From a4acf7061fadc59d45c98e70a5247bb52114189b Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Mon, 15 Mar 2004 22:22:08 +0000 Subject: [PATCH] Imported gnutls based branch. --- Makefile.am | 2 +- configure.in | 5 +- lib/fake-getaddrinfo.c | 8 +- po/nl.po | 568 ++++++++++++++++++++++------------------- src/Makefile.am | 2 +- src/conf.c | 7 +- src/connection.c | 24 +- src/connection.h | 40 +-- src/meta.c | 77 +++--- src/net.c | 6 +- src/net.h | 7 +- src/net_packet.c | 112 +++++--- src/net_setup.c | 187 +++++++------- src/net_socket.c | 54 +++- src/node.c | 16 +- src/node.h | 16 +- src/protocol.c | 2 +- src/protocol.h | 10 +- src/protocol_auth.c | 435 ++++--------------------------- src/protocol_key.c | 116 +++++---- src/tincd.c | 16 +- 21 files changed, 743 insertions(+), 967 deletions(-) diff --git a/Makefile.am b/Makefile.am index eb800e14..072360c8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -12,7 +12,7 @@ ChangeLog: cvs2cl -U cvsusers --fsf svn-clean: maintainer-clean - svn status --no-ignore | grep '^\?' | sed 's/^\? \+//g' | xargs rm -rf + svn status --no-ignore | sed -n 's/^\? \+//p' | tr '\012' '\0' | xargs -r0 rm -rf deb: dpkg-buildpackage -rfakeroot diff --git a/configure.in b/configure.in index 708f1714..be60b04e 100644 --- a/configure.in +++ b/configure.in @@ -5,7 +5,7 @@ dnl $Id: configure.in,v 1.13.2.86 2004/01/10 23:21:36 guus Exp $ AC_PREREQ(2.59) AC_INIT AC_CONFIG_SRCDIR([src/tincd.c]) -AM_INIT_AUTOMAKE(tinc, 1.0-cvs) +AM_INIT_AUTOMAKE(tinc, 1.0-gnutls) AC_CONFIG_HEADERS([config.h]) AM_MAINTAINER_MODE @@ -279,7 +279,8 @@ case $host_os in ;; esac -tinc_OPENSSL +dnl tinc_OPENSSL +AM_PATH_LIBGNUTLS([1.0.4], [], [AC_MSG_ERROR([GNUTLS library not found.]); break;]) tinc_ZLIB tinc_LZO diff --git a/lib/fake-getaddrinfo.c b/lib/fake-getaddrinfo.c index 14420b58..734f50ae 100644 --- a/lib/fake-getaddrinfo.c +++ b/lib/fake-getaddrinfo.c @@ -64,7 +64,7 @@ static struct addrinfo *malloc_ai(uint16_t port, uint32_t addr) int getaddrinfo(const char *hostname, const char *servname, const struct addrinfo *hints, struct addrinfo **res) { - struct addrinfo *prev = NULL; + struct addrinfo *ai, *prev = NULL; struct hostent *hp; struct in_addr in = {0}; int i; @@ -92,12 +92,14 @@ int getaddrinfo(const char *hostname, const char *servname, const struct addrinf return EAI_NODATA; for (i = 0; hp->h_addr_list[i]; i++) { - *res = malloc_ai(port, ((struct in_addr *)hp->h_addr_list[i])->s_addr); + *ai = malloc_ai(port, ((struct in_addr *)hp->h_addr_list[i])->s_addr); if(prev) prev->ai_next = *res; + else + *res = ai; - prev = *res; + prev = ai; } return 0; diff --git a/po/nl.po b/po/nl.po index d06f7c57..4ef1fce4 100644 --- a/po/nl.po +++ b/po/nl.po @@ -1,13 +1,13 @@ # Dutch messages for tinc -# Copyright (C) 1999-2004 Ivo Timmermans, Guus Sliepen. +# Copyright (C) 1999-2001 Ivo Timmermans, Guus Sliepen. # Ivo Timmermans , 1999-2003. # Guus Sliepen , 2000-2003. msgid "" msgstr "" -"Project-Id-Version: tinc 1.0-svn\n" +"Project-Id-Version: tinc 1.0-cvs\n" "Report-Msgid-Bugs-To: tinc-devel@nl.linux.org\n" -"POT-Creation-Date: 2004-03-15 19:28+0100\n" -"PO-Revision-Date: 2004-03-15 19:28+0100\n" +"POT-Creation-Date: 2004-03-15 23:20+0100\n" +"PO-Revision-Date: 2003-10-11 16:21+0200\n" "Last-Translator: Guus Sliepen \n" "Language-Team: Dutch \n" "MIME-Version: 1.0\n" @@ -55,29 +55,29 @@ msgstr "" msgid "Cannot open config file %s: %s" msgstr "Kan configuratie bestand %s niet openen: %s" -#: src/conf.c:390 +#: src/conf.c:385 #, c-format msgid "No value for variable `%s' on line %d while reading config file %s" msgstr "" "Geen waarde voor variabele `%s' op regel %d tijdens het lezen van " "configuratie bestand %s" -#: src/conf.c:421 +#: src/conf.c:416 #, c-format msgid "Failed to read `%s': %s" msgstr "Lezen van `%s' mislukte: %s" -#: src/conf.c:443 +#: src/conf.c:438 #, c-format msgid "Please enter a file to save %s to [%s]: " msgstr "Geef een bestand om de %s naar de schrijven [%s]: " -#: src/conf.c:450 +#: src/conf.c:445 #, c-format msgid "Error while reading stdin: %s\n" msgstr "Fout tijdens lezen van standaardinvoer: %s\n" -#: src/conf.c:482 +#: src/conf.c:477 #, c-format msgid "Error opening file `%s': %s\n" msgstr "Fout bij het openen van het bestand `%s': %s\n" @@ -90,50 +90,56 @@ msgstr "iedereen" msgid "BROADCAST" msgstr "BROADCAST" -#: src/connection.c:120 +#: src/connection.c:105 msgid "Connections:" msgstr "Verbindingen:" -#: src/connection.c:124 -#, c-format -msgid " %s at %s options %lx socket %d status %04x" +#: src/connection.c:109 +#, fuzzy, c-format +msgid "" +" %s at %s options %lx socket %d cipher %s digest %s compression %s kx method " +"%s status %04x" msgstr " %s op %s opties %lx socket %d status %04x" -#: src/connection.c:128 +#: src/connection.c:118 msgid "End of connections." msgstr "Einde van verbindingen." -#: src/meta.c:46 +#: src/meta.c:42 #, c-format msgid "Sending %d bytes of metadata to %s (%s)" msgstr "Verzenden van %d bytes metadata naar %s (%s)" -#: src/meta.c:52 -#, c-format -msgid "Error while encrypting metadata to %s (%s): %s" -msgstr "Fout tijdens versleutelen van metadata naar %s (%s): %s" - -#: src/meta.c:65 src/meta.c:118 +#: src/meta.c:50 src/meta.c:114 #, c-format msgid "Connection closed by %s (%s)" msgstr "Verbinding beëindigd door %s (%s)" -#: src/meta.c:70 +#: src/meta.c:55 #, c-format msgid "Sending meta data to %s (%s) failed: %s" msgstr "Fout tijdens verzenden metadata naar %s (%s): %s" -#: src/meta.c:123 +#: src/meta.c:97 +msgid "Continuing handshake..." +msgstr "" + +#: src/meta.c:100 +#, fuzzy, c-format +msgid "Handshake with %s (%s) completed!" +msgstr "Verbinding met %s (%s) geactiveerd" + +#: src/meta.c:106 +#, fuzzy, c-format +msgid "Handshake with %s (%s) failed: %s" +msgstr "Fout tijdens verzenden metadata naar %s (%s): %s" + +#: src/meta.c:119 #, c-format msgid "Metadata socket read error for %s (%s): %s" msgstr "Fout op metadata socket voor %s (%s) tijdens lezen: %s" -#: src/meta.c:138 -#, c-format -msgid "Error while decrypting metadata from %s (%s): %s" -msgstr "Fout tijdens ontsleutelen van metadata van %s (%s): %s" - -#: src/meta.c:191 +#: src/meta.c:172 #, c-format msgid "Metadata read buffer overflow for %s (%s)" msgstr "Metadata leesbuffer overloop voor %s (%s)" @@ -191,329 +197,343 @@ msgstr "Legen taakrij" msgid "Unable to reread configuration file, exitting." msgstr "Kan configuratiebestand niet herlezen, beëindigen." -#: src/net_packet.c:75 -#, c-format +#: src/net_packet.c:70 +#, fuzzy, c-format msgid "No response to MTU probes from %s (%s)" -msgstr "Geen antwoord van %s (%s) op MTU probes" +msgstr "%d pakketten van %s (%s) verloren" -#: src/net_packet.c:82 +#: src/net_packet.c:77 #, c-format msgid "Fixing MTU of %s (%s) to %d after %d probes" -msgstr "MTU van %s (%s) vastgezet op %d na %d probes" +msgstr "" -#: src/net_packet.c:94 -#, c-format +#: src/net_packet.c:89 +#, fuzzy, c-format msgid "Sending MTU probe length %d to %s (%s)" -msgstr "Verzending MTU probe lengte %d naar %s (%s)" +msgstr "Verzending %s naar %s (%s)" -#: src/net_packet.c:107 -#, c-format +#: src/net_packet.c:102 +#, fuzzy, c-format msgid "Got MTU probe length %d from %s (%s)" -msgstr "Kreeg MTU probe met verkeerde lengte %d van %s (%s)" +msgstr "Kreeg verkeerde %s van %s (%s)" -#: src/net_packet.c:164 +#: src/net_packet.c:159 #, c-format msgid "Received packet of %d bytes from %s (%s)" msgstr "Ontvangst pakket van %d bytes van %s (%s)" -#: src/net_packet.c:185 src/route.c:108 +#: src/net_packet.c:181 src/route.c:108 #, c-format msgid "Got too short packet from %s (%s)" msgstr "Kreeg te kort pakket van %s (%s)" -#: src/net_packet.c:198 +#: src/net_packet.c:195 #, c-format msgid "Got unauthenticated packet from %s (%s)" msgstr "Kreeg niet-geauthenticeerd pakket van %s (%s)" -#: src/net_packet.c:213 +#: src/net_packet.c:210 #, c-format msgid "Error decrypting packet from %s (%s): %s" msgstr "Fout tijdens ontsleutelen pakket van %s (%s): %s" -#: src/net_packet.c:229 -#, c-format -msgid "Lost %d packets from %s (%s)" +#: src/net_packet.c:235 +#, fuzzy, c-format +msgid "Lost %u packets from %s (%s)" msgstr "%d pakketten van %s (%s) verloren" -#: src/net_packet.c:235 -#, c-format -msgid "Got late or replayed packet from %s (%s), seqno %d, last received %d" +#: src/net_packet.c:241 +#, fuzzy, c-format +msgid "Got late or replayed packet from %s (%s), seqno %u, last received %u" msgstr "" "Kreeg laat of gedupliceerd pakket van %s (%s), seqno %d, laatste ontvangen %d" -#: src/net_packet.c:255 +#: src/net_packet.c:263 #, c-format msgid "Error while uncompressing packet from %s (%s)" msgstr "Fout tijdens decomprimeren pakket van %s (%s)" -#: src/net_packet.c:303 +#: src/net_packet.c:313 #, c-format msgid "No valid key known yet for %s (%s), queueing packet" msgstr "" "Nog geen geldige sleutel bekend voor %s (%s), pakket wordt in wachtrij gezet" -#: src/net_packet.c:332 +#: src/net_packet.c:342 #, c-format msgid "Error while compressing packet to %s (%s)" msgstr "Fout tijdens comprimeren pakket naar %s (%s)" -#: src/net_packet.c:354 +#: src/net_packet.c:386 #, c-format msgid "Error while encrypting packet to %s (%s): %s" msgstr "Fout tijdens versleutelen pakket naar %s (%s): %s" -#: src/net_packet.c:386 +#: src/net_packet.c:400 +#, fuzzy, c-format +msgid "Error while authenticating packet to %s (%s)" +msgstr "Fout tijdens versleutelen pakket naar %s (%s): %s" + +#: src/net_packet.c:424 #, c-format msgid "Setting outgoing packet priority to %d" msgstr "Instellen prioriteit uitgaand pakket op %d" -#: src/net_packet.c:388 src/net_setup.c:475 src/net_socket.c:72 -#: src/net_socket.c:123 src/net_socket.c:152 src/tincd.c:434 src/tincd.c:468 -#: src/process.c:198 src/process.c:231 src/process.c:417 -#: src/cygwin/device.c:150 src/cygwin/device.c:181 src/mingw/device.c:82 -#: src/mingw/device.c:91 src/mingw/device.c:96 src/mingw/device.c:252 -#: src/mingw/device.c:259 src/mingw/device.c:264 src/mingw/device.c:271 -#: src/mingw/device.c:280 src/mingw/device.c:287 +#: src/net_packet.c:426 src/net_setup.c:488 src/net_socket.c:84 +#: src/net_socket.c:135 src/net_socket.c:164 src/net_socket.c:437 +#: src/tincd.c:436 src/tincd.c:468 src/process.c:198 src/process.c:231 +#: src/process.c:417 src/cygwin/device.c:150 src/cygwin/device.c:181 +#: src/mingw/device.c:82 src/mingw/device.c:91 src/mingw/device.c:96 +#: src/mingw/device.c:252 src/mingw/device.c:259 src/mingw/device.c:264 +#: src/mingw/device.c:271 src/mingw/device.c:280 src/mingw/device.c:287 #, c-format msgid "System call `%s' failed: %s" msgstr "Systeemaanroep `%s' mislukte: %s" -#: src/net_packet.c:399 +#: src/net_packet.c:437 #, c-format msgid "Error sending packet to %s (%s): %s" msgstr "Fout tijdens verzenden pakket naar %s (%s): %s" -#: src/net_packet.c:422 +#: src/net_packet.c:460 #, c-format msgid "Sending packet of %d bytes to %s (%s)" msgstr "Verzending pakket van %d bytes naar %s (%s)" -#: src/net_packet.c:426 +#: src/net_packet.c:464 #, c-format msgid "Node %s (%s) is not reachable" msgstr "Node %s (%s) is niet bereikbaar" -#: src/net_packet.c:434 +#: src/net_packet.c:472 #, c-format msgid "Sending packet to %s via %s (%s)" msgstr "Verzending pakket naar %s via %s (%s)" -#: src/net_packet.c:453 +#: src/net_packet.c:491 #, c-format msgid "Broadcasting packet of %d bytes from %s (%s)" msgstr "Verspreiding pakket van %d bytes van %s (%s)" -#: src/net_packet.c:470 +#: src/net_packet.c:508 #, c-format msgid "Flushing queue for %s (%s)" msgstr "Legen van wachtrij voor %s (%s)" -#: src/net_packet.c:492 +#: src/net_packet.c:530 #, c-format msgid "Receiving packet failed: %s" msgstr "Ontvangst pakket mislukt: %s" -#: src/net_packet.c:502 +#: src/net_packet.c:540 #, c-format msgid "Received UDP packet from unknown source %s" msgstr "Ontvangst UDP pakket van onbekende oorsprong %s" -#: src/net_setup.c:77 src/net_setup.c:94 +#: src/net_setup.c:76 src/net_setup.c:93 #, c-format msgid "Error reading RSA public key file `%s': %s" msgstr "Fout tijdens lezen RSA publieke sleutel bestand `%s': %s" -#: src/net_setup.c:109 +#: src/net_setup.c:108 #, c-format msgid "Reading RSA public key file `%s' failed: %s" msgstr "Lezen RSA publieke sleutel bestand `%s' mislukt: %s" -#: src/net_setup.c:145 +#: src/net_setup.c:144 #, c-format msgid "No public key for %s specified!" msgstr "Geen publieke sleutel bekend voor %s gespecificeerd!" -#: src/net_setup.c:160 -msgid "PrivateKey used but no PublicKey found!" -msgstr "PrivateKey gebruikt maar geen PublicKey gevonden!" - -#: src/net_setup.c:179 -#, c-format -msgid "Error reading RSA private key file `%s': %s" +#: src/net_setup.c:163 +#, fuzzy, c-format +msgid "Error reading trust file '%s': %s" msgstr "Fout tijdens lezen RSA privé sleutel bestand `%s': %s" -#: src/net_setup.c:187 -#, c-format -msgid "Could not stat RSA private key file `%s': %s'" -msgstr "Kon gegevens RSA privé sleutel bestand `%s' niet opvragen: %s" +#: src/net_setup.c:173 +#, fuzzy, c-format +msgid "Error reading CRL file '%s': %s" +msgstr "Fout bij het openen van het bestand `%s': %s\n" -#: src/net_setup.c:194 -#, c-format -msgid "Warning: insecure file permissions for RSA private key file `%s'!" +#: src/net_setup.c:188 +msgid "JOEHOE" msgstr "" -"Waarschuwing: onveilige permissies voor RSA privé sleutel bestand `%s'!" -#: src/net_setup.c:201 -#, c-format -msgid "Reading RSA private key file `%s' failed: %s" -msgstr "Fout tijdens lezen RSA privé sleutel bestand `%s': %s" +#: src/net_setup.c:194 +#, fuzzy, c-format +msgid "Error reading credentials from %s and %s: %s" +msgstr "Fout tijdens lezen van %s %s: %s" -#: src/net_setup.c:231 src/net_setup.c:232 +#: src/net_setup.c:226 src/net_setup.c:227 msgid "MYSELF" msgstr "MIJZELF" -#: src/net_setup.c:238 +#: src/net_setup.c:233 msgid "Name for tinc daemon required!" msgstr "Naam voor tinc daemon verplicht!" -#: src/net_setup.c:243 +#: src/net_setup.c:238 msgid "Invalid name for myself!" msgstr "Ongeldige naam voor mijzelf!" -#: src/net_setup.c:252 +#: src/net_setup.c:250 msgid "Cannot open host configuration file for myself!" msgstr "Kan host configuratie bestand voor mijzelf niet openen!" -#: src/net_setup.c:305 +#: src/net_setup.c:300 msgid "Invalid routing mode!" msgstr "Ongeldige routing modus!" -#: src/net_setup.c:316 +#: src/net_setup.c:311 msgid "PriorityInheritance not supported on this platform" msgstr "PriorityInheritance wordt niet ondersteund op dit platform" -#: src/net_setup.c:324 +#: src/net_setup.c:319 msgid "Bogus maximum timeout!" msgstr "Onzinnige maximum timeout!" -#: src/net_setup.c:338 +#: src/net_setup.c:333 msgid "Invalid address family!" msgstr "Ongeldige adresfamilie!" -#: src/net_setup.c:356 +#: src/net_setup.c:350 msgid "Unrecognized cipher type!" msgstr "Onbekend cipher type!" -#: src/net_setup.c:381 src/protocol_auth.c:189 +#: src/net_setup.c:361 #, c-format msgid "Error during initialisation of cipher for %s (%s): %s" msgstr "Fout tijdens initialisatie van cipher voor %s (%s): %s" -#: src/net_setup.c:398 +#: src/net_setup.c:375 +#, c-format +msgid "Key %s len %d" +msgstr "" + +#: src/net_setup.c:395 msgid "Unrecognized digest type!" msgstr "Onbekend digest type!" -#: src/net_setup.c:411 +#: src/net_setup.c:407 +#, fuzzy, c-format +msgid "Error during initialisation of digest for %s (%s): %s" +msgstr "Fout tijdens initialisatie van cipher voor %s (%s): %s" + +#: src/net_setup.c:428 msgid "MAC length exceeds size of digest!" msgstr "MAC lengte is groter dan dat van digest!" -#: src/net_setup.c:414 +#: src/net_setup.c:431 msgid "Bogus MAC length!" msgstr "Onzinnige MAC lengte!" -#: src/net_setup.c:428 +#: src/net_setup.c:443 msgid "Bogus compression level!" msgstr "Onzinnig compressieniveau!" -#: src/net_setup.c:497 +#: src/net_setup.c:510 #, c-format msgid "Listening on %s" msgstr "Luisterend op %s" -#: src/net_setup.c:508 +#: src/net_setup.c:521 msgid "Ready" msgstr "Gereed" -#: src/net_setup.c:510 +#: src/net_setup.c:523 msgid "Unable to create any listening socket!" msgstr "Kon geen enkele luistersocket aanmaken!" -#: src/net_socket.c:62 +#: src/net_socket.c:74 #, c-format msgid "Creating metasocket failed: %s" msgstr "Aanmaak van metasocket mislukt: %s" -#: src/net_socket.c:103 src/net_socket.c:195 +#: src/net_socket.c:115 src/net_socket.c:207 #, c-format msgid "Can't bind to interface %s: %s" msgstr "Kan niet aan interface %s binden: %s" -#: src/net_socket.c:108 +#: src/net_socket.c:120 msgid "BindToInterface not supported on this platform" msgstr "BindToInterface wordt niet ondersteund op dit platform" -#: src/net_socket.c:115 +#: src/net_socket.c:127 #, c-format msgid "Can't bind to %s/tcp: %s" msgstr "Kan niet aan %s/tcp binden: %s" -#: src/net_socket.c:142 +#: src/net_socket.c:154 #, c-format msgid "Creating UDP socket failed: %s" msgstr "Aanmaak UDP socket mislukte: %s" -#: src/net_socket.c:206 +#: src/net_socket.c:218 #, c-format msgid "Can't bind to %s/udp: %s" msgstr "Kan niet aan %s/udp binden: %s" -#: src/net_socket.c:233 +#: src/net_socket.c:245 #, c-format msgid "Trying to re-establish outgoing connection in %d seconds" msgstr "Poging tot herstellen van uitgaande verbinding over %d seconden" -#: src/net_socket.c:241 +#: src/net_socket.c:255 #, c-format msgid "Connected to %s (%s)" msgstr "Verbonden met %s (%s)" -#: src/net_socket.c:258 +#: src/net_socket.c:278 #, c-format msgid "Could not set up a meta connection to %s" msgstr "Kon geen metaverbinding aangaan met %s" -#: src/net_socket.c:292 +#: src/net_socket.c:312 #, c-format msgid "Trying to connect to %s (%s)" msgstr "Poging tot verbinden met %s (%s)" -#: src/net_socket.c:298 +#: src/net_socket.c:318 #, c-format msgid "Creating socket for %s failed: %s" msgstr "Aanmaken socket voor %s mislukt: %s" -#: src/net_socket.c:322 +#: src/net_socket.c:342 #, c-format msgid "fcntl for %s: %s" msgstr "fcntl voor %s: %s" -#: src/net_socket.c:338 +#: src/net_socket.c:358 #, c-format msgid "%s: %s" msgstr "%s: %s" -#: src/net_socket.c:359 +#: src/net_socket.c:363 +#, fuzzy +msgid "finishing connection" +msgstr "Einde van verbindingen." + +#: src/net_socket.c:380 #, c-format msgid "Already connected to %s" msgstr "Reeds verbonden met %s" -#: src/net_socket.c:378 +#: src/net_socket.c:395 #, c-format msgid "No address specified for %s" msgstr "Geen adres gespecificeerd voor %s" -#: src/net_socket.c:408 +#: src/net_socket.c:426 #, c-format msgid "Accepting a new connection failed: %s" msgstr "Aanname van nieuwe verbinding is mislukt: %s" -#: src/net_socket.c:426 +#: src/net_socket.c:453 #, c-format msgid "Connection from %s" msgstr "Verbinding van %s" -#: src/net_socket.c:450 +#: src/net_socket.c:484 #, c-format msgid "Invalid name for outgoing connection in %s line %d" msgstr "Ongeldige naam voor uitgaande verbinding in %s regel %d" @@ -613,112 +633,81 @@ msgstr "Verzoek reeds gezien" msgid "Aging past requests: deleted %d, left %d" msgstr "Veroudering vorige verzoeken: %d gewist, %d overgebleven" -#: src/protocol_auth.c:58 src/protocol_auth.c:209 src/protocol_auth.c:338 -#: src/protocol_auth.c:405 src/protocol_auth.c:531 src/protocol_edge.c:73 -#: src/protocol_edge.c:188 src/protocol_key.c:62 src/protocol_key.c:105 -#: src/protocol_key.c:172 src/protocol_misc.c:54 src/protocol_misc.c:83 -#: src/protocol_misc.c:171 src/protocol_subnet.c:58 src/protocol_subnet.c:167 -#, c-format -msgid "Got bad %s from %s (%s)" -msgstr "Kreeg verkeerde %s van %s (%s)" - -#: src/protocol_auth.c:66 src/protocol_edge.c:81 src/protocol_edge.c:87 -#: src/protocol_edge.c:196 src/protocol_edge.c:202 src/protocol_subnet.c:66 -#: src/protocol_subnet.c:74 src/protocol_subnet.c:175 -#: src/protocol_subnet.c:196 -#, c-format -msgid "Got bad %s from %s (%s): %s" -msgstr "Kreeg verkeerde %s van %s (%s): %s" - -#: src/protocol_auth.c:75 -#, c-format -msgid "Peer %s is %s instead of %s" -msgstr "Ander %s is %s in plaats van %s" - -#: src/protocol_auth.c:85 +#: src/protocol_auth.c:53 #, c-format -msgid "Peer %s (%s) uses incompatible version %d" -msgstr "Ander %s (%s) gebruikt incompatibele versie %d" - -#: src/protocol_auth.c:101 -#, c-format -msgid "Peer %s had unknown identity (%s)" -msgstr "Ander %s heeft onbekende identiteit (%s)" - -#: src/protocol_auth.c:153 -#, c-format -msgid "Generated random meta key (unencrypted): %s" -msgstr "Willekeurige meta sleutel aangemaakt (niet versleuteld): %s" +msgid "No certificates from %s" +msgstr "" -#: src/protocol_auth.c:165 src/protocol_auth.c:238 -#, c-format -msgid "Error during encryption of meta key for %s (%s)" -msgstr "Fout tijdens versleutelen van meta key voor %s (%s)" +#: src/protocol_auth.c:63 +#, fuzzy, c-format +msgid "Error importing certificate from %s: %s" +msgstr "Fout tijdens ontsleutelen pakket van %s (%s): %s" -#: src/protocol_auth.c:219 src/protocol_auth.c:348 src/protocol_auth.c:413 -#: src/protocol_auth.c:435 -#, c-format -msgid "Possible intruder %s (%s): %s" -msgstr "Mogelijke indringer %s (%s): %s" +#: src/protocol_auth.c:70 +#, fuzzy, c-format +msgid "No name in certificate from %s" +msgstr "Fout tijdens ontsleutelen pakket van %s (%s): %s" -#: src/protocol_auth.c:246 -#, c-format -msgid "Received random meta key (unencrypted): %s" -msgstr "Ontving willekeurige meta key (niet versleuteld): %s" +#: src/protocol_auth.c:79 +#, fuzzy, c-format +msgid "Invalid name from %s" +msgstr "Ongeldige naam voor mijzelf!" -#: src/protocol_auth.c:257 +#: src/protocol_auth.c:85 #, c-format -msgid "%s (%s) uses unknown cipher!" -msgstr "%s (%s) gebruikt onbekende cipher!" +msgid "Peer %s is %s instead of %s" +msgstr "Ander %s is %s in plaats van %s" -#: src/protocol_auth.c:265 +#: src/protocol_auth.c:96 #, c-format -msgid "Error during initialisation of cipher from %s (%s): %s" -msgstr "Fout tijdens initalisatie van cipher van %s (%s): %s" +msgid "Certificate from %s (%s) invalid" +msgstr "" -#: src/protocol_auth.c:281 src/protocol_key.c:242 +#: src/protocol_auth.c:98 #, c-format -msgid "Node %s (%s) uses unknown digest!" -msgstr "Node %s (%s) gebruikt onbekende digest!" +msgid "Certificate from %s (%s) revoked" +msgstr "" -#: src/protocol_auth.c:286 +#: src/protocol_auth.c:100 #, c-format -msgid "%s (%s) uses bogus MAC length!" -msgstr "%s (%s) gebruikt onzinnige MAC lengte!" +msgid "Certificate from %s (%s) has no known signer" +msgstr "" -#: src/protocol_auth.c:381 +#: src/protocol_auth.c:102 #, c-format -msgid "Error during calculation of response for %s (%s): %s" -msgstr "Fout tijdens berekenen van antwoord voor %s (%s): %s" - -#: src/protocol_auth.c:414 -msgid "wrong challenge reply length" -msgstr "verkeerde lengte antwoord op uitdaging" +msgid "Certificate from %s (%s) has no CA as signer" +msgstr "" -#: src/protocol_auth.c:427 +#: src/protocol_auth.c:109 #, c-format -msgid "Error during calculation of response from %s (%s): %s" -msgstr "Fout tijdens narekenen van antwoord van %s (%s): %s" - -#: src/protocol_auth.c:436 -msgid "wrong challenge reply" -msgstr "verkeerd antwoord op uitdaging" +msgid "Peer %s had unknown identity (%s)" +msgstr "Ander %s heeft onbekende identiteit (%s)" -#: src/protocol_auth.c:441 +#: src/protocol_auth.c:188 src/protocol_edge.c:73 src/protocol_edge.c:188 +#: src/protocol_key.c:62 src/protocol_key.c:105 src/protocol_key.c:176 +#: src/protocol_misc.c:54 src/protocol_misc.c:83 src/protocol_misc.c:171 +#: src/protocol_subnet.c:58 src/protocol_subnet.c:167 #, c-format -msgid "Expected challenge reply: %s" -msgstr "Verwachtte antwoord op uitdaging: %s" +msgid "Got bad %s from %s (%s)" +msgstr "Kreeg verkeerde %s van %s (%s)" -#: src/protocol_auth.c:547 +#: src/protocol_auth.c:204 #, c-format msgid "Established a second connection with %s (%s), closing old connection" msgstr "Tweede verbinding met %s (%s) gemaakt, oude verbinding wordt gesloten" -#: src/protocol_auth.c:570 +#: src/protocol_auth.c:227 #, c-format msgid "Connection with %s (%s) activated" msgstr "Verbinding met %s (%s) geactiveerd" +#: src/protocol_edge.c:81 src/protocol_edge.c:87 src/protocol_edge.c:196 +#: src/protocol_edge.c:202 src/protocol_subnet.c:66 src/protocol_subnet.c:74 +#: src/protocol_subnet.c:175 src/protocol_subnet.c:196 +#, c-format +msgid "Got bad %s from %s (%s): %s" +msgstr "Kreeg verkeerde %s van %s (%s): %s" + #: src/protocol_edge.c:82 src/protocol_edge.c:88 src/protocol_edge.c:197 #: src/protocol_edge.c:203 src/protocol_subnet.c:67 src/protocol_subnet.c:176 msgid "invalid name" @@ -755,14 +744,14 @@ msgstr "Kreeg %s van %s (%s) voor onszelf" msgid "Got %s from %s (%s) origin %s which does not exist" msgstr "Kreeg %s van %s (%s) herkomst %s welke niet bestaat" -#: src/protocol_key.c:113 src/protocol_key.c:180 +#: src/protocol_key.c:113 src/protocol_key.c:184 #, c-format msgid "" "Got %s from %s (%s) origin %s which does not exist in our connection list" msgstr "" "Kreeg %s van %s (%s) herkomst %s welke niet voorkomt in de verbindingslijst" -#: src/protocol_key.c:121 src/protocol_key.c:188 +#: src/protocol_key.c:121 src/protocol_key.c:192 #, c-format msgid "" "Got %s from %s (%s) destination %s which does not exist in our connection " @@ -770,27 +759,32 @@ msgid "" msgstr "" "Kreeg %s van %s (%s) doel %s welke niet voorkomt in de verbindingslijst" -#: src/protocol_key.c:222 +#: src/protocol_key.c:211 #, c-format msgid "Node %s (%s) uses unknown cipher!" msgstr "Node %s (%s) gebruikt onbekende cipher!" -#: src/protocol_key.c:228 +#: src/protocol_key.c:227 #, c-format -msgid "Node %s (%s) uses wrong keylength!" -msgstr "Node %s (%s) gebruikt verkeerde lengte sleutel!" +msgid "Node %s (%s) uses unknown digest!" +msgstr "Node %s (%s) gebruikt onbekende digest!" -#: src/protocol_key.c:248 +#: src/protocol_key.c:235 #, c-format msgid "Node %s (%s) uses bogus MAC length!" msgstr "Node %s (%s) gebruikt onzinnige MAC lengte!" -#: src/protocol_key.c:257 +#: src/protocol_key.c:244 #, c-format msgid "Node %s (%s) uses bogus compression level!" msgstr "Node %s (%s) gebruikt onzinnig compressieniveau!" -#: src/protocol_key.c:265 +#: src/protocol_key.c:260 +#, fuzzy, c-format +msgid "Node %s (%s) uses wrong keylength %d instead of %d!" +msgstr "Node %s (%s) gebruikt verkeerde lengte sleutel!" + +#: src/protocol_key.c:277 src/protocol_key.c:288 #, c-format msgid "Error during initialisation of key from %s (%s): %s" msgstr "Fout tijdens initialisatie van sleutel van %s (%s): %s" @@ -843,12 +837,12 @@ msgstr " %s eigenaar %s" msgid "End of subnet list." msgstr "Einde van subnet lijst." -#: src/tincd.c:108 +#: src/tincd.c:105 #, c-format msgid "Try `%s --help' for more information.\n" msgstr "Probeer `%s --help' voor meer informatie.\n" -#: src/tincd.c:111 +#: src/tincd.c:108 #, c-format msgid "" "Usage: %s [option]...\n" @@ -857,7 +851,7 @@ msgstr "" "Gebruik: %s [optie]...\n" "\n" -#: src/tincd.c:112 +#: src/tincd.c:109 #, c-format msgid "" " -c, --config=DIR Read configuration options from DIR.\n" @@ -887,14 +881,14 @@ msgstr "" " --version Geef versie informatie en beëindig.\n" "\n" -#: src/tincd.c:123 +#: src/tincd.c:120 #, c-format msgid "Report bugs to tinc@nl.linux.org.\n" msgstr "" "Meld fouten in het programma aan tinc@nl.linux.org;\n" "Meld fouten in de vertaling aan vertaling@nl.linux.org.\n" -#: src/tincd.c:179 +#: src/tincd.c:176 #, c-format msgid "" "Invalid argument `%s'; SIGNAL must be a number or one of HUP, TERM, KILL, " @@ -903,7 +897,7 @@ msgstr "" "Ongeldig argument `%s'; SIGNAAL moet een getal zijn of één van HUP, TERM, " "KILL, USR1, USR2, WINCH, INT of ALRM.\n" -#: src/tincd.c:201 +#: src/tincd.c:198 #, c-format msgid "" "Invalid argument `%s'; BITS must be a number equal to or greater than 512.\n" @@ -911,26 +905,31 @@ msgstr "" "Ongeldig argument `%s'; BITS moet een nummer zijn gelijk aan of groter dan " "512.\n" -#: src/tincd.c:294 +#: src/tincd.c:286 +#, c-format +msgid "Use certtool!\n" +msgstr "" + +#: src/tincd.c:295 #, c-format msgid "Generating %d bits keys:\n" msgstr "Bezig met genereren van een %d bits sleutel:\n" -#: src/tincd.c:298 +#: src/tincd.c:299 #, c-format msgid "Error during key generation!\n" msgstr "Fout tijdens genereren sleutel!\n" -#: src/tincd.c:301 +#: src/tincd.c:302 #, c-format msgid "Done.\n" msgstr "Klaar.\n" -#: src/tincd.c:304 +#: src/tincd.c:305 msgid "private RSA key" msgstr "geheime RSA sleutel" -#: src/tincd.c:315 src/tincd.c:334 +#: src/tincd.c:316 src/tincd.c:335 #, c-format msgid "" "Appending key to existing contents.\n" @@ -939,21 +938,21 @@ msgstr "" "Sleutel wordt toegevoegd aan bestaande inhoud.\n" "Let er op dat er slechts één sleutel in het bestand is.\n" -#: src/tincd.c:328 +#: src/tincd.c:329 msgid "public RSA key" msgstr "openbare RSA sleutel" -#: src/tincd.c:387 +#: src/tincd.c:389 msgid "Both netname and configuration directory given, using the latter..." msgstr "" "Zowel netnaam als configuratiemap zijn gegeven, laatste wordt gebruikt..." -#: src/tincd.c:408 +#: src/tincd.c:410 #, c-format msgid "%s version %s (built %s %s, protocol %d)\n" msgstr "%s versie %s (gemaakt %s %s, protocol %d)\n" -#: src/tincd.c:410 +#: src/tincd.c:412 #, c-format msgid "" "Copyright (C) 1998-2003 Ivo Timmermans, Guus Sliepen and others.\n" @@ -971,7 +970,7 @@ msgstr "" "en je bent welkom om het te distribueren onder bepaalde voorwaarden;\n" "zie het bestand COPYING voor details.\n" -#: src/tincd.c:438 +#: src/tincd.c:440 msgid "mlockall() not supported on this platform!" msgstr "mlockall() wordt niet ondersteund op dit platform!" @@ -1059,9 +1058,9 @@ msgid "A tincd is already running with pid %ld.\n" msgstr "Een tincd draait al met pid %ld.\n" #: src/process.c:261 -#, c-format +#, fuzzy, c-format msgid "Could write pid file %s: %s\n" -msgstr "Kon pid bestand %s niet openen: %s\n" +msgstr "Kon `%s' niet openen: %s" #: src/process.c:283 #, c-format @@ -1094,9 +1093,9 @@ msgid "Couldn't detach from terminal: %s" msgstr "Kon niet ontkoppelen van terminal: %s" #: src/process.c:341 -#, c-format +#, fuzzy, c-format msgid "Could not write pid file %s: %s\n" -msgstr "Kon pid bestand %s niet schrijven: %s\n" +msgstr "Kon `%s' niet openen: %s" #: src/process.c:352 #, c-format @@ -1184,52 +1183,48 @@ msgstr "Nieuw MAC adres %hx:%hx:%hx:%hx:%hx:%hx geleerd" #: src/route.c:165 #, c-format msgid "Subnet %s expired" -msgstr "Subnet %s is verlopen" +msgstr "" #: src/route.c:200 src/route.c:353 src/route.c:495 -#, c-format +#, fuzzy, c-format msgid "Packet looping back to %s (%s)!" -msgstr "Pakket komt terug naar %s (%s)!" +msgstr "Pakket komt terug naar ons!" #: src/route.c:299 #, c-format msgid "Length of packet (%d) doesn't match length in IPv4 header (%d)" msgstr "" -"Lengte van pakket (%d) komt niet overeen met lengte in IPv4 header (%d)" #: src/route.c:303 -#, c-format +#, fuzzy, c-format msgid "Fragmenting packet of %d bytes to %s (%s)" -msgstr "Fragmentatie pakket van %d bytes naar %s (%s)" +msgstr "Verzending pakket van %d bytes naar %s (%s)" #: src/route.c:341 -#, c-format +#, fuzzy, c-format msgid "" "Cannot route packet from %s (%s): unknown IPv4 destination address %d.%d.%d.%" "d" -msgstr "" -"Kan pakket van %s (%s) niet routeren: onbekend IPv4 doeladres %d.%d.%d.%d" +msgstr "Kan pakket niet routeren: onbekend IPv4 doeladres %d.%d.%d.%d" #: src/route.c:366 src/route.c:505 #, c-format msgid "Packet for %s (%s) length %d larger than MTU %d" -msgstr "Packet voor %s (%s) lengte %d groter dan MTU %d" +msgstr "" #: src/route.c:479 -#, c-format +#, fuzzy, c-format msgid "" "Cannot route packet from %s (%s): unknown IPv6 destination address %hx:%hx:%" "hx:%hx:%hx:%hx:%hx:%hx" msgstr "" -"Kan pakket van %s (%s) niet routeren: onbekend IPv6 doeladres %hx:%hx:%hx:%" -"hx:%hx:%hx:%hx:%hx" +"Kan pakket niet routeren: onbekend IPv6 doeladres %hx:%hx:%hx:%hx:%hx:%hx:%" +"hx:%hx" #: src/route.c:537 #, c-format msgid "Got neighbor solicitation request from %s (%s) while in router mode!" msgstr "" -"Kreeg neighbor solicitation request van %s (%s) terwijl we in router mode " -"werken!" #: src/route.c:556 msgid "" @@ -1253,9 +1248,9 @@ msgstr "" "hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx" #: src/route.c:671 -#, c-format +#, fuzzy, c-format msgid "Got ARP request from %s (%s) while in router mode!" -msgstr "Kreeg ARP request van %s (%s) terwijl we in router mode werken!" +msgstr "Kreeg %s van %s (%s) voor %s welke niet voorkomt in de node boom" #: src/route.c:688 msgid "Cannot route packet: received unknown type ARP request" @@ -1267,22 +1262,22 @@ msgid "Cannot route packet: ARP request for unknown address %d.%d.%d.%d" msgstr "Kan pakket niet routeren: ARP verzoek voor onbekend adres %d.%d.%d.%d" #: src/route.c:753 -#, c-format +#, fuzzy, c-format msgid "Cannot route packet from %s (%s): unknown type %hx" -msgstr "Kan pakket van %s (%s) niet routeren: onbekend type %hx" +msgstr "Kan pakket niet routeren: onbekend type %hx" #: src/node.c:183 msgid "Nodes:" msgstr "Nodes:" #: src/node.c:187 -#, c-format +#, fuzzy, c-format msgid "" -" %s at %s cipher %d digest %d maclength %d compression %d options %lx status " +" %s at %s cipher %s digest %s maclength %d compression %d options %lx status " "%04x nexthop %s via %s pmtu %d (min %d max %d)" msgstr "" " %s op %s cipher %d digest %d maclengte %d compressie %d opties %lx status %" -"04x nexthop %s via %s pmtu %d (min %d max %d)" +"04x nexthop %s via %s" #: src/node.c:194 msgid "End of nodes." @@ -1506,6 +1501,65 @@ msgstr "Kan interface %s niet vinden: %s" msgid "Could not bind to %s: %s" msgstr "Kon niet aan interface `%s' binden: %s" +#, fuzzy +#~ msgid "%s is %s" +#~ msgstr "%s is een %s" + +#~ msgid "Error while encrypting metadata to %s (%s): %s" +#~ msgstr "Fout tijdens versleutelen van metadata naar %s (%s): %s" + +#~ msgid "Error while decrypting metadata from %s (%s): %s" +#~ msgstr "Fout tijdens ontsleutelen van metadata van %s (%s): %s" + +#~ msgid "Could not stat RSA private key file `%s': %s'" +#~ msgstr "Kon gegevens RSA privé sleutel bestand `%s' niet opvragen: %s" + +#~ msgid "Warning: insecure file permissions for RSA private key file `%s'!" +#~ msgstr "" +#~ "Waarschuwing: onveilige permissies voor RSA privé sleutel bestand `%s'!" + +#~ msgid "Reading RSA private key file `%s' failed: %s" +#~ msgstr "Fout tijdens lezen RSA privé sleutel bestand `%s': %s" + +#~ msgid "Peer %s (%s) uses incompatible version %d" +#~ msgstr "Ander %s (%s) gebruikt incompatibele versie %d" + +#~ msgid "Generated random meta key (unencrypted): %s" +#~ msgstr "Willekeurige meta sleutel aangemaakt (niet versleuteld): %s" + +#~ msgid "Error during encryption of meta key for %s (%s)" +#~ msgstr "Fout tijdens versleutelen van meta key voor %s (%s)" + +#~ msgid "Possible intruder %s (%s): %s" +#~ msgstr "Mogelijke indringer %s (%s): %s" + +#~ msgid "Received random meta key (unencrypted): %s" +#~ msgstr "Ontving willekeurige meta key (niet versleuteld): %s" + +#~ msgid "%s (%s) uses unknown cipher!" +#~ msgstr "%s (%s) gebruikt onbekende cipher!" + +#~ msgid "Error during initialisation of cipher from %s (%s): %s" +#~ msgstr "Fout tijdens initalisatie van cipher van %s (%s): %s" + +#~ msgid "%s (%s) uses bogus MAC length!" +#~ msgstr "%s (%s) gebruikt onzinnige MAC lengte!" + +#~ msgid "Error during calculation of response for %s (%s): %s" +#~ msgstr "Fout tijdens berekenen van antwoord voor %s (%s): %s" + +#~ msgid "wrong challenge reply length" +#~ msgstr "verkeerde lengte antwoord op uitdaging" + +#~ msgid "Error during calculation of response from %s (%s): %s" +#~ msgstr "Fout tijdens narekenen van antwoord van %s (%s): %s" + +#~ msgid "wrong challenge reply" +#~ msgstr "verkeerd antwoord op uitdaging" + +#~ msgid "Expected challenge reply: %s" +#~ msgstr "Verwachtte antwoord op uitdaging: %s" + #~ msgid "Restarting in %d seconds!" #~ msgstr "Herstart in %d seconden!" diff --git a/src/Makefile.am b/src/Makefile.am index a3b72028..146ff946 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -21,7 +21,7 @@ noinst_HEADERS = conf.h connection.h device.h edge.h event.h graph.h logger.h me LIBS = @LIBS@ @LIBINTL@ tincd_LDADD = \ - $(top_builddir)/lib/libvpn.a + $(top_builddir)/lib/libvpn.a -lgnutls localedir = $(datadir)/locale diff --git a/src/conf.c b/src/conf.c index 369a5fbc..d0a2d2df 100644 --- a/src/conf.c +++ b/src/conf.c @@ -321,7 +321,7 @@ int read_config_file(avl_tree_t *config_tree, const char *fname) int err = -2; /* Parse error */ FILE *fp; char *buffer, *line; - char *variable, *value, *eol; + char *variable, *value; int lineno = 0; int len; bool ignore = false; @@ -372,10 +372,6 @@ int read_config_file(avl_tree_t *config_tree, const char *fname) variable = value = line; - eol = line + strlen(line); - while(strchr("\t ", *--eol)) - *eol = '\0'; - len = strcspn(value, "\t ="); value += len; value += strspn(value, "\t "); @@ -385,7 +381,6 @@ int read_config_file(avl_tree_t *config_tree, const char *fname) } variable[len] = '\0'; - if(!*value) { logger(LOG_ERR, _("No value for variable `%s' on line %d while reading config file %s"), variable, lineno, fname); diff --git a/src/connection.c b/src/connection.c index b4a17ad3..4d036edf 100644 --- a/src/connection.c +++ b/src/connection.c @@ -78,21 +78,6 @@ void free_connection(connection_t *c) { cp(); - if(c->hostname) - free(c->hostname); - - if(c->inkey) - free(c->inkey); - - if(c->outkey) - free(c->outkey); - - if(c->mychallenge) - free(c->mychallenge); - - if(c->hischallenge) - free(c->hischallenge); - free(c); } @@ -121,8 +106,13 @@ void dump_connections(void) for(node = connection_tree->head; node; node = node->next) { c = node->data; - logger(LOG_DEBUG, _(" %s at %s options %lx socket %d status %04x"), - c->name, c->hostname, c->options, c->socket, *(uint32_t *)&c->status); + logger(LOG_DEBUG, _(" %s at %s options %lx socket %d cipher %s digest %s compression %s kx method %s status %04x"), + c->name, c->hostname, c->options, c->socket, + c->session ? gnutls_cipher_get_name(gnutls_cipher_get(c->session)) : "-", + c->session ? gnutls_mac_get_name(gnutls_mac_get(c->session)) : "-", + c->session ? gnutls_compression_get_name(gnutls_compression_get(c->session)) : "-", + c->session ? gnutls_kx_get_name(gnutls_kx_get(c->session)) : "-", + *(uint32_t *)&c->status); } logger(LOG_DEBUG, _("End of connections.")); diff --git a/src/connection.h b/src/connection.h index b1c35af2..0c93fedf 100644 --- a/src/connection.h +++ b/src/connection.h @@ -23,8 +23,7 @@ #ifndef __TINC_CONNECTION_H__ #define __TINC_CONNECTION_H__ -#include -#include +#include #include "avl_tree.h" @@ -51,14 +50,14 @@ typedef struct connection_status_t { #include "node.h" typedef struct connection_t { - char *name; /* name he claims to have */ + char *name; /* name he claims to have */ - union sockaddr_t address; /* his real (internet) ip */ - char *hostname; /* the hostname of its real ip */ + union sockaddr_t address; /* his real (internet) ip */ + char *hostname; /* the hostname of its real ip */ int protocol_version; /* used protocol */ - int socket; /* socket used for this connection */ - long int options; /* options for this connection */ + int socket; /* socket used for this connection */ + long int options; /* options for this connection */ struct connection_status_t status; /* status info */ int estimated_weight; /* estimation for the weight of the edge for this connection */ struct timeval start; /* time this connection was started, used for above estimation */ @@ -67,29 +66,14 @@ typedef struct connection_t { struct node_t *node; /* node associated with the other end */ struct edge_t *edge; /* edge associated with this connection */ - RSA *rsa_key; /* his public/private key */ - const EVP_CIPHER *incipher; /* Cipher he will use to send data to us */ - const EVP_CIPHER *outcipher; /* Cipher we will use to send data to him */ - EVP_CIPHER_CTX *inctx; /* Context of encrypted meta data that will come from him to us */ - EVP_CIPHER_CTX *outctx; /* Context of encrypted meta data that will be sent from us to him */ - char *inkey; /* His symmetric meta key + iv */ - char *outkey; /* Our symmetric meta key + iv */ - int inkeylength; /* Length of his key + iv */ - int outkeylength; /* Length of our key + iv */ - const EVP_MD *indigest; - const EVP_MD *outdigest; - int inmaclength; - int outmaclength; - int incompression; - int outcompression; - char *mychallenge; /* challenge we received from him */ - char *hischallenge; /* challenge we sent to him */ + gnutls_session session; + gnutls_certificate_credentials credentials; char buffer[MAXBUFSIZE]; /* metadata input buffer */ - int buflen; /* bytes read into buffer */ - int reqlen; /* length of incoming request */ - int tcplen; /* length of incoming TCPpacket */ - int allow_request; /* defined if there's only one request possible */ + int buflen; /* bytes read into buffer */ + int reqlen; /* length of incoming request */ + int tcplen; /* length of incoming TCPpacket */ + int allow_request; /* defined if there's only one request possible */ time_t last_ping_time; /* last time we saw some activity from the other end */ diff --git a/src/meta.c b/src/meta.c index 0071eb55..4153c447 100644 --- a/src/meta.c +++ b/src/meta.c @@ -22,8 +22,7 @@ #include "system.h" -#include -#include +#include #include "avl_tree.h" #include "connection.h" @@ -36,9 +35,6 @@ bool send_meta(connection_t *c, const char *buffer, int length) { - const char *bufp; - int outlen; - char outbuf[MAXBUFSIZE]; int result; cp(); @@ -46,32 +42,21 @@ bool send_meta(connection_t *c, const char *buffer, int length) ifdebug(META) logger(LOG_DEBUG, _("Sending %d bytes of metadata to %s (%s)"), length, c->name, c->hostname); - if(c->status.encryptout) { - result = EVP_EncryptUpdate(c->outctx, outbuf, &outlen, buffer, length); - if(!result || outlen != length) { - logger(LOG_ERR, _("Error while encrypting metadata to %s (%s): %s"), - c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); - return false; - } - bufp = outbuf; - length = outlen; - } else - bufp = buffer; - while(length) { - result = send(c->socket, bufp, length, 0); + result = gnutls_record_send(c->session, buffer, length); + if(result <= 0) { - if(!errno || errno == EPIPE) { + if(!result) { ifdebug(CONNECTIONS) logger(LOG_NOTICE, _("Connection closed by %s (%s)"), c->name, c->hostname); - } else if(errno == EINTR) + } else if(result == GNUTLS_E_INTERRUPTED || result == GNUTLS_E_AGAIN) continue; else logger(LOG_ERR, _("Sending meta data to %s (%s) failed: %s"), c->name, - c->hostname, strerror(errno)); + c->hostname, gnutls_strerror(result)); return false; } - bufp += result; + buffer += result; length -= result; } @@ -96,53 +81,51 @@ void broadcast_meta(connection_t *from, const char *buffer, int length) bool receive_meta(connection_t *c) { int oldlen, i, result; - int lenin, lenout, reqlen; - bool decrypted = false; - char inbuf[MAXBUFSIZE]; + int reqlen; cp(); /* Strategy: - Read as much as possible from the TCP socket in one go. - - Decrypt it. - Check if a full request is in the input buffer. - If yes, process request and remove it from the buffer, then check again. - If not, keep stuff in buffer and exit. */ - lenin = recv(c->socket, c->buffer + c->buflen, MAXBUFSIZE - c->buflen, 0); + if(c->allow_request == ID) { + logger(LOG_DEBUG, _("Continuing handshake...")); + result = gnutls_handshake(c->session); + if(!result) { + logger(LOG_DEBUG, _("Handshake with %s (%s) completed!"), c->name, c->hostname); + c->allow_request = ACK; + return send_ack(c); + } + if(result == GNUTLS_E_INTERRUPTED || result == GNUTLS_E_AGAIN) + return true; + logger(LOG_DEBUG, _("Handshake with %s (%s) failed: %s"), c->name, c->hostname, gnutls_strerror(result)); + return false; + } + + result = gnutls_record_recv(c->session, c->buffer + c->buflen, MAXBUFSIZE - c->buflen); - if(lenin <= 0) { - if(!lenin || !errno) { + if(result <= 0) { + if(!result) { ifdebug(CONNECTIONS) logger(LOG_NOTICE, _("Connection closed by %s (%s)"), c->name, c->hostname); - } else if(errno == EINTR) + } else if(result == GNUTLS_E_INTERRUPTED || result == GNUTLS_E_AGAIN) return true; else logger(LOG_ERR, _("Metadata socket read error for %s (%s): %s"), - c->name, c->hostname, strerror(errno)); + c->name, c->hostname, gnutls_strerror(result)); return false; } oldlen = c->buflen; - c->buflen += lenin; - - while(lenin > 0) { - /* Decrypt */ - - if(c->status.decryptin && !decrypted) { - result = EVP_DecryptUpdate(c->inctx, inbuf, &lenout, c->buffer + oldlen, lenin); - if(!result || lenout != lenin) { - logger(LOG_ERR, _("Error while decrypting metadata from %s (%s): %s"), - c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); - return false; - } - memcpy(c->buffer + oldlen, inbuf, lenin); - decrypted = true; - } + c->buflen += result; + while(c->buflen > 0) { /* Are we receiving a TCPpacket? */ if(c->tcplen) { @@ -150,7 +133,6 @@ bool receive_meta(connection_t *c) receive_tcppacket(c, c->buffer, c->tcplen); c->buflen -= c->tcplen; - lenin -= c->tcplen - oldlen; memmove(c->buffer, c->buffer + c->tcplen, c->buflen); oldlen = 0; c->tcplen = 0; @@ -178,7 +160,6 @@ bool receive_meta(connection_t *c) return false; c->buflen -= reqlen; - lenin -= reqlen - oldlen; memmove(c->buffer, c->buffer + reqlen, c->buflen); oldlen = 0; continue; diff --git a/src/net.c b/src/net.c index a6d2bb7a..24f520c0 100644 --- a/src/net.c +++ b/src/net.c @@ -22,7 +22,7 @@ #include "system.h" -#include +#include #include "utils.h" #include "avl_tree.h" @@ -377,9 +377,9 @@ int main_loop(void) if(keyexpires < now) { ifdebug(STATUS) logger(LOG_INFO, _("Regenerating symmetric key")); - RAND_pseudo_bytes(myself->key, myself->keylength); + gcry_randomize(myself->cipherkey, myself->cipherkeylen, GCRY_STRONG_RANDOM); if(myself->cipher) - EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len); + gcry_cipher_setkey(myself->cipher_ctx, myself->cipherkey, myself->cipherkeylen); send_key_changed(broadcast, myself); keyexpires = now + keylifetime; } diff --git a/src/net.h b/src/net.h index 5b145538..0cd4b8d9 100644 --- a/src/net.h +++ b/src/net.h @@ -23,7 +23,7 @@ #ifndef __TINC_NET_H__ #define __TINC_NET_H__ -#include +#include #include "ipv6.h" @@ -33,7 +33,7 @@ #define MTU 1514 /* 1500 bytes payload + 14 bytes ethernet header */ #endif -#define MAXSIZE (MTU + 4 + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + MTU/64 + 20) /* MTU + seqno + padding + HMAC + compressor overhead */ +#define MAXSIZE (MTU + 4 + 64 + 64 + MTU/64 + 20) /* MTU + seqno + padding + HMAC + compressor overhead */ #define MAXBUFSIZE ((MAXSIZE > 2048 ? MAXSIZE : 2048) + 128) /* Enough room for a request with a MAXSIZEd packet or a 8192 bits RSA key */ #define MAXSOCKETS 128 /* Overkill... */ @@ -126,7 +126,8 @@ extern bool do_prune; extern bool do_purge; extern char *myport; extern time_t now; -extern EVP_CIPHER_CTX packet_ctx; +extern gcry_cipher_hd_t packet_ctx; +extern gcry_md_hd_t digest_ctx; /* Yes, very strange placement indeed, but otherwise the typedefs get all tangled up */ #include "connection.h" diff --git a/src/net_packet.c b/src/net_packet.c index 255453e9..b3cd8d4e 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -22,11 +22,7 @@ #include "system.h" -#include -#include -#include -#include -#include +#include #include #include @@ -54,7 +50,6 @@ int keylifetime = 0; int keyexpires = 0; -EVP_CIPHER_CTX packet_ctx; static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS]; static void send_udppacket(node_t *, vpn_packet_t *); @@ -88,7 +83,7 @@ void send_mtu_probe(node_t *n) len = 64; memset(packet.data, 0, 14); - RAND_pseudo_bytes(packet.data + 14, len - 14); + gcry_randomize(packet.data + 14, len - 14, GCRY_WEAK_RANDOM); packet.len = len; ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending MTU probe length %d to %s (%s)"), len, n->name, n->hostname); @@ -173,9 +168,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 }; int nextpkt = 0; vpn_packet_t *outpkt = pkt[0]; - int outlen, outpad; - char hmac[EVP_MAX_MD_SIZE]; + char *hmac = NULL; + int result; int i; + static char iv[32] = {0}; cp(); @@ -191,10 +187,11 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) if(myself->digest && myself->maclength) { inpkt->len -= myself->maclength; - HMAC(myself->digest, myself->key, myself->keylength, - (char *) &inpkt->seqno, inpkt->len, hmac, NULL); - - if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) { + gcry_md_reset(myself->digest_ctx); + gcry_md_write(myself->digest_ctx, (char *)&inpkt->seqno, inpkt->len); + hmac = gcry_md_read(myself->digest_ctx, 0); + + if(!hmac || memcmp(hmac, (char *)&inpkt->seqno + inpkt->len, myself->maclength)) { ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), n->name, n->hostname); return; @@ -204,19 +201,28 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) /* Decrypt the packet */ if(myself->cipher) { - outpkt = pkt[nextpkt++]; + gcry_cipher_reset(myself->cipher_ctx); + //memcpy(iv, &inpkt->seqno, sizeof inpkt->seqno); + //gcry_cipher_setiv(myself->cipher_ctx, iv, myself->cipherblklen); + result = gcry_cipher_decrypt(myself->cipher_ctx, (char *)&inpkt->seqno, inpkt->len, NULL, 0); - if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL) - || !EVP_DecryptUpdate(&packet_ctx, (char *) &outpkt->seqno, &outlen, - (char *) &inpkt->seqno, inpkt->len) - || !EVP_DecryptFinal_ex(&packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) { + if(result) { ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"), - n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); + n->name, n->hostname, gpg_strerror(result)); + logger(LOG_DEBUG, "%p %p %d", myself->cipher_ctx, (char *)&inpkt->seqno, inpkt->len); return; } + } + + /* Remove padding */ + + if(myself->cipherblklen > 1) { + int padlen; - outpkt->len = outlen + outpad; - inpkt = outpkt; + padlen = ((uint8_t *)&inpkt->seqno)[inpkt->len - 1]; + + if(padlen && padlen <= myself->cipherblklen) + inpkt->len -= padlen; } /* Check the sequence number */ @@ -226,13 +232,13 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) if(inpkt->seqno != n->received_seqno + 1) { if(inpkt->seqno >= n->received_seqno + sizeof(n->late) * 8) { - logger(LOG_WARNING, _("Lost %d packets from %s (%s)"), + logger(LOG_WARNING, _("Lost %u packets from %s (%s)"), inpkt->seqno - n->received_seqno - 1, n->name, n->hostname); memset(n->late, 0, sizeof(n->late)); } else if (inpkt->seqno <= n->received_seqno) { if(inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8 || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) { - logger(LOG_WARNING, _("Got late or replayed packet from %s (%s), seqno %d, last received %d"), + logger(LOG_WARNING, _("Got late or replayed packet from %s (%s), seqno %u, last received %u"), n->name, n->hostname, inpkt->seqno, n->received_seqno); } else for(i = n->received_seqno + 1; i < inpkt->seqno; i++) @@ -240,8 +246,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) } } - n->received_seqno = inpkt->seqno; - n->late[(n->received_seqno / 8) % sizeof(n->late)] &= ~(1 << n->received_seqno % 8); + if(inpkt->seqno > n->received_seqno) { + n->received_seqno = inpkt->seqno; + n->late[(n->received_seqno / 8) % sizeof(n->late)] &= ~(1 << n->received_seqno % 8); + } if(n->received_seqno > MAX_SEQNO) keyexpires = 0; @@ -288,11 +296,13 @@ static void send_udppacket(node_t *n, vpn_packet_t *inpkt) int nextpkt = 0; vpn_packet_t *outpkt; int origlen; - int outlen, outpad; + int result; vpn_packet_t *copy; static int priority = 0; int origpriority; int sock; + char *hmac = NULL; + static char iv[32] = {0}; cp(); @@ -345,26 +355,54 @@ static void send_udppacket(node_t *n, vpn_packet_t *inpkt) /* Encrypt the packet */ if(n->cipher) { - outpkt = pkt[nextpkt++]; + /* Add padding */ + + if(n->cipherblklen > 1) { + int padlen, i; + uint8_t *p; + + padlen = n->cipherblklen - inpkt->len % n->cipherblklen; + p = (char *)&inpkt->seqno + inpkt->len; + + if(padlen == n->cipherblklen) { + if(p[-1] != 0 && p[-1] <= n->cipherblklen) { + inpkt->len += n->cipherblklen; + for(i = 0; i < n->cipherblklen; i++) + *p++ = i + 1; + } + } else { + inpkt->len += padlen; + for(i = 0; i < padlen; i++) + *p++ = i + 1; + } + } + + gcry_cipher_reset(n->cipher_ctx); + //memcpy(iv, &inpkt->seqno, sizeof inpkt->seqno); + //gcry_cipher_setiv(n->cipher_ctx, iv, n->cipherblklen); + result = gcry_cipher_encrypt(n->cipher_ctx, (char *)&inpkt->seqno, inpkt->len, NULL, 0); - if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL) - || !EVP_EncryptUpdate(&n->packet_ctx, (char *) &outpkt->seqno, &outlen, - (char *) &inpkt->seqno, inpkt->len) - || !EVP_EncryptFinal_ex(&n->packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) { + if(result) { ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"), - n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); + n->name, n->hostname, gpg_strerror(result)); goto end; } - - outpkt->len = outlen + outpad; - inpkt = outpkt; } /* Add the message authentication code */ if(n->digest && n->maclength) { - HMAC(n->digest, n->key, n->keylength, (char *) &inpkt->seqno, - inpkt->len, (char *) &inpkt->seqno + inpkt->len, &outlen); + gcry_md_reset(n->digest_ctx); + gcry_md_write(n->digest_ctx, (char *)&inpkt->seqno, inpkt->len); + hmac = gcry_md_read(n->digest_ctx, 0); + + if(!hmac) { + ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while authenticating packet to %s (%s)"), + n->name, n->hostname); + goto end; + } + + memcpy((char *)&inpkt->seqno + inpkt->len, hmac, n->maclength); inpkt->len += n->maclength; } diff --git a/src/net_setup.c b/src/net_setup.c index aa2fbfbe..58d80da6 100644 --- a/src/net_setup.c +++ b/src/net_setup.c @@ -22,11 +22,9 @@ #include "system.h" -#include -#include -#include -#include -#include +#include +#include +#include #include "avl_tree.h" #include "conf.h" @@ -46,6 +44,7 @@ char *myport; +#if 0 bool read_rsa_public_key(connection_t *c) { FILE *fp; @@ -146,65 +145,61 @@ bool read_rsa_public_key(connection_t *c) return false; } +#endif -bool read_rsa_private_key(void) +bool setup_credentials(void) { - FILE *fp; - char *fname, *key, *pubkey; - struct stat s; + char *trust = NULL, *crl = NULL; + char *key = NULL, *cert = NULL; + int result; cp(); - if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) { - if(!get_config_string(lookup_config(myself->connection->config_tree, "PublicKey"), &pubkey)) { - logger(LOG_ERR, _("PrivateKey used but no PublicKey found!")); + gnutls_certificate_allocate_credentials(&myself->connection->credentials); + + if(get_config_string(lookup_config(config_tree, "TrustFile"), &trust)) { + result = gnutls_certificate_set_x509_trust_file(myself->connection->credentials, trust, GNUTLS_X509_FMT_PEM); + if(result < 0) { + logger(LOG_ERR, _("Error reading trust file '%s': %s"), trust, gnutls_strerror(result)); + free(trust); return false; } - myself->connection->rsa_key = RSA_new(); -// RSA_blinding_on(myself->connection->rsa_key, NULL); - BN_hex2bn(&myself->connection->rsa_key->d, key); - BN_hex2bn(&myself->connection->rsa_key->n, pubkey); - BN_hex2bn(&myself->connection->rsa_key->e, "FFFF"); - free(key); - free(pubkey); - return true; + free(trust); } - if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname)) - asprintf(&fname, "%s/rsa_key.priv", confbase); - - fp = fopen(fname, "r"); - - if(!fp) { - logger(LOG_ERR, _("Error reading RSA private key file `%s': %s"), - fname, strerror(errno)); - free(fname); - return false; + if(get_config_string(lookup_config(config_tree, "CRLFile"), &crl)) { + result = gnutls_certificate_set_x509_crl_file(myself->connection->credentials, crl, GNUTLS_X509_FMT_PEM); + if(result) { + logger(LOG_ERR, _("Error reading CRL file '%s': %s"), crl, gnutls_strerror(result)); + free(crl); + return false; + } + free(crl); } -#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN) - if(fstat(fileno(fp), &s)) { - logger(LOG_ERR, _("Could not stat RSA private key file `%s': %s'"), - fname, strerror(errno)); - free(fname); - return false; - } + if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &key)) + asprintf(&key, "%s/rsa_key.priv", confbase); - if(s.st_mode & ~0100700) - logger(LOG_WARNING, _("Warning: insecure file permissions for RSA private key file `%s'!"), fname); -#endif + if(!get_config_string(lookup_config(config_tree, "CertificateFile"), &cert)) + asprintf(&cert, "%s/hosts/%s", confbase, myself->name); - myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL); - fclose(fp); + + gnutls_certificate_set_x509_trust_file(myself->connection->credentials, cert, GNUTLS_X509_FMT_PEM); + logger(LOG_DEBUG, _("JOEHOE")); + gnutls_certificate_set_verify_flags(myself->connection->credentials, GNUTLS_VERIFY_DISABLE_CA_SIGN); + + result = gnutls_certificate_set_x509_key_file(myself->connection->credentials, cert, key, GNUTLS_X509_FMT_PEM); - if(!myself->connection->rsa_key) { - logger(LOG_ERR, _("Reading RSA private key file `%s' failed: %s"), - fname, strerror(errno)); - free(fname); + if(result) { + logger(LOG_ERR, _("Error reading credentials from %s and %s: %s"), cert, key, gnutls_strerror(result)); + free(key); + free(cert); return false; } - free(fname); + free(key); + free(cert); + return true; } @@ -220,7 +215,7 @@ bool setup_myself(void) char *envp[5]; struct addrinfo *ai, *aip, hint = {0}; bool choice; - int i, err; + int i, err, result; cp(); @@ -248,15 +243,15 @@ bool setup_myself(void) myself->name = name; myself->connection->name = xstrdup(name); + if(!setup_credentials()) + return false; + if(!read_connection_config(myself->connection)) { logger(LOG_ERR, _("Cannot open host configuration file for myself!")); return false; } - if(!read_rsa_private_key()) - return false; - - if(!get_config_string(lookup_config(myself->connection->config_tree, "Port"), &myport)) + if(!get_config_string (lookup_config(myself->connection->config_tree, "Port"), &myport)) asprintf(&myport, "655"); /* Read in all the subnets specified in the host configuration file */ @@ -345,12 +340,11 @@ bool setup_myself(void) /* Generate packet encryption key */ - if(get_config_string - (lookup_config(myself->connection->config_tree, "Cipher"), &cipher)) { + if(get_config_string (lookup_config(myself->connection->config_tree, "Cipher"), &cipher)) { if(!strcasecmp(cipher, "none")) { - myself->cipher = NULL; + myself->cipher = GCRY_CIPHER_NONE; } else { - myself->cipher = EVP_get_cipherbyname(cipher); + myself->cipher = gcry_cipher_map_name(cipher); if(!myself->cipher) { logger(LOG_ERR, _("Unrecognized cipher type!")); @@ -358,41 +352,44 @@ bool setup_myself(void) } } } else - myself->cipher = EVP_bf_cbc(); + myself->cipher = GCRY_CIPHER_AES; - if(myself->cipher) - myself->keylength = myself->cipher->key_len + myself->cipher->iv_len; - else - myself->keylength = 1; + if(myself->cipher) { + result = gcry_cipher_open(&myself->cipher_ctx, myself->cipher, GCRY_CIPHER_MODE_CBC, GCRY_CIPHER_SECURE); + + if(result) { + logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"), + myself->name, myself->hostname, gcry_strerror(result)); + return false; + } + + } - myself->connection->outcipher = EVP_bf_ofb(); + if(myself->cipher) { + myself->cipherkeylen = gcry_cipher_get_algo_keylen(myself->cipher); + myself->cipherblklen = gcry_cipher_get_algo_blklen(myself->cipher); + } else { + myself->cipherkeylen = 1; + } - myself->key = xmalloc(myself->keylength); - RAND_pseudo_bytes(myself->key, myself->keylength); + logger(LOG_DEBUG, _("Key %s len %d"), gcry_cipher_algo_name(myself->cipher), myself->cipherkeylen); + myself->cipherkey = xmalloc(myself->cipherkeylen); + gcry_randomize(myself->cipherkey, myself->cipherkeylen, GCRY_STRONG_RANDOM); + if(myself->cipher) + gcry_cipher_setkey(myself->cipher_ctx, myself->cipherkey, myself->cipherkeylen); if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime)) keylifetime = 3600; keyexpires = now + keylifetime; - if(myself->cipher) { - EVP_CIPHER_CTX_init(&packet_ctx); - if(!EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len)) { - logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"), - myself->name, myself->hostname, ERR_error_string(ERR_get_error(), NULL)); - return false; - } - - } - /* Check if we want to use message authentication codes... */ - if(get_config_string - (lookup_config(myself->connection->config_tree, "Digest"), &digest)) { + if(get_config_string (lookup_config(myself->connection->config_tree, "Digest"), &digest)) { if(!strcasecmp(digest, "none")) { - myself->digest = NULL; + myself->digest = GCRY_MD_NONE; } else { - myself->digest = EVP_get_digestbyname(digest); + myself->digest = gcry_md_map_name(digest); if(!myself->digest) { logger(LOG_ERR, _("Unrecognized digest type!")); @@ -400,14 +397,34 @@ bool setup_myself(void) } } } else - myself->digest = EVP_sha1(); + myself->digest = GCRY_MD_SHA1; + + + if(myself->digest) { + result = gcry_md_open(&myself->digest_ctx, myself->digest, GCRY_MD_FLAG_SECURE | GCRY_MD_FLAG_HMAC); + + if(result) { + logger(LOG_ERR, _("Error during initialisation of digest for %s (%s): %s"), + myself->name, myself->hostname, gcry_strerror(result)); + return false; + } + + } - myself->connection->outdigest = EVP_sha1(); + if(myself->digest) { + myself->digestlen = gcry_md_get_algo_dlen(myself->digest); + } else { + myself->digestlen = 1; + } - if(get_config_int(lookup_config(myself->connection->config_tree, "MACLength"), - &myself->maclength)) { + myself->digestkey = xmalloc(myself->digestlen); + gcry_randomize(myself->digestkey, myself->digestlen, GCRY_STRONG_RANDOM); + if(myself->digest) + gcry_md_setkey(myself->digest_ctx, myself->digestkey, myself->digestlen); + + if(get_config_int(lookup_config(myself->connection->config_tree, "MACLength"), &myself->maclength)) { if(myself->digest) { - if(myself->maclength > myself->digest->md_size) { + if(myself->maclength > myself->digestlen) { logger(LOG_ERR, _("MAC length exceeds size of digest!")); return false; } else if(myself->maclength < 0) { @@ -418,8 +435,6 @@ bool setup_myself(void) } else myself->maclength = 4; - myself->connection->outmaclength = 0; - /* Compression */ if(get_config_int(lookup_config(myself->connection->config_tree, "Compression"), @@ -431,8 +446,6 @@ bool setup_myself(void) } else myself->compression = 0; - myself->connection->outcompression = 0; - /* Done */ myself->nexthop = myself; diff --git a/src/net_socket.c b/src/net_socket.c index 3d1be21e..ff903e83 100644 --- a/src/net_socket.c +++ b/src/net_socket.c @@ -22,6 +22,8 @@ #include "system.h" +#include + #include "avl_tree.h" #include "conf.h" #include "connection.h" @@ -45,6 +47,16 @@ int seconds_till_retry = 5; listen_socket_t listen_socket[MAXSOCKETS]; int listen_sockets; +int certselfunc(gnutls_session session, const gnutls_datum *client_cert, int ncerts, const gnutls_datum* req_ca_cert, int nreqs) { + logger(LOG_DEBUG, "Client certificate select function called with %d certs, %d requests\n", ncerts, nreqs); + return 0; +} + +int scertselfunc(gnutls_session session, const gnutls_datum *server_cert, int ncerts) { + logger(LOG_DEBUG, "Server certificate select function called with %d certs\n", ncerts); + return 0; +} + /* Setup sockets */ int setup_listen_socket(const sockaddr_t *sa) @@ -236,13 +248,21 @@ void retry_outgoing(outgoing_t *outgoing) void finish_connecting(connection_t *c) { + int result; + cp(); ifdebug(CONNECTIONS) logger(LOG_INFO, _("Connected to %s (%s)"), c->name, c->hostname); c->last_ping_time = now; - send_id(c); + gnutls_init(&c->session, GNUTLS_SERVER); + gnutls_set_default_priority(c->session); + gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, myself->connection->credentials); + gnutls_certificate_server_set_request(c->session, GNUTLS_CERT_REQUEST); +// gnutls_certificate_client_set_select_function(c->session, certselfunc); +// gnutls_certificate_server_set_select_function(c->session, scertselfunc); + gnutls_transport_set_ptr(c->session, c->socket); } void do_outgoing_connection(connection_t *c) @@ -340,6 +360,7 @@ begin: goto begin; } + logger(LOG_DEBUG, _("finishing connection")); finish_connecting(c); return; @@ -364,10 +385,6 @@ void setup_outgoing_connection(outgoing_t *outgoing) c = new_connection(); c->name = xstrdup(outgoing->name); - c->outcipher = myself->connection->outcipher; - c->outdigest = myself->connection->outdigest; - c->outmaclength = myself->connection->outmaclength; - c->outcompression = myself->connection->outcompression; init_configuration(&c->config_tree); read_connection_config(c); @@ -399,6 +416,7 @@ bool handle_new_meta_connection(int sock) connection_t *c; sockaddr_t sa; int fd, len = sizeof(sa); + int result; cp(); @@ -410,13 +428,22 @@ bool handle_new_meta_connection(int sock) return false; } +#ifdef O_NONBLOCK + { + int flags = fcntl(fd, F_GETFL); + + if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) { + closesocket(fd); + logger(LOG_ERR, _("System call `%s' failed: %s"), "fcntl", + strerror(errno)); + return -1; + } + } +#endif + sockaddrunmap(&sa); c = new_connection(); - c->outcipher = myself->connection->outcipher; - c->outdigest = myself->connection->outdigest; - c->outmaclength = myself->connection->outmaclength; - c->outcompression = myself->connection->outcompression; c->address = sa; c->hostname = sockaddr2hostname(&sa); @@ -428,7 +455,14 @@ bool handle_new_meta_connection(int sock) connection_add(c); c->allow_request = ID; - send_id(c); + gnutls_init(&c->session, GNUTLS_CLIENT); + gnutls_set_default_priority(c->session); + gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, myself->connection->credentials); + gnutls_certificate_server_set_request(c->session, GNUTLS_CERT_REQUEST); +// gnutls_certificate_client_set_select_function(c->session, certselfunc); +// gnutls_certificate_server_set_select_function(c->session, scertselfunc); + gnutls_transport_set_ptr(c->session, c->socket); + gnutls_handshake(c->session); return true; } diff --git a/src/node.c b/src/node.c index 35199161..cba598d4 100644 --- a/src/node.c +++ b/src/node.c @@ -79,7 +79,6 @@ node_t *new_node(void) n->subnet_tree = new_subnet_tree(); n->edge_tree = new_edge_tree(); n->queue = list_alloc((list_action_t) free); - EVP_CIPHER_CTX_init(&n->packet_ctx); n->mtu = MTU; n->maxmtu = MTU; @@ -99,8 +98,11 @@ void free_node(node_t *n) if(n->hostname) free(n->hostname); - if(n->key) - free(n->key); + if(n->cipherkey) + free(n->cipherkey); + + if(n->digestkey) + free(n->digestkey); if(n->subnet_tree) free_subnet_tree(n->subnet_tree); @@ -110,8 +112,6 @@ void free_node(node_t *n) sockaddrfree(&n->address); - EVP_CIPHER_CTX_cleanup(&n->packet_ctx); - if(n->mtuevent) event_del(n->mtuevent); @@ -184,9 +184,9 @@ void dump_nodes(void) for(node = node_tree->head; node; node = node->next) { n = node->data; - logger(LOG_DEBUG, _(" %s at %s cipher %d digest %d maclength %d compression %d options %lx status %04x nexthop %s via %s pmtu %d (min %d max %d)"), - n->name, n->hostname, n->cipher ? n->cipher->nid : 0, - n->digest ? n->digest->type : 0, n->maclength, n->compression, + logger(LOG_DEBUG, _(" %s at %s cipher %s digest %s maclength %d compression %d options %lx status %04x nexthop %s via %s pmtu %d (min %d max %d)"), + n->name, n->hostname, gcry_cipher_algo_name(n->cipher), + gcry_md_algo_name(n->digest), n->maclength, n->compression, n->options, *(uint32_t *)&n->status, n->nexthop ? n->nexthop->name : "-", n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu); } diff --git a/src/node.h b/src/node.h index dd9c7a12..e79902b8 100644 --- a/src/node.h +++ b/src/node.h @@ -23,6 +23,8 @@ #ifndef __TINC_NODE_H__ #define __TINC_NODE_H__ +#include + #include "avl_tree.h" #include "connection.h" #include "event.h" @@ -48,13 +50,17 @@ typedef struct node_t { node_status_t status; - const EVP_CIPHER *cipher; /* Cipher type for UDP packets */ - char *key; /* Cipher key and iv */ - int keylength; /* Cipher key and iv length */ - EVP_CIPHER_CTX packet_ctx; /* Cipher context */ + int cipher; /* Cipher type for UDP packets */ + char *cipherkey; /* Cipher key */ + int cipherkeylen; /* Cipher key length */ + int cipherblklen; + gcry_cipher_hd_t cipher_ctx; /* Cipher context */ - const EVP_MD *digest; /* Digest type for MAC */ + int digest; /* Digest type for MAC */ + char *digestkey; + int digestlen; int maclength; /* Length of MAC */ + gcry_md_hd_t digest_ctx; int compression; /* Compressionlevel, 0 = no compression */ diff --git a/src/protocol.c b/src/protocol.c index e6c13f46..a4025ae4 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -35,7 +35,7 @@ bool tunnelserver = false; /* Jumptable for the request handlers */ static bool (*request_handlers[])(connection_t *) = { - id_h, metakey_h, challenge_h, chal_reply_h, ack_h, + NULL, NULL, NULL, NULL, ack_h, status_h, error_h, termreq_h, ping_h, pong_h, add_subnet_h, del_subnet_h, diff --git a/src/protocol.h b/src/protocol.h index 8951cbcd..d2a767c2 100644 --- a/src/protocol.h +++ b/src/protocol.h @@ -80,10 +80,6 @@ extern void age_past_requests(void); /* Requests */ -extern bool send_id(struct connection_t *); -extern bool send_metakey(struct connection_t *); -extern bool send_challenge(struct connection_t *); -extern bool send_chal_reply(struct connection_t *); extern bool send_ack(struct connection_t *); extern bool send_status(struct connection_t *, int, const char *); extern bool send_error(struct connection_t *, int,const char *); @@ -96,15 +92,11 @@ extern bool send_add_edge(struct connection_t *, const struct edge_t *); extern bool send_del_edge(struct connection_t *, const struct edge_t *); extern bool send_key_changed(struct connection_t *, const struct node_t *); extern bool send_req_key(struct connection_t *, const struct node_t *, const struct node_t *); -extern bool send_ans_key(struct connection_t *, const struct node_t *, const struct node_t *); +extern bool send_ans_key(struct connection_t *, const struct node_t *); extern bool send_tcppacket(struct connection_t *, struct vpn_packet_t *); /* Request handlers */ -extern bool id_h(struct connection_t *); -extern bool metakey_h(struct connection_t *); -extern bool challenge_h(struct connection_t *); -extern bool chal_reply_h(struct connection_t *); extern bool ack_h(struct connection_t *); extern bool status_h(struct connection_t *); extern bool error_h(struct connection_t *); diff --git a/src/protocol_auth.c b/src/protocol_auth.c index 77561b81..497d43f7 100644 --- a/src/protocol_auth.c +++ b/src/protocol_auth.c @@ -22,10 +22,8 @@ #include "system.h" -#include -#include -#include -#include +#include +#include #include "avl_tree.h" #include "conf.h" @@ -40,60 +38,70 @@ #include "utils.h" #include "xalloc.h" -bool send_id(connection_t *c) +bool send_ack(connection_t *c) { - cp(); + char buf[MAX_STRING_SIZE]; + size_t len; + gnutls_x509_crt cert; + const gnutls_datum *cert_list; + int cert_list_size = 0, result; + char *p, *name; - return send_request(c, "%d %s %d", ID, myself->connection->name, - myself->connection->protocol_version); -} + cert_list = gnutls_certificate_get_peers(c->session, &cert_list_size); -bool id_h(connection_t *c) -{ - char name[MAX_STRING_SIZE]; + if (!cert_list || !cert_list_size) { + logger(LOG_ERR, _("No certificates from %s"), c->hostname); + return false; + } - cp(); + len = sizeof buf; + gnutls_x509_crt_init(&cert); + result = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) + ?: gnutls_x509_crt_get_dn(cert, buf, &len); - if(sscanf(c->buffer, "%*d " MAX_STRING " %d", name, &c->protocol_version) != 2) { - logger(LOG_ERR, _("Got bad %s from %s (%s)"), "ID", c->name, - c->hostname); + if(result) { + logger(LOG_ERR, _("Error importing certificate from %s: %s"), c->hostname, gnutls_strerror(errno)); + gnutls_x509_crt_deinit(cert); return false; } - /* Check if identity is a valid name */ + name = strstr(buf, "CN="); + if(!name) { + logger(LOG_ERR, _("No name in certificate from %s"), c->hostname); + gnutls_x509_crt_deinit(cert); + return false; + } + name += 3; + for(p = name; *p && *p != ','; p++); + *p = '\0'; if(!check_id(name)) { - logger(LOG_ERR, _("Got bad %s from %s (%s): %s"), "ID", c->name, - c->hostname, "invalid name"); + logger(LOG_ERR, _("Invalid name from %s"), c->hostname); return false; } - /* If we set c->name in advance, make sure we are connected to the right host */ - if(c->name) { if(strcmp(c->name, name)) { - logger(LOG_ERR, _("Peer %s is %s instead of %s"), c->hostname, name, - c->name); + logger(LOG_ERR, _("Peer %s is %s instead of %s"), c->hostname, name, c->hostname); return false; } - } else + } else { c->name = xstrdup(name); - - /* Check if version matches */ - - if(c->protocol_version != myself->connection->protocol_version) { - logger(LOG_ERR, _("Peer %s (%s) uses incompatible version %d"), - c->name, c->hostname, c->protocol_version); - return false; } - - if(bypass_security) { - if(!c->config_tree) - init_configuration(&c->config_tree); - c->allow_request = ACK; - return send_ack(c); + + result = gnutls_certificate_verify_peers(c->session); + + if(result) { + if(result & GNUTLS_CERT_INVALID) + logger(LOG_ERR, _("Certificate from %s (%s) invalid"), c->name, c->hostname); + if(result & GNUTLS_CERT_REVOKED) + logger(LOG_ERR, _("Certificate from %s (%s) revoked"), c->name, c->hostname); + if(result & GNUTLS_CERT_SIGNER_NOT_FOUND) + logger(LOG_ERR, _("Certificate from %s (%s) has no known signer"), c->name, c->hostname); + if(result & GNUTLS_CERT_SIGNER_NOT_CA) + logger(LOG_ERR, _("Certificate from %s (%s) has no CA as signer"), c->name, c->hostname); } - + if(!c->config_tree) { init_configuration(&c->config_tree); @@ -104,357 +112,6 @@ bool id_h(connection_t *c) } } - if(!read_rsa_public_key(c)) { - return false; - } - - c->allow_request = METAKEY; - - return send_metakey(c); -} - -bool send_metakey(connection_t *c) -{ - char buffer[MAX_STRING_SIZE]; - int len; - bool x; - - cp(); - - len = RSA_size(c->rsa_key); - - /* Allocate buffers for the meta key */ - - if(!c->outkey) - c->outkey = xmalloc(len); - - if(!c->outctx) - c->outctx = xmalloc_and_zero(sizeof(*c->outctx)); - cp(); - /* Copy random data to the buffer */ - - RAND_pseudo_bytes(c->outkey, len); - - /* The message we send must be smaller than the modulus of the RSA key. - By definition, for a key of k bits, the following formula holds: - - 2^(k-1) <= modulus < 2^(k) - - Where ^ means "to the power of", not "xor". - This means that to be sure, we must choose our message < 2^(k-1). - This can be done by setting the most significant bit to zero. - */ - - c->outkey[0] &= 0x7F; - - ifdebug(SCARY_THINGS) { - bin2hex(c->outkey, buffer, len); - buffer[len * 2] = '\0'; - logger(LOG_DEBUG, _("Generated random meta key (unencrypted): %s"), - buffer); - } - - /* Encrypt the random data - - We do not use one of the PKCS padding schemes here. - This is allowed, because we encrypt a totally random string - with a length equal to that of the modulus of the RSA key. - */ - - if(RSA_public_encrypt(len, c->outkey, buffer, c->rsa_key, RSA_NO_PADDING) != len) { - logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), - c->name, c->hostname); - return false; - } - - /* Convert the encrypted random data to a hexadecimal formatted string */ - - bin2hex(buffer, buffer, len); - buffer[len * 2] = '\0'; - - /* Send the meta key */ - - x = send_request(c, "%d %d %d %d %d %s", METAKEY, - c->outcipher ? c->outcipher->nid : 0, - c->outdigest ? c->outdigest->type : 0, c->outmaclength, - c->outcompression, buffer); - - /* Further outgoing requests are encrypted with the key we just generated */ - - if(c->outcipher) { - if(!EVP_EncryptInit(c->outctx, c->outcipher, - c->outkey + len - c->outcipher->key_len, - c->outkey + len - c->outcipher->key_len - - c->outcipher->iv_len)) { - logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"), - c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); - return false; - } - - c->status.encryptout = true; - } - - return x; -} - -bool metakey_h(connection_t *c) -{ - char buffer[MAX_STRING_SIZE]; - int cipher, digest, maclength, compression; - int len; - - cp(); - - if(sscanf(c->buffer, "%*d %d %d %d %d " MAX_STRING, &cipher, &digest, &maclength, &compression, buffer) != 5) { - logger(LOG_ERR, _("Got bad %s from %s (%s)"), "METAKEY", c->name, - c->hostname); - return false; - } - - len = RSA_size(myself->connection->rsa_key); - - /* Check if the length of the meta key is all right */ - - if(strlen(buffer) != len * 2) { - logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, c->hostname, "wrong keylength"); - return false; - } - - /* Allocate buffers for the meta key */ - - if(!c->inkey) - c->inkey = xmalloc(len); - - if(!c->inctx) - c->inctx = xmalloc_and_zero(sizeof(*c->inctx)); - - /* Convert the challenge from hexadecimal back to binary */ - - hex2bin(buffer, buffer, len); - - /* Decrypt the meta key */ - - if(RSA_private_decrypt(len, buffer, c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) { /* See challenge() */ - logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), - c->name, c->hostname); - return false; - } - - ifdebug(SCARY_THINGS) { - bin2hex(c->inkey, buffer, len); - buffer[len * 2] = '\0'; - logger(LOG_DEBUG, _("Received random meta key (unencrypted): %s"), buffer); - } - - /* All incoming requests will now be encrypted. */ - - /* Check and lookup cipher and digest algorithms */ - - if(cipher) { - c->incipher = EVP_get_cipherbynid(cipher); - - if(!c->incipher) { - logger(LOG_ERR, _("%s (%s) uses unknown cipher!"), c->name, c->hostname); - return false; - } - - if(!EVP_DecryptInit(c->inctx, c->incipher, - c->inkey + len - c->incipher->key_len, - c->inkey + len - c->incipher->key_len - - c->incipher->iv_len)) { - logger(LOG_ERR, _("Error during initialisation of cipher from %s (%s): %s"), - c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); - return false; - } - - c->status.decryptin = true; - } else { - c->incipher = NULL; - } - - c->inmaclength = maclength; - - if(digest) { - c->indigest = EVP_get_digestbynid(digest); - - if(!c->indigest) { - logger(LOG_ERR, _("Node %s (%s) uses unknown digest!"), c->name, c->hostname); - return false; - } - - if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) { - logger(LOG_ERR, _("%s (%s) uses bogus MAC length!"), c->name, c->hostname); - return false; - } - } else { - c->indigest = NULL; - } - - c->incompression = compression; - - c->allow_request = CHALLENGE; - - return send_challenge(c); -} - -bool send_challenge(connection_t *c) -{ - char buffer[MAX_STRING_SIZE]; - int len; - - cp(); - - /* CHECKME: what is most reasonable value for len? */ - - len = RSA_size(c->rsa_key); - - /* Allocate buffers for the challenge */ - - if(!c->hischallenge) - c->hischallenge = xmalloc(len); - - /* Copy random data to the buffer */ - - RAND_pseudo_bytes(c->hischallenge, len); - - /* Convert to hex */ - - bin2hex(c->hischallenge, buffer, len); - buffer[len * 2] = '\0'; - - /* Send the challenge */ - - return send_request(c, "%d %s", CHALLENGE, buffer); -} - -bool challenge_h(connection_t *c) -{ - char buffer[MAX_STRING_SIZE]; - int len; - - cp(); - - if(sscanf(c->buffer, "%*d " MAX_STRING, buffer) != 1) { - logger(LOG_ERR, _("Got bad %s from %s (%s)"), "CHALLENGE", c->name, - c->hostname); - return false; - } - - len = RSA_size(myself->connection->rsa_key); - - /* Check if the length of the challenge is all right */ - - if(strlen(buffer) != len * 2) { - logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, - c->hostname, "wrong challenge length"); - return false; - } - - /* Allocate buffers for the challenge */ - - if(!c->mychallenge) - c->mychallenge = xmalloc(len); - - /* Convert the challenge from hexadecimal back to binary */ - - hex2bin(buffer, c->mychallenge, len); - - c->allow_request = CHAL_REPLY; - - /* Rest is done by send_chal_reply() */ - - return send_chal_reply(c); -} - -bool send_chal_reply(connection_t *c) -{ - char hash[EVP_MAX_MD_SIZE * 2 + 1]; - EVP_MD_CTX ctx; - - cp(); - - /* Calculate the hash from the challenge we received */ - - if(!EVP_DigestInit(&ctx, c->indigest) - || !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key)) - || !EVP_DigestFinal(&ctx, hash, NULL)) { - logger(LOG_ERR, _("Error during calculation of response for %s (%s): %s"), - c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); - return false; - } - - /* Convert the hash to a hexadecimal formatted string */ - - bin2hex(hash, hash, c->indigest->md_size); - hash[c->indigest->md_size * 2] = '\0'; - - /* Send the reply */ - - return send_request(c, "%d %s", CHAL_REPLY, hash); -} - -bool chal_reply_h(connection_t *c) -{ - char hishash[MAX_STRING_SIZE]; - char myhash[EVP_MAX_MD_SIZE]; - EVP_MD_CTX ctx; - - cp(); - - if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) { - logger(LOG_ERR, _("Got bad %s from %s (%s)"), "CHAL_REPLY", c->name, - c->hostname); - return false; - } - - /* Check if the length of the hash is all right */ - - if(strlen(hishash) != c->outdigest->md_size * 2) { - logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, - c->hostname, _("wrong challenge reply length")); - return false; - } - - /* Convert the hash to binary format */ - - hex2bin(hishash, hishash, c->outdigest->md_size); - - /* Calculate the hash from the challenge we sent */ - - if(!EVP_DigestInit(&ctx, c->outdigest) - || !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key)) - || !EVP_DigestFinal(&ctx, myhash, NULL)) { - logger(LOG_ERR, _("Error during calculation of response from %s (%s): %s"), - c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); - return false; - } - - /* Verify the incoming hash with the calculated hash */ - - if(memcmp(hishash, myhash, c->outdigest->md_size)) { - logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, - c->hostname, _("wrong challenge reply")); - - ifdebug(SCARY_THINGS) { - bin2hex(myhash, hishash, SHA_DIGEST_LENGTH); - hishash[SHA_DIGEST_LENGTH * 2] = '\0'; - logger(LOG_DEBUG, _("Expected challenge reply: %s"), hishash); - } - - return false; - } - - /* Identity has now been positively verified. - Send an acknowledgement with the rest of the information needed. - */ - - c->allow_request = ACK; - - return send_ack(c); -} - -bool send_ack(connection_t *c) -{ /* ACK message contains rest of the information the other end needs to create node_t and edge_t structures. */ diff --git a/src/protocol_key.c b/src/protocol_key.c index 5067a818..6caba591 100644 --- a/src/protocol_key.c +++ b/src/protocol_key.c @@ -129,7 +129,7 @@ bool req_key_h(connection_t *c) mykeyused = true; from->received_seqno = 0; memset(from->late, 0, sizeof(from->late)); - send_ans_key(c, myself, from); + send_ans_key(c, from); } else { if(tunnelserver) return false; @@ -140,35 +140,39 @@ bool req_key_h(connection_t *c) return true; } -bool send_ans_key(connection_t *c, const node_t *from, const node_t *to) +bool send_ans_key(connection_t *c, const node_t *to) { - char key[MAX_STRING_SIZE]; + char cipherkey[myself->cipherkeylen * 2 + 1]; + char digestkey[myself->digestlen * 2 + 1]; cp(); - bin2hex(from->key, key, from->keylength); - key[from->keylength * 2] = '\0'; + bin2hex(myself->cipherkey, cipherkey, myself->cipherkeylen); + cipherkey[myself->cipherkeylen * 2] = '\0'; - return send_request(c, "%d %s %s %s %d %d %d %d", ANS_KEY, - from->name, to->name, key, - from->cipher ? from->cipher->nid : 0, - from->digest ? from->digest->type : 0, from->maclength, - from->compression); + bin2hex(myself->digestkey, digestkey, myself->digestlen); + digestkey[myself->digestlen * 2] = '\0'; + + return send_request(c, "%d %s %s %s %s %d %d %d %d", ANS_KEY, + myself->name, to->name, cipherkey, digestkey, + myself->cipher, + myself->digest, myself->maclength, + myself->compression); } bool ans_key_h(connection_t *c) { char from_name[MAX_STRING_SIZE]; char to_name[MAX_STRING_SIZE]; - char key[MAX_STRING_SIZE]; + char cipherkey[MAX_STRING_SIZE]; + char digestkey[MAX_STRING_SIZE]; int cipher, digest, maclength, compression; node_t *from, *to; cp(); - if(sscanf(c->buffer, "%*d "MAX_STRING" "MAX_STRING" "MAX_STRING" %d %d %d %d", - from_name, to_name, key, &cipher, &digest, &maclength, - &compression) != 7) { + if(sscanf(c->buffer, "%*d "MAX_STRING" "MAX_STRING" "MAX_STRING" "MAX_STRING" %d %d %d %d", + from_name, to_name, cipherkey, digestkey, &cipher, &digest, &maclength, &compression) != 8) { logger(LOG_ERR, _("Got bad %s from %s (%s)"), "ANS_KEY", c->name, c->hostname); return false; @@ -199,58 +203,41 @@ bool ans_key_h(connection_t *c) return send_request(to->nexthop->connection, "%s", c->buffer); } - /* Update our copy of the origin's packet key */ - - if(from->key) - free(from->key); - - from->key = xstrdup(key); - from->keylength = strlen(key) / 2; - hex2bin(from->key, from->key, from->keylength); - from->key[from->keylength] = '\0'; - - from->status.validkey = true; - from->status.waitingforkey = false; - from->sent_seqno = 0; - /* Check and lookup cipher and digest algorithms */ if(cipher) { - from->cipher = EVP_get_cipherbynid(cipher); - - if(!from->cipher) { + from->cipher = cipher; + if(!*gcry_cipher_algo_name(from->cipher)) { logger(LOG_ERR, _("Node %s (%s) uses unknown cipher!"), from->name, from->hostname); return false; } - if(from->keylength != from->cipher->key_len + from->cipher->iv_len) { - logger(LOG_ERR, _("Node %s (%s) uses wrong keylength!"), from->name, - from->hostname); - return false; - } + from->cipherblklen = gcry_cipher_get_algo_blklen(from->cipher); } else { - from->cipher = NULL; + from->cipher = GCRY_CIPHER_NONE; } from->maclength = maclength; if(digest) { - from->digest = EVP_get_digestbynid(digest); + from->digest = digest; - if(!from->digest) { + if(!*gcry_md_algo_name(from->digest)) { logger(LOG_ERR, _("Node %s (%s) uses unknown digest!"), from->name, from->hostname); return false; } - if(from->maclength > from->digest->md_size || from->maclength < 0) { + from->digestlen = gcry_md_get_algo_dlen(from->digest); + + if(from->maclength > from->digestlen || from->maclength < 0) { logger(LOG_ERR, _("Node %s (%s) uses bogus MAC length!"), from->name, from->hostname); return false; } } else { - from->digest = NULL; + from->digest = GCRY_MD_NONE; } if(compression < 0 || compression > 11) { @@ -260,12 +247,53 @@ bool ans_key_h(connection_t *c) from->compression = compression; - if(from->cipher) - if(!EVP_EncryptInit_ex(&from->packet_ctx, from->cipher, NULL, from->key, from->key + from->cipher->key_len)) { + /* Update our copy of the origin's packet key */ + + if(from->cipherkey) + free(from->cipherkey); + + from->cipherkeylen = strlen(cipherkey) / 2; + from->cipherkey = xmalloc(from->cipherkeylen); + hex2bin(cipherkey, from->cipherkey, from->cipherkeylen); + + if(from->cipherkeylen != gcry_cipher_get_algo_keylen(from->cipher)) { + logger(LOG_ERR, _("Node %s (%s) uses wrong keylength %d instead of %d!"), from->name, + from->hostname, from->cipherkeylen, gcry_cipher_get_algo_keylen(from->cipher) ); + return false; + } + + if(from->digestkey) + free(from->digestkey); + + from->digestlen = strlen(digestkey) / 2; + from->digestkey = xmalloc(from->digestlen); + hex2bin(digestkey, from->digestkey, from->digestlen); + + if(from->cipher) { + int result; + result = gcry_cipher_open(&from->cipher_ctx, from->cipher, GCRY_CIPHER_MODE_CBC, GCRY_CIPHER_SECURE); + gcry_cipher_setkey(from->cipher_ctx, from->cipherkey, from->cipherkeylen); + if(result) { + logger(LOG_ERR, _("Error during initialisation of key from %s (%s): %s"), + from->name, from->hostname, gcry_strerror(result)); + return false; + } + } + + if(from->digest) { + int result; + result = gcry_md_open(&from->digest_ctx, from->digest, GCRY_MD_FLAG_SECURE | GCRY_MD_FLAG_HMAC); + gcry_md_setkey(from->digest_ctx, from->digestkey, from->digestlen); + if(result) { logger(LOG_ERR, _("Error during initialisation of key from %s (%s): %s"), - from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL)); + from->name, from->hostname, gcry_strerror(result)); return false; } + } + + from->status.validkey = true; + from->status.waitingforkey = false; + from->sent_seqno = 0; if(from->options & OPTION_PMTU_DISCOVERY && !from->mtuprobes) send_mtu_probe(from); diff --git a/src/tincd.c b/src/tincd.c index dd6b1e74..ce22b7b6 100644 --- a/src/tincd.c +++ b/src/tincd.c @@ -31,10 +31,7 @@ #include #endif -#include -#include -#include -#include +#include #include @@ -286,6 +283,10 @@ static void indicator(int a, int b, void *p) */ static bool keygen(int bits) { + fprintf(stderr, _("Use certtool!\n")); + return false; + +#if 0 RSA *rsa_key; FILE *f; char *name = NULL; @@ -338,6 +339,7 @@ static bool keygen(int bits) free(filename); return true; +#endif } /* @@ -437,7 +439,7 @@ int main(int argc, char **argv) { logger(LOG_ERR, _("mlockall() not supported on this platform!")); #endif - return -1; + return 1; } g_argv = argv; @@ -446,9 +448,7 @@ int main(int argc, char **argv) /* Slllluuuuuuurrrrp! */ - RAND_load_file("/dev/urandom", 1024); - - OpenSSL_add_all_algorithms(); + gnutls_global_init(); if(generate_keys) { read_server_config(); -- 2.20.1