X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fprotocol_key.c;h=cfa2f53ffe0ff36b759009f6779b68ecb65d66eb;hb=cfe9285adf391ab66faeb5def811fe08e47a221a;hp=fcb748f4ea9ee998d555ac5d8f1c0e8ecd5da333;hpb=b23bf132838156d2fe5a18d50a2b5e068ae18ec3;p=tinc diff --git a/src/protocol_key.c b/src/protocol_key.c index fcb748f4..cfa2f53f 100644 --- a/src/protocol_key.c +++ b/src/protocol_key.c @@ -1,7 +1,7 @@ /* protocol_key.c -- handle the meta-protocol, key exchange Copyright (C) 1999-2005 Ivo Timmermans, - 2000-2013 Guus Sliepen + 2000-2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -87,7 +87,7 @@ bool key_changed_h(connection_t *c, const char *request) { return true; } -static bool send_initial_sptps_data(void *handle, uint8_t type, const char *data, size_t len) { +static bool send_initial_sptps_data(void *handle, uint8_t type, const void *data, size_t len) { node_t *to = handle; to->sptps.send_data = send_sptps_data; char buf[len * 4 / 3 + 5]; @@ -124,6 +124,11 @@ bool send_req_key(node_t *to) { static bool req_key_ext_h(connection_t *c, const char *request, node_t *from, int reqno) { switch(reqno) { case REQ_PUBKEY: { + if(!node_read_ecdsa_public_key(from)) { + /* Request their key *before* we send our key back. Otherwise the first SPTPS packet from them will get dropped. */ + logger(DEBUG_PROTOCOL, LOG_DEBUG, "Preemptively requesting Ed25519 key for %s (%s)", from->name, from->hostname); + send_request(from->nexthop->connection, "%d %s %s %d", REQ_KEY, myself->name, from->name, REQ_PUBKEY); + } char *pubkey = ecdsa_get_base64_public_key(myself->connection->ecdsa); send_request(from->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, from->name, ANS_PUBKEY, pubkey); free(pubkey); @@ -250,6 +255,7 @@ bool req_key_h(connection_t *c, const char *request) { return true; } + /* TODO: forwarding SPTPS packets in this way is inefficient because we send them over TCP without checking for UDP connectivity */ send_request(to->nexthop->connection, "%s", request); } @@ -260,6 +266,9 @@ bool send_ans_key(node_t *to) { if(to->status.sptps) abort(); +#ifdef DISABLE_LEGACY + return false; +#else size_t keylen = myself->incipher ? cipher_keylength(myself->incipher) : 1; char key[keylen * 2 + 1]; @@ -300,6 +309,7 @@ bool send_ans_key(node_t *to) { digest_get_nid(to->indigest), (int)digest_length(to->indigest), to->incompression); +#endif } bool ans_key_h(connection_t *c, const char *request) { @@ -365,9 +375,11 @@ bool ans_key_h(connection_t *c, const char *request) { return send_request(to->nexthop->connection, "%s", request); } +#ifndef DISABLE_LEGACY /* Don't use key material until every check has passed. */ cipher_close(from->outcipher); digest_close(from->outdigest); +#endif from->status.validkey = false; if(compression < 0 || compression > 11) { @@ -393,13 +405,19 @@ bool ans_key_h(connection_t *c, const char *request) { update_node_udp(from, &sa); } - if(from->options & OPTION_PMTU_DISCOVERY && !(from->options & OPTION_TCPONLY)) + /* Don't send probes if we can't send UDP packets directly to that node. + TODO: the indirect (via) condition can change at any time as edges are added and removed, so this should probably be moved to graph.c. */ + if((from->via == myself || from->via == from) && from->options & OPTION_PMTU_DISCOVERY && !(from->options & OPTION_TCPONLY)) send_mtu_probe(from); } return true; } +#ifdef DISABLE_LEGACY + logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%) uses legacy protocol!", from->name, from->hostname); + return false; +#else /* Check and lookup cipher and digest algorithms */ if(cipher) { @@ -454,4 +472,5 @@ bool ans_key_h(connection_t *c, const char *request) { send_mtu_probe(from); return true; +#endif }