X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fprotocol_key.c;h=ee292b65448dcee3e043ffd4a71cec0ad2cf96a2;hp=5f71d1ca29feca7368a76bc9e9c7d58eaafd23db;hb=3fae14fae5a347823679ef694ab630b4991a201d;hpb=985d19caf20058db3c764f0f6fbeafa8bcc59fcc;ds=sidebyside diff --git a/src/protocol_key.c b/src/protocol_key.c index 5f71d1ca..ee292b65 100644 --- a/src/protocol_key.c +++ b/src/protocol_key.c @@ -46,8 +46,10 @@ void send_key_changed(void) { for(node = connection_tree->head; node; node = node->next) { c = node->data; - if(c->status.active && c->node && c->node->status.reachable) + + if(c->status.active && c->node && c->node->status.reachable) { send_ans_key(c->node); + } } } @@ -57,7 +59,7 @@ bool key_changed_h(connection_t *c) { if(sscanf(c->buffer, "%*d %*x " MAX_STRING, name) != 1) { logger(LOG_ERR, "Got bad %s from %s (%s)", "KEY_CHANGED", - c->name, c->hostname); + c->name, c->hostname); return false; } @@ -66,14 +68,15 @@ bool key_changed_h(connection_t *c) { return false; } - if(seen_request(c->buffer)) + if(seen_request(c->buffer)) { return true; + } n = lookup_node(name); if(!n) { logger(LOG_ERR, "Got %s from %s (%s) origin %s which does not exist", - "KEY_CHANGED", c->name, c->hostname, name); + "KEY_CHANGED", c->name, c->hostname, name); return true; } @@ -82,8 +85,9 @@ bool key_changed_h(connection_t *c) { /* Tell the others */ - if(!tunnelserver) + if(!tunnelserver) { forward_request(c); + } return true; } @@ -99,7 +103,7 @@ bool req_key_h(connection_t *c) { if(sscanf(c->buffer, "%*d " MAX_STRING " " MAX_STRING, from_name, to_name) != 2) { logger(LOG_ERR, "Got bad %s from %s (%s)", "REQ_KEY", c->name, - c->hostname); + c->hostname); return false; } @@ -112,7 +116,7 @@ bool req_key_h(connection_t *c) { if(!from) { logger(LOG_ERR, "Got %s from %s (%s) origin %s which does not exist in our connection list", - "REQ_KEY", c->name, c->hostname, from_name); + "REQ_KEY", c->name, c->hostname, from_name); return true; } @@ -120,22 +124,24 @@ bool req_key_h(connection_t *c) { if(!to) { logger(LOG_ERR, "Got %s from %s (%s) destination %s which does not exist in our connection list", - "REQ_KEY", c->name, c->hostname, to_name); + "REQ_KEY", c->name, c->hostname, to_name); return true; } /* Check if this key request is for us */ - if(to == myself) { /* Yes, send our own key back */ - if (!send_ans_key(from)) + if(to == myself) { /* Yes, send our own key back */ + if(!send_ans_key(from)) { return false; + } } else { - if(tunnelserver) + if(tunnelserver) { return true; + } if(!to->status.reachable) { logger(LOG_WARNING, "Got %s from %s (%s) destination %s which is not reachable", - "REQ_KEY", c->name, c->hostname, to_name); + "REQ_KEY", c->name, c->hostname, to_name); return true; } @@ -157,19 +163,23 @@ bool send_ans_key(node_t *to) { to->inkey = xrealloc(to->inkey, to->inkeylength); // Create a new key - if (1 != RAND_bytes((unsigned char *)to->inkey, to->inkeylength)) { + if(1 != RAND_bytes((unsigned char *)to->inkey, to->inkeylength)) { int err = ERR_get_error(); logger(LOG_ERR, "Failed to generate random for key (%s)", ERR_error_string(err, NULL)); return false; // Do not send insecure keys, let connection attempt fail. } - if(to->incipher) + if(to->incipher) { EVP_DecryptInit_ex(to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + EVP_CIPHER_key_length(to->incipher)); + } // Reset sequence number and late packet window mykeyused = true; to->received_seqno = 0; - if(replaywin) memset(to->late, 0, replaywin); + + if(replaywin) { + memset(to->late, 0, replaywin); + } // Convert to hexadecimal and send char key[2 * to->inkeylength + 1]; @@ -177,10 +187,10 @@ bool send_ans_key(node_t *to) { key[to->inkeylength * 2] = '\0'; return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY, - myself->name, to->name, key, - to->incipher ? EVP_CIPHER_nid(to->incipher) : 0, - to->indigest ? EVP_MD_type(to->indigest) : 0, to->inmaclength, - to->incompression); + myself->name, to->name, key, + to->incipher ? EVP_CIPHER_nid(to->incipher) : 0, + to->indigest ? EVP_MD_type(to->indigest) : 0, to->inmaclength, + to->incompression); } bool ans_key_h(connection_t *c) { @@ -193,10 +203,10 @@ bool ans_key_h(connection_t *c) { node_t *from, *to; if(sscanf(c->buffer, "%*d "MAX_STRING" "MAX_STRING" "MAX_STRING" %d %d %d %d "MAX_STRING" "MAX_STRING, - from_name, to_name, key, &cipher, &digest, &maclength, - &compression, address, port) < 7) { + from_name, to_name, key, &cipher, &digest, &maclength, + &compression, address, port) < 7) { logger(LOG_ERR, "Got bad %s from %s (%s)", "ANS_KEY", c->name, - c->hostname); + c->hostname); return false; } @@ -209,7 +219,7 @@ bool ans_key_h(connection_t *c) { if(!from) { logger(LOG_ERR, "Got %s from %s (%s) origin %s which does not exist in our connection list", - "ANS_KEY", c->name, c->hostname, from_name); + "ANS_KEY", c->name, c->hostname, from_name); return true; } @@ -217,19 +227,20 @@ bool ans_key_h(connection_t *c) { if(!to) { logger(LOG_ERR, "Got %s from %s (%s) destination %s which does not exist in our connection list", - "ANS_KEY", c->name, c->hostname, to_name); + "ANS_KEY", c->name, c->hostname, to_name); return true; } /* Forward it if necessary */ if(to != myself) { - if(tunnelserver) + if(tunnelserver) { return true; + } if(!to->status.reachable) { logger(LOG_WARNING, "Got %s from %s (%s) destination %s which is not reachable", - "ANS_KEY", c->name, c->hostname, to_name); + "ANS_KEY", c->name, c->hostname, to_name); return true; } @@ -252,6 +263,7 @@ bool ans_key_h(connection_t *c) { /* Update our copy of the origin's packet key */ from->outkey = xrealloc(from->outkey, strlen(key) / 2); from->outkeylength = strlen(key) / 2; + if(!hex2bin(key, from->outkey, from->outkeylength)) { logger(LOG_ERR, "Got bad %s from %s(%s): %s", "ANS_KEY", from->name, from->hostname, "invalid key"); return true; @@ -264,13 +276,13 @@ bool ans_key_h(connection_t *c) { if(!from->outcipher) { logger(LOG_ERR, "Node %s (%s) uses unknown cipher!", from->name, - from->hostname); + from->hostname); return true; } if(from->outkeylength != EVP_CIPHER_key_length(from->outcipher) + EVP_CIPHER_iv_length(from->outcipher)) { logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, - from->hostname); + from->hostname); return true; } } else { @@ -284,13 +296,13 @@ bool ans_key_h(connection_t *c) { if(!from->outdigest) { logger(LOG_ERR, "Node %s (%s) uses unknown digest!", from->name, - from->hostname); + from->hostname); return true; } if(from->outmaclength > EVP_MD_size(from->outdigest) || from->outmaclength < 0) { logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!", - from->name, from->hostname); + from->name, from->hostname); return true; } } else { @@ -301,13 +313,13 @@ bool ans_key_h(connection_t *c) { logger(LOG_ERR, "Node %s (%s) uses bogus compression level!", from->name, from->hostname); return true; } - + from->outcompression = compression; if(from->outcipher) if(!EVP_EncryptInit_ex(from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + EVP_CIPHER_key_length(from->outcipher))) { logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s", - from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL)); + from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL)); return true; } @@ -320,8 +332,9 @@ bool ans_key_h(connection_t *c) { update_node_udp(from, &sa); } - if(from->options & OPTION_PMTU_DISCOVERY && !from->mtuevent) + if(from->options & OPTION_PMTU_DISCOVERY && !from->mtuevent) { send_mtu_probe(from); + } return true; }