X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fprotocol_auth.c;h=cd39f28debee0b2d2d7090a4f0cdfedead95ab8e;hb=880d74ad2d8a6d73c2e94ec54df542b88dc0c6f4;hp=ac486ea6f0ba0b34b12eacc75b66990d45f7391f;hpb=53036a58790168e18f524bd923f9a7d34691ba2d;p=tinc diff --git a/src/protocol_auth.c b/src/protocol_auth.c index ac486ea6..cd39f28d 100644 --- a/src/protocol_auth.c +++ b/src/protocol_auth.c @@ -198,7 +198,7 @@ static bool finalize_invitation(connection_t *c, const char *data, uint16_t len) return true; } -static bool receive_invitation_sptps(void *handle, uint8_t type, const char *data, uint16_t len) { +static bool receive_invitation_sptps(void *handle, uint8_t type, const void *data, uint16_t len) { connection_t *c = handle; if(type == 128) @@ -379,13 +379,13 @@ bool id_h(connection_t *c, const char *request) { } if(experimental) - if(!read_ecdsa_public_key(c)) - return false; - } else { - if(c->protocol_minor && !ecdsa_active(c->ecdsa)) - c->protocol_minor = 1; + read_ecdsa_public_key(c); + /* Ignore failures if no key known yet */ } + if(c->protocol_minor && !ecdsa_active(c->ecdsa)) + c->protocol_minor = 1; + /* Forbid version rollback for nodes whose Ed25519 key we know */ if(ecdsa_active(c->ecdsa) && c->protocol_minor < 2) { @@ -412,6 +412,11 @@ bool id_h(connection_t *c, const char *request) { } bool send_metakey(connection_t *c) { + if(!myself->connection->rsa) { + logger(DEBUG_CONNECTIONS, LOG_ERR, "Peer %s (%s) uses legacy protocol which we don't support", c->name, c->hostname); + return false; + } + if(!read_rsa_public_key(c)) return false; @@ -421,7 +426,7 @@ bool send_metakey(connection_t *c) { if(!(c->outdigest = digest_open_sha1(-1))) return false; - size_t len = rsa_size(c->rsa); + const size_t len = rsa_size(c->rsa); char key[len]; char enckey[len]; char hexkey[2 * len + 1]; @@ -478,9 +483,12 @@ bool send_metakey(connection_t *c) { } bool metakey_h(connection_t *c, const char *request) { + if(!myself->connection->rsa) + return false; + char hexkey[MAX_STRING_SIZE]; int cipher, digest, maclength, compression; - size_t len = rsa_size(myself->connection->rsa); + const size_t len = rsa_size(myself->connection->rsa); char enckey[len]; char key[len]; @@ -540,7 +548,7 @@ bool metakey_h(connection_t *c, const char *request) { } bool send_challenge(connection_t *c) { - size_t len = rsa_size(c->rsa); + const size_t len = rsa_size(c->rsa); char buffer[len * 2 + 1]; if(!c->hischallenge) @@ -560,8 +568,11 @@ bool send_challenge(connection_t *c) { } bool challenge_h(connection_t *c, const char *request) { + if(!myself->connection->rsa) + return false; + char buffer[MAX_STRING_SIZE]; - size_t len = rsa_size(myself->connection->rsa); + const size_t len = rsa_size(myself->connection->rsa); size_t digestlen = digest_length(c->indigest); char digest[digestlen]; @@ -726,7 +737,21 @@ static bool upgrade_h(connection_t *c, const char *request) { } if(ecdsa_active(c->ecdsa) || read_ecdsa_public_key(c)) { - logger(DEBUG_ALWAYS, LOG_INFO, "Already have Ed25519 public key from %s (%s), not upgrading.", c->name, c->hostname); + char *knownkey = ecdsa_get_base64_public_key(c->ecdsa); + bool different = strcmp(knownkey, pubkey); + free(knownkey); + if(different) { + logger(DEBUG_ALWAYS, LOG_ERR, "Already have an Ed25519 public key from %s (%s) which is different from the one presented now!", c->name, c->hostname); + return false; + } + logger(DEBUG_ALWAYS, LOG_INFO, "Already have Ed25519 public key from %s (%s), ignoring.", c->name, c->hostname); + c->allow_request = TERMREQ; + return send_termreq(c); + } + + c->ecdsa = ecdsa_set_base64_public_key(pubkey); + if(!c->ecdsa) { + logger(DEBUG_ALWAYS, LOG_INFO, "Got bad Ed25519 public key from %s (%s), not upgrading.", c->name, c->hostname); return false; }