chiark - git - mdw - secnet/log

site: New PROD message

We introduce a new message PROD which requests that the peer initiate
a key exchange with us, if it doesn't already have a key.

This helps significantly reduce a possible "dead period" when one end
of a connection is restarted during key exchange. The dead period is
now limited to the time taken for the interrupted key exchange to time
out.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Use FORMAT everywhere, and fix up the errors it finds

Many printf-like variadic functions weren't properly decorated with
FORMAT annotations.  Add them everywhere.

It is not possible to annotate a function pointer type, so that
doesn't work for the function pointers in struct log_if.  However, we
have convenience wrapper functions slilog and vslilog, which are
appropriately decorated and therefore safer.  Change all call sites to
use those instead, and leave a comment.  (Rename the function pointer
variable names so that we don't miss any call sites.)

Fix the bugs that this new compiler checking reveals.  These are
nearly all in fatal error reporting, and not very scary.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: support multiple transforms

The "transform" key in site's dictionary argument can now be a list,
as well as just a single transform.

We use 16 bits of the capability mechanism to advertise the transforms
we support; the config is supposed to nominate a transform capability
number (from 0 to 15) for each transform closure - although the
default numbers are sufficient if you don't need to do parameter
rollover.

The receiver of MSG2 intersects the two bitmaps and chooses the best
transform, and states its choice in MSG3.

A protocol downgrade attack is prevented by the fact that the
capability bitmaps are advertised in the signed parts of MSG3 and
MSG4. (If the one in MSG4 doesn't match what was in MSG2, the MSG4 is
rejected and presumably the key exchange fails.)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site, transform: per-transform-instance max_start_pad

Replicate the max_start_pad value from the transform interface into
the instance interface.

Use the instance's version in site.c.

While we're at it, add an assertion to confirm that the value of
max_start_pad passed to buffer_init doesn't overrun the buffer.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site, netlink: abolish max_end_pad and min_end_pad

There is much code to compute these values, but they are never used
anywhere.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: dynamically create and destroy transform instances

Rather than making three transform instances at setup time, and then
using setkey on them, we create transform instances as needed and
destroy them when we delete their keys.

This is necessary because we are going to support multiple different
kinds of transform, so each one of the three transforms might be of
different kinds (supplied by different secnet modules) at different
times.

The variables current.transform, auxiliary_key.transform and
new_transform can all be NULL now.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

transform: Provide Serpment-EAX transform

This provides an alternative to the (rather badly broken)
serpent256-cbc transform.

In this patch, there is not yet any algorith negotiation for a smooth
upgrade, nor any changes to the example configurations.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

transform: Pass a direction flag to the transform

The same transform is used for inbound and outbound packets.

The transform should know which direction these packets are flowing
in; that (a) allows a transform to reject packets which are "looping
back" so to speak, and (b) makes it easier for a transform to generate
unique nonces.

This will be used by the forthcoming EAX transform. It is combined
with the sequence number (the same values of which are used by both
ends) to make the nonce, which must be unique across the single shared
key, ie unique across both flows.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

transform: Allow DH to set the key size

It turns out that the current Serpent CBC-MAC transform takes the raw
DH shared secret, and parcels it up in byte ranges for the various
uses (some of which are published).  Well, obviously this is not a
good idea.

But also it means the interface isn't set up to allow the size of the
key data provided to the transform to be determined by the size of the
DH modulus.

Fix this latter interface problem.  Now a transform can set its keylen
to 0, meaning it will be provided with the whole of the DH private
value.

We don't use this new feature yet.  We can't make the existing
transform use it without breaking compatibility, but it will be used
by the new EAX-based transform.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

transform: split out transform-common.h

To avoid too much duplication, some boilerplate and helpful code from
transport.c is now brought out into macros in transport-common.h.

It will be reused in the later commits introducing the EAX transform.

Also, rename transform.c to transform-cbcmac.c, etc.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

EAX: provide an implementation of EAX

EAX is a reasonably well-regarded Authenticated Encryption block
cipher mode.  We intend to replace the existing CBC and CBC-MAC
transform with EAX.  EAX can be used with any block cipher, but we
will use it with Serpent.

In this patch we provide an implementation of EAX itself.

This primary consists of eax.c, the actual implementation of the EAX
mode.

To test that our implementation is correct, we use aes.[ch], which we
copied from qemu in the previous commit, to run the EAX-AES test
vectors.  These are cut-and-pasted out of the EAX paper.

(To do this we need to make aes.[ch] compile in our environment - but
the changes are minimal.  We also improve the copyright notices.)

Then for completeness we also provide a set of EAX-Serpent test
vectors and the corresponding test code.  The EAX-Serpent test vectors
were generated by this very code, so aren't independently verified.

(The implementation of what is now consttime_curious_multiply, and the
comment preeding it, were provided by Mark.  I have lightly edited it
to conform to the coding style etc. of the rest of the file.)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Signed-off-by: Mark Wooding <mdw@distorted.org.uk>

crypto: Copy an AES (Rijndael) implementation into tree

We are going to want an implementation of AES so that we can run
publicly-provided test vectors of our EAX implementation.

qemu seem to have a version with a fairly convenient shape, so lift it
wholesale into our tree, from upstream qemu (their git commit
55616505876d6683130076b810a27c7889321560).

The files in this patch are _exactly_ as copied from that qemu tree,
so that we can separate out our own changes.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

crypto: Copy a SHA512 implementation into tree

We are going to want an implementation of SHA512 (initially for
hashing DH secrets into EAX keys).

Copy the version from coreutils 8.5, along with u64.h.

In this patch, we commit exactly the files from coreutils. They will
be made to compile later. Doing it this way means we can more easily
isolate changes we have to make.

Copying these files from coreutils makes secnet GPL-3+.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

serpent: const-correct

Decorate serpent_encrypt, serpent_decrypt and serpent_makekey with
appropriate consts in their arguments.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: interpret first 4 bytes of extrainfo as capabilities

Define the first four bytes of the additional data (after the nul in
site names in MSG1..4) in the sender's name field to be a capability
bitmask.  Currently no capability flags are defined.

To support this, replace extrainfo and its _len in struct parsedname
with a struct buffer_if.  We invent a new kind of buffer_if which is a
readonly view of another buffer; such a view can be initialised with
buffer_view_readonly.  This makes it convenient to parse the
extrainfo using our existing macros etc.

We record the capabilities from MSG1 or MSG3, and check that they
haven't changed when processing MSG2..4, as applicable.  (Because
older secnets don't cope with flags in MSG1, we have to define two
kinds of capability flag: ones expected to be in MSG1, and ones which
can appear later in the exchange.)

The support for "Early" capabilities is intended to be used in the
future to support algorithm agility in key exchange.

We also advertise our own capabilities (currently, all-bits-zero) in
our own messages.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: use unaligned.h's functions, not pointer cast and ntohl

Switch site.c to using unaligned.h's functions for accessing
multi-byte values inside messages.  There were a few places where this
construction was used:
   something = ntohl(*(uint32_t*)(buf->start + offset));
It is much clearer to use this equivalent construction:
   something = get_uint32(buf->start + offset);

Also the packet's message type was extracted from the message using
get_uint32 and then put through ntohl.  This is, of course, wrong.
Currently all the message type codes are palindromes, so it doesn't
matter in practice.  Fix it anyway.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: Extra info in name fields for MSG1, clearer processing

We change the parsing of the names in MSG1 packets to align it with
that used for MSG2..4, abolishing the simple memcmp-based "setupsig"
arrangement.

This means that MSG1 packets, like MSG2..4, can contain extra
information in the name fields.

This results in the following table of behaviours (where "old secnet"
is the version before we introduced additional data at all):
  MSG    Sent name          Old secnet           New secnet
  1      expected           ok                   ok
  1      expected\0extra    rejected             ok, extra data
  1      expected/suffix    rejected             rejected
  1      expect             rejected             rejected
  2-4    expected           ok                   ok
  2-4    expected\0extra    ok, extra ignored    ok, extra data
  2-4    expected/suffix    wrongly accepted     rejected
  2-4    expect             read overrun         rejected

After the new secnet is widely deployed, we will be able to use the
extra data field in MSG1 for public key algorithm agility and public
key rollover.

Also, intend to introduce a new packet which (like MSG1) is addressed
by name rather than the site id; this change makes that easier too.

In detail, we:
* Make site_incoming extract the message type earlier, and use
   the message type to choose how to check the address.
* Abolish st->setupsig and st->setupsiglen;
* Break out a function named_for_us, which uses unpick_msg
   and then checks the names;
* Arrange to keep the unpicked message from named_for_us and
   reuse it in process_msg1.
* Eliminate checking dest==0 for name-addressed packets.

This last point constitutes a change to the implemented protocol.  The
old code would treat a packet as name-addressed iff the destination
"index" was zero.  However, the requirement to send a zero in this
field is not documented.  After this patch, peers which send MSG1 with
a non-zero destination index will have their messages honoured rather
than discarded.  But we do document the restriction.

There is no other significant functional implication of this last
point.  Peers which send non-MSG1s with zero destination index will
have their packets rejected both before and afterwards (although there
may be a change in whether a NAK is sent and in logging) but anyway
those peers are broken because all of our generated indexes are
nonzero.

A downside of this change is that we will now unpick an incoming MSG1
repeatedly until we find which site instance wants it.  But this
unpicking is not particularly arduous.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: fix site name checking leaving room for expansion

Previously, secnet would only check that the site names sent by the
peer had the expected site names as prefixes.  This would be a
security bug on a vpn where one site name is the prefix of another
site name.

In fact, if the peer sends a short name, secnet will suffer a buffer
read overrun and maybe crash - although this is exploitable only for
DoS at worst, and not as an information leak.

(With reasonable peers, it won't cause packets to be mishandled,
because the next field after each name string is a 16-byte integer
giving a name or public key byte count, which would have to contain a
value greater than 8000 to look like printable characters.)

Fix this bug.

However, we use this as an opportunity to provide some space (in the
signed part of MSG2..4) for future extensions.  (At present there is
nothing in the parts of MSG3 and MSG4 covered by the signature which
is not supposedly entirely fixed - apart from the amount of
zero-padding at the MS end of our DH public exponent.  This is bad
because it provides no way to do transport protocol upgrade/downgrade
negotiation without leaving open a protocol version downgrade attack.)

After this change the name fields in MSG2..4 are, following the 16-bit
length, either just the characters of the name, or the name, followed
by a nul byte, followed by zero or more bytes of additional data.

Additional data beyond what the receiver expects (which currently
means any additional data), is to be ignored.

Let us work through some examples.  Suppose the expected site name is
"expected".  Here are the behaviours in relation to various names
being transmitted in the packet.  (This applies both to the local
name, and to the remote name; "rejected" means other instances of the
protocol engine get a go, and perhaps the instance with the correct
names will accept the message.)
  MSG    Sent name          Old secnet           New secnet
  1      expected           ok                   ok
  1      expected\0extra    rejected             rejected
  1      expected/suffix    rejected             rejected
  1      expect             rejected             rejected
  2-4    expected           ok                   ok
  2-4    expected\0extra    ok, extra ignored    ok, extra data
  2-4    expected/suffix    wrongly accepted     rejected
  2-4    expect             read overrun         rejected

We will do the same for MSG1 in a later commit.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

NOTES: Remove unimplemented protocol negotiation

The protocol negotiation mechanism documented in NOTES is not
implemented. Remove it from the document.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

NOTES: Remove paragraph about slow-to-prepare messages

NOTES contained this paragraph:

  Some messages may take a long time to prepare (software modexp on slow
  machines); this is a "please wait" message to indicate that a message
  is in preparation.

This paragraph was immediately after the description of the msg0(msg9)
packet - ie, the ordinary data packet.  It is therefore at the very
least misplaced.

In the git history this paragraph was introduced in "Import release
0.1.14" (4f5e39ec).  However, the diff for that commit (ie the diff
between 0.1.13 and 0.1.4) does not show any code which might
correspond to this comment.

There is not currently any code in site.c which responds to a message
of this kind.  I have had a quick look for code which sends such a
message and failed to find any.

So I think this paragraph represents a never-implemented intent, and
should be removed.  It certainly predates the "hacky parallelism" by a
long way.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

NOTES: Improve documentation of NAKs.

Improve the description of the function of NAK packets.

Document an ancient form of NAK, MSG8.

Add a missing heading "Other messages" and put the description of the
NAK message and of the obsolete NAK in it.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: Send NAKs for undecryptable data packets (msg0)

Packets which are not understood are supposed in general to produce
NAKs, to let the peer know that we don't have the key they were using.

However, previously this would only happen if the incoming packet had
a local site index which was not in use.  But it can happen that a
particular index value is reused by a recently restarted secnet.
Previously, in this case, data packets would simply be thrown away
undecryptable.

With this change, undecryptable data packets always generate a NAK.

This is particularly relevant for mobile sites, as it can happen that
the fixed site doesn't have an address for the mobile site - so the
association will remain stuck in a broken state until the mobile site
is also restarted.

There is still a potential problem when a site is restarted mid key
exchange.  The peer will refuse to start a new key exchange (because
of the retry timeout) and the restarted site may not know it's
necessary.  This will be dealt with in a later patch.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

magic: Introduce LABEL_NAK

Replace ad-hoc comments on the message number of NAK packets with an
explicit #define. No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

transform: Do not look at any bytes of PKCS#5 padding other than the last

This might avoid some timing-related information leaks. In principle
this is a protocol change: we now no longer use actual PKCS#5 padding;
instead, we use a padding scheme where all but the last byte of the
padding may be sent as anything and are ignored by the receiver.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

memcmp: Introduce and use consttime_memcmp

We need to use a constant-time memcmp in MAC checking, to avoid
leaking (to an adversary) how much of the MAC is right. (This would
be especially dangerous if our MAC was outside the encryption, which
thankfully it isn't.)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

build system: debian packaging improvements

changelog: describe version 0.3.0

site: When if our MSG5s (or peer's MSG6s) get lost, preserve the key

When we time out in state SENTMSG5, keep the key we negotiated.
SENTMSG5 gives the peer permission to start sending packets with it so
we need to be able to decrypt them. If we see such packets, we switch
to using the new key at that point and throw the old key away.

This is the final fix to the "connectivity loss during final key
setup can cause locked-up session" bug.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: Keep old keys, and allow them to be used by peer

After we have switched to a new key, keep the old key around until we
see packets using the new key.

This is part of the fix to the "connectivity loss during final key
setup" bug. Fixing this requires that both ends be willing to keep
both old and new data keys available until the peer has sent data with
the new key (which might never happen).

If there were also a key setup, the site would then need three keys:
the old data key, the current data key which the peer hasn't started
using yet, and the fresh key it is trying to negotiate. So we have to
a third key, with its own lifetime expiry.

In the code we call the old key the "auxiliary" key because we're
going to use it for an additional fixup in the next patch.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: Generalise deletion and timeout of keys

Introduce delete_one_key, and rename delete_key to delete_keys. We
distinguish, now, between deleting a single key, and deleting all the
keys for this site.

The expiry check calls delete_one_key rather than delete_keys, and is
likewise done with a helper function.

No functional change other than to the key expiry log message.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: Move current_transform, _key_timeout and remote_session_id into a struct

We are going to introduce another set of these for the previous key,
and putting them together in this struct means we will be able to talk
about themm easily.

This patch is very mechanical: we move the three variables into the
new struct, and simply search-and-replace the references.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: No longer track key validity ourselves

We used to have a variable st->current_valid, which we would always
set to True when assigning a key to current_transform, and to False
when calling delkey (or on initialisation).

Now that we have transform->valid(), this is no longer needed.

We do introduce a trivial helper function current_valid(st) to help us
call it, so the places where st->current_valid was checked don't get
too ugly.

There is no intentional change to the externally-visible behaviour.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

transform: add ->valid() function

This allows outside callers to find out whether the transform has been
keyed, and can therefore relieve them of the need to track this
separately.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: Deal with losing our MSG6 - retransmit MSG6 when we see MSG5 in RUN

Fix the lost MSG6 bug in the case where we are the responder:

If we are in RUN and we see a SENTMSG5 encrypted with what we now
regard as the data transfer key, conclude that the peer must have lost
the MSG6.  Regenerate and transmit a new MSG6.

This requires a generalised version of generate_msg6 which allows the
new call site to specify which transform and session id to use, and
which doesn't set st->retries.  So break the meat of generate_msg6 out
into a new function which I have chosen to call create_msg6.  (The
fact that functions called `generate_msg*' set st->retries is slightly
unfortunate.)

We also have to add a transform argument to process_msg5 so that we
can try decrypting MSG5s with the data transfer key.

It is still possible, even after this patch, to get the two ends out
of sync: if, just after the responder has switched to the new key and
entered RUN, the network fails entirely for the key setup timeout, the
initiator will abandon the key setup and switch to WAIT, and continue
to use the new key.  However, the responder has already discarded the
old key.

To fix this is not trivial: it will require us to introduce a third
key, with its own lifetime expiry.  This will be in a later patch.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: Deal with losing peer's MSG6 - go to RUN on MSG0 with new key

The original protocol, as implemented, has the following bug:

The responder sends MSG6 on its transition from SENTMSG4 to RUN, on
receipt of the initiator's MSG5.  Unlike all the other key protocol
messages, MSG6 is not retransmitted (for there is no retransmission in
RUN).  If the responder's MSG6 is lost, the initiator has no way of
knowing and won't switch to the new key.  The initator will keep
retransmitting MSG5, which the responder (in old versions of secnet)
ignores.  The responder will be sending data with the new key, which
the initiator (in old versions of secnet) ignores.  This broken
situation can persist until the initiator sends data, which it will do
with the old key, possibly causing a new key exchange attempt to be
initiated by the original responder (in old versions of secnet only),
which may or may not experience the same bug.

This bug needs to be fixed separately at both ends, ideally, so that
running a fixed version at either end avoids the bug.

Here we fix for the case where we are the initiator, as follows:

If are in SENTMSG5 and we see data encrypted with the new key,
conclude that we must have lost the MSG6 and simply switch to the new
key, and state RUN, right away.

Because the transform operates destructively (and changing that fact
about the transform API would be too intrusive), this means we need to
keep a copy of the original ciphertext in process_msg0.

For this purpose we introduce a new buffer `scratch' in the site state
structure, and a new buffer_copy utility function for making a copy of
a buffer (reallocating the destination buffer if necessary).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site, transform: Do not initiate rekey when packets too much out of order

If packets arrive sufficiently out of order, we may unnecessarily
initiate a rekey simply because of the skew.  Solve this as follows:
* transform->reverse gives a distinct error code for `too much skew'.
* site does not initiate a rekey when it sees that error code.

The rekey-on-decrypt-failure feature is in principle unnecessary.
However, due to another bug it is possible for a key setup to be
regarded as successful at only one of the two ends, and the ability to
immediately do another key setup to try to fix things is useful.

In principle this new behaviour might prevent a necessary rekey: if
the sender has sent around 2^31 packets none of which were received,
the receiver would see the new packets as too old.  But: firstly, this
is very unlikely (it would have involved transmitting several Gbytes
into the void, in a period less than the maximum key lifetime).
Secondly, we ought to expire keys before then anyway so the sender
should know that the key had `worn out' (although currently this is
not enforced).

The benefit of this change is that the old behaviour would be likely
to initiate unnecessary rekeys when on unreliable links (eg, mobile
internet).  Unnecessary rekeys are a bad idea in these circumstances
not just because they clog up the link but also because they make the
association more fragile.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: Remove pointless check from decrypt_msg0

It is not necessary to check whether we have a current key before
attempting to unpick and decrypt a MSG0. If we don't,
transform->reverse will simply fail due to lacking a key.

This check needs to be removed, because in forthcoming patches we will
want to be able to try to decrypt the packet with other keys, at which
point the lack of a currently valid data transfer key will not be
relevant and this check will be harmful.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: Break out separate function for decrypting msg0

The control flow here is going to become more complicated, and this
change will make the next patches, and the resulting code, clearer.

Note that process_msg0's return value is never used; it is only
defined to return bool_t so that it can use the CHECK_AVAIL macro.
Knowing this will make it easier to see that the patch is correct.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

netlink: abolish check_config and output_config

Apparently, a long time ago, MSG5 and MSG6 used to contain some
netlink configuration data, which the receiver of the MSG5 or MSG6
would check.

However, for a long time now the output_config function has been a
no-op and the check function has unconditionally eaten and discarded
anything extra in the message.

Furthermore, because the MSG6 is not retransmitted, this mechanism
couldn't be reliable without a protocol change. So the existing
interface is defective.

So, abolish it the interface, the dummy implementation, and all the
call sites. The check_config call sites in site.c now instead
directly discard any unexpected data at the end of MSG5 and MSG6.

This patch should cause no behavioural change in actual operation.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

netlink: report why a packet is bad

Replace
<netlink>: bad IP packet from <source>
with
<netlink>: bad IP packet from <source>: reason

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: transport peers: fix incorrect stride when debug output enabled

When there are multiple peer addresses, attempts to copy them from one
table of peers addresses to another with transport_peers_copy will go
wrong because the stride argument to transport_peers_debug is wrong -
we take sizeof() the pointer rather than of the array element.

This will typically cause a segfault if it happens, but the bug can
only be triggered if LOG_PEER_ADDRS debugging is enabled.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

messages: add some missing newlines

Message and cfgfatal must be called with a message containing a
newline (or, a newline sent in a later call). Fix a few call sites.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

log: Print truncated messages

If a message doesn't survive the vsnprintf in vMessage untruncated,
the result may be that its newline is lost.  After that, buff will
never manage to gain a newline and all further messages will be
discarded.

Fix this by always putting "\n\0" at the end of buff.  That way a
truncated message is printed and the buffer will be cleared out for
the next call.

This does mean that sometimes a message which is just slightly shorter
than the buffer will produce a spurious empty message sent to the
syslog.  However, the whole logging approach here will inevitably
occasionally insert spurious newlines, if only to split up long
messages; long messages may also be truncated.  The bad effect of the
change in this patch is simply to make the length at which
infelicities appear very slightly shorter.  The good effect is that it
turns a very nasty failure mode into a benign one.

So I think it is reasonable to err on the side of code which clearly
cannot go wrong in a bad way.  Other approaches which make the
infelicity threshold a couple of characters longer, or which slightly
reduce the different kinds of infelicity, are much more complicated
and therefore more likely to have bugs.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

log: Eliminate potential out-of-control recursion

vMessage looks for the system log instance.  If there is one, it uses
it; otherwise it just uses stderr or stdout.

The system log instance consists, eventually, of syslog_vlog or
logfile_vlog.  Both of these functions have a fallback: if they are
properly set up they do their thing; otherwise they call vMessage.
This is wrong because in this situation they have probably been called
by vMessage so it doesn't help.

At first sight this ought to produce unbounded recursion but for
complicated reasons another bug prevents this.  Instead, messages can
just vanish.

Break out the fallback mode of [v]Message into [v]MessageFallback so
that syslog_vlog and logfile_vlog can use it directly.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Makefile: honour EXTRA_CFLAGS, etc.

This makes it easier to add command-line options at build-time.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

SECURITY: actually reject messages with improper lengths

transform_reverse checks to see if the incoming message is a multiple
of the block cipher block size.  If the message fails this check, it
sets *errmsg but it fails to return.  Instead, it proceeds to attempt
to decrypt it.  This will involve a buffer read/write overrun.

It transform_reverse fails to check to see if the incoming message is
long enough to contain the IV, MAC and padding.  This can easily be
exploited to cause secnet to segfault.

buffer_unprepend should check that the buffer has enough data in it to
unprepend.  With the other patches, this should be irrelevant, but it
turns various other potential read overrun bugs into crashes.

site_incoming should check that the incoming message is long enough.
Again, without this, this is an buffer read overrun or possibly a
segfault.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

userv-ipif: Always request routes from userv, regardless of link quality

Previously the userv-ipif netlink would not request (from userv) a
route for a site for which the link quality was DOWN. The link
quality is a dynamic quantity but userv-ipif lacks any machinery for
dynamically adding routes, so this is wrong.

Instead, in userv-ipif, unconditionally add routes for all sites,
regardless of link up status.

In practice this code is run during startup and the only reason a link
might be down at that point, ie LINK_QUALITY_DOWN, is that it does not
have an address configured. Mobile sites are often in this situation.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

build system: Update build-dependency information

Update build-dependency documentation and add missing references to
flex and bison to debian/control.

Signed-off-by: Matthew Vernon <matthewv@chiark.greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: Do not permit "include" in simple sites files

Restrict the "include" directive to the "header" of -u (groupfile
update) mode. Callers who are simply using make-secnet-sites to
transform a (possibly untrusted) sites file into a (to be trusted)
sites.conf file should not have to worry about includes.

"include" directives are already forbidden in group files.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: In -u mode, output file "dereferences" include directives

Whenm make-secnet-sites is writing the "output" sites file in -u
(groupfile update) mode, it includes the effective contents of files
referenced in "include" directives, rather than the "include"
directive itself.

So the "output" sites file does not any longer depend on any files
included by the header.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: Do newline-trimming in pline()

This will make life a little easier in a future patch. While we're at
it, use rstrip rather than open-coding it.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: Actually include addresses in sites.conf

This was broken in

   commit c9d84e31f48a04eb0af525324707f22c738cc8b7
   Author: Ian Jackson <ijackson@chiark.greenend.org.uk>
   Date:   Sat Dec 17 21:21:47 2011 +0000

       make-secnet-sites: Allow sites with no address

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: If definition found in wrong place, bomb out

If it doesn't exit here, make-secnet-sites might subsequently crash
with Python stack backtrace.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: New -P <prefix> option

make-secnet-sites generates a config file which defines the keys
"vpn-data", "vpn", and "all-sites".

To make it possible to usefully include the output of more than one
different piece of output from make-secnet-sites, support the option
-P <prefix>, which generates a config file which defines
"<prefix>vpn-data", "<prefix>vpn", and "<prefix>all-sites".

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: Allow sites with no address

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: Fix userv invocation after pfilepath

The commit 9b8369e07aeba5ed2c69fb4a7f74d07c8cebe015
make-secnet-sites: refactor to break out new function "pfilepath"
broke the userv service invocation, because it turned out that later
code depended on the "headerinput" variable whose assignment had been
removed and replaced by a call to pfilepath.

Make pfilepath return the lines read from the file and assign the
result to headerinput.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

netlink: Fix up link down behaviour

Partially reverts 04f92904ea6c41517ff7154910c16ef4c3bc646b
"userv-ipif: Always request routes from userv, regardless of link quality"

It turns out that this check is necessary to avoid bringing up a route
for a "netlink" stanza in the configuration file which is never used.

In particular, this avoids bringing up a netlink for (a) sites which
are not mentioned in the config file (b) the site on which secnet is
running.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

userv-ipif: Always request routes from userv, regardless of link quality

Previously the userv-ipif netlink would not request (from userv) a
route for a site for which the link quality was DOWN. The link
quality is a dynamic quantity but userv-ipif lacks any machinery for
dynamically adding routes, so this is wrong.

Instead, in userv-ipif, unconditionally add routes for all sites,
regardless of link up status.

In practice this code is run during startup and the only reason a link
might be down at that point, ie LINK_QUALITY_DOWN, is that it does not
have an address configured. Mobile sites are often in this situation.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: new "include" keyword

Allow "headers" files and "sites" files to contain "include"
directives.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: refactor to break out new function "pfilepath"

No intentional functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

build system: More release checklist updates

Need to "make dist" again.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Update VERSION

build system: Fix Ian's email address in debian/changelog

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

authbind: get endianness right (again)

It appears that:

* authbind's documentation authbind-helper(8) describes the
   endianness convention of authbind's helper program incorrectly.
   See Debian #651694.

* The version of secnet 0.1.16 tagged as such in revision control
   contains a "fix" which was based on the authbind documentation but
   not apparently tested against authbind.  Ie, this part from NEWS:
    4) Change the endianess of the arguments to authbind-helper.
       sprintf("%04X") already translates from machine repesentation to most
       significant octet first so htons reversed it again.

* The version of secnet 0.1.16 actually in service on chiark had an
   out-of-version-control change to udp.c to make it work with
   chiark's authbind 1.2.0.  The actual code found has been recorded
   on the dead branch "chiark-0.1.16" in the master git repo, but the
   version of udp.c is exactly that from 0.1.15 so it looks like we
   just reverted to the previous udp.c during deployment of 0.1.16.

* We (re)discovered all this after the release of secnet 0.2.0
   because my attempt to deploy 0.2.0 on chiark was not actually
   effective.

Therefore, undo the authbind endianness change introduced in secnet
0.1.16.  This is most easily achieved by constructing the arguments to
the helper from the sockaddr rather than the contents of "st".

Thanks are due to Simon Tatham for the bug report.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Update VERSION

build system: Further improvements to release checklist

We have to:
* Update debian/changelog
* Build a new .deb
* Copy the files to chiark:~secnet/ in case anyone looks there

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

New --managed option for use when running under a daemon supervisor.

The effect is secnet is told that it is running as a daemon right from
the start, so it knows to follow the logging rules for daemons but not
to fork.

The conflation of daemonization with dropping privilege is also
unpicked by this patch. Most importantly this ensures that errors
from PHASE_GETRESOURCES operations such as 'route' commands is sent to
the logfile (or syslog).

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Make the list of phases be an enumeration.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Set group ID and group list.

More sensible username lookup.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

build system: Include signing of tarballs in release checklist

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

build system: New "make dist" uses git; add release checklist

We no longer try to separately track which files should be shipped in
the tarball. Instead, the tarball contains exactly the same files as
the repo.

Add a release checklist at the bottom of Makefile.in, based on the one
from the stable branch (in 813ff677f7020b12fb1356e977a73dc910e64ce5).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

md5: correct size arg to memset().

On realistic targets the effect of the error was that the MD5 context
wasn't fully cleared.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

cleanup: build on Ubuntu Lucid

The discard() idiom is chosen because Clang tolerates it.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Add a man page.

As it stands it is purely reference material - no conceptual or
tutorial stuff whatsoever.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Remove snprintf reimplementation.

We don't want to think about the "Frontier Artistic License" and the
requirements it may or may not impose on distribution of secnet.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Config file fixes.

* Reject integers in excess of 2^32-1 (rather than reducing them mod
  2^32).
* ptree_dump():
  - Remove a magic number.
  - More realistic recursion limit.
* Various bits of type hygeine.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Detect Fink automatically.

The logic is that if Fink is in the path then we should use it. So
(unlike certain build systems I could mention) if you want to use a
local install of GMP, it should be sufficient to run ./configure
without /sw/bin in the path.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

OSX: fix home directory in setup.mac.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Mobile sites: Update test example

Make the "inside" site in test-example be mobile.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Multiple udp ports: Add to test

For testing, add an extra port to one of the sites in test-example.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Multiple udp ports for the same site (multiple "comm"s)

Now you can meaningfully specify more than one comm closure (ie, more
than one udp port) for a site. secnet will respond to incoming key
exchange and data packets on any of the ports.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Mobile sites: Support in make-secnet-sites

This allows a sites file to specify that a site is mobile; the mobile
flag gets propagated into the generated sites.conf.

Includes new support for boolean values.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Mobile sites: Use different default tuning parameters

Links involving mobile peers are best served by somewhat different
tuning parameters. So make the defaults vary accordingly.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Mobile sites: Require specification of whether we think we are mobile

We introduce a new config option "local-mobile" which must match our
peers' idea of whether we are mobile. This is cross-checked with the
"site" entry for our own site, if there is one, to detect mistakes.

We do not transfer this data in the protocol because we don't want to
break compatibility with older secnets which do not understand mobile
peers at all.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Mobile sites: Maintain multiple addresses for some peers (new feature)

Provides the following new config option, and some satellite options:

  mobile (bool): if True then peer is "mobile" ie we assume it may change
    its apparent IP address and port number without either it or us
    being aware of the change; so, we remember the last several port/addr
    pairs we've seen and send packets to all of them (subject to a timeout).
    We maintain one set of addresses for key setup exchanges, and another for
    data traffic. [false]

In the code this involves replacing the comm_addrs for setup_peer and
peer with a new struct transport_peers which contains zero or more
comm_addrs.  This subsumes peer_valid, too.

Additionally, we are slightly cleaner about the use of setup_peer: we
ensure that we clean it out appropriately when we go into states where
it won't (shouldn't) be used.

The transport_peers structure is opaque to most of site.c and is
manipulated by a new set of functions which implement the detailed
semantics described in site.c.

The main code in site.c is no longer supposed to call dump_packet and
st->comm->sendmsg directly; it should use transport_xmit (which will
do dump_packet as well as appropriate sendmsgs).

No intentional functional change if mobile=false (the default) and the
new debug log feature ("peer-addrs") is not enabled.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Protocol change: Initiate key setup on incoming packets, not outgoing ones

If data is exchanged after the "renegotiation time", we need to
refresh the data transfer key - ie, to initiate a key setup.
Previously this was done by the peer which wanted to transmit data
using an existing but in-need-of-refreshing key.

However, mobile peers may often be disconnected.  There is no point
trying to do a key renegotiation while they are disconnected.  Thus it
is better to have the renegotiation initiated by a peer which receives
a data packet.  That means that if there is a network outage,
renegotiation will be deferred until the network is restored.

In particular, it means that a mobile node which has no underlying
network but which has applications trying to send data will not waste
effort attempting key renegotiation until it once more has
connectivity.

This minor functional change should be harmless or even beneficial for
non-mobile sites too.  It simply means that the other peer will play
the role of initiator during renegotiation, but since which peer
played this role is arbitrary for non-mobile sites this should make no
difference.

Compatibility: In the case of an old version of secnet talking to a
new version, only data packets in one direction will cause
renegotiation.  This should not be a problem since all real-world
IP protocols involve data in both directions.

So we make the new behaviour universal rather than making it depend on
the forthcoming "mobile-peer" site config option.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

comm, udp: Provide an addr_to_string method

This method writes (into a single static buffer) a string describing a
comm_addr. It describes both the comm instance and the peer address.

No callers yet, but one is about to be introduced.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Site tuning defaults: Improve documentation; internal improvements

Two documentation fixes:

* Quote the correct default value for setup-timeout
  (setup_retry_interval) in the README.
* Improve the documentation of the default value for renegotiate-time.

Three simple internal improvements:

* Change definitions of DEFAULT_* to forms which make the semantics
  of the values clearer, thus obviating the need for the comments
  giving human-readable values.
* Add comments to DEFAULT_* time values giving the units (currently,
  they are all in millisecons).
* Rename (in the code) SETUP_TIMEOUT and setup_timeout to
  SETUP_RETRY_INTERVAL, which is more accurate.  We leave the config
  dictionary entry with the misleading name (particularly, since we
  have no facility for spotting obsolete or misspelled config keys).

Also two changes which are preparatory to the mobile peers support:

* New macro DEFAULT(D) which currently simply expands to DEFAULT_*.
* New convenience macro CFG_NUMBER for a common pattern of use for
  dict_read_number, which uses DEFAULT().

No intentional functional changes.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

comm, site: pass a new "struct comm_addr" rather than sockaddr_in

This abstracts away the fact that the peer address is a sockaddr_in;
instead, most of the code in site.c now only handles the peer address
as an opaque structure.

We put the struct comm_if* in the address structure too, as this will
be useful later. Amongst other things, doing this arranges that the
comm client knows which comm is notifying about an incoming packet.
Previously the client was expected to "just know" because the only
actual client in secnet is site which currently only deals with one
comm.

Also make the relevant arguments const-correct.

Contains consequential changes the signatures of many functions but no
intentional functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: When shutting down, if debug enabled, do dump the MSG7

Insert a call to dump_packet in send_msg7. The packet is mostly
ciphertext and may not make a great deal of sense but turning on
debugging should not show all management packets; only data packets
should not be shown.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: Remove some spurious "break"s

Remove two occurrences of "break" which immediately follow
unconditional "return". No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Keepalives: Document that they're unimplemented; remove vestigial code

Keepalives are not actually implemented; the keepalive option does
nothing. Mention this in the README. Remove the option's parsing
and recording from site.c.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cleanup: Style improvement to python literals in make-secnet-sites

Python literals can have a trailing comma after the last element.
Doing this is a good idea as it means that adding new elements at the
end doesn't necessitate modifying the previous line.

No intentional functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cleanup: provide helpful FILLZERO macro (for certain memset calls)

This macro replaces these idioms:
memset(&foo,0,sizeof(foo)); => FILLZERO(foo);
memset(foo,0,sizeof(*foo)); => FILLZERO(*foo);

This makes it impossible to accidentally get the wrong size.

Use this macro in all such patterns in secnet, apart from two in
site.c which are going to be removed soon anyway.

No intentional functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

secnet.h: provide helpful STRING macro (for preprocessor stringification)

Uses preprocessor stringification; can be helpful for rendering
compile-time constants (eg compile time limit macros) for messages,
etc.

Not used yet; will be used later in this series.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Test example: improve logging, choice of ports

* Turn up the logging in test-example/common.conf, to "all".

* Change the udp port numbers we use to 16900 and 16910, which
conveniently have a "0" for "outside" and a "1" for "inside".

* Swap the order of the inside and outside sites in the sites file, so
that the consistentliy-lower-numbered "outside" comes first.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

.gitignore build-stamp.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Introduce an installdirs target.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Correct a couple of errors in the README.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Prohibit lists where single values expected.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>