X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fprotocol_auth.c;h=0049cd93a24646f55640412abfcef207c1a7bd65;hb=b13e1a3c1f7252cda5ab95166d9f2d578983471f;hp=e16fe4fcd7d8774b221dcbde8cf6c8691b3c6746;hpb=2c6b2d70e6640f39563ad7bb0aa0ba87f883848c;p=tinc

diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index e16fe4fc..0049cd93 100644
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -1,7 +1,7 @@
 /*
     protocol_auth.c -- handle the meta-protocol, authentication
     Copyright (C) 1999-2005 Ivo Timmermans,
-                  2000-2017 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2022 Guus Sliepen <guus@tinc-vpn.org>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -46,6 +46,9 @@
 #include "ed25519/sha512.h"
 #include "keys.h"
 
+/* If nonzero, use null ciphers and skip all key exchanges. */
+bool bypass_security = false;
+
 int invitation_lifetime;
 ecdsa_t *invitation_key = NULL;
 
@@ -246,7 +249,7 @@ static bool receive_invitation_sptps(void *handle, uint8_t type, const void *dat
 	memcpy(hashbuf, data, 18);
 	memcpy(hashbuf + 18, fingerprint, sizeof(hashbuf) - 18);
 	sha512(hashbuf, sizeof(hashbuf), cookie);
-	b64encode_urlsafe(cookie, cookie, 18);
+	b64encode_tinc_urlsafe(cookie, cookie, 18);
 	free(fingerprint);
 
 	char filename[PATH_MAX], usedname[PATH_MAX];
@@ -287,7 +290,12 @@ static bool receive_invitation_sptps(void *handle, uint8_t type, const void *dat
 
 	// Read the new node's Name from the file
 	char buf[1024] = "";
-	fgets(buf, sizeof(buf), f);
+
+	if(!fgets(buf, sizeof(buf), f)) {
+		logger(DEBUG_ALWAYS, LOG_ERR, "Could not read invitation file %s\n", cookie);
+		return false;
+	}
+
 	size_t buflen = strlen(buf);
 
 	// Strip whitespace at the end
@@ -427,7 +435,7 @@ bool id_h(connection_t *c, const char *request) {
 
 	if(bypass_security) {
 		if(!c->config_tree) {
-			init_configuration(&c->config_tree);
+			c->config_tree = create_configuration();
 		}
 
 		c->allow_request = ACK;
@@ -444,7 +452,7 @@ bool id_h(connection_t *c, const char *request) {
 	}
 
 	if(!c->config_tree) {
-		init_configuration(&c->config_tree);
+		c->config_tree = create_configuration();
 
 		if(!read_host_config(c->config_tree, c->name, false)) {
 			logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s had unknown identity (%s)", c->hostname, c->name);
@@ -509,18 +517,24 @@ bool send_metakey(connection_t *c) {
 	*/
 
 	size_t keylen = cipher_keylength(myself->incipher);
+	const char *cipher_name;
 
 	if(keylen <= 16) {
-		c->outcipher = cipher_open_by_name("aes-128-cfb");
+		cipher_name = "aes-128-cfb";
 	} else if(keylen <= 24) {
-		c->outcipher = cipher_open_by_name("aes-192-cfb");
+		cipher_name = "aes-192-cfb";
 	} else {
-		c->outcipher = cipher_open_by_name("aes-256-cfb");
+		cipher_name = "aes-256-cfb";
+	}
+
+	if(!cipher_open_by_name(&c->outcipher, cipher_name)) {
+		return false;
 	}
 
-	c->outbudget = cipher_budget(c->outcipher);
+	c->outbudget = cipher_budget(&c->outcipher);
 
-	if(!(c->outdigest = digest_open_by_name("sha256", DIGEST_ALGO_SIZE))) {
+	if(!digest_open_by_name(&c->outdigest, "sha256", DIGEST_ALGO_SIZE)) {
+		cipher_close(&c->outcipher);
 		return false;
 	}
 
@@ -545,7 +559,7 @@ bool send_metakey(connection_t *c) {
 
 	key[0] &= 0x7F;
 
-	if(!cipher_set_key_from_rsa(c->outcipher, key, len, true)) {
+	if(!cipher_set_key_from_rsa(&c->outcipher, key, len, true)) {
 		return false;
 	}
 
@@ -573,8 +587,8 @@ bool send_metakey(connection_t *c) {
 	/* Send the meta key */
 
 	bool result = send_request(c, "%d %d %d %d %d %s", METAKEY,
-	                           cipher_get_nid(c->outcipher),
-	                           digest_get_nid(c->outdigest), c->outmaclength,
+	                           cipher_get_nid(&c->outcipher),
+	                           digest_get_nid(&c->outdigest), c->outmaclength,
 	                           c->outcompression, hexkey);
 
 	c->status.encryptout = true;
@@ -623,7 +637,7 @@ bool metakey_h(connection_t *c, const char *request) {
 	/* Check and lookup cipher and digest algorithms */
 
 	if(cipher) {
-		if(!(c->incipher = cipher_open_by_nid(cipher)) || !cipher_set_key_from_rsa(c->incipher, key, len, false)) {
+		if(!cipher_open_by_nid(&c->incipher, cipher) || !cipher_set_key_from_rsa(&c->incipher, key, len, false)) {
 			logger(DEBUG_ALWAYS, LOG_ERR, "Error during initialisation of cipher from %s (%s)", c->name, c->hostname);
 			return false;
 		}
@@ -632,10 +646,10 @@ bool metakey_h(connection_t *c, const char *request) {
 		return false;
 	}
 
-	c->inbudget = cipher_budget(c->incipher);
+	c->inbudget = cipher_budget(&c->incipher);
 
 	if(digest) {
-		if(!(c->indigest = digest_open_by_nid(digest, DIGEST_ALGO_SIZE))) {
+		if(!digest_open_by_nid(&c->indigest, digest, DIGEST_ALGO_SIZE)) {
 			logger(DEBUG_ALWAYS, LOG_ERR, "Error during initialisation of digest from %s (%s)", c->name, c->hostname);
 			return false;
 		}
@@ -709,12 +723,12 @@ bool challenge_h(connection_t *c, const char *request) {
 
 bool send_chal_reply(connection_t *c) {
 	const size_t len = rsa_size(myself->connection->rsa);
-	size_t digestlen = digest_length(c->indigest);
+	size_t digestlen = digest_length(&c->indigest);
 	char digest[digestlen * 2 + 1];
 
 	/* Calculate the hash from the challenge we received */
 
-	if(!digest_create(c->indigest, c->mychallenge, len, digest)) {
+	if(!digest_create(&c->indigest, c->mychallenge, len, digest)) {
 		return false;
 	}
 
@@ -745,7 +759,7 @@ bool chal_reply_h(connection_t *c, const char *request) {
 
 	/* Check if the length of the hash is all right */
 
-	if(inlen != digest_length(c->outdigest)) {
+	if(inlen != digest_length(&c->outdigest)) {
 		logger(DEBUG_ALWAYS, LOG_ERR, "Possible intruder %s (%s): %s", c->name, c->hostname, "wrong challenge reply length");
 		return false;
 	}
@@ -753,7 +767,7 @@ bool chal_reply_h(connection_t *c, const char *request) {
 
 	/* Verify the hash */
 
-	if(!digest_verify(c->outdigest, c->hischallenge, rsa_size(c->rsa), hishash)) {
+	if(!digest_verify(&c->outdigest, c->hischallenge, rsa_size(c->rsa), hishash)) {
 		logger(DEBUG_ALWAYS, LOG_ERR, "Possible intruder %s (%s): %s", c->name, c->hostname, "wrong challenge reply");
 		return false;
 	}
@@ -865,7 +879,7 @@ bool send_ack(connection_t *c) {
 	}
 
 	if(!get_config_int(lookup_config(c->config_tree, "Weight"), &c->estimated_weight)) {
-		get_config_int(lookup_config(config_tree, "Weight"), &c->estimated_weight);
+		get_config_int(lookup_config(&config_tree, "Weight"), &c->estimated_weight);
 	}
 
 	return send_request(c, "%d %s %d %x", ACK, myport, c->estimated_weight, (c->options & 0xffffff) | (experimental ? (PROT_MINOR << 24) : 0));
@@ -886,19 +900,19 @@ static void send_everything(connection_t *c) {
 	}
 
 	if(tunnelserver) {
-		for splay_each(subnet_t, s, myself->subnet_tree) {
+		for splay_each(subnet_t, s, &myself->subnet_tree) {
 			send_add_subnet(c, s);
 		}
 
 		return;
 	}
 
-	for splay_each(node_t, n, node_tree) {
-		for splay_each(subnet_t, s, n->subnet_tree) {
+	for splay_each(node_t, n, &node_tree) {
+		for splay_each(subnet_t, s, &n->subnet_tree) {
 			send_add_subnet(c, s);
 		}
 
-		for splay_each(edge_t, e, n->edge_tree) {
+		for splay_each(edge_t, e, &n->edge_tree) {
 			send_add_edge(c, e);
 		}
 	}
@@ -1005,7 +1019,7 @@ bool ack_h(connection_t *c, const char *request) {
 		n->mtu = mtu;
 	}
 
-	if(get_config_int(lookup_config(config_tree, "PMTU"), &mtu) && mtu < n->mtu) {
+	if(get_config_int(lookup_config(&config_tree, "PMTU"), &mtu) && mtu < n->mtu) {
 		n->mtu = mtu;
 	}