projects / tinc / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add configurable experation time for invitations.
[tinc] / src / protocol_auth.c
diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index baf9eac..a99e1d6 100644 (file)
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -47,6 +47,7 @@
 
 #include "ed25519/sha512.h"
 
+int invitation_lifetime;
 ecdsa_t *invitation_key = NULL;
 
 static bool send_proxyrequest(connection_t *c) {
@@ -232,6 +233,18 @@ static bool receive_invitation_sptps(void *handle, uint8_t type, const void *dat
                return false;
        }
 
+       // Check the timestamp of the invitation
+       struct stat st;
+       if(stat(usedname, &st)) {
+               logger(DEBUG_ALWAYS, LOG_ERR, "Could not stat %s", usedname);
+               return false;
+       }
+
+       if(st.st_mtime + invitation_lifetime < now.tv_sec) {
+               logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s tried to use expired invitation %s", c->hostname, cookie);
+               return false;
+       }
+
        // Open the renamed file
        FILE *f = fopen(usedname, "r");
        if(!f) {
tinc, the VPN daemon