X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fprotocol_auth.c;h=1623e75e4992307f0b460e78f66a8f870301c689;hb=5dec1c25713a19c49fcbb885200184a9682ef175;hp=05724d6faa88059d1ece5bcfca0e6c0cb714f675;hpb=ced4c1a327b321a6d73028a3a15b41b0be64d910;p=tinc

diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index 05724d6f..1623e75e 100644
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -174,6 +174,7 @@ static bool finalize_invitation(connection_t *c, const char *data, uint16_t len)
 	fclose(f);
 
 	logger(DEBUG_CONNECTIONS, LOG_INFO, "Key succesfully received from %s (%s)", c->name, c->hostname);
+	sptps_send_record(&c->sptps, 2, data, 0);
 	return true;
 }
 
@@ -324,7 +325,7 @@ bool id_h(connection_t *c, const char *request) {
 
 	if(c->protocol_major != myself->connection->protocol_major) {
 		logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s (%s) uses incompatible version %d.%d",
-			   c->name, c->hostname, c->protocol_major, c->protocol_minor);
+			c->name, c->hostname, c->protocol_major, c->protocol_minor);
 		return false;
 	}
 
@@ -346,15 +347,21 @@ bool id_h(connection_t *c, const char *request) {
 			return false;
 		}
 
-		if(experimental && c->protocol_minor >= 2) {
-			if(!read_ecdsa_public_key(c))
-				return false;
-		}
+		if(experimental)
+			read_ecdsa_public_key(c);
 	} else {
 		if(c->protocol_minor && !ecdsa_active(c->ecdsa))
 			c->protocol_minor = 1;
 	}
 
+	/* Forbid version rollback for nodes whose ECDSA key we know */
+
+	if(ecdsa_active(c->ecdsa) && c->protocol_minor < 2) {
+		logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s (%s) tries to roll back protocol version to %d.%d",
+			c->name, c->hostname, c->protocol_major, c->protocol_minor);
+		return false;
+	}
+
 	c->allow_request = METAKEY;
 
 	if(c->protocol_minor >= 2) {