projects / tinc / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge branch 'master' into 1.1
[tinc] / src / protocol_key.c
diff --git a/src/protocol_key.c b/src/protocol_key.c
index 98b934c..802f7ca 100644 (file)
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -47,7 +47,7 @@ void send_key_changed(void) {
        for(node = connection_tree->head; node; node = node->next) {
                c = node->data;
                if(c->status.active && c->node && c->node->status.reachable) {
-                       if(!experimental || OPTION_VERSION(c->node->options) < 2)
+                       if(!c->node->status.sptps)
                                send_ans_key(c->node);
                }
        }
@@ -57,7 +57,7 @@ void send_key_changed(void) {
        if(experimental) {
                for(node = node_tree->head; node; node = node->next) {
                        node_t *n = node->data;
-                       if(n->status.reachable && n->status.validkey && OPTION_VERSION(n->options) >= 2)
+                       if(n->status.reachable && n->status.validkey && n->status.sptps)
                                sptps_force_kex(&n->sptps);
                }
        }
@@ -84,7 +84,7 @@ bool key_changed_h(connection_t *c, const char *request) {
                return true;
        }
 
-       if(OPTION_VERSION(n->options) < 2) {
+       if(!n->status.sptps) {
                n->status.validkey = false;
                n->last_req_key = 0;
        }
@@ -106,14 +106,17 @@ static bool send_initial_sptps_data(void *handle, uint8_t type, const char *data
 }
 
 bool send_req_key(node_t *to) {
-       if(experimental && OPTION_VERSION(to->options) >= 2) {
+       if(to->status.sptps) {
                if(!node_read_ecdsa_public_key(to)) {
-                       logger(DEBUG_ALWAYS, LOG_DEBUG, "No ECDSA key known for %s (%s)", to->name, to->hostname);
+                       logger(DEBUG_PROTOCOL, LOG_DEBUG, "No ECDSA key known for %s (%s)", to->name, to->hostname);
                        send_request(to->nexthop->connection, "%d %s %s %d", REQ_KEY, myself->name, to->name, REQ_PUBKEY);
                        return true;
                }
                 char label[25 + strlen(myself->name) + strlen(to->name)];
                snprintf(label, sizeof label, "tinc UDP key expansion %s %s", myself->name, to->name);
+               sptps_stop(&to->sptps);
+               to->status.validkey = false;
+               to->incompression = myself->incompression;
                return sptps_start(&to->sptps, to, true, true, myself->connection->ecdsa, to->ecdsa, label, sizeof label, send_initial_sptps_data, receive_sptps_record); 
        }
 
@@ -133,7 +136,7 @@ static bool req_key_ext_h(connection_t *c, const char *request, node_t *from, in
 
                case ANS_PUBKEY: {
                        if(node_read_ecdsa_public_key(from)) {
-                               logger(DEBUG_ALWAYS, LOG_WARNING, "Got ANS_PUBKEY from %s (%s) even though we already have his pubkey", from->name, from->hostname);
+                               logger(DEBUG_PROTOCOL, LOG_WARNING, "Got ANS_PUBKEY from %s (%s) even though we already have his pubkey", from->name, from->hostname);
                                return true;
                        }
 
@@ -143,14 +146,14 @@ static bool req_key_ext_h(connection_t *c, const char *request, node_t *from, in
                                return true;
                        }
 
-                       logger(DEBUG_ALWAYS, LOG_INFO, "Learned ECDSA public key from %s (%s)", from->name, from->hostname);
+                       logger(DEBUG_PROTOCOL, LOG_INFO, "Learned ECDSA public key from %s (%s)", from->name, from->hostname);
                        append_config_file(from->name, "ECDSAPublicKey", pubkey);
                        return true;
                }
 
                case REQ_KEY: {
                        if(!node_read_ecdsa_public_key(from)) {
-                               logger(DEBUG_ALWAYS, LOG_DEBUG, "No ECDSA key known for %s (%s)", from->name, from->hostname);
+                               logger(DEBUG_PROTOCOL, LOG_DEBUG, "No ECDSA key known for %s (%s)", from->name, from->hostname);
                                send_request(from->nexthop->connection, "%d %s %s %d", REQ_KEY, myself->name, from->name, REQ_PUBKEY);
                                return true;
                        }
@@ -167,6 +170,8 @@ static bool req_key_ext_h(connection_t *c, const char *request, node_t *from, in
 
                        char label[25 + strlen(from->name) + strlen(myself->name)];
                        snprintf(label, sizeof label, "tinc UDP key expansion %s %s", from->name, myself->name);
+                       sptps_stop(&from->sptps);
+                       from->status.validkey = false;
                        sptps_start(&from->sptps, from, false, true, myself->connection->ecdsa, from->ecdsa, label, sizeof label, send_sptps_data, receive_sptps_record); 
                        sptps_receive_data(&from->sptps, buf, len);
                        return true;
@@ -213,17 +218,19 @@ bool req_key_h(connection_t *c, const char *request) {
 
        /* Check if this key request is for us */
 
-       if(to == myself) {                      /* Yes, send our own key back */
+       if(to == myself) {                      /* Yes */
+               /* Is this an extended REQ_KEY message? */
                if(experimental && reqno)
                        return req_key_ext_h(c, request, from, reqno);
 
+               /* No, just send our key back */
                send_ans_key(from);
        } else {
                if(tunnelserver)
                        return true;
 
                if(!to->status.reachable) {
-                       logger(DEBUG_ALWAYS, LOG_WARNING, "Got %s from %s (%s) destination %s which is not reachable",
+                       logger(DEBUG_PROTOCOL, LOG_WARNING, "Got %s from %s (%s) destination %s which is not reachable",
                                "REQ_KEY", c->name, c->hostname, to_name);
                        return true;
                }
@@ -235,7 +242,7 @@ bool req_key_h(connection_t *c, const char *request) {
 }
 
 bool send_ans_key(node_t *to) {
-       if(experimental && OPTION_VERSION(to->options) >= 2)
+       if(to->status.sptps)
                abort();
 
        size_t keylen = cipher_keylength(&myself->incipher);
@@ -327,9 +334,19 @@ bool ans_key_h(connection_t *c, const char *request) {
                return send_request(to->nexthop->connection, "%s", request);
        }
 
+       /* Don't use key material until every check has passed. */
+       from->status.validkey = false;
+
+       if(compression < 0 || compression > 11) {
+               logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses bogus compression level!", from->name, from->hostname);
+               return true;
+       }
+
+       from->outcompression = compression;
+
        /* SPTPS or old-style key exchange? */
 
-       if(experimental && OPTION_VERSION(from->options) >= 2) {
+       if(from->status.sptps) {
                char buf[strlen(key)];
                int len = b64decode(key, buf, strlen(key));
 
@@ -367,13 +384,6 @@ bool ans_key_h(connection_t *c, const char *request) {
                return false;
        }
 
-       if(compression < 0 || compression > 11) {
-               logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses bogus compression level!", from->name, from->hostname);
-               return true;
-       }
-
-       from->outcompression = compression;
-
        /* Process key */
 
        keylen = hex2bin(key, key, sizeof key);
tinc, the VPN daemon