X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_packet.c;h=4bbb2d6f16e560bd5911addf946b8ca379d713fc;hb=b811e980e3a2a301c019459b91df2252468fd572;hp=db571ba3830c3846e922afdf0bea5703f19509e7;hpb=42b222ecb66b1957d7b439e5d8be8b287aef0054;p=tinc

diff --git a/src/net_packet.c b/src/net_packet.c
index db571ba3..4bbb2d6f 100644
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -22,12 +22,6 @@
 
 #include "system.h"
 
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-#include <openssl/hmac.h>
-
 #ifdef HAVE_ZLIB
 #include <zlib.h>
 #endif
@@ -62,6 +56,7 @@ static void send_udppacket(node_t *, vpn_packet_t *);
 
 unsigned replaywin = 16;
 bool localdiscovery = false;
+sockaddr_t localdiscovery_address;
 
 #define MAX_SEQNO 1073741824
 
@@ -324,10 +319,10 @@ static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
 	if(n->status.sptps)
 		return sptps_verify_datagram(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
 
-	if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
+	if(!digest_active(n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest))
 		return false;
 
-	return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
+	return digest_verify(n->indigest, &inpkt->seqno, inpkt->len - digest_length(n->indigest), (const char *)&inpkt->seqno + inpkt->len - digest_length(n->indigest));
 }
 
 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
@@ -338,19 +333,27 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 	size_t outlen;
 
 	if(n->status.sptps) {
+		if(!n->sptps.state) {
+			if(!n->status.waitingforkey) {
+				logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
+				send_req_key(n);
+			} else {
+				logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
+			}
+			return;
+		}
 		sptps_receive_data(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
 		return;
 	}
 
-	if(!cipher_active(&n->incipher)) {
-		logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
-					n->name, n->hostname);
+	if(!cipher_active(n->incipher)) {
+		logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
 		return;
 	}
 
 	/* Check packet length */
 
-	if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
+	if(inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest)) {
 		logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
 					n->name, n->hostname);
 		return;
@@ -358,20 +361,20 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 
 	/* Check the message authentication code */
 
-	if(digest_active(&n->indigest)) {
-		inpkt->len -= n->indigest.maclength;
-		if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
+	if(digest_active(n->indigest)) {
+		inpkt->len -= digest_length(n->indigest);
+		if(!digest_verify(n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
 			logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
 			return;
 		}
 	}
 	/* Decrypt the packet */
 
-	if(cipher_active(&n->incipher)) {
+	if(cipher_active(n->incipher)) {
 		outpkt = pkt[nextpkt++];
 		outlen = MAXSIZE;
 
-		if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+		if(!cipher_decrypt(n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
 			logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
 			return;
 		}
@@ -449,6 +452,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
 	vpn_packet_t outpkt;
 
+	if(len > sizeof outpkt.data)
+		return;
+
 	outpkt.len = len;
 	if(c->options & OPTION_TCPONLY)
 		outpkt.priority = 0;
@@ -464,7 +470,7 @@ static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
 		logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
 		if(!n->status.waitingforkey)
 			send_req_key(n);
-		else if(n->last_req_key + 10 < time(NULL)) {
+		else if(n->last_req_key + 10 < now.tv_sec) {
 			logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
 			sptps_stop(&n->sptps);
 			n->status.waitingforkey = false;
@@ -575,12 +581,22 @@ static void choose_broadcast_address(const node_t *n, const sockaddr_t **sa, int
 	*sock = rand() % listen_sockets;
 
 	if(listen_socket[*sock].sa.sa.sa_family == AF_INET6) {
-		broadcast_ipv6.in6.sin6_port = n->prevedge->address.in.sin_port;
-		broadcast_ipv6.in6.sin6_scope_id = listen_socket[*sock].sa.in6.sin6_scope_id;
-		*sa = &broadcast_ipv6;
+		if(localdiscovery_address.sa.sa_family == AF_INET6) {
+			localdiscovery_address.in6.sin6_port = n->prevedge->address.in.sin_port;
+			*sa = &localdiscovery_address;
+		} else {
+			broadcast_ipv6.in6.sin6_port = n->prevedge->address.in.sin_port;
+			broadcast_ipv6.in6.sin6_scope_id = listen_socket[*sock].sa.in6.sin6_scope_id;
+			*sa = &broadcast_ipv6;
+		}
 	} else {
-		broadcast_ipv4.in.sin_port = n->prevedge->address.in.sin_port;
-		*sa = &broadcast_ipv4;
+		if(localdiscovery_address.sa.sa_family == AF_INET) {
+			localdiscovery_address.in.sin_port = n->prevedge->address.in.sin_port;
+			*sa = &localdiscovery_address;
+		} else {
+			broadcast_ipv4.in.sin_port = n->prevedge->address.in.sin_port;
+			*sa = &broadcast_ipv4;
+		}
 	}
 }
 
@@ -656,11 +672,11 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
 
 	/* Encrypt the packet */
 
-	if(cipher_active(&n->outcipher)) {
+	if(cipher_active(n->outcipher)) {
 		outpkt = pkt[nextpkt++];
 		outlen = MAXSIZE;
 
-		if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+		if(!cipher_encrypt(n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
 			logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
 			goto end;
 		}
@@ -671,9 +687,13 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
 
 	/* Add the message authentication code */
 
-	if(digest_active(&n->outdigest)) {
-		digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
-		inpkt->len += digest_length(&n->outdigest);
+	if(digest_active(n->outdigest)) {
+		if(!digest_create(n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len)) {
+			logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
+			goto end;
+		}
+
+		inpkt->len += digest_length(n->outdigest);
 	}
 
 	/* Send the packet */