X-Git-Url: https://git.distorted.org.uk/~mdw/secnet/blobdiff_plain/065e1922e00c787775b595badce0e40a999a6afb..0a6cbadea08d824e26838a18bb75745c78f27461:/site.c diff --git a/site.c b/site.c index f65051f..5b071b2 100644 --- a/site.c +++ b/site.c @@ -214,6 +214,12 @@ static void transport_xmit(struct site *st, transport_peers *peers, /***** END of transport peers declarations *****/ +struct data_key { + struct transform_inst_if *transform; + uint64_t key_timeout; /* End of life of current key */ + uint32_t remote_session_id; +}; + struct site { closure_t cl; struct site_if ops; @@ -247,9 +253,6 @@ struct site { after this time, initiate a new key exchange */ - uint8_t *setupsig; /* Expected signature of incoming MSG1 packets */ - int32_t setupsiglen; /* Allows us to discard packets quickly if - they are not for us */ bool_t setup_priority; /* Do we have precedence if both sites emit message 1 simultaneously? */ uint32_t log_events; @@ -259,11 +262,11 @@ struct site { uint64_t now; /* Most recently seen time */ /* The currently established session */ - uint32_t remote_session_id; - struct transform_inst_if *current_transform; - bool_t current_valid; - uint64_t current_key_timeout; /* End of life of current key */ + struct data_key current; + struct data_key auxiliary_key; + bool_t auxiliary_is_new; uint64_t renegotiate_key_time; /* When we can negotiate a new key */ + uint64_t auxiliary_renegotiate_key_time; transport_peers peers; /* Current address(es) of peer for data traffic */ /* The current key setup protocol exchange. We can only be @@ -277,10 +280,12 @@ struct site { uint8_t localN[NONCELEN]; /* Nonces for key exchange */ uint8_t remoteN[NONCELEN]; struct buffer_if buffer; /* Current outgoing key exchange packet */ + struct buffer_if scratch; int32_t retries; /* Number of retries remaining */ uint64_t timeout; /* Timeout for current state */ uint8_t *dhsecret; uint8_t *sharedsecret; + uint32_t sharedsecretlen; struct transform_inst_if *new_transform; /* For key setup/verify */ }; @@ -315,12 +320,22 @@ static void slog(struct site *st, uint32_t event, cstring_t msg, ...) } static void set_link_quality(struct site *st); -static void delete_key(struct site *st, cstring_t reason, uint32_t loglevel); +static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel); +static void delete_one_key(struct site *st, struct data_key *key, + const char *reason /* may be 0 meaning don't log*/, + const char *which /* ignored if !reasonn */, + uint32_t loglevel /* ignored if !reasonn */); static bool_t initiate_key_setup(struct site *st, cstring_t reason); static void enter_state_run(struct site *st); static bool_t enter_state_resolve(struct site *st); static bool_t enter_new_state(struct site *st,uint32_t next); static void enter_state_wait(struct site *st); +static void activate_new_key(struct site *st); + +static bool_t current_valid(struct site *st) +{ + return st->current.transform->valid(st->current.transform->st); +} #define CHECK_AVAIL(b,l) do { if ((b)->size<(l)) return False; } while(0) #define CHECK_EMPTY(b) do { if ((b)->size!=0) return False; } while(0) @@ -329,14 +344,19 @@ static void enter_state_wait(struct site *st); type=buf_unprepend_uint32((b)); \ if (type!=(t)) return False; } while(0) +struct parsedname { + int32_t len; + uint8_t *name; + int32_t extrainfo_len; + uint8_t *extrainfo; +}; + struct msg { uint8_t *hashstart; uint32_t dest; uint32_t source; - int32_t remlen; - uint8_t *remote; - int32_t loclen; - uint8_t *local; + struct parsedname remote; + struct parsedname local; uint8_t *nR; uint8_t *nL; int32_t pklen; @@ -384,6 +404,24 @@ static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what) return True; } +static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm) +{ + CHECK_AVAIL(msg,2); + nm->len=buf_unprepend_uint16(msg); + CHECK_AVAIL(msg,nm->len); + nm->name=buf_unprepend(msg,nm->len); + uint8_t *nul=memchr(nm->name,0,nm->len); + if (!nul) { + nm->extrainfo_len=0; + nm->extrainfo=0; + } else { + nm->extrainfo=nul+1; + nm->extrainfo_len=msg->start-nm->extrainfo; + nm->len=nul-nm->name; + } + return True; +} + static bool_t unpick_msg(struct site *st, uint32_t type, struct buffer_if *msg, struct msg *m) { @@ -393,14 +431,8 @@ static bool_t unpick_msg(struct site *st, uint32_t type, CHECK_AVAIL(msg,4); m->source=buf_unprepend_uint32(msg); CHECK_TYPE(msg,type); - CHECK_AVAIL(msg,2); - m->remlen=buf_unprepend_uint16(msg); - CHECK_AVAIL(msg,m->remlen); - m->remote=buf_unprepend(msg,m->remlen); - CHECK_AVAIL(msg,2); - m->loclen=buf_unprepend_uint16(msg); - CHECK_AVAIL(msg,m->loclen); - m->local=buf_unprepend(msg,m->loclen); + if (!unpick_name(msg,&m->remote)) return False; + if (!unpick_name(msg,&m->local)) return False; CHECK_AVAIL(msg,NONCELEN); m->nR=buf_unprepend(msg,NONCELEN); if (type==LABEL_MSG1) { @@ -426,6 +458,14 @@ static bool_t unpick_msg(struct site *st, uint32_t type, return True; } +static bool_t name_matches(const struct parsedname *nm, const char *expected) +{ + int expected_len=strlen(expected); + return + nm->len == expected_len && + !memcmp(nm->name, expected, expected_len); +} + static bool_t check_msg(struct site *st, uint32_t type, struct msg *m, cstring_t *error) { @@ -433,11 +473,11 @@ static bool_t check_msg(struct site *st, uint32_t type, struct msg *m, /* Check that the site names and our nonce have been sent back correctly, and then store our peer's nonce. */ - if (memcmp(m->remote,st->remotename,strlen(st->remotename)!=0)) { + if (!name_matches(&m->remote,st->remotename)) { *error="wrong remote site name"; return False; } - if (memcmp(m->local,st->localname,strlen(st->localname)!=0)) { + if (!name_matches(&m->local,st->localname)) { *error="wrong local site name"; return False; } @@ -446,7 +486,7 @@ static bool_t check_msg(struct site *st, uint32_t type, struct msg *m, return False; } if (type==LABEL_MSG2) return True; - if (memcmp(m->nR,st->remoteN,NONCELEN)!=0) { + if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) { *error="wrong remotely-generated nonce"; return False; } @@ -463,19 +503,15 @@ static bool_t generate_msg1(struct site *st) } static bool_t process_msg1(struct site *st, struct buffer_if *msg1, - const struct comm_addr *src) + const struct comm_addr *src, struct msg *m) { - struct msg m; - /* We've already determined we're in an appropriate state to process an incoming MSG1, and that the MSG1 has correct values of A and B. */ - if (!unpick_msg(st,LABEL_MSG1,msg1,&m)) return False; - transport_record_peer(st,&st->setup_peers,src,"msg1"); - st->setup_session_id=m.source; - memcpy(st->remoteN,m.nR,NONCELEN); + st->setup_session_id=m->source; + memcpy(st->remoteN,m->nR,NONCELEN); return True; } @@ -544,11 +580,11 @@ static bool_t process_msg3(struct site *st, struct buffer_if *msg3, /* Generate the shared key */ st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,m.pk, - st->sharedsecret,st->transform->keylen); + st->sharedsecret,st->sharedsecretlen); /* Set up the transform */ st->new_transform->setkey(st->new_transform->st,st->sharedsecret, - st->transform->keylen); + st->sharedsecretlen,st->setup_priority); return True; } @@ -592,10 +628,10 @@ static bool_t process_msg4(struct site *st, struct buffer_if *msg4, m.pk[m.pklen]=0; /* Generate the shared key */ st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,m.pk, - st->sharedsecret,st->transform->keylen); + st->sharedsecret,st->sharedsecretlen); /* Set up the transform */ st->new_transform->setkey(st->new_transform->st,st->sharedsecret, - st->transform->keylen); + st->sharedsecretlen,st->setup_priority); return True; } @@ -640,15 +676,15 @@ static bool_t generate_msg5(struct site *st) } static bool_t process_msg5(struct site *st, struct buffer_if *msg5, - const struct comm_addr *src) + const struct comm_addr *src, + struct transform_inst_if *transform) { struct msg0 m; cstring_t transform_err; if (!unpick_msg0(st,msg5,&m)) return False; - if (st->new_transform->reverse(st->new_transform->st, - msg5,&transform_err)) { + if (transform->reverse(transform->st,msg5,&transform_err)) { /* There's a problem */ slog(st,LOG_SEC,"process_msg5: transform: %s",transform_err); return False; @@ -664,7 +700,8 @@ static bool_t process_msg5(struct site *st, struct buffer_if *msg5, return True; } -static bool_t generate_msg6(struct site *st) +static void create_msg6(struct site *st, struct transform_inst_if *transform, + uint32_t session_id) { cstring_t transform_err; @@ -674,12 +711,15 @@ static bool_t generate_msg6(struct site *st) /* Give the netlink code an opportunity to put its own stuff in the message (configuration information, etc.) */ buf_prepend_uint32(&st->buffer,LABEL_MSG6); - st->new_transform->forwards(st->new_transform->st,&st->buffer, - &transform_err); + transform->forwards(transform->st,&st->buffer,&transform_err); buf_prepend_uint32(&st->buffer,LABEL_MSG6); buf_prepend_uint32(&st->buffer,st->index); - buf_prepend_uint32(&st->buffer,st->setup_session_id); + buf_prepend_uint32(&st->buffer,session_id); +} +static bool_t generate_msg6(struct site *st) +{ + create_msg6(st,st->new_transform,st->setup_session_id); st->retries=1; /* Peer will retransmit MSG5 if this packet gets lost */ return True; } @@ -709,26 +749,79 @@ static bool_t process_msg6(struct site *st, struct buffer_if *msg6, return True; } -static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0) +static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0, + const struct comm_addr *src) { - cstring_t transform_err; + cstring_t transform_err, auxkey_err, newkey_err="n/a"; struct msg0 m; uint32_t problem; - if (!st->current_valid) { - slog(st,LOG_DROP,"incoming message but no current key -> dropping"); - initiate_key_setup(st,"incoming message but no current key"); - return False; - } - if (!unpick_msg0(st,msg0,&m)) return False; - problem = st->current_transform->reverse(st->current_transform->st, + /* Keep a copy so we can try decrypting it with multiple keys */ + buffer_copy(&st->scratch, msg0); + + problem = st->current.transform->reverse(st->current.transform->st, msg0,&transform_err); - if (!problem) return True; + if (!problem) { + if (!st->auxiliary_is_new) + delete_one_key(st,&st->auxiliary_key, + "peer has used new key","auxiliary key",LOG_SEC); + return True; + } + if (problem==2) + goto skew; + + buffer_copy(msg0, &st->scratch); + problem = st->auxiliary_key.transform->reverse + (st->auxiliary_key.transform->st,msg0,&auxkey_err); + if (problem==0) { + slog(st,LOG_DROP,"processing packet which uses auxiliary key"); + if (st->auxiliary_is_new) { + /* We previously timed out in state SENTMSG5 but it turns + * out that our peer did in fact get our MSG5 and is + * using the new key. So we should switch to it too. */ + /* This is a bit like activate_new_key. */ + struct data_key t; + t=st->current; + st->current=st->auxiliary_key; + st->auxiliary_key=t; + + delete_one_key(st,&st->auxiliary_key,"peer has used new key", + "previous key",LOG_SEC); + st->auxiliary_is_new=0; + st->renegotiate_key_time=st->auxiliary_renegotiate_key_time; + } + return True; + } + if (problem==2) + goto skew; + + if (st->state==SITE_SENTMSG5) { + buffer_copy(msg0, &st->scratch); + problem = st->new_transform->reverse(st->new_transform->st, + msg0,&newkey_err); + if (!problem) { + /* It looks like we didn't get the peer's MSG6 */ + /* This is like a cut-down enter_new_state(SITE_RUN) */ + slog(st,LOG_STATE,"will enter state RUN (MSG0 with new key)"); + BUF_FREE(&st->buffer); + st->timeout=0; + activate_new_key(st); + return True; /* do process the data in this packet */ + } + if (problem==2) + goto skew; + } - slog(st,LOG_SEC,"transform: %s",transform_err); + slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)", + transform_err,auxkey_err,newkey_err); initiate_key_setup(st,"incoming message would not decrypt"); + send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt"); + return False; + + skew: + slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err); return False; } @@ -737,7 +830,7 @@ static bool_t process_msg0(struct site *st, struct buffer_if *msg0, { uint32_t type; - if (!decrypt_msg0(st,msg0)) + if (!decrypt_msg0(st,msg0,src)) return False; CHECK_AVAIL(msg0,4); @@ -745,7 +838,7 @@ static bool_t process_msg0(struct site *st, struct buffer_if *msg0, switch(type) { case LABEL_MSG7: /* We must forget about the current session. */ - delete_key(st,"request from peer",LOG_SEC); + delete_keys(st,"request from peer",LOG_SEC); return True; case LABEL_MSG9: /* Deliver to netlink layer */ @@ -766,9 +859,9 @@ static bool_t process_msg0(struct site *st, struct buffer_if *msg0, static void dump_packet(struct site *st, struct buffer_if *buf, const struct comm_addr *addr, bool_t incoming) { - uint32_t dest=ntohl(*(uint32_t *)buf->start); - uint32_t source=ntohl(*(uint32_t *)(buf->start+4)); - uint32_t msgtype=ntohl(*(uint32_t *)(buf->start+8)); + uint32_t dest=get_uint32(buf->start); + uint32_t source=get_uint32(buf->start+4); + uint32_t msgtype=get_uint32(buf->start+8); if (st->log_events & LOG_DUMP) slilog(st->log,M_DEBUG,"%s: %s: %08x<-%08x: %08x:", @@ -788,6 +881,24 @@ static bool_t send_msg(struct site *st) st->timeout=st->now+st->setup_retry_interval; st->retries--; return True; + } else if (st->state==SITE_SENTMSG5) { + slog(st,LOG_SETUP_TIMEOUT,"timed out sending MSG5, stashing new key"); + /* We stash the key we have produced, in case it turns out that + * our peer did see our MSG5 after all and starts using it. */ + /* This is a bit like some of activate_new_key */ + struct transform_inst_if *t; + t=st->auxiliary_key.transform; + st->auxiliary_key.transform=st->new_transform; + st->new_transform=t; + + t->delkey(t->st); + st->auxiliary_is_new=1; + st->auxiliary_key.key_timeout=st->now+st->key_lifetime; + st->auxiliary_renegotiate_key_time=st->now+st->key_renegotiate_time; + st->auxiliary_key.remote_session_id=st->setup_session_id; + + enter_state_wait(st); + return False; } else { slog(st,LOG_SETUP_TIMEOUT,"timed out sending key setup packet " "(in state %s)",state_name(st->state)); @@ -843,34 +954,44 @@ static void activate_new_key(struct site *st) { struct transform_inst_if *t; - /* We have two transform instances, which we swap between active - and setup */ - t=st->current_transform; - st->current_transform=st->new_transform; + /* We have three transform instances, which we swap between old, + active and setup */ + t=st->auxiliary_key.transform; + st->auxiliary_key.transform=st->current.transform; + st->current.transform=st->new_transform; st->new_transform=t; t->delkey(t->st); st->timeout=0; - st->current_valid=True; - st->current_key_timeout=st->now+st->key_lifetime; + st->auxiliary_is_new=0; + st->auxiliary_key.key_timeout=st->current.key_timeout; + st->current.key_timeout=st->now+st->key_lifetime; st->renegotiate_key_time=st->now+st->key_renegotiate_time; transport_peers_copy(st,&st->peers,&st->setup_peers); - st->remote_session_id=st->setup_session_id; + st->current.remote_session_id=st->setup_session_id; slog(st,LOG_ACTIVATE_KEY,"new key activated"); enter_state_run(st); } -static void delete_key(struct site *st, cstring_t reason, uint32_t loglevel) +static void delete_one_key(struct site *st, struct data_key *key, + cstring_t reason, cstring_t which, uint32_t loglevel) { - if (st->current_valid) { + if (!key->transform->valid(key->transform->st)) return; + if (reason) slog(st,loglevel,"%s deleted (%s)",which,reason); + key->transform->delkey(key->transform->st); + key->key_timeout=0; +} + +static void delete_keys(struct site *st, cstring_t reason, uint32_t loglevel) +{ + if (current_valid(st)) { slog(st,loglevel,"session closed (%s)",reason); - st->current_valid=False; - st->current_transform->delkey(st->current_transform->st); - st->current_key_timeout=0; + delete_one_key(st,&st->current,0,0,0); set_link_quality(st); } + delete_one_key(st,&st->auxiliary_key,0,0,0); } static void state_assert(struct site *st, bool_t ok) @@ -882,14 +1003,14 @@ static void enter_state_stop(struct site *st) { st->state=SITE_STOP; st->timeout=0; - delete_key(st,"entering state STOP",LOG_TIMEOUT_KEY); + delete_keys(st,"entering state STOP",LOG_TIMEOUT_KEY); st->new_transform->delkey(st->new_transform->st); } static void set_link_quality(struct site *st) { uint32_t quality; - if (st->current_valid) + if (current_valid(st)) quality=LINK_QUALITY_UP; else if (st->state==SITE_WAIT || st->state==SITE_STOP) quality=LINK_QUALITY_DOWN; @@ -915,7 +1036,7 @@ static void enter_state_run(struct site *st) memset(st->remoteN,0,NONCELEN); st->new_transform->delkey(st->new_transform->st); memset(st->dhsecret,0,st->dh->len); - memset(st->sharedsecret,0,st->transform->keylen); + memset(st->sharedsecret,0,st->sharedsecretlen); set_link_quality(st); } @@ -1001,17 +1122,17 @@ static bool_t send_msg7(struct site *st, cstring_t reason) { cstring_t transform_err; - if (st->current_valid && st->buffer.free + if (current_valid(st) && st->buffer.free && transport_peers_valid(&st->peers)) { BUF_ALLOC(&st->buffer,"site:MSG7"); buffer_init(&st->buffer,st->transform->max_start_pad+(4*3)); buf_append_uint32(&st->buffer,LABEL_MSG7); buf_append_string(&st->buffer,reason); - st->current_transform->forwards(st->current_transform->st, + st->current.transform->forwards(st->current.transform->st, &st->buffer, &transform_err); buf_prepend_uint32(&st->buffer,LABEL_MSG0); buf_prepend_uint32(&st->buffer,st->index); - buf_prepend_uint32(&st->buffer,st->remote_session_id); + buf_prepend_uint32(&st->buffer,st->current.remote_session_id); transport_xmit(st,&st->peers,&st->buffer,True); BUF_FREE(&st->buffer); return True; @@ -1052,14 +1173,23 @@ static int site_beforepoll(void *sst, struct pollfd *fds, int *nfds_io, st->now=*now; /* Work out when our next timeout is. The earlier of 'timeout' or - 'current_key_timeout'. A stored value of '0' indicates no timeout + 'current.key_timeout'. A stored value of '0' indicates no timeout active. */ site_settimeout(st->timeout, timeout_io); - site_settimeout(st->current_key_timeout, timeout_io); + site_settimeout(st->current.key_timeout, timeout_io); + site_settimeout(st->auxiliary_key.key_timeout, timeout_io); return 0; /* success */ } +static void check_expiry(struct site *st, struct data_key *key, + const char *which) +{ + if (key->key_timeout && *now>key->key_timeout) { + delete_one_key(st,key,"maximum life exceeded",which,LOG_TIMEOUT_KEY); + } +} + /* NB site_afterpoll will be called before site_beforepoll is ever called */ static void site_afterpoll(void *sst, struct pollfd *fds, int nfds) { @@ -1078,9 +1208,8 @@ static void site_afterpoll(void *sst, struct pollfd *fds, int nfds) st->state); } } - if (st->current_key_timeout && *now>st->current_key_timeout) { - delete_key(st,"maximum key life exceeded",LOG_TIMEOUT_KEY); - } + check_expiry(st,&st->current,"current key"); + check_expiry(st,&st->auxiliary_key,"auxiliary key"); } /* This function is called by the netlink device to deliver packets @@ -1098,15 +1227,15 @@ static void site_outgoing(void *sst, struct buffer_if *buf) /* In all other states we consider delivering the packet if we have a valid key and a valid address to send it to. */ - if (st->current_valid && transport_peers_valid(&st->peers)) { + if (current_valid(st) && transport_peers_valid(&st->peers)) { /* Transform it and send it */ if (buf->size>0) { buf_prepend_uint32(buf,LABEL_MSG9); - st->current_transform->forwards(st->current_transform->st, + st->current.transform->forwards(st->current.transform->st, buf, &transform_err); buf_prepend_uint32(buf,LABEL_MSG0); buf_prepend_uint32(buf,st->index); - buf_prepend_uint32(buf,st->remote_session_id); + buf_prepend_uint32(buf,st->current.remote_session_id); transport_xmit(st,&st->peers,buf,False); } BUF_FREE(buf); @@ -1118,6 +1247,18 @@ static void site_outgoing(void *sst, struct buffer_if *buf) initiate_key_setup(st,"outgoing packet"); } +static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in, + uint32_t type, struct msg *m) + /* For packets which are identified by the local and remote names. + * If it has our name and our peer's name in it it's for us. */ +{ + struct buffer_if buf[1]; + buffer_readonly_clone(buf,buf_in); + return unpick_msg(st,type,buf,m) + && name_matches(&m->remote,st->remotename) + && name_matches(&m->local,st->localname); +} + /* This function is called by the communication device to deliver packets from our peers. */ static bool_t site_incoming(void *sst, struct buffer_if *buf, @@ -1127,66 +1268,63 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf, if (buf->size < 12) return False; - uint32_t dest=ntohl(*(uint32_t *)buf->start); - - if (dest==0) { - /* It could be for any site - it should have LABEL_MSG1 and - might have our name and our peer's name in it */ - if (buf->size<(st->setupsiglen+8+NONCELEN)) return False; - if (memcmp(buf->start+8,st->setupsig,st->setupsiglen)==0) { - /* It's addressed to us. Decide what to do about it. */ - dump_packet(st,buf,source,True); - if (st->state==SITE_RUN || st->state==SITE_RESOLVE || - st->state==SITE_WAIT) { - /* We should definitely process it */ - if (process_msg1(st,buf,source)) { - slog(st,LOG_SETUP_INIT,"key setup initiated by peer"); + uint32_t dest=get_uint32(buf->start); + uint32_t msgtype=get_uint32(buf->start+8); + struct msg named_msg; + + if (msgtype==LABEL_MSG1) { + if (!named_for_us(st,buf,msgtype,&named_msg)) + return False; + /* It's a MSG1 addressed to us. Decide what to do about it. */ + dump_packet(st,buf,source,True); + if (st->state==SITE_RUN || st->state==SITE_RESOLVE || + st->state==SITE_WAIT) { + /* We should definitely process it */ + if (process_msg1(st,buf,source,&named_msg)) { + slog(st,LOG_SETUP_INIT,"key setup initiated by peer"); + enter_new_state(st,SITE_SENTMSG2); + } else { + slog(st,LOG_ERROR,"failed to process incoming msg1"); + } + BUF_FREE(buf); + return True; + } else if (st->state==SITE_SENTMSG1) { + /* We've just sent a message 1! They may have crossed on + the wire. If we have priority then we ignore the + incoming one, otherwise we process it as usual. */ + if (st->setup_priority) { + BUF_FREE(buf); + slog(st,LOG_DUMP,"crossed msg1s; we are higher " + "priority => ignore incoming msg1"); + return True; + } else { + slog(st,LOG_DUMP,"crossed msg1s; we are lower " + "priority => use incoming msg1"); + if (process_msg1(st,buf,source,&named_msg)) { + BUF_FREE(&st->buffer); /* Free our old message 1 */ enter_new_state(st,SITE_SENTMSG2); } else { - slog(st,LOG_ERROR,"failed to process incoming msg1"); + slog(st,LOG_ERROR,"failed to process an incoming " + "crossed msg1 (we have low priority)"); } BUF_FREE(buf); return True; - } else if (st->state==SITE_SENTMSG1) { - /* We've just sent a message 1! They may have crossed on - the wire. If we have priority then we ignore the - incoming one, otherwise we process it as usual. */ - if (st->setup_priority) { - BUF_FREE(buf); - slog(st,LOG_DUMP,"crossed msg1s; we are higher " - "priority => ignore incoming msg1"); - return True; - } else { - slog(st,LOG_DUMP,"crossed msg1s; we are lower " - "priority => use incoming msg1"); - if (process_msg1(st,buf,source)) { - BUF_FREE(&st->buffer); /* Free our old message 1 */ - enter_new_state(st,SITE_SENTMSG2); - } else { - slog(st,LOG_ERROR,"failed to process an incoming " - "crossed msg1 (we have low priority)"); - } - BUF_FREE(buf); - return True; - } } - /* The message 1 was received at an unexpected stage of the - key setup. XXX POLICY - what do we do? */ - slog(st,LOG_UNEXPECTED,"unexpected incoming message 1"); - BUF_FREE(buf); - return True; } - return False; /* Not for us. */ + /* The message 1 was received at an unexpected stage of the + key setup. XXX POLICY - what do we do? */ + slog(st,LOG_UNEXPECTED,"unexpected incoming message 1"); + BUF_FREE(buf); + return True; } if (dest==st->index) { /* Explicitly addressed to us */ - uint32_t msgtype=ntohl(get_uint32(buf->start+8)); if (msgtype!=LABEL_MSG0) dump_packet(st,buf,source,True); switch (msgtype) { - case 0: /* NAK */ + case LABEL_NAK: /* If the source is our current peer then initiate a key setup, because our peer's forgotten the key */ - if (get_uint32(buf->start+4)==st->remote_session_id) { + if (get_uint32(buf->start+4)==st->current.remote_session_id) { initiate_key_setup(st,"received a NAK"); } else { slog(st,LOG_SEC,"bad incoming NAK"); @@ -1237,16 +1375,29 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf, /* Setup packet: expected only in state SENTMSG4 */ /* (may turn up in state RUN if our return MSG6 was lost and the new key has already been activated. In that - case we should treat it as an ordinary PING packet. We - can't pass it to process_msg5() because the - new_transform will now be unkeyed. XXX) */ - if (st->state!=SITE_SENTMSG4) { - slog(st,LOG_UNEXPECTED,"unexpected MSG5"); - } else if (process_msg5(st,buf,source)) { - transport_setup_msgok(st,source); - enter_new_state(st,SITE_RUN); + case we discard it. The peer will realise that we + are using the new key when they see our data packets. + Until then the peer's data packets to us get discarded. */ + if (st->state==SITE_SENTMSG4) { + if (process_msg5(st,buf,source,st->new_transform)) { + transport_setup_msgok(st,source); + enter_new_state(st,SITE_RUN); + } else { + slog(st,LOG_SEC,"invalid MSG5"); + } + } else if (st->state==SITE_RUN) { + if (process_msg5(st,buf,source,st->current.transform)) { + slog(st,LOG_DROP,"got MSG5, retransmitting MSG6"); + transport_setup_msgok(st,source); + create_msg6(st,st->current.transform, + st->current.remote_session_id); + transport_xmit(st,&st->peers,&st->buffer,True); + BUF_FREE(&st->buffer); + } else { + slog(st,LOG_SEC,"invalid MSG5 (in state RUN)"); + } } else { - slog(st,LOG_SEC,"invalid MSG5"); + slog(st,LOG_UNEXPECTED,"unexpected MSG5"); } break; case LABEL_MSG6: @@ -1416,30 +1567,26 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, /* The information we expect to see in incoming messages of type 1 */ /* fixme: lots of unchecked overflows here, but the results are only corrupted packets rather than undefined behaviour */ - st->setupsiglen=strlen(st->remotename)+strlen(st->localname)+8; - st->setupsig=safe_malloc(st->setupsiglen,"site_apply"); - put_uint32(st->setupsig+0,LABEL_MSG1); - put_uint16(st->setupsig+4,strlen(st->remotename)); - memcpy(&st->setupsig[6],st->remotename,strlen(st->remotename)); - put_uint16(st->setupsig+(6+strlen(st->remotename)),strlen(st->localname)); - memcpy(&st->setupsig[8+strlen(st->remotename)],st->localname, - strlen(st->localname)); st->setup_priority=(strcmp(st->localname,st->remotename)>0); buffer_new(&st->buffer,SETUP_BUFFER_LEN); + buffer_new(&st->scratch,0); + BUF_ALLOC(&st->scratch,"site:scratch"); + /* We are interested in poll(), but only for timeouts. We don't have any fds of our own. */ register_for_poll(st, site_beforepoll, site_afterpoll, 0, "site"); st->timeout=0; - st->current_valid=False; - st->current_key_timeout=0; + st->current.key_timeout=0; + st->auxiliary_key.key_timeout=0; transport_peers_clear(st,&st->peers); transport_peers_clear(st,&st->setup_peers); /* XXX mlock these */ st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret"); - st->sharedsecret=safe_malloc(st->transform->keylen,"site:sharedsecret"); + st->sharedsecretlen=st->transform->keylen?:st->dh->ceil_len; + st->sharedsecret=safe_malloc(st->sharedsecretlen,"site:sharedsecret"); /* We need to compute some properties of our comms */ #define COMPUTE_WORST(pad) \ @@ -1461,8 +1608,10 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, for (i=0; incomms; i++) st->comms[i]->request_notify(st->comms[i]->st, st, site_incoming); - st->current_transform=st->transform->create(st->transform->st); + st->current.transform=st->transform->create(st->transform->st); + st->auxiliary_key.transform=st->transform->create(st->transform->st); st->new_transform=st->transform->create(st->transform->st); + st->auxiliary_is_new=0; enter_state_stop(st);