- Do proper key exchange
- Encrypt packets - it works, but there is something wrong with the MAC
header after decryption...
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- $Id: net.c,v 1.35.4.53 2000/10/29 09:19:24 guus Exp $
+ $Id: net.c,v 1.35.4.54 2000/10/29 10:39:06 guus Exp $
#include <syslog.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/ioctl.h>
+#include <openssl/rand.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
#ifdef HAVE_TUNTAP
#include LINUX_IF_TUN_H
#ifdef HAVE_TUNTAP
#include LINUX_IF_TUN_H
config_t *upstreamcfg;
static int seconds_till_retry;
config_t *upstreamcfg;
static int seconds_till_retry;
+int keylifetime = 0;
+int keyexpires = 0;
+
char *unknown = NULL;
subnet_t mymac;
char *unknown = NULL;
subnet_t mymac;
{
vpn_packet_t outpkt;
int outlen, outpad;
{
vpn_packet_t outpkt;
int outlen, outpad;
cp
outpkt.len = inpkt->len;
cp
outpkt.len = inpkt->len;
-/*
- EVP_EncryptInit(cl->cipher_pktctx, cl->cipher_pkttype, cl->cipher_pktkey, NULL);
- EVP_EncryptUpdate(cl->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
- EVP_EncryptFinal(cl->cipher_pktctx, outpkt.data + outlen, &outpad);
+
+ EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey);
+ EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
+ EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad);
- Do encryption when everything else is fixed...
-*/
outlen = outpkt.len + 2;
memcpy(&outpkt, inpkt, outlen);
outlen = outpkt.len + 2;
memcpy(&outpkt, inpkt, outlen);
if(debug_lvl >= DEBUG_TRAFFIC)
syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"),
outlen, cl->name, cl->hostname);
if(debug_lvl >= DEBUG_TRAFFIC)
syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"),
outlen, cl->name, cl->hostname);
{
vpn_packet_t outpkt;
int outlen, outpad;
{
vpn_packet_t outpkt;
int outlen, outpad;
cp
outpkt.len = inpkt->len;
cp
outpkt.len = inpkt->len;
-/*
- EVP_DecryptInit(myself->cipher_pktctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL);
- EVP_DecryptUpdate(myself->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
- EVP_DecryptFinal(myself->cipher_pktctx, outpkt.data + outlen, &outpad);
+ EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL);
+ EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
+ EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad);
- Do decryption is everything else is fixed...
-*/
outlen = outpkt.len+2;
memcpy(&outpkt, inpkt, outlen);
outlen = outpkt.len+2;
memcpy(&outpkt, inpkt, outlen);
if(!cl->status.validkey)
{
if(!cl->status.validkey)
{
-/* Don't queue until everything else is fixed.
+/* FIXME: Don't queue until everything else is fixed.
if(debug_lvl >= DEBUG_TRAFFIC)
syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"),
cl->name, cl->hostname);
if(debug_lvl >= DEBUG_TRAFFIC)
syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"),
cl->name, cl->hostname);
-/* Don't queue until everything else is fixed.
+/* FIXME: Don't queue until everything else is fixed.
if(debug_lvl >= DEBUG_TRAFFIC)
syslog(LOG_INFO, _("%s (%s) is not ready, queueing packet"),
cl->name, cl->hostname);
if(debug_lvl >= DEBUG_TRAFFIC)
syslog(LOG_INFO, _("%s (%s) is not ready, queueing packet"),
cl->name, cl->hostname);
+ /* Generate packet encryption key */
+
+ myself->cipher_pkttype = EVP_bf_cbc();
+
+ myself->cipher_pktkey = (char *)xmalloc(64);
+ RAND_bytes(myself->cipher_pktkey, 64);
+
+ if(!(cfg = get_config_val(config, keyexpire)))
+ keylifetime = 3600;
+ else
+ keylifetime = cfg->data.val;
+
+ keyexpires = time(NULL) + keylifetime;
+
+ /* Activate ourselves */
+
myself->status.active = 1;
syslog(LOG_NOTICE, _("Ready: listening on port %hd"), myself->port);
myself->status.active = 1;
syslog(LOG_NOTICE, _("Ready: listening on port %hd"), myself->port);
struct timeval tv;
int r;
time_t last_ping_check;
struct timeval tv;
int r;
time_t last_ping_check;
cp
last_ping_check = time(NULL);
cp
last_ping_check = time(NULL);
- if(last_ping_check + timeout < time(NULL))
- /* Let's check if everybody is still alive */
+ t = time(NULL);
+
+ /* Let's check if everybody is still alive */
+
+ if(last_ping_check + timeout < t)
{
check_dead_connections();
last_ping_check = time(NULL);
{
check_dead_connections();
last_ping_check = time(NULL);
+
+ /* Should we regenerate our key? */
+
+ if(keyexpires < t)
+ {
+ if(debug_lvl >= DEBUG_STATUS)
+ syslog(LOG_INFO, _("Regenerating symmetric key"));
+
+ RAND_bytes(myself->cipher_pktkey, 64);
+ send_key_changed(myself, NULL);
+ keyexpires = time(NULL) + keylifetime;
+ }
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- $Id: protocol.c,v 1.28.4.50 2000/10/29 09:19:25 guus Exp $
+ $Id: protocol.c,v 1.28.4.51 2000/10/29 10:39:08 guus Exp $
#include <openssl/sha.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
#include <openssl/rand.h>
+#include <openssl/evp.h>
#include "conf.h"
#include "net.h"
#include "conf.h"
#include "net.h"
cl->allow_request = ALL;
cl->status.active = 1;
cl->nexthop = cl;
cl->allow_request = ALL;
cl->status.active = 1;
cl->nexthop = cl;
+ cl->cipher_pkttype = EVP_bf_cbc();
if(debug_lvl >= DEBUG_CONNECTIONS)
syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname);
if(debug_lvl >= DEBUG_CONNECTIONS)
syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname);
{
char *from_id, *to_id;
conn_list_t *from, *to;
{
char *from_id, *to_id;
conn_list_t *from, *to;
cp
if(sscanf(cl->buffer, "%*d %as %as", &from_id, &to_id) != 2)
{
cp
if(sscanf(cl->buffer, "%*d %as %as", &from_id, &to_id) != 2)
{
if(!strcmp(to_id, myself->name))
{
if(!strcmp(to_id, myself->name))
{
- send_ans_key(myself, from, myself->cipher_pktkey);
+ bin2hex(myself->cipher_pktkey, pktkey, 64);
+ pktkey[128] = 0;
+ send_ans_key(myself, from, pktkey);
- /* Check if this key request is for us */
+ /* Update origin's packet key */
- if(!strcmp(to_id, myself->name))
- {
- /* It is for us, convert it to binary and set the key with it. */
+ keylength = strlen(pktkey);
- keylength = strlen(pktkey);
-
- if((keylength%2)!=0 || (keylength <= 0))
- {
- syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key"),
- cl->name, cl->hostname, from->name);
- free(from_id); free(to_id); free(pktkey);
- return -1;
- }
+ if((keylength%2)!=0 || (keylength <= 0))
+ {
+ syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key"),
+ cl->name, cl->hostname, from->name);
+ free(from_id); free(to_id); free(pktkey);
+ return -1;
+ }
- if(from->cipher_pktkey)
- free(from->cipher_pktkey);
+ if(from->cipher_pktkey)
+ free(from->cipher_pktkey);
- keylength /= 2;
- hex2bin(pktkey, pktkey, keylength);
- pktkey[keylength] = '\0';
- from->cipher_pktkey = pktkey;
+ keylength /= 2;
+ hex2bin(pktkey, pktkey, keylength);
+ pktkey[keylength] = '\0';
+ from->cipher_pktkey = pktkey;
- from->status.validkey = 1;
- from->status.waitingforkey = 0;
- }
- else
+ from->status.validkey = 1;
+ from->status.waitingforkey = 0;
+
+ if(strcmp(to_id, myself->name))
{
if(!(to = lookup_id(to_id)))
{
syslog(LOG_ERR, _("Got ANS_KEY from %s (%s) destination %s which does not exist in our connection list"),
cl->name, cl->hostname, to_id);
{
if(!(to = lookup_id(to_id)))
{
syslog(LOG_ERR, _("Got ANS_KEY from %s (%s) destination %s which does not exist in our connection list"),
cl->name, cl->hostname, to_id);
- free(from_id); free(to_id); free(pktkey);
+ free(from_id); free(to_id);
return -1;
}
send_ans_key(from, to, pktkey);
}
return -1;
}
send_ans_key(from, to, pktkey);
}
- free(from_id); free(to_id); free(pktkey);
+ free(from_id); free(to_id);
projects / tinc / commitdiff