1 /* site.c - manage communication with a remote network site */
3 /* The 'site' code doesn't know anything about the structure of the
4 packets it's transmitting. In fact, under the new netlink
5 configuration scheme it doesn't need to know anything at all about
6 IP addresses, except how to contact its peer. This means it could
7 potentially be used to tunnel other protocols too (IPv6, IPX, plain
8 old Ethernet frames) if appropriate netlink code can be written
9 (and that ought not to be too hard, eg. using the TUN/TAP device to
10 pretend to be an Ethernet interface). */
12 /* At some point in the future the netlink code will be asked for
13 configuration information to go in the PING/PONG packets at the end
14 of the key exchange. */
21 #include <sys/socket.h>
25 #include "unaligned.h"
28 #define SETUP_BUFFER_LEN 2048
30 #define DEFAULT_KEY_LIFETIME (3600*1000) /* [ms] */
31 #define DEFAULT_KEY_RENEGOTIATE_GAP (5*60*1000) /* [ms] */
32 #define DEFAULT_SETUP_RETRIES 5
33 #define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
34 #define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
36 #define DEFAULT_MOBILE_KEY_LIFETIME (2*24*3600*1000) /* [ms] */
37 #define DEFAULT_MOBILE_KEY_RENEGOTIATE_GAP (12*3600*1000) /* [ms] */
38 #define DEFAULT_MOBILE_SETUP_RETRIES 30
39 #define DEFAULT_MOBILE_SETUP_RETRY_INTERVAL (1*1000) /* [ms] */
40 #define DEFAULT_MOBILE_WAIT_TIME (10*1000) /* [ms] */
42 #define DEFAULT_MOBILE_PEER_EXPIRY (2*60) /* [s] */
43 #define DEFAULT_MOBILE_PEERS_MAX 3 /* send at most this many copies (default) */
45 /* Each site can be in one of several possible states. */
48 SITE_STOP - nothing is allowed to happen; tunnel is down;
49 all session keys have been erased
50 -> SITE_RUN upon external instruction
51 SITE_RUN - site up, maybe with valid key
52 -> SITE_RESOLVE upon outgoing packet and no valid key
53 we start name resolution for the other end of the tunnel
54 -> SITE_SENTMSG2 upon valid incoming message 1 and suitable time
55 we send an appropriate message 2
56 SITE_RESOLVE - waiting for name resolution
57 -> SITE_SENTMSG1 upon successful resolution
58 we send an appropriate message 1
59 -> SITE_SENTMSG2 upon valid incoming message 1 (then abort resolution)
60 we abort resolution and
61 -> SITE_WAIT on timeout or resolution failure
63 -> SITE_SENTMSG2 upon valid incoming message 1 from higher priority end
64 -> SITE_SENTMSG3 upon valid incoming message 2
65 -> SITE_WAIT on timeout
67 -> SITE_SENTMSG4 upon valid incoming message 3
68 -> SITE_WAIT on timeout
70 -> SITE_SENTMSG5 upon valid incoming message 4
71 -> SITE_WAIT on timeout
73 -> SITE_RUN upon valid incoming message 5
74 -> SITE_WAIT on timeout
76 -> SITE_RUN upon valid incoming message 6
77 -> SITE_WAIT on timeout
78 SITE_WAIT - failed to establish key; do nothing for a while
79 -> SITE_RUN on timeout
84 #define SITE_RESOLVE 2
85 #define SITE_SENTMSG1 3
86 #define SITE_SENTMSG2 4
87 #define SITE_SENTMSG3 5
88 #define SITE_SENTMSG4 6
89 #define SITE_SENTMSG5 7
92 int32_t site_max_start_pad = 4*4;
94 static cstring_t state_name(uint32_t state)
97 case 0: return "STOP";
99 case 2: return "RESOLVE";
100 case 3: return "SENTMSG1";
101 case 4: return "SENTMSG2";
102 case 5: return "SENTMSG3";
103 case 6: return "SENTMSG4";
104 case 7: return "SENTMSG5";
105 case 8: return "WAIT";
106 default: return "*bad state*";
112 #define LOG_UNEXPECTED 0x00000001
113 #define LOG_SETUP_INIT 0x00000002
114 #define LOG_SETUP_TIMEOUT 0x00000004
115 #define LOG_ACTIVATE_KEY 0x00000008
116 #define LOG_TIMEOUT_KEY 0x00000010
117 #define LOG_SEC 0x00000020
118 #define LOG_STATE 0x00000040
119 #define LOG_DROP 0x00000080
120 #define LOG_DUMP 0x00000100
121 #define LOG_ERROR 0x00000400
122 #define LOG_PEER_ADDRS 0x00000800
124 static struct flagstr log_event_table[]={
125 { "unexpected", LOG_UNEXPECTED },
126 { "setup-init", LOG_SETUP_INIT },
127 { "setup-timeout", LOG_SETUP_TIMEOUT },
128 { "activate-key", LOG_ACTIVATE_KEY },
129 { "timeout-key", LOG_TIMEOUT_KEY },
130 { "security", LOG_SEC },
131 { "state-change", LOG_STATE },
132 { "packet-drop", LOG_DROP },
133 { "dump-packets", LOG_DUMP },
134 { "errors", LOG_ERROR },
135 { "peer-addrs", LOG_PEER_ADDRS },
136 { "default", LOG_SETUP_INIT|LOG_SETUP_TIMEOUT|
137 LOG_ACTIVATE_KEY|LOG_TIMEOUT_KEY|LOG_SEC|LOG_ERROR },
138 { "all", 0xffffffff },
143 /***** TRANSPORT PEERS declarations *****/
145 /* Details of "mobile peer" semantics:
147 - We record mobile_peers_max peer address/port numbers ("peers")
148 for key setup, and separately mobile_peers_max for data
149 transfer. If these lists fill up, we retain the newest peers.
150 (For non-mobile peers we only record one of each.)
152 - Outgoing packets are sent to every recorded peer in the
155 - Data transfer peers are straightforward: whenever we successfully
156 process a data packet, we record the peer. Also, whenever we
157 successfully complete a key setup, we merge the key setup
158 peers into the data transfer peers.
160 (For "non-mobile" peers we simply copy the peer used for
161 successful key setup, and don't change the peer otherwise.)
163 - Key setup peers are slightly more complicated.
165 Whenever we receive and successfully process a key exchange
166 packet, we record the peer.
168 Whenever we try to initiate a key setup, we copy the list of data
169 transfer peers and use it for key setup. But we also look to see
170 if the config supplies an address and port number and if so we
171 add that as a key setup peer (possibly evicting one of the data
172 transfer peers we just copied).
174 (For "non-mobile" peers, if we if we have a configured peer
175 address and port, we always use that; otherwise if we have a
176 current data peer address we use that; otherwise we do not
177 attempt to initiate a key setup for lack of a peer address.)
179 "Record the peer" means
180 1. expire any peers last seen >120s ("mobile-peer-expiry") ago
181 2. add the peer of the just received packet to the applicable list
182 (possibly evicting older entries)
183 NB that we do not expire peers until an incoming packet arrives.
187 #define MAX_MOBILE_PEERS_MAX 5 /* send at most this many copies, compiled max */
191 struct comm_addr addr;
195 /* configuration information */
196 /* runtime information */
198 transport_peer peers[MAX_MOBILE_PEERS_MAX];
201 static void transport_peers_clear(struct site *st, transport_peers *peers);
202 static int transport_peers_valid(transport_peers *peers);
203 static void transport_peers_copy(struct site *st, transport_peers *dst,
204 const transport_peers *src);
206 static void transport_setup_msgok(struct site *st, const struct comm_addr *a);
207 static void transport_data_msgok(struct site *st, const struct comm_addr *a);
208 static bool_t transport_compute_setupinit_peers(struct site *st,
209 const struct comm_addr *configured_addr /* 0 if none or not found */,
210 const struct comm_addr *prod_hint_addr /* 0 if none */);
211 static void transport_record_peer(struct site *st, transport_peers *peers,
212 const struct comm_addr *addr, const char *m);
214 static void transport_xmit(struct site *st, transport_peers *peers,
215 struct buffer_if *buf, bool_t candebug);
217 /***** END of transport peers declarations *****/
221 struct transform_inst_if *transform;
222 uint64_t key_timeout; /* End of life of current key */
223 uint32_t remote_session_id;
229 /* configuration information */
232 bool_t peer_mobile; /* Mobile client support */
233 int32_t transport_peers_max;
234 string_t tunname; /* localname<->remotename by default, used in logs */
235 string_t address; /* DNS name for bootstrapping, optional */
236 int remoteport; /* Port for bootstrapping, optional */
238 struct netlink_if *netlink;
239 struct comm_if **comms;
241 struct resolver_if *resolver;
243 struct random_if *random;
244 struct rsaprivkey_if *privkey;
245 struct rsapubkey_if *pubkey;
246 struct transform_if **transforms;
249 struct hash_if *hash;
251 uint32_t index; /* Index of this site */
252 uint32_t local_capabilities;
253 int32_t setup_retries; /* How many times to send setup packets */
254 int32_t setup_retry_interval; /* Initial timeout for setup packets */
255 int32_t wait_timeout; /* How long to wait if setup unsuccessful */
256 int32_t mobile_peer_expiry; /* How long to remember 2ary addresses */
257 int32_t key_lifetime; /* How long a key lasts once set up */
258 int32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
259 after this time, initiate a new
262 bool_t setup_priority; /* Do we have precedence if both sites emit
263 message 1 simultaneously? */
266 /* runtime information */
268 uint64_t now; /* Most recently seen time */
269 bool_t allow_send_prod;
271 /* The currently established session */
272 struct data_key current;
273 struct data_key auxiliary_key;
274 bool_t auxiliary_is_new;
275 uint64_t renegotiate_key_time; /* When we can negotiate a new key */
276 uint64_t auxiliary_renegotiate_key_time;
277 transport_peers peers; /* Current address(es) of peer for data traffic */
279 /* The current key setup protocol exchange. We can only be
280 involved in one of these at a time. There's a potential for
281 denial of service here (the attacker keeps sending a setup
282 packet; we keep trying to continue the exchange, and have to
283 timeout before we can listen for another setup packet); perhaps
284 we should keep a list of 'bad' sources for setup packets. */
285 uint32_t remote_capabilities;
286 uint16_t remote_adv_mtu;
287 struct transform_if *chosen_transform;
288 uint32_t setup_session_id;
289 transport_peers setup_peers;
290 uint8_t localN[NONCELEN]; /* Nonces for key exchange */
291 uint8_t remoteN[NONCELEN];
292 struct buffer_if buffer; /* Current outgoing key exchange packet */
293 struct buffer_if scratch;
294 int32_t retries; /* Number of retries remaining */
295 uint64_t timeout; /* Timeout for current state */
297 uint8_t *sharedsecret;
298 uint32_t sharedsecretlen, sharedsecretallocd;
299 struct transform_inst_if *new_transform; /* For key setup/verify */
302 static uint32_t event_log_priority(struct site *st, uint32_t event)
304 if (!(event&st->log_events))
307 case LOG_UNEXPECTED: return M_INFO;
308 case LOG_SETUP_INIT: return M_INFO;
309 case LOG_SETUP_TIMEOUT: return M_NOTICE;
310 case LOG_ACTIVATE_KEY: return M_INFO;
311 case LOG_TIMEOUT_KEY: return M_INFO;
312 case LOG_SEC: return M_SECURITY;
313 case LOG_STATE: return M_DEBUG;
314 case LOG_DROP: return M_DEBUG;
315 case LOG_DUMP: return M_DEBUG;
316 case LOG_ERROR: return M_ERR;
317 case LOG_PEER_ADDRS: return M_DEBUG;
318 default: return M_ERR;
322 static void vslog(struct site *st, uint32_t event, cstring_t msg, va_list ap)
324 static void vslog(struct site *st, uint32_t event, cstring_t msg, va_list ap)
328 class=event_log_priority(st, event);
330 slilog_part(st->log,class,"%s: ",st->tunname);
331 vslilog_part(st->log,class,msg,ap);
332 slilog_part(st->log,class,"\n");
336 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
338 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
342 vslog(st,event,msg,ap);
346 static void set_link_quality(struct site *st);
347 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel);
348 static void delete_one_key(struct site *st, struct data_key *key,
349 const char *reason /* may be 0 meaning don't log*/,
350 const char *which /* ignored if !reasonn */,
351 uint32_t loglevel /* ignored if !reasonn */);
352 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
353 const struct comm_addr *prod_hint);
354 static void enter_state_run(struct site *st);
355 static bool_t enter_state_resolve(struct site *st);
356 static bool_t enter_new_state(struct site *st,uint32_t next);
357 static void enter_state_wait(struct site *st);
358 static void activate_new_key(struct site *st);
360 static bool_t is_transform_valid(struct transform_inst_if *transform)
362 return transform && transform->valid(transform->st);
365 static bool_t current_valid(struct site *st)
367 return is_transform_valid(st->current.transform);
370 #define DEFINE_CALL_TRANSFORM(fwdrev) \
371 static int call_transform_##fwdrev(struct site *st, \
372 struct transform_inst_if *transform, \
373 struct buffer_if *buf, \
374 const char **errmsg) \
376 if (!is_transform_valid(transform)) { \
377 *errmsg="transform not set up"; \
380 return transform->fwdrev(transform->st,buf,errmsg); \
383 DEFINE_CALL_TRANSFORM(forwards)
384 DEFINE_CALL_TRANSFORM(reverse)
386 static void dispose_transform(struct transform_inst_if **transform_var)
388 struct transform_inst_if *transform=*transform_var;
390 transform->delkey(transform->st);
391 transform->destroy(transform->st);
396 #define CHECK_AVAIL(b,l) do { if ((b)->size<(l)) return False; } while(0)
397 #define CHECK_EMPTY(b) do { if ((b)->size!=0) return False; } while(0)
398 #define CHECK_TYPE(b,t) do { uint32_t type; \
399 CHECK_AVAIL((b),4); \
400 type=buf_unprepend_uint32((b)); \
401 if (type!=(t)) return False; } while(0)
403 static _Bool type_is_msg34(uint32_t type)
406 type == LABEL_MSG3 ||
407 type == LABEL_MSG3BIS ||
414 struct buffer_if extrainfo;
421 struct parsedname remote;
422 struct parsedname local;
423 uint32_t remote_capabilities;
425 int capab_transformnum;
435 static void set_new_transform(struct site *st, char *pk)
437 /* Make room for the shared key */
438 st->sharedsecretlen=st->chosen_transform->keylen?:st->dh->ceil_len;
439 assert(st->sharedsecretlen);
440 if (st->sharedsecretlen > st->sharedsecretallocd) {
441 st->sharedsecretallocd=st->sharedsecretlen;
442 st->sharedsecret=realloc(st->sharedsecret,st->sharedsecretallocd);
444 if (!st->sharedsecret) fatal_perror("site:sharedsecret");
446 /* Generate the shared key */
447 st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,pk,
448 st->sharedsecret,st->sharedsecretlen);
450 /* Set up the transform */
451 struct transform_if *generator=st->chosen_transform;
452 struct transform_inst_if *generated=generator->create(generator->st);
453 generated->setkey(generated->st,st->sharedsecret,
454 st->sharedsecretlen,st->setup_priority);
455 dispose_transform(&st->new_transform);
456 st->new_transform=generated;
458 slog(st,LOG_SETUP_INIT,"key exchange negotiated transform"
459 " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")",
460 st->chosen_transform->capab_transformnum,
461 st->local_capabilities, st->remote_capabilities);
465 int32_t lenpos, afternul;
467 static void append_string_xinfo_start(struct buffer_if *buf,
468 struct xinfoadd *xia,
470 /* Helps construct one of the names with additional info as found
471 * in MSG1..4. Call this function first, then append all the
472 * desired extra info (not including the nul byte) to the buffer,
473 * then call append_string_xinfo_done. */
475 xia->lenpos = buf->size;
476 buf_append_string(buf,str);
477 buf_append_uint8(buf,0);
478 xia->afternul = buf->size;
480 static void append_string_xinfo_done(struct buffer_if *buf,
481 struct xinfoadd *xia)
483 /* we just need to adjust the string length */
484 if (buf->size == xia->afternul) {
485 /* no extra info, strip the nul too */
486 buf_unappend_uint8(buf);
488 put_uint16(buf->start+xia->lenpos, buf->size-(xia->lenpos+2));
492 /* Build any of msg1 to msg4. msg5 and msg6 are built from the inside
493 out using a transform of config data supplied by netlink */
494 static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what)
500 st->retries=st->setup_retries;
501 BUF_ALLOC(&st->buffer,what);
502 buffer_init(&st->buffer,0);
503 buf_append_uint32(&st->buffer,
504 (type==LABEL_MSG1?0:st->setup_session_id));
505 buf_append_uint32(&st->buffer,st->index);
506 buf_append_uint32(&st->buffer,type);
509 append_string_xinfo_start(&st->buffer,&xia,st->localname);
510 if ((st->local_capabilities & CAPAB_EARLY) || (type != LABEL_MSG1)) {
511 buf_append_uint32(&st->buffer,st->local_capabilities);
513 if (type_is_msg34(type)) {
514 buf_append_uint16(&st->buffer,st->mtu_target);
516 append_string_xinfo_done(&st->buffer,&xia);
518 buf_append_string(&st->buffer,st->remotename);
519 memcpy(buf_append(&st->buffer,NONCELEN),st->localN,NONCELEN);
520 if (type==LABEL_MSG1) return True;
521 memcpy(buf_append(&st->buffer,NONCELEN),st->remoteN,NONCELEN);
522 if (type==LABEL_MSG2) return True;
524 if (hacky_par_mid_failnow()) return False;
526 if (type==LABEL_MSG3BIS)
527 buf_append_uint8(&st->buffer,st->chosen_transform->capab_transformnum);
529 dhpub=st->dh->makepublic(st->dh->st,st->dhsecret,st->dh->len);
530 buf_append_string(&st->buffer,dhpub);
532 hash=safe_malloc(st->hash->len, "generate_msg");
533 hst=st->hash->init();
534 st->hash->update(hst,st->buffer.start,st->buffer.size);
535 st->hash->final(hst,hash);
536 sig=st->privkey->sign(st->privkey->st,hash,st->hash->len);
537 buf_append_string(&st->buffer,sig);
543 static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm)
546 nm->len=buf_unprepend_uint16(msg);
547 CHECK_AVAIL(msg,nm->len);
548 nm->name=buf_unprepend(msg,nm->len);
549 uint8_t *nul=memchr(nm->name,0,nm->len);
551 buffer_readonly_view(&nm->extrainfo,0,0);
553 buffer_readonly_view(&nm->extrainfo, nul+1, msg->start-(nul+1));
554 nm->len=nul-nm->name;
559 static bool_t unpick_msg(struct site *st, uint32_t type,
560 struct buffer_if *msg, struct msg *m)
562 m->capab_transformnum=-1;
563 m->hashstart=msg->start;
565 m->dest=buf_unprepend_uint32(msg);
567 m->source=buf_unprepend_uint32(msg);
568 CHECK_TYPE(msg,type);
569 if (!unpick_name(msg,&m->remote)) return False;
570 m->remote_capabilities=0;
572 if (m->remote.extrainfo.size) {
573 CHECK_AVAIL(&m->remote.extrainfo,4);
574 m->remote_capabilities=buf_unprepend_uint32(&m->remote.extrainfo);
576 if (type_is_msg34(type) && m->remote.extrainfo.size) {
577 CHECK_AVAIL(&m->remote.extrainfo,2);
578 m->remote_mtu=buf_unprepend_uint16(&m->remote.extrainfo);
580 if (!unpick_name(msg,&m->local)) return False;
581 if (type==LABEL_PROD) {
585 CHECK_AVAIL(msg,NONCELEN);
586 m->nR=buf_unprepend(msg,NONCELEN);
587 if (type==LABEL_MSG1) {
591 CHECK_AVAIL(msg,NONCELEN);
592 m->nL=buf_unprepend(msg,NONCELEN);
593 if (type==LABEL_MSG2) {
597 if (type==LABEL_MSG3BIS) {
599 m->capab_transformnum = buf_unprepend_uint8(msg);
601 m->capab_transformnum = CAPAB_TRANSFORMNUM_ANCIENT;
604 m->pklen=buf_unprepend_uint16(msg);
605 CHECK_AVAIL(msg,m->pklen);
606 m->pk=buf_unprepend(msg,m->pklen);
607 m->hashlen=msg->start-m->hashstart;
609 m->siglen=buf_unprepend_uint16(msg);
610 CHECK_AVAIL(msg,m->siglen);
611 m->sig=buf_unprepend(msg,m->siglen);
616 static bool_t name_matches(const struct parsedname *nm, const char *expected)
618 int expected_len=strlen(expected);
620 nm->len == expected_len &&
621 !memcmp(nm->name, expected, expected_len);
624 static bool_t check_msg(struct site *st, uint32_t type, struct msg *m,
627 if (type==LABEL_MSG1) return True;
629 /* Check that the site names and our nonce have been sent
630 back correctly, and then store our peer's nonce. */
631 if (!name_matches(&m->remote,st->remotename)) {
632 *error="wrong remote site name";
635 if (!name_matches(&m->local,st->localname)) {
636 *error="wrong local site name";
639 if (memcmp(m->nL,st->localN,NONCELEN)!=0) {
640 *error="wrong locally-generated nonce";
643 if (type==LABEL_MSG2) return True;
644 if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) {
645 *error="wrong remotely-generated nonce";
648 /* MSG3 has complicated rules about capabilities, which are
649 * handled in process_msg3. */
650 if (type==LABEL_MSG3 || type==LABEL_MSG3BIS) return True;
651 if (m->remote_capabilities!=st->remote_capabilities) {
652 *error="remote capabilities changed";
655 if (type==LABEL_MSG4) return True;
656 *error="unknown message type";
660 static bool_t generate_msg1(struct site *st)
662 st->random->generate(st->random->st,NONCELEN,st->localN);
663 return generate_msg(st,LABEL_MSG1,"site:MSG1");
666 static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
667 const struct comm_addr *src, struct msg *m)
669 /* We've already determined we're in an appropriate state to
670 process an incoming MSG1, and that the MSG1 has correct values
673 transport_record_peer(st,&st->setup_peers,src,"msg1");
674 st->setup_session_id=m->source;
675 st->remote_capabilities=m->remote_capabilities;
676 memcpy(st->remoteN,m->nR,NONCELEN);
680 static bool_t generate_msg2(struct site *st)
682 st->random->generate(st->random->st,NONCELEN,st->localN);
683 return generate_msg(st,LABEL_MSG2,"site:MSG2");
686 static bool_t process_msg2(struct site *st, struct buffer_if *msg2,
687 const struct comm_addr *src)
692 if (!unpick_msg(st,LABEL_MSG2,msg2,&m)) return False;
693 if (!check_msg(st,LABEL_MSG2,&m,&err)) {
694 slog(st,LOG_SEC,"msg2: %s",err);
697 st->setup_session_id=m.source;
698 st->remote_capabilities=m.remote_capabilities;
700 /* Select the transform to use */
702 uint32_t remote_transforms = st->remote_capabilities & CAPAB_TRANSFORM_MASK;
703 if (!remote_transforms)
704 /* old secnets only had this one transform */
705 remote_transforms = 1UL << CAPAB_TRANSFORMNUM_ANCIENT;
707 struct transform_if *ti;
709 for (i=0; i<st->ntransforms; i++) {
710 ti=st->transforms[i];
711 if ((1UL << ti->capab_transformnum) & remote_transforms)
712 goto transform_found;
714 slog(st,LOG_ERROR,"no transforms in common"
715 " (us %#"PRIx32"; them: %#"PRIx32")",
716 st->local_capabilities & CAPAB_TRANSFORM_MASK,
720 st->chosen_transform=ti;
722 memcpy(st->remoteN,m.nR,NONCELEN);
726 static bool_t generate_msg3(struct site *st)
728 /* Now we have our nonce and their nonce. Think of a secret key,
729 and create message number 3. */
730 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
731 return generate_msg(st,
732 (st->remote_capabilities & CAPAB_TRANSFORM_MASK
733 ? LABEL_MSG3BIS : LABEL_MSG3),
737 static bool_t process_msg3_msg4(struct site *st, struct msg *m)
742 /* Check signature and store g^x mod m */
743 hash=safe_malloc(st->hash->len, "process_msg3_msg4");
744 hst=st->hash->init();
745 st->hash->update(hst,m->hashstart,m->hashlen);
746 st->hash->final(hst,hash);
747 /* Terminate signature with a '0' - cheating, but should be ok */
749 if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m->sig)) {
750 slog(st,LOG_SEC,"msg3/msg4 signature failed check!");
756 st->remote_adv_mtu=m->remote_mtu;
761 static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
762 const struct comm_addr *src, uint32_t msgtype)
767 assert(msgtype==LABEL_MSG3 || msgtype==LABEL_MSG3BIS);
769 if (!unpick_msg(st,msgtype,msg3,&m)) return False;
770 if (!check_msg(st,msgtype,&m,&err)) {
771 slog(st,LOG_SEC,"msg3: %s",err);
774 uint32_t capab_adv_late = m.remote_capabilities
775 & ~st->remote_capabilities & CAPAB_EARLY;
776 if (capab_adv_late) {
777 slog(st,LOG_SEC,"msg3 impermissibly adds early capability flag(s)"
778 " %#"PRIx32" (was %#"PRIx32", now %#"PRIx32")",
779 capab_adv_late, st->remote_capabilities, m.remote_capabilities);
782 st->remote_capabilities|=m.remote_capabilities;
784 struct transform_if *ti;
786 for (i=0; i<st->ntransforms; i++) {
787 ti=st->transforms[i];
788 if (ti->capab_transformnum == m.capab_transformnum)
789 goto transform_found;
791 slog(st,LOG_SEC,"peer chose unknown-to-us transform %d!",
792 m.capab_transformnum);
795 st->chosen_transform=ti;
797 if (!process_msg3_msg4(st,&m))
800 /* Terminate their DH public key with a '0' */
802 /* Invent our DH secret key */
803 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
805 /* Generate the shared key and set up the transform */
806 set_new_transform(st,m.pk);
811 static bool_t generate_msg4(struct site *st)
813 /* We have both nonces, their public key and our private key. Generate
814 our public key, sign it and send it to them. */
815 return generate_msg(st,LABEL_MSG4,"site:MSG4");
818 static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
819 const struct comm_addr *src)
824 if (!unpick_msg(st,LABEL_MSG4,msg4,&m)) return False;
825 if (!check_msg(st,LABEL_MSG4,&m,&err)) {
826 slog(st,LOG_SEC,"msg4: %s",err);
830 if (!process_msg3_msg4(st,&m))
833 /* Terminate their DH public key with a '0' */
836 /* Generate the shared key and set up the transform */
837 set_new_transform(st,m.pk);
848 static bool_t unpick_msg0(struct site *st, struct buffer_if *msg0,
852 m->dest=buf_unprepend_uint32(msg0);
854 m->source=buf_unprepend_uint32(msg0);
856 m->type=buf_unprepend_uint32(msg0);
858 /* Leaves transformed part of buffer untouched */
861 static bool_t generate_msg5(struct site *st)
863 cstring_t transform_err;
865 BUF_ALLOC(&st->buffer,"site:MSG5");
866 /* We are going to add four words to the message */
867 buffer_init(&st->buffer,calculate_max_start_pad());
868 /* Give the netlink code an opportunity to put its own stuff in the
869 message (configuration information, etc.) */
870 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
871 if (call_transform_forwards(st,st->new_transform,
872 &st->buffer,&transform_err))
874 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
875 buf_prepend_uint32(&st->buffer,st->index);
876 buf_prepend_uint32(&st->buffer,st->setup_session_id);
878 st->retries=st->setup_retries;
882 static bool_t process_msg5(struct site *st, struct buffer_if *msg5,
883 const struct comm_addr *src,
884 struct transform_inst_if *transform)
887 cstring_t transform_err;
889 if (!unpick_msg0(st,msg5,&m)) return False;
891 if (call_transform_reverse(st,transform,msg5,&transform_err)) {
892 /* There's a problem */
893 slog(st,LOG_SEC,"process_msg5: transform: %s",transform_err);
896 /* Buffer should now contain untransformed PING packet data */
898 if (buf_unprepend_uint32(msg5)!=LABEL_MSG5) {
899 slog(st,LOG_SEC,"MSG5/PING packet contained wrong label");
902 /* Older versions of secnet used to write some config data here
903 * which we ignore. So we don't CHECK_EMPTY */
907 static void create_msg6(struct site *st, struct transform_inst_if *transform,
910 cstring_t transform_err;
912 BUF_ALLOC(&st->buffer,"site:MSG6");
913 /* We are going to add four words to the message */
914 buffer_init(&st->buffer,calculate_max_start_pad());
915 /* Give the netlink code an opportunity to put its own stuff in the
916 message (configuration information, etc.) */
917 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
918 int problem = call_transform_forwards(st,transform,
919 &st->buffer,&transform_err);
921 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
922 buf_prepend_uint32(&st->buffer,st->index);
923 buf_prepend_uint32(&st->buffer,session_id);
926 static bool_t generate_msg6(struct site *st)
928 if (!is_transform_valid(st->new_transform))
930 create_msg6(st,st->new_transform,st->setup_session_id);
931 st->retries=1; /* Peer will retransmit MSG5 if this packet gets lost */
935 static bool_t process_msg6(struct site *st, struct buffer_if *msg6,
936 const struct comm_addr *src)
939 cstring_t transform_err;
941 if (!unpick_msg0(st,msg6,&m)) return False;
943 if (call_transform_reverse(st,st->new_transform,msg6,&transform_err)) {
944 /* There's a problem */
945 slog(st,LOG_SEC,"process_msg6: transform: %s",transform_err);
948 /* Buffer should now contain untransformed PING packet data */
950 if (buf_unprepend_uint32(msg6)!=LABEL_MSG6) {
951 slog(st,LOG_SEC,"MSG6/PONG packet contained invalid data");
954 /* Older versions of secnet used to write some config data here
955 * which we ignore. So we don't CHECK_EMPTY */
959 static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0,
960 const struct comm_addr *src)
962 cstring_t transform_err, auxkey_err, newkey_err="n/a";
966 if (!unpick_msg0(st,msg0,&m)) return False;
968 /* Keep a copy so we can try decrypting it with multiple keys */
969 buffer_copy(&st->scratch, msg0);
971 problem = call_transform_reverse(st,st->current.transform,
972 msg0,&transform_err);
974 if (!st->auxiliary_is_new)
975 delete_one_key(st,&st->auxiliary_key,
976 "peer has used new key","auxiliary key",LOG_SEC);
982 buffer_copy(msg0, &st->scratch);
983 problem = call_transform_reverse(st,st->auxiliary_key.transform,
986 slog(st,LOG_DROP,"processing packet which uses auxiliary key");
987 if (st->auxiliary_is_new) {
988 /* We previously timed out in state SENTMSG5 but it turns
989 * out that our peer did in fact get our MSG5 and is
990 * using the new key. So we should switch to it too. */
991 /* This is a bit like activate_new_key. */
994 st->current=st->auxiliary_key;
997 delete_one_key(st,&st->auxiliary_key,"peer has used new key",
998 "previous key",LOG_SEC);
999 st->auxiliary_is_new=0;
1000 st->renegotiate_key_time=st->auxiliary_renegotiate_key_time;
1007 if (st->state==SITE_SENTMSG5) {
1008 buffer_copy(msg0, &st->scratch);
1009 problem = call_transform_reverse(st,st->new_transform,
1012 /* It looks like we didn't get the peer's MSG6 */
1013 /* This is like a cut-down enter_new_state(SITE_RUN) */
1014 slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)");
1015 BUF_FREE(&st->buffer);
1017 activate_new_key(st);
1018 return True; /* do process the data in this packet */
1024 slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)",
1025 transform_err,auxkey_err,newkey_err);
1026 initiate_key_setup(st,"incoming message would not decrypt",0);
1027 send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt");
1031 slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err);
1035 static bool_t process_msg0(struct site *st, struct buffer_if *msg0,
1036 const struct comm_addr *src)
1040 if (!decrypt_msg0(st,msg0,src))
1043 CHECK_AVAIL(msg0,4);
1044 type=buf_unprepend_uint32(msg0);
1047 /* We must forget about the current session. */
1048 delete_keys(st,"request from peer",LOG_SEC);
1051 /* Deliver to netlink layer */
1052 st->netlink->deliver(st->netlink->st,msg0);
1053 transport_data_msgok(st,src);
1054 /* See whether we should start negotiating a new key */
1055 if (st->now > st->renegotiate_key_time)
1056 initiate_key_setup(st,"incoming packet in renegotiation window",0);
1059 slog(st,LOG_SEC,"incoming encrypted message of type %08x "
1066 static void dump_packet(struct site *st, struct buffer_if *buf,
1067 const struct comm_addr *addr, bool_t incoming)
1069 uint32_t dest=get_uint32(buf->start);
1070 uint32_t source=get_uint32(buf->start+4);
1071 uint32_t msgtype=get_uint32(buf->start+8);
1073 if (st->log_events & LOG_DUMP)
1074 slilog(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x:",
1075 st->tunname,incoming?"incoming":"outgoing",
1076 dest,source,msgtype);
1079 static uint32_t site_status(void *st)
1084 static bool_t send_msg(struct site *st)
1086 if (st->retries>0) {
1087 transport_xmit(st, &st->setup_peers, &st->buffer, True);
1088 st->timeout=st->now+st->setup_retry_interval;
1091 } else if (st->state==SITE_SENTMSG5) {
1092 slog(st,LOG_SETUP_TIMEOUT,"timed out sending MSG5, stashing new key");
1093 /* We stash the key we have produced, in case it turns out that
1094 * our peer did see our MSG5 after all and starts using it. */
1095 /* This is a bit like some of activate_new_key */
1096 struct transform_inst_if *t;
1097 t=st->auxiliary_key.transform;
1098 st->auxiliary_key.transform=st->new_transform;
1099 st->new_transform=t;
1100 dispose_transform(&st->new_transform);
1102 st->auxiliary_is_new=1;
1103 st->auxiliary_key.key_timeout=st->now+st->key_lifetime;
1104 st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time;
1105 st->auxiliary_key.remote_session_id=st->setup_session_id;
1107 enter_state_wait(st);
1110 slog(st,LOG_SETUP_TIMEOUT,"timed out sending key setup packet "
1111 "(in state %s)",state_name(st->state));
1112 enter_state_wait(st);
1117 static void site_resolve_callback(void *sst, struct in_addr *address)
1119 struct site *st=sst;
1120 struct comm_addr ca_buf, *ca_use;
1122 if (st->state!=SITE_RESOLVE) {
1123 slog(st,LOG_UNEXPECTED,"site_resolve_callback called unexpectedly");
1128 ca_buf.comm=st->comms[0];
1129 ca_buf.sin.sin_family=AF_INET;
1130 ca_buf.sin.sin_port=htons(st->remoteport);
1131 ca_buf.sin.sin_addr=*address;
1134 slog(st,LOG_ERROR,"resolution of %s failed",st->address);
1137 if (transport_compute_setupinit_peers(st,ca_use,0)) {
1138 enter_new_state(st,SITE_SENTMSG1);
1140 /* Can't figure out who to try to to talk to */
1141 slog(st,LOG_SETUP_INIT,"key exchange failed: cannot find peer address");
1142 enter_state_run(st);
1146 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
1147 const struct comm_addr *prod_hint)
1149 if (st->state!=SITE_RUN) return False;
1150 slog(st,LOG_SETUP_INIT,"initiating key exchange (%s)",reason);
1152 slog(st,LOG_SETUP_INIT,"resolving peer address");
1153 return enter_state_resolve(st);
1154 } else if (transport_compute_setupinit_peers(st,0,prod_hint)) {
1155 return enter_new_state(st,SITE_SENTMSG1);
1157 slog(st,LOG_SETUP_INIT,"key exchange failed: no address for peer");
1161 static void activate_new_key(struct site *st)
1163 struct transform_inst_if *t;
1165 /* We have three transform instances, which we swap between old,
1167 t=st->auxiliary_key.transform;
1168 st->auxiliary_key.transform=st->current.transform;
1169 st->current.transform=st->new_transform;
1170 st->new_transform=t;
1171 dispose_transform(&st->new_transform);
1174 st->auxiliary_is_new=0;
1175 st->auxiliary_key.key_timeout=st->current.key_timeout;
1176 st->current.key_timeout=st->now+st->key_lifetime;
1177 st->renegotiate_key_time=st->now+st->key_renegotiate_time;
1178 transport_peers_copy(st,&st->peers,&st->setup_peers);
1179 st->current.remote_session_id=st->setup_session_id;
1181 /* Compute the inter-site MTU. This is min( our_mtu, their_mtu ).
1182 * But their mtu be unspecified, in which case we just use ours. */
1183 uint32_t intersite_mtu=
1184 MIN(st->mtu_target, st->remote_adv_mtu ?: ~(uint32_t)0);
1185 st->netlink->set_mtu(st->netlink->st,intersite_mtu);
1187 slog(st,LOG_ACTIVATE_KEY,"new key activated"
1188 " (mtu ours=%"PRId32" theirs=%"PRId32" intersite=%"PRId32")",
1189 st->mtu_target, st->remote_adv_mtu, intersite_mtu);
1190 enter_state_run(st);
1193 static void delete_one_key(struct site *st, struct data_key *key,
1194 cstring_t reason, cstring_t which, uint32_t loglevel)
1196 if (!is_transform_valid(key->transform)) return;
1197 if (reason) slog(st,loglevel,"%s deleted (%s)",which,reason);
1198 dispose_transform(&key->transform);
1202 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel)
1204 if (current_valid(st)) {
1205 slog(st,loglevel,"session closed (%s)",reason);
1207 delete_one_key(st,&st->current,0,0,0);
1208 set_link_quality(st);
1210 delete_one_key(st,&st->auxiliary_key,0,0,0);
1213 static void state_assert(struct site *st, bool_t ok)
1215 if (!ok) fatal("site:state_assert");
1218 static void enter_state_stop(struct site *st)
1220 st->state=SITE_STOP;
1222 delete_keys(st,"entering state STOP",LOG_TIMEOUT_KEY);
1223 dispose_transform(&st->new_transform);
1226 static void set_link_quality(struct site *st)
1229 if (current_valid(st))
1230 quality=LINK_QUALITY_UP;
1231 else if (st->state==SITE_WAIT || st->state==SITE_STOP)
1232 quality=LINK_QUALITY_DOWN;
1233 else if (st->address)
1234 quality=LINK_QUALITY_DOWN_CURRENT_ADDRESS;
1235 else if (transport_peers_valid(&st->peers))
1236 quality=LINK_QUALITY_DOWN_STALE_ADDRESS;
1238 quality=LINK_QUALITY_DOWN;
1240 st->netlink->set_quality(st->netlink->st,quality);
1243 static void enter_state_run(struct site *st)
1245 slog(st,LOG_STATE,"entering state RUN");
1249 st->setup_session_id=0;
1250 transport_peers_clear(st,&st->setup_peers);
1251 memset(st->localN,0,NONCELEN);
1252 memset(st->remoteN,0,NONCELEN);
1253 dispose_transform(&st->new_transform);
1254 memset(st->dhsecret,0,st->dh->len);
1255 memset(st->sharedsecret,0,st->sharedsecretlen);
1256 set_link_quality(st);
1259 static bool_t enter_state_resolve(struct site *st)
1261 state_assert(st,st->state==SITE_RUN);
1262 slog(st,LOG_STATE,"entering state RESOLVE");
1263 st->state=SITE_RESOLVE;
1264 st->resolver->request(st->resolver->st,st->address,
1265 site_resolve_callback,st);
1269 static bool_t enter_new_state(struct site *st, uint32_t next)
1271 bool_t (*gen)(struct site *st);
1274 slog(st,LOG_STATE,"entering state %s",state_name(next));
1277 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE);
1281 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1282 st->state==SITE_SENTMSG1 || st->state==SITE_WAIT);
1286 state_assert(st,st->state==SITE_SENTMSG1);
1287 BUF_FREE(&st->buffer);
1291 state_assert(st,st->state==SITE_SENTMSG2);
1292 BUF_FREE(&st->buffer);
1296 state_assert(st,st->state==SITE_SENTMSG3);
1297 BUF_FREE(&st->buffer);
1301 state_assert(st,st->state==SITE_SENTMSG4);
1302 BUF_FREE(&st->buffer);
1307 fatal("enter_new_state(%s): invalid new state",state_name(next));
1311 if (hacky_par_start_failnow()) return False;
1313 r= gen(st) && send_msg(st);
1316 st->setup_retries, st->setup_retry_interval,
1321 if (next==SITE_RUN) {
1322 BUF_FREE(&st->buffer); /* Never reused */
1323 st->timeout=0; /* Never retransmit */
1324 activate_new_key(st);
1328 slog(st,LOG_ERROR,"error entering state %s",state_name(next));
1329 st->buffer.free=False; /* Unconditionally use the buffer; it may be
1330 in either state, and enter_state_wait() will
1332 enter_state_wait(st);
1336 /* msg7 tells our peer that we're about to forget our key */
1337 static bool_t send_msg7(struct site *st, cstring_t reason)
1339 cstring_t transform_err;
1341 if (current_valid(st) && st->buffer.free
1342 && transport_peers_valid(&st->peers)) {
1343 BUF_ALLOC(&st->buffer,"site:MSG7");
1344 buffer_init(&st->buffer,calculate_max_start_pad());
1345 buf_append_uint32(&st->buffer,LABEL_MSG7);
1346 buf_append_string(&st->buffer,reason);
1347 if (call_transform_forwards(st, st->current.transform,
1348 &st->buffer, &transform_err))
1350 buf_prepend_uint32(&st->buffer,LABEL_MSG0);
1351 buf_prepend_uint32(&st->buffer,st->index);
1352 buf_prepend_uint32(&st->buffer,st->current.remote_session_id);
1353 transport_xmit(st,&st->peers,&st->buffer,True);
1354 BUF_FREE(&st->buffer);
1361 /* We go into this state if our peer becomes uncommunicative. Similar to
1362 the "stop" state, we forget all session keys for a while, before
1363 re-entering the "run" state. */
1364 static void enter_state_wait(struct site *st)
1366 slog(st,LOG_STATE,"entering state WAIT");
1367 st->timeout=st->now+st->wait_timeout;
1368 st->state=SITE_WAIT;
1369 set_link_quality(st);
1370 BUF_FREE(&st->buffer); /* will have had an outgoing packet in it */
1371 /* XXX Erase keys etc. */
1374 static void generate_prod(struct site *st, struct buffer_if *buf)
1377 buf_append_uint32(buf,0);
1378 buf_append_uint32(buf,0);
1379 buf_append_uint32(buf,LABEL_PROD);
1380 buf_append_string(buf,st->localname);
1381 buf_append_string(buf,st->remotename);
1384 static void generate_send_prod(struct site *st,
1385 const struct comm_addr *source)
1387 if (!st->allow_send_prod) return; /* too soon */
1388 if (!(st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1389 st->state==SITE_WAIT)) return; /* we'd ignore peer's MSG1 */
1391 slog(st,LOG_SETUP_INIT,"prodding peer for key exchange");
1392 st->allow_send_prod=0;
1393 generate_prod(st,&st->scratch);
1394 dump_packet(st,&st->scratch,source,False);
1395 source->comm->sendmsg(source->comm->st, &st->scratch, source);
1398 static inline void site_settimeout(uint64_t timeout, int *timeout_io)
1401 int64_t offset=timeout-*now;
1402 if (offset<0) offset=0;
1403 if (offset>INT_MAX) offset=INT_MAX;
1404 if (*timeout_io<0 || offset<*timeout_io)
1409 static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io,
1412 struct site *st=sst;
1414 *nfds_io=0; /* We don't use any file descriptors */
1417 /* Work out when our next timeout is. The earlier of 'timeout' or
1418 'current.key_timeout'. A stored value of '0' indicates no timeout
1420 site_settimeout(st->timeout, timeout_io);
1421 site_settimeout(st->current.key_timeout, timeout_io);
1422 site_settimeout(st->auxiliary_key.key_timeout, timeout_io);
1424 return 0; /* success */
1427 static void check_expiry(struct site *st, struct data_key *key,
1430 if (key->key_timeout && *now>key->key_timeout) {
1431 delete_one_key(st,key,"maximum life exceeded",which,LOG_TIMEOUT_KEY);
1435 /* NB site_afterpoll will be called before site_beforepoll is ever called */
1436 static void site_afterpoll(void *sst, struct pollfd *fds, int nfds)
1438 struct site *st=sst;
1441 if (st->timeout && *now>st->timeout) {
1443 if (st->state>=SITE_SENTMSG1 && st->state<=SITE_SENTMSG5) {
1444 if (!hacky_par_start_failnow())
1446 } else if (st->state==SITE_WAIT) {
1447 enter_state_run(st);
1449 slog(st,LOG_ERROR,"site_afterpoll: unexpected timeout, state=%d",
1453 check_expiry(st,&st->current,"current key");
1454 check_expiry(st,&st->auxiliary_key,"auxiliary key");
1457 /* This function is called by the netlink device to deliver packets
1458 intended for the remote network. The packet is in "raw" wire
1459 format, but is guaranteed to be word-aligned. */
1460 static void site_outgoing(void *sst, struct buffer_if *buf)
1462 struct site *st=sst;
1463 cstring_t transform_err;
1465 if (st->state==SITE_STOP) {
1470 st->allow_send_prod=1;
1472 /* In all other states we consider delivering the packet if we have
1473 a valid key and a valid address to send it to. */
1474 if (current_valid(st) && transport_peers_valid(&st->peers)) {
1475 /* Transform it and send it */
1477 buf_prepend_uint32(buf,LABEL_MSG9);
1478 if (call_transform_forwards(st, st->current.transform,
1479 buf, &transform_err))
1481 buf_prepend_uint32(buf,LABEL_MSG0);
1482 buf_prepend_uint32(buf,st->index);
1483 buf_prepend_uint32(buf,st->current.remote_session_id);
1484 transport_xmit(st,&st->peers,buf,False);
1491 slog(st,LOG_DROP,"discarding outgoing packet of size %d",buf->size);
1493 initiate_key_setup(st,"outgoing packet",0);
1496 static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in,
1497 uint32_t type, struct msg *m)
1498 /* For packets which are identified by the local and remote names.
1499 * If it has our name and our peer's name in it it's for us. */
1501 struct buffer_if buf[1];
1502 buffer_readonly_clone(buf,buf_in);
1503 return unpick_msg(st,type,buf,m)
1504 && name_matches(&m->remote,st->remotename)
1505 && name_matches(&m->local,st->localname);
1508 /* This function is called by the communication device to deliver
1509 packets from our peers.
1510 It should return True if the packet is recognised as being for
1511 this current site instance (and should therefore not be processed
1512 by other sites), even if the packet was otherwise ignored. */
1513 static bool_t site_incoming(void *sst, struct buffer_if *buf,
1514 const struct comm_addr *source)
1516 struct site *st=sst;
1518 if (buf->size < 12) return False;
1520 uint32_t dest=get_uint32(buf->start);
1521 uint32_t msgtype=get_uint32(buf->start+8);
1522 struct msg named_msg;
1524 if (msgtype==LABEL_MSG1) {
1525 if (!named_for_us(st,buf,msgtype,&named_msg))
1527 /* It's a MSG1 addressed to us. Decide what to do about it. */
1528 dump_packet(st,buf,source,True);
1529 if (st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1530 st->state==SITE_WAIT) {
1531 /* We should definitely process it */
1532 if (process_msg1(st,buf,source,&named_msg)) {
1533 slog(st,LOG_SETUP_INIT,"key setup initiated by peer");
1534 enter_new_state(st,SITE_SENTMSG2);
1536 slog(st,LOG_ERROR,"failed to process incoming msg1");
1540 } else if (st->state==SITE_SENTMSG1) {
1541 /* We've just sent a message 1! They may have crossed on
1542 the wire. If we have priority then we ignore the
1543 incoming one, otherwise we process it as usual. */
1544 if (st->setup_priority) {
1546 slog(st,LOG_DUMP,"crossed msg1s; we are higher "
1547 "priority => ignore incoming msg1");
1550 slog(st,LOG_DUMP,"crossed msg1s; we are lower "
1551 "priority => use incoming msg1");
1552 if (process_msg1(st,buf,source,&named_msg)) {
1553 BUF_FREE(&st->buffer); /* Free our old message 1 */
1554 enter_new_state(st,SITE_SENTMSG2);
1556 slog(st,LOG_ERROR,"failed to process an incoming "
1557 "crossed msg1 (we have low priority)");
1563 /* The message 1 was received at an unexpected stage of the
1564 key setup. XXX POLICY - what do we do? */
1565 slog(st,LOG_UNEXPECTED,"unexpected incoming message 1");
1569 if (msgtype==LABEL_PROD) {
1570 if (!named_for_us(st,buf,msgtype,&named_msg))
1572 dump_packet(st,buf,source,True);
1573 if (st->state!=SITE_RUN) {
1574 slog(st,LOG_DROP,"ignoring PROD when not in state RUN");
1575 } else if (current_valid(st)) {
1576 slog(st,LOG_DROP,"ignoring PROD when we think we have a key");
1578 initiate_key_setup(st,"peer sent PROD packet",source);
1583 if (dest==st->index) {
1584 /* Explicitly addressed to us */
1585 if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True);
1588 /* If the source is our current peer then initiate a key setup,
1589 because our peer's forgotten the key */
1590 if (get_uint32(buf->start+4)==st->current.remote_session_id) {
1592 initiated = initiate_key_setup(st,"received a NAK",0);
1593 if (!initiated) generate_send_prod(st,source);
1595 slog(st,LOG_SEC,"bad incoming NAK");
1599 process_msg0(st,buf,source);
1602 /* Setup packet: should not have been explicitly addressed
1604 slog(st,LOG_SEC,"incoming explicitly addressed msg1");
1607 /* Setup packet: expected only in state SENTMSG1 */
1608 if (st->state!=SITE_SENTMSG1) {
1609 slog(st,LOG_UNEXPECTED,"unexpected MSG2");
1610 } else if (process_msg2(st,buf,source)) {
1611 transport_setup_msgok(st,source);
1612 enter_new_state(st,SITE_SENTMSG3);
1614 slog(st,LOG_SEC,"invalid MSG2");
1619 /* Setup packet: expected only in state SENTMSG2 */
1620 if (st->state!=SITE_SENTMSG2) {
1621 slog(st,LOG_UNEXPECTED,"unexpected MSG3");
1622 } else if (process_msg3(st,buf,source,msgtype)) {
1623 transport_setup_msgok(st,source);
1624 enter_new_state(st,SITE_SENTMSG4);
1626 slog(st,LOG_SEC,"invalid MSG3");
1630 /* Setup packet: expected only in state SENTMSG3 */
1631 if (st->state!=SITE_SENTMSG3) {
1632 slog(st,LOG_UNEXPECTED,"unexpected MSG4");
1633 } else if (process_msg4(st,buf,source)) {
1634 transport_setup_msgok(st,source);
1635 enter_new_state(st,SITE_SENTMSG5);
1637 slog(st,LOG_SEC,"invalid MSG4");
1641 /* Setup packet: expected only in state SENTMSG4 */
1642 /* (may turn up in state RUN if our return MSG6 was lost
1643 and the new key has already been activated. In that
1644 case we discard it. The peer will realise that we
1645 are using the new key when they see our data packets.
1646 Until then the peer's data packets to us get discarded. */
1647 if (st->state==SITE_SENTMSG4) {
1648 if (process_msg5(st,buf,source,st->new_transform)) {
1649 transport_setup_msgok(st,source);
1650 enter_new_state(st,SITE_RUN);
1652 slog(st,LOG_SEC,"invalid MSG5");
1654 } else if (st->state==SITE_RUN) {
1655 if (process_msg5(st,buf,source,st->current.transform)) {
1656 slog(st,LOG_DROP,"got MSG5, retransmitting MSG6");
1657 transport_setup_msgok(st,source);
1658 create_msg6(st,st->current.transform,
1659 st->current.remote_session_id);
1660 transport_xmit(st,&st->peers,&st->buffer,True);
1661 BUF_FREE(&st->buffer);
1663 slog(st,LOG_SEC,"invalid MSG5 (in state RUN)");
1666 slog(st,LOG_UNEXPECTED,"unexpected MSG5");
1670 /* Setup packet: expected only in state SENTMSG5 */
1671 if (st->state!=SITE_SENTMSG5) {
1672 slog(st,LOG_UNEXPECTED,"unexpected MSG6");
1673 } else if (process_msg6(st,buf,source)) {
1674 BUF_FREE(&st->buffer); /* Free message 5 */
1675 transport_setup_msgok(st,source);
1676 activate_new_key(st);
1678 slog(st,LOG_SEC,"invalid MSG6");
1682 slog(st,LOG_SEC,"received message of unknown type 0x%08x",
1693 static void site_control(void *vst, bool_t run)
1695 struct site *st=vst;
1696 if (run) enter_state_run(st);
1697 else enter_state_stop(st);
1700 static void site_phase_hook(void *sst, uint32_t newphase)
1702 struct site *st=sst;
1704 /* The program is shutting down; tell our peer */
1705 send_msg7(st,"shutting down");
1708 static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
1711 static uint32_t index_sequence;
1717 st=safe_malloc(sizeof(*st),"site_apply");
1719 st->cl.description="site";
1720 st->cl.type=CL_SITE;
1722 st->cl.interface=&st->ops;
1724 st->ops.control=site_control;
1725 st->ops.status=site_status;
1727 /* First parameter must be a dict */
1728 item=list_elem(args,0);
1729 if (!item || item->type!=t_dict)
1730 cfgfatal(loc,"site","parameter must be a dictionary\n");
1732 dict=item->data.dict;
1733 st->localname=dict_read_string(dict, "local-name", True, "site", loc);
1734 st->remotename=dict_read_string(dict, "name", True, "site", loc);
1736 st->peer_mobile=dict_read_bool(dict,"mobile",False,"site",loc,False);
1737 bool_t local_mobile=
1738 dict_read_bool(dict,"local-mobile",False,"site",loc,False);
1740 /* Sanity check (which also allows the 'sites' file to include
1741 site() closures for all sites including our own): refuse to
1742 talk to ourselves */
1743 if (strcmp(st->localname,st->remotename)==0) {
1744 Message(M_DEBUG,"site %s: local-name==name -> ignoring this site\n",
1746 if (st->peer_mobile != local_mobile)
1747 cfgfatal(loc,"site","site %s's peer-mobile=%d"
1748 " but our local-mobile=%d\n",
1749 st->localname, st->peer_mobile, local_mobile);
1753 if (st->peer_mobile && local_mobile) {
1754 Message(M_WARNING,"site %s: site is mobile but so are we"
1755 " -> ignoring this site\n", st->remotename);
1760 assert(index_sequence < 0xffffffffUL);
1761 st->index = ++index_sequence;
1762 st->local_capabilities = 0;
1763 st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc);
1765 #define GET_CLOSURE_LIST(dictkey,things,nthings,CL_TYPE) do{ \
1766 list_t *things##_cfg=dict_lookup(dict,dictkey); \
1767 if (!things##_cfg) \
1768 cfgfatal(loc,"site","closure list \"%s\" not found\n",dictkey); \
1769 st->nthings=list_length(things##_cfg); \
1770 st->things=safe_malloc_ary(sizeof(*st->things),st->nthings,dictkey "s"); \
1771 assert(st->nthings); \
1772 for (i=0; i<st->nthings; i++) { \
1773 item_t *item=list_elem(things##_cfg,i); \
1774 if (item->type!=t_closure) \
1775 cfgfatal(loc,"site","%s is not a closure\n",dictkey); \
1776 closure_t *cl=item->data.closure; \
1777 if (cl->type!=CL_TYPE) \
1778 cfgfatal(loc,"site","%s closure wrong type\n",dictkey); \
1779 st->things[i]=cl->interface; \
1783 GET_CLOSURE_LIST("comm",comms,ncomms,CL_COMM);
1785 st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc);
1786 st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc);
1787 st->random=find_cl_if(dict,"random",CL_RANDOMSRC,True,"site",loc);
1789 st->privkey=find_cl_if(dict,"local-key",CL_RSAPRIVKEY,True,"site",loc);
1790 st->address=dict_read_string(dict, "address", False, "site", loc);
1792 st->remoteport=dict_read_number(dict,"port",True,"site",loc,0);
1793 else st->remoteport=0;
1794 st->pubkey=find_cl_if(dict,"key",CL_RSAPUBKEY,True,"site",loc);
1796 GET_CLOSURE_LIST("transform",transforms,ntransforms,CL_TRANSFORM);
1798 st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
1799 st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
1801 #define DEFAULT(D) (st->peer_mobile || local_mobile \
1802 ? DEFAULT_MOBILE_##D : DEFAULT_##D)
1803 #define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
1805 st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
1806 st->setup_retries= CFG_NUMBER("setup-retries", SETUP_RETRIES);
1807 st->setup_retry_interval= CFG_NUMBER("setup-timeout", SETUP_RETRY_INTERVAL);
1808 st->wait_timeout= CFG_NUMBER("wait-time", WAIT_TIME);
1809 st->mtu_target= dict_read_number(dict,"mtu-target",False,"site",loc,0);
1811 st->mobile_peer_expiry= dict_read_number(
1812 dict,"mobile-peer-expiry",False,"site",loc,DEFAULT_MOBILE_PEER_EXPIRY);
1814 st->transport_peers_max= !st->peer_mobile ? 1 : dict_read_number(
1815 dict,"mobile-peers-max",False,"site",loc,DEFAULT_MOBILE_PEERS_MAX);
1816 if (st->transport_peers_max<1 ||
1817 st->transport_peers_max>=MAX_MOBILE_PEERS_MAX) {
1818 cfgfatal(loc,"site","mobile-peers-max must be in range 1.."
1819 STRING(MAX_MOBILE_PEERS_MAX) "\n");
1822 if (st->key_lifetime < DEFAULT(KEY_RENEGOTIATE_GAP)*2)
1823 st->key_renegotiate_time=st->key_lifetime/2;
1825 st->key_renegotiate_time=st->key_lifetime-DEFAULT(KEY_RENEGOTIATE_GAP);
1826 st->key_renegotiate_time=dict_read_number(
1827 dict,"renegotiate-time",False,"site",loc,st->key_renegotiate_time);
1828 if (st->key_renegotiate_time > st->key_lifetime) {
1829 cfgfatal(loc,"site",
1830 "renegotiate-time must be less than key-lifetime\n");
1833 st->log_events=string_list_to_word(dict_lookup(dict,"log-events"),
1834 log_event_table,"site");
1836 st->allow_send_prod=0;
1838 st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5,
1840 sprintf(st->tunname,"%s<->%s",st->localname,st->remotename);
1842 /* The information we expect to see in incoming messages of type 1 */
1843 /* fixme: lots of unchecked overflows here, but the results are only
1844 corrupted packets rather than undefined behaviour */
1845 st->setup_priority=(strcmp(st->localname,st->remotename)>0);
1847 buffer_new(&st->buffer,SETUP_BUFFER_LEN);
1849 buffer_new(&st->scratch,SETUP_BUFFER_LEN);
1850 BUF_ALLOC(&st->scratch,"site:scratch");
1852 /* We are interested in poll(), but only for timeouts. We don't have
1853 any fds of our own. */
1854 register_for_poll(st, site_beforepoll, site_afterpoll, 0, "site");
1857 st->remote_capabilities=0;
1858 st->chosen_transform=0;
1859 st->current.key_timeout=0;
1860 st->auxiliary_key.key_timeout=0;
1861 transport_peers_clear(st,&st->peers);
1862 transport_peers_clear(st,&st->setup_peers);
1863 /* XXX mlock these */
1864 st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret");
1865 st->sharedsecretlen=st->sharedsecretallocd=0;
1868 for (i=0; i<st->ntransforms; i++) {
1869 struct transform_if *ti=st->transforms[i];
1870 uint32_t capbit = 1UL << ti->capab_transformnum;
1871 if (st->local_capabilities & capbit)
1872 slog(st,LOG_ERROR,"transformnum capability bit"
1873 " %d (%#"PRIx32") reused", ti->capab_transformnum, capbit);
1874 st->local_capabilities |= capbit;
1877 /* We need to register the remote networks with the netlink device */
1878 uint32_t netlink_mtu; /* local virtual interface mtu */
1879 st->netlink->reg(st->netlink->st, site_outgoing, st, &netlink_mtu);
1880 if (!st->mtu_target)
1881 st->mtu_target=netlink_mtu;
1883 for (i=0; i<st->ncomms; i++)
1884 st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming);
1886 st->current.transform=0;
1887 st->auxiliary_key.transform=0;
1888 st->new_transform=0;
1889 st->auxiliary_is_new=0;
1891 enter_state_stop(st);
1893 add_hook(PHASE_SHUTDOWN,site_phase_hook,st);
1895 return new_closure(&st->cl);
1898 void site_module(dict_t *dict)
1900 add_closure(dict,"site",site_apply);
1904 /***** TRANSPORT PEERS definitions *****/
1906 static void transport_peers_debug(struct site *st, transport_peers *dst,
1907 const char *didwhat,
1908 int nargs, const struct comm_addr *args,
1913 if (!(st->log_events & LOG_PEER_ADDRS))
1914 return; /* an optimisation */
1916 slog(st, LOG_PEER_ADDRS, "peers (%s) %s nargs=%d => npeers=%d",
1917 (dst==&st->peers ? "data" :
1918 dst==&st->setup_peers ? "setup" : "UNKNOWN"),
1919 didwhat, nargs, dst->npeers);
1921 for (i=0, argp=(void*)args;
1923 i++, (argp+=stride?stride:sizeof(*args))) {
1924 const struct comm_addr *ca=(void*)argp;
1925 slog(st, LOG_PEER_ADDRS, " args: addrs[%d]=%s",
1926 i, ca->comm->addr_to_string(ca->comm->st,ca));
1928 for (i=0; i<dst->npeers; i++) {
1929 struct timeval diff;
1930 timersub(tv_now,&dst->peers[i].last,&diff);
1931 const struct comm_addr *ca=&dst->peers[i].addr;
1932 slog(st, LOG_PEER_ADDRS, " peers: addrs[%d]=%s T-%ld.%06ld",
1933 i, ca->comm->addr_to_string(ca->comm->st,ca),
1934 (unsigned long)diff.tv_sec, (unsigned long)diff.tv_usec);
1938 static int transport_peer_compar(const void *av, const void *bv) {
1939 const transport_peer *a=av;
1940 const transport_peer *b=bv;
1941 /* put most recent first in the array */
1942 if (timercmp(&a->last, &b->last, <)) return +1;
1943 if (timercmp(&a->last, &b->last, >)) return -11;
1947 static void transport_peers_expire(struct site *st, transport_peers *peers) {
1948 /* peers must be sorted first */
1949 int previous_peers=peers->npeers;
1950 struct timeval oldest;
1951 oldest.tv_sec = tv_now->tv_sec - st->mobile_peer_expiry;
1952 oldest.tv_usec = tv_now->tv_usec;
1953 while (peers->npeers>1 &&
1954 timercmp(&peers->peers[peers->npeers-1].last, &oldest, <))
1956 if (peers->npeers != previous_peers)
1957 transport_peers_debug(st,peers,"expire", 0,0,0);
1960 static void transport_record_peer(struct site *st, transport_peers *peers,
1961 const struct comm_addr *addr, const char *m) {
1962 int slot, changed=0;
1964 for (slot=0; slot<peers->npeers; slot++)
1965 if (!memcmp(&peers->peers[slot].addr, addr, sizeof(*addr)))
1969 if (peers->npeers==st->transport_peers_max)
1970 slot=st->transport_peers_max-1;
1972 slot=peers->npeers++;
1975 peers->peers[slot].addr=*addr;
1976 peers->peers[slot].last=*tv_now;
1978 if (peers->npeers>1)
1979 qsort(peers->peers, peers->npeers,
1980 sizeof(*peers->peers), transport_peer_compar);
1982 if (changed || peers->npeers!=1)
1983 transport_peers_debug(st,peers,m, 1,addr,0);
1984 transport_peers_expire(st, peers);
1987 static bool_t transport_compute_setupinit_peers(struct site *st,
1988 const struct comm_addr *configured_addr /* 0 if none or not found */,
1989 const struct comm_addr *prod_hint_addr /* 0 if none */) {
1991 if (!configured_addr && !prod_hint_addr &&
1992 !transport_peers_valid(&st->peers))
1995 slog(st,LOG_SETUP_INIT,
1996 "using:%s%s %d old peer address(es)",
1997 configured_addr ? " configured address;" : "",
1998 prod_hint_addr ? " PROD hint address;" : "",
2001 /* Non-mobile peers havve st->peers.npeers==0 or ==1, since they
2002 * have transport_peers_max==1. The effect is that this code
2003 * always uses the configured address if supplied, or otherwise
2004 * the address of the incoming PROD, or the existing data peer if
2005 * one exists; this is as desired. */
2007 transport_peers_copy(st,&st->setup_peers,&st->peers);
2010 transport_record_peer(st,&st->setup_peers,prod_hint_addr,"prod");
2012 if (configured_addr)
2013 transport_record_peer(st,&st->setup_peers,configured_addr,"setupinit");
2015 assert(transport_peers_valid(&st->setup_peers));
2019 static void transport_setup_msgok(struct site *st, const struct comm_addr *a) {
2020 if (st->peer_mobile)
2021 transport_record_peer(st,&st->setup_peers,a,"setupmsg");
2023 static void transport_data_msgok(struct site *st, const struct comm_addr *a) {
2024 if (st->peer_mobile)
2025 transport_record_peer(st,&st->peers,a,"datamsg");
2028 static int transport_peers_valid(transport_peers *peers) {
2029 return peers->npeers;
2031 static void transport_peers_clear(struct site *st, transport_peers *peers) {
2033 transport_peers_debug(st,peers,"clear",0,0,0);
2035 static void transport_peers_copy(struct site *st, transport_peers *dst,
2036 const transport_peers *src) {
2037 dst->npeers=src->npeers;
2038 memcpy(dst->peers, src->peers, sizeof(*dst->peers) * dst->npeers);
2039 transport_peers_debug(st,dst,"copy",
2040 src->npeers, &src->peers->addr, sizeof(*src->peers));
2043 void transport_xmit(struct site *st, transport_peers *peers,
2044 struct buffer_if *buf, bool_t candebug) {
2046 transport_peers_expire(st, peers);
2047 for (slot=0; slot<peers->npeers; slot++) {
2048 transport_peer *peer=&peers->peers[slot];
2050 dump_packet(st, buf, &peer->addr, False);
2051 peer->addr.comm->sendmsg(peer->addr.comm->st, buf, &peer->addr);
2055 /***** END of transport peers declarations *****/