X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fprotocol_auth.c;h=499e6869ed38c69076dc67b9a4ffd065711b4271;hb=465837dd7f7b727d489b354e4b75489dd49fd6e3;hp=05f547f22ac5b8ae2f751b8c2023fc9af3ebe07f;hpb=dc09f6fe896f5e35fffe8cc2004781b2e1b6fd5a;p=tinc diff --git a/src/protocol_auth.c b/src/protocol_auth.c index 05f547f2..499e6869 100644 --- a/src/protocol_auth.c +++ b/src/protocol_auth.c @@ -1,7 +1,7 @@ /* protocol_auth.c -- handle the meta-protocol, authentication - Copyright (C) 1999-2004 Ivo Timmermans , - 2000-2004 Guus Sliepen + Copyright (C) 1999-2005 Ivo Timmermans, + 2000-2007 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -27,7 +27,7 @@ #include #include -#include "avl_tree.h" +#include "splay_tree.h" #include "conf.h" #include "connection.h" #include "edge.h" @@ -37,24 +37,23 @@ #include "netutl.h" #include "node.h" #include "protocol.h" +#include "rsa.h" #include "utils.h" #include "xalloc.h" -bool send_id(connection_t *c) -{ +bool send_id(connection_t *c) { cp(); return send_request(c, "%d %s %d", ID, myself->connection->name, myself->connection->protocol_version); } -bool id_h(connection_t *c) -{ +bool id_h(connection_t *c, char *request) { char name[MAX_STRING_SIZE]; cp(); - if(sscanf(c->buffer, "%*d " MAX_STRING " %d", name, &c->protocol_version) != 2) { + if(sscanf(request, "%*d " MAX_STRING " %d", name, &c->protocol_version) != 2) { logger(LOG_ERR, _("Got bad %s from %s (%s)"), "ID", c->name, c->hostname); return false; @@ -68,9 +67,9 @@ bool id_h(connection_t *c) return false; } - /* If we set c->name in advance, make sure we are connected to the right host */ + /* If this is an outgoing connection, make sure we are connected to the right host */ - if(c->name) { + if(c->outgoing) { if(strcmp(c->name, name)) { logger(LOG_ERR, _("Peer %s is %s instead of %s"), c->hostname, name, c->name); @@ -116,18 +115,19 @@ bool id_h(connection_t *c) return send_metakey(c); } -bool send_metakey(connection_t *c) -{ - char buffer[MAX_STRING_SIZE]; - int len; +bool send_metakey(connection_t *c) { + char *buffer; + unsigned int len; bool x; cp(); - len = RSA_size(c->rsa_key); + len = get_rsa_size(&c->rsa_key); /* Allocate buffers for the meta key */ + buffer = alloca(2 * len + 1); + if(!c->outkey) c->outkey = xmalloc(len); @@ -136,7 +136,7 @@ bool send_metakey(connection_t *c) cp(); /* Copy random data to the buffer */ - RAND_pseudo_bytes(c->outkey, len); + RAND_pseudo_bytes((unsigned char *)c->outkey, len); /* The message we send must be smaller than the modulus of the RSA key. By definition, for a key of k bits, the following formula holds: @@ -164,7 +164,7 @@ bool send_metakey(connection_t *c) with a length equal to that of the modulus of the RSA key. */ - if(RSA_public_encrypt(len, c->outkey, buffer, c->rsa_key, RSA_NO_PADDING) != len) { + if(!rsa_public_encrypt(len, (unsigned char *)c->outkey, (unsigned char *)buffer, &c->rsa_key)) { logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), c->name, c->hostname); return false; @@ -186,8 +186,8 @@ bool send_metakey(connection_t *c) if(c->outcipher) { if(!EVP_EncryptInit(c->outctx, c->outcipher, - c->outkey + len - c->outcipher->key_len, - c->outkey + len - c->outcipher->key_len - + (unsigned char *)c->outkey + len - c->outcipher->key_len, + (unsigned char *)c->outkey + len - c->outcipher->key_len - c->outcipher->iv_len)) { logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"), c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); @@ -200,21 +200,20 @@ bool send_metakey(connection_t *c) return x; } -bool metakey_h(connection_t *c) -{ +bool metakey_h(connection_t *c, char *request) { char buffer[MAX_STRING_SIZE]; int cipher, digest, maclength, compression; int len; cp(); - if(sscanf(c->buffer, "%*d %d %d %d %d " MAX_STRING, &cipher, &digest, &maclength, &compression, buffer) != 5) { + if(sscanf(request, "%*d %d %d %d %d " MAX_STRING, &cipher, &digest, &maclength, &compression, buffer) != 5) { logger(LOG_ERR, _("Got bad %s from %s (%s)"), "METAKEY", c->name, c->hostname); return false; } - len = RSA_size(myself->connection->rsa_key); + len = get_rsa_size(&myself->connection->rsa_key); /* Check if the length of the meta key is all right */ @@ -237,9 +236,8 @@ bool metakey_h(connection_t *c) /* Decrypt the meta key */ - if(RSA_private_decrypt(len, buffer, c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) { /* See challenge() */ - logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), - c->name, c->hostname); + if(!rsa_private_decrypt(len, (unsigned char *)buffer, (unsigned char *)c->inkey, &myself->connection->rsa_key)) { + logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), c->name, c->hostname); return false; } @@ -262,8 +260,8 @@ bool metakey_h(connection_t *c) } if(!EVP_DecryptInit(c->inctx, c->incipher, - c->inkey + len - c->incipher->key_len, - c->inkey + len - c->incipher->key_len - + (unsigned char *)c->inkey + len - c->incipher->key_len, + (unsigned char *)c->inkey + len - c->incipher->key_len - c->incipher->iv_len)) { logger(LOG_ERR, _("Error during initialisation of cipher from %s (%s): %s"), c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); @@ -300,25 +298,26 @@ bool metakey_h(connection_t *c) return send_challenge(c); } -bool send_challenge(connection_t *c) -{ - char buffer[MAX_STRING_SIZE]; +bool send_challenge(connection_t *c) { + char *buffer; int len; cp(); /* CHECKME: what is most reasonable value for len? */ - len = RSA_size(c->rsa_key); + len = get_rsa_size(&c->rsa_key); /* Allocate buffers for the challenge */ + buffer = alloca(2 * len + 1); + if(!c->hischallenge) c->hischallenge = xmalloc(len); /* Copy random data to the buffer */ - RAND_pseudo_bytes(c->hischallenge, len); + RAND_pseudo_bytes((unsigned char *)c->hischallenge, len); /* Convert to hex */ @@ -330,20 +329,19 @@ bool send_challenge(connection_t *c) return send_request(c, "%d %s", CHALLENGE, buffer); } -bool challenge_h(connection_t *c) -{ +bool challenge_h(connection_t *c, char *request) { char buffer[MAX_STRING_SIZE]; int len; cp(); - if(sscanf(c->buffer, "%*d " MAX_STRING, buffer) != 1) { + if(sscanf(request, "%*d " MAX_STRING, buffer) != 1) { logger(LOG_ERR, _("Got bad %s from %s (%s)"), "CHALLENGE", c->name, c->hostname); return false; } - len = RSA_size(myself->connection->rsa_key); + len = get_rsa_size(&myself->connection->rsa_key); /* Check if the length of the challenge is all right */ @@ -369,8 +367,7 @@ bool challenge_h(connection_t *c) return send_chal_reply(c); } -bool send_chal_reply(connection_t *c) -{ +bool send_chal_reply(connection_t *c) { char hash[EVP_MAX_MD_SIZE * 2 + 1]; EVP_MD_CTX ctx; @@ -379,8 +376,8 @@ bool send_chal_reply(connection_t *c) /* Calculate the hash from the challenge we received */ if(!EVP_DigestInit(&ctx, c->indigest) - || !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key)) - || !EVP_DigestFinal(&ctx, hash, NULL)) { + || !EVP_DigestUpdate(&ctx, c->mychallenge, get_rsa_size(&myself->connection->rsa_key)) + || !EVP_DigestFinal(&ctx, (unsigned char *)hash, NULL)) { logger(LOG_ERR, _("Error during calculation of response for %s (%s): %s"), c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); return false; @@ -396,15 +393,14 @@ bool send_chal_reply(connection_t *c) return send_request(c, "%d %s", CHAL_REPLY, hash); } -bool chal_reply_h(connection_t *c) -{ +bool chal_reply_h(connection_t *c, char *request) { char hishash[MAX_STRING_SIZE]; char myhash[EVP_MAX_MD_SIZE]; EVP_MD_CTX ctx; cp(); - if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) { + if(sscanf(request, "%*d " MAX_STRING, hishash) != 1) { logger(LOG_ERR, _("Got bad %s from %s (%s)"), "CHAL_REPLY", c->name, c->hostname); return false; @@ -425,8 +421,8 @@ bool chal_reply_h(connection_t *c) /* Calculate the hash from the challenge we sent */ if(!EVP_DigestInit(&ctx, c->outdigest) - || !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key)) - || !EVP_DigestFinal(&ctx, myhash, NULL)) { + || !EVP_DigestUpdate(&ctx, c->hischallenge, get_rsa_size(&c->rsa_key)) + || !EVP_DigestFinal(&ctx, (unsigned char *)myhash, NULL)) { logger(LOG_ERR, _("Error during calculation of response from %s (%s): %s"), c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); return false; @@ -456,8 +452,7 @@ bool chal_reply_h(connection_t *c) return send_ack(c); } -bool send_ack(connection_t *c) -{ +bool send_ack(connection_t *c) { /* ACK message contains rest of the information the other end needs to create node_t and edge_t structures. */ @@ -487,9 +482,8 @@ bool send_ack(connection_t *c) return send_request(c, "%d %s %d %lx", ACK, myport, c->estimated_weight, c->options); } -static void send_everything(connection_t *c) -{ - avl_node_t *node, *node2; +static void send_everything(connection_t *c) { + splay_node_t *node, *node2; node_t *n; subnet_t *s; edge_t *e; @@ -520,8 +514,7 @@ static void send_everything(connection_t *c) } } -bool ack_h(connection_t *c) -{ +bool ack_h(connection_t *c, char *request) { char hisport[MAX_STRING_SIZE]; char *hisaddress, *dummy; int weight, mtu; @@ -530,7 +523,7 @@ bool ack_h(connection_t *c) cp(); - if(sscanf(c->buffer, "%*d " MAX_STRING " %d %lx", hisport, &weight, &options) != 3) { + if(sscanf(request, "%*d " MAX_STRING " %d %lx", hisport, &weight, &options) != 3) { logger(LOG_ERR, _("Got bad %s from %s (%s)"), "ACK", c->name, c->hostname); return false; @@ -547,8 +540,17 @@ bool ack_h(connection_t *c) } else { if(n->connection) { /* Oh dear, we already have a connection to this node. */ - ifdebug(CONNECTIONS) logger(LOG_DEBUG, _("Established a second connection with %s (%s), closing old connection"), - n->name, n->hostname); + ifdebug(CONNECTIONS) logger(LOG_DEBUG, _("Established a second connection with %s (%s), closing old connection"), n->connection->name, n->connection->hostname); + + if(n->connection->outgoing) { + if(c->outgoing) + logger(LOG_WARNING, _("Two outgoing connections to the same node!")); + else + c->outgoing = n->connection->outgoing; + + n->connection->outgoing = NULL; + } + terminate_connection(n->connection, false); /* Run graph algorithm to purge key and make sure up/down scripts are rerun with new IP addresses and stuff */ graph();