X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fprotocol.c;h=bdb78c2b41d1cfa864923714a45927d66a23cfc7;hp=5e72017ddee8cf212d15ea3ff77a4bd10c18c031;hb=34b7a876c3583f7a34585cff6a694bc9e35cdc87;hpb=f777c1807d663eaef3e36c395094451214886898 diff --git a/src/protocol.c b/src/protocol.c index 5e72017d..bdb78c2b 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: protocol.c,v 1.28.4.77 2001/02/06 10:12:51 guus Exp $ + $Id: protocol.c,v 1.28.4.82 2001/02/26 11:37:20 guus Exp $ */ #include "config.h" @@ -31,6 +31,7 @@ #include #include #include +#include #include #include @@ -186,8 +187,6 @@ cp int send_id(connection_t *cl) { -cp - cl->allow_request = CHALLENGE; cp return send_request(cl, "%d %s %d %lx %hd", ID, myself->name, myself->protocol_version, myself->options, myself->port); } @@ -262,13 +261,14 @@ cp cl->port = port; avl_insert_node(connection_tree, node); - /* Read in the public key, so that we can send a challenge */ + /* Read in the public key, so that we can send a metakey */ if(read_rsa_public_key(cl)) return -1; + cl->allow_request = METAKEY; cp - return send_challenge(cl); + return send_metakey(cl); } int send_challenge(connection_t *cl) @@ -276,6 +276,8 @@ int send_challenge(connection_t *cl) char *buffer; int len, x; cp + /* CHECKME: what is most reasonable value for len? */ + len = RSA_size(cl->rsa_key); /* Allocate buffers for the challenge */ @@ -291,32 +293,15 @@ cp RAND_bytes(cl->hischallenge, len); - cl->hischallenge[0] &= 0x7F; /* Somehow if the first byte is more than 0xD0 or something like that, decryption fails... */ -cp - if(debug_lvl >= DEBUG_SCARY_THINGS) - { - bin2hex(cl->hischallenge, buffer, len); - buffer[len*2] = '\0'; - syslog(LOG_DEBUG, _("Generated random challenge (unencrypted): %s"), buffer); - } - - /* Encrypt the random data */ - - if(RSA_public_encrypt(len, cl->hischallenge, buffer, cl->rsa_key, RSA_NO_PADDING) != len) /* NO_PADDING because the message size equals the RSA key size and it is totally random */ - { - syslog(LOG_ERR, _("Error during encryption of challenge for %s (%s)"), cl->name, cl->hostname); - free(buffer); - return -1; - } cp - /* Convert the encrypted random data to a hexadecimal formatted string */ + /* Convert to hex */ - bin2hex(buffer, buffer, len); + bin2hex(cl->hischallenge, buffer, len); buffer[len*2] = '\0'; + cp /* Send the challenge */ - cl->allow_request = CHAL_REPLY; x = send_request(cl, "%d %s", CHALLENGE, buffer); free(buffer); cp @@ -351,22 +336,9 @@ cp /* Convert the challenge from hexadecimal back to binary */ - hex2bin(buffer,buffer,len); - - /* Decrypt the challenge */ - - if(RSA_private_decrypt(len, buffer, cl->mychallenge, myself->rsa_key, RSA_NO_PADDING) != len) /* See challenge() */ - { - syslog(LOG_ERR, _("Error during encryption of challenge for %s (%s)"), cl->name, cl->hostname); - return -1; - } + hex2bin(buffer,cl->mychallenge,len); - if(debug_lvl >= DEBUG_SCARY_THINGS) - { - bin2hex(cl->mychallenge, buffer, len); - buffer[len*2] = '\0'; - syslog(LOG_DEBUG, _("Received random challenge (unencrypted): %s"), buffer); - } + cl->allow_request = CHAL_REPLY; /* Rest is done by send_chal_reply() */ cp @@ -394,11 +366,6 @@ cp /* Send the reply */ - if(cl->status.outgoing) - cl->allow_request = ID; - else - cl->allow_request = METAKEY; - cp return send_request(cl, "%d %s", CHAL_REPLY, hash); } @@ -444,16 +411,11 @@ cp return -1; } - /* Identity has now been positively verified. - If we are accepting this new connection, then send our identity, - if we are making this connecting, acknowledge. + ack_h() handles the rest from now on. */ cp - if(cl->status.outgoing) - return send_metakey(cl); - else - return send_id(cl); + return ack_h(cl); } int send_metakey(connection_t *cl) @@ -477,8 +439,8 @@ cp RAND_bytes(cl->cipher_outkey, len); - cl->cipher_outkey[0] &= 0x7F; /* FIXME: Somehow if the first byte is more than 0xD0 or something like that, decryption fails... */ - + cl->cipher_outkey[0] &= 0x0F; /* Make sure that the random data is smaller than the modulus of the RSA key */ + if(debug_lvl >= DEBUG_SCARY_THINGS) { bin2hex(cl->cipher_outkey, buffer, len); @@ -502,15 +464,16 @@ cp /* Send the meta key */ - if(cl->status.outgoing) - cl->allow_request = METAKEY; - else - cl->allow_request = ACK; - x = send_request(cl, "%d %s", METAKEY, buffer); free(buffer); - EVP_EncryptInit(cl->cipher_outctx, EVP_bf_cfb(), cl->cipher_outkey, cl->cipher_outkey + EVP_bf_cfb()->key_len); + /* Further outgoing requests are encrypted with the key we just generated */ + + EVP_EncryptInit(cl->cipher_outctx, EVP_bf_cfb(), + cl->cipher_outkey + len - EVP_bf_cfb()->key_len, + cl->cipher_outkey + len - EVP_bf_cfb()->key_len - EVP_bf_cfb()->iv_len); + + cl->status.encryptout = 1; cp return x; } @@ -563,26 +526,17 @@ cp syslog(LOG_DEBUG, _("Received random meta key (unencrypted): %s"), buffer); } - EVP_DecryptInit(cl->cipher_inctx, EVP_bf_cfb(), cl->cipher_inkey, cl->cipher_inkey + EVP_bf_cfb()->key_len); - -cp - if(cl->status.outgoing) - return send_ack(cl); - else - return send_metakey(cl); -} + /* All incoming requests will now be encrypted. */ -int send_ack(connection_t *cl) -{ - int x; -cp - if(cl->status.outgoing) - cl->allow_request = ACK; + EVP_DecryptInit(cl->cipher_inctx, EVP_bf_cfb(), + cl->cipher_inkey + len - EVP_bf_cfb()->key_len, + cl->cipher_inkey + len - EVP_bf_cfb()->key_len - EVP_bf_cfb()->iv_len); + + cl->status.decryptin = 1; - x = send_request(cl, "%d", ACK); - cl->status.encryptout = 1; + cl->allow_request = CHALLENGE; cp - return x; + return send_challenge(cl); } int ack_h(connection_t *cl) @@ -610,18 +564,14 @@ cp cl->allow_request = ALL; cl->status.active = 1; - cl->status.decryptin = 1; cl->nexthop = cl; - cl->cipher_pkttype = EVP_bf_cfb(); + cl->cipher_pkttype = EVP_bf_cbc(); cl->cipher_pktkeylength = cl->cipher_pkttype->key_len + cl->cipher_pkttype->iv_len; if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname); cp - if(!cl->status.outgoing) - send_ack(cl); - /* Check some options */ if((cfg = get_config_val(cl->config, config_indirectdata))) @@ -928,7 +878,7 @@ cp new->nexthop = cl; new->status.active = 1; - new->cipher_pkttype = EVP_bf_cfb(); + new->cipher_pkttype = EVP_bf_cbc(); new->cipher_pktkeylength = cl->cipher_pkttype->key_len + cl->cipher_pkttype->iv_len; cp return 0; @@ -1053,10 +1003,10 @@ cp int error_h(connection_t *cl) { - int errno; + int err; char errorstring[MAX_STRING_SIZE]; cp - if(sscanf(cl->buffer, "%*d %d "MAX_STRING, &errno, errorstring) != 2) + if(sscanf(cl->buffer, "%*d %d "MAX_STRING, &err, errorstring) != 2) { syslog(LOG_ERR, _("Got bad ERROR from %s (%s)"), cl->name, cl->hostname); @@ -1066,7 +1016,7 @@ cp if(debug_lvl >= DEBUG_ERROR) { syslog(LOG_NOTICE, _("Error message from %s (%s): %s: %s"), - cl->name, cl->hostname, strerror(errno), errorstring); + cl->name, cl->hostname, strerror(err), errorstring); } terminate_connection(cl); @@ -1324,9 +1274,17 @@ int tcppacket_h(connection_t *cl) while(todo) { x = read(cl->meta_socket, p, todo); - if(x<0) + + if(x<=0) { - syslog(LOG_ERR, _("Error during reception of PACKET from %s (%s): %m"), cl->name, cl->hostname); + if(x==0) + syslog(LOG_NOTICE, _("Connection closed by %s (%s)"), cl->name, cl->hostname); + else + if(errno==EINTR) + continue; + else + syslog(LOG_ERR, _("Error during reception of PACKET from %s (%s): %m"), cl->name, cl->hostname); + return -1; } @@ -1340,7 +1298,7 @@ int tcppacket_h(connection_t *cl) /* Jumptable for the request handlers */ int (*request_handlers[])(connection_t*) = { - id_h, challenge_h, chal_reply_h, metakey_h, ack_h, + id_h, metakey_h, challenge_h, chal_reply_h, status_h, error_h, termreq_h, ping_h, pong_h, add_host_h, del_host_h, @@ -1352,7 +1310,7 @@ int (*request_handlers[])(connection_t*) = { /* Request names */ char (*request_name[]) = { - "ID", "CHALLENGE", "CHAL_REPLY", "METAKEY", "ACK", + "ID", "METAKEY", "CHALLENGE", "CHAL_REPLY", "STATUS", "ERROR", "TERMREQ", "PING", "PONG", "ADD_HOST", "DEL_HOST",