projects / tinc / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Make build files compatible with muon
[tinc] / src / protocol_auth.c
diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index 2225457..7a3e6dd 100644 (file)
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -43,6 +43,7 @@
 #include "xalloc.h"
 #include "random.h"
 #include "compression.h"
+#include "proxy.h"
 
 #include "ed25519/sha512.h"
 #include "keys.h"
@@ -66,84 +67,12 @@ static bool send_proxyrequest(connection_t *c) {
                return true;
        }
 
-       case PROXY_SOCKS4: {
-               if(c->address.sa.sa_family != AF_INET) {
-                       logger(DEBUG_ALWAYS, LOG_ERR, "Cannot connect to an IPv6 host through a SOCKS 4 proxy!");
-                       return false;
-               }
-
-               const size_t s4reqlen = 9 + (proxyuser ? strlen(proxyuser) : 0);
-               uint8_t *s4req = alloca(s4reqlen);
-               s4req[0] = 4;
-               s4req[1] = 1;
-               memcpy(s4req + 2, &c->address.in.sin_port, 2);
-               memcpy(s4req + 4, &c->address.in.sin_addr, 4);
-
-               if(proxyuser) {
-                       memcpy(s4req + 8, proxyuser, strlen(proxyuser));
-               }
-
-               s4req[s4reqlen - 1] = 0;
-               c->tcplen = 8;
-               return send_meta(c, s4req, s4reqlen);
-       }
-
+       case PROXY_SOCKS4:
        case PROXY_SOCKS5: {
-               size_t len = 3 + 6 + (c->address.sa.sa_family == AF_INET ? 4 : 16);
-               c->tcplen = 2;
-
-               if(proxypass) {
-                       len += 3 + strlen(proxyuser) + strlen(proxypass);
-               }
-
-               uint8_t *s5req = alloca(len);
-
-               size_t i = 0;
-               s5req[i++] = 5;
-               s5req[i++] = 1;
-
-               if(proxypass) {
-                       s5req[i++] = 2;
-                       s5req[i++] = 1;
-                       s5req[i++] = strlen(proxyuser);
-                       memcpy(s5req + i, proxyuser, strlen(proxyuser));
-                       i += strlen(proxyuser);
-                       s5req[i++] = strlen(proxypass);
-                       memcpy(s5req + i, proxypass, strlen(proxypass));
-                       i += strlen(proxypass);
-                       c->tcplen += 2;
-               } else {
-                       s5req[i++] = 0;
-               }
-
-               s5req[i++] = 5;
-               s5req[i++] = 1;
-               s5req[i++] = 0;
-
-               if(c->address.sa.sa_family == AF_INET) {
-                       s5req[i++] = 1;
-                       memcpy(s5req + i, &c->address.in.sin_addr, 4);
-                       i += 4;
-                       memcpy(s5req + i, &c->address.in.sin_port, 2);
-                       i += 2;
-                       c->tcplen += 10;
-               } else if(c->address.sa.sa_family == AF_INET6) {
-                       s5req[i++] = 3;
-                       memcpy(s5req + i, &c->address.in6.sin6_addr, 16);
-                       i += 16;
-                       memcpy(s5req + i, &c->address.in6.sin6_port, 2);
-                       i += 2;
-                       c->tcplen += 22;
-               } else {
-                       logger(DEBUG_ALWAYS, LOG_ERR, "Address family %x not supported for SOCKS 5 proxies!", c->address.sa.sa_family);
-                       return false;
-               }
-
-               if(i > len) {
-                       abort();
-               }
-
-               return send_meta(c, s5req, len);
+               size_t reqlen = socks_req_len(proxytype, &c->address);
+               uint8_t *req = alloca(reqlen);
+               c->tcplen = create_socks_req(proxytype, req, &c->address);
+               return c->tcplen ? send_meta(c, req, reqlen) : false;
        }
 
        case PROXY_SOCKS4A:
@@ -153,6 +82,7 @@ static bool send_proxyrequest(connection_t *c) {
        case PROXY_EXEC:
                return true;
 
+       case PROXY_NONE:
        default:
                logger(DEBUG_ALWAYS, LOG_ERR, "Unknown proxy type");
                return false;
@@ -165,7 +95,7 @@ bool send_id(connection_t *c) {
        int minor = 0;
 
        if(experimental) {
-               if(c->outgoing && !read_ecdsa_public_key(&c->ecdsa, &c->config_tree, c->name)) {
+               if(c->outgoing && !ecdsa_active(c->ecdsa) && !(c->ecdsa = read_ecdsa_public_key(&c->config_tree, c->name))) {
                        minor = 1;
                } else {
                        minor = myself->connection->protocol_minor;
@@ -470,8 +400,8 @@ bool id_h(connection_t *c, const char *request) {
                        return false;
                }
 
-               if(experimental) {
-                       read_ecdsa_public_key(&c->ecdsa, &c->config_tree, c->name);
+               if(experimental && !ecdsa_active(c->ecdsa)) {
+                       c->ecdsa = read_ecdsa_public_key(&c->config_tree, c->name);
                }
 
                /* Ignore failures if no key known yet */
@@ -554,9 +484,10 @@ bool send_metakey(connection_t *c) {
        }
 
        const size_t len = rsa_size(ctx->rsa);
+       const size_t hexkeylen = HEX_SIZE(len);
        char *key = alloca(len);
        char *enckey = alloca(len);
-       char *hexkey = alloca(2 * len + 1);
+       char *hexkey = alloca(hexkeylen);
 
        /* Create a random key */
 
@@ -576,12 +507,14 @@ bool send_metakey(connection_t *c) {
 
        if(!cipher_set_key_from_rsa(&ctx->out.cipher, key, len, true)) {
                free_legacy_ctx(ctx);
+               memzero(key, len);
                return false;
        }
 
        if(debug_level >= DEBUG_SCARY_THINGS) {
                bin2hex(key, hexkey, len);
                logger(DEBUG_SCARY_THINGS, LOG_DEBUG, "Generated random meta key (unencrypted): %s", hexkey);
+               memzero(hexkey, hexkeylen);
        }
 
        /* Encrypt the random data
@@ -591,7 +524,10 @@ bool send_metakey(connection_t *c) {
           with a length equal to that of the modulus of the RSA key.
         */
 
-       if(!rsa_public_encrypt(ctx->rsa, key, len, enckey)) {
+       bool encrypted = rsa_public_encrypt(ctx->rsa, key, len, enckey);
+       memzero(key, len);
+
+       if(!encrypted) {
                free_legacy_ctx(ctx);
                logger(DEBUG_ALWAYS, LOG_ERR, "Error during encryption of meta key for %s (%s)", c->name, c->hostname);
                return false;
@@ -631,6 +567,11 @@ bool metakey_h(connection_t *c, const char *request) {
                return false;
        }
 
+       if(!cipher || !digest) {
+               logger(DEBUG_ALWAYS, LOG_ERR, "Possible intruder %s (%s): cipher %d, digest %d", c->name, c->hostname, cipher, digest);
+               return false;
+       }
+
        /* Convert the challenge from hexadecimal back to binary */
 
        size_t inlen = hex2bin(hexkey, enckey, len);
@@ -652,26 +593,26 @@ bool metakey_h(connection_t *c, const char *request) {
        if(debug_level >= DEBUG_SCARY_THINGS) {
                bin2hex(key, hexkey, len);
                logger(DEBUG_SCARY_THINGS, LOG_DEBUG, "Received random meta key (unencrypted): %s", hexkey);
+               // Hopefully the user knew what he was doing leaking session keys into logs. We'll do the right thing here anyway.
+               memzero(hexkey, HEX_SIZE(len));
        }
 
        /* Check and lookup cipher and digest algorithms */
 
-       if(!cipher || !digest) {
-               logger(DEBUG_ALWAYS, LOG_ERR, "Possible intruder %s (%s): cipher %d, digest %d", c->name, c->hostname, cipher, digest);
-               return false;
-       }
-
        if(!init_crypto_by_nid(&c->legacy->in, cipher, digest)) {
+               memzero(key, len);
                logger(DEBUG_ALWAYS, LOG_ERR, "Error during initialisation of cipher or digest from %s (%s)", c->name, c->hostname);
                return false;
        }
 
-       if(!cipher_set_key_from_rsa(&c->legacy->in.cipher, key, len, false)) {
+       bool key_set = cipher_set_key_from_rsa(&c->legacy->in.cipher, key, len, false);
+       memzero(key, len);
+
+       if(!key_set) {
                logger(DEBUG_ALWAYS, LOG_ERR, "Error setting RSA key for %s (%s)", c->name, c->hostname);
                return false;
        }
 
-
        c->status.decryptin = true;
 
        c->allow_request = CHALLENGE;
@@ -940,7 +881,7 @@ static bool upgrade_h(connection_t *c, const char *request) {
                return false;
        }
 
-       if(ecdsa_active(c->ecdsa) || read_ecdsa_public_key(&c->ecdsa, &c->config_tree, c->name)) {
+       if(ecdsa_active(c->ecdsa) || (c->ecdsa = read_ecdsa_public_key(&c->config_tree, c->name))) {
                char *knownkey = ecdsa_get_base64_public_key(c->ecdsa);
                bool different = strcmp(knownkey, pubkey);
                free(knownkey);
tinc, the VPN daemon