X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fprotocol_auth.c;h=1b8794d1385377b66de065afeebc1be9ae413ba6;hp=fc0c3aae2bc7a2a9eed94d84461a41050e86ee10;hb=5db596c6844169f1eb5f804b72abe99d067aaa5a;hpb=f75dcef72a81a337e847adf0bae54198894f65b9 diff --git a/src/protocol_auth.c b/src/protocol_auth.c index fc0c3aae..1b8794d1 100644 --- a/src/protocol_auth.c +++ b/src/protocol_auth.c @@ -1,7 +1,7 @@ /* protocol_auth.c -- handle the meta-protocol, authentication - Copyright (C) 1999-2002 Ivo Timmermans , - 2000-2002 Guus Sliepen + Copyright (C) 1999-2003 Ivo Timmermans , + 2000-2003 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -17,14 +17,13 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: protocol_auth.c,v 1.1.4.16 2002/09/09 21:24:45 guus Exp $ + $Id: protocol_auth.c,v 1.1.4.23 2003/07/12 17:41:47 guus Exp $ */ #include "config.h" #include #include -#include #include #include #include @@ -37,10 +36,6 @@ #include #include -#ifndef HAVE_RAND_PSEUDO_BYTES -#define RAND_pseudo_bytes RAND_bytes -#endif - #include "conf.h" #include "net.h" #include "netutl.h" @@ -50,10 +45,11 @@ #include "node.h" #include "edge.h" #include "graph.h" +#include "logger.h" #include "system.h" -int send_id(connection_t * c) +int send_id(connection_t *c) { cp(); @@ -61,7 +57,7 @@ int send_id(connection_t * c) myself->connection->protocol_version); } -int id_h(connection_t * c) +int id_h(connection_t *c) { char name[MAX_STRING_SIZE]; int bla; @@ -69,7 +65,7 @@ int id_h(connection_t * c) cp(); if(sscanf(c->buffer, "%*d " MAX_STRING " %d", name, &c->protocol_version) != 2) { - syslog(LOG_ERR, _("Got bad %s from %s (%s)"), "ID", c->name, + logger(LOG_ERR, _("Got bad %s from %s (%s)"), "ID", c->name, c->hostname); return -1; } @@ -77,7 +73,7 @@ int id_h(connection_t * c) /* Check if identity is a valid name */ if(check_id(name)) { - syslog(LOG_ERR, _("Got bad %s from %s (%s): %s"), "ID", c->name, + logger(LOG_ERR, _("Got bad %s from %s (%s): %s"), "ID", c->name, c->hostname, "invalid name"); return -1; } @@ -86,7 +82,7 @@ int id_h(connection_t * c) if(c->name) { if(strcmp(c->name, name)) { - syslog(LOG_ERR, _("Peer %s is %s instead of %s"), c->hostname, name, + logger(LOG_ERR, _("Peer %s is %s instead of %s"), c->hostname, name, c->name); return -1; } @@ -96,7 +92,7 @@ int id_h(connection_t * c) /* Check if version matches */ if(c->protocol_version != myself->connection->protocol_version) { - syslog(LOG_ERR, _("Peer %s (%s) uses incompatible version %d"), + logger(LOG_ERR, _("Peer %s (%s) uses incompatible version %d"), c->name, c->hostname, c->protocol_version); return -1; } @@ -114,7 +110,7 @@ int id_h(connection_t * c) bla = read_connection_config(c); if(bla) { - syslog(LOG_ERR, _("Peer %s had unknown identity (%s)"), c->hostname, + logger(LOG_ERR, _("Peer %s had unknown identity (%s)"), c->hostname, c->name); return -1; } @@ -137,7 +133,7 @@ int id_h(connection_t * c) return send_metakey(c); } -int send_metakey(connection_t * c) +int send_metakey(connection_t *c) { char buffer[MAX_STRING_SIZE]; int len, x; @@ -152,7 +148,7 @@ int send_metakey(connection_t * c) c->outkey = xmalloc(len); if(!c->outctx) - c->outctx = xmalloc(sizeof(*c->outctx)); + c->outctx = xmalloc_and_zero(sizeof(*c->outctx)); cp(); /* Copy random data to the buffer */ @@ -170,10 +166,10 @@ int send_metakey(connection_t * c) c->outkey[0] &= 0x7F; - if(debug_lvl >= DEBUG_SCARY_THINGS) { + ifdebug(SCARY_THINGS) { bin2hex(c->outkey, buffer, len); buffer[len * 2] = '\0'; - syslog(LOG_DEBUG, _("Generated random meta key (unencrypted): %s"), + logger(LOG_DEBUG, _("Generated random meta key (unencrypted): %s"), buffer); } @@ -185,7 +181,7 @@ int send_metakey(connection_t * c) */ if(RSA_public_encrypt(len, c->outkey, buffer, c->rsa_key, RSA_NO_PADDING) != len) { - syslog(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), + logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), c->name, c->hostname); return -1; } @@ -216,7 +212,7 @@ int send_metakey(connection_t * c) return x; } -int metakey_h(connection_t * c) +int metakey_h(connection_t *c) { char buffer[MAX_STRING_SIZE]; int cipher, digest, maclength, compression; @@ -224,10 +220,8 @@ int metakey_h(connection_t * c) cp(); - if(sscanf - (c->buffer, "%*d %d %d %d %d " MAX_STRING, &cipher, &digest, &maclength, - &compression, buffer) != 5) { - syslog(LOG_ERR, _("Got bad %s from %s (%s)"), "METAKEY", c->name, + if(sscanf(c->buffer, "%*d %d %d %d %d " MAX_STRING, &cipher, &digest, &maclength, &compression, buffer) != 5) { + logger(LOG_ERR, _("Got bad %s from %s (%s)"), "METAKEY", c->name, c->hostname); return -1; } @@ -237,8 +231,7 @@ int metakey_h(connection_t * c) /* Check if the length of the meta key is all right */ if(strlen(buffer) != len * 2) { - syslog(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, - c->hostname, "wrong keylength"); + logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, c->hostname, "wrong keylength"); return -1; } @@ -248,7 +241,7 @@ int metakey_h(connection_t * c) c->inkey = xmalloc(len); if(!c->inctx) - c->inctx = xmalloc(sizeof(*c->inctx)); + c->inctx = xmalloc_and_zero(sizeof(*c->inctx)); /* Convert the challenge from hexadecimal back to binary */ @@ -257,16 +250,15 @@ int metakey_h(connection_t * c) /* Decrypt the meta key */ if(RSA_private_decrypt(len, buffer, c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) { /* See challenge() */ - syslog(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), + logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), c->name, c->hostname); return -1; } - if(debug_lvl >= DEBUG_SCARY_THINGS) { + ifdebug(SCARY_THINGS) { bin2hex(c->inkey, buffer, len); buffer[len * 2] = '\0'; - syslog(LOG_DEBUG, _("Received random meta key (unencrypted): %s"), - buffer); + logger(LOG_DEBUG, _("Received random meta key (unencrypted): %s"), buffer); } /* All incoming requests will now be encrypted. */ @@ -275,10 +267,9 @@ int metakey_h(connection_t * c) if(cipher) { c->incipher = EVP_get_cipherbynid(cipher); - + if(!c->incipher) { - syslog(LOG_ERR, _("%s (%s) uses unknown cipher!"), c->name, - c->hostname); + logger(LOG_ERR, _("%s (%s) uses unknown cipher!"), c->name, c->hostname); return -1; } @@ -298,14 +289,12 @@ int metakey_h(connection_t * c) c->indigest = EVP_get_digestbynid(digest); if(!c->indigest) { - syslog(LOG_ERR, _("Node %s (%s) uses unknown digest!"), c->name, - c->hostname); + logger(LOG_ERR, _("Node %s (%s) uses unknown digest!"), c->name, c->hostname); return -1; } if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) { - syslog(LOG_ERR, _("%s (%s) uses bogus MAC length!"), c->name, - c->hostname); + logger(LOG_ERR, _("%s (%s) uses bogus MAC length!"), c->name, c->hostname); return -1; } } else { @@ -319,7 +308,7 @@ int metakey_h(connection_t * c) return send_challenge(c); } -int send_challenge(connection_t * c) +int send_challenge(connection_t *c) { char buffer[MAX_STRING_SIZE]; int len, x; @@ -351,7 +340,7 @@ int send_challenge(connection_t * c) return x; } -int challenge_h(connection_t * c) +int challenge_h(connection_t *c) { char buffer[MAX_STRING_SIZE]; int len; @@ -359,7 +348,7 @@ int challenge_h(connection_t * c) cp(); if(sscanf(c->buffer, "%*d " MAX_STRING, buffer) != 1) { - syslog(LOG_ERR, _("Got bad %s from %s (%s)"), "CHALLENGE", c->name, + logger(LOG_ERR, _("Got bad %s from %s (%s)"), "CHALLENGE", c->name, c->hostname); return -1; } @@ -369,7 +358,7 @@ int challenge_h(connection_t * c) /* Check if the length of the challenge is all right */ if(strlen(buffer) != len * 2) { - syslog(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, + logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, c->hostname, "wrong challenge length"); return -1; } @@ -390,7 +379,7 @@ int challenge_h(connection_t * c) return send_chal_reply(c); } -int send_chal_reply(connection_t * c) +int send_chal_reply(connection_t *c) { char hash[EVP_MAX_MD_SIZE * 2 + 1]; EVP_MD_CTX ctx; @@ -414,7 +403,7 @@ int send_chal_reply(connection_t * c) return send_request(c, "%d %s", CHAL_REPLY, hash); } -int chal_reply_h(connection_t * c) +int chal_reply_h(connection_t *c) { char hishash[MAX_STRING_SIZE]; char myhash[EVP_MAX_MD_SIZE]; @@ -423,7 +412,7 @@ int chal_reply_h(connection_t * c) cp(); if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) { - syslog(LOG_ERR, _("Got bad %s from %s (%s)"), "CHAL_REPLY", c->name, + logger(LOG_ERR, _("Got bad %s from %s (%s)"), "CHAL_REPLY", c->name, c->hostname); return -1; } @@ -431,7 +420,7 @@ int chal_reply_h(connection_t * c) /* Check if the length of the hash is all right */ if(strlen(hishash) != c->outdigest->md_size * 2) { - syslog(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, + logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, c->hostname, _("wrong challenge reply length")); return -1; } @@ -449,13 +438,13 @@ int chal_reply_h(connection_t * c) /* Verify the incoming hash with the calculated hash */ if(memcmp(hishash, myhash, c->outdigest->md_size)) { - syslog(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, + logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, c->hostname, _("wrong challenge reply")); - if(debug_lvl >= DEBUG_SCARY_THINGS) { + ifdebug(SCARY_THINGS) { bin2hex(myhash, hishash, SHA_DIGEST_LENGTH); hishash[SHA_DIGEST_LENGTH * 2] = '\0'; - syslog(LOG_DEBUG, _("Expected challenge reply: %s"), hishash); + logger(LOG_DEBUG, _("Expected challenge reply: %s"), hishash); } return -1; @@ -470,7 +459,7 @@ int chal_reply_h(connection_t * c) return send_ack(c); } -int send_ack(connection_t * c) +int send_ack(connection_t *c) { /* ACK message contains rest of the information the other end needs to create node_t and edge_t structures. */ @@ -492,7 +481,7 @@ int send_ack(connection_t * c) return x; } -void send_everything(connection_t * c) +static void send_everything(connection_t *c) { avl_node_t *node, *node2; node_t *n; @@ -516,7 +505,7 @@ void send_everything(connection_t * c) } } -int ack_h(connection_t * c) +int ack_h(connection_t *c) { char hisport[MAX_STRING_SIZE]; char *hisaddress, *dummy; @@ -526,9 +515,8 @@ int ack_h(connection_t * c) cp(); - if(sscanf - (c->buffer, "%*d " MAX_STRING " %d %lx", hisport, &weight, &options) != 3) { - syslog(LOG_ERR, _("Got bad %s from %s (%s)"), "ACK", c->name, + if(sscanf(c->buffer, "%*d " MAX_STRING " %d %lx", hisport, &weight, &options) != 3) { + logger(LOG_ERR, _("Got bad %s from %s (%s)"), "ACK", c->name, c->hostname); return -1; } @@ -544,10 +532,11 @@ int ack_h(connection_t * c) } else { if(n->connection) { /* Oh dear, we already have a connection to this node. */ - if(debug_lvl >= DEBUG_CONNECTIONS) - syslog(LOG_DEBUG, _("Established a second connection with %s (%s), closing old connection"), + ifdebug(CONNECTIONS) logger(LOG_DEBUG, _("Established a second connection with %s (%s), closing old connection"), n->name, n->hostname); terminate_connection(n->connection, 0); + /* Run graph algorithm to purge key and make sure up/down scripts are rerun with new IP addresses and stuff */ + graph(); } } @@ -560,8 +549,7 @@ int ack_h(connection_t * c) c->allow_request = ALL; c->status.active = 1; - if(debug_lvl >= DEBUG_CONNECTIONS) - syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), c->name, + ifdebug(CONNECTIONS) logger(LOG_NOTICE, _("Connection with %s (%s) activated"), c->name, c->hostname); /* Send him everything we know */