Make datagram SPTPS key exchange more robust.

[tinc] / src / protocol_key.c

diff --git a/src/protocol_key.c b/src/protocol_key.c
index fbd3c16..3e8d29a 100644 (file)
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -116,6 +116,8 @@ bool send_req_key(node_t *to) {
                snprintf(label, sizeof label, "tinc UDP key expansion %s %s", myself->name, to->name);
                sptps_stop(&to->sptps);
                to->status.validkey = false;
+               to->status.waitingforkey = true;
+               to->last_req_key = time(NULL);
                to->incompression = myself->incompression;
                return sptps_start(&to->sptps, to, true, true, myself->connection->ecdsa, to->ecdsa, label, sizeof label, send_initial_sptps_data, receive_sptps_record); 
        }
@@ -172,6 +174,8 @@ static bool req_key_ext_h(connection_t *c, const char *request, node_t *from, in
                        snprintf(label, sizeof label, "tinc UDP key expansion %s %s", from->name, myself->name);
                        sptps_stop(&from->sptps);
                        from->status.validkey = false;
+                       from->status.waitingforkey = true;
+                       from->last_req_key = time(NULL);
                        sptps_start(&from->sptps, from, false, true, myself->connection->ecdsa, from->ecdsa, label, sizeof label, send_sptps_data, receive_sptps_record); 
                        sptps_receive_data(&from->sptps, buf, len);
                        return true;
@@ -334,6 +338,9 @@ bool ans_key_h(connection_t *c, const char *request) {
                return send_request(to->nexthop->connection, "%s", request);
        }
 
+       /* Don't use key material until every check has passed. */
+       from->status.validkey = false;
+
        if(compression < 0 || compression > 11) {
                logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses bogus compression level!", from->name, from->hostname);
                return true;