1 /* site.c - manage communication with a remote network site */
4 * This file is part of secnet.
5 * See README for full list of copyright holders.
7 * secnet is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * secnet is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * version 3 along with secnet; if not, see
19 * https://www.gnu.org/licenses/gpl.html.
22 /* The 'site' code doesn't know anything about the structure of the
23 packets it's transmitting. In fact, under the new netlink
24 configuration scheme it doesn't need to know anything at all about
25 IP addresses, except how to contact its peer. This means it could
26 potentially be used to tunnel other protocols too (IPv6, IPX, plain
27 old Ethernet frames) if appropriate netlink code can be written
28 (and that ought not to be too hard, eg. using the TUN/TAP device to
29 pretend to be an Ethernet interface). */
31 /* At some point in the future the netlink code will be asked for
32 configuration information to go in the PING/PONG packets at the end
33 of the key exchange. */
40 #include <sys/socket.h>
44 #include "unaligned.h"
47 #define SETUP_BUFFER_LEN 2048
49 #define DEFAULT_KEY_LIFETIME (3600*1000) /* [ms] */
50 #define DEFAULT_KEY_RENEGOTIATE_GAP (5*60*1000) /* [ms] */
51 #define DEFAULT_SETUP_RETRIES 5
52 #define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
53 #define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
55 #define DEFAULT_MOBILE_KEY_LIFETIME (2*24*3600*1000) /* [ms] */
56 #define DEFAULT_MOBILE_KEY_RENEGOTIATE_GAP (12*3600*1000) /* [ms] */
57 #define DEFAULT_MOBILE_SETUP_RETRIES 30
58 #define DEFAULT_MOBILE_SETUP_RETRY_INTERVAL (1*1000) /* [ms] */
59 #define DEFAULT_MOBILE_WAIT_TIME (10*1000) /* [ms] */
61 #define DEFAULT_MOBILE_PEER_EXPIRY (2*60) /* [s] */
63 /* Each site can be in one of several possible states. */
66 SITE_STOP - nothing is allowed to happen; tunnel is down;
67 all session keys have been erased
68 -> SITE_RUN upon external instruction
69 SITE_RUN - site up, maybe with valid key
70 -> SITE_RESOLVE upon outgoing packet and no valid key
71 we start name resolution for the other end of the tunnel
72 -> SITE_SENTMSG2 upon valid incoming message 1 and suitable time
73 we send an appropriate message 2
74 SITE_RESOLVE - waiting for name resolution
75 -> SITE_SENTMSG1 upon successful resolution
76 we send an appropriate message 1
77 -> SITE_SENTMSG2 upon valid incoming message 1 (then abort resolution)
78 we abort resolution and
79 -> SITE_WAIT on timeout or resolution failure
81 -> SITE_SENTMSG2 upon valid incoming message 1 from higher priority end
82 -> SITE_SENTMSG3 upon valid incoming message 2
83 -> SITE_WAIT on timeout
85 -> SITE_SENTMSG4 upon valid incoming message 3
86 -> SITE_WAIT on timeout
88 -> SITE_SENTMSG5 upon valid incoming message 4
89 -> SITE_WAIT on timeout
91 -> SITE_RUN upon valid incoming message 5
92 -> SITE_WAIT on timeout
94 -> SITE_RUN upon valid incoming message 6
95 -> SITE_WAIT on timeout
96 SITE_WAIT - failed to establish key; do nothing for a while
97 -> SITE_RUN on timeout
102 #define SITE_RESOLVE 2
103 #define SITE_SENTMSG1 3
104 #define SITE_SENTMSG2 4
105 #define SITE_SENTMSG3 5
106 #define SITE_SENTMSG4 6
107 #define SITE_SENTMSG5 7
110 #define CASES_MSG3_KNOWN LABEL_MSG3: case LABEL_MSG3BIS
112 int32_t site_max_start_pad = 4*4;
114 static cstring_t state_name(uint32_t state)
117 case 0: return "STOP";
118 case 1: return "RUN";
119 case 2: return "RESOLVE";
120 case 3: return "SENTMSG1";
121 case 4: return "SENTMSG2";
122 case 5: return "SENTMSG3";
123 case 6: return "SENTMSG4";
124 case 7: return "SENTMSG5";
125 case 8: return "WAIT";
126 default: return "*bad state*";
132 #define LOG_UNEXPECTED 0x00000001
133 #define LOG_SETUP_INIT 0x00000002
134 #define LOG_SETUP_TIMEOUT 0x00000004
135 #define LOG_ACTIVATE_KEY 0x00000008
136 #define LOG_TIMEOUT_KEY 0x00000010
137 #define LOG_SEC 0x00000020
138 #define LOG_STATE 0x00000040
139 #define LOG_DROP 0x00000080
140 #define LOG_DUMP 0x00000100
141 #define LOG_ERROR 0x00000400
142 #define LOG_PEER_ADDRS 0x00000800
144 static struct flagstr log_event_table[]={
145 { "unexpected", LOG_UNEXPECTED },
146 { "setup-init", LOG_SETUP_INIT },
147 { "setup-timeout", LOG_SETUP_TIMEOUT },
148 { "activate-key", LOG_ACTIVATE_KEY },
149 { "timeout-key", LOG_TIMEOUT_KEY },
150 { "security", LOG_SEC },
151 { "state-change", LOG_STATE },
152 { "packet-drop", LOG_DROP },
153 { "dump-packets", LOG_DUMP },
154 { "errors", LOG_ERROR },
155 { "peer-addrs", LOG_PEER_ADDRS },
156 { "default", LOG_SETUP_INIT|LOG_SETUP_TIMEOUT|
157 LOG_ACTIVATE_KEY|LOG_TIMEOUT_KEY|LOG_SEC|LOG_ERROR },
158 { "all", 0xffffffff },
163 /***** TRANSPORT PEERS declarations *****/
165 /* Details of "mobile peer" semantics:
167 - We use the same data structure for the different configurations,
168 but manage it with different algorithms.
170 - We record up to mobile_peers_max peer address/port numbers
171 ("peers") for key setup, and separately up to mobile_peers_max
174 - In general, we make a new set of addrs (see below) when we start
175 a new key exchange; the key setup addrs become the data transport
176 addrs when key setup complets.
178 If our peer is mobile:
180 - We send to all recent addresses of incoming packets, plus
181 initially all configured addresses (which we also expire).
183 - So, we record addrs of good incoming packets, as follows:
184 1. expire any peers last seen >120s ("mobile-peer-expiry") ago
185 2. add the peer of the just received packet to the applicable list
186 (possibly evicting the oldest entries to make room)
187 NB that we do not expire peers until an incoming packet arrives.
189 - If the peer has a configured address or name, we record them the
190 same way, but only as a result of our own initiation of key
191 setup. (We might evict some incoming packet addrs to make room.)
193 - The default number of addrs to keep is 3, or 4 if we have a
194 configured name or address. That's space for two configured
195 addresses (one IPv6 and one IPv4), plus two received addresses.
197 - Outgoing packets are sent to every recorded address in the
198 applicable list. Any unsupported[1] addresses are deleted from
199 the list right away. (This should only happen to configured
200 addresses, of course, but there is no need to check that.)
202 - When we successfully complete a key setup, we merge the key setup
203 peers into the data transfer peers.
205 [1] An unsupported address is one for whose AF we don't have a
206 socket (perhaps because we got EAFNOSUPPORT or some such) or for
207 which sendto gives ENETUNREACH.
209 If neither end is mobile:
211 - When peer initiated the key exchange, we use the incoming packet
214 - When we initiate the key exchange, we try configured addresses
215 until we get one which isn't unsupported then fixate on that.
217 - When we complete a key setup, we replace the data transport peers
218 with those from the key setup.
222 - We can't tell when local network setup changes so we can't cache
223 the unsupported addrs and completely remove the spurious calls to
224 sendto, but we can optimise things a bit by deprioritising addrs
225 which seem to be unsupported.
227 - Use only configured addresses. (Except, that if our peer
228 initiated a key exchange we use the incoming packet address until
229 our name resolution completes.)
231 - When we send a packet, try each address in turn; if addr
232 supported, put that address to the end of the list for future
233 packets, and go onto the next address.
235 - When we complete a key setup, we replace the data transport peers
236 with those from the key setup.
242 struct comm_addr addr;
246 /* configuration information */
247 /* runtime information */
249 transport_peer peers[MAX_PEER_ADDRS];
252 /* Basic operations on transport peer address sets */
253 static void transport_peers_clear(struct site *st, transport_peers *peers);
254 static int transport_peers_valid(transport_peers *peers);
255 static void transport_peers_copy(struct site *st, transport_peers *dst,
256 const transport_peers *src);
258 /* Record address of incoming setup packet; resp. data packet. */
259 static void transport_setup_msgok(struct site *st, const struct comm_addr *a);
260 static void transport_data_msgok(struct site *st, const struct comm_addr *a);
262 /* Initialise the setup addresses. Called before we send the first
263 * packet in a key exchange. If we are the initiator, as a result of
264 * resolve completing (or being determined not to be relevant) or an
265 * incoming PROD; if we are the responder, as a result of the MSG1. */
266 static bool_t transport_compute_setupinit_peers(struct site *st,
267 const struct comm_addr *configured_addrs /* 0 if none or not found */,
268 int n_configured_addrs /* 0 if none or not found */,
269 const struct comm_addr *incoming_packet_addr /* 0 if none */);
271 /* Called if we are the responder in a key setup, when the resolve
272 * completes. transport_compute_setupinit_peers will hvae been called
273 * earlier. If _complete is called, we are still doing the key setup
274 * (and we should use the new values for both the rest of the key
275 * setup and the ongoing data exchange); if _tardy is called, the key
276 * setup is done (either completed or not) and only the data peers are
278 static void transport_resolve_complete(struct site *st,
279 const struct comm_addr *addrs, int naddrs);
280 static void transport_resolve_complete_tardy(struct site *st,
281 const struct comm_addr *addrs, int naddrs);
283 static void transport_xmit(struct site *st, transport_peers *peers,
284 struct buffer_if *buf, bool_t candebug);
286 /***** END of transport peers declarations *****/
290 struct transform_inst_if *transform;
291 uint64_t key_timeout; /* End of life of current key */
292 uint32_t remote_session_id;
298 /* configuration information */
302 bool_t local_mobile, peer_mobile; /* Mobile client support */
303 int32_t transport_peers_max;
304 string_t tunname; /* localname<->remotename by default, used in logs */
305 cstring_t *addresses; /* DNS name or address(es) for bootstrapping, optional */
306 int remoteport; /* Port for bootstrapping, optional */
308 struct netlink_if *netlink;
309 struct comm_if **comms;
310 struct comm_clientinfo **commclientinfos;
312 struct resolver_if *resolver;
314 struct random_if *random;
315 struct rsaprivkey_if *privkey;
316 struct rsapubkey_if *pubkey;
317 struct transform_if **transforms;
320 struct hash_if *hash;
322 uint32_t index; /* Index of this site */
323 uint32_t early_capabilities;
324 uint32_t local_capabilities;
325 int32_t setup_retries; /* How many times to send setup packets */
326 int32_t setup_retry_interval; /* Initial timeout for setup packets */
327 int32_t wait_timeout_mean; /* How long to wait if setup unsuccessful */
328 int32_t mobile_peer_expiry; /* How long to remember 2ary addresses */
329 int32_t key_lifetime; /* How long a key lasts once set up */
330 int32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
331 after this time, initiate a new
334 bool_t our_name_later; /* our name > peer name */
337 /* runtime information */
339 uint64_t now; /* Most recently seen time */
340 bool_t allow_send_prod;
341 bool_t msg1_crossed_logged;
343 int resolving_n_results_all;
344 int resolving_n_results_stored;
345 struct comm_addr resolving_results[MAX_PEER_ADDRS];
347 /* The currently established session */
348 struct data_key current;
349 struct data_key auxiliary_key;
350 bool_t auxiliary_is_new;
351 uint64_t renegotiate_key_time; /* When we can negotiate a new key */
352 uint64_t auxiliary_renegotiate_key_time;
353 transport_peers peers; /* Current address(es) of peer for data traffic */
355 /* The current key setup protocol exchange. We can only be
356 involved in one of these at a time. There's a potential for
357 denial of service here (the attacker keeps sending a setup
358 packet; we keep trying to continue the exchange, and have to
359 timeout before we can listen for another setup packet); perhaps
360 we should keep a list of 'bad' sources for setup packets. */
361 uint32_t remote_capabilities;
362 uint16_t remote_adv_mtu;
363 struct transform_if *chosen_transform;
364 uint32_t setup_session_id;
365 transport_peers setup_peers;
366 uint8_t localN[NONCELEN]; /* Nonces for key exchange */
367 uint8_t remoteN[NONCELEN];
368 struct buffer_if buffer; /* Current outgoing key exchange packet */
369 struct buffer_if scratch;
370 int32_t retries; /* Number of retries remaining */
371 uint64_t timeout; /* Timeout for current state */
373 uint8_t *sharedsecret;
374 uint32_t sharedsecretlen, sharedsecretallocd;
375 struct transform_inst_if *new_transform; /* For key setup/verify */
378 static uint32_t event_log_priority(struct site *st, uint32_t event)
380 if (!(event&st->log_events))
383 case LOG_UNEXPECTED: return M_INFO;
384 case LOG_SETUP_INIT: return M_INFO;
385 case LOG_SETUP_TIMEOUT: return M_NOTICE;
386 case LOG_ACTIVATE_KEY: return M_INFO;
387 case LOG_TIMEOUT_KEY: return M_INFO;
388 case LOG_SEC: return M_SECURITY;
389 case LOG_STATE: return M_DEBUG;
390 case LOG_DROP: return M_DEBUG;
391 case LOG_DUMP: return M_DEBUG;
392 case LOG_ERROR: return M_ERR;
393 case LOG_PEER_ADDRS: return M_DEBUG;
394 default: return M_ERR;
398 static void vslog(struct site *st, uint32_t event, cstring_t msg, va_list ap)
400 static void vslog(struct site *st, uint32_t event, cstring_t msg, va_list ap)
404 class=event_log_priority(st, event);
406 slilog_part(st->log,class,"%s: ",st->tunname);
407 vslilog_part(st->log,class,msg,ap);
408 slilog_part(st->log,class,"\n");
412 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
414 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
418 vslog(st,event,msg,ap);
422 static void logtimeout(struct site *st, const char *fmt, ...)
424 static void logtimeout(struct site *st, const char *fmt, ...)
426 uint32_t class=event_log_priority(st,LOG_SETUP_TIMEOUT);
433 slilog_part(st->log,class,"%s: ",st->tunname);
434 vslilog_part(st->log,class,fmt,ap);
438 for (i=0, delim=" (tried ";
439 i<st->setup_peers.npeers;
441 transport_peer *peer=&st->setup_peers.peers[i];
442 const char *s=comm_addr_to_string(&peer->addr);
443 slilog_part(st->log,class,"%s%s",delim,s);
446 slilog_part(st->log,class,")\n");
450 static void set_link_quality(struct site *st);
451 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel);
452 static void delete_one_key(struct site *st, struct data_key *key,
453 const char *reason /* may be 0 meaning don't log*/,
454 const char *which /* ignored if !reasonn */,
455 uint32_t loglevel /* ignored if !reasonn */);
456 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
457 const struct comm_addr *prod_hint);
458 static void enter_state_run(struct site *st);
459 static bool_t enter_state_resolve(struct site *st);
460 static void decrement_resolving_count(struct site *st, int by);
461 static bool_t enter_new_state(struct site *st,uint32_t next);
462 static void enter_state_wait(struct site *st);
463 static void activate_new_key(struct site *st);
465 static bool_t is_transform_valid(struct transform_inst_if *transform)
467 return transform && transform->valid(transform->st);
470 static bool_t current_valid(struct site *st)
472 return is_transform_valid(st->current.transform);
475 #define DEFINE_CALL_TRANSFORM(fwdrev) \
476 static transform_apply_return \
477 call_transform_##fwdrev(struct site *st, \
478 struct transform_inst_if *transform, \
479 struct buffer_if *buf, \
480 const char **errmsg) \
482 if (!is_transform_valid(transform)) { \
483 *errmsg="transform not set up"; \
484 return transform_apply_err; \
486 return transform->fwdrev(transform->st,buf,errmsg); \
489 DEFINE_CALL_TRANSFORM(forwards)
490 DEFINE_CALL_TRANSFORM(reverse)
492 static void dispose_transform(struct transform_inst_if **transform_var)
494 struct transform_inst_if *transform=*transform_var;
496 transform->delkey(transform->st);
497 transform->destroy(transform->st);
502 #define CHECK_AVAIL(b,l) do { if ((b)->size<(l)) return False; } while(0)
503 #define CHECK_EMPTY(b) do { if ((b)->size!=0) return False; } while(0)
504 #define CHECK_TYPE(b,t) do { uint32_t type; \
505 CHECK_AVAIL((b),4); \
506 type=buf_unprepend_uint32((b)); \
507 if (type!=(t)) return False; } while(0)
509 static _Bool type_is_msg34(uint32_t type)
512 case CASES_MSG3_KNOWN: case LABEL_MSG4: return True;
513 default: return False;
520 struct buffer_if extrainfo;
527 struct parsedname remote;
528 struct parsedname local;
529 uint32_t remote_capabilities;
531 int capab_transformnum;
541 static int32_t wait_timeout(struct site *st) {
542 int32_t t = st->wait_timeout_mean;
545 st->random->generate(st->random->st,sizeof(factor),&factor);
546 t += (t / 256) * factor;
551 static _Bool set_new_transform(struct site *st, char *pk)
555 /* Make room for the shared key */
556 st->sharedsecretlen=st->chosen_transform->keylen?:st->dh->ceil_len;
557 assert(st->sharedsecretlen);
558 if (st->sharedsecretlen > st->sharedsecretallocd) {
559 st->sharedsecretallocd=st->sharedsecretlen;
560 st->sharedsecret=safe_realloc_ary(st->sharedsecret,1,
561 st->sharedsecretallocd,
562 "site:sharedsecret");
565 /* Generate the shared key */
566 st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,pk,
567 st->sharedsecret,st->sharedsecretlen);
569 /* Set up the transform */
570 struct transform_if *generator=st->chosen_transform;
571 struct transform_inst_if *generated=generator->create(generator->st);
572 ok = generated->setkey(generated->st,st->sharedsecret,
573 st->sharedsecretlen,st->our_name_later);
575 dispose_transform(&st->new_transform);
576 if (!ok) return False;
577 st->new_transform=generated;
579 slog(st,LOG_SETUP_INIT,"key exchange negotiated transform"
580 " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")",
581 st->chosen_transform->capab_bit,
582 st->local_capabilities, st->remote_capabilities);
587 int32_t lenpos, afternul;
589 static void append_string_xinfo_start(struct buffer_if *buf,
590 struct xinfoadd *xia,
592 /* Helps construct one of the names with additional info as found
593 * in MSG1..4. Call this function first, then append all the
594 * desired extra info (not including the nul byte) to the buffer,
595 * then call append_string_xinfo_done. */
597 xia->lenpos = buf->size;
598 buf_append_string(buf,str);
599 buf_append_uint8(buf,0);
600 xia->afternul = buf->size;
602 static void append_string_xinfo_done(struct buffer_if *buf,
603 struct xinfoadd *xia)
605 /* we just need to adjust the string length */
606 if (buf->size == xia->afternul) {
607 /* no extra info, strip the nul too */
608 buf_unappend_uint8(buf);
610 put_uint16(buf->start+xia->lenpos, buf->size-(xia->lenpos+2));
614 /* Build any of msg1 to msg4. msg5 and msg6 are built from the inside
615 out using a transform of config data supplied by netlink */
616 static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what)
623 st->retries=st->setup_retries;
624 BUF_ALLOC(&st->buffer,what);
625 buffer_init(&st->buffer,0);
626 buf_append_uint32(&st->buffer,
627 (type==LABEL_MSG1?0:st->setup_session_id));
628 buf_append_uint32(&st->buffer,st->index);
629 buf_append_uint32(&st->buffer,type);
632 append_string_xinfo_start(&st->buffer,&xia,st->localname);
633 if ((st->local_capabilities & st->early_capabilities) ||
634 (type != LABEL_MSG1)) {
635 buf_append_uint32(&st->buffer,st->local_capabilities);
637 if (type_is_msg34(type)) {
638 buf_append_uint16(&st->buffer,st->mtu_target);
640 append_string_xinfo_done(&st->buffer,&xia);
642 buf_append_string(&st->buffer,st->remotename);
643 BUF_ADD_OBJ(append,&st->buffer,st->localN);
644 if (type==LABEL_MSG1) return True;
645 BUF_ADD_OBJ(append,&st->buffer,st->remoteN);
646 if (type==LABEL_MSG2) return True;
648 if (hacky_par_mid_failnow()) return False;
650 if (MSGMAJOR(type) == 3) do {
651 minor = MSGMINOR(type);
652 if (minor < 1) break;
653 buf_append_uint8(&st->buffer,st->chosen_transform->capab_bit);
656 dhpub=st->dh->makepublic(st->dh->st,st->dhsecret,st->dh->len);
657 buf_append_string(&st->buffer,dhpub);
659 hash=safe_malloc(st->hash->len, "generate_msg");
660 hst=st->hash->init();
661 st->hash->update(hst,st->buffer.start,st->buffer.size);
662 st->hash->final(hst,hash);
663 sig=st->privkey->sign(st->privkey->st,hash,st->hash->len);
664 buf_append_string(&st->buffer,sig);
670 static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm)
673 nm->len=buf_unprepend_uint16(msg);
674 CHECK_AVAIL(msg,nm->len);
675 nm->name=buf_unprepend(msg,nm->len);
676 uint8_t *nul=memchr(nm->name,0,nm->len);
678 buffer_readonly_view(&nm->extrainfo,0,0);
680 buffer_readonly_view(&nm->extrainfo, nul+1, msg->start-(nul+1));
681 nm->len=nul-nm->name;
686 static bool_t unpick_msg(struct site *st, uint32_t type,
687 struct buffer_if *msg, struct msg *m)
691 m->capab_transformnum=-1;
692 m->hashstart=msg->start;
694 m->dest=buf_unprepend_uint32(msg);
696 m->source=buf_unprepend_uint32(msg);
697 CHECK_TYPE(msg,type);
698 if (!unpick_name(msg,&m->remote)) return False;
699 m->remote_capabilities=0;
701 if (m->remote.extrainfo.size) {
702 CHECK_AVAIL(&m->remote.extrainfo,4);
703 m->remote_capabilities=buf_unprepend_uint32(&m->remote.extrainfo);
705 if (type_is_msg34(type) && m->remote.extrainfo.size) {
706 CHECK_AVAIL(&m->remote.extrainfo,2);
707 m->remote_mtu=buf_unprepend_uint16(&m->remote.extrainfo);
709 if (!unpick_name(msg,&m->local)) return False;
710 if (type==LABEL_PROD) {
714 CHECK_AVAIL(msg,NONCELEN);
715 m->nR=buf_unprepend(msg,NONCELEN);
716 if (type==LABEL_MSG1) {
720 CHECK_AVAIL(msg,NONCELEN);
721 m->nL=buf_unprepend(msg,NONCELEN);
722 if (type==LABEL_MSG2) {
726 if (MSGMAJOR(type) == 3) do {
727 minor = MSGMINOR(type);
728 #define MAYBE_READ_CAP(minminor, kind, dflt) do { \
729 if (minor < (minminor)) \
730 m->capab_##kind##num = (dflt); \
732 CHECK_AVAIL(msg, 1); \
733 m->capab_##kind##num = buf_unprepend_uint8(msg); \
736 MAYBE_READ_CAP(1, transform, CAPAB_BIT_ANCIENTTRANSFORM);
737 #undef MAYBE_READ_CAP
740 m->pklen=buf_unprepend_uint16(msg);
741 CHECK_AVAIL(msg,m->pklen);
742 m->pk=buf_unprepend(msg,m->pklen);
743 m->hashlen=msg->start-m->hashstart;
745 m->siglen=buf_unprepend_uint16(msg);
746 CHECK_AVAIL(msg,m->siglen);
747 m->sig=buf_unprepend(msg,m->siglen);
750 /* In `process_msg3_msg4' below, we assume that we can write a nul
751 * terminator following the signature. Make sure there's enough space.
753 if (msg->start >= msg->base + msg->alloclen)
759 static bool_t name_matches(const struct parsedname *nm, const char *expected)
761 int expected_len=strlen(expected);
763 nm->len == expected_len &&
764 !memcmp(nm->name, expected, expected_len);
767 static bool_t check_msg(struct site *st, uint32_t type, struct msg *m,
770 if (type==LABEL_MSG1) return True;
772 /* Check that the site names and our nonce have been sent
773 back correctly, and then store our peer's nonce. */
774 if (!name_matches(&m->remote,st->remotename)) {
775 *error="wrong remote site name";
778 if (!name_matches(&m->local,st->localname)) {
779 *error="wrong local site name";
782 if (memcmp(m->nL,st->localN,NONCELEN)!=0) {
783 *error="wrong locally-generated nonce";
786 if (type==LABEL_MSG2) return True;
787 if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)) {
788 *error="wrong remotely-generated nonce";
791 /* MSG3 has complicated rules about capabilities, which are
792 * handled in process_msg3. */
793 if (MSGMAJOR(type) == 3) return True;
794 if (m->remote_capabilities!=st->remote_capabilities) {
795 *error="remote capabilities changed";
798 if (type==LABEL_MSG4) return True;
799 *error="unknown message type";
803 static bool_t generate_msg1(struct site *st)
805 st->random->generate(st->random->st,NONCELEN,st->localN);
806 return generate_msg(st,LABEL_MSG1,"site:MSG1");
809 static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
810 const struct comm_addr *src, struct msg *m)
812 /* We've already determined we're in an appropriate state to
813 process an incoming MSG1, and that the MSG1 has correct values
816 st->setup_session_id=m->source;
817 st->remote_capabilities=m->remote_capabilities;
818 memcpy(st->remoteN,m->nR,NONCELEN);
822 static bool_t generate_msg2(struct site *st)
824 st->random->generate(st->random->st,NONCELEN,st->localN);
825 return generate_msg(st,LABEL_MSG2,"site:MSG2");
828 static bool_t process_msg2(struct site *st, struct buffer_if *msg2,
829 const struct comm_addr *src)
834 if (!unpick_msg(st,LABEL_MSG2,msg2,&m)) return False;
835 if (!check_msg(st,LABEL_MSG2,&m,&err)) {
836 slog(st,LOG_SEC,"msg2: %s",err);
839 st->setup_session_id=m.source;
840 st->remote_capabilities=m.remote_capabilities;
842 /* Select the transform to use */
844 uint32_t remote_crypto_caps = st->remote_capabilities & CAPAB_TRANSFORM_MASK;
845 if (!remote_crypto_caps)
846 /* old secnets only had this one transform */
847 remote_crypto_caps = 1UL << CAPAB_BIT_ANCIENTTRANSFORM;
849 #define CHOOSE_CRYPTO(kind, whats) do { \
850 struct kind##_if *iface; \
851 uint32_t bit, ours = 0; \
853 for (i= 0; i < st->n##kind##s; i++) { \
854 iface=st->kind##s[i]; \
855 bit = 1UL << iface->capab_bit; \
856 if (bit & remote_crypto_caps) goto kind##_found; \
859 slog(st,LOG_ERROR,"no " whats " in common" \
860 " (us %#"PRIx32"; them: %#"PRIx32")", \
861 st->local_capabilities & ours, remote_crypto_caps); \
864 st->chosen_##kind = iface; \
867 CHOOSE_CRYPTO(transform, "transforms");
871 memcpy(st->remoteN,m.nR,NONCELEN);
875 static bool_t generate_msg3(struct site *st)
877 /* Now we have our nonce and their nonce. Think of a secret key,
878 and create message number 3. */
879 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
880 return generate_msg(st,
881 (st->remote_capabilities & CAPAB_TRANSFORM_MASK)
887 static bool_t process_msg3_msg4(struct site *st, struct msg *m)
892 /* Check signature and store g^x mod m */
893 hash=safe_malloc(st->hash->len, "process_msg3_msg4");
894 hst=st->hash->init();
895 st->hash->update(hst,m->hashstart,m->hashlen);
896 st->hash->final(hst,hash);
897 /* Terminate signature with a '0' - already checked that this will fit */
899 if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m->sig)) {
900 slog(st,LOG_SEC,"msg3/msg4 signature failed check!");
906 st->remote_adv_mtu=m->remote_mtu;
911 static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
912 const struct comm_addr *src, uint32_t msgtype)
918 case CASES_MSG3_KNOWN: break;
922 if (!unpick_msg(st,msgtype,msg3,&m)) return False;
923 if (!check_msg(st,msgtype,&m,&err)) {
924 slog(st,LOG_SEC,"msg3: %s",err);
927 uint32_t capab_adv_late = m.remote_capabilities
928 & ~st->remote_capabilities & st->early_capabilities;
929 if (capab_adv_late) {
930 slog(st,LOG_SEC,"msg3 impermissibly adds early capability flag(s)"
931 " %#"PRIx32" (was %#"PRIx32", now %#"PRIx32")",
932 capab_adv_late, st->remote_capabilities, m.remote_capabilities);
936 #define CHOSE_CRYPTO(kind, what) do { \
937 struct kind##_if *iface; \
939 for (i=0; i<st->n##kind##s; i++) { \
940 iface=st->kind##s[i]; \
941 if (iface->capab_bit == m.capab_##kind##num) \
944 slog(st,LOG_SEC,"peer chose unknown-to-us " what " %d!", \
945 m.capab_##kind##num); \
948 st->chosen_##kind=iface; \
951 CHOSE_CRYPTO(transform, "transform");
955 if (!process_msg3_msg4(st,&m))
958 /* Update our idea of the remote site's capabilities, now that we've
959 * verified that its message was authentic.
961 * Our previous idea of the remote site's capabilities came from the
962 * unauthenticated MSG1. We've already checked that this new message
963 * doesn't change any of the bits we relied upon in the past, but it may
964 * also have set additional capability bits. We simply throw those away
965 * now, and use the authentic capabilities from this MSG3. */
966 st->remote_capabilities=m.remote_capabilities;
968 /* Terminate their DH public key with a '0' */
970 /* Invent our DH secret key */
971 st->random->generate(st->random->st,st->dh->len,st->dhsecret);
973 /* Generate the shared key and set up the transform */
974 if (!set_new_transform(st,m.pk)) return False;
979 static bool_t generate_msg4(struct site *st)
981 /* We have both nonces, their public key and our private key. Generate
982 our public key, sign it and send it to them. */
983 return generate_msg(st,LABEL_MSG4,"site:MSG4");
986 static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
987 const struct comm_addr *src)
992 if (!unpick_msg(st,LABEL_MSG4,msg4,&m)) return False;
993 if (!check_msg(st,LABEL_MSG4,&m,&err)) {
994 slog(st,LOG_SEC,"msg4: %s",err);
998 if (!process_msg3_msg4(st,&m))
1001 /* Terminate their DH public key with a '0' */
1004 /* Generate the shared key and set up the transform */
1005 if (!set_new_transform(st,m.pk)) return False;
1016 static bool_t unpick_msg0(struct site *st, struct buffer_if *msg0,
1019 CHECK_AVAIL(msg0,4);
1020 m->dest=buf_unprepend_uint32(msg0);
1021 CHECK_AVAIL(msg0,4);
1022 m->source=buf_unprepend_uint32(msg0);
1023 CHECK_AVAIL(msg0,4);
1024 m->type=buf_unprepend_uint32(msg0);
1026 /* Leaves transformed part of buffer untouched */
1029 static bool_t generate_msg5(struct site *st)
1031 cstring_t transform_err;
1033 BUF_ALLOC(&st->buffer,"site:MSG5");
1034 /* We are going to add four words to the message */
1035 buffer_init(&st->buffer,calculate_max_start_pad());
1036 /* Give the netlink code an opportunity to put its own stuff in the
1037 message (configuration information, etc.) */
1038 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
1039 if (call_transform_forwards(st,st->new_transform,
1040 &st->buffer,&transform_err))
1042 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
1043 buf_prepend_uint32(&st->buffer,st->index);
1044 buf_prepend_uint32(&st->buffer,st->setup_session_id);
1046 st->retries=st->setup_retries;
1050 static bool_t process_msg5(struct site *st, struct buffer_if *msg5,
1051 const struct comm_addr *src,
1052 struct transform_inst_if *transform)
1055 cstring_t transform_err;
1057 if (!unpick_msg0(st,msg5,&m)) return False;
1059 if (call_transform_reverse(st,transform,msg5,&transform_err)) {
1060 /* There's a problem */
1061 slog(st,LOG_SEC,"process_msg5: transform: %s",transform_err);
1064 /* Buffer should now contain untransformed PING packet data */
1065 CHECK_AVAIL(msg5,4);
1066 if (buf_unprepend_uint32(msg5)!=LABEL_MSG5) {
1067 slog(st,LOG_SEC,"MSG5/PING packet contained wrong label");
1070 /* Older versions of secnet used to write some config data here
1071 * which we ignore. So we don't CHECK_EMPTY */
1075 static void create_msg6(struct site *st, struct transform_inst_if *transform,
1076 uint32_t session_id)
1078 cstring_t transform_err;
1080 BUF_ALLOC(&st->buffer,"site:MSG6");
1081 /* We are going to add four words to the message */
1082 buffer_init(&st->buffer,calculate_max_start_pad());
1083 /* Give the netlink code an opportunity to put its own stuff in the
1084 message (configuration information, etc.) */
1085 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
1086 transform_apply_return problem =
1087 call_transform_forwards(st,transform,
1088 &st->buffer,&transform_err);
1090 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
1091 buf_prepend_uint32(&st->buffer,st->index);
1092 buf_prepend_uint32(&st->buffer,session_id);
1095 static bool_t generate_msg6(struct site *st)
1097 if (!is_transform_valid(st->new_transform))
1099 create_msg6(st,st->new_transform,st->setup_session_id);
1100 st->retries=1; /* Peer will retransmit MSG5 if this packet gets lost */
1104 static bool_t process_msg6(struct site *st, struct buffer_if *msg6,
1105 const struct comm_addr *src)
1108 cstring_t transform_err;
1110 if (!unpick_msg0(st,msg6,&m)) return False;
1112 if (call_transform_reverse(st,st->new_transform,msg6,&transform_err)) {
1113 /* There's a problem */
1114 slog(st,LOG_SEC,"process_msg6: transform: %s",transform_err);
1117 /* Buffer should now contain untransformed PING packet data */
1118 CHECK_AVAIL(msg6,4);
1119 if (buf_unprepend_uint32(msg6)!=LABEL_MSG6) {
1120 slog(st,LOG_SEC,"MSG6/PONG packet contained invalid data");
1123 /* Older versions of secnet used to write some config data here
1124 * which we ignore. So we don't CHECK_EMPTY */
1128 static transform_apply_return
1129 decrypt_msg0(struct site *st, struct buffer_if *msg0,
1130 const struct comm_addr *src)
1132 cstring_t transform_err, auxkey_err, newkey_err="n/a";
1134 transform_apply_return problem;
1136 if (!unpick_msg0(st,msg0,&m)) return False;
1138 /* Keep a copy so we can try decrypting it with multiple keys */
1139 buffer_copy(&st->scratch, msg0);
1141 problem = call_transform_reverse(st,st->current.transform,
1142 msg0,&transform_err);
1144 if (!st->auxiliary_is_new)
1145 delete_one_key(st,&st->auxiliary_key,
1146 "peer has used new key","auxiliary key",LOG_SEC);
1149 if (transform_apply_return_badseq(problem))
1152 buffer_copy(msg0, &st->scratch);
1153 problem = call_transform_reverse(st,st->auxiliary_key.transform,
1156 slog(st,LOG_DROP,"processing packet which uses auxiliary key");
1157 if (st->auxiliary_is_new) {
1158 /* We previously timed out in state SENTMSG5 but it turns
1159 * out that our peer did in fact get our MSG5 and is
1160 * using the new key. So we should switch to it too. */
1161 /* This is a bit like activate_new_key. */
1164 st->current=st->auxiliary_key;
1165 st->auxiliary_key=t;
1167 delete_one_key(st,&st->auxiliary_key,"peer has used new key",
1168 "previous key",LOG_SEC);
1169 st->auxiliary_is_new=0;
1170 st->renegotiate_key_time=st->auxiliary_renegotiate_key_time;
1174 if (transform_apply_return_badseq(problem))
1177 if (st->state==SITE_SENTMSG5) {
1178 buffer_copy(msg0, &st->scratch);
1179 problem = call_transform_reverse(st,st->new_transform,
1182 /* It looks like we didn't get the peer's MSG6 */
1183 /* This is like a cut-down enter_new_state(SITE_RUN) */
1184 slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)");
1185 BUF_FREE(&st->buffer);
1187 activate_new_key(st);
1188 return 0; /* do process the data in this packet */
1190 if (transform_apply_return_badseq(problem))
1194 slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)",
1195 transform_err,auxkey_err,newkey_err);
1196 initiate_key_setup(st,"incoming message would not decrypt",0);
1197 send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt");
1202 slog(st,LOG_DROP,"transform: %s (bad seq.)",transform_err);
1207 static bool_t process_msg0(struct site *st, struct buffer_if *msg0,
1208 const struct comm_addr *src)
1211 transform_apply_return problem;
1213 problem = decrypt_msg0(st,msg0,src);
1214 if (problem==transform_apply_seqdupe) {
1215 /* We recently received another copy of this packet, maybe due
1216 * to polypath. That's not a problem; indeed, for the
1217 * purposes of transport address management it is a success.
1218 * But we don't want to process the packet. */
1219 transport_data_msgok(st,src);
1225 CHECK_AVAIL(msg0,4);
1226 type=buf_unprepend_uint32(msg0);
1229 /* We must forget about the current session. */
1230 delete_keys(st,"request from peer",LOG_SEC);
1231 /* probably, the peer is shutting down, and this is going to fail,
1232 * but we need to be trying to bring the link up again */
1234 initiate_key_setup(st,"peer requested key teardown",0);
1237 /* Deliver to netlink layer */
1238 st->netlink->deliver(st->netlink->st,msg0);
1239 transport_data_msgok(st,src);
1240 /* See whether we should start negotiating a new key */
1241 if (st->now > st->renegotiate_key_time)
1242 initiate_key_setup(st,"incoming packet in renegotiation window",0);
1245 slog(st,LOG_SEC,"incoming encrypted message of type %08x "
1252 static void dump_packet(struct site *st, struct buffer_if *buf,
1253 const struct comm_addr *addr, bool_t incoming,
1256 uint32_t dest=get_uint32(buf->start);
1257 uint32_t source=get_uint32(buf->start+4);
1258 uint32_t msgtype=get_uint32(buf->start+8);
1260 if (st->log_events & LOG_DUMP)
1261 slilog(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x: %s%s",
1262 st->tunname,incoming?"incoming":"outgoing",
1263 dest,source,msgtype,comm_addr_to_string(addr),
1267 static bool_t comm_addr_sendmsg(struct site *st,
1268 const struct comm_addr *dest,
1269 struct buffer_if *buf)
1272 struct comm_clientinfo *commclientinfo = 0;
1274 for (i=0; i < st->ncomms; i++) {
1275 if (st->comms[i] == dest->comm) {
1276 commclientinfo = st->commclientinfos[i];
1280 return dest->comm->sendmsg(dest->comm->st, buf, dest, commclientinfo);
1283 static uint32_t site_status(void *st)
1288 static bool_t send_msg(struct site *st)
1290 if (st->retries>0) {
1291 transport_xmit(st, &st->setup_peers, &st->buffer, True);
1292 st->timeout=st->now+st->setup_retry_interval;
1295 } else if (st->state==SITE_SENTMSG5) {
1296 logtimeout(st,"timed out sending MSG5, stashing new key");
1297 /* We stash the key we have produced, in case it turns out that
1298 * our peer did see our MSG5 after all and starts using it. */
1299 /* This is a bit like some of activate_new_key */
1300 struct transform_inst_if *t;
1301 t=st->auxiliary_key.transform;
1302 st->auxiliary_key.transform=st->new_transform;
1303 st->new_transform=t;
1304 dispose_transform(&st->new_transform);
1306 st->auxiliary_is_new=1;
1307 st->auxiliary_key.key_timeout=st->now+st->key_lifetime;
1308 st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time;
1309 st->auxiliary_key.remote_session_id=st->setup_session_id;
1311 enter_state_wait(st);
1314 logtimeout(st,"timed out sending key setup packet "
1315 "(in state %s)",state_name(st->state));
1316 enter_state_wait(st);
1321 static void site_resolve_callback(void *sst, const struct comm_addr *addrs,
1322 int stored_naddrs, int all_naddrs,
1323 const char *address, const char *failwhy)
1325 struct site *st=sst;
1327 if (!stored_naddrs) {
1328 slog(st,LOG_ERROR,"resolution of %s failed: %s",address,failwhy);
1330 slog(st,LOG_PEER_ADDRS,"resolution of %s completed, %d addrs, eg: %s",
1331 address, all_naddrs, comm_addr_to_string(&addrs[0]));;
1333 int space=st->transport_peers_max-st->resolving_n_results_stored;
1334 int n_tocopy=MIN(stored_naddrs,space);
1335 COPY_ARRAY(st->resolving_results + st->resolving_n_results_stored,
1338 st->resolving_n_results_stored += n_tocopy;
1339 st->resolving_n_results_all += all_naddrs;
1342 decrement_resolving_count(st,1);
1345 static void decrement_resolving_count(struct site *st, int by)
1347 assert(st->resolving_count>0);
1348 st->resolving_count-=by;
1350 if (st->resolving_count)
1353 /* OK, we are done with them all. Handle combined results. */
1355 const struct comm_addr *addrs=st->resolving_results;
1356 int naddrs=st->resolving_n_results_stored;
1357 assert(naddrs<=st->transport_peers_max);
1360 if (naddrs != st->resolving_n_results_all) {
1361 slog(st,LOG_SETUP_INIT,"resolution of supplied addresses/names"
1362 " yielded too many results (%d > %d), some ignored",
1363 st->resolving_n_results_all, naddrs);
1365 slog(st,LOG_STATE,"resolution completed, %d addrs, eg: %s",
1366 naddrs, iaddr_to_string(&addrs[0].ia));;
1369 switch (st->state) {
1371 if (transport_compute_setupinit_peers(st,addrs,naddrs,0)) {
1372 enter_new_state(st,SITE_SENTMSG1);
1374 /* Can't figure out who to try to to talk to */
1375 slog(st,LOG_SETUP_INIT,
1376 "key exchange failed: cannot find peer address");
1377 enter_state_run(st);
1380 case SITE_SENTMSG1: case SITE_SENTMSG2:
1381 case SITE_SENTMSG3: case SITE_SENTMSG4:
1384 /* We start using the address immediately for data too.
1385 * It's best to store it in st->peers now because we might
1386 * go via SENTMSG5, WAIT, and a MSG0, straight into using
1387 * the new key (without updating the data peer addrs). */
1388 transport_resolve_complete(st,addrs,naddrs);
1389 } else if (st->local_mobile) {
1390 /* We can't let this rest because we may have a peer
1391 * address which will break in the future. */
1392 slog(st,LOG_SETUP_INIT,"resolution failed: "
1393 "abandoning key exchange");
1394 enter_state_wait(st);
1396 slog(st,LOG_SETUP_INIT,"resolution failed: "
1397 " continuing to use source address of peer's packets"
1398 " for key exchange and ultimately data");
1403 slog(st,LOG_SETUP_INIT,"resolution completed tardily,"
1404 " updating peer address(es)");
1405 transport_resolve_complete_tardy(st,addrs,naddrs);
1406 } else if (st->local_mobile) {
1407 /* Not very good. We should queue (another) renegotiation
1408 * so that we can update the peer address. */
1409 st->key_renegotiate_time=st->now+wait_timeout(st);
1411 slog(st,LOG_SETUP_INIT,"resolution failed: "
1412 " continuing to use source address of peer's packets");
1422 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
1423 const struct comm_addr *prod_hint)
1425 /* Reentrancy hazard: can call enter_new_state/enter_state_* */
1426 if (st->state!=SITE_RUN) return False;
1427 slog(st,LOG_SETUP_INIT,"initiating key exchange (%s)",reason);
1428 if (st->addresses) {
1429 slog(st,LOG_SETUP_INIT,"resolving peer address(es)");
1430 return enter_state_resolve(st);
1431 } else if (transport_compute_setupinit_peers(st,0,0,prod_hint)) {
1432 return enter_new_state(st,SITE_SENTMSG1);
1434 slog(st,LOG_SETUP_INIT,"key exchange failed: no address for peer");
1438 static void activate_new_key(struct site *st)
1440 struct transform_inst_if *t;
1442 /* We have three transform instances, which we swap between old,
1444 t=st->auxiliary_key.transform;
1445 st->auxiliary_key.transform=st->current.transform;
1446 st->current.transform=st->new_transform;
1447 st->new_transform=t;
1448 dispose_transform(&st->new_transform);
1451 st->auxiliary_is_new=0;
1452 st->auxiliary_key.key_timeout=st->current.key_timeout;
1453 st->current.key_timeout=st->now+st->key_lifetime;
1454 st->renegotiate_key_time=st->now+st->key_renegotiate_time;
1455 transport_peers_copy(st,&st->peers,&st->setup_peers);
1456 st->current.remote_session_id=st->setup_session_id;
1458 /* Compute the inter-site MTU. This is min( our_mtu, their_mtu ).
1459 * But their mtu be unspecified, in which case we just use ours. */
1460 uint32_t intersite_mtu=
1461 MIN(st->mtu_target, st->remote_adv_mtu ?: ~(uint32_t)0);
1462 st->netlink->set_mtu(st->netlink->st,intersite_mtu);
1464 slog(st,LOG_ACTIVATE_KEY,"new key activated"
1465 " (mtu ours=%"PRId32" theirs=%"PRId32" intersite=%"PRId32")",
1466 st->mtu_target, st->remote_adv_mtu, intersite_mtu);
1467 enter_state_run(st);
1470 static void delete_one_key(struct site *st, struct data_key *key,
1471 cstring_t reason, cstring_t which, uint32_t loglevel)
1473 if (!is_transform_valid(key->transform)) return;
1474 if (reason) slog(st,loglevel,"%s deleted (%s)",which,reason);
1475 dispose_transform(&key->transform);
1479 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel)
1481 if (current_valid(st)) {
1482 slog(st,loglevel,"session closed (%s)",reason);
1484 delete_one_key(st,&st->current,0,0,0);
1485 set_link_quality(st);
1487 delete_one_key(st,&st->auxiliary_key,0,0,0);
1490 static void state_assert(struct site *st, bool_t ok)
1492 if (!ok) fatal("site:state_assert");
1495 static void enter_state_stop(struct site *st)
1497 st->state=SITE_STOP;
1499 delete_keys(st,"entering state STOP",LOG_TIMEOUT_KEY);
1500 dispose_transform(&st->new_transform);
1503 static void set_link_quality(struct site *st)
1506 if (current_valid(st))
1507 quality=LINK_QUALITY_UP;
1508 else if (st->state==SITE_WAIT || st->state==SITE_STOP)
1509 quality=LINK_QUALITY_DOWN;
1510 else if (st->addresses)
1511 quality=LINK_QUALITY_DOWN_CURRENT_ADDRESS;
1512 else if (transport_peers_valid(&st->peers))
1513 quality=LINK_QUALITY_DOWN_STALE_ADDRESS;
1515 quality=LINK_QUALITY_DOWN;
1517 st->netlink->set_quality(st->netlink->st,quality);
1520 static void enter_state_run(struct site *st)
1522 slog(st,LOG_STATE,"entering state RUN%s",
1523 current_valid(st) ? " (keyed)" : " (unkeyed)");
1527 st->setup_session_id=0;
1528 transport_peers_clear(st,&st->setup_peers);
1529 FILLZERO(st->localN);
1530 FILLZERO(st->remoteN);
1531 dispose_transform(&st->new_transform);
1532 memset(st->dhsecret,0,st->dh->len);
1533 if (st->sharedsecret) memset(st->sharedsecret,0,st->sharedsecretlen);
1534 set_link_quality(st);
1536 if (st->keepalive && !current_valid(st))
1537 initiate_key_setup(st, "keepalive", 0);
1540 static bool_t ensure_resolving(struct site *st)
1542 /* Reentrancy hazard: may call site_resolve_callback and hence
1543 * enter_new_state, enter_state_* and generate_msg*. */
1544 if (st->resolving_count)
1547 assert(st->addresses);
1549 /* resolver->request might reentrantly call site_resolve_callback
1550 * which will decrement st->resolving, so we need to increment it
1551 * twice beforehand to prevent decrement from thinking we're
1552 * finished, and decrement it ourselves. Alternatively if
1553 * everything fails then there are no callbacks due and we simply
1554 * set it to 0 and return false.. */
1555 st->resolving_n_results_stored=0;
1556 st->resolving_n_results_all=0;
1557 st->resolving_count+=2;
1558 const char **addrp=st->addresses;
1559 const char *address;
1561 for (; (address=*addrp++); ) {
1562 bool_t ok = st->resolver->request(st->resolver->st,address,
1563 st->remoteport,st->comms[0],
1564 site_resolve_callback,st);
1566 st->resolving_count++;
1570 st->resolving_count=0;
1573 decrement_resolving_count(st,2);
1577 static bool_t enter_state_resolve(struct site *st)
1579 /* Reentrancy hazard! See ensure_resolving. */
1580 state_assert(st,st->state==SITE_RUN);
1581 slog(st,LOG_STATE,"entering state RESOLVE");
1582 st->state=SITE_RESOLVE;
1583 return ensure_resolving(st);
1586 static bool_t enter_new_state(struct site *st, uint32_t next)
1588 bool_t (*gen)(struct site *st);
1591 slog(st,LOG_STATE,"entering state %s",state_name(next));
1594 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE);
1596 st->msg1_crossed_logged = False;
1599 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1600 st->state==SITE_SENTMSG1 || st->state==SITE_WAIT);
1604 state_assert(st,st->state==SITE_SENTMSG1);
1605 BUF_FREE(&st->buffer);
1609 state_assert(st,st->state==SITE_SENTMSG2);
1610 BUF_FREE(&st->buffer);
1614 state_assert(st,st->state==SITE_SENTMSG3);
1615 BUF_FREE(&st->buffer);
1619 state_assert(st,st->state==SITE_SENTMSG4);
1620 BUF_FREE(&st->buffer);
1625 fatal("enter_new_state(%s): invalid new state",state_name(next));
1629 if (hacky_par_start_failnow()) return False;
1631 r= gen(st) && send_msg(st);
1634 st->setup_retries, st->setup_retry_interval,
1639 if (next==SITE_RUN) {
1640 BUF_FREE(&st->buffer); /* Never reused */
1641 st->timeout=0; /* Never retransmit */
1642 activate_new_key(st);
1646 slog(st,LOG_ERROR,"error entering state %s",state_name(next));
1647 st->buffer.free=False; /* Unconditionally use the buffer; it may be
1648 in either state, and enter_state_wait() will
1650 enter_state_wait(st);
1654 /* msg7 tells our peer that we're about to forget our key */
1655 static bool_t send_msg7(struct site *st, cstring_t reason)
1657 cstring_t transform_err;
1659 if (current_valid(st) && st->buffer.free
1660 && transport_peers_valid(&st->peers)) {
1661 BUF_ALLOC(&st->buffer,"site:MSG7");
1662 buffer_init(&st->buffer,calculate_max_start_pad());
1663 buf_append_uint32(&st->buffer,LABEL_MSG7);
1664 buf_append_string(&st->buffer,reason);
1665 if (call_transform_forwards(st, st->current.transform,
1666 &st->buffer, &transform_err))
1668 buf_prepend_uint32(&st->buffer,LABEL_MSG0);
1669 buf_prepend_uint32(&st->buffer,st->index);
1670 buf_prepend_uint32(&st->buffer,st->current.remote_session_id);
1671 transport_xmit(st,&st->peers,&st->buffer,True);
1672 BUF_FREE(&st->buffer);
1679 /* We go into this state if our peer becomes uncommunicative. Similar to
1680 the "stop" state, we forget all session keys for a while, before
1681 re-entering the "run" state. */
1682 static void enter_state_wait(struct site *st)
1684 slog(st,LOG_STATE,"entering state WAIT");
1685 st->timeout=st->now+wait_timeout(st);
1686 st->state=SITE_WAIT;
1687 set_link_quality(st);
1688 BUF_FREE(&st->buffer); /* will have had an outgoing packet in it */
1689 /* XXX Erase keys etc. */
1692 static void generate_prod(struct site *st, struct buffer_if *buf)
1695 buf_append_uint32(buf,0);
1696 buf_append_uint32(buf,0);
1697 buf_append_uint32(buf,LABEL_PROD);
1698 buf_append_string(buf,st->localname);
1699 buf_append_string(buf,st->remotename);
1702 static void generate_send_prod(struct site *st,
1703 const struct comm_addr *source)
1705 if (!st->allow_send_prod) return; /* too soon */
1706 if (!(st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1707 st->state==SITE_WAIT)) return; /* we'd ignore peer's MSG1 */
1709 slog(st,LOG_SETUP_INIT,"prodding peer for key exchange");
1710 st->allow_send_prod=0;
1711 generate_prod(st,&st->scratch);
1712 bool_t ok = comm_addr_sendmsg(st, source, &st->scratch);
1713 dump_packet(st,&st->scratch,source,False,ok);
1716 static inline void site_settimeout(uint64_t timeout, int *timeout_io)
1719 int64_t offset=timeout-*now;
1720 if (offset<0) offset=0;
1721 if (offset>INT_MAX) offset=INT_MAX;
1722 if (*timeout_io<0 || offset<*timeout_io)
1727 static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io,
1730 struct site *st=sst;
1732 BEFOREPOLL_WANT_FDS(0); /* We don't use any file descriptors */
1735 /* Work out when our next timeout is. The earlier of 'timeout' or
1736 'current.key_timeout'. A stored value of '0' indicates no timeout
1738 site_settimeout(st->timeout, timeout_io);
1739 site_settimeout(st->current.key_timeout, timeout_io);
1740 site_settimeout(st->auxiliary_key.key_timeout, timeout_io);
1742 return 0; /* success */
1745 static void check_expiry(struct site *st, struct data_key *key,
1748 if (key->key_timeout && *now>key->key_timeout) {
1749 delete_one_key(st,key,"maximum life exceeded",which,LOG_TIMEOUT_KEY);
1753 /* NB site_afterpoll will be called before site_beforepoll is ever called */
1754 static void site_afterpoll(void *sst, struct pollfd *fds, int nfds)
1756 struct site *st=sst;
1759 if (st->timeout && *now>st->timeout) {
1761 if (st->state>=SITE_SENTMSG1 && st->state<=SITE_SENTMSG5) {
1762 if (!hacky_par_start_failnow())
1764 } else if (st->state==SITE_WAIT) {
1765 enter_state_run(st);
1767 slog(st,LOG_ERROR,"site_afterpoll: unexpected timeout, state=%d",
1771 check_expiry(st,&st->current,"current key");
1772 check_expiry(st,&st->auxiliary_key,"auxiliary key");
1775 /* This function is called by the netlink device to deliver packets
1776 intended for the remote network. The packet is in "raw" wire
1777 format, but is guaranteed to be word-aligned. */
1778 static void site_outgoing(void *sst, struct buffer_if *buf)
1780 struct site *st=sst;
1781 cstring_t transform_err;
1783 if (st->state==SITE_STOP) {
1788 st->allow_send_prod=1;
1790 /* In all other states we consider delivering the packet if we have
1791 a valid key and a valid address to send it to. */
1792 if (current_valid(st) && transport_peers_valid(&st->peers)) {
1793 /* Transform it and send it */
1795 buf_prepend_uint32(buf,LABEL_MSG9);
1796 if (call_transform_forwards(st, st->current.transform,
1797 buf, &transform_err))
1799 buf_prepend_uint32(buf,LABEL_MSG0);
1800 buf_prepend_uint32(buf,st->index);
1801 buf_prepend_uint32(buf,st->current.remote_session_id);
1802 transport_xmit(st,&st->peers,buf,False);
1809 slog(st,LOG_DROP,"discarding outgoing packet of size %d",buf->size);
1811 initiate_key_setup(st,"outgoing packet",0);
1814 static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in,
1815 uint32_t type, struct msg *m)
1816 /* For packets which are identified by the local and remote names.
1817 * If it has our name and our peer's name in it it's for us. */
1819 struct buffer_if buf[1];
1820 buffer_readonly_clone(buf,buf_in);
1821 return unpick_msg(st,type,buf,m)
1822 && name_matches(&m->remote,st->remotename)
1823 && name_matches(&m->local,st->localname);
1826 static bool_t we_have_priority(struct site *st, const struct msg *m) {
1827 if (st->local_capabilities & m->remote_capabilities &
1828 CAPAB_PRIORITY_MOBILE) {
1829 if (st->local_mobile) return True;
1830 if (st-> peer_mobile) return False;
1832 return st->our_name_later;
1835 static bool_t setup_late_msg_ok(struct site *st,
1836 const struct buffer_if *buf_in,
1838 const struct comm_addr *source) {
1839 /* For setup packets which seem from their type like they are
1840 * late. Maybe they came via a different path. All we do is make
1841 * a note of the sending address, iff they look like they are part
1842 * of the current key setup attempt. */
1844 if (!named_for_us(st,buf_in,msgtype,&m))
1845 /* named_for_us calls unpick_msg which gets the nonces */
1847 if (!consttime_memeq(m.nR,st->remoteN,NONCELEN) ||
1848 !consttime_memeq(m.nL,st->localN, NONCELEN))
1849 /* spoof ? from stale run ? who knows */
1851 transport_setup_msgok(st,source);
1855 /* This function is called by the communication device to deliver
1856 packets from our peers.
1857 It should return True if the packet is recognised as being for
1858 this current site instance (and should therefore not be processed
1859 by other sites), even if the packet was otherwise ignored. */
1860 static bool_t site_incoming(void *sst, struct buffer_if *buf,
1861 const struct comm_addr *source)
1863 struct site *st=sst;
1865 if (buf->size < 12) return False;
1867 uint32_t dest=get_uint32(buf->start);
1868 uint32_t msgtype=get_uint32(buf->start+8);
1869 struct msg named_msg;
1871 if (msgtype==LABEL_MSG1) {
1872 if (!named_for_us(st,buf,msgtype,&named_msg))
1874 /* It's a MSG1 addressed to us. Decide what to do about it. */
1875 dump_packet(st,buf,source,True,True);
1876 if (st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1877 st->state==SITE_WAIT) {
1878 /* We should definitely process it */
1879 transport_compute_setupinit_peers(st,0,0,source);
1880 if (process_msg1(st,buf,source,&named_msg)) {
1881 slog(st,LOG_SETUP_INIT,"key setup initiated by peer");
1882 bool_t entered=enter_new_state(st,SITE_SENTMSG2);
1883 if (entered && st->addresses && st->local_mobile)
1884 /* We must do this as the very last thing, because
1885 the resolver callback might reenter us. */
1886 ensure_resolving(st);
1888 slog(st,LOG_ERROR,"failed to process incoming msg1");
1892 } else if (st->state==SITE_SENTMSG1) {
1893 /* We've just sent a message 1! They may have crossed on
1894 the wire. If we have priority then we ignore the
1895 incoming one, otherwise we process it as usual. */
1896 if (we_have_priority(st,&named_msg)) {
1898 if (!st->msg1_crossed_logged++)
1899 slog(st,LOG_SETUP_INIT,"crossed msg1s; we are higher "
1900 "priority => ignore incoming msg1");
1903 slog(st,LOG_SETUP_INIT,"crossed msg1s; we are lower "
1904 "priority => use incoming msg1");
1905 if (process_msg1(st,buf,source,&named_msg)) {
1906 BUF_FREE(&st->buffer); /* Free our old message 1 */
1907 transport_setup_msgok(st,source);
1908 enter_new_state(st,SITE_SENTMSG2);
1910 slog(st,LOG_ERROR,"failed to process an incoming "
1911 "crossed msg1 (we have low priority)");
1916 } else if (st->state==SITE_SENTMSG2 ||
1917 st->state==SITE_SENTMSG4) {
1918 if (consttime_memeq(named_msg.nR,st->remoteN,NONCELEN)) {
1919 /* We are ahead in the protocol, but that msg1 had the
1920 * peer's nonce so presumably it is from this key
1921 * exchange run, via a slower route */
1922 transport_setup_msgok(st,source);
1924 slog(st,LOG_UNEXPECTED,"competing incoming message 1");
1929 /* The message 1 was received at an unexpected stage of the
1930 key setup. Well, they lost the race. */
1931 slog(st,LOG_UNEXPECTED,"unexpected incoming message 1");
1935 if (msgtype==LABEL_PROD) {
1936 if (!named_for_us(st,buf,msgtype,&named_msg))
1938 dump_packet(st,buf,source,True,True);
1939 if (st->state!=SITE_RUN) {
1940 slog(st,LOG_DROP,"ignoring PROD when not in state RUN");
1941 } else if (current_valid(st)) {
1942 slog(st,LOG_DROP,"ignoring PROD when we think we have a key");
1944 initiate_key_setup(st,"peer sent PROD packet",source);
1949 if (dest==st->index) {
1950 /* Explicitly addressed to us */
1951 if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True,True);
1954 /* If the source is our current peer then initiate a key setup,
1955 because our peer's forgotten the key */
1956 if (get_uint32(buf->start+4)==st->current.remote_session_id) {
1958 initiated = initiate_key_setup(st,"received a NAK",source);
1959 if (!initiated) generate_send_prod(st,source);
1961 slog(st,LOG_SEC,"bad incoming NAK");
1965 process_msg0(st,buf,source);
1968 /* Setup packet: should not have been explicitly addressed
1970 slog(st,LOG_SEC,"incoming explicitly addressed msg1");
1973 /* Setup packet: expected only in state SENTMSG1 */
1974 if (st->state!=SITE_SENTMSG1) {
1975 if ((st->state==SITE_SENTMSG3 ||
1976 st->state==SITE_SENTMSG5) &&
1977 setup_late_msg_ok(st,buf,msgtype,source))
1979 slog(st,LOG_UNEXPECTED,"unexpected MSG2");
1980 } else if (process_msg2(st,buf,source)) {
1981 transport_setup_msgok(st,source);
1982 enter_new_state(st,SITE_SENTMSG3);
1984 slog(st,LOG_SEC,"invalid MSG2");
1987 case CASES_MSG3_KNOWN:
1988 /* Setup packet: expected only in state SENTMSG2 */
1989 if (st->state!=SITE_SENTMSG2) {
1990 if ((st->state==SITE_SENTMSG4) &&
1991 setup_late_msg_ok(st,buf,msgtype,source))
1993 slog(st,LOG_UNEXPECTED,"unexpected MSG3");
1994 } else if (process_msg3(st,buf,source,msgtype)) {
1995 transport_setup_msgok(st,source);
1996 enter_new_state(st,SITE_SENTMSG4);
1998 slog(st,LOG_SEC,"invalid MSG3");
2002 /* Setup packet: expected only in state SENTMSG3 */
2003 if (st->state!=SITE_SENTMSG3) {
2004 if ((st->state==SITE_SENTMSG5) &&
2005 setup_late_msg_ok(st,buf,msgtype,source))
2007 slog(st,LOG_UNEXPECTED,"unexpected MSG4");
2008 } else if (process_msg4(st,buf,source)) {
2009 transport_setup_msgok(st,source);
2010 enter_new_state(st,SITE_SENTMSG5);
2012 slog(st,LOG_SEC,"invalid MSG4");
2016 /* Setup packet: expected only in state SENTMSG4 */
2017 /* (may turn up in state RUN if our return MSG6 was lost
2018 and the new key has already been activated. In that
2019 case we discard it. The peer will realise that we
2020 are using the new key when they see our data packets.
2021 Until then the peer's data packets to us get discarded. */
2022 if (st->state==SITE_SENTMSG4) {
2023 if (process_msg5(st,buf,source,st->new_transform)) {
2024 transport_setup_msgok(st,source);
2025 enter_new_state(st,SITE_RUN);
2027 slog(st,LOG_SEC,"invalid MSG5");
2029 } else if (st->state==SITE_RUN) {
2030 if (process_msg5(st,buf,source,st->current.transform)) {
2031 slog(st,LOG_DROP,"got MSG5, retransmitting MSG6");
2032 transport_setup_msgok(st,source);
2033 create_msg6(st,st->current.transform,
2034 st->current.remote_session_id);
2035 transport_xmit(st,&st->peers,&st->buffer,True);
2036 BUF_FREE(&st->buffer);
2038 slog(st,LOG_SEC,"invalid MSG5 (in state RUN)");
2041 slog(st,LOG_UNEXPECTED,"unexpected MSG5");
2045 /* Setup packet: expected only in state SENTMSG5 */
2046 if (st->state!=SITE_SENTMSG5) {
2047 slog(st,LOG_UNEXPECTED,"unexpected MSG6");
2048 } else if (process_msg6(st,buf,source)) {
2049 BUF_FREE(&st->buffer); /* Free message 5 */
2050 transport_setup_msgok(st,source);
2051 activate_new_key(st);
2053 slog(st,LOG_SEC,"invalid MSG6");
2057 slog(st,LOG_SEC,"received message of unknown type 0x%08x",
2068 static void site_control(void *vst, bool_t run)
2070 struct site *st=vst;
2071 if (run) enter_state_run(st);
2072 else enter_state_stop(st);
2075 static void site_phase_hook(void *sst, uint32_t newphase)
2077 struct site *st=sst;
2079 /* The program is shutting down; tell our peer */
2080 send_msg7(st,"shutting down");
2083 static void site_childpersist_clearkeys(void *sst, uint32_t newphase)
2085 struct site *st=sst;
2086 dispose_transform(&st->current.transform);
2087 dispose_transform(&st->auxiliary_key.transform);
2088 dispose_transform(&st->new_transform);
2089 /* Not much point overwiting the signing key, since we loaded it
2090 from disk, and it is only valid prospectively if at all,
2092 /* XXX it would be best to overwrite the DH state, because that
2093 _is_ relevant to forward secrecy. However we have no
2094 convenient interface for doing that and in practice gmp has
2095 probably dribbled droppings all over the malloc arena. A good
2096 way to fix this would be to have a privsep child for asymmetric
2097 crypto operations, but that's a task for another day. */
2100 static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
2103 static uint32_t index_sequence;
2111 st->cl.description="site";
2112 st->cl.type=CL_SITE;
2114 st->cl.interface=&st->ops;
2116 st->ops.control=site_control;
2117 st->ops.status=site_status;
2119 /* First parameter must be a dict */
2120 item=list_elem(args,0);
2121 if (!item || item->type!=t_dict)
2122 cfgfatal(loc,"site","parameter must be a dictionary\n");
2124 dict=item->data.dict;
2125 st->localname=dict_read_string(dict, "local-name", True, "site", loc);
2126 st->remotename=dict_read_string(dict, "name", True, "site", loc);
2128 st->keepalive=dict_read_bool(dict,"keepalive",False,"site",loc,False);
2130 st->peer_mobile=dict_read_bool(dict,"mobile",False,"site",loc,False);
2132 dict_read_bool(dict,"local-mobile",False,"site",loc,False);
2134 /* Sanity check (which also allows the 'sites' file to include
2135 site() closures for all sites including our own): refuse to
2136 talk to ourselves */
2137 if (strcmp(st->localname,st->remotename)==0) {
2138 Message(M_DEBUG,"site %s: local-name==name -> ignoring this site\n",
2140 if (st->peer_mobile != st->local_mobile)
2141 cfgfatal(loc,"site","site %s's peer-mobile=%d"
2142 " but our local-mobile=%d\n",
2143 st->localname, st->peer_mobile, st->local_mobile);
2147 if (st->peer_mobile && st->local_mobile) {
2148 Message(M_WARNING,"site %s: site is mobile but so are we"
2149 " -> ignoring this site\n", st->remotename);
2154 assert(index_sequence < 0xffffffffUL);
2155 st->index = ++index_sequence;
2156 st->local_capabilities = 0;
2157 st->early_capabilities = CAPAB_PRIORITY_MOBILE;
2158 st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc);
2160 #define GET_CLOSURE_LIST(dictkey,things,nthings,CL_TYPE) do{ \
2161 list_t *things##_cfg=dict_lookup(dict,dictkey); \
2162 if (!things##_cfg) \
2163 cfgfatal(loc,"site","closure list \"%s\" not found\n",dictkey); \
2164 st->nthings=list_length(things##_cfg); \
2165 NEW_ARY(st->things,st->nthings); \
2166 assert(st->nthings); \
2167 for (i=0; i<st->nthings; i++) { \
2168 item_t *item=list_elem(things##_cfg,i); \
2169 if (item->type!=t_closure) \
2170 cfgfatal(loc,"site","%s is not a closure\n",dictkey); \
2171 closure_t *cl=item->data.closure; \
2172 if (cl->type!=CL_TYPE) \
2173 cfgfatal(loc,"site","%s closure wrong type\n",dictkey); \
2174 st->things[i]=cl->interface; \
2178 GET_CLOSURE_LIST("comm",comms,ncomms,CL_COMM);
2180 NEW_ARY(st->commclientinfos, st->ncomms);
2181 dict_t *comminfo = dict_read_dict(dict,"comm-info",False,"site",loc);
2182 for (i=0; i<st->ncomms; i++) {
2183 st->commclientinfos[i] =
2185 st->comms[i]->clientinfo(st->comms[i],comminfo,loc);
2188 st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc);
2189 st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc);
2190 st->random=find_cl_if(dict,"random",CL_RANDOMSRC,True,"site",loc);
2192 st->privkey=find_cl_if(dict,"local-key",CL_RSAPRIVKEY,True,"site",loc);
2193 st->addresses=dict_read_string_array(dict,"address",False,"site",loc,0);
2195 st->remoteport=dict_read_number(dict,"port",True,"site",loc,0);
2196 else st->remoteport=0;
2197 st->pubkey=find_cl_if(dict,"key",CL_RSAPUBKEY,True,"site",loc);
2199 GET_CLOSURE_LIST("transform",transforms,ntransforms,CL_TRANSFORM);
2201 st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
2202 st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
2204 #define DEFAULT(D) (st->peer_mobile || st->local_mobile \
2205 ? DEFAULT_MOBILE_##D : DEFAULT_##D)
2206 #define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
2208 st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
2209 st->setup_retries= CFG_NUMBER("setup-retries", SETUP_RETRIES);
2210 st->setup_retry_interval= CFG_NUMBER("setup-timeout", SETUP_RETRY_INTERVAL);
2211 st->wait_timeout_mean= CFG_NUMBER("wait-time", WAIT_TIME);
2212 st->mtu_target= dict_read_number(dict,"mtu-target",False,"site",loc,0);
2214 st->mobile_peer_expiry= dict_read_number(
2215 dict,"mobile-peer-expiry",False,"site",loc,DEFAULT_MOBILE_PEER_EXPIRY);
2217 const char *peerskey= st->peer_mobile
2218 ? "mobile-peers-max" : "static-peers-max";
2219 st->transport_peers_max= dict_read_number(
2220 dict,peerskey,False,"site",loc, st->addresses ? 4 : 3);
2221 if (st->transport_peers_max<1 ||
2222 st->transport_peers_max>MAX_PEER_ADDRS) {
2223 cfgfatal(loc,"site", "%s must be in range 1.."
2224 STRING(MAX_PEER_ADDRS) "\n", peerskey);
2227 if (st->key_lifetime < DEFAULT(KEY_RENEGOTIATE_GAP)*2)
2228 st->key_renegotiate_time=st->key_lifetime/2;
2230 st->key_renegotiate_time=st->key_lifetime-DEFAULT(KEY_RENEGOTIATE_GAP);
2231 st->key_renegotiate_time=dict_read_number(
2232 dict,"renegotiate-time",False,"site",loc,st->key_renegotiate_time);
2233 if (st->key_renegotiate_time > st->key_lifetime) {
2234 cfgfatal(loc,"site",
2235 "renegotiate-time must be less than key-lifetime\n");
2238 st->log_events=string_list_to_word(dict_lookup(dict,"log-events"),
2239 log_event_table,"site");
2241 st->resolving_count=0;
2242 st->allow_send_prod=0;
2244 st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5,
2246 sprintf(st->tunname,"%s<->%s",st->localname,st->remotename);
2248 /* The information we expect to see in incoming messages of type 1 */
2249 /* fixme: lots of unchecked overflows here, but the results are only
2250 corrupted packets rather than undefined behaviour */
2251 st->our_name_later=(strcmp(st->localname,st->remotename)>0);
2253 buffer_new(&st->buffer,SETUP_BUFFER_LEN);
2255 buffer_new(&st->scratch,SETUP_BUFFER_LEN);
2256 BUF_ALLOC(&st->scratch,"site:scratch");
2258 /* We are interested in poll(), but only for timeouts. We don't have
2259 any fds of our own. */
2260 register_for_poll(st, site_beforepoll, site_afterpoll, "site");
2263 st->remote_capabilities=0;
2264 st->chosen_transform=0;
2265 st->current.key_timeout=0;
2266 st->auxiliary_key.key_timeout=0;
2267 transport_peers_clear(st,&st->peers);
2268 transport_peers_clear(st,&st->setup_peers);
2269 /* XXX mlock these */
2270 st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret");
2271 st->sharedsecretlen=st->sharedsecretallocd=0;
2274 #define SET_CAPBIT(bit) do { \
2275 uint32_t capflag = 1UL << (bit); \
2276 if (st->local_capabilities & capflag) \
2277 slog(st,LOG_ERROR,"capability bit" \
2278 " %d (%#"PRIx32") reused", (bit), capflag); \
2279 st->local_capabilities |= capflag; \
2282 for (i=0; i<st->ntransforms; i++)
2283 SET_CAPBIT(st->transforms[i]->capab_bit);
2287 if (st->local_mobile || st->peer_mobile)
2288 st->local_capabilities |= CAPAB_PRIORITY_MOBILE;
2290 /* We need to register the remote networks with the netlink device */
2291 uint32_t netlink_mtu; /* local virtual interface mtu */
2292 st->netlink->reg(st->netlink->st, site_outgoing, st, &netlink_mtu);
2293 if (!st->mtu_target)
2294 st->mtu_target=netlink_mtu;
2296 for (i=0; i<st->ncomms; i++)
2297 st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming);
2299 st->current.transform=0;
2300 st->auxiliary_key.transform=0;
2301 st->new_transform=0;
2302 st->auxiliary_is_new=0;
2304 enter_state_stop(st);
2306 add_hook(PHASE_SHUTDOWN,site_phase_hook,st);
2307 add_hook(PHASE_CHILDPERSIST,site_childpersist_clearkeys,st);
2309 return new_closure(&st->cl);
2312 void site_module(dict_t *dict)
2314 add_closure(dict,"site",site_apply);
2318 /***** TRANSPORT PEERS definitions *****/
2320 static void transport_peers_debug(struct site *st, transport_peers *dst,
2321 const char *didwhat,
2322 int nargs, const struct comm_addr *args,
2327 if (!(st->log_events & LOG_PEER_ADDRS))
2328 return; /* an optimisation */
2330 slog(st, LOG_PEER_ADDRS, "peers (%s) %s nargs=%d => npeers=%d",
2331 (dst==&st->peers ? "data" :
2332 dst==&st->setup_peers ? "setup" : "UNKNOWN"),
2333 didwhat, nargs, dst->npeers);
2335 for (i=0, argp=(void*)args;
2337 i++, (argp+=stride?stride:sizeof(*args))) {
2338 const struct comm_addr *ca=(void*)argp;
2339 slog(st, LOG_PEER_ADDRS, " args: addrs[%d]=%s",
2340 i, comm_addr_to_string(ca));
2342 for (i=0; i<dst->npeers; i++) {
2343 struct timeval diff;
2344 timersub(tv_now,&dst->peers[i].last,&diff);
2345 const struct comm_addr *ca=&dst->peers[i].addr;
2346 slog(st, LOG_PEER_ADDRS, " peers: addrs[%d]=%s T-%ld.%06ld",
2347 i, comm_addr_to_string(ca),
2348 (unsigned long)diff.tv_sec, (unsigned long)diff.tv_usec);
2352 static void transport_peers_expire(struct site *st, transport_peers *peers) {
2353 /* peers must be sorted first */
2354 int previous_peers=peers->npeers;
2355 struct timeval oldest;
2356 oldest.tv_sec = tv_now->tv_sec - st->mobile_peer_expiry;
2357 oldest.tv_usec = tv_now->tv_usec;
2358 while (peers->npeers>1 &&
2359 timercmp(&peers->peers[peers->npeers-1].last, &oldest, <))
2361 if (peers->npeers != previous_peers)
2362 transport_peers_debug(st,peers,"expire", 0,0,0);
2365 static bool_t transport_peer_record_one(struct site *st, transport_peers *peers,
2366 const struct comm_addr *ca,
2367 const struct timeval *tv) {
2368 /* returns false if output is full */
2371 if (peers->npeers >= st->transport_peers_max)
2374 for (search=0; search<peers->npeers; search++)
2375 if (comm_addr_equal(&peers->peers[search].addr, ca))
2378 peers->peers[peers->npeers].addr = *ca;
2379 peers->peers[peers->npeers].last = *tv;
2384 static void transport_record_peers(struct site *st, transport_peers *peers,
2385 const struct comm_addr *addrs, int naddrs,
2387 /* We add addrs into peers. The new entries end up at the front
2388 * and displace entries towards the end (perhaps even off the
2389 * end). Any existing matching entries are moved up to the front.
2391 * Caller must first call transport_peers_expire. */
2394 /* avoids debug for uninteresting updates */
2396 for (i=0; i<peers->npeers; i++) {
2397 if (comm_addr_equal(&addrs[0], &peers->peers[i].addr)) {
2398 memmove(peers->peers+1, peers->peers,
2399 sizeof(peers->peers[0]) * i);
2400 peers->peers[0].addr = addrs[0];
2401 peers->peers[0].last = *tv_now;
2407 int old_npeers=peers->npeers;
2408 transport_peer old_peers[old_npeers];
2409 COPY_ARRAY(old_peers,peers->peers,old_npeers);
2413 for (i=0; i<naddrs; i++) {
2414 if (!transport_peer_record_one(st,peers, &addrs[i], tv_now))
2417 for (i=0; i<old_npeers; i++) {
2418 const transport_peer *old=&old_peers[i];
2419 if (!transport_peer_record_one(st,peers, &old->addr, &old->last))
2423 transport_peers_debug(st,peers,m, naddrs,addrs,0);
2426 static void transport_expire_record_peers(struct site *st,
2427 transport_peers *peers,
2428 const struct comm_addr *addrs,
2429 int naddrs, const char *m) {
2430 /* Convenience function */
2431 transport_peers_expire(st,peers);
2432 transport_record_peers(st,peers,addrs,naddrs,m);
2435 static bool_t transport_compute_setupinit_peers(struct site *st,
2436 const struct comm_addr *configured_addrs /* 0 if none or not found */,
2437 int n_configured_addrs /* 0 if none or not found */,
2438 const struct comm_addr *incoming_packet_addr /* 0 if none */) {
2439 if (!n_configured_addrs && !incoming_packet_addr &&
2440 !transport_peers_valid(&st->peers))
2443 slog(st,LOG_SETUP_INIT,
2444 "using: %d configured addr(s);%s %d old peer addrs(es)",
2446 incoming_packet_addr ? " incoming packet address;" : "",
2449 /* Non-mobile peers try addresses until one is plausible. The
2450 * effect is that this code always tries first the configured
2451 * address if supplied, or otherwise the address of the incoming
2452 * PROD, or finally the existing data peer if one exists; this is
2455 transport_peers_copy(st,&st->setup_peers,&st->peers);
2456 transport_peers_expire(st,&st->setup_peers);
2458 if (incoming_packet_addr)
2459 transport_record_peers(st,&st->setup_peers,
2460 incoming_packet_addr,1, "incoming");
2462 if (n_configured_addrs)
2463 transport_record_peers(st,&st->setup_peers,
2464 configured_addrs,n_configured_addrs, "setupinit");
2466 assert(transport_peers_valid(&st->setup_peers));
2470 static void transport_setup_msgok(struct site *st, const struct comm_addr *a) {
2471 if (st->peer_mobile)
2472 transport_expire_record_peers(st,&st->setup_peers,a,1,"setupmsg");
2474 static void transport_data_msgok(struct site *st, const struct comm_addr *a) {
2475 if (st->peer_mobile)
2476 transport_expire_record_peers(st,&st->peers,a,1,"datamsg");
2479 static int transport_peers_valid(transport_peers *peers) {
2480 return peers->npeers;
2482 static void transport_peers_clear(struct site *st, transport_peers *peers) {
2484 transport_peers_debug(st,peers,"clear",0,0,0);
2486 static void transport_peers_copy(struct site *st, transport_peers *dst,
2487 const transport_peers *src) {
2488 dst->npeers=src->npeers;
2489 COPY_ARRAY(dst->peers, src->peers, dst->npeers);
2490 transport_peers_debug(st,dst,"copy",
2491 src->npeers, &src->peers->addr, sizeof(*src->peers));
2494 static void transport_resolve_complete(struct site *st,
2495 const struct comm_addr *addrs,
2497 transport_expire_record_peers(st,&st->peers,addrs,naddrs,
2499 transport_expire_record_peers(st,&st->setup_peers,addrs,naddrs,
2503 static void transport_resolve_complete_tardy(struct site *st,
2504 const struct comm_addr *addrs,
2506 transport_expire_record_peers(st,&st->peers,addrs,naddrs,
2507 "resolved tardily");
2510 static void transport_peers__copy_by_mask(transport_peer *out, int *nout_io,
2512 const transport_peers *inp) {
2513 /* out and in->peers may be the same region, or nonoverlapping */
2514 const transport_peer *in=inp->peers;
2516 for (slot=0; slot<inp->npeers; slot++) {
2517 if (!(mask & (1U << slot)))
2519 if (!(out==in && slot==*nout_io))
2520 COPY_OBJ(out[*nout_io], in[slot]);
2525 void transport_xmit(struct site *st, transport_peers *peers,
2526 struct buffer_if *buf, bool_t candebug) {
2528 transport_peers_expire(st, peers);
2529 unsigned failed=0; /* bitmask */
2530 assert(MAX_PEER_ADDRS < sizeof(unsigned)*CHAR_BIT);
2533 for (slot=0; slot<peers->npeers; slot++) {
2534 transport_peer *peer=&peers->peers[slot];
2535 bool_t ok = comm_addr_sendmsg(st, &peer->addr, buf);
2537 dump_packet(st, buf, &peer->addr, False, ok);
2539 failed |= 1U << slot;
2542 if (ok && !st->peer_mobile)
2545 /* Now we need to demote/delete failing addrs: if we are mobile we
2546 * merely demote them; otherwise we delete them. */
2547 if (st->local_mobile) {
2548 unsigned expected = ((1U << nfailed)-1) << (peers->npeers-nfailed);
2549 /* `expected' has all the failures at the end already */
2550 if (failed != expected) {
2552 transport_peer failedpeers[nfailed];
2553 transport_peers__copy_by_mask(failedpeers, &fslot, failed,peers);
2554 assert(fslot == nfailed);
2556 transport_peers__copy_by_mask(peers->peers,&wslot,~failed,peers);
2557 assert(wslot+nfailed == peers->npeers);
2558 COPY_ARRAY(peers->peers+wslot, failedpeers, nfailed);
2559 transport_peers_debug(st,peers,"mobile failure reorder",0,0,0);
2562 if (failed && peers->npeers > 1) {
2564 transport_peers__copy_by_mask(peers->peers,&wslot,~failed,peers);
2565 peers->npeers=wslot;
2566 transport_peers_debug(st,peers,"non-mobile failure cleanup",0,0,0);
2571 /***** END of transport peers declarations *****/
~ianmdlvl / secnet.git / blob