#define SITE_SENTMSG5 7
#define SITE_WAIT 8
+int32_t site_max_start_pad = 4*4;
+
static cstring_t state_name(uint32_t state)
{
switch (state) {
static void transport_setup_msgok(struct site *st, const struct comm_addr *a);
static void transport_data_msgok(struct site *st, const struct comm_addr *a);
static bool_t transport_compute_setupinit_peers(struct site *st,
- const struct comm_addr *configured_addr /* 0 if none or not found */);
+ const struct comm_addr *configured_addr /* 0 if none or not found */,
+ const struct comm_addr *prod_hint_addr /* 0 if none */);
static void transport_record_peer(struct site *st, transport_peers *peers,
const struct comm_addr *addr, const char *m);
struct random_if *random;
struct rsaprivkey_if *privkey;
struct rsapubkey_if *pubkey;
- struct transform_if *transform;
+ struct transform_if **transforms;
+ int ntransforms;
struct dh_if *dh;
struct hash_if *hash;
/* runtime information */
uint32_t state;
uint64_t now; /* Most recently seen time */
+ bool_t allow_send_prod;
/* The currently established session */
struct data_key current;
timeout before we can listen for another setup packet); perhaps
we should keep a list of 'bad' sources for setup packets. */
uint32_t remote_capabilities;
+ struct transform_if *chosen_transform;
uint32_t setup_session_id;
transport_peers setup_peers;
uint8_t localN[NONCELEN]; /* Nonces for key exchange */
uint64_t timeout; /* Timeout for current state */
uint8_t *dhsecret;
uint8_t *sharedsecret;
- uint32_t sharedsecretlen;
+ uint32_t sharedsecretlen, sharedsecretallocd;
struct transform_inst_if *new_transform; /* For key setup/verify */
};
+static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
+FORMAT(printf,3,4);
static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
{
va_list ap;
}
vsnprintf(buf,sizeof(buf),msg,ap);
- st->log->log(st->log->st,class,"%s: %s",st->tunname,buf);
+ slilog(st->log,class,"%s: %s",st->tunname,buf);
}
va_end(ap);
}
const char *reason /* may be 0 meaning don't log*/,
const char *which /* ignored if !reasonn */,
uint32_t loglevel /* ignored if !reasonn */);
-static bool_t initiate_key_setup(struct site *st, cstring_t reason);
+static bool_t initiate_key_setup(struct site *st, cstring_t reason,
+ const struct comm_addr *prod_hint);
static void enter_state_run(struct site *st);
static bool_t enter_state_resolve(struct site *st);
static bool_t enter_new_state(struct site *st,uint32_t next);
struct parsedname remote;
struct parsedname local;
uint32_t remote_capabilities;
+ int capab_transformnum;
uint8_t *nR;
uint8_t *nL;
int32_t pklen;
char *sig;
};
-static void set_new_transform(struct site *st)
+static void set_new_transform(struct site *st, char *pk)
{
- struct transform_if *generator=st->transform;
+ /* Make room for the shared key */
+ st->sharedsecretlen=st->chosen_transform->keylen?:st->dh->ceil_len;
+ assert(st->sharedsecretlen);
+ if (st->sharedsecretlen > st->sharedsecretallocd) {
+ st->sharedsecretallocd=st->sharedsecretlen;
+ st->sharedsecret=realloc(st->sharedsecret,st->sharedsecretallocd);
+ }
+ if (!st->sharedsecret) fatal_perror("site:sharedsecret");
+
+ /* Generate the shared key */
+ st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,pk,
+ st->sharedsecret,st->sharedsecretlen);
+
+ /* Set up the transform */
+ struct transform_if *generator=st->chosen_transform;
struct transform_inst_if *generated=generator->create(generator->st);
generated->setkey(generated->st,st->sharedsecret,
st->sharedsecretlen,st->setup_priority);
dispose_transform(&st->new_transform);
st->new_transform=generated;
+
+ slog(st,LOG_SETUP_INIT,"key exchange negotiated transform"
+ " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")",
+ st->chosen_transform->capab_transformnum,
+ st->local_capabilities, st->remote_capabilities);
}
struct xinfoadd {
if (hacky_par_mid_failnow()) return False;
+ if (type==LABEL_MSG3BIS)
+ buf_append_uint8(&st->buffer,st->chosen_transform->capab_transformnum);
+
dhpub=st->dh->makepublic(st->dh->st,st->dhsecret,st->dh->len);
buf_append_string(&st->buffer,dhpub);
free(dhpub);
static bool_t unpick_msg(struct site *st, uint32_t type,
struct buffer_if *msg, struct msg *m)
{
+ m->capab_transformnum=-1;
m->hashstart=msg->start;
CHECK_AVAIL(msg,4);
m->dest=buf_unprepend_uint32(msg);
m->remote_capabilities=buf_unprepend_uint32(&m->remote.extrainfo);
}
if (!unpick_name(msg,&m->local)) return False;
+ if (type==LABEL_PROD) {
+ CHECK_EMPTY(msg);
+ return True;
+ }
CHECK_AVAIL(msg,NONCELEN);
m->nR=buf_unprepend(msg,NONCELEN);
if (type==LABEL_MSG1) {
CHECK_EMPTY(msg);
return True;
}
+ if (type==LABEL_MSG3BIS) {
+ CHECK_AVAIL(msg,1);
+ m->capab_transformnum = buf_unprepend_uint8(msg);
+ } else {
+ m->capab_transformnum = CAPAB_TRANSFORMNUM_ANCIENT;
+ }
CHECK_AVAIL(msg,2);
m->pklen=buf_unprepend_uint16(msg);
CHECK_AVAIL(msg,m->pklen);
}
/* MSG3 has complicated rules about capabilities, which are
* handled in process_msg3. */
- if (type==LABEL_MSG3) return True;
+ if (type==LABEL_MSG3 || type==LABEL_MSG3BIS) return True;
if (m->remote_capabilities!=st->remote_capabilities) {
*error="remote capabilities changed";
return False;
}
st->setup_session_id=m.source;
st->remote_capabilities=m.remote_capabilities;
+
+ /* Select the transform to use */
+
+ uint32_t remote_transforms = st->remote_capabilities & CAPAB_TRANSFORM_MASK;
+ if (!remote_transforms)
+ /* old secnets only had this one transform */
+ remote_transforms = 1UL << CAPAB_TRANSFORMNUM_ANCIENT;
+
+ struct transform_if *ti;
+ int i;
+ for (i=0; i<st->ntransforms; i++) {
+ ti=st->transforms[i];
+ if ((1UL << ti->capab_transformnum) & remote_transforms)
+ goto transform_found;
+ }
+ slog(st,LOG_ERROR,"no transforms in common"
+ " (us %#"PRIx32"; them: %#"PRIx32")",
+ st->local_capabilities & CAPAB_TRANSFORM_MASK,
+ remote_transforms);
+ return False;
+ transform_found:
+ st->chosen_transform=ti;
+
memcpy(st->remoteN,m.nR,NONCELEN);
return True;
}
/* Now we have our nonce and their nonce. Think of a secret key,
and create message number 3. */
st->random->generate(st->random->st,st->dh->len,st->dhsecret);
- return generate_msg(st,LABEL_MSG3,"site:MSG3");
+ return generate_msg(st,
+ (st->remote_capabilities & CAPAB_TRANSFORM_MASK
+ ? LABEL_MSG3BIS : LABEL_MSG3),
+ "site:MSG3");
}
static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
- const struct comm_addr *src)
+ const struct comm_addr *src, uint32_t msgtype)
{
struct msg m;
uint8_t *hash;
void *hst;
cstring_t err;
- if (!unpick_msg(st,LABEL_MSG3,msg3,&m)) return False;
- if (!check_msg(st,LABEL_MSG3,&m,&err)) {
+ assert(msgtype==LABEL_MSG3 || msgtype==LABEL_MSG3BIS);
+
+ if (!unpick_msg(st,msgtype,msg3,&m)) return False;
+ if (!check_msg(st,msgtype,&m,&err)) {
slog(st,LOG_SEC,"msg3: %s",err);
return False;
}
}
st->remote_capabilities|=m.remote_capabilities;
+ struct transform_if *ti;
+ int i;
+ for (i=0; i<st->ntransforms; i++) {
+ ti=st->transforms[i];
+ if (ti->capab_transformnum == m.capab_transformnum)
+ goto transform_found;
+ }
+ slog(st,LOG_SEC,"peer chose unknown-to-us transform %d!",
+ m.capab_transformnum);
+ return False;
+ transform_found:
+ st->chosen_transform=ti;
+
/* Check signature and store g^x mod m */
hash=safe_malloc(st->hash->len, "process_msg3");
hst=st->hash->init();
/* Invent our DH secret key */
st->random->generate(st->random->st,st->dh->len,st->dhsecret);
- /* Generate the shared key */
- st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,m.pk,
- st->sharedsecret,st->sharedsecretlen);
-
- /* Set up the transform */
- set_new_transform(st);
+ /* Generate the shared key and set up the transform */
+ set_new_transform(st,m.pk);
return True;
}
/* Terminate their DH public key with a '0' */
m.pk[m.pklen]=0;
- /* Generate the shared key */
- st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,m.pk,
- st->sharedsecret,st->sharedsecretlen);
- /* Set up the transform */
- set_new_transform(st);
+
+ /* Generate the shared key and set up the transform */
+ set_new_transform(st,m.pk);
return True;
}
BUF_ALLOC(&st->buffer,"site:MSG5");
/* We are going to add four words to the message */
- buffer_init(&st->buffer,st->transform->max_start_pad+(4*4));
+ buffer_init(&st->buffer,calculate_max_start_pad());
/* Give the netlink code an opportunity to put its own stuff in the
message (configuration information, etc.) */
buf_prepend_uint32(&st->buffer,LABEL_MSG5);
BUF_ALLOC(&st->buffer,"site:MSG6");
/* We are going to add four words to the message */
- buffer_init(&st->buffer,st->transform->max_start_pad+(4*4));
+ buffer_init(&st->buffer,calculate_max_start_pad());
/* Give the netlink code an opportunity to put its own stuff in the
message (configuration information, etc.) */
buf_prepend_uint32(&st->buffer,LABEL_MSG6);
slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)",
transform_err,auxkey_err,newkey_err);
- initiate_key_setup(st,"incoming message would not decrypt");
+ initiate_key_setup(st,"incoming message would not decrypt",0);
send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt");
return False;
transport_data_msgok(st,src);
/* See whether we should start negotiating a new key */
if (st->now > st->renegotiate_key_time)
- initiate_key_setup(st,"incoming packet in renegotiation window");
+ initiate_key_setup(st,"incoming packet in renegotiation window",0);
return True;
default:
slog(st,LOG_SEC,"incoming encrypted message of type %08x "
slog(st,LOG_ERROR,"resolution of %s failed",st->address);
ca_use=0;
}
- if (transport_compute_setupinit_peers(st,ca_use)) {
+ if (transport_compute_setupinit_peers(st,ca_use,0)) {
enter_new_state(st,SITE_SENTMSG1);
} else {
/* Can't figure out who to try to to talk to */
}
}
-static bool_t initiate_key_setup(struct site *st, cstring_t reason)
+static bool_t initiate_key_setup(struct site *st, cstring_t reason,
+ const struct comm_addr *prod_hint)
{
if (st->state!=SITE_RUN) return False;
slog(st,LOG_SETUP_INIT,"initiating key exchange (%s)",reason);
if (st->address) {
slog(st,LOG_SETUP_INIT,"resolving peer address");
return enter_state_resolve(st);
- } else if (transport_compute_setupinit_peers(st,0)) {
+ } else if (transport_compute_setupinit_peers(st,0,prod_hint)) {
return enter_new_state(st,SITE_SENTMSG1);
}
slog(st,LOG_SETUP_INIT,"key exchange failed: no address for peer");
if (current_valid(st) && st->buffer.free
&& transport_peers_valid(&st->peers)) {
BUF_ALLOC(&st->buffer,"site:MSG7");
- buffer_init(&st->buffer,st->transform->max_start_pad+(4*3));
+ buffer_init(&st->buffer,calculate_max_start_pad());
buf_append_uint32(&st->buffer,LABEL_MSG7);
buf_append_string(&st->buffer,reason);
if (call_transform_forwards(st, st->current.transform,
/* XXX Erase keys etc. */
}
+static void generate_prod(struct site *st, struct buffer_if *buf)
+{
+ buffer_init(buf,0);
+ buf_append_uint32(buf,0);
+ buf_append_uint32(buf,0);
+ buf_append_uint32(buf,LABEL_PROD);
+ buf_append_string(buf,st->localname);
+ buf_append_string(buf,st->remotename);
+}
+
+static void generate_send_prod(struct site *st,
+ const struct comm_addr *source)
+{
+ if (!st->allow_send_prod) return; /* too soon */
+ if (!(st->state==SITE_RUN || st->state==SITE_RESOLVE ||
+ st->state==SITE_WAIT)) return; /* we'd ignore peer's MSG1 */
+
+ slog(st,LOG_SETUP_INIT,"prodding peer for key exchange");
+ st->allow_send_prod=0;
+ generate_prod(st,&st->scratch);
+ dump_packet(st,&st->scratch,source,False);
+ source->comm->sendmsg(source->comm->st, &st->scratch, source);
+}
+
static inline void site_settimeout(uint64_t timeout, int *timeout_io)
{
if (timeout) {
return;
}
+ st->allow_send_prod=1;
+
/* In all other states we consider delivering the packet if we have
a valid key and a valid address to send it to. */
if (current_valid(st) && transport_peers_valid(&st->peers)) {
slog(st,LOG_DROP,"discarding outgoing packet of size %d",buf->size);
BUF_FREE(buf);
- initiate_key_setup(st,"outgoing packet");
+ initiate_key_setup(st,"outgoing packet",0);
}
static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in,
}
/* This function is called by the communication device to deliver
- packets from our peers. */
+ packets from our peers.
+ It should return True if the packet is recognised as being for
+ this current site instance (and should therefore not be processed
+ by other sites), even if the packet was otherwise ignored. */
static bool_t site_incoming(void *sst, struct buffer_if *buf,
const struct comm_addr *source)
{
BUF_FREE(buf);
return True;
}
+ if (msgtype==LABEL_PROD) {
+ if (!named_for_us(st,buf,msgtype,&named_msg))
+ return False;
+ dump_packet(st,buf,source,True);
+ if (st->state!=SITE_RUN) {
+ slog(st,LOG_DROP,"ignoring PROD when not in state RUN");
+ } else if (current_valid(st)) {
+ slog(st,LOG_DROP,"ignoring PROD when we think we have a key");
+ } else {
+ initiate_key_setup(st,"peer sent PROD packet",source);
+ }
+ BUF_FREE(buf);
+ return True;
+ }
if (dest==st->index) {
/* Explicitly addressed to us */
if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True);
/* If the source is our current peer then initiate a key setup,
because our peer's forgotten the key */
if (get_uint32(buf->start+4)==st->current.remote_session_id) {
- initiate_key_setup(st,"received a NAK");
+ bool_t initiated;
+ initiated = initiate_key_setup(st,"received a NAK",0);
+ if (!initiated) generate_send_prod(st,source);
} else {
slog(st,LOG_SEC,"bad incoming NAK");
}
}
break;
case LABEL_MSG3:
+ case LABEL_MSG3BIS:
/* Setup packet: expected only in state SENTMSG2 */
if (st->state!=SITE_SENTMSG2) {
slog(st,LOG_UNEXPECTED,"unexpected MSG3");
- } else if (process_msg3(st,buf,source)) {
+ } else if (process_msg3(st,buf,source,msgtype)) {
transport_setup_msgok(st,source);
enter_new_state(st,SITE_SENTMSG4);
} else {
st->local_capabilities = 0;
st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc);
- list_t *comms_cfg=dict_lookup(dict,"comm");
- if (!comms_cfg) cfgfatal(loc,"site","closure list \"comm\" not found\n");
- st->ncomms=list_length(comms_cfg);
- st->comms=safe_malloc_ary(sizeof(*st->comms),st->ncomms,"comms");
- assert(st->ncomms);
- for (i=0; i<st->ncomms; i++) {
- item_t *item=list_elem(comms_cfg,i);
- if (item->type!=t_closure)
- cfgfatal(loc,"site","comm is not a closure\n");
- closure_t *cl=item->data.closure;
- if (cl->type!=CL_COMM) cfgfatal(loc,"site","comm closure wrong type\n");
- st->comms[i]=cl->interface;
- }
+#define GET_CLOSURE_LIST(dictkey,things,nthings,CL_TYPE) do{ \
+ list_t *things##_cfg=dict_lookup(dict,dictkey); \
+ if (!things##_cfg) \
+ cfgfatal(loc,"site","closure list \"%s\" not found\n",dictkey); \
+ st->nthings=list_length(things##_cfg); \
+ st->things=safe_malloc_ary(sizeof(*st->things),st->nthings,dictkey "s"); \
+ assert(st->nthings); \
+ for (i=0; i<st->nthings; i++) { \
+ item_t *item=list_elem(things##_cfg,i); \
+ if (item->type!=t_closure) \
+ cfgfatal(loc,"site","%s is not a closure\n",dictkey); \
+ closure_t *cl=item->data.closure; \
+ if (cl->type!=CL_TYPE) \
+ cfgfatal(loc,"site","%s closure wrong type\n",dictkey); \
+ st->things[i]=cl->interface; \
+ } \
+}while(0)
+
+ GET_CLOSURE_LIST("comm",comms,ncomms,CL_COMM);
st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc);
st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc);
else st->remoteport=0;
st->pubkey=find_cl_if(dict,"key",CL_RSAPUBKEY,True,"site",loc);
- st->transform=
- find_cl_if(dict,"transform",CL_TRANSFORM,True,"site",loc);
+ GET_CLOSURE_LIST("transform",transforms,ntransforms,CL_TRANSFORM);
st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc);
st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
st->log_events=string_list_to_word(dict_lookup(dict,"log-events"),
log_event_table,"site");
+ st->allow_send_prod=0;
+
st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5,
"site_apply");
sprintf(st->tunname,"%s<->%s",st->localname,st->remotename);
buffer_new(&st->buffer,SETUP_BUFFER_LEN);
- buffer_new(&st->scratch,0);
+ buffer_new(&st->scratch,SETUP_BUFFER_LEN);
BUF_ALLOC(&st->scratch,"site:scratch");
/* We are interested in poll(), but only for timeouts. We don't have
st->timeout=0;
st->remote_capabilities=0;
+ st->chosen_transform=0;
st->current.key_timeout=0;
st->auxiliary_key.key_timeout=0;
transport_peers_clear(st,&st->peers);
transport_peers_clear(st,&st->setup_peers);
/* XXX mlock these */
st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret");
- st->sharedsecretlen=st->transform->keylen?:st->dh->ceil_len;
- st->sharedsecret=safe_malloc(st->sharedsecretlen,"site:sharedsecret");
-
- /* We need to compute some properties of our comms */
-#define COMPUTE_WORST(pad) \
- int worst_##pad=0; \
- for (i=0; i<st->ncomms; i++) { \
- int thispad=st->comms[i]->pad; \
- if (thispad > worst_##pad) \
- worst_##pad=thispad; \
+ st->sharedsecretlen=st->sharedsecretallocd=0;
+ st->sharedsecret=0;
+
+ for (i=0; i<st->ntransforms; i++) {
+ struct transform_if *ti=st->transforms[i];
+ uint32_t capbit = 1UL << ti->capab_transformnum;
+ if (st->local_capabilities & capbit)
+ slog(st,LOG_ERROR,"transformnum capability bit"
+ " %d (%#"PRIx32") reused", ti->capab_transformnum, capbit);
+ st->local_capabilities |= capbit;
}
- COMPUTE_WORST(min_start_pad)
- COMPUTE_WORST(min_end_pad)
/* We need to register the remote networks with the netlink device */
- st->netlink->reg(st->netlink->st, site_outgoing, st,
- st->transform->max_start_pad+(4*4)+
- worst_min_start_pad,
- st->transform->max_end_pad+worst_min_end_pad);
+ st->netlink->reg(st->netlink->st, site_outgoing, st);
for (i=0; i<st->ncomms; i++)
st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming);
}
static bool_t transport_compute_setupinit_peers(struct site *st,
- const struct comm_addr *configured_addr /* 0 if none or not found */) {
+ const struct comm_addr *configured_addr /* 0 if none or not found */,
+ const struct comm_addr *prod_hint_addr /* 0 if none */) {
- if (!configured_addr && !transport_peers_valid(&st->peers))
+ if (!configured_addr && !prod_hint_addr &&
+ !transport_peers_valid(&st->peers))
return False;
slog(st,LOG_SETUP_INIT,
- (!configured_addr ? "using only %d old peer address(es)"
- : "using configured address, and/or perhaps %d old peer address(es)"),
- st->peers);
+ "using:%s%s %d old peer address(es)",
+ configured_addr ? " configured address;" : "",
+ prod_hint_addr ? " PROD hint address;" : "",
+ st->peers.npeers);
/* Non-mobile peers havve st->peers.npeers==0 or ==1, since they
* have transport_peers_max==1. The effect is that this code
* always uses the configured address if supplied, or otherwise
- * the existing data peer if one exists; this is as desired. */
+ * the address of the incoming PROD, or the existing data peer if
+ * one exists; this is as desired. */
transport_peers_copy(st,&st->setup_peers,&st->peers);
+ if (prod_hint_addr)
+ transport_record_peer(st,&st->setup_peers,prod_hint_addr,"prod");
+
if (configured_addr)
transport_record_peer(st,&st->setup_peers,configured_addr,"setupinit");