along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- $Id: protocol.c,v 1.28.4.33 2000/09/17 21:42:05 guus Exp $
+ $Id: protocol.c,v 1.28.4.36 2000/09/26 14:06:06 guus Exp $
*/
#include "config.h"
#include "net.h"
#include "netutl.h"
#include "protocol.h"
+#include "meta.h"
#include "system.h"
return 1;
}
-/* Generic outgoing request routine - takes care of logging and error detection as well */
+/* Generic request routines - takes care of logging and error detection as well */
int send_request(conn_list_t *cl, const char *format, int request, /*args*/ ...)
{
return -1;
}
- if(debug_lvl >= DEBUG_META)
- syslog(LOG_DEBUG, _("Sending %s to %s (%s): %s"), request_name[request],
- cl->name, cl->hostname, buffer);
- else if(debug_lvl >= DEBUG_PROTOCOL)
+ if(debug_lvl >= DEBUG_PROTOCOL)
syslog(LOG_DEBUG, _("Sending %s to %s (%s)"), request_name[request], cl->name, cl->hostname);
+cp
+ return send_meta(cl, buffer, length);
+}
-
- if(cl->status.encryptin)
+int receive_request(conn_list_t *cl)
+{
+ int request;
+cp
+ if(sscanf(cl->buffer, "%d", &request) == 1)
{
- /* FIXME: Do encryption */
+ if((request < 0) || (request > 255) || (request_handlers[request] == NULL))
+ {
+ syslog(LOG_ERR, _("Unknown request from %s (%s)"),
+ cl->name, cl->hostname);
+ return -1;
+ }
+ else
+ {
+ if(debug_lvl > DEBUG_PROTOCOL)
+ syslog(LOG_DEBUG, _("Got %s from %s (%s)"),
+ request_name[request], cl->name, cl->hostname);
+ }
+ if(request_handlers[request](cl))
+ /* Something went wrong. Probably scriptkiddies. Terminate. */
+ {
+ syslog(LOG_ERR, _("Error while processing %s from %s (%s)"),
+ request_name[request], cl->name, cl->hostname);
+ return -1;
+ }
}
-
- if((write(cl->meta_socket, buffer, len)) < 0)
+ else
{
- syslog(LOG_ERR, _("Sending meta data failed: %m"));
+ syslog(LOG_ERR, _("Bogus data received from %s (%s)"),
+ cl->name, cl->hostname);
return -1;
}
-cp
}
/* Connection protocol:
int send_id(conn_list_t *cl)
{
cp
- return send_request(cl, "%d %s %d %s", ID,
- myself->name, myself->protocol_version, opt2str(myself->options));
+ return send_request(cl, "%d %s %d %lx", ID, myself->name, myself->protocol_version, myself->options);
}
int id_h(conn_list_t *cl)
{
conn_list_t *old;
- char *options;
cp
- if(sscanf(cl->buffer, "%*d %as %d %as", &cl->name, &cl->protocol_version, &options) != 3)
+ if(sscanf(cl->buffer, "%*d %as %d %lx", &cl->name, &cl->protocol_version, &cl->options) != 3)
{
syslog(LOG_ERR, _("Got bad ID from %s"), cl->hostname);
return -1;
return -1;
}
- /* Check if option string is valid */
-
- if((cl->options = str2opt(options)) == -1)
- {
- syslog(LOG_ERR, _("Peer %s uses invalid option string"), cl->hostname);
- return -1;
- }
-
/* Check if identity is a valid name */
if(!check_id(cl->name))
int send_challenge(conn_list_t *cl)
{
- char *buffer;
- int keylength;
- int x;
+ char buffer[CHAL_LENGTH*2+1];
cp
- if(cl->chal_answer)
- free(cl->chal_answer);
-
- /* Allocate buffers for the challenge and the hash */
-
- cl->chal_answer = xmalloc(SHA_DIGEST_LENGTH);
- keylength = BN_num_bytes(cl->rsakey->length);
- buffer = xmalloc(keylength*2);
+ /* Allocate buffers for the challenge */
- /* Copy random data and the public key to the buffer */
-
- RAND_bytes(buffer, keylength);
- BN_bn2bin(cl->rsakey->length, buffer+keylength);
-
- /* If we don't have a blowfish key set yet, use the random data from the challenge to do so. */
-
- if(!cl->status.encryptin)
- {
- set_metakey(cl, buffer, keylength);
- }
+ if(!cl->hischallenge)
+ cl->hischallenge = xmalloc(CHAL_LENGTH);
- /* Calculate the hash from that */
+ /* Copy random data to the buffer */
- SHA1(buffer, keylength*2, cl->chal_answer);
+ RAND_bytes(cl->hischallenge, CHAL_LENGTH);
/* Convert the random data to a hexadecimal formatted string */
- bin2hex(buffer,buffer,keylength);
+ bin2hex(cl->hischallenge,buffer,CHAL_LENGTH);
buffer[keylength*2] = '\0';
/* Send the challenge */
cl->allow_request = CHAL_REPLY;
- x = send_request(cl, "%d %s", CHALLENGE, buffer);
- free(buffer);
- cl->status.encryptout = 1;
cp
- return x;
+ return send_request(cl, "%d %s", CHALLENGE, buffer);
}
int challenge_h(conn_list_t *cl)
{
- char *challenge;
- int x;
-
+ char *buffer;
cp
- if(sscanf(cl->buffer, "%*d %as", &cl->name, &challenge) != 1)
+ if(sscanf(cl->buffer, "%*d %as", &buffer) != 1)
{
syslog(LOG_ERR, _("Got bad CHALLENGE from %s (%s)"), cl->name, cl->hostname);
return -1;
}
- /* Rest is done by send_chal_reply() */
-
- x = send_chal_reply(cl, challenge);
- free(challenge);
-cp
- return x;
-}
-
-int send_chal_reply(conn_list_t *cl, char *challenge)
-{
- char *buffer;
- int keylength;
- char *hash;
- int x;
-
-cp
- keylength = BN_num_bytes(myself->rsakey->length);
-
/* Check if the length of the challenge is all right */
- if(strlen(challenge) != keylength*2)
+ if(strlen(buffer) != CHAL_LENGTH*2)
{
syslog(LOG_ERR, _("Intruder: wrong challenge length from %s (%s)"), cl->name, cl->hostname);
+ free(buffer);
return -1;
}
- /* Allocate buffers for the challenge and the hash */
-
- buffer = xmalloc(keylength*2);
- hash = xmalloc(SHA_DIGEST_LENGTH*2+1);
+ /* Allocate buffers for the challenge */
- /* Copy the incoming random data and our public key to the buffer */
+ if(!cl->mychallenge)
+ cl->mychallenge = xmalloc(CHAL_LENGTH);
- hex2bin(challenge, buffer, keylength);
- BN_bn2bin(myself->rsakey->length, buffer+keylength);
+ /* Convert the challenge from hexadecimal back to binary */
- /* Calculate the hash from that */
-
- SHA1(buffer, keylength*2, hash);
-
- /* If we don't have a blowfish key set yet, use the random data from the challenge to do so. */
+ hex2bin(buffer,cl->mychallenge,CHAL_LENGTH);
+ free(buffer);
+
+ /* Rest is done by send_chal_reply() */
+cp
+ return send_chal_reply(cl);
+}
- if(!cl->status.encrypted)
+int send_chal_reply(conn_list_t *cl)
+{
+ char hash[SHA_DIGEST_LENGTH*2+1];
+cp
+ if(!cl->mychallenge)
{
- set_metakey(cl, buffer, keylength);
- cl->status.encrypted = 1;
+ syslog(LOG_ERR, _("Trying to send CHAL_REPLY to %s (%s) without a valid CHALLENGE"), cl->name, cl->hostname);
+ return -1;
}
+
+ /* Calculate the hash from the challenge we received */
- free(buffer);
+ SHA1(cl->mychallenge, CHAL_LENGTH, hash);
/* Convert the hash to a hexadecimal formatted string */
else
cl->allow_request = ACK;
- x = send_request(cl, "%d %s", CHAL_REPLY, hash);
- free(hash);
cp
- return x;
+ return send_request(cl, "%d %s", CHAL_REPLY, hash);
}
int chal_reply_h(conn_list_t *cl)
{
- char *hash;
+ char *hishash;
+ char myhash[SHA_DIGEST_LENGTH];
cp
- if(sscanf(cl->buffer, "%*d %as", &cl->name, &hash) != 2)
+ if(sscanf(cl->buffer, "%*d %as", &hishash) != 2)
{
syslog(LOG_ERR, _("Got bad CHAL_REPLY from %s (%s)"), cl->name, cl->hostname);
+ free(hishash);
return -1;
}
/* Check if the length of the hash is all right */
- if(strlen(hash) != SHA_DIGEST_LENGTH*2)
+ if(strlen(hishash) != SHA_DIGEST_LENGTH*2)
{
syslog(LOG_ERR, _("Intruder: wrong challenge reply length from %s (%s)"), cl->name, cl->hostname);
+ free(hishash);
return -1;
}
/* Convert the hash to binary format */
- hex2bin(hash, hash, SHA_DIGEST_LENGTH);
+ hex2bin(hishash, hishash, SHA_DIGEST_LENGTH);
+
+ /* Calculate the hash from the challenge we sent */
+
+ SHA1(cl->hischallenge, CHAL_LENGTH, myhash);
/* Verify the incoming hash with the calculated hash */
- if(!memcmp(hash, cl->chal_answer, SHA_DIGEST_LENGTH))
+ if(!memcmp(hishash, myhash, SHA_DIGEST_LENGTH))
{
syslog(LOG_ERR, _("Intruder: wrong challenge reply from %s (%s)"), cl->name, cl->hostname);
+ free(hishash);
return -1;
}
+ free(hishash);
+
/* Identity has now been positively verified.
If we are accepting this new connection, then send our identity,
if we are making this connecting, acknowledge.
*/
-
- free(hash);
- free(cl->chal_answer);
-
cp
if(cl->status.outgoing)
{
int ack_h(conn_list_t *cl)
{
conn_list_t *old;
-
cp
/* Okay, before we active the connection, we check if there is another entry
- in the connection list with the same vpn_ip. If so, it presumably is an
+ in the connection list with the same name. If so, it presumably is an
old connection that has timed out but we don't know it yet.
*/
int send_add_subnet(conn_list_t *cl, conn_list_t *other, subnet_t *subnet)
{
+ int x;
+ char *netstr;
cp
- return send_request(cl, "%d %s %s", ADD_SUBNET,
- other->name, net2str(subnet));
+ x = send_request(cl, "%d %s %s", ADD_SUBNET,
+ other->name, netstr = net2str(subnet));
+ free(netstr);
+cp
+ return x;
}
int add_subnet_h(conn_list_t *cl)
cp
if(sscanf(cl->buffer, "%*d %as %as", &name, &subnetstr) != 3)
{
- syslog(LOG_ERR, _("Got bad ADD_SUBNET from %s (%s)"), cl->name, cl->hostname);
- return -1;
+ syslog(LOG_ERR, _("Got bad ADD_SUBNET from %s (%s)"), cl->name, cl->hostname);
+ free(name); free(subnetstr);
+ return -1;
}
/* Check if owner name is a valid */
if(!check_id(name))
{
syslog(LOG_ERR, _("Got bad ADD_SUBNET from %s (%s): invalid identity name"), cl->name, cl->hostname);
+ free(name); free(subnetstr);
return -1;
}
if((subnet = str2net(subnetstr)) == -1)
{
syslog(LOG_ERR, _("Got bad ADD_SUBNET from %s (%s): invalid subnet string"), cl->name, cl->hostname);
+ free(name); free(subnetstr);
return -1;
}
+
+ free(subnetstr);
/* Check if somebody tries to add a subnet of ourself */
{
syslog(LOG_ERR, _("Warning: got ADD_SUBNET from %s (%s) for ourself, restarting"),
cl->name, cl->hostname);
+ free(name);
sighup = 1;
return 0;
}
if(!(owner = lookup_id(name))
{
- syslog(LOG_NOTICE, _("Got ADD_SUBNET for %s from %s (%s) which is not in our connection list"),
+ syslog(LOG_ERR, _("Got ADD_SUBNET for %s from %s (%s) which is not in our connection list"),
name, cl->name, cl->hostname);
+ free(name);
+ return -1;
}
-
+ /* If everything is correct, add the subnet to the list of the owner */
+cp
+ return subnet_add(owner, subnet);
}
int send_del_subnet(conn_list_t *cl, conn_list_t *other, subnet_t *subnet)
cp
if(sscanf(cl->buffer, "%*d %as %as", &name, &subnetstr) != 3)
{
- syslog(LOG_ERR, _("Got bad DEL_SUBNET from %s (%s)"), cl->name, cl->hostname);
- return -1;
+ syslog(LOG_ERR, _("Got bad DEL_SUBNET from %s (%s)"), cl->name, cl->hostname);
+ free(name); free(subnetstr);
+ return -1;
}
/* Check if owner name is a valid */
if(!check_id(name))
{
syslog(LOG_ERR, _("Got bad DEL_SUBNET from %s (%s): invalid identity name"), cl->name, cl->hostname);
+ free(name); free(subnetstr);
return -1;
}
if((subnet = str2net(subnetstr)) == -1)
{
syslog(LOG_ERR, _("Got bad DEL_SUBNET from %s (%s): invalid subnet string"), cl->name, cl->hostname);
+ free(name); free(subnetstr);
return -1;
}
- /* Check if somebody tries to delete a subnet of ourself */
+ free(subnetstr);
+
+ /* Check if somebody tries to add a subnet of ourself */
if(!strcmp(name, myself->name))
{
syslog(LOG_ERR, _("Warning: got DEL_SUBNET from %s (%s) for ourself, restarting"),
cl->name, cl->hostname);
+ free(name);
sighup = 1;
return 0;
}
if(!(owner = lookup_id(name))
{
- syslog(LOG_NOTICE, _("Got DEL_SUBNET for %s from %s (%s) which is not in our connection list"),
+ syslog(LOG_ERR, _("Got DEL_SUBNET for %s from %s (%s) which is not in our connection list"),
name, cl->name, cl->hostname);
+ free(name);
+ return -1;
}
+
+ /* If everything is correct, add the subnet to the list of the owner */
+cp
+ return subnet_del(owner, subnet);
}
/* New and closed connections notification */
int send_add_host(conn_list_t *cl, conn_list_t *other)
{
cp
- return send_request(cl, "%d %s %lx:%d %s", ADD_HOST, other->name, other->real_ip, other->port, opt2str(other->options));
+ return send_request(cl, "%d %s %s %lx:%d %lx", ADD_HOST,
+ myself->name, other->name, other->real_ip, other->port, other->options);
}
int add_host_h(conn_list_t *cl)
{
- char *options;
- conn_list_t *old, *new;
+ char *sender;
+ conn_list_t *old, *new, *hisuplink;
cp
new = new_conn_list();
- if(sscanf(cl->buffer, "%*d %as %lx:%d %as", &new->name, &new->real_ip, &new->port, &options) != 4)
+ if(sscanf(cl->buffer, "%*d %as %as %lx:%d %lx", &sender, &new->name, &new->address, &new->port, &new->options) != 5)
{
syslog(LOG_ERR, _("Got bad ADD_HOST from %s (%s)"), cl->name, cl->hostname);
return -1;
}
- /* Check if option string is valid */
-
- if((new->options = str2opt(options)) == -1)
- {
- syslog(LOG_ERR, _("Got bad ADD_HOST from %s (%s): invalid option string"), cl->name, cl->hostname);
- return -1;
- }
-
/* Check if identity is a valid name */
- if(!check_id(new->name))
+ if(!check_id(new->name) || !check_id(sender))
{
syslog(LOG_ERR, _("Got bad ADD_HOST from %s (%s): invalid identity name"), cl->name, cl->hostname);
+ free(sender);
return -1;
}
{
syslog(LOG_ERR, _("Warning: got ADD_HOST from %s (%s) for ourself, restarting"), cl->name, cl->hostname);
sighup = 1;
+ free(sender);
+ return 0;
+ }
+
+ /* We got an ADD_HOST from ourself!? */
+
+ if(!strcmp(sender, myself->name))
+ {
+ syslog(LOG_ERR, _("Warning: got ADD_HOST from %s (%s) from ourself, restarting"), cl->name, cl->hostname);
+ sighup = 1;
+ free(sender);
return 0;
}
+ /* Lookup his uplink */
+
+ if(!(new->hisuplink = lookup_id(sender))
+ {
+ syslog(LOG_ERR, _("Got ADD_HOST from %s (%s) with origin %s which is not in our connection list"),
+ sender, cl->name, cl->hostname);
+ free(sender);
+ return -1;
+ }
+
+ free(sender);
+
/* Fill in more of the new conn_list structure */
new->hostname = hostlookup(htonl(new->real_ip));
/* Fill in rest of conn_list structure */
- new->nexthop = cl;
+ new->myuplink = cl;
new->status.active = 1;
/* Hook it up into the conn_list */
int send_del_host(conn_list_t *cl, conn_list_t *other)
{
cp
- return send_request(cl, "%d %s %lx:%d", DEL_HOST,
- other->name, other->real_ip, other->port);
+ return send_request(cl, "%d %s %s %lx:%d %lx", DEL_HOST,
+ myself->name, other->name, other->real_ip, other->port, other->options);
}
int del_host_h(conn_list_t *cl)
{
- char *id;
+ char *name;
+ char *sender;
ip_t address;
port_t port;
- conn_list_t *old;
+ int options;
+ conn_list_t *old, *hisuplink;
cp
- if(sscanf(cl->buffer, "%*d %as %lx:%d", &id, &address, &port) != 3)
+ if(sscanf(cl->buffer, "%*d %as %as %lx:%d %lx", &sender, &name, &address, &port, &options) != 5)
{
syslog(LOG_ERR, _("Got bad DEL_HOST from %s (%s)"),
cl->name, cl->hostname);
return -1;
}
+ /* Check if identity is a valid name */
+
+ if(!check_id(name) || !check_id(sender))
+ {
+ syslog(LOG_ERR, _("Got bad DEL_HOST from %s (%s): invalid identity name"), cl->name, cl->hostname);
+ free(name); free(sender);
+ return -1;
+ }
+
/* Check if somebody tries to delete ourself */
- if(!strcmp(id, myself->name))
+ if(!strcmp(name, myself->name))
{
syslog(LOG_ERR, _("Warning: got DEL_HOST from %s (%s) for ourself, restarting"),
cl->name, cl->hostname);
+ free(name); free(sender);
sighup = 1;
return 0;
}
- /* Check if the new host already exists in the connnection list */
+ /* We got an ADD_HOST from ourself!? */
- if((old = lookup_id(id)))
+ if(!strcmp(sender, myself->name))
{
- if((address == old->real_ip) && (port == old->port))
- {
- notify_others(old, cl, send_del_host);
+ syslog(LOG_ERR, _("Warning: got DEL_HOST from %s (%s) from ourself, restarting"), cl->name, cl->hostname);
+ sighup = 1;
+ free(name); free(sender);
+ return 0;
+ }
- old->status.termreq = 1;
- old->status.active = 0;
+ /* Lookup his uplink */
- terminate_connection(old);
-cp
- return 0;
- }
+ if(!(hisuplink = lookup_id(sender))
+ {
+ syslog(LOG_ERR, _("Got DEL_HOST from %s (%s) with origin %s which is not in our connection list"),
+ cl->name, cl->hostname, sender);
+ free(name); free(sender);
+ return -1;
}
+
+ free(sender);
- if(debug_lvl > DEBUG_CONNECTIONS)
+ /* Check if the new host already exists in the connnection list */
+
+ if(!(old = lookup_id(name)))
+ {
+ syslog(LOG_ERR, _("Got DEL_HOST from %s (%s) for %s which is not in our connection list"),
+ name, cl->name, cl->hostname);
+ free(name);
+ return -1;
+ }
+
+ /* Check if the rest matches */
+
+ if(address!=old->address || port!=old->port || options!=old->options || hisuplink!=old->hisuplink || cl!=old->myuplink)
{
- syslog(LOG_NOTICE, _("Got DEL_HOST for %s from %s (%s) which is not in our connection list"),
- id, cl->name, cl->hostname);
+ syslog(LOG_WARNING, _("Got DEL_HOST from %s (%s) for %s which doesn't match"), cl->name, cl->hostname, old->name);
+ return 0;
}
+
+ /* Ok, since EVERYTHING seems to check out all right, delete it */
+
+ old->status.termreq = 1;
+ old->status.active = 0;
+
+ terminate_connection(old);
cp
return 0;
}
return 0;
}
-/* Old routines */
-
-/*
- Notify all my direct connections of a new host
- that was added to the vpn, with the exception
- of the source of the announcement.
-*/
-
-int notify_others(conn_list_t *new, conn_list_t *source,
- int (*function)(conn_list_t*, conn_list_t*))
-{
- conn_list_t *p;
-cp
- for(p = conn_list; p != NULL; p = p->next)
- if(p != new && p != source && p->status.meta && p->status.active)
- function(p, new);
-cp
- return 0;
-}
-
-/*
- Notify one connection of everything
- I have connected
-*/
-
-int notify_one(conn_list_t *new)
-{
- conn_list_t *p;
-cp
- for(p = conn_list; p != NULL; p = p->next)
- if(p != new && p->status.active)
- send_add_host(new, p);
-cp
- return 0;
-}
-
-/* "Complete overhaul". */
+/* Jumptable for the request handlers */
int (*request_handlers[])(conn_list_t*) = {
id_h, challenge_h, chal_reply_h, ack_h,
key_changed_h, req_key_h, ans_key_h,
};
+/* Request names */
+
char (*request_name[]) = {
"ID", "CHALLENGE", "CHAL_REPLY", "ACK",
"STATUS", "ERROR", "TERMREQ",
projects / tinc / blobdiff