2 protocol.c -- handle the meta-protocol
3 Copyright (C) 1999-2001 Ivo Timmermans <itimmermans@bigfoot.com>,
4 2000,2001 Guus Sliepen <guus@sliepen.warande.net>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 $Id: protocol.c,v 1.28.4.105 2001/09/01 12:02:39 guus Exp $
25 #include <sys/types.h>
30 #include <sys/socket.h>
41 #include <netinet/in.h>
43 #include <openssl/sha.h>
44 #include <openssl/rand.h>
45 #include <openssl/evp.h>
47 #ifndef HAVE_RAND_PSEUDO_BYTES
48 #define RAND_pseudo_bytes RAND_bytes
56 #include "connection.h"
62 int check_id(char *id)
66 for (i = 0; i < strlen(id); i++)
67 if(!isalnum(id[i]) && id[i] != '_')
73 /* Generic request routines - takes care of logging and error
76 int send_request(connection_t *cl, const char *format, ...)
79 char buffer[MAXBUFSIZE];
83 /* Use vsnprintf instead of vasprintf: faster, no memory
84 fragmentation, cleanup is automatic, and there is a limit on the
85 input buffer anyway */
87 va_start(args, format);
88 len = vsnprintf(buffer, MAXBUFSIZE, format, args);
89 request = va_arg(args, int);
92 if(len < 0 || len > MAXBUFSIZE-1)
94 syslog(LOG_ERR, _("Output buffer overflow while sending %s to %s (%s)"), request_name[request], cl->name, cl->hostname);
98 if(debug_lvl >= DEBUG_PROTOCOL)
100 if(debug_lvl >= DEBUG_META)
101 syslog(LOG_DEBUG, _("Sending %s to %s (%s): %s"), request_name[request], cl->name, cl->hostname, buffer);
103 syslog(LOG_DEBUG, _("Sending %s to %s (%s)"), request_name[request], cl->name, cl->hostname);
106 buffer[len++] = '\n';
108 return send_meta(cl, buffer, len);
111 int receive_request(connection_t *cl)
115 if(sscanf(cl->buffer, "%d", &request) == 1)
117 if((request < 0) || (request >= LAST) || (request_handlers[request] == NULL))
119 if(debug_lvl >= DEBUG_META)
120 syslog(LOG_DEBUG, _("Unknown request from %s (%s): %s"),
121 cl->name, cl->hostname, cl->buffer);
123 syslog(LOG_ERR, _("Unknown request from %s (%s)"),
124 cl->name, cl->hostname);
130 if(debug_lvl >= DEBUG_PROTOCOL)
132 if(debug_lvl >= DEBUG_META)
133 syslog(LOG_DEBUG, _("Got %s from %s (%s): %s"),
134 request_name[request], cl->name, cl->hostname, cl->buffer);
136 syslog(LOG_DEBUG, _("Got %s from %s (%s)"),
137 request_name[request], cl->name, cl->hostname);
141 if((cl->allow_request != ALL) && (cl->allow_request != request))
143 syslog(LOG_ERR, _("Unauthorized request from %s (%s)"), cl->name, cl->hostname);
147 if(request_handlers[request](cl))
148 /* Something went wrong. Probably scriptkiddies. Terminate. */
150 syslog(LOG_ERR, _("Error while processing %s from %s (%s)"),
151 request_name[request], cl->name, cl->hostname);
157 syslog(LOG_ERR, _("Bogus data received from %s (%s)"),
158 cl->name, cl->hostname);
165 /* The authentication protocol is described in detail in doc/SECURITY2,
166 the rest will be described in doc/PROTOCOL. */
168 int send_id(connection_t *cl)
171 return send_request(cl, "%d %s %d %lx %hd", ID, myself->name, myself->protocol_version, myself->options, myself->port);
174 int id_h(connection_t *cl)
176 char name[MAX_STRING_SIZE];
178 if(sscanf(cl->buffer, "%*d "MAX_STRING" %d %lx %hd", name, &cl->protocol_version, &cl->options, &cl->port) != 4)
180 syslog(LOG_ERR, _("Got bad ID from %s"), cl->hostname);
184 /* Check if version matches */
186 if(cl->protocol_version != myself->protocol_version)
188 syslog(LOG_ERR, _("Peer %s (%s) uses incompatible version %d"),
189 cl->name, cl->hostname, cl->protocol_version);
193 /* Check if identity is a valid name */
197 syslog(LOG_ERR, _("Peer %s uses invalid identity name"), cl->hostname);
201 /* Copy string to cl */
206 cl->name = xstrdup(name);
208 /* Load information about peer */
210 if(read_host_config(cl))
212 syslog(LOG_ERR, _("Peer %s had unknown identity (%s)"), cl->hostname, cl->name);
216 /* Read in the public key, so that we can send a metakey */
218 if(read_rsa_public_key(cl))
221 cl->allow_request = METAKEY;
223 return send_metakey(cl);
226 int ack_h(connection_t *cl)
229 connection_t *old, *p;
231 avl_node_t *node, *node2;
233 /* Okay, before we active the connection, we check if there is another entry
234 in the connection list with the same name. If so, it presumably is an
235 old connection that has timed out but we don't know it yet.
238 if((old = lookup_id(cl->name)))
240 if(debug_lvl >= DEBUG_CONNECTIONS)
241 syslog(LOG_NOTICE, _("Removing old connection for %s at %s in favour of new connection at %s"),
242 old->name, old->hostname, cl->hostname);
243 if(old->status.outgoing)
245 cl->status.outgoing = 1;
246 old->status.outgoing = 0;
248 terminate_connection(old, 0);
252 /* Also check if no other tinc daemon uses the same IP and port for UDP traffic */
254 old = avl_search(active_tree, cl);
257 syslog(LOG_ERR, _("%s is listening on %s:%hd, which is already in use by %s!"),
258 cl->name, cl->hostname, cl->port, old->name);
262 /* Activate this connection */
264 cl->allow_request = ALL;
266 cl->cipher_pkttype = EVP_bf_cbc();
267 cl->cipher_pktkeylength = cl->cipher_pkttype->key_len + cl->cipher_pkttype->iv_len;
271 if(debug_lvl >= DEBUG_CONNECTIONS)
272 syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname);
274 if(cl->status.outgoing)
275 seconds_till_retry = 5; /* Reset retry timeout */
277 /* Check some options */
279 if((cfg = get_config_val(cl->config, config_indirectdata)))
281 if(cfg->data.val == stupid_true)
282 cl->options |= OPTION_INDIRECT;
285 if((cfg = get_config_val(cl->config, config_tcponly)))
287 if(cfg->data.val == stupid_true)
288 cl->options |= OPTION_TCPONLY;
291 /* Send him our subnets */
293 for(node = myself->subnet_tree->head; node; node = node->next)
295 subnet = (subnet_t *)node->data;
296 send_add_subnet(cl, subnet);
299 /* And send him all the hosts and their subnets we know... */
301 for(node = active_tree->head; node; node = node->next)
303 p = (connection_t *)node->data;
307 /* Notify others of this connection */
310 send_add_host(p, cl);
312 /* Notify new connection of everything we know */
314 send_add_host(cl, p);
316 for(node2 = p->subnet_tree->head; node2; node2 = node2->next)
318 subnet = (subnet_t *)node2->data;
319 send_add_subnet(cl, subnet);
327 int send_challenge(connection_t *cl)
332 /* CHECKME: what is most reasonable value for len? */
334 len = RSA_size(cl->rsa_key);
336 /* Allocate buffers for the challenge */
338 buffer = xmalloc(len*2+1);
341 free(cl->hischallenge);
343 cl->hischallenge = xmalloc(len);
345 /* Copy random data to the buffer */
347 RAND_bytes(cl->hischallenge, len);
352 bin2hex(cl->hischallenge, buffer, len);
353 buffer[len*2] = '\0';
356 /* Send the challenge */
358 x = send_request(cl, "%d %s", CHALLENGE, buffer);
364 int challenge_h(connection_t *cl)
366 char buffer[MAX_STRING_SIZE];
369 if(sscanf(cl->buffer, "%*d "MAX_STRING, buffer) != 1)
371 syslog(LOG_ERR, _("Got bad CHALLENGE from %s (%s)"), cl->name, cl->hostname);
375 len = RSA_size(myself->rsa_key);
377 /* Check if the length of the challenge is all right */
379 if(strlen(buffer) != len*2)
381 syslog(LOG_ERR, _("Intruder: wrong challenge length from %s (%s)"), cl->name, cl->hostname);
385 /* Allocate buffers for the challenge */
388 cl->mychallenge = xmalloc(len);
390 /* Convert the challenge from hexadecimal back to binary */
392 hex2bin(buffer,cl->mychallenge,len);
394 cl->allow_request = CHAL_REPLY;
396 /* Rest is done by send_chal_reply() */
398 return send_chal_reply(cl);
401 int send_chal_reply(connection_t *cl)
403 char hash[SHA_DIGEST_LENGTH*2+1];
407 syslog(LOG_ERR, _("Trying to send CHAL_REPLY to %s (%s) without a valid CHALLENGE"), cl->name, cl->hostname);
411 /* Calculate the hash from the challenge we received */
413 SHA1(cl->mychallenge, RSA_size(myself->rsa_key), hash);
415 /* Convert the hash to a hexadecimal formatted string */
417 bin2hex(hash,hash,SHA_DIGEST_LENGTH);
418 hash[SHA_DIGEST_LENGTH*2] = '\0';
423 return send_request(cl, "%d %s", CHAL_REPLY, hash);
426 int chal_reply_h(connection_t *cl)
428 char hishash[MAX_STRING_SIZE];
429 char myhash[SHA_DIGEST_LENGTH];
431 if(sscanf(cl->buffer, "%*d "MAX_STRING, hishash) != 1)
433 syslog(LOG_ERR, _("Got bad CHAL_REPLY from %s (%s)"), cl->name, cl->hostname);
437 /* Check if the length of the hash is all right */
439 if(strlen(hishash) != SHA_DIGEST_LENGTH*2)
441 syslog(LOG_ERR, _("Intruder: wrong challenge reply length from %s (%s)"), cl->name, cl->hostname);
445 /* Convert the hash to binary format */
447 hex2bin(hishash, hishash, SHA_DIGEST_LENGTH);
449 /* Calculate the hash from the challenge we sent */
451 SHA1(cl->hischallenge, RSA_size(cl->rsa_key), myhash);
453 /* Verify the incoming hash with the calculated hash */
455 if(memcmp(hishash, myhash, SHA_DIGEST_LENGTH))
457 syslog(LOG_ERR, _("Intruder: wrong challenge reply from %s (%s)"), cl->name, cl->hostname);
458 if(debug_lvl >= DEBUG_SCARY_THINGS)
460 bin2hex(myhash, hishash, SHA_DIGEST_LENGTH);
461 hishash[SHA_DIGEST_LENGTH*2] = '\0';
462 syslog(LOG_DEBUG, _("Expected challenge reply: %s"), hishash);
467 /* Identity has now been positively verified.
468 ack_h() handles the rest from now on.
474 int send_metakey(connection_t *cl)
479 len = RSA_size(cl->rsa_key);
481 /* Allocate buffers for the meta key */
483 buffer = xmalloc(len*2+1);
485 if(!cl->cipher_outkey)
486 cl->cipher_outkey = xmalloc(len);
488 if(!cl->cipher_outctx)
489 cl->cipher_outctx = xmalloc(sizeof(*cl->cipher_outctx));
491 /* Copy random data to the buffer */
493 RAND_bytes(cl->cipher_outkey, len);
495 /* The message we send must be smaller than the modulus of the RSA key.
496 By definition, for a key of k bits, the following formula holds:
498 2^(k-1) <= modulus < 2^(k)
500 Where ^ means "to the power of", not "xor".
501 This means that to be sure, we must choose our message < 2^(k-1).
502 This can be done by setting the most significant bit to zero.
505 cl->cipher_outkey[0] &= 0x7F;
507 if(debug_lvl >= DEBUG_SCARY_THINGS)
509 bin2hex(cl->cipher_outkey, buffer, len);
510 buffer[len*2] = '\0';
511 syslog(LOG_DEBUG, _("Generated random meta key (unencrypted): %s"), buffer);
514 /* Encrypt the random data
516 We do not use one of the PKCS padding schemes here.
517 This is allowed, because we encrypt a totally random string
518 with a length equal to that of the modulus of the RSA key.
521 if(RSA_public_encrypt(len, cl->cipher_outkey, buffer, cl->rsa_key, RSA_NO_PADDING) != len)
523 syslog(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), cl->name, cl->hostname);
528 /* Convert the encrypted random data to a hexadecimal formatted string */
530 bin2hex(buffer, buffer, len);
531 buffer[len*2] = '\0';
533 /* Send the meta key */
535 x = send_request(cl, "%d %s", METAKEY, buffer);
538 /* Further outgoing requests are encrypted with the key we just generated */
540 EVP_EncryptInit(cl->cipher_outctx, EVP_bf_cfb(),
541 cl->cipher_outkey + len - EVP_bf_cfb()->key_len,
542 cl->cipher_outkey + len - EVP_bf_cfb()->key_len - EVP_bf_cfb()->iv_len);
544 cl->status.encryptout = 1;
549 int metakey_h(connection_t *cl)
551 char buffer[MAX_STRING_SIZE];
554 if(sscanf(cl->buffer, "%*d "MAX_STRING, buffer) != 1)
556 syslog(LOG_ERR, _("Got bad METAKEY from %s (%s)"), cl->name, cl->hostname);
560 len = RSA_size(myself->rsa_key);
562 /* Check if the length of the meta key is all right */
564 if(strlen(buffer) != len*2)
566 syslog(LOG_ERR, _("Intruder: wrong meta key length from %s (%s)"), cl->name, cl->hostname);
570 /* Allocate buffers for the meta key */
572 if(!cl->cipher_inkey)
573 cl->cipher_inkey = xmalloc(len);
575 if(!cl->cipher_inctx)
576 cl->cipher_inctx = xmalloc(sizeof(*cl->cipher_inctx));
578 /* Convert the challenge from hexadecimal back to binary */
580 hex2bin(buffer,buffer,len);
582 /* Decrypt the meta key */
584 if(RSA_private_decrypt(len, buffer, cl->cipher_inkey, myself->rsa_key, RSA_NO_PADDING) != len) /* See challenge() */
586 syslog(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), cl->name, cl->hostname);
590 if(debug_lvl >= DEBUG_SCARY_THINGS)
592 bin2hex(cl->cipher_inkey, buffer, len);
593 buffer[len*2] = '\0';
594 syslog(LOG_DEBUG, _("Received random meta key (unencrypted): %s"), buffer);
597 /* All incoming requests will now be encrypted. */
599 EVP_DecryptInit(cl->cipher_inctx, EVP_bf_cfb(),
600 cl->cipher_inkey + len - EVP_bf_cfb()->key_len,
601 cl->cipher_inkey + len - EVP_bf_cfb()->key_len - EVP_bf_cfb()->iv_len);
603 cl->status.decryptin = 1;
605 cl->allow_request = CHALLENGE;
607 return send_challenge(cl);
610 /* Address and subnet information exchange */
612 int send_add_subnet(connection_t *cl, subnet_t *subnet)
618 owner = subnet->owner->name;
620 x = send_request(cl, "%d %s %s", ADD_SUBNET,
621 owner, netstr = net2str(subnet));
627 int add_subnet_h(connection_t *cl)
629 char subnetstr[MAX_STRING_SIZE];
630 char name[MAX_STRING_SIZE];
631 connection_t *owner, *p;
635 if(sscanf(cl->buffer, "%*d "MAX_STRING" "MAX_STRING, name, subnetstr) != 2)
637 syslog(LOG_ERR, _("Got bad ADD_SUBNET from %s (%s)"), cl->name, cl->hostname);
641 /* Check if owner name is a valid */
645 syslog(LOG_ERR, _("Got bad ADD_SUBNET from %s (%s): invalid identity name"), cl->name, cl->hostname);
649 /* Check if subnet string is valid */
651 if(!(subnet = str2net(subnetstr)))
653 syslog(LOG_ERR, _("Got bad ADD_SUBNET from %s (%s): invalid subnet string"), cl->name, cl->hostname);
657 /* Check if somebody tries to add a subnet of ourself */
659 if(!strcmp(name, myself->name))
661 syslog(LOG_ERR, _("Warning: got ADD_SUBNET from %s (%s) for ourself, restarting"),
662 cl->name, cl->hostname);
667 /* Check if the owner of the new subnet is in the connection list */
669 if(!(owner = lookup_id(name)))
671 syslog(LOG_ERR, _("Got ADD_SUBNET for %s from %s (%s) which is not in our connection list"),
672 name, cl->name, cl->hostname);
676 /* If everything is correct, add the subnet to the list of the owner */
678 subnet_add(owner, subnet);
682 for(node = connection_tree->head; node; node = node->next)
684 p = (connection_t *)node->data;
685 if(p->status.active && p!= cl)
686 send_add_subnet(p, subnet);
692 int send_del_subnet(connection_t *cl, subnet_t *subnet)
698 owner = subnet->owner->name;
700 x = send_request(cl, "%d %s %s", DEL_SUBNET, owner, netstr = net2str(subnet));
706 int del_subnet_h(connection_t *cl)
708 char subnetstr[MAX_STRING_SIZE];
709 char name[MAX_STRING_SIZE];
710 connection_t *owner, *p;
714 if(sscanf(cl->buffer, "%*d "MAX_STRING" "MAX_STRING, name, subnetstr) != 3)
716 syslog(LOG_ERR, _("Got bad DEL_SUBNET from %s (%s)"), cl->name, cl->hostname);
720 /* Check if owner name is a valid */
724 syslog(LOG_ERR, _("Got bad DEL_SUBNET from %s (%s): invalid identity name"), cl->name, cl->hostname);
728 /* Check if subnet string is valid */
730 if(!(subnet = str2net(subnetstr)))
732 syslog(LOG_ERR, _("Got bad DEL_SUBNET from %s (%s): invalid subnet string"), cl->name, cl->hostname);
738 /* Check if somebody tries to add a subnet of ourself */
740 if(!strcmp(name, myself->name))
742 syslog(LOG_ERR, _("Warning: got DEL_SUBNET from %s (%s) for ourself, restarting"),
743 cl->name, cl->hostname);
748 /* Check if the owner of the new subnet is in the connection list */
750 if(!(owner = lookup_id(name)))
752 syslog(LOG_ERR, _("Got DEL_SUBNET for %s from %s (%s) which is not in our connection list"),
753 name, cl->name, cl->hostname);
757 /* If everything is correct, delete the subnet from the list of the owner */
763 for(node = connection_tree->head; node; node = node->next)
765 p = (connection_t *)node->data;
766 if(p->status.active && p!= cl)
767 send_del_subnet(p, subnet);
773 /* New and closed connections notification */
775 int send_add_host(connection_t *cl, connection_t *other)
778 return send_request(cl, "%d %s %lx:%d %lx", ADD_HOST,
779 other->name, other->address, other->port, other->options);
782 int add_host_h(connection_t *cl)
784 connection_t *old, *new, *p;
785 char name[MAX_STRING_SIZE];
788 new = new_connection();
790 if(sscanf(cl->buffer, "%*d "MAX_STRING" %lx:%hd %lx", name, &new->address, &new->port, &new->options) != 4)
792 syslog(LOG_ERR, _("Got bad ADD_HOST from %s (%s)"), cl->name, cl->hostname);
796 /* Check if identity is a valid name */
800 syslog(LOG_ERR, _("Got bad ADD_HOST from %s (%s): invalid identity name"), cl->name, cl->hostname);
801 free_connection(new);
805 /* Check if somebody tries to add ourself */
807 if(!strcmp(name, myself->name))
809 syslog(LOG_ERR, _("Warning: got ADD_HOST from %s (%s) for ourself, restarting"), cl->name, cl->hostname);
811 free_connection(new);
815 /* Fill in more of the new connection structure */
817 new->hostname = hostlookup(htonl(new->address));
819 /* Check if the new host already exists in the connnection list */
821 if((old = lookup_id(name)))
823 if((new->address == old->address) && (new->port == old->port) && (cl->nexthop == old->nexthop))
825 if(debug_lvl >= DEBUG_CONNECTIONS)
826 syslog(LOG_NOTICE, _("Got duplicate ADD_HOST for %s (%s) from %s (%s)"),
827 old->name, old->hostname, cl->name, cl->hostname);
828 free_connection(new);
833 if(debug_lvl >= DEBUG_CONNECTIONS)
834 syslog(LOG_NOTICE, _("Removing old entry for %s (%s) from %s in favour of new connection from %s"),
835 old->name, old->hostname, old->nexthop->name, cl->nexthop->name);
837 terminate_connection(old, 0);
841 /* Hook it up into the active tree */
843 new->name = xstrdup(name);
846 /* Tell the rest about the new host */
848 for(node = connection_tree->head; node; node = node->next)
850 p = (connection_t *)node->data;
851 if(p->status.active && p!=cl)
852 send_add_host(p, new);
855 /* Fill in rest of connection structure */
858 new->cipher_pkttype = EVP_bf_cbc();
859 new->cipher_pktkeylength = cl->cipher_pkttype->key_len + cl->cipher_pkttype->iv_len;
864 int send_del_host(connection_t *cl, connection_t *other)
867 return send_request(cl, "%d %s %lx:%d %lx", DEL_HOST,
868 other->name, other->address, other->port, other->options);
871 int del_host_h(connection_t *cl)
873 char name[MAX_STRING_SIZE];
877 connection_t *old, *p;
880 if(sscanf(cl->buffer, "%*d "MAX_STRING" %lx:%hd %lx", name, &address, &port, &options) != 4)
882 syslog(LOG_ERR, _("Got bad DEL_HOST from %s (%s)"),
883 cl->name, cl->hostname);
887 /* Check if identity is a valid name */
891 syslog(LOG_ERR, _("Got bad DEL_HOST from %s (%s): invalid identity name"), cl->name, cl->hostname);
895 /* Check if somebody tries to delete ourself */
897 if(!strcmp(name, myself->name))
899 syslog(LOG_ERR, _("Warning: got DEL_HOST from %s (%s) for ourself, restarting"),
900 cl->name, cl->hostname);
905 /* Check if the deleted host already exists in the connnection list */
907 if(!(old = lookup_id(name)))
909 syslog(LOG_ERR, _("Got DEL_HOST from %s (%s) for %s which is not in our connection list"),
910 cl->name, cl->hostname, name);
914 /* Check if the rest matches */
916 if(address!=old->address || port!=old->port || options!=old->options || cl!=old->nexthop)
918 syslog(LOG_WARNING, _("Got DEL_HOST from %s (%s) for %s which doesn't match"), cl->name, cl->hostname, old->name);
922 /* Ok, since EVERYTHING seems to check out all right, delete it */
924 terminate_connection(old, 0);
926 /* Tell the rest about the deleted host */
928 for(node = connection_tree->head; node; node = node->next)
930 p = (connection_t *)node->data;
931 if(p->status.active && p!=cl)
932 send_del_host(p, old);
938 /* Status and error notification routines */
940 int send_status(connection_t *cl, int statusno, char *statusstring)
944 statusstring = status_text[statusno];
946 return send_request(cl, "%d %d %s", STATUS, statusno, statusstring);
949 int status_h(connection_t *cl)
952 char statusstring[MAX_STRING_SIZE];
954 if(sscanf(cl->buffer, "%*d %d "MAX_STRING, &statusno, statusstring) != 2)
956 syslog(LOG_ERR, _("Got bad STATUS from %s (%s)"),
957 cl->name, cl->hostname);
961 if(debug_lvl >= DEBUG_STATUS)
963 syslog(LOG_NOTICE, _("Status message from %s (%s): %s: %s"),
964 cl->name, cl->hostname, status_text[statusno], statusstring);
971 int send_error(connection_t *cl, int err, char *errstring)
975 errstring = strerror(err);
976 return send_request(cl, "%d %d %s", ERROR, err, errstring);
979 int error_h(connection_t *cl)
982 char errorstring[MAX_STRING_SIZE];
984 if(sscanf(cl->buffer, "%*d %d "MAX_STRING, &err, errorstring) != 2)
986 syslog(LOG_ERR, _("Got bad ERROR from %s (%s)"),
987 cl->name, cl->hostname);
991 if(debug_lvl >= DEBUG_ERROR)
993 syslog(LOG_NOTICE, _("Error message from %s (%s): %s: %s"),
994 cl->name, cl->hostname, strerror(err), errorstring);
997 terminate_connection(cl, cl->status.meta);
1002 int send_termreq(connection_t *cl)
1005 return send_request(cl, "%d", TERMREQ);
1008 int termreq_h(connection_t *cl)
1011 terminate_connection(cl, cl->status.meta);
1016 int send_ping(connection_t *cl)
1018 char salt[SALTLEN*2+1];
1020 cl->status.pinged = 1;
1021 cl->last_ping_time = time(NULL);
1022 RAND_pseudo_bytes(salt, SALTLEN);
1023 bin2hex(salt, salt, SALTLEN);
1024 salt[SALTLEN*2] = '\0';
1026 return send_request(cl, "%d %s", PING, salt);
1029 int ping_h(connection_t *cl)
1032 return send_pong(cl);
1035 int send_pong(connection_t *cl)
1037 char salt[SALTLEN*2+1];
1039 RAND_pseudo_bytes(salt, SALTLEN);
1040 bin2hex(salt, salt, SALTLEN);
1041 salt[SALTLEN*2] = '\0';
1043 return send_request(cl, "%d %s", PONG, salt);
1046 int pong_h(connection_t *cl)
1049 cl->status.pinged = 0;
1056 int send_key_changed(connection_t *from, connection_t *cl)
1061 /* Only send this message if some other daemon requested our key previously.
1062 This reduces unnecessary key_changed broadcasts.
1065 if(from==myself && !mykeyused)
1068 for(node = connection_tree->head; node; node = node->next)
1070 p = (connection_t *)node->data;
1071 if(p != cl && p->status.active)
1072 send_request(p, "%d %s", KEY_CHANGED, from->name);
1078 int key_changed_h(connection_t *cl)
1080 char from_id[MAX_STRING_SIZE];
1083 if(sscanf(cl->buffer, "%*d "MAX_STRING, from_id) != 1)
1085 syslog(LOG_ERR, _("Got bad KEY_CHANGED from %s (%s)"),
1086 cl->name, cl->hostname);
1090 if(!(from = lookup_id(from_id)))
1092 syslog(LOG_ERR, _("Got KEY_CHANGED from %s (%s) origin %s which does not exist in our connection list"),
1093 cl->name, cl->hostname, from_id);
1097 from->status.validkey = 0;
1098 from->status.waitingforkey = 0;
1100 send_key_changed(from, cl);
1105 int send_req_key(connection_t *from, connection_t *to)
1108 return send_request(to->nexthop, "%d %s %s", REQ_KEY,
1109 from->name, to->name);
1112 int req_key_h(connection_t *cl)
1114 char from_id[MAX_STRING_SIZE];
1115 char to_id[MAX_STRING_SIZE];
1116 connection_t *from, *to;
1119 if(sscanf(cl->buffer, "%*d "MAX_STRING" "MAX_STRING, from_id, to_id) != 2)
1121 syslog(LOG_ERR, _("Got bad REQ_KEY from %s (%s)"),
1122 cl->name, cl->hostname);
1126 if(!(from = lookup_id(from_id)))
1128 syslog(LOG_ERR, _("Got REQ_KEY from %s (%s) origin %s which does not exist in our connection list"),
1129 cl->name, cl->hostname, from_id);
1133 /* Check if this key request is for us */
1135 if(!strcmp(to_id, myself->name)) /* Yes, send our own key back */
1137 bin2hex(myself->cipher_pktkey, pktkey, myself->cipher_pktkeylength);
1138 pktkey[myself->cipher_pktkeylength*2] = '\0';
1139 send_ans_key(myself, from, pktkey);
1144 if(!(to = lookup_id(to_id)))
1146 syslog(LOG_ERR, _("Got REQ_KEY from %s (%s) destination %s which does not exist in our connection list"),
1147 cl->name, cl->hostname, to_id);
1151 if(to->status.validkey) /* Proxy keys */
1153 bin2hex(to->cipher_pktkey, pktkey, to->cipher_pktkeylength);
1154 pktkey[to->cipher_pktkeylength*2] = '\0';
1155 send_ans_key(to, from, pktkey);
1158 send_req_key(from, to);
1165 int send_ans_key(connection_t *from, connection_t *to, char *pktkey)
1168 return send_request(to->nexthop, "%d %s %s %s", ANS_KEY,
1169 from->name, to->name, pktkey);
1172 int ans_key_h(connection_t *cl)
1174 char from_id[MAX_STRING_SIZE];
1175 char to_id[MAX_STRING_SIZE];
1176 char pktkey[MAX_STRING_SIZE];
1178 connection_t *from, *to;
1180 if(sscanf(cl->buffer, "%*d "MAX_STRING" "MAX_STRING" "MAX_STRING, from_id, to_id, pktkey) != 3)
1182 syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s)"),
1183 cl->name, cl->hostname);
1187 if(!(from = lookup_id(from_id)))
1189 syslog(LOG_ERR, _("Got ANS_KEY from %s (%s) origin %s which does not exist in our connection list"),
1190 cl->name, cl->hostname, from_id);
1194 /* Check correctness of packet key */
1196 keylength = strlen(pktkey);
1198 if(keylength != from->cipher_pktkeylength*2)
1200 syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key length"),
1201 cl->name, cl->hostname, from->name);
1205 /* Forward it if necessary */
1207 if(strcmp(to_id, myself->name))
1209 if(!(to = lookup_id(to_id)))
1211 syslog(LOG_ERR, _("Got ANS_KEY from %s (%s) destination %s which does not exist in our connection list"),
1212 cl->name, cl->hostname, to_id);
1215 send_ans_key(from, to, pktkey);
1218 /* Update our copy of the origin's packet key */
1220 if(from->cipher_pktkey)
1221 free(from->cipher_pktkey);
1223 from->cipher_pktkey = xstrdup(pktkey);
1225 hex2bin(from->cipher_pktkey, from->cipher_pktkey, keylength);
1226 from->cipher_pktkey[keylength] = '\0';
1228 from->status.validkey = 1;
1229 from->status.waitingforkey = 0;
1236 int send_tcppacket(connection_t *cl, vpn_packet_t *packet)
1242 x = send_request(cl->nexthop, "%d %hd", PACKET, packet->len);
1247 return send_meta(cl, packet->data, packet->len);
1250 int tcppacket_h(connection_t *cl)
1254 if(sscanf(cl->buffer, "%*d %hd", &len) != 1)
1256 syslog(LOG_ERR, _("Got bad PACKET from %s (%s)"), cl->name, cl->hostname);
1260 /* Set reqlen to len, this will tell receive_meta() that a tcppacket is coming. */
1267 /* Jumptable for the request handlers */
1269 int (*request_handlers[])(connection_t*) = {
1270 id_h, metakey_h, challenge_h, chal_reply_h,
1271 status_h, error_h, termreq_h,
1273 add_host_h, del_host_h,
1274 add_subnet_h, del_subnet_h,
1275 key_changed_h, req_key_h, ans_key_h,
1281 char (*request_name[]) = {
1282 "ID", "METAKEY", "CHALLENGE", "CHAL_REPLY",
1283 "STATUS", "ERROR", "TERMREQ",
1285 "ADD_HOST", "DEL_HOST",
1286 "ADD_SUBNET", "DEL_SUBNET",
1287 "KEY_CHANGED", "REQ_KEY", "ANS_KEY",
1291 /* Status strings */
1293 char (*status_text[]) = {
1299 char (*error_text[]) = {