X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fprotocol_key.c;h=e838f6135578ea8d8dcd3db2dcd6fe14e89e1bc9;hb=b0d80c7f28528c2c8857c5662b4aca779b3184bb;hp=c042c4b5e259f5dc2c463aa9a2654875499dbc47;hpb=d1ec010660905ae0b99d783737350ccc08b37b16;p=tinc diff --git a/src/protocol_key.c b/src/protocol_key.c index c042c4b5..e838f613 100644 --- a/src/protocol_key.c +++ b/src/protocol_key.c @@ -1,7 +1,7 @@ /* protocol_key.c -- handle the meta-protocol, key exchange Copyright (C) 1999-2005 Ivo Timmermans, - 2000-2012 Guus Sliepen + 2000-2013 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -98,18 +98,22 @@ static bool send_initial_sptps_data(void *handle, uint8_t type, const char *data bool send_req_key(node_t *to) { if(to->status.sptps) { if(!node_read_ecdsa_public_key(to)) { - logger(DEBUG_PROTOCOL, LOG_DEBUG, "No ECDSA key known for %s (%s)", to->name, to->hostname); + logger(DEBUG_PROTOCOL, LOG_DEBUG, "No Ed25519 key known for %s (%s)", to->name, to->hostname); send_request(to->nexthop->connection, "%d %s %s %d", REQ_KEY, myself->name, to->name, REQ_PUBKEY); return true; } - char label[25 + strlen(myself->name) + strlen(to->name)]; + + if(to->sptps.label) + logger(DEBUG_ALWAYS, LOG_DEBUG, "send_req_key(%s) called while sptps->label != NULL!", to->name); + + char label[25 + strlen(myself->name) + strlen(to->name)]; snprintf(label, sizeof label, "tinc UDP key expansion %s %s", myself->name, to->name); sptps_stop(&to->sptps); to->status.validkey = false; to->status.waitingforkey = true; - to->last_req_key = time(NULL); + to->last_req_key = now.tv_sec; to->incompression = myself->incompression; - return sptps_start(&to->sptps, to, true, true, myself->connection->ecdsa, to->ecdsa, label, sizeof label, send_initial_sptps_data, receive_sptps_record); + return sptps_start(&to->sptps, to, true, true, myself->connection->ecdsa, to->ecdsa, label, sizeof label, send_initial_sptps_data, receive_sptps_record); } return send_request(to->nexthop->connection, "%d %s %s", REQ_KEY, myself->name, to->name); @@ -120,7 +124,7 @@ bool send_req_key(node_t *to) { static bool req_key_ext_h(connection_t *c, const char *request, node_t *from, int reqno) { switch(reqno) { case REQ_PUBKEY: { - char *pubkey = ecdsa_get_base64_public_key(&myself->connection->ecdsa); + char *pubkey = ecdsa_get_base64_public_key(myself->connection->ecdsa); send_request(from->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, from->name, ANS_PUBKEY, pubkey); free(pubkey); return true; @@ -133,56 +137,57 @@ static bool req_key_ext_h(connection_t *c, const char *request, node_t *from, in } char pubkey[MAX_STRING_SIZE]; - if(sscanf(request, "%*d %*s %*s %*d " MAX_STRING, pubkey) != 1 || !ecdsa_set_base64_public_key(&from->ecdsa, pubkey)) { + if(sscanf(request, "%*d %*s %*s %*d " MAX_STRING, pubkey) != 1 || !(from->ecdsa = ecdsa_set_base64_public_key(pubkey))) { logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s): %s", "ANS_PUBKEY", from->name, from->hostname, "invalid pubkey"); return true; } - logger(DEBUG_PROTOCOL, LOG_INFO, "Learned ECDSA public key from %s (%s)", from->name, from->hostname); - append_config_file(from->name, "ECDSAPublicKey", pubkey); + logger(DEBUG_PROTOCOL, LOG_INFO, "Learned Ed25519 public key from %s (%s)", from->name, from->hostname); + append_config_file(from->name, "Ed25519PublicKey", pubkey); return true; } case REQ_KEY: { if(!node_read_ecdsa_public_key(from)) { - logger(DEBUG_PROTOCOL, LOG_DEBUG, "No ECDSA key known for %s (%s)", from->name, from->hostname); + logger(DEBUG_PROTOCOL, LOG_DEBUG, "No Ed25519 key known for %s (%s)", from->name, from->hostname); send_request(from->nexthop->connection, "%d %s %s %d", REQ_KEY, myself->name, from->name, REQ_PUBKEY); return true; } - } - case REQ_SPTPS: { + if(from->sptps.label) + logger(DEBUG_ALWAYS, LOG_DEBUG, "Got REQ_KEY from %s while we already started a SPTPS session!", from->name); + char buf[MAX_STRING_SIZE]; - if(sscanf(request, "%*d %*s %*s %*d " MAX_STRING, buf) != 1) { - logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s): %s", "REQ_KEY", from->name, from->hostname, "invalid SPTPS data"); + int len; + + if(sscanf(request, "%*d %*s %*s %*d " MAX_STRING, buf) != 1 || !(len = b64decode(buf, buf, strlen(buf)))) { + logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s): %s", "REQ_SPTPS_START", from->name, from->hostname, "invalid SPTPS data"); return true; } - int len = b64decode(buf, buf, strlen(buf)); - char label[25 + strlen(from->name) + strlen(myself->name)]; snprintf(label, sizeof label, "tinc UDP key expansion %s %s", from->name, myself->name); sptps_stop(&from->sptps); from->status.validkey = false; from->status.waitingforkey = true; - from->last_req_key = time(NULL); - sptps_start(&from->sptps, from, false, true, myself->connection->ecdsa, from->ecdsa, label, sizeof label, send_sptps_data, receive_sptps_record); + from->last_req_key = now.tv_sec; + sptps_start(&from->sptps, from, false, true, myself->connection->ecdsa, from->ecdsa, label, sizeof label, send_sptps_data, receive_sptps_record); sptps_receive_data(&from->sptps, buf, len); return true; } - case REQ_PACKET: { + case REQ_SPTPS: { if(!from->status.validkey) { - logger(DEBUG_PROTOCOL, LOG_ERR, "Got REQ_PACKET from %s (%s) but we don't have a valid key yet", from->name, from->hostname); + logger(DEBUG_PROTOCOL, LOG_ERR, "Got REQ_SPTPS from %s (%s) but we don't have a valid key yet", from->name, from->hostname); return true; } char buf[MAX_STRING_SIZE]; - if(sscanf(request, "%*d %*s %*s %*d " MAX_STRING, buf) != 1) { - logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s): %s", "REQ_KEY", from->name, from->hostname, "invalid SPTPS data"); + int len; + if(sscanf(request, "%*d %*s %*s %*d " MAX_STRING, buf) != 1 || !(len = b64decode(buf, buf, strlen(buf)))) { + logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s): %s", "REQ_SPTPS", from->name, from->hostname, "invalid SPTPS data"); return true; } - int len = b64decode(buf, buf, strlen(buf)); sptps_receive_data(&from->sptps, buf, len); return true; } @@ -228,7 +233,7 @@ bool req_key_h(connection_t *c, const char *request) { /* Check if this key request is for us */ - if(to == myself) { /* Yes */ + if(to == myself) { /* Yes */ /* Is this an extended REQ_KEY message? */ if(experimental && reqno) return req_key_ext_h(c, request, from, reqno); @@ -255,32 +260,45 @@ bool send_ans_key(node_t *to) { if(to->status.sptps) abort(); - size_t keylen = cipher_keylength(&myself->incipher); + size_t keylen = myself->incipher ? cipher_keylength(myself->incipher) : 1; char key[keylen * 2 + 1]; - cipher_close(&to->incipher); - digest_close(&to->indigest); + randomize(key, keylen); - cipher_open_by_nid(&to->incipher, cipher_get_nid(&myself->incipher)); - digest_open_by_nid(&to->indigest, digest_get_nid(&myself->indigest), digest_length(&myself->indigest)); - to->incompression = myself->incompression; + cipher_close(to->incipher); + digest_close(to->indigest); - randomize(key, keylen); - cipher_set_key(&to->incipher, key, false); - digest_set_key(&to->indigest, key, keylen); + if(myself->incipher) { + to->incipher = cipher_open_by_nid(cipher_get_nid(myself->incipher)); + if(!to->incipher) + abort(); + if(!cipher_set_key(to->incipher, key, false)) + abort(); + } + + if(myself->indigest) { + to->indigest = digest_open_by_nid(digest_get_nid(myself->indigest), digest_length(myself->indigest)); + if(!to->indigest) + abort(); + if(!digest_set_key(to->indigest, key, keylen)) + abort(); + } + + to->incompression = myself->incompression; bin2hex(key, key, keylen); // Reset sequence number and late packet window mykeyused = true; to->received_seqno = 0; + to->received = 0; if(replaywin) memset(to->late, 0, replaywin); return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY, myself->name, to->name, key, - cipher_get_nid(&to->incipher), - digest_get_nid(&to->indigest), - (int)digest_length(&to->indigest), + cipher_get_nid(to->incipher), + digest_get_nid(to->indigest), + (int)digest_length(to->indigest), to->incompression); } @@ -288,8 +306,8 @@ bool ans_key_h(connection_t *c, const char *request) { char from_name[MAX_STRING_SIZE]; char to_name[MAX_STRING_SIZE]; char key[MAX_STRING_SIZE]; - char address[MAX_STRING_SIZE] = ""; - char port[MAX_STRING_SIZE] = ""; + char address[MAX_STRING_SIZE] = ""; + char port[MAX_STRING_SIZE] = ""; int cipher, digest, maclength, compression, keylen; node_t *from, *to; @@ -348,8 +366,8 @@ bool ans_key_h(connection_t *c, const char *request) { } /* Don't use key material until every check has passed. */ - cipher_close(&from->outcipher); - digest_close(&from->outdigest); + cipher_close(from->outcipher); + digest_close(from->outdigest); from->status.validkey = false; if(compression < 0 || compression > 11) { @@ -365,7 +383,7 @@ bool ans_key_h(connection_t *c, const char *request) { char buf[strlen(key)]; int len = b64decode(key, buf, strlen(key)); - if(!sptps_receive_data(&from->sptps, buf, len)) + if(!len || !sptps_receive_data(&from->sptps, buf, len)) logger(DEBUG_ALWAYS, LOG_ERR, "Error processing SPTPS data from %s (%s)", from->name, from->hostname); if(from->status.validkey) { @@ -375,7 +393,7 @@ bool ans_key_h(connection_t *c, const char *request) { update_node_udp(from, &sa); } - if(from->options & OPTION_PMTU_DISCOVERY) + if(from->options & OPTION_PMTU_DISCOVERY && !(from->options & OPTION_TCPONLY)) send_mtu_probe(from); } @@ -384,17 +402,25 @@ bool ans_key_h(connection_t *c, const char *request) { /* Check and lookup cipher and digest algorithms */ - if(!cipher_open_by_nid(&from->outcipher, cipher)) { - logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses unknown cipher!", from->name, from->hostname); - return false; + if(cipher) { + if(!(from->outcipher = cipher_open_by_nid(cipher))) { + logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses unknown cipher!", from->name, from->hostname); + return false; + } + } else { + from->outcipher = NULL; } - if(!digest_open_by_nid(&from->outdigest, digest, maclength)) { - logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses unknown digest!", from->name, from->hostname); - return false; + if(digest) { + if(!(from->outdigest = digest_open_by_nid(digest, maclength))) { + logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses unknown digest!", from->name, from->hostname); + return false; + } + } else { + from->outdigest = NULL; } - if(maclength != digest_length(&from->outdigest)) { + if(maclength != digest_length(from->outdigest)) { logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses bogus MAC length!", from->name, from->hostname); return false; } @@ -403,15 +429,17 @@ bool ans_key_h(connection_t *c, const char *request) { keylen = hex2bin(key, key, sizeof key); - if(keylen != cipher_keylength(&from->outcipher)) { + if(keylen != (from->outcipher ? cipher_keylength(from->outcipher) : 1)) { logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, from->hostname); return true; } /* Update our copy of the origin's packet key */ - cipher_set_key(&from->outcipher, key, true); - digest_set_key(&from->outdigest, key, keylen); + if(from->outcipher && !cipher_set_key(from->outcipher, key, true)) + return false; + if(from->outdigest && !digest_set_key(from->outdigest, key, keylen)) + return false; from->status.validkey = true; from->sent_seqno = 0; @@ -422,7 +450,7 @@ bool ans_key_h(connection_t *c, const char *request) { update_node_udp(from, &sa); } - if(from->options & OPTION_PMTU_DISCOVERY) + if(from->options & OPTION_PMTU_DISCOVERY && !(from->options & OPTION_TCPONLY)) send_mtu_probe(from); return true;