/*
protocol_key.c -- handle the meta-protocol, key exchange
Copyright (C) 1999-2005 Ivo Timmermans,
- 2000-2012 Guus Sliepen <guus@tinc-vpn.org>
+ 2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
/* Check if this key request is for us */
if(to == myself) { /* Yes, send our own key back */
- send_ans_key(from);
+ if (!send_ans_key(from))
+ return false;
} else {
if(tunnelserver)
return true;
to->inkey = xrealloc(to->inkey, to->inkeylength);
// Create a new key
- RAND_bytes((unsigned char *)to->inkey, to->inkeylength);
+ if (1 != RAND_bytes((unsigned char *)to->inkey, to->inkeylength)) {
+ int err = ERR_get_error();
+ logger(LOG_ERR, "Failed to generate random for key (%s)", ERR_error_string(err, NULL));
+ return false; // Do not send insecure keys, let connection attempt fail.
+ }
+
if(to->incipher)
- EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);
+ EVP_DecryptInit_ex(to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + EVP_CIPHER_key_length(to->incipher));
// Reset sequence number and late packet window
mykeyused = true;
return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY,
myself->name, to->name, key,
- to->incipher ? to->incipher->nid : 0,
- to->indigest ? to->indigest->type : 0, to->inmaclength,
+ to->incipher ? EVP_CIPHER_nid(to->incipher) : 0,
+ to->indigest ? EVP_MD_type(to->indigest) : 0, to->inmaclength,
to->incompression);
}
return true;
}
- if(!*address && from->address.sa.sa_family != AF_UNSPEC) {
+ if(!*address && from->address.sa.sa_family != AF_UNSPEC && to->minmtu) {
char *address, *port;
ifdebug(PROTOCOL) logger(LOG_DEBUG, "Appending reflexive UDP address to ANS_KEY from %s to %s", from->name, to->name);
sockaddr2str(&from->address, &address, &port);
return true;
}
- if(from->outkeylength != from->outcipher->key_len + from->outcipher->iv_len) {
+ if(from->outkeylength != EVP_CIPHER_key_length(from->outcipher) + EVP_CIPHER_iv_length(from->outcipher)) {
logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name,
from->hostname);
return true;
return true;
}
- if(from->outmaclength > from->outdigest->md_size || from->outmaclength < 0) {
+ if(from->outmaclength > EVP_MD_size(from->outdigest) || from->outmaclength < 0) {
logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!",
from->name, from->hostname);
return true;
from->outcompression = compression;
if(from->outcipher)
- if(!EVP_EncryptInit_ex(&from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + from->outcipher->key_len)) {
+ if(!EVP_EncryptInit_ex(from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + EVP_CIPHER_key_length(from->outcipher))) {
logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s",
from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL));
return true;
projects / tinc / blobdiff