X-Git-Url: https://git.distorted.org.uk/~mdw/secnet/blobdiff_plain/8b978d453a63e491e086d0b71118f5daca07d624..refs/heads/mdw/xdh:/site.c diff --git a/site.c b/site.c index 11fc28b..3971e68 100644 --- a/site.c +++ b/site.c @@ -107,6 +107,8 @@ #define SITE_SENTMSG5 7 #define SITE_WAIT 8 +#define CASES_MSG3_KNOWN LABEL_MSG3: case LABEL_MSG3BIS: case LABEL_MSG3TER + int32_t site_max_start_pad = 4*4; static cstring_t state_name(uint32_t state) @@ -314,22 +316,23 @@ struct site { struct rsapubkey_if *pubkey; struct transform_if **transforms; int ntransforms; - struct dh_if *dh; + struct dh_if **dhs; + int ndhs; struct hash_if *hash; uint32_t index; /* Index of this site */ + uint32_t early_capabilities; uint32_t local_capabilities; int32_t setup_retries; /* How many times to send setup packets */ int32_t setup_retry_interval; /* Initial timeout for setup packets */ - int32_t wait_timeout; /* How long to wait if setup unsuccessful */ + int32_t wait_timeout_mean; /* How long to wait if setup unsuccessful */ int32_t mobile_peer_expiry; /* How long to remember 2ary addresses */ int32_t key_lifetime; /* How long a key lasts once set up */ int32_t key_renegotiate_time; /* If we see traffic (or a keepalive) after this time, initiate a new key exchange */ - bool_t setup_priority; /* Do we have precedence if both sites emit - message 1 simultaneously? */ + bool_t our_name_later; /* our name > peer name */ uint32_t log_events; /* runtime information */ @@ -359,6 +362,7 @@ struct site { uint32_t remote_capabilities; uint16_t remote_adv_mtu; struct transform_if *chosen_transform; + struct dh_if *chosen_dh; uint32_t setup_session_id; transport_peers setup_peers; uint8_t localN[NONCELEN]; /* Nonces for key exchange */ @@ -369,7 +373,6 @@ struct site { uint64_t timeout; /* Timeout for current state */ uint8_t *dhsecret; uint8_t *sharedsecret; - uint32_t sharedsecretlen, sharedsecretallocd; struct transform_inst_if *new_transform; /* For key setup/verify */ }; 
@@ -471,14 +474,15 @@ static bool_t current_valid(struct site *st) } #define DEFINE_CALL_TRANSFORM(fwdrev) \ -static int call_transform_##fwdrev(struct site *st, \ +static transform_apply_return \ +call_transform_##fwdrev(struct site *st, \ struct transform_inst_if *transform, \ struct buffer_if *buf, \ const char **errmsg) \ { \ if (!is_transform_valid(transform)) { \ *errmsg="transform not set up"; \ - return 1; \ + return transform_apply_err; \ } \ return transform->fwdrev(transform->st,buf,errmsg); \ } @@ -505,10 +509,10 @@ static void dispose_transform(struct transform_inst_if **transform_var) static _Bool type_is_msg34(uint32_t type) { - return - type == LABEL_MSG3 || - type == LABEL_MSG3BIS || - type == LABEL_MSG4; + switch (type) { + case CASES_MSG3_KNOWN: case LABEL_MSG4: return True; + default: return False; + } } struct parsedname { 
@@ -526,38 +530,48 @@ struct msg { uint32_t remote_capabilities; uint16_t remote_mtu; int capab_transformnum; + int capab_dhnum; uint8_t *nR; uint8_t *nL; int32_t pklen; - char *pk; + uint8_t *pk; int32_t hashlen; int32_t siglen; char *sig; }; -static _Bool set_new_transform(struct site *st, char *pk) +static int32_t wait_timeout(struct site *st) { + int32_t t = st->wait_timeout_mean; + int8_t factor; + if (t < INT_MAX/2) { + st->random->generate(st->random->st,sizeof(factor),&factor); + t += (t / 256) * factor; + } + return t; +} + +static _Bool set_new_transform(struct site *st, uint8_t *pk, int32_t pklen) { _Bool ok; - /* Make room for the shared key */ - st->sharedsecretlen=st->chosen_transform->keylen?:st->dh->ceil_len; - assert(st->sharedsecretlen); - if (st->sharedsecretlen > st->sharedsecretallocd) { - st->sharedsecretallocd=st->sharedsecretlen; - st->sharedsecret=safe_realloc_ary(st->sharedsecret,1, - st->sharedsecretallocd, - "site:sharedsecret"); - } - /* Generate the shared key */ - st->dh->makeshared(st->dh->st,st->dhsecret,st->dh->len,pk, - st->sharedsecret,st->sharedsecretlen); + assert(!st->sharedsecret); + st->sharedsecret = safe_malloc(st->chosen_dh->shared_len, + "site:sharedsecret"); + pk[pklen]=0; /* clobbers the following signature length, which we've + * already copied */ + if (!st->chosen_dh->makeshared(st->chosen_dh->st, + st->dhsecret,st->chosen_dh->secret_len, + pk,pklen, + st->sharedsecret, + st->chosen_dh->shared_len)) + return False; /* Set up the transform */ struct transform_if *generator=st->chosen_transform; struct transform_inst_if *generated=generator->create(generator->st); ok = generated->setkey(generated->st,st->sharedsecret, - st->sharedsecretlen,st->setup_priority); + st->chosen_dh->shared_len,st->our_name_later); dispose_transform(&st->new_transform); if (!ok) return False; 
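Review bot: In set_new_transform the new early `return False` after a failed `makeshared` leaves `st->sharedsecret` allocated, while the function now opens with `assert(!st->sharedsecret)`, so a second call before the buffer is released aborts the daemon. Within this diff only enter_state_run frees and clears the buffer, and generate_dhsecret (added in the process_msg2 hunk) has the same shape with `assert(!st->dhsecret)`. If a rejected MSG3 or MSG4 can be followed by another one in the same state, which is not visible here, a peer whose message passes the earlier checks could trigger the assertion. Either wipe, free and null both secrets on every failure path, or replace the two asserts with a wipe-and-free of any stale buffer before allocating. The function continues past the end of this hunk.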
@@ -565,7 +579,7 @@ static _Bool set_new_transform(struct site *st, char *pk) slog(st,LOG_SETUP_INIT,"key exchange negotiated transform" " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")", - st->chosen_transform->capab_transformnum, + st->chosen_transform->capab_bit, st->local_capabilities, st->remote_capabilities); return True; } @@ -604,7 +618,11 @@ static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what) { void *hst; uint8_t *hash; - string_t dhpub, sig; + string_t sig; + uint8_t *pklen_addr; + int32_t pklen; + void *pk; + unsigned minor; st->retries=st->setup_retries; BUF_ALLOC(&st->buffer,what); @@ -616,7 +634,8 @@ static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what) struct xinfoadd xia; append_string_xinfo_start(&st->buffer,&xia,st->localname); - if ((st->local_capabilities & CAPAB_EARLY) || (type != LABEL_MSG1)) { + if ((st->local_capabilities & st->early_capabilities) || + (type != LABEL_MSG1)) { buf_append_uint32(&st->buffer,st->local_capabilities); } if (type_is_msg34(type)) { 
@@ -632,12 +651,21 @@ static bool_t generate_msg(struct site *st, uint32_t type, cstring_t what) if (hacky_par_mid_failnow()) return False; - if (type==LABEL_MSG3BIS) - buf_append_uint8(&st->buffer,st->chosen_transform->capab_transformnum); - - dhpub=st->dh->makepublic(st->dh->st,st->dhsecret,st->dh->len); - buf_append_string(&st->buffer,dhpub); - free(dhpub); + if (MSGMAJOR(type) == 3) do { + minor = MSGMINOR(type); + if (minor < 1) break; + buf_append_uint8(&st->buffer,st->chosen_transform->capab_bit); + if (minor < 2) break; + buf_append_uint8(&st->buffer,st->chosen_dh->capab_bit); + } while (0); + + pklen_addr=buf_append(&st->buffer,2); + pk=buf_append(&st->buffer,st->chosen_dh->public_len); + pklen=st->chosen_dh->makepublic(st->chosen_dh->st, + pk,st->chosen_dh->public_len, + st->dhsecret,st->chosen_dh->secret_len); + put_uint16(pklen_addr,pklen); + buf_unappend(&st->buffer,st->chosen_dh->public_len-pklen); hash=safe_malloc(st->hash->len, "generate_msg"); hst=st->hash->init(); st->hash->update(hst,st->buffer.start,st->buffer.size); @@ -668,7 +696,9 @@ static bool_t unpick_name(struct buffer_if *msg, struct parsedname *nm) static bool_t unpick_msg(struct site *st, uint32_t type, struct buffer_if *msg, struct msg *m) { - m->capab_transformnum=-1; + unsigned minor; + + m->capab_transformnum=m->capab_dhnum=-1; m->hashstart=msg->start; CHECK_AVAIL(msg,4); m->dest=buf_unprepend_uint32(msg); 
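Review bot: The length returned by `makepublic` in generate_msg goes straight into `put_uint16(pklen_addr,pklen)` and `buf_unappend(&st->buffer,st->chosen_dh->public_len-pklen)` with no range check. If a dh_if implementation ever returns a negative error value or more than `public_len`, the 16-bit length field is truncated and the buffer size is adjusted in the wrong direction. I would pin the contract right after the call with `assert(pklen>=0 && pklen<=st->chosen_dh->public_len && pklen<=0xffff);`, and document in the dh_if declaration (not in this diff) what makepublic returns on failure. generate_msg starts before and ends after this hunk.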
@@ -703,12 +733,20 @@ static bool_t unpick_msg(struct site *st, uint32_t type, CHECK_EMPTY(msg); return True; } - if (type==LABEL_MSG3BIS) { - CHECK_AVAIL(msg,1); - m->capab_transformnum = buf_unprepend_uint8(msg); - } else { - m->capab_transformnum = CAPAB_TRANSFORMNUM_ANCIENT; - } + if (MSGMAJOR(type) == 3) do { + minor = MSGMINOR(type); +#define MAYBE_READ_CAP(minminor, kind, dflt) do { \ + if (minor < (minminor)) \ + m->capab_##kind##num = (dflt); \ + else { \ + CHECK_AVAIL(msg, 1); \ + m->capab_##kind##num = buf_unprepend_uint8(msg); \ + } \ +} while (0) + MAYBE_READ_CAP(1, transform, CAPAB_BIT_ANCIENTTRANSFORM); + MAYBE_READ_CAP(2, dh, CAPAB_BIT_TRADZP); +#undef MAYBE_READ_CAP + } while (0); CHECK_AVAIL(msg,2); m->pklen=buf_unprepend_uint16(msg); CHECK_AVAIL(msg,m->pklen); @@ -757,13 +795,13 @@ static bool_t check_msg(struct site *st, uint32_t type, struct msg *m, return False; } if (type==LABEL_MSG2) return True; - if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)!=0) { + if (!consttime_memeq(m->nR,st->remoteN,NONCELEN)) { *error="wrong remotely-generated nonce"; return False; } /* MSG3 has complicated rules about capabilities, which are * handled in process_msg3. */ - if (type==LABEL_MSG3 || type==LABEL_MSG3BIS) return True; + if (MSGMAJOR(type) == 3) return True; if (m->remote_capabilities!=st->remote_capabilities) { *error="remote capabilities changed"; return False; 
@@ -812,40 +850,70 @@ static bool_t process_msg2(struct site *st, struct buffer_if *msg2, st->setup_session_id=m.source; st->remote_capabilities=m.remote_capabilities; - /* Select the transform to use */ + /* Select the transform and DH group to use */ - uint32_t remote_transforms = st->remote_capabilities & CAPAB_TRANSFORM_MASK; - if (!remote_transforms) + uint32_t remote_crypto_caps = st->remote_capabilities; + if (!(remote_crypto_caps & CAPAB_EXPLICIT_TRANSFORM_DH)) + remote_crypto_caps &= CAPAB_INEXPLICIT_TRANSFORM_MASK; + if (!remote_crypto_caps) /* old secnets only had this one transform */ - remote_transforms = 1UL << CAPAB_TRANSFORMNUM_ANCIENT; + remote_crypto_caps = 1UL << CAPAB_BIT_ANCIENTTRANSFORM; + if (!(remote_crypto_caps & CAPAB_EXPLICIT_TRANSFORM_DH)) + /* old secnets only had this one kind of group */ + remote_crypto_caps |= 1UL << CAPAB_BIT_TRADZP; + +#define CHOOSE_CRYPTO(kind, whats) do { \ + struct kind##_if *iface; \ + uint32_t bit, ours = 0; \ + int i; \ + for (i= 0; i < st->n##kind##s; i++) { \ + iface=st->kind##s[i]; \ + bit = 1UL << iface->capab_bit; \ + if (bit & remote_crypto_caps) goto kind##_found; \ + ours |= bit; \ + } \ + slog(st,LOG_ERROR,"no " whats " in common" \ + " (us %#"PRIx32"; them: %#"PRIx32")", \ + st->local_capabilities & ours, remote_crypto_caps); \ + return False; \ +kind##_found: \ + st->chosen_##kind = iface; \ +} while (0) - struct transform_if *ti; - int i; - for (i=0; intransforms; i++) { - ti=st->transforms[i]; - if ((1UL << ti->capab_transformnum) & remote_transforms) - goto transform_found; - } - slog(st,LOG_ERROR,"no transforms in common" - " (us %#"PRIx32"; them: %#"PRIx32")", - st->local_capabilities & CAPAB_TRANSFORM_MASK, - remote_transforms); - return False; - transform_found: - st->chosen_transform=ti; + CHOOSE_CRYPTO(transform, "transforms"); + CHOOSE_CRYPTO(dh, "Diffie--Hellman groups"); + +#undef CHOOSE_CRYPTO memcpy(st->remoteN,m.nR,NONCELEN); return True; } +static void generate_dhsecret(struct site 
*st) +{ + slog(st,LOG_SETUP_INIT,"key exchange negotiated DH group" + " %d (capabilities ours=%#"PRIx32" theirs=%#"PRIx32")", + st->chosen_dh->capab_bit, + st->local_capabilities, st->remote_capabilities); + assert(!st->dhsecret); + st->dhsecret = safe_malloc(st->chosen_dh->secret_len, "site:dhsecret"); + st->random->generate(st->random->st, + st->chosen_dh->secret_len,st->dhsecret); +} + static bool_t generate_msg3(struct site *st) { /* Now we have our nonce and their nonce. Think of a secret key, and create message number 3. */ - st->random->generate(st->random->st,st->dh->len,st->dhsecret); + generate_dhsecret(st); return generate_msg(st, - (st->remote_capabilities & CAPAB_TRANSFORM_MASK - ? LABEL_MSG3BIS : LABEL_MSG3), + (st->remote_capabilities & + CAPAB_EXPLICIT_TRANSFORM_DH) + ? LABEL_MSG3TER + : (st->remote_capabilities & + CAPAB_INEXPLICIT_TRANSFORM_MASK) + ? LABEL_MSG3BIS + : LABEL_MSG3, "site:MSG3"); } @@ -879,7 +947,10 @@ static bool_t process_msg3(struct site *st, struct buffer_if *msg3, struct msg m; cstring_t err; - assert(msgtype==LABEL_MSG3 || msgtype==LABEL_MSG3BIS); + switch (msgtype) { + case CASES_MSG3_KNOWN: break; + default: assert(0); + } if (!unpick_msg(st,msgtype,msg3,&m)) return False; if (!check_msg(st,msgtype,&m,&err)) { @@ -887,7 +958,7 @@ static bool_t process_msg3(struct site *st, struct buffer_if *msg3, return False; } uint32_t capab_adv_late = m.remote_capabilities - & ~st->remote_capabilities & CAPAB_EARLY; + & ~st->remote_capabilities & st->early_capabilities; if (capab_adv_late) { slog(st,LOG_SEC,"msg3 impermissibly adds early capability flag(s)" " %#"PRIx32" (was %#"PRIx32", now %#"PRIx32")", 
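Review bot: CHOOSE_CRYPTO in process_msg2 computes `1UL << iface->capab_bit` and tests it against the whole of `remote_crypto_caps`, so transforms, DH groups and the non-crypto flags share one 32-bit namespace, and nothing visible here bounds `capab_bit`. A value of 32 or more is lost on conversion to `uint32_t` (or is undefined where `unsigned long` is 32 bits), and a transform configured on the same bit as a DH group or as `CAPAB_EXPLICIT_TRANSFORM_DH` would be selected on the strength of the other advertisement. The SET_CAPBIT macro in site_apply (last hunk) detects reuse but only logs it at LOG_ERROR and carries on. Consider making reuse or an out-of-range bit a fatal configuration error there, and masking `remote_crypto_caps` per kind before each CHOOSE_CRYPTO; whether suitable masks already exist cannot be told from this diff.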
@@ -896,18 +967,25 @@ static bool_t process_msg3(struct site *st, struct buffer_if *msg3, } st->remote_capabilities|=m.remote_capabilities; - struct transform_if *ti; - int i; - for (i=0; intransforms; i++) { - ti=st->transforms[i]; - if (ti->capab_transformnum == m.capab_transformnum) - goto transform_found; - } - slog(st,LOG_SEC,"peer chose unknown-to-us transform %d!", - m.capab_transformnum); - return False; - transform_found: - st->chosen_transform=ti; +#define CHOSE_CRYPTO(kind, what) do { \ + struct kind##_if *iface; \ + int i; \ + for (i=0; in##kind##s; i++) { \ + iface=st->kind##s[i]; \ + if (iface->capab_bit == m.capab_##kind##num) \ + goto kind##_found; \ + } \ + slog(st,LOG_SEC,"peer chose unknown-to-us " what " %d!", \ + m.capab_##kind##num); \ + return False; \ +kind##_found: \ + st->chosen_##kind=iface; \ +} while (0) + + CHOSE_CRYPTO(transform, "transform"); + CHOSE_CRYPTO(dh, "Diffie--Hellman group"); + +#undef CHOSE_CRYPTO if (!process_msg3_msg4(st,&m)) return False; @@ -915,10 +993,10 @@ static bool_t process_msg3(struct site *st, struct buffer_if *msg3, /* Terminate their DH public key with a '0' */ m.pk[m.pklen]=0; /* Invent our DH secret key */ - st->random->generate(st->random->st,st->dh->len,st->dhsecret); + generate_dhsecret(st); /* Generate the shared key and set up the transform */ - if (!set_new_transform(st,m.pk)) return False; + if (!set_new_transform(st,m.pk,m.pklen)) return False; return True; } @@ -949,7 +1027,7 @@ static bool_t process_msg4(struct site *st, struct buffer_if *msg4, m.pk[m.pklen]=0; /* Generate the shared key and set up the transform */ - if (!set_new_transform(st,m.pk)) return False; + if (!set_new_transform(st,m.pk,m.pklen)) return False; return True; } 
@@ -1030,8 +1108,9 @@ static void create_msg6(struct site *st, struct transform_inst_if *transform, /* Give the netlink code an opportunity to put its own stuff in the message (configuration information, etc.) */ buf_prepend_uint32(&st->buffer,LABEL_MSG6); - int problem = call_transform_forwards(st,transform, - &st->buffer,&transform_err); + transform_apply_return problem = + call_transform_forwards(st,transform, + &st->buffer,&transform_err); assert(!problem); buf_prepend_uint32(&st->buffer,LABEL_MSG6); buf_prepend_uint32(&st->buffer,st->index); @@ -1071,12 +1150,13 @@ static bool_t process_msg6(struct site *st, struct buffer_if *msg6, return True; } -static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0, +static transform_apply_return +decrypt_msg0(struct site *st, struct buffer_if *msg0, const struct comm_addr *src) { cstring_t transform_err, auxkey_err, newkey_err="n/a"; struct msg0 m; - uint32_t problem; + transform_apply_return problem; if (!unpick_msg0(st,msg0,&m)) return False; @@ -1089,15 +1169,15 @@ static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0, if (!st->auxiliary_is_new) delete_one_key(st,&st->auxiliary_key, "peer has used new key","auxiliary key",LOG_SEC); - return True; + return 0; } - if (problem==2) - goto skew; + if (transform_apply_return_badseq(problem)) + goto badseq; buffer_copy(msg0, &st->scratch); problem = call_transform_reverse(st,st->auxiliary_key.transform, msg0,&auxkey_err); - if (problem==0) { + if (!problem) { slog(st,LOG_DROP,"processing packet which uses auxiliary key"); if (st->auxiliary_is_new) { /* We previously timed out in state SENTMSG5 but it turns 
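Review bot: decrypt_msg0 now returns `transform_apply_return`, where 0 means the packet decrypted, yet its unchanged first statement `if (!unpick_msg0(st,msg0,&m)) return False;` still returns False, which is 0. process_msg0 therefore treats a packet that could not be unpicked as a success and goes on to parse it; the following `CHECK_AVAIL(msg0,4)` probably rejects it, but that is incidental rather than designed. Change the line to `return transform_apply_err;` so the failure is reported in the new type. The function body continues through the next two hunks.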
@@ -1114,10 +1194,10 @@ static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0, st->auxiliary_is_new=0; st->renegotiate_key_time=st->auxiliary_renegotiate_key_time; } - return True; + return 0; } - if (problem==2) - goto skew; + if (transform_apply_return_badseq(problem)) + goto badseq; if (st->state==SITE_SENTMSG5) { buffer_copy(msg0, &st->scratch); @@ -1130,20 +1210,21 @@ static bool_t decrypt_msg0(struct site *st, struct buffer_if *msg0, BUF_FREE(&st->buffer); st->timeout=0; activate_new_key(st); - return True; /* do process the data in this packet */ + return 0; /* do process the data in this packet */ } - if (problem==2) - goto skew; + if (transform_apply_return_badseq(problem)) + goto badseq; } slog(st,LOG_SEC,"transform: %s (aux: %s, new: %s)", transform_err,auxkey_err,newkey_err); initiate_key_setup(st,"incoming message would not decrypt",0); send_nak(src,m.dest,m.source,m.type,msg0,"message would not decrypt"); - return False; + assert(problem); + return problem; - skew: - slog(st,LOG_DROP,"transform: %s (merely skew)",transform_err); + badseq: + slog(st,LOG_DROP,"transform: %s (bad seq.)",transform_err); assert(problem); return problem; } @@ -1152,8 +1233,18 @@ static bool_t process_msg0(struct site *st, struct buffer_if *msg0, const struct comm_addr *src) { uint32_t type; - - if (!decrypt_msg0(st,msg0,src)) + transform_apply_return problem; + + problem = decrypt_msg0(st,msg0,src); + if (problem==transform_apply_seqdupe) { + /* We recently received another copy of this packet, maybe due + * to polypath. That's not a problem; indeed, for the + * purposes of transport address management it is a success. + * But we don't want to process the packet. */ + transport_data_msgok(st,src); + return False; + } + if (problem) return False; CHECK_AVAIL(msg0,4); 
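Review bot: In process_msg0 the `transform_apply_seqdupe` branch calls `transport_data_msgok(st,src)` for a packet that is by definition a repeat, so a captured datagram re-sent from another address would count as evidence for that address. This is only sound if the transform reports seqdupe strictly after the MAC has been verified and if the peer-address bookkeeping tolerates an address learned from a duplicate; neither is visible in this diff. I would extend the comment to state that assumption, e.g. `/* seqdupe is only returned for packets that authenticated; src may still be a replay, so treat it as a hint */`, and consider not promoting such an address for a mobile peer. process_msg0 continues after the hunk.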
@@ -1340,7 +1431,7 @@ static void decrement_resolving_count(struct site *st, int by) } else if (st->local_mobile) { /* Not very good. We should queue (another) renegotiation * so that we can update the peer address. */ - st->key_renegotiate_time=st->now+st->wait_timeout; + st->key_renegotiate_time=st->now+wait_timeout(st); } else { slog(st,LOG_SETUP_INIT,"resolution failed: " " continuing to use source address of peer's packets"); @@ -1453,7 +1544,8 @@ static void set_link_quality(struct site *st) static void enter_state_run(struct site *st) { - slog(st,LOG_STATE,"entering state RUN"); + slog(st,LOG_STATE,"entering state RUN%s", + current_valid(st) ? " (keyed)" : " (unkeyed)"); st->state=SITE_RUN; st->timeout=0; @@ -1462,8 +1554,16 @@ static void enter_state_run(struct site *st) FILLZERO(st->localN); FILLZERO(st->remoteN); dispose_transform(&st->new_transform); - memset(st->dhsecret,0,st->dh->len); - if (st->sharedsecret) memset(st->sharedsecret,0,st->sharedsecretlen); + if (st->dhsecret) { + memset(st->dhsecret, 0, st->chosen_dh->secret_len); + free(st->dhsecret); + st->dhsecret = 0; + } + if (st->sharedsecret) { + memset(st->sharedsecret, 0, st->chosen_dh->shared_len); + free(st->sharedsecret); + st->sharedsecret = 0; + } set_link_quality(st); if (st->keepalive && !current_valid(st)) @@ -1615,7 +1715,7 @@ static bool_t send_msg7(struct site *st, cstring_t reason) static void enter_state_wait(struct site *st) { slog(st,LOG_STATE,"entering state WAIT"); - st->timeout=st->now+st->wait_timeout; + st->timeout=st->now+wait_timeout(st); st->state=SITE_WAIT; set_link_quality(st); BUF_FREE(&st->buffer); /* will have had an outgoing packet in it */ 
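Review bot: The secrets in enter_state_run are cleared with `memset(...)` immediately before `free(...)`, which a compiler is allowed to drop as a dead store, so the DH secret and the shared secret can survive in freed heap memory. Use a wipe the optimiser cannot remove for both buffers, for example `explicit_bzero` where the platform provides it or a project helper that writes through a volatile pointer. The lengths are read from `st->chosen_dh` at clear time rather than saved at allocation time, which is right only if chosen_dh cannot change while a secret is live; that cannot be confirmed from these hunks. The `/* XXX mlock these */` reminder removed in site_apply still applies to the new per-exchange allocations and is worth keeping next to generate_dhsecret.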
@@ -1756,6 +1856,35 @@ static bool_t named_for_us(struct site *st, const struct buffer_if *buf_in, && name_matches(&m->local,st->localname); } +static bool_t we_have_priority(struct site *st, const struct msg *m) { + if (st->local_capabilities & m->remote_capabilities & + CAPAB_PRIORITY_MOBILE) { + if (st->local_mobile) return True; + if (st-> peer_mobile) return False; + } + return st->our_name_later; +} + +static bool_t setup_late_msg_ok(struct site *st, + const struct buffer_if *buf_in, + uint32_t msgtype, + const struct comm_addr *source) { + /* For setup packets which seem from their type like they are + * late. Maybe they came via a different path. All we do is make + * a note of the sending address, iff they look like they are part + * of the current key setup attempt. */ + struct msg m; + if (!named_for_us(st,buf_in,msgtype,&m)) + /* named_for_us calls unpick_msg which gets the nonces */ + return False; + if (!consttime_memeq(m.nR,st->remoteN,NONCELEN) || + !consttime_memeq(m.nL,st->localN, NONCELEN)) + /* spoof ? from stale run ? who knows */ + return False; + transport_setup_msgok(st,source); + return True; +} + /* This function is called by the communication device to deliver packets from our peers. It should return True if the packet is recognised as being for 
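Review bot: setup_late_msg_ok records the sender with `transport_setup_msgok(st,source)` after checking only the names and the two nonces, and as far as this diff shows nothing in that check is signed or secret at this point; the new SENTMSG2/SENTMSG4 branch for a late MSG1 in site_incoming does the same on `named_msg.nR` alone. The inline remark `/* spoof ? from stale run ? who knows */` shows the author is aware, but the header comment should state the consequence, e.g. `/* NB unauthenticated: source only becomes a candidate setup address; no state or key material is taken from the packet */`. If setup_peers is later copied to the data-path peer list without that address having carried a verified message, a check there would be warranted; that code is outside this diff. we_have_priority likewise decides on `m->remote_capabilities` from a MSG1 that has not been verified yet, which deserves a one-line comment.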
@@ -1797,14 +1926,14 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf, /* We've just sent a message 1! They may have crossed on the wire. If we have priority then we ignore the incoming one, otherwise we process it as usual. */ - if (st->setup_priority) { + if (we_have_priority(st,&named_msg)) { BUF_FREE(buf); if (!st->msg1_crossed_logged++) - slog(st,LOG_DUMP,"crossed msg1s; we are higher " + slog(st,LOG_SETUP_INIT,"crossed msg1s; we are higher " "priority => ignore incoming msg1"); return True; } else { - slog(st,LOG_DUMP,"crossed msg1s; we are lower " + slog(st,LOG_SETUP_INIT,"crossed msg1s; we are lower " "priority => use incoming msg1"); if (process_msg1(st,buf,source,&named_msg)) { BUF_FREE(&st->buffer); /* Free our old message 1 */ @@ -1817,9 +1946,21 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf, BUF_FREE(buf); return True; } + } else if (st->state==SITE_SENTMSG2 || + st->state==SITE_SENTMSG4) { + if (consttime_memeq(named_msg.nR,st->remoteN,NONCELEN)) { + /* We are ahead in the protocol, but that msg1 had the + * peer's nonce so presumably it is from this key + * exchange run, via a slower route */ + transport_setup_msgok(st,source); + } else { + slog(st,LOG_UNEXPECTED,"competing incoming message 1"); + } + BUF_FREE(buf); + return True; } /* The message 1 was received at an unexpected stage of the - key setup. XXX POLICY - what do we do? */ + key setup. Well, they lost the race. */ slog(st,LOG_UNEXPECTED,"unexpected incoming message 1"); BUF_FREE(buf); return True; @@ -1864,6 +2005,10 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf, case LABEL_MSG2: /* Setup packet: expected only in state SENTMSG1 */ if (st->state!=SITE_SENTMSG1) { + if ((st->state==SITE_SENTMSG3 || + st->state==SITE_SENTMSG5) && + setup_late_msg_ok(st,buf,msgtype,source)) + break; slog(st,LOG_UNEXPECTED,"unexpected MSG2"); } else if (process_msg2(st,buf,source)) { transport_setup_msgok(st,source); 
@@ -1872,10 +2017,12 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf, slog(st,LOG_SEC,"invalid MSG2"); } break; - case LABEL_MSG3: - case LABEL_MSG3BIS: + case CASES_MSG3_KNOWN: /* Setup packet: expected only in state SENTMSG2 */ if (st->state!=SITE_SENTMSG2) { + if ((st->state==SITE_SENTMSG4) && + setup_late_msg_ok(st,buf,msgtype,source)) + break; slog(st,LOG_UNEXPECTED,"unexpected MSG3"); } else if (process_msg3(st,buf,source,msgtype)) { transport_setup_msgok(st,source); @@ -1887,6 +2034,9 @@ static bool_t site_incoming(void *sst, struct buffer_if *buf, case LABEL_MSG4: /* Setup packet: expected only in state SENTMSG3 */ if (st->state!=SITE_SENTMSG3) { + if ((st->state==SITE_SENTMSG5) && + setup_late_msg_ok(st,buf,msgtype,source)) + break; slog(st,LOG_UNEXPECTED,"unexpected MSG4"); } else if (process_msg4(st,buf,source)) { transport_setup_msgok(st,source); @@ -2036,7 +2186,8 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, assert(index_sequence < 0xffffffffUL); st->index = ++index_sequence; - st->local_capabilities = 0; + st->local_capabilities = CAPAB_EXPLICIT_TRANSFORM_DH; + st->early_capabilities = CAPAB_PRIORITY_MOBILE; st->netlink=find_cl_if(dict,"link",CL_NETLINK,True,"site",loc); #define GET_CLOSURE_LIST(dictkey,things,nthings,CL_TYPE) do{ \ @@ -2079,8 +2230,8 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, st->pubkey=find_cl_if(dict,"key",CL_RSAPUBKEY,True,"site",loc); GET_CLOSURE_LIST("transform",transforms,ntransforms,CL_TRANSFORM); + GET_CLOSURE_LIST("dh",dhs,ndhs,CL_DH); - st->dh=find_cl_if(dict,"dh",CL_DH,True,"site",loc); st->hash=find_cl_if(dict,"hash",CL_HASH,True,"site",loc); #define DEFAULT(D) (st->peer_mobile || st->local_mobile \ 
@@ -2090,7 +2241,7 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, st->key_lifetime= CFG_NUMBER("key-lifetime", KEY_LIFETIME); st->setup_retries= CFG_NUMBER("setup-retries", SETUP_RETRIES); st->setup_retry_interval= CFG_NUMBER("setup-timeout", SETUP_RETRY_INTERVAL); - st->wait_timeout= CFG_NUMBER("wait-time", WAIT_TIME); + st->wait_timeout_mean= CFG_NUMBER("wait-time", WAIT_TIME); st->mtu_target= dict_read_number(dict,"mtu-target",False,"site",loc,0); st->mobile_peer_expiry= dict_read_number( @@ -2130,7 +2281,7 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, /* The information we expect to see in incoming messages of type 1 */ /* fixme: lots of unchecked overflows here, but the results are only corrupted packets rather than undefined behaviour */ - st->setup_priority=(strcmp(st->localname,st->remotename)>0); + st->our_name_later=(strcmp(st->localname,st->remotename)>0); buffer_new(&st->buffer,SETUP_BUFFER_LEN); 
@@ -2144,23 +2295,31 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context, st->remote_capabilities=0; st->chosen_transform=0; + st->chosen_dh=0; st->current.key_timeout=0; st->auxiliary_key.key_timeout=0; transport_peers_clear(st,&st->peers); transport_peers_clear(st,&st->setup_peers); - /* XXX mlock these */ - st->dhsecret=safe_malloc(st->dh->len,"site:dhsecret"); - st->sharedsecretlen=st->sharedsecretallocd=0; + st->dhsecret=0; st->sharedsecret=0; - for (i=0; intransforms; i++) { - struct transform_if *ti=st->transforms[i]; - uint32_t capbit = 1UL << ti->capab_transformnum; - if (st->local_capabilities & capbit) - slog(st,LOG_ERROR,"transformnum capability bit" - " %d (%#"PRIx32") reused", ti->capab_transformnum, capbit); - st->local_capabilities |= capbit; - } +#define SET_CAPBIT(bit) do { \ + uint32_t capflag = 1UL << (bit); \ + if (st->local_capabilities & capflag) \ + slog(st,LOG_ERROR,"capability bit" \ + " %d (%#"PRIx32") reused", (bit), capflag); \ + st->local_capabilities |= capflag; \ +} while (0) + + for (i=0; intransforms; i++) + SET_CAPBIT(st->transforms[i]->capab_bit); + for (i=0; indhs; i++) + SET_CAPBIT(st->dhs[i]->capab_bit); + +#undef SET_CAPBIT + + if (st->local_mobile || st->peer_mobile) + st->local_capabilities |= CAPAB_PRIORITY_MOBILE; /* We need to register the remote networks with the netlink device */ uint32_t netlink_mtu; /* local virtual interface mtu */