+static bool finalize_invitation(connection_t *c, const char *data, uint16_t len) {
+ (void)len;
+
+ if(strchr(data, '\n')) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Received invalid key from invited node %s (%s)!\n", c->name, c->hostname);
+ return false;
+ }
+
+ // Create a new host config file
+ char filename[PATH_MAX];
+ snprintf(filename, sizeof(filename), "%s" SLASH "hosts" SLASH "%s", confbase, c->name);
+
+ if(!access(filename, F_OK)) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Host config file for %s (%s) already exists!\n", c->name, c->hostname);
+ return false;
+ }
+
+ FILE *f = fopen(filename, "w");
+
+ if(!f) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Error trying to create %s: %s\n", filename, strerror(errno));
+ return false;
+ }
+
+ fprintf(f, "Ed25519PublicKey = %s\n", data);
+ fclose(f);
+
+ logger(DEBUG_CONNECTIONS, LOG_INFO, "Key successfully received from %s (%s)", c->name, c->hostname);
+
+ // Call invitation-accepted script
+ environment_t env;
+ char *address, *port;
+
+ environment_init(&env);
+ environment_add(&env, "NODE=%s", c->name);
+ sockaddr2str(&c->address, &address, &port);
+ environment_add(&env, "REMOTEADDRESS=%s", address);
+ environment_add(&env, "NAME=%s", myself->name);
+
+ free(address);
+ free(port);
+
+ execute_script("invitation-accepted", &env);
+
+ environment_exit(&env);
+
+ sptps_send_record(&c->sptps, 2, data, 0);
+ return true;
+}
+
+static bool receive_invitation_sptps(void *handle, uint8_t type, const void *data, uint16_t len) {
+ connection_t *c = handle;
+
+ if(type == 128) {
+ return true;
+ }
+
+ if(type == 1 && c->status.invitation_used) {
+ return finalize_invitation(c, data, len);
+ }
+
+ if(type != 0 || len != 18 || c->status.invitation_used) {
+ return false;
+ }
+
+ // Recover the filename from the cookie and the key
+ char *fingerprint = ecdsa_get_base64_public_key(invitation_key);
+ const size_t hashbuflen = 18 + strlen(fingerprint);
+ char *hashbuf = alloca(hashbuflen);
+ char cookie[64];
+ memcpy(hashbuf, data, 18);
+ memcpy(hashbuf + 18, fingerprint, hashbuflen - 18);
+ sha512(hashbuf, hashbuflen, cookie);
+ b64encode_tinc_urlsafe(cookie, cookie, 18);
+ free(fingerprint);
+
+ char filename[PATH_MAX], usedname[PATH_MAX];
+ snprintf(filename, sizeof(filename), "%s" SLASH "invitations" SLASH "%s", confbase, cookie);
+ snprintf(usedname, sizeof(usedname), "%s" SLASH "invitations" SLASH "%s.used", confbase, cookie);
+
+ // Atomically rename the invitation file
+ if(rename(filename, usedname)) {
+ if(errno == ENOENT) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s tried to use non-existing invitation %s\n", c->hostname, cookie);
+ } else {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Error trying to rename invitation %s\n", cookie);
+ }
+
+ return false;
+ }
+
+ // Check the timestamp of the invitation
+ struct stat st;
+
+ if(stat(usedname, &st)) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Could not stat %s", usedname);
+ return false;
+ }
+
+ if(st.st_mtime + invitation_lifetime < now.tv_sec) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s tried to use expired invitation %s", c->hostname, cookie);
+ return false;
+ }
+
+ // Open the renamed file
+ FILE *f = fopen(usedname, "r");
+
+ if(!f) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Error trying to open invitation %s\n", cookie);
+ return false;
+ }
+
+ // Read the new node's Name from the file
+ char buf[1024] = "";
+
+ if(!fgets(buf, sizeof(buf), f)) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Could not read invitation file %s\n", cookie);
+ fclose(f);
+ return false;
+ }
+
+ size_t buflen = strlen(buf);
+
+ // Strip whitespace at the end
+ while(buflen && strchr(" \t\r\n", buf[buflen - 1])) {
+ buf[--buflen] = 0;
+ }
+
+ // Split the first line into variable and value
+ len = strcspn(buf, " \t=");
+ char *name = buf + len;
+ name += strspn(name, " \t");
+
+ if(*name == '=') {
+ name++;
+ name += strspn(name, " \t");
+ }
+
+ buf[len] = 0;
+
+ // Check that it is a valid Name
+ if(!*buf || !*name || strcasecmp(buf, "Name") || !check_id(name) || !strcmp(name, myself->name)) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Invalid invitation file %s\n", cookie);
+ fclose(f);
+ return false;
+ }
+
+ free(c->name);
+ c->name = xstrdup(name);
+
+ // Send the node the contents of the invitation file
+ rewind(f);
+ size_t result;
+
+ while((result = fread(buf, 1, sizeof(buf), f))) {
+ sptps_send_record(&c->sptps, 0, buf, result);
+ }
+
+ if(!feof(f)) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Could not read invitation file %s\n", cookie);
+ fclose(f);
+ return false;
+ }
+
+ sptps_send_record(&c->sptps, 1, buf, 0);
+ fclose(f);
+ unlink(usedname);
+
+ c->status.invitation_used = true;
+
+ logger(DEBUG_CONNECTIONS, LOG_INFO, "Invitation %s successfully sent to %s (%s)", cookie, c->name, c->hostname);
+ return true;
+}
+
+bool id_h(connection_t *c, const char *request) {
+ char name[MAX_STRING_SIZE];
+
+ if(sscanf(request, "%*d " MAX_STRING " %2d.%3d", name, &c->protocol_major, &c->protocol_minor) < 2) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s)", "ID", c->name,
+ c->hostname);
+ return false;
+ }
+
+ /* Check if this is a control connection */
+
+ if(name[0] == '^' && !strcmp(name + 1, controlcookie)) {
+ c->status.control = true;
+ c->allow_request = CONTROL;
+ c->last_ping_time = now.tv_sec + 3600;
+
+ free(c->name);
+ c->name = xstrdup("<control>");
+
+ if(!c->outgoing) {
+ send_id(c);
+ }
+
+ return send_request(c, "%d %d %d", ACK, TINC_CTL_VERSION_CURRENT, getpid());
+ }
+
+ if(name[0] == '?') {
+ if(!invitation_key) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Got invitation from %s but we don't have an invitation key", c->hostname);
+ return false;
+ }
+
+ c->ecdsa = ecdsa_set_base64_public_key(name + 1);
+
+ if(!c->ecdsa) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Got bad invitation from %s", c->hostname);
+ return false;
+ }
+
+ c->status.invitation = true;
+ char *mykey = ecdsa_get_base64_public_key(invitation_key);
+
+ if(!mykey) {
+ return false;
+ }
+
+ if(!c->outgoing) {
+ send_id(c);
+ }
+
+ if(!send_request(c, "%d %s", ACK, mykey)) {
+ return false;
+ }
+
+ free(mykey);
+
+ c->protocol_minor = 2;
+
+ return sptps_start(&c->sptps, c, false, false, invitation_key, c->ecdsa, "tinc invitation", 15, send_meta_sptps, receive_invitation_sptps);
+ }
+
+ /* Check if identity is a valid name */
+
+ if(!check_id(name) || !strcmp(name, myself->name)) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s): %s", "ID", c->name,
+ c->hostname, "invalid name");
+ return false;
+ }
+
+ /* If this is an outgoing connection, make sure we are connected to the right host */
+
+ if(c->outgoing) {
+ if(strcmp(c->name, name)) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s is %s instead of %s", c->hostname, name,
+ c->name);
+ return false;
+ }
+ } else {
+ free(c->name);
+ c->name = xstrdup(name);
+ }
+
+ /* Check if version matches */
+
+ if(c->protocol_major != myself->connection->protocol_major) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s (%s) uses incompatible version %d.%d",
+ c->name, c->hostname, c->protocol_major, c->protocol_minor);
+ return false;
+ }
+
+ if(bypass_security) {
+ if(!c->config_tree) {
+ c->config_tree = create_configuration();
+ }
+
+ c->allow_request = ACK;
+
+ if(!c->outgoing) {
+ send_id(c);
+ }
+
+ return send_ack(c);
+ }
+
+ if(!experimental) {
+ c->protocol_minor = 0;
+ }
+
+ if(!c->config_tree) {
+ c->config_tree = create_configuration();
+
+ if(!read_host_config(c->config_tree, c->name, false)) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s had unknown identity (%s)", c->hostname, c->name);
+ return false;
+ }
+
+ if(experimental) {
+ read_ecdsa_public_key(&c->ecdsa, &c->config_tree, c->name);
+ }
+
+ /* Ignore failures if no key known yet */
+ }
+
+ if(c->protocol_minor && !ecdsa_active(c->ecdsa)) {
+ c->protocol_minor = 1;
+ }
+
+ /* Forbid version rollback for nodes whose Ed25519 key we know */
+
+ if(ecdsa_active(c->ecdsa) && c->protocol_minor < 1) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s (%s) tries to roll back protocol version to %d.%d",
+ c->name, c->hostname, c->protocol_major, c->protocol_minor);
+ return false;
+ }
+
+ c->allow_request = METAKEY;
+
+ if(!c->outgoing) {
+ send_id(c);
+ }
+
+ if(c->protocol_minor >= 2) {
+ c->allow_request = ACK;
+
+ const size_t labellen = 25 + strlen(myself->name) + strlen(c->name);
+ char *label = alloca(labellen);
+
+ if(c->outgoing) {
+ snprintf(label, labellen, "tinc TCP key expansion %s %s", myself->name, c->name);
+ } else {
+ snprintf(label, labellen, "tinc TCP key expansion %s %s", c->name, myself->name);
+ }
+
+ return sptps_start(&c->sptps, c, c->outgoing, false, myself->connection->ecdsa, c->ecdsa, label, labellen, send_meta_sptps, receive_meta_sptps);
+ } else {
+ return send_metakey(c);
+ }
+}
+
+#ifndef DISABLE_LEGACY
+bool send_metakey(connection_t *c) {
+ if(!myself->connection->rsa) {
+ logger(DEBUG_CONNECTIONS, LOG_ERR, "Peer %s (%s) uses legacy protocol which we don't support", c->name, c->hostname);
+ return false;
+ }
+
+ if(!read_rsa_public_key(&c->rsa, c->config_tree, c->name)) {
+ return false;
+ }
+
+ /* We need to use a stream mode for the meta protocol. Use AES for this,
+ but try to match the key size with the one from the cipher selected
+ by Cipher.
+ */
+
+ size_t keylen = cipher_keylength(myself->incipher);
+ const char *cipher_name;
+
+ if(keylen <= 16) {
+ cipher_name = "aes-128-cfb";
+ } else if(keylen <= 24) {
+ cipher_name = "aes-192-cfb";
+ } else {
+ cipher_name = "aes-256-cfb";
+ }
+
+ if(!cipher_open_by_name(&c->outcipher, cipher_name)) {
+ return false;
+ }
+
+ c->outbudget = cipher_budget(&c->outcipher);
+
+ if(!digest_open_by_name(&c->outdigest, "sha256", DIGEST_ALGO_SIZE)) {
+ cipher_close(&c->outcipher);
+ return false;
+ }
+
+ const size_t len = rsa_size(c->rsa);
+ char *key = alloca(len);
+ char *enckey = alloca(len);
+ char *hexkey = alloca(2 * len + 1);
+
+ /* Create a random key */
+
+ randomize(key, len);
+
+ /* The message we send must be smaller than the modulus of the RSA key.
+ By definition, for a key of k bits, the following formula holds:
+
+ 2^(k-1) <= modulus < 2^(k)
+
+ Where ^ means "to the power of", not "xor".
+ This means that to be sure, we must choose our message < 2^(k-1).
+ This can be done by setting the most significant bit to zero.
+ */
+
+ key[0] &= 0x7F;
+
+ if(!cipher_set_key_from_rsa(&c->outcipher, key, len, true)) {
+ return false;
+ }
+
+ if(debug_level >= DEBUG_SCARY_THINGS) {
+ bin2hex(key, hexkey, len);
+ logger(DEBUG_SCARY_THINGS, LOG_DEBUG, "Generated random meta key (unencrypted): %s", hexkey);
+ }
+
+ /* Encrypt the random data
+
+ We do not use one of the PKCS padding schemes here.
+ This is allowed, because we encrypt a totally random string
+ with a length equal to that of the modulus of the RSA key.
+ */
+
+ if(!rsa_public_encrypt(c->rsa, key, len, enckey)) {
+ logger(DEBUG_ALWAYS, LOG_ERR, "Error during encryption of meta key for %s (%s)", c->name, c->hostname);
+ return false;
+ }
+
+ /* Convert the encrypted random data to a hexadecimal formatted string */
+
+ bin2hex(enckey, hexkey, len);
+
+ /* Send the meta key */
+
+ bool result = send_request(c, "%d %d %d %d %d %s", METAKEY,
+ cipher_get_nid(&c->outcipher),
+ digest_get_nid(&c->outdigest), c->outmaclength,
+ c->outcompression, hexkey);
+
+ c->status.encryptout = true;
+ return result;