1 /* site.c - manage communication with a remote network site */
4 * This file is part of secnet.
5 * See README for full list of copyright holders.
7 * secnet is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * secnet is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * version 3 along with secnet; if not, see
19 * https://www.gnu.org/licenses/gpl.html.
22 /* The 'site' code doesn't know anything about the structure of the
23 packets it's transmitting. In fact, under the new netlink
24 configuration scheme it doesn't need to know anything at all about
25 IP addresses, except how to contact its peer. This means it could
26 potentially be used to tunnel other protocols too (IPv6, IPX, plain
27 old Ethernet frames) if appropriate netlink code can be written
28 (and that ought not to be too hard, eg. using the TUN/TAP device to
29 pretend to be an Ethernet interface). */
31 /* At some point in the future the netlink code will be asked for
32 configuration information to go in the PING/PONG packets at the end
33 of the key exchange. */
40 #include <sys/socket.h>
44 #include "unaligned.h"
47 #define SETUP_BUFFER_LEN 2048
49 #define DEFAULT_KEY_LIFETIME (3600*1000) /* [ms] */
50 #define DEFAULT_KEY_RENEGOTIATE_GAP (5*60*1000) /* [ms] */
51 #define DEFAULT_SETUP_RETRIES 5
52 #define DEFAULT_SETUP_RETRY_INTERVAL (2*1000) /* [ms] */
53 #define DEFAULT_WAIT_TIME (20*1000) /* [ms] */
55 #define DEFAULT_MOBILE_KEY_LIFETIME (2*24*3600*1000) /* [ms] */
56 #define DEFAULT_MOBILE_KEY_RENEGOTIATE_GAP (12*3600*1000) /* [ms] */
57 #define DEFAULT_MOBILE_SETUP_RETRIES 30
58 #define DEFAULT_MOBILE_SETUP_RETRY_INTERVAL (1*1000) /* [ms] */
59 #define DEFAULT_MOBILE_WAIT_TIME (10*1000) /* [ms] */
61 #define DEFAULT_MOBILE_PEER_EXPIRY (2*60) /* [s] */
63 /* Each site can be in one of several possible states. */
66 SITE_STOP - nothing is allowed to happen; tunnel is down;
67 all session keys have been erased
68 -> SITE_RUN upon external instruction
69 SITE_RUN - site up, maybe with valid key
70 -> SITE_RESOLVE upon outgoing packet and no valid key
71 we start name resolution for the other end of the tunnel
72 -> SITE_SENTMSG2 upon valid incoming message 1 and suitable time
73 we send an appropriate message 2
74 SITE_RESOLVE - waiting for name resolution
75 -> SITE_SENTMSG1 upon successful resolution
76 we send an appropriate message 1
77 -> SITE_SENTMSG2 upon valid incoming message 1 (then abort resolution)
78 we abort resolution and
79 -> SITE_WAIT on timeout or resolution failure
81 -> SITE_SENTMSG2 upon valid incoming message 1 from higher priority end
82 -> SITE_SENTMSG3 upon valid incoming message 2
83 -> SITE_WAIT on timeout
85 -> SITE_SENTMSG4 upon valid incoming message 3
86 -> SITE_WAIT on timeout
88 -> SITE_SENTMSG5 upon valid incoming message 4
89 -> SITE_WAIT on timeout
91 -> SITE_RUN upon valid incoming message 5
92 -> SITE_WAIT on timeout
94 -> SITE_RUN upon valid incoming message 6
95 -> SITE_WAIT on timeout
96 SITE_WAIT - failed to establish key; do nothing for a while
97 -> SITE_RUN on timeout
102 #define SITE_RESOLVE 2
103 #define SITE_SENTMSG1 3
104 #define SITE_SENTMSG2 4
105 #define SITE_SENTMSG3 5
106 #define SITE_SENTMSG4 6
107 #define SITE_SENTMSG5 7
110 #define CASES_MSG3_KNOWN LABEL_MSG3: case LABEL_MSG3BIS: case LABEL_MSG3TER
112 int32_t site_max_start_pad = 4*4;
114 static cstring_t state_name(uint32_t state)
117 case 0: return "STOP";
118 case 1: return "RUN";
119 case 2: return "RESOLVE";
120 case 3: return "SENTMSG1";
121 case 4: return "SENTMSG2";
122 case 5: return "SENTMSG3";
123 case 6: return "SENTMSG4";
124 case 7: return "SENTMSG5";
125 case 8: return "WAIT";
126 default: return "*bad state*";
132 #define LOG_UNEXPECTED 0x00000001
133 #define LOG_SETUP_INIT 0x00000002
134 #define LOG_SETUP_TIMEOUT 0x00000004
135 #define LOG_ACTIVATE_KEY 0x00000008
136 #define LOG_TIMEOUT_KEY 0x00000010
137 #define LOG_SEC 0x00000020
138 #define LOG_STATE 0x00000040
139 #define LOG_DROP 0x00000080
140 #define LOG_DUMP 0x00000100
141 #define LOG_ERROR 0x00000400
142 #define LOG_PEER_ADDRS 0x00000800
144 static struct flagstr log_event_table[]={
145 { "unexpected", LOG_UNEXPECTED },
146 { "setup-init", LOG_SETUP_INIT },
147 { "setup-timeout", LOG_SETUP_TIMEOUT },
148 { "activate-key", LOG_ACTIVATE_KEY },
149 { "timeout-key", LOG_TIMEOUT_KEY },
150 { "security", LOG_SEC },
151 { "state-change", LOG_STATE },
152 { "packet-drop", LOG_DROP },
153 { "dump-packets", LOG_DUMP },
154 { "errors", LOG_ERROR },
155 { "peer-addrs", LOG_PEER_ADDRS },
156 { "default", LOG_SETUP_INIT|LOG_SETUP_TIMEOUT|
157 LOG_ACTIVATE_KEY|LOG_TIMEOUT_KEY|LOG_SEC|LOG_ERROR },
158 { "all", 0xffffffff },
163 /***** TRANSPORT PEERS declarations *****/
165 /* Details of "mobile peer" semantics:
167 - We use the same data structure for the different configurations,
168 but manage it with different algorithms.
170 - We record up to mobile_peers_max peer address/port numbers
171 ("peers") for key setup, and separately up to mobile_peers_max
174 - In general, we make a new set of addrs (see below) when we start
175 a new key exchange; the key setup addrs become the data transport
176 addrs when key setup complets.
178 If our peer is mobile:
180 - We send to all recent addresses of incoming packets, plus
181 initially all configured addresses (which we also expire).
183 - So, we record addrs of good incoming packets, as follows:
184 1. expire any peers last seen >120s ("mobile-peer-expiry") ago
185 2. add the peer of the just received packet to the applicable list
186 (possibly evicting the oldest entries to make room)
187 NB that we do not expire peers until an incoming packet arrives.
189 - If the peer has a configured address or name, we record them the
190 same way, but only as a result of our own initiation of key
191 setup. (We might evict some incoming packet addrs to make room.)
193 - The default number of addrs to keep is 3, or 4 if we have a
194 configured name or address. That's space for two configured
195 addresses (one IPv6 and one IPv4), plus two received addresses.
197 - Outgoing packets are sent to every recorded address in the
198 applicable list. Any unsupported[1] addresses are deleted from
199 the list right away. (This should only happen to configured
200 addresses, of course, but there is no need to check that.)
202 - When we successfully complete a key setup, we merge the key setup
203 peers into the data transfer peers.
205 [1] An unsupported address is one for whose AF we don't have a
206 socket (perhaps because we got EAFNOSUPPORT or some such) or for
207 which sendto gives ENETUNREACH.
209 If neither end is mobile:
211 - When peer initiated the key exchange, we use the incoming packet
214 - When we initiate the key exchange, we try configured addresses
215 until we get one which isn't unsupported then fixate on that.
217 - When we complete a key setup, we replace the data transport peers
218 with those from the key setup.
222 - We can't tell when local network setup changes so we can't cache
223 the unsupported addrs and completely remove the spurious calls to
224 sendto, but we can optimise things a bit by deprioritising addrs
225 which seem to be unsupported.
227 - Use only configured addresses. (Except, that if our peer
228 initiated a key exchange we use the incoming packet address until
229 our name resolution completes.)
231 - When we send a packet, try each address in turn; if addr
232 supported, put that address to the end of the list for future
233 packets, and go onto the next address.
235 - When we complete a key setup, we replace the data transport peers
236 with those from the key setup.
242 struct comm_addr addr;
246 /* configuration information */
247 /* runtime information */
249 transport_peer peers[MAX_PEER_ADDRS];
252 /* Basic operations on transport peer address sets */
253 static void transport_peers_clear(struct site *st, transport_peers *peers);
254 static int transport_peers_valid(transport_peers *peers);
255 static void transport_peers_copy(struct site *st, transport_peers *dst,
256 const transport_peers *src);
258 /* Record address of incoming setup packet; resp. data packet. */
259 static void transport_setup_msgok(struct site *st, const struct comm_addr *a);
260 static void transport_data_msgok(struct site *st, const struct comm_addr *a);
262 /* Initialise the setup addresses. Called before we send the first
263 * packet in a key exchange. If we are the initiator, as a result of
264 * resolve completing (or being determined not to be relevant) or an
265 * incoming PROD; if we are the responder, as a result of the MSG1. */
266 static bool_t transport_compute_setupinit_peers(struct site *st,
267 const struct comm_addr *configured_addrs /* 0 if none or not found */,
268 int n_configured_addrs /* 0 if none or not found */,
269 const struct comm_addr *incoming_packet_addr /* 0 if none */);
271 /* Called if we are the responder in a key setup, when the resolve
272 * completes. transport_compute_setupinit_peers will hvae been called
273 * earlier. If _complete is called, we are still doing the key setup
274 * (and we should use the new values for both the rest of the key
275 * setup and the ongoing data exchange); if _tardy is called, the key
276 * setup is done (either completed or not) and only the data peers are
278 static void transport_resolve_complete(struct site *st,
279 const struct comm_addr *addrs, int naddrs);
280 static void transport_resolve_complete_tardy(struct site *st,
281 const struct comm_addr *addrs, int naddrs);
283 static void transport_xmit(struct site *st, transport_peers *peers,
284 struct buffer_if *buf, bool_t candebug);
286 /***** END of transport peers declarations *****/
290 struct transform_inst_if *transform;
291 uint64_t key_timeout; /* End of life of current key */
292 uint32_t remote_session_id;
298 /* configuration information */
302 bool_t local_mobile, peer_mobile; /* Mobile client support */
303 int32_t transport_peers_max;
304 string_t tunname; /* localname<->remotename by default, used in logs */
305 cstring_t *addresses; /* DNS name or address(es) for bootstrapping, optional */
306 int remoteport; /* Port for bootstrapping, optional */
308 struct netlink_if *netlink;
309 struct comm_if **comms;
310 struct comm_clientinfo **commclientinfos;
312 struct resolver_if *resolver;
314 struct random_if *random;
315 struct rsaprivkey_if *privkey;
316 struct rsapubkey_if *pubkey;
317 struct transform_if **transforms;
321 struct hash_if *hash;
323 uint32_t index; /* Index of this site */
324 uint32_t early_capabilities;
325 uint32_t local_capabilities;
326 int32_t setup_retries; /* How many times to send setup packets */
327 int32_t setup_retry_interval; /* Initial timeout for setup packets */
328 int32_t wait_timeout_mean; /* How long to wait if setup unsuccessful */
329 int32_t mobile_peer_expiry; /* How long to remember 2ary addresses */
330 int32_t key_lifetime; /* How long a key lasts once set up */
331 int32_t key_renegotiate_time; /* If we see traffic (or a keepalive)
332 after this time, initiate a new
335 bool_t our_name_later; /* our name > peer name */
338 /* runtime information */
340 uint64_t now; /* Most recently seen time */
341 bool_t allow_send_prod;
342 bool_t msg1_crossed_logged;
344 int resolving_n_results_all;
345 int resolving_n_results_stored;
346 struct comm_addr resolving_results[MAX_PEER_ADDRS];
348 /* The currently established session */
349 struct data_key current;
350 struct data_key auxiliary_key;
351 bool_t auxiliary_is_new;
352 uint64_t renegotiate_key_time; /* When we can negotiate a new key */
353 uint64_t auxiliary_renegotiate_key_time;
354 transport_peers peers; /* Current address(es) of peer for data traffic */
356 /* The current key setup protocol exchange. We can only be
357 involved in one of these at a time. There's a potential for
358 denial of service here (the attacker keeps sending a setup
359 packet; we keep trying to continue the exchange, and have to
360 timeout before we can listen for another setup packet); perhaps
361 we should keep a list of 'bad' sources for setup packets. */
362 uint32_t remote_capabilities;
363 uint16_t remote_adv_mtu;
364 struct transform_if *chosen_transform;
365 struct dh_if *chosen_dh;
366 uint32_t setup_session_id;
367 transport_peers setup_peers;
368 uint8_t localN[NONCELEN]; /* Nonces for key exchange */
369 uint8_t remoteN[NONCELEN];
370 struct buffer_if buffer; /* Current outgoing key exchange packet */
371 struct buffer_if scratch;
372 int32_t retries; /* Number of retries remaining */
373 uint64_t timeout; /* Timeout for current state */
375 uint8_t *sharedsecret;
376 struct transform_inst_if *new_transform; /* For key setup/verify */
379 static uint32_t event_log_priority(struct site *st, uint32_t event)
381 if (!(event&st->log_events))
384 case LOG_UNEXPECTED: return M_INFO;
385 case LOG_SETUP_INIT: return M_INFO;
386 case LOG_SETUP_TIMEOUT: return M_NOTICE;
387 case LOG_ACTIVATE_KEY: return M_INFO;
388 case LOG_TIMEOUT_KEY: return M_INFO;
389 case LOG_SEC: return M_SECURITY;
390 case LOG_STATE: return M_DEBUG;
391 case LOG_DROP: return M_DEBUG;
392 case LOG_DUMP: return M_DEBUG;
393 case LOG_ERROR: return M_ERR;
394 case LOG_PEER_ADDRS: return M_DEBUG;
395 default: return M_ERR;
399 static void vslog(struct site *st, uint32_t event, cstring_t msg, va_list ap)
401 static void vslog(struct site *st, uint32_t event, cstring_t msg, va_list ap)
405 class=event_log_priority(st, event);
407 slilog_part(st->log,class,"%s: ",st->tunname);
408 vslilog_part(st->log,class,msg,ap);
409 slilog_part(st->log,class,"\n");
413 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
415 static void slog(struct site *st, uint32_t event, cstring_t msg, ...)
419 vslog(st,event,msg,ap);
423 static void logtimeout(struct site *st, const char *fmt, ...)
425 static void logtimeout(struct site *st, const char *fmt, ...)
427 uint32_t class=event_log_priority(st,LOG_SETUP_TIMEOUT);
434 slilog_part(st->log,class,"%s: ",st->tunname);
435 vslilog_part(st->log,class,fmt,ap);
439 for (i=0, delim=" (tried ";
440 i<st->setup_peers.npeers;
442 transport_peer *peer=&st->setup_peers.peers[i];
443 const char *s=comm_addr_to_string(&peer->addr);
444 slilog_part(st->log,class,"%s%s",delim,s);
447 slilog_part(st->log,class,")\n");
451 static void set_link_quality(struct site *st);
452 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel);
453 static void delete_one_key(struct site *st, struct data_key *key,
454 const char *reason /* may be 0 meaning don't log*/,
455 const char *which /* ignored if !reasonn */,
456 uint32_t loglevel /* ignored if !reasonn */);
457 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
458 const struct comm_addr *prod_hint);
459 static void enter_state_run(struct site *st);
460 static bool_t enter_state_resolve(struct site *st);
461 static void decrement_resolving_count(struct site *st, int by);
462 static bool_t enter_new_state(struct site *st,uint32_t next);
463 static void enter_state_wait(struct site *st);
464 static void activate_new_key(struct site *st);
466 static bool_t is_transform_valid(struct transform_inst_if *transform)
468 return transform && transform->valid(transform->st);
471 static bool_t current_valid(struct site *st)
473 return is_transform_valid(st->current.transform);
476 #define DEFINE_CALL_TRANSFORM(fwdrev) \
477 static transform_apply_return \
478 call_transform_##fwdrev(struct site *st, \
479 struct transform_inst_if *transform, \
480 struct buffer_if *buf, \
481 const char **errmsg) \
483 if (!is_transform_valid(transform)) { \
484 *errmsg="transform not set up"; \
485 return transform_apply_err; \
487 return transform->fwdrev(transform->st,buf,errmsg); \
490 DEFINE_CALL_TRANSFORM(forwards)
491 DEFINE_CALL_TRANSFORM(reverse)
493 static void dispose_transform(struct transform_inst_if **transform_var)
495 struct transform_inst_if *transform=*transform_var;
497 transform->delkey(transform->st);
498 transform->destroy(transform->st);
503 #define CHECK_AVAIL(b,l) do { if ((b)->size<(l)) return False; } while(0)
504 #define CHECK_EMPTY(b) do { if ((b)->size!=0) return False; } while(0)
505 #define CHECK_TYPE(b,t) do { uint32_t type; \
506 CHECK_AVAIL((b),4); \
507 type=buf_unprepend_uint32((b)); \
508 if (type!=(t)) return False; } while(0)
510 static _Bool type_is_msg34(uint32_t type)
513 case CASES_MSG3_KNOWN: case LABEL_MSG4: return True;
514 default: return False;
521 struct buffer_if extrainfo;
528 struct parsedname remote;
529 struct parsedname local;
530 uint32_t remote_capabilities;
532 int capab_transformnum;
543 static int32_t wait_timeout(struct site *st) {
544 int32_t t = st->wait_timeout_mean;
547 st->random->generate(st->random->st,sizeof(factor),&factor);
548 t += (t / 256) * factor;
553 static _Bool set_new_transform(struct site *st, char *pk)
557 /* Generate the shared key */
558 assert(!st->sharedsecret);
559 st->sharedsecret = safe_malloc(st->chosen_dh->shared_len,
560 "site:sharedsecret");
561 if (!st->chosen_dh->makeshared(st->chosen_dh->st,
562 st->dhsecret,st->chosen_dh->secret_len,
565 st->chosen_dh->shared_len))
568 /* Set up the transform */
569 struct transform_if *generator=st->chosen_transform;
570 struct transform_inst_if *generated=generator->create(generator->st);
571 ok = generated->setkey(generated->st,st->sharedsecret,
572 st->chosen_dh->shared_len,st->our_name_later);
574 dispose_transform(&st->new_transform);
575 if (!ok) return False;
576 st->new_transform=generated;
578 slog(st,LOG_SETUP_INIT,"key exchange negotiated transform"
579 " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")",
580 st->chosen_transform->capab_bit,
581 st->local_capabilities, st->remote_capabilities);
586 int32_t lenpos, afternul;
588 static void append_string_xinfo_start(struct buffer_if *buf,
589 struct xinfoadd *xia,
591 /* Helps construct one of the names with additional info as found
592 * in MSG1..4. Call this function first, then append all the
593 * desired extra info (not including the nul byte) to the buffer,
594 * then call append_string_xinfo_done. */
596 xia->lenpos = buf->size;
597 buf_append_string(buf,str);
598 buf_append_uint8(buf,0);
599 xia->afternul = buf->size;
601 static void append_string_xinfo_done(struct buffer_if *buf,
602 struct xinfoadd *xia)
604 /* we just need to adjust the string length */
605 if (buf->size == xia->afternul) {
606 /* no extra info, strip the nul too */
607 buf_unappend_uint8(buf);
609 put_uint16(buf->start+xia->lenpos, buf->size-(xia->lenpos+2));
613 /* Build any of msg1 to msg4. msg5 and msg6 are built from the inside
614 out using a transform of config data supplied by netlink */
615 static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what)
622 st->retries=st->setup_retries;
623 BUF_ALLOC(&st->buffer,what);
624 buffer_init(&st->buffer,0);
625 buf_append_uint32(&st->buffer,
626 (type==LABEL_MSG1?0:st->setup_session_id));
627 buf_append_uint32(&st->buffer,st->index);
628 buf_append_uint32(&st->buffer,type);
631 append_string_xinfo_start(&st->buffer,&xia,st->localname);
632 if ((st->local_capabilities & st->early_capabilities) ||
633 (type != LABEL_MSG1)) {
634 buf_append_uint32(&st->buffer,st->local_capabilities);
636 if (type_is_msg34(type)) {
637 buf_append_uint16(&st->buffer,st->mtu_target);
639 append_string_xinfo_done(&st->buffer,&xia);
641 buf_append_string(&st->buffer,st->remotename);
642 BUF_ADD_OBJ(append,&st->buffer,st->localN);
643 if (type==LABEL_MSG1) return True;
644 BUF_ADD_OBJ(append,&st->buffer,st->remoteN);
645 if (type==LABEL_MSG2) return True;
647 if (hacky_par_mid_failnow()) return False;
649 if (MSGMAJOR(type) == 3) do {
650 minor = MSGMINOR(type);
651 if (minor < 1) break;
652 buf_append_uint8(&st->buffer,st->chosen_transform->capab_bit);
653 if (minor < 2) break;
654 buf_append_uint8(&st->buffer,st->chosen_dh->capab_bit);
657 dhpub=st->chosen_dh->makepublic(st->chosen_dh->st,
658 st->dhsecret,st->chosen_dh->secret_len);
659 buf_append_string(&st->buffer,dhpub);
661 hash=safe_malloc(st->hash->len, "generate_msg");
662 hst=st->hash->init();
663 st->hash->update(hst,st->buffer.start,st->buffer.size);
664 st->hash->final(hst,hash);
665 sig=st->privkey->sign(st->privkey->st,hash,st->hash->len);
666 buf_append_string(&st->buffer,sig);
672 static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm)
675 nm->len=buf_unprepend_uint16(msg);
676 CHECK_AVAIL(msg,nm->len);
677 nm->name=buf_unprepend(msg,nm->len);
678 uint8_t *nul=memchr(nm->name,0,nm->len);
680 buffer_readonly_view(&nm->extrainfo,0,0);
682 buffer_readonly_view(&nm->extrainfo, nul+1, msg->start-(nul+1));
683 nm->len=nul-nm->name;
688 static bool_t unpick_msg(struct site *st, uint32_t type,
689 struct buffer_if *msg, struct msg *m)
693 m->capab_transformnum=m->capab_dhnum=-1;
694 m->hashstart=msg->start;
696 m->dest=buf_unprepend_uint32(msg);
698 m->source=buf_unprepend_uint32(msg);
699 CHECK_TYPE(msg,type);
700 if (!unpick_name(msg,&m->remote)) return False;
701 m->remote_capabilities=0;
703 if (m->remote.extrainfo.size) {
704 CHECK_AVAIL(&m->remote.extrainfo,4);
705 m->remote_capabilities=buf_unprepend_uint32(&m->remote.extrainfo);
707 if (type_is_msg34(type) && m->remote.extrainfo.size) {
708 CHECK_AVAIL(&m->remote.extrainfo,2);
709 m->remote_mtu=buf_unprepend_uint16(&m->remote.extrainfo);
711 if (!unpick_name(msg,&m->local)) return False;
712 if (type==LABEL_PROD) {
716 CHECK_AVAIL(msg,NONCELEN);
717 m->nR=buf_unprepend(msg,NONCELEN);
718 if (type==LABEL_MSG1) {
722 CHECK_AVAIL(msg,NONCELEN);
723 m->nL=buf_unprepend(msg,NONCELEN);
724 if (type==LABEL_MSG2) {
728 if (MSGMAJOR(type) == 3) do {
729 minor = MSGMINOR(type);
730 #define MAYBE_READ_CAP(minminor, kind, dflt) do { \
731 if (minor < (minminor)) \
732 m->capab_##kind##num = (dflt); \
734 CHECK_AVAIL(msg, 1); \
735 m->capab_##kind##num = buf_unprepend_uint8(msg); \
738 MAYBE_READ_CAP(1, transform, CAPAB_BIT_ANCIENTTRANSFORM);
739 MAYBE_READ_CAP(2, dh, CAPAB_BIT_TRADZP);
740 #undef MAYBE_READ_CAP
743 m->pklen=buf_unprepend_uint16(msg);
744 CHECK_AVAIL(msg,m->pklen);
745 m->pk=buf_unprepend(msg,m->pklen);
746 m->hashlen=msg->start-m->hashstart;
748 m->siglen=buf_unprepend_uint16(msg);
749 CHECK_AVAIL(msg,m->siglen);
750 m->sig=buf_unprepend(msg,m->siglen);
753 /* In `process_msg3_msg4' below, we assume that we can write a nul
754 * terminator following the signature. Make sure there's enough space.
756 if (msg->start >= msg->base + msg->alloclen)
762 static bool_t name_matches(const struct parsedname *nm, const char *expected)
764 int expected_len=strlen(expected);
766 nm->len == expected_len &&
767 !memcmp(nm->name, expected, expected_len);
770 static bool_t check_msg(struct site *st, uint32_t type, struct msg *m,
773 if (type==LABEL_MSG1) return True;
775 /* Check that the site names and our nonce have been sent
776 back correctly, and then store our peer's nonce. */
777 if (!name_matches(&m->remote,st->remotename)) {
778 *error="wrong remote site name";
781 if (!name_matches(&m->local,st->localname)) {
782 *error="wrong local site name";
785 if (memcmp(m->nL,st->localN,NONCELEN)!=0) {
786 *error="wrong locally-generated nonce";
789 if (type==LABEL_MSG2) return True;
790 if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)) {
791 *error="wrong remotely-generated nonce";
794 /* MSG3 has complicated rules about capabilities, which are
795 * handled in process_msg3. */
796 if (MSGMAJOR(type) == 3) return True;
797 if (m->remote_capabilities!=st->remote_capabilities) {
798 *error="remote capabilities changed";
801 if (type==LABEL_MSG4) return True;
802 *error="unknown message type";
806 static bool_t generate_msg1(struct site *st)
808 st->random->generate(st->random->st,NONCELEN,st->localN);
809 return generate_msg(st,LABEL_MSG1,"site:MSG1");
812 static bool_t process_msg1(struct site *st, struct buffer_if *msg1,
813 const struct comm_addr *src, struct msg *m)
815 /* We've already determined we're in an appropriate state to
816 process an incoming MSG1, and that the MSG1 has correct values
819 st->setup_session_id=m->source;
820 st->remote_capabilities=m->remote_capabilities;
821 memcpy(st->remoteN,m->nR,NONCELEN);
825 static bool_t generate_msg2(struct site *st)
827 st->random->generate(st->random->st,NONCELEN,st->localN);
828 return generate_msg(st,LABEL_MSG2,"site:MSG2");
831 static bool_t process_msg2(struct site *st, struct buffer_if *msg2,
832 const struct comm_addr *src)
837 if (!unpick_msg(st,LABEL_MSG2,msg2,&m)) return False;
838 if (!check_msg(st,LABEL_MSG2,&m,&err)) {
839 slog(st,LOG_SEC,"msg2: %s",err);
842 st->setup_session_id=m.source;
843 st->remote_capabilities=m.remote_capabilities;
845 /* Select the transform and DH group to use */
847 uint32_t remote_crypto_caps = st->remote_capabilities;
848 if (!(remote_crypto_caps & CAPAB_EXPLICIT_TRANSFORM_DH))
849 remote_crypto_caps &= CAPAB_INEXPLICIT_TRANSFORM_MASK;
850 if (!remote_crypto_caps)
851 /* old secnets only had this one transform */
852 remote_crypto_caps = 1UL << CAPAB_BIT_ANCIENTTRANSFORM;
853 if (!(remote_crypto_caps & CAPAB_EXPLICIT_TRANSFORM_DH))
854 /* old secnets only had this one kind of group */
855 remote_crypto_caps |= 1UL << CAPAB_BIT_TRADZP;
857 #define CHOOSE_CRYPTO(kind, whats) do { \
858 struct kind##_if *iface; \
859 uint32_t bit, ours = 0; \
861 for (i= 0; i < st->n##kind##s; i++) { \
862 iface=st->kind##s[i]; \
863 bit = 1UL << iface->capab_bit; \
864 if (bit & remote_crypto_caps) goto kind##_found; \
867 slog(st,LOG_ERROR,"no " whats " in common" \
868 " (us %#"PRIx32"; them: %#"PRIx32")", \
869 st->local_capabilities & ours, remote_crypto_caps); \
872 st->chosen_##kind = iface; \
875 CHOOSE_CRYPTO(transform, "transforms");
876 CHOOSE_CRYPTO(dh, "Diffie--Hellman groups");
880 memcpy(st->remoteN,m.nR,NONCELEN);
884 static void generate_dhsecret(struct site *st)
886 slog(st,LOG_SETUP_INIT,"key exchange negotiated DH group"
887 " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")",
888 st->chosen_dh->capab_bit,
889 st->local_capabilities, st->remote_capabilities);
890 assert(!st->dhsecret);
891 st->dhsecret = safe_malloc(st->chosen_dh->secret_len, "site:dhsecret");
892 st->random->generate(st->random->st,
893 st->chosen_dh->secret_len,st->dhsecret);
896 static bool_t generate_msg3(struct site *st)
898 /* Now we have our nonce and their nonce. Think of a secret key,
899 and create message number 3. */
900 generate_dhsecret(st);
901 return generate_msg(st,
902 (st->remote_capabilities &
903 CAPAB_EXPLICIT_TRANSFORM_DH)
905 : (st->remote_capabilities &
906 CAPAB_INEXPLICIT_TRANSFORM_MASK)
912 static bool_t process_msg3_msg4(struct site *st, struct msg *m)
917 /* Check signature and store g^x mod m */
918 hash=safe_malloc(st->hash->len, "process_msg3_msg4");
919 hst=st->hash->init();
920 st->hash->update(hst,m->hashstart,m->hashlen);
921 st->hash->final(hst,hash);
922 /* Terminate signature with a '0' - already checked that this will fit */
924 if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m->sig)) {
925 slog(st,LOG_SEC,"msg3/msg4 signature failed check!");
931 st->remote_adv_mtu=m->remote_mtu;
936 static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
937 const struct comm_addr *src, uint32_t msgtype)
943 case CASES_MSG3_KNOWN: break;
947 if (!unpick_msg(st,msgtype,msg3,&m)) return False;
948 if (!check_msg(st,msgtype,&m,&err)) {
949 slog(st,LOG_SEC,"msg3: %s",err);
952 uint32_t capab_adv_late = m.remote_capabilities
953 & ~st->remote_capabilities & st->early_capabilities;
954 if (capab_adv_late) {
955 slog(st,LOG_SEC,"msg3 impermissibly adds early capability flag(s)"
956 " %#"PRIx32" (was %#"PRIx32", now %#"PRIx32")",
957 capab_adv_late, st->remote_capabilities, m.remote_capabilities);
960 st->remote_capabilities|=m.remote_capabilities;
962 #define CHOSE_CRYPTO(kind, what) do { \
963 struct kind##_if *iface; \
965 for (i=0; i<st->n##kind##s; i++) { \
966 iface=st->kind##s[i]; \
967 if (iface->capab_bit == m.capab_##kind##num) \
970 slog(st,LOG_SEC,"peer chose unknown-to-us " what " %d!", \
971 m.capab_##kind##num); \
974 st->chosen_##kind=iface; \
977 CHOSE_CRYPTO(transform, "transform");
978 CHOSE_CRYPTO(dh, "Diffie--Hellman group");
982 if (!process_msg3_msg4(st,&m))
985 /* Terminate their DH public key with a '0' */
987 /* Invent our DH secret key */
988 generate_dhsecret(st);
990 /* Generate the shared key and set up the transform */
991 if (!set_new_transform(st,m.pk)) return False;
996 static bool_t generate_msg4(struct site *st)
998 /* We have both nonces, their public key and our private key. Generate
999 our public key, sign it and send it to them. */
1000 return generate_msg(st,LABEL_MSG4,"site:MSG4");
1003 static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
1004 const struct comm_addr *src)
1009 if (!unpick_msg(st,LABEL_MSG4,msg4,&m)) return False;
1010 if (!check_msg(st,LABEL_MSG4,&m,&err)) {
1011 slog(st,LOG_SEC,"msg4: %s",err);
1015 if (!process_msg3_msg4(st,&m))
1018 /* Terminate their DH public key with a '0' */
1021 /* Generate the shared key and set up the transform */
1022 if (!set_new_transform(st,m.pk)) return False;
1033 static bool_t unpick_msg0(struct site *st, struct buffer_if *msg0,
1036 CHECK_AVAIL(msg0,4);
1037 m->dest=buf_unprepend_uint32(msg0);
1038 CHECK_AVAIL(msg0,4);
1039 m->source=buf_unprepend_uint32(msg0);
1040 CHECK_AVAIL(msg0,4);
1041 m->type=buf_unprepend_uint32(msg0);
1043 /* Leaves transformed part of buffer untouched */
1046 static bool_t generate_msg5(struct site *st)
1048 cstring_t transform_err;
1050 BUF_ALLOC(&st->buffer,"site:MSG5");
1051 /* We are going to add four words to the message */
1052 buffer_init(&st->buffer,calculate_max_start_pad());
1053 /* Give the netlink code an opportunity to put its own stuff in the
1054 message (configuration information, etc.) */
1055 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
1056 if (call_transform_forwards(st,st->new_transform,
1057 &st->buffer,&transform_err))
1059 buf_prepend_uint32(&st->buffer,LABEL_MSG5);
1060 buf_prepend_uint32(&st->buffer,st->index);
1061 buf_prepend_uint32(&st->buffer,st->setup_session_id);
1063 st->retries=st->setup_retries;
1067 static bool_t process_msg5(struct site *st, struct buffer_if *msg5,
1068 const struct comm_addr *src,
1069 struct transform_inst_if *transform)
1072 cstring_t transform_err;
1074 if (!unpick_msg0(st,msg5,&m)) return False;
1076 if (call_transform_reverse(st,transform,msg5,&transform_err)) {
1077 /* There's a problem */
1078 slog(st,LOG_SEC,"process_msg5: transform: %s",transform_err);
1081 /* Buffer should now contain untransformed PING packet data */
1082 CHECK_AVAIL(msg5,4);
1083 if (buf_unprepend_uint32(msg5)!=LABEL_MSG5) {
1084 slog(st,LOG_SEC,"MSG5/PING packet contained wrong label");
1087 /* Older versions of secnet used to write some config data here
1088 * which we ignore. So we don't CHECK_EMPTY */
1092 static void create_msg6(struct site *st, struct transform_inst_if *transform,
1093 uint32_t session_id)
1095 cstring_t transform_err;
1097 BUF_ALLOC(&st->buffer,"site:MSG6");
1098 /* We are going to add four words to the message */
1099 buffer_init(&st->buffer,calculate_max_start_pad());
1100 /* Give the netlink code an opportunity to put its own stuff in the
1101 message (configuration information, etc.) */
1102 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
1103 transform_apply_return problem =
1104 call_transform_forwards(st,transform,
1105 &st->buffer,&transform_err);
1107 buf_prepend_uint32(&st->buffer,LABEL_MSG6);
1108 buf_prepend_uint32(&st->buffer,st->index);
1109 buf_prepend_uint32(&st->buffer,session_id);
1112 static bool_t generate_msg6(struct site *st)
1114 if (!is_transform_valid(st->new_transform))
1116 create_msg6(st,st->new_transform,st->setup_session_id);
1117 st->retries=1; /* Peer will retransmit MSG5 if this packet gets lost */
1121 static bool_t process_msg6(struct site *st, struct buffer_if *msg6,
1122 const struct comm_addr *src)
1125 cstring_t transform_err;
1127 if (!unpick_msg0(st,msg6,&m)) return False;
1129 if (call_transform_reverse(st,st->new_transform,msg6,&transform_err)) {
1130 /* There's a problem */
1131 slog(st,LOG_SEC,"process_msg6: transform: %s",transform_err);
1134 /* Buffer should now contain untransformed PING packet data */
1135 CHECK_AVAIL(msg6,4);
1136 if (buf_unprepend_uint32(msg6)!=LABEL_MSG6) {
1137 slog(st,LOG_SEC,"MSG6/PONG packet contained invalid data");
1140 /* Older versions of secnet used to write some config data here
1141 * which we ignore. So we don't CHECK_EMPTY */
1145 static transform_apply_return
1146 decrypt_msg0(struct site *st, struct buffer_if *msg0,
1147 const struct comm_addr *src)
1149 cstring_t transform_err, auxkey_err, newkey_err="n/a";
1151 transform_apply_return problem;
1153 if (!unpick_msg0(st,msg0,&m)) return False;
1155 /* Keep a copy so we can try decrypting it with multiple keys */
1156 buffer_copy(&st->scratch, msg0);
1158 problem = call_transform_reverse(st,st->current.transform,
1159 msg0,&transform_err);
1161 if (!st->auxiliary_is_new)
1162 delete_one_key(st,&st->auxiliary_key,
1163 "peer has used new key","auxiliary key",LOG_SEC);
1166 if (transform_apply_return_badseq(problem))
1169 buffer_copy(msg0, &st->scratch);
1170 problem = call_transform_reverse(st,st->auxiliary_key.transform,
1173 slog(st,LOG_DROP,"processing packet which uses auxiliary key");
1174 if (st->auxiliary_is_new) {
1175 /* We previously timed out in state SENTMSG5 but it turns
1176 * out that our peer did in fact get our MSG5 and is
1177 * using the new key. So we should switch to it too. */
1178 /* This is a bit like activate_new_key. */
1181 st->current=st->auxiliary_key;
1182 st->auxiliary_key=t;
1184 delete_one_key(st,&st->auxiliary_key,"peer has used new key",
1185 "previous key",LOG_SEC);
1186 st->auxiliary_is_new=0;
1187 st->renegotiate_key_time=st->auxiliary_renegotiate_key_time;
1191 if (transform_apply_return_badseq(problem))
1194 if (st->state==SITE_SENTMSG5) {
1195 buffer_copy(msg0, &st->scratch);
1196 problem = call_transform_reverse(st,st->new_transform,
1199 /* It looks like we didn't get the peer's MSG6 */
1200 /* This is like a cut-down enter_new_state(SITE_RUN) */
1201 slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)");
1202 BUF_FREE(&st->buffer);
1204 activate_new_key(st);
1205 return 0; /* do process the data in this packet */
1207 if (transform_apply_return_badseq(problem))
1211 slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)",
1212 transform_err,auxkey_err,newkey_err);
1213 initiate_key_setup(st,"incoming message would not decrypt",0);
1214 send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt");
1219 slog(st,LOG_DROP,"transform: %s (bad seq.)",transform_err);
1224 static bool_t process_msg0(struct site *st, struct buffer_if *msg0,
1225 const struct comm_addr *src)
1228 transform_apply_return problem;
1230 problem = decrypt_msg0(st,msg0,src);
1231 if (problem==transform_apply_seqdupe) {
1232 /* We recently received another copy of this packet, maybe due
1233 * to polypath. That's not a problem; indeed, for the
1234 * purposes of transport address management it is a success.
1235 * But we don't want to process the packet. */
1236 transport_data_msgok(st,src);
1242 CHECK_AVAIL(msg0,4);
1243 type=buf_unprepend_uint32(msg0);
1246 /* We must forget about the current session. */
1247 delete_keys(st,"request from peer",LOG_SEC);
1248 /* probably, the peer is shutting down, and this is going to fail,
1249 * but we need to be trying to bring the link up again */
1251 initiate_key_setup(st,"peer requested key teardown",0);
1254 /* Deliver to netlink layer */
1255 st->netlink->deliver(st->netlink->st,msg0);
1256 transport_data_msgok(st,src);
1257 /* See whether we should start negotiating a new key */
1258 if (st->now > st->renegotiate_key_time)
1259 initiate_key_setup(st,"incoming packet in renegotiation window",0);
1262 slog(st,LOG_SEC,"incoming encrypted message of type %08x "
1269 static void dump_packet(struct site *st, struct buffer_if *buf,
1270 const struct comm_addr *addr, bool_t incoming,
1273 uint32_t dest=get_uint32(buf->start);
1274 uint32_t source=get_uint32(buf->start+4);
1275 uint32_t msgtype=get_uint32(buf->start+8);
1277 if (st->log_events & LOG_DUMP)
1278 slilog(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x: %s%s",
1279 st->tunname,incoming?"incoming":"outgoing",
1280 dest,source,msgtype,comm_addr_to_string(addr),
1284 static bool_t comm_addr_sendmsg(struct site *st,
1285 const struct comm_addr *dest,
1286 struct buffer_if *buf)
1289 struct comm_clientinfo *commclientinfo = 0;
1291 for (i=0; i < st->ncomms; i++) {
1292 if (st->comms[i] == dest->comm) {
1293 commclientinfo = st->commclientinfos[i];
1297 return dest->comm->sendmsg(dest->comm->st, buf, dest, commclientinfo);
1300 static uint32_t site_status(void *st)
1305 static bool_t send_msg(struct site *st)
1307 if (st->retries>0) {
1308 transport_xmit(st, &st->setup_peers, &st->buffer, True);
1309 st->timeout=st->now+st->setup_retry_interval;
1312 } else if (st->state==SITE_SENTMSG5) {
1313 logtimeout(st,"timed out sending MSG5, stashing new key");
1314 /* We stash the key we have produced, in case it turns out that
1315 * our peer did see our MSG5 after all and starts using it. */
1316 /* This is a bit like some of activate_new_key */
1317 struct transform_inst_if *t;
1318 t=st->auxiliary_key.transform;
1319 st->auxiliary_key.transform=st->new_transform;
1320 st->new_transform=t;
1321 dispose_transform(&st->new_transform);
1323 st->auxiliary_is_new=1;
1324 st->auxiliary_key.key_timeout=st->now+st->key_lifetime;
1325 st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time;
1326 st->auxiliary_key.remote_session_id=st->setup_session_id;
1328 enter_state_wait(st);
1331 logtimeout(st,"timed out sending key setup packet "
1332 "(in state %s)",state_name(st->state));
1333 enter_state_wait(st);
1338 static void site_resolve_callback(void *sst, const struct comm_addr *addrs,
1339 int stored_naddrs, int all_naddrs,
1340 const char *address, const char *failwhy)
1342 struct site *st=sst;
1344 if (!stored_naddrs) {
1345 slog(st,LOG_ERROR,"resolution of %s failed: %s",address,failwhy);
1347 slog(st,LOG_PEER_ADDRS,"resolution of %s completed, %d addrs, eg: %s",
1348 address, all_naddrs, comm_addr_to_string(&addrs[0]));;
1350 int space=st->transport_peers_max-st->resolving_n_results_stored;
1351 int n_tocopy=MIN(stored_naddrs,space);
1352 COPY_ARRAY(st->resolving_results + st->resolving_n_results_stored,
1355 st->resolving_n_results_stored += n_tocopy;
1356 st->resolving_n_results_all += all_naddrs;
1359 decrement_resolving_count(st,1);
1362 static void decrement_resolving_count(struct site *st, int by)
1364 assert(st->resolving_count>0);
1365 st->resolving_count-=by;
1367 if (st->resolving_count)
1370 /* OK, we are done with them all. Handle combined results. */
1372 const struct comm_addr *addrs=st->resolving_results;
1373 int naddrs=st->resolving_n_results_stored;
1374 assert(naddrs<=st->transport_peers_max);
1377 if (naddrs != st->resolving_n_results_all) {
1378 slog(st,LOG_SETUP_INIT,"resolution of supplied addresses/names"
1379 " yielded too many results (%d > %d), some ignored",
1380 st->resolving_n_results_all, naddrs);
1382 slog(st,LOG_STATE,"resolution completed, %d addrs, eg: %s",
1383 naddrs, iaddr_to_string(&addrs[0].ia));;
1386 switch (st->state) {
1388 if (transport_compute_setupinit_peers(st,addrs,naddrs,0)) {
1389 enter_new_state(st,SITE_SENTMSG1);
1391 /* Can't figure out who to try to to talk to */
1392 slog(st,LOG_SETUP_INIT,
1393 "key exchange failed: cannot find peer address");
1394 enter_state_run(st);
1397 case SITE_SENTMSG1: case SITE_SENTMSG2:
1398 case SITE_SENTMSG3: case SITE_SENTMSG4:
1401 /* We start using the address immediately for data too.
1402 * It's best to store it in st->peers now because we might
1403 * go via SENTMSG5, WAIT, and a MSG0, straight into using
1404 * the new key (without updating the data peer addrs). */
1405 transport_resolve_complete(st,addrs,naddrs);
1406 } else if (st->local_mobile) {
1407 /* We can't let this rest because we may have a peer
1408 * address which will break in the future. */
1409 slog(st,LOG_SETUP_INIT,"resolution failed: "
1410 "abandoning key exchange");
1411 enter_state_wait(st);
1413 slog(st,LOG_SETUP_INIT,"resolution failed: "
1414 " continuing to use source address of peer's packets"
1415 " for key exchange and ultimately data");
1420 slog(st,LOG_SETUP_INIT,"resolution completed tardily,"
1421 " updating peer address(es)");
1422 transport_resolve_complete_tardy(st,addrs,naddrs);
1423 } else if (st->local_mobile) {
1424 /* Not very good. We should queue (another) renegotiation
1425 * so that we can update the peer address. */
1426 st->key_renegotiate_time=st->now+wait_timeout(st);
1428 slog(st,LOG_SETUP_INIT,"resolution failed: "
1429 " continuing to use source address of peer's packets");
1439 static bool_t initiate_key_setup(struct site *st, cstring_t reason,
1440 const struct comm_addr *prod_hint)
1442 /* Reentrancy hazard: can call enter_new_state/enter_state_* */
1443 if (st->state!=SITE_RUN) return False;
1444 slog(st,LOG_SETUP_INIT,"initiating key exchange (%s)",reason);
1445 if (st->addresses) {
1446 slog(st,LOG_SETUP_INIT,"resolving peer address(es)");
1447 return enter_state_resolve(st);
1448 } else if (transport_compute_setupinit_peers(st,0,0,prod_hint)) {
1449 return enter_new_state(st,SITE_SENTMSG1);
1451 slog(st,LOG_SETUP_INIT,"key exchange failed: no address for peer");
1455 static void activate_new_key(struct site *st)
1457 struct transform_inst_if *t;
1459 /* We have three transform instances, which we swap between old,
1461 t=st->auxiliary_key.transform;
1462 st->auxiliary_key.transform=st->current.transform;
1463 st->current.transform=st->new_transform;
1464 st->new_transform=t;
1465 dispose_transform(&st->new_transform);
1468 st->auxiliary_is_new=0;
1469 st->auxiliary_key.key_timeout=st->current.key_timeout;
1470 st->current.key_timeout=st->now+st->key_lifetime;
1471 st->renegotiate_key_time=st->now+st->key_renegotiate_time;
1472 transport_peers_copy(st,&st->peers,&st->setup_peers);
1473 st->current.remote_session_id=st->setup_session_id;
1475 /* Compute the inter-site MTU. This is min( our_mtu, their_mtu ).
1476 * But their mtu be unspecified, in which case we just use ours. */
1477 uint32_t intersite_mtu=
1478 MIN(st->mtu_target, st->remote_adv_mtu ?: ~(uint32_t)0);
1479 st->netlink->set_mtu(st->netlink->st,intersite_mtu);
1481 slog(st,LOG_ACTIVATE_KEY,"new key activated"
1482 " (mtu ours=%"PRId32" theirs=%"PRId32" intersite=%"PRId32")",
1483 st->mtu_target, st->remote_adv_mtu, intersite_mtu);
1484 enter_state_run(st);
1487 static void delete_one_key(struct site *st, struct data_key *key,
1488 cstring_t reason, cstring_t which, uint32_t loglevel)
1490 if (!is_transform_valid(key->transform)) return;
1491 if (reason) slog(st,loglevel,"%s deleted (%s)",which,reason);
1492 dispose_transform(&key->transform);
1496 static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel)
1498 if (current_valid(st)) {
1499 slog(st,loglevel,"session closed (%s)",reason);
1501 delete_one_key(st,&st->current,0,0,0);
1502 set_link_quality(st);
1504 delete_one_key(st,&st->auxiliary_key,0,0,0);
1507 static void state_assert(struct site *st, bool_t ok)
1509 if (!ok) fatal("site:state_assert");
1512 static void enter_state_stop(struct site *st)
1514 st->state=SITE_STOP;
1516 delete_keys(st,"entering state STOP",LOG_TIMEOUT_KEY);
1517 dispose_transform(&st->new_transform);
1520 static void set_link_quality(struct site *st)
1523 if (current_valid(st))
1524 quality=LINK_QUALITY_UP;
1525 else if (st->state==SITE_WAIT || st->state==SITE_STOP)
1526 quality=LINK_QUALITY_DOWN;
1527 else if (st->addresses)
1528 quality=LINK_QUALITY_DOWN_CURRENT_ADDRESS;
1529 else if (transport_peers_valid(&st->peers))
1530 quality=LINK_QUALITY_DOWN_STALE_ADDRESS;
1532 quality=LINK_QUALITY_DOWN;
1534 st->netlink->set_quality(st->netlink->st,quality);
1537 static void enter_state_run(struct site *st)
1539 slog(st,LOG_STATE,"entering state RUN%s",
1540 current_valid(st) ? " (keyed)" : " (unkeyed)");
1544 st->setup_session_id=0;
1545 transport_peers_clear(st,&st->setup_peers);
1546 FILLZERO(st->localN);
1547 FILLZERO(st->remoteN);
1548 dispose_transform(&st->new_transform);
1550 memset(st->dhsecret, 0, st->chosen_dh->secret_len);
1554 if (st->sharedsecret) {
1555 memset(st->sharedsecret, 0, st->chosen_dh->shared_len);
1556 free(st->sharedsecret);
1557 st->sharedsecret = 0;
1559 set_link_quality(st);
1561 if (st->keepalive && !current_valid(st))
1562 initiate_key_setup(st, "keepalive", 0);
1565 static bool_t ensure_resolving(struct site *st)
1567 /* Reentrancy hazard: may call site_resolve_callback and hence
1568 * enter_new_state, enter_state_* and generate_msg*. */
1569 if (st->resolving_count)
1572 assert(st->addresses);
1574 /* resolver->request might reentrantly call site_resolve_callback
1575 * which will decrement st->resolving, so we need to increment it
1576 * twice beforehand to prevent decrement from thinking we're
1577 * finished, and decrement it ourselves. Alternatively if
1578 * everything fails then there are no callbacks due and we simply
1579 * set it to 0 and return false.. */
1580 st->resolving_n_results_stored=0;
1581 st->resolving_n_results_all=0;
1582 st->resolving_count+=2;
1583 const char **addrp=st->addresses;
1584 const char *address;
1586 for (; (address=*addrp++); ) {
1587 bool_t ok = st->resolver->request(st->resolver->st,address,
1588 st->remoteport,st->comms[0],
1589 site_resolve_callback,st);
1591 st->resolving_count++;
1595 st->resolving_count=0;
1598 decrement_resolving_count(st,2);
1602 static bool_t enter_state_resolve(struct site *st)
1604 /* Reentrancy hazard! See ensure_resolving. */
1605 state_assert(st,st->state==SITE_RUN);
1606 slog(st,LOG_STATE,"entering state RESOLVE");
1607 st->state=SITE_RESOLVE;
1608 return ensure_resolving(st);
1611 static bool_t enter_new_state(struct site *st, uint32_t next)
1613 bool_t (*gen)(struct site *st);
1616 slog(st,LOG_STATE,"entering state %s",state_name(next));
1619 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE);
1621 st->msg1_crossed_logged = False;
1624 state_assert(st,st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1625 st->state==SITE_SENTMSG1 || st->state==SITE_WAIT);
1629 state_assert(st,st->state==SITE_SENTMSG1);
1630 BUF_FREE(&st->buffer);
1634 state_assert(st,st->state==SITE_SENTMSG2);
1635 BUF_FREE(&st->buffer);
1639 state_assert(st,st->state==SITE_SENTMSG3);
1640 BUF_FREE(&st->buffer);
1644 state_assert(st,st->state==SITE_SENTMSG4);
1645 BUF_FREE(&st->buffer);
1650 fatal("enter_new_state(%s): invalid new state",state_name(next));
1654 if (hacky_par_start_failnow()) return False;
1656 r= gen(st) && send_msg(st);
1659 st->setup_retries, st->setup_retry_interval,
1664 if (next==SITE_RUN) {
1665 BUF_FREE(&st->buffer); /* Never reused */
1666 st->timeout=0; /* Never retransmit */
1667 activate_new_key(st);
1671 slog(st,LOG_ERROR,"error entering state %s",state_name(next));
1672 st->buffer.free=False; /* Unconditionally use the buffer; it may be
1673 in either state, and enter_state_wait() will
1675 enter_state_wait(st);
1679 /* msg7 tells our peer that we're about to forget our key */
1680 static bool_t send_msg7(struct site *st, cstring_t reason)
1682 cstring_t transform_err;
1684 if (current_valid(st) && st->buffer.free
1685 && transport_peers_valid(&st->peers)) {
1686 BUF_ALLOC(&st->buffer,"site:MSG7");
1687 buffer_init(&st->buffer,calculate_max_start_pad());
1688 buf_append_uint32(&st->buffer,LABEL_MSG7);
1689 buf_append_string(&st->buffer,reason);
1690 if (call_transform_forwards(st, st->current.transform,
1691 &st->buffer, &transform_err))
1693 buf_prepend_uint32(&st->buffer,LABEL_MSG0);
1694 buf_prepend_uint32(&st->buffer,st->index);
1695 buf_prepend_uint32(&st->buffer,st->current.remote_session_id);
1696 transport_xmit(st,&st->peers,&st->buffer,True);
1697 BUF_FREE(&st->buffer);
1704 /* We go into this state if our peer becomes uncommunicative. Similar to
1705 the "stop" state, we forget all session keys for a while, before
1706 re-entering the "run" state. */
1707 static void enter_state_wait(struct site *st)
1709 slog(st,LOG_STATE,"entering state WAIT");
1710 st->timeout=st->now+wait_timeout(st);
1711 st->state=SITE_WAIT;
1712 set_link_quality(st);
1713 BUF_FREE(&st->buffer); /* will have had an outgoing packet in it */
1714 /* XXX Erase keys etc. */
1717 static void generate_prod(struct site *st, struct buffer_if *buf)
1720 buf_append_uint32(buf,0);
1721 buf_append_uint32(buf,0);
1722 buf_append_uint32(buf,LABEL_PROD);
1723 buf_append_string(buf,st->localname);
1724 buf_append_string(buf,st->remotename);
1727 static void generate_send_prod(struct site *st,
1728 const struct comm_addr *source)
1730 if (!st->allow_send_prod) return; /* too soon */
1731 if (!(st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1732 st->state==SITE_WAIT)) return; /* we'd ignore peer's MSG1 */
1734 slog(st,LOG_SETUP_INIT,"prodding peer for key exchange");
1735 st->allow_send_prod=0;
1736 generate_prod(st,&st->scratch);
1737 bool_t ok = comm_addr_sendmsg(st, source, &st->scratch);
1738 dump_packet(st,&st->scratch,source,False,ok);
1741 static inline void site_settimeout(uint64_t timeout, int *timeout_io)
1744 int64_t offset=timeout-*now;
1745 if (offset<0) offset=0;
1746 if (offset>INT_MAX) offset=INT_MAX;
1747 if (*timeout_io<0 || offset<*timeout_io)
1752 static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io,
1755 struct site *st=sst;
1757 BEFOREPOLL_WANT_FDS(0); /* We don't use any file descriptors */
1760 /* Work out when our next timeout is. The earlier of 'timeout' or
1761 'current.key_timeout'. A stored value of '0' indicates no timeout
1763 site_settimeout(st->timeout, timeout_io);
1764 site_settimeout(st->current.key_timeout, timeout_io);
1765 site_settimeout(st->auxiliary_key.key_timeout, timeout_io);
1767 return 0; /* success */
1770 static void check_expiry(struct site *st, struct data_key *key,
1773 if (key->key_timeout && *now>key->key_timeout) {
1774 delete_one_key(st,key,"maximum life exceeded",which,LOG_TIMEOUT_KEY);
1778 /* NB site_afterpoll will be called before site_beforepoll is ever called */
1779 static void site_afterpoll(void *sst, struct pollfd *fds, int nfds)
1781 struct site *st=sst;
1784 if (st->timeout && *now>st->timeout) {
1786 if (st->state>=SITE_SENTMSG1 && st->state<=SITE_SENTMSG5) {
1787 if (!hacky_par_start_failnow())
1789 } else if (st->state==SITE_WAIT) {
1790 enter_state_run(st);
1792 slog(st,LOG_ERROR,"site_afterpoll: unexpected timeout, state=%d",
1796 check_expiry(st,&st->current,"current key");
1797 check_expiry(st,&st->auxiliary_key,"auxiliary key");
1800 /* This function is called by the netlink device to deliver packets
1801 intended for the remote network. The packet is in "raw" wire
1802 format, but is guaranteed to be word-aligned. */
1803 static void site_outgoing(void *sst, struct buffer_if *buf)
1805 struct site *st=sst;
1806 cstring_t transform_err;
1808 if (st->state==SITE_STOP) {
1813 st->allow_send_prod=1;
1815 /* In all other states we consider delivering the packet if we have
1816 a valid key and a valid address to send it to. */
1817 if (current_valid(st) && transport_peers_valid(&st->peers)) {
1818 /* Transform it and send it */
1820 buf_prepend_uint32(buf,LABEL_MSG9);
1821 if (call_transform_forwards(st, st->current.transform,
1822 buf, &transform_err))
1824 buf_prepend_uint32(buf,LABEL_MSG0);
1825 buf_prepend_uint32(buf,st->index);
1826 buf_prepend_uint32(buf,st->current.remote_session_id);
1827 transport_xmit(st,&st->peers,buf,False);
1834 slog(st,LOG_DROP,"discarding outgoing packet of size %d",buf->size);
1836 initiate_key_setup(st,"outgoing packet",0);
1839 static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in,
1840 uint32_t type, struct msg *m)
1841 /* For packets which are identified by the local and remote names.
1842 * If it has our name and our peer's name in it it's for us. */
1844 struct buffer_if buf[1];
1845 buffer_readonly_clone(buf,buf_in);
1846 return unpick_msg(st,type,buf,m)
1847 && name_matches(&m->remote,st->remotename)
1848 && name_matches(&m->local,st->localname);
1851 static bool_t we_have_priority(struct site *st, const struct msg *m) {
1852 if (st->local_capabilities & m->remote_capabilities &
1853 CAPAB_PRIORITY_MOBILE) {
1854 if (st->local_mobile) return True;
1855 if (st-> peer_mobile) return False;
1857 return st->our_name_later;
1860 static bool_t setup_late_msg_ok(struct site *st,
1861 const struct buffer_if *buf_in,
1863 const struct comm_addr *source) {
1864 /* For setup packets which seem from their type like they are
1865 * late. Maybe they came via a different path. All we do is make
1866 * a note of the sending address, iff they look like they are part
1867 * of the current key setup attempt. */
1869 if (!named_for_us(st,buf_in,msgtype,&m))
1870 /* named_for_us calls unpick_msg which gets the nonces */
1872 if (!consttime_memeq(m.nR,st->remoteN,NONCELEN) ||
1873 !consttime_memeq(m.nL,st->localN, NONCELEN))
1874 /* spoof ? from stale run ? who knows */
1876 transport_setup_msgok(st,source);
1880 /* This function is called by the communication device to deliver
1881 packets from our peers.
1882 It should return True if the packet is recognised as being for
1883 this current site instance (and should therefore not be processed
1884 by other sites), even if the packet was otherwise ignored. */
1885 static bool_t site_incoming(void *sst, struct buffer_if *buf,
1886 const struct comm_addr *source)
1888 struct site *st=sst;
1890 if (buf->size < 12) return False;
1892 uint32_t dest=get_uint32(buf->start);
1893 uint32_t msgtype=get_uint32(buf->start+8);
1894 struct msg named_msg;
1896 if (msgtype==LABEL_MSG1) {
1897 if (!named_for_us(st,buf,msgtype,&named_msg))
1899 /* It's a MSG1 addressed to us. Decide what to do about it. */
1900 dump_packet(st,buf,source,True,True);
1901 if (st->state==SITE_RUN || st->state==SITE_RESOLVE ||
1902 st->state==SITE_WAIT) {
1903 /* We should definitely process it */
1904 transport_compute_setupinit_peers(st,0,0,source);
1905 if (process_msg1(st,buf,source,&named_msg)) {
1906 slog(st,LOG_SETUP_INIT,"key setup initiated by peer");
1907 bool_t entered=enter_new_state(st,SITE_SENTMSG2);
1908 if (entered && st->addresses && st->local_mobile)
1909 /* We must do this as the very last thing, because
1910 the resolver callback might reenter us. */
1911 ensure_resolving(st);
1913 slog(st,LOG_ERROR,"failed to process incoming msg1");
1917 } else if (st->state==SITE_SENTMSG1) {
1918 /* We've just sent a message 1! They may have crossed on
1919 the wire. If we have priority then we ignore the
1920 incoming one, otherwise we process it as usual. */
1921 if (we_have_priority(st,&named_msg)) {
1923 if (!st->msg1_crossed_logged++)
1924 slog(st,LOG_SETUP_INIT,"crossed msg1s; we are higher "
1925 "priority => ignore incoming msg1");
1928 slog(st,LOG_SETUP_INIT,"crossed msg1s; we are lower "
1929 "priority => use incoming msg1");
1930 if (process_msg1(st,buf,source,&named_msg)) {
1931 BUF_FREE(&st->buffer); /* Free our old message 1 */
1932 transport_setup_msgok(st,source);
1933 enter_new_state(st,SITE_SENTMSG2);
1935 slog(st,LOG_ERROR,"failed to process an incoming "
1936 "crossed msg1 (we have low priority)");
1941 } else if (st->state==SITE_SENTMSG2 ||
1942 st->state==SITE_SENTMSG4) {
1943 if (consttime_memeq(named_msg.nR,st->remoteN,NONCELEN)) {
1944 /* We are ahead in the protocol, but that msg1 had the
1945 * peer's nonce so presumably it is from this key
1946 * exchange run, via a slower route */
1947 transport_setup_msgok(st,source);
1949 slog(st,LOG_UNEXPECTED,"competing incoming message 1");
1954 /* The message 1 was received at an unexpected stage of the
1955 key setup. Well, they lost the race. */
1956 slog(st,LOG_UNEXPECTED,"unexpected incoming message 1");
1960 if (msgtype==LABEL_PROD) {
1961 if (!named_for_us(st,buf,msgtype,&named_msg))
1963 dump_packet(st,buf,source,True,True);
1964 if (st->state!=SITE_RUN) {
1965 slog(st,LOG_DROP,"ignoring PROD when not in state RUN");
1966 } else if (current_valid(st)) {
1967 slog(st,LOG_DROP,"ignoring PROD when we think we have a key");
1969 initiate_key_setup(st,"peer sent PROD packet",source);
1974 if (dest==st->index) {
1975 /* Explicitly addressed to us */
1976 if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True,True);
1979 /* If the source is our current peer then initiate a key setup,
1980 because our peer's forgotten the key */
1981 if (get_uint32(buf->start+4)==st->current.remote_session_id) {
1983 initiated = initiate_key_setup(st,"received a NAK",source);
1984 if (!initiated) generate_send_prod(st,source);
1986 slog(st,LOG_SEC,"bad incoming NAK");
1990 process_msg0(st,buf,source);
1993 /* Setup packet: should not have been explicitly addressed
1995 slog(st,LOG_SEC,"incoming explicitly addressed msg1");
1998 /* Setup packet: expected only in state SENTMSG1 */
1999 if (st->state!=SITE_SENTMSG1) {
2000 if ((st->state==SITE_SENTMSG3 ||
2001 st->state==SITE_SENTMSG5) &&
2002 setup_late_msg_ok(st,buf,msgtype,source))
2004 slog(st,LOG_UNEXPECTED,"unexpected MSG2");
2005 } else if (process_msg2(st,buf,source)) {
2006 transport_setup_msgok(st,source);
2007 enter_new_state(st,SITE_SENTMSG3);
2009 slog(st,LOG_SEC,"invalid MSG2");
2012 case CASES_MSG3_KNOWN:
2013 /* Setup packet: expected only in state SENTMSG2 */
2014 if (st->state!=SITE_SENTMSG2) {
2015 if ((st->state==SITE_SENTMSG4) &&
2016 setup_late_msg_ok(st,buf,msgtype,source))
2018 slog(st,LOG_UNEXPECTED,"unexpected MSG3");
2019 } else if (process_msg3(st,buf,source,msgtype)) {
2020 transport_setup_msgok(st,source);
2021 enter_new_state(st,SITE_SENTMSG4);
2023 slog(st,LOG_SEC,"invalid MSG3");
2027 /* Setup packet: expected only in state SENTMSG3 */
2028 if (st->state!=SITE_SENTMSG3) {
2029 if ((st->state==SITE_SENTMSG5) &&
2030 setup_late_msg_ok(st,buf,msgtype,source))
2032 slog(st,LOG_UNEXPECTED,"unexpected MSG4");
2033 } else if (process_msg4(st,buf,source)) {
2034 transport_setup_msgok(st,source);
2035 enter_new_state(st,SITE_SENTMSG5);
2037 slog(st,LOG_SEC,"invalid MSG4");
2041 /* Setup packet: expected only in state SENTMSG4 */
2042 /* (may turn up in state RUN if our return MSG6 was lost
2043 and the new key has already been activated. In that
2044 case we discard it. The peer will realise that we
2045 are using the new key when they see our data packets.
2046 Until then the peer's data packets to us get discarded. */
2047 if (st->state==SITE_SENTMSG4) {
2048 if (process_msg5(st,buf,source,st->new_transform)) {
2049 transport_setup_msgok(st,source);
2050 enter_new_state(st,SITE_RUN);
2052 slog(st,LOG_SEC,"invalid MSG5");
2054 } else if (st->state==SITE_RUN) {
2055 if (process_msg5(st,buf,source,st->current.transform)) {
2056 slog(st,LOG_DROP,"got MSG5, retransmitting MSG6");
2057 transport_setup_msgok(st,source);
2058 create_msg6(st,st->current.transform,
2059 st->current.remote_session_id);
2060 transport_xmit(st,&st->peers,&st->buffer,True);
2061 BUF_FREE(&st->buffer);
2063 slog(st,LOG_SEC,"invalid MSG5 (in state RUN)");
2066 slog(st,LOG_UNEXPECTED,"unexpected MSG5");
2070 /* Setup packet: expected only in state SENTMSG5 */
2071 if (st->state!=SITE_SENTMSG5) {
2072 slog(st,LOG_UNEXPECTED,"unexpected MSG6");
2073 } else if (process_msg6(st,buf,source)) {
2074 BUF_FREE(&st->buffer); /* Free message 5 */
2075 transport_setup_msgok(st,source);
2076 activate_new_key(st);
2078 slog(st,LOG_SEC,"invalid MSG6");
2082 slog(st,LOG_SEC,"received message of unknown type 0x%08x",
2093 static void site_control(void *vst, bool_t run)
2095 struct site *st=vst;
2096 if (run) enter_state_run(st);
2097 else enter_state_stop(st);
2100 static void site_phase_hook(void *sst, uint32_t newphase)
2102 struct site *st=sst;
2104 /* The program is shutting down; tell our peer */
2105 send_msg7(st,"shutting down");
2108 static void site_childpersist_clearkeys(void *sst, uint32_t newphase)
2110 struct site *st=sst;
2111 dispose_transform(&st->current.transform);
2112 dispose_transform(&st->auxiliary_key.transform);
2113 dispose_transform(&st->new_transform);
2114 /* Not much point overwiting the signing key, since we loaded it
2115 from disk, and it is only valid prospectively if at all,
2117 /* XXX it would be best to overwrite the DH state, because that
2118 _is_ relevant to forward secrecy. However we have no
2119 convenient interface for doing that and in practice gmp has
2120 probably dribbled droppings all over the malloc arena. A good
2121 way to fix this would be to have a privsep child for asymmetric
2122 crypto operations, but that's a task for another day. */
2125 static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
2128 static uint32_t index_sequence;
2136 st->cl.description="site";
2137 st->cl.type=CL_SITE;
2139 st->cl.interface=&st->ops;
2141 st->ops.control=site_control;
2142 st->ops.status=site_status;
2144 /* First parameter must be a dict */
2145 item=list_elem(args,0);
2146 if (!item || item->type!=t_dict)
2147 cfgfatal(loc,"site","parameter must be a dictionary\n");
2149 dict=item->data.dict;
2150 st->localname=dict_read_string(dict, "local-name", True, "site", loc);
2151 st->remotename=dict_read_string(dict, "name", True, "site", loc);
2153 st->keepalive=dict_read_bool(dict,"keepalive",False,"site",loc,False);
2155 st->peer_mobile=dict_read_bool(dict,"mobile",False,"site",loc,False);
2157 dict_read_bool(dict,"local-mobile",False,"site",loc,False);
2159 /* Sanity check (which also allows the 'sites' file to include
2160 site() closures for all sites including our own): refuse to
2161 talk to ourselves */
2162 if (strcmp(st->localname,st->remotename)==0) {
2163 Message(M_DEBUG,"site %s: local-name==name -> ignoring this site\n",
2165 if (st->peer_mobile != st->local_mobile)
2166 cfgfatal(loc,"site","site %s's peer-mobile=%d"
2167 " but our local-mobile=%d\n",
2168 st->localname, st->peer_mobile, st->local_mobile);
2172 if (st->peer_mobile && st->local_mobile) {
2173 Message(M_WARNING,"site %s: site is mobile but so are we"
2174 " -> ignoring this site\n", st->remotename);
2179 assert(index_sequence < 0xffffffffUL);
2180 st->index = ++index_sequence;
2181 st->local_capabilities = CAPAB_EXPLICIT_TRANSFORM_DH;
2182 st->early_capabilities = CAPAB_PRIORITY_MOBILE;
2183 st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc);
2185 #define GET_CLOSURE_LIST(dictkey,things,nthings,CL_TYPE) do{ \
2186 list_t *things##_cfg=dict_lookup(dict,dictkey); \
2187 if (!things##_cfg) \
2188 cfgfatal(loc,"site","closure list \"%s\" not found\n",dictkey); \
2189 st->nthings=list_length(things##_cfg); \
2190 NEW_ARY(st->things,st->nthings); \
2191 assert(st->nthings); \
2192 for (i=0; i<st->nthings; i++) { \
2193 item_t *item=list_elem(things##_cfg,i); \
2194 if (item->type!=t_closure) \
2195 cfgfatal(loc,"site","%s is not a closure\n",dictkey); \
2196 closure_t *cl=item->data.closure; \
2197 if (cl->type!=CL_TYPE) \
2198 cfgfatal(loc,"site","%s closure wrong type\n",dictkey); \
2199 st->things[i]=cl->interface; \
2203 GET_CLOSURE_LIST("comm",comms,ncomms,CL_COMM);
2205 NEW_ARY(st->commclientinfos, st->ncomms);
2206 dict_t *comminfo = dict_read_dict(dict,"comm-info",False,"site",loc);
2207 for (i=0; i<st->ncomms; i++) {
2208 st->commclientinfos[i] =
2210 st->comms[i]->clientinfo(st->comms[i],comminfo,loc);
2213 st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc);
2214 st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc);
2215 st->random=find_cl_if(dict,"random",CL_RANDOMSRC,True,"site",loc);
2217 st->privkey=find_cl_if(dict,"local-key",CL_RSAPRIVKEY,True,"site",loc);
2218 st->addresses=dict_read_string_array(dict,"address",False,"site",loc,0);
2220 st->remoteport=dict_read_number(dict,"port",True,"site",loc,0);
2221 else st->remoteport=0;
2222 st->pubkey=find_cl_if(dict,"key",CL_RSAPUBKEY,True,"site",loc);
2224 GET_CLOSURE_LIST("transform",transforms,ntransforms,CL_TRANSFORM);
2225 GET_CLOSURE_LIST("dh",dhs,ndhs,CL_DH);
2227 st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc);
2229 #define DEFAULT(D) (st->peer_mobile || st->local_mobile \
2230 ? DEFAULT_MOBILE_##D : DEFAULT_##D)
2231 #define CFG_NUMBER(k,D) dict_read_number(dict,(k),False,"site",loc,DEFAULT(D));
2233 st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME);
2234 st->setup_retries= CFG_NUMBER("setup-retries", SETUP_RETRIES);
2235 st->setup_retry_interval= CFG_NUMBER("setup-timeout", SETUP_RETRY_INTERVAL);
2236 st->wait_timeout_mean= CFG_NUMBER("wait-time", WAIT_TIME);
2237 st->mtu_target= dict_read_number(dict,"mtu-target",False,"site",loc,0);
2239 st->mobile_peer_expiry= dict_read_number(
2240 dict,"mobile-peer-expiry",False,"site",loc,DEFAULT_MOBILE_PEER_EXPIRY);
2242 const char *peerskey= st->peer_mobile
2243 ? "mobile-peers-max" : "static-peers-max";
2244 st->transport_peers_max= dict_read_number(
2245 dict,peerskey,False,"site",loc, st->addresses ? 4 : 3);
2246 if (st->transport_peers_max<1 ||
2247 st->transport_peers_max>MAX_PEER_ADDRS) {
2248 cfgfatal(loc,"site", "%s must be in range 1.."
2249 STRING(MAX_PEER_ADDRS) "\n", peerskey);
2252 if (st->key_lifetime < DEFAULT(KEY_RENEGOTIATE_GAP)*2)
2253 st->key_renegotiate_time=st->key_lifetime/2;
2255 st->key_renegotiate_time=st->key_lifetime-DEFAULT(KEY_RENEGOTIATE_GAP);
2256 st->key_renegotiate_time=dict_read_number(
2257 dict,"renegotiate-time",False,"site",loc,st->key_renegotiate_time);
2258 if (st->key_renegotiate_time > st->key_lifetime) {
2259 cfgfatal(loc,"site",
2260 "renegotiate-time must be less than key-lifetime\n");
2263 st->log_events=string_list_to_word(dict_lookup(dict,"log-events"),
2264 log_event_table,"site");
2266 st->resolving_count=0;
2267 st->allow_send_prod=0;
2269 st->tunname=safe_malloc(strlen(st->localname)+strlen(st->remotename)+5,
2271 sprintf(st->tunname,"%s<->%s",st->localname,st->remotename);
2273 /* The information we expect to see in incoming messages of type 1 */
2274 /* fixme: lots of unchecked overflows here, but the results are only
2275 corrupted packets rather than undefined behaviour */
2276 st->our_name_later=(strcmp(st->localname,st->remotename)>0);
2278 buffer_new(&st->buffer,SETUP_BUFFER_LEN);
2280 buffer_new(&st->scratch,SETUP_BUFFER_LEN);
2281 BUF_ALLOC(&st->scratch,"site:scratch");
2283 /* We are interested in poll(), but only for timeouts. We don't have
2284 any fds of our own. */
2285 register_for_poll(st, site_beforepoll, site_afterpoll, "site");
2288 st->remote_capabilities=0;
2289 st->chosen_transform=0;
2291 st->current.key_timeout=0;
2292 st->auxiliary_key.key_timeout=0;
2293 transport_peers_clear(st,&st->peers);
2294 transport_peers_clear(st,&st->setup_peers);
2298 #define SET_CAPBIT(bit) do { \
2299 uint32_t capflag = 1UL << (bit); \
2300 if (st->local_capabilities & capflag) \
2301 slog(st,LOG_ERROR,"capability bit" \
2302 " %d (%#"PRIx32") reused", (bit), capflag); \
2303 st->local_capabilities |= capflag; \
2306 for (i=0; i<st->ntransforms; i++)
2307 SET_CAPBIT(st->transforms[i]->capab_bit);
2308 for (i=0; i<st->ndhs; i++)
2309 SET_CAPBIT(st->dhs[i]->capab_bit);
2313 if (st->local_mobile || st->peer_mobile)
2314 st->local_capabilities |= CAPAB_PRIORITY_MOBILE;
2316 /* We need to register the remote networks with the netlink device */
2317 uint32_t netlink_mtu; /* local virtual interface mtu */
2318 st->netlink->reg(st->netlink->st, site_outgoing, st, &netlink_mtu);
2319 if (!st->mtu_target)
2320 st->mtu_target=netlink_mtu;
2322 for (i=0; i<st->ncomms; i++)
2323 st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming);
2325 st->current.transform=0;
2326 st->auxiliary_key.transform=0;
2327 st->new_transform=0;
2328 st->auxiliary_is_new=0;
2330 enter_state_stop(st);
2332 add_hook(PHASE_SHUTDOWN,site_phase_hook,st);
2333 add_hook(PHASE_CHILDPERSIST,site_childpersist_clearkeys,st);
2335 return new_closure(&st->cl);
2338 void site_module(dict_t *dict)
2340 add_closure(dict,"site",site_apply);
2344 /***** TRANSPORT PEERS definitions *****/
2346 static void transport_peers_debug(struct site *st, transport_peers *dst,
2347 const char *didwhat,
2348 int nargs, const struct comm_addr *args,
2353 if (!(st->log_events & LOG_PEER_ADDRS))
2354 return; /* an optimisation */
2356 slog(st, LOG_PEER_ADDRS, "peers (%s) %s nargs=%d => npeers=%d",
2357 (dst==&st->peers ? "data" :
2358 dst==&st->setup_peers ? "setup" : "UNKNOWN"),
2359 didwhat, nargs, dst->npeers);
2361 for (i=0, argp=(void*)args;
2363 i++, (argp+=stride?stride:sizeof(*args))) {
2364 const struct comm_addr *ca=(void*)argp;
2365 slog(st, LOG_PEER_ADDRS, " args: addrs[%d]=%s",
2366 i, comm_addr_to_string(ca));
2368 for (i=0; i<dst->npeers; i++) {
2369 struct timeval diff;
2370 timersub(tv_now,&dst->peers[i].last,&diff);
2371 const struct comm_addr *ca=&dst->peers[i].addr;
2372 slog(st, LOG_PEER_ADDRS, " peers: addrs[%d]=%s T-%ld.%06ld",
2373 i, comm_addr_to_string(ca),
2374 (unsigned long)diff.tv_sec, (unsigned long)diff.tv_usec);
2378 static void transport_peers_expire(struct site *st, transport_peers *peers) {
2379 /* peers must be sorted first */
2380 int previous_peers=peers->npeers;
2381 struct timeval oldest;
2382 oldest.tv_sec = tv_now->tv_sec - st->mobile_peer_expiry;
2383 oldest.tv_usec = tv_now->tv_usec;
2384 while (peers->npeers>1 &&
2385 timercmp(&peers->peers[peers->npeers-1].last, &oldest, <))
2387 if (peers->npeers != previous_peers)
2388 transport_peers_debug(st,peers,"expire", 0,0,0);
2391 static bool_t transport_peer_record_one(struct site *st, transport_peers *peers,
2392 const struct comm_addr *ca,
2393 const struct timeval *tv) {
2394 /* returns false if output is full */
2397 if (peers->npeers >= st->transport_peers_max)
2400 for (search=0; search<peers->npeers; search++)
2401 if (comm_addr_equal(&peers->peers[search].addr, ca))
2404 peers->peers[peers->npeers].addr = *ca;
2405 peers->peers[peers->npeers].last = *tv;
2410 static void transport_record_peers(struct site *st, transport_peers *peers,
2411 const struct comm_addr *addrs, int naddrs,
2413 /* We add addrs into peers. The new entries end up at the front
2414 * and displace entries towards the end (perhaps even off the
2415 * end). Any existing matching entries are moved up to the front.
2417 * Caller must first call transport_peers_expire. */
2420 /* avoids debug for uninteresting updates */
2422 for (i=0; i<peers->npeers; i++) {
2423 if (comm_addr_equal(&addrs[0], &peers->peers[i].addr)) {
2424 memmove(peers->peers+1, peers->peers,
2425 sizeof(peers->peers[0]) * i);
2426 peers->peers[0].addr = addrs[0];
2427 peers->peers[0].last = *tv_now;
2433 int old_npeers=peers->npeers;
2434 transport_peer old_peers[old_npeers];
2435 COPY_ARRAY(old_peers,peers->peers,old_npeers);
2439 for (i=0; i<naddrs; i++) {
2440 if (!transport_peer_record_one(st,peers, &addrs[i], tv_now))
2443 for (i=0; i<old_npeers; i++) {
2444 const transport_peer *old=&old_peers[i];
2445 if (!transport_peer_record_one(st,peers, &old->addr, &old->last))
2449 transport_peers_debug(st,peers,m, naddrs,addrs,0);
2452 static void transport_expire_record_peers(struct site *st,
2453 transport_peers *peers,
2454 const struct comm_addr *addrs,
2455 int naddrs, const char *m) {
2456 /* Convenience function */
2457 transport_peers_expire(st,peers);
2458 transport_record_peers(st,peers,addrs,naddrs,m);
2461 static bool_t transport_compute_setupinit_peers(struct site *st,
2462 const struct comm_addr *configured_addrs /* 0 if none or not found */,
2463 int n_configured_addrs /* 0 if none or not found */,
2464 const struct comm_addr *incoming_packet_addr /* 0 if none */) {
2465 if (!n_configured_addrs && !incoming_packet_addr &&
2466 !transport_peers_valid(&st->peers))
2469 slog(st,LOG_SETUP_INIT,
2470 "using: %d configured addr(s);%s %d old peer addrs(es)",
2472 incoming_packet_addr ? " incoming packet address;" : "",
2475 /* Non-mobile peers try addresses until one is plausible. The
2476 * effect is that this code always tries first the configured
2477 * address if supplied, or otherwise the address of the incoming
2478 * PROD, or finally the existing data peer if one exists; this is
2481 transport_peers_copy(st,&st->setup_peers,&st->peers);
2482 transport_peers_expire(st,&st->setup_peers);
2484 if (incoming_packet_addr)
2485 transport_record_peers(st,&st->setup_peers,
2486 incoming_packet_addr,1, "incoming");
2488 if (n_configured_addrs)
2489 transport_record_peers(st,&st->setup_peers,
2490 configured_addrs,n_configured_addrs, "setupinit");
2492 assert(transport_peers_valid(&st->setup_peers));
2496 static void transport_setup_msgok(struct site *st, const struct comm_addr *a) {
2497 if (st->peer_mobile)
2498 transport_expire_record_peers(st,&st->setup_peers,a,1,"setupmsg");
2500 static void transport_data_msgok(struct site *st, const struct comm_addr *a) {
2501 if (st->peer_mobile)
2502 transport_expire_record_peers(st,&st->peers,a,1,"datamsg");
2505 static int transport_peers_valid(transport_peers *peers) {
2506 return peers->npeers;
2508 static void transport_peers_clear(struct site *st, transport_peers *peers) {
2510 transport_peers_debug(st,peers,"clear",0,0,0);
2512 static void transport_peers_copy(struct site *st, transport_peers *dst,
2513 const transport_peers *src) {
2514 dst->npeers=src->npeers;
2515 COPY_ARRAY(dst->peers, src->peers, dst->npeers);
2516 transport_peers_debug(st,dst,"copy",
2517 src->npeers, &src->peers->addr, sizeof(*src->peers));
2520 static void transport_resolve_complete(struct site *st,
2521 const struct comm_addr *addrs,
2523 transport_expire_record_peers(st,&st->peers,addrs,naddrs,
2525 transport_expire_record_peers(st,&st->setup_peers,addrs,naddrs,
2529 static void transport_resolve_complete_tardy(struct site *st,
2530 const struct comm_addr *addrs,
2532 transport_expire_record_peers(st,&st->peers,addrs,naddrs,
2533 "resolved tardily");
2536 static void transport_peers__copy_by_mask(transport_peer *out, int *nout_io,
2538 const transport_peers *inp) {
2539 /* out and in->peers may be the same region, or nonoverlapping */
2540 const transport_peer *in=inp->peers;
2542 for (slot=0; slot<inp->npeers; slot++) {
2543 if (!(mask & (1U << slot)))
2545 if (!(out==in && slot==*nout_io))
2546 COPY_OBJ(out[*nout_io], in[slot]);
2551 void transport_xmit(struct site *st, transport_peers *peers,
2552 struct buffer_if *buf, bool_t candebug) {
2554 transport_peers_expire(st, peers);
2555 unsigned failed=0; /* bitmask */
2556 assert(MAX_PEER_ADDRS < sizeof(unsigned)*CHAR_BIT);
2559 for (slot=0; slot<peers->npeers; slot++) {
2560 transport_peer *peer=&peers->peers[slot];
2561 bool_t ok = comm_addr_sendmsg(st, &peer->addr, buf);
2563 dump_packet(st, buf, &peer->addr, False, ok);
2565 failed |= 1U << slot;
2568 if (ok && !st->peer_mobile)
2571 /* Now we need to demote/delete failing addrs: if we are mobile we
2572 * merely demote them; otherwise we delete them. */
2573 if (st->local_mobile) {
2574 unsigned expected = ((1U << nfailed)-1) << (peers->npeers-nfailed);
2575 /* `expected' has all the failures at the end already */
2576 if (failed != expected) {
2578 transport_peer failedpeers[nfailed];
2579 transport_peers__copy_by_mask(failedpeers, &fslot, failed,peers);
2580 assert(fslot == nfailed);
2582 transport_peers__copy_by_mask(peers->peers,&wslot,~failed,peers);
2583 assert(wslot+nfailed == peers->npeers);
2584 COPY_ARRAY(peers->peers+wslot, failedpeers, nfailed);
2585 transport_peers_debug(st,peers,"mobile failure reorder",0,0,0);
2588 if (failed && peers->npeers > 1) {
2590 transport_peers__copy_by_mask(peers->peers,&wslot,~failed,peers);
2591 peers->npeers=wslot;
2592 transport_peers_debug(st,peers,"non-mobile failure cleanup",0,0,0);
2597 /***** END of transport peers declarations *****/
~mdw / secnet / blob