Replace hmac-verify with accept-bad-signatures.

Its polarity is changed, and it also controls incorrectly signed packets.

babeld.man

@@ -469,10 +469,9 @@ otherwise.
 Enable HMAC security on this interface, and use the key
 .IR id .
 .TP
-.BR hmac-verify " {" true | false }
-Check packet signatures, reject unsigned or incorrectly signed
-packets.  The default is
-.BR true .
+.BR accept\-bad\-signatures " {" true | false }
+Accept packets with no signature or an incorrect signature.  This only has
+an effect if a key was configured on an interface.  The default is false.
 .TP
 .SS Filtering rules
 A filtering rule is defined by a single line with the following format:

configuration.c

@@ -694,12 +694,12 @@ parse_anonymous_ifconf(int c, gnc_t gnc, void *closure,
             }
             if_conf->key = key;
             free(key_id);
-        } else if(strcmp(token, "hmac-verify") == 0) {
+        } else if(strcmp(token, "accept-bad-signatures") == 0) {
             int v;
             c = getbool(c, &v, gnc, closure);
             if(c < -1)
                 goto error;
-            if_conf->hmac_verify = v;
+            if_conf->accept_bad_signatures = v;
         } else {
             goto error;
         }
@@ -891,7 +891,7 @@ merge_ifconf(struct interface_conf *dest,
     MERGE(lq);
     MERGE(faraway);
     MERGE(unicast);
-    MERGE(hmac_verify);
+    MERGE(accept_bad_signatures);
     MERGE(channel);
     MERGE(enable_timestamps);
     MERGE(rfc6126);

interface.c

@@ -398,11 +398,10 @@ interface_updown(struct interface *ifp, int up)
 
         if(IF_CONF(ifp, unicast) == CONFIG_YES)
             ifp->flags |= IF_UNICAST;
-        if(IF_CONF(ifp, hmac_verify) == CONFIG_YES ||
-           IF_CONF(ifp, hmac_verify) == CONFIG_DEFAULT)
-            ifp->flags |= IF_HMAC_VERIFY;
-        else if(IF_CONF(ifp, hmac_verify) == CONFIG_NO)
-            ifp->flags &= ~IF_HMAC_VERIFY;
+        if(IF_CONF(ifp, accept_bad_signatures) == CONFIG_YES)
+            ifp->flags |= IF_ACCEPT_BAD_SIGNATURES;
+        else
+            ifp->flags &= ~IF_ACCEPT_BAD_SIGNATURES;
         if(IF_CONF(ifp, hello_interval) > 0)
             ifp->hello_interval = IF_CONF(ifp, hello_interval);
         else if(type == IF_TYPE_WIRELESS)

interface.h

@@ -55,7 +55,7 @@ struct interface_conf {
     char unicast;
     char enable_timestamps;
     char rfc6126;
-    char hmac_verify;
+    char accept_bad_signatures;
     int channel;
     unsigned int rtt_decay;
     unsigned int rtt_min;
@@ -85,8 +85,8 @@ struct interface_conf {
 #define IF_TIMESTAMPS (1 << 6)
 /* Remain compatible with RFC 6126. */
 #define IF_RFC6126 (1 << 7)
-/* Incoming packets are required to have a valid MAC hash. */
-#define IF_HMAC_VERIFY (1 << 8)
+/* Accept packets even if incorrectly signed. */
+#define IF_ACCEPT_BAD_SIGNATURES (1 << 8)
 /* Use Babel over DTLS on this interface. */
 #define IF_DTLS (1 << 9)
 

message.c

@@ -631,26 +631,27 @@ parse_packet(const unsigned char *from, struct interface *ifp,
     }
 
     if(ifp->key != NULL) {
-        switch(check_hmac(packet, packetlen, bodylen, from, to, ifp)) {
-        case -1: /* no mac trailer */
-            if(!(ifp->flags & IF_HMAC_VERIFY))
-                break;
-            /* fallthrough */
-        case 0:
-            fputs("Received wrong hmac.\n", stderr);
+        int rc = check_hmac(packet, packetlen, bodylen, from, to, ifp);
+        if(rc <= 0) {
+            if(rc < 0)
+                debugf("Received unsigned packet.\n");
+            else
+                debugf("Received packet with bad signature.\n");
+            if(!(ifp->flags & IF_ACCEPT_BAD_SIGNATURES))
                 return;
-        case 1:
+        } else {
             neigh = preparse_packet(from, ifp, packet, bodylen, to);
             if(neigh == NULL) {
-                fputs("Received wrong PC or failed the challenge.\n", stderr);
+                debugf("Received packet with wrong PC.\n");
                 return;
             }
         }
     }
 
-    neigh = neigh != NULL ? neigh : find_neighbour(from, ifp);
+    if(neigh == NULL)
+        neigh = find_neighbour(from, ifp);
     if(neigh == NULL) {
-        fputs("Couldn't allocate neighbour.\n", stderr);
+        fprintf(stderr, "Couldn't allocate neighbour.\n");
         return;
     }