projects / tinc / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Improve recently seen address cache
[tinc] / src / protocol_auth.c
diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index d1eb6c2..263a131 100644 (file)
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -42,6 +42,9 @@
 #include "utils.h"
 #include "xalloc.h"
 #include "random.h"
+#include "compression.h"
+#include "proxy.h"
+#include "address_cache.h"
 
 #include "ed25519/sha512.h"
 #include "keys.h"
@@ -65,84 +68,12 @@ static bool send_proxyrequest(connection_t *c) {
                return true;
        }
 
-       case PROXY_SOCKS4: {
-               if(c->address.sa.sa_family != AF_INET) {
-                       logger(DEBUG_ALWAYS, LOG_ERR, "Cannot connect to an IPv6 host through a SOCKS 4 proxy!");
-                       return false;
-               }
-
-               const size_t s4reqlen = 9 + (proxyuser ? strlen(proxyuser) : 0);
-               uint8_t *s4req = alloca(s4reqlen);
-               s4req[0] = 4;
-               s4req[1] = 1;
-               memcpy(s4req + 2, &c->address.in.sin_port, 2);
-               memcpy(s4req + 4, &c->address.in.sin_addr, 4);
-
-               if(proxyuser) {
-                       memcpy(s4req + 8, proxyuser, strlen(proxyuser));
-               }
-
-               s4req[s4reqlen - 1] = 0;
-               c->tcplen = 8;
-               return send_meta(c, s4req, s4reqlen);
-       }
-
+       case PROXY_SOCKS4:
        case PROXY_SOCKS5: {
-               size_t len = 3 + 6 + (c->address.sa.sa_family == AF_INET ? 4 : 16);
-               c->tcplen = 2;
-
-               if(proxypass) {
-                       len += 3 + strlen(proxyuser) + strlen(proxypass);
-               }
-
-               uint8_t *s5req = alloca(len);
-
-               size_t i = 0;
-               s5req[i++] = 5;
-               s5req[i++] = 1;
-
-               if(proxypass) {
-                       s5req[i++] = 2;
-                       s5req[i++] = 1;
-                       s5req[i++] = strlen(proxyuser);
-                       memcpy(s5req + i, proxyuser, strlen(proxyuser));
-                       i += strlen(proxyuser);
-                       s5req[i++] = strlen(proxypass);
-                       memcpy(s5req + i, proxypass, strlen(proxypass));
-                       i += strlen(proxypass);
-                       c->tcplen += 2;
-               } else {
-                       s5req[i++] = 0;
-               }
-
-               s5req[i++] = 5;
-               s5req[i++] = 1;
-               s5req[i++] = 0;
-
-               if(c->address.sa.sa_family == AF_INET) {
-                       s5req[i++] = 1;
-                       memcpy(s5req + i, &c->address.in.sin_addr, 4);
-                       i += 4;
-                       memcpy(s5req + i, &c->address.in.sin_port, 2);
-                       i += 2;
-                       c->tcplen += 10;
-               } else if(c->address.sa.sa_family == AF_INET6) {
-                       s5req[i++] = 3;
-                       memcpy(s5req + i, &c->address.in6.sin6_addr, 16);
-                       i += 16;
-                       memcpy(s5req + i, &c->address.in6.sin6_port, 2);
-                       i += 2;
-                       c->tcplen += 22;
-               } else {
-                       logger(DEBUG_ALWAYS, LOG_ERR, "Address family %x not supported for SOCKS 5 proxies!", c->address.sa.sa_family);
-                       return false;
-               }
-
-               if(i > len) {
-                       abort();
-               }
-
-               return send_meta(c, s5req, len);
+               size_t reqlen = socks_req_len(proxytype, &c->address);
+               uint8_t *req = alloca(reqlen);
+               c->tcplen = create_socks_req(proxytype, req, &c->address);
+               return c->tcplen ? send_meta(c, req, reqlen) : false;
        }
 
        case PROXY_SOCKS4A:
@@ -152,6 +83,7 @@ static bool send_proxyrequest(connection_t *c) {
        case PROXY_EXEC:
                return true;
 
+       case PROXY_NONE:
        default:
                logger(DEBUG_ALWAYS, LOG_ERR, "Unknown proxy type");
                return false;
@@ -164,7 +96,7 @@ bool send_id(connection_t *c) {
        int minor = 0;
 
        if(experimental) {
-               if(c->outgoing && !read_ecdsa_public_key(&c->ecdsa, &c->config_tree, c->name)) {
+               if(c->outgoing && !ecdsa_active(c->ecdsa) && !(c->ecdsa = read_ecdsa_public_key(&c->config_tree, c->name))) {
                        minor = 1;
                } else {
                        minor = myself->connection->protocol_minor;
@@ -208,6 +140,22 @@ static bool finalize_invitation(connection_t *c, const char *data, uint16_t len)
 
        logger(DEBUG_CONNECTIONS, LOG_INFO, "Key successfully received from %s (%s)", c->name, c->hostname);
 
+       if(!c->node) {
+               c->node = lookup_node(c->name);
+       }
+
+       if(!c->node) {
+               c->node = new_node(c->name);
+               c->node->connection = c;
+               node_add(c->node);
+       }
+
+       if(!c->node->address_cache) {
+               c->node->address_cache = open_address_cache(c->node);
+       }
+
+       add_recent_address(c->node->address_cache, &c->address);
+
        // Call invitation-accepted script
        environment_t env;
        char *address, *port;
@@ -469,8 +417,8 @@ bool id_h(connection_t *c, const char *request) {
                        return false;
                }
 
-               if(experimental) {
-                       read_ecdsa_public_key(&c->ecdsa, &c->config_tree, c->name);
+               if(experimental && !ecdsa_active(c->ecdsa)) {
+                       c->ecdsa = read_ecdsa_public_key(&c->config_tree, c->name);
                }
 
                /* Ignore failures if no key known yet */
@@ -553,9 +501,10 @@ bool send_metakey(connection_t *c) {
        }
 
        const size_t len = rsa_size(ctx->rsa);
+       const size_t hexkeylen = HEX_SIZE(len);
        char *key = alloca(len);
        char *enckey = alloca(len);
-       char *hexkey = alloca(2 * len + 1);
+       char *hexkey = alloca(hexkeylen);
 
        /* Create a random key */
 
@@ -575,12 +524,14 @@ bool send_metakey(connection_t *c) {
 
        if(!cipher_set_key_from_rsa(&ctx->out.cipher, key, len, true)) {
                free_legacy_ctx(ctx);
+               memzero(key, len);
                return false;
        }
 
        if(debug_level >= DEBUG_SCARY_THINGS) {
                bin2hex(key, hexkey, len);
                logger(DEBUG_SCARY_THINGS, LOG_DEBUG, "Generated random meta key (unencrypted): %s", hexkey);
+               memzero(hexkey, hexkeylen);
        }
 
        /* Encrypt the random data
@@ -590,7 +541,10 @@ bool send_metakey(connection_t *c) {
           with a length equal to that of the modulus of the RSA key.
         */
 
-       if(!rsa_public_encrypt(ctx->rsa, key, len, enckey)) {
+       bool encrypted = rsa_public_encrypt(ctx->rsa, key, len, enckey);
+       memzero(key, len);
+
+       if(!encrypted) {
                free_legacy_ctx(ctx);
                logger(DEBUG_ALWAYS, LOG_ERR, "Error during encryption of meta key for %s (%s)", c->name, c->hostname);
                return false;
@@ -608,7 +562,7 @@ bool send_metakey(connection_t *c) {
        bool result = send_request(c, "%d %d %d %d %d %s", METAKEY,
                                   cipher_get_nid(&c->legacy->out.cipher),
                                   digest_get_nid(&c->legacy->out.digest), c->outmaclength,
-                                  c->outcompression, hexkey);
+                                  COMPRESS_NONE, hexkey);
 
        c->status.encryptout = true;
        return result;
@@ -630,6 +584,11 @@ bool metakey_h(connection_t *c, const char *request) {
                return false;
        }
 
+       if(!cipher || !digest) {
+               logger(DEBUG_ALWAYS, LOG_ERR, "Possible intruder %s (%s): cipher %d, digest %d", c->name, c->hostname, cipher, digest);
+               return false;
+       }
+
        /* Convert the challenge from hexadecimal back to binary */
 
        size_t inlen = hex2bin(hexkey, enckey, len);
@@ -651,26 +610,26 @@ bool metakey_h(connection_t *c, const char *request) {
        if(debug_level >= DEBUG_SCARY_THINGS) {
                bin2hex(key, hexkey, len);
                logger(DEBUG_SCARY_THINGS, LOG_DEBUG, "Received random meta key (unencrypted): %s", hexkey);
+               // Hopefully the user knew what he was doing leaking session keys into logs. We'll do the right thing here anyway.
+               memzero(hexkey, HEX_SIZE(len));
        }
 
        /* Check and lookup cipher and digest algorithms */
 
-       if(!cipher || !digest) {
-               logger(DEBUG_ALWAYS, LOG_ERR, "Possible intruder %s (%s): cipher %d, digest %d", c->name, c->hostname, cipher, digest);
-               return false;
-       }
-
        if(!init_crypto_by_nid(&c->legacy->in, cipher, digest)) {
+               memzero(key, len);
                logger(DEBUG_ALWAYS, LOG_ERR, "Error during initialisation of cipher or digest from %s (%s)", c->name, c->hostname);
                return false;
        }
 
-       if(!cipher_set_key_from_rsa(&c->legacy->in.cipher, key, len, false)) {
+       bool key_set = cipher_set_key_from_rsa(&c->legacy->in.cipher, key, len, false);
+       memzero(key, len);
+
+       if(!key_set) {
                logger(DEBUG_ALWAYS, LOG_ERR, "Error setting RSA key for %s (%s)", c->name, c->hostname);
                return false;
        }
 
-
        c->status.decryptin = true;
 
        c->allow_request = CHALLENGE;
@@ -939,7 +898,7 @@ static bool upgrade_h(connection_t *c, const char *request) {
                return false;
        }
 
-       if(ecdsa_active(c->ecdsa) || read_ecdsa_public_key(&c->ecdsa, &c->config_tree, c->name)) {
+       if(ecdsa_active(c->ecdsa) || (c->ecdsa = read_ecdsa_public_key(&c->config_tree, c->name))) {
                char *knownkey = ecdsa_get_base64_public_key(c->ecdsa);
                bool different = strcmp(knownkey, pubkey);
                free(knownkey);
@@ -994,8 +953,7 @@ bool ack_h(connection_t *c, const char *request) {
        n = lookup_node(c->name);
 
        if(!n) {
-               n = new_node();
-               n->name = xstrdup(c->name);
+               n = new_node(c->name);
                node_add(n);
        } else {
                if(n->connection) {
tinc, the VPN daemon