X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fprotocol_key.c;h=5f71d1ca29feca7368a76bc9e9c7d58eaafd23db;hp=0ba5ad34f71b3f04cf9e510fa640806b7f62fdbe;hb=a85864809febde02687b52dc2931ac4505f57067;hpb=8794274a30d535d49636fec825a0afbf30d8010d diff --git a/src/protocol_key.c b/src/protocol_key.c index 0ba5ad34..5f71d1ca 100644 --- a/src/protocol_key.c +++ b/src/protocol_key.c @@ -1,7 +1,7 @@ /* protocol_key.c -- handle the meta-protocol, key exchange Copyright (C) 1999-2005 Ivo Timmermans, - 2000-2012 Guus Sliepen + 2000-2016 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -127,7 +127,8 @@ bool req_key_h(connection_t *c) { /* Check if this key request is for us */ if(to == myself) { /* Yes, send our own key back */ - send_ans_key(from); + if (!send_ans_key(from)) + return false; } else { if(tunnelserver) return true; @@ -156,9 +157,14 @@ bool send_ans_key(node_t *to) { to->inkey = xrealloc(to->inkey, to->inkeylength); // Create a new key - RAND_bytes((unsigned char *)to->inkey, to->inkeylength); + if (1 != RAND_bytes((unsigned char *)to->inkey, to->inkeylength)) { + int err = ERR_get_error(); + logger(LOG_ERR, "Failed to generate random for key (%s)", ERR_error_string(err, NULL)); + return false; // Do not send insecure keys, let connection attempt fail. + } + if(to->incipher) - EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len); + EVP_DecryptInit_ex(to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + EVP_CIPHER_key_length(to->incipher)); // Reset sequence number and late packet window mykeyused = true; @@ -172,8 +178,8 @@ bool send_ans_key(node_t *to) { return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY, myself->name, to->name, key, - to->incipher ? to->incipher->nid : 0, - to->indigest ? to->indigest->type : 0, to->inmaclength, + to->incipher ? EVP_CIPHER_nid(to->incipher) : 0, + to->indigest ? EVP_MD_type(to->indigest) : 0, to->inmaclength, to->incompression); } @@ -227,7 +233,7 @@ bool ans_key_h(connection_t *c) { return true; } - if(!*address && from->address.sa.sa_family != AF_UNSPEC) { + if(!*address && from->address.sa.sa_family != AF_UNSPEC && to->minmtu) { char *address, *port; ifdebug(PROTOCOL) logger(LOG_DEBUG, "Appending reflexive UDP address to ANS_KEY from %s to %s", from->name, to->name); sockaddr2str(&from->address, &address, &port); @@ -262,7 +268,7 @@ bool ans_key_h(connection_t *c) { return true; } - if(from->outkeylength != from->outcipher->key_len + from->outcipher->iv_len) { + if(from->outkeylength != EVP_CIPHER_key_length(from->outcipher) + EVP_CIPHER_iv_length(from->outcipher)) { logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, from->hostname); return true; @@ -282,7 +288,7 @@ bool ans_key_h(connection_t *c) { return true; } - if(from->outmaclength > from->outdigest->md_size || from->outmaclength < 0) { + if(from->outmaclength > EVP_MD_size(from->outdigest) || from->outmaclength < 0) { logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!", from->name, from->hostname); return true; @@ -299,7 +305,7 @@ bool ans_key_h(connection_t *c) { from->outcompression = compression; if(from->outcipher) - if(!EVP_EncryptInit_ex(&from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + from->outcipher->key_len)) { + if(!EVP_EncryptInit_ex(from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + EVP_CIPHER_key_length(from->outcipher))) { logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s", from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL)); return true;