X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fprotocol_auth.c;h=224b6d8450955725758302990b327d11efc0a2cd;hb=979acc48aded5bb04f1574128d174d56550be302;hp=0882ddfc36762c16b420460d323dd5b445219e4f;hpb=cfe9285adf391ab66faeb5def811fe08e47a221a;p=tinc diff --git a/src/protocol_auth.c b/src/protocol_auth.c index 0882ddfc..224b6d84 100644 --- a/src/protocol_auth.c +++ b/src/protocol_auth.c @@ -1,7 +1,7 @@ /* protocol_auth.c -- handle the meta-protocol, authentication Copyright (C) 1999-2005 Ivo Timmermans, - 2000-2014 Guus Sliepen + 2000-2016 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -117,7 +117,7 @@ static bool send_proxyrequest(connection_t *c) { i += 2; c->tcplen += 22; } else { - logger(DEBUG_ALWAYS, LOG_ERR, "Address family %hx not supported for SOCKS 5 proxies!", c->address.sa.sa_family); + logger(DEBUG_ALWAYS, LOG_ERR, "Address family %x not supported for SOCKS 5 proxies!", c->address.sa.sa_family); return false; } if(i > len) @@ -386,7 +386,7 @@ bool id_h(connection_t *c, const char *request) { /* Forbid version rollback for nodes whose Ed25519 key we know */ - if(ecdsa_active(c->ecdsa) && c->protocol_minor < 2) { + if(ecdsa_active(c->ecdsa) && c->protocol_minor < 1) { logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s (%s) tries to roll back protocol version to %d.%d", c->name, c->hostname, c->protocol_major, c->protocol_minor); return false; @@ -421,10 +421,24 @@ bool send_metakey(connection_t *c) { if(!read_rsa_public_key(c)) return false; - if(!(c->outcipher = cipher_open_blowfish_ofb())) + /* We need to use a stream mode for the meta protocol. Use AES for this, + but try to match the key size with the one from the cipher selected + by Cipher. + */ + + int keylen = cipher_keylength(myself->incipher); + if(keylen <= 16) + c->outcipher = cipher_open_by_name("aes-128-cfb"); + else if(keylen <= 24) + c->outcipher = cipher_open_by_name("aes-192-cfb"); + else + c->outcipher = cipher_open_by_name("aes-256-cfb"); + if(!c) return false; - if(!(c->outdigest = digest_open_sha1(-1))) + c->outbudget = cipher_budget(c->outcipher); + + if(!(c->outdigest = digest_open_by_name("sha256", -1))) return false; const size_t len = rsa_size(c->rsa); @@ -536,6 +550,8 @@ bool metakey_h(connection_t *c, const char *request) { c->incipher = NULL; } + c->inbudget = cipher_budget(c->incipher); + if(digest) { if(!(c->indigest = digest_open_by_nid(digest, -1))) { logger(DEBUG_ALWAYS, LOG_ERR, "Error during initialisation of digest from %s (%s)", c->name, c->hostname); @@ -780,6 +796,8 @@ static bool upgrade_h(connection_t *c, const char *request) { logger(DEBUG_ALWAYS, LOG_INFO, "Got Ed25519 public key from %s (%s), upgrading!", c->name, c->hostname); append_config_file(c->name, "Ed25519PublicKey", pubkey); c->allow_request = TERMREQ; + if(c->outgoing) + c->outgoing->timeout = 0; return send_termreq(c); } @@ -788,7 +806,6 @@ bool ack_h(connection_t *c, const char *request) { return upgrade_h(c, request); char hisport[MAX_STRING_SIZE]; - char *hisaddress; int weight, mtu; uint32_t options; node_t *n; @@ -865,19 +882,14 @@ bool ack_h(connection_t *c, const char *request) { c->edge = new_edge(); c->edge->from = myself; c->edge->to = n; - sockaddr2str(&c->address, &hisaddress, NULL); - c->edge->address = str2sockaddr(hisaddress, hisport); - free(hisaddress); + sockaddrcpy(&c->edge->address, &c->address); + sockaddr_setport(&c->edge->address, hisport); sockaddr_t local_sa; socklen_t local_salen = sizeof local_sa; if (getsockname(c->socket, &local_sa.sa, &local_salen) < 0) logger(DEBUG_ALWAYS, LOG_WARNING, "Could not get local socket address for connection with %s", c->name); - else { - char *local_address; - sockaddr2str(&local_sa, &local_address, NULL); - c->edge->local_address = str2sockaddr(local_address, myport); - free(local_address); - } + else + sockaddr_setport(&local_sa, myport); c->edge->weight = (weight + c->estimated_weight) / 2; c->edge->connection = c; c->edge->options = c->options;