->data.dict;
1721 st->localname=dict_read_string(dict, "local-name", True, "site", loc);
1722 st->remotename=dict_read_string(dict, "name", True, "site", loc);
1724 st->peer_mobile=dict_read_bool(dict,"mobile",False,"site",loc,False);
1725 bool_t local_mobile=
1726 dict_read_bool(dict,"local-mobile",False,"site",loc,False);
1728 /* Sanity check (which also allows the 'sites' file to include
1729 site() closures for all sites including our own): refuse to
1730 talk to ourselves */
1731 if (strcmp(st->localname,st->remotename)==0) {
1732 Message(M_DEBUG,"site %s: local-name==name -> ignoring this site\n",
1734 if (st->peer_mobile != local_mobile)
1735 cfgfatal(loc,"site","site %s's peer-mobile=%d"
1736 " but our local-mobile=%d\n",
1737 st->localname, st->peer_mobile, local_mobile);
1741 if (st->peer_mobile && local_mobile) {
1742 Message(M_WARNING,"site %s: site is mobile but so are we"
1743 " -> ignoring this site\n", st->remotename);
1748 assert(index_sequence < 0xffffffffUL);
1749 st->index = ++index_sequence;
1750 st->local_capabilities = 0;
1751 st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc);
1753 #define GET_CLOSURE_LIST(dictkey,things,nthings,CL_TYPE) do{ \
1754 list_t *things##_cfg=dict_lookup(dict,dictkey); \
1755 if (!things##_cfg) \
1756 cfgfatal(loc,"site","closure list \"%s\" not found\n",dictkey); \
1757 st->nthings=list_length(things##_cfg); \
1758 st->things=safe_malloc_ary(sizeof(*st->things),st->nthings,dictkey "s"); \
1759 assert(st->nthings); \
1760 for (i=0; i<st->nthings; i++) { \
1761 item_t *item=list_elem(things##_cfg,i); \
1762 if (item->type!=t_closure) \
1763 cfgfatal(loc,"site","%s is not a closure\n",dictkey); \
1764 closure_t *cl=item->data.closure; \
1765 if (cl->type!=CL_TYPE) \
1766 cfgfatal(loc,"site","%s closure wrong type\n",dictkey); \
1767 st->things[i]=cl->interface; \
1771 GET_CLOSURE_LIST("comm",comms,ncomms,CL_COMM);
1773 st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc);
1774 st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc);
1775 st->random=find_cl_if(dict,"random",CL_RANDOMSRC,True,"site",loc);
1777 st->privkey=find_cl_if(dict,"local-key",CL_RSAPRIVKEY,True,"site",loc);
1778 st->address=dict_read_string(dict, "address", False, "site", loc);
1780 st->remoteport=dict_read_number(dict,"port",True,"site",loc,0);
1781 else st->remoteport=0;
1782 st->pubkey=find_cl_if(dict,"key",CL_RSAPUBKEY,True,"site",loc);
1784 GET_CLOSURE_LIST("transform",transforms,ntransforms,CL_TRANSFORM);
1786 st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
1787 st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
1789 #define DEFAULT(D) (st->peer_mobile || local_mobile \
1790 ? DEFAULT_MOBILE_##D : DEFAULT_##D)
1791 #define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
1793 st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
1794 st->setup_retries= CFG_NUMBER("setup-retries", SETUP_RETRIES);
1795 st->setup_retry_interval= CFG_NUMBER("setup-timeout", SETUP_RETRY_INTERVAL);
1796 st->wait_timeout= CFG_NUMBER("wait-time", WAIT_TIME);
1797 st->mtu_target= dict_read_number(dict,"mtu-target",False,"site",loc,0);
1799 st->mobile_peer_expiry= dict_read_number(
1800 dict,"mobile-peer-expiry",False,"site",loc,DEFAULT_MOBILE_PEER_EXPIRY);
1802 st->transport_peers_max= !st->peer_mobile ? 1 : dict_read_number(
1803 dict,"mobile-peers-max",False,"site",loc,DEFAULT_MOBILE_PEERS_MAX);
1804 if (st->transport_peers_max<1 ||
1805 st->transport_peers_max>=MAX_MOBILE_PEERS_MAX) {
1806 cfgfatal(loc,"site","mobile-peers-max must be in range 1.."
1807 STRING(MAX_MOBILE_PEERS_MAX) "\n");
1810 if (st->key_lifetime < DEFAULT(KEY_RENEGOTIATE_GAP)*2)
1811 st->key_renegotiate_time=st->key_lifetime/2;
1813 st->key_renegotiate_time=st->key_lifetime-DEFAULT(KEY_RENEGOTIATE_GAP);
1814 st->key_renegotiate_time=dict_read_number(
1815 dict,"renegotiate-time",False,"site",loc,st->key_renegotiate_time);
1816 if (st->key_renegotiate_time > st->key_lifetime) {
1817 cfgfatal(loc,"site",
1818 "renegotiate-time must be less than key-lifetime\n");
1821 st->log_events=string_list_to_word(dict_lookup(dict,"log-events"),
1822 log_event_table,"site");
1824 st->allow_send_prod=0;
1826 st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5,
1828 sprintf(st->tunname,"%s<->%s",st->localname,st->remotename);
1830 /* The information we expect to see in incoming messages of type 1 */
1831 /* fixme: lots of unchecked overflows here, but the results are only
1832 corrupted packets rather than undefined behaviour */
1833 st->setup_priority=(strcmp(st->localname,st->remotename)>0);
1835 buffer_new(&st->buffer,SETUP_BUFFER_LEN);
1837 buffer_new(&st->scratch,SETUP_BUFFER_LEN);
1838 BUF_ALLOC(&st->scratch,"site:scratch");
1840 /* We are interested in poll(), but only for timeouts. We don't have
1841 any fds of our own. */
1842 register_for_poll(st, site_beforepoll, site_afterpoll, 0, "site");
1845 st->remote_capabilities=0;
1846 st->chosen_transform=0;
1847 st->current.key_timeout=0;
1848 st->auxiliary_key.key_timeout=0;
1849 transport_peers_clear(st,&st->peers);
1850 transport_peers_clear(st,&st->setup_peers);
1851 /* XXX mlock these */
1852 st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret");
1853 st->sharedsecretlen=st->sharedsecretallocd=0;
1856 for (i=0; i<st->ntransforms; i++) {
1857 struct transform_if *ti=st->transforms[i];
1858 uint32_t capbit = 1UL << ti->capab_transformnum;
1859 if (st->local_capabilities & capbit)
1860 slog(st,LOG_ERROR,"transformnum capability bit"
1861 " %d (%#"PRIx32") reused", ti->capab_transformnum, capbit);
1862 st->local_capabilities |= capbit;
1865 /* We need to register the remote networks with the netlink device */
1866 uint32_t netlink_mtu; /* local virtual interface mtu */
1867 st->netlink->reg(st->netlink->st, site_outgoing, st, &netlink_mtu);
1868 if (!st->mtu_target)
1869 st->mtu_target=netlink_mtu;
1871 for (i=0; i<st->ncomms; i++)
1872 st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming);
1874 st->current.transform=0;
1875 st->auxiliary_key.transform=0;
1876 st->new_transform=0;
1877 st->auxiliary_is_new=0;
1879 enter_state_stop(st);
1881 add_hook(PHASE_SHUTDOWN,site_phase_hook,st);
1883 return new_closure(&st->cl);
1886 void site_module(dict_t *dict)
1888 add_closure(dict,"site",site_apply);
1892 /***** TRANSPORT PEERS definitions *****/
1894 static void transport_peers_debug(struct site *st, transport_peers *dst,
1895 const char *didwhat,
1896 int nargs, const struct comm_addr *args,
1901 if (!(st->log_events & LOG_PEER_ADDRS))
1902 return; /* an optimisation */
1904 slog(st, LOG_PEER_ADDRS, "peers (%s) %s nargs=%d => npeers=%d",
1905 (dst==&st->peers ? "data" :
1906 dst==&st->setup_peers ? "setup" : "UNKNOWN"),
1907 didwhat, nargs, dst->npeers);
1909 for (i=0, argp=(void*)args;
1911 i++, (argp+=stride?stride:sizeof(*args))) {
1912 const struct comm_addr *ca=(void*)argp;
1913 slog(st, LOG_PEER_ADDRS, " args: addrs[%d]=%s",
1914 i, ca->comm->addr_to_string(ca->comm->st,ca));
1916 for (i=0; i<dst->npeers; i++) {
1917 struct timeval diff;
1918 timersub(tv_now,&dst->peers[i].last,&diff);
1919 const struct comm_addr *ca=&dst->peers[i].addr;
1920 slog(st, LOG_PEER_ADDRS, " peers: addrs[%d]=%s T-%ld.%06ld",
1921 i, ca->comm->addr_to_string(ca->comm->st,ca),
1922 (unsigned long)diff.tv_sec, (unsigned long)diff.tv_usec);
1926 static int transport_peer_compar(const void *av, const void *bv) {
1927 const transport_peer *a=av;
1928 const transport_peer *b=bv;
1929 /* put most recent first in the array */
1930 if (timercmp(&a->last, &b->last, <)) return +1;
1931 if (timercmp(&a->last, &b->last, >)) return -11;
1935 static void transport_peers_expire(struct site *st, transport_peers *peers) {
1936 /* peers must be sorted first */
1937 int previous_peers=peers->npeers;
1938 struct timeval oldest;
1939 oldest.tv_sec = tv_now->tv_sec - st->mobile_peer_expiry;
1940 oldest.tv_usec = tv_now->tv_usec;
1941 while (peers->npeers>1 &&
1942 timercmp(&peers->peers[peers->npeers-1].last, &oldest, <))
1944 if (peers->npeers != previous_peers)
1945 transport_peers_debug(st,peers,"expire", 0,0,0);
1948 static void transport_record_peer(struct site *st, transport_peers *peers,
1949 const struct comm_addr *addr, const char *m) {
1950 int slot, changed=0;
1952 for (slot=0; slot<peers->npeers; slot++)
1953 if (!memcmp(&peers->peers[slot].addr, addr, sizeof(*addr)))
1957 if (peers->npeers==st->transport_peers_max)
1958 slot=st->transport_peers_max;
1960 slot=peers->npeers++;
1963 peers->peers[slot].addr=*addr;
1964 peers->peers[slot].last=*tv_now;
1966 if (peers->npeers>1)
1967 qsort(peers->peers, peers->npeers,
1968 sizeof(*peers->peers), transport_peer_compar);
1970 if (changed || peers->npeers!=1)
1971 transport_peers_debug(st,peers,m, 1,addr,0);
1972 transport_peers_expire(st, peers);
1975 static bool_t transport_compute_setupinit_peers(struct site *st,
1976 const struct comm_addr *configured_addr /* 0 if none or not found */,
1977 const struct comm_addr *prod_hint_addr /* 0 if none */) {
1979 if (!configured_addr && !prod_hint_addr &&
1980 !transport_peers_valid(&st->peers))
1983 slog(st,LOG_SETUP_INIT,
1984 "using:%s%s %d old peer address(es)",
1985 configured_addr ? " configured address;" : "",
1986 prod_hint_addr ? " PROD hint address;" : "",
1989 /* Non-mobile peers havve st->peers.npeers==0 or ==1, since they
1990 * have transport_peers_max==1. The effect is that this code
1991 * always uses the configured address if supplied, or otherwise
1992 * the address of the incoming PROD, or the existing data peer if
1993 * one exists; this is as desired. */
1995 transport_peers_copy(st,&st->setup_peers,&st->peers);
1998 transport_record_peer(st,&st->setup_peers,prod_hint_addr,"prod");
2000 if (configured_addr)
2001 transport_record_peer(st,&st->setup_peers,configured_addr,"setupinit");
2003 assert(transport_peers_valid(&st->setup_peers));
2007 static void transport_setup_msgok(struct site *st, const struct comm_addr *a) {
2008 if (st->peer_mobile)
2009 transport_record_peer(st,&st->setup_peers,a,"setupmsg");
2011 static void transport_data_msgok(struct site *st, const struct comm_addr *a) {
2012 if (st->peer_mobile)
2013 transport_record_peer(st,&st->peers,a,"datamsg");
2016 static int transport_peers_valid(transport_peers *peers) {
2017 return peers->npeers;
2019 static void transport_peers_clear(struct site *st, transport_peers *peers) {
2021 transport_peers_debug(st,peers,"clear",0,0,0);
2023 static void transport_peers_copy(struct site *st, transport_peers *dst,
2024 const transport_peers *src) {
2025 dst->npeers=src->npeers;
2026 memcpy(dst->peers, src->peers, sizeof(*dst->peers) * dst->npeers);
2027 transport_peers_debug(st,dst,"copy",
2028 src->npeers, &src->peers->addr, sizeof(*src->peers));
2031 void transport_xmit(struct site *st, transport_peers *peers,
2032 struct buffer_if *buf, bool_t candebug) {
2034 transport_peers_expire(st, peers);
2035 for (slot=0; slot<peers->npeers; slot++) {
2036 transport_peer *peer=&peers->peers[slot];
2038 dump_packet(st, buf, &peer->addr, False);
2039 peer->addr.comm->sendmsg(peer->addr.comm->st, buf, &peer->addr);
2043 /***** END of transport peers declarations *****/