Use cryptographically strong random when generating keys.
[tinc] / src / net_packet.c
index 054679e..4341cf0 100644 (file)
@@ -269,7 +269,7 @@ static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) {
 
        HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL);
 
-       return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
+       return !memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
 }
 
 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
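Review bot: The new constant-time compare on the return line still relies on `inpkt->len >= n->inmaclength`; if a shorter packet reaches try_mac, `inpkt->len - n->inmaclength` wraps and both the HMAC input length and the tag pointer run outside the packet. try_mac starts above this hunk, so such a guard may already exist; if it does not, add `if(inpkt->len < n->inmaclength) return false;` before the HMAC call. The helper's definition is not in this file, so its contract (returns 0 only on equality, no data-dependent early exit) is assumed here and is worth pinning with a comment above the return: `/* Constant-time compare: memcmp's early exit would let a forger learn the tag byte by byte. */`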
@@ -302,7 +302,7 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
                HMAC(n->indigest, n->inkey, n->inkeylength,
                         (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
 
-               if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
+               if(memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
                        ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)",
                                           n->name, n->hostname);
                        return;
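Review bot: The tag pointer `(char *) &inpkt->seqno + inpkt->len` on the changed line only points inside the received buffer if `inpkt->len` has already been reduced by `n->inmaclength` further up; that adjustment is outside the hunk (receive_udppacket begins above it), so verify it precedes this check, otherwise the compare reads past the packet. The result is used as a truthy mismatch flag, so `memcmp_constant_time` must return 0 on equality exactly like memcmp; a one-line comment here, e.g. `/* Non-zero means the MAC did not match; compare runs in constant time. */`, would make that dependency explicit for the next reader.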
@@ -650,7 +650,7 @@ void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
                        for(node = node_udp_tree->head; node; node = node->next) {
                                n = node->data;
 
-                               if(n->status.reachable && ((n->via == myself && n->nexthop == n) || n->via == n))
+                               if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
                                        send_packet(n, packet);
                        }
                        break;
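Review bot: The added `n != myself` is the one clause in this three-part condition that is about the sender rather than the route, and it is easy to overlook as written; splitting the route test out would make the intent readable: `bool direct = (n->via == myself && n->nexthop == n) || n->via == n;` then `if(n->status.reachable && n != myself && direct)`. If the via/nexthop reading is right, a comment such as `/* Skip ourselves; only nodes whose route points straight at them get the packet. */` above the loop would document why the self-check matters here. The enclosing broadcast_packet and its switch start outside the hunk.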
@@ -664,7 +664,6 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
        avl_node_t *node;
        edge_t *e;
        node_t *n = NULL;
-       bool hard = false;
        static time_t last_hard_try = 0;
 
        for(node = edge_weight_tree->head; node; node = node->next) {
@@ -673,11 +672,8 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
                if(e->to == myself)
                        continue;
 
-               if(sockaddrcmp_noport(from, &e->address)) {
-                       if(last_hard_try == now)
-                               continue;
-                       hard = true;
-               }
+               if(last_hard_try == now && sockaddrcmp_noport(from, &e->address))
+                       continue;
 
                if(!try_mac(e->to, pkt))
                        continue;
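Review bot: The merged condition on the new line only rate-limits edges whose address differs from `from`; every edge whose address matches still gets a full HMAC in `try_mac` for each unauthenticated packet, with no limit. A spoofed source address that matches several edges (for example peers behind one NAT) therefore costs one HMAC per matching edge per packet, which is pre-existing but worth a comment if it is accepted: `/* Same-address edges are always tried; mismatching ones at most once per second. */`. Note that `last_hard_try == now` has one-second granularity, so the first packet of each second always pays the full sweep. try_harder starts above this hunk.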
@@ -686,9 +682,6 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
                break;
        }
 
-       if(hard)
-               last_hard_try = now;
-
        last_hard_try = now;
        return n;
 }
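Review bot: With the `if(hard)` branch gone, the remaining `last_hard_try = now;` (already unconditional before this change, since it sat after the removed branch) stamps every call, so the name no longer describes what it tracks: it is the time of the last try of any kind, and the loop above uses it only to suppress address-mismatch tries in the same second. Either rename it (`last_try`) or document it at the assignment: `/* Stamp every call: edges whose address does not match `from` are tried again only in a later second. */`. The function's beginning is outside this hunk.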