X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fprotocol.c;h=ef6018020cd066f77d31801fefb459771b9aef09;hp=be3b5d1ce14e41f538a5563f55d9a5b4dbf61123;hb=1e2bdc2b6d28c76c63fc9fd36169b90fa0994388;hpb=bfc5d6014e3c1563f7b6a2f10698e9ba23ba3e96 diff --git a/src/protocol.c b/src/protocol.c index be3b5d1c..ef601802 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: protocol.c,v 1.28.4.89 2001/05/24 21:52:26 guus Exp $ + $Id: protocol.c,v 1.28.4.98 2001/07/04 08:41:36 guus Exp $ */ #include "config.h" @@ -40,25 +40,14 @@ #include -#ifdef HAVE_OPENSSL_SHA_H -# include -#else -# include -#endif - -#ifdef HAVE_OPENSSL_RAND_H -# include -#else -# include -#endif +#include +#include +#include -#ifdef HAVE_OPENSSL_EVP_H -# include -#else -# include +#ifndef HAVE_RAND_PSEUDO_BYTES +#define RAND_pseudo_bytes RAND_bytes #endif - #include "conf.h" #include "net.h" #include "netutl.h" @@ -106,11 +95,15 @@ cp return -1; } - len++; - if(debug_lvl >= DEBUG_PROTOCOL) - syslog(LOG_DEBUG, _("Sending %s to %s (%s)"), request_name[request], cl->name, cl->hostname); + { + if(debug_lvl >= DEBUG_META) + syslog(LOG_DEBUG, _("Sending %s to %s (%s): %s"), request_name[request], cl->name, cl->hostname, buffer); + else + syslog(LOG_DEBUG, _("Sending %s to %s (%s)"), request_name[request], cl->name, cl->hostname); + } + buffer[len++] = '\n'; cp return send_meta(cl, buffer, len); } @@ -118,20 +111,31 @@ cp int receive_request(connection_t *cl) { int request; -cp +cp if(sscanf(cl->buffer, "%d", &request) == 1) { if((request < 0) || (request >= LAST) || (request_handlers[request] == NULL)) { - syslog(LOG_ERR, _("Unknown request from %s (%s)"), - cl->name, cl->hostname); + if(debug_lvl >= DEBUG_META) + syslog(LOG_DEBUG, _("Unknown request from %s (%s): %s"), + cl->name, cl->hostname, cl->buffer); + else + syslog(LOG_ERR, _("Unknown request from %s (%s)"), + cl->name, cl->hostname); + return -1; } else { if(debug_lvl >= DEBUG_PROTOCOL) - syslog(LOG_DEBUG, _("Got %s from %s (%s)"), - request_name[request], cl->name, cl->hostname); + { + if(debug_lvl >= DEBUG_META) + syslog(LOG_DEBUG, _("Got %s from %s (%s): %s"), + request_name[request], cl->name, cl->hostname, cl->buffer); + else + syslog(LOG_DEBUG, _("Got %s from %s (%s)"), + request_name[request], cl->name, cl->hostname); + } } if((cl->allow_request != ALL) && (cl->allow_request != request)) @@ -158,34 +162,8 @@ cp return 0; } -/* Connection protocol: - - Client Server - send_id(u) - send_challenge(R) - send_chal_reply(H) - send_id(u) - send_challenge(R) - send_chal_reply(H) - --------------------------------------- - send_metakey(R) - send_metakey(R) - --------------------------------------- - send_ack(u) - send_ack(u) - --------------------------------------- - Other requests(E)... - - (u) Unencrypted, - (R) RSA, - (H) SHA1, - (E) Encrypted with symmetric cipher. - - Part of the challenge is directly used to set the symmetric cipher - key and the initial vector. Since a man-in-the-middle cannot - decrypt the RSA challenges, this means that he cannot get or forge - the key for the symmetric cipher. -*/ +/* The authentication protocol is described in detail in doc/SECURITY2, + the rest will be described in doc/PROTOCOL. */ int send_id(connection_t *cl) { @@ -225,6 +203,9 @@ cp /* Copy string to cl */ + if(cl->name) + free(cl->name); + cl->name = xstrdup(name); /* Load information about peer */ @@ -235,22 +216,22 @@ cp return -1; } - /* First check if the host we connected to is already in our + /* First check if the host is already in our connection list. If so, we are probably making a loop, which is not desirable. */ - if(cl->status.outgoing) + if((old = lookup_id(cl->name))) { - if((old = lookup_id(cl->name))) + if(debug_lvl >= DEBUG_CONNECTIONS) + syslog(LOG_NOTICE, _("%s (%s) is already in our connection list"), cl->name, cl->hostname); + if(cl->status.outgoing) { - if(debug_lvl >= DEBUG_CONNECTIONS) - syslog(LOG_NOTICE, _("Uplink %s (%s) is already in our connection list"), cl->name, cl->hostname); cl->status.outgoing = 0; old->status.outgoing = 1; - terminate_connection(cl); - return 0; } + terminate_connection(cl); + return 0; } /* Now we can add the name to the id tree */ @@ -261,8 +242,14 @@ cp node = avl_unlink(connection_tree, cl); cl->port = port; - avl_insert_node(connection_tree, node); - + if(!avl_insert_node(connection_tree, node)) + { + old = avl_search_node(connection_tree, node)->data; + syslog(LOG_ERR, _("%s is listening on %s:%hd, which is already in use by %s!"), + cl->name, cl->hostname, cl->port, old->name); + return -1; + } + /* Read in the public key, so that we can send a metakey */ if(read_rsa_public_key(cl)) @@ -305,6 +292,8 @@ cp if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname); + if(cl->status.outgoing) + seconds_till_retry = 5; /* Reset retry timeout */ cp /* Check some options */ @@ -1066,8 +1055,9 @@ int send_ping(connection_t *cl) cp cl->status.pinged = 1; cl->last_ping_time = time(NULL); - RAND_bytes(salt, SALTLEN); + RAND_pseudo_bytes(salt, SALTLEN); bin2hex(salt, salt, SALTLEN); + salt[SALTLEN*2] = '\0'; cp return send_request(cl, "%d %s", PING, salt); } @@ -1082,8 +1072,9 @@ int send_pong(connection_t *cl) { char salt[SALTLEN*2+1]; cp - RAND_bytes(salt, SALTLEN); + RAND_pseudo_bytes(salt, SALTLEN); bin2hex(salt, salt, SALTLEN); + salt[SALTLEN*2] = '\0'; cp return send_request(cl, "%d %s", PONG, salt); } @@ -1107,17 +1098,16 @@ cp This reduces unnecessary key_changed broadcasts. */ - if(mykeyused) + if(from==myself && !mykeyused) + return 0; + + for(node = connection_tree->head; node; node = node->next) { - for(node = connection_tree->head; node; node = node->next) - { - p = (connection_t *)node->data; - if(p != cl && p->status.meta && p->status.active) - if(!(p->options & OPTION_INDIRECT) || from == myself) - send_request(p, "%d %s", KEY_CHANGED, from->name); - } - mykeyused = 0; - } + p = (connection_t *)node->data; + if(p != cl && p->status.meta && p->status.active) + if(!(p->options & OPTION_INDIRECT) || from == myself) + send_request(p, "%d %s", KEY_CHANGED, from->name); + } cp return 0; } @@ -1285,53 +1275,29 @@ int send_tcppacket(connection_t *cl, vpn_packet_t *packet) { int x; cp + /* Evil hack. */ + x = send_request(cl->nexthop, "%d %hd", PACKET, packet->len); if(x) return x; - - return send_meta(cl->nexthop, packet->data, packet->len); +cp + return send_meta(cl, packet->data, packet->len); } int tcppacket_h(connection_t *cl) { - vpn_packet_t packet; - char *p; - int todo, x; + short int len; cp - if(sscanf(cl->buffer, "%*d %hd", &packet.len) != 1) + if(sscanf(cl->buffer, "%*d %hd", &len) != 1) { syslog(LOG_ERR, _("Got bad PACKET from %s (%s)"), cl->name, cl->hostname); return -1; } - /* Evil hack. */ - - p = packet.data; - todo = packet.len; - - while(todo) - { - x = read(cl->meta_socket, p, todo); - - if(x<=0) - { - if(x==0) - syslog(LOG_NOTICE, _("Connection closed by %s (%s)"), cl->name, cl->hostname); - else - if(errno==EINTR || errno==EAGAIN) /* FIXME: select() or poll() or reimplement this evil hack */ - continue; - else - syslog(LOG_ERR, _("Error during reception of PACKET from %s (%s): %m"), cl->name, cl->hostname); - - return -1; - } - - todo -= x; - p += x; - } + /* Set reqlen to len, this will tell receive_meta() that a tcppacket is coming. */ - receive_packet(cl, &packet); + cl->tcplen = len; cp return 0; }